[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to protect apache local-restricted from secret service access?



Ping! That issue was slashdot'ed yesterday:

http://apache.slashdot.org/story/16/01/30/1825256/sensitive-information-can-be-revealed-from-tor-hidden-services-on-apache



In February 2015, contact_tor@xxxxxxxxxx wrote:
> Mirimir wrote:
>> On 02/06/2015 08:49 AM, contact_tor@xxxxxxxxxx wrote:
>>> Documentation really should warn about this, IMHO:
>>> https://www.torproject.org/docs/tor-hidden-service.html
>>> and possibly a one line warning in the example torrc since
>>> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
>>
>> Yes.
> 
> How can I make that happen?
> 
> Here's a draft for the last bullet points (English is not my native
> language):
> 
> * Make sure you don't grant access to special URLs based on source IP
> address, since all connection will come from localhost or wherever you
> install tor on your LAN. For example, on apache, you should disable
> mod_status and all modules/sites/conf with "Require local" directive.
> 
> In example torrc, we could add:
> 
> ## Be aware source IP filtering will not be available:
> ## see https://www.torproject.org/docs/tor-hidden-service.html
> 
> before
> 
> #HiddenServiceDir /var/lib/tor/hidden_service/
> #HiddenServicePort 80 127.0.0.1:80
> 

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk