diff --git a/Dockerfile b/Dockerfile index 42fb453..a5f21a8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,22 +1,27 @@ -FROM lsiobase/alpine:3.10 +FROM alpine:3.10 LABEL maintainer "Nicolas Coutin " -RUN apk --no-cache add tor +RUN apk --no-cache add tor bash tzdata +ENV TZ America/Los_Angeles EXPOSE 9001 -COPY torrc.default /etc/tor/torrc.default -RUN chown -R tor /etc/tor - -COPY entrypoint.sh /entrypoint.sh -RUN chmod ugo+rx /entrypoint.sh - +ENV RELAY_TYPE relay ENV TOR_ORPort 9001 ENV TOR_ContactInfo "Random Person nobody@tor.org" ENV TOR_RelayBandwidthRate "100 KBytes" ENV TOR_RelayBandwidthBurst "200 KBytes" +COPY torrc.bridge.default /etc/tor/torrc.bridge.default +COPY torrc.relay.default /etc/tor/torrc.relay.default +COPY torrc.exit.default /etc/tor/torrc.exit.default + +RUN chown -R tor /etc/tor + +COPY entrypoint.sh /entrypoint.sh +RUN chmod ugo+rx /entrypoint.sh + USER tor RUN mkdir /var/lib/tor/.tor diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 deleted file mode 100644 index 5ab74a2..0000000 --- a/Dockerfile.aarch64 +++ /dev/null @@ -1,26 +0,0 @@ -FROM lsiobase/alpine:arm64v8-3.10 - -LABEL maintainer "Nicolas Coutin " - -RUN apk --no-cache add tor - -EXPOSE 9001 - -COPY torrc.default /etc/tor/torrc.default -RUN chown -R tor /etc/tor - -COPY entrypoint.sh /entrypoint.sh -RUN chmod ugo+rx /entrypoint.sh - -ENV TOR_ORPort 9001 -ENV TOR_ContactInfo "Random Person nobody@tor.org" -ENV TOR_RelayBandwidthRate "100 KBytes" -ENV TOR_RelayBandwidthBurst "200 KBytes" - -USER tor - -RUN mkdir /var/lib/tor/.tor -VOLUME /var/lib/tor/.tor -RUN chown -R tor /var/lib/tor/.tor - -ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/Dockerfile.armhf b/Dockerfile.armhf deleted file mode 100644 index 3e492f6..0000000 --- a/Dockerfile.armhf +++ /dev/null @@ -1,26 +0,0 @@ -FROM lsiobase/alpine:arm32v7-3.10 - -LABEL maintainer "Nicolas Coutin " - -RUN apk --no-cache add tor - -EXPOSE 9001 - -COPY torrc.default /etc/tor/torrc.default -RUN chown -R tor /etc/tor - -COPY entrypoint.sh /entrypoint.sh -RUN chmod ugo+rx /entrypoint.sh - -ENV TOR_ORPort 9001 -ENV TOR_ContactInfo "Random Person nobody@tor.org" -ENV TOR_RelayBandwidthRate "100 KBytes" -ENV TOR_RelayBandwidthBurst "200 KBytes" - -USER tor - -RUN mkdir /var/lib/tor/.tor -VOLUME /var/lib/tor/.tor -RUN chown -R tor /var/lib/tor/.tor - -ENTRYPOINT [ "/entrypoint.sh" ] diff --git a/README.md b/README.md index f3cd4b3..46a359e 100644 --- a/README.md +++ b/README.md @@ -4,15 +4,44 @@ Lightweight TOR relay image, based on the ["lsiobase/alpine" Docker image](https ## Usage +### Bridge mode + ```bash docker run \ - # -d \ + -d \ --name tor-relay \ + -e RELAY_TYPE=bridge \ + -e TOR_ORPort=9001 \ + -e TZ=Europe/London \ + -p 9001:9001 \ + --restart always \ + ilshidur/tor-relay +``` + +### Relay mode + +```bash +docker run \ + -d \ + --name tor-relay \ + -e RELAY_TYPE=relay \ + -e TOR_ORPort=9001 \ + -e TZ=Europe/London \ + -p 9001:9001 \ + --restart always \ + ilshidur/tor-relay +``` + +### Exit node mode + +```bash +docker run \ + -d \ + --name tor-relay \ + -e RELAY_TYPE=exit \ -e TOR_ORPort=9001 \ -e TZ=Europe/London \ - -e TYPE= \ -p 9001:9001 \ - # -u $(id -u)/$(id -g) \ --restart always \ ilshidur/tor-relay ``` @@ -25,3 +54,7 @@ Everyline can be changed using environment variables as described below : `TOR_=` will uncomment the first line starting with `` and set its value to ``. *Example : setting `TOR_ORPort` to `9002` will change the line `#ORPort 9001` to `ORPort 9002`.* + +## License + +MIT diff --git a/entrypoint.sh b/entrypoint.sh index 2feab6f..395c2ea 100644 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -1,5 +1,8 @@ -touch /etc/tor/torrc - -#TODO: - -exec tor -f "/etc/tor/torrc" --defaults-torrc "/etc/tor/torrc.default" +#!/bin/bash + +# set -euxo pipefail +set -e + +env | grep '^TOR_' | tr "=" " " | cut -c 5- > /etc/tor/torrc + +exec tor -f /etc/tor/torrc --defaults-torrc "/etc/tor/torrc.