# e2guardian filter group config file for version 5.3.1 # This file is re-read on gentle restart and any changes actioned # Filter group mode IS NOT LONGER SUPPORTED # Unauthenticated users are treated as being in the default filter group. # groupmode = 1 #DISABLED # Filter group name # Used to fill in the -FILTERGROUP- placeholder in the HTML template file, and to # name the group in the access logs # Defaults to empty string #groupname = '' groupname = 'no_name_group' # Much logic has moved to storyboard files storyboard = '/etc/e2guardian/examplef1.story' # Enable legacy (DG) ssl logic # # The following option is replaced by storyboard logic # ssllegacylogic = off # Content filtering files location bannedphraselist = '/etc/e2guardian/lists/bannedphraselist' weightedphraselist = '/etc/e2guardian/lists/weightedphraselist' exceptionphraselist = '/etc/e2guardian/lists/exceptionphraselist' ### NOTE - New format for all other list definitions in v5.0 ### see notes/V5_list_definition for details #banned lists sitelist = 'name=banned,messageno=500,path=/etc/e2guardian/lists/bannedsitelist' ipsitelist = 'name=banned,messageno=510,path=/etc/e2guardian/lists/bannedsiteiplist' urllist = 'name=banned,messageno=501,path=/etc/e2guardian/lists/bannedurllist' regexpboollist = 'name=banned,messageno=503,path=/etc/e2guardian/lists/bannedregexpurllist' regexpboollist = 'name=banneduseragent,messageno=522,path=/etc/e2guardian/lists/bannedregexpuseragentlist' sitelist = 'name=bannedssl,messageno=520,path=/etc/e2guardian/lists/bannedsslsitelist' ipsitelist = 'name=bannedssl,messageno=520,path=/etc/e2guardian/lists/bannedsslsiteiplist' #grey (i.e. content check) lists sitelist = 'name=grey,path=/etc/e2guardian/lists/greysitelist' ipsitelist = 'name=grey,path=/etc/e2guardian/lists/greysiteiplist' urllist = 'name=grey,path=/etc/e2guardian/lists/greyurllist' sitelist = 'name=greyssl,path=/etc/e2guardian/lists/greysslsitelist' ipsitelist = 'name=greyssl,path=/etc/e2guardian/lists/greysslsiteiplist' #exception lists sitelist = 'name=exception,messageno=602,path=/etc/e2guardian/lists/exceptionsitelist' ipsitelist = 'name=exception,messageno=602,path=/etc/e2guardian/lists/exceptionsiteiplist' urllist = 'name=exception,messageno=603,path=/etc/e2guardian/lists/exceptionurllist' regexpboollist = 'name=exception,messageno=609,path=/etc/e2guardian/lists/exceptionregexpurllist' regexpboollist = 'name=exceptionuseragent,messageno=610,path=/etc/e2guardian/lists/exceptionregexpuseragentlist' sitelist = 'name=refererexception,messageno=620,path=/etc/e2guardian/lists/refererexceptionsitelist' ipsitelist = 'name=refererexception,messageno=620,path=/etc/e2guardian/lists/refererexceptionsiteiplist' urllist = 'name=refererexception,messageno=620,path=/etc/e2guardian/lists/refererexceptionurllist' sitelist = 'name=embededreferer,path=/etc/e2guardian/lists/embededreferersitelist' ipsitelist = 'name=embededreferer,path=/etc/e2guardian/lists/embededreferersiteiplist' urllist = 'name=embededreferer,path=/etc/e2guardian/lists/embededrefererurllist' #modification lists regexpreplacelist = 'name=change,path=/etc/e2guardian/lists/urlregexplist' regexpreplacelist = 'name=sslreplace,path=/etc/e2guardian/lists/sslsiteregexplist' #redirection lists regexpreplacelist = 'name=redirect,path=/etc/e2guardian/lists/urlredirectregexplist' contentregexplist = '/etc/e2guardian/lists/contentregexplist' # local versions of lists #local banned sitelist = 'name=localbanned,messageno=560,path=/etc/e2guardian/lists/localbannedsitelist' #ipsitelist = 'name=localbanned,messageno=560,path=/etc/e2guardian/lists/localbannedsiteiplist' #urllist = 'name=localbanned,messageno=561,path=/etc/e2guardian/lists/localbannedurllist' #sitelist = 'name=localbannedssl,messageno=580,path=/etc/e2guardian/lists/localbannedsslsitelist' #ipsitelist = 'name=localbannedssl,messageno=580,path=/etc/e2guardian/lists/localbannedsslsiteiplist' searchlist = 'name=localbanned,messageno=581,path=/etc/e2guardian/lists/localbannedsearchlist' #local grey lists sitelist = 'name=localgrey,path=/etc/e2guardian/lists/localgreysitelist' #ipsitelist = 'name=localgrey,path=/etc/e2guardian/lists/localgreysiteiplist' #urllist = 'name=localgrey,path=/etc/e2guardian/lists/localgreyurllist' sitelist = 'name=localgreyssl,path=/etc/e2guardian/lists/localgreysslsitelist' #ipsitelist = 'name=localgreyssl,path=/etc/e2guardian/lists/localgreysslsiteiplist' #local exception lists sitelist = 'name=localexception,messageno=662,path=/etc/e2guardian/lists/localexceptionsitelist' #ipsitelist = 'name=localexception,messageno=662,path=/etc/e2guardian/lists/localexceptionsiteiplist' #urllist = 'name=localexception,messageno=663,path=/etc/e2guardian/lists/localexceptionurllist' # Filetype filtering # # Allow bannedregexpurllist with grey list mode # # The following option is replaced by storyboard logic # bannedregexwithblanketblock = off # # The following option is replaced by storyboard logic #blockdownloads = off # Phrase filtering additional mime types (by default text/*) # textmimetypes = 'application/xhtml+xml,application/xml,application/json,application/javascript,application/x-javascript' # Uncomment the two lines below if want to only allow extentions/mime types in these lists # You will also need to uncomment the checkfiletype function in site.story to enable this #fileextlist = 'name=exceptionextension,path=/etc/e2guardian/lists/exceptionextensionlist' #mimelist = 'name=exceptionmime,path=/etc/e2guardian/lists/exceptionmimelist' # # Use the following lists to block specific kinds of file downloads. # fileextlist = 'name=bannedextension,messageno=900,path=/etc/e2guardian/lists/bannedextensionlist' mimelist = 'name=bannedmime,messageno=800,path=/etc/e2guardian/lists/bannedmimetypelist' # # In either file filtering mode, the following list can be used to override # MIME type & extension blocks for particular domains & URLs (trusted download sites). # sitelist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfilesitelist' ipsitelist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfilesiteiplist' urllist = 'name=exceptionfile,path=/etc/e2guardian/lists/exceptionfileurllist' # POST protection (web upload and forms) # does not block forms without any file upload, i.e. this is just for # blocking or limiting uploads # measured in kibibytes after MIME encoding and header bumph # use 0 for a complete block # use higher (e.g. 512 = 512Kbytes) for limiting # use -1 for no blocking # NOTE: POST PROTECTION IS NOT YET IMPLIMENTED IN V5 #maxuploadsize = 512 #maxuploadsize = 0 maxuploadsize = -1 # Categorise without blocking: # Supply categorised lists here and the category string shall be logged against # matching requests, but matching these lists does not perform any filtering # action. #sitelist = 'name=log,path=/etc/e2guardian/lists/logsitelist' #ipsitelist = 'name=log,path=/etc/e2guardian/lists/logsiteiplist' #urllist = 'name=log,path=/etc/e2guardian/lists/logurllist' #regexpboollist = 'name=log,path=/etc/e2guardian/lists/logregexpurllist' # Outgoing HTTP header rules: # Optional lists for blocking based on, and modification of, outgoing HTTP # request headers. Format for headerregexplist is one modification rule per # line, similar to content/URL modifications. Format for # bannedregexpheaderlist is one regular expression per line, with matching # headers causing a request to be blocked. # Headers are matched/replaced on a line-by-line basis, not as a contiguous # block. # Use for example, to remove cookies or prevent certain user-agents. regexpreplacelist = 'name=headermods,path=/etc/e2guardian/lists/headerregexplist' regexpboollist = 'name=bannedheader,path=/etc/e2guardian/lists/bannedregexpheaderlist' regexpboollist = 'name=exceptionheader,path=/etc/e2guardian/lists/exceptionregexpheaderlist' # used for Youtube add cookies etc regexpreplacelist = 'name=addheader,path=/etc/e2guardian/lists/addheaderregexplist' #Virus checking exceptions - matched urls will not be virus checked #mimelist = 'name=exceptionvirus,path=/etc/e2guardian/lists/contentscanners/exceptionvirusmimetypelist' #fileextlist = 'name=exceptionvirus,path=/etc/e2guardian/lists/contentscanners/exceptionvirusextensionlist' #sitelist = 'name=exceptionvirus,path=/etc/e2guardian/lists/contentscanners/exceptionvirussitelist' #ipsitelist = 'name=exceptionvirus,path=/etc/e2guardian/lists/contentscanners/exceptionvirussiteiplist' #urllist = 'name=exceptionvirus,path=/etc/e2guardian/lists/contentscanners/exceptionvirusurllist' # Weighted phrase mode # Optional; overrides the weightedphrasemode option in e2guardian.conf # for this particular group. See documentation for supported values in # that file. #weightedphrasemode = 0 # Naughtiness limit # This the limit over which the page will be blocked. Each weighted phrase is given # a value either positive or negative and the values added up. Phrases to do with # good subjects will have negative values, and bad subjects will have positive # values. See the weightedphraselist file for examples. # As a guide: # 50 is for young children, 100 for old children, 160 for young adults. naughtynesslimit = 50 # Search term blocking # Search terms can be extracted from search URLs and