X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fsource%2Fuser-manual.sgml;h=0c5ee3003363528c7757a0a05f1ec35637fd8080;hb=HEAD;hp=01601cdc74c405a9b6d3c2af141d3e177f6910a7;hpb=451adf5e77554240efa778fc2e52e5d5b52c2059;p=privoxy.git
diff --git a/doc/source/user-manual.sgml b/doc/source/user-manual.sgml
index 01601cdc..a1b86b18 100644
--- a/doc/source/user-manual.sgml
+++ b/doc/source/user-manual.sgml
@@ -10,10 +10,11 @@
+
-
+
@@ -30,13 +31,11 @@
Privoxy">
]>
- Copyright &my-copy; 2001-2017 by
+ Copyright &my-copy; 2001-2023 by
Privoxy Developers
-$Id: user-manual.sgml,v 2.221 2017/05/20 09:27:54 fabiankeil Exp $
-
-OS/2
-
-
- First, make sure that no previous installations of
- Junkbuster and / or
- Privoxy are left on your
- system. Check that no Junkbuster
- or Privoxy objects are in
- your startup folder.
-
-
-
-
- Then, just double-click the WarpIN self-installing archive, which will
- guide you through the installation process. A shadow of the
- Privoxy executable will be placed in your
- startup folder so it will start automatically whenever OS/2 starts.
-
-
-
- The directory you choose to install Privoxy
- into will contain all of the configuration files.
-
-
-
Mac OS X
@@ -330,12 +302,16 @@ How to install the binary packages depends on your operating system:
-FreeBSD
+FreeBSD and ElectroBSD
Privoxy is part of FreeBSD's Ports Collection, you can build and install
it with cd /usr/ports/www/privoxy; make install clean.
+
+ If your system is configured to install binary packages you can
+ try to install &my-app; with pkg install privoxy.
+
@@ -344,30 +320,235 @@ How to install the binary packages depends on your operating system:
Building from Source
- The most convenient way to obtain the Privoxy sources
- is to download the source tarball from our
- project download
- page.
-
-
-
- If you like to live on the bleeding edge and are not afraid of using
- possibly unstable development versions, you can check out the up-to-the-minute
- version directly from the
- CVS repository.
-
+ The most convenient way to obtain the Privoxy source
+ code is to download the source tarball from our
+
+ project download page,
+ or you can get the up-to-the-minute, possibly unstable, development version from
+ https://www.privoxy.org/.
&buildsource;
+
+ Windows
+
+ Setup
+
+ Install the Cygwin utilities needed to build Privoxy.
+ If you have a 64 bit CPU (which most people do by now), get the
+ Cygwin setup-x86_64.exe program here
+ (the .sig file is here).
+
+
+ Run the setup program and from View / Category select:
+
+
+Devel
+ autoconf 2.5
+ automake 1.15
+ binutils
+ cmake
+ gcc-core
+ gcc-g++
+ git
+ make
+ mingw64-i686-gcc-core
+ mingw64-i686-zlib
+Editors
+ vim
+Libs
+ libxslt: GNOME XSLT library (runtime)
+Net
+ curl
+ openssh
+Text
+ docbook-dssl
+ docbook-sgml31
+ docbook-utils
+ openjade
+Utils
+ gnupg
+Web
+ w3m
+
+
+
+ If you haven't already downloaded the Privoxy source code, get it now:
+
+
+mkdir <root-dir>
+cd <root-dir>
+git clone https://www.privoxy.org/git/privoxy.git
+
+
+
+ Get the source code (.zip or .tar.gz) for tidy from
+
+ https://github.com/htacg/tidy-html5/releases,
+ unzip into <root-dir> and build the software:
+
+
+cd <root-dir>
+cd tidy-html5-x.y.z/build/cmake
+cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local
+make && make install
+
+
+
+ If you want to be able to make a Windows release package, get the NSIS .zip file from
+
+
+ https://sourceforge.net/projects/nsis/files/NSIS%203/
+ and extract the NSIS directory to /<root-dir>/nsis/.
+ Then edit the windows/GNUmakefile to set the location
+ of the NSIS executable - eg:
+
+
+# Path to NSIS
+MAKENSIS = /<root-dir>/nsis/makensis.exe
+
+
+
+ Get the latest 8.x PCRE code from
+ PCRE
+ https://sourceforge.net/projects/pcre/files/pcre/
+ and build the static PCRE libraries with
+
+
+export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+export LDFLAGS="-fstack-protector-strong"
+export CPPFLAGS="-DPCRE_STATIC"
+
+./configure --host=i686-w64-mingw32 \
+ --prefix=/usr/local/i686-w64-mingw32 \
+ --enable-utf --enable-unicode-properties \
+ --enable-jit \
+ --enable-newline-is-anycrlf \
+ --enable-pcre16 \
+ --enable-pcre32 \
+ --disable-pcregrep-libbz2 \
+ --disable-pcregrep-libz \
+ --disable-pcretest-libreadline \
+ --disable-stack-for-recursion \
+ --enable-static --disable-shared \
+ && make
+
+
+
+
+
+ If you want to be able to have Privoxy do TLS Inspection, get the latest
+ 2.28.x MBED-TLS library source code from
+
+ https://github.com/Mbed-TLS/mbedtls/tags,
+ extract the tar file into <root-dir>
+ and build the static libraries with
+
+export WINDOWS_BUILD=1
+# build for a Windows platform
+
+unset DEBUG
+
+export CC=i686-w64-mingw32-gcc
+export LD=i686-w64-mingw32-gcc
+export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+export LDFLAGS="${LDFLAGS} -fstack-protector-strong"
+
+make lib
+# build the libraries
+
+
+
+
+
+ Get the brotli library from
+
+ https://github.com/google/brotli/releases
+ and build the static libraries with
+
+./bootstrap
+# to create the GNU autotools files
+
+autoconf
+
+export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+export LDFLAGS="${LDFLAGS} -fstack-protector-strong"
+
+./configure --host=i686-w64-mingw32 \
+ --prefix=/usr/local/i686-w64-mingw32 \
+ --enable-static \
+ --disable-shared \
+ --with-gnu-ld \
+ --disable-silent-rules \
+ && make
+
+
+
+
+
+
+
+ Build
+
+
+ To build just the Privoxy executable and not the whole installation package, do:
+
+
+cd <root-dir>/privoxy
+./windows/MYconfigure && make
+
+
+
+ Privoxy uses the GNU Autotools
+ for building software, so the process is:
+
+
+autoheader # creates config.h.in
+autoconf # uses config.h.in to create the configure shell script
+./configure [options] # creates GNUmakefile
+make [options] # builds the program
+
+
+
+ The usual configure options for building a native Windows application under cygwin are
+
+
+
+ --host=i686-w64-mingw32
+ --enable-mingw32
+ --enable-zlib
+ --enable-static-linking
+ --disable-pthread
+ --with-brotli
+ --with-mbedtls
+
+
+
+ You can set the CFLAGS and LDFLAGS envars before
+ running configure to set compiler and linker flags. For example:
+
+
+
+$ export CFLAGS="-O2" # set gcc optimization level
+$ export LDFLAGS="-Wl,--nxcompat" # Enable DEP
+$ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \
+> --enable-static-linking --disable-pthread
+$ make # build Privoxy
+
+
+
+ See the Developer's Manual
+ for building a Windows release package.
+
+
+
+
+
+
Keeping your Installation Up-to-Date
@@ -410,7 +591,6 @@ How to install the binary packages depends on your operating system:
versions of Privoxy:
-
@@ -495,11 +675,10 @@ How to install the binary packages depends on your operating system:
that filtering does not work on compressed pages, so if you use, or want to
use, filtering, you will need to force compression off. Example:
-
- { +filter{google} +prevent-compression }
- .google.
-
+{ +filter{google} +prevent-compression }
+.google.
+
Or if you use a number of filters, or filter many sites, you may just want
to turn off compression for all sites in
@@ -527,14 +706,13 @@ How to install the binary packages depends on your operating system:
-->
-Quickstart to Using Privoxy
-
+
@@ -566,7 +744,7 @@ How to install the binary packages depends on your operating system:
Set your browser to use Privoxy as HTTP and
- HTTPS (SSL) proxy
+ HTTPS (SSL) proxy
by setting the proxy configuration for address of
127.0.0.1 and port 8118.
DO NOT activate proxying for FTP or
@@ -579,7 +757,7 @@ How to install the binary packages depends on your operating system:
Flush your browser's disk and memory caches, to remove any cached ad images.
If using Privoxy to manage
- cookies,
+ cookies,
you should remove any currently stored cookies too.
@@ -634,7 +812,6 @@ How to install the binary packages depends on your operating system:
-
@@ -711,7 +888,6 @@ How to install the binary packages depends on your operating system:
set-image-blocker:
-
@@ -786,7 +962,6 @@ How to install the binary packages depends on your operating system:
-
Advanced users will eventually want to explore &my-app;
@@ -832,7 +1007,6 @@ How to install the binary packages depends on your operating system:
A quick and simple step by step example:
-
@@ -856,7 +1030,6 @@ How to install the binary packages depends on your operating system:
- Actions Files in Use
@@ -867,7 +1040,6 @@ How to install the binary packages depends on your operating system:
-
@@ -902,7 +1074,6 @@ How to install the binary packages depends on your operating system:
-
This is a very crude and simple example. There might be good reasons to use a
@@ -939,7 +1110,7 @@ How to install the binary packages depends on your operating system:
Before launching Privoxy for the first time, you
will want to configure your browser(s) to use
Privoxy as a HTTP and HTTPS (SSL)
- proxy. The default is
+ proxy. The default is
127.0.0.1 (or localhost) for the proxy address, and port 8118 (earlier versions
used port 8000). This is the one configuration step that must be done
!
@@ -950,19 +1121,17 @@ How to install the binary packages depends on your operating system:
- Proxy Configuration Showing
- Mozilla/Netscape HTTP and HTTPS (SSL) Settings
+ Mozilla Firefox HTTP and HTTPS (SSL) Settings
- [ Screenshot of Mozilla Proxy Configuration ]
+ [ Screenshot of Mozilla Firefox Proxy Configuration ]
-
@@ -970,8 +1139,7 @@ How to install the binary packages depends on your operating system:
- Tools -> Options -> Advanced -> Network ->Connection -> Settings
-
+ Edit -> Preferences -> Network Settings -> Settings
@@ -980,7 +1148,6 @@ How to install the binary packages depends on your operating system:
Edit -> Preferences -> General -> Connection Settings -> Manual Proxy Configuration
-
@@ -994,7 +1161,6 @@ How to install the binary packages depends on your operating system:
Edit -> Preferences -> Advanced -> Proxies -> HTTP Proxy
-
@@ -1014,7 +1180,6 @@ How to install the binary packages depends on your operating system:
- Proxy Configuration Showing
Internet Explorer HTTP and HTTPS (Secure) Settings
@@ -1026,13 +1191,12 @@ How to install the binary packages depends on your operating system:
-
After doing this, flush your browser's disk and memory caches to force a
re-reading of all pages and to get rid of any ads that may be cached. Remove
- any cookies,
+ any cookies,
if you want Privoxy to manage that. You are now
ready to start enjoying the benefits of using
Privoxy!
@@ -1054,11 +1218,9 @@ How to install the binary packages depends on your operating system:
/etc/privoxy/config as its main configuration
file.
