By default, the main configuration file is named config, with the exception of Windows, where it is named
- config.txt. Configuration lines consist of an
- initial keyword followed by a list of values, all separated by whitespace
- (any number of spaces or tabs). For example:
-
-
confdir /etc/privoxy
-
-
Assigns the value /etc/privoxy to the option
- confdir and thus indicates that the
- configuration directory is named "/etc/privoxy/".
-
-
All options in the config file except for confdir and logdir are optional.
- Watch out in the below description for what happens if you leave them
- unset.
-
-
The main config file controls all aspects of Privoxy's operation that are not location dependent
- (i.e. they apply universally, no matter where you may be surfing). Like
- the filter and action files, the config file is a plain text file and can
- be modified with a text editor like emacs, vim or notepad.exe.
If you intend to operate Privoxy
- for more users than just yourself, it might be a good idea to let them
- know how to reach you, what you block and why you do that, your
- policies, etc.
The User Manual URI is the single best source of information
- on Privoxy, and is used for
- help links from some of the internal CGI pages. The manual
- itself is normally packaged with the binary distributions, so
- you probably want to set this to a locally installed copy.
-
-
Examples:
-
-
The best all purpose solution is simply to put the full
- local PATH to where the User Manual is located:
-
-
-
-
-
+
+
+ The Main Configuration File
+
+
+
+
+
+
+
+
+
+
+
+ By default, the main configuration file is named config, with the exception of Windows, where it is
+ named config.txt. Configuration lines
+ consist of an initial keyword followed by a list of values, all
+ separated by whitespace (any number of spaces or tabs). For example:
+
+
+
+
+ confdir /etc/privoxy
+
+
+
+ Assigns the value /etc/privoxy to the option
+ confdir and thus indicates that the
+ configuration directory is named "/etc/privoxy/".
+
+
+ All options in the config file except for confdir and logdir are
+ optional. Watch out in the below description for what happens if you
+ leave them unset.
+
+
+ The main config file controls all aspects of Privoxy's operation that are not location
+ dependent (i.e. they apply universally, no matter where you may be
+ surfing). Like the filter and action files, the config file is a
+ plain text file and can be modified with a text editor like emacs,
+ vim or notepad.exe.
+
+ If you intend to operate Privoxy
+ for more users than just yourself, it might be a good idea to let
+ them know how to reach you, what you block and why you do that,
+ your policies, etc.
+
+ The User Manual URI is the single best source of
+ information on Privoxy,
+ and is used for help links from some of the internal CGI
+ pages. The manual itself is normally packaged with the
+ binary distributions, so you probably want to set this to a
+ locally installed copy.
+
+
+ Examples:
+
+
+ The best all purpose solution is simply to put the full
+ local PATH to where the User Manual is located:
+
+
+
+
+
+
+
user-manual /usr/share/doc/privoxy/user-manual
-
-
-
-
-
The User Manual is then available to anyone with access to
- Privoxy, by following the
- built-in URL: http://config.privoxy.org/user-manual/ (or the
- shortcut: http://p.p/user-manual/).
-
-
If the documentation is not on the local system, it can be
- accessed from a remote server, as:
+ The User Manual is then available to anyone with access to
+ Privoxy, by following the
+ built-in URL: http://config.privoxy.org/user-manual/ (or
+ the shortcut: http://p.p/user-manual/).
+
+
+ If the documentation is not on the local system, it can be
+ accessed from a remote server, as:
+
+
+
+
-
-
If set, this option should be the first option in the
- config file, because it is used while the
- config file is being read on start-up.
A URL to be displayed in the error page that users will see
- if access to an untrusted page is denied.
-
-
-
Type of value:
-
-
URL
-
-
-
Default value:
-
-
-
Unset
-
-
-
Effect if unset:
-
-
-
No links are displayed on the "untrusted" error page.
-
-
-
Notes:
-
-
-
The value of this option only matters if the experimental
- trust mechanism has been activated. (See trustfile below.)
-
-
If you use the trust mechanism, it is a good idea to write
- up some on-line documentation about your trust policy and to
- specify the URL(s) here. Use multiple times for multiple
- URLs.
-
-
The URL(s) should be added to the trustfile as well, so
- users don't end up locked out from the information on why they
- were locked out in the first place!
-
-
+
+
+
+
+ Warning
+
+
+
+
+
+ If set, this option should be the first option in
+ the config file, because it is used
+ while the config file is being read on start-up.
+
+ A URL to be displayed in the error page that users will see
+ if access to an untrusted page is denied.
+
+
+
+ Type of value:
+
+
+
+ URL
+
+
+
+ Default value:
+
+
+
+ Unset
+
+
+
+ Effect if unset:
+
+
+
+ No links are displayed on the "untrusted" error page.
+
+
+
+ Notes:
+
+
+
+ The value of this option only matters if the experimental
+ trust mechanism has been activated. (See trustfile below.)
+
+
+ If you use the trust mechanism, it is a good idea to write
+ up some on-line documentation about your trust policy and
+ to specify the URL(s) here. Use multiple times for multiple
+ URLs.
+
+
+ The URL(s) should be added to the trustfile as well, so
+ users don't end up locked out from the information on why
+ they were locked out in the first place!
+
Privoxy can (and normally does) use
- a number of other files for additional configuration, help and logging.
- This section of the configuration file tells Privoxy where to find those other files.
-
-
The user running Privoxy, must have
- read permission for all configuration files, and write permission to
- any files that would be modified, such as log files and actions
- files.
An alternative directory where the templates are loaded
- from.
-
-
-
Type of value:
-
-
-
Path name
-
-
-
Default value:
-
-
-
unset
-
-
-
Effect if unset:
-
-
-
The templates are assumed to be located in
- confdir/template.
-
-
-
Notes:
-
-
-
Privoxy's original
- templates are usually overwritten with each update. Use this
- option to relocate customized templates that should be kept. As
- template variables might change between updates, you shouldn't
- expect templates to work with Privoxy releases other than the one they
- were part of, though.
+ Privoxy can (and normally does)
+ use a number of other files for additional configuration, help and
+ logging. This section of the configuration file tells Privoxy where to find those other files.
+
+
+ The user running Privoxy, must
+ have read permission for all configuration files, and write
+ permission to any files that would be modified, such as log files
+ and actions files.
+
A directory where Privoxy can create temporary files.
-
-
-
Type of value:
-
-
-
Path name
-
-
-
Default value:
-
-
-
unset
-
-
-
Effect if unset:
-
-
-
No temporary files are created, external filters don't
- work.
-
-
-
Notes:
-
-
-
To execute external
- filters, Privoxy has
- to create temporary files. This directive specifies the
- directory the temporary files should be written to.
-
-
It should be a directory only Privoxy (and trusted users) can
- access.
+ An alternative directory where the templates are loaded
+ from.
+
+
+
+ Type of value:
+
+
+
+ Path name
+
+
+
+ Default value:
+
+
+
+ unset
+
+
+
+ Effect if unset:
+
+
+
+ The templates are assumed to be located in
+ confdir/template.
+
+
+
+ Notes:
+
+
+
+ Privoxy's original
+ templates are usually overwritten with each update. Use
+ this option to relocate customized templates that should be
+ kept. As template variables might change between updates,
+ you shouldn't expect templates to work with Privoxy releases other than the one
+ they were part of, though.
+
+ A directory where Privoxy can create temporary files.
+
+
+
+ Type of value:
+
+
+
+ Path name
+
+
+
+ Default value:
+
+
+
+ unset
+
+
+
+ Effect if unset:
+
+
+
+ No temporary files are created, external filters don't
+ work.
+
+
+
+ Notes:
+
+
+
+ To execute external
+ filters, Privoxy
+ has to create temporary files. This directive specifies the
+ directory the temporary files should be written to.
+
+
+ It should be a directory only Privoxy (and trusted users) can
+ access.
+
- match-all.action # Actions that are applied to all sites and maybe overruled later on.
-
-
-
-
-
-
- default.action # Main actions file
-
-
-
-
-
-
- user.action # User customizations
-
-
-
-
-
-
-
Effect if unset:
-
-
-
No actions are taken at all. More or less neutral
- proxying.
-
-
-
Notes:
-
-
-
Multiple actionsfile lines are
- permitted, and are in fact recommended!
-
-
The default values are default.action, which is the "main" actions file maintained by the
- developers, and user.action, where
- you can make your personal additions.
-
-
Actions files contain all the per site and per URL
- configuration for ad blocking, cookie management, privacy
- considerations, etc. There is no point in using Privoxy without at least one actions
- file.
-
-
Note that since Privoxy 3.0.7, the complete filename,
- including the ".action" extension
- has to be specified. The syntax change was necessary to be
- consistent with the other file options and to allow previously
- forbidden characters.
default.filter (Unix) or default.filter.txt (Windows)
-
-
-
Effect if unset:
-
-
-
No textual content filtering takes place, i.e. all
- +filter{name} actions in the actions
- files are turned neutral.
-
-
-
Notes:
-
-
-
Multiple filterfile lines are
- permitted.
-
-
The filter files contain
- content modification rules that use regular expressions. These rules
- permit powerful changes on the content of Web pages, and
- optionally the headers as well, e.g., you could try to disable
- your favorite JavaScript annoyances, re-write the actual
- displayed text, or just have some fun playing buzzword bingo
- with web pages.
-
-
The +filter{name} actions rely on the
- relevant filter (name) to
- be defined in a filter file!
-
-
A pre-defined filter file called default.filter that contains a number of useful
- filters for common problems is included in the distribution.
- See the section on the filter action for a
- list.
-
-
It is recommended to place any locally adapted filters into
- a separate file, such as user.filter.
+ match-all.action # Actions that are applied to all sites and maybe overruled later on.
+
+
+
+
+
+
+ default.action # Main actions file
+
+
+
+
+
+
+ user.action # User customizations
+
+
+
+
+
+
+
+ Effect if unset:
+
+
+
+ No actions are taken at all. More or less neutral proxying.
+
+
+
+ Notes:
+
+
+
+ Multiple actionsfile lines are
+ permitted, and are in fact recommended!
+
+
+ The default values are default.action, which is the "main" actions file maintained by the
+ developers, and user.action,
+ where you can make your personal additions.
+
+
+ Actions files contain all the per site and per URL
+ configuration for ad blocking, cookie management, privacy
+ considerations, etc.
+
Unset (commented
- out). When activated: logfile (Unix) or privoxy.log
- (Windows).
-
-
-
Effect if unset:
-
-
-
No logfile is written.
-
-
-
Notes:
-
-
-
The logfile is where all logging and error messages are
- written. The level of detail and number of messages are set
- with the debug option (see below). The
- logfile can be useful for tracking down a problem with
- Privoxy (e.g., it's not
- blocking an ad you think it should block) and it can help you
- to monitor what your browser is doing.
-
-
Depending on the debug options below, the logfile may be a
- privacy risk if third parties can get access to it. As most
- users will never look at it, Privoxy 3.0.7 and later only log fatal
- errors by default.
-
-
For most troubleshooting purposes, you will have to change
- that, please refer to the debugging section for details.
