oxeo0/blog-contributions
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git synced 2025-07-02 07:06:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

edit mysql replication guide - scp over tor, local mkp224o generation, better showcasing

Browse source
This commit is contained in:
oxeo0 2025-02-18 21:54:17 +01:00
parent 1c6049d743
commit 9edc6a7998
4 changed files with 124 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

BIN
opsec/mysqlmastermaster/7.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
opsec/mysqlmastermaster/8.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 46 KiB

255
opsec/mysqlmastermaster/index.html
View file

@ -127,6 +127,14 @@ We will synchronize databases automatically between our two hidden services. If
The MariaDB server running on each machine will connect to an onion address using socat as a background service configured with systemd, since it cannot utilize the socks5 proxy provided by the Tor client directly.
</p>
<p>For each server, we will later generate two onion v3 vanity URLs:<br>
<ul>
<li><b>Public Hidden Service URL</b> - This is used for accessing the hidden service as a client. Place this URL in your NGINX configuration to expose the vegetable shop service at port <b>80</b>.</li><br>
<li><b>Internal Hidden Service URL</b> - Used exclusively for inter-service communication.</li>
</ul></p>
<p>Note that you can use only numbers <b>2-7</b> in the onion URL, as they are not part of the <a href="https://en.wikipedia.org/wiki/Base32">base32 alphabet</a> used for encoding onion URLs. In this guide, I use words like <b>one</b> and <b>two</b> instead.</p>
<p>
Below is a table showing what ports and services will be active on each server:
</p>
@ -174,7 +182,6 @@ Below is a table showing what ports and services will be active on each server:
</tr>
</table>
<p>
<p><a>*</a> The <b>Internal Hidden Service</b> is used exclusively for inter-server communication, and its URL should remain private.</p>
<p>
@ -204,20 +211,12 @@ If using Proxmox, after setting up the vegetable store once, you can clone it to
<br>
<br>
<p>You also need socat installed on both servers:</p>
<p>Ensure you have socat installed on both servers:</p>
<pre><code class="nim">oxeo@serverN:~$ sudo apt update
oxeo@serverN:~$ sudo apt install socat
</code></pre>
<p>For each server, generate two onion vanity URLs:<br>
<ul>
<li><b>Public Hidden Service URL:</b> This is used for accessing the hidden service as a client. Place this URL in your NGINX configuration to expose the vegetable shop service at port <b>80</b>.</li><br>
<li><b>Internal Hidden Service URL:</b> Used exclusively for inter-service communication.</li>
</ul></p>
<p>Note that you can use only numbers <b>2-7</b> in the onion URL, as they are not part of the <a href="https://en.wikipedia.org/wiki/Base32">base32 alphabet</a> used for encoding onion URLs. In this guide, I use words like <b>one</b> and <b>two</b> instead.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
@ -227,10 +226,10 @@ oxeo@serverN:~$ sudo apt install socat
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Part 1</b></h2>
<h2 id="part-1"><b>Part 1</b></h2>
<p>The steps listed below should be executed on your first server. The second part of this guide will include commands for the second server with slight modifications, but they are mostly the same.<br>
This part contains explanations of how things work; the second part is primarily a list of commands.</p>
<p>The steps listed below should be executed on your first server. The <a href="#part-2">second part</a> of this guide will include commands for the second server with slight modifications, but they are mostly the same.<br>
This part contains explanations of how things work; the <a href="#part-2">second part</a> is primarily a list of commands.</p>
</div>
</div><!-- /row -->
@ -314,14 +313,7 @@ Add a replication user on the first server using MySQL shell.
</p>
<pre><code class="nim">oxeo@server1:~$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 56
Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
[...]
MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD';
Query OK, 0 rows affected (0.001 sec)
@ -353,7 +345,8 @@ Replace <b>YOUR_GENERATED_SLAVE_PASSWORD</b> with the generated password and not
<h2><b>Tor Configuration</b></h2>
<p>
To make our MySQL instance accessible to the second server, create another hidden service in <b>/etc/tor/torrc</b>. You should have two hidden services: one public and one internal.
