中继运营人员

我们旨在让搭建一个Tor 中继简单而又边界:

  • 如果中继有时下线,这并没有关系。 目录系统会迅速注意到这一点,并停止发布该中继。 但请试图确保这并不会太频繁地发生,因为当中继断连时,正在使用该中继进行的连接也会断开。
  • 每个 Tor 中继服务器都有一个出口法规则,它详细规定了中继服务器应该同意什么样的外部连接,或是拒绝什么样的外部连接。 如果你不喜欢允许别人的流量经由你的中继出口,你可以设置成仅允许从其他 Tor 中继的连接。
  • 你的中继服务器会被动地估计并公布它最近的带宽容量,所以高带宽的中继服务器会比低带宽服务器吸引更多的用户。因此,拥有低带宽中继服务器也是有用的。

当一个出口被错误地配置了,或是一个恶意出口,它会被分配给损坏出口标志。这会让 Tor 避免将那个中继服务器作为出口。事实上,有着这个标志的中继服务器就相当于不存在。 如果你有了这个旗帜标志,那么说明我们在从你的出口节点路由通信时发现了问题或可疑活动,但无法联系上你。请与问题中继服务器团队 取得联系,这样我们才能整治问题。

关于如何用你的 NAT/路由设备进行端口转发的指导,参见 portforward.com

如果你的中继在内网运行,你需要设置端口转发。 转发 TCP 连接取决于系统,但配有防火墙的客户端 FAQ 条目提供了一些关于如何做的例子。

另外,这里也有一个说明如何在 GNU/Linux 下使用 iptables 操作的例子:

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 9001 -j ACCEPT

如果你有不同的(连接到互联网的)外部接口,你可能需要改动"eth0"。 因为你可能只有一个(除了环回接口)所以这应该不难找。

Why Relay Load Varies

Tor manages bandwidth across the entire network. It does a reasonable job for most relays. But Tor's goals are different to protocols like BitTorrent. Tor wants low-latency web pages, which requires fast connections with headroom. BitTorrent wants bulk downloads, which requires using all the bandwidth.

We're working on a new bandwidth scanner, which is easier to understand and maintain. It will have diagnostics for relays that don't get measured, and relays that have low measurements.

Why does Tor need bandwidth scanners?

Most providers tell you the maximum speed of your local connection. But Tor has users all over the world, and our users connect to one or two Guard relays at random. So we need to know how well each relay can connect to the entire world.

So even if all relay operators set their advertised bandwidth to their local connection speed, we would still need bandwidth authorities to balance the load between different parts of the Internet.

What is a normal relay load?

It's normal for most relays to be loaded at 30%-80% of their capacity. This is good for clients: an overloaded relay has high latency. (We want enough relays to so that each relay is loaded at 10%. Then Tor would be almost as fast as the wider Internet).

Sometimes, a relay is slow because its processor is slow or its connections are limited. Other times, it is the network that is slow: the relay has bad peering to most other tor relays, or is a long distance away.

Finding Out what is Limiting a Relay

Lots of things can slow down a relay. Here's how to track them down.

System Limits

  • Check RAM, CPU, and socket/file descriptor usage on your relay

Tor logs some of these when it starts. Others can be viewed using top or similar tools.

Provider Limits

  • Check the Internet peering (bandwidth, latency) from your relay's provider to other relays. Relays transiting via Comcast have been slow at times. Relays outside North America and Western Europe are usually slower.

Tor Network Limits

Relay bandwidth can be limited by a relay's own observed bandwidth, or by the directory authorities' measured bandwidth. Here's how to find out which measurement is limiting your relay:

  • Check each of the votes for your relay on consensus-health (large page), and check the median. If your relay is not marked Running by some directory authorities:
    • Does it have the wrong IPv4 or IPv6 address?
    • Is its IPv4 or IPv6 address unreachable from some networks?
    • Are there more than 2 relays on its IPv4 address?

Otherwise, check your relay's observed bandwidth and bandwidth rate (limit). Look up your relay on Metrics. Then mouse over the bandwidth heading to see the observed bandwidth and relay bandwidth rate.

Here is some more detail and some examples: Drop in consensus weight and Rampup speed of Exit relay.

How to fix it

The smallest of these figures is limiting the bandwidth allocated to the relay.

  • If it's the bandwidth rate, increase the BandwidthRate/Burst or RelayBandwidthRate/Burst in your torrc.
  • If it's the observed bandwidth, your relay won't ask for more bandwidth until it sees itself getting faster. You need to work out why it is slow.
  • If it's the median measured bandwidth, your relay looks slow from a majority of bandwidth authorities. You need to work out why they measure it slow.

