A .onion address is a special URL accessible only through the Tor network. Publishing your site as both a regular website and a Tor hidden service gives visitors in censored regions a way to reach you, lets privacy-conscious users browse without their ISP knowing, and provides a backup access path if the regular DNS-and-IP route gets blocked. This guide explains why some sites do this, when it makes sense for yours, and the technical setup.
What a .onion mirror is
The Tor network anonymizes traffic by routing it through three random relays before reaching the destination. A normal website reached over Tor is still hosted at a regular IP address. A “hidden service” (onion service) goes further: the destination is itself inside Tor, addressed by a long cryptographic name ending in .onion instead of a domain name and IP.
An onion mirror is your existing website, additionally published at a .onion address. Visitors using the Tor Browser can reach it. Same content, different access path.
Why publish a Tor mirror
- Censorship resistance. If your normal domain gets blocked by a government or ISP, the onion address remains reachable.
- Visitor anonymity. Tor users reach you without revealing their IP. For sensitive content (whistleblowing, journalism, support for marginalized communities), this matters.
- Bypass DNS interception. Some networks intercept DNS lookups to block specific sites. .onion bypasses DNS entirely.
- End-to-end encryption. Onion services are encrypted end-to-end through Tor — no third-party certificate authority needed.
- Signal to your audience. Publishing an onion address demonstrates commitment to user privacy.
Major publishers run onion mirrors: BBC, The New York Times, ProPublica, Reuters, ProtonMail, DuckDuckGo, Facebook (yes, Facebook).
When it’s worth doing
Worth doing if:
- Your audience includes users in censored regions.
- You publish journalism, activism, or sensitive content.
- You operate in jurisdictions where users might face consequences for accessing you.
- You want to signal strong privacy commitment to a tech-savvy audience.
Probably not worth doing if:
- Your site is purely commercial / non-controversial.
- Your audience is regional and accesses you without issues.
- You’re a small business with no specific privacy mission.
The setup is straightforward but adds maintenance overhead — only useful when the benefit matches your audience.
Technical requirements
Running an onion service requires:
- A server you have root access to — VPS or dedicated. Not shared hosting.
- Tor daemon installed.
- Your web server (Apache, Nginx, LiteSpeed) listening on localhost.
- Optional: separate Tor-only server for security isolation.
iWebVault VPS or dedicated plans work. Shared hosting does not — the Tor daemon needs to run as a system service.
Setting up Tor on your VPS
Install Tor
# AlmaLinux / RHEL
yum install epel-release -y
yum install tor -y
# Debian / Ubuntu
apt update
apt install tor -y
Configure hidden service
Edit /etc/tor/torrc:
HiddenServiceDir /var/lib/tor/hidden_service_yoursite/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceVersion 3
This tells Tor to publish your local port 80 as an onion service. HiddenServiceVersion 3 is the current standard (56-character addresses, modern crypto).
Start Tor
systemctl start tor
systemctl enable tor
Get your onion address
cat /var/lib/tor/hidden_service_yoursite/hostname
Output is your 56-character .onion address. This is permanent (don’t lose the keys in /var/lib/tor/hidden_service_yoursite/ or you’ll get a new address).
Configure your web server
Your web server needs to respond to requests for that onion hostname. Tor Browser sends the onion hostname in the Host header, and the Tor daemon forwards the request to your local port. For Apache:
<VirtualHost 127.0.0.1:80>
ServerName yourlongonionaddress.onion
DocumentRoot /var/www/yoursite
# Your normal site config
</VirtualHost>
For Nginx, add a server block matching the onion hostname.
Test by visiting your onion address in Tor Browser.
Linking from your clearnet site
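Tell visitors the onion mirror exists by adding an HTTP header to your clearnet responses:
Onion-Location: http://yourlongonionaddress.onion
In Apache .htaccess (requires mod_headers):
Header set Onion-Location "http://yourlongonionaddress.onion%{REQUEST_URI}s"
The scheme is http:// because the torrc above publishes only port 80 on the onion service. Use https:// only if you also serve TLS on the onion address.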
Tor Browser detects this header and offers users a “Visit onion version” prompt — they can click to switch automatically.
Also link to the onion address from your footer / about page so users not using Tor Browser know it exists.
“Vanity” onion addresses
Random onion addresses are unmemorable. You can generate addresses that start with chosen letters — e.g. iwebvaultabc...onion — using tools like mkp224o:
git clone https://github.com/cathugger/mkp224o
cd mkp224o
./autogen.sh && ./configure && make
./mkp224o -d output yourname
This searches for addresses starting with “yourname”. Each additional character increases computation time exponentially — 8 characters typically takes hours on a modern CPU.
Once found, copy the generated key files into your /var/lib/tor/hidden_service_yoursite/ folder and restart Tor.
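As an added example (not part of the original guide, Tor, or mkp224o), the Python below shows how a 56-character v3 address is derived from the service's public key, following the address format in Tor's v3 onion service specification. It lets you sanity-check the contents of the hostname file or a vanity result, and shows why each extra vanity character multiplies the search by 32. The function names are illustrative and the demo key is constructed.

```python
import base64
import hashlib

VERSION = b"\x03"  # v3 onion services
ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # base32, lowercase


def _checksum(pubkey):
    # First 2 bytes of SHA3-256(".onion checksum" | pubkey | version)
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]


def encode_v3_onion(pubkey):
    """Hostname for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("public key must be 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION  # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode().lower() + ".onion"


def is_valid_v3_onion(hostname):
    """True if the hostname is well formed and its checksum matches."""
    host = hostname.strip().lower()
    if not host.endswith(".onion"):
        return False
    label = host[: -len(".onion")]
    if len(label) != 56 or not set(label) <= ALPHABET:
        return False
    raw = base64.b32decode(label.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == VERSION and checksum == _checksum(pubkey)


def vanity_prefix_attempts(prefix):
    """Expected keys to generate before one starts with prefix."""
    if not prefix or not set(prefix) <= ALPHABET:
        raise ValueError("prefix may only contain a-z and 2-7")
    return 32 ** len(prefix)  # each character has 32 possible values


if __name__ == "__main__":
    demo = encode_v3_onion(bytes(range(32)))  # constructed key, not a real service
    print(demo, is_valid_v3_onion(demo))
    for n in (4, 6, 8):
        print(n, "chars:", vanity_prefix_attempts("a" * n), "expected attempts")
```

A vanity prefix containing 0, 1, 8 or 9 can never match, because those characters are not in the base32 alphabet.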
Security considerations for onion services
- Application-level info leaks. If your site shows the real server hostname, IP, or domain anywhere (in error pages, server-status, generated PDFs, image metadata), the anonymity is broken. Audit everything.
- Avoid mixed content. If your onion site loads JavaScript or images from your clearnet domain, browsers follow those links and the user’s anonymity breaks. Host everything on the onion.
- Disable info-leaking features. Turn off Apache’s ServerSignature, disable phpinfo() in production, hide WordPress version strings.
- Separate hosting helps. Some operators run onion services on entirely separate VMs with no shared infrastructure with the clearnet site.
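One way to automate the first two checks above, as an added example that is not part of the original guide: the Python below parses a page served by the onion site and reports resources the browser would fetch from a non-.onion host, plus any clearnet identifiers (domain, server IP) that appear anywhere in the response. The function name, the sample page, example.com and 203.0.113.10 are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs the browser fetches automatically on page load.
FETCHED = {("script", "src"), ("img", "src"), ("link", "href"),
           ("iframe", "src"), ("source", "src"), ("video", "src")}


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and (tag, name) in FETCHED:
                self.urls.append((tag, value))


def audit_onion_page(html, identifiers):
    """Find off-onion resource loads and clearnet identifiers in one page."""
    collector = _Collector()
    collector.feed(html)
    off_onion = []
    for tag, url in collector.urls:
        host = urlparse(url).hostname  # None for relative URLs
        if host and not host.endswith(".onion"):
            off_onion.append((tag, url))
    lowered = html.lower()
    leaked = [s for s in identifiers if s.lower() in lowered]
    return {"off_onion_resources": off_onion, "leaked_identifiers": leaked}


# Constructed sample response; example.com and 203.0.113.10 are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://www.example.com/js/app.js"></script>
</head><body>
<img src="//cdn.example.com/logo.png">
<address>Apache/2.4 Server at 203.0.113.10 Port 80</address>
</body></html>"""

if __name__ == "__main__":
    report = audit_onion_page(SAMPLE, ["example.com", "203.0.113.10"])
    for tag, url in report["off_onion_resources"]:
        print("off-onion <%s>: %s" % (tag, url))
    print("leaked identifiers:", report["leaked_identifiers"])
```

Run it against error pages and generated documents as well as normal pages, since those are where server signatures and hostnames tend to surface.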
Performance and limitations
- Onion connections are slower than clearnet (the client's 3 relays plus 3 more on the service's side). Expect noticeable latency.
- Tor Browser doesn’t run modern JavaScript-heavy SPAs well. Server-rendered HTML is better for onion sites.
- No standard analytics work (Tor Browser blocks tracking). Use simple log-based analytics if you need data.
- Some plugins / themes assume HTTPS with a regular cert; check for compatibility.
HTTPS on onion services
Onion services are already encrypted end-to-end by Tor — no SSL cert needed. However, you CAN add HTTPS for additional verification (proving you control the onion address). DigiCert offers EV certificates for v3 onions; for most cases plain HTTP over onion is fine.
Common onion service issues
“Onion address generates but site shows the wrong content.” The web server isn’t matching the onion hostname. Check your VirtualHost / server_name configuration; it must include the onion address.
“Tor Browser shows ‘unable to connect’ for my onion.” The Tor daemon may not be running, or a firewall may be blocking the localhost connection. Check systemctl status tor, and check that curl http://127.0.0.1:80 works from the server.
“Onion-Location header isn’t redirecting users.” Tor Browser only respects the header on HTTPS sites. Your clearnet site must be on HTTPS for the prompt to appear.
“I lost my onion service keys — will I get the same address?” No. Keys = address. Back up /var/lib/tor/hidden_service_yoursite/ contents to a secure off-server location.
What’s next
- VPS setup if you don’t have one: VPS guide.
- Server hardening (matters more once you’re running a hidden service): SSH key auth.
- Comparing privacy-focused hosting jurisdictions: Jurisdiction guide.
For most commercial sites, an onion mirror is unnecessary. For journalism, activism, privacy-focused services, or audiences in restrictive regions, it’s both achievable and meaningful. The setup is an afternoon’s work; the ongoing maintenance is minimal if your clearnet site is already solid.