Feat: adds a catch-all VirtualHost for any site listening only in localhost

author Silvio Rhatto <rhatto@riseup.net>

Tue, 4 Jul 2023 01:48:23 +0000 (22:48 -0300)

committer Silvio Rhatto <rhatto@riseup.net>

Tue, 4 Jul 2023 01:48:23 +0000 (22:48 -0300)
author Silvio Rhatto <rhatto@riseup.net>
Tue, 4 Jul 2023 01:48:23 +0000 (22:48 -0300)
committer Silvio Rhatto <rhatto@riseup.net>
Tue, 4 Jul 2023 01:48:23 +0000 (22:48 -0300)
diff --git a/templates/default.erb b/templates/default.erb

index 08c3a87eaa0675b9fa717a2f421610edc232ce77..6e9e4fe72ebe47f10a50da6a7aafd9e50266f551 100644 (file)
--- a/templates/default.erb
+++ b/templates/default.erb
@@ -12,3 +12,19 @@
                                  
  </VirtualHost>
  # end vhost for <%= @fqdn %>
+
+# A catch-all VirtualHost for any site listening only in localhost.
+#
+# This is meant to protect these sites (such as Tor Onion Services) from
+# exposing other data from the server, such as the default public VirtualHost
+# above.
+#
+# This is not a strong measure, since the server can be fingerprinted by other
+# means.
+#
+# Best thing to do is not mix public and non-public sites in the same server.
+#
+# For additional details, check
+# https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/30
+<VirtualHost 127.0.0.1:80>
+</VirtualHost>
author	Silvio Rhatto <rhatto@riseup.net>
	Tue, 4 Jul 2023 01:48:23 +0000 (22:48 -0300)
committer	Silvio Rhatto <rhatto@riseup.net>
	Tue, 4 Jul 2023 01:48:23 +0000 (22:48 -0300)