X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fwebserver%2Fuser-manual%2Fconfiguration.html;h=267e3bb03d82b4f6cde98015ef29d6b30a8ba8ad;hb=6b9ad095f7f923facf79cb437893be824cf0bbde;hp=9fe64ac3002786741a9812a10b223f8abd1a3f44;hpb=0a3750f6302df8349b5be2e15a9a4fefe3c35889;p=privoxy.git diff --git a/doc/webserver/user-manual/configuration.html b/doc/webserver/user-manual/configuration.html index 9fe64ac3..267e3bb0 100644 --- a/doc/webserver/user-manual/configuration.html +++ b/doc/webserver/user-manual/configuration.html @@ -1,6227 +1,273 @@ -
All Privoxy configuration is stored - in text files. These files can be edited with a text editor. - Many important aspects of Privoxy can - also be controlled easily with a web browser. -
Privoxy's user interface can be reached through the special - URL http://config.privoxy.org/ - (shortcut: http://p.p/), - which is a built-in page and works without Internet access. - You will see the following section:
This should be self-explanatory. Note the first item leads to an editor for the - "actions list", which is where the ad, banner, cookie, - and URL blocking magic is configured as well as other advanced features of - Privoxy. This is an easy way to adjust various - aspects of Privoxy configuration. The actions - file, and other configuration files, are explained in detail below.
"Toggle Privoxy On or Off" is handy for sites that might - have problems with your current actions and filters. You can in fact use - it as a test to see whether it is Privoxy - causing the problem or not. Privoxy continues - to run as a proxy in this case, but all filtering is disabled. There - is even a toggle Bookmarklet offered, so - that you can toggle Privoxy with one click from - your browser.
For Unix, *BSD and Linux, all configuration files are located in - /etc/privoxy/ by default. For MS Windows, OS/2, and - AmigaOS these are all in the same directory as the - Privoxy executable. The name - and number of configuration files has changed from previous versions, and is - subject to change as development progresses.
The installed defaults provide a reasonable starting point, though - some settings may be aggressive by some standards. For the time being, the - principle configuration files are:
The main configuration file is named config - on Linux, Unix, BSD, OS/2, and AmigaOS and config.txt - on Windows. This is a required file. -
default.action (the main actions file) is used to define - the default settings for various "actions" relating to images, banners, - pop-ups, access restrictions, banners and cookies. -
Multiple actions files may be defined in config. These - are processed in the order they are defined. Local customizations and locally - preferred exceptions to the default policies as defined in - default.action are probably best applied in - user.action, which should be preserved across - upgrades. standard.action is also included. This is mostly - for Privoxy's internal use. -
- There is also a web based editor that can be accessed from - http://config.privoxy.org/show-status/ - (Shortcut: http://p.p/show-status/) for the - various actions files. -
default.filter (the filter - file) can be used to re-write the raw page content, including - viewable text as well as embedded HTML and JavaScript, and whatever else - lurks on any given web page. The filtering jobs are only pre-defined here; - whether to apply them or not is up to the actions files. -
All files use the "#" character to denote a - comment (the rest of the line will be ignored) angd understand line continuation - through placing a backslash ("\") as the very last character - in a line. If the # is preceded by a backslash, it looses - its special function. Placing a # in front of an otherwise - valid configuration line to prevent it from being interpreted is called "commenting - out" that line.
The actions files and default.filter - can use Perl style regular expressions for - maximum flexibility.
After making any changes, there is no need to restart - Privoxy in order for the changes to take - effect. Privoxy detects such changes - automatically. Note, however, that it may take one or two additional - requests for the change to take effect. When changing the listening address - of Privoxy, these "wake up" requests - must obviously be sent to the old listening address.
While under development, the configuration content is subject to change. - The below documentation may not be accurate by the time you read this. - Also, what constitutes a "default" setting, may change, so - please check all your configuration files on important issues.
