Squid updates from Michael Capp

3 files changed, 224 insertions, 61 deletions

diff --git a/packages/squid_auth.inc b/packages/squid_auth.inc
index 7b29ce00..ae431f22 100644
--- a/packages/squid_auth.inc
+++ b/packages/squid_auth.inc
@@ -41,35 +41,15 @@ function global_eval_auth_options(){
 	
 	switch ($auth_method) {
 		case "none":
-			$filecontents = file('/usr/local/pkg/squid_auth.xml');
-			
-			$fout = fopen("/usr/local/pkg/squid_auth.xml","w");
-			foreach($filecontents as $line) {
-				if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
-					fwrite($fout, "			<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
-				} else {
-					fwrite($fout, $line);
-				}
-			}
-			
+			dynamic_auth_content("pkg_edit");
 			dynamic_no_auth();
 			break;
 		case "local_auth":
-			dynamic_auth_content();
+			dynamic_auth_content("pkg");
 			dynamic_local_auth();
 			break;
 		case "ldap_bind":
-			$filecontents = file('/usr/local/pkg/squid_auth.xml');
-			
-			$fout = fopen("/usr/local/pkg/squid_auth.xml","w");
-			foreach($filecontents as $line) {
-				if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
-					fwrite($fout, "			<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
-				} else {
-					fwrite($fout, $line);
-				}
-			}
-					
+			dynamic_auth_content("pkg_edit");	
 			dynamic_ldap_auth();
 			break;
 		case "domain_auth":
@@ -134,7 +114,7 @@ function dynamic_no_auth() {
 	fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n");
 	fwrite($fout, "<packagegui>\n");
 	fwrite($fout, "	<name>squidextnoauth</name>\n");
-	fwrite($fout, "	<title>Services: Squid Advanced Proxy -> Extended Authentication Settings</title>\n");
+	fwrite($fout, "	<title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
 	fwrite($fout, "	<configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n");
 	fwrite($fout, "\n");
 	fwrite($fout, "	<aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
@@ -211,7 +191,7 @@ function dynamic_local_auth() {
 	fwrite($fout, "\n");
 	fwrite($fout, "<packagegui>\n");
 	fwrite($fout, "	<name>squidextlocalauth</name>\n");
-	fwrite($fout, "	<title>Services: Squid Advanced Proxy -> Extended Authentication Settings</title>\n");
+	fwrite($fout, "	<title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
 	fwrite($fout, "	<version>2.5.10_4</version>\n");
 	fwrite($fout, "	<configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n");
 	fwrite($fout, "\n");
@@ -328,21 +308,172 @@ function dynamic_local_auth() {
 	config_unlock();
 } /* end function dynamic_local_auth */
 
