|
|
@@ -0,0 +1,245 @@
|
|
|
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
|
|
|
+"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
|
|
|
+
|
|
|
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
|
|
|
+<head>
|
|
|
+ <title>Tor Server Configuration Instructions</title>
|
|
|
+ <meta name="Author" content="Roger Dingledine" />
|
|
|
+ <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
|
|
|
+ <link rel="stylesheet" type="text/css" href="http://tor.eff.org/stylesheet.css" />
|
|
|
+ <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
|
|
|
+</head>
|
|
|
+
|
|
|
+<body>
|
|
|
+
|
|
|
+<!-- TITLE BAR & NAVIGATION -->
|
|
|
+
|
|
|
+<table class="banner" border="0" cellpadding="0" cellspacing="0">
|
|
|
+ <tr>
|
|
|
+ <td class="banner-left"></td>
|
|
|
+ <td class="banner-middle">
|
|
|
+ <a href="/index.html">Home</a>
|
|
|
+ | <a href="/howitworks.html">How It Works</a>
|
|
|
+ | <a href="/download.html">Download</a>
|
|
|
+ | <a href="/documentation.html">Docs</a>
|
|
|
+ | <a href="/users.html">Users</a>
|
|
|
+ | <a href="/faq.html">FAQs</a>
|
|
|
+ | <a href="/volunteer.html">Volunteer</a>
|
|
|
+ | <a href="/developers.html">Developers</a>
|
|
|
+ | <a href="/research.html">Research</a>
|
|
|
+ | <a href="/people.html">People</a>
|
|
|
+ </td>
|
|
|
+ <td class="banner-right"></td>
|
|
|
+ </tr>
|
|
|
+</table>
|
|
|
+
|
|
|
+<!-- END TITLE BAR & NAVIGATION -->
|
|
|
+
|
|
|
+<div class="center">
|
|
|
+
|
|
|
+<div class="main-column">
|
|
|
+
|
|
|
+<h1>Configuring a <a href="http://tor.eff.org/">Tor</a> server</h1>
|
|
|
+<br />
|
|
|
+
|
|
|
+<p>The Tor network relies on volunteers to donate bandwidth. If you have
|
|
|
+at least 20 kilobytes/s each way, please help out Tor by configuring
|
|
|
+your Tor to be a server too. Having servers in many different pieces
|
|
|
+of the Internet gives users more robustness against curious telcos and
|
|
|
+brute force attacks.</p>
|
|
|
+
|
|
|
+<p>Setting up a Tor server is easy and convenient:
|
|
|
+<ul>
|
|
|
+<li>Tor has built-in support for <a
|
|
|
+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
|
|
|
+limiting</a>. Further, if you have a fast link
|
|
|
+but want to limit the number of bytes per day
|
|
|
+(or week or month) that you donate, check out the <a
|
|
|
+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation">hibernation
|
|
|
+feature</a>.
|
|
|
+</li>
|
|
|
+<li>Each Tor server has an <a
|
|
|
+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut">exit
|
|
|
+policy</a> that specifies what sort of outbound connections are allowed
|
|
|
+or refused from that server. If you are uncomfortable allowing people
|
|
|
+to exit from your server, you can set it up to only allow connections
|
|
|
+to other Tor servers.
|
|
|
+</li>
|
|
|
+<li>It's fine if the server goes offline sometimes. The directories
|
|
|
+notice this quickly and stop advertising the server. Just try to make
|
|
|
+sure it's not too often, since connections using the server when it
|
|
|
+disconnects will break.
|
|
|
+</li>
|
|
|
+<li>We can handle servers with dynamic IPs just fine, as long as the
|
|
|
+server itself knows its IP. Have a look at this
|
|
|
+<a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#DynamicIP">
|
|
|
+entry in the FAQ</a>.
|
|
|
+</li>
|
|
|
+<li>If your server is behind a NAT and it doesn't know its public
|
|
|
+IP (e.g. it has an IP of 192.168.x.y), you'll need to set up port
|
|
|
+forwarding. Forwarding TCP connections is system dependent but <a
|
|
|
+href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledCli
|
|
|
+ents">this FAQ entry</a> offers some examples on how to do this.
|
|
|
+</li>
|
|
|
+<li>Your server will passively estimate and advertise its recent
|
|
|
+bandwidth capacity, so high-bandwidth servers will attract more users than
|
|
|
+low-bandwidth ones. Therefore having low-bandwidth servers is useful too.
