5 $Id: user-manual.sgml,v 1.68 2002/04/04 18:46:47 swa Exp $
7 The user manual gives users information on how to install, configure and use
10 Privoxy is a web proxy with advanced filtering capabilities for protecting
11 privacy, filtering web page content, managing cookies, controlling access, and
12 removing ads, banners, pop-ups and other obnoxious Internet junk. Privoxy has a
13 very flexible configuration and can be customized to suit individual needs and
14 tastes. Privoxy has application for both stand-alone systems and multi-user
17 Privoxy is based on the code of the Internet Junkbuster (tm). Junkbuster was
18 originally written by JunkBusters Corporation, and was released as free
19 open-source software under the GNU GPL. Stefan Waldherr made many improvements,
20 and started the SourceForge project to continue development.
22 Privoxy continues the Junkbuster tradition, but adds many refinements,
23 enhancements and new features.
25 You can find the latest version of the user manual at http://www.privoxy.org/
26 user-manual/. Please see the Contact section on how to contact the developers.
28 -------------------------------------------------------------------------------
46 4. Quickstart to Using Privoxy
48 4.1. Command Line Options
50 5. Privoxy Configuration
52 5.1. Controlling Privoxy with Your Web Browser
53 5.2. Configuration Files Overview
54 5.3. The Main Configuration File
56 5.3.1. Defining Other Configuration Files
57 5.3.2. Other Configuration Options
58 5.3.3. Access Control List (ACL)
60 5.3.5. Windows GUI Options
64 5.4.1. URL Domain and Path Syntax
71 6. Contacting the Developers, Bug Reporting and Feature Requests
72 7. Copyright and History
80 9.1. Regular Expressions
81 9.2. Privoxy's Internal Pages
85 9.3. Anatomy of an Action
87 -------------------------------------------------------------------------------
91 This documentation is included with the current BETA version of Privoxy,
92 v.2.9.13, and is mostly complete at this point. The most up to date reference
93 for the time being is still the comments in the source files and in the
94 individual configuration files. Development of version 3.0 is currently nearing
95 completion, and includes many significant changes and enhancements over earlier
96 versions. The target release date for stable v3.0 is "soon" ;-).
98 Since this is a BETA version, not all new features are well tested. This
99 documentation may be slightly out of sync as a result (especially with CVS
100 sources). And there may be bugs, though hopefully not many!
102 -------------------------------------------------------------------------------
106 In addition to Internet Junkbuster's traditional feature of ad and banner
107 blocking and cookie management, Privoxy provides new features, some of them
108 currently under development:
110 * Integrated browser based configuration and control utility (http://p.p).
111 Browser-based tracing of rule and filter effects.
113 * Blocking of annoying pop-up browser windows.
115 * HTTP/1.1 compliant (most, but not all 1.1 features are supported).
117 * Support for Perl Compatible Regular Expressions in the configuration files,
118 and generally a more sophisticated and flexible configuration syntax over
123 * Web page content filtering (removes banners based on size, invisible
124 "web-bugs", JavaScript, pop-ups, status bar abuse, etc.)
126 * Bypass many click-tracking scripts (avoids script redirection).
128 * Multi-threaded (POSIX and native threads).
130 * Auto-detection and re-reading of config file changes.
132 * User-customizable HTML templates (e.g. 404 error page).
134 * Improved cookie management features (e.g. session based cookies).
136 * Improved signal handling, and a true daemon mode (Unix).
138 * Builds from source on most UNIX-like systems. Packages available for: Linux
139 (RedHat, SuSE, or Debian), Windows, Sun Solaris, Mac OSX, OS/2, HP-UX 11
142 * In addition, the configuration is much more powerful and versatile
145 -------------------------------------------------------------------------------
149 Privoxy is available as raw source code (tarball or via CVS), or pre-compiled
150 binaries for various platforms. See the Privoxy Project Page for the most up to
151 date release information. Privoxy is also available via CVS. This is the
152 recommended approach at this time. But please be aware that CVS is constantly
153 changing, and it may break in mysterious ways.
155 At present, Privoxy is known to run on Win32, Mac OSX, OS/2, AmigaOS, Linux
156 (RedHat, Suse, Debian), FreeBSD, and many flavors of Unix. There are source and
157 binary releases for these available for download at http://sourceforge.net/
158 project/showfiles.php?group_id=11118.
160 -------------------------------------------------------------------------------
164 There are several ways to install Privoxy.
166 To build Privoxy from source, autoconf and GNU make (gmake) are required.
167 Source is available as gzipped tar archives. For this, first unpack the source:
169 tar xzvf privoxy-2.9.13-beta-src* [.tgz or .tar.gz]
170 cd privoxy-2.9.13-beta
173 For retrieving the current CVS sources, you'll need the CVS package installed
174 first. Note CVS source is development quality, and may not be stable, or well
175 tested. To download CVS source:
177 cvs -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa login
178 cvs -z3 -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa co current
182 This will create a directory named current/, which will contain the source
185 Then, in either case, to build from unpacked tarball or CVS source:
189 ./configure (--help to see options)
190 make (the make from gnu, gmake for *BSD)
192 make -n install (to see where all the files will go)
193 make install (to really install)
196 Redhat and SuSE src and binary RPMs can be built with "make redhat-dist" or "
197 make suse-dist" from unpacked sources. You will need to run "autoconf;
198 autoheader; ./configure" beforehand. *BSD will require gmake (from http://
201 For Redhat and SuSE Linux RPM packages, see below.
203 -------------------------------------------------------------------------------
207 To build Redhat RPM packages from source, install source as above. Then:
215 This will create both binary and src RPMs in the usual places. Example:
217 /usr/src/redhat/RPMS/i686/privoxy-2.9.13-1.i686.rpm
219 /usr/src/redhat/SRPMS/privoxy-2.9.13-1.src.rpm
221 To install, of course:
223 rpm -Uvv /usr/src/redhat/RPMS/i686/privoxy-2.9.13-1.i686.rpm
226 This will place the Privoxy configuration files in /etc/privoxy/, and log files
227 in /var/log/privoxy/. Run ckconfig privoxy on to have Privoxy start
228 automatically during init.
230 -------------------------------------------------------------------------------
234 To build SuSE RPM packages, install source as above. Then:
242 This will create both binary and src RPMs in the usual places. Example:
244 /usr/src/packages/RPMS/i686/privoxy-2.9.13-1.i686.rpm
246 /usr/src/packages/SRPMS/privoxy-2.9.13-1.src.rpm
248 To install, of course:
250 rpm -Uvv /usr/src/packages/RPMS/i686/privoxy-2.9.13-1.i686.rpm
253 This will place the Privoxy configuration files in /etc/privoxy/, and log files
254 in /var/log/privoxy/.
256 -------------------------------------------------------------------------------
260 Privoxy is packaged in a WarpIN self- installing archive. The self-installing
261 program will be named depending on the release version, something like:
262 privoxyos2_setup_2.9.13.exe. In order to install it, simply run this executable
263 or double-click on its icon and follow the WarpIN installation panels. A shadow
264 of the Privoxy executable will be placed in your startup folder so it will
265 start automatically whenever OS/2 starts.
267 The directory you choose to install Privoxy into will contain all of the
270 If you would like to build binary images on OS/2 yourself, you will need a few
271 Unix-like tools: autoconf, autoheader and sh. These tools will be used to
272 create the required config.h file, which is not part of the source distribution
273 because it differs based on platform. You will also need a compiler. The
274 distribution has been created using IBM VisualAge compilers, but you can use
275 any compiler you like. GCC/EMX has the disadvantage of needing to be
276 single-threaded due to a limitation of EMX's implementation of the select()
279 In addition to needing the source code distribution as outlined earlier, you
280 will want to extract the os2seutp directory from CVS:
282 cvs -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa login
283 cvs -z3 -d:pserver:anonymous@cvs.ijbswa.sourceforge.net:/cvsroot/ijbswa co os2setup
286 This will create a directory named os2setup/, which will contain the
287 Makefile.vac makefile and os2build.cmd which is used to completely create the
288 binary distribution. The sequence of events for building the executable for
289 yourself goes something like this:
296 nmake -f Makefile.vac
299 You will see this sequence laid out in os2build.cmd.
301 -------------------------------------------------------------------------------
305 Click-click. (I need help on this. Not a clue here. Also for configuration
308 -------------------------------------------------------------------------------
312 Some quick notes on other Operating Systems.
314 For FreeBSD (and other *BSDs?), the build will require gmake instead of the
315 included make. gmake is available from http://www.gnu.org. The rest should be
316 the same as above for Linux/Unix.
318 -------------------------------------------------------------------------------
320 4. Quickstart to Using Privoxy
322 Before launching Privoxy for the first time, you will want to configure your
323 browser(s) to use Privoxy as a HTTP and HTTPS proxy. The default is localhost
324 for the proxy address, and port 8118 (earlier versions used port 800). This is
325 the one required configuration that must be done!
327 With Netscape (and Mozilla), this can be set under Edit -> Preferences ->
328 Advanced -> Proxies -> HTTP Proxy. For Internet Explorer: Tools -> Internet
329 Properties -> Connections -> LAN Setting. Then, check "Use Proxy" and fill in
330 the appropriate info (Address: localhost, Port: 8118). Include if HTTPS proxy
333 After doing this, flush your browser's disk and memory caches to force a
334 re-reading of all pages and get rid of any ads that may be cached. You are now
335 ready to start enjoying the benefits of using Privoxy.
