Ping! That issue was slashdot'ed yesterday: http://apache.slashdot.org/story/16/01/30/1825256/sensitive-information-can-be-revealed-from-tor-hidden-services-on-apache
In February 2015, contact_...@nirgal.com wrote:
> Mirimir wrote:
>> On 02/06/2015 08:49 AM, contact_...@nirgal.com wrote:
>>> Documentation really should warn about this, IMHO:
>>> https://www.torproject.org/docs/tor-hidden-service.html
>>> and possibly a one line warning in the example torrc since
>>> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
>>
>> Yes.
>
> How can I make that happen?
>
> Here's a draft for the last bullet points (English is not my native
> language):
>
> * Make sure you don't grant access to special URLs based on source IP
> address, since all connections will come from localhost or wherever you
> install tor on your LAN. For example, on apache, you should disable
> mod_status and all modules/sites/conf with "Require local" directive.
>
> In example torrc, we could add:
>
> ## Be aware source IP filtering will not be available:
> ## see https://www.torproject.org/docs/tor-hidden-service.html
>
> before
>
> #HiddenServiceDir /var/lib/tor/hidden_service/
> #HiddenServicePort 80 127.0.0.1:80
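
The misconfiguration discussed in this thread, as an added example that is not part of the original messages: a Python check that lists Apache access rules trusting the loopback source address whenever a torrc forwards a hidden service to loopback. The function names and the sample torrc and Apache text are constructed for illustration, and only explicit loopback targets of the form shown in the thread are recognised.

```python
import re

# Directives that grant access because the client address is loopback/local.
LOCAL_TRUST = re.compile(
    r"^\s*(Require\s+(?:local\b|ip\s+(?:127\.|::1)|host\s+localhost\b)"
    r"|Allow\s+from\s+(?:127\.|::1|localhost\b))", re.I)
SECTION_OPEN = re.compile(r"^\s*<(\w+)\s+([^>]*)>")
SECTION_CLOSE = re.compile(r"^\s*</(\w+)>")
HS_PORT = re.compile(r"^\s*HiddenServicePort\s+(\d+)\s+(\S+)", re.I)

def loopback_hs_targets(torrc):
    """Return (virtual_port, target) for HiddenServicePort lines forwarding to loopback."""
    out = []
    for line in torrc.splitlines():
        m = HS_PORT.match(line)  # commented-out lines do not match
        if m and re.match(r"(127\.|\[::1\]|localhost)", m.group(2)):
            out.append((int(m.group(1)), m.group(2)))
    return out

def local_trust_rules(apache_conf):
    """Return (line_no, enclosing_section, directive) for source-address-based grants."""
    stack, hits = [], []
    for n, line in enumerate(apache_conf.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if SECTION_CLOSE.match(line):
            stack = stack[:-1]
        elif (m := SECTION_OPEN.match(line)):
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
        elif LOCAL_TRUST.match(line):
            hits.append((n, stack[-1] if stack else "(global)", line.strip()))
    return hits

def audit(torrc, apache_conf):
    """Rules that no longer filter anything once tor connects from loopback."""
    return local_trust_rules(apache_conf) if loopback_hs_targets(torrc) else []

# Constructed sample input (not taken from a real host).
SAMPLE_TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:80\n"
SAMPLE_APACHE = """\
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""

if __name__ == "__main__":
    for n, section, directive in audit(SAMPLE_TORRC, SAMPLE_APACHE):
        print(f"line {n}: '{directive}' in <{section}> matches every hidden-service client")
```
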