-
-
Your logfile will grow indefinitely, and you will probably
- want to periodically remove it. On Unix systems, you can do
- this with a cron job (see "man
- cron").
-
-
Any log files must be writable by whatever user Privoxy is being run as (on Unix, default
- user id is "privoxy").
+ default.filter (Unix) or default.filter.txt (Windows)
+
+
+
+ Effect if unset:
+
+
+
+ No textual content filtering takes place, i.e. all +filter{name} actions in the actions
+ files are turned neutral.
+
+
+
+ Notes:
+
+
+
+ Multiple filterfile lines are
+ permitted.
+
+
+ The filter files contain
+ content modification rules that use regular expressions. These rules
+ permit powerful changes on the content of Web pages, and
+ optionally the headers as well, e.g., you could try to
+ disable your favorite JavaScript annoyances, re-write the
+ actual displayed text, or just have some fun playing
+ buzzword bingo with web pages.
+
+
+ The +filter{name} actions rely on the
+ relevant filter (name)
+ to be defined in a filter file!
+
+
+ A pre-defined filter file called default.filter that contains a number of
+ useful filters for common problems is included in the
+ distribution. See the section on the filter action for
+ a list.
+
+
+ It is recommended to place any locally adapted filters into
+ a separate file, such as user.filter.
+
Unset (commented
- out). When activated: trust (Unix) or trust.txt
- (Windows)
-
-
-
Effect if unset:
-
-
-
The entire trust mechanism is disabled.
-
-
-
Notes:
-
-
-
The trust mechanism is an experimental feature for building
- white-lists and should be used with care. It is NOT recommended for
- the casual user.
-
-
If you specify a trust file, Privoxy will only allow access to sites
- that are specified in the trustfile. Sites can be listed in one
- of two ways:
-
-
Prepending a ~ character limits
- access to this site only (and any sub-paths within this site),
- e.g. ~www.example.com allows access to
- ~www.example.com/features/news.html,
- etc.
-
-
Or, you can designate sites as trusted referrers, by
- prepending the name with a +
- character. The effect is that access to untrusted sites will be
- granted -- but only if a link from this trusted referrer was
- used to get there. The link target will then be added to the
- "trustfile" so that future, direct
- accesses will be granted. Sites added via this mechanism do not
- become trusted referrers themselves (i.e. they are added with a
- ~ designation). There is a limit of
- 512 such entries, after which new entries will not be made.
-
-
If you use the + operator in the
- trust file, it may grow considerably over time.
-
-
It is recommended that Privoxy be compiled with the --disable-force, --disable-toggle and --disable-editor options, if this feature is to
- be used.
-
-
Possible applications include limiting Internet access for
- children.
+ Unset (commented
+ out). When activated: logfile (Unix) or
+ privoxy.log (Windows).
+
+
+
+ Effect if unset:
+
+
+
+ No logfile is written.
+
+
+
+ Notes:
+
+
+
+ The logfile is where all logging and error messages are
+ written. The level of detail and number of messages are set
+ with the debug option (see below).
+ The logfile can be useful for tracking down a problem with
+ Privoxy (e.g., it's not
+ blocking an ad you think it should block) and it can help
+ you to monitor what your browser is doing.
+
+
+ Depending on the debug options below, the logfile may be a
+ privacy risk if third parties can get access to it. As most
+ users will never look at it, Privoxy only logs fatal errors by
+ default.
+
+
+ For most troubleshooting purposes, you will have to change
+ that, please refer to the debugging section for details.
+
+
+ Any log files must be writable by whatever user Privoxy is being run as (on
+ Unix, default user id is "privoxy").
+
+
+ To prevent the logfile from growing indefinitely, it is
+ recommended to periodically rotate or shorten it. Many
+ operating systems support log rotation out of the box, some
+ require additional software to do it. For details, please
+ refer to the documentation for your operating system.
+
+ Unset (commented
+ out). When activated: trust (Unix) or trust.txt
+ (Windows)
+
+
+
+ Effect if unset:
+
+
+
+ The entire trust mechanism is disabled.
+
+
+
+ Notes:
+
+
+
+ The trust mechanism is an experimental feature for building
+ white-lists and should be used with care. It is NOT
+ recommended for the casual user.
+
+
+ If you specify a trust file, Privoxy will only allow access to
+ sites that are specified in the trustfile. Sites can be
+ listed in one of two ways:
+
+
+ Prepending a ~ character limits
+ access to this site only (and any sub-paths within this
+ site), e.g. ~www.example.com
+ allows access to ~www.example.com/features/news.html, etc.
+
+
+ Or, you can designate sites as trusted referrers, by
+ prepending the name with a +
+ character. The effect is that access to untrusted sites
+ will be granted -- but only if a link from this trusted
+ referrer was used to get there. The link target will then
+ be added to the "trustfile" so
+ that future, direct accesses will be granted. Sites added
+ via this mechanism do not become trusted referrers
+ themselves (i.e. they are added with a ~ designation). There is a limit of 512 such
+ entries, after which new entries will not be made.
+
+
+ If you use the + operator in the
+ trust file, it may grow considerably over time.
+
+
+ It is recommended that Privoxy be compiled with the --disable-force, --disable-toggle and --disable-editor options, if this feature is
+ to be used.
+
+
+ Possible applications include limiting Internet access for
+ children.
+
These options are mainly useful when tracing a problem. Note that
- you might also want to invoke Privoxy
- with the --no-daemon command line option when
- debugging.
+ These options are mainly useful when tracing a problem. Note that
+ you might also want to invoke Privoxy with the --no-daemon command line option when debugging.
+
+ Key values that determine what information gets logged.
+
+
+
+ Type of value:
+
+
+
+ Integer values
+
+
+
+ Default value:
+
+
+
+ 0 (i.e.: only fatal errors (that cause Privoxy to exit) are
+ logged)
+
+
+
+ Effect if unset:
+
+
+
+ Default value is used (see above).
+
+
+
+ Notes:
+
+
+
+ The available debug levels are:
+
+
+
+
+
+
+
debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
debug 2 # show each connection status
@@ -892,1301 +1061,1564 @@
debug 32768 # log all data read from the network
debug 65536 # Log the applying actions
-
-
-
-
-
To select multiple debug levels, you can either add them or
- use multiple debug lines.
-
-
A debug level of 1 is informative because it will show you
- each request as it happens. 1, 1024, 4096 and 8192 are recommended so
- that you will notice when things go wrong. The other levels are
- probably only of interest if you are hunting down a specific
- problem. They can produce a hell of an output (especially
- 16).
-
-
Privoxy used to ship with
- the debug levels recommended above enabled by default, but due
- to privacy concerns 3.0.7 and later are configured to only log
- fatal errors.
-
-
If you are used to the more verbose settings, simply enable
- the debug lines below again.
-
-
If you want to use pure CLF (Common Log Format), you should
- set "debug 512"ONLY and not enable
- anything else.
-
-
Privoxy has a hard-coded
- limit for the length of log messages. If it's reached, messages
- are logged truncated and marked with "...
- [too long, truncated]".
+
+
+
-
Please don't file any support requests without trying to
- reproduce the problem with increased debug level first. Once
- you read the log messages, you may even be able to solve the
- problem on your own.
-
-
+
+ To select multiple debug levels, you can either add them or
+ use multiple debug lines.
+
+
+ A debug level of 1 is informative because it will show you
+ each request as it happens. 1, 1024, 4096 and 8192 are
+ recommended so that you will notice when things
+ go wrong. The other levels are probably only of interest if
+ you are hunting down a specific problem. They can produce a
+ hell of an output (especially 16).
+
+
+ If you are used to the more verbose settings, simply enable
+ the debug lines below again.
+
+
+ If you want to use pure CLF (Common Log Format), you should
+ set "debug 512"ONLY and not
+ enable anything else.
+
+
+ Privoxy has a hard-coded
+ limit for the length of log messages. If it's reached,
+ messages are logged truncated and marked with "... [too long, truncated]".
+
+
+ Please don't file any support requests without trying to
+ reproduce the problem with increased debug level first.
+ Once you read the log messages, you may even be able to
+ solve the problem on your own.
+
+ The hostname provided by the operating system is used.
+
+
+
+ Notes:
+
+
+
+ On some misconfigured systems resolving the hostname fails
+ or takes too much time and slows Privoxy down. Setting a
+ fixed hostname works around the problem.
+
+
+ In other circumstances it might be desirable to show a
+ hostname other than the one returned by the operating
+ system. For example if the system has several different
+ hostnames and you don't want to use the first one.
+
+
+ Note that Privoxy does not validate the specified hostname
+ value.
+
The hostname provided by the operating system is used.
-
-
-
Notes:
-
-
-
On some misconfigured systems resolving the hostname fails
- or takes too much time and slows Privoxy down. Setting a fixed
- hostname works around the problem.
-
-
In other circumstances it might be desirable to show a
- hostname other than the one returned by the operating system.
- For example if the system has several different hostnames and
- you don't want to use the first one.
-
-
Note that Privoxy does not validate the specified hostname
- value.
The address and TCP port on which Privoxy will listen for client
- requests.
-
-
-
Type of value:
-
-
-
[IP-Address]:Port
-
-
[Hostname]:Port
-
-
-
Default value:
-
-
-
127.0.0.1:8118
-
-
-
Effect if unset:
-
-
-
Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is
- suitable and recommended for home users who run Privoxy on the same machine as their
- browser.
-
-
-
Notes:
-
-
-
You will need to configure your browser(s) to this proxy
- address and port.
-
-
If you already have another service running on port 8118, or
- if you want to serve requests from other machines (e.g. on your
- local network) as well, you will need to override the
- default.
-
-
You can use this statement multiple times to make
- Privoxy listen on more ports
- or more IP addresses. Suitable if
- your operating system does not support sharing IPv6 and IPv4
- protocols on the same socket.
-
-
If a hostname is used instead of an IP address, Privoxy will try to resolve it to an IP
- address and if there are multiple, use the first one
- returned.
-
-
If the address for the hostname isn't already known on the
- system (for example because it's in /etc/hostname), this may
- result in DNS traffic.
-
-
If the specified address isn't available on the system, or
- if the hostname can't be resolved, Privoxy will fail to start.
-
-
IPv6 addresses containing colons have to be quoted by
- brackets. They can only be used if Privoxy has been compiled with IPv6
- support. If you aren't sure if your version supports it, have a
- look at http://config.privoxy.org/show-status.
-
-
Some operating systems will prefer IPv6 to IPv4 addresses
- even if the system has no IPv6 connectivity which is usually
- not expected by the user. Some even rely on DNS to resolve
- localhost which mean the "localhost" address used may not
- actually be local.
-
-
It is therefore recommended to explicitly configure the
- intended IP address instead of relying on the operating system,
- unless there's a strong reason not to.
-
-
If you leave out the address, Privoxy will bind to all IPv4 interfaces
- (addresses) on your machine and may become reachable from the
- Internet and/or the local network. Be aware that some GNU/Linux
- distributions modify that behaviour without updating the
- documentation. Check for non-standard patches if your
- Privoxy version behaves
- differently.
