-# Sample Configuration File for Privoxy 3.0.29
+# Sample Configuration File for Privoxy 3.0.31
#
-# Copyright (C) 2001-2019 Privoxy Developers https://www.privoxy.org/
+# Copyright (C) 2001-2021 Privoxy Developers https://www.privoxy.org/
#
#####################################################################
# #
# 4. ACCESS CONTROL AND SECURITY #
# 5. FORWARDING #
# 6. MISCELLANEOUS #
-# 7. WINDOWS GUI OPTIONS #
+# 7. HTTPS INSPECTION (EXPERIMENTAL) #
+# 8. WINDOWS GUI OPTIONS #
# #
#####################################################################
#
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
actionsfile user.action # User customizations
+#actionsfile regression-tests.action # Tests for privoxy-regression-test
#
# 2.6. filterfile
# ================
#
# The available debug levels are:
#
-# debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
+# debug 1 # Log the destination for each request. See also debug 1024.
# debug 2 # show each connection status
-# debug 4 # show I/O status
+# debug 4 # show tagging-related messages
# debug 8 # show header parsing
# debug 16 # log all data written to the network
# debug 32 # debug force feature
# you read the log messages, you may even be able to solve the
# problem on your own.
#
-#debug 1 # Log the destination for each request Privoxy let through. See also debug 1024.
+#debug 1 # Log the destination for each request.
#debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#debug 4096 # Startup banner and warnings
#debug 8192 # Non-fatal errors
# result in DNS traffic.
#
# If the specified address isn't available on the system, or if
-# the hostname can't be resolved, Privoxy will fail to start.
+# the hostname can't be resolved, Privoxy will fail to start. On
+# GNU/Linux, and other platforms that can listen on not yet
+# assigned IP addresses, Privoxy will start and will listen on
+# the specified address whenever the IP address is assigned to
+# the system
#
# IPv6 addresses containing colons have to be quoted by
# brackets. They can only be used if Privoxy has been compiled
# link. If the user adds the force prefix by hand, it will not
# be accepted and the circumvention attempt is logged.
#
-# Examples:
+# Example:
#
# enforce-blocks 1
#
# whole destination part are optional.
#
# If your system implements RFC 3493, then src_addr and dst_addr
-# can be IPv6 addresses delimeted by brackets, port can be a
+# can be IPv6 addresses delimited by brackets, port can be a
# number or a service name, and src_masklen and dst_masklen can
# be a number from 0 to 128.
#
#
# Type of value:
#
-# target_pattern socks_proxy[:port] http_parent[:port]
+# target_pattern [user:pass@]socks_proxy[:port] http_parent[:port]
#
# where target_pattern is a URL pattern that specifies to which
# requests (i.e. URLs) this forward rule shall apply. Use / to
# addresses in dotted decimal notation or valid DNS names (
# http_parent may be "." to denote "no HTTP forwarding"), and
# the optional port parameters are TCP ports, i.e. integer
-# values from 1 to 65535
+# values from 1 to 65535. user and pass can be used for SOCKS5
+# authentication if required.
#
# Default value:
#
#
# forward-socks4 / socks-gw.example.com:1080 .
#
+# To connect SOCKS5 proxy which requires username/password
+# authentication:
+#
+# forward-socks5 / user:pass@socks-gw.example.com:1080 .
+#
# To chain Privoxy and Tor, both running on the same system, you
# would use something like:
#
# logfile from time to time, to see how many retries are usually
# needed.
#
-# Examples:
+# Example:
#
# forwarded-connect-retries 1
#
# the CGI templates to make sure they don't reference content
# from config.privoxy.org.
#
-# Examples:
+# Example:
#
# accept-intercepted-requests 1
#
# Don't enable this option unless you're sure that you really
# need it.
#
-# Examples:
+# Example:
#
# allow-cgi-request-crunching 1
#
# to enable this option, but if one of the submit buttons
# appears to be broken, you should give it a try.
#
-# Examples:
+# Example:
