summaryrefslogtreecommitdiff
path: root/doc/tor.1.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/tor.1.txt')
-rw-r--r--doc/tor.1.txt122
1 files changed, 73 insertions, 49 deletions
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index 74915b7119..1856592a9d 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -84,6 +84,10 @@ COMMAND-LINE OPTIONS
[[opt-list-torrc-options]] **--list-torrc-options**::
List all valid options.
+[[opt-list-deprecated-options]] **--list-deprecated-options**::
+ List all valid options that are scheduled to become obsolete in a
+ future version. (This is a warning, not a promise.)
+
[[opt-version]] **--version**::
Display Tor version and exit.
@@ -118,6 +122,13 @@ COMMAND-LINE OPTIONS
directory of your Tor daemon, and make sure that they are owned by the
user actually running the Tor daemon on your system.
+**--passphrase-fd** __FILEDES__::
+ Filedescriptor to read the passphrase from. Note that unlike with the
+ tor-gencert program, the entire file contents are read and used as
+ the passphrase, including any trailing newlines.
+ Default: read from the terminal.
+
+
Other options can be specified on the command-line in the format "--option
value", in the format "option value", or in a configuration file. For
instance, you can tell Tor to start listening for SOCKS connections on port
@@ -310,7 +321,7 @@ GENERAL OPTIONS
specify one or more of **HashedControlPassword** or
**CookieAuthentication**, setting this option will cause Tor to allow
any process on the local host to control it. (Setting both authentication
- methods means eithermethod is sufficient to authenticate to Tor.) This
+ methods means either method is sufficient to authenticate to Tor.) This
option is required for many Tor controllers; most use the value of 9051.
Set it to "auto" to have Tor pick a port for you. (Default: 0) +
+
@@ -595,6 +606,13 @@ GENERAL OPTIONS
message currently has at least one domain; most currently have exactly
one. This doesn't affect controller log messages. (Default: 0)
+[[MaxUnparseableDescSizeToLog]] **MaxUnparseableDescSizeToLog** __N__ **bytes**|**KBytes**|**MBytes**|**GBytes**::
+ Unparseable descriptors (e.g. for votes, consensuses, routers) are logged
+ in separate files by hash, up to the specified size in total. Note that
+ only files logged during the lifetime of this Tor process count toward the
+ total; this is intended to be used to debug problems without opening live
+ servers to resource exhaustion attacks. (Default: 10 MB)
+
[[OutboundBindAddress]] **OutboundBindAddress** __IP__::
Make all outbound connections originate from the IP address specified. This
is only useful when you have multiple network interfaces, and you want all
@@ -650,7 +668,7 @@ GENERAL OPTIONS
relay, all log messages generated when acting as a relay are sanitized, but
all messages generated when acting as a client are not. (Default: 1)
-[[User]] **User** __UID__::
+[[User]] **User** __Username__::
On startup, setuid to this user and setgid to their primary group.
[[KeepBindCapabilities]] **KeepBindCapabilities** **0**|**1**|**auto**::
@@ -691,26 +709,6 @@ GENERAL OPTIONS
networkstatus. This is an advanced option; you generally shouldn't have
to mess with it. (Default: not set)
-[[DisableIOCP]] **DisableIOCP** **0**|**1**::
- If Tor was built to use the Libevent's "bufferevents" networking code
- and you're running on Windows, setting this option to 1 will tell Libevent
- not to use the Windows IOCP networking API. (Default: 1)
-
-[[UserspaceIOCPBuffers]] **UserspaceIOCPBuffers** **0**|**1**::
- If IOCP is enabled (see DisableIOCP above), setting this option to 1
- will tell Tor to disable kernel-space TCP buffers, in order to avoid
- needless copy operations and try not to run out of non-paged RAM.
- This feature is experimental; don't use it yet unless you're eager to
- help tracking down bugs. (Default: 0)
-
-[[UseFilteringSSLBufferevents]] **UseFilteringSSLBufferevents** **0**|**1**::
- Tells Tor to do its SSL communication using a chain of
- bufferevents: one for SSL and one for networking. This option has no
- effect if bufferevents are disabled (in which case it can't turn on), or
- if IOCP bufferevents are enabled (in which case it can't turn off). This
- option is useful for debugging only; most users shouldn't touch it.
- (Default: 0)
-
[[CountPrivateBandwidth]] **CountPrivateBandwidth** **0**|**1**::
If this option is set, then Tor's rate-limiting applies not only to
remote connections, but also to connections to private addresses like
@@ -1085,7 +1083,18 @@ The following options are useful only for clients (that is, if
IPv6.)
