Onion-Location is an easy way to advertise an onion site to your users. You can either configure a web server to send an Onion-Location header or add an HTML <meta> attribute to the website.

For the header to be valid the following conditions need to be fulfilled:

  • The Onion-Location value must be a valid URL with http: or https: protocol and a .onion hostname.
  • The webpage defining the Onion-Location header must be served over HTTPS.
  • The webpage defining the Onion-Location header must not be an onion site.

On this page, the commands to manage the web server are based on Debian-like operating systems and may differ from other systems. Check your web server and operating system documentation.

Apache

To configure this header in Apache 2.2 or above, you will need to enable the headers and rewrite modules and edit the website's Virtual Host file.

Step 1. Enable headers and rewrite modules and reload Apache2

 $ sudo a2enmod headers rewrite

 $ sudo systemctl reload apache2

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Step 2. Add the Onion-Location header to your Virtual Host configuration file

Header set Onion-Location "http://your-onion-address.onion%{REQUEST_URI}s"

Where your-onion-address.onion is the Onion Service address you want to redirect to and {REQUEST_URI} is the path component of the requested URI, such as "/index.html".

Virtual Host example:

     <VirtualHost *:443>
       ServerName <your-website.tld>
       DocumentRoot /path/to/htdocs

       Header set Onion-Location "http://your-onion-address.onion%{REQUEST_URI}s"

       SSLEngine on
       SSLCertificateFile "/path/to/www.example.com.cert"
       SSLCertificateKeyFile "/path/to/www.example.com.key"
     </VirtualHost>

Step 3. Reload Apache

Reload the apache2 service, so your configuration changes take effect:

 $ sudo systemctl reload apache2 

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Step 4. Testing your Onion-Location

To test if Onion-Location is working, fetch the website HTTP headers, for example:

 $ wget --server-response --spider your-website.tld

Look for the onion-location entry and the Onion Service address. Alternatively, open the website in Tor Browser and a purple pill will appear in the address bar.

Nginx

To configure an Onion-Location header, the service operator should first configure an Onion service.

Step 1. Create an Onion service by setting the following in torrc:

HiddenServiceDir /var/lib/tor/hs-my-website/
HiddenServiceVersion 3
HiddenServicePort 80 unix:/var/run/tor-hs-my-website.sock

Step 2. Edit website configuration file

In /etc/nginx/conf.d/<your-website>.conf add the Onion-Location header and the Onion Service address. For example:

    add_header Onion-Location http://<your-onion-address>.onion$request_uri;

The configuration file with the Onion-Location should look like this:

server {
    listen 80;
    listen [::]:80;

    server_name <your-website.tld>;

    location / {
       return 301 https://$host$request_uri;
    }

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name <your-website.tld>;

    # managed by Certbot - https://certbot.eff.org/
    ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Onion-Location http://<your-onion-address>.onion$request_uri;

    # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/<hostname>-access.log;

    index index.html;
    root /path/to/htdocs;

    location / {
            try_files $uri $uri/ =404;
    }
}

server {
        listen unix:/var/run/tor-hs-my-website.sock;

        server_name <your-onion-address>.onion;

        access_log /var/log/nginx/hs-my-website.log;

        index index.html;
        root /path/to/htdocs;
}

Step 3. Test website configuration

 $ sudo nginx -t

The web server should confirm that the new syntax is working:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Step 4. Restart nginx

 $ sudo nginx -s reload

If you get an error message, something has gone wrong and you cannot continue until you've figured out why this didn't work.

Step 5. Testing your Onion-Location

To test if Onion-Location is working, fetch the website HTTP headers, for example:

 $ wget --server-response --spider your-website.tld

Look for the onion-location entry and the Onion Service address. Alternatively, open the website in Tor Browser and a purple pill will appear in the address bar.

Caddy

Caddy features automatic HTTPS by default, so it provisions your TLS certificate and takes care of HTTP-to-HTTPS redirection for you. If you're using Caddy 2, to include an Onion-Location header, add the following declaration in your Caddyfile:

header Onion-Location http://<your-onion-address>.onion{path}

If you're running a static site and have the onion address in a $TOR_HOSTNAME environment variable, your Caddyfile will look like this:

your-website.tld

header Onion-Location http://{$TOR_HOSTNAME}{path}
root * /var/www
file_server

Test it out with:

 $ wget --server-response --spider your-website.tld

Look for the onion-location entry and the Onion Service address. Alternatively, open the website in Tor Browser and a purple pill will appear in the address bar.

Using an HTML <meta> attribute

Onion-Location can also be defined, with identical behaviour, as an HTML <meta> http-equiv attribute. This may be used by websites that prefer (or need) to define an Onion-Location by modifying the served HTML content instead of adding a new HTTP header. The Onion-Location header would be equivalent to a <meta http-equiv="onion-location" content="http://<your-onion-service-address>.onion" /> added in the HTML head element of the webpage. Replace <your-onion-service-address>.onion with the address of the Onion Service that you want to redirect to.

Limitations

HTML cannot read the requested URL and insert it dynamically in the http-equiv <meta> tag. For this reason, visitors are always redirected to the .onion URL specified in the content-part of the meta tag, regardless of which subpage they are on.

Therefore, if possible, we recommend using one of the above methods.
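
The validity conditions listed at the top of this page apply to both the header and the <meta> form, so one check can cover both. The Python below is an added example, not part of the original documentation: the function names, the sample hostnames and the choice to look at the header before the <meta> tag are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _MetaFinder(HTMLParser):
    """Collects the content of every <meta http-equiv="onion-location"> tag."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "onion-location":
            self.values.append(a.get("content") or "")


def find_onion_location(headers, html=""):
    """Return the advertised value from the header, else the first <meta>, else None."""
    for name, value in headers.items():
        if name.lower() == "onion-location":  # header names are case-insensitive
            return value.strip()
    finder = _MetaFinder()
    finder.feed(html)
    return finder.values[0].strip() if finder.values else None


def check_onion_location(page_url, value):
    """Return the list of violated conditions; an empty list means valid."""
    problems = []
    page, target = urlsplit(page_url), urlsplit(value or "")
    host = (target.hostname or "").lower()
    if target.scheme not in ("http", "https") or not host.endswith(".onion"):
        problems.append("value must be an http(s) URL with a .onion hostname")
    if page.scheme != "https":
        problems.append("page must be served over HTTPS")
    if (page.hostname or "").lower().endswith(".onion"):
        problems.append("page must not itself be an onion site")
    return problems


# Constructed sample responses (placeholder hostnames, not real services).
GOOD = {"Onion-Location": "http://exampleonionaddress.onion/index.html"}
META = ('<html><head><meta http-equiv="onion-location" '
        'content="http://exampleonionaddress.onion" /></head></html>')

if __name__ == "__main__":
    print(check_onion_location("https://your-website.tld/index.html", find_onion_location(GOOD)))
    print(check_onion_location("http://your-website.tld/", find_onion_location({}, META)))
```

Feed it the response headers and body you captured in the testing step; any string it returns names the condition that would make Tor Browser ignore the advertisement.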

More information

Read the Onion-Location spec.