
@jakejarvis
Last active May 25, 2021 18:39
Tor hidden service & Apache virtual host for proxying a static site (WIP)
# Apache virtual host that Tor forwards onion traffic to (see HiddenServicePort in the torrc below).
# It listens on loopback only, never on a public address.
# Needs mod_proxy, mod_proxy_http, mod_ssl, mod_deflate, mod_substitute and mod_headers loaded.
<VirtualHost 127.0.0.1:80>
    # we'll be proxying from HTTPS origin
    SSLProxyEngine On
    # no forward proxying: only the explicit ProxyPass below is reachable
    ProxyRequests Off
    # origin is gzip'ped, need to deflate the following filetypes for substitution below
    # (SUBSTITUTE runs on the inflated body, DEFLATE recompresses afterwards; httpd orders
    # filters by filter type, not by the order of the directives in this file)
    AddOutputFilterByType SUBSTITUTE;DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript application/json application/xml application/atom+xml application/manifest+json
    # do the proxying
    ProxyPass "/" "https://jarv.is/" max=20 connectiontimeout=5 timeout=10 retry=60
    ProxyPassReverse "/" "https://jarv.is/"
    # un-gzip (mod_substitute cannot match anything inside a compressed body)
    SetOutputFilter INFLATE
    # origin uses all absolute URLs, so replace them with the onion address
    Substitute "s|https://jarv.is|http://jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion|i"
    # some random optional settings
    ProxyVia on
    ProxyAddHeaders Off
    ProxyBadHeader StartBody
    ProxyErrorOverride On
    Protocols http/1.1
    Options -Indexes
    LogLevel alert
    UseCanonicalName Off
    KeepAliveTimeout 5
    MaxKeepAliveRequests 100
    # removing each header set on origin one-by-one
    Header unset content-type
    Header unset content-language
    Header unset Content-Disposition
    Header unset referrer-policy
    Header unset vary
    Header unset x-content-type-options
    Header unset x-frame-options
    Header unset x-xss-protection
    Header unset accept-ranges
    # content-length no longer matches the body once INFLATE/SUBSTITUTE have run
    Header unset content-length
    Header unset content-range
    Header unset Connection
    Header unset cache-control
    Header unset age
    Header unset date
    Header unset etag
    Header unset Content-Security-Policy
    Header unset feature-policy
    Header unset permissions-policy
    Header unset nel
    # note: stock httpd adds its own Server header after mod_headers runs, so this
    # does not remove it; ServerTokens Prod in the main server config minimises it
    Header unset Server
    Header unset report-to
    Header unset strict-transport-security
    Header unset x-got-milk
    Header unset x-nf-request-id
    # the clearnet origin advertises this onion; pointless on the onion itself
    Header unset Onion-Location
    Header unset x-view-source
    # disable ETag caching header
    FileETag None
    # ensure responses are unicode
    AddDefaultCharset UTF-8
    # adding back a few security headers for Tor mirror only, especially a *much* more restrictive CSP
    # this should break any clearnet connections from embeds, tracking, etc. (which is good!)
    Header set Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'"
    Header set Referrer-Policy "no-referrer"
    Header set Permissions-Policy "interest-cohort=()"
</VirtualHost>
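The vhost above chains three things: inflate the gzip'ped origin body, rewrite every absolute `https://jarv.is` URL to the onion address, then serve a CSP that permits only same-origin resources. The following Python script is an added example (not part of the gist and not httpd code) that simulates that chain offline on a constructed sample page, so you can see why `SetOutputFilter INFLATE` has to precede the `Substitute` (a regex finds nothing in compressed bytes), confirm that no clearnet host survives the rewrite, and check that a CSP string names no external scheme or host source. The origin URL, onion address and CSP are copied from the gist; the sample HTML, the header dictionaries and all function names are constructed for the example.

```python
from __future__ import annotations

import gzip
import re

# Values taken from the gist's Substitute directive.
ORIGIN = "https://jarv.is"
ONION = "http://jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion"

# Same match as  Substitute "s|https://jarv.is|http://...onion|i" : a literal
# origin, case-insensitive, applied to the raw body bytes.
ORIGIN_RE = re.compile(re.escape(ORIGIN.encode("ascii")), re.IGNORECASE)

# Constructed sample page standing in for the static origin; like the real
# site it uses absolute URLs everywhere (one deliberately upper-cased).
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="https://jarv.is/css/main.css">
<link rel="canonical" href="HTTPS://jarv.is/about/">
</head><body>
<a href="https://jarv.is/">home</a>
<img src="https://jarv.is/images/me.png">
</body></html>
"""


def origin_response(body: str) -> tuple[dict, bytes]:
    """Constructed origin reply: gzip'ped body plus the headers a CDN would send."""
    compressed = gzip.compress(body.encode("utf-8"))
    return {"Content-Encoding": "gzip", "Content-Length": str(len(compressed))}, compressed


def substitute(body: bytes) -> tuple[bytes, int]:
    """mod_substitute stand-in: rewritten body and the number of replacements made."""
    return ORIGIN_RE.subn(ONION.encode("ascii"), body)


def inflate(headers: dict, body: bytes) -> tuple[dict, bytes]:
    """mod_deflate INFLATE stand-in: decompress a gzip body and drop the two
    headers that no longer describe it (the gist also unsets content-length)."""
    if headers.get("Content-Encoding", "").lower() != "gzip":
        return headers, body
    kept = {k: v for k, v in headers.items()
            if k.lower() not in ("content-encoding", "content-length")}
    return kept, gzip.decompress(body)


def mirror_response(headers: dict, body: bytes) -> tuple[dict, bytes, int]:
    """The gist's output filter chain in effective order: INFLATE, then SUBSTITUTE."""
    headers, body = inflate(headers, body)
    body, count = substitute(body)
    return headers, body, count


HOST_RE = re.compile(rb"https?://([a-z0-9.-]+)", re.IGNORECASE)


def clearnet_hosts(body: bytes) -> list[str]:
    """Hosts referenced by absolute URLs that are not .onion; on the mirror the
    CSP would block fetches to these, so the list should be empty."""
    hosts = {m.group(1).decode("ascii").lower() for m in HOST_RE.finditer(body)}
    return sorted(h for h in hosts if not h.endswith(".onion"))


# Source expressions that never cause a network request to a third party.
LOCAL_SOURCES = {"'self'", "'none'", "'unsafe-inline'", "data:"}


def csp_is_local_only(csp: str) -> bool:
    """True when no directive in the policy names a scheme or host source."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and any(src not in LOCAL_SOURCES for src in parts[1:]):
            return False
    return True


if __name__ == "__main__":
    hdrs, gz = origin_response(SAMPLE_HTML)
    _, hits_on_compressed = substitute(gz)
    out_hdrs, out_body, hits = mirror_response(hdrs, gz)
    print("replacements without INFLATE:", hits_on_compressed)
    print("replacements after INFLATE:  ", hits)
    print("clearnet hosts left:", clearnet_hosts(out_body) or "none")
    print("headers passed on:", out_hdrs)
    csp = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'"
    print("gist CSP local-only:", csp_is_local_only(csp))
```

Run it as a script for a summary, or import it and call `mirror_response` on a real captured origin body. `csp_is_local_only` is intentionally strict: a policy that whitelists any `https:` or hostname source fails, which is exactly what the gist's comment about breaking clearnet embeds asks for.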
# torrc for the onion service (the gist's second file): Tor forwards port 80 of the
# onion address to the loopback Apache vhost above.
# seccomp syscall sandbox for the tor process (Linux only)
Sandbox 1
RunAsDaemon 1
# no client (SOCKS) listener: this instance only publishes the onion service,
# and HiddenServiceNonAnonymousMode requires SocksPort 0 anyway
SocksPort 0
############### This section is just for location-hidden services ###
## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.
# single-hop, non-anonymous onion: the service makes no attempt to hide where
# it is hosted (acceptable for a public mirror of a clearnet site; a normal
# onion service would keep the three-hop service side for location anonymity)
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
HiddenServiceDir /var/lib/tor/jarvis/
HiddenServicePort 80 127.0.0.1:80
# only affects client exit circuits, which SocksPort 0 leaves unused
ExitNodes {nl}
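The torrc comment says the address to publish is read from `hostname` in the HiddenServiceDir, and the vhost above hard-codes that address in its `Substitute` directive, so a typo there silently rewrites every link to a dead onion. As an added example (not part of the gist, and not tor's own code), the script below implements the v3 onion address layout, base32 of `pubkey(32) || checksum(2) || version(1)` with `checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]`, and uses it both to encode a constructed key and to inspect an address before it goes into a config. The onion address constant is copied from the gist; the sample key and all function names are constructed for the example.

```python
import base64
import hashlib

ONION_V3_VERSION = 3
# 32-byte ed25519 key + 2-byte checksum + 1-byte version = 35 bytes = 56 base32 chars
ONION_V3_HOST_LEN = 56

# Onion address from the gist's Substitute directive.
GIST_ONION = "jarvis2i2vp4j4tbxjogsnqdemnte5xhzyi7hziiyzxwge3hzmh57zad.onion"


def onion_v3_checksum(pubkey: bytes, version: int = ONION_V3_VERSION) -> bytes:
    """checksum = H(".onion checksum" || pubkey || version)[:2] with H = SHA3-256."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the hostname tor would write for a given ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + bytes([ONION_V3_VERSION])
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def inspect_onion_v3(address: str) -> dict:
    """Check length, base32 charset, version byte and checksum of an address.
    Returns a dict so a caller can report exactly which check failed."""
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    info = {"length_ok": len(host) == ONION_V3_HOST_LEN, "decodes": False,
            "version": None, "checksum_ok": False, "valid": False}
    if not info["length_ok"]:
        return info
    try:
        raw = base64.b32decode(host.upper())  # b32decode wants upper case
    except ValueError:  # binascii.Error is a ValueError: bad base32 character
        return info
    info["decodes"] = True
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34]
    info["version"] = version
    info["checksum_ok"] = checksum == onion_v3_checksum(pubkey, version)
    info["valid"] = info["checksum_ok"] and version == ONION_V3_VERSION
    return info


if __name__ == "__main__":
    # Constructed key bytes, not a real service key.
    sample_key = bytes(range(32))
    sample = encode_onion_v3(sample_key)
    print("constructed:", sample, inspect_onion_v3(sample))
    print("gist address:", inspect_onion_v3(GIST_ONION))
```

A practical use is a pre-deploy check: read `/var/lib/tor/jarvis/hostname`, run `inspect_onion_v3` on it and on the address embedded in the Apache config, and refuse to reload either service if they differ or either fails validation.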