-
- # /etc/init.d/privoxy start
+# /etc/init.d/privoxy start
-
@@ -1077,11 +1239,9 @@ How to install the binary packages depends on your operating system:
To start Privoxy manually, run:
-
- # service privoxy onestart
+# service privoxy onestart
-
@@ -1107,11 +1267,9 @@ Click on the &my-app; Icon to start Privoxy. If no co
Example Unix startup command:
-
- # /usr/sbin/privoxy --user privoxy /etc/privoxy/config
+# /usr/sbin/privoxy --user privoxy /etc/privoxy/config
-
Note that if you installed Privoxy through
a package manager, the package will probably contain a platform-specific
@@ -1120,16 +1278,6 @@ Example Unix startup command:
-
-OS/2
-
- During installation, Privoxy is configured to
- start automatically when the system restarts. You can start it manually by
- double-clicking on the Privoxy icon in the
- Privoxy folder.
-
-
-
Mac OS X
@@ -1258,7 +1406,6 @@ must find a better place for this paragraph
command-line options:
-
@@ -1374,7 +1521,6 @@ must find a better place for this paragraph
-
On MS Windows only there are two additional
@@ -1411,20 +1557,18 @@ for details.
(shortcut: http://p.p/),
which is a built-in page and works without Internet access.
You will see the following section:
-
-
+ Privoxy Menu
-
▪ View & change the current configuration
- ▪ View the source code version numbers
+ ▪ View or toggle the tags that can be set based on the client's address
▪ View the request headers.
@@ -1482,9 +1626,9 @@ for details.
Configuration Files Overview
- For Unix, *BSD and Linux, all configuration files are located in
- /etc/privoxy/ by default. For MS Windows, OS/2, and
- AmigaOS these are all in the same directory as the
+ For Unix, *BSD and GNU/Linux, all configuration files are located in
+ /etc/privoxy/ by default. For MS Windows
+ these are all in the same directory as the
Privoxy executable.
@@ -1496,13 +1640,12 @@ for details.
principle configuration files are:
-
The main configuration file is named config
- on Linux, Unix, BSD, OS/2, and AmigaOS and config.txt
+ on GNU/Linux, Unix, BSD, and config.txt
on Windows. This is a required file.
@@ -1554,7 +1697,6 @@ for details.
-
The syntax of the configuration and filter files may change between different
@@ -1640,7 +1782,6 @@ for details.
are three action files included with Privoxy with
differing purposes:
-
@@ -1703,8 +1844,7 @@ for details.
The default profiles, and their associated actions, as pre-defined in
default.action are:
-
-
Default Configurations
+
Default Configurations
@@ -1821,11 +1961,9 @@ for details.
-
-
The list of actions files to be used are defined in the main configuration
@@ -1949,14 +2087,13 @@ for details.
might look like:
-
-
- { +handle-as-image +block{Banner ads.} }
- # Block these as if they were images. Send no block page.
- banners.example.com
- media.example.com/.*banners
- .example.com/images/ads/
-
+
+{ +handle-as-image +block{Banner ads.} }
+# Block these as if they were images. Send no block page.
+banners.example.com
+media.example.com/.*banners
+.example.com/images/ads/
+
You can trace this process for URL patterns and any given URL by visiting Regular
+ Regular
Expressions (POSIX 1003.2).
@@ -2156,7 +2293,7 @@ for details.
themselves. These work similarly to shell globbing type wild-cards:
* represents zero or more arbitrary characters (this is
equivalent to the
- Regular
+ Regular
Expression based syntax of .*),
? represents any single character (this is equivalent to the
regular expression syntax of a simple .), and you can define
@@ -2208,6 +2345,12 @@ for details.
While flexible, this is not the sophistication of full regular expression based syntax.
+
+ When compiled with FEATURE_PCRE_HOST_PATTERNS patterns can be prefixed with
+ PCRE-HOST-PATTERN: in which case full regular expression
+ (PCRE) can be used for the host pattern as well.
+
+
@@ -2218,7 +2361,7 @@ for details.
Privoxy uses modern POSIX 1003.2
- Regular
+ Regular
Expressions for matching the path portion (after the slash),
and is thus more flexible.
@@ -2397,12 +2540,6 @@ for details.
-
-
- This is an experimental feature. The syntax is likely to change in future versions.
-
-
-
Client tag patterns are not set based on HTTP headers but based on
the client's IP address. Users can enable them themselves, but the
@@ -2433,7 +2570,6 @@ for details.
Example:
-
# If the admin defined the client-specific-tag circumvent-blocks,
# and the request comes from a client that previously requested
@@ -2446,7 +2582,6 @@ CLIENT-TAG:^circumvent-blocks$
# the previous one.
{+block{Nobody is supposed to request this.}}
example.org/blocked-example-page
-
@@ -2468,7 +2603,6 @@ example.org/blocked-example-page
following patterns, and -block means don't
block URLs that match the following patterns, even if +block
previously applied.
-
@@ -2484,18 +2618,16 @@ example.org/blocked-example-page
Actions fall into three categories:
-
Boolean, i.e the action can only be enabled or
disabled. Syntax:
-
- +name # enable action name
- -name # disable action name
-
++name # enable action name
+-name # disable action name
+
Example: +handle-as-image
@@ -2507,12 +2639,11 @@ example.org/blocked-example-page
Parameterized, where some value is required in order to enable this type of action.
Syntax:
-
-
- +name{param} # enable action and set parameter to param,
- # overwriting parameter from previous match if necessary
- -name # disable action. The parameter can be omitted
-
+
++name{param} # enable action and set parameter to param,
+ # overwriting parameter from previous match if necessary
+-name # disable action. The parameter can be omitted
+
Note that if the URL matches multiple positive forms of a parameterized action,
the last match wins, i.e. the params from earlier matches are simply ignored.
@@ -2531,13 +2662,12 @@ example.org/blocked-example-page
that can be executed for the same request repeatedly, like adding multiple
headers, or filtering through multiple filters. Syntax:
-
-
- +name{param} # enable action and add param to the list of parameters
- -name{param} # remove the parameter param from the list of parameters
- # If it was the last one left, disable the action.
- -name # disable this action completely and remove all parameters from the list
-
+
++name{param} # enable action and add param to the list of parameters
+-name{param} # remove the parameter param from the list of parameters
+ # If it was the last one left, disable the action.
+-name # disable this action completely and remove all parameters from the list
+
Examples: +add-header{X-Fun-Header: Some text} and
+filter{html-annoyances}
@@ -2545,7 +2675,6 @@ example.org/blocked-example-page
-
If nothing is specified in any actions file, no actions are
@@ -2640,7 +2769,6 @@ example.org/blocked-example-page
Example usage:
- # Add a DNT ("Do not track") header to all requests,
# event to those that already have one.
#
@@ -2651,7 +2779,6 @@ example.org/blocked-example-page
# header may make user-tracking easier.
{+add-header{DNT: 1}}
/
-
@@ -2740,20 +2867,20 @@ example.org/blocked-example-page
Example usage (section):
-
- {+block{No nasty stuff for you.}}
+
+{+block{No nasty stuff for you.}}
# Block and replace with "blocked" page
- .nasty-stuff.example.com
+.nasty-stuff.example.com
{+block{Doubleclick banners.} +handle-as-image}
# Block and replace with image
- .ad.doubleclick.net
- .ads.r.us/banners/
+.ad.doubleclick.net
+.ads.r.us/banners/
{+block{Layered ads.} +handle-as-empty-document}
# Block and then ignore
- adserver.example.net/.*\.js$
-
+adserver.example.net/.*\.js$
+
@@ -2824,9 +2951,7 @@ example.org/blocked-example-page
Example usage:
- +change-x-forwarded-for{block}
-
@@ -2892,6 +3017,21 @@ example.org/blocked-example-page
one. This can be used to rewrite the request destination behind the client's
back, for example to specify a Tor exit relay for certain requests.
+
+ Note that to change the destination host for
+ https-inspected
+ requests a protocol and host has to be added to the URI.
+
+
+ If https inspection
+ is enabled, the protocol can be downgraded from https to http
+ but upgrading a request from http to https is currently not
+ supported.
+
+
+ After detecting a rewrite, &my-app; does not update the actions
+ used for the request based on the new host.
+
Please refer to the filter file chapter
to learn which client-header filters are available by default, and how to
@@ -2904,30 +3044,27 @@ example.org/blocked-example-page
Example usage (section):
-
# Hide Tor exit notation in Host and Referer Headers
{+client-header-filter{hide-tor-exit-notation}}
/
-
-
+
-
-
-client-header-tagger
+
+client-body-filterTypical use:
- Block requests based on their headers.
+ Rewrite or remove client request body.
@@ -2936,9 +3073,8 @@ example.org/blocked-example-page
Effect:
- Client headers to which this action applies are filtered on-the-fly through
- the specified regular expression based substitutions, the result is used as
- tag.
+ All request bodies to which this action applies are filtered on-the-fly through
+ the specified regular expression based substitutions.
@@ -2955,7 +3091,7 @@ example.org/blocked-example-page
Parameter:
- The name of a client-header tagger, as defined in one of the
+ The name of a client-body filter, as defined in one of the
filter files.
@@ -2965,77 +3101,31 @@ example.org/blocked-example-page
Notes:
- Client-header taggers are applied to each header on its own,
- and as the header isn't modified, each tagger sees
- the original.
+ Please refer to the filter file chapter
+ to learn how to create your own client-body filters.
- Client-header taggers are the first actions that are executed
- and their tags can be used to control every other action.
+ The distribution default.filter file contains a selection of
+ client-body filters for example purposes.
-
+
+ The amount of data that can be filtered is limited by the
+ buffer-limit
+ option in the main config file. The
+ default is 4096 KB (4 Megs). Once this limit is exceeded, the whole
+ request body is passed through unfiltered.
+
+
Example usage (section):
-
-
-# Tag every request with the User-Agent header
-{+client-header-tagger{user-agent}}
-/
-
-# Tagging itself doesn't change the action
-# settings, sections with TAG patterns do:
-#
-# If it's a download agent, use a different forwarding proxy,
-# show the real User-Agent and make sure resume works.
-{+forward-override{forward-socks5 10.0.0.2:2222 .} \
- -hide-if-modified-since \
- -overwrite-last-modified \
- -hide-user-agent \
- -filter \
- -deanimate-gifs \
-}
-TAG:^User-Agent: NetBSD-ftp/
-TAG:^User-Agent: Novell ZYPP Installer
-TAG:^User-Agent: RPM APT-HTTP/
-TAG:^User-Agent: fetch libfetch/
-TAG:^User-Agent: Ubuntu APT-HTTP/
-TAG:^User-Agent: MPlayer/
-
-
-
-
-# Tag all requests with the Range header set
-{+client-header-tagger{range-requests}}
-/
-
-# Disable filtering for the tagged requests.
-#
-# With filtering enabled Privoxy would remove the Range headers
-# to be able to filter the whole response. The downside is that
-# it prevents clients from resuming downloads or skipping over
-# parts of multimedia files.
-{-filter -deanimate-gifs}
-TAG:^RANGE-REQUEST$
-
-
-
-# Tag all requests with the client IP address
-#
-# (Technically the client IP address isn't included in the
-# client headers but client-header taggers can set it anyway.