**PreferIPv6**;;
Tells exits that, if a host has both an IPv4 and an IPv6 address,
- we would prefer to connect to it via IPv6. (IPv4 is the default.) +
+ we would prefer to connect to it via IPv6. (IPv4 is the default.)
+ **NoDNSRequest**;;
+ Do not ask exits to resolve DNS addresses in SOCKS5 requests. Tor will
+ connect to IPv4 addresses, IPv6 addresses (if IPv6Traffic is set) and
+ .onion addresses.
+ **NoOnionTraffic**;;
+ Do not connect to .onion addresses in SOCKS5 requests.
+ **OnionTrafficOnly**;;
+ Tell the tor client to only connect to .onion addresses in response to
+ SOCKS5 requests on this connection. This is equivalent to NoDNSRequest,
+ NoIPv4Traffic, NoIPv6Traffic. The corresponding NoOnionTrafficOnly
+ flag is not supported.
**CacheIPv4DNS**;;
Tells the client to remember IPv4 DNS answers we receive from exit
nodes via this connection. (On by default.)
@@ -1127,6 +1136,10 @@ The following options are useful only for clients (that is, if
authentication" when IsolateSOCKSAuth is disabled, or when this
option is set.
+ Flags are processed left to right. If flags conflict, the last flag on the
+ line is used, and all earlier flags are ignored. No error is issued for
+ conflicting flags.
+
[[SocksListenAddress]] **SocksListenAddress** __IP__[:__PORT__]::
Bind to this address to listen for connections from Socks-speaking
applications. (Default: 127.0.0.1) You can also specify a port (e.g.
@@ -1257,7 +1270,7 @@ The following options are useful only for clients (that is, if
+
When providing proxy server service to a network of computers using a tool
like dns-proxy-tor, change the IPv4 network to "10.192.0.0/10" or
- "172.16.0.0/12" and change the IPv6 network to "[FC00]/7".
+ "172.16.0.0/12" and change the IPv6 network to "[FC00::]/7".
The default **VirtualAddrNetwork** address ranges on a
properly configured machine will route to the loopback or link-local
interface. For
@@ -1426,7 +1439,7 @@ The following options are useful only for clients (that is, if
**non-anonymously**. This option also disables client connections to
non-hidden-service hostnames through Tor. It **must only** be used when
running a tor2web Hidden Service web proxy.
- To enable this option the compile time flag --enable-tor2webmode must be
+ To enable this option the compile time flag --enable-tor2web-mode must be
specified. (Default: 0)
[[Tor2webRendezvousPoints]] **Tor2webRendezvousPoints** __node__,__node__,__...__::
@@ -1454,16 +1467,6 @@ The following options are useful only for clients (that is, if
"auto" (recommended) then it is on for all clients that do not set
FetchUselessDescriptors. (Default: auto)
-[[UseNTorHandshake]] **UseNTorHandshake** **0**|**1**|**auto**::
- The "ntor" circuit-creation handshake is faster and (we think) more
- secure than the original ("TAP") circuit handshake, but starting to use
- it too early might make your client stand out. If this option is 0, your
- Tor client won't use the ntor handshake. If it's 1, your Tor client
- will use the ntor handshake to extend circuits through servers that
- support it. If this option is "auto", then your client
- will use the ntor handshake once enough directory authorities recommend
- it. (Default: 1)
-
[[PathBiasCircThreshold]] **PathBiasCircThreshold** __NUM__ +
[[PathBiasNoticeRate]] **PathBiasNoticeRate** __NUM__ +
@@ -1687,15 +1690,16 @@ is non-zero):
used with accept6/reject6.) +
+
Private addresses are rejected by default (at the beginning of your exit
- policy), along with any configured primary public IPv4 and IPv6 addresses,
- and any public IPv4 and IPv6 addresses on any interface on the relay.
+ policy), along with any configured primary public IPv4 and IPv6 addresses.
These private addresses are rejected unless you set the
ExitPolicyRejectPrivate config option to 0. For example, once you've done
that, you could allow HTTP to 127.0.0.1 and block all other connections to
internal networks with "accept 127.0.0.1:80,reject private:\*", though that
may also allow connections to your own computer that are addressed to its
public (external) IP address. See RFC 1918 and RFC 3330 for more details
- about internal and reserved IP address space. +
+ about internal and reserved IP address space. See
+ ExitPolicyRejectLocalInterfaces if you want to block every address on the
+ relay, even those that aren't advertised in the descriptor. +
+
This directive can be specified multiple times so you don't have to put it
all on one line. +
@@ -1725,16 +1729,23 @@ is non-zero):
IPv4 and IPv6 addresses.
