[or-cvs] add tor server configuration instructions
arma at seul.org
arma at seul.org
Wed Aug 17 04:15:27 UTC 2005
Update of /home2/or/cvsroot/tor/doc
In directory moria:/home/arma/work/onion/cvs/tor/doc
Modified Files:
tor-doc-unix.html tor-doc-win32.html tor-switchproxy.html
tor.1.in
Added Files:
tor-doc-server.html
Log Message:
add tor server configuration instructions
--- NEW FILE: tor-doc-server.html ---
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>Tor Server Configuration Instructions</title>
<meta name="Author" content="Roger Dingledine" />
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1" />
<link rel="stylesheet" type="text/css" href="http://tor.eff.org/stylesheet.css" />
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico" />
</head>
<body>
<!-- TITLE BAR & NAVIGATION -->
<table class="banner" border="0" cellpadding="0" cellspacing="0">
<tr>
<td class="banner-left"></td>
<td class="banner-middle">
<a href="/index.html">Home</a>
| <a href="/howitworks.html">How It Works</a>
| <a href="/download.html">Download</a>
| <a href="/documentation.html">Docs</a>
| <a href="/users.html">Users</a>
| <a href="/faq.html">FAQs</a>
| <a href="/volunteer.html">Volunteer</a>
| <a href="/developers.html">Developers</a>
| <a href="/research.html">Research</a>
| <a href="/people.html">People</a>
</td>
<td class="banner-right"></td>
</tr>
</table>
<!-- END TITLE BAR & NAVIGATION -->
<div class="center">
<div class="main-column">
<h1>Configuring a <a href="http://tor.eff.org/">Tor</a> server</h1>
<br />
<p>The Tor network relies on volunteers to donate bandwidth. If you have
at least 20 kilobytes/s each way, please help out Tor by configuring
your Tor to be a server too. Having servers in many different pieces
of the Internet gives users more robustness against curious telcos and
brute force attacks.</p>
<p>Setting up a Tor server is easy and convenient:
<ul>
<li>Tor has built-in support for <a
href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
limiting</a>. Further, if you have a fast link
but want to limit the number of bytes per day
(or week or month) that you donate, check out the <a
href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation">hibernation
feature</a>.
</li>
<li>Each Tor server has an <a
href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut">exit
policy</a> that specifies what sort of outbound connections are allowed
or refused from that server. If you are uncomfortable allowing people
to exit from your server, you can set it up to only allow connections
to other Tor servers.
</li>
<li>It's fine if the server goes offline sometimes. The directories
notice this quickly and stop advertising the server. Just try to make
sure it's not too often, since connections using the server when it
disconnects will break.
</li>
<li>We can handle servers with dynamic IPs just fine, as long as the
server itself knows its IP. Have a look at this
<a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#DynamicIP">
entry in the FAQ</a>.
</li>
<li>If your server is behind a NAT and it doesn't know its public
IP (e.g. it has an IP of 192.168.x.y), you'll need to set up port
forwarding. Forwarding TCP connections is system dependent but <a
href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledCli
ents">this FAQ entry</a> offers some examples on how to do this.
</li>
<li>Your server will passively estimate and advertise its recent
bandwidth capacity, so high-bandwidth servers will attract more users than
low-bandwidth ones. Therefore having low-bandwidth servers is useful too.
</li>
</ul>
<hr />
<a id="zero"></a>
<h2><a class="anchor" href="#zero">Step Zero: Download and Install Tor and Privoxy</a></h2>
<br />
<p>Before you start, you need to make sure that Tor is up and running.
</p>
<p>For Windows users, this means at least <a
href="http://tor.eff.org/doc/tor-doc-win32.html#installing">step one</a>
of the Windows Tor installation howto. Mac OS X users need to do at least
<a href="http://tor.eff.org/doc/tor-doc-osx.html#installing">step one</a>
of OS X Tor installation howto. Linux/BSD/Unix users should do at least
<a href="http://tor.eff.org/doc/tor-doc-unix.html#installing">step one</a>
of the Unix Tor installation howto.
</p>
<p>If it's convenient, you might also want to use it as a client for a
while to make sure it's actually working.</p>
<hr />
<a id="one"></a>
<h2><a class="anchor" href="#one">Step One: Set it up as a server</a></h2>
<br />
<ul>
<li>1. Verify that your clock is set correctly. If possible, synchronize
your clock with public time servers. Make sure name resolution works
(that is, your computer can resolve addresses correctly).
