Reverse proxying Tor hidden services

Warren Guy
23 December 2014

This is a simple method of exposing a Tor hidden service via a regular TCP port.

You might find this useful as a convenient way of exposing a service behind a NAT firewall to the internet, or to provide a public internet presence for a service whose real location you wish to conceal.


You will require an internet facing server running Tor, and a Tor hidden service server. The instructions (particularly those relating to the internet facing server) are somewhat Debian-specific.

Tor hidden service

The Tor Project has instructions for configuring your Tor hidden service.

Internet facing server

Your internet facing server will need to have Tor installed and running, exposing a SOCKS proxy on localhost. Add the following line to your torrc file to listen on port 9050 on localhost:

SocksPort 9050

Install the connect-proxy and openbsd-inetd packages:

sudo apt-get install openbsd-inetd connect-proxy

Create /usr/bin/connect-without-password (this is necessary to bypass connect-proxy's password prompt):

#!/bin/sh
CONNECT_PASSWORD='' /usr/bin/connect "$@"

and make it executable:

sudo chmod +x /usr/bin/connect-without-password

Configure inetd.conf as follows, customising the port (8080) to the port you wish to listen on from the internet, the SOCKS proxy address given to -S (localhost:9050, matching the SocksPort line above), and the onion address/port of the hidden service (warrenguyis3q3tw.onion 80).

8080 stream tcp nowait nobody /usr/bin/connect-without-password connect -R remote -5 -S localhost:9050 warrenguyis3q3tw.onion 80

Connections to your internet facing server on port 8080 should now be proxied to the hidden service at warrenguyis3q3tw.onion on port 80.
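
What the -5 and -R remote options in the inetd.conf line ask of Tor's SOCKS port, as an added Python example (not code from the original post or from connect-proxy): a SOCKS5 CONNECT that sends the hostname itself, so Tor resolves the .onion name and no local DNS lookup is made. The function names and the 127.0.0.1:9050 default are assumptions chosen to match the SocksPort line above.

```python
import socket
import struct

# Reply codes from RFC 1928, section 6.
REPLIES = {1: "general failure", 2: "not allowed by ruleset", 3: "network unreachable",
           4: "host unreachable", 5: "connection refused", 6: "TTL expired",
           7: "command not supported", 8: "address type not supported"}
GREETING = b"\x05\x01\x00"  # version 5, one method offered: 0x00 (no authentication)

def connect_request(host, port):
    """CONNECT carrying the hostname (ATYP 0x03) so the proxy resolves it.
    A .onion name has no DNS record, so it cannot be resolved locally."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255 or not 1 <= port <= 65535:
        raise ValueError("bad host or port")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)

def check_connect_reply(header):
    """Validate VER, REP, RSV, ATYP; return ATYP of the bound address."""
    if len(header) < 4 or header[0] != 5:
        raise ConnectionError("malformed SOCKS5 reply: %r" % header)
    if header[1] != 0:
        raise ConnectionError("SOCKS5 error: " + REPLIES.get(header[1], hex(header[1])))
    return header[3]

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def open_via_socks(host, port, proxy=("127.0.0.1", 9050), timeout=60):
    """Return a socket relayed to host:port through the SOCKS5 proxy."""
    s = socket.create_connection(proxy, timeout=timeout)
    try:
        s.sendall(GREETING)
        if recv_exact(s, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept no-auth SOCKS5")
        s.sendall(connect_request(host, port))
        atyp = check_connect_reply(recv_exact(s, 4))
        # Skip the bound address (4 bytes IPv4, 16 IPv6, else length-prefixed) and port.
        alen = {1: 4, 4: 16}.get(atyp) or recv_exact(s, 1)[0]
        recv_exact(s, alen + 2)
        return s
    except Exception:
        s.close()
        raise
```

With Tor running, open_via_socks("warrenguyis3q3tw.onion", 80) returns a socket whose bytes are relayed to the hidden service, which is the job connect does for each inetd connection.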

TAGS: SysAdmin, Tor, nginx, Linux, Debian, inetd
