Hosting Tor hidden services (.onion sites) enables anonymous publishing resistant to censorship and surveillance. This guide covers technical setup, security hardening, operational security, and maintenance of hidden services. Hosting hidden services carries significant responsibility and risk requiring careful implementation.

Understanding Hidden Services

How They Work

A hidden service builds Tor circuits to a few relays it chooses as introduction points and publishes them in a signed descriptor. When a user opens your .onion address, their client picks a rendezvous point and both sides build circuits to it, so client and server meet without either learning the other's IP address. Your server's location stays hidden from visitors and from network observers.

The .onion address is derived cryptographically from the service's public key. Version 3 (v3) addresses are 56 characters long and provide stronger security than the older 16-character v2 addresses, which are now deprecated.

Why Host Hidden Services

Legitimate uses include: whistleblowing platforms, privacy-focused services, censorship-resistant publishing, anonymous communication tools, and protecting server location from DDoS attacks. Hidden services enable free speech in repressive environments.

Legal Warning: Hosting hidden services for illegal purposes risks serious legal consequences. This guide is educational. Understand laws in your jurisdiction before hosting anything controversial or illegal.

Basic Setup

Requirements

You need: a Linux server (Debian/Ubuntu recommended), root/sudo access, a reliable internet connection, Tor installed, a web server (Nginx/Apache), and basic Linux administration skills. Budget $5-20/month for a VPS, or use dedicated hardware at a secure location.

Installing Tor

Debian/Ubuntu: add the Tor Project repository together with its signing key, update, then install. Commands:

sudo apt install apt-transport-https gnupg curl
curl -fsSL https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | sudo tee /usr/share/keyrings/deb.torproject.org-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/deb.torproject.org-keyring.gpg] https://deb.torproject.org/torproject.org $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tor.list
sudo apt update && sudo apt install tor deb.torproject.org-keyring

The key is stored in a dedicated keyring and referenced with signed-by because apt-key is removed from current Debian and Ubuntu releases.

Configuring Hidden Service

Edit the /etc/tor/torrc file and add the hidden service configuration:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

This creates a hidden service whose virtual port 80 is forwarded to the local web server on 127.0.0.1:8080. Restart Tor: sudo systemctl restart tor

Getting Your .onion Address

After restart, check: sudo cat /var/lib/tor/hidden_service/hostname

This displays your v3 .onion address. Save it - it is your site's permanent URL. The private keys are stored in the same directory - protect these files!

Web Server Configuration

Nginx Setup

Install: sudo apt install nginx

Create config /etc/nginx/sites-available/hidden-service:

server {
  listen 127.0.0.1:8080;
  server_name your-address.onion;
  root /var/www/hidden-service;
  index index.html;
}

Enable the site and restart Nginx:

sudo ln -s /etc/nginx/sites-available/hidden-service /etc/nginx/sites-enabled/
sudo systemctl restart nginx

Apache Setup Alternative

Install: sudo apt install apache2

Configure VirtualHost listening on 127.0.0.1:8080. Similar principles to Nginx but different syntax.

Security Hardening

Firewall Configuration

Block all incoming traffic; an onion service needs no inbound ports at all, because Tor only makes outbound connections to the network:

sudo ufw default deny incoming
sudo ufw allow out 9001/tcp
sudo ufw enable

9001 is the most common relay ORPort, but guard relays also listen on 443 and other ports, so leave ufw's default allow-outgoing policy in place rather than restricting egress to 9001 alone.

Never expose the web server ports (80/443/8080) to the internet. They should be reachable only on localhost, where Tor forwards connections to them.

Server Isolation

Run hidden service in isolated environment. Use dedicated VPS or dedicated hardware. Don't mix with clearnet services or personal accounts. Each hidden service should have separate server when possible.

Disable Logging

Minimize logs that could deanonymize visitors or you. Nginx: add access_log off; to the config. Apache: CustomLog /dev/null combined. Tor: logging is already minimal by default, but verify that /etc/tor/torrc does not enable verbose logging.

Remove Identifying Information

Web server headers reveal software versions. Nginx: Add server_tokens off;. Apache: ServerTokens Prod and ServerSignature Off. Remove any default pages or error pages mentioning server software.

File Permissions

Restrict Tor key directory: sudo chmod 700 /var/lib/tor/hidden_service/
sudo chown -R debian-tor:debian-tor /var/lib/tor/hidden_service/

Web files should be owned by www-data (Nginx) or apache user, not your personal account.

Defense in Depth: Assume multiple layers will be breached. Each security measure reduces attack surface even if others fail. Don't rely on single protection.

Operational Security

Payment Anonymity

If using VPS, pay with cryptocurrency through Tor. Never use credit cards or PayPal linked to real identity. Monero provides better payment anonymity than Bitcoin.

Use privacy-focused VPS providers accepting crypto: Njalla, 1984 Hosting, or others with strong privacy commitments.

Registration Information

Register VPS with anonymous email (ProtonMail through Tor). Use fake but plausible registration details. Never reuse information across services.

Accessing Your Server

Always access the server through Tor. Route SSH through the local Tor SOCKS port by adding to ~/.ssh/config on the admin machine (the -X/-x options require the OpenBSD netcat, package netcat-openbsd, and a Tor client with SocksPort 9050 running there):

Host hidden-server
  Hostname server-ip
  ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p

Then connect: ssh -i key user@hidden-server

Separate Identities

Never log into server from personal IP. Never access from same location as personal activities. Maintain strict separation between admin identity and personal identity.

Advanced Configuration

Multiple Hidden Services

Host multiple sites on one server by adding more HiddenServiceDir entries in torrc. Each gets unique .onion address. Useful for compartmentalization.

Client Authentication

Restrict access to specific clients using v3 client authorization. It is configured with key files, not a torrc directive: HiddenServiceAuthorizeClient belonged to the removed v2 protocol and is not valid for v3 services. The torrc entry stays an ordinary service:

HiddenServiceDir /var/lib/tor/private_service/
HiddenServicePort 80 127.0.0.1:8080

Then generate an x25519 key pair for each client and place the public half in the service directory as /var/lib/tor/private_service/authorized_clients/client1.auth, a single line of the form:

descriptor:x25519:<client1 public key, base32 without padding>

Restart Tor. The client puts the matching private key in a file named client1.auth_private inside the directory named by ClientOnionAuthDir in its own torrc, containing <address without .onion>:descriptor:x25519:<private key>. Tor then publishes a descriptor that only holders of an authorized key can decrypt, so the service is unreachable for everyone else.
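The following script generates one client's x25519 key pair and writes the two files described above, the server-side .auth line and the client-side .auth_private line. It is an added example and not code from this guide or from the Tor Project; the paths, the client name client1 and the placeholder address are illustrative. X25519 is implemented in pure Python as a direct port of the RFC 7748 ladder so the script needs no third-party packages; that port is not constant-time, which is acceptable for an offline key generator but not for anything that handles keys under an attacker's timing. For production use the openssl commands from the Tor manual or the cryptography package instead.

```python
"""Key pair and auth files for v3 onion-service client authorization (added example)."""
import base64
import secrets
from pathlib import Path

P = 2**255 - 19
A24 = 121665                      # (486662 - 2) / 4, the Montgomery ladder constant
BASE_POINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    """Scalar multiplication on Curve25519, 32-byte little-endian in and out (RFC 7748 section 5)."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                  # plain conditional swap; the RFC uses a constant-time cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def _b32(raw: bytes) -> str:
    # Tor expects unpadded upper-case base32: 52 characters for a 32-byte key.
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def parse_auth_line(line: str) -> bytes:
    """Decode the key from a 'descriptor:x25519:<b32>' or '<onion>:descriptor:x25519:<b32>' line."""
    b32 = line.strip().split(":")[-1]
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def format_auth_lines(onion_address: str, priv: bytes, pub: bytes) -> tuple[str, str]:
    """Server-side .auth line and client-side .auth_private line for one key pair."""
    onion = onion_address.strip().removesuffix(".onion")   # the private line omits ".onion"
    return f"descriptor:x25519:{_b32(pub)}", f"{onion}:descriptor:x25519:{_b32(priv)}"


def generate_client_auth(onion_address: str) -> tuple[str, str]:
    priv = secrets.token_bytes(32)        # stored raw; clamping happens inside x25519, as in openssl
    return format_auth_lines(onion_address, priv, x25519(priv, BASE_POINT))


def self_test() -> bool:
    """Known-answer check against the RFC 7748 section 6.1 Diffie-Hellman vector (Alice's keys)."""
    alice_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    alice_pub = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
    return x25519(alice_priv, BASE_POINT) == alice_pub


def write_auth_files(onion_address: str, service_dir: Path, client_auth_dir: Path, name: str) -> None:
    """Write <service_dir>/authorized_clients/<name>.auth and <client_auth_dir>/<name>.auth_private."""
    server_line, client_line = generate_client_auth(onion_address)
    auth_dir = service_dir / "authorized_clients"
    auth_dir.mkdir(parents=True, exist_ok=True)
    (auth_dir / f"{name}.auth").write_text(server_line + "\n")
    client_auth_dir.mkdir(parents=True, exist_ok=True)
    (client_auth_dir / f"{name}.auth_private").write_text(client_line + "\n")


if __name__ == "__main__":
    assert self_test(), "X25519 port failed its known-answer test"
    # Illustrative paths: the real service dir is the HiddenServiceDir (owned by debian-tor, mode 700)
    # and the client dir is whatever the client's torrc names in ClientOnionAuthDir.
    write_auth_files("replace-with-your-56-char-address.onion",
                     Path("./demo_service"), Path("./demo_client_auth"), "client1")
```

In a real deployment the client generates the pair and sends you only the public line; the .auth_private file never leaves the client's machine. After copying the .auth file into authorized_clients, restart Tor on the server and confirm the directory is still owned by debian-tor with mode 700.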

Load Balancing

For high-traffic services, use multiple backend servers with load balancer. OnionBalance distributes load across multiple Tor instances while maintaining single .onion address.

Monitoring and Uptime

Monitor service availability through a separate Tor connection and set up alerts for downtime. Do not use clearnet monitoring that pings your server's IP address; that defeats the purpose of anonymity.

Common Mistakes

IP Leaks

Most common mistake: Web application makes clearnet requests revealing server IP. Ensure all external resources load through Tor. No CDNs, external images, or API calls to clearnet services.
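A quick way to catch the client-side half of this mistake before publishing is to scan your HTML for resources that would be fetched from the clearnet. The checker below is an added example, not part of the guide; it parses the attributes that make a browser load a URL automatically and reports any absolute URL whose host is not a .onion address. The sample page and its hostnames are constructed for the demonstration. Inline CSS url(...) values and JavaScript fetches live outside HTML attributes and need a separate check.

```python
"""Find HTML resource references that would be fetched from the clearnet (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose URL is loaded without a click; <a>/<area> href is navigation and is skipped.
AUTO_LOAD_ATTRS = {"src", "href", "poster", "data", "srcset"}
NAVIGATION_TAGS = {"a", "area"}


class ClearnetRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url, host)

    def handle_starttag(self, tag, attrs):
        if tag in NAVIGATION_TAGS:
            return
        for name, value in attrs:
            if value is None or name not in AUTO_LOAD_ATTRS:
                continue
            if name == "srcset":  # "url descriptor, url descriptor, ...": take each URL
                urls = [part.strip().split()[0] for part in value.split(",") if part.strip()]
            else:
                urls = [value]
            for url in urls:
                host = urlsplit(url).hostname
                if host is None:                    # relative path, fragment, data: or mailto:
                    continue
                if host.lower().endswith(".onion"):  # reached through Tor, no clearnet hop
                    continue
                self.findings.append((tag, name, url, host))


def find_clearnet_refs(html: str) -> list:
    """Return (tag, attribute, url, host) for every automatically loaded clearnet resource."""
    parser = ClearnetRefFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: local assets, one onion-hosted image, four clearnet loads, one plain link.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="https://cdn.example.com/bootstrap.css">
<script src="//ajax.example.net/jquery.js"></script>
</head><body>
<img src="images/logo.png">
<img src="http://tracker.example.org/pixel.gif">
<img src="http://%s.onion/banner.png">
<img srcset="/img/hero.png 1x, https://img.example.com/hero@2x.png 2x">
<a href="https://example.com">external link</a>
</body></html>""" % ("a" * 56)


if __name__ == "__main__":
    for tag, attr, url, host in find_clearnet_refs(SAMPLE_HTML):
        print(f"<{tag} {attr}> loads from clearnet host {host}: {url}")
```

Run it over every generated page before deploying (for example by feeding each file in the web root to find_clearnet_refs); any finding is a resource that visitors' browsers would fetch outside Tor and, if your own server-side code fetches it too, a direct IP leak.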

Clearnet Fallback

Applications configured with clearnet DNS can leak. Disable all DNS except Tor's internal resolution. Use DNSPort 53 in torrc and configure apps to use 127.0.0.1:53.
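The availability check from the Monitoring and Uptime section and the DNS point above meet in one place: the monitor must hand the .onion hostname to Tor inside the SOCKS5 request (address type 0x03, domain name) rather than resolving it locally, otherwise the check itself produces a DNS leak. The script below is an added example, not part of the guide; it assumes a Tor client with SocksPort 9050 on the monitoring machine (not the service's own Tor) and speaks SOCKS5 directly so that no library performs a local lookup.

```python
"""Availability check for an onion service through Tor's SOCKS5 port (added example)."""
import socket

SOCKS_VER = 0x05
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request carrying the hostname itself, so Tor resolves it (no local DNS)."""
    name = host.encode("ascii")
    if not 0 < len(name) < 256:
        raise ValueError("SOCKS5 domain names are limited to 255 bytes")
    if not 0 < port < 65536:
        raise ValueError("invalid port")
    return bytes([SOCKS_VER, 0x01, 0x00, ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big")


def parse_socks5_reply(header: bytes) -> tuple:
    """Return (REP code, bytes of bound address still to read; -1 means a length byte comes first)."""
    if len(header) != 4 or header[0] != SOCKS_VER:
        raise ValueError("not a SOCKS5 reply")
    rep, atyp = header[1], header[3]
    if atyp == ATYP_IPV4:
        return rep, 4 + 2
    if atyp == ATYP_IPV6:
        return rep, 16 + 2
    if atyp == ATYP_DOMAIN:
        return rep, -1
    raise ValueError("unknown address type")


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def check_onion(onion_host: str, port: int = 80, socks=("127.0.0.1", 9050), timeout: float = 90) -> bool:
    """True if an HTTP status line comes back from the service via Tor; False on any failure."""
    try:
        with socket.create_connection(socks, timeout=timeout) as s:
            s.sendall(bytes([SOCKS_VER, 0x01, 0x00]))          # offer only "no authentication"
            if _recv_exact(s, 2) != bytes([SOCKS_VER, 0x00]):
                return False
            s.sendall(socks5_connect_request(onion_host, port))
            rep, rest = parse_socks5_reply(_recv_exact(s, 4))
            if rest == -1:
                rest = _recv_exact(s, 1)[0] + 2
            _recv_exact(s, rest)                                # discard BND.ADDR and BND.PORT
            if rep != 0x00:                                     # Tor could not reach the service
                return False
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + onion_host.encode("ascii") + b"\r\n\r\n")
            return _recv_exact(s, 8).startswith(b"HTTP/1.")
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    # Placeholder address; run from a machine that is not the service host.
    target = "replace-with-your-56-char-address.onion"
    print("up" if check_onion(target) else "DOWN")
```

Schedule it from cron on the monitoring host and alert when check_onion returns False several times in a row; a single failure is common because onion circuits take time to build. A nonzero REP code from Tor means the rendezvous failed, which is the signal that matters, while a refused TCP connection to 127.0.0.1:9050 means the local Tor client is not running.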

Time Synchronization

NTP queries can leak server location. Use Tor-aware time sync or tlsdate. Disable standard ntpd.

Metadata Exposure

Uploaded files, error messages, and database exports can contain identifying information. Sanitize all user-generated content.

Scaling and Performance

Tor Performance Limitations

Hidden services are slower than clearnet. Expect higher latency and lower throughput. Optimize ruthlessly: compress assets, minimize requests, use caching.

Database Configuration

For database-driven sites, MySQL/PostgreSQL should listen only on localhost. Never expose to network. Use Unix sockets when possible.

Static vs Dynamic

Static sites perform better and have smaller attack surface. Use static site generators when possible. Dynamic sites require additional security considerations.

Backup and Recovery

Private Key Backup

Backup /var/lib/tor/hidden_service/ directory containing private keys. Losing keys means losing .onion address permanently. Store encrypted backups offline in multiple locations.

Configuration Backup

Backup torrc, web server configs, and application data. Document your setup for recovery after failures.

Migration Planning

Plan for server migrations. Test restore procedures. Ensure you can rebuild service quickly if needed.

Legal and Ethical Considerations

Know Your Jurisdiction

Hidden service hosting legality varies by country and content. Hosting location matters - choose jurisdictions with strong speech protections when possible.

Content Responsibility

You're responsible for hosted content legally and ethically. Consider moderation policies, illegal content detection, and abuse prevention.

Exit Strategy

Have plan for shutting down service if needed. How will you notify users? What happens to stored data? Clean shutdown prevents loose ends.

Specialized Use Cases

File Sharing Services

Use OnionShare for simple file sharing. For permanent services, implement upload size limits, malware scanning, and abuse reporting.

Chat/Forum Services

Matrix servers, XMPP servers, or forum software work over Tor. Each has specific configuration needs for hidden service operation.

Cryptocurrency Services

Wallets, exchanges, or payment processors require special attention to security. Financial services are high-value targets.

Maintenance

Updates

Keep everything updated: Tor, web server, OS, applications. Subscribe to security mailing lists. Apply critical patches immediately.

Security Audits

Regularly audit configuration, check logs for anomalies, verify firewall rules, and test security measures. Assume compromise and look for evidence.

Community Feedback

Monitor community discussions about your service. Users often report issues or security concerns before you notice internally.

Final Thoughts

Hosting hidden services enables anonymous publishing but requires serious commitment to security and operational discipline. Every mistake can compromise anonymity permanently. Start small, learn thoroughly, and expand carefully.

The technical setup is straightforward but maintaining security over time is challenging. Assume adversaries are sophisticated and persistent. Your security is only as strong as your weakest moment of attention.