
Re: [tor-talk] Making Apache server talk to the Tor network?



You probably want your apache to download files from hidden service or web
via exit nodes transparently. I advise you to create a virtual machine for
the apache server, which has a network interface shared with the host.
For the apache vm use 10.192.0.10/255.255.0.0 with 10.192.0.1 as a gateway
and dns.
On the host's vm-shared interface use 10.192.0.1/255.255.0.0 without
gateway or dns.
Now install tor on the host and add the following to torrc:

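DNSPort 0.0.0.0:9053
VirtualAddrNetworkIPv4 10.192.0.0/16
AutomapHostsOnResolve 1
# listen on the host's vm-shared address: REDIRECT sends the vm's connections
# to that interface's address, and a bare port binds to 127.0.0.1 only
TransPort 10.192.0.1:9040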

Now you need some iptables on the host:
#redirects all dns packets to our tor-dns-port, udp is stateless, so no NAT needed
iptables -t nat -A PREROUTING -i myvlan0 -p udp --dport 53 -j REDIRECT --to-ports 9053

#allow input on myvlan0:9040
iptables -A INPUT -i myvlan0 -p tcp --dport 9040 -j ACCEPT

#NAT all tcp connections coming from the vm to port 9040
iptables -t nat -A PREROUTING -i myvlan0 -p tcp --syn -j REDIRECT --to-ports 9040

Now your vm will communicate with the internet only via Tor, without
knowing about it, so in case of a compromise the apache vm won't disclose
your server's IP. You can now add a hidden service to the host's torrc
redirecting from asdfghj.onion:80 to 10.192.0.10:80.
This is a setup used in dark markets which are still successfully
operating. You shouldn't use apache though.

A bad practice would be to install torsocks and start apache with
torsocks apache -c someconfig --otherparams
This will leak IPs left and right, won't allow onion domains and in case of
a compromise your IP is disclosed.
On Nov 29, 2014 1:27 AM, "Cypher" <cypher@xxxxxxxx> wrote:

> Does anyone know of a way to make the Apache webserver talk to the Tor
> network? Specifically, I'm wanting to do proxying over Tor and am not
> sure how to make the server have access to Tor.
>
> Thanks!
> Cypher
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>
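An added example, not part of the original message or of Tor's own tooling: a Python audit that reads the host's torrc and `iptables-save` output and lists the conditions under which the VM's traffic would either never reach Tor or leave the host without it. The sample inputs are constructed from the setup described in the reply; the function names and the fail-closed FORWARD check are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the setup above (not captured from a real host).
TORRC = """DNSPort 0.0.0.0:9053
VirtualAddrNetworkIPv4 10.192.0.0/16
AutomapHostsOnResolve 1
TransPort 9040
"""
IPTABLES_SAVE = """*nat
-A PREROUTING -i myvlan0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053
-A PREROUTING -i myvlan0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j REDIRECT --to-ports 9040
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A INPUT -i myvlan0 -p tcp -m tcp --dport 9040 -j ACCEPT
COMMIT
"""

def option(torrc, name):
    """Return the value of the last uncommented `name` line in torrc, or None."""
    hits = re.findall(rf"^\s*{name}\s+(\S+)", torrc, re.M | re.I)
    return hits[-1] if hits else None

def audit(torrc, rules, iface, gw_ip, vm_net):
    """List reasons the VM's traffic could bypass or fail to reach Tor."""
    findings = []
    for name in ("TransPort", "DNSPort"):
        value = option(torrc, name) or "0"
        # A bare port means Tor listens on 127.0.0.1 only.
        addr, _, port = value.rpartition(":")
        addr = addr or "127.0.0.1"
        # REDIRECT in PREROUTING rewrites the destination to the primary
        # address of the incoming interface, so Tor must listen there.
        if addr not in ("0.0.0.0", gw_ip):
            findings.append(f"{name} listens on {addr}, not reachable via {iface}")
        if not re.search(rf"-A PREROUTING -i {iface} .*-j REDIRECT --to-ports {port}\b", rules):
            findings.append(f"no REDIRECT to {name} {port} on {iface}")
    vnet = option(torrc, "VirtualAddrNetworkIPv4")
    if vnet and ipaddress.ip_network(vnet).overlaps(ipaddress.ip_network(vm_net)):
        # Automapped addresses would be on-link for the VM and never hit the gateway.
        findings.append(f"VirtualAddrNetworkIPv4 {vnet} overlaps VM subnet {vm_net}")
    # Anything not redirected (ICMP, non-DNS UDP) must be dropped, not routed.
    fwd_drop = re.search(r"^:FORWARD DROP", rules, re.M) or re.search(
        rf"^-A FORWARD -i {iface} -j (DROP|REJECT)", rules, re.M)
    if not fwd_drop:
        findings.append(f"FORWARD does not drop traffic from {iface}")
    return findings
```

On a real host, pass the contents of the torrc file and the output of `iptables-save` in place of the constructed strings; an empty list means none of the checked leak conditions were found.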