1TOR(1) Tor Manual TOR(1)
2
6 tor - The second-generation onion router
7
9 tor [OPTION value]...
10
12 Tor is a connection-oriented anonymizing communication service. Users
13 choose a source-routed path through a set of nodes, and negotiate a
14 "virtual circuit" through the network. Each node in a virtual circuit
15 knows its predecessor and successor nodes, but no other nodes. Traffic
16 flowing down the circuit is unwrapped by a symmetric key at each node,
17 which reveals the downstream node.
18 Basically, Tor provides a distributed network of servers or relays
20 ("onion routers"). Users bounce their TCP streams, including web
21 traffic, ftp, ssh, etc., around the network, so that recipients,
22 observers, and even the relays themselves have difficulty tracking the
23 source of the stream.
24 Note
26 By default, tor acts as a client only. To help the network by
27 providing bandwidth as a relay, change the ORPort configuration
28 option as mentioned below. Please also consult the documentation on
29 the Tor Project’s website.
30
32 Tor has a powerful command-line interface. This section lists optional
33 arguments you can specify at the command line using the tor command.
34 Configuration options can be specified on the command line in the
36 format --OptionName OptionValue, on the command line in the format
37 OptionName OptionValue, or in a configuration file. For instance, you
38 can tell Tor to start listening for SOCKS connections on port 9999 by
39 passing either --SocksPort 9999 or SocksPort 9999 on the command line,
40 or by specifying SocksPort 9999 in the configuration file. On the
41 command line, quote option values that contain spaces. For instance, if
42 you want Tor to log all debugging messages to debug.log, you must
43 specify --Log "debug file debug.log".
44 Note
46 Configuration options on the command line override those in
47 configuration files. See THE CONFIGURATION FILE FORMAT for more
48 information.
49 The following options in this section are only recognized on the tor
51 command line, not in a configuration file.
52 -h, --help
54 Display a short help message and exit.
55 -f FILE
57 Specify a new configuration file to contain further Tor
58 configuration options, or pass - to make Tor read its configuration
59 from standard input. (Default: /etc/tor/torrc, or $HOME/.torrc if
60 that file is not found)
61 --allow-missing-torrc
63 Allow the configuration file specified by -f to be missing, if the
64 defaults-torrc file (see below) is accessible.
65 --defaults-torrc FILE
67 Specify a file in which to find default values for Tor options. The
68 contents of this file are overridden by those in the regular
69 configuration file, and by those on the command line. (Default:
70 /etc/tor/torrc-defaults.)
71 --ignore-missing-torrc
73 Specify that Tor should treat a missing torrc file as though it
74 were empty. Ordinarily, Tor does this for missing default torrc
75 files, but not for those specified on the command line.
76 --hash-password PASSWORD
78 Generate a hashed password for control port access.
79 --list-fingerprint
81 Generate your keys and output your nickname and fingerprint.
82 --verify-config
84 Verify whether the configuration file is valid.
85 --dump-config short|full
87 Write a list of Tor’s configured options to standard output. When
88 the short flag is selected, only write the options that are
89 different from their default values When full is selected, write
90 every option.
91 --service install [--options command-line options]
93 Install an instance of Tor as a Windows service, with the provided
94 command-line options. Current instructions can be found at
95 https://www.torproject.org/docs/faq#NTService
96 --service remove|start|stop
98 Remove, start, or stop a configured Tor Windows service.
99 --nt-service
101 Used internally to implement a Windows service.
102 --list-torrc-options
104 List all valid options.
105 --list-deprecated-options
107 List all valid options that are scheduled to become obsolete in a
108 future version. (This is a warning, not a promise.)
109 --list-modules
111 List whether each optional module has been compiled into Tor. (Any
112 module not listed is not optional in this version of Tor.)
113 --version
115 Display Tor version and exit. The output is a single line of the
116 format "Tor version [version number]." (The version number format
117 is as specified in version-spec.txt.)
118 --quiet|--hush
120 Override the default console logging behavior. By default, Tor
121 starts out logging messages at level "notice" and higher to the
122 console. It stops doing so after it parses its configuration, if
123 the configuration tells it to log anywhere else. These options
124 override the default console logging behavior. Use the --hush
125 option if you want Tor to log only warnings and errors to the
126 console, or use the --quiet option if you want Tor not to log to
127 the console at all.
128 --keygen [--newpass]
130 Running tor --keygen creates a new ed25519 master identity key for
131 a relay, or only a fresh temporary signing key and certificate, if
132 you already have a master key. Optionally, you can encrypt the
133 master identity key with a passphrase. When Tor asks you for a
134 passphrase and you don’t want to encrypt the master key, just don’t
135 enter any passphrase when asked.
136 Use the --newpass option with --keygen only when you need to add,
139 change, or remove a passphrase on an existing ed25519 master
140 identity key. You will be prompted for the old passphrase (if any),
141 and the new passphrase (if any).
142 Note
144 When generating a master key, you may want to use
145 --DataDirectory to control where the keys and certificates will
146 be stored, and --SigningKeyLifetime to control their lifetimes.
147 See SERVER OPTIONS to learn more about the behavior of these
148 options. You must have write access to the specified
149 DataDirectory.
150 To use the generated files, you must copy them to the
151 DataDirectory/keys directory of your Tor daemon, and make sure that
152 they are owned by the user actually running the Tor daemon on your
153 system.
154 --passphrase-fd FILEDES
156 File descriptor to read the passphrase from. Note that unlike with
157 the tor-gencert program, the entire file contents are read and used
158 as the passphrase, including any trailing newlines. If the file
159 descriptor is not specified, the passphrase is read from the
160 terminal by default.
161 --key-expiration [purpose] [--format iso8601|timestamp]
163 The purpose specifies which type of key certificate to determine
164 the expiration of. The only currently recognised purpose is "sign".
165 Running tor --key-expiration sign will attempt to find your signing
168 key certificate and will output, both in the logs as well as to
169 stdout. The optional --format argument lets you specify the time
170 format. Currently, iso8601 and timestamp are supported. If --format
171 is not specified, the signing key certificate’s expiration time
172 will be in ISO-8601 format. For example, the output sent to stdout
173 will be of the form: "signing-cert-expiry: 2017-07-25 08:30:15
174 UTC". If --format timestamp is specified, the signing key
175 certificate’s expiration time will be in Unix timestamp format. For
176 example, the output sent to stdout will be of the form:
177 "signing-cert-expiry: 1500971415".
178 --dbg-...
180 Tor may support other options beginning with the string "dbg".
181 These are intended for use by developers to debug and test Tor.
182 They are not supported or guaranteed to be stable, and you should
183 probably not use them.
184
186 All configuration options in a configuration are written on a single
187 line by default. They take the form of an option name and a value, or
188 an option name and a quoted value (option value or option "value").
189 Anything after a # character is treated as a comment. Options are
190 case-insensitive. C-style escaped characters are allowed inside quoted
191 values. To split one configuration entry into multiple lines, use a
192 single backslash character (\) before the end of the line. Comments can
193 be used in such multiline entries, but they must start at the beginning
194 of a line.
195 Configuration options can be imported from files or folders using the
197 %include option with the value being a path. This path can have
198 wildcards. Wildcards are expanded first, then sorted using lexical
199 order. Then, for each matching file or folder, the following rules are
200 followed: if the path is a file, the options from the file will be
201 parsed as if they were written where the %include option is. If the
202 path is a folder, all files on that folder will be parsed following
203 lexical order. Files starting with a dot are ignored. Files in
204 subfolders are ignored. The %include option can be used recursively.
205 New configuration files or directories cannot be added to already
206 running Tor instance if Sandbox is enabled.
207 The supported wildcards are * meaning any number of characters
209 including none and ? meaning exactly one character. These characters
210 can be escaped by preceding them with a backslash, except on Windows.
211 Files starting with a dot are not matched when expanding wildcards
212 unless the starting dot is explicitly in the pattern, except on
213 Windows.
214 By default, an option on the command line overrides an option found in
216 the configuration file, and an option in a configuration file overrides
217 one in the defaults file.
218 This rule is simple for options that take a single value, but it can
220 become complicated for options that are allowed to occur more than
221 once: if you specify four SocksPorts in your configuration file, and
222 one more SocksPort on the command line, the option on the command line
223 will replace all of the SocksPorts in the configuration file. If this
224 isn’t what you want, prefix the option name with a plus sign (+), and
225 it will be appended to the previous set of options instead. For
226 example, setting SocksPort 9100 will use only port 9100, but setting
227 +SocksPort 9100 will use ports 9100 and 9050 (because this is the
228 default).
229 Alternatively, you might want to remove every instance of an option in
231 the configuration file, and not replace it at all: you might want to
232 say on the command line that you want no SocksPorts at all. To do that,
233 prefix the option name with a forward slash (/). You can use the plus
234 sign (+) and the forward slash (/) in the configuration file and on the
235 command line.
236
238 AccelDir DIR
239 Specify this option if using dynamic hardware acceleration and the
240 engine implementation library resides somewhere other than the
241 OpenSSL default. Can not be changed while tor is running.
242 AccelName NAME
244 When using OpenSSL hardware crypto acceleration attempt to load the
245 dynamic engine of this name. This must be used for any dynamic
246 hardware engine. Names can be verified with the openssl engine
247 command. Can not be changed while tor is running.
248 If the engine name is prefixed with a "!", then Tor will exit if
251 the engine cannot be loaded.
252 AlternateBridgeAuthority [nickname] [flags] ipv4address:port
254 fingerprint, AlternateDirAuthority [nickname] [flags] ipv4address:port
255 fingerprint
256 These options behave as DirAuthority, but they replace fewer of the
257 default directory authorities. Using AlternateDirAuthority replaces
258 the default Tor directory authorities, but leaves the default
259 bridge authorities in place. Similarly, AlternateBridgeAuthority
260 replaces the default bridge authority, but leaves the directory
261 authorities alone.
262 AvoidDiskWrites 0|1
264 If non-zero, try to write to disk less frequently than we would
265 otherwise. This is useful when running on flash memory or other
266 media that support only a limited number of writes. (Default: 0)
267 BandwidthBurst N
269 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
270 Limit the maximum token bucket size (also known as the burst) to
271 the given number of bytes in each direction. (Default: 1 GByte)
272 BandwidthRate N
274 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
275 A token bucket limits the average incoming bandwidth usage on this
276 node to the specified number of bytes per second, and the average
277 outgoing bandwidth usage to that same value. If you want to run a
278 relay in the public network, this needs to be at the very least 75
279 KBytes for a relay (that is, 600 kbits) or 50 KBytes for a bridge
280 (400 kbits) — but of course, more is better; we recommend at least
281 250 KBytes (2 mbits) if possible. (Default: 1 GByte)
282 Note that this option, and other bandwidth-limiting options, apply
285 to TCP data only: They do not count TCP headers or DNS traffic.
286 Tor uses powers of two, not powers of ten, so 1 GByte is
289 1024*1024*1024 bytes as opposed to 1 billion bytes.
290 With this option, and in other options that take arguments in
293 bytes, KBytes, and so on, other formats are also supported.
294 Notably, "KBytes" can also be written as "kilobytes" or "kb";
295 "MBytes" can be written as "megabytes" or "MB"; "kbits" can be
296 written as "kilobits"; and so forth. Case doesn’t matter. Tor also
297 accepts "byte" and "bit" in the singular. The prefixes "tera" and
298 "T" are also recognized. If no units are given, we default to
299 bytes. To avoid confusion, we recommend writing "bytes" or "bits"
300 explicitly, since it’s easy to forget that "B" means bytes, not
301 bits.
302 CacheDirectory DIR
304 Store cached directory data in DIR. Can not be changed while tor is
305 running. (Default: uses the value of DataDirectory.)
306 CacheDirectoryGroupReadable 0|1|auto
308 If this option is set to 0, don’t allow the filesystem group to
309 read the CacheDirectory. If the option is set to 1, make the
310 CacheDirectory readable by the default GID. If the option is
311 "auto", then we use the setting for DataDirectoryGroupReadable when
312 the CacheDirectory is the same as the DataDirectory, and 0
313 otherwise. (Default: auto)
314 CircuitPriorityHalflife NUM
316 If this value is set, we override the default algorithm for
317 choosing which circuit’s cell to deliver or relay next. It is
318 delivered first to the circuit that has the lowest weighted cell
319 count, where cells are weighted exponentially according to this
320 value (in seconds). If the value is -1, it is taken from the
321 consensus if possible else it will fallback to the default value of
322 30. Minimum: 1, Maximum: 2147483647. This can be defined as a float
323 value. This is an advanced option; you generally shouldn’t have to
324 mess with it. (Default: -1)
325 ClientTransportPlugin transport socks4|socks5 IP:PORT,
327 ClientTransportPlugin transport exec path-to-binary [options]
328 In its first form, when set along with a corresponding Bridge line,
329 the Tor client forwards its traffic to a SOCKS-speaking proxy on
330 "IP:PORT". (IPv4 addresses should written as-is; IPv6 addresses
331 should be wrapped in square brackets.) It’s the duty of that proxy
332 to properly forward the traffic to the bridge.
333 In its second form, when set along with a corresponding Bridge
336 line, the Tor client launches the pluggable transport proxy
337 executable in path-to-binary using options as its command-line
338 options, and forwards its traffic to it. It’s the duty of that
339 proxy to properly forward the traffic to the bridge. (Default:
340 none)
341 ConnLimit NUM
343 The minimum number of file descriptors that must be available to
344 the Tor process before it will start. Tor will ask the OS for as
345 many file descriptors as the OS will allow (you can find this by
346 "ulimit -H -n"). If this number is less than ConnLimit, then Tor
347 will refuse to start.
348 Tor relays need thousands of sockets, to connect to every other
351 relay. If you are running a private bridge, you can reduce the
352 number of sockets that Tor uses. For example, to limit Tor to 500
353 sockets, run "ulimit -n 500" in a shell. Then start tor in the same
354 shell, with ConnLimit 500. You may also need to set DisableOOSCheck
355 0.
356 Unless you have severely limited sockets, you probably don’t need
359 to adjust ConnLimit itself. It has no effect on Windows, since that
360 platform lacks getrlimit(). (Default: 1000)
361 ConstrainedSockets 0|1
363 If set, Tor will tell the kernel to attempt to shrink the buffers
364 for all sockets to the size specified in ConstrainedSockSize. This
365 is useful for virtual servers and other environments where system
366 level TCP buffers may be limited. If you’re on a virtual server,
367 and you encounter the "Error creating network socket: No buffer
368 space available" message, you are likely experiencing this problem.
369 The preferred solution is to have the admin increase the buffer
372 pool for the host itself via /proc/sys/net/ipv4/tcp_mem or
373 equivalent facility; this configuration option is a second-resort.
374 The DirPort option should also not be used if TCP buffers are
377 scarce. The cached directory requests consume additional sockets
378 which exacerbates the problem.
379 You should not enable this feature unless you encounter the "no
382 buffer space available" issue. Reducing the TCP buffers affects
383 window size for the TCP stream and will reduce throughput in
384 proportion to round trip time on long paths. (Default: 0)
385 ConstrainedSockSize N bytes|KBytes
387 When ConstrainedSockets is enabled the receive and transmit buffers
388 for all sockets will be set to this limit. Must be a value between
389 2048 and 262144, in 1024 byte increments. Default of 8192 is
390 recommended.
391 ControlPort [address:]port|unix:path|auto [flags]
393 If set, Tor will accept connections on this port and allow those
394 connections to control the Tor process using the Tor Control
395 Protocol (described in control-spec.txt in torspec). Note: unless
396 you also specify one or more of HashedControlPassword or
397 CookieAuthentication, setting this option will cause Tor to allow
398 any process on the local host to control it. (Setting both
399 authentication methods means either method is sufficient to
400 authenticate to Tor.) This option is required for many Tor
401 controllers; most use the value of 9051. If a unix domain socket is
402 used, you may quote the path using standard C escape sequences. You
403 can specify this directive multiple times, to bind to multiple
404 address/port pairs. Set it to "auto" to have Tor pick a port for
405 you. (Default: 0)
406 Recognized flags are:
409 GroupWritable
411 Unix domain sockets only: makes the socket get created as
412 group-writable.
413 WorldWritable
415 Unix domain sockets only: makes the socket get created as
416 world-writable.
417 RelaxDirModeCheck
419 Unix domain sockets only: Do not insist that the directory that
420 holds the socket be read-restricted.
421 ControlPortFileGroupReadable 0|1
423 If this option is set to 0, don’t allow the filesystem group to
424 read the control port file. If the option is set to 1, make the
425 control port file readable by the default GID. (Default: 0)
426 ControlPortWriteToFile Path
428 If set, Tor writes the address and port of any control port it
429 opens to this address. Usable by controllers to learn the actual
430 control port when ControlPort is set to "auto".
431 ControlSocket Path
433 Like ControlPort, but listens on a Unix domain socket, rather than
434 a TCP socket. 0 disables ControlSocket. (Unix and Unix-like
435 systems only.) (Default: 0)
436 ControlSocketsGroupWritable 0|1
438 If this option is set to 0, don’t allow the filesystem group to
439 read and write unix sockets (e.g. ControlSocket). If the option is
440 set to 1, make the control socket readable and writable by the
441 default GID. (Default: 0)
442 CookieAuthentication 0|1
444 If this option is set to 1, allow connections on the control port
445 when the connecting process knows the contents of a file named
446 "control_auth_cookie", which Tor will create in its data directory.
447 This authentication method should only be used on systems with good
448 filesystem security. (Default: 0)
449 CookieAuthFile Path
451 If set, this option overrides the default location and file name
452 for Tor’s cookie file. (See CookieAuthentication.)
453 CookieAuthFileGroupReadable 0|1
455 If this option is set to 0, don’t allow the filesystem group to
456 read the cookie file. If the option is set to 1, make the cookie
457 file readable by the default GID. [Making the file readable by
458 other groups is not yet implemented; let us know if you need this
459 for some reason.] (Default: 0)
460 CountPrivateBandwidth 0|1
462 If this option is set, then Tor’s rate-limiting applies not only to
463 remote connections, but also to connections to private addresses
464 like 127.0.0.1 or 10.0.0.1. This is mostly useful for debugging
465 rate-limiting. (Default: 0)
466 DataDirectory DIR
468 Store working data in DIR. Can not be changed while tor is running.
469 (Default: ~/.tor if your home directory is not /; otherwise,
470 /var/lib/tor. On Windows, the default is your ApplicationData
471 folder.)
472 DataDirectoryGroupReadable 0|1
474 If this option is set to 0, don’t allow the filesystem group to
475 read the DataDirectory. If the option is set to 1, make the
476 DataDirectory readable by the default GID. (Default: 0)
477 DirAuthority [nickname] [flags] ipv4address:dirport fingerprint
479 Use a nonstandard authoritative directory server at the provided
480 address and port, with the specified key fingerprint. This option
481 can be repeated many times, for multiple authoritative directory
482 servers. Flags are separated by spaces, and determine what kind of
483 an authority this directory is. By default, an authority is not
484 authoritative for any directory style or version unless an
485 appropriate flag is given.
486 Tor will use this authority as a bridge authoritative directory if
489 the "bridge" flag is set. If a flag "orport=orport" is given, Tor
490 will use the given port when opening encrypted tunnels to the
491 dirserver. If a flag "weight=num" is given, then the directory
492 server is chosen randomly with probability proportional to that
493 weight (default 1.0). If a flag "v3ident=fp" is given, the
494 dirserver is a v3 directory authority whose v3 long-term signing
495 key has the fingerprint fp. Lastly, if an
496 "ipv6=[ipv6address]:orport" flag is present, then the directory
497 authority is listening for IPv6 connections on the indicated IPv6
498 address and OR Port.
499 Tor will contact the authority at ipv4address to download directory
502 documents. Clients always use the ORPort. Relays usually use the
503 DirPort, but will use the ORPort in some circumstances. If an IPv6
504 ORPort is supplied, clients will also download directory documents
505 at the IPv6 ORPort, if they are configured to use IPv6.
506 If no DirAuthority line is given, Tor will use the default
509 directory authorities. NOTE: this option is intended for setting up
510 a private Tor network with its own directory authorities. If you
511 use it, you will be distinguishable from other users, because you
512 won’t believe the same authorities they do.
513 DirAuthorityFallbackRate NUM
515 When configured to use both directory authorities and fallback
516 directories, the directory authorities also work as fallbacks. They
517 are chosen with their regular weights, multiplied by this number,
518 which should be 1.0 or less. The default is less than 1, to reduce
519 load on authorities. (Default: 0.1)
520 DisableAllSwap 0|1
522 If set to 1, Tor will attempt to lock all current and future memory
523 pages, so that memory cannot be paged out. Windows, OS X and
524 Solaris are currently not supported. We believe that this feature
525 works on modern Gnu/Linux distributions, and that it should work on
526 *BSD systems (untested). This option requires that you start your
527 Tor as root, and you should use the User option to properly reduce
528 Tor’s privileges. Can not be changed while tor is running.
529 (Default: 0)
530 DisableDebuggerAttachment 0|1
532 If set to 1, Tor will attempt to prevent basic debugging attachment
533 attempts by other processes. This may also keep Tor from generating
534 core files if it crashes. It has no impact for users who wish to
535 attach if they have CAP_SYS_PTRACE or if they are root. We believe
536 that this feature works on modern Gnu/Linux distributions, and that
537 it may also work on *BSD systems (untested). Some modern Gnu/Linux
538 systems such as Ubuntu have the kernel.yama.ptrace_scope sysctl and
539 by default enable it as an attempt to limit the PTRACE scope for
540 all user processes by default. This feature will attempt to limit
541 the PTRACE scope for Tor specifically - it will not attempt to
542 alter the system wide ptrace scope as it may not even exist. If you
543 wish to attach to Tor with a debugger such as gdb or strace you
544 will want to set this to 0 for the duration of your debugging.