Again, the main configuration file is named config on - Linux/Unix/BSD and OS/2, and config.txt on Windows. - Configuration lines consist of an initial keyword followed by a list of - values, all separated by whitespace (any number of spaces or tabs). For - example:
confdir /etc/privoxy
-
Assigns the value /etc/privoxy to the option - confdir and thus indicates that the configuration - directory is named "/etc/privoxy/".
All options in the config file except for confdir and - logdir are optional. Watch out in the below description - for what happens if you leave them unset.
The main config file controls all aspects of Privoxy's - operation that are not location dependent (i.e. they apply universally, no matter - where you may be surfing).
Privoxy can (and normally does) use a number of - other files for additional configuration and logging. - This section of the configuration file tells Privoxy - where to find those other files.
The directory where the other configuration files are located
Path name
/etc/privoxy (Unix) or Privoxy installation dir (Windows)
Mandatory
No trailing "/", please -
When development goes modular and multi-user, the blocker, filter, and - per-user config will be stored in subdirectories of "confdir". - For now, the configuration directory structure is flat, except for - confdir/templates, where the HTML templates for CGI - output reside (e.g. Privoxy's 404 error page). -
The directory where all logging takes place (i.e. where logfile and - jarfile are located) -
Path name
/var/log/privoxy (Unix) or Privoxy installation dir (Windows)
Mandatory
No trailing "/", please -
The actions file(s) to use -
File name, relative to confdir
standard # Internal purposes, recommended not editing - |
default # Main actions file - |
user # User customizations - |
No actions are taken at all. Simple neutral proxying. -
Multiple actionsfile lines are OK and are in fact recommended! -
- The default values include standard.action, which is used for internal - purposes and should be loaded, default.action, which is the - "main" actions file maintained by the developers, and - user.action, where you can make your personal additions. -
- There is no point in using Privoxy without an actions file. -
The filter file to use -
File name, relative to confdir
default.filter (Unix) or default.filter.txt (Windows)
No textual content filtering takes place, i.e. all - +filter{name} - actions in the actions files are turned off -
The "default.filter" file contains content modification rules - that use "regular expressions". These rules permit powerful - changes on the content of Web pages, e.g., you could disable your favorite - JavaScript annoyances, re-write the actual displayed text, or just have some - fun replacing "Microsoft" with "MicroSuck" wherever - it appears on a Web page. -
The log file to use -
File name, relative to logdir
logfile (Unix) or privoxy.log (Windows)
No log file is used, all log messages go to the console (stderr). -
The windows version will additionally log to the console. -
The logfile is where all logging and error messages are written. The level - of detail and number of messages are set with the debug - option (see below). The logfile can be useful for tracking down a problem with - Privoxy (e.g., it's not blocking an ad you - think it should block) but in most cases you probably will never look at it. -
Your logfile will grow indefinitely, and you will probably want to - periodically remove it. On Unix systems, you can do this with a cron job - (see "man cron"). For Red Hat, a logrotate - script has been included. -
On SuSE Linux systems, you can place a line like "/var/log/privoxy.* - +1024k 644 nobody.nogroup" in /etc/logfiles, with - the effect that cron.daily will automatically archive, gzip, and empty the - log, when it exceeds 1M size. -
The file to store intercepted cookies in -
File name, relative to logdir
jarfile (Unix) or privoxy.jar (Windows)
Intercepted cookies are not stored at all. -
The jarfile may grow to ridiculous sizes over time. -
The trust file to use -
File name, relative to confdir
Unset (commented out). When activated: trust (Unix) or trust.txt (Windows)
The whole trust mechanism is turned off. -
The trust mechanism is an experimental feature for building white-lists and should - be used with care. It is NOT recommended for the casual user. -
If you specify a trust file, Privoxy will only allow - access to sites that are named in the trustfile. - You can also mark sites as trusted referrers (with +), with - the effect that access to untrusted sites will be granted, if a link from a - trusted referrer was used. - The link target will then be added to the "trustfile". - Possible applications include limiting Internet access for children. -
If you use + operator in the trust file, it may grow considerably over time. -
