E2Guardian v5.5.5 Stable Release

This is the stable version v5.5.5r

Improvements

Improve list error reporting to show list files and configuration files that have failing files under their tree.

Change default generatedcertstart to 1st Apr 2024

Change method of generating Certificate serial numbers #631
When generating Serial numbers from host names a hash of the rootCA,
start_date and end_date is added to the CN and hashed to produce a unique serial
number. This means that the serial number for a host will change if
the rootCA or start/end date is changed. This will force a re-generation
of the certificate.
The generated cert store should be cleared to remove the now stale
certificates previously generated.

A number of bug-fixes applied (see ChangeLog for details.)

Users should upgrade as soon as possible

If the default value of generatedcertstart is being used in older versions generated certificates will cease to be valid on 5th December 2024.

Many thanks to all contributors and those reporting bugs!

What's Changed

• Add Spanish translation for message: 122 by @leo95batista in #784
• Upgrade to Debian12 in CI/CD by @fredbcode in #791
• {NEWIN_{v4,v5},configs/e2guardian*.conf.in}: Various typo fixes. by @sunweaver in #796

Full Changelog: v5.5.4r...v5.5.5r

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu/v5.5/
Official Images on Docker Hub: https://hub.docker.com/r/fredbcode/e2guardian

E2Guardian v5.6 Pre-release

This is the pre-release version for v5.6 (v5.6.0pre)

New features

Per filter group language support (user messages in language
different to language defined in e2guardian.conf).  Logging is
always performed in main language.

Per category block templates.
See data/languages/ukenglish/category_block_templates.d/README

New storyboard functions destipin and responsecodein added for
Geolocation filtering and testing of results codes.
See notes/GeoLocation and notes/V5_Storyboard.pdf

Logic changed so that destination IP DNS lookup can be made earlier when
required for Geolocation lookup.

Logformat files replace hard-coded logformat numbers.  Provides for
flexible reporting including reporting on request and response headers.
See notes/LogFormatFiles

New RequestID (consisting of TreadID + StartUtime) can be used in logs to
 uniquely identify a request.

Amend dnsauth to accept fg group names as well as fg group numbers.

A large number of outstanding feature requests are actioned  in this version.

See ChangeLog for details of bug fixes

Many thanks to everyone who has contributed to this version.

Please can developers test and feedback so that we can release as stable shortly?

Note: Some configuration files in this version are not fully backward compatible with v5.5 configuration files.

Please read notes/NEWIN_v5 before installing.

If upgrading from an version earlier then v5.4 please read notes/Upgrading_to_V5.4

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu/

E2guardian V5.5.4 Stable Release

This is the stable version v5.5.4r

Fix possible XSS vulnerability in bypass url - issue #782
Correct INSTALL file - issue #781
Fix bug #780 - e2g crashes if invalid group name is provided via BearerBasic
auth plugin
Update of Italian messages

Users should upgrade NOW, if they are using the bypass feature or the BearerBasic authentication plugin as this fixes vulnerabilities in these features.

Bug fixes (From v5.5.3)

Some fairly major changes to list handling and search code in order to fix possible 'hanging' pointer issue on list search returns (see issue #768)

Also, a number of bug-fixes applied (see ChangeLog for details.)

New features (From v5.5.2)

• UDP logging option added (based on code/idea by KDG)
• Add SEMI-TRUSTED flag to logs
• Add kiddle search terms extractor #739 refers
• Add storyboarding, list definitions, message for TLD allowed
  as suggested by Dalacor #733.
  Note I have used allowedtldlist rather than exceptiontld. Exceptions
  generally override everything but this list is used in blanketblock and
  so will be overridden by exception site urls etc.
• Log rotation (see https://github.com/e2guardian/e2guardian/blob/v5.5.dev/notes/rotating_logs)
• New Logger/Debug integrated from coding by KDGundermann (see https://github.com/e2guardian/e2guardian/blob/v5.5/notes/HOWTO_Logger.md)
• IO (normal and MITM ssl) rewritten
  • timeouts now honored when in MITM mode
  • faster throughput - less io system calls
  • double-buffered duplex tunneling
• Removal of support for pre v1.1 OpenSSL versions
• Secure TLS proxy option added
• Semi-exception lists and logic added - allows reverse logic for selected sites - i.e. Trust a site - but block some urls within site.
• Alert log option - can be used to email alerts/reports etc
• Response log option which logs all responses
• New storyboard flag ( alert ) and states added ( categoryin )
• New list type categorylist added
• Much code tidying