${RELAY_TYPE}.default" diff --git a/torrc.default b/torrc.bridge.default similarity index 97% rename from torrc.default rename to torrc.bridge.default index 5612043..d7fc743 100644 --- a/torrc.default +++ b/torrc.bridge.default @@ -225,7 +225,7 @@ #ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy #ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy #ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy -#ExitPolicy reject *:* # no exits allowed +ExitPolicy reject *:* # no exits allowed ## Bridge relays (or "bridges") are Tor relays that aren't listed in the ## main directory. Since there is no complete public list of them, even an @@ -236,7 +236,7 @@ ## ## Warning: when running your Tor as a bridge, make sure than MyFamily is ## NOT configured. -#BridgeRelay 1 +BridgeRelay 1 ## By default, Tor will advertise your bridge to users through various ## mechanisms like https://bridges.torproject.org/. If you want to run ## a private bridge, for example because you'll give out your bridge diff --git a/torrc.exit.default b/torrc.exit.default new file mode 100644 index 0000000..21f5f55 --- /dev/null +++ b/torrc.exit.default @@ -0,0 +1,325 @@ +## Imported from https://raw.githubusercontent.com/torproject/tor/37320bce064730b111018d255009390d887a8a17/src/config/torrc.sample.in + +## Configuration file for a typical Tor user +## Last updated 28 February 2019 for Tor 0.3.5.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't +## configure one below. Set "SOCKSPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections. +#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SOCKSPolicy is set, we accept +## all (and only) requests that reach a SOCKSPort. Untrusted users who +## can access your SOCKSPort may be able to learn about the connections +## you make. +#SOCKSPolicy accept 192.168.0.0/16 +#SOCKSPolicy accept6 FC00::/7 +#SOCKSPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to @LOCALSTATEDIR@/log/tor/notices.log +#Log notice file @LOCALSTATEDIR@/log/tor/notices.log +## Send every possible message to @LOCALSTATEDIR@/log/tor/debug.log +#Log debug file @LOCALSTATEDIR@/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory @LOCALSTATEDIR@/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise +## If you want to listen on IPv6 your numeric address must be explictly +## between square brackets as follows. You must also listen on IPv4. +#ORPort [2001:DB8::1]:9050 + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +## OutboundBindAddressExit will be used for all exit traffic, while +## OutboundBindAddressOR will be used for all OR and Dir connections +## (DNS connections ignore OutboundBindAddress). +## If you do not wish to differentiate, use OutboundBindAddress to +## specify the same address for both in a single line. +#OutboundBindAddressExit 10.0.0.4 +#OutboundBindAddressOR 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +## Nicknames must be between 1 and 19 characters inclusive, and must +## contain only the characters [a-zA-Z0-9]. +## If not set, "Unnamed" will be used. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 75 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "40 GB" may allow up to 80 GB total before +## hibernating. +## +## Set a maximum of 40 gigabytes each way per period. +#AccountingMax 40 GBytes +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +## +## If you are running multiple relays, you MUST set this option. +## +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage @CONFDIR@/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +## +## If you are running multiple relays, you MUST set this option. +## +## Note: do not use MyFamily on bridge relays. +#MyFamily $keyid,$keyid,... + +## Uncomment this if you want your relay to be an exit, with the default +## exit policy (or whatever exit policy you set below). +## (If ReducedExitPolicy, ExitPolicy, or IPv6Exit are set, relays are exits. +## If none of these options are set, relays are non-exits.) +ExitRelay 1 + +## Uncomment this if you want your relay to allow IPv6 exit traffic. +## (Relays do not allow any exit traffic by default.) +#IPv6Exit 1 + +## Uncomment this if you want your relay to be an exit, with a reduced set +## of exit ports. +#ReducedExitPolicy 1 + +## Uncomment these lines if you want your relay to be an exit, with the +## specified set of exit IPs and ports. +## +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. +## +## If you want to allow the same ports on IPv4 and IPv6, write your rules +## using accept/reject *. If you want to allow different ports on IPv4 and +## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules +## using accept/reject *4. +## +## If you want to _replace_ the default exit policy, end this with either a +## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to) +## the default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to the configured primary public IPv4 and IPv6 addresses, +## and any public IPv4 and IPv6 addresses on any interface on the relay. +## See the man page entry for ExitPolicyRejectPrivate if you want to allow +## "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +# Reduced exit policy from