--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"\r
+ "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">\r
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">\r
+<head>\r
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />\r
+<meta name="generator" content="AsciiDoc 8.4.5" />\r
+<title>TOR(1)</title>\r
+<style type="text/css">\r
+/* Debug borders */\r
+p, li, dt, dd, div, pre, h1, h2, h3, h4, h5, h6 {\r
+/*\r
+ border: 1px solid red;\r
+*/\r
+}\r
+\r
+body {\r
+ margin: 1em 5% 1em 5%;\r
+}\r
+\r
+a {\r
+ color: blue;\r
+ text-decoration: underline;\r
+}\r
+a:visited {\r
+ color: fuchsia;\r
+}\r
+\r
+em {\r
+ font-style: italic;\r
+ color: navy;\r
+}\r
+\r
+strong {\r
+ font-weight: bold;\r
+ color: #083194;\r
+}\r
+\r
+tt {\r
+ color: navy;\r
+}\r
+\r
+h1, h2, h3, h4, h5, h6 {\r
+ color: #527bbd;\r
+ font-family: sans-serif;\r
+ margin-top: 1.2em;\r
+ margin-bottom: 0.5em;\r
+ line-height: 1.3;\r
+}\r
+\r
+h1, h2, h3 {\r
+ border-bottom: 2px solid silver;\r
+}\r
+h2 {\r
+ padding-top: 0.5em;\r
+}\r
+h3 {\r
+ float: left;\r
+}\r
+h3 + * {\r
+ clear: left;\r
+}\r
+\r
+div.sectionbody {\r
+ font-family: serif;\r
+ margin-left: 0;\r
+}\r
+\r
+hr {\r
+ border: 1px solid silver;\r
+}\r
+\r
+p {\r
+ margin-top: 0.5em;\r
+ margin-bottom: 0.5em;\r
+}\r
+\r
+ul, ol, li > p {\r
+ margin-top: 0;\r
+}\r
+\r
+pre {\r
+ padding: 0;\r
+ margin: 0;\r
+}\r
+\r
+span#author {\r
+ color: #527bbd;\r
+ font-family: sans-serif;\r
+ font-weight: bold;\r
+ font-size: 1.1em;\r
+}\r
+span#email {\r
+}\r
+span#revnumber, span#revdate, span#revremark {\r
+ font-family: sans-serif;\r
+}\r
+\r
+div#footer {\r
+ font-family: sans-serif;\r
+ font-size: small;\r
+ border-top: 2px solid silver;\r
+ padding-top: 0.5em;\r
+ margin-top: 4.0em;\r
+}\r
+div#footer-text {\r
+ float: left;\r
+ padding-bottom: 0.5em;\r
+}\r
+div#footer-badges {\r
+ float: right;\r
+ padding-bottom: 0.5em;\r
+}\r
+\r
+div#preamble {\r
+ margin-top: 1.5em;\r
+ margin-bottom: 1.5em;\r
+}\r
+div.tableblock, div.imageblock, div.exampleblock, div.verseblock,\r
+div.quoteblock, div.literalblock, div.listingblock, div.sidebarblock,\r
+div.admonitionblock {\r
+ margin-top: 1.5em;\r
+ margin-bottom: 1.5em;\r
+}\r
+div.admonitionblock {\r
+ margin-top: 2.5em;\r
+ margin-bottom: 2.5em;\r
+}\r
+\r
+div.content { /* Block element content. */\r
+ padding: 0;\r
+}\r
+\r
+/* Block element titles. */\r
+div.title, caption.title {\r
+ color: #527bbd;\r
+ font-family: sans-serif;\r
+ font-weight: bold;\r
+ text-align: left;\r
+ margin-top: 1.0em;\r
+ margin-bottom: 0.5em;\r
+}\r
+div.title + * {\r
+ margin-top: 0;\r
+}\r
+\r
+td div.title:first-child {\r
+ margin-top: 0.0em;\r
+}\r
+div.content div.title:first-child {\r
+ margin-top: 0.0em;\r
+}\r
+div.content + div.title {\r
+ margin-top: 0.0em;\r
+}\r
+\r
+div.sidebarblock > div.content {\r
+ background: #ffffee;\r
+ border: 1px solid silver;\r
+ padding: 0.5em;\r
+}\r
+\r
+div.listingblock > div.content {\r
+ border: 1px solid silver;\r
+ background: #f4f4f4;\r
+ padding: 0.5em;\r
+}\r
+\r
+div.quoteblock {\r
+ padding-left: 2.0em;\r
+ margin-right: 10%;\r
+}\r
+div.quoteblock > div.attribution {\r
+ padding-top: 0.5em;\r
+ text-align: right;\r
+}\r
+\r
+div.verseblock {\r
+ padding-left: 2.0em;\r
+ margin-right: 10%;\r
+}\r
+div.verseblock > div.content {\r
+ white-space: pre;\r
+}\r
+div.verseblock > div.attribution {\r
+ padding-top: 0.75em;\r
+ text-align: left;\r
+}\r
+/* DEPRECATED: Pre version 8.2.7 verse style literal block. */\r
+div.verseblock + div.attribution {\r
+ text-align: left;\r
+}\r
+\r
+div.admonitionblock .icon {\r
+ vertical-align: top;\r
+ font-size: 1.1em;\r
+ font-weight: bold;\r
+ text-decoration: underline;\r
+ color: #527bbd;\r
+ padding-right: 0.5em;\r
+}\r
+div.admonitionblock td.content {\r
+ padding-left: 0.5em;\r
+ border-left: 2px solid silver;\r
+}\r
+\r
+div.exampleblock > div.content {\r
+ border-left: 2px solid silver;\r
+ padding: 0.5em;\r
+}\r
+\r
+div.imageblock div.content { padding-left: 0; }\r
+span.image img { border-style: none; }\r
+a.image:visited { color: white; }\r
+\r
+dl {\r
+ margin-top: 0.8em;\r
+ margin-bottom: 0.8em;\r
+}\r
+dt {\r
+ margin-top: 0.5em;\r
+ margin-bottom: 0;\r
+ font-style: normal;\r
+ color: navy;\r
+}\r
+dd > *:first-child {\r
+ margin-top: 0.1em;\r
+}\r
+\r
+ul, ol {\r
+ list-style-position: outside;\r
+}\r
+ol.arabic {\r
+ list-style-type: decimal;\r
+}\r
+ol.loweralpha {\r
+ list-style-type: lower-alpha;\r
+}\r
+ol.upperalpha {\r
+ list-style-type: upper-alpha;\r
+}\r
+ol.lowerroman {\r
+ list-style-type: lower-roman;\r
+}\r
+ol.upperroman {\r
+ list-style-type: upper-roman;\r
+}\r
+\r
+div.compact ul, div.compact ol,\r
+div.compact p, div.compact p,\r
+div.compact div, div.compact div {\r
+ margin-top: 0.1em;\r
+ margin-bottom: 0.1em;\r
+}\r
+\r
+div.tableblock > table {\r
+ border: 3px solid #527bbd;\r
+}\r
+thead {\r
+ font-family: sans-serif;\r
+ font-weight: bold;\r
+}\r
+tfoot {\r
+ font-weight: bold;\r
+}\r
+td > div.verse {\r
+ white-space: pre;\r
+}\r
+p.table {\r
+ margin-top: 0;\r
+}\r
+/* Because the table frame attribute is overriden by CSS in most browsers. */\r
+div.tableblock > table[frame="void"] {\r
+ border-style: none;\r
+}\r
+div.tableblock > table[frame="hsides"] {\r
+ border-left-style: none;\r
+ border-right-style: none;\r
+}\r
+div.tableblock > table[frame="vsides"] {\r
+ border-top-style: none;\r
+ border-bottom-style: none;\r
+}\r
+\r
+\r
+div.hdlist {\r
+ margin-top: 0.8em;\r
+ margin-bottom: 0.8em;\r
+}\r
+div.hdlist tr {\r
+ padding-bottom: 15px;\r
+}\r
+dt.hdlist1.strong, td.hdlist1.strong {\r
+ font-weight: bold;\r
+}\r
+td.hdlist1 {\r
+ vertical-align: top;\r
+ font-style: normal;\r
+ padding-right: 0.8em;\r
+ color: navy;\r
+}\r
+td.hdlist2 {\r
+ vertical-align: top;\r
+}\r
+div.hdlist.compact tr {\r
+ margin: 0;\r
+ padding-bottom: 0;\r
+}\r
+\r
+.comment {\r
+ background: yellow;\r
+}\r
+\r
+@media print {\r
+ div#footer-badges { display: none; }\r
+}\r
+\r
+div#toctitle {\r
+ color: #527bbd;\r
+ font-family: sans-serif;\r
+ font-size: 1.1em;\r
+ font-weight: bold;\r
+ margin-top: 1.0em;\r
+ margin-bottom: 0.1em;\r
+}\r
+\r
+div.toclevel1, div.toclevel2, div.toclevel3, div.toclevel4 {\r
+ margin-top: 0;\r
+ margin-bottom: 0;\r
+}\r
+div.toclevel2 {\r
+ margin-left: 2em;\r
+ font-size: 0.9em;\r
+}\r
+div.toclevel3 {\r
+ margin-left: 4em;\r
+ font-size: 0.9em;\r
+}\r
+div.toclevel4 {\r
+ margin-left: 6em;\r
+ font-size: 0.9em;\r
+}\r
+/* Overrides for manpage documents */\r
+h1 {\r
+ padding-top: 0.5em;\r
+ padding-bottom: 0.5em;\r
+ border-top: 2px solid silver;\r
+ border-bottom: 2px solid silver;\r
+}\r
+h2 {\r
+ border-style: none;\r
+}\r
+div.sectionbody {\r
+ margin-left: 5%;\r
+}\r
+\r
+@media print {\r
+ div#toc { display: none; }\r
+}\r
+\r
+/* Workarounds for IE6's broken and incomplete CSS2. */\r
+\r
+div.sidebar-content {\r
+ background: #ffffee;\r
+ border: 1px solid silver;\r
+ padding: 0.5em;\r
+}\r
+div.sidebar-title, div.image-title {\r
+ color: #527bbd;\r
+ font-family: sans-serif;\r
+ font-weight: bold;\r
+ margin-top: 0.0em;\r
+ margin-bottom: 0.5em;\r
+}\r
+\r
+div.listingblock div.content {\r
+ border: 1px solid silver;\r
+ background: #f4f4f4;\r
+ padding: 0.5em;\r
+}\r
+\r
+div.quoteblock-attribution {\r
+ padding-top: 0.5em;\r
+ text-align: right;\r
+}\r
+\r
+div.verseblock-content {\r
+ white-space: pre;\r
+}\r
+div.verseblock-attribution {\r
+ padding-top: 0.75em;\r
+ text-align: left;\r
+}\r
+\r
+div.exampleblock-content {\r
+ border-left: 2px solid silver;\r
+ padding-left: 0.5em;\r
+}\r
+\r
+/* IE6 sets dynamically generated links as visited. */\r
+div#toc a:visited { color: blue; }\r
+</style>\r
+</head>\r
+<body>\r
+<div id="header">\r
+<h1>\r
+TOR(1) Manual Page\r
+</h1>\r
+<h2>NAME</h2>\r
+<div class="sectionbody">\r
+<p>tor -\r
+ The second-generation onion router\r
+</p>\r
+</div>\r
+</div>\r
+<h2 id="_synopsis">SYNOPSIS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p><strong>tor</strong> [<em>OPTION</em> <em>value</em>]…</p></div>\r
+</div>\r
+<h2 id="_description">DESCRIPTION</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p><em>tor</em> is a connection-oriented anonymizing communication\r
+service. Users choose a source-routed path through a set of nodes, and\r
+negotiate a "virtual circuit" through the network, in which each node\r
+knows its predecessor and successor, but no others. Traffic flowing down\r
+the circuit is unwrapped by a symmetric key at each node, which reveals\r
+the downstream node.<br /></p></div>\r
+<div class="paragraph"><p>Basically <em>tor</em> provides a distributed network of servers ("onion routers").\r
+Users bounce their TCP streams — web traffic, ftp, ssh, etc — around the\r
+routers, and recipients, observers, and even the routers themselves have\r
+difficulty tracking the source of the stream.</p></div>\r
+</div>\r
+<h2 id="_options">OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>-h</strong>, <strong>-help</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Display a short help message and exit.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>-f</strong> <em>FILE</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ FILE contains further "option value" pairs. (Default: /etc/tor/torrc)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--hash-password</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Generates a hashed password for control port access.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--list-fingerprint</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Generate your keys and output your nickname and fingerprint.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--verify-config</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Verify the configuration file is valid.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--nt-service</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ <strong>--service [install|remove|start|stop]</strong> Manage the Tor Windows\r
+ NT/2000/XP service. Current instructions can be found at\r
+ <a href="https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WinNTService">https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#WinNTService</a>\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--list-torrc-options</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ List all valid options.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--version</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Display Tor version and exit.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>--quiet</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Do not start Tor with a console log unless explicitly requested to do so.\r
+ (By default, Tor starts out logging messages at level "notice" or higher to\r
+ the console, until it has parsed its configuration.)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+<div class="paragraph"><p>Other options can be specified either on the command-line (--option\r
+ value), or in the configuration file (option value or option "value").\r
+ Options are case-insensitive. C-style escaped characters are allowed inside\r
+ quoted values. Options on the command line take precedence over\r
+ options found in the configuration file, except indicated otherwise. To\r
+ split one configuration entry into multiple lines, use a single \ before\r
+ the end of the line. Comments can be used in such multiline entries, but\r
+ they must start at the beginning of a line.</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>BandwidthRate</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A token bucket limits the average incoming bandwidth usage on this node to\r
+ the specified number of bytes per second, and the average outgoing\r
+ bandwidth usage to that same value. If you want to run a relay in the\r
+ public network, this needs to be <em>at the very least</em> 20 KB (that is,\r
+ 20480 bytes). (Default: 5 MB)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>BandwidthBurst</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Limit the maximum token bucket size (also known as the burst) to the given\r
+ number of bytes in each direction. (Default: 10 MB)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>MaxAdvertisedBandwidth</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, we will not advertise more than this amount of bandwidth for our\r
+ BandwidthRate. Server operators who want to reduce the number of clients\r
+ who ask to build circuits through them (since this is proportional to\r
+ advertised bandwidth rate) can thus reduce the CPU demands on their server\r
+ without impacting network performance.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RelayBandwidthRate</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If not 0, a separate token bucket limits the average incoming bandwidth\r
+ usage for _relayed traffic_ on this node to the specified number of bytes\r
+ per second, and the average outgoing bandwidth usage to that same value.\r
+ Relayed traffic currently is calculated to include answers to directory\r
+ requests, but that may change in future versions. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RelayBandwidthBurst</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If not 0, limit the maximum token bucket size (also known as the burst) for\r
+ _relayed traffic_ to the given number of bytes in each direction.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>PerConnBWRate</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, do separate rate limiting for each connection from a non-relay.\r
