>I tested it and I guess we are stuck on this setting forever for this onion address now... On the plus side it did make a massive difference to the performance.
Thanks for testing it out; it seems the change has made the speeds basically equal to the clearnet address over tor. Did you make any other tweaks to the firewall's tor rate limiting in general, or just this, to massively improve the speeds? You don't have to specify if people who DDoS'd watching this board is a concern. I also had no clue that it was irreversible; I'm assuming this is due to how Hidden Service Directories work. Your new HS descriptor rotates every 24 hours, and you might change back to anonymous mode, then switch server to hide the server location within 24 hours; you haven't switched descriptor, and thus all six HS Directories are unchanged and still serving up introduction points for your now full circuit, making timing attacks extremely easy for a short period of time and potentially exposing your server's location.
I now see this in the manual which I probably forgot about...
>WARNING: Once a hidden service directory has been used by a tor instance in HiddenServiceSingleHopMode, it can NEVER be used again for a hidden service. It is best practice to create a new hidden service directory, key, and address for each new Single Onion Service and Hidden Service. It is not possible to run Single Onion Services and Hidden Services from the same tor instance: they should be run on different servers with different IP addresses.
>This does sound both concerning and weird. Sounds like they're saying the server can make the client less anonymous. Maybe I'm interpreting that wrong.
You are misinterpreting it in a sense; it's just a warning that they haven't researched it yet and therefore don't know how easily identifiable it would be for an adversary such as your ISP or your guard to be able to tell that you're connecting to a single hop onion instead of a hidden one. The reason this would be worrying is that for anonymous onion fingerprinting/correlation an adversary could potentially disregard all single hop onion circuits if they could tell the connections apart, making it easier to identify anonymous onions, and vice versa when targeting non-anonymous ones. It just needs more research. And do keep in mind that all Cloudflare sites can be configured to connect via their onion service by default for all tor users, as explained here https://blog.cloudflare.com/cloudflare-onion-service/ which uses single hop onions but obviously increases anonymity for users over just using the clearnet address; the same goes for Facebook's onion being single hop, so it's not as if use of single hop onions doesn't have a large anonymity set for clients, quite the opposite.
I would honestly be more concerned that you're still running a v2 onion for seemingly no real benefit, as well as disregarding the risks https://lists.torproject.org/pipermail/tor-dev/2020-June/014365.html which have been demonstrated, unlike the risks of v3 single hop onions, even more so if you're ever trying to hide the server location in the possible future. If you still really want the benefit of having a slightly memorable address most people won't type out, despite it being deprecated https://blog.torproject.org/v2-deprecation-timeline then just have it redirect to v3. That still runs into the same risks before redirection, as the client still has to query the HS Directory for the v2 address a single time, but it should cause most people to transition to v3.
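The configuration pitfalls the thread circles around (HiddenServiceSingleHopMode without HiddenServiceNonAnonymousMode, client ports left open on a non-anonymous instance, a HiddenServiceDir reused across services, and a v2 service that should be redirecting to v3) are all visible in a torrc before tor is ever started. The following linter is an added example written for this page, not code from anyone in the thread or from the Tor Project. The sample torrc is constructed, the `lint_torrc` function and its severities are my own design, and the SocksPort rule reflects the tor manual's requirement that client-side features be disabled on a non-anonymous instance; the one thing the thread warns about that a static file cannot show, a directory that was once used in single-hop mode and later reused for an anonymous service, is surfaced as an informational binding for the operator instead.

```python
from collections import Counter

# Constructed sample torrc for demonstration only; not a real deployment.
SAMPLE_TORRC = """\
SocksPort 9050
HiddenServiceNonAnonymousMode 1
HiddenServiceSingleHopMode 1

HiddenServiceDir /var/lib/tor/legacy_site/
HiddenServiceVersion 2
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /var/lib/tor/site_v3/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080

HiddenServiceDir /var/lib/tor/site_v3/
HiddenServicePort 443 127.0.0.1:8443
"""

# Options that apply to the whole tor instance rather than to one service.
INSTANCE_WIDE = {"HiddenServiceSingleHopMode", "HiddenServiceNonAnonymousMode"}


def parse_torrc(text):
    """Split a torrc into instance-wide options, per-service blocks and
    orphaned service options.  tor attaches every HiddenService* option to
    the most recent HiddenServiceDir line, so the parser groups the same way."""
    instance, services, orphaned = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "HiddenServiceDir":
            current = {"HiddenServiceDir": value, "HiddenServicePort": []}
            services.append(current)
        elif key.startswith("HiddenService") and key not in INSTANCE_WIDE:
            if current is None:
                orphaned.append(key)              # tor rejects this itself
            elif key == "HiddenServicePort":
                current["HiddenServicePort"].append(value)
            else:
                current[key] = value
        else:
            instance[key] = value
    return instance, services, orphaned


def lint_torrc(text):
    """Return (severity, message) findings, in a stable order, for the
    pitfalls discussed in the thread."""
    instance, services, orphaned = parse_torrc(text)
    findings = []
    single_hop = instance.get("HiddenServiceSingleHopMode") == "1"
    non_anon = instance.get("HiddenServiceNonAnonymousMode") == "1"

    if single_hop and not non_anon:
        findings.append(("error",
            "HiddenServiceSingleHopMode 1 requires HiddenServiceNonAnonymousMode 1; "
            "tor will not start with this combination"))

    # SocksPort defaults to 9050 when unset, so only an explicit 0 passes.
    if non_anon and instance.get("SocksPort", "9050") != "0":
        findings.append(("error",
            "HiddenServiceNonAnonymousMode 1 requires SocksPort 0 (client "
            "features must be disabled on this instance)"))

    for key in orphaned:
        findings.append(("error", f"{key} appears before any HiddenServiceDir"))

    dirs = Counter(s["HiddenServiceDir"] for s in services)
    for d, n in dirs.items():
        if n > 1:
            findings.append(("error",
                f"HiddenServiceDir {d} is listed {n} times; each service needs "
                "its own directory and key"))

    for s in services:
        if s.get("HiddenServiceVersion") == "2":
            findings.append(("warning",
                f"{s['HiddenServiceDir']}: HiddenServiceVersion 2 is deprecated; "
                "serve a v3 address and redirect the v2 one to it"))

    if single_hop:
        # Not detectable from the file alone: once a directory has been used in
        # single-hop mode it must never be reused for an anonymous onion service.
        for d in dirs:
            findings.append(("info",
                f"{d}: directory will be bound to single-hop mode; never reuse "
                "its key for an anonymous onion service"))
    return findings


if __name__ == "__main__":
    for severity, msg in lint_torrc(SAMPLE_TORRC):
        print(f"[{severity}] {msg}")
```

Run it against a real torrc with `lint_torrc(open("/etc/tor/torrc").read())`; errors are things tor itself would refuse or that break the single-hop contract, warnings are the v2 deprecation, and info lines are the irreversible directory bindings worth recording in your own notes before the mode is ever enabled.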