Tor onion-location header AppArmor issue

2021 April 04

Following Tor Project's onion-location header documentation, AppArmor on Ubuntu 20.04 LTS was preventing yawnbox.com's v3 onionsite from working. Tor Browser was saying "We can’t connect to the server..." when trying to connect.

sudo tail -f /var/log/kern.log

Apr 4 13:29:37 yawnbox kernel: [239228.849923] audit: type=1400 audit(1617568177.174:59): apparmor="DENIED" operation="connect" profile="system_tor" name="/run/tor-hs-my-website.sock" pid=8229 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0

Per the log, I had to add an AppArmor exception:

sudo vim /etc/apparmor.d/system_tor

Add this line to the bottom of the profile, above the closing brace:

/run/tor-hs-my-website.sock wr,

Restart AppArmor:

sudo service apparmor restart
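The triage step above (read the denial, turn it into a profile rule), as an added shell example that is not part of the original post: the function reads kernel-log lines on stdin, keeps only AppArmor DENIED entries for the named profile, and prints one rule per unique path/mask pair in the form the profile expects. The lines in SAMPLE_LOG are constructed for the demo: the first is the denial quoted in this post, the second is a made-up duplicate of it, and the third is a made-up denial for an unrelated profile to show the filtering.

```shell
#!/bin/sh
# Added example (not from the original post): turn AppArmor "DENIED" audit
# lines for one profile into the rule lines that profile is missing.
#
# Usage: sh apparmor_rules.sh system_tor < /var/log/kern.log
# With no arguments it runs against the constructed sample below.

# Constructed sample log. Line 1 is the denial from the post; line 2 is a
# duplicate of it; line 3 is a denial for a different (made-up) profile.
SAMPLE_LOG='Apr 4 13:29:37 yawnbox kernel: [239228.849923] audit: type=1400 audit(1617568177.174:59): apparmor="DENIED" operation="connect" profile="system_tor" name="/run/tor-hs-my-website.sock" pid=8229 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Apr 4 13:29:38 yawnbox kernel: [239229.000000] audit: type=1400 audit(1617568178.000:60): apparmor="DENIED" operation="connect" profile="system_tor" name="/run/tor-hs-my-website.sock" pid=8229 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Apr 4 13:29:39 yawnbox kernel: [239230.000000] audit: type=1400 audit(1617568179.000:61): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/example.conf" pid=9999 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# apparmor_denials_to_rules PROFILE
#   Reads log lines on stdin. Emits "<path> <denied_mask>," once per unique
#   pair, which is the line to add above the profile's closing brace.
#   Only DENIED entries count: ALLOWED entries from complain mode are ignored,
#   and grep -F keeps profile names with dots or slashes literal.
apparmor_denials_to_rules() {
    profile="$1"
    grep -F 'apparmor="DENIED"' \
    | grep -F "profile=\"$profile\"" \
    | sed -n 's/.*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\1 \2,/p' \
    | sort -u
}

if [ "$#" -ge 1 ]; then
    apparmor_denials_to_rules "$1"
else
    # Self-check on the constructed sample; prints the rule from the post.
    printf '%s\n' "$SAMPLE_LOG" | apparmor_denials_to_rules system_tor
fi
```

Review every emitted rule before pasting it into the profile: a denial only records what the process tried, not whether it should be allowed. After editing, sudo apparmor_parser -r /etc/apparmor.d/system_tor reloads just that profile, which is a smaller change than restarting the whole AppArmor service.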

Additional security headers

In addition to the security headers mentioned in Tor Project's documentation for the nginx onionsite server, I use the same security headers for all three nginx server blocks in /etc/nginx/sites-available/default:

        server_tokens off;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer";
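As an added example (not the post's own configuration), the same headers kept in one snippet that each server block includes, alongside the Onion-Location header from the Tor Project documentation on the clearnet block, plus the one nginx caveat that silently undoes this setup. The snippet path, the unix-socket listen directive on the onion block, the document roots and the <your-onion-address> placeholder are assumptions; replace the placeholder with the real v3 address.

```nginx
# /etc/nginx/snippets/security-headers.conf  (assumed path; added example, not the post's config)
# "always" makes nginx send the headers on 4xx/5xx responses too, not only on 2xx/3xx.
server_tokens off;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;

# /etc/nginx/sites-available/default (excerpt)

# Clearnet HTTPS server block: advertises the onionsite with Onion-Location.
server {
    listen 443 ssl;
    server_name yawnbox.com;
    # ssl_certificate / ssl_certificate_key lines omitted

    include snippets/security-headers.conf;
    # From the Tor Project onion-location docs; <your-onion-address> is a placeholder.
    add_header Onion-Location http://<your-onion-address>.onion$request_uri always;

    location / {
        root /var/www/html;
    }

    # Caveat: an add_header inside a location REPLACES every header inherited
    # from the server level, Onion-Location included. Re-include the snippet
    # (and repeat Onion-Location if wanted) whenever a location needs a header
    # of its own, or the security headers vanish for that path.
    location /downloads/ {
        include snippets/security-headers.conf;
        add_header Onion-Location http://<your-onion-address>.onion$request_uri always;
        add_header Content-Disposition attachment always;
        root /var/www/html;
    }
}

# Onionsite server block. Assumed: Tor's HiddenServicePort points at this
# unix socket (the path from the AppArmor denial above), so nginx listens on it.
server {
    listen unix:/run/tor-hs-my-website.sock;
    server_name <your-onion-address>.onion;

    include snippets/security-headers.conf;
    # No Onion-Location here: the visitor is already on the onionsite.

    location / {
        root /var/www/html;
    }
}
```

A quick way to confirm the inheritance caveat is to request a path served by a location that has its own add_header and check that the security headers are still present in the response; if they are missing only for that path, the location forgot to re-include the snippet. Of the five headers, X-XSS-Protection only affects older browsers (current ones have removed the XSS auditor it controlled), so the others carry the real weight.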

Have any suggestions to make this better? Get in touch.

yawnbox