# e2guardian config file for version 5.4.4
#NOTE This file (and any .Include<> files) are only read at start-up
#
# but the lists defined in this file are re-read on reload or gentle restart
# as are any rooms directory files.
### Config is now split into sections as follows
###
### QUICK_START - Items to check to get you started
### NAMES_PATHS - Names & Path settings
### NETWORK - Network settings
### MITM - SSL MITM settings
### ICAP_SERVICE - ICAP server mode settings
### TRANSPARENT - Transparent proxy settings
### AUTH - Authentication (user and group assignment)
### settings and lists
### ACCESS_LOG - Access log settings
### MONITORING - Monitoring settings
### URL_FILTERING - URL filtering settings
### LIST_SETTINGS - Settings on how lists are handled
### AV_SCANNERS - AV scanner settings and lists
### HEADER - HTTP Header handling
### BLOCK_PAGE - Block Page formats and handling
### DOWNLOAD_MANAGER - Download manager settings
### PHRASES - Content phrase settings
### TUNING - Tuning parameters
### DEBUG - Debug settings
### PROCESS - e2guardian process settings
### OBSOLETE - Obsolete settings
### INFO - Info on new features etc
###
### QUICK_START section
###
### e2guardian will work as a normal http/s proxy server
### listening on port 8080
### without you making any changes to this file.
###
### NOTE: this copy already departs from the stock defaults below:
### dockermode = on and icapport = 1344 are set (not commented out),
### so ICAP server mode is enabled and the process stays in the foreground.
###
### This section contains settings that you may want to
### change, e.g. language, dockermode, to set ICAP mode or enable SSL MITM
### support
###
# language to use from languagedir.
language = 'ukenglish'
#.Define LISTDIR
# NEW in v5.4.2 - LISTDIR 'variable' definition
# This works similarly to a shell environment variable
# The text between <> will replace occurrences of __LISTDIR__ in .conf and
# list files.
# See INFO section for more details
# default LISTDIR value for e2guardian.conf is E2CONFDIR/lists/common
dockermode = on
#
# Container mode
# the process will not fork into the background AND will log to stdout
# In this mode the systemd service is disabled !
# Default: off
# loop prevention
#
# For loop prevention purposes list all IPs e2g can be reached on
# Include all e2g host server IPs and any VIP used when in an array.
# If squid in front then add ip of squid server and squid port in extracheckports
# Specify each IP on an individual checkip line or multiple IP on a single line separated by ':'
#
#checkip = 127.0.0.1
#checkip = ip_of_server
#checkip = 2nd ip of server
#checkip = VIP of server
# or
#checkip = 127.0.0.1:ip_of_server:2nd IP of server:VIP
#
# Defaults: Not set - only loop prevention for 127.0.0.1 requests
#
#extracheckports = 3128
#
# by default e2g will loop protect for all ports defined in filterports
# If you are using squid in front or other device which re-assigns ports
# then add the user-facing port(s) to extracheckports
# Specify each port on an individual extracheckports line or multiple ports on a single line separated by ':'
#transparenthttpsport = 8443
#
#port for transparent https
#NOTE: To make this work the firewall will need to redirect tcp port 443 on routed
# packets to this port and ssl must be enabled with enablessl = on
# default 0 - i.e. disabled
icapport = 1344
#
#port for ICAP server
#if defined enables icap server mode
# default is 0 - i.e. disabled
# NOTE(review): icapport is set (not commented out) here, so ICAP server mode is
# active in this file. Restrict network reachability of this port to the ICAP
# client (the squid host) at the firewall; no per-listener bind address is shown
# in this section, so confirm how the listener is bound before exposing it.
#proxyip = 127.0.0.1
#
# the ip of upstream proxy - optional - if blank e2g will go direct to sites.
# default is "" i.e. no proxy
#filtergroups = 1
#
# filtergroups sets the number of filter groups.
# A filter group is a set of content filtering options you can apply to a
# group of users.
# The value must be 1 or more.
# e2guardian will automatically look for e2guardianfN.conf where N is the filter
# group.
# default 1
#defaultfiltergroup = 1;
#
# default filtergroup for standard (explicit proxy) mode
# optional defaults to 1
#enablessl = on
#
# Enable SSL support
# This must be present to enable MITM and Cert checking
# If on you must also check the MITM section.
# default is off
###
### END of QUICK_START section
### NAMES_PATHS section
###
# servername = 'my_name'
#
# Default is to use the system name of the host in logs
#daemonuser = 'e2guardian'
#daemongroup = 'e2guardian'
#
# Daemon runas user and group
# This is the user that e2guardian runs as. Normally the user/group nobody.
# Uncomment to use. Defaults to the user/group set at compile time.
# NOTE(review): both lines are commented out here, so the compile-time
# user/group applies - confirm it is an unprivileged account.
#
# Temp files created during virus scanning are given owner and group read
# permission so, if you have the clamdscan plugin enabled,
# the two processes must run with either the same group or user ID.
languagedir = '/usr/share/e2guardian/languages'
#
# The HTML templates within this dir are only used when reportinglevel
# is set to 3. When used, e2guardian will display the HTML file instead of
# using the perl cgi script. This option is faster, cleaner
# and easier to customise the access denied page.
# The language file is used no matter what setting however.
#
#preauthstoryboard = '/etc/e2guardian/preauth.story'
