{ +handle-as-image +block{Banner ads.} }
# Block these as if they were images. Send no block page.
- banners.example.com
- media.example.com/.*banners
- .example.com/images/ads/
This is an experimental feature. The syntax is likely to change in future versions.
-
-
-
-
Client tag patterns are not set based on HTTP headers but based on the client's IP address. Users can enable
them themselves, but the Privoxy admin controls which tags are available and what their effect is.
After a client-specific tag has been defined with the
# Add a DNT ("Do not track") header to all requests,
-# event to those that already have one.
-#
-# This is just an example, not a recommendation.
-#
-# There is no reason to believe that user-tracking websites care
-# about the DNT header and depending on the User-Agent, adding the
-# header may make user-tracking easier.
-{+add-header{DNT: 1}}
-/
+
# Add a DNT ("Do not track") header to all requests,
+ # event to those that already have one.
+ #
+ # This is just an example, not a recommendation.
+ #
+ # There is no reason to believe that user-tracking websites care
+ # about the DNT header and depending on the User-Agent, adding the
+ # header may make user-tracking easier.
+ {+add-header{DNT: 1}}
+ /
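Review bot: The re-added comment line `# event to those that already have one.` keeps the typo "event" for "even". Since every line of this example is being touched for the re-indent anyway, fix the wording in the same change.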
Block requests based on the content of the body data.
+
+
Effect:
+
+
Client request bodies to which this action applies are filtered on-the-fly through the specified
+ regular expression based substitutions, the result is used as tag.
+
+
Type:
+
+
Multi-value.
+
+
Parameter:
+
+
The name of a client-body tagger, as defined in one of the filter
+ files.
+
+
Notes:
+
+
Please refer to the filter file chapter to learn how to create your own
+ client-body tagger.
+
Client-body taggers are applied to each request body on its own, and as the body isn't modified, each
+ tagger "sees" the original.
+
Chunk-encoded request bodies currently can't be tagged. Request bodies larger than the buffer-limit
+ can't be tagged either.
+
+
Example usage (section):
+
+
+
+
+
# Apply blafasel tagger.
+ {+client-body-tagger{blafasel}}
+ /
+
+ # Block request based on the tag created by the blafasel tagger.
+ {+block{Request body contains blafasel}}
+ TAG:^content contains blafasel$
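Review bot: The Notes say chunk-encoded request bodies and bodies larger than the buffer-limit can't be tagged, but the example that blocks on `TAG:^content contains blafasel$` does not say what follows from that: such requests never receive the tag, so the `+block` section does not apply to them. Suggest stating this in the Notes or as a comment in the example, so readers do not treat the block as covering every request body. Minor wording in Effect: "the result is used as tag" reads better as a separate sentence, "The result is used as a tag."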
# Tag every request with the User-Agent header
-{+client-header-tagger{user-agent}}
-/
+
# Tag every request with the User-Agent header
+ {+client-header-tagger{user-agent}}
+ /
-# Tagging itself doesn't change the action
-# settings, sections with TAG patterns do:
-#
-# If it's a download agent, use a different forwarding proxy,
-# show the real User-Agent and make sure resume works.
-{+forward-override{forward-socks5 10.0.0.2:2222 .} \
- -hide-if-modified-since \
- -overwrite-last-modified \
- -hide-user-agent \
- -filter \
- -deanimate-gifs \
-}
-TAG:^User-Agent: NetBSD-ftp/
-TAG:^User-Agent: Novell ZYPP Installer
-TAG:^User-Agent: RPM APT-HTTP/
-TAG:^User-Agent: fetch libfetch/
-TAG:^User-Agent: Ubuntu APT-HTTP/
-TAG:^User-Agent: MPlayer/
+ # Tagging itself doesn't change the action
+ # settings, sections with TAG patterns do:
+ #
+ # If it's a download agent, use a different forwarding proxy,
+ # show the real User-Agent and make sure resume works.
+ {+forward-override{forward-socks5 10.0.0.2:2222 .} \
+ -hide-if-modified-since \
+ -overwrite-last-modified \
+ -hide-user-agent \
+ -filter \
+ -deanimate-gifs \
+ }
+ TAG:^User-Agent: NetBSD-ftp/
+ TAG:^User-Agent: Novell ZYPP Installer
+ TAG:^User-Agent: RPM APT-HTTP/
+ TAG:^User-Agent: fetch libfetch/
+ TAG:^User-Agent: Ubuntu APT-HTTP/
+ TAG:^User-Agent: MPlayer/
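Review bot: This example changes forwarding and disables filtering based only on the User-Agent tag, yet it lacks the caveat that the later `fetch libfetch/2\.0` example carries ("HTTP headers are easy to fake and therefore their values are as (un)trustworthy as your clients and users"). Suggest repeating that comment above the `+forward-override` section here, since both examples rely on the same client-supplied header.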
-
# Tag all requests with the Range header set
-{+client-header-tagger{range-requests}}
-/
+
# Tag all requests with the Range header set
+ {+client-header-tagger{range-requests}}
+ /
-# Disable filtering for the tagged requests.
-#
-# With filtering enabled Privoxy would remove the Range headers
-# to be able to filter the whole response. The downside is that
-# it prevents clients from resuming downloads or skipping over
-# parts of multimedia files.
-{-filter -deanimate-gifs}
-TAG:^RANGE-REQUEST$
+ # Disable filtering for the tagged requests.
+ #
+ # With filtering enabled Privoxy would remove the Range headers
+ # to be able to filter the whole response. The downside is that
+ # it prevents clients from resuming downloads or skipping over
+ # parts of multimedia files.
+ {-filter -deanimate-gifs}
+ TAG:^RANGE-REQUEST$
-
# Tag all requests with the client IP address
-#
-# (Technically the client IP address isn't included in the
-# client headers but client-header taggers can set it anyway.
-# For details see the tagger in default.filter)
-{+client-header-tagger{client-ip-address}}
-/
+
# Tag all requests with the client IP address
+ #
+ # (Technically the client IP address isn't included in the
+ # client headers but client-header taggers can set it anyway.
+ # For details see the tagger in default.filter)
+ {+client-header-tagger{client-ip-address}}
+ /
-# Change forwarding settings for requests coming from address 10.0.0.1
-{+forward-override{forward-socks5 127.0.1.2:2222 .}}
-TAG:^IP-ADDRESS: 10\.0\.0\.1$
+ # Change forwarding settings for requests coming from address 10.0.0.1
+ {+forward-override{forward-socks5 127.0.1.2:2222 .}}
+ TAG:^IP-ADDRESS: 10\.0\.0\.1$
# Check if www.example.net/ really uses valid XHTML
+ { +content-type-overwrite{application/xml} }
+ www.example.net/
-# but leave the content type unmodified if the URL looks like a style sheet
-{-content-type-overwrite}
-www.example.net/.*\.css$
-www.example.net/.*style
+ # but leave the content type unmodified if the URL looks like a style sheet
+ {-content-type-overwrite}
+ www.example.net/.*\.css$
+ www.example.net/.*style
# Let the browser revalidate cached documents but don't
-# allow the server to use the revalidation headers for user tracking.
-{+hide-if-modified-since{-60} \
- +overwrite-last-modified{randomize} \
- +crunch-if-none-match}
-/
+
# Let the browser revalidate cached documents but don't
+ # allow the server to use the revalidation headers for user tracking.
+ {+hide-if-modified-since{-60} \
+ +overwrite-last-modified{randomize} \
+ +crunch-if-none-match}
+ /
# Use an ssh tunnel for requests previously tagged as
-# "User-Agent: fetch libfetch/2.0" and make sure
-# resuming downloads continues to work.
-#
-# This way you can continue to use Tor for your normal browsing,
-# without overloading the Tor network with your FreeBSD ports updates
-# or downloads of bigger files like ISOs.
-#
-# Note that HTTP headers are easy to fake and therefore their
-# values are as (un)trustworthy as your clients and users.
-{+forward-override{forward-socks5 10.0.0.2:2222 .} \
- -hide-if-modified-since \
- -overwrite-last-modified \
-}
-TAG:^User-Agent: fetch libfetch/2\.0$
+
# Use an ssh tunnel for requests previously tagged as
+ # "User-Agent: fetch libfetch/2.0" and make sure
+ # resuming downloads continues to work.
+ #
+ # This way you can continue to use Tor for your normal browsing,
+ # without overloading the Tor network with your FreeBSD ports updates
+ # or downloads of bigger files like ISOs.
+ #
+ # Note that HTTP headers are easy to fake and therefore their
+ # values are as (un)trustworthy as your clients and users.
+ {+forward-override{forward-socks5 10.0.0.2:2222 .} \
+ -hide-if-modified-since \
+ -overwrite-last-modified \
+ }
+ TAG:^User-Agent: fetch libfetch/2\.0$
# Block all documents on example.org that end with ".js",
-# but send an empty document instead of the usual HTML message.
-{+block{Blocked JavaScript} +handle-as-empty-document}
-example.org/.*\.js$
+
# Block all documents on example.org that end with ".js",
+ # but send an empty document instead of the usual HTML message.
+ {+block{Blocked JavaScript} +handle-as-empty-document}
+ example.org/.*\.js$
# Generic image extensions:
+ #
+ {+handle-as-image}
+ /.*\.(gif|jpg|jpeg|png|bmp|ico)$
-# These don't look like images, but they're banners and should be
-# blocked as images:
-#
-{+block{Nasty banners.} +handle-as-image}
-nasty-banner-server.example.com/junk.cgi\?output=trash
+ # These don't look like images, but they're banners and should be
+ # blocked as images:
+ #
+ {+block{Nasty banners.} +handle-as-image}
+ nasty-banner-server.example.com/junk.cgi\?output=trash
# Let the browser revalidate but make tracking based on the time less likely.
-{+hide-if-modified-since{-60} \
- +overwrite-last-modified{randomize} \
- +crunch-if-none-match}
-/
+
# Let the browser revalidate but make tracking based on the time less likely.
+ {+hide-if-modified-since{-60} \
+ +overwrite-last-modified{randomize} \
+ +crunch-if-none-match}
+ /
This action allows Privoxy to filter encrypted requests and
- responses. For this to work Privoxy has to generate a certificate and
- send it to the client which has to accept it.
+ responses. For this to work Privoxy has to generate a certificate for
+ the web site and send it to the client which has to accept it.
Before this works the directives in the HTTPS inspection section of the config
file have to be configured.
Note that the action has to be enabled based on the CONNECT request which doesn't contain a path.
Enabling it based on a pattern with path doesn't work as the path is only seen by Privoxy if the action is already enabled.
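Review bot: The reworded sentence "send it to the client which has to accept it" still does not say what makes the client accept the generated certificate. The following paragraph already points to the HTTPS inspection section of the config file. Suggest saying there, or in this sentence, that the client-side trust prerequisite is described in that section. A comma before "which" would also make the sentence easier to read.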
+limit-connect{443} # Port 443 is OK.
-+limit-connect{80,443} # Ports 80 and 443 are OK.
-+limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK.
-+limit-connect{-} # All ports are OK
-+limit-connect{,} # No HTTPS/SSL traffic is allowed
+
+limit-connect{443} # Port 443 is OK.
+ +limit-connect{80,443} # Ports 80 and 443 are OK.
+ +limit-connect{-3, 7, 20-100, 500-} # Ports less than 3, 7, 20 to 100 and above 500 are OK.
+ +limit-connect{-} # All ports are OK
+ +limit-connect{,} # No HTTPS/SSL traffic is allowed
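Review bot: The comment on `+limit-connect{-3, 7, 20-100, 500-}` ("Ports less than 3, 7, 20 to 100 and above 500 are OK") leaves it unclear whether ports 3 and 500 themselves are allowed, and it can be misread as "less than 3, less than 7". As this setting decides which ports CONNECT may reach, suggest spelling out whether the range bounds are inclusive. The `{-}` comment is also the only one of the first four without a trailing period.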
# Selectively turn off compression, and enable a filter
-#
-{ +filter{tiny-textforms} +prevent-compression }
-# Match only these sites
- .google.
- sourceforge.net
- sf.net
+
# Selectively turn off compression, and enable a filter
+ #
+ { +filter{tiny-textforms} +prevent-compression }
+ # Match only these sites
+ .google.
+ sourceforge.net
+ sf.net
-# Or instead, we could set a universal default:
-#
-{ +prevent-compression }
- / # Match all sites
+ # Or instead, we could set a universal default:
+ #
+ { +prevent-compression }
+ / # Match all sites
-# Then maybe make exceptions for broken sites:
-#
-{ -prevent-compression }
-.compusa.com/
+ # Then maybe make exceptions for broken sites:
+ #
+ { -prevent-compression }
+ .compusa.com/
# Let the browser revalidate without being tracked across sessions
-{ +hide-if-modified-since{-60} \
- +overwrite-last-modified{randomize} \
- +crunch-if-none-match}
-/
+
# Let the browser revalidate without being tracked across sessions
+ { +hide-if-modified-since{-60} \
+ +overwrite-last-modified{randomize} \
+ +crunch-if-none-match \
+ }
+ /
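Review bot: This copy of the revalidation example now ends with `+crunch-if-none-match \` and a closing `}` on its own line, while the two other copies of the same example in this patch keep `+crunch-if-none-match}` on one line. Suggest picking one layout and using it in all three places, so readers do not wonder whether the difference is significant.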
# Replace example.com's style sheet with another one
-{ +redirect{http://localhost/css-replacements/example.com.css} }
- example.com/stylesheet\.css
+
# Replace example.com's style sheet with another one
+ { +redirect{http://localhost/css-replacements/example.com.css} }
+ example.com/stylesheet\.css
-# Create a short, easy to remember nickname for a favorite site
-# (relies on the browser to accept and forward invalid URLs to Privoxy)
-{ +redirect{https://www.privoxy.org/user-manual/actions-file.html} }
- a
+ # Create a short, easy to remember nickname for a favorite site
+ # (relies on the browser to accept and forward invalid URLs to Privoxy)
+ { +redirect{https://www.privoxy.org/user-manual/actions-file.html} }
+ a
-# Always use the expanded view for Undeadly.org articles
-# (Note the $ at the end of the URL pattern to make sure
-# the request for the rewritten URL isn't redirected as well)
-{+redirect{s@$@&mode=expanded@}}
-undeadly.org/cgi\?action=article&sid=\d*$
+ # Always use the expanded view for Undeadly.org articles
+ # (Note the $ at the end of the URL pattern to make sure
+ # the request for the rewritten URL isn't redirected as well)
+ {+redirect{s@$@&mode=expanded@}}
+ undeadly.org/cgi\?action=article&sid=\d*$
-# Redirect Google search requests to MSN
-{+redirect{s@^http://[^/]*/search\?q=([^&]*).*@http://search.msn.com/results.aspx?q=$1@}}
-.google.com/search
+ # Redirect Google search requests to MSN
+ {+redirect{s@^http://[^/]*/search\?q=([^&]*).*@http://search.msn.com/results.aspx?q=$1@}}
+ .google.com/search
-# Redirect MSN search requests to Yahoo
-{+redirect{s@^http://[^/]*/results\.aspx\?q=([^&]*).*@http://search.yahoo.com/search?p=$1@}}
-search.msn.com//results\.aspx\?q=
+ # Redirect MSN search requests to Yahoo
+ {+redirect{s@^http://[^/]*/results\.aspx\?q=([^&]*).*@http://search.yahoo.com/search?p=$1@}}
+ search.msn.com//results\.aspx\?q=
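Review bot: The URL pattern `search.msn.com//results\.aspx\?q=` has a doubled slash after the host, carried over unchanged from the removed line. The substitution above it matches `^http://[^/]*/results\.aspx`, with a single slash, so the two disagree. If the doubled slash is not intentional, correct it while the line is being re-indented.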
-# Redirect http://example.com/&bla=fasel&toChange=foo (and any other value but "bar")
-# to http://example.com/&bla=fasel&toChange=bar
-#
-# The URL pattern makes sure that the following request isn't redirected again.
-{+redirect{s@toChange=[^&]+@toChange=bar@}}
-example.com/.*toChange=(?!bar)
+ # Redirect http://example.com/&bla=fasel&toChange=foo (and any other value but "bar")
+ # to http://example.com/&bla=fasel&toChange=bar
+ #
+ # The URL pattern makes sure that the following request isn't redirected again.
+ {+redirect{s@toChange=[^&]+@toChange=bar@}}
+ example.com/.*toChange=(?!bar)
-# Add a shortcut to look up illumos bugs
-{+redirect{s@^http://i([0-9]+)/.*@https://www.illumos.org/issues/$1@}}
-# Redirected URL = http://i4974/
-# Redirect Destination = https://www.illumos.org/issues/4974
-i[0-9][0-9][0-9][0-9]*/
+ # Add a shortcut to look up illumos bugs
+ {+redirect{s@^http://i([0-9]+)/.*@https://www.illumos.org/issues/$1@}}
+ # Redirected URL = http://i4974/
+ # Redirect Destination = https://www.illumos.org/issues/4974
+ i[0-9][0-9][0-9][0-9]*/
-# Redirect requests for the old Tor Hidden Service of the Privoxy website to the new one
-{+redirect{s@^http://jvauzb4sb3bwlsnc.onion/@http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/@}}
-jvauzb4sb3bwlsnc.onion/
+ # Redirect requests for the old Tor Hidden Service of the Privoxy website to the new one
+ {+redirect{s@^http://jvauzb4sb3bwlsnc.onion/@http://l3tczdiiwoo63iwxty4lhs6p7eaxop5micbn7vbliydgv63x5zrrrfyd.onion/@}}
+ jvauzb4sb3bwlsnc.onion/
-# Redirect remote requests for this manual
-# to the local version delivered by Privoxy
-{+redirect{s@^http://www@http://config@}}
-www.privoxy.org/user-manual/
+ # Redirect remote requests for this manual
+ # to the local version delivered by Privoxy
+ {+redirect{s@^http://www@http://config@}}
+ www.privoxy.org/user-manual/
# Tag every request with the content type declared by the server
-{+server-header-tagger{content-type}}
-/
+
# Tag every request with the content type declared by the server
+ {+server-header-tagger{content-type}}
+ /
-# If the response has a tag starting with 'image/' enable an external
-# filter that only applies to images.
-#
-# Note that the filter is not available by default, it's just a
-# silly example.
-{+external-filter{rotate-image} +force-text-mode}
-TAG:^image/
+ # If the response has a tag starting with 'image/' enable an external
+ # filter that only applies to images.
+ #
+ # Note that the filter is not available by default, it's just a
+ # silly example.
+ {+external-filter{rotate-image} +force-text-mode}
+ TAG:^image/
# Suppress tag produced by range-requests client-header tagger for requests coming from address 10.0.0.1
-{+suppress-tag{RANGE-REQUEST}}
-TAG:^IP-ADDRESS: 10\.0\.0\.1$
+ "SCREEN"> # Suppress tag produced by range-requests client-header tagger for requests coming from address 10.0.0.1
+ {+suppress-tag{RANGE-REQUEST}}
+ TAG:^IP-ADDRESS: 10\.0\.0\.1$
Note that many of these actions have the potential to cause a page to misbehave, possibly even not to
display at all. There are many ways a site designer may choose to design his site, and what HTTP header
content, and other criteria, he may depend on. There is no way to have hard and fast rules for all sites. See
@@ -3344,40 +3395,40 @@ TAG:^IP-ADDRESS: 10\.0\.0\.1$
-
# Useful custom aliases we can use later.
- #
- # Note the (required!) section header line and that this section
- # must be at the top of the actions file!
- #
- {{alias}}
+
# These sites are either very complex or very keen on
- # user data and require minimal interference to work:
- #
- {fragile}
- .office.microsoft.com
- .windowsupdate.microsoft.com
- # Gmail is really mail.google.com, not gmail.com
- mail.google.com
+
# These sites are either very complex or very keen on
+ # user data and require minimal interference to work:
+ #
+ {fragile}
+ .office.microsoft.com
+ .windowsupdate.microsoft.com
+ # Gmail is really mail.google.com, not gmail.com
+ mail.google.com
- # Shopping sites:
- # Allow cookies (for setting and retrieving your customer data)
- #
- {shop}
- .quietpc.com
- .worldpay.com # for quietpc.com
- mybank.example.com
+ # Shopping sites:
+ # Allow cookies (for setting and retrieving your customer data)
+ #
+ {shop}
+ .quietpc.com
+ .worldpay.com # for quietpc.com
+ mybank.example.com
- # These shops require pop-ups:
- #
- {-filter{all-popups} -filter{unsolicited-popups}}
+ # These shops require pop-ups:
+ #
+ {-filter{all-popups} -filter{unsolicited-popups}}
.dabs.com
.overclockers.co.uk
##########################################################################
-# Exceptions for sites that'll break under the default action set:
-##########################################################################
+
##########################################################################
+ # Exceptions for sites that'll break under the default action set:
+ ##########################################################################
-# "Fragile" Use a minimum set of actions for these sites (see alias above):
-#
-{ fragile }
-.office.microsoft.com # surprise, surprise!
-.windowsupdate.microsoft.com
-mail.google.com
+ # "Fragile" Use a minimum set of actions for these sites (see alias above):
+ #
+ { fragile }
+ .office.microsoft.com # surprise, surprise!
+ .windowsupdate.microsoft.com
+ mail.google.com
##########################################################################
+ # Images:
+ ##########################################################################
-# Define which file types will be treated as images, in case they get
-# blocked further down this file:
-#
-{ +handle-as-image }
-/.*\.(gif|jpe?g|png|bmp|ico)$
+ # Define which file types will be treated as images, in case they get
+ # blocked further down this file:
+ #
+ { +handle-as-image }
+ /.*\.(gif|jpe?g|png|bmp|ico)$
@@ -3591,16 +3642,16 @@ edit.*.yahoo.com
-
# Known ad generators:
-#
-{ +block-as-image }
-ar.atwola.com
-.ad.doubleclick.net
-.ad.*.doubleclick.net
-.a.yimg.com/(?:(?!/i/).)*$
-.a[0-9].yimg.com/(?:(?!/i/).)*$
-bs*.gsanet.com
-.qkimg.net
##########################################################################
-# Save some innocent victims of the above generic block patterns:
-##########################################################################
+
##########################################################################
+ # Save some innocent victims of the above generic block patterns:
+ ##########################################################################
-# By domain:
-#
-{ -block }
-adv[io]*. # (for advogato.org and advice.*)
-adsl. # (has nothing to do with ads)
-adobe. # (has nothing to do with ads either)
-ad[ud]*. # (adult.* and add.*)
-.edu # (universities don't host banners (yet!))
-.*loads. # (downloads, uploads etc)
+ # By domain:
+ #
+ { -block }
+ adv[io]*. # (for advogato.org and advice.*)
+ adsl. # (has nothing to do with ads)
+ adobe. # (has nothing to do with ads either)
+ ad[ud]*. # (adult.* and add.*)
+ .edu # (universities don't host banners (yet!))
+ .*loads. # (downloads, uploads etc)
-# By path:
-#
-/.*loads/
+ # By path:
+ #
+ /.*loads/
-# Site-specific:
-#
-www.globalintersec.com/adv # (adv = advanced)
-www.ugu.com/sui/ugu/adv
# Aliases are local to the file they are defined in.
-# (Re-)define aliases for this file:
-#
-{{alias}}
-#
-# These aliases just save typing later, and the alias names should
-# be self explanatory.
-#
-+crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies
--crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies
- allow-all-cookies = -crunch-all-cookies -session-cookies-only
- allow-popups = -filter{all-popups}
-+block-as-image = +block{Blocked as image.} +handle-as-image
--block-as-image = -block
+
# Aliases are local to the file they are defined in.
+ # (Re-)define aliases for this file:
+ #
+ {{alias}}
+ #
+ # These aliases just save typing later, and the alias names should
+ # be self explanatory.
+ #
+ +crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies
+ -crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies
+ allow-all-cookies = -crunch-all-cookies -session-cookies-only
+ allow-popups = -filter{all-popups}
+ +block-as-image = +block{Blocked as image.} +handle-as-image
+ -block-as-image = -block
-# These aliases define combinations of actions that are useful for
-# certain types of sites:
-#
-fragile = -block -crunch-all-cookies -filter -fast-redirects -hide-referrer
-shop = -crunch-all-cookies allow-popups
+ # These aliases define combinations of actions that are useful for
+ # certain types of sites:
+ #
+ fragile = -block -crunch-all-cookies -filter -fast-redirects -hide-referrer
+ shop = -crunch-all-cookies allow-popups
-# Allow ads for selected useful free sites:
-#
-allow-ads = -block -filter{banners-by-size} -filter{banners-by-link}
+ # Allow ads for selected useful free sites:
+ #
+ allow-ads = -block -filter{banners-by-size} -filter{banners-by-link}
-# Alias for specific file types that are text, but might have conflicting
-# MIME types. We want the browser to force these to be text documents.
-handle-as-text = -filter +-filter +-content-type-overwrite{text/plain} +-force-text-mode -hide-content-disposition