diff options
Diffstat (limited to 'config/squid-reverse')
23 files changed, 2938 insertions, 745 deletions
diff --git a/config/squid-reverse/proxy_monitor.sh b/config/squid-reverse/proxy_monitor.sh index fa5a87bb..e69de29b 100644 --- a/config/squid-reverse/proxy_monitor.sh +++ b/config/squid-reverse/proxy_monitor.sh @@ -1,72 +0,0 @@ -#!/bin/sh -# $Id$ */ -# -# proxy_monitor.sh -# Copyright (C) 2006 Scott Ullrich -# All rights reserved. -# -# Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions are met: -# -# 1. Redistributions of source code must retain the above copyright notice, -# this list of conditions and the following disclaimer. -# -# 2. Redistributions in binary form must reproduce the above copyright -# notice, this list of conditions and the following disclaimer in the -# documentation and/or other materials provided with the distribution. -# -# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, -# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -# POSSIBILITY OF SUCH DAMAGE. -# - -set -e - -LOOP_SLEEP=55 - -if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm -fi - -# Sleep 5 seconds on startup not to mangle with existing boot scripts. -sleep 5 - -# Squid monitor 1.2 -while [ /bin/true ]; do - if [ ! -f /var/run/squid_alarm ]; then - NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -lt 1 ]; then - # squid is down - echo "Squid has exited. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm - /usr/local/etc/rc.d/squid.sh start - sleep 3 - echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - touch /var/run/squid_alarm - fi - fi - NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -gt 0 ]; then - if [ -f /var/run/squid_alarm ]; then - echo "Squid has resumed. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - rm /var/run/squid_alarm - fi - fi - sleep $LOOP_SLEEP -done - -if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm -fi - diff --git a/config/squid-reverse/sqpmon.sh b/config/squid-reverse/sqpmon.sh new file mode 100644 index 00000000..244b3b61 --- /dev/null +++ b/config/squid-reverse/sqpmon.sh @@ -0,0 +1,75 @@ +#!/bin/sh +# $Id$ */ +# +# sqpmon.sh +# Copyright (C) 2006 Scott Ullrich +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, +# this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +# POSSIBILITY OF SUCH DAMAGE. +# + +if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then + exit 0 +fi + +set -e + +LOOP_SLEEP=55 + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi + +# Sleep 5 seconds on startup not to mangle with existing boot scripts. +sleep 5 + +# Squid monitor 1.2 +while [ /bin/true ]; do + if [ ! -f /var/run/squid_alarm ]; then + NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -lt 1 ]; then + # squid is down + echo "Squid has exited. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm + /usr/local/etc/rc.d/squid.sh start + sleep 3 + echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + touch /var/run/squid_alarm + fi + fi + NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/squid_alarm ]; then + echo "Squid has resumed. Reconfiguring filter." | \ + logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + rm /var/run/squid_alarm + fi + fi + sleep $LOOP_SLEEP +done + +if [ -f /var/run/squid_alarm ]; then + rm /var/run/squid_alarm +fi diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 151f710c..941395f6 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -4,7 +4,8 @@ squid.inc Copyright (C) 2006-2009 Scott Ullrich Copyright (C) 2006 Fernando Lemos - Copyright (C) 2008 Martin Fuchs + Copyright (C) 2012 Martin Fuchs + Copyright (C) 2012 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without @@ -38,14 +39,32 @@ require_once('service-utils.inc'); if(!function_exists("filter_configure")) require_once("filter.inc"); - -define('SQUID_CONFBASE', '/usr/local/etc/squid'); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); +else + define('SQUID_LOCALBASE','/usr/local'); + +define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid'); +define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf'); define('SQUID_BASE', '/var/squid/'); define('SQUID_ACLDIR', '/var/squid/acl'); define('SQUID_PASSWD', '/var/etc/squid.passwd'); +define('SQUID_LIB','/var/squid/lib'); +define('SQUID_SSL_DB','/var/squid/lib/ssl_db'); $valid_acls = array(); +$uname=posix_uname(); +if ($uname['machine']=='amd64') + ini_set('memory_limit', '250M'); + + function sq_text_area_decode($text){ + return preg_replace('/\r\n/', "\n",base64_decode($text)); +} + + function squid_get_real_interface_address($iface) { global $config; @@ -77,6 +96,11 @@ function squid_chown_recursive($dir, $user, $group) { /* setup cache */ function squid_dash_z() { global $config; + + //Do nothing if there is no cache config + if (!is_array($config['installedpackages']['squidcache']['config'])) + return; + $settings = $config['installedpackages']['squidcache']['config'][0]; // If the cache system is null, there is no need to initialize the (irrelevant) cache dir. @@ -94,12 +118,12 @@ function squid_dash_z() { if(!is_dir($cachedir.'/00/')) { log_error("Creating squid cache subdirs in $cachedir"); - mwexec("/usr/local/sbin/squid -k shutdown"); + mwexec(SQUID_LOCALBASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE); sleep(5); - mwexec("/usr/local/sbin/squid -k kill"); + mwexec(SQUID_LOCALBASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE); // Double check permissions here, should be safe to recurse cache dir if it's small here. mwexec("/usr/sbin/chown -R proxy:proxy $cachedir"); - mwexec("/usr/local/sbin/squid -z"); + mwexec(SQUID_LOCALBASE. "/sbin/squid -z -f " . SQUID_CONFFILE); } if(file_exists("/var/squid/cache/swap.state")) { @@ -120,11 +144,17 @@ function squid_is_valid_acl($acl) { function squid_install_command() { global $config; global $g; + update_status("Checking if there is configuration to migrate... One moment please..."); /* migrate existing csv config fields */ - $settingsauth = $config['installedpackages']['squidauth']['config'][0]; - $settingscache = $config['installedpackages']['squidcache']['config'][0]; - $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - + if (is_array($config['installedpackages']['squidauth']['config'])) + $settingsauth = $config['installedpackages']['squidauth']['config'][0]; + if (is_array($config['installedpackages']['squidcache']['config'])) + $settingscache = $config['installedpackages']['squidcache']['config'][0]; + if (is_array($config['installedpackages']['squidnac']['config'])) + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + if (is_array($config['installedpackages']['squid']['config'])) + $settingsgen = $config['installedpackages']['squid']['config'][0]; + /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -153,7 +183,6 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; } } - if(! empty($settingsnac['banned_hosts'])) { if(strstr($settingsnac['banned_hosts'], ",")) { $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); @@ -195,7 +224,49 @@ function squid_install_command() { $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; } } - + + /*Migrate reverse settings*/ + if (is_array($config['installedpackages']['squidreverse'])){ + $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0]; + + //Settings + if (!is_array($config['installedpackages']['squidreversegeneral'])){ + $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings; + unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); + unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); + unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); + } + + //PEERS + if (!is_array($config['installedpackages']['squidreversepeer'])){ + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) + foreach (explode(";",$cache_peers) as $cache_peer) + $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated', + 'enable'=> 'on', + 'name'=> $cache_peer[0], + 'port'=> $cache_peer[1], + 'protocol' => $cache_peer[2]); + } + + //MAPPINGS + if (!is_array($config['installedpackages']['squidreverseuri'])){ + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){ + foreach (explode(";",$acls) as $acl) + array_push(${'peer_'.$acl[0]},$acl[1]); + } + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) + foreach (explode(";",$uris) as $uri){ + $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); + $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated', + 'enable'=> 'on', + 'name'=> $uri[0], + 'uri'=> $uri[1], + 'vhost' => $uri[2], + 'peers'=>$peer_list); + } + } + } + update_status("Writing configuration... One moment please..."); write_config(); @@ -204,18 +275,23 @@ function squid_install_command() { update_status("Creating squid cache pools... One moment please..."); squid_dash_z(); /* make sure pinger is executable */ - if(file_exists("/usr/local/libexec/squid/pinger")) - exec("/bin/chmod a+x /usr/local/libexec/squid/pinger"); + if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) + exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger"); if(file_exists("/usr/local/etc/rc.d/squid")) exec("/bin/rm /usr/local/etc/rc.d/squid"); squid_write_rcfile(); - exec("chmod a+rx /usr/local/libexec/squid/dnsserver"); if(file_exists("/usr/local/pkg/swapstate_check.php")) exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php"); + write_rcfile(array( + "file" => "sqp_monitor.sh", + "start" => "/usr/local/pkg/sqpmon.sh &", + "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")); foreach (array( SQUID_CONFBASE, SQUID_ACLDIR, - SQUID_BASE ) as $dir) { + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { make_dirs($dir); squid_chown_recursive($dir, 'proxy', 'proxy'); } @@ -223,7 +299,7 @@ function squid_install_command() { /* kill any running proxy alarm scripts */ update_status("Checking for running processes... One moment please..."); log_error("Stopping any running proxy monitors"); - mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); sleep(1); if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) @@ -235,16 +311,16 @@ function squid_install_command() { if (!is_service_running('squid')) { update_status("Starting... One moment please..."); log_error("Starting Squid"); - mwexec_bg("/usr/local/sbin/squid -D"); + mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -f " . SQUID_CONFFILE); } else { update_status("Reloading Squid for configuration sync... One moment please..."); log_error("Reloading Squid for configuration sync"); - mwexec("/usr/local/sbin/squid -k reconfigure"); + mwexec(SQUID_LOCALBASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } /* restart proxy alarm scripts */ log_error("Starting a proxy monitor script"); - mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); update_status("Reconfiguring filter... One moment please..."); filter_configure(); @@ -254,7 +330,10 @@ function squid_deinstall_command() { global $config, $g; $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; squid_install_cron(false); - $settings = &$config['installedpackages']['squidcache']['config'][0]; + if (is_array($config['installedpackages']['squidcache'])) + $settings = $config['installedpackages']['squidcache']['config'][0]; + else + $settings = array(); $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); update_status("Removing swap.state ... One moment please..."); @@ -262,8 +341,8 @@ function squid_deinstall_command() { mwexec('rm -rf $cachedir/swap.state'); mwexec('rm -rf $logdir'); update_status("Finishing package cleanup."); - mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh'); - mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh'); mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); @@ -273,9 +352,12 @@ function squid_deinstall_command() { function squid_before_form_general($pkg) { $values = get_dir(SQUID_CONFBASE . '/errors/'); - // Get rid of '..' and '.' + // Get rid of '..' and '.' and ... array_shift($values); array_shift($values); + array_shift($values); + array_shift($values); + $name = array(); foreach ($values as $value) $names[] = implode(" ", explode("_", $value)); @@ -294,7 +376,10 @@ function squid_before_form_general($pkg) { function squid_validate_general($post, $input_errors) { global $config; - $settings = $config['installedpackages']['squid']['config'][0]; + if (is_array($config['installedpackages']['squid'])) + $settings = $config['installedpackages']['squid']['config'][0]; + else + $settings = array(); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; @@ -313,7 +398,7 @@ function squid_validate_general($post, $input_errors) { $log_rotate = trim($post['log_rotate']); if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) - $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; + $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field'; $webgui_port = $config['system']['webgui']['port']; if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { @@ -347,12 +432,13 @@ function squid_validate_general($post, $input_errors) { foreach ($altdns as $dnssrv) { if (!is_ipaddr($dnssrv)) $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + break; }} } function squid_validate_upstream($post, $input_errors) { - if ($post['proxy_forwarding'] == 'on') { - $addr = trim($post['proxy_addr']); + if ($post['enabled'] == 'on') { + $addr = trim($post['proxyaddr']); if (empty($addr)) $input_errors[] = 'The field \'Hostname\' is required'; else { @@ -360,7 +446,7 @@ function squid_validate_upstream($post, $input_errors) { $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; } - foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { $port = trim($post[$field]); if (empty($port)) $input_errors[] = "The field '$name' is required"; @@ -420,10 +506,18 @@ function squid_validate_nac($post, $input_errors) { } foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { - foreach (explode("\n", $post[$hosts]) as $host) { - $host = trim($host); - if (!empty($host) && !is_ipaddr($host)) - $input_errors[] = "The host '$host' is not a valid IP address"; + + if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){ + for ($x=0;$x < count($matches[1]);$x++){ + if ($matches[2][$x] == ""){ + if (!is_ipaddr($matches[1][$x])) + $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address"; + } + else{ + if (!is_subnet($matches[0][$x])) + $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range"; + } + } } } @@ -476,26 +570,34 @@ function squid_validate_traffic($post, $input_errors) { if (!empty($post['quick_abort_pct'])) { $value = trim($post['quick_abort_pct']); if (!is_numeric($value) || ($value > 100)) - $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; + $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; } } function squid_validate_reverse($post, $input_errors) { - $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) - $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + if(!empty($post['reverse_ip'])) { + $reverse_ip = explode(";", ($post['reverse_ip'])); + foreach ($reverse_ip as $reip) { + if (!is_ipaddr($reip)) + $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'; + break; + }} + + $fqdn = trim($post['reverse_external_fqdn']); + if (!empty($fqdn) && !is_domain($fqdn)) + $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; - $port = trim($post['reverse_http_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; + $port = trim($post['reverse_http_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; - $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; + $port = trim($post['reverse_https_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; - if ($post['reverse_ssl_cert'] == 'none') - $input_errors[] = 'A valid certificate for the external interface must be selected'; + if ($post['reverse_ssl_cert'] == 'none') + $input_errors[] = 'A valid certificate for the external interface must be selected'; if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; @@ -506,9 +608,9 @@ function squid_validate_reverse($post, $input_errors) { $input_errors[] = 'A valid certificate for the external interface must be selected'; */ - $rowa = trim($post['reverse_owa_ip']); - if (!empty($rowa) && !is_ipaddr($rowa)) - $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; + $rowa = trim($post['reverse_owa_ip']); + if (!empty($rowa) && !is_ipaddr($rowa)) + $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; $contents = $post['reverse_cache_peer']; @@ -588,24 +690,28 @@ function squid_install_cron($should_install) { if(!$config['cron']['item']) return; - $settings = $config['installedpackages']['squidcache']['config'][0]; + + if (is_array($config['installedpackages']['squidcache'])) + $settings = $config['installedpackages']['squidcache']['config'][0]; + else + $settings = array(); + $x=0; $rotate_job_id=-1; $swapstate_job_id=-1; foreach($config['cron']['item'] as $item) { if(strstr($item['task_name'], "squid_rotate_logs")) { - - $rotate_job_id = $x; - } elseif(strstr($item['task_name'], "squid_check_swapstate")) { - $swapstate_job_id = $x; + $rotate_job_id = $x; + } elseif(strstr($item['task_name'], "squid_check_swapstate")) { + $swapstate_job_id = $x; } $x++; } $need_write = false; switch($should_install) { case true: - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); - if($rotate_job_id < 0) { + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + if($rotate_job_id < 0) { $cron_item = array(); $cron_item['task_name'] = "squid_rotate_logs"; $cron_item['minute'] = "0"; @@ -614,11 +720,12 @@ function squid_install_cron($should_install) { $cron_item['month'] = "*"; $cron_item['wday'] = "*"; $cron_item['who'] = "root"; - $cron_item['command'] = "/bin/rm {$cachedir}/swap.state; /usr/local/sbin/squid -k rotate"; + $cron_item['command'] = "/bin/rm {$cachedir}/swap.state; ". SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE; + /* Add this cron_item as a new entry at the end of the item array. */ $config['cron']['item'][] = $cron_item; $need_write = true; - } - if($swapstate_job_id < 0) { + } + if($swapstate_job_id < 0) { $cron_item = array(); $cron_item['task_name'] = "squid_check_swapstate"; $cron_item['minute'] = "*/15"; @@ -628,37 +735,40 @@ function squid_install_cron($should_install) { $cron_item['wday'] = "*"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/local/pkg/swapstate_check.php"; + /* Add this cron_item as a new entry at the end of the item array. */ $config['cron']['item'][] = $cron_item; $need_write = true; - } - if ($need_write) { - $config['cron']['item'][] = $cron_item; + } + if ($need_write) { parse_config(true); write_config("Adding Squid Cron Jobs"); } - break; + break; case false: - if($rotate_job_id >= 0) { - unset($config['cron']['item'][$rotate_job_id]); - $need_write = true; - } - if($swapstate_job_id >= 0) { - unset($config['cron']['item'][$swapstate_job_id]); - $need_write = true; - } - if ($need_write) { - parse_config(true); - write_config("Removing Squid Cron Jobs"); - } - break; + if($rotate_job_id >= 0) { + unset($config['cron']['item'][$rotate_job_id]); + $need_write = true; + } + if($swapstate_job_id >= 0) { + unset($config['cron']['item'][$swapstate_job_id]); + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Removing Squid Cron Jobs"); + } + break; } configure_cron(); - } +} function squid_resync_general() { global $g, $config, $valid_acls; - $settings = $config['installedpackages']['squid']['config'][0]; + if (is_array($config['installedpackages']['squid'])) + $settings = $config['installedpackages']['squid']['config'][0]; + else + $settings=array(); $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n"; @@ -672,35 +782,38 @@ function squid_resync_general() { } } if (($settings['transparent_proxy'] == 'on')) { - $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " transparent\n"; + $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " intercept\n"; } - $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); - + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 7); + $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); $pidfile = "{$g['varrun_path']}/squid.pid"; - $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); - $errordir = SQUID_CONFBASE . '/errors/' . $language; + $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); $icondir = SQUID_CONFBASE . '/icons'; $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); - + if (! is_dir($logdir)){ + make_dirs($logdir); + squid_chown_recursive($logdir, 'proxy', 'proxy'); + } $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); $conf .