Many thanks to everyone who has contributed to this version, especially to Kurt for the new Logger code - it makes debugging and testing so much easier!

Note: Some configuration files in this version are not fully backward compatible with v5.4 configuration files.

Please read notes/NEWIN_v5 before installing.

If upgrading from an version earlier then v5.4 please read notes/Upgrading_to_V5.4

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu

Stable E2Guardian v5.4.7r

This is the stable release for version v5.4 (v5.4.7r)

It is likely to be the final v5.4 release as v5.5 is now stable

Fixes in v5.4.7r

Fix possible XSS in bypass url - issue #782

If use are using v5.4 and using the bypass feature, upgrade urgently as this fixes a vulnerability in this feature.

Fixes in v5.4.6r
Amended Spanish tranlations
reduce artifact ttl: new gitlab limit of 5GB
Fix odd memory issue with some lists
- replace std::sort with std::stable_sort
Update README.md
Remove specific link to v5.4
Add packages links

Fixes in v5.4.5r

Fix #713 max value for maxheaderlines increased to 2500

Fixes in v5.4.4r
Fix bug #727 - some lists not being sorted correctly
Fix #725 - Local grey match not overriding main exception match
Fix #720 - Upper case search terms not blocked
Update spelling in message 160
Fix bug #712 - Upstream connect failure message wrong
Fix #695 and fix #711 - connecttimeout being ignored
Fix #695 bannediplist missing
Fix bug #707 cert hostnames not being checked - only happens when openssl v1.1 is used
Fix spelling of 'implement' (and derived words).
configure.ac: Don't expand AM_INIT_AUTOMAKE multiple times.
Fix default size of maxcontentramcachescansize option in configs/e2guardian.conf.in
Make sure values of maxcontentfiltersize and maxcontentramcachesize obey to the requirements in the (inline) documentation.
Fix default non-initialized default for max_content_ramcache_scan_size.
Update gitlab-ci: Remove unused makefile file in docker images
Update gitlab-ci: test for finding data path
Fix typo in comments of e2guardianf1.conf.in
Fix c string conversion compiler error
Correct miss spelling in conf file #691
Fix #686 icap default filtergroup is not set.
Fix #685 - uppercase domain in user never matches
Fix pid error at start
Fix bug #684 - crash when only one entry in a maplist
Fix c string conversion compiler error
Fix #677 exceptionfile not checked when checking request before checking
file extension
Fix #679 SQUID+ICAP protocol error / timeout/no response: out_res_body_flag was not reset
Add official docker hub image
Possible fix for #676 - Added conditional pid check
Fix #678 -N reloading instead of quitting with e2guardian -q
Fix #675 Logs user, url being anonymized at random, messages in storyboard no longer being honored
Fix #674 messages and categories set in pre-auth.story are blanked.

New feature
#692 - add extracheckports option to allow loop checking when squid in front

New features in v5.4.3r :-

Auth list files moved into storyboard system - fixes #458
Improve auth plugin logic - add per-plugin default group options
On single list reading failure do not abort but check rest of config
Tidy up request log output
New usedashforblank option for logs
Extended logs added (type 7 & 8) and -EXTFLAGS- added to block page params
Add searchterms field to log types 7,8 - new logclientnameandip config flag
Make consistent punctuation removal in NaughtyFilter
Time based list and storyboard functions added - #529
SB: Add timed blanket block
SB: Add support for log-only function (logcategory flag)
SB: Response HTTP header modification added & listenportin state added
SB: Add #568 feature - give warning when defined list is not used
New useoriginalip option - solves issues with some apps who use non-stqndard SNI.
nomitm lists added for sites which refuse to be mitm.
nolog lists added and actioned via new SB entry point - for clearer logs
searchexception list added to override searchregexplist
Re-organized phrase lists and lists directory - see lists/README
Re-organized e2guardian.conf and e2guardianf1.conf - easier to follow and more guidance notes
New pf-basic auth plugin - for use with squid used for auth in front of e2g.

