0237e17be3
Note that large sections of the code have been re-written and there are significant changes to the configuration files in this release.

The v5 is written in c++11 and so to compile it you will need gcc v5.4 or later (or another compiler that supports the full c++11). Note that the target systems may also need a c++11 library update.

REVISED LIST and STORYBOARDING MODEL

Version 5 has a completely revised model for defining and using lists. List definition is now separated from list application. Lists are no longer hard-coded, but mapped to a function using a storyboard.

Filtering logic flow is simplified and made more consistent. Requests are analysed first and flags set (exception, grey, blocked etc) and once this checking is complete actions are taken. Large sections of duplicate logic have been removed from ConnectionHandler and large sections are now separate functions.

Storyboarding is a simple scripting language that maps lists to functions and allows flags to be set. This means that new lists can be added without changing the code, by adding a new list definition and then applying it in a revised storyboard. A different storyboard can be applied to each filtergroup, so if required, each filtergroup can have a different logic flow.

Please read notes/V5_list_definition.pdf & notes/V5_Storyboard.pdf for details.

TRANSPARENT HTTPS

Detects SNI and flags whether traffic is TLS. Currently limited to port 443 traffic.

ICAP SERVER

REQMOD and RESPMOD mode supported. See notes/icap.

DIRECT UPSTREAM ACCESS

I.e. not via proxy. To implement globally comment out 'proxyip =' in e2guardian.conf.

The storyboard action setgodirect can be used within checkrequest functions to enable selected protocols/sites/urls to go direct, e.g. to send all connect requests directly add if(connect) setgodirect to a requestchecks function. This can also be useful to by-pass squid for some requests (e.g. OS update sites) when squid authentication methods are being used.

STORYBOARD TRACING

New option 'storyboardtrace' to enable tracing output - for storyboard bug-fixing.

READABLE THREAD_ID FOR LOGS & DEBUG

Most debug and syslog messages are now prefixed with a thread ID as follows:-

  master:          for master thread
  listen1_proxy:   normal proxy listener
  listen1_thttps:  transparent https listener
  listen1_icap:    icap listener
                   where '1' is index
  hw10:            for http_worker threads where '10' is the thread number
  log:             for logging thread

REVISED DEBUG STAGE 1

The following low level debugs are no longer enabled by DGDEBUG:

  Network sockets - use NETDEBUG instead
  Regular expressions - use REDEBUG instead

This reduces the volume of information and makes the debug log easier to read.

REVISED DEBUG STAGE 2

New debuglevel option in e2guardian.conf. Allows some debugging on production systems. Currently just for ICAP and CLAMAV. Will be extended to other sections of code in future releases.

HTTP/1.1

Support for HTTP v1.1 completed - including Chunked encoding.

ANTI-VIRUS PLUGINS

Anti-virus plugins implemented for proxy, trans and ICAP.

INCLUDE FILES IN e2guardianf1.conf

Filtergroup configuration files may now include other files, enabling a more DRY approach to configuration. So configuration common to several filtergroups can be placed in a file which is included in the filtergroup config file.

Syntax is same as list includes - .include<full_path_to_file>

Where single options and list defines with the same name are repeated only the last one read will be actioned. This differs from pre-v5 versions where the first single option was actioned and any repeats ignored. This allows the overwriting of single options and re-definition of lists in a structured way.

LIST INPUT VIA STDIN

This replaces the totalblocklist in previous versions allowing multiple lists to be loaded via stdin. See notes/lists_via_stdin.

OPENSSL v1.1 SUPPORT

Will now support OpenSSL v1.1 as well as v1.0.2 or above.

------------------------------

New in v4 (v4.1).

The v4 is written in c++11 and so to compile it you will need gcc v5.4 or later (or another compiler that supports the c++11 std::thread library). Note that the target systems may also need a c++11 library update.

REVISED PROCESS MODEL

The parent children process model (which does not scale for very large numbers of connections) is replaced with a queue/threads based model.

The main thread now only deals with set-up of the logging, listener, and worker threads, the input (and reinput) of the lists, signals and statistics. The threads communicate via FIFO queues within memory and so there is no need for ipc pipes.

A listener thread is set up for each ip/port combination. They listen for a connection, accept it and then push the new connection socket on the appropriate worker queue.

The worker threads pop connections from the worker queue and deal with the connection. When a worker wants to log a request it pushes the logging data onto the log queue.

The logging thread will pop the data from the queue, format it and write it to the log.

Most of the above logic is in FatControler.cpp. The logic is now much simpler and has reduced the amount of code in FatControler by over 50%.

Socket classes have been extensively modified to remove interrupt handling (for list reload etc) and all select calls are removed. So there is no longer a need to modify FD_SETSIZE.

New LOptionContainer class has been written to hold list and filter group settings. On gentle restart a new LOptionContainer object is created and loaded with filter group and list settings. Once fully read in a global shared pointer is switched from the old list to the new, making actioning list changes immediate and with no interruption to service.

NOTES FOR PREVIOUS VERSION - v4.0.1

All pics support has been removed
Mail option not yet implemented.
Url cache not implemented
IP cache not implemented
Auth plugins - tested and working
Scan plugins - some tested

New e2guardian.conf options

httpworkers
enablessl
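The "INCLUDE FILES IN e2guardianf1.conf" note above says that in v5 the last definition read is the one actioned, whereas pre-v5 actioned the first and ignored repeats. The operational consequence is easy to miss: a shared file included after a filtergroup's own setting now silently overrides that setting. The following Python model, added here as an example and not e2guardian's own config reader, expands .include<full_path_to_file> directives and applies both precedence rules so the difference can be checked. It models only plain "option = value" lines; the file paths, option names and values are constructed samples.

```python
"""Model of the v5 '.include<full_path_to_file>' rule for filtergroup config
files, with the v5 'last definition read is actioned' precedence beside the
pre-v5 'first definition actioned, repeats ignored' precedence.

Added example, not e2guardian's own config reader.  It models only plain
'option = value' lines and the .include directive; the file paths, option
names and values below are constructed samples."""
import re
from typing import Dict, List, Tuple

# Constructed in-memory files standing in for a shared include and one
# filtergroup config that pulls it in after setting an option of its own.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/e2guardian/common.conf": (
        "# settings shared by several filtergroups (constructed sample)\n"
        "sslmitm = on\n"
        "naughtynesslimit = 50\n"
    ),
    "/etc/e2guardian/e2guardianf1.conf": (
        "naughtynesslimit = 200\n"
        ".include</etc/e2guardian/common.conf>\n"
        "sslmitm = off\n"
    ),
}

INCLUDE_RE = re.compile(r"^\.include<(.+)>$")
OPTION_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)$")


def read_options(path: str, files: Dict[str, str] = SAMPLE_FILES,
                 chain: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Return (option, value) pairs in the order a reader would see them,
    expanding .include directives depth-first at the point they appear.
    'chain' is the stack of files currently being read; a path already on
    it means an include loop, which is reported rather than followed."""
    if path in chain:
        raise ValueError("include loop: " + " -> ".join(chain + (path,)))
    pairs: List[Tuple[str, str]] = []
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        inc = INCLUDE_RE.match(line)
        if inc:
            pairs.extend(read_options(inc.group(1), files, chain + (path,)))
            continue
        opt = OPTION_RE.match(line)
        if opt:
            pairs.append((opt.group(1), opt.group(2)))
    return pairs


def resolve(pairs: List[Tuple[str, str]], last_wins: bool) -> Dict[str, str]:
    """Apply one precedence rule to the ordered pairs.
    last_wins=True  -> v5 rule: the last definition read is actioned.
    last_wins=False -> pre-v5 rule: first definition actioned, repeats ignored."""
    result: Dict[str, str] = {}
    for name, value in pairs:
        if last_wins or name not in result:
            result[name] = value
    return result


def effective_options(path: str, last_wins: bool = True,
                      files: Dict[str, str] = SAMPLE_FILES) -> Dict[str, str]:
    """Effective settings for one filtergroup file under the chosen rule."""
    return resolve(read_options(path, files), last_wins)


if __name__ == "__main__":
    f1 = "/etc/e2guardian/e2guardianf1.conf"
    print("read order:         ", read_options(f1))
    print("v5 (last wins):     ", effective_options(f1, last_wins=True))
    print("pre-v5 (first wins):", effective_options(f1, last_wins=False))
```

With the sample files, v5 yields naughtynesslimit = 50 (from the include, overriding the group's own 200) and sslmitm = off, while the pre-v5 rule would have kept 200 and on. When migrating a configuration, place shared includes first and group-specific overrides after them, and diff the two resolutions for each filtergroup before deploying.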
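The "READABLE THREAD_ID FOR LOGS & DEBUG" note above lists the prefixes now placed on debug and syslog messages (master:, listenN_proxy:, listenN_thttps:, listenN_icap:, hwN:, log:). The Python below, added here as an example and not e2guardian's own code, parses that prefix so a log can be summarised per thread role or followed for one http_worker. The log lines are constructed samples that only imitate the prefix layout; the message texts are illustrative.

```python
"""Parse the thread-ID prefix that v5 puts on debug and syslog messages
(master:, listenN_proxy:, listenN_thttps:, listenN_icap:, hwN:, log:) so a
log can be summarised per thread role or followed for one worker.

Added example, not e2guardian's own code; the log lines are constructed
samples that only imitate the prefix layout described in the release notes."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

PREFIX_RE = re.compile(
    r"^(?P<tid>master"
    r"|listen(?P<lidx>\d+)_(?P<ltype>proxy|thttps|icap)"
    r"|hw(?P<widx>\d+)"
    r"|log):\s*(?P<msg>.*)$"
)

# Constructed sample log; message texts are illustrative only.
SAMPLE_LOG = """\
master: lists loaded, starting listeners
listen1_proxy: connection accepted, pushed to worker queue
listen1_thttps: SNI found, flagged as TLS
hw10: request flagged grey
hw10: setgodirect actioned for connect request
hw3: request blocked
log: access log record written
no prefix on this line
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one message into thread id, role, index and text.
    Returns None for a line without a recognised prefix."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    tid = m.group("tid")
    if tid == "master":
        role, index = "master", None
    elif tid == "log":
        role, index = "logger", None
    elif tid.startswith("listen"):
        role, index = "listener_" + m.group("ltype"), int(m.group("lidx"))
    else:
        role, index = "http_worker", int(m.group("widx"))
    return {"thread": tid, "role": role, "index": index, "message": m.group("msg")}


def summarize(text: str) -> Tuple[Dict[str, int], int]:
    """Count messages per thread role; also count lines with no prefix,
    which is what pre-v5 output or a foreign log line would look like."""
    counts: Counter = Counter()
    unparsed = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            counts[rec["role"]] += 1
    return dict(counts), unparsed


def worker_trace(text: str, worker: int) -> List[str]:
    """Messages from one http_worker thread (hw<worker>), in order."""
    out: List[str] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["role"] == "http_worker" and rec["index"] == worker:
            out.append(rec["message"])
    return out


if __name__ == "__main__":
    counts, unparsed = summarize(SAMPLE_LOG)
    print(counts, "unprefixed:", unparsed)
    print("hw10:", worker_trace(SAMPLE_LOG, 10))
```

Because each worker handles one connection at a time, filtering worker_trace by the hwN index gives the sequence of decisions for a single request, which is the view needed when checking why a storyboard flagged or passed something; a non-zero unprefixed count is a quick sign that an older build or a different program is writing to the same log.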
64 lines
1.3 KiB
Makefile
# $NetBSD: options.mk,v 1.3 2018/07/16 14:12:34 sborrill Exp $

PKG_OPTIONS_VAR=	PKG_OPTIONS.e2guardian
PKG_SUPPORTED_OPTIONS=	debug email commandline clamd ssl icap
PKG_SUGGESTED_OPTIONS=	email ssl

.include "../../mk/bsd.options.mk"

.if !empty(PKG_OPTIONS:Mdebug)
CONFIGURE_ARGS+=	--with-dgdebug
.endif

##
## Enables reporting by email
##
.if !empty(PKG_OPTIONS:Memail)
CONFIGURE_ARGS+=	--enable-email
.endif

##
## Enable support for ICAP AV server content scanner
##
PLIST_VARS+=	icap
.if !empty(PKG_OPTIONS:Micap)
CONFIGURE_ARGS+=	--enable-icap
PLIST.icap=	yes
EGFILES_EXTRA+=	contentscanners/icap.conf
.endif

##
## Enables ssl MITM
##
.if !empty(PKG_OPTIONS:Mssl)
CONFIGURE_ARGS+=	--enable-sslmitm
.  include "../../security/openssl/buildlink3.mk"
.endif

# PLIST.avscan is shared between content scanners
PLIST_VARS+=	avscan
##
## Enable command line content scanner
##
PLIST_VARS+=	cli
.if !empty(PKG_OPTIONS:Mcommandline)
CONFIGURE_ARGS+=	--enable-commandline
PLIST.cli=	yes
PLIST.avscan=	yes
EGFILES_EXTRA+=	contentscanners/commandlinescan.conf
.endif

##
## Enable ClamD content scanner
##
PLIST_VARS+=	clamd
.if !empty(PKG_OPTIONS:Mclamd)
CONFIGURE_ARGS+=	--enable-clamd
PLIST.clamd=	yes
PLIST.avscan=	yes
EGFILES_EXTRA+=	contentscanners/clamdscan.conf
.endif

.if !empty(PLIST.avscan)
EGFILES_LIST+=	${.CURDIR}/files/configfiles.avscan
.endif