= <<<EOD -icp_port $icp_port - -pid_filename $pidfile +icp_port {$icp_port} +dns_v4_first {$dns_v4_first} +pid_filename {$pidfile} cache_effective_user proxy cache_effective_group proxy -error_directory $errordir -icon_directory $icondir -visible_hostname $hostname -cache_mgr $email -access_log $logdir_access -cache_log $logdir_cache +error_default_language {$language} +icon_directory {$icondir} +visible_hostname {$hostname} +cache_mgr {$email} +access_log {$logdir_access} +cache_log {$logdir_cache} cache_store_log none +sslcrtd_children 0 EOD; @@ -721,6 +834,7 @@ EOD; foreach ($real_ifaces as $iface) { list($ip, $mask) = $iface; $ip = long2ip(ip2long($ip) & ip2long($mask)); + $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); $src .= " $ip/$mask"; } $conf .= "# Allow local network(s) on interface(s)\n"; @@ -748,52 +862,118 @@ EOD; function squid_resync_cache() { global $config, $g; - - $settings = $config['installedpackages']['squidcache']['config'][0]; - + if (is_array($config['installedpackages']['squidcache'])) + $settings = $config['installedpackages']['squidcache']['config'][0]; + else + $settings = array(); + //apply cache settings $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16); $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); - $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] : 10); + $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB"); $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32); $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF'); $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); - + $conf = ''; if (!isset($settings['harddisk_cache_system'])) { - if ($g['platform'] == "nanobsd") { + if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) $disk_cache_system = 'null'; - } else { + else $disk_cache_system = 'ufs'; } - } else { + else{ $disk_cache_system = $settings['harddisk_cache_system']; - } + } + #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. + if ($disk_cache_system != "null") { + $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; + } +//check dynamic content +if(empty($settings['cache_dynamic_content'])){ + $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; + $conf.="cache deny dynamic\n"; +} +else{ + if(preg_match('/youtube/',$settings['refresh_patterns'])){ + $conf.=<<<EOC +# Break HTTP standard for flash videos. Keep them in cache even if asked not to. +refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private - if ($disk_cache_system == "null") { - $disk_cache_opts = "{$disk_cache_system} /tmp"; - } else { - $disk_cache_opts = "{$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; +# Let the clients favorite video site through with full caching +acl youtube dstdomain .youtube.com +cache allow youtube + +EOC; } + if(preg_match('/windows/',$settings['refresh_patterns'])){ + $conf.=<<<EOC - $conf = <<<EOD -cache_mem $memory_cache_size MB -maximum_object_size_in_memory $max_objsize_in_mem KB -memory_replacement_policy $memory_policy -cache_replacement_policy $cache_policy -cache_dir $disk_cache_opts -minimum_object_size $min_objsize KB -maximum_object_size $max_objsize KB -offline_mode $offline_mode +# Windows Update refresh_pattern +range_offset_limit -1 +refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims +refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims +refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims + +EOC; + } + +if(preg_match('/symantec/',$settings['refresh_patterns'])){ + $conf.=<<<EOC + +# Symantec refresh_pattern +range_offset_limit -1 +refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims +refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims +EOC; + } +if(preg_match('/avast/',$settings['refresh_patterns'])){ + $conf.=<<<EOC + +# Avast refresh_pattern +range_offset_limit -1 +refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims + +EOC; + } +if(preg_match('/avira/',$settings['refresh_patterns'])){ + $conf.=<<<EOC + +# Avira refresh_pattern +range_offset_limit -1 +refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims + +EOC; + } + $refresh_conf=<<<EOC + +# Add any of your own refresh_pattern entries above these. +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 0 20% 4320 +EOC; + +} + + $conf .= <<<EOD +cache_mem $memory_cache_size MB +maximum_object_size_in_memory {$max_objsize_in_mem} KB +memory_replacement_policy {$memory_policy} +cache_replacement_policy {$cache_policy} +$disk_cache_opts +minimum_object_size {$min_objsize} KB +maximum_object_size {$max_objsize} +offline_mode {$offline_mode} EOD; if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; - $donotcache = base64_decode($settings['donotcache']); + $donotcache = sq_text_area_decode($settings['donotcache']); if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; @@ -802,28 +982,39 @@ EOD; elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } - - return $conf; + return $conf.$refresh_conf; } function squid_resync_upstream() { global $config; - $settings = $config['installedpackages']['squidupstream']['config'][0]; - - $conf = ''; - if ($settings['proxy_forwarding'] == 'on') { - $conf .= "cache_peer {$settings['proxy_addr']} parent {$settings['proxy_port']} "; - if ($settings['icp_port'] == '7') - $conf .= "{$settings['icp_port']} no-query"; - else - $conf .= "{$settings['icp_port']}"; - - if (!empty($settings['username'])) - $conf .= " login={$settings['username']}"; - if (!empty($settings['password'])) - $conf .= ":{$settings['password']}"; - } - + $conf = "\n#Remote proxies\n"; + if (is_array($config['installedpackages']['squidremote']['config'])) + foreach ($config['installedpackages']['squidremote']['config'] as $settings){ + if ($settings['enable'] == 'on') { + $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} "; + if ($settings['icpport'] == '7') + $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; + else + $conf .= "{$settings['icpport']} "; + #auth settings + if (!empty($settings['username']) && !empty($settings['password'])){ + $conf .= " login={$settings['username']}:{$settings['password']}"; + } + else{ + $conf .= "{$settings['authoption']} "; + } + #other options settings + if (!empty($settings['weight'])) + $conf .= "weight={$settings['weight']} "; + if (!empty($settings['basetime'])) + $conf .= "basetime={$settings['basetime']} "; + if (!empty($settings['ttl'])) + $conf .= "ttl={$settings['ttl']} "; + if (!empty($settings['nodelay'])) + $conf .= "no-delay"; + } + $conf .= "\n"; + } return $conf; } @@ -842,8 +1033,11 @@ function squid_resync_redirector() { function squid_resync_nac() { global $config, $valid_acls; - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $settings = $config['installedpackages']['squidnac']['config'][0]; + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + if (is_array($config['installedpackages']['squidnac'])) + $settings = $config['installedpackages']['squidnac']['config'][0]; + else + $settings = array(); $webgui_port = $config['system']['webgui']['port']; $addtl_ports = $settings['addtl_ports']; $addtl_sslports = $settings['addtl_sslports']; @@ -851,27 +1045,27 @@ function squid_resync_nac() { $conf = <<<EOD # Setup some default acls -acl all src 0.0.0.0/0.0.0.0 -acl localhost src 127.0.0.1/255.255.255.255 +acl allsrc src all +acl localhost src 127.0.0.1/32 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port 1025-65535 $addtl_ports acl sslports port 443 563 $webgui_port $addtl_sslports acl manager proto cache_object acl purge method PURGE acl connect method CONNECT -acl dynamic urlpath_regex cgi-bin \? + EOD; - $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets'])); - $allowed = ""; - foreach ($allowed_subnets as $subnet) { - if(!empty($subnet)) { - $subnet = trim($subnet); - $allowed .= "$subnet "; - } - } - if (!empty($allowed)) { - $conf .= "acl allowed_subnets src $allowed\n"; + $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); + #$allowed = ""; + #foreach ($allowed_subnets as $subnet) { + # if(!empty($subnet)) { + # $subnet = trim($subnet); + # $allowed .= "$subnet "; + # } + #} + if (!empty($allowed_subnets)) { + $conf .= "acl allowed_subnets src $allowed_subnets\n"; $valid_acls[] = 'allowed_subnets'; } @@ -881,7 +1075,7 @@ EOD; 'blacklist' => 'dstdom_regex -i', ); foreach ($options as $option => $directive) { - $contents = base64_decode($settings[$option]); + $contents = sq_text_area_decode($settings[$option]); if (!empty($contents)) { file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; @@ -893,23 +1087,21 @@ EOD; } $conf .= <<<EOD -cache deny dynamic http_access allow manager localhost EOD; - if(!empty($settings['ext_cachemanager'])) { - $extmgr = explode(";", ($settings['ext_cachemanager'])); - $count = 1; - $conf .= "\n# Allow external cache managers\n"; -// $conf .= "acl ext_manager src ".$settings['ext_cachemanager']."\n"; - foreach ($extmgr as $mgr) { - $conf .= "acl ext_manager_".$count." src "; - $conf .= $mgr." "; - $conf .= "\n"; - $conf .= "http_access allow manager ext_manager_".$count."\n"; - $count += 1; - }} + if (is_array($config['installedpackages']['squidcache'])){ + $settings_ch = $config['installedpackages']['squidcache']['config'][0]; + if(!empty($settings_ch['ext_cachemanager'])) { + $extmgr = explode(";", ($settings_ch['ext_cachemanager'])); + $conf .= "\n# Allow external cache managers\n"; + foreach ($extmgr as $mgr) { + $conf .= "acl ext_manager src {$mgr}\n"; + } + $conf .= "http_access allow manager ext_manager\n"; + } + } $conf .= <<<EOD @@ -929,20 +1121,29 @@ EOD; function squid_resync_traffic() { global $config, $valid_acls; + if(!is_array($valid_acls)) return; - $settings = $config['installedpackages']['squidtraffic']['config'][0]; + if (is_array($config['installedpackages']['squidtraffic'])) + $settings = $config['installedpackages']['squidtraffic']['config'][0]; + else + $settings = array(); + $conf = ''; - - if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; - if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; - if (!empty($settings['quick_abort_pct'])) $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; + if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") + $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; + if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") + $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; + if (!empty($settings['quick_abort_pct'])) + $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0); $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0); $conf .