When you provide 3 auth plugins (for example) and only 2 filter_ports e2guardian
crash with a SYSSEGV.

Replace there {Dans,e2}guardian.

I'm using e2guardian (3.03) on debian 7.6
I've enabled 2 group. First Group named 'Standard' has got groupmode = 1.
The second group named 'VIP' has groupmode=2.

when a user of VIP group try to browse internet I've the following segfault:
kernel: [ 6535.277384] e2guardian[27594]: segfault at ef854f0 ip 000000000046b4ac sp 00007fff6d548890 error 4 in e2guardian[400000+a4000]

and the user is not able to open any pages.

If I set for VIP group the groupmode =1 all is working

Config problem; check allowed values for maxsparechildren
Error parsing the e2guardian.conf file or other e2guardian configuration files

But actually it was minchildren = 120 which was incorrect; setting it back to 64 made e2guardian to start. BTW, it would be nice to provide max values for maxchildren, minchildren, minsparechildren, etc in comments of e2guardian.conf.

The response from the server contained duplicate headers. This problem is generally the result of a misconfigured website or proxy. Only the website or proxy administrator can fix this issue. Error code: ERR_RESPONSE_HEADERS_MULTIPLE_LOCATION

Using IP auth with a temporary bypass link. Works in safari on OS X, But nowhere else.

Built with:  '--prefix=/usr' '--sysconfdir=/etc' '--localstatedir=/var' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' '--enable-email=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--with-filedescriptors=65536' 'CXXFLAGS=-DFD_SETSIZE=65536'

Custom block page: https://github.com/visd/e2guardian-install/blob/master/template.html

Wireshark capture: http://cl.ly/1o203j411z18 (Now with response)

Actually to increase maxchildren beyond the usual value a change in system file still needed

• Increase FD_SETSIZE -

The point is in FatController.cpp (at least a point ...), the result is related to FD_SETSIZE beyond the return is -1

if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)

Hi,
thanks for your works
I have create a patch for e2guardian to use new avast2014 antivirus for linux, there are some few change on protocol. The patch maintains compatibility for old avast engine.
How can submit a patch?

Please see https://sourceforge.net/p/dansguardian/patches/17/

Seem to be since dansguardian code but logs only shows http traffic. All https are sent do squid but not logged on e2guardian access.log

Using version 3.0.4

Built with: '--localstatedir=/var' '--with-logdir=/var/log' '--with-piddir=/var/run' '--enable-fancydm' '--enable-clamd=yes' '--enable-icap' '--enable-ntlm' '--enable-dnsauth' '--with-filedescriptors=8192' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd10.1' 'build_alias=amd64-portbld-freebsd10.1' 'CXX=c++' 'CXXFLAGS=-O2 -pipe -I/usr/local/include -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing -DLIBICONV_PLUG' 'LDFLAGS= -fstack-protector' 'LIBS=' 'CPPFLAGS=-I/usr/local/include -DLIBICONV_PLUG' 'CC=cc' 'CFLAGS=-O2 -pipe -I/usr/local/include -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing' 'CPP=cpp' 'PKG_CONFIG=pkgconf'

Hello,
How could I report any security bugs in e2g in private?
e2guardian does not offer such a possibility

http://e2guardian.org/ can't be resolved (I'm on OpenDNS).

Greetings,
Mat2

Hi,

hope this is o.k. when I open a issue for the development branch, but we've tried the latest stable AND we're tried the latest development-branch.

With the latest stable, we have to configure the whole certificate things, like described in the notes/ssl_mitm, to get e2guardian to start, without any other personal configuration - AND IT WORKS!

With the development-branch, we don't have to configure the ssl_mitm things to get e2guardian,
without any other personal configuration to start - BUT IT DOESN'T WORK!

We always set /etc/e2guardian/e2gaurdianf1.conf --> ssl_mitm = on

Could it be, that there is a problem with the development-branch and ssl_mitm?

Thank you!
Klaus.

The TA3.com television site employs video content that is unavailable when using e2guardian - there is only red frame with "unauthorised embed" message instead of video. The problem has also been encountered with Dansguardian 2.10.1.1. I positively confirm that with the same firewall and proxy configuration, the video works well if not passed thru e2guardian.

I personally want an easy (system) way to install and update this. So maybe PPA?
And thanks for making a fork and maintaining the code.

When Squid is stopped (or die) e2guardian still open for connections.
I think, a good feature should be to add an option who stop e2guardian (or a least down the port) when the proxy is dead.

With this, the load balancer can see that the server is down and move the traffic to another

Hi,

I'm actually using the latest version of your DansGuardian fork (2.12.0.7.2), which I downloaded fro numsys.eu just yesterday, which I suspect to be quite similar to the e2guardian for now (I discovered e2guardian just now).

