Again, the main configuration file is named 7.1. Local Set-up Documentation7.1. Local Set-up Documentation
If you intend to operate 7.1.1. user-manual7.1.1. user-manual Examples:
@@ -261,8 +263,12 @@ CLASS="SCREEN"
>
The User Manual is then available to anyone with access to the proxy, by
- following the built-in URL: The User Manual is then available to anyone with access to
+ Privoxy, by following the built-in URL:
+ http://config.privoxy.org/user-manual/
@@ -333,8 +339,8 @@ CLASS="SECT3"
CLASS="SECT3"
>7.1.2. trust-info-url7.1.2. trust-info-url Two example URL are provided If you use the trust mechanism, it is a good idea to write up some on-line
@@ -401,8 +413,8 @@ CLASS="SECT3"
CLASS="SECT3"
>7.1.3. admin-address7.1.3. admin-address An email address to reach the proxy administrator.
+> An email address to reach the Privoxy administrator.
7.2.1. confdir7.2.1. confdir The directory where the other configuration files are located When development goes modular and multi-user, the blocker, filter, and
- per-user config will be stored in subdirectories of "confdir".
- For now, the configuration directory structure is flat, except for
- confdir/templates, where the HTML templates for CGI
- output reside (e.g. An alternative directory where the templates are loaded from. Path name unset The templates are assumed to be located in confdir/template. Privoxy's 404 error page).
+> original templates are usually
+ overwritten with each update. Use this option to relocate customized
+ templates that should be kept. As template variables might change
+ between updates, you shouldn't expect templates to work with
+ Privoxy releases other than the one
+ they were part of, though.
The directory where all logging takes place (i.e. where The directory where all logging takes place
+ (i.e. where the logfile and
- jarfile are located)
+> is located).
File name, relative to Complete file name, relative to confdir, without the .action suffix standard # Internal purposes, no editing recommended7.2.2. templdir
7.2.2. logdir7.2.3. logdir
default # Main actions file
default.action # Main actions fileuser # User customizations
user.action # User customizationsNo actions are taken at all. Simple neutral proxying. +> No actions are taken at all. More or less neutral proxying.
- The default values include standard.action, which is used for internal - purposes and should be loaded, default.action, which is the + The default values are default.action, which is the "main"
- Actions files are where all the per site and per URL configuration is done for + Actions files contain all the per site and per URL configuration for ad blocking, cookie management, privacy considerations, etc. There is no point in using without at least one actions file.
Note that since Privoxy 3.0.7, the complete filename, including the ".action" + extension has to be specified. The syntax change was necessary to be consistent + with the other file options and to allow previously forbidden characters. +
7.2.4. filterfile7.2.5. filterfileregular expressions. These rules permit powerful changes on the content of Web pages, and optionally the headers - as well, e.g., you could disable your favorite JavaScript annoyances, + as well, e.g., you could try to disable your favorite JavaScript annoyances, re-write the actual displayed text, or just have some fun playing buzzword bingo with web pages. 7.2.5. logfile7.2.6. logfilelogfile (Unix) Unset (commented out). When activated: logfile (Unix) or privoxy.log (Windows)
privoxy.log (Windows).No log file is used, all log messages go to the console (STDERR). +> No logfile is written.
Depending on the debug options below, the logfile may be a privacy risk + if third parties can get access to it. As most users will never look + at it, Privoxy 3.0.7 and later only log fatal + errors by default. +
For most troubleshooting purposes, you will have to change that, + please refer to the debugging section for details.
Your logfile will grow indefinitely, and you will probably want to @@ -1050,30 +1128,18 @@ CLASS="APPLICATION" (see "man cron"). For Red Hat, a ). For Red Hat based Linux distributions, a + logrotate - script has been included. -
On SuSE Linux systems, you can place a line like "/var/log/privoxy.* - +1024k 644 nobody.nogroup" in /etc/logfiles, with - the effect that cron.daily will automatically archive, gzip, and empty the - log, when it exceeds 1M size. +> script has been included.
Any log files must be writable by whatever user Privoxy - is being run as (default on UNIX, user id is "privoxy"). @@ -1087,71 +1153,9 @@ CLASS="SECT3" >
The file to store intercepted cookies in -
File name, relative to logdir
Unset (commented out). When activated: jarfile (Unix) or privoxy.jar (Windows)
Intercepted cookies are not stored in a dedicated log file. -
The jarfile may grow to ridiculous sizes over time. -
If debug 8 (show header parsing) is enabled, cookies are - written to the logfile with the rest of the headers. -
The trust file to use +> The name of the trust file to use
The entire trust mechanism is turned off. +> The entire trust mechanism is disabled.