337 Privoxy is typically started by specifying the main configuration file to be
338 used on the command line. Example Unix startup command:
341 # /usr/sbin/privoxy /etc/privoxy/config
345 An init script is provided for SuSE and Redhat.
347 For for SuSE: /etc/rc.d/privoxy start
349 For RedHat: /etc/rc.d/init.d/privoxy start
351 If no configuration file is specified on the command line, Privoxy will look
352 for a file named config in the current directory. Except on Win32 where it will
353 try config.txt. If no file is specified on the command line and no default
354 configuration file can be found, Privoxy will fail to start.
356 The included default configuration files should give a reasonable starting
357 point, though may be somewhat aggressive in blocking junk. Most of the per site
358 configuration is done in the "actions" files. These are where various cookie
359 actions are defined, ad and banner blocking, and other aspects of Privoxy
360 configuration. There are several such files included, with varying levels of
363 You will probably want to keep an eye out for sites that require persistent
364 cookies, and add these to default.action as needed. By default, most of these
365 will be accepted only during the current browser session, until you add them to
366 the configuration. If you want the browser to handle this instead, you will
367 need to edit default.action and disable this feature. If you use more than one
368 browser, it would make more sense to let Privoxy handle this. In which case,
369 the browser(s) should be set to accept all cookies.
371 Privoxy is HTTP/1.1 compliant, but not all 1.1 features are as yet implemented.
372 If browsers that support HTTP/1.1 (like Mozilla or recent versions of I.E.)
373 experience problems, you might try to force HTTP/1.0 compatibility. For
374 Mozilla, look under Edit -> Preferences -> Debug -> Networking. Or set the
375 "+downgrade" config option in default.action.
377 After running Privoxy for a while, you can start to fine tune the configuration
378 to suit your personal, or site, preferences and requirements. There are many,
379 many aspects that can be customized. "Actions" (as specified in default.action)
380 can be adjusted by pointing your browser to http://p.p/, and then follow the
381 link to "edit the actions list". (This is an internal page and does not require
384 In fact, various aspects of Privoxy configuration can be viewed from this page,
385 including current configuration parameters, source code version numbers, the
386 browser's request headers, and "actions" that apply to a given URL. In addition
387 to the default.action file editor mentioned above, Privoxy can also be turned
388 "on" and "off" from this page.
390 If you encounter problems, please verify it is a Privoxy bug, by disabling
391 Privoxy, and then trying the same page. Also, try another browser if possible
392 to eliminate browser or site problems. Before reporting it as a bug, see if
393 there is not a configuration option that is enabled that is causing the page
394 not to load. You can then add an exception for that page or site. For instance,
395 try adding it to the {fragile} section of default.action. This will turn off
396 most actions for this site. For more on troubleshooting problem sites, see the
397 Appendix. If a bug, please report it to the developers (see below).
399 -------------------------------------------------------------------------------
401 4.1. Command Line Options
403 Privoxy may be invoked with the following command-line options:
407 Print version info and exit, Unix only.
411 Print a short usage info and exit, Unix only.
415 Don't become a daemon, i.e. don't fork and become process group leader,
416 don't detach from controlling tty. Unix only.
420 On startup, write the process ID to FILE. Delete the FILE on exit. Failiure
421 to create or delete the FILE is non-fatal. If no FILE option is given, no
422 PID file will be used. Unix only.
424 * --user USER[.GROUP]
426 After (optionally) writing the PID file, assume the user ID of USER, and if
427 included the GID of GROUP. Exit if the privileges are not sufficient to do
432 If no configfile is included on the command line, Privoxy will look for a
433 file named "config" in the current directory (except on Win32 where it will
434 look for "config.txt" instead). Specify full path to avoid confusion.
436 -------------------------------------------------------------------------------
438 5. Privoxy Configuration
440 All Privoxy configuration is stored in text files. These files can be edited
441 with a text editor. Many important aspects of Privoxy can also be controlled
442 easily with a web browser.
444 -------------------------------------------------------------------------------
446 5.1. Controlling Privoxy with Your Web Browser
448 Privoxy can be reached by the special URL http://p.p/ (or alternately http://
449 config.privoxy.org/), which is an internal page. You will see the following
452 Please choose from the following options:
454 * Show information about the current configuration
455 * Show the source code version numbers
456 * Show the client's request headers.
457 * Show which actions apply to a URL and why
458 * Toggle Privoxy on or off
459 * Edit the actions list
463 This should be self-explanatory. Note the last item is an editor for the
464 "actions list", which is where much of the ad, banner, cookie, and URL blocking
465 magic is configured as well as other advanced features of Privoxy. This is an
466 easy way to adjust various aspects of Privoxy configuration. The actions file,
467 and other configuration files, are explained in detail below. Privoxy will
468 automatically detect any changes to these files.
470 "Toggle Privoxy On or Off" is handy for sites that might have problems with
471 your current actions and filters, or just to test if a site misbehaves, whether
472 it is Privoxy causing the problem or not. Privoxy continues to run as a proxy
473 in this case, but all filtering is disabled.
475 -------------------------------------------------------------------------------
477 5.2. Configuration Files Overview
479 For Unix, *BSD and Linux, all configuration files are located in /etc/privoxy/
480 by default. For MS Windows, OS/2, and AmigaOS these are all in the same
481 directory as the Privoxy executable. The name and number of configuration files
482 has changed from previous versions, and is subject to change as development
485 The installed defaults provide a reasonable starting point, though possibly
486 aggressive by some standards. For the time being, there are only three default
487 configuration files (this may change in time):
489 * The main configuration file is named config on Linux, Unix, BSD, OS/2, and
490 AmigaOS and config.txt on Windows.
492 * The default.action file is used to define various "actions" relating to
493 images, banners, pop-ups, access restrictions, banners and cookies. There
494 is a CGI based editor for this file that can be accessed via http://p.p.
495 (Other actions files are included as well with differing levels of
496 filtering and blocking, e.g. basic.action.)
498 * The default.filter file can be used to re-write the raw page content,
499 including viewable text as well as embedded HTML and JavaScript, and
500 whatever else lurks on any given web page.
502 default.action and default.filter can use Perl style regular expressions for
503 maximum flexibility. All files use the "#" character to denote a comment. Such
504 lines are not processed by Privoxy. After making any changes, there is no need
505 to restart Privoxy in order for the changes to take effect. Privoxy should
506 detect such changes automatically.
508 While under development, the configuration content is subject to change. The
509 below documentation may not be accurate by the time you read this. Also, what
510 constitutes a "default" setting, may change, so please check all your
511 configuration files on important issues.
513 -------------------------------------------------------------------------------
515 5.3. The Main Configuration File
517 Again, the main configuration file is named config on Linux/Unix/BSD and OS/2,
518 and config.txt on Windows. Configuration lines consist of an initial keyword
519 followed by a list of values, all separated by whitespace (any number of spaces
520 or tabs). For example:
522 blockfile blocklist.ini
525 Indicates that the blockfile is named "blocklist.ini". (A default installation
528 A "#" indicates a comment. Any part of a line following a "#" is ignored,
529 except if the "#" is preceded by a "\".
531 Thus, by placing a "#" at the start of an existing configuration line, you can
532 make it a comment and it will be treated as if it weren't there. This is called
533 "commenting out" an option and can be useful to turn off features: If you
534 comment out the "logfile" line, Privoxy will not log to a file at all. Watch
535 for the "default:" section in each explanation to see what happens if the
536 option is left unset (or commented out).
538 Long lines can be continued on the next line by using a "\" as the very last
541 There are various aspects of Privoxy behavior that can be tuned.
543 -------------------------------------------------------------------------------
545 5.3.1. Defining Other Configuration Files
547 Privoxy can use a number of other files to tell it what ads to block, what
548 cookies to accept, and perform other functions. This section of the
549 configuration file tells Privoxy where to find all those other files.
551 On Windows and AmigaOS, Privoxy looks for these files in the same directory as
552 the executable. On Unix and OS/2, Privoxy looks for these files in the current
553 working directory. In either case, an absolute path name can be used to avoid
556 When development goes modular and multi-user, the blocker, filter, and per-user
557 config will be stored in subdirectories of "confdir". For now, only confdir/
558 templates is used for storing HTML templates for CGI results.
560 The location of the configuration files:
562 confdir /etc/privoxy # No trailing /, please.
565 The directory where all logging (i.e. logfile and jarfile) takes place. No
566 trailing "/", please:
568 logdir /var/log/privoxy
571 Note that all file specifications below are relative to the above two
574 The "default.action" file contains patterns to specify the actions to apply to
575 requests for each site. Default: Cookies to and from all destinations are kept
576 only during the current browser session (i.e. they are not saved to disk).
577 Pop-ups are disabled for all sites. All sites are filtered through selected
578 sections of "default.filter". No sites are blocked. Privoxy displays a
579 checkboard type pattern for filtered ads and other images. The syntax of this
580 file is explained in detail below. Other "actions" files are included, and you
581 are free to use any of them. They have varying degrees of aggressiveness.
