By default, the main configuration file is named config, with the exception of Windows, where it is named config.txt. Configuration lines consist of an initial keyword followed by a list of values, all separated by whitespace (any number of spaces or tabs). For example:
confdir /etc/privoxy
Assigns the value /etc/privoxy to the option confdir and thus indicates that the configuration directory is named "/etc/privoxy/".
All options in the config file except for confdir and logdir are optional. Watch the descriptions below for what happens if you leave them unset.
The main config file controls all aspects of Privoxy's operation that are not location dependent (i.e. they apply universally, no matter where you may be surfing). Like the filter and action files, the config file is a plain text file and can be modified with a text editor like emacs, vim or notepad.exe.
If you intend to operate Privoxy for more users than just yourself, it might be a good idea to let them know how to reach you, what you block and why you do that, your policies, etc.
Location of the Privoxy User Manual.
A fully qualified URI
Unset
https://www.privoxy.org/version/user-manual/ will be used, where version is the Privoxy version.
The User Manual URI is the single best source of information on Privoxy, and is used for help links from some of the internal CGI pages. The manual itself is normally packaged with the binary distributions, so you probably want to set this to a locally installed copy.
Examples:
The best all purpose solution is simply to put the full local PATH to where the User Manual is located:
user-manual /usr/share/doc/privoxy/user-manual
The User Manual is then available to anyone with access to Privoxy, by following the built-in URL: http://config.privoxy.org/user-manual/ (or the shortcut: http://p.p/user-manual/).
If the documentation is not on the local system, it can be accessed from a remote server, as:
user-manual http://example.com/privoxy/user-manual/
Warning
If set, this option should be the first option in the config file, because it is used while the config file is being read on start-up.
A URL to be displayed in the error page that users will see if access to an untrusted page is denied.
URL
Unset
No links are displayed on the "untrusted" error page.
The value of this option only matters if the experimental trust mechanism has been activated. (See trustfile below.)
If you use the trust mechanism, it is a good idea to write up some on-line documentation about your trust policy and to specify the URL(s) here. Use multiple times for multiple URLs.
The URL(s) should be added to the trustfile as well, so users don't end up locked out from the information on why they were locked out in the first place!
An email address to reach the Privoxy administrator.
Email address
Unset
No email address is displayed on error pages and the CGI user interface.
If both admin-address and proxy-info-url are unset, the whole "Local Privoxy Support" box on all generated pages will not be shown.
A URL to documentation about the local Privoxy setup, configuration or policies.
URL
Unset
No link to local documentation is displayed on error pages and the CGI user interface.
If both admin-address and proxy-info-url are unset, the whole "Local Privoxy Support" box on all generated pages will not be shown.
This URL shouldn't be blocked ;-)
Privoxy can (and normally does) use a number of other files for additional configuration, help and logging. This section of the configuration file tells Privoxy where to find those other files.
The user running Privoxy must have read permission for all configuration files, and write permission to any files that would be modified, such as log files and actions files.
The directory where the other configuration files are located.
Path name
/etc/privoxy (Unix) or Privoxy installation dir (Windows)
Mandatory
No trailing "/", please.
An alternative directory where the templates are loaded from.
Path name
unset
The templates are assumed to be located in confdir/template.
Privoxy's original templates are usually overwritten with each update. Use this option to relocate customized templates that should be kept. As template variables might change between updates, you shouldn't expect templates to work with Privoxy releases other than the one they were part of, though.
A directory where Privoxy can create temporary files.
Path name
unset
No temporary files are created, external filters don't work.
To execute external filters, Privoxy has to create temporary files. This directive specifies the directory the temporary files should be written to.
It should be a directory only Privoxy (and trusted users) can access.
The directory where all logging takes place (i.e. where the logfile is located).
Path name
/var/log/privoxy (Unix) or Privoxy installation dir (Windows)
Mandatory
No trailing "/", please.
The actions file(s) to use
Complete file name, relative to confdir
match-all.action # Actions that are applied to all sites and maybe overruled later on.
default.action # Main actions file
user.action # User customizations
No actions are taken at all. More or less neutral proxying.
Multiple actionsfile lines are permitted, and are in fact recommended!
The default values are default.action, which is the "main" actions file maintained by the developers, and user.action, where you can make your personal additions.
Actions files contain all the per site and per URL configuration for ad blocking, cookie management, privacy considerations, etc.
The filter file(s) to use
File name, relative to confdir
default.filter (Unix) or default.filter.txt (Windows)
No textual content filtering takes place, i.e. all +filter{name} actions in the actions files are turned neutral.
Multiple filterfile lines are permitted.
The filter files contain content modification rules that use regular expressions. These rules permit powerful changes on the content of Web pages, and optionally the headers as well, e.g., you could try to disable your favorite JavaScript annoyances, re-write the actual displayed text, or just have some fun playing buzzword bingo with web pages.
The +filter{name} actions rely on the relevant filter (name) to be defined in a filter file!
A pre-defined filter file called default.filter that contains a number of useful filters for common problems is included in the distribution. See the section on the filter action for a list.
It is recommended to place any locally adapted filters into a separate file, such as user.filter.
The log file to use
File name, relative to logdir
Unset (commented out). When activated: logfile (Unix) or privoxy.log (Windows).
No logfile is written.
The logfile is where all logging and error messages are written. The level of detail and number of messages are set with the debug option (see below). The logfile can be useful for tracking down a problem with Privoxy (e.g., it's not blocking an ad you think it should block) and it can help you to monitor what your browser is doing.
Depending on the debug options below, the logfile may be a privacy risk if third parties can get access to it. As most users will never look at it, Privoxy only logs fatal errors by default.
For most troubleshooting purposes, you will have to change that, please refer to the debugging section for details.
Any log files must be writable by whatever user Privoxy is being run as (on Unix, default user id is "privoxy").
To prevent the logfile from growing indefinitely, it is recommended to periodically rotate or shorten it. Many operating systems support log rotation out of the box, some require additional software to do it. For details, please refer to the documentation for your operating system.
The name of the trust file to use
File name, relative to confdir
Unset (commented out). When activated: trust (Unix) or trust.txt (Windows)
The entire trust mechanism is disabled.
The trust mechanism is an experimental feature for building white-lists and should be used with care. It is NOT recommended for the casual user.
If you specify a trust file, Privoxy will only allow access to sites that are specified in the trustfile. Sites can be listed in one of two ways:
Prepending a ~ character limits access to this site only (and any sub-paths within this site), e.g. ~www.example.com allows access to ~www.example.com/features/news.html, etc.
Or, you can designate sites as trusted referrers, by prepending the name with a + character. The effect is that access to untrusted sites will be granted -- but only if a link from this trusted referrer was used to get there. The link target will then be added to the "trustfile" so that future, direct accesses will be granted. Sites added via this mechanism do not become trusted referrers themselves (i.e. they are added with a ~ designation). There is a limit of 512 such entries, after which new entries will not be made.
If you use the + operator in the trust file, it may grow considerably over time.
It is recommended that Privoxy be compiled with the --disable-force, --disable-toggle and --disable-editor options, if this feature is to be used.
Possible applications include limiting Internet access for children.
These options are mainly useful when tracing a problem. Note that you might also want to invoke Privoxy with the --no-daemon command line option when debugging.
Key values that determine what information gets logged.
Integer values
0 (i.e.: only fatal errors (that cause Privoxy to exit) are logged)
Default value is used (see above).
The available debug levels are:
debug 1 # Log the destination for each request. See also debug 1024.
debug 2 # show each connection status
debug 4 # show tagging-related messages
debug 8 # show header parsing
debug 16 # log all data written to the network
debug 32 # debug force feature
debug 64 # debug regular expression filters
debug 128 # debug redirects
debug 256 # debug GIF de-animation
debug 512 # Common Log Format
debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
debug 2048 # CGI user interface
debug 4096 # Startup banner and warnings.
debug 8192 # Non-fatal errors
debug 32768 # log all data read from the network
debug 65536 # Log the applying actions
To select multiple debug levels, you can either add them or use multiple debug lines.
A debug level of 1 is informative because it will show you each request as it happens. 1, 1024, 4096 and 8192 are recommended so that you will notice when things go wrong. The other levels are probably only of interest if you are hunting down a specific problem. They can produce a hell of an output (especially 16).
If you are used to the more verbose settings, simply enable the debug lines below again.
If you want to use pure CLF (Common Log Format), you should set "debug 512" ONLY and not enable anything else.
Privoxy has a hard-coded limit for the length of log messages. If it's reached, messages are logged truncated and marked with "... [too long, truncated]".
Please don't file any support requests without trying to reproduce the problem with increased debug level first. Once you read the log messages, you may even be able to solve the problem on your own.
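The way debug lines combine can be checked before a config is deployed. The following is an added example, not part of Privoxy or its manual: it decodes the debug lines of a config into the levels listed above and notes when debug 512 is not used alone. The SENSITIVE selection, the function names and the sample config are assumptions of this example.

```python
# Level values and meanings are taken from the list of debug levels above.
DEBUG_LEVELS = {
    1: "destination of each request", 2: "connection status",
    4: "tagging-related messages", 8: "header parsing",
    16: "all data written to the network", 32: "force feature",
    64: "regular expression filters", 128: "redirects",
    256: "GIF de-animation", 512: "Common Log Format",
    1024: "blocked requests and the reason", 2048: "CGI user interface",
    4096: "startup banner and warnings", 8192: "non-fatal errors",
    32768: "all data read from the network", 65536: "applying actions",
}
# Assumption of this example: levels that record where users go or what they transfer.
SENSITIVE = (1, 16, 32768)

# Constructed sample config.
SAMPLE = """\
debug 1025   # 1 and 1024 added together
debug 4096
debug 8192
debug 512
"""

def effective_debug(config_text):
    """Combine all 'debug' lines; a sum on one line equals separate lines."""
    mask = 0
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) >= 2 and fields[0] == "debug":
            mask |= int(fields[1])
    return mask

def review_debug(config_text):
    """Return (mask, enabled level numbers, review notes)."""
    mask = effective_debug(config_text)
    enabled = [bit for bit in DEBUG_LEVELS if mask & bit]
    notes = []
    unknown = mask & ~sum(DEBUG_LEVELS)
    if unknown:
        notes.append(f"bits not in the documented list: {unknown}")
    if mask & 512 and mask != 512:
        notes.append("debug 512 combined with other levels: log is not pure CLF")
    for bit in SENSITIVE:
        if mask & bit:
            notes.append(f"debug {bit} logs {DEBUG_LEVELS[bit]}: restrict logfile access")
    return mask, enabled, notes

if __name__ == "__main__":
    print(review_debug(SAMPLE))
```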
Whether to run only one server thread.
1 or 0
0
Multi-threaded (or, where unavailable: forked) operation, i.e. the ability to serve multiple requests simultaneously.
This option is only there for debugging purposes. It will drastically reduce performance.
The hostname shown on the CGI pages.
Text
Unset
The hostname provided by the operating system is used.
On some misconfigured systems resolving the hostname fails or takes too much time and slows Privoxy down. Setting a fixed hostname works around the problem.
In other circumstances it might be desirable to show a hostname other than the one returned by the operating system. For example if the system has several different hostnames and you don't want to use the first one.
Note that Privoxy does not validate the specified hostname value.
This section of the config file controls the security-relevant aspects of Privoxy's configuration.
The address and TCP port on which Privoxy will listen for client requests.
[IP-Address]:Port
[Hostname]:Port
127.0.0.1:8118
Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is suitable and recommended for home users who run Privoxy on the same machine as their browser.
You will need to configure your browser(s) to this proxy address and port.
If you already have another service running on port 8118, or if you want to serve requests from other machines (e.g. on your local network) as well, you will need to override the default.
You can use this statement multiple times to make Privoxy listen on more ports or more IP addresses. Suitable if your operating system does not support sharing IPv6 and IPv4 protocols on the same socket.
If a hostname is used instead of an IP address, Privoxy will try to resolve it to an IP address and if there are multiple, use the first one returned.
If the address for the hostname isn't already known on the system (for example because it's in /etc/hostname), this may result in DNS traffic.
If the specified address isn't available on the system, or if the hostname can't be resolved, Privoxy will fail to start. On GNU/Linux, and other platforms that can listen on not yet assigned IP addresses, Privoxy will start and will listen on the specified address whenever the IP address is assigned to the system.
IPv6 addresses containing colons have to be quoted by brackets. They can only be used if Privoxy has been compiled with IPv6 support. If you aren't sure if your version supports it, have a look at http://config.privoxy.org/show-status.
Some operating systems will prefer IPv6 to IPv4 addresses even if the system has no IPv6 connectivity, which is usually not expected by the user. Some even rely on DNS to resolve localhost, which means the "localhost" address used may not actually be local.
It is therefore recommended to explicitly configure the intended IP address instead of relying on the operating system, unless there's a strong reason not to.
If you leave out the address, Privoxy will bind to all IPv4 interfaces (addresses) on your machine and may become reachable from the Internet and/or the local network. Be aware that some GNU/Linux distributions modify that behaviour without updating the documentation. Check for non-standard patches if your Privoxy version behaves differently.
If you configure Privoxy to be reachable from the network, consider using access control lists (ACLs, see below), and/or a firewall.
If you open Privoxy to untrusted users, you will also want to make sure that the following actions are disabled: enable-edit-actions and enable-remote-toggle.
Suppose you are running Privoxy on a machine which has the address 192.168.0.1 on your local private network (192.168.0.0) and has another outside connection with a different address. You want it to serve requests from inside only:
listen-address 192.168.0.1:8118
Suppose you are running Privoxy on an IPv6-capable machine and you want it to listen on the IPv6 address of the loopback device:
listen-address [::1]:8118
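The listen-address notes above can be turned into a pre-deployment check. The following is an added example, not part of Privoxy or its manual: it reads a config, classifies each listen-address value and reports enable-remote-toggle or enable-edit-actions being set to 1 while the proxy is not loopback-only. The function names, the finding texts and the sample config are assumptions of this example, and hostnames are treated as possibly non-local because they are not resolved here.

```python
import ipaddress

# Constructed sample config for this example (not from the Privoxy distribution).
SAMPLE = """\
listen-address 192.168.0.1:8118
listen-address [::1]:8118
listen-address :8118
listen-address localhost:8118
enable-remote-toggle 1
enable-edit-actions 0
"""

def split_listen_address(value):
    """Return (host, port) for '[IP-Address]:Port' or 'Hostname:Port'; host may be ''."""
    if value.startswith("["):                  # bracket-quoted IPv6 such as [::1]:8118
        host, _, rest = value[1:].partition("]")
        return host, rest.lstrip(":")
    host, _, port = value.rpartition(":")
    return host, port

def audit(config_text):
    """Return (option, value, note) findings about network exposure of the proxy."""
    opts = {}
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()   # keyword, then whitespace-separated values
        if fields:
            opts.setdefault(fields[0], []).append(" ".join(fields[1:]))
    findings, exposed = [], False
    for value in opts.get("listen-address", ["127.0.0.1:8118"]):   # documented default
        host, _port = split_listen_address(value)
        if not host:
            note = "no address given: binds to all IPv4 interfaces"
        else:
            try:
                if ipaddress.ip_address(host).is_loopback:
                    continue
                note = "reachable from other machines: add ACLs and/or a firewall"
            except ValueError:
                # Not an IP literal: the OS resolves it, possibly to a non-local address.
                note = "hostname used: configure the intended IP address explicitly"
        exposed = True
        findings.append(("listen-address", value, note))
    for opt in ("enable-remote-toggle", "enable-edit-actions"):
        if exposed and opts.get(opt, ["0"])[-1] == "1":
            findings.append((opt, "1", "enabled while the proxy is not loopback-only"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```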
Initial state of "toggle" status
1 or 0
1
Act as if toggled on
If set to 0, Privoxy will start in "toggled off" mode, i.e. mostly behave like a normal, content-neutral proxy with both ad blocking and content filtering disabled. See enable-remote-toggle below.
Whether or not the web-based toggle feature may be used
0 or 1
0
The web-based toggle feature is disabled.
When toggled off, Privoxy mostly acts like a normal, content-neutral proxy, i.e. doesn't block ads or filter content.
Access to the toggle feature cannot be controlled separately by "ACLs" or HTTP authentication, so that everybody who can access Privoxy (see "ACLs" and listen-address above) can toggle it for all users. So this option is not recommended for multi-user environments with untrusted users.
Note that malicious client side code (e.g. Java) is also capable of using this option.
As a lot of Privoxy users don't read documentation, this feature is disabled by default.
Note that you must have compiled Privoxy with support for this feature, otherwise this option has no effect.
Whether or not Privoxy recognizes special HTTP headers to change its behaviour.
0 or 1
0
Privoxy ignores special HTTP headers.
When toggled on, the client can change Privoxy's behaviour by setting special HTTP headers. Currently the only supported special header is "X-Filter: No", to disable filtering for the ongoing request, even if it is enabled in one of the action files.
This feature is disabled by default. If you are using Privoxy in an environment with trusted clients, you may enable this feature at your discretion. Note that malicious client side code (e.g. Java) is also capable of using this feature.
This option will be removed in future releases as it has been obsoleted b