diff options
| -rw-r--r-- | packages/squid.xml | 400 | ||||
| -rw-r--r-- | packages/squid_auth.inc | 353 | ||||
| -rw-r--r-- | packages/squid_auth.xml | 136 | ||||
| -rw-r--r-- | packages/squid_cache.xml | 19 | ||||
| -rw-r--r-- | packages/squid_nac.xml | 13 | ||||
| -rw-r--r-- | packages/squid_ng.inc | 397 | ||||
| -rw-r--r-- | packages/squid_ng.xml | 224 | ||||
| -rw-r--r-- | packages/squid_traffic.xml | 13 | ||||
| -rw-r--r-- | packages/squid_upstream.xml | 14 |
9 files changed, 1256 insertions, 313 deletions
diff --git a/packages/squid.xml b/packages/squid.xml new file mode 100644 index 00000000..cc746c70 --- /dev/null +++ b/packages/squid.xml @@ -0,0 +1,400 @@ +<?xml version="1.0" encoding="utf-8" ?> + +<packagegui> + <name>squidng</name> + <title>Services: Squid Advanced Proxy</title> + <category>Security</category> + <version>2.5.10_4</version> + <configpath>installedpackages->package->squidng->configuration->settings</configpath> + + <aftersaveredirect>/pkg_edit.php?xml=squid.xml&id=0</aftersaveredirect> + + <menu> + <name>Squid Advanced Proxy</name> + <tooltiptext>Modify settings for Squid Advanced Proxy</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </menu> + + <!-- TODO: Add xml to parse proxy logs into readable format + <menu> + <name>Proxy Log</name> + <section>Status</section> + <configfile>squid_log.xml</configfile> + </menu> --> + + <files> + <file> + <type>package</type> + <location>ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-current/Latest/squid.tbz</location> + </file> + <file> + <type>package</type> + <location>ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-6-current/Latest/squidGuard.tbz</location> + </file> + + <!-- retrieves the configuration file for upstream proxy settings --> + + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_ng.inc</location> + </file> + + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_auth.inc</location> + </file> + + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_upstream.xml</location> + </file> + + <!-- retrieves the configuration file for cache management --> + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_cache.xml</location> + </file> + + <!-- retrieves the configuration file for network access control --> + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_nac.xml</location> + </file> + + <!-- retrieves the configuration file for traffic management --> + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_traffic.xml</location> + </file> + + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_auth.xml</location> + </file> + + <file> + <type>configfile</type> + <location>http://www.pfsense.com/packages/config/squid_extauth.xml</location> + </file> + + </files> + + <tabs> + <tab> + <text>General Settings</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + <active/> + </tab> + + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + + <tab> + <text>Network Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + + <tab> + <text>Extended Auth Settings</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + </tab> + </tabs> + + <fields> + <field> + <fielddescr>Proxy Listening Interface</fielddescr> + <fieldname>active_interface</fieldname> + <description>This defines the active listening interface to which the proxy server will listen for its requests.</description> + <type>interfaces_selection</type> + </field> + + <field> + <fielddescr>Transparent Proxy</fielddescr> + <fieldname>transparent_proxy</fieldname> + <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <type>checkbox</type> + </field> + + <field> + <fielddescr>Log Enabled</fielddescr> + <fieldname>log_enabled</fieldname> + <description>This enables the Web Proxy logging feature. All clients requests will be written to a log file viewable under Services -> Proxy Log.</description> + <type>checkbox</type> + </field> + + <field> + <fielddescr>URL Filtering Enabled</fielddescr> + <fieldname>urlfilter_enable</fieldname> + <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description> + <type>checkbox</type> + </field> + + <field> + <fielddescr>Log Query Terms</fielddescr> + <fieldname>log_query_terms</fieldname> + <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description> + <type>checkbox</type> + </field> + + <field> + <fielddescr>Log User Agents</fielddescr> + <fieldname>log_user_agents</fieldname> + <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description> + <type>checkbox</type> + </field> + + <field> + <combinefieldsend>true</combinefieldsend> + <fielddescr>Proxy Port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description> + <size>4</size> + <type>input</type> + </field> + + <field> + <fielddescr>ICP Port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description> + <size>4</size> + <type>input</type> + </field> + + <field> + <fielddescr>Visible Hostname</fielddescr> + <fieldname>visible_hostname</fieldname> + <description>This URL is displayed on the Proxy Server error messages.</description> + <size>35</size> + <type>input</type> + </field> + + <field> + <fielddescr>Cache Administrator E-Mail</fielddescr> + <fieldname>cache_admin_email</fieldname> + <description>This E-Mail address is displayed on the Proxy Server error messages.</description> + <size>35</size> + <type>input</type> + </field> + + <field> + <fielddescr>Error Messages Language</fielddescr> + <fieldname>error_language</fieldname> + <description>Select the language in which the Proxy Server shall display error messages to users.</description> + <type>select</type> + <options> + <option><name>Bulgarian</name><value>Bulgarian</value></option> + <option><name>Catalan</name><value>Catalan</value></option> + <option><name>Czech</name><value>Czech</value></option> + <option><name>Danish</name><value>Danish</value></option> + <option><name>Dutch</name><value>Dutch</value></option> + <option><name>English</name><value>English</value></option> + <option><name>Estonian</name><value>Estonian</value></option> + <option><name>Finnish</name><value>Finnish</value></option> + <option><name>French</name><value>French</value></option> + <option><name>German</name><value>German</value></option> + <option><name>Hebrew</name><value>Hebrew</value></option> + <option><name>Hungarian</name><value>Hungarian</value></option> + <option><name>Italian</name><value>Italian</value></option> + <option><name>Japanese</name><value>Japanese</value></option> + <option><name>Korean</name><value>Korean</value></option> + <option><name>Lithuanian</name><value>Lithuanian</value></option> + <option><name>Polish</name><value>Polish</value></option> + <option><name>Portuguese</name><value>Portuguese</value></option> + <option><name>Romanian</name><value>Romanian</value></option> + <option><name>Russian-1251</name><value>Russian-1251</value></option> + <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option> + <option><name>Serbian</name><value>Serbian</value></option> + <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option> + <option><name>Slovak</name><value>Slovak</value></option> + <option><name>Spanish</name><value>Spanish</value></option> + <option><name>Swedish</name><value>Swedish</value></option> + <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option> + <option><name>Turkish</name><value>Turkish</value></option> + </options> + </field> + + </fields> + + <!