545 Normal users should leave it on. Disabling this option while Tor is
546 running is prohibited. (Default: 1)
547 DisableNetwork 0|1
549 When this option is set, we don’t listen for or accept any
550 connections other than controller connections, and we close (and
551 don’t reattempt) any outbound connections. Controllers sometimes
552 use this option to avoid using the network until Tor is fully
553 configured. Tor will make still certain network-related calls (like
554 DNS lookups) as a part of its configuration process, even if
555 DisableNetwork is set. (Default: 0)
556 ExtendByEd25519ID 0|1|auto
558 If this option is set to 1, we always try to include a relay’s
559 Ed25519 ID when telling the preceding relay in a circuit to extend
560 to it. If this option is set to 0, we never include Ed25519 IDs
561 when extending circuits. If the option is set to "auto", we obey a
562 parameter in the consensus document. (Default: auto)
563 ExtORPort [address:]port|auto
565 Open this port to listen for Extended ORPort connections from your
566 pluggable transports.
567 (Default: DataDirectory/extended_orport_auth_cookie)
569 ExtORPortCookieAuthFile Path
571 If set, this option overrides the default location and file name
572 for the Extended ORPort’s cookie file — the cookie file is needed
573 for pluggable transports to communicate through the Extended
574 ORPort.
575 ExtORPortCookieAuthFileGroupReadable 0|1
577 If this option is set to 0, don’t allow the filesystem group to
578 read the Extended OR Port cookie file. If the option is set to 1,
579 make the cookie file readable by the default GID. [Making the file
580 readable by other groups is not yet implemented; let us know if you
581 need this for some reason.] (Default: 0)
582 FallbackDir ipv4address:dirport orport=orport id=fingerprint
584 [weight=num] [ipv6=[ipv6address]:orport]
585 When tor is unable to connect to any directory cache for directory
586 info (usually because it doesn’t know about any yet) it tries a
587 hard-coded directory. Relays try one directory authority at a time.
588 Clients try multiple directory authorities and FallbackDirs, to
589 avoid hangs on startup if a hard-coded directory is down. Clients
590 wait for a few seconds between each attempt, and retry FallbackDirs
591 more often than directory authorities, to reduce the load on the
592 directory authorities.
593 FallbackDirs should be stable relays with stable IP addresses,
596 ports, and identity keys. They must have a DirPort.
597 By default, the directory authorities are also FallbackDirs.
600 Specifying a FallbackDir replaces Tor’s default hard-coded
601 FallbackDirs (if any). (See DirAuthority for an explanation of each
602 flag.)
603 FetchDirInfoEarly 0|1
605 If set to 1, Tor will always fetch directory information like other
606 directory caches, even if you don’t meet the normal criteria for
607 fetching early. Normal users should leave it off. (Default: 0)
608 FetchDirInfoExtraEarly 0|1
610 If set to 1, Tor will fetch directory information before other
611 directory caches. It will attempt to download directory information
612 closer to the start of the consensus period. Normal users should
613 leave it off. (Default: 0)
614 FetchHidServDescriptors 0|1
616 If set to 0, Tor will never fetch any hidden service descriptors
617 from the rendezvous directories. This option is only useful if
618 you’re using a Tor controller that handles hidden service fetches
619 for you. (Default: 1)
620 FetchServerDescriptors 0|1
622 If set to 0, Tor will never fetch any network status summaries or
623 server descriptors from the directory servers. This option is only
624 useful if you’re using a Tor controller that handles directory
625 fetches for you. (Default: 1)
626 FetchUselessDescriptors 0|1
628 If set to 1, Tor will fetch every consensus flavor, and all server
629 descriptors and authority certificates referenced by those
630 consensuses, except for extra info descriptors. When this option is
631 1, Tor will also keep fetching descriptors, even when idle. If set
632 to 0, Tor will avoid fetching useless descriptors: flavors that it
633 is not using to build circuits, and authority certificates it does
634 not trust. When Tor hasn’t built any application circuits, it will
635 go idle, and stop fetching descriptors. This option is useful if
636 you’re using a tor client with an external parser that uses a full
637 consensus. This option fetches all documents except extrainfo
638 descriptors, DirCache fetches and serves all documents except
639 extrainfo descriptors, DownloadExtraInfo* fetches extrainfo
640 documents, and serves them if DirCache is on, and
641 UseMicrodescriptors changes the flavor of consensuses and
642 descriptors that is fetched and used for building circuits.
643 (Default: 0)
644 HardwareAccel 0|1
646 If non-zero, try to use built-in (static) crypto hardware
647 acceleration when available. Can not be changed while tor is
648 running. (Default: 0)
649 HashedControlPassword hashed_password
651 Allow connections on the control port if they present the password
652 whose one-way hash is hashed_password. You can compute the hash of
653 a password by running "tor --hash-password password". You can
654 provide several acceptable passwords by using more than one
655 HashedControlPassword line.
656 HTTPProxy host[:port]
658 Tor will make all its directory requests through this host:port (or
659 host:80 if port is not specified), rather than connecting directly
660 to any directory servers. (DEPRECATED: As of 0.3.1.0-alpha you
661 should use HTTPSProxy.)
662 HTTPProxyAuthenticator username:password
664 If defined, Tor will use this username:password for Basic HTTP
665 proxy authentication, as in RFC 2617. This is currently the only
666 form of HTTP proxy authentication that Tor supports; feel free to
667 submit a patch if you want it to support others. (DEPRECATED: As of
668 0.3.1.0-alpha you should use HTTPSProxyAuthenticator.)
669 HTTPSProxy host[:port]
671 Tor will make all its OR (SSL) connections through this host:port
672 (or host:443 if port is not specified), via HTTP CONNECT rather
673 than connecting directly to servers. You may want to set
674 FascistFirewall to restrict the set of ports you might try to
675 connect to, if your HTTPS proxy only allows connecting to certain
676 ports.
677 HTTPSProxyAuthenticator username:password
679 If defined, Tor will use this username:password for Basic HTTPS
680 proxy authentication, as in RFC 2617. This is currently the only
681 form of HTTPS proxy authentication that Tor supports; feel free to
682 submit a patch if you want it to support others.
683 KeepalivePeriod NUM
685 To keep firewalls from expiring connections, send a padding
686 keepalive cell every NUM seconds on open connections that are in
687 use. (Default: 5 minutes)
688 KeepBindCapabilities 0|1|auto
690 On Linux, when we are started as root and we switch our identity
691 using the User option, the KeepBindCapabilities option tells us
692 whether to try to retain our ability to bind to low ports. If this
693 value is 1, we try to keep the capability; if it is 0 we do not;
694 and if it is auto, we keep the capability only if we are configured
695 to listen on a low port. Can not be changed while tor is running.
696 (Default: auto.)
697 Log minSeverity[-maxSeverity] stderr|stdout|syslog
699 Send all messages between minSeverity and maxSeverity to the
700 standard output stream, the standard error stream, or to the system
701 log. (The "syslog" value is only supported on Unix.) Recognized
702 severity levels are debug, info, notice, warn, and err. We advise
703 using "notice" in most cases, since anything more verbose may
704 provide sensitive information to an attacker who obtains the logs.
705 If only one severity level is given, all messages of that level or
706 higher will be sent to the listed destination.
707 Some low-level logs may be sent from signal handlers, so their
710 destination logs must be signal-safe. These low-level logs include
711 backtraces, logging function errors, and errors in code called by
712 logging functions. Signal-safe logs are always sent to stderr or
713 stdout. They are also sent to a limited number of log files that
714 are configured to log messages at error severity from the bug or
715 general domains. They are never sent as syslogs, control port log
716 events, or to any API-based log destinations.
717 Log minSeverity[-maxSeverity] file FILENAME
719 As above, but send log messages to the listed filename. The "Log"
720 option may appear more than once in a configuration file. Messages
721 are sent to all the logs that match their severity level.
722 Log [domain,...]minSeverity[-maxSeverity] ... file FILENAME
724 Log [domain,...]minSeverity[-maxSeverity] ... stderr|stdout|syslog
726 As above, but select messages by range of log severity and by a set
727 of "logging domains". Each logging domain corresponds to an area of
728 functionality inside Tor. You can specify any number of severity
729 ranges for a single log statement, each of them prefixed by a
730 comma-separated list of logging domains. You can prefix a domain
731 with ~ to indicate negation, and use * to indicate "all domains".
732 If you specify a severity range without a list of domains, it
733 matches all domains.
734 This is an advanced feature which is most useful for debugging one
737 or two of Tor’s subsystems at a time.
738 The currently recognized domains are: general, crypto, net, config,
741 fs, protocol, mm, http, app, control, circ, rend, bug, dir,
742 dirserv, or, edge, acct, hist, handshake, heartbeat, channel,
743 sched, guard, consdiff, dos, process, pt, btrack, and mesg. Domain
744 names are case-insensitive.
745 For example, "Log [handshake]debug [~net,~mm]info notice stdout"
748 sends to stdout: all handshake messages of any severity, all
749 info-and-higher messages from domains other than networking and
750 memory management, and all messages of severity notice or higher.
751 LogMessageDomains 0|1
753 If 1, Tor includes message domains with each log message. Every log
754 message currently has at least one domain; most currently have
755 exactly one. This doesn’t affect controller log messages. (Default:
756 0)
757 LogTimeGranularity NUM
759 Set the resolution of timestamps in Tor’s logs to NUM milliseconds.
760 NUM must be positive and either a divisor or a multiple of 1
761 second. Note that this option only controls the granularity written
762 by Tor to a file or console log. Tor does not (for example) "batch
763 up" log messages to affect times logged by a controller, times
764 attached to syslog messages, or the mtime fields on log files.
765 (Default: 1 second)
766 MaxAdvertisedBandwidth N
768 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
769 If set, we will not advertise more than this amount of bandwidth
770 for our BandwidthRate. Server operators who want to reduce the
771 number of clients who ask to build circuits through them (since
772 this is proportional to advertised bandwidth rate) can thus reduce
773 the CPU demands on their server without impacting network
774 performance.
775 MaxUnparseableDescSizeToLog N bytes|KBytes|MBytes|GBytes|TBytes
777 Unparseable descriptors (e.g. for votes, consensuses, routers) are
778 logged in separate files by hash, up to the specified size in
779 total. Note that only files logged during the lifetime of this Tor
780 process count toward the total; this is intended to be used to
781 debug problems without opening live servers to resource exhaustion
782 attacks. (Default: 10 MBytes)
783 MetricsPort [address:]port [format]
785 WARNING: Before enabling this, it is important to understand that
786 exposing tor metrics publicly is dangerous to the Tor network
787 users. Please take extra precaution and care when opening this
788 port. Set a very strict access policy with MetricsPortPolicy and
789 consider using your operating systems firewall features for defense
790 in depth.
791 We recommend, for the prometheus format, that the only address that
793 can access this port should be the Prometheus server itself.
794 Remember that the connection is unencrypted (HTTP) hence consider
795 using a tool like stunnel to secure the link from this port to the
796 server.
797 If set, open this port to listen for an HTTP GET request to
799 "/metrics". Upon a request, the collected metrics in the the tor
800 instance are formatted for the given format and then sent back. If
801 this is set, MetricsPortPolicy must be defined else every request
802 will be rejected.
803 Supported format is "prometheus" which is also the default if not
805 set. The Prometheus data model can be found here:
806 https://prometheus.io/docs/concepts/data_model/
807 The tor metrics are constantly collected and they solely consists
809 of counters. Thus, asking for those metrics is very lightweight on
810 the tor process. (Default: None)
811 As an example, here only 5.6.7.8 will be allowed to connect:
813 MetricsPort 1.2.3.4:9035
815 MetricsPortPolicy accept 5.6.7.8
816 MetricsPortPolicy policy,policy,...
818 Set an entrance policy for the MetricsPort, to limit who can access
819 it. The policies have the same form as exit policies below, except
820 that port specifiers are ignored. For multiple entries, this line
821 can be used multiple times. It is a reject all by default policy.
822 (Default: None)
823 Please, keep in mind here that if the server collecting metrics on
825 the MetricsPort is behind a NAT, then everything behind it can
826 access it. This is similar for the case of allowing localhost,
827 every users on the server will be able to access it. Again,
828 strongly consider using a tool like stunnel to secure the link or
829 to strengthen access control.
830 NoExec 0|1
832 If this option is set to 1, then Tor will never launch another
833 executable, regardless of the settings of ClientTransportPlugin or
834 ServerTransportPlugin. Once this option has been set to 1, it
835 cannot be set back to 0 without restarting Tor. (Default: 0)
836 OutboundBindAddress IP
838 Make all outbound connections originate from the IP address
839 specified. This is only useful when you have multiple network
840 interfaces, and you want all of Tor’s outgoing connections to use a
841 single one. This option may be used twice, once with an IPv4
842 address and once with an IPv6 address. IPv6 addresses should be
843 wrapped in square brackets. This setting will be ignored for
844 connections to the loopback addresses (127.0.0.0/8 and ::1), and is
845 not used for DNS requests as well.
846 OutboundBindAddressExit IP
848 Make all outbound exit connections originate from the IP address
849 specified. This option overrides OutboundBindAddress for the same
850 IP version. This option may be used twice, once with an IPv4
851 address and once with an IPv6 address. IPv6 addresses should be
852 wrapped in square brackets. This setting will be ignored for
853 connections to the loopback addresses (127.0.0.0/8 and ::1).
854 OutboundBindAddressOR IP
856 Make all outbound non-exit (relay and other) connections originate
857 from the IP address specified. This option overrides
858 OutboundBindAddress for the same IP version. This option may be
859 used twice, once with an IPv4 address and once with an IPv6
860 address. IPv6 addresses should be wrapped in square brackets. This
861 setting will be ignored for connections to the loopback addresses
862 (127.0.0.0/8 and ::1).
863 __OwningControllerProcess PID
865 Make Tor instance periodically check for presence of a controller
866 process with given PID and terminate itself if this process is no
867 longer alive. Polling interval is 15 seconds.
868 PerConnBWBurst N
870 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
871 If this option is set manually, or via the "perconnbwburst"
872 consensus field, Tor will use it for separate rate limiting for
873 each connection from a non-relay. (Default: 0)
874 PerConnBWRate N
876 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
877 If this option is set manually, or via the "perconnbwrate"
878 consensus field, Tor will use it for separate rate limiting for
879 each connection from a non-relay. (Default: 0)
880 OutboundBindAddressPT IP
882 Request that pluggable transports makes all outbound connections
883 originate from the IP address specified. Because outgoing
884 connections are handled by the pluggable transport itself, it is
885 not possible for Tor to enforce whether the pluggable transport
886 honors this option. This option overrides OutboundBindAddress for
887 the same IP version. This option may be used twice, once with an
888 IPv4 address and once with an IPv6 address. IPv6 addresses should
889 be wrapped in square brackets. This setting will be ignored for
890 connections to the loopback addresses (127.0.0.0/8 and ::1).
891 PidFile FILE
893 On startup, write our PID to FILE. On clean shutdown, remove FILE.
894 Can not be changed while tor is running.
895 ProtocolWarnings 0|1
897 If 1, Tor will log with severity 'warn' various cases of other
898 parties not following the Tor specification. Otherwise, they are
899 logged with severity 'info'. (Default: 0)
900 RelayBandwidthBurst N
902 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
903 If not 0, limit the maximum token bucket size (also known as the
904 burst) for _relayed traffic_ to the given number of bytes in each
905 direction. They do not include directory fetches by the relay (from
906 authority or other relays), because that is considered "client"
907 activity. (Default: 0)
908 RelayBandwidthRate N
910 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
911 If not 0, a separate token bucket limits the average incoming
912 bandwidth usage for _relayed traffic_ on this node to the specified
913 number of bytes per second, and the average outgoing bandwidth
914 usage to that same value. Relayed traffic currently is calculated
915 to include answers to directory requests, but that may change in
916 future versions. They do not include directory fetches by the relay
917 (from authority or other relays), because that is considered
918 "client" activity. (Default: 0)
919 RephistTrackTime N seconds|minutes|hours|days|weeks
921 Tells an authority, or other node tracking node reliability and
922 history, that fine-grained information about nodes can be discarded
923 when it hasn’t changed for a given amount of time. (Default: 24
924 hours)
925 RunAsDaemon 0|1
927 If 1, Tor forks and daemonizes to the background. This option has
928 no effect on Windows; instead you should use the --service
929 command-line option. Can not be changed while tor is running.
930 (Default: 0)
931 SafeLogging 0|1|relay
933 Tor can scrub potentially sensitive strings from log messages (e.g.
934 addresses) by replacing them with the string [scrubbed]. This way
935 logs can still be useful, but they don’t leave behind personally
936 identifying information about what sites a user might have visited.
937 If this option is set to 0, Tor will not perform any scrubbing, if
940 it is set to 1, all potentially sensitive strings are replaced. If
941 it is set to relay, all log messages generated when acting as a
942 relay are sanitized, but all messages generated when acting as a
943 client are not. Note: Tor may not heed this option when logging at
944 log levels below Notice. (Default: 1)
945 Sandbox 0|1
947 If set to 1, Tor will run securely through the use of a syscall
948 sandbox. Otherwise the sandbox will be disabled. The option only
949 works on Linux-based operating systems, and only when Tor has been
950 built with the libseccomp library. Note that this option may be
951 incompatible with some versions of libc, and some kernel versions.
952 This option can not be changed while tor is running.
953 When the Sandbox is 1, the following options can not be changed
956 when tor is running: Address, ConnLimit, CookieAuthFile,
957 DirPortFrontPage, ExtORPortCookieAuthFile, Logs,
958 ServerDNSResolvConfFile, ClientOnionAuthDir (and any files in it
959 won’t reload on HUP signal).
960 Launching new Onion Services through the control port is not
963 supported with current syscall sandboxing implementation.
964 Tor must remain in client or server mode (some changes to
967 ClientOnly and ORPort are not allowed). Currently, if Sandbox is 1,
968 ControlPort command "GETINFO address" will not work.
969 When using %include in the tor configuration files, reloading the
972 tor configuration is not supported after adding new configuration
973 files or directories.
974 (Default: 0)
977 Schedulers KIST|KISTLite|Vanilla
979 Specify the scheduler type that tor should use. The scheduler is
980 responsible for moving data around within a Tor process. This is an
981 ordered list by priority which means that the first value will be
982 tried first and if unavailable, the second one is tried and so on.
983 It is possible to change these values at runtime. This option
984 mostly effects relays, and most operators should leave it set to
985 its default value. (Default: KIST,KISTLite,Vanilla)
986 The possible scheduler types are:
989 KIST: Kernel-Informed Socket Transport. Tor will use TCP
991 information from the kernel to make informed decisions regarding
992 how much data to send and when to send it. KIST also handles
993 traffic in batches (see KISTSchedRunInterval) in order to improve
994 traffic prioritization decisions. As implemented, KIST will only
995 work on Linux kernel version 2.6.39 or higher.
996 KISTLite: Same as KIST but without kernel support. Tor will use all
999 the same mechanics as with KIST, including the batching, but its
1000 decisions regarding how much data to send will not be as good.
1001 KISTLite will work on all kernels and operating systems, and the
1002 majority of the benefits of KIST are still realized with KISTLite.
1003 Vanilla: The scheduler that Tor used before KIST was implemented.
1006 It sends as much data as possible, as soon as possible. Vanilla
1007 will work on all kernels and operating systems.
1008 KISTSchedRunInterval NUM msec
1010 If KIST or KISTLite is used in the Schedulers option, this controls
1011 at which interval the scheduler tick is. If the value is 0 msec,
1012 the value is taken from the consensus if possible else it will
1013 fallback to the default 10 msec. Maximum possible value is 100
1014 msec. (Default: 0 msec)
1015 KISTSockBufSizeFactor NUM
1017 If KIST is used in Schedulers, this is a multiplier of the
1018 per-socket limit calculation of the KIST algorithm. (Default: 1.0)
1019 ServerTransportListenAddr transport IP:PORT
1021 When this option is set, Tor will suggest IP:PORT as the listening
1022 address of any pluggable transport proxy that tries to launch
1023 transport. (IPv4 addresses should written as-is; IPv6 addresses
1024 should be wrapped in square brackets.) (Default: none)
1025 ServerTransportOptions transport k=v k=v ...
1027 When this option is set, Tor will pass the k=v parameters to any
1028 pluggable transport proxy that tries to launch transport.
1029 (Example: ServerTransportOptions obfs45 shared-secret=bridgepasswd
1031 cache=/var/lib/tor/cache) (Default: none)
1032 ServerTransportPlugin transport exec path-to-binary [options]
1034 The Tor relay launches the pluggable transport proxy in
1035 path-to-binary using options as its command-line options, and
1036 expects to receive proxied client traffic from it. (Default: none)
1037 Socks4Proxy host[:port]
1039 Tor will make all OR connections through the SOCKS 4 proxy at
1040 host:port (or host:1080 if port is not specified).
1041 Socks5Proxy host[:port]
1043 Tor will make all OR connections through the SOCKS 5 proxy at
1044 host:port (or host:1080 if port is not specified).
1045 Socks5ProxyUsername username
1047 Socks5ProxyPassword password
1049 If defined, authenticate to the SOCKS 5 server using username and
1050 password in accordance to RFC 1929. Both username and password must
1051 be between 1 and 255 characters.
