privoxy configuration

7/31/2019 privoxy configuration

1/30

#SampleConfigurationFileforPrivoxy##Id:config,v##Copyright(C)2001-2009PrivoxyDevelopershttp://www.privoxy.org/########################################################################TableofContents####I.INTRODUCTION##II.FORMATOFTHECONFIGURATIONFILE####1.LOCALSET-UPDOCUMENTATION##2.CONFIGURATIONANDLOGFILELOCATIONS##3.DEBUGGING##4.ACCESSCONTROLANDSECURITY##5.FORWARDING##6.WINDOWSGUIOPTIONS##########################################################################I.INTRODUCTION

#===============##ThisfileholdsPrivoxy'smainconfiguration.Privoxydetects#configurationchangesautomatically,soyoudon'thavetorestart#itunlessyouwanttoloadadifferentconfigurationfile.##Theconfigurationwillbereloadedwiththefirstrequestafter#thechangewasdone,thisrequestitselfwillstillusetheold#configuration,though.Inotherwords:ittakestworequestsbefore#youseetheresultofyourchanges.Requeststhataredroppeddue#toACLdon'ttriggerreloads.##WhenstartingPrivoxyonUnixsystems,givethelocationofthis

#fileaslastargument.OnWindowssystems,Privoxywilllookfor#thisfilewiththename'config.txt'inthecurrentworkingdirectory#ofthePrivoxyprocess.###II.FORMATOFTHECONFIGURATIONFILE#====================================##Configurationlinesconsistofaninitialkeywordfollowedbya#listofvalues,allseparatedbywhitespace(anynumberofspaces#ortabs).Forexample,##actionsfiledefault.action

##Indicatesthattheactionsfileisnamed'default.action'.##The'#'indicatesacomment.Anypartofalinefollowinga'#'#isignored,exceptifthe'#'isprecededbya'\'.##Thus,byplacinga#atthestartofanexistingconfiguration#line,youcanmakeitacommentanditwillbetreatedasifit#weren'tthere.Thisiscalled"commentingout"anoptionandcan#beuseful.Removingthe#againiscalled"uncommenting".


2/30

##Notethatcommentingoutanoptionandleavingitatitsdefault#aretwocompletelydifferentthings!Mostoptionsbehavevery#differentlywhenunset.Seethe"Effectifunset"explanationin#eachoption'sdescriptionfordetails.##Longlinescanbecontinuedonthenextlinebyusinga`\'asthe#lastcharacter.####1.LOCALSET-UPDOCUMENTATION#==============================##IfyouintendtooperatePrivoxyformoreusersthanjustyourself,#itmightbeagoodideatoletthemknowhowtoreachyou,what#youblockandwhyyoudothat,yourpolicies,etc.####1.1.user-manual#=================##Specifies:

##LocationofthePrivoxyUserManual.##Typeofvalue:##AfullyqualifiedURI##Defaultvalue:##Unset##Effectifunset:#

#http://www.privoxy.org/version/user-manual/willbeused,#whereversionisthePrivoxyversion.##Notes:##TheUserManualURIisthesinglebestsourceofinformationon#Privoxy,andisusedforhelplinksfromsomeoftheinternal#CGIpages.Themanualitselfisnormallypackagedwiththe#binarydistributions,soyouprobablywanttosetthistoa#locallyinstalledcopy.##Examples:#

#Thebestallpurposesolutionissimplytoputthefulllocal#PATHtowheretheUserManualislocated:##user-manual/usr/share/doc/privoxy/user-manual###TheUserManualisthenavailabletoanyonewith#accesstoPrivoxy,byfollowingthebuilt-inURL:#http://config.privoxy.org/user-manual/(ortheshortcut:#http://p.p/user-manual/).


3/30

##Ifthedocumentationisnotonthelocalsystem,itcanbe#accessedfromaremoteserver,as:##user-manualhttp://example.com/privoxy/user-manual/###WARNING!!!##Ifset,thisoptionshouldbethefirstoptionintheconfig#file,becauseitisusedwhiletheconfigfileisbeingread.#user-manual/usr/share/doc/privoxy/user-manual###1.2.trust-info-url#====================##Specifies:##AURLtobedisplayedintheerrorpagethatuserswillseeif#accesstoanuntrustedpageisdenied.##Typeofvalue:

##URL##Defaultvalue:##Unset##Effectifunset:##Nolinksaredisplayedonthe"untrusted"errorpage.##Notes:#

#Thevalueofthisoptiononlymattersiftheexperimentaltrust#mechanismhasbeenactivated.(Seetrustfilebelow.)##Ifyouusethetrustmechanism,itisagoodideatowrite#upsomeon-linedocumentationaboutyourtrustpolicyandto#specifytheURL(s)here.UsemultipletimesformultipleURLs.##TheURL(s)shouldbeaddedtothetrustfileaswell,sousers#don'tenduplockedoutfromtheinformationonwhytheywere#lockedoutinthefirstplace!##trust-info-urlhttp://www.example.com/why_we_block.html#trust-info-urlhttp://www.example.com/what_we_allow.html

###1.3.admin-address#===================##Specifies:##AnemailaddresstoreachthePrivoxyadministrator.##Typeofvalue:


4/30

##Emailaddress##Defaultvalue:##Unset##Effectifunset:##NoemailaddressisdisplayedonerrorpagesandtheCGIuser#interface.##Notes:##Ifbothadmin-addressandproxy-info-urlareunset,thewhole#"LocalPrivoxySupport"boxonallgeneratedpageswillnot#beshown.##[email protected]###1.4.proxy-info-url#====================#

#Specifies:##AURLtodocumentationaboutthelocalPrivoxysetup,#configurationorpolicies.##Typeofvalue:##URL##Defaultvalue:##Unset#

#Effectifunset:##Nolinktolocaldocumentationisdisplayedonerrorpagesand#theCGIuserinterface.##Notes:##Ifbothadmin-addressandproxy-info-urlareunset,thewhole#"LocalPrivoxySupport"boxonallgeneratedpageswillnot#beshown.##ThisURLshouldn'tbeblocked;-)#

