Mirroring your website on Tor
2023 May 6
If you already have a non-anonymous website, and you'd like to set up a Tor onion site to mirror it, this guide is for you.
If you instead want to run an anonymous Tor onion site, take a look at this video.
1. Install Tor
Install Tor for your system. If you're running Ubuntu, don't use the packages from your OS. Instead, get the official Tor ones. If you're running Debian Stable or newer, Fedora, Arch, etc., then you can probably just use the tor package provided by your distribution. The official Tor Project binaries are always a good option, though!
2. Configure Tor
Edit /etc/tor/torrc to add these lines:
HiddenServiceDir /var/lib/tor/example.com/
HiddenServicePort 80 localhost:80
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1
SOCKSPort 0
HiddenServiceDir says where to put the files (including the private key) for this onion service. Change "example.com" to whatever you want.
HiddenServicePort says to listen on [the first port] and forward the traffic to [the second address]. In this case, we're listening on port 80 and forwarding this traffic to localhost:80 (where you are presumably running a webserver). If your webserver is running on a different host, change this to that IP:port.
(If you want to add additional onion addresses, just add more HiddenServiceDir and corresponding HiddenServicePort lines. You can have multiple HiddenServicePort options per HiddenServiceDir, but for our purposes, we just need the one for HTTP.)
HiddenServiceSingleHopMode sets your onion service to use only 1 relay, rather than the standard 3-relay circuit. Again, this guide assumes you are not running an anonymous service since you're mirroring an existing non-anonymous website. This setting is not required, but it will improve the performance of your site.
HiddenServiceNonAnonymousMode and setting SOCKSPort to 0 are both required for HiddenServiceSingleHopMode. Note that setting SOCKSPort to 0 means Tor will not listen on port 9050, i.e., this setting disables Tor as an anonymity proxy on your system.
3. (Re)start Tor
If you're using systemd:
sudo systemctl restart tor
You probably want Tor to start when the system boots as well:
sudo systemctl enable tor
4. Get your .onion address
cat /var/lib/tor/example.com/hostname
...replacing example.com with whatever you put above. Copy the output string for the next step.
5. Configure your webserver
I'll write instructions here for nginx. The basic idea will be the same for other webservers, though: Listen on localhost:80 for the hostname from step 4.
Increase server_names_hash_bucket_size
Modify your nginx config (/etc/nginx.conf) to increase server_names_hash_bucket_size to "128" or something else sufficiently large. The default 64 will cause problems when you try to use long onion addresses.
Restart nginx
sudo systemctl restart nginx
Modify your site config
In the server block where you have instructions for serving your site (e.g., the one where you have "listen 443 ssl" or similar), add the following:
listen localhost:80;
Also add your onion address (see step 4) to the "server_name" setting:
server_name example.com LongRandomLookingStringEndingInLowercased.onion;
Add a header to advertise your onion mirror:
add_header Onion-Location http://LongRandomLookingStringEndingInLowercased.onion$request_uri;
Reload nginx
sudo nginx -s reload
You should now be able to connect to your onion address (see step 4) in, e.g., the Tor Browser! Also, if you go to the non-Tor version of your site (e.g., https://example.com) in the Tor Browser, you should see the ".onion available" option and be able to click it to get to the onion site. Yay!