+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Key values that determine what information gets logged.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>Integer values</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>12289 (i.e.: URLs plus informational and warning messages)</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ Nothing gets logged.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ The available debug levels are:
+ </para>
+ <para>
+ <programlisting>
+ debug 1 # show each GET/POST/CONNECT request
+ debug 2 # show each connection status
+ debug 4 # show I/O status
+ debug 8 # show header parsing
+ debug 16 # log all data into the logfile
+ debug 32 # debug force feature
+ debug 64 # debug regular expression filter
+ debug 128 # debug fast redirects
+ debug 256 # debug GIF de-animation
+ debug 512 # Common Log Format
+ debug 1024 # debug kill pop-ups
+ debug 4096 # Startup banner and warnings.
+ debug 8192 # Non-fatal errors
+ </programlisting>
+ </para>
+ <para>
+ To select multiple debug levels, you can either add them or use
+ multiple <literal>debug</literal> lines.
+ </para>
+ <para>
+ A debug level of 1 is informative because it will show you each request
+ as it happens. <emphasis>1, 4096 and 8192 are highly recommended</emphasis>
+ so that you will notice when things go wrong. The other levels are probably
+ only of interest if you are hunting down a specific problem. They can produce
+ a hell of an output (especially 16).
+ <!-- LOL -->
+ </para>
+ <para>
+ The reporting of <emphasis>fatal</emphasis> errors (i.e. ones which crash
+ <application>Privoxy</application>) is always on and cannot be disabled.
+ </para>
+ <para>
+ If you want to use CLF (Common Log Format), you should set <quote>debug
+ 512</quote> <emphasis>ONLY</emphasis> and not enable anything else.
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>
+
+<sect4><title>single-threaded</title>
+
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Whether to run only one server thread
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para><emphasis>None</emphasis></para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para><emphasis>Unset</emphasis></para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ Multi-threaded (or, where unavailable: forked) operation, i.e. the ability to
+ serve multiple requests simultaneously.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ This option is only there for debug purposes and you should never
+ need to use it. <emphasis>It will drastically reduce performance.</emphasis>
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>
+
+</sect3>
+
+<!-- ~~~~~ New section ~~~~~ -->
+
+<sect3>
+<title>Access Control and Security</title>
+
+ <para>
+ This section of the config file controls the security-relevant aspects
+ of <application>Privoxy</application>'s configuration.
+ </para>
+
+<sect4><title>listen-address</title>
+
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ The IP address and TCP port on which <application>Privoxy</application> will
+ listen for client requests.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>[<replaceable class="parameter">IP-Address</replaceable>]:<replaceable class="parameter">Port</replaceable></para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>localhost:8118</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ Bind to localhost (127.0.0.1), port 8118. This is suitable and recommended for
+ home users who run <application>Privoxy</application> on the same machine as
+ their browser.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ You will need to configure your browser(s) to this proxy address and port.
+ </para>
+ <para>
+ If you already have another service running on port 8118, or if you want to
+ serve requests from other machines (e.g. on your local network) as well, you
+ will need to override the default.
+ </para>
+ <para>
+ If you leave out the IP address, <application>Privoxy</application> will
+ bind to all interfaces (addresses) on your machine and may become reachable
+ from the Internet. In that case, consider using access control lists (acl's)
+ (see <quote>ACLs</quote> below), or a firewall.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Example:</term>
+ <listitem>
+ <para>
+ Suppose you are running <application>Privoxy</application> on
+ a machine which has the address 192.168.0.1 on your local private network
+ (192.168.0.0) and has another outside connection with a different address.
+ You want it to serve requests from inside only:
+ </para>
+ <para>
+ <programlisting>
+ listen-address 192.168.0.1:8118
+ </programlisting>
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>
+
+<sect4><title>toggle</title>
+
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Initial state of "toggle" status
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>1 or 0</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>1</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ Act as if toggled on
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ If set to 0, <application>Privoxy</application> will start in
+ <quote>toggled off</quote> mode, i.e. behave like a normal, content-neutral
+ proxy. See <literal>enable-remote-toggle</literal>
+ below. This is not really useful anymore, since toggling is much easier
+ via <ulink url="http://config.privoxy.org/toggle">the web
+ interface</ulink> then via editing the <filename>conf</filename> file.
+ </para>
+ <para>
+ The windows version will only display the toggle icon in the system tray
+ if this option is present.
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>
+
+
+<sect4><title>enable-remote-toggle</title>
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Whether or not the <ulink url="http://config.privoxy.org/toggle">web-based toggle
+ feature</ulink> may be used
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>0 or 1</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>1</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ The web-based toggle feature is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ When toggled off, <application>Privoxy</application> acts like a normal,
+ content-neutral proxy, i.e. it acts as if none of the actions applied to
+ any URL.
+ </para>
+ <para>
+ For the time being, access to the toggle feature can <emphasis>not</emphasis> be
+ controlled separately by <quote>ACLs</quote> or HTTP authentication,
+ so that everybody who can access <application>Privoxy</application> (see
+ <quote>ACLs</quote> and <literal>listen-address</literal> above) can
+ toggle it for all users. So this option is <emphasis>not recommended</emphasis>
+ for multi-user environments with untrusted users.
