X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fsource%2Fp-config.sgml;h=b5c8500f64415dbd7a808b5581b3e445690a52ef;hp=2e7c50e5e149d2b87f583872475adf6c609ec4f9;hb=6575a2e4dbfe2dfcbcc2199e9528971d30def28e;hpb=30c327078f448691a723d6d09734dc096f41b329
diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml
index 2e7c50e5..b5c8500f 100644
--- a/doc/source/p-config.sgml
+++ b/doc/source/p-config.sgml
@@ -3,7 +3,7 @@
Purpose : Used with other docs and files only.
- Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
+ Copyright (C) 2001-2021 Privoxy Developers https://www.privoxy.org/
See LICENSE.
========================================================================
@@ -90,7 +90,7 @@
Sample Configuration File for Privoxy &p-version;
-Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
+Copyright (C) 2001-2021 Privoxy Developers https://www.privoxy.org/
@@ -107,7 +107,7 @@ Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/
4. ACCESS CONTROL AND SECURITY #
5. FORWARDING #
6. MISCELLANEOUS #
- 7. TLS #
+ 7. HTTPS INSPECTION (EXPERIMENTAL) #
8. WINDOWS GUI OPTIONS #
#
##################################################################
@@ -738,6 +738,7 @@ actionsfile
fk 2007-11-07
-->
@@actionsfile user.action # User customizations]]>
+@@#regression-tests.action # Tests for privoxy-regression-test]]>
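Review bot: the new `#regression-tests.action` entry is commented out, which is the right default, but nothing in the surrounding text says when it should be uncommented; add a short sentence that it is only meant to be enabled while running privoxy-regression-test, so that admins do not switch it on as if it were a regular actions file.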
@@ -1018,7 +1019,7 @@ actionsfile
debug 1 # Log the destination for each request. See also debug 1024.
debug 2 # show each connection status
- debug 4 # show I/O status
+ debug 4 # show tagging-related messages
debug 8 # show header parsing
debug 16 # log all data written to the network
debug 32 # debug force feature
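Review bot: changing the description of `debug 4` from `show I/O status` to `show tagging-related messages` is a change of meaning, not a wording fix; please make sure the code and every other place the debug levels are documented describe the same thing, and add a changelog note so that existing configurations that set `debug 4` expecting I/O status are not surprised by the different log output.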
@@ -1269,7 +1270,7 @@ actionsfile
They can only be used if Privoxy has
been compiled with IPv6 support. If you aren't sure if your version
supports it, have a look at
- http://config.privoxy.org/show-status.
+ http://config.privoxy.org/show-status.
Some operating systems will prefer IPv6 to IPv4 addresses even if the
@@ -1630,7 +1631,7 @@ actionsfile
- Examples:
+ Example:
enforce-blocks 1
@@ -2508,7 +2509,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
forwarded-connect-retries 1
@@ -2585,7 +2586,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
accept-intercepted-requests 1
@@ -2643,7 +2644,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
allow-cgi-request-crunching 1
@@ -2710,7 +2711,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
split-large-forms 1
@@ -2793,7 +2794,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
keep-alive-timeout 300
@@ -2862,7 +2863,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
tolerate-pipelining 1
@@ -2943,7 +2944,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
default-server-timeout 60
@@ -2951,7 +2952,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
-@@#default-server-timeout 60]]>
+@@#default-server-timeout 5]]>
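Review bot: the commented-out sample-config value is changed to `#default-server-timeout 5`, but the `Example:` block in the previous hunk still shows `default-server-timeout 60`; either keep the two in sync or say in the directive's notes why the sample config suggests a much shorter timeout than the worked example.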
@@ -3042,7 +3043,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
connection-sharing 1
@@ -3098,7 +3099,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
socket-timeout 300
@@ -3186,7 +3187,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
max-client-connections 256
@@ -3265,7 +3266,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
listen-backlog 4096
@@ -3336,7 +3337,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
enable-accept-filter 1
@@ -3582,7 +3583,10 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Note that sorting headers in an uncommon way will make fingerprinting
- actually easier. Encrypted headers are not affected by this directive.
+ actually easier.
+ Encrypted headers are not affected by this directive unless
+ https-inspection
+ is enabled.
@@ -3596,9 +3600,13 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Referer \
Cookie \
DNT \
+ Connection \
+ Pragma \
+ Upgrade-Insecure-Requests \
If-Modified-Since \
Cache-Control \
Content-Length \
+ Origin \
Content-Type
]]>
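Review bot: inserting `Connection`, `Pragma` and `Upgrade-Insecure-Requests` between `DNT` and `If-Modified-Since`, and `Origin` before `Content-Type`, changes the documented header order, and the notes in the previous hunk warn that sorting headers in an uncommon way makes fingerprinting easier; the commit message or a comment above the list should say which browser's observed order this list is modelled on, so that future additions keep following it instead of being appended wherever convenient.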
@@ -3632,12 +3640,6 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Notes:
-
-
- This is an experimental feature. The syntax is likely to change
- in future versions.
-
-
Client-specific tags allow Privoxy admins to create different
profiles and let the users chose which one they want without
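Review bot: dropping the "experimental feature, the syntax is likely to change" paragraph declares the `client-specific-tag` syntax stable; if that is intended it deserves a changelog line, since users have been told to expect changes. Drive-by in the unchanged context line: `let the users chose which one they want` should read `choose`.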
@@ -3671,7 +3673,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Clients can request tags to be set by using the CGI interface http://config.privoxy.org/client-tags.
The specific tag description is only used on the web page and should
- be phrased in away that the user understand the effect of the tag.
+ be phrased in away that the user understands the effect of the tag.
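Review bot: the fix to `understands` leaves the other typo on the same line untouched: `phrased in away that` should be `phrased in a way that`.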
@@ -3683,6 +3685,11 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
# that are enabled based on CLIENT-TAG patterns.
client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
+ client-specific-tag overrule-redirects Overrule redirect sections
+ client-specific-tag allow-cookies Do not crunch cookies in either direction
+ client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits)
+ client-specific-tag no-https-inspection Disable HTTPS inspection
+ client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled
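Review bot: the `no-tls-verification` description says `http-inspection`, which should be `https-inspection` to match the directive name used by the `no-https-inspection` example directly above. More importantly, a tag that lets a client switch off certificate verification removes the only check that the upstream server is who it claims to be for that client's inspected connections, so the description should say so plainly, e.g. `Don't verify server certificates (unsafe) when https-inspection is enabled`, rather than reading like an ordinary convenience toggle.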
@@ -3718,12 +3725,6 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Notes:
-
-
- This is an experimental feature. The syntax is likely to change
- in future versions.
-
-
In case of some tags users may not want to enable them permanently,
but only for a short amount of time, for example to circumvent a block
@@ -3739,7 +3740,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
# Increase the time to life for temporarily enabled tags to 3 minutes
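Review bot: drive-by in the unchanged context line: `time to life` in the comment should be `time to live`.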
@@ -3779,12 +3780,6 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Notes:
-
-
- This is an experimental feature. The syntax is likely to change
- in future versions.
-
-
If clients reach Privoxy through another proxy, for example a load
balancer, Privoxy can't tell the client's IP address from the connection.
@@ -3811,7 +3806,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
# Allow systems that can reach Privoxy to provide the client
@@ -3884,7 +3879,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
# Increase the receive buffer size
@@ -3900,8 +3895,16 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
-
-TLS/SSL
+
+HTTPS Inspection (Experimental)
+
+
+ HTTPS inspection allows to filter encrypted requests and responses.
+ This is only supported when Privoxy
+ has been built with FEATURE_HTTPS_INSPECTION.
+ If you aren't sure if your version supports it, have a look at
+ http://config.privoxy.org/show-status.
+
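Review bot: `HTTPS inspection allows to filter encrypted requests and responses` is not grammatical; write `allows Privoxy to filter encrypted requests and responses` or `makes it possible to filter ...`. As this is the opening paragraph of the section, it should also state the consequence up front: to inspect, &my-app; decrypts the traffic and re-encrypts it using certificates signed with the CA configured through `ca-cert-file` and `ca-key-file`, so clients must be configured to trust that CA and the CA key must be protected. The `ca-key-file` hunk later in this patch says part of this, but readers need it here before they enable anything.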
@@ -3952,7 +3955,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
ca-directory /usr/local/etc/privoxy/CA
@@ -4018,12 +4021,12 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
The file can be generated with:
- openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
+ openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
- Examples:
+ Example:
ca-cert-file root.crt
@@ -4074,14 +4077,20 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Notes:
- This directive specifies the name of the CA key file
- in ".pem" format. See the ca-cert-file
- for a command to generate it.
+ This directive specifies the name of the CA key file in ".pem" format.
+ The ca-cert-file section contains
+ a command to generate it.
+
+
+ The CA key is used by &my-app; to sign generated certificates.
+
+
+ Access to the key should be limited to Privoxy.
- Examples:
+ Example:
ca-key-file cakey.pem
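Review bot: `Access to the key should be limited to Privoxy.` is the right advice but too vague to act on. Since the paragraph above explains that this key signs every generated certificate, spell out the consequence and the check: anyone who can read the key can issue certificates that every client trusting this CA will accept, so the file should be owned by the user &my-app; runs as and readable by nobody else (e.g. mode 0600 on Unix), and admins should verify that after generating it with the `openssl req` command referenced from `ca-cert-file`.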
@@ -4089,7 +4098,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
-@@#ca-key-file root.pem]]>
+@@#ca-key-file cakey.pem]]>
@@ -4143,7 +4152,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
- Examples:
+ Example:
ca-password blafasel
@@ -4164,7 +4173,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
Specifies:
- Directory to safe generated keys and certificates.
+ Directory to save generated keys and certificates.
@@ -4206,13 +4215,26 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
and the ca-cert-key.
- The permissions should only let &my-app; and the &my-app;
+ The permissions should only let &my-app; and the &my-app;
admin access the directory.
+
+
+ &my-app; currently does not garbage-collect obsolete keys
+ and certificates and does not keep track of how may keys
+ and certificates exist.
+
+
+ &my-app; admins should monitor the size of the directory
+ and/or make sure there is sufficient space available.
+ A cron job to limit the number of keys and certificates
+ to a certain number may be worth considering.
+
+
- Examples:
+ Example:
certificate-directory /usr/local/var/privoxy/certs
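Review bot: `does not keep track of how may keys` should be `how many keys`. The unchanged context line refers to `the ca-cert-key`, while the directive documented earlier in this patch is named `ca-key-file`; use the directive's actual name so the cross-reference resolves. The cron-job advice is sound; it would help to add that the directory holds the private keys of the generated certificates, which is why the preceding paragraph restricts access to &my-app; and the admin, and that a cleanup job must therefore run with the same restricted permissions.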
@@ -4227,6 +4249,131 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
+cipher-list
+
+
+ Specifies:
+
+
+ A list of ciphers to use in TLS handshakes
+
+
+
+
+ Type of value:
+
+
+ Text
+
+
+
+
+ Default value:
+
+ None
+
+
+
+ Effect if unset:
+
+
+ A default value is inherited from the TLS library.
+
+
+
+
+ Notes:
+
+
+ This directive allows to specify a non-default list of ciphers to use
+ in TLS handshakes with clients and servers.
+
+
+ Ciphers are separated by colons. Which ciphers are supported
+ depends on the TLS library. When using OpenSSL, unsupported ciphers
+ are skipped. When using MbedTLS they are rejected.
+
+
+
+ Specifying an unusual cipher list makes fingerprinting easier.
+ Note that the default list provided by the TLS library may
+ be unusual when compared to the one used by modern browsers
+ as well.
+
+
+
+
+
+ Examples:
+
+
+ # Explicitly set a couple of ciphers with names used by MbedTLS
+ cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+
+
+ # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+
+
+ # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+ cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+
+
+
+
+
+
+
+
+
+
trusted-cas-file
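Review bot: the first example is broken: `cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\` repeats the directive name, so copying it into a config would yield a cipher list whose first entry is the literal string `cipher-list`; drop the duplicate. Further points: `This directive allows to specify` should be `allows specifying` or `makes it possible to specify`; `Default value: None` sits awkwardly next to `Effect if unset: A default value is inherited from the TLS library`, so say `None (the TLS library's default is used)`; the OpenSSL example lists `ECDHE-RSA-AES256-GCM-SHA384` twice and ends with `AES128-SHA`, a plain RSA key-exchange CBC suite without forward secrecy that sits oddly in an otherwise GCM-only list, so either remove it or explain in the comment why it is there; and since the notes say OpenSSL skips unsupported ciphers while MbedTLS rejects them, state what "rejected" means for the admin in practice (does the directive fail to load, or do handshakes fail?) and recommend testing a new list with `debug` logging enabled before relying on it.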
@@ -4268,12 +4415,14 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t
An example file can be downloaded from
- https://curl.haxx.se/ca/cacert.pem.
+ https://curl.se/ca/cacert.pem.
+ If you want to create the file yourself, please see:
+ https://curl.se/docs/caextract.html.
- Examples:
+ Example:
trusted-cas-file trusted_cas_file.pem