-rw-r--r--packages/squid_ng.inc428
1 files changed, 212 insertions, 216 deletions
diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc
index 32cf68ca..dc18e349 100644
--- a/packages/squid_ng.inc
+++ b/packages/squid_ng.inc
@@ -31,15 +31,15 @@
*/
-function global_write_squid_config()
+function global_write_squid_config()
{
global $config;
conf_mount_rw();
config_lock();
-
+
/* define squid configuration file in variable for replace function */
$squidconfig = "/usr/local/etc/squid/squid.conf";
-
+
/* squid.xml values */
$active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
$transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
@@ -53,7 +53,7 @@ function global_write_squid_config()
$cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
$error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
$cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
-
+
/* squid_upstream.xml values */
$proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
$client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
@@ -62,7 +62,7 @@ function global_write_squid_config()
$upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
$upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
$upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
-
+
/* squid_cache.xml values */
$memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
$harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
@@ -73,7 +73,7 @@ function global_write_squid_config()
$cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
$domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
$enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
-
+
/* squid_nac.xml values */
$allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
$unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
@@ -81,7 +81,7 @@ function global_write_squid_config()
$banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
$banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
$override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
-
+
/* squid_traffic.xml values */
$max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
$max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
@@ -90,7 +90,7 @@ function global_write_squid_config()
$throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
$throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
$throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
-
+
/* squid_auth.xml values */
$auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
$auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
@@ -102,7 +102,7 @@ function global_write_squid_config()
$no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
$min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
$bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
-
+
/* squid_extauth.xml (ldap) values */
$ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
$ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
@@ -110,21 +110,21 @@ function global_write_squid_config()
$ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
$bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
$bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
-
+
/* squid_extauth.xml (radius) values */
$radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
$radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
$radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
$radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
-
+
/* static variable assignments for directory mapping */
$acldir = "/usr/local/etc/squid/advanced/acls";
$ncsadir = "/usr/local/etc/squid/advanced/ncsa";
$ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
$radiusdir = "/usr/local/etc/squid/advanced/radius";
-
+
$fout = fopen($squidconfig, "w");
-
+
$config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
@@ -136,22 +136,22 @@ function global_write_squid_config()
unset($cachemgr_enabled);
if (!isset($icp_port) or ($icp_port == "")) {
- $icp_port = "3130";
+ $icp_port = "3130";
}
$config_array[] = 'icp_port ' . $icp_port . "\n";
unset($icp_port);
-
+
if(!isset($proxy_port) or ($proxy_port == "")) {
$proxy_port = "3128";
}
-
+
if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
$int = convert_friendly_interface_to_real_interface_name($active_interface);
$listen_ip = find_interface_ip($int);
-
+
$config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
$config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
- $config_array[] = 'no_cache deny QUERY' . "\n\n";
+ $config_array[] = 'no_cache deny QUERY' . "\n\n";
}
$config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n";
unset($proxy_port);
@@ -160,63 +160,63 @@ function global_write_squid_config()
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
}
-
+
$aclout = fopen($acldir . "/dst_nocache.acl","w");
-
+
$domain_array = split("; ",$domain);
foreach ($domain_array as $no_cache_domain) {
fwrite($aclout, $no_cache_domain . "\n");
}
-
+
fclose($aclout);
-
+
$config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
$config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
}
unset($no_cache_domain);
unset($domain_array);
unset($domain);
-
+
$config_array[] = 'cache_effective_user squid' . "\n";
- $config_array[] = 'cache_effective_group squid' . "\n\n";
+ $config_array[] = 'cache_effective_group squid' . "\n\n";
$config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
-
+
if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
$memory_cache_size = "8";
}
$config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
unset($memory_cache_size);
-
+
if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
$harddisk_cache_size = "500";
}
-
+
if (!isset($level_subdirs) or ($level_subdirs == "")) {
$level_subdirs = "16";
}
-
+
