Tor Hidden Service Hosting in Macau - .Onion Site in East Asia

A Tor hidden service uses the .onion network to hide both the server's IP and the user's IP from each other. The server never knows the real IPs of visitors, and visitors never know the real IP of the server. This two-way anonymity is unique to Tor hidden services. But the server infrastructure itself still exists somewhere physical. Macau (East Asia) provides the jurisdictional layer for that physical infrastructure: Exit nodes under Macau's separate legal system from PRC - more operational flexibility than mainland China but tightening environment. Macau hosting for .onion sites: Moderate and increasing censorship. Macau's censorship environment has tightened since 2020 with casino regulatory pressure affecting political speech online. The combination: Tor hidden service network-layer anonymity + Macau jurisdictional protection + Anubiz Host no-KYC registration + Monero payment = maximum operational security for hidden service hosting.

Complete hidden service setup on Debian/Ubuntu VPS in Macau: ```bash # Install Tor and web server apt update && apt install tor nginx -y # Configure nginx to only listen on localhost # /etc/nginx/sites-available/default server { listen 127.0.0.1:80; root /var/www/html; index index.html; access_log off; # No logging error_log /dev/null; # No error logging } # /etc/tor/torrc - add hidden service config HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80 # Restart services systemctl restart nginx systemctl restart tor # Get your .onion address cat /var/lib/tor/hidden_service/hostname # Output: something like: abc123...xyz.onion ``` **Security hardening**: - Disable Nginx server tokens: `server_tokens off;` - Set strict CSP headers to prevent JavaScript leaks - Use SecureHeaders middleware in application framework - Configure fail2ban for brute-force protection on admin interfaces

Standard .onion addresses are random 56-character strings. Vanity addresses start with a recognizable prefix (e.g., "anubiz...onion"). They require computation to generate. **mkp224o** (recommended): GPU-acceleratable vanity address generator for v3 .onion addresses: ```bash # Install dependencies apt install gcc libsodium-dev make git -y # Clone and build git clone https://github.com/cathugger/mkp224o.git cd mkp224o && ./autogen.sh && ./configure && make # Generate vanity address (example: 6-character prefix) ./mkp224o -d keys/ -n 1 prefix # This runs until it finds a matching address # Shorter prefixes: seconds to minutes # 8 characters: hours to days # 10+ characters: months to years ``` After generation, copy the key files to your Macau VPS's HiddenServiceDir and restart Tor. **Security note**: Never share the private key file (hs_ed25519_secret_key). This key controls the .onion address. Losing it means losing the address permanently.

Common .onion site operational security failures: **Application-layer IP leaks**: A web application that includes URLs with the server's real IP (e.g., in redirects, API responses, or error messages) can expose the IP even when behind Tor. Audit all application responses for IP references. **DNS resolution from server**: If your hidden service application makes DNS requests that leak to the server's clearnet DNS, you may expose operational patterns. Use Tor-routed DNS or a local resolver. **Time-based correlation**: Tor can be deanonymized by traffic pattern analysis if an adversary controls both the entry and exit of the circuit. For high-risk operations, hosting in Macau adds a second independent layer of protection beyond network-layer Tor anonymity. **Server time leaks**: HTTP headers may include server timestamps. If the server clock is distinctive (wrong timezone, unusual precision), this can be correlated. Use UTC, disable Last-Modified headers in nginx: `expires epoch;` **Uptime correlation**: A hidden service that goes offline precisely when you disconnect from the internet can be correlated. For operational security, run services as daemons that stay online independently of your connection. Exit nodes under Macau's separate legal system from PRC - more operational flexibility than mainland China but tightening environment.