e2guardian / e2guardian

E2guardian is a web content filter that can work in proxy, transparent or icap server modes
http://www.e2guardian.org
GNU General Public License v2.0
479 stars 139 forks source link

ERR_TOO_MANY_REDIRECTS #176

Open avdreith opened 7 years ago

avdreith commented 7 years ago

Hello, I installed e2guardian 3.5.0 with mitm-support on Ubuntu 16.04 64 bit. First everything looked good. HTTPS-conections are tested by e2guardian. For example virusscanning also works on HTTPS. But now I'm expeariencing something strange. For example, when I open https://wiki.ubuntuusers.de first everything is ok. But after some time of surfing on this site, no pictures are beeing shown anymore. If I click on a picture Google Chrome displays the message "ERR_TOO_MANY_REDIRECTS" and recomends to delete my cookies. After deleting the cookies the site works for a couple of minutes. This also happens on other sites. The access.log don't show much information. The affected picture is logged again and again as listed below in:

2017.2.13 20:15:39 192.168.177.25 192.168.177.25 https://media-cdn.ubuntu-de.org/wiki/attachments/59/00/iagno.png GET 0 0 1 302 - Standard - - 2017.2.13 20:15:39 192.168.177.25 192.168.177.25 https://media-cdn.ubuntu-de.org/wiki/attachments/59/00/iagno.png GET 0 0 1 302 - Standard - - 2017.2.13 20:15:39 192.168.177.25 192.168.177.25 https://media-cdn.ubuntu-de.org/wiki/attachments/59/00/iagno.png GET 0 0 1 302 - Standard - - 2017.2.13 20:15:39 192.168.177.25 192.168.177.25 https://media-cdn.ubuntu-de.org/wiki/attachments/59/00/iagno.png GET 0 0 1 302 - Standard - - 2017.2.13 20:15:39 192.168.177.25 192.168.177.25 https://media-cdn.ubuntu-de.org/wiki/attachments/59/00/iagno.png GET 0 0 1 302 - Standard - - ....

The syslog contains this (logsslerrors = on):

Feb 13 20:15:36 server e2guardian[14783]: ssl_write failed

I'm not sure if this problem is related to bug #96. Openssl should be version 1.0.2g on ubuntu 16.04. Which solved this bug.

avdreith commented 7 years ago

Hello, am I the only one who experiences this? Is there no sollution? Anything else works perfectly. And it would be nice if this could be solved. Can I contribute more information like congfig files?

In the meantime I made a second fresh e2guardian installation. With the same result. And i don't think that this is due to an misconfiguration. Because it seams to happen randomly.

fredbcode commented 7 years ago

Sorry I'm not using SSLMITM right now You can also post your question here https://groups.google.com/forum/#!forum/e2guardian

winewood commented 7 years ago

YES! Thank you for posting this avdreith. This was the second problem I was waiting to post after the Youtube issue. Any HTTPS site will do this at times. google, youtube etc. This only happens with SSLMITM enabled. Discovered it does it mainly with Google Chrome. Do not get this on Firefox. When researching Chrome it stated that is was due to the way the browser handles the traffic. It will put itself into a loop when it doesn't see the traffic shaped as expected. I would suggest clearing all your browser information and starting with a new cache. My children who are constantly using this filter on another computer have stopped getting this and are always filtered, but I still do as I enable/disable my filter on my browser to troubleshoot and do not clear cache each time. My son to my understanding has not seen this on his cell phone (android mobile chrome) Samsung 7S.

Avdreith, have you seen it ever on a browser besides Chrome? Do you get this if you clear all history/cache, close browser, then retry?

fredbcode commented 7 years ago

Can you make a try with the dev branch 3.5.1, please ?

avdreith commented 7 years ago

Hello, I tried 3.5.1 with my old config files. I still have the same error from the subject.

Am 13.03.2017 um 11:33 schrieb Fredb:

Can you make a try with the dev branch 3.5.1, please ?

— You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub https://github.com/e2guardian/e2guardian/issues/176#issuecomment-286070363, or mute the thread https://github.com/notifications/unsubscribe-auth/AYjyIsS9_-adZeGqzS4MZi81LM8yr4Baks5rlRtsgaJpZM4L_oPV.

spikedrba commented 7 years ago

@avdreith could you please share all the steps you took and configs you changed to set up your e2guardian instance? I'd like to repro if possible so maybe I can help with investigation. thanks

winewood commented 7 years ago

Have been testing for 1.5 day and the recent patches have seemed to fix this issue. Will have to generate more testing to be sure, but so far so good.

./autogen.sh && ./configure '--prefix=/usr' '--enable-clamd=no' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--enable-sslmitm=yes'

Edit: still getting them in google.com using Chrome.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/e2guardian/e2guardian/issues/176#issuecomment-286269079, or mute the thread https://github.com/notifications/unsubscribe-auth/AXl4wUobetVmyaIsHhhpIx3ltNASmAPVks5rlcklgaJpZM4L_oPV .

fredbcode commented 7 years ago

Ok great, this confirm that there is a more large problem with http redirect code, I think that my fix is not "clean" enough

Le 16 mars 2017 16:18:04 GMT+01:00, Wade Young notifications@github.com a écrit :

Have been testing for 1.5 day and the recent patches have seemed to fix this issue. Will have to generate more testing to be sure, but so far so good.

./autogen.sh && ./configure '--prefix=/usr' '--enable-clamd=no' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--enable-sslmitm=yes'

On Mon, Mar 13, 2017 at 5:54 PM, Spike notifications@github.com wrote:

@avdreith https://github.com/avdreith could you please share all the steps you took and configs you changed to set up your e2guardian instance? I'd like to repro if possible so maybe I can help with investigation. thanks

— You are receiving this because you commented. Reply to this email directly, view it on GitHub

https://github.com/e2guardian/e2guardian/issues/176#issuecomment-286269079, or mute the thread

https://github.com/notifications/unsubscribe-auth/AXl4wUobetVmyaIsHhhpIx3ltNASmAPVks5rlcklgaJpZM4L_oPV .

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/e2guardian/e2guardian/issues/176#issuecomment-287090361

-- Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

avdreith commented 7 years ago

Hello, here is how i installed e2guardian:

e2guardian 3.5.1

Built with: '--prefix=/usr' '--enable-clamd=yes' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--enable-avastd=yes' '--enable-kavd=yes' '--enable-sslmitm=yes'

My two conig files are also attached.