-# For details see the tagger in default.filter)
-{+client-header-tagger{client-ip-address}}
+# Remove "test" everywhere in the request body
+{+client-body-filter{remove-test}}
/
-
-# Change forwarding settings for requests coming from address 10.0.0.1
-{+forward-override{forward-socks5 127.0.1.2:2222 .}}
-TAG:^IP-ADDRESS: 10\.0\.0\.1$
-
-
+
@@ -3044,14 +3134,16 @@ TAG:^IP-ADDRESS: 10\.0\.0\.1$
-
-content-type-overwrite
+
+client-body-taggerTypical use:
- Stop useless download menus from popping up, or change the browser's rendering mode
+
+ Block requests based on the content of the body data.
+
@@ -3059,16 +3151,17 @@ TAG:^IP-ADDRESS: 10\.0\.0\.1$
Effect:
- Replaces the Content-Type: HTTP server header.
+ Client request bodies to which this action applies are filtered on-the-fly through
+ the specified regular expression based substitutions, the result is used as tag.
Type:
-
+
- Parameterized.
+ Multi-value.
@@ -3076,7 +3169,8 @@ TAG:^IP-ADDRESS: 10\.0\.0\.1$
Parameter:
- Any string.
+ The name of a client-body tagger, as defined in one of the
+ filter files.
@@ -3085,67 +3179,261 @@ TAG:^IP-ADDRESS: 10\.0\.0\.1$
Notes:
- The Content-Type: HTTP server header is used by the
- browser to decide what to do with the document. The value of this
- header can cause the browser to open a download menu instead of
- displaying the document by itself, even if the document's format is
- supported by the browser.
-
-
- The declared content type can also affect which rendering mode
- the browser chooses. If XHTML is delivered as text/html,
- many browsers treat it as yet another broken HTML document.
- If it is send as application/xml, browsers with
- XHTML support will only display it, if the syntax is correct.
-
-
- If you see a web site that proudly uses XHTML buttons, but sets
- Content-Type: text/html, you can use &my-app;
- to overwrite it with application/xml and validate
- the web master's claim inside your XHTML-supporting browser.
- If the syntax is incorrect, the browser will complain loudly.
-
-
- You can also go the opposite direction: if your browser prints
- error messages instead of rendering a document falsely declared
- as XHTML, you can overwrite the content type with
- text/html and have it rendered as broken HTML document.
-
-
- By default content-type-overwrite only replaces
- Content-Type: headers that look like some kind of text.
- If you want to overwrite it unconditionally, you have to combine it with
- force-text-mode.
- This limitation exists for a reason, think twice before circumventing it.
+ Please refer to the filter file chapter
+ to learn how to create your own client-body tagger.
- Most of the time it's easier to replace this action with a custom
- server-header filter.
- It allows you to activate it for every document of a certain site and it will still
- only replace the content types you aimed at.
+ Client-body taggers are applied to each request body on its own,
+ and as the body isn't modified, each tagger "sees" the original.
- Of course you can apply content-type-overwrite
- to a whole site and then make URL based exceptions, but it's a lot
- more work to get the same precision.
+ Chunk-encoded request bodies currently can't be tagged.
+ Request bodies larger than the buffer-limit can't be tagged either.
- Example usage (sections):
+ Example usage (section):
-
- # Check if www.example.net/ really uses valid XHTML
-{ +content-type-overwrite{application/xml} }
-www.example.net/
+
+# Apply blafasel tagger.
+{+client-body-tagger{blafasel}}
+/
+
+# Block request based on the tag created by the blafasel tagger.
+{+block{Request body contains blafasel}}
+TAG:^content contains blafasel$
+
+
+
+
+
+
+
+
+
+
+client-header-tagger
+
+
+
+ Typical use:
+
+
+ Block requests based on their headers.
+
+
+
+
+
+ Effect:
+
+
+ Client headers to which this action applies are filtered on-the-fly through
+ the specified regular expression based substitutions, the result is used as
+ tag.
+
+
+
+
+
+ Type:
+
+
+ Multi-value.
+
+
+
+
+ Parameter:
+
+
+ The name of a client-header tagger, as defined in one of the
+ filter files.
+
+
+
+
+
+ Notes:
+
+
+ Client-header taggers are applied to each header on its own,
+ and as the header isn't modified, each tagger sees
+ the original.
+
+
+ Client-header taggers are the first actions that are executed
+ and their tags can be used to control every other action.
+
+
+
+
+
+ Example usage (section):
+
+
+# Tag every request with the User-Agent header
+{+client-header-tagger{user-agent}}
+/
+
+# Tagging itself doesn't change the action
+# settings, sections with TAG patterns do:
+#
+# If it's a download agent, use a different forwarding proxy,
+# show the real User-Agent and make sure resume works.
+{+forward-override{forward-socks5 10.0.0.2:2222 .} \
+ -hide-if-modified-since \
+ -overwrite-last-modified \
+ -hide-user-agent \
+ -filter \
+ -deanimate-gifs \
+}
+TAG:^User-Agent: NetBSD-ftp/
+TAG:^User-Agent: Novell ZYPP Installer
+TAG:^User-Agent: RPM APT-HTTP/
+TAG:^User-Agent: fetch libfetch/
+TAG:^User-Agent: Ubuntu APT-HTTP/
+TAG:^User-Agent: MPlayer/
+
+
+
+# Tag all requests with the Range header set
+{+client-header-tagger{range-requests}}
+/
+
+# Disable filtering for the tagged requests.
+#
+# With filtering enabled Privoxy would remove the Range headers
+# to be able to filter the whole response. The downside is that
+# it prevents clients from resuming downloads or skipping over
+# parts of multimedia files.
+{-filter -deanimate-gifs}
+TAG:^RANGE-REQUEST$
+
+
+
+# Tag all requests with the client IP address
+#
+# (Technically the client IP address isn't included in the
+# client headers but client-header taggers can set it anyway.
+# For details see the tagger in default.filter)
+{+client-header-tagger{client-ip-address}}
+/
+
+# Change forwarding settings for requests coming from address 10.0.0.1
+{+forward-override{forward-socks5 127.0.1.2:2222 .}}
+TAG:^IP-ADDRESS: 10\.0\.0\.1$
+
+
+
+
+
+
+
+
+
+
+content-type-overwrite
+
+
+
+ Typical use:
+
+ Stop useless download menus from popping up, or change the browser's rendering mode
+
+
+
+
+ Effect:
+
+
+ Replaces the Content-Type: HTTP server header.
+
+
+
+
+
+ Type:
+
+
+ Parameterized.
+
+
+
+
+ Parameter:
+
+
+ Any string.
+
+
+
+
+
+ Notes:
+
+
+ The Content-Type: HTTP server header is used by the
+ browser to decide what to do with the document. The value of this
+ header can cause the browser to open a download menu instead of
+ displaying the document by itself, even if the document's format is
+ supported by the browser.
+
+
+ The declared content type can also affect which rendering mode
+ the browser chooses. If XHTML is delivered as text/html,
+ many browsers treat it as yet another broken HTML document.
+ If it is send as application/xml, browsers with
+ XHTML support will only display it, if the syntax is correct.
+
+
+ If you see a web site that proudly uses XHTML buttons, but sets
+ Content-Type: text/html, you can use &my-app;
+ to overwrite it with application/xml and validate
+ the web master's claim inside your XHTML-supporting browser.
+ If the syntax is incorrect, the browser will complain loudly.
+
+
+ You can also go the opposite direction: if your browser prints
+ error messages instead of rendering a document falsely declared
+ as XHTML, you can overwrite the content type with
+ text/html and have it rendered as broken HTML document.
+
+
+ By default content-type-overwrite only replaces
+ Content-Type: headers that look like some kind of text.
+ If you want to overwrite it unconditionally, you have to combine it with
+ force-text-mode.
+ This limitation exists for a reason, think twice before circumventing it.
+
+
+ Most of the time it's easier to replace this action with a custom
+ server-header filter.
+ It allows you to activate it for every document of a certain site and it will still
+ only replace the content types you aimed at.
+
+
+ Of course you can apply content-type-overwrite
+ to a whole site and then make URL based exceptions, but it's a lot
+ more work to get the same precision.
+
+
+
+
+
+ Example usage (sections):
+
+ # Check if www.example.net/ really uses valid XHTML
+{ +content-type-overwrite{application/xml} }
+www.example.net/
# but leave the content type unmodified if the URL looks like a style sheet
{-content-type-overwrite}
www.example.net/.*\.css$
www.example.net/.*style
-
@@ -3224,12 +3512,10 @@ new action
Example usage (section):
- # Block the non-existent "Privacy-Violation:" client header
{ +crunch-client-header{Privacy-Violation:} }
/
-
-
+
@@ -3306,14 +3592,13 @@ new action
Example usage (section):
- # Let the browser revalidate cached documents but don't
# allow the server to use the revalidation headers for user tracking.
{+hide-if-modified-since{-60} \
+overwrite-last-modified{randomize} \
+crunch-if-none-match}
-/
-
+/
+
@@ -3381,9 +3666,7 @@ new action
Example usage:
- +crunch-incoming-cookies
-
@@ -3460,11 +3743,10 @@ new action
Example usage (section):
- # Crunch server headers that try to prevent caching
{ +crunch-server-header{no-cache} }
-/
-
+/
+
@@ -3531,9 +3813,7 @@ new action
Example usage:
- +crunch-outgoing-cookies
-
@@ -3601,14 +3881,82 @@ new action
Example usage:
- +deanimate-gifs{last}
-
+
+
+
+delay-response
+
+
+
+ Typical use:
+
+ Delay responses to the client to reduce the load
+
+
+
+
+ Effect:
+
+
+ Delays responses to the client by sending the response in ca. 10 byte chunks.
+
+
+
+
+
+ Type:
+
+
+ Parameterized.
+
+
+
+
+ Parameter:
+
+
+ Number of milliseconds
+
+
+
+
+
+ Notes:
+
+
+ Sometimes when JavaScript code is used to fetch advertisements
+ it doesn't respect Privoxy's blocks and retries to fetch the
+ same resource again causing unnecessary load on the client.
+
+
+ This action delays responses to the client and can be combined
+ with blocks
+ to slow down the JavaScript code, thus reducing
+ the load on the client.
+
+
+ When used without blocks
+ the action can also be used to simulate a slow internet connection.
+
+
+
+
+
+ Example usage:
+
+ +delay-response{100}
+
+
+
+
+
+
downgrade-http-version
@@ -3673,16 +4021,15 @@ new action
Example usage (section):
- {+downgrade-http-version}
problem-host.example.com
-
+
external-filter
@@ -3756,6 +4103,12 @@ problem-host.example.com
linkend="external-filter-syntax">syntax
may change in the future.
+
+ If you want to apply external filters to images or other content
+ that isn't text-based, enable the
+ force-text-mode
+ action as well.
+
@@ -3763,9 +4116,7 @@ problem-host.example.com
Example usage:
- +external-filter{fancy-filter}
-
@@ -3870,7 +4221,7 @@ problem-host.example.com
looks for the string http://, either in plain text
(invalid but often used) or encoded as http%3a//.
Some sites use their own URL encoding scheme, encrypt the address
- of the target server or replace it with a database id. In theses cases
+ of the target server or replace it with a database id. In these cases
fast-redirects is fooled and the request reaches the
redirection server where it probably gets logged.
@@ -3880,14 +4231,13 @@ problem-host.example.com
Example usage:
-
- { +fast-redirects{simple-check} }
- one.example.com
+{ +fast-redirects{simple-check} }
+one.example.com
- { +fast-redirects{check-decoded-url} }
- another.example.com/testing
-
+{ +fast-redirects{check-decoded-url} }
+another.example.com/testing
+
@@ -3967,15 +4317,15 @@ problem-host.example.com
Rolling your own
filters requires a knowledge of
- Regular
+ Regular
Expressions and
- HTML.
