+ never_direct allow all</pre>
+ </td>
+ </tr>
+ </table>
+ <p>You would then need to change your browser's proxy settings to <span class="APPLICATION">squid</span>'s
+ address and port. Squid normally uses port 3128. If unsure consult <tt class="LITERAL">http_port</tt> in
+ <tt class="FILENAME">squid.conf</tt>.</p>
+ <p>You could just as well decide to only forward requests you suspect of leading to Windows executables through
+ a virus-scanning parent proxy, say, on <tt class="LITERAL">antivir.example.com</tt>, port 8010:</p>
+ <table border="0" bgcolor="#E0E0E0" width="100%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward / .
+ forward /.*\.(exe|com|dll|zip)$ antivir.example.com:8010</pre>
+ </td>
+ </tr>
+ </table>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="FORWARDED-CONNECT-RETRIES" id="FORWARDED-CONNECT-RETRIES">7.5.4.
+ forwarded-connect-retries</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>How often Privoxy retries if a forwarded connection request fails.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Number of retries.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">0</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Connections forwarded through other proxies are treated like direct connections and no retry attempts
+ are made.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>forwarded-connect-retries</i></tt> is mainly interesting for socks4a
+ connections, where <span class="APPLICATION">Privoxy</span> can't detect why the connections failed. The
+ connection might have failed because of a DNS timeout in which case a retry makes sense, but it might
+ also have failed because the server doesn't exist or isn't reachable. In this case the retry will just
+ delay the appearance of Privoxy's error message.</p>
+ <p>Note that in the context of this option, <span class="QUOTE">"forwarded connections"</span> includes
+ all connections that Privoxy forwards through other proxies. This option is not limited to the HTTP
+ CONNECT method.</p>
+ <p>Only use this option, if you are getting lots of forwarding-related error messages that go away when
+ you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see
+ how many retries are usually needed.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>forwarded-connect-retries 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ </div>
+ <div class="SECT2">
+ <h2 class="SECT2"><a name="MISC" id="MISC">7.6. Miscellaneous</a></h2>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ACCEPT-INTERCEPTED-REQUESTS" id="ACCEPT-INTERCEPTED-REQUESTS">7.6.1.
+ accept-intercepted-requests</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether intercepted requests should be treated as valid.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">0</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Only proxy requests are accepted, intercepted requests are treated as invalid.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>If you don't trust your clients and want to force them to use <span class=
+ "APPLICATION">Privoxy</span>, enable this option and configure your packet filter to redirect outgoing
+ HTTP connections into <span class="APPLICATION">Privoxy</span>.</p>
+ <p>Note that intercepting encrypted connections (HTTPS) isn't supported.</p>
+ <p>Make sure that <span class="APPLICATION">Privoxy's</span> own requests aren't redirected as well.
+ Additionally take care that <span class="APPLICATION">Privoxy</span> can't intentionally connect to
+ itself, otherwise you could run into redirection loops if <span class="APPLICATION">Privoxy's</span>
+ listening port is reachable by the outside or an attacker has access to the pages you visit.</p>
+ <p>If you are running Privoxy as intercepting proxy without being able to intercept all client requests
+ you may want to adjust the CGI templates to make sure they don't reference content from
+ config.privoxy.org.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>accept-intercepted-requests 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ALLOW-CGI-REQUEST-CRUNCHING" id="ALLOW-CGI-REQUEST-CRUNCHING">7.6.2.
+ allow-cgi-request-crunching</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether requests to <span class="APPLICATION">Privoxy's</span> CGI pages can be blocked or
+ redirected.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">0</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p><span class="APPLICATION">Privoxy</span> ignores block and redirect actions for its CGI pages.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>By default <span class="APPLICATION">Privoxy</span> ignores block or redirect actions for its CGI
+ pages. Intercepting these requests can be useful in multi-user setups to implement fine-grained access
+ control, but it can also render the complete web interface useless and make debugging problems painful if
+ done without care.</p>
+ <p>Don't enable this option unless you're sure that you really need it.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>allow-cgi-request-crunching 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="SPLIT-LARGE-FORMS" id="SPLIT-LARGE-FORMS">7.6.3. split-large-forms</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether the CGI interface should stay compatible with broken HTTP clients.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">0</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>The CGI form generate long GET URLs.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p><span class="APPLICATION">Privoxy's</span> CGI forms can lead to rather long URLs. This isn't a
+ problem as far as the HTTP standard is concerned, but it can confuse clients with arbitrary URL length
+ limitations.</p>
+ <p>Enabling split-large-forms causes <span class="APPLICATION">Privoxy</span> to divide big forms into
+ smaller ones to keep the URL length down. It makes editing a lot less convenient and you can no longer
+ submit all changes at once, but at least it works around this browser bug.</p>
+ <p>If you don't notice any editing problems, there is no reason to enable this option, but if one of the
+ submit buttons appears to be broken, you should give it a try.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>split-large-forms 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="KEEP-ALIVE-TIMEOUT" id="KEEP-ALIVE-TIMEOUT">7.6.4. keep-alive-timeout</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Number of seconds after which an open connection will no longer be reused.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Time in seconds.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Connections are not kept alive.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This option allows clients to keep the connection to <span class="APPLICATION">Privoxy</span> alive.
+ If the server supports it, <span class="APPLICATION">Privoxy</span> will keep the connection to the
+ server alive as well. Under certain circumstances this may result in speed-ups.</p>
+ <p>By default, <span class="APPLICATION">Privoxy</span> will close the connection to the server if the
+ client connection gets closed, or if the specified timeout has been reached without a new request coming
+ in. This behaviour can be changed with the <a href="#CONNECTION-SHARING" target=
+ "_top">connection-sharing</a> option.</p>
+ <p>This option has no effect if <span class="APPLICATION">Privoxy</span> has been compiled without
+ keep-alive support.</p>
+ <p>Note that a timeout of five seconds as used in the default configuration file significantly decreases
+ the number of connections that will be reused. The value is used because some browsers limit the number
+ of connections they open to a single host and apply the same limit to proxies. This can result in a
+ single website <span class="QUOTE">"grabbing"</span> all the connections the browser allows, which means
+ connections to other websites can't be opened until the connections currently in use time out.</p>
+ <p>Several users have reported this as a Privoxy bug, so the default value has been reduced. Consider
+ increasing it to 300 seconds or even more if you think your browser can handle it. If your browser
+ appears to be hanging, it probably can't.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>keep-alive-timeout 300</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="TOLERATE-PIPELINING" id="TOLERATE-PIPELINING">7.6.5. tolerate-pipelining</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether or not pipelined requests should be served.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>If Privoxy receives more than one request at once, it terminates the client connection after serving
+ the first one.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p><span class="APPLICATION">Privoxy</span> currently doesn't pipeline outgoing requests, thus allowing
+ pipelining on the client connection is not guaranteed to improve the performance.</p>
+ <p>By default <span class="APPLICATION">Privoxy</span> tries to discourage clients from pipelining by
+ discarding aggressively pipelined requests, which forces the client to resend them through a new
+ connection.</p>
+ <p>This option lets <span class="APPLICATION">Privoxy</span> tolerate pipelining. Whether or not that
+ improves performance mainly depends on the client configuration.</p>
+ <p>If you are seeing problems with pages not properly loading, disabling this option could work around
+ the problem.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>tolerate-pipelining 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="DEFAULT-SERVER-TIMEOUT" id="DEFAULT-SERVER-TIMEOUT">7.6.6.
+ default-server-timeout</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Assumed server-side keep-alive timeout if not specified by the server.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Time in seconds.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Connections for which the server didn't specify the keep-alive timeout are not reused.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Enabling this option significantly increases the number of connections that are reused, provided the
+ <a href="#KEEP-ALIVE-TIMEOUT" target="_top">keep-alive-timeout</a> option is also enabled.</p>
+ <p>While it also increases the number of connections problems when <span class=
+ "APPLICATION">Privoxy</span> tries to reuse a connection that already has been closed on the server side,
+ or is closed while <span class="APPLICATION">Privoxy</span> is trying to reuse it, this should only be a
+ problem if it happens for the first request sent by the client. If it happens for requests on reused
+ client connections, <span class="APPLICATION">Privoxy</span> will simply close the connection and the
+ client is supposed to retry the request without bothering the user.</p>
+ <p>Enabling this option is therefore only recommended if the <a href="#CONNECTION-SHARING" target=
+ "_top">connection-sharing</a> option is disabled.</p>
+ <p>It is an error to specify a value larger than the <a href="#KEEP-ALIVE-TIMEOUT" target=
+ "_top">keep-alive-timeout</a> value.</p>
+ <p>This option has no effect if <span class="APPLICATION">Privoxy</span> has been compiled without
+ keep-alive support.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>default-server-timeout 60</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CONNECTION-SHARING" id="CONNECTION-SHARING">7.6.7. connection-sharing</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether or not outgoing connections that have been kept alive should be shared between different
+ incoming connections.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Connections are not shared.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This option has no effect if <span class="APPLICATION">Privoxy</span> has been compiled without
+ keep-alive support, or if it's disabled.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Note that reusing connections doesn't necessary cause speedups. There are also a few privacy
+ implications you should be aware of.</p>
+ <p>If this option is effective, outgoing connections are shared between clients (if there are more than
+ one) and closing the browser that initiated the outgoing connection does no longer affect the connection
+ between <span class="APPLICATION">Privoxy</span> and the server unless the client's request hasn't been
+ completed yet.</p>
+ <p>If the outgoing connection is idle, it will not be closed until either <span class=
+ "APPLICATION">Privoxy's</span> or the server's timeout is reached. While it's open, the server knows that
+ the system running <span class="APPLICATION">Privoxy</span> is still there.</p>
+ <p>If there are more than one client (maybe even belonging to multiple users), they will be able to reuse
+ each others connections. This is potentially dangerous in case of authentication schemes like NTLM where
+ only the connection is authenticated, instead of requiring authentication for each request.</p>
+ <p>If there is only a single client, and if said client can keep connections alive on its own, enabling
+ this option has next to no effect. If the client doesn't support connection keep-alive, enabling this
+ option may make sense as it allows <span class="APPLICATION">Privoxy</span> to keep outgoing connections
+ alive even if the client itself doesn't support it.</p>
+ <p>You should also be aware that enabling this option increases the likelihood of getting the "No server
+ or forwarder data" error message, especially if you are using a slow connection to the Internet.</p>
+ <p>This option should only be used by experienced users who understand the risks and can weight them
+ against the benefits.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>connection-sharing 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
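Review bot: The connection-sharing entry contains two consecutive <dt>Notes:</dt> items, the first holding only the keep-alive sentence; merge them into one Notes entry so the list matches the other options. In the same notes, "doesn't necessary cause speedups" should be "doesn't necessarily", "each others connections" needs an apostrophe, and "can weight them" should be "can weigh them". The NTLM paragraph is the main caveat for multi-user setups, so consider placing it directly after the "privacy implications" sentence instead of fourth.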
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="SOCKET-TIMEOUT" id="SOCKET-TIMEOUT">7.6.8. socket-timeout</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Number of seconds after which a socket times out if no data is received.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Time in seconds.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>A default value of 300 seconds is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow
+ proxy like Tor, reducing it to a few seconds should be fine.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>socket-timeout 300</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
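Review bot: In socket-timeout, "Default value: None" contradicts "Effect if unset: A default value of 300 seconds is used"; state the default as 300. The example "socket-timeout 300" also just repeats that default while the notes advise reducing it, so an example with a lower value would match the advice better.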
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="MAX-CLIENT-CONNECTIONS" id="MAX-CLIENT-CONNECTIONS">7.6.9.
+ max-client-connections</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Maximum number of client connections that will be served.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Positive number.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>128</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Connections are served until a resource limit is reached.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p><span class="APPLICATION">Privoxy</span> creates one thread (or process) for every incoming client
+ connection that isn't rejected based on the access control settings.</p>
+ <p>If the system is powerful enough, <span class="APPLICATION">Privoxy</span> can theoretically deal with
+ several hundred (or thousand) connections at the same time, but some operating systems enforce resource
+ limits by shutting down offending processes and their default limits may be below the ones <span class=
+ "APPLICATION">Privoxy</span> would require under heavy load.</p>
+ <p>Configuring <span class="APPLICATION">Privoxy</span> to enforce a connection limit below the thread or
+ process limit used by the operating system makes sure this doesn't happen. Simply increasing the
+ operating system's limit would work too, but if <span class="APPLICATION">Privoxy</span> isn't the only
+ application running on the system, you may actually want to limit the resources used by <span class=
+ "APPLICATION">Privoxy</span>.</p>
+ <p>If <span class="APPLICATION">Privoxy</span> is only used by a single trusted user, limiting the number
+ of client connections is probably unnecessary. If there are multiple possibly untrusted users you
+ probably still want to additionally use a packet filter to limit the maximal number of incoming
+ connections per client. Otherwise a malicious user could intentionally create a high number of
+ connections to prevent other users from using <span class="APPLICATION">Privoxy</span>.</p>
+ <p>Obviously using this option only makes sense if you choose a limit below the one enforced by the
+ operating system.</p>
+ <p>One most POSIX-compliant systems <span class="APPLICATION">Privoxy</span> can't properly deal with
+ more than FD_SETSIZE file descriptors at the same time and has to reject connections if the limit is
+ reached. This will likely change in a future version, but currently this limit can't be increased without
+ recompiling <span class="APPLICATION">Privoxy</span> with a different FD_SETSIZE limit.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>max-client-connections 256</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
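Review bot: In max-client-connections, "Default value: 128" conflicts with "Effect if unset: Connections are served until a resource limit is reached", which describes having no limit; correct one of the two so readers know whether a cap applies out of the box. The last notes paragraph opens with "One most POSIX-compliant systems", which should read "On most". The paragraph about untrusted users would be clearer if it said outright that this option is a global cap and does not limit connections per client, which is why the packet filter is still needed.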
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="LISTEN-BACKLOG" id="LISTEN-BACKLOG">7.6.10. listen-backlog</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Connection queue length requested from the operating system.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Number.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>128</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>A connection queue length of 128 is requested from the operating system.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue
+ length is limited by the operating system. Once the queue is full, additional connections are dropped
+ before Privoxy can accept and serve them.</p>
+ <p>Increasing the queue length allows Privoxy to accept more incoming connections that arrive roughly at
+ the same time.</p>
+ <p>Note that Privoxy can only request a certain queue length, whether or not the requested length is
+ actually used depends on the operating system which may use a different length instead.</p>
+ <p>On many operating systems a limit of -1 can be specified to instruct the operating system to use the
+ maximum queue length allowed. Check the listen man page to see if your platform allows this.</p>
+ <p>On some platforms you can use "netstat -Lan -p tcp" to see the effective queue length.</p>
+ <p>Effectively using a value above 128 usually requires changing the system configuration as well. On
+ FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>listen-backlog 4096</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ENABLE-ACCEPT-FILTER" id="ENABLE-ACCEPT-FILTER">7.6.11.
+ enable-accept-filter</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether or not Privoxy should use an accept filter</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>0</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>No accept filter is enabled.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Accept filters reduce the number of context switches by not passing sockets for new connections to
+ Privoxy until a complete HTTP request is available.</p>
+ <p>As a result, Privoxy can process the whole request right away without having to wait for additional
+ data first.</p>
+ <p>For this option to work, Privoxy has to be compiled with FEATURE_ACCEPT_FILTER and the operating
+ system has to support it (which may require loading a kernel module).</p>
+ <p>Currently accept filters are only supported on FreeBSD-based systems. Check the <a href=
+ "https://www.freebsd.org/cgi/man.cgi?query=accf_http" target="_top">accf_http(9) man page</a> to learn
+ how to enable the support in the operating system.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>enable-accept-filter 1</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="HANDLE-AS-EMPTY-DOC-RETURNS-OK" id="HANDLE-AS-EMPTY-DOC-RETURNS-OK">7.6.12.
+ handle-as-empty-doc-returns-ok</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The status code Privoxy returns for pages blocked with <tt class="LITERAL"><a href=
+ "actions-file.html#HANDLE-AS-EMPTY-DOCUMENT" target="_top">+handle-as-empty-document</a></tt>.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>0</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Privoxy returns a status 403(forbidden) for all blocked pages.</p>
+ </dd>
+ <dt>Effect if set:</dt>
+ <dd>
+ <p>Privoxy returns a status 200(OK) for pages blocked with +handle-as-empty-document and a status
+ 403(Forbidden) for all other blocked pages.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive was added as a work-around for Firefox bug 492459: <span class="QUOTE">"Websites are no
+ longer rendered if SSL requests for JavaScripts are blocked by a proxy."</span> ( <a href=
+ "https://bugzilla.mozilla.org/show_bug.cgi?id=492459" target=
+ "_top">https://bugzilla.mozilla.org/show_bug.cgi?id=492459</a>), the bug has been fixed for quite some
+ time, but this directive is also useful to make it harder for websites to detect whether or not resources
+ are being blocked.</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
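Review bot: The handle-as-empty-doc-returns-ok entry has no "Example:" item, unlike the preceding options; add one. "403(forbidden)" and "403(Forbidden)" are capitalised inconsistently and lack a space before the parenthesis. The Notes sentence joins the Firefox bug reference and "the bug has been fixed for quite some time" with a comma; split it into two sentences.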
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="ENABLE-COMPRESSION" id="ENABLE-COMPRESSION">7.6.13. enable-compression</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether or not buffered content is compressed before delivery.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or 1</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>0</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Privoxy does not compress buffered content.</p>
+ </dd>
+ <dt>Effect if set:</dt>
+ <dd>
+ <p>Privoxy compresses buffered content before delivering it to the client, provided the client supports
+ it.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive is only supported if Privoxy has been compiled with FEATURE_COMPRESSION, which should
+ not to be confused with FEATURE_ZLIB.</p>
+ <p>Compressing buffered content is mainly useful if Privoxy and the client are running on different
+ systems. If they are running on the same system, enabling compression is likely to slow things down. If
+ you didn't measure otherwise, you should assume that it does and keep this option disabled.</p>
+ <p>Privoxy will not compress buffered content below a certain length.</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="COMPRESSION-LEVEL" id="COMPRESSION-LEVEL">7.6.14. compression-level</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The compression level that is passed to the zlib library when compressing buffered content.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Positive number ranging from 0 to 9.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>1</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Compressing the data more takes usually longer than compressing it less or not compressing it at all.
+ Which level is best depends on the connection between Privoxy and the client. If you can't be bothered to
+ benchmark it for yourself, you should stick with the default and keep compression disabled.</p>
+ <p>If compression is disabled, the compression level is irrelevant.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Best speed (compared to the other levels)
+ compression-level 1
+
+ # Best compression
+ compression-level 9
+
+ # No compression. Only useful for testing as the added header
+ # slightly increases the amount of data that has to be sent.
+ # If your benchmark shows that using this compression level
+ # is superior to using no compression at all, the benchmark
+ # is likely to be flawed.
+ compression-level 0</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CLIENT-HEADER-ORDER" id="CLIENT-HEADER-ORDER">7.6.15. client-header-order</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The order in which client headers are sorted before forwarding them.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Client header names delimited by spaces or tabs</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>By default <span class="APPLICATION">Privoxy</span> leaves the client headers in the order they were
+ sent by the client. Headers are modified in-place, new headers are added at the end of the already
+ existing headers.</p>
+ <p>The header order can be used to fingerprint client requests independently of other headers like the
+ User-Agent.</p>
+ <p>This directive allows to sort the headers differently to better mimic a different User-Agent. Client
+ headers will be emitted in the order given, headers whose name isn't explicitly specified are added at
+ the end.</p>
+ <p>Note that sorting headers in an uncommon way will make fingerprinting actually easier. Encrypted
+ headers are not affected by this directive.</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CLIENT-SPECIFIC-TAG" id="CLIENT-SPECIFIC-TAG">7.6.16. client-specific-tag</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The name of a tag that will always be set for clients that requested it through the webinterface.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Tag name followed by a description that will be shown in the
+ webinterface</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ <p>Client-specific tags allow Privoxy admins to create different profiles and let the users chose which
+ one they want without impacting other users.</p>
+ <p>One use case is allowing users to circumvent certain blocks without having to allow them to circumvent
+ all blocks. This is not possible with the <a href="config.html#ENABLE-REMOTE-TOGGLE">enable-remote-toggle
+ feature</a> because it would bluntly disable all blocks for all users and also affect other actions like
+ filters. It also is set globally which renders it useless in most multi-user setups.</p>
+ <p>After a client-specific tag has been defined with the client-specific-tag directive, action sections
+ can be activated based on the tag by using a <a href="actions-file.html#CLIENT-TAG-PATTERN" target=
+ "_top">CLIENT-TAG</a> pattern. The CLIENT-TAG pattern is evaluated at the same priority as URL patterns,
+ as a result the last matching pattern wins. Tags that are created based on client or server headers are
+ evaluated later on and can overrule CLIENT-TAG and URL patterns!</p>
+ <p>The tag is set for all requests that come from clients that requested it to be set. Note that
+ "clients" are differentiated by IP address, if the IP address changes the tag has to be requested
+ again.</p>
+ <p>Clients can request tags to be set by using the CGI interface <a href=
+ "http://config.privoxy.org/client-tags" target="_top">http://config.privoxy.org/client-tags</a>. The
+ specific tag description is only used on the web page and should be phrased in away that the user
+ understand the effect of the tag.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Define a couple of tags, the described effect requires action sections
+ # that are enabled based on CLIENT-TAG patterns.
+ client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
+ client-specific-tag disable-content-filters Disable content-filters but do not affect other actions</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
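Review bot: The enable-remote-toggle link in the client-specific-tag notes uses href="config.html#ENABLE-REMOTE-TOGGLE" without target="_top", while the other same-page links in this file use a bare "#ANCHOR" with target="_top"; make it consistent. Typos in the same notes: "let the users chose" (choose) and "phrased in away that the user understand" (in a way that the user understands). Because clients are told apart by IP address only, it is worth stating here that clients sharing an address also share tags.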
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CLIENT-TAG-LIFETIME" id="CLIENT-TAG-LIFETIME">7.6.17. client-tag-lifetime</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>How long a temporarily enabled tag remains enabled.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Time in seconds.</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>60</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ <p>In case of some tags users may not want to enable them permanently, but only for a short amount of
+ time, for example to circumvent a block that is the result of an overly-broad URL pattern.</p>
+ <p>The CGI interface <a href="http://config.privoxy.org/client-tags" target=
+ "_top">http://config.privoxy.org/client-tags</a> therefore provides a "enable this tag temporarily"
+ option. If it is used, the tag will be set until the client-tag-lifetime is over.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Increase the time to life for temporarily enabled tags to 3 minutes
+ client-tag-lifetime 180</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="TRUST-X-FORWARDED-FOR" id="TRUST-X-FORWARDED-FOR">7.6.18.
+ trust-x-forwarded-for</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Whether or not Privoxy should use IP addresses specified with the X-Forwarded-For header</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>0 or one</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>0</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ <p>If clients reach Privoxy through another proxy, for example a load balancer, Privoxy can't tell the
+ client's IP address from the connection. If multiple clients use the same proxy, they will share the same
+ client tag settings which is usually not desired.</p>
+ <p>This option lets Privoxy use the X-Forwarded-For header value as client IP address. If the proxy sets
+ the header, multiple clients using the same proxy do not share the same client tag settings.</p>
+ <p>This option should only be enabled if Privoxy can only be reached through a proxy and if the proxy can
+ be trusted to set the header correctly. It is recommended that ACL are used to make sure only trusted
+ systems can reach Privoxy.</p>
+ <p>If access to Privoxy isn't limited to trusted systems, this option would allow malicious clients to
+ change the client tags for other clients or increase Privoxy's memory requirements by registering lots of
+ client tag settings for clients that don't exist.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Allow systems that can reach Privoxy to provide the client
+ # IP address with a X-Forwarded-For header.
+ trust-x-forwarded-for 1</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="RECEIVE-BUFFER-SIZE" id="RECEIVE-BUFFER-SIZE">7.6.19. receive-buffer-size</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The size of the buffer Privoxy uses to receive data from the server.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p><tt class="REPLACEABLE"><i>Size in bytes</i></tt></p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>5000</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Increasing the receive-buffer-size increases Privoxy's memory usage but can lower the number of
+ context switches and thereby reduce the cpu usage and potentially increase the throughput.</p>
+ <p>This is mostly relevant for fast network connections and large downloads that don't require
+ filtering.</p>
+ <p>Reducing the buffer size reduces the amount of memory Privoxy needs to handle the request but
+ increases the number of systemcalls and may reduce the throughput.</p>
+ <p>A dtrace command like: <span class="QUOTE">"sudo dtrace -n 'syscall::read:return /execname ==
+ "privoxy"/ { @[execname] = llquantize(arg0, 10, 0, 5, 20); @m = max(arg0)}'"</span> can be used to
+ properly tune the receive-buffer-size. On systems without dtrace, strace or truss may be used as less
+ convenient alternatives.</p>
+ <p>If the buffer is too large it will increase Privoxy's memory footprint without any benefit. As the
+ memory is (currently) cleared before using it, a buffer that is too large can actually reduce the
+ throughput.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Increase the receive buffer size
+ receive-buffer-size 32768</pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ </div>
+ <div class="SECT2">
+ <h2 class="SECT2"><a name="HTTPS-INSPECTION-DIRECTIVES" id="HTTPS-INSPECTION-DIRECTIVES">7.7. HTTPS Inspection
+ (Experimental)</a></h2>
+ <p>HTTPS inspection allows to filter encrypted requests. This is only supported when <span class=
+ "APPLICATION">Privoxy</span> has been built with FEATURE_HTTPS_INSPECTION.</p>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-DIRECTORY" id="CA-DIRECTORY">7.7.1. ca-directory</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Directory with the CA key, the CA certificate and the trusted CAs file.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">Empty string</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the directory where the CA key, the CA certificate and the trusted CAs file
+ are located.</p>
+ <p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
+ "APPLICATION">Privoxy</span> admin access the directory.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>ca-directory /usr/local/etc/privoxy/CA</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-CERT-FILE" id="CA-CERT-FILE">7.7.2. ca-cert-file</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The CA certificate file in ".crt" format.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">cacert.crt</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the name of the CA certificate file in ".crt" format.</p>
+ <p>The file is used by <span class="APPLICATION">Privoxy</span> to generate website certificates when
+ https inspection is enabled with the <tt class="LITERAL"><a href="actions-file.html#HTTPS-INSPECTION"
+ target="_top">https-inspection</a></tt> action.</p>
+ <p><span class="APPLICATION">Privoxy</span> clients should import the certificate so that they can
+ validate the generated certificates.</p>
+ <p>The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
+ cacert.crt -days 3650</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>ca-cert-file root.crt</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-KEY-FILE" id="CA-KEY-FILE">7.7.3. ca-key-file</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The CA key file in ".pem" format.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">cacert.pem</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the name of the CA key file in ".pem" format. See the <a href="#CA-CERT-FILE"
+ target="_top">ca-cert-file</a> for a command to generate it.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>ca-key-file cakey.pem</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-PASSWORD" id="CA-PASSWORD">7.7.4. ca-password</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The password for the CA keyfile.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">Empty string</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the password for the CA keyfile that is used when Privoxy generates
+ certificates for intercepted requests.</p>
+ <p>Note that the password is shown on the CGI page so don't reuse an important one.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>ca-password blafasel</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CERTIFICATE-DIRECTORY" id="CERTIFICATE-DIRECTORY">7.7.5.
+ certificate-directory</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Directory to save generated keys and certificates.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">./certs</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the directory where generated TLS/SSL keys and certificates are saved when
+ https inspection is enabled with the <tt class="LITERAL"><a href="actions-file.html#HTTPS-INSPECTION"
+ target="_top">https-inspection</a></tt> action.</p>
+ <p>The keys and certificates currently have to be deleted manually when changing the <a href=
+ "#CA-CERT-FILE" target="_top">ca-cert-file</a> and the <a href="#CA-CERT-KEY" target=
+ "_top">ca-cert-key</a>.</p>
+ <p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
+ "APPLICATION">Privoxy</span> admin access the directory.</p>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p><span class="APPLICATION">Privoxy</span> currently does not garbage-collect obsolete keys and
+ certificates and does not keep track of how may keys and certificates exist.</p>
+ <p><span class="APPLICATION">Privoxy</span> admins should monitor the size of the directory
+ and/or make sure there is sufficient space available. A cron job to limit the number of keys and
+ certificates to a certain number may be worth considering.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>certificate-directory /usr/local/var/privoxy/certs</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CIPHER-LIST" id="CIPHER-LIST">7.7.6. cipher-list</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>A list of ciphers to use in TLS handshakes</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>A default value is inherited from the TLS library.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive allows to specify a non-default list of ciphers to use in TLS handshakes with clients
+ and servers.</p>
+ <p>Ciphers are separated by colons. Which ciphers are supported depends on the TLS library. When using
+ OpenSSL, unsupported ciphers are skipped. When using MbedTLS they are rejected.</p>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p>Specifying an unusual cipher list makes fingerprinting easier. Note that the default list
+ provided by the TLS library may be unusual when compared to the one used by modern browsers as
+ well.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Explicitly set a couple of ciphers with names used by MbedTLS
+ cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+ </pre>
+ </td>
+ </tr>
+ </table>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+ </pre>
+ </td>
+ </tr>
+ </table>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class=
+ "SCREEN"> # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+ cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="TRUSTED-CAS-FILE" id="TRUSTED-CAS-FILE">7.7.7. trusted-cas-file</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The trusted CAs file in ".pem" format.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>File name relative to ca-directory</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">trustedCAs.pem</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the trusted CAs file that is used when validating certificates for
+ intercepted TLS/SSL requests.</p>
+ <p>An example file can be downloaded from <a href="https://curl.haxx.se/ca/cacert.pem" target=
+ "_top">https://curl.haxx.se/ca/cacert.pem</a>.</p>
+ </dd>
+ <dt>Example:</dt>
+ <dd>
+ <p>trusted-cas-file trusted_cas_file.pem</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ </div>
+ <div class="SECT2">
+ <h2 class="SECT2"><a name="WINDOWS-GUI" id="WINDOWS-GUI">7.8. Windows GUI Options</a></h2>
+ <p><span class="APPLICATION">Privoxy</span> has a number of options specific to the Windows GUI
+ interface:</p><a name="ACTIVITY-ANIMATION" id="ACTIVITY-ANIMATION"></a>
+ <p>If <span class="QUOTE">"activity-animation"</span> is set to 1, the <span class="APPLICATION">Privoxy</span>
+ icon will animate when <span class="QUOTE">"Privoxy"</span> is active. To turn off, set to 0.</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">activity-animation
+ 1</i></span></p><a name="LOG-MESSAGES" id="LOG-MESSAGES"></a>
+ <p>If <span class="QUOTE">"log-messages"</span> is set to 1, <span class="APPLICATION">Privoxy</span> copies log
+ messages to the console window. The log detail depends on the <a href="config.html#DEBUG">debug</a>
+ directive.</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">log-messages
+ 1</i></span></p><a name="LOG-BUFFER-SIZE" id="LOG-BUFFER-SIZE"></a>
+ <p>If <span class="QUOTE">"log-buffer-size"</span> is set to 1, the size of the log buffer, i.e. the amount of
+ memory used for the log messages displayed in the console window, will be limited to <span class=
+ "QUOTE">"log-max-lines"</span> (see below).</p>
+ <p>Warning: Setting this to 0 will result in the buffer to grow infinitely and eat up all your memory!</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">log-buffer-size
+ 1</i></span></p><a name="LOG-MAX-LINES" id="LOG-MAX-LINES"></a>
+ <p><span class="APPLICATION">log-max-lines</span> is the maximum number of lines held in the log buffer. See
+ above.</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">log-max-lines
+ 200</i></span></p><a name="LOG-HIGHLIGHT-MESSAGES" id="LOG-HIGHLIGHT-MESSAGES"></a>
+ <p>If <span class="QUOTE">"log-highlight-messages"</span> is set to 1, <span class="APPLICATION">Privoxy</span>
+ will highlight portions of the log messages with a bold-faced font:</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">log-highlight-messages
+ 1</i></span></p><a name="LOG-FONT-NAME" id="LOG-FONT-NAME"></a>
+ <p>The font used in the console window:</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">log-font-name Comic Sans
+ MS</i></span></p><a name="LOG-FONT-SIZE" id="LOG-FONT-SIZE"></a>
+ <p>Font size used in the console window:</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">log-font-size
+ 8</i></span></p><a name="SHOW-ON-TASK-BAR" id="SHOW-ON-TASK-BAR"></a>
+ <p><span class="QUOTE">"show-on-task-bar"</span> controls whether or not <span class="APPLICATION">Privoxy</span>
+ will appear as a button on the Task bar when minimized:</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">show-on-task-bar
+ 0</i></span></p><a name="CLOSE-BUTTON-MINIMIZES" id="CLOSE-BUTTON-MINIMIZES"></a>
+ <p>If <span class="QUOTE">"close-button-minimizes"</span> is set to 1, the Windows close button will minimize
+ <span class="APPLICATION">Privoxy</span> instead of closing the program (close with the exit option on the File
+ menu).</p>
+ <p class="LITERALLAYOUT"> <span class="emphasis"><i class="EMPHASIS">close-button-minimizes
+ 1</i></span></p><a name="HIDE-CONSOLE" id="HIDE-CONSOLE"></a>
+ <p>The <span class="QUOTE">"hide-console"</span> option is specific to the MS-Win console version of <span class=
+ "APPLICATION">Privoxy</span>. If this option is used, <span class="APPLICATION">Privoxy</span> will disconnect
+ from and hide the command console.</p>
+ <p class="LITERALLAYOUT"> #<span class="emphasis"><i class="EMPHASIS">hide-console</i></span></p>
+ </div>
+ </div>
+ <div class="NAVFOOTER">
+ <hr align="left" width="100%">
+ <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td width="33%" align="left" valign="top"><a href="configuration.html" accesskey="P">Prev</a></td>
+ <td width="34%" align="center" valign="top"><a href="index.html" accesskey="H">Home</a></td>
+ <td width="33%" align="right" valign="top"><a href="actions-file.html" accesskey="N">Next</a></td>
+ </tr>
+ <tr>
+ <td width="33%" align="left" valign="top">Privoxy Configuration</td>
+ <td width="34%" align="center" valign="top"> </td>
+ <td width="33%" align="right" valign="top">Actions Files</td>
+ </tr>
+ </table>
+ </div>
+</body>
+</html>
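Review bot: the MbedTLS example under 7.7.6 cipher-list repeats the directive name ("cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\"), so a copied value begins with the literal string "cipher-list", and the notes just above it say MbedTLS rejects unsupported ciphers instead of skipping them; drop the second "cipher-list". The HTTPS inspection section has a few more inconsistencies worth fixing in the same pass. 7.7.3 ca-key-file gives its default as "cacert.pem", which disagrees with both the "-keyout cakey.pem" in the openssl command in 7.7.2 and the "ca-key-file cakey.pem" example, so please check the documented default against the code. 7.7.5 certificate-directory links to "#CA-CERT-KEY" with the text "ca-cert-key", but the anchor defined for that directive is CA-KEY-FILE and the directive is named ca-key-file, so the link is dead and the name is wrong. The OpenSSL cipher example lists ECDHE-RSA-AES256-GCM-SHA384 twice (first entry and second-to-last entry). 7.7.4 ca-password warns that the password is shown on "the CGI page" without saying which page or pointing readers at restricting access to it; since this password protects the key used to sign the generated certificates, naming the page and cross-referencing the ACL directives would help. Smaller wording points: "time to life" in the client-tag-lifetime example comment should read "time to live", "how may keys" in the certificate-directory warning should read "how many keys", the trust-x-forwarded-for type of value mixes "0 or one", and "7.7. HTTPS Inspection" uses "allows to filter" and "allows to specify" where "allows filtering" and "allows specifying" would read better.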