Hi,

> If I want to serve an HTML page for my exit node do I need Apache2/nginx or 
> can I just modify my torrc?

You don't need a dedicated webserver as long as unencrypted HTTP is acceptable. 
You can read more about the default HTML exit notice for Tor exit relays here: 
https://community.torproject.org/relay/setup/exit/. To quote:

"To make it even more obvious that this is a Tor exit relay you should serve a 
Tor exit notice HTML page. Tor can do that for you: if your DirPort is on TCP 
port 80, you can make use of tor's DirPortFrontPage feature to display an HTML 
file on that port. This file will be shown to anyone directing their browser to 
your Tor exit relay IP address."

And a sample HTML page can be found here: 
https://gitlab.torproject.org/tpo/core/tor/-/raw/HEAD/contrib/operator-tools/tor-exit-notice.html.

But this doesn't scale well on many relays and doesn't provide TLS, so if you 
run many relays and/or want TLS I'd advise to still use a dedicated webserver 
(Apache, Nginx, Caddy etc.) that redirects to a single page on your Tor domain. 
For example, my IP addresses redirect to https://nothingtohide.nl/tor-relay/.

Do note though that adding dedicated webservers to an OS that runs Tor also adds 
attack surface (both for hacking/breaching attempts and DDoS) and complexity. 
Make sure to harden and maintain it properly. For example with Apache the 
following setup might be acceptable:

- Run it as a dedicated user
- Disable ServerSignature
- Production mode for ServerTokens
- No mod_rewrite but basic Redirect 301 / https://domain.tld/tor-relay
- Disable any other unneeded modules
- Disable directory listing
- Disable access to all directories
- HSTS and proper security headers
- Use options such as -ExecCGI, -FollowSymLinks (or +SymLinksIfOwnerMatch if 
you really need it), -Includes etc. etc.

And if DDoS becomes too big of a problem, you might also want to look into 
mitigation for that as well.

Cheers and good luck!

tornth


Jan 29, 2024, 09:13 by tor-relays@lists.torproject.org:

>
> If I want to serve an HTML page for my exit node do I need Apache2/nginx or 
> can I just modify my torrc?
>
>

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
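
The Apache checklist in the reply above, written out as configuration. This is an added example, not part of the original message or the poster's own setup; `domain.tld`, the `www-relay` account, the certificate paths and the document root are placeholders, and the two extra response headers are assumed choices for "proper security headers".

```apache
# Added example. Placeholders: domain.tld, www-relay, all file paths.

# Dedicated unprivileged account (Debian/Ubuntu set this through
# APACHE_RUN_USER / APACHE_RUN_GROUP in /etc/apache2/envvars instead).
User  www-relay
Group www-relay

# Do not advertise version or OS details in headers and error pages.
ServerSignature Off
ServerTokens Prod

# Default deny for the whole filesystem: no listings, CGI, symlinks, SSI.
<Directory />
    Options -Indexes -ExecCGI -FollowSymLinks -Includes
    AllowOverride None
    Require all denied
</Directory>

# On each relay: answer on port 80 and only redirect (mod_alias, no mod_rewrite).
<VirtualHost *:80>
    # "Redirect 301 / https://domain.tld/tor-relay" appends the rest of the
    # request path to the target (/x becomes .../tor-relayx). RedirectMatch
    # without a backreference sends every path to the one notice page.
    RedirectMatch 301 ^/ https://domain.tld/tor-relay/
</VirtualHost>

# On the host serving the notice page: TLS, HSTS and response headers.
# HSTS is only honoured over HTTPS, so it belongs here, not on port 80.
<VirtualHost *:443>
    ServerName domain.tld
    DocumentRoot /var/www/domain.tld
    SSLEngine on
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem

    # Requires mod_headers.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "no-referrer"

    # Re-open only the static document root; options stay disabled.
    <Directory /var/www/domain.tld>
        Options -Indexes -ExecCGI -FollowSymLinks -Includes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Run `apachectl configtest` after editing to catch syntax errors before reloading.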
