Here are some sample configuration files. This post applies if you have your own server with Nginx and Tor installed.

1. Nginx

1.1. Main configuration file

The main Nginx configuration file is /etc/nginx/nginx.conf. In this example, we have hardened the default configuration by adding headers and specifying buffer size limits:

cat /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
}

http {

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
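        # Do not reveal the Nginx version in the Server header or on error pages
        server_tokens off;

        # Added security headers
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block" always;

        # Buffer size limits; request bodies larger than 1k are rejected
        client_body_buffer_size 1k;
        client_header_buffer_size 1k;
        client_max_body_size 1k;
        large_client_header_buffers 2 1k;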

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

1.2. Site configuration file

The Nginx site configuration file is /etc/nginx/sites-available/default. In this example, we listen on a Unix socket rather than on a TCP port. The server name is the generated .onion address. We also reject every HTTP request method other than GET, HEAD and POST with a 405 response.

server {

        listen unix:/var/run/nginx.sock;

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name blogiwuasytomnunoj642gv7pswvacsnil4pr465mtz2wrlqf2mac5ad.onion;

        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
                return 405;
        }

        location / {
                try_files $uri $uri/ =404;
        }

}

1.3. Systemd service file

The Nginx systemd service file is /lib/systemd/system/nginx.service. We have added a PrivateNetwork=yes line, which gives Nginx its own network namespace containing only a loopback interface, so that it is completely isolated from the outside world.

[Unit]
Description=A high performance web server and a reverse proxy server
Documentation=man:nginx(8)
After=network.target nss-lookup.target

[Service]
PrivateNetwork=yes
Type=forking
PIDFile=/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
ExecStop=-/sbin/start-stop-daemon --quiet --stop --retry QUIT/5 --pidfile /run/nginx.pid
TimeoutStopSec=5
KillMode=mixed

[Install]
WantedBy=multi-user.target

2. Tor

The Tor configuration file is /etc/tor/torrc. Tor communicates with Nginx via the Unix socket, so there is no need to open port 80 in your firewall.

Log notice file /var/log/tor/log
RunAsDaemon 1
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/blog/
HiddenServicePort 80 unix:/var/run/nginx.sock

3. Restarts

Commands to reload the systemd service file and restart Nginx and Tor:

sudo systemctl daemon-reload

sudo systemctl restart nginx

sudo systemctl restart tor

4. Checks

Commands to check that Nginx and Tor are working as expected:

sudo systemctl status nginx

sudo journalctl -u tor@default

sudo tail /var/log/tor/log
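
A static cross-check of the three files can complement the runtime checks. The script below is an added example, not part of the original configuration: it verifies that torrc and the Nginx site file name the same Unix socket, that Nginx has no TCP listener, and that the unit file enables PrivateNetwork. The function names and the temporary sample files are assumptions made for the demonstration; on a real server, pass the paths from sections 1 and 2 to audit.

```sh
#!/bin/sh
# Added example: check that torrc, the Nginx site file and the unit file agree.

# Socket path that torrc forwards the onion service to.
tor_socket() {
    awk '$1 == "HiddenServicePort" && $3 ~ /^unix:/ { sub(/^unix:/, "", $3); print $3 }' "$1"
}

# Socket path Nginx listens on.
nginx_socket() {
    awk '$1 == "listen" && $2 ~ /^unix:/ { sub(/^unix:/, "", $2); sub(/;$/, "", $2); print $2 }' "$1"
}

# Number of listen directives that are not Unix sockets (TCP listeners).
nginx_tcp_listeners() {
    awk '$1 == "listen" && $2 !~ /^unix:/ { n++ } END { print n + 0 }' "$1"
}

# Succeeds if the [Service] section enables PrivateNetwork.
unit_private_network() {
    awk '/^\[/ { sec = $0 }
         sec == "[Service]" && /^PrivateNetwork=(yes|true|on|1)$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# audit TORRC SITE UNIT: prints findings, returns non-zero on any failure.
audit() {
    rc=0
    t=$(tor_socket "$1"); n=$(nginx_socket "$2")
    if [ -z "$t" ] || [ "$t" != "$n" ]; then echo "FAIL: tor='$t' nginx='$n'"; rc=1; fi
    if [ "$(nginx_tcp_listeners "$2")" -ne 0 ]; then echo "FAIL: Nginx also listens on TCP"; rc=1; fi
    if ! unit_private_network "$3"; then echo "FAIL: PrivateNetwork not enabled"; rc=1; fi
    if [ "$rc" -eq 0 ]; then echo "OK: socket $t"; fi
    return "$rc"
}

# Constructed sample files mirroring the configuration above (not read from /etc).
d=$(mktemp -d)
printf 'HiddenServiceDir /var/lib/tor/blog/\nHiddenServicePort 80 unix:/var/run/nginx.sock\n' > "$d/torrc"
printf 'server {\n    listen unix:/var/run/nginx.sock;\n}\n' > "$d/site"
printf '[Unit]\nDescription=x\n[Service]\nPrivateNetwork=yes\nType=forking\n' > "$d/unit"
audit "$d/torrc" "$d/site" "$d/unit"
```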