#proxy-info-urlhttp://www.example.com/proxy-service.html###2.CONFIGURATIONANDLOGFILELOCATIONS#========================================##Privoxycan(andnormallydoes)useanumberofotherfilesfor#additionalconfiguration,helpandlogging.Thissectionofthe#configurationfiletellsPrivoxywheretofindthoseotherfiles.#


5/30

#TheuserrunningPrivoxy,musthavereadpermissionforall#configurationfiles,andwritepermissiontoanyfilesthatwould#bemodified,suchaslogfilesandactionsfiles.####2.1.confdir#=============##Specifies:##Thedirectorywheretheotherconfigurationfilesarelocated.##Typeofvalue:##Pathname##Defaultvalue:##/etc/privoxy(Unix)orPrivoxyinstallationdir(Windows)##Effectifunset:##Mandatory

##Notes:##Notrailing"/",please.#confdir/etc/privoxy###2.2.templdir#==============##Specifies:#

#Analternativedirectorywherethetemplatesareloadedfrom.##Typeofvalue:##Pathname##Defaultvalue:##unset##Effectifunset:##Thetemplatesareassumedtobelocatedinconfdir/template.

##Notes:##Privoxy'soriginaltemplatesareusuallyoverwrittenwitheach#update.Usethisoptiontorelocatecustomizedtemplatesthat#shouldbekept.Astemplatevariablesmightchangebetween#updates,youshouldn'texpecttemplatestoworkwithPrivoxy#releasesotherthantheonetheywerepartof,though.##templdir.


6/30

###2.3.logdir#============##Specifies:##Thedirectorywhereallloggingtakesplace(i.e.wherethe#logfileislocated).##Typeofvalue:##Pathname##Defaultvalue:##/var/log/privoxy(Unix)orPrivoxyinstallationdir(Windows)##Effectifunset:##Mandatory##Notes:#

#Notrailing"/",please.#logdir/var/log/privoxy###2.4.actionsfile#=================##Specifies:##Theactionsfile(s)touse##Typeofvalue:

##Completefilename,relativetoconfdir##Defaultvalues:##match-all.action#Actionsthatareappliedtoallsitesandmaybeoverruledlateron.##default.action#Mainactionsfile##user.action#Usercustomizations##Effectifunset:

##Noactionsaretakenatall.Moreorlessneutralproxying.##Notes:##Multipleactionsfilelinesarepermitted,andareinfact#recommended!##Thedefaultvaluesaredefault.action,whichisthe"main"#actionsfilemaintainedbythedevelopers,anduser.action,


7/30

#whereyoucanmakeyourpersonaladditions.##ActionsfilescontainallthepersiteandperURLconfiguration#foradblocking,cookiemanagement,privacyconsiderations,#etc.ThereisnopointinusingPrivoxywithoutatleastone#actionsfile.##NotethatsincePrivoxy3.0.7,thecompletefilename,including#the".action"extensionhastobespecified.Thesyntaxchange#wasnecessarytobeconsistentwiththeotherfileoptionsand#toallowpreviouslyforbiddencharacters.#actionsfilematch-all.action#Actionsthatareappliedtoallsitesandmaybeoverruledlateron.actionsfiledefault.action#Mainactionsfileactionsfileuser.action#Usercustomizations###2.5.filterfile#================##Specifies:##Thefilterfile(s)touse

##Typeofvalue:##Filename,relativetoconfdir##Defaultvalue:##default.filter(Unix)ordefault.filter.txt(Windows)##Effectifunset:##Notextualcontentfilteringtakesplace,i.e.all+filter{name}#actionsintheactionsfilesareturnedneutral.

##Notes:##Multiplefilterfilelinesarepermitted.##Thefilterfilescontaincontentmodificationrulesthatuse#regularexpressions.Theserulespermitpowerfulchangesonthe#contentofWebpages,andoptionallytheheadersaswell,e.g.,#youcouldtrytodisableyourfavoriteJavaScriptannoyances,#re-writetheactualdisplayedtext,orjusthavesomefun#playingbuzzwordbingowithwebpages.##The+filter{name}actionsrelyontherelevantfilter(name)

#tobedefinedinafilterfile!##Apre-definedfilterfilecalleddefault.filterthatcontainsa#numberofusefulfiltersforcommonproblemsisincludedinthe#distribution.Seethesectiononthefilteractionforalist.##Itisrecommendedtoplaceanylocallyadaptedfiltersintoa#separatefile,suchasuser.filter.#filterfiledefault.filter


8/30

#filterfileuser.filter#Usercustomizations###2.6.logfile#=============##Specifies:##Thelogfiletouse##Typeofvalue:##Filename,relativetologdir##Defaultvalue:##Unset(commentedout).Whenactivated:logfile(Unix)or#privoxy.log(Windows).##Effectifunset:##Nologfileiswritten.##Notes:

##Thelogfileiswherealllogginganderrormessagesare#written.Thelevelofdetailandnumberofmessagesaresetwith#thedebugoption(seebelow).Thelogfilecanbeusefulfor#trackingdownaproblemwithPrivoxy(e.g.,it'snotblocking#anadyouthinkitshouldblock)anditcanhelpyoutomonitor#whatyourbrowserisdoing.##Dependingonthedebugoptionsbelow,thelogfilemaybea#privacyriskifthirdpartiescangetaccesstoit.Asmost#userswillneverlookatit,Privoxy3.0.7andlateronlylog#fatalerrorsbydefault.#

#Formosttroubleshootingpurposes,youwillhavetochangethat,#pleaserefertothedebuggingsectionfordetails.##Yourlogfilewillgrowindefinitely,andyouwillprobably#wanttoperiodicallyremoveit.OnUnixsystems,youcando#thiswithacronjob(see"mancron").ForRedHatbasedLinux#distributions,alogrotatescripthasbeenincluded.##AnylogfilesmustbewritablebywhateveruserPrivoxyis#beingrunas(onUnix,defaultuseridis"privoxy").#logfilelogfile#

##2.7.trustfile#===============##Specifies:##Thenameofthetrustfiletouse##Typeofvalue:#


9/30

#Filename,relativetoconfdir##Defaultvalue:##Unset(commentedout).Whenactivated:trust(Unix)ortrust.txt#(Windows)##Effectifunset:##Theentiretrustmechanismisdisabled.##Notes:##Thetrustmechanismisanexperimentalfeatureforbuilding#white-listsandshouldbeusedwithcare.ItisNOTrecommended#forthecasualuser.##Ifyouspecifyatrustfile,Privoxywillonlyallowaccessto#sitesthatarespecifiedinthetrustfile.Sitescanbelisted#inoneoftwoways:##Prependinga~characterlimitsaccesstothissiteonly(and#anysub-pathswithinthissite),e.g.~www.example.comallows#accessto~www.example.com/features/news.html,etc.