= "request_body_max_size $up_limit KB\n"; - $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny all\n"; + if ($down_limit != 0) + $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n"; + // Only apply throttling past 10MB // XXX: Should this really be hardcoded? $threshold = 10 * 1024 * 1024; @@ -996,10 +1197,10 @@ EOD; $conf .= "# Throttle extensions matched in the url\n"; $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; $conf .= "delay_access 1 allow throttle_exts\n"; - $conf .= "delay_access 1 deny all\n"; + $conf .= "delay_access 1 deny allsrc\n"; } else - $conf .= "delay_access 1 allow all\n"; + $conf .= "delay_access 1 allow allsrc\n"; return $conf; } @@ -1014,144 +1215,35 @@ function squid_get_server_certs() { return $cert_arr; } -function squid_resync_reverse() { - global $config, $valid_acls; - if(!is_array($valid_acls)) - return; - $settings = $config['installedpackages']['squidreverse']['config'][0]; - $conf = ''; - - $conf .= "# Reverse Proxy settings\n"; - - if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { - $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); - if ($svr_cert != false) { - if(base64_decode($svr_cert['crt'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($svr_cert['crt'])); - $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; - } - if(base64_decode($svr_cert['prv'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",base64_decode($svr_cert['prv'])); - $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; - }}} - - if (!empty($settings['reverse_int_ca'])) file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); - - $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); - $real_ifaces = array(); - foreach (explode(",", $ifaces) as $i => $iface) { - $real_ifaces[] = squid_get_real_interface_address($iface); - if($real_ifaces[$i][0]) { - //HTTP - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - } - } - //PEERS - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=OWA_HOST_pfs\n"; - - $contents = base64_decode($settings['reverse_cache_peer']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != '' && ($cfg[2]) != ''){ - $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; - if($cfg[3] == 'HTTPS') - $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; - }}} - - //ACLs - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/owa.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchange.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/public.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchwebexchweb.*$\n"; - } - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_activesync'] == 'on')) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/Microsoft-Server-ActiveSync.*$\n"; - } - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_rpchttp'] == 'on')) { - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpc/rpcproxy.dll.*$\n"; - $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; - } - - $contents = base64_decode($settings['revrse_uri']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - if($cfg[2] != '') - $conf .= "acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; - if($cfg[2] == '') - $conf .= "acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; - }}} - - - //ACCESS - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { - $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; - $conf .= "cache_peer_access OWA_HOST_pfs deny all\n"; - $conf .= "never_direct allow OWA_URI_pfs\n"; - $conf .= "http_access allow OWA_URI_pfs\n"; - } - - $contents = base64_decode($settings['reverse_acl']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; - }} - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "cache_peer_access {$cfg[0]} deny all\n"; - }} - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "never direct allow {$cfg[1]}\n"; - }} - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "http_access allow {$cfg[1]}\n"; - }} - } - - $conf .= "\n"; - - if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; - return $conf; -} +#squid reverse +include('/usr/local/pkg/squid_reverse.inc'); function squid_resync_auth() { global $config, $valid_acls; - $settings = $config['installedpackages']['squidauth']['config'][0]; - $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - $settingsconfig = $config['installedpackages']['squid']['config'][0]; + if (is_array($config['installedpackages']['squidauth']['config'])) + $settings = $config['installedpackages']['squidauth']['config'][0]; + else + $settings = array(); + + if (is_array($config['installedpackages']['squidnac']['config'])) + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + else + $settingsnac = array(); + + if (is_array($config['installedpackages']['squid']['config'])) + $settingsconfig = $config['installedpackages']['squid']['config'][0]; + else + $settingsconfig = array(); + $conf = ''; - // Custom Options - if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { - $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); - $conf .= "# Custom options\n"; - foreach ($custopts as $custopt) { - $conf .= $custopt."\n"; - } - } + // Package integration + if(!empty($settingsconfig['custom_options'])) + $conf.="# Package Integration\n".preg_replace('/;/',"\n",$settingsconfig['custom_options'])."\n\n"; + + // Custom User Options + $conf .= "# Custom options\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n"; // Deny the banned guys before allowing the good guys if(! empty($settingsnac['banned_hosts'])) { @@ -1167,9 +1259,9 @@ function squid_resync_auth() { } } - // Unrestricted hosts take precendence over blacklist + // Unrestricted hosts take precedence over blacklist if(! empty($settingsnac['unrestricted_hosts'])) { - if (squid_is_valid_acl('unrestricted_hosts')) { + if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } @@ -1181,7 +1273,7 @@ function squid_resync_auth() { } } - // Whitelist and blacklist also take precendence over other allow rules + // Whitelist and blacklist also take precedence over other allow rules if(! empty($settingsnac['whitelist'])) { if (squid_is_valid_acl('whitelist')) { $conf .= "# Always allow access to whitelist domains\n"; @@ -1222,19 +1314,19 @@ function squid_resync_auth() { $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { case 'local': - $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; break; case 'ldap': $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; break; case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'msnt': - $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n"; squid_resync_msnt(); break; } @@ -1268,7 +1360,7 @@ EOD; } $conf .= "# Default block all to be sure\n"; - $conf .= "http_access deny all\n"; + $conf .= "http_access deny allsrc\n"; return $conf; } @@ -1290,7 +1382,10 @@ function squid_resync_users() { function squid_resync_msnt() { global $config; - $settings = $config['installedpackages']['squidauth']['config'][0]; + if (is_array($config['installedpackages']['squidauth'])) + $settings = $config['installedpackages']['squidauth']['config'][0]; + else + $settings = array(); $pdcserver = $settings['auth_server']; $bdcserver = str_replace(',',' ',$settings['msnt_secondary']); $ntdomain = $settings['auth_ntdomain']; @@ -1302,7 +1397,29 @@ function squid_resync_msnt() { function squid_resync() { global $config; + + # detect boot process + if (is_array($_POST)){ + if (preg_match("/\w+/",$_POST['__csrf_magic'])) + unset($boot_process); + else + $boot_process="on"; + } + + if (is_process_running('squid') && isset($boot_process)) + return; + conf_mount_rw(); + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { + make_dirs($dir); + chown($dir, 'proxy'); + chgrp($dir, 'proxy'); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } $conf = squid_resync_general() . "\n"; $conf .= squid_resync_cache() . "\n"; $conf .= squid_resync_redirector() . "\n"; @@ -1313,44 +1430,56 @@ function squid_resync() { $conf .= squid_resync_auth(); squid_resync_users(); squid_write_rcfile(); - - /* make sure pinger is executable */ - if(file_exists("/usr/local/libexec/squid/pinger")) - exec("chmod a+x /usr/local/libexec/squid/pinger"); - - foreach (array( SQUID_CONFBASE, - SQUID_ACLDIR, - SQUID_BASE ) as $dir) { - make_dirs($dir); - squid_chown_recursive($dir, 'proxy', 'proxy'); - } - + + if(!isset($boot_process)) + squid_sync_on_changes(); + + #write config file file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf); - - $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; - - if(!is_dir($log_dir)) { - log_error("Creating squid log dir $log_dir"); - make_dirs($log_dir); - squid_chown_recursive($log_dir, 'proxy', 'proxy'); - } - - squid_dash_z(); - - if (!is_service_running('squid')) { - log_error("Starting Squid"); - mwexec("/usr/local/sbin/squid -D"); - } else { - log_error("Reloading Squid for configuration sync"); - mwexec("/usr/local/sbin/squid -k reconfigure"); - } - - // Sleep for a couple seconds to give squid a chance to fire up fully. - for ($i=0; $i < 10; $i++) { - if (!is_service_running('squid')) - sleep(1); + + /* make sure pinger is executable */ + if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) + exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger"); + + $log_dir=""; + #check if squid is enabled + if (is_array($config['installedpackages']['squid']['config'])){ + if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; + } + #check if squidreverse is enabled + else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){ + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") + $log_dir="/var/squid/logs/"; + } + #do not start squid if there is no log dir + if ($log_dir != ""){ + if(!is_dir($log_dir)) { + log_error("Creating squid log dir $log_dir"); + make_dirs($log_dir); + squid_chown_recursive($log_dir, 'proxy', 'proxy'); + } + + squid_dash_z(); + + if (!is_service_running('squid')) { + log_error("Starting Squid"); + mwexec(SQUID_LOCALBASE . "/sbin/squid -f " . SQUID_CONFFILE); + } + else { + if (!isset($boot_process)){ + log_error("Reloading Squid for configuration sync"); + mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + } + } + + // Sleep for a couple seconds to give squid a chance to fire up fully. + for ($i=0; $i < 10; $i++) { + if (!is_service_running('squid')) + sleep(1); + } + filter_configure(); } - filter_configure(); conf_mount_ro(); } @@ -1493,7 +1622,42 @@ function squid_generate_rules($type) { global $config; $squid_conf = $config['installedpackages']['squid']['config'][0]; - + + //check captive portal option + $cp_file='/etc/inc/captiveportal.inc'; + $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line){ + $new_line=$line; + //remove applied squid patch + if (preg_match('/} set 1 skipto 65314/',$line)){ + $found_rule++; + $new_line =""; + } + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; + } + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; + } + $new_cp_inc .