-- The below writes the configuration as defined by the GUI options --> + <custom_php_global_functions> + function write_static_squid_config() { + global $config; + $lancfg = $config['interfaces']['lan']; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $fout = fopen("/usr/local/etc/squid/squid.conf","w"); + fwrite($fout, "#\n"); + fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); + fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); + fwrite($fout, "#\n"); + fwrite($fout, "shutdown_lifetime 5 seconds\n"); + fwrite($fout, "icp_port 0\n"); + fwrite($fout, "\n"); + + fwrite($fout, "http_port 3128\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + fwrite($fout, "\n"); + + fwrite($fout, "pid_filename /var/run/squid.pid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_mem 8 MB\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); + fwrite($fout, "\n"); + + fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); + fwrite($fout, "\n"); + + fwrite($fout, "memory_replacement_policy heap GDSF\n"); + fwrite($fout, "cache_replacement_policy heap GDSF\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_access_log /dev/null\n"); + fwrite($fout, "cache_log /dev/null\n"); + fwrite($fout, "cache_store_log none\n"); + fwrite($fout, "\n"); + + fwrite($fout, "log_mime_hdrs off\n"); + fwrite($fout, "emulate_httpd_log on\n"); + fwrite($fout, "forwarded_for off\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl Safe_ports port 80 # http\n"); + fwrite($fout, "acl Safe_ports port 21 # ftp\n"); + fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n"); + fwrite($fout, "acl Safe_ports port 70 # gopher\n"); + fwrite($fout, "acl Safe_ports port 210 # wais\n"); + fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); + fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); + fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); + fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); + fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); + fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl CONNECT method CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#access to squid; local machine; no restrictions\n"); + fwrite($fout, "http_access allow localnet\n"); + fwrite($fout, "http_access allow localhost\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Deny non web services\n"); + fwrite($fout, "http_access deny !Safe_ports\n"); + fwrite($fout, "http_access deny CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Set custom configured ACLs\n"); + fwrite($fout, "http_access deny all\n"); + fwrite($fout, "visible_hostname pfSense\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_effective_user squid\n"); + fwrite($fout, "cache_effective_group squid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "maximum_object_size 4096 KB\n"); + fwrite($fout, "minimum_object_size 0 KB\n"); + fwrite($fout, "\n"); + + fwrite($fout, "request_body_max_size 0 KB\n"); + fwrite($fout, "reply_body_max_size 0 allow all\n"); + fwrite($fout, "\n"); + + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + + fclose($fout); + } <!-- end function write_static_squid_config() --> + </custom_php_global_functions> + + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec_bg("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + + <custom_php_install_command> + write_static_squid_config(); <!-- write initial static config for transparent proxy --> + + update_output_window("Creating Squid Advanced Proxy initialization scripts..."); + $fout = fopen("/usr/local/etc/rc.d/squid.sh","w"); + fwrite($fout, "#!/bin/sh\n"); + fwrite($fout, "#$pfSense: /usr/local/sbin/rc.d/squid.sh\n\n"); + fwrite($fout, "touch /tmp/ro_root_mount\n"); + fwrite($fout, "/usr/local/sbin/squid -D\n"); + fwrite($fout, "touch /tmp/filter_dirty\n"); + fclose($fout); + + chmod("/usr/local/etc/rc.d/squid.sh", 755); + + <!-- create log directory hierarchies if they don't exist --> + update_output_window("Creating required directory hierarchies..."); + + if (!file_exists("/var/squid/logs")) mwexec("mkdir -p /var/squid/logs"); + if (!file_exists("/var/squid/cache")) mwexec("mkdir -p /var/squid/cache"); + if (!file_exists("/usr/local/etc/squid/advanced/acls")) mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm"); + if (!file_exists("/usr/local/etc/squid/advanced/radius")) mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); + + update_output_window("Initializing Cache... This may take a moment..."); + exec("/usr/local/sbin/squid -z"); + + update_output_window("Starting Squid Advanced Proxy..."); + mwexec_bg("/usr/local/etc/rc.d/squid.sh"); + filter_configure(); + </custom_php_install_command> + + <custom_php_deinstall_command> + mwexec("rm -rf /usr/local/squid"); + mwexec("rm -rf /var/squid/cache"); + mwexec("rm -rf /usr/local/etc/squid"); + + unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); + unlink_if_exists("/usr/local/etc/squid"); + unlink_if_exists("/usr/local/libexec/squid"); + + filter_configure(); + </custom_php_deinstall_command> + + <start_command>/usr/local/etc/rc.d/squid.sh</start_command> + + <process_kill_command>/usr/local/sbin/squid -k shutdown</process_kill_command> + +</packagegui> +
\ No newline at end of file diff --git a/packages/squid_auth.inc b/packages/squid_auth.inc new file mode 100644 index 00000000..7b29ce00 --- /dev/null +++ b/packages/squid_auth.inc @@ -0,0 +1,353 @@ +<?php +/* $Id$ */ + +/* + squid_auth.inc + part of pfSense (www.pfSense.com) + + Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ + +function global_eval_auth_options(){ + conf_mount_rw(); + config_lock(); + + global $config; + + $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; + + switch ($auth_method) { + case "none": + $filecontents = file('/usr/local/pkg/squid_auth.xml'); + + $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + + dynamic_no_auth(); + break; + case "local_auth": + dynamic_auth_content(); + dynamic_local_auth(); + break; + case "ldap_bind": + $filecontents = file('/usr/local/pkg/squid_auth.xml'); + + $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + + dynamic_ldap_auth(); + break; + case "domain_auth": + $filecontents = file('/usr/local/pkg/squid_auth.xml'); + + $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + + dynamic_domain_auth(); + break; + case "radius_auth": + $filecontents = file('/usr/local/pkg/squid_auth.xml'); + + $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + + dynamic_radius_auth(); + break; + default: + $filecontents = file('/usr/local/pkg/squid_auth.xml'); + + $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + + dynamic_no_auth(); + break; + } + + conf_mount_ro(); + config_unlock(); + +} /* end function global_eval_auth_options */ + +function dynamic_no_auth() { + conf_mount_rw(); + config_lock(); + + global $config; + + $pkgfile = "/usr/local/pkg/squid_extauth.xml"; + + $fout = fopen($pkgfile, "w"); + + fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextnoauth</name>\n"); + fwrite($fout, " <title>Services: Squid Advanced Proxy -> Extended Authentication Settings</title>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n"); + fwrite($fout, " <fieldname>no_auth</fieldname>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); +} + +function dynamic_local_auth() { + conf_mount_rw(); + config_lock(); + + global $config; + + $pkgfile = "/usr/local/pkg/squid_extauth.xml"; + + $fout = fopen($pkgfile, "w"); + + fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n"); + fwrite($fout, "\n"); + fwrite($fout, "<packagegui>\n"); + fwrite($fout, " <name>squidextlocalauth</name>\n"); + fwrite($fout, " <title>Services: Squid Advanced Proxy -> Extended Authentication Settings</title>\n"); + fwrite($fout, " <version>2.5.10_4</version>\n"); + fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <files></files>\n"); + fwrite($fout, " <menu></menu>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tabs>\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>General Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Upstream Proxy</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Cache Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Network Access Control</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Traffic Mgmt</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <tab>\n"); + fwrite($fout, " <text>Extended Auth Settings</text>\n"); + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + fwrite($fout, " <active/>\n"); + fwrite($fout, " </tab>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </tabs>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <adddeleteeditpagefields>\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Description</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <columnitem>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " </columnitem>\n"); + fwrite($fout, " </adddeleteeditpagefields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <fields>\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Username</fielddescr>\n"); + fwrite($fout, " <fieldname>username</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>15</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Password</fielddescr>\n"); + fwrite($fout, " <fieldname>password</fieldname>\n"); + fwrite($fout, " <type>password</type>\n"); + fwrite($fout, " <size>8</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n"); + fwrite($fout, " <fieldname>description</fieldname>\n"); + fwrite($fout, " <type>input</type>\n"); + fwrite($fout, " <size>30</size>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <field>\n"); + fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); + fwrite($fout, " <fieldname>group</fieldname>\n"); + fwrite($fout, " <type>select</type>\n"); + fwrite($fout, " <options>\n"); + fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n"); + fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n"); + fwrite($fout, " </options>\n"); + fwrite($fout, " </field>\n"); + fwrite($fout, "\n"); + fwrite($fout, " </fields>\n"); + fwrite($fout, "\n"); + fwrite($fout, " <custom_add_php_command_late>\n"); + fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n"); + fwrite($fout, "\n"); + fwrite($fout, ' if ($password == $confirm_password) { ' . "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, " }\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n"); + fwrite($fout, " </custom_add_php_command_late>\n"); + fwrite($fout, "\n"); + fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + conf_mount_ro(); + config_unlock(); +} /* end function dynamic_local_auth */ + +/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ +function dynamic_auth_content() { + + if ($handle = opendir('/usr/local/pkg')) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + + $filecontents = file("/usr/local/pkg/" . $file); + + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } +} /* end function dynamic_auth_content */ + +?>
\ No newline at end of file diff --git a/packages/squid_auth.xml b/packages/squid_auth.xml new file mode 100644 index 00000000..f1d0d14c --- /dev/null +++ b/packages/squid_auth.xml @@ -0,0 +1,136 @@ +<?xml version="1.0" encoding="utf-8" ?> + +<packagegui> + <name>squidauth</name> + <title>Services: Proxy Server -> Authentication Settings</title> + <category>Security</category> + <version>2.5.10_4</version> + <configpath>installedpackages->package->squidauth->configuration->settings</configpath> + + <files></files> + <menu></menu> + + <aftersaveredirect>/pkg_edit.php?xml=squid_auth.xml&id=0</aftersaveredirect> + + <tabs> + <tab> + <text>General Settings</text> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </tab> + + <tab> + <text>Upstream Proxy</text> + <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + </tab> + + <tab> + <text>Cache Mgmt</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + + <tab> + <text>Network Access Control</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + <active/> + </tab> + + <tab> + <text>Extended Auth Settings</text> + <url>/pkg.php?xml=squid_extauth.xml&id=0</url> + </tab> + </tabs> + + <fields> + <field> + <fielddescr>Authentication Methods</fielddescr> + <fieldname>auth_method</fieldname> + <description>Select a valid authentication method. This will allow users to be authenticated by external entities or a minimum, a local password in order to access websites. The default value is "None".</description> + <type>select</type> + <options> + <option><name>None</name><value>none</value></option> + <option><name>Local Authentication</name><value>local_auth</value></option> + <option><name>LDAP Authentication</name><value>ldap_bind</value></option> + <option><name>NT Domain Authentication</name><value>domain_auth</value></option> + <option><name>RADIUS Authentication</name><value>radius_auth</value></option> + </options> + </field> + + <field> + <fielddescr>Number of Authentication Processes</fielddescr> + <fieldname>auth_processes</fieldname> + <description>The number of authenticator processes to spawn at one time. If many authentications are expected within a short timeframe, increase this number accordingly. The default value is 5.</description> + <type>input</type> + <size>4</size> + </field> + + <field> + <fielddescr>Authentication Cache TTL (in minutes)</fielddescr> + <fieldname>auth_cache_ttl</fieldname> + <description>This specifies how long Squid assumes an externally validated username and password combination is valid for. Upon reaching the timeframe set within this value, user(s) will be re-prompted to authenticate.</description> + <type>input</type> + <size>4</size> + </field> + + <field> + <fielddescr>Limit IP Addresses per User</fielddescr> + <fieldname>limit_ip_addr</fieldname> + <description>A number can be specified to enforce restrictions to prevent potential replay attacks limiting the number of times a user can login from a different source IP address. The default value is 2.</description> + <type>input</type> + <size>4</size> + </field> + + <field> + <fielddescr>User/IP Cache TTL (in minutes)</fielddescr> + <fieldname>user_ip_cache_ttl</fieldname> + <description>This value controls how long the proxy will remember the IP address that is associated with a user. This is used in conjuction with the above option.</description> + <type>input</type> + <size>4</size> + </field> + + <field> + <fielddescr>Require Authentication for Unrestricted Source Addresses</fielddescr> + <fieldname>req_unrestricted_auth</fieldname> + <description></description> + <type>checkbox</type> + </field> + + <field> + <fielddescr>Authentication Realm Prompt</fielddescr> + <fieldname>auth_realm_prompt</fieldname> + <description>This text will be displayed at the top of the authentication request window.</description> + <type>input</type> + <size>40</size> + </field> + + <field> + <fielddescr>Domains Without Authentication</fielddescr> + <fieldname>no_domain_auth</fieldname> + <description></description> + <type>textarea</type> + <rows>5</rows> + <cols>50</cols> + </field> + + </fields> + + <custom_add_php_command_late> + require_once("/usr/local/pkg/squid_ng.inc"); + require_once("/usr/local/pkg/squid_auth.inc"); + + global_eval_auth_options(); + + global_write_squid_config(); + mwexec_bg("/usr/local/sbin/squid -k reconfigure"); + </custom_add_php_command_late> + +</packagegui>