-
-
If you configure Privoxy to
- be reachable from the network, consider using access control lists (ACL's, see below),
- and/or a firewall.
-
-
If you open Privoxy to
- untrusted users, you will also want to make sure that the
- following actions are disabled: enable-edit-actions
- and enable-remote-toggle
-
-
-
Example:
-
-
-
Suppose you are running Privoxy on a machine which has the address
- 192.168.0.1 on your local private network (192.168.0.0) and has
- another outside connection with a different address. You want
- it to serve requests from inside only:
+ The address and TCP port on which Privoxy will listen for client
+ requests.
+
+
+
+ Type of value:
+
+
+
+ [IP-Address]:Port
+
+
+ [Hostname]:Port
+
+
+
+ Default value:
+
+
+
+ 127.0.0.1:8118
+
+
+
+ Effect if unset:
+
+
+
+ Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is
+ suitable and recommended for home users who run Privoxy on the same machine as
+ their browser.
+
+
+
+ Notes:
+
+
+
+ You will need to configure your browser(s) to this proxy
+ address and port.
+
+
+ If you already have another service running on port 8118,
+ or if you want to serve requests from other machines (e.g.
+ on your local network) as well, you will need to override
+ the default.
+
+
+ You can use this statement multiple times to make Privoxy listen on more ports or
+ more IP addresses. Suitable if
+ your operating system does not support sharing IPv6 and IPv4
+ protocols on the same socket.
+
+
+ If a hostname is used instead of an IP address, Privoxy will try to resolve it
+ to an IP address and if there are multiple, use the first
+ one returned.
+
+
+ If the address for the hostname isn't already known on the
+ system (for example because it's in /etc/hostname), this
+ may result in DNS traffic.
+
+
+ If the specified address isn't available on the system, or
+ if the hostname can't be resolved, Privoxy will fail to start.
+
+
+ IPv6 addresses containing colons have to be quoted by
+ brackets. They can only be used if Privoxy has been compiled with IPv6
+ support. If you aren't sure if your version supports it,
+ have a look at http://config.privoxy.org/show-status.
+
+
+ Some operating systems will prefer IPv6 to IPv4 addresses
+ even if the system has no IPv6 connectivity which is
+ usually not expected by the user. Some even rely on DNS to
+ resolve localhost which mean the "localhost" address used
+ may not actually be local.
+
+
+ It is therefore recommended to explicitly configure the
+ intended IP address instead of relying on the operating
+ system, unless there's a strong reason not to.
+
+
+ If you leave out the address, Privoxy will bind to all IPv4
+ interfaces (addresses) on your machine and may become
+ reachable from the Internet and/or the local network. Be
+ aware that some GNU/Linux distributions modify that
+ behaviour without updating the documentation. Check for
+ non-standard patches if your Privoxy version behaves differently.
+
+
+ If you configure Privoxy
+ to be reachable from the network, consider using access control lists (ACL's, see
+ below), and/or a firewall.
+
+
+ If you open Privoxy to
+ untrusted users, you will also want to make sure that the
+ following actions are disabled: enable-edit-actions
+ and enable-remote-toggle
+
+
+
+ Example:
+
+
+
+ Suppose you are running Privoxy on a machine which has the
+ address 192.168.0.1 on your local private network
+ (192.168.0.0) and has another outside connection with a
+ different address. You want it to serve requests from
+ inside only:
+
+
+
+
+
+
+
listen-address 192.168.0.1:8118
-
-
-
-
-
Suppose you are running Privoxy on an IPv6-capable machine and you
- want it to listen on the IPv6 address of the loopback
- device:
+
+
+
-
-
-
-
+
+ Suppose you are running Privoxy on an IPv6-capable machine and
+ you want it to listen on the IPv6 address of the loopback
+ device:
+
If set to 0, Privoxy will
- start in "toggled off" mode, i.e.
- mostly behave like a normal, content-neutral proxy with both ad
- blocking and content filtering disabled. See enable-remote-toggle below.
+ If set to 0, Privoxy will
+ start in "toggled off" mode,
+ i.e. mostly behave like a normal, content-neutral proxy
+ with both ad blocking and content filtering disabled. See
+ enable-remote-toggle below.
+
When toggled off, Privoxy
- mostly acts like a normal, content-neutral proxy, i.e. doesn't
- block ads or filter content.
-
-
Access to the toggle feature can not be controlled
- separately by "ACLs" or HTTP
- authentication, so that everybody who can access Privoxy (see "ACLs" and listen-address above) can toggle it for all
- users. So this option is not recommended for multi-user
- environments with untrusted users.
-
-
Note that malicious client side code (e.g Java) is also
- capable of using this option.
-
-
As a lot of Privoxy users
- don't read documentation, this feature is disabled by
- default.
-
-
Note that you must have compiled Privoxy with support for this feature,
- otherwise this option has no effect.
+ When toggled off, Privoxy
+ mostly acts like a normal, content-neutral proxy, i.e.
+ doesn't block ads or filter content.
+
+
+ Access to the toggle feature can not be controlled separately by
+ "ACLs" or HTTP authentication,
+ so that everybody who can access Privoxy (see "ACLs" and listen-address above) can toggle it for all
+ users. So this option is not recommended for multi-user
+ environments with untrusted users.
+
+
+ Note that malicious client side code (e.g Java) is also
+ capable of using this option.
+
+
+ As a lot of Privoxy users
+ don't read documentation, this feature is disabled by
+ default.
+
+
+ Note that you must have compiled Privoxy with support for this feature,
+ otherwise this option has no effect.
+
Whether or not Privoxy recognizes special HTTP headers to
- change its behaviour.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Privoxy ignores special HTTP headers.
-
-
-
Notes:
-
-
-
When toggled on, the client can change Privoxy's behaviour by setting special
- HTTP headers. Currently the only supported special header is
- "X-Filter: No", to disable filtering
- for the ongoing request, even if it is enabled in one of the
- action files.
-
-
This feature is disabled by default. If you are using
- Privoxy in a environment with
- trusted clients, you may enable this feature at your
- discretion. Note that malicious client side code (e.g Java) is
- also capable of using this feature.
-
-
This option will be removed in future releases as it has
- been obsoleted by the more general header taggers.
+ Whether or not Privoxy recognizes special HTTP headers to
+ change its behaviour.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Privoxy ignores special HTTP headers.
+
+
+
+ Notes:
+
+
+
+ When toggled on, the client can change Privoxy's behaviour by setting special
+ HTTP headers. Currently the only supported special header
+ is "X-Filter: No", to disable
+ filtering for the ongoing request, even if it is enabled in
+ one of the action files.
+
+
+ This feature is disabled by default. If you are using Privoxy in a environment with
+ trusted clients, you may enable this feature at your
+ discretion. Note that malicious client side code (e.g Java)
+ is also capable of using this feature.
+
+
+ This option will be removed in future releases as it has
+ been obsoleted by the more general header taggers.
+
Access to the editor can not be controlled separately by
- "ACLs" or HTTP authentication, so
- that everybody who can access Privoxy (see "ACLs" and listen-address above) can modify its
- configuration for all users.
-
-
This option is not recommended for environments with
- untrusted users and as a lot of Privoxy users don't read documentation,
- this feature is disabled by default.
-
-
Note that malicious client side code (e.g Java) is also
- capable of using the actions editor and you shouldn't enable
- this options unless you understand the consequences and are
- sure your browser is configured correctly.
-
-
Note that you must have compiled Privoxy with support for this feature,
- otherwise this option has no effect.
+ The web-based actions file editor is disabled.
+
+
+
+ Notes:
+
+
+
+ Access to the editor can not be controlled separately by "ACLs" or HTTP authentication, so that
+ everybody who can access Privoxy (see "ACLs" and listen-address above) can modify its
+ configuration for all users.
+
+
+ This option is not recommended for environments with
+ untrusted users and as a lot of Privoxy users don't read
+ documentation, this feature is disabled by default.
+
+
+ Note that malicious client side code (e.g Java) is also
+ capable of using the actions editor and you shouldn't
+ enable this options unless you understand the consequences
+ and are sure your browser is configured correctly.
+
+
+ Note that you must have compiled Privoxy with support for this feature,
+ otherwise this option has no effect.
+
Whether the user is allowed to ignore blocks and can
- "go there anyway".
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Blocks are not enforced.
-
-
-
Notes:
-
-
-
Privoxy is mainly used to
- block and filter requests as a service to the user, for example
- to block ads and other junk that clogs the pipes. Privoxy's configuration isn't perfect and
- sometimes innocent pages are blocked. In this situation it
- makes sense to allow the user to enforce the request and have
- Privoxy ignore the block.
-
-
In the default configuration Privoxy's"Blocked" page contains a "go there anyway" link to adds a special string
- (the force prefix) to the request URL. If that link is used,
- Privoxy will detect the force
- prefix, remove it again and let the request pass.
-
-
Of course Privoxy can also
- be used to enforce a network policy. In that case the user
- obviously should not be able to bypass any blocks, and that's
- what the "enforce-blocks" option is
- for. If it's enabled, Privoxy
- hides the "go there anyway" link. If
- the user adds the force prefix by hand, it will not be accepted
- and the circumvention attempt is logged.
+ Whether the user is allowed to ignore blocks and can "go there anyway".
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Blocks are not enforced.
+
+
+
+ Notes:
+
+
+
+ Privoxy is mainly used to
+ block and filter requests as a service to the user, for
+ example to block ads and other junk that clogs the pipes.
+ Privoxy's configuration
+ isn't perfect and sometimes innocent pages are blocked. In
+ this situation it makes sense to allow the user to enforce
+ the request and have Privoxy ignore the block.
+
+
+ In the default configuration Privoxy's"Blocked" page contains a "go there anyway" link to adds a special
+ string (the force prefix) to the request URL. If that link
+ is used, Privoxy will
+ detect the force prefix, remove it again and let the
+ request pass.
+
+
+ Of course Privoxy can also
+ be used to enforce a network policy. In that case the user
+ obviously should not be able to bypass any blocks, and
+ that's what the "enforce-blocks"
+ option is for. If it's enabled, Privoxy hides the "go there anyway" link. If the user adds the
+ force prefix by hand, it will not be accepted and the
+ circumvention attempt is logged.
+
Where src_addr and
- dst_addr are IPv4 addresses
- in dotted decimal notation or valid DNS names, port is a port number, and src_masklen and dst_masklen are subnet masks in CIDR
- notation, i.e. integer values from 2 to 30 representing the
- length (in bits) of the network address. The masks and the
- whole destination part are optional.
-
-
If your system implements RFC
- 3493, then src_addr and
- dst_addr can be IPv6
- addresses delimeted by brackets, port can be a number or a service
- name, and src_masklen and
- dst_masklen can be a number
- from 0 to 128.
-
-
-
Default value:
-
-
-
Unset
-
-
If no port is specified,
- any port will match. If no src_masklen or src_masklen is given, the complete IP
- address has to match (i.e. 32 bits for IPv4 and 128 bits for
- IPv6).
