[Tor-BSD] OpenBSD httpd hidden service

hue manatee huemanatee at riseup.net
Tue Dec 5 12:28:32 EST 2017

Nice responses. Compiled, we have the following recommendations. Not 
sure how to accomplish most of them, but do have some good search terms:

1. Access the .onion address in Tor Browser. DONE, see OP.

2. Determine if httpd answers requests for its own config (unsure how to 
test this).

3. Determine if httpd tells clients about its own IP address (unsure how 
to test this).

4. Determine if httpd looks up addresses that clients send it in DNS 
(unsure how to test this).

5. Place httpd behind a fully Tor-ified network (unsure how to do this).

6. Run httpd inside a vmm and transparently torify all traffic of its 
only (network) interface (unsure how to do this).

7. Use pf to filter by user/group, all outbound traffic originating with 
httpd/slowcgi/other hidden-location service app (consult man pf).

8. Consult Sarah Jamie Lewis' work on fingerprinting .onion services to 
test this site (https://sarahjamielewis.com/; particularly onionscan tool).

9. Ensure the www server isn't listening publicly by setting http(d) 
listening port (in httpd.conf). DONE, see OP.

10. Reinforce www server isn't listening publicly by not allowing with 
host and network-based firewall (unsure how to do this).


On 12/05/2017 09:10 AM, Jean-Philippe Ouellet wrote:
> On Tue, Dec 5, 2017 at 9:45 AM, Shawn Webb <shawn.webb at hardenedbsd.org> wrote:
>> On Tue, Dec 05, 2017 at 07:28:39PM +1100, teor wrote:
>>>> On 5 Dec 2017, at 18:42, hue manatee <huemanatee at riseup.net> wrote:
>>>> So, like any good bsd'er, I consulted 'man tor' and 'man httpd' and, of course, they described pretty clearly how to configure things. Below are the steps I followed. Would be nice to know if this location-hidden service IS indeed configured securely, but I'm not sure how to test.
>>> Access the onion address in Tor Browser.
>>> If it works, the tor portion is secure.
>>> The httpd portion may be insecure, depending on how it is configured.
>>> Does httpd:
>>> * answer requests for its own config
>>> * tell clients information about its own IP address
>>> * look up addresses that clients send it in DNS
>>> Sarah Jamie Lewis has done some excellent work on fingerprinting onion
>>> services - there are probably a few more major vectors I've forgotten.
>> If 100% anonymity is important, I would stick the httpd behind a fully
>> Tor-ified network. That way, httpd itself doesn't know or even care
>> that it's behind Tor. It cannot leak any private info.
> +1 for this approach
> If you're confined to a single physical machine for real-world
> reasons, running httpd inside vmm and transparently torrifying all
> traffic of its only interface sounds like an approach more resistant
> to inadvertent information disclosures, especially if you're concerned
> about people exploiting some webapp you're running and (pretty
> trivially) leaking from there.
> Remember that pf also has the ability to filter by user/group [1],
> which you may find useful if you wish to forbid outbound traffic
> originating from httpd/slowcgi/whatever.
> Cheers,
> Jean-Philippe
> [1]: https://man.openbsd.org/pf.conf#user

More information about the Tor-BSD mailing list