On http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients one of the suggested methods to get your Directory service on port 80 if Apache is in the way is to use mod_proxy.

Personally I think sticking tor's directory service behind Apache so it's not exposed to the wider Internet directly is a good thing anyway. The sheer scale of development, usage and history of Apache makes me confident that it is less likely to contain security holes than tor (see recent exploit). This is not a dig!

I am writing this email to share some ModSecurity (http://www.modsecurity.org/) rules that I have been developing and using to severely restrict the requests that get forwarded onto the tor daemon by mod_proxy. Someone may find them useful.

Here are the relevant parts of my Apache vhost:

    <Location /tor/>
        SecRuleEngine On
        SecRequestBodyAccess On
        SecResponseBodyAccess Off
        SecRuleInheritance Off
        SecAuditLogRelevantStatus "^500$"
        SecDefaultAction "log,auditlog,deny,phase:2,status:500,severity:'2'"

        # Request envelope: IP-literal Host header, HTTP/1.0 or 1.1, GET only, no body
        SecRule HTTP_HOST "!^\d{1,3}(?>\.\d{1,3}){3}$" "msg:'Host header must be IP address'"
        SecRule REQUEST_PROTOCOL "!^HTTP/1\.[01]$" "msg:'HTTP/1.0 or HTTP/1.1 only'"
        SecRule REQUEST_METHOD "!^GET$" "msg:'We only allow GETs here'"
        SecRule REQUEST_HEADERS:Content-Length "!^0?$" "msg:'No request message bodies allowed'"

        # URI allow-list: the chain only denies when the URI matches none of these
        SecRule REQUEST_URI "!^/tor/server/authority$" "chain,msg:'Badly formed uri'"
        SecRule REQUEST_URI "!^/tor/status/all$" "chain"
        SecRule REQUEST_URI "!^/tor/running-routers$" "chain"
        SecRule REQUEST_URI "!^/tor/dir\.z$" "chain"
        SecRule REQUEST_URI "!^/tor/server/(?>d|fp)/(?>[A-F0-9]{40})(?>\+[A-F0-9]{40})*\.z$" "chain"
        SecRule REQUEST_URI "!^/tor/status/fp/[A-F0-9]{40}(?>\+[A-F0-9]{40})*\.z$"

        ProxyPass http://127.0.0.1:9030/tor/
    </Location>

I put another http service behind Apache earlier this year unrelated to tor (I won't mention the name of the product). After it had been running for a couple of months, we found a DOS that could be performed accidentally by doing a GET request in a certain way. Whilst waiting for a bug fix, because I had the flexibility of Apache in front of it, it was a cinch to just stick a rewrite rule in place to prevent the request taking place and the DOS happening.

P.S. The "ProxyPassReverse" entry in the FAQ seems redundant as the tor directory http service doesn't appear to ever return a redirect response.

Mike
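The following is an added example, not part of Mike's post or of the Tor or ModSecurity projects. It re-implements the rule set above as a small offline filter so the allow-list can be exercised against constructed requests before the rules are put in front of a live proxy: each SecRule becomes a deny condition, and the six REQUEST_URI rules are treated as a single chain that only denies when the URI matches none of them. The sample requests, the 40-hex-digit fingerprints and the 192.0.2.x address are constructed test data, and the PCRE atomic groups (?>...) are written as ordinary groups because the stdlib re module only gained them in Python 3.11; the accepted set of URIs is the same.

```python
import re

# URI allow-list transcribed from the chained SecRule REQUEST_URI lines.
FP = r"[A-F0-9]{40}"  # one uppercase hex router fingerprint
ALLOWED_URIS = [
    re.compile(r"^/tor/server/authority$"),
    re.compile(r"^/tor/status/all$"),
    re.compile(r"^/tor/running-routers$"),
    re.compile(r"^/tor/dir\.z$"),
    re.compile(rf"^/tor/server/(d|fp)/{FP}(\+{FP})*\.z$"),
    re.compile(rf"^/tor/status/fp/{FP}(\+{FP})*\.z$"),
]


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, uri, protocol, headers).

    Header names are lower-cased so lookups are case-insensitive, as they
    are for ModSecurity's REQUEST_HEADERS collection.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", errors="replace").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, uri, protocol = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return method, uri, protocol, headers


def check_request(raw: bytes):
    """Return (allowed, reason) for one raw request.

    Checks run in the same order as the SecRule lines; the reason strings
    are the msg: values from the rule set. A missing Host header is treated
    as a non-IP Host and denied.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return False, "Unparseable request line"
    method, uri, protocol, headers = parsed

    if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", headers.get("host", "")):
        return False, "Host header must be IP address"
    if not re.fullmatch(r"HTTP/1\.[01]", protocol):
        return False, "HTTP/1.0 or HTTP/1.1 only"
    if method != "GET":
        return False, "We only allow GETs here"
    # Absent or zero Content-Length passes; anything else means a body.
    if not re.fullmatch(r"0?", headers.get("content-length", "")):
        return False, "No request message bodies allowed"
    # Chain semantics: deny only if every negated URI rule matches,
    # i.e. the URI is on none of the allow-list entries.
    if not any(p.match(uri) for p in ALLOWED_URIS):
        return False, "Badly formed uri"
    return True, "forwarded to http://127.0.0.1:9030/tor/"


# Constructed sample requests (not captured traffic).
FP_A = "0123456789ABCDEF0123456789ABCDEF01234567"
FP_B = "89ABCDEF0123456789ABCDEF0123456789ABCDEF"
SAMPLES = {
    "dir": b"GET /tor/dir.z HTTP/1.0\r\nHost: 192.0.2.10\r\n\r\n",
    "two-descriptors": (
        f"GET /tor/server/fp/{FP_A}+{FP_B}.z HTTP/1.1\r\n"
        "Host: 192.0.2.10\r\n\r\n"
    ).encode(),
    "post": b"POST /tor/dir.z HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "hostname": b"GET /tor/dir.z HTTP/1.1\r\nHost: dir.example.org\r\n\r\n",
    "body": b"GET /tor/dir.z HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 5\r\n\r\nhello",
    "short-fp": b"GET /tor/server/fp/ABCD.z HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
    "traversal": b"GET /tor/dir.z/../../ HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
}


def run_samples():
    """Evaluate every sample and return {name: (allowed, reason)}."""
    return {name: check_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in run_samples().items():
        print(f"{name:16} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Only the two requests that match an allow-list entry exactly are forwarded; everything else, including a fingerprint of the wrong length and a path with dot segments, is stopped by the final chain with the 'Badly formed uri' message, which is the behaviour the rule set relies on to keep arbitrary URIs away from the tor daemon.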

