tor-guard-relay/examples/relay-guard.conf
rE-Bo0t.bx1 9ed70bdb89 v1.1.1 Security Hardening & Config Enhancement 🛡️
🚀 Major architectural release with a near full rewrite of the entrypoint, validation system, diagnostics, and templates. The image is now ~20MB, fully busybox based, more secure, and more flexible for relay and bridge operators.

🔧 Critical Fixes
- Busybox compatible rewrite of OBFS4V_* parsing for values with spaces.
- Rewritten TOR_CONTACT_INFO validation to prevent crash loops.
- Restored bootstrap logs with Log notice stdout.
- Fixed ENV healthchecks and validation order.
- Resolved busybox regex and quoting issues across the script.

Features and Enhancements
- Added PT_PORT with complete obfs4 bridge compatibility.
- Support for OR_PORT, PT_PORT, EMAIL, and NICKNAME.
- Rewritten bandwidth logic with correct Rate and Burst translation.
- Unified guard, exit, and bridge via TOR_RELAY_MODE.
- Integrated obfs4 with rewritten diagnostics for status, health, fingerprint, and bridge-line.
- Reliable ENV only mode without torrc files.

📦 Build Improvements
- Image reduced ~45MB to ~20MB with busybox only tools.
- Rewritten healthcheck for ENV and mounted configs.
- Four diagnostic tools rewritten to pure busybox sh.
- Weekly rebuilds with latest Alpine and Tor.

📚 Templates and Documentation
- All templates rewritten and updated with bandwidth options and naming alternatives.
- Updated Cosmos and Docker Compose templates for bridge, guard, exit.
- New templates README with full deployment, migration, and config comparisons.
- Revised Claude file with clearer differences and bandwidth notes.

🔒 Security Hardening
- 32 vulnerabilities fixed across critical, high, medium, low categories.
- Non root runtime with UID 100.
- Strict OBFS4V_* whitelist and rewritten validation.
- No exposed diagnostics ports, docker exec only.
- Smaller attack surface with removed binaries.

🚀 Migration Notes
- From v1.1.0: direct upgrade, no config changes, fingerprint preserved.
- From official obfs4 bridge: one time UID fix required, full ENV compatibility afterward.
- Templates include both TOR_ and official naming for smooth migration.

🧩 Compatibility
- Alpine 3.22.2 base, latest Tor from edge.
- AMD64 and ARM64 supported.
- Works with Docker, Compose, Cosmos Cloud, Portainer.
2025-11-14 02:08:27 +08:00

# Tor Guard Relay Configuration Example
# Copy this file, customize it, and mount it to /etc/tor/torrc

# ============================================================================
# REQUIRED: Basic Relay Information
# ============================================================================

# Your relay's nickname (alphanumeric, 1-19 characters)
Nickname MyTorRelay

# Contact information (email + optional PGP key)
# This helps the Tor Project contact you about issues
ContactInfo your-email@example.com <0xYOUR_PGP_FINGERPRINT>

# ============================================================================
# REQUIRED: Network Configuration
# ============================================================================

# ORPort - The port for incoming Tor connections
# Common choices: 443, 9001, or any port > 1024

# IPv4 only
ORPort 9001

# IPv4 + IPv6 (recommended if you have IPv6)
# Use the same port number for both IPv4 and IPv6
# ORPort [::]:9001

# DirPort - Directory information port (optional but recommended for guards)
# Common choices: 80, 9030, or any port > 1024
# Set to 0 to disable directory serving
DirPort 9030

# ============================================================================
# REQUIRED: Relay Type
# ============================================================================

# Set to 0 to run as a guard/middle relay (NOT an exit relay)
# IMPORTANT: Do NOT change this unless you understand exit relay legal risks
ExitRelay 0

# Disable SOCKS proxy (we're a relay, not a client)
SocksPort 0

# Explicit exit policy: reject all exit traffic
ExitPolicy reject *:*

# ============================================================================
# REQUIRED: Data & Logging
# ============================================================================

# Where Tor stores its data (keys, state, etc.)
DataDirectory /var/lib/tor

# Log level and location (file + stdout for container logs)
Log notice file /var/log/tor/notices.log
Log notice stdout

# ============================================================================
# OPTIONAL: Bandwidth Limits
# ============================================================================

# Limit bandwidth to prevent overwhelming your connection
# Adjust these values based on your available bandwidth

# Option 1: Relay-specific bandwidth (recommended for relays)
# Average bandwidth (sustained rate)
RelayBandwidthRate 10 MBytes
# Burst bandwidth (temporary spikes); must be at least equal to the rate
RelayBandwidthBurst 20 MBytes

# Option 2: Global bandwidth limits (applies to all Tor traffic)
# BandwidthRate 10 MBytes
# BandwidthBurst 20 MBytes

# Note: Use RelayBandwidthRate/Burst for guard relays to avoid limiting
# directory and other non-relay traffic. Use BandwidthRate/Burst if you
# want to limit ALL Tor traffic including directory requests.

# Alternatively, use AccountingMax to limit monthly traffic:
# AccountingStart month 1 00:00
# AccountingMax 500 GB

# ============================================================================
# OPTIONAL: Performance Tuning
# ============================================================================

# Number of CPU cores to use
# Set to 0 for auto-detect, or specify manually
NumCPUs 2

# Maximum memory Tor may hold in connection and circuit queues before it
# starts closing circuits to free memory (this is a memory limit, not a
# connection limit). The default is derived from system RAM and is usually
# fine; lower it on memory-constrained hosts
# MaxMemInQueues 512 MB

# ============================================================================
# OPTIONAL: Advanced Settings
# ============================================================================

# If you're behind NAT and need to advertise a different IP
# Address YOUR.PUBLIC.IP.HERE

# If your ISP blocks certain ports, you can use a different ORPort
# ORPort 443

# Enable if you want to be a directory mirror
# DirPort 80

# ============================================================================
# Security Notes
# ============================================================================

# 1. NEVER set ExitRelay to 1 unless you:
#    - Understand the legal implications
#    - Have proper legal protection
#    - Are willing to handle abuse complaints
#
# 2. Use a dedicated server/VPS for relay operation
#
# 3. Keep your contact info up to date
#
# 4. Monitor your relay regularly using:
#    docker exec guard-relay status
#
# 5. Check Tor Metrics after 24-48 hours:
#    https://metrics.torproject.org/rs.html

# ============================================================================
# Helpful Resources
# ============================================================================

# Official Tor Relay Guide:
# https://community.torproject.org/relay/

# Tor Relay Requirements:
# https://community.torproject.org/relay/relays-requirements/

# Good/Bad Relays Criteria:
# https://community.torproject.org/relay/community-resources/good-bad-isps/
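The example above leaves several invariants implicit (ExitRelay 0, a catch-all reject ExitPolicy, SocksPort 0, a sane Rate/Burst pair, placeholders replaced). The following busybox-compatible sh lint is an added example, not a tool shipped by the tor-guard-relay project; the check names, the `ops@relay.invalid` contact address and the placeholder patterns it looks for are constructed for illustration, and it checks a mounted torrc before the container is started.

```shell
#!/bin/sh
# Added example, not part of the tor-guard-relay repository: a POSIX/busybox sh
# lint that checks a torrc against the guard-relay invariants the example config
# relies on. Option names are matched in the canonical capitalisation it uses.

# get_opt FILE KEY: print the value of the last uncommented "KEY value" line
# (comment lines start with '#', so their first field never equals KEY).
get_opt() {
    awk -v key="$2" '$1 == key { $1 = ""; sub(/^ +/, ""); val = $0 }
                     END { print val }' "$1"
}

# to_bytes "10 MBytes": convert a Tor size literal to bytes (empty on no input)
to_bytes() {
    set -- $1   # word splitting into NUM and UNIT is intended here
    case "$2" in
        bytes|"")  echo "$1" ;;
        KB|KBytes) echo $(( $1 * 1024 )) ;;
        MB|MBytes) echo $(( $1 * 1024 * 1024 )) ;;
        GB|GBytes) echo $(( $1 * 1024 * 1024 * 1024 )) ;;
        *) return 1 ;;
    esac
}

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# check_torrc FILE: print one FAIL line per violated invariant, return 1 if any
check_torrc() {
    f=$1; fails=0
    nick=$(get_opt "$f" Nickname)
    [ -n "$nick" ] && [ "${#nick}" -le 19 ] &&
        [ -z "$(printf %s "$nick" | tr -d 'A-Za-z0-9')" ] ||
        fail "Nickname must be 1-19 alphanumeric characters"
    case "$(get_opt "$f" ContactInfo)" in
        "") fail "ContactInfo is required" ;;
        *example.com*|*YOUR_*) fail "ContactInfo still holds the template placeholder" ;;
    esac
    [ "$(get_opt "$f" ExitRelay)" = 0 ] || fail "ExitRelay must be 0 on a guard relay"
    [ "$(get_opt "$f" SocksPort)" = 0 ] || fail "SocksPort must be 0 (relay, not client)"
    # the last ExitPolicy line is the catch-all and must reject everything
    [ "$(get_opt "$f" ExitPolicy)" = "reject *:*" ] || fail "ExitPolicy must end with reject *:*"
    rate=$(to_bytes "$(get_opt "$f" RelayBandwidthRate)")
    burst=$(to_bytes "$(get_opt "$f" RelayBandwidthBurst)")
    if [ -n "$rate" ] && [ -n "$burst" ] && [ "$burst" -lt "$rate" ]; then
        fail "RelayBandwidthBurst ($burst) is below RelayBandwidthRate ($rate); Tor refuses to start"
    fi
    [ "$fails" -eq 0 ]
}
```

Run it as `check_torrc /path/to/torrc` in a pre-start step; a non-zero exit means the file would either fail Tor's own config check or quietly turn the guard into something other than a guard.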