+ HTML.
This is very powerful feature, and potentially very intrusive.
Filters should be used with caution, and where an equivalent
action is not available.
- The amount of data that can be filtered is limited to the
+ The amount of data that can be filtered is limited by the
buffer-limit
option in the main config file. The
default is 4096 KB (4 Megs). Once this limit is exceeded, the buffered
@@ -4029,112 +4379,128 @@ problem-host.example.com
- +filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse.
+ +filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse.
- +filter{js-events} # Kill JavaScript event bindings and timers (Radically destructive! Only for extra nasty sites).
+ +filter{js-events} # Kill JavaScript event bindings and timers (Radically destructive! Only for extra nasty sites).
- +filter{html-annoyances} # Get rid of particularly annoying HTML abuse.
+ +filter{html-annoyances} # Get rid of particularly annoying HTML abuse.
- +filter{content-cookies} # Kill cookies that come in the HTML or JS content.
+ +filter{content-cookies} # Kill cookies that come in the HTML or JS content.
- +filter{refresh-tags} # Kill automatic refresh tags if refresh time is larger than 9 seconds.
+ +filter{refresh-tags} # Kill automatic refresh tags if refresh time is larger than 9 seconds.
- +filter{unsolicited-popups} # Disable only unsolicited pop-up windows.
+ +filter{unsolicited-popups} # Disable only unsolicited pop-up windows.
- +filter{all-popups} # Kill all popups in JavaScript and HTML.
+ +filter{all-popups} # Kill all popups in JavaScript and HTML.
- +filter{img-reorder} # Reorder attributes in <img> tags to make the banners-by-* filters more effective.
+ +filter{img-reorder} # Reorder attributes in <img> tags to make the banners-by-* filters more effective.
- +filter{banners-by-size} # Kill banners by size.
+ +filter{banners-by-size} # Kill banners by size.
- +filter{banners-by-link} # Kill banners by their links to known clicktrackers.
+ +filter{banners-by-link} # Kill banners by their links to known clicktrackers.
- +filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking).
+ +filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking).
- +filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap.
+ +filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap.
- +filter{jumping-windows} # Prevent windows from resizing and moving themselves.
+ +filter{jumping-windows} # Prevent windows from resizing and moving themselves.
- +filter{frameset-borders} # Give frames a border and make them resizable.
+ +filter{frameset-borders} # Give frames a border and make them resizable.
- +filter{iframes} # Removes all detected iframes. Should only be enabled for individual sites.
+ +filter{iframes} # Removes all detected iframes. Should only be enabled for individual sites.
- +filter{demoronizer} # Fix MS's non-standard use of standard charsets.
+ +filter{demoronizer} # Fix MS's non-standard use of standard charsets.
- +filter{shockwave-flash} # Kill embedded Shockwave Flash objects.
+ +filter{shockwave-flash} # Kill embedded Shockwave Flash objects.
- +filter{quicktime-kioskmode} # Make Quicktime movies saveable.
+ +filter{quicktime-kioskmode} # Make Quicktime movies saveable.
- +filter{fun} # Text replacements for subversive browsing fun!
+ +filter{fun} # Text replacements for subversive browsing fun!
- +filter{crude-parental} # Crude parental filtering. Note that this filter doesn't work reliably.
+ +filter{crude-parental} # Crude parental filtering. Note that this filter doesn't work reliably.
- +filter{ie-exploits} # Disable some known Internet Explorer bug exploits.
+ +filter{ie-exploits} # Disable some known Internet Explorer bug exploits.
- +filter{site-specifics} # Cure for site-specific problems. Don't apply generally!
+ +filter{site-specifics} # Cure for site-specific problems. Don't apply generally!
+ +filter{no-ping} # Removes non-standard ping attributes in <a> and <area> tags.
+
+
+ +filter{bundeswehr.de} # Hide the cookie and privacy info banner on bundeswehr.de.
+
+
+
+ +filter{github} # Removes the annoying "Sign-Up" banner and the Cookie disclaimer.
+ +filter{google} # CSS-based block for Google text ads. Also removes a width limitation and the toolbar advertisement.
+
+
+ +filter{imdb} # Removes some ads on IMDb.
- +filter{yahoo} # CSS-based block for Yahoo text ads. Also removes a width limitation.
+ +filter{yahoo} # CSS-based block for Yahoo text ads. Also removes a width limitation.
- +filter{msn} # CSS-based block for MSN text ads. Also removes tracking URLs and a width limitation.
+ +filter{msn} # CSS-based block for MSN text ads. Also removes tracking URLs and a width limitation.
+ +filter{blogspot} # Cleans up some Blogspot blogs. Read the fine print before using this.
+
+
+ +filter{sourceforge} # Reduces the amount of ads for proprietary software on SourceForge.
@@ -4204,11 +4570,9 @@ new action
Example usage:
-
+force-text-mode
-
-
+
@@ -4337,7 +4701,6 @@ new action
Example usage:
-
# Use an ssh tunnel for requests previously tagged as
# User-Agent: fetch libfetch/2.0 and make sure
@@ -4354,8 +4717,7 @@ new action
-overwrite-last-modified \
}
TAG:^User-Agent: fetch libfetch/2\.0$
-
-
+
@@ -4427,13 +4789,11 @@ new action
Example usage:
- # Block all documents on example.org that end with ".js",
# but send an empty document instead of the usual HTML message.
{+block{Blocked JavaScript} +handle-as-empty-document}
example.org/.*\.js$
-
-
+
@@ -4508,7 +4868,6 @@ example.org/.*\.js$
Example usage (sections):
- # Generic image extensions:
#
{+handle-as-image}
@@ -4520,7 +4879,6 @@ example.org/.*\.js$
{+block{Nasty banners.} +handle-as-image}
nasty-banner-server.example.com/junk.cgi\?output=trash
-
@@ -4600,13 +4958,12 @@ new action
Example usage (section):
- # Pretend to use Canadian language settings.
{+hide-accept-language{en-ca} \
+hide-user-agent{Mozilla/5.0 (X11; U; OpenBSD i386; en-CA; rv:1.8.0.4) Gecko/20060628 Firefox/1.5.0.4} \
}
-/
-
+/
+
@@ -4690,13 +5047,14 @@ new action
Example usage:
-
- # Disarm the download link in Sourceforge's patch tracker
+
+# Disarm the download link in Sourceforge's patch tracker
{ -filter \
- +content-type-overwrite{text/plain}\
- +hide-content-disposition{block} }
- .sourceforge.net/tracker/download\.php
-
+ +content-type-overwrite{text/plain} \
+ +hide-content-disposition{block} \
+}
+.sourceforge.net/tracker/download\.php
+
@@ -4779,13 +5137,11 @@ new action
Example usage (section):
- # Let the browser revalidate but make tracking based on the time less likely.
{+hide-if-modified-since{-60} \
+overwrite-last-modified{randomize} \
+crunch-if-none-match}
/
-
@@ -4854,10 +5210,9 @@ new action
Example usage:
-
- +hide-from-header{block} or
+ +hide-from-header{block}
+ or+hide-from-header{spam-me-senseless@sittingduck.example.com}
-
@@ -4958,10 +5313,9 @@ new action
Example usage:
-
- +hide-referrer{forge} or
+ +hide-referrer{forge}
+ or+hide-referrer{http://www.yahoo.com/}
-
@@ -5032,7 +5386,7 @@ new action
More information on known user-agent strings can be found at
http://www.user-agents.org/
and
- http://en.wikipedia.org/wiki/User_agent.
+ http://en.wikipedia.org/wiki/User_agent.
@@ -5040,9 +5394,152 @@ new action
Example usage:
+ +hide-user-agent{Mozilla/5.0 (X11; ElectroBSD i386; rv:78.0) Gecko/20100101 Firefox/78.0}
+
+
+
+
+
+
+
+
+https-inspection
+
+
+
+ Typical use:
+
+ Filter encrypted requests and responses
+
+
+
+
+ Effect:
+
+
+ Encrypted requests are decrypted, filtered and forwarded encrypted.
+
+
+
+
+
+ Type:
+
+
+ Boolean.
+
+
+
+
+ Parameter:
+
+
+ N/A
+
+
+
+
+
+ Notes:
+
+
+ This action allows &my-app; to filter encrypted requests and responses.
+ For this to work &my-app; has to generate a certificate for the web site
+ and send it to the client which has to accept it.
+
+
+ Before this works the directives in the
+ HTTPS inspection section
+ of the config file have to be configured.
+
+
+ Note that the action has to be enabled based on the CONNECT
+ request which doesn't contain a path. Enabling it based on
+ a pattern with path doesn't work as the path is only seen
+ by &my-app; if the action is already enabled.
+
+
+
+
+
+ Example usage (section):
+
+ {+https-inspection}
+www.example.com
+
+
+
+
+
+
+
+
+
+ignore-certificate-errors
+
+
+
+ Typical use:
+
+ Filter encrypted requests and responses without verifying the certificate
+
+
+
+
+ Effect:
+
+
+ Encrypted requests are forwarded to sites without verifying the certificate.
+
+
+
+
+
+ Type:
+
+
+ Boolean.
+
+
+
+
+ Parameter:
+
+
+ N/A
+
+
+
+
+
+ Notes:
+
+
+ When the
+ +https-inspection
+ action is used &my-app; by default verifies that the remote site uses a valid
+ certificate.
+
+
+ If the certificate can't be validated by &my-app; the connection is aborted.
+
+
+ This action disables the certificate check so requests to sites
+ with certificates that can't be validated are allowed.
+
- +hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)}
+ Note that enabling this action allows Man-in-the-middle attacks.
+
+
+
+
+ Example usage:
+
+
+ {+ignore-certificate-errors}
+ www.example.org
+
@@ -5118,13 +5615,11 @@ new action
- +limit-connect{443} # Port 443 is OK.
+limit-connect{80,443} # Ports 80 and 443 are OK.
+limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK.
+limit-connect{-} # All ports are OK
+limit-connect{,} # No HTTPS/SSL traffic is allowed
-
@@ -5209,10 +5704,7 @@ new action
Example usages:
-
- +limit-cookie-lifetime{60}
-
-
+ +limit-cookie-lifetime{60}
@@ -5288,9 +5780,10 @@ new action
Note that some (rare) ill-configured sites don't handle requests for uncompressed
documents correctly. Broken PHP applications tend to send an empty document body,
- some IIS versions only send the beginning of the content. If you enable
- prevent-compression per default, you might want to add
- exceptions for those sites. See the example for how to do that.
+ some IIS versions only send the beginning of the content and some content delivery
+ networks let the connection time out.
+ If you enable prevent-compression per default, you might
+ want to add exceptions for those sites. See the example for how to do that.
@@ -5298,26 +5791,25 @@ new action
Example usage (sections):
-
# Selectively turn off compression, and enable a filter
#
{ +filter{tiny-textforms} +prevent-compression }
# Match only these sites
- .google.
- sourceforge.net
- sf.net
+.google.