##Or,youcandesignatesitesastrustedreferrers,byprepending#thenamewitha+character.Theeffectisthataccessto#untrustedsiteswillbegranted--butonlyifalinkfrom#thistrustedreferrerwasusedtogetthere.Thelinktarget#willthenbeaddedtothe"trustfile"sothatfuture,direct#accesseswillbegranted.Sitesaddedviathismechanismdo#notbecometrustedreferrersthemselves(i.e.theyareadded#witha~designation).Thereisalimitof512suchentries,#afterwhichnewentrieswillnotbemade.##Ifyouusethe+operatorinthetrustfile,itmaygrow#considerablyovertime.

##ItisrecommendedthatPrivoxybecompiledwiththe#--disable-force,--disable-toggleand--disable-editoroptions,#ifthisfeatureistobeused.##PossibleapplicationsincludelimitingInternetaccessfor#children.##trustfiletrust###3.DEBUGGING#=============

##Theseoptionsaremainlyusefulwhentracingaproblem.Notethat#youmightalsowanttoinvokePrivoxywiththe--no-daemoncommand#lineoptionwhendebugging.####3.1.debug#===========#


10/30

#Specifies:##Keyvaluesthatdeterminewhatinformationgetslogged.##Typeofvalue:##Integervalues##Defaultvalue:##0(i.e.:onlyfatalerrors(thatcausePrivoxytoexit)arelogged)##Effectifunset:##Defaultvalueisused(seeabove).##Notes:##Theavailabledebuglevelsare:##debug1#LogthedestinationforeachrequestPrivoxyletthrough.Seealsodebug1024.#debug2#showeachconnectionstatus#debug4#showI/Ostatus

#debug8#showheaderparsing#debug16#logalldatawrittentothenetworkintothelogfile#debug32#debugforcefeature#debug64#debugregularexpressionfilters#debug128#debugredirects#debug256#debugGIFde-animation#debug512#CommonLogFormat#debug1024#LogthedestinationforrequestsPrivoxydidn'tletthrough,andthereasonwhy.#debug2048#CGIuserinterface#debug4096#Startupbannerandwarnings.#debug8192#Non-fatalerrors#

##Toselectmultipledebuglevels,youcaneitheraddthemor#usemultipledebuglines.##Adebuglevelof1isinformativebecauseitwillshowyoueach#requestasithappens.1,1024,4096and8192arerecommended#sothatyouwillnoticewhenthingsgowrong.Theotherlevels#areprobablyonlyofinterestifyouarehuntingdownaspecific#problem.Theycanproduceahellofanoutput(especially16).##Privoxyusedtoshipwiththedebuglevelsrecommendedabove#enabledbydefault,butduetoprivacyconcerns3.0.7andlater#areconfiguredtoonlylogfatalerrors.

##Ifyouareusedtothemoreverbosesettings,simplyenable#thedebuglinesbelowagain.##IfyouwanttousepureCLF(CommonLogFormat),youshouldset#"debug512"ONLYandnotenableanythingelse.##Privoxyhasahard-codedlimitforthelengthoflogmessages.If#it'sreached,messagesareloggedtruncatedandmarkedwith#"...[toolong,truncated]".


11/30

##Pleasedon'tfileanysupportrequestswithouttryingto#reproducetheproblemwithincreaseddebuglevelfirst.Once#youreadthelogmessages,youmayevenbeabletosolvethe#problemonyourown.##debug1#LogthedestinationforeachrequestPrivoxyletthrough.#debug1024#LogthedestinationforrequestsPrivoxydidn'tletthrough,andthereasonwhy.#debug4096#Startupbannerandwarnings#debug8192#Non-fatalerrors###3.2.single-threaded#=====================##Specifies:##Whethertorunonlyoneserverthread.##Typeofvalue:##None#

#Defaultvalue:##Unset##Effectifunset:##Multi-threaded(or,whereunavailable:forked)operation,#i.e.theabilitytoservemultiplerequestssimultaneously.##Notes:##Thisoptionisonlytherefordebuggingpurposes.Itwill#drasticallyreduceperformance.

##single-threaded###3.3.hostname#==============##Specifies:##ThehostnameshownontheCGIpages.##Typeofvalue:#

#Text##Defaultvalue:##Unset##Effectifunset:##Thehostnameprovidedbytheoperatingsystemisused.#


12/30

#Notes:##Onsomemisconfiguredsystemsresolvingthehostnamefailsor#takestoomuchtimeandslowsPrivoxydown.Settingafixed#hostnameworksaroundtheproblem.##Inothercircumstancesitmightbedesirabletoshowahostname#otherthantheonereturnedbytheoperatingsystem.Forexample#ifthesystemhasseveraldifferenthostnamesandyoudon't#wanttousethefirstone.##NotethatPrivoxydoesnotvalidatethespecifiedhostnamevalue.##hostnamehostname.example.org###4.ACCESSCONTROLANDSECURITY#===============================##Thissectionoftheconfigfilecontrolsthesecurity-relevant#aspectsofPrivoxy'sconfiguration.###

#4.1.listen-address#====================##Specifies:##TheIPaddressandTCPportonwhichPrivoxywilllistenfor#clientrequests.##Typeofvalue:##[IP-Address]:Port##Defaultvalue:

##127.0.0.1:8118##Effectifunset:##Bindto127.0.0.1(IPv4localhost),port8118.Thisissuitable#andrecommendedforhomeuserswhorunPrivoxyonthesame#machineastheirbrowser.##Notes:##Youwillneedtoconfigureyourbrowser(s)tothisproxyaddress#andport.

