diff options
author | doktornotor <notordoktor@gmail.com> | 2015-10-06 05:17:58 +0200 |
---|---|---|
committer | doktornotor <notordoktor@gmail.com> | 2015-10-06 05:17:58 +0200 |
commit | 0b7b038ad2a82751872d3c9c2df9412bcc7c7419 (patch) | |
tree | 873740efe0640046d2864f52f29d5401b8fb0cf2 /config/squid3 | |
parent | b52dc8a8896e6b268611959f5c79dcfb85c0ec84 (diff) | |
download | pfsense-packages-0b7b038ad2a82751872d3c9c2df9412bcc7c7419.tar.gz pfsense-packages-0b7b038ad2a82751872d3c9c2df9412bcc7c7419.tar.bz2 pfsense-packages-0b7b038ad2a82751872d3c9c2df9412bcc7c7419.zip |
Major rework of antivirus features logic
- Users can either maintain raw config files now, or use the GUI options, but not both at the same time.
- Added extensive descriptions regarding the config files / config.xml configuration handling
- Install/deinstall of AV-related stuff moved here from squid.inc
Diffstat (limited to 'config/squid3')
-rw-r--r-- | config/squid3/34/squid_antivirus.inc | 718 |
1 files changed, 540 insertions, 178 deletions
diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index ac78ad44..7a82464a 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -32,8 +32,11 @@ require_once('config.inc'); /* This file is currently only being included in squid.inc and not used separately */ // require_once('squid.inc'); +/* + * Utility functions + */ -/* Only needed for PBI/pfSense <2.3 */ +/* clamav user account hadling (only needed for PBI/pfSense <2.3) */ function squid_check_clamav_user($user) { if (SQUID_BASE == '/usr/local') { return; @@ -47,57 +50,7 @@ function squid_check_clamav_user($user) { } } -/* Create /usr/local/etc/rc.d/clamd.sh rcfile */ -function squid_write_clamd_rcfile() { - $squid_base = SQUID_BASE; - $rc = array(); - $rc['file'] = 'clamd.sh'; - $rc['start'] = <<< EOD - -if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ];then - echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" - exit 1 -fi - -{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf" - -EOD; - - $rc['stop'] = <<< EOD - -/usr/bin/killall clamd 2>/dev/null -# Just to be sure... -sleep 5 -if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then - /usr/bin/killall -9 clamd 2>/dev/null -fi - -EOD; - - conf_mount_rw(); - write_rcfile($rc); - conf_mount_ro(); -} - -/* Create /usr/local/etc/rc.d/c-icap.sh rcfile */ -function squid_write_cicap_rcfile() { - $c_icap_rcfile = "c-icap.sh"; - $cicap_libdir = SQUID_LOCALBASE . "/lib"; - $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap"; - $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; - $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; - $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; - conf_mount_rw(); - write_rcfile(array( - "file" => "{$c_icap_rcfile}", - "start" => "{$cicap_start_cmd}", - "stop" => "{$cicap_stop_cmd}" - ) - ); - conf_mount_ro(); -} - -/* ClamAV antivirus definitions updates via cron */ +/* Antivirus definitions updates via cron */ function squid_install_freshclam_cron($should_install) { global $config; @@ -124,13 +77,139 @@ function squid_install_freshclam_cron($should_install) { } } -/* Manually update ClamAV virus definitions (via the GUI button) */ +/* Manually update ClamAV virus definitions via the GUI button */ function squid_update_clamav() { log_error("Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); } -/* Antivirus features configuration */ +/* + * Squid package install/uninstall + */ + +/* Run on Squid package install */ +function squid_antivirus_install_command() { + // antivirus rc scripts + squid_write_cicap_rcfile(); + squid_write_clamd_rcfile(); + + // antivirus config files + squid_antivirus_install_config_files(); + + // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); + foreach ($ln_icap as $ln) { + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { + symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); + } + } + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { + symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); + } + + // check dirs + $dirs = array( + "/var/run/c-icap" => "clamav", + "/var/log/c-icap" => "clamav", + "/var/log/clamav" => "clamav", + "/var/run/clamav" => "clamav", + "/var/db/clamav" => "clamav" + ); + foreach ($dirs as $dir_path => $dir_user) { + safe_mkdir($dir_path, 0755); + squid_chown_recursive($dir_path, $dir_user, "wheel"); + } + + // remove unwanted PBI rc scripts + unlink_if_exists("/usr/local/etc/rc.d/c-icap"); + unlink_if_exists("/usr/local/etc/rc.d/clamav-clamd"); + unlink_if_exists("/usr/local/etc/rc.d/clamav-freshclam"); +} + +/* Run