Tor Hosting with Nginx — Performance-Optimized .onion Servers

Nginx's event-driven architecture is particularly well-suited for Tor hidden services. Tor connections tend to have higher latency than clearnet connections, which means connections stay open longer. Nginx handles this efficiently with its non-blocking I/O model, maintaining thousands of concurrent connections without spawning a thread for each one, unlike traditional web servers like Apache.

Memory footprint matters when running on Tor hosting infrastructure. Nginx typically uses 2-3 MB of RAM per 1,000 concurrent connections, compared to Apache's 100+ MB for the same load. This leaves more RAM available for your application, database, and the Tor process itself, all of which improve the responsiveness of your .onion site.

Nginx also excels as a reverse proxy and load balancer. If your .onion site runs a dynamic application backend — Node.js, Python, Ruby, PHP — Nginx efficiently handles static file serving and connection management while proxying dynamic requests to your application. This separation of concerns improves both performance and security.

AnubizHost's default Nginx configuration is specifically tuned for Tor hidden service operation. We increase keepalive timeouts to account for Tor's higher latency, configure upstream connection pooling for backend applications, enable HTTP/2 for multiplexed request handling, and set appropriate buffer sizes for the varied connection speeds of Tor users.

Security headers are configured by default: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Content-Security-Policy, and Referrer-Policy. We also add an Onion-Location header for sites that have a clearnet mirror, directing Tor Browser users to the .onion version automatically. Server tokens are stripped to prevent version information disclosure.

Caching is configured at multiple levels. Static assets receive long cache-control headers (30 days for images, fonts, and CSS). FastCGI cache stores rendered pages for dynamic applications, serving cached copies to subsequent visitors without hitting the backend. Cache purging is available via API or command line when you publish new content and need immediate visibility.

For complex deployments, our Nginx Tor hosting supports advanced features including rate limiting per .onion circuit, geographic-independent load balancing across multiple backend servers, WebSocket proxying for real-time applications, and gRPC proxying for microservice architectures. All features work over Tor without clearnet exposure.

We support Lua scripting within Nginx using the OpenResty module for customers who need custom request processing logic. Implement custom authentication, request routing, response transformation, or API gateway functionality directly in the web server layer with near-zero latency overhead. Lua scripts execute within the Nginx event loop for maximum performance.

TLS termination within Nginx is available for .onion sites that want the additional security layer of HTTPS over Tor. While Tor provides end-to-end encryption by default, some applications require TLS for protocol compliance or defense-in-depth. We generate self-signed certificates for .onion addresses, and Tor Browser handles these seamlessly.

Nginx access logs on our Tor hosting are configured to exclude IP addresses and other identifying information by default. You can choose to enable anonymous access logging that records request paths, response codes, and timing information — useful for debugging and analytics without compromising visitor privacy. No log configuration records visitor IP addresses.

We integrate Nginx with our monitoring system to provide real-time metrics: requests per second, response time percentiles, error rates, upstream backend health, and cache hit ratios. These metrics are available in your .onion control panel dashboard and help you identify performance bottlenecks and capacity needs.

Nginx error logs are invaluable for debugging application issues. Our configuration routes errors to a privacy-safe log that includes the error message, timestamp, and request URI without any client-identifying information. These logs are accessible through the control panel and automatically rotate to prevent disk space exhaustion.