Unofficial E2guardian package for pfSense
-
EDIT: SSL interception isn't working.
Some config changes on this 4.1 are "asking" for a service restart.
I'm using ssl interception, with basic authentication and the custom html error page working
Do I need to edit that : /usr/local/openssl/openssl.cnf ?
No. That message is from the bsd package. Not related to e2guardian.
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all. Some configs seem to not load up correctly in the GUI until I saved them again, then their correct metadata loaded. I also tried rebooting etc. Didn't fix the SSL issue.
-
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all.
I'll set ip Authentication to see if I get same result.
I'm using squid as parent proxy to be able to use it's authentication.
-
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all.
I'll set ip Authentication to see if I get same result.
I'm using squid as parent proxy to be able to use it's authentication.
I'm also using Squid as a parent proxy, but no extra authentication on that. It's acting quite strange, but I definitely do feel that web pages are snappier. It doesn't feel like everything is going through a proxy anymore. And memory usage so far has dropped by 15% for me, not sure if that's because of SSL issue though.
-
I can't reproduce the issue here. :(
I got ip authentication, correct group, ssl interception and deny pages.
I've unselected soft restart on general tab and also did a restart few seconds after apply config.
-
I'm using IP Authentication and SSL interception / forging doesn't seem to work at all.
Did you enabled ssl on general tab?
It's a new option introduced on 4.1
-
Did you enabled ssl on general tab?
It's a new option introduced on 4.1
DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).
It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O
Thanks a lot Marcello for your hard work and effort! Hats off to you! :)
-
DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).
It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O
Thanks a lot Marcello for your hard work and effort! Hats off to you! :)
GREAT!!!! 8) If we can confirm it's working better and faster, I'll remove soon the 3.5.1 package from Unofficial repo and wait for a 4.1.1 release to update Freebsd ports repo.
-
DAMNIT! That was it. For some reason before, that option didn't show / or I might have missed it (forgive me it's 2:32am in London).
It really does seem a lot faster, and some programs which were giving some trouble before with SSL interception. Seem to be working now. :O
Thanks a lot Marcello for your hard work and effort! Hats off to you! :)
GREAT!!!! 8) If we can confirm it's working better and faster, I'll remove soon the 3.5.1 package from Unofficial repo and wait for a 4.1.1 release to update Freebsd ports repo.
Sure, but before you do, maybe you should add some code to re-initialise those config files people already have. Because it needs to adjust to the new layout and grab that meta data. Not sure if any of it causes a big deal though.
Here's an example of what data didn't load before "re-saving" the group configs:
Also, is there a way to cache HTTPS content through Squid using E2Guardian? Squid still has that issue with Subject Alternative Name, and it cannot do the interception anymore as that function is broken. Since E2Guardian is able to do it, and it works correctly. Is there a quick way to get this to work? I got a 140GB hard drive in my box, may as well make full use of it. :P
-
Squid still has that issue with Subject Alternative Name, and it cannot do the interception anymore as that function is broken.
I did not know that. You mean current ssl splice all feature?
Sure, but before you do, maybe you should add some code to re-initialise those config files people already have
Most config until now can be kept but e2guardian is improving/changing the config structure a lot between versions.
Here's an example of what data didn't load before "re-saving" the group configs:
This is just cosmetic. It does not affect config files at all.
Also, is there a way to cache HTTPS content through Squid using E2Guardian?
Not sure. But you can try to disable server certificate check and enable squid interception too.
-
Not sure. But you can try to disable server certificate check and enable squid interception too.
I tried that, didn't seem to work. Maybe you can have a look at that when you have time. To clarify, Squid cannot create forged certificates that Chrome, Firefox, or any modern app will really accept. Since the code hasn't been updated to comply with RFC, afaik. It doesn't provide the Subject Alternative Name in the certificate, only provides "common name".
