diff options
| -rw-r--r-- | files/tor-exit-notice.html | 144 | ||||
| -rw-r--r-- | manifests/daemon.pp | 66 | ||||
| -rw-r--r-- | templates/torrc.relay.erb | 2 |
3 files changed, 181 insertions, 31 deletions
diff --git a/files/tor-exit-notice.html b/files/tor-exit-notice.html new file mode 100644 index 0000000..de3be17 --- /dev/null +++ b/files/tor-exit-notice.html @@ -0,0 +1,144 @@ +<?xml version="1.0"?> +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<meta http-equiv="Content-Type" content="text/html;charset=utf-8" /> +<title>This is a Tor Exit Router</title> + +<!-- + +This notice is intended to be placed on a virtual host for a domain that +your Tor exit node IP reverse resolves to so that people who may be about +to file an abuse complaint would check it first before bothering you or +your ISP. Ex: +http://tor-exit.yourdomain.org or http://tor-readme.yourdomain.org. + +This type of setup has proven very effective at reducing abuse complaints +for exit node operators. + +There are a few places in this document that you may want to customize. +They are marked with FIXME. + +--> + +</head> +<body> + +<p style="text-align:center; font-size:xx-large; font-weight:bold">This is a +Tor Exit Router</p> + +<p> +Most likely you are accessing this website because you had some issue with +the traffic coming from this IP. This router is part of the <a +href="https://www.torproject.org/">Tor Anonymity Network</a>, which is +dedicated to <a href="https://www.torproject.org/about/overview">providing +privacy</a> to people who need it most: average computer users. This +router IP should be generating no other traffic, unless it has been +compromised.</p> + + +<!-- FIXME: you should probably grab your own copy of how_tor_works_thumb.png + and serve it locally --> + +<p style="text-align:center"> +<a href="https://www.torproject.org/about/overview"> +<img src="https://www.torproject.org/images/how_tor_works_thumb.png" alt="How Tor works" style="border-style:none"/> +</a></p> + +<p> +Tor sees use by <a href="https://www.torproject.org/about/torusers">many +important segments of the population</a>, including whistle blowers, +journalists, Chinese dissidents skirting the Great Firewall and oppressive +censorship, abuse victims, stalker targets, the US military, and law +enforcement, just to name a few. While Tor is not designed for malicious +computer users, it is true that they can use the network for malicious ends. +In reality however, the actual amount of <a +href="https://www.torproject.org/docs/faq-abuse">abuse</a> is quite low. This +is largely because criminals and hackers have significantly better access to +privacy and anonymity than do the regular users whom they prey upon. Criminals +can and do <a +href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_tools.html">build, +sell, and trade</a> far larger and <a +href="http://voices.washingtonpost.com/securityfix/2008/08/web_fraud_20_distributing_your.html">more +powerful networks</a> than Tor on a daily basis. Thus, in the mind of this +operator, the social need for easily accessible censorship-resistant private, +anonymous communication trumps the risk of unskilled bad actors, who are +almost always more easily uncovered by traditional police work than by +extensive monitoring and surveillance anyway.</p> + +<p> +In terms of applicable law, the best way to understand Tor is to consider it a +network of routers operating as common carriers, much like the Internet +backbone. However, unlike the Internet backbone routers, Tor routers +explicitly do not contain identifiable routing information about the source of +a packet, and no single Tor node can determine both the origin and destination +of a given transmission.</p> + +<p> +As such, there is little the operator of this router can do to help you track +the connection further. This router maintains no logs of any of the Tor +traffic, so there is little that can be done to trace either legitimate or +illegitimate traffic (or to filter one from the other). Attempts to +seize this router will accomplish nothing.</p> + +<!-- FIXME: US-Only section. Remove if you are a non-US operator --> + +<p> +Furthermore, this machine also serves as a carrier of email, which means that +its contents are further protected under the ECPA. <a +href="http://www4.law.cornell.edu/uscode/html/uscode18/usc_sec_18_00002707----000-.html">18 +USC 2707</a> explicitly allows for civil remedies ($1000/account +<i><b>plus</b></i> legal fees) +in the event of a seizure executed without good faith or probable cause (it +should be clear at this point that traffic with an originating IP address of +FIXME_DNS_NAME should not constitute probable cause to seize the +machine). Similar considerations exist for 1st amendment content on this +machine.</p> + +<!-- FIXME: May or may not be US-only. Some non-US tor nodes have in + fact reported DMCA harassment... --> + +<p> +If you are a representative of a company who feels that this router is being +used to violate the DMCA, please be aware that this machine does not host or +contain any illegal content. Also be aware that network infrastructure +maintainers are not liable for the type of content that passes over their +equipment, in accordance with <a +href="http://www4.law.cornell.edu/uscode/html/uscode17/usc_sec_17_00000512----000-.html">DMCA +"safe harbor" provisions</a>. In other words, you will have just as much luck +sending a takedown notice to the Internet backbone providers. Please consult +<a href="https://www.torproject.org/eff/tor-dmca-response">EFF's prepared +response</a> for more information on this matter.