Question:
Greetings!
Objective: make the server that hosts the .onion domain completely anonymous.
Problem: if a user runs the code below, it de-anonymizes the server.
The code I tested with:
<?php
// Test case: an ordinary outbound HTTP request from the hidden-service host.
// With no proxy configured, curl connects to 2ip.ru directly, so the remote
// site sees the server's real address (and the DNS lookup leaves the box too).
ini_set('display_errors', '1');
error_reporting(E_ALL);

function curl_get_contents($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_NOPROGRESS, 1);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; YandexImageResizer/2.0)');
    $page = curl_exec($ch);
    if ($page === false) {
        // curl never throws; surface the transport error instead of returning ""
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("curl failed: $err");
    }
    curl_close($ch);
    return $page;
}

try {
    echo curl_get_contents("http://2ip.ru");
} catch (Exception $e) {
    var_dump($e);
}
?>
Solution: route everything through the Tor proxy. But how? I tried Polipo, using the Tor SOCKS port as its parent so that it acts as an HTTP proxy, but nothing worked.
My configs:
apache:
<VirtualHost 127.0.0.1:8080>
    ServerName [removed].onion
    # ProxyPass takes a path prefix, not a regex; the regex form is ProxyPassMatch.
    # Both lines are disabled anyway.
    #ProxyPass ^(.*)$ http://127.0.0.1:8118/$1
    #ProxyPassReverse ^(.*)$ http://127.0.0.1:8118/$1
    DocumentRoot /var/www/[removed]/data/www/[removed].onion
    ServerAdmin webmaster@[removed].onion
    AddDefaultCharset UTF-8
    # mpm-itk: run this vhost under its own user and group
    AssignUserID [removed] [removed]
    ErrorLog /dev/null
    # Apache has no AccessLog directive; the access log is configured with CustomLog
    CustomLog /dev/null combined
    <FilesMatch "\.ph(p[3-5]?|tml)$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
    php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@[removed].onion"
    php_admin_value upload_tmp_dir "/var/www/[removed]/data/mod-tmp"
    php_admin_value session.save_path "/var/www/[removed]/data/mod-tmp"
    php_admin_value open_basedir "/var/www/[removed]/data:."
    ServerAlias www.[removed].onion
    DirectoryIndex index.html index.php
</VirtualHost>
<Directory /var/www/[removed]/data/www/[removed].onion>
    Options -ExecCGI
    php_admin_flag engine on
</Directory>
<Directory /var/www/[removed]/data/www/[removed].onion/phpmyadmin>
    Allow from all
    AuthName "Access limited"
    AuthType Basic
    AuthUserFile /var/www/[removed]/data/etc/access.[removed].onion.passwd
    Order allow,deny
    Require valid-user
</Directory>
nginx:
server {
    server_name [removed].onion www.[removed].onion;
    charset UTF-8;
    index index.html index.php;
    disable_symlinks if_not_owner from=$root_path;
    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/[removed].onion/*.conf;
    access_log off;
    # error_log has no "off" value: "error_log off;" creates a log file literally named "off".
    # Send errors to /dev/null instead (crit keeps only the most severe messages).
    error_log /dev/null crit;
    set $root_path /var/www/[removed]/data/www/[removed].onion;
    root $root_path;
    listen 127.0.0.1:80;
    gzip on;
    gzip_comp_level 5;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    location / {
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            expires max;
            try_files $uri $uri/ @fallback;
        }
        location / {
            try_files /does_not_exists @fallback;
        }
    }
    # Everything dynamic is handed to Apache on 127.0.0.1:8080
    location @fallback {
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect http://127.0.0.1:8080 /;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /phpmyadmin/ {
        location ~ [^/]\.ph(p\d*|tml)$ {
            try_files /does_not_exists @fallback;
        }
        location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
            expires max;
            try_files $uri $uri/ @fallback;
        }
        location /phpmyadmin/ {
            try_files /does_not_exists @fallback;
        }
        auth_basic "Access limited";
        auth_basic_user_file /var/www/[removed]/data/etc/access.[removed].onion.passwd;
    }
}
polipo:
proxyAddress = "0.0.0.0" # Allow connections from anywhere. I'm on a LAN, so whatever
proxyPort = 8118 # this is Privoxy's standard port; Polipo's is usually 8123
allowedClients = 127.0.0.1, 192.168.1.0/24 # Where to accept connections from
allowedPorts = 1-65535 # Ports on which connections may be accepted / made
socksParentProxy = "127.0.0.1:9050" # Tor as the parent proxy
socksProxyType = socks4a # SOCKS proxy type
diskCacheRoot = "/var/cache/polipo/" # Where to cache
disableConfiguration = false # can be configured over the network, if that doesn't scare you
disableVia = true # Make sure requests don't loop through the proxy
relaxTransparency = yes #
maxConnectionAge = 10m # Maximum lifetime of a connection
maxConnectionRequests = 100 # Maximum requests per connection
serverMaxSlots = 16 # Maximum parallel connections to different servers
serverSlots = 60 # Maximum parallel connections to a single server
tunnelAllowedPorts = 1-65535
daemonise = true # Go to the background
logFile = "/var/log/polipo/polipo.log" # where to put the logs
dnsMaxTimeout = 60 # if the host doesn't resolve within 60 s, to hell with it
dontCacheCookies = true # No need to cache cookies
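The per-request fix for the curl code in the question is to set the proxy on the curl handle itself rather than relying on a system-wide HTTP proxy, so the request fails closed when Tor is down and does not depend on environment variables. The following is an added example, not code from the original post. It assumes a local tor daemon on its default SocksPort, 127.0.0.1:9050, and a libcurl with SOCKS5 support; the `socks5h` scheme makes Tor resolve the hostname, so neither the TCP connection nor the DNS query leaves the machine directly. The check against https://check.torproject.org/api/ip confirms the exit is really a Tor node (the endpoint returns JSON with an "IsTor" field).

```php
<?php
// Added example, not code from the original post. Assumes a local tor
// daemon listening on 127.0.0.1:9050 (the default SocksPort) and a libcurl
// built with SOCKS5 support.
declare(strict_types=1);

// "socks5h" (not "socks5"): the hostname is sent to Tor for resolution,
// so no DNS query for the target ever leaves this host.
const TOR_SOCKS = 'socks5h://127.0.0.1:9050';

/**
 * Fetch $url through Tor. The proxy is set on the handle, so it does not
 * depend on http_proxy/all_proxy variables that a daemon started at boot may
 * never see. If the proxy is unreachable the request fails; it never falls
 * back to a direct connection.
 */
function tor_get(string $url, int $timeoutSeconds = 60): string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_PROXY          => TOR_SOCKS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_NOPROGRESS     => true,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => $timeoutSeconds,
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (compatible; YandexImageResizer/2.0)',
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("request to $url via Tor failed: $err");
    }
    curl_close($ch);
    return $body;
}

/**
 * Ask the Tor Project's checker whether the request really exited via Tor.
 * It answers with JSON like {"IsTor":true,"IP":"..."}; anything else,
 * including a parse failure, counts as "not torified".
 */
function exits_via_tor(): bool
{
    $data = json_decode(tor_get('https://check.torproject.org/api/ip'), true);
    return is_array($data) && ($data['IsTor'] ?? false) === true;
}

if (PHP_SAPI === 'cli') {
    // Same target as the original test, now fetched through Tor.
    echo tor_get('http://2ip.ru'), "\n";
    echo 'exit via Tor: ', exits_via_tor() ? 'yes' : 'NO', "\n";
}
```

Run it from the shell as the same user the web server runs PHP as (`php tor_get.php`); if 2ip.ru reports a Tor exit address and the checker prints `yes`, the curl path is clean. HTTPS works unchanged through the SOCKS proxy because curl still does TLS end to end with the target.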
Answer:
Found one solution, but it sends all of the server's traffic through the proxy:
Privoxy config:
# socks4a and socks5 hand the hostname to Tor for resolution;
# plain socks4 resolves it locally and would leak DNS queries.
forward-socks5 / localhost:9050 .
forward-socks4 / localhost:9050 .
forward-socks4a / localhost:9050 .
Next, run this in the console (after a server restart it has to be done again):
export all_proxy="socks://localhost:9050/"
export http_proxy="http://localhost:8118/"
export https_proxy="http://localhost:8118/"
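The exported variables only reach processes that inherit that shell's environment, which is why they vanish after a reboot, and libcurl is the component that reads them; PHP's own http:// stream wrapper (file_get_contents, fopen) does not speak SOCKS at all, which is what the Privoxy front-end on 8118 is for. The following is an added example, not code from the original answer. It assumes Privoxy on 127.0.0.1:8118 forwarding to Tor as configured above, and shows the proxy being set by the script itself so that it survives reboots; it covers plain http:// URLs only.

```php
<?php
// Added example, not code from the original answer. Assumes Privoxy on
// 127.0.0.1:8118 forwarding to Tor (forward-socks5 / localhost:9050 .).
declare(strict_types=1);

const TOR_HTTP_PROXY = 'tcp://127.0.0.1:8118';

/**
 * Make every http:// stream request in this process use the proxy.
 * Unlike "export http_proxy=..." in a shell, this is set by the script, so
 * it does not depend on the environment a daemon was started with; put the
 * call in a file loaded via php.ini auto_prepend_file to cover every script.
 * request_fulluri is required when talking to an HTTP proxy.
 */
function torify_stream_wrappers(): void
{
    stream_context_set_default([
        'http' => [
            'proxy'           => TOR_HTTP_PROXY,
            'request_fulluri' => true,
            'timeout'         => 60,
        ],
    ]);
}

/**
 * Fetch a plain http:// URL through Privoxy/Tor with an explicit context.
 * Fails closed: when the proxy is down, file_get_contents() returns false
 * and we raise instead of retrying without the proxy.
 */
function tor_http_get(string $url): string
{
    $ctx = stream_context_create([
        'http' => [
            'proxy'           => TOR_HTTP_PROXY,
            'request_fulluri' => true,
            'ignore_errors'   => true, // hand back 4xx/5xx bodies instead of false
            'timeout'         => 60,
        ],
    ]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false) {
        $err = error_get_last();
        throw new RuntimeException(
            "request to $url via proxy failed: " . ($err['message'] ?? 'unknown error')
        );
    }
    return $body;
}

if (PHP_SAPI === 'cli') {
    torify_stream_wrappers();
    // Same target as the question's test, now via Privoxy -> Tor.
    echo tor_http_get('http://2ip.ru'), "\n";
}
```

Both approaches are still opt-in: a library that opens its own socket, or a cron job without the proxy set, goes out directly. The fail-closed complement is a firewall rule that drops all non-loopback traffic for the user PHP runs as (for example `iptables -A OUTPUT -m owner --uid-owner <php-user> ! -o lo -j REJECT`), so that anything not explicitly routed through Tor fails rather than leaks.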