diff options
| author | Marcello Coutinho <marcellocoutinho@gmail.com> | 2012-04-13 20:11:05 -0300 |
|---|---|---|
| committer | marcelloc <marcellocoutinho@gmail.com> | 2012-04-13 20:11:05 -0300 |
| commit | 69645670dbac91bbc6eff5846124fb68f6458c9f (patch) | |
| tree | 28fb7eadffc310ea2ee6a5c0afc37b72fc8c1f6b /config/squid-reverse | |
| parent | 39e0478f04d889ae93dac2ab742162d75667b5fa (diff) | |
| download | pfsense-packages-69645670dbac91bbc6eff5846124fb68f6458c9f.tar.gz pfsense-packages-69645670dbac91bbc6eff5846124fb68f6458c9f.tar.bz2 pfsense-packages-69645670dbac91bbc6eff5846124fb68f6458c9f.zip | |
squid3 - merge squid3 and squid-reverse in one package
Diffstat (limited to 'config/squid-reverse')
| -rw-r--r-- | config/squid-reverse/squid.inc | 430 | ||||
| -rw-r--r-- | config/squid-reverse/squid.xml | 126 | ||||
| -rw-r--r-- | config/squid-reverse/squid_auth.xml | 136 | ||||
| -rw-r--r-- | config/squid-reverse/squid_cache.xml | 180 | ||||
| -rw-r--r-- | config/squid-reverse/squid_nac.xml | 35 | ||||
| -rw-r--r-- | config/squid-reverse/squid_reverse.inc | 176 | ||||
| -rw-r--r-- | config/squid-reverse/squid_reverse.xml | 88 | ||||
| -rw-r--r-- | config/squid-reverse/squid_reverse_general.xml | 241 | ||||
| -rw-r--r-- | config/squid-reverse/squid_reverse_peer.xml | 159 | ||||
| -rwxr-xr-x | config/squid-reverse/squid_reverse_sync.xml | 105 | ||||
| -rw-r--r-- | config/squid-reverse/squid_reverse_uri.xml | 155 | ||||
| -rwxr-xr-x | config/squid-reverse/squid_sync.xml | 121 | ||||
| -rw-r--r-- | config/squid-reverse/squid_traffic.xml | 42 | ||||
| -rw-r--r-- | config/squid-reverse/squid_upstream.xml | 24 | ||||
| -rw-r--r-- | config/squid-reverse/squid_users.xml | 24 |
15 files changed, 1589 insertions, 453 deletions
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index df171137..08f57b52 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -4,7 +4,8 @@ squid.inc Copyright (C) 2006-2009 Scott Ullrich Copyright (C) 2006 Fernando Lemos - Copyright (C) 2008 Martin Fuchs + Copyright (C) 2012 Martin Fuchs + Copyright (C) 2012 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without @@ -43,9 +44,16 @@ define('SQUID_CONFBASE', '/usr/local/etc/squid'); define('SQUID_BASE', '/var/squid/'); define('SQUID_ACLDIR', '/var/squid/acl'); define('SQUID_PASSWD', '/var/etc/squid.passwd'); +define('SQUID_LIB','/var/squid/lib'); +define('SQUID_SSL_DB','/var/squid/lib/ssl_db'); $valid_acls = array(); +function sq_text_area_decode($text){ + return preg_replace('/\r\n/', "\n",base64_decode($text)); +} + + function squid_get_real_interface_address($iface) { global $config; @@ -120,11 +128,17 @@ function squid_is_valid_acl($acl) { function squid_install_command() { global $config; global $g; + update_status("Checking if there is configuration to migrate... One moment please..."); /* migrate existing csv config fields */ - $settingsauth = $config['installedpackages']['squidauth']['config'][0]; - $settingscache = $config['installedpackages']['squidcache']['config'][0]; - $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - + if (is_array($config['installedpackages']['squidauth']['config'])) + $settingsauth = $config['installedpackages']['squidauth']['config'][0]; + if (is_array($config['installedpackages']['squidcache']['config'])) + $settingscache = $config['installedpackages']['squidcache']['config'][0]; + if (is_array($config['installedpackages']['squidnac']['config'])) + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + if (is_array($config['installedpackages']['squid']['config'])) + $settingsgen = $config['installedpackages']['squid']['config'][0]; + /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -153,7 +167,6 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; } } - if(! empty($settingsnac['banned_hosts'])) { if(strstr($settingsnac['banned_hosts'], ",")) { $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); @@ -195,7 +208,49 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; } } - + + /*Migrate reverse settings*/ + if (is_array($config['installedpackages']['squidreverse'])){ + $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0]; + + //Settings + if (!is_array($config['installedpackages']['squidreversegeneral'])){ + $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings; + unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); + unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); + unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); + } + + //PEERS + if (!is_array($config['installedpackages']['squidreversepeer'])){ + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) + foreach (explode(";",$cache_peers) as $cache_peer) + $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated', + 'enable'=> 'on', + 'name'=> $cache_peer[0], + 'port'=> $cache_peer[1], + 'protocol' => $cache_peer[2]); + } + + //MAPPINGS + if (!is_array($config['installedpackages']['squidreverseuri'])){ + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){ + foreach (explode(";",$acls) as $acl) + array_push(${'peer_'.$acl[0]},$acl[1]); + } + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) + foreach (explode(";",$uris) as $uri){ + $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); + $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated', + 'enable'=> 'on', + 'name'=> $uri[0], + 'uri'=> $uri[1], + 'vhost' => $uri[2], + 'peers'=>$peer_list); + } + } + } + update_status("Writing configuration... One moment please..."); write_config(); @@ -214,7 +269,9 @@ function squid_install_command() { foreach (array( SQUID_CONFBASE, SQUID_ACLDIR, - SQUID_BASE ) as $dir) { + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { make_dirs($dir); squid_chown_recursive($dir, 'proxy', 'proxy'); } @@ -272,12 +329,12 @@ function squid_deinstall_command() { function squid_before_form_general($pkg) { $values = get_dir(SQUID_CONFBASE . '/errors/'); - // Get rid of '..' and '.' + // Get rid of '..' and '.' and ... array_shift($values); array_shift($values); array_shift($values); array_shift($values); - + $name = array(); foreach ($values as $value) $names[] = implode(" ", explode("_", $value)); @@ -712,7 +769,6 @@ cache_mgr $email access_log $logdir_access cache_log $logdir_cache cache_store_log none - sslcrtd_children 0 EOD; @@ -785,11 +841,9 @@ function squid_resync_cache() { } else { $disk_cache_system = $settings['harddisk_cache_system']; } - - if ($disk_cache_system == "null") { - $disk_cache_opts = "{$disk_cache_system} /tmp"; - } else { - $disk_cache_opts = "{$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; + #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. + if ($disk_cache_system != "null") { + $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; } $conf = <<<EOD @@ -797,7 +851,7 @@ cache_mem $memory_cache_size MB maximum_object_size_in_memory $max_objsize_in_mem KB memory_replacement_policy $memory_policy cache_replacement_policy $cache_policy -cache_dir $disk_cache_opts +$disk_cache_opts minimum_object_size $min_objsize KB maximum_object_size $max_objsize KB offline_mode $offline_mode @@ -807,7 +861,7 @@ EOD; if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; - $donotcache = base64_decode($settings['donotcache']); + $donotcache = sq_text_area_decode($settings['donotcache']); if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; @@ -876,16 +930,16 @@ acl dynamic urlpath_regex cgi-bin \? EOD; - $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets'])); - $allowed = ""; - foreach ($allowed_subnets as $subnet) { - if(!empty($subnet)) { - $subnet = trim($subnet); - $allowed .