= $new_line; + } + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + } + + //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; } @@ -1617,16 +1781,21 @@ function squid_generate_rules($type) { } function squid_write_rcfile() { + /* Declare a variable for the SQUID_CONFFILE constant. */ + /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. */ + $squid_conffile_var = SQUID_CONFFILE; + $squid_local_base = SQUID_LOCALBASE; $rc = array(); $rc['file'] = 'squid.sh'; $rc['start'] = <<<EOD -if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then - /usr/local/sbin/squid -D +if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then + {$squid_local_base}/sbin/squid -f {$squid_conffile_var} fi EOD; + $rc['stop'] = <<<EOD -/usr/local/sbin/squid -k shutdown +{$squid_local_base}/sbin/squid -k shutdown -f {$squid_conffile_var} # Just to be sure... sleep 5 killall -9 squid 2>/dev/null @@ -1634,14 +1803,140 @@ killall pinger 2>/dev/null EOD; $rc['restart'] = <<<EOD -if [ -z "`ps auxw | grep "[s]quid -D"|awk '{print $2}'`" ];then - /usr/local/sbin/squid -D +if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then + {$squid_local_base}/sbin/squid -f {$squid_conffile_var} else - /usr/local/sbin/squid -k reconfigure + {$squid_local_base}/sbin/squid -k reconfigure -f {$squid_conffile_var} fi EOD; conf_mount_rw(); write_rcfile($rc); + conf_mount_ro(); } + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function squid_sync_on_changes() { + global $config, $g; + + log_error("[squid] xmlrpc sync is starting."); + $synconchanges = $config['installedpackages']['squidsync']['config'][0]['synconchanges']; + if(!$synconchanges) + return; + foreach ($config['installedpackages']['squidsync']['config'] as $rs ){ + foreach($rs['row'] as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + squid_do_xmlrpc_sync($sync_to_ip, $username, $password); + } + } + log_error("[squid] xmlrpc sync is ending."); +} +/* Do the actual XMLRPC sync */ +function squid_do_xmlrpc_sync($sync_to_ip, $username, $password) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['squid'] = $config['installedpackages']['squid']; + $xml['squidupstream'] = $config['installedpackages']['squidupstream']; + $xml['squidcache'] = $config['installedpackages']['squidcache']; + $xml['squidnac'] = $config['installedpackages']['squidnac']; + $xml['squidtraffic'] = $config['installedpackages']['squidtraffic']; + $xml['squidreversegeneral'] = $config['installedpackages']['squidreversegeneral']; + $xml['squidreversepeer'] = $config['installedpackages']['squidreversepeer']; + $xml['squidreverseuri'] = $config['installedpackages']['squidreverseuri']; + $xml['squidauth'] = $config['installedpackages']['squidauth']; + $xml['squidusers'] = $config['installedpackages']['squidusers']; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning squid XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } else { + log_error("squid XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell squid to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/squid.inc');\n"; + $execcmd .= "squid_resync();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("squid XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } else { + log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} + ?> diff --git a/config/squid-reverse/squid.xml b/config/squid-reverse/squid.xml index 5cb5ea4a..72c10ab6 100644 --- a/config/squid-reverse/squid.xml +++ b/config/squid-reverse/squid.xml @@ -10,6 +10,7 @@ authng.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong + Copyright (C) 2012 Marcello Coutinho All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -46,7 +47,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squid</name> - <version>2.7.STABLE9</version> + <version>3.1.STABLE19</version> <title>Proxy server: General settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <menu> @@ -55,6 +56,12 @@ <section>Services</section> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </menu> + <menu> + <name>Reverse Proxy</name> + <tooltiptext>Modify the proxy reverse server's settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </menu> <service> <name>squid</name> <rcfile>squid.sh</rcfile> @@ -68,15 +75,15 @@ <active/> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -84,17 +91,21 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <!-- Installation --> <additional_files_needed> @@ -105,6 +116,31 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_general.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_peer.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_uri.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid-reverse/squid_cache.xml</item> </additional_files_needed> <additional_files_needed> @@ -120,6 +156,11 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_ng.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid-reverse/squid_traffic.xml</item> </additional_files_needed> <additional_files_needed> @@ -135,30 +176,50 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_auth.xml</item> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_reverse.inc</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_users.xml</item> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_auth.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/etc/rc.d/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/proxy_monitor.sh</item> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_users.xml</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>http://www.pfsense.org/packages/config/squid-reverse/squid_cache.xml</item> + <item>http://www.pfsense.org/packages/config/squid-reverse/sqpmon.sh</item> </additional_files_needed> <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid-reverse/swapstate_check.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_monitor.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_monitor_data.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid-reverse/squid_log_parser.php</item> + </additional_files_needed> + <fields> <field> + <name>Squid General Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Proxy interface</fielddescr> <fieldname>active_interface</fieldname> <description>The interface(s) the proxy server will bind to.</description> @@ -168,6 +229,23 @@ <multiple/> </field> <field> + <fielddescr>Proxy port</fielddescr> + <fieldname>proxy_port</fieldname> + <description>This is the port the proxy server will listen on.</description> + <type>input</type> + <size>5</size> + <required/> + <default_value>3128</default_value> + </field> + <field> + <fielddescr>ICP port</fielddescr> + <fieldname>icp_port</fieldname> + <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> + <type>input</type> + <size>5</size> + </field> + + <field> <fielddescr>Allow users on interface</fielddescr> <fieldname>allow_interface</fieldname> <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description> @@ -178,13 +256,22 @@ <field> <fielddescr>Transparent proxy</fielddescr> <fieldname>transparent_proxy</fieldname> - <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> + <description><![CDATA[Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration necessary.<br> + <strong>NOTE:</strong> Transparent mode does not filter ssl(port 443) or any other http/https port.<br> + To filter both http and https protocol without touching user config, enable WPAD/PAC options on your dns/dhcp.]]></description> <type>checkbox</type> <enablefields>private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields> <required/> </field> <field> - <fielddescr>Bypass proxy for Private Address Space (RFC 1918) destination</fielddescr> + <fielddescr>Patch captive portal</fielddescr> + <fieldname>patch_cp</fieldname> + <description><![CDATA[Enable this option to force captive portal to non transparent proxy users.<br> + <strong>NOTE:</strong> You may need to reapply captive portal config after changing this option.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Bypass proxy for Private Address destination</fielddescr> <fieldname>private_subnet_proxy_off</fieldname> <description>Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall.</description> <type>checkbox</type> @@ -194,14 +281,31 @@ <fieldname>defined_ip_proxy_off</fieldname> <description>Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> - <size>80</size> + <size>70</size> </field> <field> <fielddescr>Bypass proxy for these destination IPs</fielddescr> <fieldname>defined_ip_proxy_off_dest</fieldname> <description>Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description> <type>input</type> - <size>80</size> + <size>70</size> + </field> + <field> + <fielddescr>Resolv dns v4 first</fielddescr> + <fieldname>dns_v4_first</fieldname> + <description><![CDATA[Enable this option to force dns v4 lookup first. This option is very usefull if you have problems to access https sites.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> + <fieldname>dns_nameservers</fieldname> + <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + <field> + <name>Logging Settings</name> + <type>listtopic</type> </field> <field> <fielddescr>Enabled logging</fielddescr> @@ -227,22 +331,6 @@ <size>5</size> </field> <field> - <fielddescr>Proxy port</fielddescr> - <fieldname>proxy_port</fieldname> - <description>This is the port the proxy server will listen on.