X-Git-Url: http://www.privoxy.org/gitweb/?a=blobdiff_plain;f=doc%2Fwebserver%2Ffaq%2Fconfiguration.html;h=6268bd906f5a4e120727756c68d8160499e4a94f;hb=6d58d4306d46d1b5a7d7c249d349fbc4568ccc1c;hp=45bfeacfedf5a630f2edc4eb98556be02667fd55;hpb=c5aed82a9a4d52c7f44885058167a6e402815226;p=privoxy.git diff --git a/doc/webserver/faq/configuration.html b/doc/webserver/faq/configuration.html index 45bfeacf..6268bd90 100644 --- a/doc/webserver/faq/configuration.html +++ b/doc/webserver/faq/configuration.html @@ -1,11 +1,11 @@ +
Next |
# Allow all cookies for Yahoo login: +# +{ -crunch-incoming-cookies -crunch-outgoing-cookies -session-cookies-only } +.login.yahoo.com |
These kinds of sites are often quite complex and heavy with + Javascript and + thus "fragile". So if still a problem, + we have an alias just for such + sticky situations: +
# Gmail is a _fragile_ site: +# +{ fragile } + # Gmail is ... + mail.google.com |
Be sure to flush your browser's caches whenever making these kinds of + changes, just to make sure the changes "take". +
Make sure the domain, host and path are appropriate as well. Your browser can + tell you where you are specifically and you should use that information for + your configuration settings. Note that above it is not referenced as + gmail.com, which is a valid domain name. +
Configuring Privoxy is not entirely trivial. To + help you get started, we provide you with three different default action + "profiles" in the web based actions file editor at http://config.privoxy.org/show-status. + See the the User Manual - for an explanation of each.
User + Manual for a list of actions, and how the default + profiles are set. +Earlier versions included three different versions - default.action files. The new scheme allows for - greater flexibility of local configuration, and for browser based - configuration.
Where the defaults are likely to break some sites, exceptions for + known popular "problem" sites are included, but in + general, the more aggressive your default settings are, the more exceptions + you will have to make later. New users are best to start off in + "Cautious" setting. This is safest and will have the fewest + problems. See the User Manual + for a more detailed discussion.It should be noted that the "Advanced" profile (formerly known + as the "Adventuresome" profile) is more + aggressive, and will make use of some of + Privoxy's advanced features. Use at your own risk!
What I don't understand, is how I can browser edit the config file as a -regular user, while the whole It may seem strange that regular users can edit the config files with their + browsers, although the whole /etc/privoxy hierarchy -belongs to the user "privoxy", with only 644 permissions.
When you use the browser-based editor, When you use the browser-based editor, Privoxy -itself is writing to the config files. Because -Privoxy is running as the user "privoxy", it can -update the config files. +>, + it can update its own config files.
If you don't like this, setting "enable-edit-actions 0" in the -config file will disable the browser-based editor. If you're that paranoid, -you should also consider setting "enable-remote-toggle 0" to prevent -browser-based enabling/disabling of If you run Privoxy for multiple untrusted users (e.g. in + a LAN) or aren't entirely in control of your own browser, you will probably want + to make sure that the the web-based editor and remote toggle features are + "off" by setting "enable-edit-actions + 0" and "enable-remote-toggle + 0" in the main configuration file.
Note that normally only local users can connect to - As of Privoxy, so this is not (normally) a security -problem. +> 3.0.7 these options are disabled by default.
The "default.filter" file is where "filters" The default.filter - are defined, which are used to "filter" any - web page content. By "filtering" we mean it can modify, remove, - or change filters as supplied by the developers are defined. + Filters are a special subset of actions that can be used to modify or + remove web page content or headers on the fly. Content filters can + be applied to anything on the page, including HTML tags, and - JavaScript. Regular expressions are used to accomplish this, and operate - on a line by line basis. This is potentially a very powerful feature, but - requires some expertise.
in the page source, + header filters can be applied to either server or client headers. + Regular expressions are used to accomplish this.There are a number of pre-defined filters to deal with common annoyances. The + filters are only defined here, to invoke them, you need to use the + filter + action in one of the actions files. Content filtering is automatically + disabled for inappropriate MIME types, but if you now better than Privoxy + what should or should not be filtered you can filter any content you like.
Filters should + not be confused with blocks, which + is a completely different action, and is more typically used to block ads and + unwanted sites.
