Move all code to squid_ng.inc

author: Scott Ullrich <sullrich@pfsense.org> 2006-01-25 03:29:49 +0000
committer: Scott Ullrich <sullrich@pfsense.org> 2006-01-25 03:29:49 +0000
commit: b95f641ed9819669a47ac05bb6954f870770e769 (patch)
tree: 6eb3b6893daaa0a3fc3bd4accd1199856314b49d /packages/squid_ng.inc
parent: 2afdaf2b9264262fe8638b5ac509500d2727e86a (diff)
download: pfsense-packages-b95f641ed9819669a47ac05bb6954f870770e769.tar.gz
pfsense-packages-b95f641ed9819669a47ac05bb6954f870770e769.tar.bz2
pfsense-packages-b95f641ed9819669a47ac05bb6954f870770e769.zip
1 files changed, 217 insertions, 0 deletions
diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc
index 02e152d0..91f39776 100644
--- a/packages/squid_ng.inc
+++ b/packages/squid_ng.inc
@@ -790,6 +790,223 @@ function global_write_squid_config()
 	touch($squidconfig);
 } /* end function write_squid_config */
 
+function custom_php_install_command() {
+		/* write initial static config for transparent proxy */
+		write_static_squid_config();	
+		
+		touch("/tmp/custom_php_install_command");
+
+		/*    make sure this all exists, see:
+		 *    http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
+		 */
+		update_output_window("Setting up Squid environment...");
+		mwexec("mkdir -p /var/squid");
+		mwexec("chown squid:squid /var/squid");
+		mwexec("mkdir -p /var/squid/logs");
+		mwexec("chown squid:squid /var/squid/logs");
+		mwexec("mkdir -p /var/squid/cache");
+		mwexec("chown squid:squid /var/squid/cache");
+		mwexec("mkdir -p /usr/local/etc/squid/advanced");
+		mwexec("chown squid:squid /usr/local/etc/squid/advanced");
+		mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+		mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
+		mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl");
+		mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl");
+		mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
+		mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
+		mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
+		
+		update_output_window("Creating Proxy Server initialization scripts...");
+		$start = <<<EOD
+touch /tmp/ro_root_mount
+/usr/local/sbin/squid -D
+touch /tmp/filter_dirty
+EOD;
+		$stop = "/usr/local/sbin/squid -k shutdown";
+		write_rcfile(array(
+					"file" => "squid.sh",
+					"start" => $start,
+					"stop" => $stop
+				)
+		);
+	
+		mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
+			
+		/* create log directory hierarchies if they don't exist */
+		update_output_window("Creating required directory hierarchies...");
+		
+		if (!file_exists("/var/squid/logs")) {
+			mwexec("mkdir -p /var/squid/logs");
+		}
+		mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
+		
+		
+		if (!file_exists("/var/squid/cache")) {
+			mwexec("mkdir -p /var/squid/cache");
+		}
+		mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
+		
+		if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
+			mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
+		
+		if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
+			mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
+		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
+			
+		if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
+			mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
+		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");		
+		
+		if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
+			mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
+		}
+		mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
+		
+		/* EmanuelG: update pf group ownership settings to enhance squid performance and correct issue relating */
+		/*           to error message: parseHttpRequest: PF open failed: (13) Permission denied               */
+		mwexec("chgrp squid /dev/pf");
+		mwexec("chmod g+rw /dev/pf");
+		
+		$devfs_file = fopen("/etc/devfs.conf", "a");
+		fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
+		fwrite($devfs_file, "own pf root:squid");
+		fwrite($devfs_file, "perm pf 0640"); 
+		fclose($devfs_file);
+		
+		update_output_window("Initializing Cache... This may take a moment...");
+		mwexec("/usr/local/sbin/squid -z");
+		
+		update_output_window("Starting Proxy Server...");
+		start_service("squid");
+}
+
+function custom_php_deinstall_command() {
+	update_output_window("Stopping proxy service...");
+	stop_service("squid");
+	sleep(1);
+	/* brute force any remaining squid processes out */
+	mwexec("/usr/bin/killall squid");
