Tor: recommendations and configuration for Bridge relays

Author: Mike Zhang   Source: MIKE's Free Blog (MIKE的自由网志)

Today I happened to come across Andrew's article "An urgent appeal: Tor relay operators in China, please configure yourselves as middle relays only", and it struck a chord. In my own use I have never actually seen a domestic Tor relay being picked as the final exit, but any publicly listed relay can certainly be used as an exit. If the final exit sits inside the mainland network, the whole exercise has indeed lost its point. The visitor will probably not be identified, but it can still bring the relay operator a fair amount of trouble. So configuring a Tor relay inside the mainland network to run only in bridge relay mode looks very much necessary.

On the Windows version of Tor, bridge relay mode is set up as follows:
Settings -> Relaying -> Relay traffic for the Tor network -> Service policy -> clear every selection (leave none checked) -> Save

On the Linux version, setting up bridge relays is slightly more involved. I tried it out; the exact settings are as follows:
# vi /usr/local/etc/tor/torrc

At the end of the existing ORPort section, enable this setting:
ExitPolicy reject *:*
This forbids the existing Tor relay from acting as an exit for any service. Since I am also running a Tor hidden service (onion site), the other relay settings in this section must be kept.

Then, at the very end of the config file, enable the first three lines of the bridge relay configuration:
ORPort 443
BridgeRelay 1
RelayBandwidthRate 500KBytes
#ExitPolicy reject *:*

Save the file and restart the Tor service.
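Before restarting, it is worth checking that the file really says what you think it says, because a commented-out `ExitPolicy` line (as in the fourth line above) does nothing on its own. The following Python script is an added example written for this post, not code from the article or from the Tor project. It parses a torrc the way Tor reads it (option names are case-insensitive, lines starting with `#` are comments, a single-valued option that appears twice keeps its last value, and ExitPolicy rules are matched in file order with the first match deciding) and reports whether the result is a non-exit bridge. The embedded sample torrc is constructed from the lines in this post; the hidden service directory and port in it are placeholders, not values from the article.

```python
"""Added example: check whether a torrc describes a non-exit bridge.

Not code from the post or from the Tor project. It models the torrc
rules this post relies on: option names are case-insensitive, lines
starting with '#' are comments, a single-valued option that appears
twice keeps its last value, and ExitPolicy rules are matched in file
order with the first match deciding.
"""
import re

# Constructed sample built from the lines in the post. The hidden service
# path and port are placeholders, not values from the original article.
SAMPLE_TORRC = """\
## relay section kept so the hidden service keeps running
ORPort 443
ExitPolicy reject *:*

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080

## bridge relay section: first three lines enabled, as in the post
ORPort 443
BridgeRelay 1
RelayBandwidthRate 500KBytes
#ExitPolicy reject *:*
"""


def parse_torrc(text):
    """Return (option, value) pairs in file order, comments removed.

    Option names are lower-cased because Tor matches them
    case-insensitively. A '#' preceded by whitespace is treated as the
    start of a trailing comment (assumption about Tor's parser; a '#'
    glued to a value is kept as part of the value).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0]
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        entries.append((parts[0].lower(), value))
    return entries


def exit_policy_allows_exit(entries):
    """True if this ExitPolicy could let some traffic exit.

    Rules are checked in order: an 'accept' reached before the catch-all
    'reject *:*' means the relay can exit for at least that pattern.
    If no catch-all reject appears at all, Tor of the era of this post
    appended a permissive default policy, so that case counts as
    "may exit" too.
    """
    for option, value in entries:
        if option != "exitpolicy":
            continue
        for rule in value.split(","):
            rule = rule.strip().lower()
            if rule.startswith("accept"):
                return True
            if rule.replace(" ", "").replace("\t", "") == "reject*:*":
                return False
    return True


def check_non_exit_bridge(text):
    """Return a list of problems; an empty list means a non-exit bridge."""
    entries = parse_torrc(text)
    last = {}
    for option, value in entries:
        last[option] = value  # single-valued options: the last value wins
    problems = []
    if last.get("bridgerelay") != "1":
        problems.append("BridgeRelay is not 1: the relay would be listed "
                        "in the public directory")
    if last.get("orport", "0") == "0":
        problems.append("no ORPort: the relay would accept no relay "
                        "connections at all")
    if exit_policy_allows_exit(entries):
        problems.append("ExitPolicy does not reject everything: the relay "
                        "could be used as an exit")
    return problems


if __name__ == "__main__":
    # The post's configuration, and the same file with the only active
    # 'ExitPolicy reject *:*' line commented out as well.
    variants = {
        "as in the post": SAMPLE_TORRC,
        "reject line commented out": SAMPLE_TORRC.replace(
            "\nExitPolicy reject *:*", "\n#ExitPolicy reject *:*", 1),
    }
    for name, text in variants.items():
        result = check_non_exit_bridge(text) or ["OK: non-exit bridge"]
        print(f"{name}: " + "; ".join(result))
```

Run it against your own file with `check_non_exit_bridge(open("/usr/local/etc/tor/torrc").read())`; an empty list means the relay is hidden from the public directory and can never be chosen as an exit, which is exactly the combination this post is after.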

If you turn on debug logging, you should see entries that all look something like this:
Apr 05 11:44:23.939 [debug] directory_handle_command_get(): rewritten url as '/tor/server/d/0E1353F11009ECEA964B01930... (too long, middle omitted) ...z'.
Apr 05 11:44:23.939 [debug] conn_write_callback(): socket 19 wants to write.
Apr 05 11:44:23.939 [debug] connection_dir_finished_flushing(): Finished writing server response. Closing.
Apr 05 11:44:23.939 [debug] conn_close_if_marked(): Cleaning up connection (fd 19).
Apr 05 11:44:23.939 [debug] connection_remove(): removing socket 19 (type Directory), n_conns now 12
Apr 05 11:44:23.939 [debug] _connection_free(): closing fd 19.
Apr 05 11:44:24.034 [debug] conn_read_callback(): socket 8 wants to read.
Apr 05 11:44:24.034 [debug] connection_handle_listener_read(): Connection accepted on socket 19 (child of fd 8).
Apr 05 11:44:24.034 [debug] connection_add(): new conn type Directory, socket 19, n_conns 12.
Apr 05 11:44:24.166 [debug] conn_read_callback(): socket 19 wants to read.
Apr 05 11:44:24.166 [debug] read_to_chunk(): Read 1448 bytes. 1448 on inbuf.
Apr 05 11:44:24.166 [debug] fetch_from_buf_http(): headers not all here yet.
Apr 05 11:44:24.166 [debug] directory_handle_command(): command not all here yet.
Apr 05 11:44:24.181 [debug] global_read_bucket now 10485760.
Apr 05 11:44:24.181 [debug] global_write_bucket now 10485760.
Apr 05 11:44:24.181 [debug] global_relayed_read_bucket now 2048000.
Apr 05 11:44:24.181 [debug] global_relayed_write_bucket now 2048000.
Apr 05 11:44:24.181 [debug] or_conn->read_bucket now 10485760.
Apr 05 11:44:24.181 [debug] or_conn->read_bucket now 10485760.
Apr 05 11:44:24.181 [debug] circuit_is_acceptable(): Skipping one-hop circuit.
Apr 05 11:44:24.181 [debug] circuit_is_acceptable(): Skipping one-hop circuit.
Apr 05 11:44:24.181 [debug] circuit_get_open_circ_or_launch(): one on the way!
Apr 05 11:44:24.378 [debug] conn_read_callback(): socket 20 wants to read.
Apr 05 11:44:24.378 [debug] connection_read_to_buf(): 20: starting, inbuf_datalen 0 (0 pending in tls object). at_most 16384.
Apr 05 11:44:24.379 [debug] connection_read_to_buf(): After TLS read of 1024: 1098 read, 0 written
Apr 05 11:44:24.379 [debug] connection_or_process_cells_from_inbuf(): 20: starting, inbuf_datalen 1024 (0 pending in tls object).

These logs are completely different from the ones produced before, when the relay was not running in bridge-only mode.

After switching my Tor relay to bridge mode, I also checked the Tor hidden service that had been set up on top of it, http://o2ykh5czcfujbqty.onion/, and it still works normally.

With that, everything is set up and working.

The config file contains the following explanation of bridge relays:
## Bridge relays (or "bridges" ) are Tor relays that aren't listed in the
## main directory. Since there is no complete public list of them, even if an
## ISP is filtering connections to all the known Tor relays, they probably
## won't be able to block all the bridges. Unlike running an exit relay,
## running a bridge relay just passes data to and from the Tor network --
## so it shouldn't expose the operator to abuse complaints.

In short, once you run in bridge relay mode your Tor relay no longer appears in the public relay directory, which keeps the local ISP from blocking it on the basis of that directory; of course, it also means you can only be an unsung hero behind the scenes. :-) Still, this mode suits our current situation far too well, so I have switched my Tor relay to it and am glad to be that unsung hero.

Many thanks to Andrew for the article on his blog that inspired this.

1 comment:

Blue Drifter said...

Very professional content; I didn't understand the specific configuration method.

The relay server problem mentioned in the article is about fake servers set up to counter the use of Tor, with the aim of making Tor useless.

I'm not sure whether my understanding is correct.