X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=config;h=6c1aa9d516868279922da2ebcc312f15cff1f2f5;hp=2e3dee59adeb290b8bdbb37771107d23f6e94e96;hb=a2f8296e90e9bc3c4e4fa50c9b42e3f12bce24ca;hpb=7b7cf8c81400bfdbb49318f141600b2adc8f904a diff --git a/config b/config index 2e3dee59..6c1aa9d5 100644 --- a/config +++ b/config @@ -1,24 +1,24 @@ -# Sample Configuration File for Privoxy v3.0.20 -# -# $Id: config,v 1.100 2013/01/09 15:07:39 fabiankeil Exp $ -# -# Copyright (C) 2001-2013 Privoxy Developers http://www.privoxy.org/ -# -#################################################################### -# # -# Table of Contents # -# # -# I. INTRODUCTION # -# II. FORMAT OF THE CONFIGURATION FILE # -# # -# 1. LOCAL SET-UP DOCUMENTATION # -# 2. CONFIGURATION AND LOG FILE LOCATIONS # -# 3. DEBUGGING # -# 4. ACCESS CONTROL AND SECURITY # -# 5. FORWARDING # -# 6. WINDOWS GUI OPTIONS # -# # -#################################################################### +# Sample Configuration File for Privoxy 3.0.30 +# +# Copyright (C) 2001-2021 Privoxy Developers https://www.privoxy.org/ +# +##################################################################### +# # +# Table of Contents # +# # +# I. INTRODUCTION # +# II. FORMAT OF THE CONFIGURATION FILE # +# # +# 1. LOCAL SET-UP DOCUMENTATION # +# 2. CONFIGURATION AND LOG FILE LOCATIONS # +# 3. DEBUGGING # +# 4. ACCESS CONTROL AND SECURITY # +# 5. FORWARDING # +# 6. MISCELLANEOUS # +# 7. HTTPS INSPECTION (EXPERIMENTAL) # +# 8. WINDOWS GUI OPTIONS # +# # +##################################################################### # # # I. INTRODUCTION @@ -68,7 +68,6 @@ # last character. # # -# # 1. LOCAL SET-UP DOCUMENTATION # ============================== # @@ -77,7 +76,6 @@ # you, what you block and why you do that, your policies, etc. # # -# # 1.1. user-manual # ================= # @@ -95,7 +93,7 @@ # # Effect if unset: # -# http://www.privoxy.org/version/user-manual/ will be used, +# https://www.privoxy.org/version/user-manual/ will be used, # where version is the Privoxy version. # # Notes: @@ -129,8 +127,7 @@ # config file, because it is used while the config file is # being read. # -#user-manual http://www.privoxy.org/user-manual/ -# +#user-manual https://www.privoxy.org/user-manual/ # # 1.2. trust-info-url # ==================== @@ -168,7 +165,6 @@ #trust-info-url http://www.example.com/why_we_block.html #trust-info-url http://www.example.com/what_we_allow.html # -# # 1.3. admin-address # =================== # @@ -197,7 +193,6 @@ # #admin-address privoxy-admin@example.com # -# # 1.4. proxy-info-url # ==================== # @@ -229,7 +224,6 @@ # #proxy-info-url http://www.example.com/proxy-service.html # -# # 2. CONFIGURATION AND LOG FILE LOCATIONS # ======================================== # @@ -242,7 +236,6 @@ # be modified, such as log files and actions files. # # -# # 2.1. confdir # ============= # @@ -268,7 +261,6 @@ # confdir . # -# # 2.2. templdir # ============== # @@ -298,8 +290,37 @@ confdir . # #templdir . # +# 2.3. temporary-directory +# ========================= +# +# Specifies: +# +# A directory where Privoxy can create temporary files. +# +# Type of value: +# +# Path name +# +# Default value: +# +# unset +# +# Effect if unset: +# +# No temporary files are created, external filters don't work. +# +# Notes: +# +# To execute external filters, Privoxy has to create temporary +# files. This directive specifies the directory the temporary +# files should be written to. +# +# It should be a directory only Privoxy (and trusted users) can +# access. # -# 2.3. logdir +#temporary-directory . +# +# 2.4. logdir # ============ # # Specifies: @@ -325,8 +346,7 @@ confdir . # logdir . # -# -# 2.4. actionsfile +# 2.5. actionsfile # ================= # # Specifies: @@ -360,20 +380,14 @@ logdir . # # Actions files contain all the per site and per URL # configuration for ad blocking, cookie management, privacy -# considerations, etc. There is no point in using Privoxy -# without at least one actions file. -# -# Note that since Privoxy 3.0.7, the complete filename, -# including the ".action" extension has to be specified. The -# syntax change was necessary to be consistent with the other -# file options and to allow previously forbidden characters. +# considerations, etc. # actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on. actionsfile default.action # Main actions file actionsfile user.action # User customizations +#regression-tests.action # Tests for privoxy-regression-test # -# -# 2.5. filterfile +# 2.6. filterfile # ================ # # Specifies: @@ -418,8 +432,7 @@ actionsfile user.action # User customizations filterfile default.filter filterfile user.filter # User customizations # -# -# 2.6. logfile +# 2.7. logfile # ============= # # Specifies: @@ -450,23 +463,24 @@ filterfile user.filter # User customizations # # Depending on the debug options below, the logfile may be a # privacy risk if third parties can get access to it. As most -# users will never look at