X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fsource%2Fp-config.sgml;h=e9e8310f94d0e7cd9bc7b854a4901cdd39ea0ba5;hp=877cbdf0548c0c1ffd3d6a963510e1cf77e9b649;hb=53704ce1e734b0cbcf86ee262c8e38c0c3b2651c;hpb=f81cc485c64f26bbb699e948c655bd036f8d103c diff --git a/doc/source/p-config.sgml b/doc/source/p-config.sgml index 877cbdf0..e9e8310f 100644 --- a/doc/source/p-config.sgml +++ b/doc/source/p-config.sgml @@ -3,7 +3,7 @@ Purpose : Used with other docs and files only. - Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/ + Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/ See LICENSE. ======================================================================== @@ -90,7 +90,7 @@ Sample Configuration File for Privoxy &p-version; -Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/ +Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/ @@ -107,7 +107,7 @@ Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/ 4. ACCESS CONTROL AND SECURITY # 5. FORWARDING # 6. MISCELLANEOUS # - 7. TLS # + 7. HTTPS INSPECTION (EXPERIMENTAL) # 8. WINDOWS GUI OPTIONS # # ################################################################## @@ -1016,7 +1016,7 @@ actionsfile The available debug levels are: - debug 1 # Log the destination for each request &my-app; let through. See also debug 1024. + debug 1 # Log the destination for each request. See also debug 1024. debug 2 # show each connection status debug 4 # show I/O status debug 8 # show header parsing @@ -1630,7 +1630,7 @@ actionsfile - Examples: + Example: enforce-blocks 1 @@ -1677,7 +1677,7 @@ ACLs: permit-access and deny-access If your system implements RFC 3493, then src_addr and dst_addr can be IPv6 addresses delimeted by + class="parameter">dst_addr can be IPv6 addresses delimited by brackets, port can be a number or a service name, and src_masklen and 
@@ -2508,7 +2508,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: forwarded-connect-retries 1 @@ -2585,7 +2585,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: accept-intercepted-requests 1 @@ -2643,7 +2643,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: allow-cgi-request-crunching 1 @@ -2710,7 +2710,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: split-large-forms 1 @@ -2793,7 +2793,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: keep-alive-timeout 300 @@ -2862,7 +2862,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: tolerate-pipelining 1 @@ -2943,7 +2943,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: default-server-timeout 60 @@ -2951,7 +2951,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t -@@#default-server-timeout 60]]> +@@#default-server-timeout 5]]> @@ -3042,7 +3042,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: connection-sharing 1 @@ -3098,7 +3098,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: socket-timeout 300 @@ -3186,7 +3186,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: max-client-connections 256 
@@ -3235,13 +3235,13 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Under high load incoming connection may queue up before Privoxy - gets around to serve them. The queue length is limitted by the + gets around to serve them. The queue length is limited by the operating system. Once the queue is full, additional connections are dropped before Privoxy can accept and serve them. Increasing the queue length allows Privoxy to accept more - incomming connections that arrive roughly at the same time. + incoming connections that arrive roughly at the same time. Note that Privoxy can only request a certain queue length, @@ -3265,7 +3265,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: listen-backlog 4096 @@ -3336,7 +3336,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: enable-accept-filter 1 @@ -3739,7 +3739,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: # Increase the time to life for temporarily enabled tags to 3 minutes @@ -3811,7 +3811,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: # Allow systems that can reach Privoxy to provide the client @@ -3884,7 +3884,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: # Increase the receive buffer size @@ -3900,8 +3900,14 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - -TLS/SSL + +HTTPS Inspection (Experimental) + + + HTTPS inspection allows to filter encrypted requests. + This is only supported when Privoxy + has been built with FEATURE_HTTPS_INSPECTION. + @@ -3952,7 +3958,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: ca-directory /usr/local/etc/privoxy/CA 
@@ -4007,12 +4013,23 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t in ".crt" format. - It can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 + The file is used by &my-app; to generate website certificates + when https inspection is enabled with the + https-inspection + action. + + + &my-app; clients should import the certificate so that they + can validate the generated certificates. + + + The file can be generated with: + openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650 - Examples: + Example: ca-cert-file root.crt @@ -4070,7 +4087,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: ca-key-file cakey.pem @@ -4078,7 +4095,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t -@@#ca-key-file root.pem]]> +@@#ca-key-file cakey.pem]]> @@ -4132,7 +4149,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: ca-password blafasel @@ -4153,7 +4170,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t Specifies: - Directory to safe generated keys and certificates. + Directory to save generated keys and certificates. 
@@ -4184,16 +4201,37 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t This directive specifies the directory where generated - TLS/SSL keys and certificates are saved. + TLS/SSL keys and certificates are saved when https inspection + is enabled with the + https-inspection + action. - The permissions should only let &my-app; and the &my-app; + The keys and certificates currently have to be deleted manually + when changing the ca-cert-file + and the ca-cert-key. + + + The permissions should only let &my-app; and the &my-app; admin access the directory. + + + &my-app; currently does not garbage-collect obsolete keys + and certificates and does not keep track of how may keys + and certificates exist. + + + &my-app; admins should monitor the size of the directory + and/or make sure there is sufficient space available. + A cron job to limit the number of keys and certificates + to a certain number may be worth considering. + + - Examples: + Example: certificate-directory /usr/local/var/privoxy/certs 
@@ -4208,6 +4246,131 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t +cipher-list + + + Specifies: + + + A list of ciphers to use in TLS handshakes + + + + + Type of value: + + + Text + + + + + Default value: + + None + + + + Effect if unset: + + + A default value is inherited from the TLS library. + + + + + Notes: + + + This directive allows to specify a non-default list of ciphers to use + in TLS handshakes with clients and servers. + + + Ciphers are separated by colons. Which ciphers are supported + depends on the TLS library. When using OpenSSL, unsupported ciphers + are skipped. When using MbedTLS they are rejected. + + + + Specifying an unusual cipher list makes fingerprinting easier. + Note that the default list provided by the TLS library may + be unusual when compared to the one used by modern browsers + as well. + + + + + + Examples: + + + # Explicitly set a couple of ciphers with names used by MbedTLS + cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\ +TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\ +TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\ +TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\ +TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\ +TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\ +TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-DHE-RSA-WITH-AES-256-CCM:\ +TLS-DHE-RSA-WITH-AES-256-CCM-8:\ +TLS-DHE-RSA-WITH-AES-128-CCM:\ +TLS-DHE-RSA-WITH-AES-128-CCM-8:\ +TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\ 
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\ +TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\ +TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\ +TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\ +TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384 + + + # Explicitly set a couple of ciphers with names used by OpenSSL +cipher-list ECDHE-RSA-AES256-GCM-SHA384:\ +ECDHE-ECDSA-AES256-GCM-SHA384:\ +DH-DSS-AES256-GCM-SHA384:\ +DHE-DSS-AES256-GCM-SHA384:\ +DH-RSA-AES256-GCM-SHA384:\ +DHE-RSA-AES256-GCM-SHA384:\ +ECDH-RSA-AES256-GCM-SHA384:\ +ECDH-ECDSA-AES256-GCM-SHA384:\ +ECDHE-RSA-AES128-GCM-SHA256:\ +ECDHE-ECDSA-AES128-GCM-SHA256:\ +DH-DSS-AES128-GCM-SHA256:\ +DHE-DSS-AES128-GCM-SHA256:\ +DH-RSA-AES128-GCM-SHA256:\ +DHE-RSA-AES128-GCM-SHA256:\ +ECDH-RSA-AES128-GCM-SHA256:\ +ECDH-ECDSA-AES128-GCM-SHA256:\ +ECDHE-RSA-AES256-GCM-SHA384:\ +AES128-SHA + + + # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS) + cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH + + + + + + + + + + trusted-cas-file @@ -4245,7 +4408,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t This directive specifies the trusted CAs file that is used when validating - certificates for intercepted TLS/SSL request. + certificates for intercepted TLS/SSL requests. An example file can be downloaded from @@ -4254,7 +4417,7 @@ forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t - Examples: + Example: trusted-cas-file trusted_cas_file.pem
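Review bot: the sample configuration in the @@ -2951 hunk now shows `#default-server-timeout 5`, while the Example in the preceding @@ -2943 hunk still reads `default-server-timeout 60`; the commented-out sample-config entry normally mirrors the built-in default, so if 5 is the real default the prose around the Example should say so, and otherwise the two values should be aligned.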
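Review bot: grammar in the new introductory paragraph of the @@ -3900 hunk: "HTTPS inspection allows to filter encrypted requests" should read "HTTPS inspection allows filtering of encrypted requests". This paragraph is also the natural place to state up front that the feature only works for clients that have imported the CA certificate configured with ca-cert-file (the @@ -4007 hunk says so further down), since that trust relationship is both what makes inspection work and the main thing an admin has to protect.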
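Review bot: the Example line `ca-cert-file root.crt` in the @@ -4007 hunk no longer matches the generation command added in the same hunk, which writes `-out cacert.crt`; the ca-key-file side was aligned to `cakey.pem` in the @@ -4078 hunk, so the certificate example should become `ca-cert-file cacert.crt` for consistency. The text could also mention that `openssl req ... -keyout cakey.pem` prompts for a passphrase and encrypts the key unless `-nodes` is given, and that this passphrase is what the ca-password directive documented below has to contain.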
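Review bot: the new paragraph in the @@ -4184 hunk refers to "the ca-cert-key", but the directive is named ca-key-file (see the @@ -4070 and @@ -4078 hunks); the reference should use the real name so admins are not sent looking for a directive that does not exist. "how may keys" should read "how many keys". Since the paragraph says stale keys and certificates must be deleted by hand after the CA changes, it would help to spell out why: certificates left over from the old CA fail validation in clients that only trust the new one, which is exactly the kind of silent breakage that is hard to diagnose.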
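Review bot: the first example in the @@ -4208 hunk repeats the directive keyword (`cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\`), so copying it verbatim hands the literal string `cipher-list` to the TLS library as the first cipher name, which according to the Notes in the same hunk MbedTLS rejects outright; drop the duplicate. In the OpenSSL example, `ECDHE-RSA-AES256-GCM-SHA384` appears twice and the list ends with `AES128-SHA`, a non-forward-secret CBC suite that undercuts an otherwise GCM-only list; as the directive applies to handshakes with servers as well as clients, that entry should either be removed or its presence explained. Minor: "This directive allows to specify" should read "This directive allows specifying".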