tor-commits
Threads by month
- ----- 2025 -----
- July
- June
- May
- April
- March
- February
- January
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- 213386 discussions

r24439: {website} Little more failure with anchor (this time stopped trying to (website/trunk/about/en)
by Damian Johnson 25 Mar '11
by Damian Johnson 25 Mar '11
25 Mar '11
Author: atagar
Date: 2011-03-25 15:57:24 +0000 (Fri, 25 Mar 2011)
New Revision: 24439
Modified:
website/trunk/about/en/gsoc.wml
Log:
Little more failure with anchor (this time stopped trying to race with phobos' push).
Modified: website/trunk/about/en/gsoc.wml
===================================================================
--- website/trunk/about/en/gsoc.wml 2011-03-25 15:55:26 UTC (rev 24438)
+++ website/trunk/about/en/gsoc.wml 2011-03-25 15:57:24 UTC (rev 24439)
@@ -198,6 +198,7 @@
consider spending some time working with us to make Tor better!
</p>
+ <a id="Example"></a>
<h2><a class="anchor" href="#Example">Application Examples</a></h2>
<p>
1
0

25 Mar '11
Author: atagar
Date: 2011-03-25 15:55:26 +0000 (Fri, 25 Mar 2011)
New Revision: 24438
Modified:
website/trunk/about/en/gsoc.wml
Log:
Minor bug with anchor tag.
Modified: website/trunk/about/en/gsoc.wml
===================================================================
--- website/trunk/about/en/gsoc.wml 2011-03-25 15:53:52 UTC (rev 24437)
+++ website/trunk/about/en/gsoc.wml 2011-03-25 15:55:26 UTC (rev 24438)
@@ -198,7 +198,7 @@
consider spending some time working with us to make Tor better!
</p>
- <h2><a class="anchor" href="#Template">Application Examples</a></h2>
+ <h2><a class="anchor" href="#Example">Application Examples</a></h2>
<p>
Below are examples of some GSoC applications from previous years we liked.
1
0

r24437: {website} Adding example proposals for GSoC. (in website/trunk/about: . en gsocProposal)
by Damian Johnson 25 Mar '11
by Damian Johnson 25 Mar '11
25 Mar '11
Author: atagar
Date: 2011-03-25 15:53:52 +0000 (Fri, 25 Mar 2011)
New Revision: 24437
Added:
website/trunk/about/gsocProposal/
website/trunk/about/gsocProposal/gsoc10-proposal-soat.txt
Modified:
website/trunk/about/en/gsoc.wml
Log:
Adding example proposals for GSoC.
Modified: website/trunk/about/en/gsoc.wml
===================================================================
--- website/trunk/about/en/gsoc.wml 2011-03-25 15:06:02 UTC (rev 24436)
+++ website/trunk/about/en/gsoc.wml 2011-03-25 15:53:52 UTC (rev 24437)
@@ -197,6 +197,22 @@
students. So if you haven't filled up your summer plans yet, please
consider spending some time working with us to make Tor better!
</p>
+
+ <h2><a class="anchor" href="#Template">Application Examples</a></h2>
+
+ <p>
+ Below are examples of some GSoC applications from previous years we liked.
+ The best applications tend to go through several iterations so you're
+ highly encouraged to send drafts early.
+ </p>
+
+ <ul>
+ <li><h4><a href="http://tor.spanning-tree.org/proposal.html">DNSEL Rewrite</a> by Harry Bock</h4></li>
+ <li><h4><a href="http://kjb.homeunix.com/wp-content/uploads/2010/05/KevinBerry-GSoC2010-TorP…">Extending Tor Network Metrics</a> by Kevin Berry</h4></li>
+ <li><h4><a href="../about/gsocProposal/gsoc10-proposal-soat.txt">SOAT Expansion</a> by John Schanck</h4></li>
+ <li><h4><a href="http://www.atagar.com/misc/gsocBlog09/">Website Pootle Translation</a> by Damian Johnson</h4></li>
+ </ul>
+
</div>
<!-- END MAINCOL -->
<div id = "sidecol">
Added: website/trunk/about/gsocProposal/gsoc10-proposal-soat.txt
===================================================================
--- website/trunk/about/gsocProposal/gsoc10-proposal-soat.txt (rev 0)
+++ website/trunk/about/gsocProposal/gsoc10-proposal-soat.txt 2011-03-25 15:53:52 UTC (rev 24437)
@@ -0,0 +1,164 @@
+1. What project would you like to work on? Use our ideas lists as a starting
+point or make up your own idea. Your proposal should include high-level
+descriptions of what you're going to do, with more details about the parts you
+expect to be tricky. Your proposal should also try to break down the project
+into tasks of a fairly fine granularity, and convince us you have a plan for
+finishing it.
+
+The Snakes on a Tor exit scanner has the potential to dramatically improve the
+safety of Tor users by ferreting out misconfigured and malicious exit nodes.
+At present it suffers from certain stability issues which prevent it from being
+run for long periods of time, and from an overabundance of false positives in
+the results it generates. While I would ideally like to work on designing new
+routines for detecting subtle content modifications and for better handling
+dynamic content -- the issues of stability and false positives need to be
+addressed first. I've begun looking at the SoaT source code and running some
+preliminary experiments, identifying several small stability issues. In the
+coming weeks I'll begin to collect a body of false positives which I'll study
+and design new filters around. The most difficult part of this project may be
+determining what actual positive results look like, and developing a threat
+model that predicts the kinds of modifications which malicious exit nodes are
+likely to make. I'm sure this question has been addressed by members of the Tor
+community, so much of my early work this summer will involve talking to
+community members to better understand the kinds of malicious exit nodes which
+have been seen in the past, and determining how well the current SoaT
+implementation performs against these known attacks.
+
+Timeline:
+ April 26 - May 24:
+
+ * Start to get an idea of what the threat model looks like, continue
+ performing stability tests and gathering a diverse collection of results
+ to study.
+
+ May 24 - June 17:
+
+ * Throw everything I can at SoaT - make it crash and fix the bugs.
+ * Keep collecting data!
+
+ June 17 - July 17:
+
+ * In depth analysis of false positives. Use both false positives and real
+ modifications (or modifications generated by myself which emulate the
+ types of things predicted by the threat model) to develop a data set that
+ SoaT's filters can be evaluated against offline.
+
+ * Use the data set to improve existing filters and create new ones.
+
+ July 17 - August 2:
+ Here the timeline splits depending on progress thus far.
+ Case 1 - There are still too many false positives:
+
+ * Keep developing new filters and tuning old ones.
+
+ Case 2 - False positives have been reduced to an acceptable level:
+
+ * Get SoaT running full time on a dedicated machine. Improve reporting so
+ that SoaT can communicate its suspicions to the Tor team.
+ * Start drafting plans for improving the system.
+
+ August 2 - 16:
+
+ * Perform an extensive test of the system and write up a report of where it
+ * does well and what can be improved.
+
+
+2. Point us to a code sample: something good and clean to demonstrate that you
+know what you're doing, ideally from an existing project.
+
+I'm one of the two lead developers for the Anomos project, the code for which
+can be browsed here [https://git.anomos.info/?p=anomos.git;a=summary]
+
+Anomos is in Python, and I handle almost all of the network code (which makes
+extensive use of SSL), so this project is particularly representative of where
+my skill set intersects with that needed to work on SoaT.
+
+
+3. Why do you want to work with The Tor Project / EFF in particular?
+
+I think Tor is one of the most important free software projects in development
+today - I'm very interested in the political issues surrounding access to
+information, and have been an EFF member for several years now. Tor has also
+been the primary inspiration for my work on Anomos. What particularly attracts
+me about Tor is the sustained emphasis its developers have placed on making it
+a platform for research. This emphasis has attracted a large community of
+skilled anonymity researchers with whom I would be honored to work with and
+learn from as I continue my study of anonymity and begin to conduct my own
+research.
+
+
+4. Tell us about your experiences in free software development environments. We
+especially want to hear examples of how you have collaborated with others
+rather than just working on a project by yourself.
+
+I develop all of my own software under free licenses and make an effort to work
+in groups as often as possible. Anomos, the largest project I've worked on,
+would not have been possible in a non-free environment. It has received
+tremendous support from the community in terms of development, debugging,
+translation, documentation, and testing - the project simply would not have
+been possible without support from the free software community. I run free
+software on all of my computers, and make an active effort to report or patch
+bugs whenever possible.
+
+
+5. Will you be working full-time on the project for the summer, or will you
+have other commitments too (a second job, classes, etc)? If you won't be
+available full-time, please explain, and list timing if you know them for other
+major deadlines (e.g. exams). Having other activities isn't a deal-breaker, but
+we don't want to be surprised.
+
+I will be available full-time to work on Tor. I plan on attending a couple
+conferences and spending a lot of time outdoors, but that won't take me away
+from my work for more than a few days.
+
+
+6. Will your project need more work and/or maintenance after the summer ends?
+What are the chances you will stick around and help out with that and other
+related projects?
+
+My project will almost certainly be completed during the summer. That said,
+I'm very likely to remain active with the Tor project after the summer. I'm
+currently planning on conducting anonymity research as a large part of my
+undergraduate thesis work and would love for that work to involve Tor.
+
+
+7. What is your ideal approach to keeping everybody informed of your progress,
+problems, and questions over the course of the project? Said another way, how
+much of a "manager" will you need your mentor to be?
+
+Especially when it comes to a project I'm really interested in - I'm extremely
+self motivated and require very little management. I generally check in with a
+project manager once per week unless a problem or question arises. I make
+extensive use of version control software, commit frequently, and keep my work
+in a publicly accessible repositories, so my mentor will be able to monitor my
+progress at their leisure. I'm also happy to blog or otherwise communicate my
+progress on a regular basis to the project community.
+
+
+8. What school are you attending? What year are you, and what's your
+major/degree/focus? If you're part of a research group, which one?
+
+I'm in my third year at Hampshire College studying computer science with a
+focus on distributed and peer-to-peer systems. I occasionally work at the
+University of Massachusetts, Amherst conducting BitTorrent research under Arun
+Venkataramani.
+
+
+9. How can we contact you to ask you further questions? Google doesn't share
+your contact details with us automatically, so you should include that in your
+application. In addition, what's your IRC nickname? Interacting with us on IRC
+will help us get to know you, and help you get to know our community.
+
+ You can email me: john(a)anomos.info
+ GPG Key ID: 0xA1D39D09
+ GPG Fingerprint: 7131 3E78 7500 3BB2 FCDD FA97 91ED 834D A1D3 9D09
+ Instant message me via XMPP: john(a)anomos.info
+ Or talk to me on IRC: susurrusus on OFTC (I idle in #tor)
+
+
+10. Is there anything else we should know that will make us like your project
+more?
+
+The project I've proposed here is just a starting point - I think I have a lot
+to bring to the Tor project and that this summer will just be the start of a
+lasting academic relationship with the community.
1
0

r24436: {website} Fixing the projects page side nav to match the page contents (website/trunk/projects/en)
by Damian Johnson 25 Mar '11
by Damian Johnson 25 Mar '11
25 Mar '11
Author: atagar
Date: 2011-03-25 15:06:02 +0000 (Fri, 25 Mar 2011)
New Revision: 24436
Modified:
website/trunk/projects/en/sidenav.wmi
Log:
Fixing the projects page side nav to match the page contents (caught by karsten).
Modified: website/trunk/projects/en/sidenav.wmi
===================================================================
--- website/trunk/projects/en/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
+++ website/trunk/projects/en/sidenav.wmi 2011-03-25 15:06:02 UTC (rev 24436)
@@ -38,14 +38,17 @@
{'url' => 'projects/arm',
'txt' => 'Arm',
},
- {'url' => '<wiki>projects/TorBulkExitlist',
- 'txt' => 'TorBEL',
+ {'url' => 'https://guardianproject.info/apps/orbot/',
+ 'txt' => 'Orbot',
},
- {'url' => 'https://check.torproject.org',
- 'txt' => 'TorCheck',
+ {'url' => 'https://tails.boum.org/',
+ 'txt' => 'Tails',
},
- {'url' => 'projects/gettor',
- 'txt' => 'GetTor',
+ {'url' => 'http://torstatus.blutmagie.de/',
+ 'txt' => 'TorStatus',
+ },
+ {'url' => 'https://metrics.torproject.org/',
+ 'txt' => 'Metrics Portal',
}
]
}];
1
0

r24435: {website} include stable man page from the old website (in website/trunk/docs: ar en fr my pl ru)
by Runa Sandvik 25 Mar '11
by Runa Sandvik 25 Mar '11
25 Mar '11
Author: runa
Date: 2011-03-25 13:08:28 +0000 (Fri, 25 Mar 2011)
New Revision: 24435
Modified:
website/trunk/docs/ar/sidenav.wmi
website/trunk/docs/en/sidenav.wmi
website/trunk/docs/en/tor-manual.wml
website/trunk/docs/fr/sidenav.wmi
website/trunk/docs/my/sidenav.wmi
website/trunk/docs/pl/sidenav.wmi
website/trunk/docs/ru/sidenav.wmi
Log:
include stable man page from the old website
Modified: website/trunk/docs/ar/sidenav.wmi
===================================================================
--- website/trunk/docs/ar/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/ar/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
@@ -61,9 +61,9 @@
{'url' => 'docs/running-a-mirror',
'txt' => 'ضبط مرآة',
},
-# {'url' => 'docs/tor-manual',
-# 'txt' => 'تور- دليل الإصدارة الثابتة',
-# },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'تور- دليل الإصدارة الثابتة',
+ },
{'url' => 'docs/tor-manual-dev',
'txt' => 'تور- دليل الإصدارة ألفا',
},
Modified: website/trunk/docs/en/sidenav.wmi
===================================================================
--- website/trunk/docs/en/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/en/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
@@ -61,9 +61,9 @@
{'url' => 'docs/running-a-mirror',
'txt' => 'Configuring a Mirror',
},
-# {'url' => 'docs/tor-manual',
-# 'txt' => 'Tor -stable Manual',
-# },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'Tor -stable Manual',
+ },
{'url' => 'docs/tor-manual-dev',
'txt' => 'Tor -alpha Manual',
},
Modified: website/trunk/docs/en/tor-manual.wml
===================================================================
--- website/trunk/docs/en/tor-manual.wml 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/en/tor-manual.wml 2011-03-25 13:08:28 UTC (rev 24435)
@@ -9,22 +9,2321 @@
<div id="breadcrumbs">
<a href="<page index>">Home » </a>
<a href="<page docs/documentation>">Documentation » </a>
- <a href="<page docs/tor-doc-osx>">Tor Dev Manual</a>
+ <a href="<page docs/tor-doc-osx>">Tor Manual</a>
</div>
- <div id="maincol">
- <:
- die "Missing git clone at $(TORGIT)" unless -d "$(TORGIT)";
- my $man = `GIT_DIR=$(TORGIT) git show $(STABLETAG):doc/tor.1.txt | asciidoc -d manpage -s -o - -`;
- die "No manpage because of asciidoc error or file not available from git" unless $man;
- print $man;
- :>
- </div>
+ <div id="maincol">
+ <h2 id="_synopsis">SYNOPSIS</h2>
+ <div class="sectionbody">
+ <div class="paragraph"><p><strong>tor</strong> [<em>OPTION</em> <em>value</em>]…</p>
+ </div>
+ </div>
+ <h2 id="_description">DESCRIPTION</h2>
+ <div class="sectionbody">
+ <div class="paragraph"><p><em>tor</em> is a connection-oriented anonymizing communication
+ service. Users choose a source-routed path through a set of nodes, and
+ negotiate a "virtual circuit" through the network, in which each node
+ knows its predecessor and successor, but no others. Traffic flowing down
+ the circuit is unwrapped by a symmetric key at each node, which reveals
+ the downstream node.<br /></p></div>
+
+ <div class="paragraph"><p>Basically <em>tor</em> provides a distributed network of servers ("onion routers").
