X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fwebserver%2Ffaq%2Fconfiguration.html;h=f436199df90997a0794bd593ea66c8cfcff9ce72;hp=339b7629754a8b784575df3640d1bd349053f284;hb=3239e60560e2c55a06477816cdcc1dd30c0f4e72;hpb=16e9ef297b4cf15a61876abcc794e5a058500e4b diff --git a/doc/webserver/faq/configuration.html b/doc/webserver/faq/configuration.html index 339b7629..f436199d 100644 --- a/doc/webserver/faq/configuration.html +++ b/doc/webserver/faq/configuration.html @@ -1,10 +1,11 @@ +
Next |
# Allow all cookies for Yahoo login: +# +{ -crunch-incoming-cookies -crunch-outgoing-cookies -session-cookies-only } +.login.yahoo.com |
These kinds of sites are often quite complex and heavy with + Javascript and + thus "fragile". So if still a problem, + we have an user-manualalias just for such + sticky situations: +
# Gmail is a _fragile_ site: +# +{ fragile } + # Gmail is ... + mail.google.com |
Be sure to flush your browser's caches whenever making these kinds of + changes, just to make sure the changes "take". - Please refer to that.
Make sure the domain, host and path are appropriate as well. Your browser can + tell you where you are specifically and you should use that information for + your configuration settings. Note that above it is not referenced as + gmail.com, which is a valid domain name. +
The easiest way to do this, is to access Configuring Privoxy - with your web browser at is not entirely trivial. To + help you get started, we provide you with three different default action + "profiles" in the web based actions file editor at http://p.p/, - and then select - "http://config.privoxy.org/show-status. + See the Edit the actions list" - from the selection list. You can also do this by editing the appropriate - file with a text editor.
User + Manual for a list of actions, and how the default + profiles are set. +Please see the - Where the defaults are likely to break some sites, exceptions for + known popular "problem" sites are included, but in + general, the more aggressive your default settings are, the more exceptions + you will have to make later. New users are best to start off in + "Cautious" setting. This is safest and will have the fewest + problems. See the user-manual for a - detailed explanation of these and other configuration files, and their - various options and syntax.
User Manual + for a more detailed discussion.It should be noted that the "Advanced" profile (formerly known + as the "Adventuresome" profile) is more + aggressive, and will make use of some of + Privoxy's advanced features. Use at your own risk!
Configuring It may seem strange that regular users can edit the config files with their + browsers, although the whole /etc/privoxy hierarchy + belongs to the user "privoxy", with only 644 permissions. +
When you use the browser-based editor, Privoxy + itself is writing to the config files. Because + Privoxy is running as the user "privoxy", + it can update its own config files. +
If you run Privoxy is not easy. To help you get -started, we provide you with three different default configurations. The -following table shows you, which features are enabled in each configuration. +> for multiple untrusted users (e.g. in + a LAN), you will probably want to make sure that the turn the web-based + editor and remote toggle features are "off" by setting "enable-edit-actions + 0" and "enable-remote-toggle + 0" in the main configuration file.
Note that in the default configuration, only local users (i.e. those on + "localhost") can connect to Privoxy, + so this is (normally) not a security problem. +
The default.filter + file is where filters as supplied by the developers are defined. + Filters are a special subset of actions that can be used to modify or + remove, web page content on the fly. Filters apply to anything + in the page source (and optionally both client and server headers), including + HTML tags, and JavaScript. Regular expressions are used to accomplish this. + There are a number of pre-defined filters to deal with common annoyances. The + filters are only defined here, to invoke them, you need to use the + filter + action in one of the actions files. Filtering is automatically + disabled for inappropriate MIME types.
Table 1. Default Configurations
Feature | default.action | basic.action | intermediate.action | advanced.action |
---|---|---|---|---|
ad-filtering | ? | x | x | x |
blank image | ? | x | x | x |
de-animate GIFs | ? | x | x | x |
referer forging | ? | x | x | x |
jon's +no-cookies-keep (i.e. session cookies only) | ? | x | x | x |
no-popup windows | ? | x | x | |
fast redirects | ? | x | x | |
hide-referrer | ? | x | x | |
hide-useragent | ? | x | x | |
content-modification | ? | x | ||
feature-x | ? |
feature-y | ? |
Save the file, and restart Privoxy. Configure + all browsers on the network then to use this address and port number.
Alternately, you can have Privoxy listen on + all available interfaces:
feature-z | ? |
And then use Privoxy's + permit-access + feature to limit connections. A firewall in this situation is recommended + as well.
The above steps should be the same for any TCP network, regardless of + operating system.
If you run Privoxy on a LAN with untrusted users, + we recommend that you double-check the access control and security + options!
The replacement for blocked images can be controlled with the set-image-blocker + action. You have the choice of a checkerboard pattern, a transparent 1x1 GIF + image (aka "blank"), or a redirect to a custom image of your choice. + Note that this choice only has effect for images which are blocked as images, i.e. + whose URLs match both a handle-as-image + and block action.
If you want to see nothing, then change the set-image-blocker + action to "blank". This can be done by editing the + user.action file, or through the web-based actions file editor.
Remember that telling which image is an ad and which + isn't, is an educated guess. While we hope that the standard configuration + is rather smart, it will make occasional mistakes. The checkerboard image is visually + decent, and it shows you where images have been blocked, which can be very + helpful in case some navigation aid or otherwise innocent image was + erroneously blocked. It is recommended for new users so they can + "see" what is happening. Some people might also enjoy seeing how + many banners they don't have to see.
This happens when the banners are not embedded in the HTML code of the + page itself, but in separate HTML (sub)documents that are loaded into (i)frames + or (i)layers, and these external HTML documents are blocked. Being non-images + they get replaced by a substitute HTML page rather than a substitute image, + which wouldn't work out technically, since the browser expects and accepts + only HTML when it has requested an HTML document.
The substitute page adapts to the available space and shows itself as a + miniature two-liner if loaded into small frames, or full-blown with a + large red "BLOCKED" banner if space allows.
If you prefer the banners to be blocked by images, you must see to it that + the HTML documents in which they are embedded are not blocked. Clicking + the "See why" link offered in the substitute page will show + you which rule blocked the page. After changing the rule and un-blocking + the HTML documents, the browser will try to load the actual banner images + and the usual image blocking will (hopefully!) kick in.
Yes. Version 3.0.5 introduces full Windows service + functionality. See the User Manual for details on how to install and configure + Privoxy as a service.
Earlier 3.x versions could run as a system service using srvany.exe. + See the discussion at http://sourceforge.net/tracker/?func=detail&atid=361118&aid=485617&group_id=11118, + for details, and a sample configuration.
This can be done and is often useful to combine the benefits of + Privoxy with those of a another proxy. + See the forwarding chapter + in the User Manual which + describes how to do this, and the How do I use Privoxy together with + Tor section below.
No, its more complicated than that. This only works with special kinds + of proxies known as "intercepting" proxies (see below).
The whole idea of Privoxy is to modify client requests + and server responses in all sorts of ways and therefore + it's not a transparent proxy as described in + RFC 2616.
However, some people say "transparent proxy" when they + mean "intercepting proxy". If you are one of them, + please read the next entry.
Privoxy can't intercept traffic itself, + but it can handle requests that where intercepted and redirected + with a packet filter (like PF or + iptables), as long as the Host + header is present. +
As the Host header is required by HTTP/1.1 and as most + web sites don't work if it isn't set, this limitation shouldn't be a + problem.
Please refer to your packet filter's documentation to learn how to + intercept and redirect traffic into Privoxy. Afterward you just have + to configure Privoxy to + accept intercepted requests.
Outlook Express uses Internet Explorer + components to both render HTML, and fetch any HTTP requests that may be embedded in an HTML email. + So however you have Privoxy configured to work + with IE, this configuration should automatically be shared.
The short answer is, you can't. Privoxy has no way + of knowing which particular application makes a request, so there is no way to + distinguish between web pages and HTML mail. + Privoxy just blindly proxies all requests. In the + case of Outlook Express (see above), OE uses + IE anyway, and there is no way for Privoxy to ever + be able to distinguish between them (nor could any other proxy type application for + that matter).
For a good discussion of some of the issues involved (including privacy and + security issues), see + http://sourceforge.net/tracker/?func=detail&atid=211118&aid=629518&group_id=11118.
What I don't understand, is how I can browser edit the config file as a -regular user, while the whole /etc/privoxy hierarchy -belongs to the user "privoxy", with only 644 permissions. -
When you use the browser-based editor, Cookies can be + set in several ways. The classic method is via the + Set-Cookie HTTP header. This is straightforward, and an + easy one to manipulate, such as the Privoxy -itself is writing to the config files. Because - concept of + session-cookies-only. + There is also the possibility of using + Javascript to + set cookies (Privoxy is running as the user "privoxy", it can -update the config files. -
If you don't like this, setting "enable-edit-actions 0" in the -config file will disable the browser-based editor. If you're that paranoid, -you should also consider setting "enable-remote-toggle 0" to prevent -browser-based enabling/disabling of calls these content-cookies). This + is trickier because the syntax can vary widely, and thus requires a certain + amount of guesswork. It is not realistic to catch all of these short of + disabling Javascript, which would break many sites. And lastly, if the + cookies are embedded in a HTTPS/SSL secure session via Javascript, they are beyond + Privoxy. -
Privoxy's reach.Note that normally only local users can connect to - All in all, Privoxy, so this is not (normally) a security -problem. -
can help manage cookies in general, can help minimize + the loss of privacy posed by cookies, but can't realistically stop all + cookies.The "default.filter" file is used to "filter" any - web page content. By "filtering" we mean it can modify, remove, - or change No, in fact there are many beneficial uses of + cookies. Cookies are just a + method that browsers can use to store data between pages, or between browser + sessions. Sometimes there is a good reason for this, and the user's life is a + bit easier as a result. But there is a long history of some websites taking + advantage of this layer of trust, and using the data they glean from you and + your browsing habits for their own purposes, and maybe to your potential + detriment. Such sites are using you and storing their data on your system. + That is why the privacy conscious watch from whom those cookies come, and why + they really anything on the page, including HTML tags, and - JavaScript. Regular expressions are used to accomplish this, and operate - on a line by line basis. This is potentially a very powerful feature, but - requires some expertise.
If you are familiar with regular expressions, and HTML, you can look at - the provided default.filter with a text editor and see - some of things it can be used for.
need to be there.Presently, there is no GUI editor option for this part of the configuration, - but you can disable/enable various sections of the included default - file with the "Actions List Editor" from your browser.
See the + Wikipedia cookie + definition for more.By default, Privoxy only responds to requests - from localhost. To have it act as a server for a network, this needs to be - changed in the main config file where the Privoxy - configuration is located. In that file is a "listen-address" - option. It may be commented out with a There are several actions that relate to cookies. The default behavior is to + allow only "#" symbol. Make sure - it is uncommented, and assign it the address of the LAN gateway interface, - and port number to use:
"session cookies", which means the cookies only last + for the current browser session. This eliminates most kinds of abuse related + to cookies. But there may be cases where you want cookies to last.To disable all cookie actions, so that cookies are allowed unrestricted, + both in and out, for example.com:
listen-address 192.168.1.1:8118 -{ -crunch-incoming-cookies -crunch-outgoing-cookies -session-cookies-only -filter{content-cookies} } + .example.com |
Save the file, and restart Privoxy. Configure - all browsers on the network then to use this address and port number.
Place the above in user.action. Note that some of these may + be off by default anyway, so this might be redundant, but there is no harm + being explicit in what you want to happen. user.action + includes an alias for this situation, called + allow-all-cookies.This is a configuration option for images that - Each instance of Privoxy is stopping. You have the choice of a checkerboard - pattern, a transparent 1x1 GIF image (aka "blank"), or a custom - URL of your choice. Note that to fit this category, the URL must match both - the "+image" and "+block" actions.
If you want to see nothing, then change the "+image-blocker" - action to "+image-blocker{blank}". This can be done from the - "Edit Actions List" selection at has its own + configuration, including such attributes as the TCP port that it listens on. + What you can do is run multiple instances of Privoxy, each with + a unique + http://p.p/. Or by hand editing the appropriate - actions file. This will only effect what is defined as "images" - though. Also, some URLs that generate the bright red "Blocked"listen-address - banner, can be moved to the "+image-blocker" section for the - same reason, but there are some limits and risks to this (see below).
+ Simple enough for a few users, but for large installations, consider having + groups of users that might share like configurations.
This can be helpful for troubleshooting problems. It might also be good - for anyone new to Sure. There are a couple of things you can do for simple white-listing. + Here's one real easy one:
############################################################ + # Blacklist + ############################################################ + { +block } + / # Block *all* URLs + + ############################################################ + # Whitelist + ############################################################ + { -block } + kids.example.com + toys.example.com + games.example.com |
This allows access to only those three sites by first blocking all URLs, and + then subsequently allowing three specific exceptions.
A more interesting approach is Privoxy so that they can - see if their favorite pages are displaying correctly, and +>Privoxy's + trustfile concept, which incorporates the notion of Privoxy is not inadvertently removing something - important.
"trusted referrers". See the User Manual Trust + documentation.These are fairly simple approaches and are not completely foolproof. There + are various other configuration options that should be disabled (described + elsewhere here and in the User Manual) + so that users can't modify their own configuration and easily circumvent the + whitelist.
These are URLs that match something in one of - Privoxy's block actions (+block). It is meant - to be a warning so that you know something has been blocked and an easy way - for you to see why. These are handled differently than what has been defined - explicitly as "images" (e.g. ad banners). Depending on the - URL itself, it is sometimes hard for Ad blocking is achieved through a complex application of various Privoxy to - really know whether there is indeed an ad image there or not. And there are - limitations as to what + actions. These + actions are deployed against simple images, banners, flash animations, + text pages, JavaScript, pop-ups and pop-unders, etc., so its not as simple as + just turning one or two actions off. The various actions that make up + Privoxy can do to - "fool" the browser.
For instance, if the ad is in a frame, then it is embedded in the separate - HTML page used for the frame. In this case, you cannot just substitute an - aribitray image (like we would for a "blank" image), for an HTML - page. The browser is expecting an HTML page, and that is what it must have - for frames. So this situation can be a little trickier to deal with, and - ad blocking are hard-coded into the default configuration files. It + has been assumed that everyone using Privoxy will use the "Blocked" page.
If you want these to be treated as if they were images, so that they can be - made invisible, you can try moving the offending URL from the - "+block" section to the "+imageblock" section of - your actions file. Just be forewarned, if any URL is made - "invisible", you may not have any inkling that something has - been removed from that page, or why. If this approach does not work, then you are - probably dealing with a frame (or "ilayer"), and the only thing - that can go there is an HTML page of some sort.
is interested in this + particular feature. +To deal with this situation, you could modify the - " If you want to do without this, there are several approaches you can take: + You can manually undo the many block rules in + block" HTML template that is used by - Privoxy to display this, and make it something - more to your liking. Currently, there is no configuration option for this. - You will have to modify, or create your own page, and use this to replace +>default.action. Or even easier, just create your own templates/blocked, which is what - Privoxy uses to display the "Blocked" - page.
default.action file from scratch without the many ad + blocking rules, and corresponding exceptions. Or lastly, if you are not + concerned about the additional blocks that are done for privacy reasons, you + can very easily over-ride all blocking with the + following very simple rule in your user.action: + Another way to deal with this is find why and where
- Privoxy is blocking the frame, and
- diable this. Then let the # Unblock everybody, everywhere
+ { -block }
+ / # UN-Block *all* URLs
+ Or even a more comprehensive reversing of various ad related actions:
# Unblock everybody, everywhere, and turn off appropriate filtering, etc + { -block \ + -filter{banners-by-size} \ + -filter{banners-by-link} \ + allow-popups \ + } + / # UN-Block *all* URLs and allow ads |
This last "+image-blocker" action - handle the ad that is embedded in the frame's HTML page.
"action" in this compound statement, + allow-popups, is an alias that disables + various pop-up blocking features.There is not enough space to fit the entire page. Try right clicking on the - visible, red portion, and select "Show Frame", or equivalent. - This will usually allow you to see the entire Privoxy "Blocked" - page, and from there you can see just what is being blocked, and why.
Yes, it can run as a system service using srvany.exe. - The only catch is that this will effectively disable the +> "templates" are specialized text files utilized by Privoxy icon in the taskbar. You can have - one or the other, but not both at this time :(
There is a pending feature request for this functionality. See - thread: http://sourceforge.net/tracker/?func=detail&atid=361118&aid=485617&group_id=11118, - for details, and a sample configuration.
for various purposes and can easily be modified using any text + editor. All the template pages are installed in a sub-directory appropriately + named: templates. Knowing something about HTML syntax + will of course be helpful. You cannot rename any of these files, or create + completely new templates, that is not possible. But you can change the page + content to whatever you like. Be forewarned that these files are subject to + being overwritten during upgrades, so be sure to save any customizations.There is more than one way to do it.
Editing the BLOCKED template page (see above) may dissuade some users, but + this method is easily circumvented. Where you need this level of control, you + should build Privoxy work with other -proxies like from source, and enable various features that are + available as compile-time options. You should + configure the sources as follows:
./configure --disable-toggle --disable-editor --disable-force |
This will create an executable with hard-coded security features so that + Squid?Privoxy does not allow easy bypassing of blocked sites, or changing the + current configuration via any connected user's web browser.
This can be done. See the Note that all of these features can also be toggled on/off via options in + Privoxy's main user manual, - which describes how to do this.
config file which + means you don't have to recompile anything.
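Review bot: In the added answer about browser-based editing, the hardening sentence "you will probably want to make sure that the turn the web-based editor and remote toggle features are "off"" is garbled ("that the turn the"). Suggest "make sure that the web-based editor and remote toggle features are "off"". The reassurance that follows, that only users on localhost can connect, holds only for the default listen address. The LAN answer that tells readers to change the listen address or listen on all interfaces should therefore point back to "enable-edit-actions 0" and "enable-remote-toggle 0" instead of only asking them to double-check the access control and security options.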
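Review bot: The two cookie examples disagree. The Yahoo login block unsets -crunch-incoming-cookies, -crunch-outgoing-cookies and -session-cookies-only, while the .example.com block written for the same purpose also unsets -filter{content-cookies}. Either add the fourth action to the Yahoo example or have both use the allow-all-cookies alias that the text says user.action already provides, so that readers do not copy a variant that may leave content-cookie filtering on for a login site.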
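Review bot: The Gmail example has a leftover comment line, "# Gmail is ...", between "{ fragile }" and "mail.google.com". It reads like an unfinished placeholder and should be dropped or completed. The sentence introducing the example ("So if still a problem, we have an ... alias") is a fragment. Since the next paragraph stresses matching the exact host rather than gmail.com, one clause on what the fragile alias switches off would tell readers why it should stay scoped to that host.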
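Review bot: The whitelisting answer says other options "should be disabled (described elsewhere here and in the User Manual)" without naming them, although this same change names them in other answers: "enable-edit-actions 0", "enable-remote-toggle 0" and the configure flags --disable-toggle --disable-editor --disable-force. Name or link them at that point, because a whitelist that the restricted user can edit or toggle from the browser is not a control. The "{ -block }" section also only overrides "{ +block } /" if it is evaluated after it, so the answer should say that the order of the two sections matters.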
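Review bot: In the ad-blocking answer, the "Unblock everybody, everywhere" rule applies "{ -block }" to "/" and therefore also removes the blocks the paragraph itself describes as "done for privacy reasons", but the example comment only says "UN-Block *all* URLs". Readers copy the block, not the paragraph, so put the caveat in the example comment as well. In the same answer "so its not as simple" should be "it's".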
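Review bot: The build-from-source answer ends by saying the same features can be switched off in the main config file, "which means you don't have to recompile anything". That undercuts the recommendation just before it to configure with --disable-toggle --disable-editor --disable-force. State what the hard-coded build gives the administrator that the config settings do not, and list the config option names next to the configure flags so the two routes can be compared. Small fixes in the nearby proxy answers: "No, its more complicated" should be "it's", "requests that where intercepted" should be "were", and "those of a another proxy" has a doubled article.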