= "$subnet "; - } - } - if (!empty($allowed)) { - $conf .= "acl allowed_subnets src $allowed\n"; + $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); + #$allowed = ""; + #foreach ($allowed_subnets as $subnet) { + # if(!empty($subnet)) { + # $subnet = trim($subnet); + # $allowed .= "$subnet "; + # } + #} + if (!empty($allowed_subnets)) { + $conf .= "acl allowed_subnets src $allowed_subnets\n"; $valid_acls[] = 'allowed_subnets'; } @@ -895,7 +949,7 @@ EOD; 'blacklist' => 'dstdom_regex -i', ); foreach ($options as $option => $directive) { - $contents = base64_decode($settings[$option]); + $contents = sq_text_area_decode($settings[$option]); if (!empty($contents)) { file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; @@ -911,7 +965,6 @@ cache deny dynamic http_access allow manager localhost EOD; - if(!empty($settings['ext_cachemanager'])) { $extmgr = explode(";", ($settings['ext_cachemanager'])); $count = 1; @@ -1030,174 +1083,26 @@ function squid_get_server_certs() { return $cert_arr; } -function squid_resync_reverse() { - global $config, $valid_acls; - if(!is_array($valid_acls)) - return; - $settings = $config['installedpackages']['squidreverse']['config'][0]; - $conf = ''; - - $conf .= "# Reverse Proxy settings\n"; - - if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { - $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); - if ($svr_cert != false) { - if(base64_decode($svr_cert['crt'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($svr_cert['crt'])); - $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; - } - if(base64_decode($svr_cert['prv'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",base64_decode($svr_cert['prv'])); - $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; - }}} - - if (!empty($settings['reverse_int_ca'])) file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); - - $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); - $real_ifaces = array(); - foreach (explode(",", $ifaces) as $i => $iface) { - $real_ifaces[] = squid_get_real_interface_address($iface); - if($real_ifaces[$i][0]) { - //HTTP - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:443 accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:443 accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - } - } - if(!empty($settings['reverse_ip'])) { - $reverse_ip = explode(";", ($settings['reverse_ip'])); - foreach ($reverse_ip as $reip) { - - //HTTP - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$reip}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$reip}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$reip}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$reip}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$reip}:443 accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$reip}:{$settings['reverse_https_port']} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$reip}:443 accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$reip}:{$settings['reverse_https_port']} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - - }} - - //PEERS - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs\n"; - - $contents = base64_decode($settings['reverse_cache_peer']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != '' && ($cfg[2]) != ''){ - $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver login=PASS "; - if($cfg[3] == 'HTTPS') - $conf .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; - }}} - - //ACLs - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/owa.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchange.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/public.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchweb.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/ecp.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/OAB.*$\n"; - } - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_activesync'] == 'on')) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/Microsoft-Server-ActiveSync.*$\n"; - } - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_rpchttp'] == 'on')) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpc/rpcproxy.dll.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpcwithcert/rpcproxy.dll.*$\n"; - } - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_webservice'] == 'on')) { - $conf .= "ignore_expect_100 on\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/EWS.*$\n"; - } - - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/autodiscover.*$\n"; - -// $conf .= "ssl_unclean_shutdown on"; - - } - - $contents = base64_decode($settings['revrse_uri']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - if($cfg[2] != '') - $conf .= "acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; - if($cfg[2] == '') - $conf .= "acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; - }}} - - - //ACCESS - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { - $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; - $conf .= "cache_peer_access OWA_HOST_pfs deny allsrc\n"; - $conf .= "never_direct allow OWA_URI_pfs\n"; - $conf .= "http_access allow OWA_URI_pfs\n"; - } - - $contents = base64_decode($settings['reverse_acl']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; - }} - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "cache_peer_access {$cfg[0]} deny allsrc\n"; - }} - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "never_direct allow {$cfg[1]}\n"; - }} - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "http_access allow {$cfg[1]}\n"; - }} - } - - $conf .= "\n"; - - if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET allsrc\n"; - return $conf; -} +#squid reverse +include('/usr/local/pkg/squid_reverse.inc'); function squid_resync_auth() { global $config, $valid_acls; - $settings = $config['installedpackages']['squidauth']['config'][0]; - $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - $settingsconfig = $config['installedpackages']['squid']['config'][0]; + if (is_array($config['installedpackages']['squidauth']['config'])) + $settings = $config['installedpackages']['squidauth']['config'][0]; + if (is_array($config['installedpackages']['squidnac']['config'])) + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + if (is_array($config['installedpackages']['squid']['config'])) + $settingsconfig = $config['installedpackages']['squid']['config'][0]; $conf = ''; - // Custom Options - if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { - $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); - $conf .= "# Custom options\n"; - foreach ($custopts as $custopt) { - $conf .= $custopt."\n"; - } - } + // Package integration + if(!empty($settingsconfig['custom_options'])) + $conf.=preg_replace('/;/',"\n",$settingconfig['custom_options']); + + // Custom User Options + $conf .= "# Custom options\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n"; // Deny the banned guys before allowing the good guys if(! empty($settingsnac['banned_hosts'])) { @@ -1349,6 +1254,15 @@ function squid_resync_msnt() { function squid_resync() { global $config; conf_mount_rw(); + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { + make_dirs($dir); + chown($dir, 'proxy'); + chgrp($dir, 'proxy'); + } $conf = squid_resync_general() . "\n"; $conf .= squid_resync_cache() . "\n"; $conf .= squid_resync_redirector() . "\n"; @@ -1359,6 +1273,7 @@ function squid_resync() { $conf .