$config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
unset($harddisk_cache_size);
unset($level_subdirs);
-
+
if (!isset($error_language) or ($error_language == "")) {
$error_language = "English";
}
$config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
unset($error_language);
-
+
if (isset($offline_mode) && ($offline_mode == "on")) {
$config_array[] = 'offline_mode on' . "\n\n";
} else {
$config_array[] = 'offline_mode off' . "\n\n";
}
-
+
if (!isset($memory_replacement) or ($memory_replacement == "")) {
$memory_replacement = "heap GDSF";
}
$config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n";
unset($memory_replacement);
-
+
if (!isset($cache_replacement) or ($cache_replacement == "")) {
$cache_replacement="heap GDSF";
}
@@ -239,13 +239,13 @@ function global_write_squid_config()
$config_array[] = 'strip_query_terms on' . "\n";
}
unset($log_query_terms);
-
+
$config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
unset($log_user_agents);
-
+
$config_array[] = 'log_mime_hdrs off' . "\n";
$config_array[] = 'emulate_httpd_log on' . "\n";
-
+
switch ($user_forwarding) {
case "on":
$config_array[] = 'forwarded_for on' . "\n\n";
@@ -258,7 +258,7 @@ function global_write_squid_config()
break;
}
unset($user_forwarding);
-
+
switch ($auth_method) {
case "none":
break;
@@ -268,22 +268,22 @@ function global_write_squid_config()
$auth_processes = "5";
}
$config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
+
if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
$auth_realm_prompt = "pfSense Advanced Proxy";
}
$config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
+
if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
$auth_cache_ttl = "60";
}
$config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
$config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
+
unset($auth_realm_prompt);
unset($auth_processes);
- unset($auth_cache_ttl);
-
+ unset($auth_cache_ttl);
+
break;
case "radius_auth";
$config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
@@ -291,62 +291,62 @@ function global_write_squid_config()
$auth_processes = "5";
}
$config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
+
if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
$auth_realm_prompt = "pfSense Advanced Proxy";
}
$config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
+
if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
$auth_cache_ttl = "60";
- }
+ }
$config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
- $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
unset($auth_realm_prompt);
unset($auth_processes);
unset($auth_cache_ttl);
-
+
break;
case "ldap_bind";
- $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
$config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
$config_array[] = ' -b "' . $ldap_basedn . '"';
$config_array[] = ' -D "' . $bind_dn_username . '"';
$config_array[] = " -w " . $bind_dn_password;
$config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
$config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n";
-
+
if (!isset($auth_processes) or ($auth_processes == "")) {
$auth_processes = "5";
}
$config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
-
+
if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
$auth_realm_prompt = "pfSense Advanced Proxy";
}
$config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
-
+
if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
$auth_cache_ttl = "60";
}
- $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
$config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
-
+
unset($auth_realm_prompt);
unset($auth_processes);
unset($auth_cache_ttl);
-
+
break;
case "windows_auth";
break;
}
-
+
if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
}
-
+
$binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
$throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
@@ -359,14 +359,14 @@ function global_write_squid_config()
unset($throttle_binary_files);
unset($throttle_out);
unset($binary_out);
-
+
if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
}
-
+
$cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
-
+
$throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
fwrite($throttle_out, $cd_out);
fclose($throttle_out);
@@ -379,41 +379,41 @@ function global_write_squid_config()
unset($throttle_cd_images);
unset($throttle_out);
unset($cd_out);
-
+
if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
if (!file_exists($acldir)) {
- mwexec("/bin/mkdir -p " . $acldir);
+ mwexec("/bin/mkdir -p " . $acldir);
}
-
- $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
-
+
+ $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
+
$throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
fwrite($throttle_out, $multimedia_out);
fclose($throttle_out);
$config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
} else {
if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
- unlink($acldir . "/dst_throttle_multimedia.acl");
+ unlink($acldir . "/dst_throttle_multimedia.acl");
}
- }
+ }
unset($throttle_multimedia);
unset($multimedia_out);
unset($throttle_out);
-
+
$config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
-
+
/* obtain interface subnet and address for Squid rules */
$lactive_interface = strtolower($active_interface);
-
+
$lancfg = $config['interfaces'][$lactive_interface];
$lanif = $lancfg['if'];
$lanip = $lancfg['ipaddr'];
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
- $lansn = $lancfg['subnet'];
+ $lansn = $lancfg['subnet'];
$config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
$config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
- $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
+ $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