##Ifyoualreadyhaveanotherservicerunningonport8118,or#ifyouwanttoserverequestsfromothermachines(e.g.onyour#localnetwork)aswell,youwillneedtooverridethedefault.##IPv6addressescontainingcolonshavetobequotedbybrackets.##IfyouleaveouttheIPaddress,PrivoxywillbindtoallIPv4#interfaces(addresses)onyourmachineandmaybecomereachable#fromtheInternet.Inthatcase,considerusingaccesscontrol


13/30

#lists(ACL's,seebelow),and/orafirewall.Ifthehostname#islocalhost,PrivoxywillexplicitlytrytobindtoanIPv4#address.Forotherhostnamesitdependsontheoperatingsystem#whichIPversionwillbeused.##IfyouopenPrivoxytountrustedusers,youwillalso#wanttomakesurethatthefollowingactionsaredisabled:#enable-edit-actionsandenable-remote-toggle##Example:##SupposeyouarerunningPrivoxyonamachinewhichhasthe#address192.168.0.1onyourlocalprivatenetwork(192.168.0.0)#andhasanotheroutsideconnectionwithadifferentaddress.You#wantittoserverequestsfrominsideonly:##listen-address192.168.0.1:8118###SupposeyouarerunningPrivoxyonanIPv6-capablemachineand#youwantittolistenontheIPv6addressoftheloopbackdevice:##listen-address[::1]:8118#

#listen-addresslocalhost:8118###4.2.toggle#============##Specifies:##Initialstateof"toggle"status##Typeofvalue:#

#1or0##Defaultvalue:##1##Effectifunset:##Actasiftoggledon##Notes:##Ifsetto0,Privoxywillstartin"toggledoff"mode,

#i.e.mostlybehavelikeanormal,content-neutralproxy#withbothadblockingandcontentfilteringdisabled.See#enable-remote-togglebelow.##Thewindowsversionwillonlydisplaythetoggleiconinthe#systemtrayifthisoptionispresent.#toggle1##


14/30

#4.3.enable-remote-toggle#==========================##Specifies:##Whetherornottheweb-basedtogglefeaturemaybeused##Typeofvalue:##0or1##Defaultvalue:##0##Effectifunset:##Theweb-basedtogglefeatureisdisabled.##Notes:##Whentoggledoff,Privoxymostlyactslikeanormal,#content-neutralproxy,i.e.doesn'tblockadsorfiltercontent.#

#Accesstothetogglefeaturecannotbecontrolledseparatelyby#"ACLs"orHTTPauthentication,sothateverybodywhocanaccess#Privoxy(see"ACLs"andlisten-addressabove)cantoggleit#forallusers.Sothisoptionisnotrecommendedformulti-user#environmentswithuntrustedusers.##Notethatmaliciousclientsidecode(e.gJava)isalsocapable#ofusingthisoption.##AsalotofPrivoxyusersdon'treaddocumentation,thisfeature#isdisabledbydefault.##NotethatyoumusthavecompiledPrivoxywithsupportforthis

#feature,otherwisethisoptionhasnoeffect.#enable-remote-toggle0###4.4.enable-remote-http-toggle#===============================##Specifies:##WhetherornotPrivoxyrecognizesspecialHTTPheaderstochange#itsbehaviour.#

#Typeofvalue:##0or1##Defaultvalue:##0##Effectifunset:#


15/30

#PrivoxyignoresspecialHTTPheaders.##Notes:##Whentoggledon,theclientcanchangePrivoxy'sbehaviourby#settingspecialHTTPheaders.Currentlytheonlysupported#specialheaderis"X-Filter:No",todisablefilteringfor#theongoingrequest,evenifitisenabledinoneofthe#actionfiles.##Thisfeatureisdisabledbydefault.IfyouareusingPrivoxyin#aenvironmentwithtrustedclients,youmayenablethisfeature#atyourdiscretion.Notethatmaliciousclientsidecode(e.g#Java)isalsocapableofusingthisfeature.##Thisoptionwillberemovedinfuturereleasesasithasbeen#obsoletedbythemoregeneralheadertaggers.#enable-remote-http-toggle0###4.5.enable-edit-actions#=========================#

#Specifies:##Whetherornottheweb-basedactionsfileeditormaybeused##Typeofvalue:##0or1##Defaultvalue:##0##Effectifunset:

##Theweb-basedactionsfileeditorisdisabled.##Notes:##Accesstotheeditorcannotbecontrolledseparatelyby#"ACLs"orHTTPauthentication,sothateverybodywhocanaccess#Privoxy(see"ACLs"andlisten-addressabove)canmodifyits#configurationforallusers.##Thisoptionisnotrecommendedforenvironmentswithuntrusted#usersandasalotofPrivoxyusersdon'treaddocumentation,#thisfeatureisdisabledbydefault.

##Notethatmaliciousclientsidecode(e.gJava)isalsocapable#ofusingtheactionseditorandyoushouldn'tenablethis#optionsunlessyouunderstandtheconsequencesandaresure#yourbrowserisconfiguredcorrectly.##NotethatyoumusthavecompiledPrivoxywithsupportforthis#feature,otherwisethisoptionhasnoeffect.#enable-edit-actions0


16/30

###4.6.enforce-blocks#====================##Specifies:##Whethertheuserisallowedtoignoreblocksandcan"gothere#anyway".##Typeofvalue:##0or1##Defaultvalue:##0##Effectifunset:##Blocksarenotenforced.##Notes:#

#Privoxyismainlyusedtoblockandfilterrequestsasaservice#totheuser,forexampletoblockadsandotherjunkthatclogs#thepipes.Privoxy'sconfigurationisn'tperfectandsometimes#innocentpagesareblocked.Inthissituationitmakessenseto#allowtheusertoenforcetherequestandhavePrivoxyignore#theblock.##InthedefaultconfigurationPrivoxy's"Blocked"pagecontains#a"gothereanyway"linktoaddsaspecialstring(theforce#prefix)totherequestURL.Ifthatlinkisused,Privoxy#willdetecttheforceprefix,removeitagainandletthe#requestpass.#

