diff options
-rwxr-xr-x | config/squid3/33/squid.inc | 107 | ||||
-rw-r--r-- | config/squid3/33/squid.xml | 14 | ||||
-rwxr-xr-x | config/squid3/33/squid_cache.xml | 11 | ||||
-rw-r--r-- | pkg_config.8.xml | 5 | ||||
-rw-r--r-- | pkg_config.8.xml.amd64 | 5 |
5 files changed, 100 insertions, 42 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 94c85a7e..4ca1672f 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -777,6 +777,41 @@ function squid_install_cron($should_install) { configure_cron(); } +function squid_check_ca_hashes(){ + global $config,$g; + + #check certificates + $cert_count=0; + if (is_dir(SQUID_LOCALBASE. '/share/certs')) + if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) { + while (false !== ($file = readdir($handle))) + if (preg_match ("/\d+.0/",$file)) + $cert_count++; + } + closedir($handle); + if ($cert_count < 10){ + conf_mount_rw(); + #create ca-root hashes from ca-root-nss package + log_error("Creating root certificate bundle hashes from the Mozilla Project"); + $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); + $cert=0; + foreach ($cas as $ca){ + if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) + $cert=1; + if ($cert == 1) + $crt.=$ca; + if (preg_match("/-END CERTIFICATE-/",$ca)){ + file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); + $cert_hash=array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); + file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); + $crt=""; + $cert=0; + } + } + } +} + function squid_resync_general() { global $g, $config, $valid_acls; @@ -785,10 +820,10 @@ function squid_resync_general() { else $settings=array(); $conf = "# This file is automatically generated by pfSense\n"; - $conf .= "# Do not edit manually !\n"; + $conf .= "# Do not edit manually !\n\n"; #Check ssl interception - $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); if (($settings['ssl_proxy'] == 'on')) { + squid_check_ca_hashes(); $srv_cert = lookup_cert($settings["dcert"]); if ($srv_cert != false) { if(base64_decode($srv_cert['prv'])) { @@ -803,15 +838,19 @@ function squid_resync_general() { squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); $crt_pk=SQUID_CONFBASE."/serverkey.pem"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); - - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n"; - $interception_checks=""; + $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); + $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n"; + $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; + $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; + $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n"; if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; - if ($settings["interception_adapt"] != "") - $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n"; + if ($settings["interception_adapt"] != ""){ + foreach (explode(",",$settings["interception_adapt"]) as $adapt) + $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; + } } } } @@ -887,7 +926,7 @@ function squid_resync_general() { $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); - $conf .= <<<EOD + $conf .= <<< EOD icp_port {$icp_port} dns_v4_first {$dns_v4_first} pid_filename {$pidfile} @@ -900,7 +939,6 @@ cache_mgr {$email} access_log {$logdir_access} cache_log {$logdir_cache} cache_store_log none -sslcrtd_children {$sslcrtd_children} {$interception_checks} EOD; @@ -912,7 +950,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; $conf .= "logfile_rotate {$rotate}\n"; squid_install_cron(true); - $conf .= <<<EOD + $conf .= <<< EOD shutdown_lifetime 3 seconds EOD; @@ -987,7 +1025,7 @@ if(empty($settings['cache_dynamic_content'])){ } else{ if(preg_match('/youtube/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -998,7 +1036,7 @@ cache allow youtube EOC; } if(preg_match('/windows/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Windows Update refresh_pattern range_offset_limit -1 @@ -1010,7 +1048,7 @@ EOC; } if(preg_match('/symantec/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Symantec refresh_pattern range_offset_limit -1 @@ -1020,7 +1058,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re EOC; } if(preg_match('/avast/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Avast refresh_pattern range_offset_limit -1 @@ -1029,7 +1067,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i EOC; } if(preg_match('/avira/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Avira refresh_pattern range_offset_limit -1 @@ -1037,18 +1075,21 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43 EOC; } - $refresh_conf=<<<EOC + $refresh_conf=<<< EOC # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 + EOC; - } - - $conf .= <<<EOD + + If ($settings['custom_refresh_patterns'] !="") + $conf .= sq_text_area_decode($settings['custom_refresh_patterns']); + + $conf .= <<< EOD cache_mem $memory_cache_size MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} @@ -1067,11 +1108,12 @@ EOD; if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; - $conf .= 'cache deny donotcache'; + $conf .= "cache deny donotcache\n"; } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } + $conf .= "cache allow all\n"; return $conf.