
I've read that it's best to host Tor and your website service on separate machines and then point your torrc file to your web host (host where website files are stored). It's quite possible that my Tor machine and web host will be geographically separate. Assuming my web host has a public IP of say 41.14.44.11, I would change my Tor host machine settings to:

HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80 41.14.44.11:8080

My question: Does this mean that my Tor machine will have to go out onto the clearnet to connect to my web host and then receive the data back from the host and then serve it to my visitors, essentially making it a sort of "exit node" to connect to my web host? This would be very bad for security and anonymity. The data between the Tor host and web host will also be plain text unless SSL is implemented between the two, correct? Or how would you ensure encryption for the data from the web host back into Tor?

Would it not be possible (and better) to also set up Tor on the web host machine and then point the Tor host machine to the .onion link of my web host, thus keeping all the traffic inside the Tor network and essentially turning the Tor machine into a sort of proxy while still making it secure so that if my Tor service was to be compromised my webhost would still be safe? Like so:

HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
HiddenServicePort 80 xxxxxxxxxxxxxxxx.onion:8080

jaydoo

2 Answers


Where did you read that advice? I know there's advice out there that suggests you don't run a Tor relay on the same machine as an onion service. But that's a different thing entirely. Unless you're enterprise-sized, it's best to run Tor on the same machine as the webserver.

Because, yes. A torrc with the following will send web traffic over the Internet unprotected. BAD.

HiddenServicePort 80 41.14.44.11:8080

The much more intelligent thing to do is run your webserver and Tor on the same machine and use localhost in the torrc instead.

HiddenServicePort 80 127.0.0.1:8080

I think you are confusing the Tor client you run on the machine in front of you in order to access the Tor network with the Tor client you need to run on a server somewhere in order to give your website a .onion address.

pastly

This is a terrible idea.

First of all, you're routing all plaintext HTTP requests and responses back and forth over the open internet. Absolutely everyone with network visibility can see the entire contents of every HTTP request. Even using HTTPS would result in people able to tie the requests to the .onion address due to TLS SNI.

Second of all, allowing the onion service direct access to the internet in the first place should be avoided. Most webserver hosting technologies are large and complex and were never designed with anonymity, privacy or proxy obedience in mind. They leak, and can be induced to make connections (in often unexpected ways) that can deanonymize them. I recently ran a scan of the entire Ahmia onion list and managed to cause approx. 80 onions to perform DNS lookups, of my choosing, outside of Tor. If making connections across the internet to some remote host, then the simple ability to determine $_SERVER['REMOTE_ADDR'] or $_SERVER['SERVER_ADDR'] would be sufficient to discover the location of the server.

When people on the other ticket suggest running the web server and Tor on separate machines, they mean on a network that you control and only you have visibility of, be it a physical LAN or a virtual network under a hypervisor. By isolating the web server from direct internet access, you increase your resilience to exploitation or accidental leaks as a means of deanonymization.

[HTTPD] <--Local/Private Network--> [Tor Enforcement/Firewall] <--Tor Network--> [Attacker]

In the above scenario, an attacker who is able to exploit the HTTPD or web app is still unable to directly connect back to the internet without then also exploiting the Tor Enforcement/Firewall device, defeating many attackers and drastically increasing the cost and risk for others.

Setting this up properly is no simple task and comes with many of its own caveats and potential pitfalls, but if done right, it does have distinct advantages against sophisticated attackers.

However, in most cases simply using a local packet filter (e.g. iptables) to stop outbound connections outside of Tor and using 127.0.0.1 for your onion services would be sufficient (it would still require an additional privilege escalation exploit to bypass the network filter) to stop most attackers.

cacahuatl
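One way to implement the local packet-filter approach described in this answer, added here as an example and not the answerer's own configuration: the ruleset below lets only the tor daemon's uid open new outbound connections, while the web server bound to 127.0.0.1 still reaches tor over loopback. The Debian-style tor user name debian-tor and the TOR_USER variable are assumptions.

```shell
#!/bin/sh
# Added example: tor-only egress filter for a host running an onion service
# with "HiddenServicePort 80 127.0.0.1:8080". Assumes the tor daemon runs as
# the user named in TOR_USER (default: debian-tor, the Debian package user).
set -eu

# Emit an iptables-restore(8) ruleset for the OUTPUT chain.
# $1 = numeric uid of the tor daemon.
tor_only_rules() {
    tor_uid="$1"
    cat <<EOF
*filter
:OUTPUT DROP [0:0]
# loopback: web server <-> tor (HiddenServicePort 80 127.0.0.1:8080)
-A OUTPUT -o lo -j ACCEPT
# replies on connections that were already accepted inbound
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only the tor daemon may open new connections to the Internet
-A OUTPUT -m owner --uid-owner ${tor_uid} -j ACCEPT
# everything else (web server, PHP, cron, DNS) hits the DROP policy; log it
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "non-tor egress: "
COMMIT
EOF
}

# Sanity check a ruleset before loading it: the chain policy must be DROP
# and exactly one owner-match ACCEPT rule must be present.
check_rules() {
    printf '%s\n' "$1" | grep -q '^:OUTPUT DROP' || return 1
    [ "$(printf '%s\n' "$1" | grep -c -- '--uid-owner')" -eq 1 ] || return 1
}

# Load the rules when run as root with iptables available; otherwise print
# them so they can be reviewed first.
apply_or_show() {
    tor_user="${TOR_USER:-debian-tor}"
    uid="$(id -u "$tor_user")" || { echo "no such user: $tor_user" >&2; return 1; }
    rules="$(tor_only_rules "$uid")"
    check_rules "$rules" || { echo "ruleset failed sanity check" >&2; return 1; }
    if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        printf '%s\n' "$rules" | iptables-restore
    else
        printf '%s\n' "$rules"
    fi
}
```

The owner match is what makes the "additional privilege escalation" remark above concrete: a compromised web app running as the web server's uid cannot match the tor uid, so any clearnet connection it attempts is dropped and logged instead of revealing the server's address.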