To make our MySQL instance accessible to the second server, create another hidden service in <b>/etc/tor/torrc</b>. You should have two hidden services: one public and one internal.<br>
On the internal hidden service, we will also expose SSH which will come handy later.
</p>
<pre><code class="nim">HiddenServiceDir /var/lib/tor/veggie_service/
@ -361,6 +354,7 @@ HiddenServicePort 80 127.0.0.1:4440
HiddenServiceDir /var/lib/tor/internal_service/
HiddenServicePort 33061 127.0.0.1:3306
HiddenServicePort 22 127.0.0.1:22
</code></pre>
<p>
@ -385,54 +379,13 @@ drwx--S--- 2 debian-tor debian-tor 2 Feb 16 17:23 authorized_clients
</code></pre>
<p>
Of course automatically generated hidden service hostname will be random so in order to use your generated vanity URLs, you need to put the appropriate keys in this directory.<br>
In my case I have <a href="../torwebsite/index.html">generated vanity addresses</a> on my computer so I <b>tar</b>red them (<b>onions.tar</b>) and transfered using <b>scp</b>:
Of course automatically generated hidden service hostname will be random so you need to <a href="../torwebsite/index.html#mkp224o">generate vanity URLs</a> for <b>srvone[...].onion</b> and <b>intone[...].onion</b> and copy appropriate keys to <b>/var/lib/tor/veggie_service</b> and <b>/var/lib/tor/internal_service</b> respectively.
</p>
<pre><code class="nim">oxeo@main-pc:~$ scp onions.tar oxeo@server1:/tmp
onions.tar 100% 20KB 4.9MB/s 00:00
</code></pre>
<p>
Now extract the archive on a remote server and copy keys to the hidden service directory.
</p>
<pre><code class="nim">oxeo@server1:~$ cd /tmp
oxeo@server1:/tmp$ tar xvf onions.tar
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key
oxeo@server1:/tmp$ sudo cp -v srvone*/* /var/lib/tor/veggie_service
'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname' -> '/var/lib/tor/veggie_service/hostname'
'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key' -> '/var/lib/tor/veggie_service/hs_ed25519_public_key'
'srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/veggie_service/hs_ed25519_secret_key'
oxeo@server1:/tmp$ sudo cp -v intone*/* /var/lib/tor/internal_service
'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname' -> '/var/lib/tor/internal_service/hostname'
'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key' -> '/var/lib/tor/internal_service/hs_ed25519_public_key'
'intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key' -> '/var/lib/tor/internal_service/hs_ed25519_secret_key'
oxeo@server1:/tmp$ sudo rm -rv onions.tar *.onion
</code></pre>
<p>
If you haven't already, update the <b>server_name</b> also in <b>/etc/nginx/sites-available/veggie-shop.conf</b>:
<pre><code class="nim">server {
listen 4440;
listen 127.0.0.1:4440;
server_name srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion;
root /srv/shop/;
index index.php;
@ -514,10 +467,10 @@ oxeo@server1:~$ sudo systemctl enable --now socat-tor
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Part 2</b></h2>
<h2 id="part-2"><b>Part 2</b></h2>
<p>
Now log into your 2nd server and run the commands listed below. They're mostly the same with very slight differences. When you need to change something I will add a note but generally, if you get stuck on something, you should look it up in the first part.
Now log into your 2nd server and run the commands listed below. They're mostly the same with very slight differences. When you need to change something I will add a note but generally, if you get stuck on something, you should look it up in the <a href="#part-1">first part</a>.
</p>
</div>
@ -570,13 +523,7 @@ Now you can open MySQL shell on the first server and add replication user.
</p>
<pre><code class="nim">oxeo@server2:~$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 56
Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
[...]
MariaDB [(none)]> CREATE USER 'repl'@'%' IDENTIFIED BY 'YOUR_GENERATED_SLAVE_PASSWORD';
Query OK, 0 rows affected (0.001 sec)
@ -609,6 +556,7 @@ HiddenServicePort 80 127.0.0.1:4440
HiddenServiceDir /var/lib/tor/internal_service/
HiddenServicePort 33062 127.0.0.1:3306
HiddenServicePort 22 127.0.0.1:22
</code></pre>
<pre><code class="nim">oxeo@server2:~$ sudo systemctl restart tor
@ -624,47 +572,14 @@ drwx--S--- 2 debian-tor debian-tor 2 Feb 16 17:23 authorized_clients
-rw------- 1 debian-tor debian-tor 96 Feb 16 17:23 hs_ed25519_secret_key
</code></pre>
<pre><code class="nim">oxeo@main-pc:~$ scp onions.tar oxeo@server2:/tmp
