Many web updates

Server/Repo.Update.sh

@@ -18,7 +18,9 @@ mkcd ./Root
 		cpfile "etc/systemd/system/$f.service"
 	done
 
+	CpItem etc/nginx/nginx.conf
 	CpSufx "etc/nginx/sites-available/*." conf old
+	CpItem etc/tor/torrc
 	CpSufx "Server/Scripts/Backup/*." sh cfg
 	CpItem Server/Scripts/OneShot.AfterBoot.sh
 

Server/Root/Server/Scripts/Backup/CloudBackup.sh

@@ -23,50 +23,61 @@ BackPathCrypt() {
 	ccencryptNow "./${Folder}${Ext}" "${Key}"
 }
 
-cd ./Server-Backup-Limited
-BackPathCrypt "Invidious-User" "${BackupKey_Git_Invidious}" ".7z"
-#BackPathCrypt "wallabag-data" "${BackupKey_Git_wallabag}"
-BackPathCrypt "FreshRSS-data" "${BackupKey_Git_FreshRSS}"
-#BackPathCrypt "shiori-data" "${BackupKey_Git_Shiori}"
-# "${BackupKey_Git_aria2}" ".7z"
-GitPush
-cd ..
+ServerBackupLimited(){
+	cd ./Server-Backup-Limited
+	#BackPathCrypt "Invidious-User" "${BackupKey_Git_Invidious}" ".7z"
+	#BackPathCrypt "wallabag-data" "${BackupKey_Git_wallabag}"
+	BackPathCrypt FreshRSS "${BackupKey_Git_FreshRSS}"
+	#BackPathCrypt "FreshRSS-data" "${BackupKey_Git_FreshRSS}"
+	#BackPathCrypt "shiori-data" "${BackupKey_Git_Shiori}"
+	# "${BackupKey_Git_aria2}" ".7z"
+	GitPush
+	cd ..
+}
 
-cd ./Articles-Backup-Private
-EchoExec rm -rf ./shiori-data
-EchoExec cp -rp "../shiori-data/Latest.d" "./shiori-data"
-GitPush
-cd ..
+ArticlesBackupPrivate(){
+	cd ./Articles-Backup-Private
+	EchoExec rm -rf ./shiori-data
+	EchoExec cp -rp "../shiori-data/Latest.d" "./shiori-data"
+	GitPush
+	cd ..
+}
 
-exit
+SpaccBbsBackup(){
+	cd ./SpaccBBS-Backup-phpBB-2023
+	EchoExec rm -rf ./SpaccBBS || true
+	EchoExec cp -rp ../SpaccBBS/Latest.d ./SpaccBBS
+	EchoExec cp ../SpaccBBS/Db.Latest.sql.tar.xz ./Db.sql.tar.xz
+	for File in \
+		./Db.sql.tar.xz \
+		./SpaccBBS/config.php \
+		./SpaccBBS/arrowchat/includes/config.php \
+	; do ccencryptNow "$File" "$BackupKey_Git_SpaccBBS"
+	done
+	GitPush
+	cd ..
+}
 
-cd ./SpaccBBS-Backup-phpBB-2023
-EchoExec rm -rf ./SpaccBBS || true
-EchoExec cp -rp ../SpaccBBS/Latest.d ./SpaccBBS
-EchoExec cp ../SpaccBBS/Db.Latest.sql.tar.xz ./Db.sql.tar.xz
-for File in \
-	./Db.sql.tar.xz \
-	./SpaccBBS/config.php \
-	./SpaccBBS/arrowchat/includes/config.php \
-; do ccencryptNow "$File" "$BackupKey_Git_SpaccBBS"
-done
-GitPush
-cd ..
-
-McServer="SpaccCraft"
-McEdition="Beta-1.7.3"
-McGit="spacccraft-b1.7.3-backup4"
-DestPath="${BackupsBase}/${McServer}/${McGit}"
-if [ -d "${DestPath}" ]
-then
-	#cd "/Server/${McServer}"
-	cd "${BackupsBase}/${McServer}"
-	rm -rf "${DestPath}/${McEdition}"
-	cp ./*.sh "${DestPath}/"
-	cp -r "./${McEdition}/Latest.d" "${DestPath}/${McEdition}"
-	GitPullPushPath "${DestPath}"
-fi
+SpaccBbsBackup(){
+	McServer="SpaccCraft"
+	McEdition="Beta-1.7.3"
+	McGit="spacccraft-b1.7.3-backup4"
+	DestPath="${BackupsBase}/${McServer}/${McGit}"
+	if [ -d "${DestPath}" ]
+	then
+		#cd "/Server/${McServer}"
+		cd "${BackupsBase}/${McServer}"
+		rm -rf "${DestPath}/${McEdition}"
+		cp ./*.sh "${DestPath}/"
+		cp -r "./${McEdition}/Latest.d" "${DestPath}/${McEdition}"
+		GitPullPushPath "${DestPath}"
+	fi
+}
 
