Onion

Home / Portfolio

Description

Ft_onion: Hidden Service on Tor with Docker

This project is a hands-on introduction to Tor hidden services, developed during the 42Madrid cybersecurity bootcamp. The idea isn’t just to understand what Tor is at a theoretical level, but to build something real: a web service accessible exclusively through the Tor network, with SSH access on top of it, all nicely wrapped inside Docker containers.

🌐What’s Tor and what are hidden services about?

At this point, Tor shouldn’t sound strange to anyone in the IT world. In short, Tor routes traffic through multiple distributed nodes, making the origin and destination extremely hard to trace. The result: anonymity.

One of Tor’s lesser-known (and technically more interesting) use cases is hidden services—network or web services that:

  • Have no public IP

  • Don’t rely on traditional DNS

  • Are only accessible via Tor using .onion addresses

Yes, this is the famous “Dark Web”, which—beyond its bad reputation—is actually a pretty interesting playground to learn about networking, security, and distributed services.

🧩Project objective

The challenge was very clear:

  • Create a static website accessible only through a .onion URL

  • Publish it as a Tor hidden service

  • Serve it using Nginx

  • Allow hardened SSH access

  • Avoid opening unnecessary ports or using extra firewall rules

  • Everything running over HTTP (80) and SSH (4242)

And as a bonus: make it clean and secure, not just a sad, soulless HTML page.

🧩Main project requirements

  • The static website must be accessible only via a .onion URL

  • The server must run on Nginx (HTTP on port 80) and allow SSH access on port 4242

  • No additional ports may be opened and no firewall rules are allowed

  • Required configuration files: index.html, nginx.conf, sshd_config, torrc.

 

⚙️Tech stack

The entire project is built around Docker, which makes it possible to test configurations without wrecking the host system (something you really appreciate when playing with Tor and SSH).

The project is split into two main containers:

🔧 Server:

  • Runs Nginx, Tor, and OpenSSH

  • Hosts the static website

  • Exposes the hidden services (HTTP and SSH)

💻 Client:

  • Used only to test SSH connections through Tor

  • Includes Tor and an SSH client

Separating client and server makes the tests cleaner and closer to real-world scenarios.

 

🐋Server container: the heart of the project

The server is based on Debian and configures:

  • Nginx → serving the static site on port 80

  • Tor → managing the hidden services

  • OpenSSH → listening on port 4242, under a hardened configuration

All the magic happens by correctly copying the configuration files:

  • nginx.conf

  • torrc

  • sshd_config

  • index.html

Additionally, a dedicated SSH user (sshusr) is created with limited permissions, following basic hardening best practices.

Tor automatically generates the .onion addresses, which are stored in volumes so they can be easily retrieved.p

🐋Client container: testing access

The client container is simpler, but it plays a key role: verifying that SSH access actually works through Tor.

From this container you can run:

torify ssh sshusr@xxxxxxxx.onion -p 4242

If it connects, you know the entire chain (Tor + SSH + hardening) is correctly set up.

⚙️Automation with Makefile

A Makefile is included to simplify container management:

  • make – Builds both containers and images

  • make server – Builds only the server image

  • make client – Builds the client image

  • make exe – Launches the client container and opens a Bash shell

  • make clean – Stops and removes the containers

🔐How to try it yourself

You’ll need:

  • Docker (Docker Desktop works great)

  • Tor Browser to access the website

  • make (optional, but recommended)

Quick steps:

  1. Clone the repository

  2. Run make && make exec

  3. The server generates the .onion addresses

  4. Access:

    • Web → using Tor Browser

    • SSH → using the client container with torify

The server container generates two .onion URLs inside the /srv/url/ volume, one for HTTP and one for SSH:

  • /srv/url/hidden_service/hostname → Web service URL

  • /srv/url/other_hidden_service/hostname → SSH service URL

To access the site, simply open Tor Browser and enter the corresponding URL.

For the SSH service, run inside the client:

torify ssh sshusr@xxxxxxx.onion -p 4242

🧪Conclusion

This project is a great hands-on introduction to Tor from a practical perspective, combining:

  • Networking

  • Security

  • Web services

  • Docker

No smoke, no unnecessary frameworks—just real stuff that rarely shows up in “classic” projects. Perfect for understanding how hidden services actually work beyond theory… and for losing your fear of Tor.

The full source code is available on GitHub for anyone who wants to tinker, break things, and learn along the way.
Because in the end, that’s what this is all about 😄

Details