-
-
-
Effect if unset:
-
-
-
Don't restrict access further than implied by listen-address
-
-
-
Notes:
-
-
-
Access controls are included at the request of ISPs and
- systems administrators, and are not usually needed by individual
- users. For a typical home user, it will normally
- suffice to ensure that Privoxy
- only listens on the localhost (127.0.0.1) or internal (home)
- network address by means of the listen-address option.
-
-
Please see the warnings in the FAQ that Privoxy is not intended to be a substitute
- for a firewall or to encourage anyone to defer addressing basic
- security weaknesses.
-
-
Multiple ACL lines are OK. If any ACLs are specified,
- Privoxy only talks to IP
- addresses that match at least one permit-access line and don't match any
- subsequent deny-access line. In other
- words, the last match wins, with the default being deny-access.
-
-
If Privoxy is using a
- forwarder (see forward below) for a
- particular destination URL, the dst_addr that is examined is the
- address of the forwarder and NOT the address of the ultimate target.
- This is necessary because it may be impossible for the local
- Privoxy to determine the IP
- address of the ultimate target (that's often what gateways are
- used for).
-
-
You should prefer using IP addresses over DNS names, because
- the address lookups take time. All DNS names must resolve! You
- can not
- use domain patterns like "*.org" or
- partial domain names. If a DNS name resolves to multiple IP
- addresses, only the first one is used.
-
-
Some systems allow IPv4 clients to connect to IPv6 server
- sockets. Then the client's IPv4 address will be translated by
- the system into IPv6 address space with special prefix
- ::ffff:0:0/96 (so called IPv4 mapped IPv6 address).
- Privoxy can handle it and maps
- such ACL addresses automatically.
-
-
Denying access to particular sites by ACL may have undesired
- side effects if the site in question is hosted on a machine
- which also hosts other sites (most sites are).
-
-
-
Examples:
-
-
-
Explicitly define the default behavior if no ACL and
- listen-address are set: "localhost" is OK. The absence of a dst_addr implies that all destination
- addresses are OK:
+ Where src_addr and dst_addr are IPv4 addresses
+ in dotted decimal notation or valid DNS names, port is a port number, and src_masklen and dst_masklen are subnet masks in
+ CIDR notation, i.e. integer values from 2 to 30
+ representing the length (in bits) of the network address.
+ The masks and the whole destination part are optional.
+
+
+ If your system implements RFC
+ 3493, then src_addr
+ and dst_addr can be
+ IPv6 addresses delimeted by brackets, port can be a number or a service
+ name, and src_masklen
+ and dst_masklen can be
+ a number from 0 to 128.
+
+
+
+ Default value:
+
+
+
+ Unset
+
+
+ If no port is
+ specified, any port will match. If no src_masklen or src_masklen is given, the
+ complete IP address has to match (i.e. 32 bits for IPv4 and
+ 128 bits for IPv6).
+
+
+
+ Effect if unset:
+
+
+
+ Don't restrict access further than implied by listen-address
+
+
+
+ Notes:
+
+
+
+ Access controls are included at the request of ISPs and
+ systems administrators, and are not usually needed by individual
+ users. For a typical home user, it will normally
+ suffice to ensure that Privoxy only listens on the localhost
+ (127.0.0.1) or internal (home) network address by means of
+ the listen-address option.
+
+
+ Please see the warnings in the FAQ that Privoxy is not intended to be a
+ substitute for a firewall or to encourage anyone to defer
+ addressing basic security weaknesses.
+
+
+ Multiple ACL lines are OK. If any ACLs are specified, Privoxy only talks to IP
+ addresses that match at least one permit-access line and don't match any
+ subsequent deny-access line. In
+ other words, the last match wins, with the default being
+ deny-access.
+
+
+ If Privoxy is using a
+ forwarder (see forward below) for
+ a particular destination URL, the dst_addr that is examined is the
+ address of the forwarder and NOT the address of the ultimate
+ target. This is necessary because it may be impossible for
+ the local Privoxy to
+ determine the IP address of the ultimate target (that's
+ often what gateways are used for).
+
+
+ You should prefer using IP addresses over DNS names,
+ because the address lookups take time. All DNS names must
+ resolve! You can not use domain patterns like "*.org" or partial domain names. If a
+ DNS name resolves to multiple IP addresses, only the first
+ one is used.
+
+
+ Some systems allow IPv4 clients to connect to IPv6 server
+ sockets. Then the client's IPv4 address will be translated
+ by the system into IPv6 address space with special prefix
+ ::ffff:0:0/96 (so called IPv4 mapped IPv6 address). Privoxy can handle it and maps
+ such ACL addresses automatically.
+
+
+ Denying access to particular sites by ACL may have
+ undesired side effects if the site in question is hosted on
+ a machine which also hosts other sites (most sites are).
+
+
+
+ Examples:
+
+
+
+ Explicitly define the default behavior if no ACL and listen-address are set: "localhost" is OK. The absence of a dst_addr implies that all
+ destination addresses are OK:
+
+
+
+
+
+
+
permit-access localhost
-
-
-
-
-
Allow any host on the same class C subnet as www.privoxy.org
- access to nothing but www.example.com (or other domains hosted
- on the same system):
+
+
+
-
-
-
-
+
+ Allow any host on the same class C subnet as
+ www.privoxy.org access to nothing but www.example.com (or
+ other domains hosted on the same system):
+
Allow access from any host on the 26-bit subnet
- 192.168.45.64 to anywhere, with the exception that
- 192.168.45.73 may not access the IP address behind
- www.dirty-stuff.example.com:
+
+
+
-
-
-
-
+
+ Allow access from any host on the 26-bit subnet
+ 192.168.45.64 to anywhere, with the exception that
+ 192.168.45.73 may not access the IP address behind
+ www.dirty-stuff.example.com:
+
For content filtering, i.e. the +filter and +deanimate-gif actions, it is necessary that
- Privoxy buffers the entire
- document body. This can be potentially dangerous, since a
- server could just keep sending data indefinitely and wait for
- your RAM to exhaust -- with nasty consequences. Hence this
- option.
-
-
When a document buffer size reaches the buffer-limit, it is flushed to the client
- unfiltered and no further attempt to filter the rest of the
- document is made. Remember that there may be multiple threads
- running, which might require up to buffer-limit Kbytes each, unless you have
- enabled "single-threaded" above.
+ Maximum size of the buffer for content filtering.
+
+
+
+ Type of value:
+
+
+
+ Size in Kbytes
+
+
+
+ Default value:
+
+
+
+ 4096
+
+
+
+ Effect if unset:
+
+
+
+ Use a 4MB (4096 KB) limit.
+
+
+
+ Notes:
+
+
+
+ For content filtering, i.e. the +filter and +deanimate-gif actions, it is necessary that
+ Privoxy buffers the entire
+ document body. This can be potentially dangerous, since a
+ server could just keep sending data indefinitely and wait
+ for your RAM to exhaust -- with nasty consequences. Hence
+ this option.
+
+
+ When a document buffer size reaches the buffer-limit, it is flushed to the client
+ unfiltered and no further attempt to filter the rest of the
+ document is made. Remember that there may be multiple
+ threads running, which might require up to buffer-limit Kbytes each, unless you
+ have enabled "single-threaded"
+ above.
+
Whether or not proxy authentication through Privoxy should work.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Proxy authentication headers are removed.
-
-
-
Notes:
-
-
-
Privoxy itself does not support proxy authentication, but
- can allow clients to authenticate against Privoxy's parent
- proxy.
-
-
By default Privoxy (3.0.21 and later) don't do that and
- remove Proxy-Authorization headers in requests and
- Proxy-Authenticate headers in responses to make it harder for
- malicious sites to trick inexperienced users into providing
- login information.
-
-
If this option is enabled the headers are forwarded.
-
-
Enabling this option is not recommended if there is no parent
- proxy that requires authentication or if the local network
- between Privoxy and the parent proxy isn't trustworthy. If
- proxy authentication is only required for some requests, it is
- recommended to use a client header filter to remove the
- authentication headers for requests where they aren't
- needed.
+ Whether or not proxy authentication through Privoxy should work.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Proxy authentication headers are removed.
+
+
+
+ Notes:
+
+
+
+ Privoxy itself does not support proxy authentication, but
+ can allow clients to authenticate against Privoxy's parent
+ proxy.
+
+
+ By default Privoxy (3.0.21 and later) don't do that and
+ remove Proxy-Authorization headers in requests and
+ Proxy-Authenticate headers in responses to make it harder
+ for malicious sites to trick inexperienced users into
+ providing login information.
+
+
+ If this option is enabled the headers are forwarded.
+
+
+ Enabling this option is not recommended if there is no parent
+ proxy that requires authentication or if the local network
+ between Privoxy and the parent proxy isn't trustworthy. If
+ proxy authentication is only required for some requests, it
+ is recommended to use a client header filter to remove the
+ authentication headers for requests where they aren't
+ needed.
+
This feature allows routing of HTTP requests through a chain of
- multiple proxies.
-
-
Forwarding can be used to chain Privoxy with a caching proxy to
- speed up browsing. Using a parent proxy may also be necessary if the
- machine that Privoxy runs on has no
- direct Internet access.
-
-
Note that parent proxies can severely decrease your privacy level.
- For example a parent proxy could add your IP address to the request
- headers and if it's a caching proxy it may add the "Etag" header to revalidation requests again, even
- though you configured Privoxy to remove it. It may also ignore
- Privoxy's header time randomization and use the original values which
- could be used by the server as cookie replacement to track your steps
- between visits.
-
-
Also specified here are SOCKS proxies. Privoxy supports the SOCKS 4 and SOCKS 4A
- protocols.
To which parent HTTP proxy specific requests should be
- routed.
-
-
-
Type of value:
-
-
-
target_pattern
- http_parent[:port]
-
-
where target_pattern is
- a URL pattern that
- specifies to which requests (i.e. URLs) this forward rule shall
- apply. Use / to denote "all URLs". http_parent[:port] is the DNS name or IP address
- of the parent HTTP proxy through which the requests should be
- forwarded, optionally followed by its listening port (default:
- 8000). Use a single dot (.) to denote
- "no forwarding".
-
-
-
Default value:
-
-
-
Unset
-
-
-
Effect if unset:
-
-
-
Don't use parent HTTP proxies.
-
-
-
Notes:
-
-
-
If http_parent is
- ".", then requests are not forwarded
- to another HTTP proxy but are made directly to the web
- servers.
-
-
http_parent can be a
- numerical IPv6 address (if RFC 3493
- is implemented). To prevent clashes with the port delimiter,
- the whole IP address has to be put into brackets. On the other
- hand a target_pattern
- containing an IPv6 address has to be put into angle brackets
- (normal brackets are reserved for regular expressions
- already).
-
-
Multiple lines are OK, they are checked in sequence, and the
- last match wins.
-
-
-
Examples:
-
-
-
Everything goes to an example parent proxy, except SSL on
- port 443 (which it doesn't handle):
+ This feature allows routing of HTTP requests through a chain of
+ multiple proxies.
