I know absolutely nothing about the subject but I would at least run nginx and tor in a docker container. Make sure no traffic comes out of the container on my public ip. Wouldn’t solve every problem but seems like it would solve…a lot of them?
That and I could move it around a lot. Not sure if that’s good opsec or bad though lol.
There are plenty of noob mistakes to make when using docker such as accidentally exposing their database port. A lot of mongodb "hacks" in the past were due to this.
You’d probably want some traffic going out on your public IP because everything going via Tor is itself a suspicious activity and likely to draw attention.
The key is to ensure only legal stuff goes out on your IP and the illegal stuff is anonymised. Which is easier said than done.
tunnel all the Tor traffic out through a VPN? I feel like there's probably a bunch of servers operating like that for legit reasons. they'd probably assume you're just seeding torrents or something.
you can do the same trick to connect to it from home - VPN use is common. you'd want a burner laptop, of course, and some physical box preventing the laptop from hitting anything other than the VPN.
I've thought about setting this kind of thing up for fun. you could get really fancy - talking to some hopbox through Tor where you script up actions to take asynchronously, to defeat timing attacks.
Same problem. Tunnelling all of your traffic will look suspicious and thus stand out from the thousands of other people who don't tunnel all of their traffic. If I recall correctly, one of the documents Snowden released even specified that people who tunnel all of their traffic via VPC land themselves on government lists for closer monitoring. Regardless of whether this is true or not, creating a lot of legitimate traffic on your same gateway should still make it harder to fingerprint you as someone who engages in activities that warrant closer inspection.
The best approach really is just to use VPN for specific purposes. Everyday traffic, checking the news, personal email, etc. shouldn't be via VPN. You should buy yourself a dedicated laptop for "work" with all that traffic going via VPN+Tor. Don't use your "work" laptop for anything personal and vice versa with your personal devices.
This keeps things simple (conceptually) while also effortlessly creating genuinely normal looking traffic. However, eventually you'll still get caught. It doesn't matter how careful you are, you only need to slip up once.
Avoiding all of this is incredibly basic and borderline common sense.
When running a darknet site you don't want associated with the clearnet, step one should be only having the http server listen on the Tor onion domain!