Doing Your Own Relay Measurements

If your relay thinks it is slow, or the bandwidth authorities think it is slow, you can test the bandwidth yourself:

  • Run a test using tor to see how fast tor can get on your network/CPU.
  • Run a test using tor and chutney to find out how fast tor can get on your CPU. Keep increasing the data volume until the bandwidth stops increasing.

你有两种添加至 torrc 的方法:

带宽率是指条件允许的情况下,最大的长时间传输带宽(字节每秒)。 For example, you might want to choose "BandwidthRate 10 MBytes" for 10 megabytes per second (a fast connection), or "BandwidthRate 500 KBytes" for 500 kilobytes per second (a decent cable connection). 最小的 BandwidthRate 是 75KB 每秒。

BandwidthBurst是一个字节池,用于满足短期流量高于 BandwidthRate 但长期平均流量低于 BandwidthRate 的需求。 如果最近还未达平均水平且在速率低但爆发高的情况下,就会出现长期平均的情况,同时在高峰期仍允许更多的流量 。 比如,如果你选择了“带宽突发传输率 500KBytes” 并应用到你的带宽率,那么你的网速就永运不会超过50万字节每秒;但如果你选择了一个更高的带宽突发传输率(如5 MBytes),它就会允许更多的数据通过,直到资源池已满。

如果你有非对称连接(上传小于下载),比如一个电缆调制解调器,你应该把带宽率设置为小于较小带宽(通常是上传带宽)。 否则,你可能会在最大带宽使用时丢包——你可能需要实验哪些值使你的连接通畅。 然后设置BandwidthBurst与BandwidthRate相同。

基于 Linux 系统的 Tor 节点提供了另外一种选择:他们会优先将Tor置于其他运行网络之下,因此他们的私人网络运作不会被 Tor 影响。 在 Tor 源码发行版的 contrib 目录中可以找到一个执行此操作的脚本

此外,还有一些休眠选项,你可以要求 Tor 在每个时间段只提供一定量的带宽(比如每月 100 GB)。这些在休眠条目中有所涉及。

请注意,带宽率和带宽突发传输率都是以字节而不是比特为单位的。

简而言之,它这样工作:

  • There is a primary ed25519 identity secret key file named "ed25519_master_id_secret_key". 这是最重要的一个,所以请确保你在安全的地方存有备份——这份文件十分敏感,应得到充分保护。 如果你手动生成它,Tor 会对它进行加密并在被要求时输入密码。
  • 一个叫"ed25519_signing_secret_key"的中期签名密钥已经被生成,供Tor 使用。 Also, a certificate is generated named "ed25519_signing_cert" which is signed by the primary identity secret key and confirms that the medium term signing key is valid for a certain period of time. 默认有效期为30天,但这个时长可以在torrc里通过设置" 签名密钥有效时间 N 天|周|月 "来自行调节。
  • There is also a primary public key named "ed25519_master_id_public_key", which is the actual identity of the relay advertised in the network. This one is not sensitive and can be easily computed from "ed5519_master_id_secret_key".

Tor will only need access to the medium term signing key and certificate as long as they are valid, so the primary identity secret key can be kept outside DataDirectory/keys, on a storage media or a different computer. 你不得不在中期签名密钥和认证过期前手动更新它们,否则中继服务器上的Tor 进程会在到期时立刻退出。

这个功能是可选的,你不需要使用它除非你想这么做。 If you want your relay to run unattended for longer time without having to manually do the medium term signing key renewal on regular basis, best to leave the primary identity secret key in DataDirectory/keys, just make a backup in case you'll need to reinstall it. 如果你想要使用这个特殊功能,请参考我们在这个话题上更详细的指南

如果你的中继才刚刚开始运行,请给它一些时间。 Tor 根据带宽权威机构的报告来决定使用哪个中继服务器。这些机构测量你的中继服务器的容量,并随着时间推移,引导更多的通讯流量至你的中继服务器,直到它达到最佳运载量。 一个新的中继服务器的生命周期在这个博客帖子 里解释的更为详尽。 如果你运行中继服务器已经有一段时间了,并仍然有疑问,那么请尝试在tor-中继服务器名单 上提问。

  • 不要使用 Ubuntu 仓库中的包,它们未得到可靠更新。 如果你使用它们,你可能会错过重要的稳定性和安全性修复。
  • 运行下面的命令确定你 Ubuntu 的版本:
     ‪$ lsb_release -c
    
  • 以 root 用户身份把下面的行添加到 /etc/apt/sources.list 中。用前一步你获得的版本号代替'version':
     deb https://deb.torproject.org/torproject.org version main
     deb-src https://deb.torproject.org/torproject.org version main
    
  • 运行下面的命令来添加签名软件包的 gpg 公钥:
     ‪$ curl https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -
    
  • 运行下面的命令来检查签名并安装 tor:
     ‪$ sudo apt-get update
     ‪$ sudo apt-get install tor deb.torproject.org-keyring
    

On relay search we show an amber dot next to the relay nickname when it is overloaded. This means that one or many of the following load metrics have been triggered:

Note that if a relay reaches an overloaded state we show it for 72 hours after the relay has recovered.

