X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;ds=sidebyside;f=doc%2Fwebserver%2Fuser-manual%2Fconfig.html;h=bef8710e5e009a2297b5c353d34885a619a29418;hb=098f3f996e9465705bc3e02b9454b99568c8e372;hp=5cad65b767b7b00502457d2d1143b20a64bd0b2f;hpb=1c4bd7276a5f733e283c0484803bfca670f76654;p=privoxy.git diff --git a/doc/webserver/user-manual/config.html b/doc/webserver/user-manual/config.html index 5cad65b7..bef8710e 100644 --- a/doc/webserver/user-manual/config.html +++ b/doc/webserver/user-manual/config.html @@ -1,1049 +1,554 @@ - + -
-- By default, the main configuration file is named config, with the exception of Windows, where it is - named config.txt. Configuration lines - consist of an initial keyword followed by a list of values, all - separated by whitespace (any number of spaces or tabs). For example: -
--
-- confdir /etc/privoxy -
- -- Assigns the value /etc/privoxy to the option - confdir and thus indicates that the - configuration directory is named "/etc/privoxy/". -
-- All options in the config file except for confdir and logdir are - optional. Watch out in the below description for what happens if you - leave them unset. -
-- The main config file controls all aspects of Privoxy's operation that are not location - dependent (i.e. they apply universally, no matter where you may be - surfing). Like the filter and action files, the config file is a - plain text file and can be modified with a text editor like emacs, - vim or notepad.exe. -
-- If you intend to operate Privoxy - for more users than just yourself, it might be a good idea to let - them know how to reach you, what you block and why you do that, - your policies, etc. -
-- Location of the Privoxy - User Manual. -
-- A fully qualified URI -
-- Unset -
-- https://www.privoxy.org/version/user-manual/ will be - used, where version is - the Privoxy version. -
-- The User Manual URI is the single best source of - information on Privoxy, - and is used for help links from some of the internal CGI - pages. The manual itself is normally packaged with the - binary distributions, so you probably want to set this to a - locally installed copy. -
-- Examples: -
-- The best all purpose solution is simply to put the full - local PATH to where the User Manual is located: -
--
-
+ user-manual /usr/share/doc/privoxy/user-manual+ |
+
The User Manual is then available to anyone with access to Privoxy, + by following the built-in URL: http://config.privoxy.org/user-manual/ (or the + shortcut: http://p.p/user-manual/).
+If the documentation is not on the local system, it can be accessed from a remote server, as:
+
+ user-manual http://example.com/privoxy/user-manual/+ |
+
-- user-manual /usr/share/doc/privoxy/user-manual -- |
+ Warning |
- The User Manual is then available to anyone with access to - Privoxy, by following the - built-in URL: http://config.privoxy.org/user-manual/ (or - the shortcut: http://p.p/user-manual/). -
-- If the documentation is not on the local system, it can be - accessed from a remote server, as: -
--
-
-- user-manual http://example.com/privoxy/user-manual/ -+ |
+ If set, this option should be the first option in + the config file, because it is used while the config file is being read on + start-up. |
- Warning - | -
- - If set, this option should be the first option in - the config file, because it is used - while the config file is being read on start-up. - - |
-
- A URL to be displayed in the error page that users will see - if access to an untrusted page is denied. -
-- URL -
-- Unset -
-- No links are displayed on the "untrusted" error page. -
-- The value of this option only matters if the experimental - trust mechanism has been activated. (See trustfile below.) -
-- If you use the trust mechanism, it is a good idea to write - up some on-line documentation about your trust policy and - to specify the URL(s) here. Use multiple times for multiple - URLs. -
-- The URL(s) should be added to the trustfile as well, so - users don't end up locked out from the information on why - they were locked out in the first place! -
-A URL to be displayed in the error page that users will see if access to an untrusted page is + denied.
+URL
+Unset
+No links are displayed on the "untrusted" error page.
+The value of this option only matters if the experimental trust mechanism has been activated. (See + trustfile + below.)
+If you use the trust mechanism, it is a good idea to write up some on-line documentation about your + trust policy and to specify the URL(s) here. Use multiple times for multiple URLs.
+The URL(s) should be added to the trustfile as well, so users don't end up locked out from the + information on why they were locked out in the first place!
+- An email address to reach the Privoxy administrator. -
-- Email address -
-- Unset -
-- No email address is displayed on error pages and the CGI - user interface. -
-- If both admin-address and proxy-info-url are unset, the whole - "Local Privoxy Support" box on all generated pages will not - be shown. -
-An email address to reach the Privoxy administrator.
+Email address
+Unset
+No email address is displayed on error pages and the CGI user interface.
+If both admin-address and proxy-info-url are unset, + the whole "Local Privoxy Support" box on all generated pages will not be shown.
+- A URL to documentation about the local Privoxy setup, configuration or - policies. -
-- URL -
-- Unset -
-- No link to local documentation is displayed on error pages - and the CGI user interface. -
-- If both admin-address and proxy-info-url are unset, the whole - "Local Privoxy Support" box on all generated pages will not - be shown. -
-- This URL shouldn't be blocked ;-) -
-A URL to documentation about the local Privoxy setup, configuration + or policies.
+URL
+Unset
+No link to local documentation is displayed on error pages and the CGI user interface.
+If both admin-address and proxy-info-url are unset, + the whole "Local Privoxy Support" box on all generated pages will not be shown.
+This URL shouldn't be blocked ;-)
+- Privoxy can (and normally does) - use a number of other files for additional configuration, help and - logging. This section of the configuration file tells Privoxy where to find those other files. -
-- The user running Privoxy, must - have read permission for all configuration files, and write - permission to any files that would be modified, such as log files - and actions files. -
-- The directory where the other configuration files are - located. -
-- Path name -
-- /etc/privoxy (Unix) or Privoxy installation dir (Windows) -
-- Mandatory -
-- No trailing "/", please. -
-Privoxy can (and normally does) use a number of other files for additional + configuration, help and logging. This section of the configuration file tells Privoxy where to find those other files.
+The user running Privoxy, must have read permission for all configuration + files, and write permission to any files that would be modified, such as log files and actions files.
+The directory where the other configuration files are located.
+Path name
+/etc/privoxy (Unix) or Privoxy installation dir (Windows)
+Mandatory
+No trailing "/", please.
+- An alternative directory where the templates are loaded - from. -
-- Path name -
-- unset -
-- The templates are assumed to be located in - confdir/template. -
-- Privoxy's original - templates are usually overwritten with each update. Use - this option to relocate customized templates that should be - kept. As template variables might change between updates, - you shouldn't expect templates to work with Privoxy releases other than the one - they were part of, though. -
-An alternative directory where the templates are loaded from.
+Path name
+unset
+The templates are assumed to be located in confdir/template.
+Privoxy's original templates are usually overwritten with each + update. Use this option to relocate customized templates that should be kept. As template variables might + change between updates, you shouldn't expect templates to work with Privoxy releases other than the one they were part of, though.
+- A directory where Privoxy can create temporary files. -
-- Path name -
-- unset -
-- No temporary files are created, external filters don't - work. -
-- To execute external - filters, Privoxy - has to create temporary files. This directive specifies the - directory the temporary files should be written to. -
-- It should be a directory only Privoxy (and trusted users) can - access. -
-A directory where Privoxy can create temporary files.
+Path name
+unset
+No temporary files are created, external filters don't work.
+To execute external + filters, Privoxy has to create temporary files. This directive + specifies the directory the temporary files should be written to.
+It should be a directory only Privoxy (and trusted users) can + access.
+- The directory where all logging takes place (i.e. where the - logfile is located). -
-- Path name -
-- /var/log/privoxy (Unix) or Privoxy installation dir (Windows) -
-- Mandatory -
-- No trailing "/", please. -
-The directory where all logging takes place (i.e. where the logfile is + located).
+Path name
+/var/log/privoxy (Unix) or Privoxy installation dir (Windows)
+Mandatory
+No trailing "/", please.
+- The actions file(s) to use -
-- Complete file name, relative to confdir -
-
- - match-all.action # Actions that are applied to all sites and maybe overruled later on. - - |
-
- - default.action # Main actions file - - |
-
- - user.action # User customizations - - |
-
- No actions are taken at all. More or less neutral proxying. -
-- Multiple actionsfile lines are - permitted, and are in fact recommended! -
-- The default values are default.action, which is the "main" actions file maintained by the - developers, and user.action, - where you can make your personal additions. -
-- Actions files contain all the per site and per URL - configuration for ad blocking, cookie management, privacy - considerations, etc. -
-The actions file(s) to use
+Complete file name, relative to confdir
+
+ + match-all.action # Actions that are applied to all sites and maybe overruled later on. + |
+
+ + default.action # Main actions file + |
+
+ + user.action # User customizations + |
+
No actions are taken at all. More or less neutral proxying.
+Multiple actionsfile lines are permitted, and are in fact recommended!
+The default values are default.action, which is the "main" actions file maintained by the developers, and user.action, where you can make your personal additions.
+Actions files contain all the per site and per URL configuration for ad blocking, cookie management, + privacy considerations, etc.
+- The filter file(s) to use -
-- File name, relative to confdir -
-- default.filter (Unix) or default.filter.txt (Windows) -
-- No textual content filtering takes place, i.e. all +filter{name} actions in the actions - files are turned neutral. -
-- Multiple filterfile lines are - permitted. -
-- The filter files contain - content modification rules that use regular expressions. These rules - permit powerful changes on the content of Web pages, and - optionally the headers as well, e.g., you could try to - disable your favorite JavaScript annoyances, re-write the - actual displayed text, or just have some fun playing - buzzword bingo with web pages. -
-- The +filter{name} actions rely on the - relevant filter (name) - to be defined in a filter file! -
-- A pre-defined filter file called default.filter that contains a number of - useful filters for common problems is included in the - distribution. See the section on the filter action for - a list. -
-- It is recommended to place any locally adapted filters into - a separate file, such as user.filter. -
-The filter file(s) to use
+File name, relative to confdir
+default.filter (Unix) or default.filter.txt + (Windows)
+No textual content filtering takes place, i.e. all +filter{name} actions in the + actions files are turned neutral.