\ No newline at end of file diff --git a/packages/squid_cache.xml b/packages/squid_cache.xml index 8741f319..33fc5f5e 100644 --- a/packages/squid_cache.xml +++ b/packages/squid_cache.xml @@ -2,7 +2,7 @@ <packagegui> <name>squidcache</name> - <title>Services: Squid Advanced Proxy</title> + <title>Services: Proxy Server -> Cache Management</title> <configpath>installedpackages->package->squidcache->configuration->settings</configpath> <aftersaveredirect>/pkg_edit.php?xml=squid_cache.xml&id=0</aftersaveredirect> @@ -34,16 +34,15 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> - <!-- <tab> - <text>Authentication Settings</text> - <url>/pkg_edit.php?xml=squidauth.xml&id=0</url> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=squidusers.xml&id=0</url> + <text>Extended Auth Settings</text> + <url>/pkg.php?xml=squid_extauth.xml&id=0</url> </tab> - --> </tabs> <fields> @@ -103,7 +102,7 @@ <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GSDF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GSDF: Greedy-Dual Size Frequency </b> - The Heap GSDF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 4096 KB to maximuze the potential byte hit rate improvement of LFUDA.</description> <type>select</type> <options> - <option><name>LRU</name><value>LRU</value></option> + <option><name>LRU</name><value>lru</value></option> <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> <option><name>Heap GDSF</name><value>heap GSDF</value></option> <option><name>Heap LRU</name><value>heap LRU</value></option> @@ -113,10 +112,10 @@ <field> <fielddescr>Cache Replacement Policy</fielddescr> <fieldname>cache_replacement</fieldname> - <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA.</description> + <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> <type>select</type> <options> - <option><name>LRU</name><value>LRU</value></option> + <option><name>LRU</name><value>lru</value></option> <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> <option><name>Heap GDSF</name><value>heap GSDF</value></option> <option><name>Heap LRU</name><value>heap LRU</value></option> diff --git a/packages/squid_nac.xml b/packages/squid_nac.xml index 70521b6d..b15e5481 100644 --- a/packages/squid_nac.xml +++ b/packages/squid_nac.xml @@ -2,7 +2,7 @@ <packagegui> <name>squidnac</name> - <title>Services: Squid Advanced Proxy</title> + <title>Services: Proxy Server -> Network Access Control</title> <configpath>installedpackages->package->squidnac->configuration->settings</configpath> <aftersaveredirect>/pkg_edit.php?xml=squid_nac.xml&id=0</aftersaveredirect> @@ -34,16 +34,15 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> - <!-- <tab> - <text>Authentication Settings</text> - <url>/pkg_edit.php?xml=squidauth.xml&id=0</url> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=squidusers.xml&id=0</url> + <text>Extended Auth Settings</text> + <url>/pkg.php?xml=squid_extauth.xml&id=0</url> </tab> - --> </tabs> <fields> diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc index 5d49c1b6..6a92718b 100644 --- a/packages/squid_ng.inc +++ b/packages/squid_ng.inc @@ -40,69 +40,71 @@ function global_write_squid_config() { /* define squid configuration file in variable for replace function */ $squidconfig = "/usr/local/etc/squid/squid.conf"; - /* squid_ng.xml values */ - $active_interface = $config['installedpackages']['squidng']['config'][0]['active_interface']; - $transparent_proxy = $config['installedpackages']['squidng']['config'][0]['transparent_proxy']; - $log_enabled = $config['installedpackages']['squidng']['config'][0]['log_enabled']; - $urlfilter_enable = $config['installedpackages']['squidng']['config'][0]['urlfilter_enable']; - $log_query_terms = $config['installedpackages']['squidng']['config'][0]['log_query_terms']; - $log_user_agents = $config['installedpackages']['squidng']['config'][0]['log_user_agents']; - $proxy_port = $config['installedpackages']['squidng']['config'][0]['proxy_port']; - $visible_hostname = $config['installedpackages']['squidng']['config'][0]['visible_hostname']; - $cache_admin_email = $config['installedpackages']['squidng']['config'][0]['cache_admin_email']; - $error_language = $config['installedpackages']['squidng']['config'][0]['error_language']; + /* squid.xml values */ + $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; + $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; + $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; + $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; + $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; + $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; + $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port']; + $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname']; + $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email']; + $error_language = $config['installedpackages']['squid']['config'][0]['error_language']; /* squid_upstream.xml values */ - $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; - $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; - $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; - $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; - $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; - $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; - $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; + $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; + $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; + $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; + $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; + $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; + $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; + $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; - /* squidcache.xml values */ - $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; - $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; - $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; - $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; - $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; - $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; - $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; - $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; - $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; + /* squid_cache.xml values */ + $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; + $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; + $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; + $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; + $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; + $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; + $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; + $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; + $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; - /* squidnac.xml values */ - $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; - $unrestricted_ip_address = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; - $unrestricted_mac_addresses = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; - $banned_ip_addresses = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; - $banned_mac_addresses = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; + /* squid_nac.xml values */ + $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; + $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; + $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; + $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; + $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; - /* squidtraffic.xml values */ - $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; - $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; - $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; - $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; + /* squid_traffic.xml values */ + $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; + $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; + $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; + $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files']; - $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; - $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; + $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; + $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; - /* squidauth.xml values (placeholder for now) */ - $no_auth = $config['installedpackages']['squidtraffic']['config'][0]['no_auth']; - $local_auth = $config['installedpackages']['squidtraffic']['config'][0]['local_auth']; - $ldap_auth = $config['installedpackages']['squidtraffic']['config'][0]['ldap_auth']; - $windows_auth = $config['installedpackages']['squidtraffic']['config'][0]['windows_auth']; - $radius_auth = $config['installedpackages']['squidtraffic']['config'][0]['radius_auth']; - $auth_processes = $config['installedpackages']['squidtraffic']['config'][0]['auth_processes']; - $auth_cache_ttl = $config['installedpackages']['squidtraffic']['config'][0]['auth_cache_ttl']; - $limit_ip_addr = $config['installedpackages']['squidtraffic']['config'][0]['limit_ip_addr']; - $user_ip_cache_ttl = $config['installedpackages']['squidtraffic']['config'][0]['user_ip_cache_ttl']; - $req_unrestricted_auth = $config['installedpackages']['squidtraffic']['config'][0]['req_unrestricted_auth']; - $auth_realm_prompt = $config['installedpackages']['squidtraffic']['config'][0]['auth_realm_prompt']; - $no_domain_auth = $config['installedpackages']['squidtraffic']['config'][0]['no_domain_auth']; - $min_pass_length = $config['installedpackages']['squidtraffic']['config'][0]['min_pass_length']; - $bypass_extended = $config['installedpackages']['squidtraffic']['config'][0]['bypass_extended']; + /* TODO: squid_auth.xml values (placeholder for now) */ + $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; + $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes']; + $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl']; + $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr']; + $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl']; + $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth']; + $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt']; + $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth']; + $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length']; + $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended']; + + /* static variable assignments for directory mapping */ + $acldir = "/usr/local/etc/squid/advanced/acls"; + $ncsadir = "/usr/local/etc/squid/advanced/ncsa"; + $ntlmdir = "/usr/local/etc/squid/advanced/ntlm"; + $radiusdir = "/usr/local/etc/squid/advanced/radius"; $fout = fopen($squidconfig,"w"); @@ -114,25 +116,23 @@ function global_write_squid_config() { if($icp_port == "") $icp_port="3130"; fwrite($fout, "icp_port " . $icp_port . "\n"); - /* option: http_port */ - if($http_port == "") $http_port="3128"; - if($config['installedpackages']['squidng']['config'][0]['active_interface'] == "LAN") { - $listen_ip = find_interface_ip($config['interfaces']['lan']['if']); - } elseif($int == "WAN") { - $listen_ip = find_interface_ip($config['interfaces']['wan']['if']); - } else { - $int = convert_friendly_interface_to_real_interface_name($config['installedpackages']['squidng']['config'][0]['active_interface']); + /* option: proxy_port */ + if($proxy_port == "") $proxy_port="3128"; + if (isset($transparent_proxy) && ($transparent_proxy != "on")) { + $int = convert_friendly_interface_to_real_interface_name($active_interface); $listen_ip = find_interface_ip($int); - } - fwrite($fout, "http_port " . $listen_ip . ":" . $http_port . "\n"); - fwrite($fout, "\n"); + + fwrite($fout, "http_port " . $listen_ip . ":" . $proxy_port . "\n"); + fwrite($fout, "\n"); - fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); - fwrite($fout, "no_cache deny QUERY\n"); + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + } - if ($domain !== "") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); - $aclout = fopen("/usr/local/etc/squid/acls/dst_nocache.acl","w"); + /* option: acl no cache domains */ + if (isset($domain) && $domain !== "") { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + $aclout = fopen($acldir . "/dst_nocache.acl","w"); $domain_array = split(";",$domain); foreach ($domain_array as $no_cache_domain) { @@ -141,7 +141,7 @@ function global_write_squid_config() { fclose($aclout); - fwrite($fout, 'acl no_cache_domains dstdomain "/usr/local/etc/squid/acls/dst_nocache.acl"' . "\n"); + fwrite($fout, 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"); fwrite($fout, "no_cache deny no_cache_domains\n"); } @@ -158,25 +158,32 @@ function global_write_squid_config() { fwrite($fout, "cache_mem " . $memory_cache_size . " MB\n"); if ($harddisk_cache_size == "") $harddisk_cache_size="500"; if ($level_subdirs == "") $level_subdirs="16"; - fwrite($fout, "cache_dir aufs /var/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n"); fwrite($fout, "\n"); if ($error_language == "") $error_language="English"; fwrite($fout, "error_directory /usr/local/etc/squid/errors/" . $error_language . "\n"); fwrite($fout, "\n"); - if ($offline_mode == "on") { + if (isset($offline_mode) and ($offline_mode == "on")) { fwrite($fout, "offline_mode on\n"); fwrite($fout, "\n"); + } else { + fwrite($fout, "offline_mode off\n"); + fwrite($fout, "\n"); } - if ($memory_replacement == "") $memory_replacement="heap GDSF"; + if (!isset($cache_replacement) or ($memory_replacement == "")) $memory_replacement="heap GDSF"; fwrite($fout, "memory_replacement_policy " . $memory_replacement . "\n"); - if ($cache_replacement == "") $cache_replacement="heap GDSF"; + if (!isset($cache_replacement) or ($cache_replacement == "")) $cache_replacement="heap GDSF"; fwrite($fout, "cache_replacement_policy " . $cache_replacement . "\n"); fwrite($fout, "\n"); if ($log_enabled == "on" ) { + if (!file_exists("/var/squid/logs")) { + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + } fwrite($fout, "cache_access_log /var/squid/logs/access.log\n"); fwrite($fout, "cache_log /var/squid/logs/cache.log\n"); fwrite($fout, "cache_store_log none\n"); @@ -193,71 +200,94 @@ function global_write_squid_config() { } if ($log_user_agents == "on") { + if (!file_exists("/var/squid/logs")) mwexec("mkdir -p /var/squid/logs"); fwrite($fout, "useragent_log /var/squid/logs/useragent.log\n"); } fwrite($fout, "\n"); fwrite($fout, "log_mime_hdrs off\n"); fwrite($fout, "emulate_httpd_log on\n"); - if ($client_ip_forwarding !== "on") { - fwrite($fout, "forwarded_for off\n"); - } elseif ($user_forwarding !== "on") { - fwrite($fout, "forwarded_for off\n"); - } else { - fwrite($fout, "forwarded_for on\n"); - } + + switch ($user_forwarding) { + case "on": + fwrite($fout, "forwarded_for on\n"); + break; + case "off": + fwrite($fout, "forwarded_for off\n"); + break; + default: + fwrite($fout, "forwarded_for off\n"); + break; + } fwrite($fout, "\n"); if ($no_auth == "on") { fwrite($fout, "\n"); } - if ($local_auth == "on") { - fwrite($fout, "auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd\n"); - fwrite($fout, "auth_param basic children 5\n"); - fwrite($fout, "auth_param basic realm pfSense Advanced Proxy Service\n"); - fwrite($fout, "auth_param basic credentialsttl 60 minutes\n"); - fwrite($fout, "\n"); + switch ($auth_method) { + case "none": + break; + case "local_auth": + fwrite($fout, "auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd\n"); + if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5"; + fwrite($fout, "auth_param basic children " . $auth_processes . "\n"); + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy"; + fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n"); + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60"; + fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n"); + fwrite($fout, "\n"); + fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n"); + fwrite($fout, "\n"); + break; + case "radius_auth"; + break; + case "ldap_auth"; + break; + case "windows_auth"; + break; + default: + break; } - - /* TODO: placeholder for local user management */ - - if ($throttle_binary_files == "on") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); - $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; + + if (isset($throttle_binary_files) && $throttle_binary_files == "on") { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; - $throttle_out = fopen("/usr/local/etc/squid/acls/dst_throttle_binary.acl","w"); + $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); fwrite($throttle_out, $binary_out); - fwrite($fout, 'acl for_throttled_binary url_regex -i "/usr/local/etc/squid/acls/dst_throttle_binary.acl"' . "\n"); fclose($throttle_out); + fwrite($fout, 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"); } else { - if (file_exists("/usr/local/etc/squid/acls/dst_throttle_binary.acl")) unlink("/usr/local/etc/squid/acls/dst_throttle_binary.acl"); + if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); } - if ($throttle_cd_images == "on") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + if (isset($throttle_cd_images) && $throttle_cd_images == "on") { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; - $throttle_out = fopen("/usr/local/etc/squid/acls/dst_throttle_cd.acl","w"); + $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w"); fwrite($throttle_out, $cd_out); - fwrite($fout, 'acl for_throttled_cd url_regex -i "/usr/local/etc/squid/acls/dst_throttle_cd.acl"' . "\n"); fclose($throttle_out); + fwrite($fout, 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"); } else { - if (file_exists("/usr/local/etc/squid/acls/dst_throttle_cd.acl")) unlink("/usr/local/etc/squid/acls/dst_throttle_cd.acl"); + if (file_exists($acldir . "/dst_throttle_cd.acl")) unlink($acldir . "/dst_throttle_cd.acl"); } - if ($throttle_multimedia == "on") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + if (isset($throttle_multimedia) && $throttle_multimedia == "on") { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; - $throttle_out = fopen("/usr/local/etc/squid/acls/dst_throttle_multimedia.acl","w"); + $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w"); fwrite($throttle_out, $multimedia_out); - fwrite($fout, 'acl for_throttled_multimedia url_regex -i "/usr/local/etc/squid/acls/dst_throttle_multimedia.acl"' . "\n"); fclose($throttle_out); + fwrite($fout, 'acl for_throttled_multimedia url_regex -i "' . $acldir . 'dst_throttle_multimedia.acl"' . "\n"); } else { - if (file_exists("/usr/local/etc/squid/acls/dst_throttle_multimedia.acl")) unlink("/usr/local/etc/squid/acls/dst_throttle_multimedia.acl"); + if (file_exists($acldir . "/dst_throttle_multimedia.acl")) unlink($acldir . "/dst_throttle_multimedia.acl"); } fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); @@ -275,6 +305,7 @@ function global_write_squid_config() { fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n"); fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl SSL_ports port 443 563\n"); fwrite($fout, "acl Safe_ports port 80 # http\n"); fwrite($fout, "acl Safe_ports port 21 # ftp\n"); fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n"); @@ -291,14 +322,14 @@ function global_write_squid_config() { /* allow access through proxy for custom admin port */ $custom_port = $config['system']['webgui']['port']; if ($custom_port !== "") { - fwrite($fout, "acl pf_admin_port port " . $custom_port . "\n"); + fwrite($fout, "acl pf_admin_port port " . $custom_port . "\n"); } /* define subnets allowed to utilize proxy service */ - if ($allowed_subnets !== "") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + if (isset($allowed_subnets) && ($allowed_subnets !== "")) { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); - $aclout = fopen("/usr/local/etc/squid/acls/src_subnets.acl","w"); + $aclout = fopen($acldir . "/src_subnets.acl","w"); $allowed_subnets_array = split(";",$allowed_subnets); foreach ($allowed_subnets_array as $ind_allowed_subnets) { @@ -307,72 +338,74 @@ function global_write_squid_config() { fclose($aclout); - fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/acls/src_subnets.acl"' . "\n"); + fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"); } /* define ip addresses that have 'unrestricted' access */ - if ($unrestricted_ip_address !== "") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); - $aclout = fopen("/usr/local/etc/squid/acls/src_unrestricted_ip.acl","w"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w"); - $unrestricted_ip_array = split(";",$unrestricted_ip_address); + $unrestricted_ip_array = split(";",$unrestricted_ip_addr); foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { fwrite($aclout, $ind_unrestricted_ip . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_unrestricted_ip src "/usr/local/etc/squid/acls/src_unrestricted_ip.acl"' . "\n"); + fwrite($fout, 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"); } /* define mac addresses that have 'unrestricted' access */ - if ($unrestricted_mac_addresses !== "") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); - $aclout = fopen("/usr/local/etc/squid/acls/src_unrestricted_mac.acl","w"); + $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w"); - $unrestricted_mac_array = split(";",$unrestricted_mac_addresses); + $unrestricted_mac_array = split(";",$unrestricted_mac_addr); foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { fwrite($aclout, $ind_unrestricted_mac . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_unrestricted_mac src "/usr/local/etc/squid/acls/src_unrestricted_mac.acl"' . "\n"); + fwrite($fout, 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n"); } /* define ip addresses that are banned from using the proxy service */ - if ($banned_ip_addresses !== "") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); - $aclout = fopen("/usr/local/etc/squid/acls/src_banned_ip.acl","w"); + $aclout = fopen($acldir . "/src_banned_ip.acl","w"); - $banned_ip_array = split(";",$banned_ip_addresses); + $banned_ip_array = split(";",$banned_ip_addr); foreach ($banned_ip_array as $ind_banned_ip) { fwrite($aclout, $ind_banned_ip . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_banned_ip src "/usr/local/etc/squid/acls/src_banned_ip.acl"' . "\n"); + fwrite($fout, 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"); } /* define mac addresses that are banned from using the proxy service */ - if ($banned_mac_addresses !== "") { - if (!file_exists("/usr/local/etc/squid/acls")) mwexec("/bin/mkdir -p /usr/local/etc/squid/acls"); + if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) { + if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); - $aclout = fopen("/usr/local/etc/squid/acls/src_banned_mac.acl","w"); + $aclout = fopen($acldir . "/src_banned_mac.acl","w"); - $banned_mac_array = split(";",$banned_mac_addresses); + $banned_mac_array = split(";",$banned_mac_addr); foreach ($banned_mac_array as $ind_banned_mac) { fwrite($aclout, $ind_banned_mac . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_banned_mac src "/usr/local/etc/squid/acls/src_banned_mac.acl"' . "\n"); + fwrite($fout, 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"); } - + + fwrite($fout, "acl pf_ips dst " . $lanip . "\n"); + fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"); fwrite($fout, "acl CONNECT method CONNECT\n"); fwrite($fout, "\n"); @@ -383,14 +416,18 @@ function global_write_squid_config() { fwrite($fout, "#Deny non web services\n"); fwrite($fout, "http_access deny !Safe_ports\n"); - fwrite($fout, "http_access deny CONNECT\n"); + fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); fwrite($fout, "\n"); fwrite($fout, "#Set custom configured ACLs\n"); + if (isset($auth_method) and ($auth_method != "no_auth")) { + fwrite($fout, "http_access allow pf_networks for_inetusers within_timeframe\n"); + } + fwrite($fout, "http_access deny all\n"); fwrite($fout, "\n"); - if ($dl_overall !== "" and $dl_per_host == "") { + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) { fwrite($fout, "#Set throttle and bandwidth restrictions\n"); fwrite($fout, "delay_pools 1\n"); @@ -403,18 +440,18 @@ function global_write_squid_config() { } /* if no unrestricted ip addresses are defined; this line is ignored */ - if ($unrestricted_ip_address == "") fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); fwrite($fout, "#delay_access 1 deny for_extended_users\n"); /* this will define bandwidth delay restrictions for specified throttles */ - if ($throttle_binary_files == "on") { + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); } - if ($throttle_cd_images == "on") { + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); } - if ($throttle_multimedia == "on") { + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); } else { fwrite($fout, "delay_access 1 allow all\n"); @@ -422,7 +459,7 @@ function global_write_squid_config() { fwrite($fout, "delay_initial_bucket_level 100%\n\n"); } - if ($dl_per_host !