X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fsource%2Fp-config.sgml;h=a7405d9692ca6bea70c6b62d43bc0b0cb5afc2b0;hp=3d36a54c676219c7963375c31993b21033c541b9;hb=4d554d8176039481313a3fb2ab2cf56e5a84cb4e;hpb=41619752a67313004a1e3cdde8c30fc4c44cd844 diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml index 3d36a54c..a7405d96 100644 --- a/doc/source/p-config.sgml +++ b/doc/source/p-config.sgml @@ -3,9 +3,9 @@ Purpose : Used with other docs and files only. - $Id: p-config.sgml,v 2.79 2011/09/04 11:10:12 fabiankeil Exp $ + $Id: p-config.sgml,v 2.122 2016/05/22 12:41:50 fabiankeil Exp $ - Copyright (C) 2001-2011 Privoxy Developers http://www.privoxy.org/ + Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/ See LICENSE. ======================================================================== @@ -94,32 +94,33 @@ @@TITLE<!-- between the @@ is stripped by Makefile -->@@ - Sample Configuration File for Privoxy v&p-version; + Sample Configuration File for Privoxy &p-version; - $Id: p-config.sgml,v 2.79 2011/09/04 11:10:12 fabiankeil Exp $ + $Id: p-config.sgml,v 2.122 2016/05/22 12:41:50 fabiankeil Exp $ -Copyright (C) 2001-2011 Privoxy Developers http://www.privoxy.org/ +Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/ -################################################################# - # - Table of Contents # - # - I. INTRODUCTION # - II. FORMAT OF THE CONFIGURATION FILE # - # - 1. LOCAL SET-UP DOCUMENTATION # - 2. CONFIGURATION AND LOG FILE LOCATIONS # - 3. DEBUGGING # - 4. ACCESS CONTROL AND SECURITY # - 5. FORWARDING # - 6. WINDOWS GUI OPTIONS # - # -################################################################# +################################################################## + # + Table of Contents # + # + I. INTRODUCTION # + II. FORMAT OF THE CONFIGURATION FILE # + # + 1. LOCAL SET-UP DOCUMENTATION # + 2. CONFIGURATION AND LOG FILE LOCATIONS # + 3. DEBUGGING # + 4. ACCESS CONTROL AND SECURITY # + 5. FORWARDING # + 6. MISCELLANEOUS # + 7. WINDOWS GUI OPTIONS # + # +################################################################## @@ -228,7 +229,7 @@ II. FORMAT OF THE CONFIGURATION FILE Effect if unset: - http://www.privoxy.org/version/user-manual/ + https://www.privoxy.org/version/user-manual/ will be used, where version is the Privoxy version. @@ -315,7 +316,7 @@ II. FORMAT OF THE CONFIGURATION FILE -@@#user-manual http://www.privoxy.org/user-manual/]]> +@@#user-manual https://www.privoxy.org/user-manual/]]> @@ -533,16 +534,6 @@ II. FORMAT OF THE CONFIGURATION FILE No trailing /, please. - @@ -597,6 +588,55 @@ II. FORMAT OF THE CONFIGURATION FILE + +temporary-directory + + + + Specifies: + + A directory where Privoxy can create temporary files. + + + + Type of value: + + Path name + + + + Default value: + + unset + + + + Effect if unset: + + No temporary files are created, external filters don't work. + + + + Notes: + + + To execute external filters, + Privoxy has to create temporary files. + This directive specifies the directory the temporary files should + be written to. + + + It should be a directory only Privoxy + (and trusted users) can access. + + + + + +@@#temporary-directory .]]> + + + logdir @@ -703,13 +743,6 @@ actionsfile Actions files contain all the per site and per URL configuration for ad blocking, cookie management, privacy considerations, etc. - There is no point in using Privoxy without at - least one actions file. - - - Note that since Privoxy 3.0.7, the complete filename, including the .action - extension has to be specified. The syntax change was necessary to be consistent - with the other file options and to allow previously forbidden characters. @@ -846,23 +879,22 @@ actionsfile Depending on the debug options below, the logfile may be a privacy risk if third parties can get access to it. As most users will never look - at it, Privoxy 3.0.7 and later only log fatal - errors by default. + at it, Privoxy only logs fatal errors by default. For most troubleshooting purposes, you will have to change that, please refer to the debugging section for details. - - Your logfile will grow indefinitely, and you will probably want to - periodically remove it. On Unix systems, you can do this with a cron job - (see man cron). For Red Hat based Linux distributions, a - logrotate script has been included. - Any log files must be writable by whatever user Privoxy is being run as (on Unix, default user id is privoxy). + + To prevent the logfile from growing indefinitely, it is recommended to + periodically rotate or shorten it. Many operating systems support log + rotation