X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Ftext%2Fuser-manual.txt;h=f229e8838b814b03636527ab13a64fd6592994c3;hp=8ff73fd675d43819ca05099fd38e679cd628d53e;hb=72081f829de368392d04076728f8c991178c0080;hpb=b2687ece44b11a6704f0c82359d66bf4c799e465 diff --git a/doc/text/user-manual.txt b/doc/text/user-manual.txt index 8ff73fd6..f229e883 100644 --- a/doc/text/user-manual.txt +++ b/doc/text/user-manual.txt @@ -1,1490 +1,4511 @@ -output is user-manual Using catalogs: /etc/sgml/sgml-docbook-3.1.cat Using -stylesheet: /usr/share/sgml/docbook/utils-0.6/docbook-utils.dsl#html Working -on: /home/hal/junkbuster/current/doc/source/user-manual.sgml Junkbuster User Manual - -By: Junkbuster Developers -Abstract -The user manual gives the users -information on how to install and -configure Internet Junkbuster. Internet -Junkbuster is an application that -provides privacy and security to users -of the World Wide Web. - -You can find the latest version of the -user manual at http:// -ijbswa.sourceforge.net/user-manual/. - -Feel free to send a note to the -developers at -ijbswa-developers@lists.sourceforge.net -. - - ----------------------------------------------------------- +Privoxy 3.0.3 User Manual -Table of Contents -Introduction -Installation -Junkbuster Configuration -Quickstart to Using Junkbuster -Contact the Developers -Copyright and History -See also -Appendix +[ Copyright © 2001 - 2004 by Privoxy Developers ] + +$Id: user-manual.txt,v 1.60.2.7 2004/01/30 23:46:57 oes Exp $ -Introduction +The User Manual gives users information on how to install, configure and use +Privoxy. -Internet Junkbuster is a web proxy with advanced filtering capabilities for -protecting privacy, filtering web page content, managing cookies, controlling -access, and removing ads, banners, pop-ups and other obnoxious Internet Junk. -Junkbuster has a very flexible configuration and can be customized to suit -individual needs and tastes. Internet Junkbuster has application for both -stand-alone systems and multi-user networks. +Privoxy is a web proxy with advanced filtering capabilities for protecting +privacy, modifying web page content, managing cookies, controlling access, and +removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a +very flexible configuration and can be customized to suit individual needs and +tastes. Privoxy has application for both stand-alone systems and multi-user +networks. -This documentation is included with the current development version of Internet -Junkbuster and is incomplete at this point. The most up to date reference for -the time being is still the comments in the source files and in the individual -configuration files. Development of version 3.0 is currently underway, and -includes many significant changes and enhancements over earlier verions. The -target release date for stable v3.0 is December 2001. +Privoxy is based on Internet Junkbuster (tm). -Since this is a development version, some features are in the process of being -implemented. This documentation may be slightly out of sync as a result. And -there are bugs, though hopefully not many! +You can find the latest version of the User Manual at http://www.privoxy.org/ +user-manual/. Please see the Contact section on how to contact the developers. ------------------------------------------------------------------------------- -New Features +Table of Contents +1. Introduction -In addition to Junkbuster's traditional features of ad and banner blocking and -cookie management, this is a list of new features currently under development: + 1.1. Features - * Modularized configuration that will allow for system wide settings, and - individual user settings. - - * A browser based GUI configuration utility (not finished). - - * Blocking of annoying pop-up browser windows (previously available as a - patch). - - * Partial support for HTTP/1.1. - - * Support for Perl Compatible Regular Expressions in the configuration files, - and generally a more sophisticated configuration syntax over previous - versions. - - * Web page content filtering. - - * Multi-threaded. - -------------------------------------------------------------------------------- +2. Installation -Installation + 2.1. Binary Packages -Junkbuster is available as raw source code, or pre-compiled binaries. See the -Junkbuster Home Page for current release info. Junkbuster is also available via -CVS. This is the recommended approach at this time. But please be aware that -CVS is constantly changing, and it may break in mysterious ways. + 2.1.1. Red Hat, SuSE and Conectiva RPMs + 2.1.2. Debian + 2.1.3. Windows + 2.1.4. Solaris, NetBSD, FreeBSD, HP-UX + 2.1.5. OS/2 + 2.1.6. Mac OSX + 2.1.7. AmigaOS + 2.1.8. Gentoo + + 2.2. Building from Source + 2.3. Keeping your Installation Up-to-Date + +3. Note to Upgraders +4. Quickstart to Using Privoxy -------------------------------------------------------------------------------- + 4.1. Quickstart to Ad Blocking -Source +5. Starting Privoxy -For gzipped tar archives, unpack the source: + 5.1. Red Hat and Conectiva + 5.2. Debian + 5.3. SuSE + 5.4. Windows + 5.5. Solaris, NetBSD, FreeBSD, HP-UX and others + 5.6. OS/2 + 5.7. Mac OSX + 5.8. AmigaOS + 5.9. Gentoo + 5.10. Command Line Options - tar zxvf ijb_source_2.9* - cd ijb_source_2.9* - +6. Privoxy Configuration -For retrieving the current CVS sources, you'll need the CVS package installed -first. To download CVS source: + 6.1. Controlling Privoxy with Your Web Browser + 6.2. Configuration Files Overview - cvs -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa login - cvs -z3 -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa co current - cd current - +7. The Main Configuration File -This will create a directory named current/, which will contain the source -tree. + 7.1. Configuration and Log File Locations -Then, in either case, to build from source: + 7.1.1. confdir + 7.1.2. logdir + 7.1.3. actionsfile + 7.1.4. filterfile + 7.1.5. logfile + 7.1.6. jarfile + 7.1.7. trustfile - autoconf #recommended for CVS source - ./configure - make - su - make install - + 7.2. Local Set-up Documentation -For Redhat and SuSE Linux RPM packages, see below. + 7.2.1. user-manual + 7.2.2. trust-info-url + 7.2.3. admin-address + 7.2.4. proxy-info-url -------------------------------------------------------------------------------- + 7.3. Debugging -Red Hat + 7.3.1. debug + 7.3.2. single-threaded -To build Redhat RPM packages, install source as above. Then: + 7.4. Access Control and Security - autoconf #recommended for CVS source - ./configure - make redhat-dist - + 7.4.1. listen-address + 7.4.2. toggle + 7.4.3. enable-remote-toggle + 7.4.4. enable-edit-actions + 7.4.5. ACLs: permit-access and deny-access + 7.4.6. buffer-limit -This will create both binary and src RPMs in the usual places. Example: + 7.5. Forwarding - /usr/src/redhat/RPMS/i686/junkbuster-2.9.8-1.i686.rpm + 7.5.1. forward + 7.5.2. forward-socks4 and forward-socks4a + 7.5.3. Advanced Forwarding Examples - /usr/src/redhat/SRPMS/junkbuster-2.9.9-1.src.rpm + 7.6. Windows GUI Options -To install, of course: +8. Actions Files - rpm -Uvv /usr/src/redhat/RPMS/i686/junkbuster-2.9.9-1.i686.rpm - + 8.1. Finding the Right Mix + 8.2. How to Edit + 8.3. How Actions are Applied to URLs + 8.4. Patterns -This will place the Junkbuster configuration files in /etc/junkbuster/, and log -files in /var/log/junkbuster/. + 8.4.1. The Domain Pattern + 8.4.2. The Path Pattern -------------------------------------------------------------------------------- + 8.5. Actions + + 8.5.1. add-header + 8.5.2. block + 8.5.3. crunch-incoming-cookies + 8.5.4. crunch-outgoing-cookies + 8.5.5. deanimate-gifs + 8.5.6. downgrade-http-version + 8.5.7. fast-redirects + 8.5.8. filter + 8.5.9. handle-as-image + 8.5.10. hide-forwarded-for-headers + 8.5.11. hide-from-header + 8.5.12. hide-referrer + 8.5.13. hide-user-agent + 8.5.14. kill-popups + 8.5.15. limit-connect + 8.5.16. prevent-compression + 8.5.17. send-vanilla-wafer + 8.5.18. send-wafer + 8.5.19. session-cookies-only + 8.5.20. set-image-blocker + 8.5.21. Summary + + 8.6. Aliases + 8.7. Actions Files Tutorial + + 8.7.1. default.action + 8.7.2. user.action -SuSE +9. The Filter File -To build SuSE RPM packages, install source as above. Then: + 9.1. Filter File Tutorial + 9.2. The Pre-defined Filters - autoconf #recommended for CVS source - ./configure - make suse-dist - +10. Templates +11. Contacting the Developers, Bug Reporting and Feature Requests -This will create both binary and src RPMs in the usual places. Example: + 11.1. Get Support + 11.2. Report Bugs + 11.3. Request New Features + 11.4. Report Ads or Other Actions-Related Problems + 11.5. Other - /usr/src/suse/RPMS/i686/junkbuster-2.9.9-1.i686.rpm +12. Privoxy Copyright, License and History - /usr/src/suse/SRPMS/junkbuster-2.9.9-1.src.rpm + 12.1. License + 12.2. History + 12.3. Authors -To install, of course: +13. See Also +14. Appendix - rpm -Uvv /usr/src/suse/RPMS/i686/junkbuster-2.9.9-1.i686.rpm - + 14.1. Regular Expressions + 14.2. Privoxy's Internal Pages -This will place the Junkbuster configuration files in /etc/junkbuster/, and log -files in /var/log/junkbuster/. + 14.2.1. Bookmarklets + + 14.3. Chain of Events + 14.4. Anatomy of an Action + +1. Introduction + +This documentation is included with the current stable version of Privoxy, +v.3.0.3. ------------------------------------------------------------------------------- -OS/2 +1.1. Features -The OS/2 version of Junkbuster requires the EMX runtime library to be -installed. The EMX runtime library is available on the hobbes OS/2 archive, -among many other locations: http://hobbes.nmsu.edu/cgi-bin/h-search?sh=1&button -=Search&key=emxrt.zip&stype=all&sort=type&dir=%2Fpub%2Fos2%2Fdev%2Femx%2Fv0.9d +In addition to Internet Junkbuster's traditional features of ad and banner +blocking and cookie management, Privoxy provides new features: -Junkbuster is packaged in a WarpIN self- installing archive. The -self-installing program will be named depending on the release version, -something like: ijbos123.exe. In order to install it, simply run this -executable or double-click on its icon and follow the WarpIN installation -panels. A shadow of the Junkbuster executable will be placed in your startup -folder so it will start automatically whenever OS/2 starts. + * Integrated browser based configuration and control utility at http:// + config.privoxy.org/ (shortcut: http://p.p/). Browser-based tracing of rule + and filter effects. Remote toggling. -The directory you choose to install Junkbuster into will contain all of the -configuration files. + * Web page content filtering (removes banners based on size, invisible + "web-bugs", JavaScript and HTML annoyances, pop-up windows, etc.) -If you would like to build binary images on OS/2 yourself, you will need a -working EMX/GCC environment, plus several Unix-like tools. The Hobbes OS/2 -archive is a good place to start when building such an environment. A set of -Unix-like tools named gnupack is located here: http://hobbes.nmsu.edu/cgi-bin/ -h-search?sh=1&key=gnupack&stype=all&sort=type&dir=%2Fpub%2Fos2%2Fapps + * Modularized configuration that allows for standard settings and user + settings to reside in separate files, so that installing updated actions + files won't overwrite individual user settings. -Once you have the source code unpacked as above, you can build the binaries -from the current/ directory: + * HTTP/1.1 compliant (but not all optional 1.1 features are supported). - autoconf - sh configure - make - + * Support for Perl Compatible Regular Expressions in the configuration files, + and generally a more sophisticated and flexible configuration syntax over + previous versions. -------------------------------------------------------------------------------- + * Improved cookie management features (e.g. session based cookies). -Windows + * GIF de-animation. -Click-click. (I need help on this. Not a clue here. Also for configuration -section below. HB.) + * Bypass many click-tracking scripts (avoids script redirection). -------------------------------------------------------------------------------- + * Multi-threaded (POSIX and native threads). -Other + * User-customizable HTML templates for all proxy-generated pages (e.g. + "blocked" page). -Some quick notes on other Operating Systems. + * Auto-detection and re-reading of config file changes. -For FreeBSD (and other *BSDs?), the build will need gmake instead of the -included make. gmake is available from http://www.gnu.org. The rest should be -the same as above for Linux/Unix. + * Improved signal handling, and a true daemon mode (Unix). -------------------------------------------------------------------------------- + * Every feature now controllable on a per-site or per-location basis, + configuration more powerful and versatile over-all. -Junkbuster Configuration + * Many smaller new features added, limitations and bugs removed, and security + holes fixed. -For Unix, *BSD and Linux, all configuraton files are located in /etc/junkbuster -/ by default. For MS Windows and OS/2, these are all in the same directory as -the Junkbuster executable. The name and number of configuration files has -changed from previous versions, and is subject to change as development -progresses. +------------------------------------------------------------------------------- -The installed defaults provide a reasonable starting point. For the time being, -there are only three default configuration files (this will change in time): +2. Installation - * The main configuration file is named config on Linux, Unix, BSD, and OS/2, - and junkbustr.txt on Windows. On Amiga, it is AmiTCP:db/junkbuster/config. - - * The actionsfile file is used to define various actions relating to images, - banners, pop-ups, banners and cookies. There is a CGI based editor for this - file that can be accessed via http://ijbswa.sourceforge.net/config/. (Still - under active development.) - - * The re_filterfile file can be used to rewrite the raw page content, - including text as well as embedded HTML and JavaScript. - -actionsfile and re_filterfile can use Perl style regular expressions for -maximum flexibility. All files use the "#" character to denote a comment. Such -lines are not processed by Junkbuster. After making any changes, restart -Junkbuster in order for the changes to take effect. +Privoxy is available both in convenient pre-compiled packages for a wide range +of operating systems, and as raw source code. For most users, we recommend +using the packages, which can be downloaded from our Privoxy Project Page. + +Note: If you have a previous Junkbuster or Privoxy installation on your system, +you will need to remove it. On some platforms, this may be done for you as part +of their installation procedure. (See below for your platform). In any case be +sure to backup your old configuration if it is valuable to you. See the note to +upgraders section below. ------------------------------------------------------------------------------- -The Main Configuration File +2.1. Binary Packages -Again, the main configuration file is named config on Linux/Unix/BSD and OS/2, -and junkbustr.txt on Windows. Configuration lines consist of an initial keyword -followed by a list of values, all separated by whitespace (any number of spaces -or tabs). For example: +How to install the binary packages depends on your operating system: - blockfile blocklist.ini - +------------------------------------------------------------------------------- -Indicates that the blockfile is named "blocklist.ini". +2.1.1. Red Hat, SuSE and Conectiva RPMs -A "#" indicates a comment. Any part of a line following a "#" is ignored, -except if the "#" is preceded by a "\". +RPMs can be installed with rpm -Uvh privoxy-3.0.3-1.rpm, and will use /etc/ +privoxy for the location of configuration files. -Thus, by placing a "#" at the start of an existing configuration line, you can -make it a comment and it will be treated as if it weren't there. This is called -"commenting out" an option and can be useful to turn off features: If you -comment out the "logfile" line, junkbuster will not log to a file at all. Watch -for the "default:" section in each explanation to see what happens if the -option is left unset (or commented out). +Note that on Red Hat, Privoxy will not be automatically started on system boot. +You will need to enable that using chkconfig, ntsysv, or similar methods. Note +that SuSE will automatically start Privoxy in the boot process. -Long lines can be continued on the next line by using a "\" as the very last -character. +If you have problems with failed dependencies, try rebuilding the SRC RPM: rpm +--rebuild privoxy-3.0.3-1.src.rpm. This will use your locally installed +libraries and RPM version. -There are various aspects of Junkbuster behavior that can be tuned. +Also note that if you have a Junkbuster RPM installed on your system, you need +to remove it first, because the packages conflict. Otherwise, RPM will try to +remove Junkbuster automatically, before installing Privoxy. ------------------------------------------------------------------------------- -Defining Other Configuration Files +2.1.2. Debian -Junkbuster can use a number of other files to tell it what ads to block, what -cookies to accept, etc. This section of the configuration file tells Junkbuster -where to find all those other files. +DEBs can be installed with apt-get install privoxy, and will use /etc/privoxy +for the location of configuration files. -On Windows, Junkbuster looks for these files in the same directory as the -executable. On Unix and OS/2, Junkbuster looks for these files in the current -working directory. In either case, an absolute path name can be used to avoid -problems. +------------------------------------------------------------------------------- -When development goes modular and multiuser, the blocker, filter, and per-user -config will be stored in subdirectories of "confdir". For now, only confdir/ -templates is used for storing HTML templates for CGI results. +2.1.3. Windows -The location of the configuration files: +Just double-click the installer, which will guide you through the installation +process. You will find the configuration files in the same directory as you +installed Privoxy in. We do not use the registry of Windows. - confdir /etc/junkbuster # No trailing /, please. - +------------------------------------------------------------------------------- -The directory where all logging (i.e. logfile and jarfile) takes place. No -trailing "/", please: +2.1.4. Solaris, NetBSD, FreeBSD, HP-UX - logdir /var/log/junkbuster - +Create a new directory, cd to it, then unzip and untar the archive. For the +most part, you'll have to figure out where things go. -Note that all file specifications below are relative to the above two -directories! +------------------------------------------------------------------------------- -The "actionsfile" contains patterns to specify the actions to apply to requests -for each site. Default: Cookies to and from all destinations are filtered. -Popups are disabled for all sites. All sites are filtered if re_filterfile -specified. No sites are blocked. An empty image is displayed for filtered ads -and other images (formerly "tinygif"). The syntax of this file is explained in -detail below. +2.1.5. OS/2 - actionsfile actionsfile - +First, make sure that no previous installations of Junkbuster and / or Privoxy +are left on your system. Check that no Junkbuster or Privoxy objects are in +your startup folder. -The "re_filterfile" file contains content modification rules. These rules -permit powerful changes on the content of Web pages, e.g., you could disable -your favourite JavaScript annoyances, rewrite the actual content, or just have -some fun replacing "Microsoft" with "MicroSuck" wherever it appears on a Web -page. Default: No content modification, or whatever the developers are playing -with :-/ +Then, just double-click the WarpIN self-installing archive, which will guide +you through the installation process. A shadow of the Privoxy executable will +be placed in your startup folder so it will start automatically whenever OS/2 +starts. - re_filterfile re_filterfile - +The directory you choose to install Privoxy into will contain all of the +configuration files. -The logfile is where all logging and error messages are written. The logfile -can be useful for tracking down a problem with Junkbuster (e.g., it's not -blocking an ad you think it should block) but in most cases you probably will -never look at it. +------------------------------------------------------------------------------- -Your logfile will grow indefinitely, and you will probably want to periodically -remove it. On Unix systems, you can do this with a cron job (see "man cron"). -For Redhat, a logrotate script has been included. +2.1.6. Mac OSX -On SuSE Linux systems, you can place a line like "/var/log/junkbuster.