@@ -1185,9 +1208,6 @@ body {
mostly behave like a normal, content-neutral proxy with both ad
blocking and content filtering disabled. See enable-remote-toggle below.
-
- The windows version will only display the toggle icon in the
- system tray if this option is present.
@@ -1233,15 +1253,15 @@ body {
block ads or filter content.
Access to the toggle feature can not be controlled separately by
- "ACLs" or HTTP authentication, so
- that everybody who can access not be controlled
+ separately by "ACLs" or HTTP
+ authentication, so that everybody who can access Privoxy (see "ACLs" and listen-address above) can toggle it for all
- users. So this option is not
- recommended for multi-user environments with untrusted
- users.
+ users. So this option is not recommended for multi-user
+ environments with untrusted users.
Note that malicious client side code (e.g Java) is also
capable of using this option.
@@ -1347,8 +1367,8 @@ body {
Notes:
- Access to the editor can not be controlled separately by
+ Access to the editor can not be controlled separately by
"ACLs" or HTTP authentication, so
that everybody who can access Privoxy (see listen-address above) can modify its
configuration for all users.
- This option is not
- recommended for environments with untrusted users and as
- a lot of Privoxy users don't
- read documentation, this feature is disabled by default.
+ This option is not recommended for environments with
+ untrusted users and as a lot of Privoxy users don't read documentation,
+ this feature is disabled by default.
Note that malicious client side code (e.g Java) is also
capable of using the actions editor and you shouldn't enable
@@ -1390,13 +1411,13 @@ body {
Type of value:
- 0 or 1
+ 0 or 1
Default value:
- 0
+ 0
Effect if unset:
@@ -1459,43 +1480,44 @@ body {
Type of value:
- src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
+ src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
- Where src_addr and
- dst_addr are IPv4 addresses in
- dotted decimal notation or valid DNS names, port is a port number, and src_masklen and dst_masklen are subnet masks in CIDR
+ Where src_addr and
+ dst_addr are IPv4 addresses
+ in dotted decimal notation or valid DNS names, port is a port number, and src_masklen and dst_masklen are subnet masks in CIDR
notation, i.e. integer values from 2 to 30 representing the
length (in bits) of the network address. The masks and the
whole destination part are optional.
If your system implements RFC
- 3493, then src_addr and
- dst_addr can be IPv6 addresses
- delimeted by brackets, port can
- be a number or a service name, and src_masklen and dst_masklen can be a number from 0 to
- 128.
+ 3493, then src_addr and
+ dst_addr can be IPv6
+ addresses delimeted by brackets, port can be a number or a service
+ name, and src_masklen and
+ dst_masklen can be a number
+ from 0 to 128.
Default value:
- Unset
+ Unset
- If no port is specified, any
- port will match. If no src_masklen or src_masklen is given, the complete IP
+ If no port is specified,
+ any port will match. If no src_masklen or src_masklen is given, the complete IP
address has to match (i.e. 32 bits for IPv4 and 128 bits for
IPv6).
@@ -1511,14 +1533,14 @@ body {
Access controls are included at the request of ISPs and
- systems administrators, and are not usually needed by individual
- users. For a typical home user, it will normally suffice
- to ensure that Privoxy only
- listens on the localhost (127.0.0.1) or internal (home) network
- address by means of the listen-address option.
+ systems administrators, and are not usually needed by individual
+ users. For a typical home user, it will normally
+ suffice to ensure that Privoxy
+ only listens on the localhost (127.0.0.1) or internal (home)
+ network address by means of the listen-address option.
Please see the warnings in the FAQ that Privoxy is not intended to be a substitute
@@ -1536,20 +1558,20 @@ body {
If Privoxy is using a
forwarder (see forward below) for a
particular destination URL, the dst_addr that is examined is the address
- of the forwarder and NOT the address of the ultimate
- target. This is necessary because it may be impossible for the
- local Privoxy to determine the
- IP address of the ultimate target (that's often what gateways
- are used for).