假若发生节点过载,请执行以下步骤:

  1. https://status.torproject.org/ 的“Tor 网络”(Tor Network)分类检查任何已知问题。

  2. 考虑为你的系统调整 sysctl 优化网络,内存和 CPU 负载。

  3. 请考虑启用 MetricsPort 了解实际情况。

调整 sysctl 优化网络,内存和 CPU 负载

TCP port exhaustion

If you are experiencing TCP port exhaustion consider expanding your local port range. You can do that with

# sysctl -w net.ipv4.ip_local_port_range="15000 64000"

# echo 15000 64000 > /proc/sys/net/ipv4/ip_local_port_range

Keep in mind that tuning sysctl as described is not permanent and will be lost upon restart. You need to add the configuration to /etc/sysctl.conf or to a file in /etc/sysctl.d/ to make it permanent.

MetricsPort

To understand the well-being of Tor relays and the Tor network it is vital to provide and have access to relay metrics. Relay overload information has been added to relay descriptors since 0.4.6+ but it was not until Tor >= 0.4.7.1-alpha that an interface to the underlying relay metrics was available: the metrics port.

Enabling MetricsPort

Tor provides access to the metrics port via a torrc configuration option called MetricsPort.

It's important to understand that exposing the tor MetricsPort publicly is dangerous for the Tor network users, which is why that port is not enabled by default and its access has to be governed by an access policy. Please take extra precaution and care when opening this port, and close it when you are done debugging.

Let's assume you are the only user on a server that runs a Tor relay. You can enable the metrics port adding this to your torrc file:

MetricsPort 127.0.0.1:9035
MetricsPortPolicy accept 127.0.0.1

And then you will be able to easily retrieve the metrics with:

# curl http://127.0.0.1:9035/metrics

which are by default in a Prometheus format.

Note: every user on that server will be able to access those relay metrics in the example above. In general, set a very strict access policy with MetricsPortPolicy and consider using your operating systems firewall features for defense in depth.

For a more detailed explanation about MetricsPort and MetricsPortPolicy see tor's man page.

MetricsPort output

Here is an example of what output enabling MetricsPort will produce (we omitted any congestion control related metrics as we still need to stabilize that interface):

