Hidden service, Apache and Whonix wiki related questions.

I’ve been reading the Whonix wiki about setting up an apache hidden service, it says that you should use the following command

sudo apt-get install libapache-mod-removeip

is this still needed? I am only asking because when I input that command into the Whonix workstation, it says package not found.

Also the wiki suggests adding the following to ports.conf

ServerName localhost

Then it further suggests to add the following to sites-available.conf

But it is just a blank line, so am I to assume that nothing is to be added to the sites-available.conf ?

Last question, the wiki also states to use the following ncat command

sudo ncat -l 80 -c ‘ncat 80’

Would there be a better command to use for iptables if one does not have ncat installed.

Sorry if these questions are very noobish I’m just trying to gain knowledge and learn about all of this.

A researcher (Sarah Jamie-Lewis) who scans Hidden Services to map their relationships also wrote a report on tips for safely configuring them.

Apache is a bad choice that we should recommend against:

  1. Steer Away from Apache

By default, most modern web servers are private by default i.e. they have directory listings turned off, and have minimal extensions installed that may leak information.

Apache sadly is often packaged in a way that is the opposite of the above, and most fresh installs include a few modules which are damaging to privacy especially when deployed as part of an onion service.

The most critical of these is mod_status - a module which presents a single page at /server-status containing a number of analytics about the server.

The main defense mod_status has from unauthorized eyes is that it is only available from localhost.

If you’ve been following along, you might realize the issue - all onion services receive traffic as if it is coming from localhost. The availability of mod_status in this context is an example of a localhost bypass attack, but this attack, although with other Apache quirks, often contains identifiers which can be used to correlate identities.

How bad can it get - At least 12% of Apache hosted onion services have mod_status enabled - leaking server IP addresses, co-hosted hidden services, clearnet visitor IP addresses, user activity an much more.

Maybe use nginx.

1 Like

Documentation regarding libapache-mod-removeip fixed:


For reference:

Yes. And also add relevant recommends from https://mascherari.press/thwarting-identity-correlation-attacks/. Please open ticket(s).

Thank you both for the reply, I’m just trying different servers out and increasing my knowledge If I was to deploy a live .onion I would go with Nginx but right now I am still playing or attempting to play around with apache on my Workstation.

I seem to have everything else setup other than nca command, I had to use apt-get install namp on my Whonix worksation and then I ran the command in the wiki and it gave me the following error

Sudo ncat -l 80 -c 'ncat 80’
Ncat: bind to Cannot assign requested address. QUITTING.

I am right in thinking this has to be done on the workstation and not the gateway correct?

Absolutely. You should never touch the gateway for anything besides setting up a HS in the torrc. The second you install any client/server software on there you break the security model.


After reading the above links I have went ahead and created a small onion forum with an nginx server, it’s just for testing and only I have access to said forum.

When I make a dummy post on said forum it shows the whonix internal i.p instead of, is this common practice for a forum running a server behind a Whonix workstation or have I configured something innocently?

I ran S-Rahs onionscan and that came back with 0 issues

@Patrick Can socat be used here for all WS software, where users can just bind to localhost and expect it to route packets to the GW?

What is the best minimalistic setup for providing static content (like only an index.html file) or for providing dynamic content?

what about the comparison between lighttpd vs nginx in terms of minimality and anonymity/security?

So after some research,

thttpd looks like the best, fastest, minimalist choice to serve static content like html and image files. also: “thttpd has a bandwidth throttling feature which enables the server administrator to limit the maximum bit rate at which certain types of files may be transferred.” I guess this could be useful to prevent certain type of attacks including traffic correlation against hidden services.

lighttpd or nginx are the best popular options to serve dynamic as well as static content.

if the goal is to only host static content, (as an alternative to thttpd) lighttpd is said to be a better and easier option than nginx.

but for dynamic content I don’t know which one is the best overall (lighttpd vs nginx) for a hidden service to prevent deanonymization. criterias may include ease of configuration, minimality, security, and others

I recommend more people testing and providing feedback about thttpd, lighttpd and nginx, and for the wiki to be updated to at least give the idea that for static content thttpd is probably the best choice for a hidden service for many reasons.

Additional: http://tor.stackexchange.com/questions/1754/what-is-best-secure-and-anonymous-web-server-for-hosting-tor-hidden-services

I still like thttpd as a web server, but it's no longer in the Debian repository.
Nginx is arguably most secure, but lighttpd is OK, and easier to set up. – mirimir

It’s not catastrophic, but also not great since this points to Whonix.

Socat could help indeed. Bind the server to only. Then try using socat to redirect from Whonix-Workstation localhost to Whonix-Gateway. Try the following. Untested.

socat TCP-LISTEN:80,fork TCP:$GATEWAY_IP:80

socat port redirection will become more convenient in Whonix 14.

Then you can add your socat line simply to /etc/anon-ws-disable-stacked-tor.d configuration folder.

On the same website as thttpd there are 2 even smaller server software called mini_httpd and micro_httpd, the latter being extremely small with around 300 lines of simple code.


Patrick one final question if I may.

I have just setup another hidden service this time using Lighttpd as suggested in the Whonix wiki, I followed the instructions exactly as stated, but when I made my website error out, and check my logs it is showing the Whonix internal i.p still similar to how nginx did earlier with the forum i.p address.

Is this going to happen with ever server? I assume yes due to it been the gateway internal i.p and I also assume that I should follow the above instructions you left for the nginx server earlier, but you’re the expert and I would like you to confirm this if it is indeed the case.

Thanks for all the help and when I get paid at the end of the month I will be donating for all the time and effort that goes into this amazing program.

Thanks. Worth researching since these are installable from Debian.

It depends on the server software and perhaps also on its configuration. It is easy to imagine that some servers do not have this behavior by default or that it may be configured. [I conclude that from the fact, that this is possible using apache with mod removeip.]

Besides that, I don’t know if any server software does this by default or could be configured to do so. TODO: research. It would be great if there was, since that would show that they had privacy in mind when developing the server software.

[Imprint] [Privacy Policy] [Cookie Policy] [Terms of Use] [E-Sign Consent] [DMCA] [Contributors] [Investors] [Priority Support] [Professional Support]