Next.js App Router Deployment as a Tor Hidden Service

Next.js App Router applications can be deployed as Tor hidden services, providing modern React-based web applications in the .onion ecosystem. Deploying Next.js behind Tor requires configuring headers for the .onion context, handling server actions appropriately, and managing external API calls that would otherwise reveal the server's real IP address. This guide covers the specific considerations for Next.js App Router hidden service deployments.

Next.js Environment Configuration for .onion

Configure the Next.js environment for .onion deployment. Set NEXTAUTH_URL=http://youronionaddress.onion in .env.local if using NextAuth.js for authentication. Set NEXT_PUBLIC_BASE_URL=http://youronionaddress.onion for client-side URL generation; NEXT_PUBLIC_ values are inlined at build time, so set it before running next build. In next.config.js, use the headers() function to set security headers appropriate for .onion (no HTTPS-related headers like HSTS). Set experimental.serverActions.allowedOrigins in next.config.js to include the .onion address, so that the Server Actions cross-origin check accepts requests arriving through the hidden service. Build the application with next build and start it with next start -H 127.0.0.1 -p 3000 to bind only to localhost, so the application is reachable only through the Tor hidden service.

Server Actions and External Data Fetching

Next.js App Router's Server Actions and server-side data fetching (fetch() in Server Components) run on the server and make outbound HTTP requests. If these requests go directly to external servers, they reveal the server's real IP address. Route all outbound HTTP requests through the Tor SOCKS proxy using the undici library with a ProxyAgent: import { ProxyAgent } from 'undici' and pass dispatcher: new ProxyAgent('socks5://127.0.0.1:9050') in the fetch options (undici's fetch takes the proxy as a dispatcher option, not the agent option used by the http module). ProxyAgent was designed around HTTP(S) proxies, so confirm that the undici version in use accepts a socks5:// URI before relying on it. Alternatively, run all external API calls through a local proxy that routes through Tor. Review all Server Component data fetching and Server Actions for outbound HTTP calls and ensure each uses Tor-routed transport.
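
One way to enforce the rule above at runtime, as an added example rather than code from the original page: a wrapper that forces a Tor dispatcher onto every non-loopback request and refuses to send when none is configured. makeTorFetch, isLoopback and the stub fetch are hypothetical names, and torDispatcher is assumed to be whatever undici-compatible dispatcher routes through Tor.

```javascript
// Added example: fail-closed wrapper for server-side fetch() in a Tor-hosted app.
// Assumptions: `torDispatcher` is an undici-compatible dispatcher whose traffic
// leaves through Tor; makeTorFetch and isLoopback are hypothetical helper names.

function isLoopback(hostname) {
  // URL parsing has already lowercased the name and normalized IPv4 forms.
  return hostname === 'localhost' || hostname === '[::1]' ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

function makeTorFetch(torDispatcher, fetchImpl = globalThis.fetch) {
  return function torFetch(input, init = {}) {
    // Strings and URL objects only; relative URLs and anything else throw here.
    const url = new URL(String(input));

    if (url.protocol !== 'http:' && url.protocol !== 'https:') {
      throw new Error(`blocked scheme ${url.protocol}`);
    }
    // Local services (Nginx, an internal API, the app itself) stay on loopback.
    if (isLoopback(url.hostname)) return fetchImpl(url, init);

    // Everything else, clearnet or .onion, leaves through Tor or not at all.
    if (!torDispatcher) {
      throw new Error(`refusing direct egress to ${url.hostname}`);
    }
    // Overwrite any caller-supplied dispatcher so a call site cannot opt out.
    return fetchImpl(url, { ...init, dispatcher: torDispatcher });
  };
}

// Constructed usage: a stub stands in for fetch so the routing decision is visible.
const seen = [];
const stubFetch = (url, init) => {
  seen.push([url.hostname, 'dispatcher' in init]);
  return 'sent';
};
const torFetch = makeTorFetch({ label: 'tor' }, stubFetch);
torFetch('https://api.example.com/prices');  // gets the Tor dispatcher
torFetch('http://127.0.0.1:8080/internal');  // loopback, sent directly
console.log(seen);
```

The guard only controls which dispatcher a request uses; hostname resolution also has to happen inside Tor, so the proxy rather than the server should resolve names.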

Static Generation and ISR for .onion Services

Next.js's static site generation (SSG) and Incremental Static Regeneration (ISR) prerender pages at build time or after a revalidation period. For .onion services, static generation reduces server processing load and eliminates per-request database queries for static content. Configure generateStaticParams for dynamic route pages to prerender them at build time. Set revalidate periods appropriate for your content update frequency. ISR revalidation is triggered by incoming requests, but for .onion services it still runs on the server, so ensure any revalidation logic that fetches external data uses Tor-proxied requests.

Image Optimization Considerations

Next.js's built-in image optimization (next/image) can be configured to optimize images server-side or use an external image CDN. For .onion deployments, avoid external image CDN configurations that route image optimization through external services (Cloudinary, Imgix, etc.), which would reveal the server's IP. Keep image handling on the local server: either use Next.js's built-in optimizer, which runs inside the Next.js server, or set images.unoptimized = true in next.config.js to serve images as-is with no optimization step. If remote image sources are needed, configure images.remotePatterns to only allow .onion addresses; the built-in optimizer fetches remote sources from the server itself, so those fetches count as outbound requests.

Nginx Reverse Proxy for Next.js

Configure Nginx to proxy requests from the Tor hidden service to the Next.js server. Nginx listens on 127.0.0.1:8080 (mapped from the Tor hidden service port 80). Use proxy_pass to forward to http://127.0.0.1:3000, where Next.js runs. Enable WebSocket support for Next.js development only (not production): proxy_set_header Upgrade $http_upgrade; and proxy_set_header Connection "upgrade"; together with proxy_http_version 1.1, which the upgrade handshake requires. Set proxy_cache_bypass $http_upgrade to skip the cache for WebSocket connections. For production deployments, consider PM2 (a process manager) to run next start with auto-restart on failure and log management.
