1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN""http://www.w3.org/TR/html4/loose.dtd">
5 >The Main Configuration File</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
10 TITLE="Privoxy 3.0.7 User Manual"
11 HREF="index.html"><LINK
13 TITLE="Privoxy Configuration"
14 HREF="configuration.html"><LINK
17 HREF="actions-file.html"><LINK
21 <LINK REL="STYLESHEET" TYPE="text/css" HREF="p_doc.css">
33 SUMMARY="Header navigation table"
42 >Privoxy 3.0.7 User Manual</TH
50 HREF="configuration.html"
64 HREF="actions-file.html"
79 >7. The Main Configuration File</A
82 > Again, the main configuration file is named <TT
86 Linux/Unix/BSD and OS/2, and <TT
90 Configuration lines consist of an initial keyword followed by a list of
91 values, all separated by whitespace (any number of spaces or tabs). For
102 >confdir /etc/privoxy</I
109 > Assigns the value <TT
116 > and thus indicates that the configuration
117 directory is named <SPAN
119 >"/etc/privoxy/"</SPAN
122 > All options in the config file except for <TT
129 > are optional. Watch out in the below description
130 for what happens if you leave them unset.</P
132 > The main config file controls all aspects of <SPAN
136 operation that are not location dependent (i.e. they apply universally, no matter
137 where you may be surfing).</P
144 >7.1. Local Set-up Documentation</A
147 > If you intend to operate <SPAN
151 than just yourself, it might be a good idea to let them know how to reach
152 you, what you block and why you do that, your policies, etc.
160 >7.1.1. user-manual</A
171 > Location of the <SPAN
181 >A fully qualified URI</P
196 >Effect if unset:</DT
200 HREF="http://www.privoxy.org/user-manual/"
202 >http://www.privoxy.org/<TT
209 will be used, where <TT
224 > The User Manual URI is the single best source of information on
228 >, and is used for help links from some
229 of the internal CGI pages. The manual itself is normally packaged with the
230 binary distributions, so you probably want to set this to a locally
237 > The best all purpose solution is simply to put the full local
256 > user-manual /usr/share/doc/privoxy/user-manual</PRE
263 > The User Manual is then available to anyone with access to
267 >, by following the built-in URL:
270 >http://config.privoxy.org/user-manual/</TT
272 (or the shortcut: <TT
274 >http://p.p/user-manual/</TT
278 > If the documentation is not on the local system, it can be accessed
279 from a remote server, as:
290 > user-manual http://example.com/privoxy/user-manual/</PRE
315 > If set, this option should be <SPAN
319 >the first option in the config
322 >, because it is used while the config file is being read
338 NAME="TRUST-INFO-URL"
339 >7.1.2. trust-info-url</A
350 > A URL to be displayed in the error page that users will see if access to an untrusted page is denied.
363 >Two example URLs are provided</P
366 >Effect if unset:</DT
369 > No links are displayed on the "untrusted" error page.
376 > The value of this option only matters if the experimental trust mechanism has been
378 HREF="config.html#TRUSTFILE"
389 > If you use the trust mechanism, it is a good idea to write up some on-line
390 documentation about your trust policy and to specify the URL(s) here.
391 Use multiple times for multiple URLs.
394 > The URL(s) should be added to the trustfile as well, so users don't end up
395 locked out from the information on why they were locked out in the first place!
407 >7.1.3. admin-address</A
418 > An email address to reach the <SPAN
443 >Effect if unset:</DT
446 > No email address is displayed on error pages and the CGI user interface.
460 are unset, the whole "Local Privoxy Support" box on all generated pages will
472 NAME="PROXY-INFO-URL"
473 >7.1.4. proxy-info-url</A
484 > A URL to documentation about the local <SPAN
488 configuration or policies.
510 >Effect if unset:</DT
513 > No link to local documentation is displayed on error pages and the CGI user interface.
527 are unset, the whole "Local Privoxy Support" box on all generated pages will
531 > This URL shouldn't be blocked ;-)
544 >7.2. Configuration and Log File Locations</A
550 > can (and normally does) use a number of
551 other files for additional configuration, help and logging.
