Wait, isn't the darknet some super illegal place built by the mighty blackhats of old where you go to study the occult and buy drugs to practice said dark arts‽
Well, not really. The term 'darknet' currently refers to any internet service served over some extra level of anonymisation, such as Tor or I2P. A subset of the 'darknet' is the 'darkweb', which is just HTTP and HTTPS served over said networks.
If we look a bit into history, we will learn that Tor was actually started by the US government. Its original purpose was to hide government agents. There was a small flaw, however. If you have a very special communication protocol that only US agents use, it's quite easy to notice them in the internet traffic.
To solve this, the Tor protocol was made free, so that more people than just the government agents use it. So yea, the US government basically decided that giving all the criminals and terrorists a hidden and private way of communication is an acceptable sacrifice for keeping their agents hidden. Do with this information what you will.
With Tor being made free for anyone to use, naturally only two types of people started to use it. The tech enthusiasts, specifically the ones of the privacy and decentralisation kind, and those who wanted to do some less-than-legal business.
So yea, there is some messed up stuff on the dark net, but it's still perfectly legal to visit and host content here.
I will not even try to explain how Tor works, as there are way better resources for that, but the cool part is that everything stays anonymous and you don't even need to register anywhere to host stuff. You don't even need a public IP address. You can run a public Tor hidden service right from inside of your home network. Isn't that neat? (and yes, this is one way to tunnel some services out of your network)
Setting up a Tor hidden service is super easy. If you just want to quickly run a temporary site on your workstation, I recommend you check out OnionShare, but I will set up a full, proper Tor service.
First step is to install the 'tor' package. After that, you will need to configure Tor in the '/etc/tor/torrc' file. You can do a lot in there, but I'm doing just the most basic configuration. All I uncommented was:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
Now you just need to enable the Tor service via:
systemctl enable --now tor
And BOOM, you are on Tor. Well, kinda. First, that is only because I already have Nginx running. Tor is just exposing the service, the service itself has to be run by its own server. And second, how do I get there?
Well, that is where '/var/lib/tor/hidden_service/' comes in. There you store your onion address configuration. You should find a 'hostname' file there, which contains a randomly generated address under which your services are running. If it's not there for some reason, just try restarting Tor.
Ok, so I run HTTP over Tor, now onto HTTPS. Well, no. You see, it can be done, but I would need a special certificate, which Let's Encrypt doesn't offer. I could sign my own certificate, but it would scare users with warnings, so I think I'll pass on HTTPS over Tor for now.
For a static website without any sensitive information sharing or illegal content, it shouldn't matter that much. The Tor project talks about it here, and they even mention that they purposefully made the Tor browser not warn the user when HTTP is used, so I'd call it a perfectly fine and officially supported way of doing things.
So now you have a fully working website on the darknet, but there is one more thing I would like to do: rice up my domain name. Tor gave you a random onion domain name automatically, but I want to do better.
Onion names are not registered anywhere and you can host onto whatever domain name you have keys to. The names are made in such a way that they cannot be reverse engineered, but there is nothing stopping you from just generating new ones until you find a name that you like. You can use mkp224o to generate an onion name that starts with a specific string. Note, however, that onion names are encoded in Base32. This means that you can only use lowercase letters of the English alphabet and the digits 2-7 (both included) (in regex [a-z2-7]+), so you are a bit limited in that regard.
Depending on the length of your desired prefix, the process of finding an onion name can take a while. I'd recommend you run this on some powerful machine (not the VPS) and specify the number of threads to use via the '-t' flag.
I initially tried to generate 'unit37ooo' (the 'o's serve as a separator), but it didn't yield any results even after letting it run all night long. After that, I looked at the manual, and noticed that the time needed to get the desired name increases exponentially with each letter. To quote the GitHub page:
If your machine is powerful enough, 6 character prefix shouldn't take more than few tens of minutes, if using batch mode (read OPTIMISATION.txt) 7 characters can take hours to days
In short: RTFM!
I canceled the process and tried to generate only 'unit37'. (also I'm lucky that 3 and 7 are included in Base32) In just a few minutes, I got the following name:
unit37sz3qlyuaimdp2ufhxuwv5m7hvzfpzbe5fhp4ctim5mdyz27yyd.onion
NICE!
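To put numbers on the Base32 limit and the exponential search time, and to show how a v3 onion name can be checked for typos, here is an added example (not code from mkp224o or Tor). It assumes the v3 address layout from the Tor rendezvous specification: 32-byte public key, 2-byte SHA3-256 checksum and a version byte of 3, all Base32 encoded.

```python
import base64
import hashlib
import re

BASE32_ONLY = re.compile(r"[a-z2-7]+")  # the alphabet onion names are limited to
PAGE_ADDRESS = "unit37sz3qlyuaimdp2ufhxuwv5m7hvzfpzbe5fhp4ctim5mdyz27yyd.onion"


def prefix_is_possible(prefix):
    """A vanity prefix can only ever be found if it is pure lowercase Base32."""
    return BASE32_ONLY.fullmatch(prefix) is not None


def expected_attempts(prefix):
    """Each character fixes 5 bits, so on average 32**len(prefix) keys are tried."""
    return 32 ** len(prefix)


def onion_from_pubkey(pubkey):
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def is_valid_v3_onion(hostname):
    """Check length, alphabet, version byte and checksum of a v3 onion hostname."""
    label = hostname[:-6] if hostname.endswith(".onion") else hostname
    if len(label) != 56 or not prefix_is_possible(label):
        return False
    raw = base64.b32decode(label.upper())  # 35 bytes: key, checksum, version
    if raw[34:] != b"\x03":
        return False
    # Re-derive the name from the embedded key; a typo breaks the checksum.
    return onion_from_pubkey(raw[:32]) == label + ".onion"


if __name__ == "__main__":
    for prefix in ("unit37", "unit37ooo", "unit18"):
        if prefix_is_possible(prefix):
            print(prefix, "-> about", expected_attempts(prefix), "keys on average")
        else:
            print(prefix, "-> impossible, contains characters outside [a-z2-7]")
    print("address from the page valid:", is_valid_v3_onion(PAGE_ADDRESS))
```

The three extra 'o's in 'unit37ooo' multiply the expected work by 32^3 = 32768, which is why a few minutes for 'unit37' turns into more than a night.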
So now all that was left was to move the generated keys to '/var/lib/tor/hidden_service/'. One thing to note is that you will need to change the owner, group and permissions in order to make Tor able to use it.
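A quick way to check the ownership and permissions after moving the keys, as an added example (not part of Tor or mkp224o). It assumes the directory should be reachable only by the account Tor runs as, that the files carry the names mkp224o writes, and that you pass in that account's uid yourself, since the account name differs between distributions.

```python
import os
import stat

# Files mkp224o writes for each name, and that Tor reads from HiddenServiceDir.
SERVICE_FILES = ("hostname", "hs_ed25519_public_key", "hs_ed25519_secret_key")


def audit_hidden_service_dir(path, tor_uid):
    """Return a list of ownership/permission problems; empty means it looks fine."""
    problems = []
    st = os.stat(path)
    if st.st_uid != tor_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {tor_uid}")
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{path}: directory is accessible to group or others")
    for name in SERVICE_FILES:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append(f"{full}: missing")
            continue
        fst = os.stat(full)
        if fst.st_uid != tor_uid:
            problems.append(f"{full}: owned by uid {fst.st_uid}, expected {tor_uid}")
        # Whoever can read the secret key can serve the onion name themselves.
        if name.endswith("secret_key") and stat.S_IMODE(fst.st_mode) & 0o077:
            problems.append(f"{full}: secret key is readable by group or others")
    return problems


if __name__ == "__main__":
    import sys
    # Usage: audit.py DIR UID  (UID = numeric uid of the account Tor runs as)
    for line in audit_hidden_service_dir(sys.argv[1], int(sys.argv[2])):
        print(line)
```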
And so, now I have a fully fledged darknet website. (and finger too I guess...)
I'm quite surprised that it's easier to get a proper website on the darkweb than on the clearweb. Again, I could have run this on some cheap Raspberry Pi from inside my home NAT just as easily.
You could also make your website automatically redirect to the onion version if the browser supports it via an HTML '<meta>' tag, but as my homepage is a PDF, I will just add a little icon to the bottom right corner.