| 1 | ========================= |
|---|
| 2 | How To Configure A Server |
|---|
| 3 | ========================= |
|---|
| 4 | |
|---|
| 5 | Many Tahoe-LAFS nodes run as "servers", meaning they provide services for |
|---|
| 6 | other machines (i.e. "clients"). The two most important kinds are the |
|---|
| 7 | Introducer, and Storage Servers. |
|---|
| 8 | |
|---|
| 9 | To be useful, servers must be reachable by clients. Tahoe servers can listen |
|---|
| 10 | on TCP ports, and advertise their "location" (hostname and TCP port number) |
|---|
| 11 | so clients can connect to them. They can also listen on Tor "onion services" |
|---|
| 12 | and I2P ports. |
|---|
| 13 | |
|---|
| 14 | Storage servers advertise their location by announcing it to the Introducer, |
|---|
| 15 | which then broadcasts the location to all clients. So once the location is |
|---|
| 16 | determined, you don't need to do anything special to deliver it. |
|---|
| 17 | |
|---|
| 18 | The Introducer itself has a location, which must be manually delivered to all |
|---|
| 19 | storage servers and clients. You might email it to the new members of your |
|---|
| 20 | grid. This location (along with other important cryptographic identifiers) is |
|---|
| 21 | written into a file named ``private/introducer.furl`` in the Introducer's |
|---|
| 22 | base directory, and should be provided as the ``--introducer=`` argument to |
|---|
| 23 | ``tahoe create-client`` or ``tahoe create-node``. |
|---|
| 24 | |
|---|
| 25 | The first step when setting up a server is to figure out how clients will |
|---|
| 26 | reach it. Then you need to configure the server to listen on some ports, and |
|---|
| 27 | then configure the location properly. |
|---|
| 28 | |
|---|
| 29 | Manual Configuration |
|---|
| 30 | ==================== |
|---|
| 31 | |
|---|
| 32 | Each server has two settings in their ``tahoe.cfg`` file: ``tub.port``, and |
|---|
| 33 | ``tub.location``. The "port" controls what the server node listens to: this |
|---|
| 34 | is generally a TCP port. |
|---|
| 35 | |
|---|
| 36 | The "location" controls what is advertised to the outside world. This is a |
|---|
| 37 | "foolscap connection hint", and it includes both the type of the connection |
|---|
| 38 | (tcp, tor, or i2p) and the connection details (hostname/address, port |
|---|
| 39 | number). Various proxies, port-forwardings, and privacy networks might be |
|---|
| 40 | involved, so it's not uncommon for ``tub.port`` and ``tub.location`` to look |
|---|
| 41 | different. |
|---|
| 42 | |
|---|
| 43 | You can directly control the ``tub.port`` and ``tub.location`` configuration |
|---|
| 44 | settings by providing ``--port=`` and ``--location=`` when running ``tahoe |
|---|
| 45 | create-node``. |
|---|
| 46 | |
|---|
| 47 | Automatic Configuration |
|---|
| 48 | ======================= |
|---|
| 49 | |
|---|
| 50 | Instead of providing ``--port=/--location=``, you can use ``--listen=``. |
|---|
| 51 | Servers can listen on TCP, Tor, I2P, a combination of those, or none at all. |
|---|
| 52 | The ``--listen=`` argument controls which kinds of listeners the new server |
|---|
| 53 | will use. |
|---|
| 54 | |
|---|
| 55 | ``--listen=none`` means the server should not listen at all. This doesn't |
|---|
| 56 | make sense for a server, but is appropriate for a client-only node. The |
|---|
| 57 | ``tahoe create-client`` command automatically includes ``--listen=none``. |
|---|
| 58 | |
|---|
| 59 | ``--listen=tcp`` is the default, and turns on a standard TCP listening port. |
|---|
| 60 | Using ``--listen=tcp`` requires a ``--hostname=`` argument too, which will be |
|---|
| 61 | incorporated into the node's advertised location. We've found that computers |
|---|
| 62 | cannot reliably determine their externally-reachable hostname, so rather than |
|---|
