Greetings

Task: to make the server on which the .onion domain is located completely anonymous.

Problem: If the user executes the code below, he will deanonymize the server.

The code itself, which I tested:

    <?php
    ini_set('display_errors', true);
    ini_set('error_reporting', E_ALL);
    error_reporting(E_ALL);

    try {
        function curl_get_contents($url) {
            $page = "";
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_NOPROGRESS, 1);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (compatible; YandexImageResizer/2.0)');
            // No proxy option is set, so the request leaves the server directly.
            $page = curl_exec($ch);
            curl_close($ch);
            return $page;
        }

        // 2ip.ru echoes back the address the request came from.
        echo curl_get_contents("http://2ip.ru");
    } catch (Exception $e) {
        var_dump($e);
    }
    ?>

Solution: Redirect everything via Tor proxy. But how to do that? I tried to install polipo to use tor-socks as http-proxy, but it didn't work out for me.

My configs:

apache:

    <VirtualHost 127.0.0.1:8080>
        ServerName [removed].onion
        #ProxyPass ^(.*)$ http://127.0.0.1:8118/$1
        #ProxyPassReverse ^(.*)$ http://127.0.0.1:8118/$1
        DocumentRoot /var/www/[removed]/data/www/[removed].onion
        ServerAdmin webmaster@[removed].onion
        AddDefaultCharset UTF-8
        AssignUserID [removed] [removed]
        ErrorLog /dev/null
        AccessLog /dev/null
        <FilesMatch "\.ph(p[3-5]?|tml)$">
            SetHandler application/x-httpd-php
        </FilesMatch>
        <FilesMatch "\.phps$">
            SetHandler application/x-httpd-php-source
        </FilesMatch>
        php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -f webmaster@[removed].onion"
        php_admin_value upload_tmp_dir "/var/www/[removed]/data/mod-tmp"
        php_admin_value session.save_path "/var/www/[removed]/data/mod-tmp"
        php_admin_value open_basedir "/var/www/[removed]/data:."
        ServerAlias www.[removed].onion
        DirectoryIndex index.html index.php
    </VirtualHost>
    <Directory /var/www/[removed]/data/www/[removed].onion>
        Options -ExecCGI
        php_admin_flag engine on
    </Directory>
    <Directory /var/www/[removed]/data/www/[removed].onion/phpmyadmin>
        Allow from all
        AuthName "Access limited"
        AuthType Basic
        AuthUserFile /var/www/[removed]/data/etc/access.[removed].onion.passwd
        Order allow,deny
        Require valid-user
    </Directory>

nginx:

    server {
        server_name [removed].onion www.[removed].onion;
        charset UTF-8;
        index index.html index.php;
        disable_symlinks if_not_owner from=$root_path;
        include /etc/nginx/vhosts-includes/*.conf;
        include /etc/nginx/vhosts-resources/[removed].onion/*.conf;
        access_log off;
        error_log off;
        set $root_path /var/www/[removed]/data/www/[removed].onion;
        root $root_path;
        listen 127.0.0.1:80;
        gzip on;
        gzip_comp_level 5;
        gzip_disable "msie6";
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
        location / {
            location ~ [^/]\.ph(p\d*|tml)$ {
                try_files /does_not_exists @fallback;
            }
            location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
                expires max;
                try_files $uri $uri/ @fallback;
            }
            location / {
                try_files /does_not_exists @fallback;
            }
        }
        location @fallback {
            proxy_pass http://127.0.0.1:8080;
            proxy_redirect http://127.0.0.1:8080 /;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
        location /phpmyadmin/ {
            location ~ [^/]\.ph(p\d*|tml)$ {
                try_files /does_not_exists @fallback;
            }
            location ~* ^.+\.(jpg|jpeg|gif|png|svg|js|css|mp3|ogg|mpe?g|avi|zip|gz|bz2?|rar|swf)$ {
                expires max;
                try_files $uri $uri/ @fallback;
            }
            location /phpmyadmin/ {
                try_files /does_not_exists @fallback;
            }
            auth_basic "Access limited";
            auth_basic_user_file /var/www/[removed]/data/etc/access.[removed].onion.passwd;
        }
    }

polipo:

    proxyAddress = "0.0.0.0" # Allow connections from anywhere. I'm on a LAN, so it doesn't matter
    proxyPort = 8118 # this is the standard port for Privoxy; Polipo usually uses 8123
    allowedClients = 127.0.0.1, 192.168.1.0/24 # Where to accept connections from
    allowedPorts = 1-65535 # Ports on which connections may be accepted / served
    socksParentProxy = "127.0.0.1:9050" # Tor parent
    socksProxyType=socks4a # SOCKS proxy type
    diskCacheRoot = "/var/cache/polipo/" # Where to cache
    disableConfiguration = false # can be configured over the network, if you're not afraid
    disableVia = true # Make sure requests don't loop through the proxy.
    relaxTransparency = yes #
    maxConnectionAge = 10m # Maximum connection lifetime
    maxConnectionRequests = 100 # Maximum requests per connection
    serverMaxSlots = 16 # Maximum parallel connections to different servers
    serverSlots = 60 # Maximum parallel connections to one server
    tunnelAllowedPorts = 1-65535
    daemonise=true # Go to the background
    logFile="/var/log/polipo/polipo.log" # where to put the logs
    dnsMaxTimeout=60 # if the host doesn't resolve within 60 sec, to hell with it.
    dontCacheCookies = true # Don't cache cookies

    1 answer

    I found one solution, but it will send all server traffic through a proxy:

    Privoxy config:

        forward-socks5 / localhost:9050 .
        forward-socks4 / localhost:9050 .
        forward-socks4a / localhost:9050 .

    Then run the following in the console (after a server restart it has to be run again):

        export all_proxy="socks://localhost:9050/"
        export http_proxy="http://localhost:8118/"
        export https_proxy="http://localhost:8118/"
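
An added example, not part of the question or the answer: the question's `curl_get_contents()` helper rewritten so that the request goes through Tor's SOCKS port, with the hostname resolved by Tor as well, and fails closed if the proxy is unavailable. It assumes Tor listens on 127.0.0.1:9050 as in the configs above; the function name `tor_get_contents` is made up for the example.

```php
<?php
// Added example: fetch a URL through Tor's SOCKS port only.
// Assumption: Tor's SocksPort is 127.0.0.1:9050 (the address used in the
// polipo and privoxy configs on this page).

function tor_get_contents(string $url): string
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_PROXY          => '127.0.0.1:9050',
        // SOCKS5 with proxy-side name resolution: the hostname is handed to
        // Tor, so no DNS query leaves the server directly.
        CURLOPT_PROXYTYPE      => CURLPROXY_SOCKS5_HOSTNAME,
        // Refuse every scheme except HTTP and HTTPS.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        // Do not follow redirects automatically.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => 60,
    ]);

    $page = curl_exec($ch);
    if ($page === false) {
        // Fail closed: if Tor is down, raise an error instead of retrying
        // without the proxy.
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Request via Tor failed: $error");
    }
    curl_close($ch);
    return $page;
}

try {
    // Same check as in the question: the page should now report a Tor exit
    // address instead of the server's own address.
    echo tor_get_contents('http://2ip.ru');
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

Only requests made through this function are covered; code that calls curl or opens sockets directly still connects from the server's own address.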