Diffstat (limited to 'doc/tor.1.txt')
-rw-r--r-- doc/tor.1.txt | 177
1 files changed, 130 insertions, 47 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 171193b794..b646a4c6e0 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -42,7 +42,8 @@ COMMAND-LINE OPTIONS [[opt-f]] **-f** __FILE__:: Specify a new configuration file to contain further Tor configuration - options. (Default: @CONFDIR@/torrc, or $HOME/.torrc if that file is not + options OR pass *-* to make Tor read its configuration from standard + input. (Default: @CONFDIR@/torrc, or $HOME/.torrc if that file is not found) [[opt-allow-missing-torrc]] **--allow-missing-torrc**:: @@ -72,7 +73,7 @@ COMMAND-LINE OPTIONS [[opt-serviceinstall]] **--service install** [**--options** __command-line options__]:: Install an instance of Tor as a Windows service, with the provided command-line options. Current instructions can be found at - https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#HowdoIrunmyTorrelayasanNTservice + https://www.torproject.org/docs/faq#NTService [[opt-service]] **--service** **remove**|**start**|**stop**:: Remove, start, or stop a configured Tor Windows service. @@ -273,7 +274,7 @@ GENERAL OPTIONS all sockets will be set to this limit. Must be a value between 2048 and 262144, in 1024 byte increments. Default of 8192 is recommended. -[[ControlPort]] **ControlPort** __PORT__|**auto**:: +[[ControlPort]] **ControlPort** __PORT__|**unix:**__path__|**auto**:: If set, Tor will accept connections on this port and allow those connections to control the Tor process using the Tor Control Protocol (described in control-spec.txt). Note: unless you also specify one or @@ -294,7 +295,7 @@ GENERAL OPTIONS [[ControlSocket]] **ControlSocket** __Path__:: Like ControlPort, but listens on a Unix domain socket, rather than a TCP - socket. (Unix and Unix-like systems only.) + socket. '0' disables ControlSocket (Unix and Unix-like systems only.) [[ControlSocketsGroupWritable]] **ControlSocketsGroupWritable** **0**|**1**:: If this option is set to 0, don't allow the filesystem group to read and 
@@ -483,6 +484,11 @@ GENERAL OPTIONS in accordance to RFC 1929. Both username and password must be between 1 and 255 characters. +[[SocksSocketsGroupWritable]] **SocksSocketsGroupWritable** **0**|**1**:: + If this option is set to 0, don't allow the filesystem group to read and + write unix sockets (e.g. SocksSocket). If the option is set to 1, make + the SocksSocket socket readable and writable by the default GID. (Default: 0) + [[KeepalivePeriod]] **KeepalivePeriod** __NUM__:: To keep firewalls from expiring connections, send a padding keepalive cell every NUM seconds on open connections that are in use. If the connection @@ -550,7 +556,7 @@ GENERAL OPTIONS \'info'. (Default: 0) [[PredictedPortsRelevanceTime]] **PredictedPortsRelevanceTime** __NUM__:: - Set how long, after the client has mad an anonymized connection to a + Set how long, after the client has made an anonymized connection to a given port, we will try to make sure that we build circuits to exits that support that port. The maximum value for this option is 1 hour. (Default: 1 hour) @@ -711,10 +717,11 @@ The following options are useful only for clients (that is, if unless ORPort, ExtORPort, or DirPort are configured.) (Default: 0) [[ExcludeNodes]] **ExcludeNodes** __node__,__node__,__...__:: - A list of identity fingerprints, nicknames, country codes and address - patterns of nodes to avoid when building a circuit. + A list of identity fingerprints, country codes, and address + patterns of nodes to avoid when building a circuit. Country codes must + be wrapped in braces; fingerprints may be preceded by a dollar sign. (Example: - ExcludeNodes SlowServer, ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, \{cc}, 255.254.0.0/8) + + ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, \{cc}, 255.254.0.0/8) + + By default, this option is treated as a preference that Tor is allowed to override in order to keep working. 
@@ -734,11 +741,13 @@ The following options are useful only for clients (that is, if [[ExcludeExitNodes]] **ExcludeExitNodes** __node__,__node__,__...__:: - A list of identity fingerprints, nicknames, country codes and address + A list of identity fingerprints, country codes, and address patterns of nodes to never use when picking an exit node---that is, a node that delivers traffic for you outside the Tor network. Note that any node listed in ExcludeNodes is automatically considered to be part of this - list too. See also the caveats on the "ExitNodes" option below. + list too. See + the **ExcludeNodes** option for more information on how to specify + nodes. See also the caveats on the "ExitNodes" option below. [[GeoIPExcludeUnknown]] **GeoIPExcludeUnknown** **0**|**1**|**auto**:: If this option is set to 'auto', then whenever any country code is set in @@ -749,9 +758,10 @@ The following options are useful only for clients (that is, if configured or can't be found. (Default: auto) [[ExitNodes]] **ExitNodes** __node__,__node__,__...__:: - A list of identity fingerprints, nicknames, country codes and address + A list of identity fingerprints, country codes, and address patterns of nodes to use as exit node---that is, a - node that delivers traffic for you outside the Tor network. + + node that delivers traffic for you outside the Tor network. See + the **ExcludeNodes** option for more information on how to specify nodes. + + Note that if you list too few nodes here, or if you exclude too many exit nodes with ExcludeExitNodes, you can degrade functionality. For example, 
@@ -772,7 +782,7 @@ The following options are useful only for clients (that is, if this option. [[EntryNodes]] **EntryNodes** __node__,__node__,__...__:: - A list of identity fingerprints, nicknames, and country codes of nodes + A list of identity fingerprints and country codes of nodes to use for the first hop in your normal circuits. Normal circuits include all circuits except for direct connections to directory servers. The Bridge @@ -780,7 +790,8 @@ The following options are useful only for clients (that is, if UseBridges is 1, the Bridges are used as your entry nodes. + + The ExcludeNodes option overrides this option: any node listed in both - EntryNodes and ExcludeNodes is treated as excluded. + EntryNodes and ExcludeNodes is treated as excluded. See + the **ExcludeNodes** option for more information on how to specify nodes. [[StrictNodes]] **StrictNodes** **0**|**1**:: If StrictNodes is set to 1, Tor will treat the ExcludeNodes option as a 
@@ -929,19 +940,21 @@ The following options are useful only for clients (that is, if but it has not yet been completely constructed. (Default: 32) [[NodeFamily]] **NodeFamily** __node__,__node__,__...__:: - The Tor servers, defined by their identity fingerprints or nicknames, + The Tor servers, defined by their identity fingerprints, constitute a "family" of similar or co-administered servers, so never use any two of them in the same circuit. Defining a NodeFamily is only needed when a server doesn't list the family itself (with MyFamily). This option - can be used multiple times. In addition to nodes, you can also list - IP address and ranges and country codes in {curly braces}. + can be used multiple times; each instance defines a separate family. In + addition to nodes, you can also list IP address and ranges and country + codes in {curly braces}. See the **ExcludeNodes** option for more + information on how to specify nodes. [[EnforceDistinctSubnets]] **EnforceDistinctSubnets** **0**|**1**:: If 1, Tor will not put two servers whose IP addresses are "too close" on the same circuit. Currently, two addresses are "too close" if they lie in the same /16 range. (Default: 1) -[[SOCKSPort]] **SOCKSPort** \['address':]__port__|**auto** [_flags_] [_isolation flags_]:: +[[SOCKSPort]] **SOCKSPort** \['address':]__port__|**unix:**__path__|**auto** [_flags_] [_isolation flags_]:: Open this port to listen for connections from SOCKS-speaking applications. Set this to 0 if you don't want to allow application connections via SOCKS. Set it to "auto" to have Tor pick a port for 
@@ -964,10 +977,10 @@ The following options are useful only for clients (that is, if (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections, and DNSPort requests are all considered to be different protocols.) **IsolateDestPort**;; - Don't share circuits with streams targetting a different + Don't share circuits with streams targeting a different destination port. **IsolateDestAddr**;; - Don't share circuits with streams targetting a different + Don't share circuits with streams targeting a different destination address. **SessionGroup=**__INT__;; If no other isolation rules would prevent it, allow streams @@ -1018,7 +1031,7 @@ The following options are useful only for clients (that is, if requests via this connection. **PreferIPv6Automap**;; When serving a hostname lookup request on this port that - should get automapped (according to AutomapHostsOnResove), + should get automapped (according to AutomapHostsOnResolve), if we could return either an IPv4 or an IPv6 answer, prefer an IPv6 answer. (On by default.) **PreferSOCKSNoAuth**;; @@ -1435,16 +1448,6 @@ The following options are useful only for clients (that is, if Tor will use a default value chosen by the directory authorities. (Default: -1.) -[[Support022HiddenServices]] **Support022HiddenServices** **0**|**1**|**auto**:: - Tor hidden services running versions before 0.2.3.x required clients to - send timestamps, which can potentially be used to distinguish clients - whose view of the current time is skewed. If this option is set to 0, we - do not send this timestamp, and hidden services on obsolete Tor versions - will not work. If this option is set to 1, we send the timestamp. If - this optoin is "auto", we take a recommendation from the latest consensus - document. (Default: auto) - - SERVER OPTIONS -------------- 
@@ -1488,6 +1491,19 @@ is non-zero): that it's an email address and/or generate a new address for this purpose. +[[ExitRelay]] **ExitRelay** **0**|**1**|**auto**:: + Tells Tor whether to run as an exit relay. If Tor is running as a + non-bridge server, and ExitRelay is set to 1, then Tor allows traffic to + exit according to the ExitPolicy option (or the default ExitPolicy if + none is specified). + + + If ExitRelay is set to 0, no traffic is allowed to + exit, and the ExitPolicy option is ignored. + + + + If ExitRelay is set to "auto", then Tor behaves as if it were set to 1, but + warns the user if this would cause traffic to exit. In a future version, + the default value will be 0. (Default: auto) + [[ExitPolicy]] **ExitPolicy** __policy__,__policy__,__...__:: Set an exit policy for this server. Each policy is of the form "**accept**|**reject** __ADDR__[/__MASK__][:__PORT__]". If /__MASK__ is @@ -1554,7 +1570,7 @@ is non-zero): [[MyFamily]] **MyFamily** __node__,__node__,__...__:: Declare that this Tor server is controlled or administered by a group or organization identical or similar to that of the other servers, defined by - their identity fingerprints or nicknames. When two servers both declare + their identity fingerprints. When two servers both declare that they are in the same \'family', Tor clients will not use them in the same circuit. (Each server only needs to list the other servers in its family; it doesn't need to list itself, but it won't hurt.) Do not list 
@@ -1651,19 +1667,31 @@ is non-zero): to 0 will disable the heartbeat. (Default: 6 hours) [[AccountingMax]] **AccountingMax** __N__ **bytes**|**KBytes**|**MBytes**|**GBytes**|**KBits**|**MBits**|**GBits**|**TBytes**:: - Never send more than the specified number of bytes in a given accounting - period, or receive more than that number in the period. For example, with - AccountingMax set to 1 GByte, a server could send 900 MBytes and - receive 800 MBytes and continue running. It will only hibernate once - one of the two reaches 1 GByte. When the number of bytes gets low, - Tor will stop accepting new connections and circuits. When the - number of bytes is exhausted, Tor will hibernate until some - time in the next accounting period. To prevent all servers from waking at - the same time, Tor will also wait until a random point in each period - before waking up. If you have bandwidth cost issues, enabling hibernation - is preferable to setting a low bandwidth, since it provides users with a - collection of fast servers that are up some of the time, which is more - useful than a set of slow servers that are always "available". + Limits the max number of bytes sent and received within a set time period + using a given calculation rule (see: AccountingStart, AccountingRule). + Useful if you need to stay under a specific bandwidth. By default, the + number used for calculation is the max of either the bytes sent or + received. For example, with AccountingMax set to 1 GByte, a server + could send 900 MBytes and receive 800 MBytes and continue running. + It will only hibernate once one of the two reaches 1 GByte. This can + be changed to use the sum of the both bytes received and sent by setting + the AccountingRule option to "sum" (total bandwidth in/out). When the + number of bytes remaining gets low, Tor will stop accepting new connections + and circuits. When the number of bytes is exhausted, Tor will hibernate + until some time in the next accounting period. 
To prevent all servers + from waking at the same time, Tor will also wait until a random point + in each period before waking up. If you have bandwidth cost issues, + enabling hibernation is preferable to setting a low bandwidth, since + it provides users with a collection of fast servers that are up some + of the time, which is more useful than a set of slow servers that are + always "available". + +[[AccountingRule]] **AccountingRule** **sum**|**max**:: + How we determine when our AccountingMax has been reached (when we + should hibernate) during a time interval. Set to "max" to calculate + using the higher of either the sent or received bytes (this is the + default functionality). Set to "sum" to calculate using the sent + plus received bytes. (Default: max) [[AccountingStart]] **AccountingStart** **day**|**week**|**month** [__day__] __HH:MM__:: Specify how long accounting periods last. If **month** is given, each @@ -1771,6 +1799,13 @@ is non-zero): When this option is enabled, Tor writes statistics on the bidirectional use of connections to disk every 24 hours. (Default: 0) +[[HiddenServiceStatistics]] **HiddenServiceStatistics** **0**|**1**:: + When this option is enabled, a Tor relay writes obfuscated + statistics on its role as hidden-service directory, introduction + point, or rendezvous point to disk every 24 hours. If + ExtraInfoStatistics is also enabled, these statistics are further + published to the directory authorities. (Default: 0) + [[ExtraInfoStatistics]] **ExtraInfoStatistics** **0**|**1**:: When this option is enabled, Tor includes previously gathered statistics in its extra-info documents that it uploads to the directory authorities. 
@@ -1868,6 +1903,12 @@ on the public Tor network. multiple times: the values from multiple lines are spliced together. When this is set then **VersioningAuthoritativeDirectory** should be set too. +[[RecommendedPackageVersions]] **RecommendedPackageVersions** __PACKAGENAME__ __VERSION__ __URL__ __DIGESTTYPE__**=**__DIGEST__ :: + Adds "package" line to the directory authority's vote. This information + is used to vote on the correct URL and digest for the released versions + of different Tor-related packages, so that the consensus can certify + them. This line may appear any number of times. + [[RecommendedClientVersions]] **RecommendedClientVersions** __STRING__:: STRING is a comma-separated list of Tor versions currently believed to be safe for clients to use. This information is included in version 2 
@@ -2032,13 +2073,19 @@ The following options are used to configure a hidden service. Store data files for a hidden service in DIRECTORY. Every hidden service must have a separate directory. You may use this option multiple times to specify multiple services. DIRECTORY must be an existing directory. + (Note: in current versions of Tor, if DIRECTORY is a relative path, + it will be relative to current + working directory of Tor instance, not to its DataDirectory. Do not + rely on this behavior; it is not guaranteed to remain the same in future + versions.) [[HiddenServicePort]] **HiddenServicePort** __VIRTPORT__ [__TARGET__]:: Configure a virtual port VIRTPORT for a hidden service. You may use this option multiple times; each time applies to the service using the most - recent hiddenservicedir. By default, this option maps the virtual port to + recent HiddenServiceDir. By default, this option maps the virtual port to the same port on 127.0.0.1 over TCP. You may override the target port, address, or both by specifying a target of addr, port, or addr:port. + (You can specify an IPv6 target as [addr]:port.) You may also have multiple lines with the same VIRTPORT: when a user connects to that VIRTPORT, one of the TARGETs from those lines will be chosen at random. 
@@ -2065,11 +2112,23 @@ The following options are used to configure a hidden service. found in the hostname file. Clients need to put this authorization data in their configuration file using **HidServAuth**. +[[HiddenServiceAllowUnknownPorts]] **HiddenServiceAllowUnknownPorts** **0**|**1**:: + If set to 1, then connections to unrecognized ports do not cause the + current hidden service to close rendezvous circuits. (Setting this to 0 is + not an authorization mechanism; it is instead meant to be a mild + inconvenience to port-scanners.) (Default: 0) + [[RendPostPeriod]] **RendPostPeriod** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: Every time the specified period elapses, Tor uploads any rendezvous service descriptors to the directory servers. This information is also uploaded whenever it changes. (Default: 1 hour) +[[HiddenServiceDirGroupReadable]] **HiddenServiceDirGroupReadable** **0**|**1**:: + If this option is set to 1, allow the filesystem group to read the + hidden service directory and hostname file. If the option is set to 0, + only owner is able to read the hidden service directory. (Default: 0) + Has no effect on Windows. + TESTING NETWORK OPTIONS ----------------------- 
@@ -2201,8 +2260,18 @@ The following options are used for running a testing Tor network. Try this often to download a v3 authority certificate before giving up. Changing this requires that **TestingTorNetwork** is set. (Default: 8) +[[TestingDirAuthVoteExit]] **TestingDirAuthVoteExit** __node__,__node__,__...__:: + A list of identity fingerprints, country codes, and + address patterns of nodes to vote Exit for regardless of their + uptime, bandwidth, or exit policy. See the **ExcludeNodes** + option for more information on how to specify nodes. + + + In order for this option to have any effect, **TestingTorNetwork** + has to be set. See the **ExcludeNodes** option for more + information on how to specify nodes. + [[TestingDirAuthVoteGuard]] **TestingDirAuthVoteGuard** __node__,__node__,__...__:: - A list of identity fingerprints, nicknames, country codes and + A list of identity fingerprints and country codes and address patterns of nodes to vote Guard for regardless of their uptime and bandwidth. See the **ExcludeNodes** option for more information on how to specify nodes. @@ -2210,6 +2279,15 @@ The following options are used for running a testing Tor network. In order for this option to have any effect, **TestingTorNetwork** has to be set. +[[TestingDirAuthVoteHSDir]] **TestingDirAuthVoteHSDir** __node__,__node__,__...__:: + A list of identity fingerprints and country codes and + address patterns of nodes to vote HSDir for regardless of their + uptime and ORPort connectivity. See the **ExcludeNodes** option for more + information on how to specify nodes. + + + In order for this option to have any effect, **TestingTorNetwork** + and **VoteOnHidServDirectoriesV2** both have to be set. + [[TestingEnableConnBwEvent]] **TestingEnableConnBwEvent** **0**|**1**:: If this option is set, then Tor controllers may register for CONN_BW events. Changing this requires that **TestingTorNetwork** is set. 
@@ -2390,6 +2468,11 @@ __DataDirectory__**/stats/conn-stats**:: Only used by servers. This file is used to collect approximate connection history (number of active connections over time). +__DataDirectory__**/networkstatus-bridges**:: + Only used by authoritative bridge directories. Contains information + about bridges that have self-reported themselves to the bridge + authority. + __HiddenServiceDirectory__**/hostname**:: The <base32-encoded-fingerprint>.onion domain name for this hidden service. If the hidden service is restricted to authorized clients only, this file |
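Review bot: In the `-f` hunk, "options OR pass *-* to make Tor read its configuration from standard input" uses single-asterisk `*-*` where this page writes every literal option value as `**...**`, and the all-caps "OR" is not the page's style; suggest "options, or pass **-** to make Tor read its configuration from standard input."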
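Review bot: The ControlPort hunk adds `**unix:**__path__` to the synopsis, but the description still says only "Tor will accept connections on this port"; add a sentence stating that the unix: form listens on a Unix domain socket like ControlSocket and whether ControlSocketsGroupWritable governs its permissions, since a reader choosing between `ControlPort unix:` and `ControlSocket` needs to know which rules apply.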
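Review bot: In the ControlSocket hunk, "'0' disables ControlSocket (Unix and Unix-like systems only.)" is missing the period before the parenthetical and quotes the value with single quotes where the page writes literal values as **0**; suggest "socket. Set it to **0** to disable ControlSocket. (Unix and Unix-like systems only.)"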
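Review bot: The new SocksSocketsGroupWritable entry gives "SocksSocket" as its example, but no option by that name is documented anywhere in this diff; the SOCKS Unix-socket form this patch introduces is `SOCKSPort unix:`__path__, so either name that here or add the SocksSocket entry. It is also worth one sentence making the trade-off explicit, as the ControlSocketsGroupWritable entry above does for control sockets: setting this to 1 lets every member of the default GID connect to the SOCKS socket.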
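Review bot: The ExcludeNodes hunk drops nicknames from the accepted node specifiers (the ExcludeExitNodes, ExitNodes, EntryNodes, NodeFamily, MyFamily and TestingDirAuthVoteGuard hunks do the same) without saying what Tor now does with a nickname in an existing torrc: rejected at startup, ignored with a warning, or still matched. One sentence in the ExcludeNodes entry, which all the other entries now point to for "how to specify nodes", would cover every case.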
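Review bot: In the NodeFamily hunk, the rewritten line keeps the old "IP address and ranges and country codes in {curly braces}", which reads as if the braces apply to addresses too; since the line is being rewritten anyway, suggest "IP addresses, address ranges, and country codes in {curly braces}" to match the ExcludeNodes wording ("Country codes must be wrapped in braces").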
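Review bot: The SOCKSPort hunk adds `**unix:**__path__` to the synopsis, but the description's "Open this port to listen for connections" and "Set this to 0" sentences never mention the Unix-socket form; add a sentence saying it listens on a Unix domain socket and cross-reference SocksSocketsGroupWritable (added in this same patch) for the permission rules.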
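Review bot: The Support022HiddenServices hunk removes the entry outright without saying what happens to a torrc that still sets it; if the option is now parsed as an obsolete no-op, say so in an obsolete-options note so operators are not surprised, and if it is now rejected at startup, that is a breaking change for existing configs and should be called out.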
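Review bot: The ExitRelay entry defines the 1 and auto cases only for "a non-bridge server"; say what ExitRelay does on a bridge so the 0/1/auto semantics are complete. Since the default is auto, which "behaves as if it were set to 1, but warns the user if this would cause traffic to exit", it would also help to state plainly that an operator who intends to exit should set ExitRelay 1 to acknowledge that and silence the warning.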
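Review bot: In the AccountingMax rewrite, "Useful if you need to stay under a specific bandwidth" conflates data volume with transfer rate; the option caps bytes per accounting period, and the retained sentence "enabling hibernation is preferable to setting a low bandwidth" relies on exactly that distinction, so suggest "stay under a traffic volume limit". Also "the sum of the both bytes received and sent" should read "the sum of both the bytes received and the bytes sent", and "Limits the max number of bytes" is redundant ("Limits the number of bytes").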
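Review bot: In the RecommendedPackageVersions entry, 'Adds "package" line' needs an article ('Adds a "package" line'), and the synopsis introduces __DIGESTTYPE__**=**__DIGEST__ without saying which digest types are accepted; list them, since an authority operator cannot write a valid line from this text alone.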
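Review bot: In the HiddenServiceDir hunk, "it will be relative to current working directory of Tor instance" is missing articles: "relative to the current working directory of the Tor instance".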
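Review bot: In the HiddenServiceDirGroupReadable entry, "Has no effect on Windows." comes after the "(Default: 0)" clause, while every other entry on this page ends with its Default clause; move it before. "only owner is able" should be "only the owner is able". More importantly, the text says the group may read "the hidden service directory and hostname file"; state whether the other files in that directory also become group-readable or only those two, since that is what decides whether an operator can safely enable this.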
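Review bot: The new TestingDirAuthVoteExit entry repeats "See the **ExcludeNodes** option for more information on how to specify nodes." in both of its paragraphs; keep one. In the TestingDirAuthVoteGuard change in the same hunk, "identity fingerprints and country codes and address patterns" should follow the ExcludeNodes wording: "identity fingerprints, country codes, and address patterns".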
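Review bot: The TestingDirAuthVoteHSDir entry has the same "fingerprints and country codes and address patterns" double "and" as the Guard entry; use "fingerprints, country codes, and address patterns". It also requires **VoteOnHidServDirectoriesV2** to be set, which is not documented in this diff; confirm that option has an entry elsewhere in the man page so the cross-reference resolves.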
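Review bot: In the networkstatus-bridges entry, "bridges that have self-reported themselves to the bridge authority" is redundant; suggest "bridges that have reported themselves to the bridge authority".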