+ "REPLACEABLE">dst_addr that is examined is the
+ address of the forwarder and NOT the address of the ultimate target.
+ This is necessary because it may be impossible for the local
+ Privoxy to determine the IP
+ address of the ultimate target (that's often what gateways are
+ used for).
You should prefer using IP addresses over DNS names, because
the address lookups take time. All DNS names must resolve! You
- can not use domain
- patterns like "*.org" or partial
- domain names. If a DNS name resolves to multiple IP addresses,
- only the first one is used.
+ can not
+ use domain patterns like "*.org" or
+ partial domain names. If a DNS name resolves to multiple IP
+ addresses, only the first one is used.
Some systems allow IPv4 clients to connect to IPv6 server
sockets. Then the client's IPv4 address will be translated by
@@ -1569,11 +1591,11 @@ body {
Explicitly define the default behavior if no ACL and
listen-address are set: "localhost" is OK. The absence of a dst_addr implies that all destination addresses are
- OK:
+ "REPLACEABLE">dst_addr implies that all destination
+ addresses are OK:
-
+
@@ -1587,7 +1609,7 @@ body {
access to nothing but www.example.com (or other domains hosted
on the same system):
-
+
@@ -1602,7 +1624,7 @@ body {
192.168.45.73 may not access the IP address behind
www.dirty-stuff.example.com:
-
+
@@ -1617,7 +1639,7 @@ body {
listening on an IPv6 wild card address (not supported on all
platforms):
-
+
@@ -1630,7 +1652,7 @@ body {
This is equivalent to the following line even if listening
on an IPv4 address (not supported on all platforms):
-
+
@@ -1692,8 +1714,68 @@ body {
document is made. Remember that there may be multiple threads
running, which might require up to buffer-limit Kbytes each, unless you have enabled
- "single-threaded" above.
+ "emphasis">each, unless you have
+ enabled "single-threaded" above.
+
+
+
+
+
+
+
+
+
+
+ - Specifies:
+
+ -
+
Whether or not proxy authentication through Privoxy should work.
+
+
+ - Type of value:
+
+ -
+
0 or 1
+
+
+ - Default value:
+
+ -
+
0
+
+
+ - Effect if unset:
+
+ -
+
Proxy authentication headers are removed.
+
+
+ - Notes:
+
+ -
+
Privoxy itself does not support proxy authentication, but
+ can allow clients to authenticate against Privoxy's parent
+ proxy.
+
+ By default Privoxy (3.0.21 and later) don't do that and
+ remove Proxy-Authorization headers in requests and
+ Proxy-Authenticate headers in responses to make it harder for
+ malicious sites to trick inexperienced users into providing
+ login information.
+
+ If this option is enabled the headers are forwarded.
+
+ Enabling this option is not recommended if there is no parent
+ proxy that requires authentication or if the local network
+ between Privoxy and the parent proxy isn't trustworthy. If
+ proxy authentication is only required for some requests, it is
+ recommended to use a client header filter to remove the
+ authentication headers for requests where they aren't
+ needed.
@@ -1741,18 +1823,18 @@ body {
Type of value:
- target_pattern http_parent[:port]
+ target_pattern
+ http_parent[:port]
- where target_pattern is a
- URL pattern that
+ where target_pattern is
+ a URL pattern that
specifies to which requests (i.e. URLs) this forward rule shall
apply. Use / to denote "all URLs". http_parent[:port] is the DNS name or IP address of
- the parent HTTP proxy through which the requests should be
+ "REPLACEABLE">http_parent[:port] is the DNS name or IP address
+ of the parent HTTP proxy through which the requests should be
forwarded, optionally followed by its listening port (default:
8000). Use a single dot (.) to denote
"no forwarding".
@@ -1761,7 +1843,8 @@ body {
Default value:
- Unset
+ Unset
Effect if unset:
@@ -1773,17 +1856,17 @@ body {
Notes:
- If http_parent is
+ If http_parent is
".", then requests are not forwarded
to another HTTP proxy but are made directly to the web
servers.
