123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926 |
- .TH TOR 1 "January 2006" "TOR"
- .SH NAME
- tor \- The second-generation onion router
- .SH SYNOPSIS
- .B tor
- [\fIOPTION value\fR]...
- .SH DESCRIPTION
- .I tor
- is a connection-oriented anonymizing communication
- service. Users choose a source-routed path through a set of nodes, and
- negotiate a "virtual circuit" through the network, in which each node
- knows its predecessor and successor, but no others. Traffic flowing down
- the circuit is unwrapped by a symmetric key at each node, which reveals
- the downstream node.
- .PP
- Basically \fItor\fR provides a distributed network of servers ("onion
- routers"). Users bounce their TCP streams -- web traffic, ftp, ssh, etc --
- around the routers, and recipients, observers, and even the routers
- themselves have difficulty tracking the source of the stream.
- .SH OPTIONS
- \fB-h, -help\fP
- Display a short help message and exit.
- .LP
- .TP
- \fB-f \fR\fIFILE\fP
- FILE contains further "option value" pairs. (Default: @CONFDIR@/torrc)
- .LP
- .TP
- Other options can be specified either on the command-line (\fI--option
- value\fR), or in the configuration file (\fIoption value\fR).
- Options are case-insensitive.
- .LP
- .TP
- \fBBandwidthRate \fR\fIN\fR \fBbytes\fR|\fBKB\fR|\fBMB\fR|\fBGB\fR|\fBTB\fP
- A token bucket limits the average incoming bandwidth on this node to
- the specified number of bytes per second. (Default: 3 MB)
- .LP
- .TP
- \fBBandwidthBurst \fR\fIN\fR \fBbytes\fR|\fBKB\fR|\fBMB\fR|\fBGB\fR|\fBTB\fP
- Limit the maximum token bucket size (also known as the burst) to the
- given number of bytes. (Default: 6 MB)
- .LP
- .TP
- \fBMaxAdvertisedBandwidth \fR\fIN\fR \fBbytes\fR|\fBKB\fR|\fBMB\fR|\fBGB\fR|\fBTB\fP
- If set, we will not advertise more than this amount of bandwidth for our
- BandwidthRate. Server operators who want to reduce the number of clients
- who ask to build circuits through them (since this is proportional to
- advertised bandwidth rate) can thus reduce the CPU demands on their
- server without impacting network performance.
- .LP
- .TP
- \fBConnLimit \fR\fINUM\fP
- The minimum number of file descriptors that must be available to
- the Tor process before it will start. Tor will ask the OS for as
- many file descriptors as the OS will allow (you can find this
- by "ulimit -H -n"). If this number is less than ConnLimit, then
- Tor will refuse to start.
- You probably don't need to adjust this. It has no effect on
- Windows since that platform lacks getrlimit(). (Default: 1000)
- .LP
- .TP
- \fBControlPort \fR\fIPort\fP
- If set, Tor will accept connections on
- this port, and allow those connections to control the Tor process using the
- Tor Control Protocol (described in control-spec.txt). Note: unless you also
- specify one of \fBHashedControlPassword\fP or \fBCookieAuthentication\fP,
- setting this option will cause Tor to allow any process on the local host to
- control it.
- .LP
- .TP
- \fBControlListenAddress \fR\fIIP\fR[:\fIPORT\fR]\fP
- Bind the controller listener to this address. If you specify a port,
- bind to this port rather than the one specified in ControlPort. We
- strongly recommend that you leave this alone unless you know what you're
- doing, since giving attackers access to your control listener is really
- dangerous. (Default: 127.0.0.1)
- This directive can be specified multiple times to bind to multiple
- addresses/ports.
- .LP
- .TP
- \fBHashedControlPassword \fR\fIhashed_password\fP
- Don't allow any connections on the control port except when the other process
- knows the password whose one-way hash is \fIhashed_password\fP. You can
- compute the hash of a password by running "tor --hash-password
- \fIpassword\fP".
- .LP
- .TP
- \fBCookieAuthentication \fR\fB0\fR|\fB1\fP
- If this option is set to 1, don't allow any connections on the control port
- except when the connecting process knows the contents of a file named
- "control_auth_cookie", which Tor will create in its data directory. This
- authentication methods should only be used on systems with good filesystem
- security. (Default: 0)
- .LP
- .TP
- \fBDataDirectory \fR\fIDIR\fP
- Store working data in DIR (Default: @LOCALSTATEDIR@/lib/tor)
- .LP
- .TP
- \fBDirServer \fR[\fInickname\fR] [\fBflags\fR] \fIaddress\fR\fB:\fIport fingerprint\fP
- Use a nonstandard authoritative directory server at the provided
- address and port, with the specified key fingerprint. This option can
- be repeated many times, for multiple authoritative directory
- servers. Flags are separated by spaces, and determine what kind of an
- authority this directory is. By default, every authority is authoritative
- for current ("v2")-style directories, unless the "no-v2" flag is given. If the "v1" flags is provided, Tor will use this server as an
- authority for old-style (v1) directories as well. (Only directory mirrors
- care about this.) Tor will use this server as an authority for hidden
- service information if the "hs" flag is set, or if the "v1" flag is set and
- the "no-hs" flag is \fBnot\fP set.