|
|
|
+</li>
|
|
|
+</ul>
|
|
|
+
|
|
|
+<hr />
|
|
|
+<a id="zero"></a>
|
|
|
+<h2><a class="anchor" href="#zero">Step Zero: Download and Install Tor and Privoxy</a></h2>
|
|
|
+<br />
|
|
|
+
|
|
|
+<p>Before you start, you need to make sure that Tor is up and running.
|
|
|
+</p>
|
|
|
+
|
|
|
+<p>For Windows users, this means at least <a
|
|
|
+href="http://tor.eff.org/doc/tor-doc-win32.html#installing">step one</a>
|
|
|
+of the Windows Tor installation howto. Mac OS X users need to do at least
|
|
|
+<a href="http://tor.eff.org/doc/tor-doc-osx.html#installing">step one</a>
|
|
|
+of OS X Tor installation howto. Linux/BSD/Unix users should do at least
|
|
|
+<a href="http://tor.eff.org/doc/tor-doc-unix.html#installing">step one</a>
|
|
|
+of the Unix Tor installation howto.
|
|
|
+</p>
|
|
|
+
|
|
|
+<p>If it's convenient, you might also want to use it as a client for a
|
|
|
+while to make sure it's actually working.</p>
|
|
|
+
|
|
|
+<hr />
|
|
|
+<a id="one"></a>
|
|
|
+<h2><a class="anchor" href="#one">Step One: Set it up as a server</a></h2>
|
|
|
+<br />
|
|
|
+
|
|
|
+<ul>
|
|
|
+<li>1. Verify that your clock is set correctly. If possible, synchronize
|
|
|
+your clock with public time servers. Make sure name resolution works
|
|
|
+(that is, your computer can resolve addresses correctly).
|
|
|
+</li>
|
|
|
+<li>2. Edit the bottom part of your torrc. (See <a
|
|
|
+href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#torrc">this
|
|
|
+FAQ entry</a> for help.)
|
|
|
+Make sure to define at least Nickname and ORPort. Create the DataDirectory
|
|
|
+if necessary, and make sure it's owned by the user that will be running
|
|
|
+tor.
|
|
|
+<li>3. If you are using a firewall, open a hole in your firewall so
|
|
|
+incoming connections can reach the ports you configured (ORPort, plus
|
|
|
+DirPort if you enabled it). Make sure you allow all outgoing connections,
|
|
|
+so your server can reach the other Tor servers.
|
|
|
+<li>4. Start your server: if you installed from source you can just
|
|
|
+run <tt>tor</tt>, whereas packages typically launch Tor from their
|
|
|
+initscripts or startup scripts. If it logs any warnings, address them. (By
|
|
|
+default Tor logs to stdout, but some packages log to <tt>/var/log/tor/</tt>
|
|
|
+instead. You can edit your torrc to configure log locations.)
|
|
|
+<li>5. Subscribe to the <a
|
|
|
+href="http://archives.seul.org/or/announce/">or-announce</a>
|
|
|
+mailing list. It is very low volume, and it will keep you informed
|
|
|
+of new stable releases. You might also consider subscribing to <a
|
|
|
+href="http://archives.seul.org/or/talk/">or-talk</a> (higher volume),
|
|
|
+where new development releases are announced.
|
|
|
+</li>
|
|
|
+</ul>
|
|
|
+
|
|
|
+<hr />
|
|
|
+<a id="two"></a>
|
|
|
+<h2><a class="anchor" href="#two">Step Two: Make sure it's working</a></h2>
|
|
|
+<br />
|
|
|
+
|
|
|
+<p>As soon as your server manages to connect to the network, it will
|
|
|
+try to determine whether the ports you configured are reachable from
|
|
|
+the outside. This may take several minutes. The log entries will keep
|
|
|
+you informed of its progress.</p>
|
|
|
+
|
|
|
+<p>When it decides that it's reachable, it will upload a "server
|
|
|
+descriptor" to the directories. This will let other clients know
|
|
|
+what address, ports, keys, etc your server is using. You can <a
|
|
|
+href="http://belegost.seul.org/">load the directory manually</a> and
|
|
|
+look through it to find the nickname you configured, to make sure it's
|
|
|
+there. You may need to wait a few seconds to give enough time for it to
|
|
|
+make a fresh directory.</p>
|
|
|
+
|
|
|
+<li>Once you are convinced it's working, <b>Register your server.</b>
|
|
|
+Send mail to <a
|
|
|
+href="mailto:tor-ops@freehaven.net">tor-ops@freehaven.net</a> with a
|
|
|
+subject of '[New Server] <your server's nickname>' and
|
|
|
+include the following information in the message:
|
|
|
+<ul>
|
|
|
+<li>Your server's nickname</li>
|
|
|
+<li>The fingerprint for your server's key (the contents of the
|
|
|
+"fingerprint" file in your DataDirectory -- on Windows, look in
|
|
|
+\<i>username</i>\Application Data\tor\ or \Application Data\tor\;
|
|
|
+on OS X, look in /Library/Tor/var/lib/tor/; and on Linux/BSD/Unix,
|
|
|
+look in /var/lib/tor or ~/.tor)
|
|
|
+</li>
|
|
|
+<li>Who you are, so we know whom to contact if a problem arises</li>
|
|
|
+<li>What kind of connectivity the new server will have</li>
|
|
|
+</ul>
|
|
|
+If you like, sign your mail using PGP.<br />
|
|
|
+Registering your server reserves your nickname so nobody else can take it,
|
|
|
+and lets us contact you if you need to upgrade or something goes wrong.
