Changed |
_service:tar_git:harbour-privoxy.spec
Changed |
_service
@@ -2,7 +2,7 @@
<service name="tar_git">
<param name="url">https://gitlab.com/nephros/harbour-privoxy</param>
<param name="branch"></param>
- <param name="revision">3.0.34+obs3</param>
+ <param name="revision">3.0.34+obs7</param>
<param name="token"/>
<param name="debian">N</param>
<param name="dumb">N</param>
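Review bot: The changed `revision` param pins the tag name `3.0.34+obs7`, and a tag on the GitLab side can be re-pointed after review, so the same `_service` file could later fetch different source. Consider pinning the commit hash the tag resolves to, keeping the tag name in a comment for readability, so the fetched tarball is reproducible.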
Changed |
_service:tar_git:harbour-privoxy-3.0.34+obs7.tar.gz/README.md
@@ -13,7 +13,7 @@
----
-### About Sailfish OS Upgrades
+## About Sailfish OS Upgrades
If you came here because of a scary warning in the Release Notes, they are
correct that Privoxy can affect theupdate process. **But only** if you:
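Review bot: The context line directly under the changed heading still reads "can affect theupdate process" (missing space); since this change already touches the section, fix it to "the update process" in the same commit.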
@@ -27,372 +27,12 @@
repositories with your Privoxy setup previously, it won't affect them now.
Still, please heed the advice of disabling Privoxy before trying to upgrade.
-See notes below in the https inspection section for some details.
-
-
-----
-## User Guide
-
-**Table of Contents**
-
-- [User Guide](#user-guide)
- * [Enable the service](#enable-the-service)
- * [Configure Sailfish OS to use the Proxy](#configure-sailfish-os-to-use-the-proxy)
- * [HTTPS support](#https-support)
- + [Generate a CA certificate](#generate-a-ca-certificate)
- + [Add the CA certificate to the Sailfish Browser trust list (NSS)](#add-the-ca-certificate-to-the-sailfish-browser-trust-list--nss-)
- + [Add the CA certificate to the local Sailfish trust list (OpenSSL)](#add-the-ca-certificate-to-the-local-sailfish-trust-list--openssl-)
- + [Make the Browser use a proxy for HTTPS as well](#make-the-browser-use-a-proxy-for-https-as-well)
- * [Other stuff](#other-stuff)
- + [Enable the local documentation](#enable-the-local-documentation)
- + [Tor and I2P integration](#tor-and-i2p-integration)
- + [Add additional action files](#add-additional-action-files)
- - [Tools and lists available on the web](#tools-and-lists-available-on-the-web)
- - [Converting hosts files to filter files](#converting-hosts-files-to-filter-files)
- - [The AdBlock2Privoxy (AB2P) Method](#the-adblock2privoxy--ab2p--method)
- * [Enable the AB2P functionality on the device:](#enable-the-ab2p-functionality-on-the-device-)
- - [The deprecated "extra-lists" package](#the-deprecated--extra-lists--package)
- * [Housekeeping and Plumbing](#housekeeping-and-plumbing)
+See https inspection section in the [User Guide](docs/Userguide.md) for some details.
----
-## Enable the service
-Start the systemd service (as root)
-
- # systemctl enable harbour-privoxy.service
- # systemctl start harbour-privoxy.service
-
-## Configure Sailfish OS to use the Proxy
-
-Configure your application to use a proxy at http://127.0.0.1:8118.
-
-You can do that through `Settings -> Mobile Network -> Advanced`. (Note that
-many applications do not actually use the "Global Proxy" option.
-
-One notable example of software that DOES respect the Global Proxy setting is
-the SailfishOS package update and install mechanism, so the Store App, System
-Updates, `pkcon`, `zypper` and so on go through the proxy to download packages.
-So, be very careful with your filter and blocking configurations, or you might
-actually break these temporarily.
-
-For the Sailfish Browser, proxy settings can be done on the about:config page:
-
- network.proxy.http = 127.0.0.1
- network.proxy.http_port = 8118
- network.proxy.type = 1
-
-and maybe also
-
- network.http.proxy.pipelining = false
-
-If you find an app that does not respect the "Global Proxy" setting, e.g. apps
-using QtWebView components, you can coax it into using it by setting the
-environment variable `http_proxy`. Again, depending on the app it may or may
-not actually respect that. But Qt components at least do.
-
- env http_proxy=http://127.0.0.1:8118 harbour-appname
-
-And you're good to go. Test your configuration by browsing to [http://p.p](http://p.p)
-
-Please refer to the [Privoxy documentation](https://www.privoxy.org/user-manual/quickstart.html) on where to go from here.
-
-**Notes about the SailfishOS package**
-
-Some things are changed from the upstream distribution:
-
- - The daemon is run from systemd in system context, but as defaultuser/nemo
- - most things have been renamed from `privoxy` to `harbour-privoxy`
- - configuration lives under `/usr/share/harbour-privoxy/conf`, not `/etc/privoxy`
- - in order to run the daemon and access the config files, the user must be in the `inet` group
-
-## HTTPS support
-
-To enable the support for HTTPS inspection, additional steps are necessary.
-
-**NOTE:** This basically works by doing SSL/TLS MITM (man-in-the-middle) using
-widely accessible, system-wide trusted certificate.
-This is a *tremendous* security risk and opens up all your internet usage to
-potential tampering.
-
-Be careful about what you're doing here.
-
-### Generate a CA certificate
-
-Generate Certificate CA files necessary for applications to trust Privoxy:
-
-1. Go to `/usr/share/harbour-privoxy/ssl/ca`
-1. Inspect the `generate-ca-certs.sh` script and `harbour-privoxy-ca.cnf` OpenSSL config file to make sure they do what you want. Note that if you change the password, you will have to change the `ca-password` directive in `conf.sailfish` as well.
-1. Run `/bin/sh generate-ca-certs.sh`
-1. make sure the file names and locations match the ones configured in section 7 of `conf.sailfish`
-1. check permissions on the files and directory, you don't want anyone to steal and replace these
-
-Now that you have the certificates, note that *uninstalling* harbour-privoxy
-will remove them. Pure updates should leave them intact.
-
-As a final step, we need to give Privoxy a list of trusted CAs. This is the file name given in the `trusted-cas-file` directive, and its default is `trustedCAs.pem`.
-Luckily we do not need to build that, the OS already has a suitable file. Let's just symlink it:
-
- # ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /usr/share/harbour-privoxy/ssl/ca/trustedCAs.pem
-
-### Add the CA certificate to the Sailfish Browser trust list (NSS)
-
-You need to add the CA as trusted to the Mozilla certificate store, otherwise
-the browser will not accept any https connections. You may have to install the
-`nss-tools` package to get `certutil`.
-See [this post](https://together.jolla.com/question/835/browser-personal-certificates-import/?answer=8170) for more.
-
-
-If you want to install it for **all users**, run as root:
-
- # certutil -A -n "Privoxy CA" -t "TC,," -d /etc/pki/nssdb -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
-
-**OR** for one user only, as user, **under SailfishOS versions 4.0 and above**:
-
- $ certutil -A -n "Privoxy CA" -t "TC,," -d ${HOME}/.local/share/org.sailfishos/browser/.mozilla/ -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
-
-**OR** for one user only, as user, **under SailfishOS versions < 4.x**:
-
- $ certutil -A -n "Privoxy CA" -t "TC,," -d ${HOME}/.mozilla/mozembed/ -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
-
-To check that is has been installed:
-
- certutil -L -d ${HOME}/.local/share/org.sailfishos/browser/.mozilla
-
-
-Other applications which use Silica WebView may need this also. In that case,
-the .mozilla location should be under
-`${HOME}/.cache/<<OrganizationName>>/<<ApplicationName>>/.mozilla`.
-
-This will make the Sailfish Browser, and other mozilla-based applications, trust the new CA certificate.
-To check that it is working, open any https:// website and tap the little padlock in the address bar.
-It should show your certificate as CA.
-
-Removing the certificate again:
-
- $ certutil -D -n "Privoxy CA" -d ${HOME}/.local/share/org.sailfishos/browser/.mozilla/
-
-**OR**
-
- # certutil -D -n "Privoxy CA" -t "TC,," -d /etc/pki/nssdb -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
-
-### Add the CA certificate to the local Sailfish trust list (OpenSSL)
-
-SSL-enabled application apart from the browser may use the OpenSSL certificate
-store instead of NSS. So your CA needs to be there and trusted as well.
-
-This should be done according to the procedure laid out in `/etc/pki/ca-trust/source/README`.
-So, take the certificate just generated, and place it there:
-
- # cp /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt /etc/pki/ca-trust/source/anchors/
- # update-ca-trust
-
-You can check whether it worked by going to Settings -> Certificates -> TLS and
-search for "Harbour"
-
-### Make the Browser use a proxy for HTTPS as well
-
-Like above, configure the Browser to use the proxy:
-
- network.proxy.ssl = 127.0.0.1
- network.proxy.ssl_port = 8118
-
-Now, there are things like HSTS, csp, and others which are supposed to make you
-safer, but contribute to sites breaking due to ad blocking. Some settings will
-improve behaviour, but reduce security/safety. Some of them are given below.
-You may want to study [arkenfox](https://github.com/arkenfox/user.js) for
-detailed info.
-
-*Caveat Emptor*.
-
- security.mixed_content.block_active_content
- browser.xul.error_pages.expert_bad_cert
- security.csp.enable
- security.ssl.enable_ocsp_must_staple
- security.ssl.enable_ocsp_stapling
-
-
-## Other stuff
-### Enable the local documentation
-
-If you want the documentation, you can install the `harbour-privoxy-docs` RPM
-package. It is available in the same repository as the harbour-privoxy package
-but will not show up in Storeman.
-So use pkcon or zypper.
-
-You will then need the config file to say (this should be enabled by default):
-
- user-manual /usr/share/doc/harbour-privoxy/user-manual
-
-Having the docs available locally is useful as the config web page links to it
-in places.
-
-### Tor and I2P integration
-
-You can use this in combination with the Tor proxy. Just add/uncomment the line
-
- forward-socks5t / 127.0.0.1:9050 .
-
-in Section 5.2 of `config.sailfish` (it's around line 1400).
-
-For I2P, running a local i2pd, use:
-
- forward-socks5 / 127.0.0.1:4447 .
-
-To only use the tor/i2p networks for hidden services, make this:
-
- forward-socks5t *.onion 127.0.0.1:4445 .
- forward-socks5 *.i2p 127.0.0.1:4447 .
-
-### Add additional action files
-
-#### Tools and lists available on the web
-
-There are some ways to generate additional filter/action files from online
-sources such as AdBlock Plus.
-
-There are several projects to check out:
-
- - https://github.com/essandess/adblock2privoxy <-- this is the base for the AD2P method described below
- - https://github.com/Andrwe/privoxy-blocklist
- - https://github.com/FunCyRanger/privoxy-blocklist/
- - https://pgl.yoyo.org/adservers/ <-- website which generates ready-made files. Select the "junkbuster" format for that one!
-
-#### Converting hosts files to filter files
-
-This is quite trivial. If you have a hosts file you can convert it to a simple
-privoxy actions file. Find scripts `hosts2privoxy.sh` and
-`hosts2privoxy_dl.sh` in the `extras` directory which do this.
-
-These have only been tested with some hosts files, so might require slight
-modifications for others, but you can see the format.
-
-If you are also using [Defender II](https://openrepos.net/content/peterleinchen/defender-ii-updated-encrypted-devices-originated-nodevel)
-you can re-use its list if you want.
-
-
-Doing this is effective, but offers quite unsophisticated protection. Also,
-these lists tend to be large, leading to memory and performance problems.
-
-#### The AdBlock2Privoxy (AB2P) Method
-
-The AdBlock2Privoxy is a tool which can convert AdBlock lists to privoxy config files.
-It also has a quite clever solution for the fact that Privoxy can not do
-element hiding well: it generates CSS files which implement the element hiding,
-and relies on a small http server running alongside privoxy to provide them.
-Privoxy can then inject them into pages.
-
-
-**Using the provided example package**
-
-`harbour-privoxy` ships with an example package for AB2P. You can install the
-`harbour-privoxy-ab2p` RPM package. It is available in the same repository as
-the harbour-privoxy package but will not show up in Storeman. So use pkcon or
-zypper.
-
-Because the generated files are quite large, they are distributed for
-SailfishOS as a compressed package. To use them, extract the ab2p.tar.xz
-package into the `extras/ab2p` folder. Don't be fooled, the 1MB package
-decompresses into hundred(s) of megabytes!!
-
-The provided example package is built from the configuration seen in
-`ab2p_general.task`. Read it to find which adblock lists have been used.
-
-**Using automatically generated tarballs**
-
-This GitLab project uses CI to build a set of preconfigured tarballs every four weeks. Hop over to the [Releases](https://gitlab.com/nephros/harbour-privoxy/-/releases) section to get them.
-
-They come in three variants:
-
- - general: the same configuration that comes with the example package, but likely more up-to-date.
- - noelemhide: generated from the EasyList "No Element Hiding" list, offers blocking only with none of the CSS tricks.
- - nephros: Yours Truly's current/preferred configuration. May fit you needs as well, or may not.
-
-**Building your own variant with custom lists**
-
-To get this working you must generate the custom blocking configuration on a PC where you have a haskell runtime available.
-OR, you could use my Gitlab CI template at
-[gitlab.com/nephros](https://gitlab.com/nephros/ci-templates/-/blob/master/other/ab2p-builder.yml)
-to let docker do all the hard work.
-
-On a local PC:
-1. Get the source from https://github.com/FunCyRanger/adblock2privoxy
-2. Compile the tool according to the instructions for adblock2privoxy
-3. Generate blocking .action, .filter and CSS files:
- - you MUST use the following options for the httpd provided with this package:
- - `stack run adblock2privoxy -- -p ./ab2p/ -w ./ab2p/css -d 127.0.0.1:8119 <<URLS for filter files>>`
-
-WARNING: Large files will need more memory, more CPU, and make the proxy operate slower.
-Be careful and reasonable about which filter lists you choose to convert.
-
-##### Enable the AB2P functionality on the device:
-
-1. Copy the files onto the Sailfish device, into the `/conf/extras/ab2p` folder. It should end up looking like this:
-
-```
- /usr/share/harbour-privoxy/conf/extra/ab2p/
- /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.action
- /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.system.action
- /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.filter
- /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.system.filter
- /usr/share/harbour-privoxy/conf/extra/ab2p/css/
-```
-
-2. Add the appropriate action and filterfile options to the privoxy config file
-
-```
- actionsfile extra/ab2p/ab2p.action
- actionsfile extra/ab2p/ab2p.system.action
- filterfile extra/ab2p/ab2p.filter
- filterfile extra/ab2p/ab2p.system.filter
-```
-
-3. make sure the `harbour-privoxy-httpd.service` is running. It should start together with the privoxy service automatically.
-
-#### The deprecated "extra-lists" package
-
-**DEPRECATION NOTICE**: The plain conversion scripts from this package never
-worked very well, so there will be no updates to these. This section here is
-for older releases which have the `-extra-lists` package.
-
-It is recommended to use the AB2P method.
-
-Experimental pre-generated files, and a slightly modified version of the script
-from the latter project are available in the `harbour-privoxy-extra-lists`
-package. Like -docs above, you will have to use zypper or pkcon to install it.
-
-To use the pre-generated files:
-
- - decompress the .xz files you want to use
- - activate/add the corresponding `actionsfile` and `filterfile` directives in `config.sailfish`
-
-See [EasyList.to](https://easylist.to) for information what the lists do exactly.
-
-Not all of them are tested, but Yours Truly uses easyprivacy, fanboy-social,
-and antiadblock successfully.
-
-**NOTE:** the conversion script is not perfect. It can generate some rules that:
- - may cause privoxy to write errors about filters to the log. These are harmless
- - may cause privoxy startup to fail. This is worse of course. To correct:
- - enable logging in the config file
- - run harbour-privoxy --no-daemon --config-test /path/to/config
- - check for Fatal error lines in the log (grep Fatal logfile)
- - the error will give the line number and filename for the offending rule. Edit the file and correct/remove it
- - you may have to repeat this a couple of times to catch all of them...
-
-You may call the `privoxy-blocklist_check_and_fix.sh` script to check the files beforehand.
-
-----
-
-## Housekeeping and Plumbing
-
-harbour-privoxy ships with these SystemD units:
-
- - `harbour-privoxy.service` <-- the main service
- - `harbour-privoxy-httpd.service` <-- minimal http server for AB2P, serves local content (css, fonts etc)
- - `harbour-privoxy-log2jrnl.service` <-- forwards entries from the log file to journald
+## Installation Instructions
- - `harbour-privoxy-housekeeping.timer` <-- this triggers the housekeeping services every 24 hours
- - `harbour-privoxy-housekeeping.target` <-- target which starts the others, below
- - `harbour-privoxy-clean-certs.service` <-- member of housekeeping, cleans out the generated https certs
- - `harbour-privoxy-clean-log.service` <-- member of housekeeping, empties the log file from time to time
+See the User Guide on how to proceed after installation:
+[User Guide](docs/Userguide.md)
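Review bot: The replacement line `See https inspection section in the [User Guide](docs/Userguide.md)` points at a file that, in this same change, holds only a stub for HTTPS and forwards to `Userguide_HTTPS.md`; link `docs/Userguide_HTTPS.md` directly so a reader arriving from the upgrade warning reaches the details in one step. The man-in-the-middle warning also leaves the README with this removal, so a one-line pointer to it here would keep the risk visible on the landing page. The new `## Installation Instructions` heading contains no installation steps, only a pointer to the post-install guide; rename it or add the steps.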
Added |
_service:tar_git:harbour-privoxy-3.0.34+obs7.tar.gz/docs/Userguide.md
@@ -0,0 +1,130 @@
+# User Guide
+
+**Table of Contents**
+
+- [User Guide](#user-guide)
+ * [Enable the service](#enable-the-service)
+ * [Configure Sailfish OS to use the Proxy](#configure-sailfish-os-to-use-the-proxy)
+ * [HTTPS support](#https-support)
+ * [Other stuff](#other-stuff)
+ + [Enable the local documentation](#enable-the-local-documentation)
+ + [Tor and I2P integration](#tor-and-i2p-integration)
+ + [Add additional action files](#add-additional-action-files)
+ - [Tools and lists available on the web](#tools-and-lists-available-on-the-web)
+ - [Converting hosts files to filter files](#converting-hosts-files-to-filter-files)
+ - [The AdBlock2Privoxy (AB2P) Method](#the-adblock2privoxy--ab2p--method)
+ * [Enable the AB2P functionality on the device:](#enable-the-ab2p-functionality-on-the-device-)
+ - [The deprecated "extra-lists" package](#the-deprecated--extra-lists--package)
+ * [Housekeeping and Plumbing](#housekeeping-and-plumbing)
+
+----
+
+## Enable the service
+Start the systemd service (as root)
+
+ # systemctl enable harbour-privoxy.service
+ # systemctl start harbour-privoxy.service
+
+## Configure Sailfish OS to use the Proxy
+
+Configure your application to use a proxy at http://127.0.0.1:8118.
+
+You can do that through `Settings -> Mobile Network -> Advanced`. (Note that
+many applications do not actually use the "Global Proxy" option.
+
+One notable example of software that DOES respect the Global Proxy setting is
+the SailfishOS package update and install mechanism, so the Store App, System
+Updates, `pkcon`, `zypper` and so on go through the proxy to download packages.
+So, be very careful with your filter and blocking configurations, or you might
+actually break these temporarily.
+
+For the Sailfish Browser, proxy settings can be done on the about:config page:
+
+ network.proxy.http = 127.0.0.1
+ network.proxy.http_port = 8118
+ network.proxy.type = 1
+
+and maybe also
+
+ network.http.proxy.pipelining = false
+
+If you find an app that does not respect the "Global Proxy" setting, e.g. apps
+using QtWebView components, you can coax it into using it by setting the
+environment variable `http_proxy`. Again, depending on the app it may or may
+not actually respect that. But Qt components at least do.
+
+ env http_proxy=http://127.0.0.1:8118 harbour-appname
+
+And you're good to go. Test your configuration by browsing to [http://p.p](http://p.p)
+
+Please refer to the [Privoxy documentation](https://www.privoxy.org/user-manual/quickstart.html) on where to go from here.
+
+**Notes about the SailfishOS package**
+
+Some things are changed from the upstream distribution:
+
+ - The daemon is run from systemd in system context, but as defaultuser/nemo
+ - most things have been renamed from `privoxy` to `harbour-privoxy`
+ - configuration lives under `/usr/share/harbour-privoxy/conf`, not `/etc/privoxy`
+ - in order to run the daemon and access the config files, the user must be in the `inet` group
+
+### Add additional rules and action files
+
+See the [Rules page](Userguide_Rules.md) for instructions.
+
+## HTTPS support
+
+As most of the WWW is HTTPS nowadays, having Privoxy only act on HTTP pages is
+not very useful. To enable the support for HTTPS inspection, additional steps
+are necessary.
+
+See the [HTTPS support page](Userguide_HTTPS.md) for instructions.
+
+
+## Other stuff
+### Enable the local documentation
+
+If you want the documentation, you can install the `harbour-privoxy-docs` RPM
+package. It is available in the same repository as the harbour-privoxy package
+but will not show up in Storeman.
+So use pkcon or zypper.
+
+You will then need the config file to say (this should be enabled by default):
+
+ user-manual /usr/share/doc/harbour-privoxy/user-manual
+
+Having the docs available locally is useful as the config web page links to it
+in places.
+
+### Tor and I2P integration
+
+You can use this in combination with the Tor proxy. Just add/uncomment the line
+
+ forward-socks5t / 127.0.0.1:9050 .
+
+in Section 5.2 of `config.sailfish` (it's around line 1400).
+
+For I2P, running a local i2pd, use:
+
+ forward-socks5 / 127.0.0.1:4447 .
+
+To only use the tor/i2p networks for hidden services, make this:
+
+ forward-socks5t *.onion 127.0.0.1:4445 .
+ forward-socks5 *.i2p 127.0.0.1:4447 .
+
+----
+
+## Housekeeping and Plumbing
+
+harbour-privoxy ships with these SystemD units:
+
+ - `harbour-privoxy.service` <-- the main service
+ - `harbour-privoxy-httpd.service` <-- minimal http server for AB2P, serves local content (css, fonts etc)
+ - `harbour-privoxy-log2jrnl.service` <-- forwards entries from the log file to journald
+
+ - `harbour-privoxy-housekeeping.timer` <-- this triggers the housekeeping services every 24 hours
+ - `harbour-privoxy-housekeeping.target` <-- target which starts the others, below
+ - `harbour-privoxy-clean-certs.service` <-- member of housekeeping, cleans out the generated https certs
+ - `harbour-privoxy-clean-log.service` <-- member of housekeeping, empties the log file from time to time
+
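Review bot: In the "Tor and I2P integration" section the `.onion` rule forwards to `127.0.0.1:4445`, while the all-traffic Tor rule a few lines above uses `127.0.0.1:9050`; if both are meant to reach the same local Tor SOCKS port, one of them is wrong, and if a different listener is intended the text should say which. The table of contents was carried over unchanged: it still lists the AB2P, hosts-file and "extra-lists" entries that now live in `Userguide_Rules.md`, and it omits the new "Add additional rules and action files" heading. The parenthesis opened at "(Note that many applications" is never closed.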
Added |
_service:tar_git:harbour-privoxy-3.0.34+obs7.tar.gz/docs/Userguide_HTTPS.md
@@ -0,0 +1,115 @@
+# User Guide: HTTPS support
+
+**Table of Contents**
+
+ - [Generate a CA certificate](#generate-a-ca-certificate)
+ - [Add the CA certificate to the Sailfish Browser trust list (NSS)](#add-the-ca-certificate-to-the-sailfish-browser-trust-list--nss-)
+ - [Add the CA certificate to the local Sailfish trust list (OpenSSL)](#add-the-ca-certificate-to-the-local-sailfish-trust-list--openssl-)
+ - [Make the Browser use a proxy for HTTPS as well](#make-the-browser-use-a-proxy-for-https-as-well)
+
+----
+
+To enable the support for HTTPS inspection, additional steps are necessary.
+
+**NOTE:** This basically works by doing SSL/TLS MITM (man-in-the-middle) using
+widely accessible, system-wide trusted certificate.
+This is a *tremendous* security risk and opens up all your internet usage to
+potential tampering.
+
+Be careful about what you're doing here.
+
+## Generate a CA certificate
+
+Generate Certificate CA files necessary for applications to trust Privoxy:
+
+1. Go to `/usr/share/harbour-privoxy/ssl/ca`
+1. Inspect the `generate-ca-certs.sh` script and `harbour-privoxy-ca.cnf` OpenSSL config file to make sure they do what you want. Note that if you change the password, you will have to change the `ca-password` directive in `conf.sailfish` as well.
+1. Run `/bin/sh generate-ca-certs.sh`
+1. make sure the file names and locations match the ones configured in section 7 of `conf.sailfish`
+1. check permissions on the files and directory, you don't want anyone to steal and replace these
+
+Now that you have the certificates, note that *uninstalling* harbour-privoxy
+will remove them. Pure updates should leave them intact.
+
+As a final step, we need to give Privoxy a list of trusted CAs. This is the file name given in the `trusted-cas-file` directive, and its default is `trustedCAs.pem`.
+Luckily we do not need to build that, the OS already has a suitable file. Let's just symlink it:
+
+ # ln -s /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /usr/share/harbour-privoxy/ssl/ca/trustedCAs.pem
+
+## Add the CA certificate to the Sailfish Browser trust list (NSS)
+
+You need to add the CA as trusted to the Mozilla certificate store, otherwise
+the browser will not accept any https connections. You may have to install the
+`nss-tools` package to get `certutil`.
+See [this post](https://together.jolla.com/question/835/browser-personal-certificates-import/?answer=8170) for more.
+
+
+If you want to install it for **all users**, run as root:
+
+ # certutil -A -n "Privoxy CA" -t "TC,," -d /etc/pki/nssdb -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
+
+**OR** for one user only, as user, **under SailfishOS versions 4.0 and above**:
+
+ $ certutil -A -n "Privoxy CA" -t "TC,," -d ${HOME}/.local/share/org.sailfishos/browser/.mozilla/ -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
+
+**OR** for one user only, as user, **under SailfishOS versions < 4.x**:
+
+ $ certutil -A -n "Privoxy CA" -t "TC,," -d ${HOME}/.mozilla/mozembed/ -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
+
+To check that is has been installed:
+
+ certutil -L -d ${HOME}/.local/share/org.sailfishos/browser/.mozilla
+
+
+Other applications which use Silica WebView may need this also. In that case,
+the .mozilla location should be under
+`${HOME}/.cache/<<OrganizationName>>/<<ApplicationName>>/.mozilla`.
+
+This will make the Sailfish Browser, and other mozilla-based applications, trust the new CA certificate.
+To check that it is working, open any https:// website and tap the little padlock in the address bar.
+It should show your certificate as CA.
+
+Removing the certificate again:
+
+ $ certutil -D -n "Privoxy CA" -d ${HOME}/.local/share/org.sailfishos/browser/.mozilla/
+
+**OR**
+
+ # certutil -D -n "Privoxy CA" -t "TC,," -d /etc/pki/nssdb -i /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt
+
+## Add the CA certificate to the local Sailfish trust list (OpenSSL)
+
+SSL-enabled application apart from the browser may use the OpenSSL certificate
+store instead of NSS. So your CA needs to be there and trusted as well.
+
+This should be done according to the procedure laid out in `/etc/pki/ca-trust/source/README`.
+So, take the certificate just generated, and place it there:
+
+ # cp /usr/share/harbour-privoxy/ssl/ca/privoxy-ca-cert.crt /etc/pki/ca-trust/source/anchors/
+ # update-ca-trust
+
+You can check whether it worked by going to Settings -> Certificates -> TLS and
+search for "Harbour"
+
+## Make the Browser use a proxy for HTTPS as well
+
+Like above, configure the Browser to use the proxy:
+
+ network.proxy.ssl = 127.0.0.1
+ network.proxy.ssl_port = 8118
+
+Now, there are things like HSTS, csp, and others which are supposed to make you
+safer, but contribute to sites breaking due to ad blocking. Some settings will
+improve behaviour, but reduce security/safety. Some of them are given below.
+You may want to study [arkenfox](https://github.com/arkenfox/user.js) for
+detailed info.
+
+*Caveat Emptor*.
+
+ security.mixed_content.block_active_content
+ browser.xul.error_pages.expert_bad_cert
+ security.csp.enable
+ security.ssl.enable_ocsp_must_staple
+ security.ssl.enable_ocsp_stapling
+
+
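Review bot: In "Removing the certificate again", the system-wide line `certutil -D -n "Privoxy CA" -t "TC,," -d /etc/pki/nssdb -i ...` carries the `-t` and `-i` arguments from the add command, while the per-user removal line above it uses only `-n` and `-d`; drop them so the two removal lines match. The OpenSSL section copies the CA into `/etc/pki/ca-trust/source/anchors/` but gives no matching removal step; add the delete followed by `update-ca-trust`, since this is a system-wide trusted interception CA. The closing list of `security.*` preferences gives neither values nor the effect of each setting, so a reader cannot tell what is being weakened; state the value to set and which protection it turns off. The config file is also called `conf.sailfish` here and `config.sailfish` in `Userguide.md`.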
Added |
_service:tar_git:harbour-privoxy-3.0.34+obs7.tar.gz/docs/Userguide_Rules.md
@@ -0,0 +1,186 @@
+# User Guide: Add additional action files
+
+**Table of Contents**
+
+ - [The AdBlock2Privoxy (AB2P) Method](#the-adblock2privoxy--ab2p--method)
+ * [Enable the AB2P functionality on the device:](#enable-the-ab2p-functionality-on-the-device-)
+ - [Tools and lists available on the web](#tools-and-lists-available-on-the-web)
+ - [Converting hosts files to filter files](#converting-hosts-files-to-filter-files)
+ - [The deprecated "extra-lists" package](#the-deprecated--extra-lists--package)
+
+----
+## The AdBlock2Privoxy (AB2P) Method
+
+AdBlock2Privoxy is a tool which can convert AdBlock lists to Privoxy config
+files. It also has a quite clever solution for the fact that Privoxy can not
+do element hiding well: it generates CSS files which implement the element
+hiding, and relies on a small http server running alongside Privoxy to
+serve them.
+Privoxy can then inject the hiding CSS snippets into pages.
+
+You have three possibilities to get such converted files:
+
+**Using the provided example package**
+
+`harbour-privoxy` ships with an example package for AB2P. You can install the
+`harbour-privoxy-ab2p` RPM package. It is available in the same repository as
+the harbour-privoxy package but will not show up in Storeman. So use pkcon or
+zypper. It will show up in Chum GUI though under additional packages.
+
+Because the generated files are quite large, they are distributed for
+SailfishOS as a compressed package. To use them, extract the ab2p.tar.xz
+package into the `extras/ab2p` folder. Don't be fooled, the 1MB package
+decompresses into hundred(s) of megabytes!!
+
+The provided example package is built from the configuration seen in
+`ab2p_general.task`. Read it to find which adblock lists have been used.
+
+Note the example package is convenient, but not updated very often. It is best
+to update its files from one of the other methods after becoming familiar with
+AB2P.
+
+**Using automatically generated tarballs**
+
+This GitLab project uses CI to build a set of preconfigured tarballs every four
+weeks. Hop over to the
+[Releases](https://gitlab.com/nephros/harbour-privoxy/-/releases) section to
+get them.
+
+They come in three variants:
+
+ - general: the same configuration that comes with the example package, but likely more up-to-date.
+ - noelemhide: generated from the EasyList "No Element Hiding" list, offers blocking only with none of the CSS tricks.
+ - nephros: Yours Truly's current/preferred configuration. May fit you needs as well, or may not.
+
+On the download page you will also find a script you can run (after you have
+installed the files) to update from the web if desired.
+
+**Building your own variant with custom lists**
+
+To get this working you must generate the custom blocking configuration on a PC where you have a haskell runtime available.
+OR, you could use my Gitlab CI template at
+[gitlab.com/nephros](https://gitlab.com/nephros/ci-templates/-/blob/master/other/ab2p-builder.yml)
+to let docker do all the hard work.
+
+On a local PC:
+1. Get the source from https://github.com/FunCyRanger/adblock2privoxy
+2. Compile the tool according to the instructions for adblock2privoxy
+3. Generate blocking .action, .filter and CSS files:
+ - you MUST use the following options for the httpd provided with this package:
+ - `stack run adblock2privoxy -- -p ./ab2p/ -w ./ab2p/css -d 127.0.0.1:8119 <<URLS for filter files>>`
+
+WARNING: Converting large files, or large amounts of files, will lead to
+Privoxy needing more memory, more CPU, and make the proxy operate slower.
+Be careful and reasonable about which filter lists you choose to convert.
+
+### Enable the AB2P functionality on the device:
+
+Once you have your converted files, make Privoxy aware of them:
+
+1. Copy the files onto the Sailfish device (or extract them there), into the `/conf/extras/ab2p` folder. It should end up looking like this:
+
+```
+ /usr/share/harbour-privoxy/conf/extra/ab2p/
+ /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.action
+ /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.system.action
+ /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.filter
+ /usr/share/harbour-privoxy/conf/extra/ab2p/ab2p.system.filter
+ /usr/share/harbour-privoxy/conf/extra/ab2p/css/
+ /usr/share/harbour-privoxy/conf/extra/ab2p/css/... # <-- lots of files and dirs below here
+```
+
+2. Add the appropriate action and filterfile options to the privoxy config file
+
+```
+ actionsfile extra/ab2p/ab2p.action
+ actionsfile extra/ab2p/ab2p.system.action
+ filterfile extra/ab2p/ab2p.filter
+ filterfile extra/ab2p/ab2p.system.filter
+```
+
+3. make sure the `harbour-privoxy-httpd.service` is running. It should start
+ alongside the privoxy service automatically.
+
+
+## Tools and lists available on the web
+
+There are some ways to generate additional filter/action files from online
+sources such as AdBlock Plus.
+
+There are several projects to check out:
+
+ - https://github.com/essandess/adblock2privoxy <-- this is the base for the AD2P method described earlier
+ - https://github.com/Andrwe/privoxy-blocklist
+ - https://github.com/FunCyRanger/privoxy-blocklist/
+
+## Premade Privoxy Action files
+
+ A website which generates ready-made files. Select the "junkbuster" format for that one!
+
+ - https://pgl.yoyo.org/adservers/
+
+A script called `get_yoyo_org.sh` is provided in the `extras` directory which does this.
+
+## Regex lists
+
+ A reasonable alternative to either ab2p and hosts list is to use regexes.
+ While not as sophisticated as ab2p (no element hiding), they are still more
+ optimized for Privoxy than converting a hosts list
+
+These are sites hosting block lists in regex format:
+
+ - https://oisd.nl/setup
+
+A script called `get_oisd_nl.sh` is provided in the `extras` directory which does this.
+
+## Converting hosts files to filter files
+
+This is quite trivial. If you have a hosts file you can convert it to a simple
+privoxy actions file. Find scripts `hosts2privoxy.sh` and
+`hosts2privoxy_dl.sh` in the `extras` directory which do this.
+
+These have only been tested with some hosts files, so might require slight
+modifications for others, but you can see the format.
+
+If you are also using [Defender II](https://openrepos.net/content/peterleinchen/defender-ii-updated-encrypted-devices-originated-nodevel)
+you can re-use its list if you want.
+
+Doing this is effective, but offers quite unsophisticated protection. Also,
+these lists tend to be large, leading to memory and performance problems.
+
+----
+## The deprecated "extra-lists" package
+
+**DEPRECATION NOTICE**: The plain conversion scripts from this package never
+worked very well, so there will be no updates to these. This section here is
+for older releases which have the `-extra-lists` package.
+
+It is recommended to use the AB2P method.
+
+----
+Experimental pre-generated files, and a slightly modified version of the script
+from the `privoxy-blocklist` project are available in the
+`harbour-privoxy-extra-lists` package. You will have to use zypper or pkcon to
+install it.
+
+To use the pre-generated files:
+
+ - decompress the .xz files you want to use
+ - activate/add the corresponding `actionsfile` and `filterfile` directives in `config.sailfish`
+
+See [EasyList.to](https://easylist.to) for information what the lists do exactly.
+
+Not all of them are tested, but Yours Truly uses easyprivacy, fanboy-social,
+and antiadblock successfully.
+
+**NOTE:** the conversion script is not perfect. It can generate some rules that:
+ - may cause privoxy to write errors about filters to the log. These are harmless
+ - may cause privoxy startup to fail. This is worse of course. To correct:
+ - enable logging in the config file
+ - run harbour-privoxy --no-daemon --config-test /path/to/config
+ - check for Fatal error lines in the log (grep Fatal logfile)
+ - the error will give the line number and filename for the offending rule. Edit the file and correct/remove it
+ - you may have to repeat this a couple of times to catch all of them...
+
+You may call the `privoxy-blocklist_check_and_fix.sh` script to check the files beforehand.
+
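Review bot: the install directory is spelled two ways in the added text. Step 1 of "Enable the AB2P functionality" says `/conf/extras/ab2p`, while the listing under it and the `actionsfile`/`filterfile` lines use `extra/ab2p`, and the later sections point to an `extras` directory for `get_yoyo_org.sh`, `get_oisd_nl.sh` and the `hosts2privoxy` scripts. Pick the spelling that matches the packaged path and use it throughout, since a user copying files into the wrong directory gets a proxy that silently runs without the block lists. Two smaller points in the same text: the build steps name FunCyRanger/adblock2privoxy as the source while the tools list calls essandess/adblock2privoxy the base of the method, and that list item says "AD2P" where the rest of the text says AB2P.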
|
[-]
[+]
|
Changed |
_service:tar_git:harbour-privoxy-3.0.34+obs7.tar.gz/files/config.sailfish
^
|
@@ -384,9 +384,12 @@
#
actionsfile match-all.action # Actions that are applied to all sites and maybe overruled later on.
actionsfile default.action # Main actions file
-### Extras with AB2P, see https://gitlab.com/nephros/harbour-privoxy/-/raw/master/files/extra/README_ab2p.md
+### Extras with AB2P, see https://gitlab.com/nephros/harbour-privoxy/-/blob/master/docs/Userguide_Rules.md
#actionsfile extra/ab2p/ab2p.system.action
#actionsfile extra/ab2p/ab2p.action
+### other Extras:
+#actionsfile extra/hosts_pgl_yoyo_org.action
+#actionsfile extra/small_oisd_nl.action
### Extras: end
#actionsfile user-agent.action # if you use uagen.pl to randomize user agent
# these should be the last in the list:
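Review bot: the two AB2P lines here list `ab2p.system.action` before `ab2p.action`, which is the reverse of the order the user guide in this same change tells users to add them; Privoxy evaluates actions files in the order given and later matches override earlier ones, so the two places should agree on one order. For the new `hosts_pgl_yoyo_org.action` and `small_oisd_nl.action` lines, if these are the files written by `get_yoyo_org.sh` and `get_oisd_nl.sh`, say so in the comment, so nobody uncomments a line that references a file which has not been generated yet.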
|
[-]
[+]
|
Changed |
_service:tar_git:harbour-privoxy.yaml
^
|
@@ -1,8 +1,7 @@
Name: harbour-privoxy
Summary: A "privacy enhancing proxy", filtering web pages and removing advertisements
Version: 3.0.34
-#Release: 1.2abcdef # N.M this is Debian Release N, nephros release M, plus git shortcommit added
-Release: 1.1.3 # the above, plus .x for OBS/Chum/git tag
+Release: 0
Group: Applications/Internet
#License: GPLv2+
# We link against either openSSL or MbedTLS, which are Apache-2.0
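Review bot: `Release: 0` replaces the only lines that documented the release numbering scheme, and nothing now says where the effective release comes from. If the build service sets it, a one-line comment next to `Release: 0` saying so would keep the next maintainer from reintroducing a hand-written value.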
@@ -43,10 +42,9 @@
For Installation and Configuration instructions for SailfishOS, see the following link:
https://gitlab.com/nephros/harbour-privoxy/-/blob/master/README.md
- PackageName: Privoxy
+ Title: Privoxy
DeveloperName: Privoxy Developers
- DeveloperLogin: privoxy-devel@lists.privoxy.org
- PackagerName: nephros
+ PackagedBy: nephros
Categories:
- Network
Custom:
@@ -56,7 +54,7 @@
Screenshots:
- https://gitlab.com/nephros/harbour-privoxy/-/raw/obs/Screenshot_003.png
- https://gitlab.com/nephros/harbour-privoxy/-/raw/obs/Screenshot_004.png
- Url:
+ Links:
Homepage: https://privoxy.org
Help: https://www.privoxy.org/user-manual/index.html
Bugtracker: https://gitlab.com/nephros/harbour-privoxy/issues
@@ -143,6 +141,8 @@
- '%{confdir}/regression-tests.action'
- '%{confdir}/extra/hosts2privoxy.sh'
- '%{confdir}/extra/hosts2privoxy_dl.sh'
+ - '%{confdir}/extra/get_oisd_nl.sh'
+ - '%{confdir}/extra/get_yoyo_org.sh'
- '%defattr(664,root,%{daemon_group},-)'
- '%config(noreplace) %{confdir}/match-all.action'
- '%config(noreplace) %{confdir}/sailfish.action'
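Review bot: the two new download scripts are listed above the `%defattr(664,root,%{daemon_group},-)` line, so their mode and group come from whatever attribute setting precedes this hunk, which is not visible here. Please confirm they are installed executable and not group-writable for `%{daemon_group}`: these scripts fetch lists from the web and are run by the user, so the proxy's own group should not be able to modify them.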
@@ -175,17 +175,17 @@
%{summary}.
%if "%{?vendor}" == "chum"
- PackageName: Privoxy tools
+ Title: Privoxy tools
+ Type: addon
DeveloperName: Privoxy Developers
- DeveloperLogin: privoxy-devel@lists.privoxy.org
- PackagerName: nephros
+ PackagedBy: nephros
Categories:
- Network
Custom:
Repo: https://www.privoxy.org/git/privoxy.git
PackagingRepo: https://gitlab.com/nephros/harbour-privoxy
Icon: https://gitlab.com/nephros/harbour-privoxy/-/raw/obs/files/harbour-privoxy_256.png
- Url:
+ Links:
Homepage: https://privoxy.org
Help: https://www.privoxy.org/user-manual/index.html
Bugtracker: https://gitlab.com/nephros/harbour-privoxy/issues
@@ -203,12 +203,14 @@
- Name: ab2p
Summary: pregenerated AdBlock blocking lists for %{name}
Group: Applications/Internet
- Version: 2021.01.21
+ Version: 2024.02.14
Release: 1
BuildArch: noarch
AutoDepend: false
Obsoletes:
- harbour-privoxy-extra-lists-ab2p <= 2021.01.21-2
+ # as OBS mangles our version, lets obsolete ourself:
+ - harbour-privoxy-ab2p < %{version}
Requires:
- harbour-privoxy-httpd
Files:
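Review bot: the added `harbour-privoxy-ab2p < %{version}` makes the subpackage obsolete its own name, and the comment explains the motive ("OBS mangles our version") but not what the mangled version string looks like or when the entry can be dropped. Extend the comment with an example of the version OBS produces, so that the range being obsoleted can be checked against what is actually in the repository.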
@@ -218,15 +220,17 @@
Description: |
%{summary}.
+ Please see the help/discussion link on how to use them.
+
%if "%{?vendor}" == "chum"
- PackageName: Privoxy AdBlock configuration
+ Title: Privoxy AdBlock configuration
DeveloperName: nephros
Categories:
- Network
Custom:
PackagingRepo: http://gitlab.com/nephros/harbour-privoxy
Icon: https://gitlab.com/nephros/harbour-privoxy/-/raw/obs/files/harbour-privoxy_256.png
- Url:
+ Links:
Help: https://gitlab.com/nephros/harbour-privoxy/-/blob/master/README.md#the-adblock2privoxy--ab2p--method
Bugtracker: https://gitlab.com/nephros/harbour-privoxy/issues
Donation: https://openrepos.net/donate
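Review bot: the `PackagingRepo` context line in this block still reads `http://gitlab.com/nephros/harbour-privoxy`, while the `Icon` line directly below it and the other links in the file use https. Since the block is being edited anyway, switch it to https; the httpd subpackage's metadata further down carries the same http line.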
@@ -240,6 +244,7 @@
AutoDepend: false
Requires:
- python3-base
+ - harbour-privoxy = %{version}
RequiresPost:
- systemd
RequiresPostUn:
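Review bot: the new `harbour-privoxy = %{version}` pin relies on `%{version}` meaning the main package's 3.0.34, but this subpackage follows the ab2p one, which sets its own `Version: 2024.02.14`. Please check in the generated spec which value the macro expands to at this point; if there is any doubt, a comment stating the intended version, or a macro captured from the main package, makes the dependency unambiguous.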
@@ -248,18 +253,22 @@
- '%{_unitdir}/%{name}-httpd.service'
- '%{_datadir}/%{name}/%{name}-httpd.py'
- '%{confdir}/extra/ab2p/blocked_128.png'
+ # i486 builds the compiled files on SFOS 3.2, others don't.
+ - '%exclude %{_datadir}/%{name}/%{name}-httpd.pyc'
+ - '%exclude %{_datadir}/%{name}/%{name}-httpd.pyo'
Description: |
%{summary}.
%if "%{?vendor}" == "chum"
- PackageName: Privoxy http server
+ Title: Privoxy http server
+ Type: addon
DeveloperName: nephros
Categories:
- Network
Custom:
PackagingRepo: http://gitlab.com/nephros/harbour-privoxy
Icon: https://gitlab.com/nephros/harbour-privoxy/-/raw/obs/files/harbour-privoxy_256.png
- Url:
+ Links:
Bugtracker: https://gitlab.com/nephros/harbour-privoxy/issues
Donation: https://openrepos.net/donate
%endif
|