552 This section of the configuration file tells <SPAN
556 where to find those other files. </P
558 > The user running <SPAN
562 permission for all configuration files, and write permission to any files
563 that would be modified, such as log files and actions files.</P
581 >The directory where the other configuration files are located</P
593 >/etc/privoxy (Unix) <SPAN
602 > installation dir (Windows) </P
605 >Effect if unset:</DT
649 >An alternative directory where the templates are loaded from</P
664 >Effect if unset:</DT
667 >The templates are assumed to be located in confdir/template.</P
673 > Privoxy's original templates are usually overwritten
674 with each update. Use this option to relocate customized templates
675 that should be kept. Note that template variables might change
676 between updates and templates are not guaranteed to work with
680 > releases other than the one
704 > The directory where all logging takes place (i.e. where <TT
724 >/var/log/privoxy (Unix) <SPAN
733 > installation dir (Windows) </P
736 >Effect if unset:</DT
769 >7.2.4. actionsfile</A
772 NAME="DEFAULT.ACTION"
775 NAME="STANDARD.ACTION"
790 HREF="actions-file.html"
799 >Complete file name, relative to <TT
815 CLASS="LITERALLAYOUT"
816 > standard.action # Internal purposes, no editing recommended</P
823 CLASS="LITERALLAYOUT"
824 > default.action # Main actions file</P
831 CLASS="LITERALLAYOUT"
832 > user.action # User customizations</P
842 >Effect if unset:</DT
845 > No actions are taken at all. More or less neutral proxying.
855 > lines are permitted, and are in fact recommended!
859 The default values include standard.action, which is used for internal
860 purposes and should be loaded, default.action, which is the
864 > actions file maintained by the developers, and
868 >, where you can make your personal additions.
872 Actions files are where all the per site and per URL configuration is done for
873 ad blocking, cookie management, privacy considerations, etc.
874 There is no point in using <SPAN
878 least one actions file.
881 > Note that since Privoxy 3.0.7, the complete filename, including the <SPAN
885 extension has to be specified. The syntax change was necessary to be consistent
886 with the other file options and to allow previously forbidden characters.
898 >7.2.5. filterfile</A
901 NAME="DEFAULT.FILTER"
913 HREF="filter-file.html"
922 >File name, relative to <TT
931 >default.filter (Unix) <SPAN
937 > default.filter.txt (Windows)</P
940 >Effect if unset:</DT
943 > No textual content filtering takes place, i.e. all
947 HREF="actions-file.html#FILTER"
956 actions in the actions files are turned neutral.
966 > lines are permitted.
970 HREF="filter-file.html"
972 > contain content modification
974 HREF="appendix.html#REGEX"
975 >regular expressions</A
976 >. These rules permit
977 powerful changes on the content of Web pages, and optionally the headers
978 as well, e.g., you could try to disable your favorite JavaScript annoyances,
979 re-write the actual displayed text, or just have some fun
980 playing buzzword bingo with web pages.
987 HREF="actions-file.html#FILTER"
996 actions rely on the relevant filter (<TT
1002 to be defined in a filter file!
1005 > A pre-defined filter file called <TT
1009 a number of useful filters for common problems is included in the distribution.
1010 See the section on the <TT
1013 HREF="actions-file.html#FILTER"
1020 > It is recommended to place any locally adapted filters into a separate
1041 CLASS="VARIABLELIST"
1047 > The log file to use
1054 >File name, relative to <TT
1067 >Unset (commented out)</I
1069 >. When activated: logfile (Unix) <SPAN
1075 > privoxy.log (Windows)</P
1078 >Effect if unset:</DT
1081 > Logging is disabled unless <TT
1091 > The logfile is where all logging and error messages are written. The level
1092 of detail and number of messages are set with the <TT
1096 option (see below). The logfile can be useful for tracking down a problem with
1100 > (e.g., it's not blocking an ad you
1101 think it should block) and it can help you to monitor what your browser
1105 > Many users will never look at it, however, and it's a privacy risk
1106 if third parties can get access to it. It is therefore disabled by
1113 > For troubleshooting purposes, you will have to explicitly enable it.
1114 Please don't file any support requests without trying to reproduce
1115 the problem with logging enabled first. Once you read the log messages,
1116 you may even be able to solve the problem on your own.
1119 > Your logfile will grow indefinitely, and you will probably want to
1120 periodically remove it. On Unix systems, you can do this with a cron job
1124 >). For Red Hat based Linux distributions, a
1128 > script has been included.
1131 > Any log files must be writable by whatever user <SPAN
1135 is being run as (on Unix, default user id is <SPAN
1155 CLASS="VARIABLELIST"
1161 > The file to store intercepted cookies in
1168 >File name, relative to <TT
1181 >Unset (commented out)</I
1183 >. When activated: jarfile (Unix) <SPAN
1189 > privoxy.jar (Windows)</P
1192 >Effect if unset:</DT
1195 > Intercepted cookies are not stored in a dedicated log file.
