[Privoxy-users] Suggestions and Routing question

Fabian Keil fk at fabiankeil.de
Tue Jun 28 11:03:31 UTC 2016


Unknown <arkmail0 at riseup.net> wrote:

> Hi. Thanks for your reply!

You're welcome.

> > I'm frequently annoyed by websites that force me to use HTTPS  
> 
> Well, Privoxy is a software/developer website, and having all pages on HTTPS
> is better than plain HTTP. For example, when I visit 'php.net(HTTP)', it redirects to
> 'secure.php.net(HTTPS)'. There's also a famous "HTTPS-Everywhere" add-on too.
> The world is shifting to HTTPS :-)

www.privoxy.org is available through HTTPS already,
users that prefer HTTP can still use it.

The announcements and the CGI pages use the https:// URLs so users who
don't care should get the encrypted version by default.

Users who feel like it can use Privoxy (or 'HTTPS-Everywhere') to redirect
http://www.privoxy.org/ to https://www.privoxy.org/ themselves.

> At least, how about changing this link to HTTPS? If you use HTTP for downloading,
> someone might tamper with the packet.
> 
> http://www.privoxy.org/sf-download-mirror/

If you get the link through an unencrypted connection an attacker
can modify it anyway. The "download Privoxy here" link at
https://www.privoxy.org/ already uses https.

> (Personally, I prefer (.onion Website) >>> (HTTPS) > (HTTP).)

I intend to add support for this once "Let's Encrypt" certificates
can be requested for onion URLs.

> > RSS
> > Patches for this are welcome of course.  
> 
> Can your webserver use PHP?
> If so, I'll see what I can do. (e.g., converting current release text to RSS format automatically)

Thanks for the offer.

The website is static, the tool chain to generate it is based on GNU Make,
Docbook and Perl. Changing the documentation framework is on the TODO
list (#41) but I doubt we'll ever use one based on PHP:
http://ijbswa.cvs.sourceforge.net/viewvc/ijbswa/current/TODO?view=markup#l107

The TODO list should be available through https:// once we have migrated
the repository away from SF, this is item #54 on the list.

> > If you want to prevent clients from making any requests to ports
> > other than 80 and 443, you'll need the block{} action as well.  
> 
> ...Eh, really? I've been using Privoxy for many years and I use '+limit-connect{80,443}'.
> When I tried to access 'something:8888/', privoxy serves "HTTP 503 Forward failed".

You get that error message if nothing is listening at the port you are trying
to access (or another error prevents Privoxy from connecting to the destination).

If the limit-connect{} action triggers you get a 403 error:

fk at r500 ~ $curl --head https://example.org/
HTTP/1.1 403 Request blocked by Privoxy
Content-Length: 8990
Content-Type: text/html
Cache-Control: no-cache
Date: Tue, 28 Jun 2016 10:42:31 GMT
Last-Modified: Wed, 08 Jun 1955 12:00:00 GMT
Expires: Sat, 17 Jun 2000 12:00:00 GMT
Pragma: no-cache
Connection: close

curl: (56) Received HTTP code 403 from proxy after CONNECT
 
> 
> Okay, so based on the manual, I wrote something like this;
> 
> ===(actions)===
> {+client-header-tagger{client-ip-address}}
> /
> 
> {+forward-override{forward .} +limit-connect{8888}}
> TAG:^client-ip-address: 9.8.7.6/
> ===============
> 
> I don't use any filterfile, so I'm not sure this will work; I'll try this later.

Taggers are defined in filter files, so you'll need at least one.
The client-ip-address client-header-tagger is defined in default.filter.

The tag pattern should be something like 'TAG:^IP-ADDRESS: 127.0.0.1$'.
You can add "debug 8" to let Privoxy log which tags are created and whether
or not they affected the action settings. Example:

12:49:35.763 003 Header: Tagger 'listen-address' added tag 'LISTEN-ADDRESS: 127.0.0.1:8118'. No action bits update necessary.
12:49:35.763 003 Header: Tagger 'client-ip-address' added tag 'IP-ADDRESS: 127.0.0.1'. Action bits updated accordingly.

> > In the future, please use separate mails for unrelated topics.  
> 
> Sorry about this, I'll separate email next time if I have something for Privoxy.

Thanks.

Fabian
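
Added example (not part of the original mail and not Privoxy code): a small Python helper that reads "debug 8" tagger lines like the two quoted above and reports whether a given TAG: pattern would match each logged tag. Assumptions: Python's re module stands in for Privoxy's pattern matching, the third log line is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the two "debug 8" lines quoted in the mail plus one
# made-up line for the client address used in the question (9.8.7.6).
SAMPLE_LOG = """\
12:49:35.763 003 Header: Tagger 'listen-address' added tag 'LISTEN-ADDRESS: 127.0.0.1:8118'. No action bits update necessary.
12:49:35.763 003 Header: Tagger 'client-ip-address' added tag 'IP-ADDRESS: 127.0.0.1'. Action bits updated accordingly.
12:49:36.101 004 Header: Tagger 'client-ip-address' added tag 'IP-ADDRESS: 9.8.7.6'. No action bits update necessary.
"""

TAG_LINE = re.compile(
    r"^(?P<time>\S+) (?P<thread>\S+) Header: Tagger '(?P<tagger>[^']+)' "
    r"added tag '(?P<tag>[^']*)'\. (?P<result>.+)$"
)

def parse_tag_lines(log_text):
    """Return one dict per tagger line: tagger, tag, and whether actions changed."""
    events = []
    for line in log_text.splitlines():
        m = TAG_LINE.match(line)
        if m:
            events.append({
                "tagger": m["tagger"],
                "tag": m["tag"],
                "updated": m["result"].startswith("Action bits updated"),
            })
    return events

def pattern_matches(tag_pattern, tag):
    """Approximate a 'TAG:' pattern with Python's re (assumption, see lead-in)."""
    if not tag_pattern.startswith("TAG:"):
        raise ValueError("tag patterns start with 'TAG:'")
    return re.search(tag_pattern[len("TAG:"):], tag) is not None

def audit(log_text, tag_pattern):
    """List (tag, pattern matched, action bits updated) for every logged tag."""
    return [(e["tag"], pattern_matches(tag_pattern, e["tag"]), e["updated"])
            for e in parse_tag_lines(log_text)]

if __name__ == "__main__":
    # First pattern is the one from the question, second follows the suggested form.
    for pattern in ("TAG:^client-ip-address: 9.8.7.6/", r"TAG:^IP-ADDRESS: 9\.8\.7\.6$"):
        print(pattern)
        for row in audit(SAMPLE_LOG, pattern):
            print("   ", row)
```

The pattern from the question matches none of the logged tags because the tag text starts with "IP-ADDRESS: " and carries no trailing slash, which is why the log shows the tag being created without an action update.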