583 actionsfile default.action
586 The "default.filter" file contains content modification rules that use "regular
587 expressions". These rules permit powerful changes on the content of Web pages,
588 e.g., you could disable your favorite JavaScript annoyances, re-write the
589 actual displayed text, or just have some fun replacing "Microsoft" with
590 "MicroSuck" wherever it appears on a Web page. Default: whatever the developers
593 Filtering requires buffering the page content, which may appear to slow down
594 page rendering since nothing is displayed until all content has passed the
595 filters. (It does not really take longer, but seems that way since the page is
596 not incrementally displayed.) This effect will be more noticeable on slower
599 filterfile default.filter
602 The logfile is where all logging and error messages are written. The logfile
603 can be useful for tracking down a problem with Privoxy (e.g., it's not blocking
604 an ad you think it should block) but in most cases you probably will never look
607 Your logfile will grow indefinitely, and you will probably want to periodically
608 remove it. On Unix systems, you can do this with a cron job (see "man cron").
609 For Redhat, a logrotate script has been included.
611 On SuSE Linux systems, you can place a line like "/var/log/privoxy.* +1024k 644
612 nobody.nogroup" in /etc/logfiles, with the effect that cron.daily will
613 automatically archive, gzip, and empty the log, when it exceeds 1M size.
615 Default: Log to the a file named logfile. Comment out to disable logging.
620 The "jarfile" defines where Privoxy stores the cookies it intercepts. Note that
621 if you use a "jarfile", it may grow quite large. Default: Don't store
627 If you specify a "trustfile", Privoxy will only allow access to sites that are
628 named in the trustfile. You can also mark sites as trusted referrers, with the
629 effect that access to untrusted sites will be granted, if a link from a trusted
630 referrer was used. The link target will then be added to the "trustfile". This
631 is a very restrictive feature that typical users most probably want to leave
632 disabled. Default: Disabled, don't use the trust mechanism.
637 If you use the trust mechanism, it is a good idea to write up some on-line
638 documentation about your blocking policy and to specify the URL(s) here. They
639 will appear on the page that your users receive when they try to access
640 untrusted content. Use multiple times for multiple URLs. Default: Don't display
641 links on the "untrusted" info page.
643 trust-info-url http://www.example.com/why_we_block.html
644 trust-info-url http://www.example.com/what_we_allow.html
647 -------------------------------------------------------------------------------
649 5.3.2. Other Configuration Options
651 This part of the configuration file contains options that control how Privoxy
654 "Admin-address" should be set to the email address of the proxy administrator.
655 It is used in many of the proxy-generated pages. Default: fill@me.in.please.
657 #admin-address fill@me.in.please
660 "Proxy-info-url" can be set to a URL that contains more info about this Privoxy
661 installation, it's configuration and policies. It is used in many of the
662 proxy-generated pages and its use is highly recommended in multi-user
663 installations, since your users will want to know why certain content is
664 blocked or modified. Default: Don't show a link to on-line documentation.
666 proxy-info-url http://www.example.com/proxy.html
669 "Listen-address" specifies the address and port where Privoxy will listen for
670 connections from your Web browser. The default is to listen on the localhost
671 port 8118, and this is suitable for most users. (In your web browser, under
672 proxy configuration, list the proxy server as "localhost" and the port as
675 If you already have another service running on port 8118, or if you want to
676 serve requests from other machines (e.g. on your local network) as well, you
677 will need to override the default. The syntax is "listen-address
678 [<ip-address>]:<port>". If you leave out the IP address, Privoxy will bind to
679 all interfaces (addresses) on your machine and may become reachable from the
680 Internet. In that case, consider using access control lists (acl's) (see
681 "aclfile" above), or a firewall.
683 For example, suppose you are running Privoxy on a machine which has the address
684 192.168.0.1 on your local private network (192.168.0.0) and has another outside
685 connection with a different address. You want it to serve requests from inside
688 listen-address 192.168.0.1:8118
691 If you want it to listen on all addresses (including the outside connection):
696 If you do this, consider using ACLs (see "aclfile" above). Note: you will need
697 to point your browser(s) to the address and port that you have configured here.
698 Default: localhost:8118 (127.0.0.1:8118).
700 The debug option sets the level of debugging information to log in the logfile
701 (and to the console in the Windows version). A debug level of 1 is informative
702 because it will show you each request as it happens. Higher levels of debug are
703 probably only of interest to developers.
705 debug 1 # GPC = show each GET/POST/CONNECT request
706 debug 2 # CONN = show each connection status
707 debug 4 # IO = show I/O status
708 debug 8 # HDR = show header parsing
709 debug 16 # LOG = log all data into the logfile
710 debug 32 # FRC = debug force feature
711 debug 64 # REF = debug regular expression filter
712 debug 128 # = debug fast redirects
713 debug 256 # = debug GIF de-animation
714 debug 512 # CLF = Common Log Format
715 debug 1024 # = debug kill pop-ups
716 debug 4096 # INFO = Startup banner and warnings.
717 debug 8192 # ERROR = Non-fatal errors
720 It is highly recommended that you enable ERROR reporting (debug 8192), at least
721 until v3.0 is released.
723 The reporting of FATAL errors (i.e. ones which crash Privoxy) is always on and
726 If you want to use CLF (Common Log Format), you should set "debug 512" ONLY, do
727 not enable anything else.
729 Multiple "debug" directives, are OK - they're logical-OR'd together.
731 debug 15 # same as setting the first 4 listed above
738 debug 8192 # Errors - *we highly recommended enabling this*
741 Privoxy normally uses "multi-threading", a software technique that permits it
742 to handle many different requests simultaneously. In some cases you may wish to
743 disable this -- particularly if you're trying to debug a problem. The
744 "single-threaded" option forces Privoxy to handle requests sequentially.
745 Default: Multi-threaded mode.
750 "toggle" allows you to temporarily disable all Privoxy's filtering. Just set
753 The Windows version of Privoxy puts an icon in the system tray, which also
754 allows you to change this option. If you right-click on that icon (or select
755 the "Options" menu), one choice is "Enable". Clicking on enable toggles Privoxy
756 on and off. This is useful if you want to temporarily disable Privoxy, e.g., to
757 access a site that requires cookies which you would otherwise have blocked.
758 This can also be toggled via a web browser at the Privoxy internal address of
759 http://p.p on any platform.
761 "toggle 1" means Privoxy runs normally, "toggle 0" means that Privoxy becomes a
762 non-anonymizing non-blocking proxy. Default: 1 (on).
767 For content filtering, i.e. the "+filter" and "+deanimate-gif" actions, it is
768 necessary that Privoxy buffers the entire document body. This can be
769 potentially dangerous, since a server could just keep sending data indefinitely
770 and wait for your RAM to exhaust. With nasty consequences.
772 The buffer-limit option lets you set the maximum size in Kbytes that each
773 buffer may use. When the documents buffer exceeds this size, it is flushed to
774 the client unfiltered and no further attempt to filter the rest of it is made.
775 Remember that there may multiple threads running, which might require
776 increasing the "buffer-limit" Kbytes each, unless you have enabled
777 "single-threaded" above.
782 To enable the web-based default.action file editor set enable-edit-actions to
783 1, or 0 to disable. Note that you must have compiled Privoxy with support for
784 this feature, otherwise this option has no effect. This internal page can be
785 reached at http://p.p.
787 Security note: If this is enabled, anyone who can use the proxy can edit the
788 actions file, and their changes will affect all users. For shared proxies, you
789 probably want to disable this. Default: enabled.
791 enable-edit-actions 1
794 Allow Privoxy to be toggled on and off remotely, using your web browser. Set
795 "enable-remote-toggle"to 1 to enable, and 0 to disable. Note that you must have
796 compiled Privoxy with support for this feature, otherwise this option has no
799 Security note: If this is enabled, anyone who can use the proxy can toggle it
800 on or off (see http://p.p), and their changes will affect all users. For shared
801 proxies, you probably want to disable this. Default: enabled.
803 enable-remote-toggle 1
806 -------------------------------------------------------------------------------
808 5.3.3. Access Control List (ACL)
810 Access controls are included at the request of some ISPs and systems
811 administrators, and are not usually needed by individual users. Please note the
812 warnings in the FAQ that this proxy is not intended to be a substitute for a
813 firewall or to encourage anyone to defer addressing basic security weaknesses.
815 If no access settings are specified, the proxy talks to anyone that connects.
816 If any access settings file are specified, then the proxy talks only to IP
817 addresses permitted somewhere in this file and not denied later in this file.
819 Summary -- if using an ACL:
821 Client must have permission to receive service.
823 LAST match in ACL wins.
825 Default behavior is to deny service.
827 The syntax for an entry in the Access Control List is:
829 ACTION SRC_ADDR[/SRC_MASKLEN] [ DST_ADDR[/DST_MASKLEN] ]
832 Where the individual fields are:
834 ACTION = "permit-access" or "deny-access"
836 SRC_ADDR = client hostname or dotted IP address
837 SRC_MASKLEN = number of bits in the subnet mask for the source
839 DST_ADDR = server or forwarder hostname or dotted IP address
840 DST_MASKLEN = number of bits in the subnet mask for the target
843 The field separator (FS) is whitespace (space or tab).
845 IMPORTANT NOTE: If Privoxy is using a forwarder (see below) or a gateway for a
846 particular destination URL, the DST_ADDR that is examined is the address of the
847 forwarder or the gateway and NOT the address of the ultimate target. This is
848 necessary because it may be impossible for the local Privoxy to determine the
849 address of the ultimate target (that's often what gateways are used for).
851 Here are a few examples to show how the ACL features work:
853 "localhost" is OK -- no DST_ADDR implies that ALL destination addresses are OK:
855 permit-access localhost
858 A silly example to illustrate permitting any host on the class-C subnet with
859 Privoxy to go anywhere:
861 permit-access www.privoxy.com/24
864 Except deny one particular IP address from using it at all:
866 deny-access ident.privoxy.com
869 You can also specify an explicit network address and subnet mask. Explicit
870 addresses do not have to be resolved to be used.
