<!entity p-authors SYSTEM "p-authors.sgml">
<!entity config SYSTEM "p-config.sgml">
<!entity changelog SYSTEM "changelog.sgml">
-<!entity p-version "3.0.29">
+<!entity p-version "3.0.35">
<!entity p-status "UNRELEASED">
<!entity % p-authors-formal "INCLUDE"> <!-- include additional text, etc -->
<!entity % p-not-stable "INCLUDE">
Purpose : user manual
- Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
+ Copyright (C) 2001-2023 Privoxy Developers https://www.privoxy.org/
See LICENSE.
========================================================================
<subscript>
<!-- Completely the wrong markup, but very little is allowed -->
<!-- in this part of an article. FIXME -->
- <link linkend="copyright">Copyright</link> &my-copy; 2001-2020 by
+ <link linkend="copyright">Copyright</link> &my-copy; 2001-2023 by
<ulink url="https://www.privoxy.org/">Privoxy Developers</ulink>
</subscript>
</pubdate>
<para>
In addition to the core
features of ad blocking and
- <ulink url="http://en.wikipedia.org/wiki/Browser_cookie">cookie</ulink> management,
+ <ulink url="https://en.wikipedia.org/wiki/Browser_cookie">cookie</ulink> management,
<application>Privoxy</application> provides many supplemental
features<![%p-not-stable;[, some of them currently under development]]>,
that give the end-user more control, more privacy and more freedom:
</sect3>
-<!-- ~~~~~ New section ~~~~~ -->
-<sect3 id="installation-os2"><title>OS/2</title>
-
-<para>
- First, make sure that no previous installations of
- <application>Junkbuster</application> and / or
- <application>Privoxy</application> are left on your
- system. Check that no <application>Junkbuster</application>
- or <application>Privoxy</application> objects are in
- your startup folder.
-</para>
-
-<para>
- Then, just double-click the WarpIN self-installing archive, which will
- guide you through the installation process. A shadow of the
- <application>Privoxy</application> executable will be placed in your
- startup folder so it will start automatically whenever OS/2 starts.
-</para>
-
-<para>
- The directory you choose to install <application>Privoxy</application>
- into will contain all of the configuration files.
-</para>
-</sect3>
-
<!-- ~~~~~ New section ~~~~~ -->
<sect3 id="installation-mac"><title>Mac OS X</title>
<para>
</sect3>
<!-- ~~~~~ New section ~~~~~ -->
-<sect3 id="installation-freebsd"><title>FreeBSD</title>
+<sect3 id="installation-freebsd"><title>FreeBSD and ElectroBSD</title>
<para>
Privoxy is part of FreeBSD's Ports Collection, you can build and install
it with <literal>cd /usr/ports/www/privoxy; make install clean</literal>.
</para>
+<para>
+ If your system is configured to install binary packages you can
+ try to install &my-app; with <literal>pkg install privoxy</literal>.
+</para>
</sect3>
</sect2>
Run the setup program and from View / Category select:
</para>
<screen>
- Devel
- autoconf 2.5
- automake 1.15
- binutils
- cmake
- gcc-core
- gcc-g++
- git
- make
- mingw64-i686-gcc-core
- mingw64-i686-zlib
- Editors
- vim
- Libs
- libxslt: GNOME XSLT library (runtime)
- Net
- curl
- openssh
- Text
- docbook-dssl
- docbook-sgml31
- docbook-utils
- openjade
- Utils
- gnupg
- Web
- w3m
+Devel
+ autoconf 2.5
+ automake 1.15
+ binutils
+ cmake
+ gcc-core
+ gcc-g++
+ git
+ make
+ mingw64-i686-gcc-core
+ mingw64-i686-zlib
+Editors
+ vim
+Libs
+ libxslt: GNOME XSLT library (runtime)
+Net
+ curl
+ openssh
+Text
+ docbook-dssl
+ docbook-sgml31
+ docbook-utils
+ openjade
+Utils
+ gnupg
+Web
+ w3m
</screen>
<para>
If you haven't already downloaded the Privoxy source code, get it now:
</para>
<screen>
- mkdir <root-dir>
- cd <root-dir>
- git clone https://www.privoxy.org/git/privoxy.git
+mkdir <root-dir>
+cd <root-dir>
+git clone https://www.privoxy.org/git/privoxy.git
</screen>
<para>
unzip into <root-dir> and build the software:
</para>
<screen>
- cd <root-dir>
- cd tidy-html5-x.y.z/build/cmake
- cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local
- make && make install
+cd <root-dir>
+cd tidy-html5-x.y.z/build/cmake
+cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local
+make && make install
</screen>
<para>
<!-- FIXME: which version(s) are known to work? -->
<ulink url="https://sourceforge.net/projects/nsis/files/NSIS%203/">
https://sourceforge.net/projects/nsis/files/NSIS%203/</ulink>
- and extract the NSIS directory to <literal>privoxy/windows</literal>.
- Then edit the windows/GNUmakefile to set the location of the NSIS executable - eg:
+ and extract the NSIS directory to <literal>/<root-dir>/nsis/</literal>.
+ Then edit the <filename>windows/GNUmakefile</filename> to set the location
+ of the NSIS executable - eg:
</para>
<screen>
# Path to NSIS
-MAKENSIS = ./nsis/makensis.exe
+MAKENSIS = /<root-dir>/nsis/makensis.exe
+</screen>
+
+ <para>
+ Get the latest 8.x PCRE code from
+ <ulink url="https://sourceforge.net/projects/pcre/files/pcre/">PCRE
+ https://sourceforge.net/projects/pcre/files/pcre/</ulink>
+ and build the static PCRE libraries with
+
+ <screen>
+export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+export LDFLAGS="-fstack-protector-strong"
+export CPPFLAGS="-DPCRE_STATIC"
+
+./configure --host=i686-w64-mingw32 \
+ --prefix=/usr/local/i686-w64-mingw32 \
+ --enable-utf --enable-unicode-properties \
+ --enable-jit \
+ --enable-newline-is-anycrlf \
+ --enable-pcre16 \
+ --enable-pcre32 \
+ --disable-pcregrep-libbz2 \
+ --disable-pcregrep-libz \
+ --disable-pcretest-libreadline \
+ --disable-stack-for-recursion \
+ --enable-static --disable-shared \
+ && make
</screen>
+ </para>
+
+
+ <para>
+ If you want to be able to have Privoxy do TLS Inspection, get the latest
+ 2.28.x MBED-TLS library source code from
+ <ulink url="https://github.com/Mbed-TLS/mbedtls/tags">
+ https://github.com/Mbed-TLS/mbedtls/tags</ulink>,
+ extract the tar file into <literal><root-dir></literal>
+ and build the static libraries with
+ <programlisting>
+export WINDOWS_BUILD=1
+# build for a Windows platform
+
+unset DEBUG
+
+export CC=i686-w64-mingw32-gcc
+export LD=i686-w64-mingw32-gcc
+export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+export LDFLAGS="${LDFLAGS} -fstack-protector-strong"
+
+make lib
+# build the libraries
+</programlisting>
+ </para>
+
+
+ <para>
+ Get the brotli library from
+ <ulink url="https://github.com/google/brotli/releases">
+ https://github.com/google/brotli/releases</ulink>
+ and build the static libraries with
+ <programlisting>
+./bootstrap
+# to create the GNU autotools files
+
+autoconf
+
+export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+export LDFLAGS="${LDFLAGS} -fstack-protector-strong"
+
+./configure --host=i686-w64-mingw32 \
+ --prefix=/usr/local/i686-w64-mingw32 \
+ --enable-static \
+ --disable-shared \
+ --with-gnu-ld \
+ --disable-silent-rules \
+ && make
+</programlisting>
+ </para>
+
+
</sect4>
To build just the Privoxy executable and not the whole installation package, do:
</para>
<programlisting>
- cd <root-dir>/privoxy
- ./windows/MYconfigure && make
+cd <root-dir>/privoxy
+./windows/MYconfigure && make
</programlisting>
<para>
for building software, so the process is:
</para>
<programlisting>
- $ autoheader # creates config.h.in
- $ autoconf # uses config.h.in to create the configure shell script
- $ ./configure [options] # creates GNUmakefile
- $ make [options] # builds the program
+autoheader # creates config.h.in
+autoconf # uses config.h.in to create the configure shell script
+./configure [options] # creates GNUmakefile
+make [options] # builds the program
</programlisting>
<para>
--enable-zlib
--enable-static-linking
--disable-pthread
- --disable-dynamic-pcre
+ --with-brotli
+ --with-mbedtls
</literallayout>
<para>
</para>
<programlisting>
- $ export CFLAGS="-O2" # set gcc optimization level
- $ export LDFLAGS="-Wl,--nxcompat" # Enable DEP
- $ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \
- > --enable-static-linking --disable-pthread --disable-dynamic-pcre
- $ make # build Privoxy
+$ export CFLAGS="-O2" # set gcc optimization level
+$ export LDFLAGS="-Wl,--nxcompat" # Enable DEP
+$ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \
+> --enable-static-linking --disable-pthread
+$ make # build Privoxy
</programlisting>
<para>
use, filtering, you will need to force compression off. Example:
</para>
<screen>
- { +<link linkend="filter">filter</link>{google} +<link linkend="prevent-compression">prevent-compression</link> }
- .google.</screen>
+{ +<link linkend="filter">filter</link>{google} +<link linkend="prevent-compression">prevent-compression</link> }
+.google.
+</screen>
<para>
Or if you use a number of filters, or filter many sites, you may just want
to turn off compression for all sites in
<listitem>
<para>
Set your browser to use <application>Privoxy</application> as HTTP and
- HTTPS (SSL) <ulink url="http://en.wikipedia.org/wiki/Proxy_server">proxy</ulink>
+ HTTPS (SSL) <ulink url="https://en.wikipedia.org/wiki/Proxy_server">proxy</ulink>
by setting the proxy configuration for address of
<literal>127.0.0.1</literal> and port <literal>8118</literal>.
<emphasis>DO NOT</emphasis> activate proxying for <literal>FTP</literal> or
<para>
Flush your browser's disk and memory caches, to remove any cached ad images.
If using <application>Privoxy</application> to manage
- <ulink url="http://en.wikipedia.org/wiki/Browser_cookie">cookies</ulink>,
+ <ulink url="https://en.wikipedia.org/wiki/Browser_cookie">cookies</ulink>,
you should remove any currently stored cookies too.
</para>
</listitem>
Before launching <application>Privoxy</application> for the first time, you
will want to configure your browser(s) to use
<application>Privoxy</application> as a HTTP and HTTPS (SSL)
- <ulink url="http://en.wikipedia.org/wiki/Proxy_server">proxy</ulink>. The default is
+ <ulink url="https://en.wikipedia.org/wiki/Proxy_server">proxy</ulink>. The default is
127.0.0.1 (or localhost) for the proxy address, and port 8118 (earlier versions
used port 8000). This is the one configuration step <emphasis>that must be done
</emphasis>!
<!-- image of Mozilla Proxy configuration -->
<figure pgwide="0" float="0"><title>Proxy Configuration Showing
- Mozilla/Netscape HTTP and HTTPS (SSL) Settings</title>
+ Mozilla Firefox HTTP and HTTPS (SSL) Settings</title>
<mediaobject>
<imageobject>
<imagedata fileref="proxy_setup.jpg" format="jpg">
</imageobject>
<textobject>
- <phrase>[ Screenshot of Mozilla Proxy Configuration ]</phrase>
+ <phrase>[ Screenshot of Mozilla Firefox Proxy Configuration ]</phrase>
</textobject>
</mediaobject>
</figure>
</para>
<literallayout>
- <guibutton>Tools</guibutton> -> <guibutton>Options</guibutton> -> <guibutton>Advanced</guibutton> -> <guibutton>Network</guibutton> -><guibutton>Connection</guibutton> -> <guibutton>Settings</guibutton>
+ <guibutton>Edit</guibutton> -> <guibutton>Preferences</guibutton> -> <guibutton>Network Settings</guibutton> -> <guibutton>Settings</guibutton>
</literallayout>
<para>
<para>
After doing this, flush your browser's disk and memory caches to force a
re-reading of all pages and to get rid of any ads that may be cached. Remove
- any <ulink url="http://en.wikipedia.org/wiki/Browser_cookie">cookies</ulink>,
+ any <ulink url="https://en.wikipedia.org/wiki/Browser_cookie">cookies</ulink>,
if you want <application>Privoxy</application> to manage that. You are now
ready to start enjoying the benefits of using
<application>Privoxy</application>!
file.
</para>
<screen>
- # /etc/init.d/privoxy start
+# /etc/init.d/privoxy start
</screen>
</sect2>
To start <application>Privoxy</application> manually, run:
</para>
<screen>
- # service privoxy onestart
+# service privoxy onestart
</screen>
</sect2>
Example Unix startup command:
</para>
<screen>
- # /usr/sbin/privoxy --user privoxy /etc/privoxy/config
+# /usr/sbin/privoxy --user privoxy /etc/privoxy/config
</screen>
<para>
Note that if you installed <application>Privoxy</application> through
</para>
</sect2>
-<sect2 id="start-os2">
-<title>OS/2</title>
-<para>
- During installation, <application>Privoxy</application> is configured to
- start automatically when the system restarts. You can start it manually by
- double-clicking on the <application>Privoxy</application> icon in the
- <application>Privoxy</application> folder.
-</para>
-</sect2>
-
<sect2 id="start-macosx">
<title>Mac OS X</title>
<para>
▪ <ulink url="http://config.privoxy.org/show-status">View & change the current configuration</ulink>
</member>
<member>
- ▪ <ulink url="http://config.privoxy.org/client-tags">View or toggle the tags that can be set based on the clients address</ulink>
+ ▪ <ulink url="http://config.privoxy.org/client-tags">View or toggle the tags that can be set based on the client's address</ulink>
</member>
<member>
▪ <ulink url="http://config.privoxy.org/show-request">View the request headers.</ulink>
<title>Configuration Files Overview</title>
<para>
For Unix, *BSD and GNU/Linux, all configuration files are located in
- <filename>/etc/privoxy/</filename> by default. For MS Windows and OS/2
+ <filename>/etc/privoxy/</filename> by default. For MS Windows
these are all in the same directory as the
<application>Privoxy</application> executable. <![%p-not-stable;[ The name
and number of configuration files has changed from previous versions, and is
<listitem>
<para>
The <link linkend="config">main configuration file</link> is named <filename>config</filename>
- on GNU/Linux, Unix, BSD, and OS/2, and <filename>config.txt</filename>
+ on GNU/Linux, Unix, BSD, and <filename>config.txt</filename>
on Windows. This is a required file.
</para>
</listitem>
The default profiles, and their associated actions, as pre-defined in
<filename>default.action</filename> are:
</para>
- <table frame=all><title>Default Configurations</title>
+ <table frame=all id="default-configurations"><title>Default Configurations</title>
<tgroup cols=4 align=left colsep=1 rowsep=1>
<colspec colname=c1>
<colspec colname=c2>
might look like:
</para>
- <screen>
- { +<literal>handle-as-image</literal> +<literal>block{Banner ads.}</literal> }
- # Block these as if they were images. Send no block page.
- banners.example.com
- media.example.com/.*banners
- .example.com/images/ads/</screen>
+<screen>
+{ +<literal>handle-as-image</literal> +<literal>block{Banner ads.}</literal> }
+# Block these as if they were images. Send no block page.
+banners.example.com
+media.example.com/.*banners
+.example.com/images/ads/
+</screen>
<para>
You can trace this process for URL patterns and any given URL by visiting <ulink
The pattern matching syntax is different for the host and path parts of
the URL. The host part uses a simple globbing type matching technique,
while the path part uses more flexible
- <ulink url="http://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
+ <ulink url="https://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
Expressions</quote></ulink> (POSIX 1003.2).
</para>
<para>
themselves. These work similarly to shell globbing type wild-cards:
<quote>*</quote> represents zero or more arbitrary characters (this is
equivalent to the
- <ulink url="http://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
+ <ulink url="https://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
Expression</quote></ulink> based syntax of <quote>.*</quote>),
<quote>?</quote> represents any single character (this is equivalent to the
regular expression syntax of a simple <quote>.</quote>), and you can define
While flexible, this is not the sophistication of full regular expression based syntax.
</para>
+<para>
+ When compiled with FEATURE_PCRE_HOST_PATTERNS patterns can be prefixed with
+ <quote>PCRE-HOST-PATTERN:</quote> in which case full regular expression
+ (PCRE) can be used for the host pattern as well.
+</para>
+
</sect3>
<!-- ~ End section ~ -->
<para>
<application>Privoxy</application> uses <quote>modern</quote> POSIX 1003.2
- <ulink url="http://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
+ <ulink url="https://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
Expressions</quote></ulink> for matching the path portion (after the slash),
and is thus more flexible.
</para>
<!-- XXX: This section contains duplicates content from the
client-specific-tag documentation. -->
-<warning>
-<para>
- This is an experimental feature. The syntax is likely to change in future versions.
-</para>
-</warning>
-
<para>
Client tag patterns are not set based on HTTP headers but based on
the client's IP address. Users can enable them themselves, but the
<quote>disabled</quote>. Syntax:
</para>
<screen>
- +<replaceable class="function">name</replaceable> # enable action <replaceable class="parameter">name</replaceable>
- -<replaceable class="function">name</replaceable> # disable action <replaceable class="parameter">name</replaceable></screen>
++<replaceable class="function">name</replaceable> # enable action <replaceable class="parameter">name</replaceable>
+-<replaceable class="function">name</replaceable> # disable action <replaceable class="parameter">name</replaceable>
+</screen>
<para>
Example: <literal>+handle-as-image</literal>
</para>
Parameterized, where some value is required in order to enable this type of action.