#
# split-large-forms 1
#
# seconds or even more if you think your browser can handle it.
# If your browser appears to be hanging, it probably can't.
#
-# Examples:
+# Example:
#
# keep-alive-timeout 300
#
# If you are seeing problems with pages not properly loading,
# disabling this option could work around the problem.
#
-# Examples:
+# Example:
#
# tolerate-pipelining 1
#
# This option has no effect if Privoxy has been compiled without
# keep-alive support.
#
-# Examples:
+# Example:
#
# default-server-timeout 60
#
-#default-server-timeout 60
+#default-server-timeout 5
#
# 6.7. connection-sharing
# ========================
# This option should only be used by experienced users who
# understand the risks and can weight them against the benefits.
#
-# Examples:
+# Example:
#
# connection-sharing 1
#
# If you aren't using an occasionally slow proxy like Tor,
# reducing it to a few seconds should be fine.
#
-# Examples:
+# Example:
#
# socket-timeout 300
#
# limit can't be increased without recompiling Privoxy with a
# different FD_SETSIZE limit.
#
-# Examples:
+# Example:
#
# max-client-connections 256
#
# Notes:
#
# Under high load incoming connection may queue up before
-# Privoxy gets around to serve them. The queue length is
-# limitted by the operating system. Once the queue is full,
-# additional connections are dropped before Privoxy can accept
-# and serve them.
+# Privoxy gets around to serve them. The queue length is limited
+# by the operating system. Once the queue is full, additional
+# connections are dropped before Privoxy can accept and serve
+# them.
#
# Increasing the queue length allows Privoxy to accept more
-# incomming connections that arrive roughly at the same time.
+# incoming connections that arrive roughly at the same time.
#
# Note that Privoxy can only request a certain queue length,
# whether or not the requested length is actually used depends
# the system configuration as well. On FreeBSD-based system the
# limit is controlled by the kern.ipc.soacceptqueue sysctl.
#
-# Examples:
+# Example:
#
# listen-backlog 4096
#
# systems. Check the accf_http(9) man page to learn how to
# enable the support in the operating system.
#
-# Examples:
+# Example:
#
# enable-accept-filter 1
#
#
# Note that sorting headers in an uncommon way will make
# fingerprinting actually easier. Encrypted headers are not
-# affected by this directive.
+# affected by this directive unless https-inspection is enabled.
#
#client-header-order Host \
# User-Agent \
# Referer \
# Cookie \
# DNT \
+# Connection \
+# Pragma \
+# Upgrade-Insecure-Requests \
# If-Modified-Since \
# Cache-Control \
# Content-Length \
+# Origin \
# Content-Type
#
-#
# 6.16. client-specific-tag
# ==========================
#
#
# Notes:
#
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
# Client-specific tags allow Privoxy admins to create different
# profiles and let the users chose which one they want without
# impacting other users.
# Clients can request tags to be set by using the CGI interface
# http://config.privoxy.org/client-tags. The specific tag
# description is only used on the web page and should be phrased
-# in away that the user understand the effect of the tag.
+# in away that the user understands the effect of the tag.
#
# Examples:
#
# # Define a couple of tags, the described effect requires action sections
# # that are enabled based on CLIENT-TAG patterns.
# client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
-# disable-content-filters Disable content-filters but do not affect other actions
-#
+# client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
+# client-specific-tag overrule-redirects Overrule redirect sections
+# client-specific-tag allow-cookies Do not crunch cookies in either direction
+# client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits)
+# client-specific-tag no-https-inspection Disable HTTPS inspection
+# client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled
#
#
# 6.17. client-tag-lifetime
#
# Notes:
#
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
# In case of some tags users may not want to enable them
# permanently, but only for a short amount of time, for example
# to circumvent a block that is the result of an overly-broad
# it is used, the tag will be set until the client-tag-lifetime
# is over.
#
-# Examples:
+# Example:
#
# # Increase the time to life for temporarily enabled tags to 3 minutes
# client-tag-lifetime 180
#
# Notes:
#
-# +-----------------------------------------------------+
-# | Warning |
-# |-----------------------------------------------------|
-# |This is an experimental feature. The syntax is likely|
-# |to change in future versions. |
-# +-----------------------------------------------------+
-#
# If clients reach Privoxy through another proxy, for example a
# load balancer, Privoxy can't tell the client's IP address from
# the connection. If multiple clients use the same proxy, they
# registering lots of client tag settings for clients that don't
# exist.
#
-# Examples:
+# Example:
#
# # Allow systems that can reach Privoxy to provide the client
# # IP address with a X-Forwarded-For header.
# cleared before using it, a buffer that is too large can
# actually reduce the throughput.
#
-# Examples:
+# Example:
#
# # Increase the receive buffer size
# receive-buffer-size 32768
#
#
+# 7. HTTPS INSPECTION (EXPERIMENTAL)
+# ===================================
+#
+# HTTPS inspection allows to filter encrypted requests and
+# responses. This is only supported when Privoxy has been built with
+# FEATURE_HTTPS_INSPECTION. If you aren't sure if your version
+# supports it, have a look at http://config.privoxy.org/show-status.
+#
+#
+# 7.1. ca-directory
+# ==================
+#
+# Specifies:
#
-# 7. WINDOWS GUI OPTIONS
+# Directory with the CA key, the CA certificate and the trusted
+# CAs file.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# Empty string
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the directory where the CA key, the
+# CA certificate and the trusted CAs file are located.
+#
+# The permissions should only let Privoxy and the Privoxy admin
+# access the directory.
+#
+# Example:
+#
+# ca-directory /usr/local/etc/privoxy/CA
+#
+#ca-directory /usr/local/etc/privoxy/CA
+#
+# 7.2. ca-cert-file
+# ==================
+#
+# Specifies:
+#
+# The CA certificate file in ".crt" format.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# cacert.crt
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the name of the CA certificate file
+# in ".crt" format.
+#
+# The file is used by Privoxy to generate website certificates
+# when https inspection is enabled with the https-inspection
+# action.
+#
+# Privoxy clients should import the certificate so that they can
+# validate the generated certificates.
+#
+# The file can be generated with: openssl req -new -x509
+# -extensions v3_ca -keyout cakey.pem -out cacert.crt -days 3650
+#
+# Example:
+#
+# ca-cert-file root.crt
+#
+#ca-cert-file cacert.crt
+#
+# 7.3. ca-key-file
+# =================
+#
+# Specifies:
+#
+# The CA key file in ".pem" format.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# cacert.pem
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the name of the CA key file in ".pem"
+# format. The ca-cert-file section contains a command to
+# generate it.
+#
+# The CA key is used by Privoxy to sign generated certificates.
+#
+# Access to the key should be limited to Privoxy.
+#
+# Example:
+#
+# ca-key-file cakey.pem
+#
+#ca-key-file cakey.pem
+#
+# 7.4. ca-password
+# =================
+#
+# Specifies:
+#
+# The password for the CA keyfile.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# Empty string
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the password for the CA keyfile that
+# is used when Privoxy generates certificates for intercepted
+# requests.
+#
+# Note that the password is shown on the CGI page so don't reuse
+# an important one.
+#
+# Example:
+#
+# ca-password blafasel
+#
+#ca-password swordfish
+#
+# 7.5. certificate-directory
+# ===========================
+#
+# Specifies:
+#
+# Directory to save generated keys and certificates.
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# ./certs
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the directory where generated TLS/SSL
+# keys and certificates are saved when https inspection is
+# enabled with the https-inspection action.
+#
+# The keys and certificates currently have to be deleted
+# manually when changing the ca-cert-file and the ca-cert-key.
+#
+# The permissions should only let Privoxy and the Privoxy admin
+# access the directory.
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Privoxy currently does not garbage-collect obsolete |
+# |keys and certificates and does not keep track of how |
+# |may keys and certificates exist. |
+# | |
+# |Privoxy admins should monitor the size of the |
+# |directory and/or make sure there is sufficient space |
+# |available. A cron job to limit the number of keys and|
+# |certificates to a certain number may be worth |
+# |considering. |
+# +-----------------------------------------------------+
+# Example:
+#
+# certificate-directory /usr/local/var/privoxy/certs
+#
+#certificate-directory /usr/local/var/privoxy/certs
+#
+# 7.6. cipher-list
+# =================
+#
+# Specifies:
+#
+# A list of ciphers to use in TLS handshakes
+#
+# Type of value:
+#
+# Text
+#
+# Default value:
+#
+# None
+#
+# Effect if unset:
+#
+# A default value is inherited from the TLS library.