= squid_resync_auth(); squid_resync_users(); squid_write_rcfile(); + squid_sync_on_changes(); /* make sure pinger is executable */ if(file_exists("/usr/local/libexec/squid/pinger")) @@ -1666,8 +1581,8 @@ function squid_write_rcfile() { $rc = array(); $rc['file'] = 'squid.sh'; $rc['start'] = <<<EOD -if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then - /usr/local/sbin/squid -D +if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then + /usr/local/sbin/squid fi EOD; @@ -1680,8 +1595,8 @@ killall pinger 2>/dev/null EOD; $rc['restart'] = <<<EOD -if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then - /usr/local/sbin/squid -D +if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then + /usr/local/sbin/squid else /usr/local/sbin/squid -k reconfigure fi @@ -1690,4 +1605,127 @@ EOD; conf_mount_rw(); write_rcfile($rc); } + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function squid_sync_on_changes() { + global $config, $g; + + log_error("[squid] xmlrpc sync is starting."); + $synconchanges = $config['installedpackages']['squidsync']['config'][0]['synconchanges']; + if(!$synconchanges) + return; + foreach ($config['installedpackages']['squidsync']['config'] as $rs ){ + foreach($rs['row'] as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + squid_do_xmlrpc_sync($sync_to_ip, $username, $password); + } + } + log_error("[squid] xmlrpc sync is ending."); +} +/* Do the actual XMLRPC sync */ +function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['squid'] = $config['installedpackages']['squid']; + $xml['squidupstream'] = $config['installedpackages']['squidupstream']; + $xml['squidcache'] = $config['installedpackages']['squidcache']; + $xml['squidnac'] = $config['installedpackages']['squidnac']; + $xml['squidtraffic'] = $config['installedpackages']['squidtraffic']; + $xml['squidreverse'] = $config['installedpackages']['squidreverse']; + $xml['squidauth'] = $config['installedpackages']['squidauth']; + $xml['squidusers'] = $config['installedpackages']['squidusers']; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning squid XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } else { + log_error("squid XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell squid to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/squid.inc');\n"; + $execcmd .= "sync_package_squid();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("squid XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } else { + log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} + ?> diff --git a/config/squid-reverse/squid.xml b/config/squid-reverse/squid.xml index fdeaacb9..c4a64cf7 100644 --- a/config/squid-reverse/squid.xml +++ b/config/squid-reverse/squid.xml @@ -55,6 +55,12 @@ <section>Services</section> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </menu> + <menu> + <name>Reverse Proxy</name> + <tooltiptext>Modify the proxy reverse server's settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </menu> <service> <name>squid</name> <rcfile>squid.sh</rcfile> @@ -68,15 +74,15 @@ <active/> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -84,17 +90,17 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <!-- Installation --> <additional_files_needed> @@ -105,6 +111,26 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_general.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_general_peer.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_general_uri.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid-reverse/squid_cache.xml</item> </additional_files_needed> <additional_files_needed> @@ -159,6 +185,10 @@ </additional_files_needed> <fields> <field> + <name>Squid General Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Proxy interface</fielddescr> <fieldname>active_interface</fieldname> <description>The interface(s) the proxy server will bind to.</description> @@ -168,6 +198,23 @@ <multiple/> </field> <field> + <fielddescr>Proxy port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the proxy server will listen on.</description> + <type>input</type> + <size>5</size> + <required/> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> + <type>input</type> + <size>5</size> + </field> + + <field> <fielddescr>Allow users on interface</fielddescr> <fieldname>allow_interface</fieldname> <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description> @@ -194,14 +241,25 @@ <fieldname>defined_ip_proxy_off</fieldname> <description>Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> - <size>80</size> + <size>70</size> </field> <field> <fielddescr>Bypass proxy for these destination IPs</fielddescr> <fieldname>defined_ip_proxy_off_dest</fieldname> <description>Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> - <size>80</size> + <size>70</size> + </field> + <field> + <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> + <fieldname>dns_nameservers</fieldname> + <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + <field> + <name>Logging Settings</name> + <type>listtopic</type> </field> <field> <fielddescr>Enabled logging</fielddescr> @@ -227,22 +285,6 @@ <size>5</size> </field> <field> - <fielddescr>Proxy port</fielddescr> - <fieldname>proxy_port</fieldname> - <description>This is the port the proxy server will listen on.</description> - <type>input</type> - <size>5</size> - <required/> - <default_value>3128</default_value> - </field> - <field> - <fielddescr>ICP port</fielddescr> - <fieldname>icp_port</fieldname> - <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> - <type>input</type> - <size>5</size> - </field> - <field> <fielddescr>Visible hostname</fielddescr> <fieldname>visible_hostname</fieldname> <description>This is the URL to be displayed in proxy server error messages.</description> @@ -307,26 +349,34 @@ </options> </field> <field> - <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> - <fieldname>dns_nameservers</fieldname> - <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> - <type>input</type> - <size>60</size> - </field> - <field> <fielddescr>Suppress Squid Version</fielddescr> <fieldname>disable_squidversion</fieldname> <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description> <type>checkbox</type> </field> - <field> - <fielddescr>Custom Options</fielddescr> + <field> + <name>Custom Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Integrations</fielddescr> <fieldname>custom_options</fieldname> - <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work.</description> + <description><![CDATA[Squid options added from packages like squidguard or havp for squid integration.]]></description> <type>textarea</type> - <cols>65</cols> + <encoding>base64</encoding> + <cols>78</cols> <rows>5</rows> </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom_options_squid3</fieldname> + <description><![CDATA[Put your own custom options here,one per line. They'll be added to the configuration.<br> + <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description> + <type>textarea</type> + <encoding>base64</encoding> + <cols>78</cols> + <rows>10</rows> + </field> </fields> <custom_php_command_before_form> squid_before_form_general(&$pkg); diff --git a/config/squid-reverse/squid_auth.xml b/config/squid-reverse/squid_auth.xml index 8d6e046e..e04dbfba 100644 --- a/config/squid-reverse/squid_auth.xml +++ b/config/squid-reverse/squid_auth.xml @@ -55,15 +55,15 @@ <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -71,21 +71,25 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> <active/> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Authentication General Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Authentication method</fielddescr> <fieldname>auth_method</fieldname> <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description> @@ -102,17 +106,6 @@ <onchange>on_auth_method_changed()</onchange> </field> <field> - <fielddescr>LDAP version</fielddescr> - <fieldname>ldap_version</fieldname> - <description>Enter LDAP protocol version (2 or 3).</description> - <type>select</type> - <default_value>2</default_value> - <options> - <option><name>2</name><value>2</value></option> - <option><name>3</name><value>3</value></option> - </options> - </field> - <field> <fielddescr>Authentication server</fielddescr> <fieldname>auth_server</fieldname> <description>Enter here the IP or hostname of the server that will perform the authentication.</description> @@ -127,11 +120,57 @@ <size>60</size> </field> <field> - <fielddescr>NT domain</fielddescr> - <fieldname>auth_ntdomain</fieldname> - <description>Enter here the NT domain.</description> + <fielddescr>Authentication prompt</fielddescr> + <fieldname>auth_prompt</fieldname> + <description>This string will be displayed at the top of the authentication request window.</description> + <type>input</type> + <default_value>Please enter your credentials to access the proxy</default_value> + </field> + <field> + <fielddescr>Authentication processes</fielddescr> + <fieldname>auth_processes</fieldname> + <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> <size>60</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Authentication TTL</fielddescr> + <fieldname>auth_ttl</fieldname> + <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <type>input</type> + <size>60</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> + <fieldname>unrestricted_auth</fieldname> + <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Subnets that don't need authentication</fielddescr> + <fieldname>no_auth_hosts</fieldname> + <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <name>Squid Authentication Ldap Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>LDAP version</fielddescr> + <fieldname>ldap_version</fieldname> + <description>Enter LDAP protocol version (2 or 3).</description> + <type>select</type> + <default_value>2</default_value> + <options> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + </options> </field> <field> <fielddescr>LDAP server user DN</fielddescr> @@ -171,10 +210,14 @@ <default_value>(&(objectClass=person)(uid=%s))</default_value> </field> <field> - <fielddescr>RADIUS secret</fielddescr> - <fieldname>radius_secret</fieldname> - <description>The RADIUS secret for RADIUS authentication.</description> - <type>password</type> + <name>Squid Authentication NT Domain Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>NT domain</fielddescr> + <fieldname>auth_ntdomain</fieldname> + <description>Enter here the NT domain.</description> + <type>input</type> <size>60</size> </field> <field> @@ -185,42 +228,15 @@ <size>60</size> </field> <field> - <fielddescr>Authentication prompt</fielddescr> - <fieldname>auth_prompt</fieldname> - <description>This string will be displayed at the top of the authentication request window.</description> - <type>input</type> - <default_value>Please enter your credentials to access the proxy</default_value> - </field> - <field> - <fielddescr>Authentication processes</fielddescr> - <fieldname>auth_processes</fieldname> - <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> - <type>input</type> - <size>60</size> - <default_value>5</default_value> + <name>Squid Authentication Radius Settings</name> + <type>listtopic</type> </field> <field> - <fielddescr>Authentication TTL</fielddescr> - <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> - <type>input</type> + <fielddescr>RADIUS secret</fielddescr> + <fieldname>radius_secret</fieldname> + <description>The RADIUS secret for RADIUS authentication.</description> + <type>password</type> <size>60</size> - <default_value>60</default_value> - </field> - <field> - <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> - <fieldname>unrestricted_auth</fieldname> - <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Subnets that don't need authentication</fielddescr> - <fieldname>no_auth_hosts</fieldname> - <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> - <type>textarea</type> - <cols>50</cols> - <rows>5</rows> - <encoding>base64</encoding> </field> </fields> <custom_php_validation_command> diff --git a/config/squid-reverse/squid_cache.xml b/config/squid-reverse/squid_cache.xml index beafa5dd..ce7bd585 100644 --- a/config/squid-reverse/squid_cache.xml +++ b/config/squid-reverse/squid_cache.xml @@ -50,21 +50,21 @@ <title>Proxy server: Cache management</title> <include_file>squid.inc</include_file> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> <active/> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -72,25 +72,86 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Cache General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Cache replacement policy</fielddescr> + <fieldname>cache_replacement_policy</fieldname> + <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> + <type>select</type> + <default_value>heap LFUDA</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Low-water-mark in %</fielddescr> + <fieldname>cache_swap_low</fieldname> + <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> + <type>input</type> + <size>5</size> + <default_value>90</default_value> + </field> + <field> + <fielddescr>High-water-mark in %</fielddescr> + <fieldname>cache_swap_high</fieldname> + <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> + <type>input</type> + <size>5</size> + <default_value>95</default_value> + </field> + <field> + <fielddescr>Do not cache</fielddescr> + <fieldname>donotcache</fieldname> + <description>Enter each domain or IP address on a new line that should never be cached.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Enable offline mode</fielddescr> + <fieldname>enable_offline</fieldname> + <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>External Cache-Managers</fielddescr> + <fieldname>ext_cachemanager</fieldname> + <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Hard disk cacheSettings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Hard disk cache size</fielddescr> <fieldname>harddisk_cache_size</fieldname> <description>This is the amount of disk space (in megabytes) to use for cached objects.</description> <type>input</type> <required/> + <size>10</size> <default_value>100</default_value> </field> <field> @@ -107,6 +168,22 @@ </options> </field> <field> + <fielddescr>Level 1 subdirectories</fielddescr> + <fieldname>level1_subdirs</fieldname> + <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> + <type>select</type> + <default_value>16</default_value> + <options> + <option><name>4</name><value>4</value></option> + <option><name>8</name><value>8</value></option> + <option><name>16</name><value>16</value></option> + <option><name>32</name><value>32</value></option> + <option><name>64</name><value>64</value></option> + <option><name>128</name><value>128</value></option> + <option><name>256</name><value>256</value></option> + </options> + </field> + <field> <fielddescr>Hard disk cache location</fielddescr> <fieldname>harddisk_cache_location</fieldname> <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description> @@ -116,19 +193,12 @@ <default_value>/var/squid/cache</default_value> </field> <field> - <fielddescr>Memory cache size</fielddescr> - <fieldname>memory_cache_size</fieldname> - <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> - <type>input</type> - <required/> - <default_value>8</default_value> - </field> - <field> <fielddescr>Minimum object size</fielddescr> <fieldname>minimum_object_size</fieldname> <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description> <type>input</type> <required /> + <size>10</size> <default_value>0</default_value> </field> <field> @@ -137,33 +207,32 @@ <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description> <type>input</type> <required/> + <size>10</size> <default_value>4</default_value> </field> <field> + <name>Squid Memory Cache Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Memory cache size</fielddescr> + <fieldname>memory_cache_size</fieldname> + <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>8</default_value> + </field> + <field> <fielddescr>Maximum object size in RAM</fielddescr> <fieldname>maximum_objsize_in_mem</fieldname> <description>Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32.