If you intend to operate Privoxy for more users - that just yourself, it might be a good idea to let them know how to reach - you, what you block and why you do that, your policies etc. -
A URL to be displayed in the error page that users will see if access to an untrusted page is denied. -
URL
Two example URL are provided
No links are displayed on the "untrusted" error page. -
The value of this option only matters if the experimental trust mechanism has been - activated. (See trustfile above.) -
If you use the trust mechanism, it is a good idea to write up some on-line - documentation about your trust policy and to specify the URL(s) here. - Use multiple times for multiple URLs. -
The URL(s) should be added to the trustfile as well, so users don't end up - locked out from the information on why they were locked out in the first place! -
An email address to reach the proxy administrator. -
Email address
Unset
No email address is displayed on error pages and the CGI user interface. -
If both admin-address and proxy-info-url - are unset, the whole "Local Privoxy Support" box on all generated pages will - not be shown. -
A URL to documentation about the local Privoxy setup, - configuration or policies. -
URL
Unset
No link to local documentation is displayed on error pages and the CGI user interface. -
If both admin-address and proxy-info-url - are unset, the whole "Local Privoxy Support" box on all generated pages will - not be shown. -
This URL shouldn't be blocked ;-) -
These options are mainly useful when tracing a problem. - Note that you might also want to invoke - Privoxy with the --no-daemon - command line option when debugging. -
Key values that determine what information gets logged. -
Integer values
12289 (i.e.: URLs plus informational and warning messages)
Nothing gets logged. -
The available debug levels are: -
debug 1 # show each GET/POST/CONNECT request - debug 2 # show each connection status - debug 4 # show I/O status - debug 8 # show header parsing - debug 16 # log all data into the logfile - debug 32 # debug force feature - debug 64 # debug regular expression filter - debug 128 # debug fast redirects - debug 256 # debug GIF de-animation - debug 512 # Common Log Format - debug 1024 # debug kill pop-ups - debug 4096 # Startup banner and warnings. - debug 8192 # Non-fatal errors |
To select multiple debug levels, you can either add them or use - multiple debug lines. -
A debug level of 1 is informative because it will show you each request - as it happens. 1, 4096 and 8192 are highly recommended - so that you will notice when things go wrong. The other levels are probably - only of interest if you are hunting down a specific problem. They can produce - a hell of an output (especially 16). - -
The reporting of fatal errors (i.e. ones which crash - Privoxy) is always on and cannot be disabled. -
If you want to use CLF (Common Log Format), you should set "debug - 512" ONLY and not enable anything else. -
Whether to run only one server thread -
None
Unset
Multi-threaded (or, where unavailable: forked) operation, i.e. the ability to - serve multiple requests simultaneously. -
This option is only there for debug purposes and you should never - need to use it. It will drastically reduce performance. -
This section of the config file controls the security-relevant aspects - of Privoxy's configuration. -
The IP address and TCP port on which Privoxy will - listen for client requests. -
[IP-Address]:Port
localhost:8118
Bind to localhost (127.0.0.1), port 8118. This is suitable and recommended for - home users who run Privoxy on the same machine as - their browser. -
You will need to configure your browser(s) to this proxy address and port. -
If you already have another service running on port 8118, or if you want to - serve requests from other machines (e.g. on your local network) as well, you - will need to override the default. -
If you leave out the IP address, Privoxy will - bind to all interfaces (addresses) on your machine and may become reachable - from the Internet. In that case, consider using access control lists (ACL's) - (see "ACLs" below), or a firewall. -
Suppose you are running Privoxy on - a machine which has the address 192.168.0.1 on your local private network - (192.168.0.0) and has another outside connection with a different address. - You want it to serve requests from inside only: -
listen-address 192.168.0.1:8118 |
Initial state of "toggle" status -
1 or 0
1
Act as if toggled on -
If set to 0, Privoxy will start in - "toggled off" mode, i.e. behave like a normal, content-neutral - proxy. See enable-remote-toggle - below. This is not really useful anymore, since toggling is much easier - via the web - interface then via editing the conf file. -
The windows version will only display the toggle icon in the system tray - if this option is present. -
Whether or not the web-based toggle - feature may be used -
0 or 1
1
The web-based toggle feature is disabled. -
