Move tor-full to site cookbooks
This commit is contained in:
@@ -0,0 +1,124 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>This is a Tor Exit Router</title>
|
||||
|
||||
<!--
|
||||
|
||||
This notice is intended to be placed on a virtual host for a domain that
|
||||
your Tor exit node IP reverse resolves to so that people who may be about
|
||||
to file an abuse complaint would check it first before bothering you or
|
||||
your ISP. Ex:
|
||||
http://tor-exit.yourdomain.org or http://tor-readme.yourdomain.org.
|
||||
|
||||
This type of setup has proven very effective at reducing abuse complaints
|
||||
for exit node operators.
|
||||
|
||||
There are a few places in this document that you may want to customize.
|
||||
They are marked with FIXME.
|
||||
|
||||
-->
|
||||
|
||||
</head>
|
||||
<body bgcolor=white text=black>
|
||||
|
||||
<center><h1>This is a Tor Exit Router</h1></center>
|
||||
|
||||
<p>Most likely you are accessing this website because you had some issue with
|
||||
the traffic coming from this IP. This router is part of the <a
|
||||
href="https://www.torproject.org/">Tor Anonymity Network</a>, which is
|
||||
dedicated to providing people with anonymity who need it most: average
|
||||
computer users. This router IP should be generating no other traffic, unless
|
||||
it has been compromised.
|
||||
|
||||
<p>
|
||||
|
||||
While Tor is not designed for malicious computer users, it is inevitable that
|
||||
some may use the network for malicious ends. In the mind of this operator,
|
||||
the social need for easily accessible censorship-resistant anonymous
|
||||
communication trumps the risk. Tor sees use by many important segments of the
|
||||
population, including whistle blowers, journalists, Chinese dissidents
|
||||
skirting the Great Firewall and oppressive censorship, abuse victims,
|
||||
stalker targets, the US military, and law enforcement, just to name a few.
|
||||
|
||||
<p>
|
||||
|
||||
<!-- FIXME: you should probably grab your own copy of how_tor_works_thumb.png
|
||||
and serve it locally -->
|
||||
<center><a href="https://www.torproject.org/overview.html">
|
||||
<img src="http://www.torproject.org/images/how_tor_works_thumb.png"></a></center>
|
||||
|
||||
<p>
|
||||
|
||||
In terms of applicable law, the best way to understand Tor is to consider it a
|
||||
network of routers operating as common carriers, much like the Internet
|
||||
backbone. However, unlike the Internet backbone routers, Tor routers
|
||||
explicitly do not contain identifiable routing information about the source of
|
||||
a packet.
|
||||
|
||||
<p>
|
||||
|
||||
As such, there is little the operator of this router can do to help you track
|
||||
the connection further. This router maintains no logs of any of the Tor
|
||||
traffic, so there is little that can be done to trace either legitimate or
|
||||
illegitimate traffic (or to filter one from the other). Attempts to
|
||||
seize this router will accomplish nothing.
|
||||
<p>
|
||||
|
||||
<!--- FIXME: US-Only section. Remove if you are a non-US operator -->
|
||||
|
||||
Furthermore, this machine also serves as a carrier of email, which means that
|
||||
its contents are further protected under the ECPA. <a
|
||||
href="http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002707----000-.html">18
|
||||
USC 2707</a> explicitly allows for civil remedies ($1000/account
|
||||
<i><b><u>plus</u></b></i> legal fees)
|
||||
in the event of a seizure executed without good faith or probable cause (it
|
||||
should be clear at this point that traffic with an originating IP address of
|
||||
<%= node['tor']['relay']['Address'] %> should not constitute probable cause to seize the
|
||||
machine). Similar considerations exist for 1st amendment content on this
|
||||
machine.
|
||||
|
||||
<p>
|
||||
|
||||
<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in
|
||||
fact reported DMCA harassment... -->
|
||||
|
||||
If you are a representative of a company who feels that this router is being
|
||||
used to violate the DMCA, please be aware that this machine does not host or
|
||||
contain any illegal content. Also be aware that network infrastructure
|
||||
maintainers are not liable for the type of content that passes over their
|
||||
equipment, in accordance with <a
|
||||
href="http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html">DMCA
|
||||
"safe harbor" provisions</a>. In other words, you will have just as much luck
|
||||
sending a takedown notice to the Internet backbone providers. Please consult
|
||||
<a href="https://www.torproject.org/eff/tor-dmca-response.html">EFF's prepared
|
||||
response</a> for more information on this matter.