# HELP tor_relay_connections Total number of opened connections
# TYPE tor_relay_connections gauge
tor_relay_connections{type="OR listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="OR listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="OR",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="OR",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="OR",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Exit",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Exit",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Exit",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Exit",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Socks",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Socks",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Directory",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Directory",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Control",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Control",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent pf/netfilter listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent natd listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent natd listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Transparent natd listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Transparent natd listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="DNS listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="DNS listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="DNS listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="DNS listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Extended OR listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Extended OR listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="HTTP tunnel listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics listener",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics listener",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics listener",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics listener",direction="received",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics",direction="initiated",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics",direction="initiated",state="opened",family="ipv6"} 0
tor_relay_connections{type="Metrics",direction="received",state="opened",family="ipv4"} 0
tor_relay_connections{type="Metrics",direction="received",state="opened",family="ipv6"} 0
# HELP tor_relay_connections_total Total number of created/rejected connections
# TYPE tor_relay_connections_total counter
tor_relay_connections_total{type="OR listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="OR listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="OR",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="OR",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="OR",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="OR",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Exit",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Exit",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Exit",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Exit",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Exit",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Exit",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Socks listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Socks listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Socks",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Socks",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Socks",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Socks",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Directory listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Directory listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Directory",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Directory",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Directory",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Directory",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Control listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Control listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Control",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Control",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Control",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Control",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Transparent pf/netfilter listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Transparent natd listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="DNS listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="DNS listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="DNS listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Extended OR listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="HTTP tunnel listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Metrics listener",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics listener",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Metrics listener",direction="received",state="rejected",family="ipv6"} 0
tor_relay_connections_total{type="Metrics",direction="initiated",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics",direction="initiated",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="created",family="ipv4"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="created",family="ipv6"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="rejected",family="ipv4"} 0
tor_relay_connections_total{type="Metrics",direction="received",state="rejected",family="ipv6"} 0
# HELP tor_relay_flag Relay flags from consensus
# TYPE tor_relay_flag gauge
tor_relay_flag{type="Fast"} 0
tor_relay_flag{type="Exit"} 0
tor_relay_flag{type="Authority"} 0
tor_relay_flag{type="Stable"} 0
tor_relay_flag{type="HSDir"} 0
tor_relay_flag{type="Running"} 0
tor_relay_flag{type="V2Dir"} 0
tor_relay_flag{type="Sybil"} 0
tor_relay_flag{type="Guard"} 0
# HELP tor_relay_circuits_total Total number of circuits
# TYPE tor_relay_circuits_total gauge
tor_relay_circuits_total{state="opened"} 0
# HELP tor_relay_streams_total Total number of streams
# TYPE tor_relay_streams_total counter
tor_relay_streams_total{type="BEGIN"} 0
tor_relay_streams_total{type="BEGIN_DIR"} 0
tor_relay_streams_total{type="RESOLVE"} 0
# HELP tor_relay_traffic_bytes Traffic related counters
# TYPE tor_relay_traffic_bytes counter
tor_relay_traffic_bytes{direction="read"} 0
tor_relay_traffic_bytes{direction="written"} 0
# HELP tor_relay_dos_total Denial of Service defenses related counters
# TYPE tor_relay_dos_total counter
tor_relay_dos_total{type="circuit_rejected"} 0
tor_relay_dos_total{type="circuit_killed_max_cell"} 0
tor_relay_dos_total{type="circuit_killed_max_cell_outq"} 0
tor_relay_dos_total{type="marked_address"} 0
tor_relay_dos_total{type="marked_address_maxq"} 0
tor_relay_dos_total{type="conn_rejected"} 0
tor_relay_dos_total{type="concurrent_conn_rejected"} 0
tor_relay_dos_total{type="single_hop_refused"} 0
tor_relay_dos_total{type="introduce2_rejected"} 0
# HELP tor_relay_load_onionskins_total Total number of onionskins handled
# TYPE tor_relay_load_onionskins_total counter
tor_relay_load_onionskins_total{type="tap",action="processed"} 0
tor_relay_load_onionskins_total{type="tap",action="dropped"} 0
tor_relay_load_onionskins_total{type="fast",action="processed"} 0
tor_relay_load_onionskins_total{type="fast",action="dropped"} 0
tor_relay_load_onionskins_total{type="ntor",action="processed"} 0
tor_relay_load_onionskins_total{type="ntor",action="dropped"} 0
tor_relay_load_onionskins_total{type="ntor_v3",action="processed"} 0
tor_relay_load_onionskins_total{type="ntor_v3",action="dropped"} 0
# HELP tor_relay_exit_dns_query_total Total number of DNS queries done by this relay
# TYPE tor_relay_exit_dns_query_total counter
tor_relay_exit_dns_query_total 0
# HELP tor_relay_exit_dns_error_total Total number of DNS errors encountered by this relay
# TYPE tor_relay_exit_dns_error_total counter
tor_relay_exit_dns_error_total{reason="success"} 0
tor_relay_exit_dns_error_total{reason="format"} 0
tor_relay_exit_dns_error_total{reason="serverfailed"} 0
tor_relay_exit_dns_error_total{reason="notexist"} 0
tor_relay_exit_dns_error_total{reason="notimpl"} 0
tor_relay_exit_dns_error_total{reason="refused"} 0
tor_relay_exit_dns_error_total{reason="truncated"} 0
tor_relay_exit_dns_error_total{reason="unknown"} 0
tor_relay_exit_dns_error_total{reason="tor_timeout"} 0
tor_relay_exit_dns_error_total{reason="shutdown"} 0
tor_relay_exit_dns_error_total{reason="cancel"} 0
tor_relay_exit_dns_error_total{reason="nodata"} 0
# HELP tor_relay_load_oom_bytes_total Total number of bytes the OOM has freed by subsystem
# TYPE tor_relay_load_oom_bytes_total counter
tor_relay_load_oom_bytes_total{subsys="cell"} 0
tor_relay_load_oom_bytes_total{subsys="dns"} 0
tor_relay_load_oom_bytes_total{subsys="geoip"} 0
tor_relay_load_oom_bytes_total{subsys="hsdir"} 0
# HELP tor_relay_load_socket_total Total number of sockets
# TYPE tor_relay_load_socket_total gauge
tor_relay_load_socket_total{state="opened"} 0
tor_relay_load_socket_total 0
# HELP tor_relay_load_tcp_exhaustion_total Total number of times we ran out of TCP ports
# TYPE tor_relay_load_tcp_exhaustion_total counter
tor_relay_load_tcp_exhaustion_total 0
# HELP tor_relay_load_global_rate_limit_reached_total Total number of global connection bucket limit reached
# TYPE tor_relay_load_global_rate_limit_reached_total counter
tor_relay_load_global_rate_limit_reached_total{side="read"} 0
tor_relay_load_global_rate_limit_reached_total{side="write"} 0

Let's find out what some of these lines actually mean:

tor_relay_load_onionskins_total{type="ntor",action="dropped"} 0

When a relay starts seeing "dropped", it is a CPU/RAM problem usually.

