Purpose : Used with other docs and files only.
- $Id: p-config.sgml,v 2.115 2016/03/17 10:43:20 fabiankeil Exp $
+ $Id: p-config.sgml,v 2.124 2017/02/20 13:44:54 fabiankeil Exp $
- Copyright (C) 2001-2016 Privoxy Developers http://www.privoxy.org/
+ Copyright (C) 2001-2017 Privoxy Developers https://www.privoxy.org/
See LICENSE.
========================================================================
Sample Configuration File for Privoxy &p-version;
</title>
<para>
- $Id: p-config.sgml,v 2.115 2016/03/17 10:43:20 fabiankeil Exp $
+ $Id: p-config.sgml,v 2.124 2017/02/20 13:44:54 fabiankeil Exp $
</para>
<para>
-Copyright (C) 2001-2016 Privoxy Developers http://www.privoxy.org/
+Copyright (C) 2001-2017 Privoxy Developers https://www.privoxy.org/
</para>
<para>
<literallayout>
-#################################################################
- #
- Table of Contents #
- #
- I. INTRODUCTION #
- II. FORMAT OF THE CONFIGURATION FILE #
- #
- 1. LOCAL SET-UP DOCUMENTATION #
- 2. CONFIGURATION AND LOG FILE LOCATIONS #
- 3. DEBUGGING #
- 4. ACCESS CONTROL AND SECURITY #
- 5. FORWARDING #
- 6. MISCELLANEOUS #
- 7. WINDOWS GUI OPTIONS #
- #
-#################################################################
+##################################################################
+ #
+ Table of Contents #
+ #
+ I. INTRODUCTION #
+ II. FORMAT OF THE CONFIGURATION FILE #
+ #
+ 1. LOCAL SET-UP DOCUMENTATION #
+ 2. CONFIGURATION AND LOG FILE LOCATIONS #
+ 3. DEBUGGING #
+ 4. ACCESS CONTROL AND SECURITY #
+ 5. FORWARDING #
+ 6. MISCELLANEOUS #
+ 7. WINDOWS GUI OPTIONS #
+ #
+##################################################################
</literallayout>
</para>
<term>Effect if unset:</term>
<listitem>
<para>
- <ulink url="http://www.privoxy.org/user-manual/">http://www.privoxy.org/<replaceable class="parameter">version</replaceable>/user-manual/</ulink>
+ <ulink url="https://www.privoxy.org/user-manual/">https://www.privoxy.org/<replaceable class="parameter">version</replaceable>/user-manual/</ulink>
will be used, where <replaceable class="parameter">version</replaceable> is the <application>Privoxy</application> version.
</para>
</listitem>
</varlistentry>
</variablelist>
-<![%config-file;[<literallayout>@@#user-manual http://www.privoxy.org/user-manual/</literallayout>]]>
+<![%config-file;[<literallayout>@@#user-manual https://www.privoxy.org/user-manual/</literallayout>]]>
</sect3>
<![%config-file;[<literallayout>@@enable-proxy-authentication-forwarding 0</literallayout>]]>
</sect3>
+<!-- ~~~~~ New section ~~~~~ -->
+<sect3 renderas="sect4" id="trusted-cgi-referer"><title>trusted-cgi-referer</title>
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ A trusted website or webpage whose links can be followed to reach sensitive CGI pages
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>URL or URL prefix</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>Unset</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ No external pages are considered trusted referers.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ Before &my-app; accepts configuration changes through CGI pages like
+ <link linkend="client-specific-tag">client-tags</link> or the
+ <link linkend="enable-remote-toggle">remote toggle</link>, it checks
+ the Referer header to see if the request comes from a trusted source.
+ </para>
+ <para>
+ By default only the webinterface domains
+ <ulink url="http://config.privoxy.org/">config.privoxy.org</ulink>
+ and
+ <ulink url="http://p.p/">p.p</ulink>
+ are considered trustworthy.
+ Requests originating from other domains are rejected to prevent
+ third-parties from modifiying Privoxy's state by e.g. embedding
+ images that result in CGI requests.
+ </para>
+ <para>
+ In some environments it may be desirable to embed links to CGI pages
+ on external pages, for example on an Intranet homepage the Privoxy admin
+ controls.
+ </para>
+ <para>
+ The <quote>trusted-cgi-referer</quote> option can be used to add that page,
+ or the whole domain, as trusted source so the resulting requests aren't
+ rejected.
