BitTorrent

It's really easy to help Tails users downloading it over BitTorrent... especially if you are already a BitTorrent user.

1. Get the latest BitTorrent files

Here are the latest available BitTorrent files:

2. Share Tails images

Feed your preferred BitTorrent client with the .torrent files downloaded at the previous step. Make sure you open and/or forward the needed ports in your router and/or firewall configuration so that you are a real seed.

3. Stay tuned!

As a contributor to Tails availability over BitTorrent, it is very important you share the very latest published version, and only this one: users need to be able to quickly download it and upgrade when we release security fixes, and there is no need to help propagate outdated versions with security flaws.

A way to do this is to configure software to automatically download and seed Tails over BitTorrent.

Else, new versions are announced on:

• our news list
• our RSS and Atom feeds that announce new available BitTorrent files.

HTTPS

Requirements

In order to efficiently help users download Tails images and upgrades, you need:

• a 1Gbps Internet uplink or faster

• 80 GiB of disk space

• sufficiently privileged access to a HTTPS web server

• unfiltered access to your web server (no GeoIP blocking, no IP bans, no CAPTCHAs, etc.): we want people everywhere to be able to download Tails

• either a system operated by a professional team, or a high-availability setup

If you satisfy these practical requirements, please read on! Else, please consider seeding Tails images over BitTorrent instead.

The big picture

All downloads are currently served from a diverse pool of mirrors (see the design document for details).

Every HTTPS mirror makes our files available under a fixed URL (e.g. https://yourdomain.org/pub/tails/) that contains per-version sub-directories (such as https://yourdomain.org/pub/tails/stable/tails-i386-lenny-0.6.2/).

Alongside our mirror pool redirecting to mirrors using their own domain, we maintain a DNS Round Robin pool for the dl.amnesia.boum.org hostname. This pool serves as a fallback, we add only a few fast and reliable mirrors to it.

We only accept mirrors that provide a SSL certificate deemed valid by Firefox for the exact hostname used.

Pick a hostname for your mirror

Your web server needs to answer HTTP and HTTPS requests sent to a dedicated hostname that is unique, within our mirror pool. Furthermore, your web server should answer requests sent to dl.amnesia.boum.org (your mirror could be added to our fallback mirror pool at any moment).

Use a hostname of your choice, under a domain you control. For example, if you control example.com, you can call your Tails mirror tails.example.com.

Manual set up

1. Set up your web server

Set up a virtual host for the hostname chosen at the previous step. The virtual host will need to have indexing enabled.

Files must be served over HTTP and HTTPS. To be helpful in our context, this requires a certificate that is considered valid by mainstream web browsers; you can get such a certificate free of charge, from Let's Encrypt for example.

Apache configuration example

<VirtualHost YOUR_WEBSERVER_IP:80>
   ServerName yourdomain.org
   ServerAlias dl.amnesia.boum.org
   RewriteEngine On
   RewriteRule ^/?(.*) https://%{SERVER_NAME}/pub/$1 [R=permanent,L]
</VirtualHost>

<VirtualHost YOUR_WEBSERVER_IP:443>
   ServerName yourdomain.org
   ServerAdmin YOUR_EMAIL

   SSLEngine on
   SSLCertificateFile /etc/apache2/ssl/apache.crt
   SSLCertificateKeyFile /etc/apache2/ssl/apache.key

   DocumentRoot /var/www/YOUR_PATH/
   <Directory /var/www/YOUR_PATH/>
      Options Indexes
      AllowOverride None
      IndexIgnore README.html
      IndexOptions FancyIndexing FoldersFirst IgnoreCase NameWidth=50
      IndexOrderDefault Descending Date
   </Directory>
</VirtualHost>

Lighttpd configuration example

$HTTP["host"] =~ "^(\d+\.)?dl\.amnesia\.boum\.org$" {
    server.document-root = "/var/www/YOUR_PATH/"
    server.dir-listing = "enable"
}

nginx configuration example

server {
    server_name dl.amnesia.boum.org;
    root /var/www/YOUR_PATH;
    location / {
        autoindex on;
    }
}

2. Download the files

Download a snapshot of the current Tails files:

rsync -rt --delete \
         mirrors.rsync.tails.boum.org::amnesia-archive /var/www/YOUR_PATH/

3. Schedule the pulling of the files

Your mirror should sync every hour + a random time (maximum 40 minutes). Use cron or equivalent to schedule the same rsync command as above. For example, you can create a file in /etc/cron.d/ with this content:

0 * * * * root sleep $(shuf --input-range=0-2400 --head-count=1) && flock -n /var/run/lock/tails-mirror-rsync rsync -rt --delete mirrors.rsync.tails.boum.org::amnesia-archive /var/www/YOUR_PATH/

You can now ask for your mirror to be added to the pool.

Set up with Puppet

It is assumed that Puppet is already installed and configured to function well for your infrastructure.

1. Clone the tails Puppet module

Clone the module inside the puppet modules' directory of your puppetmaster. On Debian, this directory should be /etc/puppet/modules.

 git clone \
     https://gitlab.tails.boum.org/tails/puppet-tails.git \
     /etc/puppet/modules/tails

2. Use the tails::mirror class

On a node where you wish setup the mirror you should include the class like

 include tails::mirror

If you need to adjust any parameters of the class, you should declare it like

 class { 'tails::mirror':
   webserver   => 'apache2',
   server_name => 'tails.example.com',
   mirror_path => '/srv/tails/mirror',
 }

Configurable parameters

See the documentation on top of the module.

Go wild: ask for your mirror to be added to the pool

As soon as your web server is ready, please email us its IP address so that we can add it to the Round Robin pool.

Talk to us

To get in touch with the team that manages our pool of mirror, write to tails-mirrors@boum.org (OpenPGP key).