commit 44537c472d59df783724f248d0902fdca1e1ec8a
Author: Damian Johnson <[email protected]>
Date:   Tue Sep 13 09:36:44 2016 -0700

    Update config options and fallback directories
    
    Quite a few updates. Getting our cache back in sync.
---
 stem/cached_tor_manual.cfg               | 111 ++++++++++++++++++++-----------
 stem/descriptor/fallback_directories.cfg |   9 +--
 2 files changed, 74 insertions(+), 46 deletions(-)

diff --git a/stem/cached_tor_manual.cfg b/stem/cached_tor_manual.cfg
index dfdd31c..0b8eea9 100644
--- a/stem/cached_tor_manual.cfg
+++ b/stem/cached_tor_manual.cfg
@@ -6,11 +6,11 @@ description
 |Basically, Tor provides a distributed network of servers or relays ("onion 
routers"). Users bounce their TCP streams -- web traffic, ftp, ssh, etc. -- 
around the network, and recipients, observers, and even the relays themselves 
have difficulty tracking the source of the stream.
 |
 |By default, tor will act as a client only. To help the network by providing 
bandwidth as a relay, change the ORPort configuration option -- see below. 
Please also consult the documentation on the Tor Project's website.
-man_commit c6846d7bf0d8a382bea17304ea29a51c3a895f90
-stem_commit 1c9727dc1117f6c94cc7b195760a31e48b57111a
+man_commit 9f0cb5af1559d4dab0a49017bdd5f37b0af588f8
+stem_commit 3d0e999f8073bed67d84bb863560078e923a8b57
 commandline_options -f FILE => Specify a new configuration file to contain 
further Tor configuration options OR pass - to make Tor read its configuration 
from standard input. (Default: @CONFDIR@/torrc, or $HOME/.torrc if that file is 
not found)
 commandline_options --ignore-missing-torrc => Specifies that Tor should treat 
a missing torrc file as though it were empty. Ordinarily, Tor does this for 
missing default torrc files, but not for those specified on the command line.
-commandline_options --passphrase-fd FILEDES => Filedescriptor to read the 
passphrase from. Note that unlike with the tor-gencert program, the entire file 
contents are read and used as the passphrase, including any trailing newlines. 
Default: read from the terminal.
+commandline_options --list-deprecated-options => List all valid options that 
are scheduled to become obsolete in a future version. (This is a warning, not a 
promise.)
 commandline_options --list-fingerprint => Generate your keys and output your 
nickname and fingerprint.
 commandline_options --defaults-torrc FILE => Specify a file in which to find 
default values for Tor options. The contents of this file are overridden by 
those in the regular configuration file, and by those on the command line. 
(Default: @CONFDIR@/torrc-defaults.)
 commandline_options --allow-missing-torrc => Do not require that configuration 
file specified by -f exist if default torrc can be accessed.
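Review bot: The `--passphrase-fd` entry removed after `--ignore-missing-torrc` in this hunk is re-added with identical text in the next hunk, so the only real change to commandline_options is the new `--list-deprecated-options` line. If the cache writer emits these entries in unsorted order, sorting them on write would keep future syncs down to the lines that actually changed and make a dropped or altered option easier to spot in review.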
@@ -18,6 +18,7 @@ commandline_options --nt-service => Used internally to 
implement a Windows servi
 commandline_options --verify-config => Verify the configuration file is valid.
 commandline_options --service remove|start|stop => Remove, start, or stop a 
configured Tor Windows service.
 commandline_options --quiet|--hush => Override the default console log. By 
default, Tor starts out logging messages at level "notice" and higher to the 
console. It stops doing so after it parses its configuration, if the 
configuration tells it to log anywhere else. You can override this behavior 
with the --hush option, which tells Tor to only send warnings and errors to the 
console, or with the --quiet option, which tells Tor not to log to the console 
at all.
+commandline_options --passphrase-fd FILEDES => Filedescriptor to read the 
passphrase from. Note that unlike with the tor-gencert program, the entire file 
contents are read and used as the passphrase, including any trailing newlines. 
Default: read from the terminal.
 commandline_options --keygen [--newpass] => Running "tor --keygen" creates a 
new ed25519 master identity key for a relay, or only a fresh temporary signing 
key and certificate, if you already have a master key. Optionally you can 
encrypt the master identity key with a passphrase: Tor will ask you for one. If 
you don't want to encrypt the master key, just don't enter any passphrase when 
asked. The --newpass option should be used with --keygen only when you need to 
add, change, or remove a passphrase on an existing ed25519 master identity key. 
You will be prompted for the old passphase (if any), and the new passphrase (if 
any). When generating a master key, you will probably want to use 
--DataDirectory to control where the keys and certificates will be stored, and 
--SigningKeyLifetime to control their lifetimes. Their behavior is as 
documented in the server options section below. (You must have write access to 
the specified DataDirectory.) To use the generated files, you must copy the
 m to the DataDirectory/keys directory of your Tor daemon, and make sure that 
they are owned by the user actually running the Tor daemon on your system.
 commandline_options --list-torrc-options => List all valid options.
 commandline_options --service install [--options command-line options] => 
Install an instance of Tor as a Windows service, with the provided command-line 
options. Current instructions can be found at 
https://www.torproject.org/docs/faq#NTService
@@ -307,6 +308,15 @@ config_options.SocksPort.description
 |PreferIPv6
 |    Tells exits that, if a host has both an IPv4 and an IPv6 address, we 
would prefer to connect to it via IPv6. (IPv4 is the default.)
 |
+|NoDNSRequest
+|    Do not ask exits to resolve DNS addresses in SOCKS5 requests. Tor will 
connect to IPv4 addresses, IPv6 addresses (if IPv6Traffic is set) and .onion 
addresses.
+|
+|NoOnionTraffic
+|    Do not connect to .onion addresses in SOCKS5 requests.
+|
+|OnionTrafficOnly
+|    Tell the tor client to only connect to .onion addresses in response to 
SOCKS5 requests on this connection. This is equivalent to NoDNSRequest, 
NoIPv4Traffic, NoIPv6Traffic. The corresponding NoOnionTrafficOnly flag is not 
supported.
+|
 |CacheIPv4DNS
 |    Tells the client to remember IPv4 DNS answers we receive from exit nodes 
via this connection. (On by default.)
 |
@@ -336,6 +346,10 @@ config_options.SocksPort.description
 |
 |PreferSOCKSNoAuth
 |    Ordinarily, when an application offers both "username/password 
authentication" and "no authentication" to Tor via SOCKS5, Tor selects 
username/password authentication so that IsolateSOCKSAuth can work. This can 
confuse some applications, if they offer a username/password combination then 
get confused when asked for one. You can disable this behavior, so that Tor 
will select "No authentication" when IsolateSOCKSAuth is disabled, or when this 
option is set.
+|
+|        Flags are processed left to right. If flags conflict, the last flag 
on the
+|        line is used, and all earlier flags are ignored. No error is issued 
for
+|        conflicting flags.
 config_options.SocksListenAddress.category Client
 config_options.SocksListenAddress.name SocksListenAddress
 config_options.SocksListenAddress.usage IP[:PORT]
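Review bot: The paragraph added after PreferSOCKSNoAuth, starting "Flags are processed left to right", is indented eight spaces, deeper than the four-space flag descriptions, so it reads as part of PreferSOCKSNoAuth although it describes how all SocksPort flags are handled. It should sit at the level of the flag list, and unlike the other entries it is hard-wrapped across three `|` lines. The behaviour itself deserves prominence: a later conflicting flag silently overrides an earlier one with no error, which matters when the earlier flag was a traffic restriction such as NoOnionTraffic.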
@@ -380,7 +394,7 @@ config_options.UseEntryGuards.category Client
 config_options.UseEntryGuards.name UseEntryGuards
 config_options.UseEntryGuards.usage 0|1
 config_options.UseEntryGuards.summary Use guard relays for first hop
-config_options.UseEntryGuards.description If this option is set to 1, we pick 
a few long-term entry servers, and try to stick with them. This is desirable 
because constantly changing servers increases the odds that an adversary who 
owns some servers will observe a fraction of your paths. (Default: 1)
+config_options.UseEntryGuards.description If this option is set to 1, we pick 
a few long-term entry servers, and try to stick with them. This is desirable 
because constantly changing servers increases the odds that an adversary who 
owns some servers will observe a fraction of your paths. Entry Guards can not 
be used by Directory Authorities, Single Onion Services, and Tor2web clients. 
In these cases, the this option is ignored. (Default: 1)
 config_options.UseEntryGuardsAsDirGuards.category Client
 config_options.UseEntryGuardsAsDirGuards.name UseEntryGuardsAsDirGuards
 config_options.UseEntryGuardsAsDirGuards.usage 0|1
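Review bot: The sentence added to UseEntryGuards.description contains a typo, "In these cases, the this option is ignored." Since this file is a cache of the tor manual (man_commit is bumped at the top of the diff), the fix belongs in the manual source, with the cache regenerated afterwards and not edited by hand.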
@@ -438,7 +452,7 @@ config_options.VirtualAddrNetworkIPv6.summary IPv6 address 
range to use when nee
 config_options.VirtualAddrNetworkIPv6.description 
 |When Tor needs to assign a virtual (unused) address because of a MAPADDRESS 
command from the controller or the AutomapHostsOnResolve feature, Tor picks an 
unassigned address from this range. (Defaults: 127.192.0.0/10 and [FE80::]/10 
respectively.)
 |
-|When providing proxy server service to a network of computers using a tool 
like dns-proxy-tor, change the IPv4 network to "10.192.0.0/10" or 
"172.16.0.0/12" and change the IPv6 network to "[FC00]/7". The default 
VirtualAddrNetwork address ranges on a properly configured machine will route 
to the loopback or link-local interface. For local use, no change to the 
default VirtualAddrNetwork setting is needed.
+|When providing proxy server service to a network of computers using a tool 
like dns-proxy-tor, change the IPv4 network to "10.192.0.0/10" or 
"172.16.0.0/12" and change the IPv6 network to "[FC00::]/7". The default 
VirtualAddrNetwork address ranges on a properly configured machine will route 
to the loopback or link-local interface. For local use, no change to the 
default VirtualAddrNetwork setting is needed.
 config_options.AllowNonRFC953Hostnames.category Client
 config_options.AllowNonRFC953Hostnames.name AllowNonRFC953Hostnames
 config_options.AllowNonRFC953Hostnames.usage 0|1
@@ -558,7 +572,7 @@ config_options.Tor2webMode.category Client
 config_options.Tor2webMode.name Tor2webMode
 config_options.Tor2webMode.usage 0|1
 config_options.Tor2webMode.summary Establish non-anonymous hidden service 
connections
-config_options.Tor2webMode.description When this option is set, Tor connects 
to hidden services non-anonymously. This option also disables client 
connections to non-hidden-service hostnames through Tor. It must only be used 
when running a tor2web Hidden Service web proxy. To enable this option the 
compile time flag --enable-tor2web-mode must be specified. (Default: 0)
+config_options.Tor2webMode.description When this option is set, Tor connects 
to hidden services non-anonymously. This option also disables client 
connections to non-hidden-service hostnames through Tor. It must only be used 
when running a tor2web Hidden Service web proxy. To enable this option the 
compile time flag --enable-tor2web-mode must be specified. Since Tor2webMode is 
non-anonymous, you can not run an anonymous Hidden Service on a tor version 
compiled with Tor2webMode. (Default: 0)
 config_options.Tor2webRendezvousPoints.category Client
 config_options.Tor2webRendezvousPoints.name Tor2webRendezvousPoints
 config_options.Tor2webRendezvousPoints.usage node,node,...
@@ -576,11 +590,6 @@ config_options.UseMicrodescriptors.name UseMicrodescriptors
 config_options.UseMicrodescriptors.usage 0|1|auto
 config_options.UseMicrodescriptors.summary Retrieve microdescriptors rather 
than server descriptors
 config_options.UseMicrodescriptors.description Microdescriptors are a smaller 
version of the information that Tor needs in order to build its circuits. Using 
microdescriptors makes Tor clients download less directory information, thus 
saving bandwidth. Directory caches need to fetch regular descriptors and 
microdescriptors, so this option doesn't save any bandwidth for them. If this 
option is set to "auto" (recommended) then it is on for all clients that do not 
set FetchUselessDescriptors. (Default: auto)
-config_options.UseNTorHandshake.category Client
-config_options.UseNTorHandshake.name UseNTorHandshake
-config_options.UseNTorHandshake.usage 0|1|auto
-config_options.UseNTorHandshake.summary Use ntor for establishing circuits 
with relays
-config_options.UseNTorHandshake.description The "ntor" circuit-creation 
handshake is faster and (we think) more secure than the original ("TAP") 
circuit handshake, but starting to use it too early might make your client 
stand out. If this option is 0, your Tor client won't use the ntor handshake. 
If it's 1, your Tor client will use the ntor handshake to extend circuits 
through servers that support it. If this option is "auto", then your client 
will use the ntor handshake once enough directory authorities recommend it. 
(Default: 1)
 config_options.PathBiasCircThreshold.category Client
 config_options.PathBiasCircThreshold.name PathBiasCircThreshold
 config_options.PathBiasCircThreshold.usage NUM
@@ -671,32 +680,32 @@ config_options.PathsNeededToBuildCircuits.description Tor 
clients don't build ci
 config_options.ClientBootstrapConsensusAuthorityDownloadSchedule.category 
Client
 config_options.ClientBootstrapConsensusAuthorityDownloadSchedule.name 
ClientBootstrapConsensusAuthorityDownloadSchedule
 config_options.ClientBootstrapConsensusAuthorityDownloadSchedule.usage N,N,...
-config_options.ClientBootstrapConsensusAuthorityDownloadSchedule.summary 
+config_options.ClientBootstrapConsensusAuthorityDownloadSchedule.summary 
Schedule when bootstrapping for when to download resources from authorities
 config_options.ClientBootstrapConsensusAuthorityDownloadSchedule.description 
Schedule for when clients should download consensuses from authorities if they 
are bootstrapping (that is, they don't have a usable, reasonably live 
consensus). Only used by clients fetching from a list of fallback directory 
mirrors. This schedule is advanced by (potentially concurrent) connection 
attempts, unlike other schedules, which are advanced by connection failures. 
(Default: 10, 11, 3600, 10800, 25200, 54000, 111600, 262800)
 config_options.ClientBootstrapConsensusFallbackDownloadSchedule.category Client
 config_options.ClientBootstrapConsensusFallbackDownloadSchedule.name 
ClientBootstrapConsensusFallbackDownloadSchedule
 config_options.ClientBootstrapConsensusFallbackDownloadSchedule.usage N,N,...
-config_options.ClientBootstrapConsensusFallbackDownloadSchedule.summary 
+config_options.ClientBootstrapConsensusFallbackDownloadSchedule.summary 
Schedule when bootstrapping for when to download resources from fallback 
authorities
 config_options.ClientBootstrapConsensusFallbackDownloadSchedule.description 
Schedule for when clients should download consensuses from fallback directory 
mirrors if they are bootstrapping (that is, they don't have a usable, 
reasonably live consensus). Only used by clients fetching from a list of 
fallback directory mirrors. This schedule is advanced by (potentially 
concurrent) connection attempts, unlike other schedules, which are advanced by 
connection failures. (Default: 0, 1, 4, 11, 3600, 10800, 25200, 54000, 111600, 
262800)
 config_options.ClientBootstrapConsensusAuthorityOnlyDownloadSchedule.category 
Client
 config_options.ClientBootstrapConsensusAuthorityOnlyDownloadSchedule.name 
ClientBootstrapConsensusAuthorityOnlyDownloadSchedule
 config_options.ClientBootstrapConsensusAuthorityOnlyDownloadSchedule.usage 
N,N,...
-config_options.ClientBootstrapConsensusAuthorityOnlyDownloadSchedule.summary 
+config_options.ClientBootstrapConsensusAuthorityOnlyDownloadSchedule.summary 
Schedule when bootstrapping for when to download resources from authorities 
when fallbacks unavailable
 
config_options.ClientBootstrapConsensusAuthorityOnlyDownloadSchedule.description
 Schedule for when clients should download consensuses from authorities if they 
are bootstrapping (that is, they don't have a usable, reasonably live 
consensus). Only used by clients which don't have or won't fetch from a list of 
fallback directory mirrors. This schedule is advanced by (potentially 
concurrent) connection attempts, unlike other schedules, which are advanced by 
connection failures. (Default: 0, 3, 7, 3600, 10800, 25200, 54000, 111600, 
262800)
 config_options.ClientBootstrapConsensusMaxDownloadTries.category Client
 config_options.ClientBootstrapConsensusMaxDownloadTries.name 
ClientBootstrapConsensusMaxDownloadTries
 config_options.ClientBootstrapConsensusMaxDownloadTries.usage NUM
-config_options.ClientBootstrapConsensusMaxDownloadTries.summary 
+config_options.ClientBootstrapConsensusMaxDownloadTries.summary Number of 
times to attempt downloading consensus
 config_options.ClientBootstrapConsensusMaxDownloadTries.description Try this 
many times to download a consensus while bootstrapping using fallback directory 
mirrors before giving up. (Default: 7)
 config_options.ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries.category 
Client
 config_options.ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries.name 
ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries
 config_options.ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries.usage NUM
-config_options.ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries.summary 
+config_options.ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries.summary 
Number of times to attempt downloading consensus from authorities
 
config_options.ClientBootstrapConsensusAuthorityOnlyMaxDownloadTries.description
 Try this many times to download a consensus while bootstrapping using 
authorities before giving up. (Default: 4)
 config_options.ClientBootstrapConsensusMaxInProgressTries.category Client
 config_options.ClientBootstrapConsensusMaxInProgressTries.name 
ClientBootstrapConsensusMaxInProgressTries
 config_options.ClientBootstrapConsensusMaxInProgressTries.usage NUM
-config_options.ClientBootstrapConsensusMaxInProgressTries.summary 
+config_options.ClientBootstrapConsensusMaxInProgressTries.summary Number of 
consensus download requests to allow in-flight at once
 config_options.ClientBootstrapConsensusMaxInProgressTries.description Try this 
many simultaneous connections to download a consensus before waiting for one to 
complete, timeout, or error out. (Default: 4)
 config_options.DirPortFrontPage.category Directory
 config_options.DirPortFrontPage.name DirPortFrontPage
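Review bot: The new summary for ClientBootstrapConsensusFallbackDownloadSchedule says "fallback authorities", but its own description speaks of "fallback directory mirrors", which the neighbouring options treat as distinct from authorities. Suggest "Schedule when bootstrapping for when to download resources from fallback directory mirrors". The ClientBootstrapConsensusMaxDownloadTries summary could likewise mention fallback directory mirrors, to separate it from the AuthorityOnly variant below it.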
@@ -844,7 +853,7 @@ config_options.ControlPort.name ControlPort
 config_options.ControlPort.usage PORT|unix:path|auto [flags]
 config_options.ControlPort.summary Port providing access to tor controllers 
(nyx, vidalia, etc)
 config_options.ControlPort.description 
-|If set, Tor will accept connections on this port and allow those connections 
to control the Tor process using the Tor Control Protocol (described in 
control-spec.txt in torspec). Note: unless you also specify one or more of 
HashedControlPassword or CookieAuthentication, setting this option will cause 
Tor to allow any process on the local host to control it. (Setting both 
authentication methods means eithermethod is sufficient to authenticate to 
Tor.) This option is required for many Tor controllers; most use the value of 
9051. Set it to "auto" to have Tor pick a port for you. (Default: 0)
+|If set, Tor will accept connections on this port and allow those connections 
to control the Tor process using the Tor Control Protocol (described in 
control-spec.txt in torspec). Note: unless you also specify one or more of 
HashedControlPassword or CookieAuthentication, setting this option will cause 
Tor to allow any process on the local host to control it. (Setting both 
authentication methods means either method is sufficient to authenticate to 
Tor.) This option is required for many Tor controllers; most use the value of 
9051. Set it to "auto" to have Tor pick a port for you. (Default: 0)
 |
 |Recognized flags are...
 |
@@ -1056,7 +1065,7 @@ config_options.LogMessageDomains.description If 1, Tor 
includes message domains
 config_options.MaxUnparseableDescSizeToLog.category General
 config_options.MaxUnparseableDescSizeToLog.name MaxUnparseableDescSizeToLog
 config_options.MaxUnparseableDescSizeToLog.usage N bytes|KBytes|MBytes|GBytes
-config_options.MaxUnparseableDescSizeToLog.summary 
+config_options.MaxUnparseableDescSizeToLog.summary Size of the dedicated log 
for unparseable descriptors
 config_options.MaxUnparseableDescSizeToLog.description Unparseable descriptors 
(e.g. for votes, consensuses, routers) are logged in separate files by hash, up 
to the specified size in total. Note that only files logged during the lifetime 
of this Tor process count toward the total; this is intended to be used to 
debug problems without opening live servers to resource exhaustion attacks. 
(Default: 10 MB)
 config_options.OutboundBindAddress.category General
 config_options.OutboundBindAddress.name OutboundBindAddress
@@ -1108,7 +1117,7 @@ config_options.SafeLogging.description
 |If this option is set to 0, Tor will not perform any scrubbing, if it is set 
to 1, all potentially sensitive strings are replaced. If it is set to relay, 
all log messages generated when acting as a relay are sanitized, but all 
messages generated when acting as a client are not. (Default: 1)
 config_options.User.category General
 config_options.User.name User
-config_options.User.usage UID
+config_options.User.usage Username
 config_options.User.summary UID for the process when started
 config_options.User.description On startup, setuid to this user and setgid to 
their primary group.
 config_options.KeepBindCapabilities.category General
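Review bot: User.usage changes from UID to Username, but the unchanged User.summary on the next line still reads "UID for the process when started", so the entry now contradicts itself. Update the summary in the same commit, for example "User to run the process as once started".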
@@ -1141,21 +1150,6 @@ config_options.CircuitPriorityHalflife.name 
CircuitPriorityHalflife
 config_options.CircuitPriorityHalflife.usage NUM1
 config_options.CircuitPriorityHalflife.summary Overwrite method for 
prioritizing traffic among relayed connections
 config_options.CircuitPriorityHalflife.description If this value is set, we 
override the default algorithm for choosing which circuit's cell to deliver or 
relay next. When the value is 0, we round-robin between the active circuits on 
a connection, delivering one cell from each in turn. When the value is 
positive, we prefer delivering cells from whichever connection has the lowest 
weighted cell count, where cells are weighted exponentially according to the 
supplied CircuitPriorityHalflife value (in seconds). If this option is not set 
at all, we use the behavior recommended in the current consensus networkstatus. 
This is an advanced option; you generally shouldn't have to mess with it. 
(Default: not set)
-config_options.DisableIOCP.category General
-config_options.DisableIOCP.name DisableIOCP
-config_options.DisableIOCP.usage 0|1
-config_options.DisableIOCP.summary Disables use of the Windows IOCP networking 
API
-config_options.DisableIOCP.description If Tor was built to use the Libevent's 
"bufferevents" networking code and you're running on Windows, setting this 
option to 1 will tell Libevent not to use the Windows IOCP networking API. 
(Default: 1)
-config_options.UserspaceIOCPBuffers.category General
-config_options.UserspaceIOCPBuffers.name UserspaceIOCPBuffers
-config_options.UserspaceIOCPBuffers.usage 0|1
-config_options.UserspaceIOCPBuffers.summary Disable kernel-space IOCP TCP 
buffers
-config_options.UserspaceIOCPBuffers.description If IOCP is enabled (see 
DisableIOCP above), setting this option to 1 will tell Tor to disable 
kernel-space TCP buffers, in order to avoid needless copy operations and try 
not to run out of non-paged RAM. This feature is experimental; don't use it yet 
unless you're eager to help tracking down bugs. (Default: 0)
-config_options.UseFilteringSSLBufferevents.category General
-config_options.UseFilteringSSLBufferevents.name UseFilteringSSLBufferevents
-config_options.UseFilteringSSLBufferevents.usage 0|1
-config_options.UseFilteringSSLBufferevents.summary Use SSL for a chain of 
bufferevents
-config_options.UseFilteringSSLBufferevents.description Tells Tor to do its SSL 
communication using a chain of bufferevents: one for SSL and one for 
networking. This option has no effect if bufferevents are disabled (in which 
case it can't turn on), or if IOCP bufferevents are enabled (in which case it 
can't turn off). This option is useful for debugging only; most users shouldn't 
touch it. (Default: 0)
 config_options.CountPrivateBandwidth.category General
 config_options.CountPrivateBandwidth.name CountPrivateBandwidth
 config_options.CountPrivateBandwidth.usage 0|1
@@ -1211,7 +1205,7 @@ config_options.ExitPolicy.description
 |
 |To specify all IPv4 and IPv6 internal and link-local networks (including 
0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8, 
172.16.0.0/12, [::]/8, [FC00::]/7, [FE80::]/10, [FEC0::]/10, [FF00::]/8, and 
[::]/127), you can use the "private" alias instead of an address. ("private" 
always produces rules for IPv4 and IPv6 addresses, even when used with 
accept6/reject6.)
 |
-|Private addresses are rejected by default (at the beginning of your exit 
policy), along with any configured primary public IPv4 and IPv6 addresses, and 
any public IPv4 and IPv6 addresses on any interface on the relay. These private 
addresses are rejected unless you set the ExitPolicyRejectPrivate config option 
to 0. For example, once you've done that, you could allow HTTP to 127.0.0.1 and 
block all other connections to internal networks with "accept 
127.0.0.1:80,reject private:*", though that may also allow connections to your 
own computer that are addressed to its public (external) IP address. See RFC 
1918 and RFC 3330 for more details about internal and reserved IP address space.
+|Private addresses are rejected by default (at the beginning of your exit 
policy), along with any configured primary public IPv4 and IPv6 addresses. 
These private addresses are rejected unless you set the ExitPolicyRejectPrivate 
config option to 0. For example, once you've done that, you could allow HTTP to 
127.0.0.1 and block all other connections to internal networks with "accept 
127.0.0.1:80,reject private:*", though that may also allow connections to your 
own computer that are addressed to its public (external) IP address. See RFC 
1918 and RFC 3330 for more details about internal and reserved IP address 
space. See ExitPolicyRejectLocalInterfaces if you want to block every address 
on the relay, even those that aren't advertised in the descriptor.
 |
 |This directive can be specified multiple times so you don't have to put it 
all on one line.
 |
@@ -1235,7 +1229,12 @@ config_options.ExitPolicyRejectPrivate.category Relay
 config_options.ExitPolicyRejectPrivate.name ExitPolicyRejectPrivate
 config_options.ExitPolicyRejectPrivate.usage 0|1
 config_options.ExitPolicyRejectPrivate.summary Prevent exiting connection on 
the local network
-config_options.ExitPolicyRejectPrivate.description Reject all private (local) 
networks, along with any configured public IPv4 and IPv6 addresses, at the 
beginning of your exit policy. (This includes the IPv4 and IPv6 addresses 
advertised by the relay, any OutboundBindAddress, and the bind addresses of any 
port options, such as ORPort and DirPort.) This also rejects any public IPv4 
and IPv6 addresses on any interface on the relay. (If IPv6Exit is not set, all 
IPv6 addresses will be rejected anyway.) See above entry on ExitPolicy. 
(Default: 1)
+config_options.ExitPolicyRejectPrivate.description Reject all private (local) 
networks, along with the relay's advertised public IPv4 and IPv6 addresses, at 
the beginning of your exit policy. See above entry on ExitPolicy. (Default: 1)
+config_options.ExitPolicyRejectLocalInterfaces.category Relay
+config_options.ExitPolicyRejectLocalInterfaces.name 
ExitPolicyRejectLocalInterfaces
+config_options.ExitPolicyRejectLocalInterfaces.usage 0|1
+config_options.ExitPolicyRejectLocalInterfaces.summary 
+config_options.ExitPolicyRejectLocalInterfaces.description Reject all IPv4 and 
IPv6 addresses that the relay knows about, at the beginning of your exit 
policy. This includes any OutboundBindAddress, the bind addresses of any port 
options, such as ControlPort or DNSPort, and any public IPv4 and IPv6 addresses 
on any interface on the relay. (If IPv6Exit is not set, all IPv6 addresses will 
be rejected anyway.) See above entry on ExitPolicy. This option is off by 
default, because it lists all public relay IP addresses in the ExitPolicy, even 
those relay operators might prefer not to disclose. (Default: 0)
 config_options.IPv6Exit.category Relay
 config_options.IPv6Exit.name IPv6Exit
 config_options.IPv6Exit.usage 0|1
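Review bot: ExitPolicyRejectLocalInterfaces is added with an empty summary, while other hunks in this commit fill in summaries that were previously blank. Because the rejection of "any public IPv4 and IPv6 addresses on any interface on the relay" moves out of ExitPolicyRejectPrivate (Default: 1) into this option (Default: 0), the summary is what tells someone skimming the option list that this protection is now opt-in. Suggest something like "Prevent exiting to any address on the relay's interfaces".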
@@ -1453,6 +1452,11 @@ config_options.MaxMemInQueues.name MaxMemInQueues
 config_options.MaxMemInQueues.usage N bytes|KB|MB|GB
 config_options.MaxMemInQueues.summary Threshold at which tor will terminate 
circuits to avoid running out of memory
 config_options.MaxMemInQueues.description This option configures a threshold 
above which Tor will assume that it needs to stop queueing or buffering data 
because it's about to run out of memory. If it hits this threshold, it will 
begin killing circuits until it has recovered at least 10% of this memory. Do 
not set this option too low, or your relay may be unreliable under load. This 
option only affects some queues, so the actual process size will be larger than 
this. If this option is set to 0, Tor will try to pick a reasonable default 
based on your system's physical memory. (Default: 0)
+config_options.DisableOOSCheck.category Relay
+config_options.DisableOOSCheck.name DisableOOSCheck
+config_options.DisableOOSCheck.usage 0|1
+config_options.DisableOOSCheck.summary 
+config_options.DisableOOSCheck.description This option disables the code that 
closes connections when Tor notices that it is running low on sockets. Right 
now, it is on by default, since the existing out-of-sockets mechanism tends to 
kill OR connections more than it should. (Default: 1)
 config_options.SigningKeyLifetime.category Relay
 config_options.SigningKeyLifetime.name SigningKeyLifetime
 config_options.SigningKeyLifetime.usage N days|weeks|months
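Review bot: DisableOOSCheck.summary is empty, and the description's "Right now, it is on by default" is ambiguous between the option and the check it disables; only "(Default: 1)" settles it. A summary such as "Don't close connections when running out of sockets" would remove the double negative for readers.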
@@ -1518,6 +1522,30 @@ config_options.HiddenServiceNumIntroductionPoints.name 
HiddenServiceNumIntroduct
 config_options.HiddenServiceNumIntroductionPoints.usage NUM
 config_options.HiddenServiceNumIntroductionPoints.summary Number of 
introduction points the hidden service will have
 config_options.HiddenServiceNumIntroductionPoints.description Number of 
introduction points the hidden service will have. You can't have more than 10. 
(Default: 3)
+config_options.HiddenServiceSingleHopMode.category Hidden Service
+config_options.HiddenServiceSingleHopMode.name HiddenServiceSingleHopMode
+config_options.HiddenServiceSingleHopMode.usage 0|1
+config_options.HiddenServiceSingleHopMode.summary 
+config_options.HiddenServiceSingleHopMode.description 
+|Experimental - Non Anonymous Hidden Services on a tor instance in 
HiddenServiceSingleHopMode make one-hop (direct) circuits between the onion 
service server, and the introduction and rendezvous points. (Onion service 
descriptors are still posted using 3-hop paths, to avoid onion service 
directories blocking the service.) This option makes every hidden service 
instance hosted by a tor instance a Single Onion Service. One-hop circuits make 
Single Onion servers easily locatable, but clients remain location-anonymous. 
However, the fact that a client is accessing a Single Onion rather than a 
Hidden Service may be statistically distinguishable.
+|
+|    **WARNING:** Once a hidden service directory has been used by a tor
+|    instance in HiddenServiceSingleHopMode, it can **NEVER** be used again for
+|    a hidden service. It is best practice to create a new hidden service
+|    directory, key, and address for each new Single Onion Service and Hidden
+|    Service. It is not possible to run Single Onion Services and Hidden
+|    Services from the same tor instance: they should be run on different
+|    servers with different IP addresses.
+|
+|    HiddenServiceSingleHopMode requires HiddenServiceNonAnonymousMode to be 
set
+|    to 1. Since a Single Onion is non-anonymous, you can not to run an
+|    anonymous SOCKSPort on the same tor instance as a Single Onion service.
+|    (Default: 0)
+config_options.HiddenServiceNonAnonymousMode.category Hidden Service
+config_options.HiddenServiceNonAnonymousMode.name HiddenServiceNonAnonymousMode
+config_options.HiddenServiceNonAnonymousMode.usage 0|1
+config_options.HiddenServiceNonAnonymousMode.summary 
+config_options.HiddenServiceNonAnonymousMode.description Makes hidden services 
non-anonymous on this tor instance. Allows the non-anonymous 
HiddenServiceSingleHopMode. Enables direct connections in the server-side 
hidden service protocol. (Default: 0)
 config_options.TestingTorNetwork.category Testing
 config_options.TestingTorNetwork.name TestingTorNetwork
 config_options.TestingTorNetwork.usage 0|1
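Review bot: the `.summary` keys for both new options, HiddenServiceSingleHopMode and HiddenServiceNonAnonymousMode, are added empty, while the neighbouring HiddenServiceNumIntroductionPoints entry carries a one-line summary. These are the two options that make an onion service server locatable, so anything that shows only the summary will give the operator no hint of that. Suggest filling them in from the descriptions, for example "Makes hidden services non-anonymous on this tor instance" for HiddenServiceNonAnonymousMode. The last paragraph of the HiddenServiceSingleHopMode description also reads "you can not to run an anonymous SOCKSPort"; since this file is a cache of the manual at man_commit, that wording is better fixed at the source than patched here.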
@@ -1759,7 +1787,7 @@ config_options.V3AuthoritativeDirectory.category Authority
 config_options.V3AuthoritativeDirectory.name V3AuthoritativeDirectory
 config_options.V3AuthoritativeDirectory.usage 0|1
 config_options.V3AuthoritativeDirectory.summary Generates a version 3 consensus
-config_options.V3AuthoritativeDirectory.description When this option is set in 
addition to AuthoritativeDirectory, Tor generates version 3 network statuses 
and serves descriptors, etc as described in dir-spec.txt file of torspec (for 
Tor clients and servers running atleast 0.2.0.x).
+config_options.V3AuthoritativeDirectory.description When this option is set in 
addition to AuthoritativeDirectory, Tor generates version 3 network statuses 
and serves descriptors, etc as described in dir-spec.txt file of torspec (for 
Tor clients and servers running at least 0.2.0.x).
 config_options.VersioningAuthoritativeDirectory.category Authority
 config_options.VersioningAuthoritativeDirectory.name 
VersioningAuthoritativeDirectory
 config_options.VersioningAuthoritativeDirectory.usage 0|1
@@ -1804,7 +1832,7 @@ config_options.DirAllowPrivateAddresses.category Authority
 config_options.DirAllowPrivateAddresses.name DirAllowPrivateAddresses
 config_options.DirAllowPrivateAddresses.usage 0|1
 config_options.DirAllowPrivateAddresses.summary Toggles allowing arbitrary 
input or non-public IPs in descriptors
-config_options.DirAllowPrivateAddresses.description If set to 1, Tor will 
accept server descriptors with arbitrary "Address" elements. Otherwise, if the 
address is not an IP address or is a private IP address, it will reject the 
server descriptor. (Default: 0)
+config_options.DirAllowPrivateAddresses.description If set to 1, Tor will 
accept server descriptors with arbitrary "Address" elements. Otherwise, if the 
address is not an IP address or is a private IP address, it will reject the 
server descriptor. Additionally, Tor will allow exit policies for private 
networks to fulfill Exit flag requirements. (Default: 0)
 config_options.AuthDirBadExit.category Authority
 config_options.AuthDirBadExit.name AuthDirBadExit
 config_options.AuthDirBadExit.usage AddressPattern...
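Review bot: the unchanged DirAllowPrivateAddresses.summary line in this hunk still reads "Toggles allowing arbitrary input or non-public IPs in descriptors", but the new description adds a second effect: exit policies for private networks can now fulfill Exit flag requirements. Suggest extending the summary to cover that, since it widens what setting the option to 1 permits on an authority.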
@@ -1868,6 +1896,11 @@ config_options.AuthDirPinKeys.name AuthDirPinKeys
 config_options.AuthDirPinKeys.usage 0|1
 config_options.AuthDirPinKeys.summary Don't accept descriptors with 
conflicting identity keypairs
 config_options.AuthDirPinKeys.description Authoritative directories only. If 
non-zero, do not allow any relay to publish a descriptor if any other relay has 
reserved its <Ed25519,RSA> identity keypair. In all cases, Tor records every 
keypair it accepts in a journal if it is new, or if it differs from the most 
recently accepted pinning for one of the keys it contains. (Default: 0)
+config_options.AuthDirSharedRandomness.category Authority
+config_options.AuthDirSharedRandomness.name AuthDirSharedRandomness
+config_options.AuthDirSharedRandomness.usage 0|1
+config_options.AuthDirSharedRandomness.summary 
+config_options.AuthDirSharedRandomness.description Authoritative directories 
only. Switch for the shared random protocol. If zero, the authority won't 
participate in the protocol. If non-zero (default), the flag 
"shared-rand-participate" is added to the authority vote indicating 
participation in the protocol. (Default: 1)
 config_options.BridgePassword.category Authority
 config_options.BridgePassword.name BridgePassword
 config_options.BridgePassword.usage Password
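Review bot: AuthDirSharedRandomness.summary is added empty, unlike the AuthDirPinKeys entry directly above it, which has one. Suggest a summary taken from the description, such as "Switch for the shared random protocol". The description also states the default twice ("If non-zero (default)" and "(Default: 1)"); that is harmless, but anything parsing the default out of the text should read the trailing "(Default: 1)" form that the other options use.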
diff --git a/stem/descriptor/fallback_directories.cfg 
b/stem/descriptor/fallback_directories.cfg
index 3e18d93..94d9fcb 100644
--- a/stem/descriptor/fallback_directories.cfg
+++ b/stem/descriptor/fallback_directories.cfg
@@ -1,5 +1,5 @@
-tor_commit 26146dbe9eb2404274b7c51121710f3f3529c930
-stem_commit 1c9727dc1117f6c94cc7b195760a31e48b57111a
+tor_commit 1c4a2dd208601aca9fdd004929c283b9d44d7442
+stem_commit 3d0e999f8073bed67d84bb863560078e923a8b57
 823AA81E277F366505545522CEDC2F529CE4DC3F.address 192.160.102.164
 823AA81E277F366505545522CEDC2F529CE4DC3F.or_port 9001
 823AA81E277F366505545522CEDC2F529CE4DC3F.dir_port 80
@@ -208,11 +208,6 @@ A0F06C2FADF88D3A39AA3072B406F09D7095AC9E.dir_port 80
 30648BC64CEDB3020F4A405E4AB2A6347FB8FA22.address 213.61.66.118
 30648BC64CEDB3020F4A405E4AB2A6347FB8FA22.or_port 9001
 30648BC64CEDB3020F4A405E4AB2A6347FB8FA22.dir_port 9031
-08DC0F3C6E3D9C527C1FC8745D35DD1B0DE1875D.address 37.187.1.149
-08DC0F3C6E3D9C527C1FC8745D35DD1B0DE1875D.or_port 9001
-08DC0F3C6E3D9C527C1FC8745D35DD1B0DE1875D.dir_port 9030
-08DC0F3C6E3D9C527C1FC8745D35DD1B0DE1875D.orport6_address 2001:41d0:a:195::1
-08DC0F3C6E3D9C527C1FC8745D35DD1B0DE1875D.orport6_port 9001
 2BA2C8E96B2590E1072AECE2BDB5C48921BF8510.address 144.76.26.175
 2BA2C8E96B2590E1072AECE2BDB5C48921BF8510.or_port 9011
 2BA2C8E96B2590E1072AECE2BDB5C48921BF8510.dir_port 9012
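Review bot: the commit message gives no reason for removing the 08DC0F3C6E3D9C527C1FC8745D35DD1B0DE1875D entry (all five keys, including orport6_address and orport6_port); it only says the cache is being brought back in sync. If the removal mirrors the fallback list at the new tor_commit 1c4a2dd208601aca9fdd004929c283b9d44d7442, say so in the message, so a later reader can tell an upstream removal from a local edit to the list of relays clients bootstrap from.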

_______________________________________________
tor-commits mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits
