authorRenato Botelho <renato@netgate.com>2015-11-30 14:03:01 -0200
committerRenato Botelho <renato@netgate.com>2015-11-30 14:03:01 -0200
commit1ffd0c4e5b8a4f7e4d729b535397d59f4284d34e (patch)
treeb47227b22255b2d7c6ca73805675d6e1236f6a46
parenta438e606188e774fe195cba1dc94a0b61d591ec1 (diff)
parent0ba2a29b68eddd9b8ffa616d1375117c3761100e (diff)
Merge pull request #1194 from doktornotor/patch-1
-rwxr-xr-xconfig/squid3/34/squid.inc156
-rw-r--r--config/squid3/34/squid.xml78
-rw-r--r--config/squid3/34/squid_antivirus.inc6
-rwxr-xr-xconfig/squid3/34/squid_auth.xml3
-rwxr-xr-xconfig/squid3/34/squid_reverse.inc205
-rwxr-xr-xconfig/squid3/34/squid_reverse_general.xml84
-rwxr-xr-xconfig/squid3/34/squid_reverse_peer.xml11
-rwxr-xr-xconfig/squid3/34/squid_reverse_redir.xml7
-rwxr-xr-xconfig/squid3/34/squid_reverse_sync.xml7
-rwxr-xr-xconfig/squid3/34/squid_reverse_uri.xml6
-rwxr-xr-xconfig/squid3/34/squid_sync.xml7
-rwxr-xr-xconfig/squid3/34/squid_upstream.xml3
-rw-r--r--pkg_config.10.xml2
13 files changed, 416 insertions, 159 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index aab4d134..952d50d8 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -66,7 +66,7 @@ define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid');
define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf');
define('SQUID_ACLDIR', '/var/squid/acl');
define('SQUID_PASSWD', '/var/etc/squid.passwd');
-define('SQUID_SSL_DB','/var/squid/lib/ssl_db');
+define('SQUID_SSL_DB', '/var/squid/lib/ssl_db');
$valid_acls = array();
@@ -148,15 +148,11 @@ function squid_enabled() {
// check whether Squid is enabled ...
if ($config['installedpackages']['squid']['config'][0]['enable_squid'] == "on") {
// ... and has at least one interface configured ...
- if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") {
+ if (!empty($config['installedpackages']['squid']['config'][0]['active_interface'])) {
+ $proxy_enabled = true;
+ // ... or whether Squid reverse proxy is enabled
+ } elseif (squid_reverse_enabled()) {
$proxy_enabled = true;
- } else {
- // ... or has at least one reverse interface configured
- if (is_array($config['installedpackages']['squidreversegeneral']['config'])) {
- if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") {
- $proxy_enabled = true;
- }
- }
}
}
}
@@ -724,16 +720,27 @@ function squid_validate_general($post, &$input_errors) {
// force users to configure cache
if (!is_array($config['installedpackages']['squidcache']['config'])) {
- $input_errors[] = 'Please, configure and save \'Local Cache\' settings first.';
+ $input_errors[] = "Please, configure and save 'Local Cache' settings first.";
}
- $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $port = $post['proxy_port'] ? $post['proxy_port'] : $port;
+ // force users to select at least one proxy or reverse proxy interface when enabling Squid
+ if ($post['enable_squid'] == "on") {
+ // if reverse proxy is configured, perhaps the user wants to use the reverse proxy features only
+ if (!squid_reverse_enabled()) {
+ if (empty($post['active_interface'])) {
+ $input_errors[] = "You must select at least one interface under 'Proxy Interface(s)' to enable Squid proxy.";
+ $input_errors[] = "If you intend to use Squid as reverse proxy ONLY, then visit Services: Squid Proxy Server: General, configure and save the reverse proxy settings first.";
+ }
+ } else {
+ log_error("[squid] Enabled as reverse proxy ONLY. If this is not what you intended, visit Services: Squid Proxy Server: General and configure proxy interfaces.");
+ }
+ }
$icp_port = trim($post['icp_port']);
if (!empty($icp_port) && !is_port($icp_port)) {
- $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field.';
+ $input_errors[] = "You must enter a valid port number in the 'ICP port' field.";
}
+ unset($icp_port);
if (substr($post['log_dir'], -1, 1) == '/') {
$input_errors[] = 'Log location must not end with a / character.';
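Review bot: The log_error() call on the reverse-proxy-only branch sits inside squid_validate_general(), so it fires on every save of the General form rather than once when the configuration is applied; the validators in this file otherwise only append to $input_errors and have no side effects. Consider moving that message into squid_resync_general(), or dropping it, since the later hunk in squid_generate_rules() already logs the reverse-proxy-only condition when rules are skipped. squid_validate_general() continues past the end of this hunk.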
@@ -748,26 +755,63 @@ function squid_validate_general($post, &$input_errors) {
}
$log_rotate = trim($post['log_rotate']);
-
if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) {
$input_errors[] = "You must enter a valid number of days in the 'Log rotate' field.";
}
+ unset($log_rotate);
+ // check that the proxy port does not clash with WebGUI
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $port = $post['proxy_port'] ? $post['proxy_port'] : $port;
$webgui_port = $config['system']['webgui']['port'];
-
if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
$webgui_port = 80;
}
if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
$webgui_port = 443;
}
-
if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
$input_errors[] = "You can not run Squid on the same port as the pfSense WebGUI";
}
+ unset($port, $webgui_port);
+
+ if ($post['transparent_proxy'] == 'on') {
+ if (empty($post['transparent_active_interface'])) {
+ $input_errors[] = "You must select at least one interface under 'Transparent Proxy Interface(s)' when 'Transparent HTTP Proxy' is enabled.";
+ } else {
+ // allow transparent proxy only on interfaces where Squid is actually running to keep configuration sane
+ $a_ifaces = $post['active_interface'] ?: array();
+ $t_ifaces = $post['transparent_active_interface'];
+ foreach ($t_ifaces as $t_iface) {
+ if (!in_array($t_iface, $a_ifaces)) {
+ $err_iface = convert_friendly_interface_to_friendly_descr($t_iface);
+ $input_errors[] = "'Transparent Proxy Interface(s)' may only contain interfaces also selected in 'Proxy Interface(s)' above. '{$err_iface}' is not valid.";
+ unset($err_iface);
+ }
+ }
+ unset($a_ifaces, $t_iface, $t_ifaces);
+ }
+ }
- if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) {
- $input_errors[] = "SSL interception cannot be enabled without a CA.";
+ if ($post['ssl_proxy'] == 'on') {
+ if ($post['dca'] == 'none') {
+ $input_errors[] = "SSL interception cannot be enabled without a CA.";
+ }
+ if (empty($post['ssl_active_interface'])) {
+ $input_errors[] = "You must select at least one interface under 'SSL Intercept Interface(s)' when 'HTTPS/SSL Interception' is enabled.";
+ } else {
+ // allow HTTPS/SSL Interception only on interfaces where Squid is actually running to keep configuration sane
+ $a_ifaces = $post['active_interface'] ?: array();
+ $s_ifaces = $post['ssl_active_interface'];
+ foreach ($s_ifaces as $s_iface) {
+ if (!in_array($s_iface, $a_ifaces)) {
+ $err_iface = convert_friendly_interface_to_friendly_descr($s_iface);
+ $input_errors[] = "'SSL Intercept Interface(s)' may only contain interfaces also selected in 'Proxy Interface(s)' above. '{$err_iface}' is not valid.";
+ unset($err_iface);
+ }
+ }
+ unset($a_ifaces, $s_ifaces, $s_iface);
+ }
}
foreach (array('defined_ip_proxy_off') as $hosts) {
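Review bot: The CA check now only rejects the literal 'none', so an empty or missing `dca` value (the case the replaced `== ''` comparison caught) passes validation and HTTPS/SSL interception can be saved without a CA. Guard both forms: `if (empty($post['dca']) || $post['dca'] == 'none') {`. The two new interface loops for transparent and SSL interfaces are identical apart from the field name and error label; a small helper taking those two strings would remove the duplicated block. squid_validate_general() continues past the end of this hunk.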
@@ -778,6 +822,8 @@ function squid_validate_general($post, &$input_errors) {
}
}
}
+ unset($host, $hosts);
+
foreach (array('defined_ip_proxy_off_dest') as $hosts) {
foreach (explode(";", $post[$hosts]) as $host) {
$host = trim($host);
@@ -786,6 +832,7 @@ function squid_validate_general($post, &$input_errors) {
}
}
}
+ unset($host, $hosts);
if (!empty($post['dns_nameservers'])) {
$altdns = explode(";", ($post['dns_nameservers']));
@@ -796,6 +843,7 @@ function squid_validate_general($post, &$input_errors) {
}
}
}
+ unset($altdns, $dnssrv);
}
/* Proxy Server: Remote Proxy Settings input validation */
@@ -823,6 +871,7 @@ function squid_validate_upstream($post, &$input_errors) {
}
}
}
+ unset($port);
}
/* Proxy Server: Cache Management input validation */
@@ -846,17 +895,20 @@ function squid_validate_cache($post, &$input_errors) {
$input_errors[] = "You must enter a valid value for '$field'.";
}
}
+ unset($num_fields);
$value = trim($post['minimum_object_size']);
if (!is_numericint($value)) {
$input_errors[] = "You must enter a valid value for 'Minimum object size'.";
}
+ unset($value);
if (!empty($post['cache_swap_low'])) {
$value = trim($post['cache_swap_low']);
if (!is_numericint($value) || ($value > 100)) {
$input_errors[] = "You must enter a valid value for 'Low-water-mark'.";
}
+ unset($value);
}
if (!empty($post['cache_swap_high'])) {
@@ -864,6 +916,7 @@ function squid_validate_cache($post, &$input_errors) {
if (!is_numericint($value) || ($value > 100)) {
$input_errors[] = "You must enter a valid value for 'High-water-mark'.";
}
+ unset($value);
}
if ($post['donotcache'] != "") {
@@ -873,6 +926,7 @@ function squid_validate_cache($post, &$input_errors) {
$input_errors[] = "The host '$host' is not a valid IP or hostname.";
}
}
+ unset($host);
}
if (substr($post['harddisk_cache_location'], -1, 1) == '/') {
@@ -897,6 +951,7 @@ function squid_validate_nac($post, &$input_errors) {
$input_errors[] = "'Allowed Subnets' must be a valid CIDR range or 'all'. The subnet '$subnet' is not valid.";
}
}
+ unset($allowed_subnets);
foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) {
if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $_POST[$hosts], $matches)) {
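Review bot: The context line following the added unset() reads `$_POST[$hosts]` directly instead of the `$post` parameter that every other check in squid_validate_nac() uses; the commit does not touch it, but it ties the validator to the superglobal and diverges from the sibling validators in this file. Suggest `if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $post[$hosts], $matches)) {`. The function continues on both sides of this hunk.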
@@ -921,6 +976,7 @@ function squid_validate_nac($post, &$input_errors) {
$input_errors[] = "'$mac' is not a valid MAC address.";
}
}
+ unset($mac);
}
foreach (explode(",", $post['timelist']) as $time) {
@@ -929,6 +985,7 @@ function squid_validate_nac($post, &$input_errors) {
$input_errors[] = "The time range '$time' is not a valid time range.";
}
}
+ unset($time);
if (!empty($post['ext_cachemanager'])) {
$extmgr = explode(";", ($post['ext_cachemanager']));
@@ -938,6 +995,7 @@ function squid_validate_nac($post, &$input_errors) {
}
}
}
+ unset($extmgr);
}
/* Proxy server: Traffic Management input validation */
@@ -955,6 +1013,7 @@ function squid_validate_traffic($post, &$input_errors) {
$input_errors[] = "The '$name' field must contain a positive integer.";
}
}
+ unset($num_fields);
if (!empty($post['quick_abort_min'])) {
$value = trim($post['quick_abort_min']);
@@ -982,6 +1041,7 @@ function squid_validate_traffic($post, &$input_errors) {
if ($post['throttle_binaries'] == "" && $post['throttle_cdimages'] == "" && $post['throttle_multimedia'] == "" && $others == "") {
$input_errors[] = "'Throttle Only Specific Extensions' enabled but no extensions specified. Select some options under 'Squid Transfer Extension Settings' or disable this option.";
}
+ unset($others);
}
}
@@ -999,6 +1059,7 @@ function squid_validate_auth($post, &$input_errors) {
$input_errors[] = "The '{$field[1]}' field must contain a valid number greater than {$field[2]}";
}
}
+ unset($num_fields);
$auth_method = $post['auth_method'];
if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) {
@@ -1046,6 +1107,7 @@ function squid_validate_auth($post, &$input_errors) {
}
}
}
+ unset($auth_method, $port, $server, $secret, $user);
}
/* Proxy Server: General Settings configuration handler */
@@ -1108,7 +1170,7 @@ function squid_resync_general() {
}
}
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
+ $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3129);
// Read assigned interfaces
$real_ifaces = array();
@@ -1116,7 +1178,7 @@ function squid_resync_general() {
if ($settings['active_interface']) {
$proxy_ifaces = explode(",", $settings['active_interface']);
} else {
- $proxy_ifaces = array("lan");
+ $proxy_ifaces = array();
}
if ($settings['transparent_proxy'] == "on") {
@@ -1136,7 +1198,7 @@ function squid_resync_general() {
foreach ($ssl_ifaces as $s_iface) {
$s_iface_ip = squid_get_real_interface_address($s_iface);
if ($s_iface_ip[0]) {
- $real_ifaces[]=$s_iface_ip;
+ $real_ifaces[] = $s_iface_ip;
}
}
} else {
@@ -1147,11 +1209,16 @@ function squid_resync_general() {
foreach ($proxy_ifaces as $iface) {
$iface_ip = squid_get_real_interface_address($iface);
if ($iface_ip[0]) {
- $real_ifaces[] = $iface_ip;
- if (in_array($iface, $ssl_ifaces)) {
- $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
+ // do not add loopback twice when transparent proxy is enabled
+ if ($iface_ip[0] == "127.0.0.1" && $settings['transparent_proxy'] == "on") {
+ continue;
} else {
- $conf .= "http_port {$iface_ip[0]}:{$port}\n";
+ $real_ifaces[] = $iface_ip;
+ if (in_array($iface, $ssl_ifaces)) {
+ $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
+ } else {
+ $conf .= "http_port {$iface_ip[0]}:{$port}\n";
+ }
}
}
}
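Review bot: The `else` after `continue;` is redundant and nests the whole http_port block one level deeper than needed; writing the guard as an early skip, `if ($iface_ip[0] == "127.0.0.1" && $settings['transparent_proxy'] == "on") { continue; }` followed by the un-nested body, reads more clearly. The comparison also only recognises the IPv4 loopback address; if squid_get_real_interface_address() can return `::1` for the loopback interface the duplicate listen line would still be emitted — confirm against that helper. squid_resync_general() continues on both sides of this hunk.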
@@ -1165,7 +1232,7 @@ function squid_resync_general() {
}
}
$icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0);
- $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off" );
+ $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off");
$piddir = "{$g['varrun_path']}/squid";
$pidfile = "{$piddir}/squid.pid";
if (!is_dir($piddir)) {
@@ -1237,9 +1304,11 @@ EOD;
}
}
}
- $conf .= "# Allow local network(s) on interface(s)\n";
- $conf .= "acl localnet src $src\n";
- $valid_acls[] = 'localnet';
+ if (!empty($src)) {
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $conf .= "acl localnet src $src\n";
+ $valid_acls[] = 'localnet';
+ }
}
if ($settings['xforward_mode']) {
@@ -1411,25 +1480,33 @@ function squid_resync_upstream() {
function squid_resync_nac() {
global $config, $valid_acls;
- $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
if (is_array($config['installedpackages']['squidnac'])) {
$settings = $config['installedpackages']['squidnac']['config'][0];
} else {
$settings = array();
}
+ if (is_array($config['installedpackages']['squid'])) {
+ $squidsettings = $config['installedpackages']['squid']['config'][0];
+ } else {
+ $squidsettings = array();
+ }
+
$webgui_port = $config['system']['webgui']['port'];
$addtl_ports = $settings['addtl_ports'];
$addtl_sslports = $settings['addtl_sslports'];
- $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
+ // do not add (default) proxy ports when using Squid as reverse proxy only
+ if (!empty($squidsettings['active_interface'])) {
+ $port = $squidsettings['proxy_port'] ? $squidsettings['proxy_port'] : 3128;
+ $ssl_port = $squidsettings['ssl_proxy_port'] ? $squidsettings['ssl_proxy_port'] : 3129;
+ }
$conf = <<< EOD
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
-acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports
-acl sslports port 443 563 $webgui_port $addtl_sslports
+acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 {$webgui_port} {$port} {$ssl_port} 1025-65535 {$addtl_ports}
+acl sslports port 443 563 {$webgui_port} {$addtl_sslports}
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
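Review bot: `$port` and `$ssl_port` are now only assigned when active_interface is non-empty, so in the reverse-proxy-only case the heredoc interpolates two undefined variables (PHP notices, and stray whitespace in the safeports line). Initialise them before the check, `$port = ''; $ssl_port = '';`, or collect the ports in an array and implode it so nothing is emitted when they are unset. squid_resync_nac() continues past the end of this hunk.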
@@ -1731,9 +1808,9 @@ function squid_resync_auth() {
$conf .= "always_direct allow all\n";
$conf .= "ssl_bump server-first all\n";
}
- $conf .= "# Setup allowed acls\n";
+ $conf .= "# Setup allowed ACLs\n";
$allowed = array('allowed_subnets');
- if ($settingsconfig['allow_interface'] == 'on') {
+ if ($settingsconfig['allow_interface'] == 'on' && !empty($settingsconfig['active_interface'])) {
$conf .= "# Allow local network(s) on interface(s)\n";
$allowed[] = "localnet";
}
@@ -1952,10 +2029,13 @@ function squid_generate_rules($type) {
file_put_contents($cp_file, $new_cp_inc, LOCK_EX);
}
- // do not install any firewall rules if Squid is disabled
+ // do not install any firewall rules if Squid is disabled or used as reverse proxy only
if (!squid_enabled()) {
log_error("[squid] Installed but disabled. Not installing '{$type}' rules.");
return;
+ } elseif (empty($squid_conf['active_interface'])) {
+ log_error("[squid] Configured as reverse proxy only. Not installing '{$type}' rules.");
+ return;
}
// normal squid rule check
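Review bot: The new `elseif (empty($squid_conf['active_interface']))` branch relies on `$squid_conf` already being populated at this point in squid_generate_rules(); the next hunk in this function reads it further down, but its assignment is not visible here — if it happens below this block, the branch fires on every call and no rules are ever installed. Please confirm the assignment precedes this check. Note also that this test and squid_enabled() both inspect active_interface, so the two conditions overlap and could be expressed once. The function continues on both sides of this hunk.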
@@ -1984,7 +2064,7 @@ function squid_generate_rules($type) {
}
$port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128);
- $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127);
+ $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3129);
$fw_aliases = filter_generate_aliases();
if (strstr($fw_aliases, "pptp =")) {
diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml
index 28326d7f..82fe44b8 100644
--- a/config/squid3/34/squid.xml
+++ b/config/squid3/34/squid.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squid</name>
- <version>0.4.0</version>
+ <version>0.4.5</version>
<title>Proxy Server: General Settings</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<menu>
@@ -254,7 +254,7 @@
<description>
<![CDATA[
Check to enable the Squid proxy.<br/>
- Note: If unchecked, <strong>all</strong> Squid services will be disabled and stopped.<br/>
+ <strong><span class="errmsg">Note:</span> If unchecked, ALL Squid services will be disabled and stopped.</strong>
]]>
</description>
<type>checkbox</type>
@@ -277,21 +277,24 @@
<description>
<![CDATA[
The interface(s) the proxy server will bind to.<br/>
- <strong>Note: Use CTRL + click to select multiple interfaces.</strong>
+ Note: Use CTRL + click to select multiple interfaces.
]]>
</description>
<type>interfaces_selection</type>
- <required/>
<default_value>lan</default_value>
<multiple/>
</field>
<field>
<fielddescr>Proxy Port</fielddescr>
<fieldname>proxy_port</fieldname>
- <description>This is the port the proxy server will listen on.</description>
+ <description>
+ <![CDATA[
+ This is the port the proxy server will listen on.<br/>
+ (Default: 3128)
+ ]]>
+ </description>
<type>input</type>
<size>5</size>
- <required/>
<default_value>3128</default_value>
</field>
<field>
@@ -386,12 +389,12 @@
<description>
<![CDATA[
The interface(s) the proxy server will transparently intercept requests on.<br/>
- <strong>Note: Use CTRL + click to select multiple interfaces.</strong>
+ Note: Use CTRL + click to select multiple interfaces.
]]>
</description>
<type>interfaces_selection</type>
- <required/>
<default_value>lan</default_value>
+ <hideinterfaceregex>loopback</hideinterfaceregex>
<multiple/>
</field>
<field>
@@ -410,7 +413,7 @@
<description>
<![CDATA[
Do not forward traffic from these <strong>source</strong> IPs, CIDR nets, hostnames, or aliases through the proxy server but let it pass directly through the firewall.
- (Applies only to transparent mode.)<br/><br/>
+ (Applies only to transparent mode.)<br/>
<strong>Note: Separate entries by semi-colons (;)</strong>
]]>
</description>
@@ -422,8 +425,8 @@
<fieldname>defined_ip_proxy_off_dest</fieldname>
<description>
<![CDATA[
- Do not proxy traffic going to these <strong>destination</strong> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.<br/>
- (Applies only to transparent mode.)<br/><br/>
+ Do not proxy traffic going to these <strong>destination</strong> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.
+ (Applies only to transparent mode.)<br/>
<strong>Note: Separate entries by semi-colons (;)</strong>
]]>
</description>
@@ -435,7 +438,7 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>HTTPS/SSL interception</fielddescr>
+ <fielddescr>HTTPS/SSL Interception</fielddescr>
<fieldname>ssl_proxy</fieldname>
<description>Enable SSL filtering.</description>
<type>checkbox</type>
@@ -447,18 +450,23 @@
<description>
<![CDATA[
The interface(s) the proxy server will intercept SSL requests on.<br/>
- <strong>Note: Use CTRL + click to select multiple interfaces.</strong>
+ Note: Use CTRL + click to select multiple interfaces.
]]>
</description>
<type>interfaces_selection</type>
- <required/>
<default_value>lan</default_value>
+ <hideinterfaceregex>loopback</hideinterfaceregex>
<multiple/>
</field>
<field>
<fielddescr>SSL Proxy port</fielddescr>
<fieldname>ssl_proxy_port</fieldname>
- <description>This is the port the proxy server will listen on to intercept SSL while using transparent proxy.</description>
+ <description>
+ <![CDATA[
+ This is the port the proxy server will listen on to intercept SSL while using transparent proxy.<br/>
+ (Default: 3129)
+ ]]>
+ </description>
<type>input</type>
<size>5</size>
<default_value>3129</default_value>
@@ -477,6 +485,8 @@
<source><![CDATA[$config['ca']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
</field>
<field>
<fielddescr>SSL Certificate Deamon Children</fielddescr>
@@ -514,7 +524,7 @@
<description>
<![CDATA[
Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br/>
- Hint: Set the subject CN - see <a href="http://wiki.squid-cache.org/Features/MimicSslServerCert">fake certificate properties documentation</a> for details.
+ <strong>Hint:</strong> Set the subject CN - see <a href="http://wiki.squid-cache.org/Features/MimicSslServerCert">fake certificate properties documentation</a> for details.
]]>
</description>
<type>select</type>
@@ -565,6 +575,25 @@
<size>5</size>
</field>
<field>
+ <fielddescr>Log Pages Denied by SquidGuard</fielddescr>
+ <fieldname>log_sqd</fieldname>
+ <description>
+ <![CDATA[
+ Makes it possible for SquidGuard denied log to be included on Squid logs.<br/>
+ <strong>Note: This option will only work if you include the code below in your sgerror.php file.</strong><br/>
+ This forces the client browser to send a second request to Squid with the denied string in URL.<br/><br/>
+ $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");<br/>
+ $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br/><br/>
+ <strong>Hint: You MUST remove extra spaces in the above iframe HTML tags.</strong>
+ ]]>
+ </description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>Headers Handling, Language and Other Customizations</name>
+ <type>listtopic</type>
+ </field>
+ <field>
<fielddescr>Visible Hostname</fielddescr>
<fieldname>visible_hostname</fieldname>
<description>This is the hostname to be displayed in proxy server error messages.</description>
@@ -663,21 +692,6 @@
<type>checkbox</type>
</field>
<field>
- <fielddescr>Log Pages Denied by SquidGuard</fielddescr>
- <fieldname>log_sqd</fieldname>
- <description>
- <![CDATA[
- Makes it possible for SquidGuard denied log to be included on Squid logs.<br/>
- <strong>Note: This option will only work if you include the code below in your sgerror.php file.</strong><br/>
- This forces the client browser to send a second request to Squid with the denied string in URL.<br/><br/>
- $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");<br/>
- $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br/><br/>
- <strong>Hint: You MUST remove extra spaces in the above iframe HTML tags.</strong>
- ]]>
- </description>
- <type>checkbox</type>
- </field>
- <field>
<fielddescr>URI Whitespace Characters Handling</fielddescr>
<fieldname>uri_whitespace</fieldname>
<description>
@@ -710,7 +724,7 @@
<fieldname>custom_options</fieldname>
<description>
<![CDATA[
- Squid options added from packages like SquidGuard or HAVP for Squid integration.
+ Squid options added from packages like SquidGuard for Squid integration.
]]>
</description>
<type>textarea</type>
diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc
index 82768f4b..e22ae039 100644
--- a/config/squid3/34/squid_antivirus.inc
+++ b/config/squid3/34/squid_antivirus.inc
@@ -392,14 +392,14 @@ EOF;
$freshclam_m[0] = "@#This file was automatically generated by pfSense@";
$freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration";
$clamav_mirrors = "";
- if ($antivirus_config['clamav_dbregion'] != "") {
- $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n";
- }
if ($antivirus_config['clamav_dbservers'] != "") {
foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) {
$clamav_mirrors .= "DatabaseMirror {$dbserver}\n";
}
}
+ if ($antivirus_config['clamav_dbregion'] != "") {
+ $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n";
+ }
if ($clamav_mirrors != "") {
$freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@";
$freshclam_r[1] = "{$clamav_mirrors}";
diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml
index 58a0bf12..2c36fcf3 100755
--- a/config/squid3/34/squid_auth.xml
+++ b/config/squid3/34/squid_auth.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidauth</name>
- <version>0.3.5</version>
+ <version>0.4.5</version>
<title>Proxy Server: Authentication</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -98,7 +98,6 @@
<fieldname>auth_method</fieldname>
<description>Select an authentication method. This will allow users to be authenticated by local or external services.</description>
<type>select</type>
- <required/>
<default_value>none</default_value>
<options>
<option><name>None</name><value>none</value></option>
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc
index b302c8b1..74aab0a1 100755
--- a/config/squid3/34/squid_reverse.inc
+++ b/config/squid3/34/squid_reverse.inc
@@ -30,6 +30,7 @@
POSSIBILITY OF SUCH DAMAGE.
*/
require_once('certs.inc');
+require_once("pfsense-utils.inc");
require_once('util.inc');
/* This file is currently only being included in squid.inc and not used separately */
// require_once('squid.inc');
@@ -41,48 +42,85 @@ function squid_resync_reverse() {
// config file
if (is_array($config['installedpackages']['squidreversegeneral'])) {
$settings = $config['installedpackages']['squidreversegeneral']['config'][0];
+ } else {
+ $settings = array();
}
if (is_array($config['installedpackages']['squidreversepeer'])) {
$reverse_peers = $config['installedpackages']['squidreversepeer']['config'];
+ } else {
+ $reverse_peers = array();
}
if (is_array($config['installedpackages']['squidreverseuri'])) {
$reverse_maps = $config['installedpackages']['squidreverseuri']['config'];
+ } else {
+ $reverse_maps = array();
}
if (is_array($config['installedpackages']['squidreverseredir'])) {
$reverse_redir = $config['installedpackages']['squidreverseredir']['config'];
+ } else {
+ $reverse_redir = array();
}
$conf = "# Reverse Proxy settings\n";
- if (isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
- $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
+ if (isset($settings['reverse_ssl_cert']) && $settings['reverse_ssl_cert'] != "none") {
+ $svr_cert = lookup_cert($settings['reverse_ssl_cert']);
if ($svr_cert != false) {
if (base64_decode($svr_cert['crt'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", sq_text_area_decode($svr_cert['crt']));
- $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt", sq_text_area_decode($svr_cert['crt']));
+ $reverse_crt = SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt";
}
if (base64_decode($svr_cert['prv'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", sq_text_area_decode($svr_cert['prv']));
- $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.key", sq_text_area_decode($svr_cert['prv']));
+ $reverse_key = SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.key";
}
}
}
if (!empty($settings['reverse_int_ca'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX);
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX);
+ }
+
+ if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on") {
+ if (isset($settings['reverse_ssl_clientca']) && $settings['reverse_ssl_clientca'] != 'none') {
+ $clientca_cert = lookup_ca($settings['reverse_ssl_clientca']);
+ $clientca_opts = '';
+ if ($clientca_cert != false) {
+ if (base64_decode($clientca_cert['crt'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", sq_text_area_decode($clientca_cert['prv']));
+ $clientca_opts = "clientca=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt";
+ }
+ if (base64_decode($clientca_cert['prv'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", "\n" . sq_text_area_decode($clientca_cert['crt']), FILE_APPEND | LOCK_EX);
+ }
+ }
+ }
+ if (isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') {
+ $crl = lookup_crl($settings['reverse_ssl_clientcrl']);
+ crl_update($crl);
+ if ($crl != false) {
+ if (base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text']));
+ $clientca_opts .= " crlfile=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl sslflags=VERIFY_CRL";
+ }
+ }
+ }
}
$ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
$real_ifaces = array();
// set HTTP port and defsite
- $http_port = (empty($settings['reverse_http_port']) ? "80" : $settings['reverse_http_port']);
+ $http_port = (!is_port($settings['reverse_http_port']) ? "80" : $settings['reverse_http_port']);
$http_defsite = (empty($settings['reverse_http_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_http_defsite']);
// set HTTPS port and defsite
- $https_port = (empty($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']);
+ $https_port = (!is_port($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']);
$https_defsite = (empty($settings['reverse_https_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_https_defsite']);
+ // Ignore Internal Certificate Validation
+ $sslflags = ($settings['reverse_ignore_ssl_valid'] == "on" ? "sslflags=DONT_VERIFY_PEER" : "");
+
foreach (explode(",", $ifaces) as $i => $iface) {
$real_ifaces[] = squid_get_real_interface_address($iface);
if ($real_ifaces[$i][0]) {
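Review bot: The client-CA block writes the CA's private key into the `.crt` file that `clientca=` points at: `file_put_contents(... '.crt', sq_text_area_decode($clientca_cert['prv']))` runs under the `base64_decode($clientca_cert['crt'])` test, and the certificate itself is only appended afterwards when a private key exists. For an imported CA with no key the file ends up empty and client verification cannot succeed; for an internal CA the private key is copied into the squid configuration directory, which clientca verification never needs. `$clientca_opts` is also only initialised inside the clientca branch, so with a CRL configured but no CA the `.=` below and the `{$clientca_opts}` interpolated into https_port in the next hunk operate on an undefined variable, and `crl_update($crl)` is called before `$crl != false` is checked (the same ordering appears in squid_refresh_crl() in the last hunk of this file). Initialise `$clientca_opts` before the outer if, write only the certificate, and test `$crl` before updating it.

```php
	$clientca_opts = '';
	if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on") {
		if (isset($settings['reverse_ssl_clientca']) && $settings['reverse_ssl_clientca'] != 'none') {
			$clientca_cert = lookup_ca($settings['reverse_ssl_clientca']);
			// clientca= needs the CA certificate only; the CA private key must not be copied here
			if ($clientca_cert != false && base64_decode($clientca_cert['crt'])) {
				file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", sq_text_area_decode($clientca_cert['crt']));
				$clientca_opts = "clientca=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt";
			}
		}
		if (isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') {
			$crl = lookup_crl($settings['reverse_ssl_clientcrl']);
			if ($crl != false) {
				crl_update($crl);
				if (base64_decode($crl['text'])) {
					file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text']));
					$clientca_opts .= " crlfile=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl sslflags=VERIFY_CRL";
				}
			}
		}
	}
	// … unchanged: interface, port, defsite and sslflags setup …
```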
@@ -92,7 +130,7 @@ function squid_resync_reverse() {
}
//HTTPS
if (!empty($settings['reverse_https'])) {
- $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} {$clientca_opts} defaultsite={$https_defsite} vhost\n";
}
}
}
@@ -112,13 +150,13 @@ function squid_resync_reverse() {
}
// peers
- if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) {
+ if ($settings['reverse_owa'] == 'on') {
if (!empty($settings['reverse_owa_ip'])) {
$reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
$casnr = 0;
foreach ($reverse_owa_ip as $reowaip) {
$casnr++;
- $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n";
+ $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl {$sslflags} front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n";
$conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n";
}
}
@@ -131,7 +169,7 @@ function squid_resync_reverse() {
$conf_peer = "#{$rp['description']}\n";
$conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
if ($rp['protocol'] == 'HTTPS') {
- $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
+ $conf_peer .= "ssl {$sslflags} front-end-https=auto ";
}
$conf_peer .= "name=rvp_{$rp['name']}\n\n";
@@ -259,7 +297,7 @@ function squid_resync_reverse() {
$conf .= "http_access allow OWA_URI_pfs\n";
}
- $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n";
+ $conf .= $cache_peer_allow_conf . $cache_peer_deny_conf . $cache_peer_never_direct_conf . $http_access_conf . "\n";
if (!empty($settings['deny_info_tcp_reset'])) {
$conf .= "deny_info TCP_RESET allsrc\n";
@@ -268,6 +306,46 @@ function squid_resync_reverse() {
return $conf;
}
+/* Refresh Client Certificate Revocation List */
+function squid_refresh_crl() {
+ global $config;
+
+ if (is_array($config['installedpackages']['squidreversegeneral'])) {
+ $settings = $config['installedpackages']['squidreversegeneral']['config'][0];
+ } else {
+ $settings = array();
+ }
+
+ if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on" && isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') {
+ $crl = lookup_crl($settings['reverse_ssl_clientcrl']);
+ crl_update($crl);
+ if ($crl != false) {
+ if (base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text']));
+ }
+ }
+ }
+}
+
+/* Check whether Squid reverse proxy is enabled */
+function squid_reverse_enabled() {
+ global $config, $reverse_proxy_enabled;
+ $reverse_proxy_enabled = false;
+
+ if (is_array($config['installedpackages']['squidreversegeneral']['config'])) {
+ // check whether HTTP or HTTPS reverse proxy is enabled ...
+ if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_http'] == "on" ||
+ $config['installedpackages']['squidreversegeneral']['config'][0]['reverse_https'] == "on") {
+ // ... and has at least one reverse interface configured
+ if (!empty($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'])) {
+ $reverse_proxy_enabled = true;
+ }
+ }
+ }
+
+ return $reverse_proxy_enabled;
+}
+
/* Migrate reverse proxy configuration from old Squid package versions */
function squid_reverse_upgrade_config() {
global $config;
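Review bot: In `squid_refresh_crl()` the `crl_update($crl)` call precedes the `$crl != false` guard, so a CRL refid that `lookup_crl()` no longer resolves is passed to `crl_update()` as `false`; move the call inside the guard and compare strictly, `if ($crl !== false) { crl_update($crl); ... }`. The write path checks `base64_decode($crl['text'])` but writes `sq_text_area_decode($crl['text'])`; unless those are guaranteed to agree, the check does not protect the file Squid will read, so use the same decoder for both. `squid_reverse_enabled()` also assigns the global `$reverse_proxy_enabled` as a side effect of what reads like a pure query, and indexes `['config'][0]['reverse_http']` without `isset`; a local variable would do unless another caller depends on the global, in which case a comment should say so.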
@@ -325,51 +403,84 @@ function squid_reverse_upgrade_config() {
function squid_validate_reverse($post, &$input_errors) {
global $config;
+ /* Manually refresh client CRL */
+ if ($post['refresh_crl'] == 'Refresh CRL') {
+ log_error("[squid] Client Certificate Revocation List refresh forced via GUI. Refreshing now...");
+ squid_refresh_crl();
+ }
+
+ if ($post['reverse_http'] == 'on' || $post['reverse_https'] == 'on') {
+ if (empty($post['reverse_interface'])) {
+ $input_errors[] = "You must select at least one interface under 'Reverse Proxy Interface(s)' to enable HTTP Reverse Proxy.";
+ }
+ $fqdn = trim($post['reverse_external_fqdn']);
+ if (empty($fqdn) || !is_domain($fqdn)) {
+ $input_errors[] = "'External FQDN' field must contain a valid domain name.";
+ }
+ unset($fqdn);
+ }
+
if (!empty($post['reverse_ip'])) {
$reverse_ip = explode(";", ($post['reverse_ip']));
foreach ($reverse_ip as $reip) {
- if (!is_ipaddr(trim($reip))) {
- $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid.";
+ if (!is_ipaddr_configured(trim($reip))) {
+ $input_errors[] = "You must enter a valid, locally configured IP address in the 'User Defined Reverse Proxy IPs' field. '$reip' is invalid.";
}
}
+ unset($reverse_ip);
}
- $fqdn = trim($post['reverse_external_fqdn']);
- if (!empty($fqdn) && !is_domain($fqdn)) {
- $input_errors[] = "'External FQDN' field must contain a valid domain name.";
+ if ($post['reverse_http'] == 'on') {
+ $port = trim($post['reverse_http_port']);
+ preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange);
+ if (!is_port($port)) {
+ $input_errors[] = "'Reverse HTTP port' must contain a valid port number.";
+ }
+ if (is_port($port) && $port <= $portrange[1]) {
+ $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
+ $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon.";
+ }
+ unset($port, $portrange);
}
- $port = trim($post['reverse_http_port']);
- preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange);
- if (!empty($port) && !is_port($port)) {
- $input_errors[] = "'Reverse HTTP port' must contain a valid port number.";
- }
- if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
- $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
- $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon.";
- }
- $port = trim($post['reverse_https_port']);
- if (!empty($port) && !is_port($port)) {
- $input_errors[] = "'Reverse HTTPS port' must contain a valid port number.";
- }
- if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
- $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
- $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon.";
- }
- if ($post['reverse_ssl_cert'] == 'none') {
- $input_errors[] = 'A valid certificate for the external interface must be selected';
- }
+ if ($post['reverse_https'] == 'on') {
+ $port = trim($post['reverse_https_port']);
+ preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange);
+ if (!is_port($port)) {
+ $input_errors[] = "'Reverse HTTPS port' must contain a valid port number.";
+ }
+ if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
+ $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
+ $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon.";
+ }
+ unset($port, $portrange);
+
+ if ($post['reverse_ssl_cert'] == 'none') {
+ $input_errors[] = "A valid certificate for the external interface must be selected when 'HTTPS Reverse Proxy' is enabled.";
+ }
- if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
- $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
+ if ($post['reverse_check_clientca'] == 'on') {
+ if ($post['reverse_ssl_clientca'] == 'none') {
+ $input_errors[] = "A valid 'Client Certificate CA' must be selected when 'Check Client Certificate' is enabled";
+ }
+ }
}
- if (!empty($post['reverse_owa_ip'])) {
- $reverse_owa_ip = explode(";", ($post['reverse_owa_ip']));
- foreach ($reverse_owa_ip as $reowaip) {
- if (!is_ipaddr(trim($reowaip))) {
- $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. '$reowaip' is invalid.";
+ if ($post['reverse_owa'] == 'on') {
+ if ($post['reverse_https'] != 'on') {
+ $input_errors[] = "You have to enable HTTPS Reverse Proxy to enable OWA support.";
+ }
+
+ if (!empty($post['reverse_owa_ip'])) {
+ $reowaips = explode(";", ($post['reverse_owa_ip']));
+ foreach ($reowaips as $reowaip) {
+ if (!is_ipaddr(trim($reowaip))) {
+ $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA Frontend IP Address(es)' field. '$reowaip' is invalid.";
+ }
}
+ unset($reowaips);
+ } else {
+ $input_errors[] = "You must enter at least one valid IP address in the 'CAS-Array / OWA Frontend IP Address(es)' field.";
}
}
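Review bot: The 'Refresh CRL' branch at the top of `squid_validate_reverse()` performs a side effect inside a validation callback: it rewrites the CRL file under SQUID_CONFBASE before any `$input_errors` below are known, and it does so from the saved `$config`, not from the `$post` being validated. Either gate it on the form having passed validation, e.g. `if ($post['refresh_crl'] == 'Refresh CRL' && empty($input_errors)) { squid_refresh_crl(); }` placed at the end of the function, or move it to the save/resync path. The HTTPS branch repeats the `shell_exec` sysctl lookup already made in the HTTP branch, and its low-port check keeps a `!empty($port) &&` that is redundant with `is_port($port)` and inconsistent with the HTTP branch; read `reservedhigh` once above both blocks and drop the extra test. The function body continues past this hunk.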
@@ -388,7 +499,9 @@ function squid_validate_reverse($post, &$input_errors) {
$input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration.";
}
}
+ unset($cfg, $defs);
}
+ unset($contents);
}
?>
diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml
index 90babcd0..def3b55c 100755
--- a/config/squid3/34/squid_reverse_general.xml
+++ b/config/squid3/34/squid_reverse_general.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidreversegeneral</name>
- <version>0.3.8</version>
+ <version>0.4.5</version>
<title>Reverse Proxy Server: General</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -78,16 +78,18 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Reverse Proxy Interface</fielddescr>
+ <fielddescr>Reverse Proxy Interface(s)</fielddescr>
<fieldname>reverse_interface</fieldname>
<description>
<![CDATA[
- The interface(s) the reverse-proxy server will bind to.<br/>
- Use CTRL + click to select multiple interfaces.
+ The interface(s) the reverse-proxy server will bind to (usually WAN).<br/>
+ Use CTRL + click to select multiple interfaces.<br/><br/>
+ <strong><span class="errmsg">Important:</span><br/></strong>
+ <strong>To use Squid as a reverse proxy ONLY:</strong> After saving configuration here, you must tick the 'Enable Squid Proxy' checkbox under Services - Squid Proxy Server - General and click Save there.<br/>
+ <strong>To disable the reverse proxy ONLY (without disabling Squid completely):</strong> Unselect all 'Reverse Proxy Interface(s)', uncheck both 'Enable HTTP Reverse Proxy' and 'Enable HTTPS Reverse Proxy' below and click Save.
]]>
</description>
<type>interfaces_selection</type>
- <required/>
<default_value>wan</default_value>
<multiple/>
</field>
@@ -97,7 +99,8 @@
<description>
<![CDATA[
Squid will additionally bind to these user-defined IPs for reverse proxy operation. Useful for virtual IPs such as CARP.<br/>
- <strong>Note: Separate entries by semi-colons (;)</strong>
+ Note: Separate entries by semi-colons (;)<br/><br/>
+ <strong><span class="errmsg">Important:</span> Any entry here must be a valid, locally configured IP address.</strong>
]]>
</description>
<type>input</type>
@@ -108,7 +111,6 @@
<fieldname>reverse_external_fqdn</fieldname>
<description>The external fully qualified domain name of the WAN IP address.</description>
<type>input</type>
- <required/>
<size>70</size>
</field>
<field>
@@ -123,17 +125,16 @@
<type>listtopic</type>
</field>
<field>
- <fielddescr>Enable HTTP Reverse Mode</fielddescr>
+ <fielddescr>Enable HTTP Reverse Proxy</fielddescr>
<fieldname>reverse_http</fieldname>
<description>
<![CDATA[
If checked, the proxy server will act in HTTP reverse mode.<br/>
- <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong>
+ <strong><span class="errmsg">Important:</span> You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address.</strong>
]]>
</description>
<type>checkbox</type>
<enablefields>reverse_http_port,reverse_http_defsite</enablefields>
- <required/>
<default_value>off</default_value>
</field>
<field>
@@ -141,7 +142,7 @@
<fieldname>reverse_http_port</fieldname>
<description>
<![CDATA[
- This is the port the HTTP reverse proxy will listen on. Default value will be used if left empty.<br/>
+ This is the port the HTTP reverse proxy will listen on.<br/>
Default: 80
]]>
</description>
@@ -159,7 +160,7 @@
]]>
</description>
<type>input</type>
- <size>60</size>
+ <size>70</size>
</field>
<field>
<name>Squid Reverse HTTPS Settings</name>
@@ -171,12 +172,11 @@
<description>
<![CDATA[
If checked, the proxy server will act in HTTPS reverse mode.<br/>
- <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong>
+ <strong><span class="errmsg">Important:</span> You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address.</strong>
]]>
</description>
<type>checkbox</type>
- <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields>
- <required/>
+ <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_check_clientca,reverse_owa</enablefields>
<default_value>off</default_value>
</field>
<field>
@@ -184,7 +184,7 @@
<fieldname>reverse_https_port</fieldname>
<description>
<![CDATA[
- This is the port the HTTPS reverse proxy will listen on. Default value will be used if left empty.<br/>
+ This is the port the HTTPS reverse proxy will listen on.<br/>
Default: 443
]]>
</description>
@@ -198,20 +198,22 @@
<description>
<![CDATA[
This is the HTTPS reverse proxy default site.<br/>
- Note: Leave empty to use 'External FQDN' value specified above.
+ Note: Leave empty to use 'External FQDN' value specified in 'Squid Reverse Proxy General Settings'.
]]>
</description>
<type>input</type>
- <size>60</size>
+ <size>70</size>
</field>
<field>
<fielddescr>Reverse SSL Certificate</fielddescr>
<fieldname>reverse_ssl_cert</fieldname>
<description>Choose the SSL Server Certificate here.</description>
<type>select_source</type>
- <source>$config['cert']</source>
+ <source><![CDATA[$config['cert']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
</field>
<field>
<fielddescr>Intermediate CA Certificate (If Needed)</fielddescr>
@@ -234,6 +236,43 @@
<default_value>on</default_value>
</field>
<field>
+ <fielddescr>Check Client Certificate</fielddescr>
+ <fieldname>reverse_check_clientca</fieldname>
+ <description>If checked, clients need a client certificate to authenticate.</description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>Client Certificate CA</fielddescr>
+ <fieldname>reverse_ssl_clientca</fieldname>
+ <description>Choose the CA used to issue client authentication certificates.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['ca']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
+ </field>
+ <field>
+ <fielddescr>Client Certificate Revocation List</fielddescr>
+ <fieldname>reverse_ssl_clientcrl</fieldname>
+ <description>
+ <![CDATA[
+ Choose the CRL used for client certificates revocation. If set to 'none', no CRL validation will be performed.<br/>
+ <strong>Note: This must match the 'Client Certificate CA' selected above!</strong><br/><br/>
+ <strong><span class="errmsg">Important:</span></strong> After updating the CRL in System - Cert Manager - Certificate Revocation, remember to press the 'Refresh CRL' button below.<br/>
+ Otherwise, the updated CRL will not have any effect on Squid reverse proxy users!<br/><br/>
+ <input name='refresh_crl' id='refresh_crl' type='submit' value='Refresh CRL' />
+ ]]>
+ </description>
+ <type>select_source</type>
+ <source><![CDATA[$config['crl']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ <show_disable_value>none</show_disable_value>
+ <default_value>none</default_value>
+ </field>
+ <field>
<name>OWA Reverse Proxy General Settings</name>
<type>listtopic</type>
</field>
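Review bot: The new 'Client Certificate CA' and 'Client Certificate Revocation List' fields are not tied to the 'Check Client Certificate' checkbox, although every other dependent group in this file (`reverse_http`, `reverse_https`, `reverse_owa`) uses `<enablefields>` for that; adding `<enablefields>reverse_ssl_clientca,reverse_ssl_clientcrl</enablefields>` to the `reverse_check_clientca` field would keep the form consistent and make the dependency visible. The CRL description also embeds a raw `<input ... type='submit' value='Refresh CRL' />`; since the PHP side keys on that exact value string, a comment noting that `value='Refresh CRL'` must stay in sync with the check in `squid_validate_reverse()` would help the next maintainer.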
@@ -245,12 +284,12 @@
<enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields>
</field>
<field>
- <fielddescr>CAS-Array / OWA Frontend IP Address</fielddescr>
+ <fielddescr>CAS-Array / OWA Frontend IP Address(es)</fielddescr>
<fieldname>reverse_owa_ip</fieldname>
<description>
<![CDATA[
These are the internal IPs of the CAS-Array (OWA frontend servers).<br/>
- <strong>Note: Separate entries by semi-colons (;)</strong>
+ Note: Separate entries by semi-colons (;)
]]>
</description>
<type>input</type>
@@ -305,7 +344,8 @@
<custom_php_validation_command>
<![CDATA[
if (!empty($_POST) && !squid_enabled()) {
- $input_errors[] = "Squid is disabled. You must enable Squid proxy under Services - Squid Proxy Server - General.";
+ $errmsg = "Squid is disabled. You must enable Squid proxy under Services - Squid Proxy Server - General.";
+ file_notice("squidreversegeneral", $errmsg, "Squid Reverse Proxy", "");
}
squid_validate_reverse($_POST, $input_errors);
]]>
diff --git a/config/squid3/34/squid_reverse_peer.xml b/config/squid3/34/squid_reverse_peer.xml
index fabc5b92..f5ab7544 100755
--- a/config/squid3/34/squid_reverse_peer.xml
+++ b/config/squid3/34/squid_reverse_peer.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidreversepeer</name>
- <version>0.3.5</version>
+ <version>0.4.5</version>
<title>Reverse Proxy Server: Peers</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -119,7 +119,8 @@
]]>
</description>
<type>input</type>
- <size>20</size>
+ <size>30</size>
+ <required/>
</field>
<field>
<fielddescr>Peer IP</fielddescr>
@@ -131,7 +132,8 @@
]]>
</description>
<type>input</type>
- <size>20</size>
+ <size>30</size>
+ <required/>
</field>
<field>
<fielddescr>Peer Port</fielddescr>
@@ -143,7 +145,8 @@
]]>
</description>
<type>input</type>
- <size>20</size>
+ <size>5</size>
+ <required/>
</field>
<field>
<fielddescr>Peer Protocol</fielddescr>
diff --git a/config/squid3/34/squid_reverse_redir.xml b/config/squid3/34/squid_reverse_redir.xml
index cf5fdb45..3be74353 100755
--- a/config/squid3/34/squid_reverse_redir.xml
+++ b/config/squid3/34/squid_reverse_redir.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidreverseredir</name>
- <version>0.3.7</version>
+ <version>0.4.5</version>
<title>Reverse Proxy Server: Redirects</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -112,6 +112,7 @@
</description>
<type>input</type>
<size>20</size>
+ <required/>
</field>
<field>
<fielddescr>Redirect Description</fielddescr>
@@ -136,6 +137,7 @@
<option><name>HTTP</name><value>HTTP</value></option>
<option><name>HTTPS</name><value>HTTPS</value></option>
</options>
+ <required/>
</field>
<field>
<fielddescr>
@@ -154,6 +156,7 @@
<fieldname>uri</fieldname>
<type>input</type>
<size>60</size>
+ <required/>
</rowhelperfield>
</rowhelper>
</field>
@@ -168,6 +171,7 @@
</description>
<type>input</type>
<size>60</size>
+ <required/>
</field>
<field>
<fielddescr>URL to Redirect To</fielddescr>
@@ -175,6 +179,7 @@
<description>Enter the URL to redirect to here.</description>
<type>input</type>
<size>60</size>
+ <required/>
</field>
</fields>
<custom_php_resync_config_command>
diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml
index 1091fce8..ee4b7f84 100755
--- a/config/squid3/34/squid_reverse_sync.xml
+++ b/config/squid3/34/squid_reverse_sync.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidsync</name>
- <version>0.4.2</version>
+ <version>0.4.5</version>
<title>Reverse Proxy Server: XMLRPC Sync</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -88,7 +88,6 @@
]]>
</description>
<type>select</type>
- <required/>
<default_value>disabled</default_value>
<options>
<option><name>Sync to configured system backup server</name><value>auto</value></option>
@@ -101,7 +100,6 @@
<fieldname>synctimeout</fieldname>
<description>XMLRPC timeout in seconds.</description>
<type>select</type>
- <required/>
<default_value>250</default_value>
<options>
<option><name>250 seconds (Default)</name><value>250</value></option>
@@ -139,6 +137,7 @@
<description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
<size>40</size>
+ <required/>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
@@ -146,6 +145,7 @@
<description><![CDATA[Choose the sync port of the destination host.]]></description>
<type>input</type>
<size>3</size>
+ <required/>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Admin Password</fielddescr>
@@ -153,6 +153,7 @@
<description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<size>20</size>
+ <required/>
</rowhelperfield>
</rowhelper>
</field>
diff --git a/config/squid3/34/squid_reverse_uri.xml b/config/squid3/34/squid_reverse_uri.xml
index 9a493a15..18b5e0e6 100755
--- a/config/squid3/34/squid_reverse_uri.xml
+++ b/config/squid3/34/squid_reverse_uri.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidreverseuri</name>
- <version>0.3.7</version>
+ <version>0.4.5</version>
<title>Reverse Proxy Server: Mappings</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -112,6 +112,7 @@
</description>
<type>input</type>
<size>20</size>
+ <required/>
</field>
<field>
<fielddescr>Group Description</fielddescr>
@@ -134,7 +135,7 @@
<source_name>name</source_name>
<source_value>name</source_value>
<multiple/>
- <size>05</size>
+ <size>5</size>
</field>
<field>
<fielddescr>
@@ -154,6 +155,7 @@
<fieldname>uri</fieldname>
<type>input</type>
<size>70</size>
+ <required/>
</rowhelperfield>
</rowhelper>
</field>
diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml
index a7670ff5..b8b62460 100755
--- a/config/squid3/34/squid_sync.xml
+++ b/config/squid3/34/squid_sync.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidsync</name>
- <version>0.4.2</version>
+ <version>0.4.5</version>
<title>Proxy Server: XMLRPC Sync</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -104,7 +104,6 @@
]]>
</description>
<type>select</type>
- <required/>
<default_value>disabled</default_value>
<options>
<option><name>Sync to configured system backup server</name><value>auto</value></option>
@@ -117,7 +116,6 @@
<fieldname>synctimeout</fieldname>
<description>XMLRPC timeout in seconds.</description>
<type>select</type>
- <required/>
<default_value>250</default_value>
<options>
<option><name>250 seconds (Default)</name><value>250</value></option>
@@ -155,6 +153,7 @@
<description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
<size>40</size>
+ <required/>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
@@ -162,6 +161,7 @@
<description><![CDATA[Choose the sync port of the destination host.]]></description>
<type>input</type>
<size>3</size>
+ <required/>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Admin Password</fielddescr>
@@ -169,6 +169,7 @@
<description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<size>20</size>
+ <required/>
</rowhelperfield>
</rowhelper>
</field>
diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml
index 14e23216..46f2dfae 100755
--- a/config/squid3/34/squid_upstream.xml
+++ b/config/squid3/34/squid_upstream.xml
@@ -42,7 +42,7 @@
]]>
</copyright>
<name>squidremote</name>
- <version>0.3.5</version>
+ <version>0.4.5</version>
<title>Proxy Server: Remote Proxy Settings</title>
<include_file>/usr/local/pkg/squid.inc</include_file>
<tabs>
@@ -124,7 +124,6 @@
<fieldname>enable</fieldname>
<description>This option enables the proxy server to forward requests to an upstream/neighbor server.</description>
<type>checkbox</type>
- <required/>
</field>
<field>
<fielddescr>Hostname</fielddescr>
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index e7c29115..7e39e5e1 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -1089,7 +1089,7 @@
<pkginfolink>https://forum.pfsense.org/index.php?topic=100167.0</pkginfolink>
<website>http://www.squid-cache.org/</website>
<category>Services</category>
- <version>0.4.4</version>
+ <version>0.4.5</version>
<status>BETA</status>
<required_version>2.2</required_version>
<maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>