-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If you would not like to disable the /server-status you could use something like:
AuthType Basic AuthName "Authentication Required" AuthUserFile "/etc/htpasswd/.htpasswd" Require valid-user Order allow,deny Allow from all and protect it with some really heavy user/password. Am 06.02.2015 um 16:49 schrieb contact_...@nirgal.com: > Mirimir wrote: >>> When you have a website that is available from a tor secret service, how >>> do you forbid access to url restricted to ip=localhost? >>> >>> I'm thinking of apache default http://xxxxx.onion/server-status for example. >>> >>> Using "a2dismod status" is the obvious solution for that one, but does >>> anyone had a more generic solution? >>> Maybe a full VM with a vif interface? That's an heavy solution... >>> Anything more simple? >> >> You can use firewall rules. >> (...) > > I don't think you can a firewall, no: > > "apachectl status" is querying from localhost to > http://localhost:80/server-status > > Connection from tor hidden service also comes from localhost and > iptables won't help there. > > > I tried 10 random http hidden services with that trick, and could find 2 > servers with information that shouldn't be available, like which service > are sharing on the same server, the security patch level, list of URL > being served, and so on. I also could read one public IP on another one. :( > > If you run apache, you should probably disable mod_status. Now. > > > # grep -iEr 'require +local' /etc/apache2/ > lists possible problems for apache2.4, for example. > Each webapp should also be checked for special permissions granted when > remote IP is actually localhost. > > > Documentation really should warn about this, IMHO: > https://www.torproject.org/docs/tor-hidden-service.html > and possibly a one line warning in the example torrc since > "HiddenServicePort 80 127.0.0.1:80" typically is a problem. > > > I might move httpd and tor to 2 different VM. Any nicer idea? - -- PGP-Key: https://www.endofnet.org/David_K._david@endofnet.org_%280x1F86D6CB%29_pub.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJU1OR4AAoJECua8aAfhtbLLbwP/0M+5nSsYc0Vh2yBsynpneAk id4VsGtlOrGA+Zw4EV1EEmzDgA+dKs3Xkq03NKhOGTmuW88FBIXq3qRsFD0APEpR 2X2ogQUQS+WlP8k+mrM06/8pzR+quJUj4Y4RDurAzErlYSeRBiRJcWsLaTCIe9Ix FSUWDrCu4MzT3uymvqoS7u0cqPwRlgDBR5ciqBQKLzj/vIJfk35JjMddGJU2Y1yG 3DvA55OqtHS2pQaQjIddIXp6CpRgh4AdXv8MAYEV7lS1fbd5VXAuhPuGVW2hzsJn +qJT2aYSaywtKUPZm/4NTxa/5TqDEYoc6e3O6iaRhI4JA3er8WVWtz6amHKLtzAw FkZ1m/VRHTRY7a0GxV+jeOZ511xNKnpeSCmmlEdmspA+DjPvQ3kls6JjC5TUMmA/ hzi8A7/j3pttGV/dlvUMGVvQpXDay1xtTTkhMJQ+dIweWoHRohtaIC7tfD5GCwWP +lA/xF1Mdy46GBxz/YR5RuV93sIv+eqH4WuJKfDSp/d/K7wPqQTcGEoUTPrJDB9J n8Q4omUPx0/uxu2r/pmyAyi3GL+81bdSWVnFQlkXzylj6WtzzZWS9MCtgBMbkL7l mHKFc+Egw32GxVmZPcRIl2kAojmSPOP3CJyzhhD89gWNL+jND8B4zTxj+UYpk2je MfrDZY4thysIH935sc2g =aoT2 -----END PGP SIGNATURE----- -- tor-talk mailing list - tor-talk@lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