1052 SyslogIdentityTag tag
1054 When logging to syslog, adds a tag to the syslog identity such that
1055 log entries are marked with "Tor-tag". Can not be changed while tor
1056 is running. (Default: none)
1057 TCPProxy protocol host:port
1059 Tor will use the given protocol to make all its OR (SSL)
1060 connections through a TCP proxy on host:port, rather than
1061 connecting directly to servers. You may want to set FascistFirewall
1062 to restrict the set of ports you might try to connect to, if your
1063 proxy only allows connecting to certain ports. There is no
1064 equivalent option for directory connections, because all Tor client
1065 versions that support this option download directory documents via
1066 OR connections.
1067 The only protocol supported right now 'haproxy'. This option is only for
1070 clients. (Default: none) +
1071 The HAProxy version 1 proxy protocol is described in detail at
1073 https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt +
1074 Both source IP address and source port will be set to zero.
1076 TruncateLogFile 0|1
1078 If 1, Tor will overwrite logs at startup and in response to a HUP
1079 signal, instead of appending to them. (Default: 0)
1080 UnixSocksGroupWritable 0|1
1082 If this option is set to 0, don’t allow the filesystem group to
1083 read and write unix sockets (e.g. SocksPort unix:). If the option
1084 is set to 1, make the Unix socket readable and writable by the
1085 default GID. (Default: 0)
1086 UseDefaultFallbackDirs 0|1
1088 Use Tor’s default hard-coded FallbackDirs (if any). (When a
1089 FallbackDir line is present, it replaces the hard-coded
1090 FallbackDirs, regardless of the value of UseDefaultFallbackDirs.)
1091 (Default: 1)
1092 User Username
1094 On startup, setuid to this user and setgid to their primary group.
1095 Can not be changed while tor is running.
1096
1098 The following options are useful only for clients (that is, if
1099 SocksPort, HTTPTunnelPort, TransPort, DNSPort, or NATDPort is
1100 non-zero):
1101 AllowNonRFC953Hostnames 0|1
1103 When this option is disabled, Tor blocks hostnames containing
1104 illegal characters (like @ and :) rather than sending them to an
1105 exit node to be resolved. This helps trap accidental attempts to
1106 resolve URLs and so on. (Default: 0)
1107 AutomapHostsOnResolve 0|1
1109 When this option is enabled, and we get a request to resolve an
1110 address that ends with one of the suffixes in AutomapHostsSuffixes,
1111 we map an unused virtual address to that address, and return the
1112 new virtual address. This is handy for making ".onion" addresses
1113 work with applications that resolve an address and then connect to
1114 it. (Default: 0)
1115 AutomapHostsSuffixes SUFFIX,SUFFIX,...
1117 A comma-separated list of suffixes to use with
1118 AutomapHostsOnResolve. The "." suffix is equivalent to "all
1119 addresses." (Default: .exit,.onion).
1120 Bridge [transport] IP:ORPort [fingerprint]
1122 When set along with UseBridges, instructs Tor to use the relay at
1123 "IP:ORPort" as a "bridge" relaying into the Tor network. If
1124 "fingerprint" is provided (using the same format as for
1125 DirAuthority), we will verify that the relay running at that
1126 location has the right fingerprint. We also use fingerprint to look
1127 up the bridge descriptor at the bridge authority, if it’s provided
1128 and if UpdateBridgesFromAuthority is set too.
1129 If "transport" is provided, it must match a ClientTransportPlugin
1132 line. We then use that pluggable transport’s proxy to transfer data
1133 to the bridge, rather than connecting to the bridge directly. Some
1134 transports use a transport-specific method to work out the remote
1135 address to connect to. These transports typically ignore the
1136 "IP:ORPort" specified in the bridge line.
1137 Tor passes any "key=val" settings to the pluggable transport proxy
1140 as per-connection arguments when connecting to the bridge. Consult
1141 the documentation of the pluggable transport for details of what
1142 arguments it supports.
1143 CircuitPadding 0|1
1145 If set to 0, Tor will not pad client circuits with additional cover
1146 traffic. Only clients may set this option. This option should be
1147 offered via the UI to mobile users for use where bandwidth may be
1148 expensive. If set to 1, padding will be negotiated as per the
1149 consensus and relay support (unlike ConnectionPadding,
1150 CircuitPadding cannot be force-enabled). (Default: 1)
1151 ReducedCircuitPadding 0|1
1153 If set to 1, Tor will only use circuit padding algorithms that have
1154 low overhead. Only clients may set this option. This option should
1155 be offered via the UI to mobile users for use where bandwidth may
1156 be expensive. (Default: 0)
1157 ClientBootstrapConsensusAuthorityDownloadInitialDelay N
1159 Initial delay in seconds for when clients should download
1160 consensuses from authorities if they are bootstrapping (that is,
1161 they don’t have a usable, reasonably live consensus). Only used by
1162 clients fetching from a list of fallback directory mirrors. This
1163 schedule is advanced by (potentially concurrent) connection
1164 attempts, unlike other schedules, which are advanced by connection
1165 failures. (Default: 6)
1166 ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay N
1168 Initial delay in seconds for when clients should download
1169 consensuses from authorities if they are bootstrapping (that is,
1170 they don’t have a usable, reasonably live consensus). Only used by
1171 clients which don’t have or won’t fetch from a list of fallback
1172 directory mirrors. This schedule is advanced by (potentially
1173 concurrent) connection attempts, unlike other schedules, which are
1174 advanced by connection failures. (Default: 0)
1175 ClientBootstrapConsensusFallbackDownloadInitialDelay N
1177 Initial delay in seconds for when clients should download
1178 consensuses from fallback directory mirrors if they are
1179 bootstrapping (that is, they don’t have a usable, reasonably live
1180 consensus). Only used by clients fetching from a list of fallback
1181 directory mirrors. This schedule is advanced by (potentially
1182 concurrent) connection attempts, unlike other schedules, which are
1183 advanced by connection failures. (Default: 0)
1184 ClientBootstrapConsensusMaxInProgressTries NUM
1186 Try this many simultaneous connections to download a consensus
1187 before waiting for one to complete, timeout, or error out.
1188 (Default: 3)
1189 ClientDNSRejectInternalAddresses 0|1
1191 If true, Tor does not believe any anonymously retrieved DNS answer
1192 that tells it that an address resolves to an internal address (like
1193 127.0.0.1 or 192.168.0.1). This option prevents certain
1194 browser-based attacks; it is not allowed to be set on the default
1195 network. (Default: 1)
1196 ClientOnionAuthDir path
1198 Path to the directory containing v3 hidden service authorization
1199 files. Each file is for a single onion address, and the files MUST
1200 have the suffix ".auth_private" (i.e. "bob_onion.auth_private").
1201 The content format MUST be:
1202 <onion-address>:descriptor:x25519:<base32-encoded-privkey>
1204 The <onion-address> MUST NOT have the ".onion" suffix. The
1206 <base32-encoded-privkey> is the base32 representation of the raw
1207 key bytes only (32 bytes for x25519). See Appendix G in the
1208 rend-spec-v3.txt file of torspec for more information.
1209 ClientOnly 0|1
1211 If set to 1, Tor will not run as a relay or serve directory
1212 requests, even if the ORPort, ExtORPort, or DirPort options are
1213 set. (This config option is mostly unnecessary: we added it back
1214 when we were considering having Tor clients auto-promote themselves
1215 to being relays if they were stable and fast enough. The current
1216 behavior is simply that Tor is a client unless ORPort, ExtORPort,
1217 or DirPort are configured.) (Default: 0)
1218 ClientPreferIPv6DirPort 0|1|auto
1220 If this option is set to 1, Tor prefers a directory port with an
1221 IPv6 address over one with IPv4, for direct connections, if a given
1222 directory server has both. (Tor also prefers an IPv6 DirPort if
1223 IPv4Client is set to 0.) If this option is set to auto, clients
1224 prefer IPv4. Other things may influence the choice. This option
1225 breaks a tie to the favor of IPv6. (Default: auto) (DEPRECATED:
1226 This option has had no effect for some time.)
1227 ClientPreferIPv6ORPort 0|1|auto
1229 If this option is set to 1, Tor prefers an OR port with an IPv6
1230 address over one with IPv4 if a given entry node has both. (Tor
1231 also prefers an IPv6 ORPort if IPv4Client is set to 0.) If this
1232 option is set to auto, Tor bridge clients prefer the configured
1233 bridge address, and other clients prefer IPv4. Other things may
1234 influence the choice. This option breaks a tie to the favor of
1235 IPv6. (Default: auto)
1236 ClientRejectInternalAddresses 0|1
1238 If true, Tor does not try to fulfill requests to connect to an
1239 internal address (like 127.0.0.1 or 192.168.0.1) unless an exit
1240 node is specifically requested (for example, via a .exit hostname,
1241 or a controller request). If true, multicast DNS hostnames for
1242 machines on the local network (of the form *.local) are also
1243 rejected. (Default: 1)
1244 ClientUseIPv4 0|1
1246 If this option is set to 0, Tor will avoid connecting to directory
1247 servers and entry nodes over IPv4. Note that clients with an IPv4
1248 address in a Bridge, proxy, or pluggable transport line will try
1249 connecting over IPv4 even if ClientUseIPv4 is set to 0. (Default:
1250 1)
1251 ClientUseIPv6 0|1
1253 If this option is set to 1, Tor might connect to directory servers
1254 or entry nodes over IPv6. For IPv6 only hosts, you need to also set
1255 ClientUseIPv4 to 0 to disable IPv4. Note that clients configured
1256 with an IPv6 address in a Bridge, proxy, or pluggable transportline
1257 will try connecting over IPv6 even if ClientUseIPv6 is set to 0.
1258 (Default: 0)
1259 ConnectionPadding 0|1|auto
1261 This option governs Tor’s use of padding to defend against some
1262 forms of traffic analysis. If it is set to auto, Tor will send
1263 padding only if both the client and the relay support it. If it is
1264 set to 0, Tor will not send any padding cells. If it is set to 1,
1265 Tor will still send padding for client connections regardless of
1266 relay support. Only clients may set this option. This option should
1267 be offered via the UI to mobile users for use where bandwidth may
1268 be expensive. (Default: auto)
1269 ReducedConnectionPadding 0|1
1271 If set to 1, Tor will not not hold OR connections open for very
1272 long, and will send less padding on these connections. Only clients
1273 may set this option. This option should be offered via the UI to
1274 mobile users for use where bandwidth may be expensive. (Default: 0)
1275 DNSPort [address:]port|auto [isolation flags]
1277 If non-zero, open this port to listen for UDP DNS requests, and
1278 resolve them anonymously. This port only handles A, AAAA, and PTR
1279 requests---it doesn’t handle arbitrary DNS request types. Set the
1280 port to "auto" to have Tor pick a port for you. This directive can
1281 be specified multiple times to bind to multiple addresses/ports.
1282 See SocksPort for an explanation of isolation flags. (Default: 0)
1283 DownloadExtraInfo 0|1
1285 If true, Tor downloads and caches "extra-info" documents. These
1286 documents contain information about servers other than the
1287 information in their regular server descriptors. Tor does not use
1288 this information for anything itself; to save bandwidth, leave this
1289 option turned off. (Default: 0)
1290 EnforceDistinctSubnets 0|1
1292 If 1, Tor will not put two servers whose IP addresses are "too
1293 close" on the same circuit. Currently, two addresses are "too
1294 close" if they lie in the same /16 range. (Default: 1)
1295 FascistFirewall 0|1
1297 If 1, Tor will only create outgoing connections to ORs running on
1298 ports that your firewall allows (defaults to 80 and 443; see
1299 FirewallPorts). This will allow you to run Tor as a client behind a
1300 firewall with restrictive policies, but will not allow you to run
1301 as a server behind such a firewall. If you prefer more fine-grained
1302 control, use ReachableAddresses instead.
1303 FirewallPorts PORTS
1305 A list of ports that your firewall allows you to connect to. Only
1306 used when FascistFirewall is set. This option is deprecated; use
1307 ReachableAddresses instead. (Default: 80, 443)
1308 HidServAuth onion-address auth-cookie [service-name]
1310 Client authorization for a v2 hidden service. Valid onion addresses
1311 contain 16 characters in a-z2-7 plus ".onion", and valid auth
1312 cookies contain 22 characters in A-Za-z0-9+/. The service name is
1313 only used for internal purposes, e.g., for Tor controllers. This
1314 option may be used multiple times for different hidden services. If
1315 a hidden service uses authorization and this option is not set, the
1316 hidden service is not accessible. Hidden services can be configured
1317 to require authorization using the HiddenServiceAuthorizeClient
1318 option.
1319 HTTPTunnelPort [address:]port|auto [isolation flags]
1321 Open this port to listen for proxy connections using the "HTTP
1322 CONNECT" protocol instead of SOCKS. Set this to 0 if you don’t want
1323 to allow "HTTP CONNECT" connections. Set the port to "auto" to have
1324 Tor pick a port for you. This directive can be specified multiple
1325 times to bind to multiple addresses/ports. If multiple entries of
1326 this option are present in your configuration file, Tor will
1327 perform stream isolation between listeners by default. See
1328 SocksPort for an explanation of isolation flags. (Default: 0)
1329 LongLivedPorts PORTS
1331 A list of ports for services that tend to have long-running
1332 connections (e.g. chat and interactive shells). Circuits for
1333 streams that use these ports will contain only high-uptime nodes,
1334 to reduce the chance that a node will go down before the stream is
1335 finished. Note that the list is also honored for circuits (both
1336 client and service side) involving hidden services whose virtual
1337 port is in this list. (Default: 21, 22, 706, 1863, 5050, 5190,
1338 5222, 5223, 6523, 6667, 6697, 8300)
1339 MapAddress address newaddress
1341 When a request for address arrives to Tor, it will transform to
1342 newaddress before processing it. For example, if you always want
1343 connections to www.example.com to exit via torserver (where
1344 torserver is the fingerprint of the server), use "MapAddress
1345 www.example.com www.example.com.torserver.exit". If the value is
1346 prefixed with a "*.", matches an entire domain. For example, if you
1347 always want connections to example.com and any if its subdomains to
1348 exit via torserver (where torserver is the fingerprint of the
1349 server), use "MapAddress *.example.com
1350 *.example.com.torserver.exit". (Note the leading "*." in each part
1351 of the directive.) You can also redirect all subdomains of a domain
1352 to a single address. For example, "MapAddress *.example.com
1353 www.example.com". If the specified exit is not available, or the
1354 exit can not connect to the site, Tor will fail any connections to
1355 the mapped address.+
1356 NOTES:
1358 1. When evaluating MapAddress expressions Tor stops when it hits
1360 the most recently added expression that matches the requested
1361 address. So if you have the following in your torrc,
1362 www.torproject.org will map to 198.51.100.1:
1363 MapAddress www.torproject.org 192.0.2.1
1365 MapAddress www.torproject.org 198.51.100.1
1366 2. Tor evaluates the MapAddress configuration until it finds no
1368 matches. So if you have the following in your torrc,
1369 www.torproject.org will map to 203.0.113.1:
1370 MapAddress 198.51.100.1 203.0.113.1
1372 MapAddress www.torproject.org 198.51.100.1
1373 3. The following MapAddress expression is invalid (and will be
1375 ignored) because you cannot map from a specific address to a
1376 wildcard address:
1377 MapAddress www.torproject.org *.torproject.org.torserver.exit
1379 4. Using a wildcard to match only part of a string (as in
1381 *ample.com) is also invalid.
1382 5. Tor maps hostnames and IP addresses separately. If you
1384 MapAddress a DNS name, but use an IP address to connect, then
1385 Tor will ignore the DNS name mapping.
1386 6. MapAddress does not apply to redirects in the application
1388 protocol. For example, HTTP redirects and alt-svc headers will
1389 ignore mappings for the original address. You can use a
1390 wildcard mapping to handle redirects within the same site.
1391 MaxCircuitDirtiness NUM
1393 Feel free to reuse a circuit that was first used at most NUM
1394 seconds ago, but never attach a new stream to a circuit that is too
1395 old. For hidden services, this applies to the last time a circuit
1396 was used, not the first. Circuits with streams constructed with
1397 SOCKS authentication via SocksPorts that have
1398 KeepAliveIsolateSOCKSAuth also remain alive for MaxCircuitDirtiness
1399 seconds after carrying the last such stream. (Default: 10 minutes)
1400 MaxClientCircuitsPending NUM
1402 Do not allow more than NUM circuits to be pending at a time for
1403 handling client streams. A circuit is pending if we have begun
1404 constructing it, but it has not yet been completely constructed.
1405 (Default: 32)
1406 NATDPort [address:]port|auto [isolation flags]
1408 Open this port to listen for connections from old versions of ipfw
1409 (as included in old versions of FreeBSD, etc) using the NATD
1410 protocol. Use 0 if you don’t want to allow NATD connections. Set
1411 the port to "auto" to have Tor pick a port for you. This directive
1412 can be specified multiple times to bind to multiple
1413 addresses/ports. If multiple entries of this option are present in
1414 your configuration file, Tor will perform stream isolation between
1415 listeners by default. See SocksPort for an explanation of isolation
1416 flags.
1417 This option is only for people who cannot use TransPort. (Default:
1420 0)
1421 NewCircuitPeriod NUM
1423 Every NUM seconds consider whether to build a new circuit.
1424 (Default: 30 seconds)
1425 PathBiasCircThreshold NUM
1427 PathBiasDropGuards NUM
1429 PathBiasExtremeRate NUM
1431 PathBiasNoticeRate NUM
1433 PathBiasWarnRate NUM
1435 PathBiasScaleThreshold NUM
1437 These options override the default behavior of Tor’s (currently
1438 experimental) path bias detection algorithm. To try to find broken
1439 or misbehaving guard nodes, Tor looks for nodes where more than a
1440 certain fraction of circuits through that guard fail to get built.
1441 The PathBiasCircThreshold option controls how many circuits we need
1444 to build through a guard before we make these checks. The
1445 PathBiasNoticeRate, PathBiasWarnRate and PathBiasExtremeRate
1446 options control what fraction of circuits must succeed through a
1447 guard so we won’t write log messages. If less than
1448 PathBiasExtremeRate circuits succeed and PathBiasDropGuards is set
1449 to 1, we disable use of that guard.
1450 When we have seen more than PathBiasScaleThreshold circuits through
1453 a guard, we scale our observations by 0.5 (governed by the
1454 consensus) so that new observations don’t get swamped by old ones.
1455 By default, or if a negative value is provided for one of these
1458 options, Tor uses reasonable defaults from the networkstatus
1459 consensus document. If no defaults are available there, these
1460 options default to 150, .70, .50, .30, 0, and 300 respectively.
1461 PathBiasUseThreshold NUM
1463 PathBiasNoticeUseRate NUM
1465 PathBiasExtremeUseRate NUM
1467 PathBiasScaleUseThreshold NUM
1469 Similar to the above options, these options override the default
1470 behavior of Tor’s (currently experimental) path use bias detection
1471 algorithm.
1472 Where as the path bias parameters govern thresholds for
1475 successfully building circuits, these four path use bias parameters
1476 govern thresholds only for circuit usage. Circuits which receive no
1477 stream usage are not counted by this detection algorithm. A used
1478 circuit is considered successful if it is capable of carrying
1479 streams or otherwise receiving well-formed responses to RELAY
1480 cells.
1481 By default, or if a negative value is provided for one of these
1484 options, Tor uses reasonable defaults from the networkstatus
1485 consensus document. If no defaults are available there, these
1486 options default to 20, .80, .60, and 100, respectively.
1487 PathsNeededToBuildCircuits NUM
1489 Tor clients don’t build circuits for user traffic until they know
1490 about enough of the network so that they could potentially
1491 construct enough of the possible paths through the network. If this
1492 option is set to a fraction between 0.25 and 0.95, Tor won’t build
1493 circuits until it has enough descriptors or microdescriptors to
1494 construct that fraction of possible paths. Note that setting this
1495 option too low can make your Tor client less anonymous, and setting
1496 it too high can prevent your Tor client from bootstrapping. If this
1497 option is negative, Tor will use a default value chosen by the
1498 directory authorities. If the directory authorities do not choose a
1499 value, Tor will default to 0.6. (Default: -1)
1500 ReachableAddresses IP[/MASK][:PORT]...
1502 A comma-separated list of IP addresses and ports that your firewall
1503 allows you to connect to. The format is as for the addresses in
1504 ExitPolicy, except that "accept" is understood unless "reject" is
1505 explicitly provided. For example, 'ReachableAddresses 99.0.0.0/8,
1506 reject 18.0.0.0/8:80, accept *:80' means that your firewall allows
1507 connections to everything inside net 99, rejects port 80
1508 connections to net 18, and accepts connections to port 80
1509 otherwise. (Default: 'accept *:*'.)
1510 ReachableDirAddresses IP[/MASK][:PORT]...
1512 Like ReachableAddresses, a list of addresses and ports. Tor will
1513 obey these restrictions when fetching directory information, using
1514 standard HTTP GET requests. If not set explicitly then the value of
1515 ReachableAddresses is used. If HTTPProxy is set then these
1516 connections will go through that proxy. (DEPRECATED: This option
1517 has had no effect for some time.)
1518 ReachableORAddresses IP[/MASK][:PORT]...
1520 Like ReachableAddresses, a list of addresses and ports. Tor will
1521 obey these restrictions when connecting to Onion Routers, using
1522 TLS/SSL. If not set explicitly then the value of ReachableAddresses
1523 is used. If HTTPSProxy is set then these connections will go
1524 through that proxy.