https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy +ExitPolicy accept *:20-23 # FTP, SSH, telnet +ExitPolicy accept *:43 # WHOIS +ExitPolicy accept *:53 # DNS +ExitPolicy accept *:79-81 # finger, HTTP +ExitPolicy accept *:88 # kerberos +ExitPolicy accept *:110 # POP3 +ExitPolicy accept *:143 # IMAP +ExitPolicy accept *:194 # IRC +ExitPolicy accept *:220 # IMAP3 +ExitPolicy accept *:389 # LDAP +ExitPolicy accept *:443 # HTTPS +ExitPolicy accept *:464 # kpasswd +ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587) +ExitPolicy accept *:531 # IRC/AIM +ExitPolicy accept *:543-544 # Kerberos +ExitPolicy accept *:554 # RTSP +ExitPolicy accept *:563 # NNTP over SSL +ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here) +ExitPolicy accept *:636 # LDAP over SSL +ExitPolicy accept *:706 # SILC +ExitPolicy accept *:749 # kerberos +ExitPolicy accept *:873 # rsync +ExitPolicy accept *:902-904 # VMware +ExitPolicy accept *:981 # Remote HTTPS management for firewall +ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL +ExitPolicy accept *:1194 # OpenVPN +ExitPolicy accept *:1220 # QT Server Admin +ExitPolicy accept *:1293 # PKT-KRB-IPSec +ExitPolicy accept *:1500 # VLSI License Manager +ExitPolicy accept *:1533 # Sametime +ExitPolicy accept *:1677 # GroupWise +ExitPolicy accept *:1723 # PPTP +ExitPolicy accept *:1755 # RTSP +ExitPolicy accept *:1863 # MSNP +ExitPolicy accept *:2082 # Infowave Mobility Server +ExitPolicy accept *:2083 # Secure Radius Service (radsec) +ExitPolicy accept *:2086-2087 # GNUnet, ELI +ExitPolicy accept *:2095-2096 # NBX +ExitPolicy accept *:2102-2104 # Zephyr +ExitPolicy accept *:3128 # SQUID +ExitPolicy accept *:3389 # MS WBT +ExitPolicy accept *:3690 # SVN +ExitPolicy accept *:4321 # RWHOIS +ExitPolicy accept *:4643 # Virtuozzo +ExitPolicy accept *:5050 # MMCC +ExitPolicy accept *:5190 # ICQ +ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL +ExitPolicy accept *:5228 # Android Market +ExitPolicy accept *:5900 # VNC +ExitPolicy accept *:6660-6669 # IRC +ExitPolicy accept *:6679 # IRC SSL +ExitPolicy accept *:6697 # IRC SSL +ExitPolicy accept *:8000 # iRDMI +ExitPolicy accept *:8008 # HTTP alternate +ExitPolicy accept *:8074 # Gadu-Gadu +ExitPolicy accept *:8080 # HTTP Proxies +ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port +ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP +ExitPolicy accept *:8332-8333 # Bitcoin +ExitPolicy accept *:8443 # PCsync HTTPS +ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE +ExitPolicy accept *:9418 # git +ExitPolicy accept *:9999 # distinct +ExitPolicy accept *:10000 # Network Data Management Protocol +ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol) +ExitPolicy accept *:19294 # Google Voice TCP +ExitPolicy accept *:19638 # Ensim control panel +ExitPolicy accept *:50002 # Electrum Bitcoin SSL +ExitPolicy accept *:64738 # Mumble +ExitPolicy reject *:* + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +## +## Warning: when running your Tor as a bridge, make sure than MyFamily is +## NOT configured. +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 + +## Configuration options can be imported from files or folders using the %include +## option with the value being a path. If the path is a file, the options from the +## file will be parsed as if they were written where the %include option is. If +## the path is a folder, all files on that folder will be parsed following lexical +## order. Files starting with a dot are ignored. Files on subfolders are ignored. +## The %include option can be used recursively. +#%include /etc/torrc.d/ +#%include /etc/torrc.custom diff --git a/torrc.relay.default b/torrc.relay.default new file mode 100644 index 0000000..b42edc1 --- /dev/null +++ b/torrc.relay.default @@ -0,0 +1,253 @@ +## Imported from https://raw.githubusercontent.com/torproject/tor/37320bce064730b111018d255009390d887a8a17/src/config/torrc.sample.in + +## Configuration file for a typical Tor user +## Last updated 28 February 2019 for Tor 0.3.5.