| 63 | having the server make a guess (or scanning its interfaces for IP addresses |
|---|
| 64 | that might or might not be appropriate), node creation requires the user to |
|---|
| 65 | provide the hostname. |
|---|
| 66 | |
|---|
| 67 | ``--listen=tor`` will talk to a local Tor daemon and create a new "onion |
|---|
| 68 | server" address (which look like ``alzrgrdvxct6c63z.onion``). Likewise |
|---|
| 69 | ``--listen=i2p`` will talk to a local I2P daemon and create a new server |
|---|
| 70 | address. See :doc:`anonymity-configuration` for details. |
|---|
| 71 | |
|---|
| 72 | You could listen on all three by using ``--listen=tcp,tor,i2p``. |
|---|
| 73 | |
|---|
| 74 | Deployment Scenarios |
|---|
| 75 | ==================== |
|---|
| 76 | |
|---|
| 77 | The following are some suggested scenarios for configuring servers using |
|---|
| 78 | various network transports. These examples do not include specifying an |
|---|
| 79 | introducer FURL which normally you would want when provisioning storage |
|---|
| 80 | nodes. For these and other configuration details please refer to |
|---|
| 81 | :doc:`configuration`. |
|---|
| 82 | |
|---|
| 83 | #. `Server has a public DNS name`_ |
|---|
| 84 | #. `Server has a public IPv4/IPv6 address`_ |
|---|
| 85 | #. `Server is behind a firewall with port forwarding`_ |
|---|
| 86 | #. `Using I2P/Tor to Avoid Port-Forwarding`_ |
|---|
| 87 | |
|---|
| 88 | |
|---|
| 89 | Server has a public DNS name |
|---|
| 90 | ---------------------------- |
|---|
| 91 | |
|---|
| 92 | The simplest case is where your server host is directly connected to the |
|---|
| 93 | internet, without a firewall or NAT box in the way. Most VPS (Virtual Private |
|---|
| 94 | Server) and colocated servers are like this, although some providers block |
|---|
| 95 | many inbound ports by default. |
|---|
| 96 | |
|---|
| 97 | For these servers, all you need to know is the external hostname. The system |
|---|
| 98 | administrator will tell you this. The main requirement is that this hostname |
|---|
| 99 | can be looked up in DNS, and it will map to an IPv4 or IPv6 address which |
|---|
| 100 | will reach the machine. |
|---|
| 101 | |
|---|
| 102 | If your hostname is ``example.net``, then you'll create the introducer like |
|---|
| 103 | this:: |
|---|
| 104 | |
|---|
| 105 | tahoe create-introducer --hostname example.com ~/introducer |
|---|
| 106 | |
|---|
| 107 | or a storage server like:: |
|---|
| 108 | |
|---|
| 109 | tahoe create-node --hostname=example.net |
|---|
| 110 | |
|---|
| 111 | These will allocate a TCP port (e.g. 12345), assign ``tub.port`` to be |
|---|
| 112 | ``tcp:12345``, and ``tub.location`` will be ``tcp:example.com:12345``. |
|---|
| 113 | |
|---|
| 114 | Ideally this should work for IPv6-capable hosts too (where the DNS name |
|---|
| 115 | provides an "AAAA" record, or both "A" and "AAAA"). However Tahoe-LAFS |
|---|
| 116 | support for IPv6 is new, and may still have problems. Please see ticket |
|---|
| 117 | `#867`_ for details. |
|---|
| 118 | |
|---|
| 119 | .. _#867: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/867 |
|---|
| 120 | |
|---|
| 121 | |
|---|
| 122 | Server has a public IPv4/IPv6 address |
|---|
| 123 | ------------------------------------- |
|---|
| 124 | |
|---|
| 125 | If the host has a routeable (public) IPv4 address (e.g. ``203.0.113.1``), but |
|---|
| 126 | no DNS name, you will need to choose a TCP port (e.g. ``3457``), and use the |
|---|
| 127 | following:: |
|---|
| 128 | |
|---|
| 129 | tahoe create-node --port=tcp:3457 --location=tcp:203.0.113.1:3457 |
|---|
| 130 | |
|---|
| 131 | ``--port`` is an "endpoint specification string" that controls which local |
|---|
| 132 | port the node listens on. ``--location`` is the "connection hint" that it |
|---|
| 133 | advertises to others, and describes the outbound connections that those |