* +1024k -644 nobody.nogroup" in /etc/logfiles, with the effect that cron.daily will -automatically archive, gzip, and empty the log, when it exceeds 1M size. +Unzip the downloaded file (you can either double-click on the file from the +finder, or from the desktop if you downloaded it there). Then, double-click on +the package installer icon named Privoxy.pkg and follow the installation +process. Privoxy will be installed in the folder /Library/Privoxy. It will +start automatically whenever you start up. To prevent it from starting +automatically, remove or rename the folder /Library/StartupItems/Privoxy. -Default: Log to the a file named logfile. Comment out to disable logging. +To start Privoxy by hand, double-click on StartPrivoxy.command in the /Library/ +Privoxy folder. Or, type this command in the Terminal: - logfile logfile - + /Library/Privoxy/StartPrivoxy.command -The "jarfile" defines where Junkbuster stores the cookies it intercepts. Note -that if you use a "jarfile", it may grow quite large. Default: Don't store -intercepted cookies. - #jarfile jarfile - -If you specify a "trustfile", Junkbuster will only allow access to sites that -are named in the trustfile. You can also mark sites as trusted referrers, with -the effect that access to untrusted sites will be granted, if a link from a -trusted referrer was used. The link target will then be added to the -"trustfile". This is a very restrictive feature that typical users most -propably want to leave disabled. Default: Disabled, don't use the trust -mechanism. +You will be prompted for the administrator password. - #trustfile trust - +------------------------------------------------------------------------------- -If you use the trust mechanism, it is a good idea to write up some online -documentation about your blocking policy and to specify the URL(s) here. They -will appear on the page that your users receive when they try to access -untrusted content. Use multiple times for multiple URLs. Default: Don't display -links on the "untrusted" info page. +2.1.7. AmigaOS - trust-info-url http://www.your-site.com/why_we_block.html - trust-info-url http://www.your-site.com/what_we_allow.html - +Copy and then unpack the lha archive to a suitable location. All necessary +files will be installed into Privoxy directory, including all configuration and +log files. To uninstall, just remove this directory. ------------------------------------------------------------------------------- -Other Configuration Options +2.1.8. Gentoo -This part of the configuration file contains options that control how -Junkbuster operates. +Gentoo source packages (Ebuilds) for Privoxy are contained in the Gentoo +Portage Tree (they are not on the download page, but there is a Gentoo section, +where you can see when a new Privoxy Version is added to the Portage Tree). -"Admin-address" should be set to the email address of the proxy administrator. -It is used in many of the proxy-generated pages. Default: fill@me.in.please. +Before installing Privoxy under Gentoo just do first emerge rsync to get the +latest changes from the Portage tree. With emerge privoxy you install the +latest version. - #admin-address fill@me.in.please - +Configuration files are in /etc/privoxy, the documentation is in /usr/share/doc +/privoxy-3.0.3 and the Log directory is in /var/log/privoxy. -"Proxy-info-url" can be set to a URL that contains more info about this -Junkbuster installation, it's configuration and policies. It is used in many of -the proxy-generated pages and its use is highly recommended in multi-user -installations, since your users will want to know why certain content is -blocked or modified. Default: Don't show a link to online documentation. +------------------------------------------------------------------------------- - proxy-info-url http://www.your-site.com/proxy.html - +2.2. Building from Source -"Listen-address" specifies the address and port where Junkbuster will listen -for connections from your Web browser. The default is to listen on the -localhost port 8000, and this is suitable for most users. (In your web browser, -under proxy configuration, list the proxy server as "localhost" and the port as -"8000"). - -If you already have another service running on port 8000, or if you want to -serve requests from other machines (e.g. on your local network) as well, you -will need to override the default. The syntax is "listen-address -[]:". If you leave out the IP adress, junkbuster will bind to -all interfaces (addresses) on your machine and may become reachable from the -internet. In that case, consider using access control lists (acl's) (see -"aclfile" above). - -For example, suppose you are running Junkbuster on a machine which has the -address 192.168.0.1 on your local private network (192.168.0.0) and has another -outside connection with a different address. You want it to serve requests from -inside only: - - listen-address 192.168.0.1:8000 - +The most convenient way to obtain the Privoxy sources is to download the source +tarball from our project page. -If you want it to listen on all addresses (including the outside connection): +If you like to live on the bleeding edge and are not afraid of using possibly +unstable development versions, you can check out the up-to-the-minute version +directly from the CVS repository or simply download the nightly CVS tarball. - listen-address :8000 - +To build Privoxy from source, autoconf, GNU make (gmake), and, of course, a C +compiler like gcc are required. -If you do this, consider using ACLs (see "aclfile" above). Note: you will need -to point your browser(s) to the address and port that you have configured here. -Default: localhost:8000 (127.0.0.1:8000). - -The debug option sets the level of debugging information to log in the logfile -(and to the console in the Windows version). A debug level of 1 is informative -because it will show you each request as it happens. Higher levels of debug are -probably only of interest to developers. - - debug 1 # GPC = show each GET/POST/CONNECT request - debug 2 # CONN = show each connection status - debug 4 # IO = show I/O status - debug 8 # HDR = show header parsing - debug 16 # LOG = log all data into the logfile - debug 32 # FRC = debug force feature - debug 64 # REF = debug regular expression filter - debug 128 # = debug fast redirects - debug 256 # = debug GIF deanimation - debug 512 # CLF = Common Log Format - debug 1024 # = debug kill popups - debug 4096 # INFO = Startup banner and warnings. - debug 8192 # ERROR = Non-fatal errors - - -It is highly recommended that you enable ERROR reporting (debug 8192), at least -until the next stable release. - -The reporting of FATAL errors (i.e. ones which crash JunkBuster) is always on -and cannot be disabled. - -If you want to use CLF (Common Log Format), you should set "debug 512" ONLY, do -not enable anything else. - -Multiple "debug" directives, are OK - they're logical-OR'd together. - - debug 15 # same as setting the first 4 listed above - +When building from a source tarball (either release version or nightly CVS +tarball), first unpack the source: -Default: + tar xzvf privoxy-3.0.3-src* [.tgz or .tar.gz] + cd privoxy-3.0.3 - debug 1 # URLs - debug 4096 # Info - debug 8192 # Errors - *we highly recommended enabling this* - -Junkbuster normally uses "multi-threading", a software technique that permits -it to handle many different requests simultaneously. In some cases you may wish -to disable this -- particularly if you're trying to debug a problem. The -"single-threaded" option forces Junkbuster to handle requests sequentially. -Default: Multi-threaded mode. +For retrieving the current CVS sources, you'll need CVS installed. Note that +sources from CVS are development quality, and may not be stable, or well +tested. To download CVS source: - #single-threaded - + cvs -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa login + cvs -z3 -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa co current + cd current -"toggle" allows you to temporarily disable all Junkbuster's filtering. Just set -"toggle 0". -The Windows version of Junkbuster puts an icon in the system tray, which allows -you to change this option without having to edit this file. If you right-click -on that icon (or select the "Options" menu), one choice is "Enable". Clicking -on enable toggles Junkbuster on and off. This is useful if you want to -temporarily disable Junkbuster, e.g., to access a site that requires cookies -which you normally have blocked. +This will create a directory named current/, which will contain the source +tree. -"toggle 1" means Junkbuster runs normally, "toggle 0" means that Junkbuster -becomes a non-anonymizing non-blocking proxy. Default: 1. +Then, in either case, to build from unpacked tarball or CVS source: - toggle 1 - + autoheader + autoconf + ./configure # (--help to see options) + make # (the make from gnu, gmake for *BSD) + su + make -n install # (to see where all the files will go) + make install # (to really install) -For content filtering, i.e. the "+filter" and "+deanimate-gif" actions, it is -neccessary that Junkbuster buffers up the entire document body. This can be -potentially dangerous, since a server could just keep sending data indefinitely -and wait for your RAM to exhaust. -The buffer-limit option lets you set the maximum size in Kbytes that each -buffer may use. When the documents buffer exceeds this size, it is flushed to -the client unfiltered and no further attempt to filter the rest of it is made. -Remember that there may multiple threads running, which might require -increasing the "buffer-limit" Kbytes each, unless you have enabled -"single-threaded" above. +If you have gnu make, you can have the first four steps automatically done for +you by just typing: - buffer-limit 4069 - + make -To enable the web-based actionsfile editor set enable-edit-actions to 1, or 0 -to disable. Note that you must have compiled JunkBuster with support for this -feature, otherwise this option has no effect. This internal page can be reached -at http://ijbswa.sourceforge.net/config/. -Security note: If this is enabled, anyone who can use the proxy can edit the -actions file, and their changes will affect all users. For shared proxies, you -probably want to disable this. Default: enabled. +in the freshly downloaded or unpacked source directory. - enable-edit-actions 1 - +For more detailed instructions on how to build Redhat and SuSE RPMs, Windows +self-extracting installers, building on platforms with special requirements +etc, please consult the developer manual. + +------------------------------------------------------------------------------- -Allow JunkBuster to be toggled on and off remotely, using your web browser. Set -"enable-remote-toggle"to 1 to enable, and 0 to disable. Note that you must have -compiled JunkBuster with support for this feature, otherwise this option has no -effect. +2.3. Keeping your Installation Up-to-Date -Security note: If this is enabled, anyone who can use the proxy can toggle it -on or off, and their changes will affect all users. For shared proxies, you -probably want to disable this. Default: enabled. +As user feedback comes in and development continues, we will make updated +versions of both the main actions file (as a separate package) and the software +itself (including the actions file) available for download. - enable-remote-toggle 1 - +If you wish to receive an email notification whenever we release updates of +Privoxy or the actions file, subscribe to our announce mailing list, +ijbswa-announce@lists.sourceforge.net. + +In order not to loose your personal changes and adjustments when updating to +the latest default.action file we strongly recommend that you use user.action +for your customization of Privoxy. See the Chapter on actions files for +details. ------------------------------------------------------------------------------- -Access Control List (ACL) +3. Note to Upgraders -Access controls are included at the request of some ISPs and systems -administrators, and are not usually needed by individual users. Please note the -warnings in the FAQ that this proxy is not intended to be a substitute for a -firewall or to encourage anyone to defer addressing basic security weaknesses. +There are very significant changes from earlier Junkbuster versions to the +current Privoxy. The number, names, syntax, and purposes of configuration files +have substantially changed. Junkbuster 2.0.x configuration files will not +migrate, Junkbuster 2.9.x and Privoxy configurations will need to be ported. +The functionalities of the old blockfile, cookiefile and imagelist are now +combined into the "actions files". default.action, is the main actions file. +Local exceptions should best be put into user.action. -If no access settings are specified, the proxy talks to anyone that connects. -If any access settings file are specified, then the proxy talks only to IP -addresses permitted somewhere in this file and not denied later in this file. +A "filter file" (typically default.filter) is new as of Privoxy 2.9.x, and +provides some of the new sophistication (explained below). config is much the +same as before. -Summary -- if using an ACL: +If upgrading from a 2.0.x version, you will have to use the new config files, +and possibly adapt any personal rules from your older files. When porting +personal rules over from the old blockfile to the new actions files, please +note that even the pattern syntax has changed. If upgrading from 2.9.x +development versions, it is still recommended to use the new configuration +files. -Client must have permission to receive service. +A quick list of things to be aware of before upgrading: -LAST match in ACL wins. + * The default listening port is now 8118 due to a conflict with another + service (NAS). -Default behavior is to deny service. + * Some installers may remove earlier versions completely. Save any important + configuration files! -The syntax for an entry in the Access Control List is: + * Privoxy is controllable with a web browser at the special URL: http:// + config.privoxy.org/ (Shortcut: http://p.p/). Many aspects of configuration + can be done here, including temporarily disabling Privoxy. - ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ] - + * The primary configuration files for cookie management, ad and banner + blocking, and many other aspects of Privoxy configuration are the actions + files. It is strongly recommended to become familiar with the new actions + concept below, before modifying these files. Locally defined rules should + go into user.action. -Where the individual fields are: + * Some installers may not automatically start Privoxy after installation. - ACTION = "permit-access" or "deny-access" +------------------------------------------------------------------------------- - SRC_ADDR = client hostname or dotted IP address - SRC_MASKLEN = number of bits in the subnet mask for the source +4. Quickstart to Using Privoxy - DST_ADDR = server or forwarder hostname or dotted IP address - DST_MASKLEN = number of bits in the subnet mask for the target - + * If upgrading, from versions before 2.9.16, please back up any configuration + files. See the Note to Upgraders Section. -The field separator (FS) is whitespace (space or tab). + * Install Privoxy. See the Installation Section below for platform specific + information. -IMPORTANT NOTE: If the junkbuster is using a forwarder (see below) or a gateway -for a particular destination URL, the DST_ADDR that is examined is the address -of the forwarder or the gateway and NOT the address of the ultimate target. -This is necessary because it may be impossible for the local Junkbuster to -determine the address of the ultimate target (that's often what gateways are -used for). + * Advanced users and those who want to offer Privoxy service to more than + just their local machine should check the main config file, especially the + security-relevant options. These are off by default. -Here are a few examples to show how the ACL features work: + * Start Privoxy, if the installation program has not done this already (may + vary according to platform). See the section Starting Privoxy. -"localhost" is OK -- no DST_ADDR implies that ALL destination addresses are OK: + * Set your browser to use Privoxy as HTTP and HTTPS (SSL) proxy by setting + the proxy configuration for address of 127.0.0.1 and port 8118. (Junkbuster + and earlier versions of Privoxy used port 8000.) See the section Starting + Privoxy below for more details on this. - permit-access localhost - + * Flush your browser's disk and memory caches, to remove any cached ad + images. If using Privoxy to manage cookies, you should remove any currently + stored cookies too. -A silly example to illustrate permitting any host on the class-C subnet with -Junkbuster to go anywhere: + * A default installation should provide a reasonable starting point for most. + There will undoubtedly be occasions where you will want to adjust the + configuration, but that can be dealt with as the need arises. Little to no + initial configuration is required in most cases. - permit-access www.junkbusters.com/24 - + See the Configuration section for more configuration options, and how to + customize your installation. -Except deny one particular IP address from using it at all: + * If you experience ads that slipped through, innocent images that are + blocked, or otherwise feel the need to fine-tune Privoxy's behaviour, take + a look at the actions files. As a quick start, you might find the richly + commented examples helpful. You can also view and edit the actions files + through the web-based user interface. The Appendix "Anatomy of an Action" + has hints how to debug actions that "misbehave". - deny-access ident.junkbusters.com - + * For easy access to Privoxy's most important controls, drag the provided + Bookmarklets into your browser's personal toolbar. -You can also specify an explicit network address and subnet mask. Explicit -addresses do not have to be resolved to be used. + * Please see the section Contacting the Developers on how to report bugs or + problems with websites or to get help. - permit-access 207.153.200.0/24 - + * Now enjoy surfing with enhanced comfort and privacy! -A subnet mask of 0 matches anything, so the next line permits everyone. +------------------------------------------------------------------------------- - permit-access 0.0.0.0/0 - +4.1. Quickstart to Ad Blocking + +Ad blocking is but one of Privoxy's array of features. Many of these features +are for the technically minded advanced user. But, ad and banner blocking is +surely common ground for everybody. + +This section will provide a quick summary of ad blocking so you can get up to +speed quickly without having to read the more extensive information provided +below, though this is highly recommended. + +First a bit of a warning ... blocking ads is much like blocking SPAM: the more +aggressive you are about it, the more likely you are to block things that were +not intended. So there is a trade off here. If you want extreme ad free +browsing, be prepared to deal with more "problem" sites, and to spend more time +adjusting the configuration to solve these unintended consequences. In short, +there is not an easy way to eliminate all ads. Either take the easy way and +settle for most ads blocked with the default configuration, or jump in and +tweak it for your personal surfing habits and preferences. + +Secondly, a brief explanation of Privoxy's "actions". "Actions" in this +context, are the directives we use to tell Privoxy to perform some task +relating to HTTP transactions (i.e. web browsing). We tell Privoxy to take some +"action". Each action has a unique name and function. While there are many +potential actions in Privoxy's arsenal, only a few are used for ad blocking. +Actions, and action configuration files, are explained in depth below. + +Actions are specified in Privoxy's configuration, followed by one or more URLs +to which the action should apply. URLs can actually be URL type patterns that +use wildcards so they can apply potentially to a range of similar URLs. The +actions, together with the URL patterns are called a section. + +When you connect to a website, the full URL will either match one or more of +the sections as defined in Privoxy's configuration, or not. If so, then Privoxy +will perform the respective actions. If not, then nothing special happens. +Furthermore, web pages may contain embedded, secondary URLs that your web +browser will use to load additional components of the page, as it parses the +original page's HTML content. An ad image for instance, is just an URL embedded +in the page somewhere. The image itself may be on the same server, or a server +somewhere else on the Internet. Complex web pages will have many such embedded +URLs. + +The actions we need to know about for ad blocking are: block, handle-as-image, +and set-image-blocker: + + * block - this action stops any contact between your browser and any URL + patterns that match this action's configuration. It can be used for + blocking ads, but also anything that is determined to be unwanted. By + itself, it simply stops any communication with the remote server and sends + Privoxy's own built-in BLOCKED page instead to let you now what has + happened. + + * handle-as-image - tells Privoxy to treat this URL as an image. Privoxy's + default configuration already does this for all common image types (e.g. + GIF), but there are many situations where this is not so easy to determine. + So we'll force it in these cases. This is particularly important for ad + blocking, since only if we know that it's an image of some kind, can we + replace it with an image of our choosing, instead of the Privoxy BLOCKED + page (which would only result in a "broken image" icon). There are some + limitations to this though. For instance, you can't just brute-force an + image substitution for an entire HTML page in most situations. + + * set-image-blocker - tells Privoxy what to display in place of an ad image + that has hit a block rule. For this to come into play, the URL must match a + block action somewhere in the configuration, and, it must also match an + handle-as-image action. + + The configuration options on what to display instead of the ad are: + + pattern - a checkerboard pattern, so that an ad replacement is obvious. + This is the default. + + blank - A very small empty GIF image is displayed. This is the so-called + "invisible" configuration option. + + http:// - A redirect to any image anywhere of the user's choosing + (advanced usage). + +The quickest way to adjust any of these settings is with your browser through +the special Privoxy editor at http://config.privoxy.org/show-status (shortcut: +http://p.p/show-status). This is an internal page, and does not require +Internet access. Select the appropriate "actions" file, and click "Edit". It is +best to put personal or local preferences in user.action since this is not +meant to be overwritten during upgrades, and will over-ride the settings in +other files. Here you can insert new "actions", and URLs for ad blocking or +other purposes, and make other adjustments to the configuration. Privoxy will +detect these changes automatically. + +A quick and simple step by step example: + + * Right click on the ad image to be blocked, then select "Copy Link Location" + from the pop-up menu. + + * Set your browser to http://config.privoxy.org/show-status + + * Find user.action in the top section, and click on "Edit": + + Figure 1. Actions Files in Use + + [files-in-u] + + * You should have a section with only block listed under "Actions:". If not, + click a "Insert new section below" button, and in the new section that just + appeared, click the Edit button right under the word "Actions:". This will + bring up a list of all actions. Find block near the top, and click in the + "Enabled" column, then "Submit" just below the list. + + * Now, in the block actions section, click the "Add" button, and paste the + URL the browser got from "Copy Link Location". Remove the http:// at the + beginning of the URL. Then, click "Submit" (or "OK" if in a pop-up window). + + * Now go back to the original page, and press SHIFT-Reload (or flush all + browser caches). The image should be gone now. + +This is a very crude and simple