#OfcoursePrivoxycanalsobeusedtoenforceanetwork#policy.Inthatcasetheuserobviouslyshouldnotbeableto#bypassanyblocks,andthat'swhatthe"enforce-blocks"option#isfor.Ifit'senabled,Privoxyhidesthe"gothereanyway"#link.Iftheuseraddstheforceprefixbyhand,itwillnot#beacceptedandthecircumventionattemptislogged.##Examples:##enforce-blocks1#enforce-blocks0#

##4.7.ACLs:permit-accessanddeny-access#=========================================##Specifies:##Whocanaccesswhat.##Typeofvalue:#


17/30

#src_addr[:port][/src_masklen][dst_addr[:port][/dst_masklen]]##Wheresrc_addranddst_addrareIPv4addressesindotted#decimalnotationorvalidDNSnames,portisaportnumber,and#src_masklenanddst_masklenaresubnetmasksinCIDRnotation,#i.e.integervaluesfrom2to30representingthelength#(inbits)ofthenetworkaddress.Themasksandthewhole#destinationpartareoptional.##IfyoursystemimplementsRFC3493,thensrc_addranddst_addr#canbeIPv6addressesdelimetedbybrackets,portcanbea#numberoraservicename,andsrc_masklenanddst_masklencan#beanumberfrom0to128.##Defaultvalue:##Unset##Ifnoportisspecified,anyportwillmatch.Ifnosrc_masklen#orsrc_masklenisgiven,thecompleteIPaddresshastomatch#(i.e.32bitsforIPv4and128bitsforIPv6).##Effectifunset:#

#Don'trestrictaccessfurtherthanimpliedbylisten-address##Notes:##AccesscontrolsareincludedattherequestofISPsandsystems#administrators,andarenotusuallyneededbyindividual#users.Foratypicalhomeuser,itwillnormallysufficeto#ensurethatPrivoxyonlylistensonthelocalhost(127.0.0.1)#orinternal(home)networkaddressbymeansofthelisten-address#option.##PleaseseethewarningsintheFAQthatPrivoxyisnotintended#tobeasubstituteforafirewallortoencourageanyoneto

#deferaddressingbasicsecurityweaknesses.##MultipleACLlinesareOK.IfanyACLsarespecified,Privoxy#onlytalkstoIPaddressesthatmatchatleastonepermit-access#lineanddon'tmatchanysubsequentdeny-accessline.Inother#words,thelastmatchwins,withthedefaultbeingdeny-access.##IfPrivoxyisusingaforwarder(seeforwardbelow)fora#particulardestinationURL,thedst_addrthatisexaminedis#theaddressoftheforwarderandNOTtheaddressoftheultimate#target.Thisisnecessarybecauseitmaybeimpossibleforthe#localPrivoxytodeterminetheIPaddressoftheultimatetarget#(that'softenwhatgatewaysareusedfor).

##YoushouldpreferusingIPaddressesoverDNSnames,because#theaddresslookupstaketime.AllDNSnamesmustresolve!You#cannotusedomainpatternslike"*.org"orpartialdomain#names.IfaDNSnameresolvestomultipleIPaddresses,only#thefirstoneisused.##SomesystemsallowsIPv4clienttoconnecttoIPv6server#socket.Thentheclient'sIPv4addresswillbetranslatedby#systemintoIPv6addressspacewithspecialprefix::ffff:0:0/96


18/30

#(socalledIPv4mappedIPv6address).Privoxycanhandleit#andmapssuchACLaddressesautomatically.##DenyingaccesstoparticularsitesbyACLmayhaveundesired#sideeffectsifthesiteinquestionishostedonamachine#whichalsohostsothersites(mostsitesare).##Examples:##ExplicitlydefinethedefaultbehaviorifnoACLand#listen-addressareset:"localhost"isOK.Theabsenceofa#dst_addrimpliesthatalldestinationaddressesareOK:##permit-accesslocalhost###AllowanyhostonthesameclassCsubnetaswww.privoxy.org#accesstonothingbutwww.example.com(orotherdomainshosted#onthesamesystem):##permit-accesswww.privoxy.org/24www.example.com/32###Allowaccessfromanyhostonthe26-bitsubnet192.168.45.64to

#anywhere,withtheexceptionthat192.168.45.73maynotaccess#theIPaddressbehindwww.dirty-stuff.example.com:##permit-access192.168.45.64/26#deny-access192.168.45.73www.dirty-stuff.example.com##AllowaccessfromtheIPv4network192.0.2.0/24eveniflistening#onanIPv6wildcardaddress(notsupportedonallplatforms):##permit-access192.0.2.0/24###Thisisequivalenttothefollowinglineeveniflisteningon

#anIPv4address(notsupportedonallplatforms):##permit-access[::ffff:192.0.2.0]/120###4.8.buffer-limit#==================##Specifies:##Maximumsizeofthebufferforcontentfiltering.##Typeofvalue:

##SizeinKbytes##Defaultvalue:##4096##Effectifunset:##Usea4MB(4096KB)limit.


