Last active May 25, 2021 18:39
Tor hidden service & Apache virtual host for proxying a static site (WIP)
<VirtualHost 127.0.0.1:80>
  # we'll be proxying from HTTPS origin
  SSLProxyEngine On
  ProxyRequests Off
  # origin is gzip'ped; these filetypes get SUBSTITUTE (rule below), then are re-compressed with DEFLATE
  AddOutputFilterByType SUBSTITUTE;DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript application/json application/xml application/atom+xml application/manifest+json
  # do the proxying
  ProxyPass "/" "https://jarv.is/" max=20 connectiontimeout=5 timeout=10 retry=60
  ProxyPassReverse "/" "https://jarv.is/"
  # un-gzip
  SetOutputFilter INFLATE
  # origin uses all absolute URLs, so replace them with the onion address
  Substitute "s|https://jarv.is|http://jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion|i"
  # some random optional settings
  ProxyVia on
  ProxyAddHeaders Off
  ProxyBadHeader StartBody
  ProxyErrorOverride On
  Protocols http/1.1
  Options -Indexes
  LogLevel alert
  UseCanonicalName Off
  KeepAliveTimeout 5
  MaxKeepAliveRequests 100
  # removing each header set on origin one-by-one
  Header unset content-type
  Header unset content-language
  Header unset Content-Disposition
  Header unset referrer-policy
  Header unset vary
  Header unset x-content-type-options
  Header unset x-frame-options
  Header unset x-xss-protection
  Header unset accept-ranges
  Header unset content-length
  Header unset content-range
  Header unset Connection
  Header unset cache-control
  Header unset age
  Header unset date
  Header unset etag
  Header unset Content-Security-Policy
  Header unset feature-policy
  Header unset permissions-policy
  Header unset nel
  Header unset Server
  Header unset report-to
  Header unset strict-transport-security
  Header unset x-got-milk
  Header unset x-nf-request-id
  Header unset Onion-Location
  Header unset x-view-source
  # disable ETag caching header
  FileETag None
  # ensure responses are unicode
  AddDefaultCharset UTF-8
  # adding back a few security headers for Tor mirror only, especially a *much* more restrictive CSP
  # this should break any clearnet connections from embeds, tracking, etc. (which is good!)
  Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'"
  Header set Referrer-Policy "no-referrer"
  Header set Permissions-Policy "interest-cohort=()"
</VirtualHost>
Sandbox 1
RunAsDaemon 1
SocksPort 0
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
HiddenServiceDir /var/lib/tor/jarvis/
HiddenServicePort 80 127.0.0.1:80
ExitNodes {nl}
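
An added check, not part of the gist: the Python sketch below audits one mirrored response against the Apache vhost above. It confirms that origin headers were stripped, that the three mirror headers carry the values set there, and that no clearnet reference to the origin survives in the body, including the http:// and scheme-relative forms that the Substitute rule does not rewrite. The function name, the header subset and the sample response are assumptions constructed for illustration.

```python
import re

ORIGIN = "jarv.is"  # clearnet host from the ProxyPass / Substitute lines
ONION = "jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion"

# A subset of the headers the vhost unsets and never sets again.
MUST_BE_ABSENT = {"server", "etag", "strict-transport-security", "onion-location",
                  "report-to", "nel", "x-nf-request-id", "x-got-milk"}
# The three headers the vhost sets for the mirror, with the values it sets.
MUST_EQUAL = {
    "content-security-policy": "default-src 'self'; style-src 'self' 'unsafe-inline'; "
                               "img-src 'self' data:; object-src 'none'",
    "referrer-policy": "no-referrer",
    "permissions-policy": "interest-cohort=()",
}
# Clearnet references in any form: https://, http:// or scheme-relative //.
# The Substitute rule rewrites only the https:// form (case-insensitively).
CLEARNET_REF = re.compile(r"(?:https?:)?//" + re.escape(ORIGIN) + r"(?![\w-])", re.I)

def audit_response(headers, body):
    """Return sorted findings for one mirrored response (hypothetical helper)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"origin header leaked: {n}" for n in MUST_BE_ABSENT if n in h]
    findings += [f"header missing or changed: {n}"
                 for n, want in MUST_EQUAL.items() if h.get(n) != want]
    findings += [f"clearnet reference in body: {m.group(0)}"
                 for m in CLEARNET_REF.finditer(body)]
    return sorted(findings)

# Constructed sample (not a captured response): the https:// link was rewritten,
# but an http:// link and a scheme-relative link to the origin were not.
SAMPLE_HEADERS = {**MUST_EQUAL, "Content-Type": "text/html", "ETag": '"abc"'}
SAMPLE_BODY = (f'<a href="http://{ONION}/notes/">ok</a>'
               f'<img src="//{ORIGIN}/me.png"><a href="HTTP://{ORIGIN}/x">x</a>')

if __name__ == "__main__":
    for line in audit_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print(line)
```

Feed it the headers and body of a response fetched from the onion address; an empty list means the response matches what the vhost is meant to produce.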