+sourceforge.net
+sf.net
# Or instead, we could set a universal default:
#
{ +prevent-compression }
- / # Match all sites
+/ # Match all sites
# Then maybe make exceptions for broken sites:
#
{ -prevent-compression }
-.compusa.com/
-
+.compusa.com/
+
@@ -5409,13 +5901,14 @@ new action
Example usage:
-
- # Let the browser revalidate without being tracked across sessions
+
+# Let the browser revalidate without being tracked across sessions
{ +hide-if-modified-since{-60} \
- +overwrite-last-modified{randomize} \
- +crunch-if-none-match}
-/
-
+ +overwrite-last-modified{randomize} \
+ +crunch-if-none-match \
+}
+/
+
@@ -5506,15 +5999,15 @@ new action
Example usages:
-
- # Replace example.com's style sheet with another one
+
+# Replace example.com's style sheet with another one
{ +redirect{http://localhost/css-replacements/example.com.css} }
- example.com/stylesheet\.css
+example.com/stylesheet\.css
# Create a short, easy to remember nickname for a favorite site
# (relies on the browser to accept and forward invalid URLs to &my-app;)
{ +redirect{https://www.privoxy.org/user-manual/actions-file.html} }
- a
+a
# Always use the expanded view for Undeadly.org articles
# (Note the $ at the end of the URL pattern to make sure
@@ -5543,11 +6036,14 @@ example.com/.*toChange=(?!bar)
# Redirect Destination = https://www.illumos.org/issues/4974
i[0-9][0-9][0-9][0-9]*/
+# Redirect requests for the old Tor Hidden Service of the Privoxy website to the new one
+{+redirect{s@^http://jvauzb4sb3bwlsnc.onion/@http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/@}}
+jvauzb4sb3bwlsnc.onion/
+
# Redirect remote requests for this manual
# to the local version delivered by Privoxy
{+redirect{s@^http://www@http://config@}}
www.privoxy.org/user-manual/
-
@@ -5621,15 +6117,13 @@ www.privoxy.org/user-manual/
Example usage (section):
-
{+server-header-filter{html-to-xml}}
example.org/xml-instance-that-is-delivered-as-html
{+server-header-filter{xml-to-html}}
example.org/instance-that-is-delivered-as-xml-but-is-not
-
-
+
@@ -5706,7 +6200,6 @@ example.org/instance-that-is-delivered-as-xml-but-is-not
Example usage (section):
-
# Tag every request with the content type declared by the server
{+server-header-tagger{content-type}}
@@ -5719,8 +6212,64 @@ example.org/instance-that-is-delivered-as-xml-but-is-not
# silly example.
{+external-filter{rotate-image} +force-text-mode}
TAG:^image/
-
-
+
+
+
+
+
+
+
+
+
+
+suppress-tag
+
+
+
+ Typical use:
+
+
+ Suppress client or server tag.
+
+
+
+
+
+ Effect:
+
+
+ Server or client tags to which this action applies are not added to the request,
+ thus making all actions that are specific to these request tags inactive.
+
+
+
+
+
+ Type:
+
+
+ Multi-value.
+
+
+
+
+ Parameter:
+
+
+ The result tag of a server-header or client-header tagger, as defined in one of the
+ filter files.
+
+
+
+
+
+ Example usage (section):
+
+
+# Suppress tag produced by range-requests client-header tagger for requests coming from address 10.0.0.1
+{+suppress-tag{RANGE-REQUEST}}
+TAG:^IP-ADDRESS: 10\.0\.0\.1$
+
@@ -5813,9 +6362,7 @@ TAG:^image/
Example usage:
- +session-cookies-only
-
@@ -5915,21 +6462,15 @@ TAG:^image/
Built-in pattern:
- +set-image-blocker{pattern}
-
Redirect to the BSD daemon:
- +set-image-blocker{http://www.freebsd.org/gifs/dae_up3.gif}
-
Redirect to the built-in pattern for better caching:
- +set-image-blocker{http://config.privoxy.org/send-banner?type=pattern}
-
@@ -5996,35 +6537,34 @@ TAG:^image/
Now let's define some aliases...
-
- # Useful custom aliases we can use later.
- #
- # Note the (required!) section header line and that this section
- # must be at the top of the actions file!
- #
- {{alias}}
+# Useful custom aliases we can use later.
+#
+# Note the (required!) section header line and that this section
+# must be at the top of the actions file!
+#
+{{alias}}
- # These aliases just save typing later:
- # (Note that some already use other aliases!)
- #
- +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies
- -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies
- +block-as-image = +block{Blocked image.} +handle-as-image
- allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies}
+# These aliases just save typing later:
+# (Note that some already use other aliases!)
+#
++crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies
+-crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies
++block-as-image = +block{Blocked image.} +handle-as-image
+allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies}
- # These aliases define combinations of actions
- # that are useful for certain types of sites:
- #
- fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -prevent-compression
+# These aliases define combinations of actions
+# that are useful for certain types of sites:
+#
+fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -prevent-compression
- shop = -crunch-all-cookies -filter{all-popups}
+shop = -crunch-all-cookies -filter{all-popups}
- # Short names for other aliases, for really lazy people ;-)
- #
- c0 = +crunch-all-cookies
- c1 = -crunch-all-cookies
-
+# Short names for other aliases, for really lazy people ;-)
+#
+c0 = +crunch-all-cookies
+c1 = -crunch-all-cookies
+
...and put them to use. These sections would appear in the lower part of an
@@ -6032,31 +6572,30 @@ TAG:^image/
up for the / pattern):
-
- # These sites are either very complex or very keen on
- # user data and require minimal interference to work:
- #
- {fragile}
- .office.microsoft.com
- .windowsupdate.microsoft.com
- # Gmail is really mail.google.com, not gmail.com
- mail.google.com
-
- # Shopping sites:
- # Allow cookies (for setting and retrieving your customer data)
- #
- {shop}
- .quietpc.com
- .worldpay.com # for quietpc.com
- mybank.example.com
+# These sites are either very complex or very keen on
+# user data and require minimal interference to work:
+#
+{fragile}
+.office.microsoft.com
+.windowsupdate.microsoft.com
+# Gmail is really mail.google.com, not gmail.com
+mail.google.com
- # These shops require pop-ups:
- #
- {-filter{all-popups} -filter{unsolicited-popups}}
- .dabs.com
- .overclockers.co.uk
-
+# Shopping sites:
+# Allow cookies (for setting and retrieving your customer data)
+#
+{shop}
+.quietpc.com
+.worldpay.com # for quietpc.com
+mybank.example.com
+
+# These shops require pop-ups:
+#
+{-filter{all-popups} -filter{unsolicited-popups}}
+.dabs.com
+.overclockers.co.uk
+
Aliases like shop and fragile are typically used for
@@ -6107,7 +6646,6 @@ hal stop here
multiple lines with line continuation.
-
{ \
+change-x-forwarded-for{block} \
@@ -6115,8 +6653,7 @@ hal stop here
+set-image-blocker{pattern} \
}
/ # Match all URLs
-
-
+
The default behavior is now set.
@@ -6143,14 +6680,12 @@ hal stop here
that prevents older &my-app; versions from reading the file:
-
##########################################################################
# Settings -- Don't change! For internal Privoxy use ONLY.
##########################################################################
{{settings}}
for-privoxy-version=3.0.11
-
After that comes the (optional) alias section. We'll use the example
@@ -6158,7 +6693,6 @@ for-privoxy-version=3.0.11
that also explains why and how aliases are used:
-
##########################################################################
# Aliases
@@ -6170,7 +6704,7 @@ for-privoxy-version=3.0.11
#
+crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies
-crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies
- +block-as-image = +block{Blocked image.} +handle-as-image
+ +block-as-image = +block{Blocked image.} +handle-as-image
mercy-for-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies}
# These aliases define combinations of actions
@@ -6178,7 +6712,6 @@ for-privoxy-version=3.0.11
#
fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer
shop = -crunch-all-cookies -filter{all-popups}
-
The first of our specialized sections is concerned with fragile
@@ -6189,7 +6722,6 @@ for-privoxy-version=3.0.11
of actions explicitly:
-
##########################################################################
# Exceptions for sites that'll break under the default action set:
@@ -6201,7 +6733,6 @@ for-privoxy-version=3.0.11
.office.microsoft.com # surprise, surprise!
.windowsupdate.microsoft.com
mail.google.com
-
Shopping sites are not as fragile, but they typically
@@ -6209,7 +6740,6 @@ mail.google.com
carts or item details. Again, we'll use a pre-defined alias:
-
# Shopping sites:
#
@@ -6218,7 +6748,6 @@ mail.google.com
.worldpay.com # for quietpc.com
.jungle.com
.scan.co.uk
-
The fast-redirects
@@ -6226,7 +6755,6 @@ mail.google.com
breaks some sites. So disable it for popular sites where we know it misbehaves:
-
{ -fast-redirects }
login.yahoo.com
@@ -6235,7 +6763,6 @@ edit.*.yahoo.com
.altavista.com/.*(like|url|link):http
.altavista.com/trans.*urltext=http
.nytimes.com
-
It is important that Privoxy knows which
@@ -6250,7 +6777,6 @@ edit.*.yahoo.com
good start:
-
##########################################################################
# Images:
@@ -6261,7 +6787,6 @@ edit.*.yahoo.com
#
{ +handle-as-image }
/.*\.(gif|jpe?g|png|bmp|ico)$
-
And then there are known banner sources. They often use scripts to
@@ -6278,7 +6803,6 @@ edit.*.yahoo.com
action before, it still applies and needn't be repeated:
-
# Known ad generators:
#
@@ -6290,7 +6814,6 @@ ar.atwola.com
.a[0-9].yimg.com/(?:(?!/i/).)*$
bs*.gsanet.com
.qkimg.net
-
One of the most important jobs of Privoxy
@@ -6310,7 +6833,6 @@ bs*.gsanet.com
to keep the example short:
-
##########################################################################
# Block these fine banners:
@@ -6329,7 +6851,6 @@ count*.
# Site-specific patterns (abbreviated):
#
.hitbox.com
-
It's quite remarkable how many advertisers actually call their banner
@@ -6359,7 +6880,6 @@ count*.
with no block action applying.
-
##########################################################################
# Save some innocent victims of the above generic block patterns:
@@ -6383,7 +6903,6 @@ ad[ud]*. # (adult.* and add.*)
#
www.globalintersec.com/adv # (adv = advanced)
www.ugu.com/sui/ugu/adv
-
Filtering source code can have nasty side effects,
@@ -6393,7 +6912,6 @@ www.ugu.com/sui/ugu/adv
disables all filters in one fell swoop!
-
# Don't filter code!
#
@@ -6403,7 +6921,6 @@ bugzilla.
developer.
wiki.
.sourceforge.net
-
The actual default.action is of course much more
@@ -6437,10 +6954,8 @@ wiki.
-
# My user.action file. <fred@example.com>
-
As aliases are local to the actions
@@ -6448,7 +6963,6 @@ wiki.
default.action, unless you repeat them here:
-
# Aliases are local to the file they are defined in.
# (Re-)define aliases for this file:
@@ -6479,8 +6993,6 @@ allow-ads = -block -filter{banners-by-size} -filter{banners-by-link}
# MIME types. We want the browser to force these to be text documents.
handle-as-text = -filter +-content-type-overwrite{text/plain} +-force-text-mode -hide-content-disposition
-
-
Say you have accounts on some sites that you visit regularly, and
you don't want to have to log in manually each time. So you'd like
@@ -6490,30 +7002,27 @@ handle-as-text = -filter +-filter }
- .your-home-banking-site.com
-
+.your-home-banking-site.com
+
Some file types you may not want to filter for various reasons:
-
# Technical documentation is likely to contain strings that might
# erroneously get altered by the JavaScript-oriented filters:
@@ -6525,7 +7034,6 @@ handle-as-text = -filter +-block action. Say you've
@@ -6538,12 +7046,11 @@ stupid-server.example.com/
in default.action anyway:
-
{ +block{Nasty ads.} }
- www.example.com/nasty-ads/sponsor\.gif
- another.example.net/more/junk/here/
-
+www.example.com/nasty-ads/sponsor\.gif
+another.example.net/more/junk/here/
+
The URLs of dynamically generated banners, especially from large banner
@@ -6557,14 +7064,13 @@ stupid-server.example.com/
browser. Use cautiously.