See ChangeLog for full details.

Configs are compatible with v5.4.3r and v5.4.4r.

The configs are not fully compatible with v5.3 - see notes/Upgrading_to_v5.4

Please report any issues prefixed with v5.4.

Many thanks to all who have contributed and raised issues and suggestions.

Philip

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu/v5.4/
Official Images on Docker Hub: https://hub.docker.com/r/fredbcode/e2guardian

E2guardian V5.5.3 Stable Release

This is the stable version v5.5.3r

This release is identical (apart from version suffix) to release v5.5.3pre which has now been load tested. No issues have been reported with v5.5.3pre and we now consider it stable.

Some fairly major changes to list handling and search code in order to fix possible 'hanging' pointer issue on list search returns (see issue #768)

Also, a number of bug-fixes applied (see ChangeLog for details.)

New features (From v5.5.2)

• UDP logging option added (based on code/idea by KDG)
• Add SEMI-TRUSTED flag to logs
• Add kiddle search terms extractor #739 refers
• Add storyboarding, list definitions, message for TLD allowed
  as suggested by Dalacor #733.
  Note I have used allowedtldlist rather than exceptiontld. Exceptions
  generally override everything but this list is used in blanketblock and
  so will be overridden by exception site urls etc.
• Log rotation (see https://github.com/e2guardian/e2guardian/blob/v5.5.dev/notes/rotating_logs)
• New Logger/Debug integrated from coding by KDGundermann (see https://github.com/e2guardian/e2guardian/blob/v5.5/notes/HOWTO_Logger.md)
• IO (normal and MITM ssl) rewritten
  • timeouts now honored when in MITM mode
  • faster throughput - less io system calls
  • double-buffered duplex tunneling
• Removal of support for pre v1.1 OpenSSL versions
• Secure TLS proxy option added
• Semi-exception lists and logic added - allows reverse logic for selected sites - i.e. Trust a site - but block some urls within site.
• Alert log option - can be used to email alerts/reports etc
• Response log option which logs all responses
• New storyboard flag ( alert ) and states added ( categoryin )
• New list type categorylist added
• Much code tidying

Many thanks to everyone who has contributed to this version, especially to Kurt for the new Logger code - it makes debugging and testing so much easier!

Note: Some configuration files in this version are not fully backward compatible with v5.4 configuration files.

Please read notes/NEWIN_v5 before installing.

If upgrading from an version earlier then v5.4 please read notes/Upgrading_to_V5.4

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu

What's Changed

• fixing error with uint32_t by @Arjow in #772

New Contributors

• @Arjow made their first contribution in #772

Full Changelog: v5.5.2r...v5.5.3r

E2guardian V5.5.3 pre-release

This is the pre-release version v5.5.3pre

Why revert to pre-release? This is due to some fairly major changes to list handling and search code in order to fix possible 'hanging' pointer issue on list search returns (see issue #768)

Also, a number of bug-fixes applied (see ChangeLog for details.)

Please test and report any issues. Once any issues are resolved will issue as stable

New features (From v5.5.2)

• UDP logging option added (based on code/idea by KDG)
• Add SEMI-TRUSTED flag to logs
• Add kiddle search terms extractor #739 refers
• Add storyboarding, list definitions, message for TLD allowed
  as suggested by Dalacor #733.
  Note I have used allowedtldlist rather than exceptiontld. Exceptions
  generally override everything but this list is used in blanketblock and
  so will be overridden by exception site urls etc.
• Log rotation (see https://github.com/e2guardian/e2guardian/blob/v5.5.dev/notes/rotating_logs)
• New Logger/Debug integrated from coding by KDGundermann (see https://github.com/e2guardian/e2guardian/blob/v5.5/notes/HOWTO_Logger.md)
• IO (normal and MITM ssl) rewritten
  • timeouts now honored when in MITM mode
  • faster throughput - less io system calls
  • double-buffered duplex tunneling
• Removal of support for pre v1.1 OpenSSL versions
• Secure TLS proxy option added
• Semi-exception lists and logic added - allows reverse logic for selected sites - i.e. Trust a site - but block some urls within site.
• Alert log option - can be used to email alerts/reports etc
• Response log option which logs all responses
• New storyboard flag ( alert ) and states added ( categoryin )
• New list type categorylist added
• Much code tidying

Many thanks to everyone who has contributed to this version, especially to Kurt for the new Logger code - it makes debugging and testing so much easier!

Note: Some configuration files in this version are not fully backward compatible with v5.4 configuration files.

Please read notes/NEWIN_v5 before installing.

If upgrading from an version earlier then v5.4 please read notes/Upgrading_to_V5.4

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu

What's Changed

• fixing error with uint32_t by @Arjow in #772

New Contributors

• @Arjow made their first contribution in #772

Full Changelog: v5.5.2r...v5.5.3pre

Stable E2Guardian v5.5.2r

This is the first stable version for v5.5 (v5.5.2r)

New features

• UDP logging option added (based on code/idea by KDG)
• Add SEMI-TRUSTED flag to logs
• Add kiddle search terms extractor #739 refers
• Add storyboarding, list definitions, message for TLD allowed
  as suggested by Dalacor #733.
  Note I have used allowedtldlist rather than exceptiontld. Exceptions
  generally override everything but this list is used in blanketblock and
  so will be overridden by exception site urls etc.
• Log rotation (see https://github.com/e2guardian/e2guardian/blob/v5.5.dev/notes/rotating_logs)
• New Logger/Debug integrated from coding by KDGundermann (see https://github.com/e2guardian/e2guardian/blob/v5.5/notes/HOWTO_Logger.md)
• IO (normal and MITM ssl) rewritten
  • timeouts now honored when in MITM mode
  • faster throughput - less io system calls
  • double-buffered duplex tunneling
• Removal of support for pre v1.1 OpenSSL versions
• Secure TLS proxy option added
• Semi-exception lists and logic added - allows reverse logic for selected sites - i.e. Trust a site - but block some urls within site.
• Alert log option - can be used to email alerts/reports etc
• Response log option which logs all responses
• New storyboard flag ( alert ) and states added ( categoryin )
• New list type categorylist added
• Much code tidying

Many thanks to everyone who has contributed to this version, especially to Kurt for the new Logger code - it makes debugging and testing so much easier!

Note: Some configuration files in this version are not fully backward compatible with v5.4 configuration files.

Please read notes/NEWIN_v5 before installing.

If upgrading from an version earlier then v5.4 please read notes/Upgrading_to_V5.4

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu

What's Changed

• Add OPENSSL_CFLAGS/_LIBS for openssl11 support by @opoplawski in #728
• Fix build error AM_INIT_AUTOMAKE expanded multiple times v5.5 by @meyertime in #748

Full Changelog: v5.5.1pre...v5.5.2r

Stable E2Guardian v5.4.6r

This is the stable release for version v5.4 (v5.4.6r)

It is likely to be the final v5.4 release as v5.5 is now stable

Fixes in v5.4.6r
Amended Spanish tranlations
reduce artifact ttl: new gitlab limit of 5GB
Fix odd memory issue with some lists
- replace std::sort with std::stable_sort
Update README.md
Remove specific link to v5.4
Add packages links