- If no \fBdirserver\fP line is given, Tor will use the default
- directory servers. NOTE: this option is intended
- for setting up a private Tor network with its own directory authorities. If
- you use it, you will be distinguishable from other users, because you won't
- believe the same authorities they do.
- .LP
- .TP
- \fBFetchHidServDescriptors \fR\fB0\fR|\fB1\fR\fP
- If set to 0, Tor will never fetch any hidden service descriptors from
- the rendezvous directories. This option is only useful if you're using
- a Tor controller that handles hidserv fetches for you.
- (Default: 1)
- .LP
- .TP
- \fBFetchServerDescriptors \fR\fB0\fR|\fB1\fR\fP
- If set to 0, Tor will never fetch any network status summaries or server
- descriptors from the directory servers. This option is only useful if
- you're using a Tor controller that handles directory fetches for you.
- (Default: 1)
- .LP
- .TP
- \fBFetchUselessDescriptors \fR\fB0\fR|\fB1\fR\fP
- If set to 1, Tor will fetch every non-obsolete descriptor from the
- authorities that it hears about. Otherwise, it will avoid fetching
- useless descriptors, for example for routers that are not running.
- This option is useful if you're using the contributed "exitlist"
- script to enumerate Tor nodes that exit to certain addresses.
- (Default: 0)
- .LP
- .TP
- \fBGroup \fR\fIGID\fP
- On startup, setgid to this user.
- .LP
- .TP
- \fBHttpProxy\fR \fIhost\fR[:\fIport\fR]\fP
- Tor will make all its directory requests through this host:port
- (or host:80 if port is not specified),
- rather than connecting directly to any directory servers.
- .LP
- .TP
- \fBHttpProxyAuthenticator\fR \fIusername:password\fP
- If defined, Tor will use this username:password for Basic Http proxy
- authentication, as in RFC 2617. This is currently the only form of
- Http proxy authentication that Tor supports; feel free to submit a
- patch if you want it to support others.
- .LP
- .TP
- \fBHttpsProxy\fR \fIhost\fR[:\fIport\fR]\fP
- Tor will make all its OR (SSL) connections through this host:port
- (or host:443 if port is not specified), via HTTP CONNECT rather than
- connecting directly to servers. You may want to set \fBFascistFirewall\fR
- to restrict the set of ports you might try to connect to, if your Https
- proxy only allows connecting to certain ports.
- .LP
- .TP
- \fBHttpsProxyAuthenticator\fR \fIusername:password\fP
- If defined, Tor will use this username:password for Basic Https proxy
- authentication, as in RFC 2617. This is currently the only form of
- Https proxy authentication that Tor supports; feel free to submit a
- patch if you want it to support others.
- .LP
- .TP
- \fBKeepalivePeriod \fR\fINUM\fP
- To keep firewalls from expiring connections, send a padding keepalive
- cell every NUM seconds on open connections that are in use. If the
- connection has no open circuits, it will instead be closed after NUM
- seconds of idleness. (Default: 5 minutes)
- .LP
- .TP
- \fBLog \fR\fIminSeverity\fR[-\fImaxSeverity\fR] \fBstderr\fR|\fBstdout\fR|\fBsyslog\fR\fP
- Send all messages between \fIminSeverity\fR and \fImaxSeverity\fR to
- the standard output stream, the standard error stream, or to the system
- log. (The "syslog" value is only supported on Unix.) Recognized
- severity levels are debug, info, notice, warn, and err. We advise using
- "notice" in most cases, since anything more verbose may provide sensitive
- information to an attacker who obtains the logs. If only one
- severity level is given, all messages of that level or higher will be
- sent to the listed destination.
- .LP
- .TP
- \fBLog \fR\fIminSeverity\fR[-\fImaxSeverity\fR] \fBfile\fR \fIFILENAME\fP
- As above, but send log messages to the listed filename. The "Log"
- option may appear more than once in a configuration file. Messages
- are sent to all the logs that match their severity level.
- .LP
- .TP
- \fBOutboundBindAddress \fR\fIIP\fP
- Make all outbound connections originate from the IP address specified. This
- is only useful when you have multiple network interfaces, and you want all
- of Tor's outgoing connections to use a single one.
- .LP
- .TP
- \fBPidFile \fR\fIFILE\fP
- On startup, write our PID to FILE. On clean shutdown, remove FILE.
- .LP
- .TP
- \fBProtocolWarnings \fR\fB0\fR|\fB1\fR\fP
- If 1, Tor will log with severity 'warn' various cases of other parties
- not following the Tor specification. Otherwise, they are logged with
- severity 'info'. (Default: 0)
- .LP
- .TP
- \fBRunAsDaemon \fR\fB0\fR|\fB1\fR\fP
- If 1, Tor forks and daemonizes to the background. This option has
- no effect on Windows; instead you should use the --service command-line
- option. (Default: 0)
- .LP
- .TP
- \fBSafeLogging \fR\fB0\fR|\fB1\fP
- If 1, Tor replaces potentially sensitive strings in the logs
- (e.g. addresses) with the string [scrubbed]. This way logs can still be
- useful, but they don't leave behind personally identifying information
- about what sites a user might have visited. (Default: 1)
- .LP
- .TP
- \fBUser \fR\fIUID\fP
- On startup, setuid to this user.