it, Privoxy 3.0.7 and later only log -# fatal errors by default. +# users will never look at it, Privoxy only logs fatal errors by +# default. # # For most troubleshooting purposes, you will have to change # that, please refer to the debugging section for details. # -# Your logfile will grow indefinitely, and you will probably -# want to periodically remove it. On Unix systems, you can do -# this with a cron job (see "man cron"). -# # Any log files must be writable by whatever user Privoxy is # being run as (on Unix, default user id is "privoxy"). # -logfile logfile +# To prevent the logfile from growing indefinitely, it is +# recommended to periodically rotate or shorten it. Many +# operating systems support log rotation out of the box, some +# require additional software to do it. For details, please +# refer to the documentation for your operating system. # +logfile logfile # -# 2.7. trustfile +# 2.8. trustfile # =============== # # Specifies: @@ -522,7 +536,6 @@ logfile logfile # #trustfile trust # -# # 3. DEBUGGING # ============= # @@ -531,7 +544,6 @@ logfile logfile # line option when debugging. # # -# # 3.1. debug # =========== # @@ -556,9 +568,9 @@ logfile logfile # # The available debug levels are: # -# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024. +# debug 1 # Log the destination for each request. See also debug 1024. # debug 2 # show each connection status -# debug 4 # show I/O status +# debug 4 # show tagging-related messages # debug 8 # show header parsing # debug 16 # log all data written to the network # debug 32 # debug force feature @@ -583,10 +595,6 @@ logfile logfile # down a specific problem. They can produce a hell of an output # (especially 16). # -# Privoxy used to ship with the debug levels recommended above -# enabled by default, but due to privacy concerns 3.0.7 and -# later are configured to only log fatal errors. -# # If you are used to the more verbose settings, simply enable # the debug lines below again. # @@ -602,12 +610,11 @@ logfile logfile # you read the log messages, you may even be able to solve the # problem on your own. # -#debug 1 # Log the destination for each request Privoxy let through. See also debug 1024. -#debug 1024 # Actions that are applied to all sites and maybe overruled later on. +#debug 1 # Log the destination for each request. +#debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why. #debug 4096 # Startup banner and warnings #debug 8192 # Non-fatal errors # -# # 3.2. single-threaded # ===================== # @@ -617,11 +624,11 @@ logfile logfile # # Type of value: # -# None +# 1 or 0 # # Default value: # -# Unset +# 0 # # Effect if unset: # @@ -633,8 +640,7 @@ logfile logfile # This option is only there for debugging purposes. It will # drastically reduce performance. # -#single-threaded -# +#single-threaded 1 # # 3.3. hostname # ============== @@ -671,7 +677,6 @@ logfile logfile # #hostname hostname.example.org # -# # 4. ACCESS CONTROL AND SECURITY # =============================== # @@ -679,7 +684,6 @@ logfile logfile # aspects of Privoxy's configuration. # # -# # 4.1. listen-address # ==================== # @@ -728,7 +732,11 @@ logfile logfile # result in DNS traffic. # # If the specified address isn't available on the system, or if -# the hostname can't be resolved, Privoxy will fail to start. +# the hostname can't be resolved, Privoxy will fail to start. On +# GNU/Linux, and other platforms that can listen on not yet +# assigned IP addresses, Privoxy will start and will listen on +# the specified address whenever the IP address is assigned to +# the system # # IPv6 addresses containing colons have to be quoted by # brackets. They can only be used if Privoxy has been compiled @@ -778,7 +786,6 @@ logfile logfile # listen-address 127.0.0.1:8118 # -# # 4.2. toggle # ============ # @@ -807,7 +814,6 @@ listen-address 127.0.0.1:8118 # toggle 1 # -# # 4.3. enable-remote-toggle # ========================== # @@ -850,7 +856,6 @@ toggle 1 # enable-remote-toggle 0 # -# # 4.4. enable-remote-http-toggle # =============================== # @@ -889,7 +894,6 @@ enable-remote-toggle 0 # enable-remote-http-toggle 0 # -# # 4.5. enable-edit-actions # ========================= # @@ -930,7 +934,6 @@ enable-remote-http-toggle 0 # enable-edit-actions 0 # -# # 4.6. enforce-blocks # ==================== # @@ -973,13 +976,12 @@ enable-edit-actions 0 # link. If the user adds the force prefix by hand, it will not # be accepted and the circumvention attempt is logged. # -# Examples: +# Example: # # enforce-blocks 1 # enforce-blocks 0 # -# # 4.7. ACLs: permit-access and deny-access # ========================================= # @@ -999,7 +1001,7 @@ enforce-blocks 0 # whole destination part are optional. # # If your system implements RFC 3493, then src_addr and dst_addr -# can be IPv6 addresses delimeted by brackets, port can be a +# can be IPv6 addresses delimited by brackets, port can be a # number or a service name, and src_masklen and dst_masklen can # be a number from 0 to 128. # @@ -1091,7 +1093,6 @@ enforce-blocks 0 # permit-access [::ffff:192.0.2.0]/120 # # -# # 4.8. buffer-limit # ================== # @@ -1129,6 +1130,148 @@ enforce-blocks 0 # buffer-limit 4096 # +# 4.9. enable-proxy-authentication-forwarding +# ============================================ +# +# Specifies: +# +# Whether or not proxy authentication through Privoxy should +# work. +# +# Type of value: +# +# 0 or 1 +# +# Default value: +# +# 0 +# +# Effect if unset: +# +# Proxy authentication headers are removed. +# +# Notes: +# +# Privoxy itself does not support proxy authentication, but can +# allow clients to authenticate against Privoxy's parent proxy. +# +# By default Privoxy (3.0.21 and later) don't do that and remove +# Proxy-Authorization headers in requests and Proxy-Authenticate +# headers in responses to make it harder for malicious sites to +# trick inexperienced users into providing login information. +# +# If this option is enabled the headers are forwarded. +# +# Enabling this option is not recommended if there is no parent +# proxy that requires authentication or if the local network +# between Privoxy and the parent proxy isn't trustworthy. If +# proxy authentication is only required for some requests, it is +# recommended to use a client header filter to remove the +# authentication headers for requests where they aren't needed. +# +enable-proxy-authentication-forwarding 0 +# +# 4.10. trusted-cgi-referer +# ========================== +# +# Specifies: +# +# A trusted website or webpage whose links can be followed to +# reach sensitive CGI pages +# +# Type of value: +# +# URL or URL prefix +# +# Default value: +# +# Unset +# +# Effect if unset: +# +# No external pages are considered trusted referers. +# +# Notes: +# +# Before Privoxy accepts configuration changes through CGI pages +# like client-tags or the remote toggle, it checks the Referer +# header to see if the request comes from a trusted source. +# +# By default only the webinterface domains config.privoxy.org +# and p.p are considered trustworthy. Requests originating from +# other domains are rejected to prevent third-parties from +# modifiying Privoxy's state by e.g. embedding images that +# result in CGI requests. +# +# In some environments it may be desirable to embed links to CGI +# pages on external pages, for example on an Intranet homepage +# the Privoxy admin controls. +# +# The "trusted-cgi-referer" option can be used to add that page, +# or the whole domain, as trusted source so the resulting +# requests aren't rejected. Requests are accepted if the +# specified trusted-cgi-refer is the prefix of the Referer. +# +# If the trusted source is supposed to access the CGI pages via +# JavaScript the cors-allowed-origin option can be used. +# +# +-----------------------------------------------------+ +# | Warning | +# |-----------------------------------------------------| +# |Declaring pages the admin doesn't control trustworthy| +# |may allow malicious third parties to modify Privoxy's| +# |internal state against the user's wishes and without | +# |the user's knowledge. | +# +-----------------------------------------------------+ +# +#trusted-cgi-referer http://www.example.org/local-privoxy-control-page +# +# 4.11. cors-allowed-origin +# ========================== +# +# Specifies: +# +# A trusted website which can access Privoxy's CGI pages through +# JavaScript. +# +# Type of value: +# +# URL +# +# Default value: +# +# Unset +# +# Effect if unset: +# +# No external sites get access via cross-origin resource +# sharing. +# +# Notes: +# +# Modern browsers by default prevent cross-origin requests made +# via JavaScript to Privoxy's CGI interface even if Privoxy +# would trust the referer because it's white listed via the +# trusted-cgi-referer directive. +# +# Cross-origin resource sharing (CORS) is a mechanism to allow +# cross-origin requests. +# +# The "cors-allowed-origin" option can be used to specify a +# domain that is allowed to make requests to Privoxy CGI +# interface via JavaScript. It is used in combination with the +# trusted-cgi-referer directive. +# +# +-----------------------------------------------------+ +# | Warning | +# |-----------------------------------------------------| +# |Declaring domains the admin doesn't control | +# |trustworthy may allow malicious third parties to | +# |modify Privoxy's internal state against the user's | +# |wishes and without the user's knowledge. | +# +-----------------------------------------------------+ +# +#cors-allowed-origin http://www.example.org/ # # 5. FORWARDING # ============== @@ -1153,7 +1296,6 @@ buffer-limit 4096 # 4 and SOCKS 4A protocols. # # -# # 5.1. forward # ============= # @@ -1221,7 +1363,6 @@ buffer-limit 4096 # forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> . # # -# # 5.2. forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t # ========================================================================= # @@ -1232,7 +1373,7 @@ buffer-limit 4096 # # Type of value: # -# target_pattern socks_proxy[:port] http_parent[:port] +# target_pattern [user:pass@]socks_proxy[:port] http_parent[:port] # # where target_pattern is a URL pattern that specifies to which # requests (i.e. URLs) this forward rule shall apply. Use / to @@ -1240,7 +1381,8 @@ buffer-limit 4096 # addresses in dotted decimal notation or valid DNS names ( # http_parent may be "." to denote "no HTTP forwarding"), and # the optional port parameters are TCP ports, i.e. integer -# values from 1 to 65535 +# values from 1 to 65535. user and pass can be used for SOCKS5 +# authentication if required. # # Default value: # @@ -1295,10 +1437,20 @@ buffer-limit 4096 # # forward-socks4 / socks-gw.example.com:1080 . # +# To connect SOCKS5 proxy which requires username/password +# authentication: +# +# forward-socks5 / user:pass@socks-gw.example.com:1080 . +# # To chain Privoxy and Tor, both running on the same system, you # would use something like: # -# forward-socks5 / 127.0.0.1:9050 . +# forward-socks5t / 127.0.0.1:9050 . +# +# Note that if you got Tor through one of the bundles, you may +# have to change the port from 9050 to 9150 (or even another +# one). For details, please check the documentation on the Tor +# website. # # The public Tor network can't be used to reach your local # network, if you need to access local servers you therefore @@ -1322,7 +1474,6 @@ buffer-limit 4096 # forward localhost/ . # # -# # 5.3. forwarded-connect-retries # =============================== # @@ -1365,17 +1516,15 @@ buffer-limit 4096 # logfile from time to time, to see how many retries are usually # needed. # -# Examples: +# Example: # # forwarded-connect-retries 1 # forwarded-connect-retries 0 # -# # 6. MISCELLANEOUS # ================= # -# # 6.1. accept-intercepted-requests # ================================= # @@ -1402,19 +1551,26 @@ forwarded-connect-retries 0 # Privoxy, enable this option and configure your packet filter # to redirect outgoing HTTP connections into Privoxy. # +# Note that intercepting encrypted connections (HTTPS) isn't +# supported. +# # Make sure that Privoxy's own requests aren't redirected as # well. Additionally take care that Privoxy can't intentionally # connect to itself, otherwise you could run into redirection # loops if Privoxy's listening port is reachable by the outside # or an attacker has access to the pages you visit. # -# Examples: +# If you are running Privoxy as intercepting proxy without being +# able to intercept all client requests you may want to adjust +# the CGI templates to make sure they don't reference content +# from config.privoxy.org. +# +# Example: # # accept-intercepted-requests 1 # accept-intercepted-requests 0 # -# # 6.2. allow-cgi-request-crunching # ================================= # @@ -1446,13 +1602,12 @@ accept-intercepted-requests 0 # Don't enable this option unless you're sure that you really # need it. # -# Examples: +# Example: # # allow-cgi-request-crunching 1 # allow-cgi-request-crunching 0 # -# # 6.3. split-large-forms # ======================= # @@ -1489,13 +1644,12 @@ allow-cgi-request-crunching 0 # to enable this option, but if one of the submit buttons # appears to be broken, you should give it a try. # -# Examples: +# Example: # # split-large-forms 1 # split-large-forms 0 # -# # 6.4. keep-alive-timeout # ======================== # @@ -1546,13 +1700,12 @@ split-large-forms 0 # seconds or even more if you think your browser can handle it. # If your browser appears to be hanging, it probably can't. # -# Examples: +# Example: # # keep-alive-timeout 300 # keep-alive-timeout 5 # -# # 6.5. tolerate-pipelining # ========================= # @@ -1590,13 +1743,12 @@ keep-alive-timeout 5 # If you are seeing problems with pages not properly loading, # disabling this option could work around the problem. # -# Examples: +# Example: # # tolerate-pipelining 1 # tolerate-pipelining 1 # -# # 6.6. default-server-timeout # ============================ # @@ -1642,12 +1794,11 @@ tolerate-pipelining 1 # This option has no effect if Privoxy has been compiled without # keep-alive support. # -# Examples: +# Example: # # default-server-timeout 60 # -#default-server-timeout 60 -# +#default-server-timeout 5 # # 6.7. connection-sharing # ======================== @@ -1713,13 +1864,12 @@ tolerate-pipelining 1 # This option should only be used by experienced users who # understand the risks and can weight them against the benefits. # -# Examples: +# Example: # # connection-sharing 1 # #connection-sharing 1 # -# # 6.8. socket-timeout # ==================== # @@ -1746,13 +1896,12 @@ tolerate-pipelining 1 # If you aren't using an occasionally slow proxy like Tor, # reducing it to a few seconds should be fine. # -# Examples: +# Example: # # socket-timeout 300 # socket-timeout 300 # -# # 6.9. max-client-connections # ============================ # @@ -1766,7 +1915,7 @@ socket-timeout 300 # # Default value: # -# None +# 128 # # Effect