$config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
$config_array[] = 'acl Safe_ports port 80 # http' . "\n";
$config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
@@ -426,7 +426,7 @@ function global_write_squid_config()
$config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
$config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
$config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
-
+
/* allow access through proxy for custom admin port */
$custom_port = $config['system']['webgui']['port'];
if (isset($custom_port) && ($custom_port !== "")) {
@@ -447,78 +447,78 @@ function global_write_squid_config()
}
unset($admin_protocol);
}
-
+
/* define override hosts as specified in squid_nac.xml */
if (isset($override_hosts) && ($override_hosts !== "")) {
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
}
-
+
$aclout = fopen($acldir . "/src_override_hosts.acl", "w");
-
+
$override_hosts_array = split("; ", $override_hosts);
foreach ($override_hosts_array as $ind_override_host) {
fwrite($aclout, $ind_override_host . "\n");
}
-
+
fclose($aclout);
-
+
$config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
- }
+ }
/* clear variables */
unset($override_hosts_array);
unset($ind_override_host);
unset($override_hosts);
-
+
/* define subnets allowed to utilize proxy service */
if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
mwexec("touch {$acldir}/src_subnets.acl");
}
-
+
$aclout = fopen($acldir . "/src_subnets.acl","w");
-
+
$allowed_subnets_array = split("; ",$allowed_subnets);
foreach ($allowed_subnets_array as $ind_allowed_subnets) {
fwrite($aclout, $ind_allowed_subnets . "\n");
}
-
- fclose($aclout);
+
+ fclose($aclout);
} else {
-
+
$aclout = fopen($acldir . "/src_subnets.acl","w");
fwrite($aclout, $lansa . "/" . $lansn . "\n");
fclose($aclout);
}
-
+
$config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
-
+
unset($allowed_subnets_array);
unset($ind_allowed_subnets);
unset($allowed_subnets);
-
+
/* define ip addresses that have 'unrestricted' access */
if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
}
-
+
$aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
-
+
$unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
fwrite($aclout, $ind_unrestricted_ip . "\n");
}
-
+
fclose($aclout);
-
+
$config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
}
unset($unrestricted_ip_array);
unset($unrestricted_ip_addr);
unset($ind_unrestricted_ip);
-
+
/* define mac addresses that have 'unrestricted' access */
if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
if (!file_exists($acldir)) {
@@ -526,20 +526,20 @@ function global_write_squid_config()
}
$aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
-
+
$unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
fwrite($aclout, $ind_unrestricted_mac . "\n");
}
-
+
fclose($aclout);
-
+
$config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n";
}
unset($unrestricted_mac_array);
unset($unrestricted_mac_addr);
unset($ind_unrestricted_mac);
-
+
/* define ip addresses that are banned from using the proxy service */
if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
if (!file_exists($acldir)) {
@@ -547,54 +547,54 @@ function global_write_squid_config()
}
$aclout = fopen($acldir . "/src_banned_ip.acl","w");
-
+
$banned_ip_array = split("; ",$banned_ip_addr);
foreach ($banned_ip_array as $ind_banned_ip) {
fwrite($aclout, $ind_banned_ip . "\n");
}
-
+
fclose($aclout);
-
+
$config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
}
unset($banned_ip_addr);
unset($banned_ip_addr);
unset($ind_banned_ip);
-
+
/* define mac addresses that are banned from using the proxy service */
if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
if (!file_exists($acldir)) {
mwexec("/bin/mkdir -p " . $acldir);
}
-
+
$aclout = fopen($acldir . "/src_banned_mac.acl","w");
-
+
$banned_mac_array = split("; ",$banned_mac_addr);
foreach ($banned_mac_array as $ind_banned_mac) {
fwrite($aclout, $ind_banned_mac . "\n");
}
-
+
fclose($aclout);
-
+
$config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
}
unset($banned_mac_array);
unset($banned_mac_addr);
unset($ind_banned_mac);
-
+
$config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
$config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
-
+
if (isset($auth_method) && ($auth_method == "none")) {
$config_array[] = 'http_access allow localnet' . "\n";
}
$config_array[] = 'http_access allow localhost' . "\n";
-
+
if (isset($override_hosts) && ($override_hosts !== "")) {
$config_array[] = 'http_access allow override_hosts' . "\n";
}
$config_array[] = "\n";
-
+
switch ($config['system']['webgui']['protocol']) {
case "http":
$config_array[] = 'http_access allow pf_ips' . "\n";
@@ -607,29 +607,29 @@ function global_write_squid_config()
$config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
break;
}
-
+
$config_array[] = 'http_access deny !Safe_ports' . "\n";
$config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
-
+
if (isset($auth_method) && ($auth_method != "none")) {
$config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
}
-
+
$config_array[] = 'http_access deny all' . "\n\n";
-
+
if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
$config_array[] = 'delay_pools 1' . "\n";
$config_array[] = 'delay_class 1 3' . "\n";
-
+
if ($dl_overall == "unlimited") {
$config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
} else {
$config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
}
-
- /* if no unrestricted ip addresses are defined; this line is ignored */
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
+
/* this will define bandwidth delay restrictions for specified throttles */
if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
$config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
@@ -641,24 +641,24 @@ function global_write_squid_config()
$config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
} else {
$config_array[] = 'delay_access 1 allow all' . "\n";
- }
+ }
$config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
}
-
+
if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
$config_array[] = 'delay_pools 1' . "\n";
$config_array[] = 'delay_class 1 3' . "\n";
-
+
if ($dl_per_host == "unlimited") {
$config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
} else {
$config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
}
- /* if no unrestricted ip addresses are defined; this line is ignored */
+ /* if no unrestricted ip addresses are defined; this line is ignored */
if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
-
- /* this will define bandwidth delay restrictions for specified throttles */
+
+ /* this will define bandwidth delay restrictions for specified throttles */
if ($throttle_binary_files == "on") {
$config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
}
@@ -672,12 +672,12 @@ function global_write_squid_config()
}
$config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
}
-
+
if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
/* if no bandwidth restrictions are specified, then these parameters are not necessary */
- if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
- if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
+ if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
$config_array[] = 'delay_pools 1' . "\n";
$config_array[] = 'delay_class 1 3' . "\n";
$config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n";
@@ -687,9 +687,9 @@ function global_write_squid_config()
$config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
}
}
-
+
if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
-
+
/* if no unrestricted ip addresses are defined; this line is ignored */
if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
@@ -711,94 +711,94 @@ function global_write_squid_config()
$config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
$config_array[] = 'header_access Via deny all' . "\n\n";
-
+
/* TODO: acl customization for snmp support */
/* fwrite($fout, "\n"); */
if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
$config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
$config_array[] = 'redirect_children 5' . "\n\n";
- }
-
+ }
+
if (isset($max_upload_size) && ($max_upload_size != "")) {
$config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
}
-
+
if (isset($max_download_size) && ($max_download_size != "")) {
if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n";
/* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
$config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
}
-
+
/* set default value for maximum_object_size */
if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
$maximum_object_size = "4096";
}
-
+
/* set default value for minimum_object_size */
if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
$minimum_object_size = "0";
}
$config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
$config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
-
+
if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
$config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
$config_array[] = 'never_direct allow all' . "\n";
- }
+ }
unset($proxy_forwarding);
-
-
- /* define default ruleset for transparent proxy operation */
+
+
+ /* define default ruleset for transparent proxy operation */
if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
$config_array[] = 'httpd_accel_host virtual' . "\n";
$config_array[] = 'httpd_accel_port 80' . "\n";
$config_array[] = 'httpd_accel_with_proxy on' . "\n";
- $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
+ $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
}
- unset($transparent_proxy);
+ unset($transparent_proxy);
+
-
/* define visible hostname */
if (isset($visible_hostname) && ($visible_hostname !== "")) {
$config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
- }
+ }
unset($visible_hostname);
-
+
/* define cache administrators email address within error messages */
if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
$config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n";
- }
+ }
unset($cache_admin_email);
-
+
/* write configuration file */
- foreach ($config_array as $config_item)
- {
+ foreach ($config_array as $config_item)
+ {
fwrite($fout, trim($config_item));
-
- if (stristr($config_item, "\n"))
- {
- for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
+
+ if (stristr($config_item, "\n"))
+ {
+ for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
{
fwrite($fout, "\n");
}
}
-
+
}
fclose($fout);
-
+
conf_mount_ro();
config_unlock();
-
+
touch($squidconfig);
} /* end function write_squid_config */
function custom_php_install_command() {
/* write initial static config for transparent proxy */
- write_static_squid_config();
-
+ write_static_squid_config();
+
touch("/tmp/custom_php_install_command");
-
+
/* make sure this all exists, see:
* http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
*/
@@ -818,8 +818,8 @@ function custom_php_install_command() {
mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
-
-
+
+
/* set a few extra items noted by regan */
update_output_window("Creating logs and setting user information...");
$fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w");
@@ -840,13 +840,9 @@ function custom_php_install_command() {
fclose($fdsquid);
mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh");
mwexec("/usr/local/etc/rc.d/aSquid.sh");
-
+
update_output_window("Creating Proxy Server initialization scripts...");
