git.schokokeks.org
Repositories
Help
Report an Issue
tor-webwml.git
Code
Commits
Branches
Tags
Suche
Strukturansicht:
ec7725c1c
Branches
Tags
bridges
docs-debian
jobs
master
press-clips
tor-webwml.git
docs
en
tor-doc-server.wml
we log your identity fingerprint on startup now, and hopefully that's easier for people to find correctly.
Roger Dingledine
commited
ec7725c1c
at 2006-10-11 22:05:06
tor-doc-server.wml
Blame
History
Raw
## translation metadata # Revision: $Revision$ #include "head.wmi" TITLE="Server Configuration Instructions" <div class="center"> <div class="main-column"> <h1>Configuring a <a href="<page index>">Tor</a> server</h1> <br /> <p> The Tor network relies on volunteers to donate bandwidth. The more people who run servers, the faster the Tor network will be. If you have at least 20 kilobytes/s each way, please help out Tor by configuring your Tor to be a server too. We have many features that make Tor servers easy and convenient, including rate limiting for bandwidth, exit policies so you can limit your exposure to abuse complaints, and support for dynamic IP addresses.</p> <p>Having servers in many different places on the Internet is what makes Tor users secure. <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerAnonymity">You may also get stronger anonymity yourself</a>, since remote sites can't know whether connections originated at your computer or were relayed from others.</p> <p>Setting up a Tor server is easy and convenient: <ul> <li>Tor has built-in support for <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate limiting</a>. Further, if you have a fast link but want to limit the number of bytes per day (or week or month) that you donate, check out the <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Hibernation">hibernation feature</a>. </li> <li>Each Tor server has an <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#RunAServerBut">exit policy</a> that specifies what sort of outbound connections are allowed or refused from that server. If you are uncomfortable allowing people to exit from your server, you can set it up to only allow connections to other Tor servers. </li> <li>It's fine if the server goes offline sometimes. The directories notice this quickly and stop advertising the server. Just try to make sure it's not too often, since connections using the server when it disconnects will break. </li> <li>We can handle servers with dynamic IPs just fine, as long as the server itself knows its IP. Have a look at this <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#DynamicIP"> entry in the FAQ</a>. </li> <li>If your server is behind a NAT and it doesn't know its public IP (e.g. it has an IP of 192.168.x.y), you'll need to set up port forwarding. Forwarding TCP connections is system dependent but <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerForFirewalledClients">this FAQ entry</a> offers some examples on how to do this. </li> <li>Your server will passively estimate and advertise its recent bandwidth capacity, so high-bandwidth servers will attract more users than low-bandwidth ones. Therefore having low-bandwidth servers is useful too. </li> </ul> <p>You can run a Tor server on pretty much any operating system, but see <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ServerOS">this FAQ entry</a> for advice about which ones work best and other problems you might encounter.</p> <hr /> <a id="zero"></a> <h2><a class="anchor" href="#zero">Step Zero: Download and Install Tor</a></h2> <br /> <p>Before you start, you need to make sure that Tor is up and running. </p> <p>For Windows users, this means at least <a href="<page docs/tor-doc-win32>#installing">step one</a> of the Windows Tor installation howto. Mac OS X users need to do at least <a href="<page docs/tor-doc-osx>#installing">step one</a> of OS X Tor installation howto. Linux/BSD/Unix users should do at least <a href="<page docs/tor-doc-unix>#installing">step one</a> of the Unix Tor installation howto. </p> <p>If it's convenient, you might also want to use it as a client for a while to make sure it's actually working.</p> <hr /> <a id="setup"></a> <h2><a class="anchor" href="#setup">Step One: Set it up as a server</a></h2> <br /> <p> 1. Verify that your clock is set correctly. If possible, synchronize your clock with public time servers. </p> <p> 2. Make sure name resolution works (that is, your computer can resolve Internet addresses correctly). </p> <p> 3. Edit the bottom part of your torrc. (See <a href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#torrc">this FAQ entry</a> for help.) Make sure to define at least Nickname and ORPort. Create the DataDirectory if necessary, and make sure it's owned by the user that will be running tor. <em>If you want to run more than one server that's great, but please set <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#MultipleServers">the MyFamily option</a> in all your servers' configuration files.