author | alainabbas <alain.abbas@libertech.fr> | 2014-11-12 16:36:28 +0100 |
committer | alainabbas <alain.abbas@libertech.fr> | 2014-11-12 16:36:28 +0100 |
commit | 7c6bdcb88f5d0a57fdc9c0b2025260b556005655 (patch) | |
tree | c6c888b40bad01c60131530e07fc0a383ef653fe /config | |
parent | bf28487b17524bbe7165c5a061d63c9f7ceb5ba2 (diff) | |
Update squid_reverse.inc
Add certificate peer authentication and revocation-list checking to the reverse proxy
Diffstat (limited to 'config')
-rwxr-xr-x | config/squid3/33/squid_reverse.inc | 36 |
1 files changed, 34 insertions, 2 deletions
diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc
index 1332f220..152d3d12 100755
--- a/config/squid3/33/squid_reverse.inc
+++ b/config/squid3/33/squid_reverse.inc
@@ -58,8 +58,27 @@ function squid_resync_reverse() {
 $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
 }
 }
+ }
+ //Add Ca certificate for Client Validation
+ if (isset($settings["reverse_check_clientca"]) && $settings["reverse_check_clientca"] == "on") {
+ $clientca_cert=lookup_ca($settings["reverse_ssl_clientca"]);
+ $clientca_prm='';
+ if ( $clientca_cert != false){
+ if(base64_decode($clientca_cert['crt'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientca"]}.crt",sq_text_area_decode($clientca_cert['crt']));
+ $clientca_prm = "clientca=" . SQUID_CONFBASE . "/{$settings["reverse_ssl_clientca"]}.crt ";
+ }
+ }
+ $crl=lookup_crl($settings["reverse_ssl_clientcrl"]);
+ crl_update($crl);
+ if ( $crl != false){
+ if(base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl",base64_decode($crl['text']));
+ $clientca_prm .= "crlfile=" . SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl sslflags=VERIFY_CRL ";
+ }
+ }
 }
-
+
 if (!empty($settings['reverse_int_ca']))
 file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
@@ -82,7 +101,7 @@ function squid_resync_reverse() {
 $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
 //HTTPS
 if (!empty($settings['reverse_https']))
- $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} ".$clientca_prm."key={$reverse_key} defaultsite={$https_defsite} vhost\n";
 }
 }
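Review bot: Revocation checking fails open in the new CRL block: `crlfile=` and `sslflags=VERIFY_CRL` are appended only inside `if ( $crl != false)`, so when the configured CRL cannot be looked up or its `text` field does not decode, the `https_port` line is still emitted with `clientca=` but no CRL, and revoked client certificates are accepted with nothing logged. An `else` branch that calls `log_error()` (or declines to enable client-certificate checking at all) would make that degraded state visible to the administrator. The `if(base64_decode(...))` truth tests on the `crt` and `text` fields are weak guards, because non-strict `base64_decode` returns a string for almost any input; decoding once with the strict flag, checking the result against `false`, and writing that result also avoids decoding the same data twice. `crl_update($crl)` is additionally called before the `$crl != false` guard, so it runs on a failed lookup; moving it inside the guard is safer. The enclosing `squid_resync_reverse()` starts outside this hunk.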
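Review bot: `$clientca_prm` is read unconditionally in the rewritten `https_port` line, but it is only assigned inside the `reverse_check_clientca == "on"` branch added in the first hunk, so with client-certificate checking disabled the variable is undefined at the point of use (a PHP notice, and the emitted directive then carries a double space before `key=`). Initialising it once before that `if`, `$clientca_prm = '';`, and dropping the assignment inside the branch fixes both hunks. `squid_resync_reverse()` continues outside this hunk.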
@@ -242,4 +261,17 @@ function squid_resync_reverse() {
 return $conf;
 }
+function squid_refresh_crl()
+{
+ global $config;
+ if (isset($settings["reverse_check_clientca"]) && $settings["reverse_check_clientca"] == "on") {
+ $crl=lookup_crl($settings["reverse_ssl_clientcrl"]);
+ crl_update($crl);
+ if ( $crl != false){
+ if(base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl",base64_decode($crl['text']));
+ }
+ }
+ }
+}
 ?>
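Review bot: `squid_refresh_crl()` declares `global $config;` but then reads `$settings`, which is never assigned in this function, so `isset($settings["reverse_check_clientca"])` is always false and the function never writes the CRL file. It needs to load the package settings from `$config` the same way `squid_resync_reverse()` does (that code is outside this hunk) before the `isset` test. The lookup-decode-write sequence is a copy of the one added to `squid_resync_reverse()` in the first hunk; factoring it into one helper that both callers use would keep the two paths from diverging. Rewriting the `.crl` file on disk presumably also requires Squid to be reconfigured before the new CRL is honoured — worth confirming and stating on the function, e.g. `// Rewrites the client-CRL file; the caller must trigger a squid reconfigure for it to take effect.`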