Static Website as Tor Hidden Service on Raspberry Pi

Goal: To run a static website and serve it as an onion site. This HOWTO does not cover RPi installation, it assumes you already have a minimal setup up and running. The choice to have a static site is for sake of simplicity, it could be expanded of course, but the risks of leaking information about the host will increase.

Local HTTP server
as : apt install nginx mkdir /var/www/partyvan echo "OHAI" > /var/www/partyvan/index.html rm /etc/nginx/sites-enabled/default server { listen 80; root /var/www/partyvan; index index.html; server_name partyvan;  # Replace with onion address once you have one } ln -s /etc/nginx/sites-available/partyvan /etc/nginx/sites-enabled/ service nginx reload
 * Install nginx on the RPi
 * In the browser from another computer on the network, check that you the default HTML page is properly served at: http://192.168.1.XXX (you should see a small "Welcome to nginx!" text).
 * create a non-default mini static website:
 * disable nginx default site
 * create new nginx site config  with:
 * Enable site
 * In the browser from another computer on the network, check that you the default HTML page is properly served: http://192.168.1.XXX (you should see a small "OHAI" text).

Tor setup
Note: This is only valid for RPi2 and later. deb https://deb.torproject.org/torproject.org buster main deb-src https://deb.torproject.org/torproject.org buster main curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | gpg --import gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add - apt install tor deb.torproject.org-keyring HiddenServiceDir /var/lib/tor/partyvan/ HiddenServicePort 80 127.0.0.1:80 service tor restart cat /var/lib/tor/partyvan/hostname
 * Add the Tor deb repos to . At time of writing, stable Raspbian is based on Buster:
 * Add the GPG keys used to sign the packages from the Tor repos:
 * Install Tor
 * Edit  and in the section about hidden services, add:
 * 1) Partyvan site
 * Restart Tor, this will generate the keys for the partyvan hidden service
 * If everything went well, there should be a  folder with notably both public and private keys for the service (backup!) and the hostname information to reach the hidden service from onionland. To know the onion address of partyvan, simply do:
 * You will get something like, if you paste this address in your Tor browser, torified browser or whatever you use, you should see the partyvan site!

Certificates
Certs are not needed for a hidden service like this one. You already get encrypted traffic via Tor itself. With that said, certs could be used as a means to authenticate the ownership over the hidden service, to prevent phishing. Legit certs who can be used in this context are very $$$ and avail from DigiCert.

Disable NGINX version signature
Don't let NGINX emit its version on error pages and in the “Server” response header field, uncomment the following in  server_tokens off;

Disable directory listing
Don't trust defaults, add this to your  in the   block: location / { autoindex off; }

Onion only serving
Don't serve HTTP on the clearnet, force NGINX to serve only on localhost. In, replace   with.

Onionscan
There's a tool (untested at time of writing) that tests an onion address against know hidden service gotchas. It does not seem to be actively maintained, but it's possible to find more active forks like this one.