diff --git a/production/install b/production/install index fc89e7e30..0d19ec485 100755 --- a/production/install +++ b/production/install @@ -197,6 +197,7 @@ case $OS in TOR_USER=debian-tor TOR_GROUP=debian-tor CERTBOT_PKG=python3-certbot-nginx + NGINX_ETC_FOLDER=/etc/nginx NGINX_CONFIGURATION=/etc/nginx/nginx.conf ;; esac @@ -925,6 +926,8 @@ if [ "${TOR_INSTALL}" = ON ];then osSudo "${ROOT_USER}" /bin/sh -c "echo HiddenServiceDir ${TOR_RESOURCES}/${MEMPOOL_TOR_HS}/ >> ${TOR_CONFIGURATION}" osSudo "${ROOT_USER}" /bin/sh -c "echo HiddenServicePort 80 127.0.0.1:81 >> ${TOR_CONFIGURATION}" osSudo "${ROOT_USER}" /bin/sh -c "echo HiddenServiceVersion 3 >> ${TOR_CONFIGURATION}" + else + osSudo "${ROOT_USER}" sed -i.orig "s!__TOR_RESOURCES__!${TOR_RESOURCES}!" "${TOR_CONFIGURATION}" fi case $OS in @@ -936,7 +939,7 @@ if [ "${TOR_INSTALL}" = ON ];then # start tor now so it can bootstrap in time for bitcoin starting a few mins later echo "[*] Starting Tor service" - osSudo "${ROOT_USER}" service tor start + osSudo "${ROOT_USER}" service tor restart fi ######################## @@ -1508,6 +1511,12 @@ _EOF_ ##### nginx + +echo "[*] Read tor v3 onion hostnames" +NGINX_MEMPOOL_ONION=$(cat "${TOR_RESOURCES}/mempool/hostname") +NGINX_BISQ_ONION=$(cat "${TOR_RESOURCES}/bisq/hostname") +NGINX_LIQUID_ONION=$(cat "${TOR_RESOURCES}/liquid/hostname") + echo "[*] Adding Nginx configuration" case $OS in 
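Review bot: The three `NGINX_*_ONION=$(cat "${TOR_RESOURCES}/.../hostname")` lines added in the `@@ -1508` hunk read the hidden-service hostname files as the invoking user and never check the result, so a permission error or a file Tor has not written yet (the `hostname` file only appears after Tor has loaded that HiddenServiceDir) leaves the variable empty and the later sed quietly substitutes an empty onion into nginx.conf. As far as I recall Tor keeps each HiddenServiceDir at mode 0700 owned by the tor user, so on the Debian branch (`TOR_USER=debian-tor`) a plain `cat` fails unless the installer already runs as root; the neighbouring lines go through `osSudo "${ROOT_USER}"` and these should too. I would also fail loudly and sanity-check the value before it is interpolated into a sed expression, e.g. `NGINX_MEMPOOL_ONION=$(osSudo "${ROOT_USER}" cat "${TOR_RESOURCES}/mempool/hostname") || { echo "[!] cannot read mempool onion hostname" >&2; exit 1; }` followed by `case "${NGINX_MEMPOOL_ONION}" in *.onion) ;; *) echo "[!] unexpected onion hostname" >&2; exit 1 ;; esac`, repeated for bisq and liquid.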
@@ -1517,8 +1526,16 @@ case $OS in Debian) osSudo "${ROOT_USER}" install -c -o "${ROOT_USER}" -g "${ROOT_GROUP}" -m 644 "${MEMPOOL_HOME}/${MEMPOOL_REPO_NAME}/production/nginx/nginx.conf" "${NGINX_CONFIGURATION}" -#echo "[*] Restarting Nginx" -#osSudo "${ROOT_USER}" service nginx restart + mkdir -p /var/cache/nginx/services /var/cache/nginx/api + chown www-data: /var/cache/nginx/services /var/cache/nginx/api + ln -s /mempool/mempool /etc/nginx/mempool + osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_USER__!www-data!" "${NGINX_CONFIGURATION}" + osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_ETC_FOLDER__!${NGINX_ETC_FOLDER}!" "${NGINX_CONFIGURATION}" + osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_MEMPOOL_ONION__!${NGINX_MEMPOOL_ONION%.onion}!" "${NGINX_CONFIGURATION}" + osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_BISQ_ONION__!${NGINX_BISQ_ONION%.onion}!" "${NGINX_CONFIGURATION}" + osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_LIQUID_ONION__!${NGINX_LIQUID_ONIONi%.onion}!" "${NGINX_CONFIGURATION}" + echo "[*] Restarting Nginx" + osSudo "${ROOT_USER}" service nginx restart ;; esac diff --git a/production/nginx/nginx.conf b/production/nginx/nginx.conf index 24f389533..83a794e51 100644 --- a/production/nginx/nginx.conf +++ b/production/nginx/nginx.conf @@ -1,4 +1,4 @@ -user nobody; +user __NGINX_USER__; pid /var/run/nginx.pid; worker_processes auto; @@ -10,11 +10,11 @@ events { } http { - # DNS servers for on-demand recursive resolver + # DNS servers for on-demand resolution, change if desired resolver 8.8.8.8; # include default mime types - include /usr/local/etc/nginx/mime.types; + include __NGINX_ETC_FOLDER__/mime.types; default_type application/octet-stream; # HTTP basic configuration 
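Review bot: `${NGINX_LIQUID_ONIONi%.onion}` in the liquid sed line of the `@@ -1517` hunk expands a variable that is never set (`NGINX_LIQUID_ONIONi`), so `__NGINX_LIQUID_ONION__` is replaced with an empty string and the liquid server block ends up with `set $onion "";`; the line should read `osSudo "${ROOT_USER}" sed -i.orig "s!__NGINX_LIQUID_ONION__!${NGINX_LIQUID_ONION%.onion}!" "${NGINX_CONFIGURATION}"`. The new `mkdir -p`, `chown www-data:` and `ln -s /mempool/mempool /etc/nginx/mempool` lines run without `osSudo "${ROOT_USER}"` unlike every line around them, `ln -s` fails on a second run once the link exists (`ln -sfn` is idempotent), and the link target hard-codes `/etc/nginx` instead of the `${NGINX_ETC_FOLDER}` this commit introduces. Note also that each successive `sed -i.orig` call overwrites the same `nginx.conf.orig`, so after the fifth call the backup holds a partially substituted file rather than the pristine template.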
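Review bot: The `resolver 8.8.8.8;` kept in the `@@ -10` hunk now sits in a configuration whose server blocks are reachable only through Tor (`listen 127.0.0.1:8x` in the hunks below), and any runtime lookup nginx performs through it goes in cleartext to a third-party resolver outside Tor; nginx does such lookups at request time when a `proxy_pass` target contains variables, which may or may not apply to the included server-*.conf files I cannot see. The rewritten comment "change if desired" undersells that; I would write `# DNS resolver for nginx's own runtime lookups; queries go to the clearnet, not through Tor — point this at a local resolver if that matters for this deployment`. The `http {` block continues past the hunk.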
@@ -32,9 +32,13 @@ http { # MEMPOOL.NINJA server { # clearnet v4/v6 - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name mempool.ninja; + #listen 443 ssl http2; + #listen [::]:443 ssl http2; + server_name _; + + # tor v3 + listen 127.0.0.1:81; + set $onion "__NGINX_MEMPOOL_ONION__"; # for services from mempool.space like contributors on about page set $mempoolSpaceServices "https://mempool.space"; @@ -52,30 +56,24 @@ http { set $esploraTestnet "http://esplora-bitcoin-testnet"; set $esploraSignet "http://esplora-bitcoin-signet"; - # tor v3 - listen 127.0.0.1:81; - set $onion "mempoolhqx4isw62xs7abwphsq7ldayuidyx2v2oethdhhj6mlo2r6ad"; - # filesystem paths root /mempool/public_html/mainnet/; access_log /var/log/nginx/mempool-access.log; error_log /var/log/nginx/mempool-error.log; - # ssl configuration - ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem; - include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; - # site configuration include mempool/production/nginx/server-mempool.conf; } # BISQ.NINJA server { # clearnet v4/v6 - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name bisq.ninja; + #listen 443 ssl http2; + #listen [::]:443 ssl http2; + server_name _; + + # tor v3 + listen 127.0.0.1:82; + set $onion "__NGINX_BISQ_ONION__"; # for services from mempool.space like contributors on about page set $mempoolSpaceServices "https://mempool.space"; 
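Review bot: With the clearnet `listen 443` lines merely commented out and `server_name mempool.ninja` replaced by `server_name _;` in the `@@ -32` hunk, the three server blocks (bisq in the `@@ -52` hunk, liquid in the `@@ -86` hunk) become indistinguishable by name; that is harmless while each listens only on its own loopback port, but whoever later uncomments the 443 lines gets three `server_name _` blocks on one socket and nginx silently routes every request to the first one. Either drop the commented-out listens or leave a comment next to them, e.g. `# re-enabling 443 requires distinct server_name values; all three blocks currently use _`. The enclosing `http {` block starts and ends outside the hunk.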
@@ -86,30 +84,24 @@ http { # for blockstream/esplora daemon, see upstream-esplora.conf set $esploraMainnet "http://esplora-bitcoin-mainnet"; - # tor v3 - listen 127.0.0.1:82; - set $onion "bisqmktse2cabavbr2xjq7xw3h6g5ottemo5rolfcwt6aly6tp5fdryd"; - # filesystem paths root /mempool/public_html/bisq/; access_log /var/log/nginx/bisq-access.log; error_log /var/log/nginx/bisq-error.log; - # ssl configuration - ssl_certificate /usr/local/etc/letsencrypt/live/bisq.ninja/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/bisq.ninja/privkey.pem; - include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; - # site configuration include mempool/production/nginx/server-bisq.conf; } # LIQUID.PLACE server { # clearnet v4/v6 - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name liquid.place; + #listen 443 ssl http2; + #listen [::]:443 ssl http2; + server_name _; + + # tor v3 + listen 127.0.0.1:83; + set $onion "__NGINX_LIQUID_ONION__"; # for services from mempool.space like contributors on about page set $mempoolSpaceServices "https://mempool.space"; 
@@ -122,36 +114,12 @@ http { set $esploraMainnet "http://esplora-liquid-mainnet"; set $esploraTestnet "http://esplora-liquid-testnet"; - # tor v3 - listen 127.0.0.1:83; - set $onion "liquidmom47f6s3m53ebfxn47p76a6tlnxib3wp6deux7wuzotdr6cyd"; - # filesystem paths root /mempool/public_html/liquid/; access_log /var/log/nginx/liquid-access.log; error_log /var/log/nginx/liquid-error.log; - # ssl configuration - ssl_certificate /usr/local/etc/letsencrypt/live/liquid.place/fullchain.pem; - ssl_certificate_key /usr/local/etc/letsencrypt/live/liquid.place/privkey.pem; - include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; - # site configuration include mempool/production/nginx/server-liquid.conf; } - # HTTP to HTTPS redirect - server { - # clearnet v4/v6 - listen 80; - listen [::]:80; - server_name _; - - # only redirect for our hosted domains - if ($host ~ "^(mempool.ninja|bisq.ninja|liquid.place)$") - { - return 301 https://$host$request_uri; - } - return 503; - } } diff --git a/production/torrc b/production/torrc index 9adace613..454cafba0 100644 --- a/production/torrc +++ b/production/torrc @@ -3,21 +3,21 @@ SOCKSPort 9050 ControlPort 9051 Log notice syslog -DataDirectory /var/db/tor +DataDirectory __TOR_RESOURCES__ DataDirectoryGroupReadable 1 CookieAuthentication 1 -CookieAuthFile /var/db/tor/control_auth_cookie +CookieAuthFile __TOR_RESOURCES__/control_auth_cookie CookieAuthFileGroupReadable 1 -HiddenServiceDir /var/db/tor/mempool +HiddenServiceDir __TOR_RESOURCES__/mempool HiddenServicePort 80 127.0.0.1:81 HiddenServiceVersion 3 -HiddenServiceDir /var/db/tor/bisq +HiddenServiceDir __TOR_RESOURCES__/bisq HiddenServicePort 80 127.0.0.1:82 HiddenServiceVersion 3 -HiddenServiceDir /var/db/tor/liquid +HiddenServiceDir __TOR_RESOURCES__/liquid HiddenServicePort 80 127.0.0.1:83 HiddenServiceVersion 3