example. There might be good reasons to use a +wildcard pattern match to include potentially similar images from the same +site. For a more extensive explanation of "patterns", and the entire actions +concept, see the Actions section. + +For advanced users who want to hand edit their config files, you might want to +now go to the Actions Files Tutorial. The ideas explained therein also apply to +the web-based editor. -Note, you cannot say: +------------------------------------------------------------------------------- - permit-access .org - +5. Starting Privoxy -to allow all *.org domains. Every IP address listed must resolve fully. +Before launching Privoxy for the first time, you will want to configure your +browser(s) to use Privoxy as a HTTP and HTTPS proxy. The default is 127.0.0.1 +(or localhost) for the proxy address, and port 8118 (earlier versions used port +8000). This is the one configuration step that must be done! -An ISP may want to provide a Junkbuster that is accessible by "the world" and -yet restrict use of some of their private content to hosts on its internal -network (i.e. its own subscribers). Say, for instance the ISP owns the Class-B -IP address block 123.124.0.0 (a 16 bit netmask). This is how they could do it: +Please note that Privoxy can only proxy HTTP and HTTPS traffic. It will not +work with FTP or other protocols. - permit-access 0.0.0.0/0 0.0.0.0/0 # other clients can go anywhere - # with the following exceptions: - - deny-access 0.0.0.0/0 123.124.0.0/16 # block all external requests for - # sites on the ISP's network +Figure 2. Proxy Configuration (Mozilla) - permit 0.0.0.0/0 www.my_isp.com # except for the ISP's main - # web site +[proxy_setu] - permit 123.124.0.0/16 0.0.0.0/0 # the ISP's clients can go - # anywhere - +With Netscape (and Mozilla), this can be set under: -Note that if some hostnames are listed with multiple IP addresses, the primary -value returned by DNS (via gethostbyname()) is used. Default: Anyone can access -the proxy. + Edit + |_ + Preferences + |_ + Advanced + |_ + Proxies + |_ + HTTP Proxy -------------------------------------------------------------------------------- +For Internet Explorer: -Forwarding + Tools + |_ + Internet Properties + |_ + Connections + |_ + LAN Settings -This feature allows chaining of HTTP requests via multiple proxies. It can be -used to better protect privacy and confidentiality when accessing specific -domains by routing requests to those domains to a special purpose filtering -proxy such as lpwa.com. Or to use a caching proxy to speed up browsing. +Then, check "Use Proxy" and fill in the appropriate info (Address: 127.0.0.1, +Port: 8118). Include HTTPS (SSL), if you want HTTPS proxy support too. -It can also be used in an environment with multiple networks to route requests -via multiple gateways allowing transparent access to multiple networks without -having to modify browser configurations. +After doing this, flush your browser's disk and memory caches to force a +re-reading of all pages and to get rid of any ads that may be cached. You are +now ready to start enjoying the benefits of using Privoxy! -Also specified here are SOCKS proxies. Junkbuster SOCKS 4 and SOCKS 4A. The -difference is that SOCKS 4A will resolve the target hostname using DNS on the -SOCKS server, not our local DNS client. +Privoxy is typically started by specifying the main configuration file to be +used on the command line. If no configuration file is specified on the command +line, Privoxy will look for a file named config in the current directory. +Except on Win32 where it will try config.txt. -The syntax of each line is: +------------------------------------------------------------------------------- - forward target_domain[:port] http_proxy_host[:port] - forward-socks4 target_domain[:port] socks_proxy_host[:port] http_proxy_host[: -port] - forward-socks4a target_domain[:port] socks_proxy_host[:port] http_proxy_host[: -port] - +5.1. Red Hat and Conectiva -If http_proxy_host is ".", then requests are not forwarded to a HTTP proxy but -are made directly to the web servers. +We use a script. Note that Red Hat does not start Privoxy upon booting per +default. It will use the file /etc/privoxy/config as its main configuration +file. -Lines are checked in sequence, and the last match wins. + # /etc/rc.d/init.d/privoxy start -There is an implicit line equivalent to the following, which specifies that -anything not finding a match on the list is to go out without forwarding or -gateway protocol, like so: - forward .* . # implicit - +------------------------------------------------------------------------------- -In the following common configuration, everything goes to Lucent's LPWA, except -SSL on port 443 (which it doesn't handle): +5.2. Debian - forward .* lpwa.com:8000 - forward :443 . - +We use a script. Note that Debian starts Privoxy upon booting per default. It +will use the file /etc/privoxy/config as its main configuration file. -See the FAQ for instructions on how to automate the login procedure for LPWA. -Some users have reported difficulties related to LPWA's use of "." as the last -element of the domain, and have said that this can be fixed with this: + # /etc/init.d/privoxy start - forward lpwa. lpwa.com:8000 - -(NOTE: the syntax for specifiying target_domain has changed since the previous -paragraph was written -- it will not work now. More information is welcome.) +------------------------------------------------------------------------------- -In this fictitious example, everything goes via an ISP's caching proxy, except -requests to that ISP: +5.3. SuSE - forward .* caching.myisp.net:8000 - forward myisp.net . - +We use a script. It will use the file /etc/privoxy/config as its main +configuration file. Note that SuSE starts Privoxy upon booting your PC. -For the @home network, we're told the forwarding configuration is this: + # rcprivoxy start - forward .* proxy:8080 - -Also, we're told they insist on getting cookies and JavaScript, so you need to -add home.com to the cookie file. We consider JavaScript a security risk. Java -need not be enabled. +------------------------------------------------------------------------------- -In this example direct connections are made to all "internal" domains, but -everything else goes through Lucent's LPWA by way of the company's SOCKS -gateway to the Internet. +5.4. Windows - forward_socks4 .* lpwa.com:8000 firewall.my_company.com:1080 - forward my_company.com . - +Click on the Privoxy Icon to start Privoxy. If no configuration file is +specified on the command line, Privoxy will look for a file named config.txt. +Note that Windows will automatically start Privoxy upon booting you PC. -This is how you could set up a site that always uses SOCKS but no forwarders: +------------------------------------------------------------------------------- - forward_socks4a .* . firewall.my_company.com:1080 - +5.5. Solaris, NetBSD, FreeBSD, HP-UX and others -An advanced example for network administrators: +Example Unix startup command: -If you have links to multiple ISPs that provide various special content to -their subscribers, you can configure forwarding to pass requests to the -specific host that's connected to that ISP so that everybody can see all of the -content on all of the ISPs. + # /usr/sbin/privoxy /etc/privoxy/config -This is a bit tricky, but here's an example: -host-a has a PPP connection to isp-a.com. And host-b has a PPP connection to -isp-b.com. host-a can run a Junkbuster proxy with forwarding like this: +------------------------------------------------------------------------------- - forward .* . - forward isp-b.com host-b:8000 - +5.6. OS/2 -host-b can run a Junkbuster proxy with forwarding like this: +During installation, Privoxy is configured to start automatically when the +system restarts. You can start it manually by double-clicking on the Privoxy +icon in the Privoxy folder. - forward .* . - forward isp-a.com host-a:8000 - +------------------------------------------------------------------------------- -Now, anyone on the Internet (including users on host-a and host-b) can set -their browser's proxy to either host-a or host-b and be able to browse the -content on isp-a or isp-b. - -Here's another practical example, for University of Kent at Canterbury students -with a network connection in their room, who need to use the University's Squid -web cache. - - forward *. ssbcache.ukc.ac.uk:3128 # Use the proxy, except for: - forward .ukc.ac.uk . # Anything on the same domain as us - forward * . # Host with no domain specified - forward 129.12.*.* . # A dotted IP on our /16 network. - forward 127.*.*.* . # Loopback address - forward localhost.localdomain . # Loopback address - forward www.ukc.mirror.ac.uk . # Specific host - +5.7. Mac OSX -If you intend to chain Junkbuster and squid locally, then chain as browser -> -squid -> junkbuster is the recommended way. +During installation, Privoxy is configured to start automatically when the +system restarts. To start Privoxy by hand, double-click on the +StartPrivoxy.command icon in the /Library/Privoxy folder. Or, type this command +in the Terminal: -Your squid configuration could then look like this: + /Library/Privoxy/StartPrivoxy.command - # Define junkbuster as parent cache - - cache_peer 127.0.0.1 parent 8000 0 no-query - - # Define ACL for protocol FTP - acl FTP proto FTP - # Do not forward ACL FTP to junkbuster - always_direct allow FTP - # Do not forward ACL CONNECT (https) to junkbuster - always_direct allow CONNECT +You will be prompted for the administrator password. - # Forward the rest to junkbuster - never_direct allow all - +------------------------------------------------------------------------------- + +5.8. AmigaOS + +Start Privoxy (with RUN <>NIL:) in your startnet script (AmiTCP), in +s:user-startup (RoadShow), as startup program in your startup script (Genesis), +or as startup action (Miami and MiamiDx). Privoxy will automatically quit when +you quit your TCP/IP stack (just ignore the harmless warning your TCP/IP stack +may display that Privoxy is still running). ------------------------------------------------------------------------------- -Windows GUI Options +5.9. Gentoo -Junkbuster has a number of options specific to the Windows GUI interface: +A script is again used. It will use the file /etc/privoxy/config as its main +configuration file. -If "activity-animation" is set to 1, the Junkbuster icon will animate when -"Junkbuster" is active. To turn off, set to 0. + /etc/init.d/privoxy start - activity-animation 1 - -If "log-messages" is set to 1, Junkbuster will log messages to the console -window: - log-messages 1 - +Note that Privoxy is not automatically started at boot time by default. You can +change this with the rc-update command. -If "log-buffer-size" is set to 1, the size of the log buffer, i.e. the amount -of memory used for the log messages displayed in the console window, will be -limited to "log-max-lines" (see below). + rc-update add privoxy default -Warning: Setting this to 0 will result in the buffer to grow infinitely and eat -up all your memory! - log-buffer-size 1 - -log-max-lines is the maximum number of lines held in the log buffer. See above. +------------------------------------------------------------------------------- - log-max-lines 200 - +5.10. Command Line Options -If "log-highlight-messages" is set to 1, Junkbuster will highlight portions of -the log messages with a bold-faced font: +Privoxy may be invoked with the following command-line options: - log-highlight-messages 1 - + * --version -The font used in the console window: + Print version info and exit. Unix only. - log-font-name Comic Sans MS - + * --help -Font size used in the console window: + Print short usage info and exit. Unix only. - log-font-size 8 - + * --no-daemon -"show-on-task-bar" controls whether or not Junkbuster will appear as a button -on the Task bar when minimized: + Don't become a daemon, i.e. don't fork and become process group leader, and + don't detach from controlling tty. Unix only. - show-on-task-bar 0 - + * --pidfile FILE -If "close-button-minimizes" is set to 1, the Windows close button will minimize -Junkbuster instead of closing the program (close with the exit option on the -File menu). + On startup, write the process ID to FILE. Delete the FILE on exit. Failure + to create or delete the FILE is non-fatal. If no FILE option is given, no + PID file will be used. Unix only. - close-button-minimizes 1 - + * --user USER[.GROUP] -The "hide-console" option is specific to the MS-Win console version of -JunkBuster. If this option is used, Junkbuster will disconnect from and hide -the command console. + After (optionally) writing the PID file, assume the user ID of USER, and if + included the GID of GROUP. Exit if the privileges are not sufficient to do + so. Unix only. - #hide-console - + * --chroot -------------------------------------------------------------------------------- + Before changing to the user ID given in the --user option, chroot to that + user's home directory, i.e. make the kernel pretend to the Privoxy process + that the directory tree starts there. If set up carefully, this can limit + the impact of possible vulnerabilities in Privoxy to the files contained in + that hierarchy. Unix only. -The Actions File + * configfile -The "actionsfile" is used to define what actions Junkbuster takes, and thus -determines how images, cookies and various other aspects of HTTP content and -transactions are handled. Images can be anything you want, including ads, -banners, or just some obnoxious image that you would rather not see. Cookies -can be accepted or rejected. The default file is in fact named actionsfile. + If no configfile is included on the command line, Privoxy will look for a + file named "config" in the current directory (except on Win32 where it will + look for "config.txt" instead). Specify full path to avoid confusion. If no + config file is found, Privoxy will fail to start. -To determine which actions apply to a request, the URL of the request is -compared to all patterns in this file. Every time it matches, the list of -applicable actions for the URL is incrementally updated. You can trace this -process by visiting http://i.j.b/show-url-info. +------------------------------------------------------------------------------- -There are four types of lines in this file: comments (begin with a "#" -character), actions, aliases and patterns, all of which are explained below. +6. Privoxy Configuration + +All Privoxy configuration is stored in text files. These files can be edited +with a text editor. Many important aspects of Privoxy can also be controlled +easily with a web browser. ------------------------------------------------------------------------------- -URL Domain and Path Syntax +6.1. Controlling Privoxy with Your Web Browser -Generally, a pattern has the form /, where both the and - part are optional. If you only specify a domain part, the "/" can be -left out: +Privoxy's user interface can be reached through the special URL http:// +config.privoxy.org/ (shortcut: http://p.p/), which is a built-in page and works +without Internet access. You will see the following section: -www.example.com - is a domain only pattern and will match any request to -"www.example.com". + Privoxy Menu + ? View & change the current configuration + ? View the source code version numbers + ? View the request headers. + ? Look up which actions apply to a URL and why + ? Toggle Privoxy on or off + ? Documentation -www.example.com/ - means exactly the same. -www.example.com/index.html - matches only the single document "/index.html" on -"www.example.com". +This should be self-explanatory. Note the first item leads to an editor for the +actions files, which is where the ad, banner, cookie, and URL blocking magic is +configured as well as other advanced features of Privoxy. This is an easy way +to adjust various aspects of Privoxy configuration. The actions file, and other +configuration files, are explained in detail below. -/index.html - matches the document "/index.html", regardless of the domain. +"Toggle Privoxy On or Off" is handy for sites that might have problems with +your current actions and filters. You can in fact use it as a test to see +whether it is Privoxy causing the problem or not. Privoxy continues to run as a +proxy in this case, but all manipulation is disabled, i.e. Privoxy acts like a +normal forwarding proxy. There is even a toggle Bookmarklet offered, so that +you can toggle Privoxy with one click from your browser. -index.html - matches nothing, since it would be interpreted as a domain name -and there is no top-level domain called ".html". +------------------------------------------------------------------------------- -The matching of the domain part offers some flexible options: if the domain -starts or ends with a dot, it becomes unanchored at that end. For example: +6.2. Configuration Files Overview + +For Unix, *BSD and Linux, all configuration files are located in /etc/privoxy/ +by default. For MS Windows, OS/2, and AmigaOS these are all in the same +directory as the Privoxy executable. + +The installed defaults provide a reasonable starting point, though some +settings may be aggressive by some standards. For the time being, the principle +configuration files are: + + * The main configuration file is named config on Linux, Unix, BSD, OS/2, and + AmigaOS and config.txt on Windows. This is a required file. + + * default.action (the main actions file) is used to define which "actions" + relating to banner-blocking, images, pop-ups, content modification, cookie + handling etc should be applied by default. It also defines many exceptions + (both positive and negative) from this default set of actions that enable + Privoxy to selectively eliminate the junk, and only the junk, on as many + websites as possible. + + Multiple actions files may be defined in config. These are processed in the + order they are defined. Local customizations and locally preferred + exceptions to the default policies as defined in default.action (which you + will most probably want to define sooner or later) are probably best + applied in user.action, where you can preserve them across upgrades. + standard.action is for Privoxy's internal use. + + There is also a web based editor that can be accessed from http:// + config.privoxy.org/show-status (Shortcut: http://p.p/show-status) for the + various actions files. + + * default.filter (the filter file) can be used to re-write the raw page + content, including viewable text as well as embedded HTML and JavaScript, + and whatever else lurks on any given web page. The filtering jobs are only + pre-defined here; whether to apply them or not is up to the actions files. + Only one filter file may be defined. + +All files use the "#" character to denote a comment (the rest of the line will +be ignored) and understand line continuation through placing a backslash ("\") +as the very last character in a line. If the # is preceded by a backslash, it +looses its special function. Placing a # in front of an otherwise valid +configuration line to prevent it from being interpreted is called "commenting +out" that line. + +The actions files and default.filter can use Perl style regular expressions for +maximum flexibility. + +After making any changes, there is no need to restart Privoxy in order for the +changes to take effect. Privoxy detects such changes automatically. Note, +however, that it may take one or two additional requests for the change to take +effect. When changing the listening address of Privoxy, these "wake up" +requests must obviously be sent to the old listening address. -.example.com - matches any domain that ENDS in ".example.com". +------------------------------------------------------------------------------- -www. - matches any domain that STARTS with "www". +7. The Main Configuration File -Additionally, there are wildcards that you can use in the domain names -themselves. They work pretty similar to shell wildcards: "*" stands for zero or -more arbitrary characters, "?" stands for any single character. And you can -define charachter classes in square brackets and they can be freely mixed: +Again, the main configuration file is named config on Linux/Unix/BSD and OS/2, +and config.txt on Windows. Configuration lines consist of an initial keyword +followed by a list of values, all separated by whitespace (any number of spaces +or tabs). For example: -ad*.example.com - matches "adserver.example.com", "ads.example.com", etc but -not "sfads.example.com". + confdir /etc/privoxy -*ad*.example.com - matches all of the above, and then some. +Assigns the value /etc/privoxy to the option confdir and thus indicates that +the configuration directory is named "/etc/privoxy/". -.?pix.com - matches "www.ipix.com", "pictures.epix.com", "a.b.c.d.e.upix.com", -etc. +All options in the config file except for confdir and logdir are optional. +Watch out in the below description for what happens if you leave them unset. -www[1-9a-ez].example.com - matches "www1.example.com", "www4.example.com", -"wwwd.example.com", "wwwz.example.com", etc., but not "wwww.example.com". +The main config file controls all aspects of Privoxy's operation that are not +location dependent (i.e. they apply universally, no matter where you may be +surfing). -If Junkbuster was compiled with "pcre" support (default), Perl compatible -regular expressions can be used. See the pcre/docs/ direcory or "man perlre" -(also available on http://www.perldoc.com/perl5.6/pod/perlre.html) for details. -A brief discussion of regular expressions is in the Appendix. For instance: +------------------------------------------------------------------------------- -/.*/advert[0-9]+\.jpe?g - would match a URL from any domain, with any path that -includes "advert" followed immediately by one or more digits, then a "." and -ending in either "jpeg" or "jpg". So we match "example.com/ads/advert2.jpg", -and "www.example.com/ads/banners/advert39.jpeg", but not "www.example.com/ads/ -banners/advert39.gif" (no gifs in the example pattern). +7.1. Configuration and Log File Locations -Please note that matching in the path is case INSENSITIVE by default, but you -can switch to case sensitive at any point in the pattern by using the "(?-i)" -switch: +Privoxy can (and normally does) use a number of other files for additional +configuration, help and logging. This section of the configuration file tells +Privoxy where to find those other files. -www.example.com/(?-i)PaTtErN.