- .LP
- .TP
- \fBHardwareAccel \fR\fB0\fR|\fB1\fP
- If non-zero, try to use crypto hardware acceleration when
- available. This is untested and probably buggy. (Default: 0)
- .SH CLIENT OPTIONS
- .PP
- The following options are useful only for clients (that is, if \fBSocksPort\fP is non-zero):
- .LP
- .TP
- \fBAllowInvalidNodes\fR \fBentry\fR|\fBexit\fR|\fBmiddle\fR|\fBintroduction\fR|\fBrendezvous\fR|...\fP
- If some Tor servers are obviously not working right, the directory
- authorities can manually mark them as invalid, meaning that it's not
- recommended you use them for entry or exit positions in your circuits. You
- can opt to use them in some circuit positions, though. The default is
- "middle,rendezvous", and other choices are not advised.
- .LP
- .TP
- \fBCircuitBuildTimeout \fR\fINUM\fP
- Try for at most NUM seconds when building circuits. If the circuit
- isn't open in that time, give up on it.
- (Default: 1 minute.)
- .LP
- .TP
- \fBCircuitIdleTimeout \fR\fINUM\fP
- If we have keept a clean (never used) circuit around for NUM seconds,
- then close it. This way when the Tor client is entirely idle, it can
- expire all of its circuits, and then expire its TLS connections. Also,
- if we end up making a circuit that is not useful for exiting any of
- the requests we're receiving, it won't forever take up a slot in the
- circuit list.
- (Default: 1 hour.)
- .LP
- .TP
- \fBClientOnly \fR\fB0\fR|\fB1\fR\fP
- If set to 1, Tor will under no circumstances run as a server. The default
- is to run as a client unless ORPort is configured. (Usually,
- you don't need to set this; Tor is pretty smart at figuring out whether
- you are reliable and high-bandwidth enough to be a useful server.)
- (Default: 0)
- .LP
- .TP
- \fBExcludeNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- A list of nodes to never use when building a circuit.
- .LP
- .TP
- \fBEntryNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- A list of preferred nodes to use for the first hop in the circuit.
- These are treated only as preferences unless StrictEntryNodes (see
- below) is also set.
- .LP
- .TP
- \fBExitNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- A list of preferred nodes to use for the last hop in the circuit.
- These are treated only as preferences unless StrictExitNodes (see
- below) is also set.
- .LP
- .TP
- \fBStrictEntryNodes \fR\fB0\fR|\fB1\fR\fP
- If 1, Tor will never use any nodes besides those listed in "EntryNodes" for
- the first hop of a circuit.
- .LP
- .TP
- \fBStrictExitNodes \fR\fB0\fR|\fB1\fR\fP
- If 1, Tor will never use any nodes besides those listed in "ExitNodes" for
- the last hop of a circuit.
- .LP
- .TP
- \fBFascistFirewall \fR\fB0\fR|\fB1\fR\fP
- If 1, Tor will only create outgoing connections to ORs running on ports that
- your firewall allows (defaults to 80 and 443; see \fBFirewallPorts\fR). This will
- allow you to run Tor as a client behind a firewall with restrictive policies,
- but will not allow you to run as a server behind such a firewall.
- This option is deprecated; use
- ReachableAddresses instead.
- .LP
- .TP
- \fBFirewallPorts \fR\fIPORTS\fP
- A list of ports that your firewall allows you to connect to. Only
- used when \fBFascistFirewall\fR is set. This option is deprecated; use
- ReachableAddresses instead. (Default: 80, 443)
- .LP
- .TP
- \fBReachableAddresses \fR\fIADDR\fP[\fB/\fP\fIMASK\fP][:\fIPORT\fP]...\fP
- A comma-separated list of IP addresses and ports that your firewall allows you
- to connect to. The format is as
- for the addresses in ExitPolicy, except that "accept" is understood
- unless "reject" is explicitly provided. For example, 'ReachableAddresses
- 99.0.0.0/8, reject 18.0.0.0/8:80, accept *:80' means that your
- firewall allows connections to everything inside net 99, rejects port
- 80 connections to net 18, and accepts connections to port 80 otherwise.
- (Default: 'accept *:*'.)
- .LP
- .TP
- \fBReachableDirAddresses \fR\fIADDR\fP[\fB/\fP\fIMASK\fP][:\fIPORT\fP]...\fP
- Like \fBReachableAddresses\fP, a list of addresses and ports. Tor will obey
- these restrictions when fetching directory information, using standard HTTP
- GET requests. If not set explicitly then the value of \fBReachableAddresses\fP
- is used. If \fBHttpProxy\fR is set then these connections will go through that
- proxy.
- .LP
- .TP
- \fBReachableORAddresses \fR\fIADDR\fP[\fB/\fP\fIMASK\fP][:\fIPORT\fP]...\fP
- Like \fBReachableAddresses\fP, a list of addresses and ports. Tor will obey
- these restrictions when connecting to Onion Routers, using TLS/SSL. If not set
- explicitly then the value of \fBReachableAddresses\fP is used. If
- \fBHttpsProxy\fR is set then these connections will go through that proxy.