+Multiple filterfile lines are permitted.
+The filter files contain content modification rules that use regular expressions. These rules permit powerful changes on the content of Web + pages, and optionally the headers as well, e.g., you could try to disable your favorite JavaScript + annoyances, re-write the actual displayed text, or just have some fun playing buzzword bingo with web + pages.
+The +filter{name} actions rely on the relevant filter (name) to be defined in a filter file!
+A pre-defined filter file called default.filter that contains a number of + useful filters for common problems is included in the distribution. See the section on the filter action for a list.
+It is recommended to place any locally adapted filters into a separate file, such as user.filter.
+- The log file to use -
-- File name, relative to logdir -
-- Unset (commented - out). When activated: logfile (Unix) or - privoxy.log (Windows). -
-- No logfile is written. -
-- The logfile is where all logging and error messages are - written. The level of detail and number of messages are set - with the debug option (see below). - The logfile can be useful for tracking down a problem with - Privoxy (e.g., it's not - blocking an ad you think it should block) and it can help - you to monitor what your browser is doing. -
-- Depending on the debug options below, the logfile may be a - privacy risk if third parties can get access to it. As most - users will never look at it, Privoxy only logs fatal errors by - default. -
-- For most troubleshooting purposes, you will have to change - that, please refer to the debugging section for details. -
-- Any log files must be writable by whatever user Privoxy is being run as (on - Unix, default user id is "privoxy"). -
-- To prevent the logfile from growing indefinitely, it is - recommended to periodically rotate or shorten it. Many - operating systems support log rotation out of the box, some - require additional software to do it. For details, please - refer to the documentation for your operating system. -
-The log file to use
+File name, relative to logdir
+Unset (commented out). When activated: logfile + (Unix) or privoxy.log (Windows).
+No logfile is written.
+The logfile is where all logging and error messages are written. The level of detail and number of + messages are set with the debug option (see below). The logfile can be useful + for tracking down a problem with Privoxy (e.g., it's not blocking an ad + you think it should block) and it can help you to monitor what your browser is doing.
+Depending on the debug options below, the logfile may be a privacy risk if third parties can get + access to it. As most users will never look at it, Privoxy only logs + fatal errors by default.
+For most troubleshooting purposes, you will have to change that, please refer to the debugging section + for details.
+Any log files must be writable by whatever user Privoxy is being run + as (on Unix, default user id is "privoxy").
+To prevent the logfile from growing indefinitely, it is recommended to periodically rotate or shorten + it. Many operating systems support log rotation out of the box, some require additional software to do + it. For details, please refer to the documentation for your operating system.
+- The name of the trust file to use -
-- File name, relative to confdir -
-- Unset (commented - out). When activated: trust (Unix) or trust.txt - (Windows) -
-- The entire trust mechanism is disabled. -
-- The trust mechanism is an experimental feature for building - white-lists and should be used with care. It is NOT - recommended for the casual user. -
-- If you specify a trust file, Privoxy will only allow access to - sites that are specified in the trustfile. Sites can be - listed in one of two ways: -
-- Prepending a ~ character limits - access to this site only (and any sub-paths within this - site), e.g. ~www.example.com - allows access to ~www.example.com/features/news.html, etc. -
-- Or, you can designate sites as trusted referrers, by - prepending the name with a + - character. The effect is that access to untrusted sites - will be granted -- but only if a link from this trusted - referrer was used to get there. The link target will then - be added to the "trustfile" so - that future, direct accesses will be granted. Sites added - via this mechanism do not become trusted referrers - themselves (i.e. they are added with a ~ designation). There is a limit of 512 such - entries, after which new entries will not be made. -
-- If you use the + operator in the - trust file, it may grow considerably over time. -
-- It is recommended that Privoxy be compiled with the --disable-force, --disable-toggle and --disable-editor options, if this feature is - to be used. -
-- Possible applications include limiting Internet access for - children. -
-The name of the trust file to use
+File name, relative to confdir
+Unset (commented out). When activated: trust + (Unix) or trust.txt (Windows)
+The entire trust mechanism is disabled.
+The trust mechanism is an experimental feature for building white-lists and should be used with care. + It is NOT recommended for the casual user.
+If you specify a trust file, Privoxy will only allow access to sites + that are specified in the trustfile. Sites can be listed in one of two ways:
+Prepending a ~ character limits access to this site only (and any sub-paths + within this site), e.g. ~www.example.com allows access to ~www.example.com/features/news.html, etc.
+Or, you can designate sites as trusted + referrers, by prepending the name with a + character. The effect is + that access to untrusted sites will be granted -- but only if a link from this trusted referrer was used + to get there. The link target will then be added to the "trustfile" so that + future, direct accesses will be granted. Sites added via this mechanism do not become trusted referrers + themselves (i.e. they are added with a ~ designation). There is a limit of 512 + such entries, after which new entries will not be made.
+If you use the + operator in the trust file, it may grow considerably over + time.
+It is recommended that Privoxy be compiled with the --disable-force, --disable-toggle and --disable-editor options, if this feature is to be used.
+Possible applications include limiting Internet access for children.
+- These options are mainly useful when tracing a problem. Note that - you might also want to invoke Privoxy with the --no-daemon command line option when debugging. -
-- Key values that determine what information gets logged. -
-- Integer values -
-- 0 (i.e.: only fatal errors (that cause Privoxy to exit) are - logged) -
-- Default value is used (see above). -
-- The available debug levels are: -
--
-
-- debug 1 # Log the destination for each request Privoxy let through. See also debug 1024. + + |
+
To select multiple debug levels, you can either add them or use multiple debug lines.
+A debug level of 1 is informative because it will show you each request as it happens. 1, 1024, 4096 and 8192 are recommended so that you will notice + when things go wrong. The other levels are probably only of interest if you are hunting down a specific + problem. They can produce a hell of an output (especially 16).
+If you are used to the more verbose settings, simply enable the debug lines below again.
+If you want to use pure CLF (Common Log Format), you should set "debug 512" + ONLY and not enable anything else.
+Privoxy has a hard-coded limit for the length of log messages. If + it's reached, messages are logged truncated and marked with "... [too long, + truncated]".
+Please don't file any support requests without trying to reproduce the problem with increased debug + level first. Once you read the log messages, you may even be able to solve the problem on your own.
+- Whether to run only one server thread. -
-- 1 or - 0 -
-- 0 -
-- Multi-threaded (or, where unavailable: forked) operation, - i.e. the ability to serve multiple requests simultaneously. -
-- This option is only there for debugging purposes. It will drastically - reduce performance. -
-Whether to run only one server thread.
+1 or 0
+0
+Multi-threaded (or, where unavailable: forked) operation, i.e. the ability to serve multiple requests + simultaneously.
+This option is only there for debugging purposes. It will + drastically reduce performance.
+- The hostname shown on the CGI pages. -
-- Text -
-- Unset -
-- The hostname provided by the operating system is used. -
-- On some misconfigured systems resolving the hostname fails - or takes too much time and slows Privoxy down. Setting a - fixed hostname works around the problem. -
-- In other circumstances it might be desirable to show a - hostname other than the one returned by the operating - system. For example if the system has several different - hostnames and you don't want to use the first one. -
-- Note that Privoxy does not validate the specified hostname - value. -
-The hostname shown on the CGI pages.
+Text
+Unset
+The hostname provided by the operating system is used.
+On some misconfigured systems resolving the hostname fails or takes too much time and slows Privoxy + down. Setting a fixed hostname works around the problem.
+In other circumstances it might be desirable to show a hostname other than the one returned by the + operating system. For example if the system has several different hostnames and you don't want to use the + first one.
+Note that Privoxy does not validate the specified hostname value.
+- This section of the config file controls the security-relevant - aspects of Privoxy's - configuration. -
-- The address and TCP port on which Privoxy will listen for client - requests. -
-- [IP-Address]:Port -
-- [Hostname]:Port -
-- 127.0.0.1:8118 -
-- Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is - suitable and recommended for home users who run Privoxy on the same machine as - their browser. -
-- You will need to configure your browser(s) to this proxy - address and port. -
-- If you already have another service running on port 8118, - or if you want to serve requests from other machines (e.g. - on your local network) as well, you will need to override - the default. -
-- You can use this statement multiple times to make Privoxy listen on more ports or - more IP addresses. Suitable if - your operating system does not support sharing IPv6 and IPv4 - protocols on the same socket. -
-- If a hostname is used instead of an IP address, Privoxy will try to resolve it - to an IP address and if there are multiple, use the first - one returned. -
-- If the address for the hostname isn't already known on the - system (for example because it's in /etc/hostname), this - may result in DNS traffic. -
-- If the specified address isn't available on the system, or - if the hostname can't be resolved, Privoxy will fail to start. -
-- IPv6 addresses containing colons have to be quoted by - brackets. They can only be used if Privoxy has been compiled with IPv6 - support. If you aren't sure if your version supports it, - have a look at http://config.privoxy.org/show-status. -
-- Some operating systems will prefer IPv6 to IPv4 addresses - even if the system has no IPv6 connectivity which is - usually not expected by the user. Some even rely on DNS to - resolve localhost which mean the "localhost" address used - may not actually be local. -
-- It is therefore recommended to explicitly configure the - intended IP address instead of relying on the operating - system, unless there's a strong reason not to. -
-- If you leave out the address, Privoxy will bind to all IPv4 - interfaces (addresses) on your machine and may become - reachable from the Internet and/or the local network. Be - aware that some GNU/Linux distributions modify that - behaviour without updating the documentation. Check for - non-standard patches if your Privoxy version behaves differently. -
-- If you configure Privoxy - to be reachable from the network, consider using access control lists (ACL's, see - below), and/or a firewall. -
-- If you open Privoxy to - untrusted users, you will also want to make sure that the - following actions are disabled: enable-edit-actions - and enable-remote-toggle -
-- Suppose you are running Privoxy on a machine which has the - address 192.168.0.1 on your local private network - (192.168.0.0) and has another outside connection with a - different address. You want it to serve requests from - inside only: -
--
-
-- listen-address 192.168.0.1:8118 -- |
-
- Suppose you are running Privoxy on an IPv6-capable machine and - you want it to listen on the IPv6 address of the loopback - device: -
--
-
-- listen-address [::1]:8118 -- |
-
This section of the config file controls the security-relevant aspects of Privoxy's configuration.