+#
+# Notes:
+#
+# This directive allows to specify a non-default list of ciphers
+# to use in TLS handshakes with clients and servers.
+#
+# Ciphers are separated by colons. Which ciphers are supported
+# depends on the TLS library. When using OpenSSL, unsupported
+# ciphers are skipped. When using MbedTLS they are rejected.
+#
+# +-----------------------------------------------------+
+# | Warning |
+# |-----------------------------------------------------|
+# |Specifying an unusual cipher list makes |
+# |fingerprinting easier. Note that the default list |
+# |provided by the TLS library may be unusual when |
+# |compared to the one used by modern browsers as well. |
+# +-----------------------------------------------------+
+# Examples:
+#
+# # Explicitly set a couple of ciphers with names used by MbedTLS
+# cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+# TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-AES-256-CCM:\
+# TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+# TLS-DHE-RSA-WITH-AES-128-CCM:\
+# TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+# TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+# TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
+#
+#
+# # Explicitly set a couple of ciphers with names used by OpenSSL
+# cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+# ECDHE-ECDSA-AES256-GCM-SHA384:\
+# DH-DSS-AES256-GCM-SHA384:\
+# DHE-DSS-AES256-GCM-SHA384:\
+# DH-RSA-AES256-GCM-SHA384:\
+# DHE-RSA-AES256-GCM-SHA384:\
+# ECDH-RSA-AES256-GCM-SHA384:\
+# ECDH-ECDSA-AES256-GCM-SHA384:\
+# ECDHE-RSA-AES128-GCM-SHA256:\
+# ECDHE-ECDSA-AES128-GCM-SHA256:\
+# DH-DSS-AES128-GCM-SHA256:\
+# DHE-DSS-AES128-GCM-SHA256:\
+# DH-RSA-AES128-GCM-SHA256:\
+# DHE-RSA-AES128-GCM-SHA256:\
+# ECDH-RSA-AES128-GCM-SHA256:\
+# ECDH-ECDSA-AES128-GCM-SHA256:\
+# ECDHE-RSA-AES256-GCM-SHA384:\
+# AES128-SHA
+#
+#
+# # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
+# cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
+#
+#
+#
+# 7.7. trusted-cas-file
+# ======================
+#
+# Specifies:
+#
+# The trusted CAs file in ".pem" format.
+#
+# Type of value:
+#
+# File name relative to ca-directory
+#
+# Default value:
+#
+# trustedCAs.pem
+#
+# Effect if unset:
+#
+# Default value is used.
+#
+# Notes:
+#
+# This directive specifies the trusted CAs file that is used
+# when validating certificates for intercepted TLS/SSL requests.
+#
+# An example file can be downloaded from https://curl.se/ca/cacert.pem.
+# If you want to create the file yourself, please
+# see: https://curl.se/docs/caextract.html.
+#
+# Example:
+#
+# trusted-cas-file trusted_cas_file.pem
+#
+#trusted-cas-file trustedCAs.pem
+#
+# 8. WINDOWS GUI OPTIONS
# =======================
#
# Privoxy has a number of options specific to the Windows GUI
# interface:
#
#
-#
# If "activity-animation" is set to 1, the Privoxy icon will animate
# when "Privoxy" is active. To turn off, set to 0.
#
#activity-animation 1
#
-#
-#
# If "log-messages" is set to 1, Privoxy copies log messages to the
# console window. The log detail depends on the debug directive.
#
#log-messages 1
#
-#
-#
# If "log-buffer-size" is set to 1, the size of the log buffer, i.e.
# the amount of memory used for the log messages displayed in the
# console window, will be limited to "log-max-lines" (see below).