Diffstat (limited to 'doc/tor.1.txt')
-rw-r--r--  doc/tor.1.txt  114
1 files changed, 89 insertions, 25 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index f0b7fa8e46..d49dd96336 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -128,6 +128,16 @@ COMMAND-LINE OPTIONS
the passphrase, including any trailing newlines.
Default: read from the terminal.
+[[opt-key-expiration]] **--key-expiration** [**purpose**]::
+ The **purpose** specifies which type of key certificate to determine
+ the expiration of. The only currently recognised **purpose** is
+ "sign". +
+ +
+ Running "tor --key-expiration sign" will attempt to find your signing
+ key certificate and will output, both in the logs as well as to stdout,
+ the signing key certificate's expiration time in ISO-8601 format.
+ For example, the output sent to stdout will be of the form:
+ "signing-cert-expiry: 2017-07-25 08:30:15 UTC"
Other options can be specified on the command-line in the format "--option
value", in the format "option value", or in a configuration file. For
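Review bot: the example output "signing-cert-expiry: 2017-07-25 08:30:15 UTC" does not match the "ISO-8601 format" claimed two lines earlier; ISO 8601 uses a "T" separator and a "Z" or numeric offset (2017-07-25T08:30:15Z), whereas this is a space-separated timestamp with a "UTC" suffix. Either change the description to "in the form YYYY-MM-DD HH:MM:SS UTC" or make the example match whatever the code actually prints, since controllers and scripts parsing stdout will key on the exact shape. It would also help to state the exit status when no signing certificate is found.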
@@ -436,9 +446,11 @@ GENERAL OPTIONS
authority is listening for IPv6 connections on the indicated IPv6 address
and OR Port. +
+
- Tor will contact the authority at __address__:__port__ (the DirPort) to
- download directory documents. If an IPv6 address is supplied, Tor will
- also download directory documents at the IPv6 address on the DirPort. +
+ Tor will contact the authority at __address__ to
+ download directory documents. The provided __port__ value is a dirport;
+ clients ignore this in favor of the specified "orport=" value. If an
+ IPv6 ORPort is supplied, Tor will
+ also download directory documents at the IPv6 ORPort. +
+
If no **DirAuthority** line is given, Tor will use the default directory
authorities. NOTE: this option is intended for setting up a private Tor
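Review bot: the rewritten paragraph still reads as if directory documents are fetched from __address__ alone, then says the __port__ is a dirport that clients ignore in favor of "orport="; say directly that clients fetch via the ORPort, e.g. "Tor will contact the authority at __address__ on its ORPort (the "orport=" value) to download directory documents." Also keep the spelling consistent with the rest of the page: "dirport" here versus "DirPort" in the removed text and "ORPort" two lines later.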
@@ -546,8 +558,10 @@ GENERAL OPTIONS
[[Sandbox]] **Sandbox** **0**|**1**::
If set to 1, Tor will run securely through the use of a syscall sandbox.
Otherwise the sandbox will be disabled. The option is currently an
- experimental feature. Can not be changed while tor is running.
-
+ experimental feature. It only works on Linux-based operating systems,
+ and only when Tor has been built with the libseccomp library. This option
+ can not be changed while tor is running.
+ +
When the Sandbox is 1, the following options can not be changed when tor
is running:
Address
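Review bot: "can not be changed" in the new text (and in the following unchanged line) should be "cannot be changed"; the rest of this page uses "cannot". The added "+" continuation line is the right fix for keeping the "When the Sandbox is 1" paragraph inside the Sandbox definition, but the Linux/libseccomp note should also say what happens when Sandbox is 1 on an unsupported build (refuse to start or silently ignore), since operators relying on the sandbox need to know which.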
@@ -761,11 +775,19 @@ GENERAL OPTIONS
circuits. If the option is set to "default", we obey a
parameter in the consensus document. (Default: auto)
+[[NoExec]] **NoExec** **0**|**1**::
+ If this option is set to 1, then Tor will never launch another
+ executable, regardless of the settings of PortForwardingHelper,
+ ClientTransportPlugin, or ServerTransportPlugin. Once this
+ option has been set to 1, it cannot be set back to 0 without
+ restarting Tor. (Default: 0)
+
CLIENT OPTIONS
--------------
The following options are useful only for clients (that is, if
-**SocksPort**, **TransPort**, **DNSPort**, or **NATDPort** is non-zero):
+**SocksPort**, **HTTPTunnelPort**, **TransPort**, **DNSPort**, or
+**NATDPort** is non-zero):
[[Bridge]] **Bridge** [__transport__] __IP__:__ORPort__ [__fingerprint__]::
When set along with UseBridges, instructs Tor to use the relay at
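Review bot: the NoExec entry says Tor "will never launch another executable" but not what happens to a configuration that also sets ClientTransportPlugin or ServerTransportPlugin to an exec'd binary: does Tor refuse the config, log a warning and skip the transport, or start with bridges unreachable? That failure mode is the part an operator setting this hardening option needs documented. The one-way latch ("cannot be set back to 0 without restarting Tor") is a good property to state; consider also noting that it therefore cannot be flipped via the control port.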
@@ -1089,7 +1111,9 @@ The following options are useful only for clients (that is, if
Unsupported and force-disabled when using Unix domain sockets.)
**IsolateSOCKSAuth**;;
Don't share circuits with streams for which different
- SOCKS authentication was provided. (On by default;
+ SOCKS authentication was provided. (For HTTPTunnelPort
+ connections, this option looks at the Proxy-Authorization and
+ X-Tor-Stream-Isolation headers. On by default;
you can disable it with **NoIsolateSOCKSAuth**.)
**IsolateClientProtocol**;;
Don't share circuits with streams using a different protocol.
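Review bot: "X-Tor-Stream-Isolation" is introduced here as a header that affects circuit isolation, but nothing else in this patch (including the new HTTPTunnelPort entry) defines it or its expected value; add a cross-reference or a sentence in the HTTPTunnelPort entry describing the header, since an undocumented isolation header is easy to misuse. Also clarify whether the Proxy-Authorization value is used only as an isolation key (as SOCKS auth is) and never checked as a real credential.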
@@ -1310,6 +1334,14 @@ The following options are useful only for clients (that is, if
the node "foo". Disabled by default since attacking websites and exit
relays can use it to manipulate your path selection. (Default: 0)
+[[HTTPTunnelPort]] **HTTPTunnelPort** \['address':]__port__|**auto** [_isolation flags_]::
+ Open this port to listen for proxy connections using the "HTTP CONNECT"
+ protocol instead of SOCKS. Set this to 0
+ 0 if you don't want to allow "HTTP CONNECT" connections. Set the port
+ to "auto" to have Tor pick a port for you. This directive can be
+ specified multiple times to bind to multiple addresses/ports. See
+ SOCKSPort for an explanation of isolation flags. (Default: 0)
+
[[TransPort]] **TransPort** \['address':]__port__|**auto** [_isolation flags_]::
Open this port to listen for transparent proxy connections. Set this to
0 if you don't want to allow transparent proxy connections. Set the port
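Review bot: the added HTTPTunnelPort text has a duplicated "0": "Set this to 0" at the end of one line followed by "0 if you don't want" on the next; drop one of them. "See SOCKSPort" should also be "See SocksPort" to match the option name as spelled in the TransPort entry below and elsewhere on this page.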
@@ -1376,12 +1408,6 @@ The following options are useful only for clients (that is, if
addresses/ports. See SocksPort for an explanation of isolation
flags. (Default: 0)
-[[ClientDNSRejectInternalAddresses]] **ClientDNSRejectInternalAddresses** **0**|**1**::
- If true, Tor does not believe any anonymously retrieved DNS answer that
- tells it that an address resolves to an internal address (like 127.0.0.1 or
- 192.168.0.1). This option prevents certain browser-based attacks; don't
- turn it off unless you know what you're doing. (Default: 1)
-
[[ClientRejectInternalAddresses]] **ClientRejectInternalAddresses** **0**|**1**::
If true, Tor does not try to fulfill requests to connect to an internal
address (like 127.0.0.1 or 192.168.0.1) __unless a exit node is
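Review bot: this hunk silently drops ClientDNSRejectInternalAddresses from CLIENT OPTIONS; since the option "prevents certain browser-based attacks" and the later hunk re-adds it under the Testing name, a one-line note here (or in a deprecation section) saying it was renamed to TestingClientDNSRejectInternalAddresses would stop operators who grep for the old name from concluding the protection is gone. The unchanged context line "unless a exit node is" should read "an exit node" if this entry is touched again.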
@@ -1550,8 +1576,8 @@ The following options are useful only for clients (that is, if
live consensus). Only used by clients fetching from a list of fallback
directory mirrors. This schedule is advanced by (potentially concurrent)
connection attempts, unlike other schedules, which are advanced by
- connection failures. (Default: 10, 11, 3600, 10800, 25200, 54000,
- 111600, 262800)
+ connection failures. (Default: 6, 11, 3600, 10800, 25200, 54000, 111600,
+ 262800)
[[ClientBootstrapConsensusFallbackDownloadSchedule]] **ClientBootstrapConsensusFallbackDownloadSchedule** __N__,__N__,__...__::
Schedule for when clients should download consensuses from fallback
@@ -1581,7 +1607,7 @@ The following options are useful only for clients (that is, if
[[ClientBootstrapConsensusMaxInProgressTries]] **ClientBootstrapConsensusMaxInProgressTries** __NUM__::
Try this many simultaneous connections to download a consensus before
- waiting for one to complete, timeout, or error out. (Default: 4)
+ waiting for one to complete, timeout, or error out. (Default: 3)
SERVER OPTIONS
--------------
@@ -1803,11 +1829,13 @@ is non-zero):
+
If this option is set to 0, Tor will not publish its
descriptors to any directories. (This is useful if you're testing
- out your server, or if you're using a Tor controller that handles directory
- publishing for you.) Otherwise, Tor will publish its descriptors of all
- type(s) specified. The default is "1",
- which means "if running as a server, publish the
- appropriate descriptors to the authorities".
+ out your server, or if you're using a Tor controller that handles
+ directory publishing for you.) Otherwise, Tor will publish its
+ descriptors of all type(s) specified. The default is "1", which
+ means "if running as a relay or bridge, publish descriptors to the
+ appropriate authorities". Other possibilities are "v3", meaning
+ "publish as if you're a relay", and "bridge", meaning "publish as
+ if you're a bridge".
[[ShutdownWaitLength]] **ShutdownWaitLength** __NUM__::
When we get a SIGINT and we're a server, we begin shutting down:
@@ -2073,6 +2101,16 @@ details.)
because clients connect via the ORPort by default. Setting either DirPort
or BridgeRelay and setting DirCache to 0 is not supported. (Default: 1)
+[[MaxConsensusAgeForDiffs]] **MaxConsensusAgeForDiffs** __N__ **minutes**|**hours**|**days**|**weeks**::
+ When this option is nonzero, Tor caches will not try to generate
+ consensus diffs for any consensus older than this amount of time.
+ If this option is set to zero, Tor will pick a reasonable default from
+ the current networkstatus document. You should not set this
+ option unless your cache is severely low on disk space or CPU.
+ If you need to set it, keeping it above 3 or 4 hours will help clients
+ much more than setting it to zero.
+ (Default: 0)
+
DIRECTORY AUTHORITY SERVER OPTIONS
----------------------------------
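Review bot: the last advice sentence contradicts the paragraph before it: zero means "pick a reasonable default from the current networkstatus document", yet it says keeping the value above 3 or 4 hours "will help clients much more than setting it to zero". Presumably this should be "than setting it lower"; as written it tells operators the default is worse than a manual setting.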
@@ -2424,7 +2462,7 @@ The following options are used for running a testing Tor network.
4 (for 40 seconds), 8, 16, 32, 60
ClientBootstrapConsensusMaxDownloadTries 80
ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries 80
- ClientDNSRejectInternalAddresses 0
+ TestingClientDNSRejectInternalAddresses 0
ClientRejectInternalAddresses 0
CountPrivateBandwidth 1
ExitPolicyRejectPrivate 0
@@ -2442,7 +2480,8 @@ The following options are used for running a testing Tor network.
TestingClientDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
TestingServerConsensusDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
TestingClientConsensusDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
- TestingBridgeDownloadSchedule 60, 30, 30, 60
+ TestingBridgeDownloadSchedule 10, 30, 60
+ TestingBridgeBootstrapDownloadSchedule 0, 0, 5, 10, 15, 20, 30, 60
TestingClientMaxIntervalWithoutRequest 5 seconds
TestingDirConnectionMaxStall 30 seconds
TestingConsensusMaxDownloadTries 80
@@ -2507,8 +2546,16 @@ The following options are used for running a testing Tor network.
1800, 3600, 3600, 3600, 10800, 21600, 43200)
[[TestingBridgeDownloadSchedule]] **TestingBridgeDownloadSchedule** __N__,__N__,__...__::
- Schedule for when clients should download bridge descriptors. Changing this
- requires that **TestingTorNetwork** is set. (Default: 3600, 900, 900, 3600)
+ Schedule for when clients should download each bridge descriptor when they
+ know that one or more of their configured bridges are running. Changing
+ this requires that **TestingTorNetwork** is set. (Default: 10800, 25200,
+ 54000, 111600, 262800)
+
+[[TestingBridgeBootstrapDownloadSchedule]] **TestingBridgeBootstrapDownloadSchedule** __N__,__N__,__...__::
+ Schedule for when clients should download each bridge descriptor when they
+ have just started, or when they can not contact any of their bridges.
+ Changing this requires that **TestingTorNetwork** is set. (Default: 0, 30,
+ 90, 600, 3600, 10800, 25200, 54000, 111600, 262800)
[[TestingClientMaxIntervalWithoutRequest]] **TestingClientMaxIntervalWithoutRequest** __N__ **seconds**|**minutes**::
When directory clients have only a few descriptors to request, they batch
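Review bot: "when they can not contact any of their bridges" should be "cannot"; the units of the schedule values (seconds) are also not stated in either new entry, and since the two schedules are selected by a running/not-running condition, each entry should cross-reference the other so a reader finds the pair.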
@@ -2626,6 +2673,13 @@ The following options are used for running a testing Tor network.
we replace it and issue a new key?
(Default: 3 hours for link and auth; 1 day for signing.)
+[[ClientDNSRejectInternalAddresses]] [[TestingClientDNSRejectInternalAddresses]] **TestingClientDNSRejectInternalAddresses** **0**|**1**::
+ If true, Tor does not believe any anonymously retrieved DNS answer that
+ tells it that an address resolves to an internal address (like 127.0.0.1 or
+ 192.168.0.1). This option prevents certain browser-based attacks; don't
+ turn it off unless you know what you're doing. (Default: 1)
+
+
NON-PERSISTENT OPTIONS
----------------------
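Review bot: unlike every other Testing* entry in this section, the new TestingClientDNSRejectInternalAddresses text does not say "Changing this requires that **TestingTorNetwork** is set"; if that is now the case, add it, since the whole point of the rename is that production clients can no longer disable the internal-address check. Keeping the old [[ClientDNSRejectInternalAddresses]] anchor is good for existing links. The hunk also adds two trailing blank "+" lines where one is enough.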
@@ -2835,6 +2889,16 @@ __DataDirectory__**/hashed-fingerprint**::
Only used by bridges. Holds the hashed fingerprint of the bridge's
identity key. (That is, the hash of the hash of the identity key.)
+__DataDirectory__**/approved-routers**::
+ Only used by authoritative directory servers. This file lists
+ the status of routers by their identity fingerprint.
+ Each line lists a status and a fingerprint separated by
+ whitespace. See your **fingerprint** file in the __DataDirectory__ for an
+ example line. If the status is **!reject** then descriptors from the
+ given identity (fingerprint) are rejected by this server. If it is
+ **!invalid** then descriptors are accepted but marked in the directory as
+ not valid, that is, not recommended.
+
__DataDirectory__**/v3-status-votes**::
Only for v3 authoritative directory servers. This file contains
status votes from all the authoritative directory servers.
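Review bot: "See your **fingerprint** file in the __DataDirectory__ for an example line" is doubtful as written, because the format being described is "a status and a fingerprint separated by whitespace" and nothing here says the fingerprint file contains a status field; either give an inline example line (e.g. "!reject <40-hex-digit fingerprint>") or drop the reference. It would also help to state whether **!reject** and **!invalid** are the only recognized statuses and how lines with any other status are treated.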