Syntax:
</para>
- <screen>
- +<replaceable class="function">name</replaceable>{<replaceable class="parameter">param</replaceable>} # enable action and set parameter to <replaceable class="parameter">param</replaceable>,
- # overwriting parameter from previous match if necessary
- -<replaceable class="function">name</replaceable> # disable action. The parameter can be omitted</screen>
+ <screen>
++<replaceable class="function">name</replaceable>{<replaceable class="parameter">param</replaceable>} # enable action and set parameter to <replaceable class="parameter">param</replaceable>,
+ # overwriting parameter from previous match if necessary
+-<replaceable class="function">name</replaceable> # disable action. The parameter can be omitted
+</screen>
<para>
Note that if the URL matches multiple positive forms of a parameterized action,
the last match wins, i.e. the params from earlier matches are simply ignored.
that can be executed for the same request repeatedly, like adding multiple
headers, or filtering through multiple filters. Syntax:
</para>
- <screen>
- +<replaceable class="function">name</replaceable>{<replaceable class="parameter">param</replaceable>} # enable action and add <replaceable class="parameter">param</replaceable> to the list of parameters
- -<replaceable class="function">name</replaceable>{<replaceable class="parameter">param</replaceable>} # remove the parameter <replaceable class="parameter">param</replaceable> from the list of parameters
- # If it was the last one left, disable the action.
- <replaceable class="parameter">-name</replaceable> # disable this action completely and remove all parameters from the list</screen>
+ <screen>
++<replaceable class="function">name</replaceable>{<replaceable class="parameter">param</replaceable>} # enable action and add <replaceable class="parameter">param</replaceable> to the list of parameters
+-<replaceable class="function">name</replaceable>{<replaceable class="parameter">param</replaceable>} # remove the parameter <replaceable class="parameter">param</replaceable> from the list of parameters
+ # If it was the last one left, disable the action.
+<replaceable class="parameter">-name</replaceable> # disable this action completely and remove all parameters from the list
+</screen>
<para>
Examples: <literal>+add-header{X-Fun-Header: Some text}</literal> and
<literal>+filter{html-annoyances}</literal>
<varlistentry>
<term>Example usage (section):</term>
<listitem>
- <screen>{+block{No nasty stuff for you.}}
+ <screen>
+{+block{No nasty stuff for you.}}
# Block and replace with "blocked" page
- .nasty-stuff.example.com
+.nasty-stuff.example.com
{+block{Doubleclick banners.} +handle-as-image}
# Block and replace with image
- .ad.doubleclick.net
- .ads.r.us/banners/
+.ad.doubleclick.net
+.ads.r.us/banners/
{+block{Layered ads.} +handle-as-empty-document}
# Block and then ignore
- adserver.example.net/.*\.js$</screen>
+adserver.example.net/.*\.js$
+</screen>
</listitem>
</varlistentry>
one. This can be used to rewrite the request destination behind the client's
back, for example to specify a Tor exit relay for certain requests.
</para>
+ <para>
+ Note that to change the destination host for
+ <link linkend="HTTPS-INSPECTION">https-inspected</link>
+ requests a protocol and host has to be added to the URI.
+ </para>
+ <para>
+ If <link linkend="HTTPS-INSPECTION">https inspection</link>
+ is enabled, the protocol can be downgraded from https to http
+ but upgrading a request from http to https is currently not
+ supported.
+ </para>
+ <para>
+ After detecting a rewrite, &my-app; does not update the actions
+ used for the request based on the new host.
+ </para>
<para>
Please refer to the <link linkend="filter-file">filter file chapter</link>
to learn which client-header filters are available by default, and how to
</variablelist>
</sect3>
+<!-- ~~~~~ New section ~~~~~ -->
+<sect3 renderas="sect4" id="client-body-filter">
+<title>client-body-filter</title>
+
+<variablelist>
+ <varlistentry>
+ <term>Typical use:</term>
+ <listitem>
+ <para>
+ Rewrite or remove client request body.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Effect:</term>
+ <listitem>
+ <para>
+ All request bodies to which this action applies are filtered on-the-fly through
+ the specified regular expression based substitutions.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Type:</term>
+ <!-- boolean, parameterized, Multi-value -->
+ <listitem>
+ <para>Multi-value.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Parameter:</term>
+ <listitem>
+ <para>
+ The name of a client-body filter, as defined in one of the
+ <link linkend="filter-file">filter files</link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ Please refer to the <link linkend="filter-file">filter file chapter</link>
+ to learn how to create your own client-body filters.
+ </para>
+ <para>
+ The distribution <filename>default.filter</filename> file contains a selection of
+ client-body filters for example purposes.
+ </para>
+ <para>
+ The amount of data that can be filtered is limited by the
+ <literal><link linkend="buffer-limit">buffer-limit</link></literal>
+ option in the main <link linkend="config">config file</link>. The
+ default is 4096 KB (4 Megs). Once this limit is exceeded, the whole
+ request body is passed through unfiltered.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Example usage (section):</term>
+ <listitem>
+ <screen>
+# Remove "test" everywhere in the request body
+{+client-body-filter{remove-test}}
+/
+</screen>
+ </listitem>
+ </varlistentry>
+
+</variablelist>
+</sect3>
+
+
+<!-- ~~~~~ New section ~~~~~ -->
+<sect3 renderas="sect4" id="client-body-tagger">
+<title>client-body-tagger</title>
+
+<variablelist>
+ <varlistentry>
+ <term>Typical use:</term>
+ <listitem>
+ <para>
+ Block requests based on the content of the body data.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Effect:</term>
+ <listitem>
+ <para>
+ Client request bodies to which this action applies are filtered on-the-fly through
+ the specified regular expression based substitutions, the result is used as tag.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Type:</term>
+ <!-- boolean, parameterized, Multi-value -->
+ <listitem>
+ <para>Multi-value.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Parameter:</term>
+ <listitem>
+ <para>
+ The name of a client-body tagger, as defined in one of the
+ <link linkend="filter-file">filter files</link>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ Please refer to the <link linkend="filter-file">filter file chapter</link>
+ to learn how to create your own client-body tagger.
+ </para>
+ <para>
+ Client-body taggers are applied to each request body on its own,
+ and as the body isn't modified, each tagger "sees" the original.
+ </para>
+ <para>
+ Chunk-encoded request bodies currently can't be tagged.
+ Request bodies larger than the buffer-limit can't be tagged either.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Example usage (section):</term>
+ <listitem>
+ <screen>
+# Apply blafasel tagger.
+{+client-body-tagger{blafasel}}
+/
+
+# Block request based on the tag created by the blafasel tagger.
+{+block{Request body contains blafasel}}
+TAG:^content contains blafasel$
+</screen>
+ </listitem>
+ </varlistentry>
+
+</variablelist>
+</sect3>
+
<!-- ~~~~~ New section ~~~~~ -->
<sect3 renderas="sect4" id="client-header-tagger">
linkend="external-filter-syntax">syntax</link></literal>
may change in the future.
</para>
+ <para>
+ If you want to apply external filters to images or other content
+ that isn't text-based, enable the
+ <literal><link linkend="force-text-mode">force-text-mode</link></literal>
+ action as well.
+ </para>
</listitem>
</varlistentry>
<term>Example usage:</term>
<listitem>
<screen>
- { +fast-redirects{simple-check} }
- one.example.com
+{ +fast-redirects{simple-check} }
+one.example.com
- { +fast-redirects{check-decoded-url} }
- another.example.com/testing</screen>
+{ +fast-redirects{check-decoded-url} }
+another.example.com/testing
+</screen>
</listitem>
</varlistentry>
<para>
<quote>Rolling your own</quote>
filters requires a knowledge of
- <ulink url="http://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
+ <ulink url="https://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
Expressions</quote></ulink> and
- <ulink url="http://en.wikipedia.org/wiki/Html"><quote>HTML</quote></ulink>.
+ <ulink url="https://en.wikipedia.org/wiki/Html"><quote>HTML</quote></ulink>.
This is very powerful feature, and potentially very intrusive.
Filters should be used with caution, and where an equivalent
<quote>action</quote> is not available.