1525 The separation between ReachableORAddresses and
1528 ReachableDirAddresses is only interesting when you are connecting
1529 through proxies (see HTTPProxy and HTTPSProxy). Most proxies limit
1530 TLS connections (which Tor uses to connect to Onion Routers) to
1531 port 443, and some limit HTTP GET requests (which Tor uses for
1532 fetching directory information) to port 80.
1533 SafeSocks 0|1
1535 When this option is enabled, Tor will reject application
1536 connections that use unsafe variants of the socks protocol — ones
1537 that only provide an IP address, meaning the application is doing a
1538 DNS resolve first. Specifically, these are socks4 and socks5 when
1539 not doing remote DNS. (Default: 0)
1540 TestSocks 0|1
1542 When this option is enabled, Tor will make a notice-level log entry
1543 for each connection to the Socks port indicating whether the
1544 request used a safe socks protocol or an unsafe one (see
1545 SafeSocks). This helps to determine whether an application using
1546 Tor is possibly leaking DNS requests. (Default: 0)
1547 WarnPlaintextPorts port,port,...
1549 Tells Tor to issue a warnings whenever the user tries to make an
1550 anonymous connection to one of these ports. This option is designed
1551 to alert users to services that risk sending passwords in the
1552 clear. (Default: 23,109,110,143)
1553 RejectPlaintextPorts port,port,...
1555 Like WarnPlaintextPorts, but instead of warning about risky port
1556 uses, Tor will instead refuse to make the connection. (Default:
1557 None)
1558 SocksPolicy policy,policy,...
1560 Set an entrance policy for this server, to limit who can connect to
1561 the SocksPort and DNSPort ports. The policies have the same form as
1562 exit policies below, except that port specifiers are ignored. Any
1563 address not matched by some entry in the policy is accepted.
1564 SocksPort [address:]port|unix:path|auto [flags] [isolation flags]
1566 Open this port to listen for connections from SOCKS-speaking
1567 applications. Set this to 0 if you don’t want to allow application
1568 connections via SOCKS. Set it to "auto" to have Tor pick a port for
1569 you. This directive can be specified multiple times to bind to
1570 multiple addresses/ports. If a unix domain socket is used, you may
1571 quote the path using standard C escape sequences. Most flags are
1572 off by default, except where specified. Flags that are on by
1573 default can be disabled by putting "No" before the flag name.
1574 (Default: 9050)
1575 NOTE: Although this option allows you to specify an IP address
1578 other than localhost, you should do so only with extreme caution.
1579 The SOCKS protocol is unencrypted and (as we use it)
1580 unauthenticated, so exposing it in this way could leak your
1581 information to anybody watching your network, and allow anybody to
1582 use your computer as an open proxy.
1583 If multiple entries of this option are present in your
1586 configuration file, Tor will perform stream isolation between
1587 listeners by default. The isolation flags arguments give Tor rules
1588 for which streams received on this SocksPort are allowed to share
1589 circuits with one another. Recognized isolation flags are:
1590 IsolateClientAddr
1592 Don’t share circuits with streams from a different client
1593 address. (On by default and strongly recommended when
1594 supported; you can disable it with NoIsolateClientAddr.
1595 Unsupported and force-disabled when using Unix domain sockets.)
1596 IsolateSOCKSAuth
1598 Don’t share circuits with streams for which different SOCKS
1599 authentication was provided. (For HTTPTunnelPort connections,
1600 this option looks at the Proxy-Authorization and
1601 X-Tor-Stream-Isolation headers. On by default; you can disable
1602 it with NoIsolateSOCKSAuth.)
1603 IsolateClientProtocol
1605 Don’t share circuits with streams using a different protocol.
1606 (SOCKS 4, SOCKS 5, HTTPTunnelPort connections, TransPort
1607 connections, NATDPort connections, and DNSPort requests are all
1608 considered to be different protocols.)
1609 IsolateDestPort
1611 Don’t share circuits with streams targeting a different
1612 destination port.
1613 IsolateDestAddr
1615 Don’t share circuits with streams targeting a different
1616 destination address.
1617 KeepAliveIsolateSOCKSAuth
1619 If IsolateSOCKSAuth is enabled, keep alive circuits while they
1620 have at least one stream with SOCKS authentication active.
1621 After such a circuit is idle for more than MaxCircuitDirtiness
1622 seconds, it can be closed.
1623 SessionGroup=INT
1625 If no other isolation rules would prevent it, allow streams on
1626 this port to share circuits with streams from every other port
1627 with the same session group. (By default, streams received on
1628 different SocksPorts, TransPorts, etc are always isolated from
1629 one another. This option overrides that behavior.)
1630 Other recognized flags for a SocksPort are:
1632 NoIPv4Traffic
1634 Tell exits to not connect to IPv4 addresses in response to
1635 SOCKS requests on this connection.
1636 IPv6Traffic
1638 Tell exits to allow IPv6 addresses in response to SOCKS
1639 requests on this connection, so long as SOCKS5 is in use.
1640 (SOCKS4 can’t handle IPv6.)
1641 PreferIPv6
1643 Tells exits that, if a host has both an IPv4 and an IPv6
1644 address, we would prefer to connect to it via IPv6. (IPv4 is
1645 the default.)
1646 NoDNSRequest
1648 Do not ask exits to resolve DNS addresses in SOCKS5 requests.
1649 Tor will connect to IPv4 addresses, IPv6 addresses (if
1650 IPv6Traffic is set) and .onion addresses.
1651 NoOnionTraffic
1653 Do not connect to .onion addresses in SOCKS5 requests.
1654 OnionTrafficOnly
1656 Tell the tor client to only connect to .onion addresses in
1657 response to SOCKS5 requests on this connection. This is
1658 equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic. The
1659 corresponding NoOnionTrafficOnly flag is not supported.
1660 CacheIPv4DNS
1662 Tells the client to remember IPv4 DNS answers we receive from
1663 exit nodes via this connection.
1664 CacheIPv6DNS
1666 Tells the client to remember IPv6 DNS answers we receive from
1667 exit nodes via this connection.
1668 GroupWritable
1670 Unix domain sockets only: makes the socket get created as
1671 group-writable.
1672 WorldWritable
1674 Unix domain sockets only: makes the socket get created as
1675 world-writable.
1676 CacheDNS
1678 Tells the client to remember all DNS answers we receive from
1679 exit nodes via this connection.
1680 UseIPv4Cache
1682 Tells the client to use any cached IPv4 DNS answers we have
1683 when making requests via this connection. (NOTE: This option,
1684 or UseIPv6Cache or UseDNSCache, can harm your anonymity, and
1685 probably won’t help performance as much as you might expect.
1686 Use with care!)
1687 UseIPv6Cache
1689 Tells the client to use any cached IPv6 DNS answers we have
1690 when making requests via this connection.
1691 UseDNSCache
1693 Tells the client to use any cached DNS answers we have when
1694 making requests via this connection.
1695 NoPreferIPv6Automap
1697 When serving a hostname lookup request on this port that should
1698 get automapped (according to AutomapHostsOnResolve), if we
1699 could return either an IPv4 or an IPv6 answer, prefer an IPv4
1700 answer. (Tor prefers IPv6 by default.)
1701 PreferSOCKSNoAuth
1703 Ordinarily, when an application offers both "username/password
1704 authentication" and "no authentication" to Tor via SOCKS5, Tor
1705 selects username/password authentication so that
1706 IsolateSOCKSAuth can work. This can confuse some applications,
1707 if they offer a username/password combination then get confused
1708 when asked for one. You can disable this behavior, so that Tor
1709 will select "No authentication" when IsolateSOCKSAuth is
1710 disabled, or when this option is set.
1711 ExtendedErrors
1713 Return extended error code in the SOCKS reply. So far, the
1714 possible errors are:
1715 X'F0' Onion Service Descriptor Can Not be Found
1717 The requested onion service descriptor can't be found on the
1719 hashring and thus not reachable by the client. (v3 only)
1720 X'F1' Onion Service Descriptor Is Invalid
1722 The requested onion service descriptor can't be parsed or
1724 signature validation failed. (v3 only)
1725 X'F2' Onion Service Introduction Failed
1727 All introduction attempts failed either due to a combination of
1729 NACK by the intro point or time out. (v3 only)
1730 X'F3' Onion Service Rendezvous Failed
1732 Every rendezvous circuit has timed out and thus the client is
1734 unable to rendezvous with the service. (v3 only)
1735 X'F4' Onion Service Missing Client Authorization
1737 Client was able to download the requested onion service descriptor
1739 but is unable to decrypt its content because it is missing client
1740 authorization information. (v3 only)
1741 X'F5' Onion Service Wrong Client Authorization
1743 Client was able to download the requested onion service descriptor
1745 but is unable to decrypt its content using the client
1746 authorization information it has. This means the client access
1747 were revoked. (v3 only)
1748 X'F6' Onion Service Invalid Address
1750 The given .onion address is invalid. In one of these cases this
1752 error is returned: address checksum doesn't match, ed25519 public
1753 key is invalid or the encoding is invalid. (v3 only)
1754 X'F7' Onion Service Introduction Timed Out
1756 Similar to X'F2' code but in this case, all introduction attempts
1758 have failed due to a time out. (v3 only)
1759 Flags are processed left to right. If flags conflict, the last flag
1761 on the line is used, and all earlier flags are ignored. No error is
1762 issued for conflicting flags.
1763 TokenBucketRefillInterval NUM [msec|second]
1765 Set the refill delay interval of Tor’s token bucket to NUM
1766 milliseconds. NUM must be between 1 and 1000, inclusive. When Tor
1767 is out of bandwidth, on a connection or globally, it will wait up
1768 to this long before it tries to use that connection again. Note
1769 that bandwidth limits are still expressed in bytes per second: this
1770 option only affects the frequency with which Tor checks to see
1771 whether previously exhausted connections may read again. Can not be
1772 changed while tor is running. (Default: 100 msec)
1773 TrackHostExits host,.domain,...
1775 For each value in the comma separated list, Tor will track recent
1776 connections to hosts that match this value and attempt to reuse the
1777 same exit node for each. If the value is prepended with a '.', it
1778 is treated as matching an entire domain. If one of the values is
1779 just a '.', it means match everything. This option is useful if you
1780 frequently connect to sites that will expire all your
1781 authentication cookies (i.e. log you out) if your IP address
1782 changes. Note that this option does have the disadvantage of making
1783 it more clear that a given history is associated with a single
1784 user. However, most people who would wish to observe this will
1785 observe it through cookies or other protocol-specific means anyhow.
1786 TrackHostExitsExpire NUM
1788 Since exit servers go up and down, it is desirable to expire the
1789 association between host and exit server after NUM seconds. The
1790 default is 1800 seconds (30 minutes).
1791 TransPort [address:]port|auto [isolation flags]
1793 Open this port to listen for transparent proxy connections. Set
1794 this to 0 if you don’t want to allow transparent proxy connections.
1795 Set the port to "auto" to have Tor pick a port for you. This
1796 directive can be specified multiple times to bind to multiple
1797 addresses/ports. If multiple entries of this option are present in
1798 your configuration file, Tor will perform stream isolation between
1799 listeners by default. See SocksPort for an explanation of isolation
1800 flags.
1801 TransPort requires OS support for transparent proxies, such as
1804 BSDs' pf or Linux’s IPTables. If you’re planning to use Tor as a
1805 transparent proxy for a network, you’ll want to examine and change
1806 VirtualAddrNetwork from the default setting. (Default: 0)
1807 TransProxyType default|TPROXY|ipfw|pf-divert
1809 TransProxyType may only be enabled when there is transparent proxy
1810 listener enabled.
1811 Set this to "TPROXY" if you wish to be able to use the TPROXY Linux
1814 module to transparently proxy connections that are configured using
1815 the TransPort option. Detailed information on how to configure the
1816 TPROXY feature can be found in the Linux kernel source tree in the
1817 file Documentation/networking/tproxy.txt.
1818 Set this option to "ipfw" to use the FreeBSD ipfw interface.
1821 On *BSD operating systems when using pf, set this to "pf-divert" to
1824 take advantage of divert-to rules, which do not modify the packets
1825 like rdr-to rules do. Detailed information on how to configure pf
1826 to use divert-to rules can be found in the pf.conf(5) manual page.
1827 On OpenBSD, divert-to is available to use on versions greater than
1828 or equal to OpenBSD 4.4.
1829 Set this to "default", or leave it unconfigured, to use regular
1832 IPTables on Linux, or to use pf rdr-to rules on *BSD systems.
1833 (Default: "default")
1836 UpdateBridgesFromAuthority 0|1
1838 When set (along with UseBridges), Tor will try to fetch bridge
1839 descriptors from the configured bridge authorities when feasible.
1840 It will fall back to a direct request if the authority responds
1841 with a 404. (Default: 0)
1842 UseBridges 0|1
1844 When set, Tor will fetch descriptors for each bridge listed in the
1845 "Bridge" config lines, and use these relays as both entry guards
1846 and directory guards. (Default: 0)
1847 UseEntryGuards 0|1
1849 If this option is set to 1, we pick a few long-term entry servers,
1850 and try to stick with them. This is desirable because constantly
1851 changing servers increases the odds that an adversary who owns some
1852 servers will observe a fraction of your paths. Entry Guards can not
1853 be used by Directory Authorities or Single Onion Services. In these
1854 cases, this option is ignored. (Default: 1)
1855 UseGuardFraction 0|1|auto
1857 This option specifies whether clients should use the guardfraction
1858 information found in the consensus during path selection. If it’s
1859 set to auto, clients will do what the UseGuardFraction consensus
1860 parameter tells them to do. (Default: auto)
1861 GuardLifetime N days|weeks|months
1863 If UseEntryGuards is set, minimum time to keep a guard on our guard
1864 list before picking a new one. If less than one day, we use
1865 defaults from the consensus directory. (Default: 0)
1866 NumDirectoryGuards NUM
1868 If UseEntryGuards is set to 1, we try to make sure we have at least
1869 NUM routers to use as directory guards. If this option is set to 0,
1870 use the value from the guard-n-primary-dir-guards-to-use consensus
1871 parameter, and default to 3 if the consensus parameter isn’t set.
1872 (Default: 0)
1873 NumEntryGuards NUM
1875 If UseEntryGuards is set to 1, we will try to pick a total of NUM
1876 routers as long-term entries for our circuits. If NUM is 0, we try
1877 to learn the number from the guard-n-primary-guards-to-use
1878 consensus parameter, and default to 1 if the consensus parameter
1879 isn’t set. (Default: 0)
1880 NumPrimaryGuards NUM
1882 If UseEntryGuards is set to 1, we will try to pick NUM routers for
1883 our primary guard list, which is the set of routers we strongly
1884 prefer when connecting to the Tor network. If NUM is 0, we try to
1885 learn the number from the guard-n-primary-guards consensus
1886 parameter, and default to 3 if the consensus parameter isn’t set.
1887 (Default: 0)
1888 UseMicrodescriptors 0|1|auto
1890 Microdescriptors are a smaller version of the information that Tor
1891 needs in order to build its circuits. Using microdescriptors makes
1892 Tor clients download less directory information, thus saving
1893 bandwidth. Directory caches need to fetch regular descriptors and
1894 microdescriptors, so this option doesn’t save any bandwidth for
1895 them. For legacy reasons, auto is accepted, but it has the same
1896 effect as 1. (Default: auto)
1897 VirtualAddrNetworkIPv4 IPv4Address/bits
1899 VirtualAddrNetworkIPv6 [IPv6Address]/bits
1901 When Tor needs to assign a virtual (unused) address because of a
1902 MAPADDRESS command from the controller or the AutomapHostsOnResolve
1903 feature, Tor picks an unassigned address from this range.
1904 (Defaults: 127.192.0.0/10 and [FE80::]/10 respectively.)
1905 When providing proxy server service to a network of computers using
1908 a tool like dns-proxy-tor, change the IPv4 network to
1909 "10.192.0.0/10" or "172.16.0.0/12" and change the IPv6 network to
1910 "[FC00::]/7". The default VirtualAddrNetwork address ranges on a
1911 properly configured machine will route to the loopback or
1912 link-local interface. The maximum number of bits for the network
1913 prefix is set to 104 for IPv6 and 16 for IPv4. However, a larger
1914 network (that is, one with a smaller prefix length) is preferable,
1915 since it reduces the chances for an attacker to guess the used IP.
1916 For local use, no change to the default VirtualAddrNetwork setting
1917 is needed.
1918
1920 The following options are useful for configuring timeouts related to
1921 building Tor circuits and using them:
1922 CircuitsAvailableTimeout NUM
1924 Tor will attempt to keep at least one open, unused circuit
1925 available for this amount of time. This option governs how long
1926 idle circuits are kept open, as well as the amount of time Tor will
1927 keep a circuit open to each of the recently used ports. This way
1928 when the Tor client is entirely idle, it can expire all of its
1929 circuits, and then expire its TLS connections. Note that the actual
1930 timeout value is uniformly randomized from the specified value to
1931 twice that amount. (Default: 30 minutes; Max: 24 hours)
1932 LearnCircuitBuildTimeout 0|1
1934 If 0, CircuitBuildTimeout adaptive learning is disabled. (Default:
1935 1)
1936 CircuitBuildTimeout NUM
1938 Try for at most NUM seconds when building circuits. If the circuit
1939 isn’t open in that time, give up on it. If LearnCircuitBuildTimeout
1940 is 1, this value serves as the initial value to use before a
1941 timeout is learned. If LearnCircuitBuildTimeout is 0, this value is
1942 the only value used. (Default: 60 seconds)
1943 CircuitStreamTimeout NUM
1945 If non-zero, this option overrides our internal timeout schedule
1946 for how many seconds until we detach a stream from a circuit and
1947 try a new circuit. If your network is particularly slow, you might
1948 want to set this to a number like 60. (Default: 0)
1949 SocksTimeout NUM
1951 Let a socks connection wait NUM seconds handshaking, and NUM
1952 seconds unattached waiting for an appropriate circuit, before we
1953 fail it. (Default: 2 minutes)
1954
1956 Tor can enter dormant mode to conserve power and network bandwidth. The
1957 following options control when Tor enters and leaves dormant mode:
1958 DormantCanceledByStartup 0|1
1960 By default, Tor starts in active mode if it was active the last
1961 time it was shut down, and in dormant mode if it was dormant. But
1962 if this option is true, Tor treats every startup event as user
1963 activity, and Tor will never start in Dormant mode, even if it has
1964 been unused for a long time on previous runs. (Default: 0)
1965 Note: Packagers and application developers should change the value
1967 of this option only with great caution: it has the potential to
1968 create spurious traffic on the network. This option should only be
1969 used if Tor is started by an affirmative user activity (like
1970 clicking on an application or running a command), and not if Tor is
1971 launched for some other reason (for example, by a startup process,
1972 or by an application that launches itself on every login.)
1973 DormantClientTimeout N minutes|hours|days|weeks
1975 If Tor spends this much time without any client activity, enter a
1976 dormant state where automatic circuits are not built, and directory
1977 information is not fetched. Does not affect servers or onion
1978 services. Must be at least 10 minutes. (Default: 24 hours)
1979 DormantOnFirstStartup 0|1
1981 If true, then the first time Tor starts up with a fresh
1982 DataDirectory, it starts in dormant mode, and takes no actions
1983 until the user has made a request. (This mode is recommended if
1984 installing a Tor client for a user who might not actually use it.)
1985 If false, Tor bootstraps the first time it is started, whether it
1986 sees a user request or not.
1987 After the first time Tor starts, it begins in dormant mode if it
1989 was dormant before, and not otherwise. (Default: 0)
1990 DormantTimeoutDisabledByIdleStreams 0|1
1992 If true, then any open client stream (even one not reading or
1993 writing) counts as client activity for the purpose of
1994 DormantClientTimeout. If false, then only network activity counts.
1995 (Default: 1)
1996
1998 The following options restrict the nodes that a tor client (or onion
1999 service) can use while building a circuit. These options can weaken
2000 your anonymity by making your client behavior different from other Tor
2001 clients:
2002 EntryNodes node,node,...
2004 A list of identity fingerprints and country codes of nodes to use
2005 for the first hop in your normal circuits. Normal circuits include
2006 all circuits except for direct connections to directory servers.
2007 The Bridge option overrides this option; if you have configured
2008 bridges and UseBridges is 1, the Bridges are used as your entry
2009 nodes.
2010 This option can appear multiple times: the values from multiple
2013 lines are spliced together.
2014 The ExcludeNodes option overrides this option: any node listed in
2017 both EntryNodes and ExcludeNodes is treated as excluded. See
2018 ExcludeNodes for more information on how to specify nodes.
2019 ExcludeNodes node,node,...
2021 A list of identity fingerprints, country codes, and address
2022 patterns of nodes to avoid when building a circuit. Country codes
2023 are 2-letter ISO3166 codes, and must be wrapped in braces;
2024 fingerprints may be preceded by a dollar sign. (Example:
2025 ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc},
2026 255.254.0.0/8)
2027 This option can appear multiple times: the values from multiple
2030 lines are spliced together.
2031 By default, this option is treated as a preference that Tor is
2034 allowed to override in order to keep working. For example, if you
2035 try to connect to a hidden service, but you have excluded all of
2036 the hidden service’s introduction points, Tor will connect to one
2037 of them anyway. If you do not want this behavior, set the
2038 StrictNodes option (documented below).
2039 Note also that if you are a relay, this (and the other node
2042 selection options below) only affects your own circuits that Tor
2043 builds for you. Clients can still build circuits through you to any
2044 node. Controllers can tell Tor to build circuits through any node.
