| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN""http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"><head>  <title>Tor Server Configuration Instructions</title>  <meta name="Author" content="Roger Dingledine" />  <meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />  <link rel="stylesheet" type="text/css" href="stylesheet.css" />  <link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" /></head><body><!-- TITLE BAR & NAVIGATION --><table class="banner" border="0" cellpadding="0" cellspacing="0">    <tr>        <td class="banner-left"></td>        <td class="banner-middle">            <a href="/index.html">Home</a>          | <a href="/howitworks.html">How It Works</a>          | <a href="/download.html">Download</a>          | <a href="/documentation.html">Docs</a>          | <a href="/users.html">Users</a>          | <a href="/faq.html">FAQs</a>          | <a href="/volunteer.html">Volunteer</a>          | <a href="/developers.html">Developers</a>          | <a href="/research.html">Research</a>          | <a href="/people.html">People</a>        </td>        <td class="banner-right"></td>    </tr></table><!-- END TITLE BAR & NAVIGATION --><div class="center"><div class="main-column"><h1>Configuring a <a href="http://tor.eff.org/">Tor</a> server</h1><br /><p>The Tor network relies on volunteers to donate bandwidth. The morepeople who run servers, the faster the Tor network will be. If you haveat least 20 kilobytes/s each way, please help out Tor by configuring yourTor to be a server too. We have many features that make Tor servers easyand convenient, including rate limiting for bandwidth, exit policies soyou can limit your exposure to abuse complaints, and support for dynamicIP addresses.</p><p>Having servers in many different places on the Internet is whatmakes Tor users secure. You may also get stronger anonymity yourself,since remote sites can't know whether connections originated at yourcomputer or were relayed from others.</p><p>Setting up a Tor server is easy and convenient:<ul><li>Tor has built-in support for <ahref="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">ratelimiting</a>. Further, if you have a fast linkbut want to limit the number of bytes per day(or week or month) that you donate, check out the <ahref="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation">hibernationfeature</a>.</li><li>Each Tor server has an <ahref="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut">exitpolicy</a> that specifies what sort of outbound connections are allowedor refused from that server. If you are uncomfortable allowing peopleto exit from your server, you can set it up to only allow connectionsto other Tor servers.</li><li>It's fine if the server goes offline sometimes. The directoriesnotice this quickly and stop advertising the server. Just try to makesure it's not too often, since connections using the server when itdisconnects will break.</li><li>We can handle servers with dynamic IPs just fine, as long as theserver itself knows its IP. Have a look at this<a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#DynamicIP">entry in the FAQ</a>.</li><li>If your server is behind a NAT and it doesn't know its publicIP (e.g. it has an IP of 192.168.x.y), you'll need to set up portforwarding. Forwarding TCP connections is system dependent but <ahref="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients">this FAQ entry</a> offers some examples on how to do this.</li><li>Your server will passively estimate and advertise its recentbandwidth capacity, so high-bandwidth servers will attract more users thanlow-bandwidth ones. Therefore having low-bandwidth servers is useful too.</li></ul><hr /><a id="zero"></a><h2><a class="anchor" href="#zero">Step Zero: Download and Install Tor</a></h2><br /><p>Before you start, you need to make sure that Tor is up and running.</p><p>For Windows users, this means at least <ahref="http://tor.eff.org/doc/tor-doc-win32.html#installing">step one</a>of the Windows Tor installation howto. Mac OS X users need to do at least<a href="http://tor.eff.org/doc/tor-doc-osx.html#installing">step one</a>of OS X Tor installation howto.  Linux/BSD/Unix users should do at least<a href="http://tor.eff.org/doc/tor-doc-unix.html#installing">step one</a>of the Unix Tor installation howto.</p><p>If it's convenient, you might also want to use it as a client for awhile to make sure it's actually working.</p><hr /><a id="one"></a><h2><a class="anchor" href="#one">Step One: Set it up as a server</a></h2><br /><p>1. Verify that your clock is set correctly. If possible, synchronizeyour clock with public time servers. Make sure name resolution works(that is, your computer can resolve addresses correctly).</p><p>2. Edit the bottom part of your torrc. (See <ahref="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#torrc">thisFAQ entry</a> for help.)Make sure to define at least Nickname and ORPort. Create the DataDirectoryif necessary, and make sure it's owned by the user that will be runningtor.</p><p>3. If you are using a firewall, open a hole in your firewall soincoming connections can reach the ports you configured (ORPort, plusDirPort if you enabled it). Make sure you allow all outgoing connections,so your server can reach the other Tor servers.</p><p>4. Start your server: if you installed from source you can justrun <tt>tor</tt>, whereas packages typically launch Tor from theirinitscripts or startup scripts. If it logs any warnings, address them. (Bydefault Tor logs to stdout, but some packages log to <tt>/var/log/tor/</tt>instead. You can edit your torrc to configure log locations.)