#
# default '/etc/e2guardian/preauth.story'
#
perroomdirectory = '__LISTDIR__/../rooms/'
#
# Per-Room definition directory
# A directory containing text files containing the room's name followed by IPs or ranges
# and optionally site and url lists
# Think of it as bannediplist and/or exceptions on crack
###
### END of NAMES_PATHS section
### NETWORK section
###
#filterip =
#
# the IP that e2guardian listens on. If left blank e2guardian will
# listen on all IPs. That would include all NICs, loopback, modem, etc.
# Normally you would have your firewall protecting this, but if you want
# you can limit it to a certain IP. To bind to multiple interfaces,
# specify each IP on an individual filterip line or separate IPs with ':' on a single line
# default "" - listen on all IPs
#filterports = 8080
#filterports = 8081
#
# The port(s) that e2guardian listens to for proxy traffic.
# Specify one line per port used for standard explicit proxy or separate ports with ':' on a single line
# These ports can also be used for redirected transparent HTTP
# Default is to listen on 8080 for proxy traffic
#proxyport = 3128
#
# the port e2guardian connects to any upstream proxy on
# default 3128
###
### END of NETWORK section
### MITM section
###
# Check these settings if enablessl = on
# For instructions on how to set this up
# see notes/ssl_mitm
#sslcertificatepath = ''
#
#SSL certificate checking path
#Path to CA certificates used to validate the certificates of https sites.
# if left blank the openssl default ca certificate bundle will be used
#Leave as default unless you want to load a non-default cert bundle
#SSL man in the middle
cacertificatepath = '/etc/e2guardian/private/ca.pem'
#
#CA certificate path
#Path to the CA certificate to use as a signing certificate for
#generated certificates.
# required if ssl_mitm is enabled.
caprivatekeypath = '/etc/e2guardian/private/ca.key'
#
#CA private key path
#path to the private key that matches the public key in the CA certificate.
# required if ssl_mitm is enabled.
# NOTE(review): this key signs every certificate the MITM generates, so anyone
# who can read it can impersonate any https site to clients trusting the CA.
# Keep it readable only by the daemon user/group (see daemonuser/daemongroup).
certprivatekeypath = '/etc/e2guardian/private/cert.key'
#
#Cert private key path
#The public / private key pair used by all generated certificates
# required if ssl_mitm is enabled.
generatedcertpath = '/etc/e2guardian/private/generatedcerts/'
#
#Generated cert path
#The location where generated certificates will be saved for future use.
#(must be writable by the e2 user)
# required if ssl_mitm is enabled.
#Warning: if you change the cert start/end time from default on a running
# system you will need to clear the generated certificate
# store and also may get problems on running client browsers
#
# generatedcertstart = 1417872951
#
#Generated cert start time (in unix time) - optional
# defaults to 1417872951 = 6th Dec 2014
#
# generatedcertend =
#
#Generated cert end time (in unix time) - optional
# defaults to generatedcertstart + 10 years
#useopensslconf = off
#
# Use openssl configuration file
# switch this on if you want e2g to read in the openssl configuration
# This is useful if you want to use a hardware acceleration engine.
# default is off
#
# opensslconffile = '/etc/e2guardian/openssl.conf'
#
# Alternate openssl configuration file
# only used if useopensslconf = on
# default is to use the standard openssl configuration file
# only use this if an alternate openssl configuration file is used for e2g
#
# setcipherlist = "HIGH:!ADH:!MD5:!RC4:!SRP:!PSK:!DSS"
#
# Sets the cipher list used by openssl
# Default is "HIGH:!ADH:!MD5:!RC4:!SRP:!PSK:!DSS"
# May be withdrawn in future versions as best defined in openssl.conf
# Sites that are impossible or undesirable to MITM
#
sitelist = 'name=nomitm,path=__LISTDIR__/nomitmsitelist'
ipsitelist = 'name=nomitm,path=__LISTDIR__/nomitmsiteiplist'
###
### END of MITM section
### ICAP_SERVICE section
###
#defaulticapfiltergroup = 1
#
# default filtergroup for ICAP mode
# defaults to 1
#icapreqmodurl = 'request'
#Url to respond to ICAP reqmod queries
# default 'request'
#icapresmodurl = 'response'
#Url to respond to ICAP respmod queries
# default 'response'
###
### END of ICAP_SERVICE section
### TRANSPARENT section
###
#defaulttransparentfiltergroup = 1;
#
# default filtergroup for transparent proxy mode (http and thttps)
# optional defaults to 1
#useoriginalip = on
#
# This option only applies when the request is transparent (http or https),
# when no upstream proxy is used, and where it is possible to detect
# the original destination ip & port
# When enabled the upstream request will be directed at the original ip and port
# and no DNS lookup will be performed.
# This solves the 'snapchat' issue and also should increase speed of connection.
# Currently this ONLY works on linux systems.
# BSD developers, PLEASE HELP fix this for BSD, pfsense etc!
# default = on (linux) ignored (bsd)
###
### END of TRANSPARENT section
### AUTH section
###
### In the context of e2guardian authentication is primarily
### the determination of the filter group to be used.
###
### Some of the plug-ins also return a username which is
### then used in the access log
# Auth plugins
#
# Handle the extraction of client usernames and groups from various sources,
# enabling requests to be handled according to the settings of the user's
# filter group.