out of the box, some require additional software to do it. + For details, please refer to the documentation for your operating system. + @@ -1020,6 +1052,7 @@ actionsfile debug 4096 # Startup banner and warnings. debug 8192 # Non-fatal errors debug 32768 # log all data read from the network + debug 65536 # Log the applying actions @@ -1032,12 +1065,6 @@ actionsfile so that you will notice when things go wrong. The other levels are probably only of interest if you are hunting down a specific problem. They can produce a hell of an output (especially 16). - - - - &my-app; used to ship with the debug levels recommended above enabled by - default, but due to privacy concerns 3.0.7 and later are configured to - only log fatal errors. If you are used to the more verbose settings, simply enable the debug lines @@ -1083,13 +1110,13 @@ actionsfile Type of value: - None + 1 or 0 Default value: - Unset + 0 @@ -1112,7 +1139,7 @@ actionsfile -@@#single-threaded]]> +@@#single-threaded 1]]> @@ -1291,12 +1318,6 @@ actionsfile linkend="enable-edit-actions">enable-edit-actions and enable-remote-toggle - - With the exception noted above, listening on multiple addresses is currently - not supported by Privoxy directly. - It can be done on most operating systems by letting a packet filter - redirect request for certain addresses to Privoxy, though. - @@ -1371,18 +1392,6 @@ actionsfile toggled off mode, i.e. mostly behave like a normal, content-neutral proxy with both ad blocking and content filtering disabled. See enable-remote-toggle below. - - - - The windows version will only display the toggle icon in the system tray - if this option is present. @@ -1888,6 +1897,67 @@ ACLs: permit-access and deny-access @@buffer-limit 4096]]> + +enable-proxy-authentication-forwarding + + + Specifies: + + + Whether or not proxy authentication through &my-app; should work. + + + + + Type of value: + + 0 or 1 + + + + Default value: + + 0 + + + + Effect if unset: + + + Proxy authentication headers are removed. + + + + + Notes: + + + Privoxy itself does not support proxy authentication, but can + allow clients to authenticate against Privoxy's parent proxy. + + + By default Privoxy (3.0.21 and later) don't do that and remove + Proxy-Authorization headers in requests and Proxy-Authenticate + headers in responses to make it harder for malicious sites to + trick inexperienced users into providing login information. + + + If this option is enabled the headers are forwarded. + + + Enabling this option is not recommended if there is + no parent proxy that requires authentication or if the local network between + Privoxy and the parent proxy isn't trustworthy. If proxy authentication is + only required for some requests, it is recommended to use a client header filter + to remove the authentication headers for requests where they aren't needed. + + + + + +@@enable-proxy-authentication-forwarding 0]]> + + @@ -2034,7 +2104,7 @@ ACLs: permit-access and deny-access -forward-socks4, forward-socks4a and forward-socks5 +forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t @@ -2097,6 +2167,12 @@ forward-socks4, forward-socks4a and forward-socks5 With forward-socks5 the DNS resolution will happen on the remote server as well. + + forward-socks5t works like vanilla forward-socks5 but + lets &my-app; additionally use Tor-specific SOCKS extensions. Currently the only supported + SOCKS extension is optimistic data which can reduce the latency for the first request made + on a newly created connection. + socks_proxy and http_parent can be a @@ -2145,11 +2221,16 @@ forward-socks4, forward-socks4a and forward-socks5 - forward-socks5 / 127.0.0.1:9050 . + forward-socks5t / 127.0.0.1:9050 . - - + + Note that if you got Tor through one of the bundles, you may + have to change the port from 9050 to 9150 (or even another one). + For details, please check the documentation on the + Tor website. + + The public Tor network can't be used to reach your local network, if you need to access local servers you therefore might want to make some exceptions: @@ -2386,6 +2467,9 @@ forward-socks4, forward-socks4a and forward-socks5 option and configure your packet filter to redirect outgoing HTTP connections into Privoxy. + + Note that intercepting encrypted connections (HTTPS) isn't supported. + Make sure that Privoxy's own requests aren't redirected as well. Additionally take care that @@ -2394,6 +2478,12 @@ forward-socks4, forward-socks4a and forward-socks5 Privoxy's listening port is reachable by the outside or an attacker has access to the pages you visit. + + If you are