2045 Country codes are case-insensitive. The code "{??}" refers to nodes
2048 whose country can’t be identified. No country code, including {??},
2049 works if no GeoIPFile can be loaded. See also the
2050 GeoIPExcludeUnknown option below.
2051 ExcludeExitNodes node,node,...
2053 A list of identity fingerprints, country codes, and address
2054 patterns of nodes to never use when picking an exit node---that is,
2055 a node that delivers traffic for you outside the Tor network. Note
2056 that any node listed in ExcludeNodes is automatically considered to
2057 be part of this list too. See ExcludeNodes for more information on
2058 how to specify nodes. See also the caveats on the ExitNodes option
2059 below.
2060 This option can appear multiple times: the values from multiple
2062 lines are spliced together.
2063 ExitNodes node,node,...
2066 A list of identity fingerprints, country codes, and address
2067 patterns of nodes to use as exit node---that is, a node that
2068 delivers traffic for you outside the Tor network. See ExcludeNodes
2069 for more information on how to specify nodes.
2070 This option can appear multiple times: the values from multiple
2073 lines are spliced together.
2074 Note that if you list too few nodes here, or if you exclude too
2077 many exit nodes with ExcludeExitNodes, you can degrade
2078 functionality. For example, if none of the exits you list allows
2079 traffic on port 80 or 443, you won’t be able to browse the web.
2080 Note also that not every circuit is used to deliver traffic outside
2083 of the Tor network. It is normal to see non-exit circuits (such as
2084 those used to connect to hidden services, those that do directory
2085 fetches, those used for relay reachability self-tests, and so on)
2086 that end at a non-exit node. To keep a node from being used
2087 entirely, see ExcludeNodes and StrictNodes.
2088 The ExcludeNodes option overrides this option: any node listed in
2091 both ExitNodes and ExcludeNodes is treated as excluded.
2092 The .exit address notation, if enabled via MapAddress, overrides
2095 this option.
2096 GeoIPExcludeUnknown 0|1|auto
2098 If this option is set to auto, then whenever any country code is
2099 set in ExcludeNodes or ExcludeExitNodes, all nodes with unknown
2100 country ({??} and possibly {A1}) are treated as excluded as well.
2101 If this option is set to 1, then all unknown countries are treated
2102 as excluded in ExcludeNodes and ExcludeExitNodes. This option has
2103 no effect when a GeoIP file isn’t configured or can’t be found.
2104 (Default: auto)
2105 HSLayer2Nodes node,node,...
2107 A list of identity fingerprints, nicknames, country codes, and
2108 address patterns of nodes that are allowed to be used as the second
2109 hop in all client or service-side Onion Service circuits. This
2110 option mitigates attacks where the adversary runs middle nodes and
2111 induces your client or service to create many circuits, in order to
2112 discover your primary guard node. (Default: Any node in the network
2113 may be used in the second hop.)
2114 (Example: HSLayer2Nodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234,
2116 {cc}, 255.254.0.0/8)
2117 This option can appear multiple times: the values from multiple
2120 lines are spliced together.
2121 When this is set, the resulting hidden service paths will look
2124 like:
2125 C - G - L2 - M - Rend
2127 C - G - L2 - M - HSDir
2129 C - G - L2 - M - Intro
2131 S - G - L2 - M - Rend
2133 S - G - L2 - M - HSDir
2135 S - G - L2 - M - Intro
2137 where C is this client, S is the service, G is the Guard node, L2
2140 is a node from this option, and M is a random middle node. Rend,
2141 HSDir, and Intro point selection is not affected by this option.
2142 This option may be combined with HSLayer3Nodes to create paths of
2144 the form:
2145 C - G - L2 - L3 - Rend
2147 C - G - L2 - L3 - M - HSDir
2149 C - G - L2 - L3 - M - Intro
2151 S - G - L2 - L3 - M - Rend
2153 S - G - L2 - L3 - HSDir
2155 S - G - L2 - L3 - Intro
2157 ExcludeNodes have higher priority than HSLayer2Nodes, which means
2160 that nodes specified in ExcludeNodes will not be picked.
2161 When either this option or HSLayer3Nodes are set, the /16 subnet
2163 and node family restrictions are removed for hidden service
2164 circuits. Additionally, we allow the guard node to be present as
2165 the Rend, HSDir, and IP node, and as the hop before it. This is
2166 done to prevent the adversary from inferring information about our
2167 guard, layer2, and layer3 node choices at later points in the path.
2168 This option is meant to be managed by a Tor controller such as
2170 https://github.com/mikeperry-tor/vanguards that selects and updates
2171 this set of nodes for you. Hence it does not do load balancing if
2172 fewer than 20 nodes are selected, and if no nodes in HSLayer2Nodes
2173 are currently available for use, Tor will not work. Please use
2174 extreme care if you are setting this option manually.
2175 HSLayer3Nodes node,node,...
2177 A list of identity fingerprints, nicknames, country codes, and
2178 address patterns of nodes that are allowed to be used as the third
2179 hop in all client and service-side Onion Service circuits. This
2180 option mitigates attacks where the adversary runs middle nodes and
2181 induces your client or service to create many circuits, in order to
2182 discover your primary or Layer2 guard nodes. (Default: Any node in
2183 the network may be used in the third hop.)
2184 (Example: HSLayer3Nodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234,
2186 {cc}, 255.254.0.0/8)
2187 This option can appear multiple times: the values from multiple
2190 lines are spliced together.
2191 When this is set by itself, the resulting hidden service paths will
2194 look like:
2195 C - G - M - L3 - Rend
2197 C - G - M - L3 - M - HSDir
2199 C - G - M - L3 - M - Intro
2201 S - G - M - L3 - M - Rend
2203 S - G - M - L3 - HSDir
2205 S - G - M - L3 - Intro
2207 where C is this client, S is the service, G is the Guard node, L2
2209 is a node from this option, and M is a random middle node. Rend,
2210 HSDir, and Intro point selection is not affected by this option.
2211 While it is possible to use this option by itself, it should be
2213 combined with HSLayer2Nodes to create paths of the form:
2214 C - G - L2 - L3 - Rend
2216 C - G - L2 - L3 - M - HSDir
2218 C - G - L2 - L3 - M - Intro
2220 S - G - L2 - L3 - M - Rend
2222 S - G - L2 - L3 - HSDir
2224 S - G - L2 - L3 - Intro
2226 ExcludeNodes have higher priority than HSLayer3Nodes, which means
2229 that nodes specified in ExcludeNodes will not be picked.
2230 When either this option or HSLayer2Nodes are set, the /16 subnet
2232 and node family restrictions are removed for hidden service
2233 circuits. Additionally, we allow the guard node to be present as
2234 the Rend, HSDir, and IP node, and as the hop before it. This is
2235 done to prevent the adversary from inferring information about our
2236 guard, layer2, and layer3 node choices at later points in the path.
2237 This option is meant to be managed by a Tor controller such as
2239 https://github.com/mikeperry-tor/vanguards that selects and updates
2240 this set of nodes for you. Hence it does not do load balancing if
2241 fewer than 20 nodes are selected, and if no nodes in HSLayer3Nodes
2242 are currently available for use, Tor will not work. Please use
2243 extreme care if you are setting this option manually.
2244 MiddleNodes node,node,...
2246 A list of identity fingerprints and country codes of nodes to use
2247 for "middle" hops in your normal circuits. Normal circuits include
2248 all circuits except for direct connections to directory servers.
2249 Middle hops are all hops other than exit and entry.
2250 This option can appear multiple times: the values from multiple
2252 lines are spliced together.
2253 This is an experimental feature that is meant to be used by
2256 researchers and developers to test new features in the Tor network
2257 safely. Using it without care will strongly influence your
2258 anonymity. Other tor features may not work with MiddleNodes. This
2259 feature might get removed in the future.
2260 The HSLayer2Node and HSLayer3Node options override this option for onion
2262 service circuits, if they are set. The vanguards addon will read this
2263 option, and if set, it will set HSLayer2Nodes and HSLayer3Nodes to nodes
2264 from this set.
2265 The ExcludeNodes option overrides this option: any node listed in both
2267 MiddleNodes and ExcludeNodes is treated as excluded. See
2268 the <<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes.
2269 NodeFamily node,node,...
2271 The Tor servers, defined by their identity fingerprints, constitute
2272 a "family" of similar or co-administered servers, so never use any
2273 two of them in the same circuit. Defining a NodeFamily is only
2274 needed when a server doesn’t list the family itself (with
2275 MyFamily). This option can be used multiple times; each instance
2276 defines a separate family. In addition to nodes, you can also list
2277 IP address and ranges and country codes in {curly braces}. See
2278 ExcludeNodes for more information on how to specify nodes.
2279 StrictNodes 0|1
2281 If StrictNodes is set to 1, Tor will treat solely the ExcludeNodes
2282 option as a requirement to follow for all the circuits you
2283 generate, even if doing so will break functionality for you
2284 (StrictNodes does not apply to ExcludeExitNodes, ExitNodes,
2285 MiddleNodes, or MapAddress). If StrictNodes is set to 0, Tor will
2286 still try to avoid nodes in the ExcludeNodes list, but it will err
2287 on the side of avoiding unexpected errors. Specifically,
2288 StrictNodes 0 tells Tor that it is okay to use an excluded node
2289 when it is necessary to perform relay reachability self-tests,
2290 connect to a hidden service, provide a hidden service to a client,
2291 fulfill a .exit request, upload directory information, or download
2292 directory information. (Default: 0)
2293
2295 The following options are useful only for servers (that is, if ORPort
2296 is non-zero):
2297 AccountingMax N
2299 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
2300 Limits the max number of bytes sent and received within a set time
2301 period using a given calculation rule (see AccountingStart and
2302 AccountingRule). Useful if you need to stay under a specific
2303 bandwidth. By default, the number used for calculation is the max
2304 of either the bytes sent or received. For example, with
2305 AccountingMax set to 1 TByte, a server could send 900 GBytes and
2306 receive 800 GBytes and continue running. It will only hibernate
2307 once one of the two reaches 1 TByte. This can be changed to use the
2308 sum of the both bytes received and sent by setting the
2309 AccountingRule option to "sum" (total bandwidth in/out). When the
2310 number of bytes remaining gets low, Tor will stop accepting new
2311 connections and circuits. When the number of bytes is exhausted,
2312 Tor will hibernate until some time in the next accounting period.
2313 To prevent all servers from waking at the same time, Tor will also
2314 wait until a random point in each period before waking up. If you
2315 have bandwidth cost issues, enabling hibernation is preferable to
2316 setting a low bandwidth, since it provides users with a collection
2317 of fast servers that are up some of the time, which is more useful
2318 than a set of slow servers that are always "available".
2319 Note that (as also described in the Bandwidth section) Tor uses
2322 powers of two, not powers of ten: 1 GByte is 1024*1024*1024, not
2323 one billion. Be careful: some internet service providers might
2324 count GBytes differently.
2325 AccountingRule sum|max|in|out
2327 How we determine when our AccountingMax has been reached (when we
2328 should hibernate) during a time interval. Set to "max" to calculate
2329 using the higher of either the sent or received bytes (this is the
2330 default functionality). Set to "sum" to calculate using the sent
2331 plus received bytes. Set to "in" to calculate using only the
2332 received bytes. Set to "out" to calculate using only the sent
2333 bytes. (Default: max)
2334 AccountingStart day|week|month [day] HH:MM
2336 Specify how long accounting periods last. If month is given, each
2337 accounting period runs from the time HH:MM on the dayth day of one
2338 month to the same day and time of the next. The relay will go at
2339 full speed, use all the quota you specify, then hibernate for the
2340 rest of the period. (The day must be between 1 and 28.) If week is
2341 given, each accounting period runs from the time HH:MM of the dayth
2342 day of one week to the same day and time of the next week, with
2343 Monday as day 1 and Sunday as day 7. If day is given, each
2344 accounting period runs from the time HH:MM each day to the same
2345 time on the next day. All times are local, and given in 24-hour
2346 time. (Default: "month 1 0:00")
2347 Address address
2349 The IPv4 address of this server, or a fully qualified domain name
2350 of this server that resolves to an IPv4 address. You can leave this
2351 unset, and Tor will try to guess your IPv4 address. This IPv4
2352 address is the one used to tell clients and other servers where to
2353 find your Tor server; it doesn’t affect the address that your
2354 server binds to. To bind to a different address, use the ORPort and
2355 OutboundBindAddress options.
2356 AddressDisableIPv6 0|1
2358 By default, Tor will attempt to find the IPv6 of the relay if there
2359 is no IPv4Only ORPort. If set, this option disables IPv6 auto
2360 discovery. This disables IPv6 address resolution, IPv6 ORPorts, and
2361 IPv6 reachability checks. Also, the relay won’t publish an IPv6
2362 ORPort in its descriptor. (Default: 0)
2363 AssumeReachable 0|1
2365 This option is used when bootstrapping a new Tor network. If set to
2366 1, don’t do self-reachability testing; just upload your server
2367 descriptor immediately. (Default: 0)
2368 AssumeReachableIPv6 0|1|auto
2370 Like AssumeReachable, but affects only the relay’s own IPv6 ORPort.
2371 If this value is set to "auto", then Tor will look at
2372 AssumeReachable instead. (Default: auto)
2373 BridgeRelay 0|1
2375 Sets the relay to act as a "bridge" with respect to relaying
2376 connections from bridge users to the Tor network. It mainly causes
2377 Tor to publish a server descriptor to the bridge database, rather
2378 than to the public directory authorities.
2379 Note: make sure that no MyFamily lines are present in your torrc
2382 when relay is configured in bridge mode.
2383 BridgeRecordUsageByCountry 0|1
2385 When this option is enabled and BridgeRelay is also enabled, and we
2386 have GeoIP data, Tor keeps a per-country count of how many client
2387 addresses have contacted it so that it can help the bridge
2388 authority guess which countries have blocked access to it. If
2389 ExtraInfoStatistics is enabled, it will be published as part of the
2390 extra-info document. (Default: 1)
2391 BridgeDistribution string
2393 If set along with BridgeRelay, Tor will include a new line in its
2394 bridge descriptor which indicates to the BridgeDB service how it
2395 would like its bridge address to be given out. Set it to "none" if
2396 you want BridgeDB to avoid distributing your bridge address, or
2397 "any" to let BridgeDB decide. (Default: any)
2398 ContactInfo email_address
2400 Administrative contact information for this relay or bridge. This
2401 line can be used to contact you if your relay or bridge is
2402 misconfigured or something else goes wrong. Note that we archive
2403 and publish all descriptors containing these lines and that Google
2404 indexes them, so spammers might also collect them. You may want to
2405 obscure the fact that it’s an email address and/or generate a new
2406 address for this purpose.
2407 ContactInfo must be set to a working address if you run more than
2410 one relay or bridge. (Really, everybody running a relay or bridge
2411 should set it.)
2412 DisableOOSCheck 0|1
2414 This option disables the code that closes connections when Tor
2415 notices that it is running low on sockets. Right now, it is on by
2416 default, since the existing out-of-sockets mechanism tends to kill
2417 OR connections more than it should. (Default: 1)
2418 ExitPolicy policy,policy,...
2420 Set an exit policy for this server. Each policy is of the form
2421 "accept[6]|reject[6] ADDR[/MASK][:PORT]". If /MASK is omitted then
2422 this policy just applies to the host given. Instead of giving a
2423 host or network you can also use "*" to denote the universe
2424 (0.0.0.0/0 and ::/0), or *4 to denote all IPv4 addresses, and *6 to
2425 denote all IPv6 addresses. PORT can be a single port number, an
2426 interval of ports "FROM_PORT-TO_PORT", or "*". If PORT is omitted,
2427 that means "*".
2428 For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*"
2431 would reject any IPv4 traffic destined for MIT except for
2432 web.mit.edu, and accept any other IPv4 or IPv6 traffic.
2433 Tor also allows IPv6 exit policy entries. For instance, "reject6
2436 [FC00::]/7:*" rejects all destinations that share 7 most
2437 significant bit prefix with address FC00::. Respectively, "accept6
2438 [C000::]/3:*" accepts all destinations that share 3 most
2439 significant bit prefix with address C000::.
2440 accept6 and reject6 only produce IPv6 exit policy entries. Using an
2443 IPv4 address with accept6 or reject6 is ignored and generates a
2444 warning. accept/reject allows either IPv4 or IPv6 addresses. Use *4
2445 as an IPv4 wildcard address, and *6 as an IPv6 wildcard address.
2446 accept/reject * expands to matching IPv4 and IPv6 wildcard address
2447 rules.
2448 To specify all IPv4 and IPv6 internal and link-local networks
2451 (including 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16,
2452 10.0.0.0/8, 172.16.0.0/12, [::]/8, [FC00::]/7, [FE80::]/10,
2453 [FEC0::]/10, [FF00::]/8, and [::]/127), you can use the "private"
2454 alias instead of an address. ("private" always produces rules for
2455 IPv4 and IPv6 addresses, even when used with accept6/reject6.)
2456 Private addresses are rejected by default (at the beginning of your
2459 exit policy), along with any configured primary public IPv4 and
2460 IPv6 addresses. These private addresses are rejected unless you set
2461 the ExitPolicyRejectPrivate config option to 0. For example, once
2462 you’ve done that, you could allow HTTP to 127.0.0.1 and block all
2463 other connections to internal networks with "accept
2464 127.0.0.1:80,reject private:*", though that may also allow
2465 connections to your own computer that are addressed to its public
2466 (external) IP address. See RFC 1918 and RFC 3330 for more details
2467 about internal and reserved IP address space. See
2468 ExitPolicyRejectLocalInterfaces if you want to block every address
2469 on the relay, even those that aren’t advertised in the descriptor.
2470 This directive can be specified multiple times so you don’t have to
2473 put it all on one line.
2474 Policies are considered first to last, and the first match wins. If
2477 you want to allow the same ports on IPv4 and IPv6, write your rules
2478 using accept/reject *. If you want to allow different ports on IPv4
2479 and IPv6, write your IPv6 rules using accept6/reject6 *6, and your
2480 IPv4 rules using accept/reject *4. If you want to _replace_ the
2481 default exit policy, end your exit policy with either a reject *:*
2482 or an accept *:*. Otherwise, you’re _augmenting_ (prepending to)
2483 the default exit policy.
2484 If you want to use a reduced exit policy rather than the default
2487 exit policy, set "ReducedExitPolicy 1". If you want to replace the
2488 default exit policy with your custom exit policy, end your exit
2489 policy with either a reject : or an accept :. Otherwise, you’re
2490 augmenting (prepending to) the default or reduced exit policy.
2491 The default exit policy is:
2494 reject *:25
2496 reject *:119
2497 reject *:135-139
2498 reject *:445
2499 reject *:563
2500 reject *:1214
2501 reject *:4661-4666
2502 reject *:6346-6429
2503 reject *:6699
2504 reject *:6881-6999
2505 accept *:*
2506 Since the default exit policy uses accept/reject *, it applies to
2508 both IPv4 and IPv6 addresses.
2509 ExitPolicyRejectLocalInterfaces 0|1
2511 Reject all IPv4 and IPv6 addresses that the relay knows about, at
2512 the beginning of your exit policy. This includes any
2513 OutboundBindAddress, the bind addresses of any port options, such
2514 as ControlPort or DNSPort, and any public IPv4 and IPv6 addresses
2515 on any interface on the relay. (If IPv6Exit is not set, all IPv6
2516 addresses will be rejected anyway.) See above entry on ExitPolicy.
2517 This option is off by default, because it lists all public relay IP
2518 addresses in the ExitPolicy, even those relay operators might
2519 prefer not to disclose. (Default: 0)
2520 ExitPolicyRejectPrivate 0|1
2522 Reject all private (local) networks, along with the relay’s
2523 advertised public IPv4 and IPv6 addresses, at the beginning of your
2524 exit policy. See above entry on ExitPolicy. (Default: 1)
2525 ExitRelay 0|1|auto
2527 Tells Tor whether to run as an exit relay. If Tor is running as a
2528 non-bridge server, and ExitRelay is set to 1, then Tor allows
2529 traffic to exit according to the ExitPolicy option, the
2530 ReducedExitPolicy option, or the default ExitPolicy (if no other
2531 exit policy option is specified).
2532 If ExitRelay is set to 0, no traffic is allowed to exit, and the
2535 ExitPolicy, ReducedExitPolicy, and IPv6Exit options are ignored.
2536 If ExitRelay is set to "auto", then Tor checks the ExitPolicy,
2539 ReducedExitPolicy, and IPv6Exit options. If at least one of these
2540 options is set, Tor behaves as if ExitRelay were set to 1. If none
2541 of these exit policy options are set, Tor behaves as if ExitRelay
2542 were set to 0. (Default: auto)
2543 ExtendAllowPrivateAddresses 0|1
2545 When this option is enabled, Tor will connect to relays on
2546 localhost, RFC1918 addresses, and so on. In particular, Tor will
2547 make direct OR connections, and Tor routers allow EXTEND requests,
2548 to these private addresses. (Tor will always allow connections to
2549 bridges, proxies, and pluggable transports configured on private
2550 addresses.) Enabling this option can create security issues; you
2551 should probably leave it off. (Default: 0)
2552 GeoIPFile filename
2554 A filename containing IPv4 GeoIP data, for use with by-country
2555 statistics.
2556 GeoIPv6File filename
2558 A filename containing IPv6 GeoIP data, for use with by-country
2559 statistics.
2560 HeartbeatPeriod N minutes|hours|days|weeks
2562 Log a heartbeat message every HeartbeatPeriod seconds. This is a
2563 log level notice message, designed to let you know your Tor server
2564 is still alive and doing useful things. Settings this to 0 will
2565 disable the heartbeat. Otherwise, it must be at least 30 minutes.
