Skip to content

Status

Verify the running deployment with the eghost operator CLI. eghost lives at /usr/local/bin/eghost on the host and wraps the in-container egctl plus the compose-level health checks into a single view.

Engine + sidecar status

The one-screen dashboard summarises the deployment:

$ eghost
EnforceGate vX — deployment dashboard

  release                    2026.30.0-EA

  Services (3)
    enforcegate                  Up 4h  (healthy)
    enforcegate-tls              Up 4h
    enforcegate-captive-portal   Up 4h

  Engine
    Defendr listener (:11224)    UP
    Control API (:11225)         UP
    Database                     UP
    Active policy set            12 rules (compiled 4h 12m ago)
    Connector sessions           5 of 5 UP/ACTIVE

For the detailed colored health view:

eghost status

For just the version of the CLI plus every running container's image version (useful for spotting a half-applied upgrade):

$ eghost version
  release                    2026.30.0-EA

  Images (from running containers):
    enforcegate                  2026.30.0-EA
    enforcegate-captive-portal   2026.30.0-EA
    enforcegate-tls              v2.10.2

For per-container uptime:

eghost uptime

Connector status

Verify the Squid connector(s) are connected to the engine via the engine's own CLI — eghost cli drops you into the interactive REPL:

$ eghost cli
> show neighbor summary
Types: C - Connector, CT - Connector over TLS, ? - Unknown

#   T    Neighbor ID      State        Address                Connected since
83  C    127.0.0.1        UP/ACTIVE    127.0.0.1:36392        0d 9h 55m 20s
84  C    127.0.0.1        UP/ACTIVE    127.0.0.1:36394        0d 9h 55m 20s
85  C    127.0.0.1        UP/ACTIVE    127.0.0.1:36396        0d 9h 55m 20s
86  C    127.0.0.1        UP/ACTIVE    127.0.0.1:36398        0d 9h 55m 20s
87  C    127.0.0.1        UP/ACTIVE    127.0.0.1:36400        0d 9h 55m 20s

For one-shot scripted use without entering the REPL:

docker exec enforcegate egctl show-neighbor-summary

The standalone image spawns 5 connector processes by default (matching the url_rewrite_children 5 directive in squid.conf) — all five should be UP/ACTIVE. Monitor the State column for UP/ACTIVE and the Connected since column for a consistently increasing uptime.

Compose-level health

The enforcegate service exposes a healthcheck that TCP-LISTEN-probes both Squid (:3128) and the engine's Defendr listener (:11224) via /proc/net/tcp. Either down → unhealthy. Both eghost and eghost ps surface the docker-level health for each service:

$ eghost ps
NAME                          STATUS                  PORTS
enforcegate                   Up 4h (healthy)         0.0.0.0:3128->3128/tcp
enforcegate-tls               Up 4h                   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp
enforcegate-captive-portal    Up 4h

The start_period of 90 s on the engine's healthcheck covers the first-boot DH parameter generation and the per-host cert DB seed; subsequent boots flip green much faster.

A live request

To confirm the full path is wired (Squid → connector → engine → policy match → response):

curl -x http://localhost:3128 https://www.exosys.ch -o /dev/null -w "%{http_code}\n"

A 200 confirms the proxy is forwarding, the connector is consulted, the engine matched a permit verdict, and the upstream completed.

Operator-visible state

Two eghost verbs surface deployment-time state that's frozen inside the image at build time:

eghost license             # current license activation state
eghost notices             # third-party software notices (default: standalone image)
eghost links               # operator URLs (portal, dashboards, docs) + reference commands

For the legal documents shipped read-only inside every container:

eghost shell -- cat /EULA.md
eghost shell -- cat /LICENSE.md
eghost shell -- cat /WARRANTY.md

If any service is not running or the engine reports errors, see troubleshooting.