3 minute read

Static Onion

Required expertise level : Advanced

Platform : Linux / Ubuntu - Debian

Last tested and confirmed : March 2022

This guide will walk you through the process of creating Onion Service for you static website.

Note

This guide focuses on creating a simple Onion service mainly in the context of censorship circumvention, if you are more concerned with the anonymity Tor provides in Onion services you should not depend on this guide alone, reading and understanding Tor project documentations will best practice in that case, as a ensuring full anonymity is an advanced and very details oriented process.

Install Nginx webserver

Run the following commands in your terminal in their respective order

sudo apt install software-properties-common
sudo add-apt-repository ppa:nginx/stable
sudo apt update && sudo apt install nginx -y

Confirm your installation by entering nginx -v, the output should look similar to this

Install Tor client

Note

If Tor Project Website and Tor communications are blocked in your country, probably the official software repositories are also blocked, in which case you should skip adding them and install Tor directly from your distribution’s repositories.

Add in the following lines in /etc/apt/sources.list

deb https://deb.torproject.org/torproject.org stretch main
deb-src https://deb.torproject.org/torproject.org stretch main

Run the following commands in your terminal in their respective order

curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
sudo apt update && apt install tor deb.torproject.org-keyring
sudo apt update && sudo apt install tor

Run the following commands to start Tor daemon

sudo systemctl start tor
sudo systemctl enable tor

Confirm Tor is running without issues

sudo systemctl status tor
tor --version

Configure Tor client

Open Tor config file at /etc/tor/torrc with your favorite editor

vim /etc/tor/torrc

Uncomment the following lines by removing the #, and optionally, replace the directory name in /var/lib/tor/hidden_service/ with different name, specially if you are planning on hosting multiple Onion Services on the same server. i.e. /var/lib/tor/myfirstonion/

Before:

 72 #HiddenServiceDir /var/lib/tor/hidden_service/
 73 #HiddenServicePort 80 127.0.0.1:80

After:

HiddenServiceDir /var/lib/tor/myfirstonion/
HiddenServicePort 80 127.0.0.1:80

Restart Tor service

sudo systemctl restart tor

Confirm your Onion Service related files were generated at /var/lib/tor/myfirstonion/

cd /var/lib/tor/myfirstonion/ && ls

You should find two files generated at this directory

1- hostname contains your Onion Service address

2- private_key Private key used for encryption. Don’t edit or share this file under any circumstances

Configure Nginx Webserver

It’s very important to read Nginx documentations and follow the best practices when configuring your Onion Service

But essentially, you can get your Onion Service up & running by adding this simple config file to your /etc/nginx/sites-enabled

server {
    listen 127.0.0.1:80;
    server_name [onion-address]; #replace with your generated onion address, you can get that by executing : `cat /var/lib/[yourservicename]/hostname`
    root /var/www/html/mystaticmirror; #replace with your mirror's files directory, and make sure the webserver user has access permissions to it.
    client_max_body_size 99M;
    port_in_redirect off;
    charset utf-8;
    index index.html;
location / {
    autoindex off;
}
}

Testing your setup

Make sure Both Nginx and Tor client are restarted and running succesfully, then head to your Tor Browser and test your new Onion address.

[Optional] - announcing your new mirror for Tor browser users

Onion-Location is a new feature implemented in Tor Browser.

It essentially allows you to announce your Onion mirror for Tor Browser users when they access your original website, through adding an HTTP Header using your webserver, or adding specific HTML <meta> to your index.html page.

HTTP Header

Apache

<VirtualHost *:443>
       ServerName <your-website.tld>
       DocumentRoot /path/to/htdocs

       Header set Onion-Location "http://your-onion-address.onion%{REQUEST_URI}s"

       SSLEngine on
       SSLCertificateFile "/path/to/www.example.com.cert"
       SSLCertificateKeyFile "/path/to/www.example.com.key"
     </VirtualHost>

Nginx

add_header Onion-Location http://<your-onion-address>.onion$request_uri;

HTML <meta>

<meta http-equiv="onion-location" content="http://<your-onion-service-address>.onion" />

When everything is well configured and working, visitors of your original Clearnet website using Tor browser, should be notified about the availability of the Onion mirror and it’s address.