</para>
<para>
- The amount of data that can be filtered is limited to the
+ The amount of data that can be filtered is limited by the
<literal><link linkend="buffer-limit">buffer-limit</link></literal>
option in the main <link linkend="config">config file</link>. The
default is 4096 KB (4 Megs). Once this limit is exceeded, the buffered
<anchor id="filter-no-ping">
</para>
<screen>+filter{no-ping} # Removes non-standard ping attributes in <a> and <area> tags.</screen>
+ <para>
+ <anchor id="filter-bundeswehr.de">
+ </para>
+ <screen>+filter{bundeswehr.de} # Hide the cookie and privacy info banner on bundeswehr.de.</screen>
+ <para>
+ <anchor id="filter-github">
+ </para>
+ <screen>+filter{github} # Removes the annoying "Sign-Up" banner and the Cookie disclaimer.</screen>
<para>
<anchor id="filter-google">
</para>
<screen>+filter{google} # CSS-based block for Google text ads. Also removes a width limitation and the toolbar advertisement.</screen>
+ <para>
+ <anchor id="filter-imdb">
+ </para>
+ <screen>+filter{imdb} # Removes some ads on IMDb.</screen>
<para>
<anchor id="filter-yahoo">
</para>
<anchor id="filter-blogspot">
</para>
<screen>+filter{blogspot} # Cleans up some Blogspot blogs. Read the fine print before using this.</screen>
+ <para>
+ <anchor id="filter-sourceforge">
+ </para>
+ <screen>+filter{sourceforge} # Reduces the amount of ads for proprietary software on SourceForge.</screen>
</listitem>
</varlistentry>
</variablelist>
<varlistentry>
<term>Example usage:</term>
<listitem>
- <screen># Disarm the download link in Sourceforge's patch tracker
+ <screen>
+# Disarm the download link in Sourceforge's patch tracker
{ -filter \
- +content-type-overwrite{text/plain}\
- +hide-content-disposition{block} }
- .sourceforge.net/tracker/download\.php</screen>
+ +content-type-overwrite{text/plain} \
+ +hide-content-disposition{block} \
+}
+.sourceforge.net/tracker/download\.php
+</screen>
</listitem>
</varlistentry>
</variablelist>
More information on known user-agent strings can be found at
<ulink url="http://www.user-agents.org/">http://www.user-agents.org/</ulink>
and
- <ulink url="http://en.wikipedia.org/wiki/User_agent">http://en.wikipedia.org/wiki/User_agent</ulink>.
+ <ulink url="https://en.wikipedia.org/wiki/User_agent">http://en.wikipedia.org/wiki/User_agent</ulink>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Example usage:</term>
<listitem>
- <screen>+hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)}</screen>
+ <screen>+hide-user-agent{Mozilla/5.0 (X11; ElectroBSD i386; rv:78.0) Gecko/20100101 Firefox/78.0}</screen>
</listitem>
</varlistentry>
</variablelist>
<listitem>
<para>
This action allows &my-app; to filter encrypted requests and responses.
- For this to work &my-app; has to generate a certificate and send it
- to the client which has to accept it.
+ For this to work &my-app; has to generate a certificate for the web site
+ and send it to the client which has to accept it.
</para>
<para>
Before this works the directives in the
- <literal><ulink url="config.html#TLS">TLS section</ulink></literal>
+ <literal><ulink url="config.html#HTTPS-INSPECTION-DIRECTIVES">HTTPS inspection section</ulink></literal>
of the config file have to be configured.
</para>
<para>
<screen>
{+ignore-certificate-errors}
www.example.org
- </screen>
+</screen>
</listitem>
</varlistentry>
</variablelist>
#
{ +filter{tiny-textforms} +prevent-compression }
# Match only these sites
- .google.
- sourceforge.net
- sf.net
+.google.
+sourceforge.net
+sf.net
# Or instead, we could set a universal default:
#
{ +prevent-compression }
- / # Match all sites
+/ # Match all sites
# Then maybe make exceptions for broken sites:
#
{ -prevent-compression }
-.compusa.com/</screen>
+.compusa.com/
+</screen>
</listitem>
</varlistentry>
<varlistentry>
<term>Example usage:</term>
<listitem>
- <screen># Let the browser revalidate without being tracked across sessions
+ <screen>
+# Let the browser revalidate without being tracked across sessions
{ +hide-if-modified-since{-60} \
- +overwrite-last-modified{randomize} \
- +crunch-if-none-match}
-/</screen>
+ +overwrite-last-modified{randomize} \
+ +crunch-if-none-match \
+}
+/
+</screen>
</listitem>
</varlistentry>
</variablelist>
<varlistentry>
<term>Example usages:</term>
<listitem>
- <screen># Replace example.com's style sheet with another one
+ <screen>
+# Replace example.com's style sheet with another one
{ +redirect{http://localhost/css-replacements/example.com.css} }
- example.com/stylesheet\.css
+example.com/stylesheet\.css
# Create a short, easy to remember nickname for a favorite site
# (relies on the browser to accept and forward invalid URLs to &my-app;)
{ +redirect{https://www.privoxy.org/user-manual/actions-file.html} }
- a
+a
# Always use the expanded view for Undeadly.org articles
# (Note the $ at the end of the URL pattern to make sure
# Redirect Destination = https://www.illumos.org/issues/4974
i[0-9][0-9][0-9][0-9]*/
+# Redirect requests for the old Tor Hidden Service of the Privoxy website to the new one
+{+redirect{s@^http://jvauzb4sb3bwlsnc.onion/@http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/@}}
+jvauzb4sb3bwlsnc.onion/
+
# Redirect remote requests for this manual
# to the local version delivered by Privoxy
{+redirect{s@^http://www@http://config@}}
<!-- ~~~~~ New section ~~~~~ -->
-<sect3 renderas="sect4" id="session-cookies-only">
-<title>session-cookies-only</title>
+<sect3 renderas="sect4" id="suppress-tag">
+<title>suppress-tag</title>
<variablelist>
<varlistentry>
<term>Typical use:</term>
<listitem>
<para>
- Allow only temporary <quote>session</quote> cookies (for the current
- browser session <emphasis>only</emphasis>).
+ Suppress client or server tag.
</para>
</listitem>
</varlistentry>
<term>Effect:</term>
<listitem>
<para>
- Deletes the <quote>expires</quote> field from <quote>Set-Cookie:</quote>
- server headers. Most browsers will not store such cookies permanently and
- forget them in between sessions.
+ Server or client tags to which this action applies are not added to the request,
+ thus making all actions that are specific to these request tags inactive.
</para>
</listitem>
</varlistentry>
-<varlistentry>
+ <varlistentry>
<term>Type:</term>
- <!-- Boolean, Parameterized, Multi-value -->
+ <!-- boolean, parameterized, Multi-value -->
<listitem>
- <para>Boolean.</para>
+ <para>Multi-value.</para>
</listitem>
</varlistentry>
<term>Parameter:</term>
<listitem>
<para>
- N/A
+ The result tag of a server-header or client-header tagger, as defined in one of the
+ <link linkend="filter-file">filter files</link>.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>Notes:</term>
+ <term>Example usage (section):</term>
+ <listitem>
+ <screen>
+# Suppress tag produced by range-requests client-header tagger for requests coming from address 10.0.0.1
+{+suppress-tag{RANGE-REQUEST}}
+TAG:^IP-ADDRESS: 10\.0\.0\.1$
+</screen>
+ </listitem>
+ </varlistentry>
+
+</variablelist>
+</sect3>
+
+
+<!-- ~~~~~ New section ~~~~~ -->
+<sect3 renderas="sect4" id="session-cookies-only">
+<title>session-cookies-only</title>
+
+<variablelist>
+ <varlistentry>
+ <term>Typical use:</term>
<listitem>
<para>
- This is less strict than <literal><link linkend="crunch-incoming-cookies">crunch-incoming-cookies</link></literal> /
- <literal><link linkend="crunch-outgoing-cookies">crunch-outgoing-cookies</link></literal> and allows you to browse
- websites that insist or rely on setting cookies, without compromising your privacy too badly.
+ Allow only temporary <quote>session</quote> cookies (for the current
+ browser session <emphasis>only</emphasis>).
</para>
- <para>
- Most browsers will not permanently store cookies that have been processed by
- <literal>session-cookies-only</literal> and will forget about them between sessions.
- This makes profiling cookies useless, but won't break sites which require cookies so
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Effect:</term>
+ <listitem>
+ <para>
+ Deletes the <quote>expires</quote> field from <quote>Set-Cookie:</quote>
+ server headers. Most browsers will not store such cookies permanently and
+ forget them in between sessions.
+ </para>
+ </listitem>
+ </varlistentry>
+
+<varlistentry>
+ <term>Type:</term>
+ <!-- Boolean, Parameterized, Multi-value -->
+ <listitem>
+ <para>Boolean.</para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Parameter:</term>
+ <listitem>
+ <para>
+ N/A
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>Notes:</term>
+ <listitem>
+ <para>
+ This is less strict than <literal><link linkend="crunch-incoming-cookies">crunch-incoming-cookies</link></literal> /
+ <literal><link linkend="crunch-outgoing-cookies">crunch-outgoing-cookies</link></literal> and allows you to browse
+ websites that insist or rely on setting cookies, without compromising your privacy too badly.
+ </para>
+ <para>
+ Most browsers will not permanently store cookies that have been processed by
+ <literal>session-cookies-only</literal> and will forget about them between sessions.
+ This makes profiling cookies useless, but won't break sites which require cookies so
that you can log in for transactions. This is generally turned on for all
sites, and is the recommended setting.
</para>
</para>
<screen>
- # Useful custom aliases we can use later.
- #
- # Note the (required!) section header line and that this section
- # must be at the top of the actions file!
- #
- {{alias}}
+# Useful custom aliases we can use later.
+#
+# Note the (required!) section header line and that this section
+# must be at the top of the actions file!
+#
+{{alias}}
- # These aliases just save typing later:
- # (Note that some already use other aliases!)