|---|
| 134 | clients will make, so it needs to work from their location on the network. |
|---|
| 135 | |
|---|
| 136 | Tahoe-LAFS nodes listen on all interfaces by default. When the host is |
|---|
| 137 | multi-homed, you might want to make the listening port bind to just one |
|---|
| 138 | specific interface by adding a ``interface=`` option to the ``--port=`` |
|---|
| 139 | argument:: |
|---|
| 140 | |
|---|
| 141 | tahoe create-node --port=tcp:3457:interface=203.0.113.1 --location=tcp:203.0.113.1:3457 |
|---|
| 142 | |
|---|
| 143 | If the host's public address is IPv6 instead of IPv4, use square brackets to |
|---|
| 144 | wrap the address, and change the endpoint type to ``tcp6``:: |
|---|
| 145 | |
|---|
| 146 | tahoe create-node --port=tcp6:3457 --location=tcp:[2001:db8::1]:3457 |
|---|
| 147 | |
|---|
| 148 | You can use ``interface=`` to bind to a specific IPv6 interface too, however |
|---|
| 149 | you must backslash-escape the colons, because otherwise they are interpreted |
|---|
| 150 | as delimiters by the Twisted "endpoint" specification language. The |
|---|
| 151 | ``--location=`` argument does not need colons to be escaped, because they are |
|---|
| 152 | wrapped by the square brackets:: |
|---|
| 153 | |
|---|
| 154 | tahoe create-node --port=tcp6:3457:interface=2001\:db8\:\:1 --location=tcp:[2001:db8::1]:3457 |
|---|
| 155 | |
|---|
| 156 | For IPv6-only hosts with AAAA DNS records, if the simple ``--hostname=`` |
|---|
| 157 | configuration does not work, they can be told to listen specifically on an |
|---|
| 158 | IPv6-enabled port with this:: |
|---|
| 159 | |
|---|
| 160 | tahoe create-node --port=tcp6:3457 --location=tcp:example.net:3457 |
|---|
| 161 | |
|---|
| 162 | |
|---|
| 163 | Server is behind a firewall with port forwarding |
|---|
| 164 | ------------------------------------------------ |
|---|
| 165 | |
|---|
| 166 | To configure a storage node behind a firewall with port forwarding you will |
|---|
| 167 | need to know: |
|---|
| 168 | |
|---|
| 169 | * public IPv4 address of the router |
|---|
| 170 | * the TCP port that is available from outside your network |
|---|
| 171 | * the TCP port that is the forwarding destination |
|---|
| 172 | * internal IPv4 address of the storage node (the storage node itself is |
|---|
| 173 | unaware of this address, and it is not used during ``tahoe create-node``, |
|---|
| 174 | but the firewall must be configured to send connections to this) |
|---|
| 175 | |
|---|
| 176 | The internal and external TCP port numbers could be the same or different |
|---|
| 177 | depending on how the port forwarding is configured. If it is mapping ports |
|---|
| 178 | 1-to-1, and the public IPv4 address of the firewall is 203.0.113.1 (and |
|---|
| 179 | perhaps the internal IPv4 address of the storage node is 192.168.1.5), then |
|---|
| 180 | use a CLI command like this:: |
|---|
| 181 | |
|---|
| 182 | tahoe create-node --port=tcp:3457 --location=tcp:203.0.113.1:3457 |
|---|
| 183 | |
|---|
| 184 | If however the firewall/NAT-box forwards external port *6656* to internal |
|---|
| 185 | port 3457, then do this:: |
|---|
| 186 | |
|---|
| 187 | tahoe create-node --port=tcp:3457 --location=tcp:203.0.113.1:6656 |
|---|
| 188 | |
|---|
| 189 | |
|---|
| 190 | Using I2P/Tor to Avoid Port-Forwarding |
|---|
| 191 | -------------------------------------- |
|---|
| 192 | |
|---|
| 193 | I2P and Tor onion services, among other great properties, also provide NAT |
|---|
| 194 | penetration without port-forwarding, hostnames, or IP addresses. So setting |
|---|
| 195 | up a server that listens only on Tor is simple:: |
|---|
| 196 | |
|---|
| 197 | tahoe create-node --listen=tor |
|---|
| 198 | |
|---|
| 199 | For more information about using Tahoe-LAFS with I2p and Tor see |
|---|
| 200 | :doc:`anonymity-configuration` |
|---|
