@waaaaargh
Last active February 12, 2018 17:32
[Draft] This document explains how to run multiple tor processes on one host.
Managing multiple Tor processes on one host
===========================================
Due to Tor's internal architecture, running only one Tor process per physical
host is often not enough. As a rule of thumb, you should run one Tor process per
physical CPU core to make full use of the host's CPU power. This, however,
brings other difficulties with it: the Tor network limits the number of Tor
relays per IP address in the consensus to 2. Also, the relay nodes should be
reachable on ports 80 and 443, since those ports are often unfiltered and unblocked.
1. Preparing Your Host
----------------------
This guide assumes that you have a host with 4 CPU cores and that the IP
addresses x.y.z.11 - x.y.z.15 are routed to it correctly.
2. Tor Configuration
--------------------
Managing multiple Tor processes requires an initscript that is different from
the one distributed with Tor's Debian package.
```
# cd /etc/init.d
# mv tor tor.dist
# wget -O tor https://www.torservers.net/misc/config/initd-tor
```
The new initscript itself requires some changes to the Tor configs. Instead
of one `torrc` file, one file called `tor<n>.cfg` is needed per process.
Feel free to use the config file provided by torservers.net, which you find
at http://www.torservers.net/misc/config/torrc, as a template.
After editing the template according to your needs, copy it for each process
you want to run. The following attributes must be changed per process:
* ``Nickname``
* ``Address``
* ``OutboundBindAddress``
* ``ORListenAddress``
* ``DirListenAddress``
* ``DataDirectory``
* ``PidFile``
* ``Log notice file``
Make sure the locations that ``DataDirectory``, ``PidFile`` and
``Log notice file`` point to actually exist and are writable for the user running
Tor.
If you don't plan on running a web server on port 80 that forwards directory
requests to the Tor processes, you should change ``DirListenAddress`` to a publicly
reachable IP address and, by convention, port 80.
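As an added example (not part of the gist), the following script writes one ``tor<n>.cfg`` per process from a shared template and then checks that every attribute in the list above really differs between the generated files; two processes sharing a ``DataDirectory``, ``PidFile`` or listen address would otherwise fight each other at start-up. The IP prefix, nickname prefix and the ``903<n>`` local ``DirListenAddress`` for a reverse proxy are assumptions.

```shell
#!/bin/sh
# Added example: generate tor<n>.cfg files from a common template and verify
# that the per-process attributes are unique. The template is assumed to hold
# the shared settings (ORPort 443, DirPort 80, ...); process n gets the public
# IP ${IP_PREFIX}.1(n+1) and a local DirListenAddress on port 903<n>.
IP_PREFIX="${IP_PREFIX:-192.0.2}"        # constructed placeholder for x.y.z
NICK_PREFIX="${NICK_PREFIX:-myrelay}"    # constructed placeholder nickname

# Print the attributes that must differ for process number N (0-based).
per_process_config() {
    n="$1"
    ip="${IP_PREFIX}.$((11 + n))"
    cat <<EOF
Nickname ${NICK_PREFIX}${n}
Address ${ip}
OutboundBindAddress ${ip}
ORListenAddress ${ip}:443
DirListenAddress 127.0.0.1:903${n}
DataDirectory /var/lib/tor${n}
PidFile /var/run/tor/tor${n}.pid
Log notice file /var/log/tor/tor${n}.log
EOF
}

# generate_configs COUNT TEMPLATE OUTDIR: write OUTDIR/tor0.cfg .. tor<COUNT-1>.cfg
generate_configs() {
    count="$1"; template="$2"; outdir="$3"
    n=0
    while [ "$n" -lt "$count" ]; do
        { cat "$template"; per_process_config "$n"; } > "$outdir/tor${n}.cfg"
        n=$((n + 1))
    done
}

# check_unique KEY FILE...: succeed only if KEY has a distinct value in every
# file, i.e. the number of distinct values equals the number of files.
check_unique() {
    key="$1"; shift
    distinct=$(for f in "$@"; do
                   awk -v k="$key" '$1 == k { $1 = ""; print }' "$f"
               done | sort -u | wc -l | tr -d ' ')
    [ "$distinct" -eq "$#" ]
}

# Demo in a scratch directory (no root needed).
demo_dir=$(mktemp -d)
printf 'ORPort 443\nDirPort 80\n' > "$demo_dir/template"
generate_configs 4 "$demo_dir/template" "$demo_dir"
for key in Nickname Address ORListenAddress DirListenAddress DataDirectory PidFile Log; do
    check_unique "$key" "$demo_dir"/tor*.cfg && echo "ok: $key unique" || echo "DUPLICATE: $key"
done
```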
3. Running Tor
--------------
```
# /etc/init.d/tor start              # starts tor0-tor3
# /etc/init.d/tor stop               # stops tor0-tor3
# /etc/init.d/tor reload tor2 tor3   # reloads only the named processes
# /etc/init.d/tor stop tor1          # stops only tor1
```
4. Infopages
------------
Most Tor exit relay operators consider it best practice to run a webserver on all
exit nodes in order to facilitate abuse handling [1].
torservers.net has a special page that clearly shows that the host is an exit
relay and offers contact information in case of abuse.
HTTP requests to a resource under ``/tor`` are reverse-proxied to the corresponding
Tor process by the webserver.
The first thing to do is, of course, install the webserver:
```
# apt-get install lighttpd
```
Now you should delete the default index page that comes with lighttpd and deploy your own
info page in its place.
```
# rm /var/www/index.lighttpd.html
```
To reverse-proxy the requests to the Tor processes, you need to activate lighttpd's
proxy module:
```
# lighttpd-enable-mod proxy
```
Now we need to edit the proxy config file at ``/etc/lighttpd/conf-enabled/10-proxy.conf``
to contain a block like this for every Tor process:
```
$SERVER["socket"] == "x.y.z.<n>:80" {
    $HTTP["url"] =~ "^/tor(/|$)" {
        proxy.server = ( "" => ( ( "host" => "127.0.0.1",
                                   "port" => 903<n> ) ) )
    }
}
```
Counterintuitively, you need to change lighttpd's bind address to localhost:
each ``$SERVER["socket"]`` conditional opens its own listening socket on the given
address, and the default ``server.bind`` would otherwise grab port 80 on all addresses too.
```
# vi /etc/lighttpd/lighttpd.conf
...
server.bind = "127.0.0.1"
...
```
One last restart of lighttpd and the Tor processes and everything should be working:
```
# service tor stop
# service lighttpd restart
# service tor start
```
5. Feedback? Questions?
-----------------------
If you have any questions or feedback regarding this document, feel free to contact
me via mail: johannes [at] torservers.net