+ </para>
+ <para>
+ Note that you must have compiled <application>Privoxy</application> with
+ support for this feature, otherwise this option has no effect.
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>
+
+
+<sect4><title>enable-edit-actions</title>
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Whether or not the <ulink url="http://config.privoxy.org/edit-actions">web-based actions
+ file editor</ulink> may be used
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>0 or 1</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para>1</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ The web-based actions file editor is disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ For the time being, access to the editor can <emphasis>not</emphasis> be
+ controlled separately by <quote>ACLs</quote> or HTTP authentication,
+ so that everybody who can access <application>Privoxy</application> (see
+ <quote>ACLs</quote> and <literal>listen-address</literal> above) can
+ modify its configuration for all users. So this option is <emphasis>not
+ recommended</emphasis> for multi-user environments with untrusted users.
+ </para>
+ <para>
+ Note that you must have compiled <application>Privoxy</application> with
+ support for this feature, otherwise this option has no effect.
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>
+
+<sect4><title>ACLs: permit-access and deny-access</title>
+<variablelist>
+ <varlistentry>
+ <term>Specifies:</term>
+ <listitem>
+ <para>
+ Who can access what.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Type of value:</term>
+ <listitem>
+ <para>
+ <replaceable class="parameter">src_addr</replaceable>[/<replaceable class="parameter">src_masklen</replaceable>]
+ [<replaceable class="parameter">dst_addr</replaceable>[/<replaceable class="parameter">dst_masklen</replaceable>]]
+ </para>
+ <para>
+ Where <replaceable class="parameter">src_addr</replaceable> and
+ <replaceable class="parameter">dst_addr</replaceable> are IP addresses in dotted decimal notation or valid
+ DNS names, and <replaceable class="parameter">src_masklen</replaceable> and
+ <replaceable class="parameter">dst_masklen</replaceable> are subnet masks in CIDR notation, i.e. integer
+ values from 2 to 30 representing the length (in bits) of the network address. The masks and the whole
+ destination part are optional.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Default value:</term>
+ <listitem>
+ <para><emphasis>Unset</emphasis></para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Effect if unset:</term>
+ <listitem>
+ <para>
+ Don't restrict access further than implied by <literal>listen-address</literal>
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ Access controls are included at the request of ISPs and systems
+ administrators, and <emphasis>are not usually needed by individual users</emphasis>.
+ For a typical home user, it will normally suffice to ensure that
+ <application>Privoxy</application> only listens on the localhost or internal (home)
+ network address by means of the <literal>listen-address</literal> option.
+ </para>
+ <para>
+ Please see the warnings in the FAQ that this proxy is not intended to be a substitute
+ for a firewall or to encourage anyone to defer addressing basic security
+ weaknesses.
+ </para>
+ <para>
+ Multiple ACL lines are OK.
+ If any ACLs are specified, then the <application>Privoxy</application>
+ talks only to IP addresses that match at least one <literal>permit-access</literal> line
+ and don't match any subsequent <literal>deny-access</literal> line. In other words, the
+ last match wins, with the default being <literal>deny-access</literal>.
+ </para>
+ <para>
+ If <application>Privoxy</application> is using a forwarder (see <literal>forward</literal> below)
+ for a particular destination URL, the <replaceable class="parameter">dst_addr</replaceable>
+ that is examined is the address of the forwarder and <emphasis>NOT</emphasis> the address
+ of the ultimate target. This is necessary because it may be impossible for the local
+ <application>Privoxy</application> to determine the IP address of the
+ ultimate target (that's often what gateways are used for).
+ </para>
+ <para>
+ You should prefer using IP addresses over DNS names, because the address lookups take
+ time. All DNS names must resolve! You can <emphasis>not</emphasis> use domain patterns
+ like <quote>*.org</quote> or partial domain names. If a DNS name resolves to multiple
+ IP addresses, only the first one is used.
+ </para>
+ <para>
+ Denying access to particular sites by ACL may have undesired side effects
+ if the site in question is hosted on a machine which also hosts other sites.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Examples:</term>
+ <listitem>
+ <para>
+ Explicitly define the default behavior if no ACL and
+ <literal>listen-address</literal> are set: <quote>localhost</quote>
+ is OK. The absence of a <replaceable class="parameter">dst_addr</replaceable> implies that
+ <emphasis>all</emphasis> destination addresses are OK:
+ </para>
+ <para>
+ <screen>
+ permit-access localhost
+ </screen>
+ </para>
+ <para>
+ Allow any host on the same class C subnet as www.privoxy.org access to
+ nothing but www.example.com:
+ </para>
+ <para>
+ <screen>
+ permit-access www.privoxy.org/24 www.example.com/32
+ </screen>
+ </para>
+ <para>
+ Allow access from any host on the 26-bit subnet 192.168.45.64 to anywhere,
+ with the exception that 192.168.45.73 may not access www.dirty-stuff.example.com:
+ </para>
+ <para>
+ <screen>
+ permit-access 192.168.45.64/26
+ deny-access 192.168.45.73 www.dirty-stuff.example.com
+ </screen>
+ </para>
+ </listitem>
+ </varlistentry>
+</variablelist>
+</sect4>