-rw-r--r-- | config/freeradius2/freeradius.inc | 117 | ||||
-rw-r--r-- | config/freeradius2/freeradius.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradius_view_config.php | 2 | ||||
-rw-r--r-- | config/freeradius2/freeradiusauthorizedmacs.xml | 2 | ||||
-rw-r--r-- | config/freeradius2/freeradiuscerts.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusclients.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiuseapconf.xml | 2 | ||||
-rw-r--r-- | config/freeradius2/freeradiusinterfaces.xml | 4 | ||||
-rw-r--r-- | config/freeradius2/freeradiusmodulesldap.xml | 6 | ||||
-rw-r--r-- | config/freeradius2/freeradiussettings.xml | 6 | ||||
-rw-r--r-- | config/freeradius2/freeradiussqlconf.xml | 6 | ||||
-rw-r--r-- | config/freeradius2/freeradiussync.xml | 28 | ||||
-rwxr-xr-x | config/squid3/33/squid.inc | 112 | ||||
-rw-r--r-- | config/squid3/33/squid.xml | 25 | ||||
-rwxr-xr-x | config/squid3/33/squid_cache.xml | 11 | ||||
-rw-r--r-- | config/squidGuard/squidguard.inc | 7 | ||||
-rw-r--r-- | pkg_config.8.xml | 9 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 9 |
18 files changed, 224 insertions, 134 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index eecfec84..b2df3d0b 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -4,7 +4,7 @@ /* freeradius.inc part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> Copyright (C) 2013 Marcello Coutinho All rights reserved. 
@@ -2521,52 +2521,75 @@ conf_mount_ro(); /* Uses XMLRPC to synchronize the changes to a remote node */ function freeradius_sync_on_changes() { global $config, $g; - $varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc']; - $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; - - // if checkbox is NOT checked do nothing - if(!$varsyncenablexmlrpc) { + if (is_array($config['installedpackages']['freeradiussync'])){ + $synconchanges = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc']; + $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; + } + else + { return; } - - log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds."); - - // if checkbox is checked get IP and password of the destination hosts - foreach ($config['installedpackages']['freeradiussync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - // if checkbox is NOT checked do nothing - if($sh['varsyncdestinenable']) { - $varsyncprotocol = $sh['varsyncprotocol']; - $sync_to_ip = $sh['varsyncipaddress']; - $password = $sh['varsyncpassword']; - $varsyncport = $sh['varsyncport']; - // check if all credentials are complete for this host - if($password && $sync_to_ip && $varsyncport && $varsyncprotocol) { - freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol); + + // if checkbox is NOT checked do nothing + switch ($synconchanges){ + case "manual": + if (is_array($config['installedpackages']['freeradiussync']['config'][0]['row'])){ + $rs=$config['installedpackages']['freeradiussync']['config'][0]['row']; + } + else{ + log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no hosts to push on FreeRADIUS config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && 
is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncdestinenable']="on"; + $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https"); + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443"); + if (! is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config."); + return; + } + } + else{ + log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[FreeRADIUS]: xmlrpc sync is starting with timeout {$varsynctimeout} seconds."); + foreach($rs as $sh){ + if($sh['varsyncdestinenable']){ + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + if($password && $sync_to_ip) + freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout); + else + log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!"); } else { - log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. 
No XMLRPC Sync done!"); + log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); } } - else { - log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + log_error("[FreeRADIUS]: xmlrpc sync is ending."); } - } - } - log_error("FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync)."); } /* Do the actual XMLRPC sync */ -function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol) { +function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) { global $config, $g; - $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout']; - - if($varsynctimeout == '' || $varsynctimeout == 0) { + if($varsynctimeout == '' || $varsynctimeout == 0) $varsynctimeout = 150; - } - - // log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds."); if(!$password) return; @@ -2600,7 +2623,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn /* set a few variables needed for sync code borrowed from filter.inc */ $url = $synchronizetoip; - log_error("FreeRADIUS: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}."); + log_error("[FreeRADIUS]: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); 
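Review bot: The manual branch's guard `if($password && $sync_to_ip)` drops the `$varsyncport && $varsyncprotocol` part of the removed condition, so a row with a blank port or protocol is now handed to freeradius_do_xmlrpc_sync() instead of being logged as incomplete; restore `if($password && $sync_to_ip && $varsyncport && $varsyncprotocol)` unless the callee is known to default both (its body continues outside this hunk). Because varsyncenablexmlrpc changed from a checkbox to a select, an upgraded install that stored `on` lands in the `default:` case and stops syncing with no log line at all — mapping `on` to `manual` there, or at least logging the unexpected value, would make that visible. The `break;` after `return;` in `default:` is unreachable and can be removed. In the auto branch the row is populated from `$system_carp` before `is_ipaddr()` is checked; testing the address first keeps `$rs` unset on the failure path, and since this branch reuses the CARP sync admin password, forcing `https` rather than inheriting `$config['system']['webgui']['protocol']` would avoid sending that credential in clear when the webGUI runs on http.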
@@ -2611,22 +2634,22 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn $resp = $cli->send($msg, $varsynctimeout); if(!$resp) { $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}."; - log_error("FreeRADIUS: $error"); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + log_error("[FreeRADIUS]: $error"); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error("FreeRADIUS: $error"); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + log_error("[FreeRADIUS]: $error"); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } else { - log_error("FreeRADIUS: XMLRPC has synced data successfully with {$url}:{$port}."); + log_error("[FreeRADIUS]: XMLRPC has synced data successfully with {$url}:{$port}."); } - /* tell freeradius to reload our settings on the destionation sync host. */ + /* tell FreeRADIUS to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/freeradius.inc');\n"; - // pfblocker just needed one fuction to reload after XMLRPC. freeRADIUS needs more so we point to a fuction below which contains all fuctions + // pfblocker just needed one fuction to reload after XMLRPC. FreeRADIUS needs more so we point to a fuction below which contains all fuctions $execcmd .= "freeradius_all_after_XMLRPC_resync();"; /* assemble xmlrpc payload */ 
@@ -2635,7 +2658,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn XML_RPC_encode($execcmd) ); - log_error("FreeRADIUS XMLRPC is reloading data on {$url}:{$port}."); + log_error("[FreeRADIUS]: XMLRPC is reloading data on {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials('admin', $password); @@ -2643,21 +2666,19 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn if(!$resp) { $error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; log_error($error); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $varsynctimeout); $error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); - file_notice("sync_settings", $error, "freeradius Settings Sync", ""); + file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", ""); } else { - log_error("FreeRADIUS: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); + log_error("[FreeRADIUS]: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); } } -// ##### The part above is based on the code of pfblocker ##### - // This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files (clients.conf, users) // Adding more functions will increase the to sync function freeradius_all_after_XMLRPC_resync() { diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml index fdadab89..c9381c81 100644 --- a/config/freeradius2/freeradius.xml +++ b/config/freeradius2/freeradius.xml 
@@ -9,7 +9,7 @@ /* freeradius.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradius</name> - <version>2.1.12</version> + <version>2.2.0</version> <title>FreeRADIUS: Users</title> <include_file>/usr/local/pkg/freeradius.inc</include_file> <menu> diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php index a29e1a55..a1943653 100644 --- a/config/freeradius2/freeradius_view_config.php +++ b/config/freeradius2/freeradius_view_config.php @@ -2,7 +2,7 @@ /* freeradius_view_config.php part of pfSense (http://www.pfsense.com/) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> based on postfix_view_config.php based on varnish_view_config. diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml index 173f8f00..235d0218 100644 --- a/config/freeradius2/freeradiusauthorizedmacs.xml +++ b/config/freeradius2/freeradiusauthorizedmacs.xml @@ -9,7 +9,7 @@ /* freeradiusauthorizedmacs.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml index 21f18643..6108215b 100644 --- a/config/freeradius2/freeradiuscerts.xml +++ b/config/freeradius2/freeradiuscerts.xml 
@@ -9,7 +9,7 @@ /* freeradiuscerts.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -290,4 +290,4 @@ <custom_php_resync_config_command> freeradius_allcertcnf_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml index 87d8a11f..215a751e 100644 --- a/config/freeradius2/freeradiusclients.xml +++ b/config/freeradius2/freeradiusclients.xml @@ -9,7 +9,7 @@ /* freeradiusclients.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -246,4 +246,4 @@ <custom_php_resync_config_command> freeradius_clients_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml index a2dd2b99..8f8e4dc7 100644 --- a/config/freeradius2/freeradiuseapconf.xml +++ b/config/freeradius2/freeradiuseapconf.xml @@ -9,7 +9,7 @@ /* freeradiuseapconf.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> Copyright (C) 2013 Marcello Coutinho (revocation list code) All rights reserved. diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml index c944ac17..1233f72f 100644 --- a/config/freeradius2/freeradiusinterfaces.xml +++ b/config/freeradius2/freeradiusinterfaces.xml @@ -9,7 +9,7 @@ /* freeradiusinterfaces.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -185,4 +185,4 @@ <custom_php_resync_config_command> freeradius_settings_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index 0fa98493..c7b5e79d 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -9,7 +9,7 @@ /* freeradiusmodulesldap.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiusmodulesldap</name> - <version>none</version> + <version>2.2.0</version> <title>FreeRADIUS: LDAP</title> <aftersaveredirect>pkg_edit.php?xml=freeradiusmodulesldap.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> @@ -705,4 +705,4 @@ <custom_php_resync_config_command> freeradius_modulesldap_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml index 4bc98723..1d908ca4 100644 --- a/config/freeradius2/freeradiussettings.xml +++ b/config/freeradius2/freeradiussettings.xml @@ -9,7 +9,7 @@ /* freeradiussettings.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiussettings</name> - <version>none</version> + <version>2.2.0</version> <title>FreeRADIUS: Settings</title> <aftersaveredirect>pkg_edit.php?xml=freeradiussettings.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> @@ -376,4 +376,4 @@ <custom_php_resync_config_command> freeradius_settings_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml index 6851711c..bb72a07a 100644 --- a/config/freeradius2/freeradiussqlconf.xml +++ b/config/freeradius2/freeradiussqlconf.xml @@ -9,7 +9,7 @@ /* freeradiussqlconf.xml part of pfSense (http://www.pfSense.com) - Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,7 +45,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiussqlconf</name> - <version>none</version> + <version>2.2.0</version> <title>FreeRADIUS: SQL</title> <aftersaveredirect>pkg_edit.php?xml=freeradiussqlconf.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/freeradius.inc</include_file> @@ -621,4 +621,4 @@ <custom_php_resync_config_command> freeradius_sqlconf_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml index 5f1acc74..be678e5a 100644 --- a/config/freeradius2/freeradiussync.xml +++ b/config/freeradius2/freeradiussync.xml @@ -9,8 +9,8 @@ /* freeradiussync.xml part of pfSense (http://www.pfSense.com) -Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de> -Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com> +Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> +Copyright (C) 2013 Marcello Coutinho <marcellocoutinho@gmail.com> based on pfblocker_sync.xml All rights reserved. @@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE. <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>freeradiussync</name> - <version>2.1.12</version> + <version>2.2.0</version> <title>FreeRADIUS: XMLRPC Sync</title> <include_file>/usr/local/pkg/freeradius.inc</include_file> <menu> 
@@ -111,23 +111,29 @@ POSSIBILITY OF SUCH DAMAGE. </tabs> <fields> <field> - <name>freeRADIUS XMLRPC Sync</name> + <name>FreeRADIUS XMLRPC Sync</name> <type>listtopic</type> </field> <field> - <fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr> + <fielddescr>Enable Sync</fielddescr> <fieldname>varsyncenablexmlrpc</fieldname> <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> - Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.<br> - <b>Important:</b> Only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description> - <type>checkbox</type> + <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> </field> <field> - <fielddescr>XMLRPC timeout</fielddescr> + <fielddescr>XMLRPC timeout</fielddescr> <fieldname>varsynctimeout</fieldname> <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> <type>input</type> - <default_value>150</default_value> + <default_value>150</default_value> <size>5</size> </field> @@ -166,7 +172,7 @@ POSSIBILITY OF SUCH DAMAGE. <type>input</type> <size>3</size> </rowhelperfield> - <rowhelperfield> + <rowhelperfield> <fielddescr>GUI Admin Password</fielddescr> <fieldname>varsyncpassword</fieldname> <description><![CDATA[Password of the user "admin" on the destination host.]]></description> 
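Review bot: The `<description>` still says changes are "synced immediately to the IPs listed below", which is only true of the `manual` option; with `<default_value>auto</default_value>` a fresh install instead pushes to the host in the `carpsettings` `synchronizetoip` setting using the stored CARP sync password, and the text should name the destination each option uses. The loop warning likewise only covers the manual case — a sentence such as "Choose 'Do not sync' on a node that is itself a sync target" would close that gap. The varsynctimeout and rowhelperfield changes in this hunk are whitespace only.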
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 94c85a7e..8eb9f2fa 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -777,6 +777,41 @@ function squid_install_cron($should_install) { configure_cron(); } +function squid_check_ca_hashes(){ + global $config,$g; + + #check certificates + $cert_count=0; + if (is_dir(SQUID_LOCALBASE. '/share/certs')) + if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) { + while (false !== ($file = readdir($handle))) + if (preg_match ("/\d+.0/",$file)) + $cert_count++; + } + closedir($handle); + if ($cert_count < 10){ + conf_mount_rw(); + #create ca-root hashes from ca-root-nss package + log_error("Creating root certificate bundle hashes from the Mozilla Project"); + $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); + $cert=0; + foreach ($cas as $ca){ + if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) + $cert=1; + if ($cert == 1) + $crt.=$ca; + if (preg_match("/-END CERTIFICATE-/",$ca)){ + file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); + $cert_hash=array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); + file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); + $crt=""; + $cert=0; + } + } + } +} + function squid_resync_general() { global $g, $config, $valid_acls; @@ -785,11 +820,11 @@ function squid_resync_general() { else $settings=array(); $conf = "# This file is automatically generated by pfSense\n"; - $conf .= "# Do not edit manually !\n"; + $conf .= "# Do not edit manually !\n\n"; #Check ssl interception - $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); if (($settings['ssl_proxy'] == 'on')) { - $srv_cert = lookup_cert($settings["dcert"]); + squid_check_ca_hashes(); + $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { if(base64_decode($srv_cert['prv'])) { #check if ssl_db was initilized by squid 
@@ -801,17 +836,23 @@ function squid_resync_general() { } #force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); + # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext $crt_pk=SQUID_CONFBASE."/serverkey.pem"; + $crt_capath=SQUID_LOCALBASE."/share/certs/"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); - - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n"; - $interception_checks=""; + $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); + $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; + $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; + $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; + $interception_checks .= "sslproxy_capath {$crt_capath}\n"; if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; - if ($settings["interception_adapt"] != "") - $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n"; + if ($settings["interception_adapt"] != ""){ + foreach (explode(",",$settings["interception_adapt"]) as $adapt) + $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; + } } } } 
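Review bot: The new `foreach (explode(",",$settings["interception_adapt"]) as $adapt)` emits one `sslproxy_cert_adapt {$adapt} all` line per element, so a trailing comma or an empty element in the stored value produces `sslproxy_cert_adapt  all`, which squid rejects; iterate over `array_filter(array_map('trim', explode(",", $settings["interception_adapt"])))` instead. `dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB` does arithmetic on the raw settings string — a non-numeric value becomes 0MB — and `$sslcrtd_children= ($settings['sslcrtd_children'] ? ... : 5)` only catches empty, so `(int)` the value and fall back to 5 when it is not positive. The `capath`/`sslproxy_capath` lines depend on squid_check_ca_hashes() having populated that directory; since that function has a path mismatch in its directory scan, the bundle may be rebuilt on every resync. squid_resync_general() starts and ends outside this hunk.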
@@ -887,7 +928,7 @@ function squid_resync_general() { $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); - $conf .= <<<EOD + $conf .= <<< EOD icp_port {$icp_port} dns_v4_first {$dns_v4_first} pid_filename {$pidfile} @@ -900,7 +941,6 @@ cache_mgr {$email} access_log {$logdir_access} cache_log {$logdir_cache} cache_store_log none -sslcrtd_children {$sslcrtd_children} {$interception_checks} EOD; @@ -912,7 +952,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; $conf .= "logfile_rotate {$rotate}\n"; squid_install_cron(true); - $conf .= <<<EOD + $conf .= <<< EOD shutdown_lifetime 3 seconds EOD; @@ -987,7 +1027,7 @@ if(empty($settings['cache_dynamic_content'])){ } else{ if(preg_match('/youtube/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -998,7 +1038,7 @@ cache allow youtube EOC; } if(preg_match('/windows/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Windows Update refresh_pattern range_offset_limit -1 @@ -1010,7 +1050,7 @@ EOC; } if(preg_match('/symantec/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Symantec refresh_pattern range_offset_limit -1 @@ -1020,7 +1060,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re EOC; } if(preg_match('/avast/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Avast refresh_pattern range_offset_limit -1 @@ -1029,7 +1069,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i EOC; } if(preg_match('/avira/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Avira refresh_pattern range_offset_limit -1 
@@ -1037,18 +1077,22 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43 EOC; } - $refresh_conf=<<<EOC + $refresh_conf=<<< EOC # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 + EOC; - } + + If ($settings['custom_refresh_patterns'] !="") + $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; + + $conf .= <<< EOD - $conf .= <<<EOD cache_mem $memory_cache_size MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} @@ -1067,11 +1111,12 @@ EOD; if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; - $conf .= 'cache deny donotcache'; + $conf .= "cache deny donotcache\n"; } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } + $conf .= "cache allow all\n"; return $conf.$refresh_conf; } @@ -1133,7 +1178,7 @@ function squid_resync_nac() { $addtl_sslports = $settings['addtl_sslports']; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); - $conf = <<<EOD + $conf = <<< EOD # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. @@ -1152,7 +1197,6 @@ acl connect method CONNECT acl HTTP proto HTTP acl HTTPS proto HTTPS - EOD; $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); @@ -1187,7 +1231,7 @@ EOD; } } - $conf .= <<<EOD + $conf .= <<< EOD http_access allow manager localhost EOD; 
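Review bot: The `-	}` removed after the `$refresh_conf` heredoc was the brace closing the `else{` opened at `if(empty($settings['cache_dynamic_content'])){ } else{`, and no replacement brace appears in the hunk; unless one is added outside the visible context, the else block now runs to the function's closing brace and the file will not parse — worth a `php -l` before merging. `If ($settings['custom_refresh_patterns'] !="")` works only because PHP keywords are case-insensitive; write it `if (...)`. The intent from the squid_cache.xml description is that custom patterns apply only when dynamic cache is enabled, so if the brace is restored above this new code the custom patterns would need to move inside the else block to match. squid_resync_general() starts and ends outside this hunk.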
@@ -1204,7 +1248,7 @@ EOD; } } - $conf .= <<<EOD + $conf .= <<< EOD http_access deny manager http_access allow purge localhost @@ -1262,7 +1306,7 @@ function squid_resync_antivirus(){ $clwarn="clwarn.cgi.pt_BR"; copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi"); - $conf = <<<EOF + $conf = <<< EOF icap_enable on icap_send_client_ip {$icap_send_client_ip} icap_send_client_username {$icap_send_client_username} @@ -1412,7 +1456,7 @@ function squid_resync_traffic() { $perhost = -1; else $perhost *= 1024; - $conf .= <<<EOD + $conf .= <<< EOD delay_pools 1 delay_class 1 2 delay_parameters 1 $overall/$overall $perhost/$perhost 
@@ -1608,23 +1652,23 @@ function squid_resync_auth() { $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; break; case 'ldap': $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; break; case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . 
"/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } - $conf .= <<<EOD + $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt auth_param basic credentialsttl $auth_ttl minutes @@ -1650,7 +1694,7 @@ EOD; // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) - $conf .="http_access deny passowrd sglog\n"; + $conf .="http_access deny password sglog\n"; // Allow the other ACLs as long as they authenticate foreach ($password as $acl) @@ -1788,7 +1832,7 @@ function squid_print_javascript_auth() { // No authentication for transparent proxy if ($transparent_proxy) { - $javascript = <<<EOD + $javascript = <<< EOD <script language="JavaScript"> <!-- function on_auth_method_changed() { @@ -1816,7 +1860,7 @@ function on_auth_method_changed() { EOD; } else { - $javascript = <<<EOD + $javascript = <<< EOD <script language="JavaScript"> <!-- function on_auth_method_changed() { diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index 25c1b212..d64aabb9 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -370,12 +370,13 @@ <default_value>3129</default_value> </field> <field> - <fielddescr>Cert</fielddescr> - <fieldname>dcert</fieldname> - <description><![CDATA[Select Certificate to use in SSL interception<br> - To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description> + <fielddescr>CA</fielddescr> + <fieldname>dca</fieldname> + <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br> + To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br> + Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description> <type>select_source</type> - <source><![CDATA[$config['cert']]]></source> + <source><![CDATA[$config['ca']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> </field> 
@@ -401,11 +402,17 @@ <size>3</size> </field> <field> - <fielddescr>sslcrtd adapt</fielddescr> + <fielddescr>Certificate adapt</fielddescr> <fieldname>interception_adapt</fieldname> - <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> - <type>input</type> - <size>70</size> + <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> + <type>select</type> + <options> + <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option> + <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option> + <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option> + </options> + <multiple/> + <size>3</size> </field> <field> <name>Logging Settings</name> diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml index 9d982dcb..26d6463c 100755 --- a/config/squid3/33/squid_cache.xml +++ b/config/squid3/33/squid_cache.xml 
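Review bot: The `interception_adapt` description still says these options "Pass original SSL server certificate information to the user", but the squid `sslproxy_cert_adapt` documentation describes `setValidAfter`/`setValidBefore` as replacing the property with the value from the signing CA certificate and `setCommonName` as overriding the CN, i.e. they hide the origin certificate's state rather than pass it through; the option labels also stop short of saying what the property is set to. I would reword the labels to `Replace "Not After" with the CA's value (setValidAfter)`, `Replace "Not Before" with the CA's value (setValidBefore)` and `Replace the subject CN (setCommonName)`, and change the description to say the adaptations suppress origin-certificate warnings. The old free-text field carried an ACL qualifier (`setCommonName ssl::certDomainMismatch`); the new select has none, and whether the generating code adds one is not visible in this hunk, so if it does not, selecting an option applies it to every generated certificate and masks mismatches globally.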
@@ -284,7 +284,16 @@ </options> <multiple/> <size>06</size> - </field> + </field> + <field> + <fielddescr>Custom refresh_patterns</fielddescr> + <fieldname>custom_refresh_patterns</fieldname> + <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description> + <type>textarea</type> + <cols>67</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> </fields> <custom_php_command_before_form> if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc index f3126649..1ea1b5a5 100644 --- a/config/squidGuard/squidguard.inc +++ b/config/squidGuard/squidguard.inc @@ -645,10 +645,11 @@ function squidguard_before_form_dest($pkg) { $i=0; foreach($pkg['fields']['field'] as $field) { # order - if (is_array($destination_items) && $field['fieldname'] == 'order') { + if ($field['fieldname'] == 'order') { $fld = &$pkg['fields']['field'][$i]; - foreach($destination_items as $nmkey => $nm) - $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey); + if (is_array($destination_items)) + foreach($destination_items as $nmkey => $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey); $fld['options']['option'][] = array('name'=>'--- Last ---', 'value'=>'9999'); $fld['options']['option'][] = array('name'=>'-----', 'value'=>''); # ! this is must be last ! } diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 5e804019..48acfbb5 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml 
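Review bot: `custom_refresh_patterns` accepts free text that, per its own description, is copied into squid.conf, and the description does not mention that `refresh_pattern` options such as `ignore-private`, `ignore-no-store`, `ignore-auth` or `override-expire` can cause authenticated or per-user responses to be cached and served to other clients; the operator should be told that before pasting patterns from forum posts. I would change the text to `Enter custom refresh_pattern lines for dynamic content caching. These lines are written into squid.conf only when dynamic cache is enabled. Options like ignore-private, ignore-no-store and ignore-auth can expose one user's cached responses to others; use them only for known-safe URL patterns.`, which also fixes "This options will be". Where the value is emitted is not visible here; if it is written verbatim, the emitting code should at least drop lines that do not start with `refresh_pattern` so the field cannot introduce arbitrary directives.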
@@ -1101,7 +1101,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]></descr> <pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink> <category>System</category> - <version>2.1.12_1/2.2.0 pkg v1.6.7</version> + <version>2.1.12_1/2.2.0 pkg v1.6.7_2</version> <status>RC1</status> <required_version>2.0</required_version> <maintainer>nachtfalkeaw@web.de</maintainer> @@ -1272,7 +1272,7 @@ <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>3.3.4 pkg 2.1</version> + <version>3.3.4 pkg 2.1.2</version> <status>beta</status> <required_version>2.0</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> @@ -1280,10 +1280,11 @@ <depends_on_package>squid-3.3.4.tbz</depends_on_package> <depends_on_package>libltdl-2.4.2.tbz</depends_on_package> <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> <build_pbi> <ports_before>www/libwww</ports_before> <port>www/squid33</port> - <ports_after>www/squid_radius_auth security/clamav www/squidclamav</ports_after> + <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss</ports_after> </build_pbi> <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> <config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file> 
@@ -1352,7 +1353,7 @@ <website>http://www.squidGuard.org/</website> <maintainer>dv_serg@mail.ru</maintainer> <category>Network Management</category> - <version>1.4_4 pkg v.1.9.3</version> + <version>1.4_4 pkg v.1.9.4</version> <status>Beta</status> <required_version>1.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/8/All/</depends_on_package_base_url> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index d12d782d..459581fa 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -1088,7 +1088,7 @@ On pfSense docs there is a how-to which could help you on porting users.]]></descr> <pkginfolink>http://doc.pfsense.org/index.php/FreeRADIUS_2.x_package</pkginfolink> <category>System</category> - <version>2.1.12_1/2.2.0 pkg v1.6.7</version> + <version>2.1.12_1/2.2.0 pkg v1.6.7_2</version> <status>RC1</status> <required_version>2.0</required_version> <maintainer>nachtfalkeaw@web.de</maintainer> @@ -1259,7 +1259,7 @@ <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>3.3.4 pkg 2.1</version> + <version>3.3.4 pkg 2.1.2</version> <status>beta</status> <required_version>2.0</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> 
@@ -1267,10 +1267,11 @@ <depends_on_package>squid-3.3.4.tbz</depends_on_package> <depends_on_package>libltdl-2.4.2.tbz</depends_on_package> <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> <build_pbi> <ports_before>www/libwww</ports_before> <port>www/squid33</port> - <ports_after>www/squid_radius_auth security/clamav www/squidclamav</ports_after> + <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss</ports_after> </build_pbi> <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI ECAP SNMP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> <config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file> @@ -1339,7 +1340,7 @@ <website>http://www.squidGuard.org/</website> <maintainer>dv_serg@mail.ru</maintainer> <category>Network Management</category> - <version>1.4_4 pkg v.1.9.3</version> + <version>1.4_4 pkg v.1.9.4</version> <status>Beta</status> <required_version>1.1</required_version> <depends_on_package_base_url>http://files.pfsense.org/packages/amd64/8/All/</depends_on_package_base_url> |