Build an Onion Site - Anonymous Hosting Tutorial

// What You'll Learn

Tor - Configure the Tor daemon for hidden services
Linux Server Administration - Secure server hardening
nginx - Configure web server for onion access
Operational Security (OpSec) - Practices that keep you anonymous
Privacy Architecture - How onion routing works

How Onion Sites Work

When you host an onion site, here's what happens:

Your server connects to Tor - It establishes "introduction points" on the Tor network
Tor gives you an .onion address - A unique, randomly generated address like "abc123.onion"
Visitors use Tor to connect - Their traffic bounces through multiple relays
Circuit is created through relays - Neither the visitor nor your server knows the other's IP
End-to-end encryption - Multiple layers of encryption protect the connection

The magic is that your server never reveals its IP address to visitors. The entire connection path goes through Tor relays, each only knowing the previous and next hop.

⚠️ IMPORTANT: LEGAL NOTICE

Onion sites have legitimate privacy uses. However, they can also be used for illegal activities. This tutorial is for:

Protecting journalistic sources
Organizing activist movements
Privacy-respecting communication
Running services without revealing your location

Do not use this tutorial for illegal purposes. Know the laws in your jurisdiction.

Prerequisites

Linux Fundamentals
Completed at least one project tutorial (Blog, Pastebin, or File Share)
VPS Hosting
Tor Browser (for testing)

// Part 1: Prepare Your Anonymous VPS

For true anonymity, how you acquire and configure your VPS matters. This section covers setting up a VPS that won't be traceable to you.

1.1 VPS Acquisition (OpSec)

Before you provision your VPS, consider these OpSec principles:

Pay anonymously - Use cryptocurrency (Monero is best, Bitcoin with mixing works)
Don't use your real info - Use a pseudonym for all account details
Don't link to your identity - Don't log in from your home IP
Use a privacy-friendly host - Some hosts have better privacy policies

1.2 Initial Server Setup

Connect to your VPS (ideally from a location/network not tied to you):

$ ssh your-user@your-vps-ip

1.3 Create a Dedicated User

Don't run your onion site as root. Create a dedicated user:

your-user@vps:~$ sudo adduser onion
# Create a user named "onion" with a strong password

your-user@vps:~$ sudo usermod -aG docker onion
# Add onion user to docker group (if using Docker)

1.4 Install Docker

your-user@vps:~$ sudo apt update && sudo apt install -y apt-transport-https ca-certificates curl gnupg lsb-release

your-user@vps:~$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg

your-user@vps:~$ echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

your-user@vps:~$ sudo apt update && sudo apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin

1.5 Configure Firewall (Minimal)

For an onion site, you don't need to expose any ports to the regular internet. The Tor network handles all connections:

your-user@vps:~$ sudo ufw disable
# Disable firewall - Tor handles network access

Why No Firewall?

Your server only needs to connect to the Tor network. The Tor daemon manages all external connections. Traditional firewall rules aren't needed because:

No incoming connections from the regular internet
All traffic flows through Tor's encrypted tunnels
Your server's real IP is never exposed

// Part 2: Configure Tor for Hidden Service

2.1 Install Tor

your-user@vps:~$ sudo apt install -y tor

2.2 Configure Tor Hidden Service

Create the Tor configuration file:

your-user@vps:~$ sudo cat > /etc/tor/torrc << 'EOF'
# Hidden Service Configuration

# Enable the onion service
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:8080

# Security settings
ExcludeExitNodes {us},{gb},{ca},{au},{nz}
StrictNodes 1

# Don't log anything
Log notice stdout
EOF

Configuration Explained

HiddenServiceDir - Where Tor stores your private key and hostname
HiddenServicePort 80 127.0.0.1:8080 - Forward port 80 (onion) to localhost:8080 (your web server)
ExcludeExitNodes - Avoid routing through Five Eyes countries (US, UK, Canada, Australia, New Zealand)
StrictNodes 1 - Always respect the excluded nodes
Log notice stdout - Minimal logging

2.3 Set Permissions

your-user@vps:~$ sudo chown -R debian-tor:debian-tor /var/lib/tor/onion_service/
your-user@vps:~$ sudo chmod 700 /var/lib/tor/onion_service/

2.4 Start Tor

your-user@vps:~$ sudo systemctl start tor
your-user@vps:~$ sudo systemctl enable tor

2.5 Get Your Onion Address

your-user@vps:~$ sudo cat /var/lib/tor/onion_service/hostname
abcdef1234567890.onion

Save this address! It's your unique onion URL. The private key in that directory is the only proof of identity for your site. Back it up securely.

⚠️ CRITICAL: BACKUP YOUR PRIVATE KEY

The private key in /var/lib/tor/onion_service/ is the only way to prove you own this onion address. If you lose it, your address is gone forever.

Backup steps:

Copy the private key to a secure location (encrypted USB, password manager)
Never share it with anyone
Consider keeping offline backups

// Part 3: Operational Security (OpSec)

OpSec is the practice of keeping your anonymity intact. Technology alone isn't enough - you must also change your habits.