Fixes in v5.4.5r

Fix #713 max value for maxheaderlines increased to 2500

Fixes in v5.4.4r
Fix bug #727 - some lists not being sorted correctly
Fix #725 - Local grey match not overriding main exception match
Fix #720 - Upper case search terms not blocked
Update spelling in message 160
Fix bug #712 - Upstream connect failure message wrong
Fix #695 and fix #711 - connecttimeout being ignored
Fix #695 bannediplist missing
Fix bug #707 cert hostnames not being checked - only happens when openssl v1.1 is used
Fix spelling of 'implement' (and derived words).
configure.ac: Don't expand AM_INIT_AUTOMAKE multiple times.
Fix default size of maxcontentramcachescansize option in configs/e2guardian.conf.in
Make sure values of maxcontentfiltersize and maxcontentramcachesize obey to the requirements in the (inline) documentation.
Fix default non-initialized default for max_content_ramcache_scan_size.
Update gitlab-ci: Remove unused makefile file in docker images
Update gitlab-ci: test for finding data path
Fix typo in comments of e2guardianf1.conf.in
Fix c string conversion compiler error
Correct miss spelling in conf file #691
Fix #686 icap default filtergroup is not set.
Fix #685 - uppercase domain in user never matches
Fix pid error at start
Fix bug #684 - crash when only one entry in a maplist
Fix c string conversion compiler error
Fix #677 exceptionfile not checked when checking request before checking
file extension
Fix #679 SQUID+ICAP protocol error / timeout/no response: out_res_body_flag was not reset
Add official docker hub image
Possible fix for #676 - Added conditional pid check
Fix #678 -N reloading instead of quitting with e2guardian -q
Fix #675 Logs user, url being anonymized at random, messages in storyboard no longer being honored
Fix #674 messages and categories set in pre-auth.story are blanked.

New feature
#692 - add extracheckports option to allow loop checking when squid in front

New features in v5.4.3r :-

Auth list files moved into storyboard system - fixes #458
Improve auth plugin logic - add per-plugin default group options
On single list reading failure do not abort but check rest of config
Tidy up request log output
New usedashforblank option for logs
Extended logs added (type 7 & 8) and -EXTFLAGS- added to block page params
Add searchterms field to log types 7,8 - new logclientnameandip config flag
Make consistent punctuation removal in NaughtyFilter
Time based list and storyboard functions added - #529
SB: Add timed blanket block
SB: Add support for log-only function (logcategory flag)
SB: Response HTTP header modification added & listenportin state added
SB: Add #568 feature - give warning when defined list is not used
New useoriginalip option - solves issues with some apps who use non-stqndard SNI.
nomitm lists added for sites which refuse to be mitm.
nolog lists added and actioned via new SB entry point - for clearer logs
searchexception list added to override searchregexplist
Re-organized phrase lists and lists directory - see lists/README
Re-organized e2guardian.conf and e2guardianf1.conf - easier to follow and more guidance notes
New pf-basic auth plugin - for use with squid used for auth in front of e2g.

See ChangeLog for full details.

Configs are compatible with v5.4.3r and v5.4.4r.

The configs are not fully compatible with v5.3 - see notes/Upgrading_to_v5.4

Please report any issues prefixed with v5.4.

Many thanks to all who have contributed and raised issues and suggestions.

Philip

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu/v5.4/
Official Images on Docker Hub: https://hub.docker.com/r/fredbcode/e2guardian

Near stable prerelease v5.5

This is the near-stable pre-release version for v5.5 (v5.5.1pre)

New features

• Log rotation (see https://github.com/e2guardian/e2guardian/blob/v5.5.dev/notes/rotating_logs)
• New Logger/Debug integrated from coding by KDGundermann (see https://github.com/e2guardian/e2guardian/blob/v5.5/notes/HOWTO_Logger.md)
• IO (normal and MITM ssl) rewritten
  • timeouts now honored when in MITM mode
  • faster throughput - less io system calls
  • double-buffered duplex tunneling
• Removal of support for pre v1.1 OpenSSL versions
• Secure TLS proxy option added
• Semi-exception lists and logic added - allows reverse logic for selected sites - i.e. Trust a site - but block some urls within site.
• Alert log option - can be used to email alerts/reports etc
• Response log option which logs all responses
• New storyboard flag ( alert ) and states added ( categoryin )
• New list type categorylist added
• Much code tidying

Many thanks to everyone who has contributed to this version, especially to Kurt for the new Logger code - it makes debugging and testing so much easier!

