From 955a10fee0c195c189c920bd832943a54b90c18d Mon Sep 17 00:00:00 2001 From: Andrew Lewman Date: Tue, 16 Aug 2005 02:14:40 +0000 Subject: [PATCH] Initial complete config file. Organized into easily searchable sections. svn:r4789 --- src/config/torrc.complete.in | 510 +++++++++++++++++++++++++++++++++++ 1 file changed, 510 insertions(+) create mode 100644 src/config/torrc.complete.in diff --git a/src/config/torrc.complete.in b/src/config/torrc.complete.in new file mode 100644 index 0000000000..26b3d92e9e --- /dev/null +++ b/src/config/torrc.complete.in @@ -0,0 +1,510 @@ +# $Id$ +# Last updated on $Date$ +#################################################################### +## This config file is divided into four sections. They are: +## 1. Global Options (clients and servers) +## 2. Client Options Only +## 3. Server Options Only +## 4. Directory Server Options (for running your own Tor network) +## 5. Hidden Service Options (clients and servers) +## +## The conventions used are: +## double hash (##) is for summary text about the config option; +## single hash (#) is for the config option; and, +## the config option is always after the text. +#################################################################### + + +## Section 1: Global Options (clients and servers) + +## A token bucket limits the average incoming bandwidth on this node +## to the specified number of bytes per second. (Default: 2MB) +#BandwidthRate N bytes|KB|MB|GB|TB + +## Limit the maximum token bucket size (also known as the burst) to +## the given number of bytes. (Default: 5 MB) +#BandwidthBurst N bytes|KB|MB|GB|TB + +## If set, we will not advertise more than this amount of bandwidth +## for our BandwidthRate. Server operators who want to reduce the +## number of clients who ask to build circuits through them (since +## this is proportional to advertised bandwidth rate) can thus +## reduce the CPU demands on their server without impacting +## network performance. +#MaxAdvertisedBandwidth N bytes|KB|MB|GB|TB + +## If set, Tor will accept connections from the same machine +## (localhost only) on this port, and allow those connections to +## control the Tor process using the Tor Control Protocol +## (described in control-spec.txt). Note: unless you also specify +## one of HashedControlPassword or CookieAuthentication, setting +## this option will cause Tor to allow any process on the local +## host to control it. +#ControlPort Port + +## Don’t allow any connections on the control port except when the +## other process knows the password whose one-way hash is +## hashed_password. You can compute the hash of a password by +## running "tor --hash-password password". +#HashedControlPassword hashed_password + +## If this option is set to 1, don’t allow any connections on the +## control port except when the connecting process knows the +## contents of a file named "control_auth_cookie", which Tor will +## create in its data directory. This authentication method +## should only be used on systems with good filesystem security. +## (Default: 0) +#CookieAuthentication 0|1 + +## Store working data in DIR (Default: /usr/local/var/lib/tor) +#DataDirectory DIR + +## Every time the specified period elapses, Tor downloads a direc- +## tory. A directory contains a signed list of all known servers +## as well as their current liveness status. A value of "0 sec- +## onds" tells Tor to choose an appropriate default. +## (Default: 1 hour for clients, 20 minutes for servers) +#DirFetchPeriod N seconds|minutes|hours|days|weeks + +## Use a nonstandard authoritative directory server at the pro- +## vided address and port, with the specified key fingerprint. +## This option can be repeated many times, for multiple authorita- +## tive directory servers. If no dirserver line is given, Tor will +## use the default directory servers: moria1, moria2, and tor26. +#DirServer address:port fingerprint + +## On startup, setgid to this user. +#Group GID + +## Tor will make all its directory requests through this host:port +## (or host:80 if port is not specified), rather than connecting +## directly to any directory servers. +#HttpProxy host[:port] + +## If defined, Tor will use this username:password for Basic Http +## proxy authentication, as in RFC 2617. This is currently the +## only form of Http proxy authentication that Tor supports; feel +## free to submit a patch if you want it to support others. +#HttpProxyAuthenticator username:password + +## Tor will make all its OR (SSL) connections through this +## host:port (or host:443 if port is not specified), via HTTP CON- +## NECT rather than connecting directly to servers. You may want +## to set FascistFirewall to restrict the set of ports you might +## try to connect to, if your Https proxy only allows connecting +## to certain ports. +#HttpsProxy host[:port] + +## If defined, Tor will use this username:password for Basic Https +## proxy authentication, as in RFC 2617. This is currently the +## only form of Https proxy authentication that Tor supports; feel +## free to submit a patch if you want it to support others. +#HttpsProxyAuthenticator username:password + +## To keep firewalls from expiring connections, send a padding +## keepalive cell every NUM seconds on open connections that are +## in use. If the connection has no open circuits, it will instead +## be closed after NUM seconds of idleness. (Default: 5 minutes) +#KeepalivePeriod NUM + +## Send all messages between minSeverity and maxSeverity to the +## standard output stream, the standard error stream, or to the +## system log. (The "syslog" value is only supported on Unix.) +## Recognized severity levels are debug, info, notice, warn, and +## err. If only one severity level is given, all messages of that +## level or higher will be sent to the listed destination. +#Log minSeverity[-maxSeverity] stderr|stdout|syslog + +## As above, but send log messages to the listed filename. The +## "Log" option may appear more than once in a configuration file. +## Messages are sent to all the logs that match their severity +## level. +#Log minSeverity[-maxSeverity] file FILENAME + +## Maximum number of simultaneous sockets allowed. You probably +## don’t need to adjust this. (Default: 1024) +#MaxConn NUM + +## Make all outbound connections originate from the IP address +## specified. This is only useful when you have multiple network +## interfaces, and you want all of Tor’s outgoing connections to +## use a single one. +#OutboundBindAddress IP + +## On startup, write our PID to FILE. On clean shutdown, remove +## FILE. +#PIDFile FILE + +## If 1, Tor forks and daemonizes to the background. (Default: 0) +#RunAsDaemon 0|1 + +## If 1, Tor replaces potentially sensitive strings in the logs +## (e.g. addresses) with the string [scrubbed]. This way logs can +## still be useful, but they don’t leave behind personally identi- +## fying information about what sites a user might have visited. +## (Default: 1) +#SafeLogging 0|1 + +## Every time the specified period elapses, Tor downloads signed +## status information about the current state of known servers. A +## value of "0 seconds" tells Tor to choose an appropriate +## default. (Default: 30 minutes for clients, 15 minutes for +## servers) +#StatusFetchPeriod N seconds|minutes|hours|days|weeks + +## On startup, setuid to this user. +#User UID + +## If non-zero, try to use crypto hardware acceleration when +## available. (Default: 1) +#HardwareAccel 0|1 + + +## Section 2: Client Options Only + +## Where on our circuits should we allow Tor servers that the +## directory servers haven’t authenticated as "verified"? +## (Default: middle,rendezvous) +#AllowUnverifiedNodes entry|exit|middle|introduction|rendezvous|... + +## If set to 1, Tor will under no circumstances run as a server. +## The default is to run as a client unless ORPort is configured. +## (Usually, you don’t need to set this; Tor is pretty smart at +## figuring out whether you are reliable and high-bandwidth enough +## to be a useful server.) +## This option will likely be deprecated in the future; see the +## NoPublish option below. (Default: 0) +#ClientOnly 0|1 + +## A list of preferred nodes to use for the first hop in the +## circuit, if possible. +#EntryNodes nickname,nickname,... + +## A list of preferred nodes to use for the last hop in the +## circuit, if possible. +#ExitNodes nickname,nickname,... + +## A list of nodes to never use when building a circuit. +#ExcludeNodes nickname,nickname,... + +## If 1, Tor will never use any nodes besides those listed in +## "exitnodes" for the last hop of a circuit. +#StrictExitNodes 0|1 + +## If 1, Tor will never use any nodes besides those listed in +## "entrynodes" for the first hop of a circuit. +#StrictEntryNodes 0|1 + +## If 1, Tor will only create outgoing connections to ORs running +## on ports that your firewall allows (defaults to 80 and 443; see +## FirewallPorts). This will allow you to run Tor as a client +## behind a