+ Users bounce their TCP streams — web traffic, ftp, ssh, etc — around the
+ routers, and recipients, observers, and even the routers themselves have
+ difficulty tracking the source of the stream.</p></div>
+ </div>
+ <h2 id="_options">OPTIONS</h2>
+ <div class="sectionbody">
+ <div class="dlist"><dl>
+ <dt class="hdlist1">
+ <strong>-h</strong>, <strong>-help</strong>
+ </dt>
+ <dd>
+ <p>
+ Display a short help message and exit.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>-f</strong> <em>FILE</em>
+ </dt>
+ <dd>
+ <p>
+ FILE contains further "option value" pairs. (Default: @CONFDIR@/torrc)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--hash-password</strong>
+ </dt>
+ <dd>
+ <p>
+ Generates a hashed password for control port access.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--list-fingerprint</strong>
+ </dt>
+ <dd>
+ <p>
+ Generate your keys and output your nickname and fingerprint.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--verify-config</strong>
+ </dt>
+ <dd>
+ <p>
+ Verify the configuration file is valid.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--nt-service</strong>
+ </dt>
+ <dd>
+ <p>
+ <strong>--service [install|remove|start|stop]</strong> Manage the Tor Windows
+ NT/2000/XP service. Current instructions can be found at
+ <a href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WinNTService">https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WinNTService</a>
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--list-torrc-options</strong>
+ </dt>
+ <dd>
+ <p>
+ List all valid options.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--version</strong>
+ </dt>
+ <dd>
+ <p>
+ Display Tor version and exit.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>--quiet</strong>
+ </dt>
+ <dd>
+ <p>
+ Do not start Tor with a console log unless explicitly requested to do so.
+ (By default, Tor starts out logging messages at level "notice" or higher to
+ the console, until it has parsed its configuration.)
+ </p>
+ </dd>
+ </dl>
+ </div>
+ <div class="paragraph">
+ <p>Other options can be specified either on the command-line (--option
+ value), or in the configuration file (option value or option "value").
+ Options are case-insensitive. C-style escaped characters are allowed inside
+ quoted values. Options on the command line take precedence over
+ options found in the configuration file, except indicated otherwise. To
+ split one configuration entry into multiple lines, use a single \ before
+ the end of the line. Comments can be used in such multiline entries, but
+ they must start at the beginning of a line.</p>
+ </div>
+ <div class="dlist"><dl>
+ <dt class="hdlist1">
+ <strong>BandwidthRate</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>
+ </dt>
+ <dd>
+ <p>
+ A token bucket limits the average incoming bandwidth usage on this node to
+ the specified number of bytes per second, and the average outgoing
+ bandwidth usage to that same value. If you want to run a relay in the
+ public network, this needs to be <em>at the very least</em> 20 KB (that is,
+ 20480 bytes). (Default: 5 MB)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>BandwidthBurst</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>
+ </dt>
+ <dd>
+ <p>
+ Limit the maximum token bucket size (also known as the burst) to the given
+ number of bytes in each direction. (Default: 10 MB)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>MaxAdvertisedBandwidth</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>
+ </dt>
+ <dd>
+ <p>
+ If set, we will not advertise more than this amount of bandwidth for our
+ BandwidthRate. Server operators who want to reduce the number of clients
+ who ask to build circuits through them (since this is proportional to
+ advertised bandwidth rate) can thus reduce the CPU demands on their server
+ without impacting network performance.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>RelayBandwidthRate</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>
+ </dt>
+ <dd>
+ <p>
+ If not 0, a separate token bucket limits the average incoming bandwidth
+ usage for _relayed traffic_ on this node to the specified number of bytes
+ per second, and the average outgoing bandwidth usage to that same value.
+ Relayed traffic currently is calculated to include answers to directory
+ requests, but that may change in future versions. (Default: 0)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>RelayBandwidthBurst</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>
+ </dt>
+ <dd>
+ <p>
+ If not 0, limit the maximum token bucket size (also known as the burst) for
+ _relayed traffic_ to the given number of bytes in each direction.
+ (Default: 0)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>ConnLimit</strong> <em>NUM</em>
+ </dt>
+ <dd>
+ <p>
+ The minimum number of file descriptors that must be available to the Tor
+ process before it will start. Tor will ask the OS for as many file
+ descriptors as the OS will allow (you can find this by "ulimit -H -n").
+ If this number is less than ConnLimit, then Tor will refuse to start.<br />
+ <br />
+ You probably don’t need to adjust this. It has no effect on Windows
+ since that platform lacks getrlimit(). (Default: 1000)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>ConstrainedSockets</strong> <strong>0</strong>|<strong>1</strong>
+ </dt>
+ <dd>
+ <p>
+ If set, Tor will tell the kernel to attempt to shrink the buffers for all
+ sockets to the size specified in <strong>ConstrainedSockSize</strong>. This is useful for
+ virtual servers and other environments where system level TCP buffers may
+ be limited. If you’re on a virtual server, and you encounter the "Error
+ creating network socket: No buffer space available" message, you are
+ likely experiencing this problem.<br />
+ <br />
+ The preferred solution is to have the admin increase the buffer pool for
+ the host itself via /proc/sys/net/ipv4/tcp_mem or equivalent facility;
+ this configuration option is a second-resort.<br />
+ <br />
+ The DirPort option should also not be used if TCP buffers are scarce. The
+ cached directory requests consume additional sockets which exacerbates
+ the problem.<br />
+ <br />
+ You should <strong>not</strong> enable this feature unless you encounter the "no buffer
+ space available" issue. Reducing the TCP buffers affects window size for
+ the TCP stream and will reduce throughput in proportion to round trip
+ time on long paths. (Default: 0.)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>ConstrainedSockSize</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>
+ </dt>
+ <dd>
+ <p>
+ When <strong>ConstrainedSockets</strong> is enabled the receive and transmit buffers for
+ all sockets will be set to this limit. Must be a value between 2048 and
+ 262144, in 1024 byte increments. Default of 8192 is recommended.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>ControlPort</strong> <em>Port</em>
+ </dt>
+ <dd>
+ <p>
+ If set, Tor will accept connections on this port and allow those
+ connections to control the Tor process using the Tor Control Protocol
+ (described in control-spec.txt). Note: unless you also specify one of
+ <strong>HashedControlPassword</strong> or <strong>CookieAuthentication</strong>, setting this option will
+ cause Tor to allow any process on the local host to control it. This
+ option is required for many Tor controllers; most use the value of 9051.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>ControlListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+ </dt>
+ <dd>
+ <p>
+ Bind the controller listener to this address. If you specify a port, bind
+ to this port rather than the one specified in ControlPort. We strongly
+ recommend that you leave this alone unless you know what you’re doing,
+ since giving attackers access to your control listener is really
+ dangerous. (Default: 127.0.0.1) This directive can be specified multiple
+ times to bind to multiple addresses/ports.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>ControlSocket</strong> <em>Path</em>
+ </dt>
+ <dd>
+ <p>
+ Like ControlPort, but listens on a Unix domain socket, rather than a TCP
+ socket. (Unix and Unix-like systems only.)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>HashedControlPassword</strong> <em>hashed_password</em>
+ </dt>
+ <dd>
+ <p>
+ Don’t allow any connections on the control port except when the other
+ process knows the password whose one-way hash is <em>hashed_password</em>. You
+ can compute the hash of a password by running "tor --hash-password
+ <em>password</em>". You can provide several acceptable passwords by using more
+ than one HashedControlPassword line.
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>CookieAuthentication</strong> <strong>0</strong>|<strong>1</strong>
+ </dt>
+ <dd>
+ <p>
+ If this option is set to 1, don’t allow any connections on the control port
+ except when the connecting process knows the contents of a file named
+ "control_auth_cookie", which Tor will create in its data directory. This
+ authentication method should only be used on systems with good filesystem
+ security. (Default: 0)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+ <strong>CookieAuthFile</strong> <em>Path</em>
+ </dt>
+ <dd>
+ <p>
+ If set, this option overrides the default location and file name
+ for Tor’s cookie file. (See CookieAuthentication above.)
+ </p>
+ </dd>
+ <dt class="hdlist1">
+<strong>CookieAuthFileGroupReadable</strong> <strong>0</strong>|<strong>1</strong>|<em>Groupname</em>
+</dt>
+<dd>
+<p>
+ If this option is set to 0, don’t allow the filesystem group to read the
+ cookie file. If the option is set to 1, make the cookie file readable by
+ the default GID. [Making the file readable by other groups is not yet
+ implemented; let us know if you need this for some reason.] (Default: 0).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DataDirectory</strong> <em>DIR</em>
+</dt>
+<dd>
+<p>
+ Store working data in DIR (Default: @LOCALSTATEDIR@/lib/tor)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DirServer</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em>fingerprint</em>
+</dt>
+<dd>
+<p>
+ Use a nonstandard authoritative directory server at the provided address
+ and port, with the specified key fingerprint. This option can be repeated
+ many times, for multiple authoritative directory servers. Flags are
+ separated by spaces, and determine what kind of an authority this directory
+ is. By default, every authority is authoritative for current ("v2")-style
+ directories, unless the "no-v2" flag is given. If the "v1" flags is
+ provided, Tor will use this server as an authority for old-style (v1)
+ directories as well. (Only directory mirrors care about this.) Tor will
+ use this server as an authority for hidden service information if the "hs"
+ flag is set, or if the "v1" flag is set and the "no-hs" flag is <strong>not</strong> set.
+ Tor will use this authority as a bridge authoritative directory if the
+ "bridge" flag is set. If a flag "orport=<strong>port</strong>" is given, Tor will use the
+ given port when opening encrypted tunnels to the dirserver. Lastly, if a
+ flag "v3ident=<strong>fp</strong>" is given, the dirserver is a v3 directory authority
+ whose v3 long-term signing key has the fingerprint <strong>fp</strong>.<br />
+<br />
+ If no <strong>dirserver</strong> line is given, Tor will use the default directory
+ servers. NOTE: this option is intended for setting up a private Tor
+ network with its own directory authorities. If you use it, you will be
+ distinguishable from other users, because you won’t believe the same
+ authorities they do.
+</p>
+</dd>
+</dl></div>
+<div class="paragraph"><p><strong>AlternateDirAuthority</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em>fingerprint</em><br /></p></div>
+<div class="paragraph"><p><strong>AlternateHSAuthority</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em>fingerprint</em><br /></p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>AlternateBridgeAuthority</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em> fingerprint</em>
+</dt>
+<dd>
+<p>
+ As DirServer, but replaces less of the default directory authorities. Using
+ AlternateDirAuthority replaces the default Tor directory authorities, but
+ leaves the hidden service authorities and bridge authorities in place.
+ Similarly, Using AlternateHSAuthority replaces the default hidden service
+ authorities, but not the directory or bridge authorities.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FetchDirInfoEarly</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 1, Tor will always fetch directory information like other
+ directory caches, even if you don’t meet the normal criteria for fetching
+ early. Normal users should leave it off. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FetchHidServDescriptors</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 0, Tor will never fetch any hidden service descriptors from the
+ rendezvous directories. This option is only useful if you’re using a Tor
+ controller that handles hidden service fetches for you. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FetchServerDescriptors</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 0, Tor will never fetch any network status summaries or server
+ descriptors from the directory servers. This option is only useful if
+ you’re using a Tor controller that handles directory fetches for you.
