Document the haproxy option of HiddenServiceExportCircuitID.

See: https://bugs.torproject.org/4700

diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index df298e1d775fd8c0db67cc69d0b358f0e1b8c027..124b01053ade515f87085f6207a76f488f6b627f 100644 (file)
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -2839,7 +2839,28 @@ The following options are used to configure a hidden service.
    The onion service will use the given protocol to expose the global circuit
    identifier of each inbound client circuit via the selected protocol. The only
    protocol supported right now \'haproxy\'. This option is only for v3
-   services. (Default: none)
+   services. (Default: none) +
+ +
+   The haproxy option works in the following way: when the feature is
+   enabled, the Tor process will write a header line when a client is connecting
+   to the onion service. The header will look like this: +
+ +
+   "PROXY TCP6 fc00:dead:beef:4dad::ffff:ffff ::1 65535 42\r\n" +
+ +
+   We encode the "global circuit identifier" as the last 32-bits of the first
+   IPv6 address. All other values in the header can safely be ignored. You can
+   compute the global circuit identifier using the following formula given the
+   IPv6 address "fc00:dead:beef:4dad::AABB:CCDD": +
+ +
+      global_circuit_id = (0xAA << 24) + (0xBB << 16) + (0xCC << 8) + 0xDD; +
+ +
+   In the case above, where the last 32-bit is 0xffffffff, the global circuit
+   identifier would be 4294967295. You can use this value together with Tor's
+   control port where it is possible to terminate a circuit given the global
+   circuit identifier. For more information about this see controls-spec.txt. +
+ +
+   The HAProxy version 1 proxy protocol is described in detail at
+   https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
 
 [[HiddenServiceMaxStreams]] **HiddenServiceMaxStreams** __N__::
    The maximum number of simultaneous streams (connections) per rendezvous