2566 (Default: 6 hours)
2567 IPv6Exit 0|1
2569 If set, and we are an exit node, allow clients to use us for IPv6
2570 traffic. When this option is set and ExitRelay is auto, we act as
2571 if ExitRelay is 1. (Default: 0)
2572 KeyDirectory DIR
2574 Store secret keys in DIR. Can not be changed while tor is running.
2575 (Default: the "keys" subdirectory of DataDirectory.)
2576 KeyDirectoryGroupReadable 0|1|auto
2578 If this option is set to 0, don’t allow the filesystem group to
2579 read the KeyDirectory. If the option is set to 1, make the
2580 KeyDirectory readable by the default GID. If the option is "auto",
2581 then we use the setting for DataDirectoryGroupReadable when the
2582 KeyDirectory is the same as the DataDirectory, and 0 otherwise.
2583 (Default: auto)
2584 MainloopStats 0|1
2586 Log main loop statistics every HeartbeatPeriod seconds. This is a
2587 log level notice message designed to help developers instrumenting
2588 Tor’s main event loop. (Default: 0)
2589 MaxMemInQueues N bytes|KBytes|MBytes|GBytes
2591 This option configures a threshold above which Tor will assume that
2592 it needs to stop queueing or buffering data because it’s about to
2593 run out of memory. If it hits this threshold, it will begin killing
2594 circuits until it has recovered at least 10% of this memory. Do not
2595 set this option too low, or your relay may be unreliable under
2596 load. This option only affects some queues, so the actual process
2597 size will be larger than this. If this option is set to 0, Tor will
2598 try to pick a reasonable default based on your system’s physical
2599 memory. (Default: 0)
2600 MaxOnionQueueDelay NUM [msec|second]
2602 If we have more onionskins queued for processing than we can
2603 process in this amount of time, reject new ones. (Default: 1750
2604 msec)
2605 MyFamily fingerprint,fingerprint,...
2607 Declare that this Tor relay is controlled or administered by a
2608 group or organization identical or similar to that of the other
2609 relays, defined by their (possibly $-prefixed) identity
2610 fingerprints. This option can be repeated many times, for
2611 convenience in defining large families: all fingerprints in all
2612 MyFamily lines are merged into one list. When two relays both
2613 declare that they are in the same 'family', Tor clients will not
2614 use them in the same circuit. (Each relay only needs to list the
2615 other servers in its family; it doesn’t need to list itself, but it
2616 won’t hurt if it does.) Do not list any bridge relay as it would
2617 compromise its concealment.
2618 If you run more than one relay, the MyFamily option on each relay
2621 must list all other relays, as described above.
2622 Note: do not use MyFamily when configuring your Tor instance as a
2625 bridge.
2626 Nickname name
2628 Set the server’s nickname to 'name'. Nicknames must be between 1
2629 and 19 characters inclusive, and must contain only the characters
2630 [a-zA-Z0-9]. If not set, Unnamed will be used. Relays can always be
2631 uniquely identified by their identity fingerprints.
2632 NumCPUs num
2634 How many processes to use at once for decrypting onionskins and
2635 other parallelizable operations. If this is set to 0, Tor will try
2636 to detect how many CPUs you have, defaulting to 1 if it can’t tell.
2637 (Default: 0)
2638 OfflineMasterKey 0|1
2640 If non-zero, the Tor relay will never generate or load its master
2641 secret key. Instead, you’ll have to use "tor --keygen" to manage
2642 the permanent ed25519 master identity key, as well as the
2643 corresponding temporary signing keys and certificates. (Default: 0)
2644 ORPort [address:]PORT|auto [flags]
2646 Advertise this port to listen for connections from Tor clients and
2647 servers. This option is required to be a Tor server. Set it to
2648 "auto" to have Tor pick a port for you. Set it to 0 to not run an
2649 ORPort at all. This option can occur more than once. (Default: 0)
2650 Tor recognizes these flags on each ORPort:
2653 NoAdvertise
2655 By default, we bind to a port and tell our users about it. If
2656 NoAdvertise is specified, we don’t advertise, but listen
2657 anyway. This can be useful if the port everybody will be
2658 connecting to (for example, one that’s opened on our firewall)
2659 is somewhere else.
2660 NoListen
2662 By default, we bind to a port and tell our users about it. If
2663 NoListen is specified, we don’t bind, but advertise anyway.
2664 This can be useful if something else (for example, a firewall’s
2665 port forwarding configuration) is causing connections to reach
2666 us.
2667 IPv4Only
2669 If the address is absent, or resolves to both an IPv4 and an
2670 IPv6 address, only listen to the IPv4 address.
2671 IPv6Only
2673 If the address is absent, or resolves to both an IPv4 and an
2674 IPv6 address, only listen to the IPv6 address.
2675 For obvious reasons, NoAdvertise and NoListen are mutually
2677 exclusive, and IPv4Only and IPv6Only are mutually exclusive.
2678 PublishServerDescriptor 0|1|v3|bridge,...
2680 This option specifies which descriptors Tor will publish when
2681 acting as a relay. You can choose multiple arguments, separated by
2682 commas.
2683 If this option is set to 0, Tor will not publish its descriptors to
2686 any directories. (This is useful if you’re testing out your server,
2687 or if you’re using a Tor controller that handles directory
2688 publishing for you.) Otherwise, Tor will publish its descriptors of
2689 all type(s) specified. The default is "1", which means "if running
2690 as a relay or bridge, publish descriptors to the appropriate
2691 authorities". Other possibilities are "v3", meaning "publish as if
2692 you’re a relay", and "bridge", meaning "publish as if you’re a
2693 bridge".
2694 ReducedExitPolicy 0|1
2696 If set, use a reduced exit policy rather than the default one.
2697 The reduced exit policy is an alternative to the default exit
2700 policy. It allows as many Internet services as possible while still
2701 blocking the majority of TCP ports. Currently, the policy allows
2702 approximately 65 ports. This reduces the odds that your node will
2703 be used for peer-to-peer applications.
2704 The reduced exit policy is:
2707 accept *:20-21
2709 accept *:22
2710 accept *:23
2711 accept *:43
2712 accept *:53
2713 accept *:79
2714 accept *:80-81
2715 accept *:88
2716 accept *:110
2717 accept *:143
2718 accept *:194
2719 accept *:220
2720 accept *:389
2721 accept *:443
2722 accept *:464
2723 accept *:465
2724 accept *:531
2725 accept *:543-544
2726 accept *:554
2727 accept *:563
2728 accept *:587
2729 accept *:636
2730 accept *:706
2731 accept *:749
2732 accept *:873
2733 accept *:902-904
2734 accept *:981
2735 accept *:989-990
2736 accept *:991
2737 accept *:992
2738 accept *:993
2739 accept *:994
2740 accept *:995
2741 accept *:1194
2742 accept *:1220
2743 accept *:1293
2744 accept *:1500
2745 accept *:1533
2746 accept *:1677
2747 accept *:1723
2748 accept *:1755
2749 accept *:1863
2750 accept *:2082
2751 accept *:2083
2752 accept *:2086-2087
2753 accept *:2095-2096
2754 accept *:2102-2104
2755 accept *:3128
2756 accept *:3389
2757 accept *:3690
2758 accept *:4321
2759 accept *:4643
2760 accept *:5050
2761 accept *:5190
2762 accept *:5222-5223
2763 accept *:5228
2764 accept *:5900
2765 accept *:6660-6669
2766 accept *:6679
2767 accept *:6697
2768 accept *:8000
2769 accept *:8008
2770 accept *:8074
2771 accept *:8080
2772 accept *:8082
2773 accept *:8087-8088
2774 accept *:8232-8233
2775 accept *:8332-8333
2776 accept *:8443
2777 accept *:8888
2778 accept *:9418
2779 accept *:9999
2780 accept *:10000
2781 accept *:11371
2782 accept *:19294
2783 accept *:19638
2784 accept *:50002
2785 accept *:64738
2786 reject *:*
2787 (Default: 0)
2789 RefuseUnknownExits 0|1|auto
2791 Prevent nodes that don’t appear in the consensus from exiting using
2792 this relay. If the option is 1, we always block exit attempts from
2793 such nodes; if it’s 0, we never do, and if the option is "auto",
2794 then we do whatever the authorities suggest in the consensus (and
2795 block if the consensus is quiet on the issue). (Default: auto)
2796 ServerDNSAllowBrokenConfig 0|1
2798 If this option is false, Tor exits immediately if there are
2799 problems parsing the system DNS configuration or connecting to
2800 nameservers. Otherwise, Tor continues to periodically retry the
2801 system nameservers until it eventually succeeds. (Default: 1)
2802 ServerDNSAllowNonRFC953Hostnames 0|1
2804 When this option is disabled, Tor does not try to resolve hostnames
2805 containing illegal characters (like @ and :) rather than sending
2806 them to an exit node to be resolved. This helps trap accidental
2807 attempts to resolve URLs and so on. This option only affects name
2808 lookups that your server does on behalf of clients. (Default: 0)
2809 ServerDNSDetectHijacking 0|1
2811 When this option is set to 1, we will test periodically to
2812 determine whether our local nameservers have been configured to
2813 hijack failing DNS requests (usually to an advertising site). If
2814 they are, we will attempt to correct this. This option only affects
2815 name lookups that your server does on behalf of clients. (Default:
2816 1)
2817 ServerDNSRandomizeCase 0|1
2819 When this option is set, Tor sets the case of each character
2820 randomly in outgoing DNS requests, and makes sure that the case
2821 matches in DNS replies. This so-called "0x20 hack" helps resist
2822 some types of DNS poisoning attack. For more information, see
2823 "Increased DNS Forgery Resistance through 0x20-Bit Encoding". This
2824 option only affects name lookups that your server does on behalf of
2825 clients. (Default: 1)
2826 ServerDNSResolvConfFile filename
2828 Overrides the default DNS configuration with the configuration in
2829 filename. The file format is the same as the standard Unix
2830 "resolv.conf" file (7). This option, like all other ServerDNS
2831 options, only affects name lookups that your server does on behalf
2832 of clients. (Defaults to use the system DNS configuration or a
2833 localhost DNS service in case no nameservers are found in a given
2834 configuration.)
2835 ServerDNSSearchDomains 0|1
2837 If set to 1, then we will search for addresses in the local search
2838 domain. For example, if this system is configured to believe it is
2839 in "example.com", and a client tries to connect to "www", the
2840 client will be connected to "www.example.com". This option only
2841 affects name lookups that your server does on behalf of clients.
2842 (Default: 0)
2843 ServerDNSTestAddresses hostname,hostname,...
2845 When we’re detecting DNS hijacking, make sure that these valid
2846 addresses aren’t getting redirected. If they are, then our DNS is
2847 completely useless, and we’ll reset our exit policy to "reject
2848 *:*". This option only affects name lookups that your server does
2849 on behalf of clients. (Default: "www.google.com, www.mit.edu,
2850 www.yahoo.com, www.slashdot.org")
2851 ShutdownWaitLength NUM
2853 When we get a SIGINT and we’re a server, we begin shutting down: we
2854 close listeners and start refusing new circuits. After NUM seconds,
2855 we exit. If we get a second SIGINT, we exit immediately. (Default:
2856 30 seconds)
2857 SigningKeyLifetime N days|weeks|months
2859 For how long should each Ed25519 signing key be valid? Tor uses a
2860 permanent master identity key that can be kept offline, and
2861 periodically generates new "signing" keys that it uses online. This
2862 option configures their lifetime. (Default: 30 days)
2863 SSLKeyLifetime N minutes|hours|days|weeks
2865 When creating a link certificate for our outermost SSL handshake,
2866 set its lifetime to this amount of time. If set to 0, Tor will
2867 choose some reasonable random defaults. (Default: 0)
2868
2870 Relays publish most statistics in a document called the extra-info
2871 document. The following options affect the different types of
2872 statistics that Tor relays collect and publish:
2873 CellStatistics 0|1
2875 Relays only. When this option is enabled, Tor collects statistics
2876 about cell processing (i.e. mean time a cell is spending in a
2877 queue, mean number of cells in a queue and mean number of processed
2878 cells per circuit) and writes them into disk every 24 hours. Onion
2879 router operators may use the statistics for performance monitoring.
2880 If ExtraInfoStatistics is enabled, it will published as part of the
2881 extra-info document. (Default: 0)
2882 ConnDirectionStatistics 0|1
2884 Relays only. When this option is enabled, Tor writes statistics on
2885 the amounts of traffic it passes between itself and other relays to
2886 disk every 24 hours. Enables relay operators to monitor how much
2887 their relay is being used as middle node in the circuit. If
2888 ExtraInfoStatistics is enabled, it will be published as part of the
2889 extra-info document. (Default: 0)
2890 DirReqStatistics 0|1
2892 Relays and bridges only. When this option is enabled, a Tor
2893 directory writes statistics on the number and response time of
2894 network status requests to disk every 24 hours. Enables relay and
2895 bridge operators to monitor how much their server is being used by
2896 clients to learn about Tor network. If ExtraInfoStatistics is
2897 enabled, it will published as part of the extra-info document.
2898 (Default: 1)
2899 EntryStatistics 0|1
2901 Relays only. When this option is enabled, Tor writes statistics on
2902 the number of directly connecting clients to disk every 24 hours.
2903 Enables relay operators to monitor how much inbound traffic that
2904 originates from Tor clients passes through their server to go
2905 further down the Tor network. If ExtraInfoStatistics is enabled, it
2906 will be published as part of the extra-info document. (Default: 0)
2907 ExitPortStatistics 0|1
2909 Exit relays only. When this option is enabled, Tor writes
2910 statistics on the number of relayed bytes and opened stream per
2911 exit port to disk every 24 hours. Enables exit relay operators to
2912 measure and monitor amounts of traffic that leaves Tor network
2913 through their exit node. If ExtraInfoStatistics is enabled, it will
2914 be published as part of the extra-info document. (Default: 0)
2915 ExtraInfoStatistics 0|1
2917 When this option is enabled, Tor includes previously gathered
2918 statistics in its extra-info documents that it uploads to the
2919 directory authorities. Disabling this option also removes bandwidth
2920 usage statistics, and GeoIPFile and GeoIPv6File hashes from the
2921 extra-info file. Bridge ServerTransportPlugin lines are always
2922 included in the extra-info file, because they are required by
2923 BridgeDB. (Default: 1)
2924 HiddenServiceStatistics 0|1
2926 Relays only. When this option is enabled, a Tor relay writes
2927 obfuscated statistics on its role as hidden-service directory,
2928 introduction point, or rendezvous point to disk every 24 hours. If
2929 ExtraInfoStatistics is enabled, it will be published as part of the
2930 extra-info document. (Default: 1)
2931 PaddingStatistics 0|1
2933 Relays and bridges only. When this option is enabled, Tor collects
2934 statistics for padding cells sent and received by this relay, in
2935 addition to total cell counts. These statistics are rounded, and
2936 omitted if traffic is low. This information is important for load
2937 balancing decisions related to padding. If ExtraInfoStatistics is
2938 enabled, it will be published as a part of the extra-info document.
2939 (Default: 1)
2940
2942 The following options are useful only for directory servers. (Relays
2943 with enough bandwidth automatically become directory servers; see
2944 DirCache for details.)
2945 DirCache 0|1
2947 When this option is set, Tor caches all current directory documents
2948 except extra info documents, and accepts client requests for them.
2949 If DownloadExtraInfo is set, cached extra info documents are also
2950 cached. Setting DirPort is not required for DirCache, because
2951 clients connect via the ORPort by default. Setting either DirPort
2952 or BridgeRelay and setting DirCache to 0 is not supported.
2953 (Default: 1)
2954 DirPolicy policy,policy,...
2956 Set an entrance policy for this server, to limit who can connect to
2957 the directory ports. The policies have the same form as exit
2958 policies above, except that port specifiers are ignored. Any
2959 address not matched by some entry in the policy is accepted.
2960 DirPort [address:]PORT|auto [flags]
2962 If this option is nonzero, advertise the directory service on this
2963 port. Set it to "auto" to have Tor pick a port for you. This option
2964 can occur more than once, but only one advertised DirPort is
2965 supported: all but one DirPort must have the NoAdvertise flag set.
2966 (Default: 0)
2967 The same flags are supported here as are supported by ORPort.
2970 DirPortFrontPage FILENAME
2972 When this option is set, it takes an HTML file and publishes it as
2973 "/" on the DirPort. Now relay operators can provide a disclaimer
2974 without needing to set up a separate webserver. There’s a sample
2975 disclaimer in contrib/operator-tools/tor-exit-notice.html.
2976 MaxConsensusAgeForDiffs N minutes|hours|days|weeks
2978 When this option is nonzero, Tor caches will not try to generate
2979 consensus diffs for any consensus older than this amount of time.
2980 If this option is set to zero, Tor will pick a reasonable default
2981 from the current networkstatus document. You should not set this
2982 option unless your cache is severely low on disk space or CPU. If
2983 you need to set it, keeping it above 3 or 4 hours will help clients
2984 much more than setting it to zero. (Default: 0)
2985
2987 Tor has three built-in mitigation options that can be individually
2988 enabled/disabled and fine-tuned, but by default Tor directory
2989 authorities will define reasonable values for relays and no explicit
2990 configuration is required to make use of these protections. The
2991 mitigations take place at relays, and are as follows:
2992 1. If a single client address makes too many concurrent connections
2994 (this is configurable via DoSConnectionMaxConcurrentCount), hang up
2995 on further connections.
2996 2. If a single client IP address (v4 or v6) makes circuits too quickly
2998 (default values are more than 3 per second, with an allowed burst
2999 of 90, see DoSCircuitCreationRate and DoSCircuitCreationBurst)
3000 while also having too many connections open (default is 3, see
3001 DoSCircuitCreationMinConnections), tor will refuse any new circuit
3002 (CREATE cells) for the next while (random value between 1 and 2
3003 hours).
3004 3. If a client asks to establish a rendezvous point to you directly
3006 (ex: Tor2Web client), ignore the request.
3007 These defenses can be manually controlled by torrc options, but relays
3009 will also take guidance from consensus parameters using these same
3010 names, so there’s no need to configure anything manually. In doubt, do
3011 not change those values.
3012 The values set by the consensus, if any, can be found here:
3014 https://consensus-health.torproject.org/#consensusparams
3015 If any of the DoS mitigations are enabled, a heartbeat message will
3017 appear in your log at NOTICE level which looks like:
3018 DoS mitigation since startup: 429042 circuits rejected, 17 marked addresses.
3020 2238 connections closed. 8052 single hop clients refused.
3021 The following options are useful only for a public relay. They control
3023 the Denial of Service mitigation subsystem described above.
3024 DoSCircuitCreationEnabled 0|1|auto
3026 Enable circuit creation DoS mitigation. If set to 1 (enabled), tor
3027 will cache client IPs along with statistics in order to detect
3028 circuit DoS attacks. If an address is positively identified, tor
3029 will activate defenses against the address. See
3030 DoSCircuitCreationDefenseType option for more details. This is a
3031 client to relay detection only. "auto" means use the consensus
3032 parameter. If not defined in the consensus, the value is 0.
3033 (Default: auto)
3034 DoSCircuitCreationBurst NUM
3036 The allowed circuit creation burst per client IP address. If the
3037 circuit rate and the burst are reached, a client is marked as
3038 executing a circuit creation DoS. "0" means use the consensus
3039 parameter. If not defined in the consensus, the value is 90.
3040 (Default: 0)
3041 DoSCircuitCreationDefenseTimePeriod N seconds|minutes|hours
3043 The base time period in seconds that the DoS defense is activated
3044 for. The actual value is selected randomly for each activation from
3045 N+1 to 3/2 * N. "0" means use the consensus parameter. If not
3046 defined in the consensus, the value is 3600 seconds (1 hour).
3047 (Default: 0)
3048 DoSCircuitCreationDefenseType NUM
3050 This is the type of defense applied to a detected client address.
3051 The possible values are:
3052 1: No defense.
3054 2: Refuse circuit creation for the
3056 DoSCircuitCreationDefenseTimePeriod period of time.
3057 "0" means use the consensus parameter. If not defined in the
3059 consensus, the value is 2. (Default: 0)
3060 DoSCircuitCreationMinConnections NUM
3062 Minimum threshold of concurrent connections before a client address
3063 can be flagged as executing a circuit creation DoS. In other words,
3064 once a client address reaches the circuit rate and has a minimum of
3065 NUM concurrent connections, a detection is positive. "0" means use
3066 the consensus parameter. If not defined in the consensus, the value
3067 is 3. (Default: 0)
3068 DoSCircuitCreationRate NUM
3070 The allowed circuit creation rate per second applied per client IP
3071 address. If this option is 0, it obeys a consensus parameter. If
3072 not defined in the consensus, the value is 3. (Default: 0)
3073 DoSConnectionEnabled 0|1|auto
3075 Enable the connection DoS mitigation. If set to 1 (enabled), for
3076 client address only, this allows tor to mitigate against large
3077 number of concurrent connections made by a single IP address.
3078 "auto" means use the consensus parameter. If not defined in the
3079 consensus, the value is 0. (Default: auto)
3080 DoSConnectionDefenseType NUM
3082 This is the type of defense applied to a detected client address
3083 for the connection mitigation. The possible values are:
3084 1: No defense.
3086 2: Immediately close new connections.
3088 "0" means use the consensus parameter. If not defined in the
3090 consensus, the value is 2. (Default: 0)
3091 DoSConnectionMaxConcurrentCount NUM
3093 The maximum threshold of concurrent connection from a client IP
3094 address. Above this limit, a defense selected by
3095 DoSConnectionDefenseType is applied. "0" means use the consensus
3096 parameter. If not defined in the consensus, the value is 100.
