Tor Hidden Service Setup Guide
This guide covers installing Tor, configuring a hidden service, serving the Rev Now static site through nginx, and keeping your mirror updated.
1. Install Tor
# Add the official Tor repository
sudo apt install -y apt-transport-https gpg
wget -qO- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc \
  | gpg --dearmor | sudo tee /usr/share/keyrings/tor-archive-keyring.gpg >/dev/null
echo "deb [signed-by=/usr/share/keyrings/tor-archive-keyring.gpg] \
https://deb.torproject.org/torproject.org $(lsb_release -cs) main" \
  | sudo tee /etc/apt/sources.list.d/tor.list

# Install
sudo apt update
sudo apt install -y tor deb.torproject.org-keyring

# Verify
tor --version
sudo dnf install tor
sudo systemctl enable tor
3. Set Up the Web Server
sudo apt install -y nginx
server {
    listen 127.0.0.1:8181;
    server_name _;
    root /var/www/revnow;
    index index.html;

    # Security headers
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header Referrer-Policy no-referrer;

    # Disable server tokens
    server_tokens off;

    # Serve static files
    location / {
        try_files $uri $uri/ $uri.html /404.html;
    }

    # Cache static assets
    # add_header in a location block replaces the headers inherited from the
    # server block, so the security headers are repeated here.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        add_header Referrer-Policy no-referrer;
    }

    # Deny access to dotfiles
    location ~ /\. {
        deny all;
    }
}

sudo mkdir -p /var/www/revnow
sudo ln -s /etc/nginx/sites-available/revnow-onion /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
4. Deploy the Site
Rev Now is a static site. You need to build it and copy the output to your web root.
# Option A: Build from source
git clone https://github.com/earthalliance/revnow-podcast-app.git
cd revnow-podcast-app
npm install
npm run build
sudo rsync -av --delete out/ /var/www/revnow/

# Option B: Fetch from IPFS (if you're also running an IPFS node)
ipfs get <CID> -o /tmp/revnow-site
sudo rsync -av --delete /tmp/revnow-site/ /var/www/revnow/
5. Verify Your Mirror
# Test locally (without Tor)
curl -s http://127.0.0.1:8181/ | head -20

# Test via Tor (requires torsocks or Tor Browser)
torsocks curl -s http://yourlongrandomstring.onion/ | head -20

# Or simply open Tor Browser and navigate to:
# http://yourlongrandomstring.onion/
6. Automated Updates
Keep your mirror current with a daily cron job that pulls the latest build:
#!/bin/bash
set -euo pipefail

LOG="/var/log/revnow-mirror-update.log"
echo "[$(date -u +%FT%TZ)] Starting update..." >> "$LOG"

cd /opt/revnow-podcast-app

# Pull latest source
git pull --ff-only >> "$LOG" 2>&1

# Rebuild
npm install --production >> "$LOG" 2>&1
npm run build >> "$LOG" 2>&1

# Deploy
sudo rsync -av --delete out/ /var/www/revnow/ >> "$LOG" 2>&1

echo "[$(date -u +%FT%TZ)] Update complete." >> "$LOG"
# Update mirror daily at 4 AM
0 4 * * * /home/YOUR_USER/bin/update-onion-mirror.sh
7. Security Hardening
Isolate the service
Run Tor and nginx in their own user accounts. Use AppArmor or SELinux profiles. Consider running in a dedicated VM or container.
Minimize server info leaks
Disable nginx server tokens. Remove version headers. Don't serve .git directories. Disable directory listing.
Keep Tor updated
Subscribe to the Tor Project's security announcements. Update promptly when new releases address vulnerabilities.
Backup your .onion key
Back up /var/lib/tor/revnow_mirror/hs_ed25519_secret_key securely. If you lose it, your .onion address changes permanently.
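To confirm the "Minimize server info leaks" items against the running nginx listener, the following script audits response headers and dotfile handling. It is an added example, not part of the original guide; the function names and the asset path in the usage comment are assumptions, and the sample response is constructed.

```bash
#!/bin/bash
# Added example, not part of the original guide.

# check_headers: read raw HTTP response headers on stdin, print one finding
# per line, return 1 if anything was found.
check_headers() {
    local hdrs found=0 name
    hdrs=$(tr -d '\r')                      # strip CR from CRLF line endings
    # "Server: nginx/1.24.0" means server_tokens is still on.
    if printf '%s\n' "$hdrs" | grep -qiE '^server:.*[0-9]+\.[0-9]+'; then
        echo "LEAK: Server header exposes a version"; found=1
    fi
    if printf '%s\n' "$hdrs" | grep -qi '^x-powered-by:'; then
        echo "LEAK: X-Powered-By header present"; found=1
    fi
    # The three headers set in the guide's server block.
    for name in X-Content-Type-Options X-Frame-Options Referrer-Policy; do
        if ! printf '%s\n' "$hdrs" | grep -qi "^${name}:"; then
            echo "MISSING: ${name}"; found=1
        fi
    done
    return "$found"
}

# dotfile_status_ok: succeed when the HTTP status for a dotfile path shows
# the request was refused ("deny all" answers 403).
dotfile_status_ok() {
    case "$1" in
        403|404) return 0 ;;
        *) echo "FAIL: dotfile path returned HTTP $1 (expected 403)"; return 1 ;;
    esac
}

# audit_mirror BASE [PATH...]: check "/" plus any extra paths, then a dotfile.
# Pass a real asset path too: add_header inside a location block replaces the
# headers inherited from the server block.
audit_mirror() {
    local base=$1 rc=0 path code
    shift
    for path in / "$@"; do
        echo "== $path"
        curl -sI "$base$path" | check_headers || rc=1
    done
    code=$(curl -s -o /dev/null -w '%{http_code}' "$base/.git/config")
    dotfile_status_ok "$code" || rc=1
    return "$rc"
}

# Constructed sample response (not captured from a real server).
printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\nX-Frame-Options: DENY\r\n\r\n' \
    | check_headers || true
# Live use on the mirror host (asset path is hypothetical):
#   audit_mirror http://127.0.0.1:8181 /app.css
```

Running `audit_mirror` after each deploy, for example at the end of the update script, catches a configuration change that reintroduces a version banner or drops a header.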