Or, you can designate sites as + character. The effect is that access to untrusted sites will be granted -- but only if a link from this - trusted referrer was used. The link target will then be added to the - "trustfile" so that future, direct accesses will be granted. - Sites added via this mechanism do not become trusted referrers themselves - (i.e. they are added with a so that future, direct accesses will be + granted. Sites added via this mechanism do not become trusted referrers + themselves (i.e. they are added with a ~ designation). + There is a limit of 512 such entries, after which new entries will not be + made.
If you use the 7.3. Debugging7.3. Debugging
These options are mainly useful when tracing a problem. Note that you might also want to invoke @@ -1313,8 +1323,8 @@ CLASS="SECT3" CLASS="SECT3" >7.3.1. debug7.3.1. debug
Key values that determine what information gets logged to the - logfile. +> Key values that determine what information gets logged.
12289 (i.e.: URLs plus informational and warning messages)
0 (i.e.: only fatal errors (that cause Privoxy to exit) are logged)Nothing gets logged. +> Default value is used (see above).
debug 1 # show each GET/POST/CONNECT request - debug 2 # show each connection status - debug 4 # show I/O status - debug 8 # show header parsing - debug 16 # log all data into the logfile - debug 32 # debug force feature - debug 64 # debug regular expression filter - debug 128 # debug fast redirects - debug 256 # debug GIF de-animation - debug 512 # Common Log Format - debug 1024 # debug kill pop-ups - debug 2048 # CGI user interface - debug 4096 # Startup banner and warnings. - debug 8192 # Non-fatal errorsdebug 1 # Log the destination for each request Privoxy let through. See also debug 1024. + debug 2 # show each connection status + debug 4 # show I/O status + debug 8 # show header parsing + debug 16 # log all data written to the network into the logfile + debug 32 # debug force feature + debug 64 # debug regular expression filters + debug 128 # debug redirects + debug 256 # debug GIF de-animation + debug 512 # Common Log Format + debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why. + debug 2048 # CGI user interface + debug 4096 # Startup banner and warnings. + debug 8192 # Non-fatal errors
The reporting of fatal errors (i.e. ones which crash - Privoxy) is always on and cannot be disabled. +> used to ship with the debug levels recommended above enabled by + default, but due to privacy concerns 3.0.7 and later are configured to + only log fatal errors. +
If you are used to the more verbose settings, simply enable the debug lines + below again.
If you want to use CLF (Common Log Format), you should set If you want to use pure CLF (Common Log Format), you should set "debug 512" and not enable anything else.
Privoxy has a hard-coded limit for the + length of log messages. If it's reached, messages are logged truncated + and marked with "... [too long, truncated]". +
Please don't file any support requests without trying to reproduce + the problem with increased debug level first. Once you read the log + messages, you may even be able to solve the problem on your own. +
Whether to run only one server thread +> Whether to run only one server thread.
This option is only there for debug purposes and you should never - need to use it. This option is only there for debugging purposes. +
The hostname shown on the CGI pages. +
Text
Unset
The hostname provided by the operating system is used. +
On some misconfigured systems resolving the hostname fails or + takes too much time and slows Privoxy down. Setting a fixed hostname + works around the problem. +
In other circumstances it might be desirable to show a hostname + other than the one returned by the operating system. For example + if the system has several different hostnames and you don't want + to use the first one. +
Note that Privoxy does not validate the specified hostname value. +
This section of the config file controls the security-relevant aspects
of 7.4.1. listen-address7.4.1. listen-address The windows version will only display the toggle icon in the system tray
@@ -1740,8 +1817,8 @@ CLASS="SECT3"
CLASS="SECT3"
>7.4.3. enable-remote-toggle7.4.3. enable-remote-toggle 1 For the time being, access to the toggle feature can Access to the toggle feature can Note that malicious client side code (e.g Java) is also
+ capable of using this option.
+ As a lot of Privoxy users don't read
+ documentation, this feature is disabled by default.
+ Note that you must have compiled Privoxy7.4.4. enable-remote-http-toggle7.4.4. enable-remote-http-toggle 1 If you are using This feature is disabled by default. If you are using
+ Privoxy in a
- multi-user environment or with untrustworthy clients and want to
- enforce filtering, you will have to disable this option,
- otherwise you can ignore it.
