• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Unofficial E2guardian package for pfSense

Cache/Proxy
70
1.2k
1.4m
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • E
    exograpix
    last edited by May 4, 2017, 4:09 PM

    Thanks marcelloc for your effort, if possible, please provide us exact steps to install and configure for e2guardian. guide will be highly appreciated.

    1 Reply Last reply Reply Quote 0
    • P
      pfsensation
      last edited by May 4, 2017, 10:17 PM May 4, 2017, 10:02 PM

      @exograpix:

      Thanks marcelloc for your effort, if possible, please provide us exact steps to install and configure for e2guardian. guide will be highly appreciated.

      Basic setup is explained in OP and on Github.

      @Marcelloc, the search engine tab is still broken in the GUI D:  However, wanted to say hats off to you man! Just got this setup in my home environment, no longer in VM. I've only got it setup basically with domain blocking now. I know phrase lists work since I tested in a virtual environment, I will set that up too when I understand how it properly works. As the algorithm of how the system decides a website is good or bad + the options available is slightly overwhelming.

      1 Reply Last reply Reply Quote 0
      • P
        pfsensation
        last edited by May 7, 2017, 9:12 PM May 5, 2017, 8:14 PM

        @marcelloc:

        e2guardian v 4.1 is stable now. I'll start updating the package for this new version.

        Looks like it will not need anymore changes on SO to allow more then 1024 clients. On current compiled version I've set it to 4096 IIRC.

        https://github.com/e2guardian/e2guardian/releases

        Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY  ;) ;)

        Edit: Can't seem to update PfSense after installing this. Is it something to do with the repo? PfSense says it's up to date and on the latest version (2.3.3_1) when 2.3.4 is out.

        1 Reply Last reply Reply Quote 0
        • M
          Morlac
          last edited by May 8, 2017, 7:51 PM

          Hello,

          Regarding the missed up search engine tab, in pkg_e2guardian_search_acl.xml around line 100 ~ 104, the <field>is miss spilled as <felid>or something like that.
          Easily fixed but have no idea how to push back the fix :(
          Thanks.</felid></field>

          1 Reply Last reply Reply Quote 0
          • M
            marcelloc
            last edited by May 8, 2017, 7:55 PM

            @Morlac:

            Hello,

            Regarding the missed up search engine tab, in pkg_e2guardian_search_acl.xml around line 100 ~ 104, the <field>is miss spilled as <felid>or something like that.
            Easily fixed but have no idea how to push back the fix :(
            Thanks.</felid></field>

            Thanks, I'll push that fix.  :)

            https://github.com/marcelloc/Unofficial-pfSense-packages/commit/dc5984bf0d04ead4cb1ea1afcbd325cd2c0098f4

            Treinamentos de Elite: http://sys-squad.com

            Help a community developer! ;D

            1 Reply Last reply Reply Quote 0
            • M
              marcelloc
              last edited by May 8, 2017, 8:00 PM

              @pfsensation:

              Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY  ;) ;)

              The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.

              Treinamentos de Elite: http://sys-squad.com

              Help a community developer! ;D

              1 Reply Last reply Reply Quote 0
              • M
                Morlac
                last edited by May 9, 2017, 11:27 AM

                Hello Again

                I thought to post this as well.
                Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)

                so far it is working nicely and Chrome does not complain anymore.

                NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.

                BR

                1 Reply Last reply Reply Quote 0
                • P
                  pfsensation
                  last edited by May 9, 2017, 11:28 AM

                  @marcelloc:

                  @pfsensation:

                  Thank you again for all your hard work, I look very forward to the update! Could you have a look at the issue with the search engine tab also? According to this : https://github.com/e2guardian/e2guardian/issues/216 issues with E2Guardian and Google Chrome should be fixed so which means I can finally enable MITM and get full protection! YAY  ;) ;)

                  The code is not running that stable on FreeBSD. I've opened a ticket on e2guardian project and sending them information to get it stable on freebsd too.

                  Yeah I just saw it on Github, thanks for the amazing work once again!

                  However did you look into my issue? I'm unable to update pfsense after installing E2 Guardian, or do I have to uninstall it? When I try updating it just says up to date when it's a version behind the latest release.

                  1 Reply Last reply Reply Quote 0
                  • P
                    pfsensation
                    last edited by May 9, 2017, 11:31 AM

                    @Morlac:

                    Hello Again

                    I thought to post this as well.
                    Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)

                    so far it is working nicely and Chrome does not complain anymore.

                    NOTE: While compiling on FreeBSD, I had to fix the '-lresolv' library not found problem since FreeBSD does not have this library. This is only valid when you want DNSAuthentication.

