Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Unofficial E2guardian package for pfSense

    Scheduled Pinned Locked Moved Cache/Proxy
    1.2k Posts 70 Posters 1.4m Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      danjeman
      last edited by

      A method of configuring it to listen on a CARP address via the GUI would be great too - Squid you can do this from the 'Advanced Features - Custom Options'… or is this not possible with e2g, looks like multi interface listen causes problems at the moment?

      1 Reply Last reply Reply Quote 0
      • marcellocM
        marcelloc
        last edited by

        @danjeman:

        It looks like multi interface listen causes problems at the moment?

        Not anymore. I've hard coded a config option util multi auth psr port is better implemented on gui.

        Treinamentos de Elite: http://sys-squad.com

        Help a community developer! ;D

        1 Reply Last reply Reply Quote 0
        • S
          Stewart
          last edited by

          How do we update?  Rerun the script?  That's what I've done and I've got some changes.

          1 Reply Last reply Reply Quote 0
          • marcellocM
            marcelloc
            last edited by

            @Stewart:

            How do we update?  Rerun the script?  That's what I've done and I've got some changes.

            Yes, rerun. Few days ago I've updated the e2guardian binaries to include icap and dnsauth.

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • S
              Stewart
              last edited by

              I reran the script and suddenly e2Guardian wouldn't load.  The error was:

              /usr/local/etc/rc.d/e2guardian.sh: WARNING: failed to start e2guardian
              Error parsing the e2guardian.conf file or other e2guardian configuration files
              Error loading auth plugins
              auth_plugin_load() returned NULL pointer with config file: /usr/local/etc/e2guardian/authplugins/proxy-header.conf 
              Unable read plugin config plugname variable /usr/local/etc/e2guardian/authplugins/proxy-header.conf 
              

              I was able to get it to start by uncommenting the last 3 lines in /usr/local/etc/e2guardian/authplugins/proxy-header.conf:

              
              low case
              header = ''
              
              plugname = 'proxy-header'
              
              

              Not sure what uncommenting them does but it allows it to load.

              1 Reply Last reply Reply Quote 0
              • S
                Stewart
                last edited by

                Well, it loads but it doesn't do anything.  Whether I try to create a NAT rule or just set the browser to 8080, no pages load.  They all just time out.  I'm watching /var/log/system.log but it isn't showing anything.

                1 Reply Last reply Reply Quote 0
                • marcellocM
                  marcelloc
                  last edited by

                  I'll what's different from my working e2guardian.  Did you selected any authentication method?

                  Treinamentos de Elite: http://sys-squad.com

                  Help a community developer! ;D

                  1 Reply Last reply Reply Quote 0
                  • S
                    Stewart
                    last edited by

                    I've tried Proxy-Basic and none.  Now, some pages load.  Others are blocked but show a category of NA.  I also can't get to the pfSense GUI from the local network.  Is there a way to reset to defaults in case I've done something?

                    Edit:  i am getting a bunch of:

                    Apr 10 17:25:20 	e2guardian 	53019 	stats reset to freechildren 16 busychildren 2 numchildren 18
                    Apr 10 17:25:20 	e2guardian 	53019 	freechildren 15 + busychildren 2 != numchildren 18
                    Apr 10 17:25:20 	e2guardian 	53019 	stats reset to freechildren 16 busychildren 2 numchildren 18
                    Apr 10 17:25:20 	e2guardian 	53019 	freechildren 16 + busychildren 1 != numchildren 18
                    Apr 10 17:25:20 	e2guardian 	53019 	stats reset to freechildren 17 busychildren 1 numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	freechildren 16 + busychildren 1 != numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	stats reset to freechildren 17 busychildren 1 numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	freechildren 15 + busychildren 2 != numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	stats reset to freechildren 16 busychildren 2 numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	freechildren 14 + busychildren 3 != numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	stats reset to freechildren 15 busychildren 3 numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	freechildren 14 + busychildren 3 != numchildren 18
                    Apr 10 17:25:21 	e2guardian 	53019 	stats reset to freechildren 15 busychildren 3 numchildren 18
                    Apr 10 17:26:36 	e2guardian 	53019 	freechildren 16 + busychildren 1 != numchildren 18
                    Apr 10 17:26:36 	e2guardian 	53019 	stats reset to freechildren 17 busychildren 1 numchildren 18
                    Apr 10 17:26:36 	e2guardian 	53019 	freechildren 16 + busychildren 1 != numchildren 18
                    Apr 10 17:26:36 	e2guardian 	53019 	stats reset to freechildren 17 busychildren 1 numchildren 18
                    Apr 10 17:26:36 	e2guardian 	53019 	freechildren 17 + busychildren 0 != numchildren 18
                    Apr 10 17:26:36 	e2guardian 	53019 	stats reset to freechildren 18 busychildren 0 numchildren 18
                    Apr 10 17:26:37 	e2guardian 	53019 	freechildren 17 + busychildren 0 != numchildren 18
                    Apr 10 17:26:37 	e2guardian 	53019 	stats reset to freechildren 18 busychildren 0 numchildren 18
                    Apr 10 17:26:39 	e2guardian 	53019 	freechildren 17 + busychildren 0 != numchildren 18
                    Apr 10 17:26:39 	e2guardian 	53019 	stats reset to freechildren 18 busychildren 0 numchildren 18 
                    

                    in the log now.