1202 > The jarfile may grow to ridiculous sizes over time.
1205 > If debug 8 (show header parsing) is enabled, cookies are
1206 also written to the logfile with the rest of the headers.
1207 Therefore this option isn't very useful and may be removed
1208 in future releases. Please report to the developers if you
1221 >7.2.8. trustfile</A
1226 CLASS="VARIABLELIST"
1232 > The name of the trust file to use
1239 >File name, relative to <TT
1252 >Unset (commented out)</I
1254 >. When activated: trust (Unix) <SPAN
1260 > trust.txt (Windows)</P
1263 >Effect if unset:</DT
1266 > The entire trust mechanism is disabled.
1273 > The trust mechanism is an experimental feature for building white-lists and should
1274 be used with care. It is <SPAN
1280 > recommended for the casual user.
1283 > If you specify a trust file, <SPAN
1287 access to sites that are specified in the trustfile. Sites can be listed
1294 > character limits access to this site
1295 only (and any sub-paths within this site), e.g.
1298 >~www.example.com</TT
1302 >~www.example.com/features/news.html</TT
1306 > Or, you can designate sites as <SPAN
1310 >trusted referrers</I
1313 prepending the name with a <TT
1316 > character. The effect is that
1317 access to untrusted sites will be granted -- but only if a link from this
1318 trusted referrer was used to get there. The link target will then be added
1322 > so that future, direct accesses will be
1323 granted. Sites added via this mechanism do not become trusted referrers
1324 themselves (i.e. they are added with a <TT
1328 There is a limit of 512 such entries, after which new entries will not be
1332 > If you use the <TT
1335 > operator in the trust file, it may grow
1336 considerably over time.
1339 > It is recommended that <SPAN
1345 >--disable-force</TT
1348 >--disable-toggle</TT
1352 > --disable-editor</TT
1353 > options, if this feature is to be
1357 > Possible applications include limiting Internet access for children.
1373 > These options are mainly useful when tracing a problem.
1374 Note that you might also want to invoke
1382 command line option when debugging.
1395 CLASS="VARIABLELIST"
1401 > Key values that determine what information gets logged to the
1403 HREF="config.html#LOGFILE"
1424 >12289 (i.e.: URLs plus informational and warning messages)</P
1427 >Effect if unset:</DT
1430 > Nothing gets logged.
1437 > The available debug levels are:
1447 CLASS="PROGRAMLISTING"
1448 > debug 1 # show each GET/POST/CONNECT request
1449 debug 2 # show each connection status
1450 debug 4 # show I/O status
1451 debug 8 # show header parsing
1452 debug 16 # log all data written to the network into the logfile
1453 debug 32 # debug force feature
1454 debug 64 # debug regular expression filters
1455 debug 128 # debug redirects
1456 debug 256 # debug GIF de-animation
1457 debug 512 # Common Log Format
1458 debug 1024 # debug kill pop-ups
1459 debug 2048 # CGI user interface
1460 debug 4096 # Startup banner and warnings.
1461 debug 8192 # Non-fatal errors</PRE
1468 > To select multiple debug levels, you can either add them or use
1475 > A debug level of 1 is informative because it will show you each request
1476 as it happens. <SPAN
1480 >1, 4096 and 8192 are highly recommended</I
1483 so that you will notice when things go wrong. The other levels are probably
1484 only of interest if you are hunting down a specific problem. They can produce
1485 a hell of an output (especially 16).
1489 > The reporting of <SPAN
1495 > errors (i.e. ones which causes
1499 > to exit) is always on and cannot be disabled.
1502 > If you want to use CLF (Common Log Format), you should set <SPAN
1512 > and not enable anything else.
1518 > has a hard-coded limit for the
1519 length of log messages. If it's reached, messages are logged truncated
1520 and marked with <SPAN
1522 >"... [too long, truncated]"</SPAN
1534 NAME="SINGLE-THREADED"
1535 >7.3.2. single-threaded</A
1540 CLASS="VARIABLELIST"
1546 > Whether to run only one server thread
1574 >Effect if unset:</DT
1577 > Multi-threaded (or, where unavailable: forked) operation, i.e. the ability to
1578 serve multiple requests simultaneously.
1585 > This option is only there for debugging purposes and you should never
1586 need to use it. <SPAN
1590 >It will drastically reduce performance.</I
1604 NAME="ACCESS-CONTROL"
1605 >7.4. Access Control and Security</A
1608 > This section of the config file controls the security-relevant aspects
1619 NAME="LISTEN-ADDRESS"
1620 >7.4.1. listen-address</A
1625 CLASS="VARIABLELIST"
1631 > The IP address and TCP port on which <SPAN
1635 listen for client requests.
