diff --git a/Dockerfile b/Dockerfile index 7be7782..acd8bc2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,52 +1,52 @@ -FROM alpine:3.9 -LABEL maintainer="jarlave " - -ENV RELAY_NICKNAME ChangeMe -ENV RELAY_TYPE middle -ENV RELAY_BANDWIDTH_RATE 100 KBytes -ENV RELAY_BANDWIDTH_BURST 200 KBytes -ENV RELAY_ORPORT 9001 -ENV RELAY_DIRPORT 9030 -ENV RELAY_CTRLPORT 9051 -ENV RELAY_ACCOUNTING_MAX 1 GBytes -ENV RELAY_ACCOUNTING_START day 00:00 - -# add group/user tor with ID -RUN addgroup -g 1000 -S tor && \ - adduser -u 1000 -S tor -G tor - -RUN apk --no-cache add \ - bash \ - tor - -# install python3 and nyx -RUN apk add --no-cache python3 && \ - python3 -m ensurepip && \ - rm -r /usr/lib/python*/ensurepip && \ - pip3 install --upgrade pip setuptools && \ - if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi && \ - if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi && \ - rm -r /root/.cache - -RUN pip install nyx - -# copy in our torrc files -COPY torrc.bridge /etc/tor/torrc.bridge -COPY torrc.middle /etc/tor/torrc.middle -COPY torrc.exit /etc/tor/torrc.exit - -# copy the run script -COPY run.sh /run.sh -RUN chmod ugo+rx /run.sh - -EXPOSE 9001 - -# make sure files are owned by tor user -RUN chown -R tor /etc/tor - -USER tor - -VOLUME ["/var/lib/tor"] -RUN chown -R tor /var/lib/tor - +FROM alpine:3.9 +LABEL maintainer="jarlave " + +ENV RELAY_NICKNAME ChangeMe +ENV RELAY_TYPE middle +ENV RELAY_BANDWIDTH_RATE 100 KBytes +ENV RELAY_BANDWIDTH_BURST 200 KBytes +ENV RELAY_ORPORT 9001 +ENV RELAY_DIRPORT 9030 +ENV RELAY_CTRLPORT 9051 +ENV RELAY_ACCOUNTING_MAX 1 GBytes +ENV RELAY_ACCOUNTING_START day 00:00 + +# add group/user tor with ID +RUN addgroup -g 1000 -S tor && \ + adduser -u 1000 -S tor -G tor + +RUN apk --no-cache add \ + bash \ + tor + +# install python3 and nyx +RUN apk add --no-cache python3 && \ + python3 -m ensurepip && \ + rm -r /usr/lib/python*/ensurepip && \ + pip3 install --upgrade pip setuptools && \ + if [ ! -e /usr/bin/pip ]; then ln -s pip3 /usr/bin/pip ; fi && \ + if [[ ! -e /usr/bin/python ]]; then ln -sf /usr/bin/python3 /usr/bin/python; fi && \ + rm -r /root/.cache + +RUN pip install nyx + +# copy in our torrc files +COPY torrc.bridge /etc/tor/torrc.bridge +COPY torrc.middle /etc/tor/torrc.middle +COPY torrc.exit /etc/tor/torrc.exit + +# copy the run script +COPY run.sh /run.sh +RUN chmod ugo+rx /run.sh + +EXPOSE 9001 + +# make sure files are owned by tor user +RUN chown -R tor /etc/tor + +USER tor + +VOLUME ["/var/lib/tor"] +RUN chown -R tor /var/lib/tor + ENTRYPOINT [ "/run.sh" ] \ No newline at end of file diff --git a/README.md b/README.md index 5a79af7..961b094 100644 --- a/README.md +++ b/README.md @@ -1,16 +1,16 @@ - ### Environment variables - -| Name | Description | Default value | -| ---------------------------- |:----------------------------------------------------------------------------:| -------------:| -| **RELAY_TYPE** | The type of relay (bridge, middle or exit) | middle | -| **RELAY_NICKNAME** | The nickname of your relay | ChangeMe | -| **CONTACT_GPG_FINGERPRINT** | Your GPG ID or fingerprint | none | -| **CONTACT_NAME** | Your name | none | -| **CONTACT_EMAIL** | Your contact email | none | -| **RELAY_BANDWIDTH_RATE** | Limit how much traffic will be allowed through your relay (must be > 20KB/s) | 100 KBytes | -| **RELAY_BANDWIDTH_BURST** | Allow temporary bursts up to a certain amount | 200 KBytes | -| **RELAY_ORPORT** | Default port used for incoming Tor connections (ORPort) | 9001 | -| **RELAY_DIRPORT** | Default port used for directory (DirPort) | 9030 | -| **RELAY_CTRLPORT** | Default port used for control interface (ControlPort) | 9051 | -| **RELAY_ACCOUNTING_MAX** | Default threshold for sent and recieve (AccountingMax) | 1 GBytes | + ### Environment variables + +| Name | Description | Default value | +| ---------------------------- |:----------------------------------------------------------------------------:| -------------:| +| **RELAY_TYPE** | The type of relay (bridge, middle or exit) | middle | +| **RELAY_NICKNAME** | The nickname of your relay | ChangeMe | +| **CONTACT_GPG_FINGERPRINT** | Your GPG ID or fingerprint | none | +| **CONTACT_NAME** | Your name | none | +| **CONTACT_EMAIL** | Your contact email | none | +| **RELAY_BANDWIDTH_RATE** | Limit how much traffic will be allowed through your relay (must be > 20KB/s) | 100 KBytes | +| **RELAY_BANDWIDTH_BURST** | Allow temporary bursts up to a certain amount | 200 KBytes | +| **RELAY_ORPORT** | Default port used for incoming Tor connections (ORPort) | 9001 | +| **RELAY_DIRPORT** | Default port used for directory (DirPort) | 9030 | +| **RELAY_CTRLPORT** | Default port used for control interface (ControlPort) | 9051 | +| **RELAY_ACCOUNTING_MAX** | Default threshold for sent and recieve (AccountingMax) | 1 GBytes | | **RELAY_ACCOUNTING_START** | threshold rest (AccountingStart) | day 00:00 | \ No newline at end of file diff --git a/run.sh b/run.sh index e2315c8..2160f26 100644 --- a/run.sh +++ b/run.sh @@ -1,21 +1,21 @@ -#!/bin/bash -set -e -set -o pipefail - -for relaytype in bridge middle exit; do - file="/etc/tor/torrc.${relaytype}" - - sed -i "s/RELAY_NICKNAME/${RELAY_NICKNAME}/g" "$file" - sed -i "s/CONTACT_GPG_FINGERPRINT/${CONTACT_GPG_FINGERPRINT}/g" "$file" - sed -i "s/CONTACT_NAME/${CONTACT_NAME}/g" "$file" - sed -i "s/CONTACT_EMAIL/${CONTACT_EMAIL}/g" "$file" - sed -i "s/RELAY_BANDWIDTH_RATE/${RELAY_BANDWIDTH_RATE}/g" "$file" - sed -i "s/RELAY_BANDWIDTH_BURST/${RELAY_BANDWIDTH_BURST}/g" "$file" - sed -i "s/RELAY_ORPORT/${RELAY_ORPORT}/g" "$file" - sed -i "s/RELAY_DIRPORT/${RELAY_DIRPORT}/g" "$file" - sed -i "s/RELAY_CTRLPORT/${RELAY_CTRLPORT}/g" "$file" - sed -i "s/RELAY_ACCOUNTING_MAX/${RELAY_ACCOUNTING_MAX}/g" "$file" - sed -i "s/RELAY_ACCOUNTING_START/${RELAY_ACCOUNTING_START}/g" "$file" -done - +#!/bin/bash +set -e +set -o pipefail + +for relaytype in bridge middle exit; do + file="/etc/tor/torrc.${relaytype}" + + sed -i "s/RELAY_NICKNAME/${RELAY_NICKNAME}/g" "$file" + sed -i "s/CONTACT_GPG_FINGERPRINT/${CONTACT_GPG_FINGERPRINT}/g" "$file" + sed -i "s/CONTACT_NAME/${CONTACT_NAME}/g" "$file" + sed -i "s/CONTACT_EMAIL/${CONTACT_EMAIL}/g" "$file" + sed -i "s/RELAY_BANDWIDTH_RATE/${RELAY_BANDWIDTH_RATE}/g" "$file" + sed -i "s/RELAY_BANDWIDTH_BURST/${RELAY_BANDWIDTH_BURST}/g" "$file" + sed -i "s/RELAY_ORPORT/${RELAY_ORPORT}/g" "$file" + sed -i "s/RELAY_DIRPORT/${RELAY_DIRPORT}/g" "$file" + sed -i "s/RELAY_CTRLPORT/${RELAY_CTRLPORT}/g" "$file" + sed -i "s/RELAY_ACCOUNTING_MAX/${RELAY_ACCOUNTING_MAX}/g" "$file" + sed -i "s/RELAY_ACCOUNTING_START/${RELAY_ACCOUNTING_START}/g" "$file" +done + exec tor -f "/etc/tor/torrc.