-
{ +block-as-image }
- .doubleclick.net
- .fastclick.net
- /Realmedia/ads/
- ar.atwola.com/
-
+.doubleclick.net
+.fastclick.net
+/Realmedia/ads/
+ar.atwola.com/
+
Now you noticed that the default configuration breaks Forbes Magazine,
@@ -6578,13 +7084,12 @@ stupid-server.example.com/
that misbehave, and add those to our personalized list of troublemakers:
-
{ fragile }
- .forbes.com
- webmail.example.com
- .mybank.com
-
+.forbes.com
+webmail.example.com
+.mybank.com
+
You like the fun text replacements in default.filter,
@@ -6593,11 +7098,10 @@ stupid-server.example.com/
update-safe config, once and for all:
-
{ +filter{fun} }
- / # For ALL sites!
-
+/ # For ALL sites!
+
Note that the above is not really a good idea: There are exceptions
@@ -6614,13 +7118,12 @@ stupid-server.example.com/
sites that you feel provide value to you:
-
{ allow-ads }
- .sourceforge.net
- .slashdot.org
- .osdn.net
-
+.sourceforge.net
+.slashdot.org
+.osdn.net
+
Note that allow-ads has been aliased to
@@ -6636,11 +7139,10 @@ stupid-server.example.com/
it should I choose to.
-
{ handle-as-text }
- /.*\.sh$
-
+/.*\.sh$
+
user.action is generally the best place to define
@@ -6652,11 +7154,9 @@ stupid-server.example.com/
paths and patterns:
-
{ +set-image-blocker{blank} }
/ # ALL sites
-
@@ -6679,18 +7179,21 @@ stupid-server.example.com/
- &my-app; supports three different pcrs-based filter actions:
+ &my-app; supports four different pcrs-based filter actions:
filter to
rewrite the content that is send to the client,
client-header-filter
- to rewrite headers that are send by the client, and
+ to rewrite headers that are send by the client,
server-header-filter
- to rewrite headers that are send by the server.
+ to rewrite headers that are send by the server, and
+ client-body-filter
+ to rewrite client request body.
- &my-app; also supports two tagger actions:
- client-header-tagger
+ &my-app; also supports three tagger actions:
+ client-header-tagger,
+ client-body-tagger
and
server-header-tagger.
Taggers and filters use the same syntax in the filter files, the difference
@@ -6744,7 +7247,8 @@ stupid-server.example.com/
filter file is organized in sections, which are called filters
here. Each filter consists of a heading line, that starts with one of the
keywordsFILTER:,
- CLIENT-HEADER-FILTER: or SERVER-HEADER-FILTER:
+ CLIENT-HEADER-FILTER:, SERVER-HEADER-FILTER: or
+ CLIENT-BODY-FILTER:
followed by the filter's name, and a short (one line)
description of what it does. Below that line
come the jobs, i.e. lines that define the actual
@@ -6768,9 +7272,7 @@ stupid-server.example.com/
like this:
-FILTER: foo Replace all "foo" with "bar"
-
Below that line, and up to the next header line, come the jobs that
@@ -6813,7 +7315,7 @@ stupid-server.example.com/
If you are new to
- Regular
+ Regular
Expressions, you might want to take a look at
the Appendix on regular expressions, and
see the Perl
@@ -6836,9 +7338,7 @@ stupid-server.example.com/
needed:
-s/foo/bar/
-
But wait! Didn't the comment say that all occurrences
@@ -6847,17 +7347,14 @@ stupid-server.example.com/
we'll need to add the g option:
-s/foo/bar/g
-
Our complete filter now looks like this:
-
+
FILTER: foo Replace all "foo" with "bar"
s/foo/bar/g
-
Let's look at some real filters for more interesting examples. Here you see
@@ -6866,14 +7363,12 @@ s/foo/bar/g
-
FILTER: js-annoyances Get rid of particularly annoying JavaScript abuse
# Get rid of JavaScript referrer tracking. Test page: http://www.randomoddness.com/untitled.htm
#
s|(<script.*)document\.referrer(.*</script>)|$1"Not Your Business!"$2|Usg
-
Following the header line and a comment, you see the job. Note that it uses
@@ -6955,12 +7450,10 @@ s|(<script.*)document\.referrer(.*</script>)|$1"Not Your Business!"$2|U
this time only point out the constructs of special interest:
-
# The status bar is for displaying link targets, not pointless blahblah
#
s/window\.status\s*=\s*(['"]).*?\1/dUmMy=1/ig
-\s stands for whitespace characters (space, tab, newline,
@@ -6983,12 +7476,10 @@ s/window\.status\s*=\s*(['"]).*?\1/dUmMy=1/ig
you move your mouse over links.
-
# Kill OnUnload popups. Yummy. Test: http://www.zdnet.com/zdsubs/yahoo/tree/yfs.html
#
s/(<body [^>]*)onunload(.*>)/$1never$2/iU
-
Including the
@@ -7009,14 +7500,12 @@ s/(<body [^>]*)onunload(.*>)/$1never$2/iU
The last example is from the fun department:
-
FILTER: fun Fun text replacements
# Spice the daily news:
#
s/microsoft(?!\.com)/MicroSuck/ig
-
Note the (?!\.com) part (a so-called negative lookahead)
@@ -7026,7 +7515,6 @@ s/microsoft(?!\.com)/MicroSuck/ig
still replacing the word everywhere else.
-
# Buzzword Bingo (example for extended regex syntax)
#
@@ -7042,7 +7530,6 @@ s* industry[ -]leading \
| unrivalled \
*<font color="red"><b>BINGO!</b></font> \
*igx
-
The x option in this job turns on extended syntax, and allows for
@@ -7077,6 +7564,7 @@ pre-defined filters for your convenience:
The purpose of this filter is to get rid of particularly annoying JavaScript abuse.
To that end, it
+
@@ -7100,7 +7588,6 @@ pre-defined filters for your convenience:
-
Use with caution. This is an aggressive filter, and can break sites that
rely heavily on JavaScript.
@@ -7240,9 +7727,9 @@ pre-defined filters for your convenience:
banners-by-link
- This is an experimental filter that attempts to kill any banners if
- their URLs seem to point to known or suspected click trackers. It is currently
- not of much value and is not recommended for use by default.
+ This filter attempts to kill any banners if their URLs seem to point
+ to known or suspected click trackers. It is currently not of much value
+ and is not recommended for use by default.
@@ -7324,7 +7811,7 @@ pre-defined filters for your convenience:
sometimes appear on some pages, or user agents that don't correct for this on
the fly.
@@ -7559,7 +8046,7 @@ pre-defined filters for your convenience:
&my-app; will temporary store the content to filter in the
temporary-directory.
-
+
EXTERNAL-FILTER: cat Pointless example filter that doesn't actually modify the content
/bin/cat
@@ -7585,7 +8072,6 @@ EXTERNAL-FILTER: rotate-image Rotate an image by 180 degree. Test filter with li
EXTERNAL-FILTER: citation-needed Adds a "[citation needed]" tag to an image. The coordinates may need adjustment.
/usr/local/bin/convert - -pointsize 16 -fill white -annotate +17+418 "[citation needed]" -
-
@@ -7619,84 +8105,414 @@ EXTERNAL-FILTER: citation-needed Adds a "[citation needed]" tag to an image. The
(Privoxy must be running for the above links to work as
intended.)
-
+
+
+ These templates are stored in a subdirectory of the configuration
+ directory called templates. On Unixish platforms,
+ this is typically
+ /etc/privoxy/templates/.
+
+
+
+ The templates are basically normal HTML files, but with place-holders (called symbols
+ or exports), which Privoxy fills at run time. It
+ is possible to edit the templates with a normal text editor, should you want
+ to customize them. (Not recommended for the casual
+ user). Should you create your own custom templates, you should use
+ the config setting templdir
+ to specify an alternate location, so your templates do not get overwritten
+ during upgrades.
+
+
+ Note that just like in configuration files, lines starting
+ with # are ignored when the templates are filled in.
+
+
+
+ The place-holders are of the form @name@, and you will
+ find a list of available symbols, which vary from template to template,
+ in the comments at the start of each file. Note that these comments are not
+ always accurate, and that it's probably best to look at the existing HTML
+ code to find out which symbols are supported and what they are filled in with.
+
+
+
+ A special application of this substitution mechanism is to make whole
+ blocks of HTML code disappear when a specific symbol is set. We use this
+ for many purposes, one of them being to include the beta warning in all
+ our user interface (CGI) pages when Privoxy
+ is in an alpha or beta development stage:
+
+
+
+<!-- @if-unstable-start -->
+
+ ... beta warning HTML code goes here ...
+
+<!-- if-unstable-end@ -->
+
+
+ If the "unstable" symbol is set, everything in between and including
+ @if-unstable-start and if-unstable-end@
+ will disappear, leaving nothing but an empty comment:
+
+
+ <!-- -->
+
+
+ There's also an if-then-else construct and an #include
+ mechanism, but you'll sure find out if you are inclined to edit the
+ templates ;-)
+
+
+
+ All templates refer to a style located at
+ http://config.privoxy.org/send-stylesheet.
+ This is, of course, locally served by Privoxy
+ and the source for it can be found and edited in the
+ cgi-style.css template.
+
+
+
+
+
+
+
+
+
+HOWTOs
+
+
+HTTPS-Inspection HOWTO
+How TLS Certificates for websites work
+
+
+ The website owner generates a (private) TLS key and a Certificate
+ Signing Request (CSR).
+
+
+ The CSR is then sent to a Certification Authority (CA), which
+ verifies that the owner is the actual owner of the website. This can
+ be done by proving that the owner has technical write access to the
+ site or the site's DNS, or by verifying the identity of the
+ organization running the site using telephone and public databases.
+
+
+ If the verification is successful, the CA signs the CSR and creates a
+ certificate that certifies that the private TLS key actually belongs
+ to the website name and/or organization that owns the domain.
+
+
+ This TLS certificate is then added to the web server configuration,
+ and when a browser accesses the website, it verifies that the TLS
+ certificate presented to the browser is valid for that domain.
+
+
+ To do this, each browser has the certificates of multiple CAs in its
+ trust store. Only if the certificate of the CA, that signed the web
+ server is in the trust store, the browser will accept the
+ certificate, otherwise the browser will complain about a broken
+ certificate.
+
+
+ If this check passes, the browser sends a random number encrypted
+ with the server's public key to the server, and both compute a shared
+ secret using the Diffie-Hellman key exchange algorithm. Now server
+ and browser can communicate, but no one else can break that
+ communication because it's encrypted between them.
+
+
+
+How HTTPS inspection works
+
+ When we try to inspect HTTPS traffic, we have to break the TLS
+ encryption between browser and web server without being the browser
+ or the web server. This is exactly what TLS tries to avoid, as it's
+ a man-in-the-middle-attack.