</p><p>5. Subscribe to the <ahref="http://archives.seul.org/or/announce/">or-announce</a>mailing list. It is very low volume, and it will keep you informedof new stable releases. You might also consider subscribing to <ahref="http://archives.seul.org/or/talk/">or-talk</a> (higher volume),where new development releases are announced.</p><hr /><a id="two"></a><h2><a class="anchor" href="#two">Step Two: Make sure it's working</a></h2><br /><p>As soon as your server manages to connect to the network, it willtry to determine whether the ports you configured are reachable fromthe outside. This may take several minutes. The log entries will keepyou informed of its progress.</p><p>When it decides that it's reachable, it will upload a "serverdescriptor" to the directories. This will let clients knowwhat address, ports, keys, etc your server is using. You can <ahref="http://belegost.seul.org/">load the directory manually</a> andlook through it to find the nickname you configured, to make sure it'sthere. You may need to wait a few seconds to give enough time for it tomake a fresh directory.</p><hr /><a id="three"></a><h2><a class="anchor" href="#three">Step Three: Register your nickname</a></h2><br /><p>Once you are convinced it's working, you should register your server.This reserves your nickname so nobody else can take it, and lets uscontact you if you need to upgrade or something goes wrong.</p><p>Send mail to <ahref="mailto:tor-ops@freehaven.net">tor-ops@freehaven.net</a> with asubject of '[New Server] <your server's nickname>' andinclude the following information in the message:</p><ul><li>Your server's nickname</li><li>The fingerprint for your server's key (the contents of the"fingerprint" file in your DataDirectory -- on Windows, look in\<i>username</i>\Application Data\tor\ or \Application Data\tor\;on OS X, look in /Library/Tor/var/lib/tor/; and on Linux/BSD/Unix,look in /var/lib/tor or ~/.tor)</li><li>Who you are, so we know whom to contact if a problem arises</li><li>What kind of connectivity the new server will have</li></ul><hr /><a id="four"></a><h2><a class="anchor" href="#four">Step Four: Once it's working</a></h2><br /><p>We recommend the following steps as well:</p><p>6. Decide what exit policy you want. By default your server allowsaccess to many popular services, but we restrict some (such as port 25)due to abuse potential. You might want an exit policy that isless restrictive or more restrictive; edit your torrc appropriately.Read the FAQ entry on <ahref="http://tor.eff.org/faq-abuse.html#TypicalAbuses">issues you mightencounter if you use the default exit policy</a>.If you choose a particularly open exit policy, you should makesure your ISP is ok with that choice.</p><p>7. Decide about rate limiting. Cable modem, DSL, and other userswho have asymmetric bandwidth (e.g. more down than up) shouldrate limit to their slower bandwidth, to avoid congestion. See the <ahref="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">ratelimiting FAQ entry</a> for details.</p><p>8. If you control the name servers for your domain, consider settingyour hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when otherpeople see the address in their web logs, they will more quicklyunderstand what's going on.</p><p>9. If your computer isn't running a webserver, please considerchanging your ORPort to 443 and your DirPort to 80. Many Torusers are stuck behind firewalls that only let them browse theweb, and this change will let them reach your Tor server. Win32servers can simply change their ORPort and DirPort directlyin their torrc and restart Tor. OS X or Unix servers can't binddirectly to these ports (since they don't run as root), so they willneed to set up some sort of <ahref="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#ServerForFirewalledClients">port forwarding</a> so connections can reach their Tor server. If you areusing ports 80 and 443 already but still want to help out, other usefulports are 22, 110, and 143.</p><p>10. (Unix only). Make a separate user to run the server. If youinstalled the OS X package or the deb or the rpm, this is alreadydone. Otherwise, you can do it by hand. (The Tor server doesn't need tobe run as root, so it's good practice to not run it as root. Runningas a 'tor' user avoids issues with identd and other services thatdetect user name. If you're the paranoid sort, feel free to <ahref="http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot">put Torinto a chroot jail</a>.)</p><p>11. (Unix only.) Your operating system probably limits the numberof open file descriptors per process to 1024 (or even less). If youplan to be running a fast exit node, this is probably not enough. OnLinux, you should add a line like "toruser hard nofile 8192" to your/etc/security/limits.conf file (where toruser is the user that runs theTor process), and then restart Tor if it's installed as a package (or logout and log back in if you run it yourself). If that doesn't work, see <ahref="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#FileDescriptors">thisFAQ entry</a> for other suggested ways to run "ulimit -n 8192" beforeyou launch Tor.</p><p>12. If you installed Tor via some package or installer, it probably startsTor for you automatically on boot. But if you installed from source,you may find the initscripts in contrib/tor.sh or contrib/torctl useful.</p>When you change your Tor configuration, be sure to restart Tor, andremember to verify that your server still works correctly after thechange.<hr /><p>If you have suggestions for improving this document, please postthem on <a href="http://bugs.noreply.org/tor">our bugtracker</a> in thewebsite category. Thanks!</p>  </div><!-- #main --></div>  <div class="bottom" id="bottom">     <i><a href="mailto:tor-webmaster@freehaven.net"     class="smalllink">Webmaster</a></i> - $Id$  </div></body></html>
 |