+ServerBackupLimited
+ArticlesBackupPrivate
+SpaccBbsBackup
+SpaccCraftBackup
 GitPullPushPath "/Cloud/Repos/Personal-Game-Saves"
 #GitPullPushPath "/media/Disk/Configs"
 

Server/Root/Server/Scripts/Backup/ExternalDataBackup.sh

@@ -6,11 +6,11 @@ set -e
 
 # Invidious personal JSON dump
 InvidiousPersonalJsonDump(){
-Name="Invidious-User"
-mkdir -vp "./${Name}"
-curl \
-	"${Invidious_Backup_URL}/subscription_manager?action_takeout=1&format=json" \
-	-H "${Invidious_Backup_Cookie}" \
+	Name="Invidious-User"
+	mkdir -vp "./${Name}"
+	curl \
+		"${Invidious_Backup_URL}/subscription_manager?action_takeout=1&format=json" \
+		-H "${Invidious_Backup_Cookie}" \
 	| 7z a -mmt1 -mx9 "./${Name}/${RunDate}.7z" -si && cp -v "./${Name}/${RunDate}.7z" "./${Name}/Latest.7z"
 }
 

Server/Root/Server/Scripts/Backup/ServerDataBackup.sh

@@ -23,9 +23,10 @@ SimpleBackup(){
 }
 
 #SimpleBackup "wallabag-data"
-SimpleBackup "FreshRSS-data"
+#SimpleBackup "FreshRSS-data"
+SimpleBackup FreshRSS www
 
-SimpleBackup "shiori-data" "Shiori"
+SimpleBackup shiori-data Shiori
 rm -v ./shiori-data/Latest.d/archive/* || true
 
 SimpleBackup SpaccBBS www

Server/Root/etc/nginx/nginx.conf

@@ -0,0 +1,92 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+	upstream php {
+		server unix:/var/run/php/php7.4-fpm.sock;
+	}
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 128;
+	map_hash_bucket_size 128;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+
+	client_max_body_size 8M;
+
+	more_clear_headers  "Server";
+	more_clear_headers  "server";
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}

Server/Root/etc/nginx/sites-available/SpaccBBS.conf

@@ -1,11 +1,12 @@
-upstream php {
-	server unix:/var/run/php/php7.4-fpm.sock;
+map $http_host $SpaccBbsMap {
+	'bbs.spacc.eu.org' '1';
+	'bbs.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion' '2';
 }
 
 server {
 	listen 80;
 	listen 443 ssl;
-	server_name bbs.spacc.eu.org;
+	server_name bbs.spacc.eu.org bbs.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/bbs.spacc.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/bbs.spacc.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
@@ -72,4 +73,30 @@ server {
 		deny all;
 		internal;
 	}
+
+	location /wap {
+		rewrite ^ $scheme://$host/?style=4 redirect;
+	}
+	location /lite {
+		rewrite ^ $scheme://$host/wap redirect;
+	}
+
+	#if ($SpaccBbsMap = '1') {
+	#	location /wwwroot {
+	#		rewrite ^(.*) $scheme://hlb0.octt.eu.org/$request_uri redirect;
+	#	}
+	#}
+	#if ($SpaccBbsMap = '2') {
+	#	location /wwwroot {
+	#		rewrite ^(.*) $scheme://octt.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion/$request_uri redirect;
+	#	}
+	#}
+	location /wwwroot {
+		if ($SpaccBbsMap = '1') {
+			rewrite ^(.*) $scheme://hlb0.octt.eu.org/$request_uri redirect;
+		}
+		if ($SpaccBbsMap = '2') {
+			rewrite ^(.*) $scheme://octt.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion/$request_uri redirect;
+		}
+	}
 }

Server/Root/etc/nginx/sites-available/articles.conf

@@ -1,6 +1,7 @@
 server {
+	listen 80;
 	listen 443 ssl;
-	server_name articles.octt.eu.org;
+	server_name articles.octt.eu.org articles.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/articles.octt.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/articles.octt.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
@@ -16,8 +17,9 @@ server {
 }
 
 server {
+	listen 80;
 	listen 443 ssl;
-	server_name ShioriFeed.octt.eu.org;
+	server_name ShioriFeed.octt.eu.org ShioriFeed.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/shiorifeed.octt.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/shiorifeed.octt.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;

