torproject/webwml
1
0
Fork 0
mirror of https://github.com/torproject/webwml.git synced 2025-03-01 14:45:41 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

finish the process of not recommending a particular web server for

Browse Source 
hidden service operators
This commit is contained in:
Roger Dingledine 2012-04-23 04:27:55 +00:00
parent a575385337
commit 594cbbfcc9
1 changed files with 10 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
docs/en/tor-hidden-service.wml
View File

@ -73,6 +73,16 @@
you may be using it (or want to use it later) for an actual website.
</p>
<p>
You need to configure your web server so it doesn't give away any
information about you, your computer, or your location. Be sure to
bind the web server only to localhost (if people could get to it
directly, they could confirm that your computer is the one offering
the hidden service). Be sure that its error messages don't list
your hostname or other hints. Consider putting the web server in a
sandbox or VM to limit the damage from code vulnerabilities.
</p>
<p>
Once your web server is set up, make
sure it works: open your browser and go to <a
@ -80,10 +90,6 @@
8080 is the webserver port you chose during setup (you can choose any
port, 8080 is just an example). Then try putting a file in the main
html directory, and make sure it shows up when you access the site.
The reason we bind the web server only to localhost is to make sure
it isn't publically accessible. If people could get to it directly,
they could confirm that your computer is the one offering the
hidden service.
</p>
<hr>
@ -193,16 +199,6 @@
want to make a backup copy of the <var>private_key</var> file somewhere.
</p>
<p>We avoided recommending Apache above, a) because many people might
already be running it for a public web server on their computer, and b)
because it's big
and has lots of places where it might reveal your IP address or other
identifying information, for example in 404 pages. For people who need
more functionality, though, Apache may be the right answer. Can
somebody make us a checklist of ways to lock down your Apache when you're
using it as a hidden service? Savant probably has these problems too.
</p>
<p>If you want to forward multiple virtual ports for a single hidden
service, just add more <var>HiddenServicePort</var> lines.
If you want to run multiple hidden services from the same Tor