filtered using one or # both of two different methods. # Method 1 is that developed by Protex where specific # search terms are contained in a bannedsearchlist. # (localbannedsearchlist and bannedsearchoveridelist can be used to suppliment # and overide this list as required.) # These lists contain banned search words combinations on each line. # Words are separated by '+' and must be in sorted order within a line. # so to block 'sexy girl' then the list must contain the line # girl+sexy # and this will block both 'sexy girl' and 'girl sexy' # To use this method, the searchregexplist must be enabled and the bannedsearchlist(s) defined # Method 2 is uses the # bannedphraselist, weightedphraselist and exceptionphraselist, with a separate # threshold for blocking than that used for normal page content. # To do this, the searchregexplist must be enabled and searchtermlimit # must be greater than 0. # # Search engine regular expression list (need for both options) # List of regular expressions for matching search engine URLs. It is assumed # that the search terms themselves will be contained in the # of output of each expression. regexpreplacelist = 'name=searchterms,path=/etc/e2guardian/lists/searchregexplist' # # Banned Search Term list(s) for option 1 searchlist = 'name=banned,path=/etc/e2guardian/lists/bannedsearchlist' searchlist = 'name=override,path=/etc/e2guardian/lists/bannedsearchoveridelist' # Search term limit (for Option 2) # The limit over which requests will be blocked for containing search terms # which match the weightedphraselist. This should usually be lower than the # 'naughtynesslimit' value above, because the amount of text being filtered # is only a few words, rather than a whole page. # This option must be uncommented if searchregexplist is uncommented. # A value of 0 here indicates that search terms should be extracted, # but no phrase filtering should be performed on the resulting text. #searchtermlimit = 0 # # Search term phrase lists (for Option 2) # If the three lines below are uncommented, search term blocking will use # the banned, weighted & exception phrases from these lists, instead of using # the same phrase lists as for page content. This is optional but recommended, # as weights for individual phrases in the "normal" lists may not be # appropriate for blocking when those phrases appear in a much smaller block # of text. # Please note that all or none of the below should be uncommented, not a # mixture. # NOTE: these are phrase lists and still use the old style defines #bannedsearchtermlist = '/etc/e2guardian/lists/bannedsearchtermlist' #weightedsearchtermlist = '/etc/e2guardian/lists/weightedsearchtermlist' #exceptionsearchtermlist = '/etc/e2guardian/lists/exceptionsearchtermlist' # Category display threshold # This option only applies to pages blocked by weighted phrase filtering. # Defines the minimum score that must be accumulated within a particular # category in order for it to show up on the block pages' category list. # All categories under which the page scores positively will be logged; those # that were not displayed to the user appear in brackets. # # -1 = display only the highest scoring category # 0 = display all categories (default) # > 0 = minimum score for a category to be displayed categorydisplaythreshold = 0 # Embedded URL weighting # When set to something greater than zero, this option causes URLs embedded within a # page's HTML (from links, image tags, etc.) to be extracted and checked against the # bannedsitelist and bannedurllist. Each link to a banned page causes the amount set # here to be added to the page's weighting. # The behaviour of this option with regards to multiple occurrences of a site/URL is # affected by the weightedphrasemode setting. # # NB: Currently, this feature uses regular expressions that require the PCRE library. # As such, it is only available if you compiled e2guardian with '--enable-pcre=yes'. # You can check compile-time options by running 'e2guardian -v'. # # Set to 0 to disable. # Defaults to 0. # WARNING: This option is highly CPU intensive! embeddedurlweight = 0 # Temporary Denied Page Bypass # This provides a link on the denied page to bypass the ban for a few minutes. To be # secure it uses a random hashed secret generated at daemon startup. You define the # number of seconds the bypass will function for before the deny will appear again. # To allow the link on the denied page to appear you will need to edit the template.html # or e2guardian.pl file for your language. # 300 = enable for 5 minutes # 0 = disable ( defaults to 0 ) # -1 - depreciated - for backward compatability enables cgibypass with bypassversion 1 bypass = 0 # Byapss version 2 is experimental, provide a secure cgi communication (see notes/cgi_bypass documentation) # # Bypass version # can be 1 or 2 # Always use v2 unless you have old style cgi hash generation in use # Default is 1 # bypassversion = 2 # cgibypass - Use a separate program/CGI to (in v1 generate) or (in v2 validate) link # 'on' or 'off' (default) # cgibypass = 'off' # Temporary Denied Page Bypass Secret Key # Rather than generating a random key you can specify one. It must be more than 8 chars. # '' = generate a random one (recommended and default) # 'Mary had a little lamb.' = an example # '76b42abc1cd0fdcaf6e943dcbc93b826' = an example bypasskey = '' # magic key for cgi bypass v2 - used to sign communications between e2g and cgi # default is blank #cgikey = 'you must change this text in order to be secure' # Users will not be able to bypass sites/urls in these lists sitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsitelistwithbypass' #ipsitelist = 'name=bannedbypass,messageno=500,path=/etc/e2guardian/lists/bannedsiteiplistwithbypass' #urllist = 'name=bannedbypass,messageno=501,path=/etc/e2guardian/lists/bannedurllistwithbypass' # Infection/Scan Error Bypass # Similar to the 'bypass' setting, but specifically for bypassing files scanned and found # to be infected, or files that trigger scanner errors - for example, archive types with # recognised but unsupported compression schemes, or corrupt archives. # The option specifies the number of seconds for which the bypass link will be valid. # 300 = enable for 5 minutes # 0 = disable (default) # -1 - depreciated - for backward compatability enables cgiinfectionbypass with bypassversion 1 infectionbypass = 0 # cgiinfectionbypass - Use a separate program/CGI to (v1 generate) or (v2 validate) link # 'on' or 'off' (default) # cgiinfectionbypass = 'off' # Infection/Scan Error Bypass Secret Key # Same as the 'bypasskey' option, but used for infection bypass mode. infectionbypasskey = '' # Infection/Scan Error Bypass on Scan Errors Only # Enable this option to allow infectionbypass links only when virus scanning fails, # not when a file is found to contain a virus. # on = enable (default and highly recommended) # off = disable infectionbypasserrorsonly = on # Disable content scanning # If you enable this option you will disable content scanning for this group. # Content scanning primarily is AV scanning (if enabled) but could include # other types. # (on|off) default = off. disablecontentscan = off # Disable content scanning with error (timeout, AV crash, etc) # If you enable this option you will allow object with an unexpected result # Content scanning primarily is AV scanning (if enabled) but could include # other types. # With "on" you can allow INFECTED objects # (on|off) default = off. (default and highly recommended) disablecontentscanerror = off # If 'on' exception sites, urls, users etc will be scanned # This is probably not desirable behavour as exceptions are # supposed to be trusted and will increase load. # Correct use of grey lists are a better idea. # (on|off) default = off contentscanexceptions = off # Auth plugins # Enable Deep URL Analysis # When enabled, DG looks for URLs within URLs, checking against the bannedsitelist and # bannedurllist. This can be used, for example, to block images originating from banned # sites from appearing in Google Images search results, as the original URLs are # embedded in the thumbnail GET requests. # (on|off) default = off deepurlanalysis = off # reportinglevel # # -1 = log, but do not block - Stealth mode # 0 = just say 'Access Denied' # 1 = report why but not what denied phrase # 2 = report fully # 3 = use HTML template file (accessdeniedaddress ignored) - recommended # # If defined, this overrides the global setting in e2guardian.conf for # members of this filter group. # reportinglevel = 3 # accessdeniedaddress is the address of your web server to which the cgi # e2guardian reporting script was copied. Only used in reporting levels # 1 and 2. # # This webserver must be either: # 1. Non-proxied. Either a machine on the local network, or listed as an # exception in your browser's proxy configuration. # 2. Added to the exceptionsitelist. Option 1 is preferable; this option is # only for users using both transparent proxying and a non-local server # to host this script. # #accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/e2guardian.pl' # HTML Template override # If defined, this specifies a custom HTML template file for members