- #
- +crunch-all-cookies = +<link linkend="CRUNCH-INCOMING-COOKIES">crunch-incoming-cookies</link> +<link linkend="CRUNCH-OUTGOING-COOKIES">crunch-outgoing-cookies</link>
- -crunch-all-cookies = -<link linkend="CRUNCH-INCOMING-COOKIES">crunch-incoming-cookies</link> -<link linkend="CRUNCH-OUTGOING-COOKIES">crunch-outgoing-cookies</link>
- +block-as-image = +block{Blocked image.} +handle-as-image
- allow-all-cookies = -crunch-all-cookies -<link linkend="SESSION-COOKIES-ONLY">session-cookies-only</link> -<link linkend="FILTER-CONTENT-COOKIES">filter{content-cookies}</link>
+# These aliases just save typing later:
+# (Note that some already use other aliases!)
+#
++crunch-all-cookies = +<link linkend="CRUNCH-INCOMING-COOKIES">crunch-incoming-cookies</link> +<link linkend="CRUNCH-OUTGOING-COOKIES">crunch-outgoing-cookies</link>
+-crunch-all-cookies = -<link linkend="CRUNCH-INCOMING-COOKIES">crunch-incoming-cookies</link> -<link linkend="CRUNCH-OUTGOING-COOKIES">crunch-outgoing-cookies</link>
++block-as-image = +block{Blocked image.} +handle-as-image
+allow-all-cookies = -crunch-all-cookies -<link linkend="SESSION-COOKIES-ONLY">session-cookies-only</link> -<link linkend="FILTER-CONTENT-COOKIES">filter{content-cookies}</link>
- # These aliases define combinations of actions
- # that are useful for certain types of sites:
- #
- fragile = -<link linkend="BLOCK">block</link> -<link linkend="FILTER">filter</link> -crunch-all-cookies -<link linkend="FAST-REDIRECTS">fast-redirects</link> -<link linkend="HIDE-REFERER">hide-referrer</link> -<link linkend="PREVENT-COMPRESSION">prevent-compression</link>
+# These aliases define combinations of actions
+# that are useful for certain types of sites:
+#
+fragile = -<link linkend="BLOCK">block</link> -<link linkend="FILTER">filter</link> -crunch-all-cookies -<link linkend="FAST-REDIRECTS">fast-redirects</link> -<link linkend="HIDE-REFERER">hide-referrer</link> -<link linkend="PREVENT-COMPRESSION">prevent-compression</link>
- shop = -crunch-all-cookies -<link linkend="FILTER-ALL-POPUPS">filter{all-popups}</link>
+shop = -crunch-all-cookies -<link linkend="FILTER-ALL-POPUPS">filter{all-popups}</link>
- # Short names for other aliases, for really lazy people ;-)
- #
- c0 = +crunch-all-cookies
- c1 = -crunch-all-cookies</screen>
+# Short names for other aliases, for really lazy people ;-)
+#
+c0 = +crunch-all-cookies
+c1 = -crunch-all-cookies
+</screen>
<para>
...and put them to use. These sections would appear in the lower part of an
</para>
<screen>
- # These sites are either very complex or very keen on
- # user data and require minimal interference to work:
- #
- {fragile}
- .office.microsoft.com
- .windowsupdate.microsoft.com
- # Gmail is really mail.google.com, not gmail.com
- mail.google.com
-
- # Shopping sites:
- # Allow cookies (for setting and retrieving your customer data)
- #
- {shop}
- .quietpc.com
- .worldpay.com # for quietpc.com
- mybank.example.com
+# These sites are either very complex or very keen on
+# user data and require minimal interference to work:
+#
+{fragile}
+.office.microsoft.com
+.windowsupdate.microsoft.com
+# Gmail is really mail.google.com, not gmail.com
+mail.google.com
- # These shops require pop-ups:
- #
- {-filter{all-popups} -filter{unsolicited-popups}}
- .dabs.com
- .overclockers.co.uk</screen>
+# Shopping sites:
+# Allow cookies (for setting and retrieving your customer data)
+#
+{shop}
+.quietpc.com
+.worldpay.com # for quietpc.com
+mybank.example.com
+
+# These shops require pop-ups:
+#
+{-filter{all-popups} -filter{unsolicited-popups}}
+.dabs.com
+.overclockers.co.uk
+</screen>
<para>
Aliases like <quote>shop</quote> and <quote>fragile</quote> are typically used for
#
+crunch-all-cookies = +<link linkend="CRUNCH-INCOMING-COOKIES">crunch-incoming-cookies</link> +<link linkend="CRUNCH-OUTGOING-COOKIES">crunch-outgoing-cookies</link>
-crunch-all-cookies = -<link linkend="CRUNCH-INCOMING-COOKIES">crunch-incoming-cookies</link> -<link linkend="CRUNCH-OUTGOING-COOKIES">crunch-outgoing-cookies</link>
- +block-as-image = +block{Blocked image.} +handle-as-image
+ +block-as-image = +block{Blocked image.} +handle-as-image
mercy-for-cookies = -crunch-all-cookies -<link linkend="SESSION-COOKIES-ONLY">session-cookies-only</link> -<link linkend="FILTER-CONTENT-COOKIES">filter{content-cookies}</link>
# These aliases define combinations of actions
<screen>
{ allow-all-cookies }
- sourceforge.net
- .yahoo.com
- .msdn.microsoft.com
- .redhat.com</screen>
+sourceforge.net
+.yahoo.com
+.msdn.microsoft.com
+.redhat.com
+</screen>
<para>
Your bank is allergic to some filter, but you don't know which, so you disable them all:
<screen>
{ -<link linkend="FILTER">filter</link> }
- .your-home-banking-site.com</screen>
+.your-home-banking-site.com
+</screen>
<para>
Some file types you may not want to filter for various reasons:
<screen>
{ +<link linkend="BLOCK">block</link>{Nasty ads.} }
- www.example.com/nasty-ads/sponsor\.gif
- another.example.net/more/junk/here/</screen>
+www.example.com/nasty-ads/sponsor\.gif
+another.example.net/more/junk/here/
+</screen>
<para>
The URLs of dynamically generated banners, especially from large banner
<screen>
{ +block-as-image }
- .doubleclick.net
- .fastclick.net
- /Realmedia/ads/
- ar.atwola.com/</screen>
+.doubleclick.net
+.fastclick.net
+/Realmedia/ads/
+ar.atwola.com/
+</screen>
<para>
Now you noticed that the default configuration breaks Forbes Magazine,
<screen>
{ fragile }
- .forbes.com
- webmail.example.com
- .mybank.com</screen>
+.forbes.com
+webmail.example.com
+.mybank.com
+</screen>
<para>
You like the <quote>fun</quote> text replacements in <filename>default.filter</filename>,
<screen>
{ +<link linkend="filter-fun">filter{fun}</link> }
- / # For ALL sites!</screen>
+/ # For ALL sites!
+</screen>
<para>
Note that the above is not really a good idea: There are exceptions
<screen>
{ allow-ads }
- .sourceforge.net
- .slashdot.org
- .osdn.net</screen>
+.sourceforge.net
+.slashdot.org
+.osdn.net
+</screen>
<para>
Note that <literal>allow-ads</literal> has been aliased to
<screen>
{ handle-as-text }
- /.*\.sh$</screen>
+/.*\.sh$
+</screen>
<para>
<filename>user.action</filename> is generally the best place to define
</para>
<para>
- &my-app; supports three different pcrs-based filter actions:
+ &my-app; supports four different pcrs-based filter actions:
<literal><link linkend="filter">filter</link></literal> to
rewrite the content that is send to the client,
<literal><link linkend="client-header-filter">client-header-filter</link></literal>
- to rewrite headers that are send by the client, and
+ to rewrite headers that are send by the client,
<literal><link linkend="server-header-filter">server-header-filter</link></literal>
- to rewrite headers that are send by the server.
+ to rewrite headers that are send by the server, and
+ <literal><link linkend="client-body-filter">client-body-filter</link></literal>
+ to rewrite client request body.
</para>
<para>
- &my-app; also supports two tagger actions:
- <literal><link linkend="client-header-tagger">client-header-tagger</link></literal>
+ &my-app; also supports three tagger actions:
+ <literal><link linkend="client-header-tagger">client-header-tagger</link></literal>,
+ <literal><link linkend="client-body-tagger">client-body-tagger</link></literal>
and
<literal><link linkend="server-header-tagger">server-header-tagger</link></literal>.