                    BR

                    How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.

                    Edit: I have already generated a CA and set it in the general tab.

                    1 Reply Last reply Reply Quote 0
                    • M
                      Morlac
                      last edited by May 9, 2017, 12:07 PM

                      @pfsensation:

                      How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.

                      Edit: I have already generated a CA and set it in the general tab.

                      yes, I generated a CA and then installed it office wide.
                      From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.

                      Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.

                      In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
                      cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                      caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                      certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                      generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

                      In e2guardianf1.conf, I made sure the following are configured:
                      reportinglevel = 3
                      ssldeniedrewrite = 'on'
                      htmltemplate = 'template.html'

                      the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.

                      sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'

                      sslmitm = on

                      Other than, all defaults really.
                      Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.

                      BR

                      1 Reply Last reply Reply Quote 0
                      • P
                        pfsensation
                        last edited by May 9, 2017, 1:02 PM

                        @Morlac:

                        @pfsensation:

                        How exactly have you got it setup? I'm running into difficulties with MITM again. Have you setup ssl inspection in squid at all? Or you just set it up on E2G, if so which options did you change? Since I tried it using group settings before.

                        Edit: I have already generated a CA and set it in the general tab.

                        yes, I generated a CA and then installed it office wide.
                        From the pfSense, I used marcelloc install script to prepare everything installing TinyProxy along the way. Not using squid yet, but plan on once I full test the setup. I really need the caching ability of squid.

                        Configuration is a bit messy since some SSL/MITM options are not available in the GUI. I did everything I needed from the GUI i.e. blocking some site, installing blacklists…etc then went on to edit the config files manually to enable MITM.

                        In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
                        cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                        caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                        certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                        generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

                        In e2guardianf1.conf, I made sure the following are configured:
                        reportinglevel = 3
                        ssldeniedrewrite = 'on'
                        htmltemplate = 'template.html'

                        the sslsiteregexplist file did not exist so I Created an empty one... not sure if its needed or not.

                        sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'

                        sslmitm = on

                        Other than, all defaults really.
                        Previously, MITM was working nice in IE 11 but Chrome complained and refused to work without policy changes. So I compiled the E2G 3.5.1 with the certificate generation code from v4.1 and Chrome is happy now.

                        BR

                        Thank you very much for that detailed explanation bro. Perhaps since 4.1 isn't stable enough on FreeBSD yet, maybe Marcelloc could update his package to add the Chrome SAN patch and make it possible to fully configure SSL mitm from the GUI. However I will try enabling it manually like you did. Unfortunately,  what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.

                        1 Reply Last reply Reply Quote 0
                        • B
                          Bismarck
                          last edited by May 9, 2017, 1:32 PM

                          @pfsensation:

                          However I will try enabling it manually like you did. Unfortunately,  what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.

                          Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:

                          https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776

                          1 Reply Last reply Reply Quote 0
                          • M
                            marcelloc
                            last edited by May 9, 2017, 2:31 PM May 9, 2017, 2:25 PM

                            @Morlac:

                            Hello Again

                            I thought to post this as well.
                            Since a lot of people are interested in getting MITM working with Chrome 58, I copied the CertificateAuthority.cpp & CertificateAuthority.hpp from version 4.1 to e2guardian v3.5.1 and compiled again (replace the v3.5.1 files with the ones from V4.1)

                            I'm buiding it with these changes and 4096 max clients util 4.1 is fine on FreeBSD . Thanks for the contribution.

                            EDIT: Done
                            https://github.com/marcelloc/Unofficial-pfSense-packages/commit/36678fe4cb3868065f5f84d90796c76fe515045c

                            Treinamentos de Elite: http://sys-squad.com

                            Help a community developer! ;D

                            1 Reply Last reply Reply Quote 0
                            • M
                              marcelloc
                              last edited by May 9, 2017, 3:29 PM

                              @Morlac:

                              In e2guardian.conf, the following is checked (these should be done automatically for you when you enable/save the settings in the GUI):
                              cacertificatepath = '/etc/ssl/demoCA/cacert.pem'
                              caprivatekeypath = '/etc/ssl/demoCA/private/cakey.pem'
                              certprivatekeypath = '/etc/ssl/demoCA/private/serverkey.pem'
                              generatedcertpath = '/usr/local/etc/e2guardian/ssl/generatedcerts'

                              In e2guardianf1.conf, I made sure the following are configured:
                              reportinglevel = 3
                              ssldeniedrewrite = 'on'
                              htmltemplate = 'template.html'

                              the sslsiteregexplist file did not exist so I Created an empty one… not sure if its needed or not.

