To: tor-talk@lists.torproject.org
From: contact_tor@nirgal.com
Date: Sun, 31 Jan 2016 09:53:54 +0000
Subject: Re: [tor-talk] How to protect apache local-restricted from secret
 service access?

Ping! That issue was slashdot'ed yesterday:

http://apache.slashdot.org/story/16/01/30/1825256/sensitive-information-can-be-revealed-from-tor-hidden-services-on-apache



In February 2015, contact_tor@nirgal.com wrote:
> Mirimir wrote:
>> On 02/06/2015 08:49 AM, contact_tor@nirgal.com wrote:
>>> Documentation really should warn about this, IMHO:
>>> https://www.torproject.org/docs/tor-hidden-service.html
>>> and possibly a one line warning in the example torrc since
>>> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
>>
>> Yes.
> 
> How can I make that happen?
> 
> Here's a draft for the last bullet points (English is not my native
> language):
> 
> * Make sure you don't grant access to special URLs based on source IP
> address, since all connections will come from localhost or wherever you
> install tor on your LAN. For example, on Apache, you should disable
> mod_status and all modules/sites/conf with "Require local" directive.
> 
> In example torrc, we could add:
> 
> ## Be aware source IP filtering will not be available:
> ## see https://www.torproject.org/docs/tor-hidden-service.html
> 
> before
> 
> #HiddenServiceDir /var/lib/tor/hidden_service/
> #HiddenServicePort 80 127.0.0.1:80
> 

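Added example, not part of the original message or of the Tor Project's documentation: a small Python check for the situation the draft warns about, where torrc forwards a hidden service port to a loopback address and the Apache configuration grants access by local source IP. The function names, the sample torrc and the sample Apache snippet are constructed for illustration; only the loopback case is covered, not tor running elsewhere on the LAN.

```python
import ipaddress
import re

# Apache rules that trust a local peer address (2.4 "Require", 2.2 "Allow from").
LOCAL_RULE = re.compile(
    r"^\s*(Require\s+(local\b|ip\s+(127\.|::1))|Allow\s+from\s+(127\.|::1|localhost))",
    re.IGNORECASE)

def onion_targets(torrc_text):
    """Return (virtual_port, host, port) for each active HiddenServicePort line."""
    targets = []
    for line in torrc_text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2 or fields[0].lower() != "hiddenserviceport":
            continue
        virt = int(fields[1])
        target = fields[2] if len(fields) > 2 else str(virt)
        if target.startswith("unix:"):
            continue                                # unix sockets carry no peer IP
        host, _, port = target.rpartition(":")
        if not port.isdigit():                      # bare address: port = virtual port
            host, port = target, virt
        targets.append((virt, host.strip("[]") or "127.0.0.1", int(port)))
    return targets

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"

def audit(torrc_text, apache_conf_text):
    """Return (line_number, directive) for Apache rules every onion client satisfies."""
    if not any(is_loopback(host) for _, host, _ in onion_targets(torrc_text)):
        return []
    return [(n, line.strip())
            for n, line in enumerate(apache_conf_text.splitlines(), 1)
            if LOCAL_RULE.match(line)]

# Constructed sample inputs.
SAMPLE_TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:80\n"
SAMPLE_APACHE = """<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    for lineno, rule in audit(SAMPLE_TORRC, SAMPLE_APACHE):
        print(f"line {lineno}: '{rule}' is satisfied by every hidden service visitor")
```

Each reported line is a rule to remove or replace with authentication that does not depend on the client address.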