Taggers and filters use the same syntax in the filter files, the difference
filter file is organized in sections, which are called <emphasis>filters</emphasis>
here. Each filter consists of a heading line, that starts with one of the
<emphasis>keywords</emphasis> <literal>FILTER:</literal>,
- <literal>CLIENT-HEADER-FILTER:</literal> or <literal>SERVER-HEADER-FILTER:</literal>
+ <literal>CLIENT-HEADER-FILTER:</literal>, <literal>SERVER-HEADER-FILTER:</literal> or
+ <literal>CLIENT-BODY-FILTER:</literal>
followed by the filter's <emphasis>name</emphasis>, and a short (one line)
<emphasis>description</emphasis> of what it does. Below that line
come the <emphasis>jobs</emphasis>, i.e. lines that define the actual
<para>
If you are new to
- <ulink url="http://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
+ <ulink url="https://en.wikipedia.org/wiki/Regular_expressions"><quote>Regular
Expressions</quote></ulink>, you might want to take a look at
the <link linkend="regex">Appendix on regular expressions</link>, and
see the <ulink url="http://perldoc.perl.org/perlre.html">Perl
<term><emphasis>banners-by-link</emphasis></term>
<listitem>
<para>
- This is an experimental filter that attempts to kill any banners if
- their URLs seem to point to known or suspected click trackers. It is currently
- not of much value and is not recommended for use by default.
+ This filter attempts to kill any banners if their URLs seem to point
+ to known or suspected click trackers. It is currently not of much value
+ and is not recommended for use by default.
</para>
</listitem>
</varlistentry>
<!-- ~ End section ~ -->
+<!-- ~~~~~ New section ~~~~~ -->
+
+<sect1 id="howto"><title>HOWTOs</title>
+
+<!-- ~~~~~~~~ New section Header ~~~~~~~~~ -->
+<sect2 id="h2-https-inspection"><title>HTTPS-Inspection HOWTO</title>
+<sect3 id="h2-hi-tls"><title>How TLS Certificates for websites work
+</title>
+<para>
+ The website owner generates a (private) TLS key and a Certificate
+ Signing Request (CSR).
+</para>
+<para>
+ The CSR is then sent to a Certification Authority (CA), which
+ verifies that the owner is the actual owner of the website. This can
+ be done by proving that the owner has technical write access to the
+ site or the site's DNS, or by verifying the identity of the
+ organization running the site using telephone and public databases.
+</para>
+<para>
+ If the verification is successful, the CA signs the CSR and creates a
+ certificate that certifies that the private TLS key actually belongs
+ to the website name and/or organization that owns the domain.
+</para>
+<para>
+ This TLS certificate is then added to the web server configuration,
+ and when a browser accesses the website, it verifies that the TLS
+ certificate presented to the browser is valid for that domain.
+</para>
+<para>
+ To do this, each browser has the certificates of multiple CAs in its
+ trust store. Only if the certificate of the CA, that signed the web
+ server is in the trust store, the browser will accept the
+ certificate, otherwise the browser will complain about a broken
+ certificate.
+</para>
+<para>
+ If this check passes, the browser sends a random number encrypted
+ with the server's public key to the server, and both compute a shared
+ secret using the Diffie-Hellman key exchange algorithm. Now server
+ and browser can communicate, but no one else can break that
+ communication because it's encrypted between them.
+</para>
+</sect3>
+
+<sect3 id="h2-hi-works"><title>How HTTPS inspection works</title>
+<para>
+ When we try to inspect HTTPS traffic, we have to break the TLS
+ encryption between browser and web server without being the browser
+ or the web server. This is exactly what TLS tries to avoid, as it's
+ a man-in-the-middle-attack.
+</para>
+<para>
+ To do this, Privoxy uses it's own (private) CA (let's call it
+ "Privoxy CA"), which has to be added to the trust store of every
+ single browser that should be used with Privoxy and HTTPS inspection.
+</para>
+<para>
+ Now Privoxy breaks the connection between browser and webserver by
+ acting as a browser/client when talking to the webserver (including
+ checking the webserver's TLS certificate against it's own trust
+ store). Now Privoxy can read and modify the traffic from the
+ webserver.
+</para>
+<para>
+ On the other hand, Privoxy itself encrypts the traffic it sends to
+ the browser using an on the fly self-created TLS server certificate
+ that is signed by Privoxy CA.
+</para>
+</sect3>
+
+<sect3 id="h2-hi-invalid-cert"><title>What happens, if the original
+ certificate is invalid?</title>
+<para>
+ If Privoxy detects, that a TLS certificate is not valid, because the
+ certificate is expired, doesn't match the hostname, is self signed or
+ similar, Privoxy blocks the requests and returns an error message
+ explaining the problem to avoid that the user/browser communicates
+ over an insecure communication channel.
+</para>
+<para>
+ To check this behavior, simply go to
+ <ulink url="https://badssl.com/">https://badssl.com/</ulink>
+</para>
+</sect3>
+
+<sect3 id="h2-hi-prerequisites"><title>HTTPS inspection prerequisites
+</title>
+<para>
+ HTTPS inspection in Privoxy can only be used, if Privoxy is built
+ with FEATURE_HTTPS_INSPECTION. You can check if this feature
+ is enabled at
+ <ulink url="http://config.privoxy.org/show-status">http://config.privoxy.org/show-status</ulink>
+ in the "Conditional #defines" section.
+</para>
+<para>
+ If the feature is not enabled, you may need to
+ <link linkend="installation-source">build Privoxy from source</link>
+ to enable it. You can use either
+ <ulink url="https://www.trustedfirmware.org/projects/mbed-tls/">MbedTLS</ulink>
+ or <ulink url="https://www.openssl.org/">OpenSSL</ulink>. It's up to
+ you, which one to use, they both behave the same for HTTPS inspection.
+</para>
+<para>
+ After installing the development libraries for either OpenSSL or
+ MbedTLS, you can run <command>./configure</command> with
+ either the <command>--with-openssl</command> or
+ <command>--with-mbedtls</command> option.
+</para>
+<para>
+ Check the output of <command>./configure</command>, it must contain
+ one of these the following two lines, otherwise HTTPS inspection will
+ not work:
+</para>
+ <screen>
+configure: Detected OpenSSL. Enabling https inspection.
+configure: Detected mbedTLS. Enabling https inspection.
+</screen>
+<para>
+ If you do not find any of these lines, the output of
+ <command>./configure</command> will tell you what went wrong.
+</para>
+<para>
+ You should then proceed with the
+ <link linkend="installation-source">source install</link>.
+ Finally, check the FEATURE_HTTPS_INSPECTION status in
+ <ulink url="http://config.privoxy.org/show-status">http://config.privoxy.org/show-status</ulink>
+ again.
+</para>
+</sect3>
+
+<sect3 id="h2-hi-config"><title>Configuring HTTPS inspection in Privoxy
+</title>
+<para>
+ First, you need to create the private key and certificate for the
+ "Privoxy CA". This can be done using openssl with the following
+ command:
+ <screen>
+openssl req -new -x509 -extensions v3_ca -keyout privoxy.pem -out privoxy.crt -days 3650
+</screen>
+</para>
+<para>
+ Here we have defined a CA validity of 10 years (3650 days). You
+ should decide for yourself what is a good validity. A shorter
+ validity makes your system more secure (it doesn't hurt that long if
+ the key gets lost to an attacker), but if the certificate expires
+ before you have replaced it with a new one in Privoxy and in all
+ browsers, the communication will fail.
+</para>
+<para>
+ During the key generation you will be asked for a "pass phrase".
+ This pass phrase will appear in the Privoxy config CGI, so don't
+ reuse it elsewhere!
+</para>
+<para>
+ Then you will be asked for Country Name, State/Province, Locality,
+ Orginzation Name, Common Name, and Email Address. You should add
+ some useful data here, because these entries are shown by the browser
+ as "Issuer Name" when you inspect a certificate from an
+ https-inspection site. Especially the "Common Name" will be shown as
+ the name of your CA, so it's good if you (and other users of your
+ Privoxy instance) are able to identify this CA.
+</para>
+<para>
+ Copy the private key (<filename>privoxy.pem</filename>) and the CA
+ certificate (<filename>privoxy.crt</filename>) into
+ the <link linkend="ca-directory">ca-directory</link> (defined
+ in <link linkend="config">config</link>).
+</para>
+<para>
+ Make sure that the private key (<filename>privoxy.pem</filename> in
+ the above example) is only accessible to the user running Privoxy
+ (usually named "privoxy"):
+</para>
+ <screen>
+chmod 600 privoxy.pem
+chown privoxy privoxy.pem
+</screen>
+<para>
+ Now adjust your Privoxy <link linkend="config">configuration</link>:
+</para>
+ <screen>
+<link linkend="ca-directory">ca-directory</link> /etc/privoxy/CA # read-only
+<link linkend="ca-cert-file">ca-cert-file</link> privoxy.crt # in ca-directory
+<link linkend="ca-key-file">ca-key-file</link> privoxy.pem # in ca-directory
+<link linkend="ca-password">ca-password</link> passphrasefromabove
+<link linkend="certificate-directory">certificate-directory</link> /var/lib/privoxy/certs
+<link linkend="trusted-cas-file">trusted-cas-file</link> /etc/ssl/certs/ca-certificates.crt
+</screen>
+<para>
+ <link linkend="certificate-directory">certificate-directory</link>
+ contains the (on the fly) created webserver keys and certificates.
+ It should only be readable by the privoxy user only:
+</para>
+ <screen>
+chown privoxy /var/lib/privoxy/certs
+chmod 700 /var/lib/privoxy/certs.
