[tor-onions] CMS in onion services?

meejah meejah at meejah.ca
Wed May 2 17:21:12 UTC 2018


"Fabio Pietrosanti (naif) - lists" <lists at infosecurity.ch> writes:

> GlobaLeaks embeds a webserver based on Twisted framework, integrates
> txtorcon for automatic generation of onion address and also
> LetsEncrypt to have HTTPS (on the internet-side, if required),
> everything apparmored, debian packaged, etc

[..]

> Do you think it would be useful to get a 1-cmdline install
> self-contained software like GlobaLeaks, disabling the
> "whistleblowing" functionalities, leaving all of the rest in-place as
> a static, hardened webserver for .onion, with multiple-site and a
> web-admin interface?

I think Twisted-web is a great choice of web-server for these use-cases:
there's "txacme" for fully automated Let's Encrypt (obviously, that
doesn't work for .onion), a long-tested production-ready Web-server that
does WSGI so can "front" any popular Python framework, is easy to set up
and of course txtorcon that can automate .onion setup (v3 support is on
master if anyone wants to play with that). It's all written in a
relatively-safer high-level language but still can handle pretty massive
throughput -- e.g. 175k HTTP reqs/sec on one core under PyPy and 12+Gb/s
on 40 cores with dynamic (but short) content; see this repo for
benchmarks:

   https://github.com/crossbario/crossbar-examples/tree/master/benchmark/web

Probably the *most* useful (IMO) with somewhat less work involved would
be a HOWTO-style guide: the basic setup, and then "bonus" sections for
things like "WSGI" or "reverse-proxy to my actual application" and links
for how to harden your actual machine setup along with common pitfalls
(e.g. accidentally listening on 0.0.0.0 instead of 127.0.0.1 etc). That
said, some kind of stripped-down SecureDrop might also work nicely :)

There's already really a "1-click install" version of the above for static
files on Debian, as mentioned in txtorcon documentation:

   sudo apt-get install --install-suggests python-txtorcon
   twistd web --port "onion:80" --path ~/public_html

That gives you a high-quality Twisted web server on a (new) .onion
domain serving static files from ~/public_html (you can include the keys
in the "onion:" endpoint-string for persistent .onions).

Cheers,

-- 
meejah
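
The pitfall named in the message above (a backend listening on 0.0.0.0 instead of 127.0.0.1) can be checked on a Linux host by decoding the kernel's socket table. This is an added example, not part of the original message or of txtorcon; the sample table, its port numbers and the function names are constructed, and it assumes the /proc/net/tcp and /proc/net/tcp6 layout on a little-endian machine.

```python
import ipaddress

LISTEN = "0A"  # state code the kernel uses for listening TCP sockets

# Constructed sample in /proc/net/tcp(6) layout, trailing columns omitted.
SAMPLE = """\
  sl  local_address rem_address   st
   0: 0100007F:1F90 00000000:0000 0A
   1: 00000000:1F91 00000000:0000 0A
   2: 0100007F:235A 00000000:0000 0A
   3: 0100007F:C350 0100007F:1F90 01
   4: 00000000000000000000000001000000:1F92 00000000000000000000000000000000:0000 0A
   5: 00000000000000000000000000000000:1F93 00000000000000000000000000000000:0000 0A
"""

def decode_addr(field):
    """Turn 'HEXADDR:HEXPORT' into (ip_address, port)."""
    host_hex, port_hex = field.split(":")
    raw = bytes.fromhex(host_hex)
    # Each 32-bit word is printed in host byte order (assumed little-endian),
    # so reverse every 4-byte group to get network order.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    ip = ipaddress.ip_address(packed)
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # treat ::ffff:127.0.0.1 as 127.0.0.1
    return ip, int(port_hex, 16)

def exposed_listeners(proc_text):
    """Return (address, port) for every listening socket not bound to loopback."""
    exposed = []
    for line in proc_text.splitlines():
        fields = line.split()
        # Skip the header row and any socket that is not in LISTEN state.
        if len(fields) < 4 or not fields[0].endswith(":") or fields[3] != LISTEN:
            continue
        ip, port = decode_addr(fields[1])
        if not ip.is_loopback:
            exposed.append((str(ip), port))
    return exposed

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE):
        print(f"listener reachable off-host: {addr}:{port}")
```

On a real host, pass the contents of /proc/net/tcp and /proc/net/tcp6 instead of the sample; any port reported that belongs to the onion service's backend should be rebound to 127.0.0.1.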