Server/Root/etc/nginx/sites-available/feeds.conf

@@ -1,17 +1,48 @@
 server {
+	listen 80;
 	listen 443 ssl;
-	server_name feeds.octt.eu.org;
+	server_name feeds.octt.eu.org feeds.spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad.onion;
 	ssl_certificate /etc/letsencrypt/live/feeds.octt.eu.org/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/feeds.octt.eu.org/privkey.pem;
 	ssl_prefer_server_ciphers on;
+
+	#location / {
+	#	proxy_http_version 1.1;
+	#	proxy_pass http://localhost:8017;
+	#	proxy_set_header X-Real-IP $remote_addr;
+	#	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+	#	proxy_set_header X-Forwarded-Proto $scheme;
+	#	proxy_set_header Upgrade $http_upgrade;
+	#	proxy_set_header Connection "upgrade";
+	#	sub_filter '</body>' '<script> function ForceUpdateFeeds(){ var Count = 0; Array.from(document.querySelectorAll(atob("KltpZF49ImZfIl0uaXRlbS5mZWVk"))).forEach(function(El){ Count++; fetch(location.origin + "/i/?c=feed&a=actualize&id=" + El.id.split("_")[1]); }); setTimeout(function(){ location.reload(); }, Count * 4000); }; </script></body>';
+	#	sub_filter '<a id="actualize"' '<a class="btn" href="#" title="Force update feeds" onclick="javascript:ForceUpdateFeeds();">Force update feeds</a><a id="actualize"';
+	#	sub_filter_once on;
+	#}
+
+	root /Server/www/FreshRSS/p;
+	index index.php index.html index.htm;
+
+	# nginx log files
+	access_log /var/log/nginx/FreshRSS.access.log;
+	error_log /var/log/nginx/FreshRSS.error.log;
+
+	# php files handling
+	# this regex is mandatory because of the API
+	location ~ ^.+?\.php(/.*)?$ {
+		fastcgi_pass php;
+		fastcgi_split_path_info ^(.+\.php)(/.*)$;
+		# By default, the variable PATH_INFO is not set under PHP-FPM
+		# But FreshRSS API greader.php need it. If you have a “Bad Request” error, double check this var!
+		# NOTE: the separate $path_info variable is required. For more details, see:
+		# https://trac.nginx.org/nginx/ticket/321
+		set $path_info $fastcgi_path_info;
+		fastcgi_param PATH_INFO $path_info;
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+	}
+
 	location / {
-		proxy_http_version 1.1;
-		proxy_pass http://localhost:8017;
-		proxy_set_header X-Real-IP $remote_addr;
-		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-		proxy_set_header X-Forwarded-Proto $scheme;
-		proxy_set_header Upgrade $http_upgrade;
-		proxy_set_header Connection "upgrade";
+		try_files $uri $uri/ index.php;
 		sub_filter '</body>' '<script> function ForceUpdateFeeds(){ var Count = 0; Array.from(document.querySelectorAll(atob("KltpZF49ImZfIl0uaXRlbS5mZWVk"))).forEach(function(El){ Count++; fetch(location.origin + "/i/?c=feed&a=actualize&id=" + El.id.split("_")[1]); }); setTimeout(function(){ location.reload(); }, Count * 4000); }; </script></body>';
 		sub_filter '<a id="actualize"' '<a class="btn" href="#" title="Force update feeds" onclick="javascript:ForceUpdateFeeds();">Force update feeds</a><a id="actualize"';
 		sub_filter_once on;

Server/Root/etc/nginx/sites-available/root.conf

@@ -33,6 +33,7 @@ server {
 	ssl_prefer_server_ciphers on;
 	error_page 403 = /404.html;
 	error_page 404 = /404.html;
+
 	location / {
 		root /Server/www/root;
 		if ($request_uri ~ ^([^.\?]*[^/])$) {
@@ -45,6 +46,7 @@ server {
 		#error_page 404 = /404.html;
 		#rewrite  ^/(\?.*)?$ index.html$1 permanent;
 	}
+
 	location /Drive/ {
 		root /Server/www;
 		autoindex on;
@@ -65,6 +67,7 @@ server {
 		sub_filter '<h1>Index of /Drive/' '<h1>Index of <a href="/Drive/">/Drive</a>/';
 		sub_filter_once off;
 	}
+
 	location /Drive/Telegram/ {
 		rewrite ^/Drive/Telegram/(.*)$ /$1 break;
 		proxy_http_version 1.1;
@@ -81,4 +84,8 @@ server {
 		sub_filter '<source src="/' '<source src="/Drive/Telegram/';
 		sub_filter_once off;
 	}
+
+	location /wwwroot/ {
+		rewrite ^/wwwroot/(.*)$ /$1 permanent;
+	}
 }