+</screen>
+<para>
+ <link linkend="trusted-cas-file">trusted-cas-file</link> is the trust
+ store containing the certificates of all CAs that should be accepted.
+ Each browser comes with it's own trust store. Most Unix systems also
+ ship with a truststore. Debian ships it's truststore
+ in <filename>/etc/ssl/certs/ca-certificates.crt</filename>, which is
+ installed by the ca-certificates package and can be updated using
+ update-ca-certificates(8). Alternatively, such a file (extracted
+ from Mozilla) can be downloaded
+ from <ulink url="https://curl.se/docs/caextract.html">https://curl.se/docs/caextract.html</ulink>.
+</para>
+</sect3>
+
+<sect3 id="h2-hi-browser"><title>Browser configuration</title>
+<para>
+ As written above, each browser you use must now trust the newly
+ created Privoxy CA certificate (<filename>privoxy.crt</filename>).
+</para>
+<para>
+ In Firefox you can do this by opening the preferences "Edit" ->
+ "Settings" -> "Privacy & Security" or by typing
+ <ulink url="about:preferences#privacy">about:preferences#privacy</ulink>
+ in the URL. Then go down to the "Certificates" section and click on
+ "View Certificates". Click on the "Authorities" tab and "Import..."
+ your <filename>privoxy.crt</filename>. In the "CA certificate trust
+ settings" select "This certificate can identify websites".
+</para>
+<para>
+ In Chrome based browsers, go to the settings and select "Privacy and
+ security"
+ (<ulink url="chrome://settings/privacy">chrome://settings/privacy</ulink>).
+ Click on "Security" and on the opened sub-page on "Manage
+ certificates". Now go to the "Authorities" tab and
+ import <filename>privoxy.crt</filename> and configure that you trust
+ the certificate for website identification.
+</para>
+</sect3>
+
+<sect3 id="h2-hi-enable"><title>Enabeling HTTPS inspection</title>
+<para>
+ Currently no pages use HTTPS inspection, you need to enable this for
+ some (or all) domains first
+ using <link linkend="user-action">user.action</link> (either by editing
+ the file by hand or via the CGI (this requires
+ <link linkend="enable-edit-actions">enable-edit-actions</link>
+ to be enabled in config) at
+ <ulink url="http://config.privoxy.org/show-status">http://config.privoxy.org/show-status</ulink>
+ (click on user.action Edit button).
+</para>
+<para>
+ Here you can enable HTTPS inspection for individual sites:
+</para>
+ <screen>
+{+<link linkend="https-inspection">https-inspection</link>}
+.badssl.com
+clienttest.ssllabs.com
+</screen>
+<para>
+ You can add more individual sites or wildcards (one per line).
+</para>
+<para>
+ Alternatively, you can use a client-tag to dynamically enable/disable
+ this feature via the browser, as described in the next chapter.
+</para>
+</sect3>
+
+</sect2>
+
+<!-- ~~~~~~~~ New section Header ~~~~~~~~~ -->
+<sect2 id="h2-client-tags"><title>Client Tags HOWTO</title>
+<para>
+ Client-Tags are a mechanism to dynamically/temporarily enable/disable
+ features in Privoxy per browser.
+</para>
+<para>
+ In our example, we use this for the following two use cases:
+ <itemizedlist>
+ <listitem><para>Enable TOR anonymous proxy</para></listitem>
+ <listitem><para>Enable https-inspection</para></listitem>
+ </itemizedlist>
+</para>
+<para>
+ To use this feature, you must first define a tag name and a tag
+ description for each client-tag in <link linkend="config">config</link>,
+ like this:
+</para>
+ <screen>
+<link linkend="client-specific-tag">client-specific-tag</link> tor Use Tor anonymous proxy
+<link linkend="client-specific-tag">client-specific-tag</link> https-inspection Enable https-inspection
+</screen>
+<para>
+ Now you can open <ulink
+ url="http://config.privoxy.org/client-tags">http://config.privoxy.org/client-tags</ulink>
+ or <ulink url="http://p.p/client-tags">http://p.p/client-tags</ulink>
+ and can enable/disable the tag there (you may want to add a bookmark
+ for this in your browser for quick access, but it's also available as
+ a link at <ulink url="http://p.p">http://p.p</ulink>).
+</para>
+<para>
+ It's also possible to temporarily enable a tag, which by default
+ means 3 minutes (=180 seconds) (and can be changed via the
+ <link linkend="client-tag-lifetime">client-tag-lifetime</link> option
+ in <link linkend="config">config</link>).
+</para>
+<para>
+ But before this has any effect, you have to use the client tag in
+ your <link linkend="user-action">user.action</link> like this:
+</para>
+ <screen>
+{+<link linkend="forward-override">forward-override</link>{<link linkend="socks">forward-socks5t</link> 127.0.0.1:9050 .} }
+<link linkend="client-tag-pattern">CLIENT-TAG</link>:^tor$
+</screen>
+<para>
+ This means, that if the "tor" client tag is enabled, all traffic is
+ forwarded by Privoxy through socks5t to a locally installed tor proxy
+ listening on port 9050.
+</para>
+<para>
+ Similarly, you can specify to use the https-inspection client tag to
+ enable https-inspection:
+</para>
+ <screen>
+{+<link linkend="https-inspection">https-inspection</link>}
+<link linkend="client-tag-pattern">CLIENT-TAG</link>:^https-inspection$
+</screen>
+<para>
+ The tag will be set for all requests coming from clients that have
+ requested it to be set. Note that "clients" are distinguished by IP
+ address, if the IP address changes, the tag must be requested again.
+</para>
+</sect2>
+
+</sect1>
+
+<!-- ~ End section ~ -->
+
<!-- ~~~~~ New section ~~~~~ -->
<para>
The same is true for <application>Privoxy</application> binaries
- unless they are linked with
- <ulink url="https://tls.mbed.org/">mbed TLS</ulink> in which
- case you can redistribute them and/or modify them under the terms
- of the <citetitle>GNU General Public License</citetitle>
+ unless they are linked with a
+ <ulink url="https://www.trustedfirmware.org/projects/mbed-tls/">mbed TLS</ulink> version
+ that is licensed under the Apache 2.0 license in which
+ case you can redistribute and/or modify the <application>Privoxy</application>
+ binaries under the terms of the <citetitle>GNU General Public License</citetitle>
as published by the Free Software Foundation, either version 3
of the license, or (at your option) any later version.
</para>
<sect2 id="license"><title>License</title>
<sect3 id="gplv2"><title>GNU General Public License version 2</title>
- <screen><![ RCDATA [ &GPLv2; ]]></screen>
+ <literallayout class="Monospaced"><![ RCDATA [ &GPLv2; ]]></literallayout>
</sect3>
<sect3 id="gplv3"><title>GNU General Public License version 3</title>
- <screen><![ RCDATA [ &GPLv3; ]]></screen>
+ <literallayout class="Monospaced"><![ RCDATA [ &GPLv3; ]]></literallayout>
+</sect3>
+
+<sect3 id="third-party-licenses"><title>Third-party licenses and copyrights</title>
+<para>
+ Privoxy depends on a couple of third-party libraries which have seperate licenses.
+ Please refer to the third-party websites for up-to-date license and copyright
+ information.
+</para>
+<para>
+ Privoxy depends on <ulink url="https://pcre.org/">pcre</ulink>.
+</para>
+<para>
+ When compiled with FEATURE_BROTLI (optional), Privoxy depends on
+ <ulink url="https://www.brotli.org/">brotli</ulink>.
+</para>
+<para>
+ When compiled with FEATURE_HTTPS_INSPECTION (optional),
+ Privoxy depends on a TLS library. The supported libraries are
+ <ulink url="https://www.openssl.org/">LibreSSL</ulink>,
+ <ulink url="https://github.com/Mbed-TLS/mbedtls/tags">mbed TLS 2.28.x</ulink> and
+ <ulink url="https://www.openssl.org/">OpenSSL</ulink> and
+ <ulink url="https://www.wolfssl.com/">wolfSSL</ulink>.
+</para>
+<para>
+ When compiled with FEATURE_ZLIB (optional),
+ Privoxy depends on <ulink url="https://zlib.net/">zlib</ulink>.
