X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=config;h=59d4efeacfd1c7f595fffa77e9cc918640f175ff;hp=ff6e7c3c05a12be3159eb92024b6e1e6f50758aa;hb=36416c0286f2e84d8c2e892b1adc3216fea50720;hpb=2e8c7e4321104708859ad7bf3e5697c0897778c5 diff --git a/config b/config index ff6e7c3c..59d4efea 100644 --- a/config +++ b/config @@ -1,8 +1,6 @@ -# Sample Configuration File for Privoxy 3.0.27 +# Sample Configuration File for Privoxy 3.0.29 # -# $Id: config,v 1.115 2017/06/26 12:17:17 fabiankeil Exp $ -# -# Copyright (C) 2001-2017 Privoxy Developers https://www.privoxy.org/ +# Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/ # ##################################################################### # # @@ -17,7 +15,8 @@ # 4. ACCESS CONTROL AND SECURITY # # 5. FORWARDING # # 6. MISCELLANEOUS # -# 7. WINDOWS GUI OPTIONS # +# 7. TLS # +# 8. WINDOWS GUI OPTIONS # # # ##################################################################### # @@ -568,7 +567,7 @@ logfile logfile # # The available debug levels are: # -# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024. +# debug 1 # Log the destination for each request. See also debug 1024. # debug 2 # show each connection status # debug 4 # show I/O status # debug 8 # show header parsing @@ -610,7 +609,7 @@ logfile logfile # you read the log messages, you may even be able to solve the # problem on your own. # -#debug 1 # Log the destination for each request Privoxy let through. See also debug 1024. +#debug 1 # Log the destination for each request. #debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why. #debug 4096 # Startup banner and warnings #debug 8192 # Non-fatal errors 
@@ -732,7 +731,11 @@ logfile logfile # result in DNS traffic. # # If the specified address isn't available on the system, or if -# the hostname can't be resolved, Privoxy will fail to start. +# the hostname can't be resolved, Privoxy will fail to start. On +# GNU/Linux, and other platforms that can listen on not yet +# assigned IP addresses, Privoxy will start and will listen on +# the specified address whenever the IP address is assigned to +# the system # # IPv6 addresses containing colons have to be quoted by # brackets. They can only be used if Privoxy has been compiled @@ -997,7 +1000,7 @@ enforce-blocks 0 # whole destination part are optional. # # If your system implements RFC 3493, then src_addr and dst_addr -# can be IPv6 addresses delimeted by brackets, port can be a +# can be IPv6 addresses delimited by brackets, port can be a # number or a service name, and src_masklen and dst_masklen can # be a number from 0 to 128. # @@ -1208,6 +1211,9 @@ enable-proxy-authentication-forwarding 0 # requests aren't rejected. Requests are accepted if the # specified trusted-cgi-refer is the prefix of the Referer. # +# If the trusted source is supposed to access the CGI pages via +# JavaScript the cors-allowed-origin option can be used. +# # +-----------------------------------------------------+ # | Warning | # |-----------------------------------------------------| 
@@ -1217,8 +1223,54 @@ enable-proxy-authentication-forwarding 0 # |the user's knowledge. | # +-----------------------------------------------------+ # -trusted-cgi-referer http://www.example.org/ +#trusted-cgi-referer http://www.example.org/local-privoxy-control-page +# +# 4.11. cors-allowed-origin +# ========================== +# +# Specifies: +# +# A trusted website which can access Privoxy's CGI pages through +# JavaScript. +# +# Type of value: +# +# URL +# +# Default value: +# +# Unset +# +# Effect if unset: +# +# No external sites get access via cross-origin resource +# sharing. +# +# Notes: +# +# Modern browsers by default prevent cross-origin requests made +# via JavaScript to Privoxy's CGI interface even if Privoxy +# would trust the referer because it's white listed via the +# trusted-cgi-referer directive. +# +# Cross-origin resource sharing (CORS) is a mechanism to allow +# cross-origin requests. # +# The "cors-allowed-origin" option can be used to specify a +# domain that is allowed to make requests to Privoxy CGI +# interface via JavaScript. It is used in combination with the +# trusted-cgi-referer directive. +# +# +-----------------------------------------------------+ +# | Warning | +# |-----------------------------------------------------| +# |Declaring domains the admin doesn't control | +# |trustworthy may allow malicious third parties to | +# |modify Privoxy's internal state against the user's | +# |wishes and without the user's knowledge. | +# +-----------------------------------------------------+ +# +#cors-allowed-origin http://www.example.org/ # # 5. FORWARDING # ============== @@ -1320,7 +1372,7 @@ trusted-cgi-referer http://www.example.org/ # # Type of value: # -# target_pattern socks_proxy[:port] http_parent[:port] +# target_pattern [user:pass@]socks_proxy[:port] http_parent[:port] # # where target_pattern is a URL pattern that specifies to which # requests (i.e. URLs) this forward rule shall apply. Use / to 
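Review bot: The new section 4.11 leaves the expected value form unclear and omits a transport caveat. "Type of value" says URL, the notes say "a domain", and the sample `#cors-allowed-origin http://www.example.org/` carries a trailing slash, so a reader cannot tell which string is compared with the browser's Origin header, which has no path. Both samples also use plain `http://`; a page fetched over http can be altered by anyone on the network path, so the warning box's condition "domains the admin doesn't control" is not sufficient on its own. I would add a line such as `# The origin should be served over https; content from an http origin can be modified in transit and would then be trusted.` and state the exact match format once it is confirmed against the implementation.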
@@ -1328,7 +1380,8 @@ trusted-cgi-referer http://www.example.org/ # addresses in dotted decimal notation or valid DNS names ( # http_parent may be "." to denote "no HTTP forwarding"), and # the optional port parameters are TCP ports, i.e. integer -# values from 1 to 65535 +# values from 1 to 65535. user and pass can be used for SOCKS5 +# authentication if required. # # Default value: # @@ -1383,6 +1436,11 @@ trusted-cgi-referer http://www.example.org/ # # forward-socks4 / socks-gw.example.com:1080 . # +# To connect SOCKS5 proxy which requires username/password +# authentication: +# +# forward-socks5 / user:pass@socks-gw.example.com:1080 . +# # To chain Privoxy and Tor, both running on the same system, you # would use something like: # @@ -1928,13 +1986,13 @@ socket-timeout 300 # Notes: # # Under high load incoming connection may queue up before -# Privoxy gets around to serve them. The queue length is -# limitted by the operating system. Once the queue is full, -# additional connections are dropped before Privoxy can accept -# and serve them. +# Privoxy gets around to serve them. The queue length is limited +# by the operating system. Once the queue is full, additional +# connections are dropped before Privoxy can accept and serve +# them. # # Increasing the queue length allows Privoxy to accept more -# incomming connections that arrive roughly at the same time. +# incoming connections that arrive roughly at the same time. # # Note that Privoxy can only request a certain queue length, # whether or not the requested length is actually used depends @@ -2161,6 +2219,7 @@ socket-timeout 300 # affected by this directive. # #client-header-order Host \ +# User-Agent \ # Accept \ # Accept-Language \ # Accept-Encoding \ 
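Review bot: The added `[user:pass@]` syntax puts SOCKS5 credentials into the config file in clear text, and neither the sentence added in this hunk nor the `forward-socks5 / user:pass@socks-gw.example.com:1080 .` example in the next hunk (-1383) says how to protect them. The same applies to the type-of-value line changed in the preceding hunk (-1320). The ca-password notes added later in this diff say that value is shown on the CGI page; whether forwarding credentials are displayed the same way cannot be told from the diff and should be confirmed. I would add something like `# The credentials are stored in plain text; restrict read access to this file and do not reuse an important password.` Username/password authentication for SOCKS5 also sends the credentials unencrypted to the proxy, which deserves one sentence for gateways that are not on the local host.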
@@ -2235,8 +2294,7 @@ socket-timeout 300 # # Define a couple of tags, the described effect requires action sections # # that are enabled based on CLIENT-TAG patterns. # client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions -# disable-content-filters Disable content-filters but do not affect other actions -# +# client-specific-tag disable-content-filters Disable content-filters but do not affect other actions # # # 6.17. client-tag-lifetime 
@@ -2381,29 +2439,234 @@ socket-timeout 300 # receive-buffer-size 32768 # # +# 7. TLS/SSL INSPECTION +# ====================== +# +# 7.1. ca-directory +# ================== +# +# Specifies: +# +# Directory with the CA key, the CA certificate and the trusted +# CAs file. +# +# Type of value: +# +# Text +# +# Default value: +# +# Empty string +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the directory where the CA key, the +# CA certificate and the trusted CAs file are located. +# +# The permissions should only let Privoxy and the Privoxy admin +# access the directory. +# +# Examples: +# +# ca-directory /usr/local/etc/privoxy/CA +# +#ca-directory /usr/local/etc/privoxy/CA +# +# 7.2. ca-cert-file +# ================== +# +# Specifies: +# +# The CA certificate file in ".crt" format. +# +# Type of value: +# +# Text +# +# Default value: +# +# cacert.crt +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the name of the CA certificate file +# in ".crt" format. +# +# The file is used by Privoxy to generate website certificates +# when https inspection is enabled with the https-inspection +# action. +# +# Privoxy clients should import the certificate so that they can +# validate the generated certificates. +# +# The file can be generated with: openssl req -new -x509 +# -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 +# +# Examples: +# +# ca-cert-file root.crt +# +#ca-cert-file cacert.crt # -# 7. WINDOWS GUI OPTIONS +# 7.3. ca-key-file +# ================= +# +# Specifies: +# +# The CA key file in ".pem" format. +# +# Type of value: +# +# Text +# +# Default value: +# +# cacert.pem +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the name of the CA key file in ".pem" +# format. See the ca-cert-file for a command to generate it. +# +# Examples: +# +# ca-key-file cakey.pem +# +#ca-key-file root.pem +# +# 7.4. 
ca-password +# ================= +# +# Specifies: +# +# The password for the CA keyfile. +# +# Type of value: +# +# Text +# +# Default value: +# +# Empty string +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the password for the CA keyfile that +# is used when Privoxy generates certificates for intercepted +# requests. +# +# Note that the password is shown on the CGI page so don't reuse +# an important one. +# +# Examples: +# +# ca-password blafasel +# +#ca-password swordfish +# +# 7.5. certificate-directory +# =========================== +# +# Specifies: +# +# Directory to save generated keys and certificates. +# +# Type of value: +# +# Text +# +# Default value: +# +# ./certs +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the directory where generated TLS/SSL +# keys and certificates are saved when https inspection is +# enabled with the https-inspection action. +# +# The keys and certificates currently have to be deleted +# manually when changing the ca-cert-file and the ca-cert-key. +# +# The permissions should only let Privoxy and the Privoxy admin +# access the directory. +# +# Examples: +# +# certificate-directory /usr/local/var/privoxy/certs +# +#certificate-directory /usr/local/var/privoxy/certs +# +# 7.6. trusted-cas-file +# ====================== +# +# Specifies: +# +# The trusted CAs file in ".pem" format. +# +# Type of value: +# +# File name relative to ca-directory +# +# Default value: +# +# trustedCAs.pem +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the trusted CAs file that is used +# when validating certificates for intercepted TLS/SSL requests. +# +# An example file can be downloaded from https://curl.haxx.se/ca +# /cacert.pem. +# +# Examples: +# +# trusted-cas-file trusted_cas_file.pem +# +#trusted-cas-file trustedCAs.pem +# +# 8. 
WINDOWS GUI OPTIONS # ======================= # # Privoxy has a number of options specific to the Windows GUI # interface: # # -# # If "activity-animation" is set to 1, the Privoxy icon will animate # when "Privoxy" is active. To turn off, set to 0. # #activity-animation 1 # -# -# # If "log-messages" is set to 1, Privoxy copies log messages to the # console window. The log detail depends on the debug directive. # #log-messages 1 # -# -# # If "log-buffer-size" is set to 1, the size of the log buffer, i.e. # the amount of memory used for the log messages displayed in the # console window, will be limited to "log-max-lines" (see below).
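Review bot: Section 7.3 documents the default of ca-key-file as `cacert.pem`, but the generation command in 7.2 writes the key with `-keyout cakey.pem`, the example uses `cakey.pem` and the commented sample is `#ca-key-file root.pem`; an admin who follows the command and leaves the directive unset may end up with a key file Privoxy does not look for, so the documented default should be checked against the code and the names aligned. Section 7.5 refers to "the ca-cert-key", which is not a directive described here (presumably `ca-key-file`). In 7.4 the notes say the password is shown on the CGI page, while the default is an empty string and the samples are `blafasel` and `swordfish`; I would add `# Choose a unique password; the sample values are publicly known.` and say that the key file itself needs the same restrictive permissions as ca-directory. The URL in 7.6 is wrapped as `https://curl.haxx.se/ca /cacert.pem`, which breaks copy and paste, so it should stay on one line.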