-# Sample Configuration File for Privoxy 3.0.29
+# Sample Configuration File for Privoxy 3.0.33
#
-# Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
+# Copyright (C) 2001-2021 Privoxy Developers https://www.privoxy.org/
#
#####################################################################
# #
# 4. ACCESS CONTROL AND SECURITY #
# 5. FORWARDING #
# 6. MISCELLANEOUS #
-# 7. TLS #
+# 7. HTTPS INSPECTION (EXPERIMENTAL) #
# 8. WINDOWS GUI OPTIONS #
# #
#####################################################################
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
+#actionsfile regression-tests.action # Tests for privoxy-regression-test
#
# 2.6. filterfile
# ================
#
# debug 1 # Log the destination for each request. See also debug 1024.
# debug 2 # show each connection status
-# debug 4 # show I/O status
+# debug 4 # show tagging-related messages
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# each request as it happens. 1, 1024, 4096 and 8192 are
# recommended so that you will notice when things go wrong. The
# other levels are probably only of interest if you are hunting
-# down a specific problem. They can produce a hell of an output
+# down a specific problem. They can produce a lot of output
# (especially 16).
#
# If you are used to the more verbose settings, simply enable
# you read the log messages, you may even be able to solve the
# problem on your own.
#
-#debug 1 # Log the destination for each request.
+#debug 1 # Log the destination for each request. See also debug 1024.
+#debug 2 # show each connection status
+#debug 4 # show tagging-related messages
+#debug 8 # show header parsing
+#debug 128 # debug redirects
+#debug 256 # debug GIF de-animation
+#debug 512 # Common Log Format
#debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#debug 4096 # Startup banner and warnings
#debug 8192 # Non-fatal errors
+#debug 65536 # Log applying actions
#
# 3.2. single-threaded
# =====================
# consider using access control lists (ACL's, see below), and/or
# a firewall.
#
-# If you open Privoxy to untrusted users, you will also want to
-# make sure that the following actions are disabled:
+# If you open Privoxy to untrusted users, you should also make
+# sure that the following actions are disabled:
# enable-edit-actions and enable-remote-toggle
#
# Example:
# might want to make some exceptions:
#
# forward 192.168.*.*/ .
-# forward 10.*.*.*/ .
-# forward 127.*.*.*/ .
+# forward 10.*.*.*/ .
+# forward 127.*.*.*/ .
#
# Unencrypted connections to systems in these address ranges
# will be as (un)secure as the local network is, but the
# network by using their names, you will need additional
# exceptions that look like this:
#
-# forward localhost/ .
+# forward localhost/ .
#
#
# 5.3. forwarded-connect-retries
# speedups. There are also a few privacy implications you should
# be aware of.
#
-# If this option is effective, outgoing connections are shared
+# If this option is enabled, outgoing connections are shared
# between clients (if there are more than one) and closing the
-# browser that initiated the outgoing connection does no longer
-# affect the connection between Privoxy and the server unless
-# the client's request hasn't been completed yet.
+# browser that initiated the outgoing connection does not affect
+# the connection between Privoxy and the server unless the
+# client's request hasn't been completed yet.
#
# If the outgoing connection is idle, it will not be closed
# until either Privoxy's or the server's timeout is reached.
# If you aren't using an occasionally slow proxy like Tor,
# reducing it to a few seconds should be fine.
#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |When a TLS library is being used to read or write |
+# |data from a socket with https-inspection enabled the |
+# |socket-timeout currently isn't applied and the |
+# |timeout used depends on the library (which may not |
+# |even use a timeout). |
+# +-----------------------------------------------------+
# Example:
#
# socket-timeout 300
#
# 128
#
-# Effect if unset:
+# Notes:
#
# Connections are served until a resource limit is reached.
#
-# Notes:
-#
# Privoxy creates one thread (or process) for every incoming
# client connection that isn't rejected based on the access
# control settings.
# limit below the one enforced by the operating system.
#
# One most POSIX-compliant systems Privoxy can't properly deal
-# with more than FD_SETSIZE file descriptors at the same time
-# and has to reject connections if the limit is reached. This
-# will likely change in a future version, but currently this
-# limit can't be increased without recompiling Privoxy with a
-# different FD_SETSIZE limit.
+# with more than FD_SETSIZE file descriptors if Privoxy has been
+# configured to use select() and has to reject connections if
+# the limit is reached. When using select() this limit therefore
+# can't be increased without recompiling Privoxy with a
+# different FD_SETSIZE limit unless Privoxy is running on
+# Windows with _WIN32 defined.
