1TOR(1) Tor Manual TOR(1)
2
6 tor - The second-generation onion router
7
9 tor [OPTION value]...
10
12 Tor is a connection-oriented anonymizing communication service. Users
13 choose a source-routed path through a set of nodes, and negotiate a
14 "virtual circuit" through the network. Each node in a virtual circuit
15 knows its predecessor and successor nodes, but no other nodes. Traffic
16 flowing down the circuit is unwrapped by a symmetric key at each node,
17 which reveals the downstream node.
18 Basically, Tor provides a distributed network of servers or relays
20 ("onion routers"). Users bounce their TCP streams, including web
21 traffic, ftp, ssh, etc., around the network, so that recipients,
22 observers, and even the relays themselves have difficulty tracking the
23 source of the stream.
24 Note
26 By default, tor acts as a client only. To help the network by
27 providing bandwidth as a relay, change the ORPort configuration
28 option as mentioned below. Please also consult the documentation on
29 the Tor Project’s website.
30
32 Tor has a powerful command-line interface. This section lists optional
33 arguments you can specify at the command line using the tor command.
34 Configuration options can be specified on the command line in the
36 format --OptionName OptionValue, on the command line in the format
37 OptionName OptionValue, or in a configuration file. For instance, you
38 can tell Tor to start listening for SOCKS connections on port 9999 by
39 passing either --SocksPort 9999 or SocksPort 9999 on the command line,
40 or by specifying SocksPort 9999 in the configuration file. On the
41 command line, quote option values that contain spaces. For instance, if
42 you want Tor to log all debugging messages to debug.log, you must
43 specify --Log "debug file debug.log".
44 Note
46 Configuration options on the command line override those in
47 configuration files. See THE CONFIGURATION FILE FORMAT for more
48 information.
49 The following options in this section are only recognized on the tor
51 command line, not in a configuration file.
52 -h, --help
54 Display a short help message and exit.
55 -f, --torrc-file FILE
57 Specify a new configuration file to contain further Tor
58 configuration options, or pass - to make Tor read its configuration
59 from standard input. (Default: /etc/tor/torrc, or $HOME/.torrc if
60 that file is not found)
61 --allow-missing-torrc
63 Allow the configuration file specified by -f to be missing, if the
64 defaults-torrc file (see below) is accessible.
65 --defaults-torrc FILE
67 Specify a file in which to find default values for Tor options. The
68 contents of this file are overridden by those in the regular
69 configuration file, and by those on the command line. (Default:
70 /etc/tor/torrc-defaults.)
71 --ignore-missing-torrc
73 Specify that Tor should treat a missing torrc file as though it
74 were empty. Ordinarily, Tor does this for missing default torrc
75 files, but not for those specified on the command line.
76 --hash-password PASSWORD
78 Generate a hashed password for control port access.
79 --list-fingerprint [key type]
81 Generate your keys and output your nickname and fingerprint.
82 Optionally, you can specify the key type as rsa (default) or
83 ed25519.
84 --verify-config
86 Verify whether the configuration file is valid.
87 --dump-config short|full
89 Write a list of Tor’s configured options to standard output. When
90 the short flag is selected, only write the options that are
91 different from their default values When full is selected, write
92 every option.
93 --service install [--options command-line options]
95 Install an instance of Tor as a Windows service, with the provided
96 command-line options. Current instructions can be found at
97 https://www.torproject.org/docs/faq#NTService
98 --service remove|start|stop
100 Remove, start, or stop a configured Tor Windows service.
101 --nt-service
103 Used internally to implement a Windows service.
104 --list-torrc-options
106 List all valid options.
107 --list-deprecated-options
109 List all valid options that are scheduled to become obsolete in a
110 future version. (This is a warning, not a promise.)
111 --list-modules
113 List whether each optional module has been compiled into Tor. (Any
114 module not listed is not optional in this version of Tor.)
115 --version
117 Display Tor version and exit. The output is a single line of the
118 format "Tor version [version number]." (The version number format
119 is as specified in version-spec.txt.)
120 --quiet|--hush
122 Override the default console logging behavior. By default, Tor
123 starts out logging messages at level "notice" and higher to the
124 console. It stops doing so after it parses its configuration, if
125 the configuration tells it to log anywhere else. These options
126 override the default console logging behavior. Use the --hush
127 option if you want Tor to log only warnings and errors to the
128 console, or use the --quiet option if you want Tor not to log to
129 the console at all.
130 --keygen [--newpass]
132 Running tor --keygen creates a new ed25519 master identity key for
133 a relay, or only a fresh temporary signing key and certificate, if
134 you already have a master key. Optionally, you can encrypt the
135 master identity key with a passphrase. When Tor asks you for a
136 passphrase and you don’t want to encrypt the master key, just don’t
137 enter any passphrase when asked.
138 Use the --newpass option with --keygen only when you need to add,
141 change, or remove a passphrase on an existing ed25519 master
142 identity key. You will be prompted for the old passphrase (if any),
143 and the new passphrase (if any).
144 Note
146 When generating a master key, you may want to use
147 --DataDirectory to control where the keys and certificates will
148 be stored, and --SigningKeyLifetime to control their lifetimes.
149 See SERVER OPTIONS to learn more about the behavior of these
150 options. You must have write access to the specified
151 DataDirectory.
152 To use the generated files, you must copy them to the
153 DataDirectory/keys directory of your Tor daemon, and make sure that
154 they are owned by the user actually running the Tor daemon on your
155 system.
156 --passphrase-fd FILEDES
158 File descriptor to read the passphrase from. Note that unlike with
159 the tor-gencert program, the entire file contents are read and used
160 as the passphrase, including any trailing newlines. If the file
161 descriptor is not specified, the passphrase is read from the
162 terminal by default.
163 --key-expiration [purpose] [--format iso8601|timestamp]
165 The purpose specifies which type of key certificate to determine
166 the expiration of. The only currently recognised purpose is "sign".
167 Running tor --key-expiration sign will attempt to find your signing
170 key certificate and will output, both in the logs as well as to
171 stdout. The optional --format argument lets you specify the time
172 format. Currently, iso8601 and timestamp are supported. If --format
173 is not specified, the signing key certificate’s expiration time
174 will be in ISO-8601 format. For example, the output sent to stdout
175 will be of the form: "signing-cert-expiry: 2017-07-25 08:30:15
176 UTC". If --format timestamp is specified, the signing key
177 certificate’s expiration time will be in Unix timestamp format. For
178 example, the output sent to stdout will be of the form:
179 "signing-cert-expiry: 1500971415".
180 --dbg-...
182 Tor may support other options beginning with the string "dbg".
183 These are intended for use by developers to debug and test Tor.
184 They are not supported or guaranteed to be stable, and you should
185 probably not use them.
186
188 All configuration options in a configuration are written on a single
189 line by default. They take the form of an option name and a value, or
190 an option name and a quoted value (option value or option "value").
191 Anything after a # character is treated as a comment. Options are
192 case-insensitive. C-style escaped characters are allowed inside quoted
193 values. To split one configuration entry into multiple lines, use a
194 single backslash character (\) before the end of the line. Comments can
195 be used in such multiline entries, but they must start at the beginning
196 of a line.
197 Configuration options can be imported from files or folders using the
199 %include option with the value being a path. This path can have
200 wildcards. Wildcards are expanded first, then sorted using lexical
201 order. Then, for each matching file or folder, the following rules are
202 followed: if the path is a file, the options from the file will be
203 parsed as if they were written where the %include option is. If the
204 path is a folder, all files on that folder will be parsed following
205 lexical order. Files starting with a dot are ignored. Files in
206 subfolders are ignored. The %include option can be used recursively.
207 New configuration files or directories cannot be added to already
208 running Tor instance if Sandbox is enabled.
209 The supported wildcards are * meaning any number of characters
211 including none and ? meaning exactly one character. These characters
212 can be escaped by preceding them with a backslash, except on Windows.
213 Files starting with a dot are not matched when expanding wildcards
214 unless the starting dot is explicitly in the pattern, except on
215 Windows.
216 By default, an option on the command line overrides an option found in
218 the configuration file, and an option in a configuration file overrides
219 one in the defaults file.
220 This rule is simple for options that take a single value, but it can
222 become complicated for options that are allowed to occur more than
223 once: if you specify four SocksPorts in your configuration file, and
224 one more SocksPort on the command line, the option on the command line
225 will replace all of the SocksPorts in the configuration file. If this
226 isn’t what you want, prefix the option name with a plus sign (+), and
227 it will be appended to the previous set of options instead. For
228 example, setting SocksPort 9100 will use only port 9100, but setting
229 +SocksPort 9100 will use ports 9100 and 9050 (because this is the
230 default).
231 Alternatively, you might want to remove every instance of an option in
233 the configuration file, and not replace it at all: you might want to
234 say on the command line that you want no SocksPorts at all. To do that,
235 prefix the option name with a forward slash (/). You can use the plus
236 sign (+) and the forward slash (/) in the configuration file and on the
237 command line.
238
240 AccelDir DIR
241 Specify this option if using dynamic hardware acceleration and the
242 engine implementation library resides somewhere other than the
243 OpenSSL default. Can not be changed while tor is running.
244 AccelName NAME
246 When using OpenSSL hardware crypto acceleration attempt to load the
247 dynamic engine of this name. This must be used for any dynamic
248 hardware engine. Names can be verified with the openssl engine
249 command. Can not be changed while tor is running.
250 If the engine name is prefixed with a "!", then Tor will exit if
253 the engine cannot be loaded.
254 AlternateBridgeAuthority [nickname] [flags] ipv4address:port
256 fingerprint, AlternateDirAuthority [nickname] [flags] ipv4address:port
257 fingerprint
258 These options behave as DirAuthority, but they replace fewer of the
259 default directory authorities. Using AlternateDirAuthority replaces
260 the default Tor directory authorities, but leaves the default
261 bridge authorities in place. Similarly, AlternateBridgeAuthority
262 replaces the default bridge authority, but leaves the directory
263 authorities alone.
264 AvoidDiskWrites 0|1
266 If non-zero, try to write to disk less frequently than we would
267 otherwise. This is useful when running on flash memory or other
268 media that support only a limited number of writes. (Default: 0)
269 BandwidthBurst N
271 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
272 Limit the maximum token bucket size (also known as the burst) to
273 the given number of bytes in each direction. (Default: 1 GByte)
274 BandwidthRate N
276 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
277 A token bucket limits the average incoming bandwidth usage on this
278 node to the specified number of bytes per second, and the average
279 outgoing bandwidth usage to that same value. If you want to run a
280 relay in the public network, this needs to be at the very least 75
281 KBytes for a relay (that is, 600 kbits) or 50 KBytes for a bridge
282 (400 kbits) — but of course, more is better; we recommend at least
283 250 KBytes (2 mbits) if possible. (Default: 1 GByte)
284 Note that this option, and other bandwidth-limiting options, apply
287 to TCP data only: They do not count TCP headers or DNS traffic.
288 Tor uses powers of two, not powers of ten, so 1 GByte is
291 1024*1024*1024 bytes as opposed to 1 billion bytes.
292 With this option, and in other options that take arguments in
295 bytes, KBytes, and so on, other formats are also supported.
296 Notably, "KBytes" can also be written as "kilobytes" or "kb";
297 "MBytes" can be written as "megabytes" or "MB"; "kbits" can be
298 written as "kilobits"; and so forth. Case doesn’t matter. Tor also
299 accepts "byte" and "bit" in the singular. The prefixes "tera" and
300 "T" are also recognized. If no units are given, we default to
301 bytes. To avoid confusion, we recommend writing "bytes" or "bits"
302 explicitly, since it’s easy to forget that "B" means bytes, not
303 bits.
304 CacheDirectory DIR
306 Store cached directory data in DIR. Can not be changed while tor is
307 running. (Default: uses the value of DataDirectory.)
308 CacheDirectoryGroupReadable 0|1|auto
310 If this option is set to 0, don’t allow the filesystem group to
311 read the CacheDirectory. If the option is set to 1, make the
312 CacheDirectory readable by the default GID. If the option is
313 "auto", then we use the setting for DataDirectoryGroupReadable when
314 the CacheDirectory is the same as the DataDirectory, and 0
315 otherwise. (Default: auto)
316 CircuitPriorityHalflife NUM
318 If this value is set, we override the default algorithm for
319 choosing which circuit’s cell to deliver or relay next. It is
320 delivered first to the circuit that has the lowest weighted cell
321 count, where cells are weighted exponentially according to this
322 value (in seconds). If the value is -1, it is taken from the
323 consensus if possible else it will fallback to the default value of
324 30. Minimum: 1, Maximum: 2147483647. This can be defined as a float
325 value. This is an advanced option; you generally shouldn’t have to
326 mess with it. (Default: -1)
327 ClientTransportPlugin transport socks4|socks5 IP:PORT,
329 ClientTransportPlugin transport exec path-to-binary [options]
330 In its first form, when set along with a corresponding Bridge line,
331 the Tor client forwards its traffic to a SOCKS-speaking proxy on
332 "IP:PORT". (IPv4 addresses should written as-is; IPv6 addresses
333 should be wrapped in square brackets.) It’s the duty of that proxy
334 to properly forward the traffic to the bridge.
335 In its second form, when set along with a corresponding Bridge
338 line, the Tor client launches the pluggable transport proxy
339 executable in path-to-binary using options as its command-line
340 options, and forwards its traffic to it. It’s the duty of that
341 proxy to properly forward the traffic to the bridge. (Default:
342 none)
343 ConnLimit NUM
345 The minimum number of file descriptors that must be available to
346 the Tor process before it will start. Tor will ask the OS for as
347 many file descriptors as the OS will allow (you can find this by
348 "ulimit -H -n"). If this number is less than ConnLimit, then Tor
349 will refuse to start.
350 Tor relays need thousands of sockets, to connect to every other
353 relay. If you are running a private bridge, you can reduce the
354 number of sockets that Tor uses. For example, to limit Tor to 500
355 sockets, run "ulimit -n 500" in a shell. Then start tor in the same
356 shell, with ConnLimit 500. You may also need to set DisableOOSCheck
357 0.
358 Unless you have severely limited sockets, you probably don’t need
361 to adjust ConnLimit itself. It has no effect on Windows, since that
362 platform lacks getrlimit(). (Default: 1000)
363 ConstrainedSockets 0|1
365 If set, Tor will tell the kernel to attempt to shrink the buffers
366 for all sockets to the size specified in ConstrainedSockSize. This
367 is useful for virtual servers and other environments where system
368 level TCP buffers may be limited. If you’re on a virtual server,
369 and you encounter the "Error creating network socket: No buffer
370 space available" message, you are likely experiencing this problem.
371 The preferred solution is to have the admin increase the buffer
374 pool for the host itself via /proc/sys/net/ipv4/tcp_mem or
375 equivalent facility; this configuration option is a second-resort.
376 The DirPort option should also not be used if TCP buffers are
379 scarce. The cached directory requests consume additional sockets
380 which exacerbates the problem.
381 You should not enable this feature unless you encounter the "no
384 buffer space available" issue. Reducing the TCP buffers affects
385 window size for the TCP stream and will reduce throughput in
386 proportion to round trip time on long paths. (Default: 0)
387 ConstrainedSockSize N bytes|KBytes
389 When ConstrainedSockets is enabled the receive and transmit buffers
390 for all sockets will be set to this limit. Must be a value between
391 2048 and 262144, in 1024 byte increments. Default of 8192 is
392 recommended.
393 ControlPort [address:]port|unix:path|auto [flags]
395 If set, Tor will accept connections on this port and allow those
396 connections to control the Tor process using the Tor Control
397 Protocol (described in control-spec.txt in torspec). Note: unless
398 you also specify one or more of HashedControlPassword or
399 CookieAuthentication, setting this option will cause Tor to allow
400 any process on the local host to control it. (Setting both
401 authentication methods means either method is sufficient to
402 authenticate to Tor.) This option is required for many Tor
403 controllers; most use the value of 9051. If a unix domain socket is
404 used, you may quote the path using standard C escape sequences. You
405 can specify this directive multiple times, to bind to multiple
406 address/port pairs. Set it to "auto" to have Tor pick a port for
407 you. (Default: 0)
408 Recognized flags are:
411 GroupWritable
413 Unix domain sockets only: makes the socket get created as
414 group-writable.
415 WorldWritable
417 Unix domain sockets only: makes the socket get created as
418 world-writable.
419 RelaxDirModeCheck
421 Unix domain sockets only: Do not insist that the directory that
422 holds the socket be read-restricted.
423 ControlPortFileGroupReadable 0|1
425 If this option is set to 0, don’t allow the filesystem group to
426 read the control port file. If the option is set to 1, make the
427 control port file readable by the default GID. (Default: 0)
428 ControlPortWriteToFile Path
430 If set, Tor writes the address and port of any control port it
431 opens to this address. Usable by controllers to learn the actual
432 control port when ControlPort is set to "auto".
433 ControlSocket Path
435 Like ControlPort, but listens on a Unix domain socket, rather than
436 a TCP socket. 0 disables ControlSocket. (Unix and Unix-like
437 systems only.) (Default: 0)
438 ControlSocketsGroupWritable 0|1
440 If this option is set to 0, don’t allow the filesystem group to
441 read and write unix sockets (e.g. ControlSocket). If the option is
442 set to 1, make the control socket readable and writable by the
443 default GID. (Default: 0)
444 CookieAuthentication 0|1
446 If this option is set to 1, allow connections on the control port
447 when the connecting process knows the contents of a file named
448 "control_auth_cookie", which Tor will create in its data directory.
449 This authentication method should only be used on systems with good
450 filesystem security. (Default: 0)
451 CookieAuthFile Path
453 If set, this option overrides the default location and file name
454 for Tor’s cookie file. (See CookieAuthentication.)
455 CookieAuthFileGroupReadable 0|1
457 If this option is set to 0, don’t allow the filesystem group to
458 read the cookie file. If the option is set to 1, make the cookie
459 file readable by the default GID. [Making the file readable by
460 other groups is not yet implemented; let us know if you need this
461 for some reason.] (Default: 0)
462 CountPrivateBandwidth 0|1
464 If this option is set, then Tor’s rate-limiting applies not only to
465 remote connections, but also to connections to private addresses
466 like 127.0.0.1 or 10.0.0.1. This is mostly useful for debugging
467 rate-limiting. (Default: 0)
468 DataDirectory DIR
470 Store working data in DIR. Can not be changed while tor is running.
471 (Default: ~/.tor if your home directory is not /; otherwise,
472 /var/lib/tor. On Windows, the default is your ApplicationData
473 folder.)
474 DataDirectoryGroupReadable 0|1
476 If this option is set to 0, don’t allow the filesystem group to
477 read the DataDirectory. If the option is set to 1, make the
478 DataDirectory readable by the default GID. (Default: 0)
479 DirAuthority [nickname] [flags] ipv4address:dirport fingerprint
481 Use a nonstandard authoritative directory server at the provided
482 address and port, with the specified key fingerprint. This option
483 can be repeated many times, for multiple authoritative directory
484 servers. Flags are separated by spaces, and determine what kind of
485 an authority this directory is. By default, an authority is not
486 authoritative for any directory style or version unless an
487 appropriate flag is given.
488 Tor will use this authority as a bridge authoritative directory if
491 the "bridge" flag is set. If a flag "orport=orport" is given, Tor
492 will use the given port when opening encrypted tunnels to the
493 dirserver. If a flag "weight=num" is given, then the directory
494 server is chosen randomly with probability proportional to that
495 weight (default 1.0). If a flag "v3ident=fp" is given, the
496 dirserver is a v3 directory authority whose v3 long-term signing
497 key has the fingerprint fp. Lastly, if an
498 "ipv6=[ipv6address]:orport" flag is present, then the directory
499 authority is listening for IPv6 connections on the indicated IPv6
500 address and OR Port.
501 Tor will contact the authority at ipv4address to download directory
504 documents. Clients always use the ORPort. Relays usually use the
505 DirPort, but will use the ORPort in some circumstances. If an IPv6
506 ORPort is supplied, clients will also download directory documents
507 at the IPv6 ORPort, if they are configured to use IPv6.
508 If no DirAuthority line is given, Tor will use the default
511 directory authorities. NOTE: this option is intended for setting up
512 a private Tor network with its own directory authorities. If you
513 use it, you will be distinguishable from other users, because you
514 won’t believe the same authorities they do.
515 DirAuthorityFallbackRate NUM
517 When configured to use both directory authorities and fallback
518 directories, the directory authorities also work as fallbacks. They
519 are chosen with their regular weights, multiplied by this number,
520 which should be 1.0 or less. The default is less than 1, to reduce
521 load on authorities. (Default: 0.1)
522 DisableAllSwap 0|1
524 If set to 1, Tor will attempt to lock all current and future memory
525 pages, so that memory cannot be paged out. Windows, OS X and
526 Solaris are currently not supported. We believe that this feature
527 works on modern Gnu/Linux distributions, and that it should work on
528 *BSD systems (untested). This option requires that you start your
529 Tor as root, and you should use the User option to properly reduce
530 Tor’s privileges. Can not be changed while tor is running.
531 (Default: 0)
532 DisableDebuggerAttachment 0|1
534 If set to 1, Tor will attempt to prevent basic debugging attachment
535 attempts by other processes. This may also keep Tor from generating
536 core files if it crashes. It has no impact for users who wish to
537 attach if they have CAP_SYS_PTRACE or if they are root. We believe
538 that this feature works on modern Gnu/Linux distributions, and that
539 it may also work on *BSD systems (untested). Some modern Gnu/Linux
540 systems such as Ubuntu have the kernel.yama.ptrace_scope sysctl and
541 by default enable it as an attempt to limit the PTRACE scope for
542 all user processes by default. This feature will attempt to limit
543 the PTRACE scope for Tor specifically - it will not attempt to
544 alter the system wide ptrace scope as it may not even exist. If you
545 wish to attach to Tor with a debugger such as gdb or strace you
546 will want to set this to 0 for the duration of your debugging.