- The separation between \fBReachableORAddresses\fP and
- \fBReachableDirAddresses\fP is only interesting when you are connecting through
- proxies (see \fBHttpProxy\fR and \fBHttpsProxy\fR). Most proxies limit TLS
- connections (which Tor uses to connect to Onion Routers) to port 443, and some
- limit HTTP GET requests (which Tor uses for fetching directory information) to
- port 80.
- .LP
- .TP
- \fBLongLivedPorts \fR\fIPORTS\fP
- A list of ports for services that tend to have long-running connections
- (e.g. chat and interactive shells). Circuits for streams that use these
- ports will contain only high-uptime nodes, to reduce the chance that a
- node will go down before the stream is finished.
- (Default: 21, 22, 706, 1863, 5050, 5190, 5222, 5223, 6667, 6697, 8300)
- .LP
- .TP
- \fBMapAddress\fR \fIaddress\fR \fInewaddress\fR
- When a request for address arrives to Tor, it will rewrite it to
- newaddress before processing it. For example, if you always want
- connections to www.indymedia.org to exit via \fItorserver\fR (where
- \fItorserver\fR is the nickname of the server),
- use "MapAddress www.indymedia.org www.indymedia.org.torserver.exit".
- .LP
- .TP
- \fBNewCircuitPeriod \fR\fINUM\fP
- Every NUM seconds consider whether to build a new circuit. (Default: 30 seconds)
- .LP
- .TP
- \fBMaxCircuitDirtiness \fR\fINUM\fP
- Feel free to reuse a circuit that was first used at most NUM seconds ago,
- but never attach a new stream to a circuit that is too old.
- (Default: 10 minutes)
- .LP
- .TP
- \fBNodeFamily \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- The named Tor servers constitute a "family" of similar or co-administered
- servers, so never use any two of them in the same circuit. Defining a
- NodeFamily is only needed when a server doesn't list the family itself
- (with MyFamily). This option can be used multiple times.
- .LP
- .TP
- \fBEnforceDistinctSubnets \fR\fB0\fR|\fB1\fR\fP
- If 1, Tor will not put two servers whose IP addresses are "too
- close" on the same circuit. Currently, two addresses are
- "too close" if they lie in the same /16 range. (Default: 1)
- .\" \fBPathlenCoinWeight \fR\fI0.0-1.0\fP
- .\" Paths are 3 hops plus a geometric distribution centered around this coinweight.
- .\" Must be >=0.0 and <1.0. (Default: 0.3) NOT USED CURRENTLY
- .\" .TP
- .LP
- .TP
- \fBRendNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- A list of preferred nodes to use for the rendezvous point, if possible.
- .LP
- .TP
- \fBRendExcludeNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- A list of nodes to never use when choosing a rendezvous point.
- .LP
- .TP
- \fBSocksPort \fR\fIPORT\fP
- Advertise this port to listen for connections from Socks-speaking
- applications. Set this to 0 if you don't want to allow application
- connections. (Default: 9050)
- .LP
- .TP
- \fBSocksListenAddress \fR\fIIP\fR[:\fIPORT\fR]\fP
- Bind to this address to listen for connections from Socks-speaking
- applications. (Default: 127.0.0.1) You can also specify a port
- (e.g. 192.168.0.1:9100).
- This directive can be specified multiple times to bind to multiple
- addresses/ports.
- .LP
- .TP
- \fBSocksPolicy \fR\fIpolicy\fR,\fIpolicy\fR,\fI...\fP
- Set an entrance policy for this server, to limit who can connect to the
- Socks ports.
- The policies have the same form as exit policies below.
- .LP
- .TP
- \fBSocksTimeout \fR\fINUM\fP
- Let a socks connection wait NUM seconds unattached before we fail it.
- (Default: 2 minutes.)
- .LP
- .TP
- \fBTestVia \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- A list of nodes to prefer for your middle hop when building testing
- circuits. This option is mainly for debugging reachability problems.
- .LP
- .TP
- \fBTrackHostExits \fR\fIhost\fR,\fI.domain\fR,\fI...\fR\fP
- For each value in the comma separated list, Tor will track recent connections
- to hosts that match this value and attempt to
- reuse the same exit node for each. If the value is prepended with a '.', it is
- treated as matching an entire domain. If one of the values is just a '.', it
- means match everything. This option is useful if you frequently connect to
- sites that will expire all your authentication cookies (ie log you out) if
- your IP address changes. Note that this option does have the disadvantage of
- making it more clear that a given history is
- associated with a single user. However, most people who would wish to observe
- this will observe it through cookies or other protocol-specific means anyhow.
- .LP
- .TP
- \fBTrackHostExitsExpire \fR\fINUM\fP
- Since exit servers go up and down, it is desirable to expire the association
- between host and exit server after NUM seconds. The default
- is 1800 seconds (30 minutes).
- .LP
- .TP
- \fBUseEntryGuards \fR\fB0\fR|\fB1\fR\fP
- If this option is set to 1, we pick a few long-term entry servers, and
- try to stick with them. This is desirable because
- constantly changing servers increases the odds that an adversary who owns
- some servers will observe a fraction of your paths.
