I was thinking about the UK’s new online safety act, which, at best, is very poorly thought out legislation and, at worst, is a plot to further de-anonymise UK internet users. This got me thinking about VPNs and Tor which lead me to wonder how hard it is to serve a site through a .onion address.

Behold!

thod62d5r447cbmzxysd7xxpotsbbddspmn7q74ekewry4v7hbixv7yd.onion

Turns out it’s really easy, install Tor then point Tor at a server on your VPS that’s serving the website in question. I had to fiddle a bit to prevent Caddy from redirecting HTTP to HTTPS but apart from that it was simple.

Optional

Generate a vanity address. I used this to set the first 4 characters of mine to thod followed by. a number. It works by randomly generating addresses so the more characters you want the longer it takes, exponentially.

Setup HTTPS. Most .onion sites don’t use https on the basis that tor traffic is already encrypted. However as of 2020 you can create TLS certs for .onion address. The main blocker is that currently Let’s Encrypt, the de facto TLS CA for everything now, does support generating certs for .onion addresses yet. You can still do it if you’re willing to shell out 30 euros a year for it, Neil has a write up.

Add an Onion-Location to your cleartext site so that Tor users know there’s an onion alternative available. The best way to do this is with a custom HTTP header, see the linked site for ways to do this, for caddy it looks like:

header Onion-Location http://example.onion{path}

You can also do it using a HTML, here I’ve used the jekyll page.url variable, which I can actually also evaluate inline look: /2025/07/30/this-site-now-has-a-onion-address.html, to make the link point to whichever page you’re currently on.

<meta 
    http-equiv="onion-location" 
    content="http://example.onion{{ page.url }}" 
/>

The net effect is that if you load my cleartext site in a Tor browser you’ll get a little button suggesting you go to the onion site.