</description> - <type>input</type> - <size>5</size> - <required/> - <default_value>3128</default_value> - </field> - <field> - <fielddescr>ICP port</fielddescr> - <fieldname>icp_port</fieldname> - <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description> - <type>input</type> - <size>5</size> - </field> - <field> <fielddescr>Visible hostname</fielddescr> <fieldname>visible_hostname</fieldname> <description>This is the URL to be displayed in proxy server error messages.</description> @@ -263,7 +351,7 @@ <fieldname>error_language</fieldname> <description>Select the language in which the proxy server will display error messages to users.</description> <type>select</type> - <default_value>English</default_value> + <default_value>en</default_value> </field> <field> <fielddescr>Disable X-Forward</fielddescr> @@ -307,26 +395,33 @@ </options> </field> <field> - <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr> - <fieldname>dns_nameservers</fieldname> - <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description> - <type>input</type> - <size>60</size> - </field> - <field> <fielddescr>Suppress Squid Version</fielddescr> <fieldname>disable_squidversion</fieldname> <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description> <type>checkbox</type> </field> - <field> - <fielddescr>Custom Options</fielddescr> + <field> + <name>Custom Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Integrations</fielddescr> <fieldname>custom_options</fieldname> - <description>You can put your own custom options here, separated by semi-colons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work.</description> + <description><![CDATA[Squid options added from packages like squidguard or havp for squid integration.]]></description> <type>textarea</type> - <cols>65</cols> + <cols>78</cols> <rows>5</rows> </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom_options_squid3</fieldname> + <description><![CDATA[Put your own custom options here,one per line. They'll be added to the configuration.<br> + <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description> + <type>textarea</type> + <encoding>base64</encoding> + <cols>78</cols> + <rows>10</rows> + </field> </fields> <custom_php_command_before_form> squid_before_form_general(&$pkg); @@ -339,7 +434,7 @@ </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); - exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + unlink_if_exists("/usr/local/etc/rc.d/squid"); </custom_php_resync_config_command> <custom_php_install_command> update_status("Checking Squid cache... One moment please..."); @@ -353,4 +448,4 @@ exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); </custom_php_deinstall_command> <filter_rules_needed>squid_generate_rules</filter_rules_needed> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squid-reverse/squid_auth.xml b/config/squid-reverse/squid_auth.xml index 8d6e046e..307669c5 100644 --- a/config/squid-reverse/squid_auth.xml +++ b/config/squid-reverse/squid_auth.xml @@ -48,22 +48,22 @@ <name>squidauth</name> <version>none</version> <title>Proxy server: Authentication</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -71,21 +71,29 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> <active/> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Authentication General Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Authentication method</fielddescr> <fieldname>auth_method</fieldname> <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description> @@ -102,17 +110,6 @@ <onchange>on_auth_method_changed()</onchange> </field> <field> - <fielddescr>LDAP version</fielddescr> - <fieldname>ldap_version</fieldname> - <description>Enter LDAP protocol version (2 or 3).</description> - <type>select</type> - <default_value>2</default_value> - <options> - <option><name>2</name><value>2</value></option> - <option><name>3</name><value>3</value></option> - </options> - </field> - <field> <fielddescr>Authentication server</fielddescr> <fieldname>auth_server</fieldname> <description>Enter here the IP or hostname of the server that will perform the authentication.</description> @@ -127,11 +124,57 @@ <size>60</size> </field> <field> - <fielddescr>NT domain</fielddescr> - <fieldname>auth_ntdomain</fieldname> - <description>Enter here the NT domain.</description> + <fielddescr>Authentication prompt</fielddescr> + <fieldname>auth_prompt</fieldname> + <description>This string will be displayed at the top of the authentication request window.</description> + <type>input</type> + <default_value>Please enter your credentials to access the proxy</default_value> + </field> + <field> + <fielddescr>Authentication processes</fielddescr> + <fieldname>auth_processes</fieldname> + <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> <size>60</size> + <default_value>5</default_value> + </field> + <field> + <fielddescr>Authentication TTL</fielddescr> + <fieldname>auth_ttl</fieldname> + <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <type>input</type> + <size>60</size> + <default_value>60</default_value> + </field> + <field> + <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> + <fieldname>unrestricted_auth</fieldname> + <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Subnets that don't need authentication</fielddescr> + <fieldname>no_auth_hosts</fieldname> + <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <name>Squid Authentication Ldap Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>LDAP version</fielddescr> + <fieldname>ldap_version</fieldname> + <description>Enter LDAP protocol version (2 or 3).</description> + <type>select</type> + <default_value>2</default_value> + <options> + <option><name>2</name><value>2</value></option> + <option><name>3</name><value>3</value></option> + </options> </field> <field> <fielddescr>LDAP server user DN</fielddescr> @@ -171,10 +214,14 @@ <default_value>(&(objectClass=person)(uid=%s))</default_value> </field> <field> - <fielddescr>RADIUS secret</fielddescr> - <fieldname>radius_secret</fieldname> - <description>The RADIUS secret for RADIUS authentication.</description> - <type>password</type> + <name>Squid Authentication NT Domain Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>NT domain</fielddescr> + <fieldname>auth_ntdomain</fieldname> + <description>Enter here the NT domain.</description> + <type>input</type> <size>60</size> </field> <field> @@ -185,42 +232,15 @@ <size>60</size> </field> <field> - <fielddescr>Authentication prompt</fielddescr> - <fieldname>auth_prompt</fieldname> - <description>This string will be displayed at the top of the authentication request window.</description> - <type>input</type> - <default_value>Please enter your credentials to access the proxy</default_value> + <name>Squid Authentication Radius Settings</name> + <type>listtopic</type> </field> <field> - <fielddescr>Authentication processes</fielddescr> - <fieldname>auth_processes</fieldname> - <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> - <type>input</type> - <size>60</size> - <default_value>5</default_value> - </field> - <field> - <fielddescr>Authentication TTL</fielddescr> - <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> - <type>input</type> + <fielddescr>RADIUS secret</fielddescr> + <fieldname>radius_secret</fieldname> + <description>The RADIUS secret for RADIUS authentication.</description> + <type>password</type> <size>60</size> - <default_value>60</default_value> - </field> - <field> - <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> - <fieldname>unrestricted_auth</fieldname> - <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Subnets that don't need authentication</fielddescr> - <fieldname>no_auth_hosts</fieldname> - <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description> - <type>textarea</type> - <cols>50</cols> - <rows>5</rows> - <encoding>base64</encoding> </field> </fields> <custom_php_validation_command> diff --git a/config/squid-reverse/squid_cache.xml b/config/squid-reverse/squid_cache.xml index beafa5dd..7f371f49 100644 --- a/config/squid-reverse/squid_cache.xml +++ b/config/squid-reverse/squid_cache.xml @@ -48,23 +48,23 @@ <name>squidcache</name> <version>none</version> <title>Proxy server: Cache management</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> <active/> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -72,25 +72,90 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Cache General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Cache replacement policy</fielddescr> + <fieldname>cache_replacement_policy</fieldname> + <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> + <type>select</type> + <default_value>heap LFUDA</default_value> + <options> + <option><name>LRU</name><value>lru</value></option> + <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> + <option><name>Heap GDSF</name><value>heap GDSF</value></option> + <option><name>Heap LRU</name><value>heap LRU</value></option> + </options> + </field> + <field> + <fielddescr>Low-water-mark in %</fielddescr> + <fieldname>cache_swap_low</fieldname> + <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> + <type>input</type> + <size>5</size> + <default_value>90</default_value> + </field> + <field> + <fielddescr>High-water-mark in %</fielddescr> + <fieldname>cache_swap_high</fieldname> + <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> + <type>input</type> + <size>5</size> + <default_value>95</default_value> + </field> + <field> + <fielddescr>Do not cache</fielddescr> + <fieldname>donotcache</fieldname> + <description>Enter each domain or IP address on a new line that should never be cached.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Enable offline mode</fielddescr> + <fieldname>enable_offline</fieldname> + <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>External Cache-Managers</fielddescr> + <fieldname>ext_cachemanager</fieldname> + <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Hard disk cacheSettings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Hard disk cache size</fielddescr> <fieldname>harddisk_cache_size</fieldname> <description>This is the amount of disk space (in megabytes) to use for cached objects.</description> <type>input</type> <required/> + <size>10</size> <default_value>100</default_value> </field> <field> @@ -107,6 +172,22 @@ </options> </field> <field> + <fielddescr>Level 1 subdirectories</fielddescr> + <fieldname>level1_subdirs</fieldname> + <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> + <type>select</type> + <default_value>16</default_value> + <options> + <option><name>4</name><value>4</value></option> + <option><name>8</name><value>8</value></option> + <option><name>16</name><value>16</value></option> + <option><name>32</name><value>32</value></option> + <option><name>64</name><value>64</value></option> + <option><name>128</name><value>128</value></option> + <option><name>256</name><value>256</value></option> + </options> + </field> + <field> <fielddescr>Hard disk cache location</fielddescr> <fieldname>harddisk_cache_location</fieldname> <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description> @@ -116,19 +197,12 @@ <default_value>/var/squid/cache</default_value> </field> <field> - <fielddescr>Memory cache size</fielddescr> - <fieldname>memory_cache_size</fieldname> - <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> - <type>input</type> - <required/> - <default_value>8</default_value> - </field> - <field> <fielddescr>Minimum object size</fielddescr> <fieldname>minimum_object_size</fieldname> <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description> <type>input</type> <required /> + <size>10</size> <default_value>0</default_value> </field> <field> @@ -137,33 +211,32 @@ <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description> <type>input</type> <required/> + <size>10</size> <default_value>4</default_value> </field> <field> + <name>Squid Memory Cache Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Memory cache size</fielddescr> + <fieldname>memory_cache_size</fieldname> + <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description> + <type>input</type> + <size>10</size> + <required/> + <default_value>8</default_value> + </field> + <field> <fielddescr>Maximum object size in RAM</fielddescr> <fieldname>maximum_objsize_in_mem</fieldname> <description>Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32.</description> <type>input</type> + <size>10</size> <required/> <default_value>32</default_value> </field> <field> - <fielddescr>Level 1 subdirectories</fielddescr> - <fieldname>level1_subdirs</fieldname> - <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description> - <type>select</type> - <default_value>16</default_value> - <options> - <option><name>4</name><value>4</value></option> - <option><name>8</name><value>8</value></option> - <option><name>16</name><value>16</value></option> - <option><name>32</name><value>32</value></option> - <option><name>64</name><value>64</value></option> - <option><name>128</name><value>128</value></option> - <option><name>256</name><value>256</value></option> - </options> - </field> - <field> <fielddescr>Memory replacement policy</fielddescr> <fieldname>memory_replacement_policy</fieldname> <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description> @@ -177,48 +250,36 @@ </options> </field> <field> - <fielddescr>Cache replacement policy</fielddescr> - <fieldname>cache_replacement_policy</fieldname> - <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description> - <type>select</type> - <default_value>heap LFUDA</default_value> - <options> - <option><name>LRU</name><value>lru</value></option> - <option><name>Heap LFUDA</name><value>heap LFUDA</value></option> - <option><name>Heap GDSF</name><value>heap GDSF</value></option> - <option><name>Heap LRU</name><value>heap LRU</value></option> - </options> - </field> - <field> - <fielddescr>Low-water-mark in %</fielddescr> - <fieldname>cache_swap_low</fieldname> - <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description> - <type>input</type> - <default_value>90</default_value> - </field> - <field> - <fielddescr>High-water-mark in %</fielddescr> - <fieldname>cache_swap_high</fieldname> - <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description> - <type>input</type> - <default_value>95</default_value> + <name>Dynamic and Update Content</name> + <type>listtopic</type> </field> <field> - <fielddescr>Do not cache</fielddescr> - <fieldname>donotcache</fieldname> - <description>Enter each domain or IP address on a new line that should never be cached.</description> - <type>textarea</type> - <cols>50</cols> - <rows>5</rows> - <encoding>base64</encoding> - </field> - <field> - <fielddescr>Enable offline mode</fielddescr> - <fieldname>enable_offline</fieldname> - <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description> + <fielddescr>Cache Dynamic Content</fielddescr> + <fieldname>cache_dynamic_content</fieldname> + <description><![CDATA[Select this option to <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent'>enable caching of dynamic content.</a><br> + ]]></description> <type>checkbox</type> - <required/> + <size>10</size> </field> + <field> + <fielddescr>Refresh Patterns</fielddescr> + <fieldname>refresh_patterns</fieldname> + <description><![CDATA[With dynamic cache enabled, you can also apply squid wiki refresh_patterns to sites like <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube'>Youtube</a> and <a target=_new href='http://wiki.squid-cache.org/SquidFaq/WindowsUpdate'>windowsupdate</a><br> + <br><strong>Notes:</strong><br> + Squid wiki suggests 'Finish transfer if less than x KB remaining' on 'traffic mgmt' squid tab to -1 but you can apply your own values to control cache.<br><br> + set Maximum download size on 'traffic mgmt' squid tab to a value that fits patterns your are applying.<br>Microsoft may need 200Mb and youtube 4GB.]]></description> + <type>select</type> + <default_value>none</default_value> + <options> + <option><name>Youtube</name><value>youtube</value></option> + <option><name>Windows Update</name><value>windows</value></option> + <option><name>Symantec Antivirus</name><value>symantec</value></option> + <option><name>Avira</name><value>avira</value></option> + <option><name>Avast</name><value>avast</value></option> + </options> + <multiple/> + <size>06</size> + </field> </fields> <custom_php_command_before_form> if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { diff --git a/config/squid-reverse/squid_log_parser.php b/config/squid-reverse/squid_log_parser.php new file mode 100755 index 00000000..f6cd7de8 --- /dev/null +++ b/config/squid-reverse/squid_log_parser.php @@ -0,0 +1,57 @@ +#!/usr/local/bin/php -q +<?php +/* ========================================================================== */ +/* + squid_log_parser.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +# ------------------------------------------------------------------------------ +# Simple Squid Log parser to rewrite line with date/time human readable +# Usage: cat /var/squid/log/access.log | parser_squid_log.php +# ------------------------------------------------------------------------------ + +$logline = fopen("php://stdin", "r"); +while(!feof($logline)) { + $line = fgets($logline); + $line = rtrim($line); + if ($line != "") { + $fields = explode(' ', $line); + // Apply date format + $fields[0] = date("d.m.Y H:i:s",$fields[0]); + foreach($fields as $field) { + // Write the Squid log line with date/time human readable + echo "{$field} "; + } + echo "\n"; + } +} +fclose($logline); +?>
\ No newline at end of file diff --git a/config/squid-reverse/squid_monitor.php b/config/squid-reverse/squid_monitor.php new file mode 100644 index 00000000..22d7dfcc --- /dev/null +++ b/config/squid-reverse/squid_monitor.php @@ -0,0 +1,196 @@ +<?php +/* ========================================================================== */ +/* + squid_monitor.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + +require_once("/etc/inc/util.inc"); +require_once("/etc/inc/functions.inc"); +require_once("/etc/inc/pkg-utils.inc"); +require_once("/etc/inc/globals.inc"); +require_once("guiconfig.inc"); + +$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); +if(strstr($pfSversion, "1.2")) + $one_two = true; + +$pgtitle = "Status: Proxy Monitor"; +include("head.inc"); +?> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> + +<?php if($one_two): ?> + + <p class="pgtitle"><?=$pgtitle?></font></p> + +<?php endif; ?> + +<?php if ($savemsg) print_info_box($savemsg); ?> + +<!-- Function to call programs logs --> +<script language="JavaScript"> + function showLog(content,url,program) + { + new PeriodicalExecuter(function(pe) { + new Ajax.Updater(content, url, { + method: 'post', + asynchronous: true, + evalScripts: true, + parameters: { maxlines: $('maxlines').getValue(), + strfilter: $('strfilter').getValue(), + program: program } + }) + }, 1) + } +</script> +<div id="mainlevel"> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr><td> + <?php + $tab_array = array(); + if ($_REQUEST["menu"]=="reverse"){ + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid_reverse_general.xml&id=0"); + $tab_array[] = array(gettext("Web Servers"), false, "/pkg.php?xml=squid_reverse_peer.xml"); + $tab_array[] = array(gettext("Mappings"), false, "/pkg.php?xml=squid_reverse_uri.xml"); + $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php?menu=reverse"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_reverse_sync.xml"); + } + else{ + $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid.xml&id=0"); + $tab_array[] = array(gettext("Remote Cache"), false, "/pkg.php?xml=squid_upstream.xml"); + $tab_array[] = array(gettext("Local Cache"), false, "/pkg_edit.php?xml=squid_cache.xml&id=0"); + $tab_array[] = array(gettext("ACLs"), false, "/pkg_edit.php?xml=squid_nac.xml&id=0"); + $tab_array[] = array(gettext("Traffic Mgmt"), false, "/pkg_edit.php?xml=squid_traffic.xml&id=0"); + $tab_array[] = array(gettext("Authentication"), false, "/pkg_edit.php?xml=squid_auth.xml&id=0"); + $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=squid_users.xml"); + $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php"); + $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_sync.xml"); + } + display_top_tabs($tab_array); + ?