-rwxr-xr-x | config/squid3/34/squid.inc | 156 | ||||
-rw-r--r-- | config/squid3/34/squid.xml | 78 | ||||
-rw-r--r-- | config/squid3/34/squid_antivirus.inc | 6 | ||||
-rwxr-xr-x | config/squid3/34/squid_auth.xml | 3 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse.inc | 205 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse_general.xml | 84 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse_peer.xml | 11 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse_redir.xml | 7 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse_sync.xml | 7 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse_uri.xml | 6 | ||||
-rwxr-xr-x | config/squid3/34/squid_sync.xml | 7 | ||||
-rwxr-xr-x | config/squid3/34/squid_upstream.xml | 3 | ||||
-rw-r--r-- | pkg_config.10.xml | 2 |
13 files changed, 416 insertions, 159 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index aab4d134..952d50d8 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -66,7 +66,7 @@ define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid'); define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf'); define('SQUID_ACLDIR', '/var/squid/acl'); define('SQUID_PASSWD', '/var/etc/squid.passwd'); -define('SQUID_SSL_DB','/var/squid/lib/ssl_db'); +define('SQUID_SSL_DB', '/var/squid/lib/ssl_db'); $valid_acls = array(); @@ -148,15 +148,11 @@ function squid_enabled() { // check whether Squid is enabled ... if ($config['installedpackages']['squid']['config'][0]['enable_squid'] == "on") { // ... and has at least one interface configured ... - if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { + if (!empty($config['installedpackages']['squid']['config'][0]['active_interface'])) { + $proxy_enabled = true; + // ... or whether Squid reverse proxy is enabled + } elseif (squid_reverse_enabled()) { $proxy_enabled = true; - } else { - // ... or has at least one reverse interface configured - if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { - $proxy_enabled = true; - } - } } } } 
@@ -724,16 +720,27 @@ function squid_validate_general($post, &$input_errors) { // force users to configure cache if (!is_array($config['installedpackages']['squidcache']['config'])) { - $input_errors[] = 'Please, configure and save \'Local Cache\' settings first.'; + $input_errors[] = "Please, configure and save 'Local Cache' settings first."; } - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $port = $post['proxy_port'] ? $post['proxy_port'] : $port; + // force users to select at least one proxy or reverse proxy interface when enabling Squid + if ($post['enable_squid'] == "on") { + // if reverse proxy is configured, perhaps the user wants to use the reverse proxy features only + if (!squid_reverse_enabled()) { + if (empty($post['active_interface'])) { + $input_errors[] = "You must select at least one interface under 'Proxy Interface(s)' to enable Squid proxy."; + $input_errors[] = "If you intend to use Squid as reverse proxy ONLY, then visit Services: Squid Proxy Server: General, configure and save the reverse proxy settings first."; + } + } else { + log_error("[squid] Enabled as reverse proxy ONLY. If this is not what you intended, visit Services: Squid Proxy Server: General and configure proxy interfaces."); + } + } $icp_port = trim($post['icp_port']); if (!empty($icp_port) && !is_port($icp_port)) { - $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field.'; + $input_errors[] = "You must enter a valid port number in the 'ICP port' field."; } + unset($icp_port); if (substr($post['log_dir'], -1, 1) == '/') { $input_errors[] = 'Log location must not end with a / character.'; 
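Review bot: The `else` branch that calls log_error() in the new `enable_squid` check of squid_validate_general() runs whenever squid_reverse_enabled() is true, so "Enabled as reverse proxy ONLY" is logged on every save even when the user has selected proxy interfaces. Only the no-interface case is actually reverse-only; change the branch to `} elseif (empty($post['active_interface'])) {` so the logged message matches the condition it describes. Note that squid_reverse_enabled() reads the saved `$config` rather than `$post`, which is acceptable here because the reverse settings are submitted from a different page. squid_validate_general() begins before this hunk.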
@@ -748,26 +755,63 @@ function squid_validate_general($post, &$input_errors) { } $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) { $input_errors[] = "You must enter a valid number of days in the 'Log rotate' field."; } + unset($log_rotate); + // check that the proxy port does not clash with WebGUI + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? $post['proxy_port'] : $port; $webgui_port = $config['system']['webgui']['port']; - if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { $webgui_port = 80; } if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { $webgui_port = 443; } - if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { $input_errors[] = "You can not run Squid on the same port as the pfSense WebGUI"; } + unset($port, $webgui_port); + + if ($post['transparent_proxy'] == 'on') { + if (empty($post['transparent_active_interface'])) { + $input_errors[] = "You must select at least one interface under 'Transparent Proxy Interface(s)' when 'Transparent HTTP Proxy' is enabled."; + } else { + // allow transparent proxy only on interfaces where Squid is actually running to keep configuration sane + $a_ifaces = $post['active_interface'] ?: array(); + $t_ifaces = $post['transparent_active_interface']; + foreach ($t_ifaces as $t_iface) { + if (!in_array($t_iface, $a_ifaces)) { + $err_iface = convert_friendly_interface_to_friendly_descr($t_iface); + $input_errors[] = "'Transparent Proxy Interface(s)' may only contain interfaces also selected in 'Proxy Interface(s)' above. 
'{$err_iface}' is not valid."; + unset($err_iface); + } + } + unset($a_ifaces, $t_iface, $t_ifaces); + } + } - if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) { - $input_errors[] = "SSL interception cannot be enabled without a CA."; + if ($post['ssl_proxy'] == 'on') { + if ($post['dca'] == 'none') { + $input_errors[] = "SSL interception cannot be enabled without a CA."; + } + if (empty($post['ssl_active_interface'])) { + $input_errors[] = "You must select at least one interface under 'SSL Intercept Interface(s)' when 'HTTPS/SSL Interception' is enabled."; + } else { + // allow HTTPS/SSL Interception only on interfaces where Squid is actually running to keep configuration sane + $a_ifaces = $post['active_interface'] ?: array(); + $s_ifaces = $post['ssl_active_interface']; + foreach ($s_ifaces as $s_iface) { + if (!in_array($s_iface, $a_ifaces)) { + $err_iface = convert_friendly_interface_to_friendly_descr($s_iface); + $input_errors[] = "'SSL Intercept Interface(s)' may only contain interfaces also selected in 'Proxy Interface(s)' above. '{$err_iface}' is not valid."; + unset($err_iface); + } + } + unset($a_ifaces, $s_ifaces, $s_iface); + } } foreach (array('defined_ip_proxy_off') as $hosts) { @@ -778,6 +822,8 @@ function squid_validate_general($post, &$input_errors) { } } } + unset($host, $hosts); + foreach (array('defined_ip_proxy_off_dest') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); @@ -786,6 +832,7 @@ function squid_validate_general($post, &$input_errors) { } } } + unset($host, $hosts); if (!empty($post['dns_nameservers'])) { $altdns = explode(";", ($post['dns_nameservers'])); @@ -796,6 +843,7 @@ function squid_validate_general($post, &$input_errors) { } } } + unset($altdns, $dnssrv); } /* Proxy Server: Remote Proxy Settings input validation */ @@ -823,6 +871,7 @@ function squid_validate_upstream($post, &$input_errors) { } } } + unset($port); } /* Proxy Server: Cache Management input validation */ 
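Review bot: `proxy_port` and `ssl_proxy_port` are never checked with is_port() in this hunk although `icp_port` is, the `<required/>` flag is dropped from both fields in squid.xml in this same commit, and the value is interpolated straight into the `http_port` lines of squid.conf in squid_resync_general(). The WebGUI-clash check only compares the number, so a non-numeric or out-of-range value passes validation and yields a configuration Squid will reject. Add an is_port() check ahead of the clash check, as below. The `in_array()` calls on the interface lists should also pass `true` as the third argument to avoid loose-comparison surprises. squid_validate_general() begins before this hunk; the `@@ -823` hunk in squid_validate_upstream() sharing this line is unrelated.
```php
	// … unchanged: log_rotate check …
	// the proxy ports are optional (defaults 3128/3129 apply), but when given they must be valid port numbers
	foreach (array('proxy_port' => 'Proxy Port', 'ssl_proxy_port' => 'SSL Proxy port') as $field => $descr) {
		if (!empty($post[$field]) && !is_port(trim($post[$field]))) {
			$input_errors[] = "You must enter a valid port number in the '{$descr}' field.";
		}
	}
	unset($field, $descr);
	// check that the proxy port does not clash with WebGUI
```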
@@ -846,17 +895,20 @@ function squid_validate_cache($post, &$input_errors) { $input_errors[] = "You must enter a valid value for '$field'."; } } + unset($num_fields); $value = trim($post['minimum_object_size']); if (!is_numericint($value)) { $input_errors[] = "You must enter a valid value for 'Minimum object size'."; } + unset($value); if (!empty($post['cache_swap_low'])) { $value = trim($post['cache_swap_low']); if (!is_numericint($value) || ($value > 100)) { $input_errors[] = "You must enter a valid value for 'Low-water-mark'."; } + unset($value); } if (!empty($post['cache_swap_high'])) { @@ -864,6 +916,7 @@ function squid_validate_cache($post, &$input_errors) { if (!is_numericint($value) || ($value > 100)) { $input_errors[] = "You must enter a valid value for 'High-water-mark'."; } + unset($value); } if ($post['donotcache'] != "") { @@ -873,6 +926,7 @@ function squid_validate_cache($post, &$input_errors) { $input_errors[] = "The host '$host' is not a valid IP or hostname."; } } + unset($host); } if (substr($post['harddisk_cache_location'], -1, 1) == '/') { @@ -897,6 +951,7 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "'Allowed Subnets' must be a valid CIDR range or 'all'. The subnet '$subnet' is not valid."; } } + unset($allowed_subnets); foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) { if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $_POST[$hosts], $matches)) { @@ -921,6 +976,7 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "'$mac' is not a valid MAC address."; } } + unset($mac); } foreach (explode(",", $post['timelist']) as $time) { @@ -929,6 +985,7 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "The time range '$time' is not a valid time range."; } } + unset($time); if (!empty($post['ext_cachemanager'])) { $extmgr = explode(";", ($post['ext_cachemanager'])); 
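Review bot: The `unrestricted_hosts`/`banned_hosts` loop in the squid_validate_nac() hunk reads `$_POST[$hosts]` while every other check in these validators reads the `$post` parameter; the commit edits the lines around it but leaves the inconsistency, so any caller that passes something other than the raw request validates the wrong data. Change it to `preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $post[$hosts], $matches)`. The added `unset()` calls are fine, but a one-line comment at the first of them, e.g. `// release validation temporaries so stale values cannot leak into later checks`, would explain why a validator bothers with them. squid_validate_cache() and squid_validate_nac() both start outside their hunks.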
@@ -938,6 +995,7 @@ function squid_validate_nac($post, &$input_errors) { } } } + unset($extmgr); } /* Proxy server: Traffic Management input validation */ @@ -955,6 +1013,7 @@ function squid_validate_traffic($post, &$input_errors) { $input_errors[] = "The '$name' field must contain a positive integer."; } } + unset($num_fields); if (!empty($post['quick_abort_min'])) { $value = trim($post['quick_abort_min']); @@ -982,6 +1041,7 @@ function squid_validate_traffic($post, &$input_errors) { if ($post['throttle_binaries'] == "" && $post['throttle_cdimages'] == "" && $post['throttle_multimedia'] == "" && $others == "") { $input_errors[] = "'Throttle Only Specific Extensions' enabled but no extensions specified. Select some options under 'Squid Transfer Extension Settings' or disable this option."; } + unset($others); } } @@ -999,6 +1059,7 @@ function squid_validate_auth($post, &$input_errors) { $input_errors[] = "The '{$field[1]}' field must contain a valid number greater than {$field[2]}"; } } + unset($num_fields); $auth_method = $post['auth_method']; if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { @@ -1046,6 +1107,7 @@ function squid_validate_auth($post, &$input_errors) { } } } + unset($auth_method, $port, $server, $secret, $user); } /* Proxy Server: General Settings configuration handler */ @@ -1108,7 +1170,7 @@ function squid_resync_general() { } } $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); + $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3129); // Read assigned interfaces $real_ifaces = array(); @@ -1116,7 +1178,7 @@ function squid_resync_general() { if ($settings['active_interface']) { $proxy_ifaces = explode(",", $settings['active_interface']); } else { - $proxy_ifaces = array("lan"); + $proxy_ifaces = array(); } if ($settings['transparent_proxy'] == "on") { 
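Review bot: The 3128/3129 defaults in the squid_resync_general() hunk are further copies of literals that squid_validate_general(), squid_resync_nac() and squid_generate_rules() each repeat in this commit, and the 3127→3129 correction made here is exactly the drift that duplication produces. Define them once next to the other constants at the top of squid.inc, e.g. `define('SQUID_DEFAULT_PORT', 3128);` and `define('SQUID_DEFAULT_SSL_PORT', 3129);`, and use the constants in all four places. The switch from `array("lan")` to `array()` for the no-interface case changes what an unsaved config binds to; a comment such as `// no proxy interfaces: reverse-proxy-only, no http_port lines and no firewall rules are generated` would record that this is intentional. squid_resync_general() continues past this hunk.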
@@ -1136,7 +1198,7 @@ function squid_resync_general() { foreach ($ssl_ifaces as $s_iface) { $s_iface_ip = squid_get_real_interface_address($s_iface); if ($s_iface_ip[0]) { - $real_ifaces[]=$s_iface_ip; + $real_ifaces[] = $s_iface_ip; } } } else { @@ -1147,11 +1209,16 @@ function squid_resync_general() { foreach ($proxy_ifaces as $iface) { $iface_ip = squid_get_real_interface_address($iface); if ($iface_ip[0]) { - $real_ifaces[] = $iface_ip; - if (in_array($iface, $ssl_ifaces)) { - $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; + // do not add loopback twice when transparent proxy is enabled + if ($iface_ip[0] == "127.0.0.1" && $settings['transparent_proxy'] == "on") { + continue; } else { - $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + $real_ifaces[] = $iface_ip; + if (in_array($iface, $ssl_ifaces)) { + $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; + } else { + $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + } } } } @@ -1165,7 +1232,7 @@ function squid_resync_general() { } } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); - $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off" ); + $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off"); $piddir = "{$g['varrun_path']}/squid"; $pidfile = "{$piddir}/squid.pid"; if (!is_dir($piddir)) { @@ -1237,9 +1304,11 @@ EOD; } } } - $conf .= "# Allow local network(s) on interface(s)\n"; - $conf .= "acl localnet src $src\n"; - $valid_acls[] = 'localnet'; + if (!empty($src)) { + $conf .= "# Allow local network(s) on interface(s)\n"; + $conf .= "acl localnet src $src\n"; + $valid_acls[] = 'localnet'; + } } if ($settings['xforward_mode']) { 
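Review bot: In the loopback skip added to the `$proxy_ifaces` loop of squid_resync_general(), the `else` after `continue` is redundant; drop the `else {` / `}` pair and dedent the body so the skip reads as a guard clause. The test `$iface_ip[0] == "127.0.0.1"` only recognises the IPv4 loopback; if squid_get_real_interface_address() can return `::1` for the loopback interface the duplicate `http_port` would still be emitted, which is worth confirming against that helper. The new `if (!empty($src))` guard around `acl localnet` is correct, but any later code that adds `localnet` to an allow list must now consult `$valid_acls` rather than assume the ACL exists. squid_resync_general() starts and ends outside these hunks.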
@@ -1411,25 +1480,33 @@ function squid_resync_upstream() { function squid_resync_nac() { global $config, $valid_acls; - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); if (is_array($config['installedpackages']['squidnac'])) { $settings = $config['installedpackages']['squidnac']['config'][0]; } else { $settings = array(); } + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $webgui_port = $config['system']['webgui']['port']; $addtl_ports = $settings['addtl_ports']; $addtl_sslports = $settings['addtl_sslports']; - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); + // do not add (default) proxy ports when using Squid as reverse proxy only + if (!empty($squidsettings['active_interface'])) { + $port = $squidsettings['proxy_port'] ? $squidsettings['proxy_port'] : 3128; + $ssl_port = $squidsettings['ssl_proxy_port'] ? $squidsettings['ssl_proxy_port'] : 3129; + } $conf = <<< EOD # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all -acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports -acl sslports port 443 563 $webgui_port $addtl_sslports +acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 {$webgui_port} {$port} {$ssl_port} 1025-65535 {$addtl_ports} +acl sslports port 443 563 {$webgui_port} {$addtl_sslports} # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object 
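Review bot: In squid_resync_nac() `$port` and `$ssl_port` are now only assigned when `active_interface` is non-empty, so the reverse-proxy-only path interpolates two undefined variables into the `safeports` ACL (PHP notice, empty fields). Initialise them before the branch, `$port = $ssl_port = '';`, or build the port list with `implode(' ', array_filter(...))` so empty entries do not leave stray whitespace in the ACL line. The removed duplicate `$port = ($settings['proxy_port'] ...)` read the NAC settings rather than the Squid settings, so switching to `$squidsettings` fixes a real bug and deserves a comment saying so. `$addtl_ports`/`$addtl_sslports` are still inserted verbatim; their validation is not visible in this diff and should be confirmed. squid_resync_nac() continues past this hunk.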
@@ -1731,9 +1808,9 @@ function squid_resync_auth() { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; } - $conf .= "# Setup allowed acls\n"; + $conf .= "# Setup allowed ACLs\n"; $allowed = array('allowed_subnets'); - if ($settingsconfig['allow_interface'] == 'on') { + if ($settingsconfig['allow_interface'] == 'on' && !empty($settingsconfig['active_interface'])) { $conf .= "# Allow local network(s) on interface(s)\n"; $allowed[] = "localnet"; } @@ -1952,10 +2029,13 @@ function squid_generate_rules($type) { file_put_contents($cp_file, $new_cp_inc, LOCK_EX); } - // do not install any firewall rules if Squid is disabled + // do not install any firewall rules if Squid is disabled or used as reverse proxy only if (!squid_enabled()) { log_error("[squid] Installed but disabled. Not installing '{$type}' rules."); return; + } elseif (empty($squid_conf['active_interface'])) { + log_error("[squid] Configured as reverse proxy only. Not installing '{$type}' rules."); + return; } // normal squid rule check @@ -1984,7 +2064,7 @@ function squid_generate_rules($type) { } $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); - $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127); + $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3129); $fw_aliases = filter_generate_aliases(); if (strstr($fw_aliases, "pptp =")) { diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 28326d7f..82fe44b8 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squid</name> - <version>0.4.0</version> + <version>0.4.5</version> <title>Proxy Server: General Settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <menu> 
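Review bot: The new condition in squid_resync_auth() uses `!empty($settingsconfig['active_interface'])` as a stand-in for "the localnet ACL was emitted", but squid_resync_general() in this same commit only emits `acl localnet` when the collected `$src` is non-empty, so an interface list with no usable subnet still appends `localnet` to the allow list and produces an undefined-ACL error in squid.conf unless the code after this hunk filters `$allowed` against `$valid_acls`. Testing the exact condition avoids that: `if ($settingsconfig['allow_interface'] == 'on' && in_array('localnet', $valid_acls, true)) {`, assuming `$valid_acls` is declared global in this function as it is in squid_resync_nac(). In squid_generate_rules() the new `elseif (empty($squid_conf['active_interface']))` relies on `$squid_conf` being loaded before the hunk, which is outside the view. Both functions begin and end outside their hunks.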
@@ -254,7 +254,7 @@ <description> <![CDATA[ Check to enable the Squid proxy.<br/> - Note: If unchecked, <strong>all</strong> Squid services will be disabled and stopped.<br/> + <strong><span class="errmsg">Note:</span> If unchecked, ALL Squid services will be disabled and stopped.</strong> ]]> </description> <type>checkbox</type> @@ -277,21 +277,24 @@ <description> <![CDATA[ The interface(s) the proxy server will bind to.<br/> - <strong>Note: Use CTRL + click to select multiple interfaces.</strong> + Note: Use CTRL + click to select multiple interfaces. ]]> </description> <type>interfaces_selection</type> - <required/> <default_value>lan</default_value> <multiple/> </field> <field> <fielddescr>Proxy Port</fielddescr> <fieldname>proxy_port</fieldname> - <description>This is the port the proxy server will listen on.</description> + <description> + <![CDATA[ + This is the port the proxy server will listen on.<br/> + (Default: 3128) + ]]> + </description> <type>input</type> <size>5</size> - <required/> <default_value>3128</default_value> </field> <field> @@ -386,12 +389,12 @@ <description> <![CDATA[ The interface(s) the proxy server will transparently intercept requests on.<br/> - <strong>Note: Use CTRL + click to select multiple interfaces.</strong> + Note: Use CTRL + click to select multiple interfaces. ]]> </description> <type>interfaces_selection</type> - <required/> <default_value>lan</default_value> + <hideinterfaceregex>loopback</hideinterfaceregex> <multiple/> </field> <field> @@ -410,7 +413,7 @@ <description> <![CDATA[ Do not forward traffic from these <strong>source</strong> IPs, CIDR nets, hostnames, or aliases through the proxy server but let it pass directly through the firewall. - (Applies only to transparent mode.)<br/><br/> + (Applies only to transparent mode.)<br/> <strong>Note: Separate entries by semi-colons (;)</strong> ]]> </description> 
@@ -422,8 +425,8 @@ <fieldname>defined_ip_proxy_off_dest</fieldname> <description> <![CDATA[ - Do not proxy traffic going to these <strong>destination</strong> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.<br/> - (Applies only to transparent mode.)<br/><br/> + Do not proxy traffic going to these <strong>destination</strong> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. + (Applies only to transparent mode.)<br/> <strong>Note: Separate entries by semi-colons (;)</strong> ]]> </description> @@ -435,7 +438,7 @@ <type>listtopic</type> </field> <field> - <fielddescr>HTTPS/SSL interception</fielddescr> + <fielddescr>HTTPS/SSL Interception</fielddescr> <fieldname>ssl_proxy</fieldname> <description>Enable SSL filtering.</description> <type>checkbox</type> @@ -447,18 +450,23 @@ <description> <![CDATA[ The interface(s) the proxy server will intercept SSL requests on.<br/> - <strong>Note: Use CTRL + click to select multiple interfaces.</strong> + Note: Use CTRL + click to select multiple interfaces. ]]> </description> <type>interfaces_selection</type> - <required/> <default_value>lan</default_value> + <hideinterfaceregex>loopback</hideinterfaceregex> <multiple/> </field> <field> <fielddescr>SSL Proxy port</fielddescr> <fieldname>ssl_proxy_port</fieldname> - <description>This is the port the proxy server will listen on to intercept SSL while using transparent proxy.</description> + <description> + <![CDATA[ + This is the port the proxy server will listen on to intercept SSL while using transparent proxy.<br/> + (Default: 3129) + ]]> + </description> <type>input</type> <size>5</size> <default_value>3129</default_value> 
@@ -477,6 +485,8 @@ <source><![CDATA[$config['ca']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> + <show_disable_value>none</show_disable_value> + <default_value>none</default_value> </field> <field> <fielddescr>SSL Certificate Deamon Children</fielddescr> @@ -514,7 +524,7 @@ <description> <![CDATA[ Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br/> - Hint: Set the subject CN - see <a href="http://wiki.squid-cache.org/Features/MimicSslServerCert">fake certificate properties documentation</a> for details. + <strong>Hint:</strong> Set the subject CN - see <a href="http://wiki.squid-cache.org/Features/MimicSslServerCert">fake certificate properties documentation</a> for details. ]]> </description> <type>select</type> @@ -565,6 +575,25 @@ <size>5</size> </field> <field> + <fielddescr>Log Pages Denied by SquidGuard</fielddescr> + <fieldname>log_sqd</fieldname> + <description> + <![CDATA[ + Makes it possible for SquidGuard denied log to be included on Squid logs.<br/> + <strong>Note: This option will only work if you include the code below in your sgerror.php file.</strong><br/> + This forces the client browser to send a second request to Squid with the denied string in URL.<br/><br/> + $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");<br/> + $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br/><br/> + <strong>Hint: You MUST remove extra spaces in the above iframe HTML tags.</strong> + ]]> + </description> + <type>checkbox</type> + </field> + <field> + <name>Headers Handling, Language and Other Customizations</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Visible Hostname</fielddescr> <fieldname>visible_hostname</fieldname> <description>This is the hostname to be displayed in proxy server error messages.</description> 
@@ -663,21 +692,6 @@ <type>checkbox</type> </field> <field> - <fielddescr>Log Pages Denied by SquidGuard</fielddescr> - <fieldname>log_sqd</fieldname> - <description> - <![CDATA[ - Makes it possible for SquidGuard denied log to be included on Squid logs.<br/> - <strong>Note: This option will only work if you include the code below in your sgerror.php file.</strong><br/> - This forces the client browser to send a second request to Squid with the denied string in URL.<br/><br/> - $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");<br/> - $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br/><br/> - <strong>Hint: You MUST remove extra spaces in the above iframe HTML tags.</strong> - ]]> - </description> - <type>checkbox</type> - </field> - <field> <fielddescr>URI Whitespace Characters Handling</fielddescr> <fieldname>uri_whitespace</fieldname> <description> @@ -710,7 +724,7 @@ <fieldname>custom_options</fieldname> <description> <![CDATA[ - Squid options added from packages like SquidGuard or HAVP for Squid integration. + Squid options added from packages like SquidGuard for Squid integration. ]]> </description> <type>textarea</type> diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 82768f4b..e22ae039 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc 
@@ -392,14 +392,14 @@ EOF; $freshclam_m[0] = "@#This file was automatically generated by pfSense@"; $freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration"; $clamav_mirrors = ""; - if ($antivirus_config['clamav_dbregion'] != "") { - $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; - } if ($antivirus_config['clamav_dbservers'] != "") { foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; } } + if ($antivirus_config['clamav_dbregion'] != "") { + $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; + } if ($clamav_mirrors != "") { $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; $freshclam_r[1] = "{$clamav_mirrors}"; diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml index 58a0bf12..2c36fcf3 100755 --- a/config/squid3/34/squid_auth.xml +++ b/config/squid3/34/squid_auth.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidauth</name> - <version>0.3.5</version> + <version>0.4.5</version> <title>Proxy Server: Authentication</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> @@ -98,7 +98,6 @@ <fieldname>auth_method</fieldname> <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description> <type>select</type> - <required/> <default_value>none</default_value> <options> <option><name>None</name><value>none</value></option> diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index b302c8b1..74aab0a1 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -30,6 +30,7 @@ POSSIBILITY OF SUCH DAMAGE. */ require_once('certs.inc'); +require_once("pfsense-utils.inc"); require_once('util.inc'); /* This file is currently only being included in squid.inc and not used separately */ // require_once('squid.inc'); 
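Review bot: Reordering the `DatabaseMirror` lines in the squid_antivirus.inc hunk changes which mirror freshclam contacts first (user-defined servers now precede the regional `db.<region>.clamav.net` mirror), and nothing in the hunk records that this is deliberate. Add a comment above the `clamav_dbservers` loop such as `// user-defined mirrors first so freshclam prefers them; the regional mirror is the fallback`. The `explode(";", ...)` loop also does not trim() its entries, so `a; b` yields a `DatabaseMirror` line with embedded whitespace; `{$dbserver}` → `trim($dbserver)` via a local variable would make this robust. The enclosing function starts before this hunk.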
@@ -41,48 +42,85 @@ function squid_resync_reverse() { // config file if (is_array($config['installedpackages']['squidreversegeneral'])) { $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + } else { + $settings = array(); } if (is_array($config['installedpackages']['squidreversepeer'])) { $reverse_peers = $config['installedpackages']['squidreversepeer']['config']; + } else { + $reverse_peers = array(); } if (is_array($config['installedpackages']['squidreverseuri'])) { $reverse_maps = $config['installedpackages']['squidreverseuri']['config']; + } else { + $reverse_maps = array(); } if (is_array($config['installedpackages']['squidreverseredir'])) { $reverse_redir = $config['installedpackages']['squidreverseredir']['config']; + } else { + $reverse_redir = array(); } $conf = "# Reverse Proxy settings\n"; - if (isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { - $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); + if (isset($settings['reverse_ssl_cert']) && $settings['reverse_ssl_cert'] != "none") { + $svr_cert = lookup_cert($settings['reverse_ssl_cert']); if ($svr_cert != false) { if (base64_decode($svr_cert['crt'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", sq_text_area_decode($svr_cert['crt'])); - $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt", sq_text_area_decode($svr_cert['crt'])); + $reverse_crt = SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt"; } if (base64_decode($svr_cert['prv'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", sq_text_area_decode($svr_cert['prv'])); - $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.key", sq_text_area_decode($svr_cert['prv'])); + $reverse_key = SQUID_CONFBASE . 
"/{$settings['reverse_ssl_cert']}.key"; } } } if (!empty($settings['reverse_int_ca'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX); + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX); + } + + if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on") { + if (isset($settings['reverse_ssl_clientca']) && $settings['reverse_ssl_clientca'] != 'none') { + $clientca_cert = lookup_ca($settings['reverse_ssl_clientca']); + $clientca_opts = ''; + if ($clientca_cert != false) { + if (base64_decode($clientca_cert['crt'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", sq_text_area_decode($clientca_cert['prv'])); + $clientca_opts = "clientca=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt"; + } + if (base64_decode($clientca_cert['prv'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", "\n" . sq_text_area_decode($clientca_cert['crt']), FILE_APPEND | LOCK_EX); + } + } + } + if (isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') { + $crl = lookup_crl($settings['reverse_ssl_clientcrl']); + crl_update($crl); + if ($crl != false) { + if (base64_decode($crl['text'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text'])); + $clientca_opts .= " crlfile=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl sslflags=VERIFY_CRL"; + } + } + } } $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); // set HTTP port and defsite - $http_port = (empty($settings['reverse_http_port']) ? "80" : $settings['reverse_http_port']); + $http_port = (!is_port($settings['reverse_http_port']) ? 
"80" : $settings['reverse_http_port']); $http_defsite = (empty($settings['reverse_http_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_http_defsite']); // set HTTPS port and defsite - $https_port = (empty($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']); + $https_port = (!is_port($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']); $https_defsite = (empty($settings['reverse_https_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_https_defsite']); + // Ignore Internal Certificate Validation + $sslflags = ($settings['reverse_ignore_ssl_valid'] == "on" ? "sslflags=DONT_VERIFY_PEER" : ""); + foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if ($real_ifaces[$i][0]) { @@ -92,7 +130,7 @@ function squid_resync_reverse() { } //HTTPS if (!empty($settings['reverse_https'])) { - $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} {$clientca_opts} defaultsite={$https_defsite} vhost\n"; } } } 
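Review bot: The client-CA block added to squid_resync_reverse() writes the CA's private key into the `.crt` file: under `if (base64_decode($clientca_cert['crt']))` it saves `$clientca_cert['prv']`, and the `prv` branch then appends the certificate. Squid's `clientca=` option only needs the CA certificate to verify client certificates, so the private key must not be written into the Squid config directory at all; the swap also means a CA without an exported key produces an empty `clientca=` file. `$clientca_opts` is likewise only initialised inside the `reverse_ssl_clientca != 'none'` branch, so with a CRL but no CA, or with client checking off, an undefined variable is interpolated into the `https_port` line further down; initialise it before the block. A rewrite of that section is below; squid_resync_reverse() continues past this hunk.
```php
	$clientca_opts = '';
	if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on") {
		if (isset($settings['reverse_ssl_clientca']) && $settings['reverse_ssl_clientca'] != 'none') {
			$clientca_cert = lookup_ca($settings['reverse_ssl_clientca']);
			// only the CA certificate is needed to verify client certificates; the CA private key is never written out
			if ($clientca_cert != false && base64_decode($clientca_cert['crt'])) {
				file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", sq_text_area_decode($clientca_cert['crt']));
				$clientca_opts = "clientca=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt";
			}
		}
		// … unchanged: CRL handling …
	}
```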
@@ -112,13 +150,13 @@ function squid_resync_reverse() { } // peers - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { + if ($settings['reverse_owa'] == 'on') { if (!empty($settings['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip'])); $casnr = 0; foreach ($reverse_owa_ip as $reowaip) { $casnr++; - $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n"; + $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl {$sslflags} front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n"; $conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n"; } } @@ -131,7 +169,7 @@ function squid_resync_reverse() { $conf_peer = "#{$rp['description']}\n"; $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin "; if ($rp['protocol'] == 'HTTPS') { - $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf_peer .= "ssl {$sslflags} front-end-https=auto "; } $conf_peer .= "name=rvp_{$rp['name']}\n\n"; @@ -259,7 +297,7 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } - $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; + $conf .= $cache_peer_allow_conf . $cache_peer_deny_conf . $cache_peer_never_direct_conf . $http_access_conf . "\n"; if (!empty($settings['deny_info_tcp_reset'])) { $conf .= "deny_info TCP_RESET allsrc\n"; 
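Review bot: With `{$sslflags}` replacing the hard-coded `sslflags=DONT_VERIFY_PEER` on the OWA and generic `cache_peer` lines, origin certificates are now verified unless `reverse_ignore_ssl_valid` is on, which is the safer default but a behaviour change for existing installs that have no value for the new option. Confirm that squid_reverse_upgrade_config() or the XML default covers upgraded configs, and consider whether verification needs a `sslcafile=` pointing at the trusted CA bundle, since peers signed by an internal CA will otherwise fail. The empty-string case leaves `ssl  front-end-https=on` with a double space, harmless to Squid but worth a comment at the `$sslflags` assignment. The OWA block could now be a single `if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']))` since the inner check is all that remains. squid_resync_reverse() starts and ends outside these hunks.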
@@ -268,6 +306,46 @@ function squid_resync_reverse() { return $conf; } +/* Refresh Client Certificate Revocation List */ +function squid_refresh_crl() { + global $config; + + if (is_array($config['installedpackages']['squidreversegeneral'])) { + $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + } else { + $settings = array(); + } + + if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on" && isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') { + $crl = lookup_crl($settings['reverse_ssl_clientcrl']); + crl_update($crl); + if ($crl != false) { + if (base64_decode($crl['text'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text'])); + } + } + } +} + +/* Check whether Squid reverse proxy is enabled */ +function squid_reverse_enabled() { + global $config, $reverse_proxy_enabled; + $reverse_proxy_enabled = false; + + if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { + // check whether HTTP or HTTPS reverse proxy is enabled ... + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_http'] == "on" || + $config['installedpackages']['squidreversegeneral']['config'][0]['reverse_https'] == "on") { + // ... and has at least one reverse interface configured + if (!empty($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'])) { + $reverse_proxy_enabled = true; + } + } + } + + return $reverse_proxy_enabled; +} + /* Migrate reverse proxy configuration from old Squid package versions */ function squid_reverse_upgrade_config() { global $config; 
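Review bot: In squid_refresh_crl() the `file_put_contents()` result is ignored, so a failed write leaves Squid running with the previous CRL (or none) while the admin believes revocation is current, and `crl_update($crl)` runs before `$crl != false` is tested. The validity check decodes with `base64_decode()` while the write uses `sq_text_area_decode()` (not visible here); if the two disagree an empty or partial file can be written. The reordering below logs on both failure paths so a stale-CRL condition shows up in the system log, and calling squid_refresh_crl() from the resync path would let a Save pick up a regenerated CRL without relying on the 'Refresh CRL' button. squid_reverse_enabled() writes its result into a global `$reverse_proxy_enabled` that nothing in the hunk reads; a local variable is enough unless this mirrors squid_enabled() on purpose.
```php
function squid_refresh_crl() {
	// … unchanged: global $config; $settings lookup …
	if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on" && isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') {
		$crl = lookup_crl($settings['reverse_ssl_clientcrl']);
		if ($crl === false) {
			log_error("[squid] Client CRL '{$settings['reverse_ssl_clientcrl']}' not found; client certificate revocation is not being enforced.");
			return;
		}
		crl_update($crl);
		$crlfile = SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl";
		$crltext = sq_text_area_decode($crl['text']);
		if (empty($crltext) || file_put_contents($crlfile, $crltext) === false) {
			log_error("[squid] Could not write client CRL to {$crlfile}; Squid keeps using the previous CRL, if any.");
		}
	}
}
```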
@@ -325,51 +403,84 @@ function squid_reverse_upgrade_config() { function squid_validate_reverse($post, &$input_errors) { global $config; + /* Manually refresh client CRL */ + if ($post['refresh_crl'] == 'Refresh CRL') { + log_error("[squid] Client Certificate Revocation List refresh forced via GUI. Refreshing now..."); + squid_refresh_crl(); + } + + if ($post['reverse_http'] == 'on' || $post['reverse_https'] == 'on') { + if (empty($post['reverse_interface'])) { + $input_errors[] = "You must select at least one interface under 'Reverse Proxy Interface(s)' to enable HTTP Reverse Proxy."; + } + $fqdn = trim($post['reverse_external_fqdn']); + if (empty($fqdn) || !is_domain($fqdn)) { + $input_errors[] = "'External FQDN' field must contain a valid domain name."; + } + unset($fqdn); + } + if (!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) { - $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid."; + if (!is_ipaddr_configured(trim($reip))) { + $input_errors[] = "You must enter a valid, locally configured IP address in the 'User Defined Reverse Proxy IPs' field. 
'$reip' is invalid."; } } + unset($reverse_ip); } - $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) { - $input_errors[] = "'External FQDN' field must contain a valid domain name."; + if ($post['reverse_http'] == 'on') { + $port = trim($post['reverse_http_port']); + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!is_port($port)) { + $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; + } + if (is_port($port) && $port <= $portrange[1]) { + $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon."; + } + unset($port, $portrange); } - $port = trim($post['reverse_http_port']); - preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); - if (!empty($port) && !is_port($port)) { - $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; - } - if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; - } - $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) { - $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; - } - if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl 
value to 0 in system tunable options and restart Squid daemon."; - } - if ($post['reverse_ssl_cert'] == 'none') { - $input_errors[] = 'A valid certificate for the external interface must be selected'; - } + if ($post['reverse_https'] == 'on') { + $port = trim($post['reverse_https_port']); + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!is_port($port)) { + $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; + } + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { + $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon."; + } + unset($port, $portrange); + + if ($post['reverse_ssl_cert'] == 'none') { + $input_errors[] = "A valid certificate for the external interface must be selected when 'HTTPS Reverse Proxy' is enabled."; + } - if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { - $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + if ($post['reverse_check_clientca'] == 'on') { + if ($post['reverse_ssl_clientca'] == 'none') { + $input_errors[] = "A valid 'Client Certificate CA' must be selected when 'Check Client Certificate' is enabled"; + } + } } - if (!empty($post['reverse_owa_ip'])) { - $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); - foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) { - $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. 
'$reowaip' is invalid."; + if ($post['reverse_owa'] == 'on') { + if ($post['reverse_https'] != 'on') { + $input_errors[] = "You have to enable HTTPS Reverse Proxy to enable OWA support."; + } + + if (!empty($post['reverse_owa_ip'])) { + $reowaips = explode(";", ($post['reverse_owa_ip'])); + foreach ($reowaips as $reowaip) { + if (!is_ipaddr(trim($reowaip))) { + $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA Frontend IP Address(es)' field. '$reowaip' is invalid."; + } } + unset($reowaips); + } else { + $input_errors[] = "You must enter at least one valid IP address in the 'CAS-Array / OWA Frontend IP Address(es)' field."; } } @@ -388,7 +499,9 @@ function squid_validate_reverse($post, &$input_errors) { $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration."; } } + unset($cfg, $defs); } + unset($contents); } ?> diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml index 90babcd0..def3b55c 100755 --- a/config/squid3/34/squid_reverse_general.xml +++ b/config/squid3/34/squid_reverse_general.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidreversegeneral</name> - <version>0.3.8</version> + <version>0.4.5</version> <title>Reverse Proxy Server: General</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> 
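Review bot: The 'Refresh CRL' handling at the top of squid_validate_reverse() writes into SQUID_CONFBASE from inside a validation routine, before any check below has run, and squid_refresh_crl() reads the saved `$config` rather than `$post`, so pressing the button after changing the CRL selection rewrites the old CRL, and a form that then fails validation has still touched the filesystem. Running the refresh only when `empty($input_errors)` after the checks, or from the resync path after Save, avoids both. Separately, the `reverse_check_clientca` branch only verifies that a CA is selected; a CRL issued by a different CA provides no revocation at all and Squid will not warn, so the CRL should be checked against the CA as below (assuming pfSense CRL entries carry the issuing CA's refid in `caref`, as the cert manager's do). The duplicated `shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh")` in the HTTP and HTTPS branches could be hoisted once above both, and the HTTPS branch's `!empty($port) &&` is redundant next to `is_port($port)`.
```php
		if ($post['reverse_check_clientca'] == 'on') {
			if ($post['reverse_ssl_clientca'] == 'none') {
				$input_errors[] = "A valid 'Client Certificate CA' must be selected when 'Check Client Certificate' is enabled";
			} elseif (!empty($post['reverse_ssl_clientcrl']) && $post['reverse_ssl_clientcrl'] != 'none') {
				$crl = lookup_crl($post['reverse_ssl_clientcrl']);
				// NOTE(review): assumes CRL entries store the issuing CA's refid in 'caref' as pfSense's cert manager does - confirm
				if ($crl === false || $crl['caref'] != $post['reverse_ssl_clientca']) {
					$input_errors[] = "The selected 'Client Certificate Revocation List' was not issued by the selected 'Client Certificate CA'; revoked client certificates would not be rejected.";
				}
				unset($crl);
			}
		}
```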
@@ -78,16 +78,18 @@ <type>listtopic</type> </field> <field> - <fielddescr>Reverse Proxy Interface</fielddescr> + <fielddescr>Reverse Proxy Interface(s)</fielddescr> <fieldname>reverse_interface</fieldname> <description> <![CDATA[ - The interface(s) the reverse-proxy server will bind to.<br/> - Use CTRL + click to select multiple interfaces. + The interface(s) the reverse-proxy server will bind to (usually WAN).<br/> + Use CTRL + click to select multiple interfaces.<br/><br/> + <strong><span class="errmsg">Important:</span><br/></strong> + <strong>To use Squid as a reverse proxy ONLY:</strong> After saving configuration here, you must tick the 'Enable Squid Proxy' checkbox under Services - Squid Proxy Server - General and click Save there.<br/> + <strong>To disable the reverse proxy ONLY (without disabling Squid completely):</strong> Unselect all 'Reverse Proxy Interface(s)', uncheck both 'Enable HTTP Reverse Proxy' and 'Enable HTTPS Reverse Proxy' below and click Save. ]]> </description> <type>interfaces_selection</type> - <required/> <default_value>wan</default_value> <multiple/> </field> @@ -97,7 +99,8 @@ <description> <![CDATA[ Squid will additionally bind to these user-defined IPs for reverse proxy operation. Useful for virtual IPs such as CARP.<br/> - <strong>Note: Separate entries by semi-colons (;)</strong> + Note: Separate entries by semi-colons (;)<br/><br/> + <strong><span class="errmsg">Important:</span> Any entry here must be a valid, locally configured IP address.</strong> ]]> </description> <type>input</type> @@ -108,7 +111,6 @@ <fieldname>reverse_external_fqdn</fieldname> <description>The external fully qualified domain name of the WAN IP address.</description> <type>input</type> - <required/> <size>70</size> </field> <field> 
@@ -123,17 +125,16 @@ <type>listtopic</type> </field> <field> - <fielddescr>Enable HTTP Reverse Mode</fielddescr> + <fielddescr>Enable HTTP Reverse Proxy</fielddescr> <fieldname>reverse_http</fieldname> <description> <![CDATA[ If checked, the proxy server will act in HTTP reverse mode.<br/> - <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong> + <strong><span class="errmsg">Important:</span> You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address.</strong> ]]> </description> <type>checkbox</type> <enablefields>reverse_http_port,reverse_http_defsite</enablefields> - <required/> <default_value>off</default_value> </field> <field> @@ -141,7 +142,7 @@ <fieldname>reverse_http_port</fieldname> <description> <![CDATA[ - This is the port the HTTP reverse proxy will listen on. Default value will be used if left empty.<br/> + This is the port the HTTP reverse proxy will listen on.<br/> Default: 80 ]]> </description> @@ -159,7 +160,7 @@ ]]> </description> <type>input</type> - <size>60</size> + <size>70</size> </field> <field> <name>Squid Reverse HTTPS Settings</name> 
@@ -171,12 +172,11 @@ <description> <![CDATA[ If checked, the proxy server will act in HTTPS reverse mode.<br/> - <strong>Note: You must add a proper firewall rule with destination 'WAN Address'.</strong> + <strong><span class="errmsg">Important:</span> You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address.</strong> ]]> </description> <type>checkbox</type> - <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> - <required/> + <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_check_clientca,reverse_owa</enablefields> <default_value>off</default_value> </field> <field> @@ -184,7 +184,7 @@ <fieldname>reverse_https_port</fieldname> <description> <![CDATA[ - This is the port the HTTPS reverse proxy will listen on. Default value will be used if left empty.<br/> + This is the port the HTTPS reverse proxy will listen on.<br/> Default: 443 ]]> </description> 
@@ -198,20 +198,22 @@ <description> <![CDATA[ This is the HTTPS reverse proxy default site.<br/> - Note: Leave empty to use 'External FQDN' value specified above. + Note: Leave empty to use 'External FQDN' value specified in 'Squid Reverse Proxy General Settings'. ]]> </description> <type>input</type> - <size>60</size> + <size>70</size> </field> <field> <fielddescr>Reverse SSL Certificate</fielddescr> <fieldname>reverse_ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> <type>select_source</type> - <source>$config['cert']</source> + <source><![CDATA[$config['cert']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> + <show_disable_value>none</show_disable_value> + <default_value>none</default_value> </field> <field> <fielddescr>Intermediate CA Certificate (If Needed)</fielddescr> 
@@ -234,6 +236,43 @@ <default_value>on</default_value> </field> <field> + <fielddescr>Check Client Certificate</fielddescr> + <fieldname>reverse_check_clientca</fieldname> + <description>If checked, clients need a client certificate to authenticate.</description> + <type>checkbox</type> + <default_value>off</default_value> + </field> + <field> + <fielddescr>Client Certificate CA</fielddescr> + <fieldname>reverse_ssl_clientca</fieldname> + <description>Choose the CA used to issue client authentication certificates.</description> + <type>select_source</type> + <source><![CDATA[$config['ca']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + <show_disable_value>none</show_disable_value> + <default_value>none</default_value> + </field> + <field> + <fielddescr>Client Certificate Revocation List</fielddescr> + <fieldname>reverse_ssl_clientcrl</fieldname> + <description> + <![CDATA[ + Choose the CRL used for client certificates revocation. If set to 'none', no CRL validation will be performed.<br/> + <strong>Note: This must match the 'Client Certificate CA' selected above!</strong><br/><br/> + <strong><span class="errmsg">Important:</span></strong> After updating the CRL in System - Cert Manager - Certificate Revocation, remember to press the 'Refresh CRL' button below.<br/> + Otherwise, the updated CRL will not have any effect on Squid reverse proxy users!<br/><br/> + <input name='refresh_crl' id='refresh_crl' type='submit' value='Refresh CRL' /> + ]]> + </description> + <type>select_source</type> + <source><![CDATA[$config['crl']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + <show_disable_value>none</show_disable_value> + <default_value>none</default_value> + </field> + <field> <name>OWA Reverse Proxy General Settings</name> <type>listtopic</type> </field> 
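Review bot: The new 'Check Client Certificate' checkbox has no `<enablefields>`, unlike the other toggles in this file, so the 'Client Certificate CA' and 'Client Certificate Revocation List' selects stay active while the check is off and an admin can pick a CRL that is never applied; add `<enablefields>reverse_ssl_clientca,reverse_ssl_clientcrl</enablefields>` after the checkbox's `<type>`. The CRL description states that 'none' skips revocation checking, but the checkbox description does not say what is required of the certificate; suggest `If checked, clients must present a certificate issued by the 'Client Certificate CA' selected below. Without a 'Client Certificate Revocation List', revoked certificates are still accepted.` The embedded `<input name='refresh_crl' type='submit'>` submits the whole form, which presumably makes it an ordinary Save of this page as far as the package editor is concerned; the description should say so, because the button text suggests a read-only action.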
@@ -245,12 +284,12 @@ <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> </field> <field> - <fielddescr>CAS-Array / OWA Frontend IP Address</fielddescr> + <fielddescr>CAS-Array / OWA Frontend IP Address(es)</fielddescr> <fieldname>reverse_owa_ip</fieldname> <description> <![CDATA[ These are the internal IPs of the CAS-Array (OWA frontend servers).<br/> - <strong>Note: Separate entries by semi-colons (;)</strong> + Note: Separate entries by semi-colons (;) ]]> </description> <type>input</type> @@ -305,7 +344,8 @@ <custom_php_validation_command> <![CDATA[ if (!empty($_POST) && !squid_enabled()) { - $input_errors[] = "Squid is disabled. You must enable Squid proxy under Services - Squid Proxy Server - General."; + $errmsg = "Squid is disabled. You must enable Squid proxy under Services - Squid Proxy Server - General."; + file_notice("squidreversegeneral", $errmsg, "Squid Reverse Proxy", ""); } squid_validate_reverse($_POST, $input_errors); ]]> diff --git a/config/squid3/34/squid_reverse_peer.xml b/config/squid3/34/squid_reverse_peer.xml index fabc5b92..f5ab7544 100755 --- a/config/squid3/34/squid_reverse_peer.xml +++ b/config/squid3/34/squid_reverse_peer.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidreversepeer</name> - <version>0.3.5</version> + <version>0.4.5</version> <title>Reverse Proxy Server: Peers</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> @@ -119,7 +119,8 @@ ]]> </description> <type>input</type> - <size>20</size> + <size>30</size> + <required/> </field> <field> <fielddescr>Peer IP</fielddescr> @@ -131,7 +132,8 @@ ]]> </description> <type>input</type> - <size>20</size> + <size>30</size> + <required/> </field> <field> <fielddescr>Peer Port</fielddescr> @@ -143,7 +145,8 @@ ]]> </description> <type>input</type> - <size>20</size> + <size>5</size> + <required/> </field> <field> <fielddescr>Peer Protocol</fielddescr> 
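Review bot: In the custom_php_validation_command hunk the `file_notice()` call runs before `squid_validate_reverse()`, so a POST that then fails validation still leaves a persistent 'Squid is disabled' notice for settings that were never saved, and the notice fires again on every subsequent save attempt. Since this replaces a hard error with a notice on purpose (the saved reverse-proxy settings now sit idle until Squid is enabled, as the new help text explains), it is worth keeping the notice accurate: move it after the validation call and guard it, e.g. `if (!empty($_POST) && !squid_enabled() && empty($input_errors)) {`. The `$errmsg` local can be inlined into the call.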
diff --git a/config/squid3/34/squid_reverse_redir.xml b/config/squid3/34/squid_reverse_redir.xml index cf5fdb45..3be74353 100755 --- a/config/squid3/34/squid_reverse_redir.xml +++ b/config/squid3/34/squid_reverse_redir.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidreverseredir</name> - <version>0.3.7</version> + <version>0.4.5</version> <title>Reverse Proxy Server: Redirects</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> @@ -112,6 +112,7 @@ </description> <type>input</type> <size>20</size> + <required/> </field> <field> <fielddescr>Redirect Description</fielddescr> @@ -136,6 +137,7 @@ <option><name>HTTP</name><value>HTTP</value></option> <option><name>HTTPS</name><value>HTTPS</value></option> </options> + <required/> </field> <field> <fielddescr> @@ -154,6 +156,7 @@ <fieldname>uri</fieldname> <type>input</type> <size>60</size> + <required/> </rowhelperfield> </rowhelper> </field> @@ -168,6 +171,7 @@ </description> <type>input</type> <size>60</size> + <required/> </field> <field> <fielddescr>URL to Redirect To</fielddescr> @@ -175,6 +179,7 @@ <description>Enter the URL to redirect to here.</description> <type>input</type> <size>60</size> + <required/> </field> </fields> <custom_php_resync_config_command> diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml index 1091fce8..ee4b7f84 100755 --- a/config/squid3/34/squid_reverse_sync.xml +++ b/config/squid3/34/squid_reverse_sync.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidsync</name> - <version>0.4.2</version> + <version>0.4.5</version> <title>Reverse Proxy Server: XMLRPC Sync</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> @@ -88,7 +88,6 @@ ]]> </description> <type>select</type> - <required/> <default_value>disabled</default_value> <options> <option><name>Sync to configured system backup server</name><value>auto</value></option> 
@@ -101,7 +100,6 @@ <fieldname>synctimeout</fieldname> <description>XMLRPC timeout in seconds.</description> <type>select</type> - <required/> <default_value>250</default_value> <options> <option><name>250 seconds (Default)</name><value>250</value></option> @@ -139,6 +137,7 @@ <description><![CDATA[IP address or hostname of the destination host.]]></description> <type>input</type> <size>40</size> + <required/> </rowhelperfield> <rowhelperfield> <fielddescr>Port</fielddescr> @@ -146,6 +145,7 @@ <description><![CDATA[Choose the sync port of the destination host.]]></description> <type>input</type> <size>3</size> + <required/> </rowhelperfield> <rowhelperfield> <fielddescr>Admin Password</fielddescr> @@ -153,6 +153,7 @@ <description><![CDATA[Password of the user "admin" on the destination host.]]></description> <type>password</type> <size>20</size> + <required/> </rowhelperfield> </rowhelper> </field> diff --git a/config/squid3/34/squid_reverse_uri.xml b/config/squid3/34/squid_reverse_uri.xml index 9a493a15..18b5e0e6 100755 --- a/config/squid3/34/squid_reverse_uri.xml +++ b/config/squid3/34/squid_reverse_uri.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidreverseuri</name> - <version>0.3.7</version> + <version>0.4.5</version> <title>Reverse Proxy Server: Mappings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> @@ -112,6 +112,7 @@ </description> <type>input</type> <size>20</size> + <required/> </field> <field> <fielddescr>Group Description</fielddescr> @@ -134,7 +135,7 @@ <source_name>name</source_name> <source_value>name</source_value> <multiple/> - <size>05</size> + <size>5</size> </field> <field> <fielddescr> @@ -154,6 +155,7 @@ <fieldname>uri</fieldname> <type>input</type> <size>70</size> + <required/> </rowhelperfield> </rowhelper> </field> diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml index a7670ff5..b8b62460 100755 --- a/config/squid3/34/squid_sync.xml +++ b/config/squid3/34/squid_sync.xml 
@@ -42,7 +42,7 @@ ]]> </copyright> <name>squidsync</name> - <version>0.4.2</version> + <version>0.4.5</version> <title>Proxy Server: XMLRPC Sync</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> @@ -104,7 +104,6 @@ ]]> </description> <type>select</type> - <required/> <default_value>disabled</default_value> <options> <option><name>Sync to configured system backup server</name><value>auto</value></option> @@ -117,7 +116,6 @@ <fieldname>synctimeout</fieldname> <description>XMLRPC timeout in seconds.</description> <type>select</type> - <required/> <default_value>250</default_value> <options> <option><name>250 seconds (Default)</name><value>250</value></option> @@ -155,6 +153,7 @@ <description><![CDATA[IP address or hostname of the destination host.]]></description> <type>input</type> <size>40</size> + <required/> </rowhelperfield> <rowhelperfield> <fielddescr>Port</fielddescr> @@ -162,6 +161,7 @@ <description><![CDATA[Choose the sync port of the destination host.]]></description> <type>input</type> <size>3</size> + <required/> </rowhelperfield> <rowhelperfield> <fielddescr>Admin Password</fielddescr> @@ -169,6 +169,7 @@ <description><![CDATA[Password of the user "admin" on the destination host.]]></description> <type>password</type> <size>20</size> + <required/> </rowhelperfield> </rowhelper> </field> diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml index 14e23216..46f2dfae 100755 --- a/config/squid3/34/squid_upstream.xml +++ b/config/squid3/34/squid_upstream.xml @@ -42,7 +42,7 @@ ]]> </copyright> <name>squidremote</name> - <version>0.3.5</version> + <version>0.4.5</version> <title>Proxy Server: Remote Proxy Settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> 
@@ -124,7 +124,6 @@ <fieldname>enable</fieldname> <description>This option enables the proxy server to forward requests to an upstream/neighbor server.</description> <type>checkbox</type> - <required/> </field> <field> <fielddescr>Hostname</fielddescr> diff --git a/pkg_config.10.xml b/pkg_config.10.xml index e7c29115..7e39e5e1 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -1089,7 +1089,7 @@ <pkginfolink>https://forum.pfsense.org/index.php?topic=100167.0</pkginfolink> <website>http://www.squid-cache.org/</website> <category>Services</category> - <version>0.4.4</version> + <version>0.4.5</version> <status>BETA</status> <required_version>2.2</required_version> <maintainer>marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org</maintainer> |