872 permit-access 207.153.200.0/24
875 A subnet mask of 0 matches anything, so the next line permits everyone.
877 permit-access 0.0.0.0/0
880 Note, you cannot say:
885 to allow all *.org domains. Every IP address listed must resolve fully.
887 An ISP may want to provide a Privoxy that is accessible by "the world" and yet
888 restrict use of some of their private content to hosts on its internal network
889 (i.e. its own subscribers). Say, for instance the ISP owns the Class-B IP
890 address block 123.124.0.0 (a 16 bit netmask). This is how they could do it:
892 permit-access 0.0.0.0/0 0.0.0.0/0 # other clients can go anywhere
893 # with the following exceptions:
895 deny-access 0.0.0.0/0 123.124.0.0/16 # block all external requests for
896 # sites on the ISP's network
898 permit 0.0.0.0/0 www.my_isp.com # except for the ISP's main
901 permit 123.124.0.0/16 0.0.0.0/0 # the ISP's clients can go
905 Note that if some hostnames are listed with multiple IP addresses, the primary
906 value returned by DNS (via gethostbyname()) is used. Default: Anyone can access
909 -------------------------------------------------------------------------------
913 This feature allows chaining of HTTP requests via multiple proxies. It can be
914 used to better protect privacy and confidentiality when accessing specific
915 domains by routing requests to those domains to a special purpose filtering
916 proxy such as lpwa.com. Or to use a caching proxy to speed up browsing.
918 It can also be used in an environment with multiple networks to route requests
919 via multiple gateways allowing transparent access to multiple networks without
920 having to modify browser configurations.
922 Also specified here are SOCKS proxies. Privoxy SOCKS 4 and SOCKS 4A. The
923 difference is that SOCKS 4A will resolve the target hostname using DNS on the
924 SOCKS server, not our local DNS client.
926 The syntax of each line is:
928 forward target_domain[:port] http_proxy_host[:port]
929 forward-socks4 target_domain[:port] socks_proxy_host[:port] http_proxy_host[:
931 forward-socks4a target_domain[:port] socks_proxy_host[:port] http_proxy_host[:
935 If http_proxy_host is ".", then requests are not forwarded to a HTTP proxy but
936 are made directly to the web servers.
938 Lines are checked in sequence, and the last match wins.
940 There is an implicit line equivalent to the following, which specifies that
941 anything not finding a match on the list is to go out without forwarding or
942 gateway protocol, like so:
944 forward .* . # implicit
947 In the following common configuration, everything goes to Lucent's LPWA, except
948 SSL on port 443 (which it doesn't handle):
950 forward .* lpwa.com:8000
954 Some users have reported difficulties related to LPWA's use of "." as the last
955 element of the domain, and have said that this can be fixed with this:
957 forward lpwa. lpwa.com:8000
960 (NOTE: the syntax for specifying target_domain has changed since the previous
961 paragraph was written -- it will not work now. More information is welcome.)
963 In this fictitious example, everything goes via an ISP's caching proxy, except
964 requests to that ISP:
966 forward .* caching.myisp.net:8000
970 For the @home network, we're told the forwarding configuration is this:
972 forward .* proxy:8080
975 Also, we're told they insist on getting cookies and JavaScript, so you should
976 allow cookies from home.com. We consider JavaScript a potential security risk.
977 Java need not be enabled.
979 In this example direct connections are made to all "internal" domains, but
980 everything else goes through Lucent's LPWA by way of the company's SOCKS
981 gateway to the Internet.
983 forward-socks4 .* lpwa.com:8000 firewall.my_company.com:1080
984 forward my_company.com .
987 This is how you could set up a site that always uses SOCKS but no forwarders:
989 forward-socks4a .* . firewall.my_company.com:1080
992 An advanced example for network administrators:
994 If you have links to multiple ISPs that provide various special content to
995 their subscribers, you can configure forwarding to pass requests to the
996 specific host that's connected to that ISP so that everybody can see all of the
997 content on all of the ISPs.
999 This is a bit tricky, but here's an example:
1001 host-a has a PPP connection to isp-a.com. And host-b has a PPP connection to
1002 isp-b.com. host-a can run a Privoxy proxy with forwarding like this:
1005 forward isp-b.com host-b:8118
1008 host-b can run a Privoxy proxy with forwarding like this:
1011 forward isp-a.com host-a:8118
1014 Now, anyone on the Internet (including users on host-a and host-b) can set
1015 their browser's proxy to either host-a or host-b and be able to browse the
1016 content on isp-a or isp-b.
1018 Here's another practical example, for University of Kent at Canterbury students
1019 with a network connection in their room, who need to use the University's Squid
1022 forward *. ssbcache.ukc.ac.uk:3128 # Use the proxy, except for:
1023 forward .ukc.ac.uk . # Anything on the same domain as us
1024 forward * . # Host with no domain specified
1025 forward 129.12.*.* . # A dotted IP on our /16 network.
1026 forward 127.*.*.* . # Loopback address
1027 forward localhost.localdomain . # Loopback address
1028 forward www.ukc.mirror.ac.uk . # Specific host
1031 If you intend to chain Privoxy and squid locally, then chain as browser ->
1032 squid -> privoxy is the recommended way.
1034 Your squid configuration could then look like this (assuming that the IP
1035 address of the box is 192.168.0.1 ):
1037 # Define Privoxy as parent cache
1039 cache_peer 192.168.0.1 parent 8118 0 no-query
1041 # don't listen to the whole world
1042 http_port 192.168.0.1:3128
1044 # define the local lan
1045 acl mylocallan src 192.168.0.1-192.168.0.5/255.255.255.255
1047 # grant access for http to local lan
1048 http_access allow mylocallan
1050 # Define ACL for protocol FTP
1053 # Do not forward ACL FTP to privoxy
1054 always_direct allow FTP
1056 # Do not forward ACL CONNECT (https) to privoxy
1057 always_direct allow CONNECT
1059 # Forward the rest to privoxy
1060 never_direct allow all
1063 -------------------------------------------------------------------------------
1065 5.3.5. Windows GUI Options
1067 Privoxy has a number of options specific to the Windows GUI interface:
1069 If "activity-animation" is set to 1, the Privoxy icon will animate when
1070 "Privoxy" is active. To turn off, set to 0.
1072 activity-animation 1
1075 If "log-messages" is set to 1, Privoxy will log messages to the console window:
1080 If "log-buffer-size" is set to 1, the size of the log buffer, i.e. the amount
1081 of memory used for the log messages displayed in the console window, will be
1082 limited to "log-max-lines" (see below).
1084 Warning: Setting this to 0 will result in the buffer to grow infinitely and eat
1090 log-max-lines is the maximum number of lines held in the log buffer. See above.
1095 If "log-highlight-messages" is set to 1, Privoxy will highlight portions of the
1096 log messages with a bold-faced font:
1098 log-highlight-messages 1
1101 The font used in the console window:
1103 log-font-name Comic Sans MS
1106 Font size used in the console window:
1111 "show-on-task-bar" controls whether or not Privoxy will appear as a button on
1112 the Task bar when minimized:
1117 If "close-button-minimizes" is set to 1, the Windows close button will minimize
1118 Privoxy instead of closing the program (close with the exit option on the File
1121 close-button-minimizes 1
1124 The "hide-console" option is specific to the MS-Win console version of Privoxy.
1125 If this option is used, Privoxy will disconnect from and hide the command
1131 -------------------------------------------------------------------------------
1133 5.4. The Actions File
1135 The "default.action" file (formerly actionsfile or ijb.action) is used to
1136 define what actions Privoxy takes, and thus determines how ad images, cookies
1137 and various other aspects of HTTP content and transactions are handled. These
1138 can be accepted or rejected for all sites, or just those sites you choose. See
1139 below for a complete list of actions.
1141 Anything you want can blocked, including ads, banners, or just some obnoxious
1142 URL that you would rather not see. Cookies can be accepted or rejected, or
1143 accepted only during the current browser session (i.e. not written to disk).
1144 Changes to default.action should be immediately visible to Privoxy without the
1147 Note that some sites may misbehave, or possibly not work at all with some
1148 actions. This may require some tinkering with the rules to get the most mileage
1149 of Privoxy's features, and still be able to see and enjoy just what you want
1150 to. There is no general rule of thumb on these things. There just are too many
1151 variables, and sites are always changing.
1153 The easiest way to edit the "actions" file is with a browser by loading http://
1154 p.p/, and then select "Edit Actions List". A text editor can also be used.
1156 To determine which actions apply to a request, the URL of the request is
1157 compared to all patterns in this file. Every time it matches, the list of
1158 applicable actions for the URL is incrementally updated. You can trace this
1159 process by visiting http://p.p/show-url-info.
1161 There are four types of lines in this file: comments (begin with a "#"
1162 character), actions, aliases and patterns, all of which are explained below, as
1163 well as the configuration file syntax that Privoxy understands.
1165 -------------------------------------------------------------------------------
1167 5.4.1. URL Domain and Path Syntax
1169 Generally, a pattern has the form <domain>/<path>, where both the <domain> and
1170 <path> part are optional. If you only specify a domain part, the "/" can be
1173 www.example.com - is a domain only pattern and will match any request to
1176 www.example.com/ - means exactly the same.