oxeo@server2's password:
onions.tar 100% 20KB 4.9MB/s 00:00
</code></pre>
<pre><code class="nim">oxeo@server2:~$ cd /tmp
oxeo@server2:/tmp$ tar xvf onions.tar
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_public_key
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hs_ed25519_secret_key
srvone4oj33rvnykz252tf2holi5ae6pz5w62znumesgmzg7mjbnhtyd.onion/hostname
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key
srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key
inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_secret_key
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hostname
intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion/hs_ed25519_public_key
oxeo@server2:/tmp$ sudo cp -v srvtwo*/* /var/lib/tor/veggie_service
'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hostname' -> '/var/lib/tor/veggie_service/hostname'
'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_public_key' -> '/var/lib/tor/veggie_service/hs_ed25519_public_key'
'srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/veggie_service/hs_ed25519_secret_key'
oxeo@server2:/tmp$ sudo cp -v inttwo*/* /var/lib/tor/internal_service
'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hostname' -> '/var/lib/tor/internal_service/hostname'
'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_public_key' -> '/var/lib/tor/internal_service/hs_ed25519_public_key'
'inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion/hs_ed25519_secret_key' -> '/var/lib/tor/internal_service/hs_ed25519_secret_key'
oxeo@server2:/tmp$ sudo rm -rv onions.tar *.onion
</code></pre>
<p>
<a href="../torwebsite/index.html#mkp224o">Generate vanity URLs</a> for <b>srvtwo[...].onion</b> and <b>inttwo[...].onion</b> and copy appropriate keys to <b>/var/lib/tor/veggie_service</b> and <b>/var/lib/tor/internal_service</b> respectively.
</p>
<p>
<b>/etc/nginx/sites-available/veggie-shop.conf</b>:
<pre><code class="nim">server {
listen 4440;
listen 127.0.0.1:4440;
server_name srvtwo7a3ddvt5kncimkh5esstmzomdjx2fr7o73q66fzdrsbtnexhyd.onion;
root /srv/shop/;
index index.php;
@ -745,16 +660,19 @@ oxeo@server1:~$ md5sum master1dump.sql
40c3cfa7e778cc276b6a3b670a3823a6
</code></pre>
<p>Transfer the dump to your second server using scp. First, transfer from the first server to your computer:</p>
<p>Transfer the dump to your second server using <b>SCP</b> (a wrapper over SSH enabling file transfer). To not reveal your public IP address, we will connect via the internal hidden service with <b>torsocks</b>. Remember to replace <b>int[...].onion</b> URLs with ones you generated.
</p>
<pre><code class="nim">oxeo@main-pc:~$ scp oxeo@server1:/home/oxeo/master1dump.sql /tmp/master1dump.sql
master1dump.sql 100% 2428KB 245.1MB/s 00:00
<p>First, transfer from the first server to your computer:</p>
<pre><code class="nim">oxeo@main-pc:~$ torsocks scp oxeo@intone74u43zmapi3a3k3vesrvyhcfmqp6alzgzwhv6oz32bn63jjbad.onion:/home/oxeo/master1dump.sql /tmp/master1dump.sql
master1dump.sql 100% 2428KB 1.1MB/s 00:03
</code></pre>
<p>Then, transfer from your computer to the second server:</p>
<pre><code class="nim">oxeo@main-pc:~$ scp /tmp/master1dump.sql oxeo@server2:/home/oxeo/master1dump.sql
master1dump.sql 100% 2428KB 176.3MB/s 00:00
<pre><code class="nim">oxeo@main-pc:~$ torsocks scp /tmp/master1dump.sql oxeo@inttwo6kfloukru2ggozocyhce25fnomlx76du7rugbnj5v46iydtdqd.onion:/home/oxeo/master1dump.sql
master1dump.sql 100% 2428KB 1.4MB/s 00:02
</code></pre>
<p>Verify the MD5 checksum on the second server and restore the database if it matches:</p>
@ -769,13 +687,7 @@ Finally, enable the <b>Master</b> role on each database. Here are the commands f
</p>
<pre><code class="nim">oxeo@server1:~$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 56
Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
[...]
MariaDB [(none)]> STOP SLAVE;
Query OK, 0 rows affected (0.001 sec)
@ -800,13 +712,7 @@ And on the second server:
</p>
<pre><code class="nim">oxeo@server2:~$ sudo mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 53
Server version: 10.11.6-MariaDB-0+deb12u1-log Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
[...]
MariaDB [(none)]> STOP SLAVE;
Query OK, 0 rows affected (0.001 sec)
@ -853,6 +759,91 @@ Now a breakdown of what they do:
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Testing Replication</b></h2>
<p>
Now to test if both databases are synchronized, we will modify the data directly on one database and verify that both services are updated after reloading the site.
