<head>
<title>The Main Configuration File</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
- <link rel="HOME" title="Privoxy 3.0.28 User Manual" href="index.html">
+ <link rel="HOME" title="Privoxy 3.0.29 User Manual" href="index.html">
<link rel="PREVIOUS" title="Privoxy Configuration" href="configuration.html">
<link rel="NEXT" title="Actions Files" href="actions-file.html">
<link rel="STYLESHEET" type="text/css" href="../p_doc.css">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
- <th colspan="3" align="center">Privoxy 3.0.28 User Manual</th>
+ <th colspan="3" align="center">Privoxy 3.0.29 User Manual</th>
</tr>
<tr>
<td width="10%" align="left" valign="bottom"><a href="configuration.html" accesskey="P">Prev</a></td>
<table border="0" bgcolor="#E0E0E0" width="90%">
<tr>
<td>
- <pre class="PROGRAMLISTING"> debug 1 # Log the destination for each request <span class=
- "APPLICATION">Privoxy</span> let through. See also debug 1024.
+ <pre class=
+ "PROGRAMLISTING"> debug 1 # Log the destination for each request. See also debug 1024.
debug 2 # show each connection status
debug 4 # show I/O status
debug 8 # show header parsing
<p>If the address for the hostname isn't already known on the system (for example because it's in
/etc/hostname), this may result in DNS traffic.</p>
<p>If the specified address isn't available on the system, or if the hostname can't be resolved,
- <span class="APPLICATION">Privoxy</span> will fail to start.</p>
+ <span class="APPLICATION">Privoxy</span> will fail to start. On GNU/Linux, and other platforms that can
+ listen on not yet assigned IP addresses, Privoxy will start and will listen on the specified address
+ whenever the IP address is assigned to the system</p>
<p>IPv6 addresses containing colons have to be quoted by brackets. They can only be used if <span class=
"APPLICATION">Privoxy</span> has been compiled with IPv6 support. If you aren't sure if your version
supports it, have a look at <tt class="LITERAL">http://config.privoxy.org/show-status</tt>.</p>
destination part are optional.</p>
<p>If your system implements <a href="http://tools.ietf.org/html/rfc3493" target="_top">RFC 3493</a>,
then <tt class="REPLACEABLE"><i>src_addr</i></tt> and <tt class="REPLACEABLE"><i>dst_addr</i></tt> can be
- IPv6 addresses delimeted by brackets, <tt class="REPLACEABLE"><i>port</i></tt> can be a number or a
+ IPv6 addresses delimited by brackets, <tt class="REPLACEABLE"><i>port</i></tt> can be a number or a
service name, and <tt class="REPLACEABLE"><i>src_masklen</i></tt> and <tt class=
"REPLACEABLE"><i>dst_masklen</i></tt> can be a number from 0 to 128.</p>
</dd>
<p>The <span class="QUOTE">"trusted-cgi-referer"</span> option can be used to add that page, or the whole
domain, as trusted source so the resulting requests aren't rejected. Requests are accepted if the
specified trusted-cgi-refer is the prefix of the Referer.</p>
+ <p>If the trusted source is supposed to access the CGI pages via JavaScript the <a href=
+ "config.html#CORS-ALLOWED-ORIGIN">cors-allowed-origin</a> option can be used.</p>
<div class="WARNING">
<table class="WARNING" border="1" width="90%">
<tr>
</dl>
</div>
</div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CORS-ALLOWED-ORIGIN" id="CORS-ALLOWED-ORIGIN">7.4.11. cors-allowed-origin</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>A trusted website which can access <span class="APPLICATION">Privoxy</span>'s CGI pages through
+ JavaScript.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>URL</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p>Unset</p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>No external sites get access via cross-origin resource sharing.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>Modern browsers by default prevent cross-origin requests made via JavaScript to <span class=
+ "APPLICATION">Privoxy</span>'s CGI interface even if <span class="APPLICATION">Privoxy</span> would trust
+ the referer because it's white listed via the <a href=
+ "config.html#TRUSTED-CGI-REFERER">trusted-cgi-referer</a> directive.</p>
+ <p><a href="https://en.wikipedia.org/wiki/Cross-origin_resource_sharing" target="_top">Cross-origin
+ resource sharing (CORS)</a> is a mechanism to allow cross-origin requests.</p>
+ <p>The <span class="QUOTE">"cors-allowed-origin"</span> option can be used to specify a domain that is
+ allowed to make requests to Privoxy CGI interface via JavaScript. It is used in combination with the
+ <a href="config.html#TRUSTED-CGI-REFERER">trusted-cgi-referer</a> directive.</p>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p>Declaring domains the admin doesn't control trustworthy may allow malicious third parties to
+ modify Privoxy's internal state against the user's wishes and without the user's knowledge.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </dd>
+ </dl>
+ </div>
+ </div>
</div>
<div class="SECT2">
<h2 class="SECT2"><a name="FORWARDING" id="FORWARDING">7.5. Forwarding</a></h2>
</dd>
<dt>Type of value:</dt>
<dd>
- <p><tt class="REPLACEABLE"><i>target_pattern</i></tt> <tt class=
+ <p><tt class="REPLACEABLE"><i>target_pattern</i></tt> [<tt class=
+ "REPLACEABLE"><i>user</i></tt>:<tt class="REPLACEABLE"><i>pass</i></tt>@]<tt class=
"REPLACEABLE"><i>socks_proxy</i></tt>[:<tt class="REPLACEABLE"><i>port</i></tt>] <tt class=