+The address and TCP port on which Privoxy will listen for client + requests.
+[IP-Address]:Port
+[Hostname]:Port
+127.0.0.1:8118
+Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is suitable and recommended for home users who run + Privoxy on the same machine as their browser.
+You will need to configure your browser(s) to this proxy address and port.
+If you already have another service running on port 8118, or if you want to serve requests from other + machines (e.g. on your local network) as well, you will need to override the default.
+You can use this statement multiple times to make Privoxy listen on + more ports or more IP addresses. Suitable if your operating system does not + support sharing IPv6 and IPv4 protocols on the + same socket.
+If a hostname is used instead of an IP address, Privoxy will try to + resolve it to an IP address and if there are multiple, use the first one returned.
+If the address for the hostname isn't already known on the system (for example because it's in + /etc/hostname), this may result in DNS traffic.
+If the specified address isn't available on the system, or if the hostname can't be resolved, + Privoxy will fail to start. On GNU/Linux, and other platforms that can + listen on not yet assigned IP addresses, Privoxy will start and will listen on the specified address + whenever the IP address is assigned to the system
+IPv6 addresses containing colons have to be quoted by brackets. They can only be used if Privoxy has been compiled with IPv6 support. If you aren't sure if your version + supports it, have a look at http://config.privoxy.org/show-status.
+Some operating systems will prefer IPv6 to IPv4 addresses even if the system has no IPv6 connectivity + which is usually not expected by the user. Some even rely on DNS to resolve localhost which mean the + "localhost" address used may not actually be local.
+It is therefore recommended to explicitly configure the intended IP address instead of relying on the + operating system, unless there's a strong reason not to.
+If you leave out the address, Privoxy will bind to all IPv4 + interfaces (addresses) on your machine and may become reachable from the Internet and/or the local + network. Be aware that some GNU/Linux distributions modify that behaviour without updating the + documentation. Check for non-standard patches if your Privoxy version + behaves differently.
+If you configure Privoxy to be reachable from the network, consider + using access control lists (ACL's, see below), and/or a firewall.
+If you open Privoxy to untrusted users, you will also want to make + sure that the following actions are disabled: enable-edit-actions and enable-remote-toggle
+Suppose you are running Privoxy on a machine which has the address + 192.168.0.1 on your local private network (192.168.0.0) and has another outside connection with a + different address. You want it to serve requests from inside only:
+
+ listen-address 192.168.0.1:8118+ |
+
Suppose you are running Privoxy on an IPv6-capable machine and you + want it to listen on the IPv6 address of the loopback device:
+
+ listen-address [::1]:8118+ |
+
- Initial state of "toggle" status -
-- 1 or 0 -
-- 1 -
-- Act as if toggled on -
-- If set to 0, Privoxy will - start in "toggled off" mode, - i.e. mostly behave like a normal, content-neutral proxy - with both ad blocking and content filtering disabled. See - enable-remote-toggle below. -
-Initial state of "toggle" status
+1 or 0
+1
+Act as if toggled on
+If set to 0, Privoxy will start in "toggled + off" mode, i.e. mostly behave like a normal, content-neutral proxy with both ad blocking and + content filtering disabled. See enable-remote-toggle below.
+- Whether or not the web-based - toggle feature may be used -
-- 0 or 1 -
-- 0 -
-- The web-based toggle feature is disabled. -
-- When toggled off, Privoxy - mostly acts like a normal, content-neutral proxy, i.e. - doesn't block ads or filter content. -
-- Access to the toggle feature can not be controlled separately by - "ACLs" or HTTP authentication, - so that everybody who can access Privoxy (see "ACLs" and listen-address above) can toggle it for all - users. So this option is not recommended for multi-user - environments with untrusted users. -
-- Note that malicious client side code (e.g Java) is also - capable of using this option. -
-- As a lot of Privoxy users - don't read documentation, this feature is disabled by - default. -
-- Note that you must have compiled Privoxy with support for this feature, - otherwise this option has no effect. -
-Whether or not the web-based toggle + feature may be used
+0 or 1
+0
+The web-based toggle feature is disabled.
+When toggled off, Privoxy mostly acts like a normal, content-neutral + proxy, i.e. doesn't block ads or filter content.
+Access to the toggle feature can not be + controlled separately by "ACLs" or HTTP authentication, so that everybody who + can access Privoxy (see "ACLs" and listen-address above) can toggle it for all users. So this option is not recommended for multi-user environments with untrusted + users.
+Note that malicious client side code (e.g Java) is also capable of using this option.
+As a lot of Privoxy users don't read documentation, this feature is + disabled by default.
+Note that you must have compiled Privoxy with support for this + feature, otherwise this option has no effect.
+- Whether or not Privoxy recognizes special HTTP headers to - change its behaviour. -
-- 0 or 1 -
-- 0 -
-- Privoxy ignores special HTTP headers. -
-- When toggled on, the client can change Privoxy's behaviour by setting special - HTTP headers. Currently the only supported special header - is "X-Filter: No", to disable - filtering for the ongoing request, even if it is enabled in - one of the action files. -
-- This feature is disabled by default. If you are using Privoxy in a environment with - trusted clients, you may enable this feature at your - discretion. Note that malicious client side code (e.g Java) - is also capable of using this feature. -
-- This option will be removed in future releases as it has - been obsoleted by the more general header taggers. -
-Whether or not Privoxy recognizes special HTTP headers to change its behaviour.
+0 or 1
+0
+Privoxy ignores special HTTP headers.
+When toggled on, the client can change Privoxy's behaviour by setting + special HTTP headers. Currently the only supported special header is "X-Filter: + No", to disable filtering for the ongoing request, even if it is enabled in one of the action + files.
+This feature is disabled by default. If you are using Privoxy in a + environment with trusted clients, you may enable this feature at your discretion. Note that malicious + client side code (e.g Java) is also capable of using this feature.
+This option will be removed in future releases as it has been obsoleted by the more general header + taggers.
+- Whether or not the web-based actions file editor may be used -
-- 0 or 1 -
-- 0 -
-- The web-based actions file editor is disabled. -
-- Access to the editor can not be controlled separately by "ACLs" or HTTP authentication, so that - everybody who can access Privoxy (see "ACLs" and listen-address above) can modify its - configuration for all users. -
-- This option is not recommended for environments with - untrusted users and as a lot of Privoxy users don't read - documentation, this feature is disabled by default. -
-- Note that malicious client side code (e.g Java) is also - capable of using the actions editor and you shouldn't - enable this options unless you understand the consequences - and are sure your browser is configured correctly. -
-- Note that you must have compiled Privoxy with support for this feature, - otherwise this option has no effect. -
-Whether or not the web-based actions + file editor may be used
+0 or 1
+0
+The web-based actions file editor is disabled.
+Access to the editor can not be controlled + separately by "ACLs" or HTTP authentication, so that everybody who can access + Privoxy (see "ACLs" and listen-address above) can modify its configuration for all users.
+This option is not recommended for environments + with untrusted users and as a lot of Privoxy users don't read + documentation, this feature is disabled by default.
+Note that malicious client side code (e.g Java) is also capable of using the actions editor and you + shouldn't enable this options unless you understand the consequences and are sure your browser is + configured correctly.
+Note that you must have compiled Privoxy with support for this + feature, otherwise this option has no effect.
+- Whether the user is allowed to ignore blocks and can "go there anyway". -
-- 0 or 1 -
-- 0 -
-- Blocks are not enforced. -
-- Privoxy is mainly used to - block and filter requests as a service to the user, for - example to block ads and other junk that clogs the pipes. - Privoxy's configuration - isn't perfect and sometimes innocent pages are blocked. In - this situation it makes sense to allow the user to enforce - the request and have Privoxy ignore the block. -
-- In the default configuration Privoxy's "Blocked" page contains a "go there anyway" link to adds a special - string (the force prefix) to the request URL. If that link - is used, Privoxy will - detect the force prefix, remove it again and let the - request pass. -
-- Of course Privoxy can also - be used to enforce a network policy. In that case the user - obviously should not be able to bypass any blocks, and - that's what the "enforce-blocks" - option is for. If it's enabled, Privoxy hides the "go there anyway" link. If the user adds the - force prefix by hand, it will not be accepted and the - circumvention attempt is logged. -
-- enforce-blocks 1 -
-Whether the user is allowed to ignore blocks and can "go there anyway".
+0 or 1
+0
+Blocks are not enforced.
+Privoxy is mainly used to block and filter requests as a service to + the user, for example to block ads and other junk that clogs the pipes. Privoxy's configuration isn't perfect and sometimes innocent pages are blocked. In + this situation it makes sense to allow the user to enforce the request and have Privoxy ignore the block.
+In the default configuration Privoxy's "Blocked" page contains a "go there anyway" link to adds a + special string (the force prefix) to the request URL. If that link is used, Privoxy will detect the force prefix, remove it again and let the request pass.
+Of course Privoxy can also be used to enforce a network policy. In + that case the user obviously should not be able to bypass any blocks, and that's what the "enforce-blocks" option is for. If it's enabled, Privoxy + hides the "go there anyway" link. If the user adds the force prefix by hand, + it will not be accepted and the circumvention attempt is logged.
