+-
+ AllowInvalidNodes entry|exit|middle|introduction|rendezvous|…
+
+-
+
+ If some Tor servers are obviously not working right, the directory
+ authorities can manually mark them as invalid, meaning that it’s not
+ recommended you use them for entry or exit positions in your circuits. You
+ can opt to use them in some circuit positions, though. The default is
+ "middle,rendezvous", and other choices are not advised.
+
+
+-
+ ExcludeSingleHopRelays 0|1
+
+-
+
+ This option controls whether circuits built by Tor will include relays with
+ the AllowSingleHopExits flag set to true. If ExcludeSingleHopRelays is set
+ to 0, these relays will be included. Note that these relays might be at
+ higher risk of being seized or observed, so they are not normally
+ included. Also note that relatively few clients turn off this option,
+ so using these relays might make your client stand out.
+ (Default: 1)
+
+
+-
+ Bridge [transport] IP:ORPort [fingerprint]
+
+-
+
+ When set along with UseBridges, instructs Tor to use the relay at
+ "IP:ORPort" as a "bridge" relaying into the Tor network. If "fingerprint"
+ is provided (using the same format as for DirAuthority), we will verify that
+ the relay running at that location has the right fingerprint. We also use
+ fingerprint to look up the bridge descriptor at the bridge authority, if
+ it’s provided and if UpdateBridgesFromAuthority is set too.
+
+ If "transport" is provided, it must match a ClientTransportPlugin line. We
+ then use that pluggable transport’s proxy to transfer data to the bridge,
+ rather than connecting to the bridge directly. Some transports use a
+ transport-specific method to work out the remote address to connect to.
+ These transports typically ignore the "IP:ORPort" specified in the bridge
+ line.
+
+
+-
+ LearnCircuitBuildTimeout 0|1
+
+-
+
+ If 0, CircuitBuildTimeout adaptive learning is disabled. (Default: 1)
+
+
+-
+ CircuitBuildTimeout NUM
+
+-
+
+ Try for at most NUM seconds when building circuits. If the circuit isn’t
+ open in that time, give up on it. If LearnCircuitBuildTimeout is 1, this
+ value serves as the initial value to use before a timeout is learned. If
+ LearnCircuitBuildTimeout is 0, this value is the only value used.
+ (Default: 60 seconds)
+
+
+-
+ CircuitIdleTimeout NUM
+
+-
+
+ If we have kept a clean (never used) circuit around for NUM seconds, then
+ close it. This way when the Tor client is entirely idle, it can expire all
+ of its circuits, and then expire its TLS connections. Also, if we end up
+ making a circuit that is not useful for exiting any of the requests we’re
+ receiving, it won’t forever take up a slot in the circuit list. (Default: 1
+ hour)
+
+
+-
+ CircuitStreamTimeout NUM
+
+-
+
+ If non-zero, this option overrides our internal timeout schedule for how
+ many seconds until we detach a stream from a circuit and try a new circuit.
+ If your network is particularly slow, you might want to set this to a
+ number like 60. (Default: 0)
+
+
+-
+ ClientOnly 0|1
+
+-
+
+ If set to 1, Tor will not run as a relay or serve
+ directory requests, even if the ORPort, ExtORPort, or DirPort options are
+ set. (This config option is
+ mostly unnecessary: we added it back when we were considering having
+ Tor clients auto-promote themselves to being relays if they were stable
+ and fast enough. The current behavior is simply that Tor is a client
+ unless ORPort, ExtORPort, or DirPort are configured.) (Default: 0)
+
+
+-
+ ExcludeNodes node,node,…
+
+-
+
+ A list of identity fingerprints, country codes, and address
+ patterns of nodes to avoid when building a circuit. Country codes are
+ 2-letter ISO3166 codes, and must
+ be wrapped in braces; fingerprints may be preceded by a dollar sign.
+ (Example:
+ ExcludeNodes ABCD1234CDEF5678ABCD1234CDEF5678ABCD1234, {cc}, 255.254.0.0/8)
+
+ By default, this option is treated as a preference that Tor is allowed
+ to override in order to keep working.
+ For example, if you try to connect to a hidden service,
+ but you have excluded all of the hidden service’s introduction points,
+ Tor will connect to one of them anyway. If you do not want this
+ behavior, set the StrictNodes option (documented below).
+
+ Note also that if you are a relay, this (and the other node selection
+ options below) only affects your own circuits that Tor builds for you.
+ Clients can still build circuits through you to any node. Controllers
+ can tell Tor to build circuits through any node.
+
+ Country codes are case-insensitive. The code "{??}" refers to nodes whose
+ country can’t be identified. No country code, including {??}, works if
+ no GeoIPFile can be loaded. See also the GeoIPExcludeUnknown option below.
+
+
+-
+ ExcludeExitNodes node,node,…
+
+-
+
+ A list of identity fingerprints, country codes, and address
+ patterns of nodes to never use when picking an exit node---that is, a
+ node that delivers traffic for you outside the Tor network. Note that any
+ node listed in ExcludeNodes is automatically considered to be part of this
+ list too. See
+ the ExcludeNodes option for more information on how to specify
+ nodes. See also the caveats on the "ExitNodes" option below.
+
+
+-
+ GeoIPExcludeUnknown 0|1|auto
+
+-
+
+ If this option is set to auto, then whenever any country code is set in
+ ExcludeNodes or ExcludeExitNodes, all nodes with unknown country ({??} and
+ possibly {A1}) are treated as excluded as well. If this option is set to
+ 1, then all unknown countries are treated as excluded in ExcludeNodes
+ and ExcludeExitNodes. This option has no effect when a GeoIP file isn’t
+ configured or can’t be found. (Default: auto)
+
+
+-
+ ExitNodes node,node,…
+
+-
+
+ A list of identity fingerprints, country codes, and address
+ patterns of nodes to use as exit node---that is, a
+ node that delivers traffic for you outside the Tor network. See
+ the ExcludeNodes option for more information on how to specify nodes.
+
+ Note that if you list too few nodes here, or if you exclude too many exit
+ nodes with ExcludeExitNodes, you can degrade functionality. For example,
+ if none of the exits you list allows traffic on port 80 or 443, you won’t
+ be able to browse the web.
+
+ Note also that not every circuit is used to deliver traffic outside of
+ the Tor network. It is normal to see non-exit circuits (such as those
+ used to connect to hidden services, those that do directory fetches,
+ those used for relay reachability self-tests, and so on) that end
+ at a non-exit node. To
+ keep a node from being used entirely, see ExcludeNodes and StrictNodes.
+
+ The ExcludeNodes option overrides this option: any node listed in both
+ ExitNodes and ExcludeNodes is treated as excluded.
+
+ The .exit address notation, if enabled via AllowDotExit, overrides
+ this option.
+
+
+-
+ EntryNodes node,node,…
+
+-
+
+ A list of identity fingerprints and country codes of nodes
+ to use for the first hop in your normal circuits.
+ Normal circuits include all
+ circuits except for direct connections to directory servers. The Bridge
+ option overrides this option; if you have configured bridges and
+ UseBridges is 1, the Bridges are used as your entry nodes.
+
+ The ExcludeNodes option overrides this option: any node listed in both
+ EntryNodes and ExcludeNodes is treated as excluded. See
+ the ExcludeNodes option for more information on how to specify nodes.
+
+
+-
+ StrictNodes 0|1
+
+-
+
+ If StrictNodes is set to 1, Tor will treat the ExcludeNodes option as a
+ requirement to follow for all the circuits you generate, even if doing so
+ will break functionality for you. If StrictNodes is set to 0, Tor will
+ still try to avoid nodes in the ExcludeNodes list, but it will err on the
+ side of avoiding unexpected errors. Specifically, StrictNodes 0 tells
+ Tor that it is okay to use an excluded node when it is necessary to
+ perform relay reachability self-tests, connect to
+ a hidden service, provide a hidden service to a client, fulfill a .exit
+ request, upload directory information, or download directory information.
+ (Default: 0)
+
+
+-
+ FascistFirewall 0|1
+
+-
+
+ If 1, Tor will only create outgoing connections to ORs running on ports
+ that your firewall allows (defaults to 80 and 443; see FirewallPorts).
+ This will allow you to run Tor as a client behind a firewall with
+ restrictive policies, but will not allow you to run as a server behind such
+ a firewall. If you prefer more fine-grained control, use
+ ReachableAddresses instead.
+
+
+-
+ FirewallPorts PORTS
+
+-
+
+ A list of ports that your firewall allows you to connect to. Only used when
+ FascistFirewall is set. This option is deprecated; use ReachableAddresses
+ instead. (Default: 80, 443)
+
+
+-
+ ReachableAddresses ADDR[/MASK][:PORT]…
+
+-
+
+ A comma-separated list of IP addresses and ports that your firewall allows
+ you to connect to. The format is as for the addresses in ExitPolicy, except
+ that "accept" is understood unless "reject" is explicitly provided. For
+ example, 'ReachableAddresses 99.0.0.0/8, reject 18.0.0.0/8:80, accept
+ *:80' means that your firewall allows connections to everything inside net
+ 99, rejects port 80 connections to net 18, and accepts connections to port
+ 80 otherwise. (Default: 'accept *:*'.)
+
+
+-
+ ReachableDirAddresses ADDR[/MASK][:PORT]…
+
+-
+
+ Like ReachableAddresses, a list of addresses and ports. Tor will obey
+ these restrictions when fetching directory information, using standard HTTP
+ GET requests. If not set explicitly then the value of
+ ReachableAddresses is used. If HTTPProxy is set then these
+ connections will go through that proxy.
+
+
+-
+ ReachableORAddresses ADDR[/MASK][:PORT]…
+
+-
+
+ Like ReachableAddresses, a list of addresses and ports. Tor will obey
+ these restrictions when connecting to Onion Routers, using TLS/SSL. If not
+ set explicitly then the value of ReachableAddresses is used. If
+ HTTPSProxy is set then these connections will go through that proxy.
+
+ The separation between ReachableORAddresses and
+ ReachableDirAddresses is only interesting when you are connecting
+ through proxies (see HTTPProxy and HTTPSProxy). Most proxies limit
+ TLS connections (which Tor uses to connect to Onion Routers) to port 443,
+ and some limit HTTP GET requests (which Tor uses for fetching directory
+ information) to port 80.
+
+
+-
+ HidServAuth onion-address auth-cookie [service-name]
+
+-
+
+ Client authorization for a hidden service. Valid onion addresses contain 16
+ characters in a-z2-7 plus ".onion", and valid auth cookies contain 22
+ characters in A-Za-z0-9+/. The service name is only used for internal
+ purposes, e.g., for Tor controllers. This option may be used multiple times
+ for different hidden services. If a hidden service uses authorization and
+ this option is not set, the hidden service is not accessible. Hidden
+ services can be configured to require authorization using the
+ HiddenServiceAuthorizeClient option.
+
+
+-
+ CloseHSClientCircuitsImmediatelyOnTimeout 0|1
+
+-
+
+ If 1, Tor will close unfinished hidden service client circuits
+ which have not moved closer to connecting to their destination
+ hidden service when their internal state has not changed for the
+ duration of the current circuit-build timeout. Otherwise, such
+ circuits will be left open, in the hope that they will finish
+ connecting to their destination hidden services. In either case,
+ another set of introduction and rendezvous circuits for the same
+ destination hidden service will be launched. (Default: 0)
+
+
+-
+ CloseHSServiceRendCircuitsImmediatelyOnTimeout 0|1
+
+-
+
+ If 1, Tor will close unfinished hidden-service-side rendezvous
+ circuits after the current circuit-build timeout. Otherwise, such
+ circuits will be left open, in the hope that they will finish
+ connecting to their destinations. In either case, another
+ rendezvous circuit for the same destination client will be
+ launched. (Default: 0)
+
+
+-
+ LongLivedPorts PORTS
+
+-
+
+ A list of ports for services that tend to have long-running connections
+ (e.g. chat and interactive shells). Circuits for streams that use these
+ ports will contain only high-uptime nodes, to reduce the chance that a node
+ will go down before the stream is finished. Note that the list is also
+ honored for circuits (both client and service side) involving hidden
+ services whose virtual port is in this list. (Default: 21, 22, 706,
+ 1863, 5050, 5190, 5222, 5223, 6523, 6667, 6697, 8300)
+
+
+-
+ MapAddress address newaddress
+
+-
+
+ When a request for address arrives to Tor, it will transform to newaddress
+ before processing it. For example, if you always want connections to
+ www.example.com to exit via torserver (where torserver is the
+ fingerprint of the server), use "MapAddress www.example.com
+ www.example.com.torserver.exit". If the value is prefixed with a
+ "*.", matches an entire domain. For example, if you
+ always want connections to example.com and any if its subdomains
+ to exit via
+ torserver (where torserver is the fingerprint of the server), use
+ "MapAddress *.example.com *.example.com.torserver.exit". (Note the
+ leading "*." in each part of the directive.) You can also redirect all
+ subdomains of a domain to a single address. For example, "MapAddress
+ *.example.com www.example.com".
+
+ NOTES:
+
+
+-
+
+When evaluating MapAddress expressions Tor stops when it hits the most
+ recently added expression that matches the requested address. So if you
+ have the following in your torrc, www.torproject.org will map to 1.1.1.1:
+
+
+
+
MapAddress www.torproject.org 2.2.2.2
+MapAddress www.torproject.org 1.1.1.1
+
+
+-
+
+Tor evaluates the MapAddress configuration until it finds no matches. So
+ if you have the following in your torrc, www.torproject.org will map to
+ 2.2.2.2:
+
+
+
+
MapAddress 1.1.1.1 2.2.2.2
+MapAddress www.torproject.org 1.1.1.1
+
+
+-
+
+The following MapAddress expression is invalid (and will be
+ ignored) because you cannot map from a specific address to a wildcard
+ address:
+
+
+
+
MapAddress www.torproject.org *.torproject.org.torserver.exit
+
+
+-
+
+Using a wildcard to match only part of a string (as in *ample.com) is
+ also invalid.
+
+
+
+
+-
+ NewCircuitPeriod NUM
+
+-
+
+ Every NUM seconds consider whether to build a new circuit. (Default: 30
+ seconds)
+
+
+-
+ MaxCircuitDirtiness NUM
+
+-
+
+ Feel free to reuse a circuit that was first used at most NUM seconds ago,
+ but never attach a new stream to a circuit that is too old. For hidden
+ services, this applies to the last time a circuit was used, not the
+ first. Circuits with streams constructed with SOCKS authentication via
+ SocksPorts that have KeepAliveIsolateSOCKSAuth ignore this value.
+ (Default: 10 minutes)
+
+
+-
+ MaxClientCircuitsPending NUM
+
+-
+
+ Do not allow more than NUM circuits to be pending at a time for handling
+ client streams. A circuit is pending if we have begun constructing it,
+ but it has not yet been completely constructed. (Default: 32)
+
+
+-
+ NodeFamily node,node,…
+
+-
+
+ The Tor servers, defined by their identity fingerprints,
+ constitute a "family" of similar or co-administered servers, so never use
+ any two of them in the same circuit. Defining a NodeFamily is only needed
+ when a server doesn’t list the family itself (with MyFamily). This option
+ can be used multiple times; each instance defines a separate family. In
+ addition to nodes, you can also list IP address and ranges and country
+ codes in {curly braces}. See the ExcludeNodes option for more
+ information on how to specify nodes.
+
+
+-
+ EnforceDistinctSubnets 0|1
+
+-
+
+ If 1, Tor will not put two servers whose IP addresses are "too close" on
+ the same circuit. Currently, two addresses are "too close" if they lie in
+ the same /16 range. (Default: 1)
+
+
+-
+ SocksPort [address:]port|unix:path|auto [flags] [isolation flags]
+
+-
+
+ Open this port to listen for connections from SOCKS-speaking
+ applications. Set this to 0 if you don’t want to allow application
+ connections via SOCKS. Set it to "auto" to have Tor pick a port for
+ you. This directive can be specified multiple times to bind
+ to multiple addresses/ports. If a unix domain socket is used, you may
+ quote the path using standard C escape sequences.
+ (Default: 9050)
+
+ NOTE: Although this option allows you to specify an IP address
+ other than localhost, you should do so only with extreme caution.
+ The SOCKS protocol is unencrypted and (as we use it)
+ unauthenticated, so exposing it in this way could leak your
+ information to anybody watching your network, and allow anybody
+ to use your computer as an open proxy.
+
+ The isolation flags arguments give Tor rules for which streams
+ received on this SocksPort are allowed to share circuits with one
+ another. Recognized isolation flags are:
+
+
+-
+IsolateClientAddr
+
+-
+
+ Don’t share circuits with streams from a different
+ client address. (On by default and strongly recommended when
+ supported; you can disable it with NoIsolateClientAddr.
+ Unsupported and force-disabled when using Unix domain sockets.)
+
+
+-
+IsolateSOCKSAuth
+
+-
+
+ Don’t share circuits with streams for which different
+ SOCKS authentication was provided. (On by default;
+ you can disable it with NoIsolateSOCKSAuth.)
+
+
+-
+IsolateClientProtocol
+
+-
+
+ Don’t share circuits with streams using a different protocol.
+ (SOCKS 4, SOCKS 5, TransPort connections, NATDPort connections,
+ and DNSPort requests are all considered to be different protocols.)
+
+
+-
+IsolateDestPort
+
+-
+
+ Don’t share circuits with streams targeting a different
+ destination port.
+
+
+-
+IsolateDestAddr
+
+-
+
+ Don’t share circuits with streams targeting a different
+ destination address.
+
+
+-
+KeepAliveIsolateSOCKSAuth
+
+-
+
+ If IsolateSOCKSAuth is enabled, keep alive circuits that have
+ streams with SOCKS authentication set indefinitely.
+
+
+-
+SessionGroup=INT
+
+-
+
+ If no other isolation rules would prevent it, allow streams
+ on this port to share circuits with streams from every other
+ port with the same session group. (By default, streams received
+ on different SocksPorts, TransPorts, etc are always isolated from one
+ another. This option overrides that behavior.)
+
+
+
+
+-
+
+
+-
+
+ Other recognized flags for a SocksPort are:
+
+
+-
+NoIPv4Traffic
+
+-
+
+ Tell exits to not connect to IPv4 addresses in response to SOCKS
+ requests on this connection.
+
+
+-
+IPv6Traffic
+
+-
+
+ Tell exits to allow IPv6 addresses in response to SOCKS requests on
+ this connection, so long as SOCKS5 is in use. (SOCKS4 can’t handle
+ IPv6.)
+
+
+-
+PreferIPv6
+
+-
+
+ Tells exits that, if a host has both an IPv4 and an IPv6 address,
+ we would prefer to connect to it via IPv6. (IPv4 is the default.)
+
+
+-
+NoDNSRequest
+
+-
+
+ Do not ask exits to resolve DNS addresses in SOCKS5 requests. Tor will
+ connect to IPv4 addresses, IPv6 addresses (if IPv6Traffic is set) and
+ .onion addresses.
+
+
+-
+NoOnionTraffic
+
+-
+
+ Do not connect to .onion addresses in SOCKS5 requests.
+
+
+-
+OnionTrafficOnly
+
+-
+
+ Tell the tor client to only connect to .onion addresses in response to
+ SOCKS5 requests on this connection. This is equivalent to NoDNSRequest,
+ NoIPv4Traffic, NoIPv6Traffic. The corresponding NoOnionTrafficOnly
+ flag is not supported.
+
+
+-
+CacheIPv4DNS
+
+-
+
+ Tells the client to remember IPv4 DNS answers we receive from exit
+ nodes via this connection. (On by default.)
+
+
+-
+CacheIPv6DNS
+
+-
+
+ Tells the client to remember IPv6 DNS answers we receive from exit
+ nodes via this connection.
+
+
+-
+GroupWritable
+
+-
+
+ Unix domain sockets only: makes the socket get created as
+ group-writable.
+
+
+-
+WorldWritable
+
+-
+
+ Unix domain sockets only: makes the socket get created as
+ world-writable.
+
+
+-
+CacheDNS
+
+-
+
+ Tells the client to remember all DNS answers we receive from exit
+ nodes via this connection.
+
+
+-
+UseIPv4Cache
+
+-
+
+ Tells the client to use any cached IPv4 DNS answers we have when making
+ requests via this connection. (NOTE: This option, along UseIPv6Cache
+ and UseDNSCache, can harm your anonymity, and probably
+ won’t help performance as much as you might expect. Use with care!)
+
+
+-
+UseIPv6Cache
+
+-
+
+ Tells the client to use any cached IPv6 DNS answers we have when making
+ requests via this connection.
+
+
+-
+UseDNSCache
+
+-
+
+ Tells the client to use any cached DNS answers we have when making
+ requests via this connection.
+
+
+-
+PreferIPv6Automap
+
+-
+
+ When serving a hostname lookup request on this port that
+ should get automapped (according to AutomapHostsOnResolve),
+ if we could return either an IPv4 or an IPv6 answer, prefer
+ an IPv6 answer. (On by default.)
+
+
+-
+PreferSOCKSNoAuth
+
+-
+
+ Ordinarily, when an application offers both "username/password
+ authentication" and "no authentication" to Tor via SOCKS5, Tor
+ selects username/password authentication so that IsolateSOCKSAuth can
+ work. This can confuse some applications, if they offer a
+ username/password combination then get confused when asked for
+ one. You can disable this behavior, so that Tor will select "No
+ authentication" when IsolateSOCKSAuth is disabled, or when this
+ option is set.
+
+
+
+
Flags are processed left to right. If flags conflict, the last flag on the
+line is used, and all earlier flags are ignored. No error is issued for
+conflicting flags.
+
+
+
+
+-
+ SocksListenAddress IP[:PORT]
+
+-
+
+ Bind to this address to listen for connections from Socks-speaking
+ applications. (Default: 127.0.0.1) You can also specify a port (e.g.
+ 192.168.0.1:9100). This directive can be specified multiple times to bind
+ to multiple addresses/ports. (DEPRECATED: As of 0.2.3.x-alpha, you can
+ now use multiple SocksPort entries, and provide addresses for SocksPort
+ entries, so SocksListenAddress no longer has a purpose. For backward
+ compatibility, SocksListenAddress is only allowed when SocksPort is just
+ a port number.)
+
+
+-
+ SocksPolicy policy,policy,…
+
+-
+
+ Set an entrance policy for this server, to limit who can connect to the
+ SocksPort and DNSPort ports. The policies have the same form as exit
+ policies below, except that port specifiers are ignored. Any address
+ not matched by some entry in the policy is accepted.
+
+
+-
+ SocksTimeout NUM
+
+-
+
+ Let a socks connection wait NUM seconds handshaking, and NUM seconds
+ unattached waiting for an appropriate circuit, before we fail it. (Default:
+ 2 minutes)
+
+
+-
+ TokenBucketRefillInterval NUM [msec|second]
+
+-
+
+ Set the refill interval of Tor’s token bucket to NUM milliseconds.
+ NUM must be between 1 and 1000, inclusive. Note that the configured
+ bandwidth limits are still expressed in bytes per second: this
+ option only affects the frequency with which Tor checks to see whether
+ previously exhausted connections may read again. (Default: 100 msec)
+
+
+-
+ TrackHostExits host,.domain,…
+
+-
+
+ For each value in the comma separated list, Tor will track recent
+ connections to hosts that match this value and attempt to reuse the same
+ exit node for each. If the value is prepended with a '.', it is treated as
+ matching an entire domain. If one of the values is just a '.', it means
+ match everything. This option is useful if you frequently connect to sites
+ that will expire all your authentication cookies (i.e. log you out) if
+ your IP address changes. Note that this option does have the disadvantage
+ of making it more clear that a given history is associated with a single
+ user. However, most people who would wish to observe this will observe it
+ through cookies or other protocol-specific means anyhow.
+
+
+-
+ TrackHostExitsExpire NUM
+
+-
+
+ Since exit servers go up and down, it is desirable to expire the
+ association between host and exit server after NUM seconds. The default is
+ 1800 seconds (30 minutes).
+
+
+-
+ UpdateBridgesFromAuthority 0|1
+
+-
+
+ When set (along with UseBridges), Tor will try to fetch bridge descriptors
+ from the configured bridge authorities when feasible. It will fall back to
+ a direct request if the authority responds with a 404. (Default: 0)
+
+
+-
+ UseBridges 0|1
+
+-
+
+ When set, Tor will fetch descriptors for each bridge listed in the "Bridge"
+ config lines, and use these relays as both entry guards and directory
+ guards. (Default: 0)
+
+
+-
+ UseEntryGuards 0|1
+
+-
+
+ If this option is set to 1, we pick a few long-term entry servers, and try
+ to stick with them. This is desirable because constantly changing servers
+ increases the odds that an adversary who owns some servers will observe a
+ fraction of your paths. Entry Guards can not be used by Directory
+ Authorities, Single Onion Services, and Tor2web clients. In these cases,
+ the this option is ignored. (Default: 1)
+
+
+-
+ UseEntryGuardsAsDirGuards 0|1
+
+-
+
+ If this option is set to 1, and UseEntryGuards is also set to 1,
+ we try to use our entry guards as directory
+ guards, and failing that, pick more nodes to act as our directory guards.
+ This helps prevent an adversary from enumerating clients. It’s only
+ available for clients (non-relay, non-bridge) that aren’t configured to
+ download any non-default directory material. It doesn’t currently
+ do anything when we lack a live consensus. (Default: 1)
+
+
+-
+ GuardfractionFile FILENAME
+
+-
+
+ V3 authoritative directories only. Configures the location of the
+ guardfraction file which contains information about how long relays
+ have been guards. (Default: unset)
+
+
+-
+ UseGuardFraction 0|1|auto
+
+-
+
+ This torrc option specifies whether clients should use the
+ guardfraction information found in the consensus during path
+ selection. If it’s set to auto, clients will do what the
+ UseGuardFraction consensus parameter tells them to do. (Default: auto)
+
+
+-
+ NumEntryGuards NUM
+
+-
+
+ If UseEntryGuards is set to 1, we will try to pick a total of NUM routers
+ as long-term entries for our circuits. If NUM is 0, we try to learn
+ the number from the NumEntryGuards consensus parameter, and default
+ to 3 if the consensus parameter isn’t set. (Default: 0)
+
+
+-
+ NumDirectoryGuards NUM
+
+-
+
+ If UseEntryGuardsAsDirectoryGuards is enabled, we try to make sure we
+ have at least NUM routers to use as directory guards. If this option
+ is set to 0, use the value from the NumDirectoryGuards consensus
+ parameter, falling back to the value from NumEntryGuards if the
+ consensus parameter is 0 or isn’t set. (Default: 0)
+
+
+-
+ GuardLifetime N days|weeks|months
+
+-
+
+ If nonzero, and UseEntryGuards is set, minimum time to keep a guard before
+ picking a new one. If zero, we use the GuardLifetime parameter from the
+ consensus directory. No value here may be less than 1 month or greater
+ than 5 years; out-of-range values are clamped. (Default: 0)
+
+
+-
+ SafeSocks 0|1
+
+-
+
+ When this option is enabled, Tor will reject application connections that
+ use unsafe variants of the socks protocol — ones that only provide an IP
+ address, meaning the application is doing a DNS resolve first.
+ Specifically, these are socks4 and socks5 when not doing remote DNS.
+ (Default: 0)
+
+
+-
+ TestSocks 0|1
+
+-
+
+ When this option is enabled, Tor will make a notice-level log entry for
+ each connection to the Socks port indicating whether the request used a
+ safe socks protocol or an unsafe one (see above entry on SafeSocks). This
+ helps to determine whether an application using Tor is possibly leaking
+ DNS requests. (Default: 0)
+
+
+-
+ WarnUnsafeSocks 0|1
+
+-
+
+ When this option is enabled, Tor will warn whenever a request is
+ received that only contains an IP address instead of a hostname. Allowing
+ applications to do DNS resolves themselves is usually a bad idea and
+ can leak your location to attackers. (Default: 1)
+
+
+
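Review bot: The NumDirectoryGuards entry refers to "UseEntryGuardsAsDirectoryGuards", but the option documented a few entries earlier in this hunk is "UseEntryGuardsAsDirGuards"; use the documented name so a reader searching for the option finds it. Similarly, OnionTrafficOnly is described as equivalent to "NoDNSRequest, NoIPv4Traffic, NoIPv6Traffic", yet the flag list here documents only IPv6Traffic and no NoIPv6Traffic flag, so either document that flag or reword the equivalence. The empty list entry between SessionGroup and "Other recognized flags for a SocksPort are:" (two bare "-" markers with no term or body) should be dropped. GroupWritable and WorldWritable would benefit from a caution like the one the SocksPort NOTE gives for non-localhost addresses: that NOTE describes the SOCKS listener as unauthenticated, and IsolateClientAddr is stated to be force-disabled on Unix domain sockets, so a reader should be told who can reach the socket once it is made writable. Wording fixes: "the this option is ignored" under UseEntryGuards, "any if its subdomains" under MapAddress, and "along UseIPv6Cache" under UseIPv4Cache (should read "along with").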