Tor is sadly single threaded except for when the "onion skins" are processed. The "onion skins" are the cryptographic work that needs to be done on the famous "onion layers" in every circuits.

When tor processes the layers we use a thread pool and outsource all of that work to that pool. It can happen that this pool starts dropping work due to memory or CPU pressure and this will trigger an overload state.

If your server is running at capacity this will likely be triggered.

The ntor and ntor_v3 values will be the same at the moment which is a bug we need to fix.

tor_relay_exit_dns_error_total{...}

Any counter in the "*_dns_error_total" realm (apart from the one for successful queries) indicates a potential DNS related problem. However, we realized during the 0.4.7 release cycle that DNS errors are way too noisy and contain too many false positives to be useful for overload reporting purposes. We therefore don't use them anymore for that purpose starting with 0.4.6.9 and 0.4.7.4-alpha. However, we still keep DNS metrics around to give the relay operator insight into what is going on with their relay.

DNS timeout issues and errors only apply to Exit nodes.

tor_relay_load_oom_bytes_total{...}

An Out-Of-Memory invocation indicates a RAM problem. The relay might need more RAM or it is leaking memory. If you noticed that the tor process is leaking memory, please report the issue either via Tor gitLab or sending an email to the tor-relays mailing list.

Tor has its own OOM handler and it is invoked when 75%, of the total memory tor thinks is available, is reached. Thus, let say tor thinks it can use 2GB in total then at 1.5GB of memory usage, it will start freeing memory. That is considered an overload state.

To estimate the amount of memory it has available, when tor starts, it will use MaxMemInQueues or, if not set, will look at the total RAM available on the system and apply this algorithm:

    if RAM >= 8GB {
      memory = RAM * 40%
    } else {
      memory = RAM * 75%
    }
    /* Capped. */
    memory = min(memory, 8GB) -> [8GB on 64bit and 2GB on 32bit)
    /* Minimum value. */
    memory = max(250MB, memory)

To avoid an overloaded state we recommend to run a relay above 2GB of RAM on 64bit. 4GB is advised, although of course it doesn't hurt to add more RAM if you can.

One might notice that tor could be called by the OS OOM handler itself. Because tor takes the total memory on the system when it starts, if the overall system has many other applications running using RAM, it ends up eating too much memory. In this case the OS could OOM tor, without tor even noticing memory pressure.

tor_relay_load_socket_total

If the number of opened sockets is close to or the same as total sockets available then this indicates the relay is running out of sockets. The solution is to increase ulimit -n for the tor process.

tor_relay_load_tcp_exhaustion_total

These lines indicate the relay is running out of TCP ports.

Try to tune sysctl as described above.

tor_relay_load_global_rate_limit_reached_total

If this counter is incremented by some noticeable value over a short period of time, the relay is congested. It is likely being used as a Guard by a big onion service or for an ongoing DDoS on the network.

If your relay is still overloaded and you don't know why, please get in touch with network-report@torproject.org. You can encrypt your email using network-report OpenPGP key.

棒!如果你想允许几个中继来为网络贡献更多,我们很欢迎这样做。 但请不要在同一个网络上运行太多中继,因为分散与多样性是Tor 网络目标的一部分。

如果你真的决定要运行多个中继服务器,请打开每个中继服务器torrc上的“我的家庭”配置选项,列出在你控制下的所有中继服务器(用逗号隔开):

MyFamily $fingerprint1,$fingerprint2,$fingerprint3

每个指纹是40个字母组成的身份指纹(没有空格)。

这样的话,Tor 客户就会记住不要在单个环路里使用超过一个你的中继服务器。 如果你有这些计算机或其网络管理上的控制权,你就应该设置我的家庭,即使它们不全在同一个地理位置。

Tor has partial support for IPv6 and we encourage every relay operator to enable IPv6 functionality in their torrc configuration files when IPv6 connectivity is available. Tor 目前需要中继的 IPv4 地址,你不能在仅有 IPv6 的主机上运行 Tor 中继。

是的,你在一些攻击中确实能获得更好的匿名性。

最简单的例子是一个拥有一些数量Tor 中继的攻击者。 他们会看见一个来自你的连接,但他们不会知道这个连接是来自于你的电脑还是你的中继上的其他人。

有些情况下它爱莫能助:如果一个攻击者能观察你所有的通信往来,那么他很容易发现哪些连接被转发,哪些始于你。 (在这个情况下,他们仍然不知道你的目的地址,除非他们也在观察它们,但你的处境也不比一个普通客户端好。)