I use clamd and avast for virus scanning. kaspersky is not used.

Am 13.03.2017 um 23:54 schrieb Spike:

@avdreith https://github.com/avdreith could you please share all the steps you took and configs you changed to set up your e2guardian instance? I'd like to repro if possible so maybe I can help with investigation. thanks

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/e2guardian/e2guardian/issues/176#issuecomment-286269079, or mute the thread https://github.com/notifications/unsubscribe-auth/AYjyIh2mJl7fjNWhylczukSKdKvDEdv7ks5rlcklgaJpZM4L_oPV.

e2guardian filter group config file for version 3.5.0

Filter group mode

This option determines whether members of this group have their web access

unfiltered, filtered, or banned.

#

0 = banned

1 = filtered

2 = unfiltered (exception)

#

Only filter groups with a mode of 1 need to define phrase, URL, site, extension,

mimetype and PICS lists; in other modes, these options are ignored to conserve

memory.

#

Defaults to 0 if unspecified.

Unauthenticated users are treated as being in the first filter group.

groupmode = 1

Filter group name

Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to

name the group in the access logs

Defaults to empty string

groupname = ''

groupname = 'Standard'

Enable legacy (DG) ssl logic

Note that the logic for handling SSL is changed. In DG when either blanket block (or SSL blanket block)

was active then an SSL site would not be blocked if site name matched either exceptionsitelist or greysitelist.

In e2guardian with blanket block (or SSL blanket block) active an SSL site will only be allowed if it matches

exceptionsitelist or greysslsitelist. This ensures that only trusted sites can be accessed via SSL.

The greysslsitelist is used in order to allow a site to drop through so that it's domain can be mangled via urlregexplist,

e.g. To use the Google mechanism for prevention of https Google search, or to allow an SSL site whilst blocking the corresponding http: site.

#

Default off (logic as above)

For legacy (DG style) logic then set ssllegacylogic to on

Note that MITM cannot work with this flag set

ssllegacylogic = off

Content filtering files location (domains and urls size are limited to 2048 characters)

bannedphraselist = '/etc/e2guardian/lists/bannedphraselist'

weightedphraselist = '/etc/e2guardian/lists/weightedphraselist'

exceptionphraselist = '/etc/e2guardian/lists/exceptionphraselist'

bannedsitelist = '/etc/e2guardian/lists/bannedsitelist' greysitelist = '/etc/e2guardian/lists/greysitelist'

bannedsslsitelist = '/etc/e2guardian/lists/bannedsslsitelist'

greysslsitelist = '/etc/e2guardian/lists/greysslsitelist'

exceptionsitelist = '/etc/e2guardian/lists/exceptionsitelist' bannedurllist = '/etc/e2guardian/lists/bannedurllist' greyurllist = '/etc/e2guardian/lists/greyurllist' exceptionurllist = '/etc/e2guardian/lists/exceptionurllist' exceptionregexpurllist = '/etc/e2guardian/lists/exceptionregexpurllist' bannedregexpurllist = '/etc/e2guardian/lists/bannedregexpurllist'

picsfile = '/etc/e2guardian/lists/pics'

contentregexplist = '/etc/e2guardian/lists/contentregexplist' urlregexplist = '/etc/e2guardian/lists/urlregexplist'

refererexceptionsitelist = '/etc/e2guardian/lists/refererexceptionsitelist'

refererexceptionurllist = '/etc/e2guardian/lists/refererexceptionurllist'

embededreferersitelist = '/etc/e2guardian/lists/embededreferersitelist'

embededrefererurllist = '/etc/e2guardian/lists/embededrefererurllist'

urlredirectregexplist = '/etc/e2guardian/lists/urlredirectregexplist'

local versions of lists (where LOCAL_LISTS enabled)

enablelocallists = on/off

localbannedsitelist = '/etc/e2guardian/lists/localbannedsitelist'

localgreysitelist = '/etc/e2guardian/lists/localgreysitelist'

localexceptionsitelist = '/etc/e2guardian/lists/localexceptionsitelist'

localbannedurllist = '/etc/e2guardian/lists/localbannedurllist'

localgreyurllist = '/etc/e2guardian/lists/localgreyurllist'

localexceptionurllist = '/etc/e2guardian/lists/localexceptionurllist'

localbannedsslsitelist = '/etc/e2guardian/lists/localbannedsslsitelist'

localgreysslsitelist = '/etc/e2guardian/lists/localgreysslsitelist'

localbannedsearchlist = '/etc/e2guardian/lists/localbannedsearchlist'

!! Not compiled !! authexceptionsitelist = '/etc/e2guardian/lists/authexceptionsitelist' !! Not compiled !! authexceptionurllist = '/etc/e2guardian/lists/authexceptionurllist'

Filetype filtering

#

Allow bannedregexpurllist with grey list mode

bannedregexpheaderlist and bannedregexpurllist

#

bannedregexwithblanketblock = off

#

Blanket download blocking

If enabled, all files will be blocked, unless they match the

exceptionextensionlist or exceptionmimetypelist.

These lists do not override virus scanning.

Exception lists defined above override all types of filtering, including

the blanket download block.

Defaults to disabled.

(on | off)

# blockdownloads = off exceptionextensionlist = '/etc/e2guardian/lists/exceptionextensionlist' exceptionmimetypelist = '/etc/e2guardian/lists/exceptionmimetypelist' #

Use the following lists to block specific kinds of file downloads.

The two exception lists above can be used to override these.

# bannedextensionlist = '/etc/e2guardian/lists/bannedextensionlist' bannedmimetypelist = '/etc/e2guardian/lists/bannedmimetypelist' #

In either file filtering mode, the following list can be used to override

MIME type & extension blocks for particular domains & URLs (trusted download sites).

# exceptionfilesitelist = '/etc/e2guardian/lists/exceptionfilesitelist' exceptionfileurllist = '/etc/e2guardian/lists/exceptionfileurllist'

POST protection (web upload and forms)

does not block forms without any file upload, i.e. this is just for

blocking or limiting uploads

measured in kibibytes after MIME encoding and header bumph

use 0 for a complete block

use higher (e.g. 512 = 512Kbytes) for limiting

use -1 for no blocking

maxuploadsize = 512

maxuploadsize = 0

maxuploadsize = -1

Categorise without blocking:

Supply categorised lists here and the category string shall be logged against

matching requests, but matching these lists does not perform any filtering

action.

logsitelist = '/etc/e2guardian/lists/logsitelist'

logurllist = '/etc/e2guardian/lists/logurllist'

logregexpurllist = '/etc/e2guardian/lists/logregexpurllist'

Outgoing HTTP header rules:

Optional lists for blocking based on, and modification of, outgoing HTTP

request headers. Format for headerregexplist is one modification rule per

line, similar to content/URL modifications. Format for

bannedregexpheaderlist is one regular expression per line, with matching

headers causing a request to be blocked.

