Introducing Onion Containers - Docker Meets the Darknet


Ablative Hosting’s first project is now in public alpha; is a cloud hosting service with a difference. As the name suggests you can spin up a Docker container which is only accessible via Tor.

At the moment you can only spin up free instances of NGINX, an SSH shell based on Alpine and a PostgreSQL container. These containers last for between 15 minutes and 1 hour. But when we move to Beta in Q3 2018 you will be able to specify any Docker image from any registry and OnionContainers will pull it down ready for you to configure.

We are also proud to report that we have secured an EV Certificate and will be serving this on our container656ovix.onion domain and, in what we believe to a world first, a NextGen Onion; hzwjmjimhr7bdmfv2doll4upibt5ojjmpo3pbp5ctwcg37n3hyk7qzid.onion/.

We don’t require any personal information from you to use our services but we want to ensure that you know you’ve visited the right place so an EV certificate seemed to be a good idea!

The OnionContainers service was built to allow people an easy way to host content via Tor Onion Services but in a way that respects your privacy and what better way to do that than to not require any personal information, facilitate Monero and use Onion Services ourselves!

Q3 Beta Features

  1. Specify any image for use with your container
  2. Specify up to 10 Tor Onion Service port mappings (e.g. map to container:8080)
  3. Specify environment variables for your container
  4. Pay with Bitcoin, Monero or ZCash to keep your container running for as long as you wish

Q4 Release

  1. Write a custom docker file
  2. Use Docker Swarm to spin up multiple containers (e.g. Wordpress & MySQL)
  3. Integration with for alerting if your service goes down
  4. A Docker registry running at and container656ovix.onion:5000 for users to store their own images

The Journey to .onion EV TLS

Securing an Extended Validation certificate can be a pain but the folks at CertSimple make it much easier. There are still some hurdles to jump over but we’ll cover them here.

  1. Generate your onion address
  2. Generate an RSA public key from your private key due to the concerns around SHA1 openssl rsa -in key.pem -pubout -out pubkey.pem
  3. Register your Business Name somewhere such as HotFrog or
    • Ensure your address matches that of Companies House / Domain / Certificate
    • Ensure the phone number listed is one which can be transferred through to yourself
  4. Generate your CSR and key (unless you really trust CertSimple) openssl ecparam -genkey -name prime256v1 -out xxxxxxxx.onion.key openssl req -new -key xxxxxxxx.onion.key -out xxxxxxxx.onion.csr -subj '/C=GB/L=Town/O=Company Name/CN=xxxxxxxx.onion' cat xxxxxxxx.onion.csr
  5. Ensure your website whois lists an email address you can check
    • If you don’t receive the email sent to the address it will slow things down
    • DNS TXT verification is an option - ensure you email the team
  6. Goto and start the process
    • Enter the business name *(it should autocomplete from Companies House)_
    • Enter a display City/Town *(it should match all your other details)_
    • Enter your .onion domain
    • Choose to upload your own CSR
    • Enter your contact details (used as part of the validation process but don’t feature in the Certificate)
    • Choose 1 year and then fill in the payment details and you’re all sorted.
  7. You will receive several emails
    • An email asking to confirm the Terms and Conditions of the CA with the subject “Completing Your [CA] Order “
    • An email asking to confirm access to the domain(s) (step 5) with the subject “Please validate ownership of your domain”
    • An email asking you to forward the URL of the profile you create in Step 3 to the CA’s support team.
  8. Reply back to the email from CertSimple, attach the RSA public key you generated in Step 2 and advise them if you’d like to have a wildcard record for your .onion
  9. You will shortly receive a phone call asking to confirm the details and permission to issue the certificate
  10. A few hours later you should receive your certificate
  11. Install it and you’re good to go;