运行一个Tor中继也有一些坏处。 首先,我们只有几百个中继,而你恰好运行其中一个,这个事实对于攻击者来说是一个你把匿名看得很重要的信号。 第二,有一些更难以理解的攻击,并不通俗易懂或久经测试,涉及到利用你正在运行的中继的知识--例如,一个攻击者可能能够“观察”你是否在发送流量,即使他们不能实际观察你的网络,通过你的 Tor 中继转发流量并注意到流量时间的变化。

收益是否大于风险是一个开放的研究性问题。 很大程度上这取决于你最担心的攻击方式。 对于大多数用户来说,我们认为这是一种明智的举动。

Tor 通过询问计算机的主机名来猜测它的IP地址,然后解析那个主机名。人们往往在他们的 /etc/hosts 文件里有指向旧 IP 地址的旧条目。

如果那不能解决这个问题,你应该使用“地址”配置选项来具体说明你想选取的 IP 地址。如果你的计算机处于一个网络地址转换里,并只有一个内部IP地址,请查看以下关于如何进入动态IP地址的技术支持。

并且,如果你有许多地址,你可能也想要设置“OutboundBindAddress”,这样外部的连接就会来自你想要展示给世界的那个。

torrc文件里的会计选项让你能够明确规定你的中继服务器在一段时间内使用的最大流量。

    AccountingStart day week month [day] HH:MM

这详细规定了计数器应该在何时被重置。比方说,要想设置可供服务一星期的比特量(这在每周三上午10:00点会重置),你会使用:

    AccountingStart week 3 10:00
    AccountingMax 500 GBytes

这详细规定了你的中继服务器在一个计数周期内发送的最大数据量和接收的最大数据量。 当会计期间被(AcountingStart)重置后,AccountingMax 的计数器会被重置为0。

比如:假设你想要每天每个方向设置50GB的流量,那么计数器就应该在每天中午重置:

    AccountingStart day 12:00
    AccountingMax 50 GBytes

请注意,你的中继服务器不会在每个会计期间的一开始恰好被唤醒。 它会跟踪记录它在上一个时期里使用额度的速度有多快,并在新的时间间隔里选择一个随机的点唤醒。 这样我们就能避免数百个中继服务器在每个月的一开始就同时运行,结果在月末就没有服务器运行的情况发生。

相较于你的连接速率,如果你只能贡献一小部分带宽,我们推荐你使用日常账户,这样你就不会在每个月的第一天就把一整个月的额度全用光。 只要将你每月的限额除以30即可。你也可以考虑将流量限速,把你的额度覆盖更多的时间:如果你想要在每个方向提供X GB, 你可以将中继服务器的带宽率设为20*X KB. 比如,如果你每种方法都有50GB可提供,你也许要将你的中继服务器带宽率调为1000 KBytes: 这样你的中继服务器就总是可保持每天起码有一半的时间可以使用。

    AccountingStart day 0:00
    AccountingMax 50 GBytes
    RelayBandwidthRate 1000 KBytes
    RelayBandwidthBurst 5000 KBytes # 允许更高的短时流量但是保持平均

想了解更深入了解如何运行一个中继服务器,请参阅中继服务器设置指南

  • 出口节点是需求最大的一种中继服务器,但同时,它也面临着最大程度的法律曝光和风险(而且你不应该在你的家里运行它们)。
  • 如果你正考虑用最小代价运行一个中继,快速守卫中继也十分有用
  • Followed by bridges.

所有的传出连接必须被允许,这样每一个中继才可以与其他中继互相通讯。

在许多司法管辖区,Tor 中继服务器运行者是受公共承运人法律保护的,这条法律保护互联网服务提供者免受潜在的传播第三方内容的法律风险。 过滤某些流量的出口节点将丧失那些保护。

Tor促进了免费无干扰的网络访问。 出口中继不得过滤通过中继的互联网流量。 被检测到过滤流量的出口节点会被打上劣质出口的标签。

你是正确的,在大多数情况下,你的 Tor 中继服务器进一个比特就意味着要出一个比特,反之亦然。但也有几个例外:

如果你打开了你的 DirPort,那么 Tor 的客户端就会向你索要一份目录的拷贝。 他们发出的请求(一个 HTTP GET)十分的小,然而回复有时会非常大。 这应该能解释大多数你的“写入”比特量与“读取”比特量之间的不符。

当你以出口节点运行,并阅读了来自出口连接的几比特信息(比如一则即时信息或ssh连接),把它包裹成一个完整的512比特包以便在 Tor 网络里运输时,一个小小的例外会出现。

We're looking for people with reasonably reliable Internet connections, that have at least 10 Mbit/s (Mbps) available bandwidth each way. If that's you, please consider running a Tor relay.

