The Cat's den

Serving a website over Tor with caddy

- Posted in SysAdmin Stuff by

TOR Header


Following this procedure will NOT GUARANTEE that the website you're serving over the Tor network cannot be traced back to you ! Just because you're serving content over the Tor network does not mean you're immune to de-anonymization !

This guide has been written for educational purposes ONLY and shall not be considered a reference for serving content anonymously over the Internet.

I will not endorse any responsibility when you're caught serving malicious or unlawful content.

Also, no offense, but if you need this tutorial to get things up and running, you probably better take a step back and reconsider what you're doing.

What do onions do ?

The technical stuff


This tutorial will assume you already have an instance of caddy up and running, serving a website on the clearnet. Our goal here is to serve this website from an .onion address over the Tor network.

Install Tor

Add the Tor Project repository to your sources

echo "deb http://deb.torproject.org/torproject.org <release_name> main" | tee /etc/apt/sources.list.d/tor-repo.list

Grab the signing key and import them

gpg --keyserver pool.sks-keyservers.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

Refresh your sources, then install the deb.torproject.org-keyring package to keep the signing key up to date, and the tor package

apt install deb.torproject.org-keyring tor

Configure Tor

Edit the /etc/tor/torrc file and declare a new hidden service :

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80
HiddenServiceVersion 2

The HiddenServiceVersion 2 directive instructs Tor to generate an onion v2 address for your hidden service instead of an onion v3 address. Onion v3 is the new generation of Tor Onion Hidden Services. While the most noticable change is the increase in address length, onion v3 also uses better cryptography (Elliptic Curve Cryptography rather than RSA), and has an improved hidden service directory protocol.
Use onion v3.

Restart the Tor service.

After restarting, Tor generates an .onion address and its associated private key. The /var/lib/tor/hidden_service/hostname file should contain something like 5h4downetfknk6jd.onion

Reconfigure caddy

Edit the /etc/caddy/Caddyfile file and declare the previously generated .onion domain :

5h4downetfknk6jd.onion:80 {
        root /var/www/
        tls off

Restart the caddy service.

Visit your hidden service

Congratulations ! You should now be able to visit your website anonymously using the Tor Browser, without leaving the Tor network.

This blog is available at the following locations :

Bonus : Vanity addresses

If you fancy a (somewhat) custom address instead of the default garbage, you can take a look at the following software :

  • Scallion for onion v2 vanity addresses
  • mkp224o for onion v3 vanity addresses