-# Sample Configuration File for Privoxy 3.0.25
-#
-# $Id: config,v 1.109 2016/03/17 10:43:39 fabiankeil Exp $
-#
-# Copyright (C) 2001-2016 Privoxy Developers http://www.privoxy.org/
-#
-####################################################################
-# #
-# Table of Contents #
-# #
-# I. INTRODUCTION #
-# II. FORMAT OF THE CONFIGURATION FILE #
-# #
-# 1. LOCAL SET-UP DOCUMENTATION #
-# 2. CONFIGURATION AND LOG FILE LOCATIONS #
-# 3. DEBUGGING #
-# 4. ACCESS CONTROL AND SECURITY #
-# 5. FORWARDING #
-# 6. MISCELLANEOUS #
-# 7. WINDOWS GUI OPTIONS #
-# #
-####################################################################
+# Sample Configuration File for Privoxy 3.0.29
+#
+# Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/
+#
+#####################################################################
+# #
+# Table of Contents #
+# #
+# I. INTRODUCTION #
+# II. FORMAT OF THE CONFIGURATION FILE #
+# #
+# 1. LOCAL SET-UP DOCUMENTATION #
+# 2. CONFIGURATION AND LOG FILE LOCATIONS #
+# 3. DEBUGGING #
+# 4. ACCESS CONTROL AND SECURITY #
+# 5. FORWARDING #
+# 6. MISCELLANEOUS #
+# 7. TLS #
+# 8. WINDOWS GUI OPTIONS #
+# #
+#####################################################################
#
#
# I. INTRODUCTION
#
# Effect if unset:
#
-# http://www.privoxy.org/version/user-manual/ will be used,
+# https://www.privoxy.org/version/user-manual/ will be used,
# where version is the Privoxy version.
#
# Notes:
# config file, because it is used while the config file is
# being read.
#
-#user-manual http://www.privoxy.org/user-manual/
+#user-manual https://www.privoxy.org/user-manual/
#
# 1.2. trust-info-url
# ====================
# problem on your own.
#
#debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
-#debug 1024 # Actions that are applied to all sites and maybe overruled later on.
+#debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#debug 4096 # Startup banner and warnings
#debug 8192 # Non-fatal errors
#
#
enable-proxy-authentication-forwarding 0
#
+# 4.10. trusted-cgi-referer
+# ==========================
+#
+# Specifies:
+#
+# A trusted website or webpage whose links can be followed to
+# reach sensitive CGI pages
+#
+# Type of value:
+#
+# URL or URL prefix
+#
+# Default value:
+#
+# Unset
+#
+# Effect if unset:
+#
+# No external pages are considered trusted referers.
+#
+# Notes:
+#
+# Before Privoxy accepts configuration changes through CGI pages
+# like client-tags or the remote toggle, it checks the Referer
+# header to see if the request comes from a trusted source.
+#
+# By default only the webinterface domains config.privoxy.org
+# and p.p are considered trustworthy. Requests originating from
+# other domains are rejected to prevent third-parties from
+# modifiying Privoxy's state by e.g. embedding images that
+# result in CGI requests.
+#
+# In some environments it may be desirable to embed links to CGI
+# pages on external pages, for example on an Intranet homepage
+# the Privoxy admin controls.
+#
+# The "trusted-cgi-referer" option can be used to add that page,
+# or the whole domain, as trusted source so the resulting
+# requests aren't rejected. Requests are accepted if the
+# specified trusted-cgi-refer is the prefix of the Referer.
+#
+# If the trusted source is supposed to access the CGI pages via
+# JavaScript the cors-allowed-origin option can be used.
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Declaring pages the admin doesn't control trustworthy|
+# |may allow malicious third parties to modify Privoxy's|
+# |internal state against the user's wishes and without |
+# |the user's knowledge. |
+# +-----------------------------------------------------+
+#
+#trusted-cgi-referer http://www.example.org/local-privoxy-control-page
+#
+# 4.11. cors-allowed-origin
+# ==========================
+#
+# Specifies:
+#
+# A trusted website which can access Privoxy's CGI pages through
+# JavaScript.
+#
+# Type of value:
+#
+# URL
+#
+# Default value:
+#
+# Unset
+#
+# Effect if unset:
+#
+# No external sites get access via cross-origin resource
+# sharing.
