Prerequisites

Make sure that you are using the latest version of Raspbian on your devices. A minimum of 3 devices is required for my setup.
In my setup I am using a static HTML website, and there is no need for PHP to be installed.

In this setup we will use a minimum of 2 web servers, and one proxy server running the Tor daemon. Traffic will be distributed based on which Raspberry Pi has the fewest connections.

As root on your proxy server, run the following command:

apt install tor haproxy

As root on your web servers, run the following command:

apt install nginx

HAProxy Config

You will need to configure HAProxy on the proxy server by editing the /etc/haproxy/haproxy.cfg file. It should look something like this:


global
    daemon
defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

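listen stats
    # Stats page: reachable on every interface (*:8080) with no login.
    # Bind it to 127.0.0.1 or add a "stats auth" line to restrict access.
    bind *:8080
    stats enable
    stats hide-version
    stats uri /stats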

frontend tor-frontend
    bind 127.0.0.1:80
    use_backend http-backend

backend http-backend
    balance leastconn
    server pi1 172.16.1.26:80 check
    server pi2 172.16.1.27:80 check

Tor Config

Your /etc/tor/torrc file should have this in it (it could literally just be this if you want):


HiddenServiceDir /var/lib/tor/my-site/
HiddenServicePort 80 127.0.0.1:80
    

nginx Config

Now it's time to configure nginx on your 2 web servers. Your website vhost configuration should look something like this, and be stored in /etc/nginx/sites-enabled.


server {
    listen 0.0.0.0:80;
    root /var/www/4mgsrmirbgs22m5q.onion/html/;
    index index.html;
    server_name 4mgsrmirbgs22m5q.onion;

    error_page 404 /404.html;
    location / {
        try_files $uri $uri/ =404;
        # Only the proxy server (172.16.1.25) may fetch pages.
        allow 172.16.1.25;
        deny all;
    }
}
    
Now just create the proper directories, drop your HTML in, and read /var/lib/tor/my-site/hostname on the Tor/proxy server to get the .onion URL to test. Everything should load up as normal.

Explanation

Tor accepts the connection and passes it off to HAProxy on the same machine. HAProxy then takes that connection and distributes it across your web servers, in this case 2 Raspberry Pis running nginx.
The nginx servers should only be accepting connections on the local network (behind a NAT in my case), and for added security will only allow connections to the website which originate from the proxy.
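The chain described above only holds if the torrc target lands on a loopback HAProxy bind and nothing in haproxy.cfg listens on other interfaces by accident. The following is an added example, not part of the original post, that checks both over trimmed copies of the configs shown on this page. The function names are hypothetical, and it only understands single-address bind lines and host:port HiddenServicePort targets.

```python
import ipaddress
import re

# Trimmed copies of the page's haproxy.cfg and torrc, embedded to run offline.
HAPROXY_CFG = """\
listen stats
    bind *:8080
frontend tor-frontend
    bind 127.0.0.1:80
"""
TORRC = """\
HiddenServiceDir /var/lib/tor/my-site/
HiddenServicePort 80 127.0.0.1:80
"""
SECTIONS = ("global", "defaults", "listen", "frontend", "backend")

def haproxy_binds(cfg):
    """Return (section, host, port) for each single-address bind line."""
    binds, section = [], None
    for line in cfg.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments, then tokenize
        if words and words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif len(words) > 1 and words[0] == "bind":
            host, _, port = words[1].rpartition(":")
            binds.append((section, host.strip("[]"), port))
    return binds

def is_loopback(host):
    """True only for a literal loopback address; '*' and 0.0.0.0 are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def exposed_binds(cfg):
    """Binds that other hosts can reach without going through Tor."""
    return [b for b in haproxy_binds(cfg) if not is_loopback(b[1])]

def unmatched_onion_targets(torrc, cfg):
    """host:port HiddenServicePort targets with no loopback HAProxy bind."""
    targets = re.findall(r"^[ \t]*HiddenServicePort\s+\d+\s+(\S+):(\d+)", torrc, re.M)
    local = {(h, p) for _, h, p in haproxy_binds(cfg) if is_loopback(h)}
    return [t for t in targets if t not in local]

if __name__ == "__main__":
    print("exposed binds:", exposed_binds(HAPROXY_CFG))
    print("unmatched onion targets:", unmatched_onion_targets(TORRC, HAPROXY_CFG))
```

On the configs from this page it reports the stats listener on *:8080 as the only bind reachable from outside the proxy, and no unmatched onion targets.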

Robert Whitney