+function dynamic_ldap_auth() {
+	conf_mount_rw();
+	config_lock();
+	
+	global $config;
+
+	$pkgfile = "/usr/local/pkg/squid_extauth.xml";
+	
+	$fout = fopen($pkgfile, "w");
+	
+	fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "<packagegui>\n");
+	fwrite($fout, "	<name>squidextldapauth</name>\n");
+	fwrite($fout, "	<title>Services: Proxy Server -> Extended Auth Settings</title>\n");
+	fwrite($fout, "	<version>2.5.11</version>\n");
+	fwrite($fout, "	<configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	<files></files>\n");
+	fwrite($fout, "	<menu></menu>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	<aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	<tabs>\n");
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>General Settings</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>Upstream Proxy</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");		
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>Cache Mgmt</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>Network Access Control</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>Traffic Mgmt</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>Auth Settings</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");		
+	fwrite($fout, "		<tab>\n");
+	fwrite($fout, "			<text>Extended Auth Settings</text>\n");
+	fwrite($fout, "			<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+	fwrite($fout, "			<active/>\n");
+	fwrite($fout, "		</tab>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	</tabs>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	<fields>\n");
+	fwrite($fout, "		<field>\n");
+	fwrite($fout, "			<fielddescr>Base DN</fielddescr>\n");
+	fwrite($fout, "			<fieldname>ldap_basedn</fieldname>\n");
+	fwrite($fout, "			<description>This is the base where the LDAP search starts.  All subsequent organizational units (OUs)will be included.  Example: "ou=users,o=company" will search for users in and under the specified company.</description>\n");
+	fwrite($fout, "			<type>input</type>\n");
+	fwrite($fout, "			<size>50</size>\n");
+	fwrite($fout, "		</field>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<field>\n");
+	fwrite($fout, "			<fielddescr>LDAP Server</fielddescr>\n");
+	fwrite($fout, "			<fieldname>ldap_server</fieldname>\n");
+	fwrite($fout, "			<description>This is the LDAP server that the bind will be attempted against.</description>\n");
+	fwrite($fout, "			<type>input</type>\n");
+	fwrite($fout, "			<size>20</size>\n");
+	fwrite($fout, "		</field>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<field>\n");
+	fwrite($fout, "			<fielddescr>LDAP Type</fielddescr>\n");
+	fwrite($fout, "			<fieldname>ldap_type</fieldname>\n");
+	fwrite($fout, "			<description>This specifies the supported LDAP types.</description>\n");
+	fwrite($fout, "			<type>select</type>\n");
+	fwrite($fout, "			<options>\n");
+	fwrite($fout, "				<option><name>Active Directory</name><value>active_directory</value></option>\n");
+	fwrite($fout, "				<option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n");
+	fwrite($fout, "				<option><name>LDAP v2</name><value>ldap_v2</value></option>\n");
+	fwrite($fout, "				<option><name>LDAP v3</name><value>ldap_v3</value></option>\n");
+	fwrite($fout, "			</options>\n");
+	fwrite($fout, "		</field>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<field>\n");
+	fwrite($fout, "			<fielddescr>LDAP Port</fielddescr>\n");
+	fwrite($fout, "			<fieldname>ldap_port</fieldname>\n");
+	fwrite($fout, '			<description>This is the port that LDAP bind will attempt on.  The default is "389".</description>' . "\n");
+	fwrite($fout, "			<type>input</type>\n");
+	fwrite($fout, "			<size>5</size>\n");
+	fwrite($fout, "		</field>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<field>\n");
+	fwrite($fout, "			<fielddescr>Bind DN Username</fielddescr>\n");
+	fwrite($fout, "			<fieldname>bind_dn_username</fieldname>\n");
+	fwrite($fout, '			<description>If "anonymous bind" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>' . "\n");
+	fwrite($fout, "			<type>input</type>\n");
+	fwrite($fout, "			<size>30</size>\n");
+	fwrite($fout, "		</field>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		<field>\n");
+	fwrite($fout, "			<fielddescr>Bind DN Password</fielddescr>\n");
+	fwrite($fout, "			<fieldname>bind_dn_password</fieldname>\n");
+	fwrite($fout, "			<description>This is the associated password with the Bind DN Username previously specified.</description>\n");
+	fwrite($fout, "			<type>password</type>\n");
+	fwrite($fout, "		</field>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	</fields>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "	<custom_add_php_command_late>\n");
+	fwrite($fout, '		require_once("/usr/local/pkg/squid_ng.inc");' . "\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		if ($password == $confirm_password) {\n");
+	fwrite($fout, '			mwexec("/usr/bin/htpasswd -b /usr/local/etc/squid/advanced/ncsa/passwd "' . $username . " " . $password . "\n");
+	fwrite($fout, "		}\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "		global_write_squid_config();\n");
+	fwrite($fout, '		mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n");
+	fwrite($fout, "	</custom_add_php_command_late>\n");
+	fwrite($fout, "\n");
+	fwrite($fout, "</packagegui>\n");
+}
+
 /* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */
-function dynamic_auth_content() {
+function dynamic_auth_content($pkgvar) {
 
-	if ($handle = opendir('/usr/local/pkg')) {
-		while (($file = readdir($handle)) != false) {
-			if (stristr($file, "squid_") && stristr($file, ".xml")) {
+	if ($pkgvar == "pkg") {
+		if ($handle = opendir('/usr/local/pkg')) {
+			while (($file = readdir($handle)) != false) {
+				if (stristr($file, "squid_") && stristr($file, ".xml")) {
+				
+					$filecontents = file("/usr/local/pkg/" . $file);
+			
+					$fout = fopen("/usr/local/pkg/" . $file,"w");
+					foreach($filecontents as $line) {
+						if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+							fwrite($fout, "			<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+						} else {
+							fwrite($fout, $line);
+						}
+					}
+				}
+			}
+		}
+	} else {
+			if ($handle = opendir('/usr/local/pkg')) {
+			while (($file = readdir($handle)) != false) {
+				if (stristr($file, "squid_") && stristr($file, ".xml")) {
 				
-				$filecontents = file("/usr/local/pkg/" . $file);
+					$filecontents = file("/usr/local/pkg/" . $file);
 			
-				$fout = fopen("/usr/local/pkg/" . $file,"w");
-				foreach($filecontents as $line) {
-					if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
-						fwrite($fout, "			<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
-					} else {
-						fwrite($fout, $line);
+					$fout = fopen("/usr/local/pkg/" . $file,"w");
+					foreach($filecontents as $line) {
+						if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+							fwrite($fout, "			<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+						} else {
+							fwrite($fout, $line);
+						}
 					}
 				}
 			}
diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc
index 6a92718b..da3e2a6f 100644
--- a/packages/squid_ng.inc
+++ b/packages/squid_ng.inc
@@ -88,7 +88,7 @@ function global_write_squid_config() {
     $throttle_cd_images    = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
     $throttle_multimedia   = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
                              
-    /* TODO: squid_auth.xml values (placeholder for now) */
+    /* squid_auth.xml values */
 	$auth_method           = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
 	$auth_processes        = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
 	$auth_cache_ttl        = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
@@ -100,6 +100,14 @@ function global_write_squid_config() {
 	$min_pass_length       = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
 	$bypass_extended       = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
 	
+	/* squid_extauth.xml (ldap) values */
+	$ldap_basedn		   = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
+	$ldap_server		   = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
+	$ldap_type			   = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
+	$ldap_port			   = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
+	$bind_dn_username	   = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
+	$bind_dn_password	   = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+	
 	/* static variable assignments for directory mapping */
 	$acldir    = "/usr/local/etc/squid/advanced/acls";
 	$ncsadir   = "/usr/local/etc/squid/advanced/ncsa";
@@ -244,7 +252,26 @@ function global_write_squid_config() {
 			break;
 		case "radius_auth";
 			break;
-		case "ldap_auth";
+		case "ldap_bind";
+			/* fwrite($fout, 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"); */
+			fwrite($fout, "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth");
+			fwrite($fout, ' -b "' . $ldap_basedn . '"');
+			fwrite($fout, ' -D "' . $bind_dn_username . '"');
+			fwrite($fout, " -w " . $bind_dn_password);
+			fwrite($fout, ' -f "(&(objectClass=person)(cn=%s))"');
+			fwrite($fout, " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n");
+			
+			if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5";
+			fwrite($fout, "auth_param basic children " . $auth_processes . "\n");
+			
+			if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy";
+			fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n");
+			
+			if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60";
+			fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n");
+			fwrite($fout, "\n");
+			fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n");
+			fwrite($fout, "\n");			
 			break;
 		case "windows_auth";
 			break;
@@ -339,7 +366,12 @@ function global_write_squid_config() {
 		fclose($aclout);
 				
 		fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n");
+	} else {
+		$aclout = fopen($acldir . "/src_subnets.acl","w");
+		fwrite($aclout, $lansa . "/" . $lansn . "\n");
+		fclose($aclout);
 	}
+		
 			
 	/* define ip addresses that have 'unrestricted' access */
 	if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
@@ -410,9 +442,14 @@ function global_write_squid_config() {
     fwrite($fout, "\n");
             
     fwrite($fout, "#access to squid; local machine; no restrictions\n");
-    fwrite($fout, "http_access allow localnet\n");
+    if (isset($auth_method) && ($auth_method == "none")) fwrite($fout, "http_access allow localnet\n");
+ 
     fwrite($fout, "http_access allow localhost\n");
 	fwrite($fout, "\n");
+	
+	fwrite($fout, "#GUI admin to allow local connections\n");
+	if ($config['system']['webgui']['protocol'] == "http")  fwrite($fout, "http_access allow pf_ips pf_networks pf_admin_port\n");
+	if ($config['system']['webgui']['protocol'] == "https") fwrite($fout, "http_access allow CONNECT pf_ips pf_networks pf_admin_port\n");
        		
