X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fsource%2Fuser-manual.sgml;h=0c5ee3003363528c7757a0a05f1ec35637fd8080;hb=HEAD;hp=b6f663ea6aba09c419c89da49baa0638e7396685;hpb=869a8de291688e072f0dbf6835386fcdf5698566;p=privoxy.git diff --git a/doc/source/user-manual.sgml b/doc/source/user-manual.sgml index b6f663ea..a1b86b18 100644 --- a/doc/source/user-manual.sgml +++ b/doc/source/user-manual.sgml @@ -10,10 +10,11 @@ + - + @@ -34,7 +35,7 @@ Purpose : user manual - Copyright (C) 2001-2018 Privoxy Developers https://www.privoxy.org/ + Copyright (C) 2001-2023 Privoxy Developers https://www.privoxy.org/ See LICENSE. ======================================================================== @@ -53,7 +54,7 @@ - Copyright &my-copy; 2001-2018 by + Copyright &my-copy; 2001-2023 by Privoxy Developers @@ -132,7 +133,7 @@ Hal. In addition to the core features of ad blocking and - cookie management, + cookie management, Privoxy provides many supplemental features, that give the end-user more control, more privacy and more freedom: @@ -226,31 +227,6 @@ How to install the binary packages depends on your operating system: - -OS/2 - - - First, make sure that no previous installations of - Junkbuster and / or - Privoxy are left on your - system. Check that no Junkbuster - or Privoxy objects are in - your startup folder. - - - - Then, just double-click the WarpIN self-installing archive, which will - guide you through the installation process. A shadow of the - Privoxy executable will be placed in your - startup folder so it will start automatically whenever OS/2 starts. - - - - The directory you choose to install Privoxy - into will contain all of the configuration files. - - - Mac OS X 
@@ -326,12 +302,16 @@ How to install the binary packages depends on your operating system: -FreeBSD +FreeBSD and ElectroBSD Privoxy is part of FreeBSD's Ports Collection, you can build and install it with cd /usr/ports/www/privoxy; make install clean. + + If your system is configured to install binary packages you can + try to install &my-app; with pkg install privoxy. + @@ -366,42 +346,42 @@ How to install the binary packages depends on your operating system: Run the setup program and from View / Category select: - Devel - autoconf 2.5 - automake 1.15 - binutils - cmake - gcc-core - gcc-g++ - git - make - mingw64-i686-gcc-core - mingw64-i686-zlib - Editors - vim - Libs - libxslt: GNOME XSLT library (runtime) - Net - curl - openssh - Text - docbook-dssl - docbook-sgml31 - docbook-utils - openjade - Utils - gnupg - Web - w3m +Devel + autoconf 2.5 + automake 1.15 + binutils + cmake + gcc-core + gcc-g++ + git + make + mingw64-i686-gcc-core + mingw64-i686-zlib +Editors + vim +Libs + libxslt: GNOME XSLT library (runtime) +Net + curl + openssh +Text + docbook-dssl + docbook-sgml31 + docbook-utils + openjade +Utils + gnupg +Web + w3m If you haven't already downloaded the Privoxy source code, get it now: - mkdir <root-dir> - cd <root-dir> - git clone https://www.privoxy.org/git/privoxy.git +mkdir <root-dir> +cd <root-dir> +git clone https://www.privoxy.org/git/privoxy.git @@ -411,10 +391,10 @@ How to install the binary packages depends on your operating system: unzip into <root-dir> and build the software: - cd <root-dir> - cd tidy-html5-x.y.z/build/cmake - cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local - make && make install +cd <root-dir> +cd tidy-html5-x.y.z/build/cmake +cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local +make && make install 
@@ -422,13 +402,92 @@ How to install the binary packages depends on your operating system: https://sourceforge.net/projects/nsis/files/NSIS%203/ - and extract the NSIS directory to privoxy/windows. - Then edit the windows/GNUmakefile to set the location of the NSIS executable - eg: + and extract the NSIS directory to /<root-dir>/nsis/. + Then edit the windows/GNUmakefile to set the location + of the NSIS executable - eg: # Path to NSIS -MAKENSIS = ./nsis/makensis.exe +MAKENSIS = /<root-dir>/nsis/makensis.exe + + + + Get the latest 8.x PCRE code from + PCRE + https://sourceforge.net/projects/pcre/files/pcre/ + and build the static PCRE libraries with + + +export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" +export LDFLAGS="-fstack-protector-strong" +export CPPFLAGS="-DPCRE_STATIC" + +./configure --host=i686-w64-mingw32 \ + --prefix=/usr/local/i686-w64-mingw32 \ + --enable-utf --enable-unicode-properties \ + --enable-jit \ + --enable-newline-is-anycrlf \ + --enable-pcre16 \ + --enable-pcre32 \ + --disable-pcregrep-libbz2 \ + --disable-pcregrep-libz \ + --disable-pcretest-libreadline \ + --disable-stack-for-recursion \ + --enable-static --disable-shared \ + && make + + + + + If you want to be able to have Privoxy do TLS Inspection, get the latest + 2.28.x MBED-TLS library source code from + + https://github.com/Mbed-TLS/mbedtls/tags, + extract the tar file into <root-dir> + and build the static libraries with + +export WINDOWS_BUILD=1 +# build for a Windows platform + +unset DEBUG + +export CC=i686-w64-mingw32-gcc +export LD=i686-w64-mingw32-gcc +export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" +export LDFLAGS="${LDFLAGS} -fstack-protector-strong" + +make lib +# build the libraries + + + + + + Get the brotli library from + + https://github.com/google/brotli/releases + and build the static libraries with + +./bootstrap +# to create the GNU autotools files + +autoconf + +export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" 
+export LDFLAGS="${LDFLAGS} -fstack-protector-strong" + +./configure --host=i686-w64-mingw32 \ + --prefix=/usr/local/i686-w64-mingw32 \ + --enable-static \ + --disable-shared \ + --with-gnu-ld \ + --disable-silent-rules \ + && make + + + + @@ -438,8 +497,8 @@ MAKENSIS = ./nsis/makensis.exe To build just the Privoxy executable and not the whole installation package, do: - cd <root-dir>/privoxy - ./windows/MYconfigure && make +cd <root-dir>/privoxy +./windows/MYconfigure && make @@ -447,10 +506,10 @@ MAKENSIS = ./nsis/makensis.exe for building software, so the process is: - $ autoheader # creates config.h.in - $ autoconf # uses config.h.in to create the configure shell script - $ ./configure [options] # creates GNUmakefile - $ make [options] # builds the program +autoheader # creates config.h.in +autoconf # uses config.h.in to create the configure shell script +./configure [options] # creates GNUmakefile +make [options] # builds the program @@ -463,7 +522,8 @@ MAKENSIS = ./nsis/makensis.exe --enable-zlib --enable-static-linking --disable-pthread - --disable-dynamic-pcre + --with-brotli + --with-mbedtls @@ -472,11 +532,11 @@ MAKENSIS = ./nsis/makensis.exe - $ export CFLAGS="-O2" # set gcc optimization level - $ export LDFLAGS="-Wl,--nxcompat" # Enable DEP - $ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \ - > --enable-static-linking --disable-pthread --disable-dynamic-pcre - $ make # build Privoxy +$ export CFLAGS="-O2" # set gcc optimization level +$ export LDFLAGS="-Wl,--nxcompat" # Enable DEP +$ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \ +> --enable-static-linking --disable-pthread +$ make # build Privoxy 
@@ -616,8 +676,9 @@ MAKENSIS = ./nsis/makensis.exe use, filtering, you will need to force compression off. Example: - { +filter{google} +prevent-compression } - .google. +{ +filter{google} +prevent-compression } +.google. + Or if you use a number of filters, or filter many sites, you may just want to turn off compression for all sites in @@ -683,7 +744,7 @@ MAKENSIS = ./nsis/makensis.exe Set your browser to use Privoxy as HTTP and - HTTPS (SSL) proxy + HTTPS (SSL) proxy by setting the proxy configuration for address of 127.0.0.1 and port 8118. DO NOT activate proxying for FTP or @@ -696,7 +757,7 @@ MAKENSIS = ./nsis/makensis.exe Flush your browser's disk and memory caches, to remove any cached ad images. If using Privoxy to manage - cookies, + cookies, you should remove any currently stored cookies too. @@ -1049,7 +1110,7 @@ MAKENSIS = ./nsis/makensis.exe Before launching Privoxy for the first time, you will want to configure your browser(s) to use Privoxy as a HTTP and HTTPS (SSL) - proxy. The default is + proxy. The default is 127.0.0.1 (or localhost) for the proxy address, and port 8118 (earlier versions used port 8000). This is the one configuration step that must be done ! @@ -1061,13 +1122,13 @@ MAKENSIS = ./nsis/makensis.exe
Proxy Configuration Showing - Mozilla/Netscape HTTP and HTTPS (SSL) Settings + Mozilla Firefox HTTP and HTTPS (SSL) Settings - [ Screenshot of Mozilla Proxy Configuration ] + [ Screenshot of Mozilla Firefox Proxy Configuration ]
@@ -1078,7 +1139,7 @@ MAKENSIS = ./nsis/makensis.exe
- Tools -> Options -> Advanced -> Network ->Connection -> Settings + Edit -> Preferences -> Network Settings -> Settings @@ -1135,7 +1196,7 @@ MAKENSIS = ./nsis/makensis.exe After doing this, flush your browser's disk and memory caches to force a re-reading of all pages and to get rid of any ads that may be cached. Remove - any cookies, + any cookies, if you want Privoxy to manage that. You are now ready to start enjoying the benefits of using Privoxy! @@ -1158,7 +1219,7 @@ MAKENSIS = ./nsis/makensis.exe file. - # /etc/init.d/privoxy start +# /etc/init.d/privoxy start @@ -1179,7 +1240,7 @@ MAKENSIS = ./nsis/makensis.exe To start Privoxy manually, run: - # service privoxy onestart +# service privoxy onestart @@ -1207,7 +1268,7 @@ Click on the &my-app; Icon to start Privoxy. If no co Example Unix startup command:
- # /usr/sbin/privoxy --user privoxy /etc/privoxy/config +# /usr/sbin/privoxy --user privoxy /etc/privoxy/config Note that if you installed Privoxy through @@ -1217,16 +1278,6 @@ Example Unix startup command: - -OS/2 - - During installation, Privoxy is configured to - start automatically when the system restarts. You can start it manually by - double-clicking on the Privoxy icon in the - Privoxy folder. - - - Mac OS X @@ -1517,7 +1568,7 @@ for details.         ▪  View & change the current configuration -         ▪  View the source code version numbers +         ▪  View or toggle the tags that can be set based on the client's address         ▪  View the request headers. @@ -1576,7 +1627,7 @@ for details. Configuration Files Overview For Unix, *BSD and GNU/Linux, all configuration files are located in - /etc/privoxy/ by default. For MS Windows and OS/2 + /etc/privoxy/ by default. For MS Windows these are all in the same directory as the Privoxy executable. The main configuration file is named config - on GNU/Linux, Unix, BSD, and OS/2, and config.txt + on GNU/Linux, Unix, BSD, and config.txt on Windows. This is a required file. @@ -1793,7 +1844,7 @@ for details. The default profiles, and their associated actions, as pre-defined in default.action are: - Default Configurations +
Default Configurations @@ -2036,12 +2087,13 @@ for details. might look like: - - { +handle-as-image +block{Banner ads.} } - # Block these as if they were images. Send no block page. - banners.example.com - media.example.com/.*banners - .example.com/images/ads/ + +{ +handle-as-image +block{Banner ads.} } +# Block these as if they were images. Send no block page. +banners.example.com +media.example.com/.*banners +.example.com/images/ads/ + You can trace this process for URL patterns and any given URL by visiting Regular + Regular Expressions (POSIX 1003.2). @@ -2241,7 +2293,7 @@ for details. themselves. These work similarly to shell globbing type wild-cards: * represents zero or more arbitrary characters (this is equivalent to the - Regular + Regular Expression based syntax of .*), ? represents any single character (this is equivalent to the regular expression syntax of a simple .), and you can define @@ -2293,6 +2345,12 @@ for details. While flexible, this is not the sophistication of full regular expression based syntax. + + When compiled with FEATURE_PCRE_HOST_PATTERNS patterns can be prefixed with + PCRE-HOST-PATTERN: in which case full regular expression + (PCRE) can be used for the host pattern as well. + + @@ -2303,7 +2361,7 @@ for details. Privoxy uses modern POSIX 1003.2 - Regular + Regular Expressions for matching the path portion (after the slash), and is thus more flexible. @@ -2482,12 +2540,6 @@ for details. - - - This is an experimental feature. The syntax is likely to change in future versions. - - - Client tag patterns are not set based on HTTP headers but based on the client's IP address. Users can enable them themselves, but the @@ -2573,8 +2625,9 @@ example.org/blocked-example-page disabled. Syntax: - +name # enable action name - -name # disable action name ++name # enable action name +-name # disable action name + Example: +handle-as-image 
@@ -2586,10 +2639,11 @@ example.org/blocked-example-page Parameterized, where some value is required in order to enable this type of action. Syntax: - - +name{param} # enable action and set parameter to param, - # overwriting parameter from previous match if necessary - -name # disable action. The parameter can be omitted + ++name{param} # enable action and set parameter to param, + # overwriting parameter from previous match if necessary +-name # disable action. The parameter can be omitted + Note that if the URL matches multiple positive forms of a parameterized action, the last match wins, i.e. the params from earlier matches are simply ignored. @@ -2608,11 +2662,12 @@ example.org/blocked-example-page that can be executed for the same request repeatedly, like adding multiple headers, or filtering through multiple filters. Syntax: - - +name{param} # enable action and add param to the list of parameters - -name{param} # remove the parameter param from the list of parameters - # If it was the last one left, disable the action. - -name # disable this action completely and remove all parameters from the list + ++name{param} # enable action and add param to the list of parameters +-name{param} # remove the parameter param from the list of parameters + # If it was the last one left, disable the action. +-name # disable this action completely and remove all parameters from the list + Examples: +add-header{X-Fun-Header: Some text} and +filter{html-annoyances} 
@@ -2812,18 +2867,20 @@ example.org/blocked-example-page Example usage (section): - {+block{No nasty stuff for you.}} + +{+block{No nasty stuff for you.}} # Block and replace with "blocked" page - .nasty-stuff.example.com +.nasty-stuff.example.com {+block{Doubleclick banners.} +handle-as-image} # Block and replace with image - .ad.doubleclick.net - .ads.r.us/banners/ +.ad.doubleclick.net +.ads.r.us/banners/ {+block{Layered ads.} +handle-as-empty-document} # Block and then ignore - adserver.example.net/.*\.js$ +adserver.example.net/.*\.js$ + @@ -2960,6 +3017,21 @@ example.org/blocked-example-page one. This can be used to rewrite the request destination behind the client's back, for example to specify a Tor exit relay for certain requests. + + Note that to change the destination host for + https-inspected + requests a protocol and host has to be added to the URI. + + + If https inspection + is enabled, the protocol can be downgraded from https to http + but upgrading a request from http to https is currently not + supported. + + + After detecting a rewrite, &my-app; does not update the actions + used for the request based on the new host. + Please refer to the filter file chapter to learn which client-header filters are available by default, and how to 
@@ -2983,6 +3055,162 @@ example.org/blocked-example-page + + +client-body-filter + + + + Typical use: + + + Rewrite or remove client request body. + + + + + + Effect: + + + All request bodies to which this action applies are filtered on-the-fly through + the specified regular expression based substitutions. + + + + + + Type: + + + Multi-value. + + + + + Parameter: + + + The name of a client-body filter, as defined in one of the + filter files. + + + + + + Notes: + + + Please refer to the filter file chapter + to learn how to create your own client-body filters. + + + The distribution default.filter file contains a selection of + client-body filters for example purposes. + + + The amount of data that can be filtered is limited by the + buffer-limit + option in the main config file. The + default is 4096 KB (4 Megs). Once this limit is exceeded, the whole + request body is passed through unfiltered. + + + + + + Example usage (section): + + +# Remove "test" everywhere in the request body +{+client-body-filter{remove-test}} +/ + + + + + + + + + + +client-body-tagger + + + + Typical use: + + + Block requests based on the content of the body data. + + + + + + Effect: + + + Client request bodies to which this action applies are filtered on-the-fly through + the specified regular expression based substitutions, the result is used as tag. + + + + + + Type: + + + Multi-value. + + + + + Parameter: + + + The name of a client-body tagger, as defined in one of the + filter files. + + + + + + Notes: + + + Please refer to the filter file chapter + to learn how to create your own client-body tagger. + + + Client-body taggers are applied to each request body on its own, + and as the body isn't modified, each tagger "sees" the original. + + + Chunk-encoded request bodies currently can't be tagged. + Request bodies larger than the buffer-limit can't be tagged either. + + + + + + Example usage (section): + + +# Apply blafasel tagger. 
+{+client-body-tagger{blafasel}} +/ + +# Block request based on the tag created by the blafasel tagger. +{+block{Request body contains blafasel}} +TAG:^content contains blafasel$ + + + + + + + @@ -3659,6 +3887,76 @@ new action + + + +delay-response + + + + Typical use: + + Delay responses to the client to reduce the load + + + + + Effect: + + + Delays responses to the client by sending the response in ca. 10 byte chunks. + + + + + + Type: + + + Parameterized. + + + + + Parameter: + + + Number of milliseconds + + + + + + Notes: + + + Sometimes when JavaScript code is used to fetch advertisements + it doesn't respect Privoxy's blocks and retries to fetch the + same resource again causing unnecessary load on the client. + + + This action delays responses to the client and can be combined + with blocks + to slow down the JavaScript code, thus reducing + the load on the client. + + + When used without blocks + the action can also be used to simulate a slow internet connection. + + + + + + Example usage: + + +delay-response{100} + + + + + + downgrade-http-version @@ -3731,6 +4029,7 @@ problem-host.example.com + external-filter @@ -3804,6 +4103,12 @@ problem-host.example.com linkend="external-filter-syntax">syntax may change in the future. + + If you want to apply external filters to images or other content + that isn't text-based, enable the + force-text-mode + action as well. + @@ -3916,7 +4221,7 @@ problem-host.example.com looks for the string http://, either in plain text (invalid but often used) or encoded as http%3a//. Some sites use their own URL encoding scheme, encrypt the address - of the target server or replace it with a database id. In theses cases + of the target server or replace it with a database id. In these cases fast-redirects is fooled and the request reaches the redirection server where it probably gets logged. 
@@ -3927,11 +4232,12 @@ problem-host.example.com Example usage: - { +fast-redirects{simple-check} } - one.example.com +{ +fast-redirects{simple-check} } +one.example.com - { +fast-redirects{check-decoded-url} } - another.example.com/testing +{ +fast-redirects{check-decoded-url} } +another.example.com/testing + @@ -4011,15 +4317,15 @@ problem-host.example.com Rolling your own filters requires a knowledge of - Regular + Regular Expressions and - HTML. + HTML. This is very powerful feature, and potentially very intrusive. Filters should be used with caution, and where an equivalent action is not available. - The amount of data that can be filtered is limited to the + The amount of data that can be filtered is limited by the buffer-limit option in the main config file. The default is 4096 KB (4 Megs). Once this limit is exceeded, the buffered @@ -4163,10 +4469,22 @@ problem-host.example.com +filter{no-ping} # Removes non-standard ping attributes in <a> and <area> tags. + + + + +filter{bundeswehr.de} # Hide the cookie and privacy info banner on bundeswehr.de. + + + + +filter{github} # Removes the annoying "Sign-Up" banner and the Cookie disclaimer. +filter{google} # CSS-based block for Google text ads. Also removes a width limitation and the toolbar advertisement. + + + + +filter{imdb} # Removes some ads on IMDb. @@ -4179,6 +4497,10 @@ problem-host.example.com +filter{blogspot} # Cleans up some Blogspot blogs. Read the fine print before using this. + + + + +filter{sourceforge} # Reduces the amount of ads for proprietary software on SourceForge. @@ -4725,12 +5047,15 @@ new action Example usage: - # Disarm the download link in Sourceforge's patch tracker + +# Disarm the download link in Sourceforge's patch tracker { -filter \ - +content-type-overwrite{text/plain}\ - +hide-content-disposition{block} } - .sourceforge.net/tracker/download\.php - + +content-type-overwrite{text/plain} \ + +hide-content-disposition{block} \ +} +.sourceforge.net/tracker/download\.php + + 
@@ -5061,7 +5386,7 @@ new action More information on known user-agent strings can be found at http://www.user-agents.org/ and - http://en.wikipedia.org/wiki/User_agent. + http://en.wikipedia.org/wiki/User_agent. 
@@ -5069,7 +5394,152 @@ new action Example usage: - +hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)} + +hide-user-agent{Mozilla/5.0 (X11; ElectroBSD i386; rv:78.0) Gecko/20100101 Firefox/78.0} + + + + + + + + +https-inspection + + + + Typical use: + + Filter encrypted requests and responses + + + + + Effect: + + + Encrypted requests are decrypted, filtered and forwarded encrypted. + + + + + + Type: + + + Boolean. + + + + + Parameter: + + + N/A + + + + + + Notes: + + + This action allows &my-app; to filter encrypted requests and responses. + For this to work &my-app; has to generate a certificate for the web site + and send it to the client which has to accept it. + + + Before this works the directives in the + HTTPS inspection section + of the config file have to be configured. + + + Note that the action has to be enabled based on the CONNECT + request which doesn't contain a path. Enabling it based on + a pattern with path doesn't work as the path is only seen + by &my-app; if the action is already enabled. + + + + + + Example usage (section): + + {+https-inspection} +www.example.com + + + + + + + + + +ignore-certificate-errors + + + + Typical use: + + Filter encrypted requests and responses without verifying the certificate + + + + + Effect: + + + Encrypted requests are forwarded to sites without verifying the certificate. + + + + + + Type: + + + Boolean. + + + + + Parameter: + + + N/A + + + + + + Notes: + + + When the + +https-inspection + action is used &my-app; by default verifies that the remote site uses a valid + certificate. + + + If the certificate can't be validated by &my-app; the connection is aborted. + + + This action disables the certificate check so requests to sites + with certificates that can't be validated are allowed. + + + Note that enabling this action allows Man-in-the-middle attacks. + + + + + + Example usage: + + + {+ignore-certificate-errors} + www.example.org + 
@@ -5310,9 +5780,10 @@ new action Note that some (rare) ill-configured sites don't handle requests for uncompressed documents correctly. Broken PHP applications tend to send an empty document body, - some IIS versions only send the beginning of the content. If you enable - prevent-compression per default, you might want to add - exceptions for those sites. See the example for how to do that. + some IIS versions only send the beginning of the content and some content delivery + networks let the connection time out. + If you enable prevent-compression per default, you might + want to add exceptions for those sites. See the example for how to do that. @@ -5325,19 +5796,20 @@ new action # { +filter{tiny-textforms} +prevent-compression } # Match only these sites - .google. - sourceforge.net - sf.net +.google. +sourceforge.net +sf.net # Or instead, we could set a universal default: # { +prevent-compression } - / # Match all sites +/ # Match all sites # Then maybe make exceptions for broken sites: # { -prevent-compression } -.compusa.com/ +.compusa.com/ + @@ -5429,11 +5901,14 @@ new action Example usage: - # Let the browser revalidate without being tracked across sessions + +# Let the browser revalidate without being tracked across sessions { +hide-if-modified-since{-60} \ - +overwrite-last-modified{randomize} \ - +crunch-if-none-match} -/ + +overwrite-last-modified{randomize} \ + +crunch-if-none-match \ +} +/ + 
@@ -5524,14 +5999,15 @@ new action Example usages: - # Replace example.com's style sheet with another one + +# Replace example.com's style sheet with another one { +redirect{http://localhost/css-replacements/example.com.css} } - example.com/stylesheet\.css +example.com/stylesheet\.css # Create a short, easy to remember nickname for a favorite site # (relies on the browser to accept and forward invalid URLs to &my-app;) { +redirect{https://www.privoxy.org/user-manual/actions-file.html} } - a +a # Always use the expanded view for Undeadly.org articles # (Note the $ at the end of the URL pattern to make sure @@ -5560,6 +6036,10 @@ example.com/.*toChange=(?!bar) # Redirect Destination = https://www.illumos.org/issues/4974 i[0-9][0-9][0-9][0-9]*/ +# Redirect requests for the old Tor Hidden Service of the Privoxy website to the new one +{+redirect{s@^http://jvauzb4sb3bwlsnc.onion/@http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/@}} +jvauzb4sb3bwlsnc.onion/ + # Redirect remote requests for this manual # to the local version delivered by Privoxy {+redirect{s@^http://www@http://config@}} @@ -5740,6 +6220,63 @@ TAG:^image/ + + +suppress-tag + + + + Typical use: + + + Suppress client or server tag. + + + + + + Effect: + + + Server or client tags to which this action applies are not added to the request, + thus making all actions that are specific to these request tags inactive. + + + + + + Type: + + + Multi-value. + + + + + Parameter: + + + The result tag of a server-header or client-header tagger, as defined in one of the + filter files. + + + + + + Example usage (section): + + +# Suppress tag produced by range-requests client-header tagger for requests coming from address 10.0.0.1 +{+suppress-tag{RANGE-REQUEST}} +TAG:^IP-ADDRESS: 10\.0\.0\.1$ + + + + + + + + session-cookies-only 
@@ -6001,32 +6538,33 @@ TAG:^image/ - # Useful custom aliases we can use later. - # - # Note the (required!) section header line and that this section - # must be at the top of the actions file! - # - {{alias}} +# Useful custom aliases we can use later. +# +# Note the (required!) section header line and that this section +# must be at the top of the actions file! +# +{{alias}} - # These aliases just save typing later: - # (Note that some already use other aliases!) - # - +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies - -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies - +block-as-image = +block{Blocked image.} +handle-as-image - allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} +# These aliases just save typing later: +# (Note that some already use other aliases!) +# ++crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies +-crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies ++block-as-image = +block{Blocked image.} +handle-as-image +allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} - # These aliases define combinations of actions - # that are useful for certain types of sites: - # - fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -prevent-compression +# These aliases define combinations of actions +# that are useful for certain types of sites: +# +fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -prevent-compression - shop = -crunch-all-cookies -filter{all-popups} +shop = -crunch-all-cookies -filter{all-popups} - # Short names for other aliases, for really lazy people ;-) - # - c0 = +crunch-all-cookies - c1 = -crunch-all-cookies +# Short names for other aliases, for really lazy people ;-) +# +c0 = +crunch-all-cookies +c1 = -crunch-all-cookies + ...and put them to use. These sections would appear in the lower part of an 
@@ -6035,28 +6573,29 @@ TAG:^image/ - # These sites are either very complex or very keen on - # user data and require minimal interference to work: - # - {fragile} - .office.microsoft.com - .windowsupdate.microsoft.com - # Gmail is really mail.google.com, not gmail.com - mail.google.com - - # Shopping sites: - # Allow cookies (for setting and retrieving your customer data) - # - {shop} - .quietpc.com - .worldpay.com # for quietpc.com - mybank.example.com +# These sites are either very complex or very keen on +# user data and require minimal interference to work: +# +{fragile} +.office.microsoft.com +.windowsupdate.microsoft.com +# Gmail is really mail.google.com, not gmail.com +mail.google.com - # These shops require pop-ups: - # - {-filter{all-popups} -filter{unsolicited-popups}} - .dabs.com - .overclockers.co.uk +# Shopping sites: +# Allow cookies (for setting and retrieving your customer data) +# +{shop} +.quietpc.com +.worldpay.com # for quietpc.com +mybank.example.com + +# These shops require pop-ups: +# +{-filter{all-popups} -filter{unsolicited-popups}} +.dabs.com +.overclockers.co.uk + Aliases like shop and fragile are typically used for @@ -6165,7 +6704,7 @@ for-privoxy-version=3.0.11 # +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies - +block-as-image = +block{Blocked image.} +handle-as-image + +block-as-image = +block{Blocked image.} +handle-as-image mercy-for-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} # These aliases define combinations of actions @@ -6465,10 +7004,11 @@ handle-as-text = -filter +-filter +-filter } - .your-home-banking-site.com +.your-home-banking-site.com + Some file types you may not want to filter for various reasons: 
@@ -6507,8 +7048,9 @@ stupid-server.example.com/ { +block{Nasty ads.} } - www.example.com/nasty-ads/sponsor\.gif - another.example.net/more/junk/here/ +www.example.com/nasty-ads/sponsor\.gif +another.example.net/more/junk/here/ + The URLs of dynamically generated banners, especially from large banner @@ -6524,10 +7066,11 @@ stupid-server.example.com/ { +block-as-image } - .doubleclick.net - .fastclick.net - /Realmedia/ads/ - ar.atwola.com/ +.doubleclick.net +.fastclick.net +/Realmedia/ads/ +ar.atwola.com/ + Now you noticed that the default configuration breaks Forbes Magazine, @@ -6543,9 +7086,10 @@ stupid-server.example.com/ { fragile } - .forbes.com - webmail.example.com - .mybank.com +.forbes.com +webmail.example.com +.mybank.com + You like the fun text replacements in default.filter, @@ -6556,7 +7100,8 @@ stupid-server.example.com/ { +filter{fun} } - / # For ALL sites! +/ # For ALL sites! + Note that the above is not really a good idea: There are exceptions @@ -6575,9 +7120,10 @@ stupid-server.example.com/ { allow-ads } - .sourceforge.net - .slashdot.org - .osdn.net +.sourceforge.net +.slashdot.org +.osdn.net + Note that allow-ads has been aliased to @@ -6595,7 +7141,8 @@ stupid-server.example.com/ { handle-as-text } - /.*\.sh$ +/.*\.sh$ + user.action is generally the best place to define 
@@ -6632,18 +7179,21 @@ stupid-server.example.com/ - &my-app; supports three different pcrs-based filter actions: + &my-app; supports four different pcrs-based filter actions: filter to rewrite the content that is send to the client, client-header-filter - to rewrite headers that are send by the client, and + to rewrite headers that are send by the client, server-header-filter - to rewrite headers that are send by the server. + to rewrite headers that are send by the server, and + client-body-filter + to rewrite client request body. - &my-app; also supports two tagger actions: - client-header-tagger + &my-app; also supports three tagger actions: + client-header-tagger, + client-body-tagger and server-header-tagger. Taggers and filters use the same syntax in the filter files, the difference @@ -6697,7 +7247,8 @@ stupid-server.example.com/ filter file is organized in sections, which are called filters here. Each filter consists of a heading line, that starts with one of the keywords FILTER:, - CLIENT-HEADER-FILTER: or SERVER-HEADER-FILTER: + CLIENT-HEADER-FILTER:, SERVER-HEADER-FILTER: or + CLIENT-BODY-FILTER: followed by the filter's name, and a short (one line) description of what it does. Below that line come the jobs, i.e. lines that define the actual @@ -6764,7 +7315,7 @@ stupid-server.example.com/ If you are new to - Regular + Regular Expressions, you might want to take a look at the Appendix on regular expressions, and see the Perl @@ -7176,9 +7727,9 @@ pre-defined filters for your convenience: banners-by-link - This is an experimental filter that attempts to kill any banners if - their URLs seem to point to known or suspected click trackers. It is currently - not of much value and is not recommended for use by default. + This filter attempts to kill any banners if their URLs seem to point + to known or suspected click trackers. It is currently not of much value + and is not recommended for use by default. 
@@ -7260,7 +7811,7 @@ pre-defined filters for your convenience: sometimes appear on some pages, or user agents that don't correct for this on the fly. 
@@ -7627,6 +8178,340 @@ EXTERNAL-FILTER: citation-needed Adds a "[citation needed]" tag to an image. The + + +HOWTOs + + +HTTPS-Inspection HOWTO +How TLS Certificates for websites work + + + The website owner generates a (private) TLS key and a Certificate + Signing Request (CSR). + + + The CSR is then sent to a Certification Authority (CA), which + verifies that the owner is the actual owner of the website. This can + be done by proving that the owner has technical write access to the + site or the site's DNS, or by verifying the identity of the + organization running the site using telephone and public databases. + + + If the verification is successful, the CA signs the CSR and creates a + certificate that certifies that the private TLS key actually belongs + to the website name and/or organization that owns the domain. + + + This TLS certificate is then added to the web server configuration, + and when a browser accesses the website, it verifies that the TLS + certificate presented to the browser is valid for that domain. + + + To do this, each browser has the certificates of multiple CAs in its + trust store. Only if the certificate of the CA, that signed the web + server is in the trust store, the browser will accept the + certificate, otherwise the browser will complain about a broken + certificate. + + + If this check passes, the browser sends a random number encrypted + with the server's public key to the server, and both compute a shared + secret using the Diffie-Hellman key exchange algorithm. Now server + and browser can communicate, but no one else can break that + communication because it's encrypted between them. + + + +How HTTPS inspection works + + When we try to inspect HTTPS traffic, we have to break the TLS + encryption between browser and web server without being the browser + or the web server. This is exactly what TLS tries to avoid, as it's + a man-in-the-middle-attack. 
+ + + To do this, Privoxy uses it's own (private) CA (let's call it + "Privoxy CA"), which has to be added to the trust store of every + single browser that should be used with Privoxy and HTTPS inspection. + + + Now Privoxy breaks the connection between browser and webserver by + acting as a browser/client when talking to the webserver (including + checking the webserver's TLS certificate against it's own trust + store). Now Privoxy can read and modify the traffic from the + webserver. + + + On the other hand, Privoxy itself encrypts the traffic it sends to + the browser using an on the fly self-created TLS server certificate + that is signed by Privoxy CA. + + + +What happens, if the original + certificate is invalid? + + If Privoxy detects, that a TLS certificate is not valid, because the + certificate is expired, doesn't match the hostname, is self signed or + similar, Privoxy blocks the requests and returns an error message + explaining the problem to avoid that the user/browser communicates + over an insecure communication channel. + + + To check this behavior, simply go to + https://badssl.com/ + + + +HTTPS inspection prerequisites + + + HTTPS inspection in Privoxy can only be used, if Privoxy is built + with FEATURE_HTTPS_INSPECTION. You can check if this feature + is enabled at + http://config.privoxy.org/show-status + in the "Conditional #defines" section. + + + If the feature is not enabled, you may need to + build Privoxy from source + to enable it. You can use either + MbedTLS + or OpenSSL. It's up to + you, which one to use, they both behave the same for HTTPS inspection. + + + After installing the development libraries for either OpenSSL or + MbedTLS, you can run ./configure with + either the --with-openssl or + --with-mbedtls option. + + + Check the output of ./configure, it must contain + one of these the following two lines, otherwise HTTPS inspection will + not work: + + +configure: Detected OpenSSL. Enabling https inspection. 
+configure: Detected mbedTLS. Enabling https inspection. + + + If you do not find any of these lines, the output of + ./configure will tell you what went wrong. + + + You should then proceed with the + source install. + Finally, check the FEATURE_HTTPS_INSPECTION status in + http://config.privoxy.org/show-status + again. + + + +Configuring HTTPS inspection in Privoxy + + + First, you need to create the private key and certificate for the + "Privoxy CA". This can be done using openssl with the following + command: + +openssl req -new -x509 -extensions v3_ca -keyout privoxy.pem -out privoxy.crt -days 3650 + + + + Here we have defined a CA validity of 10 years (3650 days). You + should decide for yourself what is a good validity. A shorter + validity makes your system more secure (it doesn't hurt that long if + the key gets lost to an attacker), but if the certificate expires + before you have replaced it with a new one in Privoxy and in all + browsers, the communication will fail. + + + During the key generation you will be asked for a "pass phrase". + This pass phrase will appear in the Privoxy config CGI, so don't + reuse it elsewhere! + + + Then you will be asked for Country Name, State/Province, Locality, + Orginzation Name, Common Name, and Email Address. You should add + some useful data here, because these entries are shown by the browser + as "Issuer Name" when you inspect a certificate from an + https-inspection site. Especially the "Common Name" will be shown as + the name of your CA, so it's good if you (and other users of your + Privoxy instance) are able to identify this CA. + + + Copy the private key (privoxy.pem) and the CA + certificate (privoxy.crt) into + the ca-directory (defined + in config). 
+ + + Make sure that the private key (privoxy.pem in + the above example) is only accessible to the user running Privoxy + (usually named "privoxy"): + + +chmod 600 privoxy.pem +chown privoxy privoxy.pem + + + Now adjust your Privoxy configuration: + + +ca-directory /etc/privoxy/CA # read-only +ca-cert-file privoxy.crt # in ca-directory +ca-key-file privoxy.pem # in ca-directory +ca-password passphrasefromabove +certificate-directory /var/lib/privoxy/certs +trusted-cas-file /etc/ssl/certs/ca-certificates.crt + + + certificate-directory + contains the (on the fly) created webserver keys and certificates. + It should only be readable by the privoxy user only: + + +chown privoxy /var/lib/privoxy/certs +chmod 700 /var/lib/privoxy/certs. + + + trusted-cas-file is the trust + store containing the certificates of all CAs that should be accepted. + Each browser comes with it's own trust store. Most Unix systems also + ship with a truststore. Debian ships it's truststore + in /etc/ssl/certs/ca-certificates.crt, which is + installed by the ca-certificates package and can be updated using + update-ca-certificates(8). Alternatively, such a file (extracted + from Mozilla) can be downloaded + from https://curl.se/docs/caextract.html. + + + +Browser configuration + + As written above, each browser you use must now trust the newly + created Privoxy CA certificate (privoxy.crt). + + + In Firefox you can do this by opening the preferences "Edit" -> + "Settings" -> "Privacy & Security" or by typing + about:preferences#privacy + in the URL. Then go down to the "Certificates" section and click on + "View Certificates". Click on the "Authorities" tab and "Import..." + your privoxy.crt. In the "CA certificate trust + settings" select "This certificate can identify websites". + + + In Chrome based browsers, go to the settings and select "Privacy and + security" + (chrome://settings/privacy). + Click on "Security" and on the opened sub-page on "Manage + certificates". 
Now go to the "Authorities" tab and + import privoxy.crt and configure that you trust + the certificate for website identification. + + + +Enabeling HTTPS inspection + + Currently no pages use HTTPS inspection, you need to enable this for + some (or all) domains first + using user.action (either by editing + the file by hand or via the CGI (this requires + enable-edit-actions + to be enabled in config) at + http://config.privoxy.org/show-status + (click on user.action Edit button). + + + Here you can enable HTTPS inspection for individual sites: + + +{+https-inspection} +.badssl.com +clienttest.ssllabs.com + + + You can add more individual sites or wildcards (one per line). + + + Alternatively, you can use a client-tag to dynamically enable/disable + this feature via the browser, as described in the next chapter. + + + + + + +Client Tags HOWTO + + Client-Tags are a mechanism to dynamically/temporarily enable/disable + features in Privoxy per browser. + + + In our example, we use this for the following two use cases: + + Enable TOR anonymous proxy + Enable https-inspection + + + + To use this feature, you must first define a tag name and a tag + description for each client-tag in config, + like this: + + +client-specific-tag tor Use Tor anonymous proxy +client-specific-tag https-inspection Enable https-inspection + + + Now you can open http://config.privoxy.org/client-tags + or http://p.p/client-tags + and can enable/disable the tag there (you may want to add a bookmark + for this in your browser for quick access, but it's also available as + a link at http://p.p). + + + It's also possible to temporarily enable a tag, which by default + means 3 minutes (=180 seconds) (and can be changed via the + client-tag-lifetime option + in config). 
+ + + But before this has any effect, you have to use the client tag in + your user.action like this: + + +{+forward-override{forward-socks5t 127.0.0.1:9050 .} } +CLIENT-TAG:^tor$ + + + This means, that if the "tor" client tag is enabled, all traffic is + forwarded by Privoxy through socks5t to a locally installed tor proxy + listening on port 9050. + + + Similarly, you can specify to use the https-inspection client tag to + enable https-inspection: + + +{+https-inspection} +CLIENT-TAG:^https-inspection$ + + + The tag will be set for all requests coming from clients that have + requested it to be set. Note that "clients" are distinguished by IP + address, if the IP address changes, the tag must be requested again. + + + + + + + 
@@ -7651,16 +8536,64 @@ Requests Privoxy is free software; you can - redistribute it and/or modify it under the terms of the - GNU General Public License, version 2, - as published by the Free Software Foundation and included in - the next section. + redistribute and/or modify its source code under the terms + of the GNU General Public License + as published by the Free Software Foundation, either version 2 + of the license, or (at your option) any later version. + + + + The same is true for Privoxy binaries + unless they are linked with a + mbed TLS version + that is licensed under the Apache 2.0 license in which + case you can redistribute and/or modify the Privoxy + binaries under the terms of the GNU General Public License + as published by the Free Software Foundation, either version 3 + of the license, or (at your option) any later version. + + + + Both licenses are included in the next section. License - +GNU General Public License version 2 + + + +GNU General Public License version 3 + + + +Third-party licenses and copyrights + + Privoxy depends on a couple of third-party libraries which have seperate licenses. + Please refer to the third-party websites for up-to-date license and copyright + information. + + + Privoxy depends on pcre. + + + When compiled with FEATURE_BROTLI (optional), Privoxy depends on + brotli. + + + When compiled with FEATURE_HTTPS_INSPECTION (optional), + Privoxy depends on a TLS library. The supported libraries are + LibreSSL, + mbed TLS 2.28.x and + OpenSSL and + wolfSSL. + + + When compiled with FEATURE_ZLIB (optional), + Privoxy depends on zlib. + + @@ -7971,23 +8904,23 @@ Requests - Show information about the current configuration, including viewing and - editing of actions files: + View and toggle client tags:
- http://config.privoxy.org/show-status + http://config.privoxy.org/client-tags
- Show the source code version numbers: + Show information about the current configuration, including viewing and + editing of actions files: -
+
- http://config.privoxy.org/show-version + http://config.privoxy.org/show-status
@@ -8237,11 +9170,11 @@ Requests - Matches for http://www.google.com: +Matches for http://www.google.com: - In file: default.action [ View ] [ Edit ] +In file: default.action [ View ] [ Edit ] - {+change-x-forwarded-for{block} +{+change-x-forwarded-for{block} +deanimate-gifs {last} +fast-redirects {check-decoded-url} +filter {refresh-tags} @@ -8253,14 +9186,14 @@ Requests +hide-from-header {block} +hide-referrer {forge} +session-cookies-only - +set-image-blocker {pattern} + +set-image-blocker {pattern} } / - { -session-cookies-only } - .google.com +{ -session-cookies-only } +.google.com - { -fast-redirects } - .google.com +{ -fast-redirects } +.google.com In file: user.action [ View ] [ Edit ] (no matches in this file) 
@@ -8323,64 +9256,64 @@ In file: user.action [ View ] [ Edit ] - Final results: - - -add-header - -block - +change-x-forwarded-for{block} - -client-header-filter{hide-tor-exit-notation} - -content-type-overwrite - -crunch-client-header - -crunch-if-none-match - -crunch-incoming-cookies - -crunch-outgoing-cookies - -crunch-server-header - +deanimate-gifs {last} - -downgrade-http-version - -fast-redirects - -filter {js-events} - -filter {content-cookies} - -filter {all-popups} - -filter {banners-by-link} - -filter {tiny-textforms} - -filter {frameset-borders} - -filter {demoronizer} - -filter {shockwave-flash} - -filter {quicktime-kioskmode} - -filter {fun} - -filter {crude-parental} - -filter {site-specifics} - -filter {js-annoyances} - -filter {html-annoyances} - +filter {refresh-tags} - -filter {unsolicited-popups} - +filter {img-reorder} - +filter {banners-by-size} - +filter {webbugs} - +filter {jumping-windows} - +filter {ie-exploits} - -filter {google} - -filter {yahoo} - -filter {msn} - -filter {blogspot} - -filter {no-ping} - -force-text-mode - -handle-as-empty-document - -handle-as-image - -hide-accept-language - -hide-content-disposition - +hide-from-header {block} - -hide-if-modified-since - +hide-referrer {forge} - -hide-user-agent - -limit-connect - -overwrite-last-modified - -prevent-compression - -redirect - -server-header-filter{xml-to-html} - -server-header-filter{html-to-xml} - -session-cookies-only - +set-image-blocker {pattern} +Final results: + +-add-header +-block ++change-x-forwarded-for{block} +-client-header-filter{hide-tor-exit-notation} +-content-type-overwrite +-crunch-client-header +-crunch-if-none-match +-crunch-incoming-cookies +-crunch-outgoing-cookies +-crunch-server-header ++deanimate-gifs {last} +-downgrade-http-version +-fast-redirects +-filter {js-events} +-filter {content-cookies} +-filter {all-popups} +-filter {banners-by-link} +-filter {tiny-textforms} +-filter {frameset-borders} +-filter {demoronizer} +-filter 
{shockwave-flash} +-filter {quicktime-kioskmode} +-filter {fun} +-filter {crude-parental} +-filter {site-specifics} +-filter {js-annoyances} +-filter {html-annoyances} ++filter {refresh-tags} +-filter {unsolicited-popups} ++filter {img-reorder} ++filter {banners-by-size} ++filter {webbugs} ++filter {jumping-windows} ++filter {ie-exploits} +-filter {google} +-filter {yahoo} +-filter {msn} +-filter {blogspot} +-filter {no-ping} +-force-text-mode +-handle-as-empty-document +-handle-as-image +-hide-accept-language +-hide-content-disposition ++hide-from-header {block} +-hide-if-modified-since ++hide-referrer {forge} +-hide-user-agent +-limit-connect +-overwrite-last-modified +-prevent-compression +-redirect +-server-header-filter{xml-to-html} +-server-header-filter{html-to-xml} +-session-cookies-only ++set-image-blocker {pattern} @@ -8395,14 +9328,14 @@ In file: user.action [ View ] [ Edit ] - { +block{Domains starts with "ad"} } - ad*. +{ +block{Domains starts with "ad"} } +ad*. - { +block{Domain contains "ad"} } - .ad. +{ +block{Domain contains "ad"} } +.ad. - { +block{Doubleclick banner server} +handle-as-image } - .[a-vx-z]*.doubleclick.net +{ +block{Doubleclick banner server} +handle-as-image } +.[a-vx-z]*.doubleclick.net 
@@ -8436,68 +9369,68 @@ In file: user.action [ View ] [ Edit ] - Matches for http://www.example.net/adsl/HOWTO/: - - In file: default.action [ View ] [ Edit ] - - {-add-header - -block - +change-x-forwarded-for{block} - -client-header-filter{hide-tor-exit-notation} - -content-type-overwrite - -crunch-client-header - -crunch-if-none-match - -crunch-incoming-cookies - -crunch-outgoing-cookies - -crunch-server-header - +deanimate-gifs - -downgrade-http-version - +fast-redirects {check-decoded-url} - -filter {js-events} - -filter {content-cookies} - -filter {all-popups} - -filter {banners-by-link} - -filter {tiny-textforms} - -filter {frameset-borders} - -filter {demoronizer} - -filter {shockwave-flash} - -filter {quicktime-kioskmode} - -filter {fun} - -filter {crude-parental} - -filter {site-specifics} - -filter {js-annoyances} - -filter {html-annoyances} - +filter {refresh-tags} - -filter {unsolicited-popups} - +filter {img-reorder} - +filter {banners-by-size} - +filter {webbugs} - +filter {jumping-windows} - +filter {ie-exploits} - -filter {google} - -filter {yahoo} - -filter {msn} - -filter {blogspot} - -filter {no-ping} - -force-text-mode - -handle-as-empty-document - -handle-as-image - -hide-accept-language - -hide-content-disposition - +hide-from-header{block} - +hide-referer{forge} - -hide-user-agent - -overwrite-last-modified - +prevent-compression - -redirect - -server-header-filter{xml-to-html} - -server-header-filter{html-to-xml} - +session-cookies-only - +set-image-blocker{blank} } - / - - { +block{Path contains "ads".} +handle-as-image } - /ads +Matches for http://www.example.net/adsl/HOWTO/: + +In file: default.action [ View ] [ Edit ] + +{-add-header + -block + +change-x-forwarded-for{block} + -client-header-filter{hide-tor-exit-notation} + -content-type-overwrite + -crunch-client-header + -crunch-if-none-match + -crunch-incoming-cookies + -crunch-outgoing-cookies + -crunch-server-header + +deanimate-gifs + -downgrade-http-version + +fast-redirects 
{check-decoded-url} + -filter {js-events} + -filter {content-cookies} + -filter {all-popups} + -filter {banners-by-link} + -filter {tiny-textforms} + -filter {frameset-borders} + -filter {demoronizer} + -filter {shockwave-flash} + -filter {quicktime-kioskmode} + -filter {fun} + -filter {crude-parental} + -filter {site-specifics} + -filter {js-annoyances} + -filter {html-annoyances} + +filter {refresh-tags} + -filter {unsolicited-popups} + +filter {img-reorder} + +filter {banners-by-size} + +filter {webbugs} + +filter {jumping-windows} + +filter {ie-exploits} + -filter {google} + -filter {yahoo} + -filter {msn} + -filter {blogspot} + -filter {no-ping} + -force-text-mode + -handle-as-empty-document + -handle-as-image + -hide-accept-language + -hide-content-disposition + +hide-from-header{block} + +hide-referer{forge} + -hide-user-agent + -overwrite-last-modified + +prevent-compression + -redirect + -server-header-filter{xml-to-html} + -server-header-filter{html-to-xml} + +session-cookies-only + +set-image-blocker{blank} } +/ + +{ +block{Path contains "ads".} +handle-as-image } +/ads @@ -8515,8 +9448,8 @@ In file: user.action [ View ] [ Edit ] - { -block } - /adsl +{ -block } +/adsl @@ -8532,8 +9465,8 @@ In file: user.action [ View ] [ Edit ] - { +block{Path starts with "ads".} +handle-as-image } - /ads +{ +block{Path starts with "ads".} +handle-as-image } +/ads @@ -8549,12 +9482,12 @@ In file: user.action [ View ] [ Edit ] - { shop } - .quietpc.com - .worldpay.com # for quietpc.com - .jungle.com - .scan.co.uk - .forbes.com +{ shop } +.quietpc.com +.worldpay.com # for quietpc.com +.jungle.com +.scan.co.uk +.forbes.com @@ -8564,11 +9497,11 @@ In file: user.action [ View ] [ Edit ] - { -filter } - # Disable ALL filter actions for sites in this section - .forbes.com - developer.ibm.com - localhost +{ -filter } +# Disable ALL filter actions for sites in this section +.forbes.com +developer.ibm.com +localhost 
@@ -8594,10 +9527,11 @@ In file: user.action [ View ] [ Edit ] - { fragile } - # Handle with care: easy to break - mail.google. - mybank.example.com +{ fragile } +# Handle with care: easy to break +mail.google. +mybank.example.com +
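Review bot: the new fourth list item in the @@ -6632,18 +7179,21 @@ hunk, "to rewrite client request body", drops the article and does not follow the wording of the three items before it; suggest "to rewrite the request body that is sent by the client". The same hunk re-touches "headers that are send by the client" and "headers that are send by the server", so this is a good moment to change "send" to "sent" in all three items.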
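Review bot: the heading-keyword sentence in the @@ -6697,7 +7247,8 @@ hunk now lists FILTER:, CLIENT-HEADER-FILTER:, SERVER-HEADER-FILTER: and CLIENT-BODY-FILTER:, but gives no heading keyword for taggers, although the @@ -6632,18 +7179,21 @@ hunk states that taggers and filters use the same syntax and introduces client-body-tagger. Suggest either extending this sentence with the tagger heading keywords or adding a pointer to where they are documented, so a reader who wants to write a client-body-tagger section knows how to start it.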
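Review bot: in the @@ -7627,6 +8178,340 @@ hunk, the last item of "How TLS Certificates for websites work" says the browser "sends a random number encrypted with the server's public key" and that both sides then "compute a shared secret using the Diffie-Hellman key exchange algorithm"; these are two different key-establishment methods (RSA key transport versus a Diffie-Hellman exchange that the server authenticates with a signature), and a single handshake uses one of them, not both. Suggest rewording to say that browser and server agree on a shared session key during the handshake and that the server proves possession of the private key belonging to the certificate.

In "Configuring HTTPS inspection in Privoxy", the command line "chmod 700 /var/lib/privoxy/certs." ends with a period that will be copied into the path; drop it. The CA key privoxy.pem is created by the openssl command first and only restricted afterwards with "chmod 600", so it is worth telling the reader to generate it under a restrictive umask or directly inside ca-directory. The sample config carries "ca-password passphrasefromabove" in clear text and the text says the pass phrase shows up in the config CGI; suggest adding a sentence on who can read the config file and the CGI, since that pass phrase protects a key every configured browser trusts for all websites.

In the Client Tags HOWTO, the closing note that clients "are distinguished by IP address" should spell out the consequence: all users behind one address share the tag, so one of them toggling https-inspection or tor changes the behaviour for the others.

Wording to fix while here: "it's own" / "ships it's truststore" (four occurrences, should be "its"), "Orginzation Name", "Enabeling HTTPS inspection", "one of these the following two lines", "should only be readable by the privoxy user only", "TOR" versus "Tor", and the unbalanced parenthesis in the sentence starting "using user.action (either by editing".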
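Review bot: the TLS library list in the @@ -7651,16 +8536,64 @@ hunk, "LibreSSL, mbed TLS 2.28.x and OpenSSL and wolfSSL", has a doubled "and" and names four libraries, while the HTTPS-Inspection HOWTO added in the @@ -7627,6 +8178,340 @@ hunk says "You can use either MbedTLS or OpenSSL" and documents only --with-openssl and --with-mbedtls. Suggest reconciling the two places so it is clear which libraries a user can actually build against and how, and settling on one spelling (the patch uses "MbedTLS", "mbedTLS" and "mbed TLS"). Also "seperate licenses" should be "separate licenses" and "a mbed TLS version" should be "an mbed TLS version".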
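Review bot: the block descriptions in the @@ -8395,14 +9328,14 @@ hunk read "Domains starts with "ad"" next to "Domain contains "ad""; since these lines are being re-indented anyway, change the first to "Domain starts with "ad"" so the two examples match.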
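Review bot: the sample output in the @@ -8436,68 +9369,68 @@ hunk spells the action "+hide-referer{forge}" and writes parameters without a space ("+hide-from-header{block}", "+set-image-blocker{blank}"), whereas the samples in the @@ -8237,11 +9170,11 @@ and @@ -8323,64 +9256,64 @@ hunks use "+hide-referrer {forge}" and "+hide-from-header {block}". As the change only re-indents these lines, consider normalising the spelling and spacing in the same pass so the three examples look like output from one version.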