[tor-talk] How to protect apache local-restricted from secret service access?

contact_tor at nirgal.com contact_tor at nirgal.com
Fri Feb 27 14:37:40 UTC 2015


Mirimir wrote:
> On 02/06/2015 08:49 AM, contact_tor at nirgal.com wrote:
>> Documentation really should warn about this, IMHO:
>> https://www.torproject.org/docs/tor-hidden-service.html
>> and possibly a one line warning in the example torrc since
>> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
> 
> Yes.

How can I make that happen?

Here's a draft for the last bullet points (English is not my native
language):

* Make sure you don't grant access to special URLs based on source IP
address, since all connections will come from localhost or wherever you
install Tor on your LAN. For example, on Apache, you should disable
mod_status and all modules/sites/conf with a "Require local" directive.

In example torrc, we could add:

## Be aware source IP filtering will not be available:
## see https://www.torproject.org/docs/tor-hidden-service.html

before

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
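
Added example, not part of the original post: a Python check that flags the kind of Apache directives the draft bullet warns about before a site is put behind `HiddenServicePort 80 127.0.0.1:80`. It goes beyond `Require local` and mod_status to the equivalent loopback forms of `Require ip`, `Require host` and `Allow from`, and to the mod_info handler. The function names and the sample configuration are constructed for illustration.

```python
# Added example: line-based heuristic; does not follow Include directives
# or backslash line continuations.
def _is_loopback(token):
    t = token.lower()
    return t == "localhost" or t.startswith("127.") or t.split("/")[0] == "::1"

def find_loopback_trust(conf_text, name="<conf>"):
    """Return (name, line number, reason, line) for rules that trust loopback."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        directive, args = words[0].lower(), [w.lower() for w in words[1:]]
        reason = None
        if directive == "require" and args:
            if args[0] == "local":
                reason = "Require local"
            elif args[0] in ("ip", "host") and any(map(_is_loopback, args[1:])):
                reason = "Require %s <loopback>" % args[0]
        elif directive == "allow" and args[:1] == ["from"]:
            if any(map(_is_loopback, args[1:])):
                reason = "Allow from <loopback>"
        elif directive == "sethandler" and args[:1] in (["server-status"], ["server-info"]):
            reason = "status/info handler"
        if reason:
            findings.append((name, lineno, reason, line))
    return findings

# Constructed sample configuration (not from a real server).
SAMPLE_CONF = """\
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
<Directory "/var/www/admin">
    Allow from 127.0.0.1 ::1
</Directory>
<Directory "/var/www/html">
    # Require local
    Require not local
    Require ip 10.127.0.5
</Directory>
"""

if __name__ == "__main__":
    for name, lineno, reason, line in find_loopback_trust(SAMPLE_CONF, "sample.conf"):
        print("%s:%d: %s -> %s" % (name, lineno, reason, line))
```

Every line it reports is a rule that a request arriving through the hidden service would satisfy, because Apache sees the Tor process's address as the client.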