on Squid package uninstall */ +function squid_antivirus_deinstall_command() { + /* kill all running services */ + if (is_process_running("c-icap")) { + mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + } + mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep '[f]reshclam' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + + /* remove cronjobs */ + squid_install_freshclam_cron(false); + + /* delete rc scripts */ + unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); + unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); + unlink_if_exists('/usr/local/etc/rc.d/clamd.sh'); + + /* clean up created PBI symlinks */ + update_output_window("Finishing package cleanup."); + if (SQUID_LOCALBASE != '/usr/local') { + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); + foreach ($ln_icap as $ln) { + if (is_link("/usr/local/{$ln}")) { + unlink("/usr/local/{$ln}"); + } + } + if (is_link("/usr/local/lib/libicapapi.so.3")) { + unlink("/usr/local/lib/libicapapi.so.3"); + } + } + + /* clean up created directories if 'Keep Settings/Data' is disabled */ + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $keep = ($squidsettings['keep_squid_data'] ? true : false); + + if (!$keep) { + update_output_window("Removing antivirus definitions and logs ... One moment please..."); + $dirs = array("/var/run/c-icap", "/var/log/c-icap", "/var/log/clamav", "/var/run/clamav", "/var/db/clamav"); + foreach ($dirs as $dir) { + if (is_dir("{$dir}")) { + mwexec("/bin/rm -rf {$dir}"); + } + } + } + + /* check if clamav/c_icap is enabled in rc.conf.local */ + // XXX: This hasn't been used since 0.3.7; to be removed in future + if (file_exists("/etc/rc.conf.local")) { + update_output_window("Removing antivirus services from /etc/rc.conf.local..."); + $sample_file = file_get_contents("/etc/rc.conf.local"); + $rcconf_local_m[0] = "@c_icap_enable(.*)\n@"; + $rcconf_local_m[1] = "@clamav_clamd_enable(.*)\n@"; + $rcconf_local_r[0] = ""; + $rcconf_local_r[1] = ""; + file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); + } +} + +/* + * Antivirus features configuration + * + * <file>.conf is the actual configuration file used for services. + * <file>.conf.pfsense is a template file patched for pfSense; should be never altered beyond initial install. + * <file>.conf.{sample,default} are templates distributed directly with PBI/package; + * If <file>.conf.default does not exist, a backup copy is made from another distributed files before patching it for pfSense. + * + * Configuration via the GUI options: + * <file>.conf is always (re)generated from the <file>.conf.pfsense on package resync, + * with additional patches depending on the GUI configuration options configured by user. + * Directly editing files via 'Advanced Features' is disabled in the GUI. + * + * Manual Configuration + * When the user enables 'Manual Configuration' for the first time, the config.xml settings are + * serialized from <file>.conf.pfsense template patched for pfSense. After this initial configuration, + * <file>.conf is always (re)generated from config.xml as long as 'Manual Configuration' is enabled in settings. + * In this case, any additional configuration made in the Antivirus GUI outside of 'Advanced Features' + * is unset on saving settings; after that, those options are disabled in the GUI and have no effect any more. + */ + +/* Proxy Server: Antivirus configuration handler */ function squid_resync_antivirus() { global $config; @@ -140,6 +219,7 @@ function squid_resync_antivirus() { $antivirus_config = array(); } + // squid.conf antivirus integration if (squid_enabled() && ($antivirus_config['enable'] == "on")) { switch ($antivirus_config['client_info']) { case "both": @@ -179,146 +259,412 @@ EOF; // check clamav user squid_check_clamav_user('clamav'); - // patch sample files to pfsense dirs - // squidclamav.conf - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default"); - $clamav_m[0] = "@/var/run/clamav/clamd.ctl@"; - $clamav_m[1] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; - $clamav_r[0] = "/var/run/clamav/clamd.sock"; - $clamav_r[1] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; - if ($antivirus_config['clamav_safebrowsing'] == "on") { - $clamav_m[2] = "@safebrowsing\s0@"; - $clamav_r[2] = "safebrowsing 1"; - } else { - $clamav_m[2] = "@safebrowsing\s1@"; - $clamav_r[2] = "safebrowsing 0"; + + if ($antivirus_config['enable_advanced'] == "enabled") { + // User is managing raw configuration, so we unset the configuration options set via GUI + squid_antivirus_toggle_raw_config(true); + // Generate