9

Running a hidden service in a secure way can be a really complicated matter.

Ideally the system where the hidden service software (e.g. a web server) lives should not have a publicly routable IP address on any of its network interfaces and should not be able to learn its real public IP address. That rules out NAT as a solution, since a system behind NAT, although it has no publicly routable address, can easily find its real address.

A solution would be an isolated system with all its connections routed through Tor. For example, another box running Tor could serve as a middle-box/router for the isolated hidden service host.

If a user followed the traditional way to set up a hidden service on the isolated box, then she would end up running Tor on both machines, routing one Tor instance through another and thus having terrible effects on latency and bandwidth.

My question is: could the user run the hidden service's software, for example an Apache web server instance, on a box different from the one running the Tor instance?

If not, is there any other feasible solution that could fit the scheme described above?

TN888
alaf

2 Answers

4

Sure, just configure your hidden service with the external IP, e.g.:

HiddenServicePort 80 192.168.1.10:8080

Where 192.168.1.10 is the server running your hidden service (on port 8080 in this example, which will be exposed via the hidden service on port 80).

If for some reason you didn't want to do that, you could always forward the external host's port to your local port via nc, ssh, iptables, or any other software people use to forward ports.
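The answer above hinges on the TARGET part of HiddenServicePort pointing at the isolated box rather than at the Tor host itself. The following script is an added example, not code from the answer or from the Tor project: it parses the HiddenServicePort lines of a torrc and reports, per line, whether the backend sits on the Tor box (loopback or unix socket, which is what the default 127.0.0.1:VIRTPORT gives you), on a separate host in an RFC 1918 / IPv6 unique-local range as the question wants, or on a routable address that would contradict the isolation goal. The torrc fragment is constructed for the example; 203.0.113.5 is a documentation address standing in for a public one.

```python
import ipaddress

# Constructed torrc fragment (not from the original post). It exercises the
# TARGET forms Tor accepts for HiddenServicePort: "addr:port", a bare port,
# an omitted target, a bracketed IPv6 address and a unix socket path.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/hs_example/
HiddenServicePort 80 192.168.1.10:8080
HiddenServicePort 443 8443
HiddenServicePort 22
HiddenServicePort 8080 [fd00:dead:beef::10]:80
HiddenServicePort 8081 203.0.113.5:80
HiddenServicePort 9000 unix:/var/run/hs.sock
"""

# Ranges that count as "a separate box on the isolated network":
# RFC 1918 IPv4 plus IPv6 unique-local addresses (RFC 4193).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def parse_hidden_service_ports(torrc_text):
    """Yield (virtport, target) for every HiddenServicePort line.

    target is None when the line carries no TARGET; Tor then uses
    127.0.0.1:VIRTPORT. Comments and other directives are skipped.
    """
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0].lower() != "hiddenserviceport" or len(parts) < 2:
            continue
        virtport = int(parts[1])
        target = parts[2] if len(parts) > 2 else None
        yield virtport, target


def resolve_target(virtport, target):
    """Normalise a TARGET into (kind, host, port).

    kind is "unix" for a socket path and "ip" otherwise. A missing target
    or a bare port means the service listens on the Tor host's loopback.
    """
    if target is None:
        return "ip", "127.0.0.1", virtport
    if target.startswith("unix:"):
        return "unix", target[len("unix:"):], None
    if target.isdigit():                    # bare port -> 127.0.0.1:port
        return "ip", "127.0.0.1", int(target)
    if ":" not in target:                   # bare address -> addr:VIRTPORT
        return "ip", target, virtport
    host, _, port = target.rpartition(":")  # also splits "[v6addr]:port"
    return "ip", host.strip("[]"), int(port)


def verdict_for(kind, host):
    """Say where the backend lives relative to the Tor box."""
    if kind == "unix":
        return "same host (unix socket)"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unrecognised target"
    if addr.is_loopback:
        return "same host (loopback)"
    if any(addr in net for net in PRIVATE_NETS):
        return "separate host on private network"
    return "routable address - backend is not isolated"


def audit_torrc(torrc_text):
    """Return [(virtport, target, verdict), ...] for each HiddenServicePort line."""
    results = []
    for virtport, target in parse_hidden_service_ports(torrc_text):
        kind, host, _port = resolve_target(virtport, target)
        results.append((virtport, target, verdict_for(kind, host)))
    return results


if __name__ == "__main__":
    for virtport, target, verdict in audit_torrc(SAMPLE_TORRC):
        shown = target if target is not None else "(default)"
        print(f"virtport {virtport:<5} target {shown:<28} {verdict}")
```

Run it against your own torrc to confirm that every HiddenServicePort line you expect to reach the isolated box really does resolve to a private-network host; a bare port or a missing target silently places the service on the Tor box itself, which is exactly the layout the question is trying to avoid.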

3

Yes, you could do that. There are probably multiple ways to do this, but the first that comes to mind is:

  • Run a hidden service that is a reverse proxy to the machine that runs the Apache instance. This machine should accept only connections from the Tor network.

  • Make sure the other machine, the one that runs the Apache instance, can accept connections only from the reverse proxy. One way to do this is to run Apache on a virtualized host, and firewall it from outside the virtual machine. You can use a VPN for the communication between the two machines.