To ensure that your website is only reachable via the Tor network and not accessible over the clearnet, you'll need to bind your web server to the local interface and configure Tor as outlined below.
Prerequisites:
- You must have control over a server where your website is hosted.
- You should be comfortable with the command-line interface and basic server administration.
- Tor must be installed on your server.
Step by Step Instructions:
- Bind Your Web Server to the Local Interface:
First, make sure your web server is configured to listen only on localhost (127.0.0.1). This is important as it ensures that your website is not accessible from the clearnet, but only from the Tor network. The procedure for doing this will depend on your specific web server software. For example, in Apache, you might change the Listen directive in your configuration file to:
```
Listen 127.0.0.1:80
```
- Install Tor:
If Tor is not installed on your server, you'll need to install it. For a Debian-based system, you can use:
```bash
sudo apt-get update
sudo apt-get install tor
```
For a RedHat-based system:
```bash
sudo yum update
sudo yum install tor
```
- Configure Tor for Hidden Services:
Open the Tor configuration file, usually located at "/etc/tor/torrc":
```bash
sudo nano /etc/tor/torrc
```
Scroll down to the section marked "This section is just for location-hidden services".
Add two lines for your service:
```
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
```
The "HiddenServiceDir" line tells Tor where to store information about the hidden service. Tor will create a directory at "/var/lib/tor/hidden_service/" and within this directory, two files: "hostname" and "private_key".
The "HiddenServicePort" line tells Tor which port to use for incoming connections and where to send those connections.
- Start Tor:
Save and close the torrc file. Then, restart Tor:
```bash
sudo systemctl restart tor
```
Or:
```bash
sudo service tor restart
```
- Find your .onion address:
To find out the .onion address of your hidden service, use:
```bash
sudo cat /var/lib/tor/hidden_service/hostname
```
- Test your .onion address:
You can now test your .onion address by opening Tor Browser and navigating to "http://[your .onion address]".
Additional Notes:
- Keep your private_key file secure. If someone else gets it, they can impersonate your hidden service.
- Tor hidden services can be slow. If your website is very bandwidth-intensive, it might not work well as a hidden service.
Tor is an anonymous network, but it doesn't magically make everything you do private, and there are various ways to uncover the location of your hidden service.
Make sure that your firewall only allows your server to connect to the Tor network, and that your services only respond from there. Otherwise, projects like Shodan may index them and your service will be exposed.
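To check the loopback binding and the HiddenServicePort target described above, the two shell helpers below flag any listener or onion target that is not on loopback. This is an added example, not part of the original guide; the function names and the sample `ss` and torrc lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. All sample data is constructed.
# On a live host:  ss -H -ltn | exposed_listeners 80
#                  nonlocal_onion_targets < /etc/tor/torrc
# Empty output from both commands means the check passed.

# Reads `ss -H -ltn` output on stdin and prints every local address that
# listens on port $1 without being bound to loopback (clearnet-reachable).
exposed_listeners() {
    awk -v port="$1" '{
        addr = $4                                  # "Local Address:Port"
        n = split(addr, parts, ":")
        if (parts[n] != port) next
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host ~ /^127\./ || host == "[::1]") next
        print addr
    }'
}

# Reads a torrc on stdin and prints HiddenServicePort lines whose target
# is not loopback. A missing target or a bare port means 127.0.0.1.
nonlocal_onion_targets() {
    awk 'tolower($1) == "hiddenserviceport" {
        target = $3
        if (target == "" || target ~ /^[0-9]+$/) next
        if (target ~ /^127\./ || target ~ /^\[::1\]/ || target ~ /^unix:/) next
        print
    }'
}

# Constructed sample: the web server is also bound to the IPv6 wildcard.
SAMPLE_SS='LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:80 [::]:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*'

# Constructed sample: one commented-out line, one good and one bad target.
SAMPLE_TORRC='#HiddenServicePort 80 10.0.0.5:80
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 8080 192.0.2.10:8080'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners 80
printf '%s\n' "$SAMPLE_TORRC" | nonlocal_onion_targets
```

A listener reported by `exposed_listeners` is reachable without Tor unless a firewall blocks it, so fix the bind address first and treat the firewall as a second layer.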