19/30

##Notes:##Forcontentfiltering,i.e.the+filterand+deanimate-gif#actions,itisnecessarythatPrivoxybufferstheentiredocument#body.Thiscanbepotentiallydangerous,sinceaservercould#justkeepsendingdataindefinitelyandwaitforyourRAMto#exhaust--withnastyconsequences.Hencethisoption.##Whenadocumentbuffersizereachesthebuffer-limit,itis#flushedtotheclientunfilteredandnofurtherattempttofilter#therestofthedocumentismade.Rememberthattheremaybe#multiplethreadsrunning,whichmightrequireuptobuffer-limit#Kbyteseach,unlessyouhaveenabled"single-threaded"above.#buffer-limit4096###5.FORWARDING#==============##ThisfeatureallowsroutingofHTTPrequeststhroughachainof#multipleproxies.#

#ForwardingcanbeusedtochainPrivoxywithacachingproxyto#speedupbrowsing.Usingaparentproxymayalsobenecessaryif#themachinethatPrivoxyrunsonhasnodirectInternetaccess.##Notethatparentproxiescanseverelydecreaseyourprivacy#level.ForexampleaparentproxycouldaddyourIPaddresstothe#requestheadersandifit'sacachingproxyitmayaddthe"Etag"#headertorevalidationrequestsagain,eventhoughyouconfigured#Privoxytoremoveit.ItmayalsoignorePrivoxy'sheadertime#randomizationandusetheoriginalvalueswhichcouldbeusedby#theserverascookiereplacementtotrackyourstepsbetweenvisits.##AlsospecifiedhereareSOCKSproxies.PrivoxysupportstheSOCKS

#4andSOCKS4Aprotocols.####5.1.forward#=============##Specifies:##TowhichparentHTTPproxyspecificrequestsshouldberouted.##Typeofvalue:#

#target_patternhttp_parent[:port]##wheretarget_patternisaURLpatternthatspecifiestowhich#requests(i.e.URLs)thisforwardruleshallapply.Use/#todenote"allURLs".http_parent[:port]istheDNSnameor#IPaddressoftheparentHTTPproxythroughwhichtherequests#shouldbeforwarded,optionallyfollowedbyitslisteningport#(default:8000).Useasingledot(.)todenote"noforwarding".##Defaultvalue:


20/30

##Unset##Effectifunset:##Don'tuseparentHTTPproxies.##Notes:##Ifhttp_parentis".",thenrequestsarenotforwardedto#anotherHTTPproxybutaremadedirectlytothewebservers.##http_parentcanbeanumericalIPv6address(ifRFC3493is#implemented).Topreventclasheswiththeportdelimiter,#thewholeIPaddresshastobeputintobrackets.Ontheother#handatarget_patterncontaininganIPv6addresshastobeput#intoanglebrackets(normalbracketsarereservedforregular#expressionsalready).##MultiplelinesareOK,theyarecheckedinsequence,andthe#lastmatchwins.##Examples:#

#Everythinggoestoanexampleparentproxy,exceptSSLonport#443(whichitdoesn'thandle):##forward/parent-proxy.example.org:8080#forward:443.###EverythinggoestoourexampleISP'scachingproxy,exceptfor#requeststothatISP'ssites:##forward/caching-proxy.isp.example.net:8000#forward.isp.example.net.#

##ParentproxyspecifiedbyanIPv6address:##foward/[2001:DB8::1]:8000###Supposeyourparentproxydoesn'tsupportIPv6:##forward/parent-proxy.example.org:8000#forwardipv6-server.example.org.#forward.##

#5.2.forward-socks4,forward-socks4aandforward-socks5#========================================================##Specifies:##ThroughwhichSOCKSproxy(andoptionallytowhichparentHTTP#proxy)specificrequestsshouldberouted.##Typeofvalue:#


21/30

#target_patternsocks_proxy[:port]http_parent[:port]##wheretarget_patternisaURLpatternthatspecifiestowhich#requests(i.e.URLs)thisforwardruleshallapply.Use/to#denote"allURLs".http_parentandsocks_proxyareIPaddresses#indotteddecimalnotationorvalidDNSnames(http_parentmay#be"."todenote"noHTTPforwarding"),andtheoptionalport#parametersareTCPports,i.e.integervaluesfrom1to65535##Defaultvalue:##Unset##Effectifunset:##Don'tuseSOCKSproxies.##Notes:##MultiplelinesareOK,theyarecheckedinsequence,andthe#lastmatchwins.##Thedifferencebetweenforward-socks4andforward-socks4a#isthatintheSOCKS4Aprotocol,theDNSresolutionofthe

#targethostnamehappensontheSOCKSserver,whileinSOCKS4#ithappenslocally.##Withforward-socks5theDNSresolutionwillhappenontheremote#serveraswell.##socks_proxyandhttp_parentcanbeanumericalIPv6address#(ifRFC3493isimplemented).Topreventclasheswiththeport#delimiter,thewholeIPaddresshastobeputintobrackets.On#theotherhandatarget_patterncontaininganIPv6addresshas#tobeputintoanglebrackets(normalbracketsarereserved#forregularexpressionsalready).#

#Ifhttp_parentis".",thenrequestsarenotforwardedtoanother#HTTPproxybutaremade(HTTP-wise)directlytothewebservers,#albeitthroughaSOCKSproxy.##Examples:##Fromthecompanyexample.com,directconnectionsaremadetoall#"internal"domains,buteverythingoutboundgoesthroughtheir#ISP'sproxybywayofexample.com'scorporateSOCKS4Agateway#totheInternet.##forward-socks4a/socks-gw.example.com:1080www-cache.isp.example.net:8080

#forward.example.com.###ArulethatusesaSOCKS4gatewayforalldestinationsbutno#HTTPparentlookslikethis:##forward-socks4/socks-gw.example.com:1080.###TochainPrivoxyandTor,bothrunningonthesamesystem,


22/30

#youwouldusesomethinglike:##forward-socks5/127.0.0.1:9050.###ThepublicTornetworkcan'tbeusedtoreachyourlocalnetwork,#ifyouneedtoaccesslocalserversyouthereforemightwant#tomakesomeexceptions:##forward192.168.*.*/.#forward10.*.*.*/.#forward127.*.*.*/.###Unencryptedconnectionstosystemsintheseaddressrangeswill#beas(un)secureasthelocalnetworkis,butthealternative#isthatyoucan'treachthelocalnetworkthroughPrivoxyat#all.Ofcoursethismayactuallybedesiredandthereisno#reasontomaketheseexceptionsifyouaren'tsureyouneedthem.##Ifyoualsowanttobeabletoreachserversinyourlocal#networkbyusingtheirnames,youwillneedadditionalexceptions#thatlooklikethis:#

