X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fwebserver%2Fuser-manual%2Fconfig.html;h=3037bc6c355f94e89093f923d781ecf8cf3be208;hb=810f3be765caec21020f70cfcf0ffb217cc27323;hp=e0566ac5931f2ae31f0886f9f93d8c3cfa75302f;hpb=0f3edd93a652011049e2bfc9b67947f92e236ef8;p=privoxy.git diff --git a/doc/webserver/user-manual/config.html b/doc/webserver/user-manual/config.html index e0566ac5..3037bc6c 100644 --- a/doc/webserver/user-manual/config.html +++ b/doc/webserver/user-manual/config.html @@ -547,8 +547,8 @@
-
  debug     1 # Log the destination for each request Privoxy let through. See also debug 1024.
+                    
  debug     1 # Log the destination for each request. See also debug 1024.
   debug     2 # show each connection status
   debug     4 # show I/O status
   debug     8 # show header parsing
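Review bot: dropping "Privoxy let through" from the debug 1 comment changes what the line promises, so `debug     1 # Log the destination for each request. See also debug 1024.` should state whether blocked or crunched requests are now logged at this level as well. If the logging behaviour is unchanged, the qualifier should stay; if it changed, the cross-reference to debug 1024 is the natural place to explain how the two levels now differ.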
@@ -918,7 +918,7 @@
               hides the "go there anyway" link. If the user adds the force prefix by hand,
               it will not be accepted and the circumvention attempt is logged.

-
Examples:
+
Example:

enforce-blocks 1

@@ -947,7 +947,7 @@ destination part are optional.

If your system implements RFC 3493, then src_addr and dst_addr can be - IPv6 addresses delimeted by brackets, port can be a number or a + IPv6 addresses delimited by brackets, port can be a number or a service name, and src_masklen and dst_masklen can be a number from 0 to 128.

@@ -1547,7 +1547,7 @@ you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see how many retries are usually needed.

-
Examples:
+
Example:

forwarded-connect-retries 1

@@ -1592,7 +1592,7 @@ you may want to adjust the CGI templates to make sure they don't reference content from config.privoxy.org.

-
Examples:
+
Example:

accept-intercepted-requests 1

@@ -1629,7 +1629,7 @@ done without care.

Don't enable this option unless you're sure that you really need it.

-
Examples:
+
Example:

allow-cgi-request-crunching 1

@@ -1667,7 +1667,7 @@

If you don't notice any editing problems, there is no reason to enable this option, but if one of the submit buttons appears to be broken, you should give it a try.

-
Examples:
+
Example:

split-large-forms 1

@@ -1714,7 +1714,7 @@ increasing it to 300 seconds or even more if you think your browser can handle it. If your browser appears to be hanging, it probably can't.

-
Examples:
+
Example:

keep-alive-timeout 300

@@ -1754,7 +1754,7 @@

If you are seeing problems with pages not properly loading, disabling this option could work around the problem.

-
Examples:
+
Example:

tolerate-pipelining 1

@@ -1799,7 +1799,7 @@

This option has no effect if Privoxy has been compiled without keep-alive support.

-
Examples:
+
Example:

default-server-timeout 60

@@ -1855,7 +1855,7 @@

This option should only be used by experienced users who understand the risks and can weight them against the benefits.

-
Examples:
+
Example:

connection-sharing 1

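Review bot: the context line above, "This option should only be used by experienced users who understand the risks and can weight them against the benefits.", carries a typo that belongs in this typo-fixing commit: "weight them against" should read "weigh them against".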
@@ -1887,7 +1887,7 @@

The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow proxy like Tor, reducing it to a few seconds should be fine.

-
Examples:
+
Example:

socket-timeout 300

@@ -1940,7 +1940,7 @@ reached. This will likely change in a future version, but currently this limit can't be increased without recompiling Privoxy with a different FD_SETSIZE limit.

-
Examples:
+
Example:

max-client-connections 256

@@ -1970,9 +1970,9 @@
Notes:

Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue - length is limitted by the operating system. Once the queue is full, additional connections are dropped + length is limited by the operating system. Once the queue is full, additional connections are dropped before Privoxy can accept and serve them.

-

Increasing the queue length allows Privoxy to accept more incomming connections that arrive roughly at +

Increasing the queue length allows Privoxy to accept more incoming connections that arrive roughly at the same time.

Note that Privoxy can only request a certain queue length, whether or not the requested length is actually used depends on the operating system which may use a different length instead.

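Review bot: the sentence being fixed still has two errors next to the corrected words: "Under high load incoming connection may queue up before Privoxy gets around to serve them" should read "incoming connections may queue up before Privoxy gets around to serving them". The final paragraph is also a run-on: "Note that Privoxy can only request a certain queue length, whether or not the requested length is actually used depends on the operating system" needs a semicolon or full stop after "queue length".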
@@ -1982,7 +1982,7 @@

Effectively using a value above 128 usually requires changing the system configuration as well. On FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.

-
Examples:
+
Example:

listen-backlog 4096

@@ -2022,7 +2022,7 @@ "https://www.freebsd.org/cgi/man.cgi?query=accf_http" target="_top">accf_http(9) man page to learn how to enable the support in the operating system.

-
Examples:
+
Example:

enable-accept-filter 1

@@ -2286,7 +2286,7 @@ "_top">http://config.privoxy.org/client-tags therefore provides a "enable this tag temporarily" option. If it is used, the tag will be set until the client-tag-lifetime is over.

-
Examples:
+
Example:
@@ -2343,7 +2343,7 @@ change the client tags for other clients or increase Privoxy's memory requirements by registering lots of client tag settings for clients that don't exist.

-
Examples:
+
Example:
@@ -2390,7 +2390,7 @@ memory is (currently) cleared before using it, a buffer that is too large can actually reduce the throughput.

-
Examples:
+
Example:
@@ -2406,7 +2406,10 @@
-

7.7. TLS/SSL

+

7.7. HTTPS Inspection + (Experimental)

+

HTTPS inspection allows to filter encrypted requests. This is only supported when Privoxy has been built with FEATURE_HTTPS_INSPECTION.

7.7.1. ca-directory

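Review bot: the new intro sentence "HTTPS inspection allows to filter encrypted requests." is ungrammatical; suggest "HTTPS inspection allows Privoxy to filter encrypted requests." Since the heading now flags the feature as experimental, this paragraph should also say what is needed beyond the FEATURE_HTTPS_INSPECTION build flag, namely the CA material configured by the ca-directory, ca-cert-file and ca-key-file directives that follow, so a reader arriving at ca-directory knows why a CA is required at all.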
@@ -2434,7 +2437,7 @@

The permissions should only let Privoxy and the Privoxy admin access the directory.

-
Examples:
+
Example:

ca-directory /usr/local/etc/privoxy/CA

@@ -2472,7 +2475,7 @@

The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650

-
Examples:
+
Example:

ca-cert-file root.crt

@@ -2504,7 +2507,7 @@

This directive specifies the name of the CA key file in ".pem" format. See the ca-cert-file for a command to generate it.

-
Examples:
+
Example:

ca-key-file cakey.pem

@@ -2537,7 +2540,7 @@ certificates for intercepted requests.

Note that the password is shown on the CGI page so don't reuse an important one.

-
Examples:
+
Example:

ca-password blafasel

@@ -2551,7 +2554,7 @@
Specifies:
-

Directory to safe generated keys and certificates.

+

Directory to save generated keys and certificates.

Type of value:
@@ -2575,8 +2578,24 @@ "_top">ca-cert-key.

The permissions should only let Privoxy and the Privoxy admin access the directory.

+
+
+ + + + + + +
Warning
+

Privoxy currently does not garbage-collect obsolete keys and + certificates and does not keep track of how may keys and certificates exist.

+

Privoxy admins should monitor the size of the directory + and/or make sure there is sufficient space available. A cron job to limit the number of keys and + certificates to a certain number may be worth considering.

+
+
-
Examples:
+
Example:

certificate-directory /usr/local/var/privoxy/certs

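Review bot: the added warning has a typo: "does not keep track of how may keys and certificates exist" should read "how many keys and certificates exist". The cron-job suggestion would also be more actionable if the text named a criterion the admin can apply (a maximum file count or a maximum file age in the certificate-directory); as written it states the problem without saying what a safe limit looks like.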
@@ -2584,7 +2603,129 @@
-

7.7.6. trusted-cas-file

+

7.7.6. cipher-list

+
+
+
Specifies:
+
+

A list of ciphers to use in TLS handshakes

+
+
Type of value:
+
+

Text

+
+
Default value:
+
+

None

+
+
Effect if unset:
+
+

A default value is inherited from the TLS library.

+
+
Notes:
+
+

This directive allows to specify a non-default list of ciphers to use in TLS handshakes with clients + and servers.

+

Ciphers are separated by colons. Which ciphers are supported depends on the TLS library. When using + OpenSSL, unsupported ciphers are skipped. When using MbedTLS they are rejected.

+
+ + + + + + + +
Warning
+

Specifying an unusual cipher list makes fingerprinting easier. Note that the default list + provided by the TLS library may be unusual when compared to the one used by modern browsers as + well.

+
+
+
+
Examples:
+
+ + + + +
+
    # Explicitly set a couple of ciphers with names used by MbedTLS
+    cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+   
+
+ + + + +
+
    # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+   
+
+ + + + +
+
    # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+    cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+   
+
+
+
+
+
+
+

7.7.7. trusted-cas-file

Specifies:
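Review bot: the first example is broken by a repeated directive name: `cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\` leaves the literal word `cipher-list` at the start of the value, which the Notes in this same hunk say MbedTLS would reject; drop the duplicate. In the OpenSSL example `ECDHE-RSA-AES256-GCM-SHA384:\` appears twice (second entry and second-to-last entry), which is harmless but sloppy in a reference example. In the Notes, "This directive allows to specify a non-default list" should read "allows specifying" or "allows you to specify", and "When using MbedTLS they are rejected" should say what rejection means in practice (Privoxy refusing to start versus the handshake failing), because that determines whether a typo in the list is caught at startup or only when a client connects. Finally, the keyword example `ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH` and the explicit OpenSSL list (which ends with `AES128-SHA` and includes the non-ephemeral DH-DSS, DH-RSA, ECDH-RSA and ECDH-ECDSA suites) still admit cipher suites without forward secrecy; given the fingerprinting warning directly above, the examples should either restrict themselves to ECDHE/DHE suites or state that they are illustrative rather than recommended.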
@@ -2610,7 +2751,7 @@

An example file can be downloaded from https://curl.haxx.se/ca/cacert.pem.

-
Examples:
+
Example:

trusted-cas-file trusted_cas_file.pem