+ You should never need to change this value, since a network-wide value is\r
+ published in the consensus and your relay will use that value. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>PerConnBWBurst</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, do separate rate limiting for each connection from a non-relay.\r
+ You should never need to change this value, since a network-wide value is\r
+ published in the consensus and your relay will use that value. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ConnLimit</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The minimum number of file descriptors that must be available to the Tor\r
+ process before it will start. Tor will ask the OS for as many file\r
+ descriptors as the OS will allow (you can find this by "ulimit -H -n").\r
+ If this number is less than ConnLimit, then Tor will refuse to start.<br />\r
+<br />\r
+ You probably don’t need to adjust this. It has no effect on Windows\r
+ since that platform lacks getrlimit(). (Default: 1000)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ConstrainedSockets</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, Tor will tell the kernel to attempt to shrink the buffers for all\r
+ sockets to the size specified in <strong>ConstrainedSockSize</strong>. This is useful for\r
+ virtual servers and other environments where system level TCP buffers may\r
+ be limited. If you’re on a virtual server, and you encounter the "Error\r
+ creating network socket: No buffer space available" message, you are\r
+ likely experiencing this problem.<br />\r
+<br />\r
+ The preferred solution is to have the admin increase the buffer pool for\r
+ the host itself via /proc/sys/net/ipv4/tcp_mem or equivalent facility;\r
+ this configuration option is a second-resort.<br />\r
+<br />\r
+ The DirPort option should also not be used if TCP buffers are scarce. The\r
+ cached directory requests consume additional sockets which exacerbates\r
+ the problem.<br />\r
+<br />\r
+ You should <strong>not</strong> enable this feature unless you encounter the "no buffer\r
+ space available" issue. Reducing the TCP buffers affects window size for\r
+ the TCP stream and will reduce throughput in proportion to round trip\r
+ time on long paths. (Default: 0.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ConstrainedSockSize</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When <strong>ConstrainedSockets</strong> is enabled the receive and transmit buffers for\r
+ all sockets will be set to this limit. Must be a value between 2048 and\r
+ 262144, in 1024 byte increments. Default of 8192 is recommended.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ControlPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, Tor will accept connections on this port and allow those\r
+ connections to control the Tor process using the Tor Control Protocol\r
+ (described in control-spec.txt). Note: unless you also specify one or\r
+ more of <strong>HashedControlPassword</strong> or <strong>CookieAuthentication</strong>,\r
+ setting this option will cause Tor to allow any process on the local\r
+ host to control it. (Setting both authentication methods means either\r
+ method is sufficient to authenticate to Tor.) This\r
+ option is required for many Tor controllers; most use the value of 9051.\r
+ Set it to "auto" to have Tor pick a port for you. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ControlListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind the controller listener to this address. If you specify a port, bind\r
+ to this port rather than the one specified in ControlPort. We strongly\r
+ recommend that you leave this alone unless you know what you’re doing,\r
+ since giving attackers access to your control listener is really\r
+ dangerous. (Default: 127.0.0.1) This directive can be specified multiple\r
+ times to bind to multiple addresses/ports.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ControlSocket</strong> <em>Path</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like ControlPort, but listens on a Unix domain socket, rather than a TCP\r
+ socket. (Unix and Unix-like systems only.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ControlSocketsGroupWritable</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is set to 0, don’t allow the filesystem group to read and\r
+ write unix sockets (e.g. ControlSocket). If the option is set to 1, make\r
+ the control socket readable and writable by the default GID. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HashedControlPassword</strong> <em>hashed_password</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Allow connections on the control port if they present\r
+ the password whose one-way hash is <em>hashed_password</em>. You\r
+ can compute the hash of a password by running "tor --hash-password\r
+ <em>password</em>". You can provide several acceptable passwords by using more\r
+ than one HashedControlPassword line.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CookieAuthentication</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is set to 1, allow connections on the control port\r
+ when the connecting process knows the contents of a file named\r
+ "control_auth_cookie", which Tor will create in its data directory. This\r
+ authentication method should only be used on systems with good filesystem\r
+ security. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CookieAuthFile</strong> <em>Path</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, this option overrides the default location and file name\r
+ for Tor’s cookie file. (See CookieAuthentication above.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CookieAuthFileGroupReadable</strong> <strong>0</strong>|<strong>1</strong>|<em>Groupname</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is set to 0, don’t allow the filesystem group to read the\r
+ cookie file. If the option is set to 1, make the cookie file readable by\r
+ the default GID. [Making the file readable by other groups is not yet\r
+ implemented; let us know if you need this for some reason.] (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ControlPortWriteToFile</strong> <em>Path</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, Tor writes the address and port of any control port it opens to\r
+ this address. Usable by controllers to learn the actual control port\r
+ when ControlPort is set to "auto".\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ControlPortFileGroupReadable</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is set to 0, don’t allow the filesystem group to read the\r
+ control port file. If the option is set to 1, make the control port\r
+ file readable by the default GID. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DataDirectory</strong> <em>DIR</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Store working data in DIR (Default: /var/lib/tor)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirServer</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em>fingerprint</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Use a nonstandard authoritative directory server at the provided address\r
+ and port, with the specified key fingerprint. This option can be repeated\r
+ many times, for multiple authoritative directory servers. Flags are\r
+ separated by spaces, and determine what kind of an authority this directory\r
+ is. By default, every authority is authoritative for current ("v2")-style\r
+ directories, unless the "no-v2" flag is given. If the "v1" flags is\r
+ provided, Tor will use this server as an authority for old-style (v1)\r
+ directories as well. (Only directory mirrors care about this.) Tor will\r
+ use this server as an authority for hidden service information if the "hs"\r
+ flag is set, or if the "v1" flag is set and the "no-hs" flag is <strong>not</strong> set.\r
+ Tor will use this authority as a bridge authoritative directory if the\r
+ "bridge" flag is set. If a flag "orport=<strong>port</strong>" is given, Tor will use the\r
+ given port when opening encrypted tunnels to the dirserver. Lastly, if a\r
+ flag "v3ident=<strong>fp</strong>" is given, the dirserver is a v3 directory authority\r
+ whose v3 long-term signing key has the fingerprint <strong>fp</strong>.<br />\r
+<br />\r
+ If no <strong>dirserver</strong> line is given, Tor will use the default directory\r
+ servers. NOTE: this option is intended for setting up a private Tor\r
+ network with its own directory authorities. If you use it, you will be\r
+ distinguishable from other users, because you won’t believe the same\r
+ authorities they do.\r
+</p>\r
+</dd>\r
+</dl></div>\r
+<div class="paragraph"><p><strong>AlternateDirAuthority</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em>fingerprint</em><br /></p></div>\r
+<div class="paragraph"><p><strong>AlternateHSAuthority</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em>fingerprint</em><br /></p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>AlternateBridgeAuthority</strong> [<em>nickname</em>] [<strong>flags</strong>] <em>address</em>:<em>port</em> <em> fingerprint</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ As DirServer, but replaces less of the default directory authorities. Using\r
+ AlternateDirAuthority replaces the default Tor directory authorities, but\r
+ leaves the hidden service authorities and bridge authorities in place.\r
+ Similarly, Using AlternateHSAuthority replaces the default hidden service\r
+ authorities, but not the directory or bridge authorities.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DisableAllSwap</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor will attempt to lock all current and future memory pages,\r
+ so that memory cannot be paged out. Windows, OS X and Solaris are currently\r
+ not supported. We believe that this feature works on modern Gnu/Linux\r
+ distributions, and that it should work on *BSD systems (untested). This\r
+ option requires that you start your Tor as root, and you should use the\r
+ <strong>User</strong> option to properly reduce Tor’s privileges. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FetchDirInfoEarly</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor will always fetch directory information like other\r
+ directory caches, even if you don’t meet the normal criteria for fetching\r
+ early. Normal users should leave it off. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FetchDirInfoExtraEarly</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor will fetch directory information before other directory\r
+ caches. It will attempt to download directory information closer to the\r
+ start of the consensus period. Normal users should leave it off.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FetchHidServDescriptors</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 0, Tor will never fetch any hidden service descriptors from the\r
+ rendezvous directories. This option is only useful if you’re using a Tor\r
+ controller that handles hidden service fetches for you. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FetchServerDescriptors</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 0, Tor will never fetch any network status summaries or server\r
+ descriptors from the directory servers. This option is only useful if\r
+ you’re using a Tor controller that handles directory fetches for you.\r
+ (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FetchUselessDescriptors</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor will fetch every non-obsolete descriptor from the\r
+ authorities that it hears about. Otherwise, it will avoid fetching useless\r
+ descriptors, for example for routers that are not running. This option is\r
+ useful if you’re using the contributed "exitlist" script to enumerate Tor\r
+ nodes that exit to certain addresses. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HTTPProxy</strong> <em>host</em>[:<em>port</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor will make all its directory requests through this host:port (or host:80\r
+ if port is not specified), rather than connecting directly to any directory\r
+ servers.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HTTPProxyAuthenticator</strong> <em>username:password</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If defined, Tor will use this username:password for Basic HTTP proxy\r
+ authentication, as in RFC 2617. This is currently the only form of HTTP\r
+ proxy authentication that Tor supports; feel free to submit a patch if you\r
+ want it to support others.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HTTPSProxy</strong> <em>host</em>[:<em>port</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor will make all its OR (SSL) connections through this host:port (or\r
+ host:443 if port is not specified), via HTTP CONNECT rather than connecting\r
+ directly to servers. You may want to set <strong>FascistFirewall</strong> to restrict\r
+ the set of ports you might try to connect to, if your HTTPS proxy only\r
+ allows connecting to certain ports.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HTTPSProxyAuthenticator</strong> <em>username:password</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If defined, Tor will use this username:password for Basic HTTPS proxy\r
+ authentication, as in RFC 2617. This is currently the only form of HTTPS\r
+ proxy authentication that Tor supports; feel free to submit a patch if you\r