|
||||
|
||||
<p>For more information, please consult the following documentation:
|
||||
|
||||
<ol>
|
||||
<li><a href="https://www.torproject.org/overview.html">Tor Overview</a></li>
|
||||
<li><a href="https://www.torproject.org/faq-abuse.html">Tor Abuse FAQ</a></li>
|
||||
<li><a href="https://www.torproject.org//eff/tor-legal-faq.html">Tor Legal FAQ</a></li>
|
||||
</ol>
|
||||
<p>
|
||||
|
||||
That being said, if you still have a complaint about the router, you may
|
||||
email the <a href="mailto:<%= node['tor']['relay']['ContactInfo'] %>">maintainer</a>. If
|
||||
complaints are related to a particular service that is being abused, I will
|
||||
consider removing that service from my exit policy, which would prevent my
|
||||
router from allowing that traffic to exit through it. I can only do this on an
|
||||
IP+destination port basis, however. Common P2P ports are
|
||||
already blocked.
|
||||
|
||||
<p>You also have the option of blocking this IP address and others on
|
||||
the Tor network if you so desire. The Tor project provides a <a
|
||||
href="https://www.torproject.org/cvs/tor/contrib/exitlist">python script</a> to
|
||||
extract all IP addresses of Tor exit nodes, and an official <a
|
||||
href="http://exitlist.torproject.org/">DNSRBL</a> is also available to
|
||||
determine if a given IP address is actually a Tor exit server. Please
|
||||
be considerate
|
||||
when using these options. It would be unfortunate to deny all Tor users access
|
||||
to your site indefinitely simply because of a few bad apples.
|
||||
|
||||
</body>
|
||||
</html>
|
||||
235
site-cookbooks/tor-full/templates/default/torrc.erb
Normal file
235
site-cookbooks/tor-full/templates/default/torrc.erb
Normal file
@@ -0,0 +1,235 @@
|
||||
###############################################################
|
||||
#This file was automatically generated and dropped off by Chef!
|
||||
###############################################################
|
||||
|
||||
## Configuration file for a typical Tor user
|
||||
## Last updated 12 September 2012 for Tor 0.2.4.3-alpha.
|
||||
## (may or may not work for much older or much newer versions of Tor.)
|
||||
##
|
||||
## Lines that begin with "## " try to explain what's going on. Lines
|
||||
## that begin with just "#" are disabled commands: you can enable them
|
||||
## by removing the "#" symbol.
|
||||
##
|
||||
## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
|
||||
## for more options you can use in this file.
|
||||
##
|
||||
## Tor will look for this file in various places based on your platform:
|
||||
## https://www.torproject.org/docs/faq#torrc
|
||||
|
||||
## Tor opens a socks proxy on port 9050 by default -- even if you don't
|
||||
## configure one below. Set "SocksPort 0" if you plan to run Tor only
|
||||
## as a relay, and not make any local application connections yourself.
|
||||
#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
|
||||
#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
|
||||
<% if node['tor']['SocksPorts'].length > 0 %>
|
||||
<% node['tor']['SocksPorts'].each do |socksPort| -%>
|
||||
SocksPort <%= socksPort %>
|
||||
<% end -%>
|
||||
<% else %>
|
||||
SocksPort 0
|
||||
<% end %>
|
||||
|
||||
## Entry policies to allow/deny SOCKS requests based on IP address.
|
||||
## First entry that matches wins. If no SocksPolicy is set, we accept
|
||||
## all (and only) requests that reach a SocksPort. Untrusted users who
|
||||
## can access your SocksPort may be able to learn about the connections
|
||||
## you make.
|
||||
#SocksPolicy accept 192.168.0.0/16
|
||||
#SocksPolicy reject *
|
||||
|
||||
## Logs go to stdout at level "notice" unless redirected by something
|
||||
## else, like one of the below lines. You can have as many Log lines as
|
||||
## you want.
|
||||
##
|
||||
## We advise using "notice" in most cases, since anything more verbose
|
||||
## may provide sensitive information to an attacker who obtains the logs.
|
||||
##
|
||||
## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
|
||||
#Log notice file /var/log/tor/notices.log
|
||||
## Send every possible message to /var/log/tor/debug.log
|
||||
#Log debug file /var/log/tor/debug.log
|
||||
## Use the system log instead of Tor's logfiles
|
||||
#Log notice syslog
|
||||
## To send all messages to stderr:
|
||||
#Log debug stderr
|
||||
Log <%= node['tor']['MinLogLevel'] %> <%= node['tor']['LogDestination']=="syslog" ? "" : "file " %><%= node['tor']['LogDestination'] %>