Headers are matched/replaced on a line-by-line basis, not as a contiguous

block.

Use for example, to remove cookies or prevent certain user-agents.

headerregexplist = '/etc/e2guardian/lists/headerregexplist' bannedregexpheaderlist = '/etc/e2guardian/lists/bannedregexpheaderlist'

addheaderregexplist = '/etc/e2guardian/lists/addheaderregexplist'

Phrase filtering additional mime types (by default text/*)

textmimetypes = 'application/xhtml+xml,application/xml,application/json,application/javascript,application/x-javascript'

Weighted phrase mode

0 = off = do not use the weighted phrase feature.

1 = on, normal = normal weighted phrase operation.

2 = on, singular = each weighted phrase found only counts once on a page.

IMPORTANT: Note that setting this to "0" turns off all features which

extract phrases from page content, including banned & exception

phrases (not just weighted), search term filtering, and scanning for

links to banned URLs.

Defaults to 1.

weightedphrasemode = 1

Naughtiness limit

This the limit over which the page will be blocked. Each weighted phrase is given

a value either positive or negative and the values added up. Phrases to do with

good subjects will have negative values, and bad subjects will have positive

values. See the weightedphraselist file for examples.

As a guide:

55 is for young children, 110 for old children, 175 for young adults.

default 50

naughtynesslimit = 50000

Search term blocking

Search terms can be extracted from search URLs and filtered using one or

both of two different methods.

Method 1 is that developed by Protex where specific

search terms are contained in a bannedsearchlist.

(localbannedsearchlist and bannedsearchoveridelist can be used to supplement

and override this list as required.)

These lists contain banned search words combinations on each line.

Words are separated by '+' and must be in sorted order within a line.

so to block 'sexy girl' then the list must contain the line

girl+sexy

and this will block both 'sexy girl' and 'girl sexy'

To use this method, the searchregexplist must be enabled and the bannedsearchlist(s) defined

Method 2 is uses the

bannedphraselist, weightedphraselist and exceptionphraselist, with a separate

threshold for blocking than that used for normal page content.

The bannedsearchoveridelist can be used to overide the phrase blocking.

For method 2, the searchregexplist must be enabled and searchtermlimit

must be greater than 0.

#

Search engine regular expression list (need for both options)

List of regular expressions for matching search engine URLs. It is assumed

that the search terms themselves will be contained in the

of output of each expression.

searchregexplist = '/etc/e2guardian/lists/searchregexplist'

# #

Override list - overrides both bannedsearchlist and searchterm limit

Similar to exception list but only on the search term. The actual

returned content of the page may still be content checked.

bannedsearchoveridelist = '/etc/e2guardian/lists/bannedsearchoveridelist'

Banned Search Term list(s) for option 1

bannedsearchlist = '/etc/e2guardian/lists/bannedsearchlist'

Search term limit (for Option 2)

The limit over which requests will be blocked for containing search terms

which match the weightedphraselist. This should usually be lower than the

'naughtynesslimit' value above, because the amount of text being filtered

is only a few words, rather than a whole page. A value of around 40 is recommended

for children.

A value of 0 here indicates that no phrase filtering should be performed

on the search terms.

searchtermlimit = 0

#

Search term phrase lists (for Option 2)

If the three lines below are uncommented, search term blocking will use

the banned, weighted & exception phrases from these lists, instead of using

the same phrase lists as for page content. This is optional but recommended,

as weights for individual phrases in the "normal" lists may not be

appropriate for blocking when those phrases appear in a much smaller block

of text.

Please note that all or none of the below should be uncommented, not a

mixture.

bannedsearchtermlist = '/etc/e2guardian/lists/bannedsearchtermlist'

weightedsearchtermlist = '/etc/e2guardian/lists/weightedsearchtermlist'

exceptionsearchtermlist = '/etc/e2guardian/lists/exceptionsearchtermlist'

Category display threshold

This option only applies to pages blocked by weighted phrase filtering.

Defines the minimum score that must be accumulated within a particular

category in order for it to show up on the block pages' category list.

All categories under which the page scores positively will be logged; those

that were not displayed to the user appear in brackets.

#

-1 = display only the highest scoring category

0 = display all categories (default)

> 0 = minimum score for a category to be displayed

categorydisplaythreshold = 0

Embedded URL weighting

When set to something greater than zero, this option causes URLs embedded within a

page's HTML (from links, image tags, etc.) to be extracted and checked against the

bannedsitelist and bannedurllist. Each link to a banned page causes the amount set

here to be added to the page's weighting.

The behaviour of this option with regards to multiple occurrences of a site/URL is

affected by the weightedphrasemode setting.

#

NB: Currently, this feature uses regular expressions that require the PCRE library.

As such, it is only available if you compiled e2guardian with '--enable-pcre=yes'.

You can check compile-time options by running 'e2guardian -v'.

#

Set to 0 to disable.

Defaults to 0.

WARNING: This option is highly CPU intensive!

embeddedurlweight = 0

Enable PICS rating support

#

Defaults to disabled

(on | off)

enablepics = off

Temporary Denied Page Bypass

This provides a link on the denied page to bypass the ban for a few minutes. To be

secure it uses a random hashed secret generated at daemon startup. You define the

number of seconds the bypass will function for before the deny will appear again.

To allow the link on the denied page to appear you will need to edit the template.html

or e2guardian.pl file for your language.

300 = enable for 5 minutes

0 = disable ( defaults to 0 )

-1 = enable but you require a separate program/CGI to generate a valid link

bypass = 0

Temporary Denied Page Bypass Secret Key

Rather than generating a random key you can specify one. It must be more than 8 chars.

'' = generate a random one (recommended and default)

'Mary had a little lamb.' = an example

'76b42abc1cd0fdcaf6e943dcbc93b826' = an example

bypasskey = ''

Infection/Scan Error Bypass

Similar to the 'bypass' setting, but specifically for bypassing files scanned and found

to be infected, or files that trigger scanner errors - for example, archive types with

recognised but unsupported compression schemes, or corrupt archives.

