DEV Community

David Álvarez Rosa
David Álvarez Rosa

Posted on • Originally published at david.alvarezrosa.com

Self-Hosting on the Dark Web

#infrastructure #networking #privacy #security

This site is now reachable over Tor as a hidden service, at a .onion address that resolves only inside the Tor network.1 Tor relays and encrypts your traffic as it passes through thousands of volunteer-run servers, so that no single party can link who you are to what you are doing; a hidden service extends that anonymity to the server itself.

It's built by the nonprofit Tor Project, which advances human rights and freedoms through free software and open networks, so that anyone can use the internet free from tracking, surveillance, and censorship. The network only works because people use it, so consider supporting them or running a relay---your contribution helps millions stay safe and private online every day.

The hidden service

Install Tor and point a hidden service at a local port. Edit /etc/tor/torrc

HiddenServiceDir /var/lib/tor/blog/
HiddenServicePort 80 127.0.0.1:8080
Enter fullscreen mode Exit fullscreen mode

The directory must be a dedicated, Tor-owned path---not your web root.2 Restart Tor and read the address it generates

$ sudo systemctl restart tor@default
$ sudo cat /var/lib/tor/blog/hostname
dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion
Enter fullscreen mode Exit fullscreen mode

Serving the site

Tor forwards the onion's port 80 to 127.0.0.1:8080, so the web server just needs to listen there. Add an nginx server block for it---no TLS, no HTTP/2, no QUIC, since Tor speaks plain TCP and provides its own encryption.

server {
  listen 127.0.0.1:8080;
  server_name dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion;

  root /srv/tor.david.alvarezrosa.com;
  index index.html;
  error_page 404 /404/index.html;

  location / {
    try_files $uri $uri/ =404;
  }
}
Enter fullscreen mode Exit fullscreen mode

Reload nginx and the site is live on Tor.

Building for the onion

A static site bakes its base URL into absolute links, so a clearnet build would point visitors back to the clearnet domain even when served over Tor. The fix is to build a second copy with the onion as its base URL

$ hugo --minify --baseURL="http://dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion/"
Enter fullscreen mode Exit fullscreen mode

The deploy pipeline does this automatically: every push builds the site once per target---clearnet and Tor---and rsyncs each to its own web root, so the two stay in sync without any manual work.3

That's it. Read this site over Tor at dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion.

  1. Open it in the Tor Browser. There is no certificate authority, no DNS, and no exposed IP---the address is derived directly from a public key, and the connection is end-to-end encrypted by Tor itself. 

  2. Tor stores the service's private key and hostname file here and insists on owning it (chmod 700, user debian-tor). Point it at your site files and Tor refuses to start. 

  3. See First Steps on a New Server for the underlying machine; the full configuration lives in my homelab repository, and the site's own repository holds the GitHub Actions workflow that builds and deploys the Tor copy. 

Top comments (0)