firewall with restrictive policies, but will not allow +## you to run as a server behind such a firewall. +#FascistFirewall 0|1 + +## A list of ports that your firewall allows you to connect to. +## Only used when FascistFirewall is set. (Default: 80, 443) +#FirewallPorts PORTS + +## A comma-separated list of IPs that your firewall allows you to +## connect to. Only used when FascistFirewall is set. The format +## is as for the addresses in ExitPolicy. +## For example, ’FirewallIPs 99.0.0.0/8, *:80’ means that your +## firewall allows connections to everything inside net 99, and +## to port 80 outside. +#FirewallIPs ADDR[/MASK][:PORT]... + +## A list of ports for services that tend to have long-running +## connections (e.g. chat and interactive shells). Circuits for +## streams that use these ports will contain only high-uptime +## nodes, to reduce the chance that a node will go down before the +## stream is finished. (Default: 21, 22, 706, 1863, 5050, 5190, +## 5222, 5223, 6667, 8300, 8888) +#LongLivedPorts PORTS + +## When a request for address arrives to Tor, it will rewrite it +## to newaddress before processing it. For example, if you always +## want connections to www.indymedia.org to exit via torserver +## (where torserver is the nickname of the server), +## use "MapAddress www.indymedia.org www.indymedia.org.torserver.exit". +#MapAddress address newaddress + +## Every NUM seconds consider whether to build a new circuit. +## (Default: 30 seconds) +#NewCircuitPeriod NUM + +## Feel free to reuse a circuit that was first used at most NUM +## seconds ago, but never attach a new stream to a circuit that is +## too old. (Default: 10 minutes) +#MaxCircuitDirtiness NUM + +## The named Tor servers constitute a "family" of similar or co- +## administered servers, so never use any two of them in the same +## circuit. Defining a NodeFamily is only needed when a server +## doesn’t list the family itself (with MyFamily). This option can +## be used multiple times. +#NodeFamily nickname,nickname,... + +## A list of preferred nodes to use for the rendezvous point, if +## possible. +#RendNodes nickname,nickname,... + +## A list of nodes to never use when choosing a rendezvous point. +#RendExcludeNodes nickname,nickname,... + +## Advertise this port to listen for connections from SOCKS-speak- +## ing applications. Set this to 0 if you don’t want to allow +## application connections. (Default: 9050) +#SOCKSPort PORT + +## Bind to this address to listen for connections from SOCKS- +## speaking applications. (Default: 127.0.0.1) You can also spec- +## ify a port (e.g. 192.168.0.1:9100). This directive can be spec- +## ified multiple times to bind to multiple addresses/ports. +#SOCKSBindAddress IP[:PORT] + +## Set an entrance policy for this server, to limit who can con- +## nect to the SOCKS ports. The policies have the same form as +## exit policies below. +#SOCKSPolicy policy,policy,... + +## For each value in the comma separated list, Tor will track +## recent connections to hosts that match this value and attempt +## to reuse the same exit node for each. If the value is prepended +## with a ’.’, it is treated as matching an entire domain. If one +## of the values is just a ’.’, it means match everything. This +## option is useful if you frequently connect to sites that will +## expire all your authentication cookies (ie log you out) if your +## IP address changes. Note that this option does have the disad- +## vantage of making it more clear that a given history is associ- +## ated with a single user. However, most people who would wish to +## observe this will observe it through cookies or other protocol- +## specific means anyhow. +#TrackHostExits host,.domain,... + +## Since exit servers go up and down, it is desirable to expire +## the association between host and exit server after NUM seconds. +## The default is 1800 seconds (30 minutes). +#TrackHostExitsExpire NUM + +## If this option is set to 1, we pick a few entry servers as our +## "helpers", and try to use only those fixed entry servers. This +## is desirable, because constantly changing servers increases the +## odds that an adversary who owns some servers will observe a +## fraction of your paths. (Defaults to 0; will eventually +## default to 1.) +#UseHelperNodes 0|1 + +## If UseHelperNodes is set to 1, we will try to pick a total of +## NUM helper nodes as entries for our circuits. (Defaults to 3.) +#NumHelperNodes NUM + + +## Section 3: Server Options Only + +## The IP or fqdn of this server (e.g. moria.mit.edu). You can +## leave this unset, and Tor will guess your IP. +#Address address + +## Administrative contact information for server. +#ContactInfo email_address + +## Set an exit policy for this server. Each policy is of the form +## "accept|reject ADDR[/MASK][:PORT]". If /MASK is omitted then +## this policy just applies to the host given. Instead of giving +## a host or network you can also use "*" to denote the universe +## (0.0.0.0/0). PORT can be a single port number, an interval of +## ports "FROM_PORT-TO_PORT", or "*". If PORT is omitted, that +## means "*". +## +## For example, "reject 127.0.0.1:*,reject 192.168.1.0/24:*,accept +## *:*" would reject any traffic destined for localhost and any +## 192.168.1.* address, but accept anything else. +## +## This directive can be specified multiple times so you don’t +## have to put it all on one line. +## +## See RFC 3330 for more details about internal and reserved IP +## address space. Policies are considered first to last, and the +## first match wins. If you want to _replace_ the default exit +## policy, end your exit policy with either a reject *:* or an +## accept *:*. Otherwise, you’re _augmenting_ (prepending to) the +## default exit policy. The default exit policy is: +## reject 0.0.0.0/8 +## reject 169.254.0.0/16 +## reject 127.0.0.0/8 +## reject 192.168.0.0/16 +## reject 10.0.0.0/8 +## reject 172.16.0.0/12 +## reject *:25 +## reject *:119 +## reject *:135-139 +## reject *:445 +## reject *:1214 +## reject *:4661-4666 +## reject *:6346-6429 +## reject *:6699 +## reject *:6881-6999 +## accept *:* +#ExitPolicy policy,policy,... + +## If you have more than this number of onionskins queued for +## decrypt, reject new ones. (Default: 100) +#MaxOnionsPending NUM + +## Declare that this Tor server is controlled or administered by a +## group or organization identical or similar to that of the other +## named servers. When two servers both declare that they are in +## the same ’family’, Tor clients will not use them in the same +## circuit. (Each server only needs to list the other servers in +## its family; it doesn’t need to list itself, but it won’t hurt.) +#MyFamily nickname,nickname,... + +## Set the server’s nickname to ’name’. +#Nickname name + +## If you set NoPublish 1, Tor will act as a server if you have an +## ORPort defined, but it will not publish its descriptor to the +## dirservers. This option is useful if you’re testing out your +## server, or if you’re using alternate dirservers (e.g. for other +## Tor networks such as Blossom). (Default: 0) +#NoPublish 0|1 + +## How many processes to use at once for decrypting onionskins. +## (Default: 1) +NumCPUs num + +## Advertise this port to listen for connections from Tor clients +## and servers. +#ORPort PORT + +## Bind to this IP address to listen for connections from Tor +## clients and servers. If you specify a port, bind to this port +## rather than the one specified in ORPort. (Default: 0.0.0.0) +#ORBindAddress IP[:PORT] + +## Whenever an outgoing connection tries to connect to one of a +## given set of addresses, connect to target (an address:port +## pair) instead. The address pattern is given in the same format +## as for an exit policy. The address translation applies after +## exit policies are applied. Multiple RedirectExit options can +## be used: once any one has matched successfully, no subsequent +## rules are considered. You can specify that no redirection is +## to be performed on a given set of addresses by using the spe- +## cial target string "pass", which prevents subsequent rules from +## being considered. +#RedirectExit pattern target + +## When we get a SIGINT and we’re a server, we begin shutting +## down: we close listeners and start refusing new circuits. After +## NUM seconds, we exit. If we get a second SIGINT, we exit imme- +## diately. (Default: 30 seconds) +#ShutdownWaitLengthNUM + +## Every time the specified period elapses, Tor uploads its server +## descriptors to the directory servers. This information is also +## uploaded whenever it changes. (Default: 20 minutes) +#DirPostPeriod N seconds|minutes|hours|days|weeks + +## Never send more than the specified number of bytes in a given +## accounting period, or receive more than that number in the +## period. For example, with AccountingMax set to 1 GB, a server +## could send 900 MB and receive 800 MB and continue running. It +## will only hibernate once one of the