the raw configuration if missing + $rawopts = array("raw_squidclamav_conf", "raw_cicap_conf", "raw_cicap_magic", "raw_freshclam_conf", "raw_clamd_conf"); + foreach ($rawopts as $rawopt) { + if ($antivirus_config[$rawopt] == "") { + squid_antivirus_get_raw_config(); + } } - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); - } - // c-icap.conf - // make a backup of default c-icap.conf.sample first - // unlike with other config files, the file distributed in package is called c-icap.conf.sample, not c-icap.conf.default - if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); - } - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); - if (!preg_match("/squid_clamav/", $sample_file)) { - $sample_file .= "\nService squid_clamav squidclamav.so\n"; + // Create configuration files + squid_antivirus_put_raw_config($config['installedpackages']['squidantivirus']['config'][0]); + } else { + // unset raw configuration options + squid_antivirus_toggle_raw_config(false); + + // patch sample files to pfsense dirs + // squidclamav.conf + $cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf"; + if (file_exists("{$cf}.pfsense")) { + $sample_file = file_get_contents("{$cf}.pfsense"); + if ($antivirus_config['clamav_safebrowsing'] == "on") { + $squidclamav_m[0] = "@safebrowsing\s0@"; + $squidclamav_r[0] = "safebrowsing 1"; + } + if ($antivirus_config['clamav_url'] != "") { + $squidclamav_m[1] = "@redirect http@"; + $squidclamav_r[1] = "{$antivirus_config['clamav_url']}"; + } + file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - template not found; could not generate {$cf} file!"); } - $cicap_m[0] = "@Manager:Apassword\S+@"; - $cicap_r[0] = ""; - // XXX: Bug #4615 - if (is_array($config['installedpackages']['squid'])) { - $squidsettings = $config['installedpackages']['squid']['config'][0]; + + // c-icap.conf + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + if (file_exists("{$cf}.pfsense")) { + $sample_file = file_get_contents("{$cf}.pfsense"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; + } + // XXX: Bug #4615 + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs'); + $cicap_m[0] = "@DebugLevel\s1@"; + $cicap_r[0] = "DebugLevel 0"; + $cicap_m[1] = "@AccessLog /var/squid/logs/c-icap-access.log@"; + $cicap_r[1] = "AccessLog {$logdir}/c-icap-access.log"; + $cicap_m[2] = "@ServerLog /var/squid/logs/c-icap-server.log@"; + $cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log"; + file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); } else { - $squidsettings = array(); + log_error("Squid - template not found; could not generate {$cf} file!"); } - $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs'); - $cicap_m[1] = "@DebugLevel\s1@"; - $cicap_r[1] = "DebugLevel 0"; - $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; - $cicap_r[2] = "AccessLog $logdir/c-icap-access.log"; - $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; - $cicap_r[3] = "ServerLog $logdir/c-icap-server.log"; - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); - } - // freshclam.conf - // make a backup of default freshclam.conf.sample first - if (!file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { - copy(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", SQUID_LOCALBASE . "/etc/freshclam.conf.default"); - } - if (file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.default"); - $freshclam_m[0] = "@#Example@"; - $freshclam_r[0] = ""; - $clamav_mirrors = ""; - if ($antivirus_config['clamav_dbregion'] != "") { - $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; + + // c-icap.magic + // just make a copy of pfSense template, nothing configurable via GUI options here + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic"; + if (file_exists("{$cf}.pfsense")) { + copy("{$cf}.pfsense", "{$cf}"); + } else { + log_error("Squid - template not found; could not generate {$cf} file!"); } - if ($antivirus_config['clamav_dbservers'] != "") { - foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { - $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; + + // freshclam.conf + $cf = SQUID_LOCALBASE . "/etc/freshclam.conf"; + if (file_exists("{$cf}.pfsense")) { + $sample_file = file_get_contents("{$cf}.pfsense"); + $clamav_mirrors = ""; + if ($antivirus_config['clamav_dbregion'] != "") { + $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; } + if ($antivirus_config['clamav_dbservers'] != "") { + foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { + $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; + } + } + if ($clamav_mirrors != "") { + $freshclam_m[0] = "@#DatabaseMirror db.XY.clamav.net@"; + $freshclam_r[0] = "{$clamav_mirrors}"; + } + if ($antivirus_config['clamav_safebrowsing'] == "on") { + $freshclam_m[1] = "@#SafeBrowsing yes@"; + $freshclam_r[1] = "SafeBrowsing yes"; + } + file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - template not found; could not generate {$cf} file!"); } - if ($clamav_mirrors != "") { - $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; - $freshclam_r[1] = "{$clamav_mirrors}"; - } - if ($antivirus_config['clamav_safebrowsing'] == "on") { - $freshclam_m[2] = "@#SafeBrowsing yes@"; - $freshclam_r[2] = "SafeBrowsing yes"; + + // clamd.conf + // just make a copy of pfSense template, nothing configurable via GUI options here + $cf = SQUID_LOCALBASE . "/etc/clamd.conf"; + if (file_exists("{$cf}.pfsense")) { + copy("{$cf}.pfsense", "{$cf}"); } else { - if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file))) { - $freshclam_m[2] = "@SafeBrowsing yes@"; - $freshclam_r[2] = "#SafeBrowsing yes"; - } + log_error("Squid - template not found; could not generate {$cf} file!"); } - file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + unset($cf); } + // freshclam cronjob squid_install_freshclam_cron(true); - // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) - $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); - foreach ($ln_icap as $ln) { - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { - symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); - } - } - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { - symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); - } + } + // this will (re)start or stop/disable services as needed + // depending on whether Squid proxy and/or antivirus features are enabled + squid_restart_antivirus(); - $loadsample = 0; - if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample"))); - $loadsample++; + return $conf; +} + +/* Patch paths and settings in configuration files template for pfSense-specific values on install */ +function squid_antivirus_install_config_files() { + global $config; + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + // squidclamav.conf + // there is no squidclamav.conf.sample packaged, use squidclamav.conf if really needed + $cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + $squidclamav_m[0] = "@# SquidClamav default configuration file@"; + $squidclamav_r[0] = "#This file was automatically generated by pfSense"; + $squidclamav_m[1] = "@/var/run/clamav/clamd.ctl@"; + $squidclamav_r[1] = "/var/run/clamav/clamd.sock"; + $squidclamav_m[2] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; + $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; + file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + + // c-icap.conf + // there is no c-icap.conf.sample packaged, use c-icap.conf if really needed + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; } - if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample"))); - $loadsample++; + $cicap_m[0] = "@# This file contains the default settings for c-icap@"; + $cicap_r[0] = "#This file was automatically generated by pfSense"; + $cicap_m[1] = "@DebugLevel\s1@"; + $cicap_r[1] = "DebugLevel 0"; + $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; + $cicap_r[2] = "AccessLog /var/squid/logs/c-icap-access.log"; + $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; + $cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log"; + file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + + // c-icap.magic + // just make a backup and pfSense template copies of default c-icap.magic, we are not patching anything here + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}.sample", "{$cf}.default"); + } + if (!file_exists("{$cf}.pfsense")) { + copy("{$cf}.sample", "{$cf}.pfsense"); + } + + // clamd.conf + // make a backup of default clamd.conf.sample first + $cf = SQUID_LOCALBASE . "/etc/clamd.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}.sample", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + $clamd_m[0] = "@## Example config file for the Clam AV daemon@"; + $clamd_r[0] = "#This file was automatically generated by pfSense"; + $clamd_m[1] = "@# Comment or remove the line below.@"; + $clamd_r[1] = ""; + $clamd_m[2] = "@#Example@"; + $clamd_r[2] = ""; + file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + + // freshclam.conf + // make a backup of default freshclam.conf.sample first + $cf = SQUID_LOCALBASE . "/etc/freshclam.