Prerequisites
You need:
- An offshore VPS running Ubuntu 24.04 (recommended) or Debian 12. AnubizHost provisions these automatically after payment. See offshore VPS plans.
- SSH access to the VPS (root or sudo user).
- A basic understanding of Linux command line.
Step 1 - Install Tor
Ubuntu 24.04 includes Tor in the default repositories, but the Tor Project's own repository is more current:
# Add Tor Project repository ("noble" is the Ubuntu 24.04 codename; on Debian 12 use "bookworm")
apt install -y apt-transport-https
cat > /etc/apt/sources.list.d/tor.list <<EOF
deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org noble main
deb-src [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] https://deb.torproject.org/torproject.org noble main
EOF
# Import signing key
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --dearmor | tee /usr/share/keyrings/tor-archive-keyring.gpg > /dev/null
apt update
apt install -y tor deb.torproject.org-keyring
Verify Tor is running:
systemctl status tor
Step 2 - Install and Configure Nginx
Your onion service needs a web server listening on localhost. Install nginx and lock it down:
apt install -y nginx
# Remove default site
rm /etc/nginx/sites-enabled/default
Create your onion site config at /etc/nginx/sites-available/onion:
server {
    listen 127.0.0.1:80;
    server_name localhost;
    root /var/www/onion;
    index index.html;
    # Block direct access by real IP (extra safeguard)
    # Replace your-onion-address.onion with the hostname generated in Step 3
    # if ($http_host != "your-onion-address.onion") {
    #     return 444;
    # }
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Referrer-Policy no-referrer;
    # Do NOT set Onion-Location here - it would reveal your clearnet domain
    location / {
        try_files $uri $uri/ =404;
    }
}
ln -s /etc/nginx/sites-available/onion /etc/nginx/sites-enabled/
mkdir -p /var/www/onion
echo '<h1>It works</h1>' > /var/www/onion/index.html
nginx -t && systemctl reload nginx
Step 3 - Configure the Onion Service
Edit /etc/tor/torrc and add these lines:
HiddenServiceDir /var/lib/tor/onion_service/
HiddenServicePort 80 127.0.0.1:80
Restart Tor to generate your onion address:
systemctl restart tor
Your onion address is in the hostname file:
cat /var/lib/tor/onion_service/hostname
You will see something like: abc123def456ghi789.onion
Step 4 - Verify and Harden
Test access using the Tor Browser to your .onion address. You should see the nginx page.
Hardening steps:
- Firewall: Block all inbound TCP except SSH on your VPS firewall (UFW). The onion service routes through Tor - external HTTP access to port 80 should be blocked at the firewall level.
- No clearnet listeners: Nginx should only listen on 127.0.0.1, not 0.0.0.0. Verify with:
ss -tlnp | grep nginx
- Log minimization: Disable nginx access logs or route them to /dev/null for operational security. Edit the nginx config:
access_log off;
- Tor v3 only: The configuration above generates a v3 onion address (56 characters). Do not use v2 addresses (16 characters) - they are deprecated and insecure.
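The listener and address checks from the hardening list above can be scripted. The following is an added example, not part of the original guide: exposed_listeners and is_v3_onion are hypothetical helper names, and the ss output is a constructed sample.

```bash
#!/usr/bin/env bash
# Added example: audits the Step 4 hardening state. Not part of the original guide.

# Succeeds only for a v3 onion hostname: 56 base32 characters (a-z, 2-7),
# the last of which is always "d" because it encodes the version byte 0x03.
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{55}d\.onion$'
}

# Reads `ss -tlnp` output on stdin and prints each TCP listener bound to a
# non-loopback address, except the allowed SSH port (first argument, default 22).
exposed_listeners() {
    awk -v ssh="${1:-22}" '
        $1 != "LISTEN" { next }                    # also skips the header row
        {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)    # text before the last colon
            if (host ~ /^127\./ || host == "[::1]") next
            if (port == ssh) next
            print $4
        }'
}

# Constructed sample: nginx left on the distribution default (0.0.0.0:80)
# instead of the 127.0.0.1:80 listener from Step 2.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=812,fd=6))
LISTEN 0      4096       127.0.0.1:9050      0.0.0.0:*    users:(("tor",pid=700,fd=6))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=650,fd=3))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=650,fd=4))'

# On the VPS itself, replace the sample with live data:
#   ss -tlnp | exposed_listeners 22
#   is_v3_onion "$(cat /var/lib/tor/onion_service/hostname)"
leaks=$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners 22)
if [ -n "$leaks" ]; then
    echo "FAIL: reachable outside Tor: $leaks"
else
    echo "OK: only loopback and SSH are listening"
fi
```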
# UFW example
ufw default deny incoming
ufw allow ssh
ufw enable
Running an Onion Service vs a Clearnet Site
An onion service is not a replacement for a clearnet site - it serves different users and use cases. Tor users (around 2-3 million daily active users globally) access .onion sites directly through the Tor Browser. Clearnet users cannot reach .onion addresses without Tor.
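If you want both: run a clearnet site on the same VPS and add an Onion-Location header pointing to your .onion address. The Tor Browser will show a banner offering the .onion version to visitors. Doing so publicly links the onion address to the clearnet site, so it suits services that use Tor for reachability rather than to hide the server's location.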
AnubizHost is Tor-friendly - our terms permit Tor relay operation and onion service hosting. We operate in Romania where Tor operation is legal and standard. See Why journalists choose offshore hosting for the broader context.
Frequently Asked Questions
Do I need a domain name for a Tor onion service?
No. The .onion address is cryptographically generated from your service's key pair. No DNS registrar, no ICANN, no domain registration required.
Can my onion service be taken down by authorities?
Not easily. There is no central DNS to seize. The service is only reachable over Tor and only accessible with the .onion address and your private key. Law enforcement would need to compromise the server itself or deanonymize the Tor circuit to find the server.
Does AnubizHost allow Tor onion service hosting?
Yes. Tor relay and onion service hosting is explicitly permitted in our AUP. We operate from Romania where Tor operation is legal.