I'm running it under OpenBSD 5.3 (latest version), but there seems to be an issue with it: at some point, for some reason I can't figure out, it just starts spawning processes (forking) beyond the maxchildren limit and filling up the processes table. This happened twice for me already -- the first time it filled up the process table up to 1310 processes (the normal limit, when maxchildren was at 120 I think). I then increased kern.maxproc to 8192, and this morning the same thing happened.

I compiled it with the following options:

$ /usr/local/sbin/dansguardian-2.12.0.7 -v
DansGuardian 2.12.0.7 http://numsys.eu - Unofficial Release ! -

Built with:  '--with-proxygroup=_dansguardian' '--with-proxyuser=_dansguardian' '--enable-segv-backtrace=no' '--prefix=' '--exec-prefix=/usr/local'

By the way, I'm using it because the latest "official" release of DansGuardian was having issues as well. Primarily, it would "freeze" at some point for unspecified amounts of time under medium load, and then resume operation. This release threw the error "Error connecting to proxy", which I didn't experience when trying out your release, although I did experience these freezes at some points. I already upgraded squid from 2.7 to 3.1, and the problem doesn't seem to be there... I'm beginning to suspect of the OS, but when I try to look to find for errors or anything there, I can't find any... Do you have a clue of what may be causing this?

Also, the hardware we're running it on is quite old (a Celeron with 512MB of RAM), which we intend to replace shortly but, again, other than seeing the CPU at 100% at some points, I don't see other limits being reached, or the machine becoming totally unresponsive.

Thank you very much for your work!

Running -g should, not kill active download.

But e2 was frozen, with this message
Jun 12 15:39:07 test e2guardian[8336]: Could not open room definitions directory: No such file or directory

compiled 3.1.2 with
./configure --with-filedescriptors=1024 --with-proxygroup=dansguardian --with-proxyuser=dansguardian --enable-email --enable-sslextralists --enable-orig-ip

v3.0.4 works great, however 3.1.2 could not start, with error "Couldn't open ca certificate", while
using the same config file on both

First I downloaded the source and ./configure worked properly, but then in the make phase it came back with automake errors. It needed automake 1.9 or higher but I have 1.11... Then I found it also needs autoconf 2.67 or higher and latest for my OS via yum (Scientific Linux) is 2.63... Then after trying to compile autoconf 2.69, it failed because it needs GNU M4 1.4.16+, but latest for SL is 1.4.13.... THEN after those 2 are compiled and installed, the newer versions of those 2 need a newer automake, but the redhat link listed in "yum info automake" is invalid so needed to compile from source....
So now with those 3 updated and updated to make 4.0 (M4 1.4.17, autoconf 2.69, automake 1.14), the below shown "./configure" returns this error and an online search came back with nothing:
./configure: line 8576: syntax error near unexpected token DGPIDDIR,"$piddir"' ./configure: line 8576:AC_FINALIZE_VAR(DGPIDDIR,"$piddir")'

Configure options:
./configure '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-piddir=/var/run' '--with-proxyuser=dansguardian' '--with-proxygroup=dansguardian' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' '--enable-pcre=yes' '--enable-locallists' '--with-filedescriptors=8192' '--with-sysconfsubdir=/etc/e2guardian/'

I tried the configure both with and without the mentioned options '--with-piddir=/var/' '--with-logdir=/var/' but the error persists either way.
I tried to comment out that one line and comes back with another error:
./configure: line 8603: syntax error near unexpected token DGLOGLOCATION,"$logdir"' ./configure: line 8603:AC_FINALIZE_VAR(DGLOGLOCATION,"$logdir")'

Looking in the configure file, I see there are a total of 7 of these, so I would rather not start commenting out "AC_FINALIZE_VAR" lines to get this to work as I am unsure what the final result will be (especially since the last one deals with a needed .conf file(s).

Although looking at the older DG 2.12.0.3, the lower section had a different structure that worked within CentOS based installs, instead of the AC_FINALIZE_VAR.