+
+
+ Forwarding can be used to chain Privoxy with a caching proxy to
+ speed up browsing. Using a parent proxy may also be necessary if
+ the machine that Privoxy runs on
+ has no direct Internet access.
+
+
+ Note that parent proxies can severely decrease your privacy level.
+ For example a parent proxy could add your IP address to the request
+ headers and if it's a caching proxy it may add the "Etag" header to revalidation requests again, even
+ though you configured Privoxy to remove it. It may also ignore
+ Privoxy's header time randomization and use the original values
+ which could be used by the server as cookie replacement to track
+ your steps between visits.
+
+
+ Also specified here are SOCKS proxies. Privoxy supports the SOCKS 4 and SOCKS 4A
+ protocols.
+
+ To which parent HTTP proxy specific requests should be
+ routed.
+
+
+
+ Type of value:
+
+
+
+ target_patternhttp_parent[:port]
+
+
+ where target_pattern is
+ a URL pattern
+ that specifies to which requests (i.e. URLs) this forward
+ rule shall apply. Use / to denote
+ "all URLs". http_parent[:port] is the DNS name or IP
+ address of the parent HTTP proxy through which the requests
+ should be forwarded, optionally followed by its listening
+ port (default: 8000). Use a single dot (.) to denote "no
+ forwarding".
+
+
+
+ Default value:
+
+
+
+ Unset
+
+
+
+ Effect if unset:
+
+
+
+ Don't use parent HTTP proxies.
+
+
+
+ Notes:
+
+
+
+ If http_parent is ".", then requests are not forwarded
+ to another HTTP proxy but are made directly to the web
+ servers.
+
+
+ http_parent can be a
+ numerical IPv6 address (if RFC
+ 3493 is implemented). To prevent clashes with the port
+ delimiter, the whole IP address has to be put into
+ brackets. On the other hand a target_pattern containing an IPv6
+ address has to be put into angle brackets (normal brackets
+ are reserved for regular expressions already).
+
+
+ Multiple lines are OK, they are checked in sequence, and
+ the last match wins.
+
+
+
+ Examples:
+
+
+
+ Everything goes to an example parent proxy, except SSL on
+ port 443 (which it doesn't handle):
+
where target_pattern is
- a URL pattern that
- specifies to which requests (i.e. URLs) this forward rule shall
- apply. Use / to denote "all URLs". http_parent and socks_proxy are IP addresses in
- dotted decimal notation or valid DNS names (http_parent may be "." to denote "no HTTP
- forwarding"), and the optional port parameters are TCP ports, i.e.
- integer values from 1 to 65535
-
-
-
Default value:
-
-
-
Unset
-
-
-
Effect if unset:
-
-
-
Don't use SOCKS proxies.
-
-
-
Notes:
-
-
-
Multiple lines are OK, they are checked in sequence, and the
- last match wins.
-
-
The difference between forward-socks4 and forward-socks4a is that in the SOCKS 4A
- protocol, the DNS resolution of the target hostname happens on
- the SOCKS server, while in SOCKS 4 it happens locally.
-
-
With forward-socks5 the DNS
- resolution will happen on the remote server as well.
-
-
forward-socks5t works like vanilla
- forward-socks5 but lets Privoxy additionally use Tor-specific
- SOCKS extensions. Currently the only supported SOCKS extension
- is optimistic data which can reduce the latency for the first
- request made on a newly created connection.
-
-
socks_proxy and
- http_parent can be a
- numerical IPv6 address (if RFC 3493
- is implemented). To prevent clashes with the port delimiter,
- the whole IP address has to be put into brackets. On the other
- hand a target_pattern
- containing an IPv6 address has to be put into angle brackets
- (normal brackets are reserved for regular expressions
- already).
-
-
If http_parent is
- ".", then requests are not forwarded
- to another HTTP proxy but are made (HTTP-wise) directly to the
- web servers, albeit through a SOCKS proxy.
-
-
-
Examples:
-
-
-
From the company example.com, direct connections are made to
- all "internal" domains, but
- everything outbound goes through their ISP's proxy by way of
- example.com's corporate SOCKS 4A gateway to the Internet.
+ where target_pattern is
+ a URL pattern
+ that specifies to which requests (i.e. URLs) this forward
+ rule shall apply. Use / to denote
+ "all URLs". http_parent and socks_proxy are IP addresses in
+ dotted decimal notation or valid DNS names (http_parent may be "." to denote "no HTTP
+ forwarding"), and the optional port parameters are TCP ports,
+ i.e. integer values from 1 to 65535
+
+
+
+ Default value:
+
+
+
+ Unset
+
+
+
+ Effect if unset:
+
+
+
+ Don't use SOCKS proxies.
+
+
+
+ Notes:
+
+
+
+ Multiple lines are OK, they are checked in sequence, and
+ the last match wins.
+
+
+ The difference between forward-socks4 and forward-socks4a is that in the SOCKS 4A
+ protocol, the DNS resolution of the target hostname happens
+ on the SOCKS server, while in SOCKS 4 it happens locally.
+
+
+ With forward-socks5 the DNS
+ resolution will happen on the remote server as well.
+
+
+ forward-socks5t works like vanilla
+ forward-socks5 but lets Privoxy additionally use
+ Tor-specific SOCKS extensions. Currently the only supported
+ SOCKS extension is optimistic data which can reduce the
+ latency for the first request made on a newly created
+ connection.
+
+
+ socks_proxy and http_parent can be a
+ numerical IPv6 address (if RFC
+ 3493 is implemented). To prevent clashes with the port
+ delimiter, the whole IP address has to be put into
+ brackets. On the other hand a target_pattern containing an IPv6
+ address has to be put into angle brackets (normal brackets
+ are reserved for regular expressions already).
+
+
+ If http_parent is ".", then requests are not forwarded
+ to another HTTP proxy but are made (HTTP-wise) directly to
+ the web servers, albeit through a SOCKS proxy.
+
+
+
+ Examples:
+
+
+
+ From the company example.com, direct connections are made
+ to all "internal" domains, but
+ everything outbound goes through their ISP's proxy by way
+ of example.com's corporate SOCKS 4A gateway to the
+ Internet.
+
A rule that uses a SOCKS 4 gateway for all destinations but
- no HTTP parent looks like this:
+
+
+
-
-
-
-
+
+ A rule that uses a SOCKS 4 gateway for all destinations but
+ no HTTP parent looks like this:
+
+
+
+
+
+
+
forward-socks4 / socks-gw.example.com:1080 .
-
-
-
-
-
To chain Privoxy and Tor, both running on the same system,
- you would use something like:
+
+
+
-
-
-
-
+
+ To chain Privoxy and Tor, both running on the same system,
+ you would use something like:
+
+
+
+
+
+
+
forward-socks5t / 127.0.0.1:9050 .
-
-
-
-
-
The public Tor network
- can't be used to reach your local network, if you need to
- access local servers you therefore might want to make some
- exceptions:
+
+
+
-
-
-
-
+
+ Note that if you got Tor through one of the bundles, you
+ may have to change the port from 9050 to 9150 (or even
+ another one). For details, please check the documentation
+ on the Tor
+ website.
+
+
+ The public Tor network
+ can't be used to reach your local network, if you need to
+ access local servers you therefore might want to make some
+ exceptions:
+
Unencrypted connections to systems in these address ranges
- will be as (un)secure as the local network is, but the
- alternative is that you can't reach the local network through
- Privoxy at all. Of course this
- may actually be desired and there is no reason to make these
- exceptions if you aren't sure you need them.
-
-
If you also want to be able to reach servers in your local
- network by using their names, you will need additional
- exceptions that look like this:
+
+
+
-
-
-
-
+
+ Unencrypted connections to systems in these address ranges
+ will be as (un)secure as the local network is, but the
+ alternative is that you can't reach the local network
+ through Privoxy at all. Of
+ course this may actually be desired and there is no reason
+ to make these exceptions if you aren't sure you need them.
+
+
+ If you also want to be able to reach servers in your local
+ network by using their names, you will need additional
+ exceptions that look like this:
+
If you have links to multiple ISPs that provide various special
- content only to their subscribers, you can configure multiple
- Privoxies which have connections to
- the respective ISPs to act as forwarders to each other, so that
- your users can
- see the internal content of all ISPs.
-
-
Assume that host-a has a PPP connection to isp-a.example.net. And
- host-b has a PPP connection to isp-b.example.org. Both run
- Privoxy. Their forwarding
- configuration can look like this:
+ If you have links to multiple ISPs that provide various special
+ content only to their subscribers, you can configure multiple
+ Privoxies which have connections
+ to the respective ISPs to act as forwarders to each other, so
+ that your
+ users can see the internal content of all ISPs.
+
+
+ Assume that host-a has a PPP connection to isp-a.example.net. And
+ host-b has a PPP connection to isp-b.example.org. Both run Privoxy. Their forwarding
+ configuration can look like this:
+
Now, your users can set their browser's proxy to use either host-a
- or host-b and be able to browse the internal content of both isp-a
- and isp-b.
-
-
If you intend to chain Privoxy
- and squid locally, then chaining as
- browser -> squid -> privoxy is the
- recommended way.
-
-
Assuming that Privoxy and
- squid run on the same box, your
- squid configuration could then look
- like this:
-
-
-
-
-
+
+
+
+
+
+ Now, your users can set their browser's proxy to use either
+ host-a or host-b and be able to browse the internal content of
+ both isp-a and isp-b.
+
+
+ If you intend to chain Privoxy
+ and squid locally, then chaining
+ as browser -> squid -> privoxy is
+ the recommended way.
+
+
+ Assuming that Privoxy and squid run on the same box, your squid configuration could then look
+ like this:
+
+
+
+
+
+
+
# Define Privoxy as parent proxy (without ICP)
cache_peer 127.0.0.1 parent 8118 7 no-query
@@ -2199,885 +2631,1093 @@
# Forward all the rest to Privoxy
never_direct allow all
-
-
-
-
-
You would then need to change your browser's proxy settings to
- squid's address and port. Squid
- normally uses port 3128. If unsure consult http_port in squid.conf.
-
-
You could just as well decide to only forward requests you suspect
- of leading to Windows executables through a virus-scanning parent
- proxy, say, on antivir.example.com, port
- 8010:
-
-
-
-
-
+
+
+
+
+
+ You would then need to change your browser's proxy settings to
+ squid's address and port. Squid
+ normally uses port 3128. If unsure consult http_port in squid.conf.
+
+
+ You could just as well decide to only forward requests you
+ suspect of leading to Windows executables through a
+ virus-scanning parent proxy, say, on antivir.example.com, port 8010:
+
How often Privoxy retries if a forwarded connection request
- fails.
-
-
-
Type of value:
-
-
-
Number of retries.
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Connections forwarded through other proxies are treated like
- direct connections and no retry attempts are made.
-
-
-
Notes:
-
-
-
forwarded-connect-retries is mainly
- interesting for socks4a connections, where Privoxy can't detect why the connections
- failed. The connection might have failed because of a DNS
- timeout in which case a retry makes sense, but it might also
- have failed because the server doesn't exist or isn't
- reachable. In this case the retry will just delay the
- appearance of Privoxy's error message.
