Spinning Up an Onion Mirror Is Stupid Easy

Posted by speckx 10/23/2025

Spinning Up an Onion Mirror Is Stupid Easy(flower.codes)

203 points | 73 comments

crtasm 2 days ago|

>I have no interest in running a relay or exit node on my VPS, so I made some minimal changes to the config file

Noting the default configuration does not turn your server into a relay or exit node, in case anyone interprets this that way.

Thanks for offering a .onion, bookmarked for the caddy configuration.

qhwudbebd 2 days ago||

This has prompted me to look at how the Tor Project's Arti reimplementation is going. They've got way further along than I realised:

https://tpo.pages.torproject.net/core/arti/

https://gitlab.torproject.org/tpo/core/arti/-/blob/main/CHAN...

Hosting onion services is apparently still a work-in-progress, though, and turned off by default.

yogorenapan 2 days ago||

I was already able to host onion services last year by using the crate directly. A few footguns related to flushing but it generally works as expected. I will however say that the code quality could be improved though. When trying to contribute, I found a lot of somewhat bad practices such as having direct file read/writes littered around without abstraction which made refactoring difficult (trying to add different storage/cache options such as in-memory only or encrypted)

cncjchsue7 2 days ago||

Opting not to over engineer the solution with abstractions nobody asked for until you came along is the definition of best practice. something not being designed for any and all use cases doesn't make something bad practice. Reading and writing from a filesystem you always expect to available is more than reasonable. Modular code for the sake of modularity is a recipe for fizz buzz enterprise edition.

embedding-shape 2 days ago||

> along is the definition of best practice

Not disagreeing or agreeing, but "best practice" is probably one of the concepts together with "clean code", that has as many definitions as there are programmers.

Most of the time, it depends, on context, on what else is going on in life, where the priorities lie and so on. Don't think anyone can claim for others what is or isn't "best practice" because we simply don't have enough context to know what they're basing their decisions on nor what they plan for the future.

m00dy 2 days ago||

Letscage [0] is also using Arti to implement its privacy features.

[0]: https://github.com/letscage

dewey 2 days ago||

> I'm not sure if this is generally considered acceptable within the Tor network

Tor is already encrypted, that’s why you don’t need TLS. Some services (Like the hidden service from Facebook back in the days) have https but that was more of a vanity from what I remember.

embedding-shape 2 days ago||

> have https but that was more of a vanity from what I remember

It has a functional difference as well, lots of new client-side features (like webcrypto) only work on "Secure Origins" which .onion isn't, but websites behind TLS are. So if you wanna deploy say something that encrypts/decrypts something client-side on .onion, you unfortunately need TLS today otherwise the APIs aren't available.

Of course browsers could fix this, but I don't think they have any incentives to do so. I guess Tor Browser could in fact fix this, and maybe they already do, but it'd be a patch on top of Firefox I think, something they probably want to do less off, not more.

crtasm 2 days ago||

My understanding is Tor Browser already treats .onion as a secure origin, could anyone confirm?

Hakkin 1 day ago|||

That only helps so much, some things still won't work if the browser thinks you're talking over an unencrypted connection, like HTTP/2. Technically HTTP/2 allows unencrypted connections (h2c) but as far as I know, no browser implements it (including Tor Browser) and server support is also somewhat limited, so Tor Browser is limited to HTTP/1.[01] on Onion sites unless they have a TLS certificate.

bauruine 2 days ago|||

Yes it does but you can use Tor with other browsers too so it can make sense if you want to support them.

bragr 2 days ago||

I wouldn't recommend using Tor with anything other than Tor browser because there are so many browser features that will expose you now. If you don't need the Tor browser protections, you probably don't need Tor either.

dewey 2 days ago||

Fair point but using Tor even if you don't need it, just to put more legit traffic noise in the network is a valid use case.

bragr 2 days ago||

Given the actual correlations attacks governments have done on Tor traffic, I don't think more traffic moves the needle in any appreciable way. Ultimately the Tor architecture is very vulnerable to timing and correlation attacks (never use something like IRC over Tor), and the kinds of changes that would be needed to mitigate those would probably slow it down past the point of usability.