+ (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FetchUselessDescriptors</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 1, Tor will fetch every non-obsolete descriptor from the
+ authorities that it hears about. Otherwise, it will avoid fetching useless
+ descriptors, for example for routers that are not running. This option is
+ useful if you’re using the contributed "exitlist" script to enumerate Tor
+ nodes that exit to certain addresses. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HTTPProxy</strong> <em>host</em>[:<em>port</em>]
+</dt>
+<dd>
+<p>
+ Tor will make all its directory requests through this host:port (or host:80
+ if port is not specified), rather than connecting directly to any directory
+ servers.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HTTPProxyAuthenticator</strong> <em>username:password</em>
+</dt>
+<dd>
+<p>
+ If defined, Tor will use this username:password for Basic HTTP proxy
+ authentication, as in RFC 2617. This is currently the only form of HTTP
+ proxy authentication that Tor supports; feel free to submit a patch if you
+ want it to support others.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HTTPSProxy</strong> <em>host</em>[:<em>port</em>]
+</dt>
+<dd>
+<p>
+ Tor will make all its OR (SSL) connections through this host:port (or
+ host:443 if port is not specified), via HTTP CONNECT rather than connecting
+ directly to servers. You may want to set <strong>FascistFirewall</strong> to restrict
+ the set of ports you might try to connect to, if your HTTPS proxy only
+ allows connecting to certain ports.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HTTPSProxyAuthenticator</strong> <em>username:password</em>
+</dt>
+<dd>
+<p>
+ If defined, Tor will use this username:password for Basic HTTPS proxy
+ authentication, as in RFC 2617. This is currently the only form of HTTPS
+ proxy authentication that Tor supports; feel free to submit a patch if you
+ want it to support others.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>KeepalivePeriod</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ To keep firewalls from expiring connections, send a padding keepalive cell
+ every NUM seconds on open connections that are in use. If the connection
+ has no open circuits, it will instead be closed after NUM seconds of
+ idleness. (Default: 5 minutes)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>Log</strong> <em>minSeverity</em>[-<em>maxSeverity</em>] <strong>stderr</strong>|<strong>stdout</strong>|<strong>syslog</strong>
+</dt>
+<dd>
+<p>
+ Send all messages between <em>minSeverity</em> and <em>maxSeverity</em> to the standard
+ output stream, the standard error stream, or to the system log. (The
+ "syslog" value is only supported on Unix.) Recognized severity levels are
+ debug, info, notice, warn, and err. We advise using "notice" in most cases,
+ since anything more verbose may provide sensitive information to an
+ attacker who obtains the logs. If only one severity level is given, all
+ messages of that level or higher will be sent to the listed destination.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>Log</strong> <em>minSeverity</em>[-<em>maxSeverity</em>] <strong>file</strong> <em>FILENAME</em>
+</dt>
+<dd>
+<p>
+ As above, but send log messages to the listed filename. The
+ "Log" option may appear more than once in a configuration file.
+ Messages are sent to all the logs that match their severity
+ level.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>OutboundBindAddress</strong> <em>IP</em>
+</dt>
+<dd>
+<p>
+ Make all outbound connections originate from the IP address specified. This
+ is only useful when you have multiple network interfaces, and you want all
+ of Tor’s outgoing connections to use a single one. This setting will be
+ ignored for connections to the loopback addresses (127.0.0.0/8 and ::1).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>PidFile</strong> <em>FILE</em>
+</dt>
+<dd>
+<p>
+ On startup, write our PID to FILE. On clean shutdown, remove
+ FILE.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ProtocolWarnings</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If 1, Tor will log with severity 'warn' various cases of other parties not
+ following the Tor specification. Otherwise, they are logged with severity
+ 'info'. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>RunAsDaemon</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If 1, Tor forks and daemonizes to the background. This option has no effect
+ on Windows; instead you should use the --service command-line option.
+ (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SafeLogging</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ Tor can scrub potentially sensitive strings from log messages (e.g.
+ addresses) by replacing them with the string [scrubbed]. This way logs can
+ still be useful, but they don’t leave behind personally identifying
+ information about what sites a user might have visited.<br />
+<br />
+ If this option is set to 0, Tor will not perform any scrubbing, if it is
+ set to 1, all potentially sensitive strings are replaced. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>User</strong> <em>UID</em>
+</dt>
+<dd>
+<p>
+ On startup, setuid to this user and setgid to their primary group.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HardwareAccel</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If non-zero, try to use built-in (static) crypto hardware acceleration when
+ available. This is untested and probably buggy. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AvoidDiskWrites</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If non-zero, try to write to disk less frequently than we would otherwise.
+ This is useful when running on flash memory or other media that support
+ only a limited number of writes. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TunnelDirConns</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If non-zero, when a directory server we contact supports it, we will build
+ a one-hop circuit and make an encrypted connection via its ORPort.
+ (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>PreferTunneledDirConns</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If non-zero, we will avoid directory servers that don’t support tunneled
+ directory connections, when possible. (Default: 1)
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_client_options">CLIENT OPTIONS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>The following options are useful only for clients (that is, if
+<strong>SocksPort</strong> is non-zero):</p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>AllowInvalidNodes</strong> <strong>entry</strong>|<strong>exit</strong>|<strong>middle</strong>|<strong>introduction</strong>|<strong>rendezvous</strong>|<strong>…</strong>
+</dt>
+<dd>
+<p>
+ If some Tor servers are obviously not working right, the directory
+ authorities can manually mark them as invalid, meaning that it’s not
+ recommended you use them for entry or exit positions in your circuits. You
+ can opt to use them in some circuit positions, though. The default is
+ "middle,rendezvous", and other choices are not advised.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ExcludeSingleHopRelays</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ This option controls whether circuits built by Tor will include relays with
+ the AllowSingleHopExits flag set to true. If ExcludeSingleHopRelays is set
+ to 0, these relays will be included. Note that these relays might be at
+ higher risk of being seized or observed, so they are not normally
+ included. Also note that relatively few clients turn off this option,
+ so using these relays might make your client stand out.
+ (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>Bridge</strong> <em>IP</em>:<em>ORPort</em> [fingerprint]
+</dt>
+<dd>
+<p>
+ When set along with UseBridges, instructs Tor to use the relay at
+ "IP:ORPort" as a "bridge" relaying into the Tor network. If "fingerprint"
+ is provided (using the same format as for DirServer), we will verify that
+ the relay running at that location has the right fingerprint. We also use
+ fingerprint to look up the bridge descriptor at the bridge authority, if
+ it’s provided and if UpdateBridgesFromAuthority is set too.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>CircuitBuildTimeout</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Try for at most NUM seconds when building circuits. If the circuit isn't
+ open in that time, give up on it. (Default: 1 minute.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>CircuitIdleTimeout</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ If we have kept a clean (never used) circuit around for NUM seconds, then
+ close it. This way when the Tor client is entirely idle, it can expire all
+ of its circuits, and then expire its TLS connections. Also, if we end up
+ making a circuit that is not useful for exiting any of the requests we’re
+ receiving, it won’t forever take up a slot in the circuit list. (Default: 1
+ hour.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ClientOnly</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 1, Tor will under no circumstances run as a server or serve
+ directory requests. The default is to run as a client unless ORPort is
+ configured. (Usually, you don’t need to set this; Tor is pretty smart at
+ figuring out whether you are reliable and high-bandwidth enough to be a
+ useful server.) (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ExcludeNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ A list of identity fingerprints, nicknames, country codes and address
+ patterns of nodes to never use when building a circuit. (Example:
+ ExcludeNodes SlowServer, $ EFFFFFFFFFFFFFFF, {cc}, 255.254.0.0/8)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ExcludeExitNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ A list of identity fingerprints, nicknames, country codes and address
+ patterns of nodes to never use when picking an exit node. Note that any
+ node listed in ExcludeNodes is automatically considered to be part of this
+ list.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>EntryNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ A list of identity fingerprints, nicknames and address
+ patterns of nodes to use for the first hop in normal circuits. These are
+ treated only as preferences unless StrictNodes (see below) is also set.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ExitNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ A list of identity fingerprints, nicknames, country codes and address
+ patterns of nodes to use for the last hop in normal exit circuits. These
+ are treated only as preferences unless StrictNodes (see below) is also set.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>StrictEntryNodes</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If 1, Tor will never use any nodes besides those listed in "EntryNodes" for
+ the first hop of a circuit.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>StrictExitNodes</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If 1, Tor will never use any nodes besides those listed in "ExitNodes" for
+ the last hop of a circuit.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FascistFirewall</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If 1, Tor will only create outgoing connections to ORs running on ports
+ that your firewall allows (defaults to 80 and 443; see <strong>FirewallPorts</strong>).
+ This will allow you to run Tor as a client behind a firewall with
+ restrictive policies, but will not allow you to run as a server behind such
+ a firewall. If you prefer more fine-grained control, use
+ ReachableAddresses instead.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FirewallPorts</strong> <em>PORTS</em>
+</dt>
+<dd>
+<p>
+ A list of ports that your firewall allows you to connect to. Only used when
+ <strong>FascistFirewall</strong> is set. This option is deprecated; use ReachableAddresses
+ instead. (Default: 80, 443)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HidServAuth</strong> <em>onion-address</em> <em>auth-cookie</em> [<em>service-name</em>]
+</dt>
+<dd>
+<p>
+ Client authorization for a hidden service. Valid onion addresses contain 16
+ characters in a-z2-7 plus ".onion", and valid auth cookies contain 22
+ characters in A-Za-z0-9+/. The service name is only used for internal
+ purposes, e.g., for Tor controllers. This option may be used multiple times
+ for different hidden services. If a hidden service uses authorization and
+ this option is not set, the hidden service is not accessible. Hidden
+ services can be configured to require authorization using the
+ <strong>HiddenServiceAuthorizeClient</strong> option.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ReachableAddresses</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]…
+</dt>
+<dd>
+<p>
+ A comma-separated list of IP addresses and ports that your firewall allows
+ you to connect to. The format is as for the addresses in ExitPolicy, except
+ that "accept" is understood unless "reject" is explicitly provided. For
+ example, 'ReachableAddresses 99.0.0.0/8, reject 18.0.0.0/8:80, accept
+ *:80' means that your firewall allows connections to everything inside net
+ 99, rejects port 80 connections to net 18, and accepts connections to port
+ 80 otherwise. (Default: 'accept *:*'.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ReachableDirAddresses</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]…
+</dt>
+<dd>
+<p>
+ Like <strong>ReachableAddresses</strong>, a list of addresses and ports. Tor will obey
+ these restrictions when fetching directory information, using standard HTTP
+ GET requests. If not set explicitly then the value of
+ <strong>ReachableAddresses</strong> is used. If <strong>HTTPProxy</strong> is set then these
+ connections will go through that proxy.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ReachableORAddresses</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]…
+</dt>
+<dd>
+<p>
+ Like <strong>ReachableAddresses</strong>, a list of addresses and ports. Tor will obey
+ these restrictions when connecting to Onion Routers, using TLS/SSL. If not
+ set explicitly then the value of <strong>ReachableAddresses</strong> is used. If
+ <strong>HTTPSProxy</strong> is set then these connections will go through that proxy.<br />
+<br />
+ The separation between <strong>ReachableORAddresses</strong> and
+ <strong>ReachableDirAddresses</strong> is only interesting when you are connecting
+ through proxies (see <strong>HTTPProxy</strong> and <strong>HTTPSProxy</strong>). Most proxies limit
+ TLS connections (which Tor uses to connect to Onion Routers) to port 443,
+ and some limit HTTP GET requests (which Tor uses for fetching directory
+ information) to port 80.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>LongLivedPorts</strong> <em>PORTS</em>
+</dt>
+<dd>
+<p>
+ A list of ports for services that tend to have long-running connections
+ (e.g. chat and interactive shells). Circuits for streams that use these
+ ports will contain only high-uptime nodes, to reduce the chance that a node
+ will go down before the stream is finished. (Default: 21, 22, 706, 1863,
+ 5050, 5190, 5222, 5223, 6667, 6697, 8300)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>MapAddress</strong> <em>address</em> <em>newaddress</em>
+</dt>
+<dd>
+<p>
+ When a request for address arrives to Tor, it will rewrite it to newaddress
+ before processing it. For example, if you always want connections to
+ www.indymedia.org to exit via <em>torserver</em> (where <em>torserver</em> is the
+ nickname of the server), use "MapAddress www.indymedia.org
+ www.indymedia.org.torserver.exit".
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NewCircuitPeriod</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Every NUM seconds consider whether to build a new circuit. (Default: 30
+ seconds)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>MaxCircuitDirtiness</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Feel free to reuse a circuit that was first used at most NUM seconds ago,
+ but never attach a new stream to a circuit that is too old. (Default: 10
+ minutes)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NodeFamily</strong> <em>node</em>,<em>node</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ The Tor servers, defined by their identity fingerprints or nicknames,
+ constitute a "family" of similar or co-administered servers, so never use
+ any two of them in the same circuit. Defining a NodeFamily is only needed
+ when a server doesn’t list the family itself (with MyFamily). This option
+ can be used multiple times.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>EnforceDistinctSubnets</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If 1, Tor will not put two servers whose IP addresses are "too close" on
+ the same circuit. Currently, two addresses are "too close" if they lie in
+ the same /16 range. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SocksPort</strong> <em>PORT</em>
+</dt>
+<dd>
+<p>
+ Advertise this port to listen for connections from Socks-speaking
+ applications. Set this to 0 if you don’t want to allow application
+ connections. (Default: 9050)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SocksListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+</dt>
+<dd>
+<p>
+ Bind to this address to listen for connections from Socks-speaking
+ applications. (Default: 127.0.0.1) You can also specify a port (e.g.