- (Defaults to 1.)
- .LP
- .TP
- \fBNumEntryGuards \fR\fINUM\fP
- If UseEntryGuards is set to 1, we will try to pick a total of NUM routers
- as long-term entries for our circuits.
- (Defaults to 3.)
- .LP
- .TP
- \fBSafeSocks \fR\fB0\fR|\fB1\fR\fP
- When this option is enabled, Tor will reject application connections that
- use unsafe variants of the socks protocol -- ones that only provide an
- IP address, meaning the application is doing a DNS resolve first.
- Specifically, these are socks4 and socks5 when not doing remote DNS.
- (Defaults to 0.)
- .LP
- .TP
- \fBTestSocks \fR\fB0\fR|\fB1\fR\fP
- When this option is enabled, Tor will make a notice-level log entry for
- each connection to the Socks port indicating whether the request used
- a safe socks protocol or an unsafe one (see above entry on SafeSocks).
- This helps to determine whether an application using Tor is possibly
- leaking DNS requests.
- (Default: 0)
- .LP
- .TP
- \fBVirtualAddrNetwork \fR\fIAddress\fB/\fIbits\fP
- When a controller asks for a virtual (unused) address with the
- 'MAPADDRESS' command, Tor picks an unassigned address from this range.
- (Default: 127.192.0.0/10)
- .SH SERVER OPTIONS
- .PP
- The following options are useful only for servers (that is, if \fBORPort\fP is non-zero):
- .LP
- .TP
- \fBAddress \fR\fIaddress\fP
- The IP or fqdn of this server (e.g. moria.mit.edu). You can leave this
- unset, and Tor will guess your IP.
- .LP
- .TP
- \fBAssumeReachable \fR\fB0\fR|\fB1\fR\fP
- This option is used when bootstrapping a new Tor network. If set to 1,
- don't do self-reachability testing; just upload your server descriptor
- immediately. If \fBAuthoritativeDirectory\fP is also set, this option
- instructs the dirserver to bypass remote reachability testing too and
- list all connected servers as running.
- .LP
- .TP
- \fBContactInfo \fR\fIemail_address\fP
- Administrative contact information for server. This line might get
- picked up by spam harvesters, so you may want to obscure the fact
- that it's an email address.
- .LP
- .TP
- \fBExitPolicy \fR\fIpolicy\fR,\fIpolicy\fR,\fI...\fP
- Set an exit policy for this server. Each policy is of the form
- "\fBaccept\fP|\fBreject\fP \fIADDR\fP[\fB/\fP\fIMASK\fP]\fB[:\fP\fIPORT\fP]".
- If \fB/\fP\fIMASK\fP is omitted then this policy just applies to the host
- given. Instead of giving a host or network you can also use "\fB*\fP" to
- denote the universe (0.0.0.0/0). \fIPORT\fP can be a single port number,
- an interval of ports "\fIFROM_PORT\fP\fB-\fP\fITO_PORT\fP", or "\fB*\fP".
- If \fIPORT\fP is omitted, that means "\fB*\fP".
- For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" would
- reject any traffic destined for MIT except for web.mit.edu, and
- accept anything else.
- To specify all internal and link-local networks (including 0.0.0.0/8,
- 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
- 172.16.0.0/12), you can use the "private" alias instead of an address.
- These addresses are rejected by default (at the beginning of your
- exit policy) unless you set the ExitPolicyRejectPrivate config option
- to 0. For example, once you've done that, you could allow HTTP to
- 127.0.0.1 and block all other connections to internal networks with
- "accept
- 127.0.0.1:80,reject private:*". See RFC 1918 and RFC 3330 for more
- details about internal and reserved IP address space.
- This directive can be specified multiple times so you don't have to put
- it all on one line.
- Policies are considered first to last, and the first match wins. If
- you want to _replace_ the default exit policy, end your exit policy with
- either a reject *:* or an accept *:*. Otherwise, you're _augmenting_
- (prepending to) the default exit policy. The default exit policy is:
- .PD 0
- .RS 12
- .IP "reject *:25"
- .IP "reject *:119"
- .IP "reject *:135-139"
- .IP "reject *:445"
- .IP "reject *:465"
- .IP "reject *:587"
- .IP "reject *:1214"
- .IP "reject *:4661-4666"
- .IP "reject *:6346-6429"
- .IP "reject *:6699"
- .IP "reject *:6881-6999"
- .IP "accept *:*"
- .RE
- .PD
- .LP
- .TP
- \fBExitPolicyRejectPrivate \fR\fB0\fR|\fB1\fR\fP
- Reject all private (local) networks at the beginning of your exit
- policy. See above entry on ExitPolicy. (Default: 1)
- .LP
- .TP
- \fBMaxOnionsPending \fR\fINUM\fP
- If you have more than this number of onionskins queued for decrypt, reject new ones. (Default: 100)
- .LP
- .TP
- \fBMyFamily \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- Declare that this Tor server is controlled or administered by a group
- or organization identical or similar to that of the other named servers.
- When two servers both declare that they are in the same 'family', Tor clients
- will not use them in the same circuit. (Each server only needs to list the
- other servers in its family; it doesn't need to list itself, but it won't hurt.)