From older DG 2.12.0.3 configure file (lines 7386 to 7422):
test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
DGLIBDIR="${libdir}"
DGLIBDIR=eval echo $DGLIBDIR
DGLIBDIR=eval echo $DGLIBDIR

test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
DGBINDIR="${sbindir}"
DGBINDIR=eval echo $DGBINDIR
DGBINDIR=eval echo $DGBINDIR

test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
DGCONFDIR="${dgsysconfdir}"
DGCONFDIR=eval echo $DGCONFDIR
DGCONFDIR=eval echo $DGCONFDIR

test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
DGDATADIR="${datadir}/${PACKAGE_NAME}"
DGDATADIR=eval echo $DGDATADIR
DGDATADIR=eval echo $DGDATADIR

test "x$prefix" = xNONE && prefix="$ac_default_prefix"
test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
DGCONFFILE="${dgsysconfdir}/${PACKAGE_NAME}.conf"
DGCONFFILE=eval echo $DGCONFFILE
DGCONFFILE=eval echo $DGCONFFILE

Replacing this last section with the older config file entries does allow it to configure properly albeit with a few warnings like this:
WARNING: 'Makefile.in' seems to ignore the --datarootdir setting
which I can live with for now.
After that, make, and make install worked without any errors.

So it looks like the AC_FINALIZE_VAR needs to be expanded some to properly point to the appropriate locations. I am not sure if this is RedHat/CentOS specific, so some OS variables may also be needed.

In this example www.sex.com is a forbidden website. I set this website as homepage in firefox.

Local user is "gnunux" in windows 7 not integrated in any domain. When I start firefox, squid force authentification, firefox send local NTLM token but e2guardian denied access to this site.

The problem is local user in my computer is set as user in log:

Feb 2 16:50:09 internet e2guardian[2885]: "2015.2.2 16:50:09","gnunux","10.3.2.50","http://www.sex.com","*DENIED* Site interdit: sex.com","GET","0","0","","1","403","-","","","","","-","-",""
Feb 2 16:50:10 internet e2guardian[2885]: "2015.2.2 16:50:10","gnunux","10.3.2.50","http://www.sex.com/favicon.ico","*DENIED* Site interdit: sex.com","GET","0","0","","1","403","-","","","","","-","-",""

Second example, homepage is set to an allowed website (perdu.com). When firefox start, i'm logging in squid with domain user "admin".
Just after, I tried to access to sex.com.

Has you can see, one the first acces to sex.com is associate to "admin" user. Others are associated to my local user "gnunux":

Feb 2 16:58:22 internet e2guardian[2885]: "2015.2.2 16:58:22","admin","10.3.2.50","http://www.perdu.com","","GET","204","0","","1","200","text/html","","","","","-","-",""
Feb 2 16:58:37 internet e2guardian[2885]: "2015.2.2 16:58:37","admin","10.3.2.50","http://sex.com","*DENIED* Site interdit: sex.com","GET","0","0","","1","403","-","","","","","-","-",""
Feb 2 16:58:37 internet e2guardian[2885]: "2015.2.2 16:58:37","gnunux","10.3.2.50","http://sex.com/favicon.ico","*DENIED* Site interdit: sex.com","GET","0","0","","1","403","-","","","","","-","-",""
Feb 2 16:58:37 internet e2guardian[2885]: "2015.2.2 16:58:37","gnunux","10.3.2.50","http://sex.com/favicon.ico","*DENIED* Site interdit: sex.com","GET","0","0","","1","403","-","","","","","-","-",""
Feb 2 16:58:42 internet e2guardian[2885]: "2015.2.2 16:58:42","gnunux","10.3.2.50","http://sex.com","*DENIED* Site interdit: sex.com","GET","0","0","","1","403","-","","","","","-","-",""

Here is a PCAP file (rename with png extension) for first example:
https://cloud.githubusercontent.com/assets/150240/6003615/44c2480e-aafd-11e4-8955-62a05ba828bd.png

I have build 3.0.4 on a Banana Pi running Openwrt, with apache as the forward proxy. This setup has worked well on the raspbery pi with the same openwrt custom build, but for some reason when visiting some sites e2guardian seems to crash on the Banana PI. The Banana Pi is much faster and think I may see more resouce use due to its speed and double amount of ram. Since the device is a small foot print I don't have alot of tools on the system to debug whats going on.
I know for sure that if I visit http://www.timesunion.com e2guardian crashes. I've increased logging but can't seem to see what the issue is.
Looking for some debug guidance.

Here https://groups.google.com/forum/#!forum/e2guardian
Thank

I currently use Digest authentication for staff and pupil filtering. I have discovered a number of issues with this. Ipads, Iphones etc do not work with proxy authentication so I have to do IP Authentication for tablets and phones. Some programs like Flash player require you to put in the username and password for the download as they don't seem to use the authentication within the browser. Lastly, when Firefox is updated, it does not use authentication for the first use. You always have to close the browser and restart to make firefox use the proxy authentication. I have also had to create quite a few exceptions to the squid.conf file for websites that windows needs to access. I also had some issues with Internet Explorer prior to version 11.

None of these are E2Guardian issues obviously, but it does highlight the fact that basic and digest authentication is not the best way to provide group flitering. Ip authentication is not practical if you don't have layer 2 and layer 3 switches to create the IP address ranges based on where the computers are connected up. Also it prevents different filtering if different users logon. Active directory authentication again does not work for Ipads etc.