+ Requests are accepted if the specified trusted-cgi-refer is the prefix
+ of the Referer.
+ </para>
+ <warning>
+ <para>
+ Declaring pages the admin doesn't control trustworthy may allow
+ malicious third parties to modify Privoxy's internal state against
+ the user's wishes and without the user's knowledge.
+ </para>
+ </warning>
+ </listitem>
+ </varlistentry>
+</variablelist>
+
+<![%config-file;[<literallayout>@@trusted-cgi-referer http://www.example.org/local-privoxy-control-page</literallayout>]]>
+</sect3>
+
</sect2>
<!-- ~ End section ~ -->
<application>Privoxy's</application> listening port is reachable
by the outside or an attacker has access to the pages you visit.
</para>
+ <para>
+ If you are running Privoxy as intercepting proxy without being
+ able to intercept all client requests you may want to adjust
+ the CGI templates to make sure they don't reference content from
+ config.privoxy.org.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
<para>
After a client-specific tag has been defined with the client-specific-tag
directive, action sections can be activated based on the tag by using a
- <ulink url="#CLIENT-TAG-PATTERN">CLIENT-TAG</ulink> pattern.
+ <ulink url="actions-file.html#CLIENT-TAG-PATTERN">CLIENT-TAG</ulink> pattern.
The CLIENT-TAG pattern is evaluated at the same priority
as URL patterns, as a result the last matching pattern wins.
Tags that are created based on client or server headers are evaluated
</para>
<para>
Clients can request tags to be set by using the CGI interface <ulink
- url="http://config.privoxy.org/show-client-tags">http://config.privoxy.org/show-client-tags</ulink>.
+ url="http://config.privoxy.org/client-tags">http://config.privoxy.org/client-tags</ulink>.
The specific tag description is only used on the web page and should
be phrased in away that the user understand the effect of the tag.
</para>
<varlistentry>
<term>Default value:</term>
<listitem>
- <para>None</para>
+ <para>60</para>
</listitem>
</varlistentry>
<varlistentry>
</para>
<para>
The CGI interface <ulink
- url="http://config.privoxy.org/show-client-tags">http://config.privoxy.org/show-client-tags</ulink>
+ url="http://config.privoxy.org/client-tags">http://config.privoxy.org/client-tags</ulink>
therefore provides a "enable this tag temporarily" option.
If it is used, the tag will be set until the client-tag-lifetime
is over.
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>Examples:</term>
+ <listitem>
+ <para>
+ <screen>
+ # Increase the time to life for temporarily enabled tags to 3 minutes
+ client-tag-lifetime 180
+ </screen>
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect3>
+
+<!-- ~ End section ~ -->
+
+<sect3 renderas="sect4" id="trust-x-forwarded-for"><title>trust-x-forwarded-for</title>
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Whether or not Privoxy should use IP addresses specified with the X-Forwarded-For header
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>
+ <replaceable>0 or one</replaceable>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>0</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <warning>
+ <para>
+ This is an experimental feature. The syntax is likely to change
+ in future versions.
+ </para>
+ </warning>
+ <para>
+ If clients reach Privoxy through another proxy, for example a load
+ balancer, Privoxy can't tell the client's IP address from the connection.
+ If multiple clients use the same proxy, they will share the same
+ client tag settings which is usually not desired.
+ </para>
+ <para>
+ This option lets Privoxy use the X-Forwarded-For header value as
+ client IP address. If the proxy sets the header, multiple clients
+ using the same proxy do not share the same client tag settings.
+ </para>
+ <para>
+ This option should only be enabled if Privoxy can only be reached
+ through a proxy and if the proxy can be trusted to set the header
+ correctly. It is recommended that ACL are used to make sure only
+ trusted systems can reach Privoxy.
+ </para>
+ <para>
+ If access to Privoxy isn't limited to trusted systems, this option
+ would allow malicious clients to change the client tags for other
+ clients or increase Privoxy's memory requirements by registering
+ lots of client tag settings for clients that don't exist.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Examples:</term>
+ <listitem>
+ <para>
+ <screen>
+ # Allow systems that can reach Privoxy to provide the client
+ # IP address with a X-Forwarded-For header.
+ trust-x-forwarded-for 1
+ </screen>
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</sect3>
<!-- ~ End section ~ -->
-
<!-- ~~~~~ New section ~~~~~ -->
<sect2 id="windows-gui">
projects / privoxy.git / blobdiff