There are big changes so please can developers test and feedback so that we can release as stable shortly?

Note: Some configuration files in this version are not fully backward compatible with v5.4 configuration files.

Please read notes/NEWIN_v5 before installing.

If upgrading from an version earlier then v5.4 please read notes/Upgrading_to_V5.4

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu

Stable E2guardian v5.4.5r

This is the stable release for version v5.4 (v5.4.5r)

It contains a single update to v5.4.4r

Fix #713 max value for maxheaderlines increased to 2500

Fixes in v5.4.4r
Fix bug #727 - some lists not being sorted correctly
Fix #725 - Local grey match not overriding main exception match
Fix #720 - Upper case search terms not blocked
Update spelling in message 160
Fix bug #712 - Upstream connect failure message wrong
Fix #695 and fix #711 - connecttimeout being ignored
Fix #695 bannediplist missing
Fix bug #707 cert hostnames not being checked - only happens when openssl v1.1 is used
Fix spelling of 'implement' (and derived words).
configure.ac: Don't expand AM_INIT_AUTOMAKE multiple times.
Fix default size of maxcontentramcachescansize option in configs/e2guardian.conf.in
Make sure values of maxcontentfiltersize and maxcontentramcachesize obey to the requirements in the (inline) documentation.
Fix default non-initialized default for max_content_ramcache_scan_size.
Update gitlab-ci: Remove unused makefile file in docker images
Update gitlab-ci: test for finding data path
Fix typo in comments of e2guardianf1.conf.in
Fix c string conversion compiler error
Correct miss spelling in conf file #691
Fix #686 icap default filtergroup is not set.
Fix #685 - uppercase domain in user never matches
Fix pid error at start
Fix bug #684 - crash when only one entry in a maplist
Fix c string conversion compiler error
Fix #677 exceptionfile not checked when checking request before checking
file extension
Fix #679 SQUID+ICAP protocol error / timeout/no response: out_res_body_flag was not reset
Add official docker hub image
Possible fix for #676 - Added conditional pid check
Fix #678 -N reloading instead of quitting with e2guardian -q
Fix #675 Logs user, url being anonymized at random, messages in storyboard no longer being honored
Fix #674 messages and categories set in pre-auth.story are blanked.

New feature
#692 - add extracheckports option to allow loop checking when squid in front

New features in v5.4.3r :-

Auth list files moved into storyboard system - fixes #458
Improve auth plugin logic - add per-plugin default group options
On single list reading failure do not abort but check rest of config
Tidy up request log output
New usedashforblank option for logs
Extended logs added (type 7 & 8) and -EXTFLAGS- added to block page params
Add searchterms field to log types 7,8 - new logclientnameandip config flag
Make consistent punctuation removal in NaughtyFilter
Time based list and storyboard functions added - #529
SB: Add timed blanket block
SB: Add support for log-only function (logcategory flag)
SB: Response HTTP header modification added & listenportin state added
SB: Add #568 feature - give warning when defined list is not used
New useoriginalip option - solves issues with some apps who use non-stqndard SNI.
nomitm lists added for sites which refuse to be mitm.
nolog lists added and actioned via new SB entry point - for clearer logs
searchexception list added to override searchregexplist
Re-organized phrase lists and lists directory - see lists/README
Re-organized e2guardian.conf and e2guardianf1.conf - easier to follow and more guidance notes
New pf-basic auth plugin - for use with squid used for auth in front of e2g.

See ChangeLog for full details.

Configs are compatible with v5.4.3r and v5.4.4r.

The configs are not fully compatible with v5.3 - see notes/Upgrading_to_v5.4

Please report any issues prefixed with v5.4.

Many thanks to all who have contributed and raised issues and suggestions.

Philip

Packages for Debian/Ubuntu: https://e2guardian.numsys.eu/v5.4/
Official Images on Docker Hub: https://hub.docker.com/r/fredbcode/e2guardian