                              sslsiteregexplist = '/usr/local/etc/e2guardian/lists/sslsiteregexplist'

                              sslmitm = on

                              Also included on package
                              https://github.com/marcelloc/Unofficial-pfSense-packages/commit/f83a44d1ef96ec2a81d785ac6695072c9aa99e8d

                              Treinamentos de Elite: http://sys-squad.com

                              Help a community developer! ;D

                              1 Reply Last reply Reply Quote 0
                              • P
                                pfsensation
                                last edited by May 9, 2017, 4:08 PM

                                @Bismarck:

                                @pfsensation:

                                However I will try enabling it manually like you did. Unfortunately,  what I'm most worried about at the minute is the fact that pfsense doesn't update after installing E2G. I'm stuck on 2.3.3.

                                Just in case you have problems to update to 2.3.4-RELEASE because of bugged pkg:

                                https://forum.pfsense.org/index.php?topic=130071.msg716776#msg716776

                                Thank you very much that small guide on fixing the issue. It's weird though, no one else seems to have reported it. I will try this out and see if my pfsense finally updates after I get back home.

                                1 Reply Last reply Reply Quote 0
                                • M
                                  marcelloc
                                  last edited by May 9, 2017, 4:12 PM

                                  @pfsensation:

                                  Have you already updated the package? Would love to get Chrome working with MITM.

                                  yes.  :)

                                  I'll start testing on my vm soon.

                                  Treinamentos de Elite: http://sys-squad.com

                                  Help a community developer! ;D

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    pfsensation
                                    last edited by May 9, 2017, 9:53 PM

                                    @marcelloc:

                                    @pfsensation:

                                    Have you already updated the package? Would love to get Chrome working with MITM.

                                    yes.  :)

                                    I'll start testing on my vm soon.

                                    Awesome!

                                    Is there a way to exclude URL's and IP's? For example in Squid we can set certain URL's/IP's to bypass the proxy altogether. This is useful in situations where apps have certificate pinning enabled and will not accept any other certification other than the one the developer has baked in.  Not sure if there's a way to do this already (maybe exclusions section?), but definitely need this when I do enable HTTPS MITM, since it is a home network and a lot of mobile devices will be on it.

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      pfsensation
                                      last edited by May 15, 2017, 9:28 PM May 15, 2017, 7:56 PM

                                      So I was looking through the source code of the smoothwall block page at my college, hoping that I could play around with it and tinker it a bit to work with E2Guardian at home just for the lulz or just see how modified it is from the Dansguardian it started from.

                                      I ended up finding a lot of interesting stuff such as how they optimise loading using base64 stuff, RegEx like code, and some interesting javascript implementations to load up a CA cert popup. In addition to that, adding code to increase compatibility with browsers and as such.
                                      Could you have a look through it Marcello, and see if anything useful could be extracted from this and used in E2Guardian? I've already managed to try things like base64 encoding with E2G logo, it does seem slightly quicker. For organisations where many devices and block pages are presented, this may help a tonne and speed things up while reducing load on the server.

                                      Link to source: https://ybin.me/p/f3e93b53881d53d1#wDDjXNWK8ThA//iIuYtOOJLkxDRPWN3ygvRSrVJgQbo=

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        marcelloc
                                        last edited by May 21, 2017, 3:08 AM

                                        @pfsensation:

                                        @marcelloc:

                                        @pfsensation:

                                        Have you already updated the package? Would love to get Chrome working with MITM.

                                        yes.  :)

                                        I'll start testing on my vm soon.

                                        Awesome!

                                        Is there a way to exclude URL's and IP's?

                                        You mean a do way to do not connect to e2guardian based on ip or hosts? If so, as package do not has a transparent proxy configuration implemented yet, you can do it on proxy configuration tab on your browser.
                                        If you create more then one group on e2guardian, you can do an ip based authentication, and allow some source ips to do not be filtered by your proxy rules.

                                        Treinamentos de Elite: http://sys-squad.com

                                        Help a community developer! ;D

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          marcelloc
                                          last edited by May 21, 2017, 3:13 AM

                                          @pfsensation:

                                          Could you have a look through it Marcello, and see if anything useful could be extracted from this and used in E2Guardian?

                                          Sure. I'll se it as soon as possible. Thank's for the contribution.  :)

                                          Treinamentos de Elite: http://sys-squad.com

                                          Help a community developer! ;D

                                          1 Reply Last reply Reply Quote 0
                                          88 out of 1213
                                          • First post
                                            88/1213
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.