[[ExitPolicyRejectPrivate]] **ExitPolicyRejectPrivate** **0**|**1**::
- Reject all private (local) networks, along with any configured public
- IPv4 and IPv6 addresses, at the beginning of your exit policy. (This
- includes the IPv4 and IPv6 addresses advertised by the relay, any
- OutboundBindAddress, and the bind addresses of any port options, such as
- ORPort and DirPort.) This also rejects any public IPv4 and IPv6 addresses
- on any interface on the relay. (If IPv6Exit is not set, all IPv6 addresses
- will be rejected anyway.)
+ Reject all private (local) networks, along with the relay's advertised
+ public IPv4 and IPv6 addresses, at the beginning of your exit policy.
See above entry on ExitPolicy.
(Default: 1)
+[[ExitPolicyRejectLocalInterfaces]] **ExitPolicyRejectLocalInterfaces** **0**|**1**::
+ Reject all IPv4 and IPv6 addresses that the relay knows about, at the
+ beginning of your exit policy. This includes any OutboundBindAddress, the
+ bind addresses of any port options, such as ControlPort or DNSPort, and any
+ public IPv4 and IPv6 addresses on any interface on the relay. (If IPv6Exit
+ is not set, all IPv6 addresses will be rejected anyway.)
+ See above entry on ExitPolicy.
+ This option is off by default, because it lists all public relay IP
+ addresses in the ExitPolicy, even those relay operators might prefer not
+ to disclose.
+ (Default: 0)
+
[[IPv6Exit]] **IPv6Exit** **0**|**1**::
If set, and we are an exit node, allow clients to use us for IPv6
traffic. (Default: 0)
@@ -2035,6 +2046,12 @@ is non-zero):
this. If this option is set to 0, Tor will try to pick a reasonable
default based on your system's physical memory. (Default: 0)
+[[DisableOOSCheck]] **DisableOOSCheck** **0**|**1**::
+ This option disables the code that closes connections when Tor notices
+ that it is running low on sockets. Right now, it is on by default,
+ since the existing out-of-sockets mechanism tends to kill OR connections
+ more than it should. (Default: 1)
+
[[SigningKeyLifetime]] **SigningKeyLifetime** __N__ **days**|**weeks**|**months**::
For how long should each Ed25519 signing key be valid? Tor uses a
permanent master identity key that can be kept offline, and periodically
@@ -2103,14 +2120,13 @@ on the public Tor network.
server. Instead of caching the directory, it generates its own list of
good servers, signs it, and sends that to the clients. Unless the clients
already have you listed as a trusted directory, you probably do not want
- to set this option. Please coordinate with the other admins at
- tor-ops@torproject.org if you think you should be a directory.
+ to set this option.
[[V3AuthoritativeDirectory]] **V3AuthoritativeDirectory** **0**|**1**::
When this option is set in addition to **AuthoritativeDirectory**, Tor
generates version 3 network statuses and serves descriptors, etc as
described in dir-spec.txt file of https://spec.torproject.org/[torspec]
- (for Tor clients and servers running atleast 0.2.0.x).
+ (for Tor clients and servers running at least 0.2.0.x).
[[VersioningAuthoritativeDirectory]] **VersioningAuthoritativeDirectory** **0**|**1**::
When this option is set to 1, Tor adds information on which versions of
@@ -2162,7 +2178,9 @@ on the public Tor network.
[[DirAllowPrivateAddresses]] **DirAllowPrivateAddresses** **0**|**1**::
If set to 1, Tor will accept server descriptors with arbitrary "Address"
elements. Otherwise, if the address is not an IP address or is a private IP
- address, it will reject the server descriptor. (Default: 0)
+ address, it will reject the server descriptor. Additionally, Tor
+ will allow exit policies for private networks to fulfill Exit flag
+ requirements. (Default: 0)
[[AuthDirBadExit]] **AuthDirBadExit** __AddressPattern...__::
Authoritative directories only. A set of address patterns for servers that
@@ -2226,6 +2244,12 @@ on the public Tor network.
in a journal if it is new, or if it differs from the most recently
accepted pinning for one of the keys it contains. (Default: 0)
+[[AuthDirSharedRandomness]] **AuthDirSharedRandomness** **0**|**1**::
+ Authoritative directories only. Switch for the shared random protocol.
+ If zero, the authority won't participate in the protocol. If non-zero
+ (default), the flag "shared-rand-participate" is added to the authority
+ vote indicating participation in the protocol. (Default: 1)
+
[[BridgePassword]] **BridgePassword** __Password__::
If set, contains an HTTP authenticator that tells a bridge authority to
serve all requested bridge information. Used by the (only partially
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion