Hidden service binding Nginx to localhost


If i set up a hidden service on a regular Linux system I would normally add


In order to bind the web server to localhost. Using nginx and Whonix, if you bind the server to that address the hidden service will not load when trying to access it via an onion address.

It does load using an onion address with either of these lines instead.

listen 80;

Is using listen 80; safe, as Whonix is forcing all traffic through Tor, or should I bind it to and will this cause any issues?

My concern is shodan or an equivalent finding information.

Thanks in advance.

You have a couple options:

  • Webserver listens on Then you need some way to redirect web traffic between whonix-gateway and localhost on the workstation (i.e. socat). This opens up localhost bypass attacks, since all connections will appear to the web server to be coming from localhost. (Some web services assume localhost is safe to expose because they don’t take Tor usage into consideration.)

  • Use a non-localhost address like This will reveal that you are using Whonix.

  • The most robust option is probably to redirect Unix sockets using socat, similarly to the way that Tor Browser is doing currently. This will also reveal that you are special (non-localhost).


Don’t know. In general, anything an (unauthenticated) user can see, so can a web crawler. IIUC it’s rather trivial to enumerate v2 onions by running HSDirs. v3 is supposed to help by making the onion address itself a key to unlock the descriptors. To keep onion completely hidden, use hidden service authentication.


Thanks for the replies. If I set it up to use, what ways could someone use to find out this information?

I’ve configured my forum and removed any IPs that show when posting and in user profiles.

That’s like asking “How can someone hack into my computer?” Depends on software, configuration, skill of attacker, skill of admin, etc. You’ll get better advice on a pentesting forum.

Regarding socat.

I added this to my nginx conf:


I then run socat as follows:

socat TCP-LISTEN:80,fork TCP:

It gives an error saying the address is already in use. I tried stopping nginx and running the socat command first; this time nginx won’t start, saying it is unable to bind to the port because it’s already in use.

Have I done something incorrect?

Thanks in advance.

I don’t have much experience with socat. You can try:

socat TCP-LISTEN:80,fork,reuseaddr,bind= TCP:

(Also, there’s nothing special about port 80.)

Still not working with the new socat command. I’ve never used this before, so I have no idea what to try next.

When browsing the other thread I noticed that Whonix 14 will make this a lot easier. I’m looking forward to that release day :smiley:


(Also, there’s nothing special about port 80.)

There might be - all ports below 1024 require root to be opened, unless

Oops, that’s backwards. Listen on eth0, stream to localhost:

sudo socat TCP-LISTEN:80,fork,reuseaddr,bind= TCP:

But you don’t have to use Unix sockets, or even socat for that matter. (Disregard that riseup link. Not relevant.)

Plain iptables redirection will work. Same as what Whonix Gateway does - in reverse.

sudo sysctl -w net.ipv4.conf.all.route_localnet=1
sudo iptables -t nat -I PREROUTING -i eth0 -d -p tcp --dport 80 -j DNAT --to

Personally, I would rather not use localhost at all. You never know when some poorly behaved extension will decide to broadcast everything on a localhost page. Plus route_localnet=0 by default for a reason. (If you’re ashamed to be using Whonix :), you can change to something like I’m sure there’s at least a couple hidden services that use reverse-proxies.)

PSA: TPO just released the first release candidate for 0.3.2, meaning the stable version is around the corner. Need to reserve my 56-char URL before someone takes it.

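As an added example (not code from any poster in this thread), here is the iptables redirect described above written as an idempotent script, with the rule scoped to traffic from the gateway only. The Whonix addresses, interface name, port and nginx target are assumed values, not taken from the thread.

```shell
#!/bin/sh
# Assumed values (not from the thread): Whonix-Workstation and Gateway
# addresses, the interface facing the gateway, and where nginx listens.
WS_IP="${WS_IP:-10.152.152.11}"     # workstation's own address on $IFACE
GW_IP="${GW_IP:-10.152.152.10}"     # only the gateway may reach the service
IFACE="${IFACE:-eth0}"
PORT="${PORT:-80}"
TARGET="${TARGET:-127.0.0.1:80}"    # nginx: listen 127.0.0.1:80;
# The gateway side (torrc) would then carry: HiddenServicePort 80 $WS_IP:80

# One rule body, reused for -C (check), -I (insert) and -D (delete) so the
# three calls can never drift apart.
dnat_rule() {
    printf '%s' "PREROUTING -i $IFACE -s $GW_IP -d $WS_IP -p tcp --dport $PORT -j DNAT --to-destination $TARGET"
}

# Enable route_localnet on the gateway-facing interface only (the kernel ORs
# it with the "all" setting), then add the rule unless it already exists.
apply_redirect() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_redirect: run as root" >&2; return 1; }
    sysctl -w "net.ipv4.conf.$IFACE.route_localnet=1" >/dev/null
    # shellcheck disable=SC2046  # word splitting of the rule body is intended
    if ! iptables -t nat -C $(dnat_rule) 2>/dev/null; then
        iptables -t nat -I $(dnat_rule)
    fi
}

remove_redirect() {
    [ "$(id -u)" -eq 0 ] || { echo "remove_redirect: run as root" >&2; return 1; }
    # shellcheck disable=SC2046
    iptables -t nat -D $(dnat_rule)
}

# Dry run: print exactly what apply_redirect would execute.
show_redirect() {
    printf 'sysctl -w net.ipv4.conf.%s.route_localnet=1\n' "$IFACE"
    printf 'iptables -t nat -I %s\n' "$(dnat_rule)"
}
```

Run `show_redirect` first to review the rule, then `apply_redirect` as root; the `-s $GW_IP` match means a packet arriving on the interface from any other source is not redirected to loopback at all.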