                    1 Reply Last reply Reply Quote 0
                    • marcellocM
                      marcelloc
                      last edited by

                      Unselect any autentication, save and apply(and maybe restart the service). The small documentation on proxy-header says that you must select a http header field to identify as users, and then add them on groups

                      
                      # Proxy-header auth plugin
                      # FredB August 2016
                      # Identifies users with header;
                      # relies upon the upstream proxy.
                      # Eg: in groups file
                      # Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0=filter3
                      # here:
                      # header = 'user-agent'
                      
                      

                      Treinamentos de Elite: http://sys-squad.com

                      Help a community developer! ;D

                      1 Reply Last reply Reply Quote 0
                      • D
                        danjeman
                        last edited by

                        Have updated looks ok so far except on the menus if you go to IPs then ACLs changes to Access Lists - will clear cache etc. and check again…

                        Don't believe sync has ever worked with the default 'Sync to configured system backup server' either - this is the log entry..

                        Apr 11 11:57:52 php-fpm 69222 /pkg_edit.php: [E2guardian] xmlrpc sync is enabled but there is no system backup hosts to push squid config.
                        Apr 11 11:57:52 php-fpm 69222 /pkg_edit.php: Reloading E2guardian

                        Every other package syncs fine with this setting.

                        1 Reply Last reply Reply Quote 0
                        • S
                          Stewart
                          last edited by

                          @marcelloc:

                          Unselect any autentication, save and apply(and maybe restart the service). The small documentation on proxy-header says that you must select a http header field to identify as users, and then add them on groups

                          
                          # Proxy-header auth plugin
                          # FredB August 2016
                          # Identifies users with header;
                          # relies upon the upstream proxy.
                          # Eg: in groups file
                          # Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0=filter3
                          # here:
                          # header = 'user-agent'
                          
                          

                          Is there a difference between "None" and not having any selected?

                          1 Reply Last reply Reply Quote 0
                          • S
                            Stewart
                            last edited by

                            With no authentication set I now get an Access Denied page from Squid.

                            When I access a page the Squid logs show:

                            1491926079.428      3 127.0.0.1 TCP_MISS/403 4185 GET http://forum.pfsense.com/ - HIER_NONE/- text/html
                            1491926079.455    248 127.0.0.1 TCP_MISS/403 4287 GET http://forum.pfsense.com/ - ORIGINAL_DST/127.0.0.1 text/html
                            1491926079.499      2 127.0.0.1 TCP_MEM_HIT/200 13066 GET http://localhost:3128/squid-internal-static/icons/SN.png - HIER_NONE/- image/png
                            1491926079.599      1 127.0.0.1 TAG_NONE/409 4118 CONNECT urs.microsoft.com:443 - HIER_NONE/- text/html
                            1491926079.601      1 127.0.0.1 TAG_NONE/409 4118 CONNECT urs.microsoft.com:443 - HIER_NONE/- text/html
                            

                            /var/log/e2guardian/access.log shows:

                            2017.4.11 13:29:04 - 192.168.1.100 http://forum.pfsense.com/  GET 3849 0  1 403 text/html  Default   - -
                            2017.4.11 13:29:04 - 192.168.1.100 https://urs.microsoft.com:443  CONNECT 4118 0  1 200 -  Default   - -
                            2017.4.11 13:29:04 - 192.168.1.100 https://urs.microsoft.com:443  CONNECT 4118 0  1 200 -  Default   - -
                            
                            

                            No matter what page I go to, I get those same 5 lines.  The first 2 vary depending on where I go but the last 3 are exactly the same.  If I point directly to the Squid proxy port then pages load.  If I pass through transparently then it works.  If I point to the port 8080 for e2guardian it fails.  I've gone back and undone the changes I made to proxy-header.conf and everything loads properly now.  I've deselected all auth plugins on the General page.