+ 192.168.0.1:9100). This directive can be specified multiple times to bind
+ to multiple addresses/ports.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SocksPolicy</strong> <em>policy</em>,<em>policy</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ Set an entrance policy for this server, to limit who can connect to the
+ SocksPort and DNSPort ports. The policies have the same form as exit
+ policies below.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SocksTimeout</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Let a socks connection wait NUM seconds handshaking, and NUM seconds
+ unattached waiting for an appropriate circuit, before we fail it. (Default:
+ 2 minutes.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TrackHostExits</strong> <em>host</em>,<em>.domain</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ For each value in the comma separated list, Tor will track recent
+ connections to hosts that match this value and attempt to reuse the same
+ exit node for each. If the value is prepended with a '.', it is treated as
+ matching an entire domain. If one of the values is just a '.', it means
+ match everything. This option is useful if you frequently connect to sites
+ that will expire all your authentication cookies (i.e. log you out) if
+ your IP address changes. Note that this option does have the disadvantage
+ of making it more clear that a given history is associated with a single
+ user. However, most people who would wish to observe this will observe it
+ through cookies or other protocol-specific means anyhow.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TrackHostExitsExpire</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Since exit servers go up and down, it is desirable to expire the
+ association between host and exit server after NUM seconds. The default is
+ 1800 seconds (30 minutes).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>UpdateBridgesFromAuthority</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When set (along with UseBridges), Tor will try to fetch bridge descriptors
+ from the configured bridge authorities when feasible. It will fall back to
+ a direct request if the authority responds with a 404. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>UseBridges</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When set, Tor will fetch descriptors for each bridge listed in the "Bridge"
+ config lines, and use these relays as both entry guards and directory
+ guards. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>UseEntryGuards</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If this option is set to 1, we pick a few long-term entry servers, and try
+ to stick with them. This is desirable because constantly changing servers
+ increases the odds that an adversary who owns some servers will observe a
+ fraction of your paths. (Defaults to 1.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NumEntryGuards</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ If UseEntryGuards is set to 1, we will try to pick a total of NUM routers
+ as long-term entries for our circuits. (Defaults to 3.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SafeSocks</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is enabled, Tor will reject application connections that
+ use unsafe variants of the socks protocol — ones that only provide an IP
+ address, meaning the application is doing a DNS resolve first.
+ Specifically, these are socks4 and socks5 when not doing remote DNS.
+ (Defaults to 0.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TestSocks</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is enabled, Tor will make a notice-level log entry for
+ each connection to the Socks port indicating whether the request used a
+ safe socks protocol or an unsafe one (see above entry on SafeSocks). This
+ helps to determine whether an application using Tor is possibly leaking
+ DNS requests. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>VirtualAddrNetwork</strong> <em>Address</em>/<em>bits</em>
+</dt>
+<dd>
+<p>
+ When Tor needs to assign a virtual (unused) address because of a MAPADDRESS
+ command from the controller or the AutomapHostsOnResolve feature, Tor
+ picks an unassigned address from this range. (Default:
+ 127.192.0.0/10)<br />
+<br />
+ When providing proxy server service to a network of computers using a tool
+ like dns-proxy-tor, change this address to "10.192.0.0/10" or
+ "172.16.0.0/12". The default <strong>VirtualAddrNetwork</strong> address range on a
+ properly configured machine will route to the loopback interface. For
+ local use, no change to the default VirtualAddrNetwork setting is needed.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AllowNonRFC953Hostnames</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is disabled, Tor blocks hostnames containing illegal
+ characters (like @ and :) rather than sending them to an exit node to be
+ resolved. This helps trap accidental attempts to resolve URLs and so on.
+ (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FastFirstHopPK</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is disabled, Tor uses the public key step for the first
+ hop of creating circuits. Skipping it is generally safe since we have
+ already used TLS to authenticate the relay and to establish forward-secure
+ keys. Turning this option off makes circuit building slower.<br />
+<br />
+ Note that Tor will always use the public key step for the first hop if it’s
+ operating as a relay, and it will never use the public key step if it
+ doesn’t yet know the onion key of the first hop. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TransPort</strong> <em>PORT</em>
+</dt>
+<dd>
+<p>
+ If non-zero, enables transparent proxy support on <em>PORT</em> (by convention,
+ 9040). Requires OS support for transparent proxies, such as BSDs' pf or
+ Linux’s IPTables. If you’re planning to use Tor as a transparent proxy for
+ a network, you’ll want to examine and change VirtualAddrNetwork from the
+ default setting. You’ll also want to set the TransListenAddress option for
+ the network you’d like to proxy. (Default: 0).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TransListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+</dt>
+<dd>
+<p>
+ Bind to this address to listen for transparent proxy connections. (Default:
+ 127.0.0.1). This is useful for exporting a transparent proxy server to an
+ entire network.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NATDPort</strong> <em>PORT</em>
+</dt>
+<dd>
+<p>
+ Allow old versions of ipfw (as included in old versions of FreeBSD, etc.)
+ to send connections through Tor using the NATD protocol. This option is
+ only for people who cannot use TransPort.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NATDListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+</dt>
+<dd>
+<p>
+ Bind to this address to listen for NATD connections. (Default: 127.0.0.1).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AutomapHostsOnResolve</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is enabled, and we get a request to resolve an address
+ that ends with one of the suffixes in <strong>AutomapHostsSuffixes</strong>, we map an
+ unused virtual address to that address, and return the new virtual address.
+ This is handy for making ".onion" addresses work with applications that
+ resolve an address and then connect to it. (Default: 0).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AutomapHostsSuffixes</strong> <em>SUFFIX</em>,<em>SUFFIX</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ A comma-separated list of suffixes to use with <strong>AutomapHostsOnResolve</strong>.
+ The "." suffix is equivalent to "all addresses." (Default: .exit,.onion).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DNSPort</strong> <em>PORT</em>
+</dt>
+<dd>
+<p>
+ If non-zero, Tor listens for UDP DNS requests on this port and resolves
+ them anonymously. (Default: 0).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DNSListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+</dt>
+<dd>
+<p>
+ Bind to this address to listen for DNS connections. (Default: 127.0.0.1).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ClientDNSRejectInternalAddresses</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If true, Tor does not believe any anonymously retrieved DNS answer that
+ tells it that an address resolves to an internal address (like 127.0.0.1 or
+ 192.168.0.1). This option prevents certain browser-based attacks; don’t
+ turn it off unless you know what you’re doing. (Default: 1).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DownloadExtraInfo</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If true, Tor downloads and caches "extra-info" documents. These documents
+ contain information about servers other than the information in their
+ regular router descriptors. Tor does not use this information for anything
+ itself; to save bandwidth, leave this option turned off. (Default: 0).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>FallbackNetworkstatusFile</strong> <em>FILENAME</em>
+</dt>
+<dd>
+<p>
+ If Tor doesn’t have a cached networkstatus file, it starts out using this
+ one instead. Even if this file is out of date, Tor can still use it to
+ learn about directory mirrors, so it doesn’t need to put load on the
+ authorities. (Default: None).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>WarnPlaintextPorts</strong> <em>port</em>,<em>port</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ Tells Tor to issue a warnings whenever the user tries to make an anonymous
+ connection to one of these ports. This option is designed to alert users
+ to services that risk sending passwords in the clear. (Default:
+ 23,109,110,143).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>RejectPlaintextPorts</strong> <em>port</em>,<em>port</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ Like WarnPlaintextPorts, but instead of warning about risky port uses, Tor
+ will instead refuse to make the connection. (Default: None).
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_server_options">SERVER OPTIONS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>The following options are useful only for servers (that is, if ORPort
+is non-zero):</p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>Address</strong> <em>address</em>
+</dt>
+<dd>
+<p>
+ The IP address or fully qualified domain name of this server (e.g.
+ moria.mit.edu) You can leave this unset, and Tor will guess your IP
+ address.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AllowSingleHopExits</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ This option controls whether clients can use this server as a single hop
+ proxy. If set to 1, clients can use this server as an exit even if it is
+ the only hop in the circuit. Note that most clients will refuse to use
+ servers that set this option, since most clients have
+ ExcludeSingleHopRelays set. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AssumeReachable</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ This option is used when bootstrapping a new Tor network. If set to 1,
+ don’t do self-reachability testing; just upload your server descriptor
+ immediately. If <strong>AuthoritativeDirectory</strong> is also set, this option
+ instructs the dirserver to bypass remote reachability testing too and list
+ all connected servers as running.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>BridgeRelay</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ Sets the relay to act as a "bridge" with respect to relaying connections
+ from bridge users to the Tor network. It mainly causes Tor to publish a
+ server descriptor to the bridge database, rather than publishing a relay
+ descriptor to the public directory authorities.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ContactInfo</strong> <em>email_address</em>
+</dt>
+<dd>
+<p>
+ Administrative contact information for server. This line might get picked
+ up by spam harvesters, so you may want to obscure the fact that it’s an
+ email address.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ExitPolicy</strong> <em>policy</em>,<em>policy</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ Set an exit policy for this server. Each policy is of the form
+ "<strong>accept</strong>|<strong>reject</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]". If /<em>MASK</em> is
+ omitted then this policy just applies to the host given. Instead of giving
+ a host or network you can also use "*" to denote the universe (0.0.0.0/0).
+ <em>PORT</em> can be a single port number, an interval of ports
+ "<em>FROM_PORT</em>-<em>TO_PORT</em>", or "*". If <em>PORT</em> is omitted, that means
+ "*".<br />
+<br />
+ For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" would
+ reject any traffic destined for MIT except for web.mit.edu, and accept
+ anything else.<br />
+<br />
+ To specify all internal and link-local networks (including 0.0.0.0/8,
+ 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and
+ 172.16.0.0/12), you can use the "private" alias instead of an address.
+ These addresses are rejected by default (at the beginning of your exit
+ policy), along with your public IP address, unless you set the
+ ExitPolicyRejectPrivate config option to 0. For example, once you’ve done
+ that, you could allow HTTP to 127.0.0.1 and block all other connections to
+ internal networks with "accept 127.0.0.1:80,reject private:*", though that
+ may also allow connections to your own computer that are addressed to its
+ public (external) IP address. See RFC 1918 and RFC 3330 for more details
+ about internal and reserved IP address space.<br />
+<br />
+ This directive can be specified multiple times so you don’t have to put it
+ all on one line.<br />
+<br />
+ Policies are considered first to last, and the first match wins. If you
+ want to _replace_ the default exit policy, end your exit policy with
+ either a reject *:* or an accept *:*. Otherwise, you’re _augmenting_
+ (prepending to) the default exit policy. The default exit policy is:<br />
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>reject *:25^M
+reject *:119^M
+reject *:135-139^M
+reject *:445^M
+reject *:563^M
+reject *:1214^M
+reject *:4661-4666^M
+reject *:6346-6429^M
+reject *:6699^M
+reject *:6881-6999^M
+accept *:*</tt></pre>
+</div></div>
+</dd>
+<dt class="hdlist1">
+<strong>ExitPolicyRejectPrivate</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ Reject all private (local) networks, along with your own public IP address,
+ at the beginning of your exit policy. See above entry on ExitPolicy.
+ (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>MaxOnionsPending</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ If you have more than this number of onionskins queued for decrypt, reject
+ new ones. (Default: 100)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>MyFamily</strong> <em>node</em>,<em>node</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ Declare that this Tor server is controlled or administered by a group or
+ organization identical or similar to that of the other servers, defined by
+ their identity fingerprints or nicknames. When two servers both declare
+ that they are in the same 'family', Tor clients will not use them in the
+ same circuit. (Each server only needs to list the other servers in its
+ family; it doesn’t need to list itself, but it won’t hurt.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>Nickname</strong> <em>name</em>
+</dt>
+<dd>
+<p>
+ Set the server’s nickname to 'name'. Nicknames must be between 1 and 19
+ characters inclusive, and must contain only the characters [a-zA-Z0-9].
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NumCPUs</strong> <em>num</em>
+</dt>
+<dd>
+<p>
+ How many processes to use at once for decrypting onionskins. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ORPort</strong> <em>PORT</em>
+</dt>
+<dd>
+<p>
+ Advertise this port to listen for connections from Tor clients and servers.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ORListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+</dt>
+<dd>
+<p>
+ Bind to this IP address to listen for connections from Tor clients and
+ servers. If you specify a port, bind to this port rather than the one
+ specified in ORPort. (Default: 0.0.0.0) This directive can be specified
+ multiple times to bind to multiple addresses/ports.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>PublishServerDescriptor</strong> <strong>0</strong>|<strong>1</strong>|<strong>v1</strong>|<strong>v2</strong>|<strong>v3</strong>|<strong>bridge</strong>,<strong>…</strong>
+</dt>
+<dd>
+<p>
+ This option specifies which descriptors Tor will publish when acting as
+ a relay. You can
+ choose multiple arguments, separated by commas.
+<br />
+ If this option is set to 0, Tor will not publish its
+ descriptors to any directories. (This is useful if you’re testing
+ out your server, or if you’re using a Tor controller that handles directory
+ publishing for you.) Otherwise, Tor will publish its descriptors of all
+ type(s) specified. The default is "1",
+ which means "if running as a server, publish the
+ appropriate descriptors to the authorities".
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ShutdownWaitLength</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ When we get a SIGINT and we’re a server, we begin shutting down:
+ we close listeners and start refusing new circuits. After <strong>NUM</strong>
+ seconds, we exit. If we get a second SIGINT, we exit immedi-
+ ately. (Default: 30 seconds)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AccountingMax</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>|<strong>TB</strong>
+</dt>
+<dd>
+<p>
+ Never send more than the specified number of bytes in a given accounting
+ period, or receive more than that number in the period. For example, with
+ AccountingMax set to 1 GB, a server could send 900 MB and receive 800 MB
+ and continue running. It will only hibernate once one of the two reaches 1
+ GB. When the number of bytes gets low, Tor will stop accepting new
+ connections and circuits. When the number of bytes
+ is exhausted, Tor will hibernate until some
+ time in the next accounting period. To prevent all servers from waking at
+ the same time, Tor will also wait until a random point in each period
+ before waking up. If you have bandwidth cost issues, enabling hibernation
+ is preferable to setting a low bandwidth, since it provides users with a
+ collection of fast servers that are up some of the time, which is more
+ useful than a set of slow servers that are always "available".
