Tor Technical

Apache Setup for .onion Hidden Service Sites

Apache remains a widely used web server with extensive module support, making it a viable choice for Tor hidden services — especially when your application relies on .htaccess rules or Apache-specific modules. This guide walks through configuring Apache to serve .onion sites securely, with a focus on privacy hardening and leak prevention.

Need this done for your project?

We implement, you ship. Async, documented, done in days.

Start a Brief

Tor and Apache Port Configuration

Configure Tor to forward hidden service traffic to Apache on localhost. Edit /etc/tor/torrc:

# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/apache_onion/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceVersion 3

Then configure Apache to listen exclusively on the loopback interface by editing /etc/apache2/ports.conf:

# /etc/apache2/ports.conf
Listen 127.0.0.1:8080

This ensures Apache only accepts connections from the local Tor process. Remove any Listen 80 or Listen 443 directives that would expose Apache on public interfaces. Restart both services with systemctl restart tor apache2.

Apache VirtualHost for .onion

Create a VirtualHost specifically for your .onion address. This keeps the configuration isolated and prevents accidental serving of content on other interfaces:

# /etc/apache2/sites-available/onion.conf

    ServerName your56charv3onionaddress.onion
    DocumentRoot /var/www/onion

    # Disable server signature
    ServerSignature Off
    ServerTokens Prod

    # Disable directory listing
    
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    

    # Disable logging for privacy
    ErrorLog /dev/null
    CustomLog /dev/null combined

    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set Referrer-Policy "no-referrer"
    Header always unset X-Powered-By

Enable the site and required modules with a2ensite onion.conf && a2enmod headers rewrite && systemctl reload apache2.

Privacy Hardening Apache for Tor

Apache exposes more information by default than Nginx, so hardening is critical. Disable modules you do not need to reduce the attack surface:

# Disable unnecessary modules
a2dismod status info autoindex cgi

# In apache2.conf, add:
TraceEnable Off
FileETag None

Disable mod_status and mod_info to prevent server information disclosure. Set TraceEnable Off to block HTTP TRACE requests that can be used for cross-site tracing attacks. Remove FileETag values as they can leak inode numbers that fingerprint your server.

If using PHP with Apache, configure php.ini to set expose_php = Off and session.cookie_httponly = 1. These small changes prevent PHP from advertising its version and protect session cookies from JavaScript access.

AnubizHost — Managed Apache Tor Hosting

AnubizHost offers fully managed Tor hosting with Apache pre-configured and hardened for hidden service use. Our team handles module configuration, security patching, and ongoing Tor maintenance so your .onion site stays secure and performant.

With offshore servers in Iceland, Romania, and Finland, your hidden service benefits from strong privacy jurisdictions and robust infrastructure. Sign up anonymously with cryptocurrency payments — Bitcoin, Monero, Litecoin, and more. No KYC required, and your .onion address is live within minutes of provisioning.

Related Services

Offshore VPS from $17.90/mo Dedicated Servers DevOps Services

Why Anubiz Labs

100% async — no calls, no meetings

Delivered in days, not weeks

Full documentation included

Production-grade from day one

Security-first approach

Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.

Start a Brief Tor Hosting Plans