1661 >Effect if unset:</DT
1664 > Bind to 127.0.0.1 (localhost), port 8118. This is suitable and recommended for
1665 home users who run <SPAN
1668 > on the same machine as
1676 > You will need to configure your browser(s) to this proxy address and port.
1679 > If you already have another service running on port 8118, or if you want to
1680 serve requests from other machines (e.g. on your local network) as well, you
1681 will need to override the default.
1684 > If you leave out the IP address, <SPAN
1688 bind to all interfaces (addresses) on your machine and may become reachable
1689 from the Internet. In that case, consider using <A
1690 HREF="config.html#ACLS"
1691 >access control lists</A
1692 > (ACL's, see below), and/or
1699 > to untrusted users, you will
1700 also want to make sure that the following actions are disabled: <TT
1703 HREF="config.html#ENABLE-EDIT-ACTIONS"
1704 >enable-edit-actions</A
1710 HREF="config.html#ENABLE-REMOTE-TOGGLE"
1711 >enable-remote-toggle</A
1720 > Suppose you are running <SPAN
1724 a machine which has the address 192.168.0.1 on your local private network
1725 (192.168.0.0) and has another outside connection with a different address.
1726 You want it to serve requests from inside only:
1736 CLASS="PROGRAMLISTING"
1737 > listen-address 192.168.0.1:8118</PRE
1758 CLASS="VARIABLELIST"
1764 > Initial state of "toggle" status
1780 >Effect if unset:</DT
1783 > Act as if toggled on
1790 > If set to 0, <SPAN
1796 >"toggled off"</SPAN
1797 > mode, i.e. mostly behave like a normal,
1798 content-neutral proxy with both ad blocking and content filtering
1801 >enable-remote-toggle</TT
1805 > The windows version will only display the toggle icon in the system tray
1806 if this option is present.
1817 NAME="ENABLE-REMOTE-TOGGLE"
1818 >7.4.3. enable-remote-toggle</A
1823 CLASS="VARIABLELIST"
1829 > Whether or not the <A
1830 HREF="http://config.privoxy.org/toggle"
1850 >Effect if unset:</DT
1853 > The web-based toggle feature is disabled.
1860 > When toggled off, <SPAN
1863 > mostly acts like a normal,
1864 content-neutral proxy, i.e. doesn't block ads or filter content.
1867 > Access to the toggle feature can <SPAN
1874 controlled separately by <SPAN
1877 > or HTTP authentication,
1878 so that everybody who can access <SPAN
1889 toggle it for all users. So this option is <SPAN
1896 for multi-user environments with untrusted users.
1899 > Note that malicious client side code (e.g Java) is also
1900 capable of using this option.
1907 documentation, this feature has been disabled by default.
1910 > Note that you must have compiled <SPAN
1914 support for this feature, otherwise this option has no effect.
1925 NAME="ENABLE-REMOTE-HTTP-TOGGLE"
1926 >7.4.4. enable-remote-http-toggle</A
1931 CLASS="VARIABLELIST"
1937 > Whether or not Privoxy recognizes special HTTP headers to change its behaviour.
1953 >Effect if unset:</DT
1956 > Privoxy ignores special HTTP headers.
1963 > When toggled on, the client can change <SPAN
1967 behaviour by setting special HTTP headers. Currently the only supported
1968 special header is <SPAN
1970 >"X-Filter: No"</SPAN
1971 >, to disable filtering for
1972 the ongoing request, even if it is enabled in one of the action files.
1975 > This feature is disabled by default. If you are using
1979 > in a environment with trusted clients,
1980 you may enable this feature at your discretion. Note that malicious client
1981 side code (e.g Java) is also capable of using this feature.
1984 > This option may be removed in future releases as it has been obsoleted
1985 by the more general header taggers.
1996 NAME="ENABLE-EDIT-ACTIONS"
1997 >7.4.5. enable-edit-actions</A
2002 CLASS="VARIABLELIST"
2008 > Whether or not the <A
2009 HREF="http://config.privoxy.org/show-status"
2029 >Effect if unset:</DT
2032 > The web-based actions file editor is disabled.
2039 > Access to the editor can <SPAN
2046 controlled separately by <SPAN
2049 > or HTTP authentication,
2050 so that everybody who can access <SPAN
2061 modify its configuration for all users.