#
## There are five ways that e2g can be deployed and this affects the auth
## plugins available
##
##
## 'Standalone' - e2g handles client and upstream traffic
##
## 'Proxy-First' - client is logged in by proxy (squid)
## and proxy passes e2g the user name in a 'basic' proxy
## auth header
##
## 'Proxy-After' - client points to e2g which then uses upstream proxy
## This is the method used by dg/e2g until v5.
## If authentication is enabled on proxy, then
## sslreplace, 'Transparent' or IP auth will not work.
##
## 'Transparent' - 80/443 requests are redirected to e2g on gateway
## Can be used with Standalone or Proxy-After mode
## Note: only IP based plugins will be used in this
## and so normally it is not possible to capture the
## user name. However, devices using transparent
## can be put in their own default group.
##
## 'ICAP mode' - All traffic goes via squid and squid uses e2g as an
## ICAP server.
## ICAP has built in auth as username is supplied in the ICAP header
## by squid. The user is checked against the filtergroupslist to get the
## group. To cater for the situation where user is missing ip based
## plugins such as 'ip' can be used as fall back.
##
## Note that e2g can support multiple methods at the same time,
## e.g. Standalone, Transparent and ICAP server
## There are three types of plugin
## 'Native', 'Proxy-first' and 'Proxy-after'
## 'Native' plugins - these do not require use of a proxy
#authplugin = '/etc/e2guardian/authplugins/ident.conf'
# Requires identd running on each client - gives username
# Group based on ip or ip range - pseudo username of the ip
#authplugin = '/etc/e2guardian/authplugins/ip.conf'
# Group based on e2g port number - pseudo username of the port
# for this option the ports have to be declared as multiple filterport lines
#authplugin = '/etc/e2guardian/authplugins/port.conf'
# User and group obtained from dns entries mapping ip to user/group
# dns entries maintained by separate authentication program.
#authplugin = '/etc/e2guardian/authplugins/dnsauth.conf'
# HELP - more native plugins needed! 'basic' etc.
## 'Proxy-first' plugin - requires a proxy in front to do the user
## authentication.
# Use pf-basic.conf where proxy is doing auth in front of e2g
# New in v5.4
#authplugin = '/etc/e2guardian/authplugins/pf-basic.conf'
# User defined in header - requires interception prior to e2g
# to add headers
#authplugin = '/etc/e2guardian/authplugins/proxy-header.conf'
# ip plugin can also be used in Proxy first mode.
## 'Proxy-after' plugins - requires a proxy behind.
## These are pass-through plugins which rely on sniffing the
## proxy auth headers between client and proxy to get username
## - DEPRECATED and will be removed in next release
## - Use Proxy-first plugin and squid in front of e2g instead
# Basic auth on back-end proxy
#authplugin = '/etc/e2guardian/authplugins/proxy-basic.conf'
## - DEPRECATED and will be removed in next release
# Digest auth on back-end proxy
#authplugin = '/etc/e2guardian/authplugins/proxy-digest.conf'
## - DEPRECATED and will be removed in next release
# NTLM (only v1) auth on back-end proxy
#authplugin = '/etc/e2guardian/authplugins/proxy-ntlm.conf'
## - DEPRECATED and will be removed in next release
# All native plugins can also be used in proxy-after mode
# but only when auth is not forced by the upstream proxy
## Auth mapping files - Map users (or client IPs) to filter groups
## Note that from v5.4 lists used by auth plugins are defined here and
## not in auth *.conf files
# Generic user to group mapping - used by default by basic, digest, ntlm,
# ident & icap plugins
maplist = 'name=defaultusermap, path=__LISTDIR__/../authplugins/filtergroupslist'
# for ip auth
ipmaplist = 'name=ipmap, path=__LISTDIR__/../authplugins/ipgroups'
# for port auth
maplist = 'name=portmap, path=__LISTDIR__/../authplugins/portgroups'
# If on a user without group is considered unauthenticated and
# E2guardian tries the next plugin
# If off the user is connected with defaultgroup
# Defaults to off
# authrequiresuserandgroup = off
# Authentication exception/banned clients
#
# bannediplist is ONLY for banned client IP
iplist = 'name=bannedclient,messageno=100,logmessageno=103,path=__LISTDIR__/bannediplist'
# exceptioniplist is ONLY for exception client IP
iplist = 'name=exceptionclient,messageno=600,path=__LISTDIR__/exceptioniplist'
reverseclientiplookups = off
# Reverse lookups for banned and exception IP clients.
# If set to on, e2guardian will look up the forward DNS for the IP
# of the connecting computer.
# If a client computer is matched against an IP given in the lists, then the
# IP will be recorded in any log entries; if forward DNS is successful and a
# match occurs against a hostname, the hostname will be logged instead.
# It will reduce searching speed somewhat so unless you have a local DNS server,
# leave it off.
# Put client dns names in bannedclientlist if required
#sitelist = 'name=bannedclient,messageno=100,logmessageno=104,path=__LISTDIR__/bannedclientlist'
# Put client dns names in exceptionclientlist if required
#sitelist = 'name=exceptionclient,messageno=631,path=__LISTDIR__/exceptionclientlist'
# authexception lists are for exception sites/urls allowed before authentication
# to allow for machines to update without user authentication
# NOTE(review): entries in these lists bypass authentication entirely, so keep
# them to the specific update hosts/urls that genuinely need it.
ipsitelist = 'name=authexception,messageno=602,path=__LISTDIR__/authexceptioniplist'
sitelist = 'name=authexception,messageno=602,path=__LISTDIR__/authexceptionsitelist'
urllist = 'name=authexception,messageno=603,path=__LISTDIR__/authexceptionurllist'
