Diffstat (limited to 'doc')
-rw-r--r-- | doc/HACKING/ReleasingTor.md | 1 |
-rw-r--r-- | doc/man/tor.1.txt | 74 |
2 files changed, 36 insertions, 39 deletions
diff --git a/doc/HACKING/ReleasingTor.md b/doc/HACKING/ReleasingTor.md index 24b66a069a..739ea38795 100644 --- a/doc/HACKING/ReleasingTor.md +++ b/doc/HACKING/ReleasingTor.md @@ -23,6 +23,7 @@ new Tor release: - {simon} at sdeziel.info - {yuri} at freebsd.org - {mh+tor} at scrit.ch + - {security} at brave.com 3. Given the release date for Tor, ask the TB team about the likely release date of a TB that contains it. See note below in "commit, upload, diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index bec45dee6a..a8436f7446 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -91,8 +91,9 @@ The following options in this section are only recognized on the [[opt-hash-password]] **`--hash-password`** __PASSWORD__:: Generate a hashed password for control port access. -[[opt-list-fingerprint]] **`--list-fingerprint`**:: - Generate your keys and output your nickname and fingerprint. +[[opt-list-fingerprint]] **`--list-fingerprint`** [__key type__]:: + Generate your keys and output your nickname and fingerprint. Optionally, + you can specify the key type as `rsa` (default) or `ed25519`. [[opt-verify-config]] **`--verify-config`**:: Verify whether the configuration file is valid. 
@@ -1240,16 +1241,6 @@ The following options are useful only for clients (that is, if **FascistFirewall** is set. This option is deprecated; use ReachableAddresses instead. (Default: 80, 443) -[[HidServAuth]] **HidServAuth** __onion-address__ __auth-cookie__ [__service-name__]:: - Client authorization for a v2 hidden service. Valid onion addresses contain 16 - characters in a-z2-7 plus ".onion", and valid auth cookies contain 22 - characters in A-Za-z0-9+/. The service name is only used for internal - purposes, e.g., for Tor controllers. This option may be used multiple times - for different hidden services. If a hidden service uses authorization and - this option is not set, the hidden service is not accessible. Hidden - services can be configured to require authorization using the - **HiddenServiceAuthorizeClient** option. - [[HTTPTunnelPort]] **HTTPTunnelPort** ['address'**:**]{empty}__port__|**auto** [_isolation flags_]:: Open this port to listen for proxy connections using the "HTTP CONNECT" protocol instead of SOCKS. Set this to @@ -2810,6 +2801,11 @@ details.) but one DirPort must have the **NoAdvertise** flag set. (Default: 0) + + The same flags are supported here as are supported by ORPort. + + + As of Tor 0.4.6.1-alpha, non-authoritative relays (see + AuthoritativeDirectory) will not publish the DirPort but will still listen + on it. Clients don't use the DirPorts on relays, so it is safe for you + to remove the DirPort from your torrc configuration. [[DirPortFrontPage]] **DirPortFrontPage** __FILENAME__:: When this option is set, it takes an HTML file and publishes it as "/" on 
@@ -2952,6 +2948,30 @@ Denial of Service mitigation subsystem described above. consensus, the value is 100. (Default: 0) +[[DoSConnectionConnectRate]] **DoSConnectionConnectRate** __NUM__:: + + The allowed rate of client connection from a single address per second. + Coupled with the burst (see below), if the limit is reached, the address + is marked and a defense is applied (DoSConnectionDefenseType) for a period + of time defined by DoSConnectionConnectDefenseTimePeriod. If not defined + or set to 0, it is controlled by a consensus parameter. + (Default: 0) + +[[DoSConnectionConnectBurst]] **DoSConnectionConnectBurst** __NUM__:: + + The allowed burst of client connection from a single address per second. + See the DoSConnectionConnectRate for more details on this detection. If + not defined or set to 0, it is controlled by a consensus parameter. + (Default: 0) + +[[DoSConnectionConnectDefenseTimePeriod]] **DoSConnectionConnectDefenseTimePeriod** __N__ **seconds**|**minutes**|**hours**:: + + The base time period in seconds that the client connection defense is + activated for. The actual value is selected randomly for each activation + from N+1 to 3/2 * N. If not defined or set to 0, it is controlled by a + consensus parameter. + (Default: 24 hours) + [[DoSRefuseSingleHopClientRendezvous]] **DoSRefuseSingleHopClientRendezvous** **0**|**1**|**auto**:: Refuse establishment of rendezvous points for single hop clients. In other 
@@ -3221,20 +3241,6 @@ The next section describes the per service options that can only be set not an authorization mechanism; it is instead meant to be a mild inconvenience to port-scanners.) (Default: 0) -[[HiddenServiceAuthorizeClient]] **HiddenServiceAuthorizeClient** __auth-type__ __client-name__,__client-name__,__...__:: - If configured, the v2 hidden service is accessible for authorized clients - only. The auth-type can either be \'basic' for a general-purpose - authorization protocol or \'stealth' for a less scalable protocol that also - hides service activity from unauthorized clients. Only clients that are - listed here are authorized to access the hidden service. Valid client names - are 1 to 16 characters long and only use characters in A-Za-z0-9+-_ (no - spaces). If this option is set, the hidden service is not accessible for - clients without authorization any more. Generated authorization data can be - found in the hostname file. Clients need to put this authorization data in - their configuration file using **HidServAuth**. This option is only for v2 - services; v3 services configure client authentication in a subdirectory of - HiddenServiceDir instead (see <<client-authorization,CLIENT AUTHORIZATION>>). - [[HiddenServiceDir]] **HiddenServiceDir** __DIRECTORY__:: Store data files for a hidden service in DIRECTORY. Every hidden service must have a separate directory. You may use this option multiple times to @@ -3329,7 +3335,7 @@ The next section describes the per service options that can only be set [[HiddenServiceNumIntroductionPoints]] **HiddenServiceNumIntroductionPoints** __NUM__:: Number of introduction points the hidden service will have. You can't - have more than 10 for v2 service and 20 for v3. (Default: 3) + have more than 20. (Default: 3) [[HiddenServicePort]] **HiddenServicePort** __VIRTPORT__ [__TARGET__]:: Configure a virtual port VIRTPORT for a hidden service. You may use this 
@@ -3343,17 +3349,9 @@ The next section describes the per service options that can only be set connects to that VIRTPORT, one of the TARGETs from those lines will be chosen at random. Note that address-port pairs have to be comma-separated. -[[HiddenServiceVersion]] **HiddenServiceVersion** **2**|**3**:: +[[HiddenServiceVersion]] **HiddenServiceVersion** **3**:: A list of rendezvous service descriptor versions to publish for the hidden - service. Currently, versions 2 and 3 are supported. (Default: 3) - -[[RendPostPeriod]] **RendPostPeriod** __N__ **seconds**|**minutes**|**hours**|**days**|**weeks**:: - Every time the specified period elapses, Tor uploads any rendezvous - service descriptors to the directory servers. This information is also - uploaded whenever it changes. Minimum value allowed is 10 minutes and - maximum is 3.5 days. This option is only for v2 services. - (Default: 1 hour) - + service. Currently, only version 3 is supported. (Default: 3) **PER INSTANCE OPTIONS:** @@ -3402,8 +3400,6 @@ The next section describes the per service options that can only be set [[client-authorization]] == CLIENT AUTHORIZATION -(Version 3 only) - Service side: To configure client authorization on the service side, the |
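Review bot: in the `--list-fingerprint` entry of doc/man/tor.1.txt (hunk @@ -91,8 +91,9 @@), the placeholder `[__key type__]` is lowercase and contains a space, while the neighbouring `--hash-password` entry uses `__PASSWORD__`; a single-token placeholder such as `[__KEY_TYPE__]` would match the surrounding style. The new sentence also does not say what happens when a value other than `rsa` or `ed25519` is given; one sentence on that would save operators a trip to the source.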
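Review bot: in the DirPort paragraph added at @@ -2810,6 +2801,11 @@, "it is safe for you to remove the DirPort from your torrc configuration" reads as advice to every operator, although the sentence before it limits the change to non-authoritative relays. Suggest scoping the advice, for example "so if you run a non-authoritative relay it is safe to remove the DirPort from your torrc configuration". The reference to AuthoritativeDirectory is plain text; a cross-reference in the style of `<<client-authorization,CLIENT AUTHORIZATION>>` would make it navigable.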
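Review bot: in the three DoSConnectionConnect* entries added at @@ -2952,6 +2948,30 @@, the units and defaults are inconsistent. DoSConnectionConnectBurst is described as a burst "per second", which looks copied from the Rate entry; a burst is a count, not a rate. DoSConnectionConnectDefenseTimePeriod takes **seconds**|**minutes**|**hours** but its text says "The base time period in seconds", and it states both "If not defined or set to 0, it is controlled by a consensus parameter" and "(Default: 24 hours)", so a reader cannot tell which value applies when the option is absent, whereas the other two entries give "(Default: 0)". The range "from N+1 to 3/2 * N" should state its unit, "client connection" should be plural in all three entries, and DoSConnectionDefenseType is named without a link to its entry.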
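Review bot: the HiddenServiceAuthorizeClient entry removed at @@ -3221,20 +3241,6 @@ was the place in this part of the per-service options that pointed to `<<client-authorization,CLIENT AUTHORIZATION>>` and said that client authentication is configured in a subdirectory of HiddenServiceDir. With the whole entry gone, nothing in the lines shown here carries that pointer; consider moving the cross-reference into the HiddenServiceDir entry that follows. The same applies to the HidServAuth entry removed at @@ -1240,16 +1241,6 @@: an operator who still has either option in a torrc gets no hint from these lines about what replaced it.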
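Review bot: in the HiddenServiceVersion entry at @@ -3343,17 +3349,9 @@, the description still opens with "A list of rendezvous service descriptor versions to publish", while the signature now allows only **3** and the next sentence says only version 3 is supported. Suggest rewording the first sentence in the singular so the entry no longer implies that several values can be given.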