X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fsource%2Fuser-manual.sgml;h=a1b86b1820c09e365c843fbb12af9b764465657a;hp=d9ee3ea0eccbd1238759b5a1ad91f95e9cda6095;hb=HEAD;hpb=8875cc0bd68dd60dfc150adf6d147eec216789ec diff --git a/doc/source/user-manual.sgml b/doc/source/user-manual.sgml index d9ee3ea0..a1b86b18 100644 --- a/doc/source/user-manual.sgml +++ b/doc/source/user-manual.sgml @@ -10,10 +10,11 @@ + - + @@ -34,7 +35,7 @@ Purpose : user manual - Copyright (C) 2001-2020 Privoxy Developers https://www.privoxy.org/ + Copyright (C) 2001-2023 Privoxy Developers https://www.privoxy.org/ See LICENSE. ======================================================================== @@ -53,7 +54,7 @@ - Copyright &my-copy; 2001-2020 by + Copyright &my-copy; 2001-2023 by Privoxy Developers @@ -132,7 +133,7 @@ Hal. In addition to the core features of ad blocking and - cookie management, + cookie management, Privoxy provides many supplemental features, that give the end-user more control, more privacy and more freedom: @@ -226,31 +227,6 @@ How to install the binary packages depends on your operating system: - -OS/2 - - - First, make sure that no previous installations of - Junkbuster and / or - Privoxy are left on your - system. Check that no Junkbuster - or Privoxy objects are in - your startup folder. - - - - Then, just double-click the WarpIN self-installing archive, which will - guide you through the installation process. A shadow of the - Privoxy executable will be placed in your - startup folder so it will start automatically whenever OS/2 starts. - - - - The directory you choose to install Privoxy - into will contain all of the configuration files. - - - Mac OS X 
@@ -326,12 +302,16 @@ How to install the binary packages depends on your operating system: -FreeBSD +FreeBSD and ElectroBSD Privoxy is part of FreeBSD's Ports Collection, you can build and install it with cd /usr/ports/www/privoxy; make install clean. + + If your system is configured to install binary packages you can + try to install &my-app; with pkg install privoxy. + @@ -366,42 +346,42 @@ How to install the binary packages depends on your operating system: Run the setup program and from View / Category select: - Devel - autoconf 2.5 - automake 1.15 - binutils - cmake - gcc-core - gcc-g++ - git - make - mingw64-i686-gcc-core - mingw64-i686-zlib - Editors - vim - Libs - libxslt: GNOME XSLT library (runtime) - Net - curl - openssh - Text - docbook-dssl - docbook-sgml31 - docbook-utils - openjade - Utils - gnupg - Web - w3m +Devel + autoconf 2.5 + automake 1.15 + binutils + cmake + gcc-core + gcc-g++ + git + make + mingw64-i686-gcc-core + mingw64-i686-zlib +Editors + vim +Libs + libxslt: GNOME XSLT library (runtime) +Net + curl + openssh +Text + docbook-dssl + docbook-sgml31 + docbook-utils + openjade +Utils + gnupg +Web + w3m If you haven't already downloaded the Privoxy source code, get it now: - mkdir <root-dir> - cd <root-dir> - git clone https://www.privoxy.org/git/privoxy.git +mkdir <root-dir> +cd <root-dir> +git clone https://www.privoxy.org/git/privoxy.git @@ -411,10 +391,10 @@ How to install the binary packages depends on your operating system: unzip into <root-dir> and build the software: - cd <root-dir> - cd tidy-html5-x.y.z/build/cmake - cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local - make && make install +cd <root-dir> +cd tidy-html5-x.y.z/build/cmake +cmake ../.. -DCMAKE_BUILD_TYPE=Release -DBUILD_SHARED_LIB:BOOL=OFF -DCMAKE_INSTALL_PREFIX=/usr/local +make && make install 
@@ -422,13 +402,92 @@ How to install the binary packages depends on your operating system: https://sourceforge.net/projects/nsis/files/NSIS%203/ - and extract the NSIS directory to privoxy/windows. - Then edit the windows/GNUmakefile to set the location of the NSIS executable - eg: + and extract the NSIS directory to /<root-dir>/nsis/. + Then edit the windows/GNUmakefile to set the location + of the NSIS executable - eg: # Path to NSIS -MAKENSIS = ./nsis/makensis.exe +MAKENSIS = /<root-dir>/nsis/makensis.exe + + + + Get the latest 8.x PCRE code from + PCRE + https://sourceforge.net/projects/pcre/files/pcre/ + and build the static PCRE libraries with + + +export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" +export LDFLAGS="-fstack-protector-strong" +export CPPFLAGS="-DPCRE_STATIC" + +./configure --host=i686-w64-mingw32 \ + --prefix=/usr/local/i686-w64-mingw32 \ + --enable-utf --enable-unicode-properties \ + --enable-jit \ + --enable-newline-is-anycrlf \ + --enable-pcre16 \ + --enable-pcre32 \ + --disable-pcregrep-libbz2 \ + --disable-pcregrep-libz \ + --disable-pcretest-libreadline \ + --disable-stack-for-recursion \ + --enable-static --disable-shared \ + && make + + + + + If you want to be able to have Privoxy do TLS Inspection, get the latest + 2.28.x MBED-TLS library source code from + + https://github.com/Mbed-TLS/mbedtls/tags, + extract the tar file into <root-dir> + and build the static libraries with + +export WINDOWS_BUILD=1 +# build for a Windows platform + +unset DEBUG + +export CC=i686-w64-mingw32-gcc +export LD=i686-w64-mingw32-gcc +export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" +export LDFLAGS="${LDFLAGS} -fstack-protector-strong" + +make lib +# build the libraries + + + + + + Get the brotli library from + + https://github.com/google/brotli/releases + and build the static libraries with + +./bootstrap +# to create the GNU autotools files + +autoconf + +export CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" 
+export LDFLAGS="${LDFLAGS} -fstack-protector-strong" + +./configure --host=i686-w64-mingw32 \ + --prefix=/usr/local/i686-w64-mingw32 \ + --enable-static \ + --disable-shared \ + --with-gnu-ld \ + --disable-silent-rules \ + && make + + + + @@ -438,8 +497,8 @@ MAKENSIS = ./nsis/makensis.exe To build just the Privoxy executable and not the whole installation package, do: - cd <root-dir>/privoxy - ./windows/MYconfigure && make +cd <root-dir>/privoxy +./windows/MYconfigure && make @@ -447,10 +506,10 @@ MAKENSIS = ./nsis/makensis.exe for building software, so the process is: - $ autoheader # creates config.h.in - $ autoconf # uses config.h.in to create the configure shell script - $ ./configure [options] # creates GNUmakefile - $ make [options] # builds the program +autoheader # creates config.h.in +autoconf # uses config.h.in to create the configure shell script +./configure [options] # creates GNUmakefile +make [options] # builds the program @@ -463,7 +522,8 @@ MAKENSIS = ./nsis/makensis.exe --enable-zlib --enable-static-linking --disable-pthread - --disable-dynamic-pcre + --with-brotli + --with-mbedtls @@ -472,11 +532,11 @@ MAKENSIS = ./nsis/makensis.exe - $ export CFLAGS="-O2" # set gcc optimization level - $ export LDFLAGS="-Wl,--nxcompat" # Enable DEP - $ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \ - > --enable-static-linking --disable-pthread --disable-dynamic-pcre - $ make # build Privoxy +$ export CFLAGS="-O2" # set gcc optimization level +$ export LDFLAGS="-Wl,--nxcompat" # Enable DEP +$ ./configure --host=i686-w64-mingw32 --enable-mingw32 --enable-zlib \ +> --enable-static-linking --disable-pthread +$ make # build Privoxy 
@@ -616,8 +676,9 @@ MAKENSIS = ./nsis/makensis.exe use, filtering, you will need to force compression off. Example: - { +filter{google} +prevent-compression } - .google. +{ +filter{google} +prevent-compression } +.google. + Or if you use a number of filters, or filter many sites, you may just want to turn off compression for all sites in @@ -683,7 +744,7 @@ MAKENSIS = ./nsis/makensis.exe Set your browser to use Privoxy as HTTP and - HTTPS (SSL) proxy + HTTPS (SSL) proxy by setting the proxy configuration for address of 127.0.0.1 and port 8118. DO NOT activate proxying for FTP or @@ -696,7 +757,7 @@ MAKENSIS = ./nsis/makensis.exe Flush your browser's disk and memory caches, to remove any cached ad images. If using Privoxy to manage - cookies, + cookies, you should remove any currently stored cookies too. @@ -1049,7 +1110,7 @@ MAKENSIS = ./nsis/makensis.exe Before launching Privoxy for the first time, you will want to configure your browser(s) to use Privoxy as a HTTP and HTTPS (SSL) - proxy. The default is + proxy. The default is 127.0.0.1 (or localhost) for the proxy address, and port 8118 (earlier versions used port 8000). This is the one configuration step that must be done ! @@ -1061,13 +1122,13 @@ MAKENSIS = ./nsis/makensis.exe
Proxy Configuration Showing - Mozilla/Netscape HTTP and HTTPS (SSL) Settings + Mozilla Firefox HTTP and HTTPS (SSL) Settings - [ Screenshot of Mozilla Proxy Configuration ] + [ Screenshot of Mozilla Firefox Proxy Configuration ]
@@ -1078,7 +1139,7 @@ MAKENSIS = ./nsis/makensis.exe
- Tools -> Options -> Advanced -> Network ->Connection -> Settings + Edit -> Preferences -> Network Settings -> Settings @@ -1135,7 +1196,7 @@ MAKENSIS = ./nsis/makensis.exe After doing this, flush your browser's disk and memory caches to force a re-reading of all pages and to get rid of any ads that may be cached. Remove - any cookies, + any cookies, if you want Privoxy to manage that. You are now ready to start enjoying the benefits of using Privoxy! @@ -1158,7 +1219,7 @@ MAKENSIS = ./nsis/makensis.exe file. - # /etc/init.d/privoxy start +# /etc/init.d/privoxy start @@ -1179,7 +1240,7 @@ MAKENSIS = ./nsis/makensis.exe To start Privoxy manually, run: - # service privoxy onestart +# service privoxy onestart @@ -1207,7 +1268,7 @@ Click on the &my-app; Icon to start Privoxy. If no co Example Unix startup command:
- # /usr/sbin/privoxy --user privoxy /etc/privoxy/config +# /usr/sbin/privoxy --user privoxy /etc/privoxy/config Note that if you installed Privoxy through @@ -1217,16 +1278,6 @@ Example Unix startup command: - -OS/2 - - During installation, Privoxy is configured to - start automatically when the system restarts. You can start it manually by - double-clicking on the Privoxy icon in the - Privoxy folder. - - - Mac OS X @@ -1517,7 +1568,7 @@ for details.         ▪  View & change the current configuration -         ▪  View or toggle the tags that can be set based on the clients address +         ▪  View or toggle the tags that can be set based on the client's address         ▪  View the request headers. @@ -1576,7 +1627,7 @@ for details. Configuration Files Overview For Unix, *BSD and GNU/Linux, all configuration files are located in - /etc/privoxy/ by default. For MS Windows and OS/2 + /etc/privoxy/ by default. For MS Windows these are all in the same directory as the Privoxy executable. The main configuration file is named config - on GNU/Linux, Unix, BSD, and OS/2, and config.txt + on GNU/Linux, Unix, BSD, and config.txt on Windows. This is a required file. @@ -1793,7 +1844,7 @@ for details. The default profiles, and their associated actions, as pre-defined in default.action are: - Default Configurations +
Default Configurations @@ -2036,12 +2087,13 @@ for details. might look like: - - { +handle-as-image +block{Banner ads.} } - # Block these as if they were images. Send no block page. - banners.example.com - media.example.com/.*banners - .example.com/images/ads/ + +{ +handle-as-image +block{Banner ads.} } +# Block these as if they were images. Send no block page. +banners.example.com +media.example.com/.*banners +.example.com/images/ads/ + You can trace this process for URL patterns and any given URL by visiting Regular + Regular Expressions (POSIX 1003.2). @@ -2241,7 +2293,7 @@ for details. themselves. These work similarly to shell globbing type wild-cards: * represents zero or more arbitrary characters (this is equivalent to the - Regular + Regular Expression based syntax of .*), ? represents any single character (this is equivalent to the regular expression syntax of a simple .), and you can define @@ -2293,6 +2345,12 @@ for details. While flexible, this is not the sophistication of full regular expression based syntax. + + When compiled with FEATURE_PCRE_HOST_PATTERNS patterns can be prefixed with + PCRE-HOST-PATTERN: in which case full regular expression + (PCRE) can be used for the host pattern as well. + + @@ -2303,7 +2361,7 @@ for details. Privoxy uses modern POSIX 1003.2 - Regular + Regular Expressions for matching the path portion (after the slash), and is thus more flexible. @@ -2482,12 +2540,6 @@ for details. - - - This is an experimental feature. The syntax is likely to change in future versions. - - - Client tag patterns are not set based on HTTP headers but based on the client's IP address. Users can enable them themselves, but the @@ -2573,8 +2625,9 @@ example.org/blocked-example-page disabled. Syntax: - +name # enable action name - -name # disable action name ++name # enable action name +-name # disable action name + Example: +handle-as-image 
@@ -2586,10 +2639,11 @@ example.org/blocked-example-page Parameterized, where some value is required in order to enable this type of action. Syntax: - - +name{param} # enable action and set parameter to param, - # overwriting parameter from previous match if necessary - -name # disable action. The parameter can be omitted + ++name{param} # enable action and set parameter to param, + # overwriting parameter from previous match if necessary +-name # disable action. The parameter can be omitted + Note that if the URL matches multiple positive forms of a parameterized action, the last match wins, i.e. the params from earlier matches are simply ignored. @@ -2608,11 +2662,12 @@ example.org/blocked-example-page that can be executed for the same request repeatedly, like adding multiple headers, or filtering through multiple filters. Syntax: - - +name{param} # enable action and add param to the list of parameters - -name{param} # remove the parameter param from the list of parameters - # If it was the last one left, disable the action. - -name # disable this action completely and remove all parameters from the list + ++name{param} # enable action and add param to the list of parameters +-name{param} # remove the parameter param from the list of parameters + # If it was the last one left, disable the action. +-name # disable this action completely and remove all parameters from the list + Examples: +add-header{X-Fun-Header: Some text} and +filter{html-annoyances} 
@@ -2812,18 +2867,20 @@ example.org/blocked-example-page Example usage (section): - {+block{No nasty stuff for you.}} + +{+block{No nasty stuff for you.}} # Block and replace with "blocked" page - .nasty-stuff.example.com +.nasty-stuff.example.com {+block{Doubleclick banners.} +handle-as-image} # Block and replace with image - .ad.doubleclick.net - .ads.r.us/banners/ +.ad.doubleclick.net +.ads.r.us/banners/ {+block{Layered ads.} +handle-as-empty-document} # Block and then ignore - adserver.example.net/.*\.js$ +adserver.example.net/.*\.js$ + @@ -2960,6 +3017,21 @@ example.org/blocked-example-page one. This can be used to rewrite the request destination behind the client's back, for example to specify a Tor exit relay for certain requests. + + Note that to change the destination host for + https-inspected + requests a protocol and host has to be added to the URI. + + + If https inspection + is enabled, the protocol can be downgraded from https to http + but upgrading a request from http to https is currently not + supported. + + + After detecting a rewrite, &my-app; does not update the actions + used for the request based on the new host. + Please refer to the filter file chapter to learn which client-header filters are available by default, and how to 
@@ -2983,6 +3055,162 @@ example.org/blocked-example-page + + +client-body-filter + + + + Typical use: + + + Rewrite or remove client request body. + + + + + + Effect: + + + All request bodies to which this action applies are filtered on-the-fly through + the specified regular expression based substitutions. + + + + + + Type: + + + Multi-value. + + + + + Parameter: + + + The name of a client-body filter, as defined in one of the + filter files. + + + + + + Notes: + + + Please refer to the filter file chapter + to learn how to create your own client-body filters. + + + The distribution default.filter file contains a selection of + client-body filters for example purposes. + + + The amount of data that can be filtered is limited by the + buffer-limit + option in the main config file. The + default is 4096 KB (4 Megs). Once this limit is exceeded, the whole + request body is passed through unfiltered. + + + + + + Example usage (section): + + +# Remove "test" everywhere in the request body +{+client-body-filter{remove-test}} +/ + + + + + + + + + + +client-body-tagger + + + + Typical use: + + + Block requests based on the content of the body data. + + + + + + Effect: + + + Client request bodies to which this action applies are filtered on-the-fly through + the specified regular expression based substitutions, the result is used as tag. + + + + + + Type: + + + Multi-value. + + + + + Parameter: + + + The name of a client-body tagger, as defined in one of the + filter files. + + + + + + Notes: + + + Please refer to the filter file chapter + to learn how to create your own client-body tagger. + + + Client-body taggers are applied to each request body on its own, + and as the body isn't modified, each tagger "sees" the original. + + + Chunk-encoded request bodies currently can't be tagged. + Request bodies larger than the buffer-limit can't be tagged either. + + + + + + Example usage (section): + + +# Apply blafasel tagger. 
+{+client-body-tagger{blafasel}} +/ + +# Block request based on the tag created by the blafasel tagger. +{+block{Request body contains blafasel}} +TAG:^content contains blafasel$ + + + + + + + @@ -3875,6 +4103,12 @@ problem-host.example.com linkend="external-filter-syntax">syntax may change in the future. + + If you want to apply external filters to images or other content + that isn't text-based, enable the + force-text-mode + action as well. + @@ -3998,11 +4232,12 @@ problem-host.example.com Example usage: - { +fast-redirects{simple-check} } - one.example.com +{ +fast-redirects{simple-check} } +one.example.com - { +fast-redirects{check-decoded-url} } - another.example.com/testing +{ +fast-redirects{check-decoded-url} } +another.example.com/testing + @@ -4082,15 +4317,15 @@ problem-host.example.com Rolling your own filters requires a knowledge of - Regular + Regular Expressions and - HTML. + HTML. This is very powerful feature, and potentially very intrusive. Filters should be used with caution, and where an equivalent action is not available. - The amount of data that can be filtered is limited to the + The amount of data that can be filtered is limited by the buffer-limit option in the main config file. The default is 4096 KB (4 Megs). Once this limit is exceeded, the buffered @@ -4234,10 +4469,22 @@ problem-host.example.com +filter{no-ping} # Removes non-standard ping attributes in <a> and <area> tags. + + + + +filter{bundeswehr.de} # Hide the cookie and privacy info banner on bundeswehr.de. + + + + +filter{github} # Removes the annoying "Sign-Up" banner and the Cookie disclaimer. +filter{google} # CSS-based block for Google text ads. Also removes a width limitation and the toolbar advertisement. + + + + +filter{imdb} # Removes some ads on IMDb. 
@@ -4250,6 +4497,10 @@ problem-host.example.com +filter{blogspot} # Cleans up some Blogspot blogs. Read the fine print before using this. + + + + +filter{sourceforge} # Reduces the amount of ads for proprietary software on SourceForge. @@ -4796,11 +5047,14 @@ new action Example usage: - # Disarm the download link in Sourceforge's patch tracker + +# Disarm the download link in Sourceforge's patch tracker { -filter \ - +content-type-overwrite{text/plain}\ - +hide-content-disposition{block} } - .sourceforge.net/tracker/download\.php + +content-type-overwrite{text/plain} \ + +hide-content-disposition{block} \ +} +.sourceforge.net/tracker/download\.php + @@ -5132,7 +5386,7 @@ new action More information on known user-agent strings can be found at http://www.user-agents.org/ and - http://en.wikipedia.org/wiki/User_agent. + http://en.wikipedia.org/wiki/User_agent. @@ -5140,7 +5394,7 @@ new action Example usage: - +hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)} + +hide-user-agent{Mozilla/5.0 (X11; ElectroBSD i386; rv:78.0) Gecko/20100101 Firefox/78.0} @@ -5190,12 +5444,12 @@ new action This action allows &my-app; to filter encrypted requests and responses. - For this to work &my-app; has to generate a certificate and send it - to the client which has to accept it. + For this to work &my-app; has to generate a certificate for the web site + and send it to the client which has to accept it. Before this works the directives in the - TLS section + HTTPS inspection section of the config file have to be configured. 
@@ -5267,11 +5521,14 @@ www.example.com certificate. - If the certificate is invalid the connection is aborted. + If the certificate can't be validated by &my-app; the connection is aborted. + + + This action disables the certificate check so requests to sites + with certificates that can't be validated are allowed. - This action disabled the certificate check allowing requests to sites - with invalid certificates. + Note that enabling this action allows Man-in-the-middle attacks. @@ -5282,7 +5539,7 @@ www.example.com {+ignore-certificate-errors} www.example.org - + @@ -5539,19 +5796,20 @@ www.example.com # { +filter{tiny-textforms} +prevent-compression } # Match only these sites - .google. - sourceforge.net - sf.net +.google. +sourceforge.net +sf.net # Or instead, we could set a universal default: # { +prevent-compression } - / # Match all sites +/ # Match all sites # Then maybe make exceptions for broken sites: # { -prevent-compression } -.compusa.com/ +.compusa.com/ + @@ -5643,11 +5901,14 @@ new action Example usage: - # Let the browser revalidate without being tracked across sessions + +# Let the browser revalidate without being tracked across sessions { +hide-if-modified-since{-60} \ - +overwrite-last-modified{randomize} \ - +crunch-if-none-match} -/ + +overwrite-last-modified{randomize} \ + +crunch-if-none-match \ +} +/ + @@ -5738,14 +5999,15 @@ new action Example usages: - # Replace example.com's style sheet with another one + +# Replace example.com's style sheet with another one { +redirect{http://localhost/css-replacements/example.com.css} } - example.com/stylesheet\.css +example.com/stylesheet\.css # Create a short, easy to remember nickname for a favorite site # (relies on the browser to accept and forward invalid URLs to &my-app;) { +redirect{https://www.privoxy.org/user-manual/actions-file.html} } - a +a # Always use the expanded view for Undeadly.org articles # (Note the $ at the end of the URL pattern to make sure 
@@ -5774,6 +6036,10 @@ example.com/.*toChange=(?!bar) # Redirect Destination = https://www.illumos.org/issues/4974 i[0-9][0-9][0-9][0-9]*/ +# Redirect requests for the old Tor Hidden Service of the Privoxy website to the new one +{+redirect{s@^http://jvauzb4sb3bwlsnc.onion/@http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/@}} +jvauzb4sb3bwlsnc.onion/ + # Redirect remote requests for this manual # to the local version delivered by Privoxy {+redirect{s@^http://www@http://config@}} @@ -5955,16 +6221,15 @@ TAG:^image/ - -session-cookies-only + +suppress-tag Typical use: - Allow only temporary session cookies (for the current - browser session only). + Suppress client or server tag. @@ -5973,18 +6238,17 @@ TAG:^image/ Effect: - Deletes the expires field from Set-Cookie: - server headers. Most browsers will not store such cookies permanently and - forget them in between sessions. + Server or client tags to which this action applies are not added to the request, + thus making all actions that are specific to these request tags inactive. - + Type: - + - Boolean. + Multi-value. 
@@ -5992,21 +6256,80 @@ TAG:^image/ Parameter: - N/A + The result tag of a server-header or client-header tagger, as defined in one of the + filter files. - Notes: + Example usage (section): + + +# Suppress tag produced by range-requests client-header tagger for requests coming from address 10.0.0.1 +{+suppress-tag{RANGE-REQUEST}} +TAG:^IP-ADDRESS: 10\.0\.0\.1$ + + + + + + + + + + +session-cookies-only + + + + Typical use: - This is less strict than crunch-incoming-cookies / - crunch-outgoing-cookies and allows you to browse - websites that insist or rely on setting cookies, without compromising your privacy too badly. + Allow only temporary session cookies (for the current + browser session only). - - Most browsers will not permanently store cookies that have been processed by + + + + + Effect: + + + Deletes the expires field from Set-Cookie: + server headers. Most browsers will not store such cookies permanently and + forget them in between sessions. + + + + + + Type: + + + Boolean. + + + + + Parameter: + + + N/A + + + + + + Notes: + + + This is less strict than crunch-incoming-cookies / + crunch-outgoing-cookies and allows you to browse + websites that insist or rely on setting cookies, without compromising your privacy too badly. + + + Most browsers will not permanently store cookies that have been processed by session-cookies-only and will forget about them between sessions. This makes profiling cookies useless, but won't break sites which require cookies so that you can log in for transactions. This is generally turned on for all 
@@ -6215,32 +6538,33 @@ TAG:^image/ - # Useful custom aliases we can use later. - # - # Note the (required!) section header line and that this section - # must be at the top of the actions file! - # - {{alias}} +# Useful custom aliases we can use later. +# +# Note the (required!) section header line and that this section +# must be at the top of the actions file! +# +{{alias}} - # These aliases just save typing later: - # (Note that some already use other aliases!) - # - +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies - -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies - +block-as-image = +block{Blocked image.} +handle-as-image - allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} +# These aliases just save typing later: +# (Note that some already use other aliases!) +# ++crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies +-crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies ++block-as-image = +block{Blocked image.} +handle-as-image +allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} - # These aliases define combinations of actions - # that are useful for certain types of sites: - # - fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -prevent-compression +# These aliases define combinations of actions +# that are useful for certain types of sites: +# +fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -prevent-compression - shop = -crunch-all-cookies -filter{all-popups} +shop = -crunch-all-cookies -filter{all-popups} - # Short names for other aliases, for really lazy people ;-) - # - c0 = +crunch-all-cookies - c1 = -crunch-all-cookies +# Short names for other aliases, for really lazy people ;-) +# +c0 = +crunch-all-cookies +c1 = -crunch-all-cookies + ...and put them to use. These sections would appear in the lower part of an 
@@ -6249,28 +6573,29 @@ TAG:^image/ - # These sites are either very complex or very keen on - # user data and require minimal interference to work: - # - {fragile} - .office.microsoft.com - .windowsupdate.microsoft.com - # Gmail is really mail.google.com, not gmail.com - mail.google.com - - # Shopping sites: - # Allow cookies (for setting and retrieving your customer data) - # - {shop} - .quietpc.com - .worldpay.com # for quietpc.com - mybank.example.com +# These sites are either very complex or very keen on +# user data and require minimal interference to work: +# +{fragile} +.office.microsoft.com +.windowsupdate.microsoft.com +# Gmail is really mail.google.com, not gmail.com +mail.google.com - # These shops require pop-ups: - # - {-filter{all-popups} -filter{unsolicited-popups}} - .dabs.com - .overclockers.co.uk +# Shopping sites: +# Allow cookies (for setting and retrieving your customer data) +# +{shop} +.quietpc.com +.worldpay.com # for quietpc.com +mybank.example.com + +# These shops require pop-ups: +# +{-filter{all-popups} -filter{unsolicited-popups}} +.dabs.com +.overclockers.co.uk + Aliases like shop and fragile are typically used for @@ -6379,7 +6704,7 @@ for-privoxy-version=3.0.11 # +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies - +block-as-image = +block{Blocked image.} +handle-as-image + +block-as-image = +block{Blocked image.} +handle-as-image mercy-for-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} # These aliases define combinations of actions @@ -6679,10 +7004,11 @@ handle-as-text = -filter +-filter +-filter } - .your-home-banking-site.com +.your-home-banking-site.com + Some file types you may not want to filter for various reasons: 
@@ -6721,8 +7048,9 @@ stupid-server.example.com/ { +block{Nasty ads.} } - www.example.com/nasty-ads/sponsor\.gif - another.example.net/more/junk/here/ +www.example.com/nasty-ads/sponsor\.gif +another.example.net/more/junk/here/ + The URLs of dynamically generated banners, especially from large banner @@ -6738,10 +7066,11 @@ stupid-server.example.com/ { +block-as-image } - .doubleclick.net - .fastclick.net - /Realmedia/ads/ - ar.atwola.com/ +.doubleclick.net +.fastclick.net +/Realmedia/ads/ +ar.atwola.com/ + Now you noticed that the default configuration breaks Forbes Magazine, @@ -6757,9 +7086,10 @@ stupid-server.example.com/ { fragile } - .forbes.com - webmail.example.com - .mybank.com +.forbes.com +webmail.example.com +.mybank.com + You like the fun text replacements in default.filter, @@ -6770,7 +7100,8 @@ stupid-server.example.com/ { +filter{fun} } - / # For ALL sites! +/ # For ALL sites! + Note that the above is not really a good idea: There are exceptions @@ -6789,9 +7120,10 @@ stupid-server.example.com/ { allow-ads } - .sourceforge.net - .slashdot.org - .osdn.net +.sourceforge.net +.slashdot.org +.osdn.net + Note that allow-ads has been aliased to @@ -6809,7 +7141,8 @@ stupid-server.example.com/ { handle-as-text } - /.*\.sh$ +/.*\.sh$ + user.action is generally the best place to define 
@@ -6846,18 +7179,21 @@ stupid-server.example.com/ - &my-app; supports three different pcrs-based filter actions: + &my-app; supports four different pcrs-based filter actions: filter to rewrite the content that is send to the client, client-header-filter - to rewrite headers that are send by the client, and + to rewrite headers that are send by the client, server-header-filter - to rewrite headers that are send by the server. + to rewrite headers that are send by the server, and + client-body-filter + to rewrite client request body. - &my-app; also supports two tagger actions: - client-header-tagger + &my-app; also supports three tagger actions: + client-header-tagger, + client-body-tagger and server-header-tagger. Taggers and filters use the same syntax in the filter files, the difference @@ -6911,7 +7247,8 @@ stupid-server.example.com/ filter file is organized in sections, which are called filters here. Each filter consists of a heading line, that starts with one of the keywords FILTER:, - CLIENT-HEADER-FILTER: or SERVER-HEADER-FILTER: + CLIENT-HEADER-FILTER:, SERVER-HEADER-FILTER: or + CLIENT-BODY-FILTER: followed by the filter's name, and a short (one line) description of what it does. Below that line come the jobs, i.e. lines that define the actual @@ -6978,7 +7315,7 @@ stupid-server.example.com/ If you are new to - Regular + Regular Expressions, you might want to take a look at the Appendix on regular expressions, and see the Perl @@ -7390,9 +7727,9 @@ pre-defined filters for your convenience: banners-by-link - This is an experimental filter that attempts to kill any banners if - their URLs seem to point to known or suspected click trackers. It is currently - not of much value and is not recommended for use by default. + This filter attempts to kill any banners if their URLs seem to point + to known or suspected click trackers. It is currently not of much value + and is not recommended for use by default. 
@@ -7841,6 +8178,340 @@ EXTERNAL-FILTER: citation-needed Adds a "[citation needed]" tag to an image. The + + +HOWTOs + + +HTTPS-Inspection HOWTO +How TLS Certificates for websites work + + + The website owner generates a (private) TLS key and a Certificate + Signing Request (CSR). + + + The CSR is then sent to a Certification Authority (CA), which + verifies that the owner is the actual owner of the website. This can + be done by proving that the owner has technical write access to the + site or the site's DNS, or by verifying the identity of the + organization running the site using telephone and public databases. + + + If the verification is successful, the CA signs the CSR and creates a + certificate that certifies that the private TLS key actually belongs + to the website name and/or organization that owns the domain. + + + This TLS certificate is then added to the web server configuration, + and when a browser accesses the website, it verifies that the TLS + certificate presented to the browser is valid for that domain. + + + To do this, each browser has the certificates of multiple CAs in its + trust store. Only if the certificate of the CA, that signed the web + server is in the trust store, the browser will accept the + certificate, otherwise the browser will complain about a broken + certificate. + + + If this check passes, the browser sends a random number encrypted + with the server's public key to the server, and both compute a shared + secret using the Diffie-Hellman key exchange algorithm. Now server + and browser can communicate, but no one else can break that + communication because it's encrypted between them. + + + +How HTTPS inspection works + + When we try to inspect HTTPS traffic, we have to break the TLS + encryption between browser and web server without being the browser + or the web server. This is exactly what TLS tries to avoid, as it's + a man-in-the-middle-attack. 
+ + + To do this, Privoxy uses it's own (private) CA (let's call it + "Privoxy CA"), which has to be added to the trust store of every + single browser that should be used with Privoxy and HTTPS inspection. + + + Now Privoxy breaks the connection between browser and webserver by + acting as a browser/client when talking to the webserver (including + checking the webserver's TLS certificate against it's own trust + store). Now Privoxy can read and modify the traffic from the + webserver. + + + On the other hand, Privoxy itself encrypts the traffic it sends to + the browser using an on the fly self-created TLS server certificate + that is signed by Privoxy CA. + + + +What happens, if the original + certificate is invalid? + + If Privoxy detects, that a TLS certificate is not valid, because the + certificate is expired, doesn't match the hostname, is self signed or + similar, Privoxy blocks the requests and returns an error message + explaining the problem to avoid that the user/browser communicates + over an insecure communication channel. + + + To check this behavior, simply go to + https://badssl.com/ + + + +HTTPS inspection prerequisites + + + HTTPS inspection in Privoxy can only be used, if Privoxy is built + with FEATURE_HTTPS_INSPECTION. You can check if this feature + is enabled at + http://config.privoxy.org/show-status + in the "Conditional #defines" section. + + + If the feature is not enabled, you may need to + build Privoxy from source + to enable it. You can use either + MbedTLS + or OpenSSL. It's up to + you, which one to use, they both behave the same for HTTPS inspection. + + + After installing the development libraries for either OpenSSL or + MbedTLS, you can run ./configure with + either the --with-openssl or + --with-mbedtls option. + + + Check the output of ./configure, it must contain + one of these the following two lines, otherwise HTTPS inspection will + not work: + + +configure: Detected OpenSSL. Enabling https inspection. 
+configure: Detected mbedTLS. Enabling https inspection. + + + If you do not find any of these lines, the output of + ./configure will tell you what went wrong. + + + You should then proceed with the + source install. + Finally, check the FEATURE_HTTPS_INSPECTION status in + http://config.privoxy.org/show-status + again. + + + +Configuring HTTPS inspection in Privoxy + + + First, you need to create the private key and certificate for the + "Privoxy CA". This can be done using openssl with the following + command: + +openssl req -new -x509 -extensions v3_ca -keyout privoxy.pem -out privoxy.crt -days 3650 + + + + Here we have defined a CA validity of 10 years (3650 days). You + should decide for yourself what is a good validity. A shorter + validity makes your system more secure (it doesn't hurt that long if + the key gets lost to an attacker), but if the certificate expires + before you have replaced it with a new one in Privoxy and in all + browsers, the communication will fail. + + + During the key generation you will be asked for a "pass phrase". + This pass phrase will appear in the Privoxy config CGI, so don't + reuse it elsewhere! + + + Then you will be asked for Country Name, State/Province, Locality, + Orginzation Name, Common Name, and Email Address. You should add + some useful data here, because these entries are shown by the browser + as "Issuer Name" when you inspect a certificate from an + https-inspection site. Especially the "Common Name" will be shown as + the name of your CA, so it's good if you (and other users of your + Privoxy instance) are able to identify this CA. + + + Copy the private key (privoxy.pem) and the CA + certificate (privoxy.crt) into + the ca-directory (defined + in config). 
+ + + Make sure that the private key (privoxy.pem in + the above example) is only accessible to the user running Privoxy + (usually named "privoxy"): + + +chmod 600 privoxy.pem +chown privoxy privoxy.pem + + + Now adjust your Privoxy configuration: + + +ca-directory /etc/privoxy/CA # read-only +ca-cert-file privoxy.crt # in ca-directory +ca-key-file privoxy.pem # in ca-directory +ca-password passphrasefromabove +certificate-directory /var/lib/privoxy/certs +trusted-cas-file /etc/ssl/certs/ca-certificates.crt + + + certificate-directory + contains the (on the fly) created webserver keys and certificates. + It should only be readable by the privoxy user only: + + +chown privoxy /var/lib/privoxy/certs +chmod 700 /var/lib/privoxy/certs. + + + trusted-cas-file is the trust + store containing the certificates of all CAs that should be accepted. + Each browser comes with it's own trust store. Most Unix systems also + ship with a truststore. Debian ships it's truststore + in /etc/ssl/certs/ca-certificates.crt, which is + installed by the ca-certificates package and can be updated using + update-ca-certificates(8). Alternatively, such a file (extracted + from Mozilla) can be downloaded + from https://curl.se/docs/caextract.html. + + + +Browser configuration + + As written above, each browser you use must now trust the newly + created Privoxy CA certificate (privoxy.crt). + + + In Firefox you can do this by opening the preferences "Edit" -> + "Settings" -> "Privacy & Security" or by typing + about:preferences#privacy + in the URL. Then go down to the "Certificates" section and click on + "View Certificates". Click on the "Authorities" tab and "Import..." + your privoxy.crt. In the "CA certificate trust + settings" select "This certificate can identify websites". + + + In Chrome based browsers, go to the settings and select "Privacy and + security" + (chrome://settings/privacy). + Click on "Security" and on the opened sub-page on "Manage + certificates". 
Now go to the "Authorities" tab and + import privoxy.crt and configure that you trust + the certificate for website identification. + + + +Enabeling HTTPS inspection + + Currently no pages use HTTPS inspection, you need to enable this for + some (or all) domains first + using user.action (either by editing + the file by hand or via the CGI (this requires + enable-edit-actions + to be enabled in config) at + http://config.privoxy.org/show-status + (click on user.action Edit button). + + + Here you can enable HTTPS inspection for individual sites: + + +{+https-inspection} +.badssl.com +clienttest.ssllabs.com + + + You can add more individual sites or wildcards (one per line). + + + Alternatively, you can use a client-tag to dynamically enable/disable + this feature via the browser, as described in the next chapter. + + + + + + +Client Tags HOWTO + + Client-Tags are a mechanism to dynamically/temporarily enable/disable + features in Privoxy per browser. + + + In our example, we use this for the following two use cases: + + Enable TOR anonymous proxy + Enable https-inspection + + + + To use this feature, you must first define a tag name and a tag + description for each client-tag in config, + like this: + + +client-specific-tag tor Use Tor anonymous proxy +client-specific-tag https-inspection Enable https-inspection + + + Now you can open http://config.privoxy.org/client-tags + or http://p.p/client-tags + and can enable/disable the tag there (you may want to add a bookmark + for this in your browser for quick access, but it's also available as + a link at http://p.p). + + + It's also possible to temporarily enable a tag, which by default + means 3 minutes (=180 seconds) (and can be changed via the + client-tag-lifetime option + in config). 
+ + + But before this has any effect, you have to use the client tag in + your user.action like this: + + +{+forward-override{forward-socks5t 127.0.0.1:9050 .} } +CLIENT-TAG:^tor$ + + + This means, that if the "tor" client tag is enabled, all traffic is + forwarded by Privoxy through socks5t to a locally installed tor proxy + listening on port 9050. + + + Similarly, you can specify to use the https-inspection client tag to + enable https-inspection: + + +{+https-inspection} +CLIENT-TAG:^https-inspection$ + + + The tag will be set for all requests coming from clients that have + requested it to be set. Note that "clients" are distinguished by IP + address, if the IP address changes, the tag must be requested again. + + + + + + + 
@@ -7865,16 +8536,64 @@ Requests Privoxy is free software; you can - redistribute it and/or modify it under the terms of the - GNU General Public License, version 2, - as published by the Free Software Foundation and included in - the next section. + redistribute and/or modify its source code under the terms + of the GNU General Public License + as published by the Free Software Foundation, either version 2 + of the license, or (at your option) any later version. + + + + The same is true for Privoxy binaries + unless they are linked with a + mbed TLS version + that is licensed under the Apache 2.0 license in which + case you can redistribute and/or modify the Privoxy + binaries under the terms of the GNU General Public License + as published by the Free Software Foundation, either version 3 + of the license, or (at your option) any later version. + + + + Both licenses are included in the next section. License - +GNU General Public License version 2 + + + +GNU General Public License version 3 + + + +Third-party licenses and copyrights + + Privoxy depends on a couple of third-party libraries which have seperate licenses. + Please refer to the third-party websites for up-to-date license and copyright + information. + + + Privoxy depends on pcre. + + + When compiled with FEATURE_BROTLI (optional), Privoxy depends on + brotli. + + + When compiled with FEATURE_HTTPS_INSPECTION (optional), + Privoxy depends on a TLS library. The supported libraries are + LibreSSL, + mbed TLS 2.28.x and + OpenSSL and + wolfSSL. + + + When compiled with FEATURE_ZLIB (optional), + Privoxy depends on zlib. + + @@ -8451,11 +9170,11 @@ Requests - Matches for http://www.google.com: +Matches for http://www.google.com: - In file: default.action [ View ] [ Edit ] +In file: default.action [ View ] [ Edit ] - {+change-x-forwarded-for{block} +{+change-x-forwarded-for{block} +deanimate-gifs {last} +fast-redirects {check-decoded-url} +filter {refresh-tags} 
@@ -8467,14 +9186,14 @@ Requests +hide-from-header {block} +hide-referrer {forge} +session-cookies-only - +set-image-blocker {pattern} + +set-image-blocker {pattern} } / - { -session-cookies-only } - .google.com +{ -session-cookies-only } +.google.com - { -fast-redirects } - .google.com +{ -fast-redirects } +.google.com In file: user.action [ View ] [ Edit ] (no matches in this file) 
@@ -8537,64 +9256,64 @@ In file: user.action [ View ] [ Edit ] - Final results: - - -add-header - -block - +change-x-forwarded-for{block} - -client-header-filter{hide-tor-exit-notation} - -content-type-overwrite - -crunch-client-header - -crunch-if-none-match - -crunch-incoming-cookies - -crunch-outgoing-cookies - -crunch-server-header - +deanimate-gifs {last} - -downgrade-http-version - -fast-redirects - -filter {js-events} - -filter {content-cookies} - -filter {all-popups} - -filter {banners-by-link} - -filter {tiny-textforms} - -filter {frameset-borders} - -filter {demoronizer} - -filter {shockwave-flash} - -filter {quicktime-kioskmode} - -filter {fun} - -filter {crude-parental} - -filter {site-specifics} - -filter {js-annoyances} - -filter {html-annoyances} - +filter {refresh-tags} - -filter {unsolicited-popups} - +filter {img-reorder} - +filter {banners-by-size} - +filter {webbugs} - +filter {jumping-windows} - +filter {ie-exploits} - -filter {google} - -filter {yahoo} - -filter {msn} - -filter {blogspot} - -filter {no-ping} - -force-text-mode - -handle-as-empty-document - -handle-as-image - -hide-accept-language - -hide-content-disposition - +hide-from-header {block} - -hide-if-modified-since - +hide-referrer {forge} - -hide-user-agent - -limit-connect - -overwrite-last-modified - -prevent-compression - -redirect - -server-header-filter{xml-to-html} - -server-header-filter{html-to-xml} - -session-cookies-only - +set-image-blocker {pattern} +Final results: + +-add-header +-block ++change-x-forwarded-for{block} +-client-header-filter{hide-tor-exit-notation} +-content-type-overwrite +-crunch-client-header +-crunch-if-none-match +-crunch-incoming-cookies +-crunch-outgoing-cookies +-crunch-server-header ++deanimate-gifs {last} +-downgrade-http-version +-fast-redirects +-filter {js-events} +-filter {content-cookies} +-filter {all-popups} +-filter {banners-by-link} +-filter {tiny-textforms} +-filter {frameset-borders} +-filter {demoronizer} +-filter 
{shockwave-flash} +-filter {quicktime-kioskmode} +-filter {fun} +-filter {crude-parental} +-filter {site-specifics} +-filter {js-annoyances} +-filter {html-annoyances} ++filter {refresh-tags} +-filter {unsolicited-popups} ++filter {img-reorder} ++filter {banners-by-size} ++filter {webbugs} ++filter {jumping-windows} ++filter {ie-exploits} +-filter {google} +-filter {yahoo} +-filter {msn} +-filter {blogspot} +-filter {no-ping} +-force-text-mode +-handle-as-empty-document +-handle-as-image +-hide-accept-language +-hide-content-disposition ++hide-from-header {block} +-hide-if-modified-since ++hide-referrer {forge} +-hide-user-agent +-limit-connect +-overwrite-last-modified +-prevent-compression +-redirect +-server-header-filter{xml-to-html} +-server-header-filter{html-to-xml} +-session-cookies-only ++set-image-blocker {pattern} @@ -8609,14 +9328,14 @@ In file: user.action [ View ] [ Edit ] - { +block{Domains starts with "ad"} } - ad*. +{ +block{Domains starts with "ad"} } +ad*. - { +block{Domain contains "ad"} } - .ad. +{ +block{Domain contains "ad"} } +.ad. - { +block{Doubleclick banner server} +handle-as-image } - .[a-vx-z]*.doubleclick.net +{ +block{Doubleclick banner server} +handle-as-image } +.[a-vx-z]*.doubleclick.net 
@@ -8650,68 +9369,68 @@ In file: user.action [ View ] [ Edit ] - Matches for http://www.example.net/adsl/HOWTO/: - - In file: default.action [ View ] [ Edit ] - - {-add-header - -block - +change-x-forwarded-for{block} - -client-header-filter{hide-tor-exit-notation} - -content-type-overwrite - -crunch-client-header - -crunch-if-none-match - -crunch-incoming-cookies - -crunch-outgoing-cookies - -crunch-server-header - +deanimate-gifs - -downgrade-http-version - +fast-redirects {check-decoded-url} - -filter {js-events} - -filter {content-cookies} - -filter {all-popups} - -filter {banners-by-link} - -filter {tiny-textforms} - -filter {frameset-borders} - -filter {demoronizer} - -filter {shockwave-flash} - -filter {quicktime-kioskmode} - -filter {fun} - -filter {crude-parental} - -filter {site-specifics} - -filter {js-annoyances} - -filter {html-annoyances} - +filter {refresh-tags} - -filter {unsolicited-popups} - +filter {img-reorder} - +filter {banners-by-size} - +filter {webbugs} - +filter {jumping-windows} - +filter {ie-exploits} - -filter {google} - -filter {yahoo} - -filter {msn} - -filter {blogspot} - -filter {no-ping} - -force-text-mode - -handle-as-empty-document - -handle-as-image - -hide-accept-language - -hide-content-disposition - +hide-from-header{block} - +hide-referer{forge} - -hide-user-agent - -overwrite-last-modified - +prevent-compression - -redirect - -server-header-filter{xml-to-html} - -server-header-filter{html-to-xml} - +session-cookies-only - +set-image-blocker{blank} } - / - - { +block{Path contains "ads".} +handle-as-image } - /ads +Matches for http://www.example.net/adsl/HOWTO/: + +In file: default.action [ View ] [ Edit ] + +{-add-header + -block + +change-x-forwarded-for{block} + -client-header-filter{hide-tor-exit-notation} + -content-type-overwrite + -crunch-client-header + -crunch-if-none-match + -crunch-incoming-cookies + -crunch-outgoing-cookies + -crunch-server-header + +deanimate-gifs + -downgrade-http-version + +fast-redirects 
{check-decoded-url} + -filter {js-events} + -filter {content-cookies} + -filter {all-popups} + -filter {banners-by-link} + -filter {tiny-textforms} + -filter {frameset-borders} + -filter {demoronizer} + -filter {shockwave-flash} + -filter {quicktime-kioskmode} + -filter {fun} + -filter {crude-parental} + -filter {site-specifics} + -filter {js-annoyances} + -filter {html-annoyances} + +filter {refresh-tags} + -filter {unsolicited-popups} + +filter {img-reorder} + +filter {banners-by-size} + +filter {webbugs} + +filter {jumping-windows} + +filter {ie-exploits} + -filter {google} + -filter {yahoo} + -filter {msn} + -filter {blogspot} + -filter {no-ping} + -force-text-mode + -handle-as-empty-document + -handle-as-image + -hide-accept-language + -hide-content-disposition + +hide-from-header{block} + +hide-referer{forge} + -hide-user-agent + -overwrite-last-modified + +prevent-compression + -redirect + -server-header-filter{xml-to-html} + -server-header-filter{html-to-xml} + +session-cookies-only + +set-image-blocker{blank} } +/ + +{ +block{Path contains "ads".} +handle-as-image } +/ads @@ -8729,8 +9448,8 @@ In file: user.action [ View ] [ Edit ] - { -block } - /adsl +{ -block } +/adsl @@ -8746,8 +9465,8 @@ In file: user.action [ View ] [ Edit ] - { +block{Path starts with "ads".} +handle-as-image } - /ads +{ +block{Path starts with "ads".} +handle-as-image } +/ads @@ -8763,12 +9482,12 @@ In file: user.action [ View ] [ Edit ] - { shop } - .quietpc.com - .worldpay.com # for quietpc.com - .jungle.com - .scan.co.uk - .forbes.com +{ shop } +.quietpc.com +.worldpay.com # for quietpc.com +.jungle.com +.scan.co.uk +.forbes.com @@ -8778,11 +9497,11 @@ In file: user.action [ View ] [ Edit ] - { -filter } - # Disable ALL filter actions for sites in this section - .forbes.com - developer.ibm.com - localhost +{ -filter } +# Disable ALL filter actions for sites in this section +.forbes.com +developer.ibm.com +localhost 
@@ -8808,10 +9527,11 @@ In file: user.action [ View ] [ Edit ] - { fragile } - # Handle with care: easy to break - mail.google. - mybank.example.com +{ fragile } +# Handle with care: easy to break +mail.google. +mybank.example.com +
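Review bot: the new list item in hunk @@ -6846,18 +7179,21 @@ reads "client-body-filter to rewrite client request body", which is missing an article ("the client request body"). The lines rewritten around it still say "that is send to the client" and "that are send by the client/server" where "sent" is meant. Since the hunk already touches those lines, fix the verb in the same change.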
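Review bot: in the HTTPS-Inspection HOWTO added by hunk @@ -7841,6 +8178,340 @@, the certificate-directory example ends its second command with a sentence period ("chmod 700 /var/lib/privoxy/certs."), so a reader who copies the line gets a chmod failure on a path that does not exist; drop the period. The key-exchange paragraph in "How TLS Certificates for websites work" merges two different mechanisms: a client secret encrypted with the server's public key is RSA key transport, whereas Diffie-Hellman derives the shared secret from exchanged public values and uses the certificate key only to authenticate the handshake. Describe one of them, or just say that both sides negotiate a shared session key. The text notes that the CA pass phrase shows up in the config CGI and the example stores it in config as "ca-password passphrasefromabove", so the HOWTO should tell readers to restrict read access to config the same way it does for privoxy.pem. In the Client Tags HOWTO, the closing remark that clients are distinguished by IP address deserves one more sentence saying that all clients behind the same address share the tag state, which matters when the tag switches https-inspection on. Typos in the added lines: "it's own" (three times, should be "its own"), "Debian ships it's truststore", "Orginzation", "Enabeling", "one of these the following two lines", "should only be readable by the privoxy user only", and "TOR" in the use-case list (written "Tor" in the client-specific-tag line below it).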
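Review bot: the TLS library list in the "Third-party licenses and copyrights" section of hunk @@ -7865,16 +8536,64 @@ reads "LibreSSL, mbed TLS 2.28.x and OpenSSL and wolfSSL", which has a stray "and" and names four libraries, while the HTTPS inspection prerequisites added in the same patch say "You can use either MbedTLS or OpenSSL" and document only the --with-openssl and --with-mbedtls options. Make the two sections agree on which libraries are supported. The library name is also spelled three ways across the patch ("MbedTLS", "mbedTLS", "mbed TLS"); pick one. Smaller fixes in this hunk: "seperate" should be "separate" and "a mbed TLS version" should be "an mbed TLS version".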
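Review bot: the sample output re-indented in hunk @@ -8650,68 +9369,68 @@ spells the action "+hide-referer{forge}", while the "Final results" list re-indented in hunk @@ -8537,64 +9256,64 @@ spells it "+hide-referrer {forge}". Since both blocks are rewritten line by line here, use one spelling and one spacing convention for the parameter braces, so readers comparing the two listings do not take them for different actions.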