Hi all,
The way that I see it, there are two different ways to think about running applications like a CMS in an onion site.
1. If you are a non-profit or some other org/person who doesn't care if visitors know who they are, but they want their visitors' privacy to be protected.
2. You want both your privacy and your visitors' privacy to be protected.
I'm looking for suggestions for both of these two categories. The easiest, I think, would be to just host flat HTML files on a hardened web server, but that is both tedious and ugly (unless you are really good at HTML). I'd prefer something a bit more automated.
Thanks!
Jason
On 28 April 2018 at 12:31, Jason S. Evans jsevans@gardeng.nom.es wrote:
1. If you are a non-profit or some other org/person who doesn't care if visitors know who they are, but they want their visitors' privacy to be protected.
Literally Facebook.
https://www.facebook.com/notes/protect-the-graph/making-connections-to-faceb...
2. You want both your privacy and your visitors' privacy to be protected.
Any SecureDrop site; also remember that classic Onion HTTP/S sites offer a smaller attack surface to the web, than do TCP/IP HTTP/S sites.
e.g.: DDoS is mostly negated, etc.
I'm looking for suggestions for both of these two categories. The easiest, I think, would be to just host flat HTML files on a hardened web server, but that is both tedious and ugly (unless you are really good at HTML). I'd prefer something a bit more automated.
This might help?
https://github.com/alecmuffett/the-onion-diaries/blob/master/basic-productio...
If you're looking for fast, utterly bombproof serving, then yeah, predefined flat files and static content are the way to go.
That said: Wordpress with near-zero plugins, but optimised WP-SuperCache enabled, is pretty good.
-a
On 28/04/2018 13:31, Jason S. Evans wrote:
Hi all,
The way that I see it, there are two different ways to think about running applications like a CMS in an onion site.
1. If you are a non-profit or some other org/person who doesn't care if visitors know who they are, but they want their visitors' privacy to be protected.
2. You want both your privacy and your visitors' privacy to be protected.
I'm looking for suggestions for both of these two categories. The easiest, I think, would be to just host flat HTML files on a hardened web server, but that is both tedious and ugly (unless you are really good at HTML). I'd prefer something a bit more automated.
GlobaLeaks embeds a webserver based on the Twisted framework, integrates txtorcon for automatic generation of onion addresses and also Let's Encrypt to have HTTPS (on the internet side, if required); everything is AppArmored, Debian-packaged, etc.
In the upcoming weeks we are going to deploy a project that requires hosting of self-contained HTML-only files for a foundation that provides psychological support to child pornographers on .onion.
As we already have all of those facilities in place, with GlobaLeaks already serving static files from the /public/ directory, including URL redirection and multi-site with multi-hostname configuration, and an admin UI to upload/download static files in the public directory, we are considering options to make some improvements to facilitate its use as a small CMS for .onion.
Do you think it would be useful to get a 1-cmdline-install self-contained software like GlobaLeaks, disabling the "whistleblowing" functionalities and leaving all of the rest in place as a static, hardened webserver for .onion, with multiple-site support and a web-admin interface?
Fabio
"Fabio Pietrosanti (naif) - lists" lists@infosecurity.ch writes:
GlobaLeaks embeds a webserver based on the Twisted framework, integrates txtorcon for automatic generation of onion addresses and also Let's Encrypt to have HTTPS (on the internet side, if required); everything is AppArmored, Debian-packaged, etc.
[..]
Do you think it would be useful to get a 1-cmdline-install self-contained software like GlobaLeaks, disabling the "whistleblowing" functionalities and leaving all of the rest in place as a static, hardened webserver for .onion, with multiple-site support and a web-admin interface?
I think Twisted-web is a great choice of web-server for these use-cases: there's "txacme" for fully automated Let's Encrypt (obviously, that doesn't work for .onion), a long-tested production-ready Web-server that does WSGI so can "front" any popular Python framework, is easy to set up and of course txtorcon that can automate .onion setup (v3 support is on master if anyone wants to play with that). It's all written in a relatively-safer high-level language but still can handle pretty massive throughput -- e.g. 175k HTTP reqs/sec on one core under PyPy and 12+Gb/s on 40 cores with dynamic (but short) content; see this repo for benchmarks:
https://github.com/crossbario/crossbar-examples/tree/master/benchmark/web
Probably the *most* useful (IMO) with somewhat less work involved would be a HOWTO-style guide: the basic setup, and then "bonus" sections for things like "WSGI" or "reverse-proxy to my actual application" and links for how to harden your actual machine setup along with common pitfalls (e.g. accidentally listening on 0.0.0.0 instead of 127.0.0.1 etc). That said, some kind of stripped-down SecureDrop might also work nicely :)
There's already really a "1-click install" version of the above for static files on Debian, as mentioned in the txtorcon documentation (two commands: install the package, then start the server):
sudo apt-get install --install-suggests python-txtorcon
twistd web --port "onion:80" --path ~/public_html
That gives you a high-quality Twisted web server on a (new) .onion domain serving static files from ~/public_html (you can include the keys in the "onion:" endpoint-string for persistent .onions).
Cheers,
tor-onions@lists.torproject.org
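The "accidentally listening on 0.0.0.0 instead of 127.0.0.1" pitfall raised above is easy to check mechanically on the host. The following Python script is an added example for this thread, not code from txtorcon, GlobaLeaks or any of the posters: it parses constructed `ss -ltn` output and a constructed torrc fragment (both invented for the example) and flags any HiddenServicePort backend that is bound outside loopback or forwarded to a non-loopback target, i.e. a backend that would also be reachable directly over clearnet. The function names and the severity labels are the example's own.

```python
"""Audit a Tor onion-service host for the bind-address pitfall: every
HiddenServicePort in torrc should forward to loopback, and the backend
listening on that port should itself be bound to loopback only.
All sample input below is constructed for this example."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8081        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

# Constructed torrc fragment: one good rule, one relying on the default
# 127.0.0.1 target, and one unix-socket target.
SAMPLE_TORRC = """HiddenServiceDir /var/lib/tor/site/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 8081
HiddenServicePort 8443 unix:/run/site.sock
"""


@dataclass
class ForwardRule:
    virtport: int
    host: str            # "unix:<path>" for socket targets
    port: Optional[int]  # None for unix-socket targets


@dataclass
class Finding:
    severity: str
    message: str


def is_loopback(host: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # "*" wildcard or anything unparsable
        return False


def parse_ss_listeners(ss_output: str) -> List[Tuple[str, int]]:
    """Extract (host, port) from `ss -ltn` lines; handles 0.0.0.0:80,
    [::]:80 and *:80 forms. The header line is skipped by its State column."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, _, port = cols[3].rpartition(":")
        listeners.append((host.strip("[]"), int(port)))
    return listeners


# TARGET may be host:port, a bare port (defaulting to 127.0.0.1), or unix:<path>.
_PORT_RE = re.compile(r"^[ \t]*HiddenServicePort[ \t]+(\d+)(?:[ \t]+(\S+))?",
                      re.MULTILINE)


def parse_torrc_ports(torrc: str) -> List[ForwardRule]:
    rules = []
    for m in _PORT_RE.finditer(torrc):
        virt = int(m.group(1))
        target = m.group(2) or str(virt)  # omitted target = same port on loopback
        if target.startswith("unix:"):
            rules.append(ForwardRule(virt, target, None))
        elif ":" in target:
            host, _, port = target.rpartition(":")
            rules.append(ForwardRule(virt, host.strip("[]"), int(port)))
        else:
            rules.append(ForwardRule(virt, "127.0.0.1", int(target)))
    return rules


def audit(ss_output: str, torrc: str) -> List[Finding]:
    """Cross-check torrc forward rules against actual listeners."""
    findings = []
    listeners = parse_ss_listeners(ss_output)
    for rule in parse_torrc_ports(torrc):
        if rule.port is None:
            continue  # unix socket: no TCP exposure to check
        if not is_loopback(rule.host):
            findings.append(Finding("HIGH", f"virtport {rule.virtport} forwards to "
                                    f"non-loopback target {rule.host}:{rule.port}"))
            continue
        bound = [h for h, p in listeners if p == rule.port]
        if not bound:
            findings.append(Finding("INFO", f"nothing listening on backend port "
                                    f"{rule.port} for virtport {rule.virtport}"))
        for host in bound:
            if not is_loopback(host):
                findings.append(Finding("HIGH", f"backend port {rule.port} for virtport "
                                        f"{rule.virtport} is bound to {host}, "
                                        f"reachable outside Tor"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS, SAMPLE_TORRC):
        print(f"[{f.severity}] {f.message}")
```

On a real host you would feed `audit()` the output of `ss -ltn` and the contents of the torrc; ports that only Tor should reach are expected to show up bound to 127.0.0.1 or ::1, and anything else is worth a look.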