b358ef7e95cdae9228b51dea80eaa19e8276f040
Roger Dingledine and move them to cvs/websit...

Roger Dingledine authored 18 years ago

1) ## translation metadata
2) # Revision: $Revision$
3) 
4) #include "head.wmi" TITLE="Server Configuration Instructions"
5) 
6) <div class="center">
7) 
8) <div class="main-column">
9) 
10) <h1>Configuring a <a href="<page index>">Tor</a> server</h1>
11) <br />
12) 
13) <p>
14) The Tor network relies on volunteers to donate bandwidth. The more
15) people who run servers, the faster the Tor network will be. If you have
16) at least 20 kilobytes/s each way, please help out Tor by configuring your
17) Tor to be a server too. We have many features that make Tor servers easy
18) and convenient, including rate limiting for bandwidth, exit policies so
19) you can limit your exposure to abuse complaints, and support for dynamic
20) IP addresses.</p>
21) 
22) <p>Having servers in many different places on the Internet is what
23) makes Tor users secure. <a
24) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerAnonymity">You
25) may also get stronger anonymity yourself</a>,
26) since remote sites can't know whether connections originated at your
27) computer or were relayed from others.</p>
28) 
29) <p>Setting up a Tor server is easy and convenient:
30) <ul>
31) <li>Tor has built-in support for <a
32) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
33) limiting</a>. Further, if you have a fast link
34) but want to limit the number of bytes per day
35) (or week or month) that you donate, check out the <a
36) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation">hibernation
37) feature</a>.
38) </li>
39) <li>Each Tor server has an <a
40) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut">exit
41) policy</a> that specifies what sort of outbound connections are allowed
42) or refused from that server. If you are uncomfortable allowing people
43) to exit from your server, you can set it up to only allow connections
44) to other Tor servers.
45) </li>
46) <li>It's fine if the server goes offline sometimes. The directories
47) notice this quickly and stop advertising the server. Just try to make
48) sure it's not too often, since connections using the server when it
49) disconnects will break.
50) </li>
51) <li>We can handle servers with dynamic IPs just fine &mdash; simply
52) leave the Address config option blank, and Tor will try to guess.
53) </li>
54) <li>If your server is behind a NAT and it doesn't know its public
55) IP (e.g. it has an IP of 192.168.x.y), you'll need to set up port
56) forwarding. Forwarding TCP connections is system dependent but <a
57) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients">this
58) FAQ entry</a> offers some examples on how to do this.
59) </li>
60) <li>Your server will passively estimate and advertise its recent
61) bandwidth capacity, so high-bandwidth servers will attract more users than
62) low-bandwidth ones. Therefore having low-bandwidth servers is useful too.
63) </li>
64) </ul>
65) 
66) <p>You can run a Tor server on
67) pretty much any operating system, but see <a
68) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerOS">this
69) FAQ entry</a> for advice about which ones work best and other problems
70) you might encounter.</p>
71) 
72) <hr />
73) <a id="zero"></a>
74) <h2><a class="anchor" href="#zero">Step Zero: Download and Install Tor</a></h2>
75) <br />
76) 
77) <p>Before you start, you need to make sure that Tor is up and running.
78) </p>
79) 
80) <p>For Windows users, this means at least <a
81) href="<page docs/tor-doc-win32>#installing">step one</a>
82) of the Windows Tor installation howto. Mac OS X users need to do at least
83) <a href="<page docs/tor-doc-osx>#installing">step one</a>
84) of the OS X Tor installation howto. Linux/BSD/Unix users should do at least
85) <a href="<page docs/tor-doc-unix>#installing">step one</a>
86) of the Unix Tor installation howto.
87) </p>
88) 
89) <p>If it's convenient, you might also want to use it as a client for a
90) while to make sure it's actually working.</p>
91) 
92) <hr />
93) <a id="setup"></a>
94) <h2><a class="anchor" href="#setup">Step One: Set it up as a server</a></h2>
95) <br />
96) 
97) <p>
98) 1. Verify that your clock is set correctly. If possible, synchronize
99) your clock with public time servers.
100) </p>
101) 
102) <p>
103) 2. Make sure name resolution works (that is, your computer can resolve
104) Internet addresses correctly).
105) </p>
106) 
107) <p>
108) 3. Edit the bottom part of your torrc. (See <a
109) href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#torrc">this
110) FAQ entry</a> for help.)
111) Make sure to define at least Nickname and ORPort. Create the DataDirectory
112) if necessary, and make sure it's owned by the user that will be running
113) tor. <em>If you want to run more than one server that's great, but
114) please set <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers">the
115) MyFamily option</a> in all your servers' configuration files.</em>
116) </p>
117) 
118) <p>
119) 4. If you are using a firewall, open a hole in your firewall so
120) incoming connections can reach the ports you configured in step 3 (ORPort, plus
121) DirPort if you enabled it). Make sure you allow all outgoing connections,
122) so your server can reach the other Tor servers.
123) </p>
124) 
125) <p>
126) 5. Restart your server. If it <a
127) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Logs">logs
128) any warnings</a>, address them.
129) </p>
130) 
131) <p>
132) 6. Subscribe to the <a
133) href="http://archives.seul.org/or/announce/">or-announce</a>
134) mailing list. It is very low volume, and it will keep you informed
135) of new stable releases. You might also consider subscribing to <a
136) href="http://archives.seul.org/or/talk/">or-talk</a> (higher volume),
137) where new development releases are announced.
138) </p>
139) 
140) <p>
141) 7. Have a look at the manual.
142) The <a href="<page tor-manual>">manual</a> for the
143) latest stable version provides a list of all the possible configuration
144) options for both clients and servers.
145) If you are running the development version of Tor, the manual is available
146) <a href="<page tor-manual-dev>">here</a>.
147) </p>
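
A preflight check for the torrc settings this page asks for (Nickname, ORPort, ContactInfo, DataDirectory ownership, and low ports on Unix), as an added example that is not part of Tor or of the original page. The function names and the sample values in `demo` are assumptions made for illustration, and treating ContactInfo as required is this example's choice.

```shell
#!/bin/sh
# Added example, not part of Tor: preflight check for the torrc settings
# this page asks for. Function names are hypothetical.

# torrc_get FILE KEY: print the value of the first uncommented KEY line.
torrc_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == tolower(key) {            # option names are case-insensitive
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")      # drop the option name
            sub(/[ \t\r]+$/, "")                 # drop trailing whitespace
            print; exit
        }' "$1"
}

# check_torrc FILE [UID]: print one line per finding. UID is the numeric id
# of the account that will run tor (default: the caller). Returns 1 when a
# setting is missing or the DataDirectory is absent or owned by someone else.
check_torrc() {
    rc=$1; want_uid=${2:-$(id -u)}; bad=0
    for key in Nickname ORPort ContactInfo; do
        if [ -z "$(torrc_get "$rc" "$key")" ]; then
            echo "MISSING $key"; bad=1
        fi
    done
    for key in ORPort DirPort; do
        port=$(torrc_get "$rc" "$key")
        case $port in
            ''|*[!0-9]*) continue ;;             # unset, or not a bare port number
        esac
        if [ "$port" -lt 1024 ] && [ "$want_uid" -ne 0 ]; then
            echo "NOTE $key $port: a non-root Unix server needs port forwarding"
        fi
    done
    dir=$(torrc_get "$rc" DataDirectory)
    if [ -n "$dir" ]; then
        if [ ! -d "$dir" ]; then
            echo "MISSING DataDirectory $dir"; bad=1
        else
            owner=$(ls -ldn "$dir" | awk '{ print $3 }')
            if [ "$owner" != "$want_uid" ]; then
                echo "OWNER $dir belongs to uid $owner, expected $want_uid"; bad=1
            fi
        fi
    fi
    return "$bad"
}

# demo: run the check on a constructed torrc (all values invented).
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/data"
    printf '%s\n' 'Nickname examplerelay' 'ORPort 443' '#ContactInfo unset' \
        "DataDirectory $tmp/data" > "$tmp/torrc"
    check_torrc "$tmp/torrc"; status=$?
    rm -rf "$tmp"; return "$status"
}

if [ "$#" -gt 0 ]; then check_torrc "$@"; else demo || :; fi
```

Pass the numeric uid of the account that runs tor as the second argument when you run the check from a different account.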
148) 
149) <hr />
150) <a id="check"></a>
151) <h2><a class="anchor" href="#check">Step Two: Make sure it's working</a></h2>
152) <br />
153) 
154) <p>As soon as your server manages to connect to the network, it will
155) try to determine whether the ports you configured are reachable from
156) the outside. This may take up to 20 minutes. Look for a
157) <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Logs">log
158) entry</a> like
159) <tt>Self-testing indicates your ORPort is reachable from the outside. Excellent.</tt>
160) If you don't see this message, it means that your server is not reachable
161) from the outside &mdash; you should re-check your firewalls, check that it's
162) testing the IP and port you think it should be testing, etc.
163) </p>
164) 
165) <p>When it decides that it's reachable, it will upload a "server
166) descriptor" to the directories. This will let clients know
167) what address, ports, keys, etc. your server is using. You can <a
168) href="http://moria.seul.org:9032/tor/status/authority">load one of
169) the network statuses manually</a> and
170) look through it to find the nickname you configured, to make sure it's
171) there. You may need to wait a few seconds to give enough time for it to
172) make a fresh directory.</p>
173) 
174) <hr />
175) <a id="after"></a>
176) <h2><a class="anchor" href="#after">Step Three: Once it's working</a></h2>
177) <br />
178) 
179) <p>
180) We recommend the following steps as well:
181) </p>
182) 
183) <p>
184) 8. Read
185) <a href="http://wiki.noreply.org/noreply/TheOnionRouter/OperationalSecurity">this document</a>
186) to get ideas on how you can increase the security of your server.
187) </p>
188) 
189) <p>
190) 9. Decide what exit policy you want. By default your server allows
191) access to many popular services, but restricts some (such as port 25)
192) due to abuse potential. You might want an exit policy that is
193) less restrictive or more restrictive; edit your torrc appropriately.
194) Read the FAQ entry on <a
195) href="<page faq-abuse>#TypicalAbuses">issues you might
196) encounter if you use the default exit policy</a>.
197) If you choose a particularly open exit policy, you should make
198) sure your ISP is OK with that choice.
199) If there are any resources that your computer can't reach (for example,
200) you are behind a restrictive firewall or content filter), please
201) explicitly reject them in your exit policy &mdash; otherwise Tor users
202) will be impacted too.
203) </p>
204) 
205) <p>
206) 10. Decide about rate limiting. Cable modem, DSL, and other users
207) who have asymmetric bandwidth (e.g. more down than up) should
208) rate limit to their slower bandwidth, to avoid congestion. See the <a
209) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate
210) limiting FAQ entry</a> for details.
211) </p>
212) 
213) <p>
214) 11. Back up your Tor server's private key (stored in "keys/secret_id_key"
215) in your DataDirectory). This is your server's "identity," and
216) you need to keep it safe so nobody can read the traffic that goes
217) through your server. This is the critical file to keep if you need to <a
218) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#UpgradeServer">move
219) or restore your Tor server</a> if something goes wrong.
220) </p>
221) 
222) <p>
223) 12. If you control the name servers for your domain, consider setting
224) your hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when other
225) people see the address in their web logs, they will more quickly
226) understand what's going on.
227) </p>
228) 
229) <p>
230) 13. If your computer isn't running a webserver, please consider
231) changing your ORPort to 443 and your DirPort to 80. Many Tor
232) users are stuck behind firewalls that only let them browse the
233) web, and this change will let them reach your Tor server. Win32
234) servers can simply change their ORPort and DirPort directly
235) in their torrc and restart Tor. OS X or Unix servers can't bind
236) directly to these ports (since they don't run as root), so they will
237) need to set up some sort of <a
238) href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#ServerForFirewalledClients">
239) port forwarding</a> so connections can reach their Tor server. If you are
240) using ports 80 and 443 already but still want to help out, other useful
241) ports are 22, 110, and 143.
242) </p>
243) 
244) <p>
245) 14. If your Tor server provides other services on the same IP address
246) &mdash; such as a public webserver &mdash; make sure that connections to the
247) webserver are allowed from the local host too. You need to allow these
248) connections because Tor clients will detect that your Tor server is the <a
249) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers">safest
250) way to reach that webserver</a>, and always build a circuit that ends
251) at your server. If you don't want to allow the connections, you must
252) explicitly reject them in your exit policy.
253) </p>
254) 
255) <p>
256) 15. (Unix only.) Make a separate user to run the server. If you
257) installed the OS X package or the deb or the rpm, this is already
258) done. Otherwise, you can do it by hand. (The Tor server doesn't need to
259) be run as root, so it's good practice to not run it as root. Running
260) as a 'tor' user avoids issues with identd and other services that
261) detect user name. If you're the paranoid sort, feel free to <a
262) href="http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot">put Tor
263) into a chroot jail</a>.)
264) </p>
265) 
266) <p>
267) 16. (Unix only.) Your operating system probably limits the number
268) of open file descriptors per process to 1024 (or even less). If you
269) plan to be running a fast exit node, this is probably not enough. On
270) Linux, you should add a line like "toruser hard nofile 8192" to your
271) /etc/security/limits.conf file (where toruser is the user that runs the
272) Tor process), and then restart Tor if it's installed as a package (or log
273) out and log back in if you run it yourself). If that doesn't work, see <a
274) href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#FileDescriptors">this
275) FAQ entry</a> for other suggested ways to run "ulimit -n 8192" before
276) you launch Tor.
277) </p>
278) 
279) <p>
280) 17. If you installed Tor via some package or installer, it probably starts
281) Tor for you automatically on boot. But if you installed from source,
282) you may find the initscripts in contrib/tor.sh or contrib/torctl useful.
283) </p>
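
Checks for steps 11, 15 and 16 (identity key backup, not running as root, open-file limit), as an added example that is not part of Tor or of the original page. The function names are hypothetical, the key file in `demo` is a constructed placeholder, and reading "keep it safe" as owner-only file permissions is this example's assumption.

```shell
#!/bin/sh
# Added example, not part of Tor: checks for steps 11, 15 and 16.
# Function names are hypothetical.

# key_is_private FILE: succeed only if group and others have no access bits.
key_is_private() {
    mode=$(ls -ln "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# backup_identity_key DATADIR DEST: copy keys/secret_id_key to DEST with
# owner-only permissions, then verify the copy byte for byte.
backup_identity_key() {
    src=$1/keys/secret_id_key
    if [ ! -f "$src" ]; then
        echo "no identity key at $src" >&2; return 1
    fi
    ( umask 077 && cp "$src" "$2" ) || return 1
    chmod 600 "$2" && cmp -s "$src" "$2"
}

# fd_limit_ok MIN: succeed if the open-file limit of this shell is >= MIN.
fd_limit_ok() {
    cur=$(ulimit -n)
    [ "$cur" = "unlimited" ] || [ "$cur" -ge "$1" ]
}

# host_report DATADIR: print one WARN line per finding.
host_report() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "WARN running as root; use a separate user for tor"
    fi
    if ! fd_limit_ok 8192; then
        echo "WARN open-file limit $(ulimit -n) is below 8192"
    fi
    key=$1/keys/secret_id_key
    if [ -f "$key" ] && ! key_is_private "$key"; then
        echo "WARN $key is accessible to group or others"
    fi
}

# demo: constructed DataDirectory with a dummy, world-readable key file.
demo() {
    tmp=$(mktemp -d); mkdir "$tmp/keys"
    echo "constructed placeholder, not a real key" > "$tmp/keys/secret_id_key"
    chmod 644 "$tmp/keys/secret_id_key"
    host_report "$tmp"
    backup_identity_key "$tmp" "$tmp/backup.key" && key_is_private "$tmp/backup.key"
    status=$?; rm -rf "$tmp"; return "$status"
}

# Usage: run as the tor user, e.g. sh host_report.sh /path/to/DataDirectory
if [ "$#" -gt 0 ]; then host_report "$1"; else demo || :; fi
```

Run it as the account that runs Tor, so the root check and the open-file limit describe that account rather than your login shell.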
284) 
285) <p>
286) When you change your Tor configuration, remember to verify that your
287) server still works correctly after the change. Be sure to set your
288) "ContactInfo" line in the torrc so we can contact you if you need to
289) upgrade or something goes wrong. If you have problems or questions, see
290) the <a href="<page documentation>#Support">Support</a> section or
291) <a href="<page contact>">contact us</a> on the tor-ops list. Thanks
292) for helping to make the Tor network grow!
293) </p>
294) 
295) <hr />
296) 
297) <p>If you have suggestions for improving this document, please <a
298) href="<page contact>">send them to us</a>. Thanks!</p>