♻️ refactor(ops): optimize workflows, docker setup and relay configs

Refactors the repository configuration to streamline CI/CD processes and tune Tor relay settings.

**CI & Build:**
- 👷 Enhance `cleanup.yml` with clearer cache deletion and logging.
- 🐳 Update `.dockerignore` to streamline CI builds.
- 🔧 Simplify `.gitattributes` and prune `.hadolint.yaml` comments.

**Tor Configuration:**
- 🛡️ Tune `relay-guard.conf` for performance and remove noise.
- 🌉 Update `relay-bridge.conf` ORPort/ServerTransport settings.
- Refine `relay-exit.conf` exit policies and bandwidth limits.

**Misc & Cleanup:**
- 💄 Improve startup banner aesthetics in `docker-entrypoint.sh`.
- 📝 Add JS execution warnings to `tor-exit-notice` HTML template.
- 🔥 Remove obsolete `examples/.env` file.
rE-Bo0t.bx1
2025-12-07 22:20:45 +08:00
parent bfad827af4
commit dd598ca1f9
10 changed files with 145 additions and 836 deletions


@@ -1,20 +1,15 @@
# 🧱 optimized for CI builds
# Ignore Git and CI/CD metadata
.git
.gitignore
.gitattributes
.github/
# Ignore documentation and changelogs
*.md
CHANGELOG.md
CONTRIBUTING.md
CODE_OF_CONDUCT.md
SECURITY.md
LICENSE.txt
# Ignore examples, templates, and local configs
examples/
templates/
docs/
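Review bot: the explicit `CHANGELOG.md`, `CONTRIBUTING.md`, `CODE_OF_CONDUCT.md` and `SECURITY.md` entries are redundant with the `*.md` pattern directly above them and can be dropped. Ignoring `LICENSE.txt` deserves a second look: if the Dockerfile copies the licence into the image (common for OCI label compliance), that `COPY` now fails at build time, so run a full build before merging.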
@@ -23,25 +18,11 @@ config/
*.json
*.yaml
*.yml
# Ignore temporary, backup, and log files
*.log
*.tmp
*.bak
*.swp
*.DS_Store
# Ignore local build artifacts
*.tar
*.gz
*.zip
*.tgz
build/
dist/
node_modules/
__pycache__/
# Keep only files needed for building and running the image
!Dockerfile
!Dockerfile.edge
!tools/
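Review bot: .dockerignore patterns are anchored at the build-context root, so `*.log`, `*.tmp`, `*.bak`, `*.swp`, `*.DS_Store`, `node_modules/` and `__pycache__/` only exclude top-level matches; nested ones (for example `tools/foo.log`) still land in the context. Prefix them with `**/` (`**/*.log`, `**/__pycache__/`). The trailing `!Dockerfile`, `!Dockerfile.edge` and `!tools/` negations only have an effect if an earlier pattern excluded those paths; none of the patterns visible here does, so either drop them or switch to an explicit allow-list (`*` first, then the `!` entries).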

11
.gitattributes vendored

@@ -1,26 +1,15 @@
# Auto detect text files and perform LF normalization
* text=auto
# Ensure shell scripts always use LF
*.sh text eol=lf
docker-entrypoint.sh text eol=lf
healthcheck.sh text eol=lf
tools/* text eol=lf
# Dockerfiles
*.container text eol=lf
Dockerfile text eol=lf
# GitHub workflows
.github/workflows/*.yml text eol=lf
# Standard file handling
*.md text
*.txt text
*.yml text eol=lf
*.yaml text eol=lf
# Binary files
*.png binary
*.jpg binary
*.gif binary
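Review bot: `tools/* text eol=lf` only matches direct children of `tools/`; if that directory has subfolders, use `tools/** text eol=lf`. Likewise `Dockerfile text eol=lf` does not cover `Dockerfile.edge` (which the `.dockerignore` change in this same commit allow-lists); `Dockerfile* text eol=lf` catches both. `.github/workflows/*.yml text eol=lf` is redundant with the later `*.yml text eol=lf` and can go.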


@@ -1,4 +1,4 @@
name: 🗑️🧹
name: 🗑️🧹 Force Clear Cache
on:
schedule:
@@ -12,24 +12,10 @@ jobs:
clear-cache:
runs-on: ubuntu-latest
steps:
- name: 🗑️ Clear GitHub Actions Cache
- name: 💥 Nuke GitHub Actions Cache
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
run: |
echo "🔍 Fetching list of caches..."
# Get all cache keys
cacheKeys=$(gh cache list --limit 100 --repo $REPO --json key --jq '.[].key')
if [ -z "$cacheKeys" ]; then
echo "✅ No caches found to clear."
exit 0
fi
echo "🗑️ Deleting caches..."
for key in $cacheKeys; do
echo " - Deleting $key"
gh cache delete "$key" --repo $REPO || echo " ⚠️ Failed to delete $key (might already be gone)"
done
echo "🎉 Cache cleanup complete."
echo "🔍 meaningful-text: check for caches..."
gh cache delete --all --repo ${{ github.repository }} || true
echo "✅ Cache storage is now empty."
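Review bot: `gh cache delete --all --repo ${{ github.repository }} || true` swallows every failure, so if `GITHUB_TOKEN` lacks `actions: write` (the default token permissions on newer repositories are read-only) the step still prints "Cache storage is now empty" and goes green while nothing was deleted. Drop the `|| true` and declare `permissions: actions: write` on the job so a real failure is visible. Two smaller points: the `REPO` env var is unused now that the repository is inlined, and the echo text `meaningful-text: check for caches...` reads like a leftover placeholder.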


@@ -1,65 +1,9 @@
# Hadolint configuration for Tor Guard Relay
# https://github.com/hadolint/hadolint
# Dockerfile linting with security-first approach
# ============================================================================
# Ignored Rules
# ============================================================================
ignored:
# DL3018: Ignore unpinned package versions in apk add
# Rationale: Alpine Linux frequently updates packages, causing pinned versions
# to break builds. We prefer resilience and automatic security updates over
# strict reproducibility. Weekly rebuilds (Sundays 18:30 UTC) ensure we get
# latest security patches automatically.
- DL3018
# DL3062: Ignore unpinned Go packages
# Rationale: We intentionally use 'go get -u' to fetch the latest security
# patches for dependencies during our weekly rebuilds. Pinning versions
# would prevent automatic vulnerability remediation.
- DL3062
# ============================================================================
# Security & Quality Settings
# ============================================================================
failure-threshold: error # Only fail on errors, not warnings
# Enable all built-in checks (except explicitly ignored above)
failure-threshold: error
no-fail: false
# ============================================================================
# Trusted Registries (Security)
# ============================================================================
# Only allow official registries and alpine base image
trustedRegistries:
- "docker.io"
- "registry.hub.docker.com"
# ============================================================================
# Additional Notes
# ============================================================================
#
# Enabled security checks include:
# - DL3001: Avoid using sudo
# - DL3002: Warn on using USER root
# - DL3003: Use WORKDIR for absolute paths
# - DL3006: Use --platform for multi-arch builds
# - DL3007: Use specific tags for base images (not :latest)
# - DL3008: Pin versions in apt-get (N/A - we use apk)
# - DL3009: Delete apt-get lists after install (N/A - we use apk)
# - DL3013: Pin versions in pip install (N/A - no Python)
# - DL3015: Avoid additional packages in apt-get (N/A - we use apk)
# - DL3016: Pin versions in npm (N/A - no Node.js)
# - DL3020: Use COPY instead of ADD for files/dirs
# - DL3022: COPY --from should reference valid stage
# - DL3025: Use JSON notation for CMD/ENTRYPOINT
# - DL4001: Warn on wget/curl without verified downloads
# - DL4003: Multiple CMD instructions (only last one counts)
# - DL4004: Multiple ENTRYPOINT instructions
# - DL4006: Set SHELL to pipefail mode
# - SC1000-SC9999: All ShellCheck warnings (for RUN commands)
#
# Our Dockerfile passes all checks except DL3018 (unpinned versions by design).
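Review bot: the only place that explained why DL3018 and DL3062 are ignored is the comment block being removed; keep a one-line rationale beside each entry under `ignored:`, because unpinned `apk add` is a deliberate supply-chain trade-off (automatic patches over reproducible builds) that later readers should see rather than infer. Consider pinning the base image by digest so at least the base layer stays reproducible. Also `no-fail: false` is hadolint's default and can go, and `failure-threshold: error` appears twice in this hunk; confirm the new file keeps a single copy.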


@@ -49,9 +49,10 @@ cleanup_and_exit() {
}
startup_banner() {
log "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log "🧅 Tor Guard Relay v1.1.3 - Initialization"
log "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log "https://github.com/r3bo0tbx1/tor-guard-relay"
log "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
log ""
}
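Review bot: the version string `v1.1.3` is hard-coded into the banner, so it will silently drift from the released image version on the next bump; read it from a single source (a `VERSION` variable or build arg, assuming one exists or is added) instead of a literal. The URL line is now the longest line in the banner, so confirm the shortened rule is at least as wide as it.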


@@ -1,184 +0,0 @@
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Tor Relay Environment Configuration for version >=v1.1.1
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Copy this file to .env and customize for your deployment
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# BRIDGE MODE - Official Tor Project ENV Naming
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Use these for drop-in replacement of thetorproject/obfs4-bridge
# Compatible with templates/docker-compose-bridge-official.yml
# OR_PORT: Tor relay traffic port (ORPort)
# Suggested: 443 (appears as HTTPS), 9001 (standard), or any port > 1024
OR_PORT=9001
# PT_PORT: Pluggable transport port (obfs4)
# Can be any port > 1024
PT_PORT=9002
# EMAIL: Contact email address (REQUIRED)
# Used in bridge descriptor for Tor Project to contact you
EMAIL=admin@example.com
# NICKNAME: Bridge nickname (optional)
# Defaults to "DockerObfs4Bridge" if not set
NICKNAME=MyObfs4Bridge
# OBFS4_ENABLE_ADDITIONAL_VARIABLES: Enable OBFS4V_* processing
# Set to 1 to enable additional torrc options via OBFS4V_* variables
OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
# OBFS4V_AddressDisableIPv6: Disable IPv6 address announcements
# 0 = Enable IPv6 (default), 1 = Disable IPv6
OBFS4V_AddressDisableIPv6=0
# OBFS4V_MaxMemInQueues: Maximum memory in queues
# Helps with high-bandwidth bridges
OBFS4V_MaxMemInQueues=1024 MB
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# GUARD/MIDDLE MODE - Our TOR_* ENV Naming
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Use these for guard/middle/exit relays
# Compatible with templates/docker-compose-guard.yml
# TOR_RELAY_MODE: Relay mode (guard, exit, or bridge)
# Default: guard
# Note: Auto-detects to "bridge" if PT_PORT is set
#TOR_RELAY_MODE=guard
# TOR_NICKNAME: Relay nickname (REQUIRED for ENV-based config)
# Must be unique across all Tor relays
#TOR_NICKNAME=MyTorRelay
# TOR_CONTACT_INFO: Contact email (REQUIRED for ENV-based config)
#TOR_CONTACT_INFO=admin@example.com
# TOR_ORPORT: ORPort for relay traffic
# Suggested: 443, 9001, or any port > 1024
#TOR_ORPORT=9001
# TOR_DIRPORT: DirPort for directory service (guard/exit only)
# Set to 0 to disable, or use standard port 9030
#TOR_DIRPORT=9030
# TOR_OBFS4_PORT: obfs4 port (bridge mode only)
#TOR_OBFS4_PORT=9002
# TOR_BANDWIDTH_RATE: Bandwidth rate limit (optional)
# Example: "10 MBytes" = 10 MB/s sustained
#TOR_BANDWIDTH_RATE=10 MBytes
# TOR_BANDWIDTH_BURST: Bandwidth burst limit (optional)
# Example: "20 MBytes" = 20 MB/s peak
#TOR_BANDWIDTH_BURST=20 MBytes
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# EXIT MODE - Additional Options
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# TOR_EXIT_POLICY: Exit policy (exit mode only)
# Default: "ExitPolicy reject *:*" (reduced exit)
# Examples:
# - "ExitPolicy accept *:80,accept *:443,reject *:*" (HTTP/HTTPS only)
# - "ExitPolicy accept *:*" (unrestricted exit - USE WITH CAUTION)
#TOR_EXIT_POLICY=ExitPolicy reject *:*
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# OPTIONAL: Bandwidth Accounting (All Modes)
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Use OBFS4V_* prefix for official bridge naming, or add to custom torrc
# AccountingMax: Total bandwidth per period
#OBFS4V_AccountingMax=100 GBytes
# AccountingStart: When to reset accounting
# Examples: "month 1 00:00", "week 1 00:00", "day 00:00"
#OBFS4V_AccountingStart=month 1 00:00
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# CONTAINER OPTIONS
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# TZ: Container timezone (optional)
# Default: UTC
TZ=UTC
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# USAGE EXAMPLES
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# Example 1: obfs4 Bridge (Official Naming)
# ──────────────────────────────────────────
# OR_PORT=9001
# PT_PORT=9002
# EMAIL=admin@example.com
# NICKNAME=MyObfs4Bridge
# OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
# OBFS4V_MaxMemInQueues=1024 MB
# Example 2: Guard Relay (Our Naming)
# ──────────────────────────────────────────
# TOR_RELAY_MODE=guard
# TOR_NICKNAME=MyGuardRelay
# TOR_CONTACT_INFO=admin@example.com
# TOR_ORPORT=9001
# TOR_DIRPORT=9030
# TOR_BANDWIDTH_RATE=10 MBytes
# TOR_BANDWIDTH_BURST=20 MBytes
# Example 3: Exit Relay (Reduced Exit)
# ──────────────────────────────────────────
# TOR_RELAY_MODE=exit
# TOR_NICKNAME=MyExitRelay
# TOR_CONTACT_INFO=admin@example.com
# TOR_ORPORT=9001
# TOR_DIRPORT=9030
# TOR_EXIT_POLICY=ExitPolicy accept *:80,accept *:443,reject *:*
# Example 4: High-Bandwidth Bridge with Accounting
# ──────────────────────────────────────────
# OR_PORT=443
# PT_PORT=9002
# EMAIL=admin@example.com
# NICKNAME=HighBandwidthBridge
# OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
# OBFS4V_BandwidthRate=50 MBytes
# OBFS4V_BandwidthBurst=100 MBytes
# OBFS4V_AccountingMax=500 GBytes
# OBFS4V_AccountingStart=month 1 00:00
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
# NOTES
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
#
# 1. ENV Variable Priority:
# - TOR_* prefix takes precedence over official naming
# - Official naming (OR_PORT, PT_PORT, etc.) is used as fallback
# - You can mix both naming conventions
#
# 2. Bridge Mode Auto-Detection:
# - If PT_PORT is set and TOR_RELAY_MODE is not, mode becomes "bridge"
# - This ensures drop-in compatibility with official bridge config
#
# 3. OBFS4V_* Processing:
# - Only works in bridge mode when OBFS4_ENABLE_ADDITIONAL_VARIABLES=1
# - OBFS4V_* variables are stripped of prefix and added to torrc
# - Example: OBFS4V_MaxMemInQueues=1024 MB → MaxMemInQueues 1024 MB in torrc
#
# 4. Port Selection:
# - Use port 443 for ORPort in censored regions (appears as HTTPS)
# - Standard ports: ORPort 9001, DirPort 9030, obfs4 9002
# - Any port > 1024 works without special privileges
#
# 5. Bandwidth Units:
# - Supported: Bytes, KBytes, MBytes, GBytes, TBytes
# - Example: "10 MBytes" = 10 MB/s
#
# 6. Firewall Configuration Required:
# - Allow incoming connections to OR_PORT and PT_PORT (or TOR_ORPORT/TOR_OBFS4_PORT)
# - See docker-compose-bridge-official.yml comments for firewall examples
#
# ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
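Review bot: this file is the only place in the diff that documents how the entrypoint resolves configuration (TOR_* taking precedence over OR_PORT/PT_PORT/EMAIL/NICKNAME, `PT_PORT` auto-selecting bridge mode, OBFS4V_* being stripped of its prefix and appended to torrc, and the OBFS4_ENABLE_ADDITIONAL_VARIABLES gate). Before deleting it as obsolete, confirm those precedence rules live in the README or docs/, otherwise operators lose the one reference for which variable wins.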


@@ -1,189 +1,24 @@
# Tor obfs4 Bridge Configuration Example
# For helping censored users connect to the Tor network
# Bridges are NOT published in the main Tor directory
# ============================================================================
# REQUIRED: Basic Bridge Information
# ============================================================================
# Your bridge's nickname (alphanumeric, 1-19 characters)
Nickname MyTorBridge
# Contact information (email + optional PGP key)
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
# ============================================================================
# REQUIRED: Network Configuration
# ============================================================================
# ORPort - The port for incoming Tor connections
# Common choices: 443, 9001, or any port > 1024
# Must be publicly accessible for bridge to work
ORPort 9001
ORPort [::]:9001
# ============================================================================
# REQUIRED: Bridge Mode
# ============================================================================
# Enable bridge relay mode
BridgeRelay 1
# Pluggable transport - obfs4 via lyrebird (obfuscates traffic to look like random data)
ORPort 24819
ORPort [::]:24819
ServerTransportPlugin obfs4 exec /usr/bin/lyrebird
# obfs4 port - Common choices: 443, 9002, or any port > 1024 (different from ORPort)
# Must be publicly accessible for bridge to work
ServerTransportListenAddr obfs4 0.0.0.0:9002
ServerTransportListenAddr obfs4 [::]:9002
# Extended ORPort for pluggable transports
ServerTransportListenAddr obfs4 0.0.0.0:443
ServerTransportListenAddr obfs4 [::]:443
ExtORPort auto
# Publish bridge descriptor to bridge authority
PublishServerDescriptor 1
# ============================================================================
# REQUIRED: Data & Logging
# ============================================================================
# Where Tor stores its data (keys, state, etc.)
PublishServerDescriptor bridge
DataDirectory /var/lib/tor
# Log level and location (file + stdout for container logs)
Log notice file /var/log/tor/notices.log
Log notice stdout
# ============================================================================
# OPTIONAL: Control Port (Advanced Users Only)
# ============================================================================
# Uncomment if you want to install and use Nyx or other control tools
# Note: Nyx is NOT included in this image by default
# ControlPort 9051
# CookieAuthentication 1
# ============================================================================
# REQUIRED: Disable SOCKS
# ============================================================================
# Disable SOCKS proxy (we're a bridge, not a client)
ControlPort 0
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
SocksPort 0
# ============================================================================
# OPTIONAL: Bandwidth Limits
# ============================================================================
# Limit bandwidth to prevent overwhelming your connection
# Bridges can run on lower bandwidth than relays
# Average bandwidth (sustained rate)
RelayBandwidthRate 10 MBytes
# Burst bandwidth (temporary spikes)
RelayBandwidthBurst 20 MBytes
# Alternatively, use AccountingMax to limit monthly traffic:
# AccountingStart month 1 00:00
# AccountingMax 500 GB
# ============================================================================
# OPTIONAL: Performance Tuning
# ============================================================================
# Number of CPU cores to use
NumCPUs 2
# Maximum memory in queues
# MaxMemInQueues 512 MB
# ============================================================================
# Bridge Operation Notes
# ============================================================================
# 1. WHAT IS A BRIDGE?
# - Bridges help users in censored countries connect to Tor
# - Bridge addresses are NOT published in the main Tor directory
# - They are distributed to users through BridgeDB and other means
#
# 2. obfs4 PLUGGABLE TRANSPORT
# - Makes Tor traffic look like random data
# - Harder for censors to detect and block
# - Most effective transport for circumventing censorship
#
# 3. AFTER DEPLOYMENT
# - Wait 24-48 hours for bridge to be published
# - Check BridgeDB: https://bridges.torproject.org/
# - Get your bridge line: docker exec <container> bridge-line
#
# 4. SHARING YOUR BRIDGE
# - ONLY share your bridge line with people you trust
# - Don't publish it publicly (defeats the purpose)
# - Users can also get bridges from https://bridges.torproject.org/
#
# 5. MONITORING
# - Check logs: docker logs <container>
# - Full status: docker exec <container> status
# - JSON health: docker exec <container> health
# - Get bridge line: docker exec <container> bridge-line
# - Bridges show fewer statistics than relays for privacy
#
# 6. PORTS TO EXPOSE
# - ORPort (example: 9001, suggested: 443 or 9001) - Must be publicly accessible
# - obfs4 port (example: 9002, can be any port) - Must be publicly accessible
# - Firewall must allow both ports
# - Using port 443 for ORPort may help with censorship circumvention
#
# 7. NETWORK CONSIDERATIONS
# - Use a stable IP address
# - Ensure both IPv4 and IPv6 work (if available)
# - Test port accessibility from outside your network
# ============================================================================
# Deployment Example with Environment Variables
# ============================================================================
#
# Method 1: Using TOR_* naming (standard)
#
# docker run -d \
# --name tor-bridge \
# --network host \
# -e TOR_RELAY_MODE=bridge \
# -e TOR_NICKNAME=MyBridge \
# -e TOR_CONTACT_INFO="your-email@example.com" \
# -e TOR_ORPORT=9001 \
# -e TOR_OBFS4_PORT=9002 \
# -e TOR_BANDWIDTH_RATE="10 MBytes" \
# -e TOR_BANDWIDTH_BURST="20 MBytes" \
# -v tor-bridge-data:/var/lib/tor \
# -v tor-bridge-logs:/var/log/tor \
# ghcr.io/r3bo0tbx1/onion-relay:latest
#
# Method 2: Using official Tor Project naming (drop-in compatibility)
#
# docker run -d \
# --name tor-bridge \
# --network host \
# -e NICKNAME=MyBridge \
# -e EMAIL="your-email@example.com" \
# -e OR_PORT=9001 \
# -e PT_PORT=9002 \
# -v tor-bridge-data:/var/lib/tor \
# -v tor-bridge-logs:/var/log/tor \
# ghcr.io/r3bo0tbx1/onion-relay:latest
#
# Note: PT_PORT automatically sets bridge mode. Both naming styles work identically.
#
# Get your bridge line after 24-48 hours:
# docker exec tor-bridge bridge-line
#
# Share the bridge line with users:
# Bridge obfs4 <IP>:<PORT> <FINGERPRINT> cert=<CERT> iat-mode=0
# ============================================================================
# Resources
# ============================================================================
#
# - Bridge Setup Guide: https://community.torproject.org/relay/setup/bridge/
# - BridgeDB: https://bridges.torproject.org/
# - Pluggable Transports: https://tb-manual.torproject.org/circumvention/
# - obfs4 Spec: https://gitlab.com/yawning/obfs4
RelayBandwidthRate 20 MBytes
RelayBandwidthBurst 40 MBytes
NumCPUs 1
MaxMemInQueues 512 MB
AvoidDiskWrites 1
DisableDebuggerAttachment 1
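Review bot: `ServerTransportListenAddr obfs4 0.0.0.0:443` / `[::]:443` binds a privileged port; if tor runs as a non-root user inside the container, the bind fails unless the container is granted `CAP_NET_BIND_SERVICE` or `net.ipv4.ip_unprivileged_port_start` is lowered, and the bridge then starts without its obfs4 listener. Either document that requirement next to the line or keep the listener above 1024 and forward 443 to it at the host firewall. On the control path, `ControlPort 0` with `ControlSocket /var/lib/tor/control_socket`, `ControlSocketsGroupWritable 1` and `HashedControlPassword` commented out means socket file permissions are the only gate, so every member of tor's group can reconfigure the relay; keep that group limited to the `status`/`health`/`bridge-line` tooling. `PublishServerDescriptor` appears as both `1` and `bridge` in the hunk; `bridge` is the explicit value for a BridgeRelay, so make sure that one is the survivor.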


@@ -1,240 +1,98 @@
# Tor Exit Relay Configuration Example
# ⚠️ WARNING: Running an exit relay has legal implications!
# Read https://community.torproject.org/relay/community-resources/eff-tor-legal-faq/
# before deploying.
# ============================================================================
# REQUIRED: Basic Relay Information
# ============================================================================
# Your relay's nickname (alphanumeric, 1-19 characters)
Nickname MyTorExitRelay
# Contact information (email + optional PGP key)
# This is CRITICAL for exit relays - you WILL receive abuse complaints
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
# ============================================================================
# REQUIRED: Network Configuration
# ============================================================================
# ORPort - The port for incoming Tor connections
# Common choices: 443, 9001, or any port > 1024
ORPort 9001
ORPort [::]:9001
# DirPort - Directory information port (optional but recommended)
# Common choices: 80, 9030, or any port > 1024
# Set to 0 to disable directory serving
DirPort 9030
# ============================================================================
# REQUIRED: Exit Relay Configuration
# ============================================================================
# Enable exit relay mode
ExitRelay 1
# Exit policy - REDUCED EXIT POLICY (recommended for new operators)
# This allows common services while blocking high-risk ports
# See: https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy
ExitPolicy accept *:20-21 # FTP
ExitPolicy accept *:22 # SSH
ExitPolicy accept *:43 # WHOIS
ExitPolicy accept *:53 # DNS
ExitPolicy accept *:79-81 # finger, HTTP
ExitPolicy accept *:88 # kerberos
ExitPolicy accept *:110 # POP3
ExitPolicy accept *:143 # IMAP
ExitPolicy accept *:194 # IRC
ExitPolicy accept *:220 # IMAP3
ExitPolicy accept *:389 # LDAP
ExitPolicy accept *:443 # HTTPS
ExitPolicy accept *:464 # kpasswd
ExitPolicy accept *:465 # SMTP over SSL
ExitPolicy accept *:531 # IRC/AIM
ExitPolicy accept *:543-544 # Kerberos
ExitPolicy accept *:554 # RTSP
ExitPolicy accept *:563 # NNTP over SSL
ExitPolicy accept *:587 # SMTP
ExitPolicy accept *:636 # LDAP over SSL
ExitPolicy accept *:706 # SILC
ExitPolicy accept *:749 # kerberos
ExitPolicy accept *:873 # rsync
ExitPolicy accept *:902-904 # VMware
ExitPolicy accept *:981 # HTTPS
ExitPolicy accept *:989-990 # FTP over SSL
ExitPolicy accept *:991 # NAS
ExitPolicy accept *:992 # Telnet over SSL
ExitPolicy accept *:993 # IMAP over SSL
ExitPolicy accept *:994 # IRC over SSL
ExitPolicy accept *:995 # POP3 over SSL
ExitPolicy accept *:1194 # OpenVPN
ExitPolicy accept *:1220 # QT Server Admin
ExitPolicy accept *:1293 # IPSec
ExitPolicy accept *:1500 # VLSI
ExitPolicy accept *:1533 # Sametime
ExitPolicy accept *:1677 # GroupWise
ExitPolicy accept *:1723 # PPTP
ExitPolicy accept *:1755 # RTSP
ExitPolicy accept *:1863 # MSNP
ExitPolicy accept *:2082 # Infowave
ExitPolicy accept *:2083 # Secure Radius
ExitPolicy accept *:2086-2087 # GNUnet
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128 # SQUID
ExitPolicy accept *:3389 # RDP
ExitPolicy accept *:3690 # SVN
ExitPolicy accept *:4321 # RWHOIS
ExitPolicy accept *:4643 # Virtuozzo
ExitPolicy accept *:5050 # Yahoo! Messenger
ExitPolicy accept *:5190 # AIM/ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228 # Google Play
ExitPolicy accept *:5900 # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679 # IRC SSL
ExitPolicy accept *:6697 # IRC SSL
ExitPolicy accept *:8000 # iRDMI
ExitPolicy accept *:8008 # HTTP alternate
ExitPolicy accept *:8074 # Gadu-Gadu
ExitPolicy accept *:8080 # HTTP Proxies
ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8232-8233 # Zcash
ExitPolicy accept *:8332-8333 # Bitcoin
ExitPolicy accept *:8443 # PCsync HTTPS
ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418 # git
ExitPolicy accept *:9999 # distinct
ExitPolicy accept *:10000 # Network Data Management Protocol
ExitPolicy accept *:11371 # OpenPGP hkp (keyserver)
ExitPolicy accept *:19294 # Google Voice TCP
ExitPolicy accept *:19638 # Ensim Control Panel
ExitPolicy accept *:50002 # Electrum Bitcoin SSL
ExitPolicy accept *:64738 # Mumble
ExitPolicy reject *:* # reject everything else
# Alternative: More restrictive (HTTP/HTTPS only)
# ExitPolicy accept *:80 # HTTP
# ExitPolicy accept *:443 # HTTPS
# ExitPolicy reject *:* # reject everything else
# ============================================================================
# REQUIRED: Data & Logging
# ============================================================================
# Where Tor stores its data (keys, state, etc.)
IPv6Exit 1
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
NumCPUs 1
MaxMemInQueues 1024 MB
DisableDebuggerAttachment 1
AvoidDiskWrites 1
DataDirectory /var/lib/tor
# Log level and location (file + stdout for container logs)
Log notice file /var/log/tor/notices.log
Log notice stdout
# ControlPort for monitoring with Nyx
ControlPort 9051
CookieAuthentication 1
# ============================================================================
# REQUIRED: Disable SOCKS
# ============================================================================
# Disable SOCKS proxy (we're a relay, not a client)
ControlPort 0
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
SocksPort 0
# ============================================================================
# OPTIONAL: Bandwidth Limits
# ============================================================================
# Limit bandwidth to prevent overwhelming your connection
# Exit relays typically need MORE bandwidth than guard relays
# Option 1: Relay-specific bandwidth (recommended for exit relays)
# Average bandwidth (sustained rate)
RelayBandwidthRate 50 MBytes
# Burst bandwidth (temporary spikes)
RelayBandwidthBurst 100 MBytes
# Option 2: Global bandwidth limits (applies to all Tor traffic)
# BandwidthRate 50 MBytes
# BandwidthBurst 100 MBytes
# Note: Use RelayBandwidthRate/Burst for exit relays to avoid limiting
# directory and other non-relay traffic. Use BandwidthRate/Burst if you
# want to limit ALL Tor traffic including directory requests.
# Alternatively, use AccountingMax to limit monthly traffic:
# AccountingStart month 1 00:00
# AccountingMax 1000 GB
# ============================================================================
# OPTIONAL: Performance Tuning
# ============================================================================
# Number of CPU cores to use
NumCPUs 2
# Maximum memory in queues
# MaxMemInQueues 1024 MB
# ============================================================================
# IMPORTANT: Exit Relay Legal Considerations
# ============================================================================
# 1. UNDERSTAND THE LEGAL RISKS
# - Your IP will be associated with exit traffic
# - You WILL receive abuse complaints
# - Some services may block your IP
# - Legal liability varies by jurisdiction
#
# 2. PREPARATION CHECKLIST
# ✓ Read EFF Tor Legal FAQ
# ✓ Inform your ISP (recommended)
# ✓ Set up abuse complaint handling
# ✓ Use a dedicated IP/server
# ✓ Consider running from a datacenter
# ✓ Have legal resources available
# ✓ Set up WHOIS with your contact info
# ✓ Create abuse@ email address
#
# 3. ABUSE RESPONSE TEMPLATE
# Keep a standard response ready:
# "This is a Tor exit relay. The IP address you reported
# is not the source of malicious activity. Tor is an
# anonymity network. Please see https://www.torproject.org/
# for more information."
#
# 4. MONITORING
# - Check status daily: docker exec <container> status
# - Get JSON health: docker exec <container> health
# - View logs: docker logs <container>
# - Set up alerts for issues
#
# 5. RESOURCES
# - Tor Legal FAQ: https://community.torproject.org/relay/community-resources/eff-tor-legal-faq/
# - Abuse Response: https://community.torproject.org/relay/community-resources/tor-abuse-templates/
# - Good/Bad ISPs: https://community.torproject.org/relay/community-resources/good-bad-isps/
# ============================================================================
# Deployment Example with Environment Variables
# ============================================================================
#
# Instead of mounting this file, you can use environment variables:
#
# docker run -d \
# --name tor-exit-relay \
# --network host \
# -e TOR_RELAY_MODE=exit \
# -e TOR_NICKNAME=MyExitRelay \
# -e TOR_CONTACT_INFO="your-email@example.com" \
# -e TOR_ORPORT=9001 \
# -e TOR_DIRPORT=9030 \
# -e TOR_BANDWIDTH_RATE="50 MBytes" \
# -e TOR_BANDWIDTH_BURST="100 MBytes" \
# -e TOR_EXIT_POLICY="accept *:80,accept *:443,reject *:*" \
# -v tor-exit-data:/var/lib/tor \
# -v tor-exit-logs:/var/log/tor \
# ghcr.io/r3bo0tbx1/onion-relay:latest
ExitPolicy accept *:20-21
ExitPolicy accept *:22
ExitPolicy accept *:43
ExitPolicy accept *:53
ExitPolicy accept *:79-81
ExitPolicy accept *:88
ExitPolicy accept *:110
ExitPolicy accept *:143
ExitPolicy accept *:194
ExitPolicy accept *:220
ExitPolicy accept *:389
ExitPolicy accept *:443
ExitPolicy accept *:464
ExitPolicy accept *:465
ExitPolicy accept *:531
ExitPolicy accept *:543-544
ExitPolicy accept *:554
ExitPolicy accept *:563
ExitPolicy accept *:587
ExitPolicy accept *:636
ExitPolicy accept *:706
ExitPolicy accept *:749
ExitPolicy accept *:873
ExitPolicy accept *:902-904
ExitPolicy accept *:981
ExitPolicy accept *:989-990
ExitPolicy accept *:991
ExitPolicy accept *:992
ExitPolicy accept *:993
ExitPolicy accept *:994
ExitPolicy accept *:995
ExitPolicy accept *:1194
ExitPolicy accept *:1220
ExitPolicy accept *:1293
ExitPolicy accept *:1500
ExitPolicy accept *:1533
ExitPolicy accept *:1677
ExitPolicy accept *:1723
ExitPolicy accept *:1755
ExitPolicy accept *:1863
ExitPolicy accept *:2082
ExitPolicy accept *:2083
ExitPolicy accept *:2086-2087
ExitPolicy accept *:2095-2096
ExitPolicy accept *:2102-2104
ExitPolicy accept *:3128
ExitPolicy accept *:3389
ExitPolicy accept *:3690
ExitPolicy accept *:4321
ExitPolicy accept *:4643
ExitPolicy accept *:5050
ExitPolicy accept *:5190
ExitPolicy accept *:5222-5223
ExitPolicy accept *:5228
ExitPolicy accept *:5900
ExitPolicy accept *:6660-6669
ExitPolicy accept *:6679
ExitPolicy accept *:6697
ExitPolicy accept *:8000
ExitPolicy accept *:8008
ExitPolicy accept *:8074
ExitPolicy accept *:8080
ExitPolicy accept *:8082
ExitPolicy accept *:8087-8088
ExitPolicy accept *:8232-8233
ExitPolicy accept *:8332-8333
ExitPolicy accept *:8443
ExitPolicy accept *:8888
ExitPolicy accept *:9418
ExitPolicy accept *:9999
ExitPolicy accept *:10000
ExitPolicy accept *:11371
ExitPolicy accept *:19294
ExitPolicy accept *:19638
ExitPolicy accept *:50002
ExitPolicy accept *:64738
ExitPolicy reject *:*
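Review bot: the per-port comments on the ReducedExitPolicy block, and the link to its source page, are gone from the new `accept` list, which makes a long port list unauditable at a glance; keep at least the source URL and the comments on the ports that attract the most abuse reports (22, 3389, 5900) so an operator knows what they are accepting. The legal-risk and abuse-handling notes are removed as well; for an exit, `ContactInfo` and an abuse process are the main safeguards, so point to where that guidance now lives. The bandwidth also drops from 50/100 MBytes to 10/20 MBytes while the removed comment said exits need more bandwidth than guards; if the lower figure is deliberate, say so in the commit message. Finally the same control-socket observation as the bridge config applies: `ControlPort 0` plus a group-writable `ControlSocket` with `HashedControlPassword` commented out means group membership alone grants full control of the exit.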


@@ -1,139 +1,21 @@
# Tor Guard Relay Configuration Example
# Copy this file, customize it, and mount it to /etc/tor/torrc
# ============================================================================
# REQUIRED: Basic Relay Information
# ============================================================================
# Your relay's nickname (alphanumeric, 1-19 characters)
Nickname MyTorRelay
# Contact information (email + optional PGP key)
# This helps the Tor Project contact you about issues
Nickname MyTorGuardRelay
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>
# ============================================================================
# REQUIRED: Network Configuration
# ============================================================================
# ORPort - The port for incoming Tor connections
# Common choices: 443, 9001, or any port > 1024
# IPv4 only
ORPort 9001
# IPv4 + IPv6 (recommended if you have IPv6)
# Use the same port number for both IPv4 and IPv6
# ORPort [::]:9001
# DirPort - Directory information port (optional but recommended for guards)
# Common choices: 80, 9030, or any port > 1024
# Set to 0 to disable directory serving
ORPort [::]:9001
DirPort 9030
# ============================================================================
# REQUIRED: Relay Type
# ============================================================================
# Set to 0 to run as a guard/middle relay (NOT an exit relay)
# IMPORTANT: Do NOT change this unless you understand exit relay legal risks
ExitRelay 0
# Disable SOCKS proxy (we're a relay, not a client)
SocksPort 0
# Explicit exit policy: reject all exit traffic
ExitPolicy reject *:*
# ============================================================================
# REQUIRED: Data & Logging
# ============================================================================
# Where Tor stores its data (keys, state, etc.)
RelayBandwidthRate 10 MBytes
RelayBandwidthBurst 20 MBytes
NumCPUs 1
MaxMemInQueues 1024 MB
DisableDebuggerAttachment 1
AvoidDiskWrites 1
DataDirectory /var/lib/tor
# Log level and location (file + stdout for container logs)
Log notice file /var/log/tor/notices.log
Log notice stdout
# ============================================================================
# OPTIONAL: Bandwidth Limits
# ============================================================================
# Limit bandwidth to prevent overwhelming your connection
# Adjust these values based on your available bandwidth
# Option 1: Relay-specific bandwidth (recommended for relays)
# Average bandwidth (sustained rate)
RelayBandwidthRate 10 MBytes
# Burst bandwidth (temporary spikes)
RelayBandwidthBurst 20 MBytes
# Option 2: Global bandwidth limits (applies to all Tor traffic)
# BandwidthRate 10 MBytes
# BandwidthBurst 20 MBytes
# Note: Use RelayBandwidthRate/Burst for guard relays to avoid limiting
# directory and other non-relay traffic. Use BandwidthRate/Burst if you
# want to limit ALL Tor traffic including directory requests.
# Alternatively, use AccountingMax to limit monthly traffic:
# AccountingStart month 1 00:00
# AccountingMax 500 GB
# ============================================================================
# OPTIONAL: Performance Tuning
# ============================================================================
# Number of CPU cores to use
# Set to 0 for auto-detect, or specify manually
NumCPUs 2
# Maximum number of connections
# Default is usually fine, but you can increase for high-bandwidth relays
# MaxMemInQueues 512 MB
# ============================================================================
# OPTIONAL: Advanced Settings
# ============================================================================
# If you're behind NAT and need to advertise a different IP
# Address YOUR.PUBLIC.IP.HERE
# If your ISP blocks certain ports, you can use a different ORPort
# ORPort 443
# Enable if you want to be a directory mirror
# DirPort 80
# ============================================================================
# Security Notes
# ============================================================================
# 1. NEVER set ExitRelay to 1 unless you:
# - Understand the legal implications
# - Have proper legal protection
# - Are willing to handle abuse complaints
#
# 2. Use a dedicated server/VPS for relay operation
#
# 3. Keep your contact info up to date
#
# 4. Monitor your relay regularly using:
# docker exec guard-relay status
#
# 5. Check Tor Metrics after 24-48 hours:
# https://metrics.torproject.org/rs.html
# ============================================================================
# Helpful Resources
# ============================================================================
# Official Tor Relay Guide:
# https://community.torproject.org/relay/
# Tor Relay Requirements:
# https://community.torproject.org/relay/relays-requirements/
# Good/Bad Relays Criteria:
# https://community.torproject.org/relay/community-resources/good-bad-isps/
ControlPort 0
ControlSocket /var/lib/tor/control_socket
ControlSocketsGroupWritable 1
#HashedControlPassword 16:YOUR_HASHED_PASSWORD_HERE
SocksPort 0
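Review bot: `ControlSocketsGroupWritable 1` together with `ControlSocket /var/lib/tor/control_socket` and the `#HashedControlPassword` line left commented out means that any process in the tor group gets full, unauthenticated control of the relay (it can `SETCONF` the exit policy or `ExitRelay`, or shut the daemon down); if the socket exists for the container healthcheck, pair it with `CookieAuthentication 1` (plus `CookieAuthFileGroupReadable 1` if the checker runs under the group) and state the reason in a comment. Second, the hunk header (139 lines to 21) shows every explanatory comment being dropped, including the note on why `ExitRelay 0` and `ExitPolicy reject *:*` must not be changed and the ORPort/DirPort guidance; an example config should keep at least that warning and a pointer to the relay guide. Third, the leftovers are confusing to read without the comments: `MaxMemInQueues 1024 MB` doubles the commented `512 MB` default and `NumCPUs 1` replaces `NumCPUs 2`, so a short comment per tuning value would help operators adjust them. Finally, `AvoidDiskWrites 1` only reduces state-file writes; `Log notice file /var/log/tor/notices.log` still writes to disk, so either drop the file log in the container or say in a comment that it is intentional.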

View File

@@ -97,6 +97,17 @@
animation: blink 2s infinite;
}
.status-pill.danger {
color: var(--danger);
border-color: rgba(255, 123, 114, 0.4);
background: rgba(255, 123, 114, 0.1);
}
.status-pill.danger::before {
background-color: var(--danger);
box-shadow: 0 0 10px var(--danger);
}
.card {
background-color: var(--card-bg);
border: 1px solid var(--card-border);
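Review bot: the three `rgba(255, 123, 114, ...)` literals in `.status-pill.danger` hardcode whatever `--danger` currently resolves to, so a later change to the variable will leave the border and background colours out of step with the text colour and the `::before` dot; define a companion `--danger-rgb` custom property (or use `color-mix()`) and derive all three from it.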
@@ -475,6 +486,15 @@
<header>
<h1>Tor Exit Router</h1>
<div class="status-pill">System Operational</div>
<div style="margin-top: 10px;">
<noscript>
<div class="status-pill"> JavaScript: Disabled (Safe) </div>
</noscript>
<div id="js-warning" class="status-pill danger" style="display: none;"> JavaScript: Enabled </div>
</div>
<script>
document.getElementById('js-warning').style.display = 'inline-flex';
</script>
</header>
<section class="card">
<h2>
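Review bot: the inline `<script>` that flips `#js-warning` to `inline-flex` will be blocked by any Content-Security-Policy without `unsafe-inline` or a nonce, and a notice page served to abuse investigators is exactly where a strict CSP is desirable; the same effect needs no script at all if the `JavaScript: Enabled` pill is rendered visible by default and hidden from inside the existing `<noscript>` block with `<style>#js-warning{display:none}</style>`, which also avoids the page executing script in order to warn about script execution. If the script stays, drop the `style="display: none;"` inline attribute in favour of a class so the display value lives in one place with the rest of the `.status-pill` rules.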
@@ -562,9 +582,6 @@
<div class="contact-box">
<span class="contact-label">P2P Policy</span>
<span class="contact-value" style="color: var(--danger);">Blocked</span>
<!-- if P2P is allowed, use this instead:
<span class="contact-value" style="color: var(--safe);">Allowed</span>
-->
</div>
<div class="contact-box">
<span class="contact-label">Logs</span>
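Review bot: the hunk header (9 lines to 6) shows the three-line HTML comment with the `Allowed` variant being removed, and that comment was the only in-template reminder that the P2P indicator has to be kept in step with the relay's actual exit policy; move the hint to a comment at the top of the template or into the documentation rather than deleting it, since a notice page that misstates the exit policy undermines its purpose of helping abuse handlers understand what the exit does.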