- .LP
- .TP
- \fBNickname \fR\fIname\fP
- Set the server's nickname to 'name'. Nicknames must be between 1
- and 19 characters inclusive, and must contain only the characters
- [a-zA-Z0-9].
- .LP
- .TP
- \fBNumCPUs \fR\fInum\fP
- How many processes to use at once for decrypting onionskins. (Default: 1)
- .LP
- .TP
- \fBORPort \fR\fIPORT\fP
- Advertise this port to listen for connections from Tor clients and servers.
- .LP
- .TP
- \fBORListenAddress \fR\fIIP\fR[:\fIPORT\fR]\fP
- Bind to this IP address to listen for connections from Tor clients and
- servers. If you specify a port, bind to this port rather than the one
- specified in ORPort. (Default: 0.0.0.0)
- This directive can be specified multiple times to bind to multiple
- addresses/ports.
- .LP
- .TP
- \fBPublishServerDescriptor \fR\fB0\fR|\fB1\fR\fP
- If set to 0, Tor will act as a server if you have an ORPort
- defined, but it will not publish its descriptor to the dirservers. This
- option is useful if you're testing out your server, or if you're using
- a Tor controller that handles directory publishing for you.
- (Default: 1)
- .LP
- .TP
- \fBRedirectExit \fR\fIpattern target\fP
- Whenever an outgoing connection tries to connect to one of a given set
- of addresses, connect to \fItarget\fP (an \fIaddress:port\fP pair) instead.
- The address
- pattern is given in the same format as for an exit policy. The
- address translation applies after exit policies are applied. Multiple
- \fBRedirectExit\fP options can be used: once any one has matched
- successfully, no subsequent rules are considered. You can specify that no
- redirection is to be performed on a given set of addresses by using the
- special target string "pass", which prevents subsequent rules from being
- considered.
- .LP
- .TP
- \fBShutdownWaitLength\fR \fINUM\fP
- When we get a SIGINT and we're a server, we begin shutting down: we close
- listeners and start refusing new circuits. After \fBNUM\fP seconds,
- we exit. If we get a second SIGINT, we exit immediately. (Default:
- 30 seconds)
- .LP
- .TP
- \fBAccountingMax \fR\fIN\fR \fBbytes\fR|\fBKB\fR|\fBMB\fR|\fBGB\fR|\fBTB\fP
- Never send more than the specified number of bytes in a given
- accounting period, or receive more than that number in the period.
- For example, with AccountingMax set to 1 GB, a server could send 900 MB
- and receive 800 MB and continue running. It will only hibernate once one
- of the two reaches 1 GB.
- When the number of bytes is exhausted, Tor will hibernate until some
- time in the next accounting period. To prevent all servers from
- waking at the same time, Tor will also wait until a random point in
- each period before waking up. If you have bandwidth cost issues,
- enabling hibernation is preferable to setting a low bandwidth, since it
- provides users with a collection of fast servers that are up some of
- the time, which is more useful than a set of slow servers that are
- always "available".
- .LP
- .TP
- \fBAccountingStart \fR\fBday\fR|\fBweek\fR|\fBmonth\fR [\fIday\fR] \fIHH:MM\fR\fP
- Specify how long accounting periods last. If \fBmonth\fP is given,
- each accounting period runs from the time \fIHH:MM\fR on the
- \fIday\fRth day of one month to the same day and time of the next.
- (The day must be between 1 and 28.) If \fBweek\fP is given, each
- accounting period runs from the time \fIHH:MM\fR of the \fIday\fRth
- day of one week to the same day and time of the next week, with Monday
- as day 1 and Sunday as day 7. If \fBday\fR is given, each accounting
- period runs from the time \fIHH:MM\fR each day to the same time on the
- next day. All times are local, and given in 24-hour time. (Defaults to
- "month 1 0:00".)
- .LP
- .TP
- \fBServerDNSResolvConfFile \fR\fIfilename\fP
- Overrides the default DNS configuration with the configuration in
- \fIfilename\fP. The file format is the same as the standard Unix
- "\fBresolv.conf\fP" file (7). This option only affects name lookup for
- addresses requested by clients; and only takes effect if Tor was built with
- eventdns support. (Defaults to use the system DNS configuration.)
- .LP
- .TP
- \fBServerDNSSearchDomains \fR\fB0\fR|\fB1\fR\fP
- If set to \fB1\fP, then we will search for addresses in the local search
- domain. For example, if this system is configured to believe it is in
- "example.com", and a client tries to connect to "www", the client will be
- connected to "www.example.com".
- This option only affects name lookup for addresses requested by clients.
- (Defaults to "0".)
- .LP
- .TP
- \fBServerDNSDetectHijacking \fR\fB0\fR|\fB1\fR\fP
- When this option is set to 1, we will test periodically to determine whether
- our local nameservers have been configured to hijack failing DNS requests
- (usually to an advertising site). If they are, we will attempt to correct
- this. This option only affects name lookup for addresses requested by
- clients; and only takes effect if Tor was built with eventdns support.
- (Defaults to "1".)