When toggled off, Privoxy acts like a normal, - content-neutral proxy, i.e. it acts as if none of the actions applied to - any URL. -
For the time being, access to the toggle feature can not be - controlled separately by "ACLs" or HTTP authentication, - so that everybody who can access Privoxy (see - "ACLs" and listen-address above) can - toggle it for all users. So this option is not recommended - for multi-user environments with untrusted users. -
Note that you must have compiled Privoxy with - support for this feature, otherwise this option has no effect. -
Whether or not the web-based actions - file editor may be used -
0 or 1
1
The web-based actions file editor is disabled. -
For the time being, access to the editor can not be - controlled separately by "ACLs" or HTTP authentication, - so that everybody who can access Privoxy (see - "ACLs" and listen-address above) can - modify its configuration for all users. So this option is not - recommended for multi-user environments with untrusted users. -
Note that you must have compiled Privoxy with - support for this feature, otherwise this option has no effect. -
Who can access what. -
src_addr[/src_masklen] - [dst_addr[/dst_masklen]] -
Where src_addr and - dst_addr are IP addresses in dotted decimal notation or valid - DNS names, and src_masklen and - dst_masklen are subnet masks in CIDR notation, i.e. integer - values from 2 to 30 representing the length (in bits) of the network address. The masks and the whole - destination part are optional. -
Unset
Don't restrict access further than implied by listen-address -
Access controls are included at the request of ISPs and systems - administrators, and are not usually needed by individual users. - For a typical home user, it will normally suffice to ensure that - Privoxy only listens on the localhost or internal (home) - network address by means of the listen-address option. -
Please see the warnings in the FAQ that this proxy is not intended to be a substitute - for a firewall or to encourage anyone to defer addressing basic security - weaknesses. -
Multiple ACL lines are OK. - If any ACLs are specified, then the Privoxy - talks only to IP addresses that match at least one permit-access line - and don't match any subsequent deny-access line. In other words, the - last match wins, with the default being deny-access. -
If Privoxy is using a forwarder (see forward below) - for a particular destination URL, the dst_addr - that is examined is the address of the forwarder and NOT the address - of the ultimate target. This is necessary because it may be impossible for the local - Privoxy to determine the IP address of the - ultimate target (that's often what gateways are used for). -
You should prefer using IP addresses over DNS names, because the address lookups take - time. All DNS names must resolve! You can not use domain patterns - like "*.org" or partial domain names. If a DNS name resolves to multiple - IP addresses, only the first one is used. -
Denying access to particular sites by ACL may have undesired side effects - if the site in question is hosted on a machine which also hosts other sites. -
Explicitly define the default behavior if no ACL and - listen-address are set: "localhost" - is OK. The absence of a dst_addr implies that - all destination addresses are OK: -
permit-access localhost |
Allow any host on the same class C subnet as www.privoxy.org access to - nothing but www.example.com: -
permit-access www.privoxy.org/24 www.example.com/32 |
Allow access from any host on the 26-bit subnet 192.168.45.64 to anywhere, - with the exception that 192.168.45.73 may not access www.dirty-stuff.example.com: -
permit-access 192.168.45.64/26 - deny-access 192.168.45.73 www.dirty-stuff.example.com |
Maximum size of the buffer for content filtering. -
Size in Kbytes
4096
Use a 4MB (4096 KB) limit. -
For content filtering, i.e. the +filter and - +deanimate-gif actions, it is necessary that - Privoxy buffers the entire document body. - This can be potentially dangerous, since a server could just keep sending - data indefinitely and wait for your RAM to exhaust -- with nasty consequences. - Hence this option. -
When a document buffer size reaches the buffer-limit, it is - flushed to the client unfiltered and no further attempt to - filter the rest of the document is made. Remember that there may be multiple threads - running, which might require up to buffer-limit Kbytes - each, unless you have enabled "single-threaded" - above. -
This feature allows routing of HTTP requests through a chain of - multiple proxies. - It can be used to better protect privacy and confidentiality when - accessing specific domains by routing requests to those domains - through an anonymous public proxy (see e.g. http://www.multiproxy.org/anon_list.htm) - Or to use a caching proxy to speed up browsing. Or chaining to a parent - proxy may be necessary because the machine that Privoxy - runs on has no direct Internet access.
