Browser Confused With Forced Onions

I have a long-standing issue with forced onions. With both and as forced onions, occasionally a visit to Qubes is overridden and instead goes to whonix’s site, keeping the path intended for Qubes. Naturally, this results in a not found error. Not only that, it’s a privacy leak.

Most recently this happened when trying to create a custom rule for dev.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/ (Qubes OS developer documentation, which may or may not be served via onion) Goes straight to Whonix Onion. Custom rulesets had already been applied for and

In the past, searching Qubes with its site-internal DuckDuckGo and clicking a link to travel back to Qubes’ site resulted in a visit to Whonix’s page instead. Forced onion for DDG in this case.

I’m not sure why Whonix site takes priority in these cases, does anyone have any suggestions? Does this happen to anyone else?

Thanks in advance!

Hi @9jnc7,

You’re correct that this issue is occurring, it’s a server thing, not a problem at your end.

The reason is there’s currently no configuration for the dev. subdomain on the Qubes Onion service.

The only Onionized Qubes addresses are for the main site, yum., qubes-yum., ftp., deb., qubes-deb.

For any subdomain that isn’t explicitly configured, this leads a complex evaluation of the request which ends up picking the ‘default’ site on the server, which happens to be the main site.

The site is actually a third party service provided by If this were to be Onionized, it’s not ‘true’ Onion as the traffic would have to be proxied from the Onion Service out to the clearnet.

We’ll get back to you on whether we’ll get the dev docs site onionized. At the very least, I can probably do something to lead the request back to the Qubes onion rather than the clearnet site.

The DuckDuckGo issue is probably because the DuckDuckGo site only sees the real IP of the server sending the request. Its ‘Back’ functionality may have just taken you back to that IP (and again hit the default site), although I don’t reproduce it now.


FYI, for now I’ve added a wildcard for *.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion so that at least a request to previously unaccounted-for subdomains like dev.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion, will take you to the QubesOS front page - which is not great, but is better than loading the Whonix page.

We’ll need a discussion maybe with the Qubes devs if we want to somehow mirror the site - not sure if they’d want dev.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion to proxy out of tor to even though it’s SSL… but maybe they think it’s fine to do so (and it’s certainly easy for me to implement, at least, assuming that ReadTheDocs doesn’t do anything to mess URL rewriting back to the .org domain!)


Actually, just tried testing it on a stage instance, and I can’t proxy to CloudFlare (which sits in front of rejects it with a 403 forbidden.

Sorry! You’ll have to make an exception for the dev doc site.

1 Like

Huh. Actually, I managed to get it to work disbelief


@Patrick, do you want to ask Marek if he wants us to host the ‘dev’ subdomain on the Qubes v3 onion, noting that it proxies out to e.g it’s not a purely Tor network solution? Just for the sake of peoples’ HTTPSEverywhere rules…


Thanks for the in-depth response, @mig5

I understand now, I forgot about hosting arrangements between the projects.

I appreciate it.

1 Like

It was news to me too!

At this stage for cost reasons it sounds like we are not going to implement the onion for the dev documentation. Besides, it is not ‘true’ onion since it has to pop out the otherside to the non-Tor network.

I’d recommend just excluding the dev subdomain from any HTTPSEverywhere rules.

In the meantime, at least the dev subdomain and any other unaccounted-for subdomains, will redirect to the Qubes onion, instead of the Whonix site.