I'm trying to set up a hidden web service over the Tor network, and I was thinking of making a configuration where my Apache server and my database server are located on different networks.

I know this will introduce a lot of latency, especially since no server will know where the other is (Tor will be running on both), so that in case one of them is compromised, the other one is not.

I'd like to know if it would be reasonable to run a hidden service configured as Apache server connecting to a separate hidden service that acts as a database, and the end user connects to the Apache server?

Additionally, would the latency be low enough to make this feasible, or would it be impossible to use and it would time-out all the time, due to network latency? What would be an ideal server configuration, in terms of resources? Would the apache server need more RAM/CPU, and the DB server more I/O and things like that?

  • 10,801
  • 11
  • 46
  • 85
  • 11
  • 1
  • This is not the way to structure a hidden service. [I've written about this previously here.](http://security.stackexchange.com/a/43485/11291) – Michael Hampton Jan 03 '14 at 06:00

1 Answers1


... I don't think this will work.

The latency and reliability will cripple your site.
Performance and reliability are unlikely to be close to acceptable due to the nature of TOR and any requests involving the database now including at least double the hops to service a client request, with a raised level of lossyness.

Security will also be worse I think; you'll want to run TOR on both servers to ensure other people aren't controlling your entry/exit nodes. The requirements for this will be meek on ram/cpu but bandwidth requirements will go up, particularly if you're trying to hide from someone controlling networks you would need to be a gateway for a lot of other traffic if you're trying to hide.

I don't think I understand the security benefit of trying to hide the servers from each other like this. If they compromise one they will know how to reach the other for the services in question - the only thing it hides a bit is that the attacker who compromises one machine will have a harder time finding other (non-key) services exposed for the other machine, maybe. Additionally though, you're having to expose services to some degree through TOR (hopefully secured to some degree) that you wouldn't normally have to expose externally at all.

  • 804
  • 4
  • 8
  • so i should jsut keep the serers on the local network for load balancing? i mean what sort of specs does mysql need? more ram, or IO, just in general, not on tor, and what for apache? Also, how would both servers be discovered if one gets compromised? Server a has apache and connects to server b, which is miles away. how could you get to server b, even if youre at server a without tracking them down first? – user36603 Jan 03 '14 at 01:21
  • uhm... I don't think you're using the term 'load balancing' the way most people mean it - normally that would mean distributing load across different devices. Should you keep the devices within milliseconds of each other in terms of ping times though? Definitely. As to your other question on how an attacker who compromises host A can discover host B - they don't have to do much discovering. If host A was connecting to B there are instructions right there on A on how to do so. An attacker just connects the same way A was previously to B. – pacifist Jan 03 '14 at 09:56