if unset: # @@ -1802,13 +1951,117 @@ socket-timeout 300 # Obviously using this option only makes sense if you choose a # limit below the one enforced by the operating system. # -# Examples: +# One most POSIX-compliant systems Privoxy can't properly deal +# with more than FD_SETSIZE file descriptors at the same time +# and has to reject connections if the limit is reached. This +# will likely change in a future version, but currently this +# limit can't be increased without recompiling Privoxy with a +# different FD_SETSIZE limit. +# +# Example: # # max-client-connections 256 # #max-client-connections 256 # -# 1.6.10. handle-as-empty-doc-returns-ok +# 6.10. listen-backlog +# ===================== +# +# Specifies: +# +# Connection queue length requested from the operating system. +# +# Type of value: +# +# Number. +# +# Default value: +# +# 128 +# +# Effect if unset: +# +# A connection queue length of 128 is requested from the +# operating system. +# +# Notes: +# +# Under high load incoming connection may queue up before +# Privoxy gets around to serve them. The queue length is limited +# by the operating system. Once the queue is full, additional +# connections are dropped before Privoxy can accept and serve +# them. +# +# Increasing the queue length allows Privoxy to accept more +# incoming connections that arrive roughly at the same time. +# +# Note that Privoxy can only request a certain queue length, +# whether or not the requested length is actually used depends +# on the operating system which may use a different length +# instead. +# +# On many operating systems a limit of -1 can be specified to +# instruct the operating system to use the maximum queue length +# allowed. Check the listen man page to see if your platform +# allows this. +# +# On some platforms you can use "netstat -Lan -p tcp" to see the +# effective queue length. +# +# Effectively using a value above 128 usually requires changing +# the system configuration as well. On FreeBSD-based system the +# limit is controlled by the kern.ipc.soacceptqueue sysctl. +# +# Example: +# +# listen-backlog 4096 +# +#listen-backlog -1 +# +# 6.11. enable-accept-filter +# =========================== +# +# Specifies: +# +# Whether or not Privoxy should use an accept filter +# +# Type of value: +# +# 0 or 1 +# +# Default value: +# +# 0 +# +# Effect if unset: +# +# No accept filter is enabled. +# +# Notes: +# +# Accept filters reduce the number of context switches by not +# passing sockets for new connections to Privoxy until a +# complete HTTP request is available. +# +# As a result, Privoxy can process the whole request right away +# without having to wait for additional data first. +# +# For this option to work, Privoxy has to be compiled with +# FEATURE_ACCEPT_FILTER and the operating system has to support +# it (which may require loading a kernel module). +# +# Currently accept filters are only supported on FreeBSD-based +# systems. Check the accf_http(9) man page to learn how to +# enable the support in the operating system. +# +# Example: +# +# enable-accept-filter 1 +# +#enable-accept-filter 1 +# +# 6.12. handle-as-empty-doc-returns-ok +# ===================================== # # Specifies: # @@ -1835,17 +2088,18 @@ socket-timeout 300 # # Notes: # -# This is a work-around for Firefox bug 492459: " Websites are -# no longer rendered if SSL requests for JavaScripts are blocked -# by a proxy. " (https://bugzilla.mozilla.org/show_bug.cgi?id= -# 492459) As the bug has been fixed for quite some time this -# option should no longer be needed and will be removed in a -# future release. Please speak up if you have a reason why the -# option should be kept around. +# This directive was added as a work-around for Firefox bug +# 492459: "Websites are no longer rendered if SSL requests for +# JavaScripts are blocked by a proxy." +# (https://bugzilla.mozilla.org/show_bug.cgi?id=492459), the bug +# has been fixed for quite some time, but this directive is also +# useful to make it harder for websites to detect whether or not +# resources are being blocked. # #handle-as-empty-doc-returns-ok 1 # -# 1.6.11. enable-compression +# 6.13. enable-compression +# ========================= # # Specifies: # @@ -1885,7 +2139,8 @@ socket-timeout 300 # #enable-compression 1 # -# 1.6.12. compression-level +# 6.14. compression-level +# ======================== # # Specifies: # @@ -1930,7 +2185,8 @@ socket-timeout 300 # #compression-level 1 # -# 1.6.13. client-header-order +# 6.15. client-header-order +# ========================== # # Specifies: # @@ -1961,44 +2217,567 @@ socket-timeout 300 # # Note that sorting headers in an uncommon way will make # fingerprinting actually easier. Encrypted headers are not -# affected by this directive. +# affected by this directive unless https-inspection is enabled. # #client-header-order Host \ +# User-Agent \ # Accept \ # Accept-Language \ # Accept-Encoding \ # Proxy-Connection \ # Referer \ # Cookie \ +# DNT \ +# Connection \ +# Pragma \ +# Upgrade-Insecure-Requests \ # If-Modified-Since \ # Cache-Control \ # Content-Length \ +# Origin \ # Content-Type # +# 6.16. client-specific-tag +# ========================== +# +# Specifies: +# +# The name of a tag that will always be set for clients that +# requested it through the webinterface. +# +# Type of value: +# +# Tag name followed by a description that will be shown in the +# webinterface +# +# Default value: +# +# None +# +# Notes: +# +# Client-specific tags allow Privoxy admins to create different +# profiles and let the users chose which one they want without +# impacting other users. +# +# One use case is allowing users to circumvent certain blocks +# without having to allow them to circumvent all blocks. This is +# not possible with the enable-remote-toggle feature because it +# would bluntly disable all blocks for all users and also affect +# other actions like filters. It also is set globally which +# renders it useless in most multi-user setups. +# +# After a client-specific tag has been defined with the +# client-specific-tag directive, action sections can be +# activated based on the tag by using a CLIENT-TAG pattern. The +# CLIENT-TAG pattern is evaluated at the same priority as URL +# patterns, as a result the last matching pattern wins. Tags +# that are created based on client or server headers are +# evaluated later on and can overrule CLIENT-TAG and URL +# patterns! +# +# The tag is set for all requests that come from clients that +# requested it to be set. Note that "clients" are differentiated +# by IP address, if the IP address changes the tag has to be +# requested again. +# +# Clients can request tags to be set by using the CGI interface +# http://config.privoxy.org/client-tags. The specific tag +# description is only used on the web page and should be phrased +# in away that the user understands the effect of the tag. +# +# Examples: +# +# # Define a couple of tags, the described effect requires action sections +# # that are enabled based on CLIENT-TAG patterns. +# client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions +# client-specific-tag disable-content-filters Disable content-filters but do not affect other actions +# client-specific-tag overrule-redirects Overrule redirect sections +# client-specific-tag allow-cookies Do not crunch cookies in either direction +# client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits) +# client-specific-tag no-https-inspection Disable HTTPS inspection +# client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled +# +# +# 6.17. client-tag-lifetime +# ========================== +# +# Specifies: +# +# How long a temporarily enabled tag remains enabled. +# +# Type of value: +# +# Time in seconds. +# +# Default value: +# +# 60 +# +# Notes: +# +# In case of some tags users may not want to enable them +# permanently, but only for a short amount of time, for example +# to circumvent a block that is the result of an overly-broad +# URL pattern. +# +# The CGI interface http://config.privoxy.org/client-tags +# therefore provides a "enable this tag temporarily" option. If +# it is used, the tag will be set until the client-tag-lifetime +# is over. +# +# Example: +# +# # Increase the time to life for temporarily enabled tags to 3 minutes +# client-tag-lifetime 180 +# +# +# +# 6.18. trust-x-forwarded-for +# ============================ +# +# Specifies: +# +# Whether or not Privoxy should use IP addresses specified with +# the X-Forwarded-For header +# +# Type of value: +# +# 0 or one +# +# Default value: +# +# 0 +# +# Notes: +# +# If clients reach Privoxy through another proxy, for example a +# load balancer, Privoxy can't tell the client's IP address from +# the connection. If multiple clients use the same proxy, they +# will share the same client tag settings which is usually not +# desired. +# +# This option lets Privoxy use the X-Forwarded-For header value +# as client IP address. If the proxy sets the header, multiple +# clients using the same proxy do not share the same client tag +# settings. +# +# This option should only be enabled if Privoxy can only be +# reached through a proxy and if the proxy can be trusted to set +# the header correctly. It is recommended that ACL are used to +# make sure only trusted systems can reach Privoxy. +# +# If access to Privoxy isn't limited to trusted systems, this +# option would allow malicious clients to change the client tags +# for other clients or increase Privoxy's memory requirements by +# registering lots of client tag settings for clients that don't +# exist. +# +# Example: +# +# # Allow systems that can reach Privoxy to provide the client +# # IP address with a X-Forwarded-For header. +# trust-x-forwarded-for 1 +# +# +# +# 6.19. receive-buffer-size +# ========================== +# +# Specifies: +# +# The size of the buffer Privoxy uses to receive data from the +# server. +# +# Type of value: +# +# Size in bytes +# +# Default value: +# +# 5000 +# +# Notes: +# +# Increasing the receive-buffer-size increases Privoxy's memory +# usage but can lower the number of context switches and thereby +# reduce the cpu usage and potentially increase the throughput. +# +# This is mostly relevant for fast network connections and large +# downloads that don't require filtering. +# +# Reducing the buffer size reduces the amount of memory Privoxy +# needs to handle the request but increases the number of +# systemcalls and may reduce the throughput. +# +# A dtrace command like: "sudo dtrace -n 'syscall::read:return / +# execname == "privoxy"/ { @[execname] = llquantize(arg0, 10, 0, +# 5, 20); @m = max(arg0)}'" can be used to properly tune the +# receive-buffer-size. On systems without dtrace, strace or +# truss may be used as less convenient alternatives. +# +# If the buffer is too large it will increase Privoxy's memory +# footprint without any benefit. As the memory is (currently) +# cleared before using it, a buffer that is too large can +# actually reduce the throughput. +# +# Example: +# +# # Increase the receive buffer size +# receive-buffer-size 32768 +# +# +# 7. HTTPS INSPECTION (EXPERIMENTAL) +# =================================== +# +# HTTPS inspection allows to filter encrypted requests and +# responses. This is only supported when Privoxy has been built with +# FEATURE_HTTPS_INSPECTION. If you aren't sure if your version +# supports it, have a look at http://config.privoxy.org/show-status. +# +# +# 7.1. ca-directory +# ================== +# +# Specifies: +# +# Directory with the CA key, the CA certificate and the trusted +# CAs file. +# +# Type of value: +# +# Text +# +# Default value: +# +# Empty string +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the directory where the CA key, the +# CA certificate and the trusted CAs file are located. +# +# The permissions should only let Privoxy and the Privoxy admin +# access the directory. +# +# Example: +# +# ca-directory /usr/local/etc/privoxy/CA +# +#ca-directory /usr/local/etc/privoxy/CA +# +# 7.2. ca-cert-file +# ================== +# +# Specifies: +# +# The CA certificate file in ".crt" format. +# +# Type of value: +# +# Text +# +# Default value: +# +# cacert.crt +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the name of the CA certificate file +# in ".crt" format. +# +# The file is used by Privoxy to generate website certificates +# when https inspection is enabled with the https-inspection +# action. +# +# Privoxy clients should import the certificate so that they can +# validate the generated certificates. # +# The file can be generated with: openssl req -new -x509 +# -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 # -# 7. WINDOWS GUI OPTIONS +# Example: +# +# ca-cert-file root.crt +# +#ca-cert-file cacert.crt +# +# 7.3. ca-key-file +# ================= +# +# Specifies: +# +# The CA key file in ".pem" format. +# +# Type of value: +# +# Text +# +# Default value: +# +# cacert.pem +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the name of the CA key file in ".pem" +# format. The ca-cert-file section contains a command to +# generate it. +# +# The CA key is used by Privoxy to sign generated certificates. +# +# Access to the key should be limited to Privoxy. +# +# Example: +# +# ca-key-file cakey.pem +# +#ca-key-file cakey.pem +# +# 7.4. ca-password +# ================= +# +# Specifies: +# +# The password for the CA keyfile. +# +# Type of value: +# +# Text +# +# Default value: +# +# Empty string +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the password for the CA keyfile that +# is used when Privoxy generates certificates for intercepted +# requests. +# +# Note that the password is shown on the CGI page so don't reuse +# an important one. +# +# Example: +# +# ca-password blafasel +# +#ca-password swordfish +# +# 7.5. certificate-directory +# =========================== +# +# Specifies: +# +# Directory to save generated keys and certificates. +# +# Type of value: +# +# Text +# +# Default value: +# +# ./certs +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the directory where generated TLS/SSL +# keys and certificates are saved when https inspection is +# enabled with the https-inspection action. +# +# The keys and certificates currently have to be deleted +# manually when changing the ca-cert-file and the ca-cert-key. +# +# The permissions should only let Privoxy and the Privoxy admin +# access the directory. +# +# +-----------------------------------------------------+ +# | Warning | +# |-----------------------------------------------------| +# |Privoxy currently does not garbage-collect obsolete | +# |keys and certificates and does not keep track of how | +# |may keys and certificates exist. | +# | | +# |Privoxy admins should monitor the size of the | +# |directory and/or make sure there is sufficient space | +# |available. A cron job to limit the number of keys and| +# |certificates to a certain number may be worth | +# |considering. | +# +-----------------------------------------------------+ +# Example: +# +# certificate-directory /usr/local/var/privoxy/certs +# +#certificate-directory /usr/local/var/privoxy/certs +# +# 7.6. cipher-list +# ================= +# +# Specifies: +# +# A list of ciphers to use in TLS handshakes +# +# Type of value: +# +# Text +# +# Default value: +# +# None +# +# Effect if unset: +# +# A default value is inherited from the TLS library. +# +# Notes: +# +# This directive allows to specify a non-default list of ciphers +# to use in TLS handshakes with clients and servers. +# +# Ciphers are separated by colons. Which ciphers are supported +# depends on the TLS library. When using OpenSSL, unsupported +# ciphers are skipped. When using MbedTLS they are rejected. +# +# +-----------------------------------------------------+ +# | Warning | +# |-----------------------------------------------------| +# |Specifying an unusual cipher list makes | +# |fingerprinting easier. Note that the default list | +# |provided by the TLS library may be unusual when | +# |compared to the one used by modern browsers as well. | +# +-----------------------------------------------------+ +# Examples: +# +# # Explicitly set a couple of ciphers with names used by MbedTLS +# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +# TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\ +# TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +# TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\ +# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\ +# TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\ +# TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\ +# TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\ +# TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\ +# TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +# TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\ +# TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\ +# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\ +# TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +# TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\ +# TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\ +# TLS-DHE-RSA-WITH-AES-256-CCM:\ +# TLS-DHE-RSA-WITH-AES-256-CCM-8:\ +# TLS-DHE-RSA-WITH-AES-128-CCM:\ +# TLS-DHE-RSA-WITH-AES-128-CCM-8:\ +# TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +# TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +# TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\ +# TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\ +# TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +# TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +# TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\ +# TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\ +# TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +# TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 +# +# +# # Explicitly set a couple of ciphers with names used by OpenSSL +# cipher-list ECDHE-RSA-AES256-GCM-SHA384:\ +# ECDHE-ECDSA-AES256-GCM-SHA384:\ +# DH-DSS-AES256-GCM-SHA384:\ +# DHE-DSS-AES256-GCM-SHA384:\ +# DH-RSA-AES256-GCM-SHA384:\ +# DHE-RSA-AES256-GCM-SHA384:\ +# ECDH-RSA-AES256-GCM-SHA384:\ +# ECDH-ECDSA-AES256-GCM-SHA384:\ +# ECDHE-RSA-AES128-GCM-SHA256:\ +# ECDHE-ECDSA-AES128-GCM-SHA256:\ +# DH-DSS-AES128-GCM-SHA256:\ +# DHE-DSS-AES128-GCM-SHA256:\ +# DH-RSA-AES128-GCM-SHA256:\ +# DHE-RSA-AES128-GCM-SHA256:\ +# ECDH-RSA-AES128-GCM-SHA256:\ +# ECDH-ECDSA-AES128-GCM-SHA256:\ +# ECDHE-RSA-AES256-GCM-SHA384:\ +# AES128-SHA +# +# +# # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS) +# cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH +# +# +# +# 7.7. trusted-cas-file +# ====================== +# +# Specifies: +# +# The trusted CAs file in ".pem" format. +# +# Type of value: +# +# File name relative to ca-directory +# +# Default value: +# +# trustedCAs.pem +# +# Effect if unset: +# +# Default value is used. +# +# Notes: +# +# This directive specifies the trusted CAs file that is used +# when validating certificates for intercepted TLS/SSL requests. +# +# An example file can be downloaded from https://curl.se/ca/cacert.pem. +# If you want to create the file yourself, please +# see: https://curl.se/docs/caextract.html. +# +# Example: +# +# trusted-cas-file trusted_cas_file.pem +# +#trusted-cas-file trustedCAs.pem +# +# 8. WINDOWS GUI OPTIONS # ======================= # # Privoxy has a number of options specific to the Windows GUI # interface: # # -# # If "activity-animation" is set to 1, the Privoxy icon will animate # when "Privoxy" is active. To turn off, set to 0. # #activity-animation 1 # -# -# # If "log-messages" is set to 1, Privoxy copies log messages to the # console window. The log detail depends on the debug directive. # #log-messages 1 # -# -# # If "log-buffer-size" is set to 1, the size of the log buffer, i.e. # the amount of memory used for the log messages displayed in the # console window, will be limited to "log-max-lines" (see below).