regexpboollist = 'name=browser,path=__LISTDIR__/browserregexplist'
#
# List of regexps that match the User-agent of browsers
# Used to determine if client is a browser
# and decide whether to send a block page or go MITM
###
### END of AUTH section
### ACCESS_LOG section
###
## Location and format
#loglocation = '/var/log/e2guardian/access.log'
# Log file location
#
# Defines the log directory and filename.
#logsyslog = off
# Syslog logging
# Use syslog for access logging instead of logging to the file
# at the defined or built-in "loglocation"
nologger = off
# Disable logging process
# on|off (defaults to off)
#namesuffix = ""
#Suffix to append to program name when logging through syslog
# Default is blank
#logfileformat = 8
# Log File Format
# 1 = Dansguardian format (space delimited)
# 2 = CSV-style format
# 3 = Squid Log File Format
# 4 = Tab delimited
# Protex format type 5 Tab delimited, squid style format with extra fields
# for filter block/result codes, reasons, filter group, and system name
# used in arrays so that combined logs show originating server.
# 5 = Protex format
# Protex format type 6 Same format as above but system name field is blank
# used in stand-alone systems.
# 6 = Protex format with server field blanked
# 7 = Same as 5, but with searchterms and EXTFLAGS added
# See notes/New_log_fileds_in_log_format7-8.pdf for details
# 8 = Same as 7, but with server field blanked
# Default is 8
#anonymizelogs = off
# anonymize logs (blank out client usernames & IPs)
# default off
## What requests to log
# Note: These options may be replaced by storyboard function in v5.5
# With the settings as distributed all requests (apart from ADs) will
# be logged.
#loglevel = 3
# 0 = none 1 = just denied 2 = all text based 3 = all requests
# default 3
#logexceptionhits = 2
# Log Exception Hits
# Log if an exception (user, ip, URL, phrase) is matched and so
# the page gets let through. Can be useful for diagnosing
# why a site gets through the filter.
# 0 = never log exceptions
# 1 = log exceptions, but do not explicitly mark them as such
# 2 = always log & mark exceptions (default)
#logadblocks = off
# Enable logging of "ADs" category blocks
# on|off (defaults to off)
## What extra data is to be logged
#showweightedfound = on
# Show weighted phrases found
# If enabled then the phrases found that made up the total which exceeds
# the naughtyness limit will be logged and, if the reporting level is
# high enough, reported. on | off
# default is on
#showallweightedfound = off
# Show all weighted phrases found
# If enabled then the phrases found that made up the total will be logged and, if the reporting level is
# high enough, reported. on | off
# default is off
#logclienthostnames = off
# Perform reverse lookups on client IPs for successful requests.
# If set to on, e2guardian will look up the forward DNS for the IP
# of the connecting computer, and log host names (where available) rather than
# IPs against requests.
# This is not dependent on reverseclientiplookups being enabled; however, if it
# is, enabling this option does not incur any additional DNS requests.
#loguseragent = off
# Enable logging of client User-Agent
# Some browsers will cause a *lot* of extra information on each line!
# on|off (defaults to off)
#logclientnameandip = on
# Enable logging of both client hostname and its IP
# If off the hostname will be logged instead of IP
# Applies only to log formats 5, 6, 7 & 8.
# on|off (defaults to on)
# Needs to be turned off if you are using sarg log analysis.
#dnsuserloggingdomain = ""
# Used to get user/domain from special dns zone for logging purposes only
# Similar to dnsauth plugin operation but only for logging.
## Log formatting options
#usedashforblank = on
# use dash ('-') instead of blank fields in log
# This is essential for space delimited log formats, and makes all log types easier to read
# But can be turned off if this causes a problem with log analysis
# on|off (defaults to on)
#logtimestamp = off
# Add unix timestamp to time field so that date/time in readable format
# and unix timestamp - applies only to log formats 1,2 and 4
# default off
#logid1 = ""
#logid2 = ""
# only used in logformats 1, 2 and 4
# default ""
#productid = '2'
# Used in SG_LOGFORMAT
# default 2
## Other access log options
#maxlogitemlength = 2000
# truncate large items in log lines
# allowable values 10 to 32000
# default 2000
# unlimited no longer allowed - 0 will now set default of 2000
###
### END of ACCESS_LOG section
### MONITORING section
###
dstatlocation = '/var/log/e2guardian/dstats.log'
# Dynamic statistics log file location
#
# Defines the dstats file directory and filename.
# Once every 'dstatinterval' seconds, stats on number of threads in use,
# Q sizes and other useful information is written to this file.
# Format is similar to sar. See notes/dstats_format for more details.
# Default "" - do not write stats.
#dstatinterval = 300
# = 5 minutes
# Interval in seconds between stats output
# Default 300 (= 5 mins)
# Minimum 10
# Maximum 3600 (= 1 hour)
#statshumanreadable = off