547 Normal users should leave it on. Disabling this option while Tor is
548 running is prohibited. (Default: 1)
549 DisableNetwork 0|1
551 When this option is set, we don’t listen for or accept any
552 connections other than controller connections, and we close (and
553 don’t reattempt) any outbound connections. Controllers sometimes
554 use this option to avoid using the network until Tor is fully
555 configured. Tor will make still certain network-related calls (like
556 DNS lookups) as a part of its configuration process, even if
557 DisableNetwork is set. (Default: 0)
558 ExtendByEd25519ID 0|1|auto
560 If this option is set to 1, we always try to include a relay’s
561 Ed25519 ID when telling the preceding relay in a circuit to extend
562 to it. If this option is set to 0, we never include Ed25519 IDs
563 when extending circuits. If the option is set to "auto", we obey a
564 parameter in the consensus document. (Default: auto)
565 ExtORPort [address:]port|auto
567 Open this port to listen for Extended ORPort connections from your
568 pluggable transports.
569 (Default: DataDirectory/extended_orport_auth_cookie)
571 ExtORPortCookieAuthFile Path
573 If set, this option overrides the default location and file name
574 for the Extended ORPort’s cookie file — the cookie file is needed
575 for pluggable transports to communicate through the Extended
576 ORPort.
577 ExtORPortCookieAuthFileGroupReadable 0|1
579 If this option is set to 0, don’t allow the filesystem group to
580 read the Extended OR Port cookie file. If the option is set to 1,
581 make the cookie file readable by the default GID. [Making the file
582 readable by other groups is not yet implemented; let us know if you
583 need this for some reason.] (Default: 0)
584 FallbackDir ipv4address:dirport orport=orport id=fingerprint
586 [weight=num] [ipv6=[ipv6address]:orport]
587 When tor is unable to connect to any directory cache for directory
588 info (usually because it doesn’t know about any yet) it tries a
589 hard-coded directory. Relays try one directory authority at a time.
590 Clients try multiple directory authorities and FallbackDirs, to
591 avoid hangs on startup if a hard-coded directory is down. Clients
592 wait for a few seconds between each attempt, and retry FallbackDirs
593 more often than directory authorities, to reduce the load on the
594 directory authorities.
595 FallbackDirs should be stable relays with stable IP addresses,
598 ports, and identity keys. They must have a DirPort.
599 By default, the directory authorities are also FallbackDirs.
602 Specifying a FallbackDir replaces Tor’s default hard-coded
603 FallbackDirs (if any). (See DirAuthority for an explanation of each
604 flag.)
605 FetchDirInfoEarly 0|1
607 If set to 1, Tor will always fetch directory information like other
608 directory caches, even if you don’t meet the normal criteria for
609 fetching early. Normal users should leave it off. (Default: 0)
610 FetchDirInfoExtraEarly 0|1
612 If set to 1, Tor will fetch directory information before other
613 directory caches. It will attempt to download directory information
614 closer to the start of the consensus period. Normal users should
615 leave it off. (Default: 0)
616 FetchHidServDescriptors 0|1
618 If set to 0, Tor will never fetch any hidden service descriptors
619 from the rendezvous directories. This option is only useful if
620 you’re using a Tor controller that handles hidden service fetches
621 for you. (Default: 1)
622 FetchServerDescriptors 0|1
624 If set to 0, Tor will never fetch any network status summaries or
625 server descriptors from the directory servers. This option is only
626 useful if you’re using a Tor controller that handles directory
627 fetches for you. (Default: 1)
628 FetchUselessDescriptors 0|1
630 If set to 1, Tor will fetch every consensus flavor, and all server
631 descriptors and authority certificates referenced by those
632 consensuses, except for extra info descriptors. When this option is
633 1, Tor will also keep fetching descriptors, even when idle. If set
634 to 0, Tor will avoid fetching useless descriptors: flavors that it
635 is not using to build circuits, and authority certificates it does
636 not trust. When Tor hasn’t built any application circuits, it will
637 go idle, and stop fetching descriptors. This option is useful if
638 you’re using a tor client with an external parser that uses a full
639 consensus. This option fetches all documents except extrainfo
640 descriptors, DirCache fetches and serves all documents except
641 extrainfo descriptors, DownloadExtraInfo* fetches extrainfo
642 documents, and serves them if DirCache is on, and
643 UseMicrodescriptors changes the flavor of consensuses and
644 descriptors that is fetched and used for building circuits.
645 (Default: 0)
646 HardwareAccel 0|1
648 If non-zero, try to use built-in (static) crypto hardware
649 acceleration when available. Can not be changed while tor is
650 running. (Default: 0)
651 HashedControlPassword hashed_password
653 Allow connections on the control port if they present the password
654 whose one-way hash is hashed_password. You can compute the hash of
655 a password by running "tor --hash-password password". You can
656 provide several acceptable passwords by using more than one
657 HashedControlPassword line.
658 HTTPProxy host[:port]
660 Tor will make all its directory requests through this host:port (or
661 host:80 if port is not specified), rather than connecting directly
662 to any directory servers. (DEPRECATED: As of 0.3.1.0-alpha you
663 should use HTTPSProxy.)
664 HTTPProxyAuthenticator username:password
666 If defined, Tor will use this username:password for Basic HTTP
667 proxy authentication, as in RFC 2617. This is currently the only
668 form of HTTP proxy authentication that Tor supports; feel free to
669 submit a patch if you want it to support others. (DEPRECATED: As of
670 0.3.1.0-alpha you should use HTTPSProxyAuthenticator.)
671 HTTPSProxy host[:port]
673 Tor will make all its OR (SSL) connections through this host:port
674 (or host:443 if port is not specified), via HTTP CONNECT rather
675 than connecting directly to servers. You may want to set
676 FascistFirewall to restrict the set of ports you might try to
677 connect to, if your HTTPS proxy only allows connecting to certain
678 ports.
679 HTTPSProxyAuthenticator username:password
681 If defined, Tor will use this username:password for Basic HTTPS
682 proxy authentication, as in RFC 2617. This is currently the only
683 form of HTTPS proxy authentication that Tor supports; feel free to
684 submit a patch if you want it to support others.
685 KeepalivePeriod NUM
687 To keep firewalls from expiring connections, send a padding
688 keepalive cell every NUM seconds on open connections that are in
689 use. (Default: 5 minutes)
690 KeepBindCapabilities 0|1|auto
692 On Linux, when we are started as root and we switch our identity
693 using the User option, the KeepBindCapabilities option tells us
694 whether to try to retain our ability to bind to low ports. If this
695 value is 1, we try to keep the capability; if it is 0 we do not;
696 and if it is auto, we keep the capability only if we are configured
697 to listen on a low port. Can not be changed while tor is running.
698 (Default: auto.)
699 Log minSeverity[-maxSeverity] stderr|stdout|syslog
701 Send all messages between minSeverity and maxSeverity to the
702 standard output stream, the standard error stream, or to the system
703 log. (The "syslog" value is only supported on Unix.) Recognized
704 severity levels are debug, info, notice, warn, and err. We advise
705 using "notice" in most cases, since anything more verbose may
706 provide sensitive information to an attacker who obtains the logs.
707 If only one severity level is given, all messages of that level or
708 higher will be sent to the listed destination.
709 Some low-level logs may be sent from signal handlers, so their
712 destination logs must be signal-safe. These low-level logs include
713 backtraces, logging function errors, and errors in code called by
714 logging functions. Signal-safe logs are always sent to stderr or
715 stdout. They are also sent to a limited number of log files that
716 are configured to log messages at error severity from the bug or
717 general domains. They are never sent as syslogs, control port log
718 events, or to any API-based log destinations.
719 Log minSeverity[-maxSeverity] file FILENAME
721 As above, but send log messages to the listed filename. The "Log"
722 option may appear more than once in a configuration file. Messages
723 are sent to all the logs that match their severity level.
724 Log [domain,...]minSeverity[-maxSeverity] ... file FILENAME
726 Log [domain,...]minSeverity[-maxSeverity] ... stderr|stdout|syslog
728 As above, but select messages by range of log severity and by a set
729 of "logging domains". Each logging domain corresponds to an area of
730 functionality inside Tor. You can specify any number of severity
731 ranges for a single log statement, each of them prefixed by a
732 comma-separated list of logging domains. You can prefix a domain
733 with ~ to indicate negation, and use * to indicate "all domains".
734 If you specify a severity range without a list of domains, it
735 matches all domains.
736 This is an advanced feature which is most useful for debugging one
739 or two of Tor’s subsystems at a time.
740 The currently recognized domains are: general, crypto, net, config,
743 fs, protocol, mm, http, app, control, circ, rend, bug, dir,
744 dirserv, or, edge, acct, hist, handshake, heartbeat, channel,
745 sched, guard, consdiff, dos, process, pt, btrack, and mesg. Domain
746 names are case-insensitive.
747 For example, "Log [handshake]debug [~net,~mm]info notice stdout"
750 sends to stdout: all handshake messages of any severity, all
751 info-and-higher messages from domains other than networking and
752 memory management, and all messages of severity notice or higher.
753 LogMessageDomains 0|1
755 If 1, Tor includes message domains with each log message. Every log
756 message currently has at least one domain; most currently have
757 exactly one. This doesn’t affect controller log messages. (Default:
758 0)
759 LogTimeGranularity NUM
761 Set the resolution of timestamps in Tor’s logs to NUM milliseconds.
762 NUM must be positive and either a divisor or a multiple of 1
763 second. Note that this option only controls the granularity written
764 by Tor to a file or console log. Tor does not (for example) "batch
765 up" log messages to affect times logged by a controller, times
766 attached to syslog messages, or the mtime fields on log files.
767 (Default: 1 second)
768 MaxAdvertisedBandwidth N
770 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
771 If set, we will not advertise more than this amount of bandwidth
772 for our BandwidthRate. Server operators who want to reduce the
773 number of clients who ask to build circuits through them (since
774 this is proportional to advertised bandwidth rate) can thus reduce
775 the CPU demands on their server without impacting network
776 performance.
777 MaxUnparseableDescSizeToLog N bytes|KBytes|MBytes|GBytes|TBytes
779 Unparseable descriptors (e.g. for votes, consensuses, routers) are
780 logged in separate files by hash, up to the specified size in
781 total. Note that only files logged during the lifetime of this Tor
782 process count toward the total; this is intended to be used to
783 debug problems without opening live servers to resource exhaustion
784 attacks. (Default: 10 MBytes)
785 MetricsPort [address:]port [format]
787 WARNING: Before enabling this, it is important to understand that
788 exposing tor metrics publicly is dangerous to the Tor network
789 users. Please take extra precaution and care when opening this
790 port. Set a very strict access policy with MetricsPortPolicy and
791 consider using your operating systems firewall features for defense
792 in depth.
793 We recommend, for the prometheus format, that the only address that
795 can access this port should be the Prometheus server itself.
796 Remember that the connection is unencrypted (HTTP) hence consider
797 using a tool like stunnel to secure the link from this port to the
798 server.
799 If set, open this port to listen for an HTTP GET request to
801 "/metrics". Upon a request, the collected metrics in the the tor
802 instance are formatted for the given format and then sent back. If
803 this is set, MetricsPortPolicy must be defined else every request
804 will be rejected.
805 Supported format is "prometheus" which is also the default if not
807 set. The Prometheus data model can be found here:
808 https://prometheus.io/docs/concepts/data_model/
809 The tor metrics are constantly collected and they solely consists
811 of counters. Thus, asking for those metrics is very lightweight on
812 the tor process. (Default: None)
813 As an example, here only 5.6.7.8 will be allowed to connect:
815 MetricsPort 1.2.3.4:9035
817 MetricsPortPolicy accept 5.6.7.8
818 MetricsPortPolicy policy,policy,...
820 Set an entrance policy for the MetricsPort, to limit who can access
821 it. The policies have the same form as exit policies below, except
822 that port specifiers are ignored. For multiple entries, this line
823 can be used multiple times. It is a reject all by default policy.
824 (Default: None)
825 Please, keep in mind here that if the server collecting metrics on
827 the MetricsPort is behind a NAT, then everything behind it can
828 access it. This is similar for the case of allowing localhost,
829 every users on the server will be able to access it. Again,
830 strongly consider using a tool like stunnel to secure the link or
831 to strengthen access control.
832 NoExec 0|1
834 If this option is set to 1, then Tor will never launch another
835 executable, regardless of the settings of ClientTransportPlugin or
836 ServerTransportPlugin. Once this option has been set to 1, it
837 cannot be set back to 0 without restarting Tor. (Default: 0)
838 OutboundBindAddress IP
840 Make all outbound connections originate from the IP address
841 specified. This is only useful when you have multiple network
842 interfaces, and you want all of Tor’s outgoing connections to use a
843 single one. This option may be used twice, once with an IPv4
844 address and once with an IPv6 address. IPv6 addresses should be
845 wrapped in square brackets. This setting will be ignored for
846 connections to the loopback addresses (127.0.0.0/8 and ::1), and is
847 not used for DNS requests as well.
848 OutboundBindAddressExit IP
850 Make all outbound exit connections originate from the IP address
851 specified. This option overrides OutboundBindAddress for the same
852 IP version. This option may be used twice, once with an IPv4
853 address and once with an IPv6 address. IPv6 addresses should be
854 wrapped in square brackets. This setting will be ignored for
855 connections to the loopback addresses (127.0.0.0/8 and ::1).
856 OutboundBindAddressOR IP
858 Make all outbound non-exit (relay and other) connections originate
859 from the IP address specified. This option overrides
860 OutboundBindAddress for the same IP version. This option may be
861 used twice, once with an IPv4 address and once with an IPv6
862 address. IPv6 addresses should be wrapped in square brackets. This
863 setting will be ignored for connections to the loopback addresses
864 (127.0.0.0/8 and ::1).
865 __OwningControllerProcess PID
867 Make Tor instance periodically check for presence of a controller
868 process with given PID and terminate itself if this process is no
869 longer alive. Polling interval is 15 seconds.
870 PerConnBWBurst N
872 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
873 If this option is set manually, or via the "perconnbwburst"
874 consensus field, Tor will use it for separate rate limiting for
875 each connection from a non-relay. (Default: 0)
876 PerConnBWRate N
878 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
879 If this option is set manually, or via the "perconnbwrate"
880 consensus field, Tor will use it for separate rate limiting for
881 each connection from a non-relay. (Default: 0)
882 OutboundBindAddressPT IP
884 Request that pluggable transports makes all outbound connections
885 originate from the IP address specified. Because outgoing
886 connections are handled by the pluggable transport itself, it is
887 not possible for Tor to enforce whether the pluggable transport
888 honors this option. This option overrides OutboundBindAddress for
889 the same IP version. This option may be used twice, once with an
890 IPv4 address and once with an IPv6 address. IPv6 addresses should
891 be wrapped in square brackets. This setting will be ignored for
892 connections to the loopback addresses (127.0.0.0/8 and ::1).
893 PidFile FILE
895 On startup, write our PID to FILE. On clean shutdown, remove FILE.
896 Can not be changed while tor is running.
897 ProtocolWarnings 0|1
899 If 1, Tor will log with severity 'warn' various cases of other
900 parties not following the Tor specification. Otherwise, they are
901 logged with severity 'info'. (Default: 0)
902 RelayBandwidthBurst N
904 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
905 If not 0, limit the maximum token bucket size (also known as the
906 burst) for _relayed traffic_ to the given number of bytes in each
907 direction. They do not include directory fetches by the relay (from
908 authority or other relays), because that is considered "client"
909 activity. (Default: 0)
910 RelayBandwidthRate N
912 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
913 If not 0, a separate token bucket limits the average incoming
914 bandwidth usage for _relayed traffic_ on this node to the specified
915 number of bytes per second, and the average outgoing bandwidth
916 usage to that same value. Relayed traffic currently is calculated
917 to include answers to directory requests, but that may change in
918 future versions. They do not include directory fetches by the relay
919 (from authority or other relays), because that is considered
920 "client" activity. (Default: 0)
921 RephistTrackTime N seconds|minutes|hours|days|weeks
923 Tells an authority, or other node tracking node reliability and
924 history, that fine-grained information about nodes can be discarded
925 when it hasn’t changed for a given amount of time. (Default: 24
926 hours)
927 RunAsDaemon 0|1
929 If 1, Tor forks and daemonizes to the background. This option has
930 no effect on Windows; instead you should use the --service
931 command-line option. Can not be changed while tor is running.
932 (Default: 0)
933 SafeLogging 0|1|relay
935 Tor can scrub potentially sensitive strings from log messages (e.g.
936 addresses) by replacing them with the string [scrubbed]. This way
937 logs can still be useful, but they don’t leave behind personally
938 identifying information about what sites a user might have visited.
939 If this option is set to 0, Tor will not perform any scrubbing, if
942 it is set to 1, all potentially sensitive strings are replaced. If
943 it is set to relay, all log messages generated when acting as a
944 relay are sanitized, but all messages generated when acting as a
945 client are not. Note: Tor may not heed this option when logging at
946 log levels below Notice. (Default: 1)
947 Sandbox 0|1
949 If set to 1, Tor will run securely through the use of a syscall
950 sandbox. Otherwise the sandbox will be disabled. The option only
951 works on Linux-based operating systems, and only when Tor has been
952 built with the libseccomp library. Note that this option may be
953 incompatible with some versions of libc, and some kernel versions.
954 This option can not be changed while tor is running.
955 When the Sandbox is 1, the following options can not be changed
958 when tor is running: Address, ConnLimit, CookieAuthFile,
959 DirPortFrontPage, ExtORPortCookieAuthFile, Logs,
960 ServerDNSResolvConfFile, ClientOnionAuthDir (and any files in it
961 won’t reload on HUP signal).
962 Launching new Onion Services through the control port is not
965 supported with current syscall sandboxing implementation.
966 Tor must remain in client or server mode (some changes to
969 ClientOnly and ORPort are not allowed). Currently, if Sandbox is 1,
970 ControlPort command "GETINFO address" will not work.
971 When using %include in the tor configuration files, reloading the
974 tor configuration is not supported after adding new configuration
975 files or directories.
976 (Default: 0)
979 Schedulers KIST|KISTLite|Vanilla
981 Specify the scheduler type that tor should use. The scheduler is
982 responsible for moving data around within a Tor process. This is an
983 ordered list by priority which means that the first value will be
984 tried first and if unavailable, the second one is tried and so on.
985 It is possible to change these values at runtime. This option
986 mostly effects relays, and most operators should leave it set to
987 its default value. (Default: KIST,KISTLite,Vanilla)
988 The possible scheduler types are:
991 KIST: Kernel-Informed Socket Transport. Tor will use TCP
993 information from the kernel to make informed decisions regarding
994 how much data to send and when to send it. KIST also handles
995 traffic in batches (see KISTSchedRunInterval) in order to improve
996 traffic prioritization decisions. As implemented, KIST will only
997 work on Linux kernel version 2.6.39 or higher.
998 KISTLite: Same as KIST but without kernel support. Tor will use all
1001 the same mechanics as with KIST, including the batching, but its
1002 decisions regarding how much data to send will not be as good.
1003 KISTLite will work on all kernels and operating systems, and the
1004 majority of the benefits of KIST are still realized with KISTLite.
1005 Vanilla: The scheduler that Tor used before KIST was implemented.
1008 It sends as much data as possible, as soon as possible. Vanilla
1009 will work on all kernels and operating systems.
1010 KISTSchedRunInterval NUM msec
1012 If KIST or KISTLite is used in the Schedulers option, this controls
1013 at which interval the scheduler tick is. If the value is 0 msec,
1014 the value is taken from the consensus if possible else it will
1015 fallback to the default 10 msec. Maximum possible value is 100
1016 msec. (Default: 0 msec)
1017 KISTSockBufSizeFactor NUM
1019 If KIST is used in Schedulers, this is a multiplier of the
1020 per-socket limit calculation of the KIST algorithm. (Default: 1.0)
1021 Socks4Proxy host[:port]
1023 Tor will make all OR connections through the SOCKS 4 proxy at
1024 host:port (or host:1080 if port is not specified).
1025 Socks5Proxy host[:port]
1027 Tor will make all OR connections through the SOCKS 5 proxy at
1028 host:port (or host:1080 if port is not specified).
1029 Socks5ProxyUsername username
1031 Socks5ProxyPassword password
1033 If defined, authenticate to the SOCKS 5 server using username and
1034 password in accordance to RFC 1929. Both username and password must
1035 be between 1 and 255 characters.