+ want it to support others.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>Socks4Proxy</strong> <em>host</em>[:<em>port</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor will make all OR connections through the SOCKS 4 proxy at host:port\r
+ (or host:1080 if port is not specified).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>Socks5Proxy</strong> <em>host</em>[:<em>port</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor will make all OR connections through the SOCKS 5 proxy at host:port\r
+ (or host:1080 if port is not specified).\r
+</p>\r
+</dd>\r
+</dl></div>\r
+<div class="paragraph"><p><strong>Socks5ProxyUsername</strong> <em>username</em><br /></p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>Socks5ProxyPassword</strong> <em>password</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If defined, authenticate to the SOCKS 5 server using username and password\r
+ in accordance to RFC 1929. Both username and password must be between 1 and\r
+ 255 characters.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>KeepalivePeriod</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ To keep firewalls from expiring connections, send a padding keepalive cell\r
+ every NUM seconds on open connections that are in use. If the connection\r
+ has no open circuits, it will instead be closed after NUM seconds of\r
+ idleness. (Default: 5 minutes)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>Log</strong> <em>minSeverity</em>[-<em>maxSeverity</em>] <strong>stderr</strong>|<strong>stdout</strong>|<strong>syslog</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Send all messages between <em>minSeverity</em> and <em>maxSeverity</em> to the standard\r
+ output stream, the standard error stream, or to the system log. (The\r
+ "syslog" value is only supported on Unix.) Recognized severity levels are\r
+ debug, info, notice, warn, and err. We advise using "notice" in most cases,\r
+ since anything more verbose may provide sensitive information to an\r
+ attacker who obtains the logs. If only one severity level is given, all\r
+ messages of that level or higher will be sent to the listed destination.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>Log</strong> <em>minSeverity</em>[-<em>maxSeverity</em>] <strong>file</strong> <em>FILENAME</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ As above, but send log messages to the listed filename. The\r
+ "Log" option may appear more than once in a configuration file.\r
+ Messages are sent to all the logs that match their severity\r
+ level.\r
+</p>\r
+</dd>\r
+</dl></div>\r
+<div class="paragraph"><p><strong>Log</strong> <strong>[</strong><em>domain</em>,…<strong>]</strong><em>minSeverity</em>[-<em>maxSeverity</em>] … <strong>file</strong> <em>FILENAME</em><br /></p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>Log</strong> <strong>[</strong><em>domain</em>,…<strong>]</strong><em>minSeverity</em>[-<em>maxSeverity</em>] … <strong>stderr</strong>|<strong>stdout</strong>|<strong>syslog</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ As above, but select messages by range of log severity <em>and</em> by a\r
+ set of "logging domains". Each logging domain corresponds to an area of\r
+ functionality inside Tor. You can specify any number of severity ranges\r
+ for a single log statement, each of them prefixed by a comma-separated\r
+ list of logging domains. You can prefix a domain with ~ to indicate\r
+ negation, and use * to indicate "all domains". If you specify a severity\r
+ range without a list of domains, it matches all domains.<br />\r
+<br />\r
+ This is an advanced feature which is most useful for debugging one or two\r
+ of Tor’s subsystems at a time.<br />\r
+<br />\r
+ The currently recognized domains are: general, crypto, net, config, fs,\r
+ protocol, mm, http, app, control, circ, rend, bug, dir, dirserv, or, edge,\r
+ acct, hist, and handshake. Domain names are case-insensitive.<br />\r
+<br />\r
+ For example, "<tt>Log [handshake]debug [~net,~mm]info notice stdout</tt>" sends\r
+ to stdout: all handshake messages of any severity, all info-and-higher\r
+ messages from domains other than networking and memory management, and all\r
+ messages of severity notice or higher.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>LogMessageDomains</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If 1, Tor includes message domains with each log message. Every log\r
+ message currently has at least one domain; most currently have exactly\r
+ one. This doesn’t affect controller log messages. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>OutboundBindAddress</strong> <em>IP</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Make all outbound connections originate from the IP address specified. This\r
+ is only useful when you have multiple network interfaces, and you want all\r
+ of Tor’s outgoing connections to use a single one. This setting will be\r
+ ignored for connections to the loopback addresses (127.0.0.0/8 and ::1).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>PidFile</strong> <em>FILE</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ On startup, write our PID to FILE. On clean shutdown, remove\r
+ FILE.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ProtocolWarnings</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If 1, Tor will log with severity 'warn' various cases of other parties not\r
+ following the Tor specification. Otherwise, they are logged with severity\r
+ 'info'. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RunAsDaemon</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If 1, Tor forks and daemonizes to the background. This option has no effect\r
+ on Windows; instead you should use the --service command-line option.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SafeLogging</strong> <strong>0</strong>|<strong>1</strong>|<strong>relay</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor can scrub potentially sensitive strings from log messages (e.g.\r
+ addresses) by replacing them with the string [scrubbed]. This way logs can\r
+ still be useful, but they don’t leave behind personally identifying\r
+ information about what sites a user might have visited.<br />\r
+<br />\r
+ If this option is set to 0, Tor will not perform any scrubbing, if it is\r
+ set to 1, all potentially sensitive strings are replaced. If it is set to\r
+ relay, all log messages generated when acting as a relay are sanitized, but\r
+ all messages generated when acting as a client are not. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>User</strong> <em>UID</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ On startup, setuid to this user and setgid to their primary group.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HardwareAccel</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, try to use built-in (static) crypto hardware acceleration when\r
+ available. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AccelName</strong> <em>NAME</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When using OpenSSL hardware crypto acceleration attempt to load the dynamic\r
+ engine of this name. This must be used for any dynamic hardware engine.\r
+ Names can be verified with the openssl engine command.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AccelDir</strong> <em>DIR</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Specify this option if using dynamic hardware acceleration and the engine\r
+ implementation library resides somewhere other than the OpenSSL default.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AvoidDiskWrites</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, try to write to disk less frequently than we would otherwise.\r
+ This is useful when running on flash memory or other media that support\r
+ only a limited number of writes. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TunnelDirConns</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, when a directory server we contact supports it, we will build\r
+ a one-hop circuit and make an encrypted connection via its ORPort.\r
+ (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>PreferTunneledDirConns</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, we will avoid directory servers that don’t support tunneled\r
+ directory connections, when possible. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CircuitPriorityHalflife</strong> <em>NUM1</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this value is set, we override the default algorithm for choosing which\r
+ circuit’s cell to deliver or relay next. When the value is 0, we\r
+ round-robin between the active circuits on a connection, delivering one\r
+ cell from each in turn. When the value is positive, we prefer delivering\r
+ cells from whichever connection has the lowest weighted cell count, where\r
+ cells are weighted exponentially according to the supplied\r
+ CircuitPriorityHalflife value (in seconds). If this option is not set at\r
+ all, we use the behavior recommended in the current consensus\r
+ networkstatus. This is an advanced option; you generally shouldn’t have\r
+ to mess with it. (Default: not set.)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_client_options">CLIENT OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The following options are useful only for clients (that is, if\r
+<strong>SocksPort</strong> is non-zero):</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>AllowInvalidNodes</strong> <strong>entry</strong>|<strong>exit</strong>|<strong>middle</strong>|<strong>introduction</strong>|<strong>rendezvous</strong>|<strong>…</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If some Tor servers are obviously not working right, the directory\r
+ authorities can manually mark them as invalid, meaning that it’s not\r
+ recommended you use them for entry or exit positions in your circuits. You\r
+ can opt to use them in some circuit positions, though. The default is\r
+ "middle,rendezvous", and other choices are not advised.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExcludeSingleHopRelays</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ This option controls whether circuits built by Tor will include relays with\r
+ the AllowSingleHopExits flag set to true. If ExcludeSingleHopRelays is set\r
+ to 0, these relays will be included. Note that these relays might be at\r
+ higher risk of being seized or observed, so they are not normally\r
+ included. Also note that relatively few clients turn off this option,\r
+ so using these relays might make your client stand out.\r
+ (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>Bridge</strong> <em>IP</em>:<em>ORPort</em> [fingerprint]\r
+</dt>\r
+<dd>\r
+<p>\r
+ When set along with UseBridges, instructs Tor to use the relay at\r
+ "IP:ORPort" as a "bridge" relaying into the Tor network. If "fingerprint"\r
+ is provided (using the same format as for DirServer), we will verify that\r
+ the relay running at that location has the right fingerprint. We also use\r
+ fingerprint to look up the bridge descriptor at the bridge authority, if\r
+ it’s provided and if UpdateBridgesFromAuthority is set too.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>LearnCircuitBuildTimeout</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If 0, CircuitBuildTimeout adaptive learning is disabled. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CircuitBuildTimeout</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Try for at most NUM seconds when building circuits. If the circuit isn’t\r
+ open in that time, give up on it. If LearnCircuitBuildTimeout is 1, this\r
+ value serves as the initial value to use before a timeout is learned. If\r
+ LearnCircuitBuildTimeout is 0, this value is the only value used.\r
+ (Default: 60 seconds.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CircuitIdleTimeout</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If we have kept a clean (never used) circuit around for NUM seconds, then\r
+ close it. This way when the Tor client is entirely idle, it can expire all\r
+ of its circuits, and then expire its TLS connections. Also, if we end up\r
+ making a circuit that is not useful for exiting any of the requests we’re\r
+ receiving, it won’t forever take up a slot in the circuit list. (Default: 1\r
+ hour.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CircuitStreamTimeout</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, this option overrides our internal timeout schedule for how\r
+ many seconds until we detach a stream from a circuit and try a new circuit.\r
+ If your network is particularly slow, you might want to set this to a\r
+ number like 60. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ClientOnly</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor will under no circumstances run as a server or serve\r
+ directory requests. The default is to run as a client unless ORPort is\r
+ configured. (Usually, you don’t need to set this; Tor is pretty smart at\r
+ figuring out whether you are reliable and high-bandwidth enough to be a\r
+ useful server.) (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExcludeNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of identity fingerprints, nicknames, country codes and address\r
+ patterns of nodes to avoid when building a circuit.\r
+ (Example:\r
+ ExcludeNodes SlowServer, ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc}, 255.254.0.0/8)<br />\r
+<br />\r
