r25622: {website} finish the process of not recommending a particular web serv (website/trunk/docs/en) - tor-commits

23 Apr 2012

Author: arma
Date: 2012-04-23 04:27:55 +0000 (Mon, 23 Apr 2012)
New Revision: 25622
Modified:
   website/trunk/docs/en/tor-hidden-service.wml
Log:
finish the process of not recommending a particular web server for
hidden service operators
Modified: website/trunk/docs/en/tor-hidden-service.wml
===================================================================

--- website/trunk/docs/en/tor-hidden-service.wml	2012-04-23 04:12:22 UTC (rev 25621)
+++ website/trunk/docs/en/tor-hidden-service.wml	2012-04-23 04:27:55 UTC (rev 25622)
@@ -74,16 +74,22 @@
     </p>
<p>
+    You need to configure your web server so it doesn't give away any
+    information about you, your computer, or your location. Be sure to
+    bind the web server only to localhost (if people could get to it
+    directly, they could confirm that your computer is the one offering
+    the hidden service). Be sure that its error messages don't list
+    your hostname or other hints. Consider putting the web server in a
+    sandbox or VM to limit the damage from code vulnerabilities.
+    </p>
+
+    <p>
     Once your web server is set up, make
     sure it works: open your browser and go to <a
     href="http://localhost:8080/">http://localhost:8080/</a>, where
     8080 is the webserver port you chose during setup (you can choose any
     port, 8080 is just an example). Then try putting a file in the main
     html directory, and make sure it shows up when you access the site.
-    The reason we bind the web server only to localhost is to make sure
-    it isn't publically accessible. If people could get to it directly,
-    they could confirm that your computer is the one offering the
-    hidden service.
     </p>
<hr>
@@ -193,16 +199,6 @@
     want to make a backup copy of the <var>private_key</var> file somewhere.
     </p>
-    <p>We avoided recommending Apache above, a) because many people might
-    already be running it for a public web server on their computer, and b)
-    because it's big
-    and has lots of places where it might reveal your IP address or other
-    identifying information, for example in 404 pages. For people who need
-    more functionality, though, Apache may be the right answer. Can
-    somebody make us a checklist of ways to lock down your Apache when you're
-    using it as a hidden service? Savant probably has these problems too.
-    </p>
-
     <p>If you want to forward multiple virtual ports for a single hidden
     service, just add more <var>HiddenServicePort</var> lines.
     If you want to run multiple hidden services from the same Tor

    