1036 SyslogIdentityTag tag
1038 When logging to syslog, adds a tag to the syslog identity such that
1039 log entries are marked with "Tor-tag". Can not be changed while tor
1040 is running. (Default: none)
1041 TCPProxy protocol host:port
1043 Tor will use the given protocol to make all its OR (SSL)
1044 connections through a TCP proxy on host:port, rather than
1045 connecting directly to servers. You may want to set FascistFirewall
1046 to restrict the set of ports you might try to connect to, if your
1047 proxy only allows connecting to certain ports. There is no
1048 equivalent option for directory connections, because all Tor client
1049 versions that support this option download directory documents via
1050 OR connections.
1051 The only protocol supported right now 'haproxy'. This option is only for
1054 clients. (Default: none) +
1055 The HAProxy version 1 proxy protocol is described in detail at
1057 https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt +
1058 Both source IP address and source port will be set to zero.
1060 TruncateLogFile 0|1
1062 If 1, Tor will overwrite logs at startup and in response to a HUP
1063 signal, instead of appending to them. (Default: 0)
1064 UnixSocksGroupWritable 0|1
1066 If this option is set to 0, don’t allow the filesystem group to
1067 read and write unix sockets (e.g. SocksPort unix:). If the option
1068 is set to 1, make the Unix socket readable and writable by the
1069 default GID. (Default: 0)
1070 UseDefaultFallbackDirs 0|1
1072 Use Tor’s default hard-coded FallbackDirs (if any). (When a
1073 FallbackDir line is present, it replaces the hard-coded
1074 FallbackDirs, regardless of the value of UseDefaultFallbackDirs.)
1075 (Default: 1)
1076 User Username
1078 On startup, setuid to this user and setgid to their primary group.
1079 Can not be changed while tor is running.
1080
1082 The following options are useful only for clients (that is, if
1083 SocksPort, HTTPTunnelPort, TransPort, DNSPort, or NATDPort is
1084 non-zero):
1085 AllowNonRFC953Hostnames 0|1
1087 When this option is disabled, Tor blocks hostnames containing
1088 illegal characters (like @ and :) rather than sending them to an
1089 exit node to be resolved. This helps trap accidental attempts to
1090 resolve URLs and so on. (Default: 0)
1091 AutomapHostsOnResolve 0|1
1093 When this option is enabled, and we get a request to resolve an
1094 address that ends with one of the suffixes in AutomapHostsSuffixes,
1095 we map an unused virtual address to that address, and return the
1096 new virtual address. This is handy for making ".onion" addresses
1097 work with applications that resolve an address and then connect to
1098 it. (Default: 0)
1099 AutomapHostsSuffixes SUFFIX,SUFFIX,...
1101 A comma-separated list of suffixes to use with
1102 AutomapHostsOnResolve. The "." suffix is equivalent to "all
1103 addresses." (Default: .exit,.onion).
1104 Bridge [transport] IP:ORPort [fingerprint]
1106 When set along with UseBridges, instructs Tor to use the relay at
1107 "IP:ORPort" as a "bridge" relaying into the Tor network. If
1108 "fingerprint" is provided (using the same format as for
1109 DirAuthority), we will verify that the relay running at that
1110 location has the right fingerprint. We also use fingerprint to look
1111 up the bridge descriptor at the bridge authority, if it’s provided
1112 and if UpdateBridgesFromAuthority is set too.
1113 If "transport" is provided, it must match a ClientTransportPlugin
1116 line. We then use that pluggable transport’s proxy to transfer data
1117 to the bridge, rather than connecting to the bridge directly. Some
1118 transports use a transport-specific method to work out the remote
1119 address to connect to. These transports typically ignore the
1120 "IP:ORPort" specified in the bridge line.
1121 Tor passes any "key=val" settings to the pluggable transport proxy
1124 as per-connection arguments when connecting to the bridge. Consult
1125 the documentation of the pluggable transport for details of what
1126 arguments it supports.
1127 CircuitPadding 0|1
1129 If set to 0, Tor will not pad client circuits with additional cover
1130 traffic. Only clients may set this option. This option should be
1131 offered via the UI to mobile users for use where bandwidth may be
1132 expensive. If set to 1, padding will be negotiated as per the
1133 consensus and relay support (unlike ConnectionPadding,
1134 CircuitPadding cannot be force-enabled). (Default: 1)
1135 ReducedCircuitPadding 0|1
1137 If set to 1, Tor will only use circuit padding algorithms that have
1138 low overhead. Only clients may set this option. This option should
1139 be offered via the UI to mobile users for use where bandwidth may
1140 be expensive. (Default: 0)
1141 ClientBootstrapConsensusAuthorityDownloadInitialDelay N
1143 Initial delay in seconds for when clients should download
1144 consensuses from authorities if they are bootstrapping (that is,
1145 they don’t have a usable, reasonably live consensus). Only used by
1146 clients fetching from a list of fallback directory mirrors. This
1147 schedule is advanced by (potentially concurrent) connection
1148 attempts, unlike other schedules, which are advanced by connection
1149 failures. (Default: 6)
1150 ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay N
1152 Initial delay in seconds for when clients should download
1153 consensuses from authorities if they are bootstrapping (that is,
1154 they don’t have a usable, reasonably live consensus). Only used by
1155 clients which don’t have or won’t fetch from a list of fallback
1156 directory mirrors. This schedule is advanced by (potentially
1157 concurrent) connection attempts, unlike other schedules, which are
1158 advanced by connection failures. (Default: 0)
1159 ClientBootstrapConsensusFallbackDownloadInitialDelay N
1161 Initial delay in seconds for when clients should download
1162 consensuses from fallback directory mirrors if they are
1163 bootstrapping (that is, they don’t have a usable, reasonably live
1164 consensus). Only used by clients fetching from a list of fallback
1165 directory mirrors. This schedule is advanced by (potentially
1166 concurrent) connection attempts, unlike other schedules, which are
1167 advanced by connection failures. (Default: 0)
1168 ClientBootstrapConsensusMaxInProgressTries NUM
1170 Try this many simultaneous connections to download a consensus
1171 before waiting for one to complete, timeout, or error out.
1172 (Default: 3)
1173 ClientDNSRejectInternalAddresses 0|1
1175 If true, Tor does not believe any anonymously retrieved DNS answer
1176 that tells it that an address resolves to an internal address (like
1177 127.0.0.1 or 192.168.0.1). This option prevents certain
1178 browser-based attacks; it is not allowed to be set on the default
1179 network. (Default: 1)
1180 ClientOnionAuthDir path
1182 Path to the directory containing v3 hidden service authorization
1183 files. Each file is for a single onion address, and the files MUST
1184 have the suffix ".auth_private" (i.e. "bob_onion.auth_private").
1185 The content format MUST be:
1186 <onion-address>:descriptor:x25519:<base32-encoded-privkey>
1188 The <onion-address> MUST NOT have the ".onion" suffix. The
1190 <base32-encoded-privkey> is the base32 representation of the raw
1191 key bytes only (32 bytes for x25519). See Appendix G in the
1192 rend-spec-v3.txt file of torspec for more information.
1193 ClientOnly 0|1
1195 If set to 1, Tor will not run as a relay or serve directory
1196 requests, even if the ORPort, ExtORPort, or DirPort options are
1197 set. (This config option is mostly unnecessary: we added it back
1198 when we were considering having Tor clients auto-promote themselves
1199 to being relays if they were stable and fast enough. The current
1200 behavior is simply that Tor is a client unless ORPort, ExtORPort,
1201 or DirPort are configured.) (Default: 0)
1202 ClientPreferIPv6DirPort 0|1|auto
1204 If this option is set to 1, Tor prefers a directory port with an
1205 IPv6 address over one with IPv4, for direct connections, if a given
1206 directory server has both. (Tor also prefers an IPv6 DirPort if
1207 IPv4Client is set to 0.) If this option is set to auto, clients
1208 prefer IPv4. Other things may influence the choice. This option
1209 breaks a tie to the favor of IPv6. (Default: auto) (DEPRECATED:
1210 This option has had no effect for some time.)
1211 ClientPreferIPv6ORPort 0|1|auto
1213 If this option is set to 1, Tor prefers an OR port with an IPv6
1214 address over one with IPv4 if a given entry node has both. (Tor
1215 also prefers an IPv6 ORPort if IPv4Client is set to 0.) If this
1216 option is set to auto, Tor bridge clients prefer the configured
1217 bridge address, and other clients prefer IPv4. Other things may
1218 influence the choice. This option breaks a tie to the favor of
1219 IPv6. (Default: auto)
1220 ClientRejectInternalAddresses 0|1
1222 If true, Tor does not try to fulfill requests to connect to an
1223 internal address (like 127.0.0.1 or 192.168.0.1) unless an exit
1224 node is specifically requested (for example, via a .exit hostname,
1225 or a controller request). If true, multicast DNS hostnames for
1226 machines on the local network (of the form *.local) are also
1227 rejected. (Default: 1)
1228 ClientUseIPv4 0|1
1230 If this option is set to 0, Tor will avoid connecting to directory
1231 servers and entry nodes over IPv4. Note that clients with an IPv4
1232 address in a Bridge, proxy, or pluggable transport line will try
1233 connecting over IPv4 even if ClientUseIPv4 is set to 0. (Default:
1234 1)
1235 ClientUseIPv6 0|1
1237 If this option is set to 1, Tor might connect to directory servers
1238 or entry nodes over IPv6. For IPv6 only hosts, you need to also set
1239 ClientUseIPv4 to 0 to disable IPv4. Note that clients configured
1240 with an IPv6 address in a Bridge, proxy, or pluggable transportline
1241 will try connecting over IPv6 even if ClientUseIPv6 is set to 0.
1242 (Default: 0)
1243 ConnectionPadding 0|1|auto
1245 This option governs Tor’s use of padding to defend against some
1246 forms of traffic analysis. If it is set to auto, Tor will send
1247 padding only if both the client and the relay support it. If it is
1248 set to 0, Tor will not send any padding cells. If it is set to 1,
1249 Tor will still send padding for client connections regardless of
1250 relay support. Only clients may set this option. This option should
1251 be offered via the UI to mobile users for use where bandwidth may
1252 be expensive. (Default: auto)
1253 ReducedConnectionPadding 0|1
1255 If set to 1, Tor will not not hold OR connections open for very
1256 long, and will send less padding on these connections. Only clients
1257 may set this option. This option should be offered via the UI to
1258 mobile users for use where bandwidth may be expensive. (Default: 0)
1259 DNSPort [address:]port|auto [isolation flags]
1261 If non-zero, open this port to listen for UDP DNS requests, and
1262 resolve them anonymously. This port only handles A, AAAA, and PTR
1263 requests---it doesn’t handle arbitrary DNS request types. Set the
1264 port to "auto" to have Tor pick a port for you. This directive can
1265 be specified multiple times to bind to multiple addresses/ports.
1266 See SocksPort for an explanation of isolation flags. (Default: 0)
1267 DownloadExtraInfo 0|1
1269 If true, Tor downloads and caches "extra-info" documents. These
1270 documents contain information about servers other than the
1271 information in their regular server descriptors. Tor does not use
1272 this information for anything itself; to save bandwidth, leave this
1273 option turned off. (Default: 0)
1274 EnforceDistinctSubnets 0|1
1276 If 1, Tor will not put two servers whose IP addresses are "too
1277 close" on the same circuit. Currently, two addresses are "too
1278 close" if they lie in the same /16 range. (Default: 1)
1279 FascistFirewall 0|1
1281 If 1, Tor will only create outgoing connections to ORs running on
1282 ports that your firewall allows (defaults to 80 and 443; see
1283 FirewallPorts). This will allow you to run Tor as a client behind a
1284 firewall with restrictive policies, but will not allow you to run
1285 as a server behind such a firewall. If you prefer more fine-grained
1286 control, use ReachableAddresses instead.
1287 FirewallPorts PORTS
1289 A list of ports that your firewall allows you to connect to. Only
1290 used when FascistFirewall is set. This option is deprecated; use
1291 ReachableAddresses instead. (Default: 80, 443)
1292 HTTPTunnelPort [address:]port|auto [isolation flags]
1294 Open this port to listen for proxy connections using the "HTTP
1295 CONNECT" protocol instead of SOCKS. Set this to 0 if you don’t want
1296 to allow "HTTP CONNECT" connections. Set the port to "auto" to have
1297 Tor pick a port for you. This directive can be specified multiple
1298 times to bind to multiple addresses/ports. If multiple entries of
1299 this option are present in your configuration file, Tor will
1300 perform stream isolation between listeners by default. See
1301 SocksPort for an explanation of isolation flags. (Default: 0)
1302 LongLivedPorts PORTS
1304 A list of ports for services that tend to have long-running
1305 connections (e.g. chat and interactive shells). Circuits for
1306 streams that use these ports will contain only high-uptime nodes,
1307 to reduce the chance that a node will go down before the stream is
1308 finished. Note that the list is also honored for circuits (both
1309 client and service side) involving hidden services whose virtual
1310 port is in this list. (Default: 21, 22, 706, 1863, 5050, 5190,
1311 5222, 5223, 6523, 6667, 6697, 8300)
1312 MapAddress address newaddress
1314 When a request for address arrives to Tor, it will transform to
1315 newaddress before processing it. For example, if you always want
1316 connections to www.example.com to exit via torserver (where
1317 torserver is the fingerprint of the server), use "MapAddress
1318 www.example.com www.example.com.torserver.exit". If the value is
1319 prefixed with a "*.", matches an entire domain. For example, if you
1320 always want connections to example.com and any if its subdomains to
1321 exit via torserver (where torserver is the fingerprint of the
1322 server), use "MapAddress *.example.com
1323 *.example.com.torserver.exit". (Note the leading "*." in each part
1324 of the directive.) You can also redirect all subdomains of a domain
1325 to a single address. For example, "MapAddress *.example.com
1326 www.example.com". If the specified exit is not available, or the
1327 exit can not connect to the site, Tor will fail any connections to
1328 the mapped address.+
1329 NOTES:
1331 1. When evaluating MapAddress expressions Tor stops when it hits
1333 the most recently added expression that matches the requested
1334 address. So if you have the following in your torrc,
1335 www.torproject.org will map to 198.51.100.1:
1336 MapAddress www.torproject.org 192.0.2.1
1338 MapAddress www.torproject.org 198.51.100.1
1339 2. Tor evaluates the MapAddress configuration until it finds no
1341 matches. So if you have the following in your torrc,
1342 www.torproject.org will map to 203.0.113.1:
1343 MapAddress 198.51.100.1 203.0.113.1
1345 MapAddress www.torproject.org 198.51.100.1
1346 3. The following MapAddress expression is invalid (and will be
1348 ignored) because you cannot map from a specific address to a
1349 wildcard address:
1350 MapAddress www.torproject.org *.torproject.org.torserver.exit
1352 4. Using a wildcard to match only part of a string (as in
1354 *ample.com) is also invalid.
1355 5. Tor maps hostnames and IP addresses separately. If you
1357 MapAddress a DNS name, but use an IP address to connect, then
1358 Tor will ignore the DNS name mapping.
1359 6. MapAddress does not apply to redirects in the application
1361 protocol. For example, HTTP redirects and alt-svc headers will
1362 ignore mappings for the original address. You can use a
1363 wildcard mapping to handle redirects within the same site.
1364 MaxCircuitDirtiness NUM
1366 Feel free to reuse a circuit that was first used at most NUM
1367 seconds ago, but never attach a new stream to a circuit that is too
1368 old. For hidden services, this applies to the last time a circuit
1369 was used, not the first. Circuits with streams constructed with
1370 SOCKS authentication via SocksPorts that have
1371 KeepAliveIsolateSOCKSAuth also remain alive for MaxCircuitDirtiness
1372 seconds after carrying the last such stream. (Default: 10 minutes)
1373 MaxClientCircuitsPending NUM
1375 Do not allow more than NUM circuits to be pending at a time for
1376 handling client streams. A circuit is pending if we have begun
1377 constructing it, but it has not yet been completely constructed.
1378 (Default: 32)
1379 NATDPort [address:]port|auto [isolation flags]
1381 Open this port to listen for connections from old versions of ipfw
1382 (as included in old versions of FreeBSD, etc) using the NATD
1383 protocol. Use 0 if you don’t want to allow NATD connections. Set
1384 the port to "auto" to have Tor pick a port for you. This directive
1385 can be specified multiple times to bind to multiple
1386 addresses/ports. If multiple entries of this option are present in
1387 your configuration file, Tor will perform stream isolation between
1388 listeners by default. See SocksPort for an explanation of isolation
1389 flags.
1390 This option is only for people who cannot use TransPort. (Default:
1393 0)
1394 NewCircuitPeriod NUM
1396 Every NUM seconds consider whether to build a new circuit.
1397 (Default: 30 seconds)
1398 PathBiasCircThreshold NUM
1400 PathBiasDropGuards NUM
1402 PathBiasExtremeRate NUM
1404 PathBiasNoticeRate NUM
1406 PathBiasWarnRate NUM
1408 PathBiasScaleThreshold NUM
1410 These options override the default behavior of Tor’s (currently
1411 experimental) path bias detection algorithm. To try to find broken
1412 or misbehaving guard nodes, Tor looks for nodes where more than a
1413 certain fraction of circuits through that guard fail to get built.
1414 The PathBiasCircThreshold option controls how many circuits we need
1417 to build through a guard before we make these checks. The
1418 PathBiasNoticeRate, PathBiasWarnRate and PathBiasExtremeRate
1419 options control what fraction of circuits must succeed through a
1420 guard so we won’t write log messages. If less than
1421 PathBiasExtremeRate circuits succeed and PathBiasDropGuards is set
1422 to 1, we disable use of that guard.
1423 When we have seen more than PathBiasScaleThreshold circuits through
1426 a guard, we scale our observations by 0.5 (governed by the
1427 consensus) so that new observations don’t get swamped by old ones.
1428 By default, or if a negative value is provided for one of these
1431 options, Tor uses reasonable defaults from the networkstatus
1432 consensus document. If no defaults are available there, these
1433 options default to 150, .70, .50, .30, 0, and 300 respectively.
1434 PathBiasUseThreshold NUM
1436 PathBiasNoticeUseRate NUM
1438 PathBiasExtremeUseRate NUM
1440 PathBiasScaleUseThreshold NUM
1442 Similar to the above options, these options override the default
1443 behavior of Tor’s (currently experimental) path use bias detection
1444 algorithm.
1445 Where as the path bias parameters govern thresholds for
1448 successfully building circuits, these four path use bias parameters
1449 govern thresholds only for circuit usage. Circuits which receive no
1450 stream usage are not counted by this detection algorithm. A used
1451 circuit is considered successful if it is capable of carrying
1452 streams or otherwise receiving well-formed responses to RELAY
1453 cells.
1454 By default, or if a negative value is provided for one of these
1457 options, Tor uses reasonable defaults from the networkstatus
1458 consensus document. If no defaults are available there, these
1459 options default to 20, .80, .60, and 100, respectively.
1460 PathsNeededToBuildCircuits NUM
1462 Tor clients don’t build circuits for user traffic until they know
1463 about enough of the network so that they could potentially
1464 construct enough of the possible paths through the network. If this
1465 option is set to a fraction between 0.25 and 0.95, Tor won’t build
1466 circuits until it has enough descriptors or microdescriptors to
1467 construct that fraction of possible paths. Note that setting this
1468 option too low can make your Tor client less anonymous, and setting
1469 it too high can prevent your Tor client from bootstrapping. If this
1470 option is negative, Tor will use a default value chosen by the
1471 directory authorities. If the directory authorities do not choose a
1472 value, Tor will default to 0.6. (Default: -1)
1473 ReachableAddresses IP[/MASK][:PORT]...
1475 A comma-separated list of IP addresses and ports that your firewall
1476 allows you to connect to. The format is as for the addresses in
1477 ExitPolicy, except that "accept" is understood unless "reject" is
1478 explicitly provided. For example, 'ReachableAddresses 99.0.0.0/8,
1479 reject 18.0.0.0/8:80, accept *:80' means that your firewall allows
1480 connections to everything inside net 99, rejects port 80
1481 connections to net 18, and accepts connections to port 80
1482 otherwise. (Default: 'accept *:*'.)
1483 ReachableDirAddresses IP[/MASK][:PORT]...
1485 Like ReachableAddresses, a list of addresses and ports. Tor will
1486 obey these restrictions when fetching directory information, using
1487 standard HTTP GET requests. If not set explicitly then the value of
1488 ReachableAddresses is used. If HTTPProxy is set then these
1489 connections will go through that proxy. (DEPRECATED: This option
1490 has had no effect for some time.)
1491 ReachableORAddresses IP[/MASK][:PORT]...
1493 Like ReachableAddresses, a list of addresses and ports. Tor will
1494 obey these restrictions when connecting to Onion Routers, using
1495 TLS/SSL. If not set explicitly then the value of ReachableAddresses
1496 is used. If HTTPSProxy is set then these connections will go
1497 through that proxy.
1498 The separation between ReachableORAddresses and
1501 ReachableDirAddresses is only interesting when you are connecting
1502 through proxies (see HTTPProxy and HTTPSProxy). Most proxies limit
1503 TLS connections (which Tor uses to connect to Onion Routers) to
1504 port 443, and some limit HTTP GET requests (which Tor uses for
1505 fetching directory information) to port 80.
1506 SafeSocks 0|1
1508 When this option is enabled, Tor will reject application
1509 connections that use unsafe variants of the socks protocol — ones
1510 that only provide an IP address, meaning the application is doing a
1511 DNS resolve first. Specifically, these are socks4 and socks5 when
1512 not doing remote DNS. (Default: 0)
1513 TestSocks 0|1
1515 When this option is enabled, Tor will make a notice-level log entry
1516 for each connection to the Socks port indicating whether the
1517 request used a safe socks protocol or an unsafe one (see
1518 SafeSocks). This helps to determine whether an application using
1519 Tor is possibly leaking DNS requests. (Default: 0)
1520 WarnPlaintextPorts port,port,...
1522 Tells Tor to issue a warnings whenever the user tries to make an
1523 anonymous connection to one of these ports. This option is designed
1524 to alert users to services that risk sending passwords in the
1525 clear. (Default: 23,109,110,143)
1526 RejectPlaintextPorts port,port,...
1528 Like WarnPlaintextPorts, but instead of warning about risky port
1529 uses, Tor will instead refuse to make the connection. (Default:
1530 None)
1531 SocksPolicy policy,policy,...
1533 Set an entrance policy for this server, to limit who can connect to
1534 the SocksPort and DNSPort ports. The policies have the same form as
1535 exit policies below, except that port specifiers are ignored. Any
1536 address not matched by some entry in the policy is accepted.
