
Re: [tor-talk] How to protect apache local-restricted from secret service access?



On 02/04/2015 08:19 AM, contact_tor@nirgal.com wrote:
> Hi
> 
> When you have a website that is available from a tor secret service, how
> do you forbid access to url restricted to ip=localhost?
> 
> I'm thinking of apache default http://xxxxx.onion/server-status for example.
> 
> Using "a2dismod status" is the obvious solution for that one, but does
> anyone have a more generic solution?
> Maybe a full VM with a vif interface? That's a heavy solution...
> Anything more simple?

You can use firewall rules.

> The web site I'm thinking about has a public address, nothing to hide,
> and the .onion address is only there to protect the users. But I'd
> rather not introduce too many security issues...

Running hidden services and non-Tor websites on the same server is
generally considered bad practice.

> (BTW, a warning about these issues on
> https://www.torproject.org/docs/tor-hidden-service.html would be nice)
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
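
An added example, not part of the original thread: Tor delivers onion-service requests to the `HiddenServicePort` target from the local machine, so Apache rules that trust loopback clients also admit Tor users. This audit lists such `<Location>` blocks when the torrc forwards to loopback. The sample torrc and Apache fragment are constructed, the function names are hypothetical, and the check assumes Apache is the service behind the target.

```python
import re

# Constructed sample input: a torrc and an Apache fragment (not from the thread).
TORRC = "HiddenServiceDir /var/lib/tor/hs/\nHiddenServicePort 80 127.0.0.1:80\n"
APACHE = """<Location /server-status>
    Require local
</Location>
<Location "/server-info">
    Allow from 127.0.0.1
</Location>
<Location /public>
    Require all granted
</Location>
"""

LOOPBACK = re.compile(r"^(127\.\d+\.\d+\.\d+|localhost|\[?::1\]?)$", re.I)
# Apache access rules that treat a loopback client as trusted.
LOCAL_RULE = re.compile(r"\s*(Require\s+local\b|(Require\s+(ip|host)|Allow\s+from)"
                        r"\s+.*(127\.|::1|localhost))", re.I)

def loopback_onion_targets(torrc):
    """Return HiddenServicePort targets that point at a loopback address."""
    targets = []
    for line in torrc.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        # With no explicit target, Tor forwards to 127.0.0.1:<virtual port>.
        target = parts[2] if len(parts) > 2 else "127.0.0.1:" + parts[1]
        host = "127.0.0.1" if target.isdigit() else target.rsplit(":", 1)[0]
        if LOOPBACK.match(host):  # unix: socket targets never match
            targets.append(target)
    return targets

def locally_trusted_locations(apache_conf):
    """Return <Location> paths whose access rule trusts loopback clients."""
    found, current = [], None
    for line in apache_conf.splitlines():
        opened = re.match(r'\s*<Location\s+"?([^">]+?)"?\s*>', line, re.I)
        if opened:
            current = opened.group(1)
        elif re.match(r"\s*</Location>", line, re.I):
            current = None
        elif current and LOCAL_RULE.match(line) and current not in found:
            found.append(current)
    return found

def exposed_via_onion(torrc, apache_conf):
    return locally_trusted_locations(apache_conf) if loopback_onion_targets(torrc) else []
```

Any path this reports needs an access rule that does not depend on the client address, or an onion-facing virtual host that denies it outright.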