running Privoxy as intercepting proxy without being + able to intercept all client requests you may want to adjust + the CGI templates to make sure they don't reference content from + config.privoxy.org. + @@ -2600,7 +2690,7 @@ forward-socks4, forward-socks4a and forward-socks5 Several users have reported this as a Privoxy bug, so the default value has been reduced. Consider increasing it to 300 seconds or even more if you think your browser can handle - it. If your browser appears to be hanging it can't. + it. If your browser appears to be hanging, it probably can't. @@ -2617,6 +2707,75 @@ forward-socks4, forward-socks4a and forward-socks5 +tolerate-pipelining + + + Specifies: + + + Whether or not pipelined requests should be served. + + + + + Type of value: + + + 0 or 1. + + + + + Default value: + + None + + + + Effect if unset: + + + If Privoxy receives more than one request at once, it terminates the + client connection after serving the first one. + + + + + Notes: + + + &my-app; currently doesn't pipeline outgoing requests, + thus allowing pipelining on the client connection is not + guaranteed to improve the performance. + + + By default &my-app; tries to discourage clients from pipelining + by discarding aggressively pipelined requests, which forces the + client to resend them through a new connection. + + + This option lets &my-app; tolerate pipelining. Whether or not + that improves performance mainly depends on the client configuration. + + + If you are seeing problems with pages not properly loading, + disabling this option could work around the problem. + + + + + Examples: + + + tolerate-pipelining 1 + + + + +@@tolerate-pipelining 1]]> + + + default-server-timeout @@ -2874,7 +3033,7 @@ forward-socks4, forward-socks4a and forward-socks5 Default value: - None + 128 @@ -2919,6 +3078,13 @@ forward-socks4, forward-socks4a and forward-socks5 Obviously using this option only makes sense if you choose a limit below the one enforced by the operating system. + + One most POSIX-compliant systems &my-app; can't properly deal with + more than FD_SETSIZE file descriptors at the same time and has to reject + connections if the limit is reached. This will likely change in a + future version, but currently this limit can't be increased without + recompiling &my-app; with a different FD_SETSIZE limit. + @@ -2981,15 +3147,13 @@ forward-socks4, forward-socks4a and forward-socks5 Notes: - This is a work-around for Firefox bug 492459: - - Websites are no longer rendered if SSL requests for JavaScripts are blocked by a proxy. - + This directive was added as a work-around for Firefox bug 492459: + Websites are no longer rendered if SSL requests for JavaScripts are blocked by a proxy. (https://bugzilla.mozilla.org/show_bug.cgi?id=492459) - As the bug has been fixed for quite some time this option should no longer - be needed and will be removed in a future release. Please speak up if you - have a reason why the option should be kept around. + >https://bugzilla.mozilla.org/show_bug.cgi?id=492459), + the bug has been fixed for quite some time, but this directive is also useful + to make it harder for websites to detect whether or not resources are being + blocked. @@ -3126,10 +3290,300 @@ forward-socks4, forward-socks4a and forward-socks5 - +client-header-order + + + Specifies: + + + The order in which client headers are sorted before forwarding them. + + + + + Type of value: + + + Client header names delimited by spaces or tabs + + + + + Default value: + + None + + + + Notes: + + + By default &my-app; leaves the client headers in the order they + were sent by the client. Headers are modified in-place, new headers + are added at the end of the already existing headers. + + + The header order can be used to fingerprint client requests + independently of other headers like the User-Agent. + + + This directive allows to sort the headers differently to better + mimic a different User-Agent. Client headers will be emitted + in the order given, headers whose name isn't explicitly specified + are added at the end. + + + Note that sorting headers in an uncommon way will make fingerprinting + actually easier. Encrypted headers are not affected by this directive. + + + + +@@#client-header-order Host \ + User-Agent \ + Accept \ + Accept-Language \ + Accept-Encoding \ + Proxy-Connection \ + Referer \ + Cookie \ + DNT \ + If-Modified-Since \ + Cache-Control \ + Content-Length \ + Content-Type +]]> + + + +client-specific-tag + + + Specifies: + + + The name of a tag that will always be set for clients that + requested it through the