+	mwexec("/usr/bin/killall pinger");
+	update_output_window("Recursively removing directories hierarchies...");
+	update_output_window("If existant, log files in /var/squid/logs will remain...");
+	mwexec("rm -rf /usr/local/squid");
+	mwexec("rm -rf /var/squid/cache");	
+	mwexec("rm -rf /usr/local/etc/squid");
+	update_output_window("Removing configuration files...");
+	unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
+	unlink_if_exists("/usr/local/etc/squid");
+	unlink_if_exists("/usr/local/libexec/squid");
+	filter_configure();
+}
+
+function write_static_squid_config() {
+	touch("/tmp/write_static_squid_config");
+	global $config;
+	$lancfg = $config['interfaces']['lan'];
+	$lanif = $lancfg['if'];
+	$lanip = $lancfg['ipaddr'];
+	$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+	$lansn = $lancfg['subnet'];
+	
+	$fout = fopen("/usr/local/etc/squid/squid.conf","w");
+	fwrite($fout, "#\n");
+	fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
+	fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
+	fwrite($fout, "#\n");
+	fwrite($fout, "shutdown_lifetime 5 seconds\n");            
+	fwrite($fout, "icp_port 0\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
+	fwrite($fout, "no_cache deny QUERY\n");
+	fwrite($fout, "\n");
+		   
+	fwrite($fout, "pid_filename /var/run/squid.pid\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "cache_mem 8 MB\n");
+	fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "memory_replacement_policy heap GDSF\n");
+	fwrite($fout, "cache_replacement_policy heap GDSF\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "cache_access_log /dev/null\n");
+	fwrite($fout, "cache_log /dev/null\n");
+	fwrite($fout, "cache_store_log none\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "log_mime_hdrs off\n");
+	fwrite($fout, "emulate_httpd_log on\n");
+	fwrite($fout, "forwarded_for off\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n");
+	fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
+	fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
+	fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
+	fwrite($fout, "acl Safe_ports port 80 # http\n");
+	fwrite($fout, "acl Safe_ports port 21 # ftp\n");
+	fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
+	fwrite($fout, "acl Safe_ports port 70 # gopher\n");
+	fwrite($fout, "acl Safe_ports port 210 # wais\n");
+	fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
+	fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
+	fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
+	fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
+	fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
+	fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "acl CONNECT method CONNECT\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "#access to squid; local machine; no restrictions\n");
+	fwrite($fout, "http_access allow localnet\n");
+	fwrite($fout, "http_access allow localhost\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "#Deny non web services\n");
+	fwrite($fout, "http_access deny !Safe_ports\n");
+	fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "#Set custom configured ACLs\n");
+	fwrite($fout, "http_access deny all\n");
+	fwrite($fout, "visible_hostname pfSense\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "cache_effective_user squid\n");
+	fwrite($fout, "cache_effective_group squid\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "maximum_object_size 4096 KB\n");
+	fwrite($fout, "minimum_object_size 0 KB\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "request_body_max_size 0 KB\n");
+	fwrite($fout, "reply_body_max_size 0 allow all\n");
+	fwrite($fout, "\n");
+	
+	fwrite($fout, "httpd_accel_host virtual\n");
+	fwrite($fout, "httpd_accel_port 80\n");
+	fwrite($fout, "httpd_accel_with_proxy on\n");
+	fwrite($fout, "httpd_accel_uses_host_header on\n");            
+	
+	fclose($fout);	
+}
+
 function mod_htpasswd() {
 	global $config;
 	conf_mount_rw();
author	Scott Ullrich <sullrich@pfsense.org>	2006-01-25 03:29:49 +0000
committer	Scott Ullrich <sullrich@pfsense.org>	2006-01-25 03:29:49 +0000
commit	b95f641ed9819669a47ac05bb6954f870770e769 (patch)
tree	6eb3b6893daaa0a3fc3bd4accd1199856314b49d /packages/squid_ng.inc
parent	2afdaf2b9264262fe8638b5ac509500d2727e86a (diff)
download	pfsense-packages-b95f641ed9819669a47ac05bb6954f870770e769.tar.gz pfsense-packages-b95f641ed9819669a47ac05bb6954f870770e769.tar.bz2 pfsense-packages-b95f641ed9819669a47ac05bb6954f870770e769.zip