Diffstat (limited to 'content/articles/site-backend.md')
-rw-r--r--content/articles/site-backend.md139
1 files changed, 130 insertions, 9 deletions
diff --git a/content/articles/site-backend.md b/content/articles/site-backend.md
index 5e752a2..e096e0d 100644
--- a/content/articles/site-backend.md
+++ b/content/articles/site-backend.md
@@ -111,8 +111,6 @@ Here are a few articles which cover guidelines that I follow:
- [Why your website should be under 14kB in size][14kb]
- [5 things you don't need JavaScript for][you-dont-need-js]
-
-
### Images
Images are created as follows:
@@ -134,6 +132,7 @@ Images are created as follows:
Other notes:
- The animated site logo is an [SVG][] generated by [this Ruby script][gen-logo.rb].
+- [Favicon][] is a 907 byte [PNG][] instead of a 4k [ICO][].
- Menubar icons are borrowed from [Bootstrap Icons][].
- I reviewed several [PNG][] compressors in [this post][post-png-compressors].
@@ -297,6 +296,9 @@ redirects removed:
# POST needed for /hooks
Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+ # expose onion service
+ Header set "Onion-Location" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion%{REQUEST_URI}s"
+
# cache images, stylesheets, and javascript for 1 year
<FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
Header set Cache-Control "max-age=31536000, public"
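Review bot: the `Header set "Onion-Location" "http://...onion%{REQUEST_URI}s"` line relies on the `%{VAR}s` format of mod_headers, which resolves the variable through mod_ssl, so it only works in a vhost where mod_ssl is loaded; a one-line comment saying so (and that Tor Browser only honours Onion-Location on HTTPS responses, which the public site already provides) would save the next reader a trip to the docs. Also worth a quick check that a request with a query string still lands on the intended onion URL, since the expansion here carries only the request URI.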
@@ -320,7 +322,12 @@ redirects removed:
#### HTTP Compression
-[HTTP compression][] is supported via [mod\_deflate][mod-deflate].
+[HTTP compression][] is supported via [mod\_deflate][mod-deflate]. The
+list of [MIME types][] has been adjusted, like so:
+
+```apache
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml
+```
It is safe for this site to enable [mod\_deflate][mod-deflate] because
it does not use [cookies][] and is not vulnerable to [BREACH][].
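Review bot: the justification kept in the context lines ("does not use cookies and is not vulnerable to BREACH") is weaker than it could be: BREACH needs a secret and attacker-influenced input reflected in the same compressed response, and a fully static site has neither, so stating "the site is static and reflects no request data" next to the new `AddOutputFilterByType` line is the argument that actually holds. Minor: `text/json` is not a registered media type; harmless, but `application/json` in the same list already covers JSON responses.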
@@ -512,10 +519,6 @@ The generated [HTML][] has been modified to:
"pass-environment-to-command": [{
"source": "string",
- "envname": "DEPLOY_HTDOCS_PATH",
- "name": "/data/www/pablotron.org/builds/current"
- }, {
- "source": "string",
"envname": "DEPLOY_REPO_DIR",
"name": "/data/www/pablotron.org/git"
}, {
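Review bot: dropping the `DEPLOY_HTDOCS_PATH` entry from `pass-environment-to-command` changes the environment the hook's deploy command runs with, but nothing in this patch (the changelog hunk included) says why, and the deploy script itself is not shown; confirm that the command no longer reads `DEPLOY_HTDOCS_PATH` (in a shell script an unset variable would silently expand to an empty path) and add either a changelog line or a sentence near the config noting where the htdocs path now comes from.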
@@ -539,6 +542,85 @@ The generated [HTML][] has been modified to:
[Download][webhook.conf]
+## Onion Service
+
+This site is mirrored on the [Tor network][tor] at the following [onion
+address][.onion]:
+
+[http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/][pablotron.onion]
+
+**Note:** The [onion address][.onion] will only work for [Tor][]-enabled
+browsers like [Tor Browser][].
+
+Configuration Notes:
+
+- Vanity [.onion][] address generated with [mkp224o][].
+- Served with [Nginx][] instead of [Apache][], because [Nginx][]
+ can listen on a [domain socket][].
+- Public site sets [Onion-Location][] response header. Allows
+ [Tor Browser][] users to easily redirect to the [onion
+ address][.onion].
+
+[Nginx][] configuration:
+
+```nginx
+server {
+ listen unix:/var/run/tor/pablotron.sock;
+ server_name pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion;
+ root /store/www/pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/htdocs;
+ index index.html;
+ access_log /var/log/nginx/pablotron-access.log;
+
+ # enable compression, compress common types
+ gzip on;
+ gzip_types text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml;
+
+ # security headers (see comments in apache config)
+ add_header "X-Frame-Options" "SAMEORIGIN";
+ add_header "X-Content-Type-Options" "nosniff";
+ add_header "Cross-Origin-Opener-Policy" "same-origin";
+ add_header "Cross-Origin-Resource-Policy" "same-origin";
+ add_header "Access-Control-Allow-Origin" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion";
+ add_header "Referrer-Policy" "strict-origin-when-cross-origin";
+ add_header "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()";
+
+ # different from apache; POST method not needed
+ add_header "Access-Control-Allow-Methods" "GET, HEAD, OPTIONS";
+
+ location ~ \.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$ {
+ # cache images, stylesheets, and javascript for 1 year
+ # note: caching makes a BIG difference when browsing via tor
+ expires 1y;
+ }
+
+ location ~ \.svg$ {
+ # relax Content-Security-Policy for SVGs to allow
+ # `style-src-attr 'unsafe-inline'`
+ add_header "Content-Security-Policy" "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'";
+ }
+
+ location ^~ \.svg$ {
+ # default Content-Security-Policy
+ add_header "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org";
+ }
+}
+```
+
+[Download][pablotron.onion.conf]
+
+[Tor][] configuration:
+
+```ini
+HiddenServiceDir /var/lib/tor/pablotron/
+HiddenServicePort 80 unix:/var/run/tor/pablotron.sock
+```
+
+References:
+
+- [Set up Your Onion Service][onion-service-setup]
+- [Vanity .onion addresses][vanity-onion-address]
+- [Onion-Location][]
+
## Validation
I periodically use the following tools to verify this site:
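Review bot: the Content-Security-Policy handling in the nginx block does not do what the comments say. `location ^~ \.svg$` uses the prefix modifier `^~`, so `\.svg$` is compared as a literal string prefix and never matches, meaning the "default Content-Security-Policy" is never sent; and `location ~ \.svg$` is unreachable because nginx takes the first matching regex location and the `\.(ico|jpg|...|svg|js|json|css)$` block above it already matches `.svg`. Separately, an `add_header` inside any location suppresses inheritance of every server-level `add_header`, so a location that sets its own CSP would drop `X-Frame-Options`, `X-Content-Type-Options`, and the rest. Suggest moving the default CSP up to server level, putting an svg-specific regex location before the general caching one (with `expires 1y;` repeated there and the shared headers pulled in via `include`), and verifying the result with `curl --unix-socket /var/run/tor/pablotron.sock -sI http://<onion>/some.svg` before updating the "Add caching and security headers" changelog entry.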
@@ -548,12 +630,14 @@ I periodically use the following tools to verify this site:
- [Security Headers][securityheaders.com]: Check [HTTP][]
security headers.
- [SSL Labs SSL Test][ssl-labs-ssl-test]: Check [TLS][] configuration.
+- [htmltest][]: Check for broken links and other common [HTML][] errors.
+- [goaccess][]: Generate summary report of site statistics.
I also manually check the site in the desktop and mobile versions of
[Chrome][] and [Firefox][].
-I am investigated doing automated validation with [htmltest][],
-[htmltidy][], and the [W3C validator][], but have not added them yet.
+I am investigated doing automated validation with [htmltidy][], and the
+[W3C validator][], but have not added them yet.
## Other
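Review bot: the rewritten sentence keeps the typo from the removed lines: `I am investigated doing automated validation` should read `I am investigating`, and with only two items left the comma before `and the [W3C validator][]` is spurious.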
@@ -597,6 +681,11 @@ published.
black box.
- 2025-01-30: Added [robots.txt][] info to [Other](#other).
- 2025-03-31: Update wording to reflect the following changes: default to dark mode and remove [`prefers-color-scheme`][prefers-color-scheme] detection.
+- 2025-04-26: Document [PNG][] [favicon][].
+- 2025-05-12: Document [htmltest][] and [goaccess][].
+- 2025-05-18: Add [Onion Service](#onion-service "Onion Service") section.
+- 2025-06-07: Add caching and security headers to [nginx][] config in
+ [Onion Service](#onion-service "Onion Service") section.
[s-hugo-configuration]: #hugo-configuration
"Hugo Configuration"
@@ -818,3 +907,35 @@ published.
"Large Language Model"
[minified]: https://en.wikipedia.org/wiki/Minification_(programming)
"Minification (Wikipedia)"
+[favicon]: https://en.wikipedia.org/wiki/Favicon
+ "favorite icon"
+[ico]: https://en.wikipedia.org/wiki/ICO_(file_format)
+ "ICO icon file format (ICO)"
+[goaccess]: https://goaccess.io/
+ "Fast, real-time web log analyzer."
+[tor]: https://torproject.org/
+ "The Onion Router"
+[onion service]: https://community.torproject.org/onion-services/
+ "Service that can only be accessed via the Tor network."
+[.onion]: https://en.wikipedia.org/wiki/.onion
+ "Top-level domain for onion services."
+[pablotron.onion]: http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/
+ "Onion service URL for this site."
+[nginx]: https://en.wikipedia.org/wiki/Nginx
+ "NGINX web server."
+[domain socket]: https://en.wikipedia.org/wiki/Unix_domain_socket
+ "Unix domain socket."
+[tcp port]: https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
+ "TCP port."
+[pablotron.onion.conf]: /files/articles/site-backend/pablotron.onion.conf.txt
+ "Download Nginx configuration for onion address."
+[mkp224o]: https://github.com/cathugger/mkp224o/
+ "Vanity .onion address generator"
+[onion-service-setup]: https://community.torproject.org/onion-services/setup/
+ "Set up Your Onion Service"
+[vanity-onion-address]: https://community.torproject.org/onion-services/advanced/vanity-addresses/
+ "Vanity .onion address."
+[onion-location]: https://community.torproject.org/onion-services/advanced/onion-location/
+ "Onion-Location HTTP response header."
+[tor browser]: https://en.wikipedia.org/wiki/Tor_(network)#Tor_Browser
+ "Tor browser."
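Review bot: the `[onion service]` and `[tcp port]` reference definitions are added but do not appear to be used by any of the added text in this patch; either reference them (the "can listen on a domain socket" bullet reads like it was meant to contrast with a [TCP port][]) or drop them so link checkers and future edits do not trip over dangling definitions.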