Also specified here are SOCKS proxies. Privoxy - supports the SOCKS 4 and SOCKS 4A protocols.
To which parent HTTP proxy specific requests should be routed. -
target_domain[:port] - http_parent[/port] -
Where target_domain is a domain name pattern (see the - chapter on domain matching in the default.action file), - http_parent is the address of the parent HTTP proxy - as an IP addresses in dotted decimal notation or as a valid DNS name (or "." to denote - "no forwarding", and the optional - port parameters are TCP ports, i.e. integer - values from 1 to 64535 -
Unset
Don't use parent HTTP proxies. -
If http_parent is ".", then requests are not - forwarded to another HTTP proxy but are made directly to the web servers. -
Multiple lines are OK, they are checked in sequence, and the last match wins. -
Everything goes to an example anonymizing proxy, except SSL on port 443 (which it doesn't handle): -
forward .* anon-proxy.example.org:8080 - forward :443 . |
Everything goes to our example ISP's caching proxy, except for requests - to that ISP's sites: -
forward .*. caching-proxy.example-isp.net:8000 - forward .example-isp.net . |
Through which SOCKS proxy (and to which parent HTTP proxy) specific requests should be routed. -
target_domain[:port] - socks_proxy[/port] - http_parent[/port] -
Where target_domain is a domain name pattern (see the - chapter on domain matching in the default.action file), - http_parent and socks_proxy - are IP addresses in dotted decimal notation or valid DNS names (http_parent - may be "." to denote "no HTTP forwarding"), and the optional - port parameters are TCP ports, i.e. integer values from 1 to 64535 -
Unset
Don't use SOCKS proxies. -
Multiple lines are OK, they are checked in sequence, and the last match wins. -
The difference between forward-socks4 and forward-socks4a - is that in the SOCKS 4A protocol, the DNS resolution of the target hostname happens on the SOCKS - server, while in SOCKS 4 it happens locally. -
If http_parent is ".", then requests are not - forwarded to another HTTP proxy but are made (HTTP-wise) directly to the web servers, albeit through - a SOCKS proxy. -
From the company example.com, direct connections are made to all - "internal" domains, but everything outbound goes through - their ISP's proxy by way of example.com's corporate SOCKS 4A gateway to - the Internet. -
forward-socks4a .*. socks-gw.example.com:1080 www-cache.example-isp.net:8080 - forward .example.com . |
A rule that uses a SOCKS 4 gateway for all destinations but no HTTP parent looks like this: -
forward-socks4 .*. socks-gw.example.com:1080 . |
If you have links to multiple ISPs that provide various special content - only to their subscribers, you can configure multiple Privoxies - which have connections to the respective ISPs to act as forwarders to each other, so that - your users can see the internal content of all ISPs.
Assume that host-a has a PPP connection to isp-a.net. And host-b has a PPP connection to - isp-b.net. Both run Privoxy. Their forwarding - configuration can look like this:
host-a:
forward .*. . - forward .isp-b.net host-b:8118 |
host-b:
forward .*. . - forward .isp-a.net host-a:8118 |
Now, your users can set their browser's proxy to use either - host-a or host-b and be able to browse the internal content - of both isp-a and isp-b.
If you intend to chain Privoxy and - squid locally, then chain as - browser -> squid -> privoxy is the recommended way.
Assuming that Privoxy and squid - run on the same box, your squid configuration could then look like this:
# Define Privoxy as parent proxy (without ICP) - cache_peer 127.0.0.1 parent 8118 7 no-query + - # Define ACL for protocol FTP - acl ftp proto FTP + + + |
All Privoxy configuration is stored + in text files. These files can be edited with a text editor. Many + important aspects of Privoxy can also be + controlled easily with a web browser.
