A "Hidden Service" (now called an onion service) lets you host a web server (Apache/Nginx) that is reachable only through Tor. Neither side learns the other's network location: the client (visitor) never learns the server's IP, and the server never learns the client's IP. It is mutual anonymity.
How it works
1. Introduction Points: The service builds three-hop circuits to three relays it picks as introduction points and registers with them. They forward introduction requests, but they sit at the far end of a circuit and never learn the service's IP.
2. Directory: The service signs a descriptor listing those introduction points and uploads it to a ring of HSDir relays (a distributed hash table). The .onion address encodes the service's long-term public key, so a client that knows the address can fetch the descriptor and verify its signature. With v3, the descriptor is uploaded under a blinded key derived from that public key and the current time period, so the HSDirs cannot read off which address it belongs to.
3. Rendezvous Point: The client picks a random relay as the rendezvous point, builds a circuit to it, and hands it a one-time rendezvous cookie.
4. The Handshake: The client sends, through an introduction point, a message encrypted to the service's key that names the rendezvous point and the cookie. The service builds its own circuit to the rendezvous point, which splices the two circuits together. The path runs through six relays (three chosen by each side), and the payload is encrypted end to end, so the rendezvous point only relays ciphertext it cannot read.
1. Setting it up
Edit `/etc/tor/torrc`:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
Make sure the directory is owned by the user Tor runs as and has mode 700 (Tor refuses to start if it is more permissive), then restart Tor. On first start Tor creates the directory and generates the key pair.
Check the directory: `cat /var/lib/tor/hidden_service/hostname`.
That is your new `.onion` address. The same directory holds `hs_ed25519_secret_key`; whoever has that file can impersonate the service, so treat it like a TLS private key: back it up offline and keep it out of the web root.
2. Security Pitfalls (Deanonymization)
Most onion services that get deanonymized fall to mundane leaks in the web server, not to attacks on Tor itself.
Apache Status: Debian's Apache ships mod_status with `/server-status` allowed from localhost. Because Tor hands onion connections to the web server from 127.0.0.1, that page is reachable over the onion, and it reports uptime, the listening address and vhosts, and in-flight request URLs, which is enough to match against a clearnet host. The same goes for leaving the default Apache page reachable on the public IP and on the onion: a researcher can correlate uptime and content. Disable mod_status, or remove the localhost allow rule.
Listen on Localhost Only: Bind your web server to `127.0.0.1` (Nginx: `listen 127.0.0.1:80;`). If it listens on `0.0.0.0`, Shodan and Censys index the same content under your public IP, and a search for the page title, a server banner or a TLS certificate fingerprint ties the two together.
Time Skew: Keep the clock synced (NTP). Tor needs a roughly correct clock to accept the consensus and to compute the v3 time periods under which descriptors are published, so a badly skewed clock takes the service offline. A distinctive skew that shows up in HTTP `Date` headers on both the onion and a clearnet host is also one more correlation handle.
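The setup step and the two bind-related pitfalls above are easy to check mechanically. The following Python is an added example (not from the original page, and not part of Tor or any of the tools it names): it parses the `HiddenServicePort` lines of a torrc and the `LISTEN` rows of `ss -ltn` output, then reports every forwarding target that is not loopback and every onion-forwarded port that some socket also exposes on a non-loopback address. The torrc text and `ss` output it runs on are constructed samples embedded in the script, and the function names are the example's own.

```python
import re

# Constructed sample torrc for this example (not read from disk): the first
# HiddenServicePort matches the setup above, the second is the weak form.
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 0.0.0.0:443
"""

# Constructed `ss -ltn` output for the same host (sample data, not a real capture).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     127.0.0.1:80        0.0.0.0:*
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       4096    [::]:9050           [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}


def parse_hidden_service_ports(torrc: str) -> list[tuple[int, str, int]]:
    """Return (virtual_port, target_host, target_port) for each HiddenServicePort line.

    Handles the target forms tor accepts: absent (same port on 127.0.0.1),
    a bare port, host:port, [v6]:port, and unix:/path.
    """
    found = []
    for line in torrc.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"HiddenServicePort\s+(\d+)(?:\s+(\S+))?$", line)
        if not m:
            continue
        vport, target = int(m.group(1)), m.group(2)
        if target is None:
            host, port = "127.0.0.1", vport
        elif target.startswith("unix:"):
            host, port = target, 0          # unix socket: not reachable from the network
        elif target.isdigit():
            host, port = "127.0.0.1", int(target)
        elif ":" in target:
            host, _, port = target.rpartition(":")
            port = int(port)
        else:
            host, port = target, vport
        found.append((vport, host, port))
    return found


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for each LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def audit(torrc: str, ss_output: str) -> list[str]:
    """Flag forwarding targets that are not loopback, and onion-forwarded ports
    that some socket also exposes on a non-loopback address."""
    findings = []
    listeners = parse_listeners(ss_output)
    for vport, host, port in parse_hidden_service_ports(torrc):
        if host.startswith("unix:"):
            continue
        if host not in LOOPBACK:
            findings.append(
                f"HiddenServicePort {vport} forwards to non-loopback target {host}:{port}")
        for addr, lport in listeners:
            if lport == port and addr not in LOOPBACK:
                findings.append(
                    f"port {port} (onion vport {vport}) is bound on {addr}: reachable from the clearnet")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TORRC, SAMPLE_SS) or ["no findings"]:
        print(finding)
```

On a real host, feed `audit()` the contents of `/etc/tor/torrc` and the stdout of `ss -ltn`. With the sample data it reports two findings, both about port 443, and nothing about port 80, which is forwarded to loopback and bound only there. The wildcard listener on port 22 is left alone because the onion service does not forward it, but any clearnet banner on the same box is still a fingerprint worth thinking about.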
3. V3 Onion Addresses
Old V2 addresses (16 characters, a truncated SHA-1 hash of an RSA-1024 key) are dead: Tor dropped support for them in 0.4.6 in 2021, and v2 services are no longer reachable.
V3 addresses (56 characters) encode the full ed25519 public key plus a two-byte checksum and a version byte. Nothing is truncated, so the address is as unguessable as the key itself, and because descriptors are published under blinded keys, HSDir operators cannot enumerate addresses they have not been told. Ed25519 also replaces RSA-1024, which was already below acceptable strength.
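To see what those 56 characters contain, here is an added Python example (not from the original page, and not Tor's own code) that derives a v3 address from an ed25519 public key the way the spec lays it out, and validates an address read back from the `hostname` file by checking length, base32 alphabet, version byte and checksum. `SAMPLE_PUBKEY` is a constructed byte pattern, not a real key, and the function names are the example's own.

```python
import base64
import binascii
import hashlib

# Layout of a v3 address (rend-spec-v3):
#   onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
#   PUBKEY   = 32-byte ed25519 public key
#   CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
#   VERSION  = 0x03
# 35 bytes encode to exactly 56 base32 characters with no padding.
V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"

# Constructed sample key for the demo only. A real key is the last 32 bytes of
# hs_ed25519_public_key in the HiddenServiceDir, not this byte pattern.
SAMPLE_PUBKEY = bytes(range(32))


def v3_checksum(pubkey: bytes, version: bytes = V3_VERSION) -> bytes:
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + version).digest()[:2]


def encode_raw(pubkey: bytes, checksum: bytes, version: bytes) -> str:
    """Base32-encode the three fields and append the TLD (no validation)."""
    return base64.b32encode(pubkey + checksum + version).decode("ascii").lower() + ".onion"


def encode_v3(pubkey: bytes) -> str:
    """Derive the .onion address for an ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return encode_raw(pubkey, v3_checksum(pubkey), V3_VERSION)


def decode_v3(address: str) -> bytes:
    """Return the embedded public key, or raise ValueError if the address is malformed."""
    label = address.strip().lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    if len(label) != 56:
        raise ValueError(f"v3 onion label must be 56 characters, got {len(label)}")
    try:
        raw = base64.b32decode(label.upper())
    except binascii.Error as exc:
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION:
        raise ValueError(f"unsupported version byte {version.hex()}")
    if checksum != v3_checksum(pubkey, version):
        raise ValueError("checksum mismatch: address is corrupt or was altered")
    return pubkey


def is_valid_v3(address: str) -> bool:
    try:
        decode_v3(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    addr = encode_v3(SAMPLE_PUBKEY)
    print(addr, is_valid_v3(addr))
```

The checksum is only two bytes, so it catches typos and truncation, not forgery: anyone can mint a valid-looking address for a key they control. What makes an address trustworthy is that the descriptor fetched for it is signed by the key the address encodes, which is why you should compare the whole 56 characters when checking that a link points at your service.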
OpSec
Never run a hidden service on a VPS linked to your real identity. Pay with Monero. Use Whonix for isolation: the Gateway VM runs Tor and the Workstation VM runs the web server, and the Workstation's only network path is through the Gateway. If the web server is hacked, the attacker is confined to the Workstation, which knows only the Gateway's internal address and has no way to learn the host's real IP.