|
||||
|
||||
## Uncomment this to start the process in the background... or use
|
||||
## --runasdaemon 1 on the command line. This is ignored on Windows;
|
||||
## see the FAQ entry if you want Tor to run as an NT service.
|
||||
#RunAsDaemon 1
|
||||
|
||||
## The directory for keeping all the keys/etc. By default, we store
|
||||
## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
|
||||
DataDirectory <%= node['tor']['DataDirectory'] %>
|
||||
|
||||
## The port on which Tor will listen for local connections from Tor
|
||||
## controller applications, as documented in control-spec.txt.
|
||||
#ControlPort 9051
|
||||
## If you enable the controlport, be sure to enable one of these
|
||||
## authentication methods, to prevent attackers from accessing it.
|
||||
#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
|
||||
#CookieAuthentication 1
|
||||
|
||||
############### This section is just for location-hidden services ###
|
||||
|
||||
## Once you have configured a hidden service, you can look at the
|
||||
## contents of the file ".../hidden_service/hostname" for the address
|
||||
## to tell people.
|
||||
##
|
||||
## HiddenServicePort x y:z says to redirect requests on port x to the
|
||||
## address y:z.
|
||||
|
||||
#HiddenServiceDir /var/lib/tor/hidden_service/
|
||||
#HiddenServicePort 80 127.0.0.1:80
|
||||
|
||||
#HiddenServiceDir /var/lib/tor/other_hidden_service/
|
||||
#HiddenServicePort 80 127.0.0.1:80
|
||||
#HiddenServicePort 22 127.0.0.1:22
|
||||
<% node['tor']['HiddenServices'].each do |name, service| -%>
|
||||
|
||||
HiddenServiceDir <%= service.HiddenServiceDir %>
|
||||
<% service.HiddenServicePorts.each do |port| -%>
|
||||
HiddenServicePort <%= port %>
|
||||
<% end -%>
|
||||
<% end -%>
|
||||
|
||||
<% if node['tor']['relay']['enabled'] %>
|
||||
################ This section is just for relays #####################
|
||||
#
|
||||
## See https://www.torproject.org/docs/tor-doc-relay for details.
|
||||
|
||||
## Required: what port to advertise for incoming Tor connections.
|
||||
ORPort <%= node['tor']['relay']['ORPort'] %>
|
||||
## If you want to listen on a port other than the one advertised in
|
||||
## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
|
||||
## follows. You'll need to do ipchains or other port forwarding
|
||||
## yourself to make this work.
|
||||
#ORPort 443 NoListen
|
||||
#ORPort 127.0.0.1:9090 NoAdvertise
|
||||
|
||||
## The IP address or full DNS name for incoming connections to your
|
||||
## relay. Leave commented out and Tor will guess.
|
||||
<% unless node['tor']['relay']['Address'].nil? %>
|
||||
Address <%= node['tor']['relay']['Address'] %>
|
||||
<% end %>
|
||||
|
||||
## If you have multiple network interfaces, you can specify one for
|
||||
## outgoing traffic to use.
|
||||
<% unless node['tor']['relay']['OutboundBindAddress'].nil? %>
|
||||
OutboundBindAddress <%= node['tor']['relay']['OutboundBindAddress'] %>
|
||||
<% end %>
|
||||
|
||||
## A handle for your relay, so people don't have to refer to it by key.
|
||||
Nickname <%= node['tor']['relay']['Nickname'] %>
|
||||
|
||||
## Define these to limit how much relayed traffic you will allow. Your
|
||||
## own traffic is still unthrottled. Note that RelayBandwidthRate must
|
||||
## be at least 20 KB.
|
||||
## Note that units for these config options are bytes per second, not bits
|
||||
## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
|
||||
<% unless node['tor']['relay']['RelayBandwidthRate'].nil? %>
|
||||
RelayBandwidthRate <%= node['tor']['relay']['RelayBandwidthRate'] %> KB
|
||||
<% end %>
|
||||
<% unless node['tor']['relay']['RelayBandwidthRate'].nil? %>
|
||||
RelayBandwidthBurst <%= node['tor']['relay']['RelayBandwidthBurst'] %> KB
|
||||
<% end %>
|
||||
#RelayBandwidthRate 100 KB # Throttle traffic to 100KB/s (800Kbps)