1537 SocksPort [address:]port|unix:path|auto [flags] [isolation flags]
1539 Open this port to listen for connections from SOCKS-speaking
1540 applications. Set this to 0 if you don’t want to allow application
1541 connections via SOCKS. Set it to "auto" to have Tor pick a port for
1542 you. This directive can be specified multiple times to bind to
1543 multiple addresses/ports. If a unix domain socket is used, you may
1544 quote the path using standard C escape sequences. Most flags are
1545 off by default, except where specified. Flags that are on by
1546 default can be disabled by putting "No" before the flag name.
1547 (Default: 9050)
1548 NOTE: Although this option allows you to specify an IP address
1551 other than localhost, you should do so only with extreme caution.
1552 The SOCKS protocol is unencrypted and (as we use it)
1553 unauthenticated, so exposing it in this way could leak your
1554 information to anybody watching your network, and allow anybody to
1555 use your computer as an open proxy.
1556 If multiple entries of this option are present in your
1559 configuration file, Tor will perform stream isolation between
1560 listeners by default. The isolation flags arguments give Tor rules
1561 for which streams received on this SocksPort are allowed to share
1562 circuits with one another. Recognized isolation flags are:
1563 IsolateClientAddr
1565 Don’t share circuits with streams from a different client
1566 address. (On by default and strongly recommended when
1567 supported; you can disable it with NoIsolateClientAddr.
1568 Unsupported and force-disabled when using Unix domain sockets.)
1569 IsolateSOCKSAuth
1571 Don’t share circuits with streams for which different SOCKS
1572 authentication was provided. (For HTTPTunnelPort connections,
1573 this option looks at the Proxy-Authorization and
1574 X-Tor-Stream-Isolation headers. On by default; you can disable
1575 it with NoIsolateSOCKSAuth.)
1576 IsolateClientProtocol
1578 Don’t share circuits with streams using a different protocol.
1579 (SOCKS 4, SOCKS 5, HTTPTunnelPort connections, TransPort
1580 connections, NATDPort connections, and DNSPort requests are all
1581 considered to be different protocols.)
1582 IsolateDestPort
1584 Don’t share circuits with streams targeting a different
1585 destination port.
1586 IsolateDestAddr
1588 Don’t share circuits with streams targeting a different
1589 destination address.
1590 KeepAliveIsolateSOCKSAuth
1592 If IsolateSOCKSAuth is enabled, keep alive circuits while they
1593 have at least one stream with SOCKS authentication active.
1594 After such a circuit is idle for more than MaxCircuitDirtiness
1595 seconds, it can be closed.
1596 SessionGroup=INT
1598 If no other isolation rules would prevent it, allow streams on
1599 this port to share circuits with streams from every other port
1600 with the same session group. (By default, streams received on
1601 different SocksPorts, TransPorts, etc are always isolated from
1602 one another. This option overrides that behavior.)
1603 Other recognized flags for a SocksPort are:
1605 NoIPv4Traffic
1607 Tell exits to not connect to IPv4 addresses in response to
1608 SOCKS requests on this connection.
1609 IPv6Traffic
1611 Tell exits to allow IPv6 addresses in response to SOCKS
1612 requests on this connection, so long as SOCKS5 is in use.
1613 (SOCKS4 can’t handle IPv6.)
1614 PreferIPv6
1616 Tells exits that, if a host has both an IPv4 and an IPv6
1617 address, we would prefer to connect to it via IPv6. (IPv4 is
1618 the default.)
1619 NoDNSRequest
1621 Do not ask exits to resolve DNS addresses in SOCKS5 requests.
1622 Tor will connect to IPv4 addresses, IPv6 addresses (if
1623 IPv6Traffic is set) and .onion addresses.
1624 NoOnionTraffic
1626 Do not connect to .onion addresses in SOCKS5 requests.
1627 OnionTrafficOnly
1629 Tell the tor client to only connect to .onion addresses in
1630 response to SOCKS5 requests on this connection. This is
1631 equivalent to NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic. The
1632 corresponding NoOnionTrafficOnly flag is not supported.
1633 CacheIPv4DNS
1635 Tells the client to remember IPv4 DNS answers we receive from
1636 exit nodes via this connection.
1637 CacheIPv6DNS
1639 Tells the client to remember IPv6 DNS answers we receive from
1640 exit nodes via this connection.
1641 GroupWritable
1643 Unix domain sockets only: makes the socket get created as
1644 group-writable.
1645 WorldWritable
1647 Unix domain sockets only: makes the socket get created as
1648 world-writable.
1649 CacheDNS
1651 Tells the client to remember all DNS answers we receive from
1652 exit nodes via this connection.
1653 UseIPv4Cache
1655 Tells the client to use any cached IPv4 DNS answers we have
1656 when making requests via this connection. (NOTE: This option,
1657 or UseIPv6Cache or UseDNSCache, can harm your anonymity, and
1658 probably won’t help performance as much as you might expect.
1659 Use with care!)
1660 UseIPv6Cache
1662 Tells the client to use any cached IPv6 DNS answers we have
1663 when making requests via this connection.
1664 UseDNSCache
1666 Tells the client to use any cached DNS answers we have when
1667 making requests via this connection.
1668 NoPreferIPv6Automap
1670 When serving a hostname lookup request on this port that should
1671 get automapped (according to AutomapHostsOnResolve), if we
1672 could return either an IPv4 or an IPv6 answer, prefer an IPv4
1673 answer. (Tor prefers IPv6 by default.)
1674 PreferSOCKSNoAuth
1676 Ordinarily, when an application offers both "username/password
1677 authentication" and "no authentication" to Tor via SOCKS5, Tor
1678 selects username/password authentication so that
1679 IsolateSOCKSAuth can work. This can confuse some applications,
1680 if they offer a username/password combination then get confused
1681 when asked for one. You can disable this behavior, so that Tor
1682 will select "No authentication" when IsolateSOCKSAuth is
1683 disabled, or when this option is set.
1684 ExtendedErrors
1686 Return extended error code in the SOCKS reply. So far, the
1687 possible errors are:
1688 X'F0' Onion Service Descriptor Can Not be Found
1690 The requested onion service descriptor can't be found on the
1692 hashring and thus not reachable by the client. (v3 only)
1693 X'F1' Onion Service Descriptor Is Invalid
1695 The requested onion service descriptor can't be parsed or
1697 signature validation failed. (v3 only)
1698 X'F2' Onion Service Introduction Failed
1700 All introduction attempts failed either due to a combination of
1702 NACK by the intro point or time out. (v3 only)
1703 X'F3' Onion Service Rendezvous Failed
1705 Every rendezvous circuit has timed out and thus the client is
1707 unable to rendezvous with the service. (v3 only)
1708 X'F4' Onion Service Missing Client Authorization
1710 Client was able to download the requested onion service descriptor
1712 but is unable to decrypt its content because it is missing client
1713 authorization information. (v3 only)
1714 X'F5' Onion Service Wrong Client Authorization
1716 Client was able to download the requested onion service descriptor
1718 but is unable to decrypt its content using the client
1719 authorization information it has. This means the client access
1720 were revoked. (v3 only)
1721 X'F6' Onion Service Invalid Address
1723 The given .onion address is invalid. In one of these cases this
1725 error is returned: address checksum doesn't match, ed25519 public
1726 key is invalid or the encoding is invalid. (v3 only)
1727 X'F7' Onion Service Introduction Timed Out
1729 Similar to X'F2' code but in this case, all introduction attempts
1731 have failed due to a time out. (v3 only)
1732 Flags are processed left to right. If flags conflict, the last flag
1734 on the line is used, and all earlier flags are ignored. No error is
1735 issued for conflicting flags.
1736 TokenBucketRefillInterval NUM [msec|second]
1738 Set the refill delay interval of Tor’s token bucket to NUM
1739 milliseconds. NUM must be between 1 and 1000, inclusive. When Tor
1740 is out of bandwidth, on a connection or globally, it will wait up
1741 to this long before it tries to use that connection again. Note
1742 that bandwidth limits are still expressed in bytes per second: this
1743 option only affects the frequency with which Tor checks to see
1744 whether previously exhausted connections may read again. Can not be
1745 changed while tor is running. (Default: 100 msec)
1746 TrackHostExits host,.domain,...
1748 For each value in the comma separated list, Tor will track recent
1749 connections to hosts that match this value and attempt to reuse the
1750 same exit node for each. If the value is prepended with a '.', it
1751 is treated as matching an entire domain. If one of the values is
1752 just a '.', it means match everything. This option is useful if you
1753 frequently connect to sites that will expire all your
1754 authentication cookies (i.e. log you out) if your IP address
1755 changes. Note that this option does have the disadvantage of making
1756 it more clear that a given history is associated with a single
1757 user. However, most people who would wish to observe this will
1758 observe it through cookies or other protocol-specific means anyhow.
1759 TrackHostExitsExpire NUM
1761 Since exit servers go up and down, it is desirable to expire the
1762 association between host and exit server after NUM seconds. The
1763 default is 1800 seconds (30 minutes).
1764 TransPort [address:]port|auto [isolation flags]
1766 Open this port to listen for transparent proxy connections. Set
1767 this to 0 if you don’t want to allow transparent proxy connections.
1768 Set the port to "auto" to have Tor pick a port for you. This
1769 directive can be specified multiple times to bind to multiple
1770 addresses/ports. If multiple entries of this option are present in
1771 your configuration file, Tor will perform stream isolation between
1772 listeners by default. See SocksPort for an explanation of isolation
1773 flags.
1774 TransPort requires OS support for transparent proxies, such as
1777 BSDs' pf or Linux’s IPTables. If you’re planning to use Tor as a
1778 transparent proxy for a network, you’ll want to examine and change
1779 VirtualAddrNetwork from the default setting. (Default: 0)
1780 TransProxyType default|TPROXY|ipfw|pf-divert
1782 TransProxyType may only be enabled when there is transparent proxy
1783 listener enabled.
1784 Set this to "TPROXY" if you wish to be able to use the TPROXY Linux
1787 module to transparently proxy connections that are configured using
1788 the TransPort option. Detailed information on how to configure the
1789 TPROXY feature can be found in the Linux kernel source tree in the
1790 file Documentation/networking/tproxy.txt.
1791 Set this option to "ipfw" to use the FreeBSD ipfw interface.
1794 On *BSD operating systems when using pf, set this to "pf-divert" to
1797 take advantage of divert-to rules, which do not modify the packets
1798 like rdr-to rules do. Detailed information on how to configure pf
1799 to use divert-to rules can be found in the pf.conf(5) manual page.
1800 On OpenBSD, divert-to is available to use on versions greater than
1801 or equal to OpenBSD 4.4.
1802 Set this to "default", or leave it unconfigured, to use regular
1805 IPTables on Linux, or to use pf rdr-to rules on *BSD systems.
1806 (Default: "default")
1809 UpdateBridgesFromAuthority 0|1
1811 When set (along with UseBridges), Tor will try to fetch bridge
1812 descriptors from the configured bridge authorities when feasible.
1813 It will fall back to a direct request if the authority responds
1814 with a 404. (Default: 0)
1815 UseBridges 0|1
1817 When set, Tor will fetch descriptors for each bridge listed in the
1818 "Bridge" config lines, and use these relays as both entry guards
1819 and directory guards. (Default: 0)
1820 UseEntryGuards 0|1
1822 If this option is set to 1, we pick a few long-term entry servers,
1823 and try to stick with them. This is desirable because constantly
1824 changing servers increases the odds that an adversary who owns some
1825 servers will observe a fraction of your paths. Entry Guards can not
1826 be used by Directory Authorities or Single Onion Services. In these
1827 cases, this option is ignored. (Default: 1)
1828 UseGuardFraction 0|1|auto
1830 This option specifies whether clients should use the guardfraction
1831 information found in the consensus during path selection. If it’s
1832 set to auto, clients will do what the UseGuardFraction consensus
1833 parameter tells them to do. (Default: auto)
1834 GuardLifetime N days|weeks|months
1836 If UseEntryGuards is set, minimum time to keep a guard on our guard
1837 list before picking a new one. If less than one day, we use
1838 defaults from the consensus directory. (Default: 0)
1839 NumDirectoryGuards NUM
1841 If UseEntryGuards is set to 1, we try to make sure we have at least
1842 NUM routers to use as directory guards. If this option is set to 0,
1843 use the value from the guard-n-primary-dir-guards-to-use consensus
1844 parameter, and default to 3 if the consensus parameter isn’t set.
1845 (Default: 0)
1846 NumEntryGuards NUM
1848 If UseEntryGuards is set to 1, we will try to pick a total of NUM
1849 routers as long-term entries for our circuits. If NUM is 0, we try
1850 to learn the number from the guard-n-primary-guards-to-use
1851 consensus parameter, and default to 1 if the consensus parameter
1852 isn’t set. (Default: 0)
1853 NumPrimaryGuards NUM
1855 If UseEntryGuards is set to 1, we will try to pick NUM routers for
1856 our primary guard list, which is the set of routers we strongly
1857 prefer when connecting to the Tor network. If NUM is 0, we try to
1858 learn the number from the guard-n-primary-guards consensus
1859 parameter, and default to 3 if the consensus parameter isn’t set.
1860 (Default: 0)
1861 UseMicrodescriptors 0|1|auto
1863 Microdescriptors are a smaller version of the information that Tor
1864 needs in order to build its circuits. Using microdescriptors makes
1865 Tor clients download less directory information, thus saving
1866 bandwidth. Directory caches need to fetch regular descriptors and
1867 microdescriptors, so this option doesn’t save any bandwidth for
1868 them. For legacy reasons, auto is accepted, but it has the same
1869 effect as 1. (Default: auto)
1870 VirtualAddrNetworkIPv4 IPv4Address/bits
1872 VirtualAddrNetworkIPv6 [IPv6Address]/bits
1874 When Tor needs to assign a virtual (unused) address because of a
1875 MAPADDRESS command from the controller or the AutomapHostsOnResolve
1876 feature, Tor picks an unassigned address from this range.
1877 (Defaults: 127.192.0.0/10 and [FE80::]/10 respectively.)
1878 When providing proxy server service to a network of computers using
1881 a tool like dns-proxy-tor, change the IPv4 network to
1882 "10.192.0.0/10" or "172.16.0.0/12" and change the IPv6 network to
1883 "[FC00::]/7". The default VirtualAddrNetwork address ranges on a
1884 properly configured machine will route to the loopback or
1885 link-local interface. The maximum number of bits for the network
1886 prefix is set to 104 for IPv6 and 16 for IPv4. However, a larger
1887 network (that is, one with a smaller prefix length) is preferable,
1888 since it reduces the chances for an attacker to guess the used IP.
1889 For local use, no change to the default VirtualAddrNetwork setting
1890 is needed.
1891
1893 The following options are useful for configuring timeouts related to
1894 building Tor circuits and using them:
1895 CircuitsAvailableTimeout NUM
1897 Tor will attempt to keep at least one open, unused circuit
1898 available for this amount of time. This option governs how long
1899 idle circuits are kept open, as well as the amount of time Tor will
1900 keep a circuit open to each of the recently used ports. This way
1901 when the Tor client is entirely idle, it can expire all of its
1902 circuits, and then expire its TLS connections. Note that the actual
1903 timeout value is uniformly randomized from the specified value to
1904 twice that amount. (Default: 30 minutes; Max: 24 hours)
1905 LearnCircuitBuildTimeout 0|1
1907 If 0, CircuitBuildTimeout adaptive learning is disabled. (Default:
1908 1)
1909 CircuitBuildTimeout NUM
1911 Try for at most NUM seconds when building circuits. If the circuit
1912 isn’t open in that time, give up on it. If LearnCircuitBuildTimeout
1913 is 1, this value serves as the initial value to use before a
1914 timeout is learned. If LearnCircuitBuildTimeout is 0, this value is
1915 the only value used. (Default: 60 seconds)
1916 CircuitStreamTimeout NUM
1918 If non-zero, this option overrides our internal timeout schedule
1919 for how many seconds until we detach a stream from a circuit and
1920 try a new circuit. If your network is particularly slow, you might
1921 want to set this to a number like 60. (Default: 0)
1922 SocksTimeout NUM
1924 Let a socks connection wait NUM seconds handshaking, and NUM
1925 seconds unattached waiting for an appropriate circuit, before we
1926 fail it. (Default: 2 minutes)
1927
1929 Tor can enter dormant mode to conserve power and network bandwidth. The
1930 following options control when Tor enters and leaves dormant mode:
1931 DormantCanceledByStartup 0|1
1933 By default, Tor starts in active mode if it was active the last
1934 time it was shut down, and in dormant mode if it was dormant. But
1935 if this option is true, Tor treats every startup event as user
1936 activity, and Tor will never start in Dormant mode, even if it has
1937 been unused for a long time on previous runs. (Default: 0)
1938 Note: Packagers and application developers should change the value
1940 of this option only with great caution: it has the potential to
1941 create spurious traffic on the network. This option should only be
1942 used if Tor is started by an affirmative user activity (like
1943 clicking on an application or running a command), and not if Tor is
1944 launched for some other reason (for example, by a startup process,
1945 or by an application that launches itself on every login.)
1946 DormantClientTimeout N minutes|hours|days|weeks
1948 If Tor spends this much time without any client activity, enter a
1949 dormant state where automatic circuits are not built, and directory
1950 information is not fetched. Does not affect servers or onion
1951 services. Must be at least 10 minutes. (Default: 24 hours)
1952 DormantOnFirstStartup 0|1
1954 If true, then the first time Tor starts up with a fresh
1955 DataDirectory, it starts in dormant mode, and takes no actions
1956 until the user has made a request. (This mode is recommended if
1957 installing a Tor client for a user who might not actually use it.)
1958 If false, Tor bootstraps the first time it is started, whether it
1959 sees a user request or not.
1960 After the first time Tor starts, it begins in dormant mode if it
1962 was dormant before, and not otherwise. (Default: 0)
1963 DormantTimeoutDisabledByIdleStreams 0|1
1965 If true, then any open client stream (even one not reading or
1966 writing) counts as client activity for the purpose of
1967 DormantClientTimeout. If false, then only network activity counts.
1968 (Default: 1)
1969 DormantTimeoutEnabled 0|1
1971 If false, then no amount of time without activity is sufficient to
1972 make Tor go dormant. Setting this option to zero is only
1973 recommended for special-purpose applications that need to use the
1974 Tor binary for something other than sending or receiving Tor
1975 traffic. (Default: 1)
1976
1978 The following options restrict the nodes that a tor client (or onion
1979 service) can use while building a circuit. These options can weaken
1980 your anonymity by making your client behavior different from other Tor
1981 clients:
1982 EntryNodes node,node,...
1984 A list of identity fingerprints and country codes of nodes to use
1985 for the first hop in your normal circuits. Normal circuits include
1986 all circuits except for direct connections to directory servers.
1987 The Bridge option overrides this option; if you have configured
1988 bridges and UseBridges is 1, the Bridges are used as your entry
1989 nodes.
1990 This option can appear multiple times: the values from multiple
1993 lines are spliced together.
1994 The ExcludeNodes option overrides this option: any node listed in
1997 both EntryNodes and ExcludeNodes is treated as excluded. See
1998 ExcludeNodes for more information on how to specify nodes.
1999 ExcludeNodes node,node,...
2001 A list of identity fingerprints, country codes, and address
2002 patterns of nodes to avoid when building a circuit. Country codes
2003 are 2-letter ISO3166 codes, and must be wrapped in braces;
2004 fingerprints may be preceded by a dollar sign. (Example:
2005 ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc},
2006 255.254.0.0/8)
2007 This option can appear multiple times: the values from multiple
2010 lines are spliced together.
2011 By default, this option is treated as a preference that Tor is
2014 allowed to override in order to keep working. For example, if you
2015 try to connect to a hidden service, but you have excluded all of
2016 the hidden service’s introduction points, Tor will connect to one
2017 of them anyway. If you do not want this behavior, set the
2018 StrictNodes option (documented below).
2019 Note also that if you are a relay, this (and the other node
2022 selection options below) only affects your own circuits that Tor
2023 builds for you. Clients can still build circuits through you to any
2024 node. Controllers can tell Tor to build circuits through any node.
2025 Country codes are case-insensitive. The code "{??}" refers to nodes
2028 whose country can’t be identified. No country code, including {??},
2029 works if no GeoIPFile can be loaded. See also the
2030 GeoIPExcludeUnknown option below.
2031 ExcludeExitNodes node,node,...
2033 A list of identity fingerprints, country codes, and address
2034 patterns of nodes to never use when picking an exit node---that is,
2035 a node that delivers traffic for you outside the Tor network. Note
2036 that any node listed in ExcludeNodes is automatically considered to
2037 be part of this list too. See ExcludeNodes for more information on
2038 how to specify nodes. See also the caveats on the ExitNodes option
2039 below.
2040 This option can appear multiple times: the values from multiple
2042 lines are spliced together.
2043 ExitNodes node,node,...
2046 A list of identity fingerprints, country codes, and address
2047 patterns of nodes to use as exit node---that is, a node that
2048 delivers traffic for you outside the Tor network. See ExcludeNodes
2049 for more information on how to specify nodes.
2050 This option can appear multiple times: the values from multiple
2053 lines are spliced together.
2054 Note that if you list too few nodes here, or if you exclude too
2057 many exit nodes with ExcludeExitNodes, you can degrade
2058 functionality. For example, if none of the exits you list allows
2059 traffic on port 80 or 443, you won’t be able to browse the web.