I meant, since E2Guardian is able to create certificates which are accepted and complies with RFC. Maybe we can still cache it using Squid, not sure if it's possible but should be since it's the parent proxy. But I guess this is something that will need to be looked into, it probably will have to anyways so that caching can work without conflicing with Squid (if Squid gets updated to work properly with SAN). In addition, I get the feeling, most people would be using E2Guardian with Squid anyways, so it makes sense to make full use of this setup.
Playing around with 4.1, it really does seem so much faster. I can't even tell there's a proxy in between, until I try going to a blocked site and see the blocked page. However, I have uncovered one bug so far. It's that SSL regex under "Site Lists" tab, doesn't seem to be working. I was using it to enforce YouTube restricted mode for kids / guests. While allowing it for certain users. It's something I can live with for now though. But nevertheless, it's a bug to be noted/checked, I guess.
-
Hmm, had two crashes so far using 4.1 since yesterday. I'd recommend everyone hold out for a bit for everything to stabilise before updating.
Unfortunately I wasn't able to capture any meaningful information, except this crash log. Only things I implemented was the WPAD and the new E2Guardian update since yesterday. And I have suspicions that it maybe E2Guardian.https://ybin.me/p/e151f6a30f575c86#bQ6m4FCp/t6wWPLfFblyNmknhsZUXF0riaC3GJIlBBk=
-
how many users connected?
-
how many users connected?
Just a handful to be honest. For now only 4 devices doing MITM, and another 3 without MITM. It's a home environment so, not that big of a load. My machine load averages are barely going past 0.20, considering what I have running and this is a dual core machine. Pretty much same exact setup minus WPAD package on 3.5.1, barely any hiccups at all after initial setup. I was able to run it for over a week without a single issue.
With 4.1, today everything suddenly started loading super slow. I restarted the service, and everything was well again. Leading me to believe this is an issue with 4.1. Have you had a chance at all to take a look at why the SSL regex wasn't working?
For now, I'm glad 4.1, at least runs on pfSense, I'm just worried about the stability. Obviously I am running this at home, so some downtime isn't that big of a deal. But others may use it in their business or something. Especially as there is no filtering solution for pfSense which supports MITM anymore. SquidGuard doesn't work. -
Have you had a chance at all to take a look at why the SSL regex wasn't working?
I've tested th sslregex with youtube today. worked fine(with the restart service after apply).
#SSL site modifying Regular Expressions # Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
I'll test on a big environment next week, about 720 workstations. Hope it goes fine.
Especially as there is no filtering solution for pfSense which supports MITM anymore. SquidGuard doesn't work.
That's true. My test machines did not crashed any time but it's a single user with multiple tab test.
Can you test it on 2.4 beta too?
-
I've tested th sslregex with youtube today. worked fine(with the restart service after apply).
#SSL site modifying Regular Expressions # Enforce restricted mode in YouTube # "(^https://www.youtube.com)"->"https://restrict.youtube.com" "(^https://m.youtube.com)"->"https://restrict.youtube.com" "(^https://youtubei.googleapis.com)"->"https://restrict.youtube.com" "(^https://youtube.googleapis.com)"->"https://restrict.youtube.com" "(^https://www.youtube-nocookie.com)"->"https://restrict.youtube.com" #
It seems I've run into the same problem lol. For Youtube Restricted mode, I've created a separate config so I can easily switch it on and off as required on a per group basis. It didn't work before, however, now after saving that config again, and restarting. It seems to be functioning as expected. Currently I am unaware of if these weird things are happening because I upgraded E2Guardian over SSH, or not, as no one else seems to have replied regarding the update yet.
I'll test on a big environment next week, about 720 workstations. Hope it goes fine.
Awesome! Let us know how it goes!
Can you test it on 2.4 beta too?
Unfortunately, I'll be unable to test this thoroughly as I need my home network running. And I don't believe I can test long enough or simulate proper real world load in a virtual setup, since the crashes don't happen immediately and often take a couple of hours.
I've just had my E2Guardian service stop again, here's the errors I managed to catch this time around in the logs.