3097 (Default: 0)
3098 DoSRefuseSingleHopClientRendezvous 0|1|auto
3100 Refuse establishment of rendezvous points for single hop clients.
3101 In other words, if a client directly connects to the relay and
3102 sends an ESTABLISH_RENDEZVOUS cell, it is silently dropped. "auto"
3103 means use the consensus parameter. If not defined in the consensus,
3104 the value is 0. (Default: auto)
3105
3107 The following options enable operation as a directory authority, and
3108 control how Tor behaves as a directory authority. You should not need
3109 to adjust any of them if you’re running a regular relay or exit server
3110 on the public Tor network.
3111 AuthoritativeDirectory 0|1
3113 When this option is set to 1, Tor operates as an authoritative
3114 directory server. Instead of caching the directory, it generates
3115 its own list of good servers, signs it, and sends that to the
3116 clients. Unless the clients already have you listed as a trusted
3117 directory, you probably do not want to set this option.
3118 BridgeAuthoritativeDir 0|1
3120 When this option is set in addition to AuthoritativeDirectory, Tor
3121 accepts and serves server descriptors, but it caches and serves the
3122 main networkstatus documents rather than generating its own.
3123 (Default: 0)
3124 V3AuthoritativeDirectory 0|1
3126 When this option is set in addition to AuthoritativeDirectory, Tor
3127 generates version 3 network statuses and serves descriptors, etc as
3128 described in dir-spec.txt file of torspec (for Tor clients and
3129 servers running at least 0.2.0.x).
3130 AuthDirBadExit AddressPattern...
3132 Authoritative directories only. A set of address patterns for
3133 servers that will be listed as bad exits in any network status
3134 document this authority publishes, if AuthDirListBadExits is set.
3135 (The address pattern syntax here and in the options below is the
3138 same as for exit policies, except that you don’t need to say
3139 "accept" or "reject", and ports are not needed.)
3140 AuthDirFastGuarantee N
3142 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3143 Authoritative directories only. If non-zero, always vote the Fast
3144 flag for any relay advertising this amount of capacity or more.
3145 (Default: 100 KBytes)
3146 AuthDirGuardBWGuarantee N
3148 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3149 Authoritative directories only. If non-zero, this advertised
3150 capacity or more is always sufficient to satisfy the bandwidth
3151 requirement for the Guard flag. (Default: 2 MBytes)
3152 AuthDirHasIPv6Connectivity 0|1
3154 Authoritative directories only. When set to 0, OR ports with an
3155 IPv6 address are not included in the authority’s votes. When set to
3156 1, IPv6 OR ports are tested for reachability like IPv4 OR ports. If
3157 the reachability test succeeds, the authority votes for the IPv6
3158 ORPort, and votes Running for the relay. If the reachability test
3159 fails, the authority does not vote for the IPv6 ORPort, and does
3160 not vote Running (Default: 0)
3161 The content of the consensus depends on the number of voting authorities
3164 that set AuthDirHasIPv6Connectivity:
3165 If no authorities set AuthDirHasIPv6Connectivity 1, there will be no
3167 IPv6 ORPorts in the consensus.
3168 If a minority of authorities set AuthDirHasIPv6Connectivity 1,
3170 unreachable IPv6 ORPorts will be removed from the consensus. But the
3171 majority of IPv4-only authorities will still vote the relay as Running.
3172 Reachable IPv6 ORPort lines will be included in the consensus
3173 If a majority of voting authorities set AuthDirHasIPv6Connectivity 1,
3175 relays with unreachable IPv6 ORPorts will not be listed as Running.
3176 Reachable IPv6 ORPort lines will be included in the consensus
3177 (To ensure that any valid majority will vote relays with unreachable
3178 IPv6 ORPorts not Running, 75% of authorities must set
3179 AuthDirHasIPv6Connectivity 1.)
3180 AuthDirInvalid AddressPattern...
3182 Authoritative directories only. A set of address patterns for
3183 servers that will never be listed as "valid" in any network status
3184 document that this authority publishes.
3185 AuthDirListBadExits 0|1
3187 Authoritative directories only. If set to 1, this directory has
3188 some opinion about which nodes are unsuitable as exit nodes. (Do
3189 not set this to 1 unless you plan to list non-functioning exits as
3190 bad; otherwise, you are effectively voting in favor of every
3191 declared exit as an exit.)
3192 AuthDirMaxServersPerAddr NUM
3194 Authoritative directories only. The maximum number of servers that
3195 we will list as acceptable on a single IP address. Set this to "0"
3196 for "no limit". (Default: 2)
3197 AuthDirPinKeys 0|1
3199 Authoritative directories only. If non-zero, do not allow any relay
3200 to publish a descriptor if any other relay has reserved its
3201 <Ed25519,RSA> identity keypair. In all cases, Tor records every
3202 keypair it accepts in a journal if it is new, or if it differs from
3203 the most recently accepted pinning for one of the keys it contains.
3204 (Default: 1)
3205 AuthDirReject AddressPattern...
3207 Authoritative directories only. A set of address patterns for
3208 servers that will never be listed at all in any network status
3209 document that this authority publishes, or accepted as an OR
3210 address in any descriptor submitted for publication by this
3211 authority.
3212 AuthDirBadExitCCs CC,...
3214 AuthDirInvalidCCs CC,...
3216 AuthDirRejectRequestsUnderLoad 0|1
3218 If set, the directory authority will start rejecting directory
3219 requests from non relay connections by sending a 503 error code if
3220 it is under bandwidth pressure (reaching the configured limit if
3221 any). Relays will always tried to be answered even if this is on.
3222 (Default: 1)
3223 AuthDirRejectCCs CC,...
3225 Authoritative directories only. These options contain a
3226 comma-separated list of country codes such that any server in one
3227 of those country codes will be marked as a bad exit/invalid for
3228 use, or rejected entirely.
3229 AuthDirSharedRandomness 0|1
3231 Authoritative directories only. Switch for the shared random
3232 protocol. If zero, the authority won’t participate in the protocol.
3233 If non-zero (default), the flag "shared-rand-participate" is added
3234 to the authority vote indicating participation in the protocol.
3235 (Default: 1)
3236 AuthDirTestEd25519LinkKeys 0|1
3238 Authoritative directories only. If this option is set to 0, then we
3239 treat relays as "Running" if their RSA key is correct when we probe
3240 them, regardless of their Ed25519 key. We should only ever set this
3241 option to 0 if there is some major bug in Ed25519 link
3242 authentication that causes us to label all the relays as not
3243 Running. (Default: 1)
3244 AuthDirTestReachability 0|1
3246 Authoritative directories only. If set to 1, then we periodically
3247 check every relay we know about to see whether it is running. If
3248 set to 0, we vote Running for every relay, and don’t perform these
3249 tests. (Default: 1)
3250 BridgePassword Password
3252 If set, contains an HTTP authenticator that tells a bridge
3253 authority to serve all requested bridge information. Used by the
3254 (only partially implemented) "bridge community" design, where a
3255 community of bridge relay operators all use an alternate bridge
3256 directory authority, and their target user audience can
3257 periodically fetch the list of available community bridges to stay
3258 up-to-date. (Default: not set)
3259 ConsensusParams STRING
3261 STRING is a space-separated list of key=value pairs that Tor will
3262 include in the "params" line of its networkstatus vote. This
3263 directive can be specified multiple times so you don’t have to put
3264 it all on one line.
3265 DirAllowPrivateAddresses 0|1
3267 If set to 1, Tor will accept server descriptors with arbitrary
3268 "Address" elements. Otherwise, if the address is not an IP address
3269 or is a private IP address, it will reject the server descriptor.
3270 Additionally, Tor will allow exit policies for private networks to
3271 fulfill Exit flag requirements. (Default: 0)
3272 GuardfractionFile FILENAME
3274 V3 authoritative directories only. Configures the location of the
3275 guardfraction file which contains information about how long relays
3276 have been guards. (Default: unset)
3277 MinMeasuredBWsForAuthToIgnoreAdvertised N
3279 A total value, in abstract bandwidth units, describing how much
3280 measured total bandwidth an authority should have observed on the
3281 network before it will treat advertised bandwidths as wholly
3282 unreliable. (Default: 500)
3283 MinUptimeHidServDirectoryV2 N seconds|minutes|hours|days|weeks
3285 Minimum uptime of a relay to be accepted as a hidden service
3286 directory by directory authorities. (Default: 96 hours)
3287 RecommendedClientVersions STRING
3289 STRING is a comma-separated list of Tor versions currently believed
3290 to be safe for clients to use. This information is included in
3291 version 2 directories. If this is not set then the value of
3292 RecommendedVersions is used. When this is set then
3293 VersioningAuthoritativeDirectory should be set too.
3294 RecommendedServerVersions STRING
3296 STRING is a comma-separated list of Tor versions currently believed
3297 to be safe for servers to use. This information is included in
3298 version 2 directories. If this is not set then the value of
3299 RecommendedVersions is used. When this is set then
3300 VersioningAuthoritativeDirectory should be set too.
3301 RecommendedVersions STRING
3303 STRING is a comma-separated list of Tor versions currently believed
3304 to be safe. The list is included in each directory, and nodes which
3305 pull down the directory learn whether they need to upgrade. This
3306 option can appear multiple times: the values from multiple lines
3307 are spliced together. When this is set then
3308 VersioningAuthoritativeDirectory should be set too.
3309 V3AuthDistDelay N seconds|minutes|hours
3311 V3 authoritative directories only. Configures the server’s
3312 preferred delay between publishing its consensus and signature and
3313 assuming it has all the signatures from all the other authorities.
3314 Note that the actual time used is not the server’s preferred time,
3315 but the consensus of all preferences. (Default: 5 minutes)
3316 V3AuthNIntervalsValid NUM
3318 V3 authoritative directories only. Configures the number of
3319 VotingIntervals for which each consensus should be valid for.
3320 Choosing high numbers increases network partitioning risks;
3321 choosing low numbers increases directory traffic. Note that the
3322 actual number of intervals used is not the server’s preferred
3323 number, but the consensus of all preferences. Must be at least 2.
3324 (Default: 3)
3325 V3AuthUseLegacyKey 0|1
3327 If set, the directory authority will sign consensuses not only with
3328 its own signing key, but also with a "legacy" key and certificate
3329 with a different identity. This feature is used to migrate
3330 directory authority keys in the event of a compromise. (Default: 0)
3331 V3AuthVoteDelay N seconds|minutes|hours
3333 V3 authoritative directories only. Configures the server’s
3334 preferred delay between publishing its vote and assuming it has all
3335 the votes from all the other authorities. Note that the actual time
3336 used is not the server’s preferred time, but the consensus of all
3337 preferences. (Default: 5 minutes)
3338 V3AuthVotingInterval N minutes|hours
3340 V3 authoritative directories only. Configures the server’s
3341 preferred voting interval. Note that voting will actually happen at
3342 an interval chosen by consensus from all the authorities' preferred
3343 intervals. This time SHOULD divide evenly into a day. (Default: 1
3344 hour)
3345 V3BandwidthsFile FILENAME
3347 V3 authoritative directories only. Configures the location of the
3348 bandwidth-authority generated file storing information on relays'
3349 measured bandwidth capacities. To avoid inconsistent reads,
3350 bandwidth data should be written to temporary file, then renamed to
3351 the configured filename. (Default: unset)
3352 VersioningAuthoritativeDirectory 0|1
3354 When this option is set to 1, Tor adds information on which
3355 versions of Tor are still believed safe for use to the published
3356 directory. Each version 1 authority is automatically a versioning
3357 authority; version 2 authorities provide this service optionally.
3358 See RecommendedVersions, RecommendedClientVersions, and
3359 RecommendedServerVersions.
3360
3362 The following options are used to configure a hidden service. Some
3363 options apply per service and some apply for the whole tor instance.
3364 The next section describes the per service options that can only be set
3366 after the HiddenServiceDir directive
3367 PER SERVICE OPTIONS:
3369 HiddenServiceAllowUnknownPorts 0|1
3371 If set to 1, then connections to unrecognized ports do not cause
3372 the current hidden service to close rendezvous circuits. (Setting
3373 this to 0 is not an authorization mechanism; it is instead meant to
3374 be a mild inconvenience to port-scanners.) (Default: 0)
3375 HiddenServiceAuthorizeClient auth-type client-name,client-name,...
3377 If configured, the v2 hidden service is accessible for authorized
3378 clients only. The auth-type can either be 'basic' for a
3379 general-purpose authorization protocol or 'stealth' for a less
3380 scalable protocol that also hides service activity from
3381 unauthorized clients. Only clients that are listed here are
3382 authorized to access the hidden service. Valid client names are 1
3383 to 16 characters long and only use characters in A-Za-z0-9+-_ (no
3384 spaces). If this option is set, the hidden service is not
3385 accessible for clients without authorization any more. Generated
3386 authorization data can be found in the hostname file. Clients need
3387 to put this authorization data in their configuration file using
3388 HidServAuth. This option is only for v2 services; v3 services
3389 configure client authentication in a subdirectory of
3390 HiddenServiceDir instead (see CLIENT AUTHORIZATION).
3391 HiddenServiceDir DIRECTORY
3393 Store data files for a hidden service in DIRECTORY. Every hidden
3394 service must have a separate directory. You may use this option
3395 multiple times to specify multiple services. If DIRECTORY does not
3396 exist, Tor will create it. Please note that you cannot add new
3397 Onion Service to already running Tor instance if Sandbox is
3398 enabled. (Note: in current versions of Tor, if DIRECTORY is a
3399 relative path, it will be relative to the current working directory
3400 of Tor instance, not to its DataDirectory. Do not rely on this
3401 behavior; it is not guaranteed to remain the same in future
3402 versions.)
3403 HiddenServiceDirGroupReadable 0|1
3405 If this option is set to 1, allow the filesystem group to read the
3406 hidden service directory and hostname file. If the option is set to
3407 0, only owner is able to read the hidden service directory.
3408 (Default: 0) Has no effect on Windows.
3409 HiddenServiceEnableIntroDoSDefense 0|1
3411 Enable DoS defense at the intropoint level. When this is enabled,
3412 the rate and burst parameter (see below) will be sent to the intro
3413 point which will then use them to apply rate limiting for
3414 introduction request to this service.
3415 The introduction point honors the consensus parameters except if
3417 this is specifically set by the service operator using this option.
3418 The service never looks at the consensus parameters in order to
3419 enable or disable this defense. (Default: 0)
3420 HiddenServiceEnableIntroDoSBurstPerSec NUM
3422 The allowed client introduction burst per second at the
3423 introduction point. If this option is 0, it is considered infinite
3424 and thus if HiddenServiceEnableIntroDoSDefense is set, it then
3425 effectively disables the defenses. (Default: 200)
3426 HiddenServiceEnableIntroDoSRatePerSec NUM
3428 The allowed client introduction rate per second at the introduction
3429 point. If this option is 0, it is considered infinite and thus if
3430 HiddenServiceEnableIntroDoSDefense is set, it then effectively
3431 disables the defenses. (Default: 25)
3432 HiddenServiceExportCircuitID protocol
3434 The onion service will use the given protocol to expose the global
3435 circuit identifier of each inbound client circuit. The only
3436 protocol supported right now 'haproxy'. This option is only for v3
3437 services. (Default: none)
3438 The haproxy option works in the following way: when the feature is
3441 enabled, the Tor process will write a header line when a client is
3442 connecting to the onion service. The header will look like this:
3443 "PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\n"
3446 We encode the "global circuit identifier" as the last 32-bits of
3449 the first IPv6 address. All other values in the header can safely
3450 be ignored. You can compute the global circuit identifier using the
3451 following formula given the IPv6 address
3452 "fc00:dead:beef:4dad::AABB:CCDD":
3453 global_circuit_id = (0xAA << 24) + (0xBB << 16) + (0xCC << 8) +
3456 0xDD;
3457 In the case above, where the last 32-bits are 0xffffffff, the
3460 global circuit identifier would be 4294967295. You can use this
3461 value together with Tor’s control port to terminate particular
3462 circuits using their global circuit identifiers. For more
3463 information about this see control-spec.txt.
3464 The HAProxy version 1 protocol is described in detail at
3467 https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
3468 HiddenServiceOnionBalanceInstance 0|1
3470 If set to 1, this onion service becomes an OnionBalance instance
3471 and will accept client connections destined to an OnionBalance
3472 frontend. In this case, Tor expects to find a file named
3473 "ob_config" inside the HiddenServiceDir directory with content:
3474 MasterOnionAddress <frontend_onion_address>
3476 where <frontend_onion_address> is the onion address of the
3478 OnionBalance frontend (e.g.
3479 wrxdvcaqpuzakbfww5sxs6r2uybczwijzfn2ezy2osaj7iox7kl7nhad.onion).
3480 HiddenServiceMaxStreams N
3482 The maximum number of simultaneous streams (connections) per
3483 rendezvous circuit. The maximum value allowed is 65535. (Setting
3484 this to 0 will allow an unlimited number of simultaneous streams.)
3485 (Default: 0)
3486 HiddenServiceMaxStreamsCloseCircuit 0|1
3488 If set to 1, then exceeding HiddenServiceMaxStreams will cause the
3489 offending rendezvous circuit to be torn down, as opposed to stream
3490 creation requests that exceed the limit being silently ignored.
3491 (Default: 0)
3492 HiddenServiceNumIntroductionPoints NUM
3494 Number of introduction points the hidden service will have. You
3495 can’t have more than 10 for v2 service and 20 for v3. (Default: 3)
3496 HiddenServicePort VIRTPORT [TARGET]
3498 Configure a virtual port VIRTPORT for a hidden service. You may use
3499 this option multiple times; each time applies to the service using
3500 the most recent HiddenServiceDir. By default, this option maps the
3501 virtual port to the same port on 127.0.0.1 over TCP. You may
3502 override the target port, address, or both by specifying a target
3503 of addr, port, addr:port, or unix:path. (You can specify an IPv6
3504 target as [addr]:port. Unix paths may be quoted, and may use
3505 standard C escapes.) You may also have multiple lines with the same
3506 VIRTPORT: when a user connects to that VIRTPORT, one of the TARGETs
3507 from those lines will be chosen at random. Note that address-port
3508 pairs have to be comma-separated.
3509 HiddenServiceVersion 2|3
3511 A list of rendezvous service descriptor versions to publish for the
3512 hidden service. Currently, versions 2 and 3 are supported.
3513 (Default: 3)
3514 RendPostPeriod N seconds|minutes|hours|days|weeks
3516 Every time the specified period elapses, Tor uploads any rendezvous
3517 service descriptors to the directory servers. This information is
3518 also uploaded whenever it changes. Minimum value allowed is 10
3519 minutes and maximum is 3.5 days. This option is only for v2
3520 services. (Default: 1 hour)
3521 PER INSTANCE OPTIONS:
3523 HiddenServiceSingleHopMode 0|1
3525 Experimental - Non Anonymous Hidden Services on a tor instance in
3526 HiddenServiceSingleHopMode make one-hop (direct) circuits between
3527 the onion service server, and the introduction and rendezvous
3528 points. (Onion service descriptors are still posted using 3-hop
3529 paths, to avoid onion service directories blocking the service.)
3530 This option makes every hidden service instance hosted by a tor
3531 instance a Single Onion Service. One-hop circuits make Single Onion
3532 servers easily locatable, but clients remain location-anonymous.
3533 However, the fact that a client is accessing a Single Onion rather
3534 than a Hidden Service may be statistically distinguishable.
3535 WARNING: Once a hidden service directory has been used by a tor
3538 instance in HiddenServiceSingleHopMode, it can NEVER be used again
3539 for a hidden service. It is best practice to create a new hidden
3540 service directory, key, and address for each new Single Onion
3541 Service and Hidden Service. It is not possible to run Single Onion
3542 Services and Hidden Services from the same tor instance: they
3543 should be run on different servers with different IP addresses.
3544 HiddenServiceSingleHopMode requires HiddenServiceNonAnonymousMode
3547 to be set to 1. Since a Single Onion service is non-anonymous, you
3548 can not configure a SOCKSPort on a tor instance that is running in
3549 HiddenServiceSingleHopMode. Can not be changed while tor is
3550 running. (Default: 0)
3551 HiddenServiceNonAnonymousMode 0|1
3553 Makes hidden services non-anonymous on this tor instance. Allows
3554 the non-anonymous HiddenServiceSingleHopMode. Enables direct
3555 connections in the server-side hidden service protocol. If you are
3556 using this option, you need to disable all client-side services on
3557 your Tor instance, including setting SOCKSPort to "0". Can not be
3558 changed while tor is running. (Default: 0)
3559 PublishHidServDescriptors 0|1
3561 If set to 0, Tor will run any hidden services you configure, but it
3562 won’t advertise them to the rendezvous directory. This option is
3563 only useful if you’re using a Tor controller that handles hidserv
3564 publishing for you. (Default: 1)
3565
3567 (Version 3 only)
3568 Service side:
3570 To configure client authorization on the service side, the
3572 "<HiddenServiceDir>/authorized_clients/" directory needs to exist. Each file
3573 in that directory should be suffixed with ".auth" (i.e. "alice.auth"; the
3574 file name is irrelevant) and its content format MUST be:
3575 <auth-type>:<key-type>:<base32-encoded-public-key>
3577 The supported <auth-type> are: "descriptor". The supported <key-type> are:
3579 "x25519". The <base32-encoded-public-key> is the base32 representation of
3580 the raw key bytes only (32 bytes for x25519).
