tor-doc-server.html 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307
  1. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
  2. "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
  3. <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
  4. <head>
  5. <title>Tor Server Configuration Instructions</title>
  6. <meta name="Author" content="Roger Dingledine" />
  7. <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
  8. <link rel="stylesheet" type="text/css" href="http://tor.eff.org/stylesheet.css" />
  9. <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
  10. </head>
  11. <body>
  12. <!-- TITLE BAR & NAVIGATION -->
  13. <table class="banner" border="0" cellpadding="0" cellspacing="0">
  14. <tr>
  15. <td class="banner-left"></td>
  16. <td class="banner-middle">
  17. <a href="/index.html">Home</a>
  18. | <a href="/howitworks.html">How It Works</a>
  19. | <a href="/download.html">Download</a>
  20. | <a href="/documentation.html">Docs</a>
  21. | <a href="/users.html">Users</a>
  22. | <a href="/faq.html">FAQs</a>
  23. | <a href="/volunteer.html">Volunteer</a>
  24. | <a href="/developers.html">Developers</a>
  25. | <a href="/research.html">Research</a>
  26. | <a href="/people.html">People</a>
  27. </td>
  28. <td class="banner-right"></td>
  29. </tr>
  30. </table>
  31. <!-- END TITLE BAR & NAVIGATION -->
  32. <div class="center">
  33. <div class="main-column">
  34. <h1>Configuring a <a href="http://tor.eff.org/">Tor</a> server</h1>
  35. <br />
  36. <p>
  37. The Tor network relies on volunteers to donate bandwidth. The more
  38. people who run servers, the faster the Tor network will be. If you have
  39. at least 20 kilobytes/s each way, please help out Tor by configuring your
  40. Tor to be a server too. We have many features that make Tor servers easy
  41. and convenient, including rate limiting for bandwidth, exit policies so
  42. you can limit your exposure to abuse complaints, and support for dynamic
  43. IP addresses.</p>
  44. <p>Having servers in many different places on the Internet is what
  45. makes Tor users secure. You may also get stronger anonymity yourself,
  46. since remote sites can't know whether connections originated at your
  47. computer or were relayed from others.</p>
  48. <p>Setting up a Tor server is easy and convenient:
  49. <ul>
  50. <li>Tor has built-in support for <a
  51. href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
  52. limiting</a>. Further, if you have a fast link
  53. but want to limit the number of bytes per day
  54. (or week or month) that you donate, check out the <a
  55. href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation">hibernation
  56. feature</a>.
  57. </li>
  58. <li>Each Tor server has an <a
  59. href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut">exit
  60. policy</a> that specifies what sort of outbound connections are allowed
  61. or refused from that server. If you are uncomfortable allowing people
  62. to exit from your server, you can set it up to only allow connections
  63. to other Tor servers.
  64. </li>
  65. <li>It's fine if the server goes offline sometimes. The directories
  66. notice this quickly and stop advertising the server. Just try to make
  67. sure it's not too often, since connections using the server when it
  68. disconnects will break.
  69. </li>
  70. <li>We can handle servers with dynamic IPs just fine, as long as the
  71. server itself knows its IP. Have a look at this
  72. <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#DynamicIP">
  73. entry in the FAQ</a>.
  74. </li>
  75. <li>If your server is behind a NAT and it doesn't know its public
  76. IP (e.g. it has an IP of 192.168.x.y), you'll need to set up port
  77. forwarding. Forwarding TCP connections is system dependent but <a
  78. href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledCli
  79. ents">this FAQ entry</a> offers some examples on how to do this.
  80. </li>
  81. <li>Your server will passively estimate and advertise its recent
  82. bandwidth capacity, so high-bandwidth servers will attract more users than
  83. low-bandwidth ones. Therefore having low-bandwidth servers is useful too.
  84. </li>
  85. </ul>
  86. <hr />
  87. <a id="zero"></a>
  88. <h2><a class="anchor" href="#zero">Step Zero: Download and Install Tor</a></h2>
  89. <br />
  90. <p>Before you start, you need to make sure that Tor is up and running.
