10-24-2023, 05:53 PM
While browsing the darknet (Onion websites), it’s quite stunning to see the number of badly configured Hidden Services that will leak directly or indirectly the underlying clearnet IP address. Thus canceling the server anonymity protection that can offer Tor Hidden Services.
Here are a few rules you should consider following before setting up a Onion-only website. This guide covers both Apache and Nginx.
1) Listen to localhost only
Don’t let anyone reach your Onion web application through the clearnet. Plain and simple. Your web server should only listen to 127.0.0.1 so that uniquely the Tor daemon can connect to it.
On Apache, change /etc/apache2/ports.conf:
On Nginx, you should add a listen statement in the /etc/nginx/nginx.conf file:
2) Disable directory listing
“Directory listing” or “directory indexing” is a known plague, even for clearnet websites.
On Apache you can add a Options -Indexes directive to your root web directory:
On Nginx, disable the autoindex module in nginx.conf file:
3) Disable verbose signature and error reporting
This is to ensure your server have a tiny fingerprint, no specific headers or unique version number to track you down.
3.1) Disable server-info and server-status (Apache only)
On some configuration Apache is showing by default /server-info and /server-status pages leaking internal data (such as URL requested from other users).
You can easily disable it by removing the mod_info from httpd.conf or by commenting out the
<Location/server-info>
and
<Location/server-status>
directives in the configuration file.
3.2) Removing the server signature
his will ensure that the version of your webserver and the OS server name won’t leak in the Server header and inside default error webpages (404, 500, …).
On Apache simply add these directives your default httpd.conf file (on Debian 8 you can directly edit /etc/apache2/conf-enabled/security.conf):
On Nginx, disable the server_tokens in nginx.conf:
3.3) Disable application error reporting
This depends on the backend language you’re using (PHP, NodeJS, Python, etc.), I won’t go into the details for each on how to disable error reporting, Google is your friend. Most error reporting (stack traces, memory dumps, etc.) are likely to leak your IP address or other relevant information: disable them all!
4) Fix your flaws
Patch your god damn server (keep it up to date), write code that isn’t shit and riddled with SQL injections, and you should be fine.
5) Route only Tor traffic (advanced)
Some web applications are sending verification e-mails that might leak your IP address to the recipient. This can also happen if your app tries to reach any third party through clearnet (bitcoin payment API, analytics, Twitter, …). In order to prevent this from happening, I recommend you to transparently route all outgoing traffic through Tor. The Tor Project has a guide on how to set up a Transparent Proxy.
TL;DR: set your firewall to deny all outgoing connections except from those coming from the Tor process.
Here are a few rules you should consider following before setting up a Onion-only website. This guide covers both Apache and Nginx.
1) Listen to localhost only
Don’t let anyone reach your Onion web application through the clearnet. Plain and simple. Your web server should only listen to 127.0.0.1 so that uniquely the Tor daemon can connect to it.
On Apache, change /etc/apache2/ports.conf:
Listen 127.0.0.1:80On Nginx, you should add a listen statement in the /etc/nginx/nginx.conf file:
listen 127.0.0.1:80;2) Disable directory listing
“Directory listing” or “directory indexing” is a known plague, even for clearnet websites.
On Apache you can add a Options -Indexes directive to your root web directory:
<Directory /var/www/>
[/size]
[size=medium]Options -Indexes[/size]
[size=medium]</Directory>On Nginx, disable the autoindex module in nginx.conf file:
location / {
autoindex off;
}3) Disable verbose signature and error reporting
This is to ensure your server have a tiny fingerprint, no specific headers or unique version number to track you down.
3.1) Disable server-info and server-status (Apache only)
On some configuration Apache is showing by default /server-info and /server-status pages leaking internal data (such as URL requested from other users).
You can easily disable it by removing the mod_info from httpd.conf or by commenting out the
<Location/server-info>
and
<Location/server-status>
directives in the configuration file.
3.2) Removing the server signature
his will ensure that the version of your webserver and the OS server name won’t leak in the Server header and inside default error webpages (404, 500, …).
On Apache simply add these directives your default httpd.conf file (on Debian 8 you can directly edit /etc/apache2/conf-enabled/security.conf):
ServerSignature Off
ServerTokens ProdOn Nginx, disable the server_tokens in nginx.conf:
http {
server_tokens off;
}3.3) Disable application error reporting
This depends on the backend language you’re using (PHP, NodeJS, Python, etc.), I won’t go into the details for each on how to disable error reporting, Google is your friend. Most error reporting (stack traces, memory dumps, etc.) are likely to leak your IP address or other relevant information: disable them all!
4) Fix your flaws
Patch your god damn server (keep it up to date), write code that isn’t shit and riddled with SQL injections, and you should be fine.
5) Route only Tor traffic (advanced)
Some web applications are sending verification e-mails that might leak your IP address to the recipient. This can also happen if your app tries to reach any third party through clearnet (bitcoin payment API, analytics, Twitter, …). In order to prevent this from happening, I recommend you to transparently route all outgoing traffic through Tor. The Tor Project has a guide on how to set up a Transparent Proxy.
TL;DR: set your firewall to deny all outgoing connections except from those coming from the Tor process.