Unofficial E2guardian package for pfSense
-
Can you place the file in a more user friendly folder name?
You can also reinstall the package. On my test vm I have no erros on this file.
Reinstall you mean to execute install_e2guardian_23.sh again? That should overwrite all the files? Or should I remove e2g from /usr/local/pkg?
-
After I created another Group I see this errors:
May 25 19:17:16 e2guardian 70838 Error opening sslsiteregexplist
May 25 19:17:16 e2guardian 70838 Error reading file /usr/local/etc/e2guardian/lists/sslsiteregexplist.g_Authenticated: No such file or directoryThe file in fact does not exist.
The Group use the "Default" ACL which has SSL Regex disabled, so why is looking for the file?Looking in the lists folder I see that the other *.g_Authenticated files were created maybe all of them except the sslsiteregexplist.
-
-
I have something missing between e2g and squid.
I activated squid authentication against local table and enabled Proxy-Basic in e2g, but web browsers are not asking for user/pass.What can I provide to get help?
Just to add some info:
I added a second Group ("Authenticated") (copy of Default group but different name). Added 1 user to the new group ("test").
Default Group has no users assigned.Trying to solve the problem by myself made squid listen on LAN interface only and set e2g to parent proxy 192.168.1.1 (pfsense/squid LAN IP) to see if Authentication happen to be on LAN interface.
Did nmap -p3128 192.168.1.1 and it found the port open and squid as service.
Squid refused the e2g connection. Set back squid to listen on loopback and e2g to parent proxy default (empty / 127.0.0.1), then connection was successful.
So still web browsers pass without asking user/pass.
-
but I'll test on a fresh 2.3.4 install too.
I did a fresh install, installed cron package from gui and then e2guardian from console, configured shalist and waited short time until it was downloaded and applied, after it, configured some gui options, saved and applied config. Service is running fine.
-
So still web browsers pass without asking user/pass.
I'm installing squid to do some authentication tests
-
So still web browsers pass without asking user/pass.
I'm installing squid to do some authentication tests
Thanks. Without authentication the Groups are not really used.
-
Thanks. Without authentication the Groups are not really used.
METHOD 1(sandwich mode)
on e2guardian,
-
select tinyproxy as parent proxy (127.0.0.1:8888)
-
create a second group and include a user on it
-
on general tab, Selected proxy-basic and proxy digest
-
save, apply
on squid,
-
configured local authentication
-
create a test/lab user
-
configured remote cache with e2guardian ip, port peer type parent method round-robin and proxy only
-
save
METHOD 2
on e2guardian,
-
select squid not on loopback as parent proxy (192.168.0.38:3128)
-
create a second group and include a user on it
-
on general tab, Selected proxy-basic, proxy-ntml(maybe optional) and proxy-digest
-
save, apply
on squid,
-
listen squid on lan interface
-
configure local authentication
-
create a test/lab user
-
save
with these setups, I have users under e2guardian logs
-
-
Thanks. Without authentication the Groups are not really used.
METHOD 1(sandwich mode)
on e2guardian,
-
select tinyproxy as parent proxy (127.0.0.1:8888)
-
created a second group and included lab user on it
-
on general tab, Selected proxy-basic and proxy digest
-
save, apply
on squid,
-
configured local authentication
-
created a lab user
-
configured remote cache with e2guardian ip, port peer type parent method round-robin and proxy only
METHOD 2
on e2guardian,
-
select squid not on loopback as parent proxy (192.168.0.38:3128)
-
created a second group and included lab user on it
-
on general tab, Selected proxy-basic, proxy-ntml(maybe optional) and proxy-digest
-
save, apply
on squid,
-
configured local authentication
-
created a lab user
with these setups, I have users under e2guardian logs
I tried method two, but selecting only proxy-basic. Set the ip of the squid/proxy which is 192.168.1.1 (the same as e2g and pfsense - they are on same server/box).
But did not work. e2g could not connect to squid for some weird reason.
Tried again, but now I set both IP and port of squid even if port was default value. This time worked.
-
-
Try a service stop/start and try to watch the traffic with tcpdump.
You can also test on console if a telnet in squid port connects.
-
I am still missing the fix to the sslsiteregexplist.g_Authenticated: No such file or directory error.
I think the error is some missing code for the ssl regex section, because looking the folder the other *.g_Authenticated files are being created.
I guess I can create the file manually as a work around, but I prefer that this is solved in the code.
-
I'll test again with the ssl inspection enabled to see if still has something to fix.
-
I am still missing the fix to the sslsiteregexplist.g_Authenticated: No such file or directory error.
Got the same error with the subsequent groups. I'll check the code to see what is wrong and tell you when it's fixed.
-
I am still missing the fix to the sslsiteregexplist.g_Authenticated: No such file or directory error.
fetch the e2guardian.inc file again via ssh, edit and save config and see if it's finally fixed
fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian/files/usr/local/pkg/e2guardian.inc -
I am still missing the fix to the sslsiteregexplist.g_Authenticated: No such file or directory error.
Got the same error with the subsequent groups. I'll check the code to see what is wrong and tell you when it's fixed.
Is good that you could replicate the problem.
Thank you for your efforts.
-
I am still missing the fix to the sslsiteregexplist.g_Authenticated: No such file or directory error.
fetch the e2guardian.inc file again via ssh, edit and save config and see if it's finally fixed
fetch -o /usr/local/pkg/e2guardian.inc https://raw.githubusercontent.com/marcelloc/Unofficial-pfSense-packages/master/pkg-e2guardian/files/usr/local/pkg/e2guardian.incDone.
It worked. File was created in the folder and was found.
Thank you again.
This was a minor error but I guess the pfsense people are being critical and that is why it is still not on the pfsense repo.
-
Thank you for your efforts.
Except for the clamav integration and coexistence with squid setup(I did not had time to test yet), I'm running e2Guardian with ssl interception(facebook, youtube videos), authentication and non-sandwich mode.
E2guardian 3.5.1 with 4.1 backport cert fix is working really nice. 8)
-
Thank you for your efforts.
Except for the clamav integration and coexistence with squid setup(I did not had time to test yet), I'm running e2Guardian with ssl interception(facebook, youtube videos), authentication and non-sandwich mode.
E2guardian 3.5.1 with 4.1 backport cert fix is working really nice. 8)
In my opinion is ready for a version 1.0 in the pfsense repo. In my case I feel already have the features I need for production.
-
If you need wpad or planning to test, I've finished a package for it on my repo.
-
If you need wpad or planning to test, I've finished a package for it on my repo.
I use wpad but do not use it for "Auto detect" proxy, because Windows OS machines have a bug that fail to auto detect successfully. They do download the wpad file but they do not update the file correctly. They have a registry key/value that is set the first time with the wpad file if any found, but latter if the wpad changes or is found, the registry key fails to be updated. It is easier to create a Domain gpo setting the wpad.
It would be nice to be able to download directly from pfsense box instead to have other web server to serve it.