3581 Each file MUST contain one line only. Any malformed file will be
3583 ignored. Client authorization will only be enabled for the service if tor
3584 successfully loads at least one authorization file.
3585 Note that once you've configured client authorization, anyone else with the
3587 address won't be able to access it from this point on. If no authorization is
3588 configured, the service will be accessible to anyone with the onion address.
3589 Revoking a client can be done by removing their ".auth" file, however the
3591 revocation will be in effect only after the tor process gets restarted even if
3592 a SIGHUP takes place.
3593 Client side:
3595 To access a v3 onion service with client authorization as a client, make sure
3597 you have ClientOnionAuthDir set in your torrc. Then, in the
3598 <ClientOnionAuthDir> directory, create an .auth_private file for the onion
3599 service corresponding to this key (i.e. 'bob_onion.auth_private'). The
3600 contents of the <ClientOnionAuthDir>/<user>.auth_private file should look like:
3601 <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>
3603 For more information, please see
3605 https://2019.www.torproject.org/docs/tor-onion-service.html.en#ClientAuthorization
3606 .
3607
3609 The following options are used for running a testing Tor network.
3610 TestingTorNetwork 0|1
3612 If set to 1, Tor adjusts default values of the configuration
3613 options below, so that it is easier to set up a testing Tor
3614 network. May only be set if non-default set of DirAuthorities is
3615 set. Cannot be unset while Tor is running. (Default: 0)
3616 DirAllowPrivateAddresses 1
3619 EnforceDistinctSubnets 0
3620 AuthDirMaxServersPerAddr 0
3621 ClientBootstrapConsensusAuthorityDownloadInitialDelay 0
3622 ClientBootstrapConsensusFallbackDownloadInitialDelay 0
3623 ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay 0
3624 ClientDNSRejectInternalAddresses 0
3625 ClientRejectInternalAddresses 0
3626 CountPrivateBandwidth 1
3627 ExitPolicyRejectPrivate 0
3628 ExtendAllowPrivateAddresses 1
3629 V3AuthVotingInterval 5 minutes
3630 V3AuthVoteDelay 20 seconds
3631 V3AuthDistDelay 20 seconds
3632 TestingV3AuthInitialVotingInterval 150 seconds
3633 TestingV3AuthInitialVoteDelay 20 seconds
3634 TestingV3AuthInitialDistDelay 20 seconds
3635 TestingAuthDirTimeToLearnReachability 0 minutes
3636 MinUptimeHidServDirectoryV2 0 minutes
3637 TestingServerDownloadInitialDelay 0
3638 TestingClientDownloadInitialDelay 0
3639 TestingServerConsensusDownloadInitialDelay 0
3640 TestingClientConsensusDownloadInitialDelay 0
3641 TestingBridgeDownloadInitialDelay 10
3642 TestingBridgeBootstrapDownloadInitialDelay 0
3643 TestingClientMaxIntervalWithoutRequest 5 seconds
3644 TestingDirConnectionMaxStall 30 seconds
3645 TestingEnableConnBwEvent 1
3646 TestingEnableCellStatsEvent 1
3647 RendPostPeriod 2 minutes
3648 TestingAuthDirTimeToLearnReachability N seconds|minutes|hours
3650 After starting as an authority, do not make claims about whether
3651 routers are Running until this much time has passed. Changing this
3652 requires that TestingTorNetwork is set. (Default: 30 minutes)
3653 TestingAuthKeyLifetime N seconds|minutes|hours|days|weeks|months
3655 Overrides the default lifetime for a signing Ed25519 TLS Link
3656 authentication key. (Default: 2 days)
3657 TestingAuthKeySlop N seconds|minutes|hours
3659 TestingBridgeBootstrapDownloadInitialDelay N
3661 Initial delay in seconds for when clients should download each
3662 bridge descriptor when they have just started, or when they can not
3663 contact any of their bridges. Changing this requires that
3664 TestingTorNetwork is set. (Default: 0)
3665 TestingBridgeDownloadInitialDelay N
3667 Initial delay in seconds for when clients should download each
3668 bridge descriptor when they know that one or more of their
3669 configured bridges are running. Changing this requires that
3670 TestingTorNetwork is set. (Default: 10800)
3671 TestingClientConsensusDownloadInitialDelay N
3673 Initial delay in seconds for when clients should download
3674 consensuses. Changing this requires that TestingTorNetwork is set.
3675 (Default: 0)
3676 TestingClientDownloadInitialDelay N
3678 Initial delay in seconds for when clients should download things in
3679 general. Changing this requires that TestingTorNetwork is set.
3680 (Default: 0)
3681 TestingClientMaxIntervalWithoutRequest N seconds|minutes
3683 When directory clients have only a few descriptors to request, they
3684 batch them until they have more, or until this amount of time has
3685 passed. Changing this requires that TestingTorNetwork is set.
3686 (Default: 10 minutes)
3687 TestingDirAuthVoteExit node,node,...
3689 A list of identity fingerprints, country codes, and address
3690 patterns of nodes to vote Exit for regardless of their uptime,
3691 bandwidth, or exit policy. See ExcludeNodes for more information on
3692 how to specify nodes.
3693 In order for this option to have any effect, TestingTorNetwork has
3696 to be set. See ExcludeNodes for more information on how to specify
3697 nodes.
3698 TestingDirAuthVoteExitIsStrict 0|1
3700 If True (1), a node will never receive the Exit flag unless it is
3701 specified in the TestingDirAuthVoteExit list, regardless of its
3702 uptime, bandwidth, or exit policy.
3703 In order for this option to have any effect, TestingTorNetwork has
3706 to be set.
3707 TestingDirAuthVoteGuard node,node,...
3709 A list of identity fingerprints and country codes and address
3710 patterns of nodes to vote Guard for regardless of their uptime and
3711 bandwidth. See ExcludeNodes for more information on how to specify
3712 nodes.
3713 In order for this option to have any effect, TestingTorNetwork has
3716 to be set.
3717 TestingDirAuthVoteGuardIsStrict 0|1
3719 If True (1), a node will never receive the Guard flag unless it is
3720 specified in the TestingDirAuthVoteGuard list, regardless of its
3721 uptime and bandwidth.
3722 In order for this option to have any effect, TestingTorNetwork has
3725 to be set.
3726 TestingDirAuthVoteHSDir node,node,...
3728 A list of identity fingerprints and country codes and address
3729 patterns of nodes to vote HSDir for regardless of their uptime and
3730 DirPort. See ExcludeNodes for more information on how to specify
3731 nodes.
3732 In order for this option to have any effect, TestingTorNetwork must
3735 be set.
3736 TestingDirAuthVoteHSDirIsStrict 0|1
3738 If True (1), a node will never receive the HSDir flag unless it is
3739 specified in the TestingDirAuthVoteHSDir list, regardless of its
3740 uptime and DirPort.
3741 In order for this option to have any effect, TestingTorNetwork has
3744 to be set.
3745 TestingDirConnectionMaxStall N seconds|minutes
3747 Let a directory connection stall this long before expiring it.
3748 Changing this requires that TestingTorNetwork is set. (Default: 5
3749 minutes)
3750 TestingEnableCellStatsEvent 0|1
3752 If this option is set, then Tor controllers may register for
3753 CELL_STATS events. Changing this requires that TestingTorNetwork is
3754 set. (Default: 0)
3755 TestingEnableConnBwEvent 0|1
3757 If this option is set, then Tor controllers may register for
3758 CONN_BW events. Changing this requires that TestingTorNetwork is
3759 set. (Default: 0)
3760 TestingLinkCertLifetime N seconds|minutes|hours|days|weeks|months
3762 Overrides the default lifetime for the certificates used to
3763 authenticate our X509 link cert with our ed25519 signing key.
3764 (Default: 2 days)
3765 TestingLinkKeySlop N seconds|minutes|hours
3767 TestingMinExitFlagThreshold N
3769 KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3770 Sets a lower-bound for assigning an exit flag when running as an
3771 authority on a testing network. Overrides the usual default lower
3772 bound of 4 KBytes. (Default: 0)
3773 TestingMinFastFlagThreshold N
3775 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3776 Minimum value for the Fast flag. Overrides the ordinary minimum
3777 taken from the consensus when TestingTorNetwork is set. (Default:
3778 0.)
3779 TestingServerConsensusDownloadInitialDelay N
3781 Initial delay in seconds for when servers should download
3782 consensuses. Changing this requires that TestingTorNetwork is set.
3783 (Default: 0)
3784 TestingServerDownloadInitialDelay N
3786 Initial delay in seconds for when servers should download things in
3787 general. Changing this requires that TestingTorNetwork is set.
3788 (Default: 0)
3789 TestingSigningKeySlop N seconds|minutes|hours
3791 How early before the official expiration of a an Ed25519 signing
3792 key do we replace it and issue a new key? (Default: 3 hours for
3793 link and auth; 1 day for signing.)
3794 TestingV3AuthInitialDistDelay N seconds|minutes|hours
3796 Like V3AuthDistDelay, but for initial voting interval before the
3797 first consensus has been created. Changing this requires that
3798 TestingTorNetwork is set. (Default: 5 minutes)
3799 TestingV3AuthInitialVoteDelay N seconds|minutes|hours
3801 Like V3AuthVoteDelay, but for initial voting interval before the
3802 first consensus has been created. Changing this requires that
3803 TestingTorNetwork is set. (Default: 5 minutes)
3804 TestingV3AuthInitialVotingInterval N seconds|minutes|hours
3806 Like V3AuthVotingInterval, but for initial voting interval before
3807 the first consensus has been created. Changing this requires that
3808 TestingTorNetwork is set. (Default: 30 minutes)
3809 TestingV3AuthVotingStartOffset N seconds|minutes|hours
3811 Directory authorities offset voting start time by this much.
3812 Changing this requires that TestingTorNetwork is set. (Default: 0)
3813
3815 These options are not saved to the torrc file by the "SAVECONF"
3816 controller command. Other options of this type are documented in
3817 control-spec.txt, section 5.4. End-users should mostly ignore them.
3818 __ControlPort, __DirPort, __DNSPort, __ExtORPort, __NATDPort, __ORPort,
3820 __SocksPort, __TransPort
3821 These underscore-prefixed options are variants of the regular Port
3822 options. They behave the same, except they are not saved to the
3823 torrc file by the controller’s SAVECONF command.
3824
3826 Tor catches the following signals:
3827 SIGTERM
3829 Tor will catch this, clean up and sync to disk if necessary, and
3830 exit.
3831 SIGINT
3833 Tor clients behave as with SIGTERM; but Tor servers will do a
3834 controlled slow shutdown, closing listeners and waiting 30 seconds
3835 before exiting. (The delay can be configured with the
3836 ShutdownWaitLength config option.)
3837 SIGHUP
3839 The signal instructs Tor to reload its configuration (including
3840 closing and reopening logs), and kill and restart its helper
3841 processes if applicable.
3842 SIGUSR1
3844 Log statistics about current connections, past connections, and
3845 throughput.
3846 SIGUSR2
3848 Switch all logs to loglevel debug. You can go back to the old
3849 loglevels by sending a SIGHUP.
3850 SIGCHLD
3852 Tor receives this signal when one of its helper processes has
3853 exited, so it can clean up.
3854 SIGPIPE
3856 Tor catches this signal and ignores it.
3857 SIGXFSZ
3859 If this signal exists on your platform, Tor catches and ignores it.
3860
3862 /etc/tor/torrc
3863 Default location of the configuration file.
3864 $HOME/.torrc
3866 Fallback location for torrc, if /etc/tor/torrc is not found.
3867 /var/lib/tor/
3869 The tor process stores keys and other data here.
3870 CacheDirectory/cached-certs
3872 Contains downloaded directory key certificates that are used to
3873 verify authenticity of documents generated by the Tor directory
3874 authorities.
3875 CacheDirectory/cached-consensus and/or cached-microdesc-consensus
3877 The most recent consensus network status document we’ve downloaded.
3878 CacheDirectory/cached-descriptors and cached-descriptors.new
3880 These files contain the downloaded router statuses. Some routers
3881 may appear more than once; if so, the most recently published
3882 descriptor is used. Lines beginning with @-signs are annotations
3883 that contain more information about a given router. The .new file
3884 is an append-only journal; when it gets too large, all entries are
3885 merged into a new cached-descriptors file.
3886 CacheDirectory/cached-extrainfo and cached-extrainfo.new
3888 Similar to cached-descriptors, but holds optionally-downloaded
3889 "extra-info" documents. Relays use these documents to send
3890 inessential information about statistics, bandwidth history, and
3891 network health to the authorities. They aren’t fetched by default.
3892 See DownloadExtraInfo for more information.
3893 CacheDirectory/cached-microdescs and cached-microdescs.new
3895 These files hold downloaded microdescriptors. Lines beginning with
3896 @-signs are annotations that contain more information about a given
3897 router. The .new file is an append-only journal; when it gets too
3898 large, all entries are merged into a new cached-microdescs file.
3899 DataDirectory/state
3901 Contains a set of persistent key-value mappings. These include:
3902 · the current entry guards and their status.
3904 · the current bandwidth accounting values.
3906 · when the file was last written
3908 · what version of Tor generated the state file
3910 · a short history of bandwidth usage, as produced in the server
3912 descriptors.
3913 DataDirectory/sr-state
3915 Authority only. This file is used to record information about the
3916 current status of the shared-random-value voting state.
3917 CacheDirectory/diff-cache
3919 Directory cache only. Holds older consensuses and diffs from oldest
3920 to the most recent consensus of each type compressed in various
3921 ways. Each file contains a set of key-value arguments describing
3922 its contents, followed by a single NUL byte, followed by the main
3923 file contents.
3924 DataDirectory/bw_accounting
3926 This file is obsolete and the data is now stored in the state file
3927 instead. Used to track bandwidth accounting values (when the
3928 current period starts and ends; how much has been read and written
3929 so far this period).
3930 DataDirectory/control_auth_cookie
3932 This file can be used only when cookie authentication is enabled.
3933 Used for cookie authentication with the controller. Location can be
3934 overridden by the CookieAuthFile configuration option. Regenerated
3935 on startup. See control-spec.txt in torspec for details.
3936 DataDirectory/lock
3938 This file is used to prevent two Tor instances from using the same
3939 data directory. If access to this file is locked, data directory is
3940 already in use by Tor.
3941 DataDirectory/key-pinning-journal
3943 Used by authorities. A line-based file that records mappings
3944 between RSA1024 and Ed25519 identity keys. Authorities enforce
3945 these mappings, so that once a relay has picked an Ed25519 key,
3946 stealing or factoring the RSA1024 key will no longer let an
3947 attacker impersonate the relay.
3948 KeyDirectory/authority_identity_key
3950 A v3 directory authority’s master identity key, used to
3951 authenticate its signing key. Tor doesn’t use this while it’s
3952 running. The tor-gencert program uses this. If you’re running an
3953 authority, you should keep this key offline, and not put it in this
3954 file.
3955 KeyDirectory/authority_certificate
3957 Only directory authorities use this file. A v3 directory
3958 authority’s certificate which authenticates the authority’s current
3959 vote- and consensus-signing key using its master identity key.
3960 KeyDirectory/authority_signing_key
3962 Only directory authorities use this file. A v3 directory
3963 authority’s signing key that is used to sign votes and consensuses.
3964 Corresponds to the authority_certificate cert.
3965 KeyDirectory/legacy_certificate
3967 As authority_certificate; used only when V3AuthUseLegacyKey is set.
3968 See documentation for V3AuthUseLegacyKey.
3969 KeyDirectory/legacy_signing_key
3971 As authority_signing_key: used only when V3AuthUseLegacyKey is set.
3972 See documentation for V3AuthUseLegacyKey.
3973 KeyDirectory/secret_id_key
3975 A relay’s RSA1024 permanent identity key, including private and
3976 public components. Used to sign router descriptors, and to sign
3977 other keys.
3978 KeyDirectory/ed25519_master_id_public_key
3980 The public part of a relay’s Ed25519 permanent identity key.
3981 KeyDirectory/ed25519_master_id_secret_key
3983 The private part of a relay’s Ed25519 permanent identity key. This
3984 key is used to sign the medium-term ed25519 signing key. This file
3985 can be kept offline or encrypted. If so, Tor will not be able to
3986 generate new signing keys automatically; you’ll need to use tor
3987 --keygen to do so.
3988 KeyDirectory/ed25519_signing_secret_key
3990 The private and public components of a relay’s medium-term Ed25519
3991 signing key. This key is authenticated by the Ed25519 master key,
3992 which in turn authenticates other keys (and router descriptors).
3993 KeyDirectory/ed25519_signing_cert
3995 The certificate which authenticates "ed25519_signing_secret_key" as
3996 having been signed by the Ed25519 master key.
3997 KeyDirectory/secret_onion_key and secret_onion_key.old
3999 A relay’s RSA1024 short-term onion key. Used to decrypt old-style
4000 ("TAP") circuit extension requests. The .old file holds the
4001 previously generated key, which the relay uses to handle any
4002 requests that were made by clients that didn’t have the new one.
4003 KeyDirectory/secret_onion_key_ntor and secret_onion_key_ntor.old
4005 A relay’s Curve25519 short-term onion key. Used to handle modern
4006 ("ntor") circuit extension requests. The .old file holds the
4007 previously generated key, which the relay uses to handle any
4008 requests that were made by clients that didn’t have the new one.
4009 DataDirectory/fingerprint
4011 Only used by servers. Contains the fingerprint of the server’s
4012 identity key.
4013 DataDirectory/hashed-fingerprint
4015 Only used by bridges. Contains the hashed fingerprint of the
4016 bridge’s identity key. (That is, the hash of the hash of the
4017 identity key.)
4018 DataDirectory/approved-routers
4020 Only used by authoritative directory servers. Each line lists a
4021 status and an identity, separated by whitespace. Identities can be
4022 hex-encoded RSA fingerprints, or base-64 encoded ed25519 public
4023 keys. See the fingerprint file in a tor relay’s DataDirectory for
4024 an example fingerprint line. If the status is !reject, then
4025 descriptors from the given identity are rejected by this server. If
4026 it is !invalid then descriptors are accepted, but marked in the
4027 vote as not valid. If it is !badexit, then the authority will vote
4028 for it to receive a BadExit flag, indicating that it shouldn’t be
4029 used for traffic leaving the Tor network. (Neither rejected nor
4030 invalid relays are included in the consensus.)
4031 DataDirectory/v3-status-votes
4033 Only for v3 authoritative directory servers. This file contains
4034 status votes from all the authoritative directory servers.
4035 CacheDirectory/unverified-consensus
4037 Contains a network consensus document that has been downloaded, but
4038 which we didn’t have the right certificates to check yet.
4039 CacheDirectory/unverified-microdesc-consensus
4041 Contains a microdescriptor-flavored network consensus document that
4042 has been downloaded, but which we didn’t have the right
4043 certificates to check yet.
4044 DataDirectory/unparseable-desc
4046 Onion server descriptors that Tor was unable to parse are dumped to
4047 this file. Only used for debugging.
4048 DataDirectory/router-stability
4050 Only used by authoritative directory servers. Tracks measurements
4051 for router mean-time-between-failures so that authorities have a
4052 fair idea of how to set their Stable flags.
4053 DataDirectory/stats/dirreq-stats
4055 Only used by directory caches and authorities. This file is used to
4056 collect directory request statistics.
4057 DataDirectory/stats/entry-stats
4059 Only used by servers. This file is used to collect incoming
4060 connection statistics by Tor entry nodes.
4061 DataDirectory/stats/bridge-stats
4063 Only used by servers. This file is used to collect incoming
4064 connection statistics by Tor bridges.
4065 DataDirectory/stats/exit-stats
4067 Only used by servers. This file is used to collect outgoing
4068 connection statistics by Tor exit routers.
4069 DataDirectory/stats/buffer-stats
4071 Only used by servers. This file is used to collect buffer usage
4072 history.
4073 DataDirectory/stats/conn-stats
4075 Only used by servers. This file is used to collect approximate
4076 connection history (number of active connections over time).
4077 DataDirectory/stats/hidserv-stats
4079 Only used by servers. This file is used to collect approximate
4080 counts of what fraction of the traffic is hidden service rendezvous
4081 traffic, and approximately how many hidden services the relay has
4082 seen.
4083 DataDirectory/networkstatus-bridges`
4085 Only used by authoritative bridge directories. Contains information
4086 about bridges that have self-reported themselves to the bridge
4087 authority.
4088 HiddenServiceDirectory/hostname
4090 The <base32-encoded-fingerprint>.onion domain name for this hidden
4091 service. If the hidden service is restricted to authorized clients
4092 only, this file also contains authorization data for all clients.
4093 Note
4095 The clients will ignore any extra subdomains prepended to a
4096 hidden service hostname. Supposing you have "xyz.onion" as your
4097 hostname, you can ask your clients to connect to
4098 "www.xyz.onion" or "irc.xyz.onion" for virtual-hosting
4099 purposes.
4100 HiddenServiceDirectory/private_key
4102 Contains the private key for this hidden service.
4103 HiddenServiceDirectory/client_keys
4105 Contains authorization data for a hidden service that is only
4106 accessible by authorized clients.
4107 HiddenServiceDirectory/onion_service_non_anonymous
4109 This file is present if a hidden service key was created in
4110 HiddenServiceNonAnonymousMode.
4111
4113 For more information, refer to the Tor Project website at
4114 https://www.torproject.org/ and the Tor specifications at
4115 https://spec.torproject.org. See also torsocks(1) and torify(1).
4116
4118 Because Tor is still under development, there may be plenty of bugs.
4119 Please report them at https://bugs.torproject.org/.
4120Tor 03/15/2021 TOR(1)