So I was wondering if its possible to create authentication based on the port that E2Guardian is using. For example, I could set staff to use proxy server 192.168.0.1 port 3128 and set the kids to use proxy server 192.168.0.1 port 3129 and tell the filtergroupslist file that port 3128 uses dansguardianf1 and port 3129 uses dansguardianf2. Currently we cannot do that, but I wonder if that could be a new feature as its the simplest way to provide silent authentication. Its easy to deploy the proxy server details to kids or staff and would work with ipads, iphones and allow all windows services to access the Internet if they need to.

Thank you.

hello,
does e2guardian can work without any proxy (squid) ?

Hi,

Although no one probably uses Bing I have a small issue with it. I am trying to make sure that Bing Safesearch feature is enforced.

e2g Seems to classify Bing as a Proxy site. If I run bing through the an exception list then it works but the URL Regex re-write does not take effect. If I use grey lists it seems to be the same.

Why is Bing classed as a proxy site and is there any way I can have it accessible but still be process through the regex url re-writer?

Thanks

Hi,

when I start the e2guardian, following error message occurs on /var/log/messages

Feb 23 16:55:32 server systemd: Starting E2guardian Web filtering...
Feb 23 16:55:32 server systemd: Failed to read PID from file /run/e2guardian.pid: Invalid argument
Feb 23 16:55:32 server systemd: Started E2guardian Web filtering.
Feb 23 16:55:34 server e2guardian[19944]: Started sucessfully.

Following list the directory:

/run
-rw-r--r-- 1 root e2guardian 6 Feb 23 16:55 /run/e2guardian.pid
/run/e2guardian:
total 0

Please, is this a bug, or did I something wrong?

The e2guardian was compiled without settings at: --with-piddir!

Thank you!
Klaus

Using e2guardian 3.0.4 and cntlm 0.92.3 authentification don't work. Using the same version of e2guardian with an older version of cntlm (0.35) works fine.

I'm debugging and looking for more informations if somebody have any idea please let me know.

(PS: Same problem with dansguardian)

Hi
I'm using e2guardian 3.1.2 in combination with squid 3.3.8 and kerberos auth. It looks like e2guardian can not log username using squidn with this configuration.

e2guardian 3.1.2

Built with: '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--with-filedescriptors=1024' '--enable-locallists=yes'

squid:
Squid Cache: Version 3.3.8
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

squid.conf:

negotiate kerberos and ntlm authentication

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NFIMA --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 40
auth_param negotiate keep_alive off

pure ntlm authentication

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NFIMA
auth_param ntlm children 40
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

With this configuration e2guardian doesn't log the username.

2015.4.30 10:08:42 - 192.168.254.1 http://www.android.com/new/images/logos-2x/android-wordmark-ffffff.png GET 3619 0 1 200 image/png STANDARD - -

if I comment out the kerberos part in squid and I leave only pure NTLM auth all is working as expected:

2015.4.30 10:06:45 myusername 192.168.254.1 http://www.android.com/new/images/device-slider/wear-black-on.png GET 29337 0 1 200 image/png STANDARD - -

It happen with any website. If I connect directly to squid (so I bypass e2guardian) the username is logged on my squid/access.log.

Maybe kerberos auth is not supported?

Thank you for your support
L.

Please, could You compile in the clamav support in e2guardian Debian package? I have found this functionality useful in DG and would miss it.

Hello.

If I compile e2guardian on FreeBSD with filedescriptors >1024, then e2guardian fails to start with error:

Compiled with --with-filedescriptors too high
You should upgrade your FD_SETSIZE=1024
E2guardian compiled with with-filedescriptors=8192
Or reduce --with-filedescriptors=8192 under 1024

Alexander

Blanket block not working in develop release

One of the things that I have discovered upon blocking facebook.com and facebook.net, is that nearly 90% of access denied in the logs is showing that facebook was blocked. But this is very misleading, because its not because people are visiting the website facebook.com but rather because of facebook and other social network widgets on the website page that you are visiting. For example one school uses http://www.tagxedo.com/ and on that page, you have facebook and twitter widgets. If you block the website www.facebook.com and facebook.net it will show up a big access denied over the widget and the logs will report that facebook has been blocked.

The two problems is that this creates unsightly access denied banners on parts of the page and the second problem is the staggering number of websites that seem to have a link or widget to facebook, with the result that you have an incredibly high number of access denied in the dansguardian logs which is not really accurate as people like ourselves are more interested in only seeing access denied for websites that the user themselves actually visits, rather than 3rd party links!