+> in a environment with trusted clients,
+ you may enable this feature at your discretion. Note that malicious client
+ side code (e.g Java) is also capable of using this feature.
+ This option will be removed in future releases as it has been obsoleted
+ by the more general header taggers.
1 For the time being, access to the editor can Access to the editor can listen-address above) can
- modify its configuration for all users. So this option is This option is not
- recommendednot recommended Note that malicious client side code (e.g Java) is also
+ capable of using the actions editor and you shouldn't enable
+ this options unless you understand the consequences and are
+ sure your browser is configured correctly.
Note that you must have compiled Whether the user is allowed to ignore blocks and can "go there anyway".
+ 0 or 1
+ 0 Blocks are not enforced.
+ Privoxy is mainly used to block and filter
+ requests as a service to the user, for example to block ads and other
+ junk that clogs the pipes. Privoxy's configuration
+ isn't perfect and sometimes innocent pages are blocked. In this situation it
+ makes sense to allow the user to enforce the request and have
+ Privoxy ignore the block.
+ In the default configuration Privoxy's
+ "Blocked" page contains a "go there anyway"
+ link to adds a special string (the force prefix) to the request URL.
+ If that link is used, Privoxy will
+ detect the force prefix, remove it again and let the request pass.
+ Of course Privoxy can also be used to enforce
+ a network policy. In that case the user obviously should not be able to
+ bypass any blocks, and that's what the "enforce-blocks"
+ option is for. If it's enabled, Privoxy hides
+ the "go there anyway" link. If the user adds the force
+ prefix by hand, it will not be accepted and the circumvention attempt
+ is logged.
+ enforce-blocks 1
+ Please see the warnings in the FAQ that this proxy is not intended to be a substitute
- for a firewall or to encourage anyone to defer addressing basic security
- weaknesses.
+> Please see the warnings in the FAQ that Privoxy
+ is not intended to be a substitute for a firewall or to encourage anyone
+ to defer addressing basic security weaknesses.
Multiple ACL lines are OK.
- If any ACLs are specified, then the Privoxy
- talks only to IP addresses that match at least one only talks
+ to IP addresses that match at least one permit-access line
@@ -2192,7 +2424,8 @@ CLASS="QUOTE"
Denying access to particular sites by ACL may have undesired side effects
- if the site in question is hosted on a machine which also hosts other sites.
+ if the site in question is hosted on a machine which also hosts other sites
+ (most sites are).
Allow any host on the same class C subnet as www.privoxy.org access to
- nothing but www.example.com:
+ nothing but www.example.com (or other domains hosted on the same system):
Allow access from any host on the 26-bit subnet 192.168.45.64 to anywhere,
- with the exception that 192.168.45.73 may not access www.dirty-stuff.example.com:
+ with the exception that 192.168.45.73 may not access the IP address behind
+ www.dirty-stuff.example.com:
This feature allows routing of HTTP requests through a chain of
- multiple proxies.
- It can be used to better protect privacy and confidentiality when
- accessing specific domains by routing requests to those domains
- through an anonymous public proxy (see e.g. http://www.multiproxy.org/anon_list.htm)
- Or to use a caching proxy to speed up browsing. Or chaining to a parent
- proxy may be necessary because the machine that Forwarding can be used to chain Privoxy with a caching proxy to speed
+ up browsing. Using a parent proxy may also be necessary if the machine
+ that Privoxy runs on has no direct Internet access. Note that parent proxies can severely decrease your privacy level.
+ For example a parent proxy could add your IP address to the request
+ headers and if it's a caching proxy it may add the "Etag"
- runs on has no direct Internet access. Also specified here are SOCKS proxies. 7.5.1. forward7.5.1. forward Everything goes to an example anonymizing proxy, except SSL on port 443 (which it doesn't handle):
+> Everything goes to an example parent proxy, except SSL on port 443 (which it doesn't handle):
Through which SOCKS proxy (and to which parent HTTP proxy) specific requests should be routed.
+> Through which SOCKS proxy (and optionally to which parent HTTP proxy) specific requests should be routed.
With forward-socks5 the DNS resolution will happen on the remote server as well.
