Ticketing System as a Tor Hidden Service

Private .onion ticketing systems serve several distinct needs. Security vulnerability reporting: security researchers can submit vulnerability disclosures without exposing their identity to the organization receiving the report - protecting researchers in adversarial disclosure relationships. Internal issue tracking for sensitive projects: development teams working on projects that should not have any public trail use .onion issue trackers where even the existence of the project is not revealed by DNS or certificate transparency logs. Whistleblower intake for journalists and NGOs: organizations receiving sensitive disclosures need a system where submitters can follow up, receive status updates, and communicate with the receiving team without each communication exposing the submitter's IP. Customer support for privacy-sensitive services: services catering to users who need operational security can offer .onion-based support that does not log customer IPs.

FreeScout is a PHP/Laravel-based helpdesk system similar to HelpScout. Install with Nginx, PHP-FPM, and MySQL/PostgreSQL. Configure Nginx to listen on 127.0.0.1:80. Configure Tor: HiddenServiceDir /var/lib/tor/ticketing/ and HiddenServicePort 80 127.0.0.1:80. FreeScout supports email integration: configure an inbound email address using Postfix (mail server also running as a hidden service) for users who prefer email over web interface. FreeScout's web interface is accessible via Tor Browser at the .onion address. Agents (support staff) access the same .onion URL to view and respond to tickets. External email submissions from non-Tor users are also possible if you configure FreeScout to receive email via a clearnet mail server - the hybrid approach allows both Tor and email submission without forcing submitters to use Tor.

Zammad is a full-featured helpdesk system with real-time updates, SLA tracking, and extensive integrations. It runs on Ruby on Rails with Redis and Elasticsearch. Install Zammad from official packages: apt install zammad. The default installation listens on port 3000. Configure Nginx to proxy to Zammad on 127.0.0.1:3000, with Nginx listening on 127.0.0.1:80. Configure Tor hidden service pointing to port 80. Zammad's WebSocket real-time updates (for live ticket refresh in the agent view) work over Tor, but may have higher latency than on clearnet. Configure Zammad's email integration for ticket creation via inbound email if needed. Zammad's web interface is accessible via Tor Browser. The Elasticsearch requirement means Zammad needs 2-4GB RAM - use a larger VPS plan if deploying Zammad.

For maximum submitter anonymity, configure the ticketing system workflow: (1) disable IP logging in the web server configuration (log_not_found off; access_log off; in Nginx, or configure access_log format without IP), (2) disable IP-recording fields in the ticketing system database (most can be configured in application settings), (3) provide Tor Browser instructions prominently on the submission page (or in public-facing documentation pointing to the .onion URL), (4) configure auto-replies via email only if the submitter provides an email - do not require email for anonymous submissions, (5) for FreeScout: configure the 'guest tickets' feature to allow submission without account creation. The submitter receives a ticket number and can follow up by visiting the same .onion URL with their ticket number.

Hardening configurations specific to .onion ticketing: (1) configure Tor v3 client authorization for agent access while keeping the submission form accessible to anyone with the .onion URL - this creates different access tiers (agents need cryptographic keys, anyone can submit), (2) enable two-factor authentication for all agent accounts, (3) configure TLS certificates for the Nginx listener even on 127.0.0.1 (self-signed, for defense in depth), (4) set Content-Security-Policy headers to prevent XSS attacks (especially important if the system displays user-submitted content), (5) configure database backups exported via Tor to a remote .onion backup server, (6) audit log all agent actions for accountability within the team. Regular security updates: both FreeScout and Zammad release security patches - maintain a patch schedule.