Even if you do not have at least 10 Mbit/s of available bandwidth you can still help the Tor network by running a Tor bridge with obfs4 support. In that case you should have at least 1 MBit/s of available bandwidth.

很棒! 这就是我们实施出口政策的原因。

每个 Tor 中继拥有一条出口规则,用于指定允许或拒绝何种类型的出站连接通过该中继。 出口政策通过目录传送给 Tor 的客户,所以客户会自动避免挑选会拒绝退出到他们想要到达的目的地的出口中继服务器。 这样一来,每个中继服务器都可以决定服务,主人和它想让连接到达的网络,这些都基于滥用的可能性和它自身的状况。 Read the Support entry on issues you might encounter if you use the default exit policy, and then read Mike Perry's tips for running an exit node with minimal harassment.

默认的出口中继协议允许许多流行服务的获取权(如网页浏览),但出于滥用的潜在风险,限制了一些服务(如邮箱),还有一些是因为流量大小超出了 Tor 网络的承受范围(如默认文件共享端口)。 你可以通过编辑你的torrc文件来更改你自己的出口策略。 If you want to avoid most if not all abuse potential, set it to "reject *:*". 这个设置意味着你的中继服务器只会被用来中继 Tor 网络内部的通讯,而不是外部的网站连接或其他服务。

如果你确实允许任何出口连接,确保域名解析正常(也就是,你的电脑能正确解析网络地址)。 如果有任何你的计算机不能访问的资源(比如你被限制性防火墙或内容过滤器拦住了),请明确的在你的出口节点规定里驳回它们,否则其他 Tor 的用户也会被影响。

在升级你的 Tor 中继服务器,或把它转移到另一台计算机上时,重要的是保持同样的身份密钥(存储于你的数据词典里的"keys/ed25519_master_id_secret_key" and "keys/secret_id_key")。 给身份密钥进行备份,这样你就可以在未来修复中继服务器。这是我们推荐的确保中继服务器的名誉不被浪费的方法。

这意味着,如果你正在升级你的 Tor 中继服务器,且你没有更改torrc和数据词典,那么升级过程不会出现问题,你的中继服务器会继续使用相同的密钥。 如果你需要选择一个新的数据词典,请确保复制了你旧的keys/ed25519_master_id_secret_key and keys/secret_id_key。

If you are a bridge operator, also make sure to copy pt_state/. It contains data required for your bridge to keep working with the same bridge line.

Note: As of Tor 0.2.7 we are using new generation identities for relays based on ed25519 elliptic curve cryptography. 最终它们会取代老的 RSA 身份,来确保老版本的兼容性,但这不会立即发生。 直到那时,每个中继服务器都会有一个ed25519身份(身份密钥文件:keys/ed25519_master_id_secret_key)和一个 RSA 身份(身份密钥文件:keys/secret_id_key)。 你需要将两者都拷贝 / 备份,以便恢复你的中继服务器,更改你的数据词典或将中继服务器移植到另一台计算机上。

不要这么做。 如果司法部门察觉了你出口节点的数据流量,他们可能会没收你的电子设备。 出于这些原因,最好不要在你的家中或使用你家里的网络运行出口节点。

推荐在支持 Tor 的商业实体(例如某些 VPS 服务商 —— 译者注)上搭建 Tor 的出口节点。 你的出口节点有一个独立的 IP 地址,而且不会传输你的流量。 当然,你应该避免在你运行出口节点的电脑上存储任何敏感或与你有关的信息。

特别地,如果你正在使用Debian或Ubuntu,从 Tor 项目的存储库 里安装 Tor 会有许多好处。

  • Your ulimit -n gets set to 32768 high enough for Tor to keep open all the connections it needs.
  • 为 Tor 创建一个用户,所以 Tor 不需要root就能运行。
  • 一个启动脚本被包含在了里面,这样 Tor 就会在开机时自行启动。
  • Tor runs with --verify-config, so that most problems with your config file get caught.
  • Tor 可以捆绑低层级的接口,然后下放权限。

如果你允许了出口节点连接,那么人们通过你的中继服务器连接的一些服务就会连接回来,以收集更多关于你的信息。比如,一些 IRC 服务器会连接回你的identd接口来记录哪些用户建立了连接。(这实际上并不会奏效,因为 Tor 不知道这些信息,但他们还是会试一试。)此外,从你的节点出去的用户也许会吸引其他在 RC 服务器、网站等上的用户的注意,这些用户可能想要了解更多关于他们正在使用的这个中继服务器的主人的信息。