One could argue, given the limited bandwidth of the Tor network, that by using it when you don't need it, you make the experience for those that do need it worse (looking at you everyone who tries to torrent over tor).

Ajedi32 2 days ago|||

Back when EV certificates were widely supported by browsers, HTTPS was a great way of cryptographically associating a .onion service with a real legal entity, for sites like Facebook which didn't care about being anonymous.

aspenmayer 2 days ago|||

Proton also uses HTTPS for their onion site, and they used the same certificate provider as Facebook did for theirs, Digicert, per this page:

https://proton.me/blog/tor-encrypted-email

In the above blog post, they seem to imply that they made HTTPS mandatory for Proton Mail over Tor for security reasons.

adobrawy 2 days ago||

The best is to refer to official Tor project documentation for .onion over https: https://community.torproject.org/onion-services/advanced/htt...

tl;dr: Pressure from browsers, enterprise, and the overall ecosystem to use HTTPS (e.g., unavailability of advanced web features without HTTPS) is pushing for the use of HTTPS without exception, even for .onion sites with no significant technical advantage.

jszymborski 2 days ago||

Tor browser doesn't warn on http though and I feel like 90% of folks use it exclusively.

orbisvicis 2 days ago||

Without https can't the last relay snoop the traffic?

edit: oh, is the last relay the onion service? So the entire chain is encrypted?

rendx 2 days ago|||

The key used to encrypt traffic is in the URL, everything including path is encrypted from client to the onion service end. What you are saying is true for non-onion HTTP sites, not for onions.

edm0nd 2 days ago|||

side note: there is a built in flag mechanism called BadExit for Tor that if a relay or exit is detected to be malicious, it is quickly removed from being used.

age123456gpg 2 days ago||

You can generate yourself a vanity .onion address using https://github.com/AlexanderYastrebov/onion-vanity-address tool. It can also generate vanity client authorization keypair.

tripplyons 2 days ago||

Be careful with vanity address generators. A cryptocurrency market maker once lost around $160,000,000 in a vanity Ethereum address because the generator they used was only seeded with 32 bits of entropy.

https://www.forbes.com/sites/jeffkauflin/2022/09/20/profanit...

age123456gpg 2 days ago||

Indeed, be careful with anything that involves secret bits.

This tool uses proper crypto/rand initialisation of the starting key https://github.com/AlexanderYastrebov/onion-vanity-address/b...

Check out my other vanity generators (they all use crypto/rand):

https://github.com/AlexanderYastrebov/wireguard-vanity-key

https://github.com/AlexanderYastrebov/age-vanity-keygen

https://github.com/AlexanderYastrebov/ethereum-vanity-addres...

Trung0246 1 day ago||

Unfortunately I got a hard crash on go 1.25.3 when running this: https://github.com/AlexanderYastrebov/onion-vanity-address/i...

maeln 2 days ago||

It is also very useful to expose services to the world wide web behind a restrictive network, Tor takes care of the Nat punching and all that jazz, and you get free dns and encryption as an extra bonus :)

xena 2 days ago||

I do something similar like this for xeiaso.net (http://ryelkcbr65vy7pzx26c3rvxya54yuh5ciafth7p6d3p3phpgo2wkz...), but I use Kubernetes so I installed the Tor controller: https://github.com/bugfest/tor-controller. I then added an OnionService pointing to the website: https://github.com/Xe/site/blob/main/manifest/xesite/onionse.... It works pretty great!

wartywhoa23 2 days ago||

> Oh, and free speech and anti-censorship and all that jazz.

That jazz is increasingly played by the same band of 185.220.0.0/16 exit nodes, and plays it in a scale which is all but Anonymian.

flotzam 2 days ago||

No part of hosting or visiting onion services involves exit nodes. Onion service traffic stays within the Tor network instead of exiting to the clearnet.

immibis 2 days ago|||

Run more exit nodes then, and more onion services so they don't need to involve exit nodes.