|
|
|
+</li>
|
|
|
+
|
|
|
+<hr />
|
|
|
+<a id="three"></a>
|
|
|
+<h2><a class="anchor" href="#three">Step Three: Once it's working</a></h2>
|
|
|
+<br />
|
|
|
+
|
|
|
+<p>
|
|
|
+Optionally, we recommend the following steps as well:
|
|
|
+</p>
|
|
|
+
|
|
|
+<ul>
|
|
|
+<li>6 (Unix only). Make a separate user to run the server. If you
|
|
|
+installed the OS X package or the deb or the rpm, this is already
|
|
|
+done. Otherwise, you can do it by hand. (The Tor server doesn't need to
|
|
|
+be run as root, so it's good practice to not run it as root. Running
|
|
|
+as a 'tor' user avoids issues with identd and other services that
|
|
|
+detect user name. If you're the paranoid sort, feel free to <a
|
|
|
+href="http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot">put Tor
|
|
|
+into a chroot jail</a>.)
|
|
|
+<li>7. Decide what exit policy you want. By default your server allows
|
|
|
+access to many popular services, but we restrict some (such as port 25)
|
|
|
+due to abuse potential. You might want an exit policy that is
|
|
|
+less restrictive or more restrictive; edit your torrc appropriately.
|
|
|
+If you choose a particularly open exit policy, you might want to make
|
|
|
+sure your ISP is ok with that choice.
|
|
|
+<li>8. If you installed from source, you may find the initscripts in
|
|
|
+contrib/tor.sh or contrib/torctl useful if you want to set up Tor to
|
|
|
+start at boot.
|
|
|
+<li>9. If you control the name servers for your domain, consider setting
|
|
|
+your hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when other
|
|
|
+people see the address in their web logs, they will more quickly
|
|
|
+understand what's going on.
|
|
|
+<li>10. If your computer isn't running a webserver, please consider
|
|
|
+changing your ORPort to 443 and your DirPort to 80. Many Tor
|
|
|
+users are stuck behind firewalls that only let them browse the
|
|
|
+web, and this change will let them reach your Tor server. Win32
|
|
|
+servers can simply change their ORPort and DirPort directly
|
|
|
+in their torrc and restart Tor. OS X or Unix servers can't bind
|
|
|
+directly to these ports, so they will need to set up some sort of <a
|
|
|
+href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#ServerForFirewalledClients">
|
|
|
+port forwarding</a> so connections can reach their Tor server. If you are
|
|
|
+using ports 80 and 443 already but still want to help out, other useful
|
|
|
+ports are 22, 110, and 143.
|
|
|
+</ul>
|
|
|
+
|
|
|
+When you change your Tor configuration, be sure to restart Tor, and
|
|
|
+remember to verify that your server still works correctly after the
|
|
|
+change.
|
|
|
+
|
|
|
+<hr />
|
|
|
+
|
|
|
+<p>If you have suggestions for improving this document, please post
|
|
|
+them on <a href="http://bugs.noreply.org/tor">our bugtracker</a> in the
|
|
|
+website category. Thanks!</p>
|
|
|
+
|
|
|
+ </div><!-- #main -->
|
|
|
+</div>
|
|
|
+ <div class="bottom" id="bottom">
|
|
|
+ <i><a href="mailto:tor-webmaster@freehaven.net"
|
|
|
+ class="smalllink">Webmaster</a></i> - $Id$
|
|
|
+ </div>
|
|
|
+</body>
|
|
|
+</html>
|
|
|
+
|
Roger Dingledine