#forwardlocalhost/.#####5.3.forwarded-connect-retries#===============================##Specifies:##HowoftenPrivoxyretriesifaforwardedconnectionrequest#fails.#

#Typeofvalue:##Numberofretries.##Defaultvalue:##0##Effectifunset:##Connectionsforwardedthroughotherproxiesaretreatedlike#directconnectionsandnoretryattemptsaremade.#

#Notes:##forwarded-connect-retriesismainlyinterestingforsocks4a#connections,wherePrivoxycan'tdetectwhytheconnections#failed.TheconnectionmighthavefailedbecauseofaDNStimeout#inwhichcasearetrymakessense,butitmightalsohavefailed#becausetheserverdoesn'texistorisn'treachable.Inthis#casetheretrywilljustdelaytheappearanceofPrivoxy's#errormessage.#


23/30

#Notethatinthecontextofthisoption,"forwardedconnections"#includesallconnectionsthatPrivoxyforwardsthroughother#proxies.ThisoptionisnotlimitedtotheHTTPCONNECTmethod.##Onlyusethisoption,ifyouaregettinglotsof#forwarding-relatederrormessagesthatgoawaywhenyoutryagain#manually.StartwithasmallvalueandcheckPrivoxy'slogfile#fromtimetotime,toseehowmanyretriesareusuallyneeded.##Examples:##forwarded-connect-retries1#forwarded-connect-retries0###6.MISCELLANEOUS#=================##6.1.accept-intercepted-requests#=================================##Specifies:#

#Whetherinterceptedrequestsshouldbetreatedasvalid.##Typeofvalue:##0or1##Defaultvalue:##0##Effectifunset:##Onlyproxyrequestsareaccepted,interceptedrequestsare

#treatedasinvalid.##Notes:##Ifyoudon'ttrustyourclientsandwanttoforcethemtouse#Privoxy,enablethisoptionandconfigureyourpacketfilter#toredirectoutgoingHTTPconnectionsintoPrivoxy.##MakesurethatPrivoxy'sownrequestsaren'tredirectedaswell.#AdditionallytakecarethatPrivoxycan'tintentionallyconnect#toitself,otherwiseyoucouldrunintoredirectionloopsif#Privoxy'slisteningportisreachablebytheoutsideoran#attackerhasaccesstothepagesyouvisit.

##Examples:##accept-intercepted-requests1#accept-intercepted-requests0###6.2.allow-cgi-request-crunching#=================================


24/30

##Specifies:##WhetherrequeststoPrivoxy'sCGIpagescanbeblockedor#redirected.##Typeofvalue:##0or1##Defaultvalue:##0##Effectifunset:##PrivoxyignoresblockandredirectactionsforitsCGIpages.##Notes:##BydefaultPrivoxyignoresblockorredirectactionsfor#itsCGIpages.Interceptingtheserequestscanbeusefulin#multi-usersetupstoimplementfine-grainedaccesscontrol,#butitcanalsorenderthecompletewebinterfaceuselessand

#makedebuggingproblemspainfulifdonewithoutcare.##Don'tenablethisoptionunlessyou'resurethatyoureally#needit.##Examples:##allow-cgi-request-crunching1#allow-cgi-request-crunching0###6.3.split-large-forms

#=======================##Specifies:##WhethertheCGIinterfaceshouldstaycompatiblewithbroken#HTTPclients.##Typeofvalue:##0or1##Defaultvalue:#

#0##Effectifunset:##TheCGIformgeneratelongGETURLs.##Notes:##Privoxy'sCGIformscanleadtoratherlongURLs.Thisisn't#aproblemasfarastheHTTPstandardisconcerned,butitcan


25/30

#confuseclientswitharbitraryURLlengthlimitations.##Enablingsplit-large-formscausesPrivoxytodividebigforms#intosmalleronestokeeptheURLlengthdown.Itmakesediting#alotlessconvenientandyoucannolongersubmitallchanges#atonce,butatleastitworksaroundthisbrowserbug.##Ifyoudon'tnoticeanyeditingproblems,thereisnoreason#toenablethisoption,butifoneofthesubmitbuttonsappears#tobebroken,youshouldgiveitatry.##Examples:##split-large-forms1#split-large-forms0###6.4.keep-alive-timeout#========================##Specifies:##Numberofsecondsafterwhichanopenconnectionwillnolonger

#bereused.##Typeofvalue:##Timeinseconds.##Defaultvalue:##None##Effectifunset:##Connectionsarenotkeptalive.

##Notes:##ThisoptionallowsclientstokeeptheconnectiontoPrivoxy#alive.Iftheserversupportsit,Privoxywillkeepthe#connectiontotheserveraliveaswell.Undercertain#circumstancesthismayresultinspeed-ups.##Bydefault,Privoxywillclosetheconnectiontotheserverif#theclientconnectiongetsclosed,orifthespecifiedtimeout#hasbeenreachedwithoutanewrequestcomingin.Thisbehaviour#canbechangedwiththeconnection-sharingoption.#

#ThisoptionhasnoeffectifPrivoxyhasbeencompiledwithout#keep-alivesupport.##Examples:##keep-alive-timeout300#keep-alive-timeout300##


26/30

#6.5.connection-sharing#========================##Specifies:##Whetherornotoutgoingconnectionsthathavebeenkeptalive#shouldbesharedbetweendifferentincomingconnections.##Typeofvalue:##0or1##Defaultvalue:##None##Effectifunset:##Connectionsarenotshared.##Notes:##ThisoptionhasnoeffectifPrivoxyhasbeencompiledwithout#keep-alivesupport,orifit'sdisabled.