+enforce-blocks 1
+- Who can access what. -
-- src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]] -
-- Where src_addr and dst_addr are IPv4 addresses - in dotted decimal notation or valid DNS names, port is a port number, and src_masklen and dst_masklen are subnet masks in - CIDR notation, i.e. integer values from 2 to 30 - representing the length (in bits) of the network address. - The masks and the whole destination part are optional. -
-- If your system implements RFC - 3493, then src_addr - and dst_addr can be - IPv6 addresses delimeted by brackets, port can be a number or a service - name, and src_masklen - and dst_masklen can be - a number from 0 to 128. -
-- Unset -
-- If no port is - specified, any port will match. If no src_masklen or src_masklen is given, the - complete IP address has to match (i.e. 32 bits for IPv4 and - 128 bits for IPv6). -
-- Don't restrict access further than implied by listen-address -
-- Access controls are included at the request of ISPs and - systems administrators, and are not usually needed by individual - users. For a typical home user, it will normally - suffice to ensure that Privoxy only listens on the localhost - (127.0.0.1) or internal (home) network address by means of - the listen-address option. -
-- Please see the warnings in the FAQ that Privoxy is not intended to be a - substitute for a firewall or to encourage anyone to defer - addressing basic security weaknesses. -
-- Multiple ACL lines are OK. If any ACLs are specified, Privoxy only talks to IP - addresses that match at least one permit-access line and don't match any - subsequent deny-access line. In - other words, the last match wins, with the default being - deny-access. -
-- If Privoxy is using a - forwarder (see forward below) for - a particular destination URL, the dst_addr that is examined is the - address of the forwarder and NOT the address of the ultimate - target. This is necessary because it may be impossible for - the local Privoxy to - determine the IP address of the ultimate target (that's - often what gateways are used for). -
-- You should prefer using IP addresses over DNS names, - because the address lookups take time. All DNS names must - resolve! You can not use domain patterns like "*.org" or partial domain names. If a - DNS name resolves to multiple IP addresses, only the first - one is used. -
-- Some systems allow IPv4 clients to connect to IPv6 server - sockets. Then the client's IPv4 address will be translated - by the system into IPv6 address space with special prefix - ::ffff:0:0/96 (so called IPv4 mapped IPv6 address). Privoxy can handle it and maps - such ACL addresses automatically. -
-- Denying access to particular sites by ACL may have - undesired side effects if the site in question is hosted on - a machine which also hosts other sites (most sites are). -
-- Explicitly define the default behavior if no ACL and listen-address are set: "localhost" is OK. The absence of a dst_addr implies that all - destination addresses are OK: -
--
-
-- permit-access localhost -- |
-
- Allow any host on the same class C subnet as - www.privoxy.org access to nothing but www.example.com (or - other domains hosted on the same system): -
--
-
-- permit-access www.privoxy.org/24 www.example.com/32 -- |
-
- Allow access from any host on the 26-bit subnet - 192.168.45.64 to anywhere, with the exception that - 192.168.45.73 may not access the IP address behind - www.dirty-stuff.example.com: -
--
-
-- permit-access 192.168.45.64/26 - deny-access 192.168.45.73 www.dirty-stuff.example.com -- |
-
- Allow access from the IPv4 network 192.0.2.0/24 even if - listening on an IPv6 wild card address (not supported on - all platforms): -
--
-
-- permit-access 192.0.2.0/24 -- |
-
- This is equivalent to the following line even if listening - on an IPv4 address (not supported on all platforms): -
--
-
-- permit-access [::ffff:192.0.2.0]/120 -- |
-
Who can access what.
+src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
+Where src_addr and dst_addr + are IPv4 addresses in dotted decimal notation or valid DNS names, port is a port number, and src_masklen and + dst_masklen are subnet masks in CIDR notation, i.e. integer values + from 2 to 30 representing the length (in bits) of the network address. The masks and the whole + destination part are optional.
+If your system implements RFC 3493, + then src_addr and dst_addr can be + IPv6 addresses delimeted by brackets, port can be a number or a + service name, and src_masklen and dst_masklen can be a number from 0 to 128.
+Unset
+If no port is specified, any port will match. If no src_masklen or src_masklen is given, the + complete IP address has to match (i.e. 32 bits for IPv4 and 128 bits for IPv6).
+Don't restrict access further than implied by listen-address
+Access controls are included at the request of ISPs and systems administrators, and are not usually needed by individual users. For a typical home + user, it will normally suffice to ensure that Privoxy only listens on + the localhost (127.0.0.1) or internal (home) network address by means of the listen-address + option.
+Please see the warnings in the FAQ that Privoxy is not intended to be + a substitute for a firewall or to encourage anyone to defer addressing basic security weaknesses.
+Multiple ACL lines are OK. If any ACLs are specified, Privoxy only + talks to IP addresses that match at least one permit-access line and don't match + any subsequent deny-access line. In other words, the last match wins, with the + default being deny-access.
+If Privoxy is using a forwarder (see forward + below) for a particular destination URL, the dst_addr that is + examined is the address of the forwarder and NOT + the address of the ultimate target. This is necessary because it may be impossible for the local + Privoxy to determine the IP address of the ultimate target (that's often + what gateways are used for).
+You should prefer using IP addresses over DNS names, because the address lookups take time. All DNS + names must resolve! You can not use domain patterns + like "*.org" or partial domain names. If a DNS name resolves to multiple IP + addresses, only the first one is used.
+Some systems allow IPv4 clients to connect to IPv6 server sockets. Then the client's IPv4 address will + be translated by the system into IPv6 address space with special prefix ::ffff:0:0/96 (so called IPv4 + mapped IPv6 address). Privoxy can handle it and maps such ACL addresses + automatically.
+Denying access to particular sites by ACL may have undesired side effects if the site in question is + hosted on a machine which also hosts other sites (most sites are).
+Explicitly define the default behavior if no ACL and listen-address are set: + "localhost" is OK. The absence of a dst_addr implies that all + destination addresses are OK:
+
+ permit-access localhost+ |
+
Allow any host on the same class C subnet as www.privoxy.org access to nothing but www.example.com (or + other domains hosted on the same system):
+
+ permit-access www.privoxy.org/24 www.example.com/32+ |
+
Allow access from any host on the 26-bit subnet 192.168.45.64 to anywhere, with the exception that + 192.168.45.73 may not access the IP address behind www.dirty-stuff.example.com:
+
+ permit-access 192.168.45.64/26 + deny-access 192.168.45.73 www.dirty-stuff.example.com+ |
+
Allow access from the IPv4 network 192.0.2.0/24 even if listening on an IPv6 wild card address (not + supported on all platforms):
+
+ permit-access 192.0.2.0/24+ |
+
This is equivalent to the following line even if listening on an IPv4 address (not supported on all + platforms):
+
+ permit-access [::ffff:192.0.2.0]/120+ |
+
- Maximum size of the buffer for content filtering. -
-- Size in Kbytes -
-- 4096 -
-- Use a 4MB (4096 KB) limit. -
-- For content filtering, i.e. the +filter and +deanimate-gif actions, it is necessary that - Privoxy buffers the entire - document body. This can be potentially dangerous, since a - server could just keep sending data indefinitely and wait - for your RAM to exhaust -- with nasty consequences. Hence - this option. -
-- When a document buffer size reaches the buffer-limit, it is flushed to the client - unfiltered and no further attempt to filter the rest of the - document is made. Remember that there may be multiple - threads running, which might require up to buffer-limit Kbytes each, unless you - have enabled "single-threaded" - above. -
-Maximum size of the buffer for content filtering.
+Size in Kbytes
+4096
+Use a 4MB (4096 KB) limit.
+For content filtering, i.e. the +filter and +deanimate-gif actions, it is necessary that Privoxy + buffers the entire document body. This can be potentially dangerous, since a server could just keep + sending data indefinitely and wait for your RAM to exhaust -- with nasty consequences. Hence this + option.
+When a document buffer size reaches the buffer-limit, it is flushed to the + client unfiltered and no further attempt to filter the rest of the document is made. Remember that there + may be multiple threads running, which might require up to buffer-limit Kbytes + each, unless you have enabled "single-threaded" above.
+- Whether or not proxy authentication through Privoxy should work. -
-- 0 or 1 -
-- 0 -
-- Proxy authentication headers are removed. -
-- Privoxy itself does not support proxy authentication, but - can allow clients to authenticate against Privoxy's parent - proxy. -
-- By default Privoxy (3.0.21 and later) don't do that and - remove Proxy-Authorization headers in requests and - Proxy-Authenticate headers in responses to make it harder - for malicious sites to trick inexperienced users into - providing login information. -
-- If this option is enabled the headers are forwarded. -
-- Enabling this option is not recommended if there is no parent - proxy that requires authentication or if the local network - between Privoxy and the parent proxy isn't trustworthy. If - proxy authentication is only required for some requests, it - is recommended to use a client header filter to remove the - authentication headers for requests where they aren't - needed. -
-Whether or not proxy authentication through Privoxy should work.
+0 or 1
+0
+Proxy authentication headers are removed.
+Privoxy itself does not support proxy authentication, but can allow clients to authenticate against + Privoxy's parent proxy.
+By default Privoxy (3.0.21 and later) don't do that and remove Proxy-Authorization headers in requests + and Proxy-Authenticate headers in responses to make it harder for malicious sites to trick inexperienced + users into providing login information.
+If this option is enabled the headers are forwarded.
+Enabling this option is not recommended if there + is no parent proxy that requires authentication or if the local network between Privoxy and the parent + proxy isn't trustworthy. If proxy authentication is only required for some requests, it is recommended to + use a client header filter to remove the authentication headers for requests where they aren't + needed.