"REPLACEABLE"><i>http_parent</i></tt>[:<tt class="REPLACEABLE"><i>port</i></tt>]</p>
<p>where <tt class="REPLACEABLE"><i>target_pattern</i></tt> is a <a href=
IP addresses in dotted decimal notation or valid DNS names (<tt class=
"REPLACEABLE"><i>http_parent</i></tt> may be <span class="QUOTE">"."</span> to denote <span class=
"QUOTE">"no HTTP forwarding"</span>), and the optional <tt class="REPLACEABLE"><i>port</i></tt>
- parameters are TCP ports, i.e. integer values from 1 to 65535</p>
+ parameters are TCP ports, i.e. integer values from 1 to 65535. <tt class="REPLACEABLE"><i>user</i></tt>
+ and <tt class="REPLACEABLE"><i>pass</i></tt> can be used for SOCKS5 authentication if required.</p>
</dd>
<dt>Default value:</dt>
<dd>
</td>
</tr>
</table>
+ <p>To connect SOCKS5 proxy which requires username/password authentication:</p>
+ <table border="0" bgcolor="#E0E0E0" width="90%">
+ <tr>
+ <td>
+ <pre class="SCREEN"> forward-socks5 / user:pass@socks-gw.example.com:1080 .</pre>
+ </td>
+ </tr>
+ </table>
<p>To chain Privoxy and Tor, both running on the same system, you would use something like:</p>
<table border="0" bgcolor="#E0E0E0" width="90%">
<tr>
<dt>Notes:</dt>
<dd>
<p>Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue
- length is limitted by the operating system. Once the queue is full, additional connections are dropped
+ length is limited by the operating system. Once the queue is full, additional connections are dropped
before Privoxy can accept and serve them.</p>
- <p>Increasing the queue length allows Privoxy to accept more incomming connections that arrive roughly at
+ <p>Increasing the queue length allows Privoxy to accept more incoming connections that arrive roughly at
the same time.</p>
<p>Note that Privoxy can only request a certain queue length, whether or not the requested length is
actually used depends on the operating system which may use a different length instead.</p>
<pre class="SCREEN"> # Define a couple of tags, the described effect requires action sections
# that are enabled based on CLIENT-TAG patterns.
client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
- disable-content-filters Disable content-filters but do not affect other actions</pre>
+ client-specific-tag disable-content-filters Disable content-filters but do not affect other actions</pre>
</td>
</tr>
</table>
</div>
</div>
<div class="SECT2">
- <h2 class="SECT2"><a name="WINDOWS-GUI" id="WINDOWS-GUI">7.7. Windows GUI Options</a></h2>
+ <h2 class="SECT2"><a name="TLS" id="TLS">7.7. TLS/SSL Inspection (Experimental)</a></h2>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-DIRECTORY" id="CA-DIRECTORY">7.7.1. ca-directory</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Directory with the CA key, the CA certificate and the trusted CAs file.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">Empty string</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the directory where the CA key, the CA certificate and the trusted CAs file
+ are located.</p>
+ <p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
+ "APPLICATION">Privoxy</span> admin access the directory.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>ca-directory /usr/local/etc/privoxy/CA</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-CERT-FILE" id="CA-CERT-FILE">7.7.2. ca-cert-file</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The CA certificate file in ".crt" format.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">cacert.crt</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the name of the CA certificate file in ".crt" format.</p>
+ <p>The file is used by <span class="APPLICATION">Privoxy</span> to generate website certificates when
+ https inspection is enabled with the <tt class="LITERAL"><a href="actions-file.html#HTTPS-INSPECTION"
+ target="_top">https-inspection</a></tt> action.</p>
+ <p><span class="APPLICATION">Privoxy</span> clients should import the certificate so that they can
+ validate the generated certificates.</p>
+ <p>The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
+ cacert.crt -days 3650</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>ca-cert-file root.crt</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-KEY-FILE" id="CA-KEY-FILE">7.7.3. ca-key-file</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The CA key file in ".pem" format.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">cacert.pem</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the name of the CA key file in ".pem" format. See the <a href="#CA-CERT-FILE"
+ target="_top">ca-cert-file</a> for a command to generate it.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>ca-key-file cakey.pem</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CA-PASSWORD" id="CA-PASSWORD">7.7.4. ca-password</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The password for the CA keyfile.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">Empty string</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the password for the CA keyfile that is used when Privoxy generates
+ certificates for intercepted requests.</p>
+ <p>Note that the password is shown on the CGI page so don't reuse an important one.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>ca-password blafasel</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="CERTIFICATE-DIRECTORY" id="CERTIFICATE-DIRECTORY">7.7.5.
