commit 040d635d31e4c23fd55efab0af24abd3bcd6b86d Author: jarlave Date: Sun Mar 31 15:23:12 2019 +0200 Add files via upload diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..e84dcbf --- /dev/null +++ b/Dockerfile @@ -0,0 +1,53 @@ +FROM alpine:3.9 +LABEL maintainer="jarlave " + +ENV RELAY_NICKNAME ChangeMe +ENV RELAY_TYPE middle +ENV RELAY_BANDWIDTH_RATE 100 KBytes +ENV RELAY_BANDWIDTH_BURST 200 KBytes +ENV RELAY_ORPORT 9001 +ENV RELAY_DIRPORT 9030 +ENV RELAY_CTRLPORT 9051 +ENV RELAY_ACCOUNTING_MAX 1 GBytes +ENV RELAY_ACCOUNTING_START day 00:00 +ENV RELAY_DATADIR=/var/lib/tor + +# add group/user tor with ID +RUN addgroup -g 1000 -S tor && \ + adduser -u 1000 -S tor -G tor + +RUN apk --no-cache add \ + bash \ + tor + +# install python3 and nyx +RUN apk add --no-cache python3 && \ + python3 -m ensurepip && \ + rm -r /usr/lib/python*/ensurepip && \ + pip3 install --upgrade pip setuptools && \ + if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi && \ + if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi && \ + rm -r /root/.cache + +RUN pip install nyx + +# copy in our torrc files +COPY torrc.bridge /etc/tor/torrc.bridge +COPY torrc.middle /etc/tor/torrc.middle +COPY torrc.exit /etc/tor/torrc.exit + +# copy the run script +COPY run.sh /run.sh +RUN chmod ugo+rx /run.sh + +EXPOSE 9001 + +# make sure files are owned by tor user +RUN chown -R tor /etc/tor + +USER tor + +VOLUME ["/var/lib/tor"] +RUN chown -R tor /var/lib/tor + +ENTRYPOINT [ "/run.sh" ] \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..dc7f10e --- /dev/null +++ b/README.md @@ -0,0 +1,17 @@ + ### Environment variables + +| Name | Description | Default value | +| ---------------------------- |:----------------------------------------------------------------------------:| -------------:| +| **RELAY_TYPE** | The type of relay (bridge, middle or exit) | middle | +| **RELAY_NICKNAME** | The nickname of your relay | ChangeMe | +| **CONTACT_GPG_FINGERPRINT** | Your GPG ID or fingerprint | none | +| **CONTACT_NAME** | Your name | none | +| **CONTACT_EMAIL** | Your contact email | none | +| **RELAY_BANDWIDTH_RATE** | Limit how much traffic will be allowed through your relay (must be > 20KB/s) | 100 KBytes | +| **RELAY_BANDWIDTH_BURST** | Allow temporary bursts up to a certain amount | 200 KBytes | +| **RELAY_ORPORT** | Default port used for incoming Tor connections (ORPort) | 9001 | +| **RELAY_DIRPORT** | Default port used for directory (DirPort) | 9030 | +| **RELAY_CTRLPORT** | Default port used for control interface (ControlPort) | 9051 | +| **RELAY_ACCOUNTING_MAX** | Default threshold for sent and recieve (AccountingMax) | 1 GBytes | +| **RELAY_ACCOUNTING_START** | threshold rest (AccountingStart) | day 00:00 | +| **RELAY_DATADIR** | The directory for keeping all the keys/etc (DataDirectory) | /var/lib/tor | \ No newline at end of file diff --git a/run.sh b/run.sh new file mode 100644 index 0000000..b0d3afb --- /dev/null +++ b/run.sh @@ -0,0 +1,22 @@ +#!/bin/bash +set -e +set -o pipefail + +for relaytype in bridge middle exit; do + file="/etc/tor/torrc.${relaytype}" + + sed -i "s/RELAY_NICKNAME/${RELAY_NICKNAME}/g" "$file" + sed -i "s/CONTACT_GPG_FINGERPRINT/${CONTACT_GPG_FINGERPRINT}/g" "$file" + sed -i "s/CONTACT_NAME/${CONTACT_NAME}/g" "$file" + sed -i "s/CONTACT_EMAIL/${CONTACT_EMAIL}/g" "$file" + sed -i "s/RELAY_BANDWIDTH_RATE/${RELAY_BANDWIDTH_RATE}/g" "$file" + sed -i "s/RELAY_BANDWIDTH_BURST/${RELAY_BANDWIDTH_BURST}/g" "$file" + sed -i "s/RELAY_ORPORT/${RELAY_ORPORT}/g" "$file" + sed -i "s/RELAY_DIRPORT/${RELAY_DIRPORT}/g" "$file" + sed -i "s/RELAY_CTRLPORT/${RELAY_CTRLPORT}/g" "$file" + sed -i "s/RELAY_ACCOUNTING_MAX/${RELAY_ACCOUNTING_MAX}/g" "$file" + sed -i "s/RELAY_ACCOUNTING_START/${RELAY_ACCOUNTING_START}/g" "$file" + sed -i "s/RELAY_DATADIR/${RELAY_DATADIR}/g" "$file" +done + +exec tor -f "/etc/tor/torrc.${RELAY_TYPE}" \ No newline at end of file diff --git a/torrc.bridge b/torrc.bridge new file mode 100644 index 0000000..81f99b7 --- /dev/null +++ b/torrc.bridge @@ -0,0 +1,194 @@ +## Configuration file for a typical Tor user +## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory RELAY_DATADIR + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort RELAY_CTRLPORT +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort RELAY_ORPORT +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname RELAY_NICKNAME + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) +RelayBandwidthRate RELAY_BANDWIDTH_RATE +RelayBandwidthBurst RELAY_BANDWIDTH_BURST + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +AccountingMax RELAY_ACCOUNTING_MAX +## Each period starts daily at midnight (AccountingMax is per day) +AccountingStart RELAY_ACCOUNTING_START +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort RELAY_DIRPORT +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 \ No newline at end of file diff --git a/torrc.exit b/torrc.exit