├── .gitmodules ├── BASE_Events.PNG ├── BASE_Overview.PNG ├── LICENSE ├── Lightbeam_noproxy.png ├── Lightbeam_proxy.png ├── README.md ├── blacklist.txt ├── blockips.conf ├── com.github.essandess.easylist-pac.plist ├── config ├── deprecated ├── Squid.wrapper ├── disable.sh ├── macosfortress_boot_check ├── net.securemecca.pac.plist ├── org.adblockplus.privoxy-adblock.plist └── squid-27.conf ├── disable.sh ├── macosfortress_setup_check.sh ├── match-all.action ├── net.dshield.block.plist ├── net.emergingthreats.blockips.plist ├── net.hphosts.hosts.plist ├── net.openbsd.pf.brutexpire.plist ├── net.openbsd.pf.plist ├── org.opensource.flashcookiedelete.plist ├── org.squid-cache.squid-rotate.plist ├── pf.conf ├── pf_attacks ├── pf_restart ├── privoxy_restart ├── proxy.pac ├── readme-and-install.sh ├── squid.conf ├── squid_restart ├── user.action └── whitelist.txt /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "privoxy-adblock"] 2 | path = deprecated/privoxy-adblock 3 | url = ../privoxy-adblock.git 4 | [submodule "easylist-pac-privoxy"] 5 | path = easylist-pac-privoxy 6 | url = ../easylist-pac-privoxy.git 7 | branch = master 8 | [submodule "macOS-clamAV"] 9 | path = deprecated/macOS-clamAV 10 | url = ../macOS-clamAV.git 11 | -------------------------------------------------------------------------------- /BASE_Events.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/essandess/macOS-Fortress/fa709de78eef46d930d0930d22c60d85166019ce/BASE_Events.PNG -------------------------------------------------------------------------------- /BASE_Overview.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/essandess/macOS-Fortress/fa709de78eef46d930d0930d22c60d85166019ce/BASE_Overview.PNG -------------------------------------------------------------------------------- /LICENSE: 
-------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 essandess 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 

--------------------------------------------------------------------------------
/Lightbeam_noproxy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/essandess/macOS-Fortress/fa709de78eef46d930d0930d22c60d85166019ce/Lightbeam_noproxy.png
--------------------------------------------------------------------------------
/Lightbeam_proxy.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/essandess/macOS-Fortress/fa709de78eef46d930d0930d22c60d85166019ce/Lightbeam_proxy.png
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
macOS-Fortress
===========

# macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers; with On-Demand and On-Access Anti-Virus Scanning

Kernel-level, OS-level, and client-level security for macOS. Built to address a steady stream of attacks visible in snort and server logs, it also blocks ads and malicious scripts and conceals information used to track you around the web. After this package was installed, snort and other detections fell to a fraction of their previous level with a few simple blocking actions. This setup is far more capable and effective than a simple ad-blocking browser add-on: there is a world of difference between ad-filled web pages with and without a filtering proxy server. It has also saved me from inadvertently clicking on phishing links.

## Proxy features
* macOS adaptive firewall
* Adaptive firewall against brute-force attacks
* IP blocks updated about twice a day from emergingthreats.net (IP blocks, compromised hosts, malvertisers) and [dshield.org](https://secure.dshield.org)'s top-20
* Host blocks updated about twice a day from [hphosts.net](https://www.hosts-file.net)
* HTTPS inspection using [Privoxy](http://www.privoxy.org)
* [EasyList](https://easylist.to/index.html) tracker and adblock rules for [Privoxy](http://www.privoxy.org) with [adblock2privoxy](../../../adblock2privoxy)
* Incorporates multiple blocking rulesets into both Privoxy and PAC formats, including [easyprivacy.txt](https://easylist.to/easylist/easyprivacy.txt), [easylist.txt](https://easylist.to/easylist/easylist.txt), [fanboy-annoyance.txt](https://easylist.to/easylist/fanboy-annoyance.txt), [fanboy-social.txt](https://easylist.to/easylist/fanboy-social.txt), [antiadblockfilters.txt](https://easylist-downloads.adblockplus.org/antiadblockfilters.txt), [malwaredomains_full.txt](https://easylist-downloads.adblockplus.org/malwaredomains_full.txt), and the anti-spamware list [adblock-list.txt](https://raw.githubusercontent.com/Dawsey21/Lists/master/adblock-list.txt).

## Anti-Virus features
* Configures [clamAV](http://www.clamav.net) for macOS with regular on-demand scans and on-access scanning of user `Downloads`
and `Desktop` directories.
* See the [MacPorts](https://www.macports.org/) port `clamav-server` for details, `port notes clamav-server`.

## Installation

```bash
sudo port install macos-fortress
port notes macos-fortress
sudo port load macos-fortress
```

After initial installation, it is necessary to kickstart these launch daemons, which run on a schedule and do not run at load time:

```bash
sudo launchctl kickstart -k system/org.macports.macos-fortress-dshield
sudo launchctl kickstart -k system/org.macports.macos-fortress-emergingthreats
sudo launchctl kickstart -k system/org.macports.macos-fortress-hphosts
sudo launchctl kickstart -k system/org.macports.adblock2privoxy
sudo launchctl kickstart -k system/org.macports.macos-fortress-easylistpac
```

The default web server is native macOS Apache, which must be started with the command:
```bash
sudo apachectl start
```

Note that all files in this repo are superseded by the MacPorts port
[macos-fortress](https://github.com/macports/macports-ports/tree/master/net/macos-fortress), including the
deprecated installation script [readme-and-install.sh](./readme-and-install.sh).

### Firewall-only installation

```bash
sudo port install macos-fortress-pf
port notes macos-fortress-pf
sudo port load macos-fortress-pf
```

### Proxy-only installation

```bash
sudo port install macos-fortress-proxy
port notes macos-fortress-proxy
sudo port load macos-fortress-proxy
```

## Check and troubleshoot setup

> `sudo sh macosfortress_setup_check.sh`

Working output:
```
Checking macOS-Fortress installed items (run as sudo)…

Checking launchd.plist files…
[✅] /Library/LaunchDaemons/net.openbsd.pf.plist exists
[✅] /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist exists
[✅] /Library/LaunchDaemons/net.emergingthreats.blockips.plist exists
[✅] /Library/LaunchDaemons/net.dshield.block.plist exists
[✅] /Library/LaunchDaemons/net.hphosts.hosts.plist exists
[✅] /Library/LaunchDaemons/com.github.essandess.easylist-pac.plist exists
[✅] /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.plist exists
[✅] /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.nginx.plist exists
[✅] /Library/LaunchDaemons/org.squid-cache.squid-rotate.plist exists
[✅] /Library/LaunchDaemons/org.macports.Privoxy.plist exists
[✅] /Library/LaunchDaemons/org.macports.clamd.plist exists
[✅] /Library/LaunchDaemons/org.macports.freshclam.plist exists
[✅] /Library/LaunchDaemons/org.macports.ClamavScanSchedule.plist exists
[✅] /Library/LaunchDaemons/org.macports.ClamavScanOnAccess.plist exists

Checking launchd.plist's. These should all be installed with return
code 0 (2nd column of `sudo launchctl list`)…
[✅] - 0 com.github.essandess.easylist-pac
[✅] - 0 net.dshield.block
[✅] 91695 0 org.macports.ClamdScanOnAccess
[✅] - 0 org.macports.freshclam
[✅] - 0 net.openbsd.pf
[✅] - 0 com.github.essandess.adblock2privoxy
[✅] 35403 0 org.macports.clamd
[✅] - 0 org.macports.ClamavScanSchedule
[✅] - 0 net.openbsd.pf.brutexpire
[✅] - 0 net.emergingthreats.blockips
[✅] 36183 0 org.macports.Privoxy
[✅] 5578 0 com.github.essandess.adblock2privoxy.nginx
[✅] - 0 net.hphosts.hosts

Checking PF files…
[✅] /etc/pf.conf exists
[✅] /usr/local/etc/blockips.conf exists
[✅] /usr/local/etc/emerging-Block-IPs.txt exists
[✅] /usr/local/etc/compromised-ips.txt exists
[✅] /usr/local/etc/dshield_block_ip.txt exists
[✅] /usr/local/etc/block.txt exists
[✅] /usr/local/etc/block.txt.asc exists

Checking PF…
[✅] PF is enabled and running

Checking hphosts files…
[✅] /etc/hosts-hphosts exists
[✅] /usr/local/etc/hosts.zip exists
[✅] /usr/local/etc/hphosts-partial.asp exists
[✅] /usr/local/etc/whitelist.txt exists
[✅] /usr/local/etc/blacklist.txt exists

Checking /etc/hosts-hphosts creation…
[✅] /etc/hosts-hphosts exists

Checking proxy PAC and proxy chain files…
[✅] /Library/WebServer/Documents/proxy.pac.orig exists
[✅] /Library/WebServer/Documents/proxy.pac exists
[✅] /usr/local/bin/easylist_pac.py exists
[✅] /usr/local/bin/adblock2privoxy exists
[✅] /usr/local/etc/proxy.pac exists
[✅] /usr/local/etc/adblock2privoxy/nginx.conf exists
[✅] /usr/local/etc/adblock2privoxy/css/default.html exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.action exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.filter exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.action exists
[✅] /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.filter exists
[✅] /opt/local/etc/privoxy/config exists
[✅] /opt/local/var/log/privoxy/logfile exists

Checking proxy status…
[✅] Privoxy is running properly
[✅] Privoxy config http://p.p/ via http://localhost:3128 is running properly
[✅] nginx is running properly
[✅] PAC /Library/WebServer/Documents/proxy.pac.orig passes Javascript parsing
[✅] PAC /Library/WebServer/Documents/proxy.pac passes Javascript parsing
[✅] Web server for http://localhost/proxy.pac is running properly
[✅] Blackhole server for http://localhost:8119/ is running properly
```

## Disabling

```
sudo port unload macos-fortress
```

or

```
sudo port uninstall macos-fortress
```

This repo is superseded by the MacPorts port
[macos-fortress](https://github.com/macports/macports-ports/tree/master/net/macos-fortress), including the
deprecated disable/uninstall script [disable.sh](./disable.sh), which was originally used to unload all launch daemons,
disable the pf firewall, and list all installed files **without** removing them.

## Configuration modifications

There are three major, independent, and configurable components to the repo: the PF firewall, the proxy chain, and the
AV scanner. Here are a few configuration pointers.

### PF firewall

The file [pf.conf](./pf.conf) controls the firewall ruleset and will likely need editing for a specific computer and network, or
for a VPN server [configuration](../../../macos-openvpn-server/pf.conf).

* The PF firewall can be disabled with the command:
> `sudo pfctl -d`
* The variable `int_if` for the internal interface is set to `en0`. This should be changed to the active interface on your
computer, which can be determined with the command `ifconfig -a`, or more specifically:
> `ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+'`
* The LAN address table is set to the standard reserved ranges `{ 10/8, 172.16/12, 192.168/16 }`. This must be changed
to the CIDR ranges on the specific LAN.
* Specific services accessible only on the LAN and on the open internet should be selected and set in the appropriate
variables. See `/etc/services`.
* The PF firewall ruleset can be flushed, enabled, and reinitialized with the command:
> `sudo pfctl -Fall && sudo pfctl -ef /etc/pf.conf`
* Check the syntax of an edited ruleset first with `sudo pfctl -nf /etc/pf.conf`. A parse error after `-Fall` leaves pf enabled with no rules loaded, i.e. passing everything, and `-Fall` also empties the tables, so the adaptive `<bruteforce>` table starts over.
* See the `pfctl` commands in the script [pf_attacks](./pf_attacks) to determine IP addresses and counts for the various
blocked IPs. E.g., the adaptive table `<bruteforce>` is shown using the command:
> `sudo pfctl -t bruteforce -Ts`

### Proxy

Privoxy on port 8118 is configured in [config](./config) to send web requests to the internet, with HTTPS inspection configured for
blocking content within TLS-encrypted tunnels, which now carry the great majority of web content. Privoxy inspects HTTPS by
re-signing server certificates with a local CA, so every client routed through the proxy must trust that CA certificate, and the
CA private key on the proxy host must be protected like any other signing key. An auxiliary nginx web server for CSS-based
element hiding is configured on port 8119. Privoxy `.action` and `.filter` files, and nginx `.css` files, are created from EasyList rules
using the repo [adblock2privoxy](../../../adblock2privoxy).

Browsing to the Privoxy configuration page http://p.p/ through any of these proxy configurations is a check on whether the
proxy is running and configured correctly.

To provide these services on a firewalled LAN, edit the Privoxy and nginx configuration files
[config](./config) and [nginx.conf](../../../adblock2privoxy//nginx.conf) so that they're
available for devices on the LAN, or connecting from a [VPN tunnel](../../../macos-openvpn-server/).
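The PF firewall section above relies on the emergingthreats.net and dshield.org feeds being loaded straight from the downloaded files into pf tables. As an added example, not code from macOS-Fortress or its MacPorts port, the following POSIX shell function filters a fetched feed before it reaches `pfctl`: it drops comments, CRLF debris, IPv6 and malformed entries, and anything that would blackhole loopback, RFC 1918 space or the whole Internet (a poisoned or truncated feed could otherwise lock you out of your own LAN). The feed contents are constructed, and the `/8` minimum prefix length and the temporary-file handling are assumptions made for the example.

```sh
#!/bin/sh
# Added example: sanitize a downloaded IP blocklist before pf loads it.
# Not part of macOS-Fortress. Assumes one IPv4 address or IPv4/CIDR per
# line with '#' comments, the format of the emergingthreats/dshield feeds.

# sanitize_blocklist FILE
# Prints normalized "a.b.c.d/len" entries, one per line, sorted and
# de-duplicated. Drops comments, CRs, IPv6, bad octets or prefixes, and
# anything covering loopback, RFC 1918 ranges, 0.0.0.0/0, or a prefix
# shorter than /8 (assumed far too broad for a threat feed).
sanitize_blocklist() {
    tr -d '\r' < "$1" |
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk '
        NF != 1 { next }                       # blank, comment-only, or junk
        {
            n = split($1, p, "/")
            if (n > 2) next
            len = (n == 2) ? p[2] : "32"
            if (len !~ /^[0-9]+$/ || len + 0 > 32 || len + 0 < 8) next
            len += 0
            if (split(p[1], o, ".") != 4) next  # IPv6 or garbage
            for (i = 1; i <= 4; i++) {
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
                o[i] += 0
            }
            # never let a feed block "this host" / loopback / our own LAN
            if (o[1] == 0 || o[1] == 127 || o[1] == 10) next
            if (o[1] == 172 && o[2] >= 16 && o[2] <= 31) next
            if (o[1] == 192 && o[2] == 168) next
            print o[1] "." o[2] "." o[3] "." o[4] "/" len
        }' |
    LC_ALL=C sort -u
}

# Constructed sample feed for a stand-alone run; real input is the file
# that net.emergingthreats.blockips or net.dshield.block downloaded.
demo_sanitize() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
# constructed feed: good, duplicate, malformed, and dangerous entries
192.0.2.4
198.51.100.0/24
203.0.113.77   # trailing comment
192.0.2.4
10.0.0.0/8
127.0.0.1
0.0.0.0/0
192.168.1.77
172.20.5.5
999.1.1.1
203.0.113.9/33
2001:db8::1
EOF
    sanitize_blocklist "$tmp"
    rm -f "$tmp"
}

# Live use: write the cleaned feed and swap it into the table that
# blockips.conf defines for it (table name from the README Notes), e.g.
#   sanitize_blocklist /usr/local/etc/emerging-Block-IPs.txt > /tmp/et.clean
#   sudo pfctl -t emerging_threats -T replace -f /tmp/et.clean
if [ "${1:-}" = "--demo" ]; then demo_sanitize; fi
```

`pfctl -T replace` swaps the table contents atomically, so there is no window with an empty table, and `-T show` on the same table afterwards confirms what pf actually holds.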

### MacPorts updates

Update MacPorts packages regularly. This command will update the MacPorts database, upgrade all installed packages, and uninstall all older, inactive versions.

`sudo bash -c 'port selfupdate ; port -puN upgrade outdated ; port uninstall inactive'`

### Warning about Privoxy compression

Though it's possible to build Privoxy with the `configure` `--enable-compression` option,
compressed HTTP traffic within a [VPN tunnel](../../../macos-openvpn-server) exposes your traffic to
compression-oracle attacks such as CRIME and [VORACLE](https://openvpn.net/security-advisory/the-voracle-attack-vulnerability/) and is generally not
recommended.

## Installation details
The MacPorts port
[macos-fortress](https://github.com/macports/macports-ports/tree/master/net/macos-fortress)
(`sudo port install macos-fortress`) installs and configures a macOS firewall and privatizing
proxy. It will:
* Use MacPorts to download and install several key utilities and applications (wget gnupg p7zip squid privoxy nmap)
* Configure macOS's native PF firewall (man pfctl, man pf.conf) and Privoxy
* Allow networking on the local computer to be set up to use this Automatic Proxy Configuration without breaking App Store or other updates (see the Privoxy config)
* Leave the nat directive in pf.conf commented out; uncomment it if you wish to set up an [OpenVPN server](../../../macos-openvpn-server)
* Install and launch daemons that download and regularly update open source IP and host blacklists. The sources are emergingthreats.net (net.emergingthreats.blockips.plist), dshield.org (net.dshield.block.plist), and hosts-file.net (net.hphosts.hosts.plist)
* After installation the connection between clients and the internet looks like this:

> **Application** :arrow_right: **`proxy.pac`** :arrow_right: port 8118 :arrow_right: **Privoxy** :arrow_right: **Internet**

An auxiliary nginx-based web server (nominally on `localhost:8119`) is used both as a `proxy.pac` ad and tracker blackhole and for the CSS element-blocking rules generated, together with the Privoxy configuration, by [adblock2privoxy](../../../adblock2privoxy).

## Public Service Announcement

This firewall is configured to block all known tracker and adware content, in the browser, in-app, wherever it finds them. Many websites now offer an additional way to block ads: subscribe to their content. Security and privacy will always necessitate ad blocking, but now that this software has become mainstream with mainstream effects, ad blocker users must consider the [potential impact](http://arstechnica.com/business/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love/) of ad blocking on the writers and publications that are important to them. Personally, two publications that I gladly pay for, especially for their important 2016 US Presidential election coverage, are the *[New York Times](http://www.nytimes.com)* and *[The Atlantic](http://www.theatlantic.com)*. I encourage all users to subscribe to their own preferred publications and writers.


## Tracker blocking

[Lightbeam](https://www.mozilla.org/en-US/lightbeam/), the tracking tracker Firefox add-on, shows how ad- and tracker-blocking works to prevent third parties from monitoring you or your children's online activities. My daughter enjoys the learning exercises at the children's website [ABCya!](http://www.abcya.com). The Lightbeam graph below on the left shows all the third-party trackers after less than a minute of browser activity, without using a privatizing proxy. The graph on the right shows all this tracker activity blocked when this privatizing proxy is used.


![Lightbeam graph without proxy](Lightbeam_noproxy.png)| ![Lightbeam graph with proxy](Lightbeam_proxy.png)
------------ | -------------
Lightbeam graph without proxy | Lightbeam graph with proxy

This problem is the subject of Gary Kovacs's TED talk, *Tracking Our Online Trackers:*

[![Tracking our online trackers](https://www.wired.com/images_blogs/business/2012/02/6792752454_99d91d2a92_z.jpg)](https://www.youtube.com/watch?v=f_f5wNw-2c0 "Tracking our online trackers")


## Attack blocking

The snort intrusion detection system reports far fewer events when known attack sites are blackholed by the packet filter:

![snort+BASE Overview](BASE_Overview.PNG)| ![snort+BASE Events](BASE_Events.PNG)
------------ | -------------
snort+BASE Overview | snort+BASE Events

## Notes

* Configure the squid proxy to accept connections on the LAN IP and set LAN device Automatic Proxy Configurations to http://lan_ip/proxy.pac to protect devices on the LAN.
* Count the number of attacks since boot with the script pf_attacks. "Attack" is defined as the number of blocked IPs in PF's bruteforce table plus the number of denied connections from blacklisted IPs in the tables compromised_ips, dshield_block_ip, and emerging_threats.
* Both squid and Privoxy are configured to forge the User-Agent. The default is an iPad to allow mobile device access. Change this to your local needs if necessary.
* Whitelist or blacklist specific domain names with the files `/usr/local/etc/whitelist.txt` and `/usr/local/etc/blacklist.txt`. After editing these files, use launchctl to unload and load the plist `/Library/LaunchDaemons/net.hphosts.hosts.plist`, which recreates the hosts file `/etc/hosts-hphosts` and reconfigures the squid proxy to use the updates.
* Sometimes pf and Privoxy do not launch at boot, in spite of their launch daemons. Fix this by hand after boot with the script `macosfortress_boot_check`, or individually using `pf_restart`, `privoxy_restart`, and `squid_restart`. And please post a solution if you find one.
* All open source updates are done using the `wget -N` option to save everyone's bandwidth.

## Security

* These services are intended to be run on a secure LAN behind a router firewall.
* The default proxy configuration will only accept connections made from the local computer (localhost). If you change this to accept connections from any client on your LAN, do not configure the router to forward port 8118 (nor the nginx blackhole port 8119), or you will be running an open web proxy.
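The setup check above reads the second column of `sudo launchctl list`, and the Notes warn that pf and Privoxy sometimes fail to come up at boot. As an added example, not code from macOS-Fortress, this POSIX shell snippet turns `launchctl list` output into the list of jobs that need a `launchctl kickstart -k`: any job whose last exit status is non-zero, plus any of the daemons that the working output shows as resident (Privoxy, clamd, the adblock2privoxy nginx) that has no PID. The label prefixes it filters on are taken from the working output above; the `launchctl list` sample is constructed.

```sh
#!/bin/sh
# Added example: find macOS-Fortress launchd jobs that need a kickstart.
# Not part of macOS-Fortress. Input is the output of `sudo launchctl list`
# (columns: PID, last exit status, label; a "-" PID means not resident).

# Jobs that must always have a PID, per the working setup-check output.
RESIDENT_LABELS='org.macports.Privoxy org.macports.clamd com.github.essandess.adblock2privoxy.nginx'

# launchd_problems < launchctl-list-output
# Prints one "label reason" line per job that exited non-zero or, for the
# resident daemons, is not running. Prints nothing when everything is fine.
launchd_problems() {
    awk -v resident="$RESIDENT_LABELS" '
        BEGIN { n = split(resident, r, " "); for (i = 1; i <= n; i++) keep[r[i]] = 1 }
        NR == 1 && $1 == "PID" { next }          # column header
        NF < 3 { next }
        # only the labels this package installs (prefixes from the setup check)
        $3 !~ /^(net\.openbsd\.pf|net\.emergingthreats|net\.dshield|net\.hphosts|com\.github\.essandess|org\.macports|org\.squid-cache)/ { next }
        $2 + 0 != 0 { print $3 " exited with status " $2; next }
        ($3 in keep) && $1 == "-" { print $3 " is not running" }
    '
}

# kickstart_commands < launchctl-list-output
# Emits the launchctl command that restarts each problem job in place.
kickstart_commands() {
    launchd_problems | awk '{ print "sudo launchctl kickstart -k system/" $1 }'
}

# Constructed sample of `sudo launchctl list` for a stand-alone run.
demo_launchd_check() {
    launchd_problems <<'EOF'
PID     Status  Label
-       0       net.dshield.block
35403   0       org.macports.clamd
-       0       org.macports.Privoxy
-       78      net.hphosts.hosts
5578    0       com.github.essandess.adblock2privoxy.nginx
-       -15     net.emergingthreats.blockips
412     0       com.apple.unrelated
EOF
}

# Live use (review the output, then run the lines it prints):
#   sudo launchctl list | kickstart_commands
if [ "${1:-}" = "--demo" ]; then demo_launchd_check; fi
```

A negative status (here `-15`) is launchd's way of reporting that the job was killed by that signal, which is why the test is "non-zero" rather than "positive".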

--------------------------------------------------------------------------------
/blacklist.txt:
--------------------------------------------------------------------------------

# blacklisted hosts of the form "127.0.0.1 hostname.tld" appended to /etc/hosts
# 127.0.0.1 www.ahostnamethatyouwanttoblackholebutwillneveractuallyseeontheinternet.net
# https://krebsonsecurity.com/2014/01/deconstructing-the-9-84-credit-card-hustle/
127.0.0.1 callscs.in
127.0.0.1 cewebcs.com
127.0.0.1 cs-casa.com
127.0.0.1 cewcs.com
127.0.0.1 eduacc.in
127.0.0.1 educs.in
127.0.0.1 eetsac.com
127.0.0.1 etosac.com
127.0.0.1 feosac.com
127.0.0.1 foculu.com
127.0.0.1 homecs.in
127.0.0.1 iawcs.com
127.0.0.1 iewcs.com
127.0.0.1 livecs.in
127.0.0.1 netcs.in
127.0.0.1 ntccs.in
127.0.0.1 ntsupp.com
127.0.0.1 onwsac.com
127.0.0.1 premcs.in
127.0.0.1 profcs.com
127.0.0.1 quikcs.com
127.0.0.1 sacluc.com
127.0.0.1 sacsis.com
127.0.0.1 sewcs.com
127.0.0.1 suppcs.in
127.0.0.1 tdwcs.com
127.0.0.1 techcs.in
127.0.0.1 vagacs.com
127.0.0.1 webcs.in

# https://guardianapp.com/ios-app-location-report-sep2018.html
127.0.0.1 api.areametrics.com
127.0.0.1 in.cuebiq.com
127.0.0.1 et.intake.factual.com
127.0.0.1 api.factual.com
127.0.0.1 api.beaconsinspace.com
127.0.0.1 api.huq.io
127.0.0.1 m2m-api.inmarket.com
127.0.0.1 mobileapi.mobiquitynetworks.com
127.0.0.1 sdk.revealmobile.com
127.0.0.1 api.safegraph.com
127.0.0.1 incoming-data-sense360.s3.amazonaws.com
127.0.0.1 ios-quinoa-personal-identify-prod.sense360eng.com
127.0.0.1 ios-quinoa-events-prod.sense360eng.com
127.0.0.1 ios-quinoa-high-frequency-events-prod.sense360eng.com
127.0.0.1 v1.blueberry.cloud.databerries.com
127.0.0.1 pie.wirelessregistry.com

# Blocking this domain breaks CNN app live streaming -- send to nginx blackhole
# To diagnose:
# tcpdump -e -ttt -i en0 -w my-iPad-cnn-3128.pcap src my-iPad or dst my-iPad
# grep -a 'URL: .*$/\1/; print;' | uniq
127.0.0.1:8119 bea4.v.fwmrm.net
--------------------------------------------------------------------------------
/blockips.conf:
--------------------------------------------------------------------------------
# Define tables and drop rules for open source IP blocks
# Reload with:
# pfctl -a blockips -T load -f /usr/local/etc/blockips.conf
#
# Note: these rules drop packets whose *source* is in a table, i.e.
# unsolicited inbound traffic from listed addresses. Connections that this
# host initiates towards a listed address are still passed by state.
# Table names match those counted by the pf_attacks script.

# Emerging Threats Open Source, http://rules.emergingthreats.net/fwrules/

# http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
table <emerging_threats> persist file "/usr/local/etc/emerging-Block-IPs.txt"
block drop log quick from <emerging_threats> to any

# http://rules.emergingthreats.net/blockrules/compromised-ips.txt
table <compromised_ips> persist file "/usr/local/etc/compromised-ips.txt"
block drop log quick from <compromised_ips> to any

# THIS RULESET HAS BEEN OBSOLETED!!
# http://rules.emergingthreats.net/blockrules/rbn-ips.txt
#table persist file "/usr/local/etc/rbn-ips.txt"
#block drop log quick from to any

# http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
#table persist file "/usr/local/etc/rbn-malvertisers-ips.txt"
#block drop log quick from to any

# dshield.org block list
table <dshield_block_ip> persist file "/usr/local/etc/dshield_block_ip.txt"
block drop log quick from <dshield_block_ip> to any
--------------------------------------------------------------------------------
/com.github.essandess.easylist-pac.plist:
--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.github.essandess.easylist-pac</string>
	<key>Program</key>
	<string>/bin/bash</string>
	<key>ProgramArguments</key>
	<array>
		<string>/bin/bash</string>
		<string>-c</string>
		<string>PATH=$PATH:/opt/local/bin PROXY_PAC_DIRECTORY=/Library/WebServer/Documents PYTHONIOENCODING=utf_8 ; /bin/mkdir -p /usr/local/etc ; ( /bin/test -f $PROXY_PAC_DIRECTORY/proxy.pac.orig || /usr/bin/install -m 644 -S $PROXY_PAC_DIRECTORY/proxy.pac $PROXY_PAC_DIRECTORY/proxy.pac.orig ) &amp;&amp; /usr/local/bin/easylist_pac.py -p 127.0.0.1:3128 -b 127.0.0.1:8119 -d /usr/local/etc -P $PROXY_PAC_DIRECTORY/proxy.pac.orig &amp;&amp; /usr/bin/install -m 644 -g admin -S /usr/local/etc/proxy.pac $PROXY_PAC_DIRECTORY/proxy.pac</string>
	</array>
	<key>RunAtLoad</key>
	<false/>
	<key>StartCalendarInterval</key>
	<array>
		<dict>
			<key>Weekday</key>
			<integer>7</integer>
			<key>Hour</key>
			<integer>1</integer>
			<key>Minute</key>
			<integer>10</integer>
		</dict>
	</array>
	<key>StandardErrorPath</key>
	<string>/var/log/system.log</string>
	<key>StandardOutPath</key>
	<string>/var/log/system.log</string>
</dict>
</plist>

--------------------------------------------------------------------------------
/config:
--------------------------------------------------------------------------------
# Sample Configuration File for Privoxy 3.0.26
#
# $Id: config,v 1.112 2016/08/26 13:14:18 fabiankeil Exp $
#
# Copyright (C) 2001-2016 Privoxy Developers https://www.privoxy.org/
#
##################################################################### 8 | # # 9 | # Table of Contents # 10 | # # 11 | # I. INTRODUCTION # 12 | # II. FORMAT OF THE CONFIGURATION FILE # 13 | # # 14 | # 1. LOCAL SET-UP DOCUMENTATION # 15 | # 2. CONFIGURATION AND LOG FILE LOCATIONS # 16 | # 3. DEBUGGING # 17 | # 4. ACCESS CONTROL AND SECURITY # 18 | # 5. FORWARDING # 19 | # 6. MISCELLANEOUS # 20 | # 7. WINDOWS GUI OPTIONS # 21 | # # 22 | ##################################################################### 23 | # 24 | # 25 | # I. INTRODUCTION 26 | # =============== 27 | # 28 | # This file holds Privoxy's main configuration. Privoxy detects 29 | # configuration changes automatically, so you don't have to restart 30 | # it unless you want to load a different configuration file. 31 | # 32 | # The configuration will be reloaded with the first request after 33 | # the change was done, this request itself will still use the old 34 | # configuration, though. In other words: it takes two requests 35 | # before you see the result of your changes. Requests that are 36 | # dropped due to ACL don't trigger reloads. 37 | # 38 | # When starting Privoxy on Unix systems, give the location of this 39 | # file as last argument. On Windows systems, Privoxy will look for 40 | # this file with the name 'config.txt' in the current working 41 | # directory of the Privoxy process. 42 | # 43 | # 44 | # II. FORMAT OF THE CONFIGURATION FILE 45 | # ==================================== 46 | # 47 | # Configuration lines consist of an initial keyword followed by a 48 | # list of values, all separated by whitespace (any number of spaces 49 | # or tabs). For example, 50 | # 51 | # actionsfile default.action 52 | # 53 | # Indicates that the actionsfile is named 'default.action'. 54 | # 55 | # The '#' indicates a comment. Any part of a line following a '#' is 56 | # ignored, except if the '#' is preceded by a '\'. 
57 | # 58 | # Thus, by placing a # at the start of an existing configuration 59 | # line, you can make it a comment and it will be treated as if it 60 | # weren't there. This is called "commenting out" an option and can 61 | # be useful. Removing the # again is called "uncommenting". 62 | # 63 | # Note that commenting out an option and leaving it at its default 64 | # are two completely different things! Most options behave very 65 | # differently when unset. See the "Effect if unset" explanation in 66 | # each option's description for details. 67 | # 68 | # Long lines can be continued on the next line by using a `\' as the 69 | # last character. 70 | # 71 | # 72 | # 1. LOCAL SET-UP DOCUMENTATION 73 | # ============================== 74 | # 75 | # If you intend to operate Privoxy for more users than just 76 | # yourself, it might be a good idea to let them know how to reach 77 | # you, what you block and why you do that, your policies, etc. 78 | # 79 | # 80 | # 1.1. user-manual 81 | # ================= 82 | # 83 | # Specifies: 84 | # 85 | # Location of the Privoxy User Manual. 86 | # 87 | # Type of value: 88 | # 89 | # A fully qualified URI 90 | # 91 | # Default value: 92 | # 93 | # Unset 94 | # 95 | # Effect if unset: 96 | # 97 | # https://www.privoxy.org/version/user-manual/ will be used, 98 | # where version is the Privoxy version. 99 | # 100 | # Notes: 101 | # 102 | # The User Manual URI is the single best source of information 103 | # on Privoxy, and is used for help links from some of the 104 | # internal CGI pages. The manual itself is normally packaged 105 | # with the binary distributions, so you probably want to set 106 | # this to a locally installed copy. 
107 | # 108 | # Examples: 109 | # 110 | # The best all purpose solution is simply to put the full local 111 | # PATH to where the User Manual is located: 112 | # 113 | # user-manual /usr/share/doc/privoxy/user-manual 114 | # 115 | # The User Manual is then available to anyone with access to 116 | # Privoxy, by following the built-in URL: http:// 117 | # config.privoxy.org/user-manual/ (or the shortcut: http://p.p/ 118 | # user-manual/). 119 | # 120 | # If the documentation is not on the local system, it can be 121 | # accessed from a remote server, as: 122 | # 123 | # user-manual http://example.com/privoxy/user-manual/ 124 | # 125 | # WARNING!!! 126 | # 127 | # If set, this option should be the first option in the 128 | # config file, because it is used while the config file is 129 | # being read. 130 | # 131 | #user-manual https://www.privoxy.org/user-manual/ 132 | # 133 | # 1.2. trust-info-url 134 | # ==================== 135 | # 136 | # Specifies: 137 | # 138 | # A URL to be displayed in the error page that users will see if 139 | # access to an untrusted page is denied. 140 | # 141 | # Type of value: 142 | # 143 | # URL 144 | # 145 | # Default value: 146 | # 147 | # Unset 148 | # 149 | # Effect if unset: 150 | # 151 | # No links are displayed on the "untrusted" error page. 152 | # 153 | # Notes: 154 | # 155 | # The value of this option only matters if the experimental 156 | # trust mechanism has been activated. (See trustfile below.) 157 | # 158 | # If you use the trust mechanism, it is a good idea to write up 159 | # some on-line documentation about your trust policy and to 160 | # specify the URL(s) here. Use multiple times for multiple URLs. 161 | # 162 | # The URL(s) should be added to the trustfile as well, so users 163 | # don't end up locked out from the information on why they were 164 | # locked out in the first place! 
165 | # 166 | #trust-info-url http://www.example.com/why_we_block.html 167 | #trust-info-url http://www.example.com/what_we_allow.html 168 | # 169 | # 1.3. admin-address 170 | # =================== 171 | # 172 | # Specifies: 173 | # 174 | # An email address to reach the Privoxy administrator. 175 | # 176 | # Type of value: 177 | # 178 | # Email address 179 | # 180 | # Default value: 181 | # 182 | # Unset 183 | # 184 | # Effect if unset: 185 | # 186 | # No email address is displayed on error pages and the CGI user 187 | # interface. 188 | # 189 | # Notes: 190 | # 191 | # If both admin-address and proxy-info-url are unset, the whole 192 | # "Local Privoxy Support" box on all generated pages will not be 193 | # shown. 194 | # 195 | #admin-address privoxy-admin@example.com 196 | admin-address root@localhost 197 | # 198 | # 1.4. proxy-info-url 199 | # ==================== 200 | # 201 | # Specifies: 202 | # 203 | # A URL to documentation about the local Privoxy setup, 204 | # configuration or policies. 205 | # 206 | # Type of value: 207 | # 208 | # URL 209 | # 210 | # Default value: 211 | # 212 | # Unset 213 | # 214 | # Effect if unset: 215 | # 216 | # No link to local documentation is displayed on error pages and 217 | # the CGI user interface. 218 | # 219 | # Notes: 220 | # 221 | # If both admin-address and proxy-info-url are unset, the whole 222 | # "Local Privoxy Support" box on all generated pages will not be 223 | # shown. 224 | # 225 | # This URL shouldn't be blocked ;-) 226 | # 227 | #proxy-info-url http://www.example.com/proxy-service.html 228 | # 229 | # 2. CONFIGURATION AND LOG FILE LOCATIONS 230 | # ======================================== 231 | # 232 | # Privoxy can (and normally does) use a number of other files for 233 | # additional configuration, help and logging. This section of the 234 | # configuration file tells Privoxy where to find those other files. 
#
#  The user running Privoxy must have read permission for all
#  configuration files, and write permission to any files that would
#  be modified, such as log files and actions files.
#
#
#  2.1. confdir
#  =============
#
#  Specifies:
#
#      The directory where the other configuration files are located.
#
#  Type of value:
#
#      Path name
#
#  Default value:
#
#      /etc/privoxy (Unix) or Privoxy installation dir (Windows)
#
#  Effect if unset:
#
#      Mandatory
#
#  Notes:
#
#      No trailing "/", please.
#
confdir /opt/local/etc/privoxy
#
#  2.2. templdir
#  ==============
#
#  Specifies:
#
#      An alternative directory where the templates are loaded from.
#
#  Type of value:
#
#      Path name
#
#  Default value:
#
#      unset
#
#  Effect if unset:
#
#      The templates are assumed to be located in confdir/template.
#
#  Notes:
#
#      Privoxy's original templates are usually overwritten with each
#      update. Use this option to relocate customized templates that
#      should be kept. As template variables might change between
#      updates, you shouldn't expect templates to work with Privoxy
#      releases other than the one they were part of, though.
#
#templdir .
#
#  2.3. temporary-directory
#  =========================
#
#  Specifies:
#
#      A directory where Privoxy can create temporary files.
#
#  Type of value:
#
#      Path name
#
#  Default value:
#
#      unset
#
#  Effect if unset:
#
#      No temporary files are created, external filters don't work.
#
#  Notes:
#
#      To execute external filters, Privoxy has to create temporary
#      files. This directive specifies the directory the temporary
#      files should be written to.
#
#      It should be a directory only Privoxy (and trusted users) can
#      access.
#
#temporary-directory .
#
#  2.4. logdir
#  ============
#
#  Specifies:
#
#      The directory where all logging takes place (i.e. where the
#      logfile is located).
#
#  Type of value:
#
#      Path name
#
#  Default value:
#
#      /var/log/privoxy (Unix) or Privoxy installation dir (Windows)
#
#  Effect if unset:
#
#      Mandatory
#
#  Notes:
#
#      No trailing "/", please.
#
logdir /opt/local/var/log/privoxy
#
#  2.5. actionsfile
#  =================
#
#  Specifies:
#
#      The actions file(s) to use
#
#  Type of value:
#
#      Complete file name, relative to confdir
#
#  Default values:
#
#      match-all.action # Actions that are applied to all sites and maybe overruled later on.
#
#      default.action   # Main actions file
#
#      user.action      # User customizations
#
#  Effect if unset:
#
#      No actions are taken at all. More or less neutral proxying.
#
#  Notes:
#
#      Multiple actionsfile lines are permitted, and are in fact
#      recommended!
#
#      The default values are default.action, which is the "main"
#      actions file maintained by the developers, and user.action,
#      where you can make your personal additions.
#
#      Actions files contain all the per site and per URL
#      configuration for ad blocking, cookie management, privacy
#      considerations, etc.
#
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action   # Main actions file
actionsfile user.action      # User customizations
actionsfile /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.action
actionsfile /usr/local/etc/adblock2privoxy/privoxy/ab2p.action
#
#  2.6. filterfile
#  ================
#
#  Specifies:
#
#      The filter file(s) to use
#
#  Type of value:
#
#      File name, relative to confdir
#
#  Default value:
#
#      default.filter (Unix) or default.filter.txt (Windows)
#
#  Effect if unset:
#
#      No textual content filtering takes place, i.e. all +filter{name}
#      actions in the actions files are turned neutral.
#
#  Notes:
#
#      Multiple filterfile lines are permitted.
#
#      The filter files contain content modification rules that use
#      regular expressions. These rules permit powerful changes on
#      the content of Web pages, and optionally the headers as well,
#      e.g., you could try to disable your favorite JavaScript
#      annoyances, re-write the actual displayed text, or just have
#      some fun playing buzzword bingo with web pages.
#
#      The +filter{name} actions rely on the relevant filter (name)
#      to be defined in a filter file!
#
#      A pre-defined filter file called default.filter that contains
#      a number of useful filters for common problems is included in
#      the distribution. See the section on the filter action for a
#      list.
#
#      It is recommended to place any locally adapted filters into a
#      separate file, such as user.filter.
#
filterfile default.filter
filterfile user.filter      # User customizations
filterfile /usr/local/etc/adblock2privoxy/privoxy/ab2p.system.filter
filterfile /usr/local/etc/adblock2privoxy/privoxy/ab2p.filter
#
#  2.7. logfile
#  =============
#
#  Specifies:
#
#      The log file to use
#
#  Type of value:
#
#      File name, relative to logdir
#
#  Default value:
#
#      Unset (commented out). When activated: logfile (Unix) or
#      privoxy.log (Windows).
#
#  Effect if unset:
#
#      No logfile is written.
#
#  Notes:
#
#      The logfile is where all logging and error messages are
#      written. The level of detail and number of messages are set
#      with the debug option (see below). The logfile can be useful
#      for tracking down a problem with Privoxy (e.g., it's not
#      blocking an ad you think it should block) and it can help you
#      to monitor what your browser is doing.
#
#      Depending on the debug options below, the logfile may be a
#      privacy risk if third parties can get access to it. As most
#      users will never look at it, Privoxy only logs fatal errors by
#      default.
#
#      For most troubleshooting purposes, you will have to change
#      that, please refer to the debugging section for details.
#
#      Any log files must be writable by whatever user Privoxy is
#      being run as (on Unix, default user id is "privoxy").
#
#      To prevent the logfile from growing indefinitely, it is
#      recommended to periodically rotate or shorten it. Many
#      operating systems support log rotation out of the box, some
#      require additional software to do it. For details, please
#      refer to the documentation for your operating system.
#
logfile logfile
#
#  2.8. trustfile
#  ===============
#
#  Specifies:
#
#      The name of the trust file to use
#
#  Type of value:
#
#      File name, relative to confdir
#
#  Default value:
#
#      Unset (commented out). When activated: trust (Unix) or
#      trust.txt (Windows)
#
#  Effect if unset:
#
#      The entire trust mechanism is disabled.
#
#  Notes:
#
#      The trust mechanism is an experimental feature for building
#      white-lists and should be used with care. It is NOT
#      recommended for the casual user.
#
#      If you specify a trust file, Privoxy will only allow access to
#      sites that are specified in the trustfile. Sites can be listed
#      in one of two ways:
#
#      Prepending a ~ character limits access to this site only (and
#      any sub-paths within this site), e.g. ~www.example.com allows
#      access to ~www.example.com/features/news.html, etc.
#
#      Or, you can designate sites as trusted referrers, by
#      prepending the name with a + character. The effect is that
#      access to untrusted sites will be granted -- but only if a
#      link from this trusted referrer was used to get there. The
#      link target will then be added to the "trustfile" so that
#      future, direct accesses will be granted. Sites added via this
#      mechanism do not become trusted referrers themselves (i.e.
#      they are added with a ~ designation). There is a limit of 512
#      such entries, after which new entries will not be made.
#
#      If you use the + operator in the trust file, it may grow
#      considerably over time.
#
#      It is recommended that Privoxy be compiled with the
#      --disable-force, --disable-toggle and --disable-editor
#      options, if this feature is to be used.
#
#      Possible applications include limiting Internet access for
#      children.
#
#trustfile trust
#
#  3. DEBUGGING
#  =============
#
#  These options are mainly useful when tracing a problem. Note that
#  you might also want to invoke Privoxy with the --no-daemon command
#  line option when debugging.
#
#
#  3.1. debug
#  ===========
#
#  Specifies:
#
#      Key values that determine what information gets logged.
#
#  Type of value:
#
#      Integer values
#
#  Default value:
#
#      0 (i.e.: only fatal errors (that cause Privoxy to exit) are
#      logged)
#
#  Effect if unset:
#
#      Default value is used (see above).
#
#  Notes:
#
#      The available debug levels are:
#
#        debug     1 # Log the destination for each request Privoxy let through. See also debug 1024.
#        debug     2 # show each connection status
#        debug     4 # show I/O status
#        debug     8 # show header parsing
#        debug    16 # log all data written to the network
#        debug    32 # debug force feature
#        debug    64 # debug regular expression filters
#        debug   128 # debug redirects
#        debug   256 # debug GIF de-animation
#        debug   512 # Common Log Format
#        debug  1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#        debug  2048 # CGI user interface
#        debug  4096 # Startup banner and warnings.
#        debug  8192 # Non-fatal errors
#        debug 32768 # log all data read from the network
#        debug 65536 # Log the applying actions
#
#      To select multiple debug levels, you can either add them or
#      use multiple debug lines.
#
#      A debug level of 1 is informative because it will show you
#      each request as it happens. 1, 1024, 4096 and 8192 are
#      recommended so that you will notice when things go wrong. The
#      other levels are probably only of interest if you are hunting
#      down a specific problem. They can produce a hell of an output
#      (especially 16).
#
#      If you are used to the more verbose settings, simply enable
#      the debug lines below again.
#
#      If you want to use pure CLF (Common Log Format), you should
#      set "debug 512" ONLY and not enable anything else.
#
#      Privoxy has a hard-coded limit for the length of log messages.
#      If it's reached, messages are logged truncated and marked with
#      "... [too long, truncated]".
#
#      Please don't file any support requests without trying to
#      reproduce the problem with increased debug level first. Once
#      you read the log messages, you may even be able to solve the
#      problem on your own.
#
#debug     1 # Log the destination for each request Privoxy let through. See also debug 1024.
#debug  1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
#debug  4096 # Startup banner and warnings
#debug  8192 # Non-fatal errors
#
#  3.2. single-threaded
#  =====================
#
#  Specifies:
#
#      Whether to run only one server thread.
#
#  Type of value:
#
#      1 or 0
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Multi-threaded (or, where unavailable: forked) operation, i.e.
#      the ability to serve multiple requests simultaneously.
#
#  Notes:
#
#      This option is only there for debugging purposes. It will
#      drastically reduce performance.
#
#single-threaded 1
#
#  3.3. hostname
#  ==============
#
#  Specifies:
#
#      The hostname shown on the CGI pages.
#
#  Type of value:
#
#      Text
#
#  Default value:
#
#      Unset
#
#  Effect if unset:
#
#      The hostname provided by the operating system is used.
#
#  Notes:
#
#      On some misconfigured systems resolving the hostname fails or
#      takes too much time and slows Privoxy down. Setting a fixed
#      hostname works around the problem.
#
#      In other circumstances it might be desirable to show a
#      hostname other than the one returned by the operating system.
#      For example if the system has several different hostnames and
#      you don't want to use the first one.
#
#      Note that Privoxy does not validate the specified hostname
#      value.
#
hostname localhost
#
#  4. ACCESS CONTROL AND SECURITY
#  ===============================
#
#  This section of the config file controls the security-relevant
#  aspects of Privoxy's configuration.
#
#
#  4.1. listen-address
#  ====================
#
#  Specifies:
#
#      The address and TCP port on which Privoxy will listen for
#      client requests.
#
#  Type of value:
#
#      [IP-Address]:Port
#
#      [Hostname]:Port
#
#  Default value:
#
#      127.0.0.1:8118
#
#  Effect if unset:
#
#      Bind to 127.0.0.1 (IPv4 localhost), port 8118. This is
#      suitable and recommended for home users who run Privoxy on the
#      same machine as their browser.
#
#  Notes:
#
#      You will need to configure your browser(s) to this proxy
#      address and port.
#
#      If you already have another service running on port 8118, or
#      if you want to serve requests from other machines (e.g. on
#      your local network) as well, you will need to override the
#      default.
#
#      You can use this statement multiple times to make Privoxy
#      listen on more ports or more IP addresses. Suitable if your
#      operating system does not support sharing IPv6 and IPv4
#      protocols on the same socket.
#
#      If a hostname is used instead of an IP address, Privoxy will
#      try to resolve it to an IP address and if there are multiple,
#      use the first one returned.
#
#      If the address for the hostname isn't already known on the
#      system (for example because it's in /etc/hostname), this may
#      result in DNS traffic.
#
#      If the specified address isn't available on the system, or if
#      the hostname can't be resolved, Privoxy will fail to start.
#
#      IPv6 addresses containing colons have to be quoted by
#      brackets. They can only be used if Privoxy has been compiled
#      with IPv6 support. If you aren't sure if your version supports
#      it, have a look at http://config.privoxy.org/show-status.
#
#      Some operating systems will prefer IPv6 to IPv4 addresses even
#      if the system has no IPv6 connectivity which is usually not
#      expected by the user. Some even rely on DNS to resolve
#      localhost which means the "localhost" address used may not
#      actually be local.
#
#      It is therefore recommended to explicitly configure the
#      intended IP address instead of relying on the operating
#      system, unless there's a strong reason not to.
#
#      If you leave out the address, Privoxy will bind to all IPv4
#      interfaces (addresses) on your machine and may become
#      reachable from the Internet and/or the local network. Be aware
#      that some GNU/Linux distributions modify that behaviour
#      without updating the documentation. Check for non-standard
#      patches if your Privoxy version behaves differently.
#
#      If you configure Privoxy to be reachable from the network,
#      consider using access control lists (ACLs, see below), and/or
#      a firewall.
#
#      If you open Privoxy to untrusted users, you will also want to
#      make sure that the following actions are disabled:
#      enable-edit-actions and enable-remote-toggle
#
#  Example:
#
#      Suppose you are running Privoxy on a machine which has the
#      address 192.168.0.1 on your local private network
#      (192.168.0.0) and has another outside connection with a
#      different address. You want it to serve requests from inside
#      only:
#
#        listen-address 192.168.0.1:8118
#
#      Suppose you are running Privoxy on an IPv6-capable machine and
#      you want it to listen on the IPv6 address of the loopback
#      device:
#
#        listen-address [::1]:8118
#
listen-address 127.0.0.1:8118
#
#  4.2. toggle
#  ============
#
#  Specifies:
#
#      Initial state of "toggle" status
#
#  Type of value:
#
#      1 or 0
#
#  Default value:
#
#      1
#
#  Effect if unset:
#
#      Act as if toggled on
#
#  Notes:
#
#      If set to 0, Privoxy will start in "toggled off" mode, i.e.
#      mostly behave like a normal, content-neutral proxy with both
#      ad blocking and content filtering disabled. See
#      enable-remote-toggle below.
#
toggle 1
#
#  4.3. enable-remote-toggle
#  ==========================
#
#  Specifies:
#
#      Whether or not the web-based toggle feature may be used
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      The web-based toggle feature is disabled.
#
#  Notes:
#
#      When toggled off, Privoxy mostly acts like a normal,
#      content-neutral proxy, i.e. doesn't block ads or filter
#      content.
#
#      Access to the toggle feature can not be controlled separately
#      by "ACLs" or HTTP authentication, so that everybody who can
#      access Privoxy (see "ACLs" and listen-address above) can
#      toggle it for all users. So this option is not recommended for
#      multi-user environments with untrusted users.
#
#      Note that malicious client side code (e.g. Java) is also
#      capable of using this option.
#
#      As a lot of Privoxy users don't read documentation, this
#      feature is disabled by default.
#
#      Note that you must have compiled Privoxy with support for this
#      feature, otherwise this option has no effect.
#
enable-remote-toggle 0
#
#  4.4. enable-remote-http-toggle
#  ===============================
#
#  Specifies:
#
#      Whether or not Privoxy recognizes special HTTP headers to
#      change its behaviour.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy ignores special HTTP headers.
#
#  Notes:
#
#      When toggled on, the client can change Privoxy's behaviour by
#      setting special HTTP headers. Currently the only supported
#      special header is "X-Filter: No", to disable filtering for the
#      ongoing request, even if it is enabled in one of the action
#      files.
#
#      This feature is disabled by default. If you are using Privoxy
#      in an environment with trusted clients, you may enable this
#      feature at your discretion. Note that malicious client side
#      code (e.g. Java) is also capable of using this feature.
#
#      This option will be removed in future releases as it has been
#      obsoleted by the more general header taggers.
#
enable-remote-http-toggle 0
#
#  4.5. enable-edit-actions
#  =========================
#
#  Specifies:
#
#      Whether or not the web-based actions file editor may be used
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      The web-based actions file editor is disabled.
#
#  Notes:
#
#      Access to the editor can not be controlled separately by
#      "ACLs" or HTTP authentication, so that everybody who can
#      access Privoxy (see "ACLs" and listen-address above) can
#      modify its configuration for all users.
#
#      This option is not recommended for environments with untrusted
#      users and as a lot of Privoxy users don't read documentation,
#      this feature is disabled by default.
#
#      Note that malicious client side code (e.g. Java) is also
#      capable of using the actions editor and you shouldn't enable
#      this option unless you understand the consequences and are
#      sure your browser is configured correctly.
#
#      Note that you must have compiled Privoxy with support for this
#      feature, otherwise this option has no effect.
#
enable-edit-actions 0
#
#  4.6. enforce-blocks
#  ====================
#
#  Specifies:
#
#      Whether the user is allowed to ignore blocks and can "go there
#      anyway".
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Blocks are not enforced.
#
#  Notes:
#
#      Privoxy is mainly used to block and filter requests as a
#      service to the user, for example to block ads and other junk
#      that clogs the pipes. Privoxy's configuration isn't perfect
#      and sometimes innocent pages are blocked. In this situation it
#      makes sense to allow the user to enforce the request and have
#      Privoxy ignore the block.
#
#      In the default configuration Privoxy's "Blocked" page contains
#      a "go there anyway" link that adds a special string (the force
#      prefix) to the request URL. If that link is used, Privoxy will
#      detect the force prefix, remove it again and let the request
#      pass.
#
#      Of course Privoxy can also be used to enforce a network
#      policy. In that case the user obviously should not be able to
#      bypass any blocks, and that's what the "enforce-blocks" option
#      is for. If it's enabled, Privoxy hides the "go there anyway"
#      link. If the user adds the force prefix by hand, it will not
#      be accepted and the circumvention attempt is logged.
#
#  Examples:
#
#      enforce-blocks 1
#
enforce-blocks 0
#
#  4.7. ACLs: permit-access and deny-access
#  =========================================
#
#  Specifies:
#
#      Who can access what.
#
#  Type of value:
#
#      src_addr[:port][/src_masklen] [dst_addr[:port][/dst_masklen]]
#
#      Where src_addr and dst_addr are IPv4 addresses in dotted
#      decimal notation or valid DNS names, port is a port number,
#      and src_masklen and dst_masklen are subnet masks in CIDR
#      notation, i.e. integer values from 2 to 30 representing the
#      length (in bits) of the network address. The masks and the
#      whole destination part are optional.
#
#      If your system implements RFC 3493, then src_addr and dst_addr
#      can be IPv6 addresses delimited by brackets, port can be a
#      number or a service name, and src_masklen and dst_masklen can
#      be a number from 0 to 128.
#
#  Default value:
#
#      Unset
#
#      If no port is specified, any port will match. If no
#      src_masklen or dst_masklen is given, the complete IP address
#      has to match (i.e. 32 bits for IPv4 and 128 bits for IPv6).
#
#  Effect if unset:
#
#      Don't restrict access further than implied by listen-address
#
#  Notes:
#
#      Access controls are included at the request of ISPs and
#      systems administrators, and are not usually needed by
#      individual users. For a typical home user, it will normally
#      suffice to ensure that Privoxy only listens on the localhost
#      (127.0.0.1) or internal (home) network address by means of the
#      listen-address option.
#
#      Please see the warnings in the FAQ that Privoxy is not
#      intended to be a substitute for a firewall or to encourage
#      anyone to defer addressing basic security weaknesses.
#
#      Multiple ACL lines are OK. If any ACLs are specified, Privoxy
#      only talks to IP addresses that match at least one
#      permit-access line and don't match any subsequent deny-access
#      line. In other words, the last match wins, with the default
#      being deny-access.
#
#      If Privoxy is using a forwarder (see forward below) for a
#      particular destination URL, the dst_addr that is examined is
#      the address of the forwarder and NOT the address of the
#      ultimate target. This is necessary because it may be
#      impossible for the local Privoxy to determine the IP address
#      of the ultimate target (that's often what gateways are used
#      for).
#
#      You should prefer using IP addresses over DNS names, because
#      the address lookups take time. All DNS names must resolve! You
#      can not use domain patterns like "*.org" or partial domain
#      names. If a DNS name resolves to multiple IP addresses, only
#      the first one is used.
#
#      Some systems allow IPv4 clients to connect to IPv6 server
#      sockets. Then the client's IPv4 address will be translated by
#      the system into IPv6 address space with special prefix
#      ::ffff:0:0/96 (so called IPv4 mapped IPv6 address). Privoxy
#      can handle it and maps such ACL addresses automatically.
#
#      Denying access to particular sites by ACL may have undesired
#      side effects if the site in question is hosted on a machine
#      which also hosts other sites (most sites are).
#
#  Examples:
#
#      Explicitly define the default behavior if no ACL and
#      listen-address are set: "localhost" is OK. The absence of a
#      dst_addr implies that all destination addresses are OK:
#
#        permit-access localhost
#
#      Allow any host on the same class C subnet as www.privoxy.org
#      access to nothing but www.example.com (or other domains hosted
#      on the same system):
#
#        permit-access www.privoxy.org/24 www.example.com/32
#
#      Allow access from any host on the 26-bit subnet 192.168.45.64
#      to anywhere, with the exception that 192.168.45.73 may not
#      access the IP address behind www.dirty-stuff.example.com:
#
#        permit-access 192.168.45.64/26
#        deny-access   192.168.45.73 www.dirty-stuff.example.com
#
#      Allow access from the IPv4 network 192.0.2.0/24 even if
#      listening on an IPv6 wild card address (not supported on all
#      platforms):
#
#        permit-access 192.0.2.0/24
#
#      This is equivalent to the following line even if listening on
#      an IPv4 address (not supported on all platforms):
#
#        permit-access [::ffff:192.0.2.0]/120
#
#
#  4.8. buffer-limit
#  ==================
#
#  Specifies:
#
#      Maximum size of the buffer for content filtering.
#
#  Type of value:
#
#      Size in Kbytes
#
#  Default value:
#
#      4096
#
#  Effect if unset:
#
#      Use a 4MB (4096 KB) limit.
#
#  Notes:
#
#      For content filtering, i.e. the +filter and +deanimate-gif
#      actions, it is necessary that Privoxy buffers the entire
#      document body. This can be potentially dangerous, since a
#      server could just keep sending data indefinitely and wait for
#      your RAM to exhaust -- with nasty consequences. Hence this
#      option.
#
#      When a document buffer size reaches the buffer-limit, it is
#      flushed to the client unfiltered and no further attempt to
#      filter the rest of the document is made. Remember that there
#      may be multiple threads running, which might require up to
#      buffer-limit Kbytes each, unless you have enabled
#      "single-threaded" above.
#
buffer-limit 4096
#
#  4.9. enable-proxy-authentication-forwarding
#  ============================================
#
#  Specifies:
#
#      Whether or not proxy authentication through Privoxy should
#      work.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Proxy authentication headers are removed.
#
#  Notes:
#
#      Privoxy itself does not support proxy authentication, but can
#      allow clients to authenticate against Privoxy's parent proxy.
#
#      By default Privoxy (3.0.21 and later) doesn't do that and removes
#      Proxy-Authorization headers in requests and Proxy-Authenticate
#      headers in responses to make it harder for malicious sites to
#      trick inexperienced users into providing login information.
#
#      If this option is enabled the headers are forwarded.
#
#      Enabling this option is not recommended if there is no parent
#      proxy that requires authentication or if the local network
#      between Privoxy and the parent proxy isn't trustworthy. If
#      proxy authentication is only required for some requests, it is
#      recommended to use a client header filter to remove the
#      authentication headers for requests where they aren't needed.
#
enable-proxy-authentication-forwarding 0
#
#  5. FORWARDING
#  ==============
#
#  This feature allows routing of HTTP requests through a chain of
#  multiple proxies.
#
#  Forwarding can be used to chain Privoxy with a caching proxy to
#  speed up browsing. Using a parent proxy may also be necessary if
#  the machine that Privoxy runs on has no direct Internet access.
#
#  Note that parent proxies can severely decrease your privacy level.
#  For example a parent proxy could add your IP address to the
#  request headers and if it's a caching proxy it may add the "Etag"
#  header to revalidation requests again, even though you configured
#  Privoxy to remove it. It may also ignore Privoxy's header time
#  randomization and use the original values which could be used by
#  the server as cookie replacement to track your steps between
#  visits.
#
#  Also specified here are SOCKS proxies. Privoxy supports the SOCKS
#  4 and SOCKS 4A protocols.
#
#
#  5.1. forward
#  =============
#
#  Specifies:
#
#      To which parent HTTP proxy specific requests should be routed.
#
#  Type of value:
#
#      target_pattern http_parent[:port]
#
#      where target_pattern is a URL pattern that specifies to which
#      requests (i.e. URLs) this forward rule shall apply. Use / to
#      denote "all URLs". http_parent[:port] is the DNS name or IP
#      address of the parent HTTP proxy through which the requests
#      should be forwarded, optionally followed by its listening port
#      (default: 8000). Use a single dot (.) to denote "no
#      forwarding".
#
#  Default value:
#
#      Unset
#
#  Effect if unset:
#
#      Don't use parent HTTP proxies.
#
#  Notes:
#
#      If http_parent is ".", then requests are not forwarded to
#      another HTTP proxy but are made directly to the web servers.
#
#      http_parent can be a numerical IPv6 address (if RFC 3493 is
#      implemented). To prevent clashes with the port delimiter, the
#      whole IP address has to be put into brackets. On the other
#      hand a target_pattern containing an IPv6 address has to be put
#      into angle brackets (normal brackets are reserved for regular
#      expressions already).
#
#      Multiple lines are OK, they are checked in sequence, and the
#      last match wins.
#
#  Examples:
#
#      Everything goes to an example parent proxy, except SSL on port
#      443 (which it doesn't handle):
#
#        forward / parent-proxy.example.org:8080
#        forward :443 .
#
#      Everything goes to our example ISP's caching proxy, except for
#      requests to that ISP's sites:
#
#        forward / caching-proxy.isp.example.net:8000
#        forward .isp.example.net .
#
#      Parent proxy specified by an IPv6 address:
#
#        forward / [2001:DB8::1]:8000
#
#      Suppose your parent proxy doesn't support IPv6:
#
#        forward / parent-proxy.example.org:8000
#        forward ipv6-server.example.org .
#        forward <[2-3][0-9a-f][0-9a-f][0-9a-f]:*> .
#
#
#  See http://www.christianschenk.org/blog/enhancing-your-privacy-using-squid-and-privoxy/
forward / .
1267 | forward :443 . 1268 | 1269 | # I2P 1270 | #forward .i2p localhost:4443 1271 | 1272 | # 5.2. forward-socks4, forward-socks4a, forward-socks5 and forward-socks5t 1273 | # ========================================================================= 1274 | # 1275 | # Specifies: 1276 | # 1277 | # Through which SOCKS proxy (and optionally to which parent HTTP 1278 | # proxy) specific requests should be routed. 1279 | # 1280 | # Type of value: 1281 | # 1282 | # target_pattern socks_proxy[:port] http_parent[:port] 1283 | # 1284 | # where target_pattern is a URL pattern that specifies to which 1285 | # requests (i.e. URLs) this forward rule shall apply. Use / to 1286 | # denote "all URLs". http_parent and socks_proxy are IP 1287 | # addresses in dotted decimal notation or valid DNS names ( 1288 | # http_parent may be "." to denote "no HTTP forwarding"), and 1289 | # the optional port parameters are TCP ports, i.e. integer 1290 | # values from 1 to 65535 1291 | # 1292 | # Default value: 1293 | # 1294 | # Unset 1295 | # 1296 | # Effect if unset: 1297 | # 1298 | # Don't use SOCKS proxies. 1299 | # 1300 | # Notes: 1301 | # 1302 | # Multiple lines are OK, they are checked in sequence, and the 1303 | # last match wins. 1304 | # 1305 | # The difference between forward-socks4 and forward-socks4a is 1306 | # that in the SOCKS 4A protocol, the DNS resolution of the 1307 | # target hostname happens on the SOCKS server, while in SOCKS 4 1308 | # it happens locally. 1309 | # 1310 | # With forward-socks5 the DNS resolution will happen on the 1311 | # remote server as well. 1312 | # 1313 | # forward-socks5t works like vanilla forward-socks5 but lets 1314 | # Privoxy additionally use Tor-specific SOCKS extensions. 1315 | # Currently the only supported SOCKS extension is optimistic 1316 | # data which can reduce the latency for the first request made 1317 | # on a newly created connection. 
1318 | # 1319 | # socks_proxy and http_parent can be a numerical IPv6 address 1320 | # (if RFC 3493 is implemented). To prevent clashes with the port 1321 | # delimiter, the whole IP address has to be put into brackets. 1322 | # On the other hand a target_pattern containing an IPv6 address 1323 | # has to be put into angle brackets (normal brackets are 1324 | # reserved for regular expressions already). 1325 | # 1326 | # If http_parent is ".", then requests are not forwarded to 1327 | # another HTTP proxy but are made (HTTP-wise) directly to the 1328 | # web servers, albeit through a SOCKS proxy. 1329 | # 1330 | # Examples: 1331 | # 1332 | # From the company example.com, direct connections are made to 1333 | # all "internal" domains, but everything outbound goes through 1334 | # their ISP's proxy by way of example.com's corporate SOCKS 4A 1335 | # gateway to the Internet. 1336 | # 1337 | # forward-socks4a / socks-gw.example.com:1080 www-cache.isp.example.net:8080 1338 | # forward .example.com . 1339 | # 1340 | # A rule that uses a SOCKS 4 gateway for all destinations but no 1341 | # HTTP parent looks like this: 1342 | # 1343 | # forward-socks4 / socks-gw.example.com:1080 . 1344 | # 1345 | # To chain Privoxy and Tor, both running on the same system, you 1346 | # would use something like: 1347 | # 1348 | # forward-socks5t / 127.0.0.1:9050 . 1349 | # 1350 | # Note that if you got Tor through one of the bundles, you may 1351 | # have to change the port from 9050 to 9150 (or even another 1352 | # one). For details, please check the documentation on the Tor 1353 | # website. 1354 | # 1355 | # The public Tor network can't be used to reach your local 1356 | # network, if you need to access local servers you therefore 1357 | # might want to make some exceptions: 1358 | # 1359 | # forward 192.168.*.*/ . 1360 | # forward 10.*.*.*/ . 1361 | # forward 127.*.*.*/ . 
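Because rules are checked in sequence and the last match wins, the order of the lines above is load-bearing: the local-network exceptions only take effect when they come after the catch-all `forward-socks5t /` line. The Python model below is an added example written for this page, not Privoxy's or macOS-Fortress's own code. It re-implements the rule selection documented in 5.1 and 5.2 (sequential check, last match wins, "." meaning direct, default ports 8000 for an HTTP parent and 1080 for a SOCKS gateway, host patterns matched label by label with shell-style globs where a leading or trailing dot unanchors that end, path patterns as regexes anchored at the start of the path) so that you can ask which forwarder a URL would take and list exceptions that a later catch-all silently shadows. Port lists and IPv6 angle-bracket patterns are not modelled, and the sample configs inside are constructed from the examples in this section.

```python
"""Resolve which forwarder a Privoxy config would pick for a URL.

Added example for this page; not Privoxy or macOS-Fortress code. It
models only what sections 5.1 and 5.2 state about forward and
forward-socks* rules. Port lists and IPv6 <...> patterns are omitted.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Forwarder:
    kind: str                     # "direct", "http", "socks4", "socks4a", "socks5", "socks5t"
    socks: Optional[str] = None   # SOCKS gateway as host:port, if any
    parent: Optional[str] = None  # HTTP parent as host:port, None when "."


DIRECT = Forwarder("direct")
Rule = Tuple[str, Forwarder]


def _with_default_port(hostport: str, default: int) -> str:
    host, sep, port = hostport.rpartition(":")
    return f"{host}:{port}" if sep and port.isdigit() else f"{hostport}:{default}"


def _host_matches(pattern: str, host: str) -> bool:
    """Label-wise glob match; a leading/trailing dot unanchors that end."""
    if pattern == "":
        return True                       # ":443"-style patterns have no host part
    left_open, right_open = pattern.startswith("."), pattern.endswith(".")
    plabels = [p for p in pattern.split(".") if p]
    hlabels = host.lower().split(".")
    n = len(plabels)
    for start in (range(len(hlabels) - n + 1) if left_open else [0]):
        window = hlabels[start:start + n]
        if len(window) != n or (not right_open and start + n != len(hlabels)):
            continue
        if all(fnmatch.fnmatchcase(h, p) for h, p in zip(window, plabels)):
            return True
    return False


def pattern_matches(target_pattern: str, url: str) -> bool:
    """Does target_pattern ([host][:port][/path-regex]) match url?"""
    if target_pattern == "/":
        return True
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    hostport, slash, path_re = target_pattern.partition("/")
    host_pat, colon, port_pat = hostport.partition(":")
    if colon and int(port_pat) != port:
        return False
    if not _host_matches(host_pat, u.hostname or ""):
        return False
    # Path patterns are regexes matched from the start of the path.
    return bool(re.match("/" + path_re, u.path or "/")) if slash else True


def parse_forward_rules(config_text: str) -> List[Rule]:
    """Collect forward and forward-socks* directives in file order."""
    rules: List[Rule] = []
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0] == "forward":
            _, pattern, parent = parts
            fwd = DIRECT if parent == "." else Forwarder("http", parent=_with_default_port(parent, 8000))
            rules.append((pattern, fwd))
        elif len(parts) == 4 and parts[0].startswith("forward-socks"):
            directive, pattern, gateway, parent = parts
            fwd = Forwarder(directive[len("forward-"):], socks=_with_default_port(gateway, 1080),
                            parent=None if parent == "." else _with_default_port(parent, 8000))
            rules.append((pattern, fwd))
    return rules


def resolve(rules: List[Rule], url: str) -> Forwarder:
    """Last matching rule wins; with no match Privoxy connects directly."""
    chosen = DIRECT
    for pattern, fwd in rules:
        if pattern_matches(pattern, url):
            chosen = fwd
    return chosen


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Patterns that can never win because a catch-all "/" rule follows them."""
    last_catch_all = max((i for i, (p, _) in enumerate(rules) if p == "/"), default=-1)
    return [p for p, _ in rules[:last_catch_all]] if last_catch_all > 0 else []


# Constructed samples mirroring the manual's examples above.
PARENT_EXAMPLE = "forward / parent-proxy.example.org:8080\nforward :443 .\n"
ISP_EXAMPLE = "forward / caching-proxy.isp.example.net:8000\nforward .isp.example.net .\n"
TOR_EXAMPLE = "forward-socks5t / 127.0.0.1:9050 .\nforward 192.168.*.*/ .\nforward 10.*.*.*/ .\nforward 127.*.*.*/ .\nforward localhost/ .\n"
# Same exception written BEFORE the catch-all: it is a dead rule.
TOR_MISORDERED = "forward 192.168.*.*/ .\nforward-socks5t / 127.0.0.1:9050 .\n"

if __name__ == "__main__":
    for name, cfg in [("parent", PARENT_EXAMPLE), ("isp", ISP_EXAMPLE), ("tor", TOR_EXAMPLE), ("misordered", TOR_MISORDERED)]:
        rules = parse_forward_rules(cfg)
        for url in ("http://www.isp.example.net/", "https://example.com/", "http://192.168.1.10/admin"):
            print(f"{name:10} {url:30} -> {resolve(rules, url)}")
        print(f"{name:10} shadowed: {shadowed_rules(rules)}")
```

Run it directly to see the sample resolutions; feeding it the two live lines of this file (`forward / .` and `forward :443 .`) resolves every URL to a direct connection. The misordered Tor sample is the case worth remembering: a request to 192.168.1.10 is sent into Tor, which cannot reach it, and `shadowed_rules` names the exception that never fires.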
#
#      Unencrypted connections to systems in these address ranges
#      will be as (un)secure as the local network is, but the
#      alternative is that you can't reach the local network through
#      Privoxy at all. Of course this may actually be desired and
#      there is no reason to make these exceptions if you aren't sure
#      you need them.
#
#      If you also want to be able to reach servers in your local
#      network by using their names, you will need additional
#      exceptions that look like this:
#
#        forward localhost/ .
#
#
#  5.3. forwarded-connect-retries
#  ===============================
#
#  Specifies:
#
#      How often Privoxy retries if a forwarded connection request
#      fails.
#
#  Type of value:
#
#      Number of retries.
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Connections forwarded through other proxies are treated like
#      direct connections and no retry attempts are made.
#
#  Notes:
#
#      forwarded-connect-retries is mainly interesting for socks4a
#      connections, where Privoxy can't detect why the connections
#      failed. The connection might have failed because of a DNS
#      timeout in which case a retry makes sense, but it might also
#      have failed because the server doesn't exist or isn't
#      reachable. In this case the retry will just delay the
#      appearance of Privoxy's error message.
#
#      Note that in the context of this option, "forwarded
#      connections" includes all connections that Privoxy forwards
#      through other proxies. This option is not limited to the HTTP
#      CONNECT method.
#
#      Only use this option if you are getting lots of
#      forwarding-related error messages that go away when you try
#      again manually. Start with a small value and check Privoxy's
#      logfile from time to time, to see how many retries are usually
#      needed.
#
#  Examples:
#
#        forwarded-connect-retries 1
#
forwarded-connect-retries 0
#
#  6. MISCELLANEOUS
#  =================
#
#  6.1. accept-intercepted-requests
#  =================================
#
#  Specifies:
#
#      Whether intercepted requests should be treated as valid.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Only proxy requests are accepted, intercepted requests are
#      treated as invalid.
#
#  Notes:
#
#      If you don't trust your clients and want to force them to use
#      Privoxy, enable this option and configure your packet filter
#      to redirect outgoing HTTP connections into Privoxy.
#
#      Note that intercepting encrypted connections (HTTPS) isn't
#      supported.
#
#      Make sure that Privoxy's own requests aren't redirected as
#      well. Additionally take care that Privoxy can't be made to
#      connect to itself, otherwise you could run into redirection
#      loops if Privoxy's listening port is reachable by the outside
#      or an attacker has access to the pages you visit.
#
#      If you are running Privoxy as intercepting proxy without being
#      able to intercept all client requests you may want to adjust
#      the CGI templates to make sure they don't reference content
#      from config.privoxy.org.
#
#  Examples:
#
#        accept-intercepted-requests 1
#
accept-intercepted-requests 0
#
#  6.2. allow-cgi-request-crunching
#  =================================
#
#  Specifies:
#
#      Whether requests to Privoxy's CGI pages can be blocked or
#      redirected.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy ignores block and redirect actions for its CGI pages.
#
#  Notes:
#
#      By default Privoxy ignores block or redirect actions for its
#      CGI pages. Intercepting these requests can be useful in
#      multi-user setups to implement fine-grained access control,
#      but it can also render the complete web interface useless and
#      make debugging problems painful if done without care.
#
#      Don't enable this option unless you're sure that you really
#      need it.
#
#  Examples:
#
#        allow-cgi-request-crunching 1
#
allow-cgi-request-crunching 0
#
#  6.3. split-large-forms
#  =======================
#
#  Specifies:
#
#      Whether the CGI interface should stay compatible with broken
#      HTTP clients.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      The CGI forms generate long GET URLs.
#
#  Notes:
#
#      Privoxy's CGI forms can lead to rather long URLs. This isn't a
#      problem as far as the HTTP standard is concerned, but it can
#      confuse clients with arbitrary URL length limitations.
#
#      Enabling split-large-forms causes Privoxy to divide big forms
#      into smaller ones to keep the URL length down. It makes
#      editing a lot less convenient and you can no longer submit all
#      changes at once, but at least it works around this browser
#      bug.
#
#      If you don't notice any editing problems, there is no reason
#      to enable this option, but if one of the submit buttons
#      appears to be broken, you should give it a try.
#
#  Examples:
#
#        split-large-forms 1
#
split-large-forms 0
#
#  6.4. keep-alive-timeout
#  ========================
#
#  Specifies:
#
#      Number of seconds after which an open connection will no
#      longer be reused.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      Connections are not kept alive.
#
#  Notes:
#
#      This option allows clients to keep the connection to Privoxy
#      alive. If the server supports it, Privoxy will keep the
#      connection to the server alive as well. Under certain
#      circumstances this may result in speed-ups.
#
#      By default, Privoxy will close the connection to the server if
#      the client connection gets closed, or if the specified timeout
#      has been reached without a new request coming in. This
#      behaviour can be changed with the connection-sharing option.
#
#      This option has no effect if Privoxy has been compiled without
#      keep-alive support.
#
#      Note that a timeout of five seconds as used in the default
#      configuration file significantly decreases the number of
#      connections that will be reused. The value is used because
#      some browsers limit the number of connections they open to a
#      single host and apply the same limit to proxies. This can
#      result in a single website "grabbing" all the connections the
#      browser allows, which means connections to other websites
#      can't be opened until the connections currently in use time
#      out.
#
#      Several users have reported this as a Privoxy bug, so the
#      default value has been reduced. Consider increasing it to 300
#      seconds or even more if you think your browser can handle it.
#      If your browser appears to be hanging, it probably can't.
#
#  Examples:
#
#        keep-alive-timeout 300
#
keep-alive-timeout 300
#
#  6.5. tolerate-pipelining
#  =========================
#
#  Specifies:
#
#      Whether or not pipelined requests should be served.
#
#  Type of value:
#
#      0 or 1.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      If Privoxy receives more than one request at once, it
#      terminates the client connection after serving the first one.
#
#  Notes:
#
#      Privoxy currently doesn't pipeline outgoing requests, thus
#      allowing pipelining on the client connection is not guaranteed
#      to improve the performance.
#
#      By default Privoxy tries to discourage clients from pipelining
#      by discarding aggressively pipelined requests, which forces
#      the client to resend them through a new connection.
#
#      This option lets Privoxy tolerate pipelining. Whether or not
#      that improves performance mainly depends on the client
#      configuration.
#
#      If you are seeing problems with pages not properly loading,
#      disabling this option could work around the problem.
#
#  Examples:
#
#        tolerate-pipelining 1
#
#tolerate-pipelining 1
#
#  6.6. default-server-timeout
#  ============================
#
#  Specifies:
#
#      Assumed server-side keep-alive timeout if not specified by the
#      server.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      Connections for which the server didn't specify the keep-alive
#      timeout are not reused.
#
#  Notes:
#
#      Enabling this option significantly increases the number of
#      connections that are reused, provided the keep-alive-timeout
#      option is also enabled.
#
#      While it also increases the number of connection problems
#      when Privoxy tries to reuse a connection that already has been
#      closed on the server side, or is closed while Privoxy is
#      trying to reuse it, this should only be a problem if it
#      happens for the first request sent by the client. If it
#      happens for requests on reused client connections, Privoxy
#      will simply close the connection and the client is supposed to
#      retry the request without bothering the user.
#
#      Enabling this option is therefore only recommended if the
#      connection-sharing option is disabled.
#
#      It is an error to specify a value larger than the
#      keep-alive-timeout value.
#
#      This option has no effect if Privoxy has been compiled without
#      keep-alive support.
#
#  Examples:
#
#        default-server-timeout 60
#
default-server-timeout 60
#
#  6.7. connection-sharing
#  ========================
#
#  Specifies:
#
#      Whether or not outgoing connections that have been kept alive
#      should be shared between different incoming connections.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      Connections are not shared.
#
#  Notes:
#
#      This option has no effect if Privoxy has been compiled without
#      keep-alive support, or if it's disabled.
#
#      Note that reusing connections doesn't necessarily cause
#      speedups. There are also a few privacy implications you should
#      be aware of.
#
#      If this option is effective, outgoing connections are shared
#      between clients (if there are more than one) and closing the
#      browser that initiated the outgoing connection no longer
#      affects the connection between Privoxy and the server unless
#      the client's request hasn't been completed yet.
#
#      If the outgoing connection is idle, it will not be closed
#      until either Privoxy's or the server's timeout is reached.
#      While it's open, the server knows that the system running
#      Privoxy is still there.
#
#      If there is more than one client (maybe even belonging to
#      multiple users), they will be able to reuse each other's
#      connections. This is potentially dangerous in case of
#      authentication schemes like NTLM where only the connection is
#      authenticated, instead of requiring authentication for each
#      request: a second client reusing the connection inherits the
#      first client's authenticated session.
#
#      If there is only a single client, and if said client can keep
#      connections alive on its own, enabling this option has next to
#      no effect. If the client doesn't support connection
#      keep-alive, enabling this option may make sense as it allows
#      Privoxy to keep outgoing connections alive even if the client
#      itself doesn't support it.
#
#      You should also be aware that enabling this option increases
#      the likelihood of getting the "No server or forwarder data"
#      error message, especially if you are using a slow connection
#      to the Internet.
#
#      This option should only be used by experienced users who
#      understand the risks and can weigh them against the benefits.
#
#  Examples:
#
#        connection-sharing 1
#
connection-sharing 0
#
#  6.8. socket-timeout
#  ====================
#
#  Specifies:
#
#      Number of seconds after which a socket times out if no data is
#      received.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      None
#
#  Effect if unset:
#
#      A default value of 300 seconds is used.
#
#  Notes:
#
#      The default is quite high and you probably want to reduce it.
#      If you aren't using an occasionally slow proxy like Tor,
#      reducing it to a few seconds should be fine.
#
#  Examples:
#
#        socket-timeout 300
#
socket-timeout 60
#
#  6.9. max-client-connections
#  ============================
#
#  Specifies:
#
#      Maximum number of client connections that will be served.
#
#  Type of value:
#
#      Positive number.
#
#  Default value:
#
#      128
#
#  Effect if unset:
#
#      Connections are served until a resource limit is reached.
#
#  Notes:
#
#      Privoxy creates one thread (or process) for every incoming
#      client connection that isn't rejected based on the access
#      control settings.
#
#      If the system is powerful enough, Privoxy can theoretically
#      deal with several hundred (or thousand) connections at the
#      same time, but some operating systems enforce resource limits
#      by shutting down offending processes and their default limits
#      may be below the ones Privoxy would require under heavy load.
#
#      Configuring Privoxy to enforce a connection limit below the
#      thread or process limit used by the operating system makes
#      sure this doesn't happen. Simply increasing the operating
#      system's limit would work too, but if Privoxy isn't the only
#      application running on the system, you may actually want to
#      limit the resources used by Privoxy.
#
#      If Privoxy is only used by a single trusted user, limiting the
#      number of client connections is probably unnecessary. If there
#      are multiple possibly untrusted users you probably still want
#      to additionally use a packet filter to limit the maximal
#      number of incoming connections per client. Otherwise a
#      malicious user could intentionally create a high number of
#      connections to prevent other users from using Privoxy.
#
#      Obviously using this option only makes sense if you choose a
#      limit below the one enforced by the operating system.
#
#      On most POSIX-compliant systems Privoxy can't properly deal
#      with more than FD_SETSIZE file descriptors at the same time
#      and has to reject connections if the limit is reached. This
#      will likely change in a future version, but currently this
#      limit can't be increased without recompiling Privoxy with a
#      different FD_SETSIZE limit.
#
#  Examples:
#
#        max-client-connections 256
#
max-client-connections 256
#
#  6.10. handle-as-empty-doc-returns-ok
#  =====================================
#
#  Specifies:
#
#      The status code Privoxy returns for pages blocked with
#      +handle-as-empty-document.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy returns a status 403 (Forbidden) for all blocked pages.
#
#  Effect if set:
#
#      Privoxy returns a status 200 (OK) for pages blocked with
#      +handle-as-empty-document and a status 403 (Forbidden) for all
#      other blocked pages.
#
#  Notes:
#
#      This directive was added as a work-around for Firefox bug
#      492459: "Websites are no longer rendered if SSL requests for
#      JavaScripts are blocked by a proxy."
#      (https://bugzilla.mozilla.org/show_bug.cgi?id=492459). The bug
#      has been fixed for quite some time, but this directive is also
#      useful to make it harder for websites to detect whether or not
#      resources are being blocked.
#
#handle-as-empty-doc-returns-ok 1
#
#  6.11. enable-compression
#  =========================
#
#  Specifies:
#
#      Whether or not buffered content is compressed before delivery.
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Effect if unset:
#
#      Privoxy does not compress buffered content.
#
#  Effect if set:
#
#      Privoxy compresses buffered content before delivering it to
#      the client, provided the client supports it.
#
#  Notes:
#
#      This directive is only supported if Privoxy has been compiled
#      with FEATURE_COMPRESSION, which should not be confused with
#      FEATURE_ZLIB.
#
#      Compressing buffered content is mainly useful if Privoxy and
#      the client are running on different systems. If they are
#      running on the same system, enabling compression is likely to
#      slow things down. Unless you have measured otherwise, you
#      should assume that it does and keep this option disabled.
#
#      Privoxy will not compress buffered content below a certain
#      length.
#
#enable-compression 1
#
#  6.12. compression-level
#  ========================
#
#  Specifies:
#
#      The compression level that is passed to the zlib library when
#      compressing buffered content.
#
#  Type of value:
#
#      Positive number ranging from 0 to 9.
#
#  Default value:
#
#      1
#
#  Notes:
#
#      Compressing the data more usually takes longer than
#      compressing it less or not compressing it at all. Which level
#      is best depends on the connection between Privoxy and the
#      client. If you can't be bothered to benchmark it for yourself,
#      you should stick with the default and keep compression
#      disabled.
#
#      If compression is disabled, the compression level is
#      irrelevant.
#
#  Examples:
#
#        # Best speed (compared to the other levels)
#        compression-level 1
#
#        # Best compression
#        compression-level 9
#
#        # No compression. Only useful for testing as the added header
#        # slightly increases the amount of data that has to be sent.
#        # If your benchmark shows that using this compression level
#        # is superior to using no compression at all, the benchmark
#        # is likely to be flawed.
#        compression-level 0
#
#
#compression-level 9
#
#  6.13. client-header-order
#  ==========================
#
#  Specifies:
#
#      The order in which client headers are sorted before forwarding
#      them.
#
#  Type of value:
#
#      Client header names delimited by spaces or tabs
#
#  Default value:
#
#      None
#
#  Notes:
#
#      By default Privoxy leaves the client headers in the order they
#      were sent by the client. Headers are modified in-place, new
#      headers are added at the end of the already existing headers.
#
#      The header order can be used to fingerprint client requests
#      independently of other headers like the User-Agent.
#
#      This directive allows sorting the headers differently to
#      better mimic a different User-Agent. Client headers will be
#      emitted in the order given, headers whose name isn't
#      explicitly specified are added at the end.
#
#      Note that sorting headers in an uncommon way will make
#      fingerprinting actually easier. Encrypted headers are not
#      affected by this directive.
#
#client-header-order Host \
#   Accept \
#   Accept-Language \
#   Accept-Encoding \
#   Proxy-Connection \
#   Referer \
#   Cookie \
#   DNT \
#   If-Modified-Since \
#   Cache-Control \
#   Content-Length \
#   Content-Type
#
#
#  6.14. client-specific-tag
#  ==========================
#
#  Specifies:
#
#      The name of a tag that will always be set for clients that
#      requested it through the webinterface.
#
#  Type of value:
#
#      Tag name followed by a description that will be shown in the
#      webinterface
#
#  Default value:
#
#      None
#
#  Notes:
#
#      +-----------------------------------------------------+
#      |                       Warning                       |
#      |-----------------------------------------------------|
#      |This is an experimental feature. The syntax is likely|
#      |to change in future versions.                        |
#      +-----------------------------------------------------+
#
#      Client-specific tags allow Privoxy admins to create different
#      profiles and let the users choose which one they want without
#      impacting other users.
#
#      One use case is allowing users to circumvent certain blocks
#      without having to allow them to circumvent all blocks. This is
#      not possible with the enable-remote-toggle feature because it
#      would bluntly disable all blocks for all users and also affect
#      other actions like filters. It also is set globally which
#      renders it useless in most multi-user setups.
#
#      After a client-specific tag has been defined with the
#      client-specific-tag directive, action sections can be
#      activated based on the tag by using a CLIENT-TAG pattern. The
#      CLIENT-TAG pattern is evaluated at the same priority as URL
#      patterns, as a result the last matching pattern wins. Tags
#      that are created based on client or server headers are
#      evaluated later on and can overrule CLIENT-TAG and URL
#      patterns!
#
#      The tag is set for all requests that come from clients that
#      requested it to be set. Note that "clients" are differentiated
#      by IP address, if the IP address changes the tag has to be
#      requested again.
#
#      Clients can request tags to be set by using the CGI interface
#      http://config.privoxy.org/client-tags. The specific tag
#      description is only used on the web page and should be phrased
#      in a way that the user understands the effect of the tag.
#
#  Examples:
#
#        # Define a couple of tags (one directive per tag); the described
#        # effect requires action sections that are enabled based on
#        # CLIENT-TAG patterns.
#        client-specific-tag circumvent-blocks Overrule blocks but do not affect other actions
#        client-specific-tag disable-content-filters Disable content-filters but do not affect other actions
#
#
#
#  6.15. client-tag-lifetime
#  ==========================
#
#  Specifies:
#
#      How long a temporarily enabled tag remains enabled.
#
#  Type of value:
#
#      Time in seconds.
#
#  Default value:
#
#      60
#
#  Notes:
#
#      +-----------------------------------------------------+
#      |                       Warning                       |
#      |-----------------------------------------------------|
#      |This is an experimental feature. The syntax is likely|
#      |to change in future versions.                        |
#      +-----------------------------------------------------+
#
#      In case of some tags users may not want to enable them
#      permanently, but only for a short amount of time, for example
#      to circumvent a block that is the result of an overly-broad
#      URL pattern.
#
#      The CGI interface http://config.privoxy.org/client-tags
#      therefore provides an "enable this tag temporarily" option. If
#      it is used, the tag will be set until the client-tag-lifetime
#      is over.
#
#  Examples:
#
#        # Increase the time to live for temporarily enabled tags to 3 minutes
#        client-tag-lifetime 180
#
#
#
#  6.16. trust-x-forwarded-for
#  ============================
#
#  Specifies:
#
#      Whether or not Privoxy should use IP addresses specified with
#      the X-Forwarded-For header
#
#  Type of value:
#
#      0 or 1
#
#  Default value:
#
#      0
#
#  Notes:
#
#      +-----------------------------------------------------+
#      |                       Warning                       |
#      |-----------------------------------------------------|
#      |This is an experimental feature. The syntax is likely|
#      |to change in future versions.                        |
#      +-----------------------------------------------------+
#
#      If clients reach Privoxy through another proxy, for example a
#      load balancer, Privoxy can't tell the client's IP address from
#      the connection.
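The identity that client-specific tags (6.14) are keyed on is normally the TCP peer address; with trust-x-forwarded-for 1 it becomes whatever the X-Forwarded-For header says. The Python model below is an added example written for this page, not Privoxy code. It plays out both settings with constructed addresses: a peer that can reach an unrestricted listener can switch a tag on for another client and register state for thousands of clients that do not exist, while an ACL that admits only the upstream proxy refuses the spoof and still keeps that proxy's clients apart. The ACL is modelled as a plain set of permitted peer addresses standing in for Privoxy's access-control rules, and taking the first address of a comma-separated header is the model's assumption, not something this manual specifies.

```python
"""Which address does Privoxy key client-specific tags on?

Added example for this page, not Privoxy code. It models only what the
manual states about 6.14 and 6.16: tags are stored per client IP
address, and with trust-x-forwarded-for 1 the X-Forwarded-For header
supplies that address instead of the TCP peer. Assumptions: the ACL is
a plain set of permitted peers, and the FIRST address of a
comma-separated header is used. All IP addresses are constructed data.
"""
from typing import Dict, Optional, Set, Tuple


class AccessDenied(Exception):
    """Peer is outside the ACL; Privoxy would refuse the connection."""


class ClientTagStore:
    def __init__(self, trust_xff: bool, permitted_peers: Optional[Set[str]] = None):
        self.trust_xff = trust_xff
        self.permitted_peers = permitted_peers   # None: reachable by anyone
        self._tags: Dict[str, Set[str]] = {}

    def client_address(self, peer_ip: str, headers: Dict[str, str]) -> str:
        """The identity a request is attributed to for tag purposes."""
        if self.permitted_peers is not None and peer_ip not in self.permitted_peers:
            raise AccessDenied(peer_ip)
        xff = headers.get("X-Forwarded-For", "")
        if self.trust_xff and xff.strip():
            return xff.split(",")[0].strip()   # model assumption: first hop wins
        return peer_ip

    def enable_tag(self, peer_ip: str, headers: Dict[str, str], tag: str) -> str:
        """Models a client enabling a tag at http://config.privoxy.org/client-tags."""
        addr = self.client_address(peer_ip, headers)
        self._tags.setdefault(addr, set()).add(tag)
        return addr

    def tags_for(self, peer_ip: str, headers: Dict[str, str]) -> Set[str]:
        return set(self._tags.get(self.client_address(peer_ip, headers), ()))

    def tracked_clients(self) -> int:
        return len(self._tags)


def spoof_on_open_listener() -> Set[str]:
    """trust-x-forwarded-for 1, no ACL: 10.0.0.66 turns on circumvent-blocks
    for 10.0.0.5, who never asked for it and sends no header at all."""
    store = ClientTagStore(trust_xff=True)
    store.enable_tag("10.0.0.66", {"X-Forwarded-For": "10.0.0.5"}, "circumvent-blocks")
    return store.tags_for("10.0.0.5", {})


def state_exhaustion(fake_clients: int) -> int:
    """Same setting: one peer registers tag state for clients that don't exist."""
    store = ClientTagStore(trust_xff=True)
    for i in range(fake_clients):
        fake = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        store.enable_tag("10.0.0.66", {"X-Forwarded-For": fake}, "disable-content-filters")
    return store.tracked_clients()


def acl_restricted() -> Tuple[bool, Set[str], Set[str]]:
    """Only the load balancer 192.0.2.10 may connect: the spoof attempt is
    refused, and two clients behind the balancer keep separate tag sets."""
    store = ClientTagStore(trust_xff=True, permitted_peers={"192.0.2.10"})
    try:
        store.enable_tag("10.0.0.66", {"X-Forwarded-For": "10.0.0.5"}, "circumvent-blocks")
        refused = False
    except AccessDenied:
        refused = True
    store.enable_tag("192.0.2.10", {"X-Forwarded-For": "10.0.0.7"}, "circumvent-blocks")
    return (refused,
            store.tags_for("192.0.2.10", {"X-Forwarded-For": "10.0.0.7"}),
            store.tags_for("192.0.2.10", {"X-Forwarded-For": "10.0.0.8"}))


def default_setting() -> Tuple[Set[str], Set[str]]:
    """trust-x-forwarded-for 0 (the default; this file leaves it unset): the
    header is ignored and the tag lands on the peer that sent the request."""
    store = ClientTagStore(trust_xff=False)
    store.enable_tag("10.0.0.66", {"X-Forwarded-For": "10.0.0.5"}, "circumvent-blocks")
    return store.tags_for("10.0.0.5", {}), store.tags_for("10.0.0.66", {})


if __name__ == "__main__":
    print("spoofed victim tags:", spoof_on_open_listener())
    print("tracked fake clients:", state_exhaustion(5000))
    print("behind ACL (refused, client .7, client .8):", acl_restricted())
    print("default off (victim, attacker):", default_setting())
```

The two failure modes the manual warns about are exactly the first two functions: tag changes for other clients, and unbounded per-client state. The ACL case shows why the option is only safe when the listener is unreachable except through the trusted proxy; the header alone carries no proof of who sent it.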
If multiple clients use the same proxy, they 2174 | # will share the same client tag settings, which is usually not 2175 | # desired. 2176 | # 2177 | # This option lets Privoxy use the X-Forwarded-For header value 2178 | # as client IP address. If the proxy sets the header, multiple 2179 | # clients using the same proxy do not share the same client tag 2180 | # settings. 2181 | # 2182 | # This option should only be enabled if Privoxy can only be 2183 | # reached through a proxy and if the proxy can be trusted to set 2184 | # the header correctly. It is recommended that ACLs are used to 2185 | # make sure only trusted systems can reach Privoxy. 2186 | # 2187 | # If access to Privoxy isn't limited to trusted systems, this 2188 | # option would allow malicious clients to change the client tags 2189 | # for other clients or increase Privoxy's memory requirements by 2190 | # registering lots of client tag settings for clients that don't 2191 | # exist. 2192 | # 2193 | # Examples: 2194 | # 2195 | # # Allow systems that can reach Privoxy to provide the client 2196 | # # IP address with an X-Forwarded-For header. 2197 | # trust-x-forwarded-for 1 2198 | # 2199 | # 2200 | # 2201 | # 7. WINDOWS GUI OPTIONS 2202 | # ======================= 2203 | # 2204 | # Privoxy has a number of options specific to the Windows GUI 2205 | # interface: 2206 | # 2207 | # 2208 | # 2209 | # If "activity-animation" is set to 1, the Privoxy icon will animate 2210 | # when "Privoxy" is active. To turn off, set to 0. 2211 | # 2212 | #activity-animation 1 2213 | # 2214 | # 2215 | # 2216 | # If "log-messages" is set to 1, Privoxy copies log messages to the 2217 | # console window. The log detail depends on the debug directive. 2218 | # 2219 | #log-messages 1 2220 | # 2221 | # 2222 | # 2223 | # If "log-buffer-size" is set to 1, the size of the log buffer, i.e. 2224 | # the amount of memory used for the log messages displayed in the 2225 | # console window, will be limited to "log-max-lines" (see below).
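The trust-x-forwarded-for notes above draw the trust boundary: the header only means something when the immediate TCP peer is a proxy you control, and if Privoxy is reachable by arbitrary clients a forged header lets one client change another client's tags. The following is an added example in Python, not Privoxy code and not part of this repository, contrasting a lookup that takes the header at face value with one that honours it only when the peer is in a trusted-proxy list and then walks the hops right to left. The proxy address 10.0.0.5 and the sample requests are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed for this example only: the single upstream proxy / load balancer
# that is allowed to set X-Forwarded-For.  Not an address from the page.
TRUSTED_PROXIES: List[IPNetwork] = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr: IPAddress, trusted: List[IPNetwork]) -> bool:
    return any(addr.version == net.version and addr in net for net in trusted)


def naive_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Header taken at face value: whoever wrote X-Forwarded-For picks the
    address.  This is the failure mode the notes above warn about."""
    if xff:
        first = xff.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass
    return str(ipaddress.ip_address(peer_ip))


def client_ip(peer_ip: str, xff: Optional[str], trust_xff: bool = False,
              trusted: Optional[List[IPNetwork]] = None) -> str:
    """Address to key per-client state (such as client tags) on.

    The header is consulted only when the option is on AND the TCP peer is a
    trusted proxy.  Hops are walked right to left: each trusted proxy appends
    the address it saw, so the rightmost hop that is not itself a trusted
    proxy is the real client; anything a client prepended is ignored.  A
    malformed hop discards the whole header."""
    trusted = TRUSTED_PROXIES if trusted is None else trusted
    peer = ipaddress.ip_address(peer_ip)
    if not trust_xff or not xff or not _is_trusted(peer, trusted):
        return str(peer)
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)      # garbage in the header: trust none of it
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)              # header listed only proxy addresses


def demo() -> Dict[str, str]:
    """Constructed requests (not captured traffic) showing each path."""
    return {
        # Untrusted client connecting directly and forging the header:
        # ignored by client_ip, honoured by the naive version.
        "direct_spoof": client_ip("203.0.113.10", "192.0.2.99", trust_xff=True),
        "direct_spoof_naive": naive_client_ip("203.0.113.10", "192.0.2.99"),
        # Through the trusted proxy, which appended the real client address.
        "via_proxy": client_ip("10.0.0.5", "192.0.2.99", trust_xff=True),
        # Client prepended a fake hop; the proxy still appended the real one.
        "via_proxy_prepended": client_ip("10.0.0.5", "198.51.100.1, 192.0.2.99",
                                         trust_xff=True),
        # Option left at its default of 0: the header is never consulted.
        "option_off": client_ip("10.0.0.5", "192.0.2.99"),
    }


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:22s} -> {addr}")
```

The peer check is what an ACL in front of Privoxy buys you; without it the "via_proxy" and "direct_spoof" cases are indistinguishable to the proxy, which is why the directive should stay at 0 unless every path to Privoxy goes through a proxy you control.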
2226 | # 2227 | # Warning: Setting this to 0 will result in the buffer to grow 2228 | # infinitely and eat up all your memory! 2229 | # 2230 | #log-buffer-size 1 2231 | # 2232 | # 2233 | # 2234 | # log-max-lines is the maximum number of lines held in the log 2235 | # buffer. See above. 2236 | # 2237 | #log-max-lines 200 2238 | # 2239 | # 2240 | # 2241 | # If "log-highlight-messages" is set to 1, Privoxy will highlight 2242 | # portions of the log messages with a bold-faced font: 2243 | # 2244 | #log-highlight-messages 1 2245 | # 2246 | # 2247 | # 2248 | # The font used in the console window: 2249 | # 2250 | #log-font-name Comic Sans MS 2251 | # 2252 | # 2253 | # 2254 | # Font size used in the console window: 2255 | # 2256 | #log-font-size 8 2257 | # 2258 | # 2259 | # 2260 | # "show-on-task-bar" controls whether or not Privoxy will appear as 2261 | # a button on the Task bar when minimized: 2262 | # 2263 | #show-on-task-bar 0 2264 | # 2265 | # 2266 | # 2267 | # If "close-button-minimizes" is set to 1, the Windows close button 2268 | # will minimize Privoxy instead of closing the program (close with 2269 | # the exit option on the File menu). 2270 | # 2271 | #close-button-minimizes 1 2272 | # 2273 | # 2274 | # 2275 | # The "hide-console" option is specific to the MS-Win console 2276 | # version of Privoxy. If this option is used, Privoxy will 2277 | # disconnect from and hide the command console. 2278 | # 2279 | #hide-console 2280 | # 2281 | # 2282 | # 2283 | -------------------------------------------------------------------------------- /deprecated/Squid.wrapper: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # 3 | # MacPorts generated daemondo support script 4 | # 5 | 6 | # 7 | # Init 8 | # 9 | prefix=/opt/local 10 | 11 | # 12 | # Start 13 | # 14 | Start() 15 | { 16 | cd /opt/local/var/squid 17 | if [ ! 
-d "/opt/local/var/squid/cache/00" ]; then 18 | /opt/local/sbin/squid -s -z 19 | fi 20 | /opt/local/sbin/squid -s -N 21 | } 22 | 23 | # 24 | # Stop 25 | # 26 | Stop() 27 | { 28 | cd /opt/local/var/squid 29 | /opt/local/sbin/squid -k shutdown 30 | while /opt/local/sbin/squid -k check; do 31 | sleep 1 32 | done 33 | } 34 | 35 | # 36 | # Restart 37 | # 38 | Restart() 39 | { 40 | Stop 41 | Start 42 | } 43 | 44 | # 45 | # Run 46 | # 47 | Run() 48 | { 49 | case $1 in 50 | start ) Start ;; 51 | stop ) Stop ;; 52 | restart) Restart ;; 53 | * ) echo "$0: unknown argument: $1";; 54 | esac 55 | } 56 | 57 | # 58 | # Run a phase based on the selector 59 | # 60 | Run $1 61 | -------------------------------------------------------------------------------- /deprecated/disable.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | # OS X Fortress: Firewall, Blackhole, and Privatizing Proxy 4 | # for Trackers, Attackers, Malware, Adware, and Spammers 5 | 6 | # disable.sh 7 | 8 | # commands 9 | SUDO=/usr/bin/sudo 10 | PORT=/opt/local/bin/port 11 | LAUNCHCTL=/bin/launchctl 12 | PFCTL=/sbin/pfctl 13 | KILLALL=/usr/bin/killall 14 | CAT=/bin/cat 15 | ECHO=/bin/echo 16 | 17 | $CAT < 2 | 3 | 4 | 5 | Label 6 | net.securemecca.pac.plist 7 | Program 8 | /bin/bash 9 | ProgramArguments 10 | 11 | /bin/bash 12 | -c 13 | export PROXY_PAC_DIRECTORY=/Library/WebServer/Documents; /bin/mkdir -p /usr/local/etc ; ( /bin/test -f $PROXY_PAC_DIRECTORY/proxy.pac.orig || /usr/bin/install -m 644 -S $PROXY_PAC_DIRECTORY/proxy.pac $PROXY_PAC_DIRECTORY/proxy.pac.orig ) && /bin/cp $PROXY_PAC_DIRECTORY/proxy.pac.orig /tmp/proxy.pac.orig && /opt/local/bin/wget -N -P /usr/local/etc http://securemecca.com/Downloads/AutoPac_EN.unx.7z && /opt/local/bin/7za x -aoa -o/tmp /usr/local/etc/AutoPac_EN.unx.7z AutoPac_EN.unx && /opt/local/bin/gpg --verify /tmp/AutoPac_EN.unx/proxy_en.sig /tmp/AutoPac_EN.unx/proxy_en && /usr/bin/printf '// *Modified for 
mydomainname.com*\n// King of the PAC from http://securemecca.com/pac.html:\n' > /tmp/proxy.pac && /usr/bin/sed -E 's/return[ \t]+normal/return MyFindProxyForURL(url.toString(), host)/g' /tmp/AutoPac_EN.unx/proxy_en >> /tmp/proxy.pac && /usr/bin/sed -E 's/function[ \t]+FindProxyForURL/function MyFindProxyForURL/' /tmp/proxy.pac.orig >> /tmp/proxy.pac && /usr/bin/install -m 644 -g admin -S /tmp/proxy.pac $PROXY_PAC_DIRECTORY/proxy.pac ; /bin/rm -fr /tmp/proxy.pac /tmp/proxy.pac.orig /tmp/AutoPac_EN.unx 14 | 15 | RunAtLoad 16 | 17 | StartInterval 18 | 90450 19 | ServiceDescription 20 | securemecca.com King of the PAC Modification 21 | StandardErrorPath 22 | /var/log/system.log 23 | StandardOutPath 24 | /var/log/system.log 25 | 26 | 27 | -------------------------------------------------------------------------------- /deprecated/org.adblockplus.privoxy-adblock.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | org.adblockplus.privoxy-adblock.plist 7 | Program 8 | /bin/bash 9 | ProgramArguments 10 | 11 | /bin/bash 12 | -c 13 | /usr/local/bin/privoxy-adblock.sh && /bin/launchctl unload -w /Library/LaunchDaemons/org.macports.Privoxy.plist && /bin/launchctl load -w /Library/LaunchDaemons/org.macports.Privoxy.plist 14 | 15 | RunAtLoad 16 | 17 | StartInterval 18 | 90450 19 | ServiceDescription 20 | GitHub skroll/privoxy-adblock fork 21 | StandardErrorPath 22 | /var/log/system.log 23 | StandardOutPath 24 | /var/log/system.log 25 | 26 | 27 | -------------------------------------------------------------------------------- /disable.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | # macOS-Fortress: Firewall, Blackhole, and Privatizing Proxy 4 | # for Trackers, Attackers, Malware, Adware, and Spammers 5 | 6 | # disable.sh 7 | 8 | # commands 9 | SUDO=/usr/bin/sudo 10 | PORT=/opt/local/bin/port 11 | LAUNCHCTL=/bin/launchctl 12 | PFCTL=/sbin/pfctl 13 | 
KILLALL=/usr/bin/killall 14 | CAT=/bin/cat 15 | ECHO=/bin/echo 16 | 17 | $CAT </dev/null 2>&1 \ 285 | && echo "[✅] PAC $PROXY_PAC_DIRECTORY/proxy.pac.orig passes Javascript parsing" \ 286 | || echo "[❌] PAC $PROXY_PAC_DIRECTORY/proxy.pac.orig fails Javascript parsing" ; \ 287 | fi 288 | if [ -x $JSC -a -f $PROXY_PAC_DIRECTORY/proxy.pac ]; then \ 289 | $JSC $PROXY_PAC_DIRECTORY/proxy.pac >/dev/null 2>&1 \ 290 | && echo "[✅] PAC $PROXY_PAC_DIRECTORY/proxy.pac passes Javascript parsing" \ 291 | || echo "[❌] PAC $PROXY_PAC_DIRECTORY/proxy.pac fails Javascript parsing" ; \ 292 | fi 293 | 294 | # proxy.pac on proxy server 295 | if [[ `$CURL -s --head http://${PROXY_PAC_SERVER}/proxy.pac | $HEAD -n 1 | $GREP "HTTP/1.\d [23]\d\d"` ]]; then 296 | echo "[✅] Web server for http://${PROXY_PAC_SERVER}/proxy.pac is running properly" 297 | else 298 | $CAT < 2 | 3 | 4 | 5 | Label 6 | net.dshield.block 7 | Program 8 | /bin/bash 9 | ProgramArguments 10 | 11 | /bin/bash 12 | -c 13 | /bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://feeds.dshield.org/block.txt && /opt/local/bin/wget -N -P /usr/local/etc http://feeds.dshield.org/block.txt.asc && /opt/local/bin/gpg --verify /usr/local/etc/block.txt.asc /usr/local/etc/block.txt && /usr/bin/perl -ane 'use POSIX; use Data::Validate::IP; my $vip=Data::Validate::IP->new; if (/^\w*#/) { print; } elsif ($vip->is_ipv4($F[0]) & $vip->is_ipv4($F[1]) & isdigit($F[2]) & (0<= $F[2] & $F[2]<=32)) { print $F[0], "/", $F[2], "\n"; }' /usr/local/etc/block.txt > /tmp/dshield_block_ip.txt && /usr/bin/install -m 644 -g admin -S /tmp/dshield_block_ip.txt /usr/local/etc/dshield_block_ip.txt ; /bin/rm -f /tmp/dshield_block_ip.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf 14 | 15 | RunAtLoad 16 | 17 | StartInterval 18 | 11250 19 | StandardErrorPath 20 | /var/log/pf.log 21 | StandardOutPath 22 | /var/log/pf.log 23 | 24 | 25 | -------------------------------------------------------------------------------- 
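The net.dshield.block.plist job above downloads the feed, checks its GPG signature, then runs each line through a perl one-liner that accepts only records whose first two fields are IPv4 addresses and whose third field is a prefix length in 0..32, before the result is handed to pfctl. As an added example (not part of this repository), here is that validation in Python with two checks the one-liner does not make: the end address must lie inside the network formed by the start address and prefix, and duplicates are dropped. The sample feed text is constructed in the layout of DShield's block.txt using documentation address ranges; it is not real feed data, and `render_pf_table` is a helper named for this example.

```python
import ipaddress
from typing import List

# Constructed sample in the layout of feeds.dshield.org/block.txt
# (comment header, then "start<TAB>end<TAB>prefixlen<TAB>count<TAB>name").
# Documentation ranges only; not real feed content.
SAMPLE_BLOCK_TXT = (
    "# DShield.org Recommended Block List\n"
    "#   Start\tEnd\tNetmask\tAttacks\tName\n"
    "192.0.2.0\t192.0.2.255\t24\t120\tExampleNet\n"
    "198.51.100.0\t198.51.100.255\t24\t85\tExampleNet2\n"
    "203.0.113.7\t203.0.113.255\t24\t10\tHostBitsInStart\n"
    "192.0.2.0\t192.0.2.255\t24\t120\tDuplicate\n"
    "not.an.ip\t203.0.113.255\t24\t3\tGarbage\n"
    "10.0.0.0\t10.255.255.255\t33\t1\tBadPrefix\n"
    "10.0.0.0\t172.16.0.1\t8\t1\tEndOutsideNetwork\n"
    "rm -rf /\n"
)


def parse_dshield_block(text: str) -> List[str]:
    """Return validated, normalised, de-duplicated IPv4 CIDRs from a
    block.txt-style feed.  Anything that is not a well-formed record is
    dropped, so a tampered or truncated download cannot push arbitrary
    text into the file that pfctl -T load reads."""
    seen = set()
    nets: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        try:
            start = ipaddress.IPv4Address(fields[0])
            end = ipaddress.IPv4Address(fields[1])
            plen = int(fields[2])
            if not 0 <= plen <= 32:
                continue
            # strict=False clears host bits if the feed's start address has any
            net = ipaddress.IPv4Network(f"{start}/{plen}", strict=False)
        except ValueError:
            continue
        if end not in net:          # start/end/prefix disagree: reject
            continue
        cidr = str(net)
        if cidr not in seen:
            seen.add(cidr)
            nets.append(cidr)
    return nets


def render_pf_table(nets: List[str]) -> str:
    """One CIDR per line, the form `pfctl -a blockips -T load -f` accepts."""
    return "".join(n + "\n" for n in nets)


if __name__ == "__main__":
    print(render_pf_table(parse_dshield_block(SAMPLE_BLOCK_TXT)), end="")
```

Of the sample's eight records only three survive: the two clean /24s and the one whose start address carried host bits (normalised to the network address); the duplicate, the non-address, the prefix of 33, the record whose end address falls outside its own network, and the stray shell text are all rejected. The signature check in the plist protects the download in transit; this step protects pf from a signed feed that is simply malformed.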
/net.emergingthreats.blockips.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | net.emergingthreats.blockips 7 | Program 8 | /bin/bash 9 | ProgramArguments 10 | 11 | /bin/bash 12 | -c 13 | /bin/mkdir -p /usr/local/etc ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt ; /opt/local/bin/wget -N -P /usr/local/etc http://rules.emergingthreats.net/blockrules/compromised-ips.txt ; /sbin/pfctl -a blockips -T load -f /usr/local/etc/blockips.conf 14 | 15 | RunAtLoad 16 | 17 | StartInterval 18 | 47250 19 | StandardErrorPath 20 | /var/log/pf.log 21 | StandardOutPath 22 | /var/log/pf.log 23 | 24 | 25 | -------------------------------------------------------------------------------- /net.hphosts.hosts.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | net.hphosts.hosts 7 | Program 8 | /bin/bash 9 | ProgramArguments 10 | 11 | /bin/bash 12 | -c 13 | /bin/mkdir -p /usr/local/etc ; ( /bin/test -f /etc/hosts.orig || /usr/bin/install -m 644 -S /etc/hosts /etc/hosts.orig ) && /bin/cp /etc/hosts.orig /tmp/hosts && /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/download/hosts.zip && /opt/local/bin/wget -N -P /usr/local/etc http://hosts-file.net/hphosts-partial.asp && /usr/bin/unzip -o /usr/local/etc/hosts.zip -d /tmp/hphosts && /opt/local/bin/gpg --verify /tmp/hphosts/hosts.txt.asc /tmp/hphosts/hosts.txt && ( /bin/test -f /usr/local/etc/whitelist.txt || /usr/bin/printf '\n# whitelisted hosts (FQDN and DN) will be deleted from hphost'"'"'s host.zip\n#\n' > /usr/local/etc/whitelist.txt ) && /usr/bin/printf '\n# hpHosts hosts.txt from http://hosts-file.net/download/hosts.zip:\n' > /tmp/hosts-block.txt && /bin/cat /tmp/hphosts/hosts.txt | tr -d '\015' | /usr/bin/perl -ane 'use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if 
is_domain($1); } else { print; } }' >> /tmp/hosts-block.txt && /usr/bin/printf '\n# hpHosts hphosts-partial.asp from http://hosts-file.net/hphosts-partial.asp:\n' >> /tmp/hosts-block.txt && /bin/cat /usr/local/etc/hphosts-partial.asp | tr -d '\015' | /usr/bin/perl -ane 'use POSIX; use Data::Validate::Domain qw(is_domain); { if (/^127\.0\.0\.1\s*(.+)$/) { print qq#127.0.0.1\t$1\n# if is_domain($1); } else { print; } }' >> /tmp/hosts-block.txt && ( /bin/test -f /usr/local/etc/blacklist.txt && /bin/cat /usr/local/etc/blacklist.txt >> /tmp/hosts ) && /usr/bin/grep -v -E "`/usr/bin/perl -ane 'BEGIN{$s=qw#\\s+(#}; { if (!/^\w*#/&length($F[0])>0){$s = $s . $F[0] . qw(|);}} END{$s = substr($s,0,length($s)-1) . qw#)\\s*#; $s=~s/\\./\\\\./g; print $s;}' /usr/local/etc/whitelist.txt`" /tmp/hosts-block.txt >> /tmp/hosts && /usr/bin/install -m 644 -S /tmp/hosts /etc/hosts-hphosts ; /bin/rm -fr /tmp/hosts /tmp/hphosts /tmp/hosts-block.txt ; /opt/local/sbin/squid -k reconfigure 14 | 15 | RunAtLoad 16 | 17 | StartInterval 18 | 86850 19 | StandardErrorPath 20 | /var/log/system.log 21 | StandardOutPath 22 | /var/log/system.log 23 | 24 | 25 | -------------------------------------------------------------------------------- /net.openbsd.pf.brutexpire.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | net.openbsd.pf.brutexpire 7 | Program 8 | /sbin/pfctl 9 | ProgramArguments 10 | 11 | /sbin/pfctl 12 | -t 13 | bruteforce 14 | -T 15 | expire 16 | 604800 17 | 18 | RunAtLoad 19 | 20 | StartInterval 21 | 86400 22 | StandardErrorPath 23 | /var/log/pf.log 24 | StandardOutPath 25 | /var/log/pf.log 26 | 27 | 28 | -------------------------------------------------------------------------------- /net.openbsd.pf.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Disabled 6 | false 7 | Label 8 | net.openbsd.pf 9 | WorkingDirectory 10 | /var/run 11 | Program 12 | /bin/bash 13 | 
ProgramArguments 14 | 15 | /bin/bash 16 | -c 17 | for tt in {1..4}; do if [[ `/sbin/ifconfig | /opt/local/bin/pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | /usr/bin/egrep -o -m 1 '^[^\t:]+'` = '' ]]; then /bin/sleep 45; else /sbin/pfctl -Fall && /sbin/pfctl -ef /etc/pf.conf; break; fi; done 18 | 19 | RunAtLoad 20 | 21 | StandardErrorPath 22 | /var/log/pf.log 23 | StandardOutPath 24 | /var/log/pf.log 25 | 26 | 27 | -------------------------------------------------------------------------------- /org.opensource.flashcookiedelete.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Disabled 6 | 7 | Label 8 | org.opensource.flashcookiedelete.plist 9 | Program 10 | /bin/bash 11 | ProgramArguments 12 | 13 | /bin/bash 14 | -c 15 | /usr/bin/find ~/Library/Preferences/Macromedia/Flash\ Player ! -path ~/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/settings.sol -delete 16 | 17 | RunAtLoad 18 | 19 | ServiceDescription 20 | Delete Flash Cookies 21 | StartInterval 22 | 1800 23 | 24 | 25 | -------------------------------------------------------------------------------- /org.squid-cache.squid-rotate.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | org.squid-cache.squid-rotate 7 | ProgramArguments 8 | 9 | /bin/bash 10 | -c 11 | /opt/local/sbin/squid -k rotate ; find /opt/local/var/squid/logs -mindepth 1 -mtime +30 -exec /bin/rm {} ';' 12 | 13 | StartCalendarInterval 14 | 15 | Hour 16 | 0 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /pf.conf: -------------------------------------------------------------------------------- 1 | # 2 | # Default PF configuration file. 3 | # 4 | # This file contains the main ruleset, which gets automatically loaded 5 | # at startup. PF will not be automatically enabled, however. 
Instead, 6 | # each component which utilizes PF is responsible for enabling and disabling 7 | # PF via -E and -X as documented in pfctl(8). That will ensure that PF 8 | # is disabled only when the last enable reference is released. 9 | # 10 | # Care must be taken to ensure that the main ruleset does not get flushed, 11 | # as the nested anchors rely on the anchor point defined here. In addition 12 | # to the anchors loaded by this file, some system services may dynamically 13 | # insert anchors into the main ruleset. These anchors will be added only when 14 | # the system service is used and would be removed on termination of the service. 15 | # 16 | # See pf.conf(5) for syntax. 17 | # 18 | 19 | # References for modifications: 20 | # The Book of PF by Peter N.M. Hansteen, p. 21 21 | # http://ikawnoclast.com/security/mac-os-x-pf-firewall-avoiding-known-bad-guys/ 22 | # http://support.apple.com/kb/HT5519?viewlocale=en_US&locale=en_US 23 | # http://blog.scottlowe.org/2013/05/15/using-pf-on-os-x-mountain-lion/ 24 | # http://krypted.com/mac-security/a-cheat-sheet-for-using-pf-in-os-x-lion-and-up/ 25 | 26 | 27 | # Internal interface; use the command `ifconfig -a` or: 28 | # $ ifconfig | pcregrep -M -o '^[^\t:]+:([^\n]|\n\t)*status: active' | egrep -o -m 1 '^[^\t:]+' 29 | int_if = "en0" 30 | 31 | # VPN network (uncomment '#vpn#' comment lines) 32 | # $vpn_net == utun0/24 when Tunnelblick creates utun0 33 | #vpn# vpn_net = "10.8.0/24" # utun0 interface doesn't exist at boot time 34 | 35 | 36 | # Options 37 | set block-policy return 38 | set fingerprints "/etc/pf.os" 39 | set ruleset-optimization basic 40 | set skip on lo0 41 | 42 | 43 | # Normalization 44 | # Scrub incoming packets 45 | scrub in all no-df 46 | 47 | # 48 | # com.apple anchor point 49 | # 50 | scrub-anchor "com.apple/*" 51 | 52 | 53 | # Queueing 54 | 55 | 56 | # Translation 57 | 58 | # OpenVPN Server NAT 59 | # 60 | # The Book of PF, p.
21 61 | # Allow VPN connections to the VPN host: 62 | # http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work 63 | #tun_if = "utun0" 64 | #no nat on ! $tun_if from $vpn_net to ($int_if) 65 | #nat on ! $tun_if from $vpn_net to ! ($int_if) -> ($int_if) 66 | # Use a list in case Tunnelblick creates multiple utun interfaces 67 | #tun_if = "{ utun0, utun1, utun2, utun3, utun4, utun5, utun6, utun7, utun8, utun9 }" 68 | #vpn# not_tun_if = "{ !utun0, !utun1, !utun2, !utun3, !utun4, !utun5, !utun6, !utun7, !utun8, !utun9 }" 69 | #vpn# no nat on $not_tun_if from $vpn_net to ($int_if) 70 | #vpn# nat on $not_tun_if from $vpn_net to ! ($int_if) -> ($int_if) 71 | # This rule must be included below BEFORE these packets are passed by other rules: 72 | # pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if 73 | 74 | nat-anchor "com.apple/*" 75 | rdr-anchor "com.apple/*" 76 | dummynet-anchor "com.apple/*" 77 | anchor "com.apple/*" 78 | load anchor "com.apple" from "/etc/pf.anchors/com.apple" 79 | 80 | # macOS Server Adaptive Firewall 81 | # Comment out for non-macOS Server instances 82 | # anchor "com.apple.server-firewall/*" 83 | # load anchor "com.apple.server-firewall" from "/etc/pf.anchors/com.apple.server-firewall" 84 | 85 | # Filtering 86 | 87 | # Block by default 88 | block all 89 | 90 | # Debugging: 91 | #pass quick log (all, to pflog0) all 92 | #block log (all, to pflog0) all 93 | 94 | # debugging rules 95 | # $ sudo ifconfig pflog0 create 96 | # $ sudo tcpdump -n -e -ttt -i pflog0 97 | # $ sudo ifconfig pflog0 destroy 98 | # block log (all, to pflog0) all 99 | 100 | # Allow VPN connections to the VPN host: 101 | # http://serverfault.com/questions/555594/troubleshoot-broken-tcp-from-openvpn-client-to-server-but-ping-traceroute-work 102 | # pass in quick on $tun_if reply-to $tun_if from $vpn_net to $int_if 103 | # Rule for a lot of utun interfaces in case Tunnelblick creates extras 104 | #vpn#
pass in quick on utun0 reply-to utun0 from $vpn_net to $int_if 105 | #vpn# pass in quick on utun1 reply-to utun1 from $vpn_net to $int_if 106 | #vpn# pass in quick on utun2 reply-to utun2 from $vpn_net to $int_if 107 | #vpn# pass in quick on utun3 reply-to utun3 from $vpn_net to $int_if 108 | #vpn# pass in quick on utun4 reply-to utun4 from $vpn_net to $int_if 109 | #vpn# pass in quick on utun5 reply-to utun5 from $vpn_net to $int_if 110 | #vpn# pass in quick on utun6 reply-to utun6 from $vpn_net to $int_if 111 | #vpn# pass in quick on utun7 reply-to utun7 from $vpn_net to $int_if 112 | #vpn# pass in quick on utun8 reply-to utun8 from $vpn_net to $int_if 113 | #vpn# pass in quick on utun9 reply-to utun9 from $vpn_net to $int_if 114 | 115 | # Local net 116 | table const { 10/8, 172.16/12, 192.168/16 } 117 | table const { ::1, fe80::/10 } 118 | 119 | pass quick inet from to any keep state 120 | pass quick inet6 from to any keep state 121 | 122 | # Antispoof 123 | antispoof log quick for $int_if inet 124 | 125 | # Block to/from illegal destinations or sources 126 | block drop in log quick from no-route to any 127 | block drop in log quick from urpf-failed to any 128 | # This is observed on macOS 129 | #block drop in log quick on $int_if from any to 255.255.255.255 130 | 131 | # Whitelist 132 | # Hardcoded IPs 133 | #mydomainname_com = "xxx.xxx.xxx.xxx" 134 | #table const { $mydomainname_com } 135 | #pass in quick from 136 | #pass out quick to 137 | 138 | # Block brute force attacks (the bruteforce table is the one pf_attacks and 139 | # net.openbsd.pf.brutexpire.plist refer to with pfctl -t bruteforce) 139 | table <bruteforce> persist 140 | block drop log quick from <bruteforce> 141 | 142 | # Allow application-specific traffic over these interfaces 143 | # multicast DNS 144 | pass on $int_if proto { udp, tcp } to { 224.0.0.2, 224.0.0.18, 224.0.0.251 } port mdns 145 | pass on $int_if proto igmp to { 224.0.0.1, 224.0.0.22, 224.0.0.251 } 146 | 147 | # quick pass of Tor relay ports to avoid blocks below 148 | #tor_relay = "{ 9001, 9030 }" 149 | #pass in quick proto tcp from any to $int_if port $tor_relay 150 | #pass
out quick proto tcp from $int_if port $tor_relay to any 151 | 152 | # Open Source IP blocks 153 | # Refresh with pfctl -a blockips -T load -f /usr/local/etc/blockips.conf 154 | anchor 'blockips' label "Open Source IP Blocks" 155 | load anchor 'blockips' from '/usr/local/etc/blockips.conf' 156 | 157 | # ICMP 158 | icmp_types = "echoreq" 159 | pass inet proto icmp from $int_if:network to any icmp-type $icmp_types 160 | pass inet proto icmp from any to $int_if icmp-type $icmp_types 161 | 162 | # allow out the default range for traceroute(8): 163 | # "base+nhops*nqueries-1" (33434+64*3-1) 164 | pass out on $int_if inet proto udp from any to any port 33433 >< 33626 165 | 166 | # Allow critical system traffic 167 | pass in quick inet proto udp from port bootps to port bootpc 168 | pass out quick inet proto udp from port bootpc to port bootps 169 | 170 | # LAN services: block access, except from localnet 171 | lan_udp_services = "{ domain, 5001, postgresql }" 172 | lan_tcp_services = "{ domain, auth, nntp, www, \ 173 | 311, 3128, 5001, 5900:5909, privoxy, postgresql, \ 174 | 8123, 8180, 8181, 9150, 9151 }" 175 | block in proto tcp from any to $int_if port $lan_tcp_services 176 | block in proto udp from any to $int_if port $lan_udp_services 177 | 178 | pass in inet proto udp from $int_if:network to $int_if port $lan_udp_services 179 | pass in inet proto tcp from $int_if:network to $int_if port $lan_tcp_services 180 | pass out proto udp from $int_if port $lan_udp_services to $int_if:network 181 | pass out proto tcp from $int_if port $lan_tcp_services to $int_if:network 182 | 183 | # Add vpn_net if running OpenVPN 184 | #vpn# pass in inet proto udp from $vpn_net to $int_if port $lan_udp_services 185 | #vpn# pass in inet proto tcp from $vpn_net to $int_if port $lan_tcp_services 186 | #vpn# pass out proto udp from $int_if port $lan_udp_services to $vpn_net 187 | #vpn# pass out proto tcp from $int_if port $lan_tcp_services to $vpn_net 188 | 189 | # Internet services 190 | 
internet_udp_services = "{ https, 500, openvpn, \ 191 | 1701, 4500, 5060, 5190, 5297, 5298, 5678, 16384 }" 192 | internet_tcp_services = "{ 995, 1640, 1723, 2195, \ 193 | 2196, 4190, 5218, 5223, 5190, 5220, 5222, 5298, \ 194 | 8008, 8443, 8800, 8843, 9001, 9030 }" 195 | pass in proto udp from any to $int_if port $internet_udp_services 196 | pass in proto tcp from any to $int_if port $internet_tcp_services 197 | pass out inet proto udp from $int_if to any port $internet_udp_services 198 | pass out inet proto tcp from $int_if to any port $internet_tcp_services 199 | 200 | #apns_services = "{ 2195, 2196 }" 201 | #pass in proto tcp from any port $apns_services to 202 | #pass out inet proto tcp to any port $apns_services from 203 | 204 | # ssh really restrictive: sources exceeding the limits are added to the 204 | # bruteforce table (the one pf_attacks counts) and their states flushed 205 | pass in inet proto tcp from any to $int_if port ssh \ 206 | keep state (max-src-conn 5, max-src-conn-rate 5/2, \ 207 | overload <bruteforce> flush global) 208 | pass out inet proto tcp from $int_if port ssh 209 | 210 | # web, mail: rate-limited too, with looser limits than ssh 211 | pass in inet proto tcp from any to $int_if \ 212 | port { smtp, https, imap, submission, imaps } \ 213 | keep state (max-src-nodes 50, max-src-conn 200, max-src-conn-rate 100/10, \ 214 | overload <bruteforce> flush global) 215 | pass out inet proto tcp from $int_if to any \ 216 | port { smtp, imap4-ssl, imap, submission, imaps } 217 | 218 | # I2P 219 | #i2p_port = "65530" 220 | #pass in inet proto { udp, tcp } from any to $int_if port $i2p_port 221 | #pass out inet proto { udp, tcp } from $int_if port $i2p_port to any 222 | -------------------------------------------------------------------------------- /pf_attacks: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Count attacks on the PF firewall 4 | 5 | num=0 6 | 7 | res=$(sudo pfctl -t bruteforce -Ts 2>&1 | sed -e 1,2d | wc -l) 8 | num=$((num + res)) 9 | 10 | res=$(sudo pfctl -a blockips -t compromised_ips -Ts -v 2>&1 | sed -e 1,2d | egrep -e 'Packets: [^0]' | wc -l) 11 |
num=$((num + res)) 12 | 13 | res=$(sudo pfctl -a blockips -t dshield_block_ip -Ts -v 2>&1 | sed -e 1,2d | egrep -e 'Packets: [^0]' | wc -l) 14 | num=$((num + res)) 15 | 16 | res=$(sudo pfctl -a blockips -t emerging_threats -Ts -v 2>&1 | sed -e 1,2d | egrep -e 'Packets: [^0]' | wc -l) 17 | num=$((num + res)) 18 | 19 | echo $num 20 | -------------------------------------------------------------------------------- /pf_restart: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | # restart pf 4 | 5 | sudo launchctl unload -w /Library/LaunchDaemons/net.openbsd.pf.plist 6 | sudo launchctl load -w /Library/LaunchDaemons/net.openbsd.pf.plist 7 | -------------------------------------------------------------------------------- /privoxy_restart: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | # restart Privoxy 4 | 5 | sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Privoxy.plist 6 | sudo launchctl load -w /Library/LaunchDaemons/org.macports.Privoxy.plist 7 | -------------------------------------------------------------------------------- /proxy.pac: -------------------------------------------------------------------------------- 1 | function FindProxyForURL(url, host) 2 | { 3 | if ( 4 | // Bypass proxy on the LAN for local DNS domainname 5 | // (host == "mydomainname.com") || 6 | // dnsDomainIs(host, ".mydomainname.com") || 7 | // (host == "mydomainname.private") || 8 | // dnsDomainIs(host, ".mydomainname.private") || 9 | // isPlainHostName(host) || 10 | shExpMatch(host, "10.*") || 11 | shExpMatch(host, "172.16.*") || 12 | shExpMatch(host, "192.168.*") || 13 | shExpMatch(host, "127.*") || 14 | dnsDomainIs(host, ".LOCAL") || 15 | // (dnsDomainIs(host, ".local") && 16 | // !dnsDomainIs(host, ".mydomainname.com")) || 17 | (url.substring(0,3) == "ftp") || 18 | // TV Guide listings on EyeTV; TitanTV Remote Scheduling 19 | (host == "epg.eyetv.com") || 20 | 
(host == "xmlrpc.macrovision.com") || 21 | (host == "partners.titantv.com") || 22 | dnsDomainIs(host, ".apple.com") || 23 | (url.substring(0,5) != "http:") 24 | ) 25 | return "DIRECT"; 26 | else 27 | // Use the listen address for squid 28 | // return "PROXY mydomainname.com:3128"; 29 | return "PROXY 127.0.0.1:3128"; 30 | } 31 | -------------------------------------------------------------------------------- /readme-and-install.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | # macOS Fortress: Firewall, Blackhole, and Privatizing Proxy 4 | # for Trackers, Attackers, Malware, Adware, and Spammers 5 | # with On-Demand and On-Access Anti-Virus Scanning 6 | 7 | # commands 8 | SUDO=/usr/bin/sudo 9 | INSTALL=/usr/bin/install 10 | PORT=/opt/local/bin/port 11 | CPAN=/usr/bin/cpan 12 | GPG=/opt/local/bin/gpg 13 | CURL=/usr/bin/curl 14 | OPEN=/usr/bin/open 15 | DIFF=/usr/bin/diff 16 | PATCH=/usr/bin/patch 17 | LAUNCHCTL=/bin/launchctl 18 | APACHECTL=/usr/sbin/apachectl 19 | SERVERADMIN=/Applications/Server.app/Contents/ServerRoot/usr/sbin/serveradmin 20 | PFCTL=/sbin/pfctl 21 | MKDIR=/bin/mkdir 22 | CHOWN=/usr/sbin/chown 23 | CAT=/bin/cat 24 | ECHO=/bin/echo 25 | MORE=/usr/bin/more 26 | LSOF=/usr/sbin/lsof 27 | CP=/bin/cp 28 | RM=/bin/rm 29 | SH=/bin/sh 30 | FMT=/usr/bin/fmt 31 | EGREP=/usr/bin/egrep 32 | RSYNC=/usr/bin/rsync 33 | STACK=/usr/local/bin/stack 34 | ADBLOCK2PRIVOXY=/usr/local/bin/adblock2privoxy 35 | 36 | $CAT <<'HELPSTRING' | $MORE 37 | macOS Fortress: Firewall, Blackhole, and Privatizing Proxy 38 | for Trackers, Attackers, Malware, Adware, and Spammers 39 | 40 | Kernel-level, OS-level, and client-level security for macOS. Built to 41 | address a steady stream of attacks visible on snort and server logs, 42 | as well as blocks ads, malicious scripts, and conceal information used 43 | to track you around the web. 
After this package was installed, snort 44 | and other detections have fallen to a fraction with a few simple 45 | blocking actions. This setup is a lot more capable and effective than 46 | using a simple adblocking browser Add-On. There's a world of 47 | difference between ad-filled web pages with and without a filtering 48 | proxy server. It's also saved me from inadvertently clicking on 49 | phishing links. 50 | 51 | This package uses these features: 52 | 53 | * macOS adaptive firewall 54 | * Adaptive firewall against brute force attacks 55 | * IP blocks updated about twice a day from emergingthreats.net 56 | (IP blocks, compromised hosts, Malvertisers) and 57 | dshield.org’s top-20 58 | * Host blocks updated about twice a day from hphosts.net 59 | * Special proxy.pac host blacklisting from hostsfile.org 60 | * On-Demand and On-Access Anti-Virus 61 | 62 | This install script installs and configures a macOS Firewall and Privatizing 63 | Proxy, and macOS On-Demand and On-Access Anti-Virus. It will: 64 | 65 | * Download and install several key utilities and applications 66 | (wget gnupg2 p7zip squid privoxy nmap) 67 | * Configure macOS's PF native firewall (man pfctl, man pf.conf), 68 | squid, and privoxy 69 | * Turn on macOS's native Apache webserver to serve the 70 | Automatic proxy configuration http://localhost/proxy.pac 71 | * Networking on the local computer can be set up to use this 72 | Automatic Proxy Configuration without breaking App Store or 73 | other updates (see squid.conf) 74 | * Uncomment the nat directive in pf.conf if you wish to set up 75 | an OpenVPN server 76 | * Install and launch daemons that download and regularly 77 | update open source IP and host blacklists.
The sources are 78 | emergingthreats.net (net.emergingthreats.blockips.plist), 79 | dshield.org (net.dshield.block.plist), hosts-file.net 80 | (net.hphosts.hosts.plist), and EasyList 81 | (com.github.essandess.easylist-pac.plist) 82 | * On-Demand and On-Access Anti-Virus using clamAV; both scheduled 83 | full volume scans and on-access scans of all user Downloads and 84 | Desktop directories are performed 85 | * After installation the connection between clients and the 86 | internet looks like this: 87 | 88 | Application <--port 3128--> Squid <--port 8118--> Privoxy <----> Internet 89 | 90 | Installation: 91 | 92 | sudo port install macos-fortress 93 | 94 | Notes: 95 | 96 | * Configure the squid proxy to accept connections on the LAN IP 97 | and set LAN device Automatic Proxy Configurations to 98 | http://lan_ip/proxy.pac to protect devices on the LAN. 99 | * Count the number of attacks since boot with the script 100 | pf_attacks. ``Attack'' is defined as the number of blocked IPs 101 | in PF's bruteforce table plus the number of denied connections 102 | from blacklisted IPs in the tables compromised_ips, 103 | dshield_block_ip, and emerging_threats. 104 | * Both squid and Privoxy are configured to forge the User-Agent. 105 | The default is an iPad to allow mobile device access. Change 106 | this to your local needs if necessary. 107 | * Whitelist or blacklist specific domain names with the files 108 | /usr/local/etc/whitelist.txt and 109 | /usr/local/etc/blacklist.txt. After editing these files, use 110 | launchctl to unload and load the plist 111 | /Library/LaunchDaemons/net.hphosts.hosts.plist, which 112 | recreates the hosts file /etc/hosts-hphosts and reconfigures 113 | the squid proxy to use the updates. 114 | * Sometimes pf and privoxy do not launch at boot, in spite of 115 | the use of their launch daemons.
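The Notes above define an "attack" in terms of pf table entries, while the pf_attacks script counts lines of `pfctl -vTs` output that contain a non-zero packet counter: an entry with hits on both In/Block and Out/Block is counted twice, and the `sed -e 1,2d` that strips pfctl's two leading warning lines silently discards real entries if those lines are ever absent. The following is an added example in Python, not part of this repository, that parses the per-address statistics into a structure and counts addresses rather than lines, ignoring non-matching lines by content instead of by position. The sample output is constructed in the layout of `pfctl -vTs` (the two leading ALTQ warning lines are assumed to be what macOS prints) using documentation addresses; it is not real firewall data.

```python
import re
from typing import Dict

# Constructed sample in the layout of `pfctl -a blockips -t <table> -vTs`
# on macOS: two ALTQ warning lines (assumed), then one block per entry.
# Documentation ranges only; not real data.
SAMPLE_PFCTL_OUTPUT = (
    "No ALTQ support in kernel\n"
    "ALTQ related functions disabled\n"
    "   192.0.2.10\n"
    "\tCleared:     Mon Jan  1 00:00:00 2024\n"
    "\tIn/Block:    [ Packets: 12                 Bytes: 720                ]\n"
    "\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n"
    "\tOut/Block:   [ Packets: 3                  Bytes: 180                ]\n"
    "\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n"
    "   198.51.100.0/24\n"
    "\tCleared:     Mon Jan  1 00:00:00 2024\n"
    "\tIn/Block:    [ Packets: 0                  Bytes: 0                  ]\n"
    "\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n"
    "\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]\n"
    "\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n"
    "   203.0.113.5\n"
    "\tCleared:     Mon Jan  1 00:00:00 2024\n"
    "\tIn/Block:    [ Packets: 7                  Bytes: 420                ]\n"
    "\tIn/Pass:     [ Packets: 0                  Bytes: 0                  ]\n"
    "\tOut/Block:   [ Packets: 0                  Bytes: 0                  ]\n"
    "\tOut/Pass:    [ Packets: 0                  Bytes: 0                  ]\n"
)

# An address line: optional '!' (negated entry), then an IPv4/IPv6 address
# with optional prefix length, and nothing else on the line.
ADDR_RE = re.compile(r"^\s*(!?)\s*([0-9A-Fa-f:.]+(?:/\d{1,3})?)\s*$")
# A counter line such as "In/Block:    [ Packets: 12   Bytes: 720   ]".
STAT_RE = re.compile(
    r"^\s*(In|Out)/(Block|Pass):\s*\[\s*Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s*\]")


def parse_table_stats(output: str) -> Dict[str, Dict[str, int]]:
    """Map each table entry to its packet counters, e.g.
    {"192.0.2.10": {"In/Block": 12, "In/Pass": 0, ...}}.
    Warning lines and 'Cleared:' lines match neither pattern and are
    skipped wherever they appear."""
    stats: Dict[str, Dict[str, int]] = {}
    current = None
    for line in output.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1) + m.group(2)
            stats[current] = {}
            continue
        m = STAT_RE.match(line)
        if m and current is not None:
            stats[current][f"{m.group(1)}/{m.group(2)}"] = int(m.group(3))
    return stats


def count_blocked_sources(output: str) -> int:
    """Entries that blocked at least one packet in either direction; each
    address counts once however many counters are non-zero."""
    return sum(
        1 for counters in parse_table_stats(output).values()
        if counters.get("In/Block", 0) > 0 or counters.get("Out/Block", 0) > 0
    )


def count_nonzero_lines(output: str) -> int:
    """The pf_attacks approach for comparison: one hit per line that
    matches 'Packets: [^0]', so one address can be counted twice."""
    return sum(1 for line in output.splitlines()
               if re.search(r"Packets: [^0]", line))


if __name__ == "__main__":
    print("blocked sources:", count_blocked_sources(SAMPLE_PFCTL_OUTPUT))
    print("non-zero lines: ", count_nonzero_lines(SAMPLE_PFCTL_OUTPUT))
```

On the sample, `count_blocked_sources` reports 2 (192.0.2.10 and 203.0.113.5) while the line-based count reports 3, because 192.0.2.10 has hits in both directions. To use it against the live tables, feed it the output of `sudo pfctl -a blockips -t <table> -vTs` for each of the tables named in the Notes.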
  Fix this by
  hand after boot with the script macosfortress_setup_check.sh, or
  individually using pf_restart, privoxy_restart, and
  squid_restart. And please post a solution if you find one.
* All open source updates are done using the 'wget -N' option
  to save everyone's bandwidth

Security:

* These services are intended to be run on a secure LAN behind
  a router firewall.
* Even though the default proxy configuration will only accept
  connections made from the local computer (localhost), do not
  configure the router to forward ports 3128 or 8118 in case
  you ever change this or you will be running an open web proxy.
HELPSTRING

$CAT < /tmp/squid.conf.patch
$SUDO -E $PATCH -p5 /opt/local/etc/squid/squid.conf < /tmp/squid.conf.patch
$RM /tmp/squid.conf.patch

# rotate squid logs
if ! [ -f /Library/LaunchDaemons/org.squid-cache.squid-rotate.plist ]
then
    $SUDO -E $INSTALL -m 644 ./org.squid-cache.squid-rotate.plist /Library/LaunchDaemons
fi
if ! [ -d /opt/local/var/squid/logs ]; then
    # note: 644 on a directory omits the execute (search) bit; 755 is the usual mode for a log directory
    $SUDO -E $MKDIR -p -m 644 /opt/local/var/squid/logs
    $SUDO -E $CHOWN -R squid:squid /opt/local/var/squid
fi

# create the swap directories and run squid once in the foreground
$SUDO -E /opt/local/sbin/squid -s -z --foreground

# privoxy

# config: back up the MacPorts default, then patch in this repo's settings
$SUDO -E $INSTALL -m 640 -o privoxy -g privoxy -B .orig /opt/local/etc/privoxy/config /opt/local/etc/privoxy/config.orig
$DIFF -NaurdwB -I '^ *#.*' /opt/local/etc/privoxy/config ./config > /tmp/config.patch
$SUDO -E $PATCH -p5 /opt/local/etc/privoxy/config < /tmp/config.patch
$SUDO -E $CHOWN privoxy:privoxy /opt/local/etc/privoxy/config
$RM /tmp/config.patch

# match-all.action
$SUDO -E $INSTALL -m 640 -o privoxy -g privoxy -B .orig /opt/local/etc/privoxy/match-all.action /opt/local/etc/privoxy/match-all.action.orig
$DIFF -NaurdwB -I '^ *#.*' /opt/local/etc/privoxy/match-all.action ./match-all.action > /tmp/match-all.action.patch
$SUDO -E $PATCH -p5 /opt/local/etc/privoxy/match-all.action < /tmp/match-all.action.patch
$SUDO -E $CHOWN privoxy:privoxy /opt/local/etc/privoxy/match-all.action
$RM /tmp/match-all.action.patch

# user.action
$SUDO -E $INSTALL -m 644 -o privoxy -g privoxy -B .orig /opt/local/etc/privoxy/user.action /opt/local/etc/privoxy/user.action.orig
$DIFF -NaurdwB -I '^ *#.*' /opt/local/etc/privoxy/user.action ./user.action > /tmp/user.action.patch
$SUDO -E $PATCH -p5 /opt/local/etc/privoxy/user.action < /tmp/user.action.patch
$SUDO -E $CHOWN privoxy:privoxy /opt/local/etc/privoxy/user.action
$RM /tmp/user.action.patch

$SUDO -E $BASH -c '( cd /opt/local/etc/privoxy ; /usr/sbin/chown privoxy:privoxy config* *.action *.filter )'

# privoxy logs
if ! [ -d /opt/local/var/log/privoxy ]; then
    # note: as above, 644 omits the execute bit on the directory
    $SUDO -E $MKDIR -m 644 /opt/local/var/log/privoxy
    $SUDO -E $CHOWN privoxy:privoxy /opt/local/var/log/privoxy
fi

# install the files
$SUDO -E $CP /etc/hosts /etc/hosts.orig
$SUDO -E $INSTALL -b -B .orig ./pf.conf /etc
if ! [ -f /Library/LaunchDaemons/net.openbsd.pf.plist ]
then
    $SUDO -E $INSTALL -m 644 ./net.openbsd.pf.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist ]
then
    $SUDO -E $INSTALL -m 644 ./net.openbsd.pf.brutexpire.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/net.emergingthreats.blockips.plist ]
then
    $SUDO -E $INSTALL -m 644 ./net.emergingthreats.blockips.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/net.dshield.block.plist ]
then
    $SUDO -E $INSTALL -m 644 ./net.dshield.block.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/net.hphosts.hosts.plist ]
then
    $SUDO -E $INSTALL -m 644 ./net.hphosts.hosts.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/com.github.essandess.easylist-pac.plist ]
then
    $SUDO -E $INSTALL -m 644 ./com.github.essandess.easylist-pac.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.plist ]
then
    $SUDO -E $INSTALL -m 644 ./easylist-pac-privoxy/adblock2privoxy/com.github.essandess.adblock2privoxy.plist /Library/LaunchDaemons
fi
if ! [ -f /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.nginx.plist ]
then
    $SUDO -E $INSTALL -m 644 ./easylist-pac-privoxy/adblock2privoxy/com.github.essandess.adblock2privoxy.nginx.plist /Library/LaunchDaemons
fi
$INSTALL -m 644 ./org.opensource.flashcookiedelete.plist ~/Library/LaunchAgents
$SUDO -E $MKDIR -p /usr/local/etc
$SUDO -E $INSTALL -m 644 ./blockips.conf /usr/local/etc
$SUDO -E $INSTALL -m 644 ./whitelist.txt /usr/local/etc
$SUDO -E $INSTALL -m 644 ./blacklist.txt /usr/local/etc

$SUDO -E $INSTALL -m 755 ./pf_attacks /usr/local/bin
$SUDO -E $INSTALL -m 755 ./macosfortress_setup_check.sh /usr/local/bin
$SUDO -E $INSTALL -m 755 ./pf_restart /usr/local/bin
$SUDO -E $INSTALL -m 755 ./squid_restart /usr/local/bin
$SUDO -E $INSTALL -m 755 ./privoxy_restart /usr/local/bin
$SUDO -E $INSTALL -m 755 ./easylist-pac-privoxy/easylist_pac.py /usr/local/bin

# launchd daemons
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/net.openbsd.pf.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/net.openbsd.pf.brutexpire.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/net.emergingthreats.blockips.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/net.dshield.block.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/net.hphosts.hosts.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/com.github.essandess.easylist-pac.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/com.github.essandess.adblock2privoxy.nginx.plist
$SUDO -E $LAUNCHCTL load -w /Library/LaunchDaemons/org.squid-cache.squid-rotate.plist

# start these services for the 1st time because they use RunAtLoad false
$SUDO -E $LAUNCHCTL start net.emergingthreats.blockips
$SUDO -E $LAUNCHCTL start net.dshield.block
$SUDO -E $LAUNCHCTL start net.hphosts.hosts
$SUDO -E $LAUNCHCTL start com.github.essandess.easylist-pac
$SUDO -E $LAUNCHCTL start com.github.essandess.adblock2privoxy

$LAUNCHCTL load ~/Library/LaunchAgents/org.opensource.flashcookiedelete.plist

$SUDO -E $PORT load squid4
$SUDO -E $PORT load privoxy


# Turn on macOS Server's adaptive firewall:
if [ -d /Applications/Server.app ]
then
    $SUDO -E /Applications/Server.app/Contents/ServerRoot/usr/sbin/serverctl enable service=com.apple.afctl
    $SUDO -E /Applications/Server.app/Contents/ServerRoot/usr/libexec/afctl -f
fi


# check after boot
/usr/local/bin/macosfortress_setup_check.sh


$CAT <<'URL_PATH_INCLUSION'
To allow URL path blocking capability in HTTPS:

* Chrome:
  $ defaults write com.google.Chrome PacHttpsUrlStrippingEnabled -bool false

* Firefox, about:config:
  network.proxy.autoconfig_url.include_path : true
URL_PATH_INCLUSION

exit 0
--------------------------------------------------------------------------------
/squid_restart:
--------------------------------------------------------------------------------
#!/bin/bash -x

# restart Squid

sudo launchctl unload -w /Library/LaunchDaemons/org.macports.Squid.plist
sudo killall '(squid-1)'
sudo killall squid
sleep 5
sudo launchctl load -w /Library/LaunchDaemons/org.macports.Squid.plist
--------------------------------------------------------------------------------
/user.action:
--------------------------------------------------------------------------------
######################################################################
#
# File : $Source: /cvsroot/ijbswa/current/user.action,v $
#
# $Id: user.action,v 1.13 2011/11/06 11:36:01 fabiankeil Exp $
#
# Purpose : User-maintained actions file, see
# http://www.privoxy.org/user-manual/actions-file.html
#
######################################################################

# This is the place to add your personal exceptions and additions to
# the general policies as defined in default.action. (Here they will be
# safe from updates to default.action.) Later defined actions always
# take precedence, so anything defined here should have the last word.

# See http://www.privoxy.org/user-manual/actions-file.html, or the
# comments in default.action, for an explanation of what an "action" is
# and what each action does.

# The examples included here either use bogus sites, or have the actual
# rules commented out (with the '#' character). Useful aliases are
# included in the top section as a convenience.

#############################################################################
# Aliases
#############################################################################
{{alias}}
#############################################################################
#
# You can define a short form for a list of permissions - e.g., instead
# of "-crunch-incoming-cookies -crunch-outgoing-cookies -filter -fast-redirects",
# you can just write "shop". This is called an alias.
#
# Currently, an alias can contain any character except space, tab, '=', '{'
# or '}'.
# But please use only 'a'-'z', '0'-'9', '+', and '-'.
#
# Alias names are not case sensitive.
#
# Aliases beginning with '+' or '-' may be used for system action names
# in future releases - so try to avoid alias names like this. (e.g.
# "+crunch-all-cookies" below is not a good name)
#
# Aliases must be defined before they are used.
#
# These aliases just save typing later:
#
+crunch-all-cookies = +crunch-incoming-cookies +crunch-outgoing-cookies
-crunch-all-cookies = -crunch-incoming-cookies -crunch-outgoing-cookies
allow-all-cookies = -crunch-all-cookies -session-cookies-only -filter{content-cookies}
allow-popups = -filter{all-popups} -filter{unsolicited-popups}
+block-as-image = +block{Blocked image request.} +handle-as-image
-block-as-image = -block

# These aliases define combinations of actions
# that are useful for certain types of sites:
#
fragile = -block -crunch-all-cookies -filter -fast-redirects -hide-referer -prevent-compression
shop = -crunch-all-cookies allow-popups

# Your favourite blend of filters:
#
myfilters = +filter{html-annoyances} +filter{js-annoyances} +filter{all-popups}\
            +filter{webbugs} +filter{banners-by-size}

# Allow ads for selected useful free sites:
#
allow-ads = -block -filter{banners-by-size} -filter{banners-by-link}
#... etc. Customize to your heart's content.

## end aliases ########################################################
#######################################################################

# Begin examples: #####################################################

# Say you have accounts on some sites that you visit regularly, and you
# don't want to have to log in manually each time. So you'd like to allow
# persistent cookies for these sites. The allow-all-cookies alias defined
# above does exactly that, i.e. it disables crunching of cookies in any
# direction, and the processing of cookies to make them only temporary.
#
{ allow-all-cookies }
#.sourceforge.net
#sunsolve.sun.com
#slashdot.org
#.yahoo.com
#.msdn.microsoft.com
#.redhat.com

# Say the site where you do your homebanking needs to open popup
# windows, but you have chosen to kill popups unconditionally by default.
# This will allow it for your-example-bank.com:
#
{ -filter{all-popups} }
.banking.example.com

# Some hosts and some file types you may not want to filter for
# various reasons:
#
{ -filter }

# Technical documentation is likely to contain strings that might
# erroneously get altered by the JavaScript-oriented filters:
#
#.tldp.org
#/(.*/)?selfhtml/

# And this stupid host sends streaming video with a wrong MIME type,
# so that Privoxy thinks it is getting HTML and starts filtering:
#
stupid-server.example.com/


# Example of a simple "block" action. Say you've seen an ad on your
# favourite page on example.com that you want to get rid of. You have
# right-clicked the image, selected "copy image location" and pasted
# the URL below while removing the leading http://, into a { +block{reason} }
# section. Note that { +handle-as-image } need not be specified, since
# all URLs ending in .gif will be tagged as images by the general rules
# as set in default.action anyway:
#
{ +block{Nasty ads.} }
www.example.com/nasty-ads/sponsor.gif

# The URLs of dynamically generated banners, especially from large banner
# farms, often don't use the well-known image file name extensions, which
# makes it impossible for Privoxy to guess the file type just by looking
# at the URL.
# You can use the +block-as-image alias defined above for these cases.
# Note that objects which match this rule but then turn out NOT to be an
# image are typically rendered as a "broken image" icon by the browser.
# Use cautiously.
#
{ +block-as-image }
#.doubleclick.net
#/Realmedia/ads/
#ar.atwola.com/

# Now you noticed that the default configuration breaks Forbes
# Magazine, but you were too lazy to find out which action is the
# culprit, and you were again too lazy to give feedback, so you just
# used the fragile alias on the site, and -- whoa! -- it worked. The
# 'fragile' alias disables those actions that are most likely to break
# a site. Also, good for testing purposes to see if it is Privoxy that
# is causing the problem or not.
#
{ fragile }
.forbes.com
.abcya.com
.att.com
.neimanmarcus.com
.tiffany.com

# Here are some sites we wish to support, and we will allow their ads
# through.
#
{ allow-ads }
www.thegreatcourses.com
.kayak.com
ads1.msn.com/
.bing.com/travel/jsxc\.vjs\?
.onecause.com
#.sourceforge.net
#.slashdot.org
#.osdn.net

# user.action is generally the best place to define exceptions and
# additions to the default policies of default.action. Some actions are
# safe to have their default policies set here though. So let's set a
# default policy to have a 'blank' image as opposed to the checkerboard
# pattern for ALL sites. '/' of course matches all URLs.
# patterns:
#
{ +set-image-blocker{blank} }
#/

# Enable the following section (not the regression-test directives)
# to rewrite and redirect click-tracking URLs on news.google.com.
# Disabling JavaScript should work as well and probably works more reliably.
#
# Redirected URL = http://news.google.com/news/url?ct2=us%2F0_0_s_1_1_a&sa=t&usg=AFQjCNHJWPc7ffoSXPSqBRz55jDA0KgxOQ&cid=8797762374160&url=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052970204485304576640791304008536.html&ei=YcqeTsymCIjxggf8uQE&rt=HOMEPAGE&vm=STANDARD&bvm=section&did=-6537064229385238098
# Redirect Destination = http://online.wsj.com/article/SB10001424052970204485304576640791304008536.html
# Ignore = Yes
#
{+fast-redirects{check-decoded-url}}
news.google.com/news/url.*&url=http.*&

# Enable the following section (not the regression-test directives)
# to block various Facebook "like" and similar tracking URLs. At the
# time this section was added it was reported to not break Facebook
# itself but this may have changed by the time you read this. This URL
# list is probably incomplete and if you don't have an account anyway,
# you may prefer to block the whole domain.
#
# Blocked URL = http://www.facebook.com/plugins/likebox.php?href=http%3A%2F%2Ffacebook.com%2Farstechnica&width=300&colorscheme=light&show_faces=false&stream=false&header=false&height=62&border_color=%23FFFFFF
# Ignore = Yes
# Blocked URL = http://www.facebook.com/plugins/activity.php?site=arstechnica.com&width=300&height=370&header=false&colorscheme=light&recommendations=false&border_color=%23FFFFFF
# Ignore = Yes
# Blocked URL = http://www.facebook.com/plugins/fan.php?api_key=368513495882&connections=10&height=250&id=8304333127&locale=en_US&sdk=joey&stream=false&width=377
# Ignore = Yes
# Blocked URL = http://www.facebook.com/plugins/like.php?api_key=368513495882&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D3%23cb%3Df13997452c%26origin%3Dhttp%253A%252F%252Fonline.wsj.com%252Ff1b037e354%26relation%3Dparent.parent%26transport%3Dpostmessage&extended_social_context=false&href=http%3A%2F%2Fonline.wsj.com%2Farticle%2FSB10001424052970204485304576640791304008536.html&layout=button_count&locale=en_US&node_type=link&ref=wsj_share_FB&sdk=joey&send=false&show_faces=false&width=90
# Ignore = Yes
#
{+block{Facebook "like" and similar tracking URLs.}}
www.facebook.com/(extern|plugins)/(login_status|like(box)?|activity|fan)\.php

# http://serverfault.com/questions/182293/privoxy-rule-to-block-facebook-spying
{ +block-as-image{People-tracking button.} }
.facebook.com/(plugins|widgets)/(like|fan|activity).*

# fix sites that privoxy breaks
{ fragile }
ads1.msn.com/
.bing.com/travel/jsxc\.vjs\?
.onecause.com
.go.com
.drugstore.com
.neimanmarcus.com
.evite.com

# fix icloud, photostream
{ -block -filter -hide-user-agent -deanimate-gifs -hide-from-header -set-image-blocker }
TAG:^User-Agent: PhotoStreamAgent/
.apple.com
.icloud.com
.amazonaws.com

# sourceforge
{ -block -filter -deanimate-gifs}
.sourceforge.net
.dell.com

# expedia
{ -hide-user-agent }
.expedia.com

# youtube
# See: http://superuser.com/questions/199230/privoxy-causes-problem-for-ipod-touch-youtube-app
{ fragile -deanimate-gifs}
.googlevideo.com

{ -filter -deanimate-gifs}
.youtube.com
.vimeo.com

# TV Guide listings on EyeTV; TitanTV Remote Scheduling
{ -block -hide-user-agent }
epg.eyetv.com
partners.titantv.com
.macrovision.com

# don't filter downloads
{-filter -deanimate-gifs}
/.*\.iso(\?|$)
/.*\.mp3(\?|$)
/.*\.mp4(\?|$)
/.*\.mov(\?|$)
/.*\.mpg(\?|$)
/.*\.ogg(\?|$)
/.*\.aac(\?|$)
/.*\.zip(\?|$)
/.*\.pdf(\?|$)
/.*\.dmg(\?|$)
/.*\.tar(\?|$)
/.*\.gz(\?|$)
/.*\.dat(\?|$)
--------------------------------------------------------------------------------
/whitelist.txt:
--------------------------------------------------------------------------------

# whitelisted hosts (FQDN and DN) will be deleted from hphost's host.zip
s3.amazonaws.com
www.s3.amazonaws.com
broker.adobe.com
sstats.adobe.com
stats.adobe.com
j.mp
securemetrics.apple.com
autolinkmaker.itunes.apple.com
rover.ebay.com
yelp.com
www.yelp.com
inc.com
www.inc.com
gdlp01.c-wss.com
h.online-metrix.net
drugstore.com
www.drugstore.com
evite.com
www.evite.com
thedailybeast.com
www.thedailybeast.com
alibaba.com
www.alibaba.com
# iphonehacks.com
# www.iphonehacks.com
# www.kqzyfj.com
funnyordie.com
www.funnyordie.com
intensedebate.com
www.intensedebate.com

# Blocking this domain breaks CNN app live streaming
# To diagnose:
# tcpdump -e -ttt -i en0 -w my-iPad-cnn-3128.pcap src my-iPad or dst my-iPad
# grep -a 'URL: .*$/\1/; print;' | uniq
bea4.v.fwmrm.net
--------------------------------------------------------------------------------
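The README note on whitelist.txt and blacklist.txt describes regenerating /etc/hosts-hphost from the hphosts download with whitelisted names removed and blacklisted names added; the shell function below is an added example of that merge, not the project's own net.hphosts.hosts job. It assumes exact hostname matching (whitelist.txt lists yelp.com and www.yelp.com separately, so a bare domain does not release its subdomains) and uses 0.0.0.0 as the sink address; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not part of macOS-Fortress: rebuild a hosts-style blocklist
# from an hphosts-style download, dropping names in whitelist.txt and
# appending names in blacklist.txt. Exact-hostname matching and the
# 0.0.0.0 sink address are assumptions of this example.

# apply_lists SOURCE_HOSTS WHITELIST BLACKLIST
# Prints one "0.0.0.0 <hostname>" line per blocked name to stdout.
apply_lists() {
    awk -v wl_file="$2" -v bl_file="$3" '
        # strip comments and surrounding blanks, lower-case the rest
        function clean(s) {
            sub(/#.*/, "", s)
            sub(/^[ \t]+/, "", s)
            sub(/[ \t]+$/, "", s)
            return tolower(s)
        }
        BEGIN {
            while ((getline l < wl_file) > 0) { l = clean(l); if (l != "") wl[l] = 1 }
            while ((getline l < bl_file) > 0) { l = clean(l); if (l != "") bl[l] = 1 }
        }
        {
            l = clean($0)
            if (l == "") next
            n = split(l, f)            # f[1] = address, f[2..n] = hostnames
            for (i = 2; i <= n; i++) {
                h = f[i]
                # keep localhost resolvable; skip whitelisted and repeated names
                if (h == "localhost" || h in wl || h in seen) continue
                seen[h] = 1
                print "0.0.0.0 " h
            }
        }
        END {
            # blacklisted names the source did not already carry
            for (h in bl) if (!(h in seen)) print "0.0.0.0 " h
        }
    ' "$1"
}

# Constructed sample inputs (not real data) so the block runs offline;
# writes them to a temp dir, prints the merged list, then cleans up.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed hphosts-style download' \
        '127.0.0.1 localhost' \
        '127.0.0.1 ads.example.net' \
        '127.0.0.1 tracker.example.org  pixel.example.org' \
        '127.0.0.1 cdn.example.com' \
        '127.0.0.1 ADS.example.net' > "$d/hosts"
    printf '%s\n' '# constructed whitelist: names to release' \
        'cdn.example.com' > "$d/whitelist.txt"
    printf '%s\n' '# constructed blacklist: names to add' \
        'phish.example.test' 'ads.example.net' > "$d/blacklist.txt"
    apply_lists "$d/hosts" "$d/whitelist.txt" "$d/blacklist.txt"
    rm -rf "$d"
}

demo
```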