nihilist@mainpc - 2024-02-01

Tor Website Setup

In this tutorial we'll setup a TOR website, which can be accessed via a .onion link. We'll set it up using nginx and Tor.

TODO: setups where 1) isp doesnt allow tor traffic 2) isp doesnt allow tor, nor vpns

Initial Setup

First compute your tor domain:

[ Datura-Network ] [ /dev/pts/11 ] [/srv]
→ apt install gcc libc6-dev libsodium-dev make autoconf tor

[ Datura-Network ] [ /dev/pts/11 ] [/srv]
→ git clone
Cloning into 'mkp224o'...
remote: Enumerating objects: 1571, done.
remote: Counting objects: 100% (402/402), done.
remote: Compressing objects: 100% (83/83), done.
remote: Total 1571 (delta 341), reused 350 (delta 317), pack-reused 1169
Receiving objects: 100% (1571/1571), 1.89 MiB | 6.32 MiB/s, done.
Resolving deltas: 100% (982/982), done.

[ Datura-Network ] [ /dev/pts/11 ] [/srv]
→ cd mkp224o

[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
→ ls     base64_to.c  ioutil.h          test_base64.c            worker.h
base16_from.c  calcest.c     filters.h             keccak.c          test_ed25519.c 
base16.h       common.h     keccak.h          testutil.h               yaml.c
base16_to.c    likely.h          types.h                  yaml.h
base32_from.c  contrib  main.c            vec.c
base32.h       COPYING.txt        OPTIMISATION.txt  vec.h
base32_to.c    cpucount.c    hex.h       
base64_from.c  cpucount.h    ifilter_bitsum.h      test_base16.c
base64.h       ed25519       ioutil.c              test_base32.c     worker.c

[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
→ ./

[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
→ ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether gcc accepts -g... yes
checking for gcc option to enable C11 features... none needed
checking whether CC supports -march=native... yes
checking whether CC supports -fomit-frame-pointer... yes
checking whether CC supports -fPIE... yes
checking whether CC supports -std=c99... yes
checking whether CC supports -Wall... yes
checking whether CC supports -Wextra... yes
checking whether CC supports -Wno-maybe-uninitialized... yes
checking whether CC supports and needs -Wno-format -Wno-pedantic-ms-format... no
checking whether CC supports -Wno-unused-function... yes
checking whether CC supports -Wmissing-prototypes... yes
checking whether CC supports -Wstrict-prototypes... yes
checking whether ARGON2ID13 is supported by libsodium... yes
configure: creating ./config.status
config.status: creating GNUmakefile

[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
→ make

Now i want my tor domain to contain the "datura" characters so i do the following:

[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
→ ./mkp224o datura
sorting filters... done.
in total, 1 filter
using 12 threads

[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
→ ls -lash
total 16K
4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 .
4.0K drwx--S--- 8 debian-tor debian-tor 4.0K Feb  1 15:08 ..
4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12  2023 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
4.0K drwx------ 3 debian-tor debian-tor 4.0K Jan 27 15:48 nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion

[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
→ ls -lash daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
total 24K
4.0K drwx------ 3 debian-tor debian-tor 4.0K Jul 12  2023 .
4.0K drwx------ 4 debian-tor debian-tor 4.0K Jan 27 15:33 ..
4.0K drwx------ 2 debian-tor debian-tor 4.0K Jul 12  2023 authorized_clients
4.0K -r-------- 1 debian-tor debian-tor   63 Jul 12  2023 hostname
4.0K -r-------- 1 debian-tor debian-tor   64 Jul 12  2023 hs_ed25519_public_key
4.0K -r-------- 1 debian-tor debian-tor   96 Jul 12  2023 hs_ed25519_secret_key

[ Datura-Network ] [ /dev/pts/11 ] [/srv/mkp224o]
→ cat /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
HiddenServicePort 80  # for web service HTTP (recommended!)
HiddenServicePort 443 # for web service HTTPS (but not recommended!)

HiddenServicePort 18080 # for monero nodes
HiddenServicePort 18081 # for monero nodes

# to have another hidden service, you can append it afterward like so; but you need to use different ports:

HiddenServiceDir /var/lib/tor/onions/nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion/
HiddenServicePort 80

Make sure that the file permissions are correct in the /var/lib/tor/onions/datura...onion/ directory:

[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
→ chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion

[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
→ chmod 400 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/*

[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
→ chmod 700 daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/authorized_clients -R

[ Datura-Network ] [ /dev/pts/11 ] [lib/tor/onions]
→ chown debian-tor: /var/lib/tor/onions -R

Now let's set it up on our webserver:

[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
→ cat /etc/nginx/sites-available/
server {
        listen 80;
        listen [::]:80;
        return 301 https://$server_name$request_uri;

server {
        ######## TOR CHANGES ########
                listen 4443;
                listen [::]:4443;
                server_name daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
                add_header Onion-Location "http://daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
        ######## TOR CHANGES ########

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/acme/certs/;
        ssl_trusted_certificate /etc/acme/certs/;
        ssl_certificate_key /etc/acme/certs/;

        root /srv/;