- .SH DIRECTORY SERVER OPTIONS
- .PP
- The following options are useful only for directory servers (that is, if \fBDirPort\fP is non-zero):
- .LP
- .TP
- \fBAuthoritativeDirectory \fR\fB0\fR|\fB1\fR\fP
- When this option is set to 1, Tor operates as an authoritative
- directory server. Instead of caching the directory, it generates its
- own list of good servers, signs it, and sends that to the clients.
- Unless the clients already have you listed as a trusted directory, you
- probably do not want to set this option. Please coordinate with the other
- admins at tor-ops@freehaven.net if you think you should be a directory.
- .LP
- .TP
- \fBV1AuthoritativeDirectory \fR\fB0\fR|\fB1\fR\fP
- When this option is set in addition to \fBAuthoritativeDirectory\fP, Tor also
- generates a version 1 directory (for Tor clients up to 0.1.0.x).
- (As of Tor 0.1.1.12 every (v2) authoritative directory still provides most of
- the v1 directory functionality, even without this option set to 1.
- This however is expected to change in the future.)
- .LP
- .TP
- \fBVersioningAuthoritativeDirectory \fR\fB0\fR|\fB1\fR\fP
- When this option is set to 1, Tor adds information on
- which versions of Tor are still believed safe for use to
- the published directory. Each version 1 authority is
- automatically a versioning authority; version 2 authorities
- provide this service optionally. See \fBRecommendedVersions\fP,
- \fBRecommendedClientVersions\fP, and \fBRecommendedServerVersions\fP.
- .LP
- .TP
- \fBNamingAuthoritativeDirectory \fR\fB0\fR|\fB1\fR\fP
- When this option is set to 1, then the server advertises that it has
- opinions about nickname-to-fingerprint bindings. It will include these
- opinions in its published network-status pages, by listing servers with
- the flag "Named" if a correct binding between that nickname and
- fingerprint has been registered with the dirserver. Naming dirservers
- will refuse to accept or publish descriptors that contradict a
- registered binding. See \fBapproved-routers\fP in the \fBFILES\fP
- section below.
- .LP
- .TP
- \fBHSAuthoritativeDir \fR\fB0\fR|\fB1\fR\fP
- When this option is set in addition to \fBAuthoritativeDirectory\fP, Tor also
- accepts and serves hidden service descriptors. (Default: 0)
- .LP
- .TP
- \fBDirPort \fR\fIPORT\fP
- Advertise the directory service on this port.
- .LP
- .TP
- \fBDirListenAddress \fR\fIIP\fR[:\fIPORT\fR]\fP
- Bind the directory service to this address. If you specify a port, bind
- to this port rather than the one specified in DirPort. (Default: 0.0.0.0)
- This directive can be specified multiple times to bind to multiple
- addresses/ports.
- .LP
- .TP
- \fBDirPolicy \fR\fIpolicy\fR,\fIpolicy\fR,\fI...\fP
- Set an entrance policy for this server, to limit who can connect to the
- directory ports.
- The policies have the same form as exit policies above.
- .LP
- .TP
- \fBRecommendedVersions \fR\fISTRING\fP
- STRING is a comma-separated list of Tor versions currently believed
- to be safe. The list is included in each directory, and nodes which
- pull down the directory learn whether they need to upgrade. This
- option can appear multiple times: the values from multiple lines are
- spliced together.
- When this is set then
- \fBVersioningAuthoritativeDirectory\fP should be set too.
- .LP
- .TP
- \fBRecommendedClientVersions \fR\fISTRING\fP
- STRING is a comma-separated list of Tor versions currently believed
- to be safe for clients to use. This information is included in version 2
- directories. If this is not set then the value of \fBRecommendedVersions\fR
- is used.
- When this is set then
- \fBVersioningAuthoritativeDirectory\fP should be set too.
- .LP
- .TP
- \fBRecommendedServerVersions \fR\fISTRING\fP
- STRING is a comma-separated list of Tor versions currently believed
- to be safe for servers to use. This information is included in version 2
- directories. If this is not set then the value of \fBRecommendedVersions\fR
- is used.
- When this is set then
- \fBVersioningAuthoritativeDirectory\fP should be set too.
- .LP
- .TP
- \fBDirAllowPrivateAddresses \fR\fB0\fR|\fB1\fR\fP
- If set to 1, Tor will accept router descriptors with arbitrary "Address"
- elements. Otherwise, if the address is not an IP or is a private IP,
- it will reject the router descriptor. Defaults to 0.
- .LP
- .TP
- \fBAuthDirBadExit \fR\fIAddressPattern\fR...\fP
- Authoritative directories only. A set of address patterns for servers that
- will be listed as bad exits in any network status document this authority
- publishes, if \fBAuthDirListBadExits\fR is set.
- .LP
- .TP
- \fBAuthDirInvalid \fR\fIAddressPattern\fR...\fP
- Authoritative directories only. A set of address patterns for servers that
- will never be listed as "valid" in any network status document that this
- authority publishes.
- .LP
- .TP
- \fBAuthDirReject \fR\fIAddressPattern\fR...\fP
- Authoritative directories only. A set of address patterns for servers that
- will never be listed at all in any network status document that this
- authority publishes, or accepted as an OR address in any descriptor submitted
- for publication by this authority.