${RELAY_TYPE}" \ No newline at end of file diff --git a/torrc.bridge b/torrc.bridge index 8233bac..ef52238 100644 --- a/torrc.bridge +++ b/torrc.bridge @@ -1,194 +1,194 @@ -## Configuration file for a typical Tor user -## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. -## (may or may not work for much older or much newer versions of Tor.) -## -## Lines that begin with "## " try to explain what's going on. Lines -## that begin with just "#" are disabled commands: you can enable them -## by removing the "#" symbol. -## -## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, -## for more options you can use in this file. -## -## Tor will look for this file in various places based on your platform: -## https://www.torproject.org/docs/faq#torrc - -## Tor opens a socks proxy on port 9050 by default -- even if you don't -## configure one below. Set "SocksPort 0" if you plan to run Tor only -## as a relay, and not make any local application connections yourself. -#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. -#SocksPort 192.168.0.1:9100 # Bind to this address:port too. - -## Entry policies to allow/deny SOCKS requests based on IP address. -## First entry that matches wins. If no SocksPolicy is set, we accept -## all (and only) requests that reach a SocksPort. Untrusted users who -## can access your SocksPort may be able to learn about the connections -## you make. -#SocksPolicy accept 192.168.0.0/16 -#SocksPolicy reject * - -## Logs go to stdout at level "notice" unless redirected by something -## else, like one of the below lines. You can have as many Log lines as -## you want. -## -## We advise using "notice" in most cases, since anything more verbose -## may provide sensitive information to an attacker who obtains the logs. -## -## Send all messages of level 'notice' or higher to /var/log/tor/notices.log -#Log notice file /var/log/tor/notices.log -## Send every possible message to /var/log/tor/debug.log -#Log debug file /var/log/tor/debug.log -## Use the system log instead of Tor's logfiles -#Log notice syslog -## To send all messages to stderr: -#Log debug stderr - -## Uncomment this to start the process in the background... or use -## --runasdaemon 1 on the command line. This is ignored on Windows; -## see the FAQ entry if you want Tor to run as an NT service. -#RunAsDaemon 1 - -## The directory for keeping all the keys/etc. By default, we store -## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. -DataDirectory /var/lib/tor - -## The port on which Tor will listen for local connections from Tor -## controller applications, as documented in control-spec.txt. -ControlPort RELAY_CTRLPORT -## If you enable the controlport, be sure to enable one of these -## authentication methods, to prevent attackers from accessing it. -#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C -#CookieAuthentication 1 - -############### This section is just for location-hidden services ### - -## Once you have configured a hidden service, you can look at the -## contents of the file ".../hidden_service/hostname" for the address -## to tell people. -## -## HiddenServicePort x y:z says to redirect requests on port x to the -## address y:z. - -#HiddenServiceDir /var/lib/tor/hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 - -#HiddenServiceDir /var/lib/tor/other_hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 -#HiddenServicePort 22 127.0.0.1:22 - -################ This section is just for relays ##################### -# -## See https://www.torproject.org/docs/tor-doc-relay for details. - -## Required: what port to advertise for incoming Tor connections. -ORPort RELAY_ORPORT -## If you want to listen on a port other than the one advertised in -## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as -## follows. You'll need to do ipchains or other port forwarding -## yourself to make this work. -#ORPort 443 NoListen -#ORPort 127.0.0.1:9090 NoAdvertise - -## The IP address or full DNS name for incoming connections to your -## relay. Leave commented out and Tor will guess. -#Address noname.example.com - -## If you have multiple network interfaces, you can specify one for -## outgoing traffic to use. -# OutboundBindAddress 10.0.0.5 - -## A handle for your relay, so people don't have to refer to it by key. -Nickname RELAY_NICKNAME - -## Define these to limit how much relayed traffic you will allow. Your -## own traffic is still unthrottled. Note that RelayBandwidthRate must -## be at least 20 kilobytes per second. -## Note that units for these config options are bytes (per second), not -## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, -## 2^20, etc. -#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) -#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) -RelayBandwidthRate RELAY_BANDWIDTH_RATE -RelayBandwidthBurst RELAY_BANDWIDTH_BURST - -## Use these to restrict the maximum traffic per day, week, or month. -## Note that this threshold applies separately to sent and received bytes, -## not to their sum: setting "4 GB" may allow up to 8 GB total before -## hibernating. -## -## Set a maximum of 4 gigabytes each way per period. -AccountingMax RELAY_ACCOUNTING_MAX -## Each period starts daily at midnight (AccountingMax is per day) -AccountingStart RELAY_ACCOUNTING_START -## Each period starts on the 3rd of the month at 15:00 (AccountingMax -## is per month) -#AccountingStart month 3 15:00 - -## Administrative contact information for this relay or bridge. This line -## can be used to contact you if your relay or bridge is misconfigured or -## something else goes wrong. Note that we archive and publish all -## descriptors containing these lines and that Google indexes them, so -## spammers might also collect them. You may want to obscure the fact that -## it's an email address and/or generate a new address for this purpose. -#ContactInfo Random Person -## You might also include your PGP or GPG fingerprint if you have one: -ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL - -## Uncomment this to mirror directory information for others. Please do -## if you have enough bandwidth. -DirPort RELAY_DIRPORT -## If you want to listen on a port other than the one advertised in -## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as -## follows. below too. You'll need to do ipchains or other port -## forwarding yourself to make this work. -#DirPort 80 NoListen -#DirPort 127.0.0.1:9091 NoAdvertise -## Uncomment to return an arbitrary blob of html on your DirPort. Now you -## can explain what Tor is if anybody wonders why your IP address is -## contacting them. See contrib/tor-exit-notice.html in Tor's source -## distribution for a sample. -#DirPortFrontPage /etc/tor/tor-exit-notice.html - -## Uncomment this if you run more than one Tor relay, and add the identity -## key fingerprint of each Tor relay you control, even if they're on -## different networks. You declare it here so Tor clients can avoid -## using more than one of your relays in a single circuit. See -## https://www.torproject.org/docs/faq#MultipleRelays -## However, you should never include a bridge's fingerprint here, as it would -## break its concealability and potentially reveal its IP/TCP address. -#MyFamily $keyid,$keyid,... - -## A comma-separated list of exit policies. They're considered first -## to last, and the first match wins. If you want to _replace_ -## the default exit policy, end this with either a reject *:* or an -## accept *:*. Otherwise, you're _augmenting_ (prepending to) the -## default exit policy. Leave commented to just use the default, which is -## described in the man page or at -## https://www.torproject.org/documentation.html -## -## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses -## for issues you might encounter if you use the default exit policy. -## -## If certain IPs and ports are blocked externally, e.g. by your firewall, -## you should update your exit policy to reflect this -- otherwise Tor -## users will be told that those destinations are down. -## -## For security, by default Tor rejects connections to private (local) -## networks, including to your public IP address. See the man page entry -## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". -## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy -ExitPolicy reject *:* # no exits allowed - -## Bridge relays (or "bridges") are Tor relays that aren't listed in the -## main directory. Since there is no complete public list of them, even an -## ISP that filters connections to all the known Tor relays probably -## won't be able to block all the bridges. Also, websites won't treat you -## differently because they won't know you're running Tor. If you can -## be a real relay, please do; but if not, be a bridge! -BridgeRelay 1 -## By default, Tor will advertise your bridge to users through various -## mechanisms like https://bridges.torproject.org/. If you want to run -## a private bridge, for example because you'll give out your bridge -## address manually to your friends, uncomment this line: +## Configuration file for a typical Tor user +## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort RELAY_CTRLPORT +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort RELAY_ORPORT +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname RELAY_NICKNAME + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) +RelayBandwidthRate RELAY_BANDWIDTH_RATE +RelayBandwidthBurst RELAY_BANDWIDTH_BURST + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +AccountingMax RELAY_ACCOUNTING_MAX +## Each period starts daily at midnight (AccountingMax is per day) +AccountingStart RELAY_ACCOUNTING_START +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort RELAY_DIRPORT +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: #PublishServerDescriptor 0 \ No newline at end of file diff --git a/torrc.exit b/torrc.exit index 44ef59f..07a14cc 100644 --- a/torrc.exit +++ b/torrc.exit @@ -1,266 +1,266 @@ -## Configuration file for a typical Tor user -## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. -## (may or may not work for much older or much newer versions of Tor.) -## -## Lines that begin with "## " try to explain what's going on. Lines -## that begin with just "#" are disabled commands: you can enable them -## by removing the "#" symbol. -## -## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, -## for more options you can use in this file. -## -## Tor will look for this file in various places based on your platform: -## https://www.torproject.org/docs/faq#torrc - -## Tor opens a socks proxy on port 9050 by default -- even if you don't -## configure one below. Set "SocksPort 0" if you plan to run Tor only -## as a relay, and not make any local application connections yourself. -#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. -#SocksPort 192.168.0.1:9100 # Bind to this address:port too. - -## Entry policies to allow/deny SOCKS requests based on IP address. -## First entry that matches wins. If no SocksPolicy is set, we accept -## all (and only) requests that reach a SocksPort. Untrusted users who -## can access your SocksPort may be able to learn about the connections -## you make. -#SocksPolicy accept 192.168.0.0/16 -#SocksPolicy reject * - -## Logs go to stdout at level "notice" unless redirected by something -## else, like one of the below lines. You can have as many Log lines as -## you want. -## -## We advise using "notice" in most cases, since anything more verbose -## may provide sensitive information to an attacker who obtains the logs. -## -## Send all messages of level 'notice' or higher to /var/log/tor/notices.log -#Log notice file /var/log/tor/notices.log -## Send every possible message to /var/log/tor/debug.log -#Log debug file /var/log/tor/debug.log -## Use the system log instead of Tor's logfiles -#Log notice syslog -## To send all messages to stderr: -#Log debug stderr - -## Uncomment this to start the process in the background... or use -## --runasdaemon 1 on the command line. This is ignored on Windows; -## see the FAQ entry if you want Tor to run as an NT service. -#RunAsDaemon 1 - -## The directory for keeping all the keys/etc. By default, we store -## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. -DataDirectory /var/lib/tor - -## The port on which Tor will listen for local connections from Tor -## controller applications, as documented in control-spec.txt. -ControlPort RELAY_CTRLPORT -## If you enable the controlport, be sure to enable one of these -## authentication methods, to prevent attackers from accessing it. -#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C -#CookieAuthentication 1 - -############### This section is just for location-hidden services ### - -## Once you have configured a hidden service, you can look at the -## contents of the file ".../hidden_service/hostname" for the address -## to tell people. -## -## HiddenServicePort x y:z says to redirect requests on port x to the -## address y:z. - -#HiddenServiceDir /var/lib/tor/hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 - -#HiddenServiceDir /var/lib/tor/other_hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 -#HiddenServicePort 22 127.0.0.1:22 - -################ This section is just for relays ##################### -# -## See https://www.torproject.org/docs/tor-doc-relay for details. - -## Required: what port to advertise for incoming Tor connections. -ORPort RELAY_ORPORT -## If you want to listen on a port other than the one advertised in -## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as -## follows. You'll need to do ipchains or other port forwarding -## yourself to make this work. -#ORPort 443 NoListen -#ORPort 127.0.0.1:9090 NoAdvertise - -## The IP address or full DNS name for incoming connections to your -## relay. Leave commented out and Tor will guess. -#Address noname.example.com - -## If you have multiple network interfaces, you can specify one for -## outgoing traffic to use. -# OutboundBindAddress 10.0.0.5 - -## A handle for your relay, so people don't have to refer to it by key. -Nickname RELAY_NICKNAME - -## Define these to limit how much relayed traffic you will allow. Your -## own traffic is still unthrottled. Note that RelayBandwidthRate must -## be at least 20 kilobytes per second. -## Note that units for these config options are bytes (per second), not -## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, -## 2^20, etc. -#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) -#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) -RelayBandwidthRate RELAY_BANDWIDTH_RATE -RelayBandwidthBurst RELAY_BANDWIDTH_BURST - -## Use these to restrict the maximum traffic per day, week, or month. -## Note that this threshold applies separately to sent and received bytes, -## not to their sum: setting "4 GB" may allow up to 8 GB total before -## hibernating. -## -## Set a maximum of 4 gigabytes each way per period. -AccountingMax RELAY_ACCOUNTING_MAX -## Each period starts daily at midnight (AccountingMax is per day) -AccountingStart RELAY_ACCOUNTING_START -## Each period starts on the 3rd of the month at 15:00 (AccountingMax -## is per month) -#AccountingStart month 3 15:00 - -## Administrative contact information for this relay or bridge. This line -## can be used to contact you if your relay or bridge is misconfigured or -## something else goes wrong. Note that we archive and publish all -## descriptors containing these lines and that Google indexes them, so -## spammers might also collect them. You may want to obscure the fact that -## it's an email address and/or generate a new address for this purpose. -#ContactInfo Random Person -## You might also include your PGP or GPG fingerprint if you have one: -ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL - -## Uncomment this to mirror directory information for others. Please do -## if you have enough bandwidth. -DirPort RELAY_DIRPORT -## If you want to listen on a port other than the one advertised in -## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as -## follows. below too. You'll need to do ipchains or other port -## forwarding yourself to make this work. -#DirPort 80 NoListen -#DirPort 127.0.0.1:9091 NoAdvertise -## Uncomment to return an arbitrary blob of html on your DirPort. Now you -## can explain what Tor is if anybody wonders why your IP address is -## contacting them. See contrib/tor-exit-notice.html in Tor's source -## distribution for a sample. -#DirPortFrontPage /etc/tor/tor-exit-notice.html - -## Uncomment this if you run more than one Tor relay, and add the identity -## key fingerprint of each Tor relay you control, even if they're on -## different networks. You declare it here so Tor clients can avoid -## using more than one of your relays in a single circuit. See -## https://www.torproject.org/docs/faq#MultipleRelays -## However, you should never include a bridge's fingerprint here, as it would -## break its concealability and potentially reveal its IP/TCP address. -#MyFamily $keyid,$keyid,... - -## A comma-separated list of exit policies. They're considered first -## to last, and the first match wins. If you want to _replace_ -## the default exit policy, end this with either a reject *:* or an -## accept *:*. Otherwise, you're _augmenting_ (prepending to) the -## default exit policy. Leave commented to just use the default, which is -## described in the man page or at -## https://www.torproject.org/documentation.html -## -## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses -## for issues you might encounter if you use the default exit policy. -## -## If certain IPs and ports are blocked externally, e.g. by your firewall, -## you should update your exit policy to reflect this -- otherwise Tor -## users will be told that those destinations are down. -## -## For security, by default Tor rejects connections to private (local) -## networks, including to your public IP address. See the man page entry -## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". -## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy -#ExitPolicy reject *:* # no exits allowed -# -# Reduced exit policy from https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy -ExitPolicy accept *:20-23 # FTP, SSH, telnet -ExitPolicy accept *:43 # WHOIS -ExitPolicy accept *:53 # DNS -ExitPolicy accept *:79-81 # finger, HTTP -ExitPolicy accept *:88 # kerberos -ExitPolicy accept *:110 # POP3 -ExitPolicy accept *:143 # IMAP -ExitPolicy accept *:194 # IRC -ExitPolicy accept *:220 # IMAP3 -ExitPolicy accept *:389 # LDAP -ExitPolicy accept *:443 # HTTPS -ExitPolicy accept *:464 # kpasswd -ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587) -ExitPolicy accept *:531 # IRC/AIM -ExitPolicy accept *:543-544 # Kerberos -ExitPolicy accept *:554 # RTSP -ExitPolicy accept *:563 # NNTP over SSL -ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here) -ExitPolicy accept *:636 # LDAP over SSL -ExitPolicy accept *:706 # SILC -ExitPolicy accept *:749 # kerberos -ExitPolicy accept *:873 # rsync -ExitPolicy accept *:902-904 # VMware -ExitPolicy accept *:981 # Remote HTTPS management for firewall -ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL -ExitPolicy accept *:1194 # OpenVPN -ExitPolicy accept *:1220 # QT Server Admin -ExitPolicy accept *:1293 # PKT-KRB-IPSec -ExitPolicy accept *:1500 # VLSI License Manager -ExitPolicy accept *:1533 # Sametime -ExitPolicy accept *:1677 # GroupWise -ExitPolicy accept *:1723 # PPTP -ExitPolicy accept *:1755 # RTSP -ExitPolicy accept *:1863 # MSNP -ExitPolicy accept *:2082 # Infowave Mobility Server -ExitPolicy accept *:2083 # Secure Radius Service (radsec) -ExitPolicy accept *:2086-2087 # GNUnet, ELI -ExitPolicy accept *:2095-2096 # NBX -ExitPolicy accept *:2102-2104 # Zephyr -ExitPolicy accept *:3128 # SQUID -ExitPolicy accept *:3389 # MS WBT -ExitPolicy accept *:3690 # SVN -ExitPolicy accept *:4321 # RWHOIS -ExitPolicy accept *:4643 # Virtuozzo -ExitPolicy accept *:5050 # MMCC -ExitPolicy accept *:5190 # ICQ -ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL -ExitPolicy accept *:5228 # Android Market -ExitPolicy accept *:5900 # VNC -ExitPolicy accept *:6660-6669 # IRC -ExitPolicy accept *:6679 # IRC SSL -ExitPolicy accept *:6697 # IRC SSL -ExitPolicy accept *:8000 # iRDMI -ExitPolicy accept *:8008 # HTTP alternate -ExitPolicy accept *:8074 # Gadu-Gadu -ExitPolicy accept *:8080 # HTTP Proxies -ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port -ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP -ExitPolicy accept *:8332-8333 # Bitcoin -ExitPolicy accept *:8443 # PCsync HTTPS -ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE -ExitPolicy accept *:9418 # git -ExitPolicy accept *:9999 # distinct -ExitPolicy accept *:10000 # Network Data Management Protocol -ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol) -ExitPolicy accept *:19294 # Google Voice TCP -ExitPolicy accept *:19638 # Ensim control panel -ExitPolicy accept *:50002 # Electrum Bitcoin SSL -ExitPolicy accept *:64738 # Mumble -ExitPolicy reject *:* - -## Bridge relays (or "bridges") are Tor relays that aren't listed in the -## main directory. Since there is no complete public list of them, even an -## ISP that filters connections to all the known Tor relays probably -## won't be able to block all the bridges. Also, websites won't treat you -## differently because they won't know you're running Tor. If you can -## be a real relay, please do; but if not, be a bridge! -#BridgeRelay 1 -## By default, Tor will advertise your bridge to users through various -## mechanisms like https://bridges.torproject.org/. If you want to run -## a private bridge, for example because you'll give out your bridge -## address manually to your friends, uncomment this line: +## Configuration file for a typical Tor user +## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort RELAY_CTRLPORT +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort RELAY_ORPORT +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname RELAY_NICKNAME + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) +RelayBandwidthRate RELAY_BANDWIDTH_RATE +RelayBandwidthBurst RELAY_BANDWIDTH_BURST + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +AccountingMax RELAY_ACCOUNTING_MAX +## Each period starts daily at midnight (AccountingMax is per day) +AccountingStart RELAY_ACCOUNTING_START +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort RELAY_DIRPORT +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy reject *:* # no exits allowed +# +# Reduced exit policy from https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy +ExitPolicy accept *:20-23 # FTP, SSH, telnet +ExitPolicy accept *:43 # WHOIS +ExitPolicy accept *:53 # DNS +ExitPolicy accept *:79-81 # finger, HTTP +ExitPolicy accept *:88 # kerberos +ExitPolicy accept *:110 # POP3 +ExitPolicy accept *:143 # IMAP +ExitPolicy accept *:194 # IRC +ExitPolicy accept *:220 # IMAP3 +ExitPolicy accept *:389 # LDAP +ExitPolicy accept *:443 # HTTPS +ExitPolicy accept *:464 # kpasswd +ExitPolicy accept *:465 # URD for SSM (more often: an alternative SUBMISSION port, see 587) +ExitPolicy accept *:531 # IRC/AIM +ExitPolicy accept *:543-544 # Kerberos +ExitPolicy accept *:554 # RTSP +ExitPolicy accept *:563 # NNTP over SSL +ExitPolicy accept *:587 # SUBMISSION (authenticated clients [MUA's like Thunderbird] send mail over STARTTLS SMTP here) +ExitPolicy accept *:636 # LDAP over SSL +ExitPolicy accept *:706 # SILC +ExitPolicy accept *:749 # kerberos +ExitPolicy accept *:873 # rsync +ExitPolicy accept *:902-904 # VMware +ExitPolicy accept *:981 # Remote HTTPS management for firewall +ExitPolicy accept *:989-995 # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL +ExitPolicy accept *:1194 # OpenVPN +ExitPolicy accept *:1220 # QT Server Admin +ExitPolicy accept *:1293 # PKT-KRB-IPSec +ExitPolicy accept *:1500 # VLSI License Manager +ExitPolicy accept *:1533 # Sametime +ExitPolicy accept *:1677 # GroupWise +ExitPolicy accept *:1723 # PPTP +ExitPolicy accept *:1755 # RTSP +ExitPolicy accept *:1863 # MSNP +ExitPolicy accept *:2082 # Infowave Mobility Server +ExitPolicy accept *:2083 # Secure Radius Service (radsec) +ExitPolicy accept *:2086-2087 # GNUnet, ELI +ExitPolicy accept *:2095-2096 # NBX +ExitPolicy accept *:2102-2104 # Zephyr +ExitPolicy accept *:3128 # SQUID +ExitPolicy accept *:3389 # MS WBT +ExitPolicy accept *:3690 # SVN +ExitPolicy accept *:4321 # RWHOIS +ExitPolicy accept *:4643 # Virtuozzo +ExitPolicy accept *:5050 # MMCC +ExitPolicy accept *:5190 # ICQ +ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL +ExitPolicy accept *:5228 # Android Market +ExitPolicy accept *:5900 # VNC +ExitPolicy accept *:6660-6669 # IRC +ExitPolicy accept *:6679 # IRC SSL +ExitPolicy accept *:6697 # IRC SSL +ExitPolicy accept *:8000 # iRDMI +ExitPolicy accept *:8008 # HTTP alternate +ExitPolicy accept *:8074 # Gadu-Gadu +ExitPolicy accept *:8080 # HTTP Proxies +ExitPolicy accept *:8082 # HTTPS Electrum Bitcoin port +ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP +ExitPolicy accept *:8332-8333 # Bitcoin +ExitPolicy accept *:8443 # PCsync HTTPS +ExitPolicy accept *:8888 # HTTP Proxies, NewsEDGE +ExitPolicy accept *:9418 # git +ExitPolicy accept *:9999 # distinct +ExitPolicy accept *:10000 # Network Data Management Protocol +ExitPolicy accept *:11371 # OpenPGP hkp (http keyserver protocol) +ExitPolicy accept *:19294 # Google Voice TCP +ExitPolicy accept *:19638 # Ensim control panel +ExitPolicy accept *:50002 # Electrum Bitcoin SSL +ExitPolicy accept *:64738 # Mumble +ExitPolicy reject *:* + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: #PublishServerDescriptor 0 \ No newline at end of file diff --git a/torrc.middle b/torrc.middle index 3bed4f9..e35423a 100644 --- a/torrc.middle +++ b/torrc.middle @@ -1,194 +1,194 @@ -## Configuration file for a typical Tor user -## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. -## (may or may not work for much older or much newer versions of Tor.) -## -## Lines that begin with "## " try to explain what's going on. Lines -## that begin with just "#" are disabled commands: you can enable them -## by removing the "#" symbol. -## -## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, -## for more options you can use in this file. -## -## Tor will look for this file in various places based on your platform: -## https://www.torproject.org/docs/faq#torrc - -## Tor opens a socks proxy on port 9050 by default -- even if you don't -## configure one below. Set "SocksPort 0" if you plan to run Tor only -## as a relay, and not make any local application connections yourself. -#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. -#SocksPort 192.168.0.1:9100 # Bind to this address:port too. - -## Entry policies to allow/deny SOCKS requests based on IP address. -## First entry that matches wins. If no SocksPolicy is set, we accept -## all (and only) requests that reach a SocksPort. Untrusted users who -## can access your SocksPort may be able to learn about the connections -## you make. -#SocksPolicy accept 192.168.0.0/16 -#SocksPolicy reject * - -## Logs go to stdout at level "notice" unless redirected by something -## else, like one of the below lines. You can have as many Log lines as -## you want. -## -## We advise using "notice" in most cases, since anything more verbose -## may provide sensitive information to an attacker who obtains the logs. -## -## Send all messages of level 'notice' or higher to /var/log/tor/notices.log -#Log notice file /var/log/tor/notices.log -## Send every possible message to /var/log/tor/debug.log -#Log debug file /var/log/tor/debug.log -## Use the system log instead of Tor's logfiles -#Log notice syslog -## To send all messages to stderr: -#Log debug stderr - -## Uncomment this to start the process in the background... or use -## --runasdaemon 1 on the command line. This is ignored on Windows; -## see the FAQ entry if you want Tor to run as an NT service. -#RunAsDaemon 1 - -## The directory for keeping all the keys/etc. By default, we store -## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. -DataDirectory /var/lib/tor - -## The port on which Tor will listen for local connections from Tor -## controller applications, as documented in control-spec.txt. -ControlPort RELAY_CTRLPORT -## If you enable the controlport, be sure to enable one of these -## authentication methods, to prevent attackers from accessing it. -#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C -#CookieAuthentication 1 - -############### This section is just for location-hidden services ### - -## Once you have configured a hidden service, you can look at the -## contents of the file ".../hidden_service/hostname" for the address -## to tell people. -## -## HiddenServicePort x y:z says to redirect requests on port x to the -## address y:z. - -#HiddenServiceDir /var/lib/tor/hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 - -#HiddenServiceDir /var/lib/tor/other_hidden_service/ -#HiddenServicePort 80 127.0.0.1:80 -#HiddenServicePort 22 127.0.0.1:22 - -################ This section is just for relays ##################### -# -## See https://www.torproject.org/docs/tor-doc-relay for details. - -## Required: what port to advertise for incoming Tor connections. -ORPort RELAY_ORPORT -## If you want to listen on a port other than the one advertised in -## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as -## follows. You'll need to do ipchains or other port forwarding -## yourself to make this work. -#ORPort 443 NoListen -#ORPort 127.0.0.1:9090 NoAdvertise - -## The IP address or full DNS name for incoming connections to your -## relay. Leave commented out and Tor will guess. -#Address noname.example.com - -## If you have multiple network interfaces, you can specify one for -## outgoing traffic to use. -# OutboundBindAddress 10.0.0.5 - -## A handle for your relay, so people don't have to refer to it by key. -Nickname RELAY_NICKNAME - -## Define these to limit how much relayed traffic you will allow. Your -## own traffic is still unthrottled. Note that RelayBandwidthRate must -## be at least 20 kilobytes per second. -## Note that units for these config options are bytes (per second), not -## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, -## 2^20, etc. -#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) -#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) -RelayBandwidthRate RELAY_BANDWIDTH_RATE -RelayBandwidthBurst RELAY_BANDWIDTH_BURST - -## Use these to restrict the maximum traffic per day, week, or month. -## Note that this threshold applies separately to sent and received bytes, -## not to their sum: setting "4 GB" may allow up to 8 GB total before -## hibernating. -## -## Set a maximum of 4 gigabytes each way per period. -AccountingMax RELAY_ACCOUNTING_MAX -## Each period starts daily at midnight (AccountingMax is per day) -AccountingStart RELAY_ACCOUNTING_START -## Each period starts on the 3rd of the month at 15:00 (AccountingMax -## is per month) -#AccountingStart month 3 15:00 - -## Administrative contact information for this relay or bridge. This line -## can be used to contact