2060 Note also that not every circuit is used to deliver traffic outside
2063 of the Tor network. It is normal to see non-exit circuits (such as
2064 those used to connect to hidden services, those that do directory
2065 fetches, those used for relay reachability self-tests, and so on)
2066 that end at a non-exit node. To keep a node from being used
2067 entirely, see ExcludeNodes and StrictNodes.
2068 The ExcludeNodes option overrides this option: any node listed in
2071 both ExitNodes and ExcludeNodes is treated as excluded.
2072 The .exit address notation, if enabled via MapAddress, overrides
2075 this option.
2076 GeoIPExcludeUnknown 0|1|auto
2078 If this option is set to auto, then whenever any country code is
2079 set in ExcludeNodes or ExcludeExitNodes, all nodes with unknown
2080 country ({??} and possibly {A1}) are treated as excluded as well.
2081 If this option is set to 1, then all unknown countries are treated
2082 as excluded in ExcludeNodes and ExcludeExitNodes. This option has
2083 no effect when a GeoIP file isn’t configured or can’t be found.
2084 (Default: auto)
2085 HSLayer2Nodes node,node,...
2087 A list of identity fingerprints, nicknames, country codes, and
2088 address patterns of nodes that are allowed to be used as the second
2089 hop in all client or service-side Onion Service circuits. This
2090 option mitigates attacks where the adversary runs middle nodes and
2091 induces your client or service to create many circuits, in order to
2092 discover your primary guard node. (Default: Any node in the network
2093 may be used in the second hop.)
2094 (Example: HSLayer2Nodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234,
2096 {cc}, 255.254.0.0/8)
2097 This option can appear multiple times: the values from multiple
2100 lines are spliced together.
2101 When this is set, the resulting hidden service paths will look
2104 like:
2105 C - G - L2 - M - Rend
2107 C - G - L2 - M - HSDir
2109 C - G - L2 - M - Intro
2111 S - G - L2 - M - Rend
2113 S - G - L2 - M - HSDir
2115 S - G - L2 - M - Intro
2117 where C is this client, S is the service, G is the Guard node, L2
2120 is a node from this option, and M is a random middle node. Rend,
2121 HSDir, and Intro point selection is not affected by this option.
2122 This option may be combined with HSLayer3Nodes to create paths of
2124 the form:
2125 C - G - L2 - L3 - Rend
2127 C - G - L2 - L3 - M - HSDir
2129 C - G - L2 - L3 - M - Intro
2131 S - G - L2 - L3 - M - Rend
2133 S - G - L2 - L3 - HSDir
2135 S - G - L2 - L3 - Intro
2137 ExcludeNodes have higher priority than HSLayer2Nodes, which means
2140 that nodes specified in ExcludeNodes will not be picked.
2141 When either this option or HSLayer3Nodes are set, the /16 subnet
2143 and node family restrictions are removed for hidden service
2144 circuits. Additionally, we allow the guard node to be present as
2145 the Rend, HSDir, and IP node, and as the hop before it. This is
2146 done to prevent the adversary from inferring information about our
2147 guard, layer2, and layer3 node choices at later points in the path.
2148 This option is meant to be managed by a Tor controller such as
2150 https://github.com/mikeperry-tor/vanguards that selects and updates
2151 this set of nodes for you. Hence it does not do load balancing if
2152 fewer than 20 nodes are selected, and if no nodes in HSLayer2Nodes
2153 are currently available for use, Tor will not work. Please use
2154 extreme care if you are setting this option manually.
2155 HSLayer3Nodes node,node,...
2157 A list of identity fingerprints, nicknames, country codes, and
2158 address patterns of nodes that are allowed to be used as the third
2159 hop in all client and service-side Onion Service circuits. This
2160 option mitigates attacks where the adversary runs middle nodes and
2161 induces your client or service to create many circuits, in order to
2162 discover your primary or Layer2 guard nodes. (Default: Any node in
2163 the network may be used in the third hop.)
2164 (Example: HSLayer3Nodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234,
2166 {cc}, 255.254.0.0/8)
2167 This option can appear multiple times: the values from multiple
2170 lines are spliced together.
2171 When this is set by itself, the resulting hidden service paths will
2174 look like:
2175 C - G - M - L3 - Rend
2177 C - G - M - L3 - M - HSDir
2179 C - G - M - L3 - M - Intro
2181 S - G - M - L3 - M - Rend
2183 S - G - M - L3 - HSDir
2185 S - G - M - L3 - Intro
2187 where C is this client, S is the service, G is the Guard node, L2
2189 is a node from this option, and M is a random middle node. Rend,
2190 HSDir, and Intro point selection is not affected by this option.
2191 While it is possible to use this option by itself, it should be
2193 combined with HSLayer2Nodes to create paths of the form:
2194 C - G - L2 - L3 - Rend
2196 C - G - L2 - L3 - M - HSDir
2198 C - G - L2 - L3 - M - Intro
2200 S - G - L2 - L3 - M - Rend
2202 S - G - L2 - L3 - HSDir
2204 S - G - L2 - L3 - Intro
2206 ExcludeNodes have higher priority than HSLayer3Nodes, which means
2209 that nodes specified in ExcludeNodes will not be picked.
2210 When either this option or HSLayer2Nodes are set, the /16 subnet
2212 and node family restrictions are removed for hidden service
2213 circuits. Additionally, we allow the guard node to be present as
2214 the Rend, HSDir, and IP node, and as the hop before it. This is
2215 done to prevent the adversary from inferring information about our
2216 guard, layer2, and layer3 node choices at later points in the path.
2217 This option is meant to be managed by a Tor controller such as
2219 https://github.com/mikeperry-tor/vanguards that selects and updates
2220 this set of nodes for you. Hence it does not do load balancing if
2221 fewer than 20 nodes are selected, and if no nodes in HSLayer3Nodes
2222 are currently available for use, Tor will not work. Please use
2223 extreme care if you are setting this option manually.
2224 MiddleNodes node,node,...
2226 A list of identity fingerprints and country codes of nodes to use
2227 for "middle" hops in your normal circuits. Normal circuits include
2228 all circuits except for direct connections to directory servers.
2229 Middle hops are all hops other than exit and entry.
2230 This option can appear multiple times: the values from multiple
2232 lines are spliced together.
2233 This is an experimental feature that is meant to be used by
2236 researchers and developers to test new features in the Tor network
2237 safely. Using it without care will strongly influence your
2238 anonymity. Other tor features may not work with MiddleNodes. This
2239 feature might get removed in the future.
2240 The HSLayer2Node and HSLayer3Node options override this option for onion
2242 service circuits, if they are set. The vanguards addon will read this
2243 option, and if set, it will set HSLayer2Nodes and HSLayer3Nodes to nodes
2244 from this set.
2245 The ExcludeNodes option overrides this option: any node listed in both
2247 MiddleNodes and ExcludeNodes is treated as excluded. See
2248 the <<ExcludeNodes,ExcludeNodes>> for more information on how to specify nodes.
2249 NodeFamily node,node,...
2251 The Tor servers, defined by their identity fingerprints, constitute
2252 a "family" of similar or co-administered servers, so never use any
2253 two of them in the same circuit. Defining a NodeFamily is only
2254 needed when a server doesn’t list the family itself (with
2255 MyFamily). This option can be used multiple times; each instance
2256 defines a separate family. In addition to nodes, you can also list
2257 IP address and ranges and country codes in {curly braces}. See
2258 ExcludeNodes for more information on how to specify nodes.
2259 StrictNodes 0|1
2261 If StrictNodes is set to 1, Tor will treat solely the ExcludeNodes
2262 option as a requirement to follow for all the circuits you
2263 generate, even if doing so will break functionality for you
2264 (StrictNodes does not apply to ExcludeExitNodes, ExitNodes,
2265 MiddleNodes, or MapAddress). If StrictNodes is set to 0, Tor will
2266 still try to avoid nodes in the ExcludeNodes list, but it will err
2267 on the side of avoiding unexpected errors. Specifically,
2268 StrictNodes 0 tells Tor that it is okay to use an excluded node
2269 when it is necessary to perform relay reachability self-tests,
2270 connect to a hidden service, provide a hidden service to a client,
2271 fulfill a .exit request, upload directory information, or download
2272 directory information. (Default: 0)
2273
2275 The following options are useful only for servers (that is, if ORPort
2276 is non-zero):
2277 AccountingMax N
2279 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
2280 Limits the max number of bytes sent and received within a set time
2281 period using a given calculation rule (see AccountingStart and
2282 AccountingRule). Useful if you need to stay under a specific
2283 bandwidth. By default, the number used for calculation is the max
2284 of either the bytes sent or received. For example, with
2285 AccountingMax set to 1 TByte, a server could send 900 GBytes and
2286 receive 800 GBytes and continue running. It will only hibernate
2287 once one of the two reaches 1 TByte. This can be changed to use the
2288 sum of the both bytes received and sent by setting the
2289 AccountingRule option to "sum" (total bandwidth in/out). When the
2290 number of bytes remaining gets low, Tor will stop accepting new
2291 connections and circuits. When the number of bytes is exhausted,
2292 Tor will hibernate until some time in the next accounting period.
2293 To prevent all servers from waking at the same time, Tor will also
2294 wait until a random point in each period before waking up. If you
2295 have bandwidth cost issues, enabling hibernation is preferable to
2296 setting a low bandwidth, since it provides users with a collection
2297 of fast servers that are up some of the time, which is more useful
2298 than a set of slow servers that are always "available".
2299 Note that (as also described in the Bandwidth section) Tor uses
2302 powers of two, not powers of ten: 1 GByte is 1024*1024*1024, not
2303 one billion. Be careful: some internet service providers might
2304 count GBytes differently.
2305 AccountingRule sum|max|in|out
2307 How we determine when our AccountingMax has been reached (when we
2308 should hibernate) during a time interval. Set to "max" to calculate
2309 using the higher of either the sent or received bytes (this is the
2310 default functionality). Set to "sum" to calculate using the sent
2311 plus received bytes. Set to "in" to calculate using only the
2312 received bytes. Set to "out" to calculate using only the sent
2313 bytes. (Default: max)
2314 AccountingStart day|week|month [day] HH:MM
2316 Specify how long accounting periods last. If month is given, each
2317 accounting period runs from the time HH:MM on the dayth day of one
2318 month to the same day and time of the next. The relay will go at
2319 full speed, use all the quota you specify, then hibernate for the
2320 rest of the period. (The day must be between 1 and 28.) If week is
2321 given, each accounting period runs from the time HH:MM of the dayth
2322 day of one week to the same day and time of the next week, with
2323 Monday as day 1 and Sunday as day 7. If day is given, each
2324 accounting period runs from the time HH:MM each day to the same
2325 time on the next day. All times are local, and given in 24-hour
2326 time. (Default: "month 1 0:00")
2327 Address address
2329 The address of this server, or a fully qualified domain name of
2330 this server that resolves to an address. You can leave this unset,
2331 and Tor will try to guess your address. If a domain name is
2332 provided, Tor will attempt to resolve it and use the underlying
2333 IPv4/IPv6 address as its publish address (taking precedence over
2334 the ORPort configuration). The publish address is the one used to
2335 tell clients and other servers where to find your Tor server; it
2336 doesn’t affect the address that your server binds to. To bind to a
2337 different address, use the ORPort and OutboundBindAddress options.
2338 AddressDisableIPv6 0|1
2340 By default, Tor will attempt to find the IPv6 of the relay if there
2341 is no IPv4Only ORPort. If set, this option disables IPv6 auto
2342 discovery. This disables IPv6 address resolution, IPv6 ORPorts, and
2343 IPv6 reachability checks. Also, the relay won’t publish an IPv6
2344 ORPort in its descriptor. (Default: 0)
2345 AssumeReachable 0|1
2347 This option is used when bootstrapping a new Tor network. If set to
2348 1, don’t do self-reachability testing; just upload your server
2349 descriptor immediately. (Default: 0)
2350 AssumeReachableIPv6 0|1|auto
2352 Like AssumeReachable, but affects only the relay’s own IPv6 ORPort.
2353 If this value is set to "auto", then Tor will look at
2354 AssumeReachable instead. (Default: auto)
2355 BridgeRelay 0|1
2357 Sets the relay to act as a "bridge" with respect to relaying
2358 connections from bridge users to the Tor network. It mainly causes
2359 Tor to publish a server descriptor to the bridge database, rather
2360 than to the public directory authorities.
2361 Note: make sure that no MyFamily lines are present in your torrc
2364 when relay is configured in bridge mode.
2365 BridgeDistribution string
2367 If set along with BridgeRelay, Tor will include a new line in its
2368 bridge descriptor which indicates to the BridgeDB service how it
2369 would like its bridge address to be given out. Set it to "none" if
2370 you want BridgeDB to avoid distributing your bridge address, or
2371 "any" to let BridgeDB decide. See
2372 https://bridges.torproject.org/info for a more up-to-date list of
2373 options. (Default: any)
2374 ContactInfo email_address
2376 Administrative contact information for this relay or bridge. This
2377 line can be used to contact you if your relay or bridge is
2378 misconfigured or something else goes wrong. Note that we archive
2379 and publish all descriptors containing these lines and that Google
2380 indexes them, so spammers might also collect them. You may want to
2381 obscure the fact that it’s an email address and/or generate a new
2382 address for this purpose.
2383 ContactInfo must be set to a working address if you run more than
2386 one relay or bridge. (Really, everybody running a relay or bridge
2387 should set it.)
2388 DisableOOSCheck 0|1
2390 This option disables the code that closes connections when Tor
2391 notices that it is running low on sockets. Right now, it is on by
2392 default, since the existing out-of-sockets mechanism tends to kill
2393 OR connections more than it should. (Default: 1)
2394 ExitPolicy policy,policy,...
2396 Set an exit policy for this server. Each policy is of the form
2397 "accept[6]|reject[6] ADDR[/MASK][:PORT]". If /MASK is omitted then
2398 this policy just applies to the host given. Instead of giving a
2399 host or network you can also use "*" to denote the universe
2400 (0.0.0.0/0 and ::/0), or *4 to denote all IPv4 addresses, and *6 to
2401 denote all IPv6 addresses. PORT can be a single port number, an
2402 interval of ports "FROM_PORT-TO_PORT", or "*". If PORT is omitted,
2403 that means "*".
2404 For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*"
2407 would reject any IPv4 traffic destined for MIT except for
2408 web.mit.edu, and accept any other IPv4 or IPv6 traffic.
2409 Tor also allows IPv6 exit policy entries. For instance, "reject6
2412 [FC00::]/7:*" rejects all destinations that share 7 most
2413 significant bit prefix with address FC00::. Respectively, "accept6
2414 [C000::]/3:*" accepts all destinations that share 3 most
2415 significant bit prefix with address C000::.
2416 accept6 and reject6 only produce IPv6 exit policy entries. Using an
2419 IPv4 address with accept6 or reject6 is ignored and generates a
2420 warning. accept/reject allows either IPv4 or IPv6 addresses. Use *4
2421 as an IPv4 wildcard address, and *6 as an IPv6 wildcard address.
2422 accept/reject * expands to matching IPv4 and IPv6 wildcard address
2423 rules.
2424 To specify all IPv4 and IPv6 internal and link-local networks
2427 (including 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16,
2428 10.0.0.0/8, 172.16.0.0/12, [::]/8, [FC00::]/7, [FE80::]/10,
2429 [FEC0::]/10, [FF00::]/8, and [::]/127), you can use the "private"
2430 alias instead of an address. ("private" always produces rules for
2431 IPv4 and IPv6 addresses, even when used with accept6/reject6.)
2432 Private addresses are rejected by default (at the beginning of your
2435 exit policy), along with any configured primary public IPv4 and
2436 IPv6 addresses. These private addresses are rejected unless you set
2437 the ExitPolicyRejectPrivate config option to 0. For example, once
2438 you’ve done that, you could allow HTTP to 127.0.0.1 and block all
2439 other connections to internal networks with "accept
2440 127.0.0.1:80,reject private:*", though that may also allow
2441 connections to your own computer that are addressed to its public
2442 (external) IP address. See RFC 1918 and RFC 3330 for more details
2443 about internal and reserved IP address space. See
2444 ExitPolicyRejectLocalInterfaces if you want to block every address
2445 on the relay, even those that aren’t advertised in the descriptor.
2446 This directive can be specified multiple times so you don’t have to
2449 put it all on one line.
2450 Policies are considered first to last, and the first match wins. If
2453 you want to allow the same ports on IPv4 and IPv6, write your rules
2454 using accept/reject *. If you want to allow different ports on IPv4
2455 and IPv6, write your IPv6 rules using accept6/reject6 *6, and your
2456 IPv4 rules using accept/reject *4. If you want to _replace_ the
2457 default exit policy, end your exit policy with either a reject *:*
2458 or an accept *:*. Otherwise, you’re _augmenting_ (prepending to)
2459 the default exit policy.
2460 If you want to use a reduced exit policy rather than the default
2463 exit policy, set "ReducedExitPolicy 1". If you want to replace the
2464 default exit policy with your custom exit policy, end your exit
2465 policy with either a reject : or an accept :. Otherwise, you’re
2466 augmenting (prepending to) the default or reduced exit policy.
2467 The default exit policy is:
2470 reject *:25
2472 reject *:119
2473 reject *:135-139
2474 reject *:445
2475 reject *:563
2476 reject *:1214
2477 reject *:4661-4666
2478 reject *:6346-6429
2479 reject *:6699
2480 reject *:6881-6999
2481 accept *:*
2482 Since the default exit policy uses accept/reject *, it applies to
2484 both IPv4 and IPv6 addresses.
2485 ExitPolicyRejectLocalInterfaces 0|1
2487 Reject all IPv4 and IPv6 addresses that the relay knows about, at
2488 the beginning of your exit policy. This includes any
2489 OutboundBindAddress, the bind addresses of any port options, such
2490 as ControlPort or DNSPort, and any public IPv4 and IPv6 addresses
2491 on any interface on the relay. (If IPv6Exit is not set, all IPv6
2492 addresses will be rejected anyway.) See above entry on ExitPolicy.
2493 This option is off by default, because it lists all public relay IP
2494 addresses in the ExitPolicy, even those relay operators might
2495 prefer not to disclose. (Default: 0)
2496 ExitPolicyRejectPrivate 0|1
2498 Reject all private (local) networks, along with the relay’s
2499 advertised public IPv4 and IPv6 addresses, at the beginning of your
2500 exit policy. See above entry on ExitPolicy. (Default: 1)
2501 ExitRelay 0|1|auto
2503 Tells Tor whether to run as an exit relay. If Tor is running as a
2504 non-bridge server, and ExitRelay is set to 1, then Tor allows
2505 traffic to exit according to the ExitPolicy option, the
2506 ReducedExitPolicy option, or the default ExitPolicy (if no other
2507 exit policy option is specified).
2508 If ExitRelay is set to 0, no traffic is allowed to exit, and the
2511 ExitPolicy, ReducedExitPolicy, and IPv6Exit options are ignored.
2512 If ExitRelay is set to "auto", then Tor checks the ExitPolicy,
2515 ReducedExitPolicy, and IPv6Exit options. If at least one of these
2516 options is set, Tor behaves as if ExitRelay were set to 1. If none
2517 of these exit policy options are set, Tor behaves as if ExitRelay
2518 were set to 0. (Default: auto)
2519 ExtendAllowPrivateAddresses 0|1
2521 When this option is enabled, Tor will connect to relays on
2522 localhost, RFC1918 addresses, and so on. In particular, Tor will
2523 make direct OR connections, and Tor routers allow EXTEND requests,
2524 to these private addresses. (Tor will always allow connections to
2525 bridges, proxies, and pluggable transports configured on private
2526 addresses.) Enabling this option can create security issues; you
2527 should probably leave it off. (Default: 0)
2528 GeoIPFile filename
2530 A filename containing IPv4 GeoIP data, for use with by-country
2531 statistics.
2532 GeoIPv6File filename
2534 A filename containing IPv6 GeoIP data, for use with by-country
2535 statistics.
2536 HeartbeatPeriod N minutes|hours|days|weeks
2538 Log a heartbeat message every HeartbeatPeriod seconds. This is a
2539 log level notice message, designed to let you know your Tor server
2540 is still alive and doing useful things. Settings this to 0 will
2541 disable the heartbeat. Otherwise, it must be at least 30 minutes.
2542 (Default: 6 hours)
2543 IPv6Exit 0|1
2545 If set, and we are an exit node, allow clients to use us for IPv6
2546 traffic. When this option is set and ExitRelay is auto, we act as
2547 if ExitRelay is 1. (Default: 0)
2548 KeyDirectory DIR
2550 Store secret keys in DIR. Can not be changed while tor is running.
2551 (Default: the "keys" subdirectory of DataDirectory.)