+
+
+ To do this, Privoxy uses it's own (private) CA (let's call it
+ "Privoxy CA"), which has to be added to the trust store of every
+ single browser that should be used with Privoxy and HTTPS inspection.
+
+
+ Now Privoxy breaks the connection between browser and webserver by
+ acting as a browser/client when talking to the webserver (including
+ checking the webserver's TLS certificate against it's own trust
+ store). Now Privoxy can read and modify the traffic from the
+ webserver.
+
+
+ On the other hand, Privoxy itself encrypts the traffic it sends to
+ the browser using an on the fly self-created TLS server certificate
+ that is signed by Privoxy CA.
+
+
+
+What happens, if the original
+ certificate is invalid?
+
+ If Privoxy detects, that a TLS certificate is not valid, because the
+ certificate is expired, doesn't match the hostname, is self signed or
+ similar, Privoxy blocks the requests and returns an error message
+ explaining the problem to avoid that the user/browser communicates
+ over an insecure communication channel.
+
+
+ To check this behavior, simply go to
+ https://badssl.com/
+
+
+
+HTTPS inspection prerequisites
+
+
+ HTTPS inspection in Privoxy can only be used, if Privoxy is built
+ with FEATURE_HTTPS_INSPECTION. You can check if this feature
+ is enabled at
+ http://config.privoxy.org/show-status
+ in the "Conditional #defines" section.
+
+
+ If the feature is not enabled, you may need to
+ build Privoxy from source
+ to enable it. You can use either
+ MbedTLS
+ or OpenSSL. It's up to
+ you, which one to use, they both behave the same for HTTPS inspection.
+
+
+ After installing the development libraries for either OpenSSL or
+ MbedTLS, you can run ./configure with
+ either the --with-openssl or
+ --with-mbedtls option.
+
+
+ Check the output of ./configure, it must contain
+ one of these the following two lines, otherwise HTTPS inspection will
+ not work:
+
+
+configure: Detected OpenSSL. Enabling https inspection.
+configure: Detected mbedTLS. Enabling https inspection.
+
+
+ If you do not find any of these lines, the output of
+ ./configure will tell you what went wrong.
+
+
+ You should then proceed with the
+ source install.
+ Finally, check the FEATURE_HTTPS_INSPECTION status in
+ http://config.privoxy.org/show-status
+ again.
+
+
+
+Configuring HTTPS inspection in Privoxy
+
+
+ First, you need to create the private key and certificate for the
+ "Privoxy CA". This can be done using openssl with the following
+ command:
+
+openssl req -new -x509 -extensions v3_ca -keyout privoxy.pem -out privoxy.crt -days 3650
+
+
+
+ Here we have defined a CA validity of 10 years (3650 days). You
+ should decide for yourself what is a good validity. A shorter
+ validity makes your system more secure (it doesn't hurt that long if
+ the key gets lost to an attacker), but if the certificate expires
+ before you have replaced it with a new one in Privoxy and in all
+ browsers, the communication will fail.
+
+
+ During the key generation you will be asked for a "pass phrase".
+ This pass phrase will appear in the Privoxy config CGI, so don't
+ reuse it elsewhere!
+
+
+ Then you will be asked for Country Name, State/Province, Locality,
+ Orginzation Name, Common Name, and Email Address. You should add
+ some useful data here, because these entries are shown by the browser
+ as "Issuer Name" when you inspect a certificate from an
+ https-inspection site. Especially the "Common Name" will be shown as
+ the name of your CA, so it's good if you (and other users of your
+ Privoxy instance) are able to identify this CA.
+
+
+ Copy the private key (privoxy.pem) and the CA
+ certificate (privoxy.crt) into
+ the ca-directory (defined
+ in config).
+
+
+ Make sure that the private key (privoxy.pem in
+ the above example) is only accessible to the user running Privoxy
+ (usually named "privoxy"):
+
+
+chmod 600 privoxy.pem
+chown privoxy privoxy.pem
+
+
+ Now adjust your Privoxy configuration:
+
+
+ca-directory /etc/privoxy/CA # read-only
+ca-cert-file privoxy.crt # in ca-directory
+ca-key-file privoxy.pem # in ca-directory
+ca-password passphrasefromabove
+certificate-directory /var/lib/privoxy/certs
+trusted-cas-file /etc/ssl/certs/ca-certificates.crt
+
- These templates are stored in a subdirectory of the configuration
- directory called templates. On Unixish platforms,
- this is typically
- /etc/privoxy/templates/.
+ certificate-directory
+ contains the (on the fly) created webserver keys and certificates.
+ It should only be readable by the privoxy user only:
-
+
+chown privoxy /var/lib/privoxy/certs
+chmod 700 /var/lib/privoxy/certs.
+
- The templates are basically normal HTML files, but with place-holders (called symbols
- or exports), which Privoxy fills at run time. It
- is possible to edit the templates with a normal text editor, should you want
- to customize them. (Not recommended for the casual
- user). Should you create your own custom templates, you should use
- the config setting templdir
- to specify an alternate location, so your templates do not get overwritten
- during upgrades.
-
-
- Note that just like in configuration files, lines starting
- with # are ignored when the templates are filled in.
+ trusted-cas-file is the trust
+ store containing the certificates of all CAs that should be accepted.
+ Each browser comes with it's own trust store. Most Unix systems also
+ ship with a truststore. Debian ships it's truststore
+ in /etc/ssl/certs/ca-certificates.crt, which is
+ installed by the ca-certificates package and can be updated using
+ update-ca-certificates(8). Alternatively, such a file (extracted
+ from Mozilla) can be downloaded
+ from https://curl.se/docs/caextract.html.
+
+Browser configuration
- The place-holders are of the form @name@, and you will
- find a list of available symbols, which vary from template to template,
- in the comments at the start of each file. Note that these comments are not
- always accurate, and that it's probably best to look at the existing HTML
- code to find out which symbols are supported and what they are filled in with.
+ As written above, each browser you use must now trust the newly
+ created Privoxy CA certificate (privoxy.crt).
-
- A special application of this substitution mechanism is to make whole
- blocks of HTML code disappear when a specific symbol is set. We use this
- for many purposes, one of them being to include the beta warning in all
- our user interface (CGI) pages when Privoxy
- is in an alpha or beta development stage:
+ In Firefox you can do this by opening the preferences "Edit" ->
+ "Settings" -> "Privacy & Security" or by typing
+ about:preferences#privacy
+ in the URL. Then go down to the "Certificates" section and click on
+ "View Certificates". Click on the "Authorities" tab and "Import..."
+ your privoxy.crt. In the "CA certificate trust
+ settings" select "This certificate can identify websites".
+
+
+ In Chrome based browsers, go to the settings and select "Privacy and
+ security"
+ (chrome://settings/privacy).
+ Click on "Security" and on the opened sub-page on "Manage
+ certificates". Now go to the "Authorities" tab and
+ import privoxy.crt and configure that you trust
+ the certificate for website identification.
+
+Enabeling HTTPS inspection
+
+ Currently no pages use HTTPS inspection, you need to enable this for
+ some (or all) domains first
+ using user.action (either by editing
+ the file by hand or via the CGI (this requires
+ enable-edit-actions
+ to be enabled in config) at
+ http://config.privoxy.org/show-status
+ (click on user.action Edit button).
+
+ Here you can enable HTTPS inspection for individual sites:
+
-<!-- @if-unstable-start -->
+{+https-inspection}
+.badssl.com
+clienttest.ssllabs.com
+
+
+ You can add more individual sites or wildcards (one per line).
+
+
+ Alternatively, you can use a client-tag to dynamically enable/disable
+ this feature via the browser, as described in the next chapter.
+
+
- ... beta warning HTML code goes here ...
+
-<!-- if-unstable-end@ -->
+
+Client Tags HOWTO
+
+ Client-Tags are a mechanism to dynamically/temporarily enable/disable
+ features in Privoxy per browser.
-
- If the "unstable" symbol is set, everything in between and including
- @if-unstable-start and if-unstable-end@
- will disappear, leaving nothing but an empty comment:
+ In our example, we use this for the following two use cases:
+
+ Enable TOR anonymous proxy
+ Enable https-inspection
+
-
- <!-- -->
+ To use this feature, you must first define a tag name and a tag
+ description for each client-tag in config,
+ like this:
-
+
+client-specific-tag tor Use Tor anonymous proxy
+client-specific-tag https-inspection Enable https-inspection
+
- There's also an if-then-else construct and an #include
- mechanism, but you'll sure find out if you are inclined to edit the
- templates ;-)
+ Now you can open http://config.privoxy.org/client-tags
+ or http://p.p/client-tags
+ and can enable/disable the tag there (you may want to add a bookmark
+ for this in your browser for quick access, but it's also available as
+ a link at http://p.p).
-
- All templates refer to a style located at
- http://config.privoxy.org/send-stylesheet.
- This is, of course, locally served by Privoxy
- and the source for it can be found and edited in the
- cgi-style.css template.
+ It's also possible to temporarily enable a tag, which by default
+ means 3 minutes (=180 seconds) (and can be changed via the
+ client-tag-lifetime option
+ in config).
+
+
+ But before this has any effect, you have to use the client tag in
+ your user.action like this:
+
+
+{+forward-override{forward-socks5t 127.0.0.1:9050 .} }
+CLIENT-TAG:^tor$
+
+
+ This means, that if the "tor" client tag is enabled, all traffic is
+ forwarded by Privoxy through socks5t to a locally installed tor proxy
+ listening on port 9050.
+
+
+ Similarly, you can specify to use the https-inspection client tag to
+ enable https-inspection:
+
+
+{+https-inspection}
+CLIENT-TAG:^https-inspection$
+
+
+ The tag will be set for all requests coming from clients that have
+ requested it to be set. Note that "clients" are distinguished by IP
+ address, if the IP address changes, the tag must be requested again.
+
-
Contacting the Developers, Bug Reporting and Feature
@@ -7720,17 +8536,64 @@ RequestsPrivoxy is free software; you can
- redistribute it and/or modify it under the terms of the
- GNU General Public License, version 2,
- as published by the Free Software Foundation and included in
- the next section.
+ redistribute and/or modify its source code under the terms
+ of the GNU General Public License
+ as published by the Free Software Foundation, either version 2
+ of the license, or (at your option) any later version.
+
+
+
+ The same is true for Privoxy binaries
+ unless they are linked with a
+ mbed TLS version
+ that is licensed under the Apache 2.0 license in which
+ case you can redistribute and/or modify the Privoxy
+ binaries under the terms of the GNU General Public License
+ as published by the Free Software Foundation, either version 3
+ of the license, or (at your option) any later version.
+
+
+
+ Both licenses are included in the next section.
License
+
+GNU General Public License version 2
+
+
+
+GNU General Public License version 3
+
+
+
+Third-party licenses and copyrights
+
+ Privoxy depends on a couple of third-party libraries which have seperate licenses.
+ Please refer to the third-party websites for up-to-date license and copyright
+ information.
+
+
+ Privoxy depends on pcre.
+
+
+ When compiled with FEATURE_BROTLI (optional), Privoxy depends on
+ brotli.
+
-
+ When compiled with FEATURE_HTTPS_INSPECTION (optional),
+ Privoxy depends on a TLS library. The supported libraries are
+ LibreSSL,
+ mbed TLS 2.28.x and
+ OpenSSL and
+ wolfSSL.
+
+ When compiled with FEATURE_ZLIB (optional),
+ Privoxy depends on zlib.
