# -*- mode: python ; coding: utf-8 -*-
#
#   +---------------+
#   | bridgedb.conf |
#   +---------------+
#
# This file uses Python syntax, and is sourced as if it were a .py file. Just
# pretend you're writing Python, and everything will be peachy keen.
#______________________________________________________________________________
#
# This file is part of BridgeDB, a Tor bridge distribution system.
#
# :copyright: (c) 2007-2013, The Tor Project, Inc.
#             (c) 2007-2013, all sentient entities within the AUTHORS file
# :license: see LICENSE for licensing information
#______________________________________________________________________________

#===========================#
#  General-purpose options  #
#___________________________#

#----------------
# Required Files \  You'll want to make sure that these ones exist!
#------------------------------------------------------------------------------
#
# All filenames are taken as relative to the RUNTIME directory, which is the
# current working directory when you call the ``bridgedb`` script, or you may
# specify a particular RUNTIME directory by doing:
#
#     $ bridgedb -r /path/to/some/nice/place
#
# Obviously, this config file should live in that directory, so that BridgeDB
# can read it.
#------------------------------------------------------------------------------

# Filenames of the ``@type bridge-server-descriptor`` documents. They are read
# on startup and again on SIGHUP.
BRIDGE_FILES = ["bridge-descriptors"]

# Filenames of the ``@type bridge-extra-info`` descriptors, from which we
# learn about a bridge's pluggable transports.
EXTRA_INFO_FILES = ["cached-extrainfo", "cached-extrainfo.new"]

# Filename of the ``@type bridge-network-status`` entries, from which we learn
# which current bridges are Running, as well as their IPv6 addresses.
STATUS_FILE = "networkstatus-bridges"

# Certificate file and private key for the HTTPS Distributor. To create a
# self-signed cert, run ``scripts/make-ssl-cert``; it will create these files
# in your current directory.
# NOTE(review): the private key file should be readable only by the account
# that runs BridgeDB. Clients cannot verify a self-signed cert unless they pin
# it, so treat the generated pair as a testing setup.
HTTPS_CERT_FILE = "cert"
HTTPS_KEY_FILE = "privkey.pem"

#----------------
# Output Files   \  Where to store created data
#------------------------------------------------------------------------------
#
# These will get automatically created for you, just specify where they should
# go.
#------------------------------------------------------------------------------

# Where to write the log: a filename, or None to log to the console instead.
LOGFILE = "bridgedb.log"

# Bridge pool assignments are dumped to this file, for statistics.
ASSIGNMENTS_FILE = "assignments.log"

# Our pid is written to this file.
PIDFILE = "bridgedb.pid"

# Database file in which persistent info is stored.
DB_FILE = "bridgedist.db"

# Changes to the persistent info are logged to this file. For debugging and
# bugfixing.
DB_LOG_FILE = "bridgedist.log"

# File holding our secret HMAC root key. If it does not exist, the file and
# the key inside it are created for you automatically.
# NOTE(review): this is key material -- restrict the file to the account that
# runs BridgeDB, and keep it out of backups or repositories others can read.
MASTER_KEY_FILE = "secret_key"

# Filename that contains blocked bridges list. Comment out to disable.
#COUNTRY_BLOCK_FILE = "blocked-bridges"

# Filenames listing the IP addresses of proxies, one address per line. Every
# IP-based distributor that sees an incoming connection from one of these
# proxies treats it specially.
PROXY_LIST_FILES = []

#------------------
# Logging Options  \
#------------------------------------------------------------------------------
#
# Be sure to also see the LOGFILE option above!
#------------------------------------------------------------------------------

# Log verbosity: one of "DEBUG", "INFO", "WARNING", "ERROR"...
# NOTE(review): "DEBUG" is the most verbose of the levels named here; keep
# SAFELOGGING enabled whenever you run at this level outside of testing.
LOGLEVEL = "DEBUG"

# When true, all potentially identifying information is scrubbed before it is
# logged.
SAFELOGGING = True

# Settings for logfile rotation.
# NOTE(review): LOGFILE_ROTATE_SIZE is presumably a size in bytes -- confirm.
LOGFILE_COUNT = 5
LOGFILE_ROTATE_SIZE = 10000000


# Routers are considered only if their purpose matches this string.
BRIDGE_PURPOSE = "bridge"

# Number of clusters that IPs are grouped into when bridges are distributed
# based on IP.
# Note that if PROXY_LIST_FILES (above) is set, we actually use one more
# cluster than the number given here, and the extra cluster is used for
# answering requests made by the IP addresses in the PROXY_LIST_FILES files.
N_IP_CLUSTERS = 4

# A list of ``(port, minimum)`` tuples: if possible, always give at least
# ``minimum`` answers with the given ORPort.
FORCE_PORTS = [(443, 1)]

# A list of ``(flag, minimum)`` tuples: if possible, always give at least
# ``minimum`` answers with the given flag. Only "stable" is now supported.
FORCE_FLAGS = [("Stable", 1)]

#-------------------------------
# HTTP(S) Distribution Options  \
#------------------------------------------------------------------------------
#
# These options configure the behaviour of the web interface bridge
# distribution mechanism. If HTTPS_DIST is enabled, make sure that the above
# HTTPS_CERT_FILE and HTTPS_KEY_FILE options point to the correct location of
# your SSL certificate and key!
#------------------------------------------------------------------------------

# ``True`` enables distribution via HTTP or HTTPS; ``False`` disables it.
HTTPS_DIST = True

# (string or None) IP address on which we listen for HTTPS connections. With
# ``None``, we listen on the default interface.
HTTPS_BIND_IP = '127.0.0.1'

# (integer or None) Port on which we listen for incoming HTTPS connections.
HTTPS_PORT = 6789

# Number of bridges we give back in an answer.
HTTPS_N_BRIDGES_PER_ANSWER = 3

# Whether we tell http users about the bridge fingerprints.  Turn this on
# once we have the vidalia/tor interaction fixed for everybody.
HTTPS_INCLUDE_FINGERPRINTS = True

# If true, a trusted proxy is relaying incoming messages to us, and we take
# the *last* entry of its X-Forwarded-For header as the client's IP.
# NOTE(review): leave this off unless every connection really arrives through
# that proxy; a client that can reach us directly controls the header, and
# with it the IP its requests are attributed to.
HTTPS_USE_IP_FROM_FORWARDED_HEADER = False

# (string or None) IP address to listen on for unencrypted HTTP connections.
# ``None`` disables unencrypted connections to the web interface.
HTTP_UNENCRYPTED_BIND_IP = None

# (integer or None) Port to listen on for incoming HTTP connections.
HTTP_UNENCRYPTED_PORT = None

# The counterpart of the ``HTTPS_USE_IP_FROM_FORWARDED_HEADER`` option for
# unencrypted connections; the same trusted-proxy requirement applies.
HTTP_USE_IP_FROM_FORWARDED_HEADER = False

# How many bridges the unencrypted HTTP distributor hands out per response.
HTTP_N_BRIDGES_PER_ANSWER = 3

#-------------------------------
# Email Distribution Options    \
#------------------------------------------------------------------------------
#
# These options configure the behaviour of the email bridge distribution
# mechanism. If EMAIL_DIST is enabled, make sure that the above
# HTTPS_CERT_FILE and HTTPS_KEY_FILE options point to the correct location of
# your SSL certificate and key!
# ------------------------------------------------------------------------------

# ``True`` enables distribution via Email; ``False`` disables it.
EMAIL_DIST = True

# Addresses used for outgoing email: EMAIL_FROM_ADDR goes in the From: line
# in outgoing headers, and EMAIL_SMTP_FROM_ADDR goes in the MAIL FROM header
# in outgoing SMTP.
EMAIL_FROM_ADDR = "bridges@torproject.org"
EMAIL_SMTP_FROM_ADDR = "bridges@torproject.org"
# NOTE(review): undocumented in the original; presumably the host and port of
# the SMTP server that outgoing mail is handed to -- confirm.
EMAIL_SMTP_HOST = "127.0.0.1"
EMAIL_SMTP_PORT = 25

# RCPT TO lines that are not addressed to this user are rejected.
EMAIL_USERNAME = "bridges"

# The domains we will reply to, in their canonical form.
EMAIL_DOMAINS = ["gmail.com", "yahoo.com"]

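# Map from unofficial domain to canonical domain.
# (Blame-view line numbers had been pasted inside this literal, which made it
# unparsable; they are removed here and the entries are unchanged.)
EMAIL_DOMAIN_MAP = {
    "mail.google.com": "gmail.com",
    "googlemail.com": "gmail.com",
}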

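# Map from canonical domain to list of options for that domain.  Recognized
# options are:
#     "ignore_dots" -- the service ignores "." characters in email addresses.
#     "dkim" -- if there is not a X-DKIM-Authentication-Result header
#        with the value "pass", then drop the message.
#
# Note that unrecognized options are ignored; be sure to spell them right!
# A misspelled "dkim" therefore silently turns the check off for that domain.
# NOTE(review): "dkim" trusts a header value, so it is only meaningful if the
# mail server in front of BridgeDB sets X-DKIM-Authentication-Result itself
# and strips any copy supplied by the sender -- confirm for your MTA.
# (Blame-view line numbers had been pasted inside this literal, which made it
# unparsable; they are removed here and the entries are unchanged.)
EMAIL_DOMAIN_RULES = {
    'gmail.com': ["ignore_dots", "dkim"],
    'yahoo.com': ["dkim"],
}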

# When this list holds any IPs, incoming connections are allowed only from
# those IPs.
EMAIL_RESTRICT_IPS = []

# The IP and the port on which we listen for email connections. Debugging
# only.
EMAIL_BIND_IP = "127.0.0.1"
EMAIL_PORT = 6725

# Number of bridges we give back in an answer.
EMAIL_N_BRIDGES_PER_ANSWER = 3

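# Should the replies include the bridge fingerprints?  Turn this on once we
# have the vidalia/tor interaction fixed for everybody.
# NOTE(review): the original wording says "http users", although this is the
# email distributor's option -- presumably copied from
# HTTPS_INCLUDE_FINGERPRINTS; confirm.
# (Blame-view residue between the comment and the option, which did not parse
# as Python, is removed here; the value is unchanged.)
EMAIL_INCLUDE_FINGERPRINTS = True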

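# Configuration options for GPG signed messages.
# NOTE(review): the filename below suggests a testing key. Before deployment,
# point EMAIL_GPG_SIGNING_KEY at your own signing subkey and keep that file
# readable only by the account that runs BridgeDB.
# (Blame-view residue between the comment and the options, which did not parse
# as Python, is removed here; the values are unchanged.)
EMAIL_GPG_SIGNING_ENABLED = True
EMAIL_GPG_SIGNING_KEY = 'gnupghome/TESTING.subkeys.sec'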

#-------------------------------
# Hashring Allocation Options   \
#------------------------------------------------------------------------------
#
# These options determine the proportions of bridges per hashring. When
# BridgeDB receives a descriptor for a new bridge, that bridge is assigned to
# a hashring. For example, if ``HTTPS_DIST`` and ``EMAIL_DIST`` are both
# enabled, there is a hashring for bridges allocated to the HTTP(S)
# Distributor, and another for the Email Distributor. In addition, an
# "Unallocated" hashring is always created, in order to reserve some portion
# of bridges for manual distribution, or as backup in the case of a major
# blocking event. Once a bridge is assigned to one of these allocation groups,
# it stays there; there is currently no mechanism for changing a bridge's
# hashring allocation.
#
# The bridges are allocated to these groups with the following proportions:
#
#     ``HTTPS_SHARE`` : ``EMAIL_SHARE`` : ``RESERVED_SHARE``
# ------------------------------------------------------------------------------

# Proportion of the bridges that is allocated to HTTP(S) distribution.
HTTPS_SHARE = 10

# Proportion of the bridges that is allocated to Email distribution.
EMAIL_SHARE = 10

# An integer: the proportion of bridges that should remain unallocated, for
# backup usage and manual distribution.
RESERVED_SHARE = 2

# A dictionary of {FILENAME: NUMBER}, where FILENAME is a string naming the
# file in which to store a certain NUMBER (an integer) of bridges. Unlike the
# shares above, NUMBER is *not* a proportion; it is literally the number of
# bridges.
FILE_BUCKETS = {}

# Options related to recaptcha support.
# Set to True to enable recaptcha, False to disable it.
RECAPTCHA_ENABLED = False

# The Recaptcha API keys.
# NOTE(review): the private key is a secret. Once it is filled in, this config
# file needs the same file permissions as the other key material, and should
# not be committed anywhere others can read it.
RECAPTCHA_PUB_KEY = ''
RECAPTCHA_PRIV_KEY = ''