X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=doc%2Fwebserver%2Fuser-manual%2Fconfig.html;h=ad7c817918da0f4b7891810f1db02ec6139e66e1;hp=ad8e518e7856b5db52832501452c14c1f4e0c7ae;hb=2d1af75a04189057eb4cf4949908a3cdf9ca2b6e;hpb=2727c136ceb730015412df0cf32d8761ffe13930 diff --git a/doc/webserver/user-manual/config.html b/doc/webserver/user-manual/config.html index ad8e518e..ad7c8179 100644 --- a/doc/webserver/user-manual/config.html +++ b/doc/webserver/user-manual/config.html @@ -547,8 +547,8 @@
-
  debug     1 # Log the destination for each request Privoxy let through. See also debug 1024.
+                    
  debug     1 # Log the destination for each request. See also debug 1024.
   debug     2 # show each connection status
   debug     4 # show I/O status
   debug     8 # show header parsing
@@ -689,7 +689,9 @@
               

If the address for the hostname isn't already known on the system (for example because it's in /etc/hostname), this may result in DNS traffic.

If the specified address isn't available on the system, or if the hostname can't be resolved, - Privoxy will fail to start.

+ Privoxy will fail to start. On GNU/Linux, and other platforms that can + listen on not yet assigned IP addresses, Privoxy will start and will listen on the specified address + whenever the IP address is assigned to the system

IPv6 addresses containing colons have to be quoted by brackets. They can only be used if Privoxy has been compiled with IPv6 support. If you aren't sure if your version supports it, have a look at http://config.privoxy.org/show-status.
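Review bot: the sentence added in this hunk, "Privoxy will start and will listen on the specified address whenever the IP address is assigned to the system", has no terminating period, and the following paragraph begins a new sentence, so add the full stop. "not yet assigned IP addresses" reads better hyphenated as "not-yet-assigned IP addresses". It would also help the reader if the sentence said what to expect in the meantime, i.e. that until the address is assigned no client can connect, since the preceding sentence still says Privoxy "will fail to start" and the two statements now sit back to back.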

@@ -916,7 +918,7 @@ hides the "go there anyway" link. If the user adds the force prefix by hand, it will not be accepted and the circumvention attempt is logged.

-
Examples:
+
Example:

enforce-blocks 1

@@ -945,7 +947,7 @@ destination part are optional.

If your system implements RFC 3493, then src_addr and dst_addr can be - IPv6 addresses delimeted by brackets, port can be a number or a + IPv6 addresses delimited by brackets, port can be a number or a service name, and src_masklen and dst_masklen can be a number from 0 to 128.

@@ -1382,8 +1384,8 @@ @@ -1545,7 +1547,7 @@ you try again manually. Start with a small value and check Privoxy's logfile from time to time, to see how many retries are usually needed.

-
Examples:
+
Example:

forwarded-connect-retries 1

@@ -1590,7 +1592,7 @@ you may want to adjust the CGI templates to make sure they don't reference content from config.privoxy.org.

-
Examples:
+
Example:

accept-intercepted-requests 1

@@ -1627,7 +1629,7 @@ done without care.

Don't enable this option unless you're sure that you really need it.

-
Examples:
+
Example:

allow-cgi-request-crunching 1

@@ -1665,7 +1667,7 @@

If you don't notice any editing problems, there is no reason to enable this option, but if one of the submit buttons appears to be broken, you should give it a try.

-
Examples:
+
Example:

split-large-forms 1

@@ -1712,7 +1714,7 @@ increasing it to 300 seconds or even more if you think your browser can handle it. If your browser appears to be hanging, it probably can't.

-
Examples:
+
Example:

keep-alive-timeout 300

@@ -1752,7 +1754,7 @@

If you are seeing problems with pages not properly loading, disabling this option could work around the problem.

-
Examples:
+
Example:

tolerate-pipelining 1

@@ -1797,7 +1799,7 @@

This option has no effect if Privoxy has been compiled without keep-alive support.

-
Examples:
+
Example:

default-server-timeout 60

@@ -1853,7 +1855,7 @@

This option should only be used by experienced users who understand the risks and can weight them against the benefits.

-
Examples:
+
Example:

connection-sharing 1

@@ -1885,7 +1887,7 @@

The default is quite high and you probably want to reduce it. If you aren't using an occasionally slow proxy like Tor, reducing it to a few seconds should be fine.

-
Examples:
+
Example:

socket-timeout 300

@@ -1938,7 +1940,7 @@ reached. This will likely change in a future version, but currently this limit can't be increased without recompiling Privoxy with a different FD_SETSIZE limit.

-
Examples:
+
Example:

max-client-connections 256

@@ -1968,9 +1970,9 @@
Notes:

Under high load incoming connection may queue up before Privoxy gets around to serve them. The queue - length is limitted by the operating system. Once the queue is full, additional connections are dropped + length is limited by the operating system. Once the queue is full, additional connections are dropped before Privoxy can accept and serve them.

-

Increasing the queue length allows Privoxy to accept more incomming connections that arrive roughly at +

Increasing the queue length allows Privoxy to accept more incoming connections that arrive roughly at the same time.

Note that Privoxy can only request a certain queue length, whether or not the requested length is actually used depends on the operating system which may use a different length instead.

@@ -1980,7 +1982,7 @@

Effectively using a value above 128 usually requires changing the system configuration as well. On FreeBSD-based system the limit is controlled by the kern.ipc.soacceptqueue sysctl.

-
Examples:
+
Example:

listen-backlog 4096

@@ -2020,7 +2022,7 @@ "https://www.freebsd.org/cgi/man.cgi?query=accf_http" target="_top">accf_http(9) man page to learn how to enable the support in the operating system.

-
Examples:
+
Example:

enable-accept-filter 1

@@ -2240,7 +2242,7 @@
    # Define a couple of tags, the described effect requires action sections
     # that are enabled based on CLIENT-TAG patterns.
     client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
-    disable-content-filters Disable content-filters but do not affect other actions
+ client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
-
-                    forward-socks4a   /              socks-gw.example.com:1080  www-cache.isp.example.net:8080
+                    
  forward-socks4a   /              socks-gw.example.com:1080  www-cache.isp.example.net:8080
   forward           .example.com   .
@@ -2284,7 +2286,7 @@ "_top">http://config.privoxy.org/client-tags therefore provides a "enable this tag temporarily" option. If it is used, the tag will be set until the client-tag-lifetime is over.

-
Examples:
+
Example:
@@ -2341,7 +2343,7 @@ change the client tags for other clients or increase Privoxy's memory requirements by registering lots of client tag settings for clients that don't exist.

-
Examples:
+
Example:
@@ -2388,7 +2390,7 @@ memory is (currently) cleared before using it, a buffer that is too large can actually reduce the throughput.

-
Examples:
+
Example:
@@ -2404,7 +2406,10 @@
-

7.7. TLS/SSL

+

7.7. HTTPS Inspection + (Experimental)

+

HTTPS inspection allows to filter encrypted requests. This is only supported when Privoxy has been built with FEATURE_HTTPS_INSPECTION.

7.7.1. ca-directory
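Review bot: "HTTPS inspection allows to filter encrypted requests" is ungrammatical; suggest "HTTPS inspection makes it possible to filter encrypted requests" (the same "allows to" construction recurs in the cipher-list Notes later in this patch). Since the heading now marks the feature as experimental, the new intro paragraph is the natural place for a one-sentence statement of what the feature implies for clients: Privoxy generates website certificates signed by the configured CA, so it only works for clients that have imported and trust that CA certificate. The ca-cert-file Notes further down say exactly this, but a reader arriving at the section start should not have to scroll to 7.7.2 to learn it.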

@@ -2429,8 +2434,10 @@

This directive specifies the directory where the CA key, the CA certificate and the trusted CAs file are located.

+

The permissions should only let Privoxy and the Privoxy admin access the directory.

-
Examples:
+
Example:

ca-directory /usr/local/etc/privoxy/CA
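Review bot: the new permissions sentence is a good addition but would be more convincing if it said why: the directory holds the CA key (see the Notes line above it), and whoever can read that key can issue certificates that every client which imported the CA certificate will accept. One added clause such as "as the CA key allows issuing certificates the clients will trust" makes the recommendation self-explanatory. The sentence is repeated verbatim for certificate-directory later in this patch; consider giving the reason there too, or cross-referencing this section.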

@@ -2460,10 +2467,15 @@
Notes:

This directive specifies the name of the CA certificate file in ".crt" format.

-

It can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.crt - -days 3650

+

The file is used by Privoxy to generate website certificates when + https inspection is enabled with the https-inspection action.

+

Privoxy clients should import the certificate so that they can + validate the generated certificates.

+

The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out + cacert.crt -days 3650

-
Examples:
+
Example:

ca-cert-file root.crt
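Review bot: the openssl command in this hunk writes the certificate to cacert.crt, but the example directive below it reads "ca-cert-file root.crt"; aligning the two (either "-out root.crt" in the command or "ca-cert-file cacert.crt" in the example) avoids a copy-and-paste mismatch, especially since the ca-key-file example "cakey.pem" does match the command's -keyout. The new "Privoxy clients should import the certificate" sentence could also spell out the consequence: a client that imports this CA will trust every certificate Privoxy generates with it, and with "-days 3650" that trust lasts ten years, so the CA should be created for this purpose only and not be one that is used elsewhere.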

@@ -2495,7 +2507,7 @@

This directive specifies the name of the CA key file in ".pem" format. See the ca-cert-file for a command to generate it.

-
Examples:
+
Example:

ca-key-file cakey.pem

@@ -2528,7 +2540,7 @@ certificates for intercepted requests.

Note that the password is shown on the CGI page so don't reuse an important one.

-
Examples:
+
Example:

ca-password blafasel

@@ -2542,7 +2554,7 @@
Specifies:
-

Directory to safe generated keys and certificates.

+

Directory to save generated keys and certificates.

Type of value:
@@ -2558,9 +2570,32 @@
Notes:
-

This directive specifies the directory where generated TLS/SSL keys and certificates are saved.

+

This directive specifies the directory where generated TLS/SSL keys and certificates are saved when + https inspection is enabled with the https-inspection action.

+

The keys and certificates currently have to be deleted manually when changing the ca-cert-file and the ca-cert-key.

+

The permissions should only let Privoxy and the Privoxy admin access the directory.

+
+
+ + + + + + +
Warning
+

Privoxy currently does not garbage-collect obsolete keys and + certificates and does not keep track of how may keys and certificates exist.

+

Privoxy admins should monitor the size of the directory + and/or make sure there is sufficient space available. A cron job to limit the number of keys and + certificates to a certain number may be worth considering.

+
+
-
Examples:
+
Example:

certificate-directory /usr/local/var/privoxy/certs
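Review bot: typo in the new Warning, "how may keys and certificates exist" should read "how many keys and certificates exist". The unchanged context sentence just above it refers to "the ca-cert-file and the ca-cert-key", but the directive documented in 7.7.3 of this same section is ca-key-file; since that cross-reference is what tells an admin when the directory has to be purged, it is worth correcting while the section is being edited. The suggestion of a cron job that limits the number of files would be clearer if it said whether Privoxy regenerates a key and certificate on demand when one has been removed, because that determines whether pruning is safe to do while Privoxy is running.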

@@ -2568,7 +2603,129 @@
-

7.7.6. trusted-cas-file

+

7.7.6. cipher-list

+
+
+
Specifies:
+
+

A list of ciphers to use in TLS handshakes

+
+
Type of value:
+
+

Text

+
+
Default value:
+
+

None

+
+
Effect if unset:
+
+

A default value is inherited from the TLS library.

+
+
Notes:
+
+

This directive allows to specify a non-default list of ciphers to use in TLS handshakes with clients + and servers.

+

Ciphers are separated by colons. Which ciphers are supported depends on the TLS library. When using + OpenSSL, unsupported ciphers are skipped. When using MbedTLS they are rejected.

+
+ + + + + + + +
Warning
+

Specifying an unusual cipher list makes fingerprinting easier. Note that the default list + provided by the TLS library may be unusual when compared to the one used by modern browsers as + well.

+
+
+
+
Examples:
+
+ + + + +
+
    # Explicitly set a couple of ciphers with names used by MbedTLS
+    cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-AES-256-CCM:\
+TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+TLS-DHE-RSA-WITH-AES-128-CCM:\
+TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+   
+
+ + + + +
+
    # Explicitly set a couple of ciphers with names used by OpenSSL
+cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+ECDHE-ECDSA-AES256-GCM-SHA384:\
+DH-DSS-AES256-GCM-SHA384:\
+DHE-DSS-AES256-GCM-SHA384:\
+DH-RSA-AES256-GCM-SHA384:\
+DHE-RSA-AES256-GCM-SHA384:\
+ECDH-RSA-AES256-GCM-SHA384:\
+ECDH-ECDSA-AES256-GCM-SHA384:\
+ECDHE-RSA-AES128-GCM-SHA256:\
+ECDHE-ECDSA-AES128-GCM-SHA256:\
+DH-DSS-AES128-GCM-SHA256:\
+DHE-DSS-AES128-GCM-SHA256:\
+DH-RSA-AES128-GCM-SHA256:\
+DHE-RSA-AES128-GCM-SHA256:\
+ECDH-RSA-AES128-GCM-SHA256:\
+ECDH-ECDSA-AES128-GCM-SHA256:\
+ECDHE-RSA-AES256-GCM-SHA384:\
+AES128-SHA
+   
+
+ + + + +
+
    # Use keywords instead of explicity naming the ciphers (Does not work with MbedTLS)
+    cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+   
+
+
+
+
+
+
+

7.7.7. trusted-cas-file

Specifies:
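Review bot: the first example has the directive name twice, "cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\", which would turn the literal string "cipher-list" into the first cipher name and, given the Notes say MbedTLS rejects unsupported ciphers, would presumably break the configuration; drop the duplicate. In the OpenSSL example, ECDHE-RSA-AES256-GCM-SHA384 appears twice (the first and the second-to-last entry), and the final entry AES128-SHA is an RSA-key-exchange, CBC/SHA-1 suite without forward secrecy that sits oddly at the end of an otherwise GCM-only list; if it is intentionally kept for compatibility, a comment saying so would stop readers from copying it blindly. Typo in the third example's comment: "explicity" should be "explicitly". In the Notes, "allows to specify" should be "allows specifying" or "makes it possible to specify", and "When using MbedTLS they are rejected" should say what the admin observes, i.e. whether the whole directive is refused at startup or TLS handshakes fail later, since that decides whether a typo is caught immediately or only in the log. The Warning about fingerprinting is a useful addition.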
@@ -2590,11 +2747,11 @@
Notes:

This directive specifies the trusted CAs file that is used when validating certificates for - intercepted TLS/SSL request.

+ intercepted TLS/SSL requests.

An example file can be downloaded from https://curl.haxx.se/ca/cacert.pem.

-
Examples:
+
Example:

trusted-cas-file trusted_cas_file.pem