
Hidden service binding Nginx to localhost

Hi.

If I set up a hidden service on a regular Linux system I would normally add

listen 127.0.0.1:80;

in order to bind the web server to localhost. Using nginx and Whonix, if you bind the server to 127.0.0.1 the hidden service will not load when trying to access it via an onion address.

It does load using an onion address with either of these lines instead.

listen 80;
or
listen 10.152.152.11:80;

Is using listen 80; safe, as Whonix is forcing all traffic through Tor, or should I bind it to 10.152.152.11, and will this cause any issues?

My concern is shodan or an equivalent finding information.

Thanks in advance.

You have a couple options:

  • Webserver listens on 127.0.0.1. Then you need some way to redirect web traffic between whonix-gateway and localhost on the workstation (ie socat). This opens up localhost bypass attacks since all connections will appear to the web server to be coming from localhost. (Some web services assume localhost is safe to expose because they don’t take Tor usage into consideration.)

  • Use a non-localhost address like 10.152.152.11. This will reveal that you are using Whonix.

  • The most robust option is probably to redirect Unix sockets using socat, similarly to the way that Tor Browser is doing currently. This will also reveal that you are special (non-localhost).

See:

Don’t know. In general, anything an (unauthenticated) user can see, so can a web crawler. IIUC it’s rather trivial to enumerate v2 onions by running HSDirs. v3 is supposed to help by making the onion address itself a key to unlock the descriptors. To keep onion completely hidden, use hidden service authentication.

1 Like

Thanks for the replies if I set it up to use 10.152.152.11, what ways could someone use to find out this information?

I’ve configured my forum and removed any IPs that show when posting and in user profiles.

That’s like asking “How can someone hack into my computer?” Depends on software, configuration, skill of attacker, skill of admin, etc. You’ll get better advice on a pentesting forum.

Regarding socat.

I added this to my nginx conf:

listen 127.0.0.1:80;

I then run socat as follows:

socat TCP-LISTEN:80,fork TCP:10.152.152.10:80

It gives an error saying the address is already in use. I tried stopping nginx and running the socat command first; this time nginx won’t run, saying it is unable to bind to the port because it’s already in use.

Have I done something incorrect?

Thanks in advance.

Don’t have much experience with socat. You can try:

socat TCP-LISTEN:80,fork,reuseaddr,bind=127.0.0.1 TCP:10.152.152.10:80

(Also, there’s nothing special about port 80.)

Still not working with the new socat command, I’ve never used this before so I have no idea what to try next.

When browsing the other thread I noticed that whonix 14 will make this a lot easier, I’m looking forward to that release day :smiley:

entr0py:

(Also, there’s nothing special about port 80.)

There might be - all ports below 1024 require root to be opened, unless
(???).

Oops, that’s backwards. Listen on eth0, stream to localhost:

sudo socat TCP-LISTEN:80,fork,reuseaddr,bind=10.152.152.11 TCP:127.0.0.1:80

But you don’t have to use Unix sockets, or even socat for that matter. (Disregard that riseup link. Not relevant.)

Plain iptables redirection will work. Same as what Whonix Gateway does - in reverse.

sudo sysctl -w net.ipv4.conf.all.route_localnet=1
sudo iptables -t nat -I PREROUTING -i eth0 -d 10.152.152.11 -p tcp --dport 80 -j DNAT --to 127.0.0.1:80

Personally, I would rather not use localhost at all. You never know when some poorly behaved extension will decide to broadcast everything on a localhost page. Plus route_localnet=0 by default for a reason. (If you’re ashamed to be using Whonix :), you can change 10.152.152.11 to something like 192.168.0.2. I’m sure there’s at least a couple hidden services that use reverse-proxies.)


PSA: TPO just released first release candidate for 0.3.2 - meaning stable version is around the corner. Need to reserve my 56 char url before someone takes it.

1 Like
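The two practical points in this thread, the “address already in use” collision and the localhost-bypass caveat from the first reply, can be reproduced without nginx, socat or Whonix. The following script is an added example and is not code from the thread or from the Whonix project. A small TCP server bound to 127.0.0.1 stands in for nginx, a relay thread stands in for `socat TCP-LISTEN:...,fork ...`, and the onion visitor is a local client; because only the loopback interface is available here, the relay binds 127.0.0.1 on a different port instead of 10.152.152.11, and the port numbers are picked at runtime. Function and variable names are the example’s own.

```python
import errno
import socket
import threading


def start_backend():
    """Stand-in for nginx with `listen 127.0.0.1:<port>;`.

    Accepts connections one at a time and replies with the peer address it
    observed, which is what a web app's 'is this localhost?' check would see.
    Bound without SO_REUSEADDR, just like a plain nginx listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:  # listener closed
                return
            with conn:
                conn.recv(1024)  # request fits in one read on loopback
                conn.sendall(f"HTTP/1.0 200 OK\r\n\r\nclient={peer[0]}\n".encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv


def wildcard_bind_collides(port):
    """Reproduce the error from the thread.

    `socat TCP-LISTEN:80,fork TCP:...` without `bind=` listens on 0.0.0.0:80,
    and 0.0.0.0:<port> conflicts with an existing 127.0.0.1:<port> listener.
    Returns True when the kernel refuses the bind with EADDRINUSE.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind(("0.0.0.0", port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        probe.close()


def start_forwarder(bind_addr, target):
    """Stand-in for `socat TCP-LISTEN:<p>,fork,reuseaddr,bind=<addr> TCP:<target>`.

    Each accepted client gets its own relay thread (socat's `fork`).
    """
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # `reuseaddr`
    lst.bind((bind_addr, 0))
    lst.listen(5)

    def relay(client):
        # The upstream connection is opened by the relay itself, so the
        # backend sees the relay's source address (127.0.0.1), never the
        # visitor's. This is the localhost-bypass problem from the thread.
        with client, socket.create_connection(target) as upstream:
            upstream.sendall(client.recv(4096))
            while chunk := upstream.recv(4096):
                client.sendall(chunk)

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            threading.Thread(target=relay, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst


def fetch(addr):
    """Minimal HTTP/1.0 client: send one request, read until the server closes."""
    with socket.create_connection(addr, timeout=5) as s:
        s.sendall(b"GET / HTTP/1.0\r\nHost: example.onion\r\n\r\n")  # constructed host
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)


def client_seen_by_backend(response):
    """Extract the peer address the backend reported in its response body."""
    return response.rsplit(b"client=", 1)[1].strip().decode()


def demo():
    backend = start_backend()
    port = backend.getsockname()[1]
    collides = wildcard_bind_collides(port)
    fwd = start_forwarder("127.0.0.1", ("127.0.0.1", port))
    seen = client_seen_by_backend(fetch(fwd.getsockname()))
    fwd.close()
    backend.close()
    return collides, seen


if __name__ == "__main__":
    collides, seen = demo()
    print("wildcard bind on nginx's port refused:", collides)
    print("address the backend saw for a relayed visitor:", seen)
```

Running it shows why entr0py’s `bind=` fix matters (the wildcard bind is refused while the backend holds 127.0.0.1 on the same port) and why the first reply warns about localhost bypass: every relayed visitor reaches the backend as 127.0.0.1, so any application rule of the form “requests from localhost are trusted” would apply to anonymous Tor visitors too. The same holds for the iptables DNAT variant later in the thread, since the rewritten packets also arrive with a loopback source as far as the application is concerned, which is entr0py’s reason for preferring a non-localhost bind address in the first place.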