The option specifies the number of seconds for which the bypass link will be valid.

300 = enable for 5 minutes

0 = disable (default)

-1 = enable, but require a separate program/CGI to generate a valid link

infectionbypass = 0

Infection/Scan Error Bypass Secret Key

Same as the 'bypasskey' option, but used for infection bypass mode.

infectionbypasskey = ''

Infection/Scan Error Bypass on Scan Errors Only

Enable this option to allow infectionbypass links only when virus scanning fails,

not when a file is found to contain a virus.

on = enable (default and highly recommended)

off = disable

infectionbypasserrorsonly = on

Disable content scanning

If you enable this option you will disable content scanning for this group.

Content scanning primarily is AV scanning (if enabled) but could include

other types.

(on|off) default = off.

disablecontentscan = off

Enable Deep URL Analysis

When enabled, DG looks for URLs within URLs, checking against the bannedsitelist and

bannedurllist. This can be used, for example, to block images originating from banned

sites from appearing in Google Images search results, as the original URLs are

embedded in the thumbnail GET requests.

(on|off) default = off

deepurlanalysis = off

reportinglevel

#

-1 = log, but do not block - Stealth mode

0 = just say 'Access Denied'

1 = report why but not what denied phrase

2 = report fully

3 = use HTML template file (accessdeniedaddress ignored) - recommended

#

If defined, this overrides the global setting in e2guardian.conf for

members of this filter group.

# reportinglevel = 3

accessdeniedaddress is the address of your web server to which the cgi

e2guardian reporting script was copied. Only used in reporting levels

1 and 2.

#

This webserver must be either:

1. Non-proxied. Either a machine on the local network, or listed as an

exception in your browser's proxy configuration.

2. Added to the exceptionsitelist. Option 1 is preferable; this option is

only for users using both transparent proxying and a non-local server

to host this script.

#

accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/e2guardian.pl'

sslaccessdeniedaddress is the address of your web server to which the static page

e2guardian reporting was copied.

With ssldeniedrewrite 'off' it works only with firefox

With ssldeniedrewrite 'on' there are several limitations, SSL warning, basic page, etc, eg this webserver can't be listed as an

exception in your browser's proxy configuration.

Keep in mind, this is only a trick to avoid blank page, the best way still to use SSLMITM

sslaccessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/denyssl.htm'

Break SSL protocol and redirect to another HTTPS website for denied page (sslaccessdeniedaddress url)

ssldeniedrewrite = 'on'

HTML Template override

If defined, this specifies a custom HTML template file for members of this

filter group, overriding the global setting in e2guardian.conf. This is

only used in reporting level 3.

#

The default template file path is //template.h

e.g. /usr/share/e2guardian/languages/ukenglish/template.html when using 'ukenglish'

language.

#

This option generates a file path of the form:

//

e.g. /usr/share/e2guardian/languages/ukenglish/custom.html

#

htmltemplate = 'custom.html'

Non standard delimiter (only used with accessdeniedaddress)

To help preserve the full banned URL, including parameters, the variables

passed into the access denied CGI are separated using non-standard

delimiters. This can be useful to ensure correct operation of the filter

bypass modes. Parameters are split using "::" in place of "&", and "==" in

place of "=".

Default is enabled, but to go back to the standard mode, disable it.

nonstandarddelimiter = off

Email reporting - original patch by J. Gauthier

Use SMTP

If on, will enable system wide events to be reported by email.

need to configure mail program (see 'mailer' in global config)

and email recipients

default usesmtp = off

usesmtp = on

mailfrom

who the email would come from

example: mailfrom = 'e2guardian@mycompany.com'

mailfrom = ''

avadmin

who the virus emails go to (if notify av is on)

example: avadmin = 'admin@mycompany.com'

avadmin = ''

contentdmin

who the content emails go to (when thresholds are exceeded)

and contentnotify is on

example: contentadmin = 'admin@mycompany.com'

contentadmin = ''

avsubject

Subject of the email sent when a virus is caught.

only applicable if notifyav is on

default avsubject = 'e2guardian virus block'

avsubject = 'e2guardian virus block'

content

Subject of the email sent when violation thresholds are exceeded

default contentsubject = 'e2guardian violation'

contentsubject = 'e2guardian violation'

notifyAV

This will send a notification, if usesmtp/notifyav is on, any time an

infection is found.

Important: If this option is off, viruses will still be recorded like a

content infraction.

notifyav = on

notifycontent

This will send a notification, if usesmtp is on, based on thresholds

below

notifycontent = on

thresholdbyuser

results are only predictable with user authenticated configs

if enabled the violation/threshold count is kept track of by the user

thresholdbyuser = off

violations

number of violations before notification

setting to 0 will never trigger a notification

violations = 10

threshold

this is in seconds. If 'violations' occur in 'threshold' seconds, then

a notification is made.

if this is set to 0, then whenever the set number of violations are made a

notifaction will be sent.

threshold = 0

SSL site rewriting (i.e. CNAME)

Rewrite hostname in ssl connect

better than adding CNAME records to DNS

Use to enforce Youtube restricted mode

sslsiteregexplist = '/etc/e2guardian/lists/sslsiteregexplist'

SSL certificate checking

Check that ssl certificates for servers on https connections are valid

and signed by a ca in the configured path

sslcertcheck = on

SSL man in the middle

Forge ssl certificates for all non-exception sites, decrypt the data then re encrypt it

using a different private key. Used to filter ssl sites

sslmitm = on

Limit SSL MITM to sites in greysslsitelist(s)

ignored if sslmitm is off

SSL sites not matching greysslsitelist will be treat as if sslmitm is off.

onlymitmsslgrey = off

Enable MITM site certificate checking

ignored if sslmitm is off

default (recommended) is 'on'

mitmcheckcert = on

Do not check ssl certificates for sites listed

Can be used to allow sites with self-signed or invalid certificates

or to reduced CPU load by not checking certs on heavily used sites (e.g. Google, Bing)

Use with caution!

Ignored if mitmcheckcert is 'off'

nocheckcertsitelist = '/etc/e2guardian/lists/nocheckcertsitelist'

e2guardian config file for version 3.5.0

Language dir where languages are stored for internationalisation.

The HTML template within this dir is only used when reportinglevel

is set to 3. When used, e2guardian will display the HTML file instead of

using the perl cgi script. This option is faster, cleaner

and easier to customise the access denied page.