- $start = <<<EOD
-touch /tmp/ro_root_mount
-/usr/local/sbin/squid -D
-touch /tmp/filter_dirty
-EOD;
+ $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty";
$stop = "/usr/local/sbin/squid -k shutdown";
write_rcfile(array(
"file" => "squid.sh",
@@ -854,52 +850,52 @@ EOD;
"stop" => $stop
)
);
-
+
mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
-
+
/* create log directory hierarchies if they don't exist */
update_output_window("Creating required directory hierarchies...");
-
+
if (!file_exists("/var/squid/logs")) {
mwexec("mkdir -p /var/squid/logs");
}
mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
-
-
+
+
if (!file_exists("/var/squid/cache")) {
mwexec("mkdir -p /var/squid/cache");
}
mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
-
+
if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
-
+
if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
-
+
if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
}
- mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
-
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
+
if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
-
+
$devfs_file = fopen("/etc/devfs.conf", "a");
fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
fwrite($devfs_file, "own pf root:squid");
- fwrite($devfs_file, "perm pf 0640");
+ fwrite($devfs_file, "perm pf 0640");
fclose($devfs_file);
-
+
update_output_window("Initializing Cache... This may take a moment...");
mwexec("/usr/local/sbin/squid -z");
-
+
update_output_window("Starting Proxy Server...");
start_service("squid");
}
@@ -910,7 +906,7 @@ function custom_php_deinstall_command() {
sleep(1);
/* brute force any remaining squid processes out */
mwexec("/usr/bin/killall squid");
- mwexec("/usr/bin/killall pinger");
+ mwexec("/usr/bin/killall pinger");
update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain...");
mwexec("rm -rf /var/squid/cache");
update_output_window("Removing configuration files...");
@@ -930,52 +926,52 @@ function write_static_squid_config() {
$lanip = $lancfg['ipaddr'];
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
$lansn = $lancfg['subnet'];
-
+
$fout = fopen("/usr/local/etc/squid/squid.conf","w");
fwrite($fout, "#\n");
fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
fwrite($fout, "#\n");
-
+
/* set # of dns children */
- fwrite($fout, "dns_children 15\n");
-
- fwrite($fout, "shutdown_lifetime 5 seconds\n");
+ fwrite($fout, "dns_children 15\n");
+
+ fwrite($fout, "shutdown_lifetime 5 seconds\n");
fwrite($fout, "icp_port 0\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
fwrite($fout, "no_cache deny QUERY\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "pid_filename /var/run/squid.pid\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "cache_mem 24 MB\n");
fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "memory_replacement_policy heap GDSF\n");
fwrite($fout, "cache_replacement_policy heap GDSF\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "cache_access_log none\n");
fwrite($fout, "cache_log none\n");
fwrite($fout, "cache_store_log none\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "log_mime_hdrs off\n");
fwrite($fout, "emulate_httpd_log on\n");
fwrite($fout, "forwarded_for off\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
fwrite($fout, "\n");
-
- fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
+
+ fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
@@ -991,52 +987,52 @@ function write_static_squid_config() {
fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "acl CONNECT method CONNECT\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "#access to squid; local machine; no restrictions\n");
fwrite($fout, "http_access allow localnet\n");
fwrite($fout, "http_access allow localhost\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "#Deny non web services\n");
fwrite($fout, "http_access deny !Safe_ports\n");
fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "#Set custom configured ACLs\n");
fwrite($fout, "http_access deny all\n");
fwrite($fout, "visible_hostname pfSense\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "cache_effective_user squid\n");
fwrite($fout, "cache_effective_group squid\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "maximum_object_size 4096 KB\n");
fwrite($fout, "minimum_object_size 0 KB\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "request_body_max_size 0 KB\n");
fwrite($fout, "reply_body_max_size 0 allow all\n");
fwrite($fout, "\n");
-
+
fwrite($fout, "httpd_accel_host virtual\n");
fwrite($fout, "httpd_accel_port 80\n");
fwrite($fout, "httpd_accel_with_proxy on\n");
- fwrite($fout, "httpd_accel_uses_host_header on\n");
-
- fclose($fout);
+ fwrite($fout, "httpd_accel_uses_host_header on\n");
+
+ fclose($fout);
}
function mod_htpasswd() {
global $config;
conf_mount_rw();
config_lock();
-
+
if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
-
+
$passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+");
if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") {
@@ -1045,25 +1041,25 @@ function mod_htpasswd() {
fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n");
}
}
-
+
fclose($passfile);
-
+
conf_mount_ro();
- config_unlock();
+ config_unlock();
}
function generate_htpasswd($username, $password) {
- $all = explode( " ",
+ $all = explode( " ",
"a b c d e f g h i j k l m n o p q r s t u v w x y z "
. "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z "
- . "0 1 2 3 4 5 6 7 8 9");
-
+ . "0 1 2 3 4 5 6 7 8 9");
+
for ($i = 0; $i < 9; $i++) {
- srand((double)microtime()*1000000);
+ srand((double)microtime()*1000000);
$randy = rand(0,61);
$seed .= $all[$randy];
}
-
+
$crypt = crypt($password, "$1$$seed");
return $crypt;
}