two reaches 1 GB. When the +## number of bytes is exhausted, Tor will hibernate until some +## time in the next accounting period. To prevent all servers +## from waking at the same time, Tor will also wait until a random +## point in each period before waking up. If you have bandwidth +## cost issues, enabling hibernation is preferable to setting a +## low bandwidth, since it provides users with a collection of +## fast servers that are up some of the time, which is more useful +## than a set of slow servers that are always "available". +#AccountingMax N bytes|KB|MB|GB|TB + +## Specify how long accounting periods last. If month is given, +## each accounting period runs from the time HH:MM on the dayth +## day of one month to the same day and time of the next. (The +## day must be between 1 and 28.) If week is given, each account- +## ing period runs from the time HH:MM of the dayth day of one +## week to the same day and time of the next week, with Monday as +## day 1 and Sunday as day 7. If day is given, each accounting +## period runs from the time HH:MM each day to the same time on +## the next day. All times are local, and given in 24-hour time. +## (Defaults to "month 1 0:00".) +#AccountingStart day|week|month [day] HH:MM + + +## Section 4: Directory Server Options (for running your own Tor +## network) + +## When this option is set to 1, Tor operates as an authoritative +## directory server. Instead of caching the directory, it gener- +## ates its own list of good servers, signs it, and sends that to +## the clients. Unless the clients already have you listed as a +## trusted directory, you probably do not want to set this option. +## Please coordinate with the other admins at +## tor-ops@freehaven.net if you think you should be a directory. +#AuthoritativeDirectory 0|1 + +## Advertise the directory service on this port. +#DirPort PORT + +## Bind the directory service to this address. If you specify a +## port, bind to this port rather than the one specified in DirPort. +## (Default: 0.0.0.0) +#DirBindAddress IP[:PORT] + +## Set an entrance policy for this server, to limit who can con- +## nect to the directory ports. The policies have the same form +## as exit policies above. +#DirPolicy policy,policy,... + +## STRING is a command-separated list of Tor versions currently +## believed to be safe. The list is included in each directory, +## and nodes which pull down the directory learn whether they need +## to upgrade. This option can appear multiple times: the values +## from multiple lines are spliced together. +#RecommendedVersions STRING + + +## If set to 1, Tor will accept router descriptors with arbitrary +## "Address" elements. Otherwise, if the address is not an IP or +## is a private IP, it will reject the router descriptor. Defaults +## to 0. +#DirAllowPrivateAddresses 0|1 + +## If set to 1, Tor tries to build circuits through all of the +## servers it knows about, so it can tell which are up and which +## are down. This option is only useful for authoritative direc- +## tories, so you probably don’t want to use it. +#RunTesting 0|1 + +## Section 5: Hidden Service Options (clients and servers) + +## Store data files for a hidden service in DIRECTORY. Every hid- +## den service must have a separate directory. You may use this +## option multiple times to specify multiple services. +#HiddenServiceDir DIRECTORY + +## Configure a virtual port VIRTPORT for a hidden service. You +## may use this option multiple times; each time applies to the +## service using the most recent hiddenservicedir. By default, +## this option maps the virtual port to the same port on +## 127.0.0.1. You may override the target port, address, or both +## by specifying a target of addr, port, or addr:port. +#HiddenServicePort VIRTPORT [TARGET] + +## If possible, use the specified nodes as introduction points for +## the hidden service. If this is left unset, Tor will be smart +## and pick some reasonable ones; most people can leave this unset. +#HiddenServiceNodes nickname,nickname,... + +## Do not use the specified nodes as introduction points for the +## hidden service. In normal use there is no reason to set this. +#HiddenServiceExcludeNodes nickname,nickname,... + +## Every time the specified period elapses, Tor uploads any ren- +## dezvous service descriptors to the directory servers. This +## information is also uploaded whenever it changes. +## (Default: 20 minutes) +#RendPostPeriod N seconds|minutes|hours|days|weeks