Message-ID: <54F08134.1050908@nirgal.com>
Date: Fri, 27 Feb 2015 14:37:40 +0000
From: contact_tor@nirgal.com
MIME-Version: 1.0
To: tor-talk@lists.torproject.org, mirimir@riseup.net
References: <54D23891.3040409@nirgal.com> <54D39634.6090703@riseup.net>
 <54D4E299.7080806@nirgal.com> <54D58FA8.9040302@riseup.net>
In-Reply-To: <54D58FA8.9040302@riseup.net>
Subject: Re: [tor-talk] How to protect apache local-restricted from secret
 service access?
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

Mirimir wrote:
> On 02/06/2015 08:49 AM, contact_tor@nirgal.com wrote:
>> Documentation really should warn about this, IMHO:
>> https://www.torproject.org/docs/tor-hidden-service.html
>> and possibly a one line warning in the example torrc since
>> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
> 
> Yes.

How can I make that happen?

Here's a draft for the last bullet points (English is not my native
language):

* Make sure you don't grant access to special URLs based on source IP
address, since all connections will come from localhost or wherever you
install Tor on your LAN. For example, on Apache, you should disable
mod_status and all modules/sites/conf with the "Require local" directive.

In example torrc, we could add:

## Be aware source IP filtering will not be available:
## see https://www.torproject.org/docs/tor-hidden-service.html

before

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
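The check the mail asks operators to do, as an added example that is not part of the original message or of the Tor project's documentation: a small Python scanner that reads Apache configuration text and flags every directive granting access by source address in a way that loopback-forwarded onion traffic would satisfy (Require local, Require ip / Allow from with loopback addresses, Require host localhost), plus mod_status being loaded or mapped to a URL. The configuration it scans is constructed for the example, and the onion-facing VirtualHost in it is hypothetical.

```python
"""Scan Apache config text for source-IP access rules that a Tor hidden
service forwarding to 127.0.0.1 would silently satisfy.

Added example for illustration; not code from the mail or from Tor.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample config (not from any real deployment). It contains
# the directives the mail warns about, plus some harmless ones.
SAMPLE_CONFIG = """\
LoadModule status_module modules/mod_status.so
<VirtualHost 127.0.0.1:80>
    # Hypothetical site reached via "HiddenServicePort 80 127.0.0.1:80"
    DocumentRoot /var/www/html
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    <Directory /var/www/html/admin>
        Require ip 127.0.0.1 ::1
    </Directory>
    <Directory /var/www/html/public>
        Require all granted
    </Directory>
    <Location /legacy-admin>
        Order deny,allow
        Deny from all
        Allow from 127
    </Location>
</VirtualHost>
"""


def is_loopback_token(tok: str) -> bool:
    """True if an Apache address token (IP, CIDR, netmask form, partial
    IP, or 'localhost') covers a loopback address. Apache treats a partial
    IP such as '127' as shorthand for 127.0.0.0/8."""
    tok = tok.strip().lower()
    if tok == "localhost":
        return True
    if re.fullmatch(r"[0-9]+(\.[0-9]+){0,2}", tok):
        parts = tok.split(".")
        tok = ".".join(parts + ["0"] * (4 - len(parts))) + f"/{8 * len(parts)}"
    try:
        return ipaddress.ip_network(tok, strict=False).is_loopback
    except ValueError:
        return False


def scan_apache_config(text: str) -> List[Dict[str, object]]:
    """Return one finding per directive that an onion-forwarded request
    (arriving from loopback) would pass, or that exposes mod_status."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.lower().split()
        head, args = words[:2], words[2:]
        reason = None
        if head == ["require", "local"]:
            reason = "Require local is satisfied by every request relayed by tor"
        elif head == ["require", "ip"] and any(is_loopback_token(t) for t in args):
            reason = "Require ip grants loopback, where all onion traffic originates"
        elif head == ["require", "host"] and "localhost" in args:
            reason = "Require host localhost matches the tor relay's source"
        elif head == ["allow", "from"] and any(is_loopback_token(t) for t in args):
            reason = "Allow from (mod_access_compat) grants loopback"
        elif head == ["sethandler", "server-status"]:
            reason = "mod_status page mapped to a URL; reachable from the onion"
        elif words[0] == "loadmodule" and args[:0] == [] and words[1:2] == ["status_module"]:
            reason = "mod_status loaded; disable it or keep it off the onion vhost"
        if reason:
            findings.append({"line": lineno, "directive": line, "reason": reason})
    return findings


def summarize(findings: List[Dict[str, object]]) -> str:
    """Human-readable report, one line per finding."""
    if not findings:
        return "no source-IP access rules found"
    return "\n".join(f"line {f['line']}: {f['directive']}  ->  {f['reason']}"
                     for f in findings)


if __name__ == "__main__":
    print(summarize(scan_apache_config(SAMPLE_CONFIG)))
```

Run it against the real files (`apache2ctl -t -D DUMP_INCLUDES` lists what Apache actually loads) rather than a single file, since the offending `Require local` often lives in a module's conf snippet rather than the site definition. The scan is a first pass only: it does not evaluate `<RequireAll>`/`<RequireAny>` nesting, so review each hit in context. Beyond removing the flagged directives, a common arrangement (my suggestion, not the mail's) is to give the onion service its own VirtualHost bound to a dedicated loopback address or port so that it shares no configuration with resources meant only for local administrators.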