+ +Privoxy's user interface can be + reached through the special URL http://config.privoxy.org/ (shortcut: http://p.p/), which is a built-in page + and works without Internet access. You will see the following + section:
+ +
+ + ++ + Privoxy Menu+ +
|
+
This should be self-explanatory. Note the first item leads to an + editor for the actions files, which is + where the ad, banner, cookie, and URL blocking magic is configured as + well as other advanced features of Privoxy. This is an easy way to adjust various + aspects of Privoxy configuration. The + actions file, and other configuration files, are explained in detail + below.
+ +"Toggle Privoxy On or Off" is handy for + sites that might have problems with your current actions and filters. + You can in fact use it as a test to see whether it is Privoxy causing the problem or not. Privoxy continues to run as a proxy in this case, + but all manipulation is disabled, i.e. Privoxy acts like a normal forwarding proxy.
+ +Note that several of the features described above are disabled by + default in Privoxy 3.0.7 beta and + later. Check the configuration + file to learn why and in which cases it's safe to enable them + again.
+For Unix, *BSD and Linux, all configuration files are located in + /etc/privoxy/ by default. For MS Windows, + OS/2, and AmigaOS these are all in the same directory as the + Privoxy executable. The name and + number of configuration files has changed from previous versions, and + is subject to change as development progresses.
+ +The installed defaults provide a reasonable starting point, though + some settings may be aggressive by some standards. For the time being, + the principle configuration files are:
+ +The main configuration file is named + config on Linux, Unix, BSD, OS/2, and + AmigaOS and config.txt on Windows. This + is a required file.
+match-all.action is used to define + which "actions" relating to + banner-blocking, images, pop-ups, content modification, cookie + handling etc should be applied by default. It should be the first + actions file loaded.
+ +default.action defines many exceptions + (both positive and negative) from the default set of actions that's + configured in match-all.action. It should + be the second actions file loaded and shouldn't be edited by the + user.
+ +Multiple actions files may be defined in config. These are processed in the order they are + defined. Local customizations and locally preferred exceptions to + the default policies as defined in match-all.action (which you will most probably want + to define sooner or later) are best applied in user.action, where you can preserve them across + upgrades. The file isn't installed by all installers, but you can + easily create it yourself with a text editor.
+ +There is also a web based editor that can be accessed from + http://config.privoxy.org/show-status (Shortcut: + http://p.p/show-status) for the various actions + files.
+"Filter files" (the filter file) can be used to re-write the raw + page content, including viewable text as well as embedded HTML and + JavaScript, and whatever else lurks on any given web page. The + filtering jobs are only pre-defined here; whether to apply them or + not is up to the actions files. default.filter includes various filters made + available for use by the developers. Some are much more intrusive + than others, and all should be used with caution. You may define + additional filter files in config as you + can with actions files. We suggest user.filter for any locally defined filters or + customizations.
+The syntax of the configuration and filter files may change between + different Privoxy versions, unfortunately some enhancements cost + backwards compatibility.
+ +All files use the "#" character to denote a comment (the rest of the + line will be ignored) and understand line continuation through placing + a backslash ("\") as the very last character + in a line. If the # is preceded by a + backslash, it looses its special function. Placing a # in front of an otherwise valid configuration line to + prevent it from being interpreted is called "commenting out" that line. + Blank lines are ignored.
+ +The actions files and filter files can use Perl style regular expressions for maximum + flexibility.
+ +After making any changes, there is no need to restart Privoxy in order for the changes to take effect. + Privoxy detects such changes + automatically. Note, however, that it may take one or two additional + requests for the change to take effect. When changing the listening + address of Privoxy, these "wake up" requests must obviously be sent to the + old listening + address.
+ +While under development, the configuration content is subject to + change. The below documentation may not be accurate by the time you + read this. Also, what constitutes a "default" setting, may change, so please check all your + configuration files on important issues.
+