new file mode 100644 index 0000000..d047318 --- /dev/null +++ b/torrc.exit @@ -0,0 +1,266 @@ +## Configuration file for a typical Tor user +## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory RELAY_DATADIR + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort RELAY_CTRLPORT +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort RELAY_ORPORT +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname RELAY_NICKNAME + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) +RelayBandwidthRate RELAY_BANDWIDTH_RATE +RelayBandwidthBurst RELAY_BANDWIDTH_BURST + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +AccountingMax RELAY_ACCOUNTING_MAX +## Each period starts daily at midnight (AccountingMax is per day) +AccountingStart RELAY_ACCOUNTING_START +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort RELAY_DIRPORT +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +# Reduced exit policy from https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy +ExitPolicy accept *:20-23 # FTP, SSH, telnet +ExitPolicy accept *:43 # WHOIS +ExitPolicy accept *:53 # DNS +ExitPolicy accept *:79-81 # finger, HTTP +ExitPolicy accept *:88 # kerberos +ExitPolicy accept *:110 # POP3 +ExitPolicy accept *:143 # IMAP +ExitPolicy accept *:194 # IRC +ExitPolicy accept *:220 # IMAP3 +ExitPolicy accept *:389 # LDAP +ExitPolicy accept *:443 # HTTPS +ExitPolicy accept *:464 # kpasswd +ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587) +ExitPolicy accept *:531 # IRC/AIM +ExitPolicy accept *:543-544 # Kerberos +ExitPolicy accept *:554 # RTSP +ExitPolicy accept *:563 # NNTP over SSL +ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here) +ExitPolicy accept *:636 # LDAP over SSL +ExitPolicy accept *:706 # SILC +ExitPolicy accept *:749 # kerberos +ExitPolicy accept *:873 # rsync +ExitPolicy accept *:902-904 # VMware +ExitPolicy accept *:981 # Remote HTTPS management for firewall +ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL +ExitPolicy accept *:1194 # OpenVPN +ExitPolicy accept *:1220 # QT Server Admin +ExitPolicy accept *:1293 # PKT-KRB-IPSec +ExitPolicy accept *:1500 # VLSI License Manager +ExitPolicy accept *:1533 # Sametime +ExitPolicy accept *:1677 # GroupWise +ExitPolicy accept *:1723 # PPTP +ExitPolicy accept *:1755 # RTSP +ExitPolicy accept *:1863 # MSNP +ExitPolicy accept *:2082 # Infowave Mobility Server +ExitPolicy accept *:2083 # Secure Radius Service (radsec) +ExitPolicy accept *:2086-2087 # GNUnet, ELI +ExitPolicy accept *:2095-2096 # NBX +ExitPolicy accept *:2102-2104 # Zephyr +ExitPolicy accept *:3128 # SQUID +ExitPolicy accept *:3389 # MS WBT +ExitPolicy accept *:3690 # SVN +ExitPolicy accept *:4321 # RWHOIS +ExitPolicy accept *:4643 # Virtuozzo +ExitPolicy accept *:5050 # MMCC +ExitPolicy accept *:5190 # ICQ +ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL +ExitPolicy accept *:5228 # Android Market +ExitPolicy accept *:5900 # VNC +ExitPolicy accept *:6660-6669 # IRC +ExitPolicy accept *:6679 # IRC SSL +ExitPolicy accept *:6697 # IRC SSL +ExitPolicy accept *:8000 # iRDMI +ExitPolicy accept *:8008 # HTTP alternate +ExitPolicy accept *:8074 # Gadu-Gadu +ExitPolicy accept *:8080 # HTTP Proxies +ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port +ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP +ExitPolicy accept *:8332-8333 # Bitcoin +ExitPolicy accept *:8443 # PCsync HTTPS +ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE +ExitPolicy accept *:9418 # git +ExitPolicy accept *:9999 # distinct +ExitPolicy accept *:10000 # Network Data Management Protocol +ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol) +ExitPolicy accept *:19294 # Google Voice TCP +ExitPolicy accept *:19638 # Ensim control panel +ExitPolicy accept *:50002 # Electrum Bitcoin SSL +ExitPolicy accept *:64738 # Mumble +ExitPolicy reject *:* + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 \ No newline at end of file diff --git a/torrc.middle b/torrc.middle new file mode 100644 index 0000000..928ae3e --- /dev/null +++ b/torrc.middle @@ -0,0 +1,194 @@ +## Configuration file for a typical Tor user +## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory RELAY_DATADIR + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort RELAY_CTRLPORT +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort RELAY_ORPORT +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname RELAY_NICKNAME + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) +RelayBandwidthRate RELAY_BANDWIDTH_RATE +RelayBandwidthBurst RELAY_BANDWIDTH_BURST + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +AccountingMax RELAY_ACCOUNTING_MAX +## Each period starts daily at midnight (AccountingMax is per day) +AccountingStart RELAY_ACCOUNTING_START +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort RELAY_DIRPORT +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: +#PublishServerDescriptor 0 \ No newline at end of file