2064 > This option is <SPAN
2071 with untrusted users and is therefore disabled by default.
2074 > Note that malicious client side code (e.g Java) is also
2075 capable of using the actions editor and you shouldn't enable
2076 this options unless you understand the consequences and are
2077 sure your browser is configured correctly.
2084 documentation, this feature has been disabled by default.
2087 > Note that you must have compiled <SPAN
2091 support for this feature, otherwise this option has no effect.
2102 NAME="ENFORCE-BLOCKS"
2103 >7.4.6. enforce-blocks</A
2108 CLASS="VARIABLELIST"
2114 > Whether the user is allowed to ignore blocks and can <SPAN
2116 >"go there anyway"</SPAN
2145 >Effect if unset:</DT
2148 > Blocks are not enforced.
2158 > is mainly used to block and filter
2159 requests as a service to the user, for example to block ads and other
2160 junk that clogs the pipes. <SPAN
2164 isn't perfect and sometimes innocent pages are blocked. In this situation it
2165 makes sense to allow the user to enforce the request and have
2172 > In the default configuration <SPAN
2179 > page contains a <SPAN
2181 >"go there anyway"</SPAN
2183 link to adds a special string (the force prefix) to the request URL.
2184 If that link is used, <SPAN
2188 detect the force prefix, remove it again and let the request pass.
2194 > can also be used to enforce
2195 a network policy. In that case the user obviously should not be able to
2196 bypass any blocks, and that's what the <SPAN
2198 >"enforce-blocks"</SPAN
2200 option is for. If it's enabled, <SPAN
2206 >"go there anyway"</SPAN
2207 > link. If the user adds the force
2208 prefix by hand, it will not be accepted and the circumvention attempt
2228 >7.4.7. ACLs: permit-access and deny-access</A
2231 NAME="PERMIT-ACCESS"
2239 CLASS="VARIABLELIST"
2245 > Who can access what.
2287 > are IP addresses in dotted decimal notation or valid
2299 > are subnet masks in CIDR notation, i.e. integer
2300 values from 2 to 30 representing the length (in bits) of the network address. The masks and the whole
2301 destination part are optional.
2317 >Effect if unset:</DT
2320 > Don't restrict access further than implied by <TT
2330 > Access controls are included at the request of ISPs and systems
2331 administrators, and <SPAN
2335 >are not usually needed by individual users</I
2338 For a typical home user, it will normally suffice to ensure that
2342 > only listens on the localhost
2343 (127.0.0.1) or internal (home) network address by means of the
2345 HREF="config.html#LISTEN-ADDRESS"
2357 > Please see the warnings in the FAQ that this proxy is not intended to be a substitute
2358 for a firewall or to encourage anyone to defer addressing basic security
2362 > Multiple ACL lines are OK.
2363 If any ACLs are specified, <SPAN
2367 to IP addresses that match at least one <TT
2371 and don't match any subsequent <TT
2374 > line. In other words, the
2375 last match wins, with the default being <TT
2384 > is using a forwarder (see <TT
2388 for a particular destination URL, the <TT
2394 that is examined is the address of the forwarder and <SPAN
2401 of the ultimate target. This is necessary because it may be impossible for the local
2405 > to determine the IP address of the
2406 ultimate target (that's often what gateways are used for).
2409 > You should prefer using IP addresses over DNS names, because the address lookups take
2410 time. All DNS names must resolve! You can <SPAN
2416 > use domain patterns
2420 > or partial domain names. If a DNS name resolves to multiple
2421 IP addresses, only the first one is used.
2424 > Denying access to particular sites by ACL may have undesired side effects
2425 if the site in question is hosted on a machine which also hosts other sites
2433 > Explicitly define the default behavior if no ACL and
2441 is OK. The absence of a <TT
2453 > destination addresses are OK:
2464 > permit-access localhost</PRE
2471 > Allow any host on the same class C subnet as www.privoxy.org access to
2472 nothing but www.example.com (or other domains hosted on the same system):
2483 > permit-access www.privoxy.org/24 www.example.com/32</PRE
2490 > Allow access from any host on the 26-bit subnet 192.168.45.64 to anywhere,
2491 with the exception that 192.168.45.73 may not access the IP address behind
2492 www.dirty-stuff.example.com:
2503 > permit-access 192.168.45.64/26
2504 deny-access 192.168.45.73 www.dirty-stuff.example.com</PRE
2520 >7.4.8. buffer-limit</A
2525 CLASS="VARIABLELIST"
2531 > Maximum size of the buffer for content filtering.
