Changes between Version 13 and Version 14 of doc/OpenbsdChrootedTorScript


Timestamp:
Sep 20, 2011, 3:50:36 PM (8 years ago)
Author:
nella
Comment:

--

  • doc/OpenbsdChrootedTorScript

    v13 v14  
    66
    77
    8 These scripts perform almost all of the steps involved in creating a chroot
    9 in OpenBSD for tor.  It now includes all the configuration files you
    10 will need.
    11 
    12 When a new version of tor is released, I run this script and copy my old
    13 '''/home/chrooted/tor/etc/tor/systrace''' directory over.
     8These scripts perform almost all of the steps involved in creating a chroot in OpenBSD for tor. It now includes all the configuration files you will need.
     9
     10When a new version of tor is released, I run this script and copy my old '''/home/chrooted/tor/etc/tor/systrace''' directory over.
    1411
    1512The systrace policies and updated rc.local are included here.
     
    1714 == Cautions ==
    1815
    19 Currently tested but still needs more testing.  I use these for my own
    20 setup.  Don't run these on any kind of production system.  However, if
    21 you have a spare machine around, try it out.
     16Currently tested but still needs more testing. I use these for my own setup. Don't run these on any kind of production system. However, if you have a spare machine around, try it out.
    2217
    2318 == Notes ==
    2419
    25 OpenBSD 3.8 now has a recent version of libevent!  So there is no need to
    26 compile your own any longer.  Watch out for the dsocks package in 3.8
    27 though.  It does not include the tor-dns-proxy.py script that I use as
    28 a DNS resolver.  I had to download it from the upstream location.
     20OpenBSD 3.8 now has a recent version of libevent! So there is no need to compile your own any longer. Watch out for the dsocks package in 3.8 though. It does not include the tor-dns-proxy.py script that I use as a DNS resolver. I had to download it from the upstream location.
    2921You may have to modify your systrace policies for python 2.4 as well.
    3022It uses libstdc++ now.
    3123
    32 Eventually, I would like to turn this script into a perl module.  That
    33 way the error checking is more robust (or even present).
    34 
    35 Also, it would be nice if I could upload my chroot to some website
    36 so people can easily download files and compare their configuration
    37 with mine.
     24Eventually, I would like to turn this script into a perl module. That way the error checking is more robust (or even present).
     25
     26Also, it would be nice if I could upload my chroot to some website so people can easily download files and compare their configuration with mine.
    3827
    3928 === Stage 1: Run as root ===
    4029
    41 I hard coded the paths to '''/home/chrooted/tor''' on purpose.  If this
    42 is ever converted into perl, then with the '''use strict;''' mode I
    43 would add the path as a parameter.  Since the shell won't warn you if you
    44 have a typo, I try to use hard coded paths as much as possible.
    45 
    46 Be sure to change the '''TOR_BUILD_USER''' and '''TOR_BUILD_GROUP''' to your
    47 own user.  This is who is building the source.  The files themselves will
    48 later be owned by '''_tor''' or '''root''' depending on the file.
     30I hard coded the paths to '''/home/chrooted/tor''' on purpose. If this is ever converted into perl, then with the '''use strict;''' mode I would add the path as a parameter. Since the shell won't warn you if you have a typo, I try to use hard coded paths as much as possible.
     31
     32Be sure to change the '''TOR_BUILD_USER''' and '''TOR_BUILD_GROUP''' to your own user. This is who is building the source. The files themselves will later be owned by '''_tor''' or '''root''' depending on the file.
    4933
    5034'''tor_stage1_root.sh'''
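Review bot: In the Notes paragraph at new line 20, tor-dns-proxy.py is said to come "from the upstream location" with no URL, version or checksum, so a reader rebuilding the chroot cannot tell which file to fetch or confirm it matches the one used here. Suggest naming the source and recording a hash of the file next to that sentence, since the script ends up as the DNS resolver for the whole setup.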
     
    6448
    6549if [ ! "`/usr/bin/id -u`" = "0" ]; then
    66         echo "Error: Must run $0 with root priviledges"
     50        echo "Error: Must run $0 with root privileges"
    6751        exit 1
    6852fi
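Review bot: The error message at new line 50 is written with a plain echo, so it goes to stdout and disappears when the script's output is piped or redirected to a file. Send it to stderr, for example `echo "Error: Must run $0 with root privileges" >&2`. The same applies to the identical checks at new lines 144 and 261.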
     
    158142
    159143if [ "`/usr/bin/id -u`" = "0" ]; then
    160         echo "Error: Must run $0 WITHOUT root priviledges"
     144        echo "Error: Must run $0 WITHOUT root privileges"
    161145        exit 1
    162146fi
     
    212196        for lib in `/usr/bin/ldd tor-${TOR_VERSION}/src/or/tor | /usr/bin/egrep '^[[:space:]]+[0-9a-f]{8}[[:space:]]+[0-9a-f]{8}' | /usr/bin/sed -e 's/.* //' | /usr/bin/grep '^/usr'`; do
    213197                echo "Copying library \"${lib}\""
    214                 /bin/cp ${lib} /home/chrooted/tor/${lib} 
     198                /bin/cp ${lib} /home/chrooted/tor/${lib}
    215199        done
    216200fi
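Review bot: The `/bin/cp ${lib} /home/chrooted/tor/${lib}` at new line 198 is unquoted and its exit status is never checked, so a failed copy (for instance a missing destination directory) still prints "Copying library" and the script carries on to produce a chroot whose tor binary cannot load its libraries. Quote both arguments and stop on failure, e.g. `/bin/cp "${lib}" "/home/chrooted/tor/${lib}" || exit 1`. Separately, the `[0-9a-f]{8}` pattern on line 196 only matches 8-digit addresses followed by whitespace; on a platform where ldd prints wider addresses the loop matches nothing and copies nothing without any message, so a check that at least one library was found would be worth adding.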
     
    275259
    276260if [ ! "`/usr/bin/id -u`" = "0" ]; then
    277         echo "Error: Must run $0 with root priviledges"
     261        echo "Error: Must run $0 with root privileges"
    278262        exit 1
    279263fi
     
    780764#  =======================================
    781765#
    782 #  Privoxy can (and normally does) use a number of other files for 
    783 #  additional configuration, help and logging. This section of the 
     766#  Privoxy can (and normally does) use a number of other files for
     767#  additional configuration, help and logging. This section of the
    784768#  configuration file tells Privoxy where to find those other files.
    785769#
     
    787771#  configuration files, and write permission to any files that would
    788772#  be modified, such as log files and actions files.
    789 #   
    790 
    791 # 
     773#
     774
     775#
    792776#  1.1. confdir
    793777#  ============
    794778#
    795779#  Specifies:
    796 # 
     780#
    797781#      The directory where the other configuration files are located
    798 # 
     782#
    799783#  Type of value:
    800784#
    801785#      Path name
    802 # 
    803 #  Default value:
    804 # 
     786#
     787#  Default value:
     788#
    805789#      /etc/privoxy (Unix) or Privoxy installation dir (Windows)
    806 # 
    807 #  Effect if unset:
    808 # 
     790#
     791#  Effect if unset:
     792#
    809793#      Mandatory
    810 # 
    811 #  Notes:
    812 # 
     794#
     795#  Notes:
     796#
    813797#      No trailing "/", please
    814798#
    815799#      When development goes modular and multi-user, the blocker,
    816800#      filter, and per-user config will be stored in subdirectories of
    817 #      "confdir". For now, the configuration directory structure is   
     801#      "confdir". For now, the configuration directory structure is
    818802#      flat, except for confdir/templates, where the HTML templates
    819803#      for CGI output reside (e.g. Privoxy's 404 error page).
    820 # 
     804#
    821805confdir /etc/privoxy
    822806
     
    829813#      The directory where all logging takes place (i.e. where logfile
    830814#      and jarfile are located)
    831 # 
     815#
    832816#  Type of value:
    833817#
    834818#      Path name
    835 # 
    836 #  Default value:
    837 # 
     819#
     820#  Default value:
     821#
    838822#      /var/log/privoxy (Unix) or Privoxy installation dir (Windows)
    839 # 
    840 #  Effect if unset:
    841 # 
     823#
     824#  Effect if unset:
     825#
    842826#      Mandatory
    843 # 
    844 #  Notes:
    845 # 
     827#
     828#  Notes:
     829#
    846830#      No trailing "/", please
    847831#
     
    865849#
    866850#        default      # Main actions file
    867 #     
     851#
    868852#        user         # User customizations
    869 #     
     853#
    870854#  Effect if unset:
    871855#
     
    873857#
    874858#  Notes:
    875 # 
     859#
    876860#      Multiple actionsfile lines are permitted, and are in fact
    877861#      recommended!
     
    886870#      privacy considerations, etc. There is no point in using Privoxy
    887871#      without at least one actions file.
    888 #     
     872#
    889873actionsfile standard  # Internal purpose, recommended
    890874actionsfile default   # Main actions file
    891875actionsfile user      # User customizations
    892876
    893 # 
     877#
    894878#  1.4. filterfile
    895879#  ===============
    896 #     
     880#
    897881#  Specifies:
    898882#
    899883#      The filter file to use
    900884#
    901 #  Type of value: 
    902 # 
     885#  Type of value:
     886#
    903887#      File name, relative to confdir
    904 # 
     888#
    905889#  Default value:
    906890#
    907891#      default.filter (Unix) or default.filter.txt (Windows)
    908 # 
     892#
    909893#  Effect if unset:
    910894#
     
    923907#      The +filter{name} actions rely on the relevant filter (name)
    924908#      to be defined in the filter file!
    925 # 
     909#
    926910#      A pre-defined filter file called default.filter that contains
    927911#      a bunch of handy filters for common problems is included in the
     
    930914filterfile default.filter
    931915
    932 # 
     916#
    933917#  1.5. logfile
    934 #  ============   
    935 #     
     918#  ============
     919#
    936920#  Specifies:
    937921#
    938922#      The log file to use
    939923#
    940 #  Type of value: 
    941 # 
     924#  Type of value:
     925#
    942926#      File name, relative to logdir
    943 # 
     927#
    944928#  Default value:
    945929#
     
    960944#      an ad you think it should block) but in most cases you probably
    961945#      will never look at it.
    962 #     
     946#
    963947#      Your logfile will grow indefinitely, and you will probably
    964948#      want to periodically remove it. On Unix systems, you can do
    965949#      this with a cron job (see "man cron"). For Red Hat, a logrotate
    966950#      script has been included.
    967 #     
     951#
    968952#      On SuSE Linux systems, you can place a line like
    969953#      "/var/log/privoxy.* +1024k 644 nobody.nogroup" in /etc/logfiles,
    970 #      with the effect that cron.daily will automatically archive, 
     954#      with the effect that cron.daily will automatically archive,
    971955#      gzip, and empty the log, when it exceeds 1M size.
    972956#
    973 #      Any log files must be writable by whatever user Privoxy is 
     957#      Any log files must be writable by whatever user Privoxy is
    974958#      being run as (default on UNIX, user id is "privoxy").
    975959#
    976960logfile logfile
    977961
    978 # 
     962#
    979963#  1.6. jarfile
    980 #  ============   
    981 #     
     964#  ============
     965#
    982966#  Specifies:
    983967#
    984968#      The file to store intercepted cookies in
    985969#
    986 #  Type of value: 
    987 # 
     970#  Type of value:
     971#
    988972#      File name, relative to logdir
    989 # 
     973#
    990974#  Default value:
    991975#
     
    1007991#
    1008992#  Specifies:
    1009 #     
     993#
    1010994#      The trust file to use
    1011995#
     
    1015999#
    10161000#  Default value:
    1017 #     
     1001#
    10181002#      Unset (commented out). When activated: trust (Unix) or trust.txt
    10191003#      (Windows)
    1020 #     
     1004#
    10211005#  Effect if unset:
    10221006#
    10231007#      The entire trust mechanism is turned off.
    1024 #     
     1008#
    10251009#  Notes:
    10261010#
     
    10281012#      white-lists and should be used with care. It is NOT recommended
    10291013#      for the casual user.
    1030 # 
     1014#
    10311015#      If you specify a trust file, Privoxy will only allow access to
    10321016#      sites that are specified in the trustfile. Sites can be listed
     
    10351019#      Prepending a ~ character limits access to this site only (and
    10361020#      any sub-paths within this site), e.g. ~www.example.com.
    1037 # 
     1021#
    10381022#      Or, you can designate sites as trusted referrers, by prepending
    10391023#      the name with a + character. The effect is that access to
     
    10461030#      If you use the + operator in the trust file, it may grow
    10471031#      considerably over time.
    1048 # 
     1032#
    10491033#      It is recommended that Privoxy be compiled with the
    10501034#      --disable-force, --disable-toggle and --disable-editor options,
     
    10531037#      Possible applications include limiting Internet access for
    10541038#      children.
    1055 # 
    1056 #trustfile trust 
    1057 
    1058 # 
     1039#
     1040#trustfile trust
     1041
     1042#
    10591043#  2. LOCAL SET-UP DOCUMENTATION
    10601044#  =============================
     
    10651049#
    10661050
    1067 #     
     1051#
    10681052#  2.1. user-manual
    10691053#  ================
    1070 #     
     1054#
    10711055#  Specifies:
    10721056#
    10731057#      Location of the Privoxy User Manual.
    1074 #     
     1058#
    10751059#  Type of value:
    10761060#
    10771061#      A fully qualified URI
    1078 # 
    1079 #  Default value:
    1080 # 
     1062#
     1063#  Default value:
     1064#
    10811065#      Unset
    1082 #     
     1066#
    10831067#  Effect if unset:
    10841068#
    10851069#      http://www.privoxy.org/version/user-manual/ will be used,
    10861070#      where version is the Privoxy version.
    1087 # 
    1088 #  Notes:
    1089 # 
     1071#
     1072#  Notes:
     1073#
    10901074#      The User Manual URI is used for help links from some of the
    10911075#      internal CGI pages. The manual itself is normally packaged
    10921076#      with the binary distributions, so you probably want to set this
    10931077#      to a locally installed copy. For multi-user setups, you could
    1094 #      provide a copy on a local webserver for all your users and use 
     1078#      provide a copy on a local webserver for all your users and use
    10951079#      the corresponding URL here.
    10961080#
    10971081#      Examples:
    1098 # 
     1082#
    10991083#      Unix, in local filesystem:
    11001084#
     
    11031087#      Windows, in local filesystem, must use forward slash notation,
    11041088#      and %20 to denote spaces in path names:
    1105 # 
     1089#
    11061090#       user-manual file:///c:/some%20dir/privoxy/user-manual/index.html
    11071091#
    11081092#      Windows, UNC notation (forward slashes required again):
    1109 # 
     1093#
    11101094#       user-manual file://///some-server/some-path/privoxy/user-manual/index.html
    11111095#
    1112 #      Any platform, on local webserver (called "local-webserver"):   
    1113 # 
     1096#      Any platform, on local webserver (called "local-webserver"):
     1097#
    11141098#       user-manual  http://local-webserver/privoxy-user-manual/
    11151099#
    11161100#      WARNING!!!
    1117 #     
     1101#
    11181102#          If set, this option should be the first option in the config
    11191103#          file, because it is used while the config file is being read.
    1120 #     
     1104#
    11211105#user-manual http://www.privoxy.org/user-manual/
    11221106
     
    11331117#
    11341118#      URL
    1135 # 
    1136 #  Default value:
    1137 # 
     1119#
     1120#  Default value:
     1121#
    11381122#      Two example URL are provided
    1139 #     
     1123#
    11401124#  Effect if unset:
    11411125#
    11421126#      No links are displayed on the "untrusted" error page.
    1143 #     
    1144 #  Notes:
    1145 # 
     1127#
     1128#  Notes:
     1129#
    11461130#      The value of this option only matters if the experimental trust
    11471131#      mechanism has been activated. (See trustfile above.)
    1148 # 
     1132#
    11491133#      If you use the trust mechanism, it is a good idea to write
    11501134#      up some on-line documentation about your trust policy and to
    11511135#      specify the URL(s) here. Use multiple times for multiple URLs.
    11521136#
    1153 #      The URL(s) should be added to the trustfile as well, so users 
     1137#      The URL(s) should be added to the trustfile as well, so users
    11541138#      don't end up locked out from the information on why they were
    11551139#      locked out in the first place!
    1156 #       
     1140#
    11571141#trust-info-url  http://www.example.com/why_we_block.html
    11581142#trust-info-url  http://www.example.com/what_we_allow.html
    11591143
    1160 #       
     1144#
    11611145#  2.3. admin-address
    11621146#  ==================
    1163 # 
     1147#
    11641148#  Specifies:
    11651149#
     
    11841168#      "Local Privoxy Support" box on all generated pages will not
    11851169#      be shown.
    1186 #     
     1170#
    11871171#admin-address privoxy-admin@example.com
    11881172
     
    11991183#
    12001184#      URL
    1201 # 
    1202 #  Default value:
    1203 # 
     1185#
     1186#  Default value:
     1187#
    12041188#      Unset
    1205 #     
     1189#
    12061190#  Effect if unset:
    12071191#
    12081192#      No link to local documentation is displayed on error pages and
    12091193#      the CGI user interface.
    1210 #       
    1211 #  Notes:
    1212 # 
     1194#
     1195#  Notes:
     1196#
    12131197#      If both admin-address and proxy-info-url are unset, the whole
    12141198#      "Local Privoxy Support" box on all generated pages will not
     
    12161200#
    12171201#      This URL shouldn't be blocked ;-)
    1218 # 
     1202#
    12191203#proxy-info-url http://www.example.com/proxy-service.html
    12201204
    12211205#
    1222 #  3. DEBUGGING 
     1206#  3. DEBUGGING
    12231207#  ============
    12241208#
     
    12401224#
    12411225#      Integer values
    1242 # 
    1243 #  Default value:
    1244 # 
     1226#
     1227#  Default value:
     1228#
    12451229#      12289 (i.e.: URLs plus informational and warning messages)
    1246 #     
     1230#
    12471231#  Effect if unset:
    12481232#
     
    12701254#      To select multiple debug levels, you can either add them or
    12711255#      use multiple debug lines.
    1272 # 
     1256#
    12731257#      A debug level of 1 is informative because it will show you each
    12741258#      request as it happens. 1, 4096 and 8192 are highly recommended
     
    12791263#      The reporting of fatal errors (i.e. ones which crash Privoxy)
    12801264#      is always on and cannot be disabled.
    1281 # 
     1265#
    12821266#      If you want to use CLF (Common Log Format), you should set
    12831267#      "debug 512" ONLY and not enable anything else.
    1284 # 
     1268#
    12851269#debug   1    # show each GET/POST/CONNECT request
    12861270debug   4096 # Startup banner and warnings
    12871271debug   8192 # Errors - *we highly recommended enabling this*
    12881272
    1289 # 
     1273#
    12901274#  3.2. single-threaded
    12911275#  ====================
    1292 # 
    1293 #  Specifies:
    1294 # 
     1276#
     1277#  Specifies:
     1278#
    12951279#      Whether to run only one server thread
    1296 #     
     1280#
    12971281#  Type of value:
    12981282#
     
    13071291#      Multi-threaded (or, where unavailable: forked) operation,
    13081292#      i.e. the ability to serve multiple requests simultaneously.
    1309 #         
    1310 #  Notes:
    1311 #         
     1293#
     1294#  Notes:
     1295#
    13121296#      This option is only there for debug purposes and you should
    13131297#      never need to use it. It will drastically reduce performance.
    1314 #         
     1298#
    13151299#single-threaded
    13161300
    1317 # 
     1301#
    13181302#  4. ACCESS CONTROL AND SECURITY
    13191303#  ==============================
    1320 # 
     1304#
    13211305#  This section of the config file controls the security-relevant
    13221306#  aspects of Privoxy's configuration.
    13231307#
    13241308
    1325 # 
    1326 #  4.1. listen-address 
    1327 #  =================== 
    1328 # 
    1329 #  Specifies:
    1330 # 
     1309#
     1310#  4.1. listen-address
     1311#  ===================
     1312#
     1313#  Specifies:
     1314#
    13311315#      The IP address and TCP port on which Privoxy will listen for
    13321316#      client requests.
    1333 # 
    1334 #  Type of value:
    1335 #         
     1317#
     1318#  Type of value:
     1319#
    13361320#      [IP-Address]:Port
    13371321#
     
    13491333#
    13501334#      You will need to configure your browser(s) to this proxy address
    1351 #      and port. 
     1335#      and port.
    13521336#
    13531337#      If you already have another service running on port 8118, or
     
    13591343#      from the Internet. In that case, consider using access control
    13601344#      lists (ACL's, see below), and/or a firewall.
    1361 #         
    1362 #      If you open Privoxy to untrusted users, you will also want 
    1363 #      to turn off the enable-edit-actions and enable-remote-toggle 
     1345#
     1346#      If you open Privoxy to untrusted users, you will also want
     1347#      to turn off the enable-edit-actions and enable-remote-toggle
    13641348#      options!
    13651349#
    13661350#  Example:
    1367 # 
     1351#
    13681352#      Suppose you are running Privoxy on a machine which has the
    13691353#      address 192.168.0.1 on your local private network (192.168.0.0)
    13701354#      and has another outside connection with a different address. You
    13711355#      want it to serve requests from inside only:
    1372 # 
     1356#
    13731357#        listen-address  192.168.0.1:8118
    13741358#
    13751359listen-address  127.0.0.1:8118
    13761360
    1377 # 
     1361#
    13781362#  4.2. toggle
    13791363#  ===========
    1380 # 
     1364#
    13811365#  Specifies:
    13821366#
    13831367#      Initial state of "toggle" status
    1384 # 
    1385 #  Type of value:
    1386 #         
     1368#
     1369#  Type of value:
     1370#
    13871371#      1 or 0
    13881372#
     
    13981382#
    13991383#      If set to 0, Privoxy will start in "toggled off" mode,
    1400 #      i.e. behave like a normal, content-neutral proxy where all ad   
     1384#      i.e. behave like a normal, content-neutral proxy where all ad
    14011385#      blocking, filtering, etc are disabled. See enable-remote-toggle
    14021386#      below. This is not really useful anymore, since toggling is
    14031387#      much easier via the web interface than via editing the conf file.
    14041388#
    1405 #      The windows version will only display the toggle icon in the 
     1389#      The windows version will only display the toggle icon in the
    14061390#      system tray if this option is present.
    14071391#
    14081392toggle  1
    14091393
    1410 #     
     1394#
    14111395#  4.3. enable-remote-toggle
    14121396#  =========================
    1413 #     
    1414 #  Specifies: 
     1397#
     1398#  Specifies:
    14151399#
    14161400#      Whether or not the web-based toggle feature may be used
    1417 # 
    1418 #  Type of value:
    1419 #         
     1401#
     1402#  Type of value:
     1403#
    14201404#      0 or 1
    14211405#
     
    14421426#      Note that you must have compiled Privoxy with support for this
    14431427#      feature, otherwise this option has no effect.
    1444 # 
     1428#
    14451429enable-remote-toggle  1
    14461430
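Review bot: `enable-remote-toggle  1` at new line 1429 leaves the web-based toggle enabled, so any client that can reach the listener can switch Privoxy into its "toggled off" mode. The file's own listen-address notes (new lines 1346 to 1348) advise turning this option off when untrusted users can reach the proxy. For a chrooted Tor front end, suggest `enable-remote-toggle  0` unless the toggle is actually needed, or a comment saying why it is kept.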
     
    14621446#
    14631447#  Effect if unset:
    1464 # 
     1448#
    14651449#      The web-based actions file editor is disabled.
    1466 #     
     1450#
    14671451#  Notes:
    14681452#
    14691453#      For the time being, access to the editor can not be controlled
    1470 #      separately by "ACLs" or HTTP authentication, so that everybody 
    1471 #      who can access Privoxy (see "ACLs" and listen-address above)   
     1454#      separately by "ACLs" or HTTP authentication, so that everybody
     1455#      who can access Privoxy (see "ACLs" and listen-address above)
    14721456#      can modify its configuration for all users. So this option is
    14731457#      not recommended for multi-user environments with untrusted users.
     
    14751459#      Note that you must have compiled Privoxy with support for this
    14761460#      feature, otherwise this option has no effect.
    1477 # 
     1461#
    14781462enable-edit-actions 1
    14791463
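Review bot: `enable-edit-actions 1` at new line 1462 contradicts the caution in the Notes just above it (new lines 1453 to 1457): access to the editor cannot be restricted separately by ACLs or HTTP authentication, so everybody who can reach Privoxy can modify its configuration for all users. On a machine with more than one local account the 127.0.0.1 listener does not narrow that down. Suggest `enable-edit-actions 0` as the shipped default, with a comment telling the reader how to re-enable it.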
     
    15121496#      or internal (home) network address by means of the listen-address
    15131497#      option.
    1514 # 
     1498#
    15151499#      Please see the warnings in the FAQ that this proxy is not
    15161500#      intended to be a substitute for a firewall or to encourage
     
    15181502#
    15191503#      Multiple ACL lines are OK. If any ACLs are specified, then
    1520 #      the Privoxy talks only to IP addresses that match at least one 
    1521 #      permit-access line and don't match any subsequent deny-access 
    1522 #      line. In other words, the last match wins, with the default 
     1504#      the Privoxy talks only to IP addresses that match at least one
     1505#      permit-access line and don't match any subsequent deny-access
     1506#      line. In other words, the last match wins, with the default
    15231507#      being deny-access.
    15241508#
     
    15291513#      local Privoxy to determine the IP address of the ultimate target
    15301514#      (that's often what gateways are used for).
    1531 # 
     1515#
    15321516#      You should prefer using IP addresses over DNS names, because
    15331517#      the address lookups take time. All DNS names must resolve! You
     
    15431527#
    15441528#      Explicitly define the default behavior if no ACL and
    1545 #      listen-address are set: "localhost" is OK. The absence of a 
     1529#      listen-address are set: "localhost" is OK. The absence of a
    15461530#      dst_addr implies that all destination addresses are OK:
    15471531#
     
    15501534#      Allow any host on the same class C subnet as www.privoxy.org
    15511535#      access to nothing but www.example.com:
    1552 # 
     1536#
    15531537#        permit-access  www.privoxy.org/24 www.example.com/32
    15541538#
     
    15611545#
    15621546
    1563 #     
     1547#
    15641548#  4.6. buffer-limit
    15651549#  =================
    1566 #     
     1550#
    15671551#  Specifies:
    15681552#
     
    15741558#
    15751559#  Default value:
    1576 #     
     1560#
    15771561#      4096
    1578 #     
     1562#
    15791563#  Effect if unset:
    15801564#
    15811565#      Use a 4MB (4096 KB) limit.
    1582 #     
    1583 #  Notes:
    1584 #     
    1585 #      For content filtering, i.e. the +filter and +deanimate-gif 
     1566#
     1567#  Notes:
     1568#
     1569#      For content filtering, i.e. the +filter and +deanimate-gif
    15861570#      actions, it is necessary that Privoxy buffers the entire document
    15871571#      body. This can be potentially dangerous, since a server could
     
    16001584#  5. FORWARDING
    16011585#  =============
    1602 # 
     1586#
    16031587#  This feature allows routing of HTTP requests through a chain
    16041588#  of multiple proxies. It can be used to better protect privacy
    1605 #  and confidentiality when accessing specific domains by routing   
     1589#  and confidentiality when accessing specific domains by routing
    16061590#  requests to those domains through an anonymous public proxy (see
    16071591#  e.g. http://www.multiproxy.org/anon_list.htm) Or to use a caching
     
    16121596#  Also specified here are SOCKS proxies. Privoxy supports the SOCKS
    16131597#  4 and SOCKS 4A protocols.
    1614 # 
    1615 
    1616 #     
     1598#
     1599
     1600#
    16171601#  5.1. forward
    16181602#  ============
    1619 #     
     1603#
    16201604#  Specifies:
    16211605#
     
    16341618#
    16351619#  Default value:
    1636 #     
     1620#
    16371621#      Unset
    1638 #     
     1622#
    16391623#  Effect if unset:
    16401624#
    16411625#      Don't use parent HTTP proxies.
    1642 #     
    1643 #  Notes:
    1644 #     
    1645 #      If http_parent is ".", then requests are not forwarded to   
     1626#
     1627#  Notes:
     1628#
     1629#      If http_parent is ".", then requests are not forwarded to
    16461630#      another HTTP proxy but are made directly to the web servers.
    16471631#
    16481632#      Multiple lines are OK, they are checked in sequence, and the
    16491633#      last match wins.
    1650 # 
     1634#
    16511635#  Examples:
    1652 # 
     1636#
    16531637#      Everything goes to an example anonymizing proxy, except SSL on
    16541638#      port 443 (which it doesn't handle):
    1655 # 
     1639#
    16561640#        forward   /      anon-proxy.example.org:8080
    16571641#        forward   :443   .
    1658 # 
     1642#
    16591643#      Everything goes to our example ISP's caching proxy, except for
    16601644#      requests to that ISP's sites:
     
    16621646#        forward   /                  caching-proxy.example-isp.net:8000
    16631647#        forward   .example-isp.net   .
    1664 # 
    1665 
    1666 #     
     1648#
     1649
     1650#
    16671651#  5.2. forward-socks4 and forward-socks4a
    16681652#  =======================================
    1669 #     
     1653#
    16701654#  Specifies:
    16711655#
     
    16811665#      denote "all URLs".  http_parent and socks_proxy are IP addresses
    16821666#      in dotted decimal notation or valid DNS names (http_parent may
    1683 #      be "." to denote "no HTTP forwarding"), and the optional port   
     1667#      be "." to denote "no HTTP forwarding"), and the optional port
    16841668#      parameters are TCP ports, i.e. integer values from 1 to 64535
    16851669#
    16861670#  Default value:
    1687 #     
     1671#
    16881672#      Unset
    1689 #     
     1673#
    16901674#  Effect if unset:
    16911675#
    16921676#      Don't use SOCKS proxies.
    1693 #     
    1694 #  Notes:
    1695 #     
     1677#
     1678#  Notes:
     1679#
    16961680#      Multiple lines are OK, they are checked in sequence, and the
    16971681#      last match wins.
    1698 # 
     1682#
    16991683#      The difference between forward-socks4 and forward-socks4a
    17001684#      is that in the SOCKS 4A protocol, the DNS resolution of the
    1701 #      target hostname happens on the SOCKS server, while in SOCKS 4 
     1685#      target hostname happens on the SOCKS server, while in SOCKS 4
    17021686#      it happens locally.
    17031687#
     
    17051689#      HTTP proxy but are made (HTTP-wise) directly to the web servers,
    17061690#      albeit through a SOCKS proxy.
    1707 #       
     1691#
    17081692#  Examples:
    1709 #     
     1693#
    17101694#      From the company example.com, direct connections are made to all
    17111695#      "internal" domains, but everything outbound goes through their
    1712 #      ISP's proxy by way of example.com's corporate SOCKS 4A gateway   
     1696#      ISP's proxy by way of example.com's corporate SOCKS 4A gateway
    17131697#      to the Internet.
    1714 # 
     1698#
    17151699#        forward-socks4a   /              socks-gw.example.com:1080   www-cache.example-isp.net:8080
    17161700#        forward           .example.com   .
    1717 # 
     1701#
    17181702#      A rule that uses a SOCKS 4 gateway for all destinations but no
    17191703#      HTTP parent looks like this:
    1720 # 
     1704#
    17211705#        forward-socks4   /               socks-gw.example.com:1080  .
    17221706#
    17231707forward-socks4a         /       127.0.0.1:9050 .
    17241708
    1725 # 
     1709#
    17261710#  6. WINDOWS GUI OPTIONS
    17271711#  ======================
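Review bot: The active line `forward-socks4a         /       127.0.0.1:9050 .` at new line 1707 has no comment saying that it is the local setting or why the 4a variant is required. The notes at new lines 1683 to 1686 explain that with SOCKS 4A the hostname is resolved on the SOCKS server, while with SOCKS 4 it is resolved locally; a one-line comment above line 1707 stating that this must stay forward-socks4a so that name resolution goes through the proxy at 127.0.0.1:9050 would stop someone from switching it to forward-socks4 by copying the example at line 1705.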
     
    17311715#
    17321716
    1733 #  If "activity-animation" is set to 1, the Privoxy icon will animate 
     1717#  If "activity-animation" is set to 1, the Privoxy icon will animate
    17341718#  when "Privoxy" is active. To turn off, set to 0.
    17351719#
     
    17381722#  If "log-messages" is set to 1, Privoxy will log messages to the
    17391723#  console window:
    1740 # 
     1724#
    17411725#log-messages   1
    17421726
     
    17471731#  Warning: Setting this to 0 will result in the buffer to grow
    17481732#  infinitely and eat up all your memory!
    1749 #     
     1733#
    17501734#log-buffer-size 1
    17511735
    17521736#  log-max-lines is the maximum number of lines held in the log
    17531737#  buffer. See above.
    1754 #     
     1738#
    17551739#log-max-lines 200
    17561740
    17571741#  If "log-highlight-messages" is set to 1, Privoxy will highlight
    17581742#  portions of the log messages with a bold-faced font:
    1759 #     
     1743#
    17601744#log-highlight-messages 1
    17611745
    17621746#  The font used in the console window:
    1763 #     
     1747#
    17641748#log-font-name Comic Sans MS
    17651749
    1766 #  Font size used in the console window:   
     1750#  Font size used in the console window:
    17671751#log-font-size 8
    17681752
     
    17851769
    17861770#
    1787 }}}
     1771}}
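Review bot: The closing marker on new line 1771 reads `}}`, where line 1787 of v13 had `}}}`. If that is what was saved, the preformatted block holding the config file is no longer terminated and everything after it on the wiki page will render as part of the block. Restore the third brace.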