</li>
<li>2. Edit the bottom part of your torrc. (See <a
href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#torrc">this
FAQ entry</a> for help.)
Make sure to define at least Nickname and ORPort. Create the DataDirectory
if necessary, and make sure it's owned by the user that will be running
tor.
<li>3. If you are using a firewall, open a hole in your firewall so
incoming connections can reach the ports you configured (ORPort, plus
DirPort if you enabled it). Make sure you allow all outgoing connections,
so your server can reach the other Tor servers.
<li>4. Start your server: if you installed from source you can just
run <tt>tor</tt>, whereas packages typically launch Tor from their
initscripts or startup scripts. If it logs any warnings, address them. (By
default Tor logs to stdout, but some packages log to <tt>/var/log/tor/</tt>
instead. You can edit your torrc to configure log locations.)
<li>5. Subscribe to the <a
href="http://archives.seul.org/or/announce/">or-announce</a>
mailing list. It is very low volume, and it will keep you informed
of new stable releases. You might also consider subscribing to <a
href="http://archives.seul.org/or/talk/">or-talk</a> (higher volume),
where new development releases are announced.
</li>
</ul>
<hr />
<a id="two"></a>
<h2><a class="anchor" href="#two">Step Two: Make sure it's working</a></h2>
<br />
<p>As soon as your server manages to connect to the network, it will
try to determine whether the ports you configured are reachable from
the outside. This may take several minutes. The log entries will keep
you informed of its progress.</p>
<p>When it decides that it's reachable, it will upload a "server
descriptor" to the directories. This will let other clients know
what address, ports, keys, etc your server is using. You can <a
href="http://belegost.seul.org/">load the directory manually</a> and
look through it to find the nickname you configured, to make sure it's
there. You may need to wait a few seconds to give enough time for it to
make a fresh directory.</p>
<li>Once you are convinced it's working, <b>Register your server.</b>
Send mail to <a
href="mailto:tor-ops at freehaven.net">tor-ops at freehaven.net</a> with a
subject of '[New Server] <your server's nickname>' and
include the following information in the message:
<ul>
<li>Your server's nickname</li>
<li>The fingerprint for your server's key (the contents of the
"fingerprint" file in your DataDirectory -- on Windows, look in
\<i>username</i>\Application Data\tor\ or \Application Data\tor\;
on OS X, look in /Library/Tor/var/lib/tor/; and on Linux/BSD/Unix,
look in /var/lib/tor or ~/.tor)
</li>
<li>Who you are, so we know whom to contact if a problem arises</li>
<li>What kind of connectivity the new server will have</li>
</ul>
If you like, sign your mail using PGP.<br />
Registering your server reserves your nickname so nobody else can take it,
and lets us contact you if you need to upgrade or something goes wrong.
</li>
<hr />
<a id="three"></a>
<h2><a class="anchor" href="#three">Step Three: Once it's working</a></h2>
<br />
<p>
Optionally, we recommend the following steps as well:
</p>
<ul>
<li>6 (Unix only). Make a separate user to run the server. If you
installed the OS X package or the deb or the rpm, this is already
done. Otherwise, you can do it by hand. (The Tor server doesn't need to
be run as root, so it's good practice to not run it as root. Running
as a 'tor' user avoids issues with identd and other services that
detect user name. If you're the paranoid sort, feel free to <a
href="http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot">put Tor
into a chroot jail</a>.)
<li>7. Decide what exit policy you want. By default your server allows
access to many popular services, but we restrict some (such as port 25)
due to abuse potential. You might want an exit policy that is
less restrictive or more restrictive; edit your torrc appropriately.
If you choose a particularly open exit policy, you might want to make
sure your ISP is ok with that choice.
<li>8. If you installed from source, you may find the initscripts in
contrib/tor.sh or contrib/torctl useful if you want to set up Tor to
start at boot.
<li>9. If you control the name servers for your domain, consider setting
your hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when other
people see the address in their web logs, they will more quickly
understand what's going on.
<li>10. If your computer isn't running a webserver, please consider
changing your ORPort to 443 and your DirPort to 80. Many Tor
users are stuck behind firewalls that only let them browse the
web, and this change will let them reach your Tor server. Win32
servers can simply change their ORPort and DirPort directly
in their torrc and restart Tor. OS X or Unix servers can't bind
directly to these ports, so they will need to set up some sort of <a
href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#ServerForFirewalledClients">
port forwarding</a> so connections can reach their Tor server. If you are
using ports 80 and 443 already but still want to help out, other useful
ports are 22, 110, and 143.