The language file is used no matter what setting however.

# languagedir = '/usr/share/e2guardian/languages'

language to use from languagedir.

language = 'german'

Logging Settings

#

0 = none 1 = just denied 2 = all text based 3 = all requests

loglevel = 3

Log Exception Hits

Log if an exception (user, ip, URL, phrase) is matched and so

the page gets let through. Can be useful for diagnosing

why a site gets through the filter.

0 = never log exceptions

1 = log exceptions, but do not explicitly mark them as such

2 = always log & mark exceptions (default)

logexceptionhits = 0

Log File Format

1 = Dansguardian format (space delimited)

2 = CSV-style format

3 = Squid Log File Format

4 = Tab delimited

5 = Protex format – Tab delimited, squid style format with extra fields

for filter block/result codes, reasons, filter group, and system name –

used in arrays so that combined logs show originating server.

6 = Protex format with server field blanked

used in stand-alone systems.

7 = Squid Log File Format Secure extension (SF Actions, use comercial report tools (ex: McAfee Webreport))

logfileformat = 1

Log a specific value from header

low case only

only used with logs: 1,5 and 6

logheadervalue = 'proxy-authorization:'

truncate large items in log lines

allowable values 10 to 32000

default 2000

unlimited not longer allowed - 0 will now set default of 2000

maxlogitemlength = 2000

anonymize logs (blank out usernames & IPs)

anonymizelogs = off

Syslog logging

#

Use syslog for access logging instead of logging to the file

at the defined or built-in "loglocation"

logsyslog = off

Suffix to append to program name when logging through syslog

Default is the e2Guardian instance number

namesuffix = $z

Log file location

Defines the log directory and filename.

loglocation = '/var/log/e2guardian/access.log'

Dymamic statistics log file location

#

Defines the dstats file directory and filename.

Once every 'dstatinterval' seconds, stats on number of children, in use and free, number of

connections and connections per second are written to this

file. Format is similar to sar.

Default is not to write stats.

dstatlocation = '/var/log/e2guardian/dstats.log'

Interval between stats output

Default 300 = 5 mins

Minimum 60

Maximum 3600 = 1 hour

dstatinterval = 300 # = 5 minutes

Statistics log file location

#

Defines the stat file directory and filename.

Only used in conjunction with maxips > 0

Once every 3 minutes, the current number of IPs in the cache, and the most

that have been in the cache since the daemon was started, are written to this

file. IPs persist in the cache for 7 days.

statlocation = '/var/log/e2guardian/stats'

Network Settings

the IP that e2guardian listens on. If left blank e2guardian will

listen on all IPs. That would include all NICs, loopback, modem, etc.

Normally you would have your firewall protecting this, but if you want

you can limit it to a certain IP. To bind to multiple interfaces,

specify each IP on an individual filterip line.

If mapportstoips is 'on' you can have the same IP twice so long as

it has a different port.

filterip =

the ports that e2guardian listens to. Specify one line per filterip

line. If both mapportstoips and mapauthtoports are set to 'on'

you can specify different authentication mechanisms per port but

only if the mechanisms can co-exist (e.g. basic/proxy auth can't)

filterports = 8080

filterports = 8081

Map ports to IPs

If enabled map filterports to filterip - number of filterports must then be same as

number of filterip

If disabled will listen on all filterports on all filterips.

on (default) | off

mapportstoips= off

the ip of the proxy (default is the loopback - i.e. this server)

proxyip = 127.0.0.1

the port e2guardian connects to proxy on

proxyport = 3128

Proxy timeout

Set tcp timeout between the Proxy and e2guardian

Min 5 - Max 100

proxytimeout = 20

Proxy failure log interval

The interval between log status entries when proxy is not responding

minimum is proxytimeout - maximum 3600 (= 1 hour)

default = 600 (= 10 mins)

proxyfailureloginterval = 600

Proxy header exchange

Set timeout between the Proxy and e2guardian

Min 20 - Max 300

proxyexchange = 20

Pconn timeout

how long a persistent connection will wait for other requests

squid apparently defaults to 1 minute (persistent_request_timeout),

so wait slightly less than this to avoid duff pconns.

Min 5 - Max 300

pcontimeout = 55

Whether to retrieve the original destination IP in transparent proxy

setups and check it against the domain pulled from the HTTP headers.

#

Be aware that when visiting sites which use a certain type of round-robin

DNS for load balancing, DG may mark requests as invalid unless DG gets

exactly the same answers to its DNS requests as clients. The chances of

this happening can be increased if all clients and servers on the same LAN

make use of a local, caching DNS server instead of using upstream DNS

directly.

#

See http://www.kb.cert.org/vuls/id/435052

on (default) | off

!! Not compiled !! originalip = off

Banned image replacement

Images that are banned due to domain/url/etc reasons including those

in the adverts blacklists can be replaced by an image. This will,

for example, hide images from advert sites and remove broken image

icons from banned domains.

on (default) | off

usecustombannedimage = on custombannedimagefile = '/usr/share/e2guardian/transparent1x1.gif'

Banned flash replacement

usecustombannedflash = on custombannedflashfile = '/usr/share/e2guardian/blockedflash.swf'

Filter groups options

filtergroups sets the number of filter groups. A filter group is a set of content

filtering options you can apply to a group of users. The value must be 1 or more.

e2guardian will automatically look for e2guardianfN.conf where N is the filter

group. To assign users to groups use the filtergroupslist option. All users default

to filter group 1. You must have some sort of authentication to be able to map users

to a group. The more filter groups the more copies of the lists will be in RAM so

use as few as possible.

filtergroups = 2 filtergroupslist = '/etc/e2guardian/lists/filtergroupslist'

Authentication files location

bannediplist = '/etc/e2guardian/lists/bannediplist' exceptioniplist = '/etc/e2guardian/lists/exceptioniplist'

Per-Room definition directory

A directory containing text files containing the room's name followed by IPs or ranges

and optionally site and url lists

Think of it as bannediplist and/or exceptions on crack

 perroomdirectory = '/etc/e2guardian/lists/rooms/'

Show weighted phrases found

If enabled then the phrases found that made up the total which excedes

the naughtyness limit will be logged and, if the reporting level is

high enough, reported. on | off

showweightedfound = on

Positive (clean) result caching for URLs

Caches good pages so they don't need to be scanned again.

It also works with AV plugins.