Another website that is problem is google analytics. I discovered google analytics was being blocked because the word anal was in the headerreg file. I have since removed that. However, again google analytics was showing a high number of access denied in the logs - however no end user actually accesses that website!

Is it possible to change the way Dansguardian works so that it only logs websites that have actually been visited by the end user as this is what is of interest to network administrators as the current logging of all facebook and twitter widgets actually distorts the picture as a result.

Thank you.

Todo: what is needed for e2guardian to works with IPV6 ?
Old patch for DG here: https://github.com/e2guardian/e2guardian/blob/master/DGnotes/ipv6_Sascha_Hlusiak_need_help.patch

From Bryce Yancey

I second the request for ICAP server support in DG. ICAP support would not replace squid, rather, it would provide a better method to interface with squid.

I've been using DG for years, and as far as I'm concerned, it's flexability and filtering capabilities are as good or better than any other solution out there (commercial or otherwise). The problem is, I've recently encountered a use-case where the proxy chaining approach used to connect DG and Squid isn't going to work for me, and I've started evaluating an alternative solution using squid and qlproxy which communicate via ICAP. This setup solves the technical issues I have with proxy chaining, but the felxablity of Dansguardian is sorely missed.

At it's core, DG is not a proxy, it's a content filtering and adaptation engine which requires integration with a true proxy (squid) to fully operate. Yet it behaves as a proxy in order to integrate with squid via proxy chaining. This works, but it's not the most elegant solution. The ICAP protocol (Internet Content Adaptation Protocol) exists to faciliate precisely the type of function that Dansguardian performs. It allows an ICAP client (Squid) to pass content to an ICAP server (would be DG) for content filtering and adaptation. Squid directly handles both the user facing and web facing interfaces.

Here's how Dansguardian connects to Squid at present:

   (8080)          (3128)    (80)

BROWSER<-->DANSGUARDIAN<-->SQUID<-->WWW

With ICAP Support, it would look something like this.

   (3128)    (80)

BROWSER<-->SQUID<-->WWW
| ^
V |
DANSGUARDIAN
(ICAP SERVER)

I've been trying to allow a single external IP (non-LAN) through my firewall to utilize my filtering proxy. This may be possible, but I have not yet been able to get this to work correctly with squid+DG using proxy chaining, however, it was very straight forward to get it working with squid+qlproxy and icap. I simply updated my acl's in squid, and it worked. Never had to touch qlproxy, which makes sense, as it's not a function of the actual flitering capablities.

There are also more and more sites out there that are starting to use HTTPS for internet browsing privacy (as opposed to simply protecting online financial transactions, etc.) This is great from a privacy perspective, but it's frustrating when you're trying to provide a safe internet zone inside your own home, and all one has to do to circumvent your painstakingly implemented DG server is perform a google search, or find a proxy service that utilizes HTTPS. I know it's controversial, but when used in the proper context with the knowledge of all users (in my case, family members), SSL Intercept is a powerfull tool to deal with this. Adding ICAP support to Dansguardian would allow it to be used in conjunction with Squid's sslbump capabilities to implement SSL Intercept. If you google, there's actually a number of posts out on the web asking for this type of support.

Just a couple examples of advantages of supporting ICAP server functionality within DG.

Hi there,

IF I enable a ssldeniedrewrite = on the I get an error from google chrome:

Error code: ERR_RESPONSE_HEADERS_TRUNCATED.

Is this normal? I tried with chrome 39 and 41.

Can you check this link:

https://groups.google.com/forum/m/#!topic/jasig-cas-user/TWaFzCEVTyk

From Bryce Yancey

I second the request for ICAP server support in DG. ICAP support would not replace squid, rather, it would provide a better method to interface with squid.

I've been using DG for years, and as far as I'm concerned, it's flexability and filtering capabilities are as good or better than any other solution out there (commercial or otherwise). The problem is, I've recently encountered a use-case where the proxy chaining approach used to connect DG and Squid isn't going to work for me, and I've started evaluating an alternative solution using squid and qlproxy which communicate via ICAP. This setup solves the technical issues I have with proxy chaining, but the felxablity of Dansguardian is sorely missed.

At it's core, DG is not a proxy, it's a content filtering and adaptation engine which requires integration with a true proxy (squid) to fully operate. Yet it behaves as a proxy in order to integrate with squid via proxy chaining. This works, but it's not the most elegant solution. The ICAP protocol (Internet Content Adaptation Protocol) exists to faciliate precisely the type of function that Dansguardian performs. It allows an ICAP client (Squid) to pass content to an ICAP server (would be DG) for content filtering and adaptation. Squid directly handles both the user facing and web facing interfaces.