+#
+# When Privoxy has been configured to use poll() the FD_SETSIZE
+# limit does not apply.
#
# Example:
#
#
# Examples:
#
-# # Best speed (compared to the other levels)
-# compression-level 1
+# # Best speed (compared to the other levels)
+# compression-level 1
#
-# # Best compression
-# compression-level 9
-#
-# # No compression. Only useful for testing as the added header
-# # slightly increases the amount of data that has to be sent.
-# # If your benchmark shows that using this compression level
-# # is superior to using no compression at all, the benchmark
-# # is likely to be flawed.
-# compression-level 0
+# # Best compression
+# compression-level 9
#
+# # No compression. Only useful for testing as the added header
+# # slightly increases the amount of data that has to be sent.
+# # If your benchmark shows that using this compression level
+# # is superior to using no compression at all, the benchmark
+# # is likely to be flawed.
+# compression-level 0
#
#compression-level 1
#
#
# Note that sorting headers in an uncommon way will make
# fingerprinting actually easier. Encrypted headers are not
-# affected by this directive.
+# affected by this directive unless https-inspection is enabled.
#
#client-header-order Host \
# User-Agent \
# Referer \
# Cookie \
# DNT \
+# Connection \
+# Pragma \
+# Upgrade-Insecure-Requests \
# If-Modified-Since \
# Cache-Control \
# Content-Length \
+# Origin \
# Content-Type
#
-#
# 6.16. client-specific-tag
# ==========================
#
#
# Notes:
#
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
# Client-specific tags allow Privoxy admins to create different
# profiles and let the users chose which one they want without
# impacting other users.
# Clients can request tags to be set by using the CGI interface
# http://config.privoxy.org/client-tags. The specific tag
# description is only used on the web page and should be phrased
-# in away that the user understand the effect of the tag.
+# in away that the user understands the effect of the tag.
#
# Examples:
#
# # that are enabled based on CLIENT-TAG patterns.
# client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
# client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
+# client-specific-tag overrule-redirects Overrule redirect sections
+# client-specific-tag allow-cookies Do not crunch cookies in either direction
+# client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits)
+# client-specific-tag no-https-inspection Disable HTTPS inspection
+# client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled
#
#
# 6.17. client-tag-lifetime
#
# Notes:
#
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
# In case of some tags users may not want to enable them
# permanently, but only for a short amount of time, for example
# to circumvent a block that is the result of an overly-broad
# client-tag-lifetime 180
#
#
-#
# 6.18. trust-x-forwarded-for
# ============================
#
#
# Notes:
#
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
# If clients reach Privoxy through another proxy, for example a
# load balancer, Privoxy can't tell the client's IP address from
# the connection. If multiple clients use the same proxy, they
# trust-x-forwarded-for 1
#
#
-#
# 6.19. receive-buffer-size
# ==========================
#
# receive-buffer-size 32768
#
#
-# 7. TLS/SSL INSPECTION (EXPERIMENTAL)
-# =====================================
+# 7. HTTPS INSPECTION (EXPERIMENTAL)
+# ===================================
+#
+# HTTPS inspection allows to filter encrypted requests and
+# responses. This is only supported when Privoxy has been built with
+# FEATURE_HTTPS_INSPECTION. If you aren't sure if your version
+# supports it, have a look at http://config.privoxy.org/show-status.
+#
#
# 7.1. ca-directory
# ==================
# Notes:
#
# This directive specifies the name of the CA key file in ".pem"
-# format. See the ca-cert-file for a command to generate it.
+# format. The ca-cert-file section contains a command to
+# generate it.
+#
+# The CA key is used by Privoxy to sign generated certificates.
+#
+# Access to the key should be limited to Privoxy.
#
# Example:
#
# is used when Privoxy generates certificates for intercepted
# requests.
#
-# Note that the password is shown on the CGI page so don't reuse
-# an important one.