+- This feature allows routing of HTTP requests through a chain of - multiple proxies. -
-- Forwarding can be used to chain Privoxy with a caching proxy to - speed up browsing. Using a parent proxy may also be necessary if - the machine that Privoxy runs on - has no direct Internet access. -
-- Note that parent proxies can severely decrease your privacy level. - For example a parent proxy could add your IP address to the request - headers and if it's a caching proxy it may add the "Etag" header to revalidation requests again, even - though you configured Privoxy to remove it. It may also ignore - Privoxy's header time randomization and use the original values - which could be used by the server as cookie replacement to track - your steps between visits. -
-- Also specified here are SOCKS proxies. Privoxy supports the SOCKS 4 and SOCKS 4A - protocols. -
-- To which parent HTTP proxy specific requests should be - routed. -
-- target_pattern http_parent[:port] -
-- where target_pattern is - a URL pattern - that specifies to which requests (i.e. URLs) this forward - rule shall apply. Use / to denote - "all URLs". http_parent[:port] is the DNS name or IP - address of the parent HTTP proxy through which the requests - should be forwarded, optionally followed by its listening - port (default: 8000). Use a single dot (.) to denote "no - forwarding". -
-- Unset -
-- Don't use parent HTTP proxies. -
-- If http_parent is ".", then requests are not forwarded - to another HTTP proxy but are made directly to the web - servers. -
-- http_parent can be a - numerical IPv6 address (if RFC - 3493 is implemented). To prevent clashes with the port - delimiter, the whole IP address has to be put into - brackets. On the other hand a target_pattern containing an IPv6 - address has to be put into angle brackets (normal brackets - are reserved for regular expressions already). -
-- Multiple lines are OK, they are checked in sequence, and - the last match wins. -
-- Everything goes to an example parent proxy, except SSL on - port 443 (which it doesn't handle): -
--
-
-- forward / parent-proxy.example.org:8080 - forward :443 . -- |
-
- Everything goes to our example ISP's caching proxy, except - for requests to that ISP's sites: -
--
-
-- forward / caching-proxy.isp.example.net:8000 - forward .isp.example.net . -- |
+ Warning |
- Parent proxy specified by an IPv6 address: -
--
-
-- forward / [2001:DB8::1]:8000 -+ |
+ Declaring pages the admin doesn't control trustworthy may allow malicious third parties to + modify Privoxy's internal state against the user's wishes and without the user's knowledge. |
- Suppose your parent proxy doesn't support IPv6: -
--
-
-- forward / parent-proxy.example.org:8000 - forward ipv6-server.example.org . - forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> . -- |
-
- Through which SOCKS proxy (and optionally to which parent - HTTP proxy) specific requests should be routed. -
-- target_pattern socks_proxy[:port] http_parent[:port] -
-- where target_pattern is - a URL pattern - that specifies to which requests (i.e. URLs) this forward - rule shall apply. Use / to denote - "all URLs". http_parent and socks_proxy are IP addresses in - dotted decimal notation or valid DNS names (http_parent may be "." to denote "no HTTP - forwarding"), and the optional port parameters are TCP ports, - i.e. integer values from 1 to 65535 -
-- Unset -
-- Don't use SOCKS proxies. -
-- Multiple lines are OK, they are checked in sequence, and - the last match wins. -
-- The difference between forward-socks4 and forward-socks4a is that in the SOCKS 4A - protocol, the DNS resolution of the target hostname happens - on the SOCKS server, while in SOCKS 4 it happens locally. -
-- With forward-socks5 the DNS - resolution will happen on the remote server as well. -
-- forward-socks5t works like vanilla - forward-socks5 but lets Privoxy additionally use - Tor-specific SOCKS extensions. Currently the only supported - SOCKS extension is optimistic data which can reduce the - latency for the first request made on a newly created - connection. -
-- socks_proxy and http_parent can be a - numerical IPv6 address (if RFC - 3493 is implemented). To prevent clashes with the port - delimiter, the whole IP address has to be put into - brackets. On the other hand a target_pattern containing an IPv6 - address has to be put into angle brackets (normal brackets - are reserved for regular expressions already). -
-- If http_parent is ".", then requests are not forwarded - to another HTTP proxy but are made (HTTP-wise) directly to - the web servers, albeit through a SOCKS proxy. -
-- From the company example.com, direct connections are made - to all "internal" domains, but - everything outbound goes through their ISP's proxy by way - of example.com's corporate SOCKS 4A gateway to the - Internet. -
--
-
-- forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080 - forward .example.com . -- |
-
- A rule that uses a SOCKS 4 gateway for all destinations but - no HTTP parent looks like this: -
--
-
-- forward-socks4 / socks-gw.example.com:1080 . -- |
-
- To chain Privoxy and Tor, both running on the same system, - you would use something like: -
--
-
-- forward-socks5t / 127.0.0.1:9050 . -- |
+ Warning |
- Note that if you got Tor through one of the bundles, you - may have to change the port from 9050 to 9150 (or even - another one). For details, please check the documentation - on the Tor - website. -
-- The public Tor network - can't be used to reach your local network, if you need to - access local servers you therefore might want to make some - exceptions: -
--
-
-- forward 192.168.*.*/ . - forward 10.*.*.*/ . - forward 127.*.*.*/ . -+ |
+ Declaring domains the admin doesn't control trustworthy may allow malicious third parties to + modify Privoxy's internal state against the user's wishes and without the user's knowledge. |
- Unencrypted connections to systems in these address ranges - will be as (un)secure as the local network is, but the - alternative is that you can't reach the local network - through Privoxy at all. Of - course this may actually be desired and there is no reason - to make these exceptions if you aren't sure you need them. -
-- If you also want to be able to reach servers in your local - network by using their names, you will need additional - exceptions that look like this: -
--
-
-- forward localhost/ . -- |
-
- If you have links to multiple ISPs that provide various special - content only to their subscribers, you can configure multiple - Privoxies which have connections - to the respective ISPs to act as forwarders to each other, so - that your - users can see the internal content of all ISPs. -
-- Assume that host-a has a PPP connection to isp-a.example.net. And - host-b has a PPP connection to isp-b.example.org. Both run Privoxy. Their forwarding - configuration can look like this: -
-- host-a: -
--
-
-- forward / . - forward .isp-b.example.net host-b:8118 -- |
-
- host-b: -
--
-
-- forward / . - forward .isp-a.example.org host-a:8118 -- |
-
- Now, your users can set their browser's proxy to use either - host-a or host-b and be able to browse the internal content of - both isp-a and isp-b. -
-- If you intend to chain Privoxy - and squid locally, then chaining - as browser -> squid -> privoxy is - the recommended way. -
-- Assuming that Privoxy and squid run on the same box, your squid configuration could then look - like this: -
--
-
-- # Define Privoxy as parent proxy (without ICP) + + + |
+
You would then need to change your browser's proxy settings to squid's + address and port. Squid normally uses port 3128. If unsure consult http_port in + squid.conf.
+You could just as well decide to only forward requests you suspect of leading to Windows executables through + a virus-scanning parent proxy, say, on antivir.example.com, port 8010:
+
+ forward / . + forward /.*\.(exe|com|dll|zip)$ antivir.example.com:8010+ |
+
How often Privoxy retries if a forwarded connection request fails.
+Number of retries.
+0
+Connections forwarded through other proxies are treated like direct connections and no retry attempts + are made.
+forwarded-connect-retries is mainly interesting for socks4a + connections, where Privoxy can't detect why the connections failed. The + connection might have failed because of a DNS timeout in which case a retry makes sense, but it might + also have failed because the server doesn't exist or isn't reachable. In this case the retry will just + delay the appearance of Privoxy's error message.
+Note that in the context of this option, "forwarded connections" includes + all connections that Privoxy forwards through other proxies. This option is not limited to the HTTP + CONNECT method.
+Only use this option, if you are getting lots of forwarding-related error messages that go away when + you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see + how many retries are usually needed.
+forwarded-connect-retries 1
+- How often Privoxy retries if a forwarded connection request - fails. -
-- Number of retries. -
-- 0 -
-- Connections forwarded through other proxies are treated - like direct connections and no retry attempts are made. -
-- forwarded-connect-retries is - mainly interesting for socks4a connections, where Privoxy can't detect why the - connections failed. The connection might have failed - because of a DNS timeout in which case a retry makes sense, - but it might also have failed because the server doesn't - exist or isn't reachable. In this case the retry will just - delay the appearance of Privoxy's error message. -
-- Note that in the context of this option, "forwarded connections" includes all - connections that Privoxy forwards through other proxies. - This option is not limited to the HTTP CONNECT method. -
-- Only use this option, if you are getting lots of - forwarding-related error messages that go away when you try - again manually. Start with a small value and check - Privoxy's logfile from time to time, to see how many - retries are usually needed. -
-- forwarded-connect-retries 1 -
-Whether intercepted requests should be treated as valid.
+0 or 1
+0
+Only proxy requests are accepted, intercepted requests are treated as invalid.
+If you don't trust your clients and want to force them to use Privoxy, enable this option and configure your packet filter to redirect outgoing + HTTP connections into Privoxy.
+Note that intercepting encrypted connections (HTTPS) isn't supported.
+Make sure that Privoxy's own requests aren't redirected as well. + Additionally take care that Privoxy can't intentionally connect to + itself, otherwise you could run into redirection loops if Privoxy's + listening port is reachable by the outside or an attacker has access to the pages you visit.
+If you are running Privoxy as intercepting proxy without being able to intercept all client requests + you may want to adjust the CGI templates to make sure they don't reference content from + config.privoxy.org.
+accept-intercepted-requests 1
+- Whether intercepted requests should be treated as valid. -
-- 0 or 1 -
-- 0 -
-- Only proxy requests are accepted, intercepted requests are - treated as invalid. -
-- If you don't trust your clients and want to force them to - use Privoxy, enable this - option and configure your packet filter to redirect - outgoing HTTP connections into Privoxy. -
-- Note that intercepting encrypted connections (HTTPS) isn't - supported. -
-- Make sure that Privoxy's - own requests aren't redirected as well. Additionally take - care that Privoxy can't - intentionally connect to itself, otherwise you could run - into redirection loops if Privoxy's listening port is reachable - by the outside or an attacker has access to the pages you - visit. -
-- If you are running Privoxy as intercepting proxy without - being able to intercept all client requests you may want to - adjust the CGI templates to make sure they don't reference - content from config.privoxy.org. -
-- accept-intercepted-requests 1 -
-Whether requests to Privoxy's CGI pages can be blocked or + redirected.
+0 or 1
+0
+Privoxy ignores block and redirect actions for its CGI pages.
+By default Privoxy ignores block or redirect actions for its CGI + pages. Intercepting these requests can be useful in multi-user setups to implement fine-grained access + control, but it can also render the complete web interface useless and make debugging problems painful if + done without care.
+Don't enable this option unless you're sure that you really need it.
+allow-cgi-request-crunching 1
+- Whether requests to Privoxy's CGI pages can be blocked or - redirected. -
-- 0 or 1 -
-- 0 -
-- Privoxy ignores block and - redirect actions for its CGI pages. -
-- By default Privoxy ignores - block or redirect actions for its CGI pages. Intercepting - these requests can be useful in multi-user setups to - implement fine-grained access control, but it can also - render the complete web interface useless and make - debugging problems painful if done without care. -
-- Don't enable this option unless you're sure that you really - need it. -
-- allow-cgi-request-crunching 1 -
-Whether the CGI interface should stay compatible with broken HTTP clients.
