<head>
<title>The Main Configuration File</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
- <link rel="HOME" title="Privoxy 3.0.29 User Manual" href="index.html">
+ <link rel="HOME" title="Privoxy 3.0.30 User Manual" href="index.html">
<link rel="PREVIOUS" title="Privoxy Configuration" href="configuration.html">
<link rel="NEXT" title="Actions Files" href="actions-file.html">
<link rel="STYLESHEET" type="text/css" href="../p_doc.css">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
- <th colspan="3" align="center">Privoxy 3.0.29 User Manual</th>
+ <th colspan="3" align="center">Privoxy 3.0.30 User Manual</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="configuration.html" accesskey="P">Prev</a></td>
<table border="0" bgcolor="#E0E0E0" width="90%">
<tr>
<td>
- <pre class="PROGRAMLISTING"> debug 1 # Log the destination for each request <span class=
- "APPLICATION">Privoxy</span> let through. See also debug 1024.
+ <pre class=
+ "PROGRAMLISTING"> debug 1 # Log the destination for each request. See also debug 1024.
debug 2 # show each connection status
- debug 4 # show I/O status
+ debug 4 # show tagging-related messages
debug 8 # show header parsing
debug 16 # log all data written to the network
debug 32 # debug force feature
whenever the IP address is assigned to the system</p>
<p>IPv6 addresses containing colons have to be quoted by brackets. They can only be used if <span class=
"APPLICATION">Privoxy</span> has been compiled with IPv6 support. If you aren't sure if your version
- supports it, have a look at <tt class="LITERAL">http://config.privoxy.org/show-status</tt>.</p>
+ supports it, have a look at <a href="http://config.privoxy.org/show-status" target=
+ "_top">http://config.privoxy.org/show-status</a>.</p>
<p>Some operating systems will prefer IPv6 to IPv4 addresses even if the system has no IPv6 connectivity
which is usually not expected by the user. Some even rely on DNS to resolve localhost which mean the
"localhost" address used may not actually be local.</p>
hides the <span class="QUOTE">"go there anyway"</span> link. If the user adds the force prefix by hand,
it will not be accepted and the circumvention attempt is logged.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>enforce-blocks 1</p>
</dd>
destination part are optional.</p>
<p>If your system implements <a href="http://tools.ietf.org/html/rfc3493" target="_top">RFC 3493</a>,
then <tt class="REPLACEABLE"><i>src_addr</i></tt> and <tt class="REPLACEABLE"><i>dst_addr</i></tt> can be
- IPv6 addresses delimeted by brackets, <tt class="REPLACEABLE"><i>port</i></tt> can be a number or a
+ IPv6 addresses delimited by brackets, <tt class="REPLACEABLE"><i>port</i></tt> can be a number or a
service name, and <tt class="REPLACEABLE"><i>src_masklen</i></tt> and <tt class=
"REPLACEABLE"><i>dst_masklen</i></tt> can be a number from 0 to 128.</p>
</dd>
you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see
how many retries are usually needed.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>forwarded-connect-retries 1</p>
</dd>
you may want to adjust the CGI templates to make sure they don't reference content from
config.privoxy.org.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>accept-intercepted-requests 1</p>
</dd>
done without care.</p>
<p>Don't enable this option unless you're sure that you really need it.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>allow-cgi-request-crunching 1</p>
</dd>
<p>If you don't notice any editing problems, there is no reason to enable this option, but if one of the
submit buttons appears to be broken, you should give it a try.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>split-large-forms 1</p>
</dd>
increasing it to 300 seconds or even more if you think your browser can handle it. If your browser
appears to be hanging, it probably can't.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>keep-alive-timeout 300</p>
</dd>
<p>If you are seeing problems with pages not properly loading, disabling this option could work around
the problem.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>tolerate-pipelining 1</p>
</dd>
<p>This option has no effect if <span class="APPLICATION">Privoxy</span> has been compiled without
keep-alive support.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>default-server-timeout 60</p>
</dd>
<p>This option should only be used by experienced users who understand the risks and can weight them
against the benefits.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>connection-sharing 1</p>
</dd>
<p>The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow
proxy like Tor, reducing it to a few seconds should be fine.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>socket-timeout 300</p>
</dd>
reached. This will likely change in a future version, but currently this limit can't be increased without
recompiling <span class="APPLICATION">Privoxy</span> with a different FD_SETSIZE limit.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>max-client-connections 256</p>
</dd>
<dt>Notes:</dt>
<dd>
<p>Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue
- length is limitted by the operating system. Once the queue is full, additional connections are dropped
+ length is limited by the operating system. Once the queue is full, additional connections are dropped
