rebuild docs
[privoxy.git] / doc / webserver / user-manual / config.html
index 3037bc6..14eb991 100644 (file)
@@ -4,7 +4,7 @@
 <head>
   <title>The Main Configuration File</title>
   <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.79">
-  <link rel="HOME" title="Privoxy 3.0.29 User Manual" href="index.html">
+  <link rel="HOME" title="Privoxy 3.0.33 User Manual" href="index.html">
   <link rel="PREVIOUS" title="Privoxy Configuration" href="configuration.html">
   <link rel="NEXT" title="Actions Files" href="actions-file.html">
   <link rel="STYLESHEET" type="text/css" href="../p_doc.css">
@@ -15,7 +15,7 @@
   <div class="NAVHEADER">
     <table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
       <tr>
-        <th colspan="3" align="center">Privoxy 3.0.29 User Manual</th>
+        <th colspan="3" align="center">Privoxy 3.0.33 User Manual</th>
       </tr>
       <tr>
         <td width="10%" align="left" valign="bottom"><a href="configuration.html" accesskey="P">Prev</a></td>
                     <pre class=
                     "PROGRAMLISTING">  debug     1 # Log the destination for each request. See also debug 1024.
   debug     2 # show each connection status
-  debug     4 # show I/O status
+  debug     4 # show tagging-related messages
   debug     8 # show header parsing
   debug    16 # log all data written to the network
   debug    32 # debug force feature
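Review bot: the description of `debug 4` changes from "show I/O status" to "show tagging-related messages" with nothing else in the hunk updated to match; make sure the comment block in the shipped default config file uses the same wording, otherwise the manual and the config readers actually copy from will disagree about what level 4 logs.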
               <p>A debug level of 1 is informative because it will show you each request as it happens. <span class=
               "emphasis"><i class="EMPHASIS">1, 1024, 4096 and 8192 are recommended</i></span> so that you will notice
               when things go wrong. The other levels are probably only of interest if you are hunting down a specific
-              problem. They can produce a hell of an output (especially 16).</p>
+              problem. They can produce a lot of output (especially 16).</p>
               <p>If you are used to the more verbose settings, simply enable the debug lines below again.</p>
               <p>If you want to use pure CLF (Common Log Format), you should set <span class="QUOTE">"debug 512"</span>
               <span class="emphasis"><i class="EMPHASIS">ONLY</i></span> and not enable anything else.</p>
               whenever the IP address is assigned to the system</p>
               <p>IPv6 addresses containing colons have to be quoted by brackets. They can only be used if <span class=
               "APPLICATION">Privoxy</span> has been compiled with IPv6 support. If you aren't sure if your version
-              supports it, have a look at <tt class="LITERAL">http://config.privoxy.org/show-status</tt>.</p>
+              supports it, have a look at <a href="http://config.privoxy.org/show-status" target=
+              "_top">http://config.privoxy.org/show-status</a>.</p>
               <p>Some operating systems will prefer IPv6 to IPv4 addresses even if the system has no IPv6 connectivity
               which is usually not expected by the user. Some even rely on DNS to resolve localhost which mean the
               "localhost" address used may not actually be local.</p>
               behaves differently.</p>
               <p>If you configure <span class="APPLICATION">Privoxy</span> to be reachable from the network, consider
               using <a href="config.html#ACLS">access control lists</a> (ACL's, see below), and/or a firewall.</p>
-              <p>If you open <span class="APPLICATION">Privoxy</span> to untrusted users, you will also want to make
-              sure that the following actions are disabled: <tt class="LITERAL"><a href=
+              <p>If you open <span class="APPLICATION">Privoxy</span> to untrusted users, you should also make sure
+              that the following actions are disabled: <tt class="LITERAL"><a href=
               "config.html#ENABLE-EDIT-ACTIONS">enable-edit-actions</a></tt> and <tt class="LITERAL"><a href=
               "config.html#ENABLE-REMOTE-TOGGLE">enable-remote-toggle</a></tt></p>
             </dd>
               <table border="0" bgcolor="#E0E0E0" width="90%">
                 <tr>
                   <td>
-                    <pre class="SCREEN"> forward           localhost/     .</pre>
+                    <pre class="SCREEN">  forward           localhost/     .</pre>
                   </td>
                 </tr>
               </table>
             <dd>
               <p>Note that reusing connections doesn't necessary cause speedups. There are also a few privacy
               implications you should be aware of.</p>
-              <p>If this option is effective, outgoing connections are shared between clients (if there are more than
-              one) and closing the browser that initiated the outgoing connection does no longer affect the connection
+              <p>If this option is enabled, outgoing connections are shared between clients (if there are more than
+              one) and closing the browser that initiated the outgoing connection does not affect the connection
               between <span class="APPLICATION">Privoxy</span> and the server unless the client's request hasn't been
               completed yet.</p>
               <p>If the outgoing connection is idle, it will not be closed until either <span class=
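Review bot: "does not affect the connection ... unless the client's request hasn't been completed yet" is a double negative that is hard to parse, and since the sentence is being reworded anyway it is worth fixing here, e.g. "does not affect the connection between Privoxy and the server, except while that client's request is still in progress". The privacy point the paragraph alludes to (a later client may reuse a connection another client opened) deserves to be stated in one plain sentence rather than left to "implications you should be aware of".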
             <dd>
               <p>128</p>
             </dd>
-            <dt>Effect if unset:</dt>
-            <dd>
-              <p>Connections are served until a resource limit is reached.</p>
-            </dd>
             <dt>Notes:</dt>
             <dd>
+              <p>Connections are served until a resource limit is reached.</p>
               <p><span class="APPLICATION">Privoxy</span> creates one thread (or process) for every incoming client
               connection that isn't rejected based on the access control settings.</p>
               <p>If the system is powerful enough, <span class="APPLICATION">Privoxy</span> can theoretically deal with
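Review bot: moving "Connections are served until a resource limit is reached." out of "Effect if unset" and into Notes drops the condition it described; with a default of 128 shown directly above, the reader can no longer tell whether the sentence applies when the directive is absent or describes what happens once the limit is hit. Keep a qualifier ("If the directive is not set, ...") or, if the default always applies, state what happens to connections beyond the limit instead.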
               <table border="0" bgcolor="#E0E0E0" width="90%">
                 <tr>
                   <td>
-                    <pre class="SCREEN">    # Best speed (compared to the other levels)
-    compression-level 1
+                    <pre class="SCREEN">  # Best speed (compared to the other levels)
+  compression-level 1
 
-    # Best compression
-    compression-level 9
+  # Best compression
+  compression-level 9
 
-    # No compression. Only useful for testing as the added header
-    # slightly increases the amount of data that has to be sent.
-    # If your benchmark shows that using this compression level
-    # is superior to using no compression at all, the benchmark
-    # is likely to be flawed.
-    compression-level 0</pre>
+  # No compression. Only useful for testing as the added header
+  # slightly increases the amount of data that has to be sent.
+  # If your benchmark shows that using this compression level
+  # is superior to using no compression at all, the benchmark
+  # is likely to be flawed.
+  compression-level 0</pre>
                   </td>
                 </tr>
               </table>
               headers will be emitted in the order given, headers whose name isn't explicitly specified are added at
               the end.</p>
               <p>Note that sorting headers in an uncommon way will make fingerprinting actually easier. Encrypted
-              headers are not affected by this directive.</p>
+              headers are not affected by this directive unless <tt class="LITERAL"><a href=
+              "actions-file.html#HTTPS-INSPECTION" target="_top">https-inspection</a></tt> is enabled.</p>
             </dd>
           </dl>
         </div>
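Review bot: the added clause is correct but reads as if encryption were partially bypassed; the reason is that with https-inspection enabled the headers are already decrypted when Privoxy sees them, so they are ordered like any other request. Saying that directly ("Headers of intercepted HTTPS requests are affected as well once https-inspection is enabled") avoids the ambiguity, and the fingerprinting caveat in the same paragraph then obviously applies to those requests too.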
             </dd>
             <dt>Notes:</dt>
             <dd>
-              <div class="WARNING">
-                <table class="WARNING" border="1" width="90%">
-                  <tr>
-                    <td align="center"><b>Warning</b></td>
-                  </tr>
-                  <tr>
-                    <td align="left">
-                      <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
-                    </td>
-                  </tr>
-                </table>
-              </div>
               <p>Client-specific tags allow Privoxy admins to create different profiles and let the users chose which
               one they want without impacting other users.</p>
               <p>One use case is allowing users to circumvent certain blocks without having to allow them to circumvent
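Review bot: the "experimental feature, syntax is likely to change" warning is removed here and from the two related directives further down in this diff, but nothing in the hunk says why; if the intent is that the client-specific-tag syntax is now considered stable, that should be stated in the release notes, and if not, the warning should stay. Either way the HTTPS Inspection heading below still carries "(Experimental)", so the status of the two features should be reviewed together.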
               <p>Clients can request tags to be set by using the CGI interface <a href=
               "http://config.privoxy.org/client-tags" target="_top">http://config.privoxy.org/client-tags</a>. The
               specific tag description is only used on the web page and should be phrased in away that the user
-              understand the effect of the tag.</p>
+              understands the effect of the tag.</p>
             </dd>
             <dt>Examples:</dt>
             <dd>
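Review bot: the hunk fixes "understand" to "understands" but leaves "phrased in away that" in the unchanged context line just above; it should read "phrased in a way that". Since the tag description is the only thing a user sees before enabling a tag, this is the one sentence telling admins to write it clearly, so it is worth correcting in the same commit.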
                     <pre class="SCREEN">    # Define a couple of tags, the described effect requires action sections
     # that are enabled based on CLIENT-TAG patterns.
     client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
-    client-specific-tag disable-content-filters Disable content-filters but do not affect other actions</pre>
+    client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
+    client-specific-tag overrule-redirects Overrule redirect sections
+    client-specific-tag allow-cookies Do not crunch cookies in either direction
+    client-specific-tag change-tor-socks-port Change forward-socks5 settings to use a different Tor socks port (and circuits)
+    client-specific-tag no-https-inspection Disable HTTPS inspection
+    client-specific-tag no-tls-verification Don't verify certificates when http-inspection is enabled</pre>
                   </td>
                 </tr>
               </table>
             </dd>
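Review bot: "when http-inspection is enabled" in the no-tls-verification example should be "https-inspection", the action name used everywhere else in the manual. More importantly, that tag lets a client opt out of upstream certificate validation, and the description text is shown to users verbatim, so the example description should spell out the consequence (certificates of intercepted sites are no longer checked, leaving the client open to interception) rather than sit in the list next to benign tags like allow-cookies without any such hint.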
             <dt>Notes:</dt>
             <dd>
-              <div class="WARNING">
-                <table class="WARNING" border="1" width="90%">
-                  <tr>
-                    <td align="center"><b>Warning</b></td>
-                  </tr>
-                  <tr>
-                    <td align="left">
-                      <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
-                    </td>
-                  </tr>
-                </table>
-              </div>
               <p>In case of some tags users may not want to enable them permanently, but only for a short amount of
               time, for example to circumvent a block that is the result of an overly-broad URL pattern.</p>
               <p>The CGI interface <a href="http://config.privoxy.org/client-tags" target=
             </dd>
             <dt>Notes:</dt>
             <dd>
-              <div class="WARNING">
-                <table class="WARNING" border="1" width="90%">
-                  <tr>
-                    <td align="center"><b>Warning</b></td>
-                  </tr>
-                  <tr>
-                    <td align="left">
-                      <p>This is an experimental feature. The syntax is likely to change in future versions.</p>
-                    </td>
-                  </tr>
-                </table>
-              </div>
               <p>If clients reach Privoxy through another proxy, for example a load balancer, Privoxy can't tell the
               client's IP address from the connection. If multiple clients use the same proxy, they will share the same
               client tag settings which is usually not desired.</p>
     <div class="SECT2">
       <h2 class="SECT2"><a name="HTTPS-INSPECTION-DIRECTIVES" id="HTTPS-INSPECTION-DIRECTIVES">7.7. HTTPS Inspection
       (Experimental)</a></h2>
-      <p>HTTPS inspection allows to filter encrypted requests. This is only supported when <span class=
-      "APPLICATION">Privoxy</span> has been built with FEATURE_HTTPS_INSPECTION.</p>
+      <p>HTTPS inspection allows to filter encrypted requests and responses. This is only supported when <span class=
+      "APPLICATION">Privoxy</span> has been built with FEATURE_HTTPS_INSPECTION. If you aren't sure if your version
+      supports it, have a look at <a href="http://config.privoxy.org/show-status" target=
+      "_top">http://config.privoxy.org/show-status</a>.</p>
       <div class="SECT3">
         <h4 class="SECT3"><a name="CA-DIRECTORY" id="CA-DIRECTORY">7.7.1. ca-directory</a></h4>
         <div class="VARIABLELIST">
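Review bot: "allows to filter encrypted requests and responses" is ungrammatical; "makes it possible to filter" or "allows filtering of" reads better. The pointer to show-status is a good addition and mirrors the IPv6 paragraph earlier in the file, but the section heading still says "(Experimental)" while the experimental warnings are being removed elsewhere in this diff, so the wording should be checked for consistency.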
               target="_top">https-inspection</a></tt> action.</p>
               <p><span class="APPLICATION">Privoxy</span> clients should import the certificate so that they can
               validate the generated certificates.</p>
-              <p>The file can be generated with: openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out
-              cacert.crt -days 3650</p>
+              <p>The file can be generated with: <b class="COMMAND">openssl req -new -x509 -extensions v3_ca -keyout
+              cakey.pem -out cacert.crt -days 3650</b></p>
             </dd>
             <dt>Example:</dt>
             <dd>
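Review bot: marking the openssl invocation up as a command is fine, but as written it leaves two things unsaid that matter for the key Privoxy will load: without -nodes (or -noenc on OpenSSL 3) the private key in cakey.pem is written passphrase-encrypted, and without -subj the command prompts interactively for the subject. The text should say how Privoxy is expected to read the key (unencrypted, or how the passphrase is supplied) and should note that every client importing cacert.crt will trust whatever this CA signs, so the key must be generated and kept on a trusted host.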
             </dd>
             <dt>Notes:</dt>
             <dd>
-              <p>This directive specifies the name of the CA key file in ".pem" format. See the <a href="#CA-CERT-FILE"
-              target="_top">ca-cert-file</a> for a command to generate it.</p>
+              <p>This directive specifies the name of the CA key file in ".pem" format. The <a href="#CA-CERT-FILE"
+              target="_top">ca-cert-file section</a> contains a command to generate it.</p>
+              <p>The CA key is used by <span class="APPLICATION">Privoxy</span> to sign generated certificates.</p>
+              <p>Access to the key should be limited to Privoxy.</p>
             </dd>
             <dt>Example:</dt>
             <dd>
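Review bot: "Access to the key should be limited to Privoxy." is the right warning but too vague to act on; say that the file should be readable only by the user Privoxy runs as (owner-only permissions) and why: anyone holding this key can issue a certificate for any hostname that every client which imported the CA certificate will accept. Minor: "the ca-cert-file section contains a command" is fine, but "see the ca-cert-file directive" matches the phrasing used in the rest of the manual.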
                 <tr>
                   <td>
                     <pre class="SCREEN">    # Explicitly set a couple of ciphers with names used by MbedTLS
-    cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
-TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
-TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
-TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
-TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
-TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
-TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
-TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
-TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
-TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
-TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
-TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
-TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
-TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
-TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
-TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
-TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
-TLS-DHE-RSA-WITH-AES-256-CCM:\
-TLS-DHE-RSA-WITH-AES-256-CCM-8:\
-TLS-DHE-RSA-WITH-AES-128-CCM:\
-TLS-DHE-RSA-WITH-AES-128-CCM-8:\
-TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
-TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
-TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
-TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
-TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
-TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
-TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
-TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
-TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
-TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
-   </pre>
+  cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+  TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256:\
+  TLS-DHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\
+  TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:\
+  TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:\
+  TLS-ECDHE-ECDSA-WITH-AES-256-CCM:\
+  TLS-ECDHE-ECDSA-WITH-AES-256-CCM-8:\
+  TLS-ECDHE-ECDSA-WITH-AES-128-CCM:\
+  TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8:\
+  TLS-ECDHE-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+  TLS-ECDHE-ECDSA-WITH-CAMELLIA-256-GCM-SHA384:\
+  TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:\
+  TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:\
+  TLS-ECDHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+  TLS-ECDHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+  TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:\
+  TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:\
+  TLS-DHE-RSA-WITH-AES-256-CCM:\
+  TLS-DHE-RSA-WITH-AES-256-CCM-8:\
+  TLS-DHE-RSA-WITH-AES-128-CCM:\
+  TLS-DHE-RSA-WITH-AES-128-CCM-8:\
+  TLS-DHE-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+  TLS-DHE-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+  TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256:\
+  TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384:\
+  TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256:\
+  TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384:\
+  TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256:\
+  TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384:\
+  TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256:\
+  TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384</pre>
                   </td>
                 </tr>
               </table>
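Review bot: the example still begins `cipher-list cipher-list TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256:\`, so the directive name is repeated; depending on how the value is parsed this either yields an unknown cipher named "cipher-list" or fails to load, and anyone copy-pasting the example gets a broken configuration. The duplication predates the reindent, but this hunk is the place to fix it. Separately, for an example that readers will copy verbatim, the static ECDH-* suites (no forward secrecy) and the *-CCM-8 suites (truncated authentication tag) sit oddly next to the strong ones; dropping them would make the example a safer default.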
@@ -2688,25 +2659,24 @@ TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384
                 <tr>
                   <td>
                     <pre class="SCREEN">    # Explicitly set a couple of ciphers with names used by OpenSSL
-cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
-ECDHE-ECDSA-AES256-GCM-SHA384:\
-DH-DSS-AES256-GCM-SHA384:\
-DHE-DSS-AES256-GCM-SHA384:\
-DH-RSA-AES256-GCM-SHA384:\
-DHE-RSA-AES256-GCM-SHA384:\
-ECDH-RSA-AES256-GCM-SHA384:\
-ECDH-ECDSA-AES256-GCM-SHA384:\
-ECDHE-RSA-AES128-GCM-SHA256:\
-ECDHE-ECDSA-AES128-GCM-SHA256:\
-DH-DSS-AES128-GCM-SHA256:\
-DHE-DSS-AES128-GCM-SHA256:\
-DH-RSA-AES128-GCM-SHA256:\
-DHE-RSA-AES128-GCM-SHA256:\
-ECDH-RSA-AES128-GCM-SHA256:\
-ECDH-ECDSA-AES128-GCM-SHA256:\
-ECDHE-RSA-AES256-GCM-SHA384:\
-AES128-SHA
-   </pre>
+  cipher-list ECDHE-RSA-AES256-GCM-SHA384:\
+  ECDHE-ECDSA-AES256-GCM-SHA384:\
+  DH-DSS-AES256-GCM-SHA384:\
+  DHE-DSS-AES256-GCM-SHA384:\
+  DH-RSA-AES256-GCM-SHA384:\
+  DHE-RSA-AES256-GCM-SHA384:\
+  ECDH-RSA-AES256-GCM-SHA384:\
+  ECDH-ECDSA-AES256-GCM-SHA384:\
+  ECDHE-RSA-AES128-GCM-SHA256:\
+  ECDHE-ECDSA-AES128-GCM-SHA256:\
+  DH-DSS-AES128-GCM-SHA256:\
+  DHE-DSS-AES128-GCM-SHA256:\
+  DH-RSA-AES128-GCM-SHA256:\
+  DHE-RSA-AES128-GCM-SHA256:\
+  ECDH-RSA-AES128-GCM-SHA256:\
+  ECDH-ECDSA-AES128-GCM-SHA256:\
+  ECDHE-RSA-AES256-GCM-SHA384:\
+  AES128-SHA</pre>
                   </td>
                 </tr>
               </table>
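Review bot: ECDHE-RSA-AES256-GCM-SHA384 appears twice (first and second-to-last entry), and the list ends with AES128-SHA, a non-forward-secret CBC/SHA-1 suite that any peer lacking the GCM suites will fall back to; the DH-DSS and DH-RSA static DH entries were removed from OpenSSL in 1.1.0 and are silently skipped. Suggest removing the duplicate and AES128-SHA and adding a sentence that OpenSSL ignores unknown names in the list as long as at least one cipher remains, since that is what makes a typo here hard to notice.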
@@ -2715,8 +2685,7 @@ AES128-SHA
                   <td>
                     <pre class=
                     "SCREEN">    # Use keywords instead of explicitly naming the ciphers (Does not work with MbedTLS)
-    cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
-   </pre>
+  cipher-list ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH</pre>
                   </td>
                 </tr>
               </table>
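Review bot: !EXPORT40 and !EXPORT56 are subsumed by !EXPORT, and @STRENGTH sorts by symmetric key length, so it ranks a 256-bit suite without forward secrecy above a 128-bit ECDHE one; if this line is meant as a sane default, consider adding !MD5:!3DES and either dropping @STRENGTH or documenting that ordering effect. The comment "(Does not work with MbedTLS)" should also say what happens when it is used there (rejected at startup or ignored), so readers know how the failure shows up.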
@@ -2748,8 +2717,9 @@ AES128-SHA
             <dd>
               <p>This directive specifies the trusted CAs file that is used when validating certificates for
               intercepted TLS/SSL requests.</p>
-              <p>An example file can be downloaded from <a href="https://curl.haxx.se/ca/cacert.pem" target=
-              "_top">https://curl.haxx.se/ca/cacert.pem</a>.</p>
+              <p>An example file can be downloaded from <a href="https://curl.se/ca/cacert.pem" target=
+              "_top">https://curl.se/ca/cacert.pem</a>. If you want to create the file yourself, please see: <a href=
+              "https://curl.se/docs/caextract.html" target="_top">https://curl.se/docs/caextract.html</a>.</p>
             </dd>
             <dt>Example:</dt>
             <dd>
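Review bot: pointing readers at a downloaded CA bundle should come with two caveats the hunk does not add: the bundle is only as trustworthy as the download, so the checksum curl publishes alongside it should be verified, and root CAs are added and withdrawn regularly, so the file needs periodic refreshing or Privoxy will keep trusting withdrawn roots and fail to validate sites chained to newer ones. The caextract link is a good addition for readers who want to build the file themselves.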