Run Multiple .onion Sites on One Server

Tor supports multiple hidden services by defining multiple HiddenServiceDir blocks in your torrc file. Each block creates a separate .onion address with its own cryptographic identity:

# /etc/tor/torrc — Multiple hidden services

# Service 1 — Main website
HiddenServiceDir /var/lib/tor/service_website/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceVersion 3

# Service 2 — API backend
HiddenServiceDir /var/lib/tor/service_api/
HiddenServicePort 80 127.0.0.1:8081
HiddenServiceVersion 3

# Service 3 — Admin panel
HiddenServiceDir /var/lib/tor/service_admin/
HiddenServicePort 80 127.0.0.1:8082
HiddenServiceVersion 3
HiddenServiceAuthorizeClient stealth admin1

Each service gets its own directory with its own key pair and .onion address. After restarting Tor, check each directory's hostname file for the generated addresses. The admin panel example includes client authorization, making it invisible to anyone without the auth key.

You can define as many hidden services as your server resources allow, though each additional service consumes more memory and CPU for maintaining circuits and publishing descriptors.

Configure your web server to route each .onion service to the correct site content. With Nginx, create separate server blocks for each service listening on different localhost ports:

# /etc/nginx/sites-available/service-website
server {
    listen 127.0.0.1:8080;
    root /var/www/website;
    index index.html;
    access_log off;
    error_log /dev/null;
}

# /etc/nginx/sites-available/service-api
server {
    listen 127.0.0.1:8081;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
    }
    access_log off;
    error_log /dev/null;
}

# /etc/nginx/sites-available/service-admin
server {
    listen 127.0.0.1:8082;
    root /var/www/admin;
    index index.html;
    access_log off;
    error_log /dev/null;
    # Additional auth layer
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}

Each Nginx server block listens on the port that corresponds to its HiddenServicePort target in torrc. This clean separation means services do not share any configuration or content.

When running multiple hidden services on one server, resource isolation prevents one service from affecting others. Use Linux cgroups or systemd resource limits to cap CPU and memory per service:

# Create systemd overrides for resource limits
systemctl edit nginx
# Add:
[Service]
MemoryMax=512M
CPUQuota=50%

For stronger isolation, run each web application in its own Docker container or Linux namespace. This prevents a compromised application in one .onion service from accessing files or processes belonging to another service. The Tor daemon itself should run as a single process managing all hidden services — do not run multiple Tor instances unless you have specific circuit isolation requirements.

Consider the security implications of shared infrastructure. If an attacker compromises one service and gains shell access, they could potentially access keys for all hidden services on the server. For high-security deployments, use separate servers or at minimum separate user accounts and filesystem permissions for each service's web content.

AnubizHost VPS plans support running multiple Tor hidden services out of the box. Our servers come with Tor pre-configured and enough resources to host several .onion sites simultaneously — NVMe storage, multi-core CPUs, and generous RAM allocations handle the overhead of multiple descriptor circuits.

Deploy your .onion sites on our offshore servers in Iceland, Romania, and Finland with full root access to configure as many hidden services as you need. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. Our support team can assist with multi-service torrc configuration and resource allocation optimization.