Written by Robert Whitney

Prerequisites

Make sure you are running the latest version of Raspbian on all of your devices. A minimum of 3 devices is required for this setup.
I am serving a static HTML website, so there is no need for PHP to be installed.

This setup uses a minimum of 2 web servers plus one proxy server running the Tor daemon. Incoming traffic is handed to whichever Raspberry Pi currently has the fewest open connections.

As root on your proxy server, run the following command:

apt install tor haproxy

As root on your web servers, run the following command:

apt install nginx

HAProxy Config

You will need to configure HAProxy on the proxy server by editing the /etc/haproxy/haproxy.cfg file. It should look something like this:

global
    daemon
defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

listen stats
    bind *:8080
    stats enable
    stats hide-version
    stats uri /stats

frontend tor-frontend
    # Only the local tor daemon can reach this listener (see HiddenServicePort below)
    bind 127.0.0.1:80
    use_backend http-backend

backend http-backend
    # Send each new connection to the web server with the fewest open connections
    balance leastconn
    server pi1 172.16.1.26:80 check
    server pi2 172.16.1.27:80 check

Tor Config

Your /etc/tor/torrc file should contain the following (it can literally be just these two lines if you want):

HiddenServiceDir /var/lib/tor/my-site/
HiddenServicePort 80 127.0.0.1:80
nginx Config

Now it's time to configure nginx on your 2 web servers. The vhost configuration for your site should look something like this and be stored in /etc/nginx/sites-enabled.

server {
    listen 0.0.0.0:80;
    root /var/www/4mgsrmirbgs22m5q.onion/html/;
    index index.html;
    server_name 4mgsrmirbgs22m5q.onion;

    error_page 404 /404.html;
    location / {
            try_files $uri $uri/ =404;
            # Only the HAProxy/Tor proxy on the LAN may fetch the site
            allow 172.16.1.25;
            deny all;
    }
}

Now create the directories, drop your HTML in, and read /var/lib/tor/my-site/hostname on the Tor/proxy server to get the .onion address to visit. Everything should load as normal.

Explanation

Tor accepts the connection and hands it to HAProxy on the same machine. HAProxy then distributes those connections across your web servers, in this case 2 Raspberry Pis running nginx.
The nginx servers should only accept connections from the local network (behind a NAT in my case) and, for added security, only allow connections to the website that originate from the proxy.
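To see the leastconn distribution and backend health described above from the proxy side, the stats listener configured on port 8080 also serves a CSV export at /stats;csv. The following script, an added example that is not part of the original post, parses that export for the http-backend/pi1/pi2 names used above; the CSV text embedded here is constructed sample data, not output captured from the author's proxy.

```python
import csv
import io
from typing import Dict, List, Optional

# Constructed sample of what HAProxy serves at http://<proxy>:8080/stats;csv
# for the config above (backend http-backend, servers pi1 and pi2). The columns
# this script reads (pxname, svname, scur, status, chkdown) carry realistic
# values; the remaining fields are filler.
SAMPLE_CSV = """# pxname,svname,qcur,qmax,scur,smax,slim,stot,bin,bout,dreq,dresp,ereq,econ,eresp,wretr,wredis,status,weight,act,bck,chkfail,chkdown,lastchg,downtime,
tor-frontend,FRONTEND,,,3,7,2000,120,9000,400000,0,0,0,,,,,OPEN,,,,,,,,
http-backend,pi1,0,0,3,5,,70,5000,250000,,0,,0,0,0,0,UP,1,1,0,0,0,3600,0,
http-backend,pi2,0,0,0,4,,50,4000,150000,,0,,2,0,1,0,DOWN,1,1,0,4,1,120,120,
http-backend,BACKEND,0,0,3,7,200,120,9000,400000,0,0,,2,0,1,0,UP,1,1,0,,1,120,120,
"""

def parse_stats(text: str) -> List[Dict[str, str]]:
    """Parse HAProxy's CSV export. The header line is prefixed with '# '."""
    lines = text.strip().splitlines()
    lines[0] = lines[0].lstrip("# ")
    return list(csv.DictReader(io.StringIO("\n".join(lines))))

def backend_servers(rows: List[Dict[str, str]], backend: str) -> List[Dict[str, str]]:
    """Real servers of one backend; skip the FRONTEND/BACKEND summary rows."""
    return [r for r in rows
            if r["pxname"] == backend and r["svname"] not in ("FRONTEND", "BACKEND")]

def unhealthy_servers(rows: List[Dict[str, str]], backend: str) -> List[str]:
    """Servers whose 'check' has taken them out of rotation (DOWN, MAINT, ...).
    HAProxy reports transitional states such as 'UP 1/3', hence startswith."""
    return [r["svname"] for r in backend_servers(rows, backend)
            if not r["status"].startswith("UP")]

def next_leastconn_pick(rows: List[Dict[str, str]], backend: str) -> Optional[str]:
    """The UP server 'balance leastconn' would hand the next Tor request to:
    the one with the fewest current sessions (scur)."""
    up = [r for r in backend_servers(rows, backend) if r["status"].startswith("UP")]
    if not up:
        return None
    return min(up, key=lambda r: int(r["scur"]))["svname"]

if __name__ == "__main__":
    rows = parse_stats(SAMPLE_CSV)
    for srv in backend_servers(rows, "http-backend"):
        print(f"{srv['svname']}: {srv['status']} scur={srv['scur']} chkdown={srv['chkdown']}")
    print("out of rotation:", unhealthy_servers(rows, "http-backend"))
    print("next pick:", next_leastconn_pick(rows, "http-backend"))
```

Against live data, replace SAMPLE_CSV with the body fetched from the proxy's /stats;csv on the LAN; a non-empty unhealthy list means the hidden service is silently running on fewer Pis than you built.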