[tor-mirrors] Tor Mirror Security

Moritz Bartl moritz at torservers.net
Fri Mar 28 07:08:30 UTC 2014

Hi Taylor,

On 03/28/2014 02:42 AM, Taylor Hornby wrote:
> 2. To the host of the mirror: A network attacker, or an evil sysadmin at
>    Tor, could insert PHP scripts (or other things that Apache will
>    execute) into my system, then execute by making a web request.
> I worked around (2) by adding "php_flag engine off" to the Directory
> entry in my Apache configuration, but I'm not certain that's good
> enough. Can the .htaccess in the Tor mirror override it? Are there other
> things that Apache will execute that I'm not aware of?

I would recommend to serve static mirrors like one of tpo.org using a
webserver that does not execute anything server side in the first place.
Additionally, you might want to mount the directory noexec. You could
still use your main webserver to serve the content with reverse proxying.

> To solve (1), how about letting users submit an SSH public key so they
> can rsync over SSH, or just have an account with a stupid password like
> "tormirror", then publish the SSH fingerprint on torproject.org?

I agree that rsync over ssh with a shared, read-only account would be nice.

Moritz Bartl

More information about the tor-mirrors mailing list