- .LP
- .TP
- \fBAuthDirListBadExits \fR\fB0\fR|\fB1\fR\fP
- Authoritative directories only. If set to 1, this directory has
- some opinion about which nodes are unsuitable as exit nodes. (Do not
- set this to 1 unless you plan to list nonfunctioning exits as bad;
- otherwise, you are effectively voting in favor of every declared exit
- as an exit.)
- .LP
- .TP
- \fBAuthDirRejectUnlisted \fR\fB0\fR|\fB1\fR\fP
- Authoritative directories only. If set to 1, the directory server
- rejects all uploaded server descriptors that aren't explicitly listed
- in the fingerprints file. This acts as a "panic button" if we get
- Sybiled. (Default: 0)
- .SH HIDDEN SERVICE OPTIONS
- .PP
- The following options are used to configure a hidden service.
- .LP
- .TP
- \fBHiddenServiceDir \fR\fIDIRECTORY\fP
- Store data files for a hidden service in DIRECTORY. Every hidden
- service must have a separate directory. You may use this option multiple
- times to specify multiple services.
- .LP
- .TP
- \fBHiddenServicePort \fR\fIVIRTPORT \fR[\fITARGET\fR]\fP
- Configure a virtual port VIRTPORT for a hidden service. You may use this
- option multiple times; each time applies to the service using the most recent
- hiddenservicedir. By default, this option maps the virtual port to the
- same port on 127.0.0.1. You may override the target port, address, or both
- by specifying a target of addr, port, or addr:port.
- .LP
- .TP
- \fBHiddenServiceNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- If possible, use the specified nodes as introduction points for the hidden
- service. If this is left unset, Tor will be smart and pick some reasonable
- ones; most people can leave this unset.
- .LP
- .TP
- \fBHiddenServiceExcludeNodes \fR\fInickname\fR,\fInickname\fR,\fI...\fP
- Do not use the specified nodes as introduction points for the hidden
- service. In normal use there is no reason to set this.
- .LP
- .TP
- \fBPublishHidServDescriptors \fR\fB0\fR|\fB1\fR\fP
- If set to 0, Tor will run any hidden services you configure, but it won't
- advertise them to the rendezvous directory. This option is only useful
- if you're using a Tor controller that handles hidserv publishing for you.
- (Default: 1)
- .LP
- .TP
- \fBRendPostPeriod \fR\fIN\fR \fBseconds\fR|\fBminutes\fR|\fBhours\fR|\fBdays\fR|\fBweeks\fP
- Every time the specified period elapses, Tor uploads any rendezvous
- service descriptors to the directory servers. This information is also
- uploaded whenever it changes. (Default: 20 minutes)
- .\" UNDOCUMENTED
- .\" ignoreversion
- .SH SIGNALS
- Tor catches the following signals:
- .LP
- .TP
- \fBSIGTERM\fR
- Tor will catch this, clean up and sync to disk if necessary, and exit.
- .LP
- .TP
- \fBSIGINT\fR
- Tor clients behave as with SIGTERM; but Tor servers will do a controlled
- slow shutdown, closing listeners and waiting 30 seconds before exiting.
- (The delay can be configured with the ShutdownWaitLength config option.)
- .LP
- .TP
- \fBSIGHUP\fR
- The signal instructs Tor to reload its configuration (including closing
- and reopening logs), fetch a new directory, and kill and restart its
- helper processes if applicable.
- .LP
- .TP
- \fBSIGUSR1\fR
- Log statistics about current connections, past connections, and
- throughput.
- .LP
- .TP
- \fBSIGUSR2\fR
- Switch all logs to loglevel debug. You can go back to the old loglevels
- by sending a SIGHUP.
- .LP
- .TP
- \fBSIGCHLD\fR
- Tor receives this signal when one of its helper processes has exited,
- so it can clean up.
- .LP
- .TP
- \fBSIGPIPE\fR
- Tor catches this signal and ignores it.
- .LP
- .TP
- \fBSIGXFSZ\fR
- If this signal exists on your platform, Tor catches and ignores it.
- .SH FILES
- .LP
- .TP
- .B @CONFDIR@/torrc
- The configuration file, which contains "option value" pairs.
- .LP
- .TP
- .B @LOCALSTATEDIR@/lib/tor/
- The tor process stores keys and other data here.
- .LP
- .TP
- .B \fIDataDirectory\fP/approved-routers
- Only for naming authoritative directory servers
- (see \fBNamingAuthoritativeDirectory\fP).
- This file lists nickname to identity bindings. Each line lists a
- nickname and a fingerprint seperated by whitespace. See your
- \fBfingerprint\fP file in the \fIDataDirectory\fP for an example line.
- If the nickname is \fB!reject\fP then descriptors from the given
- identity (fingerprint) are rejected by the authoritative directory
- server. If it is \fB!invalid\fP then descriptors are accepted but marked
- in the directory as not valid, that is, not recommended.
- .SH SEE ALSO
- .BR privoxy (1),
- .BR tsocks (1),
- .BR torify (1)
- .BR http://tor.eff.org/
- .SH BUGS
- Plenty, probably. Tor is still in development. Please report them.
- .SH AUTHORS
- Roger Dingledine <arma@mit.edu>, Nick Mathewson <nickm@alum.mit.edu>.
|