If i set up a hidden service on a regular Linux system I would normally add
listen 127.0.0.1:80;
in order to bind the web server to localhost. Using nginx and Whonix, if you bind the server to 127.0.0.1 the hidden service will not load when trying to access it via an onion address.
It does load using an onion address with either of these lines instead.
listen 80;
or
listen 10.152.152.11:80;
Is using listen 80; safe, as Whonix is forcing all traffic through Tor? Or should I bind it to 10.152.152.11, and will this cause any issues?
My concern is shodan or an equivalent finding information.
Web server listens on 127.0.0.1. Then you need some way to redirect web traffic between whonix-gateway and localhost on the workstation (i.e. socat). This opens up localhost bypass attacks since all connections will appear to the web server to be coming from localhost. (Some web services assume localhost is safe to expose because they don’t take Tor usage into consideration.)
Use a non-localhost address like 10.152.152.11. This will reveal that you are using Whonix.
The most robust option is probably to redirect Unix sockets using socat, similarly to the way that Tor Browser is doing currently. This will also reveal that you are special (non-localhost).
Don’t know. In general, anything an (unauthenticated) user can see, so can a web crawler. IIUC it’s rather trivial to enumerate v2 onions by running HSDirs. v3 is supposed to help by making the onion address itself a key to unlock the descriptors. To keep onion completely hidden, use hidden service authentication.
That’s like asking “How can someone hack into my computer?” Depends on software, configuration, skill of attacker, skill of admin, etc. You’ll get better advice on a pentesting forum.
It gives an error saying the address is already in use. I tried stopping nginx and running the socat command first; this time nginx won’t run, saying it is unable to bind to the port because it’s already in use.
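The relay layout from the first reply (nginx on 127.0.0.1, socat forwarding from the workstation's internal address) and the "address already in use" error in the follow-up, as an added shell example that is not code from this thread or from Whonix. It models the three listen choices discussed, parses a socat TCP-LISTEN spec into the address it would bind, and reports when socat and nginx would collide on a port, which is what happens when socat is started without bind= and so claims 0.0.0.0:80 on top of nginx. The address 10.152.152.11 and port 80 are the thread's; TCP-LISTEN, bind=, fork and reuseaddr are socat's own option names; the document root is a placeholder.

```shell
#!/bin/sh
# Added example for the Whonix hidden-service thread; not from the thread or Whonix.

# Normalize an nginx "listen" argument to ADDR:PORT.
# A bare port ("listen 80;") binds every interface, i.e. 0.0.0.0:PORT.
normalize_bind() {
    case "$1" in
        *:*) printf '%s\n' "$1" ;;
        *)   printf '0.0.0.0:%s\n' "$1" ;;
    esac
}

# Turn a socat TCP-LISTEN spec into the ADDR:PORT it will actually bind.
# Without bind=, socat listens on all interfaces, just like "listen 80;".
socat_listen_bind() {
    spec=$1
    port=${spec#TCP-LISTEN:}; port=${port%%,*}
    case "$spec" in
        *,bind=*) addr=${spec#*,bind=}; addr=${addr%%,*} ;;
        *)        addr=0.0.0.0 ;;
    esac
    printf '%s:%s\n' "$addr" "$port"
}

# Two listeners conflict when the ports match and either one binds the
# wildcard address or both name the same address. This is the bind error
# seen when socat (0.0.0.0:80) and nginx (127.0.0.1:80) both want port 80.
binds_conflict() {
    a=$(normalize_bind "$1"); b=$(normalize_bind "$2")
    a_addr=${a%:*}; a_port=${a##*:}
    b_addr=${b%:*}; b_port=${b##*:}
    [ "$a_port" = "$b_port" ] || return 1
    [ "$a_addr" = "$b_addr" ] && return 0
    [ "$a_addr" = "0.0.0.0" ] || [ "$b_addr" = "0.0.0.0" ]
}

# Summarize what each listen choice from the thread exposes.
bind_exposure() {
    case "$(normalize_bind "$1")" in
        127.0.0.1:*)     echo "loopback-only: unreachable from whonix-gateway without a relay; relayed clients all look like localhost" ;;
        0.0.0.0:*)       echo "all-interfaces: reachable from whonix-gateway on 10.152.152.11 without a relay" ;;
        10.152.152.11:*) echo "whonix-internal: works without a relay, but the address identifies Whonix" ;;
        *)               echo "other: $1" ;;
    esac
}

# The socat relay for the loopback option: listen only on the internal
# address so it does not collide with nginx on 127.0.0.1:80.
relay_command() {
    printf 'socat TCP-LISTEN:%s,bind=%s,fork,reuseaddr TCP:127.0.0.1:%s\n' "$1" 10.152.152.11 "$1"
}

# Write a minimal nginx server block for the chosen listen argument.
write_nginx_site() {
    cat > "$1" <<EOF
server {
    listen $2;
    server_name _;
    root /var/www/onion;   # placeholder document root
}
EOF
}

# Demonstration: check the relay plan against nginx bound to loopback.
relay_spec="TCP-LISTEN:80,bind=10.152.152.11,fork,reuseaddr"
echo "nginx: $(bind_exposure 127.0.0.1:80)"
echo "socat binds: $(socat_listen_bind "$relay_spec")"
if binds_conflict "$(socat_listen_bind "$relay_spec")" 127.0.0.1:80; then
    echo "conflict: socat and nginx fight over the same socket"
else
    echo "ok: run -> $(relay_command 80)"
fi
if binds_conflict "$(socat_listen_bind 'TCP-LISTEN:80,fork')" 127.0.0.1:80; then
    echo "without bind=, socat takes 0.0.0.0:80 and nginx fails with 'address already in use'"
fi
```

Running it prints the relay command to use alongside `listen 127.0.0.1:80;` and shows why the bind=-less variant collides; the gateway's HiddenServicePort still has to point at 10.152.152.11:80 for the relay to be reached.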
Personally, I would rather not use localhost at all. You never know when some poorly behaved extension will decide to broadcast everything on a localhost page. Plus route_localnet=0 by default for a reason. (If you’re ashamed to be using Whonix :), you can change 10.152.152.11 to something like 192.168.0.2. I’m sure there’s at least a couple of hidden services that use reverse proxies.)
PSA: TPO just released the first release candidate for 0.3.2, meaning the stable version is around the corner. Need to reserve my 56-char URL before someone takes it.