Happens with the user.action that only got edited via web interface, but also happens with the match-all.action, which is very simple:

{ \
+change-x-forwarded-for{block} \
+client-header-tagger{css-requests} \
+client-header-tagger{image-requests} \
+hide-from-header{block} \
+set-image-blocker{pattern} \
}

With the match-all, it segfaults like this:

(gdb) bt
#0 0x00000008465507b4 in strlen () from /lib/libc.so.7
#1 0x00000008465bde72 in strdup () from /lib/libc.so.7
#2 0x000000000023fe9c in map...
3.0.34 segfaults Editing actions
Thanks for the report. Does this happen for all action files or only one specific one? Did you modify the action file(s) that trigger the segfault?
3.0.34 segfaults Editing actions
Thank you! Regarding i.kommersant.ru, geoblocking is possible, but not sure, because... curl works for me:

curl -v --head https://i.kommersant.ru/
* Host i.kommersant.ru:443 was resolved.
* IPv6: (none)
* IPv4: 185.147.37.72
* Trying 185.147.37.72:443...
* Connected to i.kommersant.ru (185.147.37.72) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):...
I can reproduce the issue that the comments don't load on https://www.kommersant.ru/ but on my systems the problem seems to be that connections to i.kommersant.ru already fail before the TLS handshake:

fk@elektrobier ~ $curl -v --head https://i.kommersant.ru/
* Host i.kommersant.ru:443 was resolved.
* IPv6: (none)
* IPv4: 185.147.37.72
* Trying 185.147.37.72:443...
* connect to 185.147.37.72 port 443 from 95.211.138.7 port 63777 failed: Operation timed out
* Failed to connect to i.kommersant.ru port...
If it's not too much trouble for you, please spread the word. Regarding i.kommersant.ru, if you open this link "https://www.kommersant.ru/doc/6821399#comments" and click the blue button under the message, user comments should load, but instead you will see that message in the log, and the comments will not load.
If it's not too much trouble for you, please spread the word. Regarding i.kommersant.ru, if you open this link "https://www.kommersant.ru/doc/6821399" and click the blue button under the message, user comments should load, but instead you will see that message in the log, and the comments will not load.
i.kommersant.ru remains unreachable for me but I can reproduce the problem with https://traxxas.com/ with both Privoxy and curl linked against wolfSSL 5.7. I consider this a wolfSSL bug worth reporting upstream. Do you want to do it or should I?
WolfSSL 5.7 i.kommersant.ru works when you click the button (if there is one) under the news. The site that definitely does not work for me with WolfSSL: traxxas.com, instead of opening it I see the message: Server certificate verification failed Privoxy was unable to securely connect to the destination server. Reason: received alert fatal error In the log there is a message "Error: X509 certificate verification for traxxas.com failed with error -313: received alert fatal error"
Which WolfSSL version do you use? When I try i.kommersant.ru it doesn't seem to respond to requests to port 443 so it doesn't work with either OpenSSL or WolfSSL for me.
Fix build on macOS
Thanks a lot for the patch. Pushed to git master.
Fix build on macOS
I'm sorry, I didn't check everything again. 51.254.149.60 is some kind of proxy, I checked something once and forgot. I'm really sorry...
ipleak.net site does not work
I can't reproduce the problem. The site is working for me. ipleak.net seems to resolve to 95.85.16.212 on my system though.
ipleak.net site does not work
I managed to build a version with wolfssl. But some domains don’t work, the log shows the message “Error: X509 certificate verification for i.kommersant.ru failed with error -308: error state on socket”, while it works with openssl.
On Sun, Jun 9, 2024 at 9:26 AM Fabian Keil wrote: summary: trustfile qwantjunior --> Trust mechanism not working for https requests status: pending --> closed-fixed assigned_to: Fabian Keil Comment: This should be fixed in git master now. Confirmed. Works for me now.
Trust mechanism not working for https requests
This should be fixed in git master now. Thanks for the report.
On Thu, Jun 6, 2024 at 9:01 AM Fabian Keil wrote:
status: open --> pending
Comment: Looks like you need https inspection: https://www.privoxy.org/user-manual/actions-file.html#HTTPS-INSPECTION

Even with https inspection it doesn't work. For example

20:41:45.951 7f6322ffd700 Header: scan: CONNECT manytools.org:443 HTTP/1.1
20:41:45.951 7f6322ffd700 Header: scan: User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
20:41:45.951 7f6322ffd700 Header: scan: Proxy-Connection:...
trustfile qwantjunior
Looks like you need https inspection: https://www.privoxy.org/user-manual/actions-file.html#HTTPS-INSPECTION
filter{fun} cannot verify working
Did you actually add patterns (like "/") below the "{+https-inspection}" line and the "+filter{}" lines? Does https://config.privoxy.org/show-url-info show that https inspection and the filters you want are enabled? Did you enable the debug settings recommended at https://www.privoxy.org/user-manual/contact.html and check the log file?
I have FEATURE_TRUST to Yes in 'Conditional #defines:'. And also 'Referer https://www.qwantjunior.com/' with https://myhttpheader.com/. Here is the log:

2024-06-03 23:51:14.499 f7452440 Header: New HTTP Request-Line: CONNECT / HTTP/1.1
2024-06-03 23:51:14.506 f6aff440 Header: scan: CONNECT www.qwantjunior.com:443 HTTP/1.1
2024-06-03 23:51:14.506 f6aff440 Header: scan: User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
2024-06-03 23:51:14.506 f6aff440 Header:...
I have FEATURE_TRUST to Yes in 'Conditional #defines:'. And also 'Referer https://www.qwantjunior.com/' with https://myhttpheader.com/.
Small correction: I also tried: default.action: - uncommented {+https-inspection}, placed it at the end of the file - check if filter{fun} is enabled google for macrosoft does not alter the name of microsoft
filter{fun} cannot verify working
On Sat, Jun 1, 2024 at 9:38 AM Laurent Caumont wrote: Thank you for your tips but that doesn't work to follow links. When you make a search and you click on the proposed link, that fails. Easiest thing first, goto http://config.privoxy.org/show-status Under 'Conditional #defines:' is there a 'FEATURE_TRUST' with 'Yes ' in the 'Enabled?' column? If no you'll need to get/build a version of privoxy that has it enabled. But my guess for why it isn't working is that the browser is not sending a Referer...
Thank you for your tips but that doesn't work to follow links. When you make a search and you click on the proposed link, that fails. My kid is 10. I don't think he is able to understand how this protection works now. I agree this protection will not be enough in the future but it will probably be useless too since I will let him access more and more.
Thanks a lot for the patch, however I think we should allow multiple log files with different debug settings and not simply add a new log file with debug settings hard-coded to CLF. We could allow multiple logfile directives and extend the directive to take an optional second argument to specify the debug settings for the file.
At the moment you have to disable https inspection for targets that should be reachable with CONNECT requests without https data.
On Fri, May 31, 2024 at 11:09 AM Laurent Caumont wrote: [support-requests:#1767] trustfile qwantjunior Status: open Group: 3.0.32 Created: Fri May 31, 2024 03:09 PM UTC by Laurent Caumont Last Updated: Fri May 31, 2024 03:09 PM UTC Owner: nobody Hello, I'm trying to add a kid portal for my kids through the trust file. Adding all the references in whitelist is not possible in this case. But that doesn't work. The site is: https://www.qwantjunior.com/ So, I added +www.qwantjunior.com at the end of...
trustfile qwantjunior
This is a patch to implement the separate logging. I don't know whether the implementation is as it should be or if there are any other areas within privoxy that need to take account of it, but I have been running privoxy for about a year with this patch and have not had any problems either with proxy operation or log generation.
buffer overflow in regression test 776
Sometimes I only need to write down my problem and find the solution minutes later... The issue is already fixed in 19d7684ca10f6c1279568aa19e9a9da2276851f1. So I close this ticket now...
buffer overflow in regression test 776
What do I need to do?
CONNECT method for http sites
This is expected behavior. If https inspection is enabled Privoxy expects the use of https in case of CONNECT requests.
Sorry, the examples should be like this:
GET http://somesite.com/ HTTP/1.1
CONNECT somesite.com:80 HTTP/1.1
Sorry, the examples should be like this:
GET http://somesite.com/ HTTP/1.1
CONNECT somesite.com HTTP/1.1
Sorry, the examples should be like this:
GET http://somesite.com/ HTTP/1.1
CONNECT http://somesite.com/ HTTP/1.1
CONNECT method for http sites
As an ElectroBSD user I use the FreeBSD ports system with a modified security/wolfssl port:

PORTNAME= wolfssl
PORTVERSION= 5.7.0
PORTREVISION= 2
CATEGORIES= security devel
MASTER_SITES= https://www.wolfssl.com/ \
 LOCAL/fox
MAINTAINER= fox@FreeBSD.org
COMMENT= Embedded SSL C-Library
WWW= https://www.wolfssl.com/
LICENSE= GPLv2+
LICENSE_FILE= ${WRKSRC}/COPYING
USES= autoreconf cpe libtool zip
USE_LDCONFIG= yes
GNU_CONFIGURE= yes
CONFIGURE_ARGS= --disable-dependency-tracking \
 --enable-certgen \
 --enable-des3...
Unfortunately, my knowledge is not enough to do this. Same here. And the wolfssl support forum isn't any help: https://www.wolfssl.com/forums/post7561.html Fabian, Could you show how you built wolfssl and then privoxy? Thanks Lee
Unfortunately, my knowledge is not enough to do this.
WOLFSSL_ALT_NAMES is not a configure option but has to be set with the CFLAGS. I use: CFLAGS+= -DWOLFSSL_ALT_NAMES -DFP_MAX_BITS=8192 -DNO_WOLFSSL_STUB -DWOLFSSL_ALT_CERT_CHAINS -DHAVE_IO_TIMEOUT
I built wolfssl with your config. There is still an error when compiling:

gcc -c -pipe -march=native -mtune=native -O2 -pipe -fno-plt -DNDEBUG -pthread -Wall wolfssl.c -o wolfssl.o
grep -v '^#MASTER#' default.action.master > default.action
wolfssl.c:78:2: warning: #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS [-Wcpp]
   78 | #warning wolfSSL has been compiled without WOLFSSL_ALT_CERT_CHAINS
      |  ^~~~~~~
wolfssl.c:1739:2: error: #error wolfSSL lacks Subject Alternative Name support...
Building Privoxy using wolfssl
Thanks a lot for the report. "Subject Alternative Name" support is required so you have to use a wolfSSL build that has been compiled with WOLFSSL_ALT_NAMES. If you rebuild wolfSSL anyway you may want to compare your defines with mine: https://lists.privoxy.org/pipermail/privoxy-devel/2024-March/000751.html I just added another header which should also help so please try to recompile after pulling the current git master branch.
Building Privoxy using wolfssl
Bad news: Building failed, it's too complicated for me. Good news is I found another way to get what I want. Daedalus(DOT, DOH, host for block system built-in ad) + servdroid(local res, custom homepage for browsers) + fennec(ublock0+tampermoney+headereditor) or Termux + docker(noroot)[https://github.com/dev-bittu/docker-in-termux] +privoxy(--with-openssl--with-brotli--enable-compression)[https://github.com/Tardo/docker-privoxy-https] I'm using the first set, it works quite well, second one is buggy...
Bad news: Building failed, it's too complicated for me. Good news is I found another way to get what I want. Deadalus(DOT, DOH, host) + servdroid(local res, custom homepage) + fennec(ublock0+tampermoney+headereditor) or Termux + docker(noroot)[https://github.com/dev-bittu/docker-in-termux] +privoxy(--with-openssl--with-brotli--enable-compression)[https://github.com/Tardo/docker-privoxy-https]
OK, I will try it later, thank you, Lee. Btw I'm the one who asked for that guide on github many years ago, I just forgot that account's pwd. That guide helps me a lot, I always check it first when a new privoxy is released.
On Thu, Feb 15, 2024 at 3:32 AM LE37 wrote: [support-requests:#1764] how to build privoxy for android Status: open Group: 3.0.34 Created: Thu Feb 15, 2024 08:32 AM UTC by LE37 Last Updated: Thu Feb 15, 2024 08:32 AM UTC Owner: nobody Greeting, all. How to cross build privoxy v3.34 with FEATURE_HTTPS_INSPECTION for android11 on win10? Is there a step by step guide for noob? I haven't seen a step-by-step guide for noobs. Everything I've found requires [what I consider above average] background knowledge....
how to build privoxy for android
I agree that this would be a useful feature and would welcome patches too. Also the documentation should probably be improved but as I currently don't have any Windows systems I'm not the right person to do it.
Coredump crash upon first client connection with forward-socks4a (__fortify_fail)
Thanks for the report and please excuse the late response. I consider this a GCC problem and not a Privoxy bug but we have a work around in the git master branch already: https://www.privoxy.org/gitweb/?p=privoxy.git;a=commit;h=19d7684ca10f6c1279568aa19e9a9da2276851f1
On Thu, Jan 25, 2024 at 4:40 AM Miguel Nieto wrote: [feature-requests:#608] Option to silently install as a service Status: open Group: future Created: Thu Jan 25, 2024 09:40 AM UTC by Miguel Nieto Last Updated: Thu Jan 25, 2024 09:40 AM UTC Owner: nobody In Windows, when invoking with --install / --uninstall parameter, privoxy installs a windows service and shows a message with the result. This User's action may prevent to install privoxy as a service from a script. --install leaves the service added...
Option to silently install as a service
Coredump crash upon first client connection
Use some internal variables
There are examples in regression-tests.action: https://www.privoxy.org/gitweb/?p=privoxy.git;a=blob;f=regression-tests.action;h=92b4388b959e8f3945068156af100b00d642bbbb;hb=HEAD#l1153 The user manual probably should have an example as well, though.
On Thu, Dec 28, 2023 at 3:06 PM withoutname wrote: I meant an example of a filter and/or action. Recall that Fabian said From the 3.0.29 release notes: "Allow to use extended host patterns and vanilla host patterns at the same time by prefixing extended host patterns with "PCRE-HOST-PATTERN:". To enable this, configure with --enable-pcre-host-patterns." and then I replied that --enable-pcre-host-patterns wasn't configured on the windows build of privoxy. So you need to build it yourself and then...
I meant an example of a filter and/or action. When compiled with FEATURE_PCRE_HOST_PATTERNS patterns can be prefixed with "PCRE-HOST-PATTERN:" in which case full regular expression (PCRE) can be used for the host pattern as well. What prefix are we talking about and where should it be?
I meant an example of a filter and/or action.
On Mon, Dec 25, 2023 at 1:06 PM withoutname wrote: Please provide an example configuration to enable this feature. You're going to have to build Privoxy for yourself. The instructions for building Privoxy here: https://www.privoxy.org/user-manual/installation.html#INSTALLATION-SOURCE and the windows-specific instructions are here: https://www.privoxy.org/user-manual/installation.html#WINBUILD-CYGWIN NOTE: I need to update the bit about getting the latest 8.x PCRE code. The 8.x version of the PCRE...
Please provide an example configuration to enable this feature.
OK I understood.
Messages like "Cannot open template file /etc/privoxy/templates/connect-failed: Too many open files"
Setting "accept-intercepted-requests 0" in your setup seems like the right thing to do as you are redirecting intercepted connections into Squid and not into Privoxy. With "accept-intercepted-requests 1" one has to be careful and prevent Privoxy from connecting to itself. Quoting the documentation: "Make sure that Privoxy's own requests aren't redirected as well. Additionally take care that Privoxy can't intentionally connect to itself, otherwise you could run into redirection loops if Privoxy's...
IPv6 address leak
Great. Thanks for reporting back.
When you suggested that the problem might be related to Squid, you prompted me to analyze this situation. In the end, I found out that the problem was related to the "accept-intercepted-requests 1" option. I tried setting it to 0 and so far this problem has not occurred. But the message "Error: ::1's request: 'GET /squid-internal-dynamic/netdb HTTP/1.1' is invalid. Privoxy isn't configured to accept intercepted requests" appeared in the log. There are also others that are similar (I changed the contents...
So far this is what I see. But this coincides when for some reason Privoxy increases (or something forces it to do so) the number of threads (first picture). At this moment, the messages that were reported in my initial message appear in the log. Regarding Squid, I don’t understand what you mean, but I’ll describe the config. Privoxy is an upstream proxy for Squid, the Squid config is literally as in the documentation from Privoxy. Ports 80 and 443 are redirected to Squid via iptables. Privoxy: ......
Yes I am sure. I looked at the log and realized I was wrong. Those domains that define my ipv6 connection are pretty much a tor proxy, this can be seen in the log. Once again I apologize for the false alarm.
Yes I am sure.
Note that most client connections need two file descriptors to be served so 8192 client connections may need ~16384 file descriptors. It's unclear to me why the processor load should significantly increase when the limit is reached, though. Also 8192 connections seem to be a lot for up to three clients. In ticket #1762 you wrote that you are using Squid in "transparent mode". Is it possible that some of Privoxy's outgoing connections are intercepted again? Enabling logging would probably help to diagnose...
IPv6 address leak
Are you sure the IPv6 requests from the browser are actually intercepted and reach Privoxy? A log excerpt with the debug setting recommended at: https://www.privoxy.org/user-manual/contact.html would probably help.
Fix type errors in configure script
Thanks for the updated patch. Pushed to master.
IPv6 address leak
Updated patch, looks better now.
These probes only have uninitialized variable warnings: configure:5348: gcc -c -pipe -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Werror=implicit-function-declaration -Werror=implicit-int -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection...
Fix type errors in configure script
Thanks a lot for the patch. Did these probes actually fail for you and the patch was sufficient to solve the problem? The patch looks correct to me but it's unclear to me why other probes with pointers that point to garbage wouldn't need adjustment as well. For example the gethostbyaddr_r() probe:

AC_CHECK_FUNC(gethostbyaddr_r, [
  AC_MSG_CHECKING([signature of gethostbyaddr_r])
  AC_TRY_COMPILE([
#   include <netdb.h>
  ], [
    struct hostent *h, *hp;
    char *a, *b;
    int l, bl, t, e;
    (void) gethostbyaddr_r(a,...
Patch
Fix type errors in configure script