After following Tor Project’s onion-location header documentation, AppArmor on Ubuntu 20.04 LTS was preventing yawnbox.com’s v3 onionsite from working. Tor Browser was saying “We can’t connect to the server…” when trying to connect.
sudo tail -f /var/log/kern.log
Apr 4 13:29:37 yawnbox kernel: [239228.849923] audit: type=1400 audit(1617568177.174:59): apparmor="DENIED" operation="connect" profile="system_tor" name="/run/tor-hs-my-website.sock" pid=8229 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Per the log, I had to add an AppArmor exception:
sudo vim /etc/apparmor.d/system_tor
Add this line to the bottom, above the last bracket:
/run/tor-hs-my-website.sock wr,
Restart AppArmor:
sudo service apparmor restart
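Reading the denial and turning it into a profile line can be scripted. This is an added example, not part of the original post: it parses AppArmor DENIED records and proposes exact-path rules for one profile. All sample log lines except the first are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: line 1 is the denial quoted in the post; the rest are
# made-up records added to exercise deduplication and filtering.
SAMPLE_LOG = '''\
Apr 4 13:29:37 yawnbox kernel: [239228.849923] audit: type=1400 audit(1617568177.174:59): apparmor="DENIED" operation="connect" profile="system_tor" name="/run/tor-hs-my-website.sock" pid=8229 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Apr 4 13:30:02 yawnbox kernel: [239253.100000] audit: type=1400 audit(1617568202.000:60): apparmor="DENIED" operation="connect" profile="system_tor" name="/run/tor-hs-my-website.sock" pid=8301 comm="tor" requested_mask="wr" denied_mask="wr" fsuid=112 ouid=0
Apr 4 13:31:10 yawnbox kernel: [239321.200000] audit: type=1400 audit(1617568270.000:61): apparmor="DENIED" operation="mknod" profile="system_tor" name="/srv/example/state" pid=8301 comm="tor" requested_mask="c" denied_mask="c" fsuid=112 ouid=112
Apr 4 13:32:00 yawnbox kernel: [239371.300000] audit: type=1400 audit(1617568320.000:62): apparmor="DENIED" operation="open" profile="example_profile" name="/etc/example.conf" pid=9000 comm="example" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit record as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def suggest_rules(log_text, profile):
    """Return (rules, review): exact-path rule lines for read/write denials
    against `profile`, and (path, mask) pairs that need a human decision."""
    masks = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue  # ignore other profiles and non-denial records
        if "name" in f and "denied_mask" in f:
            masks[f["name"]].update(f["denied_mask"])  # merge repeated denials
    rules, review = [], []
    for path, mask in sorted(masks.items()):
        if mask <= set("rw"):
            # Exact path, no globs: grant only what the kernel reported denied.
            rules.append(f"{path} {''.join(sorted(mask))},")
        else:
            # Assumption of this example: masks beyond r/w are not translated.
            review.append((path, "".join(sorted(mask))))
    return rules, review

if __name__ == "__main__":
    rules, review = suggest_rules(SAMPLE_LOG, "system_tor")
    print("\n".join(rules))  # "rw" is equivalent to the post's "wr"
    for path, mask in review:
        print(f"# review manually: {path} denied_mask={mask}")
```

Each suggested line names one path and only the permissions that were denied, so it can be checked against the profile before it is added.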
Additional security headers
In addition to the security headers mentioned in Tor Project’s documentation for the nginx onionsite server, I use the same security headers for all three nginx servers in /etc/nginx/sites-available/default:
server_tokens off;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "no-referrer";
Have any suggestions to make this better? Get in touch.
yawnbox