# Time format for dstat is epoch GMT+0 by default | statshumanreadable
# change to local zone
# default off
#
# internaltesturl = 'internal.test.e2guardian.org'
#
# A pretend url for testing e2g is working.
#
# It returns a small page containing OK if working ok.
#
# Used by loadbalancers and monitoring software (e.g. smokeping)
# to detect if e2g is functioning.
#
# It is tested for after connection is successful and a worker thread is
# assigned, but before user auth and group assignment is made.
#
# This has been built in to e2g since v3, but this option allows the
# url to be changed.
#
# default 'internal.test.e2guardian.org'
#
# internalstatusurl = 'internal.status.e2guardian.org'
#
# A pretend url for checking the status of a user.
#
# It returns a small page providing various information
# such as user name, ip, filtering group, server name,
# e2guardian version, flags field.
#
# Designed to be used by status software and by technical staff for testing
# user access/assignment.
#
# It is tested for after user auth and group assignment is made, but
# before any filtering is performed.
# New in v5.4.3, this option allows the
# url to be changed.
#
# NOTE(review): the status page discloses user name, group, server name and
# version to whichever client requests it; this option presumably only renames
# the url rather than disabling the page - verify if that disclosure matters.
#
# default 'internal.status.e2guardian.org'
#
# monitorflagprefix = '/var/run/e2g_flag_'
# monitor flag prefix path
# If defined path will be used to generate flag files as follows:-
#
# At start after e2guardian has started listener and worker threads with
# 'running' appended
# When e2guardian is stopping with 'paused' appended
# default '' - flags disabled
###
### END of MONITORING section
### URL_FILTERING section
###
reverseaddresslookups = off
# Reverse lookups for site and URL lists.
# If set to on, e2guardian will look up the forward DNS for an IP URL
# address and search for both in the banned site and URL lists. This would
# prevent a user from simply entering the IP for a banned address.
# It will reduce searching speed somewhat so unless you have a local caching
# DNS server, leave it off and use the Blanket IP Block option in the
# f1.story file instead.
###
### END of URL_FILTERING section
### LIST_SETTINGS section
###
# abortiflistmissing = off
# Abort if a list is missing or unreadable
# default is to warn but then ignore missing lists
# To abort on a missing list set to on
# NOTE(review): with the default (off) a missing banned/exception list is
# skipped silently apart from the warning, i.e. the filter runs without it.
# default "off"
#searchsitelistforip = on
#Search sitelist for ip sites
# In v5 a separate set of lists has been introduced for IP sites
# and normally e2g will no longer check site lists for ip's
# If you want to keep backward list compatibility then set this to
# 'on' - but note this incurs an overhead - putting IP in ipsitelists
# and setting this to off gives the fastest implementation.
# default is 'on'
###
### END of LIST_SETTINGS section
### AV_SCANNERS section
###
# Content Scanners (Also known as AV scanners)
# These are plugins that scan the content of all files your browser fetches
# for example to AV scan. You can have more than one content
# scanner. The plugins are run in the order you specify.
# This is one of the few places you can have multiple options of the same name.
#
# Some of the scanner(s) require 3rd party software and libraries eg clamav.
# See the individual plugin conf file for more options (if any).
#
#contentscanner = '/etc/e2guardian/contentscanners/clamdscan.conf'
#!! Not compiled !! contentscanner = '/etc/e2guardian/contentscanners/avastdscan.conf'
#!! Not compiled !! contentscanner = '/etc/e2guardian/contentscanners/kavdscan.conf'
#contentscanner = '/etc/e2guardian/contentscanners/icapscan.conf'
# Warning: The commandlinescan plugin uses 'fork()' which does not work well
# in a large multi-threaded program like e2g. It can cause unpredictable
# crashes.
# On a small scale system (home user) it may work ok, but not recommended for
# larger scale systems. The more active threads, the more likely a crash is.
#
#contentscanner = '/etc/e2guardian/contentscanners/commandlinescan.conf'
#contentscannertimeout = 60
# Content scanner timeout
# Some of the content scanners support using a timeout value to stop
# processing (eg AV scanning) the file if it takes too long.
# If supported this will be used.
# defaults to value of pcontimeout
###
### END of AV_SCANNERS section
### HEADER section
###
#addforwardedfor = off
#
# if on it adds an X-Forwarded-For: to the HTTP request
# header. This may help solve some problem sites that need to know the
# source ip. on | off
# default off
#
# forwardedfor = off
#
# old name for addforwardedfor - retained for compatibility.
usexforwardedfor = off
#
# if on it uses the X-Forwarded-For: to determine the client
# IP. This is for when you have squid between the clients and e2guardian.
# Warning - headers are easily spoofed. on | off
# default off
# NOTE(review): because the client IP drives the ip/bannedclient/exceptionclient
# lists above, only turn this on together with xforwardedforfilterip so the
# header is honoured solely from the trusted upstream proxy.
#
# xforwardedforfilterip =
#
# as mentioned above, the headers can be easily spoofed in order to fake the
# request origin by setting the X-Forwarded-For header. If you have the
# "usexforwardedfor" option enabled, you may want to specify the IPs from which
# this kind of header is allowed, such as another upstream proxy server for
# instance. If you want to authorize multiple IPs, specify each one on an individual
# xforwardedforfilterip line.
# default no entries
#
# maxheaderlines = 50
#
# Limit number of http header lines in a request/response
# (to guard against attacks)
# Minimum 10 max 250
# default 50
###
### END of HEADER section
### BLOCK_PAGE section
###
#reportinglevel = 3