</p>
<pre><code class="nim">oxeo@server1:~$ sudo mysql
[...]
MariaDB [(none)]> USE veggie_shop;
Database changed
MariaDB [veggie_shop]> INSERT INTO products (name, price, quantity) VALUES ('Pear', 0.65, 10);
Query OK, 1 row affected (0.005 sec)
</code></pre>
<img src="7.png" class="imgRz">
<br>
<br>
<p>
Changes to the second database should be replicated as well so we'll test it by updating the number of pears.
</p>
<pre><code class="nim">oxeo@server2:~$ sudo mysql
[...]
MariaDB [(none)]> USE veggie_shop;
Database changed
MariaDB [veggie_shop]> UPDATE products SET quantity = 42 WHERE name = 'Pear';
Query OK, 1 row affected (0.002 sec)
Rows matched: 1 Changed: 1 Warnings: 0
</code></pre>
<img src="8.png" class="imgRz">
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Troubleshooting</b></h2>
<p>
If for whatever reason your replication works only in one way or doesn't work at all, you can check the system journal:
</p>
<pre><code class="nim">oxeo@server1:~$ sudo journalctl -xe
[...]
Feb 16 20:27:55 server1 /etc/mysql/debian-start[392]: Upgrading MySQL tables if necessary.
Feb 16 20:27:55 server1 /etc/mysql/debian-start[433]: Triggering myisam-recover for all MyISAM tables and aria-recover for all Aria tables
Feb 16 20:27:58 server1 mariadbd[311]: 2025-02-16 20:27:58 5 [Note] Slave I/O thread: connected to master 'repl@127.0.0.1:33062',replication started in log 'mysql-bin.000003' at position 682
Feb 16 20:29:57 server1 mariadbd[311]: 2025-02-16 20:29:57 38 [Note] Start binlog_dump to slave_server(2), pos(mysql-bin.000003, 1022), using_gtid(0), gtid('')
[...]
</code></pre>
<p>
You can also check the listening ports using the <b>ss</b> command. Here's how it should look like:
</p>
<pre><code class="nim">oxeo@server1:~$ sudo ss -tulp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:bootpc 0.0.0.0:* users:(("dhclient",pid=93,fd=7))
tcp LISTEN 0 5 127.0.0.1:33062 0.0.0.0:* users:(("socat",pid=156,fd=5))
tcp LISTEN 0 100 127.0.0.1:smtp 0.0.0.0:* users:(("master",pid=445,fd=13))
tcp LISTEN 0 80 127.0.0.1:mysql 0.0.0.0:* users:(("mariadbd",pid=311,fd=25))
tcp LISTEN 0 511 127.0.0.1:4440 0.0.0.0:* users:(("nginx",pid=9278,fd=5),("nginx",pid=9277,fd=5),("nginx",pid=9276,fd=5))
tcp LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=187,fd=6))
tcp LISTEN 0 100 [::1]:smtp [::]:* users:(("master",pid=445,fd=14))
tcp LISTEN 0 4096 *:ssh *:* users:(("sshd",pid=175,fd=3),("systemd",pid=1,fd=39))
</code></pre>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon1">
<div class="container">
<div class="row">
@ -864,11 +855,11 @@ Now a breakdown of what they do:
</p>
<p>
If you need even more security for inter-server communication, you cloud configure <a href="https://community.torproject.org/onion-services/advanced/client-auth/">Client Authorization</a>. Nowadays it <a href="https://forum.torproject.org/t/is-there-an-index-for-onion-domains/6893/3">shouldn't be necessary</a> unless your internal onion URL has been compromised. It provides additional protection by requiring a private key approved by your Hidden Service to access internal services.
If you need even more security for inter-server communication, you could configure <a href="https://community.torproject.org/onion-services/advanced/client-auth/">Client Authorization</a>. Nowadays it <a href="https://forum.torproject.org/t/is-there-an-index-for-onion-domains/6893/3">shouldn't be necessary</a> unless your internal onion URL has been compromised. It provides additional protection by requiring a private key approved by your Hidden Service to access internal services.
</p>
<p>
In the next tutorial of this series, we will configure <a href="https://onionservices.torproject.org/apps/base/onionbalance/">Onionbalance</a> - a service that automatically distributes requests over multiple backends on the same onion URL.
In the <a href="#TODO">next tutorial</a> of this series, we will configure <a href="https://onionservices.torproject.org/apps/base/onionbalance/">Onionbalance</a> - a service that automatically distributes requests over multiple backends on the same onion URL.
</p>
<p>

2
opsec/torwebsite/index.html
View file

@ -103,7 +103,7 @@ curl ifconfig.me
194.127.199.92
</pre></code>
<p>Once done, install tor and compute your Tor domain:</p>
<p id="mkp224o">Once done, install tor and compute your Tor domain:</p>
<pre><code class="nim">
[ nowhere.moe ] [ /dev/pts/11 ] [/srv]
→ apt install gcc libc6-dev libsodium-dev make autoconf tor nginx -y