0 = off (recommended for ISPs with users with disimilar browsing)

1000 = recommended for most users

5000 = suggested max upper limit

If you're using an AV plugin then use at least 5000.

urlcachenumber = 1000 #

Age before they are stale and should be ignored in seconds

0 = never

900 = recommended = 15 mins

urlcacheage = 900

Cache for content (AV) scan results as 'clean'

By default, to save CPU, files scanned and found to be

clean are inserted into the clean cache and NOT scanned

again for a while. If you don't like this then choose

to disable it.

on = cache results; do not re-scan

off = do not cache; always re-scan

(on|off) default = on.

scancleancache = on

Smart, Raw and Meta/Title phrase content filtering options

Smart is where the multiple spaces and HTML are removed before phrase filtering

Raw is where the raw HTML including meta tags are phrase filtered

Meta/Title is where only meta and title tags are phrase filtered (v. quick)

CPU usage can be effectively halved by using setting 0 or 1 compared to 2

0 = raw only

1 = smart only

2 = both of the above (default)

3 = meta/title

phrasefiltermode = 2

Lower casing options

When a document is scanned the uppercase letters are converted to lower case

in order to compare them with the phrases. However this can break Big5 and

other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented

characters are supported.

0 = force lower case (default)

1 = do not change case

2 = scan first in lower case, then in original case

preservecase = 0

Note:

If phrasefiltermode and preserve case are both 2, this equates to 4 phrase

filtering passes. If you have a large enough userbase for this to be a

worry, and need to filter pages in exotic character encodings, it may be

better to run two instances on separate servers: one with preservecase 1

(and possibly forcequicksearch 1) and non ASCII/UTF-8 phrase lists, and one

with preservecase 0 and ASCII/UTF-8 lists.

Hex decoding options

When a document is scanned it can optionally convert %XX to chars.

If you find documents are getting past the phrase filtering due to encoding

then enable. However this can break Big5 and other 16-bit texts.

off = disabled (default)

on = enabled

hexdecodecontent = off

Force Quick Search rather than DFA search algorithm

The current DFA implementation is not totally 16-bit character compatible

but is used by default as it handles large phrase lists much faster.

If you wish to use a large number of 16-bit character phrases then

enable this option.

off (default) | on (Big5 compatible)

forcequicksearch = off

Reverse lookups for banned site and URLs.

If set to on, e2guardian will look up the forward DNS for an IP URL

address and search for both in the banned site and URL lists. This would

prevent a user from simply entering the IP for a banned address.

It will reduce searching speed somewhat so unless you have a local caching

DNS server, leave it off and use the Blanket IP Block option in the

bannedsitelist file instead.

reverseaddresslookups = off

Reverse lookups for banned and exception IP lists.

If set to on, e2guardian will look up the forward DNS for the IP

of the connecting computer. This means you can put in hostnames in

the exceptioniplist and bannediplist.

If a client computer is matched against an IP given in the lists, then the

IP will be recorded in any log entries; if forward DNS is successful and a

match occurs against a hostname, the hostname will be logged instead.

It will reduce searching speed somewhat so unless you have a local DNS server,

leave it off.

reverseclientiplookups = off

Perform reverse lookups on client IPs for successful requests.

If set to on, e2guardian will look up the forward DNS for the IP

of the connecting computer, and log host names (where available) rather than

IPs against requests.

This is not dependent on reverseclientiplookups being enabled; however, if it

is, enabling this option does not incur any additional forward DNS requests.

logclienthostnames = off

Build bannedsitelist and bannedurllist cache files.

This will compare the date stamp of the list file with the date stamp of

the cache file and will recreate as needed.

If a .processed file exists for an item (e.g. domain/URL) list, then that

will be used instead, if it is up to date (i.e. newer than the unprocessed

list file).

NOTE: this option is no longer needed, buggy and is depreciated

NOTE: So leave it 'off' unless you require it for some non-standard set-up!

on | off, default = off

createlistcachefiles = off

Prefer cached list files

If enabled, e2guardian will always prefer to load ".processed" versions of

list files, regardless of their time stamps relative to the original

unprocessed lists. This is not generally useful unless you have a specific

list update process which results in - for example - up-to-date, pre-sorted

".processed" list files with dummy unprocessed files.

on | off, default = off

prefercachedlists = off

Max content filter size

Sometimes web servers label binary files as text which can be very

large which causes a huge drain on memory and cpu resources.

To counter this, you can limit the size of the document to be

filtered and get it to just pass it straight through.

This setting also applies to content regular expression modification.

The value must not be higher than maxcontentramcachescansize

The size is in Kibibytes - eg 2048 = 2Mb

use 0 to set it to maxcontentramcachescansize

#

IMPORTANT: Note that setting this to "0" turns off all features which

extract phrases from page content, including banned & exception

phrases (not just weighted), search term filtering, and scanning for

links to banned URLs.

maxcontentfiltersize = 256

Max content ram cache scan size

This is only used if you use a content scanner plugin such as AV

This is the max size of file that DG will download and cache

in RAM. After this limit is reached it will cache to disk

This value must be less than or equal to maxcontentfilecachescansize.

The size is in Kibibytes - eg 10240 = 10Mb

use 0 to set it to maxcontentfilecachescansize

This option may be ignored by the configured download manager.

maxcontentramcachescansize = 2000

Max content file cache scan size

This is only used if you use a content scanner plugin such as AV

This is the max size file that DG will download

so that it can be scanned or virus checked.

This value must be greater or equal to maxcontentramcachescansize.

The size is in Kibibytes - eg 10240 = 10Mb

maxcontentfilecachescansize = 20000

File cache dir

Where DG will download files to be scanned if too large for the

RAM cache.

filecachedir = '/tmp'

Delete file cache after user completes download

When a file gets save to temp it stays there until it is deleted.

You can choose to have the file deleted when the user makes a sucessful

download. This will mean if they click on the link to download from

the temp store a second time it will give a 404 error.

You should configure something to delete old files in temp to stop it filling up.

on|off (defaults to on)

deletedownloadedtempfiles = on

Initial Trickle delay

This is the number of seconds a browser connection is left waiting

before first being sent something to keep it alive. The

something depends on the download manager chosen.

Do not choose a value too low or normal web pages will be affected.

A value between 20 and 110 would be sensible

This may be ignored by the configured download manager.

initialtrickledelay = 20

Trickle delay

This is the number of seconds a browser connection is left waiting

before being sent more something to keep it alive. The

something depends on the download manager chosen.

