Changes between Version 1454 and Version 1455 of doc/TorFAQ


Timestamp: Jul 22, 2014, 8:18:41 AM (3 years ago)
Author: aexl
Comment: no dirport for bridge, orlistenaddress and dirlistenaddress are deprecated (#5597)

  • doc/TorFAQ

    v1454 v1455  
    208208
    209209=== How can I make my relay accessible to people stuck behind restrictive firewalls? ===
    210 Expose your Tor relay on port 443 (HTTPS) so that people whose firewalls restrict them to HTTPS can still get to it. Also, you should expose your directory mirror on port 80 (that even works if Apache is already listening there).
     210Expose your Tor relay on port 443 (HTTPS) so that people whose firewalls restrict them to HTTPS can still get to it. Also, you should expose your directory mirror on port 80 (that even works if Apache is already listening there; but not working for a bridge).
    211211
    212212'''If you're using the version of Tor packaged for Debian''' (or Debian-based distributions like Ubuntu) then you can do this by setting orport to 443 and dirport to 80 in your relay's torrc.
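Review bot: the parenthetical added on new line 210, "but not working for a bridge", is ungrammatical and reads as if it qualifies the Apache remark rather than the DirPort advice. Per the change comment the intent is that a bridge gets no DirPort, so say that in its own sentence, e.g. "Bridges should not set a DirPort." The unchanged line 212 just below still tells every Debian user to set dirport to 80 without that exception, so it needs the same caveat.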
     
    214214However, if you '''aren't''' using Tor's deb package then this will take some more work. Binding to ports under 1024 usually requires you to run as root, and running Tor as root is not recommended (in case there are unknown exploitable bugs).  Instead, you should configure Tor to '''advertise''' its orport as 443, but really bind to another port (such as 9001).  Then, set up your computer to forward incoming connections from port 443 to port 9001.
    215215
    216 The Tor side is pretty easy: just set "orport 443" and "orlistenaddress 0.0.0.0:9001" in your torrc file.  This will make your Tor relay listen for connections to any of its IPs on port 9001, but tell the world that it's listening on port 443 instead. Similarly, "dirport 80" and "dirlistenaddress 0.0.0.0:9030" will bind to port 9030 locally but advertise port 80.
     216The Tor side is pretty easy - just set this in your torrc file:
     217{{{
     218ORPort 443 NoListen
     219ORPort 0.0.0.0:9001 NoAdvertise
     220}}}
     221This will make your Tor relay listen for connections to any of its IPs on port 9001, but tell the world that it's listening on port 443 instead. Similarly, "DirPort 80" and "DirPort 0.0.0.0:9030 NoAdvertise" will bind to port 9030 locally but advertise port 80.
    217222
    218223If your relay has multiple IP addresses and you want to advertise a port on an IP address that isn't your default IP, you can do this with Tor's "Address" config option.
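Review bot: on new line 221 the DirPort pair is inconsistent with the ORPort block at 218-219: "DirPort 80" is given without NoListen, so unlike "ORPort 443 NoListen" it would also try to bind port 80, which is the privileged bind this paragraph is meant to avoid. Write it as "DirPort 80 NoListen" plus "DirPort 0.0.0.0:9030 NoAdvertise", preferably in its own {{{ }}} block like the ORPort lines rather than inline in quotes.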
     
    234239 * When using shorewall (version 2.2.3) you may find it helpful to do add something like this (inside /etc/shorewall/rules):
    235240{{{
    236    # DirListenAddress $IP:9091
     241   # DirPort $IP:9091 NoAdvertise #Listen address
    237242   DNAT    net     $FW:$IP:9091  tcp     80      -       $IP
    238243   ACCEPT  $FW:$IP       net     tcp     9091
    239    # ORListenAddress $IP:9090
     244   # ORPort $IP:9090 NoAdvertise #Listen address
    240245   DNAT    net     $FW:$IP:9090  tcp     443     -       $IP
    241246   ACCEPT  $FW:$IP       net     tcp     9090
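Review bot: the rewritten comments at new lines 241 and 244 show only the NoAdvertise (listen) half of each pair, so a reader copying from this block will not see that a matching advertise line with NoListen is also required, as in the ORPort example at 218-219. Either add the advertise lines to the comments or point back to that example. The trailing "#Listen address" inside an already commented line is redundant and can be folded into the comment text.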