- http_parent can be a
+ http_parent can be a
numerical IPv6 address (if RFC 3493
is implemented). To prevent clashes with the port delimiter,
the whole IP address has to be put into brackets. On the other
- hand a target_pattern
+ hand a target_pattern
containing an IPv6 address has to be put into angle brackets
(normal brackets are reserved for regular expressions
already).
@@ -1798,7 +1881,7 @@ body {
Everything goes to an example parent proxy, except SSL on
port 443 (which it doesn't handle):
-
+
@@ -1812,7 +1895,7 @@ body {
Everything goes to our example ISP's caching proxy, except
for requests to that ISP's sites:
-
+
@@ -1825,7 +1908,7 @@ body {
Parent proxy specified by an IPv6 address:
-
+
@@ -1837,7 +1920,7 @@ body {
Suppose your parent proxy doesn't support IPv6:
-
+
@@ -1855,9 +1938,9 @@ body {
+ forward-socks4a, forward-socks5 and forward-socks5t
@@ -1871,31 +1954,32 @@ body {
- Type of value:
-
-
target_pattern socks_proxy[:port] http_parent[:port]
+ target_pattern
+ socks_proxy[:port] http_parent[:port]
- where target_pattern is a
- URL pattern that
+ where target_pattern is
+ a URL pattern that
specifies to which requests (i.e. URLs) this forward rule shall
apply. Use / to denote "all URLs". http_parent and socks_proxy are IP addresses in dotted
- decimal notation or valid DNS names (http_parent may be http_parent and socks_proxy are IP addresses in
+ dotted decimal notation or valid DNS names (http_parent may be "." to denote "no HTTP
forwarding"), and the optional port parameters are TCP ports, i.e.
+ "REPLACEABLE">port parameters are TCP ports, i.e.
integer values from 1 to 65535
- Default value:
-
-
Unset
+ Unset
- Effect if unset:
@@ -1919,17 +2003,25 @@ body {
With forward-socks5 the DNS
resolution will happen on the remote server as well.
- socks_proxy and http_parent can be a numerical IPv6
- address (if RFC 3493 is implemented). To prevent clashes
- with the port delimiter, the whole IP address has to be put
- into brackets. On the other hand a target_pattern containing an IPv6 address
- has to be put into angle brackets (normal brackets are reserved
- for regular expressions already).
-
- If http_parent is
+ forward-socks5t works like vanilla
+ forward-socks5 but lets Privoxy additionally use Tor-specific
+ SOCKS extensions. Currently the only supported SOCKS extension
+ is optimistic data which can reduce the latency for the first
+ request made on a newly created connection.
+
+ socks_proxy and
+ http_parent can be a
+ numerical IPv6 address (if RFC 3493
+ is implemented). To prevent clashes with the port delimiter,
+ the whole IP address has to be put into brackets. On the other
+ hand a target_pattern
+ containing an IPv6 address has to be put into angle brackets
+ (normal brackets are reserved for regular expressions
+ already).
+
+ If http_parent is
".", then requests are not forwarded
to another HTTP proxy but are made (HTTP-wise) directly to the
web servers, albeit through a SOCKS proxy.
@@ -1943,7 +2035,7 @@ body {
everything outbound goes through their ISP's proxy by way of
example.com's corporate SOCKS 4A gateway to the Internet.
-
+
@@ -1957,7 +2049,7 @@ body {
A rule that uses a SOCKS 4 gateway for all destinations but
no HTTP parent looks like this:
-
+
@@ -1970,22 +2062,28 @@ body {
To chain Privoxy and Tor, both running on the same system,
you would use something like:
-
+
- forward-socks5 / 127.0.0.1:9050 .
+ forward-socks5t / 127.0.0.1:9050 .
|
+ Note that if you got Tor through one of the bundles, you may
+ have to change the port from 9050 to 9150 (or even another
+ one). For details, please check the documentation on the
+ Tor
+ website.