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AccountingStart</strong> <strong>day</strong>|<strong>week</strong>|<strong>month</strong> [<em>day</em>] <em>HH:MM</em>
+</dt>
+<dd>
+<p>
+ Specify how long accounting periods last. If <strong>month</strong> is given, each
+ accounting period runs from the time <em>HH:MM</em> on the <em>dayth</em> day of one
+ month to the same day and time of the next. (The day must be between 1 and
+ 28.) If <strong>week</strong> is given, each accounting period runs from the time <em>HH:MM</em>
+ of the <em>dayth</em> day of one week to the same day and time of the next week,
+ with Monday as day 1 and Sunday as day 7. If <strong>day</strong> is given, each
+ accounting period runs from the time <em>HH:MM</em> each day to the same time on
+ the next day. All times are local, and given in 24-hour time. (Defaults to
+ "month 1 0:00".)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSResolvConfFile</strong> <em>filename</em>
+</dt>
+<dd>
+<p>
+ Overrides the default DNS configuration with the configuration in
+ <em>filename</em>. The file format is the same as the standard Unix
+ "<strong>resolv.conf</strong>" file (7). This option, like all other ServerDNS options,
+ only affects name lookups that your server does on behalf of clients.
+ (Defaults to use the system DNS configuration.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSAllowBrokenConfig</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If this option is false, Tor exits immediately if there are problems
+ parsing the system DNS configuration or connecting to nameservers.
+ Otherwise, Tor continues to periodically retry the system nameservers until
+ it eventually succeeds. (Defaults to "1".)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSSearchDomains</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 1, then we will search for addresses in the local search domain.
+ For example, if this system is configured to believe it is in
+ "example.com", and a client tries to connect to "www", the client will be
+ connected to "www.example.com". This option only affects name lookups that
+ your server does on behalf of clients. (Defaults to "0".)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSDetectHijacking</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set to 1, we will test periodically to determine
+ whether our local nameservers have been configured to hijack failing DNS
+ requests (usually to an advertising site). If they are, we will attempt to
+ correct this. This option only affects name lookups that your server does
+ on behalf of clients. (Defaults to "1".)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSTestAddresses</strong> <em>address</em>,<em>address</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ When we’re detecting DNS hijacking, make sure that these <em>valid</em> addresses
+ aren’t getting redirected. If they are, then our DNS is completely useless,
+ and we’ll reset our exit policy to "reject <strong>:</strong>". This option only affects
+ name lookups that your server does on behalf of clients. (Defaults to
+ "www.google.com, www.mit.edu, www.yahoo.com, www.slashdot.org".)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSAllowNonRFC953Hostnames</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is disabled, Tor does not try to resolve hostnames
+ containing illegal characters (like @ and :) rather than sending them to an
+ exit node to be resolved. This helps trap accidental attempts to resolve
+ URLs and so on. This option only affects name lookups that your server does
+ on behalf of clients. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>BridgeRecordUsageByCountry</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is enabled and BridgeRelay is also enabled, and we have
+ GeoIP data, Tor keeps a keep a per-country count of how many client
+ addresses have contacted it so that it can help the bridge authority guess
+ which countries have blocked access to it. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>ServerDNSRandomizeCase</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set, Tor sets the case of each character randomly in
+ outgoing DNS requests, and makes sure that the case matches in DNS replies.
+ This so-called "0x20 hack" helps resist some types of DNS poisoning attack.
+ For more information, see "Increased DNS Forgery Resistance through
+ 0x20-Bit Encoding". This option only affects name lookups that your server
+ does on behalf of clients. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>GeoIPFile</strong> <em>filename</em>
+</dt>
+<dd>
+<p>
+ A filename containing GeoIP data, for use with BridgeRecordUsageByCountry.
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_directory_server_options">DIRECTORY SERVER OPTIONS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>The following options are useful only for directory servers (that is,
+if DirPort is non-zero):</p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set to 1, Tor operates as an authoritative directory
+ server. Instead of caching the directory, it generates its own list of
+ good servers, signs it, and sends that to the clients. Unless the clients
+ already have you listed as a trusted directory, you probably do not want
+ to set this option. Please coordinate with the other admins at
+ <a href="mailto:tor-ops@torproject.org">tor-ops(a)torproject.org</a> if you think you should be a directory.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DirPortFrontPage</strong> <em>FILENAME</em>
+</dt>
+<dd>
+<p>
+ When this option is set, it takes an HTML file and publishes it as "/" on
+ the DirPort. Now relay operators can provide a disclaimer without needing
+ to set up a separate webserver. There’s a sample disclaimer in
+ contrib/tor-exit-notice.html.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V1AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor
+ generates version 1 directory and running-routers documents (for legacy
+ Tor clients up to 0.1.0.x).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V2AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor
+ generates version 2 network statuses and serves descriptors, etc as
+ described in doc/spec/dir-spec-v2.txt (for Tor clients and servers running
+ 0.1.1.x and 0.1.2.x).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V3AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor
+ generates version 3 network statuses and serves descriptors, etc as
+ described in doc/spec/dir-spec.txt (for Tor clients and servers running at
+ least 0.2.0.x).
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>VersioningAuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set to 1, Tor adds information on which versions of
+ Tor are still believed safe for use to the published directory. Each
+ version 1 authority is automatically a versioning authority; version 2
+ authorities provide this service optionally. See <strong>RecommendedVersions</strong>,
+ <strong>RecommendedClientVersions</strong>, and <strong>RecommendedServerVersions</strong>.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>NamingAuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set to 1, then the server advertises that it has
+ opinions about nickname-to-fingerprint bindings. It will include these
+ opinions in its published network-status pages, by listing servers with
+ the flag "Named" if a correct binding between that nickname and fingerprint
+ has been registered with the dirserver. Naming dirservers will refuse to
+ accept or publish descriptors that contradict a registered binding. See
+ <strong>approved-routers</strong> in the <strong>FILES</strong> section below.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HSAuthoritativeDir</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set in addition to
+ <strong>AuthoritativeDirectory</strong>, Tor also accepts and serves hidden
+ service descriptors. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HSAuthorityRecordStats</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set in addition to <strong>HSAuthoritativeDir</strong>,
+ Tor periodically (every 15 minutes) writes statistics about hidden service
+ usage to a file <strong>hsusage</strong> in its data directory. (Default:
+ 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HidServDirectoryV2</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set, Tor accepts and serves v2 hidden service
+ descriptors. Setting DirPort is not required for this, because clients
+ connect via the ORPort by default. (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>BridgeAuthoritativeDir</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor
+ accepts and serves router descriptors, but it caches and serves the main
+ networkstatus documents rather than generating its own. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>MinUptimeHidServDirectoryV2</strong> <em>N</em> <strong>seconds</strong>|<strong>minutes</strong>|<strong>hours</strong>|<strong>days</strong>|<strong>weeks</strong>
+</dt>
+<dd>
+<p>
+ Minimum uptime of a v2 hidden service directory to be accepted as such by
+ authoritative directories. (Default: 24 hours)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DirPort</strong> <em>PORT</em>
+</dt>
+<dd>
+<p>
+ Advertise the directory service on this port.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DirListenAddress</strong> <em>IP</em>[:<em>PORT</em>]
+</dt>
+<dd>
+<p>
+ Bind the directory service to this address. If you specify a port, bind to
+ this port rather than the one specified in DirPort. (Default: 0.0.0.0)
+ This directive can be specified multiple times to bind to multiple
+ addresses/ports.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DirPolicy</strong> <em>policy</em>,<em>policy</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ Set an entrance policy for this server, to limit who can connect to the
+ directory ports. The policies have the same form as exit policies above.
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_directory_authority_server_options">DIRECTORY AUTHORITY SERVER OPTIONS</h2>
+<div class="sectionbody">
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>RecommendedVersions</strong> <em>STRING</em>
+</dt>
+<dd>
+<p>
+ STRING is a comma-separated list of Tor versions currently believed to be
+ safe. The list is included in each directory, and nodes which pull down the
+ directory learn whether they need to upgrade. This option can appear
+ multiple times: the values from multiple lines are spliced together. When
+ this is set then <strong>VersioningAuthoritativeDirectory</strong> should be set too.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>RecommendedClientVersions</strong> <em>STRING</em>
+</dt>
+<dd>
+<p>
+ STRING is a comma-separated list of Tor versions currently believed to be
+ safe for clients to use. This information is included in version 2
+ directories. If this is not set then the value of <strong>RecommendedVersions</strong>
+ is used. When this is set then <strong>VersioningAuthoritativeDirectory</strong> should
+ be set too.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>RecommendedServerVersions</strong> <em>STRING</em>
+</dt>
+<dd>
+<p>
+ STRING is a comma-separated list of Tor versions currently believed to be
+ safe for servers to use. This information is included in version 2
+ directories. If this is not set then the value of <strong>RecommendedVersions</strong>
+ is used. When this is set then <strong>VersioningAuthoritativeDirectory</strong> should
+ be set too.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>DirAllowPrivateAddresses</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 1, Tor will accept router descriptors with arbitrary "Address"
+ elements. Otherwise, if the address is not an IP address or is a private IP
+ address, it will reject the router descriptor. Defaults to 0.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirBadDir</strong> <em>AddressPattern…</em>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. A set of address patterns for servers that
+ will be listed as bad directories in any network status document this
+ authority publishes, if <strong>AuthDirListBadDirs</strong> is set.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirBadExit</strong> <em>AddressPattern…</em>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. A set of address patterns for servers that
+ will be listed as bad exits in any network status document this authority
+ publishes, if <strong>AuthDirListBadExits</strong> is set.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirInvalid</strong> <em>AddressPattern…</em>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. A set of address patterns for servers that
+ will never be listed as "valid" in any network status document that this
+ authority publishes.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirReject</strong> <em>AddressPattern</em>…
+</dt>
+<dd>
+<p>
+ Authoritative directories only. A set of address patterns for servers that
+ will never be listed at all in any network status document that this
+ authority publishes, or accepted as an OR address in any descriptor
+ submitted for publication by this authority.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirListBadDirs</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. If set to 1, this directory has some
+ opinion about which nodes are unsuitable as directory caches. (Do not set
+ this to 1 unless you plan to list non-functioning directories as bad;
+ otherwise, you are effectively voting in favor of every declared
+ directory.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirListBadExits</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. If set to 1, this directory has some
+ opinion about which nodes are unsuitable as exit nodes. (Do not set this to
+ 1 unless you plan to list non-functioning exits as bad; otherwise, you are
+ effectively voting in favor of every declared exit as an exit.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirRejectUnlisted</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. If set to 1, the directory server rejects
+ all uploaded server descriptors that aren’t explicitly listed in the
+ fingerprints file. This acts as a "panic button" if we get hit with a Sybil
+ attack. (Default: 0)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirMaxServersPerAddr</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. The maximum number of servers that we will
+ list as acceptable on a single IP address. Set this to "0" for "no limit".
+ (Default: 2)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>AuthDirMaxServersPerAuthAddr</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ Authoritative directories only. Like AuthDirMaxServersPerAddr, but applies
+ to addresses shared with directory authorities. (Default: 5)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V3AuthVotingInterval</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ V3 authoritative directories only. Configures the server’s preferred voting
+ interval. Note that voting will <em>actually</em> happen at an interval chosen
+ by consensus from all the authorities' preferred intervals. This time
+ SHOULD divide evenly into a day. (Default: 1 hour)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V3AuthVoteDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ V3 authoritative directories only. Configures the server’s preferred delay
+ between publishing its vote and assuming it has all the votes from all the
+ other authorities. Note that the actual time used is not the server’s
+ preferred time, but the consensus of all preferences. (Default: 5 minutes.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V3AuthDistDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ V3 authoritative directories only. Configures the server’s preferred delay
+ between publishing its consensus and signature and assuming it has all the
+ signatures from all the other authorities. Note that the actual time used
+ is not the server’s preferred time, but the consensus of all preferences.
+ (Default: 5 minutes.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>V3AuthNIntervalsValid</strong> <em>NUM</em>
+</dt>
+<dd>
+<p>
+ V3 authoritative directories only. Configures the number of VotingIntervals
+ for which each consensus should be valid for. Choosing high numbers
+ increases network partitioning risks; choosing low numbers increases
+ directory traffic. Note that the actual number of intervals used is not the
+ server’s preferred number, but the consensus of all preferences. Must be at
+ least 2. (Default: 3.)
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_hidden_service_options">HIDDEN SERVICE OPTIONS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>The following options are used to configure a hidden service.</p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>HiddenServiceDir</strong> <em>DIRECTORY</em>
+</dt>
+<dd>
+<p>
+ Store data files for a hidden service in DIRECTORY. Every hidden service
+ must have a separate directory. You may use this option multiple times to
+ specify multiple services.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HiddenServicePort</strong> <em>VIRTPORT</em> [<em>TARGET</em>]
+</dt>
+<dd>
+<p>
+ Configure a virtual port VIRTPORT for a hidden service. You may use this
+ option multiple times; each time applies to the service using the most
+ recent hiddenservicedir. By default, this option maps the virtual port to
+ the same port on 127.0.0.1. You may override the target port, address, or
+ both by specifying a target of addr, port, or addr:port. You may also have
+ multiple lines with the same VIRTPORT: when a user connects to that
+ VIRTPORT, one of the TARGETs from those lines will be chosen at random.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>PublishHidServDescriptors</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 0, Tor will run any hidden services you configure, but it won’t
+ advertise them to the rendezvous directory. This option is only useful if
+ you’re using a Tor controller that handles hidserv publishing for you.
