Lighttpd & Tor

What follows is a blow-by-blow guide for configuring a UNIX home computer (as a webserver) to host a site permanently on a hidden slice of the internet - sometimes referred to as: "the darknet" or "onionland". Lighttpd (pronounced "lighty") is an excellent web-server - due to its flexibility, blazing speed and support for SSI, CGIs and virtual hosts.

  1. lighttpd
  2. Tor
  3. Shallot


Grab the sources for lighttpd. The latest stable release is recommended: Download the sources with wget (or use a browser), then extract them.

$ cd ~/

$ wget

$ tar xzvf lighttpd-1.4.XX.tar.gz

Move to the source directory.

$ cd ~/lighttpd-1.4.XX

Create a minimal "" script. The use of this script will facilitate upgrades (and/or the addition of compile options at a later date). In a text editor, add the following:

./configure \
"--prefix=$HOME/light" \
"--disable-ipv6" \
"--without-pcre" \
"--with-zlib" \

The "--prefix=$HOME/light" option installs lighttpd under your UNIX account, rather than system-wide. "--without-pcre" prevents the rewrite engine from being built. To build a functional rewrite, install libpcre from the package manager (or the ports collection) of your operating system and place "--with-pcre" in the Similarly, "--without-bzip2" builds lighttpd without bzip2 compression.

Run the config script.

$ sh

Build and install lighttpd

$ make

$ make install

To accelerate building lighttpd - on a machine with multiple processors or cores, "make -j9" will compile 9 threads simultaneously.

Configure lighttpd for run-time

In a text-editor, create ~/light/lighttpd.conf. The webserver should run on (localhost), bound to a non-privileged port. Port 8080 is the standard, http_alt. Substitute your username for "user" in the Directives, below.

server.document-root = "/home/user/light/pages/"
server.port = "8080"
server.bind = ""
server.username = "user"
server.groupname = "www"
accesslog.filename = "/home/user/light/logs/access"
server.errorlog = "/home/user/light/logs/error"

server.modules = (
"mod_accesslog" )

mimetype.assign = (
".css" => "text/css; charset=utf-8",
".html" => "text/html; charset=utf-8",
".htm" => "text/html; charset=utf-8",
".txt" => "text/plain; charset=utf-8",
".png" => "image/png; charset=utf-8",
".jpg" => "image/jpeg; charset=utf-8",
".jpeg" => "image/jpeg; charset=utf-8",
".gif" => "image/gif; charset=utf-8",
".ogg" => "application/ogg; charset=utf-8" )

static-file.exclude-extensions = ( "~", ".inc" )
index-file.names = ( "index.html", "index.htm" )

Before running, test the configuration file for syntax errors. If necessary, fix them:

$ ~/light/sbin/lighttpd -t -f ~/light/lighttpd.conf

If the lighttpd.conf will not parse cleanly. Verify that your UNIX username is a member of the "www" group in /etc/groups.

Create a directory for the logs and the site's content.

$ mkdir ~/light/pages

$ mkdir ~/light/logs

Execute lighttpd

$ ~/light/sbin/lighttpd -f ~/light/lighttpd.conf

Copy the web-content (html, images, audio and video files, etc.) to be served into ~/light/pages/. To preview the new site, click


Since onion domains are not resolvable by internet nameservers, installing Tor is required to generate a private key, write an onion hostname and help start the process of name resolution.

Grab and unpack the sources for the standalone version of Tor. The latest stable release is advised.

$ wget

$ tar xzvf tor-0.2.X.X-rc.tar.gz

$ cd tor-0.2.X.X

Configure, compile and install Tor

Verify that $HOME/bin exists and that it is in your $PATH statement.

$ ./configure --prefix="$HOME/tor" --exec-prefix="$HOME"

$ make

$ make install

To build Tor without the man pages, add "--disable-asciidoc" to the configure options above.

Create a directory to hold the new, onion hostname and private key, and copy the torrc.sample to ~/.torrc.

$ mkdir -p ~/tor/var/lib/tor/hidden_service

$ cp ~/tor/etc/tor/torrc.sample ~/.torrc

Open up ~/.torrc in a text editor and copy the following to it, but substitute your UNIX username for "user", below.

HiddenServiceDir /home/user/tor/var/lib/tor/hidden_service/
HiddenServicePort 80

Execute tor

$ ~/bin/tor

The new onion hostname is located in ~/tor/var/lib/tor/hidden_service as "hostname" along with a "private_key". Open the file "hostname":

$ cat ~/tor/var/lib/tor/hidden_service/hostname

To bring up the new site, copy and paste the onion hostname into the address bar of the Tor browser. The site is now available to users on the Tor network. It would be best to backup the private key and store it elsewhere. In case of a disk crash - without any backup, a new key will be generated when Tor is run, and a different hostname assigned.

To have both lighttpd and Tor start at boot, add the following cronjob with "crontab -e".

@reboot $HOME/light/sbin/lighttpd -f $HOME/light/lighttpd.conf
@reboot $HOME/bin/tor

A piece of advice: a computer which remains connected to the internet 24/7 is strongly encouraged. If the server hosting the onion domain remains offline for an extended period of time, list sites and search engines will remove their links to it, and the site will receive few hits.

Custom hostnames

To generate a custom (user selected) first portion of a new, onion domain, refer to: shallot.

Further reading
lighttpd config syntax
lighttpd performance tweaks
lighttpd modules
down 'n dirty config examples