-
-
Note that in the context of this option, "forwarded connections" includes all connections
- that Privoxy forwards through other proxies. This option is not
- limited to the HTTP CONNECT method.
-
-
Only use this option, if you are getting lots of
- forwarding-related error messages that go away when you try
- again manually. Start with a small value and check Privoxy's
- logfile from time to time, to see how many retries are usually
- needed.
Whether intercepted requests should be treated as valid.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Only proxy requests are accepted, intercepted requests are
- treated as invalid.
-
-
-
Notes:
-
-
-
If you don't trust your clients and want to force them to
- use Privoxy, enable this
- option and configure your packet filter to redirect outgoing
- HTTP connections into Privoxy.
-
-
Note that intercepting encrypted connections (HTTPS) isn't
- supported.
-
-
Make sure that Privoxy's
- own requests aren't redirected as well. Additionally take care
- that Privoxy can't
- intentionally connect to itself, otherwise you could run into
- redirection loops if Privoxy's
- listening port is reachable by the outside or an attacker has
- access to the pages you visit.
+ How often Privoxy retries if a forwarded connection request
+ fails.
+
+
+
+ Type of value:
+
+
+
+ Number of retries.
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Connections forwarded through other proxies are treated
+ like direct connections and no retry attempts are made.
+
+
+
+ Notes:
+
+
+
+ forwarded-connect-retries is
+ mainly interesting for socks4a connections, where Privoxy can't detect why the
+ connections failed. The connection might have failed
+ because of a DNS timeout in which case a retry makes sense,
+ but it might also have failed because the server doesn't
+ exist or isn't reachable. In this case the retry will just
+ delay the appearance of Privoxy's error message.
+
+
+ Note that in the context of this option, "forwarded connections" includes all
+ connections that Privoxy forwards through other proxies.
+ This option is not limited to the HTTP CONNECT method.
+
+
+ Only use this option, if you are getting lots of
+ forwarding-related error messages that go away when you try
+ again manually. Start with a small value and check
+ Privoxy's logfile from time to time, to see how many
+ retries are usually needed.
+
Whether requests to Privoxy's CGI pages can be blocked or
- redirected.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Privoxy ignores block and
- redirect actions for its CGI pages.
-
-
-
Notes:
-
-
-
By default Privoxy ignores
- block or redirect actions for its CGI pages. Intercepting these
- requests can be useful in multi-user setups to implement
- fine-grained access control, but it can also render the
- complete web interface useless and make debugging problems
- painful if done without care.
-
-
Don't enable this option unless you're sure that you really
- need it.
+ Whether intercepted requests should be treated as valid.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Only proxy requests are accepted, intercepted requests are
+ treated as invalid.
+
+
+
+ Notes:
+
+
+
+ If you don't trust your clients and want to force them to
+ use Privoxy, enable this
+ option and configure your packet filter to redirect
+ outgoing HTTP connections into Privoxy.
+
+ Make sure that Privoxy's
+ own requests aren't redirected as well. Additionally take
+ care that Privoxy can't
+ intentionally connect to itself, otherwise you could run
+ into redirection loops if Privoxy's listening port is reachable
+ by the outside or an attacker has access to the pages you
+ visit.
+
+
+ If you are running Privoxy as intercepting proxy without
+ being able to intercept all client requests you may want to
+ adjust the CGI templates to make sure they don't reference
+ content from config.privoxy.org.
+
Whether the CGI interface should stay compatible with broken
- HTTP clients.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
The CGI form generate long GET URLs.
-
-
-
Notes:
-
-
-
Privoxy's CGI forms can
- lead to rather long URLs. This isn't a problem as far as the
- HTTP standard is concerned, but it can confuse clients with
- arbitrary URL length limitations.
-
-
Enabling split-large-forms causes Privoxy to divide big forms into smaller
- ones to keep the URL length down. It makes editing a lot less
- convenient and you can no longer submit all changes at once,
- but at least it works around this browser bug.
-
-
If you don't notice any editing problems, there is no reason
- to enable this option, but if one of the submit buttons appears
- to be broken, you should give it a try.
+ Whether requests to Privoxy's CGI pages can be blocked or
+ redirected.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Privoxy ignores block and
+ redirect actions for its CGI pages.
+
+
+
+ Notes:
+
+
+
+ By default Privoxy ignores
+ block or redirect actions for its CGI pages. Intercepting
+ these requests can be useful in multi-user setups to
+ implement fine-grained access control, but it can also
+ render the complete web interface useless and make
+ debugging problems painful if done without care.
+
+
+ Don't enable this option unless you're sure that you really
+ need it.
+
Number of seconds after which an open connection will no
- longer be reused.
-
-
-
Type of value:
-
-
-
Time in seconds.
-
-
-
Default value:
-
-
-
None
-
-
-
Effect if unset:
-
-
-
Connections are not kept alive.
-
-
-
Notes:
-
-
-
This option allows clients to keep the connection to
- Privoxy alive. If the server
- supports it, Privoxy will keep
- the connection to the server alive as well. Under certain
- circumstances this may result in speed-ups.
-
-
By default, Privoxy will
- close the connection to the server if the client connection
- gets closed, or if the specified timeout has been reached
- without a new request coming in. This behaviour can be changed
- with the connection-sharing option.
-
-
This option has no effect if Privoxy has been compiled without
- keep-alive support.
-
-
Note that a timeout of five seconds as used in the default
- configuration file significantly decreases the number of
- connections that will be reused. The value is used because some
- browsers limit the number of connections they open to a single
- host and apply the same limit to proxies. This can result in a
- single website "grabbing" all the
- connections the browser allows, which means connections to
- other websites can't be opened until the connections currently
- in use time out.
-
-
Several users have reported this as a Privoxy bug, so the
- default value has been reduced. Consider increasing it to 300
- seconds or even more if you think your browser can handle it.
- If your browser appears to be hanging, it probably can't.
+ Whether the CGI interface should stay compatible with
+ broken HTTP clients.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ The CGI form generate long GET URLs.
+
+
+
+ Notes:
+
+
+
+ Privoxy's CGI forms can
+ lead to rather long URLs. This isn't a problem as far as
+ the HTTP standard is concerned, but it can confuse clients
+ with arbitrary URL length limitations.
+
+
+ Enabling split-large-forms causes Privoxy to divide big forms into
+ smaller ones to keep the URL length down. It makes editing
+ a lot less convenient and you can no longer submit all
+ changes at once, but at least it works around this browser
+ bug.
+
+
+ If you don't notice any editing problems, there is no
+ reason to enable this option, but if one of the submit
+ buttons appears to be broken, you should give it a try.
+
Whether or not pipelined requests should be served.
-
-
-
Type of value:
-
-
-
0 or 1.
-
-
-
Default value:
-
-
-
None
-
-
-
Effect if unset:
-
-
-
If Privoxy receives more than one request at once, it
- terminates the client connection after serving the first
- one.
-
-
-
Notes:
-
-
-
Privoxy currently doesn't
- pipeline outgoing requests, thus allowing pipelining on the
- client connection is not guaranteed to improve the
- performance.
-
-
By default Privoxy tries to
- discourage clients from pipelining by discarding aggressively
- pipelined requests, which forces the client to resend them
- through a new connection.
-
-
This option lets Privoxy
- tolerate pipelining. Whether or not that improves performance
- mainly depends on the client configuration.
-
-
If you are seeing problems with pages not properly loading,
- disabling this option could work around the problem.
+ Number of seconds after which an open connection will no
+ longer be reused.
+
+
+
+ Type of value:
+
+
+
+ Time in seconds.
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Effect if unset:
+
+
+
+ Connections are not kept alive.
+
+
+
+ Notes:
+
+
+
+ This option allows clients to keep the connection to Privoxy alive. If the server
+ supports it, Privoxy will
+ keep the connection to the server alive as well. Under
+ certain circumstances this may result in speed-ups.
+
+
+ By default, Privoxy will
+ close the connection to the server if the client connection
+ gets closed, or if the specified timeout has been reached
+ without a new request coming in. This behaviour can be
+ changed with the connection-sharing option.
+
+
+ This option has no effect if Privoxy has been compiled without
+ keep-alive support.
+
+
+ Note that a timeout of five seconds as used in the default
+ configuration file significantly decreases the number of
+ connections that will be reused. The value is used because
+ some browsers limit the number of connections they open to
+ a single host and apply the same limit to proxies. This can
+ result in a single website "grabbing" all the connections the browser
+ allows, which means connections to other websites can't be
+ opened until the connections currently in use time out.
+
+
+ Several users have reported this as a Privoxy bug, so the
+ default value has been reduced. Consider increasing it to
+ 300 seconds or even more if you think your browser can
+ handle it. If your browser appears to be hanging, it
+ probably can't.
+
Assumed server-side keep-alive timeout if not specified by
- the server.
-
-
-
Type of value:
-
-
-
Time in seconds.
-
-
-
Default value:
-
-
-
None
-
-
-
Effect if unset:
-
-
-
Connections for which the server didn't specify the
- keep-alive timeout are not reused.
-
-
-
Notes:
-
-
-
Enabling this option significantly increases the number of
- connections that are reused, provided the keep-alive-timeout
- option is also enabled.
-
-
While it also increases the number of connections problems
- when Privoxy tries to reuse a
- connection that already has been closed on the server side, or
- is closed while Privoxy is
- trying to reuse it, this should only be a problem if it happens
- for the first request sent by the client. If it happens for
- requests on reused client connections, Privoxy will simply close the connection
- and the client is supposed to retry the request without
- bothering the user.
-
-
Enabling this option is therefore only recommended if the
- connection-sharing option is disabled.
-
-
It is an error to specify a value larger than the keep-alive-timeout
- value.
-
-
This option has no effect if Privoxy has been compiled without
- keep-alive support.
+ Whether or not pipelined requests should be served.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1.
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Effect if unset:
+
+
+
+ If Privoxy receives more than one request at once, it
+ terminates the client connection after serving the first
+ one.
+
+
+
+ Notes:
+
+
+
+ Privoxy currently doesn't
+ pipeline outgoing requests, thus allowing pipelining on the
+ client connection is not guaranteed to improve the
+ performance.
+
+
+ By default Privoxy tries
+ to discourage clients from pipelining by discarding
+ aggressively pipelined requests, which forces the client to
+ resend them through a new connection.
+
+
+ This option lets Privoxy
+ tolerate pipelining. Whether or not that improves
+ performance mainly depends on the client configuration.
+
+
+ If you are seeing problems with pages not properly loading,
+ disabling this option could work around the problem.
+
Whether or not outgoing connections that have been kept
- alive should be shared between different incoming
- connections.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
None
-
-
-
Effect if unset:
-
-
-
Connections are not shared.
-
-
-
Notes:
-
-
-
This option has no effect if Privoxy has been compiled without
- keep-alive support, or if it's disabled.
-
-
-
Notes:
-
-
-
Note that reusing connections doesn't necessary cause
- speedups. There are also a few privacy implications you should
- be aware of.