1178 www.example.com/index.html - matches only the single document "/index.html" on
1181 /index.html - matches the document "/index.html", regardless of the domain. So
1182 would match any page named "index.html" on any site.
1184 index.html - matches nothing, since it would be interpreted as a domain name
1185 and there is no top-level domain called ".html".
1187 The matching of the domain part offers some flexible options: if the domain
1188 starts or ends with a dot, it becomes unanchored at that end. For example:
1190 .example.com - matches any domain or sub-domain that ENDS in ".example.com".
1192 www. - matches any domain that STARTS with "www".
1194 Additionally, there are wild-cards that you can use in the domain names
1195 themselves. They work pretty similar to shell wild-cards: "*" stands for zero
1196 or more arbitrary characters, "?" stands for any single character. And you can
1197 define character classes in square brackets and they can be freely mixed:
1199 ad*.example.com - matches "adserver.example.com", "ads.example.com", etc but
1200 not "sfads.example.com".
1202 *ad*.example.com - matches all of the above, and then some.
1204 .?pix.com - matches "www.ipix.com", "pictures.epix.com", "a.b.c.d.e.upix.com",
1207 www[1-9a-ez].example.com - matches "www1.example.com", "www4.example.com",
1208 "wwwd.example.com", "wwwz.example.com", etc., but not "wwww.example.com".
1210 If Privoxy was compiled with "pcre" support (the default), Perl compatible
1211 regular expressions can be used. These are more flexible and powerful than
1212 other types of "regular expressions". See the pcre/docs/ directory or "man
1213 perlre" (also available on http://www.perldoc.com/perl5.6/pod/perlre.html) for
1214 details. A brief discussion of regular expressions is in the Appendix. For
1217 /.*/advert[0-9]+\.jpe?g - would match a URL from any domain, with any path that
1218 includes "advert" followed immediately by one or more digits, then a "." and
1219 ending in either "jpeg" or "jpg". So we match "example.com/ads/advert2.jpg",
1220 and "www.example.com/ads/banners/advert39.jpeg", but not "www.example.com/ads/
1221 banners/advert39.gif" (no gifs in the example pattern).
1223 Please note that matching in the path is case INSENSITIVE by default, but you
1224 can switch to case sensitive at any point in the pattern by using the "(?-i)"
1227 www.example.com/(?-i)PaTtErN.* - will match only documents whose path starts
1228 with "PaTtErN" in exactly this capitalization.
1230 -------------------------------------------------------------------------------
1234 Actions are enabled if preceded with a "+", and disabled if preceded with a
1235 "-". Actions are invoked by enclosing the action name in curly braces (e.g.
1236 {+some_action}), followed by a list of URLs to which the action applies. There
1237 are three classes of actions:
1239 * Boolean (e.g. "+/-block"):
1241 {+name} # enable this action
1242 {-name} # disable this action
1245 * parameterized (e.g. "+/-hide-user-agent"):
1247 {+name{param}} # enable action and set parameter to "param"
1248 {-name} # disable action
1251 * Multi-value (e.g. "{+/-add-header{Name: value}}", "{+/-wafer{name=value}}
1254 {+name{param}} # enable action and add parameter "param"
1255 {-name{param}} # remove the parameter "param"
1256 {-name} # disable this action totally
1259 If nothing is specified in this file, no "actions" are taken. So in this case
1260 Privoxy would just be a normal, non-blocking, non-anonymizing proxy. You must
1261 specifically enable the privacy and blocking features you need (although the
1262 provided default default.action file will give a good starting point).
1264 Later defined actions always over-ride earlier ones. So exceptions to any rules
1265 you make, should come in the latter part of the file. For multi-valued actions,
1266 the actions are applied in the order they are specified.
1268 The list of valid Privoxy "actions" are:
1270 * Add the specified HTTP header, which is not checked for validity. You may
1271 specify this many times to specify many different headers:
1273 +add-header{Name: value}
1276 * Block this URL totally. In a default installation, a "blocked" URL will
1277 result in bright red banner that says "BLOCKED", with a reason why it is
1278 being blocked, and an option to see it anyway. The page displayed for this
1279 is the "blocked" template file.
1284 * De-animate all animated GIF images, i.e. reduce them to their last frame.
1285 This will also shrink the images considerably (in bytes, not pixels!). If
1286 the option "first" is given, the first frame of the animation is used as
1287 the replacement. If "last" is given, the last frame of the animation is
1288 used instead, which probably makes more sense for most banner animations,
1289 but also has the risk of not showing the entire last frame (if it is only a
1290 delta to an earlier frame).
1292 +deanimate-gifs{last}
1293 +deanimate-gifs{first}
1296 * "+downgrade" will downgrade HTTP/1.1 client requests to HTTP/1.0 and
1297 downgrade the responses as well. Use this action for servers that use HTTP/
1298 1.1 protocol features that Privoxy doesn't handle well yet. HTTP/1.1 is
1299 only partially implemented. Default is not to downgrade requests.
1304 * Many sites, like yahoo.com, don't just link to other sites. Instead, they
1305 will link to some script on their own server, giving the destination as a
1306 parameter, which will then redirect you to the final target. URLs resulting
1307 from this scheme typically look like: http://some.place/some_script?http://
1310 Sometimes, there are even multiple consecutive redirects encoded in the
1311 URL. These redirections via scripts make your web browsing more traceable,
1312 since the server from which you follow such a link can see where you go to.
1313 Apart from that, valuable bandwidth and time is wasted, while your browser
1314 ask the server for one redirect after the other. Plus, it feeds the
1317 The "+fast-redirects" option enables interception of these types of
1318 requests by Privoxy, who will cut off all but the last valid URL in the
1319 request and send a local redirect back to your browser without contacting
1320 the intermediate site(s).
1325 * Apply the filters in the section_header section of the default.filter file
1326 to the site(s). default.filter sections are grouped according to like
1327 functionality. Filters can be used to re-write any of the raw page content.
1328 This is a potentially a very powerful feature!
1330 +filter{section_header}
1333 Filter sections that are pre-defined in the supplied default.filter
1336 html-annoyances: Get rid of particularly annoying HTML abuse.
1338 js-annoyances: Get rid of particularly annoying JavaScript abuse
1340 no-poups: Kill all popups in JS and HTML
1342 frameset-borders: Give frames a border
1344 webbugs: Squish WebBugs (1x1 invisible GIFs used for user tracking)
1346 no-refresh: Automatic refresh sucks on auto-dialup lines
1348 fun: Text replacements for subversive browsing fun!
1350 nimda: Remove (virus) Nimda code.
1352 banners-by-size: Kill banners by size
1354 crude-parental: Kill all web pages that contain the words "sex" or
1357 * Block any existing X-Forwarded-for header, and do not add a new one:
1362 * If the browser sends a "From:" header containing your e-mail address, this
1363 either completely removes the header ("block"), or changes it to the
1364 specified e-mail address.
1367 +hide-from{spam@sittingduck.xqq}
1370 * Don't send the "Referer:" (sic) header to the web site. You can block it,
1371 forge a URL to the same server as the request (which is preferred because
1372 some sites will not send images otherwise) or set it to a constant, user
1373 defined string of your choice.
1375 +hide-referer{block}
1376 +hide-referer{forge}
1377 +hide-referer{http://nowhere.com}
1380 * Alternative spelling of "+hide-referer". It has the same parameters, and
1381 can be freely mixed with, "+hide-referer". ("referrer" is the correct
1382 English spelling, however the HTTP specification has a bug - it requires it
1383 to be spelled "referer".)
1388 * Change the "User-Agent:" header so web servers can't tell your browser
1389 type. Warning! This breaks many web sites. Specify the user-agent value you
1390 want. Example, pretend to be using Netscape on Linux:
1392 +hide-user-agent{Mozilla (X11; I; Linux 2.0.32 i586)}
1395 * Treat this URL as an image. This only matters if it's also "+block"ed, in
1396 which case a "blocked" image can be sent rather than a HTML page. See
1397 "+image-blocker{}" below for the control over what is actually sent. If you
1398 want invisible ads, they should be defined as images and blocked. And also,
1399 "image-blocker" should be set to "blank". Note you cannot treat HTML pages
1400 as images in most cases. For instance, frames require an HTML page to
1401 display. So a frame that is an ad, cannot be treated as an image. Forcing
1402 an "image" in this situation just will not work.
1407 * Decides what to do with URLs that end up tagged with "{+block +image}", e.g
1408 an advertizement. There are five options. "-image-blocker" will send a HTML
1409 "blocked" page, usually resulting in a "broken image" icon. "+image-blocker
1410 {blank}" will send a 1x1 transparent GIF image. And finally,
1411 "+image-blocker{http://xyz.com}" will send a HTTP temporary redirect to the
1412 specified image. This has the advantage of the icon being being cached by
1413 the browser, which will speed up the display. "+image-blocker{pattern}"
1414 will send a checkboard type pattern
1416 +image-blocker{blank}
1417 +image-blocker{pattern}
1418 +image-blocker{http://p.p/send-banner}
1421 * By default (i.e. in the absence of a "+limit-connect" action), Privoxy will
1422 only allow CONNECT requests to port 443, which is the standard port for
1423 https as a precaution.
1425 The CONNECT methods exists in HTTP to allow access to secure websites
1426 (https:// URLs) through proxies. It works very simply: the proxy connects
1427 to the server on the specified port, and then short-circuits its
1428 connections to the client and to the remote proxy. This can be a big
1429 security hole, since CONNECT-enabled proxies can be abused as TCP relays
1432 If you want to allow CONNECT for more ports than this, or want to forbid
1433 CONNECT altogether, you can specify a comma separated list of ports and
1434 port ranges (the latter using dashes, with the minimum defaulting to 0 and
1437 +limit-connect{443} # This is the default and need no be specified.