2547 >Effect if unset:</DT
2550 > Use a 4MB (4096 KB) limit.
2557 > For content filtering, i.e. the <TT
2564 > actions, it is necessary that
2568 > buffers the entire document body.
2569 This can be potentially dangerous, since a server could just keep sending
2570 data indefinitely and wait for your RAM to exhaust -- with nasty consequences.
2574 > When a document buffer size reaches the <TT
2578 flushed to the client unfiltered and no further attempt to
2579 filter the rest of the document is made. Remember that there may be multiple threads
2580 running, which might require up to <TT
2590 >, unless you have enabled <SPAN
2592 >"single-threaded"</SPAN
2610 > This feature allows routing of HTTP requests through a chain of
2611 multiple proxies.</P
2613 > Forwarding can be used to chain Privoxy with a caching proxy to speed
2614 up browsing. Using a parent proxy may also be necessary if the machine
2618 > runs on has no direct Internet access.</P
2620 > Note that parent proxies can severely decrease your privacy level.
2621 For example a parent proxy could add your IP address to the request
2622 headers and if it's a caching proxy it may add the <SPAN
2626 header to revalidation requests again, even though you configured Privoxy
2627 to remove it. It may also ignore Privoxy's header time randomization and use the
2628 original values which could be used by the server as cookie replacement
2629 to track your steps between visits.</P
2631 > Also specified here are SOCKS proxies. <SPAN
2635 supports the SOCKS 4 and SOCKS 4A protocols.</P
2647 CLASS="VARIABLELIST"
2653 > To which parent HTTP proxy specific requests should be routed.
2685 HREF="actions-file.html#AF-PATTERNS"
2688 that specifies to which requests (i.e. URLs) this forward rule shall apply. Use <TT
2707 is the DNS name or IP address of the parent HTTP proxy through which the requests should be forwarded,
2708 optionally followed by its listening port (default: 8080).
2709 Use a single dot (<TT
2714 >"no forwarding"</SPAN
2731 >Effect if unset:</DT
2734 > Don't use parent HTTP proxies.
2749 >, then requests are not
2750 forwarded to another HTTP proxy but are made directly to the web servers.
2753 > Multiple lines are OK, they are checked in sequence, and the last match wins.
2760 > Everything goes to an example parent proxy, except SSL on port 443 (which it doesn't handle):
2771 > forward / parent-proxy.example.org:8080
2779 > Everything goes to our example ISP's caching proxy, except for requests
2780 to that ISP's sites:
2791 > forward / caching-proxy.example-isp.net:8000
2792 forward .example-isp.net .</PRE
2808 >7.5.2. forward-socks4 and forward-socks4a</A
2811 NAME="FORWARD-SOCKS4"
2814 NAME="FORWARD-SOCKS4A"
2819 CLASS="VARIABLELIST"
2825 > Through which SOCKS proxy (and optionally to which parent HTTP proxy) specific requests should be routed.
2868 HREF="actions-file.html#AF-PATTERNS"
2871 that specifies to which requests (i.e. URLs) this forward rule shall apply. Use <TT
2890 are IP addresses in dotted decimal notation or valid DNS names (<TT
2901 >"no HTTP forwarding"</SPAN
2902 >), and the optional
2908 > parameters are TCP ports, i.e. integer values from 1 to 64535
2924 >Effect if unset:</DT
2927 > Don't use SOCKS proxies.
2934 > Multiple lines are OK, they are checked in sequence, and the last match wins.
2937 > The difference between <TT
2942 >forward-socks4a</TT
2944 is that in the SOCKS 4A protocol, the DNS resolution of the target hostname happens on the SOCKS
2945 server, while in SOCKS 4 it happens locally.
2956 >, then requests are not
2957 forwarded to another HTTP proxy but are made (HTTP-wise) directly to the web servers, albeit through
2965 > From the company example.com, direct connections are made to all
2969 > domains, but everything outbound goes through
2970 their ISP's proxy by way of example.com's corporate SOCKS 4A gateway to
2982 > forward-socks4a / socks-gw.example.com:1080 www-cache.example-isp.net:8080
2983 forward .example.com .</PRE
2990 > A rule that uses a SOCKS 4 gateway for all destinations but no HTTP parent looks like this:
3001 > forward-socks4 / socks-gw.example.com:1080 .</PRE
3008 > To chain Privoxy and Tor, both running on the same system, you should use
3020 > forward-socks4a / 127.0.0.1:9050 .</PRE
3030 > network can't be used to
3031 reach your local network, if you need to access local servers you
3032 therefore might want to make some exceptions:
3043 > forward 192.168.*.*/ .