+
+
@@ -7819,35 +8682,35 @@ Requests
and then some examples:
-
+. - Matches any single character, e.g. a,
A, 4, :, or @.
-
+
-
+? - The preceding character or expression is matched ZERO or ONE
times. Either/or.
-
+
-
++ - The preceding character or expression is matched ONE or MORE
times.
-
+
-
+* - The preceding character or expression is matched ZERO or MORE
times.
-
+
-
+\ - The escape character denotes that
the following character should be taken literally. This is used where one of the
@@ -7856,25 +8719,25 @@ Requests
sure the period is recognized only as a period (and not expanded to its
meta-character meaning of any single character).
-
+
-
+[ ] - Characters enclosed in brackets will be matched if
any of the enclosed characters are encountered. For instance, [0-9]
matches any numeric digit (zero through nine). As an example, we can combine
this with + to match any digit one of more times: [0-9]+.
-
+
-
+( ) - parentheses are used to group a sub-expression,
or multiple sub-expressions.
-
+
-
+| - The bar character works like an
or conditional statement. A match is successful if the
@@ -7883,7 +8746,7 @@ Requests
and would match either this example or that
example, and nothing else.
-
+
These are just some of the ones you are likely to use when matching URLs with
@@ -8011,7 +8874,6 @@ Requests
rules and other configuration options, and even turn
Privoxy's filtering off, all with
a web browser.
-
@@ -8022,7 +8884,6 @@ Requests
necessary either.
-
@@ -8043,23 +8904,23 @@ Requests
- Show information about the current configuration, including viewing and
- editing of actions files:
+ View and toggle client tags:
@@ -8114,7 +8975,6 @@ Requests
-
@@ -8128,7 +8988,6 @@ Requests
page is requested by your browser:
-
@@ -8237,7 +9096,7 @@ Requests
-
+
NOTE: This is somewhat of a simplistic overview of what happens with each URL
request. For the sake of brevity and simplicity, we have focused on
@@ -8310,13 +9169,12 @@ Requests
configuration may vary):
-
- Matches for http://www.google.com:
+Matches for http://www.google.com:
- In file: default.action [ View ][ Edit ]
+In file: default.action [ View ][ Edit ]
- {+change-x-forwarded-for{block}
+{+change-x-forwarded-for{block}
+deanimate-gifs {last}
+fast-redirects {check-decoded-url}
+filter {refresh-tags}
@@ -8328,19 +9186,18 @@ Requests
+hide-from-header {block}
+hide-referrer {forge}
+session-cookies-only
- +set-image-blocker {pattern}
+ +set-image-blocker {pattern} }
/
- { -session-cookies-only }
- .google.com
+{ -session-cookies-only }
+.google.com
- { -fast-redirects }
- .google.com
+{ -fast-redirects }
+.google.com
In file: user.action [ View ][ Edit ]
(no matches in this file)
-
This is telling us how we have defined our
@@ -8396,15 +9253,127 @@ In file: user.action [ View ][ Edit ]Privoxy is applying all its actions
to google.com:
+
+
+
+Final results:
+
+-add-header
+-block
++change-x-forwarded-for{block}
+-client-header-filter{hide-tor-exit-notation}
+-content-type-overwrite
+-crunch-client-header
+-crunch-if-none-match
+-crunch-incoming-cookies
+-crunch-outgoing-cookies
+-crunch-server-header
++deanimate-gifs {last}
+-downgrade-http-version
+-fast-redirects
+-filter {js-events}
+-filter {content-cookies}
+-filter {all-popups}
+-filter {banners-by-link}
+-filter {tiny-textforms}
+-filter {frameset-borders}
+-filter {demoronizer}
+-filter {shockwave-flash}
+-filter {quicktime-kioskmode}
+-filter {fun}
+-filter {crude-parental}
+-filter {site-specifics}
+-filter {js-annoyances}
+-filter {html-annoyances}
++filter {refresh-tags}
+-filter {unsolicited-popups}
++filter {img-reorder}
++filter {banners-by-size}
++filter {webbugs}
++filter {jumping-windows}
++filter {ie-exploits}
+-filter {google}
+-filter {yahoo}
+-filter {msn}
+-filter {blogspot}
+-filter {no-ping}
+-force-text-mode
+-handle-as-empty-document
+-handle-as-image
+-hide-accept-language
+-hide-content-disposition
++hide-from-header {block}
+-hide-if-modified-since
++hide-referrer {forge}
+-hide-user-agent
+-limit-connect
+-overwrite-last-modified
+-prevent-compression
+-redirect
+-server-header-filter{xml-to-html}
+-server-header-filter{html-to-xml}
+-session-cookies-only
++set-image-blocker {pattern}
+
+
+
+ Notice the only difference here to the previous listing, is to
+ fast-redirects and session-cookies-only,
+ which are activated specifically for this site in our configuration,
+ and thus show in the Final Results.
+
+
+
+ Now another example, ad.doubleclick.net:
+
+
+
+{ +block{Domains starts with "ad"} }
+ad*.
+
+{ +block{Domain contains "ad"} }
+.ad.
+{ +block{Doubleclick banner server} +handle-as-image }
+.[a-vx-z]*.doubleclick.net
+
+
+
+ We'll just show the interesting part here - the explicit matches. It is
+ matched three different times. Two +block{} sections,
+ and a +block{} +handle-as-image,
+ which is the expanded form of one of our aliases that had been defined as:
+ +block-as-image. (Aliases are defined in
+ the first section of the actions file and typically used to combine more
+ than one action.)
+
+
+
+ Any one of these would have done the trick and blocked this as an unwanted
+ image. This is unnecessarily redundant since the last case effectively
+ would also cover the first. No point in taking chances with these guys
+ though ;-) Note that if you want an ad or obnoxious
+ URL to be invisible, it should be defined as ad.doubleclick.net
+ is done here -- as both a +block{}
+ and an
+ +handle-as-image.
+ The custom alias +block-as-image just
+ simplifies the process and make it more readable.
+ One last example. Let's try http://www.example.net/adsl/HOWTO/.
+ This one is giving us problems. We are getting a blank page. Hmmm ...
+
+
+Matches for http://www.example.net/adsl/HOWTO/:
- Final results:
+In file: default.action [ View ][ Edit ]
- -add-header
+{-add-header
-block
+change-x-forwarded-for{block}
-client-header-filter{hide-tor-exit-notation}
@@ -8414,9 +9383,9 @@ In file: user.action [ View ][ Edit ][ View ][ Edit ]
-
-
-
- Notice the only difference here to the previous listing, is to
- fast-redirects and session-cookies-only,
- which are activated specifically for this site in our configuration,
- and thus show in the Final Results.
-
-
-
- Now another example, ad.doubleclick.net:
-
-
-
-
-
- { +block{Domains starts with "ad"} }
- ad*.
-
- { +block{Domain contains "ad"} }
- .ad.
-
- { +block{Doubleclick banner server} +handle-as-image }
- .[a-vx-z]*.doubleclick.net
-
-
-
-
- We'll just show the interesting part here - the explicit matches. It is
- matched three different times. Two +block{} sections,
- and a +block{} +handle-as-image,
- which is the expanded form of one of our aliases that had been defined as:
- +block-as-image. (Aliases are defined in
- the first section of the actions file and typically used to combine more
- than one action.)
-
-
-
- Any one of these would have done the trick and blocked this as an unwanted
- image. This is unnecessarily redundant since the last case effectively
- would also cover the first. No point in taking chances with these guys
- though ;-) Note that if you want an ad or obnoxious
- URL to be invisible, it should be defined as ad.doubleclick.net
- is done here -- as both a +block{}
- and an
- +handle-as-image.
- The custom alias +block-as-image just
- simplifies the process and make it more readable.
-
-
-
- One last example. Let's try http://www.example.net/adsl/HOWTO/.
- This one is giving us problems. We are getting a blank page. Hmmm ...
-
-
-
-
+ +session-cookies-only
+ +set-image-blocker{blank} }
+/
- Matches for http://www.example.net/adsl/HOWTO/:
-
- In file: default.action [ View ][ Edit ]
-
- {-add-header
- -block
- +change-x-forwarded-for{block}
- -client-header-filter{hide-tor-exit-notation}
- -content-type-overwrite
- -crunch-client-header
- -crunch-if-none-match
- -crunch-incoming-cookies
- -crunch-outgoing-cookies
- -crunch-server-header
- +deanimate-gifs
- -downgrade-http-version
- +fast-redirects {check-decoded-url}
- -filter {js-events}
- -filter {content-cookies}
- -filter {all-popups}
- -filter {banners-by-link}
- -filter {tiny-textforms}
- -filter {frameset-borders}
- -filter {demoronizer}
- -filter {shockwave-flash}
- -filter {quicktime-kioskmode}
- -filter {fun}
- -filter {crude-parental}
- -filter {site-specifics}
- -filter {js-annoyances}
- -filter {html-annoyances}
- +filter {refresh-tags}
- -filter {unsolicited-popups}
- +filter {img-reorder}
- +filter {banners-by-size}
- +filter {webbugs}
- +filter {jumping-windows}
- +filter {ie-exploits}
- -filter {google}
- -filter {yahoo}
- -filter {msn}
- -filter {blogspot}
- -filter {no-ping}
- -force-text-mode
- -handle-as-empty-document
- -handle-as-image
- -hide-accept-language
- -hide-content-disposition
- +hide-from-header{block}
- +hide-referer{forge}
- -hide-user-agent
- -overwrite-last-modified
- +prevent-compression
- -redirect
- -server-header-filter{xml-to-html}
- -server-header-filter{html-to-xml}
- +session-cookies-only
- +set-image-blocker{blank} }
- /
-
- { +block{Path contains "ads".} +handle-as-image }
- /ads
+{ +block{Path contains "ads".} +handle-as-image }
+/ads
-
Ooops, the /adsl/ is matching /ads in our
@@ -8599,13 +9447,10 @@ In file: user.action [ View ][ Edit ]
-
-
- { -block }
- /adsl
+{ -block }
+/adsl
-
Now the page displays ;-)
@@ -8619,13 +9464,10 @@ In file: user.action [ View ][ Edit ]
-
-
- { +block{Path starts with "ads".} +handle-as-image }
- /ads
+{ +block{Path starts with "ads".} +handle-as-image }
+/ads
-
That actually was very helpful and pointed us quickly to where the problem
@@ -8639,35 +9481,28 @@ In file: user.action [ View ][ Edit ]+filter:
-
-
- { shop }
- .quietpc.com
- .worldpay.com # for quietpc.com
- .jungle.com
- .scan.co.uk
- .forbes.com
+{ shop }
+.quietpc.com
+.worldpay.com # for quietpc.com
+.jungle.com
+.scan.co.uk
+.forbes.com
-{ shop } is an alias that expands to
{ -filter -session-cookies-only }.
Or you could do your own exception to negate filtering:
-
-
-
- { -filter }
- # Disable ALL filter actions for sites in this section
- .forbes.com
- developer.ibm.com
- localhost
+{ -filter }
+# Disable ALL filter actions for sites in this section
+.forbes.com
+developer.ibm.com
+localhost
-
This would turn off all filtering for these sites. This is best
@@ -8690,14 +9525,13 @@ In file: user.action [ View ][ Edit ]
-
-
- { fragile }
- # Handle with care: easy to break
- mail.google.
- mybank.example.com
-
+
+{ fragile }
+# Handle with care: easy to break
+mail.google.
+mybank.example.com
+