1438 +limit-connect{80,443} # Ports 80 and 443 are OK.
1439 +limit-connect{-3, 7, 20-100, 500-} # Port less than 3, 7, 20 to 100
1440 #and above 500 are OK.
1443 * "+no-compression" prevents the website from compressing the data. Some
1444 websites do this, which can be a problem for Privoxy, since "+filter",
1445 "+no-popup" and "+gif-deanimate" will not work on compressed data. This
1446 will slow down connections to those websites, though. Default is
1447 "no-compression" is turned on.
1452 * If the website sets cookies, "no-cookies-keep" will make sure they are
1453 erased when you exit and restart your web browser. This makes profiling
1454 cookies useless, but won't break sites which require cookies so that you
1455 can log in for transactions. Default: on.
1460 * Prevent the website from reading cookies:
1465 * Prevent the website from setting cookies:
1470 * Filter the website through a built-in filter to disable those obnoxious
1471 JavaScript pop-up windows via window.open(), etc. The two alternative
1472 spellings are equivalent.
1478 * This action only applies if you are using a jarfile for saving cookies. It
1479 sends a cookie to every site stating that you do not accept any copyright
1480 on cookies sent to you, and asking them not to track you. Of course, this
1481 is a (relatively) unique header they could use to track you.
1486 * This allows you to add an arbitrary cookie. It can be specified multiple
1487 times in order to add as many cookies as you like.
1492 The meaning of any of the above is reversed by preceding the action with a "-",
1493 in place of the "+".
1497 Turn off cookies by default, then allow a few through for specified sites:
1499 # Turn off all persistent cookies
1500 { +no-cookies-read }
1502 # Allow cookies for this browser session ONLY
1503 { +no-cookies-keep }
1505 # Exceptions to the above, sites that benefit from persistent cookies
1506 { -no-cookies-read }
1508 { -no-cookies-keep }
1515 # Alternative way of saying the same thing
1516 {-no-cookies-set -no-cookies-read -no-cookies-keep}
1521 Now turn off "fast redirects", and then we allow two exceptions:
1526 # Reverse it for these two sites, which don't work right without it.
1528 www.ukc.ac.uk/cgi-bin/wac\.cgi\?
1532 Turn on page filtering according to rules in the defined sections of
1533 refilterfile, and make one exception for sourceforge:
1535 # Run everything through the filter file, using only the
1536 # specified sections:
1537 +filter{html-annoyances} +filter{js-annoyances} +filter{no-popups}\
1538 +filter{webbugs} +filter{nimda} +filter{banners-by-size}
1540 # Then disable filtering of code from sourceforge!
1542 .cvs.sourceforge.net
1545 Now some URLs that we want "blocked" (normally generates the "blocked" banner).
1546 Many of these use regular expressions that will expand to match multiple URLs:
1550 /.*/(.*[-_.])?ads?[0-9]?(/|[-_.].*|\.(gif|jpe?g))
1551 /.*/(.*[-_.])?count(er)?(\.cgi|\.dll|\.exe|[?/])
1552 /.*/(ng)?adclient\.cgi
1553 /.*/(plain|live|rotate)[-_.]?ads?/
1554 /.*/(sponsor)s?[0-9]?/
1555 /.*/_?(plain|live)?ads?(-banners)?/
1557 /.*/ad(sdna_image|gifs?)/
1558 /.*/ad(server|stream|juggler)\.(cgi|pl|dll|exe)
1562 /.*/adv((er)?ts?|ertis(ing|ements?))?/
1566 /.*/cgi-bin/centralad/getimage
1567 /.*/images/addver\.gif
1568 /.*/images/marketing/.*\.(gif|jpe?g)
1572 /.*/sponsors?[0-9]?/
1573 /.*/advert[0-9]+\.jpg
1580 /graphics/defaultAd/
1582 /image\.ng/transactionID
1583 /images/.*/.*_anim\.gif # alvin brattli
1584 /ip_img/.*\.(gif|jpe?g)
1588 /cgi-bin/nph-adclick.exe/
1589 /.*/Image/BannerAdvertising/
1591 /.*/adlib/server\.cgi
1595 Note that many of these actions have the potential to cause a page to
1596 misbehave, possibly even not to display at all. There are many ways a site
1597 designer may choose to design his site, and what HTTP header content he may
1598 depend on. There is no way to have hard and fast rules for all sites. See the
1599 Appendix for a brief example on troubleshooting actions.
1601 -------------------------------------------------------------------------------
1605 Custom "actions", known to Privoxy as "aliases", can be defined by combining
1606 other "actions". These can in turn be invoked just like the built-in "actions".
1607 Currently, an alias can contain any character except space, tab, "=", "{" or "}
1608 ". But please use only "a"- "z", "0"-"9", "+", and "-". Alias names are not
1609 case sensitive, and must be defined before anything else in the
1610 default.actionfile! And there can only be one set of "aliases" defined.
1612 Now let's define a few aliases:
1614 # Useful custom aliases we can use later. These must come first!
1616 +no-cookies = +no-cookies-set +no-cookies-read
1617 -no-cookies = -no-cookies-set -no-cookies-read
1619 -block -no-cookies -filter -fast-redirects -hide-referer -no-popups
1620 shop = -no-cookies -filter -fast-redirects
1621 +imageblock = +block +image
1623 #For people who don't like to type too much: ;-)
1626 c2 = -no-cookies-set +no-cookies-read
1627 c3 = +no-cookies-set -no-cookies-read
1628 #... etc. Customize to your heart's content.
1631 Some examples using our "shop" and "fragile" aliases from above:
1633 # These sites are very complex and require
1634 # minimal interference.
1636 .office.microsoft.com
1637 .windowsupdate.microsoft.com
1640 # Shopping sites - still want to block ads.
1643 .worldpay.com # for quietpc.com
1647 # These shops require pop-ups
1653 The "shop" and "fragile" aliases are often used for "problem" sites that
1654 require most actions to be disabled in order to function properly.
1656 -------------------------------------------------------------------------------
1658 5.5. The Filter File
1660 Any web page can be dynamically modified with the filter file. This
1661 modification can be removal, or re-writing, of any web page content, including
1662 tags and non-visible content. The default filter file is default.filter,
1663 located in the config directory.
1665 This is potentially a very powerful feature, and requires knowledge of both
1666 "regular expression" and HTML in order create custom filters. But, there are a
1667 number of useful filters included with Privoxy for many common situations.
1669 The included example file is divided into sections. Each section begins with
1670 the FILTER keyword, followed by the identifier for that section, e.g. "FILTER:
1671 webbugs". Each section performs a similar type of filtering, such as
1674 This file uses regular expressions to alter or remove any string in the target
1675 page. The expressions can only operate on one line at a time. Some examples
1676 from the included default default.filter:
1678 Stop web pages from displaying annoying messages in the status bar by deleting
1681 FILTER: html-annoyances
1683 # New browser windows should be resizeable and have a location and status
1686 s/resizable="?(no|0)"?/resizable=1/ig s/noresize/yesresize/ig
1687 s/location="?(no|0)"?/location=1/ig s/status="?(no|0)"?/status=1/ig
1688 s/scrolling="?(no|0|Auto)"?/scrolling=1/ig
1689 s/menubar="?(no|0)"?/menubar=1/ig
1691 # The <BLINK> tag was a crime!
1693 s*<blink>|</blink>**ig
1697 #s/framespacing="?(no|0)"?//ig
1698 #s/margin(height|width)=[0-9]*//gi
1701 Just for kicks, replace any occurrence of "Microsoft" with "MicroSuck", and
1702 have a little fun with topical buzzwords:
1706 s/microsoft(?!.com)/MicroSuck/ig
1710 s/industry-leading|cutting-edge|award-winning/<font color=red><b>BINGO!</b></
1714 Kill those pesky little web-bugs:
1716 # webbugs: Squish WebBugs (1x1 invisible GIFs used for user tracking)
1719 s/<img\s+[^>]*?(width|height)\s*=\s*['"]?1\D[^>]*?(width|height)\s*=\s*['"]?1
1720 (\D[^>]*?)?>/<!-- Squished WebBug -->/sig
1723 -------------------------------------------------------------------------------
1727 When Privoxy displays one of its internal pages, such as a 404 Not Found error
1728 page, it uses the appropriate template. On Linux, BSD, and Unix, these are
1729 located in /etc/privoxy/templates by default. These may be customized, if
1732 The default "Blocked" banner page with the bright red top banner, is called
1733 just "blocked". This may be customized or replaced with something else if
1736 -------------------------------------------------------------------------------
1738 6. Contacting the Developers, Bug Reporting and Feature Requests
1740 We value your feedback. However, to provide you with the best support, please
1743 * Use the Sourceforge Support Forum to get help:
1745 http://sourceforge.net/tracker/?group_id=11118&atid=211118
1748 * Submit bugs only through our Sourceforge Bug Forum:
1750 http://sourceforge.net/tracker/?group_id=11118&atid=111118.
1753 Make sure that the bug has not already been submitted. Please try to verify
1754 that it is a Privoxy bug, and not a browser or site bug first. If you are
1755 using your own custom configuration, please try the stock configs to see if
1756 the problem is a configuration related bug. And if not using the latest
1757 development snapshot, please try the latest one. Or even better, CVS
1758 sources. Please be sure to include the Privoxy/Junkbuster version,
1759 platform, browser, any pertinent log data, any other relevant details
1760 (please be specific) and, if possible, some way to reproduce the bug.
