+>4096</P
+></DD
+><DT
+>Effect if unset:</DT
+><DD
+><P
+> Use a 4MB (4096 KB) limit.
+ </P
+></DD
+><DT
+>Notes:</DT
+><DD
+><P
+> For content filtering, i.e. the <TT
+CLASS="LITERAL"
+>+filter</TT
+> and
+ <TT
+CLASS="LITERAL"
+>+deanimate-gif</TT
+> actions, it is necessary that
+ <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+> buffers the entire document body.
+ This can be potentially dangerous, since a server could just keep sending
+ data indefinitely and wait for your RAM to exhaust -- with nasty consequences.
+ Hence this option.
+ </P
+><P
+> When a document buffer size reaches the <TT
+CLASS="LITERAL"
+>buffer-limit</TT
+>, it is
+ flushed to the client unfiltered and no further attempt to
+ filter the rest of the document is made. Remember that there may be multiple threads
+ running, which might require up to <TT
+CLASS="LITERAL"
+>buffer-limit</TT
+> Kbytes
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>each</I
+></SPAN
+>, unless you have enabled <SPAN
+CLASS="QUOTE"
+>"single-threaded"</SPAN
+>
+ above.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+></DIV
+><DIV
+CLASS="SECT2"
+><H2
+CLASS="SECT2"
+><A
+NAME="FORWARDING"
+>7.5. Forwarding</A
+></H2
+><P
+> This feature allows routing of HTTP requests through a chain of
+ multiple proxies.</P
+><P
+> Forwarding can be used to chain Privoxy with a caching proxy to speed
+ up browsing. Using a parent proxy may also be necessary if the machine
+ that <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+> runs on has no direct Internet access.</P
+><P
+> Note that parent proxies can severely decrease your privacy level.
+ For example a parent proxy could add your IP address to the request
+ headers and if it's a caching proxy it may add the <SPAN
+CLASS="QUOTE"
+>"Etag"</SPAN
+>
+ header to revalidation requests again, even though you configured Privoxy
+ to remove it. It may also ignore Privoxy's header time randomization and use the
+ original values which could be used by the server as cookie replacement
+ to track your steps between visits.</P
+><P
+> Also specified here are SOCKS proxies. <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+>
+ supports the SOCKS 4 and SOCKS 4A protocols.</P
+><DIV
+CLASS="SECT3"
+><H4
+CLASS="SECT3"
+><A
+NAME="FORWARD"
+>7.5.1. forward</A
+></H4
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>Specifies:</DT
+><DD
+><P
+> To which parent HTTP proxy specific requests should be routed.
+ </P
+></DD
+><DT
+>Type of value:</DT
+><DD
+><P
+> <TT
+CLASS="REPLACEABLE"
+><I
+>target_pattern</I
+></TT
+>
+ <TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+>[:<TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>]
+ </P
+><P
+> where <TT
+CLASS="REPLACEABLE"
+><I
+>target_pattern</I
+></TT
+> is a <A
+HREF="actions-file.html#AF-PATTERNS"
+>URL pattern</A
+>
+ that specifies to which requests (i.e. URLs) this forward rule shall apply. Use <TT
+CLASS="LITERAL"
+>/</TT
+> to
+ denote <SPAN
+CLASS="QUOTE"
+>"all URLs"</SPAN
+>.
+ <TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+>[:<TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>]
+ is the DNS name or IP address of the parent HTTP proxy through which the requests should be forwarded,
+ optionally followed by its listening port (default: 8080).
+ Use a single dot (<TT
+CLASS="LITERAL"
+>.</TT
+>) to denote <SPAN
+CLASS="QUOTE"
+>"no forwarding"</SPAN
+>.
+ </P
+></DD
+><DT
+>Default value:</DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Unset</I
+></SPAN
+></P
+></DD
+><DT
+>Effect if unset:</DT
+><DD
+><P
+> Don't use parent HTTP proxies.
+ </P
+></DD
+><DT
+>Notes:</DT
+><DD
+><P
+> If <TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+> is <SPAN
+CLASS="QUOTE"
+>"."</SPAN
+>, then requests are not
+ forwarded to another HTTP proxy but are made directly to the web servers.
+ </P
+><P
+> Multiple lines are OK, they are checked in sequence, and the last match wins.
+ </P
+></DD
+><DT
+>Examples:</DT
+><DD
+><P
+> Everything goes to an example parent proxy, except SSL on port 443 (which it doesn't handle):
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward / parent-proxy.example.org:8080
+ forward :443 .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+><P
+> Everything goes to our example ISP's caching proxy, except for requests
+ to that ISP's sites:
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward / caching-proxy.isp.example.net:8000
+ forward .isp.example.net .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="SECT3"
+><H4
+CLASS="SECT3"
+><A
+NAME="SOCKS"
+>7.5.2. forward-socks4 and forward-socks4a</A
+></H4
+><A
+NAME="FORWARD-SOCKS4"
+></A
+><A
+NAME="FORWARD-SOCKS4A"
+></A
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>Specifies:</DT
+><DD
+><P
+> Through which SOCKS proxy (and optionally to which parent HTTP proxy) specific requests should be routed.
+ </P
+></DD
+><DT
+>Type of value:</DT
+><DD
+><P
+> <TT
+CLASS="REPLACEABLE"
+><I
+>target_pattern</I
+></TT
+>
+ <TT
+CLASS="REPLACEABLE"
+><I
+>socks_proxy</I
+></TT
+>[:<TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>]
+ <TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+>[:<TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+>]
+ </P
+><P
+> where <TT
+CLASS="REPLACEABLE"
+><I
+>target_pattern</I
+></TT
+> is a <A
+HREF="actions-file.html#AF-PATTERNS"
+>URL pattern</A
+>
+ that specifies to which requests (i.e. URLs) this forward rule shall apply. Use <TT
+CLASS="LITERAL"
+>/</TT
+> to
+ denote <SPAN
+CLASS="QUOTE"
+>"all URLs"</SPAN
+>.
+ <TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+> and <TT
+CLASS="REPLACEABLE"
+><I
+>socks_proxy</I
+></TT
+>
+ are IP addresses in dotted decimal notation or valid DNS names (<TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+>
+ may be <SPAN
+CLASS="QUOTE"
+>"."</SPAN
+> to denote <SPAN
+CLASS="QUOTE"
+>"no HTTP forwarding"</SPAN
+>), and the optional
+ <TT
+CLASS="REPLACEABLE"
+><I
+>port</I
+></TT
+> parameters are TCP ports, i.e. integer values from 1 to 64535
+ </P
+></DD
+><DT
+>Default value:</DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>Unset</I
+></SPAN
+></P
+></DD
+><DT
+>Effect if unset:</DT
+><DD
+><P
+> Don't use SOCKS proxies.
+ </P
+></DD
+><DT
+>Notes:</DT
+><DD
+><P
+> Multiple lines are OK, they are checked in sequence, and the last match wins.
+ </P
+><P
+> The difference between <TT
+CLASS="LITERAL"
+>forward-socks4</TT
+> and <TT
+CLASS="LITERAL"
+>forward-socks4a</TT
+>
+ is that in the SOCKS 4A protocol, the DNS resolution of the target hostname happens on the SOCKS
+ server, while in SOCKS 4 it happens locally.
+ </P
+><P
+> If <TT
+CLASS="REPLACEABLE"
+><I
+>http_parent</I
+></TT
+> is <SPAN
+CLASS="QUOTE"
+>"."</SPAN
+>, then requests are not
+ forwarded to another HTTP proxy but are made (HTTP-wise) directly to the web servers, albeit through
+ a SOCKS proxy.
+ </P
+></DD
+><DT
+>Examples:</DT
+><DD
+><P
+> From the company example.com, direct connections are made to all
+ <SPAN
+CLASS="QUOTE"
+>"internal"</SPAN
+> domains, but everything outbound goes through
+ their ISP's proxy by way of example.com's corporate SOCKS 4A gateway to
+ the Internet.
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080
+ forward .example.com .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+><P
+> A rule that uses a SOCKS 4 gateway for all destinations but no HTTP parent looks like this:
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward-socks4 / socks-gw.example.com:1080 .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+><P
+> To chain Privoxy and Tor, both running on the same system, you would use
+ something like:
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward-socks4a / 127.0.0.1:9050 .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+><P
+> The public <SPAN
+CLASS="APPLICATION"
+>Tor</SPAN
+> network can't be used to
+ reach your local network, if you need to access local servers you
+ therefore might want to make some exceptions:
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward 192.168.*.*/ .
+ forward 10.*.*.*/ .
+ forward 127.*.*.*/ .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+><P
+> Unencrypted connections to systems in these address ranges will
+ be as (un)secure as the local network is, but the alternative is that you
+ can't reach the local network through <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+>
+ at all. Of course this may actually be desired and there is no reason
+ to make these exceptions if you aren't sure you need them.
+ </P
+><P
+> If you also want to be able to reach servers in your local network by
+ using their names, you will need additional exceptions that look like
+ this:
+ </P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="90%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward localhost/ .</PRE
+></TD
+></TR
+></TABLE
+>
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="SECT3"
+><H4
+CLASS="SECT3"
+><A
+NAME="ADVANCED-FORWARDING-EXAMPLES"
+>7.5.3. Advanced Forwarding Examples</A
+></H4
+><P
+> If you have links to multiple ISPs that provide various special content
+ only to their subscribers, you can configure multiple <SPAN
+CLASS="APPLICATION"
+>Privoxies</SPAN
+>
+ which have connections to the respective ISPs to act as forwarders to each other, so that
+ <SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>your</I
+></SPAN
+> users can see the internal content of all ISPs.</P
+><P
+> Assume that host-a has a PPP connection to isp-a.example.net. And host-b has a PPP connection to
+ isp-b.example.org. Both run <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+>. Their forwarding
+ configuration can look like this:</P
+><P
+> host-a:</P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward / .
+ forward .isp-b.example.net host-b:8118</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+> host-b:</P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward / .
+ forward .isp-a.example.org host-a:8118</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+> Now, your users can set their browser's proxy to use either
+ host-a or host-b and be able to browse the internal content
+ of both isp-a and isp-b.</P
+><P
+> If you intend to chain <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+> and
+ <SPAN
+CLASS="APPLICATION"
+>squid</SPAN
+> locally, then chaining as
+ <TT
+CLASS="LITERAL"
+>browser -> squid -> privoxy</TT
+> is the recommended way. </P
+><P
+> Assuming that <SPAN
+CLASS="APPLICATION"
+>Privoxy</SPAN
+> and <SPAN
+CLASS="APPLICATION"
+>squid</SPAN
+>
+ run on the same box, your <SPAN
+CLASS="APPLICATION"
+>squid</SPAN
+> configuration could then look like this:</P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> # Define Privoxy as parent proxy (without ICP)
+ cache_peer 127.0.0.1 parent 8118 7 no-query
+
+ # Define ACL for protocol FTP
+ acl ftp proto FTP
+
+ # Do not forward FTP requests to Privoxy
+ always_direct allow ftp
+
+ # Forward all the rest to Privoxy
+ never_direct allow all</PRE
+></TD
+></TR
+></TABLE
+></P
+><P
+> You would then need to change your browser's proxy settings to <SPAN
+CLASS="APPLICATION"
+>squid</SPAN
+>'s address and port.
+ Squid normally uses port 3128. If unsure consult <TT
+CLASS="LITERAL"
+>http_port</TT
+> in <TT
+CLASS="FILENAME"
+>squid.conf</TT
+>.</P
+><P
+> You could just as well decide to only forward requests you suspect
+ of leading to Windows executables through a virus-scanning parent proxy,
+ say, on <TT
+CLASS="LITERAL"
+>antivir.example.com</TT
+>, port 8010:</P
+><P
+> <TABLE
+BORDER="0"
+BGCOLOR="#E0E0E0"
+WIDTH="100%"
+><TR
+><TD
+><PRE
+CLASS="SCREEN"
+> forward / .
+ forward /.*\.(exe|com|dll|zip)$ antivir.example.com:8010</PRE
+></TD
+></TR
+></TABLE
+> </P
+></DIV
+><DIV
+CLASS="SECT3"
+><H4
+CLASS="SECT3"
+><A
+NAME="FORWARDED-CONNECT-RETRIES"
+>7.5.4. forwarded-connect-retries</A
+></H4
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>Specifies:</DT
+><DD
+><P
+> How often Privoxy retries if a forwarded connection request fails.
+ </P
+></DD
+><DT
+>Type of value:</DT
+><DD
+><P
+> <TT
+CLASS="REPLACEABLE"
+><I
+>Number of retries.</I
+></TT
+>
+ </P
+></DD
+><DT
+>Default value:</DT
+><DD
+><P
+><SPAN
+CLASS="emphasis"
+><I
+CLASS="EMPHASIS"
+>0</I
+></SPAN
+></P
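Review bot: The port range in the "Type of value" text for forward-socks4 and forward-socks4a reads "integer values from 1 to 64535", but TCP ports run from 1 to 65535, so the upper bound should be 65535; the sentence is also missing its closing period. In section 7.5.3 the rules do not match the prose around them: the text puts host-a on isp-a.example.net and host-b on isp-b.example.org, yet the rules are "forward .isp-b.example.net host-b:8118" on host-a and "forward .isp-a.example.org host-a:8118" on host-b, so neither pattern matches the ISP domain it is meant to hand off to the other host. Suggest ".isp-b.example.org" in the host-a rule and ".isp-a.example.net" in the host-b rule, or changing the prose to match the rules.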