+ </div>
+ </div>
+ <div class="SECT2">
+ <h2 class="SECT2"><a name="FORWARDING" id="FORWARDING">7.5. Forwarding</a></h2>
+ <p>This feature allows routing of HTTP requests through a chain of multiple proxies.</p>
+ <p>Forwarding can be used to chain Privoxy with a caching proxy to speed up browsing. Using a parent proxy may
+ also be necessary if the machine that <span class="APPLICATION">Privoxy</span> runs on has no direct Internet
+ access.</p>
+ <p>Note that parent proxies can severely decrease your privacy level. For example a parent proxy could add your
+ IP address to the request headers and if it's a caching proxy it may add the <span class="QUOTE">"Etag"</span>
+ header to revalidation requests again, even though you configured Privoxy to remove it. It may also ignore
+ Privoxy's header time randomization and use the original values which could be used by the server as cookie
+ replacement to track your steps between visits.</p>
+ <p>Also specified here are SOCKS proxies. <span class="APPLICATION">Privoxy</span> supports the SOCKS 4 and SOCKS
+ 4A protocols.</p>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="FORWARD" id="FORWARD">7.5.1. forward</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>To which parent HTTP proxy specific requests should be routed.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>target_pattern</i></tt> <tt class=
+ "REPLACEABLE"><i>http_parent</i></tt>[:<tt class="REPLACEABLE"><i>port</i></tt>]</p>
+ <p>where <tt class="REPLACEABLE"><i>target_pattern</i></tt> is a <a href=
+ "actions-file.html#AF-PATTERNS">URL pattern</a> that specifies to which requests (i.e. URLs) this forward
+ rule shall apply. Use <tt class="LITERAL">/</tt> to denote <span class="QUOTE">"all URLs"</span>.
+ <tt class="REPLACEABLE"><i>http_parent</i></tt>[:<tt class="REPLACEABLE"><i>port</i></tt>] is the DNS
+ name or IP address of the parent HTTP proxy through which the requests should be forwarded, optionally
+ followed by its listening port (default: 8000). Use a single dot (<tt class="LITERAL">.</tt>) to denote
+ <span class="QUOTE">"no forwarding"</span>.</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">Unset</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Don't use parent HTTP proxies.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>If <tt class="REPLACEABLE"><i>http_parent</i></tt> is <span class="QUOTE">"."</span>, then requests
+ are not forwarded to another HTTP proxy but are made directly to the web servers.</p>
+ <p><tt class="REPLACEABLE"><i>http_parent</i></tt> can be a numerical IPv6 address (if <a href=
+ "http://tools.ietf.org/html/rfc3493" target="_top">RFC 3493</a> is implemented). To prevent clashes with
+ the port delimiter, the whole IP address has to be put into brackets. On the other hand a <tt class=
+ "REPLACEABLE"><i>target_pattern</i></tt> containing an IPv6 address has to be put into angle brackets
+ (normal brackets are reserved for regular expressions already).</p>
+ <p>Multiple lines are OK, they are checked in sequence, and the last match wins.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>Everything goes to an example parent proxy, except SSL on port 443 (which it doesn't handle):</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward / parent-proxy.example.org:8080
+ forward :443 .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Everything goes to our example ISP's caching proxy, except for requests to that ISP's sites:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward / caching-proxy.isp.example.net:8000
+ forward .isp.example.net .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Parent proxy specified by an IPv6 address:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="PROGRAMLISTING"> forward / [2001:DB8::1]:8000</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Suppose your parent proxy doesn't support IPv6:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="PROGRAMLISTING"> forward / parent-proxy.example.org:8000
+ forward ipv6-server.example.org .
+ forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> .</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="SOCKS" id="SOCKS">7.5.2. forward-socks4, forward-socks4a, forward-socks5 and
+ forward-socks5t</a></h4><a name="FORWARD-SOCKS4" id="FORWARD-SOCKS4"></a><a name="FORWARD-SOCKS4A" id=
+ "FORWARD-SOCKS4A"></a>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Through which SOCKS proxy (and optionally to which parent HTTP proxy) specific requests should be
+ routed.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>target_pattern</i></tt> [<tt class=
+ "REPLACEABLE"><i>user</i></tt>:<tt class="REPLACEABLE"><i>pass</i></tt>@]<tt class=
+ "REPLACEABLE"><i>socks_proxy</i></tt>[:<tt class="REPLACEABLE"><i>port</i></tt>] <tt class=
+ "REPLACEABLE"><i>http_parent</i></tt>[:<tt class="REPLACEABLE"><i>port</i></tt>]</p>
+ <p>where <tt class="REPLACEABLE"><i>target_pattern</i></tt> is a <a href=
+ "actions-file.html#AF-PATTERNS">URL pattern</a> that specifies to which requests (i.e. URLs) this forward
+ rule shall apply. Use <tt class="LITERAL">/</tt> to denote <span class="QUOTE">"all URLs"</span>.
+ <tt class="REPLACEABLE"><i>http_parent</i></tt> and <tt class="REPLACEABLE"><i>socks_proxy</i></tt> are
+ IP addresses in dotted decimal notation or valid DNS names (<tt class=
+ "REPLACEABLE"><i>http_parent</i></tt> may be <span class="QUOTE">"."</span> to denote <span class=
+ "QUOTE">"no HTTP forwarding"</span>), and the optional <tt class="REPLACEABLE"><i>port</i></tt>
+ parameters are TCP ports, i.e. integer values from 1 to 65535. <tt class="REPLACEABLE"><i>user</i></tt>
+ and <tt class="REPLACEABLE"><i>pass</i></tt> can be used for SOCKS5 authentication if required.</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">Unset</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Don't use SOCKS proxies.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Multiple lines are OK, they are checked in sequence, and the last match wins.</p>
+ <p>The difference between <tt class="LITERAL">forward-socks4</tt> and <tt class=
+ "LITERAL">forward-socks4a</tt> is that in the SOCKS 4A protocol, the DNS resolution of the target
+ hostname happens on the SOCKS server, while in SOCKS 4 it happens locally.</p>
+ <p>With <tt class="LITERAL">forward-socks5</tt> the DNS resolution will happen on the remote server as
+ well.</p>
+ <p><tt class="LITERAL">forward-socks5t</tt> works like vanilla <tt class="LITERAL">forward-socks5</tt>
+ but lets <span class="APPLICATION">Privoxy</span> additionally use Tor-specific SOCKS extensions.
+ Currently the only supported SOCKS extension is optimistic data which can reduce the latency for the
+ first request made on a newly created connection.</p>
+ <p><tt class="REPLACEABLE"><i>socks_proxy</i></tt> and <tt class="REPLACEABLE"><i>http_parent</i></tt>
+ can be a numerical IPv6 address (if <a href="http://tools.ietf.org/html/rfc3493" target="_top">RFC
+ 3493</a> is implemented). To prevent clashes with the port delimiter, the whole IP address has to be put
+ into brackets. On the other hand a <tt class="REPLACEABLE"><i>target_pattern</i></tt> containing an IPv6
+ address has to be put into angle brackets (normal brackets are reserved for regular expressions
+ already).</p>
+ <p>If <tt class="REPLACEABLE"><i>http_parent</i></tt> is <span class="QUOTE">"."</span>, then requests
+ are not forwarded to another HTTP proxy but are made (HTTP-wise) directly to the web servers, albeit
+ through a SOCKS proxy.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>From the company example.com, direct connections are made to all <span class="QUOTE">"internal"</span>
+ domains, but everything outbound goes through their ISP's proxy by way of example.com's corporate SOCKS
+ 4A gateway to the Internet.</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class=
+ "SCREEN"> forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080
+ forward .example.com .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>A rule that uses a SOCKS 4 gateway for all destinations but no HTTP parent looks like this:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward-socks4 / socks-gw.example.com:1080 .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>To connect SOCKS5 proxy which requires username/password authentication:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward-socks5 / user:pass@socks-gw.example.com:1080 .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>To chain Privoxy and Tor, both running on the same system, you would use something like:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward-socks5t / 127.0.0.1:9050 .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Note that if you got Tor through one of the bundles, you may have to change the port from 9050 to 9150
+ (or even another one). For details, please check the documentation on the <a href=
+ "https://torproject.org/" target="_top">Tor website</a>.</p>
+ <p>The public <span class="APPLICATION">Tor</span> network can't be used to reach your local network, if
+ you need to access local servers you therefore might want to make some exceptions:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward 192.168.*.*/ .
+ forward 10.*.*.*/ .
+ forward 127.*.*.*/ .</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Unencrypted connections to systems in these address ranges will be as (un)secure as the local network
+ is, but the alternative is that you can't reach the local network through <span class=
+ "APPLICATION">Privoxy</span> at all. Of course this may actually be desired and there is no reason to
+ make these exceptions if you aren't sure you need them.</p>
+ <p>If you also want to be able to reach servers in your local network by using their names, you will need
+ additional exceptions that look like this:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward localhost/ .</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
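Review bot: The section 7.5 introduction still says "Privoxy supports the SOCKS 4 and SOCKS 4A protocols", while section 7.5.2 also documents forward-socks5 and forward-socks5t, so the introduction should list SOCKS 5 as well. The 7.5.2 heading carries named anchors only for FORWARD-SOCKS4 and FORWARD-SOCKS4A; adding anchors for the two SOCKS 5 directives would let other pages link to them. The "Type of value" text describes socks_proxy and http_parent as "IP addresses in dotted decimal notation or valid DNS names", which conflicts with the Notes paragraph that allows bracketed IPv6 addresses, so one of the two needs rewording. The user:pass@ example also places the SOCKS5 credentials in the configuration file in clear text, and a sentence recommending restrictive read permissions on that file would be worth adding next to it.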
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ADVANCED-FORWARDING-EXAMPLES" id="ADVANCED-FORWARDING-EXAMPLES">7.5.3. Advanced
+ Forwarding Examples</a></h4>
+ <p>If you have links to multiple ISPs that provide various special content only to their subscribers, you can
+ configure multiple <span class="APPLICATION">Privoxies</span> which have connections to the respective ISPs to
+ act as forwarders to each other, so that <span class="emphasis"><i class="EMPHASIS">your</i></span> users can
+ see the internal content of all ISPs.</p>
+ <p>Assume that host-a has a PPP connection to isp-a.example.net. And host-b has a PPP connection to
+ isp-b.example.org. Both run <span class="APPLICATION">Privoxy</span>. Their forwarding configuration can look
+ like this:</p>
+ <p>host-a:</p>
+ <table border="0" bgcolor="#E0E0E0" width="100%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward / .
+ forward .isp-b.example.net host-b:8118</pre>
+ </td>
+ </tr>
+ </table>
+ <p>host-b:</p>
+ <table border="0" bgcolor="#E0E0E0" width="100%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward / .
+ forward .isp-a.example.org host-a:8118</pre>
+ </td>
+ </tr>
+ </table>
+ <p>Now, your users can set their browser's proxy to use either host-a or host-b and be able to browse the
+ internal content of both isp-a and isp-b.</p>
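Review bot: The domains in the host-a and host-b forward rules do not match the prose that introduces them. The text gives host-a a link to isp-a.example.net and host-b a link to isp-b.example.org, but the rules match .isp-b.example.net and .isp-a.example.org, so as written neither pattern matches the ISP it is meant to reach. Suggest .isp-b.example.org in the host-a rule and .isp-a.example.net in the host-b rule, or changing the prose so both agree.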
+ <p>If you intend to chain <span class="APPLICATION">Privoxy</span> and <span class="APPLICATION">squid</span>
+ locally, then chaining as <tt class="LITERAL">browser -> squid -> privoxy</tt> is the recommended
+ way.</p>
+ <p>Assuming that <span class="APPLICATION">Privoxy</span> and <span class="APPLICATION">squid</span> run on the
+ same box, your <span class="APPLICATION">squid</span> configuration could then look like this:</p>
+ <table border="0" bgcolor="#E0E0E0" width="100%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Define Privoxy as parent proxy (without ICP)