[tor-talk] How to protect apache local-restricted from secret service access?

Fri Feb 6 15:57:44 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you would not like to disable the /server-status you could use
something like:

  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile "/etc/htpasswd/.htpasswd"
  Require valid-user

  Order allow,deny
  Allow from all

and protect it with some really heavy user/password.

Am 06.02.2015 um 16:49 schrieb contact_tor at nirgal.com:
> Mirimir wrote:
>>> When you have a website that is available from a tor secret service, how
>>> do you forbid access to url restricted to ip=localhost?
>>>
>>> I'm thinking of apache default http://xxxxx.onion/server-status for
example.
>>>
>>> Using "a2dismod status" is the obvious solution for that one, but does
>>> anyone had a more generic solution?
>>> Maybe a full VM with a vif interface? That's an heavy solution...
>>> Anything more simple?
>>
>> You can use firewall rules.
>> (...)
>
> I don't think you can a firewall, no:
>
> "apachectl status" is querying from localhost to
> http://localhost:80/server-status
>
> Connection from tor hidden service also comes from localhost and
> iptables won't help there.
>
>
> I tried 10 random http hidden services with that trick, and could find 2
> servers with information that shouldn't be available, like which service
> are sharing on the same server, the security patch level, list of URL
> being served, and so on. I also could read one public IP on another
one. :(
>
> If you run apache, you should probably disable mod_status. Now.
>
>
> # grep -iEr 'require +local' /etc/apache2/
> lists possible problems for apache2.4, for example.
> Each webapp should also be checked for special permissions granted when
> remote IP is actually localhost.
>
>
> Documentation really should warn about this, IMHO:
> https://www.torproject.org/docs/tor-hidden-service.html
> and possibly a one line warning in the example torrc since
> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
>
>
> I might move httpd and tor to 2 different VM. Any nicer idea?

- -- 

PGP-Key:
https://www.endofnet.org/David_K._david@endofnet.org_%280x1F86D6CB%29_pub.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJU1OR4AAoJECua8aAfhtbLLbwP/0M+5nSsYc0Vh2yBsynpneAk
id4VsGtlOrGA+Zw4EV1EEmzDgA+dKs3Xkq03NKhOGTmuW88FBIXq3qRsFD0APEpR
2X2ogQUQS+WlP8k+mrM06/8pzR+quJUj4Y4RDurAzErlYSeRBiRJcWsLaTCIe9Ix
FSUWDrCu4MzT3uymvqoS7u0cqPwRlgDBR5ciqBQKLzj/vIJfk35JjMddGJU2Y1yG
3DvA55OqtHS2pQaQjIddIXp6CpRgh4AdXv8MAYEV7lS1fbd5VXAuhPuGVW2hzsJn
+qJT2aYSaywtKUPZm/4NTxa/5TqDEYoc6e3O6iaRhI4JA3er8WVWtz6amHKLtzAw
FkZ1m/VRHTRY7a0GxV+jeOZ511xNKnpeSCmmlEdmspA+DjPvQ3kls6JjC5TUMmA/
hzi8A7/j3pttGV/dlvUMGVvQpXDay1xtTTkhMJQ+dIweWoHRohtaIC7tfD5GCwWP
+lA/xF1Mdy46GBxz/YR5RuV93sIv+eqH4WuJKfDSp/d/K7wPqQTcGEoUTPrJDB9J
n8Q4omUPx0/uxu2r/pmyAyi3GL+81bdSWVnFQlkXzylj6WtzzZWS9MCtgBMbkL7l
mHKFc+Egw32GxVmZPcRIl2kAojmSPOP3CJyzhhD89gWNL+jND8B4zTxj+UYpk2je
MfrDZY4thysIH935sc2g
=aoT2
-----END PGP SIGNATURE-----