                            EDIT:  Well, not every time.  I also get

                            1491928118.800 86400440 192.168.1.157 TAG_NONE/200 0 CONNECT 216.58.218.2:443 - HIER_NONE/- -
                            1491928118.800 86400301 192.168.1.157 TAG_NONE_TIMEDOUT/409 0 CONNECT pagead2.googlesyndication.com:443 - HIER_NONE/- text/html;charset=utf-8
                            
                            

                            EDIT 2:  Here's my config:

                            forcequicksearch = off
                            reverseaddresslookups = off
                            reverseclientiplookups = off
                            logclienthostnames = off
                            createlistcachefiles = on
                            prefercachedlists = off
                            maxcontentfiltersize = 256
                            maxcontentramcachescansize = 1000
                            maxcontentfilecachescansize = 2000
                            filecachedir = '/tmp'
                            deletedownloadedtempfiles = on
                            initialtrickledelay = 20
                            trickledelay = 20
                            downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/fancy.conf'
                            downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/trickle.conf'
                            downloadmanager = '/usr/local/etc/e2guardian/downloadmanagers/default.conf'
                            contentscannertimeout = 60
                            contentscanexceptions = off
                            mapauthtoports = off
                            recheckreplacedurls = off
                            forwardedfor = off
                            usexforwardedfor = off
                            logconnectionhandlingerrors = on
                            logsslerrors = off
                            logchildprocesshandling = off
                            maxchildren = 120
                            minchildren = 8
                            minsparechildren = 8
                            preforkchildren = 10
                            maxsparechildren = 64
                            maxagechildren = 500
                            maxips = 0
                            ipcfilename = '/tmp/.dguardianipc'
                            urlipcfilename = '/tmp/.dguardianurlipc'
                            ipipcfilename = '/tmp/.dguardianipipc'
                            nodaemon = off
                            nologger = off
                            logadblocks = off
                            loguseragent =
                            daemonuser = 'clamav'
                            daemongroup = 'nobody'
                            softrestart = on
                            cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                            caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                            certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                            generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'
                            
                            
                            1 Reply Last reply Reply Quote 0
                            • P
                              pfsensation
                              last edited by

                              Wanted to say, thanks for bringing this project back alive. Been waiting an extremely long time for E2 Guardian, as it seems to tick all my boxes in being able to scan HTTPS traffic properly, without having to rely on a black list or DNS based blocking. Most people don't seem to understand the importance of HTTPS scanning, even knowing that there's always new proxies, and websites coming along to bypass blocks.

                              How is the status of the package now? I see Stewart is saying that it isn't working, is it working for everyone else?

                              1 Reply Last reply Reply Quote 0
                              • marcellocM
                                marcelloc
                                last edited by

                                I've tested normal proxy and SSL interception. Did not started testing authentication and antivirus integration

                                Treinamentos de Elite: http://sys-squad.com

                                Help a community developer! ;D

                                1 Reply Last reply Reply Quote 0
                                • S
                                  Stewart
                                  last edited by

                                  @pfsensation:

                                  Wanted to say, thanks for bringing this project back alive. Been waiting an extremely long time for E2 Guardian, as it seems to tick all my boxes in being able to scan HTTPS traffic properly, without having to rely on a black list or DNS based blocking. Most people don't seem to understand the importance of HTTPS scanning, even knowing that there's always new proxies, and websites coming along to bypass blocks.

                                  How is the status of the package now? I see Stewart is saying that it isn't working, is it working for everyone else?

                                  I've wiped the box I was having problems with and will go back to testing once my other projects simmer down since I couldn't ever get it to work properly.  I'll report back here once I get back on it.

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    pfsensation
                                    last edited by

                                    So I got this setup at basic level, and have got a phrase list up. However, how do I get it to scan HTTPS sites? I have a phrase list up for pornography, and it seems to be working for http sites but not HTTPS. And now it seems more and more websites are moving to HTTPS.

                                    I am purely trying to test the phrase matching system, and make sure that this system is able to block those sites.

                                    1 Reply Last reply Reply Quote 0
                                    • marcellocM
                                      marcelloc
                                      last edited by

                                      Create the CA on pfSense
                                      apply it on e2guardian config
                                      Install ca certificate on browser

                                      Treinamentos de Elite: http://sys-squad.com

                                      Help a community developer! ;D

                                      1 Reply Last reply Reply Quote 0
                                      • S
                                        Stewart
                                        last edited by

                                        @marcelloc:

                                        Create the CA on pfSense
                                        apply it on e2guardian config
                                        Install ca certificate on browser

                                        I thought it could be done transparently in e2Guardian.  Is that not so?

                                        1 Reply Last reply Reply Quote 0
                                        • P
                                          pfsensation
                                          last edited by

                                          @marcelloc:

                                          Create the CA on pfSense
                                          apply it on e2guardian config
                                          Install ca certificate on browser

                                          Got it working by setting "Filter SSL sites forging SSL certificates" on group settings. However I am getting a error saying common name invalid on chrome, its working on Edge and Internet Explorer. Also, is there anyway to modify the block page? The standard DansGuardian one looks pretty terrible.

                                          1 Reply Last reply Reply Quote 0
                                          • marcellocM
                                            marcelloc
                                            last edited by

                                            @Stewart:

                                            I thought it could be done transparently in e2Guardian.  Is that not so?

                                            I don't think so. To anylize the page content, it needs to be in the middle. The splice all feature on squid, if I'm not worng, extracts sites included on remote ip certificate and check against acls, no interception at all is done this way.

                                            Treinamentos de Elite: http://sys-squad.com

                                            Help a community developer! ;D

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.