另一个原因是,在互联网上扫描公共代理的小组意识到有时 Tor 中继服务器会将它们的socks接口暴露给全世界。我们推荐你将socks接口只与本地网络捆绑。

在任何情况下,你都需要保持你的安全措施是最新的。在 Tor 中继服务器的安全措施 上阅读这篇文章以获得更多建议。

默认开放的端口如下,但请注意,中继运营者可以通过在 torrc 中配置或修改源代码以开放任何端口。 The default according to src/or/policies.c (line 85 and line 1901) from the source code release release-0.4.6:

reject 0.0.0.0/8
reject 169.254.0.0/16
reject 127.0.0.0/8
reject 192.168.0.0/16
reject 10.0.0.0/8
reject 172.16.0.0/12

reject *:25
reject *:119
reject *:135-139
reject *:445
reject *:563
reject *:1214
reject *:4661-4666
reject *:6346-6429
reject *:6699
reject *:6881-6999
accept *:*

BridgeDB 实施了六项机制以分发网桥:HTTPS, Moat, Email, Telegram, Settings 和 Reserved。 网桥运营者可以在中继搜索上查看他们的网桥正使用何种机制。 在表格中输入网桥的 <HASHED FINGERPRINT>,然后点击“搜索”。

运营者也可以选择他们的网桥使用何种分配方式。 要改变方式,请将 torrc 文件中的 BridgeDistribution 设置修改为以下之一:https,moat,email,telegram,settings,none,any。

阅读网桥安装后指南的更多内容。

Tor可以很好地处理使用动态IP地址的中继,这没有关系。 你只需要将你的torrc文件中的”Address“留空,然后 Tor 会猜出它来。

Tor 进程的两个客户和中继服务器功能都适用于在 AccountingMax带宽率里分配的参数。 因此你可能会发现,一旦你的 Tor 进入休眠,你就不能进行浏览了,而且在日志里会出现这样一条记录:

Bandwidth soft limit reached; commencing hibernation.
No new connections will be accepted

解决方案是运行两个Tor 进程——一个中继和一个客户端,每一个进程使用自己的配置。 做到这一点(如果你是从一个正在工作的中继服务器设置开始的话)的一种方法如下:

  • 在中继的Tor torrc文件中,将SocksPort设置为0.
  • 从torrc.样例中创建一个新的用户torrc 文件,并确保它与中继服务器使用的不是同一个登陆文件。 一种命名约定可以是 torrc.client 和 torrc.relay。
  • 修改 Tor 客户端和中继服务器启动脚本来包括-f /path/to/correct/torrc
  • 在 Linux/BSD/Mac OS X 系统中,将启动脚本改为Tor.clientTor.relay可以使系统配置的分离变得更轻松。

既然它现在是一名守卫了,客户们在其他地方使用它的频率变低了,但还没有许多客户将他们已有的守卫移走并把它当作守卫使用。 阅读这篇博客帖子 或名为 守卫的变迁:理解和改进Tor“入口守卫”选择的框架 的文档了解详情。

You can run a relay in Windows following this tutorials:

You should only run a Windows relay if you can run it 24/7. If you are unable to guarantee that, Snowflake is a better way to contribute your resources to the Tor network.

如果你的 Tor 中继服务器使用了比你预想中更多的记忆储存,这儿有几条减少足迹的贴士:

  • 如果你是 Linux 操作系统,你也许会在glibc的动态内存分配操作里遇到记忆储存碎片故障。 这就是说,当 or 将记忆储存释放回系统后,这些记忆储存的片段被分成了许多碎片,很难再被利用。 Tor 原始码是用 OpenBSD 的动态内存分配操作进行运输的,这个方法没有那么多的碎片故障(但代价是更高的 CPU 负荷)。 You can tell Tor to use this malloc implementation instead: ./configure --enable-openbsd-malloc.
  • 如果你正在运行一个高速中继服务器,这意味着你拥有许多 TLS 连接处于打开状态,你可能正有大量内存流失到了 OpenSSL 的内部缓冲储存器里(每个数据包 38KB+)。 我们已经给 OpenSSL 打过了补丁,来更激进地释放未使用的缓冲区记忆储存. 如果你升级到 OpenSSL 1.0.0或更新的版本,Tor 的构造进程会自动识别并使用这个特点。
  • 如果你仍然解决不了记忆存储加载的问题,不妨考虑一下减少你的中继服务器公布的带宽。 展示较少的带宽意味着你会吸引较少的用户,所以你的中继服务器的规模应该不会变得很大。 请查阅主页中的MaxAdvertisedBandwidth选项。

所有这些都说明,Tor 高速中继确实需要大量内存。高速出口节点占用500-1000 MB内存是不正常的。