+0 or 1
+0
+The CGI form generate long GET URLs.
+Privoxy's CGI forms can lead to rather long URLs. This isn't a + problem as far as the HTTP standard is concerned, but it can confuse clients with arbitrary URL length + limitations.
+Enabling split-large-forms causes Privoxy to divide big forms into + smaller ones to keep the URL length down. It makes editing a lot less convenient and you can no longer + submit all changes at once, but at least it works around this browser bug.
+If you don't notice any editing problems, there is no reason to enable this option, but if one of the + submit buttons appears to be broken, you should give it a try.
+split-large-forms 1
+- Whether the CGI interface should stay compatible with - broken HTTP clients. -
-- 0 or 1 -
-- 0 -
-- The CGI form generate long GET URLs. -
-- Privoxy's CGI forms can - lead to rather long URLs. This isn't a problem as far as - the HTTP standard is concerned, but it can confuse clients - with arbitrary URL length limitations. -
-- Enabling split-large-forms causes Privoxy to divide big forms into - smaller ones to keep the URL length down. It makes editing - a lot less convenient and you can no longer submit all - changes at once, but at least it works around this browser - bug. -
-- If you don't notice any editing problems, there is no - reason to enable this option, but if one of the submit - buttons appears to be broken, you should give it a try. -
-- split-large-forms 1 -
-Number of seconds after which an open connection will no longer be reused.
+Time in seconds.
+None
+Connections are not kept alive.
+This option allows clients to keep the connection to Privoxy alive. + If the server supports it, Privoxy will keep the connection to the + server alive as well. Under certain circumstances this may result in speed-ups.
+By default, Privoxy will close the connection to the server if the + client connection gets closed, or if the specified timeout has been reached without a new request coming + in. This behaviour can be changed with the connection-sharing option.
+This option has no effect if Privoxy has been compiled without + keep-alive support.
+Note that a timeout of five seconds as used in the default configuration file significantly decreases + the number of connections that will be reused. The value is used because some browsers limit the number + of connections they open to a single host and apply the same limit to proxies. This can result in a + single website "grabbing" all the connections the browser allows, which means + connections to other websites can't be opened until the connections currently in use time out.
+Several users have reported this as a Privoxy bug, so the default value has been reduced. Consider + increasing it to 300 seconds or even more if you think your browser can handle it. If your browser + appears to be hanging, it probably can't.
+keep-alive-timeout 300
+- Number of seconds after which an open connection will no - longer be reused. -
-- Time in seconds. -
-- None -
-- Connections are not kept alive. -
-- This option allows clients to keep the connection to Privoxy alive. If the server - supports it, Privoxy will - keep the connection to the server alive as well. Under - certain circumstances this may result in speed-ups. -
-- By default, Privoxy will - close the connection to the server if the client connection - gets closed, or if the specified timeout has been reached - without a new request coming in. This behaviour can be - changed with the connection-sharing option. -
-- This option has no effect if Privoxy has been compiled without - keep-alive support. -
-- Note that a timeout of five seconds as used in the default - configuration file significantly decreases the number of - connections that will be reused. The value is used because - some browsers limit the number of connections they open to - a single host and apply the same limit to proxies. This can - result in a single website "grabbing" all the connections the browser - allows, which means connections to other websites can't be - opened until the connections currently in use time out. -
-- Several users have reported this as a Privoxy bug, so the - default value has been reduced. Consider increasing it to - 300 seconds or even more if you think your browser can - handle it. If your browser appears to be hanging, it - probably can't. -
-- keep-alive-timeout 300 -
-Whether or not pipelined requests should be served.
+0 or 1.
+None
+If Privoxy receives more than one request at once, it terminates the client connection after serving + the first one.
+Privoxy currently doesn't pipeline outgoing requests, thus allowing + pipelining on the client connection is not guaranteed to improve the performance.
+By default Privoxy tries to discourage clients from pipelining by + discarding aggressively pipelined requests, which forces the client to resend them through a new + connection.
+This option lets Privoxy tolerate pipelining. Whether or not that + improves performance mainly depends on the client configuration.
+If you are seeing problems with pages not properly loading, disabling this option could work around + the problem.
+tolerate-pipelining 1
+- Whether or not pipelined requests should be served. -
-- 0 or 1. -
-- None -
-- If Privoxy receives more than one request at once, it - terminates the client connection after serving the first - one. -
-- Privoxy currently doesn't - pipeline outgoing requests, thus allowing pipelining on the - client connection is not guaranteed to improve the - performance. -
-- By default Privoxy tries - to discourage clients from pipelining by discarding - aggressively pipelined requests, which forces the client to - resend them through a new connection. -
-- This option lets Privoxy - tolerate pipelining. Whether or not that improves - performance mainly depends on the client configuration. -
-- If you are seeing problems with pages not properly loading, - disabling this option could work around the problem. -
-- tolerate-pipelining 1 -
-Assumed server-side keep-alive timeout if not specified by the server.
+Time in seconds.
+None
+Connections for which the server didn't specify the keep-alive timeout are not reused.
+Enabling this option significantly increases the number of connections that are reused, provided the + keep-alive-timeout option is also enabled.
+While it also increases the number of connections problems when Privoxy tries to reuse a connection that already has been closed on the server side, + or is closed while Privoxy is trying to reuse it, this should only be a + problem if it happens for the first request sent by the client. If it happens for requests on reused + client connections, Privoxy will simply close the connection and the + client is supposed to retry the request without bothering the user.
+Enabling this option is therefore only recommended if the connection-sharing option is disabled.
+It is an error to specify a value larger than the keep-alive-timeout value.
+This option has no effect if Privoxy has been compiled without + keep-alive support.
+default-server-timeout 60
+- Assumed server-side keep-alive timeout if not specified by - the server. -
-- Time in seconds. -
-- None -
-- Connections for which the server didn't specify the - keep-alive timeout are not reused. -
-- Enabling this option significantly increases the number of - connections that are reused, provided the keep-alive-timeout - option is also enabled. -
-- While it also increases the number of connections problems - when Privoxy tries to - reuse a connection that already has been closed on the - server side, or is closed while Privoxy is trying to reuse it, this - should only be a problem if it happens for the first - request sent by the client. If it happens for requests on - reused client connections, Privoxy will simply close the - connection and the client is supposed to retry the request - without bothering the user. -
-- Enabling this option is therefore only recommended if the - connection-sharing option is disabled. -
-- It is an error to specify a value larger than the keep-alive-timeout - value. -
-- This option has no effect if Privoxy has been compiled without - keep-alive support. -
-- default-server-timeout 60 -
-Whether or not outgoing connections that have been kept alive should be shared between different + incoming connections.
+0 or 1
+None
+Connections are not shared.
+This option has no effect if Privoxy has been compiled without + keep-alive support, or if it's disabled.
+Note that reusing connections doesn't necessary cause speedups. There are also a few privacy + implications you should be aware of.
+If this option is effective, outgoing connections are shared between clients (if there are more than + one) and closing the browser that initiated the outgoing connection does no longer affect the connection + between Privoxy and the server unless the client's request hasn't been + completed yet.
+If the outgoing connection is idle, it will not be closed until either Privoxy's or the server's timeout is reached. While it's open, the server knows that + the system running Privoxy is still there.
+If there are more than one client (maybe even belonging to multiple users), they will be able to reuse + each others connections. This is potentially dangerous in case of authentication schemes like NTLM where + only the connection is authenticated, instead of requiring authentication for each request.
+If there is only a single client, and if said client can keep connections alive on its own, enabling + this option has next to no effect. If the client doesn't support connection keep-alive, enabling this + option may make sense as it allows Privoxy to keep outgoing connections + alive even if the client itself doesn't support it.
+You should also be aware that enabling this option increases the likelihood of getting the "No server + or forwarder data" error message, especially if you are using a slow connection to the Internet.
+This option should only be used by experienced users who understand the risks and can weight them + against the benefits.
+connection-sharing 1
+- Whether or not outgoing connections that have been kept - alive should be shared between different incoming - connections. -
-- 0 or 1 -
-- None -
-- Connections are not shared. -
-- This option has no effect if Privoxy has been compiled without - keep-alive support, or if it's disabled. -
-- Note that reusing connections doesn't necessary cause - speedups. There are also a few privacy implications you - should be aware of. -
-- If this option is effective, outgoing connections are - shared between clients (if there are more than one) and - closing the browser that initiated the outgoing connection - does no longer affect the connection between Privoxy and the server unless the - client's request hasn't been completed yet. -
-- If the outgoing connection is idle, it will not be closed - until either Privoxy's or - the server's timeout is reached. While it's open, the - server knows that the system running Privoxy is still there. -
-- If there are more than one client (maybe even belonging to - multiple users), they will be able to reuse each others - connections. This is potentially dangerous in case of - authentication schemes like NTLM where only the connection - is authenticated, instead of requiring authentication for - each request. -
-- If there is only a single client, and if said client can - keep connections alive on its own, enabling this option has - next to no effect. If the client doesn't support connection - keep-alive, enabling this option may make sense as it - allows Privoxy to keep - outgoing connections alive even if the client itself - doesn't support it. -
-- You should also be aware that enabling this option - increases the likelihood of getting the "No server or - forwarder data" error message, especially if you are using - a slow connection to the Internet. -
-- This option should only be used by experienced users who - understand the risks and can weight them against the - benefits. -
-- connection-sharing 1 -
-Number of seconds after which a socket times out if no data is received.
+Time in seconds.
+None
+A default value of 300 seconds is used.
+The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow + proxy like Tor, reducing it to a few seconds should be fine.
+socket-timeout 300
+- Number of seconds after which a socket times out if no data - is received. -
-- Time in seconds. -
-- None -
-- A default value of 300 seconds is used. -
-- The default is quite high and you probably want to reduce - it. If you aren't using an occasionally slow proxy like - Tor, reducing it to a few seconds should be fine. -
-- socket-timeout 300 -
-Maximum number of client connections that will be served.