</description> <type>input</type> + <size>10</size> <required/> <default_value>32</default_value> </field> <field> - <fielddescr>Level 1 subdirectories</fielddescr> - <fieldname>level1_subdirs</fieldname> - <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> - <type>select</type> - <default_value>16</default_value> - <options> - <option><name>4</name><value>4</value></option> - <option><name>8</name><value>8</value></option> - <option><name>16</name><value>16</value></option> - <option><name>32</name><value>32</value></option> - <option><name>64</name><value>64</value></option> - <option><name>128</name><value>128</value></option> - <option><name>256</name><value>256</value></option> - </options> - </field> - <field> <fielddescr>Memory replacement policy</fielddescr> <fieldname>memory_replacement_policy</fieldname> <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description> @@ -176,49 +245,6 @@ <option><name>Heap LRU</name><value>heap LRU</value></option> </options> </field> - <field> - <fielddescr>Cache replacement policy</fielddescr> - <fieldname>cache_replacement_policy</fieldname> - <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> - <type>select</type> - <default_value>heap LFUDA</default_value> - <options> - <option><name>LRU</name><value>lru</value></option> - <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> - <option><name>Heap GDSF</name><value>heap GDSF</value></option> - <option><name>Heap LRU</name><value>heap LRU</value></option> - </options> - </field> - <field> - <fielddescr>Low-water-mark in %</fielddescr> - <fieldname>cache_swap_low</fieldname> - <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> - <type>input</type> - <default_value>90</default_value> - </field> - <field> - <fielddescr>High-water-mark in %</fielddescr> - <fieldname>cache_swap_high</fieldname> - <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> - <type>input</type> - <default_value>95</default_value> - </field> - <field> - <fielddescr>Do not cache</fielddescr> - <fieldname>donotcache</fieldname> - <description>Enter each domain or IP address on a new line that should never be cached.</description> - <type>textarea</type> - <cols>50</cols> - <rows>5</rows> - <encoding>base64</encoding> - </field> - <field> - <fielddescr>Enable offline mode</fielddescr> - <fieldname>enable_offline</fieldname> - <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> - <type>checkbox</type> - <required/> - </field> </fields> <custom_php_command_before_form> if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { diff --git a/config/squid-reverse/squid_nac.xml b/config/squid-reverse/squid_nac.xml index 7b333141..cb986f2b 100644 --- a/config/squid-reverse/squid_nac.xml +++ b/config/squid-reverse/squid_nac.xml @@ -50,20 +50,20 @@ <title>Proxy server: Access control</title> <include_file>squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> <active/> </tab> @@ -72,20 +72,24 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Access Control Lists</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Allowed subnets</fielddescr> <fieldname>allowed_subnets</fieldname> <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description> @@ -131,12 +135,9 @@ <encoding>base64</encoding> </field> <field> - <fielddescr>External Cache-Managers</fielddescr> - <fieldname>ext_cachemanager</fieldname> - <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> - <type>input</type> - <size>60</size> - </field> + <name>Squid Allowed ports</name> + <type>listtopic</type> + </field> <field> <fielddescr>acl safeports</fielddescr> <fieldname>addtl_ports</fieldname> diff --git a/config/squid-reverse/squid_reverse.inc b/config/squid-reverse/squid_reverse.inc new file mode 100644 index 00000000..c34f74e5 --- /dev/null +++ b/config/squid-reverse/squid_reverse.inc @@ -0,0 +1,176 @@ +<?php +/* $Id$ */ +/* + squid_reverse.inc + Copyright (C) 2012 Martin Fuchs + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function squid_resync_reverse() { + global $config; + //if(!is_array($valid_acls)) + // return; + + //CONFIG FILE + if (is_array($config['installedpackages']['squidreversegeneral'])) + $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + if (is_array($config['installedpackages']['squidreversepeer'])) + $reverse_peers=$config['installedpackages']['squidreversepeer']['config']; + if (is_array($config['installedpackages']['squidreverseuri'])) + $reverse_maps=$config['installedpackages']['squidreverseuri']['config']; + + $conf = "# Reverse Proxy settings\n"; + + if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { + $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt'])); + $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv'])); + $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; + } + } + } + + if (!empty($settings['reverse_int_ca'])) + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decodedecode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); + + $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); + $real_ifaces = array(); + + #set HTTP port and defsite + $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']); + $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']); + + #set HTTPS port and defsite + $https_port=(empty($settings['reverse_https_port'])?"80":$settings['reverse_https_port']); + $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']); + + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + //HTTP + if (!empty($settings['reverse_http'])) + $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https'])) + $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite}\n"; + } + } + + if(!empty($settings['reverse_ip'])) { + $reverse_ip = explode(";", ($settings['reverse_ip'])); + foreach ($reverse_ip as $reip) { + //HTTP + if (!empty($settings['reverse_http'])) + $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https'])) + $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite}\n"; + } + } + + //PEERS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) + $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs\n"; + + $active_peers=array(); + foreach ($reverse_peers as $rp){ + if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){ + $conf_peer = "#{$rp['description']}\n"; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query originserver login=PASS "; + if($rp['protocol'] == 'HTTPS') + $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf_peer .