+</para>
</sect3>
</sect2>
</para>
<screen>
- Matches for http://www.google.com:
+Matches for http://www.google.com:
- In file: default.action <guibutton>[ View ]</guibutton> <guibutton>[ Edit ]</guibutton>
+In file: default.action <guibutton>[ View ]</guibutton> <guibutton>[ Edit ]</guibutton>
- {+change-x-forwarded-for{block}
+{+change-x-forwarded-for{block}
+deanimate-gifs {last}
+fast-redirects {check-decoded-url}
+filter {refresh-tags}
+hide-from-header {block}
+hide-referrer {forge}
+session-cookies-only
- +set-image-blocker {pattern}
+ +set-image-blocker {pattern} }
/
- { -session-cookies-only }
- .google.com
+{ -session-cookies-only }
+.google.com
- { -fast-redirects }
- .google.com
+{ -fast-redirects }
+.google.com
In file: user.action <guibutton>[ View ]</guibutton> <guibutton>[ Edit ]</guibutton>
(no matches in this file)
</para>
<screen>
- Final results:
-
- -add-header
- -block
- +change-x-forwarded-for{block}
- -client-header-filter{hide-tor-exit-notation}
- -content-type-overwrite
- -crunch-client-header
- -crunch-if-none-match
- -crunch-incoming-cookies
- -crunch-outgoing-cookies
- -crunch-server-header
- +deanimate-gifs {last}
- -downgrade-http-version
- -fast-redirects
- -filter {js-events}
- -filter {content-cookies}
- -filter {all-popups}
- -filter {banners-by-link}
- -filter {tiny-textforms}
- -filter {frameset-borders}
- -filter {demoronizer}
- -filter {shockwave-flash}
- -filter {quicktime-kioskmode}
- -filter {fun}
- -filter {crude-parental}
- -filter {site-specifics}
- -filter {js-annoyances}
- -filter {html-annoyances}
- +filter {refresh-tags}
- -filter {unsolicited-popups}
- +filter {img-reorder}
- +filter {banners-by-size}
- +filter {webbugs}
- +filter {jumping-windows}
- +filter {ie-exploits}
- -filter {google}
- -filter {yahoo}
- -filter {msn}
- -filter {blogspot}
- -filter {no-ping}
- -force-text-mode
- -handle-as-empty-document
- -handle-as-image
- -hide-accept-language
- -hide-content-disposition
- +hide-from-header {block}
- -hide-if-modified-since
- +hide-referrer {forge}
- -hide-user-agent
- -limit-connect
- -overwrite-last-modified
- -prevent-compression
- -redirect
- -server-header-filter{xml-to-html}
- -server-header-filter{html-to-xml}
- -session-cookies-only
- +set-image-blocker {pattern}
+Final results:
+
+-add-header
+-block
++change-x-forwarded-for{block}
+-client-header-filter{hide-tor-exit-notation}
+-content-type-overwrite
+-crunch-client-header
+-crunch-if-none-match
+-crunch-incoming-cookies
+-crunch-outgoing-cookies
+-crunch-server-header
++deanimate-gifs {last}
+-downgrade-http-version
+-fast-redirects
+-filter {js-events}
+-filter {content-cookies}
+-filter {all-popups}
+-filter {banners-by-link}
+-filter {tiny-textforms}
+-filter {frameset-borders}
+-filter {demoronizer}
+-filter {shockwave-flash}
+-filter {quicktime-kioskmode}
+-filter {fun}
+-filter {crude-parental}
+-filter {site-specifics}
+-filter {js-annoyances}
+-filter {html-annoyances}
++filter {refresh-tags}
+-filter {unsolicited-popups}
++filter {img-reorder}
++filter {banners-by-size}
++filter {webbugs}
++filter {jumping-windows}
++filter {ie-exploits}
+-filter {google}
+-filter {yahoo}
+-filter {msn}
+-filter {blogspot}
+-filter {no-ping}
+-force-text-mode
+-handle-as-empty-document
+-handle-as-image
+-hide-accept-language
+-hide-content-disposition
++hide-from-header {block}
+-hide-if-modified-since
++hide-referrer {forge}
+-hide-user-agent
+-limit-connect
+-overwrite-last-modified
+-prevent-compression
+-redirect
+-server-header-filter{xml-to-html}
+-server-header-filter{html-to-xml}
+-session-cookies-only
++set-image-blocker {pattern}
</screen>
<para>
</para>
<screen>
- { +block{Domains starts with "ad"} }
- ad*.
+{ +block{Domains starts with "ad"} }
+ad*.
- { +block{Domain contains "ad"} }
- .ad.
+{ +block{Domain contains "ad"} }
+.ad.
- { +block{Doubleclick banner server} +handle-as-image }
- .[a-vx-z]*.doubleclick.net
+{ +block{Doubleclick banner server} +handle-as-image }
+.[a-vx-z]*.doubleclick.net
</screen>
<para>
</para>
<screen>
- Matches for http://www.example.net/adsl/HOWTO/:
-
- In file: default.action <guibutton>[ View ]</guibutton> <guibutton>[ Edit ]</guibutton>
-
- {-add-header
- -block
- +change-x-forwarded-for{block}
- -client-header-filter{hide-tor-exit-notation}
- -content-type-overwrite
- -crunch-client-header
- -crunch-if-none-match
- -crunch-incoming-cookies
- -crunch-outgoing-cookies
- -crunch-server-header
- +deanimate-gifs
- -downgrade-http-version
- +fast-redirects {check-decoded-url}
- -filter {js-events}
- -filter {content-cookies}
- -filter {all-popups}
- -filter {banners-by-link}
- -filter {tiny-textforms}
- -filter {frameset-borders}
- -filter {demoronizer}
- -filter {shockwave-flash}
- -filter {quicktime-kioskmode}
- -filter {fun}
- -filter {crude-parental}
- -filter {site-specifics}
- -filter {js-annoyances}
- -filter {html-annoyances}
- +filter {refresh-tags}
- -filter {unsolicited-popups}
- +filter {img-reorder}
- +filter {banners-by-size}
- +filter {webbugs}
- +filter {jumping-windows}
- +filter {ie-exploits}
- -filter {google}
- -filter {yahoo}
- -filter {msn}
- -filter {blogspot}
- -filter {no-ping}
- -force-text-mode
- -handle-as-empty-document
- -handle-as-image
- -hide-accept-language
- -hide-content-disposition
- +hide-from-header{block}
- +hide-referer{forge}
- -hide-user-agent
- -overwrite-last-modified
- +prevent-compression
- -redirect
- -server-header-filter{xml-to-html}
- -server-header-filter{html-to-xml}
- +session-cookies-only
- +set-image-blocker{blank} }
- /
-
- { +block{Path contains "ads".} +handle-as-image }
- /ads
+Matches for http://www.example.net/adsl/HOWTO/:
+
+In file: default.action <guibutton>[ View ]</guibutton> <guibutton>[ Edit ]</guibutton>
+
+{-add-header
+ -block
+ +change-x-forwarded-for{block}
+ -client-header-filter{hide-tor-exit-notation}
+ -content-type-overwrite
+ -crunch-client-header
+ -crunch-if-none-match
+ -crunch-incoming-cookies
+ -crunch-outgoing-cookies
+ -crunch-server-header
+ +deanimate-gifs
+ -downgrade-http-version
+ +fast-redirects {check-decoded-url}
+ -filter {js-events}
+ -filter {content-cookies}
+ -filter {all-popups}
+ -filter {banners-by-link}
+ -filter {tiny-textforms}
+ -filter {frameset-borders}
+ -filter {demoronizer}
+ -filter {shockwave-flash}
+ -filter {quicktime-kioskmode}
+ -filter {fun}
+ -filter {crude-parental}
+ -filter {site-specifics}
+ -filter {js-annoyances}
+ -filter {html-annoyances}
+ +filter {refresh-tags}
+ -filter {unsolicited-popups}
+ +filter {img-reorder}
+ +filter {banners-by-size}
+ +filter {webbugs}
+ +filter {jumping-windows}
+ +filter {ie-exploits}
+ -filter {google}
+ -filter {yahoo}
+ -filter {msn}
+ -filter {blogspot}
+ -filter {no-ping}
+ -force-text-mode
+ -handle-as-empty-document
+ -handle-as-image
+ -hide-accept-language
+ -hide-content-disposition
+ +hide-from-header{block}
+ +hide-referer{forge}
+ -hide-user-agent
+ -overwrite-last-modified
+ +prevent-compression
+ -redirect
+ -server-header-filter{xml-to-html}
+ -server-header-filter{html-to-xml}
+ +session-cookies-only
+ +set-image-blocker{blank} }
+/
+
+{ +block{Path contains "ads".} +handle-as-image }
+/ads
</screen>
<para>
</para>
<screen>
- { -block }
- /adsl
+{ -block }
+/adsl
</screen>
<para>
</para>
<screen>
- { +block{Path starts with "ads".} +handle-as-image }
- /ads
+{ +block{Path starts with "ads".} +handle-as-image }
+/ads
</screen>
<para>
</para>
<screen>
- { shop }
- .quietpc.com
- .worldpay.com # for quietpc.com
- .jungle.com
- .scan.co.uk
- .forbes.com
+{ shop }
+.quietpc.com
+.worldpay.com # for quietpc.com
+.jungle.com
+.scan.co.uk
+.forbes.com
</screen>
<para>
</para>
<screen>
- { -filter }
- # Disable ALL filter actions for sites in this section
- .forbes.com
- developer.ibm.com
- localhost
+{ -filter }
+# Disable ALL filter actions for sites in this section
+.forbes.com
+developer.ibm.com
+localhost
</screen>
<para>
</para>
<screen>
- { fragile }
- # Handle with care: easy to break
- mail.google.
- mybank.example.com</screen>
+{ fragile }
+# Handle with care: easy to break
+mail.google.
+mybank.example.com
+</screen>
<para>
projects / privoxy.git / blobdiff