$refresh_conf; } @@ -1133,7 +1175,7 @@ function squid_resync_nac() { $addtl_sslports = $settings['addtl_sslports']; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); - $conf = <<<EOD + $conf = <<< EOD # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. @@ -1152,7 +1194,6 @@ acl connect method CONNECT acl HTTP proto HTTP acl HTTPS proto HTTPS - EOD; $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); @@ -1187,7 +1228,7 @@ EOD; } } - $conf .= <<<EOD + $conf .= <<< EOD http_access allow manager localhost EOD; @@ -1204,7 +1245,7 @@ EOD; } } - $conf .= <<<EOD + $conf .= <<< EOD http_access deny manager http_access allow purge localhost @@ -1262,7 +1303,7 @@ function squid_resync_antivirus(){ $clwarn="clwarn.cgi.pt_BR"; copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi"); - $conf = <<<EOF + $conf = <<< EOF icap_enable on icap_send_client_ip {$icap_send_client_ip} icap_send_client_username {$icap_send_client_username} @@ -1412,7 +1453,7 @@ function squid_resync_traffic() { $perhost = -1; else $perhost *= 1024; - $conf .= <<<EOD + $conf .= <<< EOD delay_pools 1 delay_class 1 2 delay_parameters 1 $overall/$overall $perhost/$perhost @@ -1608,23 +1649,23 @@ function squid_resync_auth() { $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/baisc_ncsa_auth ' . SQUID_PASSWD . "\n"; break; case 'ldap': $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; break; case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } - $conf .= <<<EOD + $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt auth_param basic credentialsttl $auth_ttl minutes @@ -1788,7 +1829,7 @@ function squid_print_javascript_auth() { // No authentication for transparent proxy if ($transparent_proxy) { - $javascript = <<<EOD + $javascript = <<< EOD <script language="JavaScript"> <!-- function on_auth_method_changed() { @@ -1816,7 +1857,7 @@ function on_auth_method_changed() { EOD; } else { - $javascript = <<<EOD + $javascript = <<< EOD <script language="JavaScript"> <!-- function on_auth_method_changed() { diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index 25c1b212..dbaf0895 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -401,11 +401,17 @@ <size>3</size> </field> <field> - <fielddescr>sslcrtd adapt</fielddescr> + <fielddescr>Certificate adapt</fielddescr> <fieldname>interception_adapt</fieldname> - <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> - <type>input</type> - <size>70</size> + <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> + <type>select</type> + <options> + <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option> + <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option> + <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option> + </options> + <multiple/> + <size>3</size> </field> <field> <name>Logging Settings</name> diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml index 9d982dcb..26d6463c 100755 --- a/config/squid3/33/squid_cache.xml +++ b/config/squid3/33/squid_cache.xml @@ -284,7 +284,16 @@ </options> <multiple/> <size>06</size> - </field> + </field> + <field> + <fielddescr>Custom refresh_patterns</fielddescr> + <fieldname>custom_refresh_patterns</fieldname> + <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description> + <type>textarea</type> + <cols>67</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> </fields> <custom_php_command_before_form> if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { diff --git a/pkg_config.8.xml b/pkg_config.8.xml index de39724d..cbaa5ea2 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -1272,7 +1272,7 @@ <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>3.3.4 pkg 2.1</version> + <version>3.3.4 pkg 2.1.1</version> <status>beta</status> <required_version>2.0</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> @@ -1280,10 +1280,11 @@ <depends_on_package>squid-3.3.4.tbz</depends_on_package> <depends_on_package>libltdl-2.4.2.tbz</depends_on_package> <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> <build_pbi> <ports_before>www/libwww</ports_before> <port>www/squid33</port> - <ports_after>www/squid_radius_auth security/clamav www/squidclamav</ports_after> + <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss</ports_after> </build_pbi> <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> <config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 87c92f4c..bc44aa70 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -1259,7 +1259,7 @@ <pkginfolink>http://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>3.3.4 pkg 2.1</version> + <version>3.3.4 pkg 2.1.1</version> <status>beta</status> <required_version>2.0</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> @@ -1267,10 +1267,11 @@ <depends_on_package>squid-3.3.4.tbz</depends_on_package> <depends_on_package>libltdl-2.4.2.tbz</depends_on_package> <depends_on_package>libwww-5.4.0_4.tbz</depends_on_package> + <depends_on_package>ca_root_nss-3.14.1.tbz</depends_on_package> <build_pbi> <ports_before>www/libwww</ports_before> <port>www/squid33</port> - <ports_after>www/squid_radius_auth security/clamav www/squidclamav</ports_after> + <ports_after>www/squid_radius_auth security/clamav www/squidclamav security/ca_root_nss</ports_after> </build_pbi> <build_options>c-icap_UNSET=IPV6 squid33_UNSET=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI ECAP SNMP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid33_SET=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD</build_options> <config_file>http://www.pfsense.org/packages/config/squid3/33/squid.xml</config_file> |