Nginx Configuration for Tor Hidden Services

Nginx is the most popular web server for Tor hidden services thanks to its low memory footprint, high concurrency handling, and straightforward configuration. This guide covers complete Nginx setup for .onion sites — from torrc configuration to security hardening — so your hidden service is fast, reliable, and properly secured.

Configuring torrc for Nginx

The first step is telling Tor to create a hidden service and forward connections to Nginx. Edit your /etc/tor/torrc file to define the hidden service directory and the port mapping:

# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/my_hidden_service/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceVersion 3

This configuration tells Tor to listen on virtual port 80 and forward traffic to localhost port 8080, where Nginx will be listening. After saving, restart Tor with systemctl restart tor and your .onion address will be generated in /var/lib/tor/my_hidden_service/hostname.

For production deployments, consider adding HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode only if your server identity is already public and you want reduced latency. For most privacy-focused use cases, keep the default 3-hop circuits.

Nginx Server Block for .onion

Configure Nginx to listen only on localhost to prevent accidental clearnet exposure. Create a server block specifically for your hidden service:

# /etc/nginx/sites-available/onion
server {
    listen 127.0.0.1:8080;
    server_name your56charv3onionaddress.onion;

    root /var/www/onion;
    index index.html;

    # Disable server tokens
    server_tokens off;

    # Strip X-Powered-By from proxied upstream responses
    # (no effect on the static files served by this block)
    proxy_hide_header X-Powered-By;

    # Prevent clickjacking, MIME sniffing, and referrer leaks
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;

    # Disable logging for privacy
    access_log off;
    error_log /dev/null;

    location / {
        try_files $uri $uri/ =404;
    }
}

Binding to 127.0.0.1:8080 ensures Nginx only accepts connections from the local Tor daemon. Never bind to 0.0.0.0 as this would expose the service on all network interfaces, potentially revealing your server IP.

Security Hardening for Tor + Nginx

Harden your Nginx configuration to prevent information leaks that could deanonymize your hidden service. Disable all access and error logs, strip version headers, and block common fingerprinting requests:

# Place these directives inside the onion server block
# Block version probing
location = /server-status { return 404; }
location = /nginx_status { return 404; }

# Block dotfiles
location ~ /\. { deny all; }

# Limit request methods
if ($request_method !~ ^(GET|HEAD|POST)$) {
    return 405;
}

Additionally, configure connection timeouts to mitigate Slowloris attacks. Set client_body_timeout 10s, client_header_timeout 10s, and keepalive_timeout 15s. For Tor hidden services, connections arrive from localhost, but these limits still protect your application layer from abuse.

Consider enabling rate limiting with limit_req_zone to prevent brute-force attacks, as Tor exit nodes cannot be blocked by IP without also blocking legitimate users.
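
An added example (not from the original page) that combines the timeouts and rate limiting described above. Because every request reaches Nginx from 127.0.0.1, a zone keyed on the client address would put all visitors in one bucket, so this example keys on the per-circuit address Tor supplies when HiddenServiceExportCircuitID haproxy is set in torrc. The zone names, rates, and burst values are assumptions to tune for your site.

```nginx
# Added example; zone names and rates are illustrative assumptions.
#
# torrc, under the HiddenServiceDir line for this service:
#   HiddenServiceExportCircuitID haproxy
# Tor then prefixes each connection with a PROXY protocol v1 header whose
# source address encodes the inbound circuit ID, giving Nginx a per-circuit key.

# --- http {} context ---
# Per-circuit limit: one noisy circuit cannot starve the others.
limit_req_zone $proxy_protocol_addr zone=onion_circuit:10m rate=5r/s;
# Global backstop: a client can open new circuits, so also cap the whole site.
limit_req_zone $server_name zone=onion_site:1m rate=100r/s;

server {
    # proxy_protocol is required once Tor sends the PROXY header;
    # without it Nginx would treat the header as a malformed request.
    listen 127.0.0.1:8080 proxy_protocol;
    server_name your56charv3onionaddress.onion;

    root /var/www/onion;
    index index.html;

    # Slow-request timeouts from the text above
    client_body_timeout   10s;
    client_header_timeout 10s;
    keepalive_timeout     15s;

    # Answer throttled requests with 429 instead of the default 503
    limit_req_status 429;

    location / {
        limit_req zone=onion_circuit burst=10 nodelay;
        limit_req zone=onion_site    burst=50;
        try_files $uri $uri/ =404;
    }
}
```

Validate with nginx -t, then restart Tor and reload Nginx together: if only one side speaks PROXY protocol, every request through the hidden service fails.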

AnubizHost — Pre-Configured Tor + Nginx Hosting

Skip the manual configuration entirely with AnubizHost managed Tor hosting. Every VPS comes with Nginx and Tor pre-installed, pre-configured, and security-hardened by our team. Your .onion address is generated during provisioning and your site is live within minutes.

Our offshore servers in Iceland, Romania, and Finland operate under privacy-friendly jurisdictions. Pay with Bitcoin, Monero, or other cryptocurrencies — no KYC, no identity verification. AnubizHost handles Tor updates, Nginx security patches, and uptime monitoring so you can focus on your content.