2552 KeyDirectoryGroupReadable 0|1|auto
2554 If this option is set to 0, don’t allow the filesystem group to
2555 read the KeyDirectory. If the option is set to 1, make the
2556 KeyDirectory readable by the default GID. If the option is "auto",
2557 then we use the setting for DataDirectoryGroupReadable when the
2558 KeyDirectory is the same as the DataDirectory, and 0 otherwise.
2559 (Default: auto)
2560 MainloopStats 0|1
2562 Log main loop statistics every HeartbeatPeriod seconds. This is a
2563 log level notice message designed to help developers instrumenting
2564 Tor’s main event loop. (Default: 0)
2565 MaxMemInQueues N bytes|KBytes|MBytes|GBytes
2567 This option configures a threshold above which Tor will assume that
2568 it needs to stop queueing or buffering data because it’s about to
2569 run out of memory. If it hits this threshold, it will begin killing
2570 circuits until it has recovered at least 10% of this memory. Do not
2571 set this option too low, or your relay may be unreliable under
2572 load. This option only affects some queues, so the actual process
2573 size will be larger than this. If this option is set to 0, Tor will
2574 try to pick a reasonable default based on your system’s physical
2575 memory. (Default: 0)
2576 MaxOnionQueueDelay NUM [msec|second]
2578 If we have more onionskins queued for processing than we can
2579 process in this amount of time, reject new ones. (Default: 1750
2580 msec)
2581 MyFamily fingerprint,fingerprint,...
2583 Declare that this Tor relay is controlled or administered by a
2584 group or organization identical or similar to that of the other
2585 relays, defined by their (possibly $-prefixed) identity
2586 fingerprints. This option can be repeated many times, for
2587 convenience in defining large families: all fingerprints in all
2588 MyFamily lines are merged into one list. When two relays both
2589 declare that they are in the same 'family', Tor clients will not
2590 use them in the same circuit. (Each relay only needs to list the
2591 other servers in its family; it doesn’t need to list itself, but it
2592 won’t hurt if it does.) Do not list any bridge relay as it would
2593 compromise its concealment.
2594 If you run more than one relay, the MyFamily option on each relay
2597 must list all other relays, as described above.
2598 Note: do not use MyFamily when configuring your Tor instance as a
2601 bridge.
2602 Nickname name
2604 Set the server’s nickname to 'name'. Nicknames must be between 1
2605 and 19 characters inclusive, and must contain only the characters
2606 [a-zA-Z0-9]. If not set, Unnamed will be used. Relays can always be
2607 uniquely identified by their identity fingerprints.
2608 NumCPUs num
2610 How many processes to use at once for decrypting onionskins and
2611 other parallelizable operations. If this is set to 0, Tor will try
2612 to detect how many CPUs you have, defaulting to 1 if it can’t tell.
2613 (Default: 0)
2614 OfflineMasterKey 0|1
2616 If non-zero, the Tor relay will never generate or load its master
2617 secret key. Instead, you’ll have to use "tor --keygen" to manage
2618 the permanent ed25519 master identity key, as well as the
2619 corresponding temporary signing keys and certificates. (Default: 0)
2620 ORPort [address:]PORT|auto [flags]
2622 Advertise this port to listen for connections from Tor clients and
2623 servers. This option is required to be a Tor server. Set it to
2624 "auto" to have Tor pick a port for you. Set it to 0 to not run an
2625 ORPort at all. This option can occur more than once. (Default: 0)
2626 Tor recognizes these flags on each ORPort:
2629 NoAdvertise
2631 By default, we bind to a port and tell our users about it. If
2632 NoAdvertise is specified, we don’t advertise, but listen
2633 anyway. This can be useful if the port everybody will be
2634 connecting to (for example, one that’s opened on our firewall)
2635 is somewhere else.
2636 NoListen
2638 By default, we bind to a port and tell our users about it. If
2639 NoListen is specified, we don’t bind, but advertise anyway.
2640 This can be useful if something else (for example, a firewall’s
2641 port forwarding configuration) is causing connections to reach
2642 us.
2643 IPv4Only
2645 If the address is absent, or resolves to both an IPv4 and an
2646 IPv6 address, only listen to the IPv4 address.
2647 IPv6Only
2649 If the address is absent, or resolves to both an IPv4 and an
2650 IPv6 address, only listen to the IPv6 address.
2651 For obvious reasons, NoAdvertise and NoListen are mutually
2653 exclusive, and IPv4Only and IPv6Only are mutually exclusive.
2654 PublishServerDescriptor 0|1|v3|bridge,...
2656 This option specifies which descriptors Tor will publish when
2657 acting as a relay. You can choose multiple arguments, separated by
2658 commas.
2659 If this option is set to 0, Tor will not publish its descriptors to
2662 any directories. (This is useful if you’re testing out your server,
2663 or if you’re using a Tor controller that handles directory
2664 publishing for you.) Otherwise, Tor will publish its descriptors of
2665 all type(s) specified. The default is "1", which means "if running
2666 as a relay or bridge, publish descriptors to the appropriate
2667 authorities". Other possibilities are "v3", meaning "publish as if
2668 you’re a relay", and "bridge", meaning "publish as if you’re a
2669 bridge".
2670 ReducedExitPolicy 0|1
2672 If set, use a reduced exit policy rather than the default one.
2673 The reduced exit policy is an alternative to the default exit
2676 policy. It allows as many Internet services as possible while still
2677 blocking the majority of TCP ports. Currently, the policy allows
2678 approximately 65 ports. This reduces the odds that your node will
2679 be used for peer-to-peer applications.
2680 The reduced exit policy is:
2683 accept *:20-21
2685 accept *:22
2686 accept *:23
2687 accept *:43
2688 accept *:53
2689 accept *:79
2690 accept *:80-81
2691 accept *:88
2692 accept *:110
2693 accept *:143
2694 accept *:194
2695 accept *:220
2696 accept *:389
2697 accept *:443
2698 accept *:464
2699 accept *:465
2700 accept *:531
2701 accept *:543-544
2702 accept *:554
2703 accept *:563
2704 accept *:587
2705 accept *:636
2706 accept *:706
2707 accept *:749
2708 accept *:873
2709 accept *:902-904
2710 accept *:981
2711 accept *:989-990
2712 accept *:991
2713 accept *:992
2714 accept *:993
2715 accept *:994
2716 accept *:995
2717 accept *:1194
2718 accept *:1220
2719 accept *:1293
2720 accept *:1500
2721 accept *:1533
2722 accept *:1677
2723 accept *:1723
2724 accept *:1755
2725 accept *:1863
2726 accept *:2082
2727 accept *:2083
2728 accept *:2086-2087
2729 accept *:2095-2096
2730 accept *:2102-2104
2731 accept *:3128
2732 accept *:3389
2733 accept *:3690
2734 accept *:4321
2735 accept *:4643
2736 accept *:5050
2737 accept *:5190
2738 accept *:5222-5223
2739 accept *:5228
2740 accept *:5900
2741 accept *:6660-6669
2742 accept *:6679
2743 accept *:6697
2744 accept *:8000
2745 accept *:8008
2746 accept *:8074
2747 accept *:8080
2748 accept *:8082
2749 accept *:8087-8088
2750 accept *:8232-8233
2751 accept *:8332-8333
2752 accept *:8443
2753 accept *:8888
2754 accept *:9418
2755 accept *:9999
2756 accept *:10000
2757 accept *:11371
2758 accept *:19294
2759 accept *:19638
2760 accept *:50002
2761 accept *:64738
2762 reject *:*
2763 (Default: 0)
2765 RefuseUnknownExits 0|1|auto
2767 Prevent nodes that don’t appear in the consensus from exiting using
2768 this relay. If the option is 1, we always block exit attempts from
2769 such nodes; if it’s 0, we never do, and if the option is "auto",
2770 then we do whatever the authorities suggest in the consensus (and
2771 block if the consensus is quiet on the issue). (Default: auto)
2772 ServerDNSAllowBrokenConfig 0|1
2774 If this option is false, Tor exits immediately if there are
2775 problems parsing the system DNS configuration or connecting to
2776 nameservers. Otherwise, Tor continues to periodically retry the
2777 system nameservers until it eventually succeeds. (Default: 1)
2778 ServerDNSAllowNonRFC953Hostnames 0|1
2780 When this option is disabled, Tor does not try to resolve hostnames
2781 containing illegal characters (like @ and :) rather than sending
2782 them to an exit node to be resolved. This helps trap accidental
2783 attempts to resolve URLs and so on. This option only affects name
2784 lookups that your server does on behalf of clients. (Default: 0)
2785 ServerDNSDetectHijacking 0|1
2787 When this option is set to 1, we will test periodically to
2788 determine whether our local nameservers have been configured to
2789 hijack failing DNS requests (usually to an advertising site). If
2790 they are, we will attempt to correct this. This option only affects
2791 name lookups that your server does on behalf of clients. (Default:
2792 1)
2793 ServerDNSRandomizeCase 0|1
2795 When this option is set, Tor sets the case of each character
2796 randomly in outgoing DNS requests, and makes sure that the case
2797 matches in DNS replies. This so-called "0x20 hack" helps resist
2798 some types of DNS poisoning attack. For more information, see
2799 "Increased DNS Forgery Resistance through 0x20-Bit Encoding". This
2800 option only affects name lookups that your server does on behalf of
2801 clients. (Default: 1)
2802 ServerDNSResolvConfFile filename
2804 Overrides the default DNS configuration with the configuration in
2805 filename. The file format is the same as the standard Unix
2806 "resolv.conf" file (7). This option, like all other ServerDNS
2807 options, only affects name lookups that your server does on behalf
2808 of clients. (Defaults to use the system DNS configuration or a
2809 localhost DNS service in case no nameservers are found in a given
2810 configuration.)
2811 ServerDNSSearchDomains 0|1
2813 If set to 1, then we will search for addresses in the local search
2814 domain. For example, if this system is configured to believe it is
2815 in "example.com", and a client tries to connect to "www", the
2816 client will be connected to "www.example.com". This option only
2817 affects name lookups that your server does on behalf of clients.
2818 (Default: 0)
2819 ServerDNSTestAddresses hostname,hostname,...
2821 When we’re detecting DNS hijacking, make sure that these valid
2822 addresses aren’t getting redirected. If they are, then our DNS is
2823 completely useless, and we’ll reset our exit policy to "reject
2824 *:*". This option only affects name lookups that your server does
2825 on behalf of clients. (Default: "www.google.com, www.mit.edu,
2826 www.yahoo.com, www.slashdot.org")
2827 ServerTransportListenAddr transport IP:PORT
2829 When this option is set, Tor will suggest IP:PORT as the listening
2830 address of any pluggable transport proxy that tries to launch
2831 transport. (IPv4 addresses should written as-is; IPv6 addresses
2832 should be wrapped in square brackets.) (Default: none)
2833 ServerTransportOptions transport k=v k=v ...
2835 When this option is set, Tor will pass the k=v parameters to any
2836 pluggable transport proxy that tries to launch transport.
2837 (Example: ServerTransportOptions obfs45 shared-secret=bridgepasswd
2839 cache=/var/lib/tor/cache) (Default: none)
2840 ServerTransportPlugin transport exec path-to-binary [options]
2842 The Tor relay launches the pluggable transport proxy in
2843 path-to-binary using options as its command-line options, and
2844 expects to receive proxied client traffic from it. (Default: none)
2845 ShutdownWaitLength NUM
2847 When we get a SIGINT and we’re a server, we begin shutting down: we
2848 close listeners and start refusing new circuits. After NUM seconds,
2849 we exit. If we get a second SIGINT, we exit immediately. (Default:
2850 30 seconds)
2851 SigningKeyLifetime N days|weeks|months
2853 For how long should each Ed25519 signing key be valid? Tor uses a
2854 permanent master identity key that can be kept offline, and
2855 periodically generates new "signing" keys that it uses online. This
2856 option configures their lifetime. (Default: 30 days)
2857 SSLKeyLifetime N minutes|hours|days|weeks
2859 When creating a link certificate for our outermost SSL handshake,
2860 set its lifetime to this amount of time. If set to 0, Tor will
2861 choose some reasonable random defaults. (Default: 0)
2862
2864 Relays publish most statistics in a document called the extra-info
2865 document. The following options affect the different types of
2866 statistics that Tor relays collect and publish:
2867 BridgeRecordUsageByCountry 0|1
2869 When this option is enabled and BridgeRelay is also enabled, and we
2870 have GeoIP data, Tor keeps a per-country count of how many client
2871 addresses have contacted it so that it can help the bridge
2872 authority guess which countries have blocked access to it. If
2873 ExtraInfoStatistics is enabled, it will be published as part of the
2874 extra-info document. (Default: 1)
2875 CellStatistics 0|1
2877 Relays only. When this option is enabled, Tor collects statistics
2878 about cell processing (i.e. mean time a cell is spending in a
2879 queue, mean number of cells in a queue and mean number of processed
2880 cells per circuit) and writes them into disk every 24 hours. Onion
2881 router operators may use the statistics for performance monitoring.
2882 If ExtraInfoStatistics is enabled, it will published as part of the
2883 extra-info document. (Default: 0)
2884 ConnDirectionStatistics 0|1
2886 Relays only. When this option is enabled, Tor writes statistics on
2887 the amounts of traffic it passes between itself and other relays to
2888 disk every 24 hours. Enables relay operators to monitor how much
2889 their relay is being used as middle node in the circuit. If
2890 ExtraInfoStatistics is enabled, it will be published as part of the
2891 extra-info document. (Default: 0)
2892 DirReqStatistics 0|1
2894 Relays and bridges only. When this option is enabled, a Tor
2895 directory writes statistics on the number and response time of
2896 network status requests to disk every 24 hours. Enables relay and
2897 bridge operators to monitor how much their server is being used by
2898 clients to learn about Tor network. If ExtraInfoStatistics is
2899 enabled, it will published as part of the extra-info document.
2900 (Default: 1)
2901 EntryStatistics 0|1
2903 Relays only. When this option is enabled, Tor writes statistics on
2904 the number of directly connecting clients to disk every 24 hours.
2905 Enables relay operators to monitor how much inbound traffic that
2906 originates from Tor clients passes through their server to go
2907 further down the Tor network. If ExtraInfoStatistics is enabled, it
2908 will be published as part of the extra-info document. (Default: 0)
2909 ExitPortStatistics 0|1
2911 Exit relays only. When this option is enabled, Tor writes
2912 statistics on the number of relayed bytes and opened stream per
2913 exit port to disk every 24 hours. Enables exit relay operators to
2914 measure and monitor amounts of traffic that leaves Tor network
2915 through their exit node. If ExtraInfoStatistics is enabled, it will
2916 be published as part of the extra-info document. (Default: 0)
2917 ExtraInfoStatistics 0|1
2919 When this option is enabled, Tor includes previously gathered
2920 statistics in its extra-info documents that it uploads to the
2921 directory authorities. Disabling this option also removes bandwidth
2922 usage statistics, and GeoIPFile and GeoIPv6File hashes from the
2923 extra-info file. Bridge ServerTransportPlugin lines are always
2924 included in the extra-info file, because they are required by
2925 BridgeDB. (Default: 1)
2926 HiddenServiceStatistics 0|1
2928 Relays and bridges only. When this option is enabled, a Tor relay
2929 writes obfuscated statistics on its role as hidden-service
2930 directory, introduction point, or rendezvous point to disk every 24
2931 hours. If ExtraInfoStatistics is enabled, it will be published as
2932 part of the extra-info document. (Default: 1)
2933 PaddingStatistics 0|1
2935 Relays and bridges only. When this option is enabled, Tor collects
2936 statistics for padding cells sent and received by this relay, in
2937 addition to total cell counts. These statistics are rounded, and
2938 omitted if traffic is low. This information is important for load
2939 balancing decisions related to padding. If ExtraInfoStatistics is
2940 enabled, it will be published as a part of the extra-info document.
2941 (Default: 1)
2942
2944 The following options are useful only for directory servers. (Relays
2945 with enough bandwidth automatically become directory servers; see
2946 DirCache for details.)
2947 DirCache 0|1
2949 When this option is set, Tor caches all current directory documents
2950 except extra info documents, and accepts client requests for them.
2951 If DownloadExtraInfo is set, cached extra info documents are also
2952 cached. Setting DirPort is not required for DirCache, because
2953 clients connect via the ORPort by default. Setting either DirPort
2954 or BridgeRelay and setting DirCache to 0 is not supported.
2955 (Default: 1)
2956 DirPolicy policy,policy,...
2958 Set an entrance policy for this server, to limit who can connect to
2959 the directory ports. The policies have the same form as exit
2960 policies above, except that port specifiers are ignored. Any
2961 address not matched by some entry in the policy is accepted.
2962 DirPort [address:]PORT|auto [flags]
2964 If this option is nonzero, advertise the directory service on this
2965 port. Set it to "auto" to have Tor pick a port for you. This option
2966 can occur more than once, but only one advertised DirPort is
2967 supported: all but one DirPort must have the NoAdvertise flag set.
2968 (Default: 0)
2969 The same flags are supported here as are supported by ORPort.
2972 As of Tor 0.4.6.1-alpha, non-authoritative relays (see
2974 AuthoritativeDirectory) will not publish the DirPort but will still
2975 listen on it. Clients don’t use the DirPorts on relays, so it is
2976 safe for you to remove the DirPort from your torrc configuration.
2977 DirPortFrontPage FILENAME
2979 When this option is set, it takes an HTML file and publishes it as
2980 "/" on the DirPort. Now relay operators can provide a disclaimer
2981 without needing to set up a separate webserver. There’s a sample
2982 disclaimer in contrib/operator-tools/tor-exit-notice.html.
2983 MaxConsensusAgeForDiffs N minutes|hours|days|weeks
2985 When this option is nonzero, Tor caches will not try to generate
2986 consensus diffs for any consensus older than this amount of time.
2987 If this option is set to zero, Tor will pick a reasonable default
2988 from the current networkstatus document. You should not set this
2989 option unless your cache is severely low on disk space or CPU. If
2990 you need to set it, keeping it above 3 or 4 hours will help clients
2991 much more than setting it to zero. (Default: 0)
2992
2994 Tor has three built-in mitigation options that can be individually
2995 enabled/disabled and fine-tuned, but by default Tor directory
2996 authorities will define reasonable values for relays and no explicit
2997 configuration is required to make use of these protections. The
2998 mitigations take place at relays, and are as follows:
2999 1. If a single client address makes too many concurrent connections
3001 (this is configurable via DoSConnectionMaxConcurrentCount), hang up
3002 on further connections.
3003 2. If a single client IP address (v4 or v6) makes circuits too quickly
3005 (default values are more than 3 per second, with an allowed burst
3006 of 90, see DoSCircuitCreationRate and DoSCircuitCreationBurst)
3007 while also having too many connections open (default is 3, see
3008 DoSCircuitCreationMinConnections), tor will refuse any new circuit
3009 (CREATE cells) for the next while (random value between 1 and 2
3010 hours).
3011 3. If a client asks to establish a rendezvous point to you directly
3013 (ex: Tor2Web client), ignore the request.
3014 These defenses can be manually controlled by torrc options, but relays
3016 will also take guidance from consensus parameters using these same
3017 names, so there’s no need to configure anything manually. In doubt, do
3018 not change those values.
3019 The values set by the consensus, if any, can be found here:
3021 https://consensus-health.torproject.org/#consensusparams
3022 If any of the DoS mitigations are enabled, a heartbeat message will
3024 appear in your log at NOTICE level which looks like:
3025 DoS mitigation since startup: 429042 circuits rejected, 17 marked addresses.
3027 2238 connections closed. 8052 single hop clients refused.
3028 The following options are useful only for a public relay. They control
3030 the Denial of Service mitigation subsystem described above.
3031 DoSCircuitCreationEnabled 0|1|auto
3033 Enable circuit creation DoS mitigation. If set to 1 (enabled), tor
3034 will cache client IPs along with statistics in order to detect
3035 circuit DoS attacks. If an address is positively identified, tor
3036 will activate defenses against the address. See
3037 DoSCircuitCreationDefenseType option for more details. This is a
3038 client to relay detection only. "auto" means use the consensus
3039 parameter. If not defined in the consensus, the value is 0.
3040 (Default: auto)
3041 DoSCircuitCreationBurst NUM
3043 The allowed circuit creation burst per client IP address. If the
3044 circuit rate and the burst are reached, a client is marked as
3045 executing a circuit creation DoS. "0" means use the consensus
3046 parameter. If not defined in the consensus, the value is 90.
3047 (Default: 0)
3048 DoSCircuitCreationDefenseTimePeriod N seconds|minutes|hours
3050 The base time period in seconds that the DoS defense is activated
3051 for. The actual value is selected randomly for each activation from
3052 N+1 to 3/2 * N. "0" means use the consensus parameter. If not
3053 defined in the consensus, the value is 3600 seconds (1 hour).
3054 (Default: 0)
3055 DoSCircuitCreationDefenseType NUM
3057 This is the type of defense applied to a detected client address.
3058 The possible values are:
3059 1: No defense.
3061 2: Refuse circuit creation for the
3063 DoSCircuitCreationDefenseTimePeriod period of time.
3064 "0" means use the consensus parameter. If not defined in the
3066 consensus, the value is 2. (Default: 0)
3067 DoSCircuitCreationMinConnections NUM
3069 Minimum threshold of concurrent connections before a client address
3070 can be flagged as executing a circuit creation DoS. In other words,
3071 once a client address reaches the circuit rate and has a minimum of
3072 NUM concurrent connections, a detection is positive. "0" means use
3073 the consensus parameter. If not defined in the consensus, the value
3074 is 3. (Default: 0)
3075 DoSCircuitCreationRate NUM
3077 The allowed circuit creation rate per second applied per client IP
3078 address. If this option is 0, it obeys a consensus parameter. If
3079 not defined in the consensus, the value is 3. (Default: 0)
3080 DoSConnectionEnabled 0|1|auto
3082 Enable the connection DoS mitigation. If set to 1 (enabled), for
3083 client address only, this allows tor to mitigate against large
3084 number of concurrent connections made by a single IP address.
3085 "auto" means use the consensus parameter. If not defined in the
3086 consensus, the value is 0. (Default: auto)
3087 DoSConnectionDefenseType NUM
3089 This is the type of defense applied to a detected client address
3090 for the connection mitigation. The possible values are:
3091 1: No defense.
3093 2: Immediately close new connections.