Here's how Dansguardian connects to Squid at present:

   (8080)          (3128)    (80)

BROWSER<-->DANSGUARDIAN<-->SQUID<-->WWW

With ICAP Support, it would look something like this.

   (3128)    (80)

BROWSER<-->SQUID<-->WWW
| ^
V |
DANSGUARDIAN
(ICAP SERVER)

I've been trying to allow a single external IP (non-LAN) through my firewall to utilize my filtering proxy. This may be possible, but I have not yet been able to get this to work correctly with squid+DG using proxy chaining, however, it was very straight forward to get it working with squid+qlproxy and icap. I simply updated my acl's in squid, and it worked. Never had to touch qlproxy, which makes sense, as it's not a function of the actual flitering capablities.

There are also more and more sites out there that are starting to use HTTPS for internet browsing privacy (as opposed to simply protecting online financial transactions, etc.) This is great from a privacy perspective, but it's frustrating when you're trying to provide a safe internet zone inside your own home, and all one has to do to circumvent your painstakingly implemented DG server is perform a google search, or find a proxy service that utilizes HTTPS. I know it's controversial, but when used in the proper context with the knowledge of all users (in my case, family members), SSL Intercept is a powerfull tool to deal with this. Adding ICAP support to Dansguardian would allow it to be used in conjunction with Squid's sslbump capabilities to implement SSL Intercept. If you google, there's actually a number of posts out on the web asking for this type of support.

Just a couple examples of advantages of supporting ICAP server functionality within DG.

Recently compiled on FeeBSD 8.3 to put it on pfSense. Two files were missing from the lists - authexceptionsitelist and authexceptionurllist. e2guardian would not start with out them (said they were required) so I just created them empty...

Feature request!

Would it be possible to implement into e2Guardian a feature where it can scan the pictures on the page and block the picture if there is a high percentage of skin tone on the page.

e2guardian only focus on weightlisting text content and not the pictures. The pic rating only works if the website developer includes the picture rating in a certain category.

Sometimes one can come across websites where there is nudity displayed but its not being blocked because there is no text that is being filtered out so the picture gets displayed. Thank you

Hello,
e2g does not treat punctuation marks (, . etc) the same as spaces when parsing weighted phrase lists. Therefore
< sex ><200>
will not match "sex.".

Because of that, most of the weighted phrases in e2g do not enforce end of word at the end or beginning of the phrase. That can lead to overblocking when a phrase appears in the middle of another unrelated word (possibly in a different lang).

Impact of this is probably not big, may be bigger in some combination of languages.

Would be very useful to have a list of files that were changed when program is updated, so that its easy to backup the lists directory and the dansguardian.conf and dansguardianf1.conf files and restore them after upgrading to a new version.

If there was a file listing what files were updated in the updated version, then it would be very easy to see what files in the lists directory have changed so that program updates are not overwritten when restoring the lists directory. Its convenient to backup and restore the lists directory and dansguardian.conf config files as the settings in these files are specifc to the network installed. Thank you

With e2guardianf1.conf and groupmode = 0 identification doesn't works for any group, e2guardianf2.conf, e2guardianf3.conf, etc

Getting this error under heavy load. E2Guardian is not bound to the port anymore at this point and fails to pass any traffic.

Configure script:

./configure \
--prefix=/usr \
--datadir=/usr/share \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--localstatedir=/var \
--with-proxyuser=nobody \
--with-proxygroup=nogroup \
--enable-pcre=no \
--enable-email \
--with-filedescriptors=65536 \
CXXFLAGS=-DFD_SETSIZE=65536

e2guardian.conf:

reportinglevel = 3
languagedir = '/usr/share/e2guardian/languages'
language = 'ukenglish'
loglevel = 1
logexceptionhits = 2
logfileformat = 1
maxuploadsize = -1
filterip = 172.16.0.10
filterports = 8080
proxyip = 127.0.0.1
proxyport = 3128
accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/e2guardian.pl'
usecustombannedimage = on
custombannedimagefile = '/usr/share/e2guardian/transparent1x1.gif'
usecustombannedflash = on
custombannedflashfile = '/usr/share/e2guardian/blockedflash.swf'
filtergroups = 6
filtergroupslist = '/etc/e2guardian/lists/filtergroupslist'
bannediplist = '/etc/e2guardian/lists/bannediplist'
exceptioniplist = '/etc/e2guardian/lists/exceptioniplist'
perroomblockingdirectory = '/etc/e2guardian/lists/bannedrooms/'
showweightedfound = on
weightedphrasemode = 2
urlcachenumber = 5000
urlcacheage = 900
scancleancache = on
phrasefiltermode = 1
preservecase = 0
hexdecodecontent = off
forcequicksearch = on
reverseaddresslookups = off
reverseclientiplookups = off
logclienthostnames = off
createlistcachefiles = on
prefercachedlists = off
maxcontentfiltersize = 256
maxcontentramcachescansize = 2000
maxcontentfilecachescansize = 20000
proxytimeout = 20
proxyexchange = 20
pcontimeout = 55
filecachedir = '/tmp'
deletedownloadedtempfiles = on
initialtrickledelay = 20
trickledelay = 10
downloadmanager = '/etc/e2guardian/downloadmanagers/fancy.conf'
downloadmanager = '/etc/e2guardian/downloadmanagers/default.conf'
contentscannertimeout = 60
contentscanexceptions = off
authplugin = '/etc/e2guardian/authplugins/ip.conf'
recheckreplacedurls = off
forwardedfor = off
usexforwardedfor = off
logconnectionhandlingerrors = on
logchildprocesshandling = off
maxchildren = 8192
minchildren = 32
minsparechildren = 32
preforkchildren = 128
maxsparechildren = 128
maxagechildren = 100000
maxips = 0
ipcfilename = '/tmp/.dguardianipc'
urlipcfilename = '/tmp/.dguardianurlipc'
ipipcfilename = '/tmp/.dguardianipipc'
nodaemon = off
nologger = off
logadblocks = off
loguseragent = off
daemonuser = 'nobody'
daemongroup = 'nogroup'
softrestart = off
mailer = '/usr/sbin/sendmail -t'

I think the problem is the $(transform) step which prepends /usr/local. When prefix is set to /usr/local this is not needed.

I fixed this in both doc/Makefile.in and src/Makefile.in in order to successfully install.

./configure --program-prefix=/usr/local

make

[snip]

make install

Making install in doc
test -z "/usr/local/share/doc/e2guardian" || /usr/home/andmore/develop/e2guardian/install-sh -d "/usr/local/share/doc/e2guardian"
/usr/bin/install -c -m 644 'AuthPlugins' '/usr/local/share/doc/e2guardian/AuthPlugins'
/usr/bin/install -c -m 644 'ContentScanners' '/usr/local/share/doc/e2guardian/ContentScanners'
/usr/bin/install -c -m 644 'DownloadManagers' '/usr/local/share/doc/e2guardian/DownloadManagers'
/usr/bin/install -c -m 644 'FAQ' '/usr/local/share/doc/e2guardian/FAQ'
/usr/bin/install -c -m 644 'FAQ.html' '/usr/local/share/doc/e2guardian/FAQ.html'
/usr/bin/install -c -m 644 'Plugins' '/usr/local/share/doc/e2guardian/Plugins'
test -z "/usr/local/man/man8" || /usr/home/andmore/develop/e2guardian/install-sh -d "/usr/local/man/man8"
/usr/bin/install -c -m 644 './e2guardian.8' '/usr/local/man/man8//usr/locale2guardian.8'
install: /usr/local/man/man8//usr/locale2guardian.8: No such file or directory
*** Error code 71

Stop in /usr/home/andmore/develop/e2guardian/doc.
*** Error code 1

Stop in /usr/home/andmore/develop/e2guardian/doc.
*** Error code 1

Stop in /usr/home/andmore/develop/e2guardian.

Is it possible to get e2guardian to listed on 80. Netfilter is taking up to many resources NATing from 80 to 8080. One possible solution that would solve my issue is to have e2guardian listen on port 80. Tried setting daemonuser and daemongroup to root. But still doesn't seem to work.

Hi,

I am looking for an easy way to run e2guardian with different configuration sets on different IP addresses assigned to my box. Essentially I want to run a Dev and Prod version.

My initial testing has been with the older version of DG so I will compile e2 guardian and move over to the that this afternoon but I just wanted to check if the behaviour was the same. Trying to run a new dg process with a different config file provided with the -c command tells me that DG appears to already be running. Is this the same with e2guardian.

Although quiet old this post indicates that I need to compile multiple versions and run them independently any ideas if e2g is going to behave the same.

http://nelmar-carag.blogspot.com.au/2008/09/multiple-instances-of-dansguardian-on.html

e2guardian-port.o e2guardian-ntlm.o e2guardian-digest.o -lpcreposix -lpcre -lz
e2guardian-dnsauth.o: In function dnsauthinstance::getdnstxt(String&)': /root/e2guardian-3.0.3/src/authplugins/dnsauth.cpp:232: undefined reference to__res_querydomain'
/root/e2guardian-3.0.3/src/authplugins/dnsauth.cpp:239: undefined reference to ns_initparse' /root/e2guardian-3.0.3/src/authplugins/dnsauth.cpp:253: undefined reference tons_parserr'
collect2: error: ld returned 1 exit status
make[2]: *** [e2guardian] Erreur 1
make[2]: quittant le répertoire « /root/e2guardian-3.0.3/src »
make[1]: *** [all-recursive] Erreur 1
make[1]: quittant le répertoire « /root/e2guardian-3.0.3 »
make: *** [all] Erreur 2