= "name={$rp['name']}\n\n"; + + // add peer only if reverse proxy is enabled for http + if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){ + $conf .= $conf_peer; + array_push($active_peers,$rp['name']); + } + // add peer only if if reverse proxy is enabled for https + if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){ + $conf .= $conf_peer; + array_push($active_peers,$rp['name']); + } + } + } + + //ACLS and MAPPINGS + + //create an empty owa_dirs to populate based on user selected options + $owa_dirs=array(); + if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){ + if(!empty($settings['reverse_owa_ip'])){ + array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB'); + if($settings['reverse_owa_activesync']) + array_push($owa_dirs,'Microsoft-Server-ActiveSync'); + if($settngs['reverse_owa_rpchttp']) + array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); + if($settings['reverse_owa_autodiscover']) + array_push($owa_dirs,'autodiscover'); + if($settings['reverse_owa_webservice']){ + array_push($owa_dirs,'EWS'); + $conf .= "ignore_expect_100 on\n"; + } + } + foreach ($owa_dirs as $owa_dir) + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n"; + } + //$conf .= "ssl_unclean_shutdown on"; + foreach ($reverse_maps as $rm){ + if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!="") + foreach ($rm['row'] as $uri){ + $url_regex=($uri['vhost'] == ''?$settings['reverse_external_fqdn']:$uri['vhost']); + $conf .= "acl {$rm['name']} url_regex -i {$url_regex}/{$uri['uri']}.*$\n"; + $cache_peer_never_direct_conf .= "never_direct allow {$rm['name']}\n"; + $http_access_conf .= "http_access allow {$rm['name']}\n"; + foreach (explode(',',$rm['peers']) as $map_peer) + if (in_array($map_peer,$active_peers)){ + $cache_peer_allow_conf .= "cache_peer_access {$map_peer} allow {$rm['name']}\n"; + $cache_peer_deny_conf .= "cache_peer_access {$map_peer} deny allsrc\n"; + } + } + } + + //ACCESS + if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") { + $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; + $conf .= "cache_peer_access OWA_HOST_pfs deny allsrc\n"; + $conf .= "never_direct allow OWA_URI_pfs\n"; + $conf .= "http_access allow OWA_URI_pfs\n"; + } + + $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; + + if (!empty($settings['deny_info_tcp_reset'])) + $conf .= "deny_info TCP_RESET allsrc\n"; + + return $conf; +} +?> diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index e3f57b13..ae0c0e8a 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -50,47 +50,50 @@ <title>Proxy server: Reverse Proxy</title> <include_file>squid.inc</include_file> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> <text>Traffic Mgmt</text> <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> - </tab> - <tab> - <text>Reverse Proxy</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - <active/> </tab> <tab> - <text>Reverse Settings</text> + <text>Reverse</text> <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> <active/> - </tab> + </tab> <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Reverse proxy General Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Reverse Proxy interface</fielddescr> <fieldname>reverse_interface</fieldname> <description>The interface(s) the reverse-proxy server will bind to.</description> @@ -104,7 +107,7 @@ <fieldname>reverse_ip</fieldname> <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description> <type>input</type> - <size>80</size> + <size>70</size> </field> <field> <fielddescr>external FQDN</fielddescr> @@ -112,7 +115,18 @@ <description>The external full-qualified-domain-name of the WAN address.</description> <type>input</type> <required/> - <size>80</size> + <size>70</size> + </field> + <field> + <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> + <fieldname>deny_info_tcp_reset</fieldname> + <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>Squid Reverse HTTP Settings</name> + <type>listtopic</type> </field> <field> <fielddescr>Enable HTTP reverse mode</fielddescr> @@ -139,11 +153,15 @@ <size>60</size> </field> <field> + <name>Squid Reverse HTTPS Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Enable HTTPS reverse proxy</fielddescr> <fieldname>reverse_https</fieldname> <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> <type>checkbox</type> - <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid,reverse_ssl_chain</enablefields> + <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> <required/> <default_value>off</default_value> </field> @@ -166,8 +184,8 @@ <fielddescr>reverse SSL certificate</fielddescr> <fieldname>reverse_ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> - <source><![CDATA[squid_get_server_certs()]]></source> + <type>select_source</type> + <source><![CDATA[$config['cert']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> </field> @@ -181,13 +199,6 @@ <encoding>base64</encoding> </field> <field> - <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> - <fieldname>deny_info_tcp_reset</fieldname> - <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> - <type>checkbox</type> - <default_value>on</default_value> - </field> - <field> <fielddescr>Ignore internal Certificate validation</fielddescr> <fieldname>reverse_ignore_ssl_valid</fieldname> <description>If this field is checked, internal certificate validation will be ignored.</description> @@ -223,7 +234,8 @@ <field> <fielddescr>Enable Exchange WebServices</fielddescr> <fieldname>reverse_owa_webservice</fieldname> - <description>If this field is checked, Exchange WebServices will be enabled.</description> + <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br> + <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description> <type>checkbox</type> </field> <field> @@ -233,10 +245,16 @@ <type>checkbox</type> </field> <field> + <name>Squid Reverse Mappings</name> + <type>listtopic</type> + </field> + <field> <fielddescr><b>peer definitions</b> <br>publishing hosts</fielddescr> <fieldname>reverse_cache_peer</fieldname> - <description>Enter each peer definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS] <br>example: HOST1;192.168.0.1;80;HTTP <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> - </description> + <description><![CDATA[Enter each peer definition on a new line. Directives have to be separated by a semicolon(;).<BR> + syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS]<br> + example: HOST1;192.168.0.1;80;HTTP<br> + <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description> <type>textarea</type> <cols>60</cols> <rows>10</rows> @@ -244,9 +262,12 @@ </field> <field> <fielddescr><b>URI definitions</b> <br>published URIs</fielddescr> - <fieldname>revrse_uri</fieldname> - <description>Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;).<br>syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <br>(a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://) <br>example: URI1;public;server.pfsense.org. <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> - </description> + <fieldname>reverse_uri</fieldname> + <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;)<BR> + syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <BR> + (a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://)<BR> + example: URI1;public;server.pfsense.org.