Use https on all internal .onion services.
A crypto axiom says "Don't invent own cryptography". You have violated it inventing HSs.
But can we really be sure that the confidentiality and integrity they provide are real and that they don't contain vulnerabilities?
I think that you should reinforce own services with state of the art TLS which is far more better reviewed and audited.