+#
+# Notes:
+#
+# Modern browsers by default prevent cross-origin requests made
+# via JavaScript to Privoxy's CGI interface even if Privoxy
+# would trust the referer because it's white listed via the
+# trusted-cgi-referer directive.
+#
+# Cross-origin resource sharing (CORS) is a mechanism to allow
+# cross-origin requests.
+#
+# The "cors-allowed-origin" option can be used to specify a
+# domain that is allowed to make requests to Privoxy CGI
+# interface via JavaScript. It is used in combination with the
+# trusted-cgi-referer directive.
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Declaring domains the admin doesn't control |
+# |trustworthy may allow malicious third parties to |
+# |modify Privoxy's internal state against the user's |
+# |wishes and without the user's knowledge. |
+# +-----------------------------------------------------+
+#
+#cors-allowed-origin http://www.example.org/
+#
# 5. FORWARDING
# ==============
#
#
# Type of value:
#
-# target_pattern socks_proxy[:port] http_parent[:port]
+# target_pattern [user:pass@]socks_proxy[:port] http_parent[:port]
#
# where target_pattern is a URL pattern that specifies to which
# requests (i.e. URLs) this forward rule shall apply. Use / to
# addresses in dotted decimal notation or valid DNS names (
# http_parent may be "." to denote "no HTTP forwarding"), and
# the optional port parameters are TCP ports, i.e. integer
-# values from 1 to 65535
+# values from 1 to 65535. user and pass can be used for SOCKS5
+# authentication if required.
#
# Default value:
#
#
# forward-socks4 / socks-gw.example.com:1080 .
#
+# To connect SOCKS5 proxy which requires username/password
+# authentication:
+#
+# forward-socks5 / user:pass@socks-gw.example.com:1080 .
+#
# To chain Privoxy and Tor, both running on the same system, you
# would use something like:
#
# loops if Privoxy's listening port is reachable by the outside
# or an attacker has access to the pages you visit.
#
+# If you are running Privoxy as intercepting proxy without being
+# able to intercept all client requests you may want to adjust
+# the CGI templates to make sure they don't reference content
+# from config.privoxy.org.
+#
# Examples:
#
# accept-intercepted-requests 1
#
#max-client-connections 256
#
-# 6.10. handle-as-empty-doc-returns-ok
+# 6.10. listen-backlog
+# =====================
+#
+# Specifies:
+#
+# Connection queue length requested from the operating system.
+#
+# Type of value:
+#
+# Number.
+#
+# Default value:
+#
+# 128
+#
+# Effect if unset:
+#
+# A connection queue length of 128 is requested from the
+# operating system.
+#
+# Notes:
+#
+# Under high load incoming connection may queue up before
+# Privoxy gets around to serve them. The queue length is
+# limitted by the operating system. Once the queue is full,
+# additional connections are dropped before Privoxy can accept
+# and serve them.
+#
+# Increasing the queue length allows Privoxy to accept more
+# incomming connections that arrive roughly at the same time.
+#
+# Note that Privoxy can only request a certain queue length,
+# whether or not the requested length is actually used depends
+# on the operating system which may use a different length
+# instead.
+#
+# On many operating systems a limit of -1 can be specified to
+# instruct the operating system to use the maximum queue length
+# allowed. Check the listen man page to see if your platform
+# allows this.
+#
+# On some platforms you can use "netstat -Lan -p tcp" to see the
+# effective queue length.
+#
+# Effectively using a value above 128 usually requires changing
+# the system configuration as well. On FreeBSD-based system the
+# limit is controlled by the kern.ipc.soacceptqueue sysctl.
+#
+# Examples:
+#
+# listen-backlog 4096
+#
+#listen-backlog -1
+#
+# 6.11. enable-accept-filter
+# ===========================
+#
+# Specifies:
+#
+# Whether or not Privoxy should use an accept filter
+#
+# Type of value:
+#
+# 0 or 1
+#
+# Default value:
+#
+# 0
+#
+# Effect if unset:
+#
+# No accept filter is enabled.
+#
+# Notes:
+#
+# Accept filters reduce the number of context switches by not
+# passing sockets for new connections to Privoxy until a
+# complete HTTP request is available.
