
Onion Hidden Service Setup Guide

Setting up a simple Tor onion service isn't too difficult. The Tor Project has its own page for it, and many other places on the internet explain how, such as the guide from Riseup.

Below is an example using nginx as the web server on a Debian-based system (apt as the package manager). Text editing is done with nano in this example. Use whatever you want (vim, gedit).

apt update && apt upgrade -y && apt install tor nginx -y

#Start on boot
systemctl enable nginx && systemctl enable tor

nano /etc/nginx/nginx.conf

##inside http block

#Prevents displaying revealing information
server_tokens off;
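#Reduces possibility of cross-site scripting in browsers that still honor this legacy header (Firefox-based browsers, including Tor Browser, ignore it)
add_header X-XSS-Protection "1; mode=block";

#Reduce potential for buffer overflow attacks by capping request sizes (request bodies over 1k are rejected with 413, so raise client_max_body_size if the site accepts larger POSTs)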
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;

nano /etc/nginx/sites-available/default

## Use the configuration you want. This is a simple example

server {
        # For the line below, you could set a TCP port instead, but I prefer a unix socket. You must, however, remove the .sock file before each restart of nginx in the future
        listen unix:/var/run/nameofservice.sock;
        server_name nameofmyservice.org ;
        root /location/of/my/site ;
        index index.html index.htm ;
        location / {
                try_files $uri $uri/ =404 ;
        }
}

## You could optionally add this in the above server block to block some types of HTTP requests

if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 405;
}

nano /lib/systemd/system/nginx.service

## Add this below [Service] to contain nginx within its own private network namespace with only a loopback interface
PrivateNetwork=yes

systemctl daemon-reload
systemctl restart nginx
systemctl status nginx

nano /etc/tor/torrc

#If you want logs
Log notice file /var/log/tor/log

# Not needed, but you can set this. The default location for files such as keys is $HOME/.tor .
DataDirectory /var/lib/tor

RunAsDaemon 1
HiddenServiceDir /var/lib/tor/nameofmyservice/
HiddenServicePort 80 unix:/var/run/nameofservice.sock

systemctl restart tor
#Get the address of your service
cat /var/lib/tor/nameofmyservice/hostname

#Go back to /etc/nginx/sites-available/default to change server_name to this address if you want to

#restarting nginx
systemctl stop nginx
rm /var/run/nameofservice.sock
systemctl start nginx

Within a minute or so, your service should be reachable on the Tor network.
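
A consistency check for the two files edited above, as an added example that is not part of the original guide: it flags any TCP `listen` left in the nginx site file and any `HiddenServicePort` target that nginx does not listen on (an easy slip between `nameofservice` and `nameofmyservice`). The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Audits the nginx site file and torrc.

# Print each nginx "listen" target, one per line (comments stripped).
nginx_listens() {
    sed 's/#.*//' "$1" | awk '$1 == "listen" { sub(/;.*/, "", $2); print $2 }'
}

# Print each HiddenServicePort target (the third field) from a torrc.
tor_targets() {
    sed 's/#.*//' "$1" | awk '$1 == "HiddenServicePort" { print $3 }'
}

# audit_onion SITE_CONF TORRC: prints findings, returns how many there were.
audit_onion() {
    findings=0
    listens=$(nginx_listens "$1")
    targets=$(tor_targets "$2")
    for l in $listens; do
        case $l in
            unix:*) ;;
            *) echo "FINDING: nginx has a TCP listener '$l'; this setup expects only the unix socket"
               findings=$((findings + 1)) ;;
        esac
    done
    if [ -z "$targets" ]; then
        echo "FINDING: no HiddenServicePort target in $2"
        findings=$((findings + 1))
    fi
    for t in $targets; do
        if ! printf '%s\n' "$listens" | grep -qxF -- "$t"; then
            echo "FINDING: tor forwards to '$t' but nginx does not listen there"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Constructed sample files (hypothetical contents) written into directory $1.
make_samples() {
    printf 'server {\n  listen unix:/var/run/nameofservice.sock;\n}\n' > "$1/good.conf"
    printf 'server {\n  listen 80 default_server;\n  listen unix:/var/run/nameofmyservice.sock; # typo\n}\n' > "$1/bad.conf"
    printf 'HiddenServiceDir /var/lib/tor/nameofmyservice/\nHiddenServicePort 80 unix:/var/run/nameofservice.sock\n' > "$1/torrc"
}

# When run with two arguments, audit the real files.
if [ "$#" -eq 2 ]; then audit_onion "$1" "$2"; fi
```

Saved under a name of your choice, it takes the site file and the torrc as arguments, for example /etc/nginx/sites-available/default and /etc/tor/torrc; the exit status is the number of findings.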