Diffstat (limited to 'doc/man/tor.1.txt')
-rw-r--r-- | doc/man/tor.1.txt | 81 |
1 files changed, 70 insertions, 11 deletions
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index 3672444c5d..1589809b1a 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -335,7 +335,7 @@ forward slash (/) in the configuration file and on the command line. to mess with it. (Default: -1) [[ClientTransportPlugin]] **ClientTransportPlugin** __transport__ socks4|socks5 __IP__:__PORT__:: -**ClientTransportPlugin** __transport__ exec __path-to-binary__ [options]:: +[[ClientTransportPlugin-2]] **ClientTransportPlugin** __transport__ exec __path-to-binary__ [options]:: In its first form, when set along with a corresponding Bridge line, the Tor client forwards its traffic to a SOCKS-speaking proxy on "IP:PORT". (IPv4 addresses should written as-is; IPv6 addresses should be wrapped in @@ -348,6 +348,19 @@ forward slash (/) in the configuration file and on the command line. forwards its traffic to it. It's the duty of that proxy to properly forward the traffic to the bridge. (Default: none) +[[ConfluxEnabled]] **ConfluxEnabled** **0**|**1**|**auto**:: + If this option is set to 1, general purpose traffic will use Conflux which + is traffic splitting among multiple legs (circuits). Onion services are not + supported at the moment. Default value is set to "auto" meaning the + consensus is used to decide unless set. (Default: auto) + +[[ConfluxClientUX]] **ConfluxClientUX** **throughput**|**latency**|**throughput_lowmem**|**latency_lowmem**:: + This option configures the user experience that the client requests from + the exit, for data that the exit sends to the client. The default is + "throughput", which maximizes throughput. "Latency" will tell the exit to + only use the circuit with lower latency for all data. The lowmem versions + minimize queue usage memory at the client. (Default: "throughput") + [[ConnLimit]] **ConnLimit** __NUM__:: The minimum number of file descriptors that must be available to the Tor process before it will start. Tor will ask the OS for as many file 
@@ -860,6 +873,7 @@ forward slash (/) in the configuration file and on the command line. \_relayed traffic_ to the given number of bytes in each direction. They do not include directory fetches by the relay (from authority or other relays), because that is considered "client" activity. (Default: 0) + RelayBandwidthBurst defaults to the value of RelayBandwidthRate if unset. [[RelayBandwidthRate]] **RelayBandwidthRate** __N__ **bytes**|**KBytes**|**MBytes**|**GBytes**|**TBytes**|**KBits**|**MBits**|**GBits**|**TBits**:: If not 0, a separate token bucket limits the average incoming bandwidth @@ -869,6 +883,7 @@ forward slash (/) in the configuration file and on the command line. requests, but that may change in future versions. They do not include directory fetches by the relay (from authority or other relays), because that is considered "client" activity. (Default: 0) + RelayBandwidthRate defaults to the value of RelayBandwidthBurst if unset. [[RephistTrackTime]] **RephistTrackTime** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: Tells an authority, or other node tracking node reliability and history, @@ -1172,7 +1187,7 @@ The following options are useful only for clients (that is, if entry nodes over IPv6. For IPv6 only hosts, you need to also set **ClientUseIPv4** to 0 to disable IPv4. Note that clients configured with an IPv6 address in a **Bridge**, proxy, or pluggable transportline will - try connecting over IPv6 even if **ClientUseIPv6** is set to 0. (Default: 0) + try connecting over IPv6 even if **ClientUseIPv6** is set to 0. (Default: 1) [[ConnectionPadding]] **ConnectionPadding** **0**|**1**|**auto**:: This option governs Tor's use of padding to defend against some forms of 
@@ -3013,14 +3028,14 @@ Denial of Service mitigation subsystem described above. (Default: auto) -As for onion services, only one possible mitigation exists. It was intended to -protect the network first and thus do not help the service availability or -reachability. +For onion services, mitigations are a work in progress and multiple options +are currently available. -The mitigation we put in place is a rate limit of the amount of introduction -that happens at the introduction point for a service. In other words, it rates -limit the number of clients that are attempting to reach the service at the -introduction point instead of at the service itself. +The introduction point defense is a rate limit on the number of introduction +requests that will be forwarded to a service by each of its honest +introduction point routers. This can prevent some types of overwhelming floods +from reaching the service, but it will also prevent legitimate clients from +establishing new connections. The following options are per onion service: 
@@ -3074,6 +3089,51 @@ The bottom line is that this protects the network by preventing an onion service to flood the network with new rendezvous circuits that is reducing load on the network. +A secondary mitigation is available, based on prioritized dispatch of rendezvous +circuits for new connections. The queue is ordered based on effort a client +chooses to spend at computing a proof-of-work function. + +The following options are per onion service: + +[[HiddenServicePoWDefensesEnabled]] **HiddenServicePoWDefensesEnabled** **0**|**1**:: + + Enable proof-of-work based service DoS mitigation. If set to 1 (enabled), + tor will include parameters for an optional client puzzle in the encrypted + portion of this hidden service's descriptor. Incoming rendezvous requests + will be prioritized based on the amount of effort a client chooses to make + when computing a solution to the puzzle. The service will periodically update + a suggested amount of effort, based on attack load, and disable the puzzle + entirely when the service is not overloaded. + (Default: 0) + +[[HiddenServicePoWQueueRate]] **HiddenServicePoWQueueRate** __NUM__:: + + The sustained rate of rendezvous requests to dispatch per second from + the priority queue. Has no effect when proof-of-work is disabled. + If this is set to 0 there's no explicit limit and we will process + requests as quickly as possible. + (Default: 250) + +[[HiddenServicePoWQueueBurst]] **HiddenServicePoWQueueBurst** __NUM__:: + + The maximum burst size for rendezvous requests handled from the + priority queue at once. (Default: 2500) + +These options are applicable to both onion services and their clients: + +[[CompiledProofOfWorkHash]] **CompiledProofOfWorkHash** **0**|**1**|**auto**:: + When proof-of-work DoS mitigation is active, both the services themselves + and the clients which connect will use a dynamically generated hash + function as part of the puzzle computation. 
+ + + If this option is set to 1, puzzles will only be solved and verified using + the compiled implementation (about 20x faster) and we choose to fail rather + than using a slower fallback. If it's 0, the compiler will never be used. + By default, the compiler is always tried if possible but the interpreter is + available as a fallback. (Default: auto) + +See also <<opt-list-modules,`--list-modules`>>, these proof of work options +have no effect unless the "`pow`" module is enabled at compile time. == DIRECTORY AUTHORITY SERVER OPTIONS @@ -3532,7 +3592,7 @@ Service side: configured, the service will be accessible to anyone with the onion address. Revoking a client can be done by removing their ".auth" file, however the - revocation will be in effect only after the tor process gets restarted even if + revocation will be in effect only after the tor process gets restarted or if a SIGHUP takes place. Client side: @@ -3588,7 +3648,6 @@ The following options are used for running a testing Tor network. TestingDirConnectionMaxStall 30 seconds TestingEnableConnBwEvent 1 TestingEnableCellStatsEvent 1 - RendPostPeriod 2 minutes [[TestingAuthDirTimeToLearnReachability]] **TestingAuthDirTimeToLearnReachability** __N__ **seconds**|**minutes**|**hours**:: After starting as an authority, do not make claims about whether routers |
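Review bot: in the hunk at @@ -335, the new ConfluxEnabled entry says the default twice and leaves "unless set" dangling: "Default value is set to "auto" meaning the consensus is used to decide unless set. (Default: auto)". Suggest "When set to auto, the consensus parameter decides whether Conflux is used." and keep only the trailing "(Default: auto)" marker; "which is traffic splitting among multiple legs (circuits)" reads better as "which splits traffic across multiple circuits (legs)". In the ConfluxClientUX entry, the value names should match the option syntax on the `::` line: write `latency` rather than "Latency", and state that `throughput_lowmem` and `latency_lowmem` are the low-memory variants of the two preceding values instead of "The lowmem versions".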
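Review bot: the two lines added in the hunks at @@ -860 and @@ -869 are circular: "RelayBandwidthBurst defaults to the value of RelayBandwidthRate if unset." and "RelayBandwidthRate defaults to the value of RelayBandwidthBurst if unset.", while both entries still end with "(Default: 0)" on the line just above. State which option is derived from which when only one of them is configured, what happens when neither is, and make the "(Default: …)" markers agree with that.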
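Review bot: the hunk at @@ -1172 changes the documented ClientUseIPv6 default from 0 to 1, but this commit touches only doc/man/tor.1.txt (see the diffstat), so confirm that the configuration code already uses 1 before merging; the man page should not disagree with the code on a default. The preceding sentences ("For IPv6 only hosts, you need to also set **ClientUseIPv4** to 0 to disable IPv4") still read as instructions for switching IPv6 on, so consider rewording them around the now-default behaviour and how to disable IPv6.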
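Review bot: in the hunk at @@ -3013, "by each of its honest introduction point routers" introduces "honest" without spelling out what it implies, namely that the limit is enforced by the introduction point and therefore only by introduction points that cooperate; say that plainly rather than leaving the reader to infer it from one adjective. The last sentence, "but it will also prevent legitimate clients from establishing new connections", should be qualified with "while the limit is being exceeded", otherwise it reads as if the defense always blocks clients.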
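Review bot: the CompiledProofOfWorkHash entry in the hunk at @@ -3074 switches terminology between its two paragraphs: the first speaks of "a dynamically generated hash function", the second of "the compiled implementation", "the compiler" and "the interpreter" without saying that these are the two ways the generated function can be executed; add one sentence linking them, and say what "we choose to fail" means for an operator (is the puzzle not published, do client connections fail?). "about 20x faster" is an unsourced figure for a man page; either cite where it was measured or drop it. HiddenServicePoWQueueBurst should carry the same "Has no effect when proof-of-work is disabled" remark as HiddenServicePoWQueueRate and say how the burst applies when the rate is 0. Layout: the PoW entries put a blank line after the "::" line and there are two consecutive blank continuation lines before "If this option is set to 1", whereas the Conflux entries added in the same patch follow the file's existing layout with the description directly under the term; match that. Finally, "See also <<opt-list-modules,`--list-modules`>>, these proof of work options have no effect" is a comma splice and mixes "proof of work" with the "proof-of-work" used elsewhere in the hunk; suggest "See also <<opt-list-modules,`--list-modules`>>; these proof-of-work options have no effect unless ...".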
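Review bot: the hunk at @@ -3532 inverts a behaviour claim, from "restarted even if a SIGHUP takes place" (a SIGHUP is not enough) to "restarted or if a SIGHUP takes place" (a SIGHUP is enough); make sure the reload path actually re-reads the client ".auth" files, since this is not a wording fix. The resulting sentence, "revocation will be in effect only after the tor process gets restarted or if a SIGHUP takes place", reads better as "revocation takes effect only after the tor process is restarted or receives a SIGHUP".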
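Review bot: the hunk at @@ -3588 drops "RendPostPeriod 2 minutes" from the list of values that TestingTorNetwork overrides without any accompanying change elsewhere in the man page. If RendPostPeriod is still a valid option that is merely no longer overridden in testing networks, the RendPostPeriod entry should say so; if the option was removed altogether, that entry needs to be removed from the man page in the same change.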