|
||||
#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
|
||||
|
||||
## Use these to restrict the maximum traffic per day, week, or month.
|
||||
## Note that this threshold applies separately to sent and received bytes,
|
||||
## not to their sum: setting "4 GB" may allow up to 8 GB total before
|
||||
## hibernating.
|
||||
##
|
||||
## Set a maximum of 4 gigabytes each way per period.
|
||||
#AccountingMax 4 GB
|
||||
## Each period starts daily at midnight (AccountingMax is per day)
|
||||
#AccountingStart day 00:00
|
||||
## Each period starts on the 3rd of the month at 15:00 (AccountingMax
|
||||
## is per month)
|
||||
#AccountingStart month 3 15:00
|
||||
|
||||
## Contact info to be published in the directory, so we can contact you
|
||||
## if your relay is misconfigured or something else goes wrong. Google
|
||||
## indexes this, so spammers might also collect it.
|
||||
#ContactInfo Random Person nobody AT example dot com
|
||||
## You might also include your PGP or GPG fingerprint if you have one:
|
||||
#ContactInfo 0xFFFFFFFF Random Person nobody AT example dot com
|
||||
<% unless node['tor']['relay']['ContactInfo'].nil? %>
|
||||
ContactInfo <%= node['tor']['relay']['ContactInfo'] %>
|
||||
<% end %>
|
||||
|
||||
## Uncomment this to mirror directory information for others. Please do
|
||||
## if you have enough bandwidth.
|
||||
#DirPort 9030 # what port to advertise for directory connections
|
||||
## If you want to listen on a port other than the one advertised in
|
||||
## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
|
||||
## follows. below too. You'll need to do ipchains or other port
|
||||
## forwarding yourself to make this work.
|
||||
#DirPort 80 NoListen
|
||||
#DirPort 127.0.0.1:9091 NoAdvertise
|
||||
## Uncomment to return an arbitrary blob of html on your DirPort. Now you
|
||||
## can explain what Tor is if anybody wonders why your IP address is
|
||||
## contacting them. See contrib/tor-exit-notice.html in Tor's source
|
||||
## distribution for a sample.
|
||||
<% if node['tor']['relay']['DirPortFrontPage'].is_a? String %>
|
||||
DirPortFrontPage <%= node['tor']['relay']['DirPortFrontPage'] %>
|
||||
<% elsif node['tor']['relay']['DirPortFrontPage'] %>
|
||||
DirPortFrontPage /etc/tor/tor-exit-notice.html
|
||||
<% end %>
|
||||
<% if node['tor']['relay']['Directory'] %>
|
||||
DirPort <%= node['tor']['relay']['DirPort'] %>
|
||||
<% end %>
|
||||
|
||||
## Uncomment this if you run more than one Tor relay, and add the identity
|
||||
## key fingerprint of each Tor relay you control, even if they're on
|
||||
## different networks. You declare it here so Tor clients can avoid
|
||||
## using more than one of your relays in a single circuit. See
|
||||
## https://www.torproject.org/docs/faq#MultipleRelays
|
||||
## However, you should never include a bridge's fingerprint here, as it would
|
||||
## break its concealability and potentionally reveal its IP/TCP address.
|
||||
#MyFamily $keyid,$keyid,...
|
||||
<% if node['tor']['relay']['MyFamily'].length > 0 %>
|
||||
MyFamily <%= node['tor']['relay']['MyFamily'].join(",") %>
|
||||
<% end %>
|
||||
|
||||
## A comma-separated list of exit policies. They're considered first
|
||||
## to last, and the first match wins. If you want to _replace_
|
||||
## the default exit policy, end this with either a reject *:* or an
|
||||
## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
|
||||
## default exit policy. Leave commented to just use the default, which is
|
||||
## described in the man page or at
|
||||
## https://www.torproject.org/documentation.html
|
||||
##
|
||||
## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
|
||||
## for issues you might encounter if you use the default exit policy.
|
||||
##
|
||||
## If certain IPs and ports are blocked externally, e.g. by your firewall,
|
||||
## you should update your exit policy to reflect this -- otherwise Tor
|
||||
## users will be told that those destinations are down.
|
||||
##
|
||||
## For security, by default Tor rejects connections to private (local)
|
||||
## networks, including to your public IP address. See the man page entry
|
||||
## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
|
||||
##
|
||||
#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
|
||||
#ExitPolicy accept *:119 # accept nntp as well as default exit policy
|
||||
#ExitPolicy reject *:* # no exits allowed
|
||||
<% node['tor']['relay']['ExitPolicy'].each do |exitPolicy| -%>
|
||||
ExitPolicy <%= exitPolicy %>
|
||||
<% end -%>
|
||||
|
||||
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
|
||||
## main directory. Since there is no complete public list of them, even an
|
||||
## ISP that filters connections to all the known Tor relays probably
|
||||
## won't be able to block all the bridges. Also, websites won't treat you
|
||||
## differently because they won't know you're running Tor. If you can
|
||||
## be a real relay, please do; but if not, be a bridge!
|
||||
BridgeRelay <%= node['tor']['relay']['BridgeRelay'] %>
|
||||
## By default, Tor will advertise your bridge to users through various
|
||||
## mechanisms like https://bridges.torproject.org/. If you want to run
|
||||
## a private bridge, for example because you'll give out your bridge
|
||||
## address manually to your friends, uncomment this line:
|
||||
PublishServerDescriptor <%= node['tor']['relay']['PublishServerDescriptor'] %>
|
||||
<% end %>
|
||||
Reference in New Issue
Block a user