you if your relay or bridge is misconfigured or -## something else goes wrong. Note that we archive and publish all -## descriptors containing these lines and that Google indexes them, so -## spammers might also collect them. You may want to obscure the fact that -## it's an email address and/or generate a new address for this purpose. -#ContactInfo Random Person -## You might also include your PGP or GPG fingerprint if you have one: -ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL - -## Uncomment this to mirror directory information for others. Please do -## if you have enough bandwidth. -DirPort RELAY_DIRPORT -## If you want to listen on a port other than the one advertised in -## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as -## follows. below too. You'll need to do ipchains or other port -## forwarding yourself to make this work. -#DirPort 80 NoListen -#DirPort 127.0.0.1:9091 NoAdvertise -## Uncomment to return an arbitrary blob of html on your DirPort. Now you -## can explain what Tor is if anybody wonders why your IP address is -## contacting them. See contrib/tor-exit-notice.html in Tor's source -## distribution for a sample. -#DirPortFrontPage /etc/tor/tor-exit-notice.html - -## Uncomment this if you run more than one Tor relay, and add the identity -## key fingerprint of each Tor relay you control, even if they're on -## different networks. You declare it here so Tor clients can avoid -## using more than one of your relays in a single circuit. See -## https://www.torproject.org/docs/faq#MultipleRelays -## However, you should never include a bridge's fingerprint here, as it would -## break its concealability and potentially reveal its IP/TCP address. -#MyFamily $keyid,$keyid,... - -## A comma-separated list of exit policies. They're considered first -## to last, and the first match wins. If you want to _replace_ -## the default exit policy, end this with either a reject *:* or an -## accept *:*. Otherwise, you're _augmenting_ (prepending to) the -## default exit policy. Leave commented to just use the default, which is -## described in the man page or at -## https://www.torproject.org/documentation.html -## -## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses -## for issues you might encounter if you use the default exit policy. -## -## If certain IPs and ports are blocked externally, e.g. by your firewall, -## you should update your exit policy to reflect this -- otherwise Tor -## users will be told that those destinations are down. -## -## For security, by default Tor rejects connections to private (local) -## networks, including to your public IP address. See the man page entry -## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". -## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy -ExitPolicy reject *:* # no exits allowed - -## Bridge relays (or "bridges") are Tor relays that aren't listed in the -## main directory. Since there is no complete public list of them, even an -## ISP that filters connections to all the known Tor relays probably -## won't be able to block all the bridges. Also, websites won't treat you -## differently because they won't know you're running Tor. If you can -## be a real relay, please do; but if not, be a bridge! -#BridgeRelay 1 -## By default, Tor will advertise your bridge to users through various -## mechanisms like https://bridges.torproject.org/. If you want to run -## a private bridge, for example because you'll give out your bridge -## address manually to your friends, uncomment this line: +## Configuration file for a typical Tor user +## Last updated 2 September 2014 for Tor 0.2.6.1-alpha. +## (may or may not work for much older or much newer versions of Tor.) +## +## Lines that begin with "## " try to explain what's going on. Lines +## that begin with just "#" are disabled commands: you can enable them +## by removing the "#" symbol. +## +## See 'man tor', or https://www.torproject.org/docs/tor-manual.html, +## for more options you can use in this file. +## +## Tor will look for this file in various places based on your platform: +## https://www.torproject.org/docs/faq#torrc + +## Tor opens a socks proxy on port 9050 by default -- even if you don't +## configure one below. Set "SocksPort 0" if you plan to run Tor only +## as a relay, and not make any local application connections yourself. +#SocksPort 9050 # Default: Bind to localhost:9050 for local connections. +#SocksPort 192.168.0.1:9100 # Bind to this address:port too. + +## Entry policies to allow/deny SOCKS requests based on IP address. +## First entry that matches wins. If no SocksPolicy is set, we accept +## all (and only) requests that reach a SocksPort. Untrusted users who +## can access your SocksPort may be able to learn about the connections +## you make. +#SocksPolicy accept 192.168.0.0/16 +#SocksPolicy reject * + +## Logs go to stdout at level "notice" unless redirected by something +## else, like one of the below lines. You can have as many Log lines as +## you want. +## +## We advise using "notice" in most cases, since anything more verbose +## may provide sensitive information to an attacker who obtains the logs. +## +## Send all messages of level 'notice' or higher to /var/log/tor/notices.log +#Log notice file /var/log/tor/notices.log +## Send every possible message to /var/log/tor/debug.log +#Log debug file /var/log/tor/debug.log +## Use the system log instead of Tor's logfiles +#Log notice syslog +## To send all messages to stderr: +#Log debug stderr + +## Uncomment this to start the process in the background... or use +## --runasdaemon 1 on the command line. This is ignored on Windows; +## see the FAQ entry if you want Tor to run as an NT service. +#RunAsDaemon 1 + +## The directory for keeping all the keys/etc. By default, we store +## things in $HOME/.tor on Unix, and in Application Data\tor on Windows. +DataDirectory /var/lib/tor + +## The port on which Tor will listen for local connections from Tor +## controller applications, as documented in control-spec.txt. +ControlPort RELAY_CTRLPORT +## If you enable the controlport, be sure to enable one of these +## authentication methods, to prevent attackers from accessing it. +#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C +#CookieAuthentication 1 + +############### This