3095 "0" means use the consensus parameter. If not defined in the
3097 consensus, the value is 2. (Default: 0)
3098 DoSConnectionMaxConcurrentCount NUM
3100 The maximum threshold of concurrent connection from a client IP
3101 address. Above this limit, a defense selected by
3102 DoSConnectionDefenseType is applied. "0" means use the consensus
3103 parameter. If not defined in the consensus, the value is 100.
3104 (Default: 0)
3105 DoSConnectionConnectRate NUM
3107 The allowed rate of client connection from a single address per
3108 second. Coupled with the burst (see below), if the limit is
3109 reached, the address is marked and a defense is applied
3110 (DoSConnectionDefenseType) for a period of time defined by
3111 DoSConnectionConnectDefenseTimePeriod. If not defined or set to 0,
3112 it is controlled by a consensus parameter. (Default: 0)
3113 DoSConnectionConnectBurst NUM
3115 The allowed burst of client connection from a single address per
3116 second. See the DoSConnectionConnectRate for more details on this
3117 detection. If not defined or set to 0, it is controlled by a
3118 consensus parameter. (Default: 0)
3119 DoSConnectionConnectDefenseTimePeriod N seconds|minutes|hours
3121 The base time period in seconds that the client connection defense
3122 is activated for. The actual value is selected randomly for each
3123 activation from N+1 to 3/2 * N. If not defined or set to 0, it is
3124 controlled by a consensus parameter. (Default: 24 hours)
3125 DoSRefuseSingleHopClientRendezvous 0|1|auto
3127 Refuse establishment of rendezvous points for single hop clients.
3128 In other words, if a client directly connects to the relay and
3129 sends an ESTABLISH_RENDEZVOUS cell, it is silently dropped. "auto"
3130 means use the consensus parameter. If not defined in the consensus,
3131 the value is 0. (Default: auto)
3132
3134 The following options enable operation as a directory authority, and
3135 control how Tor behaves as a directory authority. You should not need
3136 to adjust any of them if you’re running a regular relay or exit server
3137 on the public Tor network.
3138 AuthoritativeDirectory 0|1
3140 When this option is set to 1, Tor operates as an authoritative
3141 directory server. Instead of caching the directory, it generates
3142 its own list of good servers, signs it, and sends that to the
3143 clients. Unless the clients already have you listed as a trusted
3144 directory, you probably do not want to set this option.
3145 BridgeAuthoritativeDir 0|1
3147 When this option is set in addition to AuthoritativeDirectory, Tor
3148 accepts and serves server descriptors, but it caches and serves the
3149 main networkstatus documents rather than generating its own.
3150 (Default: 0)
3151 V3AuthoritativeDirectory 0|1
3153 When this option is set in addition to AuthoritativeDirectory, Tor
3154 generates version 3 network statuses and serves descriptors, etc as
3155 described in dir-spec.txt file of torspec (for Tor clients and
3156 servers running at least 0.2.0.x).
3157 AuthDirBadExit AddressPattern...
3159 Authoritative directories only. A set of address patterns for
3160 servers that will be listed as bad exits in any network status
3161 document this authority publishes, if AuthDirListBadExits is set.
3162 (The address pattern syntax here and in the options below is the
3165 same as for exit policies, except that you don’t need to say
3166 "accept" or "reject", and ports are not needed.)
3167 AuthDirFastGuarantee N
3169 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3170 Authoritative directories only. If non-zero, always vote the Fast
3171 flag for any relay advertising this amount of capacity or more.
3172 (Default: 100 KBytes)
3173 AuthDirGuardBWGuarantee N
3175 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3176 Authoritative directories only. If non-zero, this advertised
3177 capacity or more is always sufficient to satisfy the bandwidth
3178 requirement for the Guard flag. (Default: 2 MBytes)
3179 AuthDirHasIPv6Connectivity 0|1
3181 Authoritative directories only. When set to 0, OR ports with an
3182 IPv6 address are not included in the authority’s votes. When set to
3183 1, IPv6 OR ports are tested for reachability like IPv4 OR ports. If
3184 the reachability test succeeds, the authority votes for the IPv6
3185 ORPort, and votes Running for the relay. If the reachability test
3186 fails, the authority does not vote for the IPv6 ORPort, and does
3187 not vote Running (Default: 0)
3188 The content of the consensus depends on the number of voting authorities
3191 that set AuthDirHasIPv6Connectivity:
3192 If no authorities set AuthDirHasIPv6Connectivity 1, there will be no
3194 IPv6 ORPorts in the consensus.
3195 If a minority of authorities set AuthDirHasIPv6Connectivity 1,
3197 unreachable IPv6 ORPorts will be removed from the consensus. But the
3198 majority of IPv4-only authorities will still vote the relay as Running.
3199 Reachable IPv6 ORPort lines will be included in the consensus
3200 If a majority of voting authorities set AuthDirHasIPv6Connectivity 1,
3202 relays with unreachable IPv6 ORPorts will not be listed as Running.
3203 Reachable IPv6 ORPort lines will be included in the consensus
3204 (To ensure that any valid majority will vote relays with unreachable
3205 IPv6 ORPorts not Running, 75% of authorities must set
3206 AuthDirHasIPv6Connectivity 1.)
3207 AuthDirInvalid AddressPattern...
3209 Authoritative directories only. A set of address patterns for
3210 servers that will never be listed as "valid" in any network status
3211 document that this authority publishes.
3212 AuthDirListBadExits 0|1
3214 Authoritative directories only. If set to 1, this directory has
3215 some opinion about which nodes are unsuitable as exit nodes. (Do
3216 not set this to 1 unless you plan to list non-functioning exits as
3217 bad; otherwise, you are effectively voting in favor of every
3218 declared exit as an exit.)
3219 AuthDirMaxServersPerAddr NUM
3221 Authoritative directories only. The maximum number of servers that
3222 we will list as acceptable on a single IP address. Set this to "0"
3223 for "no limit". (Default: 2)
3224 AuthDirPinKeys 0|1
3226 Authoritative directories only. If non-zero, do not allow any relay
3227 to publish a descriptor if any other relay has reserved its
3228 <Ed25519,RSA> identity keypair. In all cases, Tor records every
3229 keypair it accepts in a journal if it is new, or if it differs from
3230 the most recently accepted pinning for one of the keys it contains.
3231 (Default: 1)
3232 AuthDirReject AddressPattern...
3234 Authoritative directories only. A set of address patterns for
3235 servers that will never be listed at all in any network status
3236 document that this authority publishes, or accepted as an OR
3237 address in any descriptor submitted for publication by this
3238 authority.
3239 AuthDirBadExitCCs CC,...
3241 AuthDirInvalidCCs CC,...
3243 AuthDirRejectRequestsUnderLoad 0|1
3245 If set, the directory authority will start rejecting directory
3246 requests from non relay connections by sending a 503 error code if
3247 it is under bandwidth pressure (reaching the configured limit if
3248 any). Relays will always tried to be answered even if this is on.
3249 (Default: 1)
3250 AuthDirRejectCCs CC,...
3252 Authoritative directories only. These options contain a
3253 comma-separated list of country codes such that any server in one
3254 of those country codes will be marked as a bad exit/invalid for
3255 use, or rejected entirely.
3256 AuthDirSharedRandomness 0|1
3258 Authoritative directories only. Switch for the shared random
3259 protocol. If zero, the authority won’t participate in the protocol.
3260 If non-zero (default), the flag "shared-rand-participate" is added
3261 to the authority vote indicating participation in the protocol.
3262 (Default: 1)
3263 AuthDirTestEd25519LinkKeys 0|1
3265 Authoritative directories only. If this option is set to 0, then we
3266 treat relays as "Running" if their RSA key is correct when we probe
3267 them, regardless of their Ed25519 key. We should only ever set this
3268 option to 0 if there is some major bug in Ed25519 link
3269 authentication that causes us to label all the relays as not
3270 Running. (Default: 1)
3271 AuthDirTestReachability 0|1
3273 Authoritative directories only. If set to 1, then we periodically
3274 check every relay we know about to see whether it is running. If
3275 set to 0, we vote Running for every relay, and don’t perform these
3276 tests. (Default: 1)
3277 BridgePassword Password
3279 If set, contains an HTTP authenticator that tells a bridge
3280 authority to serve all requested bridge information. Used by the
3281 (only partially implemented) "bridge community" design, where a
3282 community of bridge relay operators all use an alternate bridge
3283 directory authority, and their target user audience can
3284 periodically fetch the list of available community bridges to stay
3285 up-to-date. (Default: not set)
3286 ConsensusParams STRING
3288 STRING is a space-separated list of key=value pairs that Tor will
3289 include in the "params" line of its networkstatus vote. This
3290 directive can be specified multiple times so you don’t have to put
3291 it all on one line.
3292 DirAllowPrivateAddresses 0|1
3294 If set to 1, Tor will accept server descriptors with arbitrary
3295 "Address" elements. Otherwise, if the address is not an IP address
3296 or is a private IP address, it will reject the server descriptor.
3297 Additionally, Tor will allow exit policies for private networks to
3298 fulfill Exit flag requirements. (Default: 0)
3299 GuardfractionFile FILENAME
3301 V3 authoritative directories only. Configures the location of the
3302 guardfraction file which contains information about how long relays
3303 have been guards. (Default: unset)
3304 MinMeasuredBWsForAuthToIgnoreAdvertised N
3306 A total value, in abstract bandwidth units, describing how much
3307 measured total bandwidth an authority should have observed on the
3308 network before it will treat advertised bandwidths as wholly
3309 unreliable. (Default: 500)
3310 MinUptimeHidServDirectoryV2 N seconds|minutes|hours|days|weeks
3312 Minimum uptime of a relay to be accepted as a hidden service
3313 directory by directory authorities. (Default: 96 hours)
3314 RecommendedClientVersions STRING
3316 STRING is a comma-separated list of Tor versions currently believed
3317 to be safe for clients to use. This information is included in
3318 version 2 directories. If this is not set then the value of
3319 RecommendedVersions is used. When this is set then
3320 VersioningAuthoritativeDirectory should be set too.
3321 RecommendedServerVersions STRING
3323 STRING is a comma-separated list of Tor versions currently believed
3324 to be safe for servers to use. This information is included in
3325 version 2 directories. If this is not set then the value of
3326 RecommendedVersions is used. When this is set then
3327 VersioningAuthoritativeDirectory should be set too.
3328 RecommendedVersions STRING
3330 STRING is a comma-separated list of Tor versions currently believed
3331 to be safe. The list is included in each directory, and nodes which
3332 pull down the directory learn whether they need to upgrade. This
3333 option can appear multiple times: the values from multiple lines
3334 are spliced together. When this is set then
3335 VersioningAuthoritativeDirectory should be set too.
3336 V3AuthDistDelay N seconds|minutes|hours
3338 V3 authoritative directories only. Configures the server’s
3339 preferred delay between publishing its consensus and signature and
3340 assuming it has all the signatures from all the other authorities.
3341 Note that the actual time used is not the server’s preferred time,
3342 but the consensus of all preferences. (Default: 5 minutes)
3343 V3AuthNIntervalsValid NUM
3345 V3 authoritative directories only. Configures the number of
3346 VotingIntervals for which each consensus should be valid for.
3347 Choosing high numbers increases network partitioning risks;
3348 choosing low numbers increases directory traffic. Note that the
3349 actual number of intervals used is not the server’s preferred
3350 number, but the consensus of all preferences. Must be at least 2.
3351 (Default: 3)
3352 V3AuthUseLegacyKey 0|1
3354 If set, the directory authority will sign consensuses not only with
3355 its own signing key, but also with a "legacy" key and certificate
3356 with a different identity. This feature is used to migrate
3357 directory authority keys in the event of a compromise. (Default: 0)
3358 V3AuthVoteDelay N seconds|minutes|hours
3360 V3 authoritative directories only. Configures the server’s
3361 preferred delay between publishing its vote and assuming it has all
3362 the votes from all the other authorities. Note that the actual time
3363 used is not the server’s preferred time, but the consensus of all
3364 preferences. (Default: 5 minutes)
3365 V3AuthVotingInterval N minutes|hours
3367 V3 authoritative directories only. Configures the server’s
3368 preferred voting interval. Note that voting will actually happen at
3369 an interval chosen by consensus from all the authorities' preferred
3370 intervals. This time SHOULD divide evenly into a day. (Default: 1
3371 hour)
3372 V3BandwidthsFile FILENAME
3374 V3 authoritative directories only. Configures the location of the
3375 bandwidth-authority generated file storing information on relays'
3376 measured bandwidth capacities. To avoid inconsistent reads,
3377 bandwidth data should be written to temporary file, then renamed to
3378 the configured filename. (Default: unset)
3379 VersioningAuthoritativeDirectory 0|1
3381 When this option is set to 1, Tor adds information on which
3382 versions of Tor are still believed safe for use to the published
3383 directory. Each version 1 authority is automatically a versioning
3384 authority; version 2 authorities provide this service optionally.
3385 See RecommendedVersions, RecommendedClientVersions, and
3386 RecommendedServerVersions.
3387
3389 The following options are used to configure a hidden service. Some
3390 options apply per service and some apply for the whole tor instance.
3391 The next section describes the per service options that can only be set
3393 after the HiddenServiceDir directive
3394 PER SERVICE OPTIONS:
3396 HiddenServiceAllowUnknownPorts 0|1
3398 If set to 1, then connections to unrecognized ports do not cause
3399 the current hidden service to close rendezvous circuits. (Setting
3400 this to 0 is not an authorization mechanism; it is instead meant to
3401 be a mild inconvenience to port-scanners.) (Default: 0)
3402 HiddenServiceDir DIRECTORY
3404 Store data files for a hidden service in DIRECTORY. Every hidden
3405 service must have a separate directory. You may use this option
3406 multiple times to specify multiple services. If DIRECTORY does not
3407 exist, Tor will create it. Please note that you cannot add new
3408 Onion Service to already running Tor instance if Sandbox is
3409 enabled. (Note: in current versions of Tor, if DIRECTORY is a
3410 relative path, it will be relative to the current working directory
3411 of Tor instance, not to its DataDirectory. Do not rely on this
3412 behavior; it is not guaranteed to remain the same in future
3413 versions.)
3414 HiddenServiceDirGroupReadable 0|1
3416 If this option is set to 1, allow the filesystem group to read the
3417 hidden service directory and hostname file. If the option is set to
3418 0, only owner is able to read the hidden service directory.
3419 (Default: 0) Has no effect on Windows.
3420 HiddenServiceEnableIntroDoSDefense 0|1
3422 Enable DoS defense at the intropoint level. When this is enabled,
3423 the rate and burst parameter (see below) will be sent to the intro
3424 point which will then use them to apply rate limiting for
3425 introduction request to this service.
3426 The introduction point honors the consensus parameters except if
3428 this is specifically set by the service operator using this option.
3429 The service never looks at the consensus parameters in order to
3430 enable or disable this defense. (Default: 0)
3431 HiddenServiceEnableIntroDoSBurstPerSec NUM
3433 The allowed client introduction burst per second at the
3434 introduction point. If this option is 0, it is considered infinite
3435 and thus if HiddenServiceEnableIntroDoSDefense is set, it then
3436 effectively disables the defenses. (Default: 200)
3437 HiddenServiceEnableIntroDoSRatePerSec NUM
3439 The allowed client introduction rate per second at the introduction
3440 point. If this option is 0, it is considered infinite and thus if
3441 HiddenServiceEnableIntroDoSDefense is set, it then effectively
3442 disables the defenses. (Default: 25)
3443 HiddenServiceExportCircuitID protocol
3445 The onion service will use the given protocol to expose the global
3446 circuit identifier of each inbound client circuit. The only
3447 protocol supported right now 'haproxy'. This option is only for v3
3448 services. (Default: none)
3449 The haproxy option works in the following way: when the feature is
3452 enabled, the Tor process will write a header line when a client is
3453 connecting to the onion service. The header will look like this:
3454 "PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\n"
3457 We encode the "global circuit identifier" as the last 32-bits of
3460 the first IPv6 address. All other values in the header can safely
3461 be ignored. You can compute the global circuit identifier using the
3462 following formula given the IPv6 address
3463 "fc00:dead:beef:4dad::AABB:CCDD":
3464 global_circuit_id = (0xAA << 24) + (0xBB << 16) + (0xCC << 8) +
3467 0xDD;
3468 In the case above, where the last 32-bits are 0xffffffff, the
3471 global circuit identifier would be 4294967295. You can use this
3472 value together with Tor’s control port to terminate particular
3473 circuits using their global circuit identifiers. For more
3474 information about this see control-spec.txt.
3475 The HAProxy version 1 protocol is described in detail at
3478 https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
3479 HiddenServiceOnionBalanceInstance 0|1
3481 If set to 1, this onion service becomes an OnionBalance instance
3482 and will accept client connections destined to an OnionBalance
3483 frontend. In this case, Tor expects to find a file named
3484 "ob_config" inside the HiddenServiceDir directory with content:
3485 MasterOnionAddress <frontend_onion_address>
3487 where <frontend_onion_address> is the onion address of the
3489 OnionBalance frontend (e.g.
3490 wrxdvcaqpuzakbfww5sxs6r2uybczwijzfn2ezy2osaj7iox7kl7nhad.onion).
3491 HiddenServiceMaxStreams N
3493 The maximum number of simultaneous streams (connections) per
3494 rendezvous circuit. The maximum value allowed is 65535. (Setting
3495 this to 0 will allow an unlimited number of simultaneous streams.)
3496 (Default: 0)
3497 HiddenServiceMaxStreamsCloseCircuit 0|1
3499 If set to 1, then exceeding HiddenServiceMaxStreams will cause the
3500 offending rendezvous circuit to be torn down, as opposed to stream
3501 creation requests that exceed the limit being silently ignored.
3502 (Default: 0)
3503 HiddenServiceNumIntroductionPoints NUM
3505 Number of introduction points the hidden service will have. You
3506 can’t have more than 20. (Default: 3)
3507 HiddenServicePort VIRTPORT [TARGET]
3509 Configure a virtual port VIRTPORT for a hidden service. You may use
3510 this option multiple times; each time applies to the service using
3511 the most recent HiddenServiceDir. By default, this option maps the
3512 virtual port to the same port on 127.0.0.1 over TCP. You may
3513 override the target port, address, or both by specifying a target
3514 of addr, port, addr:port, or unix:path. (You can specify an IPv6
3515 target as [addr]:port. Unix paths may be quoted, and may use
3516 standard C escapes.) You may also have multiple lines with the same
3517 VIRTPORT: when a user connects to that VIRTPORT, one of the TARGETs
3518 from those lines will be chosen at random. Note that address-port
3519 pairs have to be comma-separated.
3520 HiddenServiceVersion 3
3522 A list of rendezvous service descriptor versions to publish for the
3523 hidden service. Currently, only version 3 is supported. (Default:
3524 3)
3525 PER INSTANCE OPTIONS:
3527 HiddenServiceSingleHopMode 0|1
3529 Experimental - Non Anonymous Hidden Services on a tor instance in
3530 HiddenServiceSingleHopMode make one-hop (direct) circuits between
3531 the onion service server, and the introduction and rendezvous
3532 points. (Onion service descriptors are still posted using 3-hop
3533 paths, to avoid onion service directories blocking the service.)
3534 This option makes every hidden service instance hosted by a tor
3535 instance a Single Onion Service. One-hop circuits make Single Onion
3536 servers easily locatable, but clients remain location-anonymous.
3537 However, the fact that a client is accessing a Single Onion rather
3538 than a Hidden Service may be statistically distinguishable.
3539 WARNING: Once a hidden service directory has been used by a tor
3542 instance in HiddenServiceSingleHopMode, it can NEVER be used again
3543 for a hidden service. It is best practice to create a new hidden
3544 service directory, key, and address for each new Single Onion
3545 Service and Hidden Service. It is not possible to run Single Onion
3546 Services and Hidden Services from the same tor instance: they
3547 should be run on different servers with different IP addresses.
3548 HiddenServiceSingleHopMode requires HiddenServiceNonAnonymousMode
3551 to be set to 1. Since a Single Onion service is non-anonymous, you
3552 can not configure a SOCKSPort on a tor instance that is running in
3553 HiddenServiceSingleHopMode. Can not be changed while tor is
3554 running. (Default: 0)
3555 HiddenServiceNonAnonymousMode 0|1
3557 Makes hidden services non-anonymous on this tor instance. Allows
3558 the non-anonymous HiddenServiceSingleHopMode. Enables direct
3559 connections in the server-side hidden service protocol. If you are
3560 using this option, you need to disable all client-side services on
3561 your Tor instance, including setting SOCKSPort to "0". Can not be
3562 changed while tor is running. (Default: 0)
3563 PublishHidServDescriptors 0|1
3565 If set to 0, Tor will run any hidden services you configure, but it
3566 won’t advertise them to the rendezvous directory. This option is
3567 only useful if you’re using a Tor controller that handles hidserv
3568 publishing for you. (Default: 1)
3569
3571 Service side:
3572 To configure client authorization on the service side, the
3574 "<HiddenServiceDir>/authorized_clients/" directory needs to exist. Each file
3575 in that directory should be suffixed with ".auth" (i.e. "alice.auth"; the
3576 file name is irrelevant) and its content format MUST be:
3577 <auth-type>:<key-type>:<base32-encoded-public-key>
3579 The supported <auth-type> are: "descriptor". The supported <key-type> are:
3581 "x25519". The <base32-encoded-public-key> is the base32 representation of
3582 the raw key bytes only (32 bytes for x25519).
3583 Each file MUST contain one line only. Any malformed file will be
3585 ignored. Client authorization will only be enabled for the service if tor
3586 successfully loads at least one authorization file.
