Hi,

> If I want to serve an HTML page for my exit node do I need Apache2/nginx or can I just modify my torrc?

You don't need a dedicated webserver as long as unencrypted HTTP is acceptable. You can read more about the default HTML exit notice for Tor exit relays here: https://community.torproject.org/relay/setup/exit/. To quote:

"To make it even more obvious that this is a Tor exit relay you should serve a Tor exit notice HTML page. Tor can do that for you: if your DirPort is on TCP port 80, you can make use of tor's DirPortFrontPage feature to display an HTML file on that port. This file will be shown to anyone directing their browser to your Tor exit relay IP address."

And a sample HTML page can be found here: https://gitlab.torproject.org/tpo/core/tor/-/raw/HEAD/contrib/operator-tools/tor-exit-notice.html.

But this doesn't scale well on many relays and doesn't provide TLS, so if you run many relays and/or want TLS I'd still advise using a dedicated webserver (Apache, Nginx, Caddy etc.) that redirects to a single page on your Tor domain. For example, my IP addresses redirect to https://nothingtohide.nl/tor-relay/.

Do note though that adding dedicated webservers to an OS that runs Tor also adds attack surface (both for hacking/breaching attempts and DDoS) and complexity. Make sure to harden and maintain it properly. For example with Apache the following setup might be acceptable:

- Run it as a dedicated user
- Disable ServerSignature
- Production mode for ServerTokens
- No mod_rewrite but basic Redirect 301 / https://domain.tld/tor-relay
- Disable any other unneeded modules
- Disable directory listing
- Disable access to all directories
- HSTS and proper security headers
- Use options such as -ExecCGI, -FollowSymLinks (or +SymLinksIfOwnerMatch if you really need it), -Includes etc. etc.

And if DDoS becomes too big of a problem, you might also want to look into mitigation for that as well.

Cheers and good luck!

tornth


Jan 29, 2024, 09:13 by tor-relays@lists.torproject.org:

If I want to serve an HTML page for my exit node do I need Apache2/nginx or can I just modify my torrc?
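
An Apache 2.4 configuration along the lines of the checklist in the reply above, as an added example that is not part of the original message or the poster's own setup. The account name `torweb`, the certificate paths and the document root are assumptions; `domain.tld` is the placeholder used in the message. It uses `RedirectMatch` rather than plain `Redirect` because `Redirect` appends whatever follows the matched prefix to the target, so a request for `/abc` would be sent to `https://domain.tld/tor-relayabc`.

```apache
# Added example. Needs mod_alias, mod_authz_core, mod_headers, mod_ssl and mod_dir;
# disable every other module the distribution enables by default.

# Dedicated unprivileged account (name is an assumption). On Debian/Ubuntu set
# APACHE_RUN_USER / APACHE_RUN_GROUP in /etc/apache2/envvars instead.
User torweb
Group torweb

# Do not advertise version or module details in headers and error pages.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Default deny for the whole filesystem. "Options None" switches off Indexes
# (directory listing), ExecCGI, Includes and FollowSymLinks in one go.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Relay IP address over plain HTTP: redirect only, nothing served from disk.
# mod_alias answers before the <Directory /> deny rule is evaluated.
<VirtualHost *:80>
    RedirectMatch 301 ^/.*$ https://domain.tld/tor-relay
</VirtualHost>

# Only if this same server hosts the notice page (paths are assumptions).
<VirtualHost *:443>
    ServerName domain.tld
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem

    DocumentRoot /var/www/tor-notice
    <Directory /var/www/tor-notice>
        # Options None is inherited, so no listing, CGI, SSI or symlinks here.
        Require all granted
    </Directory>

    # "always" also attaches the headers to error and redirect responses.
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "DENY"
    Header always set Referrer-Policy "no-referrer"
</VirtualHost>
```

Validate with `apachectl configtest` before reloading, and check the result with `curl -I http://<relay-ip>/anything`, which should return a 301 to the notice URL and a bare `Server: Apache` header.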