section is just for location-hidden services ### + +## Once you have configured a hidden service, you can look at the +## contents of the file ".../hidden_service/hostname" for the address +## to tell people. +## +## HiddenServicePort x y:z says to redirect requests on port x to the +## address y:z. + +#HiddenServiceDir /var/lib/tor/hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 + +#HiddenServiceDir /var/lib/tor/other_hidden_service/ +#HiddenServicePort 80 127.0.0.1:80 +#HiddenServicePort 22 127.0.0.1:22 + +################ This section is just for relays ##################### +# +## See https://www.torproject.org/docs/tor-doc-relay for details. + +## Required: what port to advertise for incoming Tor connections. +ORPort RELAY_ORPORT +## If you want to listen on a port other than the one advertised in +## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as +## follows. You'll need to do ipchains or other port forwarding +## yourself to make this work. +#ORPort 443 NoListen +#ORPort 127.0.0.1:9090 NoAdvertise + +## The IP address or full DNS name for incoming connections to your +## relay. Leave commented out and Tor will guess. +#Address noname.example.com + +## If you have multiple network interfaces, you can specify one for +## outgoing traffic to use. +# OutboundBindAddress 10.0.0.5 + +## A handle for your relay, so people don't have to refer to it by key. +Nickname RELAY_NICKNAME + +## Define these to limit how much relayed traffic you will allow. Your +## own traffic is still unthrottled. Note that RelayBandwidthRate must +## be at least 20 kilobytes per second. +## Note that units for these config options are bytes (per second), not +## bits (per second), and that prefixes are binary prefixes, i.e. 2^10, +## 2^20, etc. +#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps) +#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb) +RelayBandwidthRate RELAY_BANDWIDTH_RATE +RelayBandwidthBurst RELAY_BANDWIDTH_BURST + +## Use these to restrict the maximum traffic per day, week, or month. +## Note that this threshold applies separately to sent and received bytes, +## not to their sum: setting "4 GB" may allow up to 8 GB total before +## hibernating. +## +## Set a maximum of 4 gigabytes each way per period. +AccountingMax RELAY_ACCOUNTING_MAX +## Each period starts daily at midnight (AccountingMax is per day) +AccountingStart RELAY_ACCOUNTING_START +## Each period starts on the 3rd of the month at 15:00 (AccountingMax +## is per month) +#AccountingStart month 3 15:00 + +## Administrative contact information for this relay or bridge. This line +## can be used to contact you if your relay or bridge is misconfigured or +## something else goes wrong. Note that we archive and publish all +## descriptors containing these lines and that Google indexes them, so +## spammers might also collect them. You may want to obscure the fact that +## it's an email address and/or generate a new address for this purpose. +#ContactInfo Random Person +## You might also include your PGP or GPG fingerprint if you have one: +ContactInfo CONTACT_GPG_FINGERPRINT CONTACT_NAME CONTACT_EMAIL + +## Uncomment this to mirror directory information for others. Please do +## if you have enough bandwidth. +DirPort RELAY_DIRPORT +## If you want to listen on a port other than the one advertised in +## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as +## follows. below too. You'll need to do ipchains or other port +## forwarding yourself to make this work. +#DirPort 80 NoListen +#DirPort 127.0.0.1:9091 NoAdvertise +## Uncomment to return an arbitrary blob of html on your DirPort. Now you +## can explain what Tor is if anybody wonders why your IP address is +## contacting them. See contrib/tor-exit-notice.html in Tor's source +## distribution for a sample. +#DirPortFrontPage /etc/tor/tor-exit-notice.html + +## Uncomment this if you run more than one Tor relay, and add the identity +## key fingerprint of each Tor relay you control, even if they're on +## different networks. You declare it here so Tor clients can avoid +## using more than one of your relays in a single circuit. See +## https://www.torproject.org/docs/faq#MultipleRelays +## However, you should never include a bridge's fingerprint here, as it would +## break its concealability and potentially reveal its IP/TCP address. +#MyFamily $keyid,$keyid,... + +## A comma-separated list of exit policies. They're considered first +## to last, and the first match wins. If you want to _replace_ +## the default exit policy, end this with either a reject *:* or an +## accept *:*. Otherwise, you're _augmenting_ (prepending to) the +## default exit policy. Leave commented to just use the default, which is +## described in the man page or at +## https://www.torproject.org/documentation.html +## +## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses +## for issues you might encounter if you use the default exit policy. +## +## If certain IPs and ports are blocked externally, e.g. by your firewall, +## you should update your exit policy to reflect this -- otherwise Tor +## users will be told that those destinations are down. +## +## For security, by default Tor rejects connections to private (local) +## networks, including to your public IP address. See the man page entry +## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". +## +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more +#ExitPolicy accept *:119 # accept nntp as well as default exit policy +ExitPolicy reject *:* # no exits allowed + +## Bridge relays (or "bridges") are Tor relays that aren't listed in the +## main directory. Since there is no complete public list of them, even an +## ISP that filters connections to all the known Tor relays probably +## won't be able to block all the bridges. Also, websites won't treat you +## differently because they won't know you're running Tor. If you can +## be a real relay, please do; but if not, be a bridge! +#BridgeRelay 1 +## By default, Tor will advertise your bridge to users through various +## mechanisms like https://bridges.torproject.org/. If you want to run +## a private bridge, for example because you'll give out your bridge +## address manually to your friends, uncomment this line: #PublishServerDescriptor 0 \ No newline at end of file