* - will match only documents whose path starts -with "PaTtErN" in exactly this capitalization. +The user running Privoxy, must have read permission for all configuration +files, and write permission to any files that would be modified, such as log +files and actions files. ------------------------------------------------------------------------------- -Actions +7.1.1. confdir -Actions are enabled if preceded with a "+", and disabled if preceded with a -"-". Actions are invoked by enclosing the action name in curly braces (e.g. -{+some_action}), followed by a list of URLs to which the action applies. There -are three classes of actions: +Specifies: - * Boolean (e.g. "+/-block"): - - {+name} # enable this action - {-name} # disable this action - - - * Parameterized (e.g. "+/-hide-user-agent"): - - {+name{param}} # enable action and set parameter to "param" - {-name} # disable action - - - * Multi-value (e.g. "{+/-add-header{Name: value}}", "{+/-wafer{name=value}} - "): - - {+name{param}} # enable action and add parameter "param" - {-name{param}} # remove the parameter "param" - {-name} # disable this action totally - - -If nothing is specified in this file, no "actions" are taken. So in this case -JunkBuster would just be a normal, non-blocking, non-anonymizing proxy. You -must specifically enable the privacy and blocking features you need (although -the provided default actionsfile file will give a good starting point). + The directory where the other configuration files are located -Later defined actions always over-ride earlier ones. For multi-valued actions, -the actions are applied in the order they are specified. +Type of value: -The list of valid Junkbuster "actions" are: + Path name - * Add the specified HTTP header, which is not checked for validity. You may - specify this many times to specify many different headers: - - +add-header{Name: value} - - - * Block this URL totally. - - +block - - - * De-animate all animated GIF images, i.e. reduce them to their last frame. - This will also shrink the images considerably (in bytes, not pixels!). If - the option "first" is given, the first frame of the animation is used as - the replacement. If "last" is given, the last frame of the animation is - used instead, which propably makes more sense for most banner animations, - but also has the risk of not showing the entire last frame (if it is only a - delta to an earlier frame). - - +deanimate-gifs{last} - +deanimate-gifs{first} - - - * "+downgrade" will downgrade HTTP/1.1 client requests to HTTP/1.0 and - downgrade the responses as well. Use this action for servers that use HTTP/ - 1.1 protocol features that Junkbuster doesn't handle well yet. HTTP/1.1 is - only partially implemented. Default is not to downgrade requests. - - +downgrade - - - * Many sites, like yahoo.com, don't just link to other sites. Instead, they - will link to some script on their own server, giving the destination as a - parameter, which will then redirect you to the final target. URLs resulting - from this scheme typically look like: http://some.place/some_script?http:// - some.where-else. - - Sometimes, there are even multiple consecutive redirects encoded in the - URL. These redirections via scripts make your web browing more traceable, - since the server from which you follow such a link can see where you go to. - Apart from that, valuable bandwidth and time is wasted, while your browser - ask the server for one redirect after the other. Plus, it feeds the - advertisers. - - The "+fast-redirects" option enables interception of these requests by - Junkbuster, who will cut off all but the last valid URL in the request and - send a local redirect back to your browser without contacting the remote - site. - - +fast-redirects - - - * Filter the website through the re_filterfile: - - +filter{filename} - - - * Block any existing X-Forwarded-for header, and do not add a new one: - - +hide-forwarded - - - * If the browser sends a "From:" header containing your e-mail address, this - either completely removes the header ("block"), or changes it to the - specified e-mail address. - - +hide-from{block} - +hide-from{spam@sittingduck.xqq} - - - * Don't send the "Referer:" (sic) header to the web site. You can block it, - forge a URL to the same server as the request (which is preferred because - some sites will not send images otherwise) or set it to a constant string - of your choice. - - +hide-referer{block} - +hide-referer{forge} - +hide-referer{http://nowhere.com} - - - * Alternative spelling of "+hide-referer". It has the same parameters, and - can be freely mixed with, "+hide-referer". ("referrer" is the correct - English spelling, however the HTTP specification has a bug - it requires it - to be spelled "referer".) - - +hide-referrer{...} - - - * Change the "User-Agent:" header so web servers can't tell your browser - type. Warning! This breaks many web sites. Specify the user-agent value you - want. Example, pretend to be using Netscape on Linux: - - +hide-user-agent{Mozilla (X11; I; Linux 2.0.32 i586)} - - - * Treat this URL as an image. This only matters if it's also "+block"ed, in - which case a "blocked" image can be sent rather than a HTML page. See - "+image-blocker{}" below for the control over what is actually sent. - - +image - - - * Decides what to do with URLs that end up tagged with "{+block +image}". - There are 4 options. "-image-blocker" will send a HTML "blocked" page, - usually resulting in a "broken image" icon. "+image-blocker{logo}" will - send a "JunkBuster" image. "+image-blocker{blank}" will send a 1x1 - transparent GIF image. And finally, "+image-blocker{http://xyz.com}" will - send a HTTP temporary redirect to the specified image. This has the - advantage of the icon being being cached by the browser, which will speed - up the display. - - +image-blocker{logo} - +image-blocker{blank} - +image-blocker{http://i.j.b/send-banner} - - - * By default (i.e. in the absence of a "+limit-connect" action), Junkbuster - will only allow CONNECT requests to port 443, which is the standard port - for https as a precaution. - - The CONNECT methods exists in HTTP to allow access to secure websites - (https:// URLs) through proxies. It works very simply: the proxy connects - to the server on the specified port, and then short-circuits its - connections to the client and to the remote proxy. This can be a big - security hole, since CONNECT-enabled proxies can be abused as TCP relays - very easily. - - If you want to allow CONNECT for more ports than this, or want to forbid - CONNECT altogether, you can specify a comma separated list of ports and - port ranges (the latter using dashes, with the minimum defaulting to 0 and - max to 65K): - - +limit-connect{443} # This is the default and need no be specified. - +limit-connect{80,443} # Ports 80 and 443 are OK. - +limit-connect{-3, 7, 20-100, 500-} # Port less than 3, 7, 20 to 100 - #and above 500 are OK. - - - * "+no-compression" prevents the website from compressing the data. Some - websites do this, which can be a problem for Junkbuster, since "+filter", - "+no-popup" and "+gif-deanimate" will not work on compressed data. This - will slow down connections to those websites, though. Default is - "nocompression" is turned on. - - +nocompression - - - * Prevent the website from reading cookies: - - +no-cookies-read - - - * Prevent the website from setting cookies: - - +no-cookies-set - - - * Filter the website through a built-in filter to disable those obnoxious - JavaScript pop-up windows via window.open(), etc. The two alternative - spellings are equivalent. - - +no-popup - +no-popups - - - * This action only applies if you are using a jarfile for saving cookies. It - sends a cookie to every site stating that you do not accept any copyright - on cookies sent to you, and asking them not to track you. Of course, this - is a (relatively) unique header they could use to track you. - - +vanilla-wafer - - - * This allows you to add an arbitrary cookie. It can be specified multiple - times in order to add as many cookies as you like. - - +wafer{name=value} - - -The meaning of any of the above is reversed by preceding the action with a "-", -in place of the "+". - -Some examples: - -Turn off cookies by default, then allow a few through for specified sites: - - # Turn off all cookies - { +no-cookies-read } - { +no-cookies-set } - - # Execeptions to the above, sites that need cookies - { -no-cookies-read } - { -no-cookies-set } - .javasoft.com - .sun.com - .yahoo.com - .msdn.microsoft.com - .redhat.com - - # Alternative way of saying the same thing - {-no-cookies-set -no-cookies-read} - .sourceforge.net - .sf.net - +Default value: -Now turn off "fast redirects", and then we allow two exceptions: + /etc/privoxy (Unix) or Privoxy installation dir (Windows) - # Turn them off! - {+fast-redirects} - - # Reverse it for these two sites, which don't work right without it. - {-fast-redirects} - www.ukc.ac.uk/cgi-bin/wac\.cgi\? - login.yahoo.com - +Effect if unset: -Turn on page filtering, with one exception for sourceforge: + Mandatory - # Run everything through the default filter file (re_filterfile): - {+filter} - - # But please don't re_filter code from sourceforge! - {-filter} - .cvs.sourceforge.net - +Notes: -Now some URLs that we want "blocked", ie we won't see them. Many of these use -regular expressions that will expand to match multiple URLs: - - # Blocklist: - {+block} - /.*/(.*[-_.])?ads?[0-9]?(/|[-_.].*|\.(gif|jpe?g)) - /.*/(.*[-_.])?count(er)?(\.cgi|\.dll|\.exe|[?/]) - /.*/(ng)?adclient\.cgi - /.*/(plain|live|rotate)[-_.]?ads?/ - /.*/(sponsor)s?[0-9]?/ - /.*/_?(plain|live)?ads?(-banners)?/ - /.*/abanners/ - /.*/ad(sdna_image|gifs?)/ - /.*/ad(server|stream|juggler)\.(cgi|pl|dll|exe) - /.*/adbanners/ - /.*/adserver - /.*/adstream\.cgi - /.*/adv((er)?ts?|ertis(ing|ements?))?/ - /.*/banner_?ads/ - /.*/banners?/ - /.*/banners?\.cgi/ - /.*/cgi-bin/centralad/getimage - /.*/images/addver\.gif - /.*/images/marketing/.*\.(gif|jpe?g) - /.*/popupads/ - /.*/siteads/ - /.*/sponsor.*\.gif - /.*/sponsors?[0-9]?/ - /.*/advert[0-9]+\.jpg - /Media/Images/Adds/ - /ad_images/ - /adimages/ - /.*/ads/ - /bannerfarm/ - /grafikk/annonse/ - /graphics/defaultAd/ - /image\.ng/AdType - /image\.ng/transactionID - /images/.*/.*_anim\.gif # alvin brattli - /ip_img/.*\.(gif|jpe?g) - /rotateads/ - /rotations/ - /worldnet/ad\.cgi - /cgi-bin/nph-adclick.exe/ - /.*/Image/BannerAdvertising/ - /.*/ad-bin/ - /.*/adlib/server\.cgi - /autoads/ - + No trailing "/", please + + When development goes modular and multi-user, the blocker, filter, and + per-user config will be stored in subdirectories of "confdir". For now, the + configuration directory structure is flat, except for confdir/templates, + where the HTML templates for CGI output reside (e.g. Privoxy's 404 error + page). ------------------------------------------------------------------------------- -Aliases +7.1.2. logdir -Custom "actions", known to Junkbuster as "aliases", can be defined by combining -other "actions". These can in turn be invoked just like the built-in "actions". -Currently, an alias can contain any character except space, tab, "=", "{" or "} -". But please use only "a"- "z", "0"-"9", "+", and "-". Alias names are not -case sensitive, and must be defined before anything else in actionsfile! And -there can only be one set of "aliases" defined. +Specifies: -Now let's define a few aliases: + The directory where all logging takes place (i.e. where logfile and jarfile + are located) - # Useful customer aliases we can use later. These must come first! - {{alias}} - +no-cookies = +no-cookies-set +no-cookies-read - -no-cookies = -no-cookies-set -no-cookies-read - fragile = - -block -no-cookies -filter -fast-redirects -hide-referer -no-popups - shop = -no-cookies -filter -fast-redirects - +imageblock = +block +image - - #For people who don't like to type too much: ;-) - c0 = +no-cookies - c1 = -no-cookies - c2 = -no-cookies-set +no-cookies-read - c3 = +no-cookies-set -no-cookies-read - #... etc. Customize to your heart's content. - +Type of value: -Some examples using our "shop" and "fragile" aliases from above: + Path name - # These sites are very complex and require - # minimal interference. - {fragile} - .office.microsoft.com - .windowsupdate.microsoft.com - .nytimes.com +Default value: - # Shopping sites - still want to block ads. - {shop} - .quietpc.com - .worldpay.com # for quietpc.com - .jungle.com - .scan.co.uk + /var/log/privoxy (Unix) or Privoxy installation dir (Windows) - # These shops require pop-ups - {shop -no-popups} - .dabs.com - .overclockers.co.uk - +Effect if unset: -------------------------------------------------------------------------------- + Mandatory -The Filter File +Notes: -The filter file defines what filtering of web pages Junkbuster does. The -default filter file is re_filterfile, located in the config directory. In this -file, any document content, whether viewable text or embedded non-visible -content, can be changed. + No trailing "/", please -This file uses regular expressions to alter or remove any string in the target -page. Some examples from the included default re_filterfile: +------------------------------------------------------------------------------- -Stop web pages from displaying annoying messages in the status bar by deleting -such references: +7.1.3. actionsfile - # The status bar is for displaying link targets, not pointless buzzwords. - # Again, check it out on http://www.airport-cgn.de/. - s/status='.*?';*//ig - +Specifies: -Just for kicks, replace any occurrence of "Microsoft" with "MicroSuck": + The actions file(s) to use - s/microsoft(?!.com)/MicroSuck/ig - +Type of value: -Kill those auto-refresh tags: + File name, relative to confdir, without the .action suffix - # Kill refresh tags. I like to refresh myself. Manually. - # check it out on http://www.airport-cgn.de/ and go to the arrivals page. - # - s/]*http-equiv[^>]*refresh.*URL=([^>]*?)"?>//i - s/]*http-equiv="?page-enter"?[^>]*content=[^>]*>//i - +Default values: -------------------------------------------------------------------------------- + standard # Internal purposes, no editing recommended -Quickstart to Using Junkbuster + default # Main actions file -Install package, then run and enjoy! Junbuster accepts only one command line -option -- the configuration file to be used. Example Unix startup command: + user # User customizations - - # /usr/sbin/junkbuster /etc/junkbuster/config & - - +Effect if unset: -If no configuration file is specified on the command line, Junkbuster will look -for a file named config in the current directory. Except on Amiga where it will -look for AmiTCP:db/junkbuster/config and Win32 where it will try junkbstr.txt. -If no file is specified on the command line and no default configuration file -can be found, Junkbuster will fail to start. + No actions are taken at all. Simple neutral proxying. -Be sure your browser is set to use the proxy which is by default at localhost, -port 8000. With Netscape (and Mozilla), this can be set under Edit -> -Preferences -> Advanced -> Proxies -> HTTP Proxy. For Internet Explorer: Tools -> Internet Properties -> Connections -> LAN Setting. Then, check "Use Proxy" -and fill in the appropriate info (Address: localhost, Port: 8000). Include if -HTTPS proxy support too. +Notes: -The included default configuration files should give a reasonable starting -point, though may be somewhat aggressive in blocking junk. You will probably -want to keep an eye out for sites that require cookies, and add these to -actionsfile as needed. By default, most of these will be blocked until you add -them to the configuration. If you want the browser to handle this instead, you -will need to edit actionsfile and disable this feature. If you use more than -one browser, it would make more sense to let Junkbuster handle this. In which -case, the browser(s) should be set to accept all cookies. + Multiple actionsfile lines are permitted, and are in fact recommended! -If a particular site shows problems loading properly, try adding it to the -{fragile} section of actionsfile. This will turn off most actions for this -site. + The default values include standard.action, which is used for internal + purposes and should be loaded, default.action, which is the "main" actions + file maintained by the developers, and user.action, where you can make your + personal additions. -HTTP/1.1 support is not fully implemented. If browsers that support HTTP/1.1 -(like Mozilla or recent versions of I.E.) experience problems, you might try to -force HTTP/1.0 compatiblity. For Mozilla, look under Edit -> Preferences -> -Debug -> Networking. Or set the "+downgrade" config option in actionsfile. + Actions files are where all the per site and per URL configuration is done + for ad blocking, cookie management, privacy considerations, etc. There is + no point in using Privoxy without at least one actions file. -After running Junkbuster for a while, you can start to fine tune the -configuration to suit your personal, or site, preferences and requirements. -There are many, many aspects that can be customized. "Actions" (from -actionsfile) can be adjusted by pointing your browser to http:// -ijbswa.sourceforge.net/config/, and then follow the link to "edit the actions -list". (This is an internal page and does not require Internet access.) +------------------------------------------------------------------------------- -In fact, various aspects of Junkbuster configuration can be viewed from this -page, including current configuration parameters, source code version numbers, -the browser's request headers, and "actions" that apply to a given URL. In -addition to the actionsfile editor mentioned above, Junkbuster can also be -turned "on" and "off" from this page. +7.1.4. filterfile -If you encounter problems, please verify it is a Junkbuster bug, by disabling -Junkbuster, and then trying the same page. Also, try another browser if -possible to eliminate browser or site problems. Before reporting it as a bug, -see if there is not a configuration option that is enabled that is causing the -page not to load. You can then add an exception for that page or site. If a -bug, please report it to the developers (see below). +Specifies: -------------------------------------------------------------------------------- + The filter file to use -Contact the Developers +Type of value: -Feature requests and other questions should be posted to the Feature request -page at SourceForge. There is also an archive there. + File name, relative to confdir -Anyone interested in actively participating in development and related -discussions can join the appropriate mailing list here. Archives are available -here too. +Default value: -Please report bugs, using the form at Sourceforge. Please try to verify that it -is a Junkbuster bug, and not a browser or site bug first. Also, check to make -sure this is not already a known bug. + default.filter (Unix) or default.filter.txt (Windows) -------------------------------------------------------------------------------- +Effect if unset: -Copyright and History + No textual content filtering takes place, i.e. all +filter{name} actions in + the actions files are turned neutral. -License +Notes: -Internet Junkbuster is free software; you can redistribute it and/or modify it -under the terms of the GNU General Public License as published by the Free -Software Foundation; either version 2 of the License, or (at your option) any -later version. + The filter file contains content modification rules that use regular + expressions. These rules permit powerful changes on the content of Web + pages, e.g., you could disable your favorite JavaScript annoyances, + re-write the actual displayed text, or just have some fun replacing + "Microsoft" with "MicroSuck" wherever it appears on a Web page. -This program is distributed in the hope that it will be useful, but WITHOUT ANY -WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A -PARTICULAR PURPOSE. See the GNU General Public License for more details, which -is available from the Free Software Foundation, Inc, 59 Temple Place - Suite -330, Boston, MA 02111-1307, USA. + The +filter{name} actions rely on the relevant filter (name) to be defined + in the filter file! + + A pre-defined filter file called default.filter that contains a bunch of + handy filters for common problems is included in the distribution. See the + section on the filter action for a list. ------------------------------------------------------------------------------- -History +7.1.5. logfile -Junkbuster was originally written by Anonymous Coders and JunkBusters -Corporation, and was released as free open-source software under the GNU GPL. -Stefan Waldherr made many improvements, and started the SourceForge project to -rekindle development. The last stable release was v2.0.2, which has now grown -whiskers ;-). +Specifies: -------------------------------------------------------------------------------- + The log file to use -See also +Type of value: - http://sourceforge.net/projects/ijbswa + File name, relative to logdir - http://ijbswa.sourceforge.net/ +Default value: - http://ijbswa.sourceforge.net/config/ + logfile (Unix) or privoxy.log (Windows) - http://www.junkbusters.com/ht/en/cookies.html +Effect if unset: - http://www.waldherr.org/junkbuster/ + No log file is used, all log messages go to the console (STDERR). - http://privacy.net/analyze/ +Notes: - http://www.squid-cache.org/ + The logfile is where all logging and error messages are written. The level + of detail and number of messages are set with the debug option (see below). + The logfile can be useful for tracking down a problem with Privoxy (e.g., + it's not blocking an ad you think it should block) but in most cases you + probably will never look at it. - + Your logfile will grow indefinitely, and you will probably want to + periodically remove it. On Unix systems, you can do this with a cron job + (see "man cron"). For Red Hat, a logrotate script has been included. + + On SuSE Linux systems, you can place a line like "/var/log/privoxy.