Tested on Ubuntu 12.04 Precise and suited for a home, virtual or dedicated server.

An Isolating Proxy, where the webserver can not find out it's own external IP address and can only connect through Tor, is always preferred. (Whonix is an Isolating Proxy.) Due to the design of Isolating Proxies you need more RAM compared to installing a hidden service directly. If you are going for a virtual or dedicated server, RAM is money. The more RAM the more you have, the more you have to pay per month. This guide is about installing a hidden service directly and preventing IP leaks by correctly configuring everything. However, this guide will also work for Isolating Proxies.

Install required software

sudo apt-get install php5-cgi mediawiki lighttpd

Remove apache

Just to be sure.

sudo apt-get remove apache*

Check you have no mailsend installed

A non-torified mail send could de-anonymize the server. Look if something like sendmail is installed and manually uninstall if it is the case.

dpkg -l | grep mail


sudo nano /etc/lighttpd/lighttpd.conf
server.modules = (

# Not required. We use standard path /var/www/wiki.
# "mod_redirect",
# "mod_rewrite",

server.port                = 80

server.document-root        = "/var/www"
server.upload-dirs          = ( "/var/cache/lighttpd/uploads" )
server.errorlog-use-syslog  = "enable"
server.errorlog             = "/var/log/lighttpd/error.log"             = "/var/run/"
server.username             = "www-data"
server.groupname            = "www-data"

index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm",
                               " index.lighttpd.html" )

url.access-deny             = ( "~", ".inc" )

## Use ipv6 if available
#include_shell "/usr/share/lighttpd/"

dir-listing.encoding        = "utf-8"
server.dir-listing          = "enable"

compress.cache-dir          = "/var/cache/lighttpd/compress/"
compress.filetype           = ( "application/x-javascript", "text/css", "text/html", "text/plain" )

include_shell "/usr/share/lighttpd/"
include_shell "/usr/share/lighttpd/"

fastcgi.server = ( ".php" =>
                   ( "localhost" =>
                       "host" => "",
                       "port" => 1026,
                       #"bin-path" => "/opt/php-fcgi/bin/php-cgi"
                       "bin-path" => "/usr/bin/php-cgi"

# Not required. We use standard path /var/www/wiki.
#url.rewrite-once = (
#                     "^/wiki/upload/(.+)" => "/wiki/upload/$1",
#                     "^/$" => "/mw/index.php",
#                     "^/wiki/([^?]*)(?:\?(.*))?" => "/mw/index.php?title=$1&$2"
#                   )

# Not required. We use standard path /var/www/wiki.
# url.redirect = ( "^/(?!w|wiki|robots\.txt|favicon\.ico)(.*)" => "/mw/$1" )

static-file.exclude-extensions = ( ".php", ".pl", ".cgi", ".fcgi" )

# We created a symlink for mediawiki...
server.follow-symlink = "enable"

dir-listing.activate = "disable"
dir-listing.hide-dotfiles = "disable"
dir-listing.exclude = ("^\.", "~$")

# Deactivate IP logs. Just in case.
accesslog.format = "- - - %t \"%r\" %s %b \"%{Referer}i\" \"%{User-Agent}i\""

Find path to php-cgi

Might only be required when not using Ubuntu or Debian.

which php-cgi

Change php-cgi path in lighttpd.conf

Might only be required when not using Ubuntu.

nano /etc/lighttpd/lighttpd.conf

Where Ubuntu installed mediawiki

For your interest only.

Ubuntu installed mediawiki to:


Enabling fastcgi

mv /etc/lighttpd/conf-available/10-fastcgi.conf /etc/lighttpd/conf-enabled/.
mv /etc/lighttpd/conf-available/15-fastcgi-php.conf /etc/lighttpd/conf-enabled/.

Syntax for creating symlinks

For your interest only.

ln -s {/path/to/file-name} {link-name}

Create the symlink

ln -s /var/lib/mediawiki /var/www/wiki

Tweak LocalSettings.php to prevent IP leaks

Read through and search for "IP ".

Deactivate mediawiki IP logging

Just to be sure.

Edit /var/lib/mediawiki/includes/ProxyTools.php.

nano /var/lib/mediawiki/includes/ProxyTools.php 

Look out for:

return $ip

And add "$ip = '';" before "return $ip". Must look like this:

$ip = '';
return $ip

Secure permissions

Ensure other users may not view passwords or edit content.

chown --recursive www-data:www-data /var/www
chmod --recursive o-rwx /var/www
chmod --recursive g-rwx /var/www



Helpful sources while compiling this guide.

Last modified 16 months ago Last modified on Aug 14, 2016, 10:22:01 AM