-#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Note that the password is shown on the CGI page so |
+# |don't reuse an important one. |
+# | |
+# |If disclosure of the password is a compliance issue |
+# |consider blocking the relevant CGI requests after |
+# |enabling the enforce-blocks and |
+# |allow-cgi-request-crunching. |
+# +-----------------------------------------------------+
# Example:
#
# ca-password blafasel
# Examples:
#
# # Explicitly set a couple of ciphers with names used by MbedTLS
-# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
-# TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
-# TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
-# TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
-# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
-# TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
-# TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
-# TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
-# TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
-# TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
-# TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
-# TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
-# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
-# TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
-# TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
-# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
-# TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
-# TLS-DHE-RSA-WITH-AES-256-CCM:\
-# TLS-DHE-RSA-WITH-AES-256-CCM-8:\
-# TLS-DHE-RSA-WITH-AES-128-CCM:\
-# TLS-DHE-RSA-WITH-AES-128-CCM-8:\
-# TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
-# TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
-# TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
-# TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
-# TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
-# TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
-# TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
-# TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
-# TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
-# TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
-#
+# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-AES-256-CCM:\
+# TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+# TLS-DHE-RSA-WITH-AES-128-CCM:\
+# TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+# TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
#
# # Explicitly set a couple of ciphers with names used by OpenSSL
-# cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
-# ECDHE-ECDSA-AES256-GCM-SHA384:\
-# DH-DSS-AES256-GCM-SHA384:\
-# DHE-DSS-AES256-GCM-SHA384:\
-# DH-RSA-AES256-GCM-SHA384:\
-# DHE-RSA-AES256-GCM-SHA384:\
-# ECDH-RSA-AES256-GCM-SHA384:\
-# ECDH-ECDSA-AES256-GCM-SHA384:\
-# ECDHE-RSA-AES128-GCM-SHA256:\
-# ECDHE-ECDSA-AES128-GCM-SHA256:\
-# DH-DSS-AES128-GCM-SHA256:\
-# DHE-DSS-AES128-GCM-SHA256:\
-# DH-RSA-AES128-GCM-SHA256:\
-# DHE-RSA-AES128-GCM-SHA256:\
-# ECDH-RSA-AES128-GCM-SHA256:\
-# ECDH-ECDSA-AES128-GCM-SHA256:\
-# ECDHE-RSA-AES256-GCM-SHA384:\
-# AES128-SHA
-#
-#
-# # Use keywords instead of explicity naming the ciphers (Does not work with MbedTLS)
-# cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
-#
+# cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+# ECDHE-ECDSA-AES256-GCM-SHA384:\
+# DH-DSS-AES256-GCM-SHA384:\
+# DHE-DSS-AES256-GCM-SHA384:\
+# DH-RSA-AES256-GCM-SHA384:\
+# DHE-RSA-AES256-GCM-SHA384:\
+# ECDH-RSA-AES256-GCM-SHA384:\
+# ECDH-ECDSA-AES256-GCM-SHA384:\
+# ECDHE-RSA-AES128-GCM-SHA256:\
+# ECDHE-ECDSA-AES128-GCM-SHA256:\
+# DH-DSS-AES128-GCM-SHA256:\
+# DHE-DSS-AES128-GCM-SHA256:\
+# DH-RSA-AES128-GCM-SHA256:\
+# DHE-RSA-AES128-GCM-SHA256:\
+# ECDH-RSA-AES128-GCM-SHA256:\
+# ECDH-ECDSA-AES128-GCM-SHA256:\
+# ECDHE-RSA-AES256-GCM-SHA384:\
+# AES128-SHA
+#
+# # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+# cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
#
#
# 7.7. trusted-cas-file
# This directive specifies the trusted CAs file that is used
# when validating certificates for intercepted TLS/SSL requests.
#
-# An example file can be downloaded from https://curl.haxx.se/ca
-# /cacert.pem.
+# An example file can be downloaded from https://curl.se/ca/cacert.pem.
+# If you want to create the file yourself, please
+# see: https://curl.se/docs/caextract.html.
#
# Example:
#
#
#log-buffer-size 1
#
-#
-#
# log-max-lines is the maximum number of lines held in the log
# buffer. See above.
#
#log-max-lines 200
#
-#
-#
# If "log-highlight-messages" is set to 1, Privoxy will highlight
# portions of the log messages with a bold-faced font:
#
#log-highlight-messages 1
#
-#
-#
# The font used in the console window:
#
#log-font-name Comic Sans MS
#
-#
-#
# Font size used in the console window:
#
#log-font-size 8
#
-#
-#
# "show-on-task-bar" controls whether or not Privoxy will appear as
# a button on the Task bar when minimized:
#
#show-on-task-bar 0
#
-#
-#
# If "close-button-minimizes" is set to 1, the Windows close button
# will minimize Privoxy instead of closing the program (close with
# the exit option on the File menu).
#
#close-button-minimizes 1
#
-#
-#
# The "hide-console" option is specific to the MS-Win console
# version of Privoxy. If this option is used, Privoxy will
# disconnect from and hide the command console.
#hide-console
#
#
-#
projects / privoxy.git / blobdiff