Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
224 lines (200 sloc) 9.83 KB
#
# torrc - Sample configuration file for a Tor relay/bridge
# Copyright (c) 2017 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# The Tor network is a group of volunteer-operated servers that allows
# people to improve their privacy and security on the Internet. Tor's
# users employ this network by connecting through a series of virtual
# tunnels rather than making a direct connection, thus allowing both
# organizations and individuals to share information over public networks
# without compromising their privacy. Along the same line, Tor is an
# effective censorship circumvention tool, allowing its users to reach
# otherwise blocked destinations or content. Tor can also be used as a
# building block for software developers to create new communication
# tools with built-in privacy features.
#
# This sample configuration file has been tested on FreeBSD with Tor
# 0.3.0.10.
#
# See also:
# https://www.torproject.org/docs/tor-manual.html
# https://www.torproject.org/docs/tor-doc-relay
# https://blog.torproject.org/blog/lifecycle-of-a-new-relay
# https://atlas.torproject.org/
#
############### This section contains general options
# Tor opens a SOCKS proxy on port 9050 by default -- even if you don't
# configure one below. Set "SOCKSPort 0" if you plan to run Tor only
# as a relay, and not make any local application connections yourself.
#SOCKSPort 9050 # Default: Bind to localhost:9050 for local connections.
#SOCKSPort 192.168.0.1:9100 # Bind to this address:port too.
# Entry policies to allow/deny SOCKS requests based on IP address.
# First entry that matches wins. If no SOCKSPolicy is set, we accept
# all (and only) requests that reach a SOCKSPort. Untrusted users who
# can access your SOCKSPort may be able to learn about the connections
# you make.
#SOCKSPolicy accept 192.168.0.0/16
#SOCKSPolicy accept6 FC00::/7
#SOCKSPolicy reject *
# Logs go to stdout at level "notice" unless redirected by something
# else, like one of the below lines. You can have as many Log lines as
# you want.
#
# We advise using "notice" in most cases, since anything more verbose
# may provide sensitive information to an attacker who obtains the logs.
#
# Send all messages of level 'notice' or higher to /var/log/tor/notices.log
#Log notice file /var/log/tor/notices.log
# Send every possible message to /var/log/tor/debug.log
#Log debug file /var/log/tor/debug.log
# To send all messages to stderr:
#Log debug stderr
# Use the system log instead of Tor's logfiles
Log notice syslog
# Uncomment this to start the process in the background... or use
# --runasdaemon 1 on the command line. This is ignored on Windows;
# see the FAQ entry if you want Tor to run as an NT service.
#RunAsDaemon 1
# The directory for keeping all the keys/etc. By default, we store
# things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
#DataDirectory /var/db/tor
# The port on which Tor will listen for local connections from Tor
# controller applications, as documented in control-spec.txt.
#ControlPort 9051
# If you enable the controlport, be sure to enable one of these
# authentication methods, to prevent attackers from accessing it.
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
#CookieAuthentication 1
############### This section is just for location-hidden services
# Once you have configured a hidden service, you can look at the
# contents of the file ".../hidden_service/hostname" for the address
# to tell people.
#
# HiddenServicePort x y:z says to redirect requests on port x to the
# address y:z.
#HiddenServiceDir /var/db/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServiceDir /var/db/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22