+ By default, this option is treated as a preference that Tor is allowed\r
+ to override in order to keep working.\r
+ For example, if you try to connect to a hidden service,\r
+ but you have excluded all of the hidden service’s introduction points,\r
+ Tor will connect to one of them anyway. If you do not want this\r
+ behavior, set the StrictNodes option (documented below). <br />\r
+<br />\r
+ Note also that if you are a relay, this (and the other node selection\r
+ options below) only affects your own circuits that Tor builds for you.\r
+ Clients can still build circuits through you to any node. Controllers\r
+ can tell Tor to build circuits through any node.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExcludeExitNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of identity fingerprints, nicknames, country codes and address\r
+ patterns of nodes to never use when picking an exit node---that is, a\r
+ node that delivers traffic for you outside the Tor network. Note that any\r
+ node listed in ExcludeNodes is automatically considered to be part of this\r
+ list too. See also the caveats on the "ExitNodes" option below.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExitNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of identity fingerprints, nicknames, country codes and address\r
+ patterns of nodes to use as exit node---that is, a\r
+ node that delivers traffic for you outside the Tor network.<br />\r
+<br />\r
+ Note that if you list too few nodes here, or if you exclude too many exit\r
+ nodes with ExcludeExitNodes, you can degrade functionality. For example,\r
+ if none of the exits you list allows traffic on port 80 or 443, you won’t\r
+ be able to browse the web.<br />\r
+<br />\r
+ Note also that not every circuit is used to deliver traffic outside of\r
+ the Tor network. It is normal to see non-exit circuits (such as those\r
+ used to connect to hidden services, those that do directory fetches,\r
+ those used for relay reachability self-tests, and so on) that end\r
+ at a non-exit node. To\r
+ keep a node from being used entirely, see ExcludeNodes and StrictNodes.<br />\r
+<br />\r
+ The ExcludeNodes option overrides this option: any node listed in both\r
+ ExitNodes and ExcludeNodes is treated as excluded.<br />\r
+<br />\r
+ The .exit address notation, if enabled via AllowDotExit, overrides\r
+ this option.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>EntryNodes</strong> <em>node</em>,<em>node</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of identity fingerprints and nicknames of nodes\r
+ to use for the first hop in your normal circuits. (Country codes and\r
+ address patterns are not yet supported.) Normal circuits include all\r
+ circuits except for direct connections to directory servers. The Bridge\r
+ option overrides this option; if you have configured bridges and\r
+ UseBridges is 1, the Bridges are used as your entry nodes.<br />\r
+<br />\r
+ The ExcludeNodes option overrides this option: any node listed in both\r
+ EntryNodes and ExcludeNodes is treated as excluded.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>StrictNodes</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If StrictNodes is set to 1, Tor will treat the ExcludeNodes option as a\r
+ requirement to follow for all the circuits you generate, even if doing so\r
+ will break functionality for you. If StrictNodes is set to 0, Tor will\r
+ still try to avoid nodes in the ExcludeNodes list, but it will err on the\r
+ side of avoiding unexpected errors. Specifically, StrictNodes 0 tells\r
+ Tor that it is okay to use an excluded node when it is <strong>necessary</strong> to\r
+ perform relay reachability self-tests, connect to\r
+ a hidden service, provide a hidden service to a client, fulfill a .exit\r
+ request, upload directory information, or download directory information.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FascistFirewall</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If 1, Tor will only create outgoing connections to ORs running on ports\r
+ that your firewall allows (defaults to 80 and 443; see <strong>FirewallPorts</strong>).\r
+ This will allow you to run Tor as a client behind a firewall with\r
+ restrictive policies, but will not allow you to run as a server behind such\r
+ a firewall. If you prefer more fine-grained control, use\r
+ ReachableAddresses instead.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FirewallPorts</strong> <em>PORTS</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of ports that your firewall allows you to connect to. Only used when\r
+ <strong>FascistFirewall</strong> is set. This option is deprecated; use ReachableAddresses\r
+ instead. (Default: 80, 443)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HidServAuth</strong> <em>onion-address</em> <em>auth-cookie</em> [<em>service-name</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Client authorization for a hidden service. Valid onion addresses contain 16\r
+ characters in a-z2-7 plus ".onion", and valid auth cookies contain 22\r
+ characters in A-Za-z0-9+/. The service name is only used for internal\r
+ purposes, e.g., for Tor controllers. This option may be used multiple times\r
+ for different hidden services. If a hidden service uses authorization and\r
+ this option is not set, the hidden service is not accessible. Hidden\r
+ services can be configured to require authorization using the\r
+ <strong>HiddenServiceAuthorizeClient</strong> option.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ReachableAddresses</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]…\r
+</dt>\r
+<dd>\r
+<p>\r
+ A comma-separated list of IP addresses and ports that your firewall allows\r
+ you to connect to. The format is as for the addresses in ExitPolicy, except\r
+ that "accept" is understood unless "reject" is explicitly provided. For\r
+ example, 'ReachableAddresses 99.0.0.0/8, reject 18.0.0.0/8:80, accept\r
+ *:80' means that your firewall allows connections to everything inside net\r
+ 99, rejects port 80 connections to net 18, and accepts connections to port\r
+ 80 otherwise. (Default: 'accept *:*'.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ReachableDirAddresses</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]…\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like <strong>ReachableAddresses</strong>, a list of addresses and ports. Tor will obey\r
+ these restrictions when fetching directory information, using standard HTTP\r
+ GET requests. If not set explicitly then the value of\r
+ <strong>ReachableAddresses</strong> is used. If <strong>HTTPProxy</strong> is set then these\r
+ connections will go through that proxy.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ReachableORAddresses</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]…\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like <strong>ReachableAddresses</strong>, a list of addresses and ports. Tor will obey\r
+ these restrictions when connecting to Onion Routers, using TLS/SSL. If not\r
+ set explicitly then the value of <strong>ReachableAddresses</strong> is used. If\r
+ <strong>HTTPSProxy</strong> is set then these connections will go through that proxy.<br />\r
+<br />\r
+ The separation between <strong>ReachableORAddresses</strong> and\r
+ <strong>ReachableDirAddresses</strong> is only interesting when you are connecting\r
+ through proxies (see <strong>HTTPProxy</strong> and <strong>HTTPSProxy</strong>). Most proxies limit\r
+ TLS connections (which Tor uses to connect to Onion Routers) to port 443,\r
+ and some limit HTTP GET requests (which Tor uses for fetching directory\r
+ information) to port 80.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>LongLivedPorts</strong> <em>PORTS</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of ports for services that tend to have long-running connections\r
+ (e.g. chat and interactive shells). Circuits for streams that use these\r
+ ports will contain only high-uptime nodes, to reduce the chance that a node\r
+ will go down before the stream is finished. (Default: 21, 22, 706, 1863,\r
+ 5050, 5190, 5222, 5223, 6667, 6697, 8300)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>MapAddress</strong> <em>address</em> <em>newaddress</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When a request for address arrives to Tor, it will rewrite it to newaddress\r
+ before processing it. For example, if you always want connections to\r
+ www.indymedia.org to exit via <em>torserver</em> (where <em>torserver</em> is the\r
+ nickname of the server), use "MapAddress www.indymedia.org\r
+ www.indymedia.org.torserver.exit".\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NewCircuitPeriod</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Every NUM seconds consider whether to build a new circuit. (Default: 30\r
+ seconds)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>MaxCircuitDirtiness</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Feel free to reuse a circuit that was first used at most NUM seconds ago,\r
+ but never attach a new stream to a circuit that is too old. (Default: 10\r
+ minutes)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NodeFamily</strong> <em>node</em>,<em>node</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The Tor servers, defined by their identity fingerprints or nicknames,\r
+ constitute a "family" of similar or co-administered servers, so never use\r
+ any two of them in the same circuit. Defining a NodeFamily is only needed\r
+ when a server doesn’t list the family itself (with MyFamily). This option\r
+ can be used multiple times.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>EnforceDistinctSubnets</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If 1, Tor will not put two servers whose IP addresses are "too close" on\r
+ the same circuit. Currently, two addresses are "too close" if they lie in\r
+ the same /16 range. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SocksPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Advertise this port to listen for connections from Socks-speaking\r
+ applications. Set this to 0 if you don’t want to allow application\r
+ connections via SOCKS. Set it to "auto" to have Tor pick a port for\r
+ you. (Default: 9050)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SocksListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind to this address to listen for connections from Socks-speaking\r
+ applications. (Default: 127.0.0.1) You can also specify a port (e.g.\r
+ 192.168.0.1:9100). This directive can be specified multiple times to bind\r
+ to multiple addresses/ports.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SocksPolicy</strong> <em>policy</em>,<em>policy</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Set an entrance policy for this server, to limit who can connect to the\r
+ SocksPort and DNSPort ports. The policies have the same form as exit\r
+ policies below.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SocksTimeout</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Let a socks connection wait NUM seconds handshaking, and NUM seconds\r
+ unattached waiting for an appropriate circuit, before we fail it. (Default:\r
+ 2 minutes.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TrackHostExits</strong> <em>host</em>,<em>.domain</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ For each value in the comma separated list, Tor will track recent\r
+ connections to hosts that match this value and attempt to reuse the same\r
+ exit node for each. If the value is prepended with a '.', it is treated as\r
+ matching an entire domain. If one of the values is just a '.', it means\r
+ match everything. This option is useful if you frequently connect to sites\r
+ that will expire all your authentication cookies (i.e. log you out) if\r
+ your IP address changes. Note that this option does have the disadvantage\r
+ of making it more clear that a given history is associated with a single\r
+ user. However, most people who would wish to observe this will observe it\r
+ through cookies or other protocol-specific means anyhow.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TrackHostExitsExpire</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Since exit servers go up and down, it is desirable to expire the\r
+ association between host and exit server after NUM seconds. The default is\r
+ 1800 seconds (30 minutes).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>UpdateBridgesFromAuthority</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When set (along with UseBridges), Tor will try to fetch bridge descriptors\r
+ from the configured bridge authorities when feasible. It will fall back to\r
+ a direct request if the authority responds with a 404. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>UseBridges</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When set, Tor will fetch descriptors for each bridge listed in the "Bridge"\r
+ config lines, and use these relays as both entry guards and directory\r
+ guards. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>UseEntryGuards</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is set to 1, we pick a few long-term entry servers, and try\r
+ to stick with them. This is desirable because constantly changing servers\r
+ increases the odds that an adversary who owns some servers will observe a\r
+ fraction of your paths. (Defaults to 1.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NumEntryGuards</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If UseEntryGuards is set to 1, we will try to pick a total of NUM routers\r