1762 * Submit feature requests only through our Sourceforge feature request
1765 http://sourceforge.net/tracker/?atid=361118&group_id=11118&func=browse.
1768 * For any other issues, feel free to use the mailing lists:
1770 http://sourceforge.net/mail/?group_id=11118.
1773 Anyone interested in actively participating in development and related
1774 discussions can also join the appropriate mailing list. Archives are
1777 -------------------------------------------------------------------------------
1779 7. Copyright and History
1783 Privoxy is free software; you can redistribute it and/or modify it under the
1784 terms of the GNU General Public License as published by the Free Software
1785 Foundation; either version 2 of the License, or (at your option) any later
1788 This program is distributed in the hope that it will be useful, but WITHOUT ANY
1789 WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
1790 PARTICULAR PURPOSE. See the GNU General Public License for more details, which
1791 is available from the Free Software Foundation, Inc, 59 Temple Place - Suite
1792 330, Boston, MA 02111-1307, USA.
1794 You should have received a copy of the GNU General Public License along with
1795 this program; if not, write to the Free Software Foundation, Inc., 59 Temple
1796 Place, Suite 330, Boston, MA 02111-1307 USA.
1798 -------------------------------------------------------------------------------
1802 Privoxy is evolved, and derived from, the Internet Junkbuster, with many
1803 improvments and enhancements over the original.
1805 Junkbuster was originally written by Anonymous Coders and Junkbuster's
1806 Corporation, and was released as free open-source software under the GNU GPL.
1807 Stefan Waldherr made many improvements, and started the SourceForge project
1808 Privoxy to rekindle development. There are now several active developers
1809 contributing. The last stable release of Junkbuster was v2.0.2, which has now
1812 -------------------------------------------------------------------------------
1816 Other references and sites of interest to Privoxy users:
1818 http://www.privoxy.org/, The Privoxy Home page.
1820 http://sourceforge.net/projects/ijbswa, the Project Page for Privoxy on
1823 http://p.p/, access Privoxy from your browser. Alternately, http://
1824 config.privoxy.org may work in some situations where the first does not.
1826 http://www.junkbusters.com/ht/en/cookies.html
1828 http://www.waldherr.org/junkbuster/
1830 http://privacy.net/analyze/
1832 http://www.squid-cache.org/
1836 -------------------------------------------------------------------------------
1840 9.1. Regular Expressions
1842 Privoxy can use "regular expressions" in various config files. Assuming support
1843 for "pcre" (Perl Compatible Regular Expressions) is compiled in, which is the
1844 default. Such configuration directives do not require regular expressions, but
1845 they can be used to increase flexibility by matching a pattern with wild-cards
1848 If you are reading this, you probably don't understand what "regular
1849 expressions" are, or what they can do. So this will be a very brief
1850 introduction only. A full explanation would require a book ;-)
1852 "Regular expressions" is a way of matching one character expression against
1853 another to see if it matches or not. One of the "expressions" is a literal
1854 string of readable characters (letter, numbers, etc), and the other is a
1855 complex string of literal characters combined with wild-cards, and other
1856 special characters, called meta-characters. The "meta-characters" have special
1857 meanings and are used to build the complex pattern to be matched against. Perl
1858 Compatible Regular Expressions is an enhanced form of the regular expression
1859 language with backward compatibility.
1861 To make a simple analogy, we do something similar when we use wild-card
1862 characters when listing files with the dir command in DOS. *.* matches all
1863 filenames. The "special" character here is the asterisk which matches any and
1864 all characters. We can be more specific and use ? to match just individual
1865 characters. So "dir file?.text" would match "file1.txt", "file2.txt", etc. We
1866 are pattern matching, using a similar technique to "regular expressions"!
1868 Regular expressions do essentially the same thing, but are much, much more
1869 powerful. There are many more "special characters" and ways of building complex
1870 patterns however. Let's look at a few of the common ones, and then some
1873 . - Matches any single character, e.g. "a", "A", "4", ":", or "@".
1875 ? - The preceding character or expression is matched ZERO or ONE times. Either/
1878 + - The preceding character or expression is matched ONE or MORE times.
1880 * - The preceding character or expression is matched ZERO or MORE times.
1882 \ - The "escape" character denotes that the following character should be taken
1883 literally. This is used where one of the special characters (e.g. ".") needs to
1884 be taken literally and not as a special meta-character.
1886 [] - Characters enclosed in brackets will be matched if any of the enclosed
1887 characters are encountered.
1889 () - parentheses are used to group a sub-expression, or multiple
1892 | - The "bar" character works like an "or" conditional statement. A match is
1893 successful if the sub-expression on either side of "|" matches.
1895 s/string1/string2/g - This is used to rewrite strings of text. "string1" is
1896 replaced by "string2" in this example.
1898 These are just some of the ones you are likely to use when matching URLs with
1899 Privoxy, and is a long way from a definitive list. This is enough to get us
1900 started with a few simple examples which may be more illuminating:
1902 /.*/banners/.* - A simple example that uses the common combination of "." and "
1903 *" to denote any character, zero or more times. In other words, any string at
1904 all. So we start with a literal forward slash, then our regular expression
1905 pattern (".*") another literal forward slash, the string "banners", another
1906 forward slash, and lastly another ".*". We are building a directory path here.
1907 This will match any file with the path that has a directory named "banners" in
1908 it. The ".*" matches any characters, and this could conceivably be more forward
1909 slashes, so it might expand into a much longer looking path. For example, this
1910 could match: "/eye/hate/spammers/banners/annoy_me_please.gif", or just "/
1911 banners/annoying.html", or almost an infinite number of other possible
1912 combinations, just so it has "banners" in the path somewhere.
1914 A now something a little more complex:
1916 /.*/adv((er)?ts?|ertis(ing|ements?))?/ - We have several literal forward
1917 slashes again ("/"), so we are building another expression that is a file path
1918 statement. We have another ".*", so we are matching against any conceivable
1919 sub-path, just so it matches our expression. The only true literal that must
1920 match our pattern is adv, together with the forward slashes. What comes after
1921 the "adv" string is the interesting part.
1923 Remember the "?" means the preceding expression (either a literal character or
1924 anything grouped with "(...)" in this case) can exist or not, since this means
1925 either zero or one match. So "((er)?ts?|ertis(ing|ements?))" is optional, as
1926 are the individual sub-expressions: "(er)", "(ing|ements?)", and the "s". The "
1927 |" means "or". We have two of those. For instance, "(ing|ements?)", can expand
1928 to match either "ing" OR "ements?". What is being done here, is an attempt at
1929 matching as many variations of "advertisement", and similar, as possible. So
1930 this would expand to match just "adv", or "advert", or "adverts", or
1931 "advertising", or "advertisement", or "advertisements". You get the idea. But
1932 it would not match "advertizements" (with a "z"). We could fix that by changing
1933 our regular expression to: "/.*/adv((er)?ts?|erti(s|z)(ing|ements?))?/", which
1934 would then match either spelling.
1936 /.*/advert[0-9]+\.(gif|jpe?g) - Again another path statement with forward
1937 slashes. Anything in the square brackets "[]" can be matched. This is using
1938 "0-9" as a shorthand expression to mean any digit one through nine. It is the
1939 same as saying "0123456789". So any digit matches. The "+" means one or more of
1940 the preceding expression must be included. The preceding expression here is
1941 what is in the square brackets -- in this case, any digit one through nine.
1942 Then, at the end, we have a grouping: "(gif|jpe?g)". This includes a "|", so
1943 this needs to match the expression on either side of that bar character also. A
1944 simple "gif" on one side, and the other side will in turn match either "jpeg"
1945 or "jpg", since the "?" means the letter "e" is optional and can be matched
1946 once or not at all. So we are building an expression here to match image GIF or
1947 JPEG type image file. It must include the literal string "advert", then one or
1948 more digits, and a "." (which is now a literal, and not a special character,
1949 since it is escaped with "\"), and lastly either "gif", or "jpeg", or "jpg".
1950 Some possible matches would include: "//advert1.jpg", "/nasty/ads/
1951 advert1234.gif", "/banners/from/hell/advert99.jpg". It would not match
1952 "advert1.gif" (no leading slash), or "/adverts232.jpg" (the expression does not
1953 include an "s"), or "/advert1.jsp" ("jsp" is not in the expression anywhere).
1955 s/microsoft(?!.com)/MicroSuck/i - This is a substitution. "MicroSuck" will
1956 replace any occurrence of "microsoft". The "i" at the end of the expression
1957 means ignore case. The "(?!.com)" means the match should fail if "microsoft" is
1958 followed by ".com". In other words, this acts like a "NOT" modifier. In case
1959 this is a hyperlink, we don't want to break it ;-).
1961 We are barely scratching the surface of regular expressions here so that you
1962 can understand the default Privoxy configuration files, and maybe use this
1963 knowledge to customize your own installation. There is much, much more that can
1964 be done with regular expressions. Now that you know enough to get started, you
1965 can learn more on your own :/
1967 More reading on Perl Compatible Regular expressions: http://www.perldoc.com/
1968 perl5.6/pod/perlre.html
1970 -------------------------------------------------------------------------------
1972 9.2. Privoxy's Internal Pages
1974 Since Privoxy proxies each requested web page, it is easy for Privoxy to trap
1975 certain special URLs. In this way, we can talk directly to Privoxy, and see how
1976 it is configured, see how our rules are being applied, change these rules and
1977 other configuration options, and even turn Privoxy's filtering off, all with a
1980 The URLs listed below are the special ones that allow direct access to Privoxy.
1981 Of course, Privoxy must be running to access these. If not, you will get a
1982 friendly error message. Internet access is not necessary either.