  91. </p>
  92. <p>For Windows users, this means at least <a
  93. href="http://tor.eff.org/doc/tor-doc-win32.html#installing">step one</a>
  94. of the Windows Tor installation howto. Mac OS X users need to do at least
  95. <a href="http://tor.eff.org/doc/tor-doc-osx.html#installing">step one</a>
  96. of OS X Tor installation howto. Linux/BSD/Unix users should do at least
  97. <a href="http://tor.eff.org/doc/tor-doc-unix.html#installing">step one</a>
  98. of the Unix Tor installation howto.
  99. </p>
  100. <p>If it's convenient, you might also want to use it as a client for a
  101. while to make sure it's actually working.</p>
  102. <hr />
  103. <a id="one"></a>
  104. <h2><a class="anchor" href="#one">Step One: Set it up as a server</a></h2>
  105. <br />
  106. <p>
  107. 1. Verify that your clock is set correctly. If possible, synchronize
  108. your clock with public time servers. Make sure name resolution works
  109. (that is, your computer can resolve addresses correctly).
  110. </p>
  111. <p>2. Edit the bottom part of your torrc. (See <a
  112. href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#torrc">this
  113. FAQ entry</a> for help.)
  114. Make sure to define at least Nickname and ORPort. Create the DataDirectory
  115. if necessary, and make sure it's owned by the user that will be running
  116. tor.
  117. </p>
  118. <p>
  119. 3. If you are using a firewall, open a hole in your firewall so
  120. incoming connections can reach the ports you configured (ORPort, plus
  121. DirPort if you enabled it). Make sure you allow all outgoing connections,
  122. so your server can reach the other Tor servers.
  123. </p>
  124. <p>
  125. 4. Start your server: if you installed from source you can just
  126. run <tt>tor</tt>, whereas packages typically launch Tor from their
  127. initscripts or startup scripts. If it logs any warnings, address them. (By
  128. default Tor logs to stdout, but some packages log to <tt>/var/log/tor/</tt>
  129. instead. You can edit your torrc to configure log locations.)
  130. </p>
  131. <p>
  132. 5. Subscribe to the <a
  133. href="http://archives.seul.org/or/announce/">or-announce</a>
  134. mailing list. It is very low volume, and it will keep you informed
  135. of new stable releases. You might also consider subscribing to <a
  136. href="http://archives.seul.org/or/talk/">or-talk</a> (higher volume),
  137. where new development releases are announced.
  138. </p>
  139. <hr />
  140. <a id="two"></a>
  141. <h2><a class="anchor" href="#two">Step Two: Make sure it's working</a></h2>
  142. <br />
  143. <p>As soon as your server manages to connect to the network, it will
  144. try to determine whether the ports you configured are reachable from
  145. the outside. This may take several minutes. The log entries will keep
  146. you informed of its progress.</p>
  147. <p>When it decides that it's reachable, it will upload a "server
  148. descriptor" to the directories. This will let clients know
  149. what address, ports, keys, etc your server is using. You can <a
  150. href="http://belegost.seul.org/">load the directory manually</a> and
  151. look through it to find the nickname you configured, to make sure it's
  152. there. You may need to wait a few seconds to give enough time for it to
  153. make a fresh directory.</p>
  154. <hr />
  155. <a id="three"></a>
  156. <h2><a class="anchor" href="#three">Step Three: Register your nickname</a></h2>
  157. <br />
  158. <p>
  159. Once you are convinced it's working, you should register your server.
  160. This reserves your nickname so nobody else can take it, and lets us
  161. contact you if you need to upgrade or something goes wrong.
  162. </p>
  163. <p>
  164. Send mail to <a
  165. href="mailto:tor-ops@freehaven.net">tor-ops@freehaven.net</a> with a
  166. subject of '[New Server] &lt;your server's nickname&gt;' and
  167. include the following information in the message:
  168. </p>
  169. <ul>
  170. <li>Your server's nickname</li>
  171. <li>The fingerprint for your server's key (the contents of the
  172. "fingerprint" file in your DataDirectory -- on Windows, look in
  173. \<i>username</i>\Application&nbsp;Data\tor\ or \Application&nbsp;Data\tor\;
  174. on OS X, look in /Library/Tor/var/lib/tor/; and on Linux/BSD/Unix,
  175. look in /var/lib/tor or ~/.tor)
  176. </li>
  177. <li>Who you are, so we know whom to contact if a problem arises</li>
  178. <li>What kind of connectivity the new server will have</li>
  179. </ul>
  180. <hr />
  181. <a id="four"></a>
  182. <h2><a class="anchor" href="#four">Step Four: Once it's working</a></h2>
  183. <br />
  184. <p>
  185. We recommend the following steps as well:
  186. </p>
  187. <p>
  188. 6. Decide what exit policy you want. By default your server allows
  189. access to many popular services, but we restrict some (such as port 25)
  190. due to abuse potential. You might want an exit policy that is
  191. less restrictive or more restrictive; edit your torrc appropriately.
