author | marcelloc <marcellocoutinho@gmail.com> | 2012-01-27 14:24:51 -0200 |
---|---|---|
committer | marcelloc <marcellocoutinho@gmail.com> | 2012-01-27 14:24:51 -0200 |
commit | cf08e91af27301092ea4ef4bd96762fcd82db58c (patch) | |
tree | c93f620a3779c6d9f47800e6a8e606de9ca05730 /config/dansguardian/dansguardian.conf.template | |
parent | df225741292cdf7067938de8bc2f018fc14f76a1 (diff) | |
Dansguardian - First release
Diffstat (limited to 'config/dansguardian/dansguardian.conf.template')
-rwxr-xr-x | config/dansguardian/dansguardian.conf.template | 715 |
1 files changed, 715 insertions, 0 deletions
diff --git a/config/dansguardian/dansguardian.conf.template b/config/dansguardian/dansguardian.conf.template
new file mode 100755
index 00000000..7b3fcc4c
--- /dev/null
+++ b/config/dansguardian/dansguardian.conf.template
@@ -0,0 +1,715 @@
+<?php
+/*
+ dansguardian.inc
+ part of the Dansguardian package for pfSense
+ Copyright (C) 2012 Marcello Coutinho
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+#create dansguardian.conf
+ $dg=<<<EOF
+# DansGuardian config file for version 2.12.0.0
+
+# **NOTE** as of version 2.7.5 most of the list files are now in dansguardianf1.conf
+
+
+# Web Access Denied Reporting (does not affect logging)
+#
+# -1 = log, but do not block - Stealth mode
+# 0 = just say 'Access Denied'
+# 1 = report why but not what denied phrase
+# 2 = report fully
+# 3 = use HTML template file (accessdeniedaddress ignored) - recommended
+#
+reportinglevel = {$reportlevel}
+
+# Language dir where languages are stored for internationalisation.
+# The HTML template within this dir is only used when reportinglevel
+# is set to 3. When used, DansGuardian will display the HTML file instead of
+# using the perl cgi script. This option is faster, cleaner
+# and easier to customise the access denied page.
+# The language file is used no matter what setting however.
+#
+languagedir = '/usr/local/share/dansguardian/languages'
+
+# language to use from languagedir.
+language = '{$reportlanguage}'
+
+# Logging Settings
+#
+# 0 = none 1 = just denied 2 = all text based 3 = all requests
+loglevel = {$loglevel}
+
+# Log Exception Hits
+# Log if an exception (user, ip, URL, phrase) is matched and so
+# the page gets let through. Can be useful for diagnosing
+# why a site gets through the filter.
+# 0 = never log exceptions
+# 1 = log exceptions, but do not explicitly mark them as such
+# 2 = always log & mark exceptions (default)
+logexceptionhits = {$logexceptionhits}
+
+# Log File Format
+# 1 = DansGuardian format (space delimited)
+# 2 = CSV-style format
+# 3 = Squid Log File Format
+# 4 = Tab delimited
+logfileformat = {$logfileformat}
+
+# truncate large items in log lines
+# 0 = no truncating (default)
+#maxlogitemlength = 0
+
+# anonymize logs (blank out usernames & IPs)
+anonymizelogs = {$anonymizelogs}
+
+
+# Syslog logging
+#
+# Use syslog for access logging instead of logging to the file
+# at the defined or built-in "loglocation"
+#logsyslog = off
+
+# Log file location
+#
+# Defines the log directory and filename.
+loglocation = '/var/log/dansguardian/access.log'
+
+
+# Statistics log file location
+#
+# Defines the stat file directory and filename.
+# Only used in conjunction with maxips > 0
+# Once every 3 minutes, the current number of IPs in the cache, and the most
+# that have been in the cache since the daemon was started, are written to this
+# file. IPs persist in the cache for 7 days.
+statlocation = '/var/log/dansguardian/stats'
+
+
+# Network Settings
+#
+# the IP that DansGuardian listens on. If left blank DansGuardian will
+# listen on all IPs. That would include all NICs, loopback, modem, etc.
+# Normally you would have your firewall protecting this, but if you want
+# you can limit it to a certain IP. To bind to multiple interfaces,
+# specify each IP on an individual filterip line.
+# You can have the same IP twice so long as it has a different port.
+{$filterip}
+
+# the ports that DansGuardian listens to. Specify one line per filterip
+# line. You can specify different authentication mechanisms per port but
+# only if the mechanisms can co-exist (e.g. basic/proxy auth can't)
+#filterports = 8080
+#filterports = 8081
+{$filterports}
+
+# the ip of the proxy (default is the loopback - i.e. this server)
+proxyip = 127.0.0.1
+
+# the port DansGuardian connects to proxy on
+proxyport = 3128
+
+# Whether to retrieve the original destination IP in transparent proxy
+# setups and check it against the domain pulled from the HTTP headers.
+#
+# Be aware that when visiting sites which use a certain type of round-robin
+# DNS for load balancing, DG may mark requests as invalid unless DG gets
+# exactly the same answers to its DNS requests as clients. The chances of
+# this happening can be increased if all clients and servers on the same LAN
+# make use of a local, caching DNS server instead of using upstream DNS
+# directly.
+#
+# See http://www.kb.cert.org/vuls/id/435052
+# on (default) | off
+#!! Not compiled !! originalip = on
+
+# accessdeniedaddress is the address of your web server to which the cgi
+# dansguardian reporting script was copied. Only used in reporting levels 1 and 2.
+#
+# This webserver must be either:
+# 1. Non-proxied. Either a machine on the local network, or listed as an exception
+# in your browser's proxy configuration.
+# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is
+# only for users using both transparent proxying and a non-local server
+# to host this script.
+#
+# Individual filter groups can override this setting in their own configuration.
+#
+accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl'
+
+# Non standard delimiter (only used with accessdeniedaddress)
+# To help preserve the full banned URL, including parameters, the variables
+# passed into the access denied CGI are separated using non-standard
+# delimiters. This can be useful to ensure correct operation of the filter
+# bypass modes. Parameters are split using "::" in place of "&", and "==" in
+# place of "=".
+# Default is enabled, but to go back to the standard mode, disable it.
+nonstandarddelimiter = {$nonstandarddelimiter}
+
+
+
+# Banned image replacement
+# Images that are banned due to domain/url/etc reasons including those
+# in the adverts blacklists can be replaced by an image. This will,
+# for example, hide images from advert sites and remove broken image
+# icons from banned domains.
+# on (default) | off
+usecustombannedimage = {$usecustombannedimage}
+custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif'
+
+
+#Banned flash replacement
+usecustombannedflash = {$usecustombannedflash}
+custombannedflashfile = '/usr/local/share/dansguardian/blockedflash.swf'
+
+
+
+# Filter groups options
+# filtergroups sets the number of filter groups. A filter group is a set of content
+# filtering options you can apply to a group of users. The value must be 1 or more.
+# DansGuardian will automatically look for dansguardianfN.conf where N is the filter
+# group. To assign users to groups use the filtergroupslist option. All users default
+# to filter group 1. You must have some sort of authentication to be able to map users
+# to a group. The more filter groups the more copies of the lists will be in RAM so
+# use as few as possible.
+filtergroups = {$filtergroups}
+filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist'
+
+
+
+# Authentication files location
+bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist'
+exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist'
+
+# Per-Room blocking definition directory
+# A directory containing text files containing the room's name followed by IPs or ranges
+# Think of it as bannediplist on crack
+perroomblockingdirectory = '/usr/local/etc/dansguardian/lists/bannedrooms/'
+
+# Show weighted phrases found
+# If enabled then the phrases found that made up the total which excedes
+# the naughtyness limit will be logged and, if the reporting level is
+# high enough, reported. on | off
+showweightedfound = {$showweightedfound}
+
+# Weighted phrase mode
+# There are 3 possible modes of operation:
+# 0 = off = do not use the weighted phrase feature.
+# 1 = on, normal = normal weighted phrase operation.
+# 2 = on, singular = each weighted phrase found only counts once on a page.
+#
+# IMPORTANT: Note that setting this to "0" turns off all features which
+# extract phrases from page content, including banned & exception
+# phrases (not just weighted), search term filtering, and scanning for
+# links to banned URLs.
+#
+weightedphrasemode = {$weightedphrasemode}
+
+
+
+# Positive (clean) result caching for URLs
+# Caches good pages so they don't need to be scanned again.
+# It also works with AV plugins.
+# 0 = off (recommended for ISPs with users with disimilar browsing)
+# 1000 = recommended for most users
+# 5000 = suggested max upper limit
+# If you're using an AV plugin then use at least 5000.
+urlcachenumber = {$urlcachenumber}
+#
+# Age before they are stale and should be ignored in seconds
+# 0 = never
+# 900 = recommended = 15 mins
+urlcacheage ={$urlcacheage}
+
+
+
+# Cache for content (AV) scan results as 'clean'
+# By default, to save CPU, files scanned and found to be
+# clean are inserted into the clean cache and NOT scanned
+# again for a while. If you don't like this then choose
+# to disable it.
+# on = cache results; do not re-scan
+# off = do not cache; always re-scan
+# (on|off) default = on.
+scancleancache = {$scancleancache}
+
+
+
+# Smart, Raw and Meta/Title phrase content filtering options
+# Smart is where the multiple spaces and HTML are removed before phrase filtering
+# Raw is where the raw HTML including meta tags are phrase filtered
+# Meta/Title is where only meta and title tags are phrase filtered (v. quick)
+# CPU usage can be effectively halved by using setting 0 or 1 compared to 2
+# 0 = raw only
+# 1 = smart only
+# 2 = both of the above (default)
+# 3 = meta/title
+phrasefiltermode = {$phrasefiltermode}
+
+# Lower casing options
+# When a document is scanned the uppercase letters are converted to lower case
+# in order to compare them with the phrases. However this can break Big5 and
+# other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented
+# characters are supported.
+# 0 = force lower case (default)
+# 1 = do not change case
+# 2 = scan first in lower case, then in original case
+preservecase = {$preservecase}
+
+# Note:
+# If phrasefiltermode and preserve case are both 2, this equates to 4 phrase
+# filtering passes. If you have a large enough userbase for this to be a
+# worry, and need to filter pages in exotic character encodings, it may be
+# better to run two instances on separate servers: one with preservecase 1
+# (and possibly forcequicksearch 1) and non ASCII/UTF-8 phrase lists, and one
+# with preservecase 0 and ASCII/UTF-8 lists.
+
+
+
+# Hex decoding options
+# When a document is scanned it can optionally convert %XX to chars.
+# If you find documents are getting past the phrase filtering due to encoding
+# then enable. However this can break Big5 and other 16-bit texts.
+# off = disabled (default)
+# on = enabled
+hexdecodecontent = {$hexdecodecontent}
+
+
+
+# Force Quick Search rather than DFA search algorithm
+# The current DFA implementation is not totally 16-bit character compatible
+# but is used by default as it handles large phrase lists much faster.
+# If you wish to use a large number of 16-bit character phrases then
+# enable this option.
+# off (default) | on (Big5 compatible)
+forcequicksearch = {$forcequicksearch}
+
+
+
+# Reverse lookups for banned site and URLs.
+# If set to on, DansGuardian will look up the forward DNS for an IP URL
+# address and search for both in the banned site and URL lists. This would
+# prevent a user from simply entering the IP for a banned address.
+# It will reduce searching speed somewhat so unless you have a local caching
+# DNS server, leave it off and use the Blanket IP Block option in the
+# bannedsitelist file instead.
+reverseaddresslookups = {$reverseaddresslookups}
+
+
+
+# Reverse lookups for banned and exception IP lists.
+# If set to on, DansGuardian will look up the forward DNS for the IP
+# of the connecting computer. This means you can put in hostnames in
+# the exceptioniplist and bannediplist.
+# If a client computer is matched against an IP given in the lists, then the
+# IP will be recorded in any log entries; if forward DNS is successful and a
+# match occurs against a hostname, the hostname will be logged instead.
+# It will reduce searching speed somewhat so unless you have a local DNS server,
+# leave it off.
+reverseclientiplookups = {$reverseclientiplookups}
+
+
+# Perform reverse lookups on client IPs for successful requests.
+# If set to on, DansGuardian will look up the forward DNS for the IP
+# of the connecting computer, and log host names (where available) rather than
+# IPs against requests.
+# This is not dependent on reverseclientiplookups being enabled; however, if it
+# is, enabling this option does not incur any additional forward DNS requests.
+logclienthostnames = {$logclienthostnames}
+
+
+# Build bannedsitelist and bannedurllist cache files.
+# This will compare the date stamp of the list file with the date stamp of
+# the cache file and will recreate as needed.
+# If a .processed file exists for an item (e.g. domain/URL) list, then that
+# will be used instead, if it is up to date (i.e. newer than the unprocessed
+# list file).
+# This can increase process start speed on slow computers.
+# Fast computers do not need this option.
+# on | off, default = on
+createlistcachefiles = {$createlistcachefiles}
+
+
+# Prefer cached list files
+# If enabled, DansGuardian will always prefer to load ".processed" versions of
+# list files, regardless of their time stamps relative to the original
+# unprocessed lists. This is not generally useful unless you have a specific
+# list update process which results in - for example - up-to-date, pre-sorted
+# ".processed" list files with dummy unprocessed files.
+# on | off, default = off
+prefercachedlists = {$prefercachedlists}
+
+
+
+# POST protection (web upload and forms)
+# does not block forms without any file upload, i.e. this is just for
+# blocking or limiting uploads
+# measured in kibibytes after MIME encoding and header bumph
+# use 0 for a complete block
+# use higher (e.g. 512 = 512Kbytes) for limiting
+# use -1 for no blocking
+#maxuploadsize = 512
+#maxuploadsize = 0
+maxuploadsize = {$maxuploadsize}
+
+
+
+# Max content filter size
+# Sometimes web servers label binary files as text which can be very
+# large which causes a huge drain on memory and cpu resources.
+# To counter this, you can limit the size of the document to be
+# filtered and get it to just pass it straight through.
+# This setting also applies to content regular expression modification.
+# The value must not be higher than maxcontentramcachescansize
+# The size is in Kibibytes - eg 2048 = 2Mb
+# use 0 to set it to maxcontentramcachescansize
+maxcontentfiltersize = {$maxcontentfiltersize}
+
+
+
+# Max content ram cache scan size
+# This is only used if you use a content scanner plugin such as AV
+# This is the max size of file that DG will download and cache
+# in RAM. After this limit is reached it will cache to disk
+# This value must be less than or equal to maxcontentfilecachescansize.
+# The size is in Kibibytes - eg 10240 = 10Mb
+# use 0 to set it to maxcontentfilecachescansize
+# This option may be ignored by the configured download manager.
+maxcontentramcachescansize = {$maxcontentramcachescansize}
+
+
+
+# Max content file cache scan size
+# This is only used if you use a content scanner plugin such as AV
+# This is the max size file that DG will download
+# so that it can be scanned or virus checked.
+# This value must be greater or equal to maxcontentramcachescansize.
+# The size is in Kibibytes - eg 10240 = 10Mb
+maxcontentfilecachescansize = {$maxcontentfilecachescansize}
+
+
+
+# File cache dir
+# Where DG will download files to be scanned if too large for the
+# RAM cache.
+filecachedir = '/tmp'
+
+
+
+# Delete file cache after user completes download
+# When a file gets save to temp it stays there until it is deleted.
+# You can choose to have the file deleted when the user makes a sucessful
+# download. This will mean if they click on the link to download from
+# the temp store a second time it will give a 404 error.
+# You should configure something to delete old files in temp to stop it filling up.
+# on|off (defaults to on)
+deletedownloadedtempfiles = {$deletedownloadedtempfiles}
+
+
+
+# Initial Trickle delay
+# This is the number of seconds a browser connection is left waiting
+# before first being sent *something* to keep it alive. The
+# *something* depends on the download manager chosen.
+# Do not choose a value too low or normal web pages will be affected.
+# A value between 20 and 110 would be sensible
+# This may be ignored by the configured download manager.
+initialtrickledelay = {$initialtrickledelay}
+
+
+
+# Trickle delay
+# This is the number of seconds a browser connection is left waiting
+# before being sent more *something* to keep it alive. The
+# *something* depends on the download manager chosen.
+# This may be ignored by the configured download manager.
+trickledelay = {$trickledelay}
+
+
+
+# Download Managers
+# These handle downloads of files to be filtered and scanned.
+# They differ in the method they deal with large downloads.
+# Files usually need to be downloaded 100% before they can be
+# filtered and scanned before being sent on to the browser.
+# Normally the browser can just wait, but with content scanning,
+# for example to AV, the browser may timeout or the user may get
+# confused so the download manager has to do some sort of
+# 'keep alive'.
+#
+# There are various methods possible but not all are included.
+# The author does not have the time to write them all so I have
+# included a plugin systam. Also, not all methods work with all
+# browsers and clients. Specifically some fancy methods don't
+# work with software that downloads updates. To solve this,
+# each plugin can support a regular expression for matching
+# the client's user-agent string, and lists of the mime types
+# and extensions it should manage.
+#
+# Note that these are the matching methods provided by the base plugin
+# code, and individual plugins may override or add to them.
+# See the individual plugin conf files for supported options.
+#
+# The plugins are matched in the order you specify and the last
+# one is forced to match as the default, regardless of user agent
+# and other matching mechanisms.
+#
+downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf'
+##!! Not compiled !! downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/trickle.conf'
+downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf'
+
+
+
+# Content Scanners (Also known as AV scanners)
+# These are plugins that scan the content of all files your browser fetches
+# for example to AV scan. The options are limitless. Eventually all of
+# DansGuardian will be plugin based. You can have more than one content
+# scanner. The plugins are run in the order you specify.
+# This is one of the few places you can have multiple options of the same name.
+#
+# Some of the scanner(s) require 3rd party software and libraries eg clamav.
+# See the individual plugin conf file for more options (if any).
+#
+{$contentscanners}
+
+
+# Content scanner timeout
+# Some of the content scanners support using a timeout value to stop
+# processing (eg AV scanning) the file if it takes too long.
+# If supported this will be used.
+# The default of 60 seconds is probably reasonable.
+contentscannertimeout = {$contentscannertimeout}
+
+
+
+# Content scan exceptions
+# If 'on' exception sites, urls, users etc will be scanned
+# This is probably not desirable behavour as exceptions are
+# supposed to be trusted and will increase load.
+# Correct use of grey lists are a better idea.
+# (on|off) default = off
+contentscanexceptions = {$contentscanexceptions}
+
+
+
+# Auth plugins
+# These replace the usernameidmethod* options in previous versions. They
+# handle the extraction of client usernames from various sources, such as
+# Proxy-Authorisation headers and ident servers, enabling requests to be
+# handled according to the settings of the user's filter group.
+# Multiple plugins can be specified, and will be used per port in the order
+# filterports are listed.
+#
+# If you do not use multiple filter groups, you need not specify this option.
+#
+#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf'
+#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf'
+#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf'
+#authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf'
+#authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf'
+{$authplugin}
+
+
+# Re-check replaced URLs
+# As a matter of course, URLs undergo regular expression search/replace (urlregexplist)
+# *after* checking the exception site/URL/regexpURL lists, but *before* checking against
+# the banned site/URL lists, allowing certain requests that would be matched against the
+# latter in their original state to effectively be converted into grey requests.
+# With this option enabled, the exception site/URL/regexpURL lists are also re-checked
+# after replacement, making it possible for URL replacement to trigger exceptions based
+# on them.
+# Defaults to off.
+recheckreplacedurls = {$recheckreplacedurls}
+
+
+
+# Misc settings
+
+# if on it adds an X-Forwarded-For: <clientip> to the HTTP request
+# header. This may help solve some problem sites that need to know the
+# source ip. on | off
+forwardedfor = {$forwardedfor}
+
+
+# if on it uses the X-Forwarded-For: <clientip> to determine the client
+# IP. This is for when you have squid between the clients and DansGuardian.
+# Warning - headers are easily spoofed. on | off
+usexforwardedfor = {$usexforwardedfor}
+
+
+# if on it logs some debug info regarding fork()ing and accept()ing which
+# can usually be ignored. These are logged by syslog. It is safe to leave
+# it on or off
+logconnectionhandlingerrors = {$logconnectionhandlingerrors}
+
+
+
+# Fork pool options
+
+# If on, this causes DG to write to the log file whenever child processes are
+# created or destroyed (other than by crashes). This information can help in
+# understanding and tuning the following parameters, but is not generally
+# useful in production.
+logchildprocesshandling = {$logchildprocesshandling}
+
+# sets the maximum number of processes to spawn to handle the incoming
+# connections. Max value usually 250 depending on OS.
+# On large sites you might want to try 180.
+maxchildren = {$maxchildren}
+
+
+# sets the minimum number of processes to spawn to handle the incoming connections.
+# On large sites you might want to try 32.
+minchildren = {$minchildren}
+
+
+# sets the minimum number of processes to be kept ready to handle connections.
+# On large sites you might want to try 8.
+minsparechildren = {$minsparechildren}
+
+
+# sets the minimum number of processes to spawn when it runs out
+# On large sites you might want to try 10.
+preforkchildren = {$preforkchildren}
+
+
+# sets the maximum number of processes to have doing nothing.
+# When this many are spare it will cull some of them.
+# On large sites you might want to try 64.
+maxsparechildren = {$maxsparechildren}
+
+
+# sets the maximum age of a child process before it croaks it.
+# This is the number of connections they handle before exiting.
+# On large sites you might want to try 10000.
+maxagechildren = {$maxagechildren}
+
+
+# Sets the maximum number client IP addresses allowed to connect at once.
+# Use this to set a hard limit on the number of users allowed to concurrently
+# browse the web. Set to 0 for no limit, and to disable the IP cache process.
+maxips = {$maxips}
+
+
+
+# Process options
+# (Change these only if you really know what you are doing).
+# These options allow you to run multiple instances of DansGuardian on a single machine.
+# Remember to edit the log file path above also if that is your intention.
+
+# IPC filename
+#
+# Defines IPC server directory and filename used to communicate with the log process.
+ipcfilename = '/tmp/.dguardianipc'
+
+# URL list IPC filename
+#
+# Defines URL list IPC server directory and filename used to communicate with the URL
+# cache process.
+urlipcfilename = '/tmp/.dguardianurlipc'
+
+# IP list IPC filename
+#
+# Defines IP list IPC server directory and filename, for communicating with the client
+# IP cache process.
+ipipcfilename = '/tmp/.dguardianipipc'
+
+# PID filename
+#
+# Defines process id directory and filename.
+#pidfilename = '/var/run/dansguardian.pid'
+
+# Disable daemoning
+# If enabled the process will not fork into the background.
+# It is not usually advantageous to do this.
+# on|off (defaults to off)
+nodaemon = {$nodaemon}
+
+# Disable logging process
+# on|off (defaults to off)
+nologger = {$nologger}
+
+# Enable logging of "ADs" category blocks
+# on|off (defaults to off)
+logadblocks = {$logadblocks}
+
+# Enable logging of client User-Agent
+# Some browsers will cause a *lot* of extra information on each line!
+# on|off (defaults to off)
+loguseragent = {$loguseragent}
+
+# Daemon runas user and group
+# This is the user that DansGuardian runs as. Normally the user/group nobody.
+# Uncomment to use. Defaults to the user set at compile time.
+# Temp files created during virus scanning are given owner and group read
+# permissions; to use content scanners based on external processes, such as
+# clamdscan, the two processes must run with either the same group or user ID.
+daemonuser = '{$daemonuser}'
+daemongroup = '{$daemongroup}'
+
+# Soft restart
+# When on this disables the forced killing off all processes in the process group.
+# This is not to be confused with the -g run time option - they are not related.
+# on|off (defaults to off)
+softrestart = {$softrestart}
+
+# Mail program
+# Path (sendmail-compatible) email program, with options.
+# Not used if usesmtp is disabled (filtergroup specific).
+#!! Not compiled !!mailer = '/usr/sbin/sendmail -t'
+
+#SSL certificate checking path
+#Path to CA certificates used to validate the certificates of https sites.
+#sslcertificatepath = '/etc/ssl/certs/'
+
+#SSL man in the middle
+#CA certificate path
+#Path to the CA certificate to use as a signing certificate for
+#generated certificates.
+#cacertificatepath = '/home/stephen/dginstall/ca.pem'
+{$ca_pem}
+
+#CA private key path
+#path to the private key that matches the public key in the CA certificate.
+#caprivatekeypath = '/home/stephen/dginstall/ca.key'
+{$ca_pk}
+
+#Cert private key path
+#The public / private key pair used by all generated certificates
+#certprivatekeypath = '/home/stephen/dginstall/cert.key'
+{$cert_key}
+
+#Generated cert path
+#The location where generated certificates will be saved for future use.
+#(must be writable by the dg user)
+#generatedcertpath = '/home/stephen/dginstall/generatedcerts/'
+
+#Generated link path = ''
+#The location where symlinks to certificates will be created.
+#(must be writable by the dg user)
+#generatedlinkpath = '/home/stephen/dginstall/generatedlinks/'
+
+EOF;
+?> |
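Review bot: `filecachedir = '/tmp'` and the three IPC endpoints (`/tmp/.dguardianipc`, `/tmp/.dguardianurlipc`, `/tmp/.dguardianipipc`) use fixed, predictable names in a world-writable directory, so another local account could pre-create or squat on them before the daemon starts. Point all four at a directory owned by the configured daemon user with mode 0700, e.g. `filecachedir = '<dedicated-dir>'`, and create that directory in the package's install code. Separately, `accessdeniedaddress` is left at the upstream placeholder `http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl` while `reportinglevel = {$reportlevel}` is templated, so levels 1 and 2 would send blocked clients to that host; either template the address or limit the GUI to levels that ignore it. The `{$...}` values are spliced in verbatim, including inside quoted values such as `language = '{$reportlanguage}'` and `daemonuser = '{$daemonuser}'`; the code that sets them is outside this hunk, so confirm it rejects quotes and newlines before they reach the generated config.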