#
# reportinglevel
#
# -1 = log, but do not block - Stealth mode
# 0 = just say 'Access Denied'
# 1 = report why but not what denied phrase
# 2 = report fully
# 3 = use HTML template file (accessdeniedaddress ignored) - recommended
#
# Defines the global setting - can be overridden in e2guardianf1.conf
#
# default 3
#usecustombannedimage = on
#
#custombannedimagefile = '/usr/share/e2guardian/transparent1x1.gif'
# Banned image replacement
# Images that are banned due to domain/url/etc reasons including those
# in the adverts blacklists can be replaced by an image. This will,
# for example, hide images from advert sites and remove broken image
# icons from banned domains.
# on (default) | off
#usecustombannedflash = on
#
#custombannedflashfile = '/usr/share/e2guardian/blockedflash.swf'
#
#Banned flash replacement
###
### END of BLOCK_PAGE section
### DOWNLOAD_MANAGER section
###
# Download Managers
# These handle downloads of files to be filtered and scanned.
# They differ in the method they deal with large downloads.
# Files usually need to be downloaded 100% before they can be
# filtered and scanned before being sent on to the browser.
# Normally the browser can just wait, but with content scanning,
# for example to AV, the browser may timeout or the user may get
# confused so the download manager has to do some sort of
# 'keep alive'.
#
# There are various methods possible but not all are included.
# Also, not all methods work with all
# browsers and clients. Specifically some fancy methods don't
# work with software that downloads updates. To solve this,
# each plugin can support a regular expression for matching
# the client's user-agent string, and lists of the mime types
# and extensions it should manage.
#
# Note that these are the matching methods provided by the base plugin
# code, and individual plugins may override or add to them.
# See the individual plugin conf files for supported options.
#
# The plugins are matched in the order you specify and the last
# one is forced to match as the default, regardless of user agent
# and other matching mechanisms.
#
# NOTE - ONLY the default downloadmanager is supported in v5.4
# More will be supported in v5.5
downloadmanager = '/etc/e2guardian/downloadmanagers/default.conf'
#filecachedir = '/tmp'
#
# File cache dir
# Where E2 will download files to be scanned if too large for the
# RAM cache.
# default "/tmp"
#deletedownloadedtempfiles = on
#
# Delete file cache after user completes download
# When a file gets saved to temp it stays there until it is deleted.
# You can choose to have the file deleted when the user makes a successful
# download. This will mean if they click on the link to download from
# the temp store a second time it will give a 404 error.
# You should configure something to delete old files in temp to stop it filling up.
# on|off (defaults to on)
#initialtrickledelay = 20
#
# Initial Trickle delay
# This is the number of seconds a browser connection is left waiting
# before first being sent *something* to keep it alive. The
# *something* depends on the download manager chosen.
# Do not choose a value too low or normal web pages will be affected.
# A value between 20 and 110 would be sensible
# This may be ignored by the configured download manager.
# default 20
#trickledelay = 10
#
# Trickle delay
# This is the number of seconds a browser connection is left waiting
# before being sent more *something* to keep it alive. The
# *something* depends on the download manager chosen.
# This may be ignored by the configured download manager.
# default 10
###
### END of DOWNLOAD_MANAGER section
### PHRASES section
###
weightedphrasemode = 2
#
# Weighted phrase mode
# There are 3 possible modes of operation:
# 0 = off = do not use the weighted phrase feature.
# 1 = on, normal = normal weighted phrase operation.
# 2 = on, singular = each weighted phrase found only counts once on a page.
#
# IMPORTANT: Note that setting this to "0" turns off all features which
# extract phrases from page content, including banned & exception
# phrases (not just weighted), search term filtering, and scanning for
# links to banned URLs.
#
#phrasefiltermode = 2
#
# Smart, Raw and Meta/Title phrase content filtering options
# Smart is where the multiple spaces and HTML are removed before phrase filtering
# Raw is where the raw HTML including meta tags are phrase filtered
# Meta/Title is where only meta and title tags are phrase filtered (v. quick)
# CPU usage can be effectively halved by using setting 0 or 1 compared to 2
# 0 = raw only
# 1 = smart only
# 2 = both of the above
# 3 = meta/title
# default 2
#preservecase = 0
#
# Lower casing options
# When a document is scanned the uppercase letters are converted to lower case
# in order to compare them with the phrases. However this can break Big5 and
# other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented
# characters are supported.
# 0 = force lower case (default)
# 1 = do not change case
# 2 = scan first in lower case, then in original case
# Note:
# If phrasefiltermode and preservecase are both 2, this equates to 4 phrase
# filtering passes. If you have a large enough userbase for this to be a
# worry, and need to filter pages in exotic character encodings, it may be
# better to run two instances on separate servers: one with preservecase 1
# (and possibly forcequicksearch 1) and non ASCII/UTF-8 phrase lists, and one
# with preservecase 0 and ASCII/UTF-8 lists.
#hexdecodecontent = off
#
# Hex decoding options
# When a document is scanned it can optionally convert %XX to chars.
# If you find documents are getting past the phrase filtering due to encoding
# then enable. However this can break Big5 and other 16-bit texts.
# off = disabled (default)
# on = enabled

