Self-Hosting on the Dark Web | David Álvarez Rosa | Personal WebsiteJune 1, 2026Self-Hosting on the Dark Web<br>This site is now reachable over Tor as a hidden service, at a .onion<br>address that resolves only inside the Tor network.1 1<br>Open it in the<br>Tor Browser. There is no certificate authority, no DNS, and no exposed<br>IP—the address is derived directly from a public key, and the<br>connection is end-to-end encrypted by Tor itself.<br>Tor relays and<br>encrypts your traffic as it passes through thousands of volunteer-run<br>servers, so that no single party can link who you are to what you are<br>doing; a hidden service extends that anonymity to the server itself.<br>It&rsquo;s built by the nonprofit Tor Project, which advances human rights and<br>freedoms through free software and open networks, so that anyone can use<br>the internet free from tracking, surveillance, and censorship. The<br>network only works because people use it, so consider supporting them or<br>running a relay—your contribution helps millions stay safe and private<br>online every day.<br>The hidden service<br>&sect;<br>Install Tor and point a hidden service at a local port. Edit<br>/etc/tor/torrc<br>HiddenServiceDir /var/lib/tor/blog/<br>HiddenServicePort 80 127.0.0.1:8080

The directory must be a dedicated, Tor-owned path—not your web<br>root.2 2<br>Tor stores the service&rsquo;s private key and hostname file here<br>and insists on owning it (chmod 700, user debian-tor). Point it at<br>your site files and Tor refuses to start.<br>Restart Tor and read the<br>address it generates<br>$ sudo systemctl restart tor@default<br>$ sudo cat /var/lib/tor/blog/hostname<br>dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion

Serving the site<br>&sect;<br>Tor forwards the onion&rsquo;s port 80 to 127.0.0.1:8080, so the web server<br>just needs to listen there. Add an nginx server block for it—no TLS,<br>no HTTP/2, no QUIC, since Tor speaks plain TCP and provides its own<br>encryption.<br>server {<br>listen 127.0.0.1:8080;<br>server_name dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion;

root /srv/tor.david.alvarezrosa.com;<br>index index.html;<br>error_page 404 /404/index.html;

location / {<br>try_files $uri $uri/ =404;

Reload nginx and the site is live on Tor.<br>Building for the onion<br>&sect;<br>A static site bakes its base URL into absolute links, so a clearnet<br>build would point visitors back to the clearnet domain even when served<br>over Tor. The fix is to build a second copy with the onion as its base<br>URL<br>$ hugo --minify --baseURL="http://dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion/"

The deploy pipeline does this automatically: every push builds the site<br>once per target—clearnet and Tor—and rsyncs each to its own web<br>root, so the two stay in sync without any manual work.3 3<br>See First<br>Steps on a New Server for the underlying machine; the full configuration<br>lives in my homelab repository, and the site&rsquo;s own repository holds the<br>GitHub Actions workflow that builds and deploys the Tor copy.

That&rsquo;s it. Read this site over Tor at<br>dhevt6e4rtgbtr3jh53xrpwmgtilkah6nyjujocsspssrsexc7omxhid.onion.<br>—David Álvarez Rosa