+ as long-term entries for our circuits. (Defaults to 3.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SafeSocks</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor will reject application connections that\r
+ use unsafe variants of the socks protocol — ones that only provide an IP\r
+ address, meaning the application is doing a DNS resolve first.\r
+ Specifically, these are socks4 and socks5 when not doing remote DNS.\r
+ (Defaults to 0.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TestSocks</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor will make a notice-level log entry for\r
+ each connection to the Socks port indicating whether the request used a\r
+ safe socks protocol or an unsafe one (see above entry on SafeSocks). This\r
+ helps to determine whether an application using Tor is possibly leaking\r
+ DNS requests. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>WarnUnsafeSocks</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor will warn whenever a request is\r
+ received that only contains an IP address instead of a hostname. Allowing\r
+ applications to do DNS resolves themselves is usually a bad idea and\r
+ can leak your location to attackers. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>VirtualAddrNetwork</strong> <em>Address</em>/<em>bits</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When Tor needs to assign a virtual (unused) address because of a MAPADDRESS\r
+ command from the controller or the AutomapHostsOnResolve feature, Tor\r
+ picks an unassigned address from this range. (Default:\r
+ 127.192.0.0/10)<br />\r
+<br />\r
+ When providing proxy server service to a network of computers using a tool\r
+ like dns-proxy-tor, change this address to "10.192.0.0/10" or\r
+ "172.16.0.0/12". The default <strong>VirtualAddrNetwork</strong> address range on a\r
+ properly configured machine will route to the loopback interface. For\r
+ local use, no change to the default VirtualAddrNetwork setting is needed.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AllowNonRFC953Hostnames</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is disabled, Tor blocks hostnames containing illegal\r
+ characters (like @ and :) rather than sending them to an exit node to be\r
+ resolved. This helps trap accidental attempts to resolve URLs and so on.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AllowDotExit</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If enabled, we convert "www.google.com.foo.exit" addresses on the\r
+ SocksPort/TransPort/NATDPort into "www.google.com" addresses that exit from\r
+ the node "foo". Disabled by default since attacking websites and exit\r
+ relays can use it to manipulate your path selection. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FastFirstHopPK</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is disabled, Tor uses the public key step for the first\r
+ hop of creating circuits. Skipping it is generally safe since we have\r
+ already used TLS to authenticate the relay and to establish forward-secure\r
+ keys. Turning this option off makes circuit building slower.<br />\r
+<br />\r
+ Note that Tor will always use the public key step for the first hop if it’s\r
+ operating as a relay, and it will never use the public key step if it\r
+ doesn’t yet know the onion key of the first hop. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TransPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, enables transparent proxy support on <em>PORT</em> (by convention,\r
+ 9040). Requires OS support for transparent proxies, such as BSDs' pf or\r
+ Linux’s IPTables. If you’re planning to use Tor as a transparent proxy for\r
+ a network, you’ll want to examine and change VirtualAddrNetwork from the\r
+ default setting. You’ll also want to set the TransListenAddress option for\r
+ the network you’d like to proxy. Set it to "auto" to have Tor pick a\r
+ port for you. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TransListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind to this address to listen for transparent proxy connections. (Default:\r
+ 127.0.0.1). This is useful for exporting a transparent proxy server to an\r
+ entire network.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NATDPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Allow old versions of ipfw (as included in old versions of FreeBSD, etc.)\r
+ to send connections through Tor using the NATD protocol. This option is\r
+ only for people who cannot use TransPort. Set it to "auto" to have Tor\r
+ pick a port for you. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NATDListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind to this address to listen for NATD connections. (Default: 127.0.0.1).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AutomapHostsOnResolve</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, and we get a request to resolve an address\r
+ that ends with one of the suffixes in <strong>AutomapHostsSuffixes</strong>, we map an\r
+ unused virtual address to that address, and return the new virtual address.\r
+ This is handy for making ".onion" addresses work with applications that\r
+ resolve an address and then connect to it. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AutomapHostsSuffixes</strong> <em>SUFFIX</em>,<em>SUFFIX</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A comma-separated list of suffixes to use with <strong>AutomapHostsOnResolve</strong>.\r
+ The "." suffix is equivalent to "all addresses." (Default: .exit,.onion).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DNSPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If non-zero, Tor listens for UDP DNS requests on this port and resolves\r
+ them anonymously. Set it to "auto" to have Tor pick a port for\r
+ you. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DNSListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind to this address to listen for DNS connections. (Default: 127.0.0.1).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ClientDNSRejectInternalAddresses</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If true, Tor does not believe any anonymously retrieved DNS answer that\r
+ tells it that an address resolves to an internal address (like 127.0.0.1 or\r
+ 192.168.0.1). This option prevents certain browser-based attacks; don’t\r
+ turn it off unless you know what you’re doing. (Default: 1).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ClientRejectInternalAddresses</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If true, Tor does not try to fulfill requests to connect to an internal\r
+ address (like 127.0.0.1 or 192.168.0.1) <em>unless a exit node is\r
+ specifically requested</em> (for example, via a .exit hostname, or a\r
+ controller request). (Default: 1).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DownloadExtraInfo</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If true, Tor downloads and caches "extra-info" documents. These documents\r
+ contain information about servers other than the information in their\r
+ regular router descriptors. Tor does not use this information for anything\r
+ itself; to save bandwidth, leave this option turned off. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FallbackNetworkstatusFile</strong> <em>FILENAME</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If Tor doesn’t have a cached networkstatus file, it starts out using this\r
+ one instead. Even if this file is out of date, Tor can still use it to\r
+ learn about directory mirrors, so it doesn’t need to put load on the\r
+ authorities. (Default: None).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>WarnPlaintextPorts</strong> <em>port</em>,<em>port</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tells Tor to issue a warnings whenever the user tries to make an anonymous\r
+ connection to one of these ports. This option is designed to alert users\r
+ to services that risk sending passwords in the clear. (Default:\r
+ 23,109,110,143).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RejectPlaintextPorts</strong> <em>port</em>,<em>port</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like WarnPlaintextPorts, but instead of warning about risky port uses, Tor\r
+ will instead refuse to make the connection. (Default: None).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AllowSingleHopCircuits</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set, the attached Tor controller can use relays\r
+ that have the <strong>AllowSingleHopExits</strong> option turned on to build\r
+ one-hop Tor connections. (Default: 0)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_server_options">SERVER OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The following options are useful only for servers (that is, if ORPort\r
+is non-zero):</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>Address</strong> <em>address</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The IP address or fully qualified domain name of this server (e.g.\r
+ moria.mit.edu). You can leave this unset, and Tor will guess your IP\r
+ address. This IP address is the one used to tell clients and other\r
+ servers where to find your Tor server; it doesn’t affect the IP that your\r
+ Tor client binds to. To bind to a different address, use the\r
+ *ListenAddress and OutboundBindAddress options.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AllowSingleHopExits</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ This option controls whether clients can use this server as a single hop\r
+ proxy. If set to 1, clients can use this server as an exit even if it is\r
+ the only hop in the circuit. Note that most clients will refuse to use\r
+ servers that set this option, since most clients have\r
+ ExcludeSingleHopRelays set. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AssumeReachable</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ This option is used when bootstrapping a new Tor network. If set to 1,\r
+ don’t do self-reachability testing; just upload your server descriptor\r
+ immediately. If <strong>AuthoritativeDirectory</strong> is also set, this option\r
+ instructs the dirserver to bypass remote reachability testing too and list\r
+ all connected servers as running.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>BridgeRelay</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Sets the relay to act as a "bridge" with respect to relaying connections\r
+ from bridge users to the Tor network. It mainly causes Tor to publish a\r
+ server descriptor to the bridge database, rather than publishing a relay\r
+ descriptor to the public directory authorities.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ContactInfo</strong> <em>email_address</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Administrative contact information for server. This line might get picked\r
+ up by spam harvesters, so you may want to obscure the fact that it’s an\r
+ email address.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExitPolicy</strong> <em>policy</em>,<em>policy</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Set an exit policy for this server. Each policy is of the form\r
+ "<strong>accept</strong>|<strong>reject</strong> <em>ADDR</em>[/<em>MASK</em>][:<em>PORT</em>]". If /<em>MASK</em> is\r
+ omitted then this policy just applies to the host given. Instead of giving\r
+ a host or network you can also use "*" to denote the universe (0.0.0.0/0).\r
+ <em>PORT</em> can be a single port number, an interval of ports\r
+ "<em>FROM_PORT</em>-<em>TO_PORT</em>", or "*". If <em>PORT</em> is omitted, that means\r
+ "*".<br />\r
+<br />\r
+ For example, "accept 18.7.22.69:*,reject 18.0.0.0/8:*,accept *:*" would\r
+ reject any traffic destined for MIT except for web.mit.edu, and accept\r
+ anything else.<br />\r
+<br />\r
+ To specify all internal and link-local networks (including 0.0.0.0/8,\r
+ 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, and\r
+ 172.16.0.0/12), you can use the "private" alias instead of an address.\r
+ These addresses are rejected by default (at the beginning of your exit\r
+ policy), along with your public IP address, unless you set the\r
+ ExitPolicyRejectPrivate config option to 0. For example, once you’ve done\r
+ that, you could allow HTTP to 127.0.0.1 and block all other connections to\r
+ internal networks with "accept 127.0.0.1:80,reject private:*", though that\r
+ may also allow connections to your own computer that are addressed to its\r
+ public (external) IP address. See RFC 1918 and RFC 3330 for more details\r
+ about internal and reserved IP address space.<br />\r
+<br />\r
+ This directive can be specified multiple times so you don’t have to put it\r
+ all on one line.<br />\r
+<br />\r
+ Policies are considered first to last, and the first match wins. If you\r
+ want to _replace_ the default exit policy, end your exit policy with\r
+ either a reject *:* or an accept *:*. Otherwise, you’re _augmenting_\r
+ (prepending to) the default exit policy. The default exit policy is:<br />\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><tt>reject *:25\r
+reject *:119\r
+reject *:135-139\r
+reject *:445\r
+reject *:563\r
+reject *:1214\r
+reject *:4661-4666\r
+reject *:6346-6429\r
+reject *:6699\r
+reject *:6881-6999\r
+accept *:*</tt></pre>\r
