Become Sovran

Hosting Over Tor Via Nginx

Quick overview of Tor and some history

One way of accessing your self-hosted services outside of your home network is via Tor. Tor is a privacy network; “Tor” stands for The Onion Router. Onion routing was developed by the DOD in the mid-’90s by mathematician Paul Syverson and computer scientists Michael G. Reed and David Goldschlag, then released under a free license in 2004. Around this point, the EFF took over the project, funding Roger Dingledine and Nick Mathewson to continue it.

Tor enables users to surf the internet, chat, and send files anonymously by encrypting their data in layers, hence the “onion” name. The first relay you enter, known as the “guard relay”, peels off the first layer of encryption, then passes the data to the next relay. The guard relay is the only relay that knows your IP address. It knows nothing else about you, not even the site you are trying to visit. All it can do is pass you to the next relay.

The next relays in the chain do not have your IP address, nor do they know what site you are visiting. All they do is peel off a layer of encryption and pass you to the next relay. The last relay your data reaches is called the “exit node”. It removes the last layer of encryption and passes the web request on to your final destination. The website you request will only see the IP address of the exit node, and the website’s response is passed back to you via the same method.

A few notes

If you are using the Tor browser, it is generally not recommended to change too much on the browser, like installing new plugins. Changes to the browser give you a unique fingerprint that might lead to deanonymization. Luckily, a large number of self-hosted services have a web-accessible UI, so you won’t need to install a browser plugin.

On Android and iOS there is an app called Orbot that allows you to route app traffic through the Tor network, allowing you to access your services. There is the Tor browser on iOS, but due to the requirement of “WebKit” by Apple, it severely downgrades the security of your connection, making it not the best option.

Installing Tor

I’m only going to cover Nginx, as this is what I know best. This guide will be for Debian-based Linux distributions like Ubuntu and Mint. It is also recommended that you install a new, separate web server for your onion service.


If you haven’t already installed Nginx, do so now:

sudo apt install nginx -y

By default, the web server runs on port 80. Test the install by going to “insert-your-ip:80”. If you got no errors during install, you should see a page saying “Welcome to Nginx”; you can now move on to configuration.

The next step is editing Tor’s configuration file, known as the “torrc” file. Depending on your flavor of Linux, the default file path may change, but in Debian-based Linux, this should open the file:

sudo nano /etc/tor/torrc

Scroll down to around line 70 and you’ll see two lines like so:

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80

Uncomment these lines and edit as needed.

The “HiddenServiceDir” line specifies the directory which should contain information and cryptographic keys for your Tor site. You will want to change this to a directory that is readable/writable by the user that will run Tor.

The “HiddenServicePort” line specifies a virtual port (that is, the port that people visiting your Onion Service will be using). If your web server is on a different IP or port, then use those values instead, but keep the initial 80 the same.

Save the file with CTRL + S and exit with CTRL + X. Then restart Tor with:

sudo systemctl restart tor

If Tor starts up again, move on to the next step. Otherwise, something is wrong. Check your log files for troubleshooting hints. Typically, there are typos in the torrc or wrong directory permissions. At this point, restarting Tor generates your HiddenServiceDir in the directory specified. Assuming you installed it in the default directory, you can now see your new address by entering this command:

sudo cat /var/lib/tor/hidden_service/hostname

The hostname file in your Onion Service configuration directory contains the hostname for your new onion v3 service. The other files are your Onion Service keys, so it is imperative that these are kept private. If your keys leak, other people can impersonate your Onion Service, rendering it compromised, useless, and dangerous to visit.
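Wrong permissions on the HiddenServiceDir are one of the typical problems mentioned above, and loose ones put the keys at risk. The following check is an added example, not part of the original guide; `audit_onion_dir` and `build_sample_dir` are hypothetical names, and the sample directory holds placeholder files, not real keys.

```python
import os
import stat
import tempfile

def audit_onion_dir(path, expected_uid=None):
    """Return findings for an onion service directory; an empty list means no issues."""
    findings = []
    info = os.stat(path)
    dir_mode = stat.S_IMODE(info.st_mode)
    if dir_mode & 0o077:
        findings.append(f"{path}: mode {dir_mode:04o} is open to group/other, expected 0700")
    if expected_uid is not None and info.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {info.st_uid}, expected {expected_uid}")
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        entry = os.lstat(full)
        if stat.S_ISLNK(entry.st_mode):
            findings.append(f"{full}: is a symlink, expected a regular file")
            continue
        mode = stat.S_IMODE(entry.st_mode)
        # Everything except `hostname` is treated as key material.
        if name != "hostname" and mode & 0o077:
            findings.append(f"{full}: mode {mode:04o} lets group/other reach key material")
    return findings

def build_sample_dir(root):
    """Create a constructed directory with placeholder files (no real keys)."""
    path = os.path.join(root, "hidden_service")
    os.mkdir(path)
    os.chmod(path, 0o700)
    for name in ("hostname", "private_key"):
        full = os.path.join(path, name)
        with open(full, "w") as handle:
            handle.write("constructed placeholder\n")
        os.chmod(full, 0o600)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        sample = build_sample_dir(root)
        os.chmod(os.path.join(sample, "private_key"), 0o644)  # simulate a loosened key file
        for finding in audit_onion_dir(sample):
            print(finding)
```

To audit a real HiddenServiceDir, run the function as root, since ordinary users cannot read that directory.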

Web server Configuration

If your web server just serves all connections on port 80, you’re already done. You should be able to access your website using the .onion address shown in your HiddenServiceDir. If, however, you use something like Nginx virtual hosts, then you have a little more work to do.

You’ll need to edit the config file for your site (/etc/nginx/sites-available/your site name here) to add the new hostname to the server block:

server {
    listen 80;
    server_name your-onion-address.onion;  # placeholder: use the contents of your hostname file
    index index.html;
    root /var/www/;
}

Running more than one service on Nginx

If you want to forward multiple virtual ports for a single Onion Service, just add more HiddenServicePort lines. If you want to run multiple Onion Services from the same Tor client, just add another HiddenServiceDir line. All the following HiddenServicePort lines refer to this HiddenServiceDir line until you add another HiddenServiceDir line. It will end up looking something like this:

HiddenServiceDir /var/lib/tor/onion_service/ 

HiddenServicePort 80 

HiddenServiceDir /var/lib/tor/other_onion_service/ 

HiddenServicePort 6667
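The grouping rule above (each HiddenServicePort belongs to the most recent HiddenServiceDir) is easy to lose track of as a torrc grows. This added example, not part of the original guide, parses a constructed torrc fragment, fills in Tor's default target for a bare virtual port, and lists backends that are not on the Tor host itself; the function names and the sample targets are hypothetical.

```python
import ipaddress

# Constructed torrc fragment (not taken from a real host).
SAMPLE_TORRC = """\
# first onion service: two virtual ports
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 unix:/var/run/tor-my-website.sock
HiddenServicePort 8080
HiddenServiceDir /var/lib/tor/other_onion_service/
HiddenServicePort 6667 192.168.1.50:6667
"""

def parse_onion_services(torrc_text):
    """Map each HiddenServiceDir to its [(virtual_port, target), ...] list."""
    services, current = {}, None
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()  # drop comments, then tokenize
        if not parts:
            continue
        option = parts[0].lower()  # option names are compared case-insensitively
        if option == "hiddenservicedir":
            current = parts[1]
            services[current] = []
        elif option == "hiddenserviceport":
            if current is None:
                raise ValueError(f"line {lineno}: HiddenServicePort before any HiddenServiceDir")
            virt = int(parts[1])
            # With no target given, Tor forwards to the same port on 127.0.0.1.
            target = parts[2] if len(parts) > 2 else f"127.0.0.1:{virt}"
            services[current].append((virt, target))
    return services

def off_host_targets(services):
    """Return (dir, virtual_port, target) for backends reached over the network."""
    flagged = []
    for directory, ports in services.items():
        for virt, target in ports:
            if target.startswith("unix:") or target.isdigit():
                continue  # Unix socket, or a bare port on 127.0.0.1
            host = target.rsplit(":", 1)[0].strip("[]")  # handles addr:port forms
            try:
                local = ipaddress.ip_address(host).is_loopback
            except ValueError:
                local = False
            if not local:
                # Traffic from Tor to this backend crosses the network in the clear.
                flagged.append((directory, virt, target))
    return flagged
```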

If you’re running multiple onion sites on the same web server, remember to edit your web server virtual host file and add the onion address for each website. For example, in Nginx and using Tor with Unix sockets, the configuration would look like this:

server {
    listen unix:/var/run/tor-my-website.sock;
    server_name .onion;
    access_log /var/log/nginx/my-website.log;
    index index.html;
    root /path/to/htdocs;
}
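A `listen 80;` line binds every network interface, so the same site also answers on the machine's ordinary IP address, while a Unix socket or loopback address is reachable only from the host itself. The check below is an added example, not from the original guide; `exposed_listens` is a hypothetical helper and the configuration it scans is constructed.

```python
import re

# Constructed nginx configuration mixing both styles of server block.
SAMPLE_CONF = """\
server {
    listen 80;
    server_name placeholder-one.onion;
    root /var/www/;
}
server {
    listen unix:/var/run/tor-my-website.sock;
    server_name placeholder-two.onion;
    root /path/to/htdocs;
}
server {
    listen 127.0.0.1:8080;
    listen [::]:8080;  # wildcard IPv6
}
"""

# Listen values that only accept connections from the local machine.
LOCAL_PREFIXES = ("unix:", "127.", "localhost", "[::1]")
LISTEN_RE = re.compile(r"(?:^|[;{])\s*listen\s+([^\s;]+)")

def exposed_listens(conf_text):
    """Return (line_number, value) for `listen` directives reachable from other hosts."""
    exposed = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        line = line.split("#", 1)[0]  # ignore comments
        for match in LISTEN_RE.finditer(line):
            value = match.group(1)
            # A bare port ("80") or a wildcard address binds every interface.
            if not value.startswith(LOCAL_PREFIXES):
                exposed.append((lineno, value))
    return exposed

if __name__ == "__main__":
    for lineno, value in exposed_listens(SAMPLE_CONF):
        print(f"line {lineno}: listen {value} is reachable outside Tor")
```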

Tor site security

This is a complex topic and I’m not an expert on Tor. Here are some links from the official Tor site that will help you dive deeper into safely running your site. One thing I will say is that if you plan on running your site for a long time, it’s a good idea to back up your “private_key” file somewhere safe.

Opsec :

general best practices :

Onion scan helps with site opsec :

A custom domain

OK, on to something I find super fun: making your own custom address. If you have any experience making a vanity Bitcoin address, you’ll find that this is pretty much the same. All it really takes is time. How much time depends on the computing power at your disposal. For a normal .onion address it goes something like this:

  1. Generate a 1024-bit RSA key pair
  2. Take the SHA-1 of the public key
  3. Base32 encode the first 80 bytes of the hash…

… and you have your .onion address.
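Steps 2 and 3 and the search around them, as an added example that is not part of the original guide or of any vanity generator's code. A SHA-1 digest is 20 bytes long, so the block encodes its first 10 bytes (80 bits), which gives the 16-character label; random bytes stand in for real DER-encoded RSA public keys (an assumption, since step 1 needs a crypto library), and all function names are hypothetical.

```python
import base64
import hashlib
import random
import re

def v2_label(public_key_der):
    """Steps 2 and 3: SHA-1 the key bytes, then Base32 the first 10 digest bytes."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def expected_attempts(prefix_len):
    """Average keys to try for a fixed prefix: 32 possible characters per position."""
    return 32 ** prefix_len

def vanity_search(pattern, seed, max_attempts=200_000):
    """Try candidates until a label matches `pattern`; return (label, attempts)."""
    regex = re.compile(pattern)
    rng = random.Random(seed)  # seeded only so the demonstration is repeatable
    for attempt in range(1, max_attempts + 1):
        # ASSUMPTION: 140 random bytes stand in for a DER-encoded RSA public key.
        # A real generator creates a fresh key pair here and keeps the private half.
        candidate = rng.getrandbits(1120).to_bytes(140, "big")
        label = v2_label(candidate)
        if regex.search(label):
            return label, attempt
    return None, max_attempts

if __name__ == "__main__":
    label, attempts = vanity_search(r"^te|am$", seed=1)
    print(f"{label}.onion after {attempts} attempts")
    for length in (2, 4, 6, 8):
        print(f"{length}-character prefix: about {expected_attempts(length):,} keys")
```

Tor has since retired this RSA-based (v2) format; v3 addresses, like the one in the hostname file above, are 56 characters long and derived from an ed25519 key.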

There are a few programs out there designed to help you generate a ton of hashes, namely Eschalot.

First install Eschalot and its dependencies:

sudo apt install build-essential libssl-dev 

git clone 

cd eschalot 


After all that, it should be installed and we can move on to making your custom address. Eschalot has a few different search modes; I found using regular expressions or the single prefix mode to work best. An example usage would look like this:

./eschalot -vct4 -r "^test|exam$" >> results.txt

I’ll break it down. ./eschalot calls the app. The -vct4 flag is a mashup of three flags: “v” for verbose mode; “c” for continuous mode, which keeps searching for more than one string containing your desired word; and “t4”, which specifies how many cores of your CPU to use. This also affects the speed at which these strings are found. The “lscpu” command can help you find how many cores you have available to use. If you want to keep your computer usable, I’d suggest you limit your use to about half the cores you have available or less. -r "^test|exam$" lets the app know you are using regular expressions to look for strings that start with “test” or end with “exam”, and “>> results.txt” sends your results to a text file in that folder. Here is the GitHub for further explanation and usage:

Installing the Key

After it’s done, you’ll need to install the key. This is assuming you have already installed and configured your hidden site. Find your private key in /var/lib/tor/your_hidden_service. The file we want is the “private_key” file. Copy and paste -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- and everything in between them into this file. Save with CTRL + S and exit with CTRL + X.

Restart Tor with:

sudo systemctl restart tor

And you should be able to visit the site at the custom address now!

In conclusion

I hope this helps you on your self-hosting and privacy journey. Learning about hosting Tor was fun for me and I’m stoked to see what kind of custom address I can come up with. As with everything, keep in mind that Tor is not bulletproof but can help immensely with privacy in our current system. Stay safe out there and, as always, feel free to reach out if something doesn’t work. Until next time.