If you are familiar with regular expressions, and HTML, you can look at the provided default.filter with a text editor and see - some of things it can be used for.
with a text editor and define + your own filters. This is potentially a very powerful feature, but + requires some expertise in both regular expressions and HTML/HTTP. + You should + place any modifications to the default filters, or any new ones you create + in a separate file, such as user.filter, so they won't + be overwritten during upgrades. + The ability to define multiple filter files + in config is a new feature as of v. 3.0.5.Presently, there is no GUI editor option for this part of the configuration, - but you can disable/enable various sections of the included default - file with the "View & change the current configuration" from - your browser.
There is no GUI editor option for this part of the configuration, + but you can disable/enable the various pre-defined filters of the included + default.filter file with the web-based actions file editor. + Note that the custom actions editor must be explicitly enabled in + the main config file (see enable-edit-actions).If you intend to develop your own filters, you might want to have a look at + Privoxy-Filter-Test.
Privoxy only responds to requests - from localhost. To have it act as a server for a network, this needs to be - changed in the main config file where the Privoxy127.0.0.1 (localhost). To have it act as a server for + a network, this needs to be changed in the main configuration file. Look for + the listen-address - configuration is located. In that file is a "listen-address" - option. It may be commented out with a "#" symbol. Make sure - it is uncommented, and assign it the address of the LAN gateway interface, - and port number to use:
symbol. Make sure + it is uncommented, and assign it the address of the LAN gateway interface, + and port number to use. Assuming your LAN address is 192.168.1.1 and you + wish to run Privoxy on port 8118, this line + should look like:
listen-address :8118 |
And then use Privoxy's + permit-access + feature to limit connections. A firewall in this situation is recommended + as well.
The above steps should be the same for any TCP network, regardless of + operating system.
If you run Privoxy on a LAN with untrusted users, + we recommend that you double-check the access control and security + options!
This is a configuration option for images that - Privoxy is stopping. You have the choice of a - checkerboard pattern, a transparent 1x1 GIF image (aka The replacement for blocked images can be controlled with the set-image-blocker + action. You have the choice of a checkerboard pattern, a transparent 1x1 GIF + image (aka "blank"), - or a custom URL of your choice. Note that to fit this category, the URL must - match both the ), or a redirect to a custom image of your choice. + Note that this choice only has effect for images which are blocked as images, i.e. + whose URLs match both a "+handle-as-image"handle-as-image - and - "+block" actions.
block action.If you want to see nothing, then change the - If you want to see nothing, then change the "+set-image-blocker"set-image-blocker - action to "+image-blocker{blank}". This can be done from the - to "View & change the current configuration" selection at "blank". This can be done by editing the + user.action file, or through the http://p.p/. Or by hand editing the appropriate - actions file. This will only effect what is defined as "images" - though. Also, some URLs that generate the bright red "Blocked" - banner, can be moved to the "+set-image-blocker" section for the - same reason, but there are some limits and risks to this (see below).
web-based actions file editor.This can be helpful for troubleshooting problems. It might also be good - for anyone new to Privoxy so that they can - see if their favorite pages are displaying correctly, and +> Remember that telling which image is an ad and which + isn't, is an educated guess. While we hope that the standard configuration + is rather smart, it will make occasional mistakes. The checkerboard image is visually + decent, and it shows you where images have been blocked, which can be very + helpful in case some navigation aid or otherwise innocent image was + erroneously blocked. It is recommended for new users so they can Privoxy is not inadvertently removing something - important.
"see" what is happening. Some people might also enjoy seeing how + many banners they don't have to see.This happens when the banners are not embedded in the HTML code of the + page itself, but in separate HTML (sub)documents that are loaded into (i)frames + or (i)layers, and these external HTML documents are blocked. Being non-images + they get replaced by a substitute HTML page rather than a substitute image, + which wouldn't work out technically, since the browser expects and accepts + only HTML when it has requested an HTML document.
The substitute page adapts to the available space and shows itself as a + miniature two-liner if loaded into small frames, or full-blown with a + large red "BLOCKED" banner if space allows.
If you prefer the banners to be blocked by images, you must see to it that + the HTML documents in which they are embedded are not blocked. Clicking + the "Blocked". Why and how do I get rid of this?"See why" link offered in the substitute page will show + you which rule blocked the page. After changing the rule and un-blocking + the HTML documents, the browser will try to load the actual banner images + and the usual image blocking will (hopefully!) kick in.
These are URLs that match something in one of - Yes. Version 3.0.5 introduces full Privoxy's block actions - (Windows service + functionality. See "+block" the User Manual). - It is meant to be a warning so that you know something has been blocked and - an easy way for you to see why. These are handled differently than what has - been defined explicitly as "images" (e.g. ads that are GIF image - files). Depending on the URL itself, it is sometimes hard for +> for details on how to install and configure Privoxy to really know whether there is indeed an - ad image there or not. And there are limitations as to what +> as a service.