== "" and $dl_overall == "") { + if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) { fwrite($fout, "#Set throttle and bandwidth restrictions\n"); fwrite($fout, "delay_pools 1\n"); @@ -435,7 +472,7 @@ function global_write_squid_config() { } /* if no unrestricted ip addresses are defined; this line is ignored */ - if ($unrestricted_ip_address !== "") fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); fwrite($fout, "#delay_access 1 deny for_extended_users\n"); @@ -455,16 +492,16 @@ function global_write_squid_config() { fwrite($fout, "\n"); } - if ($dl_overall !== "" and $dl_per_host !== "") { + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) { /* if no bandwidth restrictions are specified, then these parameters are not necessary */ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { fwrite($fout, "#Set throttle and bandwidth restrictions\n"); - if ($dl_overall == "unlimited" and $dl_per_host !== "") { + if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) { fwrite($fout, "delay_pools 1\n"); fwrite($fout, "delay_class 1 3\n"); fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_overall * 250) . "\n"); - } elseif ($dl_overall !== "" and $dl_per_host == "unlimited") { + } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) { fwrite($fout, "delay_pools 1\n"); fwrite($fout, "delay_class 1 3\n"); fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . " -1/-1 -1/-1\n"); @@ -474,7 +511,7 @@ function global_write_squid_config() { if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { /* if no unrestricted ip addresses are defined; this line is ignored */ - if ($unrestricted_ip_address !== "") fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); fwrite($fout, "#delay_access 1 deny for_extended_users\n"); @@ -500,35 +537,25 @@ function global_write_squid_config() { fwrite($fout, "\n"); /* TODO: acl customization for snmp support */ - fwrite($fout, "snmp_access deny all\n"); fwrite($fout, "\n"); - if ($urlfilter_enable == "on") { + if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) { fwrite($fout, "redirect_program /usr/sbin/squidGuard"); fwrite($fout, "redirect_children 5"); fwrite($fout, "\n"); } - if ($max_upload_size != "") { + if (isset($max_upload_size) && ($max_upload_size != "")) { fwrite($fout, "request_body_max_size " . $max_download_size . "KB\n"); } - if ($max_download_size != "") { - if ($unrestricted_ip_addresses !== "") fwrite($fout, "reply_body_max_size 0 allow pf_unrestricted_ip\n"); + if (isset($max_download_size) && ($max_download_size != "")) { + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "reply_body_max_size 0 allow pf_unrestricted_ip\n"); fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); fwrite($fout, "reply_body_max_size " . $max_download_size * 1024 . " allow all\n"); fwrite($fout, "\n"); } - if ($visible_hostname !== "") { - fwrite($fout, "visible_hostname " . $visible_hostname . "\n"); - } - - if ($cache_admin_email !== "") { - fwrite($fout, "cache_mgr " . $cache_admin_email . "\n"); - fwrite($fout, "\n"); - } - if ($maximum_object_size == "") $maximum_object_size="4096"; if ($minimum_object_size == "") $minimum_object_size="0"; fwrite($fout, "maximum_object_size " . $maximum_object_size . " KB\n"); @@ -547,6 +574,15 @@ function global_write_squid_config() { fwrite($fout, "httpd_accel_uses_host_header on\n"); fwrite($fout, "\n"); } + + if (isset($visible_hostname) && ($visible_hostname !== "")) { + fwrite($fout, "visible_hostname " . $visible_hostname . "\n"); + } + + if (isset($cache_admin_email) && ($cache_admin_email !== "")) { + fwrite($fout, "cache_mgr " . $cache_admin_email . "\n"); + fwrite($fout, "\n"); + } fclose($fout); @@ -555,4 +591,43 @@ function global_write_squid_config() { touch($squidconfig); } /* end function write_squid_config */ + +function mod_htpasswd() { + conf_mount_rw(); + config_lock(); + global $config; + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + + $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); + + if($config['installedpackages']['squidextlocalauth']['config'] != "") { + foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { + $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); + fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); + } + } + + fclose($passfile); + + conf_mount_ro(); + config_unlock(); +} + +function generate_htpasswd($username, $password) { + $all = explode( " ", + "a b c d e f g h i j k l m n o p q r s t u v w x y z " + . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " + . "0 1 2 3 4 5 6 7 8 9"); + + for ($i = 0; $i < 9; $i++) { + srand((double)microtime()*1000000); + $randy = rand(0,61); + $seed .= $all[$randy]; + } + + $crypt = crypt($password, "$1$$seed"); + return $crypt; +} + diff --git a/packages/squid_ng.xml b/packages/squid_ng.xml index ccfed7f2..7d3cb5c8 100644 --- a/packages/squid_ng.xml +++ b/packages/squid_ng.xml @@ -2,115 +2,73 @@ <packagegui> <name>squid</name> - <title>Services: Squid Advanced Proxy</title> + <title>Services: Proxy Server</title> <category>Security</category> <version>2.5.10_4</version> <configpath>installedpackages->package->squidng->configuration->settings</configpath> - <!-- This defines the location where the config is stored within pfSense's - xml based global store --> <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&id=0</aftersaveredirect> - - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>http://www.pfsense.com/packages/config/squid_cache.xml</item> + + <menu> + <name>Squid</name> + <tooltiptext>Modify settings for Proxy Server</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + </menu> + + <!-- TODO: Add xml to parse proxy logs into readable format + <menu> + <name>Proxy Log</name> + <section>Status</section> + <configfile>squid_log.xml</configfile> + </menu> --> + + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid_cache.xml</item> </additional_files_needed> - <additional_files_needed> + + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/squid_nac.xml</item> </additional_files_needed> - <additional_files_needed> + + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/squid_ng.inc</item> </additional_files_needed> - <additional_files_needed> + + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/squid_traffic.xml</item> </additional_files_needed> - <additional_files_needed> + + <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/squid_upstream.xml</item> </additional_files_needed> + + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid_auth.xml</item> + </additional_files_needed> - <menu> - <name>Squid</name> - <tooltiptext>Modify settings for Squid Advanced Proxy</tooltiptext> - <section>Services</section> - <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> - </menu> - - <!-- TODO: Add xml to parse proxy logs into readable format - <menu> - <name>Proxy Log</name> - <section>Status</section> - <configfile>squid_log.xml</configfile> - </menu> --> - - <files> - <file> - <type>package</type> - <location>http://www.pfsense.org/packages/All/squid-2.5.STABLE10.tbz</location> - </file> - <file> - <type>package</type> - <location>ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/www/squidGuard-1.2.0_1.tbz</location> - </file> - - <!-- retrieves the configuration file for upstream proxy settings --> - - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_ng.inc</location> - </file> - - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_upstream.xml</location> - </file> - - <!-- retrieves the configuration file for cache management --> - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_cache.xml</location> - </file> - - <!-- retrieves the configuration file for network access control --> - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_nac.xml</location> - </file> - - <!