Delivery-Date: Thu, 05 Feb 2015 11:11:27 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY,
	URIBL_BLOCKED autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 10F561E03D3
	for <archiver@seul.org>; Thu,  5 Feb 2015 11:11:26 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 3FDB933A3F;
	Thu,  5 Feb 2015 16:11:22 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 0E84933A11
 for <tor-talk@lists.torproject.org>; Thu,  5 Feb 2015 16:11:19 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id cLKSa6W80b_A for <tor-talk@lists.torproject.org>;
 Thu,  5 Feb 2015 16:11:18 +0000 (UTC)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id DF49B3389B
 for <tor-talk@lists.torproject.org>; Thu,  5 Feb 2015 16:11:18 +0000 (UTC)
Received: from berryeater.riseup.net (berryeater-pn.riseup.net [10.0.1.120])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.riseup.net (Postfix) with ESMTPS id 1C1884183B
 for <tor-talk@lists.torproject.org>; Thu,  5 Feb 2015 16:11:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1423152676; bh=Fcl7Od99zhiyw0hgkeKkbacQhcvHmA0hnu+LAuhyTw0=;
 h=Date:From:To:Subject:References:In-Reply-To:From;
 b=YqAJFFV/KnkLkXb8IoduhSmV3DQY2j865UKrW0I1HO7Ve3ByHSWVN0/Fo1iwZwJpT
 voV2Tw7GeSv+Wd0YKXD15B5ey3N8NXmxnKB7mUZ5BTeqOSO74uS175ZfMLU+Nqcqq+
 x9/O/t0cWwYiZRlQfTQ5dW8VHaggfkJkv5yZ0jzw=
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (Authenticated sender: mirimir) with ESMTPSA id 882B14288F
Message-ID: <54D39634.6090703@riseup.net>
Date: Thu, 05 Feb 2015 09:11:32 -0700
From: Mirimir <mirimir@riseup.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <54D23891.3040409@nirgal.com>
In-Reply-To: <54D23891.3040409@nirgal.com>
X-Virus-Scanned: clamav-milter 0.98.5 at mx1
X-Virus-Status: Clean
Subject: Re: [tor-talk] How to protect apache local-restricted from secret
 service access?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 02/04/2015 08:19 AM, contact_tor@nirgal.com wrote:
> Hi
> 
> When you have a website that is available from a tor secret service, how
> do you forbid access to url restricted to ip=localhost?
> 
> I'm thinking of apache default http://xxxxx.onion/server-status for example.
> 
> Using "a2dismod status" is the obvious solution for that one, but does
> anyone had a more generic solution?
> Maybe a full VM with a vif interface? That's an heavy solution...
> Anything more simple?

You can use firewall rules.

> The web site I'm thinking about has a public address, nothing to hide,
> and the .onion address is only there to protect the users. But I'd
> rather not introduce too many security issues...

Running hidden services and non-Tor websites on the same server is
generally considered bad practice.

> (BTW, a warning about these issues on
> https://www.torproject.org/docs/tor-hidden-service.html would be nice)
> 
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