</em> </p> <p> 4. If you are using a firewall, open a hole in your firewall so incoming connections can reach the ports you configured (ORPort, plus DirPort if you enabled it). Make sure you allow all outgoing connections, so your server can reach the other Tor servers. </p> <p> 5. Start your server: if you installed from source you can just run <tt>tor</tt>, whereas packages typically launch Tor from their initscripts or startup scripts. If it logs any warnings, address them. (By default Tor logs to stdout, but some packages log to <tt>/var/log/tor/</tt> or <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Logs">other locations</a>. You can edit your torrc to configure log locations.) </p> <p> 6. Subscribe to the <a href="http://archives.seul.org/or/announce/">or-announce</a> mailing list. It is very low volume, and it will keep you informed of new stable releases. You might also consider subscribing to <a href="http://archives.seul.org/or/talk/">or-talk</a> (higher volume), where new development releases are announced. </p> <p> 7. Have a look at the manual. The <a href="<page tor-manual>">manual</a> for the latest stable version provides detailed instructions for how to install and use Tor, including configuration of client and server options. If you are running the development version of Tor the manual is available <a href="<page tor-manual-dev>">here</a>. </p> <hr /> <a id="check"></a> <h2><a class="anchor" href="#check">Step Two: Make sure it's working</a></h2> <br /> <p>As soon as your server manages to connect to the network, it will try to determine whether the ports you configured are reachable from the outside. This may take up to 20 minutes. Look for a <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Logs">log entry</a> like <tt>Self-testing indicates your ORPort is reachable from the outside. Excellent.</tt> If you don't see this message, it means that your server is not reachable from the outside — you should re-check your firewalls, check that it's testing the IP and port you think it should be testing, etc. </p> <p>When it decides that it's reachable, it will upload a "server descriptor" to the directories. This will let clients know what address, ports, keys, etc your server is using. You can <a href="http://belegost.mit.edu/tor/status/authority">load the network status manually</a> and look through it to find the nickname you configured, to make sure it's there. You may need to wait a few seconds to give enough time for it to make a fresh directory.</p> <hr /> <a id="after"></a> <h2><a class="anchor" href="#after">Step Three: Once it's working</a></h2> <br /> <p> We recommend the following steps as well: </p> <p> 8. Read <a href="http://wiki.noreply.org/noreply/TheOnionRouter/OperationalSecurity">this document</a> to get ideas how you can increase the security of your server. </p> <p> 9. Decide what exit policy you want. By default your server allows access to many popular services, but we restrict some (such as port 25) due to abuse potential. You might want an exit policy that is less restrictive or more restrictive; edit your torrc appropriately. Read the FAQ entry on <a href="<page faq-abuse>#TypicalAbuses">issues you might encounter if you use the default exit policy</a>. If you choose a particularly open exit policy, you should make sure your ISP is ok with that choice. If there are any resources that your computer can't reach (for example, you are behind a restrictive firewall or content filter), please explicitly reject them in your exit policy — otherwise Tor users will be impacted too. </p> <p> 10. Decide about rate limiting. Cable modem, DSL, and other users who have asymmetric bandwidth (e.g. more down than up) should rate limit to their slower bandwidth, to avoid congestion. See the <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#LimitBandwidth">rate limiting FAQ entry</a> for details. </p> <p> 11. Back up your Tor server's private key (stored in "keys/secret_id_key" in your DataDirectory). This is your server's "identity," and you need to keep it safe so nobody can read the traffic that goes through your server. This is the critical file to keep if you need to <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#UpgradeServer">move or restore your Tor server</a> if something goes wrong. </p> <p> 