Tags: nginx, tor

.onion connection is not secure


I am trying to set up a .onion address to point to my https site. Every time I try to access it from the .onion address I get a warning in Tor Browser:

Your connection is not secure. The owner of myonionaddress.onion has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website.

Other .onion sites (Facebook's, DuckDuckGo's, etc.) load fine and don't have a warning... just mine. What am I doing wrong?

My config:

HiddenServiceDir /home/user/onion_folder
HiddenServiceVersion 3
HiddenServicePort 443 187.485.887.28:443 

Running Tor version 0.3.4.9.

EDIT:

My website has the following to redirect http to https:

if ($scheme != "https") {
  return 301 https://$host$request_uri;
}

How do I redirect regular users to the https version while allowing http from the .onion address?

EDIT 2:

I've also tried:

if ($scheme != "https") {
  if ($host !~* "\.onion$") {
    return 301 https://$host$request_uri;
  }
}

EDIT #3:

server {
  listen 80;
  server_name example.com www.example.com yourhiddenserviceaddress.onion;
  ...
}

Solution

• You will want to allow "insecure" (http) connections to your site from your hidden service.

  The config should look like:

  HiddenServiceDir /home/user/onion_folder
  HiddenServiceVersion 3
  HiddenServicePort 80 187.485.887.28:80

  You will also need to make sure that the website doesn't attempt to redirect the visitor to https or to your primary domain (instead of the .onion address).

  Some certificate authorities (which ones?) may issue SSL certificates to .onion hosts, but it is not necessary in order to enable secure connections. Tor hidden service connections are encrypted end to end, so you don't need the SSL certificate to secure the connection, only to establish trust that the hidden service is actually operated by your company/site and is not a fake.

  Bootnote:

  At least one CA that will issue certificates to .onion domains is DigiCert.
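The following nginx configuration is an added example illustrating the answer above; it is not from the original question or answer. It splits the site into separate server blocks so that the .onion name is served over plain HTTP with no redirect, while the clearnet names keep their HTTP-to-HTTPS redirect. Because nginx selects the server block by the requested host, no `if` directive is needed at all (nginx also rejects the nested `if` from EDIT 2 as a configuration error). The hostnames example.com, www.example.com and yourhiddenserviceaddress.onion, the certificate paths and the site root are assumed placeholders; the torrc side is the `HiddenServicePort 80 <ip>:80` line from the answer.

```nginx
# Added example, not the original poster's configuration.
# Assumed placeholders: example.com / www.example.com (clearnet names),
# yourhiddenserviceaddress.onion (onion name), /var/www/example (site root),
# /etc/letsencrypt/live/example.com/ (certificate and key for the clearnet name).
# Pair with the torrc line from the answer, e.g.:
#   HiddenServicePort 80 127.0.0.1:80   (or the host's public IP, as in the answer)

# 1. Onion service: plain HTTP and NO redirect. The Tor circuit already
#    encrypts the connection end to end and the .onion name is bound to the
#    service's key, so a TLS redirect here only produces the warning seen in
#    the question unless you hold a certificate for the .onion name.
server {
    listen 80;
    server_name yourhiddenserviceaddress.onion;

    root  /var/www/example;
    index index.html;

    # If the application ever emits absolute redirects, build them from $host
    # (the .onion name the visitor used), never from a hard-coded clearnet name.
    location / {
        try_files $uri $uri/ =404;
    }
}

# 2. Clearnet HTTP: redirect to HTTPS. This block is only selected for the
#    clearnet names, so onion visitors never hit the redirect.
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

# 3. Clearnet HTTPS. The optional Onion-Location header advertises the onion
#    mirror to Tor Browser (honoured only on HTTPS pages, Tor Browser 9.5+).
server {
    listen 443 ssl;
    http2 on;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    root  /var/www/example;
    index index.html;

    add_header Onion-Location http://yourhiddenserviceaddress.onion$request_uri;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Check it with `nginx -t` and reload, then request the site through Tor Browser by its .onion name and through a normal browser by the clearnet name; only the latter should be redirected to https. If Tor runs on the same host as nginx, pointing `HiddenServicePort` at 127.0.0.1 and changing the onion block to `listen 127.0.0.1:80;` keeps the unencrypted onion listener off the public interface entirely. The `http2 on;` directive requires nginx 1.25.1 or later; on older versions use `listen 443 ssl http2;` instead.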