+ (Default: 1)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HiddenServiceVersion</strong> <em>version</em>,<em>version</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ A list of rendezvous service descriptor versions to publish for the hidden
+ service. Currently, only version 2 is supported. (Default: 2)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>HiddenServiceAuthorizeClient</strong> <em>auth-type</em> <em>client-name</em>,<em>client-name</em>,<em>…</em>
+</dt>
+<dd>
+<p>
+ If configured, the hidden service is accessible for authorized clients
+ only. The auth-type can either be 'basic' for a general-purpose
+ authorization protocol or 'stealth' for a less scalable protocol that also
+ hides service activity from unauthorized clients. Only clients that are
+ listed here are authorized to access the hidden service. Valid client names
+ are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no
+ spaces). If this option is set, the hidden service is not accessible for
+ clients without authorization any more. Generated authorization data can be
+ found in the hostname file. Clients need to put this authorization data in
+ their configuration file using <strong>HidServAuth</strong>.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>RendPostPeriod</strong> <em>N</em> <strong>seconds</strong>|<strong>minutes</strong>|<strong>hours</strong>|<strong>days</strong>|<strong>weeks</strong>
+</dt>
+<dd>
+<p>
+ Every time the specified period elapses, Tor uploads any rendezvous
+ service descriptors to the directory servers. This information is also
+ uploaded whenever it changes. (Default: 1 hour)
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_testing_network_options">TESTING NETWORK OPTIONS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>The following options are used for running a testing Tor network.</p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>TestingTorNetwork</strong> <strong>0</strong>|<strong>1</strong>
+</dt>
+<dd>
+<p>
+ If set to 1, Tor adjusts default values of the configuration options below,
+ so that it is easier to set up a testing Tor network. May only be set if
+ non-default set of DirServers is set. Cannot be unset while Tor is running.
+ (Default: 0)<br />
+</p>
+<div class="literalblock">
+<div class="content">
+<pre><tt>ServerDNSAllowBrokenConfig 1^M
+DirAllowPrivateAddresses 1^M
+EnforceDistinctSubnets 0^M
+AssumeReachable 1^M
+AuthDirMaxServersPerAddr 0^M
+AuthDirMaxServersPerAuthAddr 0^M
+ClientDNSRejectInternalAddresses 0^M
+ExitPolicyRejectPrivate 0^M
+V3AuthVotingInterval 5 minutes^M
+V3AuthVoteDelay 20 seconds^M
+V3AuthDistDelay 20 seconds^M
+TestingV3AuthInitialVotingInterval 5 minutes^M
+TestingV3AuthInitialVoteDelay 20 seconds^M
+TestingV3AuthInitialDistDelay 20 seconds^M
+TestingAuthDirTimeToLearnReachability 0 minutes^M
+TestingEstimatedDescriptorPropagationTime 0 minutes</tt></pre>
+</div></div>
+</dd>
+<dt class="hdlist1">
+<strong>TestingV3AuthInitialVotingInterval</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ Like V3AuthVotingInterval, but for initial voting interval before the first
+ consensus has been created. Changing this requires that
+ <strong>TestingTorNetwork</strong> is set. (Default: 30 minutes)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TestingV3AuthInitialVoteDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ Like TestingV3AuthInitialVoteDelay, but for initial voting interval before
+ the first consensus has been created. Changing this requires that
+ <strong>TestingTorNetwork</strong> is set. (Default: 5 minutes)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TestingV3AuthInitialDistDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ Like TestingV3AuthInitialDistDelay, but for initial voting interval before
+ the first consensus has been created. Changing this requires that
+ <strong>TestingTorNetwork</strong> is set. (Default: 5 minutes)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TestingAuthDirTimeToLearnReachability</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ After starting as an authority, do not make claims about whether routers
+ are Running until this much time has passed. Changing this requires
+ that <strong>TestingTorNetwork</strong> is set. (Default: 30 minutes)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>TestingEstimatedDescriptorPropagationTime</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>
+</dt>
+<dd>
+<p>
+ Clients try downloading router descriptors from directory caches after this
+ time. Changing this requires that <strong>TestingTorNetwork</strong> is set. (Default:
+ 10 minutes)
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_signals">SIGNALS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>Tor catches the following signals:</p></div>
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>SIGTERM</strong>
+</dt>
+<dd>
+<p>
+ Tor will catch this, clean up and sync to disk if necessary, and exit.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGINT</strong>
+</dt>
+<dd>
+<p>
+ Tor clients behave as with SIGTERM; but Tor servers will do a controlled
+ slow shutdown, closing listeners and waiting 30 seconds before exiting.
+ (The delay can be configured with the ShutdownWaitLength config option.)
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGHUP</strong>
+</dt>
+<dd>
+<p>
+ The signal instructs Tor to reload its configuration (including closing and
+ reopening logs), and kill and restart its helper processes if applicable.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGUSR1</strong>
+</dt>
+<dd>
+<p>
+ Log statistics about current connections, past connections, and throughput.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGUSR2</strong>
+</dt>
+<dd>
+<p>
+ Switch all logs to loglevel debug. You can go back to the old loglevels by
+ sending a SIGHUP.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGCHLD</strong>
+</dt>
+<dd>
+<p>
+ Tor receives this signal when one of its helper processes has exited, so it
+ can clean up.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGPIPE</strong>
+</dt>
+<dd>
+<p>
+ Tor catches this signal and ignores it.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>SIGXFSZ</strong>
+</dt>
+<dd>
+<p>
+ If this signal exists on your platform, Tor catches and ignores it.
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_files">FILES</h2>
+<div class="sectionbody">
+<div class="dlist"><dl>
+<dt class="hdlist1">
+<strong>@CONFDIR@/torrc</strong>
+</dt>
+<dd>
+<p>
+ The configuration file, which contains "option value" pairs.
+</p>
+</dd>
+<dt class="hdlist1">
+<strong>@LOCALSTATEDIR@/lib/tor/</strong>
+</dt>
+<dd>
+<p>
+ The tor process stores keys and other data here.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/cached-status/</strong>
+</dt>
+<dd>
+<p>
+ The most recently downloaded network status document for each authority.
+ Each file holds one such document; the filenames are the hexadecimal
+ identity key fingerprints of the directory authorities.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/cached-descriptors</strong> and <strong>cached-descriptors.new</strong>
+</dt>
+<dd>
+<p>
+ These files hold downloaded router statuses. Some routers may appear more
+ than once; if so, the most recently published descriptor is used. Lines
+ beginning with @-signs are annotations that contain more information about
+ a given router. The ".new" file is an append-only journal; when it gets
+ too large, all entries are merged into a new cached-descriptors file.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/cached-routers</strong> and <strong>cached-routers.new</strong>
+</dt>
+<dd>
+<p>
+ Obsolete versions of cached-descriptors and cached-descriptors.new. When
+ Tor can’t find the newer files, it looks here instead.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/state</strong>
+</dt>
+<dd>
+<p>
+ A set of persistent key-value mappings. These are documented in
+ the file. These include:
+</p>
+<div class="ulist"><ul>
+<li>
+<p>
+The current entry guards and their status.
+</p>
+</li>
+<li>
+<p>
+The current bandwidth accounting values (unused so far; see
+ below).
+</p>
+</li>
+<li>
+<p>
+When the file was last written
+</p>
+</li>
+<li>
+<p>
+What version of Tor generated the state file
+</p>
+</li>
+<li>
+<p>
+A short history of bandwidth usage, as produced in the router
+ descriptors.
+</p>
+</li>
+</ul></div>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/bw_accounting</strong>
+</dt>
+<dd>
+<p>
+ Used to track bandwidth accounting values (when the current period starts
+ and ends; how much has been read and written so far this period). This file
+ is obsolete, and the data is now stored in the 'state' file as well. Only
+ used when bandwidth accounting is enabled.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/control_auth_cookie</strong>
+</dt>
+<dd>
+<p>
+ Used for cookie authentication with the controller. Location can be
+ overridden by the CookieAuthFile config option. Regenerated on startup. See
+ control-spec.txt for details. Only used when cookie authentication is
+ enabled.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/keys/</strong>*
+</dt>
+<dd>
+<p>
+ Only used by servers. Holds identity keys and onion keys.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/fingerprint</strong>
+</dt>
+<dd>
+<p>
+ Only used by servers. Holds the fingerprint of the server’s identity key.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/approved-routers</strong>
+</dt>
+<dd>
+<p>
+ Only for naming authoritative directory servers (see
+ <strong>NamingAuthoritativeDirectory</strong>). This file lists nickname to identity
+ bindings. Each line lists a nickname and a fingerprint separated by
+ whitespace. See your <strong>fingerprint</strong> file in the <em>DataDirectory</em> for an
+ example line. If the nickname is <strong>!reject</strong> then descriptors from the
+ given identity (fingerprint) are rejected by this server. If it is
+ <strong>!invalid</strong> then descriptors are accepted but marked in the directory as
+ not valid, that is, not recommended.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>DataDirectory</em><strong>/router-stability</strong>
+</dt>
+<dd>
+<p>
+ Only used by authoritative directory servers. Tracks measurements for
+ router mean-time-between-failures so that authorities have a good idea of
+ how to set their Stable flags.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>HiddenServiceDirectory</em><strong>/hostname</strong>
+</dt>
+<dd>
+<p>
+ The <base32-encoded-fingerprint>.onion domain name for this hidden service.
+ If the hidden service is restricted to authorized clients only, this file
+ also contains authorization data for all clients.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>HiddenServiceDirectory</em><strong>/private_key</strong>
+</dt>
+<dd>
+<p>
+ The private key for this hidden service.
+</p>
+</dd>
+<dt class="hdlist1">
+<em>HiddenServiceDirectory</em><strong>/client_keys</strong>
+</dt>
+<dd>
+<p>
+ Authorization data for a hidden service that is only accessible by
+ authorized clients.
+</p>
+</dd>
+</dl></div>
+</div>
+<h2 id="_see_also">SEE ALSO</h2>
+<div class="sectionbody">
+<div class="paragraph"><p><strong>privoxy</strong>(1), <strong>tsocks</strong>(1), <strong>torify</strong>(1)<br /></p></div>
+<div class="paragraph"><p><strong>https://www.torproject.org/</strong></p></div>
+</div>
+<h2 id="_bugs">BUGS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>Plenty, probably. Tor is still in development. Please report them.</p></div>
+</div>
+<h2 id="_authors">AUTHORS</h2>
+<div class="sectionbody">
+<div class="paragraph"><p>Roger Dingledine [arma at mit.edu] Nick Mathewson [nickm at alum.mit.edu]</p></div>
+</div>
+</div>
<!-- END MAINCOL -->
- <div id = "sidecol">
+<div id = "sidecol">
#include "side.wmi"
#include "info.wmi"
- </div>
- <!-- END SIDECOL -->
</div>
+<!-- END SIDECOL -->
+</div>
<!-- END CONTENT -->
-#include <foot.wmi>
+#include <foot.wmi>
Modified: website/trunk/docs/fr/sidenav.wmi
===================================================================
--- website/trunk/docs/fr/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/fr/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
@@ -61,9 +61,9 @@
{'url' => 'docs/running-a-mirror',
'txt' => 'Configuring a Mirror',
},
-# {'url' => 'docs/tor-manual',
-# 'txt' => 'Tor -stable Manual',
-# },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'Tor -stable Manual',
+ },
{'url' => 'docs/tor-manual-dev',
'txt' => 'Tor -alpha Manual',
},
Modified: website/trunk/docs/my/sidenav.wmi
===================================================================
--- website/trunk/docs/my/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/my/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
@@ -61,9 +61,9 @@
{'url' => 'docs/running-a-mirror',
'txt' => 'Configuring a Mirror',
},
-# {'url' => 'docs/tor-manual',
-# 'txt' => 'Tor -stable Manual',
-# },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'Tor -stable Manual',
+ },
{'url' => 'docs/tor-manual-dev',
'txt' => 'Tor -alpha Manual',
},
Modified: website/trunk/docs/pl/sidenav.wmi
===================================================================
--- website/trunk/docs/pl/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/pl/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
@@ -61,9 +61,9 @@
{'url' => 'docs/running-a-mirror',
'txt' => 'Configuring a Mirror',
},
-# {'url' => 'docs/tor-manual',
-# 'txt' => 'Tor -stable Manual',
-# },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'Tor -stable Manual',
+ },
{'url' => 'docs/tor-manual-dev',
'txt' => 'Tor -alpha Manual',
},
Modified: website/trunk/docs/ru/sidenav.wmi
===================================================================
--- website/trunk/docs/ru/sidenav.wmi 2011-03-25 09:48:18 UTC (rev 24434)
+++ website/trunk/docs/ru/sidenav.wmi 2011-03-25 13:08:28 UTC (rev 24435)
@@ -61,9 +61,9 @@
{'url' => 'docs/running-a-mirror',
'txt' => 'Configuring a Mirror',
},
-# {'url' => 'docs/tor-manual',
-# 'txt' => 'Tor -stable Manual',
-# },
+ {'url' => 'docs/tor-manual',
+ 'txt' => 'Tor -stable Manual',
+ },
{'url' => 'docs/tor-manual-dev',
'txt' => 'Tor -alpha Manual',
},
1
0

[metrics-tasks/master] Add code to extract and transform dirreqs from the metrics-web database.
by karsten@torproject.org 25 Mar '11
by karsten@torproject.org 25 Mar '11
25 Mar '11
commit 34ff5894093706ceee424968c1ed18cd729ed7d9
Author: Karsten Loesing <karsten.loesing(a)gmx.net>
Date: Fri Mar 25 13:45:27 2011 +0100
Add code to extract and transform dirreqs from the metrics-web database.
---
task-2718/.gitignore | 2 +-
task-2718/README | 22 ++++++++++++++++++++++
task-2718/convert-dirreqs-sql.R | 8 ++++++++
3 files changed, 31 insertions(+), 1 deletions(-)
diff --git a/task-2718/.gitignore b/task-2718/.gitignore
index 673fa5f..917bb1b 100644
--- a/task-2718/.gitignore
+++ b/task-2718/.gitignore
@@ -1,3 +1,3 @@
-direct-users.csv
+*.csv
*.pdf
diff --git a/task-2718/README b/task-2718/README
index 807142a..8c60847 100644
--- a/task-2718/README
+++ b/task-2718/README
@@ -3,3 +3,25 @@ Here's how you run the censorship detector prototype:
$ wget https://metrics.torproject.org/csv/direct-users.csv
$ R --slave -f detect-censorship.R
+-------------------------------------------------------------------------
+
+Extracting raw directory requests from the metrics-web database:
+
+- Export dirreq_stats table from the metrics-web database via psql:
+
+ # \f ','
+ # \a
+ # \t
+ # \o dirreqs-sql.csv
+ # SELECT * FROM dirreq_stats ORDER BY statsend;
+ # \o
+ # \t
+ # \a
+
+- Transform the huge (!) CSV file (104M) from long to wide format. Note
+ that this takes a while:
+
+ $ R --slave -f convert-dirreqs-sql.R
+
+- The result is in dirreqs.csv (8.8M).
