->Prevent abuse of <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
-> as a TCP proxy relay or disable SSL for untrusted sites</P
-></DD
-><DT
->Effect:</DT
-><DD
-><P
-> Specifies to which ports HTTP CONNECT requests are allowable.
- </P
-></DD
-><DT
->Type:</DT
-><DD
-><P
->Parameterized.</P
-></DD
-><DT
->Parameter:</DT
-><DD
-><P
-> A comma-separated list of ports or port ranges (the latter using dashes, with the minimum
- defaulting to 0 and the maximum to 65K).
- </P
-></DD
-><DT
->Notes:</DT
-><DD
-><P
-> By default, i.e. if no <TT
-CLASS="LITERAL"
->limit-connect</TT
-> action applies,
- <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
-> only allows HTTP CONNECT
- requests to port 443 (the standard, secure HTTPS port). Use
- <TT
-CLASS="LITERAL"
->limit-connect</TT
-> if more fine-grained control is desired
- for some or all destinations.
- </P
-><P
-> The CONNECT methods exists in HTTP to allow access to secure websites
- (<SPAN
-CLASS="QUOTE"
->"https://"</SPAN
-> URLs) through proxies. It works very simply:
- the proxy connects to the server on the specified port, and then
- short-circuits its connections to the client and to the remote server.
- This can be a big security hole, since CONNECT-enabled proxies can be
- abused as TCP relays very easily.
- </P
-><P
-> <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
-> relays HTTPS traffic without seeing
- the decoded content. Websites can leverage this limitation to circumvent <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
->'s
- filters. By specifying an invalid port range you can disable HTTPS entirely.
- If you plan to disable SSL by default, consider enabling
- <TT
-CLASS="LITERAL"
-><A
-HREF="actions-file.html#TREAT-FORBIDDEN-CONNECTS-LIKE-BLOCKS"
->treat-forbidden-connects-like-blocks</A
-></TT
->
- as well, to be able to quickly create exceptions.
- </P
-></DD
-><DT
->Example usages:</DT
-><DD
-><P
-> <TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="SCREEN"
->+limit-connect{443} # This is the default and need not be specified.
-+limit-connect{80,443} # Ports 80 and 443 are OK.
-+limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK.
-+limit-connect{-} # All ports are OK
-+limit-connect{,} # No HTTPS/SSL traffic is allowed</PRE
-></TD
-></TR
-></TABLE
->
- </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><H4
-CLASS="SECT3"
-><A
-NAME="PREVENT-COMPRESSION"
->8.5.29. prevent-compression</A
-></H4
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->Typical use:</DT
-><DD
-><P
-> Ensure that servers send the content uncompressed, so it can be
- passed through <TT
-CLASS="LITERAL"
-><A
-HREF="actions-file.html#FILTER"
->filter</A
-></TT
->s.
- </P
-></DD
-><DT
->Effect:</DT
-><DD
-><P
-> Removes the Accept-Encoding header which can be used to ask for compressed transfer.
- </P
-></DD
-><DT
->Type:</DT
-><DD
-><P
->Boolean.</P
-></DD
-><DT
->Parameter:</DT
-><DD
-><P
-> N/A
- </P
-></DD
-><DT
->Notes:</DT
-><DD
-><P
-> More and more websites send their content compressed by default, which
- is generally a good idea and saves bandwidth. But the <TT
-CLASS="LITERAL"
-><A
-HREF="actions-file.html#FILTER"
->filter</A
-></TT
->, <TT
-CLASS="LITERAL"
-><A
-HREF="actions-file.html#DEANIMATE-GIFS"
->deanimate-gifs</A
-></TT
->
- and <TT
-CLASS="LITERAL"
-><A
-HREF="actions-file.html#KILL-POPUPS"
->kill-popups</A
-></TT
-> actions need
- access to the uncompressed data.
- </P
-><P
-> When compiled with zlib support (available since <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
-> 3.0.7), content that should be
- filtered is decompressed on-the-fly and you don't have to worry about this action.
- If you are using an older <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
-> version, or one that hasn't been compiled with zlib
- support, this action can be used to convince the server to send the content uncompressed.
- </P
-><P
-> Most text-based instances compress very well, the size is seldom decreased by less than 50%,
- for markup-heavy instances like news feeds saving more than 90% of the original size isn't
- unusual.
- </P
-><P
-> Not using compression will therefore slow down the transfer, and you should only
- enable this action if you really need it. As of <SPAN
-CLASS="APPLICATION"
->Privoxy</SPAN
-> 3.0.7 it's disabled in all
- predefined action settings.
- </P
-><P
-> Note that some (rare) ill-configured sites don't handle requests for uncompressed
- documents correctly. Broken PHP applications tend to send an empty document body,
- some IIS versions only send the beginning of the content. If you enable
- <TT
-CLASS="LITERAL"
->prevent-compression</TT
-> per default, you might want to add
- exceptions for those sites. See the example for how to do that.
- </P
-></DD
-><DT
->Example usage (sections):</DT
-><DD
-><P
-> <TABLE
-BORDER="0"
-BGCOLOR="#E0E0E0"
-WIDTH="90%"
-><TR
-><TD
-><PRE
-CLASS="SCREEN"
-># Selectively turn off compression, and enable a filter
-#
-{ +filter{tiny-textforms} +prevent-compression }
-# Match only these sites
- .google.
- sourceforge.net
- sf.net
-
-# Or instead, we could set a universal default:
-#
-{ +prevent-compression }
- / # Match all sites
-
-# Then maybe make exceptions for broken sites:
-#
-{ -prevent-compression }
-.compusa.com/</PRE
-></TD
-></TR
-></TABLE
->
- </P
-></DD
-></DL
-></DIV
-></DIV
-><DIV
-CLASS="SECT3"
-><H4
-CLASS="SECT3"
-><A
-NAME="OVERWRITE-LAST-MODIFIED"
->8.5.30. overwrite-last-modified</A
-></H4
-><P
-></P
-><DIV
-CLASS="VARIABLELIST"
-><DL
-><DT
->Typical use:</DT
-><DD
-><P
->Prevent yet another way to track the user's steps between sessions.</P
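Review bot: the example comment on the removed `+limit-connect{-3, 7, 20-100, 500-}` line describes `-3` as "less than 3" and `500-` as "above 500", yet reads `20-100` as "20 to 100", so it is unclear whether range bounds are inclusive. The Parameter text adds to this by giving the default maximum only as "65K". If this documentation is being regenerated or moved rather than dropped, the replacement should state the bounds unambiguously and give the upper limit as an exact port number. It should also keep the two notes from the limit-connect section: that CONNECT is only allowed to port 443 by default, and that CONNECT-enabled proxies can be abused as TCP relays. Those notes are what tell an administrator why `+limit-connect{-}` is a risky setting.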