-
-
If this option is effective, outgoing connections are shared
- between clients (if there are more than one) and closing the
- browser that initiated the outgoing connection does no longer
- affect the connection between Privoxy and the server unless the client's
- request hasn't been completed yet.
-
-
If the outgoing connection is idle, it will not be closed
- until either Privoxy's or the
- server's timeout is reached. While it's open, the server knows
- that the system running Privoxy is still there.
-
-
If there are more than one client (maybe even belonging to
- multiple users), they will be able to reuse each others
- connections. This is potentially dangerous in case of
- authentication schemes like NTLM where only the connection is
- authenticated, instead of requiring authentication for each
- request.
-
-
If there is only a single client, and if said client can
- keep connections alive on its own, enabling this option has
- next to no effect. If the client doesn't support connection
- keep-alive, enabling this option may make sense as it allows
- Privoxy to keep outgoing
- connections alive even if the client itself doesn't support
- it.
-
-
You should also be aware that enabling this option increases
- the likelihood of getting the "No server or forwarder data"
- error message, especially if you are using a slow connection to
- the Internet.
-
-
This option should only be used by experienced users who
- understand the risks and can weight them against the
- benefits.
+ Assumed server-side keep-alive timeout if not specified by
+ the server.
+
+
+
+ Type of value:
+
+
+
+ Time in seconds.
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Effect if unset:
+
+
+
+ Connections for which the server didn't specify the
+ keep-alive timeout are not reused.
+
+
+
+ Notes:
+
+
+
+ Enabling this option significantly increases the number of
+ connections that are reused, provided the keep-alive-timeout
+ option is also enabled.
+
+
+ While it also increases the number of connections problems
+ when Privoxy tries to
+ reuse a connection that already has been closed on the
+ server side, or is closed while Privoxy is trying to reuse it, this
+ should only be a problem if it happens for the first
+ request sent by the client. If it happens for requests on
+ reused client connections, Privoxy will simply close the
+ connection and the client is supposed to retry the request
+ without bothering the user.
+
+
+ Enabling this option is therefore only recommended if the
+ connection-sharing option is disabled.
+
+
+ It is an error to specify a value larger than the keep-alive-timeout
+ value.
+
+
+ This option has no effect if Privoxy has been compiled without
+ keep-alive support.
+
Number of seconds after which a socket times out if no data
- is received.
-
-
-
Type of value:
-
-
-
Time in seconds.
-
-
-
Default value:
-
-
-
None
-
-
-
Effect if unset:
-
-
-
A default value of 300 seconds is used.
-
-
-
Notes:
-
-
-
The default is quite high and you probably want to reduce
- it. If you aren't using an occasionally slow proxy like Tor,
- reducing it to a few seconds should be fine.
+ Whether or not outgoing connections that have been kept
+ alive should be shared between different incoming
+ connections.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Effect if unset:
+
+
+
+ Connections are not shared.
+
+
+
+ Notes:
+
+
+
+ This option has no effect if Privoxy has been compiled without
+ keep-alive support, or if it's disabled.
+
+
+
+ Notes:
+
+
+
+ Note that reusing connections doesn't necessary cause
+ speedups. There are also a few privacy implications you
+ should be aware of.
+
+
+ If this option is effective, outgoing connections are
+ shared between clients (if there are more than one) and
+ closing the browser that initiated the outgoing connection
+ does no longer affect the connection between Privoxy and the server unless the
+ client's request hasn't been completed yet.
+
+
+ If the outgoing connection is idle, it will not be closed
+ until either Privoxy's or
+ the server's timeout is reached. While it's open, the
+ server knows that the system running Privoxy is still there.
+
+
+ If there are more than one client (maybe even belonging to
+ multiple users), they will be able to reuse each others
+ connections. This is potentially dangerous in case of
+ authentication schemes like NTLM where only the connection
+ is authenticated, instead of requiring authentication for
+ each request.
+
+
+ If there is only a single client, and if said client can
+ keep connections alive on its own, enabling this option has
+ next to no effect. If the client doesn't support connection
+ keep-alive, enabling this option may make sense as it
+ allows Privoxy to keep
+ outgoing connections alive even if the client itself
+ doesn't support it.
+
+
+ You should also be aware that enabling this option
+ increases the likelihood of getting the "No server or
+ forwarder data" error message, especially if you are using
+ a slow connection to the Internet.
+
+
+ This option should only be used by experienced users who
+ understand the risks and can weight them against the
+ benefits.
+
Maximum number of client connections that will be
- served.
-
-
-
Type of value:
-
-
-
Positive number.
-
-
-
Default value:
-
-
-
128
-
-
-
Effect if unset:
-
-
-
Connections are served until a resource limit is
- reached.
-
-
-
Notes:
-
-
-
Privoxy creates one thread
- (or process) for every incoming client connection that isn't
- rejected based on the access control settings.
-
-
If the system is powerful enough, Privoxy can theoretically deal with
- several hundred (or thousand) connections at the same time, but
- some operating systems enforce resource limits by shutting down
- offending processes and their default limits may be below the
- ones Privoxy would require
- under heavy load.
-
-
Configuring Privoxy to
- enforce a connection limit below the thread or process limit
- used by the operating system makes sure this doesn't happen.
- Simply increasing the operating system's limit would work too,
- but if Privoxy isn't the only
- application running on the system, you may actually want to
- limit the resources used by Privoxy.
-
-
If Privoxy is only used by
- a single trusted user, limiting the number of client
- connections is probably unnecessary. If there are multiple
- possibly untrusted users you probably still want to
- additionally use a packet filter to limit the maximal number of
- incoming connections per client. Otherwise a malicious user
- could intentionally create a high number of connections to
- prevent other users from using Privoxy.
-
-
Obviously using this option only makes sense if you choose a
- limit below the one enforced by the operating system.
-
-
One most POSIX-compliant systems Privoxy can't properly deal with more than
- FD_SETSIZE file descriptors at the same time and has to reject
- connections if the limit is reached. This will likely change in
- a future version, but currently this limit can't be increased
- without recompiling Privoxy
- with a different FD_SETSIZE limit.
+ Number of seconds after which a socket times out if no data
+ is received.
+
+
+
+ Type of value:
+
+
+
+ Time in seconds.
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Effect if unset:
+
+
+
+ A default value of 300 seconds is used.
+
+
+
+ Notes:
+
+
+
+ The default is quite high and you probably want to reduce
+ it. If you aren't using an occasionally slow proxy like
+ Tor, reducing it to a few seconds should be fine.
+
Privoxy returns a status 403(forbidden) for all blocked
- pages.
-
-
-
Effect if set:
-
-
-
Privoxy returns a status 200(OK) for pages blocked with
- +handle-as-empty-document and a status 403(Forbidden) for all
- other blocked pages.
-
-
-
Notes:
-
-
-
This directive was added as a work-around for Firefox bug
- 492459: " Websites are no longer rendered
- if SSL requests for JavaScripts are blocked by a proxy.
- " (https://bugzilla.mozilla.org/show_bug.cgi?id=492459),
- the bug has been fixed for quite some time, but this directive
- is also useful to make it harder for websites to detect whether
- or not resources are being blocked.
+ Maximum number of client connections that will be served.
+
+
+
+ Type of value:
+
+
+
+ Positive number.
+
+
+
+ Default value:
+
+
+
+ 128
+
+
+
+ Effect if unset:
+
+
+
+ Connections are served until a resource limit is reached.
+
+
+
+ Notes:
+
+
+
+ Privoxy creates one thread
+ (or process) for every incoming client connection that
+ isn't rejected based on the access control settings.
+
+
+ If the system is powerful enough, Privoxy can theoretically deal with
+ several hundred (or thousand) connections at the same time,
+ but some operating systems enforce resource limits by
+ shutting down offending processes and their default limits
+ may be below the ones Privoxy would require under heavy
+ load.
+
+
+ Configuring Privoxy to
+ enforce a connection limit below the thread or process
+ limit used by the operating system makes sure this doesn't
+ happen. Simply increasing the operating system's limit
+ would work too, but if Privoxy isn't the only application
+ running on the system, you may actually want to limit the
+ resources used by Privoxy.
+
+
+ If Privoxy is only used by
+ a single trusted user, limiting the number of client
+ connections is probably unnecessary. If there are multiple
+ possibly untrusted users you probably still want to
+ additionally use a packet filter to limit the maximal
+ number of incoming connections per client. Otherwise a
+ malicious user could intentionally create a high number of
+ connections to prevent other users from using Privoxy.
+
+
+ Obviously using this option only makes sense if you choose
+ a limit below the one enforced by the operating system.
+
+
+ One most POSIX-compliant systems Privoxy can't properly deal with more
+ than FD_SETSIZE file descriptors at the same time and has
+ to reject connections if the limit is reached. This will
+ likely change in a future version, but currently this limit
+ can't be increased without recompiling Privoxy with a different FD_SETSIZE
+ limit.
+
Whether or not buffered content is compressed before
- delivery.
-
-
-
Type of value:
-
-
-
0 or 1
-
-
-
Default value:
-
-
-
0
-
-
-
Effect if unset:
-
-
-
Privoxy does not compress buffered content.
-
-
-
Effect if set:
-
-
-
Privoxy compresses buffered content before delivering it to
- the client, provided the client supports it.
-
-
-
Notes:
-
-
-
This directive is only supported if Privoxy has been
- compiled with FEATURE_COMPRESSION, which should not to be
- confused with FEATURE_ZLIB.
-
-
Compressing buffered content is mainly useful if Privoxy and
- the client are running on different systems. If they are
- running on the same system, enabling compression is likely to
- slow things down. If you didn't measure otherwise, you should
- assume that it does and keep this option disabled.
-
-
Privoxy will not compress buffered content below a certain
- length.
+ Privoxy returns a status 403(forbidden) for all blocked
+ pages.
+
+
+
+ Effect if set:
+
+
+
+ Privoxy returns a status 200(OK) for pages blocked with
+ +handle-as-empty-document and a status 403(Forbidden) for
+ all other blocked pages.
+
+
+
+ Notes:
+
+
+
+ This directive was added as a work-around for Firefox bug
+ 492459: "Websites are no longer
+ rendered if SSL requests for JavaScripts are blocked by a
+ proxy." (https://bugzilla.mozilla.org/show_bug.cgi?id=492459),
+ the bug has been fixed for quite some time, but this
+ directive is also useful to make it harder for websites to
+ detect whether or not resources are being blocked.
+
The compression level that is passed to the zlib library
- when compressing buffered content.
-
-
-
Type of value:
-
-
-
Positive number ranging from 0 to
- 9.
-
-
-
Default value:
-
-
-
1
-
-
-
Notes:
-
-
-
Compressing the data more takes usually longer than
- compressing it less or not compressing it at all. Which level
- is best depends on the connection between Privoxy and the
- client. If you can't be bothered to benchmark it for yourself,
- you should stick with the default and keep compression
- disabled.
-
-
If compression is disabled, the compression level is
- irrelevant.
+ Whether or not buffered content is compressed before
+ delivery.
