Tor Hidden Service Hosting in Spain - .Onion Site in Western Europe

A Tor hidden service uses the .onion network to hide both the server's IP and the user's IP from each other. The server never knows the real IPs of visitors, and visitors never know the real IP of the server. This two-way anonymity is unique to Tor hidden services. But the server infrastructure itself still exists somewhere physical. Spain (Western Europe) provides the jurisdictional layer for that physical infrastructure: Exit nodes legal within EU framework. AEPD provides data protection for relay operators. Spain hosting for .onion sites: Moderate censorship with gambling blocks, Catalan independence sites blocked (2017-2019 era), copyright blocks. The combination: Tor hidden service network-layer anonymity + Spain jurisdictional protection + Anubiz Host no-KYC registration + Monero payment = maximum operational security for hidden service hosting.

Complete hidden service setup on Debian/Ubuntu VPS in Spain: ```bash # Install Tor and web server apt update && apt install tor nginx -y # Configure nginx to only listen on localhost # /etc/nginx/sites-available/default server { listen 127.0.0.1:80; root /var/www/html; index index.html; access_log off; # No logging error_log /dev/null; # No error logging } # /etc/tor/torrc - add hidden service config HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80 # Restart services systemctl restart nginx systemctl restart tor # Get your .onion address cat /var/lib/tor/hidden_service/hostname # Output: something like: abc123...xyz.onion ``` **Security hardening**: - Disable Nginx server tokens: `server_tokens off;` - Set strict CSP headers to prevent JavaScript leaks - Use SecureHeaders middleware in application framework - Configure fail2ban for brute-force protection on admin interfaces

Standard .onion addresses are random 56-character strings. Vanity addresses start with a recognizable prefix (e.g., "anubiz...onion"). They require computation to generate. **mkp224o** (recommended): GPU-acceleratable vanity address generator for v3 .onion addresses: ```bash # Install dependencies apt install gcc libsodium-dev make git -y # Clone and build git clone https://github.com/cathugger/mkp224o.git cd mkp224o && ./autogen.sh && ./configure && make # Generate vanity address (example: 6-character prefix) ./mkp224o -d keys/ -n 1 prefix # This runs until it finds a matching address # Shorter prefixes: seconds to minutes # 8 characters: hours to days # 10+ characters: months to years ``` After generation, copy the key files to your Spain VPS's HiddenServiceDir and restart Tor. **Security note**: Never share the private key file (hs_ed25519_secret_key). This key controls the .onion address. Losing it means losing the address permanently.

Common .onion site operational security failures: **Application-layer IP leaks**: A web application that includes URLs with the server's real IP (e.g., in redirects, API responses, or error messages) can expose the IP even when behind Tor. Audit all application responses for IP references. **DNS resolution from server**: If your hidden service application makes DNS requests that leak to the server's clearnet DNS, you may expose operational patterns. Use Tor-routed DNS or a local resolver. **Time-based correlation**: Tor can be deanonymized by traffic pattern analysis if an adversary controls both the entry and exit of the circuit. For high-risk operations, hosting in Spain adds a second independent layer of protection beyond network-layer Tor anonymity. **Server time leaks**: HTTP headers may include server timestamps. If the server clock is distinctive (wrong timezone, unusual precision), this can be correlated. Use UTC, disable Last-Modified headers in nginx: `expires epoch;` **Uptime correlation**: A hidden service that goes offline precisely when you disconnect from the internet can be correlated. For operational security, run services as daemons that stay online independently of your connection. Exit nodes legal within EU framework. AEPD provides data protection for relay operators.