You'd think so, but many things could go wrong to leak your IP. Besides server misconfiguration and hacking / rooting the server, if you are running PHP or other scripting languages, malicious scripts could connect over clearnet to an attacker's server to reveal your IP. The safest configuration is this: http://dkn255hz262ypmii.onion/index.php?topic=100998.0 But that's too expensive for the vast majority of hidden services. A better alternative is to use VMs or jails to isolate the web server and the Tor client, and route everything from the web server VM through the Tor VM, for example, so even if the server is pwned, the attacker won't find your IP (at least not easily). Another option is to rent the server anonymously and make frequent backups. This is the "disposable server" option, where you simply drop the server and redeploy elsewhere if it is pwned. Generally, the simpler the application, in this case the web server software, the smaller the attack surface. Apache is a complex web server with a large attack surface. If you can avoid running scripts entirely, then a simple server that only serves static html would be the safest, but Nginx with minimal features would still be better than Apache.