This may be ignored by the configured download manager.

trickledelay = 10

Download Managers

These handle downloads of files to be filtered and scanned.

They differ in the method they deal with large downloads.

Files usually need to be downloaded 100% before they can be

filtered and scanned before being sent on to the browser.

Normally the browser can just wait, but with content scanning,

for example to AV, the browser may timeout or the user may get

confused so the download manager has to do some sort of

'keep alive'.

#

There are various methods possible but not all are included.

The author does not have the time to write them all so I have

included a plugin system. Also, not all methods work with all

browsers and clients. Specifically some fancy methods don't

work with software that downloads updates. To solve this,

each plugin can support a regular expression for matching

the client's user-agent string, and lists of the mime types

and extensions it should manage.

#

Note that these are the matching methods provided by the base plugin

code, and individual plugins may override or add to them.

See the individual plugin conf files for supported options.

#

The plugins are matched in the order you specify and the last

one is forced to match as the default, regardless of user agent

and other matching mechanisms.

# downloadmanager = '/etc/e2guardian/downloadmanagers/fancy.conf'

downloadmanager = '/etc/e2guardian/downloadmanagers/trickle.conf'

downloadmanager = '/etc/e2guardian/downloadmanagers/default.conf'

Content Scanners (Also known as AV scanners)

These are plugins that scan the content of all files your browser fetches

for example to AV scan. The options are limitless. Eventually all of

e2guardian will be plugin based. You can have more than one content

scanner. The plugins are run in the order you specify.

This is one of the few places you can have multiple options of the same name.

#

Some of the scanner(s) require 3rd party software and libraries eg clamav.

See the individual plugin conf file for more options (if any).

# contentscanner = '/etc/e2guardian/contentscanners/avastdscan.conf' contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'

contentscanner = '/etc/e2guardian/contentscanners/kavdscan.conf'

contentscanner = '/etc/e2guardian/contentscanners/icapscan.conf'

contentscanner = '/etc/e2guardian/contentscanners/commandlinescan.conf'

Content scanner timeout

Some of the content scanners support using a timeout value to stop

processing (eg AV scanning) the file if it takes too long.

If supported this will be used.

The default of 60 seconds is probably reasonable.

contentscannertimeout = 60

Content scan exceptions

If 'on' exception sites, urls, users etc will be scanned

This is probably not desirable behavour as exceptions are

supposed to be trusted and will increase load.

Correct use of grey lists are a better idea.

(on|off) default = off

contentscanexceptions = off

Auth plugins

#

Handle the extraction of client usernames from various sources, such as

Proxy-Authorisation headers and ident servers, enabling requests to be

handled according to the settings of the user's filter group.

Multiple plugins can be specified, and will be used per port in the order

filterports are listed.

#

If you do not use multiple filter groups, you need not specify this option.

#

authplugin = '/etc/e2guardian/authplugins/proxy-basic.conf'

authplugin = '/etc/e2guardian/authplugins/proxy-digest.conf'

authplugin = '/etc/e2guardian/authplugins/proxy-ntlm.conf'

authplugin = '/etc/e2guardian/authplugins/ident.conf'

authplugin = '/etc/e2guardian/authplugins/ip.conf'

authplugin = '/etc/e2guardian/authplugins/proxy-header.conf'

Map auth to ports

If enabled map auth plugins to ips/ports - number of authplugins must then be same as

number of ports

If disabled scan authplugins on all ports - number of authplugins can then be different

to number of ports

on (default) | off

mapauthtoports = off

Re-check replaced URLs

As a matter of course, URLs undergo regular expression search/replace (urlregexplist)

after checking the exception site/URL/regexpURL lists, but before checking against

the banned site/URL lists, allowing certain requests that would be matched against the

latter in their original state to effectively be converted into grey requests.

With this option enabled, the exception site/URL/regexpURL lists are also re-checked

after replacement, making it possible for URL replacement to trigger exceptions based

on them.

Defaults to off.

recheckreplacedurls = off

Misc settings

if on it adds an X-Forwarded-For: to the HTTP request

header. This may help solve some problem sites that need to know the

source ip. on | off

forwardedfor = off

if on it uses the X-Forwarded-For: to determine the client

IP. This is for when you have squid between the clients and e2guardian.

Warning - headers are easily spoofed. on | off

usexforwardedfor = off

as mentioned above, the headers can be easily spoofed in order to fake the

request origin by setting the X-Forwarded-For header. If you have the

"usexforwardedfor" option enabled, you may want to specify the IPs from which

this kind of header is allowed, such as another upstream proxy server for

instance If you want authorize multiple IPs, specify each one on an individual

xforwardedforfilterip line.

xforwardedforfilterip =

if on it logs some debug info regarding fork()ing and accept()ing which

can usually be ignored. These are logged by syslog. It is safe to leave

it on or off

logconnectionhandlingerrors = on

If on it logs detailed error info regarding SSL error returns.

These are logged by syslog. Default is off.

logsslerrors = on

Fork pool options

If on, this causes DG to write to the log file whenever child processes are

created or destroyed (other than by crashes). This information can help in

understanding and tuning the following parameters, but is not generally

useful in production.

logchildprocesshandling = off

sets the maximum number of processes to spawn to handle the incoming

connections. Max value usually 250 depending on OS.

On large sites you might want to try 380.

maxchildren = 180

sets the minimum number of processes to spawn to handle the incoming connections.

On large sites you might want to try 64.

minchildren = 20

sets the minimum number of processes to be kept ready to handle connections.

On large sites you might want to try 16.

minsparechildren = 16

sets the minimum number of processes to spawn when it runs out

On large sites you might want to try 20.

preforkchildren = 10

sets the maximum number of processes to have doing nothing.

When this many are spare it will cull some of them.

On large sites you might want to try 64.

Note: This value must be greater than minchildren, but

less than maxchildren.

maxsparechildren = 32

sets the maximum age of a child process before it croaks it.

This is the number of connections they handle before exiting.

On large sites you might want to try 10000.

maxagechildren = 500

sets the number of child process to kill/fork at each 5 sec interval.

during at gentle restart

defaults to preforkchildren

gentlechunk=10

Sets the maximum number client IP addresses allowed to connect at once.

Use this to set a hard limit on the number of users allowed to concurrently

browse the web. Set to 0 for no limit, and to disable the IP cache process.

maxips = 0

Process options

(Change these only if you really know what you are doing).

These options allow you to run multiple instances of e2guardian on a single machine.

