aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xconfig/squid3/33/squid.inc107
-rw-r--r--config/squid3/33/squid.xml14
-rwxr-xr-xconfig/squid3/33/squid_cache.xml11
-rw-r--r--pkg_config.8.xml5
-rw-r--r--pkg_config.8.xml.amd645
5 files changed, 100 insertions, 42 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 94c85a7e..4ca1672f 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -777,6 +777,41 @@ function squid_install_cron($should_install) {
configure_cron();
}
+function squid_check_ca_hashes(){
+ global $config,$g;
+
+ #check certificates
+ $cert_count=0;
+ if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+ if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) {
+ while (false !== ($file = readdir($handle)))
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ if ($cert_count < 10){
+ conf_mount_rw();
+ #create ca-root hashes from ca-root-nss package
+ log_error("Creating root certificate bundle hashes from the Mozilla Project");
+ $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+ $cert=0;
+ foreach ($cas as $ca){
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ $cert=1;
+ if ($cert == 1)
+ $crt.=$ca;
+ if (preg_match("/-END CERTIFICATE-/",$ca)){
+ file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+ $cert_hash=array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+ file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+ $crt="";
+ $cert=0;
+ }
+ }
+ }
+}
+
function squid_resync_general() {
global $g, $config, $valid_acls;
@@ -785,10 +820,10 @@ function squid_resync_general() {
else
$settings=array();
$conf = "# This file is automatically generated by pfSense\n";
- $conf .= "# Do not edit manually !\n";
+ $conf .= "# Do not edit manually !\n\n";
#Check ssl interception
- $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
if (($settings['ssl_proxy'] == 'on')) {
+ squid_check_ca_hashes();
$srv_cert = lookup_cert($settings["dcert"]);
if ($srv_cert != false) {
if(base64_decode($srv_cert['prv'])) {
@@ -803,15 +838,19 @@ function squid_resync_general() {
squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
-
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n";
- $interception_checks="";
+ $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+ $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
$interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
- if ($settings["interception_adapt"] != "")
- $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n";
+ if ($settings["interception_adapt"] != ""){
+ foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+ $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ }
}
}
}
@@ -887,7 +926,7 @@ function squid_resync_general() {
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
- $conf .= <<<EOD
+ $conf .= <<< EOD
icp_port {$icp_port}
dns_v4_first {$dns_v4_first}
pid_filename {$pidfile}
@@ -900,7 +939,6 @@ cache_mgr {$email}
access_log {$logdir_access}
cache_log {$logdir_cache}
cache_store_log none
-sslcrtd_children {$sslcrtd_children}
{$interception_checks}
EOD;
@@ -912,7 +950,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
$conf .= "logfile_rotate {$rotate}\n";
squid_install_cron(true);
- $conf .= <<<EOD
+ $conf .= <<< EOD
shutdown_lifetime 3 seconds
EOD;
@@ -987,7 +1025,7 @@ if(empty($settings['cache_dynamic_content'])){
}
else{
if(preg_match('/youtube/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
@@ -998,7 +1036,7 @@ cache allow youtube
EOC;
}
if(preg_match('/windows/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Windows Update refresh_pattern
range_offset_limit -1
@@ -1010,7 +1048,7 @@ EOC;
}
if(preg_match('/symantec/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Symantec refresh_pattern
range_offset_limit -1
@@ -1020,7 +1058,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re
EOC;
}
if(preg_match('/avast/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Avast refresh_pattern
range_offset_limit -1
@@ -1029,7 +1067,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i
EOC;
}
if(preg_match('/avira/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Avira refresh_pattern
range_offset_limit -1
@@ -1037,18 +1075,21 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43
EOC;
}
- $refresh_conf=<<<EOC
+ $refresh_conf=<<< EOC
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
+
EOC;
-
}
-
- $conf .= <<<EOD
+
+ If ($settings['custom_refresh_patterns'] !="")
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns']);
+
+ $conf .= <<< EOD
cache_mem $memory_cache_size MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
@@ -1067,11 +1108,12 @@ EOD;
if (!empty($donotcache)) {
file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
- $conf .= 'cache deny donotcache';
+ $conf .= "cache deny donotcache\n";
}
elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
unlink(SQUID_ACLDIR . '/donotcache.acl');
}
+ $conf .= "cache allow all\n";
return $conf.$refresh_conf;
}
@@ -1133,7 +1175,7 @@ function squid_resync_nac() {
$addtl_sslports = $settings['addtl_sslports'];
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
- $conf = <<<EOD
+ $conf = <<< EOD
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
@@ -1152,7 +1194,6 @@ acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
-
EOD;
$allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
@@ -1187,7 +1228,7 @@ EOD;
}
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
http_access allow manager localhost
EOD;
@@ -1204,7 +1245,7 @@ EOD;