3.1 Server OpSec

your-user@vps:~$ sudo cat > /etc/tor/torrc << 'EOF'
# Hidden Service Configuration
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:8080

# Avoid certain countries
ExcludeExitNodes {us},{gb},{ca},{au},{nz},{de},{fr}
StrictNodes 1

# Reduce information leakage
DisableDebugger 1
DisableNetwork 0

# Logging - minimal
Log notice stdout
EOF

3.2 Disable SSH Password Auth (Use Keys Only)

your-user@vps:~$ sudo cat /etc/ssh/sshd_config | grep -E "^(PermitRootLogin|PubkeyAuthentication|PasswordAuthentication)"
# Check current settings

your-user@vps:~$ sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
your-user@vps:~$ sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
your-user@vps:~$ sudo systemctl restart sshd

3.3 Disable System Logs

System logs can reveal information about your server. Configure minimal logging:

your-user@vps:~$ sudo systemctl stop rsyslog
your-user@vps:~$ sudo systemctl disable rsyslog

3.4 Remove Unnecessary Services

your-user@vps:~$ sudo apt remove --purge -y unattended-upgrades update-notifier
# Remove auto-update services that connect externally

3.5 Personal OpSec Rules

Follow these rules to maintain anonymity:

Don't access your onion site from your home IP - Use Tor Browser to connect to your own site
Don't discuss your onion site on regular social media - Use only secure, encrypted channels
Don't use the same nickname everywhere - Create separate identities for separate projects
Don't run other services on the same VPS - Keep your onion site isolated
Don't accept donations that can be traced - Use Monero for anonymous payments
Don't update from the server - Build Docker images elsewhere and pull them

The Golden Rule of Onion OpSec

Imagine everything you do will be exposed. Because it might be. Don't do anything online that you wouldn't be comfortable seeing on the front page of a newspaper.

// Part 4: Deploy Your Onion Site

Now let's run your web server. It will only be accessible through Tor.

4.1 Create Your Website

Create a simple HTML page that will be served over Tor:

your-user@vps:~$ mkdir -p ~/onion-site && cd ~/onion-site
your-user@vps:~$ cat > index.html << 'EOF'
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Welcome to My Onion Site</title>
    <style>
        body {
            font-family: -apple-system, BlinkMacSystemFont, sans-serif;
            max-width: 600px;
            margin: 50px auto;
            padding: 20px;
            background: #1a1a1a;
            color: #e0e0e0;
        }
        h1 { border-bottom: 1px solid #333; padding-bottom: 10px; }
        .info { background: #252525; padding: 15px; border-left: 3px solid #00ff00; }
    </style>
</head>
<body>
    <h1>🧅 Welcome to My Onion Site</h1>
    <div class="info">
        <p><strong>You're accessing this site through Tor.</strong></p>
        <p>Your IP address was not logged.</p>
        <p>This server's location is hidden.</p>
    </div>
    <p>This is a demonstration of a simple onion site running on a Tor hidden service.</p>
</body>
</html>
EOF

4.2 Configure nginx (Docker)

your-user@vps:~$ cat > docker-compose.yml << 'EOF'
version: '3.8'

services:
  nginx:
    image: nginx:alpine
    container_name: onion-nginx
    ports:
      - "127.0.0.1:8080:80"
    volumes:
      - ./:/usr/share/nginx/html:ro
    restart: unless-stopped
    networks:
      - onion-net

networks:
  onion-net:
    driver: bridge
EOF

4.3 Start the Web Server

your-user@vps:~$ docker-compose up -d

4.4 Test Locally

your-user@vps:~$ curl http://127.0.0.1:8080
# Should return your HTML page

4.5 Test Through Tor

On your local machine (NOT from your home IP if possible), open Tor Browser and visit your onion address:

Visit: http://abcdef1234567890.onion

(Replace with your actual onion address from Step 2.5)

Your site is now live on the Tor network!

4.6 Let Visitors Know About Your Onion Site

To help Tor Browser users discover your onion site, add a meta tag to each HTML page on your regular (clearnet) website. When visitors using Tor Browser load a page, they'll see a purple onion icon in the address bar.

Add this to the <head> section of each HTML file:

<meta http-equiv="onion-location" content="http://your-onion-address.onion/path/to/page.html" />

Each page needs its own meta tag pointing to the corresponding page on your onion site. For example:

Homepage: content="http://your-onion.onion/"
About page: content="http://your-onion.onion/about.html"
Blog post: content="http://your-onion.onion/blog/my-post.html"

Why This Matters

The Onion-Location meta tag:

Shows visitors your onion site exists
Provides a verified onion indicator in Tor Browser
Helps privacy-conscious users find your site via Tor
Works for both HTTP and HTTPS versions of your site

// Part 5: Advanced Hardening

5.1 Verify No IP Leaks

Ensure your nginx doesn't leak information:

your-user@vps:~$ cat > nginx.conf << 'EOF'
server {
    listen 80;
    server_name localhost;
    root /usr/share/nginx/html;
    index index.html;

    # Don't reveal server version
    server_tokens off;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    # No access logs (Tor handles this)
    access_log /dev/null;
    error_log /dev/null;
}
EOF

5.2 Use Whonix Gateway (Advanced)

For maximum OpSec, run your onion site inside Whonix:

Whonix - A privacy-focused OS that routes all traffic through Tor
Isolates your VPS - Even if your server is compromised, your real IP remains hidden
Gateway + Workstation - Traffic flows: VPS → Whonix Gateway → Tor → Internet

5.3 Multiple Onion Services

You can run multiple onion sites from the same server:

your-user@vps:~$ sudo cat >> /etc/tor/torrc << 'EOF'

# Second onion service
HiddenServiceDir /var/lib/tor/onion_service_2/
HiddenServicePort 80 127.0.0.1:8081
EOF

your-user@vps:~$ sudo systemctl restart tor
your-user@vps:~$ sudo cat /var/lib/tor/onion_service_2/hostname

// Summary

You've created an anonymous onion site!

Hidden service - Accessible only through Tor
IP hidden - Visitors and server never see each other's IPs
Private key - Your identity is protected by cryptography
OpSec practices - Habits that maintain your anonymity

Remember:

Backup your private key
Never access your site from your real IP
Use separate identities for separate projects
Technology isn't enough - OpSec mindset matters

Onion sites are one of the most powerful tools for digital privacy. Use them responsibly.

The revolution will not be proprietary.