</ul>
When you change your Tor configuration, be sure to restart Tor, and
remember to verify that your server still works correctly after the
change.
<hr />
<p>If you have suggestions for improving this document, please post
them on <a href="http://bugs.noreply.org/tor">our bugtracker</a> in the
website category. Thanks!</p>
</div><!-- #main -->
</div>
<div class="bottom" id="bottom">
<i><a href="mailto:tor-webmaster at freehaven.net"
class="smalllink">Webmaster</a></i> - $Id: tor-doc-server.html,v 1.1 2005/08/17 04:15:25 arma Exp $
</div>
</body>
</html>
Index: tor-doc-unix.html
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/tor-doc-unix.html,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -d -r1.1 -r1.2
--- tor-doc-unix.html 17 Aug 2005 00:03:45 -0000 1.1
+++ tor-doc-unix.html 17 Aug 2005 04:15:25 -0000 1.2
@@ -60,7 +60,10 @@
Red Hat, Gentoo, *BSD, etc there too.
</p>
-<p>If you're building from source, run <tt>tar xzf tor-0.1.0.14.tar.gz;
+<p>If you're building from source, first install <a
+href="http://www.monkey.org/~provos/libevent/">libevent</a>, and
+make sure you have openssl and zlib (including the -devel packages if
+applicable). Then Run <tt>tar xzf tor-0.1.0.14.tar.gz;
cd tor-0.1.0.14</tt>. Then <tt>./configure && make</tt>. Now you
can run tor as <tt>src/or/tor</tt>, or you can run <tt>make install</tt>
(as root if necessary) to install it into /usr/local/, and then you can
Index: tor-doc-win32.html
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/tor-doc-win32.html,v
retrieving revision 1.75
retrieving revision 1.76
diff -u -d -r1.75 -r1.76
--- tor-doc-win32.html 9 Aug 2005 17:19:47 -0000 1.75
+++ tor-doc-win32.html 17 Aug 2005 04:15:25 -0000 1.76
@@ -190,8 +190,7 @@
button; but see <a
href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#FtpProxy">this
note</a> about Tor and ftp proxies.
-<!--You should also set your SSL proxy (IE calls it "Secure") to the same
-thing, to hide your SSL traffic too.--> In IE, this looks something like:</p>
+In IE, this looks something like:</p>
<img alt="Proxy settings in IE"
src="http://tor.eff.org/img/screenshot-win32-ie-proxies.jpg" />
Index: tor-switchproxy.html
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/tor-switchproxy.html,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- tor-switchproxy.html 15 Aug 2005 23:54:25 -0000 1.16
+++ tor-switchproxy.html 17 Aug 2005 04:15:25 -0000 1.17
@@ -69,7 +69,11 @@
two</a> of the Windows Tor installation howto. Mac OS X users just need
to do <a href="http://tor.eff.org/doc/tor-doc-osx.html#installing">step
one</a> of OS X Tor installation howto, since our OS X package includes
-Privoxy and configures it already.</p>
+Privoxy and configures it already. Linux/BSD/Unix users should do <a
+href="http://tor.eff.org/doc/tor-doc-unix.html#installing">step one</a>
+and <a href="http://tor.eff.org/doc/tor-doc-unix.html#privoxy">step
+two</a> of the Unix Tor installation howto.
+</p>
<hr />
<a id="one"></a>
Index: tor.1.in
===================================================================
RCS file: /home2/or/cvsroot/tor/doc/tor.1.in,v
retrieving revision 1.98
retrieving revision 1.99
diff -u -d -r1.98 -r1.99
--- tor.1.in 9 Aug 2005 10:35:06 -0000 1.98
+++ tor.1.in 17 Aug 2005 04:15:25 -0000 1.99
@@ -247,7 +247,7 @@
A comma-separated list of IPs that your firewall allows you to connect
to. Only used when \fBFascistFirewall\fR is set. The format is as
for the addresses in ExitPolicy, except that "accept" is understood
-unless "reject" is explicitly provided. For example, 'FirewallIPs
+unless "reject" is explicitly provided. For example, 'ReachableAddresses
99.0.0.0/8, reject 18.0.0.0/8:80, accept *:80' means that your
firewall allows connections to everything inside net 99, rejects port
80 connections to net 18, and accepts connections to port 80 otherwise.
More information about the tor-commits
mailing list