vennedey.net

Set up an onion address for your website

On Tue, 25 Oct 2016 15:58:58 +0200 by Falco Vennedey

I finally managed to connect this page properly to the Tor network by setting up a Tor hidden service that redirects to this site. To use it, download the Tor Browser Bundle and connect to the onion address http://seodnwkezyf3msbj.onion.

If you want to know about my motivation to set this up, please read this article on the Tor blog and watch this video recorded at the 32C3 explaining why hidden services are useful.

For now there is only an HTTP version available for my onion address, since the only CA issuing TLS certificates for onion addresses is DigiCert, who wants to be paid for it. There is some hope that Let's Encrypt will issue certificates for onion addresses in the future. Anyway, this is not a real security risk as long as you take care of transport encryption between the Tor process that terminates the connection to the onion address and your endpoint (e.g. a web server), since connections to onion sites are encrypted and authenticated by the onion address itself. The connection to the endpoint can be secured by running Tor on the same machine as the endpoint, by creating an SSH/VPN tunnel, or, in the case of a web server, by using a proxy that connects the two over HTTPS. For a quick introduction on how to set up a Tor hidden service, have a look at the article in the Tor documentation.

To forward HTTP requests sent to the onion site to your web server over HTTPS, you can use the following simple NGINX configuration:

/etc/nginx/conf.d/example-com.onion.conf
server {
        listen 0.0.0.0:80;
        listen [::]:80;
        server_name youronionaddress.onion;

        location / {
                proxy_set_header original-host $http_host;
                proxy_pass https://www.example.com:443;
        }
}

This also adds a header, original-host, to the forwarded request, so that you have an easy way to distinguish requests that arrived via the onion address from requests that arrived via the classic domain.
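A hardened variant of the configuration above, added here as an example and not part of the original post: NGINX does not verify the upstream certificate on proxy_pass https:// unless told to, so the hop to the web server is encrypted but not authenticated by default. The example assumes Tor runs on the same machine as this proxy and forwards to loopback; the HiddenServiceDir path and the CA bundle path are assumptions to adjust for your system.

```nginx
# /etc/nginx/conf.d/example-com.onion.conf (hardened variant, added example)
#
# Assumed matching torrc entries on the same machine (directory path is an assumption):
#   HiddenServiceDir /var/lib/tor/example_onion/
#   HiddenServicePort 80 127.0.0.1:80
server {
        # Only the local Tor process needs to reach this vhost, so bind to
        # loopback instead of 0.0.0.0 / [::].
        listen 127.0.0.1:80;
        server_name youronionaddress.onion;

        location / {
                # Set by this proxy on every forwarded request. A client talking
                # to www.example.com directly can send a header with the same
                # name, so treat it as a routing hint, not as proof of origin.
                proxy_set_header original-host $http_host;

                proxy_pass https://www.example.com:443;

                # Authenticate the upstream: verification is off by default.
                proxy_ssl_verify on;
                proxy_ssl_verify_depth 2;
                # CA bundle location on Debian/Ubuntu; an assumption, adjust as needed.
                proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

                # Send SNI and check the certificate against the expected name.
                proxy_ssl_server_name on;
                proxy_ssl_name www.example.com;
        }
}
```

After reloading NGINX, a request through the onion address should fail with a 502 if the upstream presents a certificate that does not chain to the trusted bundle or does not match www.example.com.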
