Multi-Tenant Tor Hidden Service Architecture: Hosting Multiple .onion Sites

Running multiple Tor hidden services on a single server requires careful isolation to prevent cross-tenant information leakage and ensure resource fairness. Whether building a managed .onion hosting service, hosting multiple services for a single organization, or running a complex application with multiple independent .onion frontends, multi-tenant architecture must address: network isolation between tenants, per-tenant .onion key management, resource limits preventing a noisy-neighbor problem, and monitoring without crossing tenant privacy boundaries. Docker containers with separate network namespaces provide strong isolation, while Tor's ability to create multiple HiddenServiceDir entries allows running arbitrarily many hidden services from a single Tor instance. This guide covers the complete architecture from container isolation through Tor configuration and resource governance.

Docker Network Isolation for Multi-Tenant .onion Hosting

Each tenant's application should run in its own Docker network namespace, preventing direct network communication between tenants at the container level. Create per-tenant Docker networks with no cross-network routing:

    docker network create tenant1-net
    docker network create tenant2-net

The Tor container (or host Tor instance) connects to each tenant network through a dedicated interface. Configure Tor's HiddenServiceDir per tenant:

    HiddenServiceDir /var/lib/tor/tenant1/
    HiddenServicePort 80 127.0.0.1:8001
    HiddenServiceDir /var/lib/tor/tenant2/
    HiddenServicePort 80 127.0.0.1:8002

The port numbers (8001, 8002) correspond to each tenant's application container's published port on the host's 127.0.0.1 interface. This architecture means all tenants share a single Tor daemon while maintaining application-level isolation.
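A check for the torrc layout described above, added here as an example and not part of the original guide: it flags two HiddenServiceDir entries that forward to the same backend and targets that are not on loopback. The function names, finding labels and the tenant3/tenant4 entries in the sample are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: tenant3 reuses tenant1's backend, tenant4 is not on loopback.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/tenant1/
HiddenServicePort 80 127.0.0.1:8001
HiddenServiceDir /var/lib/tor/tenant2/
HiddenServicePort 80 127.0.0.1:8002
HiddenServiceDir /var/lib/tor/tenant3/
HiddenServicePort 80 8001
HiddenServiceDir /var/lib/tor/tenant4/
HiddenServicePort 80 10.0.0.5:8004
"""

def parse_target(virt_port, target):   # normalise to (host, port)
    if target is None:                 # no target: Tor uses 127.0.0.1:VIRTPORT
        return ("127.0.0.1", virt_port)
    if target.startswith("unix:"):     # unix socket target, local by nature
        return (target, None)
    if ":" not in target:              # bare port means 127.0.0.1:port
        return ("127.0.0.1", target)
    host, port = target.rsplit(":", 1)
    return (host.strip("[]"), port)

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                 # not an IP literal: treat as not loopback
        return False

def audit_torrc(text):
    findings, owners, current = [], defaultdict(set), None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key = parts[0].lower()
        if key == "hiddenservicedir":
            current = parts[1].rstrip("/")
        elif key == "hiddenserviceport":
            if current is None:
                findings.append(("port-without-dir", raw.strip()))
                continue
            host, port = parse_target(parts[1], parts[2] if len(parts) > 2 else None)
            owners[(host, port)].add(current)
            if port is not None and not is_loopback(host):
                findings.append(("non-loopback-target", current))
    # Two HiddenServiceDirs forwarding to one backend means two tenants share an app.
    findings += [("shared-backend", tuple(sorted(d))) for d in owners.values() if len(d) > 1]
    return findings
```

Running `audit_torrc` on the rendered torrc before each Tor reload catches a provisioning mistake that hands a new tenant an already-assigned port.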

Per-Tenant .onion Key Management

Each tenant's .onion address is derived from the Ed25519 key pair stored in their HiddenServiceDir. These key files must be protected with strong file permissions: chmod 700 /var/lib/tor/tenant1/ and chown -R debian-tor:debian-tor /var/lib/tor/tenant1/. Automate key backup as part of the provisioning workflow - when a new tenant is created and their HiddenServiceDir is first populated by Tor, immediately copy the key files to encrypted backup storage. Implement a key escrow policy if you are operating a managed service: encrypted backups under dual control (two-person authorization to access). If a tenant requests their .onion address migrated to a different server, the key files can be moved, preserving their .onion address. Document key handling procedures and audit key access quarterly.
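The permission and ownership rules above can be verified continuously. The following is an added example, not code from the original guide; it assumes every subdirectory of the given root is a tenant HiddenServiceDir, and the function name and finding labels are hypothetical. Run it as root or as the Tor user so the 0700 directories can be inspected.

```python
import os
import stat

SECRET_KEY = "hs_ed25519_secret_key"  # v3 onion service private key written by Tor

def audit_hidden_service_dirs(root, expected_uid):
    """Return (tenant, finding) tuples for per-tenant directories under root."""
    findings = []
    for tenant in sorted(os.listdir(root)):
        path = os.path.join(root, tenant)
        st = os.lstat(path)                    # lstat: do not follow symlinks
        if not stat.S_ISDIR(st.st_mode):
            continue
        if st.st_mode & 0o077:                 # any group/other bit breaks chmod 700
            findings.append((tenant, "dir-open-to-group-or-other"))
        if st.st_uid != expected_uid:
            findings.append((tenant, "dir-wrong-owner"))
        key = os.path.join(path, SECRET_KEY)
        try:
            kst = os.lstat(key)
        except FileNotFoundError:              # Tor has not populated the directory yet
            findings.append((tenant, "no-secret-key"))
            continue
        if not stat.S_ISREG(kst.st_mode):      # a symlinked key may live outside the tenant dir
            findings.append((tenant, "key-not-regular-file"))
        elif kst.st_mode & 0o077:
            findings.append((tenant, "key-open-to-group-or-other"))
        if kst.st_uid != expected_uid:
            findings.append((tenant, "key-wrong-owner"))
    return findings
```

On the layout used in this guide, the call would be `audit_hidden_service_dirs("/var/lib/tor", pwd.getpwnam("debian-tor").pw_uid)`.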

Resource Limits and Noisy-Neighbor Prevention

Without resource limits, one tenant running a high-traffic service can exhaust CPU, RAM, or bandwidth for all other tenants. Apply Docker resource constraints per tenant container: --cpus='1.0' (CPU quota), --memory='512m' (RAM limit), --memory-swap='512m' (prevent swap abuse). For bandwidth limiting, use Linux Traffic Control (tc) at the host level, adding the root qdisc and a class for each tenant:

    tc qdisc add dev eth0 root handle 1: htb
    tc class add dev eth0 parent 1: classid 1:10 htb rate 100mbit ceil 200mbit

Apply tc filters to classify traffic by the tenant's source port range. Monitor resource usage per tenant: docker stats provides per-container CPU and memory in real time. Alert when any tenant approaches its resource ceiling consistently - proactive capacity management prevents the noisy-neighbor problem before it impacts others.
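Limits only help if every tenant container actually carries them. This added example (not from the original guide) audits `docker inspect` output for the CPU, memory and swap settings above, and for ports published beyond 127.0.0.1 as required by the network layout earlier in the guide. The container names and the sample JSON are constructed, and the function name is hypothetical.

```python
import json

# Constructed `docker inspect` output, trimmed to the HostConfig fields checked below.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/tenant1-app", "HostConfig": {
        "NanoCpus": 1000000000, "Memory": 536870912, "MemorySwap": 536870912,
        "PortBindings": {"80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8001"}]}}},
    {"Name": "/tenant2-app", "HostConfig": {
        "NanoCpus": 0, "Memory": 536870912, "MemorySwap": -1,
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8002"}]}}},
])

def audit_containers(inspect_json):
    """Return (container, finding) tuples for missing limits or exposed ports."""
    findings = []
    for c in json.loads(inspect_json):
        name, hc = c["Name"].lstrip("/"), c.get("HostConfig", {})
        mem, swap = hc.get("Memory", 0), hc.get("MemorySwap", 0)
        # --cpus is stored as NanoCpus; CpuQuota covers containers limited the older way.
        if not hc.get("NanoCpus") and not hc.get("CpuQuota"):
            findings.append((name, "no-cpu-limit"))
        if not mem:
            findings.append((name, "no-memory-limit"))
        elif swap != mem:                      # swap is only ruled out when MemorySwap == Memory
            findings.append((name, "swap-allowed"))
        for binds in (hc.get("PortBindings") or {}).values():
            for b in binds or []:
                # An empty HostIp or 0.0.0.0 publishes the port on every host interface.
                if b.get("HostIp") not in ("127.0.0.1", "::1"):
                    findings.append((name, f"published-beyond-loopback:{b.get('HostPort')}"))
    return findings
```

Feed it the output of `docker inspect` for all tenant containers; a port published beyond loopback makes the tenant's application reachable without going through Tor.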

Tor Configuration for Many Hidden Services

A single Tor daemon can host hundreds of hidden services. Performance considerations when hosting many services: Tor's startup time increases with the number of HiddenServiceDirs. Each hidden service requires introduction circuit maintenance. For large deployments (100+ services), consider running multiple Tor daemon instances, each managing a subset of services, to parallelize introduction circuit maintenance. Configure MaxCircuitDirtiness 600 (seconds) for services that don't need frequent circuit rotation. Use NumEntryGuards 3 for the shared Tor daemon - this applies to all hosted services. Tor's bandwidth allocation is shared across all circuits from a single daemon. For high-traffic services, dedicate a separate Tor instance to avoid impacting other tenants. Monitor Tor's log at notice level for circuit build failures that may indicate introduction point issues for specific services.

Monitoring and Alerting Without Crossing Privacy Boundaries

Monitoring multi-tenant .onion infrastructure requires accessing resource metrics without accessing tenant content. Implement monitoring at the infrastructure layer: container resource metrics (CPU/memory) via cAdvisor to Prometheus, Tor daemon metrics via Tor's ControlPort with authentication, and network throughput per tenant using tc statistics. Do not log application-level requests from tenant services - this would create records of tenant user activity. Alert on: container crash (systemd restart counter exceeds threshold), Tor circuit failures (parse from Tor logs without request content), resource limit approach (container at >80% CPU for 5 minutes). Present tenants with their own resource dashboard showing their container's metrics without exposing other tenants' data. Establish a clear data boundary: everything above the Docker container is tenant-private, everything below is infrastructure-level.