+ If To chain Privoxy and Tor, both running on the same system, you should use
- the rule:
+> To chain Privoxy and Tor, both running on the same system, you would use
+ something like:
You could just as well decide to only forward requests for Windows executables through
- a virus-scanning parent proxy, say, on You could just as well decide to only forward requests you suspect
+ of leading to Windows executables through a virus-scanning parent proxy,
+ say, on antivir.example.com, port 8010: Forwarded connections are treated like direct connections and no retry attempts are made.
+> Connections forwarded through other proxies are treated like direct connections and no retry attempts are made.
Only use this option, if you are getting many forwarding related error messages,
+> Note that in the context of this option, "forwarded connections" includes all connections
+ that Privoxy forwards through other proxies. This option is not limited to the HTTP CONNECT method.
+ Only use this option, if you are getting lots of forwarding-related error messages
that go away when you try again manually. Start with a small value and check Privoxy's
logfile from time to time, to see how many retries are usually needed.
Whether intercepted requests should be treated as valid.
+ 0 or 1
+ 0 Only proxy requests are accepted, intercepted requests are treated as invalid.
+ If you don't trust your clients and want to force them
+ to use Privoxy, enable this
+ option and configure your packet filter to redirect outgoing
+ HTTP connections into Privoxy.
+ Make sure that Privoxy's own requests
+ aren't redirected as well. Additionally take care that
+ Privoxy can't intentionally connect
+ to itself, otherwise you could run into redirection loops if
+ Privoxy's listening port is reachable
+ by the outside or an attacker has access to the pages you visit.
+ accept-intercepted-requests 1
+ Whether requests to Privoxy's CGI pages can be blocked or redirected.
+ 0 or 1
+ 0 Privoxy ignores block and redirect actions for its CGI pages.
+ By default Privoxy ignores block or redirect actions
+ for its CGI pages. Intercepting these requests can be useful in multi-user
+ setups to implement fine-grained access control, but it can also render the complete
+ web interface useless and make debugging problems painful if done without care.
+ Don't enable this option unless you're sure that you really need it.
+ allow-cgi-request-crunching 1
+ Whether the CGI interface should stay compatible with broken HTTP clients.
+ 0 or 1
+ 0 The CGI form generate long GET URLs.
+ Privoxy's CGI forms can lead to
+ rather long URLs. This isn't a problem as far as the HTTP
+ standard is concerned, but it can confuse clients with arbitrary
+ URL length limitations.
+ Enabling split-large-forms causes Privoxy
+ to divide big forms into smaller ones to keep the URL length down.
+ It makes editing a lot less convenient and you can no longer
+ submit all changes at once, but at least it works around this
+ browser bug.
+ If you don't notice any editing problems, there is no reason
+ to enable this option, but if one of the submit buttons appears
+ to be broken, you should give it a try.
+ split-large-forms 1
+ Number of seconds after which an open connection will no longer be reused.
+ Time in seconds.
+ None Connections are not reused.
+ This option has no effect if Privoxy
+ has been compiled without keep-alive support.
+ keep-alive-timeout 300
+ Number of seconds after which a socket times out if
+ no data is received.
+ Time in seconds.
+ None A default value of 180 seconds is used.
+ socket-timeout 180
+ 7.4.6. enforce-blocks
7.4.6. ACLs: permit-access and deny-access
7.4.7. ACLs: permit-access and deny-access7.4.7. buffer-limit7.4.8. buffer-limit
squid locally, then chain as
+> locally, then chaining as
browser -> squid -> privoxysquid.conf.
7.5.2. forward-socks4 and forward-socks4a7.5.2. forward-socks4, forward-socks4a and forward-socks5Specifies: forward / anon-proxy.example.org:8080
+> forward / parent-proxy.example.org:8080
forward :443 .
forward / caching-proxy.example-isp.net:8000
- forward .example-isp.net .
forward / caching-proxy.isp.example.net:8000
+ forward .isp.example.net . forward-socks4a / socks-gw.example.com:1080 www-cache.example-isp.net:8080
+> forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080
forward .example.com .
The public Tor network can't be used to reach your local network,
- therefore it's a good idea to make some exceptions:
+> network can't be used to
+ reach your local network, if you need to access local servers you
+ therefore might want to make some exceptions:
forward-socks4 / 127.0.0.1:9050 .
forward-socks4a / 127.0.0.1:9050 . forward / .
- forward .isp-a.net host-a:8118
7.5.5. accept-intercepted-requests
7.5.6. allow-cgi-request-crunching
7.5.7. split-large-forms
7.5.8. keep-alive-timeout
7.5.9. socket-timeout