+
diff --git a/task-2718/convert-dirreqs-sql.R b/task-2718/convert-dirreqs-sql.R
new file mode 100644
index 0000000..e330307
--- /dev/null
+++ b/task-2718/convert-dirreqs-sql.R
@@ -0,0 +1,8 @@
+library(ggplot2)
+data <- read.csv("dirreqs-sql.csv", header = FALSE)
+data <- data.frame(fingerprint = data$V1, statsend = data$V2,
+ seconds = data$V3, country = data$V4, requests = data$V5)
+data <- cast(data, fingerprint + statsend + seconds ~ country,
+ value = "requests")
+write.csv(data, file = "dirreqs.csv", quote = FALSE, row.names = FALSE)
+
1
0

r24434: {website} move robert and chiiph to the core people page (website/trunk/about/en)
by Roger Dingledine 25 Mar '11
by Roger Dingledine 25 Mar '11
25 Mar '11
Author: arma
Date: 2011-03-25 09:48:18 +0000 (Fri, 25 Mar 2011)
New Revision: 24434
Modified:
website/trunk/about/en/corepeople.wml
website/trunk/about/en/volunteers.wml
Log:
move robert and chiiph to the core people page
Modified: website/trunk/about/en/corepeople.wml
===================================================================
--- website/trunk/about/en/corepeople.wml 2011-03-25 02:30:48 UTC (rev 24433)
+++ website/trunk/about/en/corepeople.wml 2011-03-25 09:48:18 UTC (rev 24434)
@@ -136,6 +136,10 @@
Tor network and measures various properties and
behaviors. Developer and maintainer of <a href="<page
torbutton/index>">Torbutton</a>.</dd>
+ <dt>Robert Ransom</dt>
+ <dd>Bug catcher and immensely helpful on irc and the
+ email lists. Looking into hidden service performance and
+ robustness.</dd>
<dt>Karen Reilly, Development Director</dt>
<dd>Responsible for fundraising, advocacy, general marketing,
policy outreach programs for Tor. She is also available to
@@ -160,6 +164,9 @@
<dd>Works on the artwork and design for various projects,
annual reports, and brochures. His other work can be found at
<a href="http://jmtodaro.com/">http://jmtodaro.com/</a>.</dd>
+ <dt>Tomás Touceda</dt>
+ <dd>Maintenance and new development for Vidalia.</dd>
+
</dl>
</div>
<!-- END MAINCOL -->
Modified: website/trunk/about/en/volunteers.wml
===================================================================
--- website/trunk/about/en/volunteers.wml 2011-03-25 02:30:48 UTC (rev 24433)
+++ website/trunk/about/en/volunteers.wml 2011-03-25 09:48:18 UTC (rev 24434)
@@ -36,8 +36,6 @@
defenses, and resource management, especially for hidden services.</dd>
<dt>Martin Peck</dt><dd>Working on a VM-based transparent
proxying approach for Tor clients on Windows.</dd>
-<dt>Robert Ransom</dt><dd>Bug catcher and immensely helpful on irc and the
-email lists</dd>
<dt>rovv (a pseudonym -- he's managed to stay anonymous even from
us!)</dt><dd>The most dedicated bug reporter we've ever heard from. He
must read Tor source code every day over breakfast.</dd>
@@ -46,8 +44,6 @@
href="<wiki>TransparentProxy">transparent
proxy</a>. Also maintains the <a
href="http://p56soo2ibjkx23xo.onion/">TorDNSEL code</a>.</dd>
-<dt>Tomás Touceda</dt><dd>Fantastic developer involved with the Vidalia
-project</dd>
<dt>Kyle Williams</dt><dd>Developer for
JanusVM, a VMWare-based
transparent Tor proxy that makes Tor easier to set up and use.</dd>
1
0

[metrics-tasks/master] Add George's censorship detector script.
by karsten@torproject.org 25 Mar '11
by karsten@torproject.org 25 Mar '11
25 Mar '11
commit f5d257dff6af41dbbe33ab20c5bbb218a38c8cd8
Author: Karsten Loesing <karsten.loesing(a)gmx.net>
Date: Fri Mar 25 10:29:38 2011 +0100
Add George's censorship detector script.
---
task-2718/detector.py | 306 +++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 306 insertions(+), 0 deletions(-)
diff --git a/task-2718/detector.py b/task-2718/detector.py
new file mode 100644
index 0000000..0370d02
--- /dev/null
+++ b/task-2718/detector.py
@@ -0,0 +1,306 @@
+## Copyright (c) 2011 George Danezis <gdane(a)microsoft.com>
+##
+## All rights reserved.
+##
+## Redistribution and use in source and binary forms, with or without
+## modification, are permitted (subject to the limitations in the
+## disclaimer below) provided that the following conditions are met:
+##
+## * Redistributions of source code must retain the above copyright
+## notice, this list of conditions and the following disclaimer.
+##
+## * Redistributions in binary form must reproduce the above copyright
+## notice, this list of conditions and the following disclaimer in the
+## documentation and/or other materials provided with the
+## distribution.
+##
+## * Neither the name of <Owner Organization> nor the names of its
+## contributors may be used to endorse or promote products derived
+## from this software without specific prior written permission.
+##
+## NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE
+## GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
+## HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+## WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+## MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+## DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+## LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+## CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+## SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+## BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+## WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+## OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+## IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+##
+## (Clear BSD license: http://labs.metacarta.com/license-explanation.html#license)
+
+## This script reads a .csv file of the number of Tor users and finds
+## anomalies that might be indicative of censorship.
+
+# Dep: matplotlib
+from pylab import *
+import matplotlib
+
+# Dep: numpy
+import numpy
+
+# Dep: scipy
+import scipy.stats
+from scipy.stats.distributions import norm
+from scipy.stats.distributions import poisson
+
+# Std lib
+from datetime import date
+from datetime import timedelta
+import os.path
+
+days = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
+
+# read the .csv file
+class torstatstore:
+ def __init__(self, file_name):
+ f = file(file_name)
+ country_codes = f.readline()
+ country_codes = country_codes.strip().split(",")
+
+ store = {}
+ MAX_INDEX = 0
+ for i, line in enumerate(f):
+ MAX_INDEX += 1
+ line_parsed = line.strip().split(",")
+ for j, (ccode, val) in enumerate(zip(country_codes,line_parsed)):
+ processed_val = None
+ if ccode == "date":
+ try:
+ year, month, day = int(val[:4]), int(val[5:7]), int(val[8:10])
+ processed_val = date(year, month, day)
+ except Exception, e:
+ print "Parsing error (ignoring line %s):" % j
+ print "%s" % val,e
+ break
+
+ elif val != "NA":
+ processed_val = int(val)
+ store[(ccode, i)] = processed_val
+
+ # min and max
+ date_min = store[("date", 0)]
+ date_max = store[("date", i)]
+
+ all_dates = []
+ d = date_min
+ dt = timedelta(days=1)
+ while d <= date_max:
+ all_dates += [d]
+ d = d + dt
+
+ # Save for later
+ self.store = store
+ self.all_dates = all_dates
+ self.country_codes = country_codes
+ self.MAX_INDEX = MAX_INDEX
+ self.date_min = date_min
+ self.date_max = date_max
+
+ def get_country_series(self, ccode):
+ assert ccode in self.country_codes
+ series = {}
+ for d in self.all_dates:
+ series[d] = None
+ for i in range(self.MAX_INDEX):
+ series[self.store[("date", i)]] = self.store[(ccode, i)]
+ sx = []
+ for d in self.all_dates:
+ sx += [series[d]]
+ return sx
+
+ def get_largest(self, number):
+ exclude = set(["all", "??", "date"])
+ l = [(self.store[(c, self.MAX_INDEX-1)], c) for c in self.country_codes if c not in exclude]
+ l.sort()
+ l.reverse()
+ return l[:number]
+
+ def get_largest_locations(self, number):
+ l = self.get_largest(number)
+ res = {}
+ for _, ccode in l[:number]:
+ res[ccode] = self.get_country_series(ccode)
+ return res
+
+# Computes the difference between today and a number of days in the past
+def n_day_rel(series, days):
+ rel = []
+ for i, v in enumerate(series):
+ if series[i] is None:
+ rel += [None]
+ continue
+
+ if i - days < 0 or series[i-days] is None or series[i-days] == 0:
+ rel += [None]
+ else:
+ rel += [ float(series[i]) / series[i-days]]
+ return rel
+
+# Main model: computes the expected min / max range of number of users
+def make_tendencies_minmax(l, INTERVAL = 1):
+ lminus1 = dict([(ccode, n_day_rel(l[ccode], INTERVAL)) for ccode in l])
+ c = lminus1[lminus1.keys()[0]]
+ dists = []
+ minx = []
+ maxx = []
+ for i in range(len(c)):
+ vals = [lminus1[ccode][i] for ccode in lminus1.keys() if lminus1[ccode][i] != None]
+ if len(vals) < 8:
+ dists += [None]
+ minx += [None]
+ maxx += [None]
+ else:
+ vals.sort()
+ median = vals[len(vals)/2]
+ q1 = vals[len(vals)/4]
+ q2 = vals[(3*len(vals))/4]
+ qd = q2 - q1
+ vals = [v for v in vals if median - qd*4 < v and v < median + qd*4]
+ if len(vals) < 8:
+ dists += [None]
+ minx += [None]
+ maxx += [None]
+ continue
+ mu, signma = norm.fit(vals)
+ dists += [(mu, signma)]
+ maxx += [norm.ppf(0.9999, mu, signma)]
+ minx += [norm.ppf(1 - 0.9999, mu, signma)]
+ ## print minx[-1], maxx[-1]
+ return minx, maxx
+
+# Makes pretty plots
+def raw_plot(series, minc, maxc, labels, xtitle):
+ assert len(xtitle) == 3
+ fname, stitle, slegend = xtitle
+
+ font = {'family' : 'Bitstream Vera Sans',
+ 'weight' : 'normal',
+ 'size' : 8}
+ matplotlib.rc('font', **font)
+
+ ylim( (-max(series)*0.1, max(series)*1.1) )
+ plot(labels, series, linewidth=1.0, label="Users")
+
+ wherefill = []
+ for mm,mx in zip(minc, maxc):
+ wherefill += [not (mm == None and mx == None)]
+ assert mm < mx or (mm == None and mx == None)
+
+ fill_between(labels, minc, maxc, where=wherefill, color="gray", label="Prediction")
+
+ vdown = []
+ vup = []
+ for i,v in enumerate(series):
+ if minc[i] != None and v < minc[i]:
+ vdown += [v]
+ vup += [None]
+ elif maxc[i] != None and v > maxc[i]:
+ vdown += [None]
+ vup += [v]
+ else:
+ vup += [None]
+ vdown += [None]
+
+ plot(labels, vdown, 'o', ms=10, lw=2, alpha=0.5, mfc='orange', label="Downturns")
+ plot(labels, vup, 'o', ms=10, lw=2, alpha=0.5, mfc='green', label="Upturns")
+
+ legend(loc=2)
+
+ xlabel('Time (days)')
+ ylabel('Users')
+ title(stitle)
+ grid(True)
+ F = gcf()
+
+ F.set_size_inches(10,5)
+ F.savefig(fname, format="png", dpi = (150))
+ close()
+
+def absolute_plot(series, minc, maxc, labels,INTERVAL, xtitle):
+ in_minc = []
+ in_maxc = []
+ for i, v in enumerate(series):
+ if i > 0 and i - INTERVAL >= 0 and series[i] != None and series[i-INTERVAL] != None and series[i-INTERVAL] != 0 and minc[i]!= None and maxc[i]!= None:
+ in_minc += [minc[i] * poisson.ppf(1-0.9999, series[i-INTERVAL])]
+ in_maxc += [maxc[i] * poisson.ppf(0.9999, series[i-INTERVAL])]
+ if not in_minc[-1] < in_maxc[-1]:
+ print in_minc[-1], in_maxc[-1], series[i-INTERVAL], minc[i], maxc[i]
+ assert in_minc[-1] < in_maxc[-1]
+ else:
+ in_minc += [None]
+ in_maxc += [None]
+ raw_plot(series, in_minc, in_maxc, labels, xtitle)
+
+# Censorship score by jurisdiction
+def censor_score(series, minc, maxc, INTERVAL):
+ upscore = 0
+ downscore = 0
+ for i, v in enumerate(series):
+ if i > 0 and i - INTERVAL >= 0 and series[i] != None and series[i-INTERVAL] != None and series[i-INTERVAL] != 0 and minc[i]!= None and maxc[i]!= None:
+ in_minc = minc[i] * poisson.ppf(1-0.9999, series[i-INTERVAL])
+ in_maxc = maxc[i] * poisson.ppf(0.9999, series[i-INTERVAL])
+ downscore += 1 if minc[i] != None and v < in_minc else 0
+ upscore += 1 if maxc[i] != None and v > in_maxc else 0
+ return downscore, upscore
+
+def plot_target(tss, TARGET, xtitle, minx, maxx, DAYS=365, INTERV = 7):
+ ctarget = tss.get_country_series(TARGET)
+ c = n_day_rel(ctarget, INTERV)
+ absolute_plot(ctarget[-DAYS:], minx[-DAYS:], maxx[-DAYS:], tss.all_dates[-DAYS:],INTERV, xtitle = xtitle)
+
+
+## Make a league table of censorship + nice graphs
+def plot_all(tss, minx, maxx, INTERV, DAYS=None, rdir="img"):
+ rdir = os.path.realpath(rdir)
+ if not os.path.exists(rdir) or not os.path.isdir(rdir):
+ print "ERROR: %s does not exist or is not a directory." % rdir
+ return
+
+ summary_file = file(os.path.join(rdir, "summary.txt"), "w")
+
+ if DAYS == None:
+ DAYS = 6*31
+
+ s = tss.get_largest(200)
+ scores = []
+ for num, li in s:
+ print ".",
+ ds,us = censor_score(tss.get_country_series(li)[-DAYS:], minx[-DAYS:], maxx[-DAYS:], INTERV)
+ # print ds, us
+ scores += [(ds,num, us, li)]
+ scores.sort()
+ scores.reverse()
+ s = "\n=======================\n"
+ s+= "Report for %s to %s\n" % (tss.all_dates[-DAYS], tss.all_dates[-1])
+ s+= "=======================\n"
+ print s
+ summary_file.write(s)
+ for a,nx, b,c in scores:
+ if a > 0:
+ s = "%s -- down: %2d (up: %2d affected: %s)" % (c, a, b, nx)
+ print s
+ summary_file.write(s + "\n")
+ xtitle = (os.path.join(rdir, "%03d-%s-censor.png" % (a,c)), "Tor report for %s -- down: %2d (up: %2d affected: %s)" % (c, a, b, nx),"")
+ plot_target(tss, c,xtitle, minx, maxx, DAYS, INTERV)
+ summary_file.close()
+
+def main():
+ # Change these to customize script
+ CSV_FILE = "direct-users.csv"
+ GRAPH_DIR = "img"
+ INTERV = 7
+ DAYS= 6 * 31
+
+ tss = torstatstore(CSV_FILE)
+ l = tss.get_largest_locations(50)
+ minx, maxx = make_tendencies_minmax(l, INTERV)
+ plot_all(tss, minx, maxx, INTERV, DAYS, rdir=GRAPH_DIR)
+
+if __name__ == "__main__":
+ main()
1
0

r24433: {arm} Couple small fixes: fix: using Tor's internal address when n (arm/trunk/src/interface/connections)
by Damian Johnson 25 Mar '11
by Damian Johnson 25 Mar '11
25 Mar '11
Author: atagar
Date: 2011-03-25 02:30:48 +0000 (Fri, 25 Mar 2011)
New Revision: 24433
Modified:
arm/trunk/src/interface/connections/connEntry.py
Log:
Couple small fixes:
fix: using Tor's internal address when not expanding (patch by Fabian Keil)
fix: sorting scrubbed ip addresses at the end
Modified: arm/trunk/src/interface/connections/connEntry.py
===================================================================
--- arm/trunk/src/interface/connections/connEntry.py 2011-03-24 10:56:13 UTC (rev 24432)
+++ arm/trunk/src/interface/connections/connEntry.py 2011-03-25 02:30:48 UTC (rev 24433)
@@ -29,6 +29,9 @@
LABEL_FORMAT = "%s --> %s %s%s"
LABEL_MIN_PADDING = 2 # min space between listing label and following data
+# sort value for scrubbed ip addresses
+SCRUBBED_IP_VAL = 255 ** 4
+
CONFIG = {"features.connection.markInitialConnections": True,
"features.connection.showExitPort": True,
"features.connection.showColumn.fingerprint": True,
@@ -149,25 +152,28 @@
Provides the value of a single attribute used for sorting purposes.
