31 files changed, 3141 insertions, 2580 deletions
diff --git a/config/squid/squid.inc b/config/squid/squid.inc index 5a0946bb..4cfb9af8 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -926,6 +926,16 @@ EOD; function squid_resync_auth() { global $config, $valid_acls; + if (!is_array($config['installedpackages']['squidauth'])) { + $config['installedpackages']['squidauth']['config'][0] = array(); + } + if (!is_array($config['installedpackages']['squidnac'])) { + $config['installedpackages']['squidnac']['config'][0] = array(); + } + if (!is_array($config['installedpackages']['squid'])) { + $config['installedpackages']['squid']['config'][0] = array(); + } + $settings = $config['installedpackages']['squidauth']['config'][0]; $settingsnac = $config['installedpackages']['squidnac']['config'][0]; $settingsconfig = $config['installedpackages']['squid']['config'][0]; diff --git a/config/squid3/34/check_ip.php b/config/squid3/34/check_ip.php index 5865037b..2fb43339 100644 --- a/config/squid3/34/check_ip.php +++ b/config/squid3/34/check_ip.php @@ -1,9 +1,10 @@ #!/usr/local/bin/php -q <?php -/* $Id$ */ /* check_ip.php + part of pfSense (https://www.pfSense.org/) Copyright (C) 2013-2015 Marcello Coutinho + Copyright (C) 2015 ESF, LLC All rights reserved. Redistribution and use in source and binary forms, with or without 
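Review bot: The three guards added to squid_resync_auth() test `$config['installedpackages']['squidauth']` (and `squidnac`, `squid`), but the lines right after them read `['config'][0]`, so a section that exists as an array without a `config` entry still produces an undefined index. Test the element that is actually read, e.g. `if (!is_array($config['installedpackages']['squidauth']['config'])) {`, and the same for the other two. The function body continues outside the hunk.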
@@ -29,43 +30,45 @@ */ require_once("config.inc"); error_reporting(0); +global $g; // stdin loop -if (! defined(STDIN)) { - define("STDIN", fopen("php://stdin", "r")); +if (!defined(STDIN)) { + define("STDIN", fopen("php://stdin", "r")); +} +if (!defined(STDOUT)) { + define("STDOUT", fopen('php://stdout', 'w')); +} +while (!feof(STDIN)) { + $line = trim(fgets(STDIN)); } -if (! defined(STDOUT)){ - define("STDOUT", fopen('php://stdout', 'w')); - } -while( !feof(STDIN)){ - $line = trim(fgets(STDIN)); - // %SRC unset($cp_db); -$files=scandir($g['vardb_path']); -foreach ($files as $file){ - if (preg_match("/captive.*db/",$file)){ - $result=squid_cp_read_db("{$g['vardb_path']}/{$file}"); - foreach ($result as $rownum => $row){ - $cp_db[$rownum]=implode(",",$row); - } +$files = scandir($g['vardb_path']); +foreach ($files as $file) { + if (preg_match("/captive.*db/", $file)) { + $result = squid_cp_read_db("{$g['vardb_path']}/{$file}"); + foreach ($result as $rownum => $row) { + $cp_db[$rownum] = implode(",", $row); } } - $usuario=""; - //1419045939,1419045939,2000,2000,192.168.10.11,192.168.10.11,08:00:27:5c:e1:ee,08:00:27:5c:e1:ee,marcello,marcello,605a1f46e2d64556,605a1f46e2d64556,,,,,,,,,,,first,first - if (is_array($cp_db)){ - foreach ($cp_db as $cpl){ - $fields=explode(",",$cpl); - if ($fields[4] != "" && $fields[4]==$line) - $usuario=$fields[8]; - } - } - if ($usuario !="") - $resposta="OK user={$usuario}"; - else - $resposta="ERR"; - fwrite (STDOUT, "{$resposta}\n"); - unset($cp_db); + $usuario = ""; + //1419045939,1419045939,2000,2000,192.168.10.11,192.168.10.11,08:00:27:5c:e1:ee,08:00:27:5c:e1:ee,marcello,marcello,605a1f46e2d64556,605a1f46e2d64556,,,,,,,,,,,first,first + if (is_array($cp_db)) { + foreach ($cp_db as $cpl) { + $fields = explode(",", $cpl); + if ($fields[4] != "" && $fields[4] == $line) { + $usuario = $fields[8]; + } + } + } + if ($usuario != "") { + $resposta = "OK user={$usuario}"; + } else { + $resposta = "ERR"; + } + fwrite(STDOUT, 
"{$resposta}\n"); + unset($cp_db); } /* read captive portal DB into array */ @@ -75,14 +78,13 @@ function squid_cp_read_db($file) { if ($DB) { $response = $DB->query("SELECT * FROM captiveportal"); if ($response != FALSE) { - while ($row = $response->fetchArray()) + while ($row = $response->fetchArray()) { $cpdb[] = $row; + } } $DB->close(); } - return $cpdb; } ?> - diff --git a/config/squid3/34/pkg_squid.inc b/config/squid3/34/pkg_squid.inc index 47b64e2d..8439fa5f 100644 --- a/config/squid3/34/pkg_squid.inc +++ b/config/squid3/34/pkg_squid.inc @@ -8,4 +8,4 @@ $shortcuts['squid']['log'] = "squid_monitor.php"; $shortcuts['squid']['status'] = "status_services.php"; $shortcuts['squid']['service'] = "squid"; -?>
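Review bot: As the markers read on this page, the unchanged `}` after the added `$line = trim(fgets(STDIN));` now closes the `while (!feof(STDIN))` loop, so the captive-portal lookup and the `fwrite(STDOUT, ...)` reply no longer run once per input line. The old code opened the loop after the STDOUT guard and closed it after `unset($cp_db)`. A Squid external ACL helper has to answer every request line, so the loop should again enclose everything down to the final `unset($cp_db);`; confirm against the real file, since the page has lost its indentation. Separately, `defined(STDIN)` passes the constant's value rather than its name (`defined('STDIN')` is the intended test), and `error_reporting(0)` hides the resulting warning. The user name from `$fields[8]` is written into `OK user=...` unencoded; encoding it, for example `rawurlencode($usuario)`, keeps whitespace in a name from adding extra tokens to the helper reply.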
\ No newline at end of file +?> diff --git a/config/squid3/34/sqpmon.sh b/config/squid3/34/sqpmon.sh index 244b3b61..48854565 100644 --- a/config/squid3/34/sqpmon.sh +++ b/config/squid3/34/sqpmon.sh @@ -1,8 +1,10 @@ #!/bin/sh # $Id$ */ # -# sqpmon.sh -# Copyright (C) 2006 Scott Ullrich +# sqpmon.sh +# part of pfSense (https://www.pfSense.org/) +# Copyright (C) 2006 Scott Ullrich +# Copyright (C) 2015 ESF, LLC # All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -27,8 +29,8 @@ # POSSIBILITY OF SUCH DAMAGE. # -if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then - exit 0 +if [ `/bin/pgrep -f "sqpmon.sh" | /usr/bin/wc -l` -ge 1 ]; then + exit 0 fi set -e @@ -36,7 +38,7 @@ set -e LOOP_SLEEP=55 if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm + /bin/rm -f /var/run/squid_alarm fi # Sleep 5 seconds on startup not to mangle with existing boot scripts. 
@@ -44,32 +46,32 @@ sleep 5 # Squid monitor 1.2 while [ /bin/true ]; do - if [ ! -f /var/run/squid_alarm ]; then - NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -lt 1 ]; then - # squid is down - echo "Squid has exited. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm - /usr/local/etc/rc.d/squid.sh start - sleep 3 - echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - touch /var/run/squid_alarm - fi - fi - NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -gt 0 ]; then - if [ -f /var/run/squid_alarm ]; then - echo "Squid has resumed. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - rm /var/run/squid_alarm - fi - fi - sleep $LOOP_SLEEP + if [ ! -f /var/run/squid_alarm ]; then + NUM_PROCS=`/bin/ps auxw | /usr/bin/grep "[s]quid -f" | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/awk '{ print $1 }'` + if [ $NUM_PROCS -lt 1 ]; then + # squid is down + echo "Squid has exited. Reconfiguring filter." | \ + /usr/bin/logger -p daemon.info -i -t Squid_Alarm + echo "Attempting restart..." | /usr/bin/logger -p daemon.info -i -t Squid_Alarm + /usr/local/etc/rc.d/squid.sh start + sleep 3 + echo "Reconfiguring filter..." | /usr/bin/logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + touch /var/run/squid_alarm + fi + fi + NUM_PROCS=`/bin/ps auxw | /usr/bin/grep "[s]quid -f" | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/awk '{ print $1 }'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/squid_alarm ]; then + echo "Squid has resumed. Reconfiguring filter." 
| \ + /usr/bin/logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + /bin/rm -f /var/run/squid_alarm + fi + fi + sleep $LOOP_SLEEP done if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm + /bin/rm -f /var/run/squid_alarm fi diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 665c0d7c..e906a1bb 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -1,12 +1,13 @@ <?php -/* $Id$ */ /* squid.inc + part of pfSense (https://www.pfSense.org/) Copyright (C) 2006-2009 Scott Ullrich Copyright (C) 2006 Fernando Lemos Copyright (C) 2012 Martin Fuchs Copyright (C) 2012-2014 Marcello Coutinho Copyright (C) 2013 Gekkenhuis + Copyright (C) 2015 ESF, LLC All rights reserved. Redistribution and use in source and binary forms, with or without @@ -30,7 +31,6 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ - require_once('globals.inc'); require_once('config.inc'); require_once('util.inc'); @@ -38,13 +38,14 @@ require_once('pfsense-utils.inc'); require_once('pkg-utils.inc'); require_once('service-utils.inc'); -if (!function_exists("filter_configure")) +if (!function_exists("filter_configure")) { require_once("filter.inc"); +} $shortcut_section = "squid"; global $pfs_version; -$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); +$pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3); if ($pfs_version == "2.1" || $pfs_version == "2.2") { define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m")); define('SQUID_LOCALBASE', SQUID_BASE . "/local"); 
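Review bot: The monitor loop now calls `ps`, `grep`, `awk`, `wc`, `logger` and `rm` by absolute path, but `touch /var/run/squid_alarm` and the `sleep` calls in the same hunk are still resolved through PATH, so the hardening is only partial. For consistency use `/usr/bin/touch /var/run/squid_alarm` and `/bin/sleep $LOOP_SLEEP`, or set a fixed `PATH=/sbin:/bin:/usr/sbin:/usr/bin` once at the top of the script. `$NUM_PROCS` is also expanded unquoted inside `[ ... ]`; `[ "$NUM_PROCS" -lt 1 ]` keeps the test well-formed if the pipeline ever returns nothing.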
@@ -65,24 +66,27 @@ define('SQUID_SSL_DB','/var/squid/lib/ssl_db'); $valid_acls = array(); -$uname=posix_uname(); -if ($uname['machine']=='amd64') +$uname = posix_uname(); +if ($uname['machine'] == 'amd64') { ini_set('memory_limit', '250M'); +} function sq_text_area_decode($text) { - return preg_replace('/\r\n/', "\n",base64_decode($text)); + return preg_replace('/\r\n/', "\n", base64_decode($text)); } function squid_get_real_interface_address($iface) { - if (!function_exists("get_interface_ip")) + if (!function_exists("get_interface_ip")) { require_once("interfaces.inc"); + } return array(get_interface_ip($iface), gen_subnet_mask(get_interface_subnet($iface))); } function squid_chown_recursive($dir, $user, $group) { - if ($dir == '/usr/local') + if ($dir == '/usr/local') { return; + } chown($dir, $user); chgrp($dir, $group); 
@@ -102,46 +106,50 @@ function squid_chown_recursive($dir, $user, $group) { } function squid_check_clamav_user($user) { - if (SQUID_BASE == '/usr/local') + if (SQUID_BASE == '/usr/local') { return; + } - $_gc = exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return); - $user_arg=($sq_ex_return == 0?"mod":"add"); - $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return); - if ($sq_ex_return != 0) - log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output)); + $_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return); + $user_arg = ($sq_ex_return == 0 ? "mod" : "add"); + $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return); + if ($sq_ex_return != 0) { + log_error("Squid - Could not change clamav user settings. " . serialize($sq_ex_output)); + } } /* setup cache */ -function squid_dash_z($cache_action='none') { +function squid_dash_z($cache_action = 'none') { global $config; //Do nothing if there is no cache config - if (!is_array($config['installedpackages']['squidcache']['config'])) + if (!is_array($config['installedpackages']['squidcache']['config'])) { return; + } $settings = $config['installedpackages']['squidcache']['config'][0]; // If the cache system is null, there is no need to initialize the (irrelevant) cache dir. - if ($settings['harddisk_cache_system'] == "null") + if ($settings['harddisk_cache_system'] == "null") { return; + } $cachedir = ($settings['harddisk_cache_location'] ? 
$settings['harddisk_cache_location'] : '/var/squid/cache'); if ($cache_action == "clean" && file_exists($cachedir)) { - rename ($cachedir, "{$cachedir}.old"); + rename($cachedir, "{$cachedir}.old"); mwexec_bg("/bin/rm -rf {$cachedir}.old"); } if (!is_dir($cachedir)) { log_error("Creating Squid cache dir {$cachedir}"); - @mkdir($cachedir, 0755, true); + safe_mkdir($cachedir, 0755); @chown($cachedir, SQUID_UID); @chgrp($cachedir, SQUID_GID); } - if (!is_dir($cachedir.'/00')) { - log_error("Creating squid cache subdirs in $cachedir"); + if (!is_dir($cachedir . '/00')) { + log_error("Creating Squid cache subdirs in $cachedir"); mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE); sleep(5); mwexec(SQUID_BASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE); @@ -160,8 +168,9 @@ function squid_dash_z($cache_action='none') { function squid_is_valid_acl($acl) { global $valid_acls; - if (!is_array($valid_acls)) + if (!is_array($valid_acls)) { return; + } return in_array($acl, $valid_acls); } 
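Review bot: `$user` and `$cachedir` are interpolated into shell command strings without quoting: in `exec("/usr/sbin/pw usershow {$user}", ...)`, in the `pw user{$user_arg}` call, and in `mwexec_bg("/bin/rm -rf {$cachedir}.old")`. `$cachedir` comes from the saved `harddisk_cache_location` setting, so a path containing a space or shell metacharacter changes what `rm -rf` is applied to; whether that setting is validated on save is not visible here. Quote each value at the call, e.g. `mwexec_bg("/bin/rm -rf " . escapeshellarg("{$cachedir}.old"));` and `escapeshellarg($user)` in both `pw` calls. The same applies to the `/bin/rm -rf {$cachedir}` and `/bin/rm -rf {$logdir}` lines in squid_deinstall_command() in a later hunk of this file. squid_dash_z() continues outside this hunk.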
@@ -171,19 +180,22 @@ function squid_install_command() { update_status("Checking if there is configuration to migrate... One moment please..."); /* migrate existing csv config fields */ - if (is_array($config['installedpackages']['squidauth']['config'])) + if (is_array($config['installedpackages']['squidauth']['config'])) { $settingsauth = $config['installedpackages']['squidauth']['config'][0]; - if (is_array($config['installedpackages']['squidcache']['config'])) + } + if (is_array($config['installedpackages']['squidcache']['config'])) { $settingscache = $config['installedpackages']['squidcache']['config'][0]; - if (is_array($config['installedpackages']['squidnac']['config'])) + } + if (is_array($config['installedpackages']['squidnac']['config'])) { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - if (is_array($config['installedpackages']['squid']['config'])) + } + if (is_array($config['installedpackages']['squid']['config'])) { $settingsgen = $config['installedpackages']['squid']['config'][0]; + } - if (SQUID_BASE != '/usr/local' && - file_exists('/usr/local/bin/check_ip.php') && - !file_exists(SQUID_BASE . '/bin/check_ip.php')) + if (SQUID_BASE != '/usr/local' && file_exists('/usr/local/bin/check_ip.php') && !file_exists(SQUID_BASE . '/bin/check_ip.php')) { symlink("/usr/local/bin/check_ip.php", SQUID_BASE . "/bin/check_ip.php"); + } /* Set storage system */ if ($g['platform'] == "nanobsd") { 
@@ -248,22 +260,22 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; } - /*Migrate reverse settings*/ + /* migrate reverse settings */ if (is_array($config['installedpackages']['squidreverse'])) { - $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0]; + $old_reverse_settings = $config['installedpackages']['squidreverse']['config'][0]; - //Settings + // settings if (!is_array($config['installedpackages']['squidreversegeneral'])) { - $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings; - unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); - unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); - unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); + $config['installedpackages']['squidreversegeneral']['config'][0] = $old_reverse_settings; + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); } - //PEERS + // peers if (!is_array($config['installedpackages']['squidreversepeer'])) { - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { - foreach (explode(";",$cache_peers) as $cache_peer) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { + foreach (explode(";", $cache_peers) as $cache_peer) { $config['installedpackages']['squidreversepeer']['config'][] = array( 'description' => 'migrated', 'enable' => 'on', 
@@ -275,16 +287,16 @@ function squid_install_command() { } } - //MAPPINGS + // mappings if (!is_array($config['installedpackages']['squidreverseuri'])) { - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { - foreach (explode(";",$acls) as $acl) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { + foreach (explode(";", $acls) as $acl) { array_push(${'peer_'.$acl[0]},$acl[1]); } } - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { - foreach (explode(";",$uris) as $uri) { - $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { + foreach (explode(";", $uris) as $uri) { + $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . $uri[0]}) : ""); $config['installedpackages']['squidreverseuri']['config'][] = array( 'description' => 'migrated', 'enable' => 'on', 
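Review bot: The mapping migration builds variable names from stored data with `${'peer_' . $acl[0]}` and `${'peer_' . $uri[0]}`, and `$acl` and `$uri` are strings returned by `explode(";", ...)`, so `[0]` and `[1]` select single characters rather than fields. `array_push()` is then called on a variable that was never initialised as an array. Collect the peers in one explicit array instead, e.g. `$peers[$name][] = $value;` after splitting each entry into name and value, and read it back with `isset($peers[$name]) ? implode(",", $peers[$name]) : ""`. The separator inside an entry is not visible in this hunk, so confirm it against the old config format.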
@@ -299,147 +311,89 @@ function squid_install_command() { } update_status("Writing configuration... One moment please..."); - write_config(); - /* create cache */ - update_status("Creating squid cache pools... One moment please..."); - squid_dash_z(); - /* make sure pinger is executable and suid root */ // XXX: Bug #5114 - if (file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) - chgrp(SQUID_LOCALBASE. "/libexec/squid/pinger", SQUID_GID); - - // XXX: Is it really necessary? - if (file_exists("/usr/local/etc/rc.d/squid")) - unlink_if_exists("/usr/local/etc/rc.d/squid"); + if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) { + chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID); + } squid_write_rcfile(); // XXX: Is it really necessary? mode is set to 0755 in squid.xml - if (file_exists("/usr/local/pkg/swapstate_check.php")) + if (file_exists("/usr/local/pkg/swapstate_check.php")) { @chmod("/usr/local/pkg/swapstate_check.php", 0755); + } write_rcfile(array( "file" => "sqp_monitor.sh", "start" => "/usr/local/pkg/sqpmon.sh &", - "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill") + "stop" => "/bin/ps awux | /usr/bin/grep \"sqpmon\" | /usr/bin/grep -v \"grep\" | /usr/bin/grep -v \"php\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill") ); - foreach (array( SQUID_CONFBASE, - SQUID_ACLDIR, - SQUID_SSL_DB ) as $dir) { - @mkdir($dir, 0755, true); - squid_chown_recursive($dir, SQUID_UID, SQUID_GID); + // make a backup of default c-icap config file on install; also see squid_resync_antivirus() function below + if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { + if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { + copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); + } } - /* kill any running proxy alarm scripts */ - update_status("Checking for running processes... 
One moment please..."); - log_error("Stopping any running proxy monitors"); - mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); - sleep(1); + foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) { + safe_mkdir($dir, 0755); + squid_chown_recursive($dir, SQUID_UID, SQUID_GID); + } if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf'); - update_status("Checking cache... One moment please..."); - squid_dash_z(); - - if (!is_service_running('squid')) { - update_status("Starting... One moment please..."); - log_error("Starting Squid"); - mwexec_bg(SQUID_BASE. "/sbin/squid -f " . SQUID_CONFFILE); - } else { - update_status("Reloading Squid for configuration sync... One moment please..."); - log_error("Reloading Squid for configuration sync"); - mwexec_bg(SQUID_BASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); - } - - /* restart proxy alarm scripts */ - log_error("Starting a proxy monitor script"); - mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); - - update_status("Reconfiguring filter... One moment please..."); - filter_configure(); } function squid_deinstall_command() { global $config, $g; - $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; squid_install_cron(false); - if (is_array($config['installedpackages']['squidcache'])) + if (is_array($config['installedpackages']['squidcache'])) { $settings = $config['installedpackages']['squidcache']['config'][0]; - else + } else { $settings = array(); + } $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $logdir = ($settings['log_dir'] ? 
$settings['log_dir'] : '/var/squid/logs'); update_status("Removing cache ... One moment please..."); update_output_window("$plswait_txt"); // XXX: Is it ok to remove cache and logs? It's going to happen every time package is updated - mwexec_bg("rm -rf {$cachedir}"); - mwexec("rm -rf {$logdir}"); + mwexec_bg("/bin/rm -rf {$cachedir}"); + mwexec("/bin/rm -rf {$logdir}"); update_status("Finishing package cleanup."); mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh'); - mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); - mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); - mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep \"squid\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep \"dnsserver\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep \"unlinkd\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); update_status("Reloading filter..."); filter_configure(); } -function squid_before_form_general(&$pkg) { - $values = get_dir(SQUID_CONFBASE . '/errors/'); - /* - * XXX: This logic is broken. Probably the idea in the past - * was to skip '.', '..'. 'COPYRIGHT' and 'TRANSLATORS' and - * errors subdirectories used to be more meaning, like 'English' - * or Brazillian_Portuguese. - * - * Nowadays they are 'en', 'pt-br', ... and also there is a - * 'templates' directory to be skipped - */ - // Get rid of '..' and '.' and ... 
- array_shift($values); - array_shift($values); - array_shift($values); - array_shift($values); - - $name = array(); - foreach ($values as $value) - $names[] = implode(" ", explode("_", $value)); - - $i = 0; - foreach ($pkg['fields']['field'] as $field) { - if ($field['fieldname'] == 'error_language') - break; - $i++; - } - $field = &$pkg['fields']['field'][$i]; - - for ($i = 0; $i < count($values) - 1; $i++) - $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); -} - function squid_validate_antivirus($post, &$input_errors) { global $config; - if ($post['enable'] != "on") + if ($post['enable'] != "on") { return; + } - if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)) { - $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})"; - $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. "; + if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) { + $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})"; + $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host."; } if ($post['c-icap_conf']) { - if (!preg_match("/squid_clamav/",$post['c-icap_conf'])) { - $input_errors[] ="c-icap Squidclamav service definition is no present."; - $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; + if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) { + $input_errors[] = "c-icap Squidclamav service definition is not present."; + $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; } - if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)) { - $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' 
field."; + if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) { + $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; } } } 
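Review bot: The process cleanup in squid_deinstall_command() selects PIDs with `/usr/bin/grep \"squid\"` over the full `ps awux` output, which matches every process whose command line or owner contains that substring, not only the proxy daemon. Matching on the exact process name is narrower, for example `mwexec("/bin/pkill -x squid");`, and likewise for `dnsserver` and `unlinkd`. The `sqpmon` stop command passed to write_rcfile() earlier in this hunk uses the same substring pattern.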
@@ -447,31 +401,37 @@ function squid_validate_antivirus($post, &$input_errors) { function squid_validate_general($post, &$input_errors) { global $config; - if (is_array($config['installedpackages']['squid'])) + if (is_array($config['installedpackages']['squid'])) { $settings = $config['installedpackages']['squid']['config'][0]; - else + } else { $settings = array(); + } $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; $icp_port = trim($post['icp_port']); - if (!empty($icp_port) && !is_port($icp_port)) - $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + if (!empty($icp_port) && !is_port($icp_port)) { + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field.'; + } - if (substr($post['log_dir'], -1, 1) == '/') - $input_errors[] = 'You may not end log location with an / mark'; + if (substr($post['log_dir'], -1, 1) == '/') { + $input_errors[] = 'Log location must not end with a / character.'; + } - if ($post['log_dir']{0} != '/') - $input_errors[] = 'You must start log location with a / mark'; + if ($post['log_dir']{0} != '/') { + $input_errors[] = 'Log location must start with a / character.'; + } - if (strlen($post['log_dir']) <= 3) - $input_errors[] = "That is not a valid log location dir"; + if (strlen($post['log_dir']) <= 3) { + $input_errors[] = "Configured log location directory is not valid."; + } $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) - $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field'; + if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) { + $input_errors[] = "You must enter a valid number of days in the 'Log rotate' field."; + } $webgui_port = $config['system']['webgui']['port']; 
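Review bot: The `log_dir` checks accept any value that starts with `/`, does not end with `/` and is longer than three characters, so `/var` or a path containing spaces or `;` passes. That value is later handed to `/bin/rm -rf {$logdir}` in squid_deinstall_command() (shown earlier on this page), so the validation should be stricter: restrict the characters, e.g. `if (!preg_match('@^/[A-Za-z0-9._/-]+$@', $post['log_dir'])) {`, and reject `..` components and top-level system directories. `$post['log_dir']{0}` also raises a notice on an empty string; `substr($post['log_dir'], 0, 1)` avoids that. The function continues outside the hunk.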
@@ -483,7 +443,7 @@ function squid_validate_general($post, &$input_errors) { } if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { - $input_errors[] = "You can not run squid on the same port as the webgui"; + $input_errors[] = "You can not run Squid on the same port as the pfSense WebGUI"; } if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) { @@ -493,15 +453,17 @@ function squid_validate_general($post, &$input_errors) { foreach (array('defined_ip_proxy_off') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); - if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) - $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) { + $input_errors[] = "'Bypass proxy for these source IPs' entry '$host' is not a valid IP address, hostname, or alias."; + } } } foreach (array('defined_ip_proxy_off_dest') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); - if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) - $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) { + $input_errors[] = "'Bypass proxy for these destination IPs' entry '$host' is not a valid IP address, hostname, or alias."; + } } } @@ -509,7 +471,7 @@ function squid_validate_general($post, &$input_errors) { $altdns = explode(";", ($post['dns_nameservers'])); foreach ($altdns as $dnssrv) { if (!is_ipaddr($dnssrv)) { - $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + $input_errors[] = "You must enter a valid IP address in the 'Alternate DNS servers' field."; break; } } 
@@ -517,24 +479,27 @@ function squid_validate_general($post, &$input_errors) { } function squid_validate_upstream($post, &$input_errors) { - if ($post['enabled'] != 'on') + if ($post['enabled'] != 'on') { return; + } $addr = trim($post['proxyaddr']); if (empty($addr)) { - $input_errors[] = 'The field \'Hostname\' is required'; + $input_errors[] = "The 'Proxy hostname' field is required"; } else { - if (!is_ipaddr($addr) && !is_domain($addr)) - $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + if (!is_ipaddr($addr) && !is_domain($addr)) { + $input_errors[] = "You must enter a valid IP address or host name in the 'Proxy hostname' field."; + } } foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { $port = trim($post[$field]); if (empty($port)) { - $input_errors[] = "The field '$name' is required"; + $input_errors[] = "The '$name' field is required."; } else { - if (!is_port($port)) - $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + if (!is_port($port)) { + $input_errors[] = "The '$name' field must contain a valid port number (1-65535)."; + } } } } 
@@ -548,31 +513,36 @@ function squid_validate_cache($post, &$input_errors) { foreach ($num_fields as $field => $name) { $value = trim($post[$field]); - if (!is_numericint($value)) - $input_errors[] = "You must enter a valid value for '$field'"; + if (!is_numericint($value)) { + $input_errors[] = "You must enter a valid value for '$field'."; + } } $value = trim($post['minimum_object_size']); - if (!is_numericint($value)) - $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + if (!is_numericint($value)) { + $input_errors[] = "You must enter a valid value for 'Minimum object size'."; + } if (!empty($post['cache_swap_low'])) { $value = trim($post['cache_swap_low']); - if (!is_numericint($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + if (!is_numericint($value) || ($value > 100)) { + $input_errors[] = "You must enter a valid value for 'Low-water-mark'."; + } } if (!empty($post['cache_swap_high'])) { $value = trim($post['cache_swap_high']); - if (!is_numericint($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + if (!is_numericint($value) || ($value > 100)) { + $input_errors[] = "You must enter a valid value for 'High-water-mark'."; + } } if ($post['donotcache'] != "") { foreach (split("\n", $post['donotcache']) as $host) { $host = trim($host); - if (!is_ipaddr($host) && !is_domain($host)) - $input_errors[] = "The host '$host' is not a valid IP or host name"; + if (!is_ipaddr($host) && !is_domain($host)) { + $input_errors[] = "The host '$host' is not a valid IP or hostname."; + } } } 
@@ -583,19 +553,22 @@ function squid_validate_nac($post, &$input_errors) { $allowed_subnets = explode("\n", $post['allowed_subnets']); foreach ($allowed_subnets as $subnet) { $subnet = trim($subnet); - if (!empty($subnet) && !is_subnet($subnet)) - $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + if (!empty($subnet) && !is_subnet($subnet)) { + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range."; + } } foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) { - if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)) { - for ($x=0; $x < count($matches[1]); $x++) { + if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $_POST[$hosts], $matches)) { + for ($x = 0; $x < count($matches[1]); $x++) { if ($matches[2][$x] == "") { - if (!is_ipaddr($matches[1][$x])) - $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address"; + if (!is_ipaddr($matches[1][$x])) { + $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address."; + } } else { - if (!is_subnet($matches[0][$x])) - $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range"; + if (!is_subnet($matches[0][$x])) { + $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range."; + } } } } 
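Review bot: Entries in `unrestricted_hosts` and `banned_hosts` are validated only where they match `@([0-9.]+)(/[0-9.]+|)@`, so anything the pattern does not capture (a hostname, an IPv6 address, stray text around an address) is skipped without an error and is saved as entered. The loop also reads `$_POST[$hosts]` although the function receives `$post`. Validate every entry the way the `allowed_subnets` loop above does: split `$post[$hosts]` on the field's separator (newlines, if it matches the other lists), trim, and require `is_ipaddr($entry) || is_subnet($entry)` for each non-empty entry. squid_validate_nac() starts and ends outside this hunk.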
@@ -604,22 +577,25 @@ function squid_validate_nac($post, &$input_errors) { foreach (array('unrestricted_macs', 'banned_macs') as $macs) { foreach (explode("\n", $post[$macs]) as $mac) { $mac = trim($mac); - if (!empty($mac) && !is_macaddr($mac)) - $input_errors[] = "The mac '$mac' is not a valid MAC address"; + if (!empty($mac) && !is_macaddr($mac)) { + $input_errors[] = "'$mac' is not a valid MAC address."; + } } } foreach (explode(",", $post['timelist']) as $time) { $time = trim($time); - if (!empty($time) && !squid_is_timerange($time)) - $input_errors[] = "The time range '$time' is not a valid time range"; + if (!empty($time) && !squid_is_timerange($time)) { + $input_errors[] = "The time range '$time' is not a valid time range."; + } } if (!empty($post['ext_cachemanager'])) { $extmgr = explode(";", ($post['ext_cachemanager'])); foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + if (!is_ipaddr($mgr)) { + $input_errors[] = "You must enter a valid IP address in the 'External Cache Manager' field'."; + } } } } 
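Review bot: The new 'External Cache Manager' message ends in `field'.`, which leaves a stray apostrophe in the text shown to the user; it should end `'External Cache Manager' field.`. `$mgr` is also passed to `is_ipaddr()` untrimmed, unlike the other list fields in this function, so an entry written after `; ` would presumably be rejected; use `is_ipaddr(trim($mgr))`.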
@@ -634,26 +610,30 @@ function squid_validate_traffic($post, &$input_errors) { foreach ($num_fields as $field => $name) { $value = trim($post[$field]); - if (!is_numericint($value)) - $input_errors[] = "The field '$name' must contain a positive number"; + if (!is_numericint($value)) { + $input_errors[] = "The '$name' field must contain a positive integer."; + } } if (!empty($post['quick_abort_min'])) { $value = trim($post['quick_abort_min']); - if (!is_numericint($value)) - $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + if ((!is_numericint($value)) && ($value !== -1)) { + $input_errors[] = "'Finish when remaining KB' must contain a positive integer or '-1'."; + } } if (!empty($post['quick_abort_max'])) { $value = trim($post['quick_abort_max']); - if (!is_numericint($value)) - $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + if (!is_numericint($value)) { + $input_errors[] = "'Abort when remaining KB' must contain a positive integer."; + } } if (!empty($post['quick_abort_pct'])) { $value = trim($post['quick_abort_pct']); - if (!is_numericint($value) || ($value > 100)) - $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; + if (!is_numericint($value) || ($value > 100)) { + $input_errors[] = "'Finish when remaining %' must contain valid percentage (1-100)."; + } } } 
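Review bot: In the `quick_abort_min` check, `$value !== -1` compares the trimmed string from `$post` with an integer, so it is always true and the new exception for `-1` never takes effect. Assuming `is_numericint()` rejects negative input, `-1` is still refused even though the message now says it is allowed. Compare with the string instead: `if (!is_numericint($value) && $value !== '-1') {`. squid_validate_traffic begins outside this hunk.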
@@ -663,33 +643,37 @@ function squid_validate_reverse($post, &$input_errors) { if (!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) - $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.'; + if (!is_ipaddr(trim($reip))) { + $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid."; + } } } $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) - $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + if (!empty($fqdn) && !is_domain($fqdn)) { + $input_errors[] = "'External FQDN' field must contain a valid domain name."; + } $port = trim($post['reverse_http_port']); - // XXX: Where is $portrange being defined ??? - preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.reservedhigh`,$portrange); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; + } if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; + $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart 
Squid daemon."; } $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; + } if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; + $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; } - if ($post['reverse_ssl_cert'] == 'none') + if ($post['reverse_ssl_cert'] == 'none') { $input_errors[] = 'A valid certificate for the external interface must be selected'; + } if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; @@ -698,8 +682,9 @@ function squid_validate_reverse($post, &$input_errors) { if (!empty($post['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) - $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.'; + if (!is_ipaddr(trim($reowaip))) { + $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. '$reowaip' is invalid."; + } } } 
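Review bot: The `preg_match()` on the `sysctl` output is not checked before `$portrange[1]` is used in the two reserved-port comparisons. If `shell_exec()` returns nothing or the output has no digits, `$portrange` stays empty and both `$port <= $portrange[1]` tests evaluate to false, so the low-port check is skipped without any error. Reading the bare value with `-n` and guarding the result makes the failure visible, e.g. `$reserved = trim(shell_exec("/sbin/sysctl -n net.inet.ip.portrange.reservedhigh"));` and then running the comparisons only when `is_numericint($reserved)`. squid_validate_reverse begins and ends outside this hunk.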
@@ -707,13 +692,16 @@ function squid_validate_reverse($post, &$input_errors) { if (!empty($contents)) { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (!is_ipaddr($cfg[1])) - $input_errors[] = "please choose a valid IP in the cache peer configuration."; - if (!is_port($cfg[2])) - $input_errors[] = "please choose a valid port in the cache peer configuration."; - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) - $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + $cfg = explode(";", ($def)); + if (!is_ipaddr($cfg[1])) { + $input_errors[] = "Please choose a valid IP in the cache peer configuration."; + } + if (!is_port($cfg[2])) { + $input_errors[] = "Please choose a valid port in the cache peer configuration."; + } + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) { + $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration."; + } } } } 
@@ -726,48 +714,55 @@ function squid_validate_auth($post, &$input_errors) { foreach ($num_fields as $field) { $value = trim($post[$field[0]]); - if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) - $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) { + $input_errors[] = "The '{$field[1]}' field must contain a valid number greater than {$field[2]}"; + } } $auth_method = $post['auth_method']; if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { $server = trim($post['auth_server']); - if (empty($server)) - $input_errors[] = 'The field \'Authentication server\' is required'; - else if (!is_ipaddr($server) && !is_domain($server)) - $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + if (empty($server)) { + $input_errors[] = "'Authentication server' is required."; + } elseif (!is_ipaddr($server) && !is_domain($server)) { + $input_errors[] = "'Authentication server' must contain a valid IP address or domain name."; + } $port = trim($post['auth_server_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Authentication server port' must contain a valid port number."; + } switch ($auth_method) { - case 'ldap': - $user = trim($post['ldap_user']); - if (empty($user)) - $input_errors[] = 'The field \'LDAP server user DN\' is required'; - else if (!$user) - $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; - break; - case 'radius': - $secret = trim($post['radius_secret']); - if (empty($secret)) - $input_errors[] = 'The field \'RADIUS secret\' is required'; - break; - case 'msnt': - foreach (explode(",", trim($post['msnt_secondary'])) as $server) { - if (!empty($server) && 
!is_ipaddr($server) && !is_domain($server)) - $input_errors[] = "The host '$server' is not a valid IP address or domain name"; - } - break; + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) { + $input_errors[] = "'LDAP server user DN' is required."; + } elseif (!$user) { + $input_errors[] = "'LDAP server user DN' must be a valid DN."; + } + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) { + $input_errors[] = "'RADIUS secret' is required."; + } + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) { + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + } + break; } $no_auth = explode("\n", $post['no_auth_hosts']); foreach ($no_auth as $host) { $host = trim($host); - if (!empty($host) && !is_subnet($host)) + if (!empty($host) && !is_subnet($host)) { $input_errors[] = "The host '$host' is not a valid CIDR range"; + } } } } @@ -786,14 +781,14 @@ function squid_install_cron($should_install) { $settings = array(); } - $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); $cron_cmd .= SQUID_BASE . "/sbin/squid -k rotate -f " . SQUID_CONFFILE; install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root"); $swapstate_cmd = "/usr/local/pkg/swapstate_check.php clean; "; if ($should_install) { if ($settings['clear_cache'] == 'on' ) { - install_cron_job("{$swapstate_cmd}", true, "*/15"); + install_cron_job("{$swapstate_cmd}", true, "*/360"); } else { install_cron_job("{$swapstate_cmd}", false); } 
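Review bot: In the `ldap` case the `elseif (!$user)` branch can never run, because `empty($user)` has already caught every falsy value. The "must be a valid DN" error is therefore unreachable and the bind DN is checked for emptiness only. Either remove the branch or state the limitation where it stands, for example `// NOTE: only emptiness is checked; the DN syntax is not validated here`. The `msnt` and `no_auth_hosts` messages at the end of the function also still lack the trailing period the rest of the commit adds.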
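Review bot: The swapstate job now passes `"*/360"` as the third argument of `install_cron_job()`, which, judging by the `"0", "0", "*", "*", "*"` call a few lines above, is the minute field. A step of 360 is outside the 0-59 minute range, so depending on the cron implementation the entry runs once an hour at minute 0 or is rejected, rather than every six hours. If six hours is the intent, set the hour field: `install_cron_job("{$swapstate_cmd}", true, "0", "*/6");`.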
@@ -803,15 +798,16 @@ function squid_install_cron($should_install) { } function squid_check_ca_hashes() { - global $config,$g; + global $config, $g; // check certificates $cert_count = 0; - if (is_dir(SQUID_LOCALBASE. '/share/certs')) { - if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) { + if (is_dir(SQUID_LOCALBASE . '/share/certs')) { + if ($handle = opendir(SQUID_LOCALBASE . '/share/certs')) { while (false !== ($file = readdir($handle))) { - if (preg_match ("/\d+.0/",$file)) + if (preg_match ("/\d+.0/",$file)) { $cert_count++; + } } closedir($handle); } @@ -820,20 +816,22 @@ function squid_check_ca_hashes() { conf_mount_rw(); // create ca-root hashes from ca-root-nss package log_error("Creating root certificate bundle hashes from the Mozilla Project"); - $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); - $cert=0; + $cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt'); + $cert = 0; foreach ($cas as $ca) { - if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) - $cert=1; - if ($cert == 1) - $crt.=$ca; - if (preg_match("/-END CERTIFICATE-/",$ca)) { - file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); - $cert_hash=array(); - exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); - file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); - $crt=""; - $cert=0; + if (preg_match("/--BEGIN CERTIFICATE--/", $ca)) { + $cert = 1; + } + if ($cert == 1) { + $crt .= $ca; + } + if (preg_match("/-END CERTIFICATE-/", $ca)) { + file_put_contents("/tmp/cert.pem", $crt, LOCK_EX); + $cert_hash = array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash); + file_put_contents(SQUID_LOCALBASE . "/share/certs/" . $cert_hash[0] . ".0", $crt, LOCK_EX); + $crt = ""; + $cert = 0; } } } 
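Review bot: The pattern in `preg_match ("/\d+.0/",$file)` is unanchored, its dot is unescaped, and `\d+` does not cover the hexadecimal names that `openssl x509 -hash` produces. It counts any file name containing a digit, any character and a `0`, and can miss real hash links such as names made only of letters a-f. A stricter test would be `if (preg_match("/^[0-9a-f]{8}\.\d+$/", $file)) {`. How `$cert_count` is used afterwards lies outside this hunk.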
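Review bot: Each certificate is staged in the fixed path `/tmp/cert.pem` and the output of `openssl` is used unchecked to build the destination name. A predictable file name in a world-writable directory, written by a privileged process, is a symlink and race risk. If `openssl` fails, `$cert_hash[0]` is empty and the certificate is written to a file called `.0`. `$crt` is also appended to before it is initialised. A private temporary file and a guard on the hash address the first two issues; add `$crt = "";` next to `$cert = 0;` before the loop for the third.
```php
// … unchanged: BEGIN CERTIFICATE detection and $crt accumulation …
if (preg_match("/-END CERTIFICATE-/", $ca)) {
	$tmp_cert = tempnam("/tmp", "squid_ca_");
	file_put_contents($tmp_cert, $crt, LOCK_EX);
	$cert_hash = array();
	exec("/usr/bin/openssl x509 -hash -noout -in " . escapeshellarg($tmp_cert), $cert_hash);
	unlink($tmp_cert);
	if (!empty($cert_hash[0])) {
		file_put_contents(SQUID_LOCALBASE . "/share/certs/" . $cert_hash[0] . ".0", $crt, LOCK_EX);
	}
	$crt = "";
	$cert = 0;
}
```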
@@ -842,10 +840,11 @@ function squid_check_ca_hashes() { function squid_resync_general() { global $g, $config, $valid_acls; - if (is_array($config['installedpackages']['squid'])) + if (is_array($config['installedpackages']['squid'])) { $settings = $config['installedpackages']['squid']['config'][0]; - else - $settings=array(); + } else { + $settings = array(); + } $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n\n"; 
@@ -855,31 +854,34 @@ function squid_resync_general() { $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { if (base64_decode($srv_cert['prv'])) { - // check if ssl_db was initilized by squid + // check if ssl_db was initilized by Squid if (!file_exists(SQUID_SSL_DB . "/serial")) { if (is_dir(SQUID_SSL_DB)) { mwexec("/bin/rm -rf " . SQUID_SSL_DB); } - mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB); + mwexec(SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB); } // force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive(SQUID_SSL_DB, SQUID_UID, SQUID_GID); - // cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext - $crt_pk=SQUID_CONFBASE."/serverkey.pem"; - $crt_capath=SQUID_LOCALBASE."/share/certs/"; - file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); - $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; - $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n"; + // cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, sslcontext + $crt_pk = SQUID_CONFBASE . "/serverkey.pem"; + $crt_capath = SQUID_LOCALBASE . "/share/certs/"; + file_put_contents($crt_pk, base64_decode($srv_cert['prv']) . base64_decode($srv_cert['crt'])); + $sslcrtd_children = ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); + $ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath}\n"; + $interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . 
" -M 4MB -b 2048\n"; $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; $interception_checks .= "sslproxy_capath {$crt_capath}\n"; - if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) - $interception_checks.="sslproxy_cert_error allow all\n"; - if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) - $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; + if (preg_match("/sslproxy_cert_error/", $settings["interception_checks"])) { + $interception_checks .= "sslproxy_cert_error allow all\n"; + } + if (preg_match("/sslproxy_flags/", $settings["interception_checks"])) { + $interception_checks .= "sslproxy_flags DONT_VERIFY_PEER\n"; + } if ($settings["interception_adapt"] != "") { - foreach (explode(",",$settings["interception_adapt"]) as $adapt) - $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; + foreach (explode(",", $settings["interception_adapt"]) as $adapt) { + $interception_checks .= "sslproxy_cert_adapt {$adapt} all\n"; + } } } } 
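Review bot: `file_put_contents($crt_pk, ...)` writes the CA private key used for SSL interception to `serverkey.pem` without setting a mode, so the file gets whatever the process umask allows. Nothing in this hunk restricts it afterwards; whether that happens later in the function is not visible here. Creating the file with a tight mode before the key is written avoids a readable window: `touch($crt_pk);` and `chmod($crt_pk, 0600);` ahead of the `file_put_contents()` call, with ownership set to whichever account Squid reads the key as. squid_resync_general begins and ends outside this hunk.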
@@ -890,47 +892,51 @@ function squid_resync_general() { // Read assigned interfaces $real_ifaces = array(); - if ($settings['active_interface']) + if ($settings['active_interface']) { $proxy_ifaces = explode(",", $settings['active_interface']); - else - $proxy_ifaces=array("lan"); + } else { + $proxy_ifaces = array("lan"); + } - if ($settings['transparent_proxy']=="on") { + if ($settings['transparent_proxy'] == "on") { $transparent_ifaces = explode(",", $settings['transparent_active_interface']); foreach ($transparent_ifaces as $t_iface) { $t_iface_ip = squid_get_real_interface_address($t_iface); - if ($t_iface_ip[0]) - $real_ifaces[]=$t_iface_ip; + if ($t_iface_ip[0]) { + $real_ifaces[] = $t_iface_ip; + } } } else { - $transparent_ifaces=array(); + $transparent_ifaces = array(); } - if ($settings['ssl_proxy']=="on") { + if ($settings['ssl_proxy'] == "on") { $ssl_ifaces = explode(",", $settings['ssl_active_interface']); foreach ($ssl_ifaces as $s_iface) { $s_iface_ip = squid_get_real_interface_address($s_iface); - if ($s_iface_ip[0]) + if ($s_iface_ip[0]) { $real_ifaces[]=$s_iface_ip; + } } } else { - $ssl_ifaces=array(); + $ssl_ifaces = array(); } // check all proxy interfaces selected foreach ($proxy_ifaces as $iface) { $iface_ip = squid_get_real_interface_address($iface); if ($iface_ip[0]) { - $real_ifaces[]=$iface_ip; - if (in_array($iface,$ssl_ifaces)) + $real_ifaces[] = $iface_ip; + if (in_array($iface,$ssl_ifaces)) { $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; - else + } else { $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + } } } if (($settings['transparent_proxy'] == 'on')) { - if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0) { + if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces) > 0) { $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n"; $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n"; } else { 
@@ -938,11 +944,11 @@ function squid_resync_general() { } } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); - $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); - $piddir="{$g['varrun_path']}/squid"; + $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off" ); + $piddir = "{$g['varrun_path']}/squid"; $pidfile = "{$piddir}/squid.pid"; if (!is_dir($piddir)) { - @mkdir($piddir, 0755, true); + safe_mkdir($piddir, 0755); squid_chown_recursive($piddir, SQUID_UID, 'wheel'); } $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); @@ -952,13 +958,13 @@ function squid_resync_general() { $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); if (!is_dir($logdir)) { - @mkdir($logdir, 0755, true); + safe_mkdir($logdir, 0755); squid_chown_recursive($logdir, SQUID_UID, SQUID_GID); } $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); - $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on'; - $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger"; + $pinger_helper = ($settings['disable_pinger']) == 'on' ? 'off' : 'on'; + $pinger_program = SQUID_LOCALBASE . "/libexec/squid/pinger"; $squid_uid = SQUID_UID; $squid_gid = SQUID_GID; 
@@ -1000,35 +1006,42 @@ EOD; list($ip, $mask) = $iface; $ip = long2ip(ip2long($ip) & ip2long($mask)); $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); - if (!preg_match("@$ip/$mask@",$src)) + if (!preg_match("@$ip/$mask@", $src)) { $src .= " $ip/$mask"; + } } $conf .= "# Allow local network(s) on interface(s)\n"; $conf .= "acl localnet src $src\n"; $valid_acls[] = 'localnet'; } - if ($settings['xforward_mode']) + if ($settings['xforward_mode']) { $conf .= "forwarded_for {$settings['xforward_mode']}\n"; - else - $conf .= "forwarded_for on\n"; //only used for first run + } else { + // only used for first run + $conf .= "forwarded_for on\n"; + } - if ($settings['disable_via']) + if ($settings['disable_via']) { $conf .= "via off\n"; + } - if ($settings['disable_squidversion']) + if ($settings['disable_squidversion']) { $conf .= "httpd_suppress_version_string on\n"; + } - if (!empty($settings['uri_whitespace'])) + if (!empty($settings['uri_whitespace'])) { $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; - else - $conf .= "uri_whitespace strip\n"; //only used for first run + } else { + // only used for first run + $conf .= "uri_whitespace strip\n"; + } if (!empty($settings['dns_nameservers'])) { $altdns = explode(";", ($settings['dns_nameservers'])); $conf .= "dns_nameservers "; foreach ($altdns as $dnssrv) { - $conf .= $dnssrv." "; + $conf .= $dnssrv . " "; } } 
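Review bot: The duplicate test `!preg_match("@$ip/$mask@", $src)` uses the network address as a regular expression with unescaped dots and no boundaries, so it also matches inside a longer entry. For example `10.0.0.0/8` is found in `110.0.0.0/8`, and that interface's network is then left out of the `localnet` ACL. An exact membership test avoids this: `if (!in_array("$ip/$mask", explode(" ", $src))) {`. The loop and the initial value of `$src` start outside this hunk.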
@@ -1038,19 +1051,20 @@ EOD; function squid_resync_cache() { global $config, $g; - if (is_array($config['installedpackages']['squidcache'])) + if (is_array($config['installedpackages']['squidcache'])) { $settings = $config['installedpackages']['squidcache']['config'][0]; - else + } else { $settings = array(); + } - //apply cache settings - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + // apply cache settings + $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16); - $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); - $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB"); + $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 64); + $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] . " MB" : "4 MB"); $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); - $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32); + $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 256); $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF'); $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); 
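Review bot: The `$max_objsize` line changes the unit appended to the stored `maximum_object_size` from KB to MB without converting existing values. A configuration saved by the previous version, where the number meant kilobytes, is now emitted as that many megabytes. Whether an upgrade step rewrites the stored value is not visible in this hunk. If none exists, a conversion is needed; at minimum record the unit at the assignment, e.g. `// maximum_object_size is stored in MB; values saved by older package versions were in KB`.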
@@ -1066,15 +1080,15 @@ function squid_resync_cache() { } // 'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. if ($disk_cache_system != "null") { - $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; + $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; } - //check dynamic content + // check dynamic content if (empty($settings['cache_dynamic_content'])) { - $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; - $conf.="cache deny dynamic\n"; - } else if (preg_match('/youtube/',$settings['refresh_patterns'])) { + $conf .= 'acl dynamic urlpath_regex cgi-bin \?' . "\n"; + $conf .= "cache deny dynamic\n"; + } elseif (preg_match('/youtube/', $settings['refresh_patterns'])) { // Broken (Bug #3847) and not working (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube#Discussion) -/* $conf.=<<< EOC +/* $conf .= <<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -1085,8 +1099,8 @@ cache allow youtube EOC; */ } - if (preg_match('/windows/',$settings['refresh_patterns'])) { - $conf.=<<< EOC + if (preg_match('/windows/', $settings['refresh_patterns'])) { + $conf .= <<< EOC # Windows Update refresh_pattern range_offset_limit -1 @@ -1097,8 +1111,8 @@ refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 EOC; } - if (preg_match('/symantec/',$settings['refresh_patterns'])) { - $conf.=<<< EOC + if (preg_match('/symantec/', $settings['refresh_patterns'])) { + $conf .= <<< EOC # Symantec refresh_pattern range_offset_limit -1 
@@ -1107,8 +1121,8 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re EOC; } - if (preg_match('/avast/',$settings['refresh_patterns'])) { - $conf.=<<< EOC + if (preg_match('/avast/', $settings['refresh_patterns'])) { + $conf .= <<< EOC # Avast refresh_pattern range_offset_limit -1 @@ -1116,7 +1130,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i EOC; } - if (preg_match('/avira/',$settings['refresh_patterns'])) { + if (preg_match('/avira/', $settings['refresh_patterns'])) { $conf.=<<< EOC # Avira refresh_pattern @@ -1125,7 +1139,7 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43 EOC; } - $refresh_conf=<<< EOC + $refresh_conf = <<< EOC # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 
@@ -1135,32 +1149,36 @@ refresh_pattern . 0 20% 4320 EOC; - if ($settings['custom_refresh_patterns'] !="") - $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; + if ($settings['custom_refresh_patterns'] != "") { + $conf .= sq_text_area_decode($settings['custom_refresh_patterns']) . "\n"; + } $conf .= <<< EOD -cache_mem $memory_cache_size MB +cache_mem {$memory_cache_size} MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} cache_replacement_policy {$cache_policy} minimum_object_size {$min_objsize} KB maximum_object_size {$max_objsize} -$disk_cache_opts +{$disk_cache_opts} offline_mode {$offline_mode} EOD; - if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; - if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + if (!empty($settings['cache_swap_low'])) { + $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; + } + if (!empty($settings['cache_swap_high'])) { + $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + } $donotcache = sq_text_area_decode($settings['donotcache']); if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; $conf .= "cache deny donotcache\n"; - } - elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { + } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } $conf .= "cache allow all\n"; 
@@ -1171,17 +1189,19 @@ EOD; function squid_resync_upstream() { global $config; - if (!is_array($config['installedpackages']['squidremote']['config'])) + if (!is_array($config['installedpackages']['squidremote']['config'])) { $config['installedpackages']['squidremote']['config'] = array(); + } $conf = "\n#Remote proxies\n"; foreach ($config['installedpackages']['squidremote']['config'] as $settings) { if ($settings['enable'] == 'on') { $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} "; - if ($settings['icpport'] == '7') + if ($settings['icpport'] == '7') { $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; - else + } else { $conf .= "{$settings['icpport']} "; + } // auth settings if (!empty($settings['username']) && !empty($settings['password'])) { $conf .= " login={$settings['username']}:{$settings['password']}"; @@ -1189,14 +1209,18 @@ function squid_resync_upstream() { $conf .= "{$settings['authoption']} "; } // other options settings - if (!empty($settings['weight'])) + if (!empty($settings['weight'])) { $conf .= "weight={$settings['weight']} "; - if (!empty($settings['basetime'])) + } + if (!empty($settings['basetime'])) { $conf .= "basetime={$settings['basetime']} "; - if (!empty($settings['ttl'])) + } + if (!empty($settings['ttl'])) { $conf .= "ttl={$settings['ttl']} "; - if (!empty($settings['nodelay'])) + } + if (!empty($settings['nodelay'])) { $conf .= "no-delay"; + } } $conf .= "\n"; } @@ -1208,7 +1232,8 @@ function squid_resync_redirector() { // XXX: What port provide squirm binary? It's not present $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); - if ($httpav_enabled) { + $redirector = "/usr/local/bin/squirm"; + if (($httpav_enabled) && is_executable($redirector)) { $conf = "url_rewrite_program /usr/local/bin/squirm\n"; } else { $conf = "# No redirector configured\n"; 
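Review bot: The `cache_peer` line is assembled by interpolating `$settings['username']` and `$settings['password']` directly into `login=...`. A space, `#` or line break in either value would split the option or start a new directive in the generated configuration. Squid accepts URL escapes in the `login=` string, so encoding both parts keeps the line intact: `$conf .= " login=" . rawurlencode($settings['username']) . ":" . rawurlencode($settings['password']);`. The other peer fields (`proxyaddr`, `hierarchy`, `icpoptions`) are interpolated the same way; whether they are validated when saved is outside this hunk.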
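Review bot: In squid_resync_redirector the new `$redirector` variable is used for the `is_executable()` test, but the path is still repeated as a literal in the emitted directive. The two can drift apart. Use the variable in both places: `$conf = "url_rewrite_program {$redirector}\n";`.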
@@ -1220,10 +1245,11 @@ function squid_resync_nac() { global $config, $valid_acls; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - if (is_array($config['installedpackages']['squidnac'])) + if (is_array($config['installedpackages']['squidnac'])) { $settings = $config['installedpackages']['squidnac']['config'][0]; - else + } else { $settings = array(); + } $webgui_port = $config['system']['webgui']['port']; $addtl_ports = $settings['addtl_ports']; $addtl_sslports = $settings['addtl_sslports']; @@ -1250,7 +1276,7 @@ acl HTTPS proto HTTPS EOD; - $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); + $allowed_subnets = preg_replace("/\s+/"," ", sq_text_area_decode($settings['allowed_subnets'])); if (!empty($allowed_subnets)) { $conf .= "acl allowed_subnets src $allowed_subnets\n"; $valid_acls[] = 'allowed_subnets'; @@ -1271,8 +1297,7 @@ EOD; file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; $valid_acls[] = $option; - } - elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + } elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { unlink(SQUID_ACLDIR . "/$option.acl"); } } 
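Review bot: At the top of squid_resync_nac, `$port` is computed from `$settings['proxy_port']` on the line before `$settings` is assigned, so it always falls back to 3128. The array assigned afterwards is the `squidnac` section, which presumably does not hold `proxy_port` either. If the configured proxy port is meant, read it from the general section, e.g. `$port = ($config['installedpackages']['squid']['config'][0]['proxy_port'] ? $config['installedpackages']['squid']['config'][0]['proxy_port'] : 3128);`. That key location is inferred and should be confirmed. Where `$port` is used later in the function is outside this hunk.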
@@ -1320,28 +1345,26 @@ function squid_resync_antivirus() { else $antivirus_config = array(); - if ($antivirus_config['enable']=="on") { + if ($antivirus_config['enable'] == "on") { switch ($antivirus_config['client_info']) { - case "both": - default: - $icap_send_client_ip="on"; - $icap_send_client_username="on"; - break; - case "IP": - $icap_send_client_ip="on"; - $icap_send_client_username="off"; - break; - case "username": - $icap_send_client_ip="off"; - $icap_send_client_username="on"; - break; - case "none": - $icap_send_client_ip="off"; - $icap_send_client_username="off"; - break; + case "both": + default: + $icap_send_client_ip = "on"; + $icap_send_client_username = "on"; + break; + case "ip": + $icap_send_client_ip = "on"; + $icap_send_client_username = "off"; + break; + case "username": + $icap_send_client_ip = "off"; + $icap_send_client_username = "on"; + break; + case "none": + $icap_send_client_ip = "off"; + $icap_send_client_username = "off"; + break; } - if (is_array($config['installedpackages']['squid'])) - $squid_config=$config['installedpackages']['squid']['config'][0]; $conf = <<< EOF icap_enable on 
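Review bot: The `client_info` switch now matches `"ip"` instead of `"IP"`, and `default` shares the `"both"` branch. A configuration that still stores `IP` therefore falls through to `both` and starts forwarding the client username to the ICAP service as well. Whether stored values are migrated is not visible here. Normalising the value keeps old and new configurations on the same branch: `switch (strtolower($antivirus_config['client_info'])) {`. squid_resync_antivirus begins and ends outside this hunk.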
@@ -1360,66 +1383,84 @@ adaptation_access service_avi_resp allow all EOF; // check if icap is enabled on rc.conf.local + // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way if (file_exists("/etc/rc.conf.local")) { - $rc_old_file=file("/etc/rc.conf.local"); + $rc_old_file = file("/etc/rc.conf.local"); foreach ($rc_old_file as $rc_line) { - if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)) { - $rc_file.=$matches[1].'="YES"'."\n"; - ${$matches[1]}="ok"; + if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/", $rc_line, $matches)) { + $rc_file .= $matches[1] . '="YES"' . "\n"; + ${$matches[1]} = "ok"; + } else { + $rc_file .= $rc_line; } - else - $rc_file.=$rc_line; } } - if (!isset($c_icap_enable)) - $rc_file.='c_icap_enable="YES"'."\n"; - if (!isset($clamav_clamd_enable)) - $rc_file.='clamav_clamd_enable="YES"'."\n"; - file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX); + if (!isset($c_icap_enable)) { + $rc_file .= 'c_icap_enable="YES"' . "\n"; + } + if (!isset($clamav_clamd_enable)) { + $rc_file .= 'clamav_clamd_enable="YES"' . "\n"; + } + file_put_contents("/etc/rc.conf.local", $rc_file, LOCK_EX); squid_check_clamav_user('clamav'); // patch sample files to pfsense dirs // squidclamav.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")) { - $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default"); - $clamav_m[0]="@/var/run/clamav/clamd.ctl@"; - $clamav_m[1]="@cgi-bin/clwarn.cgi@"; - $clamav_r[0]="/var/run/clamav/clamd.sock"; - $clamav_r[1]="squid_clwarn.php"; - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX); + if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) { + if (file_exists(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default"); + $clamav_m[0] = "@/var/run/clamav/clamd.ctl@"; + $clamav_m[1] = "@cgi-bin/clwarn.cgi@"; + $clamav_r[0] = "/var/run/clamav/clamd.sock"; + $clamav_r[1] = "squid_clwarn.php"; + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); } } // c-icap.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")) { - $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default"); - if (!preg_match("/squid_clamav/",$sample_file)) - $sample_file.="\nService squid_clamav squidclamav.so\n"; - $cicap_m[0]="@Manager:Apassword\S+@"; - $cicap_r[0]=""; - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX); + // make a backup of default c-icap.conf.sample first + // unlike with other config files, the file distributed in package is called c-icap.conf.sample, not c-icap.conf.default + if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { + copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); + } + if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; } - } - //check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197) - $ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap'); + $cicap_m[0] = "@Manager:Apassword\S+@"; + $cicap_r[0] = ""; + // XXX: Bug #4615 + $logdir = ($settings['log_dir'] ? 
$settings['log_dir'] : '/var/squid/logs'); + $cicap_m[1] = "@DebugLevel\s1@"; + $cicap_r[1] = "DebugLevel 0"; + $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; + $cicap_r[2] = "AccessLog $logdir/c-icap-access.log"; + $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; + $cicap_r[3] = "ServerLog $logdir/c-icap-server.log"; + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); + } + + // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); foreach ($ln_icap as $ln) { - if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}")) - symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}"); + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { + symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); + } + } + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { + symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); } - if (!file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5")) - symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3"); - $loadsample=0; - if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))); + $loadsample = 0; + if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))); + if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample"))); + if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample"))); $loadsample++; } if ($loadsample > 0) { 
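Review bot: `$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');` reads `$settings`, which is not assigned in the visible part of squid_resync_antivirus(); the function works from `$antivirus_config`, and the `$squid_config` assignment was removed in the previous hunk. The c-icap logs would therefore always be pointed at the default directory. The `XXX: Bug #4615` marker may refer to this; if the Squid log directory is intended, read it from `$config['installedpackages']['squid']['config'][0]['log_dir']`. `$logdir` is also placed in a `preg_replace` replacement string, where `$` or `\` followed by a digit is taken as a backreference, so the two literal log-path substitutions are safer done with `str_replace`. The function starts before the hunk.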
@@ -1435,24 +1476,25 @@ EOF; "/var/db/clamav" => "clamav" ); foreach ($dirs as $dir_path => $dir_user) { - if (!is_dir($dir_path)) - @mkdir($dir_path, 0755, true); + safe_mkdir($dir_path, 0755); squid_chown_recursive($dir_path, $dir_user, "wheel"); } // Check clamav database - if (count(glob("/var/db/clamav/*d"))==0) { - log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background."); - mwexec_bg(SQUID_BASE."/bin/freshclam"); + if (count(glob("/var/db/clamav/*d")) == 0) { + log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); + mwexec_bg(SQUID_BASE . "/bin/freshclam"); } $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); - foreach ($rcd_files as $rcd_file) - if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) - symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); + foreach ($rcd_files as $rcd_file) { + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/etc/rc.d/{$rcd_file}")) { + symlink(SQUID_LOCALBASE . "/etc/rc.d/{$rcd_file}", "/usr/local/etc/rc.d/{$rcd_file}"); + } + } // write advanced icap config files - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX); - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX); - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); // check antivirus daemons // check icap 
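Review bot: The three `file_put_contents(..., base64_decode($antivirus_config[...]), LOCK_EX)` calls at the end of the hunk write whatever decodes, including an empty string when the setting is unset, and ignore the return value. c-icap can therefore be (re)started on an empty or truncated configuration with nothing in the log. Decoding strictly and writing only on success, e.g. `$raw = base64_decode($antivirus_config['c-icap_conf'], true);` followed by `if ($raw === false || $raw === '') { log_error("Squid - c-icap.conf is empty or not valid base64, not written."); }`, makes a broken antivirus configuration visible. Whether `$antivirus_config` is refreshed after the sample files are loaded into `$config` is decided outside the hunk.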
@@ -1460,38 +1502,39 @@ EOF; mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); } else { // check c-icap user on startup file - $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; + $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap"; if (file_exists($c_icap_rcfile)) { - $sample_file=file_get_contents($c_icap_rcfile); - $cicapm[0]="@c_icap_user=.*}@"; - $cicapr[0]='c_icap_user="clamav"}'; - $cicapm[1]="@/usr/local@"; - $cicapr[1]=SQUID_LOCALBASE; - file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX); + $sample_file = file_get_contents($c_icap_rcfile); + $cicapm[0] = "@c_icap_user=.*}@"; + $cicapr[0] = 'c_icap_user="clamav"}'; + $cicapm[1] = "@/usr/local@"; + $cicapr[1] = SQUID_LOCALBASE; + file_put_contents($c_icap_rcfile, preg_replace($cicapm, $cicapr, $sample_file), LOCK_EX); } mwexec_bg("/usr/local/etc/rc.d/c-icap start"); } // check clamav/freshclam - $rc_files=array("clamav-freshclam","clamav-clamd"); - $clamm[0]="@/usr/local/(bin|sbin)@"; - $clamm[1]="@/local/(bin|sbin)@"; - $clamm[2]="@/usr/local/etc@"; - $clamm[3]="@enable:=NO@"; - $clamr[0]=SQUID_BASE."/bin"; - $clamr[1]="/bin"; - $clamr[2]=SQUID_LOCALBASE."/etc"; - $clamr[3]="enable:=YES"; + $rc_files = array("clamav-freshclam", "clamav-clamd"); + $clamm[0] = "@/usr/local/(bin|sbin)@"; + $clamm[1] = "@/local/(bin|sbin)@"; + $clamm[2] = "@/usr/local/etc@"; + $clamm[3] = "@enable:=NO@"; + $clamr[0] = SQUID_BASE . "/bin"; + $clamr[1] = "/bin"; + $clamr[2] = SQUID_LOCALBASE . 
"/etc"; + $clamr[3] = "enable:=YES"; foreach ($rc_files as $rc_file) { - $clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}"; + $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; if (file_exists($clamav_rcfile)) { - $sample_file=file_get_contents($clamav_rcfile); - file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX); + $sample_file = file_get_contents($clamav_rcfile); + file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); } } - if (is_process_running("clamd")) + if (is_process_running("clamd")) { mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); - else + } else { mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); + } } return $conf; } 
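Review bot: Both rc.d rewrites in this hunk hand the result of `preg_replace()` straight to `file_put_contents()`, so a failed `file_get_contents()` or a `null` return from `preg_replace()` overwrites a root-run startup script with an empty file. Keeping the result in a variable and writing only when it is usable avoids that: `$patched = preg_replace($clamm, $clamr, $sample_file);` then `if (is_string($patched) && $patched !== '') { file_put_contents($clamav_rcfile, $patched, LOCK_EX); }`, and likewise for `$c_icap_rcfile`. These rewrites also run when `SQUID_LOCALBASE` is `/usr/local`, unlike the symlink code this commit now guards with `SQUID_LOCALBASE != '/usr/local'`; the hunk does not show whether that is intended.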
@@ -1499,40 +1542,48 @@ EOF; function squid_resync_traffic() { global $config, $valid_acls; - if (!is_array($valid_acls)) + if (!is_array($valid_acls)) { return; - if (is_array($config['installedpackages']['squidtraffic'])) + } + if (is_array($config['installedpackages']['squidtraffic'])) { $settings = $config['installedpackages']['squidtraffic']['config'][0]; - else + } else { $settings = array(); + } $conf = ''; - if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") + if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") { $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; - if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") + } + if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") { $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; - if (!empty($settings['quick_abort_pct'])) + } + if (!empty($settings['quick_abort_pct'])) { $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; + } $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0); $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0); $conf .= "request_body_max_size $up_limit KB\n"; - if ($down_limit != 0) + if ($down_limit != 0) { $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n"; + } // Only apply throttling past 10MB // XXX: Should this really be hardcoded? $threshold = 10 * 1024 * 1024; $overall = $settings['overall_throttling']; - if (!isset($overall) || ($overall == 0)) + if (!isset($overall) || ($overall == 0)) { $overall = -1; - else + } else { $overall *= 1024; + } $perhost = $settings['perhost_throttling']; - if (!isset($perhost) || ($perhost == 0)) + if (!isset($perhost) || ($perhost == 0)) { $perhost = -1; - else + } else { $perhost *= 1024; + } $conf .= <<< EOD delay_pools 1 delay_class 1 2 
@@ -1555,21 +1606,22 @@ EOD; $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com'; $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi'; $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m'; - foreach (array( 'throttle_binaries' => $binaries, - 'throttle_cdimages' => $cdimages, - 'throttle_multimedia' => $multimedia) as $field => $set) { - if ($settings[$field] == 'on') + foreach (array('throttle_binaries' => $binaries, 'throttle_cdimages' => $cdimages, 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') { $exts = array_merge($exts, explode(",", $set)); + } } foreach (explode(",", $settings['throttle_others']) as $ext) { - if (!empty($ext)) + if (!empty($ext)) { $exts[] = $ext; + } } $contents = ''; - foreach ($exts as $ext) + foreach ($exts as $ext) { $contents .= "\.$ext\$\n"; + } file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); $conf .= "# Throttle extensions matched in the url\n"; 
@@ -1598,24 +1650,27 @@ include('/usr/local/pkg/squid_reverse.inc'); function squid_resync_auth() { global $config, $valid_acls; - $write_config=0; + $write_config = 0; if (!is_array($config['installedpackages']['squidauth']['config'])) { - $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none"); + $config['installedpackages']['squidauth']['config'][] = array('auth_method'=> "none"); $write_config++; } $settings = $config['installedpackages']['squidauth']['config'][0]; - if (is_array($config['installedpackages']['squidnac']['config'])) + if (is_array($config['installedpackages']['squidnac']['config'])) { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - else + } else { $settingsnac = array(); + } - if (is_array($config['installedpackages']['squid']['config'])) + if (is_array($config['installedpackages']['squid']['config'])) { $settingsconfig = $config['installedpackages']['squid']['config'][0]; - else + } else { $settingsconfig = array(); + } - if ($write_config > 0) + if ($write_config > 0) { write_config(); + } $conf = ''; 
@@ -1627,17 +1682,17 @@ function squid_resync_auth() { // Package integration if (!empty($settingsconfig['custom_options'])) { - $co_preg[0]='/;/'; - $co_rep[0]="\n"; - $co_preg[1]="/redirect_program/"; - $co_rep[1]="url_rewrite_program"; - $co_preg[2]="/redirector_bypass/"; - $co_rep[2]="url_rewrite_bypass"; - $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n"; + $co_preg[0] = '/;/'; + $co_rep[0] = "\n"; + $co_preg[1] = "/redirect_program/"; + $co_rep[1] = "url_rewrite_program"; + $co_preg[2] = "/redirector_bypass/"; + $co_rep[2] = "url_rewrite_bypass"; + $conf .= "# Package Integration\n" . preg_replace($co_preg, $co_rep, $settingsconfig['custom_options']) . "\n\n"; } // Custom User Options before authentication acls - $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n"; + $conf .= "# Custom options before auth\n" . sq_text_area_decode($settingsconfig['custom_options_squid3']) . "\n\n"; // Deny the banned guys before allowing the good guys if (!empty($settingsnac['banned_hosts'])) { @@ -1655,7 +1710,7 @@ function squid_resync_auth() { // Unrestricted hosts take precedence over blacklist if (!empty($settingsnac['unrestricted_hosts'])) { - if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") { + if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth'] != "on") { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } 
@@ -1694,39 +1749,43 @@ function squid_resync_auth() { } // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) + if ($settingsconfig['log_sqd']) { $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; + } $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); if ($transparent_proxy) { - if (preg_match ("/(none|cp)/",$settings['auth_method'])) - $auth_method=$settings['auth_method']; - else - $auth_method="none"; + if (preg_match ("/(none|cp)/", $settings['auth_method'])) { + $auth_method = $settings['auth_method']; + } else { + $auth_method = "none"; + } } else { - $auth_method=$settings['auth_method']; + $auth_method = $settings['auth_method']; } // Allow the remaining ACLs if no authentication is set if ($auth_method == 'none' || $auth_method == 'cp') { // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny sglog\n"; + if ($settingsconfig['log_sqd']) { + $conf .= "http_access deny sglog\n"; + } } - if ($auth_method == 'none' ) { + if ($auth_method == 'none') { // SSL interception acl options part 2 without authentication if ($settingsconfig['ssl_proxy'] == "on") { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; } - $conf .="# Setup allowed acls\n"; + $conf .= "# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { $conf .= "# Allow local network(s) on interface(s)\n"; $allowed[] = "localnet"; } $allowed = array_filter($allowed, 'squid_is_valid_acl'); - foreach ($allowed as $acl) + foreach ($allowed as $acl) { $conf .= "http_access allow $acl\n"; + } } else { $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { 
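Review bot: `preg_match ("/(none|cp)/", $settings['auth_method'])` is unanchored, so in transparent mode any `auth_method` value that merely contains `none` or `cp` is accepted unchanged. An exact comparison such as `in_array($settings['auth_method'], array('none', 'cp'), true)` states the intent and cannot match a later-added method name by substring. The commit only reformats this line. squid_resync_auth() starts and ends outside the hunk.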
@@ -1739,26 +1798,26 @@ function squid_resync_auth() { $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { - case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; - break; - case 'ldap': - $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); - $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; - break; - case 'radius': - $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; - break; - case 'cp': - $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; - $conf .= "acl password external check_cp\n"; - break; - case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; - squid_resync_msnt(); - break; + case 'local': + $conf .= 'auth_param basic program ' . SQUID_LOCALBASE . '/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program " . SQUID_LOCALBASE . 
"/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'cp': + $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC " . SQUID_BASE . "/bin/check_ip.php\n"; + $conf .= "acl password external check_cp\n"; + break; + case 'msnt': + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; + squid_resync_msnt(); + break; } if ($auth_method != 'cp') { $conf .= <<< EOD @@ -1770,7 +1829,7 @@ acl password proxy_auth REQUIRED EOD; } // Custom User Options after authentication definition - $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n"; + $conf .= "# Custom options after auth\n" . sq_text_area_decode($settingsconfig['custom_options2_squid3']) . "\n\n"; // SSL interception acl options part 2 if ($settingsconfig['ssl_proxy'] == "on") { 
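Review bot: The `ldap` and `radius` cases put `ldap_pass` and `radius_secret` directly on the helper command line (`-w {$settings['ldap_pass']}`, `-w {$settings['radius_secret']}`), which places them in squid.conf and in the argument list of every running helper process. basic_ldap_auth accepts `-W secretfile` and basic_radius_auth accepts `-f configfile`; writing the secret to a file owned by `SQUID_UID` with mode 0600 and passing that path keeps it out of the process table. The values are also interpolated unquoted, so a password containing whitespace is split into several arguments, and `isset()` is true for an empty string, which yields a bare `-w`. The reindentation leaves all of this unchanged, and the switch sits inside squid_resync_auth(), which starts outside the hunk.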
@@ -1790,16 +1849,19 @@ EOD; $passwordless = array_filter($passwordless, 'squid_is_valid_acl'); // Allow the ACLs that don't need to authenticate - foreach ($passwordless as $acl) + foreach ($passwordless as $acl) { $conf .= "http_access allow $acl\n"; + } // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + if ($settingsconfig['log_sqd']) { + $conf .= "http_access deny password sglog\n"; + } // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) + foreach ($password as $acl) { $conf .= "http_access allow password $acl\n"; + } } $conf .= "# Default block all to be sure\n"; @@ -1814,8 +1876,9 @@ function squid_resync_users() { $users = $config['installedpackages']['squidusers']['config']; $contents = ''; if (is_array($users)) { - foreach ($users as $user) + foreach ($users as $user) { $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n"; + } } file_put_contents(SQUID_PASSWD, $contents); chown(SQUID_PASSWD, SQUID_UID); 
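Review bot: In squid_resync_users() the hash is built with `crypt($user['password'], base64_encode($user['password']))`, so the salt is derived from the password itself. The salt characters stored at the front of each hash then encode the start of the password, and equal passwords always give equal hashes. A salt with no `$n$` prefix typically selects traditional DES crypt, which only uses the first eight characters. The salt should come from a random source and select a scheme that basic_ncsa_auth accepts, for example an MD5-crypt salt of the form `$1$<random-salt>$`. The added braces do not change this, and the rest of the function is outside the hunk.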
@@ -1825,20 +1888,21 @@ function squid_resync_users() { function squid_resync_msnt() { global $config; - if (is_array($config['installedpackages']['squidauth'])) + if (is_array($config['installedpackages']['squidauth'])) { $settings = $config['installedpackages']['squidauth']['config'][0]; - else + } else { $settings = array(); + } $pdcserver = $settings['auth_server']; - $bdcserver = str_replace(',',' ',$settings['msnt_secondary']); + $bdcserver = str_replace(',', ' ', $settings['msnt_secondary']); $ntdomain = $settings['auth_ntdomain']; - file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}"); - chown(SQUID_CONFBASE."/msntauth.conf", SQUID_UID); - chmod(SQUID_CONFBASE."/msntauth.conf", 0600); + file_put_contents(SQUID_CONFBASE . "/msntauth.conf", "server {$pdcserver} {$bdcserver} {$ntdomain}"); + chown(SQUID_CONFBASE . "/msntauth.conf", SQUID_UID); + chmod(SQUID_CONFBASE . "/msntauth.conf", 0600); } -function squid_resync($via_rpc="no") { +function squid_resync($via_rpc = "no") { global $config; // detect boot process 
@@ -1846,20 +1910,19 @@ function squid_resync($via_rpc="no") { if (!platform_booting()) { unset($boot_process); } else { - $boot_process="on"; + $boot_process = "on"; } } - log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc); + log_error("[Squid] - Squid_resync function call pr:" . is_process_running('squid') . " bp:" . isset($boot_process) . " rpc:" . $via_rpc); - if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no") + if (is_process_running('squid') && isset($boot_process) && $via_rpc == "no") { return; + } conf_mount_rw(); - foreach (array( SQUID_CONFBASE, - SQUID_ACLDIR, - SQUID_SSL_DB ) as $dir) { - @mkdir($dir, 0755, true); + foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) { + safe_mkdir($dir, 0755); squid_chown_recursive($dir, SQUID_UID, SQUID_GID); } $conf = squid_resync_general() . "\n"; 
@@ -1869,58 +1932,87 @@ function squid_resync($via_rpc="no") { $conf .= squid_resync_nac() . "\n"; $conf .= squid_resync_traffic() . "\n"; $conf .= squid_resync_reverse() . "\n"; - $conf .= squid_resync_auth()."\n"; + $conf .= squid_resync_auth() . "\n"; $conf .= squid_resync_antivirus(); squid_resync_users(); squid_write_rcfile(); - if (!isset($boot_process) || $via_rpc="yes") + if (!isset($boot_process) || $via_rpc == "yes") { squid_sync_on_changes(); + } // write config file file_put_contents(SQUID_CONFFILE, $conf); /* make sure pinger is executable and suid root */ // XXX: Bug #5114 - if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) - chgrp(SQUID_LOCALBASE. "/libexec/squid/pinger", SQUID_GID); + if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) { + chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID); + } - $log_dir=""; - // check if squid is enabled + $log_dir = ""; + $squid_enabled = false; if (is_array($config['installedpackages']['squid']['config'])) { - if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") - $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; - } - // check if squidreverse is enabled - else if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") - $log_dir="/var/squid/logs/"; + // check if Squid is enabled + if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { + $squid_enabled = true; + } + } elseif (is_array($config['installedpackages']['squidreversegeneral']['config'])) { + // check if squidreverse is enabled + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { + $squid_enabled = true; + } } - // do not start squid if there is no log dir - if ($log_dir != "") { - if (!is_dir($log_dir)) { - log_error("Creating squid log dir $log_dir"); - @mkdir($log_dir, 0755, 
true); - squid_chown_recursive($log_dir, SQUID_UID, SQUID_GID); + // create log dir if required + if (is_array($config['installedpackages']['squid']['config'])) { + if ($config['installedpackages']['squid']['config'][0]['log_dir'] != "") { + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'] . '/'; } + } else { + $log_dir = "/var/squid/logs/"; + } + if (!is_dir($log_dir)) { + log_error("Creating Squid log dir $log_dir"); + safe_mkdir($log_dir, 0755); + squid_chown_recursive($log_dir, SQUID_UID, SQUID_GID); + } - squid_dash_z(); + // check cache dir and create if necessary + squid_dash_z(); + // reconfigure and (re)start service as needed if enabled, otherwise stop them + // do not (re)start squid services on boot + if ((!isset($boot_process)) && ($squid_enabled)) { + /* kill any running proxy alarm scripts */ + log_error("Stopping any running proxy monitors"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + sleep(1); if (!is_service_running('squid')) { log_error("Starting Squid"); mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); - } else if (!isset($boot_process)) { + } else { log_error("Reloading Squid for configuration sync"); mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } - - // Sleep for a couple seconds to give squid a chance to fire up fully. - for ($i=0; $i < 10; $i++) { - if (!is_service_running('squid')) + // sleep for a couple seconds to give squid a chance to fire up fully. 
+ for ($i = 0; $i < 10; $i++) { + if (!is_service_running('squid')) { sleep(1); + } } - filter_configure(); + /* restart proxy alarm scripts */ + log_error("Starting a proxy monitor script"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); + } elseif (!$squid_enabled) { + /* Squid is disabled - kill any running proxy alarm scripts and stop Squid services */ + log_error("Stopping any running proxy monitors"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + sleep(1); + log_error("Stopping Squid"); + stop_service("squid"); } + + filter_configure(); conf_mount_ro(); } @@ -1931,7 +2023,7 @@ function squid_print_javascript_auth() { // No authentication for transparent proxy if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $javascript = <<< EOD -<script language="JavaScript"> +<script type="text/javascript"> <!-- function on_auth_method_changed() { document.iform.auth_method.disabled = 1; @@ -1958,7 +2050,7 @@ function on_auth_method_changed() { EOD; } else { $javascript = <<< EOD -<script language="JavaScript"> +<script type="text/javascript"> <!-- function on_auth_method_changed() { var field = document.iform.auth_method; 
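Review bot: When the `squid` config array exists but its `log_dir` is empty, `$log_dir` keeps its initial value `""`, so `!is_dir($log_dir)` is true and `safe_mkdir("", 0755)` and `squid_chown_recursive("", SQUID_UID, SQUID_GID)` run on an empty path. Initialising with the default, `$log_dir = "/var/squid/logs/";`, and overriding it only when a directory is configured removes that case and makes the trailing `else` unnecessary. The configured path is created and recursively chowned as root, so checking that it is an absolute path before use would also be worth adding. squid_resync() starts outside the hunk.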
@@ -2072,68 +2164,53 @@ EOD; } function squid_print_javascript_auth2() { - print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n"); + print("<script type=\"text/javascript\">on_auth_method_changed()</script>\n"); } function squid_generate_rules($type) { - global $config; + global $config, $pfs_version; $squid_conf = $config['installedpackages']['squid']['config'][0]; //check captive portal option - $cp_file='/etc/inc/captiveportal.inc'; - $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); + $cp_file = '/etc/inc/captiveportal.inc'; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $cp_inc = file($cp_file); - $new_cp_inc=""; + $new_cp_inc = ""; $found_rule=0; foreach ($cp_inc as $line) { - $new_line=$line; + $new_line = $line; //remove applied squid patch - if (preg_match('/skipto 65314 ip/',$line)) { + if (preg_match('/skipto 65314 ip/', $line)) { $found_rule++; - $new_line =""; + $new_line = ""; } - if (substr($pfsense_version,0,3) > 2.0) { - if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']) { - $found_rule++; - $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - } - } else { - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']) { - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; - } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']) { - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; - } + if (preg_match('/255.255.255.255/', $line) && $squid_conf['patch_cp']) { + $found_rule++; + $new_line .= "\t" . 
'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} ' . $port . ' in\n";' . "\n"; + $new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} ' . $port . ' to any out\n";' . "\n"; } $new_cp_inc .= $new_line; } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + if (!file_exists('/root/' . $pfs_version . '.captiveportal.inc.backup')) { + copy($cp_file, '/root/' . $pfs_version . '.captiveportal.inc.backup'); } if ($found_rule > 0) { - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + file_put_contents($cp_file, $new_cp_inc, LOCK_EX); } - //normal squid rule check + // normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; } if (!is_service_running('squid')) { - log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); + log_error("Squid is installed but not started. Not installing \"{$type}\" rules."); return; } // Read assigned interfaces $proxy_ifaces = explode(",", $squid_conf['active_interface']); $proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces); - if ($squid_conf['transparent_proxy']=="on") { + if ($squid_conf['transparent_proxy'] == "on") { $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']); $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces); } else { 
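Review bot: `$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);` reads `$settings`, which squid_generate_rules() never assigns in the visible lines (the configuration is held in `$squid_conf`), so the rules patched into captiveportal.inc always use 3128. If this is corrected to `$squid_conf['proxy_port']`, note that `$port` is concatenated into PHP source that is written to `/etc/inc/captiveportal.inc`. It should be forced to an integer first, e.g. `$port = (int)$squid_conf['proxy_port'] ?: 3128;`, so that a malformed setting cannot become code in a system include. The function continues past the end of the hunk.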
@@ -2150,118 +2227,123 @@ function squid_generate_rules($type) { $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127); $fw_aliases = filter_generate_aliases(); - if (strstr($fw_aliases, "pptp =")) + if (strstr($fw_aliases, "pptp =")) { $PPTP_ALIAS = "\$pptp"; - else + } else { $PPTP_ALIAS = "\$PPTP"; - if (strstr($fw_aliases, "PPPoE =")) + } + if (strstr($fw_aliases, "PPPoE =")) { $PPPOE_ALIAS = "\$PPPoE"; - else + } else { $PPPOE_ALIAS = "\$pppoe"; + } // define ports based on transparent options and ssl filtering - $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80"); + $pf_rule_port = ($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80"); switch($type) { - case 'nat': - $rules .= "\n# Setup Squid proxy redirect\n"; - if ($squid_conf['private_subnet_proxy_off'] == 'on') { - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + } } - /* Handle PPTP case */ - if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if (!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) { + $ip_proxy_off = '$' . $ip_proxy_off; + } + $exempt_ip .= ", $ip_proxy_off"; + } + } + $exempt_ip = substr($exempt_ip, 2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + } } - } - if (!empty($squid_conf['defined_ip_proxy_off'])) { - $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); - $exempt_ip = ""; - foreach ($defined_ip_proxy_off as $ip_proxy_off) { - if (!empty($ip_proxy_off)) { - $ip_proxy_off = trim($ip_proxy_off); - if (is_alias($ip_proxy_off)) - $ip_proxy_off = '$'.$ip_proxy_off; - $exempt_ip .= ", $ip_proxy_off"; + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if (!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) { + $ip_proxy_off_dest = '$' . $ip_proxy_off_dest; + } + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest, 2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; } } - $exempt_ip = substr($exempt_ip,2); - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; + foreach ($transparent_ifaces as $t_iface) { + $pf_transparent_rule_port = (in_array($t_iface, $ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; + if (in_array($t_iface, $ssl_ifaces)) { + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + } } /* Handle PPPOE case */ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; } /* Handle PPTP case */ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; - } - } - if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { - $defined_ip_proxy_off_dest = explode(";", 
$squid_conf['defined_ip_proxy_off_dest']); - $exempt_dest = ""; - foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { - if (!empty($ip_proxy_off_dest)) { - $ip_proxy_off_dest = trim($ip_proxy_off_dest); - if (is_alias($ip_proxy_off_dest)) - $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; - $exempt_dest .= ", $ip_proxy_off_dest"; - } + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; } - $exempt_dest = substr($exempt_dest,2); + $rules .= "\n"; + break; + case 'filter': + case 'rule': foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; + $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; + // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; + $rules .= "\n"; } - /* Handle PPPOE case */ - if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; } - /* Handle PPTP case */ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; 
} - } - foreach ($transparent_ifaces as $t_iface) { - $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; - if (in_array($t_iface,$ssl_ifaces)) - $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; - } - /* Handle PPPOE case */ - if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; - } - /* Handle PPTP case */ - if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; - } - $rules .= "\n"; - break; - case 'filter': - case 'rule': - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); - $rules .= "# Setup squid pass rules for proxy\n"; - $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; - // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; - $rules .= "\n"; - }; - if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { - $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; - } - if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; - } - break; - default: - break; + break; + default: + break; } return $rules; 
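Review bot: Entries from `defined_ip_proxy_off` and `defined_ip_proxy_off_dest` are spliced into the `no rdr` rules after only a `trim()`, and the `!empty()` test runs before that trim, so a whitespace-only entry leaves a stray comma, a value such as `;` produces an empty `{ }` list, and anything that is not an alias, address or network reaches the ruleset verbatim. A rule that pf rejects can keep the generated ruleset from loading, so each entry is worth checking at this point even if the GUI form already validates it (not visible in this hunk). The sketch below trims first and accepts only aliases, addresses and subnets; the same shape applies to the `_dest` loop, and the `no rdr` lines should be emitted only when the resulting list is non-empty. The function starts before this hunk.

```php
foreach ($defined_ip_proxy_off as $ip_proxy_off) {
	$ip_proxy_off = trim($ip_proxy_off);
	if ($ip_proxy_off == "") {
		continue;
	}
	if (is_alias($ip_proxy_off)) {
		$exempt_ip .= ', $' . $ip_proxy_off;
	} elseif (is_ipaddr($ip_proxy_off) || is_subnet($ip_proxy_off)) {
		$exempt_ip .= ", $ip_proxy_off";
	} else {
		log_error("[squid] Ignoring invalid bypass entry in defined_ip_proxy_off.");
	}
}
// … unchanged: substr() removal of the leading ", " …
if ($exempt_ip != "") {
	// … unchanged: per-interface, PPPoE and PPTP "no rdr" rules …
}
```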
@@ -2269,35 +2351,35 @@ function squid_generate_rules($type) { function squid_write_rcfile() { /* Declare a variable for the SQUID_CONFFILE constant. */ - /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. */ + /* Then the variable can be referenced easily in the heredoc text that generates the rc file. */ $squid_conffile_var = SQUID_CONFFILE; $squid_base = SQUID_BASE; $rc = array(); $rc['file'] = 'squid.sh'; - $rc['start'] = <<<EOD -#sysctl net.inet.ip.portrange.reservedhigh=0 -if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then + $rc['start'] = <<< EOD +#/sbin/sysctl net.inet.ip.portrange.reservedhigh=0 +if [ -z "`/bin/ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then {$squid_base}/sbin/squid -f {$squid_conffile_var} fi EOD; - $rc['stop'] = <<<EOD + $rc['stop'] = <<< EOD {$squid_base}/sbin/squid -k shutdown -f {$squid_conffile_var} # Just to be sure... sleep 5 -if [ -f /usr/bin/ipcs ];then +if [ -x /usr/bin/ipcs ]; then # http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-22.html#ss22.8 -ipcs | grep '^[mq]' | awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh +/usr/bin/ipcs | /usr/bin/grep '^[mq]' | /usr/bin/awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh fi -killall -9 squid 2>/dev/null -killall pinger 2>/dev/null +/usr/bin/killall -9 squid 2>/dev/null +/usr/bin/killall pinger 2>/dev/null EOD; - $rc['restart'] = <<<EOD -if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then + $rc['restart'] = <<< EOD +if [ -z "`ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then {$squid_base}/sbin/squid -f {$squid_conffile_var} else {$squid_base}/sbin/squid -k reconfigure -f {$squid_conffile_var} 
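Review bot: The `restart` heredoc still calls `ps auxw` without a path although `start` was changed to `/bin/ps`, and the `awk` program in `stop` still prints a bare `ipcrm` command that is piped to `/bin/sh`, so both lookups keep depending on the caller's PATH, which the rest of this change removes. Using `/bin/ps auxw` in `restart` and a full path for `ipcrm` inside the `printf` format would make the three blocks consistent. As written, the `ipcs` pipeline with `grep '^[mq]'` selects every shared-memory segment and message queue that `ipcs` lists, not only Squid's, so a comment in the heredoc stating that this is intended would help the next reader. `squid_write_rcfile()` continues past the end of the hunk.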
@@ -2313,46 +2395,48 @@ EOD; function squid_sync_on_changes() { global $config, $g; if (is_array($config['installedpackages']['squidsync']['config'])) { - $squid_sync=$config['installedpackages']['squidsync']['config'][0]; + $squid_sync = $config['installedpackages']['squidsync']['config'][0]; $synconchanges = $squid_sync['synconchanges']; $synctimeout = $squid_sync['synctimeout']; switch ($synconchanges) { - case "manual": - if (is_array($squid_sync[row])) { - $rs=$squid_sync[row]; - } else { - log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config."); - return; - } - break; - case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { - $system_carp=$config['installedpackages']['carpsettings']['config'][0]; - $rs[0]['ipaddress']=$system_carp['synchronizetoip']; - $rs[0]['username']=$system_carp['username']; - $rs[0]['password']=$system_carp['password']; - } else { - log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + case "manual": + if (is_array($squid_sync['row'])) { + $rs = $squid_sync['row']; + } else { + log_error("[squid] XMLRPC sync is enabled but there is no hosts to push on Squid config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { + $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else { + log_error("[squid] XMLRPC sync is enabled but there is no system backup hosts to push Squid config."); + return; + } + break; + default: return; - } - break; - default: - return; - break; + break; } if (is_array($rs)) { - log_error("[squid] xmlrpc sync is starting."); + log_error("[squid] 
XMLRPC sync is starting."); foreach ($rs as $sh) { $sync_to_ip = $sh['ipaddress']; $password = $sh['password']; - if ($sh['username']) + if ($sh['username']) { $username = $sh['username']; - else + } else { $username = 'admin'; - if ($password && $sync_to_ip) - squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + if ($password && $sync_to_ip) { + squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + } } - log_error("[squid] xmlrpc sync is ending."); + log_error("[squid] XMLRPC sync is ending."); } } } @@ -2360,17 +2444,21 @@ function squid_sync_on_changes() { function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; - if (!$username) + if (!$username) { return; + } - if (!$password) + if (!$password) { return; + } - if (!$sync_to_ip) + if (!$sync_to_ip) { return; + } - if (!$synctimeout) - $synctimeout=250; + if (!$synctimeout) { + $synctimeout = 250; + } $xmlrpc_sync_neighbor = $sync_to_ip; @@ -2379,7 +2467,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $synchronizetoip .= "://"; } $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ + /* If port is empty let's rely on the protocol selection */ if ($port == "") { if ($config['system']['webgui']['protocol'] == "http") $port = "80"; @@ -2388,7 +2476,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { } $synchronizetoip .= $sync_to_ip; - /* xml will hold the sections to sync */ + /* XML will hold the sections to sync */ $xml = array(); $xml['squid'] = $config['installedpackages']['squid']; $xml['squidupstream'] = $config['installedpackages']['squidupstream']; 
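Review bot: In the `foreach ($rs as $sh)` loop of `squid_sync_on_changes()`, a target with an empty password or address is skipped without any log entry, so the log shows the "sync is starting" and "sync is ending" messages although nothing was pushed to that host. An `else` branch on `if ($password && $sync_to_ip)` such as `log_error("[squid] XMLRPC sync skipped: target address or password missing.");` would make a misconfigured sync target visible. The message should name at most the address, never the password.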
@@ -2401,64 +2489,65 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $xml['squidreverseuri'] = $config['installedpackages']['squidreverseuri']; $xml['squidauth'] = $config['installedpackages']['squidauth']; $xml['squidusers'] = $config['installedpackages']['squidusers']; - /* assemble xmlrpc payload */ + /* Assemble XMLRPC payload */ $params = array( XML_RPC_encode($password), XML_RPC_encode($xml) ); - /* set a few variables needed for sync code borrowed from filter.inc */ + /* Set a few variables needed for sync */ $url = $synchronizetoip; - log_error("[Squid] Beginning squid XMLRPC sync to {$url}:{$port}."); + log_error("[squid] Beginning Squid XMLRPC sync to {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - if ($g['debug']) + if ($g['debug']) { $cli->setDebug(1); - /* send our XMLRPC message and timeout after defined sync timeout value*/ + } + /* Send our XMLRPC message and timeout after defined sync timeout value*/ $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; + $error = "A communication error occurred while attempting Squid XMLRPC sync with {$url}:{$port}."; log_error($error); - file_notice("sync_settings", $error, "squid Settings Sync", ""); + file_notice("sync_settings", $error, "Squid Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); - $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "An error code was received while attempting Squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); log_error($error); - file_notice("sync_settings", $error, "squid Settings Sync", ""); + file_notice("sync_settings", $error, "Squid Settings Sync", ""); } else { - log_error("[Squid] XMLRPC sync successfully completed with {$url}:{$port}."); + log_error("[squid] XMLRPC sync successfully completed with {$url}:{$port}."); } - /* tell squid to reload our settings on the destination sync host. */ + /* Tell Squid to reload our settings on the destination sync host. */ $method = 'pfsense.exec_php'; - $execcmd = "require_once('/usr/local/pkg/squid.inc');\n"; + $execcmd = "require_once('/usr/local/pkg/squid.inc');\n"; $execcmd .= "squid_resync('yes');"; - /* assemble xmlrpc payload */ + /* Assemble XMLRPC payload */ $params = array( XML_RPC_encode($password), XML_RPC_encode($execcmd) ); - log_error("[Squid] XMLRPC reload data {$url}:{$port}."); + log_error("[squid] XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + $error = "A communication error occurred while attempting Squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); - file_notice("sync_settings", $error, "squid Settings Sync", ""); + file_notice("sync_settings", $error, "Squid Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); - $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "[Squid] An error code was received while attempting Squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . 
$resp->faultString(); log_error($error); - file_notice("sync_settings", $error, "squid Settings Sync", ""); + file_notice("sync_settings", $error, "Squid Settings Sync", ""); } else { - log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + log_error("Squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); } } diff --git a/config/squid3/34/squid.priv.inc b/config/squid3/34/squid.priv.inc new file mode 100644 index 00000000..66607c86 --- /dev/null +++ b/config/squid3/34/squid.priv.inc 
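Review bot: In both `elseif ($resp->faultCode())` branches of `squid_do_xmlrpc_sync()` the message is sent a second time after `setDebug(1)`, and the new `$resp` is then dereferenced with `faultCode()` and `faultString()` without repeating the `!$resp` check, so a failed resend would end in a method call on a non-object. The resend also transmits the password parameter again and, in the `pfsense.exec_php` branch, asks the peer to run `squid_resync('yes')` a second time; whether the client's debug output exposes the payload should be confirmed against the XML_RPC library. Building `$error` from the first response and removing `$cli->setDebug(1);` and `$resp = $cli->send($msg, $synctimeout);` from the fault branches avoids these problems. The function begins before this hunk.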
@@ -0,0 +1,63 @@ +<?php +/* + squid.priv.inc + part of pfSense (http://www.pfSense.org/) + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +global $priv_list; + +$priv_list['page-services-squid3'] = array(); +$priv_list['page-services-squid3']['name'] = "WebCfg - Services: Squid3 package"; +$priv_list['page-services-squid3']['descr'] = "Allow access to Squid3 package GUI"; +$priv_list['page-services-squid3']['match'] = array(); + +$priv_list['page-services-squid3']['match'][] = "pkg.php?xml=squid_reverse_peer.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg.php?xml=squid_reverse_redir.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg.php?xml=squid_reverse_uri.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg.php?xml=squid_upstream.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg.php?xml=squid_users.xml*"; + +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_antivirus.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_auth.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_cache.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_nac.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_reverse.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_reverse_general.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_reverse_peer.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_reverse_redir.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_reverse_sync.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_reverse_uri.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_sync.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_traffic.xml*"; +$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_upstream.xml*"; 
+$priv_list['page-services-squid3']['match'][] = "pkg_edit.php?xml=squid_users.xml*"; + +$priv_list['page-services-squid3']['match'][] = "shortcuts/pkg_squid.inc*"; +$priv_list['page-services-squid3']['match'][] = "squid_monitor.php*"; +$priv_list['page-services-squid3']['match'][] = "squid_monitor_data.php*"; +$priv_list['page-services-squid3']['match'][] = "squid_log_parser.php*"; + +?> diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 96f2610c..ded59d42 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml 
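Review bot: The single privilege `page-services-squid3` matches `pkg_edit.php?xml=squid_sync.xml*` and `pkg_edit.php?xml=squid_users.xml*` together with the monitoring pages, so a user who is only meant to watch the proxy would presumably also reach the XMLRPC sync settings, and `squid_sync_on_changes()` in this commit reads a peer username and password from that section. Splitting the sync and user-management pages into a separate privilege entry, or at least stating in `descr` that the privilege covers sync credentials and local proxy users, would let administrators delegate monitoring without that access. The closing `?>` can also be dropped in a PHP-only file.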
@@ -2,62 +2,58 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2013-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squid</name> - <version>0.2.8</version> - <title>Proxy server: General settings</title> + <version>0.3.5</version> + <title>Proxy Server: General Settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <menu> - <name>Proxy server</name> - <tooltiptext>Modify the proxy server's settings</tooltiptext> + <name>Squid Proxy Server</name> + <tooltiptext>Modify the proxy server settings</tooltiptext> <section>Services</section> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </menu> <menu> - <name>Reverse Proxy</name> - <tooltiptext>Modify the proxy reverse server's settings</tooltiptext> + <name>Squid Reverse Proxy</name> + <tooltiptext>Modify the reverse proxy server settings</tooltiptext> <section>Services</section> <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> </menu> @@ -65,19 +61,19 @@ <name>squid</name> <rcfile>squid.sh</rcfile> <executable>squid</executable> - <description>Proxy server Service</description> + <description>Squid Proxy Server Service</description> </service> <service> <name>clamd</name> <rcfile>clamav-clamd</rcfile> <executable>clamd</executable> - <description>Clamav Antivirus</description> + <description>ClamAV Antivirus</description> </service> <service> <name>c-icap</name> <rcfile>c-icap</rcfile> <executable>c-icap</executable> - <description>Icap inteface for squid and clamav integration</description> + <description>ICAP Inteface for Squid and ClamAV integration</description> </service> <tabs> <tab> @@ -114,7 +110,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> 
@@ -122,143 +118,140 @@ <url>/pkg_edit.php?xml=squid_sync.xml</url> </tab> </tabs> - <!-- Installation --> + <!-- START INC files --> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> + <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/squid3/34/squid.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_peer.xml</item> + <prefix>/usr/local/www/shortcuts/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_uri.xml</item> + <prefix>/etc/inc/priv/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid.priv.inc</item> </additional_files_needed> + <!-- END INC files --> + <!-- START XML files --> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_sync.xml</item> + <prefix>/usr/local/pkg/</prefix> + 
<item>https://packages.pfsense.org/packages/config/squid3/34/squid_auth.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> + <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/squid3/34/squid_cache.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> + <prefix>/usr/local/pkg/</prefix> <item>https://packages.pfsense.org/packages/config/squid3/34/squid_nac.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_upstream.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_peer.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_redir.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - 
<item>https://packages.pfsense.org/packages/config/squid3/34/squid_auth.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_sync.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_users.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_uri.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.xml</item> + <prefix>/usr/local/pkg/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_sync.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/sqpmon.sh</item> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/swapstate_check.php</item> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_upstream.xml</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_redir.xml</item> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_users.xml</item> </additional_files_needed> + <!-- END XML files --> + <!-- START additional PHP files --> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>0755</chmod> + <prefix>/usr/local/www/</prefix> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_clwarn.php</item> 
+ </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> <item>https://packages.pfsense.org/packages/config/squid3/34/squid_monitor.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>0755</chmod> + <prefix>/usr/local/www/</prefix> <item>https://packages.pfsense.org/packages/config/squid3/34/squid_monitor_data.php</item> </additional_files_needed> + <!-- END additional PHP files --> + <!-- START executable CLI scripts --> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php</item> + <prefix>/usr/local/bin/</prefix> + <chmod>0755</chmod> + <item>https://packages.pfsense.org/packages/config/squid3/34/check_ip.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_clwarn.php</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>https://packages.pfsense.org/packages/config/squid3/34/sqpmon.sh</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/www/shortcuts/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc</item> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/bin/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/check_ip.php</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>https://packages.pfsense.org/packages/config/squid3/34/swapstate_check.php</item> </additional_files_needed> + <!-- END executable CLI scripts --> + <advanced_options>enabled</advanced_options> <fields> <field> <name>Squid 
General Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>Proxy interface(s)</fielddescr> + <fielddescr>Proxy Interface(s)</fielddescr> <fieldname>active_interface</fieldname> - <description>The interface(s) the proxy server will bind to.</description> + <description> + <![CDATA[ + The interface(s) the proxy server will bind to.<br/> + <strong>Note: Use CTRL + click to select multiple interfaces.</strong> + ]]> + </description> <type>interfaces_selection</type> <required/> <default_value>lan</default_value> <multiple/> </field> <field> - <fielddescr>Proxy port</fielddescr> + <fielddescr>Proxy Port</fielddescr> <fieldname>proxy_port</fieldname> <description>This is the port the proxy server will listen on.</description> <type>input</type> 
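Review bot: `squid_log_parser.php` is now listed under "executable CLI scripts" with `<chmod>0755</chmod>`, but its `<prefix>` is still `/usr/local/www/`, the directory that also receives the GUI pages `squid_monitor.php` and `squid_clwarn.php`. If it is only meant to be run from the command line, installing it beside `sqpmon.sh` and `swapstate_check.php` with `<prefix>/usr/local/pkg/</prefix>` would keep it from being requestable through the web server. That presumably needs the caller's path updated too, which is not visible in this hunk. If it must stay where it is, a comment such as `<!-- squid_log_parser.php stays under www because ... -->` would record the reason.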
@@ -267,44 +260,71 @@ <default_value>3128</default_value> </field> <field> - <fielddescr>ICP port</fielddescr> + <fielddescr>ICP Port</fielddescr> <fieldname>icp_port</fieldname> - <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> + <description> + <![CDATA[ + This is the port the proxy server will send and receive ICP queries to and from neighbor caches.<br/> + Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP. + ]]> + </description> <type>input</type> <size>5</size> </field> <field> - <fielddescr>Allow users on interface</fielddescr> + <fielddescr>Allow Users on Interface</fielddescr> <fieldname>allow_interface</fieldname> - <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description> + <description> + <![CDATA[ + If checked, the users connected to the interface(s) selected in the 'Proxy interface(s)' field will be allowed to use the proxy.<br/> + There will be no need to add the interface's subnet to the list of allowed subnets. 
+ ]]> + </description> <type>checkbox</type> - <required/> <default_value>on</default_value> </field> <field> - <fielddescr>Patch captive portal</fielddescr> + <fielddescr>Patch Captive Portal</fielddescr> <fieldname>patch_cp</fieldname> - <description><![CDATA[Enable this option to force captive portal to non transparent proxy users.<br> - <strong>NOTE:</strong> You may need to reapply captive portal config after changing this option.]]></description> + <description> + <![CDATA[ + Enable this option to force Captive Portal to non transparent proxy users.<br/> + <strong>Note:</strong> You may need to reapply Captive Portal settings after changing this option.<br/> + <strong><span class="errmsg">Warning:</span> This alters /etc/inc/captiveportal.inc file! USE WITH CAUTION!</strong> (A backup is made available under /root directory.) + ]]> + </description> <type>checkbox</type> </field> <field> - <fielddescr>Resolv dns v4 first</fielddescr> + <fielddescr>Resolve DNS IPv4 First</fielddescr> <fieldname>dns_v4_first</fieldname> - <description><![CDATA[Enable this option to force dns v4 lookup first. This option is very usefull if you have problems to access https sites.]]></description> + <description> + <![CDATA[ + Enable this to force DNS IPv4 lookup first. This option is very useful if you have problems accessing HTTPS sites. + ]]> + </description> <type>checkbox</type> </field> <field> <fielddescr>Disable ICMP</fielddescr> <fieldname>disable_pinger</fieldname> - <description><![CDATA[Enable this option to disable squid ICMP pinger helper.]]></description> + <description> + <![CDATA[ + Check this to disable Squid ICMP pinger helper. 
+ ]]> + </description> <type>checkbox</type> </field> <field> - <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> + <fielddescr>Use Alternate DNS Servers for the Proxy Server</fielddescr> <fieldname>dns_nameservers</fieldname> - <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> + <description> + <![CDATA[ + If you want to use DNS servers other than the DNS forwarder/resolver configured in pfSense, enter the IP(s) here.<br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> <size>70</size> </field> 
@@ -313,59 +333,88 @@ <type>listtopic</type> </field> <field> - <fielddescr>Transparent HTTP proxy</fielddescr> + <fielddescr>Transparent HTTP Proxy</fielddescr> <fieldname>transparent_proxy</fieldname> - <description><![CDATA[Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration necessary.<br> - <strong>NOTE:</strong> Transparent mode will filter ssl(port 443) if enable men-in-the-middle options below.<br> - To filter both http and https protocol without intercepting ssl connections, enable WPAD/PAC options on your dns/dhcp.]]></description> + <description> + <![CDATA[ + Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration being necessary.<br/> + <strong>Note:</strong> Transparent mode will filter SSL (port 443) if you enable man-in-the-middle options below.<br/> + In order to proxy both HTTP and HTTPS protocols without intercepting SSL connections, configure WPAD/PAC options on your DNS/DHCP servers. 
+ ]]> + </description> <type>checkbox</type> - <enablefields>transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> - <required/> + <enablefields>transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> </field> <field> - <fielddescr>Transparent Proxy interface(s)</fielddescr> + <fielddescr>Transparent Proxy Interface(s)</fielddescr> <fieldname>transparent_active_interface</fieldname> - <description>The interface(s) the proxy server will transparent intercept requests.</description> + <description> + <![CDATA[ + The interface(s) the proxy server will transparently intercept requests on.<br/> + <strong>Note: Use CTRL + click to select multiple interfaces.</strong> + ]]> + </description> <type>interfaces_selection</type> <required/> <default_value>lan</default_value> <multiple/> </field> <field> - <fielddescr>Bypass proxy for Private Address destination</fielddescr> + <fielddescr>Bypass Proxy for Private Address Destination</fielddescr> <fieldname>private_subnet_proxy_off</fieldname> - <description>Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall.</description> + <description> + <![CDATA[ + Do not forward traffic to Private Address Space (RFC 1918) <strong>destinations</strong> through the proxy server but let is pass directly through the firewall. + ]]> + </description> <type>checkbox</type> </field> <field> - <fielddescr>Bypass proxy for these source IPs</fielddescr> + <fielddescr>Bypass Proxy for These Source IPs</fielddescr> <fieldname>defined_ip_proxy_off</fieldname> - <description>Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). 
[Applies only to transparent mode]</description> + <description> + <![CDATA[ + Do not forward traffic from these <strong>source</strong> IPs, CIDR nets, hostnames, or aliases through the proxy server but let it pass directly through the firewall. + (Applies only to transparent mode.)<br/><br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> - <size>70</size> + <size>70</size> </field> <field> - <fielddescr>Bypass proxy for these destination IPs</fielddescr> + <fielddescr>Bypass Proxy for These Destination IPs</fielddescr> <fieldname>defined_ip_proxy_off_dest</fieldname> - <description>Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> + <description> + <![CDATA[ + Do not proxy traffic going to these <strong>destination</strong> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.<br/> + (Applies only to transparent mode.)<br/><br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> - <size>70</size> + <size>70</size> </field> <field> - <name>SSL man in the middle Filtering</name> + <name>SSL Man In the Middle Filtering</name> <type>listtopic</type> </field> <field> <fielddescr>HTTPS/SSL interception</fielddescr> <fieldname>ssl_proxy</fieldname> - <description><![CDATA[Enable SSL filtering.]]></description> + <description>Enable SSL filtering.</description> <type>checkbox</type> - <enablefields>ssl_active_interface,dcert,sslcrtd_children,ssl_proxy_port,interception_checks</enablefields> + <enablefields>ssl_active_interface,dca,sslcrtd_children,ssl_proxy_port,interception_checks</enablefields> </field> <field> - <fielddescr>SSL Intercept interface(s)</fielddescr> + <fielddescr>SSL Intercept Interface(s)</fielddescr> <fieldname>ssl_active_interface</fieldname> - 
<description>The interface(s) the proxy server will intercept ssl requests.</description> + <description> + <![CDATA[ + The interface(s) the proxy server will intercept SSL requests on.<br/> + <strong>Note: Use CTRL + click to select multiple interfaces.</strong> + ]]> + </description> <type>interfaces_selection</type> <required/> <default_value>lan</default_value> @@ -374,7 +423,7 @@ <field> <fielddescr>SSL Proxy port</fielddescr> <fieldname>ssl_proxy_port</fieldname> - <description>This is the port the proxy server will listen on to intercept ssl while using transparent proxy.</description> + <description>This is the port the proxy server will listen on to intercept SSL while using transparent proxy.</description> <type>input</type> <size>5</size> <default_value>3129</default_value> 
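Review bot: The `ssl_proxy` description stays at `Enable SSL filtering.`, which does not tell an administrator that enabling it makes the proxy decrypt client HTTPS sessions using the CA chosen in `dca`. I would spell that out, for example `Enable SSL interception. The proxy decrypts HTTPS traffic and presents certificates signed by the CA selected below; clients must trust that CA.` In the same hunk the new `private_subnet_proxy_off` text has a typo, `but let is pass directly`, which should read `but let it pass directly`.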
@@ -382,44 +431,62 @@ <field> <fielddescr>CA</fielddescr> <fieldname>dca</fieldname> - <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br> - To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br> - Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description> - <type>select_source</type> + <description> + <![CDATA[ + Select Certificate Authority to use when SSL interception is enabled.<br/> + To create a CA on pfSense, go to <strong>System -> Cert Manager</strong>.<br/> + Install the CA certificate as a Trusted Root CA on each computer you want to filter SSL on to avoid SSL error on each connection. + ]]> + </description> + <type>select_source</type> <source><![CDATA[$config['ca']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> </field> <field> - <fielddescr>sslcrtd children</fielddescr> + <fielddescr>SSL Certificate Deamon Children</fielddescr> <fieldname>sslcrtd_children</fieldname> - <description><![CDATA[This is the number of ssl crt deamon children to start. Default value is 5.<br> - if Squid is used in busy environments this may need to be increased, as well as the number of 'sslcrtd_children']]></description> + <description> + <![CDATA[ + This is the number of SSL certificate deamon children to start. 
If Squid is used in busy environments, this may need to be increased.<br/> + Default: 5 + ]]> + </description> <type>input</type> <size>2</size> <default_value>5</default_value> </field> <field> - <fielddescr>Remote Cert checks</fielddescr> + <fielddescr>Remote Cert Checks</fielddescr> <fieldname>interception_checks</fieldname> - <description><![CDATA[Select remote ssl cert checks to do.<br>Defaul is to do not select any of these options.]]></description> - <type>select</type> - <options> - <option><name>Accept remote server certificate Erros</name><value>sslproxy_cert_error</value></option> + <description> + <![CDATA[ + Select remote SSL certificate checks to perform.<br/> + Note: Use CTRL + click to select multiple options.<br/> + ]]> + </description> + <type>select</type> + <options> + <option><name>Accept remote server certificate with errors</name><value>sslproxy_cert_error</value></option> <option><name>Do not verify remote certificate</name><value>sslproxy_flags</value></option> - </options> - <multiple/> - <size>3</size> + </options> + <multiple/> + <size>3</size> </field> <field> - <fielddescr>Certificate adapt</fielddescr> + <fielddescr>Certificate Adapt</fielddescr> <fieldname>interception_adapt</fieldname> - <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> + <description> + <![CDATA[ + Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br/> + Hint: Set the subject CN - see <a href="http://wiki.squid-cache.org/Features/MimicSslServerCert">fake certificate properties documentation</a> for details. 
+ ]]> + </description> <type>select</type> <options> - <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option> - <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option> - <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option> + <option><name>Sets the "Not After" (setValidAfter)</name><value>setValidAfter</value></option> + <option><name>Sets the "Not Before" (setValidBefore)</name><value>setValidBefore</value></option> + <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option> </options> <multiple/> <size>3</size> 
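Review bot: The rewritten `interception_checks` description drops the old hint that the default is to select none of the options, yet both entries (`sslproxy_cert_error`, `sslproxy_flags`) relax validation of the remote server certificate rather than add checks. Under the label `Remote Cert Checks`, an administrator can read a selection as switching verification on. I would restore the guidance inside the CDATA, e.g. `<strong>Warning:</strong> Both options weaken verification of the remote server certificate. Default: none selected.` The new `sslcrtd_children` label and description also misspell the word as `Deamon`/`deamon`; it should be `Daemon`.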
@@ -429,38 +496,49 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enabled logging</fielddescr> + <fielddescr>Enable Logging</fielddescr> <fieldname>log_enabled</fieldname> - <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description> + <description> + <![CDATA[ + This will enable the access log. + <strong>Warning:</strong> Do not switch this on if you don't have much disk space left. + ]]> + </description> <type>checkbox</type> - <enablefields>log_query_terms,log_user_agents</enablefields> + <enablefields>log_dir,log_rotate</enablefields> </field> <field> - <fielddescr>Log store directory</fielddescr> + <fielddescr>Log Store Directory</fielddescr> <fieldname>log_dir</fieldname> - <description>The directory where the log will be stored (note: do not end with a / mark)</description> + <description> + <![CDATA[ + The directory where the log will be stored.<br/> + Default: /var/squid/logs<br/> + <strong>Note: Do NOT include the trailing / when setting a custom location.</strong> + ]]> + </description> <type>input</type> <size>60</size> <required/> <default_value>/var/squid/logs</default_value> </field> <field> - <fielddescr>Log rotate</fielddescr> + <fielddescr>Rotate Logs</fielddescr> <fieldname>log_rotate</fieldname> <description>Defines how many days of logfiles will be kept. 
Rotation is disabled if left empty.</description> <type>input</type> <size>5</size> </field> <field> - <fielddescr>Visible hostname</fielddescr> + <fielddescr>Visible Hostname</fielddescr> <fieldname>visible_hostname</fieldname> - <description>This is the URL to be displayed in proxy server error messages.</description> + <description>This is the hostname to be displayed in proxy server error messages.</description> <type>input</type> <size>60</size> <default_value>localhost</default_value> </field> <field> - <fielddescr>Administrator email</fielddescr> + <fielddescr>Administrator's Email</fielddescr> <fieldname>admin_email</fieldname> <description>This is the email address displayed in error messages to the users.</description> <type>input</type> 
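Review bot: `log_dir` keeps `<required/>` while this hunk adds it to the `<enablefields>` of `log_enabled`, so the input is presumably disabled whenever logging is unchecked. Browsers do not submit disabled inputs, so it is worth confirming that saving with logging off does not fail the required-field check; the validation code is not visible here. If it does fail, drop `<required/>` from `log_dir` and require the value in the validation command only when `log_enabled` is on. The new `log_enabled` CDATA also has no `<br/>` between `This will enable the access log.` and the warning, unlike the other rewritten descriptions.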
@@ -468,16 +546,71 @@ <default_value>admin@localhost</default_value> </field> <field> - <fielddescr>Language</fielddescr> + <fielddescr>Error Language</fielddescr> <fieldname>error_language</fieldname> <description>Select the language in which the proxy server will display error messages to users.</description> <type>select</type> <default_value>en</default_value> + <options> + <option><name>af</name><value>af</value></option> + <option><name>ar</name><value>ar</value></option> + <option><name>az</name><value>az</value></option> + <option><name>bg</name><value>bg</value></option> + <option><name>ca</name><value>ca</value></option> + <option><name>cs</name><value>cs</value></option> + <option><name>da</name><value>da</value></option> + <option><name>de</name><value>de</value></option> + <option><name>el</name><value>el</value></option> + <option><name>en</name><value>en</value></option> + <option><name>es</name><value>es</value></option> + <option><name>et</name><value>et</value></option> + <option><name>fa</name><value>fa</value></option> + <option><name>fi</name><value>fi</value></option> + <option><name>fr</name><value>fr</value></option> + <option><name>he</name><value>he</value></option> + <option><name>hu</name><value>hu</value></option> + <option><name>hy</name><value>hy</value></option> + <option><name>id</name><value>id</value></option> + <option><name>it</name><value>it</value></option> + <option><name>ja</name><value>ja</value></option> + <option><name>ko</name><value>ko</value></option> + <option><name>lt</name><value>lt</value></option> + <option><name>lv</name><value>lv</value></option> + <option><name>ms</name><value>ms</value></option> + <option><name>nl</name><value>nl</value></option> + <option><name>oc</name><value>oc</value></option> + <option><name>pl</name><value>pl</value></option> + <option><name>pt</name><value>pt</value></option> + <option><name>pt-br</name><value>pt-br</value></option> + <option><name>ro</name><value>ro</value></option> + 
<option><name>ru</name><value>ru</value></option> + <option><name>sk</name><value>sk</value></option> + <option><name>sl</name><value>sl</value></option> + <option><name>sr-cyrl</name><value>sr-cyrl</value></option> + <option><name>sr-latn</name><value>sr-latn</value></option> + <option><name>sv</name><value>sv</value></option> + <option><name>th</name><value>th</value></option> + <option><name>tr</name><value>tr</value></option> + <option><name>uk</name><value>uk</value></option> + <option><name>uz</name><value>uz</value></option> + <option><name>vi</name><value>vi</value></option> + <option><name>zh-cn</name><value>zh-cn</value></option> + <option><name>zh-tw</name><value>zh-tw</value></option> + </options> </field> <field> - <fielddescr>X-Forward Mode</fielddescr> + <fielddescr>X-Forwarded Header Mode</fielddescr> <fieldname>xforward_mode</fieldname> - <description><p><b> on:</b> Squid will append your client's IP address in the HTTP requests it forwards. (Default)<p> By default it looks like: X-Forwarded-For: 192.1.2.3 <p> <b> off:</b> It will appear as: X-Forwarded-For: unknown<p> <b> transparent:</b> Squid will not alter the X-Forwarded-For header in any way.<p> <b> delete:</b> Squid will delete the entire X-Forwarded-For header.<p> <b> truncate:</b> Squid will remove all existing X-Forwarded-For entries, and place the client IP as the sole entry.</description> + <description> + <![CDATA[ + <strong>on:</strong> Squid will append your client's IP address in the HTTP requests it forwards. The header looks like: X-Forwarded-For: 192.1.2.3.<br/> + <strong>off:</strong> Squid will NOT append your client's IP address in the HTTP requests it forwards. 
The header looks like: X-Forwarded-For: unknown<br/> + <strong>transparent:</strong> Squid will not alter the X-Forwarded-For header in any way.<br/> + <strong>delete:</strong> Squid will delete the entire X-Forwarded-For header.<br/> + <strong>truncate:</strong> Squid will remove all existing X-Forwarded-For header entries and place the client's IP address as the only header entry.<br/><br/> + Default: on + ]]> + </description> <type>select</type> <default_value>on</default_value> <options> 
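Review bot: The `xforward_mode` description documents `on` as the default without saying that this mode sends each client's internal IP address to every origin server in the `X-Forwarded-For` header. A sentence such as `Note: 'on' discloses internal client addresses to remote servers; choose 'delete' or 'off' if that is not wanted.` would let administrators pick deliberately. Separately, `error_language` now carries a hard-coded `<options>` list, which can drift from the error-page languages actually installed with Squid. A comment naming where the list was taken from would help whoever updates it next.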
@@ -489,26 +622,39 @@ </options> </field> <field> - <fielddescr>Disable VIA</fielddescr> + <fielddescr>Disable VIA Header</fielddescr> <fieldname>disable_via</fieldname> <description>If not set, Squid will include a Via header in requests and replies as required by RFC2616.</description> <type>checkbox</type> </field> <field> - <fielddescr>Log denied pages by squidguard</fielddescr> + <fielddescr>Log Pages Denied by SquidGuard</fielddescr> <fieldname>log_sqd</fieldname> - <description><![CDATA[Enable squidguard denied log to be included on squid logs.<br> - <strong>Note:</strong> This option only will work if you include this code on your sgerror.php file to force client browser send a second request to squid with denied string on url.<br><br> - $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");<br> - $str[] = '< iframe > src="'.$cl['u'].$sge_prefix.'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br><br> - removing extra space on iframe html code.]]></description> + <description> + <![CDATA[ + Makes it possible for SquidGuard denied log to be included on Squid logs.<br/> + <strong>Note: This option will only work if you include the code below in your sgerror.php file.</strong><br/> + This forces the client browser to send a second request to Squid with the denied string in URL.<br/><br/> + $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");<br/> + $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br/><br/> + <strong>Hint: You MUST remove extra spaces in the above iframe HTML tags.</strong> + ]]> + </description> <type>checkbox</type> </field> <field> - <fielddescr>What to do with requests that have whitespace characters in the URI</fielddescr> + <fielddescr>URI Whitespace Characters Handling</fielddescr> <fieldname>uri_whitespace</fieldname> - <description><b> strip:</b> The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. 
<p> <b> deny:</b> The request is denied. The user receives an "Invalid Request" message.<p> <b> allow:</b> The request is allowed and the URI is not changed. The whitespace characters remain in the URI.<p> <b> encode:</b> The request is allowed and the whitespace characters are encoded according to RFC1738.<p> <b> chop:</b> The request is allowed and the URI is chopped at the first whitespace.</description> - <type>select</type> + <description> + <![CDATA[ + <strong>strip:</strong> The whitespace characters are stripped out of the URI. This is the behavior recommended by RFC2396. + <strong>deny:</strong> The request is denied. The user receives an "Invalid Request" message. + <strong>allow:</strong> The request is allowed and the URI is not changed. The whitespace characters remain in the URI. + <strong>encode:</strong> The request is allowed and the whitespace characters are encoded according to RFC1738. + <strong>chop:</strong> The request is allowed and the URI is chopped at the first whitespace. + ]]> + </description> + <type>select</type> <default_value>strip</default_value> <options> <option><name>strip</name><value>strip</value></option> 
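Review bot: The `log_sqd` description tells administrators to paste a line into sgerror.php that concatenates `$cl['u']` into an iframe `src` attribute with no escaping. If `$cl['u']` is the client-requested URL (it looks that way, but sgerror.php is not shown), the value lands unescaped in the HTML of the block page. The documented snippet should escape it, e.g. `htmlspecialchars($cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED', ENT_QUOTES)` inside the attribute. In the same hunk the new `uri_whitespace` CDATA replaces the old `<p>` separators with plain newlines, so the five options will render as one run of text; add `<br/>` after each, as the `xforward_mode` description does.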
@@ -521,45 +667,53 @@ <field> <fielddescr>Suppress Squid Version</fielddescr> <fieldname>disable_squidversion</fieldname> - <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description> + <description>Suppresses Squid version string info in HTTP headers and HTML error pages if enabled.</description> <type>checkbox</type> </field> <field> - <name>Custom Settings</name> - <type>listtopic</type> - </field> - <field> <fielddescr>Integrations</fielddescr> <fieldname>custom_options</fieldname> - <description><![CDATA[Squid options added from packages like squidguard or havp for squid integration.]]></description> + <description> + <![CDATA[ + Squid options added from packages like SquidGuard or HAVP for Squid integration. + ]]> + </description> <type>textarea</type> <cols>78</cols> <rows>5</rows> + <advancedfield/> </field> - <field> - <fielddescr>Custom ACLS (Before_Auth)</fielddescr> + <field> + <fielddescr>Custom ACLS (Before Auth)</fielddescr> <fieldname>custom_options_squid3</fieldname> - <description><![CDATA[Put your own custom options here,one per line. They'll be added to the configuration before authetication acls(if any).<br> - <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description> + <description> + <![CDATA[ + Put your own custom options here, one per line. They'll be added to the configuration before authetication ACLS (if any).<br/> + <strong><span class="errmsg">Warning:</span> These need to be squid.conf native options, otherwise Squid will NOT work.</strong> + ]]> + </description> <type>textarea</type> <encoding>base64</encoding> <cols>78</cols> <rows>10</rows> + <advancedfield/> </field> - <field> - <fielddescr>Custom ACLS (After_Auth)</fielddescr> + <field> + <fielddescr>Custom ACLS (After Auth)</fielddescr> <fieldname>custom_options2_squid3</fieldname> - <description><![CDATA[Put your own custom options here,one per line. 
They'll be added to the configuration after authetication definition(if any).<br> - <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description> + <description> + <![CDATA[ + Put your own custom options here, one per line. They'll be added to the configuration after authentication definition (if any).<br/> + <strong><span class="errmsg">Warning:</span> These need to be squid.conf native options, otherwise Squid will NOT work.</strong> + ]]> + </description> <type>textarea</type> <encoding>base64</encoding> <cols>78</cols> <rows>10</rows> + <advancedfield/> </field> </fields> - <custom_php_command_before_form> - squid_before_form_general($pkg); - </custom_php_command_before_form> <custom_add_php_command> squid_resync(); </custom_add_php_command> @@ -568,18 +722,20 @@ </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); - unlink_if_exists("/usr/local/etc/rc.d/squid"); </custom_php_resync_config_command> <custom_php_install_command> + <![CDATA[ update_status("Checking Squid cache... One moment please..."); - update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); squid_install_command(); - squid_resync(); exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + ]]> </custom_php_install_command> <custom_php_deinstall_command> + <![CDATA[ squid_deinstall_command(); exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); + ]]> </custom_php_deinstall_command> <filter_rules_needed>squid_generate_rules</filter_rules_needed> </packagegui> diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 5c1b57d5..8d74eb2a 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml 
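Review bot: The rewritten description for `custom_options_squid3` still reads `before authetication ACLS (if any)`, while the matching sentence for `custom_options2_squid3` in the same hunk was corrected to `authentication`. Suggest `They'll be added to the configuration before authentication ACLs (if any).` so the two fields agree.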
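Review bot: Both commands kept inside the new CDATA blocks still shell out, `exec("/bin/rm -f /usr/local/etc/rc.d/squid");` on install and `exec("/bin/rm -f /usr/local/etc/rc.d/squid*");` on deinstall, and neither checks the result. The line this hunk removes from the resync command shows that `unlink_if_exists()` is available, so the install step could be `unlink_if_exists("/usr/local/etc/rc.d/squid");` with no shell involved. The `squid*` glob on deinstall would also match rc.d scripts of any other package whose name starts with `squid`; if only this package's scripts are meant, name them explicitly. A one-line comment saying why the rc.d script is deleted at install time would help the next reader.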
@@ -2,56 +2,52 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_antivirus.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2013-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_antivirus.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2013-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidantivirus</name> - <version>none</version> + <version>0.3.5</version> <title>Proxy server: Antivirus</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> @@ -74,7 +70,6 @@ <tab> <text>Traffic Mgmt</text> <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> - </tab> <tab> <text>Authentication</text> @@ -85,7 +80,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> 
@@ -93,36 +88,36 @@ <url>/pkg_edit.php?xml=squid_sync.xml</url> </tab> </tabs> + <advanced_options>enabled</advanced_options> <fields> <field> - <name>Clamav anti-virus integration using c-icap</name> + <name>ClamAV Anti-Virus Integration Using C-ICAP</name> <type>listtopic</type> </field> - <field> + <field> <fielddescr>Enable</fielddescr> <fieldname>enable</fieldname> - <description>Enable squid antivirus check using clamav.</description> - <enablefields>max_check_size,Timeout,MaxKeepAliveRequests,KeepAliveTimeout,StartServers,MaxServers</enablefields> + <description>Enable Squid antivirus check using ClamAV.</description> <type>checkbox</type> </field> <field> - <fielddescr>Client forward options</fielddescr> + <fielddescr>Client Forward Options</fielddescr> <fieldname>client_info</fieldname> - <description><![CDATA[Select what client info to forward to clamav.]]></description> - <type>select</type> + <description> + <![CDATA[ + Select what client info to forward to ClamAV. + ]]> + </description> + <type>select</type> <default_value>both</default_value> <options> - <option><name>Send Both client username and ip info(Default)</name><value>both</value></option> + <option><name>Send both client username and IP info (Default)</name><value>both</value></option> <option><name>Send only client username</name><value>username</value></option> - <option><name>Send only client ip</name><value>ip</value></option> + <option><name>Send only client IP</name><value>ip</value></option> <option><name>Do not send client info</name><value>none</value></option> </options> </field> <field> - <name>Advanced options</name> - <type>listtopic</type> - </field> - <field> <fielddescr>squidclamav.conf</fielddescr> <fieldname>squidclamav</fieldname> <description>squidclamav.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description> 
@@ -130,8 +125,9 @@ <encoding>base64</encoding> <cols>75</cols> <rows>15</rows> + <advancedfield/> </field> - <field> + <field> <fielddescr>c-icap.conf</fielddescr> <fieldname>c-icap_conf</fieldname> <description>c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description> @@ -139,6 +135,7 @@ <encoding>base64</encoding> <cols>75</cols> <rows>15</rows> + <advancedfield/> </field> <field> <fielddescr>c-icap.magic</fielddescr> @@ -148,6 +145,7 @@ <encoding>base64</encoding> <cols>75</cols> <rows>15</rows> + <advancedfield/> </field> </fields> <custom_php_validation_command> diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml index 7f54b156..e2bae945 100755 --- a/config/squid3/34/squid_auth.xml +++ b/config/squid3/34/squid_auth.xml 
@@ -2,53 +2,48 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_auth.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. 
Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidauth</name> - <version>none</version> - <title>Proxy server: Authentication</title> + <version>0.3.5</version> + <title>Proxy Server: Authentication</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> @@ -85,7 +80,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> @@ -99,7 +94,7 @@ <type>listtopic</type> </field> <field> - <fielddescr>Authentication method</fielddescr> + <fielddescr>Authentication Method</fielddescr> <fieldname>auth_method</fieldname> <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description> <type>select</type> 
@@ -111,33 +106,38 @@ <option><name>LDAP</name><value>ldap</value></option> <option><name>RADIUS</name><value>radius</value></option> <option><name>Captive Portal</name><value>cp</value></option> - <option><name>NT domain</name><value>msnt</value></option> + <option><name>NT Domain</name><value>msnt</value></option> </options> <onchange>on_auth_method_changed()</onchange> </field> <field> - <fielddescr>Authentication server</fielddescr> + <fielddescr>Authentication Server</fielddescr> <fieldname>auth_server</fieldname> - <description>Enter here the IP or hostname of the server that will perform the authentication.</description> + <description>Enter the IP or hostname of the server that will perform the authentication here.</description> <type>input</type> <size>60</size> </field> <field> <fielddescr>Authentication server port</fielddescr> <fieldname>auth_server_port</fieldname> - <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description> + <description> + <![CDATA[ + Enter the port to use to connect to the authentication server here.<br/> + Leave this field blank to use the authentication method's default port. + ]]> + </description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>Authentication prompt</fielddescr> + <fielddescr>Authentication Prompt</fielddescr> <fieldname>auth_prompt</fieldname> <description>This string will be displayed at the top of the authentication request window.</description> <type>input</type> <default_value>Please enter your credentials to access the proxy</default_value> </field> <field> - <fielddescr>Authentication processes</fielddescr> + <fielddescr>Authentication Processes</fielddescr> <fieldname>auth_processes</fieldname> <description>The number of authenticator processes to spawn. 
If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> 
@@ -147,74 +147,87 @@ <field> <fielddescr>Authentication TTL</fielddescr> <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5.</description> + <description> + <![CDATA[ + This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live).<br/> + When the TTL expires, the user will be prompted for credentials again.<br/> + Default value: 5. + ]]> + </description> <type>input</type> <size>5</size> <default_value>5</default_value> </field> <field> - <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> + <fielddescr>Require Authentication for Unrestricted Hosts</fielddescr> <fieldname>unrestricted_auth</fieldname> - <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> + <description>If enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> <type>checkbox</type> </field> <field> - <fielddescr>Subnets that don't need authentication</fielddescr> + <fielddescr>Subnets That Don't Need Authentication</fielddescr> <fieldname>no_auth_hosts</fieldname> - <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> + <description> + <![CDATA[ + Enter subnet(s) or IP address(es) (in CIDR format) that should NOT be asked for authentication to access the proxy.<br/> + Example (subnet): 10.5.0.0/16<br/> + Example (single host): 192.168.1.50/32<br/><br/> + <strong>Note: Put each entry on a separate line.</strong> + ]]> + </description> 
<type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <name>Squid Authentication Ldap Settings</name> + <name>Squid Authentication LDAP Settings</name> <type>listtopic</type> </field> <field> <fielddescr>LDAP version</fielddescr> <fieldname>ldap_version</fieldname> - <description>Enter LDAP protocol version (2 or 3).</description> + <description>Select LDAP protocol version.</description> <type>select</type> <default_value>2</default_value> <options> - <option><name>2</name><value>2</value></option> - <option><name>3</name><value>3</value></option> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> </options> </field> <field> - <fielddescr>LDAP server user DN</fielddescr> + <fielddescr>LDAP Server User DN</fielddescr> <fieldname>ldap_user</fieldname> - <description>Enter here the user DN to use to connect to the LDAP server.</description> + <description>Enter the user DN to use to connect to the LDAP server here.</description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>LDAP password</fielddescr> + <fielddescr>LDAP Password</fielddescr> <fieldname>ldap_pass</fieldname> - <description>Enter here the password to use to connect to the LDAP server.</description> + <description>Enter the password to use to connect to the LDAP server here.</description> <type>password</type> <size>20</size> </field> <field> - <fielddescr>LDAP base domain</fielddescr> + <fielddescr>LDAP Base Domain</fielddescr> <fieldname>ldap_basedomain</fieldname> - <description>For LDAP authentication, enter here the base domain in the LDAP server.</description> + <description>Enter the base domain of the LDAP server here.</description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>LDAP username DN attribute</fielddescr> + <fielddescr>LDAP Username DN Attribute</fielddescr> <fieldname>ldap_userattribute</fieldname> - <description>Enter LDAP username DN 
attibute.</description> + <description>Enter LDAP username DN attibute here.</description> <type>input</type> <size>20</size> <default_value>uid</default_value> </field> <field> - <fielddescr>LDAP search filter</fielddescr> + <fielddescr>LDAP Search Filter</fielddescr> <fieldname>ldap_filter</fieldname> - <description>Enter LDAP search filter.</description> + <description>Enter LDAP search filter here.</description> <type>input</type> <size>40</size> <default_value>(&(objectClass=person)(uid=%s))</default_value> @@ -224,27 +237,27 @@ <type>listtopic</type> </field> <field> - <fielddescr>NT domain</fielddescr> + <fielddescr>NT Domain</fielddescr> <fieldname>auth_ntdomain</fieldname> - <description>Enter here the NT domain.</description> + <description>Enter the NT domain here.</description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>Secondary NT servers</fielddescr> + <fielddescr>Secondary NT Servers</fielddescr> <fieldname>msnt_secondary</fieldname> - <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description> + <description>Enter comma-separated list of secondary servers to be used for NT domain authentication here.</description> <type>input</type> <size>60</size> </field> <field> - <name>Squid Authentication Radius Settings</name> + <name>Squid Authentication RADIUS Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>RADIUS secret</fielddescr> + <fielddescr>RADIUS Secret</fielddescr> <fieldname>radius_secret</fieldname> - <description>The RADIUS secret for RADIUS authentication.</description> + <description>Enter the RADIUS secret for RADIUS authentication here.</description> <type>password</type> <size>20</size> </field> 
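Review bot: The `auth_ttl` description changes the unit from seconds to minutes while the field name and the `default_value` of 5 stay the same, and nothing in this hunk changes how the value is consumed. The setting controls how long an externally validated username and password are trusted, so the unit should be checked against the line squid.inc writes for this field (not visible here) before the help text is changed. If minutes is right, stating it with the default, e.g. `Default value: 5 (minutes).`, would remove the ambiguity. The new `ldap_userattribute` description also keeps the typo `attibute`.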
@@ -262,9 +275,12 @@ squid_print_javascript_auth2(); </custom_php_before_form_command> <custom_php_after_head_command> + <![CDATA[ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); - if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) + if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/", $config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; + } squid_print_javascript_auth(); + ]]> </custom_php_after_head_command> </packagegui> diff --git a/config/squid3/34/squid_cache.xml b/config/squid3/34/squid_cache.xml index 3b2cd406..ff861897 100755 --- a/config/squid3/34/squid_cache.xml +++ b/config/squid3/34/squid_cache.xml 
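Review bot: The reformatted condition keeps `preg_match("/(local|ldap|radius|msnt|ntlm)/", ...)`, which is unanchored and therefore matches any `auth_method` value that merely contains one of those words, and it is still joined with the low-precedence `and`. Because this check decides whether authentication is refused in transparent mode, an exact comparison is easier to reason about: `in_array($config['installedpackages']['squidauth']['config'][0]['auth_method'], array('local', 'ldap', 'radius', 'msnt', 'ntlm'), true)` combined with `&&`. The first line also uses loose `==` against `'on'`, where `===` would state the intent more precisely.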
@@ -2,56 +2,51 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_cache.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form MUST reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidcache</name> - <version>none</version> - <title>Proxy server: Cache management</title> + <version>0.3.5</version> + <title>Proxy Server: Cache management</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> -<tab> + <tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> @@ -85,7 +80,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> 
@@ -99,78 +94,120 @@ <type>listtopic</type> </field> <field> - <fielddescr>Cache replacement policy</fielddescr> + <fielddescr>Cache Replacement Policy</fielddescr> <fieldname>cache_replacement_policy</fieldname> - <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> + <description> + <![CDATA[ + The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects.<br/><br/> + <strong>Heap LFUDA:</strong> Keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate.<br/> + <strong>Heap GDSF:</strong> Optimizes object-hit rate by keeping smaller, popular objects in cache.<br/> + <strong>Heap LRU:</strong> Works like LRU, but uses a heap instead.<br/> + <strong>LRU:</strong> Keeps recently referenced objects (i.e., replaces the object that has not been accessed for the longest time).<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_replacement_policy/">cache_replacement_policy documentation</a> for additional details.<br/><br/> + Default: heap LFUDA + ]]> + </description> <type>select</type> <default_value>heap LFUDA</default_value> <options> - <option><name>LRU</name><value>lru</value></option> <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> <option><name>Heap GDSF</name><value>heap GDSF</value></option> <option><name>Heap LRU</name><value>heap LRU</value></option> + <option><name>LRU</name><value>lru</value></option> </options> </field> <field> - <fielddescr>Low-water-mark in %</fielddescr> + <fielddescr>Low-Water Mark in %</fielddescr> <fieldname>cache_swap_low</fieldname> - <description>Cache replacement begins when the swap usage is above 
the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> + <description> + <![CDATA[ + The low-water mark for AUFS/UFS/diskd cache object eviction by the cache_replacement_policy algorithm.<br/> + Cache replacement begins when the swap usage is above this low-water mark and attempts to maintain utilisation near the low-water mark.<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_swap_low/">cache_swap_low documentation</a> for additional details.<br/> + ]]> + </description> <type>input</type> <size>5</size> <default_value>90</default_value> </field> <field> - <fielddescr>High-water-mark in %</fielddescr> + <fielddescr>High-Water Mark in %</fielddescr> <fieldname>cache_swap_high</fieldname> - <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> + <description> + <![CDATA[ + The high-water mark for AUFS/UFS/diskd cache object eviction by the cache_replacement_policy algorithm.<br/> + As swap utilization increases towards this high-water mark, object eviction becomes more agressive.<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_swap_high/">cache_swap_high documentation</a> for additional details.<br/> + ]]> + </description> <type>input</type> <size>5</size> <default_value>95</default_value> </field> <field> - <fielddescr>Do not cache</fielddescr> + <fielddescr>Do Not Cache</fielddescr> <fieldname>donotcache</fieldname> - <description>Enter each domain or IP address on a new line that should never be cached.</description> + <description> + <![CDATA[ + Enter domain(s) and/or IP address(es) that should never be cached.<br/> + <strong>Note: Put each entry on a separate line.</strong> + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <fielddescr>Enable offline mode</fielddescr> + <fielddescr>Enable Offline Mode</fielddescr> 
<fieldname>enable_offline</fieldname> - <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <description> + <![CDATA[ + Enable this option and the proxy server will never try to validate cached objects.<br/> + Offline mode gives access to more cached information than normally allowed (e.g., expired cached versions where the origin server should have been contacted otherwise). + ]]> + </description> <type>checkbox</type> <required/> </field> <field> - <fielddescr>External Cache-Managers</fielddescr> + <fielddescr>External Cache Managers</fielddescr> <fieldname>ext_cachemanager</fieldname> - <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> + <description> + <![CDATA[ + Enter the IPs for the external <a href="http://wiki.squid-cache.org/Features/CacheManager">Cache Managers</a> to be granted access to this proxy. 
+ <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> <size>60</size> - </field> + </field> <field> - <name>Squid Hard disk cacheSettings</name> + <name>Squid Hard Disk Cache Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>Hard disk cache size</fielddescr> + <fielddescr>Hard Disk Cache Size</fielddescr> <fieldname>harddisk_cache_size</fieldname> - <description>This is the amount of disk space (in megabytes) to use for cached objects.</description> + <description>Amount of disk space (in megabytes) to use for cached objects.</description> <type>input</type> <required/> <size>10</size> <default_value>100</default_value> </field> <field> - <fielddescr>Hard disk cache system</fielddescr> + <fielddescr>Hard Disk Cache System</fielddescr> <fieldname>harddisk_cache_system</fieldname> - <description><![CDATA[This specifies the kind of storage system to use. - <br><br><b>ufs</b> is the old well-known Squid storage format that has always been there. - <br><br><b>aufs</b> uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) - <br><br><b>diskd</b> uses a separate process to avoid blocking the main Squid process on disk-I/O.<br>To use <b>ipcs</b> and <b>ipcrm</b> on squid, Download livefs.iso from ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/ mount it and copy <b>/usr/bin/ipcs</b> and <b>/usr/bin/ipcrm</b> to your system and set them as executables. - <br><br><b>null</b> Does not use any storage. Ideal for Embedded/NanoBSD.]]></description> + <description> + <![CDATA[ + This specifies the kind of storage system to use.<br/><br/> + <strong>ufs</strong> - the old well-known Squid storage format that has always been there.<br/> + <strong>aufs</strong> - uses POSIX threads to avoid blocking the main Squid process on disk I/O. 
(Formerly known as async-io.)<br/> + <strong>diskd</strong> - uses a separate process to avoid blocking the main Squid process on disk I/O.<br/> + <strong>null</strong> - does not use any storage. Ideal for Embedded/NanoBSD.<br/><br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_dir/">cache_dir documentation</a> for additional details. + ]]> + </description> <type>select</type> <default_value>ufs</default_value> <options> 
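Review bot: Several of the new user-facing description strings carry typos that will show up verbatim in the GUI. In this hunk the cache_swap_high text has `agressive` where `aggressive` is meant, and it uses `utilization` while the cache_swap_low text just above keeps `utilisation`. The same kind of slip is in later hunks of this file: `will not be attempted to kept in the memory cache` (`@@ -235,34 +298,56 @@`) and `patterns your are applying` (`@@ -272,18 +357,25 @@`). In the ext_cachemanager description the sentence ending `access to this proxy.` also runs straight into `<strong>Note:` without the `<br/>` that the other fields put before their note.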
@@ -181,16 +218,25 @@ </options> </field> <field> - <fielddescr>Clear cache on log rotate</fielddescr> + <fielddescr>Clear Cache on Log Rotate</fielddescr> <fieldname>clear_cache</fieldname> - <description><![CDATA[If set, Squid will clear cache and swap.state on every log rotate.<br> - This action will be executed automatically if the swap.state file is taking up more than 75% disk space,or the drive is 90%]]></description> + <description> + <![CDATA[ + If set, Squid will clear cache and swap.state every time the log is rotated.<br/> + Note: This action will be executed automatically if the swap.state file is taking up more than 75% of available space, or the filesystem is 90% full. + ]]> + </description> <type>checkbox</type> - </field> + </field> <field> - <fielddescr>Level 1 subdirectories</fielddescr> + <fielddescr>Level 1 Directories</fielddescr> <fieldname>level1_subdirs</fieldname> - <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> + <description> + <![CDATA[ + Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache.<br/> + This will <strong>significantly</strong> slow down the startup process of the proxy service, but can speed up the caching under certain conditions. + ]]> + </description> <type>select</type> <default_value>16</default_value> <options> 
@@ -204,27 +250,44 @@ </options> </field> <field> - <fielddescr>Hard disk cache location</fielddescr> + <fielddescr>Hard Disk Cache Location</fielddescr> <fieldname>harddisk_cache_location</fieldname> - <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description> + <description> + <![CDATA[ + This is the directory where the cache will be stored. If you change this location, Squid needs to make a new cache, this could take a while.<br/> + Default: /var/squid/cache<br/> + <strong>Note: Do NOT include the trailing / when setting a custom location.</strong> + ]]> + </description> <type>input</type> <size>60</size> <required/> <default_value>/var/squid/cache</default_value> </field> <field> - <fielddescr>Minimum object size</fielddescr> + <fielddescr>Minimum Object Size</fielddescr> <fieldname>minimum_object_size</fieldname> - <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description> + <description> + <![CDATA[ + Objects smaller than the size specified (in kilobytes) will not be saved on disk.<br/> + Default: 0 (meaning there is no minimum) + ]]> + </description> <type>input</type> <required /> <size>10</size> <default_value>0</default_value> </field> <field> - <fielddescr>Maximum object size</fielddescr> + <fielddescr>Maximum Object Size</fielddescr> <fieldname>maximum_object_size</fieldname> - <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. 
If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description> + <description> + <![CDATA[ + Objects larger than the size specified (in megabytes) will not be saved on disk.<br/> + Hint: If increased speed is more important than saving bandwidth, this should be set to a low value.<br/> + Default: 4 (MB) + ]]> + </description> <type>input</type> <required/> <size>10</size> 
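Review bot: The maximum_object_size description now states the value in megabytes (`Default: 4 (MB)`), where the text it replaces said kilobytes. The field's `<default_value>` and the code that writes the directive both lie outside this hunk, so the unit change cannot be checked from here. If the generator was switched to MB in the same commit, a value saved earlier under the KB meaning would be read as MB after an upgrade, so it is worth confirming there is a conversion step. Since minimum_object_size right above stays in kilobytes, putting the unit in the label itself, e.g. `<fielddescr>Maximum Object Size (MB)</fielddescr>`, would make the difference harder to miss.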
@@ -235,34 +298,56 @@ <type>listtopic</type> </field> <field> - <fielddescr>Memory cache size</fielddescr> + <fielddescr>Memory Cache Size</fielddescr> <fieldname>memory_cache_size</fieldname> - <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> + <description> + <![CDATA[ + Specifies the ideal amount of physical RAM (in megabytes) to be used for In-Transit objects, Hot Objects and Negative-Cached objects.<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_mem/">cache_mem documentation</a> for additional details.<br/> + This value should not exceed 50% of the installed RAM. The minimum value is 1MB.<br/><br/> + Default: 64 (MB) + ]]> + </description> <type>input</type> <size>10</size> <required/> - <default_value>8</default_value> + <default_value>64</default_value> </field> <field> - <fielddescr>Maximum object size in RAM</fielddescr> + <fielddescr>Maximum Object Size in RAM</fielddescr> <fieldname>maximum_objsize_in_mem</fieldname> - <description>Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32.</description> + <description> + <![CDATA[ + Objects greater than this size (in kilobytes) will not be attempted to kept in the memory cache.<br/> + Default: 256 (KB) + ]]> + </description> <type>input</type> <size>10</size> <required/> - <default_value>32</default_value> - </field> + <default_value>256</default_value> + </field> <field> - <fielddescr>Memory replacement policy</fielddescr> + <fielddescr>Memory Replacement Policy</fielddescr> <fieldname>memory_replacement_policy</fieldname> - <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. 
<p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description> + <description> + <![CDATA[ + The memory replacement policy determines which objects are purged from memory when space is needed.<br/><br/> + <strong>Heap GDSF:</strong> Optimizes object-hit rate by keeping smaller, popular objects in cache.<br/> + <strong>Heap LFUDA:</strong> Keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate.<br/> + <strong>Heap LRU:</strong> Works like LRU, but uses a heap instead.<br/> + <strong>LRU:</strong> Keeps recently referenced objects (i.e., replaces the object that has not been accessed for the longest time).<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_replacement_policy/">cache_replacement_policy documentation</a> for additional details.<br/><br/> + Default: heap GDSF + ]]> + </description> <type>select</type> <default_value>heap GDSF</default_value> <options> - <option><name>LRU</name><value>lru</value></option> - <option><name>Heap 
LFUDA</name><value>heap LFUDA</value></option> <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> <option><name>Heap LRU</name><value>heap LRU</value></option> + <option><name>LRU</name><value>lru</value></option> </options> </field> <field> 
@@ -272,18 +357,25 @@ <field> <fielddescr>Cache Dynamic Content</fielddescr> <fieldname>cache_dynamic_content</fieldname> - <description><![CDATA[Select this option to <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent'>enable caching of dynamic content.</a><br> - ]]></description> + <description> + <![CDATA[ + Select to <a href="http://wiki.squid-cache.org/ConfigExamples/DynamicContent">enable caching of dynamic content.</a><br/> + ]]> + </description> <type>checkbox</type> <size>10</size> </field> <field> <fielddescr>Refresh Patterns</fielddescr> <fieldname>refresh_patterns</fieldname> - <description><![CDATA[With dynamic cache enabled, you can also apply squid wiki refresh_patterns to sites like <a target=_new href='http://wiki.squid-cache.org/SquidFaq/WindowsUpdate'>windowsupdate</a><br> - <br><strong>Notes:</strong><br> - Squid wiki suggests 'Finish transfer if less than x KB remaining' on 'traffic mgmt' squid tab to -1 but you can apply your own values to control cache.<br><br> - set Maximum download size on 'traffic mgmt' squid tab to a value that fits patterns your are applying.<br>Microsoft may need 200Mb and youtube 4GB.]]></description> + <description> + <![CDATA[ + With dynamic cache enabled, you can also apply refresh_patterns to sites like <a href="http://wiki.squid-cache.org/SquidFaq/WindowsUpdate">Windows Updates</a><br/><br/> + <strong>Notes:</strong><br/> + - Squid wiki suggests setting 'Finish transfer if less than x KB remaining' on 'Traffic Mgmt' tab to -1 (but you can apply your own values to control cache).<br/> + - Set 'Maximum Download Size' on 'Traffic Mgmt' tab to a value that fits patterns your are applying. + ]]> + </description> <type>select</type> <default_value>none</default_value> <options> 
@@ -294,12 +386,17 @@ <option><name>Avast</name><value>avast</value></option> </options> <multiple/> - <size>06</size> + <size>05</size> </field> <field> <fielddescr>Custom refresh_patterns</fielddescr> <fieldname>custom_refresh_patterns</fieldname> - <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description> + <description> + <![CDATA[ + Enter custom refresh_patterns for better dynamic cache usage.<br/> + <strong>Note: These refresh_patterns will only be included if 'Cache Dynamic Content' is enabled.</strong> + ]]> + </description> <type>textarea</type> <cols>67</cols> <rows>5</rows> @@ -307,16 +404,21 @@ </field> </fields> <custom_php_command_before_form> - if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { + <![CDATA[ + if ($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { $needs_dash_z = true; } + ]]> </custom_php_command_before_form> <custom_php_validation_command> squid_validate_cache($_POST, $input_errors); </custom_php_validation_command> <custom_php_resync_config_command> + <![CDATA[ squid_resync(); - if($needs_dash_z) + if ($needs_dash_z) { squid_dash_z(); + } + ]]> </custom_php_resync_config_command> </packagegui> diff --git a/config/squid3/34/squid_clwarn.php b/config/squid3/34/squid_clwarn.php index 8de016f3..5ddf8171 100644 --- a/config/squid3/34/squid_clwarn.php +++ b/config/squid3/34/squid_clwarn.php 
@@ -1,22 +1,20 @@ <?php -/* ========================================================================== */ /* squid_clwarn.php - part of pfSense (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2015 Marcello Coutinho + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -28,49 +26,46 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ +*/ $VERSION = '6.10'; - $url = $_REQUEST['url']; -$virus=($_REQUEST['virus']?$_REQUEST['virus']:$_REQUEST['malware']); -$source = preg_replace("@/-@","",$_REQUEST['source']); +$url = $_REQUEST['url']; +$virus = ($_REQUEST['virus'] ? $_REQUEST['virus'] : $_REQUEST['malware']); +$source = preg_replace("@/-@", "", $_REQUEST['source']); $user = $_REQUEST['user']; - -$TITLE_VIRUS = "SquidClamAv $VERSION: Virus detected!"; +$TITLE_VIRUS = "SquidClamav $VERSION: Virus detected!"; $subtitle = 'Virus name'; $errorreturn = 'This file cannot be downloaded.'; $urlerror = 'contains a virus'; -if (preg_match("/Safebrowsing/",$virus)) { - $TITLE_VIRUS = "SquidClamAv $VERSION: Unsafe Browsing detected"; - $subtitle = 'Malware / pishing type'; +if (preg_match("/Safebrowsing/", $virus)) { + $TITLE_VIRUS = "SquidClamav $VERSION: Unsafe Browsing detected"; + $subtitle = 'Malware / phishing type'; $urlerror = 'is listed as suspicious'; - $errorreturn = 'This page can not be displayed'; + $errorreturn = 'This page cannot be displayed'; } -# Remove clamd infos +// Remove clamd infos $vp[0]="/stream: /"; $vp[1]="/ FOUND/"; $vr[0]=""; $vr[1]=""; -$virus = preg_replace($vp,$vr,$virus); - -error_log(date("Y-m-d H:i:s")." | VIRUS FOUND | ".$virus." | ".$url." | ".$source." | ".$user."\n", 3, "/var/log/c-icap/virus.log"); +$virus = preg_replace($vp, $vr, $virus); +error_log(date("Y-m-d H:i:s") . " | VIRUS FOUND | " . $virus . " | " . $url . " | " . $source . " | " . $user . 
"\n", 3, "/var/log/c-icap/virus.log"); ?> <style type="text/css"> .visu { border:1px solid #C0C0C0; color:#FFFFFF; - position: relative; - min-width: 13em; - max-width: 52em; - margin: 4em auto; - border: 1px solid ThreeDShadow; - border-radius: 10px; - padding: 3em; - -moz-padding-start: 30px; + position: relative; + min-width: 13em; + max-width: 52em; + margin: 4em auto; + border: 1px solid ThreeDShadow; + border-radius: 10px; + padding: 3em; + -moz-padding-start: 30px; background-color: #8b0000; } .visu h2, .visu h3, .visu h4 { @@ -80,17 +75,18 @@ error_log(date("Y-m-d H:i:s")." | VIRUS FOUND | ".$virus." | ".$url." | ".$sourc font-weight:bolder; } </style> - <div class="visu"> +<div class="visu"> <h2><?=$TITLE_VIRUS?></h2> - <hr> + <hr /> <p> - The requested URL <?=$url?> <?=$urlerror?><br> + The requested URL <?=$url?> <?=$urlerror?><br/> <?=$subtitle?>: <?=$virus?> - <p> + </p><p> <?=$errorreturn?> - <p> + </p><p> Origin: <?=$source?> / <?=$user?> - <p> - <hr> - <font color="blue"> Powered by <a href="http://squidclamav.darold.net/">SquidClamAv <?=$VERSION?></a>.</font> - </div> + </p><p> + <hr /> + <font color="blue"> Powered by <a href="http://squidclamav.darold.net/">SquidClamav <?=$VERSION?></a>.</font> + </p> +</div> diff --git a/config/squid3/34/squid_ident.php b/config/squid3/34/squid_ident.php deleted file mode 100644 index ad13beb6..00000000 --- a/config/squid3/34/squid_ident.php +++ /dev/null 
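Review bot: The `error_log()` call at the end of this hunk still writes `$virus`, `$url`, `$source` and `$user` to /var/log/c-icap/virus.log as they arrive in `$_REQUEST`. The only filtering is the `@/-@` strip on `$source` and the clamd-prefix strip on `$virus`. A CR/LF or a ` | ` inside any of the four can split or forge a record in what is presumably the detection audit trail. Normalise the values before logging, e.g. `$logfields = preg_replace('/[\x00-\x1f\x7f|]+/', ' ', array($virus, $url, $source, $user));`, and build the line from `$logfields`. `$_REQUEST['virus']` and the other keys are also read without an `isset()` check.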
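Review bot: `<?=$url?>`, `<?=$virus?>`, `<?=$source?>` and `<?=$user?>` are echoed into the page without HTML escaping. All four are assigned from `$_REQUEST` in the previous hunk of this file, so markup supplied in a request parameter is rendered by the browser on whatever origin serves this warning page. The markup clean-up in this hunk (`<hr />`, the added `</p>` tags) leaves those outputs as they were. Escape at the point of output, e.g. `<?=htmlspecialchars($url, ENT_QUOTES, 'UTF-8')?>`, and do the same for the other three. The hunk's leading CSS context belongs to a `<style>` block that starts outside it.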
@@ -1,148 +0,0 @@ -#!/usr/bin/php -#http://blog.dataforce.org.uk/2010/03/Ident-Server -<?php - /** - * Simple PHP-Based inetd ident server, version 0.1. - * Copyright (c) 2010 - Shane "Dataforce" Mc Cormack - * This code is licensed under the MIT License, of which a copy can be found - * at http://www.opensource.org/licenses/mit-license.php - * - * The latest version of the code can be found at - * http://blog.dataforce.org.uk/index.php?p=news&id=135 - * - * This should be run from inetd, it will take input on stdin and write to stdout. - * - * By default users can spoof ident by having a .ident file in /home/<username>/.ident - * If this is present, it will be read. - * It should be a file with a format like so: - * - * <pid> <ident> - * <local host>:<local port>:<target host>:<target port> <ident> - * - * The first line that matches is used, any bit can be a * and it will always match, - * so "* user" is valid. In future more sophisticated matches will be permitted - * (eg 127.*) but for now its either all or nothing. - * - * Its worth noting that <target host> is the host that requests the ident, so if this - * is likely to be different than the host that was connected to, then "STRICT_HOST" will - * need to be set to false. - * - * At the moment <local host> is ignored, in future versions this might be changed, so - * it is still required. - * - * Lines with a ':' in them are assumed to be of the second format, and must contain - * all 4 sections or they will be ignored. - * - * Lines starting with a # are ignored. - * - * There are some special values that can be used as idents: - * ! = Send an error instead. - * * = Send the default ident. - * ? = Send a random ident (In future a 3rd parameter will specify the format, - * # for a number, @ for a letter, ? for either, but this is not implemented yet) - * - * In future there will also be support for /home/user/.ident.d/ directories, where - * every file will be read for the ident response untill one matches. 
- * This will allow multiple processes to create files rather than needing to - * lock and edit .ident - */ - - // Allow spoofing idents. - define('ALLOW_SPOOF', true); - - // Requesting host must be the same as the host that was connected to. - define('STRICT_HOST', true); - - // Error to send when '!' is used as an ident. - define('HIDE_ERROR', 'UNKNOWN-ERROR'); - - openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON); - - $result = 'ERROR : UNKNOWN-ERROR' . "\n"; - - $host = $_SERVER['REMOTE_HOST']; - - syslog(LOG_INFO, 'Connection from: '.$host); - - // Red in the line from the socket. - $fh = @fopen('php://stdin', 'r'); - if ($fh) { - $input = @fgets($fh); - $line = trim($input); - if ($input !== FALSE && !empty($line)) { - $result = trim($input) . ' : ' . $result; - // Get the data from it. - $bits = explode(',', $line); - $source = trim($bits[0]); - $dest = isset($bits[1]) ? trim($bits[1]) : ''; - - // Check if it is valid - if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) { - // Now actually look for this! - $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest"; - - $output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`; - - $bits = explode('/', $output); - $pid = $bits[0]; - - if (preg_match('/^[0-9]+$/', $pid)) { - $user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`; - - $senduser = trim($user); - - // Look for special ident file: /home/user/.ident this is an ini-format file. - $file = '/home/'.trim($user).'/.ident'; - - if (file_exists($file)) { - $config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT); - foreach ($config as $line) { - // Ignore comments. - $line = trim($line); - if (substr($line, 1) == '#') { continue; } - - // Make sure line is valid. 
- $bits = explode(' ', $line); - if (count($bits) == 1) { continue; } - - // Check type of line - if (strpos($bits[0], ':') !== FALSE) { - // LocalHost:LocalPort:RemoteHost:RemotePort - $match = explode(':', $bits[0]); - if (count($match) != 4) { continue; } - - if (($match[1] == '*' || $match[1] == $source) && - ($match[2] == '*' || $match[2] == $host) && - ($match[3] == '*' || $match[3] == $dest)) { - syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line); - $senduser = $bits[1]; - break; - } - } else if ($bits[0] == '*' || $bits[0] == $pid) { - syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line); - $senduser = $bits[1]; - } - } - - if ($senduser == "*") { - $senduser = trim(user); - } else if ($senduser == "?") { - $senduser = 'user'.rand(1000,9999); - } - } - - if ($senduser != "!") { - $result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser); - } else { - $result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR; - } - } - } - } - } - - echo $result; - syslog(LOG_INFO, 'Result: '.$result); - closelog(); - exit(0); -?> diff --git a/config/squid3/34/squid_log_parser.php b/config/squid3/34/squid_log_parser.php index 8d0cbc20..c55db021 100755 --- a/config/squid3/34/squid_log_parser.php +++ b/config/squid3/34/squid_log_parser.php 
@@ -1,24 +1,22 @@ #!/usr/local/bin/php -q <?php -/* ========================================================================== */ /* squid_log_parser.php - part of pfSense (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2012-2014 Marcello Coutinho - Copyright (C) 2012-2014 Carlos Cesario - carloscesario@gmail.com + Copyright (C) 2012-2014 Carlos Cesario <carloscesario@gmail.com> + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -30,28 +28,26 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - -# ------------------------------------------------------------------------------ -# Simple Squid Log parser to rewrite line with date/time human readable -# Usage: cat /var/squid/log/access.log | parser_squid_log.php -# ------------------------------------------------------------------------------ +*/ +/* +* Simple Squid Log parser to rewrite line with date/time human readable +* Usage: cat /var/squid/log/access.log | parser_squid_log.php +*/ $logline = fopen("php://stdin", "r"); -while(!feof($logline)) { +while (!feof($logline)) { $line = fgets($logline); $line = rtrim($line); if ($line != "") { $fields = explode(' ', $line); // Apply date format - $fields[0] = date("d.m.Y H:i:s",$fields[0]); - foreach($fields as $field) { - // Write the Squid log line with date/time human readable - echo "{$field} "; + $fields[0] = date("d.m.Y H:i:s", $fields[0]); + foreach ($fields as $field) { + // Write the Squid log line with human readable date/time + echo "{$field} "; } echo "\n"; } } fclose($logline); -?>
\ No newline at end of file +?> diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php index 60a366fc..ba87f998 100755 --- a/config/squid3/34/squid_monitor.php +++ b/config/squid3/34/squid_monitor.php @@ -1,23 +1,21 @@ <?php -/* ========================================================================== */ /* squid_monitor.php - part of pfSense (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2012-2014 Marcello Coutinho - Copyright (C) 2012-2014 Carlos Cesario - carloscesario@gmail.com + Copyright (C) 2012-2014 Carlos Cesario <carloscesario@gmail.com> + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
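Review bot: The rewritten usage comment still tells the reader to pipe the log into `parser_squid_log.php`, but the file is `squid_log_parser.php`. The line should read `* Usage: cat /var/squid/log/access.log | squid_log_parser.php`. Separately, `date("d.m.Y H:i:s", $fields[0])` is applied to whatever the first space-separated token is, so a line that does not start with a numeric timestamp comes out with a bogus date. Wrapping the conversion in `if (is_numeric($fields[0])) { ... }` would pass such lines through unchanged.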
@@ -29,19 +27,13 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - +*/ require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/pkg-utils.inc"); require_once("/etc/inc/globals.inc"); require_once("guiconfig.inc"); -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) - $one_two = true; - $pgtitle = "Status: Proxy Monitor"; $shortcut_section = "squid"; include("head.inc"); 
@@ -51,44 +43,40 @@ include("head.inc"); <?php include("fbegin.inc"); ?> -<?php if($one_two): ?> - - <p class="pgtitle"><?=$pgtitle?></font></p> - -<?php endif; ?> - <?php if ($savemsg) print_info_box($savemsg); ?> <!-- Function to call programs logs --> -<script language="JavaScript"> - function showLog(content,url,program) - { - new PeriodicalExecuter(function(pe) { +<script type="text/javascript"> +//<![CDATA[ + function showLog(content, url, program) { + new PeriodicalExecuter(function (pe) { new Ajax.Updater(content, url, { - method: 'post', - asynchronous: true, - evalScripts: true, - parameters: { maxlines: $('maxlines').getValue(), - strfilter: $('strfilter').getValue(), - program: program } + method: 'post', + asynchronous: true, + evalScripts: true, + parameters: { + maxlines: $('maxlines').getValue(), + strfilter: $('strfilter').getValue(), + program: program + } }) }, 1) } +//]]> </script> <div id="mainlevel"> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tr><td> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> <?php $tab_array = array(); - if ($_REQUEST["menu"]=="reverse"){ + if ($_REQUEST["menu"] == "reverse") { $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid_reverse_general.xml&id=0"); $tab_array[] = array(gettext("Web Servers"), false, "/pkg.php?xml=squid_reverse_peer.xml"); $tab_array[] = array(gettext("Mappings"), false, "/pkg.php?xml=squid_reverse_uri.xml"); $tab_array[] = array(gettext("Redirects"), false, "/pkg.php?xml=squid_reverse_redir.xml"); $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php?menu=reverse"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_reverse_sync.xml"); - } - else{ + } else { $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid.xml&id=0"); $tab_array[] = array(gettext("Remote Cache"), false, "/pkg.php?xml=squid_upstream.xml"); $tab_array[] = array(gettext("Local Cache"), false, 
"/pkg_edit.php?xml=squid_cache.xml&id=0"); @@ -99,16 +87,15 @@ include("head.inc"); $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=squid_users.xml"); $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_sync.xml"); - } + } display_top_tabs($tab_array); ?> -</td></tr> - <tr> - <td> -<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> - <form id="paramsForm" name="paramsForm" method="post"> - <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> - <tbody> + </td></tr> + <tr><td> + <div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> + <form id="paramsForm" name="paramsForm" method="post"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tbody> <tr> <td width="22%" valign="top" class="vncellreq">Max lines:</td> <td width="78%" class="vtable"> 
@@ -123,95 +110,87 @@ include("head.inc"); </select> <br/> <span class="vexpl"> - <?=gettext("Max. lines to be displayed.");?> + <?=gettext("Max. lines to be displayed.");?> </span> </td> </tr> <tr> <td width="22%" valign="top" class="vncellreq">String filter:</td> <td width="78%" class="vtable"> - <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value=""> + <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value="" /> <br/> <span class="vexpl"> - <?=gettext("Enter a grep like string/pattern to filterlog.");?><br> - <?=gettext("eg. username, ip addr, url.");?><br> - <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?> + <?=gettext("Enter a grep like string/pattern to filterlog.");?><br/> + <?=gettext("eg. username, ip addr, url.");?><br/> + <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?> </span> </td> </tr> - </tbody> - </table> - </form> - - <!-- Squid Table --> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tbody> - <tr> - <td> + </tbody> + </table> + </form> + + <!-- Squid Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr><td> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td colspan="6" class="listtopic"><center><?=gettext("Squid Logs"); ?><center></td> + <td colspan="6" class="listtopic" align="center"><?=gettext("Squid Logs"); ?></td> </tr> <tbody id="squidView"> - <script language="JavaScript"> + <script type="text/javascript"> // Call function to show squid log - showLog('squidView', 'squid_monitor_data.php','squid'); + showLog('squidView', 'squid_monitor_data.php', 'squid'); </script> </tbody> </table> - </td> - </tr> - </tbody> - </table> -<?php if ($_REQUEST["menu"]!="reverse"){?> - <!-- SquidGuard Table --> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tbody> - <tr> - <td> + 
</td></tr> + </tbody> + </table> +<?php if ($_REQUEST["menu"] != "reverse") {?> + <!-- SquidGuard Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr><td> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td colspan="5" class="listtopic"><center><?=gettext("SquidGuard Logs"); ?><center></td> + <td colspan="5" class="listtopic" align="center"><?=gettext("SquidGuard Logs"); ?></td> </tr> <tbody id="sguardView"> - <script language="JavaScript"> + <script type="text/javascript"> // Call function to show squidGuard log - showLog('sguardView', 'squid_monitor_data.php','sguard'); + showLog('sguardView', 'squid_monitor_data.php', 'sguard'); </script> </tbody> </table> - </td> - </tr> - </tbody> - </table> - <!-- clamav Table --> - <table width="100%" border="0" cellpadding="0" cellspacing="0"> - <tbody> - <tr> - <td> + </td></tr> + </tbody> + </table> + <!-- clamav Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr><td> <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> - <td colspan="6" class="listtopic"><center><?=gettext("clamav Logs"); ?><center></td> + <td colspan="6" class="listtopic" align="center"><?=gettext("clamav Logs"); ?></td> </tr> <tbody id="clamView"> - <script language="JavaScript"> + <script type="text/javascript"> // Call function to show squidGuard log - showLog('clamView', 'squid_monitor_data.php','clamav'); + showLog('clamView', 'squid_monitor_data.php', 'clamav'); </script> </tbody> </table> - </td> - </tr> - </tbody> - </table> -</div> + </td></tr> + </tbody> + </table> + </div> <?php }?> -</td> -</tr> -</table> + </td></tr> + </table> </div> - <?php include("fend.inc"); ?> diff --git a/config/squid3/34/squid_monitor_data.php b/config/squid3/34/squid_monitor_data.php index 9010f0a2..c2c3264d 100755 --- a/config/squid3/34/squid_monitor_data.php +++ b/config/squid3/34/squid_monitor_data.php 
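Review bot: The `</div>` that closes `<div id="mainarea">` sits inside the `<?php if ($_REQUEST["menu"] != "reverse") {?>` block near the end of this hunk, so with `menu=reverse` the div appears to be left unclosed. The opening tag is in the previous hunk, so this is inferred from the two together. Moving the `</div>` after `<?php }?>` balances the markup in both modes. The comment above the `clamView` call still reads `// Call function to show squidGuard log` and should say `// Call function to show clamav log`.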
@@ -1,23 +1,21 @@ <?php -/* ========================================================================== */ /* squid_monitor_data.php - part of pfSense (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2012-2014 Marcello Coutinho - Copyright (C) 2012-2014 Carlos Cesario - carloscesario@gmail.com + Copyright (C) 2012-2014 Carlos Cesario <carloscesario@gmail.com> + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -29,174 +27,167 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ -# ------------------------------------------------------------------------------ -# Defines -# ------------------------------------------------------------------------------ +*/ require_once("guiconfig.inc"); -# ------------------------------------------------------------------------------ -# Requests -# ------------------------------------------------------------------------------ +/* Requests */ if ($_POST) { - # Actions - $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_POST['strfilter'])); + global $filter, $program; + // Actions + $filter = preg_replace('/(@|!|>|<)/', "", htmlspecialchars($_POST['strfilter'])); $program = strtolower($_POST['program']); - switch ($program) { - case 'squid': + switch ($program) { + case 'squid': // Define log file - $log='/var/squid/logs/access.log'; - //show table headers - show_tds(array("Date","IP","Status","Address","User","Destination")); - //fetch lines - $logarr=fetch_log($log); + $log = '/var/squid/logs/access.log'; + // Show table headers + show_tds(array("Date", "IP", "Status", "Address", "User", "Destination")); + // Fetch lines + $logarr = fetch_log($log); // Print lines - foreach ($logarr as $logent) { - // Split line by space delimiter - $logline = preg_split("/\s+/", $logent); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); - // Apply date format to first line - //$logline[0] = date("d.m.Y H:i:s",$logline[0]); + // Apply date format to first line + //$logline[0] = date("d.m.Y H:i:s",$logline[0]); - // Word wrap the URL - $logline[7] = htmlentities($logline[7]); - $logline[7] = html_autowrap($logline[7]); + // Word wrap the URL + $logline[7] = 
htmlentities($logline[7]); + $logline[7] = html_autowrap($logline[7]); - // Remove /(slash) in destination row - $logline_dest = preg_split("/\//", $logline[9]); + // Remove /(slash) in destination row + $logline_dest = preg_split("/\//", $logline[9]); - // Apply filter and color + // Apply filter and color // Need validate special chars - if ($filter != "") - $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + if ($filter != "") { + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>", $logline); + } + echo "<tr valign=\"top\">\n"; - echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n"; + echo "<td class=\"listlr\" nowrap=\"nowrap\">{$logline[0]} {$logline[1]}</td>\n"; echo "<td class=\"listr\">{$logline[3]}</td>\n"; echo "<td class=\"listr\">{$logline[4]}</td>\n"; - echo "<td class=\"listr\" width=\"*\">{$logline[7]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$logline[7]}</td>\n"; echo "<td class=\"listr\">{$logline[8]}</td>\n"; echo "<td class=\"listr\">{$logline_dest[1]}</td>\n"; echo "</tr>\n"; - } + } break; case 'sguard'; - $log='/var/squidGuard/log/block.log'; - //show table headers - show_tds(array("Date-Time","ACL","Address","Host","User")); - //fetch lines - $logarr=fetch_log($log); - foreach ($logarr as $logent) { - // Split line by space delimiter - $logline = preg_split("/\s+/", $logent); - - // Apply time format - $logline[0] = date("d.m.Y", strtotime($logline[0])); - - // Word wrap the URL - $logline[4] = htmlentities($logline[4]); - $logline[4] = html_autowrap($logline[4]); - - - // Apply filter color - // Need validate special chars - if ($filter != "") - $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); - - - echo "<tr>\n"; - echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n"; - echo "<td class=\"listr\">{$logline[3]}</td>\n"; - echo "<td class=\"listr\" width=\"*\">{$logline[4]}</td>\n"; - 
echo "<td class=\"listr\">{$logline[5]}</td>\n"; - echo "<td class=\"listr\">{$logline[6]}</td>\n"; - echo "</tr>\n"; - } + $log = '/var/squidGuard/log/block.log'; + // Show table headers + show_tds(array("Date-Time", "ACL", "Address", "Host", "User")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y", strtotime($logline[0])); + + // Word wrap the URL + $logline[4] = htmlentities($logline[4]); + $logline[4] = html_autowrap($logline[4]); + + // Apply filter color + // Need validate special chars + if ($filter != "") { + $logline = preg_replace("@($filter)@i", "<span><font color='red'>$1</font></span>", $logline); + } + + echo "<tr>\n"; + echo "<td class=\"listlr\" nowrap=\"nowrap\">{$logline[0]} {$logline[1]}</td>\n"; + echo "<td class=\"listr\">{$logline[3]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$logline[4]}</td>\n"; + echo "<td class=\"listr\">{$logline[5]}</td>\n"; + echo "<td class=\"listr\">{$logline[6]}</td>\n"; + echo "</tr>\n"; + } break; case 'clamav'; - // Define log file - $log='/var/log/c-icap/virus.log'; - //show table headers - show_tds(array("Date-Time","Message","Virus","URL","Host","User")); - //fetch lines - $logarr=fetch_log($log); - foreach ($logarr as $logent) { - // Split line by space delimiter - $logline = preg_split("/\|/", $logent); - - // Apply time format - $logline[0] = date("d.m.Y H:i:s", strtotime($logline[0])); - - // Word wrap the URL - $logline[3] = htmlentities($logline[3]); - $logline[3] = html_autowrap($logline[3]); - - echo "<tr>\n"; - echo "<td class=\"listlr\" nowrap>{$logline[0]}</td>\n"; - echo "<td class=\"listr\" nowrap>{$logline[1]}</td>\n"; - echo "<td class=\"listr\">{$logline[2]}</td>\n"; - echo "<td class=\"listr\">{$logline[3]}</td>\n"; - echo "<td class=\"listr\">{$logline[4]}</td>\n"; - echo "<td class=\"listr\">{$logline[5]}</td>\n"; - echo 
"</tr>\n"; - } - break; - } + // Define log file + $log = '/var/log/c-icap/virus.log'; + // Show table headers + show_tds(array("Date-Time", "Message", "Virus", "URL", "Host", "User")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\|/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y H:i:s", strtotime($logline[0])); + + // Word wrap the URL + $logline[3] = htmlentities($logline[3]); + $logline[3] = html_autowrap($logline[3]); + + echo "<tr>\n"; + echo "<td class=\"listlr\" nowrap=\"nowrap\">{$logline[0]}</td>\n"; + echo "<td class=\"listr\" nowrap=\"nowrap\">{$logline[1]}</td>\n"; + echo "<td class=\"listr\">{$logline[2]}</td>\n"; + echo "<td class=\"listr\">{$logline[3]}</td>\n"; + echo "<td class=\"listr\">{$logline[4]}</td>\n"; + echo "<td class=\"listr\">{$logline[5]}</td>\n"; + echo "</tr>\n"; + } + break; + } } -# ------------------------------------------------------------------------------ -# Functions -# ------------------------------------------------------------------------------ - -// From SquidGuard Package -function html_autowrap($cont) -{ - # split strings - $p = 0; +/* Functions */ +function html_autowrap($cont) { + // split strings + $p = 0; $pstep = 25; - $str = $cont; + $str = $cont; $cont = ''; - for ( $p = 0; $p < strlen($str); $p += $pstep ) { - $s = substr( $str, $p, $pstep ); - if ( !$s ) break; - $cont .= $s . "<wbr/>"; + for ($p = 0; $p < strlen($str); $p += $pstep) { + $s = substr($str, $p, $pstep); + if (!$s) { + break; + } + $cont .= $s . 
"<wbr />"; } return $cont; } - // Show Squid Logs -function fetch_log($log){ - global $filter,$program; - // Get Data from form post - $lines = $_POST['maxlines']; - if (preg_match("/!/",htmlspecialchars($_POST['strfilter']))) - $grep_arg="-iv"; - else - $grep_arg="-i"; - - //Check program to execute or no the parser - if($program == "squid") - $parser = "| php -q squid_log_parser.php"; - else +function fetch_log($log) { + global $filter, $program; + // Get data from form post + $lines = $_POST['maxlines']; + if (preg_match("/!/", htmlspecialchars($_POST['strfilter']))) { + $grep_arg = "-iv"; + } else { + $grep_arg = "-i"; + } + + // Check program to execute or no the parser + if ($program == "squid") { + $parser = "| /usr/local/bin/php -q squid_log_parser.php"; + } else { $parser = ""; + } - // Get logs based in filter expression - if($filter != "") { - exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines} {$parser} " , $logarr); - } - else { - exec("tail -r -n {$lines} {$log} {$parser}", $logarr); - } - // return logs - return $logarr; + // Get logs based in filter expression + if ($filter != "") { + exec("/usr/bin/tail -n 2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | /usr/bin/tail -r -n {$lines} {$parser} ", $logarr); + } else { + exec("/usr/bin/tail -r -n {$lines} {$log} {$parser}", $logarr); + } + // Return logs + return $logarr; }; -function show_tds($tds){ +function show_tds($tds) { echo "<tr valign='top'>\n"; foreach ($tds as $td){ - echo "<td class='listhdrr'>".gettext($td)."</td>\n"; - } + echo "<td class='listhdrr'>" . gettext($td) . "</td>\n"; + } echo "</tr>\n"; } diff --git a/config/squid3/34/squid_nac.xml b/config/squid3/34/squid_nac.xml index 70fe162f..fb7accc3 100755 --- a/config/squid3/34/squid_nac.xml +++ b/config/squid3/34/squid_nac.xml 
@@ -2,57 +2,52 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_nac.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. 
Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidnac</name> - <version>none</version> - <title>Proxy server: Access control</title> + <version>0.3.5</version> + <title>Proxy Server: Access Control</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> @@ -85,7 +80,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> @@ -99,9 +94,15 @@ <type>listtopic</type> </field> <field> - <fielddescr>Allowed subnets</fielddescr> + <fielddescr>Allowed Subnets</fielddescr> <fieldname>allowed_subnets</fieldname> - <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description> + <description> + <![CDATA[ + Enter each subnet on a new line that is allowed to use the proxy.<br/> + The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24).<br/><br/> + Note: The proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy. + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> 
@@ -110,25 +111,42 @@ <field> <fielddescr>Unrestricted IPs</fielddescr> <fieldname>unrestricted_hosts</fieldname> - <description>Enter unrestricted IP address / network(in CIDR format) on a new line that is not to be filtered out by the other access control directives set in this page.</description> + <description> + <![CDATA[ + Enter unrestricted IP address(es) / network(s) in CIDR format.<br/> + Configured entries will NOT be filtered out by the other access control directives set in this page.<br/> + <strong>Note: Put each entry on a separate line.</strong> + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <fielddescr>Banned host addresses</fielddescr> + <fielddescr>Banned Hosts Addresses</fielddescr> <fieldname>banned_hosts</fieldname> - <description>Enter each IP address / network(in CIDR format) on a new line that is not to be allowed to use the proxy.</description> + <description> + <![CDATA[ + Enter IP address(es) / network(s) in CIDR format.<br/> + Configured entries will NOT be allowed to use the proxy.<br/> + <strong>Note: Put each entry on a separate line.</strong> + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> - </field> + </field> <field> <fielddescr>Whitelist</fielddescr> <fieldname>whitelist</fieldname> - <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <description> + <![CDATA[ + Destination domains that will be accessible to the users that are allowed to use the proxy.<br/> + <strong>Note: Put each entry on a separate line.</strong> You also can use regular expressions. + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> 
@@ -137,46 +155,72 @@ <field> <fielddescr>Blacklist</fielddescr> <fieldname>blacklist</fieldname> - <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <description> + <![CDATA[ + Destination domains that will be blocked for the users that are allowed to use the proxy.<br/> + <strong>Note: Put each entry on a separate line.</strong> You also can use regular expressions. + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <fielddescr>Block user agents</fielddescr> + <fielddescr>Block User Agents</fielddescr> <fieldname>block_user_agent</fieldname> - <description>Enter each user agent on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description> + <description> + <![CDATA[ + Enter user agents that will be blocked for the users that are allowed to use the proxy. + <strong>Note: Put each entry on a separate line.</strong> You also can use regular expressions. + ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <fielddescr>Block MIME types (reply only)</fielddescr> + <fielddescr>Block MIME Types (Reply Only)</fielddescr> <fieldname>block_reply_mime_type</fieldname> - <description>Enter each MIME type on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. Useful to block javascript (application/x-javascript).</description> + <description> + <![CDATA[ + Enter <a href="http://www.iana.org/assignments/media-types/media-types.xhtml">MIME types</a> that will be blocked for the + users that are allowed to use the proxy. Useful to block javascript (application/javascript).<br/> + <strong>Note: Put each entry on a separate line.</strong> You also can use regular expressions. 
+ ]]> + </description> <type>textarea</type> <cols>50</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <name>Squid Allowed ports</name> + <name>Squid Allowed Ports</name> <type>listtopic</type> </field> <field> - <fielddescr>acl safeports</fielddescr> + <fielddescr>ACL SafePorts</fielddescr> <fieldname>addtl_ports</fieldname> - <description>This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535</description> + <description> + <![CDATA[ + This is a space-separated list of "safe ports" <strong>in addition</strong> to the predefined default list.<br/> + Default list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535 + ]]> + </description> <type>input</type> <size>60</size> <default_value></default_value> </field> <field> - <fielddescr>acl sslports</fielddescr> + <fielddescr>ACL SSLPorts</fielddescr> <fieldname>addtl_sslports</fieldname> - <description>This is a space-separated list of ports to allow SSL "CONNECT" in addition to the already defined list: 443 563</description> + <description> + <![CDATA[ + This is a space-separated list of ports to allow SSL "CONNECT" to <strong>in addition</strong> to the predefined default list.<br/> + Default list: 443 563 + ]]> + </description> <type>input</type> <size>60</size> <default_value></default_value> diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index f583ee12..32c3fa65 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -1,10 +1,11 @@ <?php -/* $Id$ */ /* squid_reverse.inc + part of pfSense (https://www.pfSense.org/) Copyright (C) 2012 Martin Fuchs Copyright (C) 2012-2014 Marcello Coutinho Copyright (C) 2013 Gekkenhuis + Copyright (C) 2015 ESF, LLC All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -28,19 +29,26 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require_once('certs.inc'); +/* This file is currently only being included in squid.inc and not used separately */ +// require_once('squid.inc'); function squid_resync_reverse() { global $config; - //CONFIG FILE - if (is_array($config['installedpackages']['squidreversegeneral'])) + // config file + if (is_array($config['installedpackages']['squidreversegeneral'])) { $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; - if (is_array($config['installedpackages']['squidreversepeer'])) - $reverse_peers=$config['installedpackages']['squidreversepeer']['config']; - if (is_array($config['installedpackages']['squidreverseuri'])) - $reverse_maps=$config['installedpackages']['squidreverseuri']['config']; - if (is_array($config['installedpackages']['squidreverseredir'])) - $reverse_redir=$config['installedpackages']['squidreverseredir']['config']; + } + if (is_array($config['installedpackages']['squidreversepeer'])) { + $reverse_peers = $config['installedpackages']['squidreversepeer']['config']; + } + if (is_array($config['installedpackages']['squidreverseuri'])) { + $reverse_maps = $config['installedpackages']['squidreverseuri']['config']; + } + if (is_array($config['installedpackages']['squidreverseredir'])) { + $reverse_redir = $config['installedpackages']['squidreverseredir']['config']; + } $conf = "# Reverse Proxy settings\n"; 
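Review bot: `$settings`, `$reverse_peers`, `$reverse_maps` and `$reverse_redir` in `squid_resync_reverse()` are assigned only inside the `is_array()` checks, so they stay undefined when a section is missing from `$config`. Initialising each one before its check, e.g. `$settings = array();`, would match the defaults this commit adds to `squid_resync_auth()` in config/squid/squid.inc. The function body continues past this hunk, and the next hunk already reads `$settings["reverse_ssl_cert"]` unconditionally. The commented-out `// require_once('squid.inc');` could be dropped, since the comment above it already explains why the include is absent.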
@@ -48,39 +56,42 @@ function squid_resync_reverse() { $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); if ($svr_cert != false) { if (base64_decode($svr_cert['crt'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt'])); + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", sq_text_area_decode($svr_cert['crt'])); $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; } if (base64_decode($svr_cert['prv'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv'])); + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", sq_text_area_decode($svr_cert['prv'])); $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; } } } - if (!empty($settings['reverse_int_ca'])) - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); + if (!empty($settings['reverse_int_ca'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX); + } $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); // set HTTP port and defsite - $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']); - $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']); + $http_port = (empty($settings['reverse_http_port']) ? "80" : $settings['reverse_http_port']); + $http_defsite = (empty($settings['reverse_http_defsite']) ? 
$settings['reverse_external_fqdn'] : $settings['reverse_http_defsite']); // set HTTPS port and defsite - $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']); - $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']); + $https_port = (empty($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']); + $https_defsite = (empty($settings['reverse_https_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_https_defsite']); foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if ($real_ifaces[$i][0]) { //HTTP - if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on')) + if ((!empty($settings['reverse_http'])) || ($settings['reverse_owa_autodiscover'] == 'on')) { $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + } //HTTPS - if (!empty($settings['reverse_https'])) + if (!empty($settings['reverse_https'])) { $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } } } 
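Review bot: The private key is written with `file_put_contents(SQUID_CONFBASE . "/{...}.key", ...)` and no mode is set afterwards, so the file gets whatever the process umask allows and may be readable by other local users. Restrict it right after the write, e.g. `chmod($reverse_key, 0600);` (or 0640 with the proxy's group if Squid reads the key after dropping privileges; this needs confirming). The file name is built from `$settings["reverse_ssl_cert"]`, which looks like a certificate refid. A short comment saying so, or `basename()` around it, would make the path handling explicit. The function starts and ends outside this hunk.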
@@ -88,15 +99,17 @@ function squid_resync_reverse() { $reverse_ip = explode(";", ($settings['reverse_ip'])); foreach ($reverse_ip as $reip) { //HTTP - if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on')) + if ((!empty($settings['reverse_http'])) || ($settings['reverse_owa_autodiscover'] == 'on')) { $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + } //HTTPS - if (!empty($settings['reverse_https'])) + if (!empty($settings['reverse_https'])) { $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } } } - //PEERS + // peers if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { if (!empty($settings['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip'])); 
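Review bot: The `https_port` line interpolates `{$reverse_crt}` and `{$reverse_key}`, which the previous hunk assigns only when `lookup_cert()` succeeds and the stored data decodes. With HTTPS enabled and no usable certificate this emits `cert= key=`, which Squid will presumably reject at startup. A guard such as `if (!empty($settings['reverse_https']) && !empty($reverse_crt) && !empty($reverse_key)) {` would make the failure explicit, and the same line in the per-interface loop of the previous hunk has the same gap. `$reip` also comes straight from `explode(";", ...)`, so an empty or space-padded entry reaches the directive unless validation elsewhere (not visible here) rejects it.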
@@ -109,33 +122,34 @@ function squid_resync_reverse() { } } - $active_peers=array(); + $active_peers = array(); if (is_array($reverse_peers)) { foreach ($reverse_peers as $rp) { - if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !="") { - $conf_peer = "#{$rp['description']}\n"; - $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin "; - if ($rp['protocol'] == 'HTTPS') - $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf_peer .= "name=rvp_{$rp['name']}\n\n"; - - // add peer only if reverse proxy is enabled for http - if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on") { - $conf .= $conf_peer; - array_push($active_peers,$rp['name']); - } - // add peer only if if reverse proxy is enabled for https - if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on") { - if (!in_array($rp['name'],$active_peers)) { + if ($rp['enable'] == "on" && $rp['name'] != "" && $rp['ip'] != "" && $rp['port'] != "") { + $conf_peer = "#{$rp['description']}\n"; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin "; + if ($rp['protocol'] == 'HTTPS') { + $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + } + $conf_peer .= "name=rvp_{$rp['name']}\n\n"; + + // add peer only if reverse proxy is enabled for http + if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] == "on") { $conf .= $conf_peer; - array_push($active_peers,$rp['name']); + array_push($active_peers, $rp['name']); + } + // add peer only if if reverse proxy is enabled for https + if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] == "on") { + if (!in_array($rp['name'], $active_peers)) { + $conf .= $conf_peer; + array_push($active_peers, $rp['name']); } } } } } - //REDIRECTS + // redirects if (is_array($reverse_redir)) { foreach 
($reverse_redir as $rdr) { if ($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") { @@ -167,25 +181,30 @@ function squid_resync_reverse() { } } - //ACLS and MAPPINGS + // ACLs and mappings //create an empty owa_dirs to populate based on user selected options - $owa_dirs=array(); - if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on") { + $owa_dirs = array(); + if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] == "on") { if (!empty($settings['reverse_owa_ip'])) { - array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB'); - if ($settings['reverse_owa_activesync']) - array_push($owa_dirs,'Microsoft-Server-ActiveSync'); - if ($settings['reverse_owa_rpchttp']) - array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); - if ($settings['reverse_owa_mapihttp']) - array_push($owa_dirs,'mapi'); - if ($settings['reverse_owa_webservice']) - array_push($owa_dirs,'EWS'); + array_push($owa_dirs, 'owa', 'exchange', 'public', 'exchweb', 'ecp', 'OAB'); + if ($settings['reverse_owa_activesync']) { + array_push($owa_dirs, 'Microsoft-Server-ActiveSync'); + } + if ($settings['reverse_owa_rpchttp']) { + array_push($owa_dirs, 'rpc/rpcproxy.dll', 'rpcwithcert/rpcproxy.dll'); + } + if ($settings['reverse_owa_mapihttp']) { + array_push($owa_dirs, 'mapi'); + } + if ($settings['reverse_owa_webservice']) { + array_push($owa_dirs, 'EWS'); + } } if (is_array($owa_dirs)) { - foreach ($owa_dirs as $owa_dir) + foreach ($owa_dirs as $owa_dir) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n"; + } } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) { 
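Review bot: Every HTTPS peer gets `ssl sslflags=DONT_VERIFY_PEER` unconditionally, so the proxy never validates the backend's certificate, although squid_reverse.xml in this same commit keeps a `reverse_ignore_ssl_valid` checkbox that this block does not consult. If that checkbox is meant to control peer verification, append the flag only when it is set, e.g. `$conf_peer .= ($settings['reverse_ignore_ssl_valid'] == 'on') ? "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto " : "ssl front-end-https=auto ";`. Separately, `#{$rp['description']}` and the `ip`, `port` and `name` fields are written into the Squid configuration as-is. Unless the validation code (outside this hunk) rejects line breaks, strip `\r` and `\n` from the description and add a comment such as `// emitted verbatim into squid.conf, must stay single-line`.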
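Review bot: `reverse_external_fqdn` is interpolated into the `url_regex` pattern unescaped, so each `.` in the host name matches any character and the `OWA_URI_pfs` ACL accepts more hosts than the configured one. Escaping the dots first, e.g. `$owa_fqdn = str_replace('.', '\.', $settings['reverse_external_fqdn']);`, and using `{$owa_fqdn}` in the pattern keeps the match literal. The `is_array($owa_dirs)` test is always true because `$owa_dirs = array();` is assigned just above, so it can be dropped.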
@@ -199,31 +218,31 @@ function squid_resync_reverse() { //$conf .= "ssl_unclean_shutdown on"; if (is_array($reverse_maps)) { foreach ($reverse_maps as $rm) { - if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!="" && is_array($rm['row'])) { + if ($rm['enable'] == "on" && $rm['name'] != "" && $rm['peers'] != "" && is_array($rm['row'])) { foreach ($rm['row'] as $uri) { - $url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] ); + $url_regex = ($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] ); //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n"; $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n"; if ($rm['name'] != $last_rm_name) { $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n"; $http_access_conf .= "http_access allow rvm_{$rm['name']}\n"; - foreach (explode(',',$rm['peers']) as $map_peer) { - if (in_array($map_peer,$active_peers)) { + foreach (explode(',', $rm['peers']) as $map_peer) { + if (in_array($map_peer, $active_peers)) { $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n"; $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n"; } } - $last_rm_name=$rm['name']; + $last_rm_name = $rm['name']; } } } } } - //ACCESS - if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") { + // access + if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] == "on") { - for ($cascnt=1;$cascnt<$casnr+1;$cascnt++) { + for ($cascnt = 1; $cascnt < $casnr + 1; $cascnt++) { $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n"; $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n"; $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n"; 
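Review bot: `never_direct allow rvm_...` and `http_access allow rvm_...` are emitted for every enabled mapping, but the `cache_peer_access` lines only for peers found in `$active_peers`. A mapping whose peers are all inactive is therefore allowed by `http_access` with no peer to serve it. Skipping such mappings at the top of the `foreach ($reverse_maps as $rm)` body, e.g. `if (!array_intersect(explode(',', $rm['peers']), $active_peers)) { continue; }`, keeps the access rules and the peer rules in step. `$last_rm_name` and the four `*_conf` accumulators are first touched with `!=` and `.=` here; if they are not initialised earlier in the function (outside this hunk), set them to `''` first.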
@@ -236,8 +255,9 @@ function squid_resync_reverse() { $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; - if (!empty($settings['deny_info_tcp_reset'])) + if (!empty($settings['deny_info_tcp_reset'])) { $conf .= "deny_info TCP_RESET allsrc\n"; + } return $conf; } diff --git a/config/squid3/34/squid_reverse.xml b/config/squid3/34/squid_reverse.xml index 40fb0ec1..3617debc 100755 --- a/config/squid3/34/squid_reverse.xml +++ b/config/squid3/34/squid_reverse.xml 
@@ -2,55 +2,51 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_reverse.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidreverse</name> - <version>none</version> - <title>Proxy server: Reverse Proxy</title> + <version>0.3.5</version> + <title>Proxy Server: Reverse Proxy</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> -<tab> + <tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> @@ -84,7 +80,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> 
@@ -94,37 +90,47 @@ </tabs> <fields> <field> - <name>Squid Reverse proxy General Settings</name> + <name>Squid Reverse Proxy General Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>Reverse Proxy interface</fielddescr> + <fielddescr>Reverse Proxy Interface</fielddescr> <fieldname>reverse_interface</fieldname> - <description>The interface(s) the reverse-proxy server will bind to.</description> + <description> + <![CDATA[ + The interface(s) the reverse-proxy server will bind to.<br/> + Use CTRL + click to select multiple interfaces. + ]]> + </description> <type>interfaces_selection</type> <required/> <default_value>wan</default_value> <multiple/> </field> <field> - <fielddescr>User-defined reverse-proxy IPs</fielddescr> + <fielddescr>User Defined Reverse Proxy IPs</fielddescr> <fieldname>reverse_ip</fieldname> - <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description> + <description> + <![CDATA[ + Squid will additionally bind to these user-defined IPs for reverse proxy operation. 
Useful for virtual IPs such as CARP.<br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> <size>70</size> - </field> + </field> <field> - <fielddescr>external FQDN</fielddescr> + <fielddescr>External FQDN</fielddescr> <fieldname>reverse_external_fqdn</fieldname> - <description>The external full-qualified-domain-name of the WAN address.</description> + <description>The external fully qualified domain name of the WAN IP address.</description> <type>input</type> <required/> <size>70</size> </field> <field> - <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> + <fielddescr>Reset TCP Connections on Unauthorized Requests</fielddescr> <fieldname>deny_info_tcp_reset</fieldname> - <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> + <description>If checked, the reverse proxy will reset the TCP connection if the request is unauthorized.</description> <type>checkbox</type> <default_value>on</default_value> </field> 
@@ -133,26 +139,41 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable HTTP reverse mode</fielddescr> + <fielddescr>Enable HTTP Reverse Mode</fielddescr> <fieldname>reverse_http</fieldname> - <description>If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <description> + <![CDATA[ + If checked, the proxy server will act in HTTP reverse mode.<br/> + <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong> + ]]> + </description> <type>checkbox</type> - <enablefields>reverse_http_port,reverse_http_defsite</enablefields> + <enablefields>reverse_http_port,reverse_http_defsite</enablefields> <required/> <default_value>off</default_value> </field> <field> - <fielddescr>reverse HTTP port</fielddescr> + <fielddescr>Reverse HTTP Port</fielddescr> <fieldname>reverse_http_port</fieldname> - <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description> + <description> + <![CDATA[ + This is the port the HTTP reverse proxy will listen on. Default value will be used if left empty.<br/> + Default: 80 + ]]> + </description> <type>input</type> <size>5</size> <default_value>80</default_value> </field> <field> - <fielddescr>reverse HTTP default site</fielddescr> + <fielddescr>Reverse HTTP Default Site</fielddescr> <fieldname>reverse_http_defsite</fieldname> - <description>This is the HTTP reverse default site. (leave empty to use the external fqdn)</description> + <description> + <![CDATA[ + This is the HTTP reverse proxy default site.<br/> + Note: Leave empty to use 'External FQDN' value specified above. + ]]> + </description> <type>input</type> <size>60</size> </field> 
@@ -161,99 +182,139 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable HTTPS reverse proxy</fielddescr> + <fielddescr>Enable HTTPS Reverse Proxy</fielddescr> <fieldname>reverse_https</fieldname> - <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <description> + <![CDATA[ + If checked, the proxy server will act in HTTPS reverse mode.<br/> + <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong> + ]]> + </description> <type>checkbox</type> <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> <required/> <default_value>off</default_value> - </field> + </field> <field> - <fielddescr>reverse HTTPS port</fielddescr> + <fielddescr>Reverse HTTPS Port</fielddescr> <fieldname>reverse_https_port</fieldname> - <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description> + <description> + <![CDATA[ + This is the port the HTTPS reverse proxy will listen on. Default value will be used if left empty.<br/> + Default: 443 + ]]> + </description> <type>input</type> <size>5</size> <default_value>443</default_value> </field> <field> - <fielddescr>reverse HTTPS default site</fielddescr> + <fielddescr>Reverse HTTPS Default Site</fielddescr> <fieldname>reverse_https_defsite</fieldname> - <description>This is the HTTPS reverse default site. (leave empty to use the external fqdn)</description> + <description> + <![CDATA[ + This is the HTTPS reverse proxy default site.<br/> + Note: Leave empty to use 'External FQDN' value specified above. 
+ ]]> + </description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>reverse SSL certificate</fielddescr> + <fielddescr>Reverse SSL Certificate</fielddescr> <fieldname>reverse_ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> - <source><![CDATA[$config['cert']]]></source> + <type>select_source</type> + <source>$config['cert']</source> <source_name>descr</source_name> <source_value>refid</source_value> </field> <field> - <fielddescr>intermediate CA certificate (if needed)</fielddescr> + <fielddescr>Intermediate CA Certificate (If Needed)</fielddescr> <fieldname>reverse_int_ca</fieldname> - <description>Paste a signed certificate in X.509 PEM format here.</description> + <description> + <![CDATA[ + Paste a signed certificate in X.509 <strong>PEM format</strong> here. + ]]> + </description> <type>textarea</type> - <cols>50</cols> + <cols>75</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <fielddescr>Ignore internal Certificate validation</fielddescr> + <fielddescr>Ignore Internal Certificate Validation</fielddescr> <fieldname>reverse_ignore_ssl_valid</fieldname> - <description>If this field is checked, internal certificate validation will be ignored.</description> - <type>checkbox</type> + <description>If checked, internal certificate validation will be ignored.</description> + <type>checkbox</type> <default_value>on</default_value> </field> <field> - <fielddescr>Enable OWA reverse proxy</fielddescr> + <name>OWA Reverse Proxy General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable OWA Reverse Proxy</fielddescr> <fieldname>reverse_owa</fieldname> - <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description> + <description>If checked, Squid will act as an accelerator/SSL offloader for Outlook Web App.</description> <type>checkbox</type> - 
<enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> + <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> </field> <field> - <fielddescr>CAS-Array / OWA frontend IP address</fielddescr> + <fielddescr>CAS-Array / OWA Frontend IP Address</fielddescr> <fieldname>reverse_owa_ip</fieldname> - <description>These are the internal IPs of the CAS-Array (OWA frontend servers). Separate by semi-colons (;). </description> + <description> + <![CDATA[ + These are the internal IPs of the CAS-Array (OWA frontend servers).<br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> <size>70</size> - </field> + </field> <field> <fielddescr>Enable ActiveSync</fielddescr> <fieldname>reverse_owa_activesync</fieldname> - <description>If this field is checked, ActiveSync will be enabled.</description> + <description>If checked, ActiveSync will be enabled.</description> <type>checkbox</type> </field> <field> <fielddescr>Enable Outlook Anywhere</fielddescr> <fieldname>reverse_owa_rpchttp</fieldname> - <description>If this field is checked, RPC over HTTP will be enabled.</description> + <description>If checked, RPC over HTTP will be enabled.</description> <type>checkbox</type> </field> <field> <fielddescr>Enable MAPI HTTP</fielddescr> <fieldname>reverse_owa_mapihttp</fieldname> - <description><![CDATA[If this field is checked, MAPI over HTTP will be enabled.<br> - <strong>This feature is only available with at least Exchange 2013 SP1</strong>]]></description> + <description> + <![CDATA[ + If checked, MAPI over HTTP will be enabled.<br/> + <strong>This feature is only available with at least Microsoft Exchange 2013 SP1</strong> + ]]> + </description> <type>checkbox</type> </field> <field> <fielddescr>Enable Exchange WebServices</fielddescr> 
<fieldname>reverse_owa_webservice</fieldname> - <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br> - <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description> + <description> + <![CDATA[ + If checked, Exchange WebServices will be enabled.<br/> + <strong>There are potential DoS side effects to its use. Please avoid unless really required.</strong> + ]]> + </description> <type>checkbox</type> </field> <field> <fielddescr>Enable AutoDiscover</fielddescr> <fieldname>reverse_owa_autodiscover</fieldname> - <description><![CDATA[If this field is checked, AutoDiscover will be enabled.<br> - <strong>You also should set up the autodiscover DNS-record to point to you WAN-IP.</strong>]]></description> + <description> + <![CDATA[ + If checked, AutoDiscover will be enabled.<br/> + <strong>You also should set up the autodiscover DNS record to point to you WAN IP.</strong> + ]]> + </description> <type>checkbox</type> </field> <field> 
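Review bot: Two typos in the new help text: the AutoDiscover description says "point to you WAN IP" (should be `your WAN IP`), and the `reverse_uri` description in the next hunk says "ommited" (should be `omitted`). Also, `reverse_ignore_ssl_valid` keeps `<default_value>on</default_value>`, and the reworded description "internal certificate validation will be ignored" does not say what is being skipped. If it is the check of the internal servers' certificates, as the name suggests, wording such as `If checked, certificates presented by the internal servers are not validated.` would make the trade-off clear to the administrator.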
@@ -261,49 +322,79 @@ <type>listtopic</type> </field> <field> - <fielddescr><b>peer definitions</b> <br>publishing hosts</fielddescr> + <fielddescr> + <![CDATA[ + Peer Definitions<br/> + Publishing Hosts + ]]> + </fielddescr> <fieldname>reverse_cache_peer</fieldname> - <description><![CDATA[Enter each peer definition on a new line. Directives have to be separated by a semicolon(;).<BR> - syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS]<br> - example: HOST1;192.168.0.1;80;HTTP<br> - <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description> + <description> + <![CDATA[ + Enter each peer definition on a new line. Directives have to be separated by a semicolon(;).<br/><br/> + Syntax: [peer alias];[internal ip address];[port];[HTTP/HTTPS]<br/> + Example: HOST1;192.168.0.1;80;HTTP<br/> + <strong><span class="errmsg">WARNING:</span> Wrong syntax usage will result in Squid not starting!</strong> + ]]> + </description> <type>textarea</type> <cols>60</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> - <fielddescr><b>URI definitions</b> <br>published URIs</fielddescr> + <fielddescr> + <![CDATA[ + URI Definitions<br/> + Published URIs + ]]> + </fielddescr> <fieldname>reverse_uri</fieldname> - <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;)<BR> - syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <BR> - (a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://)<BR> - example: URI1;public;server.pfsense.org.<BR> - <STRONG>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</STRONG>]]></description> + <description> + <![CDATA[ + Enter each reverse ACL definition on a separate line. 
Directives have to be separated by a semicolon(;)<br/><br/> + Syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn])<br/> + Example: URI1;public;server.example.com<br/><br/> + Notes:<br/> + - A group can contain multiple URIs<br/> + - If [vhost fqdn] is ommited, 'External FQDN' is used<br/> + - You also can specify http:// or https://<br/><br/> + <strong><span class="errmsg">WARNING:</span> Wrong syntax usage will result in Squid not starting!</strong> + ]]> + </description> <type>textarea</type> <cols>60</cols> <rows>10</rows> <encoding>base64</encoding> - </field> + </field> <field> - <fielddescr><b>ACL definitions</b> <br>published URIs</fielddescr> + <fielddescr> + <![CDATA[ + ACL Definitions<br/> + Published URIs + ]]> + </fielddescr> <fieldname>reverse_acl</fieldname> - <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br> - syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br> - <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description> + <description> + <![CDATA[ + Enter each reverse ACL definition on a new line. Directives have to be separated by a semicolon(;)<br/> + Syntax: [peer alias];[uri group alias]<br/> + Example: HOST1;URI1<br/> + <strong><span class="errmsg">WARNING:</span> Wrong syntax usage will result in Squid not starting!</strong> + ]]> + </description> <type>textarea</type> <cols>60</cols> <rows>10</rows> <encoding>base64</encoding> - </field> - -<!-- + </field> + <!-- <field> - <fielddescr>internal hosts</fielddescr> + <fielddescr>Internal Hosts</fielddescr> <type>rowhelper</type> <rowhelper> <rowhelperfield> - <fielddescr>IP address</fielddescr> + <fielddescr>IP Address</fielddescr> <fieldname>reverse_cache_peer_ip</fieldname> <type>input</type> <size>15</size> 
@@ -312,28 +403,27 @@ <fielddescr>Protocol</fielddescr> <fieldname>reverse_cache_peer_proto</fieldname> <type>select</type> - <options> - <option> <name>HTTP</name> <value>HTTP</value> </option> - <option> <name>HTTPS</name> <value>HTTPS</value> </option> - </options> + <options> + <option><name>HTTP</name><value>HTTP</value></option> + <option><name>HTTPS</name><value>HTTPS</value></option> + </options> </rowhelperfield> <rowhelperfield> - <fielddescr>port</fielddescr> + <fielddescr>Port</fielddescr> <fieldname>reverse_cache_peer_port</fieldname> <type>input</type> <size>5</size> </rowhelperfield> <rowhelperfield> - <fielddescr>peer name</fielddescr> + <fielddescr>Peer Name</fielddescr> <fieldname>reverse_cache_peer_name</fieldname> <type>input</type> <size>25</size> </rowhelperfield> </rowhelper> </field> - <field> - <fielddescr>published URI</fielddescr> + <fielddescr>Published URI</fielddescr> <type>rowhelper</type> <rowhelper> <rowhelperfield> @@ -343,19 +433,15 @@ <size>50</size> </rowhelperfield> <rowhelperfield> - <fielddescr>peer name</fielddescr> + <fielddescr>Peer Name</fielddescr> <fieldname>reverse_cache_peer</fieldname> <type>input</type> <size>25</size> </rowhelperfield> </rowhelper> </field> ---> - + --> </fields> - <custom_php_command_before_form> - squid_before_form_general($pkg); - </custom_php_command_before_form> <custom_php_validation_command> squid_validate_reverse($_POST, $input_errors); </custom_php_validation_command> diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml index 3317ae18..19c504f1 100755 --- a/config/squid3/34/squid_reverse_general.xml +++ b/config/squid3/34/squid_reverse_general.xml 
@@ -2,56 +2,52 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_reverse_general.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_reverse_general.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidreversegeneral</name> - <version>none</version> - <title>Reverse Proxy server: General</title> + <version>0.3.5</version> + <title>Reverse Proxy Server: General</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> <active/> </tab> @@ -68,7 +64,7 @@ <url>/pkg.php?xml=squid_reverse_redir.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> <tab> 
@@ -78,37 +74,47 @@ </tabs> <fields> <field> - <name>Squid Reverse proxy General Settings</name> + <name>Squid Reverse Proxy General Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>Reverse Proxy interface</fielddescr> + <fielddescr>Reverse Proxy Interface</fielddescr> <fieldname>reverse_interface</fieldname> - <description>The interface(s) the reverse-proxy server will bind to.</description> + <description> + <![CDATA[ + The interface(s) the reverse-proxy server will bind to.<br/> + Use CTRL + click to select multiple interfaces. + ]]> + </description> <type>interfaces_selection</type> <required/> <default_value>wan</default_value> <multiple/> </field> <field> - <fielddescr>User-defined reverse-proxy IPs</fielddescr> + <fielddescr>User Defined Reverse Proxy IPs</fielddescr> <fieldname>reverse_ip</fieldname> - <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description> + <description> + <![CDATA[ + Squid will additionally bind to these user-defined IPs for reverse proxy operation. 
Useful for virtual IPs such as CARP.<br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> <size>70</size> - </field> + </field> <field> - <fielddescr>external FQDN</fielddescr> + <fielddescr>External FQDN</fielddescr> <fieldname>reverse_external_fqdn</fieldname> - <description>The external full-qualified-domain-name of the WAN address.</description> + <description>The external fully qualified domain name of the WAN IP address.</description> <type>input</type> <required/> <size>70</size> </field> <field> - <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> + <fielddescr>Reset TCP Connections on Unauthorized Requests</fielddescr> <fieldname>deny_info_tcp_reset</fieldname> - <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> + <description>If checked, the reverse proxy will reset the TCP connection if the request is unauthorized.</description> <type>checkbox</type> <default_value>on</default_value> </field> 
@@ -117,26 +123,41 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable HTTP reverse mode</fielddescr> + <fielddescr>Enable HTTP Reverse Mode</fielddescr> <fieldname>reverse_http</fieldname> - <description>If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <description> + <![CDATA[ + If checked, the proxy server will act in HTTP reverse mode.<br/> + <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong> + ]]> + </description> <type>checkbox</type> - <enablefields>reverse_http_port,reverse_http_defsite</enablefields> + <enablefields>reverse_http_port,reverse_http_defsite</enablefields> <required/> <default_value>off</default_value> </field> <field> - <fielddescr>reverse HTTP port</fielddescr> + <fielddescr>Reverse HTTP Port</fielddescr> <fieldname>reverse_http_port</fieldname> - <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description> + <description> + <![CDATA[ + This is the port the HTTP reverse proxy will listen on. Default value will be used if left empty.<br/> + Default: 80 + ]]> + </description> <type>input</type> <size>5</size> <default_value>80</default_value> </field> <field> - <fielddescr>reverse HTTP default site</fielddescr> + <fielddescr>Reverse HTTP Default Site</fielddescr> <fieldname>reverse_http_defsite</fieldname> - <description>This is the HTTP reverse default site. (leave empty to use the external fqdn)</description> + <description> + <![CDATA[ + This is the HTTP reverse proxy default site.<br/> + Note: Leave empty to use 'External FQDN' value specified above. + ]]> + </description> <type>input</type> <size>60</size> </field> 
@@ -145,109 +166,142 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable HTTPS reverse proxy</fielddescr> + <fielddescr>Enable HTTPS Reverse Proxy</fielddescr> <fieldname>reverse_https</fieldname> - <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <description> + <![CDATA[ + If checked, the proxy server will act in HTTPS reverse mode.<br/> + <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong> + ]]> + </description> <type>checkbox</type> <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> <required/> <default_value>off</default_value> - </field> + </field> <field> - <fielddescr>reverse HTTPS port</fielddescr> + <fielddescr>Reverse HTTPS Port</fielddescr> <fieldname>reverse_https_port</fieldname> - <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description> + <description> + <![CDATA[ + This is the port the HTTPS reverse proxy will listen on. Default value will be used if left empty.<br/> + Default: 443 + ]]> + </description> <type>input</type> <size>5</size> <default_value>443</default_value> </field> <field> - <fielddescr>reverse HTTPS default site</fielddescr> + <fielddescr>Reverse HTTPS Default Site</fielddescr> <fieldname>reverse_https_defsite</fieldname> - <description>This is the HTTPS reverse default site. (leave empty to use the external fqdn)</description> + <description> + <![CDATA[ + This is the HTTPS reverse proxy default site.<br/> + Note: Leave empty to use 'External FQDN' value specified above. 
+ ]]> + </description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>reverse SSL certificate</fielddescr> + <fielddescr>Reverse SSL Certificate</fielddescr> <fieldname>reverse_ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> - <source><![CDATA[$config['cert']]]></source> + <type>select_source</type> + <source>$config['cert']</source> <source_name>descr</source_name> <source_value>refid</source_value> </field> <field> - <fielddescr>intermediate CA certificate (if needed)</fielddescr> + <fielddescr>Intermediate CA Certificate (If Needed)</fielddescr> <fieldname>reverse_int_ca</fieldname> - <description>Paste a signed certificate in X.509 PEM format here.</description> + <description> + <![CDATA[ + Paste a signed certificate in X.509 <strong>PEM format</strong> here. + ]]> + </description> <type>textarea</type> - <cols>50</cols> + <cols>75</cols> <rows>5</rows> <encoding>base64</encoding> </field> <field> - <fielddescr>Ignore internal Certificate validation</fielddescr> + <fielddescr>Ignore Internal Certificate Validation</fielddescr> <fieldname>reverse_ignore_ssl_valid</fieldname> - <description>If this field is checked, internal certificate validation will be ignored.</description> - <type>checkbox</type> + <description>If checked, internal certificate validation will be ignored.</description> + <type>checkbox</type> <default_value>on</default_value> </field> <field> - <name>OWA Reverse proxy General Settings</name> + <name>OWA Reverse Proxy General Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>Enable OWA reverse proxy</fielddescr> + <fielddescr>Enable OWA Reverse Proxy</fielddescr> <fieldname>reverse_owa</fieldname> - <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description> + <description>If checked, Squid will act as an accelerator/SSL offloader for Outlook Web App.</description> 
<type>checkbox</type> - <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> + <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> </field> <field> - <fielddescr>CAS-Array / OWA frontend IP address</fielddescr> + <fielddescr>CAS-Array / OWA Frontend IP Address</fielddescr> <fieldname>reverse_owa_ip</fieldname> - <description>These are the internal IPs of the CAS-Array (OWA frontend servers). Separate by semi-colons (;). </description> + <description> + <![CDATA[ + These are the internal IPs of the CAS-Array (OWA frontend servers).<br/> + <strong>Note: Separate entries by semi-colons (;)</strong> + ]]> + </description> <type>input</type> <size>70</size> - </field> + </field> <field> <fielddescr>Enable ActiveSync</fielddescr> <fieldname>reverse_owa_activesync</fieldname> - <description>If this field is checked, ActiveSync will be enabled.</description> + <description>If checked, ActiveSync will be enabled.</description> <type>checkbox</type> </field> <field> <fielddescr>Enable Outlook Anywhere</fielddescr> <fieldname>reverse_owa_rpchttp</fieldname> - <description>If this field is checked, RPC over HTTP will be enabled.</description> + <description>If checked, RPC over HTTP will be enabled.</description> <type>checkbox</type> </field> <field> <fielddescr>Enable MAPI HTTP</fielddescr> <fieldname>reverse_owa_mapihttp</fieldname> - <description><![CDATA[If this field is checked, MAPI over HTTP will be enabled.<br> - <strong>This feature is only available with at least Exchange 2013 SP1</strong>]]></description> + <description> + <![CDATA[ + If checked, MAPI over HTTP will be enabled.<br/> + <strong>This feature is only available with at least Microsoft Exchange 2013 SP1</strong> + ]]> + </description> <type>checkbox</type> </field> <field> <fielddescr>Enable Exchange 
WebServices</fielddescr> <fieldname>reverse_owa_webservice</fieldname> - <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br> - <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description> + <description> + <![CDATA[ + If checked, Exchange WebServices will be enabled.<br/> + <strong>There are potential DoS side effects to its use. Please avoid unless really required.</strong> + ]]> + </description> <type>checkbox</type> </field> <field> <fielddescr>Enable AutoDiscover</fielddescr> <fieldname>reverse_owa_autodiscover</fieldname> - <description><![CDATA[If this field is checked, AutoDiscover will be enabled.<br> - <strong>You also should set up the autodiscover DNS-record to point to you WAN-IP.</strong>]]></description> + <description> + <![CDATA[ + If checked, AutoDiscover will be enabled.<br/> + <strong>You also should set up the autodiscover DNS record to point to you WAN IP.</strong> + ]]> + </description> <type>checkbox</type> </field> </fields> - <custom_php_command_before_form> - squid_before_form_general($pkg); - </custom_php_command_before_form> <custom_php_validation_command> squid_validate_reverse($_POST, $input_errors); </custom_php_validation_command> diff --git a/config/squid3/34/squid_reverse_peer.xml b/config/squid3/34/squid_reverse_peer.xml index eabc72ff..fabc5b92 100755 --- a/config/squid3/34/squid_reverse_peer.xml +++ b/config/squid3/34/squid_reverse_peer.xml 
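Review bot: The reworded description for `reverse_ignore_ssl_valid` still does not say what ignoring validation costs, and the field keeps `<default_value>on</default_value>`. A new HTTPS reverse proxy setup will therefore, presumably, not verify the certificates of the internal servers it connects to. Since this hunk already rewrites the text, I would spell the consequence out, e.g. `If checked, certificates presented by internal servers are not validated, so an impersonated backend cannot be detected. Uncheck once the internal servers use certificates from a trusted CA.` Changing the default to off is better left to a separate change, because it may break existing setups that use self-signed backend certificates. The new AutoDiscover text also reads "point to you WAN IP", which should be "your".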
@@ -2,56 +2,52 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_reverse_peer.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_reverse_peer.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidreversepeer</name> - <version>none</version> - <title>Reverse Proxy server: Peers</title> + <version>0.3.5</version> + <title>Reverse Proxy Server: Peers</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> </tab> <tab> @@ -68,7 +64,7 @@ <url>/pkg.php?xml=squid_reverse_redir.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> <tab> @@ -86,7 +82,7 @@ <fieldname>name</fieldname> </columnitem> <columnitem> - <fielddescr>Ip address</fielddescr> + <fielddescr>IP Address</fielddescr> <fieldname>ip</fieldname> </columnitem> <columnitem> @@ -96,11 +92,11 @@ <columnitem> <fielddescr>Protocol</fielddescr> <fieldname>Protocol</fieldname> - </columnitem> + </columnitem> <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> </adddeleteeditpagefields> <fields> <field> 
@@ -108,56 +104,65 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable this peer</fielddescr> + <fielddescr>Enable This Peer</fielddescr> <fieldname>enable</fieldname> - <description>If this field is checked, then this peer will be available for reverse config.</description> + <description>If checked, then this peer will be available for reverse proxy configuration.</description> <type>checkbox</type> </field> <field> <fielddescr>Peer Alias</fielddescr> <fieldname>name</fieldname> - <description><![CDATA[Name to identify this peer on squid reverse conf<br> - example: HOST1]]></description> + <description> + <![CDATA[ + Name to identify this peer on Squid reverse proxy configuration.<br/> + Example: HOST1 + ]]> + </description> <type>input</type> <size>20</size> </field> <field> <fielddescr>Peer IP</fielddescr> <fieldname>ip</fieldname> - <description><![CDATA[Ip Address of this peer.<br> - example: 192.168.0.1]]></description> + <description> + <![CDATA[ + IP address of this peer.<br/> + Example: 192.168.0.1 + ]]> + </description> <type>input</type> <size>20</size> </field> <field> <fielddescr>Peer Port</fielddescr> <fieldname>port</fieldname> - <description><![CDATA[Listening port of this peer.<br> - example: 80]]></description> + <description> + <![CDATA[ + Listening port of this peer.<br/> + Example: 80 + ]]> + </description> <type>input</type> <size>20</size> </field> <field> <fielddescr>Peer Protocol</fielddescr> <fieldname>protocol</fieldname> - <description><![CDATA[Protocol listening on this peer port.]]></description> + <description>Select protocol listening on this peer port.</description> <type>select</type> - <options> - <option> <name>HTTP</name> <value>HTTP</value> </option> - <option> <name>HTTPS</name> <value>HTTPS</value> </option> - </options> + <options> + <option><name>HTTP</name> <value>HTTP</value></option> + <option><name>HTTPS</name> <value>HTTPS</value></option> + </options> </field> <field> <fielddescr>Peer 
Description</fielddescr> <fieldname>description</fieldname> - <description><![CDATA[Peer Description (optional)]]></description> + <description>Peer Description (Optional)</description> <type>input</type> <size>60</size> </field> </fields> - <custom_php_command_before_form> - squid_before_form_general($pkg); - </custom_php_command_before_form> <custom_php_validation_command> squid_validate_reverse($_POST, $input_errors); </custom_php_validation_command> diff --git a/config/squid3/34/squid_reverse_redir.xml b/config/squid3/34/squid_reverse_redir.xml index de25f56a..71653899 100755 --- a/config/squid3/34/squid_reverse_redir.xml +++ b/config/squid3/34/squid_reverse_redir.xml 
@@ -3,30 +3,29 @@ <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> <copyright> - <![CDATA[ +<![CDATA[ /* $Id$ */ -/* ============================================================================ */ +/* ====================================================================================== */ /* squid_reverse_redir.xml - part of pfSense (http://www.pfSense.com) + part of pfSense (https://www.pfSense.org/) Copyright (C) 2013 Gekkenhuis + Copyright (C) 2015 ESF, LLC All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ============================================================================ */ +*/ +/* ====================================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -38,16 +37,13 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ============================================================================ */ +*/ +/* ====================================================================================== */ ]]> </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> <name>squidreverseredir</name> - <version>none</version> - <title>Reverse Proxy server: Redirects</title> + <version>0.3.5</version> + <title>Reverse Proxy Server: Redirects</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> @@ -68,7 +64,7 @@ <active/> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> <tab> @@ -82,13 +78,13 @@ <fieldname>enable</fieldname> </columnitem> <columnitem> - <fielddescr>Redirect Name</fielddescr> - <fieldname>name</fieldname> + <fielddescr>Redirect Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect To</fielddescr> + <fieldname>redirurl</fieldname> </columnitem> - <columnitem> - <fielddescr>Redirect to</fielddescr> - <fieldname>redirurl</fieldname> - </columnitem> <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> 
@@ -100,83 +96,88 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable this redirect</fielddescr> + <fielddescr>Enable This Redirect</fielddescr> <fieldname>enable</fieldname> - <description><![CDATA[If this field is checked, then this redirect will be available for reverse config.]]></description> + <description>If checked, then this redirect will be available for reverse config.</description> <type>checkbox</type> </field> <field> - <fielddescr>Redirect name</fielddescr> + <fielddescr>Redirect Name</fielddescr> <fieldname>name</fieldname> - <description><![CDATA[Name to identify this redirect on squid reverse conf<br/> - example: REDIR1]]></description> + <description> + <![CDATA[ + Enter the name to identify this redirect in Squid reverse configuration.<br /> + Example: REDIR1 + ]]> + </description> <type>input</type> <size>20</size> </field> <field> <fielddescr>Redirect Description</fielddescr> <fieldname>description</fieldname> - <description><![CDATA[Redirect Description (optional)]]></description> + <description>Redirect Description (Optional)</description> <type>input</type> <size>60</size> </field> <field> <fielddescr>Redirect Protocol</fielddescr> <fieldname>protocol</fieldname> - <description><![CDATA[Protocol to redirect on.<br/> - Use CTRL + click to select multiple]]></description> + <description> + <![CDATA[ + Select the protocol to redirect on.<br/> + Use CTRL + click to select multiple options. 
+ ]]> + </description> <type>select</type> <multiple/> <size>03</size> - <options> - <option> - <name>HTTP</name> - <value>HTTP</value> - </option> - <option> - <name>HTTPS</name> - <value>HTTPS</value> - </option> - </options> + <options> + <option><name>HTTP</name><value>HTTP</value></option> + <option><name>HTTPS</name><value>HTTPS</value></option> + </options> </field> <field> - <fielddescr>Blocked domains</fielddescr> + <fielddescr>Blocked Domains</fielddescr> <fieldname>none</fieldname> - <description>Domains to redirect for</description> + <description>Domains to redirect for.</description> <type>rowhelper</type> <rowhelper> <rowhelperfield> - <fielddescr><![CDATA[<strong>Domains to match</strong><br/><br/> - Samples: mydomain.com sub.mydomain.com www.mydomain.com<br/><br/> - Do not enter http:// or https:// here! only the hostname is required.]]></fielddescr> - <fieldname>uri</fieldname> - <type>input</type> - <size>60</size> - </rowhelperfield> + <fielddescr> + <![CDATA[ + Enter the domains to match here.<br/> + Example: example.com sub.example.com www.example.com<br/><br/> + Do <strong>NOT</strong> enter http:// or https:// here! Only the hostname is required. + ]]> + </fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>60</size> + </rowhelperfield> </rowhelper> </field> <field> - <fielddescr>Path regex</fielddescr> + <fielddescr>Path Regex</fielddescr> <fieldname>pathregex</fieldname> - <description><![CDATA[Path regex to match<br/><br/>]]> - Enter ^/$ to match the domain only.</description> + <description> + <![CDATA[ + Enter the path regex to match here.<br/> + Hint: Enter ^/$ to match the domain only. 
+ ]]> + </description> <type>input</type> <size>60</size> </field> <field> - <fielddescr>URL to redirect to</fielddescr> + <fielddescr>URL to Redirect To</fielddescr> <fieldname>redirurl</fieldname> - <description><![CDATA[URL to redirect to]]></description> + <description>Enter the URL to redirect to here.</description> <type>input</type> <size>60</size> </field> </fields> - - <custom_php_command_before_form> - </custom_php_command_before_form> - <custom_php_validation_command> - </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml index 0dc816cb..3b929c8e 100755 --- a/config/squid3/34/squid_reverse_sync.xml +++ b/config/squid3/34/squid_reverse_sync.xml 
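Review bot: Removing the empty `<custom_php_validation_command>` at the end of this hunk leaves the redirect form with no validation hook at all, while the general and peer pages call `squid_validate_reverse($_POST, $input_errors);`. The `uri`, `pathregex` and `redirurl` fields are free-text inputs and are presumably written into the Squid configuration by `squid_resync()`, which is not visible here. If so, a malformed regex or an embedded line break could stop Squid from starting or change the generated directives. I would keep the element and wire it to a validator, e.g. `<custom_php_validation_command>squid_validate_reverse($_POST, $input_errors);</custom_php_validation_command>`, provided that function actually checks these fields. If it does not, a dedicated check for hostname, regex and URL syntax is needed.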
@@ -1,49 +1,49 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> <copyright> - <![CDATA[ +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_sync.xml - part of the sarg package for pfSense - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - */ -/* ========================================================================== */ + squid_reverse_sync.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ ]]> </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> <name>squidsync</name> - <version>1.0</version> - <title>Reverse Proxy server: XMLRPC Sync</title> + <version>0.3.5</version> + <title>Reverse Proxy Server: XMLRPC Sync</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> @@ -78,9 +78,9 @@ <type>listtopic</type> </field> <field> - <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fielddescr>Automatically sync Squid configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Select a sync method for squid.</description> + <description>Select a sync method for Squid.</description> <type>select</type> <required/> <default_value>auto</default_value> @@ -91,9 +91,9 @@ </options> </field> <field> - <fielddescr>Sync timeout</fielddescr> + <fielddescr>Sync Timeout</fielddescr> <fieldname>synctimeout</fieldname> - <description>Select sync max wait time</description> + <description>Select sync max wait time.</description> <type>select</type> <required/> <default_value>250</default_value> 
@@ -110,25 +110,23 @@ <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> - <rowhelperfield> - <fielddescr>IP Address</fielddescr> - <fieldname>ipaddress</fieldname> - <description>IP Address of remote server</description> - <type>input</type> - <size>20</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr>Password</fielddescr> - <fieldname>password</fieldname> - <description>Password for remote server.</description> - <type>password</type> - <size>20</size> - </rowhelperfield> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP address of remote server.</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> </rowhelper> </field> </fields> - <custom_php_validation_command> - </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> diff --git a/config/squid3/34/squid_reverse_uri.xml b/config/squid3/34/squid_reverse_uri.xml index 9a6f183f..164d6374 100755 --- a/config/squid3/34/squid_reverse_uri.xml +++ b/config/squid3/34/squid_reverse_uri.xml 
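Review bot: The `ipaddress` rowhelper field in this hunk is a free-text `input`, and with the empty `<custom_php_validation_command>` element deleted rather than filled in, nothing in this file checks the value before `squid_resync()` runs. Each row pairs that address with a stored `password` for the remote server, so a mistyped value presumably decides which host the sync credentials are offered to. I would keep the element and point it at a validator in squid.inc, the way squid_traffic.xml calls `squid_validate_traffic($_POST, $input_errors);`, rejecting rows whose address is not a valid IP. The identical rowhelper in squid_sync.xml (hunk `@@ -126,25 +126,23 @@`) has the same gap. Whether squid.inc already validates these rows elsewhere is not visible from the diff.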
@@ -2,56 +2,52 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_reverse_general.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_reverse_uri.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. 
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidreverseuri</name> - <version>none</version> - <title>Reverse Proxy server: Mappings</title> + <version>0.3.5</version> + <title>Reverse Proxy Server: Mappings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> </tab> <tab> @@ -68,7 +64,7 @@ <url>/pkg.php?xml=squid_reverse_redir.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php?menu=reverse</url> </tab> <tab> 
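Review bot: The rewritten header drops the `Based on m0n0wall (http://m0n0.ch/wall)` and `Copyright (C) 2003-2006 Manuel Kasper` attribution from the old header, while the licence text kept just below still requires source redistributions to retain the above copyright notice. If any of this file does derive from m0n0wall, the notice should stay next to the new `Copyright (C) 2015 ESF, LLC` line. If the old header was only copied boilerplate, the commit message should say so, so that the removal can be audited. The same removal appears in the header hunks of squid_traffic.xml (which also loses `Copyright (C) 2007 to whom it may belong`) and squid_upstream.xml.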
@@ -92,68 +88,77 @@ <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> - </columnitem> + </columnitem> </adddeleteeditpagefields> <fields> - <field> + <field> <name>Squid Reverse Peer Mappings</name> <type>listtopic</type> </field> - <field> - <fielddescr>Enable this URI</fielddescr> + <field> + <fielddescr>Enable This URI</fielddescr> <fieldname>enable</fieldname> - <description><![CDATA[If this field is checked, then this URI(Uniform Resource Name) will be available for reverse config.]]></description> + <description>If checked, then this URI (Uniform Resource Name) will be available for reverse proxy config.</description> <type>checkbox</type> </field> <field> - <fielddescr>Group name</fielddescr> + <fielddescr>Group Name</fielddescr> <fieldname>name</fieldname> - <description><![CDATA[Name to identify this URI on squid reverse conf<br> - example: URI1]]></description> + <description> + <![CDATA[ + Name to identify this URI on Squid reverse proxy configuration.<br/> + Example: URI1 + ]]> + </description> <type>input</type> <size>20</size> </field> <field> <fielddescr>Group Description</fielddescr> <fieldname>description</fieldname> - <description><![CDATA[URI Group Description (optional)]]></description> + <description>URI Group Description (Optional)</description> <type>input</type> <size>60</size> </field> <field> <fielddescr>Peers</fielddescr> <fieldname>peers</fieldname> - <description><![CDATA[Apply this Group Mappings to selected Peers<br> - Use CTRL + click to select.]]></description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['squidreversepeer']['config']]]></source> + <description> + <![CDATA[ + Apply these group mappings to the selected peers.<br/> + Use CTRL + click to select multiple peers. 
+ ]]> + </description> + <type>select_source</type> + <source>$config['installedpackages']['squidreversepeer']['config']</source> <source_name>name</source_name> <source_value>name</source_value> <multiple/> <size>05</size> </field> - <field> - <fielddescr><![CDATA[URIs]]></fielddescr> + <field> + <fielddescr>URIs</fielddescr> <fieldname>none</fieldname> - <description><![CDATA[URI to publish]]></description> + <description>URI to publish.</description> <type>rowhelper</type> <rowhelper> <rowhelperfield> - <fielddescr><![CDATA[<strong>Url regex to match</strong><br><br> - Samples: .mydomain.com .mydomain.com/test<br> - www.mydomain.com http://www.mydomain.com/ ^http://www.mydomain.com/.*$]]></fielddescr> - <fieldname>uri</fieldname> - <type>input</type> - <size>70</size> - </rowhelperfield> + <fielddescr> + <![CDATA[ + Enter URL <strong>regex</strong> to match.<br/><br/> + Examples:<br/> + .mydomain.com .mydomain.com/test<br/> + www.mydomain.com http://www.mydomain.com/ ^http://www.mydomain.com/.*$ + ]]> + </fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>70</size> + </rowhelperfield> </rowhelper> - </field> + </field> </fields> - <custom_php_command_before_form> - </custom_php_command_before_form> - <custom_php_validation_command> - </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml index 7e632eab..29585dd8 100755 --- a/config/squid3/34/squid_sync.xml +++ b/config/squid3/34/squid_sync.xml 
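Review bot: The new help text for the `uri` field calls the value a regex but keeps examples such as `.mydomain.com` and `^http://www.mydomain.com/.*$`, where every `.` is unescaped and matches any character, and the first example is not anchored. For a reverse-proxy mapping, such a pattern can match more hosts than the administrator intended. The text should say so and show an escaped, anchored form, for instance `^https?://www\.example\.com/.*$`. The redirect page's help text earlier in this commit was switched to `example.com`; using the reserved name here too would keep the pages consistent. Separately, the `enable` description expands URI as `Uniform Resource Name`; it should read `Uniform Resource Identifier`.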
@@ -1,48 +1,48 @@ <?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> <copyright> - <![CDATA[ +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_sync.xml - part of the sarg package for pfSense - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - */ -/* ========================================================================== */ + squid_sync.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ====================================================================================== */ ]]> </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> <name>squidsync</name> - <version>1.0</version> + <version>0.3.5</version> <title>Proxy server: XMLRPC Sync</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> 
@@ -79,7 +79,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> @@ -94,9 +94,9 @@ <type>listtopic</type> </field> <field> - <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fielddescr>Automatically sync Squid configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Select a sync method for squid.</description> + <description>Select a sync method for Squid.</description> <type>select</type> <required/> <default_value>auto</default_value> @@ -107,9 +107,9 @@ </options> </field> <field> - <fielddescr>Sync timeout</fielddescr> + <fielddescr>Sync Timeout</fielddescr> <fieldname>synctimeout</fieldname> - <description>Select sync max wait time</description> + <description>Select sync max wait time.</description> <type>select</type> <required/> <default_value>250</default_value> 
@@ -126,25 +126,23 @@ <fieldname>none</fieldname> <type>rowhelper</type> <rowhelper> - <rowhelperfield> - <fielddescr>IP Address</fielddescr> - <fieldname>ipaddress</fieldname> - <description>IP Address of remote server</description> - <type>input</type> - <size>20</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr>Password</fielddescr> - <fieldname>password</fieldname> - <description>Password for remote server.</description> - <type>password</type> - <size>20</size> - </rowhelperfield> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP address of remote server.</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> </rowhelper> </field> </fields> - <custom_php_validation_command> - </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> diff --git a/config/squid3/34/squid_traffic.xml b/config/squid3/34/squid_traffic.xml index 3439d598..135ef9ad 100755 --- a/config/squid3/34/squid_traffic.xml +++ b/config/squid3/34/squid_traffic.xml 
@@ -2,57 +2,52 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_traffic.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidtraffic</name> - <version>none</version> - <title>Proxy server: Traffic management</title> + <version>0.3.5</version> + <title>Proxy server: Traffic Management</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> @@ -85,7 +80,7 @@ <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> 
@@ -99,36 +94,57 @@ <type>listtopic</type> </field> <field> - <fielddescr>Maximum download size</fielddescr> + <fielddescr>Maximum Download Size</fielddescr> <fieldname>max_download_size</fieldname> - <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <description> + <![CDATA[ + Limit the maximum total download size to the size specified here (in kilobytes).<br/> + Set to 0 to disable. + ]]> + </description> <type>input</type> - <size>10</size> + <size>10</size> <required/> <default_value>0</default_value> </field> <field> - <fielddescr>Maximum upload size</fielddescr> + <fielddescr>Maximum Upload Size</fielddescr> <fieldname>max_upload_size</fieldname> - <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description> + <description> + <![CDATA[ + Limit the maximum total upload size to the size specified here (in kilobytes).<br/> + Set to 0 to disable. + ]]> + </description> <type>input</type> <size>10</size> <required/> <default_value>0</default_value> </field> <field> - <fielddescr>Overall bandwidth throttling</fielddescr> + <fielddescr>Overall Bandwidth Throttling</fielddescr> <fieldname>overall_throttling</fieldname> - <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description> + <description> + <![CDATA[ + This value specifies the bandwidth throttle for downloads (in kilobytes per second).<br/> + Users will gradually have their download speed decreased according to this value.<br/> + Set to 0 to disable. 
+ ]]> + </description> <type>input</type> <size>10</size> <required/> <default_value>0</default_value> </field> <field> - <fielddescr>Per-host throttling</fielddescr> + <fielddescr>Per-Host Throttling</fielddescr> <fieldname>perhost_throttling</fieldname> - <description>This value specifies the download throttling per host. Set to 0 to disable this.</description> + <description> + <![CDATA[ + This value specifies the download throttling per host.<br/> + Set to 0 to disable. + ]]> + </description> <type>input</type> <size>10</size> <required/> @@ -139,7 +155,7 @@ <type>listtopic</type> </field> <field> - <fielddescr>Throttle only specific extensions</fielddescr> + <fielddescr>Throttle Only Specific Extensions</fielddescr> <fieldname>throttle_specific</fieldname> <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description> <type>checkbox</type> 
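Review bot: The rewritten `perhost_throttling` description still gives no unit, unlike the three fields above it, which state kilobytes or kilobytes per second. An administrator cannot tell whether the value is read as bytes, kilobytes or kilobits per second. If it uses the same unit as `overall_throttling` (to be confirmed against squid.inc), the first line should read `This value specifies the download throttling per host (in kilobytes per second).` The `overall_throttling` text in this hunk also changes "increased" to "decreased"; it is worth confirming that the new wording matches what the throttle actually does.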
@@ -147,25 +163,25 @@ <default_value>on</default_value> </field> <field> - <fielddescr>Throttle binary files</fielddescr> + <fielddescr>Throttle Binary Files</fielddescr> <fieldname>throttle_binaries</fieldname> <description>Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables.</description> <type>checkbox</type> </field> <field> - <fielddescr>Throttle CD images</fielddescr> + <fielddescr>Throttle CD/DVD Image Files</fielddescr> <fieldname>throttle_cdimages</fieldname> - <description>Check this to apply bandwidth throttle to CD image files.</description> + <description>Check this to apply bandwidth throttle to CD/DVD image files.</description> <type>checkbox</type> </field> <field> - <fielddescr>Throttle multimedia files</fielddescr> + <fielddescr>Throttle Multimedia Files</fielddescr> <fieldname>throttle_multimedia</fieldname> <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description> <type>checkbox</type> </field> <field> - <fielddescr>Throttle other extensions</fielddescr> + <fielddescr>Throttle Other Extensions</fielddescr> <fieldname>throttle_others</fieldname> <description>Comma-separated list of extensions to apply bandwidth throttle to.</description> <type>input</type> 
@@ -176,9 +192,22 @@ <type>listtopic</type> </field> <field> + <field> + <type>info</type> + <description> + <![CDATA[ + The cache by default continues downloading aborted requests which are almost completed.<br/> + This may be undesirable on slow links and/or very busy caches. Impatient users may tie up file descriptors and + bandwidth by repeatedly requesting and immediately aborting downloads.<br/> + When the user aborts a request, Squid will compare the below values to the amount of data transferred so far.<br/><br/> + If you do not want any retrieval to continue after the client has aborted, set both values below to 0.<br/> + If you want retrievals to always continue if they are being cached, set 'Finish transfer if less than x KB remaining' to -1. + ]]> + </description> + </field> <fielddescr>Finish transfer if less than x KB remaining</fielddescr> <fieldname>quick_abort_min</fieldname> - <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description> + <description>If the transfer has less than x KB remaining, it will finish the retrieval.</description> <type>input</type> <size>10</size> <default_value>0</default_value> @@ -186,7 +215,7 @@ <field> <fielddescr>Abort transfer if more than x KB remaining</fielddescr> <fieldname>quick_abort_max</fieldname> - <description>If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately.</description> + <description>If the transfer has more than x KB remaining, it will abort the retrieval.</description> <type>input</type> <default_value>0</default_value> </field> @@ -197,7 +226,7 @@ <type>input</type> <size>10</size> <default_value>0</default_value> - </field> + </field> </fields> <custom_php_validation_command> squid_validate_traffic($_POST, $input_errors); diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml index b8696750..14e23216 100755 
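Review bot: The added `info` block is inserted after the opening `<field>` of the `quick_abort_min` entry, so the new side reads `<field> <field> <type>info</type> … </field> <fielddescr>Finish transfer if less than x KB remaining</fielddescr>` and one `<field>` is nested inside another. The outer field then carries a child `<field>` as well as its own `<type>input</type>`. How the package GUI handles that is not visible here, so the explanatory text may not render at all. Move the whole `<field><type>info</type>…</field>` block so it closes before the `<field>` that holds `quick_abort_min`. The new text also tells the user to enter -1 for that field, so `squid_validate_traffic()` has to accept a negative value there; its body is not part of this diff.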
--- a/config/squid3/34/squid_upstream.xml +++ b/config/squid3/34/squid_upstream.xml 
@@ -2,56 +2,51 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - squid_upstream.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_upstream.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - 2. 
Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidremote</name> - <version>none</version> - <title>Proxy server: Remote proxy settings</title> + <version>0.3.5</version> + <title>Proxy Server: Remote Proxy Settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> -<tab> + <tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> @@ -99,7 +94,7 @@ <fieldname>enable</fieldname> </columnitem> <columnitem> - <fielddescr>name</fielddescr> + <fielddescr>Name</fielddescr> <fieldname>proxyaddr</fieldname> </columnitem> <columnitem> @@ -109,17 +104,16 @@ <columnitem> <fielddescr>ICP</fielddescr> <fieldname>icpport</fieldname> - </columnitem> + </columnitem> <columnitem> - <fielddescr>Peer type</fielddescr> + <fielddescr>Peer Type</fielddescr> <fieldname>hierarchy</fieldname> </columnitem> <columnitem> <fielddescr>Method</fielddescr> <fieldname>peermethod</fieldname> - </columnitem> + </columnitem> </adddeleteeditpagefields> - <fields> <field> <name>General Settings</name> @@ -135,7 +129,7 @@ <field> <fielddescr>Hostname</fielddescr> <fieldname>proxyaddr</fieldname> - <description>Enter here the IP address or host name of the upstream proxy.</description> + <description>Enter the IP address or host name of the upstream proxy here.</description> <type>input</type> <size>35</size> <required/> 
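Review bot: The rewritten header drops the 'Copyright (C) 2007 to whom it may belong' line and the 'Based on m0n0wall … Copyright (C) 2003-2006 Manuel Kasper' attribution, while the licence text kept directly below requires source redistributions to retain the copyright notice. The same removal is made in the squid_users.xml header later in this commit. Unless it has been established that neither file derives from that code, the earlier notices should stay, with the new `Copyright (C) 2015 ESF, LLC` line added beneath them.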
@@ -143,48 +137,78 @@ <field> <fielddescr>Name</fielddescr> <fieldname>proxyname</fieldname> - <description>Unique name for the peer.Required if you have multiple peers on the same host but different ports.</description> + <description> + <![CDATA[ + Unique name for the peer.<br/> + <strong>Note: Name is required if you have multiple peers on the same host but different ports.</strong> + ]]> + </description> <type>input</type> <size>35</size> <required/> </field> <field> - <fielddescr>TCP port</fielddescr> + <fielddescr>TCP Port</fielddescr> <fieldname>proxyport</fieldname> - <description>Enter the port to use to connect to the upstream proxy.</description> + <description>Enter the port to use to connect to the upstream proxy here.</description> <type>input</type> <size>5</size> <default_value>3128</default_value> <required/> </field> + <!-- The commented-out options are not used anywhere in the code --> + <!-- <field> <fielddescr>Timeout</fielddescr> <fieldname>connecttimeout</fieldname> - <description>A peer-specific connect timeout. Also see the peer_connect_timeout directive.</description> + <description> + <![CDATA[ + A peer-specific connect timeout. This parameter specifies how long to wait for a pending TCP connection to a peer cache.<br/> + Also see <a href="http://www.squid-cache.org/Doc/config/peer_connect_timeout/">peer_connect_timeout directive</a>. + ]]> + </description> <type>input</type> <size>5</size> </field> <field> <fielddescr>Fail Limit</fielddescr> - <fieldname>connectfailLimit</fieldname> - <description>How many times connecting to a peer must fail before it is marked as down. 
Default is 10.</description> + <fieldname>connectfaillimit</fieldname> + <description> + <![CDATA[ + How many times connecting to a peer must fail before it is marked as down.<br/> + Default: 10 + ]]> + </description> <type>input</type> <size>5</size> <default_value>10</default_value> </field> <field> - <fielddescr>Max</fielddescr> + <fielddescr>Max Connections</fielddescr> <fieldname>maxconn</fieldname> - <description>Limit the amount of connections Squid may open to this peer.</description> + <description> + <![CDATA[ + Limit the amount of connections Squid may open to this peer.<br/> + Peer exceeding the limit is not used for new requests unless a standby connection is available.<br/> + <strong>Warning: This feature currently works poorly with idle persistent connections.</strong><br/> + See <a href="http://www.squid-cache.org/Doc/config/cache_peer/">cache_peer directive documentation</a> for details. + ]]> + </description> <type>input</type> <size>5</size> </field> + --> <field> - <fielddescr>Allow Miss</fielddescr> + <fielddescr>General Options (Allow Miss/No Tproxy/Proxy Only)</fielddescr> <fieldname>allowmiss</fieldname> - <description><![CDATA[<strong>allow-miss</strong> - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.<br><br> - <strong>no-tproxy</strong> - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.<br><br> - <strong>proxy-only</strong> - Objects fetched from the peer will not be stored locally.]]></description> + <description> + <![CDATA[ + <strong>allow-miss</strong> - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.<br/> + <strong>no-tproxy</strong> - Do not use the client-spoof TPROXY support when forwarding requests to this peer. 
Use normal address selection instead.<br/> + <strong>proxy-only</strong> - Objects fetched from the peer will not be stored locally.<br/><br/> + Note: Use CTRL + click to select multiple options. + ]]> + </description> <type>select</type> <default_value>allow-miss</default_value> <options> @@ -196,10 +220,18 @@ <size>4</size> </field> <field> - <name>Peer settings</name> + <name>Peer Settings</name> <type>listtopic</type> </field> <field> + <type>info</type> + <description> + <![CDATA[ + Please, see <a href="http://www.squid-cache.org/Doc/config/cache_peer/">cache_peer directive documentation</a> for detailed description of the settings below.<br/> + ]]> + </description> + </field> + <field> <fielddescr>Hierarchy</fielddescr> <fieldname>hierarchy</fieldname> <description>Specify remote caches hierarchy.</description> 
@@ -212,20 +244,21 @@ </options> </field> <field> - <fielddescr>Select method</fielddescr> + <fielddescr>Select Method</fielddescr> <fieldname>peermethod</fieldname> - <description><![CDATA[The default peer selection method is ICP, with the first responding peer being used as source. These options can be used for better load balancing.<br><br> - <strong>default</strong> - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.<br> - If specified more than once, only the first is used.<br><br> - <strong>round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.<br>weight=N can be used to add bias.<br><br> - <strong>weighted-round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.<br> - Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.<br><br> - <strong>carp</strong> - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.<br><br> - <strong>userhash</strong> - Load-balance parents based on the client proxy_auth or ident username.<br><br> - <strong>sourcehash</strong> - Load-balance parents based on the client source IP.<br><br> - <strong>multicast-siblings</strong> - To be used only for cache peers of type "multicast".<br> - ALL members of this multicast group have "sibling" relationship with it, not "parent". 
This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.<br> - It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]></description> + <description> + <![CDATA[ + The default peer selection method is ICP, with the first responding peer being used as source. These options can be used for better load balancing.<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_peer/">cache_peer directive documentation</a> for details.<br/><br/> + <strong>default</strong> - Parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.<br/> + <strong>round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.<br/> + <strong>weighted-round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.<br/> + <strong>carp</strong> - Load-Balance parents which should be used as a CARP array.<br/> + <strong>userhash</strong> -Load-Balance parents based on the client proxy_auth or ident username.<br/> + <strong>sourcehash</strong> - Load-balance parents based on the client source IP.<br/> + <strong>multicast-siblings</strong> - To be used only for cache peers of type "multicast".<br/> + ]]> + </description> <type>select</type> <default_value>round-robin</default_value> <options> 
@@ -239,45 +272,68 @@ </options> </field> <field> - <fielddescr>weight</fielddescr> + <fielddescr>Weight</fielddescr> <fieldname>weight</fieldname> - <description>Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more.</description> + <description> + <![CDATA[ + Use to affect the selection of a peer during any weighted peer-selection mechanisms.<br/> + <strong>Note: The weight must be an integer; larger weights are favored more.</strong><br/><br/> + Default: 1 + ]]> + </description> <type>input</type> <size>5</size> <default>1</default> </field> <field> - <fielddescr>basetime</fielddescr> + <fielddescr>Basetime</fielddescr> <fieldname>basetime</fieldname> - <description><![CDATA[Specify a base amount to be subtracted from round trip times of parents.<br> - It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]></description> + <description> + <![CDATA[ + Specify a base amount to be subtracted from round trip times of parents.<br/> + It is subtracted before division by weight in calculating which parent to fetch from. If the RTT is less than the base time, the RTT is set to a minimal value. + ]]> + </description> <type>input</type> <size>5</size> <default>1</default> </field> <field> - <fielddescr>ttl</fielddescr> + <fielddescr>TTL</fielddescr> <fieldname>ttl</fieldname> - <description><![CDATA[Specify a TTL to use when sending multicast ICP queries to this address<br> - Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]></description> + <description> + <![CDATA[ + Specify a TTL to use when sending multicast ICP queries to this address. 
Only useful when sending to a multicast group.<br/> + Note: Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option. + ]]> + </description> <type>input</type> <size>5</size> <default>1</default> </field> <field> - <fielddescr>no-delay</fielddescr> + <fielddescr>No Delay</fielddescr> <fieldname>nodelay</fieldname> - <description><![CDATA[To prevent access to this neighbor from influencing the delay pools.]]></description> + <description> + <![CDATA[ + Use to prevent access to this neighbor from influencing the delay pools. + ]]> + </description> <type>checkbox</type> </field> <field> - <name>ICP settings</name> + <name>ICP Settings</name> <type>listtopic</type> </field> <field> - <fielddescr>ICP port</fielddescr> + <fielddescr>ICP Port</fielddescr> <fieldname>icpport</fieldname> - <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description> + <description> + <![CDATA[ + Enter the port to connect to the upstream proxy for the ICP protocol.<br/> + <strong>Hint: Use port number 7 to disable ICP communication between the proxies.</strong> + ]]> + </description> <type>input</type> <size>5</size> <default_value>7</default_value> 
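Review bot: The new Weight description advertises 'Default: 1', but the Weight, Basetime and TTL fields in this hunk keep `<default>1</default>` in their context lines, while the other fields visible in this diff set defaults with `<default_value>` (for example `<default_value>3128</default_value>` on the TCP port). If the package GUI only reads `default_value`, which seems likely but is not shown here, these three inputs start empty and the documented default is never applied. Using `<default_value>1</default_value>` on all three would make them consistent with the rest of the file.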
@@ -285,14 +341,16 @@ <field> <fielddescr>ICP Options</fielddescr> <fieldname>icpoptions</fieldname> - <description><![CDATA[You MUST also set icp_port and icp_access explicitly when using these options.<br> - The defaults will prevent peer traffic using ICP<br><br> - <strong>no-query</strong> - Disable ICP queries to this neighbor.<br><br> - <strong>multicast-responder</strong> -Indicates the named peer is a member of a multicast group.<br> - ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.<br><br> - <strong>closest-only</strong> - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.<br><br> - <strong>background-ping</strong> - To only send ICP queries to this neighbor infrequently.<br> - This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]></description> + <description> + <![CDATA[ + <strong>Note: You MUST also set 'ICP Port' explicitly when using these options.</strong> The defaults will prevent peer traffic using ICP.<br/> + Please see <a href="http://www.squid-cache.org/Doc/config/cache_peer/">cache_peer directive documentation</a> for details.<br/><br/> + <strong>no-query</strong> - Disable ICP queries to this neighbor.<br/> + <strong>multicast-responder</strong> - Indicates the named peer is a member of a multicast group.<br/> + <strong>closest-only</strong> - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.<br/> + <strong>background-ping</strong> - To only send ICP queries to this neighbor infrequently.<br/> + ]]> + </description> <type>select</type> <default_value>no-query</default_value> <options> @@ -303,7 +361,7 @@ </options> </field> <field> - <name>Auth settings</name> + <name>Auth Settings</name> <type>listtopic</type> </field> <field> 
@@ -319,25 +377,21 @@ <type>password</type> </field> <field> - <fielddescr>Authentication options</fielddescr> + <fielddescr>Authentication Options</fielddescr> <fieldname>authoption</fieldname> - <description><![CDATA[<br><strong>login=user:password</strong> - If this is a personal/workgroup proxy and your parent requires proxy authentication.<br><br> - <strong>login=PASSTHRU</strong> - Send login details received from client to this peer. Authentication is not required by Squid for this to work.<br> - This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.<br><br> - <strong>login=PASS</strong> - Send login details received from client to this peer.Authentication is not required by this option.<br> - To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).<br> - Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION<br><br> - <strong>login=*:password</strong> - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.<br><br> - <strong>login=NEGOTIATE</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> - The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.<br> - WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> - <strong>login=NEGOTIATE:principal_name</strong>If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> - The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. 
- WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> - <strong>connection-auth=on</strong> - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> - Default is auto to automatically determine the status of the peer.<br><br> - <strong>connection-auth=off</strong> - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> - Default is auto to automatically determine the status of the peer.]]></description> + <description> + <![CDATA[ + Please see <a href="http://www.squid-cache.org/Doc/config/cache_peer/">cache_peer directive documentation</a> for details.<br/><br/> + <strong>login=user:password</strong> - If this is a personal/workgroup proxy and your parent requires proxy authentication.<br/> + <strong>login=PASSTHRU</strong> - Send login details received from client to this peer. Authentication is not required by Squid for this to work.<br/> + <strong>login=PASS</strong> - Send login details received from client to this peer. 
Authentication is not required by this option.<br/> + <strong>login=*:password</strong> - Send the username to the upstream cache, but with a fixed password.<br/> + <strong>login=NEGOTIATE</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> + <strong>login=NEGOTIATE:principal_name</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br/> + <strong>connection-auth=on</strong> - Peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br/> + <strong>connection-auth=off</strong> - Peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br/> + ]]> + </description> <type>select</type> <default_value>login=*:password</default_value> <options> diff --git a/config/squid3/34/squid_users.xml b/config/squid3/34/squid_users.xml index 835cf07b..f67db48e 100755 --- a/config/squid3/34/squid_users.xml +++ b/config/squid3/34/squid_users.xml 
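Review bot: The shortened `login=PASS` entry no longer carries the removed caveat that this option exposes the users' proxy password to the peer, and the two `login=NEGOTIATE` entries lose the warning that one peer connection may carry requests from several clients. An administrator picks from this list in the GUI and a link to external documentation is easy to skip, so a one-line caveat is worth keeping on the `login=PASS` line, e.g. `<strong>Warning: this exposes your users' proxy passwords to the peer.</strong>`. The `connection-auth=on` text still ends with 'any such challenges received from there should be ignored', which looks contradictory for a peer that does support it and should be checked against the Squid documentation. The `login=NEGOTIATE` line also ends in `<br>` where the rest of the block uses `<br/>`.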
@@ -2,58 +2,53 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> +<![CDATA[ /* $Id$ */ -/* ========================================================================== */ +/* ====================================================================================== */ /* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - Copyright (C) 2012-2014 Marcello Coutinho - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + squid_users.xml + part of pfSense (https://www.pfSense.org/) + Copyright (C) 2012-2014 Marcello Coutinho + Copyright (C) 2015 ESF, LLC + All rights reserved. +*/ +/* ====================================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. 
Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+*/ +/* ====================================================================================== */ + ]]> + </copyright> <name>squidusers</name> - <version>none</version> + <version>0.3.5</version> <title>Proxy server: Local users</title> <include_file>/usr/local/pkg/squid.inc</include_file> <delete_string>A proxy server user has been deleted.</delete_string> <addedit_string>A proxy server user has been created/modified.</addedit_string> <tabs> -<tab> + <tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> @@ -87,7 +82,7 @@ <active/> </tab> <tab> - <text>Real time</text> + <text>Real Time</text> <url>/squid_monitor.php</url> </tab> <tab> diff --git a/config/squid3/34/swapstate_check.php b/config/squid3/34/swapstate_check.php index 7a7ccd27..8b4c46bb 100644 --- a/config/squid3/34/swapstate_check.php +++ b/config/squid3/34/swapstate_check.php @@ -2,7 +2,9 @@ <?php /* swapstate_check.php + part of pfSense (https://www.pfSense.org/) Copyright (C) 2011 Jim Pingle + Copyright (C) 2015 ESF, LLC All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -29,26 +31,44 @@ require_once('config.inc'); require_once('util.inc'); require_once('squid.inc'); +global $config; - $settings = $config['installedpackages']['squidcache']['config'][0]; +$settings = $config['installedpackages']['squidcache']['config'][0]; // Only check the cache if Squid is actually caching. // If there is no cache then quietly do nothing. -if ($settings['harddisk_cache_system'] != "null"){ - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); +if (isset($settings['harddisk_cache_system']) && $settings['harddisk_cache_system'] != "null") { + $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $swapstate = $cachedir . '/swap.state'; - if (!file_exists($swapstate)) + if (!file_exists($swapstate)) { return; + } $disktotal = disk_total_space(dirname($cachedir)); $diskfree = disk_free_space(dirname($cachedir)); $diskusedpct = round((($disktotal - $diskfree) / $disktotal) * 100); $swapstate_size = filesize($swapstate); $swapstate_pct = round(($swapstate_size / $disktotal) * 100); - // If the swap.state file is taking up more than 75% disk space, - // or the drive is 90% full and swap.state is larger than 1GB, - // kill it and initiate a rotate to write a fresh copy. - if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024)) || $argv[1]=="clean") { + // If the swap.state file is taking up more than 75% of disk space, + // or the drive is 90% full and swap.state is larger than 1GB, + // kill it and initiate a rotate to write a fresh copy. + $rotate_reason = ""; + if ($swapstate_pct > 75) { + $rotate_reason .= "$cachedir/swap.state file is taking up more than 75% of disk space. "; + } + if ($diskusedpct > 90) { + $rotate_reason .= "$cachedir filesystem is $diskusedpct pct full. "; + } + if ($swapstate_size > 1024*1024*1024) { + $rotate_reason .= "$cachedir/swap.state is larger than 1GB. 
"; + } + if ($settings['clear_cache'] == 'on') { + $rotate_reason .= "'Clear Cache on Log Rotate' is enabled in 'Local Cache' settings. "; + } + if ($argv[1] == "clean") { + $rotate_reason .= "Clear cache forced by cronjob. "; + } + if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024)) || $argv[1] == "clean") { squid_dash_z('clean'); - log_error(gettext(sprintf("Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); + log_error(gettext(sprintf("$rotate_reason Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); } } ?> diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 274acc7e..500cfebc 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -1025,7 +1025,7 @@ <descr>High performance web proxy cache.</descr> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>4.3.9</version> + <version>4.3.10</version> <status>Stable</status> <required_version>2.2</required_version> <maintainer>fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> @@ -1052,7 +1052,7 @@ <pkginfolink>https://forum.pfsense.org/index.php/topic,48347.0.html</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>0.3.4</version> + <version>0.3.5</version> <status>beta</status> <required_version>2.2</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> diff --git a/pkg_config.8.xml b/pkg_config.8.xml index 018795bb..fa8ab622 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml 
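Review bot: `$rotate_reason` is interpolated into the sprintf() format string, and when `$swapstate_pct > 75` it contains the text '75% of disk space', so `% o` is parsed as a conversion and the call has more conversions than arguments. Depending on the PHP version this gives a warning and a false return (an empty log entry) or an exception, in exactly the case the message is meant to report; `$cachedir`, which comes from the package settings, reaches the format string the same way. Passing the reason as an argument avoids both: `log_error(sprintf(gettext("%s Removing and rotating. File was %d bytes, %d%% of total disk space."), $rotate_reason, $swapstate_size, $swapstate_pct));`. Separately, the 'Clear Cache on Log Rotate' reason is appended although the `if` that decides the rotation never tests `clear_cache`, and the 90% and 1GB reasons are each appended alone although the condition needs both, so the logged reason can name something that did not trigger the rotation.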
@@ -1110,7 +1110,7 @@ <descr>High performance web proxy cache.</descr> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>2.7.9 pkg v.4.3.9</version> + <version>2.7.9 pkg v.4.3.10</version> <status>Stable</status> <required_version>2</required_version> <maintainer>fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 523c24b2..a2341c51 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -1097,7 +1097,7 @@ <descr>High performance web proxy cache.</descr> <website>http://www.squid-cache.org/</website> <category>Network</category> - <version>2.7.9 pkg v.4.3.9</version> + <version>2.7.9 pkg v.4.3.10</version> <status>Stable</status> <required_version>2</required_version> <maintainer>fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> |