Earlier 3.x versions could run as a system service using srvany.exe. + See the discussion at http://sourceforge.net/tracker/?func=detail&atid=361118&aid=485617&group_id=11118, + for details, and a sample configuration.
This can be done and is often useful to combine the benefits of Privoxy can do to "fool" the - browser.
with those of a another proxy. + See the forwarding chapter + in the User Manual which + describes how to do this, and the How do I use Privoxy together with + Tor section below.For instance, if the ad is in a frame, then it is embedded in the separate - HTML page used for the frame. In this case, you cannot just substitute an - aribitrary image (like we would for a No, its more complicated than that. This only works with special kinds + of proxies known as "blank" image), for an HTML - page. The browser is expecting an HTML page, and that is what it must have - for frames. Such situations can be a little trickier to deal with, and - Privoxy may show the "intercepting" proxies (see below).
If you want these to be treated as if they were images, so that they can be - made invisible, you can try moving the offending URL from the - "+block" section to the The whole idea of Privoxy is to modify client requests + and server responses in all sorts of ways and therefore + it's not a transparent proxy as described in + RFC 2616.
However, some people say "+imageblock" section of - your actions file. Just be forewarned, if any URL is made - "transparent proxy" when they + mean "invisible", you may not have any inkling that something has - been removed from that page, or why. If this approach does not work, then you are - probably dealing with a frame (or "intercepting proxy". If you are one of them, + please read the next entry.
To deal with this situation, you could modify the +> Privoxy can't intercept traffic itself, + but it can handle requests that where intercepted and redirected + with a packet filter (like PF or + iptables), as long as the Host + header is present. +
As the Host header is required by HTTP/1.1 and as most + web sites rely on it anyway, this limitation shouldn't be a problem.
Please refer to your packet filter's documentation to learn how to + intercept and redirect traffic into Privoxy. + Afterward you just have to configure Privoxy to + accept + intercepted requests.
Versions of Outlook prior to Office 2007, use "block" HTML template that is used by +CLASS="APPLICATION" +>Internet Explorer components to both render HTML, + and fetch any HTTP requests that may be embedded in an HTML email. So however + you have Privoxy configured to work with IE, this + configuration should automatically be shared, at least with older version of + Internet Explorer.
Starting with Office 2007, Microsoft is instead using the MS-Word rendering + engine with Outlook. It is unknown whether this can be configured to use a + proxy. +
The short answer is, you can't. Privoxy has no way + of knowing which particular application makes a request, so there is no way to + distinguish between web pages and HTML mail. Privoxy to display this, and make it something - more to your liking. Currently, there is no configuration option for this. - You will have to modify, or create your own page, and use this to replace +> just blindly proxies all requests. In the + case of Outlook Express (see above), OE uses + IE anyway, and there is no way for Privoxy to ever + be able to distinguish between them (nor could any other proxy type application for + that matter).
For a good discussion of some of the issues involved (including privacy and + security issues), see + http://sourceforge.net/tracker/?func=detail&atid=211118&aid=629518&group_id=11118.
Cookies can be + set in several ways. The classic method is via the templates/blocked, which is what +CLASS="LITERAL" +>Set-Cookie HTTP header. This is straightforward, and an + easy one to manipulate, such as the Privoxy concept of + session-cookies-only. + There is also the possibility of using + Javascript to + set cookies (Privoxy calls these content-cookies). This + is trickier because the syntax can vary widely, and thus requires a certain + amount of guesswork. It is not realistic to catch all of these short of + disabling Javascript, which would break many sites. And lastly, if the + cookies are embedded in a HTTPS/SSL secure session via Javascript, they are beyond Privoxy's reach.
All in all, Privoxy uses to display the can help manage cookies in general, can help minimize + the loss of privacy posed by cookies, but can't realistically stop all + cookies.
No, in fact there are many beneficial uses of + cookies. Cookies are just a + method that browsers can use to store data between pages, or between browser + sessions. Sometimes there is a good reason for this, and the user's life is a + bit easier as a result. But there is a long history of some websites taking + advantage of this layer of trust, and using the data they glean from you and + your browsing habits for their own purposes, and maybe to your potential + detriment. Such sites are using you and storing their data on your system. + That is why the privacy conscious watch from whom those cookies come, and why + they really need to be there.
See the + Wikipedia cookie + definition for more.
There are several actions that relate to cookies. The default behavior is to + allow only "Blocked""session cookies", which means the cookies only last + for the current browser session. This eliminates most kinds of abuse related + to cookies. But there may be cases where you want cookies to last.