+#
+# As a result, Privoxy can process the whole request right away
+# without having to wait for additional data first.
+#
+# For this option to work, Privoxy has to be compiled with
+# FEATURE_ACCEPT_FILTER and the operating system has to support
+# it (which may require loading a kernel module).
+#
+# Currently accept filters are only supported on FreeBSD-based
+# systems. Check the accf_http(9) man page to learn how to
+# enable the support in the operating system.
+#
+# Examples:
+#
+# enable-accept-filter 1
+#
+#enable-accept-filter 1
+#
+# 6.12. handle-as-empty-doc-returns-ok
# =====================================
#
# Specifies:
#
#handle-as-empty-doc-returns-ok 1
#
-# 6.11. enable-compression
+# 6.13. enable-compression
# =========================
#
# Specifies:
#
#enable-compression 1
#
-# 6.12. compression-level
+# 6.14. compression-level
# ========================
#
# Specifies:
#
#compression-level 1
#
-# 6.13. client-header-order
+# 6.15. client-header-order
# ==========================
#
# Specifies:
# affected by this directive.
#
#client-header-order Host \
+# User-Agent \
# Accept \
# Accept-Language \
# Accept-Encoding \
# Content-Type
#
#
-# 6.14. client-specific-tag
+# 6.16. client-specific-tag
# ==========================
#
# Specifies:
# requested again.
#
# Clients can request tags to be set by using the CGI interface
-# http://config.privoxy.org/show-client-tags. The specific tag
+# http://config.privoxy.org/client-tags. The specific tag
# description is only used on the web page and should be phrased
# in away that the user understand the effect of the tag.
#
#
#
#
-# 6.15. client-tag-lifetime
+# 6.17. client-tag-lifetime
# ==========================
#
# Specifies:
# to circumvent a block that is the result of an overly-broad
# URL pattern.
#
-# The CGI interface http://config.privoxy.org/show-client-tags
+# The CGI interface http://config.privoxy.org/client-tags
# therefore provides a "enable this tag temporarily" option. If
# it is used, the tag will be set until the client-tag-lifetime
# is over.
#
#
#
-# 7. WINDOWS GUI OPTIONS
+# 6.18. trust-x-forwarded-for
+# ============================
+#
+# Specifies:
+#
+# Whether or not Privoxy should use IP addresses specified with
+# the X-Forwarded-For header
+#
+# Type of value:
+#
+# 0 or one
+#
+# Default value:
+#
+# 0
+#
+# Notes:
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |This is an experimental feature. The syntax is likely|
+# |to change in future versions. |
+# +-----------------------------------------------------+
+#
+# If clients reach Privoxy through another proxy, for example a
+# load balancer, Privoxy can't tell the client's IP address from
+# the connection. If multiple clients use the same proxy, they
+# will share the same client tag settings which is usually not
+# desired.
+#
+# This option lets Privoxy use the X-Forwarded-For header value
+# as client IP address. If the proxy sets the header, multiple
+# clients using the same proxy do not share the same client tag
+# settings.
+#
+# This option should only be enabled if Privoxy can only be
+# reached through a proxy and if the proxy can be trusted to set
+# the header correctly. It is recommended that ACL are used to
+# make sure only trusted systems can reach Privoxy.
+#
+# If access to Privoxy isn't limited to trusted systems, this
+# option would allow malicious clients to change the client tags
+# for other clients or increase Privoxy's memory requirements by
+# registering lots of client tag settings for clients that don't
+# exist.
+#
+# Examples:
+#
+# # Allow systems that can reach Privoxy to provide the client
+# # IP address with a X-Forwarded-For header.
+# trust-x-forwarded-for 1
+#
+#
+#
+# 6.19. receive-buffer-size
+# ==========================
+#
+# Specifies:
+#
+# The size of the buffer Privoxy uses to receive data from the
+# server.
+#
+# Type of value:
+#
+# Size in bytes
+#
+# Default value:
+#
+# 5000
+#
+# Notes:
+#
+# Increasing the receive-buffer-size increases Privoxy's memory
+# usage but can lower the number of context switches and thereby
+# reduce the cpu usage and potentially increase the throughput.
+#
+# This is mostly relevant for fast network connections and large
+# downloads that don't require filtering.
