Hosting a .onion Site: Complete Technical Guide 2026
One of the most remarkable features of Tor is that anyone can host a .onion site, with no registration through a registrar, no domain name to purchase, no SSL certificate to obtain from a certificate authority. A few lines of configuration are enough to transform an existing server into a hidden service accessible to the global Tor network. This complete technical guide walks you through the process, from hardware prerequisites to advanced configuration, including operational security best practices to protect your identity as an operator.
⚫ Page filtered. The full catalog is on Tor. Tor access →Why host a .onion site?
The reasons for hosting a .onion site are varied and, for the most part, perfectly legitimate. Major media organizations (BBC, NYT, ProPublica, Deutsche Welle) do it to offer readers in censored countries risk-free access. Privacy services (ProtonMail, DuckDuckGo, Mullvad) do it out of philosophical consistency: offering their service without even the connection revealing the user's identity. Whistleblowing platforms (SecureDrop, GlobaLeaks) do it out of technical necessity: receiving documents from anonymous sources requires that the reception itself be unobservable.
For an individual or a more modest project, the motivations can be varied. An anonymous personal blog on a sensitive topic (mental health experience, political criticism in an authoritarian country, minority activism). A small community that wants to exchange ideas without depending on a centralized platform. An open-source project that wants to offer .onion access to its official site. A document repository shared with collaborators. A game or an experimental artistic project.
Technically, hosting a .onion offers several advantages over a traditional clearnet site. No registrar: the address is generated cryptographically — no one can take it from you. No DNS: your site is not vulnerable to DNS attacks or state DNS blocks. No SSL certificate needed: the .onion address itself cryptographically authenticates the server. No public IP required: you can host behind NAT, on a home connection, without port forwarding.
Hardware prerequisites and skills
Hosting a .onion site requires moderate technical skills and minimal hardware. Don't be put off: if you can follow a Linux tutorial, you can do it.
Hardware
Technically, any computer with an internet connection will do. A Raspberry Pi 4 (€50–80) with an SD card is ideal for a personal site or an experimental project, consumes very little electricity, and can stay on permanently. A recycled old PC works too. For a professional site with sustained traffic, a VPS (Virtual Private Server) with a hosting provider is more suitable.
Operating system
A Linux distribution is recommended: Debian, Ubuntu Server, and
Arch Linux are the most common. Debian is the reference for stable servers, with
long support cycles. The examples in this guide use Debian/Ubuntu commands (apt),
easily adaptable to other distributions.
Recommended skills
Basic knowledge: using the Linux command line, editing files with nano or vim, understanding Unix permissions, knowing how to use SSH. Useful concepts: HTTP/HTTPS, nginx or Apache configuration, DNS (to know what you're not using). If you are a complete Linux beginner, start with a "Linux basics" tutorial before tackling .onion hosting.
Step 1: install Tor on the server
The first step is to install Tor (the server software, not Tor Browser) on your machine. On Debian or Ubuntu:
sudo apt update
sudo apt install tor This command installs Tor from Debian's official repositories. To get the latest version, you can add the Tor Project's official repository, which follows the latest releases:
sudo apt install apt-transport-https gnupg
echo "deb https://deb.torproject.org/torproject.org $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/tor.list
curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo gpg --dearmor -o /usr/share/keyrings/tor-archive-keyring.gpg
sudo apt update
sudo apt install tor deb.torproject.org-keyring Once installed, Tor starts automatically as a system service. You can check its status:
sudo systemctl status tor
The service should display active (running). If not, start it with
sudo systemctl start tor, then enable it at boot with sudo systemctl enable tor.
Step 2: configure the web server
Your web server (nginx, Apache, Caddy) must listen on localhost only — never on a public IP. This
ensures that only Tor can reach it. Here is a minimal nginx configuration
(/etc/nginx/sites-available/myoniononsite):
server {
listen 127.0.0.1:8080;
server_name _;
root /var/www/myoniononsite;
index index.html;
# Hide server information
server_tokens off;
# No access log for anonymity
access_log off;
error_log /var/log/nginx/myoniononsite-error.log crit;
location / {
try_files $uri $uri/ =404;
}
}
Key points: the server listens only on 127.0.0.1 (unreachable from the internet),
server_tokens off hides the nginx version, access_log off
prevents visit logging (essential to protect your visitors).
Enable the site and restart nginx:
sudo ln -s /etc/nginx/sites-available/myoniononsite /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx Create a test file:
sudo mkdir -p /var/www/myoniononsite
echo "<h1>My first .onion site</h1>" | sudo tee /var/www/myoniononsite/index.html Step 3: configure torrc for the hidden service
Tor's configuration file is /etc/tor/torrc. To declare a hidden service,
add two lines:
HiddenServiceDir /var/lib/tor/myoniononsite/
HiddenServicePort 80 127.0.0.1:8080 The first line tells Tor where to store the private key and service information (the directory is created automatically). The second line means: when someone connects via HTTP to your .onion, redirect to port 8080 on localhost (where nginx is listening).
Restart Tor to generate the address:
sudo systemctl restart tor
Tor will create the /var/lib/tor/myoniononsite/ directory and generate an Ed25519 key
pair inside it. Your .onion address is in the hostname file:
sudo cat /var/lib/tor/myoniononsite/hostname
You get a 56-character address followed by .onion. Your site is now accessible from
any Tor Browser! Propagation through the Tor network's DHT takes a few minutes; be patient during
the first test.