+</div></div>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExitPolicyRejectPrivate</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Reject all private (local) networks, along with your own public IP address,\r
+ at the beginning of your exit policy. See above entry on ExitPolicy.\r
+ (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>MaxOnionsPending</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If you have more than this number of onionskins queued for decrypt, reject\r
+ new ones. (Default: 100)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>MyFamily</strong> <em>node</em>,<em>node</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Declare that this Tor server is controlled or administered by a group or\r
+ organization identical or similar to that of the other servers, defined by\r
+ their identity fingerprints or nicknames. When two servers both declare\r
+ that they are in the same 'family', Tor clients will not use them in the\r
+ same circuit. (Each server only needs to list the other servers in its\r
+ family; it doesn’t need to list itself, but it won’t hurt.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>Nickname</strong> <em>name</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Set the server’s nickname to 'name'. Nicknames must be between 1 and 19\r
+ characters inclusive, and must contain only the characters [a-zA-Z0-9].\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NumCPUs</strong> <em>num</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ How many processes to use at once for decrypting onionskins. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ORPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Advertise this port to listen for connections from Tor clients and\r
+ servers. This option is required to be a Tor server.\r
+ Set it to "auto" to have Tor pick a port for you. (Default: 0).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ORListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind to this IP address to listen for connections from Tor clients and\r
+ servers. If you specify a port, bind to this port rather than the one\r
+ specified in ORPort. (Default: 0.0.0.0) This directive can be specified\r
+ multiple times to bind to multiple addresses/ports.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>PublishServerDescriptor</strong> <strong>0</strong>|<strong>1</strong>|<strong>v1</strong>|<strong>v2</strong>|<strong>v3</strong>|<strong>bridge</strong>,<strong>…</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ This option specifies which descriptors Tor will publish when acting as\r
+ a relay. You can\r
+ choose multiple arguments, separated by commas.\r
+<br />\r
+ If this option is set to 0, Tor will not publish its\r
+ descriptors to any directories. (This is useful if you’re testing\r
+ out your server, or if you’re using a Tor controller that handles directory\r
+ publishing for you.) Otherwise, Tor will publish its descriptors of all\r
+ type(s) specified. The default is "1",\r
+ which means "if running as a server, publish the\r
+ appropriate descriptors to the authorities".\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ShutdownWaitLength</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When we get a SIGINT and we’re a server, we begin shutting down:\r
+ we close listeners and start refusing new circuits. After <strong>NUM</strong>\r
+ seconds, we exit. If we get a second SIGINT, we exit immedi-\r
+ ately. (Default: 30 seconds)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AccountingMax</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>|<strong>TB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Never send more than the specified number of bytes in a given accounting\r
+ period, or receive more than that number in the period. For example, with\r
+ AccountingMax set to 1 GB, a server could send 900 MB and receive 800 MB\r
+ and continue running. It will only hibernate once one of the two reaches 1\r
+ GB. When the number of bytes gets low, Tor will stop accepting new\r
+ connections and circuits. When the number of bytes\r
+ is exhausted, Tor will hibernate until some\r
+ time in the next accounting period. To prevent all servers from waking at\r
+ the same time, Tor will also wait until a random point in each period\r
+ before waking up. If you have bandwidth cost issues, enabling hibernation\r
+ is preferable to setting a low bandwidth, since it provides users with a\r
+ collection of fast servers that are up some of the time, which is more\r
+ useful than a set of slow servers that are always "available".\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AccountingStart</strong> <strong>day</strong>|<strong>week</strong>|<strong>month</strong> [<em>day</em>] <em>HH:MM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Specify how long accounting periods last. If <strong>month</strong> is given, each\r
+ accounting period runs from the time <em>HH:MM</em> on the <em>dayth</em> day of one\r
+ month to the same day and time of the next. (The day must be between 1 and\r
+ 28.) If <strong>week</strong> is given, each accounting period runs from the time <em>HH:MM</em>\r
+ of the <em>dayth</em> day of one week to the same day and time of the next week,\r
+ with Monday as day 1 and Sunday as day 7. If <strong>day</strong> is given, each\r
+ accounting period runs from the time <em>HH:MM</em> each day to the same time on\r
+ the next day. All times are local, and given in 24-hour time. (Defaults to\r
+ "month 1 0:00".)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RefuseUnknownExits</strong> <strong>0</strong>|<strong>1</strong>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Prevent nodes that don’t appear in the consensus from exiting using this\r
+ relay. If the option is 1, we always block exit attempts from such\r
+ nodes; if it’s 0, we never do, and if the option is "auto", then we do\r
+ whatever the authorities suggest in the consensus. (Defaults to auto.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSResolvConfFile</strong> <em>filename</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Overrides the default DNS configuration with the configuration in\r
+ <em>filename</em>. The file format is the same as the standard Unix\r
+ "<strong>resolv.conf</strong>" file (7). This option, like all other ServerDNS options,\r
+ only affects name lookups that your server does on behalf of clients.\r
+ (Defaults to use the system DNS configuration.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSAllowBrokenConfig</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is false, Tor exits immediately if there are problems\r
+ parsing the system DNS configuration or connecting to nameservers.\r
+ Otherwise, Tor continues to periodically retry the system nameservers until\r
+ it eventually succeeds. (Defaults to "1".)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSSearchDomains</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, then we will search for addresses in the local search domain.\r
+ For example, if this system is configured to believe it is in\r
+ "example.com", and a client tries to connect to "www", the client will be\r
+ connected to "www.example.com". This option only affects name lookups that\r
+ your server does on behalf of clients. (Defaults to "0".)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSDetectHijacking</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set to 1, we will test periodically to determine\r
+ whether our local nameservers have been configured to hijack failing DNS\r
+ requests (usually to an advertising site). If they are, we will attempt to\r
+ correct this. This option only affects name lookups that your server does\r
+ on behalf of clients. (Defaults to "1".)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSTestAddresses</strong> <em>address</em>,<em>address</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When we’re detecting DNS hijacking, make sure that these <em>valid</em> addresses\r
+ aren’t getting redirected. If they are, then our DNS is completely useless,\r
+ and we’ll reset our exit policy to "reject <strong>:</strong>". This option only affects\r
+ name lookups that your server does on behalf of clients. (Defaults to\r
+ "www.google.com, www.mit.edu, www.yahoo.com, www.slashdot.org".)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSAllowNonRFC953Hostnames</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is disabled, Tor does not try to resolve hostnames\r
+ containing illegal characters (like @ and :) rather than sending them to an\r
+ exit node to be resolved. This helps trap accidental attempts to resolve\r
+ URLs and so on. This option only affects name lookups that your server does\r
+ on behalf of clients. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>BridgeRecordUsageByCountry</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled and BridgeRelay is also enabled, and we have\r
+ GeoIP data, Tor keeps a keep a per-country count of how many client\r
+ addresses have contacted it so that it can help the bridge authority guess\r
+ which countries have blocked access to it. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ServerDNSRandomizeCase</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set, Tor sets the case of each character randomly in\r
+ outgoing DNS requests, and makes sure that the case matches in DNS replies.\r
+ This so-called "0x20 hack" helps resist some types of DNS poisoning attack.\r
+ For more information, see "Increased DNS Forgery Resistance through\r
+ 0x20-Bit Encoding". This option only affects name lookups that your server\r
+ does on behalf of clients. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>GeoIPFile</strong> <em>filename</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A filename containing GeoIP data, for use with BridgeRecordUsageByCountry.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>CellStatistics</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor writes statistics on the mean time that\r
+ cells spend in circuit queues to disk every 24 hours. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirReqStatistics</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor writes statistics on the number and\r
+ response time of network status requests to disk every 24 hours.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>EntryStatistics</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor writes statistics on the number of\r
+ directly connecting clients to disk every 24 hours. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExitPortStatistics</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor writes statistics on the number of relayed\r
+ bytes and opened stream per exit port to disk every 24 hours. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ExtraInfoStatistics</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is enabled, Tor includes previously gathered statistics in\r
+ its extra-info documents that it uploads to the directory authorities.\r
+ (Default: 0)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_directory_server_options">DIRECTORY SERVER OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The following options are useful only for directory servers (that is,\r
+if DirPort is non-zero):</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set to 1, Tor operates as an authoritative directory\r
+ server. Instead of caching the directory, it generates its own list of\r
+ good servers, signs it, and sends that to the clients. Unless the clients\r
+ already have you listed as a trusted directory, you probably do not want\r
+ to set this option. Please coordinate with the other admins at\r
+ <a href="mailto:tor-ops@torproject.org">tor-ops@torproject.org</a> if you think you should be a directory.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirPortFrontPage</strong> <em>FILENAME</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set, it takes an HTML file and publishes it as "/" on\r
+ the DirPort. Now relay operators can provide a disclaimer without needing\r
+ to set up a separate webserver. There’s a sample disclaimer in\r
+ contrib/tor-exit-notice.html.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V1AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor\r
+ generates version 1 directory and running-routers documents (for legacy\r
+ Tor clients up to 0.1.0.x).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V2AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor\r
+ generates version 2 network statuses and serves descriptors, etc as\r
+ described in doc/spec/dir-spec-v2.txt (for Tor clients and servers running\r
+ 0.1.1.x and 0.1.2.x).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3AuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor\r
+ generates version 3 network statuses and serves descriptors, etc as\r
+ described in doc/spec/dir-spec.txt (for Tor clients and servers running at\r
+ least 0.2.0.x).\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>VersioningAuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set to 1, Tor adds information on which versions of\r
+ Tor are still believed safe for use to the published directory. Each\r
+ version 1 authority is automatically a versioning authority; version 2\r
+ authorities provide this service optionally. See <strong>RecommendedVersions</strong>,\r
+ <strong>RecommendedClientVersions</strong>, and <strong>RecommendedServerVersions</strong>.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>NamingAuthoritativeDirectory</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set to 1, then the server advertises that it has\r