#forcequicksearch = off
#
# Force Quick Search rather than DFA search algorithm
# The current DFA implementation is not totally 16-bit character compatible
# but is used by default as it handles large phrase lists much faster.
# If you wish to use a large number of 16-bit character phrases then
# enable this option.
# off (default) | on (Big5 compatible)

###
### END of PHRASES section

### TUNING section
###
#httpworkers = 500
#
# sets the number of worker threads to use
#
# This figure is the maximum number of concurrent connections.
# If more connections are made, connections will queue until a worker thread is free.
# On large sites you might want to try 5000 (max value 20000)
# 500 is the default suitable for home or small office use on 64-bit systems
# On 32-bit systems reduce this to 300 to avoid exceeding the <4GB
# virtual memory limit and on Linux decrease the thread stack size from
# 10MB to 2MB (ulimit -s 2048)
# default 500

#maxcontentfiltersize = 2048
#
# Max content filter size
# Sometimes web servers label binary files as text which can be very
# large which causes a huge drain on memory and cpu resources.
# To counter this, you can limit the size of the document to be
# filtered and get it to just pass it straight through.
# Note that "straight through" means content above this size is not
# phrase filtered at all, so keep the limit as high as your hardware allows.
# This setting also applies to content regular expression modification.
# The value must not be higher than maxcontentramcachescansize
# NOTE(review): the documented defaults (2048 here, 2000 for
# maxcontentramcachescansize) do not satisfy this constraint as written -
# confirm which value is intended before relying on the limit.
# Do not set this too low as this will result in pages that contain a
# long preamble not being content filtered
# The size is in Kibibytes - eg 2048 = 2 MiB
# default 2048

#maxcontentramcachescansize = 2000
#
# Max content ram cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size of file that e2g will download and cache
# in RAM. After this limit is reached it will cache to disk
# This value must be less than or equal to maxcontentfilecachescansize.
# The size is in Kibibytes - eg 10240 = 10 MiB
# use 0 to set it to maxcontentfilecachescansize
# This option may be ignored by the configured download manager.
# default 2000

#maxcontentfilecachescansize = 20000
#
# Max content file cache scan size
# This is only used if you use a content scanner plugin such as AV
# This is the max size file that E2 will download
# so that it can be scanned or virus checked.
# NOTE(review): downloads above this limit are presumably not scanned by
# the AV plugin - confirm before treating the scanner as a hard control.
# This value must be greater or equal to maxcontentramcachescansize.
# The size is in Kibibytes - eg 10240 = 10 MiB
# default 20000

#proxytimeout = 5
#
# Proxy timeout
# Set tcp timeout between the Proxy and e2guardian
# This is a connection timeout
# If the proxy is remote you may need to increase this to 10 or more.
# Min 5 - Max 100
# default 5

#connecttimeout = 5
#
# Connect timeout
# Set tcp timeout between e2guardian and the upstream service (proxy or target host)
# This is a connection timeout
# For remote sites you may need to increase this to 10 or more.
# Min 1 - Max 100
# default 5

# connectretries = 1
#
# Connect retries
# Set the number of retries to make on connection failure before giving up
# Min 1 - Max 100
# default 1

#proxyexchange = 61
#
# Proxy header exchange
# Set timeout between an upstream Proxy and e2guardian
# Min 20 - Max 300
# If this is higher than the proxy's timeout the user will get the proxy's Gateway error page
# If lower, the e2guardian Gateway error page
# default 61

#pcontimeout = 55
#
# Pconn timeout
# how long a persistent connection will wait for other requests
# Min 5 - Max 300
# default 55

###
### END of TUNING section

### DEBUG section
###
## Things that can be used on production binaries

# storyboardtrace = on
#
# Storyboard tracing
# Warning - produces verbose output - do not use in production
# Output goes to syslog (or stderr when compiled with E2DEBUG defined)
# default off
# Use to debug storyboard logic flow

#logsslerrors = on
#
# Logs openssl error 'stack' in syslog
# Used to diagnose openssl errors
# It is normal for some openssl errors to occur
# Can be left on or off
# default off

#logconnectionhandlingerrors = on
#
# if on it logs some debug info regarding accept()ing and failed connections
# which can usually be ignored. These are logged by syslog. It is safe to leave
# it on or off
# default off

#rqloglocation = '/var/log/e2guardian/request.log'
#
# Defines optional request log path
# This is useful for debug purposes to log all requests before processing or setting filter group
# Because every request is logged before any filtering, this file records
# every URL users ask for; enable it only while debugging and restrict
# read access to it.
# See notes/LogRequests for details
# Default is "" - no request log

## Things that will only work if specifically compiled
## 'NEW' debug system (generally compiled in release systems)
## Note that this is only partially implemented and only works for ICAP, CLAMAV
## and ICAPC
## and so 'ALL' = 'ICAP,CLAMAV,ICAPC' only.
## To debug other areas of code re-compiling in debug mode is required
## It will be replaced by a new general logging system in v5.5

#debuglevel = 'ALL'
#
# Debug Level
# Enable debug output in e2guardian
# debug one value:
# Eg
# debuglevel = 'ICAP'   # Enable ICAP debug information only
#
# Eg
# debuglevel = 'ALL'    # Enable ALL debug information
#
# Additive mode:
# Eg
# debuglevel = 'ICAP,NET'   # Enable ICAP and NET debug information
#
# Subtractive mode:
# Eg
# debuglevel = 'ALL,-ICAP'  # Enable all debug information but without ICAP debug information
# debuglevel = 'ALL,-ICAP,-NET,-FILTER'  # Enable all debug information but without ICAP, NETWORK and FILTER debug information
# NOTE(review): the examples above use NET and FILTER, which are not in the
# list of possible values below - presumably leftovers from an older build;
# confirm before relying on them.
# by default disabled, if this option is required just uncomment the line below
# works also with e2guardian -N (-N Do not go into the background)
# Possible value : ICAP CLAMAV ICAPC (icap client)

