X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=config;h=c38b7f56522e5c99b3df179c1875879df39fbd5e;hp=8be4fb21009491399b92aad6b0f80442a5de02d0;hb=5beea1ee85b4d721beede7b29264fa527061a664;hpb=36541076ffd4a1bce4ece3ece6410764bab8f2aa
diff --git a/config b/config
index 8be4fb21..c38b7f56 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
-# Sample Configuration File for Privoxy 3.0.29
+# Sample Configuration File for Privoxy 3.0.33
 #
-# Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
+# Copyright (C) 2001-2021 Privoxy Developers https://www.privoxy.org/
 #
 #####################################################################
 # #
@@ -15,7 +15,7 @@
 # 4. ACCESS CONTROL AND SECURITY #
 # 5. FORWARDING #
 # 6. MISCELLANEOUS #
-# 7. TLS #
+# 7. HTTPS INSPECTION (EXPERIMENTAL) #
 # 8. WINDOWS GUI OPTIONS #
 # #
 #####################################################################
@@ -385,6 +385,7 @@ logdir .
 actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
 actionsfile default.action # Main actions file
 actionsfile user.action # User customizations
+#actionsfile regression-tests.action # Tests for privoxy-regression-test
 #
 # 2.6. filterfile
 # ================
@@ -569,7 +570,7 @@ logfile logfile
 #
 # debug 1 # Log the destination for each request. See also debug 1024.
 # debug 2 # show each connection status
-# debug 4 # show I/O status
+# debug 4 # show tagging-related messages
 # debug 8 # show header parsing
 # debug 16 # log all data written to the network
 # debug 32 # debug force feature
@@ -591,7 +592,7 @@ logfile logfile
 # each request as it happens. 1, 1024, 4096 and 8192 are
 # recommended so that you will notice when things go wrong. The
 # other levels are probably only of interest if you are hunting
-# down a specific problem. They can produce a hell of an output
+# down a specific problem. They can produce a lot of output
 # (especially 16).
 #
 # If you are used to the more verbose settings, simply enable
@@ -609,10 +610,17 @@ logfile logfile
 # you read the log messages, you may even be able to solve the
 # problem on your own.
 #
-#debug 1 # Log the destination for each request.
+#debug 1 # Log the destination for each request. See also debug 1024.
+#debug 2 # show each connection status
+#debug 4 # show tagging-related messages
+#debug 8 # show header parsing
+#debug 128 # debug redirects
+#debug 256 # debug GIF de-animation
+#debug 512 # Common Log Format
 #debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
 #debug 4096 # Startup banner and warnings
 #debug 8192 # Non-fatal errors
+#debug 65536 # Log applying actions
 #
 # 3.2. single-threaded
 # =====================
@@ -763,8 +771,8 @@ logfile logfile
 # consider using access control lists (ACL's, see below), and/or
 # a firewall.
 #
-# If you open Privoxy to untrusted users, you will also want to
-# make sure that the following actions are disabled:
+# If you open Privoxy to untrusted users, you should also make
+# sure that the following actions are disabled:
 # enable-edit-actions and enable-remote-toggle
 #
 # Example:
@@ -975,7 +983,7 @@ enable-edit-actions 0
 # link. If the user adds the force prefix by hand, it will not
 # be accepted and the circumvention attempt is logged.
 #
-# Examples:
+# Example:
 #
 # enforce-blocks 1
 #
@@ -1456,8 +1464,8 @@ enable-proxy-authentication-forwarding 0
 # might want to make some exceptions:
 #
 # forward 192.168.*.*/ .
-# forward 10.*.*.*/ .
-# forward 127.*.*.*/ .
+# forward 10.*.*.*/ .
+# forward 127.*.*.*/ .
 #
 # Unencrypted connections to systems in these address ranges
 # will be as (un)secure as the local network is, but the
@@ -1470,7 +1478,7 @@ enable-proxy-authentication-forwarding 0
 # network by using their names, you will need additional
 # exceptions that look like this:
 #
-# forward localhost/ .
+# forward localhost/ .
 #
 #
 # 5.3. forwarded-connect-retries
@@ -1515,7 +1523,7 @@ enable-proxy-authentication-forwarding 0
 # logfile from time to time, to see how many retries are usually
 # needed.
 #
-# Examples:
+# Example:
 #
 # forwarded-connect-retries 1
 #
@@ -1564,7 +1572,7 @@ forwarded-connect-retries 0
 # the CGI templates to make sure they don't reference content
 # from config.privoxy.org.
 #
-# Examples:
+# Example:
 #
 # accept-intercepted-requests 1
 #
@@ -1601,7 +1609,7 @@ accept-intercepted-requests 0
 # Don't enable this option unless you're sure that you really
 # need it.
 #
-# Examples:
+# Example:
 #
 # allow-cgi-request-crunching 1
 #
@@ -1643,7 +1651,7 @@ allow-cgi-request-crunching 0
 # to enable this option, but if one of the submit buttons
 # appears to be broken, you should give it a try.
 #
-# Examples:
+# Example:
 #
 # split-large-forms 1
 #
@@ -1699,7 +1707,7 @@ split-large-forms 0
 # seconds or even more if you think your browser can handle it.
 # If your browser appears to be hanging, it probably can't.
 #
-# Examples:
+# Example:
 #
 # keep-alive-timeout 300
 #
@@ -1742,7 +1750,7 @@ keep-alive-timeout 5
 # If you are seeing problems with pages not properly loading,
 # disabling this option could work around the problem.
 #
-# Examples:
+# Example:
 #
 # tolerate-pipelining 1
 #
@@ -1793,7 +1801,7 @@ tolerate-pipelining 1
 # This option has no effect if Privoxy has been compiled without
 # keep-alive support.
 #
-# Examples:
+# Example:
 #
 # default-server-timeout 60
 #
@@ -1830,11 +1838,11 @@ tolerate-pipelining 1
 # speedups. There are also a few privacy implications you should
 # be aware of.
 #
-# If this option is effective, outgoing connections are shared
+# If this option is enabled, outgoing connections are shared
 # between clients (if there are more than one) and closing the
-# browser that initiated the outgoing connection does no longer
-# affect the connection between Privoxy and the server unless
-# the client's request hasn't been completed yet.
+# browser that initiated the outgoing connection does not affect
+# the connection between Privoxy and the server unless the
+# client's request hasn't been completed yet.
 #
 # If the outgoing connection is idle, it will not be closed
 # until either Privoxy's or the server's timeout is reached.
@@ -1863,7 +1871,7 @@ tolerate-pipelining 1
 # This option should only be used by experienced users who
 # understand the risks and can weight them against the benefits.
 #
-# Examples:
+# Example:
 #
 # connection-sharing 1
 #
@@ -1895,7 +1903,16 @@ tolerate-pipelining 1
 # If you aren't using an occasionally slow proxy like Tor,
 # reducing it to a few seconds should be fine.
 #
-# Examples:
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |When a TLS library is being used to read or write |
+# |data from a socket with https-inspection enabled the |
+# |socket-timeout currently isn't applied and the |
+# |timeout used depends on the library (which may not |
+# |even use a timeout). |
+# +-----------------------------------------------------+
+# Example:
 #
 # socket-timeout 300
 #
@@ -1916,12 +1933,10 @@ socket-timeout 300
 #
 # 128
 #
-# Effect if unset:
+# Notes:
 #
 # Connections are served until a resource limit is reached.
 #
-# Notes:
-#
 # Privoxy creates one thread (or process) for every incoming
 # client connection that isn't rejected based on the access
 # control settings.
@@ -1951,13 +1966,17 @@ socket-timeout 300
 # limit below the one enforced by the operating system.
 #
 # One most POSIX-compliant systems Privoxy can't properly deal
-# with more than FD_SETSIZE file descriptors at the same time
-# and has to reject connections if the limit is reached. This
-# will likely change in a future version, but currently this
-# limit can't be increased without recompiling Privoxy with a
-# different FD_SETSIZE limit.
+# with more than FD_SETSIZE file descriptors if Privoxy has been
+# configured to use select() and has to reject connections if
+# the limit is reached. When using select() this limit therefore
+# can't be increased without recompiling Privoxy with a
+# different FD_SETSIZE limit unless Privoxy is running on
+# Windows with _WIN32 defined.
 #
-# Examples:
+# When Privoxy has been configured to use poll() the FD_SETSIZE
+# limit does not apply.
+#
+# Example:
 #
 # max-client-connections 256
 #
@@ -2011,7 +2030,7 @@ socket-timeout 300
 # the system configuration as well. On FreeBSD-based system the
 # limit is controlled by the kern.ipc.soacceptqueue sysctl.
 #
-# Examples:
+# Example:
 #
 # listen-backlog 4096
 #
@@ -2053,7 +2072,7 @@ socket-timeout 300
 # systems. Check the accf_http(9) man page to learn how to
 # enable the support in the operating system.
 #
-# Examples:
+# Example:
 #
 # enable-accept-filter 1
 #
@@ -2168,19 +2187,18 @@ socket-timeout 300
 #
 # Examples:
 #
-# # Best speed (compared to the other levels)
-# compression-level 1
-#
-# # Best compression
-# compression-level 9
+# # Best speed (compared to the other levels)
+# compression-level 1
 #
-# # No compression. Only useful for testing as the added header
-# # slightly increases the amount of data that has to be sent.
-# # If your benchmark shows that using this compression level
-# # is superior to using no compression at all, the benchmark
-# # is likely to be flawed.
-# compression-level 0
+# # Best compression
+# compression-level 9
 #
+# # No compression. Only useful for testing as the added header
+# # slightly increases the amount of data that has to be sent.
+# # If your benchmark shows that using this compression level
+# # is superior to using no compression at all, the benchmark
+# # is likely to be flawed.
+# compression-level 0
 #
 #compression-level 1
 #
@@ -2216,7 +2234,7 @@ socket-timeout 300
 #
 # Note that sorting headers in an uncommon way will make
 # fingerprinting actually easier. Encrypted headers are not
-# affected by this directive.
+# affected by this directive unless https-inspection is enabled.
 #
 #client-header-order Host \
 # User-Agent \
@@ -2227,12 +2245,15 @@ socket-timeout 300
 # Referer \
 # Cookie \
 # DNT \
+# Connection \
+# Pragma \
+# Upgrade-Insecure-Requests \
 # If-Modified-Since \
 # Cache-Control \
 # Content-Length \
+# Origin \
 # Content-Type
 #
-#
 # 6.16. client-specific-tag
 # ==========================
 #
@@ -2252,13 +2273,6 @@ socket-timeout 300
 #
 # Notes:
 #
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
 # Client-specific tags allow Privoxy admins to create different
 # profiles and let the users chose which one they want without
 # impacting other users.
@@ -2287,7 +2301,7 @@ socket-timeout 300
 # Clients can request tags to be set by using the CGI interface
 # http://config.privoxy.org/client-tags. The specific tag
 # description is only used on the web page and should be phrased
-# in away that the user understand the effect of the tag.
+# in away that the user understands the effect of the tag.
 #
 # Examples:
 #
@@ -2295,6 +2309,11 @@ socket-timeout 300
 # # that are enabled based on CLIENT-TAG patterns.
 # client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
 # client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
+# client-specific-tag overrule-redirects Overrule redirect sections
+# client-specific-tag allow-cookies Do not crunch cookies in either direction
+# client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits)
+# client-specific-tag no-https-inspection Disable HTTPS inspection
+# client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled
 #
 #
 # 6.17. client-tag-lifetime
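Review bot: The reworded line `+# in away that the user understands the effect of the tag.` fixes the verb but keeps the typo in "in away"; it should read `# in a way that the user understands the effect of the tag.`. The client-specific-tag section this belongs to continues outside the hunk.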
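Review bot: The new example `# client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled` calls the feature `http-inspection`, while the rest of the commit (including the `no-https-inspection` tag two lines above) calls it https-inspection; suggest `# client-specific-tag no-tls-verification Don't verify certificates when https-inspection is enabled`. Because the hunk above says the description is the text users see on the client-tags CGI page, it may also be worth stating the consequence there, e.g. `Don't verify server certificates when https-inspection is enabled (the client loses protection against impersonated servers)`.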
@@ -2314,13 +2333,6 @@ socket-timeout 300
 #
 # Notes:
 #
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
 # In case of some tags users may not want to enable them
 # permanently, but only for a short amount of time, for example
 # to circumvent a block that is the result of an overly-broad
@@ -2331,13 +2343,12 @@ socket-timeout 300
 # it is used, the tag will be set until the client-tag-lifetime
 # is over.
 #
-# Examples:
+# Example:
 #
 # # Increase the time to life for temporarily enabled tags to 3 minutes
 # client-tag-lifetime 180
 #
 #
-#
 # 6.18. trust-x-forwarded-for
 # ============================
 #
@@ -2356,13 +2367,6 @@ socket-timeout 300
 #
 # Notes:
 #
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
 # If clients reach Privoxy through another proxy, for example a
 # load balancer, Privoxy can't tell the client's IP address from
 # the connection. If multiple clients use the same proxy, they
@@ -2385,14 +2389,13 @@ socket-timeout 300
 # registering lots of client tag settings for clients that don't
 # exist.
 #
-# Examples:
+# Example:
 #
 # # Allow systems that can reach Privoxy to provide the client
 # # IP address with a X-Forwarded-For header.
 # trust-x-forwarded-for 1
 #
 #
-#
 # 6.19. receive-buffer-size
 # ==========================
 #
@@ -2433,14 +2436,20 @@ socket-timeout 300
 # cleared before using it, a buffer that is too large can
 # actually reduce the throughput.
 #
-# Examples:
+# Example:
 #
 # # Increase the receive buffer size
 # receive-buffer-size 32768
 #
 #
-# 7. TLS/SSL INSPECTION
-# ======================
+# 7. HTTPS INSPECTION (EXPERIMENTAL)
+# ===================================
+#
+# HTTPS inspection allows to filter encrypted requests and
+# responses. This is only supported when Privoxy has been built with
+# FEATURE_HTTPS_INSPECTION. If you aren't sure if your version
+# supports it, have a look at http://config.privoxy.org/show-status.
+#
 #
 # 7.1. ca-directory
 # ==================
@@ -2470,7 +2479,7 @@ socket-timeout 300
 # The permissions should only let Privoxy and the Privoxy admin
 # access the directory.
 #
-# Examples:
+# Example:
 #
 # ca-directory /usr/local/etc/privoxy/CA
 #
@@ -2510,7 +2519,7 @@ socket-timeout 300
 # The file can be generated with: openssl req -new -x509
 # -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
 #
-# Examples:
+# Example:
 #
 # ca-cert-file root.crt
 #
@@ -2538,9 +2547,14 @@ socket-timeout 300
 # Notes:
 #
 # This directive specifies the name of the CA key file in ".pem"
-# format. See the ca-cert-file for a command to generate it.
+# format. The ca-cert-file section contains a command to
+# generate it.
 #
-# Examples:
+# The CA key is used by Privoxy to sign generated certificates.
+#
+# Access to the key should be limited to Privoxy.
+#
+# Example:
 #
 # ca-key-file cakey.pem
 #
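Review bot: `+# HTTPS inspection allows to filter encrypted requests and` is ungrammatical; suggest `# HTTPS inspection allows filtering encrypted requests and`. The same construction recurs in the new cipher-list section further down (`This directive allows to specify a non-default list of ciphers`), which would read better as `This directive allows specifying a non-default list of ciphers`.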
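Review bot: `+# Access to the key should be limited to Privoxy.` understates why and gives no hint how, whereas the ca-directory notes in this same hunk spell out the permission model (`The permissions should only let Privoxy and the Privoxy admin access the directory.`). Since the preceding new line says this key signs the generated certificates, and clients presumably have to trust the matching ca-cert-file for inspection to work, anyone who obtains the key can issue certificates those clients accept for any site. Suggest `# Anyone with access to the key can issue certificates the clients trust, so the file should be readable only by the user Privoxy runs as.`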
@@ -2571,10 +2585,18 @@ socket-timeout 300
 # is used when Privoxy generates certificates for intercepted
 # requests.
 #
-# Note that the password is shown on the CGI page so don't reuse
-# an important one.
-#
-# Examples:
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Note that the password is shown on the CGI page so |
+# |don't reuse an important one. |
+# | |
+# |If disclosure of the password is a compliance issue |
+# |consider blocking the relevant CGI requests after |
+# |enabling the enforce-blocks and |
+# |allow-cgi-request-crunching. |
+# +-----------------------------------------------------+
+# Example:
 #
 # ca-password blafasel
 #
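Review bot: The last sentence of the new warning box, `|enabling the enforce-blocks and |` / `|allow-cgi-request-crunching. |`, is missing its object and reads as unfinished; suggest ending it with `... after enabling the enforce-blocks and allow-cgi-request-crunching directives.` and reflowing the box. It would also help admins who want to follow that advice if the box named which CGI page displays the password, since "the CGI page" is not identified anywhere in this hunk.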
@@ -2611,13 +2633,121 @@ socket-timeout 300
 # The permissions should only let Privoxy and the Privoxy admin
 # access the directory.
 #
-# Examples:
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Privoxy currently does not garbage-collect obsolete |
+# |keys and certificates and does not keep track of how |
+# |may keys and certificates exist. |
+# | |
+# |Privoxy admins should monitor the size of the |
+# |directory and/or make sure there is sufficient space |
+# |available. A cron job to limit the number of keys and|
+# |certificates to a certain number may be worth |
+# |considering. |
+# +-----------------------------------------------------+
+# Example:
 #
 # certificate-directory /usr/local/var/privoxy/certs
 #
 #certificate-directory /usr/local/var/privoxy/certs
 #
-# 7.6. trusted-cas-file
+# 7.6. cipher-list
+# =================
+#
+# Specifies:
+#
+# A list of ciphers to use in TLS handshakes
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# None
+#
+# Effect if unset:
+#
+# A default value is inherited from the TLS library.
+#
+# Notes:
+#
+# This directive allows to specify a non-default list of ciphers
+# to use in TLS handshakes with clients and servers.
+#
+# Ciphers are separated by colons. Which ciphers are supported
+# depends on the TLS library. When using OpenSSL, unsupported
+# ciphers are skipped. When using MbedTLS they are rejected.
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Specifying an unusual cipher list makes |
+# |fingerprinting easier. Note that the default list |
+# |provided by the TLS library may be unusual when |
+# |compared to the one used by modern browsers as well. |
+# +-----------------------------------------------------+
+# Examples:
+#
+# # Explicitly set a couple of ciphers with names used by MbedTLS
+# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-AES-256-CCM:\
+# TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+# TLS-DHE-RSA-WITH-AES-128-CCM:\
+# TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+# TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+#
+# # Explicitly set a couple of ciphers with names used by OpenSSL
+# cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+# ECDHE-ECDSA-AES256-GCM-SHA384:\
+# DH-DSS-AES256-GCM-SHA384:\
+# DHE-DSS-AES256-GCM-SHA384:\
+# DH-RSA-AES256-GCM-SHA384:\
+# DHE-RSA-AES256-GCM-SHA384:\
+# ECDH-RSA-AES256-GCM-SHA384:\
+# ECDH-ECDSA-AES256-GCM-SHA384:\
+# ECDHE-RSA-AES128-GCM-SHA256:\
+# ECDHE-ECDSA-AES128-GCM-SHA256:\
+# DH-DSS-AES128-GCM-SHA256:\
+# DHE-DSS-AES128-GCM-SHA256:\
+# DH-RSA-AES128-GCM-SHA256:\
+# DHE-RSA-AES128-GCM-SHA256:\
+# ECDH-RSA-AES128-GCM-SHA256:\
+# ECDH-ECDSA-AES128-GCM-SHA256:\
+# ECDHE-RSA-AES256-GCM-SHA384:\
+# AES128-SHA
+#
+# # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+# cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+#
+#
+# 7.7. trusted-cas-file
 # ======================
 #
 # Specifies:
@@ -2641,10 +2771,11 @@ socket-timeout 300
 # This directive specifies the trusted CAs file that is used
 # when validating certificates for intercepted TLS/SSL requests.
 #
-# An example file can be downloaded from https://curl.haxx.se/ca
-# /cacert.pem.
+# An example file can be downloaded from https://curl.se/ca/cacert.pem.
+# If you want to create the file yourself, please
+# see: https://curl.se/docs/caextract.html.
 #
-# Examples:
+# Example:
 #
 # trusted-cas-file trusted_cas_file.pem
 #
@@ -2676,49 +2807,35 @@ socket-timeout 300
 #
 #log-buffer-size 1
 #
-#
-#
 # log-max-lines is the maximum number of lines held in the log
 # buffer. See above.
 #
 #log-max-lines 200
 #
-#
-#
 # If "log-highlight-messages" is set to 1, Privoxy will highlight
 # portions of the log messages with a bold-faced font:
 #
 #log-highlight-messages 1
 #
-#
-#
 # The font used in the console window:
 #
 #log-font-name Comic Sans MS
 #
-#
-#
 # Font size used in the console window:
 #
 #log-font-size 8
 #
-#
-#
 # "show-on-task-bar" controls whether or not Privoxy will appear as
 # a button on the Task bar when minimized:
 #
 #show-on-task-bar 0
 #
-#
-#
 # If "close-button-minimizes" is set to 1, the Windows close button
 # will minimize Privoxy instead of closing the program (close with
 # the exit option on the File menu).
 #
 #close-button-minimizes 1
 #
-#
-#
 # The "hide-console" option is specific to the MS-Win console
 # version of Privoxy. If this option is used, Privoxy will
 # disconnect from and hide the command console.
@@ -2726,4 +2843,3 @@ socket-timeout 300
 #hide-console
 #
 #
-#
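Review bot: The MbedTLS example line `+# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\` repeats the directive name, so copied verbatim the first "cipher" is the literal token `cipher-list`, which per the note in this same hunk MbedTLS rejects; drop the duplicate. In the OpenSSL example `ECDHE-RSA-AES256-GCM-SHA384` is listed both first and next to last, and the trailing `AES128-SHA` is a non-forward-secret CBC suite that sits oddly in a list presented as explicitly chosen ciphers, so both could be removed. The new warning box above has a typo, `|may keys and certificates exist. |` should read `|many keys and certificates exist. |`, and `+# This directive allows to specify a non-default list of ciphers` reads better as `# This directive allows specifying a non-default list of ciphers`.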