+ opinions about nickname-to-fingerprint bindings. It will include these\r
+ opinions in its published network-status pages, by listing servers with\r
+ the flag "Named" if a correct binding between that nickname and fingerprint\r
+ has been registered with the dirserver. Naming dirservers will refuse to\r
+ accept or publish descriptors that contradict a registered binding. See\r
+ <strong>approved-routers</strong> in the <strong>FILES</strong> section below.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HSAuthoritativeDir</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor also\r
+ accepts and serves v0 hidden service descriptors,\r
+ which are produced and used by Tor 0.2.1.x and older. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HidServDirectoryV2</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set, Tor accepts and serves v2 hidden service\r
+ descriptors. Setting DirPort is not required for this, because clients\r
+ connect via the ORPort by default. (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>BridgeAuthoritativeDir</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor\r
+ accepts and serves router descriptors, but it caches and serves the main\r
+ networkstatus documents rather than generating its own. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>MinUptimeHidServDirectoryV2</strong> <em>N</em> <strong>seconds</strong>|<strong>minutes</strong>|<strong>hours</strong>|<strong>days</strong>|<strong>weeks</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Minimum uptime of a v2 hidden service directory to be accepted as such by\r
+ authoritative directories. (Default: 25 hours)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirPort</strong> <em>PORT</em>|<strong>auto</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this option is nonzero, advertise the directory service on this port.\r
+ Set it to "auto" to have Tor pick a port for you. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirListenAddress</strong> <em>IP</em>[:<em>PORT</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Bind the directory service to this address. If you specify a port, bind to\r
+ this port rather than the one specified in DirPort. (Default: 0.0.0.0)\r
+ This directive can be specified multiple times to bind to multiple\r
+ addresses/ports.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirPolicy</strong> <em>policy</em>,<em>policy</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Set an entrance policy for this server, to limit who can connect to the\r
+ directory ports. The policies have the same form as exit policies above.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>FetchV2Networkstatus</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, we try to fetch the (obsolete, unused) version 2 network status\r
+ consensus documents from the directory authorities. No currently\r
+ supported Tor version uses them. (Default: 0.)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_directory_authority_server_options">DIRECTORY AUTHORITY SERVER OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>RecommendedVersions</strong> <em>STRING</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ STRING is a comma-separated list of Tor versions currently believed to be\r
+ safe. The list is included in each directory, and nodes which pull down the\r
+ directory learn whether they need to upgrade. This option can appear\r
+ multiple times: the values from multiple lines are spliced together. When\r
+ this is set then <strong>VersioningAuthoritativeDirectory</strong> should be set too.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RecommendedClientVersions</strong> <em>STRING</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ STRING is a comma-separated list of Tor versions currently believed to be\r
+ safe for clients to use. This information is included in version 2\r
+ directories. If this is not set then the value of <strong>RecommendedVersions</strong>\r
+ is used. When this is set then <strong>VersioningAuthoritativeDirectory</strong> should\r
+ be set too.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RecommendedServerVersions</strong> <em>STRING</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ STRING is a comma-separated list of Tor versions currently believed to be\r
+ safe for servers to use. This information is included in version 2\r
+ directories. If this is not set then the value of <strong>RecommendedVersions</strong>\r
+ is used. When this is set then <strong>VersioningAuthoritativeDirectory</strong> should\r
+ be set too.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>ConsensusParams</strong> <em>STRING</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ STRING is a space-separated list of key=value pairs that Tor will include\r
+ in the "params" line of its networkstatus vote.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>DirAllowPrivateAddresses</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor will accept router descriptors with arbitrary "Address"\r
+ elements. Otherwise, if the address is not an IP address or is a private IP\r
+ address, it will reject the router descriptor. Defaults to 0.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirBadDir</strong> <em>AddressPattern…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. A set of address patterns for servers that\r
+ will be listed as bad directories in any network status document this\r
+ authority publishes, if <strong>AuthDirListBadDirs</strong> is set.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirBadExit</strong> <em>AddressPattern…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. A set of address patterns for servers that\r
+ will be listed as bad exits in any network status document this authority\r
+ publishes, if <strong>AuthDirListBadExits</strong> is set.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirInvalid</strong> <em>AddressPattern…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. A set of address patterns for servers that\r
+ will never be listed as "valid" in any network status document that this\r
+ authority publishes.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirReject</strong> <em>AddressPattern</em>…\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. A set of address patterns for servers that\r
+ will never be listed at all in any network status document that this\r
+ authority publishes, or accepted as an OR address in any descriptor\r
+ submitted for publication by this authority.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirListBadDirs</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. If set to 1, this directory has some\r
+ opinion about which nodes are unsuitable as directory caches. (Do not set\r
+ this to 1 unless you plan to list non-functioning directories as bad;\r
+ otherwise, you are effectively voting in favor of every declared\r
+ directory.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirListBadExits</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. If set to 1, this directory has some\r
+ opinion about which nodes are unsuitable as exit nodes. (Do not set this to\r
+ 1 unless you plan to list non-functioning exits as bad; otherwise, you are\r
+ effectively voting in favor of every declared exit as an exit.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirRejectUnlisted</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. If set to 1, the directory server rejects\r
+ all uploaded server descriptors that aren’t explicitly listed in the\r
+ fingerprints file. This acts as a "panic button" if we get hit with a Sybil\r
+ attack. (Default: 0)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirMaxServersPerAddr</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. The maximum number of servers that we will\r
+ list as acceptable on a single IP address. Set this to "0" for "no limit".\r
+ (Default: 2)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirMaxServersPerAuthAddr</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. Like AuthDirMaxServersPerAddr, but applies\r
+ to addresses shared with directory authorities. (Default: 5)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirFastGuarantee</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. If non-zero, always vote the\r
+ Fast flag for any relay advertising this amount of capacity or\r
+ more. (Default: 20 KB)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>AuthDirGuardBWGuarantee</strong> <em>N</em> <strong>bytes</strong>|<strong>KB</strong>|<strong>MB</strong>|<strong>GB</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authoritative directories only. If non-zero, this advertised capacity\r
+ or more is always sufficient to satisfy the bandwidth requirement\r
+ for the Guard flag. (Default: 250 KB)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>BridgePassword</strong> <em>Password</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, contains an HTTP authenticator that tells a bridge authority to\r
+ serve all requested bridge information. Used for debugging. (Default:\r
+ not set.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3AuthVotingInterval</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ V3 authoritative directories only. Configures the server’s preferred voting\r
+ interval. Note that voting will <em>actually</em> happen at an interval chosen\r
+ by consensus from all the authorities' preferred intervals. This time\r
+ SHOULD divide evenly into a day. (Default: 1 hour)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3AuthVoteDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ V3 authoritative directories only. Configures the server’s preferred delay\r
+ between publishing its vote and assuming it has all the votes from all the\r
+ other authorities. Note that the actual time used is not the server’s\r
+ preferred time, but the consensus of all preferences. (Default: 5 minutes.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3AuthDistDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ V3 authoritative directories only. Configures the server’s preferred delay\r
+ between publishing its consensus and signature and assuming it has all the\r
+ signatures from all the other authorities. Note that the actual time used\r
+ is not the server’s preferred time, but the consensus of all preferences.\r
+ (Default: 5 minutes.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3AuthNIntervalsValid</strong> <em>NUM</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ V3 authoritative directories only. Configures the number of VotingIntervals\r
+ for which each consensus should be valid for. Choosing high numbers\r
+ increases network partitioning risks; choosing low numbers increases\r
+ directory traffic. Note that the actual number of intervals used is not the\r
+ server’s preferred number, but the consensus of all preferences. Must be at\r
+ least 2. (Default: 3.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3BandwidthsFile</strong> <em>FILENAME</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ V3 authoritative directories only. Configures the location of the\r
+ bandiwdth-authority generated file storing information on relays' measured\r
+ bandwidth capacities. (Default: unset.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>V3AuthUseLegacyKey</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set, the directory authority will sign consensuses not only with its\r
+ own signing key, but also with a "legacy" key and certificate with a\r
+ different identity. This feature is used to migrate directory authority\r
+ keys in the event of a compromise. (Default: 0.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RephistTrackTime</strong> <em>N</em> <strong>seconds</strong>|<strong>minutes</strong>|<strong>hours</strong>|<strong>days</strong>|<strong>weeks</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tells an authority, or other node tracking node reliability and history,\r
+ that fine-grained information about nodes can be discarded when it hasn’t\r
+ changed for a given amount of time. (Default: 24 hours)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>VoteOnHidServDirectoriesV2</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ When this option is set in addition to <strong>AuthoritativeDirectory</strong>, Tor\r
+ votes on whether to accept relays as hidden service directories.\r
+ (Default: 1)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_hidden_service_options">HIDDEN SERVICE OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The following options are used to configure a hidden service.</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>HiddenServiceDir</strong> <em>DIRECTORY</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Store data files for a hidden service in DIRECTORY. Every hidden service\r
+ must have a separate directory. You may use this option multiple times to\r
+ specify multiple services. DIRECTORY must be an existing directory.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HiddenServicePort</strong> <em>VIRTPORT</em> [<em>TARGET</em>]\r
+</dt>\r
+<dd>\r
+<p>\r
+ Configure a virtual port VIRTPORT for a hidden service. You may use this\r
+ option multiple times; each time applies to the service using the most\r
+ recent hiddenservicedir. By default, this option maps the virtual port to\r
+ the same port on 127.0.0.1. You may override the target port, address, or\r
