- debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
+ debug 1 # Log the destination for each request. See also debug 1024.
debug 2 # show each connection status
debug 4 # show I/O status
debug 8 # show header parsing
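Review bot: Dropping "Privoxy let through" from the debug 1 comment leaves the "See also debug 1024" pointer without the contrast that explained it. If debug 1 still logs only the requests that were let through, keep the qualifier. If it now covers every request, state what debug 1024 adds, so an admin reviewing logs knows which level records which requests.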
@@ -918,7 +918,7 @@
hides the "go there anyway" link. If the user adds the force prefix by hand,
it will not be accepted and the circumvention attempt is logged.
- Examples:
+ Example:
enforce-blocks 1
@@ -947,7 +947,7 @@
destination part are optional.
If your system implements RFC 3493,
then src_addr and dst_addr can be
- IPv6 addresses delimeted by brackets, port can be a number or a
+ IPv6 addresses delimited by brackets, port can be a number or a
service name, and src_masklen and dst_masklen can be a number from 0 to 128.
@@ -1547,7 +1547,7 @@
you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see
how many retries are usually needed.
- Examples:
+ Example:
forwarded-connect-retries 1
@@ -1592,7 +1592,7 @@
you may want to adjust the CGI templates to make sure they don't reference content from
config.privoxy.org.
- Examples:
+ Example:
accept-intercepted-requests 1
@@ -1629,7 +1629,7 @@
done without care.
Don't enable this option unless you're sure that you really need it.
- Examples:
+ Example:
allow-cgi-request-crunching 1
@@ -1667,7 +1667,7 @@
If you don't notice any editing problems, there is no reason to enable this option, but if one of the
submit buttons appears to be broken, you should give it a try.
- Examples:
+ Example:
split-large-forms 1
@@ -1714,7 +1714,7 @@
increasing it to 300 seconds or even more if you think your browser can handle it. If your browser
appears to be hanging, it probably can't.
- Examples:
+ Example:
keep-alive-timeout 300
@@ -1754,7 +1754,7 @@
If you are seeing problems with pages not properly loading, disabling this option could work around
the problem.
- Examples:
+ Example:
tolerate-pipelining 1
@@ -1799,7 +1799,7 @@
This option has no effect if Privoxy has been compiled without
keep-alive support.
- Examples:
+ Example:
default-server-timeout 60
@@ -1855,7 +1855,7 @@
This option should only be used by experienced users who understand the risks and can weight them
against the benefits.
- Examples:
+ Example:
connection-sharing 1
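Review bot: The context line above the changed heading still reads "can weight them against the benefits"; it should be "can weigh them". Since this patch corrects wording in the neighbouring entries, fix it in the same pass.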
@@ -1887,7 +1887,7 @@
The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow
proxy like Tor, reducing it to a few seconds should be fine.
- Examples:
+ Example:
socket-timeout 300
@@ -1940,7 +1940,7 @@
reached. This will likely change in a future version, but currently this limit can't be increased without
recompiling Privoxy with a different FD_SETSIZE limit.
- Examples:
+ Example:
max-client-connections 256
@@ -1970,9 +1970,9 @@
Notes:
Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue
- length is limitted by the operating system. Once the queue is full, additional connections are dropped
+ length is limited by the operating system. Once the queue is full, additional connections are dropped
before Privoxy can accept and serve them.
- Increasing the queue length allows Privoxy to accept more incomming connections that arrive roughly at
+ Increasing the queue length allows Privoxy to accept more incoming connections that arrive roughly at
the same time.
Note that Privoxy can only request a certain queue length, whether or not the requested length is
actually used depends on the operating system which may use a different length instead.
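Review bot: The spelling fixes leave "incoming connection may queue up" in the singular on the line before the first change; it should be "incoming connections may queue up" to agree with "serve them". The sentence "Note that Privoxy can only request a certain queue length, whether or not the requested length is actually used depends on the operating system" is also a comma splice and reads better as two sentences.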
@@ -1982,7 +1982,7 @@
Effectively using a value above 128 usually requires changing the system configuration as well. On
FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.
- Examples:
+ Example:
listen-backlog 4096
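Review bot: "On FreeBSD-based system the limit is controlled by" in the context lines should read "On FreeBSD-based systems"; worth fixing alongside the heading change in this hunk.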
@@ -2022,7 +2022,7 @@
"https://www.freebsd.org/cgi/man.cgi?query=accf_http" target="_top">accf_http(9) man page to learn
how to enable the support in the operating system.
- Examples:
+ Example:
enable-accept-filter 1
@@ -2286,7 +2286,7 @@
"_top">http://config.privoxy.org/client-tags therefore provides a "enable this tag temporarily"
option. If it is used, the tag will be set until the client-tag-lifetime is over.
- Examples:
+ Example:
@@ -2343,7 +2343,7 @@
change the client tags for other clients or increase Privoxy's memory requirements by registering lots of
client tag settings for clients that don't exist.
- Examples:
+ Example:
@@ -2390,7 +2390,7 @@
memory is (currently) cleared before using it, a buffer that is too large can actually reduce the
throughput.
- Examples:
+ Example:
@@ -2406,7 +2406,10 @@
-
+
+ HTTPS inspection allows to filter encrypted requests. This is only supported when Privoxy has been built with FEATURE_HTTPS_INSPECTION.
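Review bot: "allows to filter" in the added introduction is ungrammatical; suggest "HTTPS inspection allows Privoxy to filter encrypted requests." The second sentence is fine, but "only supported when Privoxy has been built with FEATURE_HTTPS_INSPECTION" would be clearer if it also said that the directives in this section have no effect otherwise, if that is the case.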
@@ -2434,7 +2437,7 @@
The permissions should only let Privoxy and the Privoxy admin access the directory.
- Examples:
+ Example:
ca-directory /usr/local/etc/privoxy/CA
@@ -2472,7 +2475,7 @@
The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
cacert.crt -days 3650
- Examples:
+ Example:
ca-cert-file root.crt
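Review bot: The example "ca-cert-file root.crt" does not match the file name produced by the command in the note just above it, which writes "-out cacert.crt". Anyone following the command and then copying the example ends up pointing Privoxy at a file that does not exist. Use the same name in both places; the ca-key-file example already matches the command's "-keyout cakey.pem".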
@@ -2504,7 +2507,7 @@
This directive specifies the name of the CA key file in ".pem" format. See the ca-cert-file for a command to generate it.
- Examples:
+ Example:
ca-key-file cakey.pem
@@ -2537,7 +2540,7 @@
certificates for intercepted requests.
Note that the password is shown on the CGI page so don't reuse an important one.
- Examples:
+ Example:
ca-password blafasel
@@ -2551,7 +2554,7 @@
- Specifies:
-
-
Directory to safe generated keys and certificates.
+ Directory to save generated keys and certificates.
- Type of value:
-
@@ -2575,8 +2578,24 @@
"_top">ca-cert-key.
The permissions should only let Privoxy and the Privoxy admin access the directory.
+
+
+
+ Warning |
+
+
+
+ Privoxy currently does not garbage-collect obsolete keys and
+ certificates and does not keep track of how may keys and certificates exist.
+ Privoxy admins should monitor the size of the directory
+ and/or make sure there is sufficient space available. A cron job to limit the number of keys and
+ certificates to a certain number may be worth considering.
+ |
+
+
+
- - Examples:
+ - Example:
-
certificate-directory /usr/local/var/privoxy/certs
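Review bot: The added warning contains a typo: "does not keep track of how may keys and certificates exist" should be "how many". Separately, the context line at the top of the hunk links to "ca-cert-key", while the directives shown elsewhere in this patch are named ca-cert-file and ca-key-file; check that the link text names the directive it is meant to point at. Because the warning asks admins to prune the directory themselves, it would help to say whether removing a generated key and certificate is safe while Privoxy is running.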
@@ -2584,7 +2603,129 @@
-
+
+
+
+ - Specifies:
+ -
+
A list of ciphers to use in TLS handshakes
+
+ - Type of value:
+ -
+
Text
+
+ - Default value:
+ -
+
None
+
+ - Effect if unset:
+ -
+
A default value is inherited from the TLS library.
+
+ - Notes:
+ -
+
This directive allows to specify a non-default list of ciphers to use in TLS handshakes with clients
+ and servers.
+ Ciphers are separated by colons. Which ciphers are supported depends on the TLS library. When using
+ OpenSSL, unsupported ciphers are skipped. When using MbedTLS they are rejected.
+
+
+
+ Warning |
+
+
+
+ Specifying an unusual cipher list makes fingerprinting easier. Note that the default list
+ provided by the TLS library may be unusual when compared to the one used by modern browsers as
+ well.
+ |
+
+
+
+
+ - Examples:
+ -
+
+
+
+ # Explicitly set a couple of ciphers with names used by MbedTLS
+ cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+
+ |
+
+
+
+
+
+ # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+
+ |
+
+
+
+
+
+ # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+ cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+
+ |
+
+
+
+
+
+
+ |
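Review bot: The MbedTLS example repeats the directive name: "cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\". Copied as written, the second "cipher-list" becomes part of the value, and the notes in this same hunk say MbedTLS rejects unsupported ciphers, so remove the duplicate. In the OpenSSL example, ECDHE-RSA-AES256-GCM-SHA384 appears twice (first and second-to-last entry), and the list ends with AES128-SHA, the only non-GCM suite in it; if that fallback is intentional, say so in the comment, otherwise drop it. Also, "This directive allows to specify" should be "This directive allows specifying", and the first example's indentation differs from the second's, which starts "cipher-list" at column 0.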