webinterface. + + + + + Type of value: + + + Tag name followed by a description that will be shown in the webinterface + + + + + Default value: + + None + + + + Notes: + + + + This is an experimental feature. The syntax is likely to change + in future versions. + + + + Client-specific tags allow Privoxy admins to create different + profiles and let the users chose which one they want without + impacting other users. + + + One use case is allowing users to circumvent certain blocks + without having to allow them to circumvent all blocks. + This is not possible with the + enable-remote-toggle feature + because it would bluntly disable all blocks for all users and also affect + other actions like filters. + It also is set globally which renders it useless in most multi-user setups. + + + After a client-specific tag has been defined with the client-specific-tag + directive, action sections can be activated based on the tag by using a + CLIENT-TAG pattern. + The CLIENT-TAG pattern is evaluated at the same priority + as URL patterns, as a result the last matching pattern wins. + Tags that are created based on client or server headers are evaluated + later on and can overrule CLIENT-TAG and URL patterns! + + + The tag is set for all requests that come from clients that requested + it to be set. + Note that "clients" are differentiated by IP address, + if the IP address changes the tag has to be requested again. + + + Clients can request tags to be set by using the CGI interface http://config.privoxy.org/client-tags. + The specific tag description is only used on the web page and should + be phrased in away that the user understand the effect of the tag. + + + + + Examples: + + + + # Define a couple of tags, the described effect requires action sections + # that are enabled based on CLIENT-TAG patterns. + client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions + disable-content-filters Disable content-filters but do not affect other actions + + + + + + +client-tag-lifetime + + + Specifies: + + + How long a temporarily enabled tag remains enabled. + + + + + Type of value: + + + Time in seconds. + + + + + Default value: + + 60 + + + + Notes: + + + + This is an experimental feature. The syntax is likely to change + in future versions. + + + + In case of some tags users may not want to enable them permanently, + but only for a short amount of time, for example to circumvent a block + that is the result of an overly-broad URL pattern. + + + The CGI interface http://config.privoxy.org/client-tags + therefore provides a "enable this tag temporarily" option. + If it is used, the tag will be set until the client-tag-lifetime + is over. + + + + + Examples: + + + + # Increase the time to life for temporarily enabled tags to 3 minutes + client-tag-lifetime 180 + + + + + + + + + +trust-x-forwarded-for + + + Specifies: + + + Whether or not Privoxy should use IP addresses specified with the X-Forwarded-For header + + + + + Type of value: + + + 0 or one + + + + + Default value: + + 0 + + + + Notes: + + + + This is an experimental feature. The syntax is likely to change + in future versions. + + + + If clients reach Privoxy through another proxy, for example a load + balancer, Privoxy can't tell the client's IP address from the connection. + If multiple clients use the same proxy, they will share the same + client tag settings which is usually not desired. + + + This option lets Privoxy use the X-Forwarded-For header value as + client IP address. If the proxy sets the header, multiple clients + using the same proxy do not share the same client tag settings. + + + This option should only be enabled if Privoxy can only be reached + through a proxy and if the proxy can be trusted to set the header + correctly. It is recommended that ACL are used to make sure only + trusted systems can reach Privoxy. + + + If access to Privoxy isn't limited to trusted systems, this option + would allow malicious clients to change the client tags for other + clients or increase Privoxy's memory requirements by registering + lots of client tag settings for clients that don't exist. + + + + + Examples: + + + + # Allow systems that can reach Privoxy to provide the client + # IP address with a X-Forwarded-For header. + trust-x-forwarded-for 1 + + + + + + + + + + @@ -3165,8 +3619,9 @@ forward-socks4, forward-socks4a and forward-socks5 @@]]> If log-messages is set to 1, - Privoxy will log messages to the console - window: + Privoxy copies log messages to the console + window. + The log detail depends on the debug directive. @@#log-messages 1]]>