authorSilvio Rhatto <rhatto@riseup.net>2023-07-03 22:48:23 -0300
committerSilvio Rhatto <rhatto@riseup.net>2023-07-03 22:48:23 -0300
commitf170a3664268cabf8c2b22e4430d9680edd5db20 (patch)
treef4ba9277270899f9fdbda2cd1d5166aff6d5967b /templates
parent72adda4cd17c496fd13061c867de8d2c4984e7af (diff)
Feat: adds a catch-all VirtualHost for any site listening only in localhost
Diffstat (limited to 'templates')
-rw-r--r--templates/default.erb16
1 files changed, 16 insertions, 0 deletions
diff --git a/templates/default.erb b/templates/default.erb
index 08c3a87..6e9e4fe 100644
--- a/templates/default.erb
+++ b/templates/default.erb
@@ -12,3 +12,19 @@
</VirtualHost>
# end vhost for <%= @fqdn %>
+
+# A catch-all VirtualHost for any site listening only in localhost.
+#
+# This is meant to protect these sites (such as Tor Onion Services) from
+# exposing other data from the server, such as the default public VirtualHost
+# above.
+#
+# This is not a strong measure, since the server can be fingerprinted by other
+# means.
+#
+# Best thing to do is not mix public and non-public sites in the same server.
+#
+# For additional details, check
+# https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/30
+<VirtualHost 127.0.0.1:80>
+</VirtualHost>
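Review bot: The added `<VirtualHost 127.0.0.1:80>` block is empty, so it inherits the main server configuration and answers unmatched localhost requests from the global DocumentRoot and handlers instead of refusing them. If the intent is that nothing is disclosed, an explicit refusal inside the block would make that hold regardless of the global config, for example `<Location "/">`, `Require all denied`, `</Location>` (Apache 2.4 syntax; adjust if older versions must be supported). The block also acts as the fallback only if it is the first vhost loaded for 127.0.0.1:80, which depends on include order not visible in this hunk. It covers IPv4 port 80 only, so sites bound to `[::1]` or to other ports would presumably not be caught. A comment line stating both assumptions, such as `# Must load before any other 127.0.0.1:80 vhost; does not cover [::1] or other ports.`, would help.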