## Example vanguards configuration file
#
# The values in this file are the defaults. You do not need to specify
# options in your config file unless you wish to change the defaults.
#
# This file can hold the Tor control port password (control_pass). If you set
# it, make the file readable only by the account that runs vanguards.

## Global options
[Global]

# IP address that the Tor control port is listening on.
# The control port allows reconfiguring the Tor process, so keep this on a
# loopback address unless the path to it is protected by other means.
control_ip = 127.0.0.1

# TCP port the control port is listening on:
control_port = 9051

# If set, use this filesystem control socket instead of IP+Port.
# Access to a filesystem socket is governed by the permissions on its path.
control_socket =

# If set, use this as the control port password.
# The value is stored here in cleartext; when left empty, no password is
# supplied from this file.
control_pass =

# Enable/disable active vanguard update of layer2 and layer3 guards
enable_vanguards = True

# Enable/disable the bandwidth side channel detection checks:
enable_bandguards = True

# Enable/disable circuit build timeout analysis (informational only):
enable_cbtverify = False

# Enable/disable checks on Rendezvous Point overuse attacks:
enable_rendguard = True

# Close circuits upon suspected attack conditions.
# NOTE(review): with False, suspected attacks are presumably only logged and
# the circuit stays open - confirm before relying on it.
close_circuits = True

# If True, we write (or update/rotate) layer2 and layer3 vanguards in torrc,
# then exit. This option disables the bandguards and rendguard defenses,
# so nothing keeps monitoring circuits after the exit.
one_shot_vanguards = False

# The current loglevel:
loglevel = NOTICE

# If specified, log to this file instead of stdout.
# NOTE(review): the log presumably records suspected-attack events; pick a
# location that only the service operator can read - confirm.
logfile =

# Name of state file (with absolute path, or relative to current directory).
# A relative name resolves against whatever directory the process is started
# from, so use an absolute path if that directory can vary.
# NOTE(review): the state is presumably read back on start-up, so the file
# should be writable only by the account running vanguards - confirm.
state_file = vanguards.state


## Vanguards: layer1, layer2, and layer3 rotation params.
[Vanguards]

# How long to keep our layer1 guard, in days (0 means use Tor default):
layer1_lifetime_days = 0

# The maximum amount of time to keep a layer2 guard, in hours
# (1080 hours = 45 days):
max_layer2_lifetime_hours = 1080

# The maximum amount of time to keep a layer3 guard, in hours:
max_layer3_lifetime_hours = 48

# The minimum amount of time to keep a layer2 guard, in hours:
min_layer2_lifetime_hours = 24

# The minimum amount of time to keep a layer3 guard, in hours:
min_layer3_lifetime_hours = 1

# The number of layer1 guards:
num_layer1_guards = 2

# The number of layer2 guards:
num_layer2_guards = 3

# The number of layer3 guards:
num_layer3_guards = 8


## Bandguards: Mechanisms to detect + mitigate bandwidth side channel attacks.
[Bandguards]

# Maximum number of hours to allow any circuit to remain open
# (set to 0 to disable):
circ_max_age_hours = 24

# Maximum amount of kilobytes that can be present in a hidden service
# descriptor before we close the circuit (set to 0 to disable):
circ_max_hsdesc_kilobytes = 30

# Total maximum megabytes on any circuit before we close it. Note that
# while HTTP GET can resume if this limit is hit, HTTP POST will not.
# This means that applications that require large data submission (eg
# SecureDrop or onionshare) should set this much higher
# (or set to 0 to disable).
# The default of 0 means this per-circuit byte limit is not enforced unless
# you set a value here.
circ_max_megabytes = 0

# Warn if we can't build or use circuits for this many seconds.
circ_max_disconnected_secs = 30

# Warn if we are disconnected from the Tor network for this many seconds.
conn_max_disconnected_secs = 15

## Rendguard: Monitors service-side Rendezvous Points to detect misuse/attack
[Rendguard]

# No relay should show up as a Rendezvous Point more often than this ratio
# multiplied by its bandwidth weight:
rend_use_max_use_to_bw_ratio = 5.0

# What percent of the network weight is not in the consensus right now?
# Put another way, the max number of rend requests from relays not in the
# consensus is rend_use_max_use_to_bw_ratio times this churn rate.
rend_use_max_consensus_weight_churn = 1.0

# Close circuits where the Rendezvous Point appears too often. Note that an
# adversary can deliberately cause RP overuse in order to impact availability.
# If this is a concern, either set this to false, or raise the ratio
# parameter above (rend_use_max_use_to_bw_ratio).
rend_use_close_circuits_on_overuse = True

# Total number of circuits we need before we begin enforcing rendezvous point
# ratio limits:
rend_use_global_start_count = 1000

# Number of times a relay must be seen as a Rendezvous Point before applying
# ratio limits:
rend_use_relay_start_count = 100

# Divide all relay counts by two once the total circuit count hits this many:
rend_use_scale_at_count = 20000