}
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
http_access deny manager
http_access allow purge localhost
@@ -1262,7 +1303,7 @@ function squid_resync_antivirus(){
$clwarn="clwarn.cgi.pt_BR";
copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
- $conf = <<<EOF
+ $conf = <<< EOF
icap_enable on
icap_send_client_ip {$icap_send_client_ip}
icap_send_client_username {$icap_send_client_username}
@@ -1412,7 +1453,7 @@ function squid_resync_traffic() {
$perhost = -1;
else
$perhost *= 1024;
- $conf .= <<<EOD
+ $conf .= <<< EOD
delay_pools 1
delay_class 1 2
delay_parameters 1 $overall/$overall $perhost/$perhost
@@ -1608,23 +1649,23 @@ function squid_resync_auth() {
$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
switch ($auth_method) {
case 'local':
- $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n";
+ $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/baisc_ncsa_auth ' . SQUID_PASSWD . "\n";
break;
case 'ldap':
$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
- $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
break;
case 'radius':
$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
break;
case 'msnt':
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n";
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
squid_resync_msnt();
break;
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
auth_param basic children $processes
auth_param basic realm $prompt
auth_param basic credentialsttl $auth_ttl minutes
@@ -1788,7 +1829,7 @@ function squid_print_javascript_auth() {
// No authentication for transparent proxy
if ($transparent_proxy) {
- $javascript = <<<EOD
+ $javascript = <<< EOD
<script language="JavaScript">
<!--
function on_auth_method_changed() {
@@ -1816,7 +1857,7 @@ function on_auth_method_changed() {
EOD;
}
else {
- $javascript = <<<EOD
+ $javascript = <<< EOD
<script language="JavaScript">
<!--
function on_auth_method_changed() {
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
index 25c1b212..dbaf0895 100644
--- a/config/squid3/33/squid.xml
+++ b/config/squid3/33/squid.xml
@@ -401,11 +401,17 @@
<size>3</size>
</field>
<field>
- <fielddescr>sslcrtd adapt</fielddescr>
+ <fielddescr>Certificate adapt</fielddescr>
<fieldname>interception_adapt</fieldname>
- <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
- <type>input</type>
- <size>70</size>
+ <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option>
+ <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option>
+ <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option>
+ </options>
+ <multiple/>
+ <size>3</size>
</field>
<field>
<name>Logging Settings</name>
diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml
index 9d982dcb..26d6463c 100755
--- a/config/squid3/33/squid_cache.xml
+++ b/config/squid3/33/squid_cache.xml
@@ -284,7 +284,16 @@
</options>
<multiple/>
<size>06</size>
- </field>
+ </field>
+ <field>
+ <fielddescr>Custom refresh_patterns</fielddescr>
+ <fieldname>custom_refresh_patterns</fieldname>
+ <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description>
+ <type>textarea</type>
+ <cols>67</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
</fields>
<custom_php_command_before_form>
if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index de39724d..cbaa5ea2 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -1272,7 +1272,7 @@
<pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
<website>http://www.squid-cache.org/</website>
<category>Network</category>
- <version>3.3.4 pkg 2.1</version>
+ <version>3.3.4 pkg 2.1.1</version>
<status>beta</status>
<required_version>2.0</required_version>
<maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
@@ -1280,10 +1280,11 @@
<depends_on_package>squid-3.3.4.tbz</depends_on_package>
<depends_on_package>libltdl-2.4.2.tbz</depends_on_package>
<depends_on_package>libwww-5.4.0_4.tbz</depends_on_package>
+ <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package>
<build_pbi>
<ports_before>www/libwww</ports_before>
<port>www/squid33</port>
- <ports_after>www/squid_radius_auth security/clamav www/squidclamav</ports_after>
+ <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss</ports_after>
</build_pbi>
<build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options>
<config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 87c92f4c..bc44aa70 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -1259,7 +1259,7 @@
<pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink>
<website>http://www.squid-cache.org/</website>
<category>Network</category>
- <version>3.3.4 pkg 2.1</version>
+ <version>3.3.4 pkg 2.1.1</version>
<status>beta</status>
<required_version>2.0</required_version>
<maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer>
@@ -1267,10 +1267,11 @@
<depends_on_package>squid-3.3.4.tbz</depends_on_package>
<depends_on_package>libltdl-2.4.2.tbz</depends_on_package>
<depends_on_package>libwww-5.4.0_4.tbz</depends_on_package>
+ <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package>
<build_pbi>
<ports_before>www/libwww</ports_before>
<port>www/squid33</port>
- <ports_after>www/squid_radius_auth security/clamav www/squidclamav</ports_after>
+ <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss</ports_after>
</build_pbi>
<build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI ECAP SNMP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options>
<config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file>