It's also not such a big deal, provided they aren't messing with your exit traffic which you did encrypt, right? There are few exit nodes, but a great many non-exit nodes which still help anonymize your traffic. If you think it's a problem though, run an exit node.

denkmoon 1 day ago||

I’m sure lots of people would run exit nodes if it wasn’t the equivalent of putting a flashing neon sign saying “please ruin my life mr government” in front of your house

storm1er 2 days ago||

I would like to know more, can you give me some insight?

wartywhoa23 2 days ago|||

Well if you use Tor somewhat regularly and check your exit node IP, it is about 50% possible that yours is in that subnet each time you renew the route. Which begs questions.

Maybe I'm wrong, but it would look more benign to have exit nodes distributed without this much bias towards that particular subnet.

bauruine 2 days ago||

It's only 185.220.100 [0] and 185.220.101 [1] that contain all those relays. Some of the bigger German families work together as "Stiftung Erneuerbare Freiheit" that's why you see a big cluster there. But Tor never uses relays in the same /16 for a circuit so it's not really an issue.

[0] https://metrics.torproject.org/rs.html#search/185.220.100 [1] https://metrics.torproject.org/rs.html#search/185.220.101

mo 2 days ago||

Correct. "Stiftung Erneuerbare Freiheit" acts as LIR in charge of the address space, handing out chunks of that space to exit relay operating non-profits for free, but does not operate any Tor infrastructure themselves and has no visibility into the traffic. The cost for us are the RIPE membership fees (approx 2000€/yr).

Source: I'm its director and founder of torservers.net. Usually using a different nick here.

5f3cfa1a 2 days ago|||

https://nusenu.github.io/OrNetStats/ should give you a feel for the overall size & relative homogeneity of the current Tor network.

superkuh 2 days ago||

One problem with .onion is that it is not for casual sites or people trying to build lasting communities. The Tor Project only prioritizes security and they can and have and will again wipe out the entire tor web to nothing if they feel it is required by security. They have full control of the network. No v2 tor sites exist anymore, none of the communities, they were are just wiped out by the Tor Project because only their security use case matters. They care nothing for communities that use their software. Do not try to build communities on Tor .onion. It'll just be made inaccessible some day. All the hyperlinks will become useless. All the databases of sites, all the discussions, just gone. Because the tor project cannot abide potential lax security of older protocols.

.onion is not a way to own your domain. Even though you may have the private key and no one else does, the true owners of your domain remain the tor project themselves, as they can make it inaccessible to tor clients any time they want. They have before, they will again. And they aren't going to listen to any community feedback about it. Tor .onion is only for people that don't care about longevity or links working. Only for people who have 'security' as their number 1 and only concern.

I wasted a decade building my personal sites and casual communities on .onion. I won't be fooled again. A dot com or org is just as much mine as a .onion is, unfortunately, and at least those don't all disappear every 10 years.

bfkwlfkjf 2 days ago|

I would love to hear more. Have you published this somewhere you wanna share?

jjmarr 2 days ago||

https://news.ycombinator.com/item?id=36261206

stephenlf 2 days ago||

What a pleasant read. Informative in all the right places without losing brevity. Thank you.

INTPenis 2 days ago|

It's not a mirror, it's a proxy. If someone encroaches on their free speach and shuts down their hosting account that "mirror" will not save them.

Just saying, this is an important distinction to me and I've been hosting tor nodes since the 2000s.

Archiving information, and making it available, is sometimes more powerful than anonymous proxying.

Especially if there's an anonymous proxy available to that archive. ;)

Retr0id 2 days ago||

As long as they have the private key they can move it to new hosting infrastructure without issue, and the same onion address will still be operational.

a022311 2 days ago||

"Mirroring" is a term also used when a single source publishes data in different mediums (technically in this case we're talking only about the internet but the internet is full of different protocols so I'll call them mediums). For example there are websites that mirror their content to Geminispace or in this case make it available as an onion service.

You are correct that this solution does not prevent problems if the server goes down. This particular approach aims to reach a larger audience, while your idea of mirroring enables resiliency.

Both approaches have their use cases and can even be combined too!

More comments...