<BR> + <STRONG>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</STRONG>]]></description> <type>textarea</type> <cols>60</cols> <rows>10</rows> @@ -255,8 +276,9 @@ <field> <fielddescr><b>ACL definitions</b> <br>published URIs</fielddescr> <fieldname>reverse_acl</fieldname> - <description>Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> - </description> + <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br> + syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br> + <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description> <type>textarea</type> <cols>60</cols> <rows>10</rows> diff --git a/config/squid-reverse/squid_reverse_general.xml b/config/squid-reverse/squid_reverse_general.xml new file mode 100644 index 00000000..00c8d4a5 --- /dev/null +++ b/config/squid-reverse/squid_reverse_general.xml @@ -0,0 +1,241 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_general.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreversegeneral</name> + <version>none</version> + <title>Reverse Proxy server: General</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml&id=0</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml</url> + </tab> + </tabs> + <fields> + <field> + <name>Squid Reverse proxy General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Reverse Proxy interface</fielddescr> + <fieldname>reverse_interface</fieldname> + <description>The interface(s) the reverse-proxy server will bind to.</description> + <type>interfaces_selection</type> + <required/> + <default_value>wan</default_value> + <multiple/> + </field> + <field> + <fielddescr>User-defined reverse-proxy IPs</fielddescr> + <fieldname>reverse_ip</fieldname> + <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + <field> + <fielddescr>external FQDN</fielddescr> + <fieldname>reverse_external_fqdn</fieldname> + <description>The external full-qualified-domain-name of the WAN address.</description> + <type>input</type> + <required/> + <size>70</size> + </field> + <field> + <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> + <fieldname>deny_info_tcp_reset</fieldname> + <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>Squid Reverse HTTP Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable HTTP reverse mode</fielddescr> + <fieldname>reverse_http</fieldname> + <description>If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <type>checkbox</type> + <enablefields>reverse_http_port,reverse_http_defsite</enablefields> + <required/> + <default_value>off</default_value> + </field> + <field> + <fielddescr>reverse HTTP port</fielddescr> + <fieldname>reverse_http_port</fieldname> + <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description> + <type>input</type> + <size>5</size> + <default_value>80</default_value> + </field> + <field> + <fielddescr>reverse HTTP default site</fielddescr> + <fieldname>reverse_http_defsite</fieldname> + <description>This is the HTTP reverse default site. (leave empty to use the external fqdn)</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Reverse HTTPS Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable HTTPS reverse proxy</fielddescr> + <fieldname>reverse_https</fieldname> + <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <type>checkbox</type> + <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> + <required/> + <default_value>off</default_value> + </field> + <field> + <fielddescr>reverse HTTPS port</fielddescr> + <fieldname>reverse_https_port</fieldname> + <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description> + <type>input</type> + <size>5</size> + <default_value>443</default_value> + </field> + <field> + <fielddescr>reverse HTTPS default site</fielddescr> + <fieldname>reverse_https_defsite</fieldname> + <description>This is the HTTPS reverse default site. (leave empty to use the external fqdn)</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>reverse SSL certificate</fielddescr> + <fieldname>reverse_ssl_cert</fieldname> + <description>Choose the SSL Server Certificate here.</description> + <type>select_source</type> + <source><![CDATA[$config['cert']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + </field> + <field> + <fielddescr>intermediate CA certificate (if needed)</fielddescr> + <fieldname>reverse_int_ca</fieldname> + <description>Paste a signed certificate in X.509 PEM format here.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Ignore internal Certificate validation</fielddescr> + <fieldname>reverse_ignore_ssl_valid</fieldname> + <description>If this field is checked, internal certificate validation will be ignored.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>OWA Reverse proxy General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable OWA reverse proxy</fielddescr> + <fieldname>reverse_owa</fieldname> + <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description> + <type>checkbox</type> + <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> + </field> + <field> + <fielddescr>OWA frontend IP address</fielddescr> + <fieldname>reverse_owa_ip</fieldname> + <description>This is the internal IP Address of the OWA frontend server.</description> + <type>input</type> + <size>15</size> + </field> + <field> + <fielddescr>Enable ActiveSync</fielddescr> + <fieldname>reverse_owa_activesync</fieldname> + <description>If this field is checked, ActiveSync will be enabled.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable Outlook Anywhere</fielddescr> + <fieldname>reverse_owa_rpchttp</fieldname> + <description>If this field is checked, RPC over HTTP will be enabled.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable Exchange WebServices</fielddescr> + <fieldname>reverse_owa_webservice</fieldname> + <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br> + <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable AutoDiscover</fielddescr> + <fieldname>reverse_owa_autodiscover</fieldname> + <description>If this field is checked, AutoDiscover will be enabled.</description> + <type>checkbox</type> + </field> + </fields> + <custom_php_command_before_form> + squid_before_form_general(&$pkg); + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_reverse($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_reverse_peer.xml b/config/squid-reverse/squid_reverse_peer.xml new file mode 100644 index 00000000..e32e1973 --- /dev/null +++ b/config/squid-reverse/squid_reverse_peer.xml @@ -0,0 +1,159 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_peer.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreversepeer</name> + <version>none</version> + <title>Reverse Proxy server: Peers</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Alias</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Ip address</fielddescr> + <fieldname>ip</fieldname> + </columnitem> + <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + </columnitem> + <columnitem> + <fielddescr>Protocol</fielddescr> + <fieldname>Protocol</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Reverse Peer Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this peer</fielddescr> + <fieldname>enable</fieldname> + <description>If this field is checked, then this peer will be available for reverse config.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Peer Alias</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this peer on squid reverse conf<br> + example: HOST1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Peer IP</fielddescr> + <fieldname>ip</fieldname> + <description><![CDATA[Ip Address of this peer.<br> + example: 192.168.0.1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Peer Port</fielddescr> + <fieldname>port</fieldname> + <description><![CDATA[Listening port of this peer.