+
+
+
+ Type of value:
+
+
+
+ 0 or 1
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Effect if unset:
+
+
+
+ Privoxy does not compress buffered content.
+
+
+
+ Effect if set:
+
+
+
+ Privoxy compresses buffered content before delivering it to
+ the client, provided the client supports it.
+
+
+
+ Notes:
+
+
+
+ This directive is only supported if Privoxy has been
+ compiled with FEATURE_COMPRESSION, which should not to be
+ confused with FEATURE_ZLIB.
+
+
+ Compressing buffered content is mainly useful if Privoxy
+ and the client are running on different systems. If they
+ are running on the same system, enabling compression is
+ likely to slow things down. If you didn't measure
+ otherwise, you should assume that it does and keep this
+ option disabled.
+
+
+ Privoxy will not compress buffered content below a certain
+ length.
+
+ The compression level that is passed to the zlib library
+ when compressing buffered content.
+
+
+
+ Type of value:
+
+
+
+ Positive number ranging from 0
+ to 9.
+
+
+
+ Default value:
+
+
+
+ 1
+
+
+
+ Notes:
+
+
+
+ Compressing the data more takes usually longer than
+ compressing it less or not compressing it at all. Which
+ level is best depends on the connection between Privoxy and
+ the client. If you can't be bothered to benchmark it for
+ yourself, you should stick with the default and keep
+ compression disabled.
+
+
+ If compression is disabled, the compression level is
+ irrelevant.
+
+
+
+ Examples:
+
+
+
+
+
+
+
+
# Best speed (compared to the other levels)
compression-level 1
# Best compression
@@ -3090,192 +3730,553 @@
compression-level 0
The order in which client headers are sorted before
- forwarding them.
-
-
-
Type of value:
-
-
-
Client header names delimited by
- spaces or tabs
-
-
-
Default value:
-
-
-
None
-
-
-
Notes:
-
-
-
By default Privoxy leaves
- the client headers in the order they were sent by the client.
- Headers are modified in-place, new headers are added at the end
- of the already existing headers.
+ The order in which client headers are sorted before
+ forwarding them.
+
+
+
+ Type of value:
+
+
+
+ Client header names delimited by
+ spaces or tabs
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Notes:
+
+
+
+ By default Privoxy leaves
+ the client headers in the order they were sent by the
+ client. Headers are modified in-place, new headers are
+ added at the end of the already existing headers.
+
+
+ The header order can be used to fingerprint client requests
+ independently of other headers like the User-Agent.
+
+
+ This directive allows to sort the headers differently to
+ better mimic a different User-Agent. Client headers will be
+ emitted in the order given, headers whose name isn't
+ explicitly specified are added at the end.
+
+
+ Note that sorting headers in an uncommon way will make
+ fingerprinting actually easier. Encrypted headers are not
+ affected by this directive.
+
+ The name of a tag that will always be set for clients that
+ requested it through the webinterface.
+
+
+
+ Type of value:
+
+
+
+ Tag name followed by a
+ description that will be shown in the webinterface
+
+
+
+ Default value:
+
+
+
+ None
+
+
+
+ Notes:
+
+
+
+
+
+
+ Warning
+
+
+
+
+
+ This is an experimental feature. The syntax is
+ likely to change in future versions.
+
+
+
+
+
+
+ Client-specific tags allow Privoxy admins to create
+ different profiles and let the users chose which one they
+ want without impacting other users.
+
+
+ One use case is allowing users to circumvent certain blocks
+ without having to allow them to circumvent all blocks. This
+ is not possible with the enable-remote-toggle
+ feature because it would bluntly disable all blocks for
+ all users and also affect other actions like filters. It
+ also is set globally which renders it useless in most
+ multi-user setups.
+
+
+ After a client-specific tag has been defined with the
+ client-specific-tag directive, action sections can be
+ activated based on the tag by using a CLIENT-TAG pattern. The CLIENT-TAG pattern is
+ evaluated at the same priority as URL patterns, as a result
+ the last matching pattern wins. Tags that are created based
+ on client or server headers are evaluated later on and can
+ overrule CLIENT-TAG and URL patterns!
+
+
+ The tag is set for all requests that come from clients that
+ requested it to be set. Note that "clients" are
+ differentiated by IP address, if the IP address changes the
+ tag has to be requested again.
+
+
+ Clients can request tags to be set by using the CGI
+ interface http://config.privoxy.org/client-tags.
+ The specific tag description is only used on the web page
+ and should be phrased in away that the user understand the
+ effect of the tag.
+
+
+
+ Examples:
+
+
+
+
+
+
+
+
+ # Define a couple of tags, the described effect requires action sections
+ # that are enabled based on CLIENT-TAG patterns.
+ client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
+ disable-content-filters Disable content-filters but do not affect other actions
-
The header order can be used to fingerprint client requests
- independently of other headers like the User-Agent.
+ How long a temporarily enabled tag remains enabled.
+
+
+
+ Type of value:
+
+
+
+ Time in seconds.
+
+
+
+ Default value:
+
+
+
+ 60
+
+
+
+ Notes:
+
+
+
+
+
+
+ Warning
+
+
+
+
+
+ This is an experimental feature. The syntax is
+ likely to change in future versions.
+
+
+
+
+
+
+ In case of some tags users may not want to enable them
+ permanently, but only for a short amount of time, for
+ example to circumvent a block that is the result of an
+ overly-broad URL pattern.
+
+
+ The CGI interface http://config.privoxy.org/client-tags therefore
+ provides a "enable this tag temporarily" option. If it is
+ used, the tag will be set until the client-tag-lifetime is
+ over.
+
+
+
+ Examples:
+
+
+
+
+
+
+
+
+ # Increase the time to life for temporarily enabled tags to 3 minutes
+ client-tag-lifetime 180
-
This directive allows to sort the headers differently to
- better mimic a different User-Agent. Client headers will be
- emitted in the order given, headers whose name isn't explicitly
- specified are added at the end.
+ Whether or not Privoxy should use IP addresses specified
+ with the X-Forwarded-For header
+
+
+
+ Type of value:
+
+
+
+ 0 or one
+
+
+
+ Default value:
+
+
+
+ 0
+
+
+
+ Notes:
+
+
+
+
+
+
+ Warning
+
+
+
+
+
+ This is an experimental feature. The syntax is
+ likely to change in future versions.
+
+
+
+
+
+
+ If clients reach Privoxy through another proxy, for example
+ a load balancer, Privoxy can't tell the client's IP address
+ from the connection. If multiple clients use the same
+ proxy, they will share the same client tag settings which
+ is usually not desired.
+
+
+ This option lets Privoxy use the X-Forwarded-For header
+ value as client IP address. If the proxy sets the header,
+ multiple clients using the same proxy do not share the same
+ client tag settings.
+
+
+ This option should only be enabled if Privoxy can only be
+ reached through a proxy and if the proxy can be trusted to
+ set the header correctly. It is recommended that ACL are
+ used to make sure only trusted systems can reach Privoxy.
+
+
+ If access to Privoxy isn't limited to trusted systems, this
+ option would allow malicious clients to change the client
+ tags for other clients or increase Privoxy's memory
+ requirements by registering lots of client tag settings for
+ clients that don't exist.
+
+
+
+ Examples:
+
+
+
+
+
+
+
+
+ # Allow systems that can reach Privoxy to provide the client
+ # IP address with a X-Forwarded-For header.
+ trust-x-forwarded-for 1
-
Note that sorting headers in an uncommon way will make
- fingerprinting actually easier. Encrypted headers are not
- affected by this directive.
+ Privoxy has a number of options
+ specific to the Windows GUI interface:
+
+
+
+ If "activity-animation" is set to 1, the
+ Privoxy icon will animate when
+ "Privoxy" is active. To turn off, set to
+ 0.
+
+
+
+
+ activity-animation 1
+
+
+
+
+ If "log-messages" is set to 1, Privoxy copies log messages to the
+ console window. The log detail depends on the debug directive.
+
+
+
+
+ log-messages 1
+
+
+
+
+ If "log-buffer-size" is set to 1, the
+ size of the log buffer, i.e. the amount of memory used for the log
+ messages displayed in the console window, will be limited to "log-max-lines" (see below).
+
+
+ Warning: Setting this to 0 will result in the buffer to grow
+ infinitely and eat up all your memory!
+
+
+
+
+ log-buffer-size 1
+
+
+
+
+ log-max-lines is the maximum
+ number of lines held in the log buffer. See above.
+
+
+
+
+ log-max-lines 200
+
+
+
+
+ If "log-highlight-messages" is set to 1,
+ Privoxy will highlight portions of
+ the log messages with a bold-faced font:
+
+
+
+
+ log-highlight-messages 1
+
+
+
+
+ The font used in the console window:
+
+
+
+
+ log-font-name Comic Sans MS
+
+
+
+
+ Font size used in the console window:
+
+
+
+
+ log-font-size 8
+
+
+
+
+ "show-on-task-bar" controls whether or
+ not Privoxy will appear as a
+ button on the Task bar when minimized:
+
+
+
+
+ show-on-task-bar 0
+
+
+
+
+ If "close-button-minimizes" is set to 1,
+ the Windows close button will minimize Privoxy instead of closing the program (close
+ with the exit option on the File menu).
+
+
+
+
+ close-button-minimizes 1
+
+
+
+
+ The "hide-console" option is specific to
+ the MS-Win console version of Privoxy. If this option is used, Privoxy will disconnect from and hide the
+ command console.
+
Privoxy has a number of options
- specific to the Windows GUI interface:
-
-
If "activity-animation" is set to 1, the
- Privoxy icon will animate when
- "Privoxy" is active. To turn off, set to
- 0.
-
-
activity-animation 1
-
-
-
If "log-messages" is set to 1,
- Privoxy copies log messages to the
- console window. The log detail depends on the debug directive.
-
-
log-messages 1
-
-
-
If "log-buffer-size" is set to 1, the
- size of the log buffer, i.e. the amount of memory used for the log
- messages displayed in the console window, will be limited to
- "log-max-lines" (see below).
-
-
Warning: Setting this to 0 will result in the buffer to grow
- infinitely and eat up all your memory!
-
-
log-buffer-size 1
-
-
-
log-max-lines is the maximum number
- of lines held in the log buffer. See above.
-
-
log-max-lines 200
-
-
-
If "log-highlight-messages" is set to 1,
- Privoxy will highlight portions of the
- log messages with a bold-faced font:
-
-
log-highlight-messages 1
-
-
-
The font used in the console window:
-
-
log-font-name Comic Sans
- MS
-
-
-
Font size used in the console window:
-
-
log-font-size 8
-
-
-
"show-on-task-bar" controls whether or
- not Privoxy will appear as a button on
- the Task bar when minimized:
-
-
show-on-task-bar 0
-
-
-
If "close-button-minimizes" is set to 1,
- the Windows close button will minimize Privoxy instead of closing the program (close with
- the exit option on the File menu).
-
-
close-button-minimizes 1
-
-
-
The "hide-console" option is specific to
- the MS-Win console version of Privoxy.
- If this option is used, Privoxy will
- disconnect from and hide the command console.