+#
+# Reducing the buffer size reduces the amount of memory Privoxy
+# needs to handle the request but increases the number of
+# systemcalls and may reduce the throughput.
+#
+# A dtrace command like: "sudo dtrace -n 'syscall::read:return /
+# execname == "privoxy"/ { @[execname] = llquantize(arg0, 10, 0,
+# 5, 20); @m = max(arg0)}'" can be used to properly tune the
+# receive-buffer-size. On systems without dtrace, strace or
+# truss may be used as less convenient alternatives.
+#
+# If the buffer is too large it will increase Privoxy's memory
+# footprint without any benefit. As the memory is (currently)
+# cleared before using it, a buffer that is too large can
+# actually reduce the throughput.
+#
+# Examples:
+#
+# # Increase the receive buffer size
+# receive-buffer-size 32768
+#
+#
+# 7. TLS/SSL
+# ===========
+#
+# 7.1. ca-directory
+# ==================
+#
+# Specifies:
+#
+# Directory with the CA key, the CA certificate and the trusted
+# CAs file.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# Empty string
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the directory where the CA key, the
+# CA certificate and the trusted CAs file are located.
+#
+# Examples:
+#
+# ca-directory /usr/local/etc/privoxy/CA
+#
+#ca-directory /usr/local/etc/privoxy/CA
+#
+# 7.2. ca-cert-file
+# ==================
+#
+# Specifies:
+#
+# The CA certificate file in ".crt" format.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# cacert.crt
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the name of the CA certificate file
+# in ".crt" format.
+#
+# It can be generated with: openssl req -new -x509 -extensions
+# v3_ca -keyout cakey.pem -out cacert.crt -days 3650
+#
+# Examples:
+#
+# ca-cert-file root.crt
+#
+#ca-cert-file cacert.crt
+#
+# 7.3. ca-key-file
+# =================
+#
+# Specifies:
+#
+# The CA key file in ".pem" format.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# cacert.pem
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the name of the CA key file in ".pem"
+# format. See the ca-cert-file for a command to generate it.
+#
+# Examples:
+#
+# ca-key-file cakey.pem
+#
+#ca-key-file root.pem
+#
+# 7.4. ca-password
+# =================
+#
+# Specifies:
+#
+# The password for the CA keyfile.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# Empty string
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the password for the CA keyfile that
+# is used when Privoxy generates certificates for intercepted
+# requests.
+#
+# Note that the password is shown on the CGI page so don't reuse
+# an important one.
+#
+# Examples:
+#
+# ca-password blafasel
+#
+#ca-password swordfish
+#
+# 7.5. certificate-directory
+# ===========================
+#
+# Specifies:
+#
+# Directory to safe generated keys and certificates.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# ./certs
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the directory where generated TLS/SSL
+# keys and certificates are saved.
+#
+# Examples:
+#
+# certificate-directory /usr/local/var/privoxy/certs
+#
+#certificate-directory /usr/local/var/privoxy/certs
+#
+# 7.6. trusted-cas-file
+# ======================
+#
+# Specifies:
+#
+# The trusted CAs file in ".pem" format.
+#
+# Type of value:
+#
+# File name relative to ca-directory
+#
+# Default value:
+#
+# trustedCAs.pem
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the trusted CAs file that is used
+# when validating certificates for intercepted TLS/SSL request.
+#
+# An example file can be downloaded from https://curl.haxx.se/ca
+# /cacert.pem.
+#
+# Examples:
+#
+# trusted-cas-file trusted_cas_file.pem
+#
+#trusted-cas-file trustedCAs.pem
+#
+# 8. WINDOWS GUI OPTIONS
# =======================
#
# Privoxy has a number of options specific to the Windows GUI
# interface:
#
#
-#
# If "activity-animation" is set to 1, the Privoxy icon will animate
# when "Privoxy" is active. To turn off, set to 0.
#
#activity-animation 1
#
-#
-#
# If "log-messages" is set to 1, Privoxy copies log messages to the
# console window. The log detail depends on the debug directive.
#
#log-messages 1
#
-#
-#
# If "log-buffer-size" is set to 1, the size of the log buffer, i.e.
# the amount of memory used for the log messages displayed in the
# console window, will be limited to "log-max-lines" (see below).
projects / privoxy.git / blobdiff