+Positive number.
+128
+Connections are served until a resource limit is reached.
+Privoxy creates one thread (or process) for every incoming client + connection that isn't rejected based on the access control settings.
+If the system is powerful enough, Privoxy can theoretically deal with + several hundred (or thousand) connections at the same time, but some operating systems enforce resource + limits by shutting down offending processes and their default limits may be below the ones Privoxy would require under heavy load.
+Configuring Privoxy to enforce a connection limit below the thread or + process limit used by the operating system makes sure this doesn't happen. Simply increasing the + operating system's limit would work too, but if Privoxy isn't the only + application running on the system, you may actually want to limit the resources used by Privoxy.
+If Privoxy is only used by a single trusted user, limiting the number + of client connections is probably unnecessary. If there are multiple possibly untrusted users you + probably still want to additionally use a packet filter to limit the maximal number of incoming + connections per client. Otherwise a malicious user could intentionally create a high number of + connections to prevent other users from using Privoxy.
+Obviously using this option only makes sense if you choose a limit below the one enforced by the + operating system.
+One most POSIX-compliant systems Privoxy can't properly deal with + more than FD_SETSIZE file descriptors at the same time and has to reject connections if the limit is + reached. This will likely change in a future version, but currently this limit can't be increased without + recompiling Privoxy with a different FD_SETSIZE limit.
+max-client-connections 256
+- Maximum number of client connections that will be served. -
-- Positive number. -
-- 128 -
-- Connections are served until a resource limit is reached. -
-- Privoxy creates one thread - (or process) for every incoming client connection that - isn't rejected based on the access control settings. -
-- If the system is powerful enough, Privoxy can theoretically deal with - several hundred (or thousand) connections at the same time, - but some operating systems enforce resource limits by - shutting down offending processes and their default limits - may be below the ones Privoxy would require under heavy - load. -
-- Configuring Privoxy to - enforce a connection limit below the thread or process - limit used by the operating system makes sure this doesn't - happen. Simply increasing the operating system's limit - would work too, but if Privoxy isn't the only application - running on the system, you may actually want to limit the - resources used by Privoxy. -
-- If Privoxy is only used by - a single trusted user, limiting the number of client - connections is probably unnecessary. If there are multiple - possibly untrusted users you probably still want to - additionally use a packet filter to limit the maximal - number of incoming connections per client. Otherwise a - malicious user could intentionally create a high number of - connections to prevent other users from using Privoxy. -
-- Obviously using this option only makes sense if you choose - a limit below the one enforced by the operating system. -
-- One most POSIX-compliant systems Privoxy can't properly deal with more - than FD_SETSIZE file descriptors at the same time and has - to reject connections if the limit is reached. This will - likely change in a future version, but currently this limit - can't be increased without recompiling Privoxy with a different FD_SETSIZE - limit. -
-- max-client-connections 256 -
-Connection queue length requested from the operating system.
+Number.
+128
+A connection queue length of 128 is requested from the operating system.
+Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue + length is limitted by the operating system. Once the queue is full, additional connections are dropped + before Privoxy can accept and serve them.
+Increasing the queue length allows Privoxy to accept more incomming connections that arrive roughly at + the same time.
+Note that Privoxy can only request a certain queue length, whether or not the requested length is + actually used depends on the operating system which may use a different length instead.
+On many operating systems a limit of -1 can be specified to instruct the operating system to use the + maximum queue length allowed. Check the listen man page to see if your platform allows this.
+On some platforms you can use "netstat -Lan -p tcp" to see the effective queue length.
+Effectively using a value above 128 usually requires changing the system configuration as well. On + FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.
+listen-backlog 4096
+- The status code Privoxy returns for pages blocked with +handle-as-empty-document. -
-- 0 or 1 -
-- 0 -
-- Privoxy returns a status 403(forbidden) for all blocked - pages. -
-- Privoxy returns a status 200(OK) for pages blocked with - +handle-as-empty-document and a status 403(Forbidden) for - all other blocked pages. -
-- This directive was added as a work-around for Firefox bug - 492459: "Websites are no longer - rendered if SSL requests for JavaScripts are blocked by a - proxy." (https://bugzilla.mozilla.org/show_bug.cgi?id=492459), - the bug has been fixed for quite some time, but this - directive is also useful to make it harder for websites to - detect whether or not resources are being blocked. -
-Whether or not Privoxy should use an accept filter
+0 or 1
+0
+No accept filter is enabled.
+Accept filters reduce the number of context switches by not passing sockets for new connections to + Privoxy until a complete HTTP request is available.
+As a result, Privoxy can process the whole request right away without having to wait for additional + data first.
+For this option to work, Privoxy has to be compiled with FEATURE_ACCEPT_FILTER and the operating + system has to support it (which may require loading a kernel module).
+Currently accept filters are only supported on FreeBSD-based systems. Check the accf_http(9) man page to learn + how to enable the support in the operating system.
+enable-accept-filter 1
+- Whether or not buffered content is compressed before - delivery. -
-- 0 or 1 -
-- 0 -
-- Privoxy does not compress buffered content. -
-- Privoxy compresses buffered content before delivering it to - the client, provided the client supports it. -
-- This directive is only supported if Privoxy has been - compiled with FEATURE_COMPRESSION, which should not to be - confused with FEATURE_ZLIB. -
-- Compressing buffered content is mainly useful if Privoxy - and the client are running on different systems. If they - are running on the same system, enabling compression is - likely to slow things down. If you didn't measure - otherwise, you should assume that it does and keep this - option disabled. -
-- Privoxy will not compress buffered content below a certain - length. -
-The status code Privoxy returns for pages blocked with +handle-as-empty-document.
+0 or 1
+0
+Privoxy returns a status 403(forbidden) for all blocked pages.
+Privoxy returns a status 200(OK) for pages blocked with +handle-as-empty-document and a status + 403(Forbidden) for all other blocked pages.
+This directive was added as a work-around for Firefox bug 492459: "Websites are no + longer rendered if SSL requests for JavaScripts are blocked by a proxy." ( https://bugzilla.mozilla.org/show_bug.cgi?id=492459), the bug has been fixed for quite some + time, but this directive is also useful to make it harder for websites to detect whether or not resources + are being blocked.
+- The compression level that is passed to the zlib library - when compressing buffered content. -
-- Positive number ranging from 0 - to 9. -
-- 1 -
-- Compressing the data more takes usually longer than - compressing it less or not compressing it at all. Which - level is best depends on the connection between Privoxy and - the client. If you can't be bothered to benchmark it for - yourself, you should stick with the default and keep - compression disabled. -
-- If compression is disabled, the compression level is - irrelevant. -
--
-
-- # Best speed (compared to the other levels) + + |
+
- The order in which client headers are sorted before - forwarding them. -
-- Client header names delimited by - spaces or tabs -
-- None -
-- By default Privoxy leaves - the client headers in the order they were sent by the - client. Headers are modified in-place, new headers are - added at the end of the already existing headers. -
-- The header order can be used to fingerprint client requests - independently of other headers like the User-Agent. -
-- This directive allows to sort the headers differently to - better mimic a different User-Agent. Client headers will be - emitted in the order given, headers whose name isn't - explicitly specified are added at the end. -
-- Note that sorting headers in an uncommon way will make - fingerprinting actually easier. Encrypted headers are not - affected by this directive. -
-The order in which client headers are sorted before forwarding them.
+Client header names delimited by spaces or tabs
+None
+By default Privoxy leaves the client headers in the order they were + sent by the client. Headers are modified in-place, new headers are added at the end of the already + existing headers.
+The header order can be used to fingerprint client requests independently of other headers like the + User-Agent.
+This directive allows to sort the headers differently to better mimic a different User-Agent. Client + headers will be emitted in the order given, headers whose name isn't explicitly specified are added at + the end.
+Note that sorting headers in an uncommon way will make fingerprinting actually easier. Encrypted + headers are not affected by this directive.
+- The name of a tag that will always be set for clients that - requested it through the webinterface. -
-- Tag name followed by a - description that will be shown in the webinterface -
-- None -
-- Warning - | -
- - This is an experimental feature. The syntax is - likely to change in future versions. - - |
-
- Client-specific tags allow Privoxy admins to create - different profiles and let the users chose which one they - want without impacting other users. -
-- One use case is allowing users to circumvent certain blocks - without having to allow them to circumvent all blocks. This - is not possible with the enable-remote-toggle - feature because it would bluntly disable all blocks for - all users and also affect other actions like filters. It - also is set globally which renders it useless in most - multi-user setups. -
-- After a client-specific tag has been defined with the - client-specific-tag directive, action sections can be - activated based on the tag by using a CLIENT-TAG pattern. The CLIENT-TAG pattern is - evaluated at the same priority as URL patterns, as a result - the last matching pattern wins. Tags that are created based - on client or server headers are evaluated later on and can - overrule CLIENT-TAG and URL patterns! -
-- The tag is set for all requests that come from clients that - requested it to be set. Note that "clients" are - differentiated by IP address, if the IP address changes the - tag has to be requested again. -
-- Clients can request tags to be set by using the CGI - interface http://config.privoxy.org/client-tags. - The specific tag description is only used on the web page - and should be phrased in away that the user understand the - effect of the tag. -
--
-
-- # Define a couple of tags, the described effect requires action sections - # that are enabled based on CLIENT-TAG patterns. - client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions - disable-content-filters Disable content-filters but do not affect other actions - -+ | Warning | +
+ This is an experimental feature. The syntax is likely to change in future versions. |
Client-specific tags allow Privoxy admins to create different profiles and let the users chose which + one they want without impacting other users.
+One use case is allowing users to circumvent certain blocks without having to allow them to circumvent + all blocks. This is not possible with the enable-remote-toggle + feature because it would bluntly disable all blocks for all users and also affect other actions like + filters. It also is set globally which renders it useless in most multi-user setups.
+After a client-specific tag has been defined with the client-specific-tag directive, action sections + can be activated based on the tag by using a CLIENT-TAG pattern. The CLIENT-TAG pattern is evaluated at the same priority as URL patterns, + as a result the last matching pattern wins. Tags that are created based on client or server headers are + evaluated later on and can overrule CLIENT-TAG and URL patterns!