+ both by specifying a target of addr, port, or addr:port. You may also have\r
+ multiple lines with the same VIRTPORT: when a user connects to that\r
+ VIRTPORT, one of the TARGETs from those lines will be chosen at random.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>PublishHidServDescriptors</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 0, Tor will run any hidden services you configure, but it won’t\r
+ advertise them to the rendezvous directory. This option is only useful if\r
+ you’re using a Tor controller that handles hidserv publishing for you.\r
+ (Default: 1)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HiddenServiceVersion</strong> <em>version</em>,<em>version</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A list of rendezvous service descriptor versions to publish for the hidden\r
+ service. Currently, only version 2 is supported. (Default: 2)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>HiddenServiceAuthorizeClient</strong> <em>auth-type</em> <em>client-name</em>,<em>client-name</em>,<em>…</em>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If configured, the hidden service is accessible for authorized clients\r
+ only. The auth-type can either be 'basic' for a general-purpose\r
+ authorization protocol or 'stealth' for a less scalable protocol that also\r
+ hides service activity from unauthorized clients. Only clients that are\r
+ listed here are authorized to access the hidden service. Valid client names\r
+ are 1 to 19 characters long and only use characters in A-Za-z0-9+-_ (no\r
+ spaces). If this option is set, the hidden service is not accessible for\r
+ clients without authorization any more. Generated authorization data can be\r
+ found in the hostname file. Clients need to put this authorization data in\r
+ their configuration file using <strong>HidServAuth</strong>.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>RendPostPeriod</strong> <em>N</em> <strong>seconds</strong>|<strong>minutes</strong>|<strong>hours</strong>|<strong>days</strong>|<strong>weeks</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Every time the specified period elapses, Tor uploads any rendezvous\r
+ service descriptors to the directory servers. This information is also\r
+ uploaded whenever it changes. (Default: 1 hour)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_testing_network_options">TESTING NETWORK OPTIONS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>The following options are used for running a testing Tor network.</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>TestingTorNetwork</strong> <strong>0</strong>|<strong>1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If set to 1, Tor adjusts default values of the configuration options below,\r
+ so that it is easier to set up a testing Tor network. May only be set if\r
+ non-default set of DirServers is set. Cannot be unset while Tor is running.\r
+ (Default: 0)<br />\r
+</p>\r
+<div class="literalblock">\r
+<div class="content">\r
+<pre><tt>ServerDNSAllowBrokenConfig 1\r
+DirAllowPrivateAddresses 1\r
+EnforceDistinctSubnets 0\r
+AssumeReachable 1\r
+AuthDirMaxServersPerAddr 0\r
+AuthDirMaxServersPerAuthAddr 0\r
+ClientDNSRejectInternalAddresses 0\r
+ClientRejectInternalAddresses 0\r
+ExitPolicyRejectPrivate 0\r
+V3AuthVotingInterval 5 minutes\r
+V3AuthVoteDelay 20 seconds\r
+V3AuthDistDelay 20 seconds\r
+MinUptimeHidServDirectoryV2 0 seconds\r
+TestingV3AuthInitialVotingInterval 5 minutes\r
+TestingV3AuthInitialVoteDelay 20 seconds\r
+TestingV3AuthInitialDistDelay 20 seconds\r
+TestingAuthDirTimeToLearnReachability 0 minutes\r
+TestingEstimatedDescriptorPropagationTime 0 minutes</tt></pre>\r
+</div></div>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TestingV3AuthInitialVotingInterval</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like V3AuthVotingInterval, but for initial voting interval before the first\r
+ consensus has been created. Changing this requires that\r
+ <strong>TestingTorNetwork</strong> is set. (Default: 30 minutes)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TestingV3AuthInitialVoteDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like TestingV3AuthInitialVoteDelay, but for initial voting interval before\r
+ the first consensus has been created. Changing this requires that\r
+ <strong>TestingTorNetwork</strong> is set. (Default: 5 minutes)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TestingV3AuthInitialDistDelay</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Like TestingV3AuthInitialDistDelay, but for initial voting interval before\r
+ the first consensus has been created. Changing this requires that\r
+ <strong>TestingTorNetwork</strong> is set. (Default: 5 minutes)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TestingAuthDirTimeToLearnReachability</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ After starting as an authority, do not make claims about whether routers\r
+ are Running until this much time has passed. Changing this requires\r
+ that <strong>TestingTorNetwork</strong> is set. (Default: 30 minutes)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>TestingEstimatedDescriptorPropagationTime</strong> <em>N</em> <strong>minutes</strong>|<strong>hours</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Clients try downloading router descriptors from directory caches after this\r
+ time. Changing this requires that <strong>TestingTorNetwork</strong> is set. (Default:\r
+ 10 minutes)\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_signals">SIGNALS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Tor catches the following signals:</p></div>\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>SIGTERM</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor will catch this, clean up and sync to disk if necessary, and exit.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGINT</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor clients behave as with SIGTERM; but Tor servers will do a controlled\r
+ slow shutdown, closing listeners and waiting 30 seconds before exiting.\r
+ (The delay can be configured with the ShutdownWaitLength config option.)\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGHUP</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The signal instructs Tor to reload its configuration (including closing and\r
+ reopening logs), and kill and restart its helper processes if applicable.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGUSR1</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Log statistics about current connections, past connections, and throughput.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGUSR2</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Switch all logs to loglevel debug. You can go back to the old loglevels by\r
+ sending a SIGHUP.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGCHLD</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor receives this signal when one of its helper processes has exited, so it\r
+ can clean up.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGPIPE</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Tor catches this signal and ignores it.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>SIGXFSZ</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ If this signal exists on your platform, Tor catches and ignores it.\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_files">FILES</h2>\r
+<div class="sectionbody">\r
+<div class="dlist"><dl>\r
+<dt class="hdlist1">\r
+<strong>/etc/tor/torrc</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The configuration file, which contains "option value" pairs.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<strong>/var/lib/tor/</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The tor process stores keys and other data here.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/cached-status/</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The most recently downloaded network status document for each authority.\r
+ Each file holds one such document; the filenames are the hexadecimal\r
+ identity key fingerprints of the directory authorities.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/cached-descriptors</strong> and <strong>cached-descriptors.new</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ These files hold downloaded router statuses. Some routers may appear more\r
+ than once; if so, the most recently published descriptor is used. Lines\r
+ beginning with @-signs are annotations that contain more information about\r
+ a given router. The ".new" file is an append-only journal; when it gets\r
+ too large, all entries are merged into a new cached-descriptors file.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/cached-routers</strong> and <strong>cached-routers.new</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Obsolete versions of cached-descriptors and cached-descriptors.new. When\r
+ Tor can’t find the newer files, it looks here instead.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/state</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ A set of persistent key-value mappings. These are documented in\r
+ the file. These include:\r
+</p>\r
+<div class="ulist"><ul>\r
+<li>\r
+<p>\r
+The current entry guards and their status.\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+The current bandwidth accounting values (unused so far; see\r
+ below).\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+When the file was last written\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+What version of Tor generated the state file\r
+</p>\r
+</li>\r
+<li>\r
+<p>\r
+A short history of bandwidth usage, as produced in the router\r
+ descriptors.\r
+</p>\r
+</li>\r
+</ul></div>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/bw_accounting</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Used to track bandwidth accounting values (when the current period starts\r
+ and ends; how much has been read and written so far this period). This file\r
+ is obsolete, and the data is now stored in the 'state' file as well. Only\r
+ used when bandwidth accounting is enabled.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/control_auth_cookie</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Used for cookie authentication with the controller. Location can be\r
+ overridden by the CookieAuthFile config option. Regenerated on startup. See\r
+ control-spec.txt for details. Only used when cookie authentication is\r
+ enabled.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/keys/</strong>*\r
+</dt>\r
+<dd>\r
+<p>\r
+ Only used by servers. Holds identity keys and onion keys.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/fingerprint</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Only used by servers. Holds the fingerprint of the server’s identity key.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/approved-routers</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Only for naming authoritative directory servers (see\r
+ <strong>NamingAuthoritativeDirectory</strong>). This file lists nickname to identity\r
+ bindings. Each line lists a nickname and a fingerprint separated by\r
+ whitespace. See your <strong>fingerprint</strong> file in the <em>DataDirectory</em> for an\r
+ example line. If the nickname is <strong>!reject</strong> then descriptors from the\r
+ given identity (fingerprint) are rejected by this server. If it is\r
+ <strong>!invalid</strong> then descriptors are accepted but marked in the directory as\r
+ not valid, that is, not recommended.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>DataDirectory</em><strong>/router-stability</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Only used by authoritative directory servers. Tracks measurements for\r
+ router mean-time-between-failures so that authorities have a good idea of\r
+ how to set their Stable flags.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>HiddenServiceDirectory</em><strong>/hostname</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The <base32-encoded-fingerprint>.onion domain name for this hidden service.\r
+ If the hidden service is restricted to authorized clients only, this file\r
+ also contains authorization data for all clients.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>HiddenServiceDirectory</em><strong>/private_key</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ The private key for this hidden service.\r
+</p>\r
+</dd>\r
+<dt class="hdlist1">\r
+<em>HiddenServiceDirectory</em><strong>/client_keys</strong>\r
+</dt>\r
+<dd>\r
+<p>\r
+ Authorization data for a hidden service that is only accessible by\r
+ authorized clients.\r
+</p>\r
+</dd>\r
+</dl></div>\r
+</div>\r
+<h2 id="_see_also">SEE ALSO</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p><strong>privoxy</strong>(1), <strong>tsocks</strong>(1), <strong>torify</strong>(1)<br /></p></div>\r
+<div class="paragraph"><p><strong>https://www.torproject.org/</strong></p></div>\r
+</div>\r
+<h2 id="_bugs">BUGS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Plenty, probably. Tor is still in development. Please report them.</p></div>\r
+</div>\r
+<h2 id="_authors">AUTHORS</h2>\r
+<div class="sectionbody">\r
+<div class="paragraph"><p>Roger Dingledine [arma at mit.edu], Nick Mathewson [nickm at alum.mit.edu].</p></div>\r
+</div>\r
+<div id="footer">\r
+<div id="footer-text">\r
+Last updated 2011-12-15 11:28:37 EDT\r
+</div>\r
+</div>\r
+</body>\r
+</html>\r
projects / puppet-tor.git / commitdiff