Wiki Miss offer Secure Connection while the connection over Onion

When you go to wiki login on onion:


you will find “Use secure connection” with URL:


It considers onion over http without TLS as not a secure connection, thus offering an https connection to the onion URL, which won't work.


Confirmed. MediaWiki thinks the connection is insecure since it does not have an internal concept of onion traffic. I am now sending the HTTP request header X-Forwarded-Proto: https for onion to let MediaWiki know that it’s a secure connection.


That mediawiki feature does not make much sense anymore nowadays since a sane website is all https (or onion) and not just for login.

Should now be fixed.


When you search in the wiki, it will add TLS to the http onion URL, e.g.:

go to:


search for stream isolation, it will redirect to:


thus the URL won't work.


Alright. Then my workaround won’t work. Reverted.

Could you please file a bug report against MediaWiki deprecating that feature, or a feature request adding onion support? Whatever seems more likely?


On IRC I have been told:

<Vulpix> If you're able to set the X-Forwarded-Proto header, that should work for you
<Vulpix> (that header should be on requests arriving to MediaWiki)

I showed him this issue:

and he said:

<Vulpix> Well, I'm pretty sure MediaWiki won't give you the choice to use "secure connection" unless there's some setting that tells MediaWiki https is available
<Vulpix> The problem may be that you've set https:  somewhere in your 
<Vulpix> Get rid of it

Hope it can be useful.

About registration: well, I can't register in MediaWiki because they want a
real IP, as they block Tor.


I doubt this is fixable with reasonable effort. We’re already doing the “impossible”, something not really popular, that is, using MediaWiki with the same database on two different domains, a clearnet and an onion domain, which was a lot of effort to figure out since it’s not really documented.

That may be doable when using a wiki with onion only.

The only thing I find is $wgCanonicalServer which is set to $wgCanonicalServer = ''; on the onion.

But changing that to onion would break other things. $wgCanonicalServer

languages/i18n/en.json: “userlogin-signwithsecure”: “Use secure connection”,



            if ( $this->mSecureLoginUrl ) {
                    $secureLoginLink = Html::element( 'a', [
                            'href' => $this->mSecureLoginUrl,
                            'class' => 'mw-ui-flush-right mw-secure',
                    ], $this->msg( 'userlogin-signwithsecure' )->text() );

I guess to avoid userlogin-signwithsecure being injected into the html we would need to influence the contents of variable mSecureLoginUrl.

                // If logging in and not on HTTPS, either redirect to it or offer a link.
                global $wgSecureLogin;
                if ( $this->getRequest()->getProtocol() !== 'https' ) {
                        $title = $this->getFullTitle();
                        $query = $this->getPreservedParams( false ) + [
                                        'title' => null,
                                        ( $this->mEntryErrorType === 'error' ? 'error'
                                                : 'warning' ) => $this->mEntryError,
                                ] + $this->getRequest()->getQueryValues();
                        $url = $title->getFullURL( $query, false, PROTO_HTTPS );
                        if ( $wgSecureLogin && !$this->mFromHTTP &&
                                 wfCanIPUseHTTPS( $this->getRequest()->getIP() )
                        ) {
                                // Avoid infinite redirect
                                $url = wfAppendQuery( $url, 'fromhttp=1' );
                                $this->getOutput()->redirect( $url );
                                // Since we only do this redir to change proto, always vary
                                $this->getOutput()->addVaryHeader( 'X-Forwarded-Proto' );

                        } else {
                                // A wiki without HTTPS login support should set $wgServer to
                                // http://somehost, in which case the secure URL generated
                                // above won't actually start with https://
                                if ( substr( $url, 0, 8 ) === 'https://' ) {
                                        $this->mSecureLoginUrl = $url;


$wgServer = '//www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';


$wgServer = 'http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion';

This is now gone on onion. Please try now.
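A simplified model of the check quoted above, as an added example that is not part of the original posts and is not MediaWiki's own code. It shows why a protocol-relative `$wgServer` produces the "Use secure connection" link, why claiming https via `X-Forwarded-Proto` moves the problem to redirects, and why an explicit `http://` value avoids both. The host, paths and helper names are assumptions.

```php
<?php
// Simplified model only: expandUrl(), offersSecureLoginLink() and
// redirectUrl() are hypothetical helpers, not MediaWiki functions.

const HOST = 'www.example.onion'; // constructed placeholder host

// A protocol-relative server value ('//host') takes on whatever protocol
// is asked for; an explicit 'http://host' keeps its own scheme.
function expandUrl(string $server, string $path, string $proto): string {
    if (strpos($server, '//') === 0) {
        return $proto . ':' . $server . $path;
    }
    return $server . $path;
}

// Mirrors the quoted condition: the request is not https, and the
// https form of the login URL really starts with 'https://'.
function offersSecureLoginLink(string $server, string $requestProto): bool {
    if ($requestProto === 'https') {
        return false;
    }
    $url = expandUrl($server, '/wiki/Special:UserLogin', 'https');
    return substr($url, 0, 8) === 'https://';
}

// URL built for a redirect (such as after a search) from the protocol
// the application believes the current request used.
function redirectUrl(string $server, string $requestProto): string {
    return expandUrl($server, '/wiki/Stream_Isolation', $requestProto);
}

$cases = [
    ['//' . HOST, 'http'],        // protocol-relative server, plain onion request
    ['//' . HOST, 'https'],       // same server, request marked https by X-Forwarded-Proto
    ['http://' . HOST, 'http'],   // explicit http:// server value
];
foreach ($cases as [$server, $proto]) {
    printf("%-26s proto=%-5s link=%-3s redirect=%s\n", $server, $proto,
        offersSecureLoginLink($server, $proto) ? 'yes' : 'no',
        redirectUrl($server, $proto));
}
```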

Yes, now I think everything is working fine. Good job!


I showed him this issue:
Wiki Miss offer Secure Connection while the connection over Onion - #3 by nurmagoz

Well, I’m pretty sure MediaWiki won’t give you the choice to
use “secure connection” unless there’s some setting that tells MediaWiki
https is available

About registration: well, I can't register in MediaWiki because they want a
real IP, as they block Tor.

Just guessing: maybe what they really want is just a longer-lasting IP, such as when you set:


in your torrc.

I think I needed that too, in different circumstances. However, that might be some longer time learning needed to find out what nodes offer TLS exit, that you can also trust. [*]

I never made it to do that yet… But I know people of Onionmail [**] are able to do it, because if you create account with them with a node they don’t trust, you get “relay not allowed”, and you’re dropped.

[*] I gave a link somewhere in a topic here on the Whonix forums; it must be a topic with the words “download” “tor” via “onion”, and talk about vanguards is there too, and I mention Mike Perry. The link I gave is about Nusenu’s work published on if I remember correctly, I mean there’s bad nodes a huge lot…

[**] IIRC