* +1024k + 644 nobody.nogroup" in /etc/logfiles, with the effect that cron.daily will + automatically archive, gzip, and empty the log, when it exceeds 1M size. + + Any log files must be writable by whatever user Privoxy is being run as + (default on UNIX, user id is "privoxy"). ------------------------------------------------------------------------------- -Appendix +7.1.6. jarfile -Regular Expressions +Specifies: -Junkbuster can use "regular expressions" in various config files. Assuming -support for "pcre" (Perl Compatible Regular Expressions) is compiled in, which -is the default. Such configuration directives do not require regular -expressions, but they can be used to increase flexibility by matching a pattern -with wildcards against URLs. + The file to store intercepted cookies in -If you are reading this, you probably don't understand what "regular -expressions" are, or what they can do. So this will be a very brief +Type of value: + + File name, relative to logdir + +Default value: + + jarfile (Unix) or privoxy.jar (Windows) + +Effect if unset: + + Intercepted cookies are not stored at all. + +Notes: + + The jarfile may grow to ridiculous sizes over time. + +------------------------------------------------------------------------------- + +7.1.7. trustfile + +Specifies: + + The trust file to use + +Type of value: + + File name, relative to confdir + +Default value: + + Unset (commented out). When activated: trust (Unix) or trust.txt (Windows) + +Effect if unset: + + The entire trust mechanism is turned off. + +Notes: + + The trust mechanism is an experimental feature for building white-lists and + should be used with care. It is NOT recommended for the casual user. + + If you specify a trust file, Privoxy will only allow access to sites that + are specified in the trustfile. Sites can be listed in one of two ways: + + Prepending a ~ character limits access to this site only (and any sub-paths + within this site), e.g. ~www.example.com. + + Or, you can designate sites as trusted referrers, by prepending the name + with a + character. The effect is that access to untrusted sites will be + granted -- but only if a link from this trusted referrer was used. The link + target will then be added to the "trustfile" so that future, direct + accesses will be granted. Sites added via this mechanism do not become + trusted referrers themselves (i.e. they are added with a ~ designation). + + If you use the + operator in the trust file, it may grow considerably over + time. + + It is recommended that Privoxy be compiled with the --disable-force, + --disable-toggle and --disable-editor options, if this feature is to be + used. + + Possible applications include limiting Internet access for children. + +------------------------------------------------------------------------------- + +7.2. Local Set-up Documentation + +If you intend to operate Privoxy for more users than just yourself, it might be +a good idea to let them know how to reach you, what you block and why you do +that, your policies, etc. + +------------------------------------------------------------------------------- + +7.2.1. user-manual + +Specifies: + + Location of the Privoxy User Manual. + +Type of value: + + A fully qualified URI + +Default value: + + Unset + +Effect if unset: + + http://www.privoxy.org/version/user-manual/ will be used, where version is + the Privoxy version. + +Notes: + + The User Manual URI is used for help links from some of the internal CGI + pages. The manual itself is normally packaged with the binary + distributions, so you probably want to set this to a locally installed + copy. For multi-user setups, you could provide a copy on a local webserver + for all your users and use the corresponding URL here. + + Examples: + + Unix, in local filesystem: + + user-manual file:///usr/share/doc/privoxy-3.0.3/user-manual/ + + + Windows, in local filesystem, must use forward slash notation: + + user-manual file:/c:/some-dir/privoxy-3.0.3/user-manual/ + + + Windows, UNC notation (with forward slashes): + + user-manual file://///some-server/some-path/privoxy-3.0.3/user-manual/ + + + Any platform, on local webserver (called "local-webserver"): + + user-manual http://local-webserver/privoxy-user-manual/ + + + +-----------------------------------------------------------------+ + | Warning | + |-----------------------------------------------------------------| + |If set, this option should be the first option in the config | + |file, because it is used while the config file is being read. | + +-----------------------------------------------------------------+ + +------------------------------------------------------------------------------- + +7.2.2. trust-info-url + +Specifies: + + A URL to be displayed in the error page that users will see if access to an + untrusted page is denied. + +Type of value: + + URL + +Default value: + + Two example URL are provided + +Effect if unset: + + No links are displayed on the "untrusted" error page. + +Notes: + + The value of this option only matters if the experimental trust mechanism + has been activated. (See trustfile above.) + + If you use the trust mechanism, it is a good idea to write up some on-line + documentation about your trust policy and to specify the URL(s) here. Use + multiple times for multiple URLs. + + The URL(s) should be added to the trustfile as well, so users don't end up + locked out from the information on why they were locked out in the first + place! + +------------------------------------------------------------------------------- + +7.2.3. admin-address + +Specifies: + + An email address to reach the proxy administrator. + +Type of value: + + Email address + +Default value: + + Unset + +Effect if unset: + + No email address is displayed on error pages and the CGI user interface. + +Notes: + + If both admin-address and proxy-info-url are unset, the whole "Local + Privoxy Support" box on all generated pages will not be shown. + +------------------------------------------------------------------------------- + +7.2.4. proxy-info-url + +Specifies: + + A URL to documentation about the local Privoxy setup, configuration or + policies. + +Type of value: + + URL + +Default value: + + Unset + +Effect if unset: + + No link to local documentation is displayed on error pages and the CGI user + interface. + +Notes: + + If both admin-address and proxy-info-url are unset, the whole "Local + Privoxy Support" box on all generated pages will not be shown. + + This URL shouldn't be blocked ;-) + +------------------------------------------------------------------------------- + +7.3. Debugging + +These options are mainly useful when tracing a problem. Note that you might +also want to invoke Privoxy with the --no-daemon command line option when +debugging. + +------------------------------------------------------------------------------- + +7.3.1. debug + +Specifies: + + Key values that determine what information gets logged to the logfile. + +Type of value: + + Integer values + +Default value: + + 12289 (i.e.: URLs plus informational and warning messages) + +Effect if unset: + + Nothing gets logged. + +Notes: + + The available debug levels are: + + debug 1 # show each GET/POST/CONNECT request + debug 2 # show each connection status + debug 4 # show I/O status + debug 8 # show header parsing + debug 16 # log all data into the logfile + debug 32 # debug force feature + debug 64 # debug regular expression filter + debug 128 # debug fast redirects + debug 256 # debug GIF de-animation + debug 512 # Common Log Format + debug 1024 # debug kill pop-ups + debug 2048 # CGI user interface + debug 4096 # Startup banner and warnings. + debug 8192 # Non-fatal errors + + + To select multiple debug levels, you can either add them or use multiple + debug lines. + + A debug level of 1 is informative because it will show you each request as + it happens. 1, 4096 and 8192 are highly recommended so that you will notice + when things go wrong. The other levels are probably only of interest if you + are hunting down a specific problem. They can produce a hell of an output + (especially 16). + + The reporting of fatal errors (i.e. ones which crash Privoxy) is always on + and cannot be disabled. + + If you want to use CLF (Common Log Format), you should set "debug 512" ONLY + and not enable anything else. + +------------------------------------------------------------------------------- + +7.3.2. single-threaded + +Specifies: + + Whether to run only one server thread + +Type of value: + + None + +Default value: + + Unset + +Effect if unset: + + Multi-threaded (or, where unavailable: forked) operation, i.e. the ability + to serve multiple requests simultaneously. + +Notes: + + This option is only there for debug purposes and you should never need to + use it. It will drastically reduce performance. + +------------------------------------------------------------------------------- + +7.4. Access Control and Security + +This section of the config file controls the security-relevant aspects of +Privoxy's configuration. + +------------------------------------------------------------------------------- + +7.4.1. listen-address + +Specifies: + + The IP address and TCP port on which Privoxy will listen for client + requests. + +Type of value: + + [IP-Address]:Port + +Default value: + + 127.0.0.1:8118 + +Effect if unset: + + Bind to 127.0.0.1 (localhost), port 8118. This is suitable and recommended + for home users who run Privoxy on the same machine as their browser. + +Notes: + + You will need to configure your browser(s) to this proxy address and port. + + If you already have another service running on port 8118, or if you want to + serve requests from other machines (e.g. on your local network) as well, + you will need to override the default. + + If you leave out the IP address, Privoxy will bind to all interfaces + (addresses) on your machine and may become reachable from the Internet. In + that case, consider using access control lists (ACL's, see below), and/or a + firewall. + + If you open Privoxy to untrusted users, you will also want to turn off the + enable-edit-actions and enable-remote-toggle options! + +Example: + + Suppose you are running Privoxy on a machine which has the address + 192.168.0.1 on your local private network (192.168.0.0) and has another + outside connection with a different address. You want it to serve requests + from inside only: + + listen-address 192.168.0.1:8118 + + +------------------------------------------------------------------------------- + +7.4.2. toggle + +Specifies: + + Initial state of "toggle" status + +Type of value: + + 1 or 0 + +Default value: + + 1 + +Effect if unset: + + Act as if toggled on + +Notes: + + If set to 0, Privoxy will start in "toggled off" mode, i.e. behave like a + normal, content-neutral proxy where all ad blocking, filtering, etc are + disabled. See enable-remote-toggle below. This is not really useful + anymore, since toggling is much easier via the web interface than via + editing the conf file. + + The windows version will only display the toggle icon in the system tray if + this option is present. + +------------------------------------------------------------------------------- + +7.4.3. enable-remote-toggle + +Specifies: + + Whether or not the web-based toggle feature may be used + +Type of value: + + 0 or 1 + +Default value: + + 1 + +Effect if unset: + + The web-based toggle feature is disabled. + +Notes: + + When toggled off, Privoxy acts like a normal, content-neutral proxy, i.e. + it acts as if none of the actions applied to any URL. + + For the time being, access to the toggle feature can not be controlled + separately by "ACLs" or HTTP authentication, so that everybody who can + access Privoxy (see "ACLs" and listen-address above) can toggle it for all + users. So this option is not recommended for multi-user environments with + untrusted users. + + Note that you must have compiled Privoxy with support for this feature, + otherwise this option has no effect. + +------------------------------------------------------------------------------- + +7.4.4. enable-edit-actions + +Specifies: + + Whether or not the web-based actions file editor may be used + +Type of value: + + 0 or 1 + +Default value: + + 1 + +Effect if unset: + + The web-based actions file editor is disabled. + +Notes: + + For the time being, access to the editor can not be controlled separately + by "ACLs" or HTTP authentication, so that everybody who can access Privoxy + (see "ACLs" and listen-address above) can modify its configuration for all + users. So this option is not recommended for multi-user environments with + untrusted users. + + Note that you must have compiled Privoxy with support for this feature, + otherwise this option has no effect. + +------------------------------------------------------------------------------- + +7.4.5. ACLs: permit-access and deny-access + +Specifies: + + Who can access what. + +Type of value: + + src_addr[/src_masklen] [dst_addr[/dst_masklen]] + + Where src_addr and dst_addr are IP addresses in dotted decimal notation or + valid DNS names, and src_masklen and dst_masklen are subnet masks in CIDR + notation, i.e. integer values from 2 to 30 representing the length (in + bits) of the network address. The masks and the whole destination part are + optional. + +Default value: + + Unset + +Effect if unset: + + Don't restrict access further than implied by listen-address + +Notes: + + Access controls are included at the request of ISPs and systems + administrators, and are not usually needed by individual users. For a + typical home user, it will normally suffice to ensure that Privoxy only + listens on the localhost (127.0.0.1) or internal (home) network address by + means of the listen-address option. + + Please see the warnings in the FAQ that this proxy is not intended to be a + substitute for a firewall or to encourage anyone to defer addressing basic + security weaknesses. + + Multiple ACL lines are OK. If any ACLs are specified, then the Privoxy + talks only to IP addresses that match at least one permit-access line and + don't match any subsequent deny-access line. In other words, the last match + wins, with the default being deny-access. + + If Privoxy is using a forwarder (see forward below) for a particular + destination URL, the dst_addr that is examined is the address of the + forwarder and NOT the address of the ultimate target. This is necessary + because it may be impossible for the local Privoxy to determine the IP + address of the ultimate target (that's often what gateways are used for). + + You should prefer using IP addresses over DNS names, because the address + lookups take time. All DNS names must resolve! You can not use domain + patterns like "*.org" or partial domain names. If a DNS name resolves to + multiple IP addresses, only the first one is used. + + Denying access to particular sites by ACL may have undesired side effects + if the site in question is hosted on a machine which also hosts other + sites. + +Examples: + + Explicitly define the default behavior if no ACL and listen-address are + set: "localhost" is OK. The absence of a dst_addr implies that all + destination addresses are OK: + + permit-access localhost + + + Allow any host on the same class C subnet as www.privoxy.org access to + nothing but www.example.com: + + permit-access www.privoxy.org/24 www.example.com/32 + + + Allow access from any host on the 26-bit subnet 192.168.45.64 to anywhere, + with the exception that 192.168.45.73 may not access + www.dirty-stuff.example.com: + + permit-access 192.168.45.64/26 + deny-access 192.168.45.73 www.dirty-stuff.example.com + + +------------------------------------------------------------------------------- + +7.4.6. buffer-limit + +Specifies: + + Maximum size of the buffer for content filtering. + +Type of value: + + Size in Kbytes + +Default value: + + 4096 + +Effect if unset: + + Use a 4MB (4096 KB) limit. + +Notes: + + For content filtering, i.e. the +filter and +deanimate-gif actions, it is + necessary that Privoxy buffers the entire document body. This can be + potentially dangerous, since a server could just keep sending data + indefinitely and wait for your RAM to exhaust -- with nasty consequences. + Hence this option. + + When a document buffer size reaches the buffer-limit, it is flushed to the + client unfiltered and no further attempt to filter the rest of the document + is made. Remember that there may be multiple threads running, which might + require up to buffer-limit Kbytes each, unless you have enabled + "single-threaded" above. + +------------------------------------------------------------------------------- + +7.5. Forwarding + +This feature allows routing of HTTP requests through a chain of multiple +proxies. It can be used to better protect privacy and confidentiality when +accessing specific domains by routing requests to those domains through an +anonymous public proxy (see e.g. http://www.multiproxy.org/anon_list.htm) Or to +use a caching proxy to speed up browsing. Or chaining to a parent proxy may be +necessary because the machine that Privoxy runs on has no direct Internet +access. + +Also specified here are SOCKS proxies. Privoxy supports the SOCKS 4 and SOCKS +4A protocols. + +------------------------------------------------------------------------------- + +7.5.1. forward + +Specifies: + + To which parent HTTP proxy specific requests should be routed. + +Type of value: + + target_pattern http_parent[:port] + + where target_pattern is a URL pattern that specifies to which requests + (i.e. URLs) this forward rule shall apply. Use / to denote "all URLs". + http_parent[:port] is the DNS name or IP address of the parent HTTP proxy + through which the requests should be forwarded, optionally followed by its + listening port (default: 8080). Use a single dot (.) to denote "no + forwarding". + +Default value: + + Unset + +Effect if unset: + + Don't use parent HTTP proxies. + +Notes: + + If http_parent is ".", then requests are not forwarded to another HTTP + proxy but are made directly to the web servers. + + Multiple lines are OK, they are checked in sequence, and the last match + wins. + +Examples: + + Everything goes to an example anonymizing proxy, except SSL on port 443 + (which it doesn't handle): + + forward / anon-proxy.example.org:8080 + forward :443 . + + + Everything goes to our example ISP's caching proxy, except for requests to + that ISP's sites: + + forward / caching-proxy.example-isp.net:8000 + forward .example-isp.net . + + +------------------------------------------------------------------------------- + +7.5.2. forward-socks4 and forward-socks4a + +Specifies: + + Through which SOCKS proxy (and to which parent HTTP proxy) specific + requests should be routed. + +Type of value: + + target_pattern socks_proxy[:port] http_parent[:port] + + where target_pattern is a URL pattern that specifies to which requests + (i.e. URLs) this forward rule shall apply. Use / to denote "all URLs". + http_parent and socks_proxy are IP addresses in dotted decimal notation or + valid DNS names (http_parent may be "." to denote "no HTTP forwarding"), + and the optional port parameters are TCP ports, i.e. integer values from 1 + to 64535 + +Default value: + + Unset + +Effect if unset: + + Don't use SOCKS proxies. + +Notes: + + Multiple lines are OK, they are checked in sequence, and the last match + wins. + + The difference between forward-socks4 and forward-socks4a is that in the + SOCKS 4A protocol, the DNS resolution of the target hostname happens on the + SOCKS server, while in SOCKS 4 it happens locally. + + If http_parent is ".", then requests are not forwarded to another HTTP + proxy but are made (HTTP-wise) directly to the web servers, albeit through + a SOCKS proxy. + +Examples: + + From the company example.com, direct connections are made to all "internal" + domains, but everything outbound goes through their ISP's proxy by way of + example.com's corporate SOCKS 4A gateway to the Internet. + + forward-socks4a / socks-gw.example.com:1080 www-cache.example-isp.net:8080 + forward .example.com . + + + A rule that uses a SOCKS 4 gateway for all destinations but no HTTP parent + looks like this: + + forward-socks4 / socks-gw.example.com:1080 . + + +------------------------------------------------------------------------------- + +7.5.3. Advanced Forwarding Examples + +If you have links to multiple ISPs that provide various special content only to +their subscribers, you can configure multiple Privoxies which have connections +to the respective ISPs to act as forwarders to each other, so that your users +can see the internal content of all ISPs. + +Assume that host-a has a PPP connection to isp-a.net. And host-b has a PPP +connection to isp-b.net. Both run Privoxy. Their forwarding configuration can +look like this: + +host-a: + + forward / . + forward .isp-b.net host-b:8118 + + +host-b: + + forward / . + forward .isp-a.net host-a:8118 + + +Now, your users can set their browser's proxy to use either host-a or host-b +and be able to browse the internal content of both isp-a and isp-b. + +If you intend to chain Privoxy and squid locally, then chain as browser -> +squid -> privoxy is the recommended way. + +Assuming that Privoxy and squid run on the same box, your squid configuration +could then look like this: + + # Define Privoxy as parent proxy (without ICP) + cache_peer 127.0.0.1 parent 8118 7 no-query + + # Define ACL for protocol FTP + acl ftp proto FTP + + # Do not forward FTP requests to Privoxy + always_direct allow ftp + + # Forward all the rest to Privoxy + never_direct allow all + + +You would then need to change your browser's proxy settings to squid's address +and port. Squid normally uses port 3128. If unsure consult http_port in +squid.conf. + +You could just as well decide to only forward requests for Windows executables +through a virus-scanning parent proxy, say, on antivir.example.com, port 8010: + + forward / . + forward /.*\.