-rw-r--r-- | packages/squid_cache.xml | 31 | ||||
-rw-r--r-- | packages/squid_nac.xml | 108 | ||||
-rw-r--r-- | packages/squid_ng.inc | 552 | ||||
-rw-r--r-- | packages/squid_ng.xml | 386 | ||||
-rw-r--r-- | packages/squid_traffic.xml | 24 | ||||
-rw-r--r-- | packages/squid_upstream.xml | 28 |
6 files changed, 711 insertions, 418 deletions
diff --git a/packages/squid_cache.xml b/packages/squid_cache.xml index 60445a6a..8741f319 100644 --- a/packages/squid_cache.xml +++ b/packages/squid_cache.xml @@ -1,14 +1,10 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> - <info> - <name>squidcache</name> - </info> - - <files></files> - <menus></menus> - - <configpath>['installedpackages']['package']['squidcache']['configuration']['settings']</configpath> + <name>squidcache</name> + <title>Services: Squid Advanced Proxy</title> + <configpath>installedpackages->package->squidcache->configuration->settings</configpath> + <aftersaveredirect>/pkg_edit.php?xml=squid_cache.xml&id=0</aftersaveredirect> <tabs> @@ -40,12 +36,12 @@ <!-- <tab> <text>Authentication Settings</text> - <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + <url>/pkg_edit.php?xml=squidauth.xml&id=0</url> </tab> <tab> <text>Users</text> - <url>/pkg_edit.php?xml=squid_users.xml&id=0</url> + <url>/pkg_edit.php?xml=squidusers.xml&id=0</url> </tab> --> </tabs> @@ -54,7 +50,7 @@ <field> <fielddescr>Memory Cache Size (MB)</fielddescr> <fieldname>memory_cache_size</fieldname> - <description>This is the amount of physical RAM to be used for negative cache and in-transit objects. This value should not exceed more than 50% of installed RAM. The minimum value is 1MB; the default is 2MB</description> + <description>This is the amount of physical RAM to be used for negative cache and in-transit objects. This value should not exceed more than 50% of installed RAM. The minimum value is 1MB; the default is 8MB</description> <size>4</size> <type>input</type> <validation>number</validation> 
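Review bot: The new `<aftersaveredirect>` in the first hunk puts a bare `&` in element text (`...squid_cache.xml&id=0`), which a conforming XML parser rejects; it should be `<aftersaveredirect>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</aftersaveredirect>` unless pfSense's package loader is known to tolerate the bare form — the unchanged `<aftersaveredirect>` in squid_ng.xml uses the same bare `&`, so this may be an accepted convention, but it is worth confirming rather than propagating. The new `<configpath>` names installedpackages->package->squidcache->configuration->settings, while the new squid_ng.inc reads every squidcache field from `$config['installedpackages']['squidcache']['config'][0]`; if configpath decides where pkg_edit stores the values, the generator will silently read empty settings and fall back to its built-in defaults, so the two paths should be checked against each other. The first hunk of squid_nac.xml has the same two points (`...squid_nac.xml&id=0`, `squidnac`).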
@@ -130,7 +126,7 @@ <field> <fielddescr>Domain</fielddescr> <fieldname>domain</fieldname> - <description>If required, the specified domains will never be cached. Only enter one domain per line.</description> + <description>If required, the specified domains will never be cached. Enter domains separated by a semicolon (;).</description> <type>textarea</type> <rows>10</rows> <cols>50</cols> @@ -145,10 +141,11 @@ </fields> - <custom_php_global_functions> - </custom_php_global_functions> - - <custom_add_php_command> - </custom_add_php_command> + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + </packagegui>
\ No newline at end of file diff --git a/packages/squid_nac.xml b/packages/squid_nac.xml index b4e4ff24..70521b6d 100644 --- a/packages/squid_nac.xml +++ b/packages/squid_nac.xml @@ -1,14 +1,10 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> - <info> - <name>squidnac</name> - </info> - - <files></files> - <menus></menus> - - <configpath>['installedpackages']['package']['squidnac']['configuration']['settings']</configpath> + <name>squidnac</name> + <title>Services: Squid Advanced Proxy</title> + <configpath>installedpackages->package->squidnac->configuration->settings</configpath> + <aftersaveredirect>/pkg_edit.php?xml=squid_nac.xml&id=0</aftersaveredirect> <tabs> @@ -40,12 +36,12 @@ <!-- <tab> <text>Authentication Settings</text> - <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + <url>/pkg_edit.php?xml=squidauth.xml&id=0</url> </tab> <tab> <text>Users</text> - <url>/pkg_edit.php?xml=squid_users.xml&id=0</url> + <url>/pkg_edit.php?xml=squidusers.xml&id=0</url> </tab> --> </tabs> 
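Review bot: The new `custom_add_php_command_late` in squid_cache.xml runs `squid -k reconfigure` straight after `global_write_squid_config()` without checking that the generated squid.conf parses, so any directive the generator gets wrong (for instance the `cache_peer` line in the new squid_ng.inc, which lacks its spaces and `$` sigils) makes the running proxy reload a broken configuration and stop serving every client. Running a syntax check first and reconfiguring only on success, e.g. `if (mwexec("/usr/local/sbin/squid -k parse") == 0) mwexec("/usr/local/sbin/squid -k reconfigure");`, keeps the last good configuration active; this assumes mwexec returns the command's exit status — confirm. Saving any one tab rewrites the whole squid.conf from all of the squid_* packages' settings, which deserves a one-line comment in the hook, e.g. `/* regenerates the complete squid.conf from every squid_* package's settings */`. The identical hook added in the squid_nac.xml hunk below has the same issue.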
@@ -54,65 +50,55 @@ <field> <fielddescr>Allowed Subnets</fielddescr> <fieldname>allowed_subnets</fieldname> - <type>rowhelper</type> - <rowhelper> - <rowhelperfield> - <fielddescr>Network Address</fielddescr> - <fieldname>allowed_network_address</fieldname> - <type>input</type> - <size>32</size> - <validation>number</validation> - </rowhelperfield> - - <rowhelperfield> - <fielddescr>Subnet Mask</fielddescr> - <fieldname>allowed_subnet_mask</fieldname> - <type>select</type> - <options> - <option><name>1</name><value>1</value></option> - <option><name>2</name><value>2</value></option> - <option><name>3</name><value>3</value></option> - <option><name>4</name><value>4</value></option> - <option><name>5</name><value>4</value></option> - <option><name>6</name><value>4</value></option> - <option><name>7</name><value>4</value></option> - <option><name>8</name><value>4</value></option> - <option><name>9</name><value>4</value></option> - <option><name>10</name><value>4</value></option> - <option><name>11</name><value>4</value></option> - <option><name>12</name><value>4</value></option> - <option><name>13</name><value>4</value></option> - <option><name>14</name><value>4</value></option> - <option><name>15</name><value>4</value></option> - <option><name>16</name><value>4</value></option> - <option><name>17</name><value>4</value></option> - <option><name>18</name><value>4</value></option> - <option><name>19</name><value>4</value></option> - <option><name>20</name><value>4</value></option> - <option><name>21</name><value>4</value></option> - <option><name>22</name><value>4</value></option> - <option><name>23</name><value>4</value></option> - <option><name>24</name><value>4</value></option> - <option><name>25</name><value>4</value></option> - <option><name>26</name><value>4</value></option> - <option><name>27</name><value>4</value></option> - <option><name>28</name><value>4</value></option> - <option><name>29</name><value>4</value></option> - 
<option><name>30</name><value>4</value></option> - <option><name>31</name><value>4</value></option> - <option><name>32</name><value>4</value></option> - </options> - </rowhelperfield> - </rowhelper> + <description>Subnets must be entered in the format of Network Address / Subnet Mask (e.g.: 192.168.1.0/24). Enter domains separated by a semicolon (;).</description> + <type>textarea</type> + <rows>5</rows> + <cols>50</cols> </field> <field> <fielddescr>Unrestricted IP Addresses</fielddescr> <fieldname>unrestricted_ip_address</fieldname> + <description>Specify each unrestricted IP address separated by a semicolon (;).</description> <type>textarea</type> - <rows>10</rows> + <rows>5</rows> + <cols>50</cols> + </field> + + <field> + <fielddescr>Unrestricted MAC Addresses</fielddescr> + <fieldname>unrestricted_mac_addresses</fieldname> + <description>Specify each unrestricted MAC address separated by a semicolon (;).</description> + <type>textarea</type> + <rows>5</rows> + <cols>50</cols> + </field> + + <field> + <fielddescr>Banned IP Addresses</fielddescr> + <fieldname>banned_ip_addresses</fieldname> + <description>Specify each banned IP address separated by a semicolon (l).</description> + <type>textarea</type> + <rows>5</rows> + <cols>50</cols> + </field> + + <field> + <fielddescr>Banned MAC Addresses</fielddescr> + <fieldname>banned_mac_addresses</fieldname> + <description>Specify each banned MAC address separated by a semicolon (;).</description> + <type>textarea</type> + <rows>5</rows> <cols>50</cols> </field> </fields> + + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + </packagegui>
\ No newline at end of file diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc new file mode 100644 index 00000000..33845789 --- /dev/null +++ b/packages/squid_ng.inc 
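Review bot: The `allowed_subnets` description in this hunk says "Enter domains separated by a semicolon" although the field holds subnets, and the `banned_ip_addresses` description reads "separated by a semicolon (l)"; they should read `Enter subnets separated by a semicolon (;).` and `Specify each banned IP address separated by a semicolon (;).` These five textareas are copied verbatim into squid ACL files by squid_ng.inc with no format check, so the descriptions are the only guidance a user gets; a per-entry check that each value is a CIDR, IP or MAC before it is accepted would be the robust fix, and at minimum entries should be trimmed so a stray space does not produce an entry squid rejects. The new field names are also inconsistent — `unrestricted_ip_address` is singular while the other four are plural — and the .inc already trips over that (it tests `$unrestricted_ip_addresses` in one place); renaming it `unrestricted_ip_addresses` now, before any configuration is saved under the old name, avoids a migration later.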
@@ -0,0 +1,552 @@ +<?php +/* $Id$ */ + +/* + squid_ng.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ +*/ + +function global_write_squid_config() { + conf_mount_rw(); + config_lock(); + + global $config; + + /* define squid configuration file in variable for replace function */ + $squidconfig = "/usr/local/etc/squid/squid.conf"; + + /* squid_ng.xml values */ + $active_interface = $config['installedpackages']['squidng']['config'][0]['active_interface']; + $transparent_proxy = $config['installedpackages']['squidng']['config'][0]['transparent_proxy']; + $log_enabled = $config['installedpackages']['squidng']['config'][0]['log_enabled']; + $urlfilter_enable = $config['installedpackages']['squidng']['config'][0]['urlfilter_enable']; + $log_query_terms = $config['installedpackages']['squidng']['config'][0]['log_query_terms']; + $log_user_agents = $config['installedpackages']['squidng']['config'][0]['log_user_agents']; + $proxy_port = $config['installedpackages']['squidng']['config'][0]['proxy_port']; + $visible_hostname = $config['installedpackages']['squidng']['config'][0]['visible_hostname']; + $cache_admin_email = $config['installedpackages']['squidng']['config'][0]['cache_admin_email']; + $error_language = $config['installedpackages']['squidng']['config'][0]['error_language']; + + /* squid_upstream.xml values */ + $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; + $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; + $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; + $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; + $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; + $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; + $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; + + /* squidcache.xml values */ + 
$memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; + $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; + $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; + $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; + $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; + $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; + $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; + $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; + $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; + + /* squidnac.xml values */ + $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; + $unrestricted_ip_address = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; + $unrestricted_mac_addresses = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; + $banned_ip_addresses = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; + $banned_mac_addresses = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; + + /* squidtraffic.xml values */ + $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; + $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; + $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; + $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; + $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files']; + $throttle_cd_images = 
$config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; + $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; + + /* squidauth.xml values (placeholder for now) */ + $no_auth = $config['installedpackages']['squidtraffic']['config'][0]['no_auth']; + $local_auth = $config['installedpackages']['squidtraffic']['config'][0]['local_auth']; + $ldap_auth = $config['installedpackages']['squidtraffic']['config'][0]['ldap_auth']; + $windows_auth = $config['installedpackages']['squidtraffic']['config'][0]['windows_auth']; + $radius_auth = $config['installedpackages']['squidtraffic']['config'][0]['radius_auth']; + $auth_processes = $config['installedpackages']['squidtraffic']['config'][0]['auth_processes']; + $auth_cache_ttl = $config['installedpackages']['squidtraffic']['config'][0]['auth_cache_ttl']; + $limit_ip_addr = $config['installedpackages']['squidtraffic']['config'][0]['limit_ip_addr']; + $user_ip_cache_ttl = $config['installedpackages']['squidtraffic']['config'][0]['user_ip_cache_ttl']; + $req_unrestricted_auth = $config['installedpackages']['squidtraffic']['config'][0]['req_unrestricted_auth']; + $auth_realm_prompt = $config['installedpackages']['squidtraffic']['config'][0]['auth_realm_prompt']; + $no_domain_auth = $config['installedpackages']['squidtraffic']['config'][0]['no_domain_auth']; + $min_pass_length = $config['installedpackages']['squidtraffic']['config'][0]['min_pass_length']; + $bypass_extended = $config['installedpackages']['squidtraffic']['config'][0]['bypass_extended']; + + $fout = fopen($squidconfig,"w"); + + /* option: shutdown_lifetime */ + fwrite($fout, "shutdown_lifetime 5 seconds\n"); + fwrite($fout, "\n"); + + /* option: icp_port */ + if($icp_port == "") $icp_port="3130"; + fwrite($fout, "icp_port " . $icp_port . 
"\n"); + + /* option: http_port */ + if($http_port == "") $http_port="3128"; + $int = convert_friendly_interface_to_real_interface_name($config['installedpackages']['squidng']['config'][0]['active_interface']); + $listen_ip = find_interface_ip($int); + fwrite($fout, "http_port " . $listen_ip . ":" . $http_port . "\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + + if ($domain !== "") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + $aclout = fopen("/usr/local/etc/squid/acls/dst_nocache.acl","w"); + + $domain_array = split(";",$domain); + foreach ($domain_array as $no_cache_domain) { + fwrite($aclout, $no_cache_domain . "\n"); + } + + fclose($aclout); + + fwrite($fout, 'acl no_cache_domains dstdomain "/usr/local/etc/squid/acls/dst_nocache.acl"' . "\n"); + fwrite($fout, "no_cache deny no_cache_domains\n"); + } + + fwrite($fout, "\n"); + + fwrite($fout, "cache_effective_user squid\n"); + fwrite($fout, "cache_effective_group squid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "pid_filename /var/run/squid.pid\n"); + fwrite($fout, "\n"); + + if ($memory_cache_size == "") $memory_cache_size="8"; + fwrite($fout, "cache_mem " . $memory_cache_size . " MB\n"); + if ($harddisk_cache_size == "") $harddisk_cache_size="500"; + if ($level_subdirs == "") $level_subdirs="16"; + fwrite($fout, "cache_dir aufs /var/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n"); + fwrite($fout, "\n"); + + if ($error_language == "") $error_language="English"; + fwrite($fout, "error_directory /usr/local/etc/squid/errors/" . $error_language . "\n"); + fwrite($fout, "\n"); + + if ($offline_mode == "on") { + fwrite($fout, "offline_mode on\n"); + fwrite($fout, "\n"); + } + + if ($memory_replacement == "") $memory_replacement="heap GDSF"; + fwrite($fout, "memory_replacement_policy " . $memory_replacement . 
"\n"); + if ($cache_replacement == "") $cache_replacement="heap GDSF"; + fwrite($fout, "cache_replacement_policy " . $cache_replacement . "\n"); + fwrite($fout, "\n"); + + if ($log_enabled == "on" ) { + fwrite($fout, "cache_access_log /var/squid/logs/access.log\n"); + fwrite($fout, "cache_log /var/squid/logs/cache.log\n"); + fwrite($fout, "cache_store_log none\n"); + } else { + fwrite($fout, "cache_access_log /dev/null\n"); + fwrite($fout, "cache_log /dev/null\n"); + fwrite($fout, "cache_store_log none\n"); + } + + if ($log_query_terms == "on") { + fwrite($fout, "strip_query_terms off\n"); + } else { + fwrite($fout, "strip_query_terms on\n"); + } + + if ($log_user_agents == "on") { + fwrite($fout, "useragent_log /var/squid/logs/useragent.log\n"); + } + fwrite($fout, "\n"); + + fwrite($fout, "log_mime_hdrs off\n"); + fwrite($fout, "emulate_httpd_log on\n"); + if ($client_ip_forwarding !== "on") { + fwrite($fout, "forwarded_for off\n"); + } elseif ($user_forwarding !== "on") { + fwrite($fout, "forwarded_for off\n"); + } else { + fwrite($fout, "forwarded_for on\n"); + } + fwrite($fout, "\n"); + + if ($no_auth == "on") { + fwrite($fout, "\n"); + } + + if ($local_auth == "on") { + fwrite($fout, "auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd\n"); + fwrite($fout, "auth_param basic children 5\n"); + fwrite($fout, "auth_param basic realm pfSense Advanced Proxy Service\n"); + fwrite($fout, "auth_param basic credentialsttl 60 minutes\n"); + fwrite($fout, "\n"); + } + + /* TODO: placeholder for local user management */ + + if ($throttle_binary_files == "on") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; + + $throttle_out = fopen("/usr/local/etc/squid/acls/dst_throttle_binary.acl","w"); + fwrite($throttle_out, $binary_out); + fwrite($fout, 'acl for_throttled_binary url_regex -i 
"/usr/local/etc/squid/acls/dst_throttle_binary.acl"' . "\n"); + fclose($throttle_out); + } else { + if (file_exists("/usr/local/etc/squid/acls/dst_throttle_binary.acl")) unlink("/usr/local/etc/squid/acls/dst_throttle_binary.acl"); + } + + if ($throttle_cd_images == "on") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + + $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; + + $throttle_out = fopen("/usr/local/etc/squid/acls/dst_throttle_cd.acl","w"); + fwrite($throttle_out, $cd_out); + fwrite($fout, 'acl for_throttled_cd url_regex -i "/usr/local/etc/squid/acls/dst_throttle_cd.acl"' . "\n"); + fclose($throttle_out); + } else { + if (file_exists("/usr/local/etc/squid/acls/dst_throttle_cd.acl")) unlink("/usr/local/etc/squid/acls/dst_throttle_cd.acl"); + } + + if ($throttle_multimedia == "on") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + + $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; + + $throttle_out = fopen("/usr/local/etc/squid/acls/dst_throttle_multimedia.acl","w"); + fwrite($throttle_out, $multimedia_out); + fwrite($fout, 'acl for_throttled_multimedia url_regex -i "/usr/local/etc/squid/acls/dst_throttle_multimedia.acl"' . "\n"); + fclose($throttle_out); + } else { + if (file_exists("/usr/local/etc/squid/acls/dst_throttle_multimedia.acl")) unlink("/usr/local/etc/squid/acls/dst_throttle_multimedia.acl"); + } + + fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); + fwrite($fout, "\n"); + + /* obtain interface subnet and address for Squid rules */ + $lactive_interface = strtolower($active_interface); + + $lancfg = $config['interfaces'][$lactive_interface]; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + fwrite($fout, "acl all src " . 
$lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl Safe_ports port 80 # http\n"); + fwrite($fout, "acl Safe_ports port 21 # ftp\n"); + fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n"); + fwrite($fout, "acl Safe_ports port 70 # gopher\n"); + fwrite($fout, "acl Safe_ports port 210 # wais\n"); + fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); + fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); + fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); + fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); + fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); + fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); + fwrite($fout, "\n"); + + /* allow access through proxy for custom admin port */ + $custom_port = $config['system']['webgui']['port']; + if ($custom_port !== "") { + fwrite($fout, "acl pf_admin_port port " . $custom_port . "\n"); + } + + /* define subnets allowed to utilize proxy service */ + if ($allowed_subnets !== "") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + + $aclout = fopen("/usr/local/etc/squid/acls/src_subnets.acl","w"); + + $allowed_subnets_array = split(";",$allowed_subnets); + foreach ($allowed_subnets_array as $ind_allowed_subnets) { + fwrite($aclout, $ind_allowed_subnets . "\n"); + } + + fclose($aclout); + + fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/acls/src_subnets.acl"' . 
"\n"); + } + + /* define ip addresses that have 'unrestricted' access */ + if ($unrestricted_ip_address !== "") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + $aclout = fopen("/usr/local/etc/squid/acls/src_unrestricted_ip.acl","w"); + + $unrestricted_ip_array = split(";",$unrestricted_ip_address); + foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { + fwrite($aclout, $ind_unrestricted_ip . "\n"); + } + + fclose($aclout); + + fwrite($fout, 'acl pf_unrestricted_ip src "/usr/local/etc/squid/acls/src_unrestricted_ip.acl"' . "\n"); + } + + /* define mac addresses that have 'unrestricted' access */ + if ($unrestricted_mac_addresses !== "") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + + $aclout = fopen("/usr/local/etc/squid/acls/src_unrestricted_mac.acl","w"); + + $unrestricted_mac_array = split(";",$unrestricted_mac_addresses); + foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { + fwrite($aclout, $ind_unrestricted_mac . "\n"); + } + + fclose($aclout); + + fwrite($fout, 'acl pf_unrestricted_mac src "/usr/local/etc/squid/acls/src_unrestricted_mac.acl"' . "\n"); + } + + /* define ip addresses that are banned from using the proxy service */ + if ($banned_ip_addresses !== "") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + + $aclout = fopen("/usr/local/etc/squid/acls/src_banned_ip.acl","w"); + + $banned_ip_array = split(";",$banned_ip_addresses); + foreach ($banned_ip_array as $ind_banned_ip) { + fwrite($aclout, $ind_banned_ip . "\n"); + } + + fclose($aclout); + + fwrite($fout, 'acl pf_banned_ip src "/usr/local/etc/squid/acls/src_banned_ip.acl"' . 
"\n"); + } + + /* define mac addresses that are banned from using the proxy service */ + if ($banned_mac_addresses !== "") { + if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + + $aclout = fopen("/usr/local/etc/squid/acls/src_banned_mac.acl","w"); + + $banned_mac_array = split(";",$banned_mac_addresses); + foreach ($banned_mac_array as $ind_banned_mac) { + fwrite($aclout, $ind_banned_mac . "\n"); + } + + fclose($aclout); + + fwrite($fout, 'acl pf_banned_mac src "/usr/local/etc/squid/acls/src_banned_mac.acl"' . "\n"); + } + + fwrite($fout, "acl CONNECT method CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#access to squid; local machine; no restrictions\n"); + fwrite($fout, "http_access allow localnet\n"); + fwrite($fout, "http_access allow localhost\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Deny non web services\n"); + fwrite($fout, "http_access deny !Safe_ports\n"); + fwrite($fout, "http_access deny CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Set custom configured ACLs\n"); + fwrite($fout, "http_access deny all\n"); + fwrite($fout, "\n"); + + if ($dl_overall !== "" and $dl_per_host == "") { + fwrite($fout, "#Set throttle and bandwidth restrictions\n"); + + fwrite($fout, "delay_pools 1\n"); + fwrite($fout, "delay_class 1 3\n"); + + if ($dl_overall == "unlimited") { + fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . "\n"); + } else { + fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . 
" -1/-1 -1/-1\n"); + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if ($unrestricted_ip_address == "") fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + + fwrite($fout, "#delay_access 1 deny for_extended_users\n"); + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); + } + if ($throttle_cd_images == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); + } + if ($throttle_multimedia == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); + } else { + fwrite($fout, "delay_access 1 allow all\n"); + } + fwrite($fout, "delay_initial_bucket_level 100%\n\n"); + } + + if ($dl_per_host !== "" and $dl_overall == "") { + fwrite($fout, "#Set throttle and bandwidth restrictions\n"); + + fwrite($fout, "delay_pools 1\n"); + fwrite($fout, "delay_class 1 3\n"); + + if ($dl_per_host == "unlimited") { + fwrite($fout, "delay_parameters 1 " . ($dl_per_host * 125) . "/" . ($dl_per_host * 250) . "-1/-1 -1/-1\n"); + } else { + fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_per_host * 250) . 
"\n"); + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if ($unrestricted_ip_address !== "") fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + + fwrite($fout, "#delay_access 1 deny for_extended_users\n"); + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); + } + if ($throttle_cd_images == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); + } + if ($throttle_multimedia == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); + } else { + fwrite($fout, "delay_access 1 allow all\n"); + } + fwrite($fout, "delay_initial_bucket_level 100%\n\n"); + fwrite($fout, "\n"); + } + + if ($dl_overall !== "" and $dl_per_host !== "") { + /* if no bandwidth restrictions are specified, then these parameters are not necessary */ + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + fwrite($fout, "#Set throttle and bandwidth restrictions\n"); + + if ($dl_overall == "unlimited" and $dl_per_host !== "") { + fwrite($fout, "delay_pools 1\n"); + fwrite($fout, "delay_class 1 3\n"); + fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_overall * 250) . "\n"); + } elseif ($dl_overall !== "" and $dl_per_host == "unlimited") { + fwrite($fout, "delay_pools 1\n"); + fwrite($fout, "delay_class 1 3\n"); + fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . 
" -1/-1 -1/-1\n"); + } + } + + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if ($unrestricted_ip_address !== "") fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + + fwrite($fout, "#delay_access 1 deny for_extended_users\n"); + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); + } + if ($throttle_cd_images == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); + } + if ($throttle_multimedia == "on") { + fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); + } else { + fwrite($fout, "delay_access 1 allow all\n"); + } + fwrite($fout, "delay_initial_bucket_level 100%\n\n"); + } + } + + fwrite($fout, "#Strip HTTP Header\n"); + fwrite($fout, "header_access X-Forwarded-For deny all\n"); + fwrite($fout, "header_access Via deny all\n"); + fwrite($fout, "\n"); + + /* TODO: acl customization for snmp support */ + fwrite($fout, "snmp_access deny all\n"); + fwrite($fout, "\n"); + + if ($urlfilter_enable == "on") { + fwrite($fout, "redirect_program /usr/sbin/squidGuard"); + fwrite($fout, "redirect_children 5"); + fwrite($fout, "\n"); + } + + if ($max_upload_size != "") { + fwrite($fout, "request_body_max_size " . $max_download_size . "KB\n"); + } + + if ($max_download_size != "") { + if ($unrestricted_ip_addresses !== "") fwrite($fout, "reply_body_max_size 0 allow pf_unrestricted_ip\n"); + fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); + fwrite($fout, "reply_body_max_size " . $max_download_size * 1024 . " allow all\n"); + fwrite($fout, "\n"); + } + + if ($visible_hostname !== "") { + fwrite($fout, "visible_hostname " . $visible_hostname . "\n"); + } + + if ($cache_admin_email !== "") { + fwrite($fout, "cache_mgr " . $cache_admin_email . 
"\n"); + fwrite($fout, "\n"); + } + + if ($maximum_object_size == "") $maximum_object_size="4096"; + if ($minimum_object_size == "") $minimum_object_size="0"; + fwrite($fout, "maximum_object_size " . $maximum_object_size . " KB\n"); + fwrite($fout, "minimum_object_size " . $minimum_object_size . " KB\n"); + fwrite($fout, "\n"); + + if ($proxy_forwarding == "on") { + fwrite($fout, "cache_peer " . $upstream_proxy . "parent " . $upstream_proxy_port . "3130 login=" . upstream_username . ":" . upstream_password . " default no-query\n"); + fwrite($fout, "never_direct allow all\n"); + } + + if ($transparent_proxy == "on") { + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + fwrite($fout, "\n"); + } + + fclose($fout); + + conf_mount_ro(); + config_unlock(); + + touch($squidconfig); +} /* end function write_squid_config */ + diff --git a/packages/squid_ng.xml b/packages/squid_ng.xml index 0df323d5..bb8a2692 100644 --- a/packages/squid_ng.xml +++ b/packages/squid_ng.xml 
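Review bot: The NAC ACLs this function writes — `pf_networks`, `pf_unrestricted_ip`, `pf_unrestricted_mac`, `pf_banned_ip`, `pf_banned_mac` — are defined but never referenced by any `http_access` rule; the only access rules emitted are `allow localnet`, `allow localhost`, `deny !Safe_ports`, `deny CONNECT` and `deny all`, so the whole LAN subnet is admitted and the allowed/banned lists have no effect on who may use the proxy (the comment `#Set custom configured ACLs` sits above a bare `deny all`). The lists, together with `visible_hostname`, `cache_admin_email` and `domain`, are written into squid.conf and the ACL files straight from the GUI textareas, so an entry containing whitespace or a newline becomes an extra ACL entry or directive; the fence below factors the five identical write-out blocks into one helper that trims entries and drops malformed ones, and also skips the `acl` line when nothing usable was written. Several directives are emitted broken: the `cache_peer` line concatenates `$upstream_proxy` and `$upstream_proxy_port` without the spaces before `parent` and `3130` and uses bare constants `upstream_username`/`upstream_password` instead of `$`-variables (while `$upstream_password` is read from the misspelled key `upstream_psasword`), so it should be `fwrite($fout, "cache_peer " . $upstream_proxy . " parent " . $upstream_proxy_port . " 3130 login=" . $upstream_username . ":" . $upstream_password . " default no-query\n");` — and since that line puts a password into squid.conf, the file's mode should be restricted after it is written rather than left to the default umask. Further, `redirect_program`/`redirect_children` lack their `\n` and run into the next directive, `request_body_max_size` is built from `$max_download_size` instead of `$max_upload_size`, `$offline_mode` is never assigned (the setting is read into `$enable_offline`) so offline mode can never be enabled, `$http_port`/`$icp_port` are never assigned (the GUI value lands in the unused `$proxy_port`) so the listener is always 3128, and `$unrestricted_ip_addresses` (plural) is undefined, so `reply_body_max_size 0 allow pf_unrestricted_ip` is written even when that ACL was never defined, which squid rejects. `acl all src $lansa/$lansn` also redefines squid's conventional catch-all as the LAN subnet, changing the meaning of every `allow all`/`deny all` that follows, and the closing comment `/* end function write_squid_config */` names a different function than the one it closes.
```php
/* Write one trimmed entry per line to an ACL file.  Returns true when at least
   one usable entry was written, so the caller emits the matching acl line only
   when the file exists.  Entries containing whitespace or '#' are dropped: the
   GUI textareas are not validated, and such an entry would otherwise become a
   second ACL entry or a comment in the file squid reads. */
function squid_write_acl_list($aclfile, $list) {
	$entries = array();
	foreach (split(";", $list) as $entry) {
		$entry = trim($entry);
		if ($entry == "" || preg_match('/[\s#]/', $entry)) continue;
		$entries[] = $entry;
	}
	if (count($entries) == 0) return false;
	if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls");
	$aclout = fopen($aclfile, "w");
	if ($aclout === false) return false;
	fwrite($aclout, implode("\n", $entries) . "\n");
	fclose($aclout);
	return true;
}

/* … unchanged: global_write_squid_config() up to the NAC list blocks … */
	/* each of the five list blocks collapses to this shape */
	if (squid_write_acl_list("/usr/local/etc/squid/acls/src_banned_ip.acl", $banned_ip_addresses)) {
		fwrite($fout, 'acl pf_banned_ip src "/usr/local/etc/squid/acls/src_banned_ip.acl"' . "\n");
	}
/* … unchanged: remainder of global_write_squid_config() … */
```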
@@ -2,26 +2,32 @@ <packagegui> <name>squidng</name> + <title>Services: Squid Advanced Proxy</title> <category>Security</category> <version>2.5.10_4</version> - <title>Services: Squid Advanced Proxy</title> + <configpath>installedpackages->package->squidng->configuration->settings</configpath> <!-- This defines the location where the config is stored within pfSense's xml based global store --> - <configpath>['installedpackages']['package']['squidng']['configuration']['settings']</configpath> <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&id=0</aftersaveredirect> + <menu> + <name>Squid Advanced Proxy</name> + <tooltiptext>Modify settings for Squid Advanced Proxy</tooltiptext> + <section>Services</section> + </menu> + <!-- TODO: Add xml to parse proxy logs into readable format <menu> <name>Proxy Log</name> <section>Status</section> <configfile>squid_log.xml</configfile> </menu> --> - + <files> <file> <type>package</type> - <location>ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/www/squid-2.5.10_4.tbz</location> + <location>http://www.pfsense.org/packages/All/squid-2.5.STABLE10.tbz</location> </file> <file> <type>package</type> @@ -29,6 +35,12 @@ </file> <!-- retrieves the configuration file for upstream proxy settings --> + + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_ng.inc</location> + </file> + <file> <type>configfile</type> <location>http://www.pfsense.com/packages/config/squid_upstream.xml</location> @@ -68,14 +80,6 @@ </files> - <menus> - <menu> - <name>Squid Advanced Proxy</name> - <tooltiptext>Modify settings for Squid Advanced Proxy</tooltiptext> - <section>Services</section> - </menu> - </menus> - <tabs> <tab> <text>General Settings</text> 
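Review bot: The second hunk adds a `<file>` entry that fetches `squid_ng.inc` from `http://www.pfsense.com/packages/config/squid_ng.inc`, and the new `custom_add_php_command_late` hooks `require_once` that file, yet nothing in the descriptor carries a digest or signature for it; unless the package installer verifies downloads some other way, code that runs with the web GUI's privileges is trusted solely on an unauthenticated plain-HTTP fetch, and the same holds for the new squid tarball location `http://www.pfsense.org/packages/All/squid-2.5.STABLE10.tbz` in the first hunk. If the descriptor format supports a checksum element it belongs on both entries; otherwise a comment such as `<!-- NOTE: fetched over plain HTTP with no integrity check; verify before relying on it -->` at least makes the trust assumption visible to the next maintainer. The first hunk also leaves the `<!-- This defines the location where the config is stored ... -->` comment below the `<configpath>` element it describes; moving it above the element, as it was before, keeps the explanation next to what it explains.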
@@ -198,41 +202,40 @@
 <description>Select the language in which the Proxy Server shall display error messages to users.</description>
 <type>select</type>
 <options>
- <option><name>Bulgarian</name><value>bulgarian</value></option>
- <option><name>Catalan</name><value>catalan</value></option>
- <option><name>Czech</name><value>czech</value></option>
- <option><name>Danish</name><value>danish</value></option>
- <option><name>Dutch</name><value>dutch</value></option>
- <option><name>English</name><value>english</value></option>
- <option><name>Estonian</name><value>estonian</value></option>
- <option><name>Finnish</name><value>finnish</value></option>
- <option><name>French</name><value>french</value></option>
- <option><name>German</name><value>german</value></option>
- <option><name>Hebrew</name><value>hebrew</value></option>
- <option><name>Hungarian</name><value>hungarian</value></option>
- <option><name>Italian</name><value>italian</value></option>
- <option><name>Japanese</name><value>japanese</value></option>
- <option><name>Korean</name><value>korean</value></option>
- <option><name>Lithuanian</name><value>lithuanian</value></option>
- <option><name>Polish</name><value>polish</value></option>
- <option><name>Portuguese</name><value>portuguese</value></option>
- <option><name>Romanian</name><value>romanian</value></option>
- <option><name>Russian-1251</name><value>russian_1251</value></option>
- <option><name>Russian-koi8-r</name><value>russian_koi8</value></option>
- <option><name>Serbian</name><value>serbian</value></option>
- <option><name>Simplified Chinese</name><value>simplified_chinese</value></option>
- <option><name>Slovak</name><value>slovak</value></option>
- <option><name>Spanish</name><value>spanish</value></option>
- <option><name>Swedish</name><value>swedish</value></option>
- <option><name>Traditional Chinese</name><value>traditional_chinese</value></option>
- <option><name>Turkish</name><value>turkish</value></option>
+ <option><name>Bulgarian</name><value>Bulgarian</value></option>
+ <option><name>Catalan</name><value>Catalan</value></option>
+ <option><name>Czech</name><value>Czech</value></option>
+ <option><name>Danish</name><value>Danish</value></option>
+ <option><name>Dutch</name><value>Dutch</value></option>
+ <option><name>English</name><value>English</value></option>
+ <option><name>Estonian</name><value>Estonian</value></option>
+ <option><name>Finnish</name><value>Finnish</value></option>
+ <option><name>French</name><value>French</value></option>
+ <option><name>German</name><value>German</value></option>
+ <option><name>Hebrew</name><value>Hebrew</value></option>
+ <option><name>Hungarian</name><value>Hungarian</value></option>
+ <option><name>Italian</name><value>Italian</value></option>
+ <option><name>Japanese</name><value>Japanese</value></option>
+ <option><name>Korean</name><value>Korean</value></option>
+ <option><name>Lithuanian</name><value>Lithuanian</value></option>
+ <option><name>Polish</name><value>Polish</value></option>
+ <option><name>Portuguese</name><value>Portuguese</value></option>
+ <option><name>Romanian</name><value>Romanian</value></option>
+ <option><name>Russian-1251</name><value>Russian-1251</value></option>
+ <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
+ <option><name>Serbian</name><value>Serbian</value></option>
+ <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
+ <option><name>Slovak</name><value>Slovak</value></option>
+ <option><name>Spanish</name><value>Spanish</value></option>
+ <option><name>Swedish</name><value>Swedish</value></option>
+ <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
+ <option><name>Turkish</name><value>Turkish</value></option>
 </options>
 </field>
 </fields>
-
- <!-- The below writes the configuration as defined by the GUI options -->
+ <!-- The below writes the configuration as defined by the GUI options -->
 <custom_php_global_functions>
 function write_static_squid_config() {
 global $config;
@@ -242,7 +245,7 @@
 $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
 $lansn = $lancfg['subnet'];
- $fout = fopen("/usr/local/etc/squid/squid.conf.new","w");
+ $fout = fopen("/usr/local/etc/squid/squid.conf","w");
 fwrite($fout, "#\n");
 fwrite($fout, "# This file was automatically generated by the pfSense package manager\n");
 fwrite($fout, "# This default policy enables transparent proxy with no local disk logging\n");
@@ -256,28 +259,20 @@
 fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
 fwrite($fout, "no_cache deny QUERY\n");
- if ($domain != "") {
- $aclout = fopen("/usr/local/etc/squid/dst_nocache.acl","w");
- $each_domain = explode(" ", $domain);
- foreach ($each_domain as $line) {
- fwrite($aclout, $line . "\n");
- }
- fclose($aclout);
- }
 fwrite($fout, "\n");
 fwrite($fout, "pid_filename /var/run/squid.pid\n");
 fwrite($fout, "\n");
 fwrite($fout, "cache_mem 8 MB\n");
- fwrite($fout, "cache_dir aufs /usr/local/squid/cache 500 16 256\n");
+ fwrite($fout, "cache_dir ufs /var/squid/cache 500 16 256\n");
 fwrite($fout, "\n");
- fwrite($fout, "error_directory /usr/local/squid/etc/errors/English\n");
+ fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
 fwrite($fout, "\n");
 fwrite($fout, "memory_replacement_policy heap LRU\n");
- fwrite($fout, "cache_replacement_policy heap GSDF\n");
+ fwrite($fout, "cache_replacement_policy heap GDSF\n");
 fwrite($fout, "\n");
 fwrite($fout, "cache_access_log /dev/null\n");
@@ -296,7 +291,6 @@
 fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n");
 fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
 fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
- fwrite($fout, "acl SSL_ports port 443 563\n");
 fwrite($fout, "acl Safe_ports port 80 # http\n");
 fwrite($fout, "acl Safe_ports port 21 # ftp\n");
 fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n");
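Review bot: The new `<value>`s `Simplify Chinese` and `Traditional Chinese` contain a space, and the removed `global_write_squid_config()` in this same file interpolated this field directly into `error_directory /…/errors/<value>`; if `squid_ng.inc` does the same, the directive ends up with an unquoted path containing a space, and a stored value outside this list would likewise be written straight into squid.conf. In Squid 2.5's errors tree those directories are named `Simplify_Chinese` and `Traditional_Chinese`, so the two lines should read `<option><name>Simplified Chinese</name><value>Simplify_Chinese</value></option>` and `<option><name>Traditional Chinese</name><value>Traditional_Chinese</value></option>`. The writer in squid_ng.inc should also fall back to `English` unless the stored value is one of the listed names, because a free-form string here becomes a filesystem path in the proxy configuration.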
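Review bot: The return value of `$fout = fopen("/usr/local/etc/squid/squid.conf","w");` is never checked, so if the open fails (for example while `/usr/local/etc` is still mounted read-only) every following `fwrite` fails and the install continues with an empty or stale squid.conf; add `if ($fout === false) { update_output_window("Cannot write /usr/local/etc/squid/squid.conf"); return; }` directly after it. `write_static_squid_config` begins before this hunk, so its caller may also want a return value to act on once one exists.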
@@ -336,7 +330,7 @@
 fwrite($fout, "#Strip HTTP Header\n");
 fwrite($fout, "header_access X-Forwarded-For deny all\n");
- fwrite($fout, "header_access deny all\n");
+ fwrite($fout, "header_access Via deny all\n");
 fwrite($fout, "\n");
 fwrite($fout, "maximum_object_size 4096 KB\n");
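Review bot: Dropping `acl SSL_ports port 443 563` from the static config is only safe if no later `http_access` line in `write_static_squid_config` still names `SSL_ports`; the remainder of that function lies outside the hunk, and squid refuses a configuration whose `http_access` rule references an undefined ACL. If the intent is to permit CONNECT only to those ports, keep the ACL and use `http_access deny CONNECT !SSL_ports`; if CONNECT is denied outright, as the removed generator did with `http_access deny CONNECT`, removing the ACL is fine but a comment such as `# CONNECT is denied entirely; SSL_ports ACL intentionally omitted` would make that explicit to the next reader.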
@@ -349,279 +343,40 @@
 fclose($fout);
 } <!-- end function write_static_squid_config() -->
-
- function global_write_squid_config() {
- global $config;
-
- <!-- define squid configuration file in variable for replace function -->
- $squidconfig = "/usr/local/etc/squid/squid.conf.new";
-
- <!-- squid_ng.xml values -->
- $active_interface = $config['installedpackages']['squidng']['config'][0]['active_interface'];
- $transparent_proxy = $config['installedpackages']['squidng']['config'][0]['transparent_proxy'];
- $log_enabled = $config['installedpackages']['squidng']['config'][0]['log_enabled'];
- $urlfilter_enable = $config['installedpackages']['squidng']['config'][0]['urlfilter_enable'];
- $log_query_terms = $config['installedpackages']['squidng']['config'][0]['log_query_terms'];
- $log_user_agents = $config['installedpackages']['squidng']['config'][0]['log_user_agents'];
- $proxy_port = $config['installedpackages']['squidng']['config'][0]['proxy_port'];
- $visible_hostname = $config['installedpackages']['squidng']['config'][0]['visible_hostname'];
- $cache_admin_email = $config['installedpackages']['squidng']['config'][0]['cache_admin_email'];
- $error_language = $config['installedpackages']['squidng']['config'][0]['error_language'];
-
- <!-- squid_upstream.xml values -->
- $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
- $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
- $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
- $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
- $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
- $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
- $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
-
- <!-- squid_cache.xml values -->
- $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
- $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
- $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
- $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
- $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
- $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
- $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
- <!-- $domain <rowhelper> -->
- $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
-
- <!-- squid_nac.xml values -->
- $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
- <!-- allowed_network_address <rowhelper -->
- <!-- allowed_subnet_mask <rowhelper -->
- $unrestricted_ip_address = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
-
- <!-- squid_traffic.xml values -->
- $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
- $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
- $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
- $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
- $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
- $throttle_cd_image = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_image'];
- $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
-
- $fout = fopen($squidconfig,"w");
-
- <!-- option: shutdown_lifetime -->
- fwrite($fout, "shutdown_lifetime 5 seconds\n");
- fwrite($fout, "\n");
-
- <!-- option: icp_port -->
- if($icp_port == "") $icp_port="3130";
- fwrite($fout, "icp_port " . $icp_port . "\n");
-
- <!-- option: http_port -->
- if($http_port == "") $http_port="3128";
- $int = convert_friendly_interface_to_real_interface_name($config['installedpackages']['squidng']['config'][0]['active_interface']);
- $listen_ip = find_interface_ip($int);
- fwrite($fout, "http_port " . $listen_ip . ":" . $http_port . "\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
- fwrite($fout, "non_cache deny QUERY\n");
-
-
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_effective_user squid\n");
- fwrite($fout, "cache_effective_group squid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "pid_filename /var/run/squid.pid\n");
- fwrite($fout, "\n");
-
- if ($memory_cache_size == "") $memory_cache_size="8";
- fwrite($fout, "cache_mem " . $memory_cache_size . " MB\n");
- if ($harddisk_cache_size == "") $harddisk_cache_size="500";
- if ($level_subdirs == "") $level_subdirs="16";
- fwrite($fout, "cache_dirs aufs /usr/local/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n");
- fwrite($fout, "\n");
-
- if ($error_language == "") $error_language="English";
- fwrite($fout, "error_directory /usr/local/squid/etc/errors/" . $error_language . "\n");
- fwrite($fout, "\n");
-
- if ($offline_mode == "on") {
- fwrite($fout, "offline_mode on\n");
- fwrite($fout, "\n");
- }
-
- if ($memory_replacement == "") $memory_replacement="heap GSDF";
- fwrite($fout, "memory_replacement_policy " . $memory_replacement . "\n");
- if ($cache_replacement == "") $cache_replacement="heap GSDF";
- fwrite($fout, "cache_replacement_policy " . $cache_replacement . "\n");
- fwrite($fout, "\n");
-
- if ($log_enabled == "on" ) {
- fwrite($fout, "cache_access_log /var/log/squid/access.log\n");
- fwrite($fout, "cache_log /var/log/squid/cache.log\n");
- fwrite($fout, "cache_store_log none\n");
- } else {
- fwrite($fout, "cache_access_log /dev/null\n");
- fwrite($fout, "cache_log /dev/null\n");
- fwrite($fout, "cache_store_log none\n");
- }
-
- if ($log_query_terms == "on") {
- fwrite($fout, "strip_query_terms off\n");
- } else {
- fwrite($fout, "strip_query_terms on\n");
- }
-
- if ($log_user_agents == "on") {
- fwrite($fout, "useragent_log /var/log/squid/useragent.log\n");
- }
- fwrite($fout, "\n");
-
- fwrite($fout, "log_mime_hdrs off\n");
- fwrite($fout, "emulate_httpd_log on\n");
- if ($client_ip_forwarding !== "on") {
- fwrite($fout, "forwarded_for off\n");
- } elseif ($user_forwarding !== "on") {
- fwrite($fout, "forwarded_for off\n");
- } else {
- fwrite($fout, "forwarded_for on\n");
- }
- fwrite($fout, "\n");
-
- fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
- fwrite($fout, "\n");
-
- <!-- obtain interface subnet and address for Squid rules -->
- $lactive_interface = strtolower($active_interface);
-
- $lancfg = $config['interfaces'][$lactive_interface];
- $lanif = $lancfg['if'];
- $lanip = $lancfg['ipaddr'];
- $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
- $lansn = $lancfg['subnet'];
-
- fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n");
- fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
- fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
- fwrite($fout, "acl SSL_ports port 443 563\n");
- fwrite($fout, "acl Safe_ports port 80 # http\n");
- fwrite($fout, "acl Safe_ports port 21 # ftp\n");
- fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n");
- fwrite($fout, "acl Safe_ports port 70 # gopher\n");
- fwrite($fout, "acl Safe_ports port 210 # wais\n");
- fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
- fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
- fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
- fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
- fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
- fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl CONNECT method CONNECT\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#access to squid; local machine; no restrictions\n");
- fwrite($fout, "http_access allow localnet\n");
- fwrite($fout, "http_access allow localhost\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Deny non web services\n");
- fwrite($fout, "http_access deny !Safe_ports\n");
- fwrite($fout, "http_access deny CONNECT\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Set custom configured ACLs\n");
- fwrite($fout, "http_access deny all\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_effective_user squid\n");
- fwrite($fout, "cache_effective_group squid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "#Strip HTTP Header\n");
- fwrite($fout, "header_access X-Forwarded-For deny all\n");
- fwrite($fout, "header_access deny all\n");
- fwrite($fout, "\n");
-
- if ($urlfilter_enable == "on") {
- fwrite($fout, "redirect_program /usr/sbin/squidGuard");
- fwrite($fout, "redirect_children 5");
- }
-
- if ($visible_hostname !== "") {
- fwrite($fout, "visible_hostname " . $visible_hostname . "\n");
- }
-
- if ($cache_admin_email !== "") {
- fwrite($fout, "cache_mgr " . $cache_admin_email . "\n");
- }
-
- if ($maximum_object_size == "") $maximum_object_size="4096";
- if ($minimum_object_size == "") $minimum_object_size="0";
- fwrite($fout, "maximum_object_size " . $maximum_object_size . " KB\n");
- fwrite($fout, "minimum_object_size " . $minimum_object_size . " KB\n");
- fwrite($fout, "\n");
-
- if ($proxy_forwarding == "on") {
- fwrite($fout, "cache_peer " . $upstream_proxy . "parent " . $upstream_proxy_port . "3130 login=" . upstream_username . ":" . upstream_password . " default no-query\n");
- fwrite($fout, "never_direct allow all\n");
- }
-
- if ($transparent_proxy == "on") {
- fwrite($fout, "httpd_accel_host virtual\n");
- fwrite($fout, "httpd_accel_port 80\n");
- fwrite($fout, "httpd_accel_with_proxy on\n");
- fwrite($fout, "httpd_accel_uses_host_header on\n");
- fwrite($fout, "\n");
- }
-
- fclose($fout);
- } <!-- end function write_squid_config -->
- </custom_php_global_functions>
- <custom_add_php_command>
- function sync_package_squid () {
- mwexec("/usr/local/sbin/squid -k reconfigure");
- conf_mount_ro(); <!-- mounts filesystems in read only mode -->
- config_unlock(); <!-- unlock the config file -->
- } <!-- end function sync_package_squid -->
-
- global_write_squid_config();
- <!-- sync_package_squid(); -->
- </custom_add_php_command>
-
- <custom_php_resync_command>
- function sync_package_squid() {
- mwexec("/usr/local/sbin/squid -k reconfigure");
- conf_mount_ro(); <!-- mounts filesystems in read only mode -->
- config_unlock(); <!-- unlock the config file -->
- }
-
+ <custom_add_php_command_late>
+ require_once("/usr/local/pkg/squid_ng.inc");
+ global_write_squid_config();
- sync_package_squid();
- </custom_php_resync_command>
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ </custom_add_php_command_late>
 <custom_php_install_command>
 write_static_squid_config(); <!-- write initial config to work -->
+ update_output_window("Creating initialization scripts...");
 $fout = fopen("/usr/local/etc/rc.d/squid.sh","w");
 fwrite($fout, "#!/bin/sh\n");
- fwrite($fout, "# PACKAGE: Squid\n);
- fwrite($fout, "# EXECUTABLE: squid\n\n");
- fwrite($fout "# Alert system that we need the / mount rw\n");
- fwrite($fout, "touch /tmp/rw_root_mount\n\n");
+ fwrite($fout, "$pfSense: /usr/local/sbin/rc.d/squid.sh; created " . date(DATE_RFC822) . " mcapp\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "touch /tmp/ro_root_mount\n\n");
 fwrite($fout, "/usr/local/sbin/squid -D\n\n");
- fwrite($fout, "touch /tmp/filter_dirty\n\n");
+ fwrite($fout, "touch /tmp/filter_dirty\n\n");
 fclose($fout);
 chmod("/usr/local/etc/rc.d/squid.sh", 755);
- update_output_window("Configuring Squid... This may take a moment...");
- mwexec("/usr/local/sbin/squid -z");
- update_output_window("Starting Squid...");
+
+ if (!file_exists("/var/squid/cache")) {
+ update_output_window("Initializing Cache... This may take a moment...");
+ mwexec("/usr/local/sbin/squid -z");
+ }
+
+ update_output_window("Starting Squid Advanced Proxy...");
 mwexec_bg("/usr/local/etc/rc.d/squid.sh");
 filter_configure();
 </custom_php_install_command>
-
+
 <custom_php_deinstall_command>
 rmdir_recursive("/usr/local/squid");
 unlink_if_exists("/var/mail/squid");
@@ -629,12 +384,13 @@
 unlink_if_exists("/usr/local/etc/squid/squid.conf");
 unlink_if_exists("/usr/local/etc/squid");
 unlink_if_exists("/usr/local/libexec/squid");
+ rmdir_recursive("/usr/local/etc/squid");
 filter_configure();
 </custom_php_deinstall_command>
- <!-- <start_command>/usr/local/etc/rc.d/squid.sh</start_command> -->
+ <start_command>/usr/local/etc/rc.d/squid.sh</start_command>
- <process_kill_command>squid</process_kill_command>
+ <process_kill_command>/usr/local/sbin/squid -k shutdown</process_kill_command>
 </packagegui>
\ No newline at end of file
diff --git a/packages/squid_traffic.xml b/packages/squid_traffic.xml
index 037752e2..90ecc7af 100644
--- a/packages/squid_traffic.xml
+++ b/packages/squid_traffic.xml
@@ -1,14 +1,10 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <packagegui>
- <info>
- <name>squidtraffic</name>
- </info>
-
- <files></files>
- <menus></menus>
-
- <configpath>['installedpackages']['package']['squidtraffic']['configuration']['settings']</configpath>
+ <name>squidtraffic</name>
+ <title>Services: Squid Advanced Proxy</title>
+ <configpath>installedpackages->package->squidtraffic->configuration->settings</configpath>
+ <aftersaveredirect>/pkg_edit.php?xml=squid_traffic.xml&id=0</aftersaveredirect>
 <tabs>
@@ -40,12 +36,12 @@
 <!--<tab>
 <text>Authentication Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>
+ <url>/pkg_edit.php?xml=squidauth.xml&id=0</url>
 </tab>
 <tab>
 <text>Users</text>
- <url>/pkg_edit.php?xml=squid_users.xml&id=0</url>
+ <url>/pkg_edit.php?xml=squidusers.xml&id=0</url>
 </tab>
 -->
 </tabs>
@@ -122,4 +118,12 @@
 </field>
 </fields>
+
+ <custom_add_php_command_late>
+ require_once("/usr/local/pkg/squid_ng.inc");
+
+ global_write_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ </custom_add_php_command_late>
+
 </packagegui>
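Review bot: The deinstall command still removes `/usr/local/squid` and now `/usr/local/etc/squid`, but the cache directory this commit moves to `/var/squid/cache` (see `cache_dir ufs /var/squid/cache` in `write_static_squid_config` and the `file_exists("/var/squid/cache")` test in the install command) is never removed, so an uninstall leaves the cache on disk and a later reinstall skips `squid -z` because the directory already exists. Add `rmdir_recursive("/var/squid/cache");` next to the other removals. The new `rmdir_recursive("/usr/local/etc/squid");` also makes the preceding `unlink_if_exists("/usr/local/etc/squid");` on the same directory redundant.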
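Review bot: The added `<aftersaveredirect>/pkg_edit.php?xml=squid_traffic.xml&id=0</aftersaveredirect>` has a bare `&` in element content, which is not well-formed XML; write it as `/pkg_edit.php?xml=squid_traffic.xml&amp;id=0`. The unchanged `<aftersaveredirect>` lines in squid_ng.xml and squid_upstream.xml carry the same bare `&` (the `<url>` lines sit inside `<!-- -->` comments and are unaffected), so if the package loader uses a conforming XML parser they fail together and should be corrected together.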
\ No newline at end of file
diff --git a/packages/squid_upstream.xml b/packages/squid_upstream.xml
index ab3eb008..b5270af4 100644
--- a/packages/squid_upstream.xml
+++ b/packages/squid_upstream.xml
@@ -1,17 +1,12 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <packagegui>
- <info>
- <name>squidupstream</name>
- </info>
+ <name>squidupstream</name>
+ <title>Services: Squid Advanced Proxy</title>
+ <configpath>installedpackages->package->squidupstream->configuration->settings</configpath>
- <files></files>
- <menus></menus>
-
- <configpath>['installedpackages']['package']['squidupstream']['configuration']['settings']</configpath>
 <aftersaveredirect>/pkg_edit.php?xml=squid_upstream.xml&id=0</aftersaveredirect>
- <tabs>
 <tab>
 <text>General Settings</text>
@@ -41,14 +36,13 @@
 <!-- <tab>
 <text>Authentication Settings</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>
+ <url>/pkg_edit.php?xml=squidauth.xml&id=0</url>
 </tab>
 <tab>
 <text>Users</text>
- <url>/pkg_edit.php?xml=squid_users.xml&id=0</url>
- </tab>
- -->
+ <url>/pkg_edit.php?xml=squidusers.xml&id=0</url>
+ </tab> -->
 </tabs>
 <fields>
@@ -105,7 +99,11 @@
 </field>
 </fields>
- <custom_php_global_functions>
- </custom_php_global_functions>
-
+ <custom_add_php_command_late>
+ require_once("/usr/local/pkg/squid_ng.inc");
+
+ global_write_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ </custom_add_php_command_late>
+
 </packagegui>
\ No newline at end of file |