Hi
I'm using e2guardian 3.1.2 in combination with squid 3.3.8 and kerberos auth. It looks like e2guardian has some problem with this configuration.

e2guardian 3.1.2

Built with: '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--with-filedescriptors=1024' '--enable-locallists=yes'

squid:
Squid Cache: Version 3.3.8
configure options: '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--disable-strict-error-checking' '--exec_prefix=/usr' '--libexecdir=/usr/lib64/squid' '--localstatedir=/var' '--datadir=/usr/share/squid' '--sysconfdir=/etc/squid' '--with-logdir=$(localstatedir)/log/squid' '--with-pidfile=$(localstatedir)/run/squid.pid' '--disable-dependency-tracking' '--enable-eui' '--enable-follow-x-forwarded-for' '--enable-auth' '--enable-auth-basic=DB,LDAP,MSNT,MSNT-multi-domain,NCSA,NIS,PAM,POP3,RADIUS,SASL,SMB,getpwnam' '--enable-auth-ntlm=smb_lm,fake' '--enable-auth-digest=file,LDAP,eDirectory' '--enable-auth-negotiate=kerberos' '--enable-external-acl-helpers=file_userip,LDAP_group,time_quota,session,unix_group,wbinfo_group' '--enable-cache-digests' '--enable-cachemgr-hostname=localhost' '--enable-delay-pools' '--enable-epoll' '--enable-icap-client' '--enable-ident-lookups' '--enable-linux-netfilter' '--enable-removal-policies=heap,lru' '--enable-snmp' '--enable-ssl' '--enable-ssl-crtd' '--enable-storeio=aufs,diskd,ufs' '--enable-wccpv2' '--enable-esi' '--enable-ecap' '--with-aio' '--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl' '--with-openssl' '--with-pthreads' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'LDFLAGS=-Wl,-z,relro -pie -Wl,-z,relro -Wl,-z,now' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fpie' 'PKG_CONFIG_PATH=%{_PKG_CONFIG_PATH}:/usr/lib64/pkgconfig:/usr/share/pkgconfig'

squid.conf:

negotiate kerberos and ntlm authentication

auth_param negotiate program /usr/local/bin/negotiate_wrapper -d --ntlm /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NFIMA --kerberos /usr/local/bin/squid_kerb_auth -d -s GSS_C_NO_NAME
auth_param negotiate children 40
auth_param negotiate keep_alive off

pure ntlm authentication

auth_param ntlm program /usr/bin/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=NFIMA
auth_param ntlm children 40
auth_param ntlm keep_alive off

auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 10
auth_param basic realm Squid proxy-caching web server

auth_param basic credentialsttl 2 hours

With this configuration e2guardian doesn't log the username.

2015.4.30 10:08:42 - 192.168.254.1 http://www.android.com/new/images/logos-2x/android-wordmark-ffffff.png GET 3619 0 1 200 image/png STANDARD - -

After a couple of minute where everithing works as expected the browser fall back to basic auth and it prompt for username / password.

if I comment out the kerberos part in squid and I leave only pure NTLM auth all is working as expected:

2015.4.30 10:06:45 myusername 192.168.254.1 http://www.android.com/new/images/device-slider/wear-black-on.png GET 29337 0 1 200 image/png STANDARD - -

no username / password is requested

It happen with any website. If I connect directly to squid (so I bypass e2guardian) everything looks good.

Maybe kerberos auth is not supported?

Thank you for your support
L.

If you type in any blocked website such as www.facebook.com in the address bar, it will come up with an access denied which is expected as we have that blocked.
However if you type in facebook in the google search bar and the then click on a facebook link - nothing seems to happen. It doesn't open the page or do anything. It appears as if you hadn't clicked anything. However if you right click the link and say open in a new tab it will then open up with the expected access denied page.

I have a feeling that this is related to either recent versions of browsers - I use Firefox and Internet Explorer. In Firefox and IE 11, nothing happens, however in IE8 on Windows 2008 Server, when you click on the link, it comes up with the access denied page as expected.

therefore I assume that eGuardian needs to be updated to work with the way browsers now work as something about the way browsers work has changed.

Thank you.

When loglevel = 1 logexceptionhits is disabled
I think this not logical because logevel = 2 & 3 show all the requests

loglevel = 1 and logexceptionhits = 2 should be work together