Server/Root/etc/systemd/system/diycron.service

@@ -6,8 +6,8 @@ StartLimitIntervalSec=0
 Type=simple
 Restart=always
 RestartSec=10
-CPUQuota=90%
-MemoryMax=400M
+#CPUQuota=90%
+#MemoryMax=400M
 User=root
 ExecStart=sh -c "cat /var/log/diycron.log >> /var/log/diycron.log.old; sh /etc/diycron > /var/log/diycron.log"
 [Install]

Server/Root/etc/tor/torrc

@@ -0,0 +1,192 @@
+## Configuration file for a typical Tor user
+## Last updated 9 October 2013 for Tor 0.2.5.2-alpha.
+## (may or may not work for much older or much newer versions of Tor.)
+##
+## Lines that begin with "## " try to explain what's going on. Lines
+## that begin with just "#" are disabled commands: you can enable them
+## by removing the "#" symbol.
+##
+## See 'man tor', or https://www.torproject.org/docs/tor-manual.html,
+## for more options you can use in this file.
+##
+## Tor will look for this file in various places based on your platform:
+## https://www.torproject.org/docs/faq#torrc
+
+## Tor opens a socks proxy on port 9050 by default -- even if you don't
+## configure one below. Set "SocksPort 0" if you plan to run Tor only
+## as a relay, and not make any local application connections yourself.
+#SocksPort 9050 # Default: Bind to localhost:9050 for local connections.
+#SocksPort 192.168.0.1:9100 # Bind to this address:port too.
+
+## Entry policies to allow/deny SOCKS requests based on IP address.
+## First entry that matches wins. If no SocksPolicy is set, we accept
+## all (and only) requests that reach a SocksPort. Untrusted users who
+## can access your SocksPort may be able to learn about the connections
+## you make.
+#SocksPolicy accept 192.168.0.0/16
+#SocksPolicy reject *
+
+## Logs go to stdout at level "notice" unless redirected by something
+## else, like one of the below lines. You can have as many Log lines as
+## you want.
+##
+## We advise using "notice" in most cases, since anything more verbose
+## may provide sensitive information to an attacker who obtains the logs.
+##
+## Send all messages of level 'notice' or higher to /var/log/tor/notices.log
+#Log notice file /var/log/tor/notices.log
+## Send every possible message to /var/log/tor/debug.log
+#Log debug file /var/log/tor/debug.log
+## Use the system log instead of Tor's logfiles
+#Log notice syslog
+## To send all messages to stderr:
+#Log debug stderr
+
+## Uncomment this to start the process in the background... or use
+## --runasdaemon 1 on the command line. This is ignored on Windows;
+## see the FAQ entry if you want Tor to run as an NT service.
+#RunAsDaemon 1
+
+## The directory for keeping all the keys/etc. By default, we store
+## things in $HOME/.tor on Unix, and in Application Data\tor on Windows.
+#DataDirectory /var/lib/tor
+
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+#ControlPort 9051
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+#HashedControlPassword 16:872860B76453A77D60CA2BB8C1A7042072093276A3D701AD684053EC4C
+#CookieAuthentication 1
+
+############### This section is just for location-hidden services ###
+
+## Once you have configured a hidden service, you can look at the
+## contents of the file ".../hidden_service/hostname" for the address
+## to tell people.
+##
+## HiddenServicePort x y:z says to redirect requests on port x to the
+## address y:z.
+
+HiddenServiceDir /var/lib/tor/HiddenServices/spaccsoj3trhzowrrblzb5m6hgkwu6syghnmhett7gvxbrz5zhsrs4ad/
+HiddenServicePort 80 127.0.0.1:80
+
+#HiddenServiceDir /var/lib/tor/other_hidden_service/
+#HiddenServicePort 80 127.0.0.1:80
+#HiddenServicePort 22 127.0.0.1:22
+
+################ This section is just for relays #####################
+#
+## See https://www.torproject.org/docs/tor-doc-relay for details.
+
+## Required: what port to advertise for incoming Tor connections.
+#ORPort 9001
+## If you want to listen on a port other than the one advertised in
+## ORPort (e.g. to advertise 443 but bind to 9090), you can do it as
+## follows.  You'll need to do ipchains or other port forwarding
+## yourself to make this work.
+#ORPort 443 NoListen
+#ORPort 127.0.0.1:9090 NoAdvertise
+
+## The IP address or full DNS name for incoming connections to your
+## relay. Leave commented out and Tor will guess.
+#Address noname.example.com
+
+## If you have multiple network interfaces, you can specify one for
+## outgoing traffic to use.
+# OutboundBindAddress 10.0.0.5
+
+## A handle for your relay, so people don't have to refer to it by key.
+#Nickname ididnteditheconfig
+
+## Define these to limit how much relayed traffic you will allow. Your
+## own traffic is still unthrottled. Note that RelayBandwidthRate must
+## be at least 20 KB.