To disable all cookie actions, so that cookies are allowed unrestricted, + both in and out, for example.com:
{ -crunch-incoming-cookies -crunch-outgoing-cookies -session-cookies-only -filter{content-cookies} } + .example.com |
Place the above in user.action. Note that some of these may + be off by default anyway, so this might be redundant, but there is no harm + being explicit in what you want to happen. user.action - page.
allow-all-cookies.Another way to deal with this is find why and where - Each instance of Privoxy is blocking the frame, and - diable this. Then let the "+set-image-blocker" action - handle the ad that is embedded in the frame's HTML page.
has its own + configuration, including such attributes as the TCP port that it listens on. + What you can do is run multiple instances of Privoxy, each with + a unique + listen-address + configuration setting, and configuration path, and then + each of these can have their own configurations. Think of it as per-port + configuration.+ Simple enough for a few users, but for large installations, consider having + groups of users that might share like configurations.
There is not enough available space to fit the entire Blocked page. Try right - clicking on the visible portion, and select "Show Frame", - or equivalent. This will usually allow you to see the entire Privoxy +> Sure. There are a couple of things you can do for simple white-listing. + Here's one real easy one:
############################################################ + # Blacklist + ############################################################ + { +block } + / # Block *all* URLs + + ############################################################ + # Whitelist + ############################################################ + { -block } + kids.example.com + toys.example.com + games.example.com |
This allows access to only those three sites by first blocking all URLs, and + then subsequently allowing three specific exceptions.
Another approach is Privoxy's + trustfile concept, which incorporates the notion of "Blocked" page, and from there you can see just what is being - blocked, and why.
"trusted referrers". See the Trust documentation + for details.As of Privoxy 2.9.14, the Blocked banner page is re-sizeable, and tries - to adjust to the allotted space. There may be occassions where there - just isn't enough room to display much of anything useful though.
These are fairly simple approaches and are not completely foolproof. There + are various other configuration options that should be disabled (described + elsewhere here and in the User Manual) + so that users can't modify their own configuration and easily circumvent the + whitelist.Ad blocking is achieved through a complex application of various Privoxy + actions. These + actions are deployed against simple images, banners, flash animations, + text pages, JavaScript, pop-ups and pop-unders, etc., so its not as simple as + just turning one or two actions off. The various actions that make up + Privoxy run as a service -on Win2K/NT? ad blocking are hard-coded into the default configuration files. It + has been assumed that everyone using Privoxy is interested in this + particular feature. +
If you want to do without this, there are several approaches you can take: + You can manually undo the many block rules in + default.action. Or even easier, just create your own + default.action file from scratch without the many ad + blocking rules, and corresponding exceptions. Or lastly, if you are not + concerned about the additional blocks that are done for privacy reasons, you + can very easily over-ride all blocking with the + following very simple rule in your user.action: +
# Unblock everybody, everywhere + { -block } + / # UN-Block *all* URLs |
+ Or even a more comprehensive reversing of various ad related actions:
# Unblock everybody, everywhere, and turn off appropriate filtering, etc + { -block \ + -filter{banners-by-size} \ + -filter{banners-by-link} \ + allow-popups \ + } + / # UN-Block *all* URLs and allow ads |
This last "action" in this compound statement, + allow-popups, is an alias that disables + various pop-up blocking features.
Yes, it can run as a system service using srvany.exe. - The only catch is that this will effectively disable the +> Privoxy "templates" are specialized text files utilized by Privoxy icon in the taskbar. You can have - one or the other, but not both at this time :(
for various purposes and can easily be modified using any text + editor. All the template pages are installed in a sub-directory appropriately + named: templates. Knowing something about HTML syntax + will of course be helpful.There is a pending feature request for this functionality. See - thread: Be forewarned that the default templates are subject to being overwritten + during upgrades. You can, however, create completely new templates, + place them in another directory and specify the alternate path in the main + config. For details, have a look at the http://sourceforge.net/tracker/?func=detail&atid=361118&aid=485617&group_id=11118, - for details, and a sample configuration.
templdir option.There is more than one way to do it (although Perl is not involved).
Editing the BLOCKED template page (see above) may dissuade some users, but + this method is easily circumvented. Where you need this level of control, you + might want to build Privoxy work with other -proxies like from source, and disable various features that are + available as compile-time options. You should + configure the sources as follows:
./configure --disable-toggle --disable-editor --disable-force |
This will create an executable with hard-coded security features so that + Squid?Privoxy does not allow easy bypassing of blocked sites, or changing the + current configuration via any connected user's web browser.
This can be done. See the Finally, all of these features can also be toggled on/off via options in + Privoxy's main user manual, - which describes how to do this.
config file which + means you don't have to recompile anything.