[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
→ cat /etc/nginx/sites-available/
server {
        listen 80;
        listen [::]:80;
        return 301 https://$server_name$request_uri;

server {
        ######## TOR CHANGES ########
        listen 4445;
        listen [::]:4445;
        server_name nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion;
        add_header Onion-Location "http://nihilhfjmj55gfbleupwl2ub7lvbhq4kkoioatiopahfqwkcnglsawyd.onion$request_uri" always;
        ######## TOR CHANGES ########

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        root /srv/;

        ssl_certificate /etc/acme/certs/;
        ssl_trusted_certificate /etc/acme/certs/;
        ssl_certificate_key /etc/acme/certs/;

[ Datura Network ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion]
→ nginx -t
2023/07/12 21:46:16 [emerg] 113983#113983: could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: configuration file /etc/nginx/nginx.conf test failed

#if it gives you this error do the following:

[ Datura Network ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion]
→ vim /etc/nginx/nginx.conf

[ Datura Network ] [ /dev/pts/0 ] [tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion]
→ cat /etc/nginx/nginx.conf |grep 128
        server_names_hash_bucket_size 128;

[ ] [ /dev/pts/12 ] [/var/lib/tor]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[ ] [ /dev/pts/12 ] [/var/lib/tor]
→ nginx -s reload

[ ] [ /dev/pts/8 ] [~debian-tor]
→ sudo -u debian-tor tor
Jan 23 16:57:19.270 [notice] Tor running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.1d, Zlib 1.2.11, Liblzma 5.2.4, and Libzstd 1.3.8.
Jan 23 16:57:19.270 [notice] Tor can't help you if you use it wrong! Learn how to be safe at
Jan 23 16:57:19.270 [notice] Read configuration file "/etc/tor/torrc".
Jan 23 16:57:19.278 [notice] Opening Socks listener on
Jan 23 16:57:19.278 [notice] Opened Socks listener on
Jan 23 16:57:19.000 [notice] Parsing GEOIP IPv4 file /usr/share/tor/geoip.
Jan 23 16:57:19.000 [notice] Parsing GEOIP IPv6 file /usr/share/tor/geoip6.
Jan 23 16:57:19.000 [warn] You are running Tor as root. You don't need to, and you probably shouldn't.
Jan 23 16:57:19.000 [notice] Bootstrapped 0%: Starting
Jan 23 16:57:20.000 [notice] Starting with guard context "default"
Jan 23 16:57:20.000 [notice] Bootstrapped 10%: Finishing handshake with directory server
Jan 23 16:57:20.000 [notice] Bootstrapped 80%: Connecting to the Tor network
Jan 23 16:57:20.000 [notice] Bootstrapped 90%: Establishing a Tor circuit
Jan 23 16:57:21.000 [notice] Bootstrapped 100%: Done

From there we can check if our tor website is up:

It works! Now let's use systemctl to start tor instead:

[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
→ systemctl restart tor@default

[ Datura-Network ] [ /dev/pts/11 ] [~debian-tor/onions]
→ systemctl status tor@default
● tor@default.service - Anonymizing overlay network for TCP
     Loaded: loaded (/lib/systemd/system/tor@default.service; enabled-runtime; preset: enabled)
     Active: active (running) since Thu 2024-02-01 15:24:07 CET; 18min ago
    Process: 3027334 ExecStartPre=/usr/bin/install -Z -m 02755 -o debian-tor -g debian-tor -d /run/tor (code=exited, status=0/SUCCESS)
    Process: 3027335 ExecStartPre=/usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0 --verify-config (code=exited, status=0/SUCCESS)
   Main PID: 3027336 (tor)
      Tasks: 30 (limit: 77000)
     Memory: 636.4M
        CPU: 49.885s
     CGroup: /system.slice/system-tor.slice/tor@default.service
             ├─3027336 /usr/bin/tor --defaults-torrc /usr/share/tor/tor-service-defaults-torrc -f /etc/tor/torrc --RunAsDaemon 0
             └─3027337 /usr/bin/obfs4proxy

Feb 01 15:24:26 Datura-Network Tor[3027336]: Your network connection speed appears to have changed. Resetting timeout to 60000ms after 18 timeouts and 1000 buildtimes.
Feb 01 15:25:09 Datura-Network Tor[3027336]: Performing bandwidth self-test...done.

Now we can do the same for a subdomain:

[ Datura-Network ] [ /dev/pts/11 ] [/etc/nginx/sites-available]
→ cat
server {
        listen 443 ssl;

        ssl_certificate /etc/acme/certs/;
    ssl_certificate_key /etc/acme/certs/;

    ######## TOR CHANGES ########
    listen 4443;
    listen [::]:4443;
    server_name cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion;
    add_header Onion-Location "http://cringe.daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion$request_uri" always;
    ######## TOR CHANGES ########


	location / {
                proxy_pass http://localhost:8083;

        location = /robots.txt {
                add_header Content-Type text/plain;
                return 200 "User-agent: *\nDisallow: /\n";

[ Datura-Network ] [ /dev/pts/11 ] [/etc/nginx/sites-available]
→ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[ Datura-Network ] [ /dev/pts/11 ] [/etc/nginx/sites-available]
→ nginx -s reload
2024/02/01 15:45:18 [notice] 3045373#3045373: signal process started