before Privoxy can accept and serve them.</p>
- <p>Increasing the queue length allows Privoxy to accept more incomming connections that arrive roughly at
+ <p>Increasing the queue length allows Privoxy to accept more incoming connections that arrive roughly at
the same time.</p>
<p>Note that Privoxy can only request a certain queue length, whether or not the requested length is
actually used depends on the operating system which may use a different length instead.</p>
<p>Effectively using a value above 128 usually requires changing the system configuration as well. On
FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>listen-backlog 4096</p>
</dd>
"https://www.freebsd.org/cgi/man.cgi?query=accf_http" target="_top">accf_http(9) man page</a> to learn
how to enable the support in the operating system.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>enable-accept-filter 1</p>
</dd>
headers will be emitted in the order given, headers whose name isn't explicitly specified are added at
the end.</p>
<p>Note that sorting headers in an uncommon way will make fingerprinting actually easier. Encrypted
- headers are not affected by this directive.</p>
+ headers are not affected by this directive unless <tt class="LITERAL"><a href=
+ "actions-file.html#HTTPS-INSPECTION" target="_top">https-inspection</a></tt> is enabled.</p>
</dd>
</dl>
</div>
</dd>
<dt>Notes:</dt>
<dd>
- <div class="WARNING">
- <table class="WARNING" border="1" width="90%">
- <tr>
- <td align="center"><b>Warning</b></td>
- </tr>
- <tr>
- <td align="left">
- <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
- </td>
- </tr>
- </table>
- </div>
<p>Client-specific tags allow Privoxy admins to create different profiles and let the users chose which
one they want without impacting other users.</p>
<p>One use case is allowing users to circumvent certain blocks without having to allow them to circumvent
<p>Clients can request tags to be set by using the CGI interface <a href=
"http://config.privoxy.org/client-tags" target="_top">http://config.privoxy.org/client-tags</a>. The
specific tag description is only used on the web page and should be phrased in away that the user
- understand the effect of the tag.</p>
+ understands the effect of the tag.</p>
</dd>
<dt>Examples:</dt>
<dd>
<pre class="SCREEN"> # Define a couple of tags, the described effect requires action sections
# that are enabled based on CLIENT-TAG patterns.
client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
- client-specific-tag disable-content-filters Disable content-filters but do not affect other actions</pre>
+ client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
+ client-specific-tag overrule-redirects Overrule redirect sections
+ client-specific-tag allow-cookies Do not crunch cookies in either direction
+ client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits)
+ client-specific-tag no-https-inspection Disable HTTPS inspection
+ client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled</pre>
</td>
</tr>
</table>
</dd>
<dt>Notes:</dt>
<dd>
- <div class="WARNING">
- <table class="WARNING" border="1" width="90%">
- <tr>
- <td align="center"><b>Warning</b></td>
- </tr>
- <tr>
- <td align="left">
- <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
- </td>
- </tr>
- </table>
- </div>
<p>In case of some tags users may not want to enable them permanently, but only for a short amount of
time, for example to circumvent a block that is the result of an overly-broad URL pattern.</p>
<p>The CGI interface <a href="http://config.privoxy.org/client-tags" target=
"_top">http://config.privoxy.org/client-tags</a> therefore provides a "enable this tag temporarily"
option. If it is used, the tag will be set until the client-tag-lifetime is over.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<table border="0" bgcolor="#E0E0E0" width="90%">
<tr>
</dd>
<dt>Notes:</dt>
<dd>
- <div class="WARNING">
- <table class="WARNING" border="1" width="90%">
- <tr>
- <td align="center"><b>Warning</b></td>
- </tr>
- <tr>
- <td align="left">
- <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
- </td>
- </tr>
- </table>
- </div>
<p>If clients reach Privoxy through another proxy, for example a load balancer, Privoxy can't tell the
client's IP address from the connection. If multiple clients use the same proxy, they will share the same
client tag settings which is usually not desired.</p>
change the client tags for other clients or increase Privoxy's memory requirements by registering lots of
client tag settings for clients that don't exist.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<table border="0" bgcolor="#E0E0E0" width="90%">
<tr>
memory is (currently) cleared before using it, a buffer that is too large can actually reduce the
throughput.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<table border="0" bgcolor="#E0E0E0" width="90%">
<tr>
</div>
</div>
<div class="SECT2">
- <h2 class="SECT2"><a name="TLS" id="TLS">7.7. TLS/SSL</a></h2>
+ <h2 class="SECT2"><a name="HTTPS-INSPECTION-DIRECTIVES" id="HTTPS-INSPECTION-DIRECTIVES">7.7. HTTPS Inspection
+ (Experimental)</a></h2>
+ <p>HTTPS inspection allows to filter encrypted requests and responses. This is only supported when <span class=