"""
+ connLine = self.lines[0]
if attr == entries.SortAttr.IP_ADDRESS:
- return self.lines[0].sortIpAddr
+ if connLine.isPrivate(): return SCRUBBED_IP_VAL # orders at the end
+ return connLine.sortIpAddr
elif attr == entries.SortAttr.PORT:
- return self.lines[0].sortPort
+ return connLine.sortPort
elif attr == entries.SortAttr.HOSTNAME:
- return self.lines[0].foreign.getHostname("")
+ if connLine.isPrivate(): return ""
+ return connLine.foreign.getHostname("")
elif attr == entries.SortAttr.FINGERPRINT:
- return self.lines[0].foreign.getFingerprint()
+ return connLine.foreign.getFingerprint()
elif attr == entries.SortAttr.NICKNAME:
- myNickname = self.lines[0].foreign.getNickname()
+ myNickname = connLine.foreign.getNickname()
if myNickname == "UNKNOWN": return "z" * 20 # orders at the end
else: return myNickname.lower()
elif attr == entries.SortAttr.CATEGORY:
- return Category.indexOf(self.lines[0].getType())
+ return Category.indexOf(connLine.getType())
elif attr == entries.SortAttr.UPTIME:
- return self.lines[0].startTime
+ return connLine.startTime
elif attr == entries.SortAttr.COUNTRY:
if connections.isIpAddressPrivate(self.lines[0].foreign.getIpAddr()): return ""
- else: return self.lines[0].foreign.getLocale("")
+ else: return connLine.foreign.getLocale("")
else:
return entries.ConnectionPanelEntry.getSortValue(self, attr, listingType)
@@ -508,7 +514,8 @@
isExpansionType = not myType in (Category.PROGRAM, Category.CONTROL)
- srcAddress = myExternalIpAddr + localPort
+ if isExpansionType: srcAddress = myExternalIpAddr + localPort
+ else: srcAddress = self.local.getIpAddr() + localPort
src = "%-21s" % srcAddress # ip:port = max of 21 characters
dst = "%-26s" % dstAddress # ip:port (xx) = max of 26 characters
1
0

[metrics-tasks/master] Add code for bridge churn graph (#2794).
by karsten@torproject.org 24 Mar '11
by karsten@torproject.org 24 Mar '11
24 Mar '11
commit 8dde11c31d385d92d3dc41032438b62b693f6daf
Author: Karsten Loesing <karsten.loesing(a)gmx.net>
Date: Thu Mar 24 16:05:35 2011 +0100
Add code for bridge churn graph (#2794).
---
task-2794/.gitignore | 4 +
task-2794/README | 12 +++
task-2794/StillRunning.java | 139 +++++++++++++++++++++++++++++++++++++
task-2794/still-running-bridges.R | 15 ++++
4 files changed, 170 insertions(+), 0 deletions(-)
diff --git a/task-2794/.gitignore b/task-2794/.gitignore
new file mode 100644
index 0000000..939f812
--- /dev/null
+++ b/task-2794/.gitignore
@@ -0,0 +1,4 @@
+*.csv
+*.class
+*.png
+
diff --git a/task-2794/README b/task-2794/README
new file mode 100644
index 0000000..311c5b5
--- /dev/null
+++ b/task-2794/README
@@ -0,0 +1,12 @@
+Code to create a graph on "Uptimes of bridges that were running Jan 2,
+2011, 00:00:00 UTC":
+
+ - Generate assignments.csv and statuses.csv using the #2680 code and put
+ them in this directory.
+
+ - Compile and run the Java class:
+ $ javac StillRunning.java && java StillRunning
+
+ - Run the R code (note that this may take a few minutes!):
+ $ R --slave -f still-running-bridges.R
+
diff --git a/task-2794/StillRunning.java b/task-2794/StillRunning.java
new file mode 100644
index 0000000..111c085
--- /dev/null
+++ b/task-2794/StillRunning.java
@@ -0,0 +1,139 @@
+import java.io.*;
+import java.util.*;
+public class StillRunning {
+ public static void main(String[] args) throws Exception {
+
+ /* Parse bridge pool assignments. */
+ Map<String, String> assignments = new HashMap<String, String>();
+ BufferedReader br = new BufferedReader(new FileReader(
+ "assignments.csv"));
+ String line = br.readLine();
+ while ((line = br.readLine()) != null) {
+ String[] parts = line.split(",");
+ String fingerprint = parts[1];
+ String type = parts[2];
+ assignments.put(fingerprint, type);
+ }
+ br.close();
+
+ /* Parse running bridges in first status of the second day in the data
+ * set. */
+ br = new BufferedReader(new FileReader("statuses.csv"));
+ line = br.readLine();
+ if (!line.split(",")[15].equals("running")) {
+ System.out.println("Column 16 should be 'running'");
+ System.exit(1);
+ }
+ String dayOne = null, lastStatus = null;
+ List<String> fingerprints = new ArrayList<String>();
+ Map<String, String> addresses = new HashMap<String, String>();
+ while ((line = br.readLine()) != null) {
+ String[] parts = line.split(",");
+ String status = parts[0];
+ if (dayOne == null) {
+ dayOne = status.substring(0, "yyyy-mm-dd".length());
+ } else if (status.startsWith(dayOne)) {
+ continue;
+ }
+ String running = parts[15];
+ if (!running.equals("TRUE")) {
+ continue;
+ }
+ if (lastStatus != null && !status.equals(lastStatus)) {
+ break;
+ }
+ lastStatus = status;
+ String fingerprint = parts[1];
+ fingerprints.add(fingerprint);
+ String address = parts[4];
+ addresses.put(fingerprint, address);
+ }
+
+ /* Parse subsequent statuses and count how often these bridges
+ * occur. */
+ Map<String, Integer>
+ fingerprintAnyCount = new HashMap<String, Integer>(),
+ fingerprintSameCount = new HashMap<String, Integer>();
+ for (String fingerprint : fingerprints) {
+ fingerprintAnyCount.put(fingerprint, 1);
+ fingerprintSameCount.put(fingerprint, 1);
+ }
+ do {
+ String[] parts = line.split(",");
+ String status = parts[0];
+ String running = parts[15];
+ if (!running.equals("TRUE")) {
+ continue;
+ }
+ String fingerprint = parts[1];
+ if (!fingerprints.contains(fingerprint)) {
+ continue;
+ }
+ fingerprintAnyCount.put(fingerprint,
+ fingerprintAnyCount.get(fingerprint) + 1);
+ String address = parts[4];
+ if (addresses.get(fingerprint).equals(address)) {
+ fingerprintSameCount.put(fingerprint,
+ fingerprintSameCount.get(fingerprint) + 1);
+ }
+ } while ((line = br.readLine()) != null);
+
+ /* Create two lists of fingerprints, ordered by the number of
+ * occurrences. */
+ SortedMap<String, String>
+ sortAnyFingerprints = new TreeMap<String, String>(),
+ sortSameFingerprints = new TreeMap<String, String>();
+ for (Map.Entry<String, Integer> e : fingerprintAnyCount.entrySet()) {
+ sortAnyFingerprints.put(String.format("%05d %s", e.getValue(),
+ e.getKey()), e.getKey());
+ }
+ List<String> sortedAnyFingerprints = new ArrayList<String>(
+ sortAnyFingerprints.values());
+ for (Map.Entry<String, Integer> e : fingerprintSameCount.entrySet()) {
+ sortSameFingerprints.put(String.format("%05d %s", e.getValue(),
+ e.getKey()), e.getKey());
+ }
+ List<String> sortedSameFingerprints = new ArrayList<String>(
+ sortSameFingerprints.values());
+
+ /* Write bridges of first status to disk. */
+ BufferedWriter bw = new BufferedWriter(new FileWriter(
+ "still-running-bridges.csv"));
+ bw.write("status,anyid,sameid,type,addresschange\n");
+ for (String fingerprint : sortedAnyFingerprints) {
+ bw.write(lastStatus + ","
+ + sortedAnyFingerprints.indexOf(fingerprint) + ","
+ + sortedSameFingerprints.indexOf(fingerprint) + ","
+ + assignments.get(fingerprint) + ",FALSE\n");
+ }
+
+ /* Parse statuses once again and write bridges to disk. */
+ br = new BufferedReader(new FileReader("statuses.csv"));
+ line = br.readLine();
+ while ((line = br.readLine()) != null) {
+ String[] parts = line.split(",");
+ String status = parts[0];
+ if (status.startsWith(dayOne)) {
+ continue;
+ }
+ String running = parts[15];
+ if (!running.equals("TRUE")) {
+ continue;
+ }
+ String fingerprint = parts[1];
+ if (!fingerprints.contains(fingerprint)) {
+ continue;
+ }
+ String address = parts[4];
+ boolean addressChange = !addresses.get(fingerprint).equals(address);
+ bw.write(status + ","
+ + sortedAnyFingerprints.indexOf(fingerprint) + ","
+ + sortedSameFingerprints.indexOf(fingerprint) + ","
+ + assignments.get(fingerprint) + ","
+ + (addressChange ? "TRUE" : "FALSE") + "\n");
+ }
+ bw.close();
+ br.close();
+ }
+}
+
diff --git a/task-2794/still-running-bridges.R b/task-2794/still-running-bridges.R
new file mode 100644
index 0000000..8752b07
--- /dev/null
+++ b/task-2794/still-running-bridges.R
@@ -0,0 +1,15 @@
+library(ggplot2)
+anyip <- read.csv("still-running-bridges.csv", stringsAsFactors = FALSE)
+sameip <- anyip[anyip$addresschange == FALSE, ]
+data <- rbind(
+ data.frame(status = anyip$status, bridgeid = anyip$anyid, address = "any IP address"),
+ data.frame(status = sameip$status, bridgeid = sameip$sameid, address = "same IP address"))
+ggplot(data, aes(x = as.POSIXct(status),
+ y = (max(data$bridgeid) - bridgeid) / max(data$bridgeid))) +
+facet_grid(address ~ .) +
+geom_point(size = 0.2, colour = "springgreen3") +
+scale_x_datetime(name = "") +
+scale_y_continuous(name = "", formatter = "percent") +
+opts(title = "Uptimes of bridges that were running Jan 2, 2011, 00:00:00 UTC\n")
+ggsave(filename = "still-running-bridges.png", width = 8, height = 5, dpi = 72)
+
1
0