Back up the private key
The private key stored in /var/lib/tor/myoniononsite/hs_ed25519_secret_key is
essential: it is what defines your .onion address. If you lose it, your address
changes (your visitors can no longer find you). Back it up immediately in a safe, encrypted location
(VeraCrypt, KeePassXC).
Hardening the configuration
A few additional options to add in torrc to strengthen security:
# Do not act as a Tor relay in addition to being a client
SocksPort 0
ClientOnly 1
# No Tor logging
Log notice file /dev/null
# Hidden service hardening
HiddenServiceSingleHopMode 0
HiddenServiceNonAnonymousMode 0 Step 4 (optional): custom .onion address
Randomly generated .onion addresses are hard to remember. You can create a "vanity" address whose
first characters form a word, like Facebook with
facebookwkhpilnemxj7asaniu7vnjjbiltxjqhye3mhbshg7kx5tfyd.onion. The reference tool is
mkp224o, developed by the Tor Project and actively maintained.
Installation and compilation:
sudo apt install build-essential autoconf libsodium-dev
git clone https://github.com/cathugger/mkp224o.git
cd mkp224o
./autogen.sh
./configure
make Generating an address starting with "oniondir":
./mkp224o oniondir The tool randomly traverses the Ed25519 key space until it finds one matching the prefix. Time estimates (on a modern GPU): 5 characters = a few minutes, 6 characters = a few hours, 7 characters = one day, 8 characters = several days, 9 characters = several weeks. Beyond that, it is economically prohibitive without a dedicated GPU farm.
Once a key is generated, copy the folder into /var/lib/tor/ and modify torrc to
point to it:
sudo cp -r oniondirxxxxxxxxxx.onion /var/lib/tor/
sudo chown -R debian-tor:debian-tor /var/lib/tor/oniondirxxxxxxxxxx.onion
sudo chmod 700 /var/lib/tor/oniondirxxxxxxxxxx.onion Modify torrc to point to this new directory, then restart Tor.
Opsec: protecting your operator anonymity
If you host a sensitive site, protecting your identity as an operator deserves as much attention as protecting your visitors. Here are the essential opsec rules.
Never include identifying information on the site. No real name, no address, no personal photo, no links to accounts in your real name. Your writing style itself can betray you (stylometry): for highly sensitive uses, have your texts reviewed to smooth out stylistic tics.
Pay for your infrastructure anonymously. The VPS, the domain name (if you have one for the clearnet version), third-party services: everything must be paid for without a link to your real identity. Cryptocurrencies (ideally Monero), gift cards purchased with cash, services that accept full anonymity (Mullvad, Njalla for domains).
Strictly configure the web server. HTTP headers that don't reveal the nginx version, no access logs, no third-party monitoring (no Google Analytics, obviously), file timestamps that don't correspond to a revealing time zone. Every detail matters.
Separate the administration identity from the public identity. If your site has an author under a pseudonym (for example "MeOnionSide"), never use that pseudonym elsewhere, especially not for server administration. The administrator must be a distinct and invisible identity.
Limit data in the database. If your site has a database (WordPress, dynamic applications), take care that it reveals nothing about you. No stored visitor IPs, no compromising metadata in uploaded files, regular cleanup.
Consider jurisdiction. If you host with a European provider, your data is subject to the GDPR but also to EU legal requests. Jurisdictions like Iceland (1984 Hosting) offer enhanced freedom of expression protections. Njalla, based in the Caribbean, systematically refuses requests that do not go through complete legal procedures.
Specialized hosting providers and alternatives
Several hosting providers are known for their respect for privacy and their compatibility with Tor hidden services.
Njalla (njal.la) is the registrar and hosting provider founded by Peter Sunde, co-founder of The Pirate Bay. It registers clearnet domains in its own name and then "leases" them to you, masking your identity in WHOIS. Accepts cryptocurrencies, no identity verification. Based in the Caribbean, infrastructure in Sweden.
1984 Hosting (1984.is) is an Icelandic host focused on freedom of expression, named after Orwell's novel. Iceland offers a particularly protective legal framework. Accepts cryptocurrencies and anonymous payments.
Ablative Hosting specializes in hosting Tor hidden services. Their infrastructure is designed from the ground up for this use, with optimizations specific to the Tor network.
Impreza Host (imprezahost.com) is another privacy-first host, accessible only via .onion, which accepts Bitcoin.
Simple alternative: OnionShare. For occasional or experimental needs, the OnionShare software turns any computer into a temporary .onion server with a single click. You select a folder, OnionShare generates a .onion address, and the site is accessible as long as the software is running. Perfect for sharing a file or publishing a static site without infrastructure.
Further reading
To get a broader grasp of the Tor environment, see our dark web access guide, our article on .onion links and their cryptographic workings, and our technical glossary. For VPN and pluggable transport aspects, see our VPN and Tor guide.
To explore legitimate .onion services that illustrate what your site could become, see our top 30 legitimate .onion sites. For complementary anonymity tools (SecureDrop, OnionShare, Tails), see our Tools & Privacy category. For specialized hosting providers, see our Hosting category.