(exe|com|dll|zip)$ antivir.example.com:8010 + + +------------------------------------------------------------------------------- + +7.6. Windows GUI Options + +Privoxy has a number of options specific to the Windows GUI interface: + +If "activity-animation" is set to 1, the Privoxy icon will animate when +"Privoxy" is active. To turn off, set to 0. + + activity-animation 1 + + +If "log-messages" is set to 1, Privoxy will log messages to the console window: + + log-messages 1 + + +If "log-buffer-size" is set to 1, the size of the log buffer, i.e. the amount +of memory used for the log messages displayed in the console window, will be +limited to "log-max-lines" (see below). + +Warning: Setting this to 0 will result in the buffer to grow infinitely and eat +up all your memory! + + log-buffer-size 1 + + +log-max-lines is the maximum number of lines held in the log buffer. See above. + + log-max-lines 200 + + +If "log-highlight-messages" is set to 1, Privoxy will highlight portions of the +log messages with a bold-faced font: + + log-highlight-messages 1 + + +The font used in the console window: + + log-font-name Comic Sans MS + + +Font size used in the console window: + + log-font-size 8 + + +"show-on-task-bar" controls whether or not Privoxy will appear as a button on +the Task bar when minimized: + + show-on-task-bar 0 + + +If "close-button-minimizes" is set to 1, the Windows close button will minimize +Privoxy instead of closing the program (close with the exit option on the File +menu). + + close-button-minimizes 1 + + +The "hide-console" option is specific to the MS-Win console version of Privoxy. +If this option is used, Privoxy will disconnect from and hide the command +console. + + #hide-console + + +------------------------------------------------------------------------------- + +8. Actions Files + +The actions files are used to define what actions Privoxy takes for which URLs, +and thus determine how ad images, cookies and various other aspects of HTTP +content and transactions are handled, and on which sites (or even parts +thereof). There are three such files included with Privoxy with differing +purposes: + + * default.action - is the primary action file that sets the initial values + for all actions. It is intended to provide a base level of functionality + for Privoxy's array of features. So it is a set of broad rules that should + work reasonably well for users everywhere. This is the file that the + developers are keeping updated, and making available to users. + + * user.action - is intended to be for local site preferences and exceptions. + As an example, if your ISP or your bank has specific requirements, and need + special handling, this kind of thing should go here. This file will not be + upgraded. + + * standard.action - is used by the web based editor, to set various + pre-defined sets of rules for the default actions section in + default.action. These have increasing levels of aggressiveness and have no + influence on your browsing unless you select them explicitly in the editor. + It is not recommend to edit this file. + + The default profiles, and their associated actions, as pre-defined in + standard.action are: + + Table 1. Default Configurations + + +------------------------------------------------------------+ + | Feature | Cautious | Medium |Adventuresome| + |---------------------+-----------+------------+-------------| + |Ad-blocking by URL |yes |yes |yes | + |---------------------+-----------+------------+-------------| + |Ad-filtering by size |yes |yes |yes | + |---------------------+-----------+------------+-------------| + |GIF de-animation |no |yes |yes | + |---------------------+-----------+------------+-------------| + |Referer forging |no |yes |yes | + |---------------------+-----------+------------+-------------| + |Cookie handling |none |session-only|kill | + |---------------------+-----------+------------+-------------| + |Pop-up killing |unsolicited|unsolicited |all | + |---------------------+-----------+------------+-------------| + |Fast redirects |no |no |yes | + |---------------------+-----------+------------+-------------| + |HTML taming |yes |yes |yes | + |---------------------+-----------+------------+-------------| + |JavaScript taming |yes |yes |yes | + |---------------------+-----------+------------+-------------| + |Web-bug killing |yes |yes |yes | + |---------------------+-----------+------------+-------------| + |Fun text replacements|no |no |yes | + |---------------------+-----------+------------+-------------| + |Image tag reordering |no |no |yes | + |---------------------+-----------+------------+-------------| + |Ad-filtering by link |no |no |yes | + |---------------------+-----------+------------+-------------| + |Demoronizer |no |no |yes | + +------------------------------------------------------------+ + +The list of actions files to be used are defined in the main configuration +file, and are processed in the order they are defined (e.g. default.action is +typically process before user.action). The content of these can all be viewed +and edited from http://config.privoxy.org/show-status. + +An actions file typically has multiple sections. If you want to use "aliases" +in an actions file, you have to place the (optional) alias section at the top +of that file. Then comes the default set of rules which will apply universally +to all sites and pages (be very careful with using such a universal set in +user.action or any other actions file after default.action, because it will +override the result from consulting any previous file). And then below that, +exceptions to the defined universal policies. You can regard user.action as an +appendix to default.action, with the advantage that is a separate file, which +makes preserving your personal settings across Privoxy upgrades easier. + +Actions can be used to block anything you want, including ads, banners, or just +some obnoxious URL that you would rather not see. Cookies can be accepted or +rejected, or accepted only during the current browser session (i.e. not written +to disk), content can be modified, JavaScripts tamed, user-tracking fooled, and +much more. See below for a complete list of actions. + +------------------------------------------------------------------------------- + +8.1. Finding the Right Mix + +Note that some actions, like cookie suppression or script disabling, may render +some sites unusable that rely on these techniques to work properly. Finding the +right mix of actions is not always easy and certainly a matter of personal +taste. In general, it can be said that the more "aggressive" your default +settings (in the top section of the actions file) are, the more exceptions for +"trusted" sites you will have to make later. If, for example, you want to +crunch all cookies per default, you'll have to make exceptions from that rule +for sites that you regularly use and that require cookies for actually useful +puposes, like maybe your bank, favorite shop, or newspaper. + +We have tried to provide you with reasonable rules to start from in the +distribution actions files. But there is no general rule of thumb on these +things. There just are too many variables, and sites are constantly changing. +Sooner or later you will want to change the rules (and read this chapter again +:). + +------------------------------------------------------------------------------- + +8.2. How to Edit + +The easiest way to edit the actions files is with a browser by using our +browser-based editor, which can be reached from http://config.privoxy.org/ +show-status. The editor allows both fine-grained control over every single +feature on a per-URL basis, and easy choosing from wholesale sets of defaults +like "Cautious", "Medium" or "Adventuresome". Warning: the "Adventuresome" +setting is not only more aggressive, but includes settings that are fun and +subversive, and which some may find of dubious merit! + +If you prefer plain text editing to GUIs, you can of course also directly edit +the the actions files. Look at default.action which is richly commented. + +------------------------------------------------------------------------------- + +8.3. How Actions are Applied to URLs + +Actions files are divided into sections. There are special sections, like the " +alias" sections which will be discussed later. For now let's concentrate on +regular sections: They have a heading line (often split up to multiple lines +for readability) which consist of a list of actions, separated by whitespace +and enclosed in curly braces. Below that, there is a list of URL patterns, each +on a separate line. + +To determine which actions apply to a request, the URL of the request is +compared to all patterns in each action file file. Every time it matches, the +list of applicable actions for the URL is incrementally updated, using the +heading of the section in which the pattern is located. If multiple matches for +the same URL set the same action differently, the last match wins. If not, the +effects are aggregated. E.g. a URL might match a regular section with a heading +line of { +handle-as-image }, then later another one with just { +block }, +resulting in both actions to apply. + +You can trace this process for any given URL by visiting http:// +config.privoxy.org/show-url-info. + +More detail on this is provided in the Appendix, Anatomy of an Action. + +------------------------------------------------------------------------------- + +8.4. Patterns + +As mentioned, Privoxy uses "patterns" to determine what actions might apply to +which sites and pages your browser attempts to access. These "patterns" use +wild card type pattern matching to achieve a high degree of flexibility. This +allows one expression to be expanded and potentially match against many similar +patterns. + +Generally, a Privoxy pattern has the form /, where both the + and are optional. (This is why the special / pattern matches +all URLs). Note that the protocol portion of the URL pattern (e.g. http://) +should not be included in the pattern. This is assumed already! + +www.example.com/ + + is a domain-only pattern and will match any request to www.example.com, + regardless of which document on that server is requested. + +www.example.com + + means exactly the same. For domain-only patterns, the trailing / may be + omitted. + +www.example.com/index.html + + matches only the single document /index.html on www.example.com. + +/index.html + + matches the document /index.html, regardless of the domain, i.e. on any web + server. + +index.html + + matches nothing, since it would be interpreted as a domain name and there + is no top-level domain called .html. + +------------------------------------------------------------------------------- + +8.4.1. The Domain Pattern + +The matching of the domain part offers some flexible options: if the domain +starts or ends with a dot, it becomes unanchored at that end. For example: + +.example.com + + matches any domain that ENDS in .example.com + +www. + + matches any domain that STARTS with www. + +.example. + + matches any domain that CONTAINS .example. (Correctly speaking: It matches + any FQDN that contains example as a domain.) + +Additionally, there are wild-cards that you can use in the domain names +themselves. They work pretty similar to shell wild-cards: "*" stands for zero +or more arbitrary characters, "?" stands for any single character, you can +define character classes in square brackets and all of that can be freely +mixed: + +ad*.example.com + + matches "adserver.example.com", "ads.example.com", etc but not + "sfads.example.com" + +*ad*.example.com + + matches all of the above, and then some. + +.?pix.com + + matches www.ipix.com, pictures.epix.com, a.b.c.d.e.upix.com etc. + +www[1-9a-ez].example.c* + + matches www1.example.com, www4.example.cc, wwwd.example.cy, + wwwz.example.com etc., but not wwww.example.com. + +------------------------------------------------------------------------------- + +8.4.2. The Path Pattern + +Privoxy uses Perl compatible regular expressions (through the PCRE library) for +matching the path. + +There is an Appendix with a brief quick-start into regular expressions, and +full (very technical) documentation on PCRE regex syntax is available on-line +at http://www.pcre.org/man.txt. You might also find the Perl man page on +regular expressions (man perlre) useful, which is available on-line at http:// +www.perldoc.com/perl5.6/pod/perlre.html. + +Note that the path pattern is automatically left-anchored at the "/", i.e. it +matches as if it would start with a "^" (regular expression speak for the +beginning of a line). + +Please also note that matching in the path is CASE INSENSITIVE by default, but +you can switch to case sensitive at any point in the pattern by using the "(? +-i)" switch: www.example.com/(?-i)PaTtErN.* will match only documents whose +path starts with PaTtErN in exactly this capitalization. + +------------------------------------------------------------------------------- + +8.5. Actions + +All actions are disabled by default, until they are explicitly enabled +somewhere in an actions file. Actions are turned on if preceded with a "+", and +turned off if preceded with a "-". So a +action means "do that action", e.g. ++block means "please block URLs that match the following patterns", and -block +means "don't block URLs that match the following patterns, even if +block +previously applied." + +Again, actions are invoked by placing them on a line, enclosed in curly braces +and separated by whitespace, like in {+some-action -some-other-action +{some-parameter}}, followed by a list of URL patterns, one per line, to which +they apply. Together, the actions line and the following pattern lines make up +a section of the actions file. + +There are three classes of actions: + + * Boolean, i.e the action can only be "enabled" or "disabled". Syntax: + + +name # enable action name + -name # disable action name + + + Example: +block + + * Parameterized, where some value is required in order to enable this type of + action. Syntax: + + +name{param} # enable action and set parameter to param, + # overwriting parameter from previous match if necessary + -name # disable action. The parameter can be omitted + + + Note that if the URL matches multiple positive forms of a parameterized + action, the last match wins, i.e. the params from earlier matches are + simply ignored. + + Example: +hide-user-agent{ Mozilla 1.0 } + + * Multi-value. These look exactly like parameterized actions, but they behave + differently: If the action applies multiple times to the same URL, but with + different parameters, all the parameters from all matches are remembered. + This is used for actions that can be executed for the same request + repeatedly, like adding multiple headers, or filtering through multiple + filters. Syntax: + + +name{param} # enable action and add param to the list of parameters + -name{param} # remove the parameter param from the list of parameters + # If it was the last one left, disable the action. + -name # disable this action completely and remove all parameters from the list + + + Examples: +add-header{X-Fun-Header: Some text} and +filter{html-annoyances} + +If nothing is specified in any actions file, no "actions" are taken. So in this +case Privoxy would just be a normal, non-blocking, non-anonymizing proxy. You +must specifically enable the privacy and blocking features you need (although +the provided default actions files will give a good starting point). + +Later defined actions always over-ride earlier ones. So exceptions to any rules +you make, should come in the latter part of the file (or in a file that is +processed later when using multiple actions files). For multi-valued actions, +the actions are applied in the order they are specified. Actions files are +processed in the order they are defined in config (the default installation has +three actions files). It also quite possible for any given URL pattern to match +more than one pattern and thus more than one set of actions! + +The list of valid Privoxy actions are: + +------------------------------------------------------------------------------- + +8.5.1. add-header + +Typical use: + + Confuse log analysis, custom applications + +Effect: + + Sends a user defined HTTP header to the web server. + +Type: + + Multi-value. + +Parameter: + + Any string value is possible. Validity of the defined HTTP headers is not + checked. It is recommended that you use the "X-" prefix for custom headers. + +Notes: + + This action may be specified multiple times, in order to define multiple + headers. This is rarely needed for the typical user. If you don't know what + "HTTP headers" are, you definitely don't need to worry about this one. + +Example usage: + + +add-header{X-User-Tracking: sucks} + + +------------------------------------------------------------------------------- + +8.5.2. block + +Typical use: + + Block ads or other obnoxious content + +Effect: + + Requests for URLs to which this action applies are blocked, i.e. the + requests are not forwarded to the remote server, but answered locally with + a substitute page or image, as determined by the handle-as-image and + set-image-blocker actions. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + Privoxy sends a special "BLOCKED" page for requests to blocked pages. This + page contains links to find out why the request was blocked, and a + click-through to the blocked content (the latter only if compiled with the + force feature enabled). The "BLOCKED" page adapts to the available screen + space -- it displays full-blown if space allows, or miniaturized and + text-only if loaded into a small frame or window. If you are using Privoxy + right now, you can take a look at the "BLOCKED" page. + + A very important exception occurs if both block and handle-as-image, apply + to the same request: it will then be replaced by an image. If + set-image-blocker (see below) also applies, the type of image will be + determined by its parameter, if not, the standard checkerboard pattern is + sent. + + It is important to understand this process, in order to understand how + Privoxy deals with ads and other unwanted content. + + The filter action can perform a very similar task, by "blocking" banner + images and other content through rewriting the relevant URLs in the + document's HTML source, so they don't get requested in the first place. + Note that this is a totally different technique, and it's easy to confuse + the two. + +Example usage (section): + + {+block} # Block and replace with "blocked" page + .nasty-stuff.example.com + + {+block +handle-as-image} # Block and replace with image + .ad.doubleclick.net + .ads.r.us + + +------------------------------------------------------------------------------- + +8.5.3. crunch-incoming-cookies + +Typical use: + + Prevent the web server from setting any cookies on your system + +Effect: + + Deletes any "Set-Cookie:" HTTP headers from server replies. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + This action is only concerned with incoming cookies. For outgoing cookies, + use crunch-outgoing-cookies. Use both to disable cookies completely. + + It makes no sense at all to use this action in conjunction with the + session-cookies-only action, since it would prevent the session cookies + from being set. See also filter-content-cookies. + +Example usage: + + +crunch-incoming-cookies + + +------------------------------------------------------------------------------- + +8.5.4. crunch-outgoing-cookies + +Typical use: + + Prevent the web server from reading any cookies from your system + +Effect: + + Deletes any "Cookie:" HTTP headers from client requests. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + This action is only concerned with outgoing cookies. For incoming cookies, + use crunch-incoming-cookies. Use both to disable cookies completely. + + It makes no sense at all to use this action in conjunction with the + session-cookies-only action, since it would prevent the session cookies + from being read. + +Example usage: + + +crunch-outgoing-cookies + + +------------------------------------------------------------------------------- + +8.5.5. deanimate-gifs + +Typical use: + + Stop those annoying, distracting animated GIF images. + +Effect: + + De-animate GIF animations, i.e. reduce them to their first or last image. + +Type: + + Parameterized. + +Parameter: + + "last" or "first" + +Notes: + + This will also shrink the images considerably (in bytes, not pixels!). If + the option "first" is given, the first frame of the animation is used as + the replacement. If "last" is given, the last frame of the animation is + used instead, which probably makes more sense for most banner animations, + but also has the risk of not showing the entire last frame (if it is only a + delta to an earlier frame). + + You can safely use this action with patterns that will also match non-GIF + objects, because no attempt will be made at anything that doesn't look like + a GIF. + +Example usage: + + +deanimate-gifs{last} + + +------------------------------------------------------------------------------- + +8.5.6. downgrade-http-version + +Typical use: + + Work around (very rare) problems with HTTP/1.1 + +Effect: + + Downgrades HTTP/1.1 client requests and server replies to HTTP/1.0. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + This is a left-over from the time when Privoxy didn't support important + HTTP/1.1 features well. It is left here for the unlikely case that you + experience HTTP/1.1 related problems with some server out there. Not all + (optional) HTTP/1.1 features are supported yet, so there is a chance you + might need this action. + +Example usage (section): + + {+downgrade-http-version} + problem-host.example.com + + +------------------------------------------------------------------------------- + +8.5.7. fast-redirects + +Typical use: + + Fool some click-tracking scripts and speed up indirect links + +Effect: + + Cut off all but the last valid URL from requests. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + Many sites, like yahoo.com, don't just link to other sites. Instead, they + will link to some script on their own servers, giving the destination as a + parameter, which will then redirect you to the final target. URLs resulting + from this scheme typically look like: http://some.place/click-tracker.cgi? + target=http://some.where.else. + + Sometimes, there are even multiple consecutive redirects encoded in the + URL. These redirections via scripts make your web browsing more traceable, + since the server from which you follow such a link can see where you go to. + Apart from that, valuable bandwidth and time is wasted, while your browser + ask the server for one redirect after the other. Plus, it feeds the + advertisers. + + This feature is currently not very smart and is scheduled for improvement. + It is likely to break some sites. You should expect to need possibly many + exceptions to this action, if it is enabled by default in default.action. + Some sites just don't work without it. + +Example usage: + + {+fast-redirects} + + +------------------------------------------------------------------------------- + +8.5.8. filter + +Typical use: + + Get rid of HTML and JavaScript annoyances, banner advertisements (by size), + do fun text replacements, etc. + +Effect: + + All files of text-based type, most notably HTML and JavaScript, to which + this action applies, are filtered on-the-fly through the specified regular + expression based substitutions. (Note: as of version 3.0.3 plain text + documents are exempted from filtering, because web servers often use the + text/plain MIME type for all files whose type they don't know.) + +Type: + + Parameterized. + +Parameter: + + The name of a filter, as defined in the filter file (typically + default.filter, set by the filterfile option in the config file). When used + in its negative form, and without parameters, filtering is completely + disabled. + +Notes: + + For your convenience, there are a number of pre-defined filters available + in the distribution filter file that you can use. See the examples below + for a list. + + Filtering requires buffering the page content, which may appear to slow + down page rendering since nothing is displayed until all content has passed + the filters. (It does not really take longer, but seems that way since the + page is not incrementally displayed.) This effect will be more noticeable + on slower connections. + + This is very powerful feature, but "rolling your own" filters requires a + knowledge of regular expressions and HTML. + + The amount of data that can be filtered is limited to the buffer-limit + option in the main config file. The default is 4096 KB (4 Megs). Once this + limit is exceeded, the buffered data, and all pending data, is passed + through unfiltered. + + Inadequate MIME types, such as zipped files, are not filtered at all. + (Again, only text-based types except plain text). Encrypted SSL data (from + HTTPS servers) cannot be filtered either, since this would violate the + integrity of the secure transaction. In some situations it might be + necessary to protect certain text, like source code, from filtering by + defining appropriate -filter sections. + + At this time, Privoxy cannot (yet!) uncompress compressed documents. If you + want filtering to work on all documents, even those that would normally be + sent compressed, use the prevent-compression action in conjunction with + filter. + + Filtering can achieve some of the same effects as the block action, i.e. it + can be used to block ads and banners. But the mechanism works quite + differently. One effective use, is to block ad banners based on their size + (see below), since many of these seem to be somewhat standardized. + + Feedback with suggestions for new or improved filters is particularly + welcome! + + The below list has only the names and a one-line description of each + predefined filter. There are more verbose explanations of what these + filters do in the filter file chapter. + +Example usage (with filters from the distribution default.filter file). See the + Predefined Filters section for more explanation on each: + + +filter{js-annoyances} # Get rid of particularly annoying JavaScript abuse + + + +filter{js-events} # Kill all JS event bindings (Radically destructive! Only for extra nasty sites) + + + +filter{html-annoyances} # Get rid of particularly annoying HTML abuse + + + +filter{content-cookies} # Kill cookies that come in the HTML or JS content + + + +filter{refresh-tags} # Kill automatic refresh tags (for dial-on-demand setups) + + + +filter{unsolicited-popups} # Disable only unsolicited pop-up windows + + + +filter{all-popups} # Kill all popups in JavaScript and HTML + + + +filter{img-reorder} # Reorder attributes in tags to make the banners-by-* filters more effective + + + +filter{banners-by-size} # Kill banners by size + + + +filter{banners-by-link} # Kill banners by their links to known clicktrackers + + + +filter{webbugs} # Squish WebBugs (1x1 invisible GIFs used for user tracking) + + + +filter{tiny-textforms} # Extend those tiny textareas up to 40x80 and kill the hard wrap + + + +filter{jumping-windows} # Prevent windows from resizing and moving themselves + + + +filter{frameset-borders} # Give frames a border and make them resizable + + + +filter{demoronizer} # Fix MS's non-standard use of standard charsets + + + +filter{shockwave-flash} # Kill embedded Shockwave Flash objects + + + +filter{quicktime-kioskmode} # Make Quicktime movies saveable + + + +filter{fun} # Text replacements for subversive browsing fun! + + + +filter{crude-parental} # Crude parental filtering (demo only) + + + +filter{ie-exploits} # Disable some known Internet Explorer bug exploits + + +------------------------------------------------------------------------------- + +8.5.9. handle-as-image + +Typical use: + + Mark URLs as belonging to images (so they'll be replaced by images if they + get blocked) + +Effect: + + This action alone doesn't do anything noticeable. It just marks URLs as + images. If the block action also applies, the presence or absence of this + mark decides whether an HTML "blocked" page, or a replacement image (as + determined by the set-image-blocker action) will be sent to the client as a + substitute for the blocked content. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + The below generic example section is actually part of default.action. It + marks all URLs with well-known image file name extensions as images and + should be left intact. + + Users will probably only want to use the handle-as-image action in + conjunction with block, to block sources of banners, whose URLs don't + reflect the file type, like in the second example section. + + Note that you cannot treat HTML pages as images in most cases. For + instance, (in-line) ad frames require an HTML page to be sent, or they + won't display properly. Forcing handle-as-image in this situation will not + replace the ad frame with an image, but lead to error messages. + +Example usage (sections): + + # Generic image extensions: + # + {+handle-as-image} + /.*\.(gif|jpg|jpeg|png|bmp|ico)$ + + # These don't look like images, but they're banners and should be + # blocked as images: + # + {+block +handle-as-image} + some.nasty-banner-server.com/junk.cgi?output=trash + + # Banner source! Who cares if they also have non-image content? + ad.doubleclick.net + + +------------------------------------------------------------------------------- + +8.5.10. hide-forwarded-for-headers + +Typical use: + + Improve privacy by hiding the true source of the request + +Effect: + + Deletes any existing "X-Forwarded-for:" HTTP header from client requests, + and prevents adding a new one. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + It is fairly safe to leave this on. + + This action is scheduled for improvement: It should be able to generate + forged "X-Forwarded-for:" headers using random IP addresses from a + specified network, to make successive requests from the same client look + like requests from a pool of different users sharing the same proxy. + +Example usage: + + +hide-forwarded-for-headers + + +------------------------------------------------------------------------------- + +8.5.11. hide-from-header + +Typical use: + + Keep your (old and ill) browser from telling web servers your email address + +Effect: + + Deletes any existing "From:" HTTP header, or replaces it with the specified + string. + +Type: + + Parameterized. + +Parameter: + + Keyword: "block", or any user defined value. + +Notes: + + The keyword "block" will completely remove the header (not to be confused + with the block action). + + Alternately, you can specify any value you prefer to be sent to the web + server. If you do, it is a matter of fairness not to use any address that + is actually used by a real person. + + This action is rarely needed, as modern web browsers don't send "From:" + headers anymore. + +Example usage: + + +hide-from-header{block} + + + or + + +hide-from-header{spam-me-senseless@sittingduck.example.com} + + +------------------------------------------------------------------------------- + +8.5.12. hide-referrer + +Typical use: + + Conceal which link you followed to get to a particular site + +Effect: + + Deletes the "Referer:" (sic) HTTP header from the client request, or + replaces it with a forged one. + +Type: + + Parameterized. + +Parameter: + + + "block" to delete the header completely. + + + "forge" to pretend to be coming from the homepage of the server we are + talking to. + + + Any other string to set a user defined referrer. + +Notes: + + "forge" is the preferred option here, since some servers will not send + images back otherwise, in an attempt to prevent their valuable content from + being embedded elsewhere (and hence, without being surrounded by their + banners). + + hide-referer is an alternate spelling of hide-referrer and the two can be + can be freely substituted with each other. ("referrer" is the correct + English spelling, however the HTTP specification has a bug - it requires it + to be spelled as "referer".) + +Example usage: + + +hide-referrer{forge} + + + or + + +hide-referrer{http://www.yahoo.com/} + + +------------------------------------------------------------------------------- + +8.5.13. hide-user-agent + +Typical use: + + Conceal your type of browser and client operating system + +Effect: + + Replaces the value of the "User-Agent:" HTTP header in client requests with + the specified value. + +Type: + + Parameterized. + +Parameter: + + Any user-defined string. + +Notes: + + +-----------------------------------------------------------------+ + | Warning | + |-----------------------------------------------------------------| + |This breaks many web sites that depend on looking at this header | + |in order to customize their content for different browsers | + |(which, by the way, is NOT a smart way to do that!). | + +-----------------------------------------------------------------+ + + Using this action in multi-user setups or wherever different types of + browsers will access the same Privoxy is not recommended. In single-user, + single-browser setups, you might use it to delete your OS version + information from the headers, because it is an invitation to exploit known + bugs for your OS. It is also occasionally useful to forge this in order to + access sites that won't let you in otherwise (though there may be a good + reason in some cases). Example of this: some MSN sites will not let Mozilla + enter, yet forging to a Netscape 6.1 user-agent works just fine. (Must be + just a silly MS goof, I'm sure :-). + + This action is scheduled for improvement. + +Example usage: + + +hide-user-agent{Netscape 6.1 (X11; I; Linux 2.4.18 i686)} + + +------------------------------------------------------------------------------- + +8.5.14. kill-popups + +Typical use: + + Eliminate those annoying pop-up windows (deprecated) + +Effect: + + While loading the document, replace JavaScript code that opens pop-up + windows with (syntactically neutral) dummy code on the fly. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + This action is basically a built-in, hardwired special-purpose filter + action, but there are important differences: For kill-popups, the document + need not be buffered, so it can be incrementally rendered while + downloading. But kill-popups doesn't catch as many pop-ups as filter + {all-popups} does and is not as smart as filter{unsolicited-popups} is. + + Think of it as a fast and efficient replacement for a filter that you can + use if you don't want any filtering at all. Note that it doesn't make sense + to combine it with any filter action, since as soon as one filter applies, + the whole document needs to be buffered anyway, which destroys the + advantage of the kill-popups action over its filter equivalent. + + Killing all pop-ups unconditionally is problematic. Many shops and banks + rely on pop-ups to display forms, shopping carts etc, and the filter + {unsolicited-popups} does a fairly good job of catching only the unwanted + ones. + + If the only kind of pop-ups that you want to kill are exit consoles (those + really nasty windows that appear when you close an other one), you might + want to use filter{js-annoyances} instead. + +Example usage: + + +kill-popups + + +------------------------------------------------------------------------------- + +8.5.15. limit-connect + +Typical use: + + Prevent abuse of Privoxy as a TCP proxy relay + +Effect: + + Specifies to which ports HTTP CONNECT requests are allowable. + +Type: + + Parameterized. + +Parameter: + + A comma-separated list of ports or port ranges (the latter using dashes, + with the minimum defaulting to 0 and the maximum to 65K). + +Notes: + + By default, i.e. if no limit-connect action applies, Privoxy only allows + HTTP CONNECT requests to port 443 (the standard, secure HTTPS port). Use + limit-connect if more fine-grained control is desired for some or all + destinations. + + The CONNECT methods exists in HTTP to allow access to secure websites + ("https://" URLs) through proxies. It works very simply: the proxy connects + to the server on the specified port, and then short-circuits its + connections to the client and to the remote server. This can be a big + security hole, since CONNECT-enabled proxies can be abused as TCP relays + very easily. + + If you don't know what any of this means, there probably is no reason to + change this one, since the default is already very restrictive. + +Example usages: + + +limit-connect{443} # This is the default and need not be specified. + +limit-connect{80,443} # Ports 80 and 443 are OK. + +limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK. + +limit-connect{-} # All ports are OK (gaping security hole!) + + +------------------------------------------------------------------------------- + +8.5.16. prevent-compression + +Typical use: + + Ensure that servers send the content uncompressed, so it can be passed + through filters + +Effect: + + Adds a header to the request that asks for uncompressed transfer. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + More and more websites send their content compressed by default, which is + generally a good idea and saves bandwidth. But for the filter, + deanimate-gifs and kill-popups actions to work, Privoxy needs access to the + uncompressed data. Unfortunately, Privoxy can't yet(!) uncompress, filter, + and re-compress the content on the fly. So if you want to ensure that all + websites, including those that normally compress, can be filtered, you need + to use this action. + + This will slow down transfers from those websites, though. If you use any + of the above-mentioned actions, you will typically want to use + prevent-compression in conjunction with them. + + Note that some (rare) ill-configured sites don't handle requests for + uncompressed documents correctly (they send an empty document body). If you + use prevent-compression per default, you'll have to add exceptions for + those sites. See the example for how to do that. + +Example usage (sections): + + # Set default: + # + {+prevent-compression} + / # Match all sites + + # Make exceptions for ill sites: + # + {-prevent-compression} + www.debianhelp.org + www.pclinuxonline.com + + +------------------------------------------------------------------------------- + +8.5.17. send-vanilla-wafer + +Typical use: + + Feed log analysis scripts with useless data. + +Effect: + + Sends a cookie with each request stating that you do not accept any + copyright on cookies sent to you, and asking the site operator not to track + you. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + The vanilla wafer is a (relatively) unique header and could conceivably be + used to track you. + + This action is rarely used and not enabled in the default configuration. + +Example usage: + + +send-vanilla-wafer + + +------------------------------------------------------------------------------- + +8.5.18. send-wafer + +Typical use: + + Send custom cookies or feed log analysis scripts with even more useless + data. + +Effect: + + Sends a custom, user-defined cookie with each request. + +Type: + + Multi-value. + +Parameter: + + A string of the form "name=value". + +Notes: + + Being multi-valued, multiple instances of this action can apply to the same + request, resulting in multiple cookies being sent. + + This action is rarely used and not enabled in the default configuration. + +Example usage (section): + + {+send-wafer{UsingPrivoxy=true}} + my-internal-testing-server.void + + +------------------------------------------------------------------------------- + +8.5.19. session-cookies-only + +Typical use: + + Allow only temporary "session" cookies (for the current browser session + only). + +Effect: + + Deletes the "expires" field from "Set-Cookie:" server headers. Most + browsers will not store such cookies permanently and forget them in between + sessions. + +Type: + + Boolean. + +Parameter: + + N/A + +Notes: + + This is less strict than crunch-incoming-cookies / crunch-outgoing-cookies + and allows you to browse websites that insist or rely on setting cookies, + without compromising your privacy too badly. + + Most browsers will not permanently store cookies that have been processed + by session-cookies-only and will forget about them between sessions. This + makes profiling cookies useless, but won't break sites which require + cookies so that you can log in for transactions. This is generally turned + on for all sites, and is the recommended setting. + + It makes no sense at all to use session-cookies-only together with + crunch-incoming-cookies or crunch-outgoing-cookies. If you do, cookies will + be plainly killed. + + Note that it is up to the browser how it handles such cookies without an + "expires" field. If you use an exotic browser, you might want to try it out + to be sure. + + This setting also has no effect on cookies that may have been stored + previously by the browser before starting Privoxy. These would have to be + removed manually. + + Privoxy also uses the content-cookies filter to block some types of + cookies. Content cookies are not effected by session-cookies-only. + +Example usage: + + +session-cookies-only + + +------------------------------------------------------------------------------- + +8.5.20. set-image-blocker + +Typical use: + + Choose the replacement for blocked images + +Effect: + + This action alone doesn't do anything noticeable. If both block and + handle-as-image also apply, i.e. if the request is to be blocked as an + image, then the parameter of this action decides what will be sent as a + replacement. + +Type: + + Parameterized. + +Parameter: + + + "pattern" to send a built-in checkerboard pattern image. The image is + visually decent, scales very well, and makes it obvious where banners + were busted. + + + "blank" to send a built-in transparent image. This makes banners + disappear completely, but makes it hard to detect where Privoxy has + blocked images on a given page and complicates troubleshooting if + Privoxy has blocked innocent images, like navigation icons. + + + "target-url" to send a redirect to target-url. You can redirect to any + image anywhere, even in your local filesystem (via "file:///" URL). + + A good application of redirects is to use special Privoxy-built-in + URLs, which send the built-in images, as target-url. This has the same + visual effect as specifying "blank" or "pattern" in the first place, + but enables your browser to cache the replacement image, instead of + requesting it over and over again. + +Notes: + + The URLs for the built-in images are "http://config.privoxy.org/ + send-banner?type=type", where type is either "blank" or "pattern". + + There is a third (advanced) type, called "auto". It is NOT to be used in + set-image-blocker, but meant for use from filters. Auto will select the + type of image that would have applied to the referring page, had it been an + image. + +Example usage: + + Built-in pattern: + + +set-image-blocker{pattern} + + + Redirect to the BSD devil: + + +set-image-blocker{http://www.freebsd.org/gifs/dae_up3.gif} + + + Redirect to the built-in pattern for better caching: + + +set-image-blocker{http://config.privoxy.org/send-banner?type=pattern} + + +------------------------------------------------------------------------------- + +8.5.21. Summary + +Note that many of these actions have the potential to cause a page to +misbehave, possibly even not to display at all. There are many ways a site +designer may choose to design his site, and what HTTP header content, and other +criteria, he may depend on. There is no way to have hard and fast rules for all +sites. See the Appendix for a brief example on troubleshooting actions. + +------------------------------------------------------------------------------- + +8.6. Aliases + +Custom "actions", known to Privoxy as "aliases", can be defined by combining +other actions. These can in turn be invoked just like the built-in actions. +Currently, an alias name can contain any character except space, tab, "=", "{" +and "}", but we strongly recommend that you only use "a" to "z", "0" to "9", +"+", and "-". Alias names are not case sensitive, and are not required to start +with a "+" or "-" sign, since they are merely textually expanded. + +Aliases can be used throughout the actions file, but they must be defined in a +special section at the top of the file! And there can only be one such section +per actions file. Each actions file may have its own alias section, and the +aliases defined in it are only visible within that file. + +There are two main reasons to use aliases: One is to save typing for frequently +used combinations of actions, the other one is a gain in flexibility: If you +decide once how you want to handle shops by defining an alias called "shop", +you can later change your policy on shops in one place, and your changes will +take effect everywhere in the actions file where the "shop" alias is used. +Calling aliases by their purpose also makes your actions files more readable. + +Currently, there is one big drawback to using aliases, though: Privoxy's +built-in web-based action file editor honors aliases when reading the actions +files, but it expands them before writing. So the effects of your aliases are +of course preserved, but the aliases themselves are lost when you edit sections +that use aliases with it. This is likely to change in future versions of +Privoxy. + +Now let's define some aliases... + + # Useful custom aliases we can use later. + # + # Note the (required!) section header line and that this section + # must be at the top of the actions file! + # + {{alias}} + + # These aliases just save typing later: + # (Note that some already use other aliases!) + # + +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies + -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies + block-as-image = +block +handle-as-image + mercy-for-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} + + # These aliases define combinations of actions + # that are useful for certain types of sites: + # + fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -kill-popups + shop = -crunch-all-cookies -filter{all-popups} -kill-popups + + # Short names for other aliases, for really lazy people ;-) + # + c0 = +crunch-all-cookies + c1 = -crunch-all-cookies + + +...and put them to use. These sections would appear in the lower part of an +actions file and