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}.sample", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + $freshclam_m[0] = "@## Example config file for freshclam@"; + $freshclam_r[0] = "#This file was automatically generated by pfSense"; + $freshclam_m[1] = "@# Comment or remove the line below.@"; + $freshclam_r[1] = ""; + $freshclam_m[2] = "@#Example@"; + $freshclam_r[2] = ""; + file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + unset($cf); +} + +/* Get the raw pfSense template files for manual configuration and serialize them to config.xml */ +function squid_antivirus_get_raw_config() { + global $config; + $loaded = false; + $rawfiles = array("squidclamav.conf", "c-icap.conf", "c-icap.magic", "freshclam.conf", "clamd.conf"); + + foreach ($rawfiles as $rawfile) { + switch ($rawfile) { + case 'squidclamav.conf': + $confdir = "/c-icap"; + $confopt = "raw_squidclamav_conf"; + break; + case 'c-icap.conf': + $confdir = "/c-icap"; + $confopt = "raw_cicap_conf"; + break; + case 'c-icap.magic': + $confdir = "/c-icap"; + $confopt = "raw_cicap_magic"; + break; + case 'freshclam.conf': + $confdir = ""; + $confopt = "raw_freshclam_conf"; + break; + case 'clamd.conf': + $confdir = ""; + $confopt = "raw_clamd_conf"; + break; + default: + $confdir = ""; + $confopt = ""; + break; } - if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample"))); - $loadsample++; + // get the config from the files if not set (yet) in config.xml + if ($confopt) { + $conffile = SQUID_LOCALBASE . "/etc" . "{$confdir}" . "/{$rawfile}.pfsense"; + if (file_exists($conffile)) { + if ($config['installedpackages']['squidantivirus']['config'][0][$confopt] == "") { + $config['installedpackages']['squidantivirus']['config'][0][$confopt] = base64_encode(str_replace("\r", "", file_get_contents("{$conffile}"))); + log_error("Squid - Successfully loaded {$conffile} configuration file"); + $loaded = true; + } + // Just a fallback attempt if people do things in weird order on a completely fresh install perhaps; should not be ever needed + } else { + squid_antivirus_install_config_files(); + if (file_exists($conffile)) { + $config['installedpackages']['squidantivirus']['config'][0][$confopt] = base64_encode(str_replace("\r", "", file_get_contents("{$conffile}"))); + log_error("Squid - Successfully loaded {$conffile} configuration file"); + $loaded = true; + } else { + log_error("Squid - '{$conffile}' template does not exist; could not load advanced {$rawfile} configuration!"); + } + } } - if ($antivirus_config['freshclam_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample"))); - $loadsample++; + } + if ($loaded) { + write_config("Squid - Loaded raw configuration files", false); + log_error("Squid - Successfully loaded raw configuration files"); + } +} + +/* Toggle the raw config state */ +function squid_antivirus_toggle_raw_config($state) { + global $config; + if ($state) { + // manual configuration enabled + $opts = array("clamav_url", "clamav_safebrowsing", "clamav_update", "clamav_dbregion", "clamav_dbservers"); + foreach ($opts as $opt) { + if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { + unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); + log_error("Squid - Loaded {$opt} raw configuration file..."); + } } - if ($loadsample > 0) { - write_config(); - $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + log_error("Squid - Loading raw configuration files..."); + squid_antivirus_get_raw_config(); + } else { + // manual configuration disabled + $opts = array("raw_squidclamav_conf", "raw_cicap_conf", "raw_cicap_magic", "raw_freshclam_conf", "raw_clamd_conf"); + foreach ($opts as $opt) { + if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { + unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); + log_error("Squid - Unloaded {$opt} raw configuration file..."); + } } - // check dirs - $dirs = array( - "/var/run/c-icap" => "clamav", - "/var/log/c-icap" => "clamav", - "/var/log/clamav" => "clamav", - "/var/run/clamav" => "clamav", - "/var/db/clamav" => "clamav" - ); - foreach ($dirs as $dir_path => $dir_user) { - safe_mkdir($dir_path, 0755); - squid_chown_recursive($dir_path, $dir_user, "wheel"); + $config['installedpackages']['squidantivirus']['config'][0]['enable_advanced'] = "disabled"; + } +} + +/* Write the raw config files to disk from config.xml configuration */ +function squid_antivirus_put_raw_config($rawfiles) { + if (is_array($rawfiles)) { + foreach ($rawfiles as $rawfile => $rawconfig) { + switch ($rawfile) { + case 'raw_squidclamav_conf': + $confdir = "/c-icap"; + $conffile = "/squidclamav.conf"; + break; + case 'raw_cicap_conf': + $confdir = "/c-icap"; + $conffile = "/c-icap.conf"; + break; + case 'raw_cicap_magic': + $confdir = "/c-icap"; + $conffile = "/c-icap.magic"; + break; + case 'raw_freshclam_conf': + $confdir = ""; + $conffile = "freshclam.conf"; + break; + case 'raw_clamd_conf': + $confdir = ""; + $conffile = "clamd.conf"; + break; + default: + $confdir = ""; + $conffile = ""; + break; + } + if ($conffile && $rawconfig) { + squid_antivirus_write_conffile($confdir, $conffile, $rawconfig); + } } + } +} - // write advanced clamav/icap config files - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf", base64_decode($antivirus_config['freshclam_conf']), LOCK_EX); +/* Helper function for squid_antivirus_put_raw_config() */ +function squid_antivirus_write_conffile($dir, $file, $text) { + if ($file && $text) { + file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", base64_decode(preg_replace('/\r\n/', '\n', $text), LOCK_EX)); + log_error("Squid - Saved {$file} configuration file."); } - // this will (re)start or stop/disable services as needed - // depending on whether Squid proxy and/or antivirus features are enabled - squid_restart_antivirus(); +} - return $conf; +/* + * rc scripts and services + */ + +/* Create clamd.sh rc script */ +function squid_write_clamd_rcfile() { + $squid_base = SQUID_BASE; + $rc = array(); + $rc['file'] = 'clamd.sh'; + $rc['start'] = <<< EOD + +if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ]; then + echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" + exit 1 +fi + +{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf" + +EOD; + + $rc['stop'] = <<< EOD + +/usr/bin/killall clamd 2>/dev/null +# Just to be sure... +sleep 5 +if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then + /usr/bin/killall -9 clamd 2>/dev/null +fi + +EOD; + + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); } -/* Antivirus services handling */ +/* Create c-icap.sh rc script */ +function squid_write_cicap_rcfile() { + $c_icap_rcfile = "c-icap.sh"; + $cicap_libdir = SQUID_LOCALBASE . "/lib"; + $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap"; + $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; + $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; + conf_mount_rw(); + write_rcfile(array( + "file" => "{$c_icap_rcfile}", + "start" => "{$cicap_start_cmd}", + "stop" => "{$cicap_stop_cmd}" + ) + ); + conf_mount_ro(); +} + +/* (Re)start antivirus services if AV features are enabled; otherwise stop and disable them */ function squid_restart_antivirus() { global $config; if (is_array($config['installedpackages']['squidantivirus'])) { @@ -392,32 +738,42 @@ function squid_restart_antivirus() { } } -/* Input validation */ +/* + * Input validation + */ + +/* Proxy server: Antivirus input validation */ +/* Also handles manual AV updates and switching 'Manual Configuration' on/off */ function squid_validate_antivirus($post, &$input_errors) { global $config; + if (is_array($config['installedpackages']['squidantivirus'])) { + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } else { + $antivirus_config = array(); + } /* Manual ClamAV database update */ - if ($post['submit'] == 'Update AV') { + if ($post['update_av'] == 'Update AV') { squid_update_clamav(); return; } - if ($post['enable'] != "on") { + /* Load the raw config files if manual configuration is enabled */ + if ($post['load_advanced'] == 'Load Advanced') { + $config['installedpackages']['squidantivirus']['config'][0]['enable_advanced'] = "enabled"; + squid_antivirus_toggle_raw_config(true); return; } - if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) { + if ($post['raw_squidclamav_conf'] && preg_match("/(\S+proxy.domain\S+)/", $post['raw_squidclamav_conf'], $a_match)) { $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})"; $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host."; } - if ($post['c-icap_conf']) { - if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) { + if ($post['raw_cicap_conf']) { + if (!preg_match("/squid_clamav/", $post['raw_cicap_conf'])) { $input_errors[] = "c-icap Squidclamav service definition is not present."; $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; } - if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) { - $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; - } } if ($post['clamav_dbservers']) { @@ -428,6 +784,12 @@ function squid_validate_antivirus($post, &$input_errors) { } } } + + if ($post['clamav_url']) { + if (!filter_var($post['clamav_url'], FILTER_VALIDATE_URL)) { + $input_errors[] = "'Redirect URL' is not a valid URL."; + } + } } ?> |