+ certificate-directory</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>Directory to save generated keys and certificates.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>Text</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">./certs</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the directory where generated TLS/SSL keys and certificates are saved when
+ https inspection is enabled with the <tt class="LITERAL"><a href="actions-file.html#HTTPS-INSPECTION"
+ target="_top">https-inspection</a></tt> action.</p>
+ <p>The keys and certificates currently have to be deleted manually when changing the <a href=
+ "#CA-CERT-FILE" target="_top">ca-cert-file</a> and the <a href="#CA-CERT-KEY" target=
+ "_top">ca-cert-key</a>.</p>
+ <p>The permissions should only let <span class="APPLICATION">Privoxy</span> and the <span class=
+ "APPLICATION">Privoxy</span> admin access the directory.</p>
+ <div class="WARNING">
+ <table class="WARNING" border="1" width="90%">
+ <tr>
+ <td align="center"><b>Warning</b></td>
+ </tr>
+ <tr>
+ <td align="left">
+ <p><span class="APPLICATION">Privoxy</span> currently does not garbage-collect obsolete keys and
+ certificates and does not keep track of how may keys and certificates exist.</p>
+ <p><span class="APPLICATION">Privoxy</span> admins should monitor the size of the directory
+ and/or make sure there is sufficient space available. A cron job to limit the number of keys and
+ certificates to a certain number may be worth considering.</p>
+ </td>
+ </tr>
+ </table>
+ </div>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>certificate-directory /usr/local/var/privoxy/certs</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ <div class="SECT3">
+ <h4 class="SECT3"><a name="TRUSTED-CAS-FILE" id="TRUSTED-CAS-FILE">7.7.6. trusted-cas-file</a></h4>
+ <div class="VARIABLELIST">
+ <dl>
+ <dt>Specifies:</dt>
+ <dd>
+ <p>The trusted CAs file in ".pem" format.</p>
+ </dd>
+ <dt>Type of value:</dt>
+ <dd>
+ <p>File name relative to ca-directory</p>
+ </dd>
+ <dt>Default value:</dt>
+ <dd>
+ <p><span class="emphasis"><i class="EMPHASIS">trustedCAs.pem</i></span></p>
+ </dd>
+ <dt>Effect if unset:</dt>
+ <dd>
+ <p>Default value is used.</p>
+ </dd>
+ <dt>Notes:</dt>
+ <dd>
+ <p>This directive specifies the trusted CAs file that is used when validating certificates for
+ intercepted TLS/SSL requests.</p>
+ <p>An example file can be downloaded from <a href="https://curl.haxx.se/ca/cacert.pem" target=
+ "_top">https://curl.haxx.se/ca/cacert.pem</a>.</p>
+ </dd>
+ <dt>Examples:</dt>
+ <dd>
+ <p>trusted-cas-file trusted_cas_file.pem</p>
+ </dd>
+ </dl>
+ </div>
+ </div>
+ </div>
+ <div class="SECT2">
+ <h2 class="SECT2"><a name="WINDOWS-GUI" id="WINDOWS-GUI">7.8. Windows GUI Options</a></h2>
<p><span class="APPLICATION">Privoxy</span> has a number of options specific to the Windows GUI
interface:</p><a name="ACTIVITY-ANIMATION" id="ACTIVITY-ANIMATION"></a>
<p>If <span class="QUOTE">"activity-animation"</span> is set to 1, the <span class="APPLICATION">Privoxy</span>
projects / privoxy.git / blobdiff