#debuglevelfile = '/var/log/e2guardian/debuge2'
# Directory for result of debug level (log)
# Works only if debuglevel is enabled
# Debug output may contain request details; keep this directory writable
# and readable only by the account e2guardian runs as.
#

###
### END of DEBUG section

### PROCESS section
###
# Process options
# (Change these only if you really know what you are doing).
# These options allow you to run multiple instances of e2guardian on a single machine.
# Remember to edit the log file path also if that is your intention.

pidfilename = /run/e2guardian/e2.pid
#
# PID filename
#
# Defines process id directory and filename.
# The directory presumably has to exist and be writable by the account
# e2guardian runs as - check this when changing the path.

#nodaemon = off
#
# Disable daemoning
# If enabled the process will not fork into the background.
# It is not usually advantageous to do this.
# on|off (defaults to off)

#mailer = '/usr/sbin/sendmail -t'
#
# Mail program
# Path (sendmail-compatible) to the email program, with options.
# Not used if usesmtp is disabled (filtergroup specific).
## Note that this is experimental in v5 - no support from maintainers
#
# Warning: This option uses 'fork()' which does not work well
# in a large multi-threaded program like e2g. It can cause unpredictable
# crashes.
# On a small scale system (home user) it may work ok, but not recommended for
# larger scale systems. The more active threads, the more likely a crash is.

###
### END of PROCESS section

### OBSOLETE section
###
### Directives here are deprecated and may already not work
###
originalip = off
# NOTE: This option is removed in v5.4 - if left and enabled would give too many
# false positives.
#
contentscanexceptions = off
# Content scan exceptions // THIS MOVED to e2guardianf1.conf

#mapportstoips = off
#mapauthtoports = off
# Map auth to ports/ports to ip - does not work correctly
# - very confusing options
# default off - to be removed in v5.5.
#
# SECURITY NOTE: with log formats 1, 5 and 6 the value of the named header is
# written to the access log. 'proxy-authorization:' is the header that carries
# the user's proxy credentials, so leave this directive commented out unless
# you specifically need it, and restrict read access to the access log.
logheadervalue = 'proxy-authorization:'
# Log a specific value from header
# lower case only
# only used with logs: 1,5 and 6

#statlocation = ""
# url cache/stats no longer in use
#blockedcontentstore = ""
# no longer in use
#softrestart = off
# no longer in use
#proxyfailureloginterval = 0
# no longer in use
#scancleancache = true
# no longer in use
#urlcachenumber = 0
# no longer in use
#groupnamesfile = ''
# no longer supported - will be removed in v5.5
#urlcacheage= 0
# no longer in use

#recheckreplacedurls = off - option does not work - may be removed in v5.5
#
# Re-check replaced URLs
# As a matter of course, URLs undergo regular expression search/replace (urlregexplist)
# *after* checking the exception site/URL/regexpURL lists, but *before* checking against
# the banned site/URL lists, allowing certain requests that would be matched against the
# latter in their original state to effectively be converted into grey requests.
# With this option enabled, the exception site/URL/regexpURL lists are also re-checked
# after replacement, making it possible for URL replacement to trigger exceptions based
# on them.
# Defaults to off.
#logchildprocesshandling - will be removed in v5.5
# no longer in use

# monitorhelper = '/usr/local/bin/mymonitor' - to remove in v5.5
# monitor helper path
# Not recommended - likely to cause crashes as it uses fork()
# If defined this script/binary will be called with start or stop appended as follows:-
# At start after e2guardian has started listener and worker threads with
# ' start' appended
# When e2guardian is stopping with ' stop' appended
# If you do use it, make sure the helper and its directory are not writable
# by unprivileged users, since e2guardian executes whatever is at that path.
# default '' - monitor helper disabled

###
### END of OBSOLETE section

### INFO section
###
### No settings just info on new features etc

# New in v5.4.2:- relative paths
# Relative paths can be used in .Include<> and list files.
# The directory of the current file will be inserted where the file name
# does not start with '/'

# Also NEW in v5.4.2 - LISTDIR 'variable' definition
# LISTDIR can be defined in .conf files.
# This allows for more readable configuration and for templating.
# This works similarly to a shell environment variable
# The text between <> will replace occurrences of __LISTDIR__ in .conf and
# list files.
# Note: Currently only LISTDIR may be defined.
#
# The mapping is actioned as the file is read and is valid until another LISTDIR
# is defined later in the file, or in an included .conf file.
#
# The scope of LISTDIR is the rest of the file it is defined in and all
# .Include<> files or list files in that portion of the file.
# It should be noted that re-definitions of single-line directives will
# overwrite any earlier ones.
# The same is true of list definitions. Later unique definitions will
# override earlier ones. A unique list definition is formed from the
# list type and the name.
# Because a later .Include<> file can therefore silently override directives
# set here, keep included .conf files and the lists directory under the same
# ownership and permissions as this file.
#
# So,
# sitelist = 'name=banned,path=x...'
# and
# urllist = 'name=banned,path=y...'
# are both unique
# but
# sitelist = 'name=banned,path=x...'
# and
# sitelist = 'name=banned,path=z...'
# are not and the later definition will override the first.
###
### END of INFO section