of this # filter group, overriding the global setting in e2guardian.conf. This is # only used in reporting level 3. # # The default template file path is //template.html # e.g. /usr/share/e2guardian/languages/ukenglish/template.html when using 'ukenglish' # language. # # This option generates a file path of the form: # // # e.g. /usr/share/e2guardian/languages/ukenglish/custom.html # #htmltemplate = 'custom.html' #Template for use to report network issues and sites which are not responding # The default template file path is //neterr_template.html # e.g. /usr/share/e2guardian/languages/ukenglish/neterr_template.html when using 'ukenglish' # language. #neterrtemplate = 'custom_neterr_template.html' # Non standard delimiter (only used with accessdeniedaddress) # To help preserve the full banned URL, including parameters, the variables # passed into the access denied CGI are separated using non-standard # delimiters. This can be useful to ensure correct operation of the filter # bypass modes. Parameters are split using "::" in place of "&", and "==" in # place of "=". # Default is enabled, but to go back to the standard mode, disable it. #nonstandarddelimiter = off # Email reporting - original patch by J. Gauthier # Use SMTP # If on, will enable system wide events to be reported by email. # need to configure mail program (see 'mailer' in global config) # and email recipients # default usesmtp = off usesmtp = off #NOT YET TESTED # mailfrom # who the email would come from # example: mailfrom = 'e2guardian@mycompany.com' mailfrom = '' # avadmin # who the virus emails go to (if notify av is on) # example: avadmin = 'admin@mycompany.com' avadmin = '' # contentdmin # who the content emails go to (when thresholds are exceeded) # and contentnotify is on # example: contentadmin = 'admin@mycompany.com' contentadmin = '' # avsubject # Subject of the email sent when a virus is caught. # only applicable if notifyav is on # default avsubject = 'e2guardian virus block' avsubject = 'e2guardian virus block' # content # Subject of the email sent when violation thresholds are exceeded # default contentsubject = 'e2guardian violation' contentsubject = 'e2guardian violation' # notifyAV # This will send a notification, if usesmtp/notifyav is on, any time an # infection is found. # Important: If this option is off, viruses will still be recorded like a # content infraction. notifyav = off # notifycontent # This will send a notification, if usesmtp is on, based on thresholds # below notifycontent = off # thresholdbyuser # results are only predictable with user authenticated configs # if enabled the violation/threshold count is kept track of by the user thresholdbyuser = off #violations # number of violations before notification # setting to 0 will never trigger a notification violations = 0 #threshold # this is in seconds. If 'violations' occur in 'threshold' seconds, then # a notification is made. # if this is set to 0, then whenever the set number of violations are made a # notifaction will be sent. threshold = 0 #NOTE to enable SSL MITM or NON-MITM SSL CERT checking # enablessl must be defined as 'yes' in e2guardian.conf #SSL certificate checking # Check that ssl certificates for servers on https connections are valid # and signed by a ca in the configured path # ONLY for connections that are NOT MITM #sslcertcheck = off - NOT implimented in V5 yet #SSL man in the middle # Forge ssl certificates for all non-exception sites, decrypt the data then re encrypt it # using a different private key. Used to filter ssl sites sslmitm = off #Limit SSL MITM to sites in greysslsitelist(s) # ignored if sslmitm is off # SSL sites not matching greysslsitelist will be treat as if sslmitm is off. # The following option is replaced by storyboard logic #onlymitmsslgrey = off - ignored in V5 # Enable MITM site certificate checking # ignored if sslmitm is off # default (recommended) is 'on' mitmcheckcert = on #Do not check ssl certificates for sites listed # Can be used to allow sites with self-signed or invalid certificates # or to reduced CPU load by not checking certs on heavily used sites (e.g. Google, Bing) # Use with caution! # Ignored if mitmcheckcert is 'off' #nocheckcertsitelist = '/etc/e2guardian/lists/nocheckcertsitelist' sitelist = 'name=nocheckcert,path=/etc/e2guardian/lists/nocheckcertsitelist' ipsitelist = 'name=nocheckcert,path=/etc/e2guardian/lists/nocheckcertsiteiplist' # # Auto switch to MITM with upstream connection error or to deliver block page # ignored if sslmitm is off # To revert to v4 type behavour switch this off # Default is 'on' # automitm = on