Remember to edit the log file path above also if that is your intention.

IPC filename

Defines IPC server directory and filename used to communicate with the log process.

ipcfilename = '/tmp/.e2guardianipc'

URL list IPC filename

Defines URL list IPC server directory and filename used to communicate with the URL

cache process.

urlipcfilename = '/tmp/.e2guardianurlipc'

IP list IPC filename

#

Defines IP list IPC server directory and filename, for communicating with the client

IP cache process.

ipipcfilename = '/tmp/.e2guardianipipc'

PID filename

Defines process id directory and filename.

pidfilename = '/var/run/e2guardian.pid'

Disable daemoning

If enabled the process will not fork into the background.

It is not usually advantageous to do this.

on|off (defaults to off)

nodaemon = off

Disable logging process

on|off (defaults to off)

nologger = off

Enable logging of "ADs" category blocks

on|off (defaults to off)

logadblocks = off

Enable logging of client User-Agent

Some browsers will cause a lot of extra information on each line!

on|off (defaults to off)

loguseragent = off

Daemon run as user and group

This is the user that e2guardian runs as. Normally the user/group nobody.

Uncomment to use. Defaults to the user set at compile time.

Temp files created during virus scanning are given owner and group read

permissions; to use content scanners based on external processes, such as

clamdscan, the two processes must run with either the same group or user ID.

Configuration files and lists must be owned by daemonuser

daemonuser = 'e2guardian' daemongroup = 'clamav'

daemonuser = 'root'

daemongroup = 'root'

Soft restart

When on this disables the forced killing off all processes in the process group.

This is not to be confused with the -g run time option - they are not related.

on|off (defaults to off)

softrestart = off

Mail program

Path (sendmail-compatible) email program, with options.

Not used if usesmtp is disabled (filtergroup specific).

mailer = '/usr/sbin/sendmail -t'

SSL certificate checking path

Path to CA certificates used to validate the certificates of https sites.

if left blank openssl default ca certificate bundle will be used

Leave as default unless you want to load non-default cert bundle

sslcertificatepath = ''

SSL man in the middle

CA certificate path

Path to the CA certificate to use as a signing certificate for

generated certificates.

default is blank - required if ssl_mitm is enabled.

cacertificatepath = '/etc/e2guardian/ssl_cert/my_rootCA.crt'

CA private key path

path to the private key that matches the public key in the CA certificate.

default is blank - required if ssl_mitm is enabled.

caprivatekeypath = '/etc/e2guardian/ssl_cert/private_root.pem'

Cert private key path

The public / private key pair used by all generated certificates

default is blank - required if ssl_mitm is enabled.

certprivatekeypath = '/etc/e2guardian/ssl_cert/private_cert.pem'

Generated cert path

The location where generated certificates will be saved for future use.

(must be writable by the dg user)

default is blank - required if ssl_mitm is enabled.

generatedcertpath = '/etc/e2guardian/generatedcerts/'

Warning: if you change the cert start/end time from default on a running

system you will need to clear the generated certificate

store and also may get problems on running client browsers

Generated cert start time (in unix time) - optional

defaults to 1417872951 = 6th Dec 2014

generatedcertstart = 1417872951

Generated cert end time (in unix time) - optional

defaults to generatedcertstart + 10 years

genratedcertend =

generatedcertstart =

monitor helper path

If defined this script/binary will be called with start or stop appended as follows:-

At start after e2guardian has started monitorstart children with ' start' appended

When e2guardian is stopping with ' stop' appended

If cache stops responding with ' stop' appended

When cache resumes with ' start' appended

monitorhelper = '/usr/local/bin/mymonitor'

monitor flag prefix path

If defined path will be used to generate flag files as follows:-

At start after e2guardian has started monitorstart children with 'running' appended

When e2guardian is stopping with 'paused' appended

If cache stops responding with 'paused' appended

When cache resumes with 'running' appended

monitorflagprefix = '/tmp/e2g_runflag'

monitorstart - defaults to minchildren

valid values between 1 and minchildren

monitorstart = 0

winewood commented 7 years ago

Fred, not sure if you noticed but I hit an edit on that reply that showed that some of my clients were still getting that error, although the frequency was not as much. I do think there are some bugs with the re-direct code. Can you tell me what I need to do to document them for you when I find them? I can script out a grab of the logs and send them to you directly if you wish.

On Thu, Mar 16, 2017 at 1:12 PM, Fredb notifications@github.com wrote:

Ok great, this confirm that there is a more large problem with http redirect code, I think that my fix is not "clean" enough

Le 16 mars 2017 16:18:04 GMT+01:00, Wade Young notifications@github.com a écrit :

Have been testing for 1.5 day and the recent patches have seemed to fix this issue. Will have to generate more testing to be sure, but so far so good.

./autogen.sh && ./configure '--prefix=/usr' '--enable-clamd=no' '--with-proxyuser=e2guardian' '--with-proxygroup=e2guardian' '--sysconfdir=/etc' '--localstatedir=/var' '--enable-icap=yes' '--enable-commandline=yes' '--enable-email=yes' '--enable-ntlm=yes' '--enable-trickledm=yes' '--mandir=${prefix}/share/man' '--infodir=${prefix}/share/info' 'CXXFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' 'LDFLAGS=-Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2' 'CFLAGS=-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security' '--enable-pcre=yes' '--enable-sslmitm=yes'

On Mon, Mar 13, 2017 at 5:54 PM, Spike notifications@github.com wrote:

@avdreith https://github.com/avdreith could you please share all the steps you took and configs you changed to set up your e2guardian instance? I'd like to repro if possible so maybe I can help with investigation. thanks

— You are receiving this because you commented. Reply to this email directly, view it on GitHub

https://github.com/e2guardian/e2guardian/issues/ 176#issuecomment-286269079, or mute the thread

https://github.com/notifications/unsubscribe-auth/ AXl4wUobetVmyaIsHhhpIx3ltNASmAPVks5rlcklgaJpZM4L_oPV .

-- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/e2guardian/e2guardian/issues/ 176#issuecomment-287090361

-- Envoyé de mon appareil Android avec K-9 Mail. Veuillez excuser ma brièveté.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/e2guardian/e2guardian/issues/176#issuecomment-287145305, or mute the thread https://github.com/notifications/unsubscribe-auth/AXl4wR1Zzcb7s1t3E6eMLSorgLL8Lnzsks5rmXuGgaJpZM4L_oPV .