################ This section is just for relays
# Required: what port to advertise for incoming Tor connections.
#ORPort 9001
# If you want to listen on a port other than the one advertised in
# ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
# follows. You'll need to do pf or other port forwarding yourself
# to make this work.
# For instance, a xinetd configuration to accomplish this might be:
# service orport
# {
# disable = no
# type = UNLISTED
# socket_type = stream
# protocol = tcp
# user = nobody
# wait = no
# redirect = 127.0.0.1 9090
# port = 443
#}
ORPort 443 NoListen
ORPort 127.0.0.1:9090 NoAdvertise
# The IP address or full DNS name for incoming connections to your
# relay. Leave commented out and Tor will guess.
#Address mytorrelay.example.com
# If you have multiple network interfaces, you can specify one for
# outgoing traffic to use.
#OutboundBindAddress 10.0.0.5
# A handle for your relay, so people don't have to refer to it by key.
Nickname mytorrelay
# Define these to limit how much relayed traffic you will allow. Your
# own traffic is still unthrottled. Note that RelayBandwidthRate must
# be at least 20 kilobytes per second.
# Note that units for these config options are bytes (per second), not
# bits (per second), and that prefixes are binary prefixes, i.e. 2^10,
# 2^20, etc.
#RelayBandwidthRate 100 KBytes # Throttle traffic to 100KB/s (800Kbps)
#RelayBandwidthBurst 200 KBytes # But allow bursts up to 200KB (1600Kb)
#RelayBandwidthRate 1 MBytes # 6 TB/Month > 6442450944/2678400/2=1202
RelayBandwidthRate 2 MBytes
# Use these to restrict the maximum traffic per day, week, or month.
# Note that this threshold applies separately to sent and received bytes,
# not to their sum: setting "40 GB" may allow up to 80 GB total before
# hibernating.
AccountingMax 1536 GBytes # 6144/4 GB/Week
AccountingRule sum
AccountingStart week 1 00:00
# Administrative contact information for this relay or bridge. This line
# can be used to contact you if your relay or bridge is misconfigured or
# something else goes wrong. Note that we archive and publish all
# descriptors containing these lines and that Google indexes them, so
# spammers might also collect them. You may want to obscure the fact that
# it's an email address and/or generate a new address for this purpose.
# You might also include your PGP or GPG fingerprint if you have one.
ContactInfo mytorcontact AT example DOT com
# Uncomment this to mirror directory information for others. Please do
# if you have enough bandwidth.
#DirPort 9030
# If you want to listen on a port other than the one advertised in
# DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
# follows. below too. You'll need to do ipchains or other port
# forwarding yourself to make this work (see ORPort above for a sample
# xinetd configuration).
DirPort 80 NoListen
DirPort 127.0.0.1:9091 NoAdvertise
# Uncomment to return an arbitrary blob of html on your DirPort. Now you
# can explain what Tor is if anybody wonders why your IP address is
# contacting them. See contrib/tor-exit-notice.html in Tor's source
# distribution for a sample.
DirPortFrontPage /usr/local/etc/tor/mytorrelay.html
# Uncomment this if you run more than one Tor relay, and add the identity
# key fingerprint of each Tor relay you control, even if they're on
# different networks. You declare it here so Tor clients can avoid
# using more than one of your relays in a single circuit. See
# https://www.torproject.org/docs/faq#MultipleRelays
# However, you should never include a bridge's fingerprint here, as it would
# break its concealability and potentially reveal its IP/TCP address.
#MyFamily $keyid,$keyid,...
# A comma-separated list of exit policies. They're considered first
# to last, and the first match wins.
#
# If you want to allow the same ports on IPv4 and IPv6, write your rules
# using accept/reject *. If you want to allow different ports on IPv4 and
# IPv6, write your IPv6 rules using accept6/reject6 *6, and your IPv4 rules
# using accept/reject *4.
#
# If you want to _replace_ the default exit policy, end this with either a
# reject *:* or an accept *:*. Otherwise, you're _augmenting_ (prepending to)
# the default exit policy. Leave commented to just use the default, which is
# described in the man page or at
# https://www.torproject.org/documentation.html
#
# Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
# for issues you might encounter if you use the default exit policy.
#
# If certain IPs and ports are blocked externally, e.g. by your firewall,
# you should update your exit policy to reflect this -- otherwise Tor
# users will be told that those destinations are down.
#
# For security, by default Tor rejects connections to private (local)
# networks, including to the configured primary public IPv4 and IPv6 addresses,
# and any public IPv4 and IPv6 addresses on any interface on the relay.
# See the man page entry for ExitPolicyRejectPrivate if you want to allow
# "exit enclaving".
#
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
ExitPolicy reject *:* # no exits allowed
# Bridge relays (or "bridges") are Tor relays that aren't listed in the
# main directory. Since there is no complete public list of them, even an
# ISP that filters connections to all the known Tor relays probably
# won't be able to block all the bridges. Also, websites won't treat you
# differently because they won't know you're running Tor. If you can
# be a real relay, please do; but if not, be a bridge!
#BridgeRelay 1
# By default, Tor will advertise your bridge to users through various
# mechanisms like https://bridges.torproject.org/. If you want to run
# a private bridge, for example because you'll give out your bridge
# address manually to your friends, uncomment this line:
#PublishServerDescriptor 0