+## Note that units for these config options are bytes per second, not bits
+## per second, and that prefixes are binary prefixes, i.e. 2^10, 2^20, etc.
+#RelayBandwidthRate 100 KB  # Throttle traffic to 100KB/s (800Kbps)
+#RelayBandwidthBurst 200 KB # But allow bursts up to 200KB/s (1600Kbps)
+
+## Use these to restrict the maximum traffic per day, week, or month.
+## Note that this threshold applies separately to sent and received bytes,
+## not to their sum: setting "4 GB" may allow up to 8 GB total before
+## hibernating.
+##
+## Set a maximum of 4 gigabytes each way per period.
+#AccountingMax 4 GB
+## Each period starts daily at midnight (AccountingMax is per day)
+#AccountingStart day 00:00
+## Each period starts on the 3rd of the month at 15:00 (AccountingMax
+## is per month)
+#AccountingStart month 3 15:00
+
+## Administrative contact information for this relay or bridge. This line
+## can be used to contact you if your relay or bridge is misconfigured or
+## something else goes wrong. Note that we archive and publish all
+## descriptors containing these lines and that Google indexes them, so
+## spammers might also collect them. You may want to obscure the fact that
+## it's an email address and/or generate a new address for this purpose.
+#ContactInfo Random Person <nobody AT example dot com>
+## You might also include your PGP or GPG fingerprint if you have one:
+#ContactInfo 0xFFFFFFFF Random Person <nobody AT example dot com>
+
+## Uncomment this to mirror directory information for others. Please do
+## if you have enough bandwidth.
+#DirPort 9030 # what port to advertise for directory connections
+## If you want to listen on a port other than the one advertised in
+## DirPort (e.g. to advertise 80 but bind to 9091), you can do it as
+## follows.  below too. You'll need to do ipchains or other port
+## forwarding yourself to make this work.
+#DirPort 80 NoListen
+#DirPort 127.0.0.1:9091 NoAdvertise
+## Uncomment to return an arbitrary blob of html on your DirPort. Now you
+## can explain what Tor is if anybody wonders why your IP address is
+## contacting them. See contrib/tor-exit-notice.html in Tor's source
+## distribution for a sample.
+#DirPortFrontPage /etc/tor/tor-exit-notice.html
+
+## Uncomment this if you run more than one Tor relay, and add the identity
+## key fingerprint of each Tor relay you control, even if they're on
+## different networks. You declare it here so Tor clients can avoid
+## using more than one of your relays in a single circuit. See
+## https://www.torproject.org/docs/faq#MultipleRelays
+## However, you should never include a bridge's fingerprint here, as it would
+## break its concealability and potentionally reveal its IP/TCP address.
+#MyFamily $keyid,$keyid,...
+
+## A comma-separated list of exit policies. They're considered first
+## to last, and the first match wins. If you want to _replace_
+## the default exit policy, end this with either a reject *:* or an
+## accept *:*. Otherwise, you're _augmenting_ (prepending to) the
+## default exit policy. Leave commented to just use the default, which is
+## described in the man page or at
+## https://www.torproject.org/documentation.html
+##
+## Look at https://www.torproject.org/faq-abuse.html#TypicalAbuses
+## for issues you might encounter if you use the default exit policy.
+##
+## If certain IPs and ports are blocked externally, e.g. by your firewall,
+## you should update your exit policy to reflect this -- otherwise Tor
+## users will be told that those destinations are down.
+##
+## For security, by default Tor rejects connections to private (local)
+## networks, including to your public IP address. See the man page entry
+## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
+##
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
+#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy reject *:* # no exits allowed
+
+## Bridge relays (or "bridges") are Tor relays that aren't listed in the
+## main directory. Since there is no complete public list of them, even an
+## ISP that filters connections to all the known Tor relays probably
+## won't be able to block all the bridges. Also, websites won't treat you
+## differently because they won't know you're running Tor. If you can
+## be a real relay, please do; but if not, be a bridge!
+#BridgeRelay 1
+## By default, Tor will advertise your bridge to users through various
+## mechanisms like https://bridges.torproject.org/. If you want to run
+## a private bridge, for example because you'll give out your bridge
+## address manually to your friends, uncomment this line:
+#PublishServerDescriptor 0
+