+ "APPLICATION">Privoxy</span> has been built with FEATURE_HTTPS_INSPECTION. If you aren't sure if your version
+ supports it, have a look at <a href="http://config.privoxy.org/show-status" target=
+ "_top">http://config.privoxy.org/show-status</a>.</p>
<div class="SECT3">
<h4 class="SECT3"><a name="CA-DIRECTORY" id="CA-DIRECTORY">7.7.1. ca-directory</a></h4>
<div class="VARIABLELIST">
<p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
"APPLICATION">Privoxy</span> admin access the directory.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>ca-directory /usr/local/etc/privoxy/CA</p>
</dd>
target="_top">https-inspection</a></tt> action.</p>
<p><span class="APPLICATION">Privoxy</span> clients should import the certificate so that they can
validate the generated certificates.</p>
- <p>The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
- cacert.crt -days 3650</p>
+ <p>The file can be generated with: <b class="COMMAND">openssl req -new -x509 -extensions v3_ca -keyout
+ cakey.pem -out cacert.crt -days 3650</b></p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>ca-cert-file root.crt</p>
</dd>
</dd>
<dt>Notes:</dt>
<dd>
- <p>This directive specifies the name of the CA key file in ".pem" format. See the <a href="#CA-CERT-FILE"
- target="_top">ca-cert-file</a> for a command to generate it.</p>
+ <p>This directive specifies the name of the CA key file in ".pem" format. The <a href="#CA-CERT-FILE"
+ target="_top">ca-cert-file section</a> contains a command to generate it.</p>
+ <p>Access to the key should be limited to Privoxy.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>ca-key-file cakey.pem</p>
</dd>
certificates for intercepted requests.</p>
<p>Note that the password is shown on the CGI page so don't reuse an important one.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>ca-password blafasel</p>
</dd>
<dl>
<dt>Specifies:</dt>
<dd>
- <p>Directory to safe generated keys and certificates.</p>
+ <p>Directory to save generated keys and certificates.</p>
</dd>
<dt>Type of value:</dt>
<dd>
"_top">ca-cert-key</a>.</p>
<p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
"APPLICATION">Privoxy</span> admin access the directory.</p>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p><span class="APPLICATION">Privoxy</span> currently does not garbage-collect obsolete keys and
+ certificates and does not keep track of how may keys and certificates exist.</p>
+ <p><span class="APPLICATION">Privoxy</span> admins should monitor the size of the directory
+ and/or make sure there is sufficient space available. A cron job to limit the number of keys and
+ certificates to a certain number may be worth considering.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>certificate-directory /usr/local/var/privoxy/certs</p>
</dd>
</div>
</div>
<div class="SECT3">
- <h4 class="SECT3"><a name="TRUSTED-CAS-FILE" id="TRUSTED-CAS-FILE">7.7.6. trusted-cas-file</a></h4>
+ <h4 class="SECT3"><a name="CIPHER-LIST" id="CIPHER-LIST">7.7.6. cipher-list</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>A list of ciphers to use in TLS handshakes</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>None</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>A default value is inherited from the TLS library.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive allows to specify a non-default list of ciphers to use in TLS handshakes with clients
+ and servers.</p>
+ <p>Ciphers are separated by colons. Which ciphers are supported depends on the TLS library. When using
+ OpenSSL, unsupported ciphers are skipped. When using MbedTLS they are rejected.</p>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p>Specifying an unusual cipher list makes fingerprinting easier. Note that the default list
+ provided by the TLS library may be unusual when compared to the one used by modern browsers as
+ well.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Explicitly set a couple of ciphers with names used by MbedTLS
+ cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+ </pre>
+ </td>
+ </tr>
+ </table>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+ </pre>
+ </td>
+ </tr>
+ </table>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class=
+ "SCREEN"> # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+ cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+ </pre>
+ </td>
+ </tr>
+ </table>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="TRUSTED-CAS-FILE" id="TRUSTED-CAS-FILE">7.7.7. trusted-cas-file</a></h4>
<div class="VARIABLELIST">
<dl>
<dt>Specifies:</dt>
<dd>
<p>This directive specifies the trusted CAs file that is used when validating certificates for
intercepted TLS/SSL requests.</p>
- <p>An example file can be downloaded from <a href="https://curl.haxx.se/ca/cacert.pem" target=
- "_top">https://curl.haxx.se/ca/cacert.pem</a>.</p>
+ <p>An example file can be downloaded from <a href="https://curl.se/ca/cacert.pem" target=
+ "_top">https://curl.se/ca/cacert.pem</a>. If you want to create the file yourself, please see: <a href=
+ "https://curl.se/docs/caextract.html" target="_top">https://curl.se/docs/caextract.html</a>.</p>
</dd>
- <dt>Examples:</dt>
+ <dt>Example:</dt>
<dd>
<p>trusted-cas-file trusted_cas_file.pem</p>
</dd>
projects / privoxy.git / blobdiff