+The tag is set for all requests that come from clients that requested it to be set. Note that + "clients" are differentiated by IP address, if the IP address changes the tag has to be requested + again.
+Clients can request tags to be set by using the CGI interface http://config.privoxy.org/client-tags. The + specific tag description is only used on the web page and should be phrased in away that the user + understand the effect of the tag.
+ +
+ # Define a couple of tags, the described effect requires action sections + # that are enabled based on CLIENT-TAG patterns. + client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions + client-specific-tag disable-content-filters Disable content-filters but do not affect other actions+ |
+
- How long a temporarily enabled tag remains enabled. -
-- Time in seconds. -
-- 60 -
-- Warning - | -
- - This is an experimental feature. The syntax is - likely to change in future versions. - - |
-
- In case of some tags users may not want to enable them - permanently, but only for a short amount of time, for - example to circumvent a block that is the result of an - overly-broad URL pattern. -
-- The CGI interface http://config.privoxy.org/client-tags therefore - provides a "enable this tag temporarily" option. If it is - used, the tag will be set until the client-tag-lifetime is - over. -
--
-
-- # Increase the time to life for temporarily enabled tags to 3 minutes - client-tag-lifetime 180 - -+ | Warning | +
+ This is an experimental feature. The syntax is likely to change in future versions. |
In case of some tags users may not want to enable them permanently, but only for a short amount of + time, for example to circumvent a block that is the result of an overly-broad URL pattern.
+The CGI interface http://config.privoxy.org/client-tags therefore provides a "enable this tag temporarily" + option. If it is used, the tag will be set until the client-tag-lifetime is over.
+ +
+ # Increase the time to life for temporarily enabled tags to 3 minutes + client-tag-lifetime 180+ |
+
- Whether or not Privoxy should use IP addresses specified - with the X-Forwarded-For header -
-- 0 or one -
-- 0 -
-- Warning - | -
- - This is an experimental feature. The syntax is - likely to change in future versions. - - |
-
- If clients reach Privoxy through another proxy, for example - a load balancer, Privoxy can't tell the client's IP address - from the connection. If multiple clients use the same - proxy, they will share the same client tag settings which - is usually not desired. -
-- This option lets Privoxy use the X-Forwarded-For header - value as client IP address. If the proxy sets the header, - multiple clients using the same proxy do not share the same - client tag settings. -
-- This option should only be enabled if Privoxy can only be - reached through a proxy and if the proxy can be trusted to - set the header correctly. It is recommended that ACL are - used to make sure only trusted systems can reach Privoxy. -
-- If access to Privoxy isn't limited to trusted systems, this - option would allow malicious clients to change the client - tags for other clients or increase Privoxy's memory - requirements by registering lots of client tag settings for - clients that don't exist. -
--
-
-- # Allow systems that can reach Privoxy to provide the client - # IP address with a X-Forwarded-For header. - trust-x-forwarded-for 1 - -+ | Warning | +
+ This is an experimental feature. The syntax is likely to change in future versions. |
If clients reach Privoxy through another proxy, for example a load balancer, Privoxy can't tell the + client's IP address from the connection. If multiple clients use the same proxy, they will share the same + client tag settings which is usually not desired.
+This option lets Privoxy use the X-Forwarded-For header value as client IP address. If the proxy sets + the header, multiple clients using the same proxy do not share the same client tag settings.
+This option should only be enabled if Privoxy can only be reached through a proxy and if the proxy can + be trusted to set the header correctly. It is recommended that ACL are used to make sure only trusted + systems can reach Privoxy.
+If access to Privoxy isn't limited to trusted systems, this option would allow malicious clients to + change the client tags for other clients or increase Privoxy's memory requirements by registering lots of + client tag settings for clients that don't exist.
+ +
+ # Allow systems that can reach Privoxy to provide the client + # IP address with a X-Forwarded-For header. + trust-x-forwarded-for 1+ |
+
- Privoxy has a number of options - specific to the Windows GUI interface: -
- -- If "activity-animation" is set to 1, the - Privoxy icon will animate when - "Privoxy" is active. To turn off, set to - 0. -
--
-
- activity-animation 1
-
-
- If "log-messages" is set to 1, Privoxy copies log messages to the - console window. The log detail depends on the debug directive. -
--
-
- log-messages 1
-
-
- If "log-buffer-size" is set to 1, the - size of the log buffer, i.e. the amount of memory used for the log - messages displayed in the console window, will be limited to "log-max-lines" (see below). -
-- Warning: Setting this to 0 will result in the buffer to grow - infinitely and eat up all your memory! -
--
-
- log-buffer-size 1
-
-
- log-max-lines is the maximum - number of lines held in the log buffer. See above. -
--
-
- log-max-lines 200
-
-
- If "log-highlight-messages" is set to 1, - Privoxy will highlight portions of - the log messages with a bold-faced font: -
--
-
- log-highlight-messages 1
-
-
- The font used in the console window: -
--
-
- log-font-name Comic Sans MS
-
-
- Font size used in the console window: -
--
-
- log-font-size 8
-
-
- "show-on-task-bar" controls whether or - not Privoxy will appear as a - button on the Task bar when minimized: -
--
-
- show-on-task-bar 0
-
-
- If "close-button-minimizes" is set to 1, - the Windows close button will minimize Privoxy instead of closing the program (close - with the exit option on the File menu). -
--
-
- close-button-minimizes 1
-
-
- The "hide-console" option is specific to - the MS-Win console version of Privoxy. If this option is used, Privoxy will disconnect from and hide the - command console. -
--
-
- #hide-console
-
-
The size of the buffer Privoxy uses to receive data from the server.
+Size in bytes
+5000
+Increasing the receive-buffer-size increases Privoxy's memory usage but can lower the number of + context switches and thereby reduce the cpu usage and potentially increase the throughput.
+This is mostly relevant for fast network connections and large downloads that don't require + filtering.
+Reducing the buffer size reduces the amount of memory Privoxy needs to handle the request but + increases the number of systemcalls and may reduce the throughput.
+A dtrace command like: "sudo dtrace -n 'syscall::read:return /execname == + "privoxy"/ { @[execname] = llquantize(arg0, 10, 0, 5, 20); @m = max(arg0)}'" can be used to + properly tune the receive-buffer-size. On systems without dtrace, strace or truss may be used as less + convenient alternatives.
+If the buffer is too large it will increase Privoxy's memory footprint without any benefit. As the + memory is (currently) cleared before using it, a buffer that is too large can actually reduce the + throughput.
+
+ # Increase the receive buffer size + receive-buffer-size 32768+ |
+
- Prev - | -- Home - | -- Next - | -
- Privoxy Configuration - | -- - | -- Actions Files - | -
Directory with the CA key, the CA certificate and the trusted CAs file.
+Text
+Empty string
+Default value is used.
+This directive specifies the directory where the CA key, the CA certificate and the trusted CAs file + are located.
+The permissions should only let Privoxy and the Privoxy admin access the directory.
+ca-directory /usr/local/etc/privoxy/CA
+The CA certificate file in ".crt" format.
+Text
+cacert.crt
+Default value is used.
+This directive specifies the name of the CA certificate file in ".crt" format.
+The file is used by Privoxy to generate website certificates when + https filtering is enabled with the enable-https-filtering action.
+Privoxy clients should import the certificate so that they can + validate the generated certificates.
+The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out + cacert.crt -days 3650
+ca-cert-file root.crt
+The CA key file in ".pem" format.
+Text
+cacert.pem
+Default value is used.
+This directive specifies the name of the CA key file in ".pem" format. See the ca-cert-file for a command to generate it.
+ca-key-file cakey.pem
+The password for the CA keyfile.
+Text
+Empty string
+Default value is used.
+This directive specifies the password for the CA keyfile that is used when Privoxy generates + certificates for intercepted requests.
+Note that the password is shown on the CGI page so don't reuse an important one.
+ca-password blafasel
+Directory to safe generated keys and certificates.
+Text
+./certs
+Default value is used.
+This directive specifies the directory where generated TLS/SSL keys and certificates are saved when + https filtering is enabled with the enable-https-filtering action.
+The keys and certificates currently have to be deleted manually when changing the ca-cert-file and the ca-cert-key.
+The permissions should only let Privoxy and the Privoxy admin access the directory.
+certificate-directory /usr/local/var/privoxy/certs
+The trusted CAs file in ".pem" format.
+File name relative to ca-directory
+trustedCAs.pem
+Default value is used.
+This directive specifies the trusted CAs file that is used when validating certificates for + intercepted TLS/SSL requests.
+An example file can be downloaded from https://curl.haxx.se/ca/cacert.pem.
+trusted-cas-file trusted_cas_file.pem
+Privoxy has a number of options specific to the Windows GUI + interface:
+If "activity-animation" is set to 1, the Privoxy + icon will animate when "Privoxy" is active. To turn off, set to 0.
+activity-animation + 1
+If "log-messages" is set to 1, Privoxy copies log + messages to the console window. The log detail depends on the debug + directive.
+log-messages + 1
+If "log-buffer-size" is set to 1, the size of the log buffer, i.e. the amount of + memory used for the log messages displayed in the console window, will be limited to "log-max-lines" (see below).
+Warning: Setting this to 0 will result in the buffer to grow infinitely and eat up all your memory!
+log-buffer-size + 1
+log-max-lines is the maximum number of lines held in the log buffer. See + above.
+log-max-lines + 200
+If "log-highlight-messages" is set to 1, Privoxy + will highlight portions of the log messages with a bold-faced font:
+log-highlight-messages + 1
+The font used in the console window:
+log-font-name Comic Sans + MS
+Font size used in the console window:
+log-font-size + 8
+"show-on-task-bar" controls whether or not Privoxy + will appear as a button on the Task bar when minimized:
+show-on-task-bar + 0
+If "close-button-minimizes" is set to 1, the Windows close button will minimize + Privoxy instead of closing the program (close with the exit option on the File + menu).
+close-button-minimizes + 1
+The "hide-console" option is specific to the MS-Win console version of Privoxy. If this option is used, Privoxy will disconnect + from and hide the command console.
+#hide-console