3587 Note that once you've configured client authorization, anyone else with the
3589 address won't be able to access it from this point on. If no authorization is
3590 configured, the service will be accessible to anyone with the onion address.
3591 Revoking a client can be done by removing their ".auth" file, however the
3593 revocation will be in effect only after the tor process gets restarted even if
3594 a SIGHUP takes place.
3595 Client side:
3597 To access a v3 onion service with client authorization as a client, make sure
3599 you have ClientOnionAuthDir set in your torrc. Then, in the
3600 <ClientOnionAuthDir> directory, create an .auth_private file for the onion
3601 service corresponding to this key (i.e. 'bob_onion.auth_private'). The
3602 contents of the <ClientOnionAuthDir>/<user>.auth_private file should look like:
3603 <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>
3605 For more information, please see
3607 https://2019.www.torproject.org/docs/tor-onion-service.html.en#ClientAuthorization
3608 .
3609
3611 The following options are used for running a testing Tor network.
3612 TestingTorNetwork 0|1
3614 If set to 1, Tor adjusts default values of the configuration
3615 options below, so that it is easier to set up a testing Tor
3616 network. May only be set if non-default set of DirAuthorities is
3617 set. Cannot be unset while Tor is running. (Default: 0)
3618 DirAllowPrivateAddresses 1
3621 EnforceDistinctSubnets 0
3622 AuthDirMaxServersPerAddr 0
3623 ClientBootstrapConsensusAuthorityDownloadInitialDelay 0
3624 ClientBootstrapConsensusFallbackDownloadInitialDelay 0
3625 ClientBootstrapConsensusAuthorityOnlyDownloadInitialDelay 0
3626 ClientDNSRejectInternalAddresses 0
3627 ClientRejectInternalAddresses 0
3628 CountPrivateBandwidth 1
3629 ExitPolicyRejectPrivate 0
3630 ExtendAllowPrivateAddresses 1
3631 V3AuthVotingInterval 5 minutes
3632 V3AuthVoteDelay 20 seconds
3633 V3AuthDistDelay 20 seconds
3634 TestingV3AuthInitialVotingInterval 150 seconds
3635 TestingV3AuthInitialVoteDelay 20 seconds
3636 TestingV3AuthInitialDistDelay 20 seconds
3637 TestingAuthDirTimeToLearnReachability 0 minutes
3638 MinUptimeHidServDirectoryV2 0 minutes
3639 TestingServerDownloadInitialDelay 0
3640 TestingClientDownloadInitialDelay 0
3641 TestingServerConsensusDownloadInitialDelay 0
3642 TestingClientConsensusDownloadInitialDelay 0
3643 TestingBridgeDownloadInitialDelay 10
3644 TestingBridgeBootstrapDownloadInitialDelay 0
3645 TestingClientMaxIntervalWithoutRequest 5 seconds
3646 TestingDirConnectionMaxStall 30 seconds
3647 TestingEnableConnBwEvent 1
3648 TestingEnableCellStatsEvent 1
3649 RendPostPeriod 2 minutes
3650 TestingAuthDirTimeToLearnReachability N seconds|minutes|hours
3652 After starting as an authority, do not make claims about whether
3653 routers are Running until this much time has passed. Changing this
3654 requires that TestingTorNetwork is set. (Default: 30 minutes)
3655 TestingAuthKeyLifetime N seconds|minutes|hours|days|weeks|months
3657 Overrides the default lifetime for a signing Ed25519 TLS Link
3658 authentication key. (Default: 2 days)
3659 TestingAuthKeySlop N seconds|minutes|hours
3661 TestingBridgeBootstrapDownloadInitialDelay N
3663 Initial delay in seconds for when clients should download each
3664 bridge descriptor when they have just started, or when they can not
3665 contact any of their bridges. Changing this requires that
3666 TestingTorNetwork is set. (Default: 0)
3667 TestingBridgeDownloadInitialDelay N
3669 Initial delay in seconds for when clients should download each
3670 bridge descriptor when they know that one or more of their
3671 configured bridges are running. Changing this requires that
3672 TestingTorNetwork is set. (Default: 10800)
3673 TestingClientConsensusDownloadInitialDelay N
3675 Initial delay in seconds for when clients should download
3676 consensuses. Changing this requires that TestingTorNetwork is set.
3677 (Default: 0)
3678 TestingClientDownloadInitialDelay N
3680 Initial delay in seconds for when clients should download things in
3681 general. Changing this requires that TestingTorNetwork is set.
3682 (Default: 0)
3683 TestingClientMaxIntervalWithoutRequest N seconds|minutes
3685 When directory clients have only a few descriptors to request, they
3686 batch them until they have more, or until this amount of time has
3687 passed. Changing this requires that TestingTorNetwork is set.
3688 (Default: 10 minutes)
3689 TestingDirAuthVoteExit node,node,...
3691 A list of identity fingerprints, country codes, and address
3692 patterns of nodes to vote Exit for regardless of their uptime,
3693 bandwidth, or exit policy. See ExcludeNodes for more information on
3694 how to specify nodes.
3695 In order for this option to have any effect, TestingTorNetwork has
3698 to be set. See ExcludeNodes for more information on how to specify
3699 nodes.
3700 TestingDirAuthVoteExitIsStrict 0|1
3702 If True (1), a node will never receive the Exit flag unless it is
3703 specified in the TestingDirAuthVoteExit list, regardless of its
3704 uptime, bandwidth, or exit policy.
3705 In order for this option to have any effect, TestingTorNetwork has
3708 to be set.
3709 TestingDirAuthVoteGuard node,node,...
3711 A list of identity fingerprints and country codes and address
3712 patterns of nodes to vote Guard for regardless of their uptime and
3713 bandwidth. See ExcludeNodes for more information on how to specify
3714 nodes.
3715 In order for this option to have any effect, TestingTorNetwork has
3718 to be set.
3719 TestingDirAuthVoteGuardIsStrict 0|1
3721 If True (1), a node will never receive the Guard flag unless it is
3722 specified in the TestingDirAuthVoteGuard list, regardless of its
3723 uptime and bandwidth.
3724 In order for this option to have any effect, TestingTorNetwork has
3727 to be set.
3728 TestingDirAuthVoteHSDir node,node,...
3730 A list of identity fingerprints and country codes and address
3731 patterns of nodes to vote HSDir for regardless of their uptime and
3732 DirPort. See ExcludeNodes for more information on how to specify
3733 nodes.
3734 In order for this option to have any effect, TestingTorNetwork must
3737 be set.
3738 TestingDirAuthVoteHSDirIsStrict 0|1
3740 If True (1), a node will never receive the HSDir flag unless it is
3741 specified in the TestingDirAuthVoteHSDir list, regardless of its
3742 uptime and DirPort.
3743 In order for this option to have any effect, TestingTorNetwork has
3746 to be set.
3747 TestingDirConnectionMaxStall N seconds|minutes
3749 Let a directory connection stall this long before expiring it.
3750 Changing this requires that TestingTorNetwork is set. (Default: 5
3751 minutes)
3752 TestingEnableCellStatsEvent 0|1
3754 If this option is set, then Tor controllers may register for
3755 CELL_STATS events. Changing this requires that TestingTorNetwork is
3756 set. (Default: 0)
3757 TestingEnableConnBwEvent 0|1
3759 If this option is set, then Tor controllers may register for
3760 CONN_BW events. Changing this requires that TestingTorNetwork is
3761 set. (Default: 0)
3762 TestingLinkCertLifetime N seconds|minutes|hours|days|weeks|months
3764 Overrides the default lifetime for the certificates used to
3765 authenticate our X509 link cert with our ed25519 signing key.
3766 (Default: 2 days)
3767 TestingLinkKeySlop N seconds|minutes|hours
3769 TestingMinExitFlagThreshold N
3771 KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3772 Sets a lower-bound for assigning an exit flag when running as an
3773 authority on a testing network. Overrides the usual default lower
3774 bound of 4 KBytes. (Default: 0)
3775 TestingMinFastFlagThreshold N
3777 bytes|KBytes|MBytes|GBytes|TBytes|KBits|MBits|GBits|TBits
3778 Minimum value for the Fast flag. Overrides the ordinary minimum
3779 taken from the consensus when TestingTorNetwork is set. (Default:
3780 0.)
3781 TestingServerConsensusDownloadInitialDelay N
3783 Initial delay in seconds for when servers should download
3784 consensuses. Changing this requires that TestingTorNetwork is set.
3785 (Default: 0)
3786 TestingServerDownloadInitialDelay N
3788 Initial delay in seconds for when servers should download things in
3789 general. Changing this requires that TestingTorNetwork is set.
3790 (Default: 0)
3791 TestingSigningKeySlop N seconds|minutes|hours
3793 How early before the official expiration of a an Ed25519 signing
3794 key do we replace it and issue a new key? (Default: 3 hours for
3795 link and auth; 1 day for signing.)
3796 TestingV3AuthInitialDistDelay N seconds|minutes|hours
3798 Like V3AuthDistDelay, but for initial voting interval before the
3799 first consensus has been created. Changing this requires that
3800 TestingTorNetwork is set. (Default: 5 minutes)
3801 TestingV3AuthInitialVoteDelay N seconds|minutes|hours
3803 Like V3AuthVoteDelay, but for initial voting interval before the
3804 first consensus has been created. Changing this requires that
3805 TestingTorNetwork is set. (Default: 5 minutes)
3806 TestingV3AuthInitialVotingInterval N seconds|minutes|hours
3808 Like V3AuthVotingInterval, but for initial voting interval before
3809 the first consensus has been created. Changing this requires that
3810 TestingTorNetwork is set. (Default: 30 minutes)
3811 TestingV3AuthVotingStartOffset N seconds|minutes|hours
3813 Directory authorities offset voting start time by this much.
3814 Changing this requires that TestingTorNetwork is set. (Default: 0)
3815
3817 These options are not saved to the torrc file by the "SAVECONF"
3818 controller command. Other options of this type are documented in
3819 control-spec.txt, section 5.4. End-users should mostly ignore them.
3820 __ControlPort, __DirPort, __DNSPort, __ExtORPort, __NATDPort, __ORPort,
3822 __SocksPort, __TransPort
3823 These underscore-prefixed options are variants of the regular Port
3824 options. They behave the same, except they are not saved to the
3825 torrc file by the controller’s SAVECONF command.
3826
3828 Tor catches the following signals:
3829 SIGTERM
3831 Tor will catch this, clean up and sync to disk if necessary, and
3832 exit.
3833 SIGINT
3835 Tor clients behave as with SIGTERM; but Tor servers will do a
3836 controlled slow shutdown, closing listeners and waiting 30 seconds
3837 before exiting. (The delay can be configured with the
3838 ShutdownWaitLength config option.)
3839 SIGHUP
3841 The signal instructs Tor to reload its configuration (including
3842 closing and reopening logs), and kill and restart its helper
3843 processes if applicable.
3844 SIGUSR1
3846 Log statistics about current connections, past connections, and
3847 throughput.
3848 SIGUSR2
3850 Switch all logs to loglevel debug. You can go back to the old
3851 loglevels by sending a SIGHUP.
3852 SIGCHLD
3854 Tor receives this signal when one of its helper processes has
3855 exited, so it can clean up.
3856 SIGPIPE
3858 Tor catches this signal and ignores it.
3859 SIGXFSZ
3861 If this signal exists on your platform, Tor catches and ignores it.
3862
3864 /etc/tor/torrc
3865 Default location of the configuration file.
3866 $HOME/.torrc
3868 Fallback location for torrc, if /etc/tor/torrc is not found.
3869 /var/lib/tor/
3871 The tor process stores keys and other data here.
3872 CacheDirectory/cached-certs
3874 Contains downloaded directory key certificates that are used to
3875 verify authenticity of documents generated by the Tor directory
3876 authorities.
3877 CacheDirectory/cached-consensus and/or cached-microdesc-consensus
3879 The most recent consensus network status document we’ve downloaded.
3880 CacheDirectory/cached-descriptors and cached-descriptors.new
3882 These files contain the downloaded router statuses. Some routers
3883 may appear more than once; if so, the most recently published
3884 descriptor is used. Lines beginning with @-signs are annotations
3885 that contain more information about a given router. The .new file
3886 is an append-only journal; when it gets too large, all entries are
3887 merged into a new cached-descriptors file.
3888 CacheDirectory/cached-extrainfo and cached-extrainfo.new
3890 Similar to cached-descriptors, but holds optionally-downloaded
3891 "extra-info" documents. Relays use these documents to send
3892 inessential information about statistics, bandwidth history, and
3893 network health to the authorities. They aren’t fetched by default.
3894 See DownloadExtraInfo for more information.
3895 CacheDirectory/cached-microdescs and cached-microdescs.new
3897 These files hold downloaded microdescriptors. Lines beginning with
3898 @-signs are annotations that contain more information about a given
3899 router. The .new file is an append-only journal; when it gets too
3900 large, all entries are merged into a new cached-microdescs file.
3901 DataDirectory/state
3903 Contains a set of persistent key-value mappings. These include:
3904 • the current entry guards and their status.
3906 • the current bandwidth accounting values.
3908 • when the file was last written
3910 • what version of Tor generated the state file
3912 • a short history of bandwidth usage, as produced in the server
3914 descriptors.
3915 DataDirectory/sr-state
3917 Authority only. This file is used to record information about the
3918 current status of the shared-random-value voting state.
3919 CacheDirectory/diff-cache
3921 Directory cache only. Holds older consensuses and diffs from oldest
3922 to the most recent consensus of each type compressed in various
3923 ways. Each file contains a set of key-value arguments describing
3924 its contents, followed by a single NUL byte, followed by the main
3925 file contents.
3926 DataDirectory/bw_accounting
3928 This file is obsolete and the data is now stored in the state file
3929 instead. Used to track bandwidth accounting values (when the
3930 current period starts and ends; how much has been read and written
3931 so far this period).
3932 DataDirectory/control_auth_cookie
3934 This file can be used only when cookie authentication is enabled.
3935 Used for cookie authentication with the controller. Location can be
3936 overridden by the CookieAuthFile configuration option. Regenerated
3937 on startup. See control-spec.txt in torspec for details.
3938 DataDirectory/lock
3940 This file is used to prevent two Tor instances from using the same
3941 data directory. If access to this file is locked, data directory is
3942 already in use by Tor.
3943 DataDirectory/key-pinning-journal
3945 Used by authorities. A line-based file that records mappings
3946 between RSA1024 and Ed25519 identity keys. Authorities enforce
3947 these mappings, so that once a relay has picked an Ed25519 key,
3948 stealing or factoring the RSA1024 key will no longer let an
3949 attacker impersonate the relay.
3950 KeyDirectory/authority_identity_key
3952 A v3 directory authority’s master identity key, used to
3953 authenticate its signing key. Tor doesn’t use this while it’s
3954 running. The tor-gencert program uses this. If you’re running an
3955 authority, you should keep this key offline, and not put it in this
3956 file.
3957 KeyDirectory/authority_certificate
3959 Only directory authorities use this file. A v3 directory
3960 authority’s certificate which authenticates the authority’s current
3961 vote- and consensus-signing key using its master identity key.
3962 KeyDirectory/authority_signing_key
3964 Only directory authorities use this file. A v3 directory
3965 authority’s signing key that is used to sign votes and consensuses.
3966 Corresponds to the authority_certificate cert.
3967 KeyDirectory/legacy_certificate
3969 As authority_certificate; used only when V3AuthUseLegacyKey is set.
3970 See documentation for V3AuthUseLegacyKey.
3971 KeyDirectory/legacy_signing_key
3973 As authority_signing_key: used only when V3AuthUseLegacyKey is set.
3974 See documentation for V3AuthUseLegacyKey.
3975 KeyDirectory/secret_id_key
3977 A relay’s RSA1024 permanent identity key, including private and
3978 public components. Used to sign router descriptors, and to sign
3979 other keys.
3980 KeyDirectory/ed25519_master_id_public_key
3982 The public part of a relay’s Ed25519 permanent identity key.
3983 KeyDirectory/ed25519_master_id_secret_key
3985 The private part of a relay’s Ed25519 permanent identity key. This
3986 key is used to sign the medium-term ed25519 signing key. This file
3987 can be kept offline or encrypted. If so, Tor will not be able to
3988 generate new signing keys automatically; you’ll need to use tor
3989 --keygen to do so.
3990 KeyDirectory/ed25519_signing_secret_key
3992 The private and public components of a relay’s medium-term Ed25519
3993 signing key. This key is authenticated by the Ed25519 master key,
3994 which in turn authenticates other keys (and router descriptors).
3995 KeyDirectory/ed25519_signing_cert
3997 The certificate which authenticates "ed25519_signing_secret_key" as
3998 having been signed by the Ed25519 master key.
3999 KeyDirectory/secret_onion_key and secret_onion_key.old
4001 A relay’s RSA1024 short-term onion key. Used to decrypt old-style
4002 ("TAP") circuit extension requests. The .old file holds the
4003 previously generated key, which the relay uses to handle any
4004 requests that were made by clients that didn’t have the new one.
4005 KeyDirectory/secret_onion_key_ntor and secret_onion_key_ntor.old
4007 A relay’s Curve25519 short-term onion key. Used to handle modern
4008 ("ntor") circuit extension requests. The .old file holds the
4009 previously generated key, which the relay uses to handle any
4010 requests that were made by clients that didn’t have the new one.
4011 DataDirectory/fingerprint
4013 Only used by servers. Contains the fingerprint of the server’s
4014 identity key.
4015 DataDirectory/hashed-fingerprint
4017 Only used by bridges. Contains the hashed fingerprint of the
4018 bridge’s identity key. (That is, the hash of the hash of the
4019 identity key.)
4020 DataDirectory/approved-routers
4022 Only used by authoritative directory servers. Each line lists a
4023 status and an identity, separated by whitespace. Identities can be
4024 hex-encoded RSA fingerprints, or base-64 encoded ed25519 public
4025 keys. See the fingerprint file in a tor relay’s DataDirectory for
4026 an example fingerprint line. If the status is !reject, then
4027 descriptors from the given identity are rejected by this server. If
4028 it is !invalid then descriptors are accepted, but marked in the
4029 vote as not valid. If it is !badexit, then the authority will vote
4030 for it to receive a BadExit flag, indicating that it shouldn’t be
4031 used for traffic leaving the Tor network. (Neither rejected nor
4032 invalid relays are included in the consensus.)
4033 DataDirectory/v3-status-votes
4035 Only for v3 authoritative directory servers. This file contains
4036 status votes from all the authoritative directory servers.
4037 CacheDirectory/unverified-consensus
4039 Contains a network consensus document that has been downloaded, but
4040 which we didn’t have the right certificates to check yet.
4041 CacheDirectory/unverified-microdesc-consensus
4043 Contains a microdescriptor-flavored network consensus document that
4044 has been downloaded, but which we didn’t have the right
4045 certificates to check yet.
4046 DataDirectory/unparseable-desc
4048 Onion server descriptors that Tor was unable to parse are dumped to
4049 this file. Only used for debugging.
4050 DataDirectory/router-stability
4052 Only used by authoritative directory servers. Tracks measurements
4053 for router mean-time-between-failures so that authorities have a
4054 fair idea of how to set their Stable flags.
4055 DataDirectory/stats/dirreq-stats
4057 Only used by directory caches and authorities. This file is used to
4058 collect directory request statistics.
4059 DataDirectory/stats/entry-stats
4061 Only used by servers. This file is used to collect incoming
4062 connection statistics by Tor entry nodes.
4063 DataDirectory/stats/bridge-stats
4065 Only used by servers. This file is used to collect incoming
4066 connection statistics by Tor bridges.
4067 DataDirectory/stats/exit-stats
4069 Only used by servers. This file is used to collect outgoing
4070 connection statistics by Tor exit routers.
4071 DataDirectory/stats/buffer-stats
4073 Only used by servers. This file is used to collect buffer usage
4074 history.
4075 DataDirectory/stats/conn-stats
4077 Only used by servers. This file is used to collect approximate
4078 connection history (number of active connections over time).
4079 DataDirectory/stats/hidserv-stats
4081 Only used by servers. This file is used to collect approximate
4082 counts of what fraction of the traffic is hidden service rendezvous
4083 traffic, and approximately how many hidden services the relay has
4084 seen.
4085 DataDirectory/networkstatus-bridges`
4087 Only used by authoritative bridge directories. Contains information
4088 about bridges that have self-reported themselves to the bridge
4089 authority.
4090 HiddenServiceDirectory/hostname
4092 The <base32-encoded-fingerprint>.onion domain name for this hidden
4093 service. If the hidden service is restricted to authorized clients
4094 only, this file also contains authorization data for all clients.
4095 Note
4097 The clients will ignore any extra subdomains prepended to a
4098 hidden service hostname. Supposing you have "xyz.onion" as your
4099 hostname, you can ask your clients to connect to
4100 "www.xyz.onion" or "irc.xyz.onion" for virtual-hosting
4101 purposes.
4102 HiddenServiceDirectory/private_key
4104 Contains the private key for this hidden service.
4105 HiddenServiceDirectory/client_keys
4107 Contains authorization data for a hidden service that is only
4108 accessible by authorized clients.
4109 HiddenServiceDirectory/onion_service_non_anonymous
4111 This file is present if a hidden service key was created in
4112 HiddenServiceNonAnonymousMode.
4113
4115 For more information, refer to the Tor Project website at
4116 https://www.torproject.org/ and the Tor specifications at
4117 https://spec.torproject.org. See also torsocks(1) and torify(1).
4118
4120 Because Tor is still under development, there may be plenty of bugs.
4121 Please report them at https://bugs.torproject.org/.
4122Tor 05/07/2021 TOR(1)