[tor-onions] If you run a Tor hidden service for an Apache server, make sure you disable mod_status
Jason Cooper
tor at lakedaemon.net
Sun Jan 31 00:28:04 UTC 2016
Hi shadow,
On Sat, Jan 30, 2016 at 12:00:57PM +0100, shadow wrote:
> To fix this problem in an Apache setup and keep mod_status enabled, I
> did the following:
>
> >
> > I did the following:
> >
> > 1. Only allow 127.0.0.1 to request server-status in mod_status
> > 2. Map the HiddenService on another IP (here: the internal IP of the machine)
> > 3. Force Apache to Listen on the internal IP and port
> > 4. Set up a virtual host for that IP and port
> >
> > 1.
> > #/etc/apache2/mods-enabled/status.conf
> >
> > Require ip 127.0.0.1
> >
> > 2.
> > # /etc/tor/torrc
> > HiddenServiceDir /var/lib/tor/hidden_service/
> > HiddenServicePort 80 192.168.2.4:8888
> >
> > 3.
> > # /etc/apache2/ports.conf
> > #ListenOnHsPorts
> > Listen 192.168.2.4:8888
> >
> > 4.
> > <VirtualHost 192.168.2.4:8888>
> >
> > ServerName fooou4vhdb26iks.onion
> > DocumentRoot /var/www/mysite.org/www
> > snip --- 8< ----
> > </VirtualHost>
Perhaps 127.0.0.X, where X is in [2-254]? e.g.
# ip addr add 127.0.0.27 dev lo
HiddenServicePort 80 127.0.0.27:8888
Listen 127.0.0.27:8888
VirtualHost 127.0.0.27:8888
192.168.Y.Z is routable on local networks, leaving you one configuration
mistake away from revealing your hidden service locally.
As a second layer of defense against mis-configuration, set your
iptables to restrict processes running as the tor user/group to
tcp:127.0.0.27:8888 [1]. Then, drop anything else with that destination.
You can really lock down the box via iptables default DROP policies (-P)
and explicitly allowing narrowly acceptable traffic. It takes a bit to
set up, but for single-purpose boxes, it's doable.
hth,
Jason.
[1] caveat: The tor process also needs Internet access in order to be
effective. ;-)
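The following script is an added example, not code from either mail in this thread. It carries Jason's loopback-alias variant through all four of shadow's steps, generating the torrc, ports.conf and VirtualHost fragments from one set of variables so the Tor target and the Apache binds cannot drift apart, emits the `ip addr add` and owner-match iptables rules he describes, and adds a pre-flight check that refuses any `Listen` or `<VirtualHost>` bound outside 127.0.0.0/8 (the "one configuration mistake" he warns about). Assumptions: 127.0.0.27:8888 are Jason's values; the onion hostname and DocumentRoot are the placeholders from shadow's config; the tor service user `debian-tor` is assumed and varies by distribution; the `Require all denied` block inside the onion vhost is a belt-and-braces addition of mine, not something either poster suggested.

```shell
#!/bin/sh
# Added example, not code from the tor-onions thread. Generates the config
# fragments for the loopback-alias layout and checks them before deployment.
# Assumed values: 127.0.0.27:8888 (Jason's mail); onion hostname and
# DocumentRoot are shadow's placeholders; TOR_USER is an assumption
# (Debian's service user) and must match the local tor package.

ONION_IP="127.0.0.27"
ONION_PORT="8888"
ONION_HOST="fooou4vhdb26iks.onion"
DOCROOT="/var/www/mysite.org/www"
TOR_USER="debian-tor"

# torrc fragment: Tor connects to the loopback alias, never to a LAN address.
gen_torrc() {
    printf 'HiddenServiceDir /var/lib/tor/hidden_service/\n'
    printf 'HiddenServicePort 80 %s:%s\n' "$ONION_IP" "$ONION_PORT"
}

# Apache fragments: listener and vhost share the alias. The server-wide
# status page keeps shadow's 127.0.0.1 restriction; inside the onion vhost
# the handler is denied outright, so it does not depend on source-IP
# matching at all (belt and braces, my addition).
gen_apache() {
    cat <<EOF
# /etc/apache2/ports.conf
Listen ${ONION_IP}:${ONION_PORT}

# /etc/apache2/mods-enabled/status.conf
<Location /server-status>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>

# /etc/apache2/sites-enabled/onion.conf
<VirtualHost ${ONION_IP}:${ONION_PORT}>
    ServerName ${ONION_HOST}
    DocumentRoot ${DOCROOT}
    <Location /server-status>
        Require all denied
    </Location>
</VirtualHost>
EOF
}

# Host commands (review, then run as root): Jason's alias on lo, then the
# second layer: only the tor user may connect to the onion listener, and any
# other process aiming at it is dropped. Tor's non-loopback traffic (his
# footnote [1]) is not touched by these rules.
gen_host_cmds() {
    cat <<EOF
ip addr add ${ONION_IP} dev lo
iptables -A OUTPUT -o lo -p tcp -d ${ONION_IP} --dport ${ONION_PORT} -m owner --uid-owner ${TOR_USER} -j ACCEPT
iptables -A OUTPUT -o lo -p tcp -d ${ONION_IP} --dport ${ONION_PORT} -j DROP
EOF
}

# Pre-flight: fail (return 1) if any Listen or <VirtualHost in the file is
# bound to anything but an explicit 127.x.y.z:port. "Listen 80", "*:80" and
# LAN addresses all count as failures; offending lines go to stderr.
check_loopback_only() {
    _bad=$(awk '
        { w = tolower($1) }
        w == "listen" || w == "<virtualhost" {
            addr = $2; sub(/>.*/, "", addr)
            if (addr !~ /^127\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) print $0
        }' "$1")
    if [ -n "$_bad" ]; then
        printf 'refusing %s: non-loopback bind(s):\n%s\n' "$1" "$_bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo: check the generated config, then a constructed copy of
# shadow's LAN-bound lines, which the check must reject.
tmp=$(mktemp)
gen_apache >"$tmp"
check_loopback_only "$tmp" && echo "generated config: loopback only, ok"
printf 'Listen 192.168.2.4:8888\n<VirtualHost 192.168.2.4:8888>\n' >"$tmp"
check_loopback_only "$tmp" 2>/dev/null || echo "LAN-bound config: rejected"
rm -f "$tmp"
```

The `ip addr add` line does not survive a reboot; persist the alias through the distribution's network configuration, or Apache will fail to bind and the onion service will be down rather than exposed. The check is written for the single-purpose box Jason describes; on a host that also serves a clearnet site on 0.0.0.0:80, point it only at the onion vhost file.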