Setting Up Your Own Tor Site
As censorship grows, awareness needs to be raised
Preface
The Daily Beagle has been experimenting with getting a Tor Onion site up to bypass censorship, and we have step-by-step instructions on how to get one running!
These instructions are intended for Ubuntu (which is open source, and thus free), and should work on Ubuntu 20.04 or Later. Similar Linux OSes may see success, however we only tested this for Ubuntu. We won’t be covering installation steps for Ubuntu.
We do not have instructions for Windows, and it is strongly advised to use a Linux OS rather than a Windows OS, as Linux tends to be a more secure and stable operating environment.
You don’t need a dedicated server host as it is possible to be run locally (even if you are behind a ‘DMZ’ or a router that hates port forwarding). If you don’t know what this means: essentially you shouldn’t need to configure any network devices.
Security of the setup isn’t guaranteed, as this is purely to get an Onion site running.
You’d be expected to have read up on good web security practices. It is recommended to have a good understanding, both for your own security, and that of your users.
Anyone who wants to visit your Onion site will require a Tor browser or Tor proxy.
We’ll cover how to install the Tor browser first, then the server.
Installing The Tor Browser
Go to the Tor website and download the Tor browser for your OS. In our case we’re interested in “Download for Linux” as Ubuntu is a Linux OS:
It should prompt you to download a file similar to ‘tor-browser-linux-x86_64-__._._.tar.xz’ (with the underscores being filled with the version number). In our case it’s ‘tor-browser-linux-x86_64-13.0.5.tar.xz’ but the numbers will change.
Download that file, and then move the file into a directory where you want the Tor browser to be.
Whilst in that directory, open Terminal (‘Command Prompt’). It may be as simple as right-click, ‘Open in Terminal’, or you can use ‘pwd’ (print working directory) and ‘cd’ (change directory) in a new Terminal to manually get there.
First update apt’s package lists, and then install xz-utils (it should already be installed, but in case it isn’t, this ensures we’re on the same page):
sudo apt update
sudo apt install xz-utils
To save you manually typing the filename, Terminal has a neat trick! If you run:
ls
It will list the files in the directory so you can see the exact filename, and Terminal’s tab-autocomplete can then fill it in for you.
Start typing: ‘tar xf tor-browser’ then press tab (it should autocomplete with your version number). So in The Daily Beagle’s case it becomes:
tar xf tor-browser-linux-x86_64-13.0.5.tar.xz
However in your case the version numbers might be different, so you’ll want to manually correct them.
If the extraction succeeded, you should see a folder that looks like this:
With these files inside:
(If it didn’t, leave a comment detailing the steps and the problem below).
Every time you want to open Tor, either navigate the Terminal to the tor-browser directory, or open up a new Terminal instance in tor-browser and run:
./start-tor-browser.desktop
It will fire up the Tor browser, which will allow you to test to see if your Onion site is working.
Setting Up Your Own Onion Site
Initial Installation
These next steps are for installing Tor services for hosting the Onion site (which is separate from your Tor browser). On your Ubuntu server, open the Terminal, and run the following commands:
sudo apt update
sudo apt install tor
sudo apt install apache2
sudo apt install apache2-utils
This will update apt’s package lists, install Tor services, and install the apache2 web server plus utilities (if they aren’t already installed).
File Directory Permissions
Now we will do some file permission configuration (it will make it easier for you to add files and host them, as /var/www/ is normally writable only by root). The -p on mkdir means it is fine if apache2 already created the html folder during installation.
cd /var/www/
sudo mkdir -p html
sudo chown $USER:www-data /var/www/html
sudo chmod g+s /var/www/html
sudo chmod o-rwx /var/www/html
The user ‘www-data’ is the account apache2 runs as by default. The chown makes you the owner of the ‘html’ folder and gives it the www-data group. ‘g+s’ sets the setgid bit on the folder, so that files and folders created inside it inherit the www-data group automatically (otherwise anything you create would get your own primary group and apache2 might not be able to read it). ‘o-rwx’ removes ‘read, write, execute’ from everybody else. Starting from the default folder permissions this leaves the folder as rwxr-s--- (mode 2750): you can add, edit and delete files, apache2 can read and serve them (which is all it needs; it does not need to write), and no other account on the machine can even list them.
Basic Configurations
We’ll also be installing PHP, which is a powerful server programming language:
sudo apt-get install libapache2-mod-php
We’ll want to set up an administration password for apache2:
sudo htpasswd -c /etc/apache2/.htpasswd admin
The Terminal will prompt you to input a password. Make sure it’s secure (as it’s the only thing protecting your server from modification) and memorable (as there’s no easy way to reset or recover it). Maybe write hints down in a physical book somewhere (but don’t write the password!).
Now, back to our directory, we’ll want to create a “.htaccess” file (the dot means it will be hidden) and then open it to edit it.
cd /var/www/html
touch .htaccess
gedit .htaccess
You can use an online .htaccess generator to give you a starting template to copy-paste, as a .htaccess file is fiddly to write cleanly. For convenience, The Daily Beagle has drafted a basic .htaccess file which you can copy (the commented-out AddType/AddHandler lines show where you could enable PHP inside .html files, should you want that). Three things are needed for it to take effect on a stock Ubuntu apache2: the rewrite and headers modules must be switched on (sudo a2enmod rewrite headers, then restart apache2), the <Directory /var/www/> block in /etc/apache2/apache2.conf must say AllowOverride All instead of AllowOverride None (otherwise apache2 ignores the .htaccess entirely), and a <Directory> block is not permitted inside a .htaccess (apache2 answers every request with a 500 error if it finds one), so DirectoryIndex sits at the top level here:
<Files "/var/www/html">
# Note: <Files> matches a file name, not a folder, so as written this block matches nothing and no password is ever asked for.
# To password-protect a single file, put its name in place of the path above; to protect a whole folder, put the next four lines (without the <Files> wrapper) in a .htaccess inside that folder.
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
</Files>
# The three AddType lines below are a leftover from shared-hosting templates; libapache2-mod-php already handles .php files on Ubuntu, so they are harmless but not needed.
AddType x-mapp-php5 .php
AddType application/x-httpd-php .php
AddType x-httpd-php .php
#AddType application/x-httpd-php .html
#AddHandler application/x-httpd-php .html
# <Directory> is not allowed inside .htaccess, so DirectoryIndex goes at the top level (it applies to this folder and everything below it)
DirectoryIndex index.php index.html
# Caching schema (needs mod_headers; the IfModule wrapper stops apache2 erroring if it is not enabled)
<IfModule mod_headers.c>
<FilesMatch "\.(jpg|png)$">
Header set Cache-Control "private, proxy-revalidate, max-age=60"
</FilesMatch>
</IfModule>
# Block users by IP. Left commented out: "deny from" with no address is a syntax error, and on an Onion site every request reaches apache2 from 127.0.0.1 (Tor), so an IP rule would block nobody or everybody. 203.0.113.0/24 is a documentation range used here purely as a placeholder.
#order allow,deny
#deny from 203.0.113.0/24
#allow from all
# Block bad bots (needs mod_rewrite: sudo a2enmod rewrite)
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
# Prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# Prevent directory listings
Options All -Indexes
Basic Security
We’re going to do some basic security. Open the apache2 ports.conf file:
sudo gedit /etc/apache2/ports.conf
And where it says:
Listen 80
<IfModule ssl_module>
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
Change it to:
Listen 127.0.0.1:80
<IfModule ssl_module>
Listen 127.0.0.1:443
</IfModule>
<IfModule mod_gnutls.c>
Listen 127.0.0.1:443
</IfModule>
Notice we have put “127.0.0.1:” in front of the port numbers. More savvy network fellows will recognise this as the ‘loopback address’, and may be wondering why we have apache2 listening on loopback.
This is because the Tor service operates via the loopback address. We’re narrowing what apache2 listens to the 127.0.0.1 loopback address because we don’t want it responding to anything outside of this.
This reduces the risk of the server leaking your real IP address, as if anyone tries to directly connect to your real IP to see if the website loads, they won’t see anything. It also reduces your attack surface substantially; connections can only ever originate from loopback.
Word of warning: some Linux services treat connections arriving from 127.0.0.1 as trusted (presuming, incorrectly in this setup, that such data can only come from the machine itself), and every request Tor relays to apache2 arrives from exactly that address. Anything on this machine that uses ‘it came from localhost’ as its access check is therefore reachable through the Onion site, which can turn into a remote exploitation risk. Normally you would use port and service emulation (so your system sees the Tor-relayed data as coming from a non-privileged IP address), however the complexity of this configuration is outside the scope of this simple exercise.
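Two checks for this section, added here as an example rather than taken from the article: one parses the output of ss -ltn (the socket listing tool shipped with Ubuntu) and reports any web-port listener that is not bound to loopback, which is what you see if the ports.conf edit was saved but apache2 never restarted; the other scans the apache2 configuration tree for Require local / Require ip 127… rules, because exactly those rules are satisfied by every request Tor hands to apache2. The ss lines and the config snippet used in the comments and tests are constructed.

```shell
#!/bin/sh
# Added example, not from the original article: two checks for the "loopback only" setup.

# Ports the article has apache2 listen on.
WEB_PORTS="80 443"

# listens_outside_loopback
#   Reads `ss -ltn` output on stdin and prints every listening socket on a web port that is
#   NOT bound to 127.0.0.1 or ::1. Returns 1 if any such socket exists, 0 otherwise.
#   A constructed `ss -ltn` line looks like:  LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
listens_outside_loopback() {
    found=0
    while read -r _state _recvq _sendq laddr _peer _rest; do
        port=${laddr##*:}        # text after the last ':'  -> "80"
        addr=${laddr%:*}         # text before the last ':' -> "0.0.0.0" or "[::]"
        for p in $WEB_PORTS; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.0.0.1|'[::1]') ;;                 # loopback: exactly what we want
                *) echo "$laddr"; found=1 ;;          # 0.0.0.0, *, [::]: reachable from outside
            esac
        done
    done
    [ "$found" -eq 0 ]
}

# find_local_trust_rules CONF_DIR
#   Lists every "Require local" / "Require ip 127..." / "Require ip ::1" rule under CONF_DIR,
#   with file name and line number. Such a rule is satisfied by every request Tor forwards,
#   because apache2 sees all of them arriving from 127.0.0.1.
#   Exit status is grep's: 0 means at least one rule was found, 1 means none.
find_local_trust_rules() {
    grep -rniE '^[[:space:]]*Require[[:space:]]+(local|ip[[:space:]]+(127\.|::1))' "$1"
}

# Usage on the running server:
#   ss -ltn | listens_outside_loopback && echo "apache2 only listens on loopback"
#   find_local_trust_rules /etc/apache2
```

On a stock Ubuntu the second check turns up mods-enabled/status.conf, whose /server-status page is gated by Require local; sudo a2dismod status followed by an apache2 restart closes that, and any further hit deserves the same look.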
Hide Identifying Information
We want to disable the ability for web services and bots to easily index your site (as it makes it harder to profile for vulnerabilities):
sudo a2dismod autoindex
‘a2’ stands for ‘apache2’ and ‘dismod’ is short for ‘disable mod’, so this disables apache2’s autoindex module, the one that generates a listing of a folder’s contents whenever that folder has no index page. Without it, bots cannot simply walk your folder structure to profile the site. It will hurt Search Engine Optimisation, but it vastly improves your security by hiding the layout.
We also want to hide details about your server so an attacker has less knowledge on how to exploit your system (or fingerprint who you are). Open the following file…
sudo gedit /etc/apache2/conf-enabled/security.conf
And at the end of it, copy and paste the following (then save the file):
ServerSignature Off
ServerTokens Prod
FileETag None
This tells your server not to disclose details about itself. “ServerSignature Off” removes the version footer apache2 otherwise appends to the error pages it generates, “ServerTokens Prod” tells it to just say it is “Apache” when asked (giving no version number details), and “FileETag None” stops it sending the ETag header (which isn’t strictly necessary but does make it appear more generic).
PHP Basic Security
This isn’t comprehensive on PHP security and we presume readers will read up on appropriate security practices from places like OWASP.
We will want to disable PHP’s error reporting (so it doesn’t give an attacker information) and generalise the timezone (so it doesn’t reveal what country you’re most likely in).
In this example, we are assuming PHP version 7.4, however you should change the number to match whichever version of PHP you are using.
Open the PHP configuration file:
sudo gedit /etc/php/7.4/apache2/php.ini
And copy-paste this to the end of the file (a setting that appears later in php.ini overrides an earlier copy of the same setting, which is why the end is a safe place to put these):
error_reporting = E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
display_errors = Off
log_errors = On
date.timezone = UTC
Note that error_reporting only chooses which problems PHP raises; it is display_errors = Off that keeps them off the page, and log_errors = On that sends them to the error log instead. Ubuntu’s packaged php.ini already has both set this way, but stating them explicitly means a swapped-in template can’t quietly undo it.
You will want to do the same for:
sudo gedit /etc/php/7.4/cli/php.ini
This will stop PHP from puking errors publicly at visitors to your site (which would also give attackers insights on how to exploit your website).
PHP errors can still be read in the apache2 PHP error log, away from prying eyes, by using:
sudo gedit /var/log/apache2/error.log
Tor Service Configuration
You will want to open your Tor server configuration file:
sudo gedit /etc/tor/torrc
And add the following lines at the end of the file:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
This will enable Tor’s hidden service, and redirect incoming connections via Tor on port 80, to your loopback address (127.0.0.1) on port 80 (this is so apache2 can ‘hear’ what Tor is saying, essentially).
We now want to restart Tor so the settings take effect:
sudo systemctl restart tor
And we want to restart apache2 so the settings take effect:
sudo service apache2 restart
The Tor service will then generate you an Onion site address automatically. You can extract it in Terminal by running:
sudo cat /var/lib/tor/hidden_service/hostname
It will then show what seems like gobbledygook, for example:
iuasdhji4634h7498470jsajGDSJjhsd.onion
This is your onion address, which only a Tor browser (or a Tor proxy) can resolve; a current (v3) address is exactly 56 lower-case letters and digits followed by .onion, so if yours is shorter or contains capitals, something went wrong. You can manually select text in your Terminal using your mouse (once selected, just be sure to use right-click → copy, as Ctrl+C is for ‘command break’, not ‘copy’ in Terminal). You can also pipe the output to a file.
Otherwise you may have to manually type it out very carefully.
However if you visit the Onion site you won’t see anything yet, as you haven’t created a webpage for it!
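The following shell functions, an added example and not part of the article, check the two Tor-side artefacts from this section: that the hostname file holds a current (v3) address, which is 56 base32 characters (a-z, 2-7) followed by .onion, and that every HiddenServicePort in torrc forwards to 127.0.0.1, the only address apache2 now listens on. The address used in the test is constructed to have the right shape and is not a real site.

```shell
#!/bin/sh
# Added example, not from the original article: sanity checks for the Tor side of the setup.

# check_onion_hostname FILE
#   Tor writes the address to <HiddenServiceDir>/hostname. A current (v3) address is exactly
#   56 base32 characters (a-z and 2-7) followed by ".onion"; anything else means the file was
#   not generated by a current Tor, or was copied by hand with a typo.
check_onion_hostname() {
    addr=$(tr -d '[:space:]' < "$1") || return 1
    printf '%s\n' "$addr" | grep -Eq '^[a-z2-7]{56}\.onion$'
}

# check_torrc FILE
#   Every HiddenServicePort must forward to 127.0.0.1:<port>, matching the Listen 127.0.0.1:80
#   change made in ports.conf. Tor also refuses a HiddenServicePort that has no HiddenServiceDir
#   before it, so the presence of both lines is checked too.
check_torrc() {
    rc=0
    grep -Eq '^[[:space:]]*HiddenServiceDir[[:space:]]' "$1" \
        || { echo "no HiddenServiceDir in $1"; rc=1; }
    grep -Eq '^[[:space:]]*HiddenServicePort[[:space:]]' "$1" \
        || { echo "no HiddenServicePort in $1"; rc=1; }
    # The while loop runs in a subshell (pipeline), so it reports trouble via its exit status.
    grep -E '^[[:space:]]*HiddenServicePort[[:space:]]' "$1" | while read -r _kw vport target _rest; do
        case "$target" in
            127.0.0.1:*) ;;
            *) echo "HiddenServicePort $vport forwards to $target, not to loopback"; exit 1 ;;
        esac
    done || rc=1
    [ "$rc" -eq 0 ]
}

# Usage on the article's paths:
#   sudo sh -c 'cat /var/lib/tor/hidden_service/hostname' > /tmp/hostname && check_onion_hostname /tmp/hostname
#   check_torrc /etc/tor/torrc
```

A forward target other than loopback is the one torrc mistake that quietly undoes the ports.conf hardening, since apache2 would then need to listen on that address as well.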
Creating A Very Basic Webpage
This is simply so you can verify it is working correctly.
Web servers, generally speaking, default to looking for an ‘index.html’ file first and foremost.
cd /var/www/html
touch index.html
gedit index.html
(Note: due to our earlier configurations, index.php is also valid; the server will prioritise index.php with this configuration)
With the index.html webpage open, copy-paste the following into the file:
<!DOCTYPE html>
<html lang="en">
<head>
</head>
<body>
<p>Testing</p>
</body>
</html>
Then save. You do not need to restart either apache2 or Tor for webpage changes as they should be reflected as soon as the website visitor refreshes the page.
If the server or service seems to stop working, you can restart apache2 or the Tor service. It is recommended to restart Tor first, then apache2.
Be patient when loading a page. The Tor network is much slower than a conventional network on account of proxies. For the security minded, an Onion site starts out as HTTP (clear-text), and will need to be properly configured for HTTPS (encrypted), which is beyond the scope of this tutorial.
Limitations Of Tor
As the browser is designed to resist censorship and surveillance, a lot of functionality is disabled, or gets reset with each update.
For example, web developers will likely be surprised to find audio is disabled in Tor, that videos do not ‘work normally’, and users may be annoyed to find bookmarks and plugins get wiped in every update.
This means things like voice chat communications, audio notification sounds, text-to-speech and more will not work in Tor browser. They might work in browsers using a Tor proxy, however there’s no guarantee the Tor proxy plugin is secure.
Risks
Besides the usual legal risks in content hosting (which The Daily Beagle won’t be advising upon here given the complexities), running your own Onion site locally on your machine still carries a risk of your normal IP address being exposed.
In theory Tor should make your real IP address hidden to Tor visitors, however this is not a guarantee, and configuration issues, future updates, bugs, exploits etc may still run the risk of exposing your real IP.
Note that this is only a risk for the server hosting the Onion site. Tor browser users’ real IP addresses will not be visible to the server, and the users (assuming they use a Tor browser) should be protected.
Upsides
Compared to a non-Tor hosting model, which directly exposes your real IP address, an Onion site does offer some privacy, as it should be proxied via Tor nodes (however the Tor node you connect to could be hostile).
It also allows people with dynamic IP addresses that frequently change to be able to continually host without having to worry about things like updating their DNS. It also works even in setups that have DMZ or a particular view to censoring content.
Purpose
The purpose of this article is to help you to resist censorship and maintain communications.
I get this isn't the 'usual' article readers are used to, however censorship is clearly ramping up, and there is a lack of any 'real' options. People asked me for alternatives to Substack, if they existed, and I replied there really weren't any.
The Tor network isn't perfect, and there are flaws, but it's functional and we have to use what we've got, not what we wish we had. The end-to-end instructions already available on Tor Onion site hosting are wildly fragmented with differing, contradictory instructions.
The official Tor website is very vague, and even if one completes the steps, there's no 'follow-through' on many webpages, and certainly little warning or considerations for any possible security risks. This tutorial is to get people started in a good place where they can go on to modify the installation as they see fit.
I recently got stealth banned from Element (part of the Matrix network) where it simply 'stopped working' which prompted this investigation. I've marked it as paid because I put a lot of hours into researching this, including trial-and-error testing.
I suspect posters may have criticisms or feedback: I strongly encourage *evidenced* criticisms of the setup. I have low tolerance for people posing as know-it-all experts with no evidence to back up their claims, especially claims that attempt to weaken security or stifle our fightback against censorship.
Yes, Tor has ties to the US government (US Navy, specifically). I'd remind you that ARPA (precursor to DARPA) invented the Internet (https://www.darpa.mil/about-us/timeline/modern-internet) and your real IP address is already visible to the government (and frankly I'm of the view that if they wanted to unmask you online they could anyway). The primary threat vector this is aimed towards is corporate abusers and corporate-level censorship (media DOXers and the like). I would have to build an entirely new "net" offline from scratch with a new set of protocols for it to be disentangled completely from the government, and I'm not rich enough nor smart enough nor have enough free time for that. I'm using what I've got to hand, which at this moment is the imperfect Tor.
Hopefully this helps you overcome the ever encroaching censorship.
Cheers buddy. I only started using Linux Mint in 2020 when Gates of Hell started his rampage. Managed to create a Linux boot thumb drive and install thanks to the very helpful guides dotted around the internet.
I otherwise have minimal understanding of the Linux terminal, Tor or much else outside of the 6,000+ pdf documents in my research archives.
I may give this a try at a later time as need may fancy.