commit e45978fc08d83d0c0d444240932857eb510a16c9
Author: gus gus@torproject.org
Date: Fri Jul 5 18:28:18 2019 -0400

    Move how to use ansible relayor from technical-setup main page to good practices page
---
 .../relay-operations/technical-setup/contents.lr | 10 +----
 .../contents.lr | 52 ++++++++++++----------
 2 files changed, 29 insertions(+), 33 deletions(-)
diff --git a/content/relay-operations/technical-setup/contents.lr b/content/relay-operations/technical-setup/contents.lr index 07925c7..886bacc 100644 --- a/content/relay-operations/technical-setup/contents.lr +++ b/content/relay-operations/technical-setup/contents.lr @@ -38,14 +38,6 @@ If you are looking to run a relay with minimal effort we recommend you stick to
The installation commands are shown in code blocks and must be executed with root privileges.
-## Configuration Management - -If you plan to run more than a single relay, or you want to run a high capacity relay (multiple Tor instances per server) or want to use strong security features like [Offline Master Keys](https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKe...) without performing additional steps manually, you may want to use a configuration management for better maintainability. - -There are multiple configuration management solutions for Unix based operating systems (Ansible, Puppet, Salt, ...). - -The following Ansible Role has specifically been build for Tor relay operators and supports multiple operating systems: [Ansible Relayor](http://github.com/nusenu/ansible-relayor). - -Click below in which type of relay do you want to host. +Click below in which type of relay do you want to host and don't forget to read [Relay post-install and good practices](relays-post-install-and-good-practices). --- _slug: {{setup}} diff --git a/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr b/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr index 8373219..5236fbe 100644 --- a/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr +++ b/content/relay-operations/technical-setup/relays-post-install-and-good-practices/contents.lr @@ -28,8 +28,31 @@ You can search for your relay using your nickname or IP address.
It takes some time for relay traffic to ramp up, this is especially true for guard relays but to a lesser extend also for exit relays. To understand this process, read about the [lifecycle of a new relay](https://blog.torproject.org/lifecycle-new-relay).
+# 4. Configuration Management
-#4. Optional: Limiting bandwidth usage (and traffic) +If you plan to run more than a single relay, or you want to run a high capacity relay (multiple Tor instances per server) or want to use strong security features like [Offline Master Keys](https://trac.torproject.org/projects/tor/wiki/doc/TorRelaySecurity/OfflineKe...) without performing additional steps manually, you may want to use a configuration management for better maintainability. + +There are multiple configuration management solutions for Unix based operating systems (Ansible, Puppet, Salt, ...). + +The following Ansible Role has specifically been build for Tor relay operators and supports multiple operating systems: [Ansible Relayor](http://github.com/nusenu/ansible-relayor). + +# 5. Important: if you run more than one Tor instance + +To avoid putting Tor clients at risk when operating multiple relays you must set a proper [MyFamily](https://2019.www.torproject.org/docs/tor-manual.html.en#MyFamily) value and have a valid [ContactInfo](https://2019.www.torproject.org/docs/tor-manual.html.en#ContactInfo) in your torrc configuration. +The MyFamily setting is simply telling Tor clients what Tor relays are controlled by a single entity/operator/organization, so they are not used in multiple positions in a single circuit. + +If you run two relays and they have fingerprints AAAAAAAAAA and BBBBBBBB, you would add the following configuration to set MyFamily: + +``` +MyFamily AAAAAAAAAA,BBBBBBBB +``` + +to both relays. To find your relays fingerprint you can look into the log files when tor starts up or find the file named "fingerprint" in your tor DataDirectory. + +Instead of doing so manually for big operators we recommend to automate the MyFamily setting via a configuration management solution. +Manually managing MyFamily for big relay groups is error prone and can put Tor clients at risk. + +# 6. Optional: Limiting bandwidth usage (and traffic)
Tor will not limit its bandwidth usage by default, but supports multiple ways to restrict the used bandwidth and the amount of traffic. This can be handy if you want to ensure that your Tor relay does not exceed a certain amount of bandwidth or total traffic per day/week/month. @@ -44,9 +67,9 @@ The following torrc configuration options can be used to restrict bandwidth and
Having a fast relay for some time of the month is preferred over a slow relay for the entire month.
-Also see the bandwidth entry in the FAQ: https://www.torproject.org/docs/faq.html.en#BandwidthShaping +Also see the bandwidth entry in the [FAQ](https://www.torproject.org/docs/faq.html.en#BandwidthShaping).
-# 5. Check IPv6 availability +# 7. Check IPv6 availability
We encourage everyone to enable IPv6 on their relays. This is especially valuable on exit and guard relays.
@@ -84,24 +107,7 @@ IPv6Exit 1
Note: Tor requires IPv4 connectivity, you can not run a Tor relay on IPv6-only.
-# 6. Important: if you run more than one Tor instance - -To avoid putting Tor clients at risk when operating multiple relays you must set a proper [MyFamily](https://2019.www.torproject.org/docs/tor-manual.html.en#MyFamily) value and have a valid [ContactInfo](https://2019.www.torproject.org/docs/tor-manual.html.en#ContactInfo) in your torrc configuration. -The MyFamily setting is simply telling Tor clients what Tor relays are controlled by a single entity/operator/organization, so they are not used in multiple positions in a single circuit. - -If you run two relays and they have fingerprints AAAAAAAAAA and BBBBBBBB, you would add the following configuration to set MyFamily: - -``` -MyFamily AAAAAAAAAA,BBBBBBBB -``` - -to both relays. To find your relays fingerprint you can look into the log files when tor starts up or find the file named "fingerprint" in your tor DataDirectory. - -Instead of doing so manually for big operators we recommend to automate the MyFamily setting via a configuration management solution. -Manually managing MyFamily for big relaygroups is error prone and can put Tor clients at risk. - - -# 7. Maintaining a relay +# 8. Maintaining a relay
## Backup Tor Identity Keys
@@ -116,9 +122,7 @@ Default locations of the keys folder:
## Subscribe to the tor-announce mailing list
-This is a very low traffic mailing list and you will get information about new stable tor releases and important security update information. - -* https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce +This is a very low traffic mailing list and you will get information about new stable tor releases and important security update information: [tor-announce](https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce).
## Setting up outage notifications
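Review bot: In content/relay-operations/technical-setup/contents.lr, the added closing line is hard to read as written ("Click below in which type of relay do you want to host and don't forget to read ..."). Suggest "Click below on the type of relay you want to host, and don't forget to read [Relay post-install and good practices](relays-post-install-and-good-practices)." Since this hunk removes the Configuration Management section from the page, the sentence could also say why the linked page matters, for example that it covers MyFamily for operators running more than one relay.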
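Review bot: In the new "# 4. Configuration Management" section of relays-post-install-and-good-practices/contents.lr, the Ansible Relayor link is carried over as http://github.com/nusenu/ansible-relayor. Operators are being pointed at code that will configure their relays and handle their keys, so the link should use https://. The moved text also keeps "has specifically been build" (should be "built"), "a configuration management" (missing a noun such as "tool"), and, in section 5, "your relays fingerprint" (missing apostrophe). In the MyFamily example the placeholder fingerprints AAAAAAAAAA and BBBBBBBB have different lengths; adding a sentence that a real fingerprint is 40 hexadecimal characters would make it harder to paste a truncated value.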
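Review bot: In the @@ -44,9 +67,9 @@ hunk, the reworked FAQ link still points at https://www.torproject.org/docs/faq.html.en#BandwidthShaping, while the tor-manual links in the same file use the 2019.www.torproject.org host. Please check that the FAQ URL and its #BandwidthShaping anchor still resolve on the current site, and use the same host as the manual links if they do not.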
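Review bot: The removal of "# 6. Important: if you run more than one Tor instance" in the @@ -84,24 +107,7 @@ hunk, together with its re-addition as section 5 earlier in the file, is not covered by the commit subject, which only mentions the ansible relayor text. The move is also not verbatim: the removed copy says "big relaygroups" and the added copy says "big relay groups". Either mention the MyFamily reordering and the wording fix in the commit message, or split the pure move from the text edits so the safety-relevant MyFamily guidance can be diffed line for line.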
tor-commits@lists.torproject.org