+
The public Tor network
can't be used to reach your local network, if you need to
access local servers you therefore might want to make some
exceptions:
-
+
@@ -2008,7 +2106,7 @@ body {
network by using their names, you will need additional
exceptions that look like this:
-
+
@@ -2031,8 +2129,8 @@ body {
content only to their subscribers, you can configure multiple
Privoxies which have connections to
the respective ISPs to act as forwarders to each other, so that
- your users can see the
- internal content of all ISPs.
+ your users can
+ see the internal content of all ISPs.
Assume that host-a has a PPP connection to isp-a.example.net. And
host-b has a PPP connection to isp-b.example.org. Both run
@@ -2041,7 +2139,7 @@ body {
host-a:
-
+
@@ -2054,7 +2152,7 @@ body {
host-b:
-
+
@@ -2079,7 +2177,7 @@ body {
squid configuration could then look
like this:
-
+
@@ -2109,7 +2207,7 @@ body {
proxy, say, on antivir.example.com, port
8010:
-
+
@@ -2137,13 +2235,13 @@ body {
- Type of value:
-
-
Number of retries.
+ Number of retries.
- Default value:
-
-
0
+ 0
- Effect if unset:
@@ -2156,8 +2254,9 @@ body {
- Notes:
-
-
forwarded-connect-retries is
- mainly interesting for socks4a connections, where forwarded-connect-retries is mainly
+ interesting for socks4a connections, where Privoxy can't detect why the connections
failed. The connection might have failed because of a DNS
timeout in which case a retry makes sense, but it might also
@@ -2206,13 +2305,13 @@ body {
- Type of value:
-
-
0 or 1
+ 0 or 1
- Default value:
-
-
0
+ 0
- Effect if unset:
@@ -2231,6 +2330,9 @@ body {
HTTP connections into Privoxy.
+ Note that intercepting encrypted connections (HTTPS) isn't
+ supported.
+
Make sure that Privoxy's
own requests aren't redirected as well. Additionally take care
that Privoxy can't
@@ -2267,13 +2369,13 @@ body {
- Type of value:
-
-
0 or 1
+ 0 or 1
- Default value:
-
-
0
+ 0
- Effect if unset:
@@ -2322,13 +2424,13 @@ body {
- Type of value:
-
-
0 or 1
+ 0 or 1
- Default value:
-
-
0
+ 0
- Effect if unset:
@@ -2381,7 +2483,7 @@ body {
- Type of value:
-
-
Time in seconds.
+ Time in seconds.
- Default value:
@@ -2429,7 +2531,7 @@ body {
Several users have reported this as a Privoxy bug, so the
default value has been reduced. Consider increasing it to 300
seconds or even more if you think your browser can handle it.
- If your browser appears to be hanging it can't.
+ If your browser appears to be hanging, it probably can't.
- Examples:
@@ -2441,9 +2543,71 @@ body {
+
+
+
+
+
+ - Specifies:
+
+ -
+
Whether or not pipelined requests should be served.
+
+
+ - Type of value:
+
+ -
+
0 or 1.
+
+
+ - Default value:
+
+ -
+
None
+
+
+ - Effect if unset:
+
+ -
+
If Privoxy receives more than one request at once, it
+ terminates the client connection after serving the first
+ one.
+
+
+ - Notes:
+
+ -
+
Privoxy currently doesn't
+ pipeline outgoing requests, thus allowing pipelining on the
+ client connection is not guaranteed to improve the
+ performance.
+
+ By default Privoxy tries to
+ discourage clients from pipelining by discarding aggressively
+ pipelined requests, which forces the client to resend them
+ through a new connection.
+
+ This option lets Privoxy
+ tolerate pipelining. Whether or not that improves performance
+ mainly depends on the client configuration.
+
+ If you are seeing problems with pages not properly loading,
+ disabling this option could work around the problem.
+
+
+ - Examples:
+
+ -
+
tolerate-pipelining 1
+
+
+
+ | | | | | | | | | | | | | | | | | |