3045 forward 127.*.*.*/ .</PRE
3052 > Unencrypted connections to systems in these address ranges will
3053 be as (un)secure as the local network is, but the alternative is that you
3054 can't reach the local network through <SPAN
3061 > If you also want to be able to reach servers in your local network by
3062 using their names, you will need additional exceptions that look like
3074 > forward localhost/ .</PRE
3089 NAME="ADVANCED-FORWARDING-EXAMPLES"
3090 >7.5.3. Advanced Forwarding Examples</A
3093 > If you have links to multiple ISPs that provide various special content
3094 only to their subscribers, you can configure multiple <SPAN
3098 which have connections to the respective ISPs to act as forwarders to each other, so that
3105 > users can see the internal content of all ISPs.</P
3107 > Assume that host-a has a PPP connection to isp-a.net. And host-b has a PPP connection to
3108 isp-b.net. Both run <SPAN
3112 configuration can look like this:</P
3125 forward .isp-b.net host-b:8118</PRE
3142 forward .isp-a.net host-a:8118</PRE
3148 > Now, your users can set their browser's proxy to use either
3149 host-a or host-b and be able to browse the internal content
3150 of both isp-a and isp-b.</P
3152 > If you intend to chain <SPAN
3159 > locally, then chain as
3162 >browser -> squid -> privoxy</TT
3163 > is the recommended way. </P
3165 > Assuming that <SPAN
3172 run on the same box, your <SPAN
3175 > configuration could then look like this:</P
3185 > # Define Privoxy as parent proxy (without ICP)
3186 cache_peer 127.0.0.1 parent 8118 7 no-query
3188 # Define ACL for protocol FTP
3191 # Do not forward FTP requests to Privoxy
3192 always_direct allow ftp
3194 # Forward all the rest to Privoxy
3195 never_direct allow all</PRE
3201 > You would then need to change your browser's proxy settings to <SPAN
3204 >'s address and port.
3205 Squid normally uses port 3128. If unsure consult <TT
3213 > You could just as well decide to only forward requests for Windows executables through
3214 a virus-scanning parent proxy, say, on <TT
3216 >antivir.example.com</TT
3228 forward /.*\.(exe|com|dll|zip)$ antivir.example.com:8010</PRE
3239 NAME="FORWARDED-CONNECT-RETRIES"
3240 >7.5.4. forwarded-connect-retries</A
3245 CLASS="VARIABLELIST"
3251 > How often Privoxy retries if a forwarded connection request fails.
3261 >Number of retries.</I
3279 >Effect if unset:</DT
3282 > Connections forwarded through other proxies are treated like direct connections and no retry attempts are made.
3292 >forwarded-connect-retries</I
3294 > is mainly interesting
3295 for socks4a connections, where <SPAN
3298 > can't detect why the connections failed.
3299 The connection might have failed because of a DNS timeout in which case a retry makes sense,
3300 but it might also have failed because the server doesn't exist or isn't reachable. In this
3301 case the retry will just delay the appearance of Privoxy's error message.
3304 > Note that in the context of this option, <SPAN
3306 >"forwarded connections"</SPAN
3307 > includes all connections
3308 that Privoxy forwards through other proxies. This option is not limited to the HTTP CONNECT method.
3311 > Only use this option, if you are getting lots of forwarding-related error messages
3312 that go away when you try again manually. Start with a small value and check Privoxy's
3313 logfile from time to time, to see how many retries are usually needed.
3320 > forwarded-connect-retries 1
3331 NAME="ACCEPT-INTERCEPTED-REQUESTS"
3332 >7.5.5. accept-intercepted-requests</A
3337 CLASS="VARIABLELIST"
3343 > Whether intercepted requests should be treated as valid.
3371 >Effect if unset:</DT
3374 > Only proxy requests are accepted, intercepted requests are treated as invalid.
3381 > If you don't trust your clients and want to force them
3386 option and configure your packet filter to redirect outgoing
3387 HTTP connections into <SPAN
3393 > Make sure that <SPAN
3397 aren't redirected as well. Additionally take care that
3401 > can't intentionally connect
3402 to itself, otherwise you could run into redirection loops if
3406 > listening port is reachable
3407 by the outside or an attacker has access to the pages you visit.
3414 > accept-intercepted-requests 1
3425 NAME="ALLOW-CGI-REQUEST-CRUNCHING"
3426 >7.5.6. allow-cgi-request-crunching</A
3431 CLASS="VARIABLELIST"
3437 > Whether requests to <SPAN
3440 > CGI pages can be blocked or redirected.
