diff options
Diffstat (limited to 'spec/pt-spec/configuration-environment.md')
-rw-r--r-- | spec/pt-spec/configuration-environment.md | 258 |
1 files changed, 258 insertions, 0 deletions
diff --git a/spec/pt-spec/configuration-environment.md b/spec/pt-spec/configuration-environment.md new file mode 100644 index 0000000..f2f0eb5 --- /dev/null +++ b/spec/pt-spec/configuration-environment.md @@ -0,0 +1,258 @@ +<a id="pt-spec.txt-3.2"></a> + +# Pluggable Transport Configuration Environment Variables {#envvars} + +All Pluggable Transport proxy instances are configured by their +parent process at launch time via a set of well defined +environment variables. + +The "TOR_PT\_" prefix is used for namespacing reasons and does not +indicate any relations to Tor, except for the origins of this +specification. + +<a id="pt-spec.txt-3.2.1"></a> + +## Common Environment Variables {#common} + +When launching either a client or server Pluggable Transport proxy, +the following common environment variables MUST be set. + +"TOR_PT_MANAGED_TRANSPORT_VER" + +Specifies the versions of the Pluggable Transport specification +the parent process supports, delimited by commas. All PTs MUST +accept any well-formed list, as long as a compatible version is +present. + +Valid versions MUST consist entirely of non-whitespace, +non-comma printable ASCII characters. + +The version of the Pluggable Transport specification as of this +document is "1". + +Example: + +TOR_PT_MANAGED_TRANSPORT_VER=1,1a,2b,this_is_a_valid_ver + +"TOR_PT_STATE_LOCATION" + +Specifies an absolute path to a directory where the PT is +allowed to store state that will be persisted across +invocations. The directory is not required to exist when +the PT is launched, however PT implementations SHOULD be +able to create it as required. + +PTs MUST only store files in the path provided, and MUST NOT +create or modify files elsewhere on the system. + +Example: + +TOR_PT_STATE_LOCATION=/var/lib/tor/pt_state/ + +"TOR_PT_EXIT_ON_STDIN_CLOSE" + +Specifies that the parent process will close the PT proxy's +standard input (stdin) stream to indicate that the PT proxy +should gracefully exit. + +PTs MUST NOT treat a closed stdin as a signal to terminate +unless this environment variable is set to "1". + +PTs SHOULD treat stdin being closed as a signal to gracefully +terminate if this environment variable is set to "1". + +Example: + +TOR_PT_EXIT_ON_STDIN_CLOSE=1 + +"TOR_PT_OUTBOUND_BIND_ADDRESS_V4" + +Specifies an IPv4 IP address that the PT proxy SHOULD use as source address for +outgoing IPv4 IP packets. This feature allows people with multiple network +interfaces to specify explicitly which interface they prefer the PT proxy to +use. + +If this value is unset or empty, the PT proxy MUST use the default source +address for outgoing connections. + +This setting MUST be ignored for connections to +loopback addresses (127.0.0.0/8). + +Example: + +TOR_PT_OUTBOUND_BIND_ADDRESS_V4=203.0.113.4 + +"TOR_PT_OUTBOUND_BIND_ADDRESS_V6" + +Specifies an IPv6 IP address that the PT proxy SHOULD use as source address for +outgoing IPv6 IP packets. This feature allows people with multiple network +interfaces to specify explicitly which interface they prefer the PT proxy to +use. + +If this value is unset or empty, the PT proxy MUST use the default source +address for outgoing connections. + +This setting MUST be ignored for connections to the loopback address (\[::1\]). + +IPv6 addresses MUST always be wrapped in square brackets. + +Example:: + +TOR_PT_OUTBOUND_BIND_ADDRESS_V6=\[2001:db8::4\] + +<a id="pt-spec.txt-3.2.2"></a> + +## Pluggable Transport Client Environment Variables {#client} + +Client-side Pluggable Transport forward proxies are configured +via the following environment variables. + +"TOR_PT_CLIENT_TRANSPORTS" + +Specifies the PT protocols the client proxy should initialize, +as a comma separated list of PT names. + +PTs SHOULD ignore PT names that it does not recognize. + +Parent processes MUST set this environment variable when +launching a client-side PT proxy instance. + +Example: + +TOR_PT_CLIENT_TRANSPORTS=obfs2,obfs3,obfs4 + +"TOR_PT_PROXY" + +Specifies an upstream proxy that the PT MUST use when making +outgoing network connections. It is a URI \[RFC3986\] of the +format: + +`<proxy_type>://[<user_name>[:<password>][@]<ip>:<port>`. + +The "TOR_PT_PROXY" environment variable is OPTIONAL and +MUST be omitted if there is no need to connect via an +upstream proxy. + +Examples: + +```text + TOR_PT_PROXY=socks5://tor:test1234@198.51.100.1:8000 + TOR_PT_PROXY=socks4a://198.51.100.2:8001 + TOR_PT_PROXY=http://198.51.100.3:443 +``` + +<a id="pt-spec.txt-3.2.3"></a> + +## Pluggable Transport Server Environment Variables {#server} + +Server-side Pluggable Transport reverse proxies are configured +via the following environment variables. + +"TOR_PT_SERVER_TRANSPORTS" + +Specifies the PT protocols the server proxy should initialize, +as a comma separated list of PT names. + +PTs SHOULD ignore PT names that it does not recognize. + +Parent processes MUST set this environment variable when +launching a server-side PT reverse proxy instance. + +Example: + +TOR_PT_SERVER_TRANSPORTS=obfs3,scramblesuit + +"TOR_PT_SERVER_TRANSPORT_OPTIONS" + +Specifies per-PT protocol configuration directives, as a +semicolon-separated list of `<key>:<value>` pairs, where `<key>` +is a PT name and `<value>` is a k=v string value with options +that are to be passed to the transport. + +Colons, semicolons, and backslashes MUST be +escaped with a backslash. + +If there are no arguments that need to be passed to any of +PT transport protocols, "TOR_PT_SERVER_TRANSPORT_OPTIONS" +MAY be omitted. + +Example: + +TOR_PT_SERVER_TRANSPORT_OPTIONS=scramblesuit:key=banana;automata:rule=110;automata:depth=3 + +```text + Will pass to 'scramblesuit' the parameter 'key=banana' and to + 'automata' the arguments 'rule=110' and 'depth=3'. + + "TOR_PT_SERVER_BINDADDR" +``` + +A comma separated list of `<key>-<value>` pairs, where `<key>` is +a PT name and `<value>` is the `<address>:<port>` on which it +should listen for incoming client connections. + +The keys holding transport names MUST be in the same order as +they appear in "TOR_PT_SERVER_TRANSPORTS". + +The `<address>` MAY be a locally scoped address as long as port +forwarding is done externally. + +The `<address>:<port>` combination MUST be an IP address +supported by `bind()`, and MUST NOT be a host name. + +Applications MUST NOT set more than one `<address>:<port>` pair +per PT name. + +If there is no specific `<address>:<port>` combination to be +configured for any transports, "TOR_PT_SERVER_BINDADDR" MAY +be omitted. + +Example: + +TOR_PT_SERVER_BINDADDR=obfs3-198.51.100.1:1984,scramblesuit-127.0.0.1:4891 + +"TOR_PT_ORPORT" + +Specifies the destination that the PT reverse proxy should forward +traffic to after transforming it as appropriate, as an +`<address>:<port>`. + +Connections to the destination specified via "TOR_PT_ORPORT" +MUST only contain application payload. If the parent process +requires the actual source IP address of client connections +(or other metadata), it should set "TOR_PT_EXTENDED_SERVER_PORT" +instead. + +Example: + +TOR_PT_ORPORT=127.0.0.1:9001 + +"TOR_PT_EXTENDED_SERVER_PORT" + +Specifies the destination that the PT reverse proxy should +forward traffic to, via the Extended ORPort protocol \[EXTORPORT\] +as an `<address>:<port>`. + +The Extended ORPort protocol allows the PT reverse proxy to +communicate per-connection metadata such as the PT name and +client IP address/port to the parent process. + +If the parent process does not support the ExtORPort protocol, +it MUST set "TOR_PT_EXTENDED_SERVER_PORT" to an empty string. + +Example: + +TOR_PT_EXTENDED_SERVER_PORT=127.0.0.1:4200 + +"TOR_PT_AUTH_COOKIE_FILE" + +Specifies an absolute filesystem path to the Extended ORPort +authentication cookie, required to communicate with the +Extended ORPort specified via "TOR_PT_EXTENDED_SERVER_PORT". + +If the parent process is not using the ExtORPort protocol for +incoming traffic, "TOR_PT_AUTH_COOKIE_FILE" MUST be omitted. + +Example: + +TOR_PT_AUTH_COOKIE_FILE=/var/lib/tor/extended_orport_auth_cookie |