2 21:22:55 e2guardian 573 Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf Jun 2 21:26:50 check_reload_status Linkup starting re0 Jun 2 21:26:50 kernel re0: link state changed to DOWN Jun 2 21:26:51 check_reload_status Reloading filter Jun 2 21:28:31 php-fpm 68338 /index.php: Successful login for user 'admin' from: 172.16.1.1 Jun 2 21:50:35 php-fpm 89081 /index.php: Successful login for user 'admin' from: 172.16.1.8 Jun 2 21:52:24 php-fpm 81052 /pkg_edit.php: Reloading E2guardian Jun 2 21:53:27 pfsense.kortex nginx: 2017/06/02 21:53:27 [error] 23127#100120: *93 open() "/usr/local/www/vendor/datatable/css/jquery.dataTables.min.css" failed (2: No such file or directory), client: 172.16.1.8, server: , request: "GET /vendor/datatable/css/jquery.dataTables.min.css HTTP/1.1", host: "pfsense.kortex", referrer: "https://pfsense.kortex/e2guardian_about.php" Jun 2 21:53:27 pfsense.kortex nginx: 2017/06/02 21:53:27 [error] 23127#100120: *93 open() "/usr/local/www/vendor/datatable/css/jquery.dataTables.min.css" failed (2: No such file or directory), client: 172.16.1.8, server: , request: "GET /vendor/datatable/css/jquery.dataTables.min.css HTTP/1.1", host: "pfsense.kortex", referrer: "https://pfsense.kortex/e2guardian_about.php"
Seems like there's missing web config files? pfSense.kortex leads to 172.16.1.1 which is my pfsense box.
I'm also getting the errors below from nginx, I'm guessing it's due to the WPAD package?
Jun 2 21:22:50 nginx 2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use) Jun 2 21:22:50 nginx 2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use) Jun 2 21:22:50 nginx 2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use) Jun 2 21:22:50 nginx 2017/06/02 21:22:50 [emerg] 98077#100105: bind() to 172.16.1.1:80 failed (48: Address already in use)
I have followed all your installation notes, and have configured it as it's meant to be. I have changed the webconfig port to HTTPS (443) then turned off WebGUI redirection. However… I do have a NAT rule redirecting HTTP traffic through E2Guardian, as it doesn't have this function automatically. Since it doesn't seem practical to fumble around with user authentication and CA's if friends and family come along.
EDIT: Found out how to reproduce the issue and make E2Guardian crash. I am using IP based authenticated since this is a home network and I want things as simple as possible. For all members of the family, and close relatives, they have been given a static IP and have been assigned to a group. However, if anyone else that hasn't specifically been assigned to a group tries to access a blocked site, E2Guardian crashes.
Aren't unauthenticated users meant to be assiged to the default group? That's how it was in 3.5.1?
How did I test this?
