-rw-r--r--packages/squid_auth.inc160
-rw-r--r--packages/squid_ng.inc684
-rw-r--r--packages/squid_ng.xml33
3 files changed, 496 insertions, 381 deletions
diff --git a/packages/squid_auth.inc b/packages/squid_auth.inc
index ae431f22..e5eb2d2a 100644
--- a/packages/squid_auth.inc
+++ b/packages/squid_auth.inc
@@ -31,21 +31,21 @@
*/
-function global_eval_auth_options(){
+function global_eval_auth_options()
+{
+ global $config;
conf_mount_rw();
config_lock();
- global $config;
-
- $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
-
- switch ($auth_method) {
+ switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) {
case "none":
dynamic_auth_content("pkg_edit");
dynamic_no_auth();
break;
case "local_auth":
dynamic_auth_content("pkg");
+ /* create empty passwd file to prevent stat error with squid reload */
+ touch ("/usr/local/etc/squid/advanced/ncsa/passwd");
dynamic_local_auth();
break;
case "ldap_bind":
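Review bot: The new `touch("/usr/local/etc/squid/advanced/ncsa/passwd")` on L35 creates the NCSA password file with whatever mode the process umask yields and never checks the result, so the file that will hold proxy credential hashes may end up world-readable, or silently not be created if the ncsa directory does not exist yet (its creation is not visible in this diff). Since the generated squid.conf in squid_ng.inc sets `cache_effective_user squid`, something like `$passwd = "/usr/local/etc/squid/advanced/ncsa/passwd"; if (!file_exists($passwd)) { touch($passwd); chmod($passwd, 0640); chgrp($passwd, "squid"); }` restricts the file while keeping the helper able to read it; confirm owner and group against how `mod_htpasswd()` writes the file. `global_eval_auth_options` starts before this hunk and continues after it.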
@@ -54,62 +54,31 @@ function global_eval_auth_options(){
break;
case "domain_auth":
$filecontents = file('/usr/local/pkg/squid_auth.xml');
-
- $fout = fopen("/usr/local/pkg/squid_auth.xml","w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
-
+ dynamic_auth_content("pkg_edit");
dynamic_domain_auth();
break;
case "radius_auth":
$filecontents = file('/usr/local/pkg/squid_auth.xml');
-
- $fout = fopen("/usr/local/pkg/squid_auth.xml","w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
-
+ dynamic_auth_content("pkg_edit");
dynamic_radius_auth();
break;
default:
$filecontents = file('/usr/local/pkg/squid_auth.xml');
-
- $fout = fopen("/usr/local/pkg/squid_auth.xml","w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
- }
- }
-
+ dynamic_auth_content("pkg_edit");
dynamic_no_auth();
break;
}
- conf_mount_ro();
config_unlock();
+ conf_mount_ro();
} /* end function global_eval_auth_options */
function dynamic_no_auth() {
- conf_mount_rw();
- config_lock();
-
global $config;
-
- $pkgfile = "/usr/local/pkg/squid_extauth.xml";
-
- $fout = fopen($pkgfile, "w");
+ conf_mount_rw();
+
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n");
fwrite($fout, "<packagegui>\n");
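Review bot: The `$filecontents = file('/usr/local/pkg/squid_auth.xml')` reads on L42, L57 and L72 are now dead, because the rewrite loops that consumed them were removed and `dynamic_auth_content("pkg_edit")` re-reads the files itself; the three lines should go. In `dynamic_no_auth`, the `fopen(..., "w")` result on L102 is handed straight to `fwrite` without a `=== false` check, so a failed open (filesystem still read-only, missing directory) only emits warnings and returns with the filesystem left mounted read-write; the same unchecked pattern appears at L121, L158, L213, L245, L303, L339 and L749. A guard such as `if ($fout === false) { conf_mount_ro(); return; }` right after the open would cover it. `global_eval_auth_options` begins before this hunk and `dynamic_no_auth` continues past it.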
@@ -175,23 +144,22 @@ function dynamic_no_auth() {
fwrite($fout, "</packagegui>\n");
fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
}
function dynamic_local_auth() {
- conf_mount_rw();
- config_lock();
-
global $config;
+ conf_mount_rw();
- $pkgfile = "/usr/local/pkg/squid_extauth.xml";
-
- $fout = fopen($pkgfile, "w");
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n");
fwrite($fout, "\n");
fwrite($fout, "<packagegui>\n");
fwrite($fout, " <name>squidextlocalauth</name>\n");
- fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
fwrite($fout, " <version>2.5.10_4</version>\n");
fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n");
fwrite($fout, "\n");
@@ -293,9 +261,7 @@ function dynamic_local_auth() {
fwrite($fout, " <custom_add_php_command_late>\n");
fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n");
fwrite($fout, "\n");
- fwrite($fout, ' if ($password == $confirm_password) { ' . "\n");
- fwrite($fout, " mod_htpasswd();\n");
- fwrite($fout, " }\n");
+ fwrite($fout, " mod_htpasswd();\n");
fwrite($fout, " global_write_squid_config();\n");
fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n");
fwrite($fout, " </custom_add_php_command_late>\n");
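Review bot: Dropping the `if ($password == $confirm_password)` guard around `mod_htpasswd()` in the emitted `custom_add_php_command_late` (L135–L138) means the hook now updates the htpasswd file even when the two password fields disagree, unless `mod_htpasswd()` itself performs that comparison — it lives in squid_ng.inc and is not part of this diff, so please confirm. If it does not, keep the check in the generated code, e.g. `fwrite($fout, ' if ($password === $confirm_password) { mod_htpasswd(); }' . "\n");`, or move the comparison into `mod_htpasswd()` so every generator shares it. `dynamic_local_auth` starts and ends outside this hunk.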
@@ -304,19 +270,15 @@ function dynamic_local_auth() {
fclose($fout);
+ /* mount filesystem read-only */
conf_mount_ro();
- config_unlock();
-} /* end function dynamic_local_auth */
+}
function dynamic_ldap_auth() {
- conf_mount_rw();
- config_lock();
-
global $config;
+ conf_mount_rw();
- $pkgfile = "/usr/local/pkg/squid_extauth.xml";
-
- $fout = fopen($pkgfile, "w");
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n");
fwrite($fout, "\n");
@@ -374,7 +336,7 @@ function dynamic_ldap_auth() {
fwrite($fout, " <field>\n");
fwrite($fout, " <fielddescr>Base DN</fielddescr>\n");
fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n");
- fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: "ou=users,o=company" will search for users in and under the specified company.</description>\n");
+ fwrite($fout, ' <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: "ou=users,o=company" will search for users in and under the specified company.</description>' . "\n");
fwrite($fout, " <type>input</type>\n");
fwrite($fout, " <size>50</size>\n");
fwrite($fout, " </field>\n");
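Review bot: The quoting fix on L166 is right (the bare `"` inside a double-quoted PHP string was a parse error), but the emitted description still reads `(OUs)will` with the space missing; while the line is being rewritten anyway, change it to `(OUs) will`. `dynamic_ldap_auth` begins and ends outside this hunk.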
@@ -428,57 +390,59 @@ function dynamic_ldap_auth() {
fwrite($fout, " <custom_add_php_command_late>\n");
fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n");
fwrite($fout, "\n");
- fwrite($fout, " if ($password == $confirm_password) {\n");
- fwrite($fout, ' mwexec("/usr/bin/htpasswd -b /usr/local/etc/squid/advanced/ncsa/passwd "' . $username . " " . $password . "\n");
- fwrite($fout, " }\n");
+ fwrite($fout, " mod_htpasswd();\n");
fwrite($fout, "\n");
fwrite($fout, " global_write_squid_config();\n");
fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n");
fwrite($fout, " </custom_add_php_command_late>\n");
fwrite($fout, "\n");
fwrite($fout, "</packagegui>\n");
+
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
}
/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */
function dynamic_auth_content($pkgvar) {
-
- if ($pkgvar == "pkg") {
- if ($handle = opendir('/usr/local/pkg')) {
- while (($file = readdir($handle)) != false) {
- if (stristr($file, "squid_") && stristr($file, ".xml")) {
-
- $filecontents = file("/usr/local/pkg/" . $file);
-
- $fout = fopen("/usr/local/pkg/" . $file,"w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
+
+ switch ($pkgvar) {
+ case "pkg":
+ if ($handle = opendir('/usr/local/pkg')) {
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
+ $filecontents = file("/usr/local/pkg/" . $file);
+ $fout = fopen("/usr/local/pkg/" . $file, "w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+ fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ } else {
+ fwrite($fout, $line);
+ }
}
}
}
- }
- }
- } else {
+ }
+ break;
+
+ case "pkg_edit":
if ($handle = opendir('/usr/local/pkg')) {
- while (($file = readdir($handle)) != false) {
- if (stristr($file, "squid_") && stristr($file, ".xml")) {
-
- $filecontents = file("/usr/local/pkg/" . $file);
-
- $fout = fopen("/usr/local/pkg/" . $file,"w");
- foreach($filecontents as $line) {
- if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
- fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
- } else {
- fwrite($fout, $line);
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
+ $filecontents = file("/usr/local/pkg/" . $file);
+ $fout = fopen("/usr/local/pkg/" . $file,"w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ } else {
+ fwrite($fout, $line);
+ }
}
}
}
}
- }
+ break;
}
-} /* end function dynamic_auth_content */
-
-?> \ No newline at end of file
+
+} /* end function dynamic_auth_content */ \ No newline at end of file
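Review bot: Both branches of the rewritten `dynamic_auth_content` (L209–L227 and L230–L257) open each `squid_*.xml` with `fopen(..., "w")` but never `fclose($fout)`, and `closedir($handle)` is never called, so a handle is leaked per file and buffered writes are only flushed at request shutdown; add `fclose($fout);` after each `foreach` and `closedir($handle);` after each `while`. The loop condition `readdir($handle) != false` on L210 and L242 should be `!== false`, since a directory entry named `0` compares loosely equal to false and ends the scan early. The two cases differ only in the two URL strings, so a private helper taking the search and replacement strings would remove the duplicated block. `dynamic_ldap_auth` at the top of the hunk starts before it.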
diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc
index 8c32ccf5..47a19635 100644
--- a/packages/squid_ng.inc
+++ b/packages/squid_ng.inc
@@ -31,12 +31,12 @@
*/
-function global_write_squid_config() {
+function global_write_squid_config()
+{
+ global $config;
conf_mount_rw();
config_lock();
-
- global $config;
-
+
/* define squid configuration file in variable for replace function */
$squidconfig = "/usr/local/etc/squid/squid.conf";
@@ -109,217 +109,295 @@ function global_write_squid_config() {
$bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
$bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+ /* squid_extauth.xml (radius) values */
+ $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
+ $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
+ $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
+ $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
+
/* static variable assignments for directory mapping */
$acldir = "/usr/local/etc/squid/advanced/acls";
$ncsadir = "/usr/local/etc/squid/advanced/ncsa";
$ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
$radiusdir = "/usr/local/etc/squid/advanced/radius";
-
- $fout = fopen($squidconfig,"w");
-
- /* option: shutdown_lifetime */
- fwrite($fout, "shutdown_lifetime 5 seconds\n");
- fwrite($fout, "\n");
+
+ $fout = fopen($squidconfig, "w");
+
+ $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
- /* option: icp_port */
- if($icp_port == "") $icp_port="3130";
- fwrite($fout, "icp_port " . $icp_port . "\n");
+ if (!isset($icp_port) or ($icp_port == "")) {
+ $icp_port = "3130";
+ }
+ $config_array[] = 'icp_port ' . $icp_port . "\n";
+ unset($icp_port);
- /* option: proxy_port */
- if($proxy_port == "") $proxy_port="3128";
+ if(!isset($proxy_port) or ($proxy_port == "")) {
+ $proxy_port = "3128";
+ }
+
if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
$int = convert_friendly_interface_to_real_interface_name($active_interface);
$listen_ip = find_interface_ip($int);
- fwrite($fout, "http_port " . $listen_ip . ":" . $proxy_port . "\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
- fwrite($fout, "no_cache deny QUERY\n");
+ $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
+ $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
+ $config_array[] = 'no_cache deny QUERY' . "\n\n";
}
+ unset($proxy_port);
+
+ if (isset($domain) && ($domain !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/dst_nocache.acl","w");
- /* option: acl no cache domains */
- if (isset($domain) && $domain !== "") {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
- $aclout = fopen($acldir . "/dst_nocache.acl","w");
-
- $domain_array = split(";",$domain);
- foreach ($domain_array as $no_cache_domain) {
+ $domain_array = split("; ",$domain);
+ foreach ($domain_array as $no_cache_domain) {
fwrite($aclout, $no_cache_domain . "\n");
}
-
+
fclose($aclout);
- fwrite($fout, 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n");
- fwrite($fout, "no_cache deny no_cache_domains\n");
+ $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
+ $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
+ }
+ unset($no_cache_domain);
+ unset($domain_array);
+ unset($domain);
+
+ $config_array[] = 'cache_effective_user squid' . "\n";
+ $config_array[] = 'cache_effective_group squid' . "\n\n";
+ $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
+
+ if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
+ $memory_cache_size = "8";
+ }
+ $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
+ unset($memory_cache_size);
+
+ if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
+ $harddisk_cache_size = "500";
+ }
+
+ if (!isset($level_subdirs) or ($level_subdirs == "")) {
+ $level_subdirs = "16";
}
+
+ $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
+ unset($harddisk_cache_size);
+ unset($level_subdirs);
+
+ if (!isset($error_language) or ($error_language == "")) {
+ $error_language = "English";
+ }
+ $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
+ unset($error_language);
- fwrite($fout, "\n");
-
- fwrite($fout, "cache_effective_user squid\n");
- fwrite($fout, "cache_effective_group squid\n");
- fwrite($fout, "\n");
-
- fwrite($fout, "pid_filename /var/run/squid.pid\n");
- fwrite($fout, "\n");
-
- if ($memory_cache_size == "") $memory_cache_size="8";
- fwrite($fout, "cache_mem " . $memory_cache_size . " MB\n");
- if ($harddisk_cache_size == "") $harddisk_cache_size="500";
- if ($level_subdirs == "") $level_subdirs="16";
- fwrite($fout, "cache_dir diskd /var/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n");
- fwrite($fout, "\n");
-
- if ($error_language == "") $error_language="English";
- fwrite($fout, "error_directory /usr/local/etc/squid/errors/" . $error_language . "\n");
- fwrite($fout, "\n");
-
- if (isset($offline_mode) and ($offline_mode == "on")) {
- fwrite($fout, "offline_mode on\n");
- fwrite($fout, "\n");
+ if (isset($offline_mode) && ($offline_mode == "on")) {
+ $config_array[] = 'offline_mode on' . "\n\n";
} else {
- fwrite($fout, "offline_mode off\n");
- fwrite($fout, "\n");
+ $config_array[] = 'offline_mode off' . "\n\n";
}
- if (!isset($cache_replacement) or ($memory_replacement == "")) $memory_replacement="heap GDSF";
- fwrite($fout, "memory_replacement_policy " . $memory_replacement . "\n");
- if (!isset($cache_replacement) or ($cache_replacement == "")) $cache_replacement="heap GDSF";
- fwrite($fout, "cache_replacement_policy " . $cache_replacement . "\n");
- fwrite($fout, "\n");
+ if (!isset($memory_replacement) or ($memory_replacement == "")) {
+ $memory_replacement = "heap GDSF";
+ }
+ $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n";
+ unset($memory_replacement);
+
+ if (!isset($cache_replacement) or ($cache_replacement == "")) {
+ $cache_replacement="heap GDSF";
+ }
+ $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
+ unset($cache_replacement);
- if ($log_enabled == "on" ) {
+ if (isset($log_enabled) && ($log_enabled == "on" )) {
if (!file_exists("/var/squid/logs")) {
mwexec("mkdir -p /var/squid/logs");
mwexec("chown squid:squid /var/squid/logs");
}
- fwrite($fout, "cache_access_log /var/squid/logs/access.log\n");
- fwrite($fout, "cache_log /var/squid/logs/cache.log\n");
- fwrite($fout, "cache_store_log none\n");
+ $config_array[] = 'cache_access_log /var/squid/logs/access.log' . "\n";
+ $config_array[] = 'cache_log /var/squid/logs/cache.log' . "\n";
+ $config_array[] = 'cache_store_log none' . "\n";
} else {
- fwrite($fout, "cache_access_log /dev/null\n");
- fwrite($fout, "cache_log /dev/null\n");
- fwrite($fout, "cache_store_log none\n");
+ $config_array[] = 'cache_access_log /dev/null' . "\n";
+ $config_array[] = 'cache_log /dev/null' . "\n";
+ $config_array[] = 'cache_store_log none' . "\n";
}
+ unset($log_enabled);
- if ($log_query_terms == "on") {
- fwrite($fout, "strip_query_terms off\n");
+ if (isset($log_query_terms) && ($log_query_terms == "on")) {
+ $config_array[] = 'strip_query_terms off' . "\n";
} else {
- fwrite($fout, "strip_query_terms on\n");
+ $config_array[] = 'strip_query_terms on' . "\n";
}
+ unset($log_query_terms);
- if ($log_user_agents == "on") {
+ if (isset($log_user_agents) && ($log_user_agents == "on")) {
if (!file_exists("/var/squid/logs")) mwexec("mkdir -p /var/squid/logs");
- fwrite($fout, "useragent_log /var/squid/logs/useragent.log\n");
+ $config_array[] = 'useragent_log /var/squid/logs/useragent.log' . "\n\n";
}
- fwrite($fout, "\n");
+ unset($log_user_agents);
- fwrite($fout, "log_mime_hdrs off\n");
- fwrite($fout, "emulate_httpd_log on\n");
+ $config_array[] = 'log_mime_hdrs off' . "\n";
+ $config_array[] = 'emulate_httpd_log on' . "\n";
switch ($user_forwarding) {
case "on":
- fwrite($fout, "forwarded_for on\n");
+ $config_array[] = 'forwarded_for on' . "\n\n";
break;
case "off":
- fwrite($fout, "forwarded_for off\n");
+ $config_array[] = 'forwarded_for off' . "\n\n";
break;
default:
- fwrite($fout, "forwarded_for off\n");
+ $config_array[] = 'forwarded_for off' . "\n\n";
break;
}
- fwrite($fout, "\n");
+ unset($user_forwarding);
- if ($no_auth == "on") {
- fwrite($fout, "\n");
- }
-
switch ($auth_method) {
case "none":
break;
case "local_auth":
- fwrite($fout, "auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd\n");
- if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5";
- fwrite($fout, "auth_param basic children " . $auth_processes . "\n");
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy";
- fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n");
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60";
- fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n");
- fwrite($fout, "\n");
- fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n");
- fwrite($fout, "\n");
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
break;
case "radius_auth";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
break;
case "ldap_bind";
- /* fwrite($fout, 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"); */
- fwrite($fout, "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth");
- fwrite($fout, ' -b "' . $ldap_basedn . '"');
- fwrite($fout, ' -D "' . $bind_dn_username . '"');
- fwrite($fout, " -w " . $bind_dn_password);
- fwrite($fout, ' -f "(&(objectClass=person)(cn=%s))"');
- fwrite($fout, " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n");
-
- if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5";
- fwrite($fout, "auth_param basic children " . $auth_processes . "\n");
-
- if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy";
- fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n");
-
- if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60";
- fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n");
- fwrite($fout, "\n");
- fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n");
- fwrite($fout, "\n");
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
+ $config_array[] = ' -b "' . $ldap_basedn . '"';
+ $config_array[] = ' -D "' . $bind_dn_username . '"';
+ $config_array[] = " -w " . $bind_dn_password;
+ $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
+ $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n";
+
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
break;
case "windows_auth";
break;
- default:
- break;
}
- if (isset($throttle_binary_files) && $throttle_binary_files == "on") {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
- $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
- $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
- fwrite($throttle_out, $binary_out);
- fclose($throttle_out);
- fwrite($fout, 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n");
- } else {
- if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
+ $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
+ fwrite($throttle_out, $binary_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
}
+ unset($throttle_binary_files);
+ unset($throttle_out);
+ unset($binary_out);
- if (isset($throttle_cd_images) && $throttle_cd_images == "on") {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
$throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
fwrite($throttle_out, $cd_out);
fclose($throttle_out);
- fwrite($fout, 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n");
+ $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
} else {
- if (file_exists($acldir . "/dst_throttle_cd.acl")) unlink($acldir . "/dst_throttle_cd.acl");
+ if (file_exists($acldir . "/dst_throttle_cd.acl")) {
+ unlink($acldir . "/dst_throttle_cd.acl");
+ }
}
+ unset($throttle_cd_images);
+ unset($throttle_out);
+ unset($cd_out);
- if (isset($throttle_multimedia) && $throttle_multimedia == "on") {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
$throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
fwrite($throttle_out, $multimedia_out);
fclose($throttle_out);
- fwrite($fout, 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n");
+ $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
} else {
- if (file_exists($acldir . "/dst_throttle_multimedia.acl")) unlink($acldir . "/dst_throttle_multimedia.acl");
+ if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
+ unlink($acldir . "/dst_throttle_multimedia.acl");
+ }
}
+ unset($throttle_multimedia);
+ unset($multimedia_out);
+ unset($throttle_out);
- fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
- fwrite($fout, "\n");
+ $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
/* obtain interface subnet and address for Squid rules */
$lactive_interface = strtolower($active_interface);
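Review bot: L579 turns the previously commented-out LDAP `auth_param basic program` line into a live `$config_array` entry, and the real directive follows on L580–L585, so the generated squid.conf now contains two `auth_param basic program` lines for ldap_bind; the first one is not just a duplicate, as it uses the `/usr/local/libexec/squid_ldap_auth` path, `-u -cn`, and a stray `"` before `$ldap_server`, so the L579 element should be deleted. Separately, changing `split(";", ...)` to `split("; ", ...)` on L347 (also L767 and L796) means entries typed without a space after the semicolon are no longer split into separate ACL lines; unless the GUI enforces that exact format, `preg_split('/\s*;\s*/', $domain)` accepts both, and `split()` is the POSIX-regex function that later PHP releases deprecate. `global_write_squid_config` starts before this hunk and continues after it.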
@@ -330,45 +408,48 @@ function global_write_squid_config() {
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
$lansn = $lancfg['subnet'];
- fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n");
- fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
- fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
- fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
- fwrite($fout, "acl Safe_ports port 80 # http\n");
- fwrite($fout, "acl Safe_ports port 21 # ftp\n");
- fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
- fwrite($fout, "acl Safe_ports port 70 # gopher\n");
- fwrite($fout, "acl Safe_ports port 210 # wais\n");
- fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
- fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
- fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
- fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
- fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
- fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
- fwrite($fout, "\n");
+ $config_array[] = 'acl all src ' . $lansa . '/' . $lansn . "\n";
+ $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
+ $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
+ $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
+ $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
+ $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
+ $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
+ $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
+ $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n";
+ $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
+ $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
+ $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
+ $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
/* allow access through proxy for custom admin port */
$custom_port = $config['system']['webgui']['port'];
if (isset($custom_port) && ($custom_port !== "")) {
- fwrite($fout, "acl pf_admin_port port " . $custom_port . "\n");
+ $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
+ unset($custom_port);
} else {
$admin_protocol = $config['system']['webgui']['protocol'];
switch ($admin_protocol) {
case "http";
- fwrite($fout, "acl pf_admin_port port 80\n");
+ $config_array[] = 'acl pf_admin_port port 80' ."\n";
break;
case "https";
- fwrite($fout, "acl pf_admin_port port 443\n");
+ $config_array[] = 'acl pf_admin_port port 443' . "\n";
break;
default;
- fwrite($fout, "acl pf_admin_port port 80\n");
+ $config_array[] = 'acl pf_admin_port port 80' . "\n";
break;
}
+ unset($admin_protocol);
}
/* define override hosts as specified in squid_nac.xml */
if (isset($override_hosts) && ($override_hosts !== "")) {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$aclout = fopen($acldir . "/src_override_hosts.acl", "w");
@@ -379,280 +460,327 @@ function global_write_squid_config() {
fclose($aclout);
- fwrite($fout, 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n");
+ $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
}
+ /* clear variables */
+ unset($override_hosts_array);
+ unset($ind_override_host);
+ unset($override_hosts);
/* define subnets allowed to utilize proxy service */
if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$aclout = fopen($acldir . "/src_subnets.acl","w");
- $allowed_subnets_array = split(";",$allowed_subnets);
+ $allowed_subnets_array = split("; ",$allowed_subnets);
foreach ($allowed_subnets_array as $ind_allowed_subnets) {
fwrite($aclout, $ind_allowed_subnets . "\n");
}
- fclose($aclout);
-
- fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n");
+ fclose($aclout);
} else {
+
$aclout = fopen($acldir . "/src_subnets.acl","w");
fwrite($aclout, $lansa . "/" . $lansn . "\n");
fclose($aclout);
}
-
+
+ $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
+
+ unset($allowed_subnets_array);
+ unset($ind_allowed_subnets);
+ unset($allowed_subnets);
/* define ip addresses that have 'unrestricted' access */
if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
- $unrestricted_ip_array = split(";",$unrestricted_ip_addr);
+ $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
fwrite($aclout, $ind_unrestricted_ip . "\n");
}
fclose($aclout);
- fwrite($fout, 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n");
+ $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
}
+ unset($unrestricted_ip_array);
+ unset($unrestricted_ip_addr);
+ unset($ind_unrestricted_ip);
/* define mac addresses that have 'unrestricted' access */
if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
- $unrestricted_mac_array = split(";",$unrestricted_mac_addr);
+ $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
fwrite($aclout, $ind_unrestricted_mac . "\n");
}
fclose($aclout);
- fwrite($fout, 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n");
+ $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n";
}
+ unset($unrestricted_mac_array);
+ unset($unrestricted_mac_addr);
+ unset($ind_unrestricted_mac);
/* define ip addresses that are banned from using the proxy service */
if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
$aclout = fopen($acldir . "/src_banned_ip.acl","w");
- $banned_ip_array = split(";",$banned_ip_addr);
+ $banned_ip_array = split("; ",$banned_ip_addr);
foreach ($banned_ip_array as $ind_banned_ip) {
fwrite($aclout, $ind_banned_ip . "\n");
}
fclose($aclout);
- fwrite($fout, 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n");
+ $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
}
+ unset($banned_ip_addr);
+ unset($banned_ip_addr);
+ unset($ind_banned_ip);
/* define mac addresses that are banned from using the proxy service */
if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
- if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir);
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
- $aclout = fopen($acldir . "/src_banned_mac.acl","w");
+ $aclout = fopen($acldir . "/src_banned_mac.acl","w");
- $banned_mac_array = split(";",$banned_mac_addr);
- foreach ($banned_mac_array as $ind_banned_mac) {
- fwrite($aclout, $ind_banned_mac . "\n");
- }
+ $banned_mac_array = split("; ",$banned_mac_addr);
+ foreach ($banned_mac_array as $ind_banned_mac) {
+ fwrite($aclout, $ind_banned_mac . "\n");
+ }
fclose($aclout);
- fwrite($fout, 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n");
+ $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
}
+ unset($banned_mac_array);
+ unset($banned_mac_addr);
+ unset($ind_banned_mac);
- fwrite($fout, "acl pf_ips dst " . $lanip . "\n");
- fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n");
- fwrite($fout, "acl CONNECT method CONNECT\n");
- fwrite($fout, "\n");
+ $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
+ $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
- fwrite($fout, "#access to squid; local machine; no restrictions\n");
- if (isset($auth_method) && ($auth_method == "none")) fwrite($fout, "http_access allow localnet\n");
- fwrite($fout, "http_access allow localhost\n");
+ if (isset($auth_method) && ($auth_method == "none")) {
+ $config_array[] = 'http_access allow localnet' . "\n";
+ }
+ $config_array[] = 'http_access allow localhost' . "\n";
- if (isset($override_hosts) && ($override_hosts !== "")) fwrite($fout, "http_access allow override_hosts\n");
- fwrite($fout, "\n");
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ $config_array[] = 'http_access allow override_hosts' . "\n";
+ }
+ $config_array[] = "\n";
- fwrite($fout, "#GUI admin to allow local connections\n");
- if ($config['system']['webgui']['protocol'] == "http") fwrite($fout, "http_access allow pf_ips pf_networks pf_admin_port\n");
- if ($config['system']['webgui']['protocol'] == "https") fwrite($fout, "http_access allow CONNECT pf_ips pf_networks pf_admin_port\n");
+ switch ($config['system']['webgui']['protocol']) {
+ case "http":
+ $config_array[] = 'http_access allow pf_ips' . "\n";
+ $config_array[] = 'http_access allow pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny !pf_networks' . "\n\n";
+ break;
+ case "https":
+ $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
+ $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
+ break;
+ }
- fwrite($fout, "#Deny non web services\n");
- fwrite($fout, "http_access deny !Safe_ports\n");
- fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
- fwrite($fout, "\n");
+ $config_array[] = 'http_access deny !Safe_ports' . "\n";
+ $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
- fwrite($fout, "#Set custom configured ACLs\n");
if (isset($auth_method) && ($auth_method != "none")) {
- fwrite($fout, "http_access allow pf_networks for_inetusers within_timeframe\n");
+ $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
}
- fwrite($fout, "http_access deny all\n");
- fwrite($fout, "\n");
+ $config_array[] = 'http_access deny all' . "\n\n";
if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
- fwrite($fout, "#Set throttle and bandwidth restrictions\n");
-
- fwrite($fout, "delay_pools 1\n");
- fwrite($fout, "delay_class 1 3\n");
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
if ($dl_overall == "unlimited") {
- fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . "\n");
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
} else {
- fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . " -1/-1 -1/-1\n");
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
}
/* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n");
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
- fwrite($fout, "#delay_access 1 deny for_extended_users\n");
-
/* this will define bandwidth delay restrictions for specified throttles */
if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
- fwrite($fout, "delay_access 1 allow all for_throttled_binary\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
}
if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
- fwrite($fout, "delay_access 1 allow all for_throttled_cd\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
}
if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
- fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
} else {
- fwrite($fout, "delay_access 1 allow all\n");
+ $config_array[] = 'delay_access 1 allow all' . "\n";
}
- fwrite($fout, "delay_initial_bucket_level 100%\n\n");
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
}
if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
- fwrite($fout, "#Set throttle and bandwidth restrictions\n");
-
- fwrite($fout, "delay_pools 1\n");
- fwrite($fout, "delay_class 1 3\n");
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
if ($dl_per_host == "unlimited") {
- fwrite($fout, "delay_parameters 1 " . ($dl_per_host * 125) . "/" . ($dl_per_host * 250) . "-1/-1 -1/-1\n");
+ $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
} else {
- fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_per_host * 250) . "\n");
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
}
/* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n");
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
- fwrite($fout, "#delay_access 1 deny for_extended_users\n");
-
/* this will define bandwidth delay restrictions for specified throttles */
if ($throttle_binary_files == "on") {
- fwrite($fout, "delay_access 1 allow all for_throttled_binary\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
}
if ($throttle_cd_images == "on") {
- fwrite($fout, "delay_access 1 allow all for_throttled_cd\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
}
if ($throttle_multimedia == "on") {
- fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
} else {
- fwrite($fout, "delay_access 1 allow all\n");
+ $config_array[] = 'delay_access 1 allow all' . "\n";
}
- fwrite($fout, "delay_initial_bucket_level 100%\n\n");
- fwrite($fout, "\n");
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
}
if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
/* if no bandwidth restrictions are specified, then these parameters are not necessary */
if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
- fwrite($fout, "#Set throttle and bandwidth restrictions\n");
if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
- fwrite($fout, "delay_pools 1\n");
- fwrite($fout, "delay_class 1 3\n");
- fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_overall * 250) . "\n");
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n";
} elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
- fwrite($fout, "delay_pools 1\n");
- fwrite($fout, "delay_class 1 3\n");
- fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . " -1/-1 -1/-1\n");
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
}
}
if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
/* if no unrestricted ip addresses are defined; this line is ignored */
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n");
-
- fwrite($fout, "#delay_access 1 deny for_extended_users\n");
-
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
/* this will define bandwidth delay restrictions for specified throttles */
if ($throttle_binary_files == "on") {
- fwrite($fout, "delay_access 1 allow all for_throttled_binary\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
}
if ($throttle_cd_images == "on") {
- fwrite($fout, "delay_access 1 allow all for_throttled_cd\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
}
if ($throttle_multimedia == "on") {
- fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n");
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
} else {
- fwrite($fout, "delay_access 1 allow all\n");
+ $config_array[] = 'delay_access 1 allow all' . "\n";
}
- fwrite($fout, "delay_initial_bucket_level 100%\n\n");
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
}
}
- fwrite($fout, "#Strip HTTP Header\n");
- fwrite($fout, "header_access X-Forwarded-For deny all\n");
- fwrite($fout, "header_access Via deny all\n");
- fwrite($fout, "\n");
+ $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
+ $config_array[] = 'header_access Via deny all' . "\n\n";
/* TODO: acl customization for snmp support */
- fwrite($fout, "\n");
+ /* fwrite($fout, "\n"); */
if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
- fwrite($fout, "redirect_program /usr/sbin/squidGuard");
- fwrite($fout, "redirect_children 5");
- fwrite($fout, "\n");
+ $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
+ $config_array[] = 'redirect_children 5' . "\n\n";
}
if (isset($max_upload_size) && ($max_upload_size != "")) {
- fwrite($fout, "request_body_max_size " . $max_download_size . "KB\n");
+ $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
}
if (isset($max_download_size) && ($max_download_size != "")) {
- if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "reply_body_max_size 0 allow pf_unrestricted_ip\n");
- fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n");
- fwrite($fout, "reply_body_max_size " . $max_download_size * 1024 . " allow all\n");
- fwrite($fout, "\n");
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n";
+ /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
+ $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
}
- if ($maximum_object_size == "") $maximum_object_size="4096";
- if ($minimum_object_size == "") $minimum_object_size="0";
- fwrite($fout, "maximum_object_size " . $maximum_object_size . " KB\n");
- fwrite($fout, "minimum_object_size " . $minimum_object_size . " KB\n");
- fwrite($fout, "\n");
+ /* set default value for maximum_object_size */
+ if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
+ $maximum_object_size = "4096";
+ }
+
+ /* set default value for minimum_object_size */
+ if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
+ $minimum_object_size = "0";
+ }
+ $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
+ $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
- if ($proxy_forwarding == "on") {
- fwrite($fout, "cache_peer " . $upstream_proxy . "parent " . $upstream_proxy_port . "3130 login=" . upstream_username . ":" . upstream_password . " default no-query\n");
- fwrite($fout, "never_direct allow all\n");
+ if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
+ $config_array[] = 'cache_peer ' . $upstream_proxy . 'parent ' . $upstream_proxy_port . '3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
+ $config_array[] = 'never_direct allow all' . "\n";
}
-
- if ($transparent_proxy == "on") {
- fwrite($fout, "httpd_accel_host virtual\n");
- fwrite($fout, "httpd_accel_port 80\n");
- fwrite($fout, "httpd_accel_with_proxy on\n");
- fwrite($fout, "httpd_accel_uses_host_header on\n");
- fwrite($fout, "\n");
+ unset($proxy_forwarding);
+
+
+ /* define default ruleset for transparent proxy operation */
+ if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
+ $config_array[] = 'httpd_accel_host virtual' . "\n";
+ $config_array[] = 'httpd_accel_port 80' . "\n";
+ $config_array[] = 'httpd_accel_with_proxy on' . "\n";
+ $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
}
+ unset($transparent_proxy);
+
+ /* define visible hostname */
if (isset($visible_hostname) && ($visible_hostname !== "")) {
- fwrite($fout, "visible_hostname " . $visible_hostname . "\n");
+ $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
}
+ unset($visible_hostname);
+ /* define cache administrators email address within error messages */
if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
- fwrite($fout, "cache_mgr " . $cache_admin_email . "\n");
- fwrite($fout, "\n");
+ $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n";
}
-
+ unset($cache_admin_email);
+
+ /* write configuration file */
+ foreach ($config_array as $config_item)
+ {
+ fwrite($fout, trim($config_item));
+
+ if (stristr($config_item, "\n"))
+ {
+ for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
+ {
+ fwrite($fout, "\n");
+ }
+ }
+
+ }
fclose($fout);
conf_mount_ro();
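Review bot: The GUI-access rules at L890–L901 are weaker than the ones they replace: `http_access allow pf_ips` and `http_access allow pf_admin_port` are now independent first-match rules, so any client that reaches the proxy is allowed to the firewall's LAN address on any port, and to any destination on the admin port, before `deny !Safe_ports`, `deny CONNECT !SSL_ports` and the authenticated `allow pf_networks for_inetusers within_timeframe` rule are evaluated (for https this means unauthenticated CONNECT tunnels to the LAN IP on any port and to any host on 443); the removed lines required src pf_networks, dst pf_ips and dst port pf_admin_port to match together. Unless the wider access is intended, keep the conjunction — `http_access allow pf_networks pf_ips pf_admin_port` for http and `http_access allow CONNECT pf_networks pf_ips pf_admin_port` for https — and drop the separate `deny !pf_networks` lines, since `http_access deny all` at L915 already closes the policy. Separately, the cache_peer directive at L1090 concatenates `$upstream_proxy . 'parent '` and `$upstream_proxy_port . '3130'` without separating spaces and uses the barewords `upstream_username`/`upstream_password` instead of variables, so it cannot produce a valid line; and L932 emits `delay_access 1 deny pf_unrestricted_ip` when the unrestricted list is empty, i.e. exactly when that ACL is not defined (compare L970). global_write_squid_config begins before this hunk.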
@@ -662,15 +790,15 @@ function global_write_squid_config() {
} /* end function write_squid_config */
function mod_htpasswd() {
+ global $config;
conf_mount_rw();
config_lock();
- global $config;
if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
$passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+");
- if($config['installedpackages']['squidextlocalauth']['config'] != "") {
+ if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") {
foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) {
$encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']);
fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n");
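Review bot: The NCSA passwd file opened at L1151 is created with the process umask and never chmod'ed, so the password hashes written at L1156 may end up world-readable; after the writes add `chmod("/usr/local/etc/squid/advanced/ncsa/passwd", 0640);` (and chown it to the account the auth helper runs as, which is not visible here). The username is also written unescaped, so a value containing `:` or a newline produces a malformed or extra record; reject such names before the fwrite, e.g. `if (preg_match('/[:\r\n]/', $rowhelper['username'])) { continue; }`, ideally with a log line so the omission is visible. mod_htpasswd continues past the end of this hunk, so the existing fclose/chmod handling there could not be checked.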
diff --git a/packages/squid_ng.xml b/packages/squid_ng.xml
index 06a86634..ddb19bf8 100644
--- a/packages/squid_ng.xml
+++ b/packages/squid_ng.xml
@@ -271,9 +271,10 @@
fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n");
fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
+ fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
fwrite($fout, "acl Safe_ports port 80 # http\n");
fwrite($fout, "acl Safe_ports port 21 # ftp\n");
- fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n");
+ fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
fwrite($fout, "acl Safe_ports port 70 # gopher\n");
fwrite($fout, "acl Safe_ports port 210 # wais\n");
fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
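Review bot: Port 873 does not belong in SSL_ports (L1165): the rsync daemon speaks plaintext, not TLS, so listing it there lets any client that passes the later allow rules open a raw CONNECT tunnel to arbitrary rsync servers through the proxy, whereas squid's shipped default limits SSL_ports to 443 (historically also 563). If rsync-through-proxy is a real requirement, gate it with a destination ACL instead of opening the port globally; otherwise keep `fwrite($fout, "acl SSL_ports port 443 563 # https, snews\n");`. The same list is duplicated in squid_ng.inc at L707 and L710, so whichever decision is taken both copies need to agree. The enclosing function begins and ends outside this hunk.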
@@ -294,7 +295,7 @@
fwrite($fout, "#Deny non web services\n");
fwrite($fout, "http_access deny !Safe_ports\n");
- fwrite($fout, "http_access deny CONNECT\n");
+ fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
fwrite($fout, "\n");
fwrite($fout, "#Set custom configured ACLs\n");
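Review bot: The static configuration now permits CONNECT tunnels to every SSL_ports entry, where the removed line at L1176 denied CONNECT outright; since this block appears to write the initial/transparent configuration, confirm that opening CONNECT here is intended rather than a copy of the squid_ng.inc rule set. If it is intended, record the decision above L1177 with a comment such as `# CONNECT is permitted only to SSL_ports (see acl above); tunnels to other ports are denied`, because a reader comparing the two configs will otherwise assume one of them is wrong. The enclosing function begins and ends outside this hunk.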
@@ -333,10 +334,12 @@
<custom_php_install_command>
write_static_squid_config(); <!-- write initial static config for transparent proxy -->
+ touch("/tmp/custom_php_install_command">
+
update_output_window("Creating Proxy Server initialization scripts...");
$fout = fopen("/usr/local/etc/rc.d/squid.sh","w");
fwrite($fout, "#!/bin/sh\n");
- fwrite($fout, "#$pfSense: /usr/local/sbin/rc.d/squid.sh\n\n");
+ fwrite($fout, "#: /usr/local/etc/rc.d/squid.sh\n\n");
fwrite($fout, "touch /tmp/ro_root_mount\n");
fwrite($fout, "/usr/local/sbin/squid -D\n");
fwrite($fout, "touch /tmp/filter_dirty\n");
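Review bot: `touch("/tmp/custom_php_install_command">` at L1183 is not valid PHP (the call is terminated with `>` instead of `);`), so the whole install command block fails to parse and nothing after it — the rc.d script, the chown calls, the cache initialisation — will run; write `touch("/tmp/custom_php_install_command");`, or remove the marker if it was a debugging aid. The rc.d script created at L1186 is written with the process umask and no chmod making it executable is visible in this hunk; confirm one follows below. The install command block's closing tag is outside this hunk.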
@@ -358,7 +361,6 @@
}
mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
-
if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
}
@@ -379,6 +381,17 @@
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
+ <-- EmanuelG: update pf group ownership settings to enhance squid performance and correct issue relating -->
+ <-- to error message: parseHttpRequest: PF open failed: (13) Permission denied -->
+ mwexec("chgrp squid /dev/pf");
+ mwexec("chmod g+rw /dev/pf");
+
+ $devfs_file = fopen("/etc/devfs.conf", "a");
+ fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable.
+ fwrite($devfs_file, "own pf root:squid");
+ fwrite($devfs_file, "perm pf 0640");
+ fclose($devfs_file);
+
update_output_window("Initializing Cache... This may take a moment...");
mwexec("/usr/local/sbin/squid -z");
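Review bot: The packet-filter permissions in this hunk are inconsistent and the devfs.conf append is broken: `chmod g+rw /dev/pf` at L1206 gives the squid group write access to the firewall device (enough to alter rules and state if the squid account is compromised), while the persistent `perm pf 0640` at L1211 grants read only, and the fwrite calls at L1209–L1211 lack a closing quote and newlines, so devfs.conf receives one concatenated line `own pf root:squidperm pf 0640`. Unless the transparent-proxy lookup is known to need write access, match the narrower mode at install time as well; the append should also be guarded so reinstalls do not duplicate the entries, and `<-- … -->` at L1203–L1204 is not a valid XML comment (`<!-- … -->`). The install command block's closing tag is outside this hunk.
```php
<!-- Let squid query the packet filter: group read on /dev/pf, persisted via devfs.conf -->
mwexec("chgrp squid /dev/pf");
mwexec("chmod g+r /dev/pf");

if (strpos(@file_get_contents("/etc/devfs.conf"), "own pf root:squid") === false) {
    $devfs_file = fopen("/etc/devfs.conf", "a");
    fwrite($devfs_file, "\n# Allow squid to query the packet filter by making it group-accessible.\n");
    fwrite($devfs_file, "own pf root:squid\n");
    fwrite($devfs_file, "perm pf 0640\n");
    fclose($devfs_file);
}
/* … unchanged: cache initialisation … */
```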
@@ -389,9 +402,19 @@
<custom_php_deinstall_command>
update_output_window("Stopping proxy service...");
- mwexec("/usr/local/sbin/squid -k shutdown");
+
+ do while ((file_exists("/var/run/squid.pid") or ($i == 30)) {
+ mwexec("/usr/local/sbin/squid -k shutdown");
+ $i++;
+ }
+
+ if ($i == 30) {
+ $pid = shell_exec('nohup squid > /dev/null & echo $!');
+ shell_exec('kill -9 ' . $pid . '/dev/null');
+ }
update_output_window("Recursively removing directories hierarchies...");
+ update_output_window("If existant, log files in /var/squid/logs will remain...");
mwexec("rm -rf /usr/local/squid");
mwexec("rm -rf /var/squid/cache");
mwexec("rm -rf /usr/local/etc/squid");
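Review bot: The forced-stop path at L1226–L1229 never stops the running proxy: `shell_exec('nohup squid > /dev/null & echo $!')` launches a new squid instance and returns that PID, which the next line then kills (and `'kill -9 ' . $pid . '/dev/null'` lacks the `>` redirection), so the original process keeps running while its config and cache are removed. The loop above it is also not valid PHP (`do while` with unbalanced parentheses), `$i` is never initialised, the `or ($i == 30)` condition keeps looping at the limit instead of stopping, and there is no delay between retries. Use the pid file squid itself maintains and let squid deliver the kill signal. The deinstall command block's closing tag is outside this hunk.
```php
mwexec("/usr/local/sbin/squid -k shutdown");
/* wait up to 30 s for the running instance to exit and remove its pid file */
$i = 0;
while (file_exists("/var/run/squid.pid") && $i < 30) {
    sleep(1);
    $i++;
}
if (file_exists("/var/run/squid.pid")) {
    /* graceful shutdown did not finish; force-stop the instance named in the pid file */
    mwexec("/usr/local/sbin/squid -k kill");
}
/* … unchanged: update_output_window() messages and rm -rf cleanup … */
```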