You have a couple of options:

- Webserver listens on 127.0.0.1. Then you need some way to redirect web traffic between whonix-gateway and localhost on the workstation (i.e. socat). This opens up localhost bypass attacks, since all connections will appear to the web server to be coming from localhost. (Some web services assume localhost is safe to expose because they don’t take Tor usage into consideration.)
- Use a non-localhost address like 10.152.152.11. This will reveal that you are using Whonix.
- The most robust option is probably to redirect Unix sockets using socat, similarly to the way Tor Browser currently does it. This will also reveal that you are special (non-localhost).
See:
- Hidden service, Apache and Whonix wiki related questions. - #11 by Patrick
- [s]Hosting Onion Services - riseup.net
Don’t know. In general, anything an (unauthenticated) user can see, so can a web crawler. IIUC it’s rather trivial to enumerate v2 onions by running HSDirs. v3 is supposed to help by making the onion address itself a key to unlock the descriptors. To keep an onion completely hidden, use hidden service authentication.
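To make the localhost-bypass caveat from the first option concrete, here is an added example (not from the post above, and not Whonix or Tor Browser code): a small Python TCP relay that does what `socat TCP-LISTEN:...,fork TCP:127.0.0.1:PORT` would do on the workstation, in front of a web service that grants `/admin` to any loopback peer. Because the relay re-originates every connection, the backend sees `127.0.0.1` for a visitor arriving over the onion service and lets them in; the token-gated variant shows the fix (authenticate the request, not the peer address). Everything here is constructed for the demonstration: the relay binds `127.0.0.1` on an ephemeral port where the real setup would bind `10.152.152.11`, the `X-Admin-Token` header and `ADMIN_TOKEN` are hypothetical, and the ports are chosen by the OS.

```python
import hmac
import secrets
import socket
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

LOOPBACK = {"127.0.0.1", "::1"}
# Hypothetical admin secret for the hardened variant; constructed per run, not a real credential.
ADMIN_TOKEN = secrets.token_hex(16)


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst (one direction of socat's copy loop)."""
    try:
        while True:
            chunk = src.recv(65536)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_addr, backend_addr):
    """Stand-in for `socat TCP-LISTEN:PORT,bind=ADDR,fork,reuseaddr TCP:127.0.0.1:PORT`.

    Every accepted connection is re-originated from this host, so the backend
    only ever sees the relay (127.0.0.1) as its peer. Returns the bound address."""
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(listen_addr)
    ls.listen(16)

    def serve():
        while True:
            try:
                client, _ = ls.accept()
            except OSError:
                return
            backend = socket.create_connection(backend_addr)
            threading.Thread(target=_pump, args=(client, backend), daemon=True).start()
            threading.Thread(target=_pump, args=(backend, client), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return ls.getsockname()


def make_handler(trust_loopback):
    """Build a request handler; trust_loopback=True is the pattern the post warns about."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            peer = self.client_address[0]
            if self.path == "/admin":
                if trust_loopback:
                    allowed = peer in LOOPBACK  # "localhost is safe": true for every relayed Tor visitor
                else:
                    supplied = self.headers.get("X-Admin-Token", "")
                    allowed = hmac.compare_digest(supplied, ADMIN_TOKEN)
                if not allowed:
                    self._reply(403, "forbidden")
                    return
            self._reply(200, f"peer={peer}")

        def _reply(self, code, text):
            body = text.encode()
            self.send_response(code)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_backend(trust_loopback):
    """Web service listening only on 127.0.0.1, as in the first option of the post."""
    srv = HTTPServer(("127.0.0.1", 0), make_handler(trust_loopback))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


def fetch(addr, path, headers=None):
    """Plain GET through the given address; returns (status, body)."""
    conn = HTTPConnection(addr[0], addr[1], timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read().decode()
    conn.close()
    return resp.status, body


def demo():
    """What /admin answers when reached through the relay, i.e. as a visitor over the onion service would."""
    trusting_relay = start_relay(("127.0.0.1", 0), start_backend(trust_loopback=True))
    gated_relay = start_relay(("127.0.0.1", 0), start_backend(trust_loopback=False))
    return {
        "trusts_loopback": fetch(trusting_relay, "/admin"),
        "token_gated": fetch(gated_relay, "/admin"),
        "token_gated_with_token": fetch(gated_relay, "/admin", {"X-Admin-Token": ADMIN_TOKEN}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The first result is the bypass: the loopback-trusting backend returns 200 to an anonymous visitor because the relay, like socat, is the only peer it ever sees. The same relay in front of the token-gated backend yields 403 until the request carries the secret, which is the property you want regardless of whether the service is reached via localhost, 10.152.152.11, or a Unix socket.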