-- retrieves the configuration file for traffic management --> - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_traffic.xml</location> - </file> - - <!-- TODO: retrieves the configuration file for authentication settings - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_auth.xml</location> - </file> - --> - - <!-- TODO: retrieves the configuration file for user definitions - <file> - <type>configfile</type> - <location>http://www.pfsense.com/packages/config/squid_users.xml</location> - </file> - --> - - </files> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/squid_extauth.xml</item> + </additional_files_needed> <tabs> <tab> <text>General Settings</text> - <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> <active/> </tab> @@ -134,17 +92,15 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> - <!-- <tab> - <text>Authentication Settings</text> + <text>Auth Settings</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=squid_users.xml&id=0</url> + <text>Extended Auth Settings</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> </tab> - --> </tabs> <fields> @@ -274,16 +230,13 @@ $fout = fopen("/usr/local/etc/squid/squid.conf","w"); fwrite($fout, "#\n"); - fwrite($fout, "# This file was automatically generated by the pfSense package manager\n"); - fwrite($fout, "# This default policy enables transparent proxy with no local disk logging\n"); + fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); + fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); fwrite($fout, "#\n"); fwrite($fout, "shutdown_lifetime 5 seconds\n"); fwrite($fout, "icp_port 0\n"); fwrite($fout, "\n"); - - fwrite($fout, "http_port 3128\n"); - fwrite($fout, "\n"); - + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); fwrite($fout, "no_cache deny QUERY\n"); fwrite($fout, "\n"); @@ -292,13 +245,13 @@ fwrite($fout, "\n"); fwrite($fout, "cache_mem 8 MB\n"); - fwrite($fout, "cache_dir ufs /var/squid/cache 500 16 256\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); fwrite($fout, "\n"); fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); fwrite($fout, "\n"); - fwrite($fout, "memory_replacement_policy heap LRU\n"); + fwrite($fout, "memory_replacement_policy heap GDSF\n"); fwrite($fout, "cache_replacement_policy heap GDSF\n"); fwrite($fout, "\n"); @@ -347,19 +300,12 @@ fwrite($fout, "#Set custom configured ACLs\n"); fwrite($fout, "http_access deny all\n"); fwrite($fout, "visible_hostname pfSense\n"); - fwrite($fout, "httpd_accel_host virtual\n"); - fwrite($fout, "httpd_accel_port 80\n"); - fwrite($fout, "httpd_accel_with_proxy on\n"); - fwrite($fout, "httpd_accel_uses_host_header on\n"); + fwrite($fout, "\n"); + fwrite($fout, "cache_effective_user squid\n"); fwrite($fout, "cache_effective_group squid\n"); fwrite($fout, "\n"); - fwrite($fout, "#Strip HTTP Header\n"); - fwrite($fout, "header_access X-Forwarded-For deny all\n"); - fwrite($fout, "header_access Via deny all\n"); - fwrite($fout, "\n"); - fwrite($fout, "maximum_object_size 4096 KB\n"); fwrite($fout, "minimum_object_size 0 KB\n"); fwrite($fout, "\n"); @@ -368,6 +314,11 @@ fwrite($fout, "reply_body_max_size 0 allow all\n"); fwrite($fout, "\n"); + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + fclose($fout); } <!-- end function write_static_squid_config() --> </custom_php_global_functions> @@ -380,38 +331,69 @@ </custom_add_php_command_late> <custom_php_install_command> - write_static_squid_config(); <!-- write initial config to work --> + write_static_squid_config(); <!-- write initial static config for transparent proxy --> - update_output_window("Creating initialization scripts..."); + update_output_window("Creating Proxy Server initialization scripts..."); $fout = fopen("/usr/local/etc/rc.d/squid.sh","w"); fwrite($fout, "#!/bin/sh\n"); - fwrite($fout, "$pfSense: /usr/local/sbin/rc.d/squid.sh; created " . date(DATE_RFC822) . " mcapp\n"); - fwrite($fout, "\n"); - fwrite($fout, "touch /tmp/ro_root_mount\n\n"); - fwrite($fout, "/usr/local/sbin/squid -D\n\n"); - fwrite($fout, "touch /tmp/filter_dirty\n\n"); + fwrite($fout, "#$pfSense: /usr/local/sbin/rc.d/squid.sh\n\n"); + fwrite($fout, "touch /tmp/ro_root_mount\n"); + fwrite($fout, "/usr/local/sbin/squid -D\n"); + fwrite($fout, "touch /tmp/filter_dirty\n"); fclose($fout); - chmod("/usr/local/etc/rc.d/squid.sh", 755); + mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); + + <!-- create log directory hierarchies if they don't exist --> + update_output_window("Creating required directory hierarchies..."); + + if (!file_exists("/var/squid/logs")) { + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + } if (!file_exists("/var/squid/cache")) { - update_output_window("Initializing Cache... This may take a moment..."); - mwexec("/usr/local/sbin/squid -z"); + mwexec("mkdir -p /var/squid/cache"); + mwexec("chown squid:squid /var/squid/cache"); + } + + if (!file_exists("/usr/local/etc/squid/advanced/acls")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); } - update_output_window("Starting Squid Advanced Proxy..."); - mwexec_bg("/usr/local/etc/rc.d/squid.sh"); + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/ncsa"); + } + + if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/ntlm"); + } + + if (!file_exists("/usr/local/etc/squid/advanced/radius")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/radius"); + } + + update_output_window("Initializing Cache... This may take a moment..."); + mwexec("/usr/local/sbin/squid -z"); + + update_output_window("Starting Proxy Server..."); + mwexec("/usr/local/etc/rc.d/squid.sh"); filter_configure(); </custom_php_install_command> <custom_php_deinstall_command> - rmdir_recursive("/usr/local/squid"); - unlink_if_exists("/var/mail/squid"); - unlink_if_exists("/usr/local/etc/rc.d/squid"); - unlink_if_exists("/usr/local/etc/squid/squid.conf"); + mwexec("rm -rf /usr/local/squid"); + mwexec("rm -rf /var/squid/cache"); + mwexec("rm -rf /usr/local/etc/squid"); + + unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); unlink_if_exists("/usr/local/etc/squid"); unlink_if_exists("/usr/local/libexec/squid"); - rmdir_recursive("/usr/local/etc/squid"); + filter_configure(); </custom_php_deinstall_command> diff --git a/packages/squid_traffic.xml b/packages/squid_traffic.xml index 90ecc7af..45b1ca76 100644 --- a/packages/squid_traffic.xml +++ b/packages/squid_traffic.xml @@ -2,7 +2,7 @@ <packagegui> <name>squidtraffic</name> - <title>Services: Squid Advanced Proxy</title> + <title>Services: Proxy Server -> Traffic Management</title> <configpath>installedpackages->package->squidtraffic->configuration->settings</configpath> <aftersaveredirect>/pkg_edit.php?xml=squid_traffic.xml&id=0</aftersaveredirect> @@ -34,16 +34,15 @@ <active/> </tab> - <!--<tab> - <text>Authentication Settings</text> - <url>/pkg_edit.php?xml=squidauth.xml&id=0</url> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=squidusers.xml&id=0</url> + <text>Extended Auth Settings</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> </tab> - --> </tabs> <fields> diff --git a/packages/squid_upstream.xml b/packages/squid_upstream.xml index b5270af4..06782610 100644 --- a/packages/squid_upstream.xml +++ b/packages/squid_upstream.xml @@ -2,7 +2,7 @@ <packagegui> <name>squidupstream</name> - <title>Services: Squid Advanced Proxy</title> + <title>Services: Proxy Server -> Upstream Proxy Settings</title> <configpath>installedpackages->package->squidupstream->configuration->settings</configpath> <aftersaveredirect>/pkg_edit.php?xml=squid_upstream.xml&id=0</aftersaveredirect> @@ -34,15 +34,15 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> - <!-- <tab> - <text>Authentication Settings</text> - <url>/pkg_edit.php?xml=squidauth.xml&id=0</url> + <tab> + <text>Auth Settings</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Users</text> - <url>/pkg_edit.php?xml=squidusers.xml&id=0</url> - </tab> --> + <text>Extended Auth Settings</text> + <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> + </tab> </tabs> <fields> |