1984 * Privoxy main page:
1986 http://config.privoxy.org/
1988 Alternately, this may be reached at http://p.p/, but this variation may not
1989 work as reliably as the above in some configurations.
1991 * Show information about the current configuration:
1993 http://config.privoxy.org/show-status
1995 * Show the source code version numbers:
1997 http://config.privoxy.org/show-version
1999 * Show the client's request headers:
2001 http://config.privoxy.org/show-request
2003 * Show which actions apply to a URL and why:
2005 http://config.privoxy.org/show-url-info
2007 * Toggle Privoxy on or off. In this case, "Privoxy" continues to run, but
2008 only as a pass-through proxy, with no actions taking place:
2010 http://config.privoxy.org/toggle
2012 Short cuts. Turn off, then on:
2014 http://config.privoxy.org/toggle?set=disable
2016 http://config.privoxy.org/toggle?set=enable
2018 * Edit the actions list file:
2020 http://config.privoxy.org/edit-actions
2022 These may be bookmarked for quick reference.
2024 -------------------------------------------------------------------------------
2028 Here are some bookmarklets to allow you to easily access a "mini" version of
2029 this page. They are designed for MS Internet Explorer, but should work equally
2030 well in Netscape, Mozilla, and other browsers which support JavaScript. They
2031 are designed to run directly from your bookmarks - not by clicking the links
2032 below (although that will work for testing).
2034 To save them, right-click the link and choose "Add to Favorites" (IE) or "Add
2035 Bookmark" (Netscape). You will get a warning that the bookmark "may not be
2036 safe" - just click OK. Then you can run the Bookmarklet directly from your
2037 favourites/bookmarks. For even faster access, you can put them on the "Links"
2038 bar (IE) or the "Personal Toolbar" (Netscape), and run them with a single
2045 * Toggle Privoxy (Toggles between enabled and disabled)
2047 * View Privoxy Status
2049 Credit: The site which gave me the general idea for these bookmarklets is
2050 www.bookmarklets.com. They have more information about bookmarklets.
2052 -------------------------------------------------------------------------------
2054 9.3. Anatomy of an Action
2056 The way Privoxy applies "actions" and "filters" to any given URL can be
2057 complex, and not always so easy to understand what is happening. And sometimes
2058 we need to be able to see just what Privoxy is doing. Especially, if something
2059 Privoxy is doing is causing us a problem inadvertantly. It can be a little
2060 daunting to look at the actions and filters files themselves, since they tend
2061 to be filled with "regular expressions" whose consequences are not always so
2062 obvious. Privoxy provides the http://config.privoxy.org/show-url-info page that
2063 can show us very specifically how actions are being applied to any given URL.
2064 This is a big help for troubleshooting.
2066 First, enter one URL (or partial URL) at the prompt, and then Privoxy will tell
2067 us how the current configuration will handle it. This will not help with
2068 filtering effects from the default.filter file! It also will not tell you about
2069 any other URLs that may be embedded within the URL you are testing. For
2070 instance, images such as ads are expressed as URLs within the raw page source
2071 of HTML pages. So you will only get info for the actual URL that is pasted into
2072 the prompt area -- not any sub-URLs. If you want to know about embedded URLs
2073 like ads, you will have to dig those out of the HTML source. Use your browser's
2074 "View Page Source" option for this. Or right click on the ad, and grab the URL.
2076 Let's look at an example, google.com, one section at a time:
2078 System default actions:
2080 { -add-header -block -deanimate-gifs -downgrade -fast-redirects -filter
2081 -hide-forwarded -hide-from -hide-referer -hide-user-agent -image
2082 -image-blocker -limit-connect -no-compression -no-cookies-keep
2083 -no-cookies-read -no-cookies-set -no-popups -vanilla-wafer -wafer }
2087 This is the top section, and only tells us of the compiled in defaults. This is
2088 basically what Privoxy would do if there were not any "actions" defined, i.e.
2089 it does nothing. Every action is disabled. This is not particularly informative
2090 for our purposes here. OK, next section:
2092 Matches for http://google.com:
2094 { -add-header -block +deanimate-gifs -downgrade +fast-redirects
2095 +filter{html-annoyances} +filter{js-annoyances} +filter{no-popups}
2096 +filter{webbugs} +filter{nimda} +filter{banners-by-size} +filter{hal}
2097 +filter{fun} +hide-forwarded +hide-from{block} +hide-referer{forge}
2098 -hide-user-agent -image +image-blocker{blank} +no-compression
2099 +no-cookies-keep -no-cookies-read -no-cookies-set +no-popups
2100 -vanilla-wafer -wafer }
2103 { -no-cookies-keep -no-cookies-read -no-cookies-set }
2111 This is much more informative, and tells us how we have defined our "actions",
2112 and which ones match for our example, "google.com". The first grouping shows
2113 our default settings, which would apply to all URLs. If you look at your
2114 "actions" file, this would be the section just below the "aliases" section near
2115 the top. This applies to all URLs as signified by the single forward slash -- "
2118 These are the default actions we have enabled. But we can define additional
2119 actions that would be exceptions to these general rules, and then list specific
2120 URLs that these exceptions would apply to. Last match wins. Just below this
2121 then are two explict matches for ".google.com". The first is negating our
2122 various cookie blocking actions (i.e. we will allow cookies here). The second
2123 is allowing "fast-redirects". Note that there is a leading dot here --
2124 ".google.com". This will match any hosts and sub-domains, in the google.com
2125 domain also, such as "www.google.com". So, apparently, we have these actions
2126 defined somewhere in the lower part of our actions file, and "google.com" is
2127 referenced in these sections.
2129 And now we pull it altogether in the bottom section and summarize how Privoxy
2130 is appying all its "actions" to "google.com":
2134 -add-header -block -deanimate-gifs -downgrade -fast-redirects
2135 +filter{html-annoyances} +filter{js-annoyances} +filter{no-popups}
2136 +filter{webbugs} +filter{nimda} +filter{banners-by-size} +filter{hal}
2137 +filter{fun} +hide-forwarded +hide-from{block} +hide-referer{forge}
2138 -hide-user-agent -image +image-blocker{blank} -limit-connect +no-compression
2139 -no-cookies-keep -no-cookies-read -no-cookies-set +no-popups -vanilla-wafer
2144 Now another example, "ad.doubleclick.net":
2157 We'll just show the interesting part here, the explicit matches. It is matched
2158 three different times. Each as an "+block +image", which is the expanded form
2159 of one of our aliases that had been defined as: "+imageblock". ("Aliases" are
2160 defined in the first section of the actions file and typically used to combine
2161 more than one action.)
2163 Any one of these would have done the trick and blocked this as an unwanted
2164 image. This is unnecessarily redundant since the last case effectively would
2165 also cover the first. No point in taking chances with these guys though ;-)
2166 Note that if you want an ad or obnoxious URL to be invisible, it should be
2167 defined as "ad.doubleclick.net" is done here -- as both a "+block" and an
2168 "+image". The custom alias "+imageblock" does this for us.
2170 One last example. Let's try "http://www.rhapsodyk.net/adsl/HOWTO/". This one is
2171 giving us problems. We are getting a blank page. Hmmm...
2173 Matches for http://www.rhapsodyk.net/adsl/HOWTO/:
2175 { -add-header -block +deanimate-gifs -downgrade +fast-redirects
2176 +filter{html-annoyances} +filter{js-annoyances} +filter{no-popups}
2177 +filter{webbugs} +filter{nimda} +filter{banners-by-size} +filter{hal}
2178 +filter{fun} +hide-forwarded +hide-from{block} +hide-referer{forge}
2179 -hide-user-agent -image +image-blocker{blank} +no-compression
2180 +no-cookies-keep -no-cookies-read -no-cookies-set +no-popups
2181 -vanilla-wafer -wafer }
2189 Ooops, the "/adsl/" is matching "/ads"! But we did not want this at all! Now we
2190 see why we get the blank page. We could now add a new action below this that
2191 explictly does not block (-block) pages with "adsl". There are various ways to
2192 handle such exceptions. Example:
2199 Now the page displays ;-) Be sure to flush your browser's caches when making
2200 such changes. Or, try using Shift+Reload.
2202 But now what about a situation where we get no explicit matches like we did
2210 That actually was very telling and pointed us quickly to where the problem was.
2211 If you don't get this kind of match, then it means one of the default rules in
2212 the first section is causing the problem. This would require some guesswork,
2213 and maybe a little trial and error to isolate the offending rule. One likely
2214 cause would be one of the "{+filter}" actions. Try adding the URL for the site
2215 to one of aliases that turn off "+filter":
2219 .worldpay.com # for quietpc.com
2226 "{shop}" is an "alias" that expands to "{ -filter -no-cookies -no-cookies-keep
2227 }". Or you could do your own exception to negate filtering:
2234 "{fragile}" is an alias that disables most actions. This can be used as a last
2235 resort for problem sites. Remember to flush caches! If this still does not
2236 work, you will have to go through the remaining actions one by one to find
2237 which one(s) is causing the problem.