commit aa62941d87449d96c10fe2cc0da836704873db24
Author: nusenu nusenu-github@riseup.net
Date:   Sat Apr 27 23:08:45 2019 +0000

    relay guide: add platform specific content

    move exit configuration into separate file
    remove openSUSE
---
 .../technical-setup/centosrhel/contents.lr   |   9 +
 .../technical-setup/debianubuntu/contents.lr |  43 +++++
 .../technical-setup/exit-relay/contents.lr   | 205 +++++++++++++++++++++
 .../technical-setup/fedora/contents.lr       |   9 +
 .../technical-setup/freebsd/contents.lr      |   9 +
 5 files changed, 275 insertions(+)
diff --git a/content/relay-operations/technical-setup/centosrhel/contents.lr b/content/relay-operations/technical-setup/centosrhel/contents.lr new file mode 100644 index 0000000..224dadf --- /dev/null +++ b/content/relay-operations/technical-setup/centosrhel/contents.lr @@ -0,0 +1,9 @@ +_model: page +--- +title: CentOS/RHEL +--- +html: relay-operations.html +--- +section: relay operations +--- +section_id: relay-operations diff --git a/content/relay-operations/technical-setup/debianubuntu/contents.lr b/content/relay-operations/technical-setup/debianubuntu/contents.lr new file mode 100644 index 0000000..c8627c5 --- /dev/null +++ b/content/relay-operations/technical-setup/debianubuntu/contents.lr @@ -0,0 +1,43 @@ +_model: page +--- +title: Debian/Ubuntu +--- +html: relay-operations.html +--- +section: relay operations +--- +section_id: relay-operations +--- +body: + +# 1. Configure Tor Package Repository + +Enable the Torproject package repository by following the instructions +**[here](https://2019.www.torproject.org/docs/debian.html.en#ubuntu)**. + +# 2. Package Installation + +Install the `tor` package: + +`apt update && apt install tor` + +# 3. Configuration File + +Put the configuration file `/etc/tor/torrc` in place: + +``` +#change the nickname "myNiceRelay" to a name that you like +Nickname myNiceRelay +ORPort 443 +ExitRelay 0 +SocksPort 0 +ControlSocket 0 +# Change the email address bellow and be aware that it will be published +ContactInfo tor-operator@your-emailaddress-domain +``` + +# 4. Restart the Service + +Restart the tor daemon so your configuration changes take effect: + +`systemctl restart tor@default` diff --git a/content/relay-operations/technical-setup/exit-relay/contents.lr b/content/relay-operations/technical-setup/exit-relay/contents.lr new file mode 100644 index 0000000..8686f47 --- /dev/null +++ b/content/relay-operations/technical-setup/exit-relay/contents.lr 
@@ -0,0 +1,205 @@ +_model: page +--- +title: Exit Relay Configuration +--- +html: relay-operations.html +--- +section: relay operations +--- +section_id: relay-operations +--- +key: 5 +--- +body: + +We assume you read through the [relay guide](..) already. This subpage is +for operators that want to turn on exiting on their relay. + +It is recommended that you setup exit relays on servers dedicated to this +purpose. It is not recommended to install Tor exit relays on servers that you +need for other services as well. Do not mix your own traffic with your exit +relay traffic. + +## Reverse DNS and WHOIS record + +Before turning your non-exit relay into an exit relay, ensure that you have set a +reverse DNS record (PTR) to make it more obvious that this is a tor +exit relay. Something like "tor-exit" it its name is a good start. + +If your provider offers it, make sure your WHOIS record contains clear +indications that this is a Tor exit relay. + +## Exit Notice HTML page + +To make it even more obvious that this is a Tor exit relay you should serve a +Tor exit notice HTML page. Tor can do that for you if your DirPort is on TCP +port 80, you can make use of tor's DirPortFrontPage feature to display a +HTML file on that port. This file will be shown to anyone directing his browser +to your Tor exit relay IP address. + +``` +DirPort 80 +DirPortFrontPage /path/to/html/file +``` + +We offer a sample Tor exit notice HTML file, but you might want to adjust it to +your needs: +https://gitweb.torproject.org/tor.git/plain/contrib/operator-tools/tor-exit-... + +Here are some more tips for running a reliable exit relay: +https://blog.torproject.org/tips-running-exit-node + +## Exit Policy + +Defining the [exit +policy](https://www.torproject.org/docs/tor-manual.html.en#ExitPolicy) +is one of the most important parts of an exit relay configuration. The exit +policy defines which destination ports you are willing to forward. 
This has an +impact on the amount of abuse emails you will get (less ports means less abuse +emails, but an exit relay allowing only few ports is also less useful). If you +want to be a useful exit relay you must **at least allow destination ports 80 +and 443**. + +As a new exit relay - especially if you are new to your hoster - it is good to +start with a reduced exit policy (to reduce the amount of abuse emails) and +further open it up as you become more experienced. The reduced exit policy can +be found on the +[ReducedExitPolicy](https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy) +wiki page. + +To become an exit relay change ExitRelay from 0 to 1 in your torrc configuration +file and restart the tor daemon. + +``` +ExitRelay 1 +``` + +## DNS on Exit Relays + +Unlike other types of relays, exit relays also do DNS resolution for Tor +clients. DNS resolution on exit relays is crucial for Tor clients, it should be +reliable and fast by using caching. + +* DNS resolution can have a significant impact on the performance and reliability your exit relay provides. Poor DNS performance will result in less traffic going through your exit relay. 
+* Don't use any of the big DNS resolvers as your primary or fallback DNS resolver to avoid centralization (Google, OpenDNS, Quad9, Cloudflare, 4.2.2.1-6) +* We recommend running a local caching and DNSSEC-validating resolver without using any forwarders (specific instructions follow bellow for each operating systems) +* if you want to add a second DNS resolver as a fallback to your /etc/resolv.conf configuration, try to choose a resolver within your autonomous system and make sure it is not your first entry in that file (the first entry should be your local resolver) +* if a local resolver like unbound is not an option for you try to use a resolver that your provider runs in the same autonomous system (to find out if an IP address is in the same AS as your relay, you can look it up, using for example https://bgp.he.net). +* try to avoid adding too many resolvers to your /etc/resolv.conf file to limit exposure on an AS-level (try to not use more than two entries) + +There are multiple options for DNS server software, unbound has become a popular +one but **feel free to use any other you are comfortable with**. When choosing your +DNS resolver software try to ensure it supports DNSSEC validation and QNAME +minimisation (RFC7816). In every case the software should be installed +using the OS package manager to ensure it is updated with the rest of the +system. + +By using your own DNS resolver you are less vulnerable to DNS-based censorship +that your upstream resolver might impose. + +Here follow specific instructions on how to install and configure unbound on +your exit - a DNSSEC-validating and caching resolver. unbound has many +configuration and tuning nobs but we try to keep these instructions as simple +and short as possible and the basic setup will do just fine for most operators. + +After switching to unbound verify it works as expected by resolving a valid +hostname, if it does not work, you can restore the old resolv.conf file. 
+ +### Debian/Ubuntu + +The following 3 commands install unbound, backup your DNS configuration and tell +the system to use the local unbound: + +``` +apt install unbound +cp /etc/resolv.conf /etc/resolv.conf.backup +echo nameserver 127.0.0.1 > /etc/resolv.conf +``` + +To avoid that the configuration gets changed (for example by the DHCP client): + +``` +chattr +i /etc/resolv.conf +``` + +The Debian configuration ships with QNAME minimisation (RFC7816) enabled +by default so you don't need to enable it explicitly. The unbound resolver you +just installed does also DNSSEC validation. + +### CentOS/RHEL + +Install the unbound package: + +``` +yum install unbound +``` + +in /etc/unbound/unbound.conf replace the line + +``` +# qname-minimisation: no +``` + +with: + +``` +qname-minimisation: yes +``` + +enable and start unbound: + +``` +systemctl enable unbound +systemctl start unbound +``` + +Tell the system to use the local unbound server: + +``` +cp /etc/resolv.conf /etc/resolv.conf.backup +echo nameserver 127.0.0.1 > /etc/resolv.conf +``` + +To avoid that the configuration gets changed (for example by the DHCP client): + +``` +chattr +i /etc/resolv.conf +``` + +### FreeBSD + +FreeBSD ships unbound in the base system but the one in ports is usually +following upstream more closely so we install the unbound package: + +``` +pkg install unbound +``` + +Replace the content in /usr/local/etc/unbound/unbound.conf with the following lines: + +``` +server: + verbosity: 1 + qname-minimisation: yes +``` + +enable and start the unbound service: + +``` +sysrc unbound_enable=YES +service unbound start +``` + +Tell the system to use the local unbound server: + +``` +cp /etc/resolv.conf /etc/resolv.conf.backup +echo nameserver 127.0.0.1 > /etc/resolv.conf +``` + +To avoid that the configuration gets changed (for example by the DHCP client): + +``` +chflags schg /etc/resolv.conf +``` + 
diff --git a/content/relay-operations/technical-setup/fedora/contents.lr b/content/relay-operations/technical-setup/fedora/contents.lr new file mode 100644 index 0000000..a0ab0a4 --- /dev/null +++ b/content/relay-operations/technical-setup/fedora/contents.lr @@ -0,0 +1,9 @@ +_model: page +--- +title: Fedora +--- +html: relay-operations.html +--- +section: relay operations +--- +section_id: relay-operations diff --git a/content/relay-operations/technical-setup/freebsd/contents.lr b/content/relay-operations/technical-setup/freebsd/contents.lr new file mode 100644 index 0000000..de83c05 --- /dev/null +++ b/content/relay-operations/technical-setup/freebsd/contents.lr @@ -0,0 +1,9 @@ +_model: page +--- +title: FreeBSD +--- +html: relay-operations.html +--- +section: relay operations +--- +section_id: relay-operations
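Review bot: the centosrhel/contents.lr hunk (and likewise the fedora and freebsd hunks) adds a page that carries `title:`, `html:` and `section` metadata but no `body:` field, so it will publish as an empty page under the relay guide; either give each stub at least a placeholder body that points operators to the exit-relay page and the generic instructions, or leave the stubs out of this commit until they have content. Two smaller points: unlike exit-relay/contents.lr (`key: 5`) these stubs have no `key:` field, so their ordering among the platform subpages is undefined; and the commit message says "remove openSUSE", but the diffstat reports only insertions (`5 files changed, 275 insertions(+)`) and no deleted file, so that line of the message does not match the diff.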
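Review bot: in the debianubuntu/contents.lr hunk, the torrc comment `# Change the email address bellow and be aware that it will be published` misspells "below"; since operators copy this block verbatim into /etc/tor/torrc, fix it to `# Change the email address below and be aware that it will be published`. Also in this hunk, section 3 says to "put the configuration file `/etc/tor/torrc` in place", but the Debian `tor` package already installs a torrc, so "replace the contents of `/etc/tor/torrc` with" describes the step more accurately; and the repository link in section 1 points at the `#ubuntu` anchor of the Debian instructions page although this page covers Debian as well, so linking the page top would avoid sending Debian readers to the Ubuntu-specific part.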
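Review bot: in the exit-relay/contents.lr hunk, the Debian/Ubuntu unbound steps (`echo nameserver 127.0.0.1 > /etc/resolv.conf` followed by `chattr +i /etc/resolv.conf`) do not achieve what the text promises on Ubuntu releases where /etc/resolv.conf is a symlink into systemd-resolved's stub file: the redirection writes into the symlink target, which is regenerated, and `chattr +i` fails on the symlink, so the local resolver setting is silently lost. Suggest adding a step that removes the symlink (or disables systemd-resolved) before writing the file, and noting that the `chattr +i` protection requires /etc/resolv.conf to be a regular file; the verification sentence ("verify it works as expected by resolving a valid hostname") would also benefit from naming a concrete command. Wording fixes in the same hunk: "Something like "tor-exit" it its name" should read "in its name"; "specific instructions follow bellow for each operating systems" should read "follow below for each operating system"; "tuning nobs" should be "tuning knobs"; and the run-on "Tor can do that for you if your DirPort is on TCP port 80, you can make use of tor's DirPortFrontPage feature" reads better as two sentences, e.g. "Tor can do that for you: if your DirPort is on TCP port 80, you can use tor's DirPortFrontPage feature".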
tor-commits@lists.torproject.org