define exceptions to the default actions (as specified further +up for the "/" pattern): + + # These sites are either very complex or very keen on + # user data and require minimal interference to work: + # + {fragile} + .office.microsoft.com + .windowsupdate.microsoft.com + .nytimes.com + + # Shopping sites: + # Allow cookies (for setting and retrieving your customer data) + # + {shop} + .quietpc.com + .worldpay.com # for quietpc.com + .scan.co.uk + + # These shops require pop-ups: + # + {shop -kill-popups -filter{all-popups}} + .dabs.com + .overclockers.co.uk + + +Aliases like "shop" and "fragile" are often used for "problem" sites that +require some actions to be disabled in order to function properly. + +------------------------------------------------------------------------------- + +8.7. Actions Files Tutorial + +The above chapters have shown which actions files there are and how they are +organized, how actions are specified and applied to URLs, how patterns work, +and how to define and use aliases. Now, let's look at an example default.action +and user.action file and see how all these pieces come together: + +------------------------------------------------------------------------------- + +8.7.1. default.action + +Every config file should start with a short comment stating its purpose: + +# Sample default.action file + + +Then, since this is the default.action file, the first section is a special +section for internal use that you needn't change or worry about: + +########################################################################## +# Settings -- Don't change! For internal Privoxy use ONLY. +########################################################################## + +{{settings}} +for-privoxy-version=3.0 + + +After that comes the (optional) alias section. We'll use the example section +from the above chapter on aliases, that also explains why and how aliases are +used: + +########################################################################## +# Aliases +########################################################################## +{{alias}} + + # These aliases just save typing later: + # (Note that some already use other aliases!) + # + +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies + -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies + block-as-image = +block +handle-as-image + mercy-for-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies} + + # These aliases define combinations of actions + # that are useful for certain types of sites: + # + fragile = -block -filter -crunch-all-cookies -fast-redirects -hide-referrer -kill-popups + shop = -crunch-all-cookies -filter{all-popups} -kill-popups + + +Now come the regular sections, i.e. sets of actions, accompanied by URL +patterns to which they apply. Remember all actions are disabled when matching +starts, so we have to explicitly enable the ones we want. + +The first regular section is probably the most important. It has only one +pattern, "/", but this pattern matches all URLs. Therefore, the set of actions +used in this "default" section will be applied to all requests as a start. It +can be partly or wholly overridden by later matches further down this file, or +in user.action, but it will still be largely responsible for your overall +browsing experience. + +Again, at the start of matching, all actions are disabled, so there is no real +need to disable any actions here, but we will do that nonetheless, to have a +complete listing for your reference. (Remember: a "+" preceding the action name +enables the action, a "-" disables!). Also note how this long line has been +made more readable by splitting it into multiple lines with line continuation. + +########################################################################## +# "Defaults" section: +########################################################################## + { \ + -add-header \ + -block \ + -crunch-incoming-cookies \ + -crunch-outgoing-cookies \ + +deanimate-gifs \ + -downgrade-http-version \ + +fast-redirects \ + +filter{js-annoyances} \ + -filter{js-events} \ + +filter{html-annoyances} \ + -filter{content-cookies} \ + +filter{refresh-tags} \ + +filter{unsolicited-popups} \ + -filter{all-popups} \ + +filter{img-reorder} \ + +filter{banners-by-size} \ + -filter{banners-by-link} \ + +filter{webbugs} \ + -filter{tiny-textforms} \ + +filter{jumping-windows} \ + -filter{frameset-borders} \ + -filter{demoronizer} \ + -filter{shockwave-flash} \ + -filter{quicktime-kioskmode} \ + -filter{fun} \ + -filter{crude-parental} \ + +filter{ie-exploits} \ + -handle-as-image \ + +hide-forwarded-for-headers \ + +hide-from-header{block} \ + +hide-referrer{forge} \ + -hide-user-agent \ + -kill-popups \ + -limit-connect \ + +prevent-compression \ + -send-vanilla-wafer \ + -send-wafer \ + +session-cookies-only \ + +set-image-blocker{pattern} \ + } + / # forward slash will match *all* potential URL patterns. + + +The default behavior is now set. Note that some actions, like not hiding the +user agent, are part of a "general policy" that applies universally and won't +get any exceptions defined later. Other choices, like not blocking (which is +understandably the default!) need exceptions, i.e. we need to specify +explicitly what we want to block in later sections. + +The first of our specialized sections is concerned with "fragile" sites, i.e. +sites that require minimum interference, because they are either very complex +or very keen on tracking you (and have mechanisms in place that make them +unusable for people who avoid being tracked). We will simply use our +pre-defined fragile alias instead of stating the list of actions explicitly: + +########################################################################## +# Exceptions for sites that'll break under the default action set: +########################################################################## + +# "Fragile" Use a minimum set of actions for these sites (see alias above): +# +{ fragile } +.office.microsoft.com # surprise, surprise! +.windowsupdate.microsoft.com + + +Shopping sites are not as fragile, but they typically require cookies to log +in, and pop-up windows for shopping carts or item details. Again, we'll use a +pre-defined alias: + +# Shopping sites: +# +{ shop } +.quietpc.com +.worldpay.com # for quietpc.com +.jungle.com +.scan.co.uk + + +The fast-redirects action, which we enabled per default above, breaks some +sites. So disable it for popular sites where we know it misbehaves: + +{ -fast-redirects } +login.yahoo.com +edit.*.yahoo.com +.google.com +.altavista.com/.*(like|url|link):http +.altavista.com/trans.*urltext=http +.nytimes.com + + +It is important that Privoxy knows which URLs belong to images, so that if they +are to be blocked, a substitute image can be sent, rather than an HTML page. +Contacting the remote site to find out is not an option, since it would destroy +the loading time advantage of banner blocking, and it would feed the +advertisers (in terms of money and information). We can mark any URL as an +image with the handle-as-image action, and marking all URLs that end in a known +image file extension is a good start: + +########################################################################## +# Images: +########################################################################## + +# Define which file types will be treated as images, in case they get +# blocked further down this file: +# +{ +handle-as-image } +/.*\.(gif|jpe?g|png|bmp|ico)$ + + +And then there are known banner sources. They often use scripts to generate the +banners, so it won't be visible from the URL that the request is for an image. +Hence we block them and mark them as images in one go, with the help of our +block-as-image alias defined above. (We could of course just as well use +block ++handle-as-image here.) Remember that the type of the replacement image is +chosen by the set-image-blocker action. Since all URLs have matched the default +section with its +set-image-blocker{pattern} action before, it still applies +and needn't be repeated: + +# Known ad generators: +# +{ block-as-image } +ar.atwola.com +.ad.doubleclick.net +.ad.*.doubleclick.net +.a.yimg.com/(?:(?!/i/).)*$ +.a[0-9].yimg.com/(?:(?!/i/).)*$ +bs*.gsanet.com +bs*.einets.com +.qkimg.net + + +One of the most important jobs of Privoxy is to block banners. A huge bunch of +them are already "blocked" by the filter{banners-by-size} action, which we +enabled above, and which deletes the references to banner images from the pages +while they are loaded, so the browser doesn't request them anymore, and hence +they don't need to be blocked here. But this naturally doesn't catch all +banners, and some people choose not to use filters, so we need a comprehensive +list of patterns for banner URLs here, and apply the block action to them. + +First comes a bunch of generic patterns, which do most of the work, by matching +typical domain and path name components of banners. Then comes a list of +individual patterns for specific sites, which is omitted here to keep the +example short: + +########################################################################## +# Block these fine banners: +########################################################################## +{ +block } + +# Generic patterns: +# +ad*. +.*ads. +banner?. +count*. +/.*count(er)?\.(pl|cgi|exe|dll|asp|php[34]?) +/(?:.*/)?(publicite|werbung|rekla(ma|me|am)|annonse|maino(kset|nta|s)?)/ + +# Site-specific patterns (abbreviated): +# +.hitbox.com + + +You wouldn't believe how many advertisers actually call their banner servers +ads.company.com, or call the directory in which the banners are stored simply +"banners". So the above generic patterns are surprisingly effective. + +But being very generic, they necessarily also catch URLs that we don't want to +block. The pattern .*ads. e.g. catches "nasty-ads.nasty-corp.com" as intended, +but also "downloads.sourcefroge.net" or "adsl.some-provider.net." So here come +some well-known exceptions to the +block section above. + +Note that these are exceptions to exceptions from the default! Consider the URL +"downloads.sourcefroge.net": Initially, all actions are deactivated, so it +wouldn't get blocked. Then comes the defaults section, which matches the URL, +but just deactivates the block action once again. Then it matches .*ads., an +exception to the general non-blocking policy, and suddenly +block applies. And +now, it'll match .*loads., where -block applies, so (unless it matches again +further down) it ends up with no block action applying. + +########################################################################## +# Save some innocent victims of the above generic block patterns: +########################################################################## + +# By domain: +# +{ -block } +adv[io]*. # (for advogato.org and advice.*) +adsl. # (has nothing to do with ads) +ad[ud]*. # (adult.* and add.*) +.edu # (universities don't host banners (yet!)) +.*loads. # (downloads, uploads etc) + +# By path: +# +/.*loads/ + +# Site-specific: +# +www.globalintersec.com/adv # (adv = advanced) +www.ugu.com/sui/ugu/adv + + +Filtering source code can have nasty side effects, so make an exception for our +friends at sourceforge.net, and all paths with "cvs" in them. Note that -filter +disables all filters in one fell swoop! + +# Don't filter code! +# +{ -filter } +/.*cvs +.sourceforge.net + + +The actual default.action is of course more comprehensive, but we hope this +example made clear how it works. + +------------------------------------------------------------------------------- + +8.7.2. user.action + +So far we are painting with a broad brush by setting general policies, which +would be a reasonable starting point for many people. Now, you might want to be +more specific and have customized rules that are more suitable to your personal +habits and preferences. These would be for narrowly defined situations like +your ISP or your bank, and should be placed in user.action, which is parsed +after all other actions files and hence has the last word, over-riding any +previously defined actions. user.action is also a safe place for your personal +settings, since default.action is actively maintained by the Privoxy developers +and you'll probably want to install updated versions from time to time. + +So let's look at a few examples of things that one might typically do in +user.action: + +# My user.action file. + + +As aliases are local to the actions file that they are defined in, you can't +use the ones from default.action, unless you repeat them here: + +# Aliases are local to the file they are defined in. +# (Re-)define aliases for this file: +# +{{alias}} +# +# These aliases just save typing later, and the alias names should +# be self explanatory. +# ++crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies +-crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies + allow-all-cookies = -crunch-all-cookies -session-cookies-only + allow-popups = -filter{all-popups} -kill-popups ++block-as-image = +block +handle-as-image +-block-as-image = -block + +# These aliases define combinations of actions that are useful for +# certain types of sites: +# +fragile = -block -crunch-all-cookies -filter -fast-redirects -hide-referrer -kill-popups +shop = -crunch-all-cookies allow-popups + +# Allow ads for selected useful free sites: +# +allow-ads = -block -filter{banners-by-size} -filter{banners-by-link} + + +Say you have accounts on some sites that you visit regularly, and you don't +want to have to log in manually each time. So you'd like to allow persistent +cookies for these sites. The allow-all-cookies alias defined above does exactly +that, i.e. it disables crunching of cookies in any direction, and the +processing of cookies to make them only temporary. + +{ allow-all-cookies } +sourceforge.net +sunsolve.sun.com +.slashdot.org +.yahoo.com +.msdn.microsoft.com +.redhat.com + + +Your bank is allergic to some filter, but you don't know which, so you disable +them all: + +{ -filter } +.your-home-banking-site.com + + +Some file types you may not want to filter for various reasons: + +# Technical documentation is likely to contain strings that might +# erroneously get altered by the JavaScript-oriented filters: +# +.tldp.org +/(.*/)?selfhtml/ + +# And this stupid host sends streaming video with a wrong MIME type, +# so that Privoxy thinks it is getting HTML and starts filtering: +# +stupid-server.example.com/ + + +Example of a simple block action. Say you've seen an ad on your favourite page +on example.com that you want to get rid of. You have right-clicked the image, +selected "copy image location" and pasted the URL below while removing the +leading http://, into a { +block } section. Note that { +handle-as-image } need +not be specified, since all URLs ending in .gif will be tagged as images by the +general rules as set in default.action anyway: + +{ +block } +www.example.com/nasty-ads/sponsor.gif +another.popular.site.net/more/junk/here/ + + +The URLs of dynamically generated banners, especially from large banner farms, +often don't use the well-known image file name extensions, which makes it +impossible for Privoxy to guess the file type just by looking at the URL. You +can use the +block-as-image alias defined above for these cases. Note that +objects which match this rule but then turn out NOT to be an image are +typically rendered as a "broken image" icon by the browser. Use cautiously. + +{ +block-as-image } +.doubleclick.net +/Realmedia/ads/ +ar.atwola.com/ + + +Now you noticed that the default configuration breaks Forbes Magazine, but you +were too lazy to find out which action is the culprit, and you were again too +lazy to give feedback, so you just used the fragile alias on the site, and -- +whoa! -- it worked. The fragile aliases disables those actions that are most +likely to break a site. Also, good for testing purposes to see if it is Privoxy +that is causing the problem or not. + +{ fragile } +.forbes.com + + +You like the "fun" text replacements in default.filter, but it is disabled in +the distributed actions file. (My colleagues on the team just don't have a +sense of humour, that's why! ;-). So you'd like to turn it on in your private, +update-safe config, once and for all: + +{ +filter{fun} } +/ # For ALL sites! + + +Note that the above is not really a good idea: There are exceptions to the +filters in default.action for things that really shouldn't be filtered, like +code on CVS->Web interfaces. Since user.action has the last word, these +exceptions won't be valid for the "fun" filtering specified here. + +You might also worry about how your favourite free websites are funded, and +find that they rely on displaying banner advertisements to survive. So you +might want to specifically allow banners for those sites that you feel provide +value to you: + +{ allow-ads } +.sourceforge.net +.slashdot.org +.osdn.net + + +Note that allow-ads has been aliased to -block, -filter{banners-by-size}, and - +filter{banners-by-link} above. + +user.action is generally the best place to define exceptions and additions to +the default policies of default.action. Some actions are safe to have their +default policies set here though. So let's set a default policy to have a +"blank" image as opposed to the checkerboard pattern for ALL sites. "/" of +course matches all URL paths and patterns: + +{ +set-image-blocker{blank} } +/ # ALL sites + + +------------------------------------------------------------------------------- + +9. The Filter File + +All text substitutions that can be invoked through the filter action must first +be defined in the filter file, which is typically called default.filter and +which can be selected through the filterfile config option. + +Typical reasons for doing such substitutions are to eliminate common annoyances +in HTML and JavaScript, such as pop-up windows, exit consoles, crippled windows +without navigation tools, the infamous tag etc, to suppress images with +certain width and height attributes (standard banner sizes or web-bugs), or +just to have fun. The possibilities are endless. + +Filtering works on any text-based document type, including HTML, JavaScript, +CSS etc. (all text/* MIME types, except text/plain). Substitutions are made at +the source level, so if you want to "roll your own" filters, you should be +familiar with HTML syntax. + +Just like the actions files, the filter file is organized in sections, which +are called filters here. Each filter consists of a heading line, that starts +with the keyword FILTER:, followed by the filter's name, and a short (one line) +description of what it does. Below that line come the jobs, i.e. lines that +define the actual text substitutions. By convention, the name of a filter +should describe what the filter eliminates. The comment is used in the +web-based user interface. + +Once a filter called name has been defined in the filter file, it can be +invoked by using an action of the form +filter{name} in any actions file. + +A filter header line for a filter called "foo" could look like this: + +FILTER: foo Replace all "foo" with "bar" + + +Below that line, and up to the next header line, come the jobs that define what +text replacements the filter executes. They are specified in a syntax that +imitates Perl's s/// operator. If you are familiar with Perl, you will find +this to be quite intuitive, and may want to look at the PCRS man page for the +subtle differences to Perl behaviour. Most notably, the non-standard option +letter U is supported, which turns the default to ungreedy matching. + +If you are new to regular expressions, you might want to take a look at the +Appendix on regular expressions, and see the Perl manual for the s/// +operator's syntax and Perl-style regular expressions in general. The below +examples might also help to get you started. + +------------------------------------------------------------------------------- + +9.1. Filter File Tutorial + +Now, let's complete our "foo" filter. We have already defined the heading, but +the jobs are still missing. Since all it does is to replace "foo" with "bar", +there is only one (trivial) job needed: + +s/foo/bar/ + + +But wait! Didn't the comment say that all occurrences of "foo" should be +replaced? Our current job will only take care of the first "foo" on each page. +For global substitution, we'll need to add the g option: + +s/foo/bar/g + + +Our complete filter now looks like this: + +FILTER: foo Replace all "foo" with "bar" +s/foo/bar/g + + +Let's look at some real filters for more interesting examples. Here you see a +filter that protects against some common annoyances that arise from JavaScript +abuse. Let's look at its jobs one after the other: + +FILTER: js-annoyances Get rid of particularly annoying JavaScript abuse + +# Get rid of JavaScript referrer tracking. Test page: http://www.randomoddness.com/untitled.htm +# +s|()|$1"Not Your Business!"$2|Usg + + +Following the header line and a comment, you see the job. Note that it uses | +as the delimiter instead of /, because the pattern contains a forward slash, +which would otherwise have to be escaped by a backslash (\). + +Now, let's examine the pattern: it starts with the text tag. + +That's more than we want, but the pattern continues: document\.referrer matches +only the exact string "document.referrer". The dot needed to be escaped, i.e. +preceded by a backslash, to take away its special meaning as a joker, and make +it just a regular dot. So far, the meaning is: Match from the start of the +first . You already know what .* means, so the whole +pattern translates to: Match from the start of the first " tag. Furthermore, the s +option says that the match may span multiple lines in the page, and the g +option again means that the substitution is global. + +So, to summarize, the pattern means: Match all scripts that contain the text +"document.referrer". Remember the parts of the script from (and including) the +start tag up to (and excluding) the string "document.referrer" as $1, and the +part following that string, up to and including the closing tag, as $2. + +Now the pattern is deciphered, but wasn't this about substituting things? So +lets look at the substitute: $1"Not Your Business!"$2 is easy to read: The text +remembered as $1, followed by "Not Your Business!" (including the quotation +marks!), followed by the text remembered as $2. This produces an exact copy of +the original string, with the middle part (the "document.referrer") replaced by +"Not Your Business!". + +The whole job now reads: Replace "document.referrer" by "Not Your Business!" +wherever it appears inside a