  192. Read the FAQ entry on <a
  193. href="http://tor.eff.org/faq-abuse.html#TypicalAbuses">issues you might
  194. encounter if you use the default exit policy</a>.
  195. If you choose a particularly open exit policy, you should make
  196. sure your ISP is ok with that choice.
  197. </p>
  198. <p>
  199. 7. Decide about rate limiting. Cable modem, DSL, and other users
  200. who have asymmetric bandwidth (e.g. more down than up) should
  201. rate limit to their slower bandwidth, to avoid congestion. See the <a
  202. href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
  203. limiting FAQ entry</a> for details.
  204. </p>
  205. <p>
  206. 8. If you control the name servers for your domain, consider setting
  207. your hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when other
  208. people see the address in their web logs, they will more quickly
  209. understand what's going on.
  210. </p>
  211. <p>
  212. 9. If your computer isn't running a webserver, please consider
  213. changing your ORPort to 443 and your DirPort to 80. Many Tor
  214. users are stuck behind firewalls that only let them browse the
  215. web, and this change will let them reach your Tor server. Win32
  216. servers can simply change their ORPort and DirPort directly
  217. in their torrc and restart Tor. OS X or Unix servers can't bind
  218. directly to these ports (since they don't run as root), so they will
  219. need to set up some sort of <a
  220. href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#ServerForFirewalledClients">
  221. port forwarding</a> so connections can reach their Tor server. If you are
  222. using ports 80 and 443 already but still want to help out, other useful
  223. ports are 22, 110, and 143.
  224. </p>
  225. <p>
  226. 10. (Unix only). Make a separate user to run the server. If you
  227. installed the OS X package or the deb or the rpm, this is already
  228. done. Otherwise, you can do it by hand. (The Tor server doesn't need to
  229. be run as root, so it's good practice to not run it as root. Running
  230. as a 'tor' user avoids issues with identd and other services that
  231. detect user name. If you're the paranoid sort, feel free to <a
  232. href="http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot">put Tor
  233. into a chroot jail</a>.)
  234. </p>
  235. <p>
  236. 11. (Unix only.) Your operating system probably limits the number
  237. of open file descriptors per process to 1024 (or even less). If you
  238. plan to be running a fast exit node, this is probably not enough. On
  239. Linux, you should add a line like "toruser hard nofile 8192" to your
  240. /etc/security/limits.conf file (where toruser is the user that runs the
  241. Tor process), and then restart Tor if it's installed as a package (or log
  242. out and log back in if you run it yourself). If that doesn't work, see <a
  243. href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#FileDescriptors">this
  244. FAQ entry</a> for other suggested ways to run "ulimit -n 8192" before
  245. you launch Tor.
  246. </p>
  247. <p>
  248. 12. If you installed Tor via some package or installer, it probably starts
  249. Tor for you automatically on boot. But if you installed from source,
  250. you may find the initscripts in contrib/tor.sh or contrib/torctl useful.
  251. </p>
  252. When you change your Tor configuration, be sure to restart Tor, and
  253. remember to verify that your server still works correctly after the
  254. change.
  255. <hr />
  256. <p>If you have suggestions for improving this document, please post
  257. them on <a href="http://bugs.noreply.org/tor">our bugtracker</a> in the
  258. website category. Thanks!</p>
  259. </div><!-- #main -->
  260. </div>
  261. <div class="bottom" id="bottom">
  262. <i><a href="mailto:tor-webmaster@freehaven.net"
  263. class="smalllink">Webmaster</a></i> - $Id$
  264. </div>
  265. </body>
  266. </html>