DEV Community

Lag Lagendary

Creating a Universal Hybrid Resource (Clearnet + Darknet). ||V2.0||

This architecture allows a single website to operate in two modes simultaneously:
Clearnet (High Speed): Uses a global CDN network to accelerate and obfuscate traffic (DPI protection).
Darknet (High Availability): Uses the Tor network for access in conditions of total censorship.
Step 1: Preparing the Infrastructure
You will need:
VPS (Virtual Private Server): Preferably outside the jurisdiction where blocking is expected. (Ubuntu 22.04/24.04).
Domain name: (e.g., mysuperfastsite.com).
Cloudflare account: The free plan is sufficient.
Step 2: Setting up "Speed Shield" (Cloudflare)
This provides the "Clearnet" part: speed and protection from IP blocking.
Delegation: Transfer your domain's NS records to Cloudflare.
DNS Settings:
Create an A record for your domain pointing to your VPS's IP.
Important: Set the Proxy status switch to Proxied (Orange cloud). Now the world sees Cloudflare's IP, not yours.
SSL/TLS (Encryption):
In the SSL/TLS section, select Full (Strict).
Generate an Origin Certificate in the Cloudflare panel (SSL/TLS -> Origin Server -> Create Certificate). Save the .pem (certificate) and .key (key) on your server.
Network (Speed):
Enable HTTP/3 (QUIC) and 0-RTT for maximum loading speed.
Step 3: Configure "Shadow Gateway" (Tor)
This enables access from the Dark Web.
Install Tor:
    sudo apt update && sudo apt install tor -y
Configure Hidden Service:
Open the /etc/tor/torrc file:

Uncomment or add the following lines:

    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080
Here we tell Tor to forward requests from the Onion address to local port 8080.
Restart and obtain the address:
    sudo systemctl restart tor
    sudo cat /var/lib/tor/hidden_service/hostname
Save the resulting .onion address.
Step 4: Configure the "Engine" (Nginx)
Nginx will be the "glue" that connects both worlds and ensures VLESS functionality (if you choose to add it as an option).
Installation: sudo apt install nginx -y
Configuration (/etc/nginx/sites-available/default):
    server {
        # --- BLOCK 1: DARKNET (TOR) ---
        # Listen on local port 8080, where Tor forwards traffic
        listen 127.0.0.1:8080;
        server_name localhost;

        # Disable logging for anonymity (optional)
        access_log off;
        error_log /dev/null;

        # Website root folder
        root /var/www/html;
        index index.html;

        location / {
            try_files $uri $uri/ =404;
            # Add a header to let you know the user came through TOR
            add_header X-Entrance "Darknet-Tor";
        }
    }

    server {
        # --- BLOCK 2: CLEARNET (CLOUDFLARE + VLESS WSS) ---
        # Listening on port 443 with SSL
        listen 443 ssl http2;
        server_name mysuperfastsite.com;

        # SSL certificates from Cloudflare (Origin Cert)
        ssl_certificate /etc/ssl/certs/cf_origin_cert.pem;
        ssl_certificate_key /etc/ssl/private/cf_origin_key.key;

        # SSL optimization
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;

        root /var/www/html;
        index index.html;

        # 1. Regular website (cloaking and content)
        location / {
            try_files $uri $uri/ =404;
            add_header X-Entrance "Clearnet-Cloudflare";
        }

        # 2. Secret path for VLESS/V2Ray (Websocket)
        # This is a "Tunnel" for those who even have Cloudflare blocked
        location /mysecretpath {
            if ($http_upgrade != "websocket") {
                return 404;
            }
            proxy_redirect off;
            # Redirect to the local Xray/V2Ray port (needs to be set separately)
            proxy_pass http://127.0.0.1:10000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    # Redirect from HTTP to HTTPS (Clearnet only)
    server {
        listen 80;
        server_name mysuperfastsite.com;
        return 301 https://$host$request_uri;
    }
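
A check worth running after reloading Nginx, added here as an example and not part of the original post: the Tor backend (8080) and the Xray port (10000) must be bound to loopback only, otherwise they answer directly on the VPS's public IP and bypass both Cloudflare and Tor. The function name `exposed_backends` and the sample `ss` output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ss -Hltn` output (not captured from a real host).
SAMPLE='LISTEN 0 511  127.0.0.1:8080  0.0.0.0:*
LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9050  0.0.0.0:*
LISTEN 0 4096 *:10000         *:*'

# Reads `ss -Hltn` lines on stdin; $1 is a space-separated list of ports that
# must be loopback-only. Prints "port address" for each violating listener.
exposed_backends() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/^.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)   # text before the last colon
            sub(/%.*$/, "", addr)                 # drop a scope suffix such as %lo
            if (!(port in want)) next
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback are acceptable
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print port, addr
        }'
}

# Ports taken from the configuration above: 8080 (Tor -> Nginx), 10000 (Xray).
printf '%s\n' "$SAMPLE" | exposed_backends "8080 10000"
# On a live host: ss -Hltn | exposed_backends "8080 10000"
```

An empty result means both backends are loopback-only. A line such as `10000 *` means that port is listening on all interfaces and its listen address should be changed to 127.0.0.1.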
Final workflow
Clearnet user:
Enters mysuperfastsite.com.
The request goes to Cloudflare (the closest server).
Cloudflare applies DDoS protection and forwards the request to your Nginx via HTTP/3.
DPI only sees valid traffic to Cloudflare.
Speed: Maximum (CDN caching).
A user on the Darknet (or under a total blockade):
Enters your-onion-address into the Tor Browser.
The request passes through three Tor nodes and reaches your server via localhost:8080.
Availability: 100% as long as the server is up, regardless of DNS and IP blocks.
A user on VLESS (Personal VPN):
Uses a client (v2rayNG) with the address mysuperfastsite.com and the path /mysecretpath.
Nginx intercepts this path and passes it on to the Xray core.
You get a private, unblocked communication channel.
This is the embodiment of the "dual-use" philosophy: one server, one configuration, complete freedom of access method.