12. If you control the name servers for your domain, consider setting your hostname to 'anonymous' or 'proxy' or 'tor-proxy', so when other people see the address in their web logs, they will more quickly understand what's going on. </p> <p> 13. If your computer isn't running a webserver, please consider changing your ORPort to 443 and your DirPort to 80. Many Tor users are stuck behind firewalls that only let them browse the web, and this change will let them reach your Tor server. Win32 servers can simply change their ORPort and DirPort directly in their torrc and restart Tor. OS X or Unix servers can't bind directly to these ports (since they don't run as root), so they will need to set up some sort of <a href="http://wiki.noreply.org/wiki/TheOnionRouter/TorFAQ#ServerForFirewalledClients"> port forwarding</a> so connections can reach their Tor server. If you are using ports 80 and 443 already but still want to help out, other useful ports are 22, 110, and 143. </p> <p> 14. If your Tor server provides other services on the same IP address — such as a public webserver — make sure that connections to the webserver are allowed from the local host too. You need to allow these connections because Tor clients will detect that your Tor server is the <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers">safest way to reach that webserver</a>, and always build a circuit that ends at your server. If you don't want to allow the connections, you must explicitly reject them in your exit policy. </p> <p> 15. (Unix only). Make a separate user to run the server. If you installed the OS X package or the deb or the rpm, this is already done. Otherwise, you can do it by hand. (The Tor server doesn't need to be run as root, so it's good practice to not run it as root. Running as a 'tor' user avoids issues with identd and other services that detect user name. If you're the paranoid sort, feel free to <a href="http://wiki.noreply.org/wiki/TheOnionRouter/TorInChroot">put Tor into a chroot jail</a>.) </p> <p> 16. (Unix only.) Your operating system probably limits the number of open file descriptors per process to 1024 (or even less). If you plan to be running a fast exit node, this is probably not enough. On Linux, you should add a line like "toruser hard nofile 8192" to your /etc/security/limits.conf file (where toruser is the user that runs the Tor process), and then restart Tor if it's installed as a package (or log out and log back in if you run it yourself). If that doesn't work, see <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#FileDescriptors">this FAQ entry</a> for other suggested ways to run "ulimit -n 8192" before you launch Tor. </p> <p> 17. If you installed Tor via some package or installer, it probably starts Tor for you automatically on boot. But if you installed from source, you may find the initscripts in contrib/tor.sh or contrib/torctl useful. </p> <p> When you change your Tor configuration, <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Restarting">in most cases you can reload your configuration without restarting Tor</a>, and remember to verify that your server still works correctly after the change. </p> <hr /> <a id="register"></a> <h2><a class="anchor" href="#register">Step Four: Register your nickname</a></h2> <br /> <p> Let it run a few days to make sure it's actually working and that you're happy with its level of resource use. Then you should register your server. This reserves your nickname so nobody else can take it, and lets us contact you if you need to upgrade or something goes wrong. </p> <p> Send mail to <a href="mailto:tor-ops@freehaven.net">tor-ops@freehaven.net</a> with a subject of '[New Server] <your server's nickname>' and include the following information in the message: </p> <ul> <li>Your server's nickname</li> <li>The fingerprint for your server's identity key. This is <a href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#Logs">logged</a> at startup: something like "<tt>moria1 FFCB 46DB 1339 DA84 674C 70D7 CB58 6434 C437 0441</tt>". <!-- It is also written to the "fingerprint" file in your DataDirectory. — on Windows, look in \<i>username</i>\Application Data\tor\ or \Application Data\tor\; on OS X, look in /Library/Tor/var/lib/tor/; and on Linux/BSD/Unix, look in /var/lib/tor or ~/.tor) --> </li> <li>Who you are, so we know whom to contact if a problem arises</li> <li>What kind of connectivity the new server will have</li> </ul> <hr /> <p>If you have suggestions for improving this document, please <a href="<page contact>">send them to us</a>. Thanks!</p> </div><!-- #main --> </div> #include <foot.wmi>