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a SOCKS proxy on port 9050 by default -- even if you don't +## configure one below. Set "SOCKSPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections. +#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SOCKSPolicy is set, we accept +## all (and only) requests that reach a SOCKSPort. Untrusted users who +## can access your SOCKSPort may be able to learn about the connections +## you make. +#SOCKSPolicy accept 192.168.0.0/16 +#SOCKSPolicy accept6 FC00::/7 +#SOCKSPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to @LOCALSTATEDIR@/log/tor/notices.log +#Log notice file @LOCALSTATEDIR@/log/tor/notices.log +## Send every possible message to @LOCALSTATEDIR@/log/tor/debug.log +#Log debug file @LOCALSTATEDIR@/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +#DataDirectory @LOCALSTATEDIR@/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +#ControlPort 9051 +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir @LOCALSTATEDIR@/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +#ORPort 9001 +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise +## If you want to listen on IPv6 your numeric address must be explictly +## between square brackets as follows. You must also listen on IPv4. +#ORPort [2001:DB8::1]:9050 + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +## OutboundBindAddressExit will be used for all exit traffic, while +## OutboundBindAddressOR will be used for all OR and Dir connections +## (DNS connections ignore OutboundBindAddress). +## If you do not wish to differentiate, use OutboundBindAddress to +## specify the same address for both in a single line. +#OutboundBindAddressExit 10.0.0.4 +#OutboundBindAddressOR 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +## Nicknames must be between 1 and 19 characters inclusive, and must +## contain only the characters [a-zA-Z0-9]. +## If not set, "Unnamed" will be used. +#Nickname ididnteditheconfig + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 75 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "40 GB" may allow up to 80 GB total before +## hibernating. +## +## Set a maximum of 40 gigabytes each way per period. +#AccountingMax 40 GBytes +## Each period starts daily at midnight (AccountingMax is per day) +#AccountingStart day 00:00 +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +## +## If you are running multiple relays, you MUST set this option. +## +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +#ContactInfo 0xFFFFFFFF Random Person + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +#DirPort 9030 # what port to advertise for directory connections +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage @CONFDIR@/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +## +## If you are running multiple relays, you MUST set this option. +## +## Note: do not use MyFamily on bridge relays. +#MyFamily $keyid,$keyid,... + +## Uncomment this if you want your relay to be an exit, with the default +## exit policy (or whatever exit policy you set below). +## (If ReducedExitPolicy, ExitPolicy, or IPv6Exit are set, relays are exits. +## If none of these options are set, relays are non-exits.) +#ExitRelay 1 + +## Uncomment this if you want your relay to allow IPv6 exit traffic. +## (Relays do not allow any exit traffic by default.) +#IPv6Exit 1 + +## Uncomment this if you want your relay to be an exit, with a reduced set +## of exit ports. +#ReducedExitPolicy 1 + +## Uncomment these lines if you want your relay to be an exit, with the +## specified set of exit IPs and ports. +## +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. +## +## If you want to allow the same ports on IPv4 and IPv6, write your rules +## using accept/reject *. If you want to allow different ports on IPv4 and +## IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules +## using accept/reject *4. +## +## If you want to _replace_ the default exit policy, end this with either a +## reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to) +## the default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to the configured primary public IPv4 and IPv6 addresses, +## and any public IPv4 and IPv6 addresses on any interface on the relay. +## See the man page entry for ExitPolicyRejectPrivate if you want to allow +## "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy +ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +## +## Warning: when running your Tor as a bridge, make sure than MyFamily is +## NOT configured. +# BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 + +## Configuration options can be imported from files or folders using the %include +## option with the value being a path. If the path is a file, the options from the +## file will be parsed as if they were written where the %include option is. If +## the path is a folder, all files on that folder will be parsed following lexical +## order. Files starting with a dot are ignored. Files on subfolders are ignored. +## The %include option can be used recursively. +#%include /etc/torrc.d/ +#%include /etc/torrc.custom