Diffstat (limited to 'content/articles')
-rw-r--r-- content/articles/about.md 42
-rw-r--r-- content/articles/site-backend.md 137
2 files changed, 159 insertions, 20 deletions
diff --git a/content/articles/about.md b/content/articles/about.md
index af9053d..f682d49 100644
--- a/content/articles/about.md
+++ b/content/articles/about.md
@@ -89,8 +89,9 @@ I enjoy reading about math, programming, computer security, and science,
writing [Open Source software][oss], tinkering with electronics, [3D
printing][], and creating electronic music.
-In my spare time I run a couple of servers which provide web and email
-hosting for friends and family.
+I have been an avid Linux user since the 1990s. In my spare time
+I run a couple of servers which provide web and email hosting for
+friends and family.
## About This Site
@@ -98,30 +99,35 @@ This has been my web site since 1998. The site name is a combination of
"pablo" (my nickname) and "tron" (technical).
I typically post project updates, longer articles, and links that I find
-interesting.
+interesting. I put a considerable amount of effort into keeping this
+site fast, secure, and responsive.
+
+This site is and will always be free of advertisements and trackers.
More about this site:
- [Archived Posts][]: Older blog posts, grouped by year.
-- [Site Backend][]: Description of the technology behind this site.
+- [Site Backend][]: Explanation of the technology behind this site.
+- [Onion Service][pabstor]: Site mirror, only accessible via [Tor][].
## Links
-* [GitHub][github-me]: My [GitHub][] page.
-* [Keybase][keybase-me]: My [Keybase][] page.
-* [Mastodon][mastodon-me]: My [Mastodon][] page (currently empty).
-* [PGP Key][pgp-key]: My [PGP][] key.
+- [GitHub][github-me]: My [GitHub][] page.
+- [Keybase][keybase-me]: My [Keybase][] page.
+- [Mastodon][mastodon-me]: My [Mastodon][] page (mostly empty).
+- [PGP Key][pgp-key]: My current [PGP][] key. Fingerprint:
+ [021136521548EB198F64FF738E182534CDD1F2B8][pgp-key-keys-openpgp-org].
## Old Sites
Archives of this site and my other sites are available via the [Wayback
Machine][] at the following URLs:
-* [Pre-1999 Site (archive)][ia-efn]: My personal site before 1999. Try
+- [Pre-1999 Site (archive)][ia-efn]: My personal site before 1999. Try
not to giggle (too much).
-* [paulduncan.org (archive)][ia-pdo]: My personal site from 2003 until
- 2017.
-* [pablotron.org (archive)][ia-pto]: Technical content from 1998 until
+- [paulduncan.org (archive)][ia-pdo]: My non-technical personal site
+ from 2003 until 2017.
+- [pablotron.org (archive)][ia-pto]: Technical content from 1998 until
now.
[oss]: https://en.wikipedia.org/wiki/Open-source_software
@@ -135,7 +141,7 @@ Machine][] at the following URLs:
[ia-efn]: https://web.archive.org/web/*/http://efn.org/~p_duncan/
"My personal site before 1999."
[ia-pdo]: https://web.archive.org/web/*/https://paulduncan.org/
- "My personal site from 2003 until 2017."
+ "My non-technical personal site from 2003 until 2017."
[ia-pto]: https://web.archive.org/web/*/https://pablotron.org/
"My personal and technical site from 1998 until the present."
[php]: https://php.net/
@@ -168,3 +174,13 @@ Machine][] at the following URLs:
"Archived Posts"
[site backend]: {{< relref "articles/site-backend.md" >}}
"Site Backend"
+[pabstor]: http://pabstordmsrzhushs5drpb5mtb2ml56iyacidsjfebl2jlss65rlbsqd.onion
+ "Onion service URL for this site."
+[onion service]: https://community.torproject.org/onion-services/
+ "Service that can only be accessed via the Tor network."
+[onion address]: https://en.wikipedia.org/wiki/.onion
+ "Top-level domain for onion services."
+[tor]: https://torproject.org/
+ "The Onion Router"
+[pgp-key-keys-openpgp-org]: https://keys.openpgp.org/search?q=021136521548EB198F64FF738E182534CDD1F2B8
+ "Entry for my PGP key on keys.openpgp.org."
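Review bot: the `[pabstor]` reference added in this hunk points at `pabstordmsrzhushs5drpb5mtb2ml56iyacidsjfebl2jlss65rlbsqd.onion`, while the `Onion-Location` header, the Nginx `server_name` and the `[pablotron.onion]` reference added to site-backend.md in this same commit all use `pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion`. A reader cannot tell which address is authoritative; if both are valid names for the same mirror, say so in the link title, otherwise point `[pabstor]` at the address the server is configured for. The `[onion service]` and `[onion address]` definitions are also not used by any line this diff adds to about.md, which uses only `[pabstor]` and `[Tor][]`.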
diff --git a/content/articles/site-backend.md b/content/articles/site-backend.md
index 62f5947..e096e0d 100644
--- a/content/articles/site-backend.md
+++ b/content/articles/site-backend.md
@@ -132,6 +132,7 @@ Images are created as follows:
Other notes:
- The animated site logo is an [SVG][] generated by [this Ruby script][gen-logo.rb].
+- [Favicon][] is a 907 byte [PNG][] instead of a 4k [ICO][].
- Menubar icons are borrowed from [Bootstrap Icons][].
- I reviewed several [PNG][] compressors in [this post][post-png-compressors].
@@ -295,6 +296,9 @@ redirects removed:
# POST needed for /hooks
Header append "Access-Control-Allow-Methods" "POST, GET, HEAD, OPTIONS"
+ # expose onion service
+ Header set "Onion-Location" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion%{REQUEST_URI}s"
+
# cache images, stylesheets, and javascript for 1 year
<FilesMatch "\.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$">
Header set Cache-Control "max-age=31536000, public"
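Review bot: in the added `Header set "Onion-Location"` line, the trailing `s` in `%{REQUEST_URI}s` is the mod_headers format specifier that is resolved through mod_ssl, so the header value depends on that module being loaded; a short comment next to the directive would make the dependency explicit. Tor Browser only acts on Onion-Location when the response arrives over HTTPS, so it is also worth stating in the comment that this block belongs to the TLS virtual host.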
@@ -318,7 +322,12 @@ redirects removed:
#### HTTP Compression
-[HTTP compression][] is supported via [mod\_deflate][mod-deflate].
+[HTTP compression][] is supported via [mod\_deflate][mod-deflate]. The
+list of [MIME types][] has been adjusted, like so:
+
+```apache
+AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml
+```
It is safe for this site to enable [mod\_deflate][mod-deflate] because
it does not use [cookies][] and is not vulnerable to [BREACH][].
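Review bot: the added `AddOutputFilterByType DEFLATE` list names `text/javascript` and `application/x-javascript` but not `application/javascript`; if the server's MIME map serves `.js` files under that type, scripts go out uncompressed. Either add the type or note which one the site actually emits. The same list is reused for `gzip_types` in the Nginx config added later in this commit, so the two should be kept in step.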
@@ -510,10 +519,6 @@ The generated [HTML][] has been modified to:
"pass-environment-to-command": [{
"source": "string",
- "envname": "DEPLOY_HTDOCS_PATH",
- "name": "/data/www/pablotron.org/builds/current"
- }, {
- "source": "string",
"envname": "DEPLOY_REPO_DIR",
"name": "/data/www/pablotron.org/git"
}, {
@@ -537,6 +542,85 @@ The generated [HTML][] has been modified to:
[Download][webhook.conf]
+## Onion Service
+
+This site is mirrored on the [Tor network][tor] at the following [onion
+address][.onion]:
+
+[http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/][pablotron.onion]
+
+**Note:** The [onion address][.onion] will only work for [Tor][]-enabled
+browsers like [Tor Browser][].
+
+Configuration Notes:
+
+- Vanity [.onion][] address generated with [mkp224o][].
+- Served with [Nginx][] instead of [Apache][], because [Nginx][]
+ can listen on a [domain socket][].
+- Public site sets [Onion-Location][] response header. Allows
+ [Tor Browser][] users to easily redirect to the [onion
+ address][.onion].
+
+[Nginx][] configuration:
+
+```nginx
+server {
+ listen unix:/var/run/tor/pablotron.sock;
+ server_name pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion;
+ root /store/www/pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/htdocs;
+ index index.html;
+ access_log /var/log/nginx/pablotron-access.log;
+
+ # enable compression, compress common types
+ gzip on;
+ gzip_types text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml;
+
+ # security headers (see comments in apache config)
+ add_header "X-Frame-Options" "SAMEORIGIN";
+ add_header "X-Content-Type-Options" "nosniff";
+ add_header "Cross-Origin-Opener-Policy" "same-origin";
+ add_header "Cross-Origin-Resource-Policy" "same-origin";
+ add_header "Access-Control-Allow-Origin" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion";
+ add_header "Referrer-Policy" "strict-origin-when-cross-origin";
+ add_header "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()";
+
+ # different from apache; POST method not needed
+ add_header "Access-Control-Allow-Methods" "GET, HEAD, OPTIONS";
+
+ location ~ \.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$ {
+ # cache images, stylesheets, and javascript for 1 year
+ # note: caching makes a BIG difference when browsing via tor
+ expires 1y;
+ }
+
+ location ~ \.svg$ {
+ # relax Content-Security-Policy for SVGs to allow
+ # `style-src-attr 'unsafe-inline'`
+ add_header "Content-Security-Policy" "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'";
+ }
+
+ location ^~ \.svg$ {
+ # default Content-Security-Policy
+ add_header "Content-Security-Policy" "default-src 'self'; img-src 'self' https://pmdn.org";
+ }
+}
+```
+
+[Download][pablotron.onion.conf]
+
+[Tor][] configuration:
+
+```ini
+HiddenServiceDir /var/lib/tor/pablotron/
+HiddenServicePort 80 unix:/var/run/tor/pablotron.sock
+```
+
+References:
+
+- [Set up Your Onion Service][onion-service-setup]
+- [Vanity .onion addresses][vanity-onion-address]
+- [Onion-Location][]
+
## Validation
I periodically use the following tools to verify this site:
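Review bot: `location ^~ \.svg$` near the end of the added Nginx config does not mean "everything except SVG". `^~` is a prefix-match modifier, so that block only matches URIs that literally begin with the characters `\.svg$`, and the default Content-Security-Policy is never sent. Nginx has no negated-regex location; put the default policy in `location /` instead. Two related problems in the same config: the cache location regex earlier in the block already lists `svg` and regex locations are tried in order, so `location ~ \.svg$` with the relaxed policy is never selected; and any location that declares its own `add_header` stops inheriting the server-level `add_header` lines, so the security headers have to be repeated (or pulled in with an include) wherever a location sets a CSP.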
@@ -546,12 +630,14 @@ I periodically use the following tools to verify this site:
- [Security Headers][securityheaders.com]: Check [HTTP][]
security headers.
- [SSL Labs SSL Test][ssl-labs-ssl-test]: Check [TLS][] configuration.
+- [htmltest][]: Check for broken links and other common [HTML][] errors.
+- [goaccess][]: Generate summary report of site statistics.
I also manually check the site in the desktop and mobile versions of
[Chrome][] and [Firefox][].
-I am investigated doing automated validation with [htmltest][],
-[htmltidy][], and the [W3C validator][], but have not added them yet.
+I am investigated doing automated validation with [htmltidy][], and the
+[W3C validator][], but have not added them yet.
## Other
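Review bot: the rewritten sentence at the end of this hunk still begins "I am investigated doing automated validation"; it should read "I am investigating" or "I have investigated". With `[htmltest][]` moved into the list above, only two items remain, so the comma after `[htmltidy][]` is now stray.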
@@ -595,6 +681,11 @@ published.
black box.
- 2025-01-30: Added [robots.txt][] info to [Other](#other).
- 2025-03-31: Update wording to reflect the following changes: default to dark mode and remove [`prefers-color-scheme`][prefers-color-scheme] detection.
+- 2025-04-26: Document [PNG][] [favicon][].
+- 2025-05-12: Document [htmltest][] and [goaccess][].
+- 2025-05-18: Add [Onion Service](#onion-service "Onion Service") section.
+- 2025-06-07: Add caching and security headers to [nginx][] config in
+ [Onion Service](#onion-service "Onion Service") section.
[s-hugo-configuration]: #hugo-configuration
"Hugo Configuration"
@@ -816,3 +907,35 @@ published.
"Large Language Model"
[minified]: https://en.wikipedia.org/wiki/Minification_(programming)
"Minification (Wikipedia)"
+[favicon]: https://en.wikipedia.org/wiki/Favicon
+ "favorite icon"
+[ico]: https://en.wikipedia.org/wiki/ICO_(file_format)
+ "ICO icon file format (ICO)"
+[goaccess]: https://goaccess.io/
+ "Fast, real-time web log analyzer."
+[tor]: https://torproject.org/
+ "The Onion Router"
+[onion service]: https://community.torproject.org/onion-services/
+ "Service that can only be accessed via the Tor network."
+[.onion]: https://en.wikipedia.org/wiki/.onion
+ "Top-level domain for onion services."
+[pablotron.onion]: http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/
+ "Onion service URL for this site."
+[nginx]: https://en.wikipedia.org/wiki/Nginx
+ "NGINX web server."
+[domain socket]: https://en.wikipedia.org/wiki/Unix_domain_socket
+ "Unix domain socket."
+[tcp port]: https://en.wikipedia.org/wiki/Transmission_Control_Protocol#TCP_ports
+ "TCP port."
+[pablotron.onion.conf]: /files/articles/site-backend/pablotron.onion.conf.txt
+ "Download Nginx configuration for onion address."
+[mkp224o]: https://github.com/cathugger/mkp224o/
+ "Vanity .onion address generator"
+[onion-service-setup]: https://community.torproject.org/onion-services/setup/
+ "Set up Your Onion Service"
+[vanity-onion-address]: https://community.torproject.org/onion-services/advanced/vanity-addresses/
+ "Vanity .onion address."
+[onion-location]: https://community.torproject.org/onion-services/advanced/onion-location/
+ "Onion-Location HTTP response header."
+[tor browser]: https://en.wikipedia.org/wiki/Tor_(network)#Tor_Browser
+ "Tor browser."
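Review bot: the `[tcp port]` and `[onion service]` definitions added in this block are not referenced by any line this commit adds to site-backend.md; the new Onion Service section uses `[tor]`, `[.onion]`, `[domain socket]` and the other new references, but not these two. Drop them, or use them, for example where the configuration notes explain the choice of a domain socket.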