##Notes:##Notethatreusingconnectionsdoesn'tnecessarycause#speedups.Therearealsoafewprivacyimplicationsyoushould#beawareof.##Ifthisoptioniseffective,outgoingconnectionsareshared#betweenclients(iftherearemorethanone)andclosingthe#browserthatinitiatedtheoutgoingconnectiondoesnolonger#affecttheconnectionbetweenPrivoxyandtheserverunless#theclient'srequesthasn'tbeencompletedyet.#

#Iftheoutgoingconnectionisidle,itwillnotbecloseduntil#eitherPrivoxy'sortheserver'stimeoutisreached.While#it'sopen,theserverknowsthatthesystemrunningPrivoxyis#stillthere.##Iftherearemorethanoneclient(maybeevenbelongingto#multipleusers),theywillbeabletoreuseeachothers#connections.Thisispotentiallydangerousincaseof#authenticationschemeslikeNTLMwhereonlytheconnection#isauthenticated,insteadofrequiringauthenticationfor#eachrequest.##Ifthereisonlyasingleclient,andifsaidclientcankeep

#connectionsaliveonitsown,enablingthisoptionhasnextto#noeffect.Iftheclientdoesn'tsupportconnectionkeep-alive,#enablingthisoptionmaymakesenseasitallowsPrivoxytokeep#outgoingconnectionsaliveeveniftheclientitselfdoesn't#supportit.##Youshouldalsobeawarethatenablingthisoptionincreases#thelikelihoodofgettingthe"Noserverorforwarderdata"#errormessage,especiallyifyouareusingaslowconnection#totheInternet.


27/30

##Thisoptionshouldonlybeusedbyexperienceduserswho#understandtherisksandcanweightthemagainstthebenefits.##Examples:##connection-sharing1##connection-sharing1###6.6.socket-timeout#====================##Specifies:##Numberofsecondsafterwhichasockettimesoutifnodata#isreceived.##Typeofvalue:##Timeinseconds.##Defaultvalue:

##None##Effectifunset:##Adefaultvalueof300secondsisused.##Notes:##ForSOCKSrequeststhetimeoutcurrentlydoesn'tstartuntil#theSOCKSserveracceptedtherequest.Thiswillbefixedin#thenextrelease.#

#Examples:##socket-timeout300#socket-timeout300###6.7.max-client-connections#============================##Specifies:##Maximumnumberofclientconnectionsthatwillbeserved.

##Typeofvalue:##Positivenumber.##Defaultvalue:##None##Effectifunset:


28/30

##Connectionsareserveduntilaresourcelimitisreached.##Notes:##Privoxycreatesonethread(orprocess)foreveryincoming#clientconnectionthatisn'trejectedbasedontheaccess#controlsettings.##Ifthesystemispowerfulenough,Privoxycantheoreticallydeal#withseveralhundred(orthousand)connectionsatthesametime,#butsomeoperatingsystemsenforceresourcelimitsbyshutting#downoffendingprocessesandtheirdefaultlimitsmaybebelow#theonesPrivoxywouldrequireunderheavyload.##ConfiguringPrivoxytoenforceaconnectionlimitbelowthe#threadorprocesslimitusedbytheoperatingsystemmakes#surethisdoesn'thappen.Simplyincreasingtheoperating#system'slimitwouldworktoo,butifPrivoxyisn'ttheonly#applicationrunningonthesystem,youmayactuallywantto#limittheresourcesusedbyPrivoxy.##IfPrivoxyisonlyusedbyasingletrusteduser,limitingthe#numberofclientconnectionsisprobablyunnecessary.Ifthere

#aremultiplepossiblyuntrustedusersyouprobablystillwant#toadditionallyuseapacketfiltertolimitthemaximalnumber#ofincomingconnectionsperclient.Otherwiseamalicioususer#couldintentionallycreateahighnumberofconnectionsto#preventotherusersfromusingPrivoxy.##Obviouslyusingthisoptiononlymakessenseifyouchoosea#limitbelowtheoneenforcedbytheoperatingsystem.##Examples:##max-client-connections256#

#max-client-connections256###6.8.handle-as-empty-doc-returns-ok#====================================##Note:##Thisisawork-aroundforFirefoxbug492459:Websitesareno#longerrenderedifSSLrequestsforJavaScriptsareblockedby#aproxy.(https://bugzilla.mozilla.org/show_bug.cgi?id=492459)##Specifies:

##ThestatuscodePrivoxyreturnsforpagesblockedwith#+handle-as-empty-document.##Typeofvalue:##0or1##Defaultvalue:#


29/30

#0##Effectifunset:##Privoxyreturnsastatus403(forbidden)forallblockedpages.##Effectifset:##Privoxyreturnsastatus200(OK)forpagesblockedwith#+handle-as-empty-documentandastatus403(Forbidden)forall#otherblockedpages.##handle-as-empty-doc-returns-ok0###7.WINDOWSGUIOPTIONS#=======================##PrivoxyhasanumberofoptionsspecifictotheWindowsGUI#interface:###If"activity-animation"issetto1,thePrivoxyiconwillanimate#when"Privoxy"isactive.Toturnoff,setto0.

##activity-animation1##If"log-messages"issetto1,Privoxywilllogmessagestothe#consolewindow:##log-messages1##If"log-buffer-size"issetto1,thesizeofthelogbuffer,#i.e.theamountofmemoryusedforthelogmessagesdisplayedin#theconsolewindow,willbelimitedto"log-max-lines"(seebelow).##Warning:Settingthisto0willresultinthebuffertogrow

#infinitelyandeatupallyourmemory!##log-buffer-size1##log-max-linesisthemaximumnumberoflinesheldinthelog#buffer.Seeabove.##log-max-lines200##If"log-highlight-messages"issetto1,Privoxywillhighlight#portionsofthelogmessageswithabold-facedfont:##log-highlight-messages1

##Thefontusedintheconsolewindow:##log-font-nameComicSansMS##Fontsizeusedintheconsolewindow:##log-font-size8##"show-on-task-bar"controlswhetherornotPrivoxywillappearas


30/30

#abuttonontheTaskbarwhenminimized:##show-on-task-bar0##If"close-button-minimizes"issetto1,theWindowsclosebutton#willminimizePrivoxyinsteadofclosingtheprogram(closewith#theexitoptionontheFilemenu).##close-button-minimizes1##The"hide-console"optionisspecifictotheMS-Winconsoleversion#ofPrivoxy.Ifthisoptionisused,Privoxywilldisconnectfrom#andhidethecommandconsole.##hide-console##

privoxy configuration

Documents