</p> + +<p>For more information, please consult the following documentation:</p> + +<ol> +<li><a href="https://www.torproject.org/about/overview">Tor Overview</a></li> +<li><a href="https://www.torproject.org/docs/faq-abuse">Tor Abuse FAQ</a></li> +<li><a href="https://www.torproject.org/eff/tor-legal-faq">Tor Legal FAQ</a></li> +</ol> + +<p> +That being said, if you still have a complaint about the router, you may +email the <a href="mailto:FIXME_YOUR_EMAIL_ADDRESS">maintainer</a>. If +complaints are related to a particular service that is being abused, I will +consider removing that service from my exit policy, which would prevent my +router from allowing that traffic to exit through it. I can only do this on an +IP+destination port basis, however. Common P2P ports are +already blocked.</p> + +<p> +You also have the option of blocking this IP address and others on +the Tor network if you so desire. The Tor project provides a <a +href="https://check.torproject.org/cgi-bin/TorBulkExitList.py">web service</a> +to fetch a list of all IP addresses of Tor exit nodes that allow exiting to a +specified IP:port combination, and an official <a +href="https://www.torproject.org/tordnsel/dist/">DNSRBL</a> is also available to +determine if a given IP address is actually a Tor exit server. Please +be considerate +when using these options. It would be unfortunate to deny all Tor users access +to your site indefinitely simply because of a few bad apples.</p> + +</body> +</html> diff --git a/manifests/daemon.pp b/manifests/daemon.pp index 80da4c7..ad84589 100644 --- a/manifests/daemon.pp +++ b/manifests/daemon.pp @@ -50,7 +50,7 @@ class tor::daemon inherits tor { } # tor configuration file - concatenated_file { '${config_file}': + concatenated_file { "${config_file}": dir => $spool_dir, header => "${spool_dir}/00.header" mode => 0600, @@ -59,10 +59,10 @@ class tor::daemon inherits tor { } # config file headers - file { '${spool_dir}/00.header': + file { "${spool_dir}/00.header": content => template('tor/header.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => present, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -70,10 +70,10 @@ class tor::daemon inherits tor { # global configurations define tor::global_opts( $log_rules = [ 'notice file /var/log/tor/notices.log' ], $ensure = present ) { - file { '${spool_dir}/01.global': + file { "${spool_dir}/01.global": content => template('tor/global.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -83,10 +83,10 @@ class tor::daemon inherits tor { define tor::socks( $socks_port = 0, $socks_listen_addresses = [], $socks_policies = [] ) { - file { '${spool_dir}/02.socks': + file { "${spool_dir}/02.socks": content => template('tor/socks.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -95,21 +95,21 @@ class tor::daemon inherits tor { # relay definition define tor::relay( $port = 0, $listen_addresses = [], - $nickname = '', - $address = $hostname, $relay_bandwidth_rate = 0, # KB/s, 0 for no limit. - $relay_bandwidth_burst = 0, # KB/s, 0 for no limit. - $accounting_max = 0, # GB, 0 for no limit. + $relay_bandwidth_burst = 0, # KB/s, 0 for no limit. + $accounting_max = 0, # GB, 0 for no limit. $accounting_start = [], $contact_info = '', - $my_family = '', + $my_family = '', # TODO: autofill with other relays $bridge_reay = 0, $ensure = present ) { + $nickname = $name + $address = $hostname - file { '${spool_dir}/03.relay': + file { "${spool_dir}/03.relay": content => template('tor/relay.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -119,10 +119,10 @@ class tor::daemon inherits tor { define tor::control( $port = 0, $hashed_control_password = '', $ensure = present ) { - file { '${spool_dir}/04.control': + file { "${spool_dir}/04.control": content => template('tor/control.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -131,10 +131,10 @@ class tor::daemon inherits tor { # hidden services definition define tor::hidden_service( $ports = [], $ensure = present ) { - file { '${spool_dir}/05.hidden_service.${name}': + file { "${spool_dir}/05.hidden_service.${name}": content => template('tor/hidden_service.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -145,10 +145,16 @@ class tor::daemon inherits tor { $listen_addresses = [], $port_front_page = '', $ensure = present ) { - file { '${spool_dir}/06.directory': + file { "${spool_dir}/06.directory": content => template('tor/directory.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => [ File["${spool_dir}"], File['/etc/tor/tor-exit-notice.html'] ], + notify => Exec["concat_${config_file}"], + ensure => $ensure, + owner => 'debian-tor', group => 'debian-tor', mode => 0755, + } + file { '/etc/tor/tor-exit-notice.html': + source => "puppet://$server/modules/tor/tor-exit-notice", + require => File['/etc/tor'], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } @@ -158,10 +164,10 @@ class tor::daemon inherits tor { define tor::exit_policy( $accept = [], $reject = [], $ensure = present ) { - file { '${spool_dir}/07.exit_policy.${name}': + file { "${spool_dir}/07.exit_policy.${name}": content => template('tor/exit_policy.erb'), - require => File['${spool_dir}'], - notify => Exec['concat_${config_file}'], + require => File["${spool_dir}"], + notify => Exec["concat_${config_file}"], ensure => $ensure, owner => 'debian-tor', group => 'debian-tor', mode => 0755, } diff --git a/templates/torrc.relay.erb b/templates/torrc.relay.erb index d9f06ae..95496d6 100644 --- a/templates/torrc.relay.erb +++ b/templates/torrc.relay.erb @@ -19,7 +19,7 @@ RelayBandwidthBurst <%= relay_bandwidth_burst %> KB <%- end -%> <%- if accounting_max != '0' then -%> AccountingMax <%= accounting_max %> GB -<%- for accounting in accounting_start -%> +<%- if accounting_start then -%> AccountingStart <%= accounting_start %> <%- end -%> <%- end -%> |