 	fwrite($fout, "#Deny non web services\n");
     fwrite($fout, "http_access deny !Safe_ports\n");
@@ -420,7 +457,7 @@ function global_write_squid_config() {
     fwrite($fout, "\n");
             
     fwrite($fout, "#Set custom configured ACLs\n");
-    if (isset($auth_method) and ($auth_method != "no_auth")) {
+    if (isset($auth_method) && ($auth_method != "none")) {
     	fwrite($fout, "http_access allow pf_networks for_inetusers within_timeframe\n");
     }
     
diff --git a/packages/squid_ng.xml b/packages/squid_ng.xml
index b47b5416..06a86634 100644
--- a/packages/squid_ng.xml
+++ b/packages/squid_ng.xml
@@ -22,12 +22,6 @@
 		<section>Status</section>
 		<configfile>squid_log.xml</configfile>
 	</menu> -->
-
-	<additional_files_needed>
-		<prefix>/usr/local/pkg/</prefix>
-		<chmod>0755</chmod>
-		<item>http://www.pfsense.com/packages/config/squid.xml</item>
-	</additional_files_needed>
 			
 	<additional_files_needed>
 		<prefix>/usr/local/pkg/</prefix>
@@ -35,13 +29,13 @@
 		<item>http://www.pfsense.com/packages/config/squid_cache.xml</item>
 	</additional_files_needed>
 	
-	<additional_files_needed>
+    <additional_files_needed>
 	    <prefix>/usr/local/pkg/</prefix>
 	    <chmod>0755</chmod>
 	    <item>http://www.pfsense.com/packages/config/squid_nac.xml</item>
 	</additional_files_needed>
     	
-	<additional_files_needed>
+    <additional_files_needed>
 	    <prefix>/usr/local/pkg/</prefix>
 	    <chmod>0755</chmod>
 	    <item>http://www.pfsense.com/packages/config/squid_ng.inc</item>
@@ -64,12 +58,6 @@
 		<chmod>0755</chmod>
 		<item>http://www.pfsense.com/packages/config/squid_auth.xml</item>
 	</additional_files_needed>
-
-	<additional_files_needed>
-		<prefix>/usr/local/pkg/</prefix>
-		<chmod>0755</chmod>
-		<item>http://www.pfsense.com/packages/config/squid_auth.inc</item>
-	</additional_files_needed>
 	
 	<additional_files_needed>
 		<prefix>/usr/local/pkg/</prefix>
@@ -361,33 +349,35 @@
 		
 		if (!file_exists("/var/squid/logs")) {
 			mwexec("mkdir -p /var/squid/logs");
-			mwexec("chown squid:squid /var/squid/logs");
 		}
+		mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
+		
 		
 		if (!file_exists("/var/squid/cache")) {
 			mwexec("mkdir -p /var/squid/cache");
-			mwexec("chown squid:squid /var/squid/cache");
 		}
+		mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
+		
 		
 		if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
 			mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
-			mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
 		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
 		
 		if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
 			mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
-			mwexec("chown squid:squid /usr/local/etc/squid/advanced/ncsa");
 		}
-		
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
+			
 		if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
 			mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
-			mwexec("chown squid:squid /usr/local/etc/squid/advanced/ntlm");
 		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");		
 		
 		if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
 			mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
-			mwexec("chown squid:squid /usr/local/etc/squid/advanced/radius");
 		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
 		
 		update_output_window("Initializing Cache... This may take a moment...");
 		mwexec("/usr/local/sbin/squid -z");
@@ -398,10 +388,15 @@
 	</custom_php_install_command>
 
 	<custom_php_deinstall_command>
+		update_output_window("Stopping proxy service...");
+		mwexec("/usr/local/sbin/squid -k shutdown");
+	
+		update_output_window("Recursively removing directories hierarchies...");
 		mwexec("rm -rf /usr/local/squid");
 		mwexec("rm -rf /var/squid/cache");	
 		mwexec("rm -rf /usr/local/etc/squid");
 		
+		update_output_window("Removing configuration files...");
 		unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
 		unlink_if_exists("/usr/local/etc/squid");
 		unlink_if_exists("/usr/local/libexec/squid");