3468 >Effect if unset:</DT
3474 > ignores block and redirect actions for its CGI pages.
3484 > ignores block or redirect actions
3485 for its CGI pages. Intercepting these requests can be useful in multi-user
3486 setups to implement fine-grained access control, but it can also render the complete
3487 web interface useless and make debugging problems painful if done without care.
3490 > Don't enable this option unless you're sure that you really need it.
3497 > allow-cgi-request-crunching 1
3508 NAME="SPLIT-LARGE-FORMS"
3509 >7.5.7. split-large-forms</A
3514 CLASS="VARIABLELIST"
3520 > Whether the CGI interface should stay compatible with broken HTTP clients.
3548 >Effect if unset:</DT
3551 > The CGI form generate long GET URLs.
3561 > CGI forms can lead to
3562 rather long URLs. This isn't a problem as far as the HTTP
3563 standard is concerned, but it can confuse clients with arbitrary
3564 URL lenght limitations.
3567 > Enabling split-large-forms causes <SPAN
3571 to devide big forms into smaller ones to keep the URL length down.
3572 It makes editing a lot less convenient and you can no longer
3573 submit all changes at once, but at least it works around this
3577 > If you don't notice any editing problems, there is no reason
3578 to enable this option, but if one of the submit buttons appears
3579 to be broken, you should give it a try.
3586 > split-large-forms 1
3599 >7.6. Windows GUI Options</A
3605 > has a number of options specific to the
3606 Windows GUI interface:</P
3608 NAME="ACTIVITY-ANIMATION"
3613 >"activity-animation"</SPAN
3618 > icon will animate when
3622 > is active. To turn off, set to 0.</P
3627 CLASS="LITERALLAYOUT"
3632 >activity-animation 1</I
3635 </P
3645 >"log-messages"</SPAN
3650 > will log messages to the console
3656 CLASS="LITERALLAYOUT"
3664 </P
3669 NAME="LOG-BUFFER-SIZE"
3675 >"log-buffer-size"</SPAN
3676 > is set to 1, the size of the log buffer,
3677 i.e. the amount of memory used for the log messages displayed in the
3678 console window, will be limited to <SPAN
3680 >"log-max-lines"</SPAN
3683 > Warning: Setting this to 0 will result in the buffer to grow infinitely and
3684 eat up all your memory!</P
3689 CLASS="LITERALLAYOUT"
3694 >log-buffer-size 1</I
3697 </P
3702 NAME="LOG-MAX-LINES"
3707 >log-max-lines</SPAN
3708 > is the maximum number of lines held
3709 in the log buffer. See above.</P
3714 CLASS="LITERALLAYOUT"
3719 >log-max-lines 200</I
3722 </P
3727 NAME="LOG-HIGHLIGHT-MESSAGES"
3732 >"log-highlight-messages"</SPAN
3737 > will highlight portions of the log
3738 messages with a bold-faced font:</P
3743 CLASS="LITERALLAYOUT"
3748 >log-highlight-messages 1</I
3751 </P
3756 NAME="LOG-FONT-NAME"
3759 > The font used in the console window:</P
3764 CLASS="LITERALLAYOUT"
3769 >log-font-name Comic Sans MS</I
3772 </P
3777 NAME="LOG-FONT-SIZE"
3780 > Font size used in the console window:</P
3785 CLASS="LITERALLAYOUT"
3793 </P
3798 NAME="SHOW-ON-TASK-BAR"
3804 >"show-on-task-bar"</SPAN
3805 > controls whether or not
3809 > will appear as a button on the Task bar
3815 CLASS="LITERALLAYOUT"
3820 >show-on-task-bar 0</I
3823 </P
3828 NAME="CLOSE-BUTTON-MINIMIZES"
3833 >"close-button-minimizes"</SPAN
3834 > is set to 1, the Windows close
3835 button will minimize <SPAN
3838 > instead of closing
3839 the program (close with the exit option on the File menu).</P
3844 CLASS="LITERALLAYOUT"
3849 >close-button-minimizes 1</I
3852 </P
3862 >"hide-console"</SPAN
3863 > option is specific to the MS-Win console
3867 >. If this option is used,
3871 > will disconnect from and hide the
3877 CLASS="LITERALLAYOUT"
3885 </P
3896 SUMMARY="Footer navigation table"
3907 HREF="configuration.html"
3925 HREF="actions-file.html"
3935 >Privoxy Configuration</TD
projects / privoxy.git / blob