On my phone from time to time, I change my mac address in order to simulate a guest device without a assigned group, and to test the default group ACL's. As soon as I go to any blocked site using that, E2Guardian crashes. Furthermore, in the block page it doesn't even show the group as "Default". Am I going to have to manually put in like 200 guest IP's into the Default group IP tab? This worked perfectly before without any issues.In case you are wondering… This is what appears on the logs when this all happens:
Jun 3 00:33:46 kernel pid 7075 (e2guardian), uid 106: exited on signal 11 Jun 3 00:35:03 e2guardian 23849 Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf Jun 3 00:35:04 kernel pid 24676 (e2guardian), uid 106: exited on signal 11 Jun 3 00:35:11 check_reload_status Syncing firewall Jun 3 00:35:11 php-fpm 23959 /pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no Jun 3 00:35:12 check_reload_status Syncing firewall Jun 3 00:35:14 php-fpm 24910 /pkg_edit.php: Starting E2guardian Jun 3 00:35:14 php-fpm 37347 /pkg_edit.php: Reloading E2guardian Jun 3 00:35:18 e2guardian 37162 Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf Jun 3 00:35:19 kernel pid 44972 (e2guardian), uid 106: exited on signal 11 Jun 3 00:35:37 e2guardian 49484 Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf Jun 3 00:35:44 kernel pid 49895 (e2guardian), uid 106: exited on signal 11 Jun 3 00:36:10 check_reload_status Syncing firewall Jun 3 00:36:10 php-fpm 49681 /pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no Jun 3 00:36:11 check_reload_status Syncing firewall Jun 3 00:36:13 php-fpm 72183 /pkg.php: Starting E2guardian Jun 3 00:36:15 php-fpm 83374 /pkg.php: Reloading E2guardian Jun 3 00:36:17 e2guardian 83358 Reporting_level is : 0 file /usr/local/etc/e2guardian/e2guardianf3.conf Jun 3 00:36:30 kernel pid 92522 (e2guardian), uid 106: exited on signal 11 Jun 3 00:36:38 check_reload_status Syncing firewall Jun 3 00:36:38 php-fpm 83374 /pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no Jun 3 00:36:38 check_reload_status Syncing firewall Jun 3 00:36:42 check_reload_status Syncing firewall Jun 3 00:36:42 php-fpm 96436 /pkg_edit.php: [E2guardian] - Save settings package call pr: bp: rpc:no Jun 3 00:36:43 check_reload_status Syncing firewall Jun 3 00:36:44 php-fpm 99121 /pkg_edit.php: Starting E2guardian
EDIT 2: Tried manually adding my spoofed MAC address IP to the default group. And I still ended up with a crash. Even after a reinstallation… :(
Now I've created a new group and added the entire range of IP's excluding the ones already in a group, that didn't seem to do the trick either. I guess I actually manually have to input those IP's?**EDIT 3: After some even more digging… I found out that it wasn't related to the IP's or ranges being input into E2Guardian. I narrowed the issue being down the the IP having to be in the same subnet, if it's outside then it will cause E2Guardian to crash.
For example my DHCP range is from 172.16.1.2-172.16.2.255. Any 2.x IP, going to any block page would cause E2Guardian to crash. This was not the behaviour in 3.5.1, no such issue. I forced my IP to be 172.16.1.50 and this time E2Guardian didn't crash on the block page which 100% confirms this.**
I give up lol… Made my range only one subnet. And now having the issue again. What kinda weird bug is this? It seems very likely that it's a problem with the authentication. Since it ONLY crashes when the devices "group" cannot be found. And it doesn't automatically put that device in the default group or anything.
-
This missing files on about page should not be therw. It's from postfix package I'll fix it.
The socket already in use is a service recall pfSensedo on wpad every config save. I'll try to ignore these calls from system and restart only from gui save.
-
This missing files on about page should not be therw. It's from postfix package I'll fix it.
The socket already in use is a service recall pfSensedo on wpad every config save. I'll try to ignore these calls from system and restart only from gui save.
Check my edit, I have found a way to reproduce the crashes of E2Guardian easily.
-
Check my edit, I have found a way to reproduce the crashes of E2Guardian easily.
I've update my ports with current e2guardian code and removed the debug patches I've created while was trying to fix ILLEGAL INSTRUCTION bug we found before.
At least on 2.4 it's stable. I"ll update the binaries to 2.3 and also fix the about page.
-
pkg version 0.1.1 updates for 2.3 and 2.4 8)
No crashes on my tests until now.
-
pkg version 0.1.1 updates for 2.3 and 2.4 8)
No crashes on my tests until now.
I've upgraded to your latest package and I'm on pfsense 2.3.4, I'm still getting those crashes. :(
Have you been able to recreate the issue? Why is it giving so many issues on 2.3.4 if it works fine on 2.4?
Have you tried using multiple IP's? Currently I've assigned every single IP in my dhcp range to a group and I'm still having problems.Could it be something related to my custom block page? Since it also shows filtergroup, host name and IP address? I posted the source code here. I'll have to try with the default page later on and see if that makes a difference. Although I don't think that's the cause.