<br> + example: 80]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Peer Protocol</fielddescr> + <fieldname>protocol</fieldname> + <description><![CDATA[Protocol listening on this peer port.]]></description> + <type>select</type> + <options> + <option> <name>HTTP</name> <value>HTTP</value> </option> + <option> <name>HTTPS</name> <value>HTTPS</value> </option> + </options> + </field> + <field> + <fielddescr>Peer Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Peer Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_command_before_form> + squid_before_form_general(&$pkg); + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_reverse($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_reverse_sync.xml b/config/squid-reverse/squid_reverse_sync.xml new file mode 100755 index 00000000..9395f6d7 --- /dev/null +++ b/config/squid-reverse/squid_reverse_sync.xml @@ -0,0 +1,105 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidsync</name> + <version>1.0</version> + <title>Reverse Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml&id=0</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml&id=0</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync squid(normal and reverse) changes to the hosts defined below.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-reverse/squid_reverse_uri.xml b/config/squid-reverse/squid_reverse_uri.xml new file mode 100644 index 00000000..57ce5832 --- /dev/null +++ b/config/squid-reverse/squid_reverse_uri.xml @@ -0,0 +1,155 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_general.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreverseuri</name> + <version>none</version> + <title>Reverse Proxy server: Mappings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml&id=0</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Group Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Peers</fielddescr> + <fieldname>peers</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Reverse Peer Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this URI</fielddescr> + <fieldname>enable</fieldname> + <description><![CDATA[If this field is checked, then this URI(Uniform Resource Name) will be available for reverse config.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Group name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this URI on squid reverse conf<br> + example: URI1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Group Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[URI Group Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Peers</fielddescr> + <fieldname>peers</fieldname> + <description><![CDATA[Apply this Group Mappings to selected Peers<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['squidreversepeer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>05</size> + </field> + <field> + <fielddescr><![CDATA[URIs]]></fielddescr> + <fieldname>none</fieldname> + <description><![CDATA[URI to publish]]></description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>URI</fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>25</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>[http://|https://]vhost fqdn(optional)</fielddescr> + <fieldname>vhost</fieldname> + <type>input</type> + <size>40</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_sync.xml b/config/squid-reverse/squid_sync.xml new file mode 100755 index 00000000..5af26a7a --- /dev/null +++ b/config/squid-reverse/squid_sync.xml @@ -0,0 +1,121 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidsync</name> + <version>1.0</version> + <title>Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Upstream</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + <tab> + <text>Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync squid(normal and reverse) changes to the hosts defined below.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-reverse/squid_traffic.xml b/config/squid-reverse/squid_traffic.xml index c56ca73f..40e8eb97 100644 --- a/config/squid-reverse/squid_traffic.xml +++ b/config/squid-reverse/squid_traffic.xml @@ -50,20 +50,20 @@ <title>Proxy server: Traffic management</title> <include_file>squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -72,24 +72,29 @@ <active/> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> - </tabs> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> <fields> <field> + <name>Squid Traffic Managment Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Maximum download size</fielddescr> <fieldname>max_download_size</fieldname> <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> @@ -98,6 +103,7 @@ <fieldname>max_upload_size</fieldname> <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> @@ -106,6 +112,7 @@ <fieldname>overall_throttling</fieldname> <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> @@ -114,10 +121,15 @@ <fieldname>perhost_throttling</fieldname> <description>This value specifies the download throttling per host. Set to 0 to disable this.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> <field> + <name>Squid Transfer Extension Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Throttle only specific extensions</fielddescr> <fieldname>throttle_specific</fieldname> <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description> @@ -151,10 +163,15 @@ <size>60</size> </field> <field> + <name>Squid Transfer Quick Abort Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Finish transfer if less than x KB remaining</fielddescr> <fieldname>quick_abort_min</fieldname> <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description> <type>input</type> + <size>10</size> <default_value>0</default_value> </field> <field> @@ -169,6 +186,7 @@ <fieldname>quick_abort_pct</fieldname> <description>If more than x % of the transfer has completed, it will finish the retrieval.</description> <type>input</type> + <size>10</size> <default_value>0</default_value> </field> </fields> diff --git a/config/squid-reverse/squid_upstream.xml b/config/squid-reverse/squid_upstream.xml index 3d4d1611..d3c10771 100644 --- a/config/squid-reverse/squid_upstream.xml +++ b/config/squid-reverse/squid_upstream.xml @@ -50,21 +50,21 @@ <title>Proxy server: Upstream proxy settings</title> <include_file>squid.inc</include_file> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> <active/> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -72,20 +72,24 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Upstream proxy settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Enable forwarding</fielddescr> <fieldname>proxy_forwarding</fieldname> <description>This option enables the proxy server to forward requests to an upstream server.</description> diff --git a/config/squid-reverse/squid_users.xml b/config/squid-reverse/squid_users.xml index f2f8fe1c..d51a5f87 100644 --- a/config/squid-reverse/squid_users.xml +++ b/config/squid-reverse/squid_users.xml @@ -52,20 +52,20 @@ <delete_string>A proxy server user has been deleted.</delete_string> <addedit_string>A proxy server user has been created/modified.</addedit_string> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -73,18 +73,18 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> <active/> </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <adddeleteeditpagefields> <columnitem> @@ -98,6 +98,10 @@ </adddeleteeditpagefields> <fields> <field> + <name>Squid Local Users</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Username</fielddescr> <fieldname>username</fieldname> <description>Enter the username here.</description> |