[tor-talk] How to protect apache local-restricted from secret service access?
contact_tor at nirgal.com
Sun Jan 31 09:53:54 UTC 2016
Ping! That issue was slashdot'ed yesterday:
http://apache.slashdot.org/story/16/01/30/1825256/sensitive-information-can-be-revealed-from-tor-hidden-services-on-apache
In February 2015, contact_tor at nirgal.com wrote:
> Mirimir wrote:
>> On 02/06/2015 08:49 AM, contact_tor at nirgal.com wrote:
>>> Documentation really should warn about this, IMHO:
>>> https://www.torproject.org/docs/tor-hidden-service.html
>>> and possibly a one line warning in the example torrc since
>>> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
>>
>> Yes.
>
> How can I make that happen?
>
> Here's a draft for the last bullet points (English is not my native
> language):
>
> * Make sure you don't grant access to special URLs based on source IP
> address, since all connections will come from localhost or wherever you
> install tor on your LAN. For example, on Apache, you should disable
> mod_status and all modules/sites/conf with "Require local" directive.
>
> In example torrc, we could add:
>
> ## Be aware source IP filtering will not be available:
> ## see https://www.torproject.org/docs/tor-hidden-service.html
>
> before
>
> #HiddenServiceDir /var/lib/tor/hidden_service/
> #HiddenServicePort 80 127.0.0.1:80
>
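An added example, not part of the original message or of Tor's or Apache's own tooling: a small audit that checks whether a torrc forwards a hidden service to loopback and, if so, lists the Apache directives that would then be satisfied by every hidden-service visitor. The function names and the sample configuration are constructed for illustration; only loopback targets are handled, not the "elsewhere on your LAN" case the message also mentions.

```python
import re

# Apache access rules that are satisfied by any client connecting from loopback.
LOOPBACK_RULES = [
    (re.compile(r"^\s*Require\s+local\b", re.I), "Require local"),
    (re.compile(r"^\s*Require\s+ip\s.*(127\.\d+\.\d+\.\d+|::1)", re.I), "Require ip loopback"),
    (re.compile(r"^\s*Allow\s+from\s.*(127\.\d+\.\d+\.\d+|::1|localhost)", re.I), "Allow from loopback"),
]
STATUS_HANDLER = re.compile(r"^\s*SetHandler\s+(server-status|server-info)\b", re.I)

def torrc_forwards_to_loopback(torrc_text):
    """True if an uncommented HiddenServicePort line targets a loopback address."""
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "hiddenserviceport":
            target = parts[2] if len(parts) > 2 else ""
            host = re.sub(r":\d+$", "", target)
            # Tor maps to 127.0.0.1 when the target is omitted or is only a port.
            if host == "" or host.isdigit() or host in ("localhost", "[::1]") or host.startswith("127."):
                return True
    return False

def audit_apache(conf_text):
    """Return (line_no, kind, directive) for loopback-trusting rules and status handlers."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for pattern, kind in LOOPBACK_RULES:
            if pattern.search(line):
                findings.append((no, kind, line.strip()))
        handler = STATUS_HANDLER.search(line)
        if handler:
            findings.append((no, "handler " + handler.group(1).lower(), line.strip()))
    return findings

# Constructed sample input: the torrc lines from the message, uncommented, and a typical mod_status block.
SAMPLE_TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:80\n"
SAMPLE_APACHE = """<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    if torrc_forwards_to_loopback(SAMPLE_TORRC):
        for no, kind, directive in audit_apache(SAMPLE_APACHE):
            print(f"line {no}: {kind}: {directive}")
```

Any finding means the rule should be removed or replaced with real authentication, or the handler disabled, before the site is published as a hidden service.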