> +</td></tr> + <tr> + <td> +<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; "> + <form id="paramsForm" name="paramsForm" method="post"> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6"> + <tbody> + <tr> + <td width="22%" valign="top" class="vncellreq">Max lines:</td> + <td width="78%" class="vtable"> + <select name="maxlines" id="maxlines"> + <option value="5">5 lines</option> + <option value="10" selected="selected">10 lines</option> + <option value="15">15 lines</option> + <option value="20">20 lines</option> + <option value="25">25 lines</option> + <option value="30">30 lines</option> + </select> + <br/> + <span class="vexpl"> + <?=gettext("Max. lines to be displayed.");?> + </span> + </td> + </tr> + <tr> + <td width="22%" valign="top" class="vncellreq">String filter:</td> + <td width="78%" class="vtable"> + <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value=""> + <br/> + <span class="vexpl"> + <?=gettext("Enter a grep like string/pattern to filterlog.");?><br> + <?=gettext("eg. username, ip addr, url.");?><br> + <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?> + </span> + </td> + </tr> + </tbody> + </table> + </form> + + <!-- Squid Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="6" class="listtopic"><center><?=gettext("Squid Logs"); ?><center></td> + </tr> + <tbody id="squidView"> + <script language="JavaScript"> + // Call function to show squid log + showLog('squidView', 'squid_monitor_data.php','squid'); + </script> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> +<?php if ($_REQUEST["menu"]!="reverse"){?> + <!-- SquidGuard Table --> + <table width="100%" border="0" cellpadding="0" cellspacing="0"> + <tbody> + <tr> + <td> + <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0"> + <tr> + <td colspan="5" class="listtopic"><center><?=gettext("SquidGuard Logs"); ?><center></td> + </tr> + <tbody id="sguardView"> + <script language="JavaScript"> + // Call function to show squidGuard log + showLog('sguardView', 'squid_monitor_data.php','sguard'); + </script> + </tbody> + </table> + </td> + </tr> + </tbody> + </table> +</div> +<?php }?> +</td> +</tr> +</table> +</div> + + +<?php +include("fend.inc"); +?> + +</body> +</html> diff --git a/config/squid-reverse/squid_monitor_data.php b/config/squid-reverse/squid_monitor_data.php new file mode 100644 index 00000000..7e27919d --- /dev/null +++ b/config/squid-reverse/squid_monitor_data.php @@ -0,0 +1,175 @@ +<?php +/* ========================================================================== */ +/* + squid_monitor_data.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012 Carlos Cesario - carloscesario@gmail.com + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ +# ------------------------------------------------------------------------------ +# Defines +# ------------------------------------------------------------------------------ +require_once("guiconfig.inc"); + +# ------------------------------------------------------------------------------ +# Requests +# ------------------------------------------------------------------------------ +if ($_POST) { + # Actions + $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_POST['strfilter'])); + $program = strtolower($_POST['program']); + switch ($program) { + case 'squid': + // Define log file + $log='/var/squid/logs/access.log'; + //show table headers + show_tds(array("Date","IP","Status","Address","User","Destination")); + //fetch lines + $logarr=fetch_log($log); + // Print lines + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); + + // Apply date format to first line + //$logline[0] = date("d.m.Y H:i:s",$logline[0]); + + // Word wrap the URL + $logline[7] = htmlentities($logline[7]); + $logline[7] = html_autowrap($logline[7]); + + // Remove /(slash) in destination row + $logline_dest = preg_split("/\//", $logline[9]); + + // Apply filter and color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + echo "<tr valign=\"top\">\n"; + echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n"; + echo "<td class=\"listr\">{$logline[3]}</td>\n"; + echo "<td class=\"listr\">{$logline[4]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$logline[7]}</td>\n"; + echo "<td class=\"listr\">{$logline[8]}</td>\n"; + echo "<td class=\"listr\">{$logline_dest[1]}</td>\n"; + echo "</tr>\n"; + } + break; + case 'sguard'; + $log='/var/squidGuard/log/block.log'; + //show table headers + show_tds(array("Date-Time","ACL","Address","Host","User")); + //fetch lines + $logarr=fetch_log($log); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y", strtotime($logline[0])); + + // Word wrap the URL + $logline[4] = htmlentities($logline[4]); + $logline[4] = html_autowrap($logline[4]); + + + // Apply filter color + // Need validate special chars + if ($filter != "") + $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline); + + + echo "<tr>\n"; + echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n"; + echo "<td class=\"listr\">{$logline[3]}</td>\n"; + echo "<td class=\"listr\" width=\"*\">{$logline[4]}</td>\n"; + echo "<td class=\"listr\">{$logline[5]}</td>\n"; + echo "<td class=\"listr\">{$logline[6]}</td>\n"; + echo "</tr>\n"; + } + break; + } +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + +// From SquidGuard Package +function html_autowrap($cont) +{ + # split strings + $p = 0; + $pstep = 25; + $str = $cont; + $cont = ''; + for ( $p = 0; $p < strlen($str); $p += $pstep ) { + $s = substr( $str, $p, $pstep ); + if ( !$s ) break; + $cont .= $s . "<wbr/>"; + } + return $cont; +} + + +// Show Squid Logs +function fetch_log($log){ + global $filter,$program; + // Get Data from form post + $lines = $_POST['maxlines']; + if (preg_match("/!/",htmlspecialchars($_POST['strfilter']))) + $grep_arg="-iv"; + else + $grep_arg="-i"; + + //Check program to execute or no the parser + if($program == "squid") + $parser = "| php -q squid_log_parser.php"; + else + $parser = ""; + + // Get logs based in filter expression + if($filter != "") { + exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines} {$parser} " , $logarr); + } + else { + exec("tail -r -n {$lines} {$log} {$parser}", $logarr); + } + // return logs + return $logarr; +}; + +function show_tds($tds){ + echo "<tr valign='top'>\n"; + foreach ($tds as $td){ + echo "<td class='listhdrr'>".gettext($td)."</td>\n"; + } + echo "</tr>\n"; +} + +?> diff --git a/config/squid-reverse/squid_nac.xml b/config/squid-reverse/squid_nac.xml index 7b333141..bc4a278e 100644 --- a/config/squid-reverse/squid_nac.xml +++ b/config/squid-reverse/squid_nac.xml @@ -48,22 +48,22 @@ <name>squidnac</name> <version>none</version> <title>Proxy server: Access control</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> <active/> </tab> @@ -72,20 +72,28 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Access Control Lists</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Allowed subnets</fielddescr> <fieldname>allowed_subnets</fieldname> <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description> @@ -97,7 +105,7 @@ <field> <fielddescr>Unrestricted IPs</fielddescr> <fieldname>unrestricted_hosts</fieldname> - <description>Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page.</description> + <description>Enter unrestricted IP address / network(in CIDR format) on a new line that is not to be filtered out by the other access control directives set in this page.</description> <type>textarea</type> <cols>50</cols> <rows>5</rows> @@ -106,7 +114,7 @@ <field> <fielddescr>Banned host addresses</fielddescr> <fieldname>banned_hosts</fieldname> - <description>Enter each IP address on a new line that is not to be allowed to use the proxy.</description> + <description>Enter each IP address / network(in CIDR format) on a new line that is not to be allowed to use the proxy.</description> <type>textarea</type> <cols>50</cols> <rows>5</rows> @@ -131,12 +139,9 @@ <encoding>base64</encoding> </field> <field> - <fielddescr>External Cache-Managers</fielddescr> - <fieldname>ext_cachemanager</fieldname> - <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description> - <type>input</type> - <size>60</size> - </field> + <name>Squid Allowed ports</name> + <type>listtopic</type> + </field> <field> <fielddescr>acl safeports</fielddescr> <fieldname>addtl_ports</fieldname> diff --git a/config/squid-reverse/squid_ng.inc b/config/squid-reverse/squid_ng.inc index 03f6d48c..b0604b02 100644 --- a/config/squid-reverse/squid_ng.inc +++ b/config/squid-reverse/squid_ng.inc @@ -796,11 +796,11 @@ function global_write_squid_config() touch($squidconfig); } /* end function write_squid_config */ -function custom_php_install_command() { +function squid3_custom_php_install_command() { /* write initial static config for transparent proxy */ write_static_squid_config(); - touch("/tmp/custom_php_install_command"); + touch("/tmp/squid3_custom_php_install_command"); /* make sure this all exists, see: * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 @@ -903,7 +903,7 @@ function custom_php_install_command() { start_service("squid"); } -function custom_php_deinstall_command() { +function squid3_custom_php_deinstall_command() { update_output_window("Stopping proxy service..."); stop_service("squid"); sleep(1); diff --git a/config/squid-reverse/squid_ng.xml b/config/squid-reverse/squid_ng.xml index 5d956387..142536d6 100644 --- a/config/squid-reverse/squid_ng.xml +++ b/config/squid-reverse/squid_ng.xml @@ -255,13 +255,13 @@ start_service("squid"); </custom_add_php_command_late> <custom_php_install_command> - custom_php_install_command(); + squid3_custom_php_install_command(); write_static_squid_config(); mwexec("/usr/local/sbin/squid -k reconfigure"); start_service("squid"); </custom_php_install_command> <custom_php_deinstall_command> - custom_php_deinstall_command(); + squid3_custom_php_deinstall_command(); stop_service("squid"); </custom_php_deinstall_command> </packagegui> diff --git a/config/squid-reverse/squid_reverse.inc b/config/squid-reverse/squid_reverse.inc new file mode 100644 index 00000000..652931c8 --- /dev/null +++ b/config/squid-reverse/squid_reverse.inc @@ -0,0 +1,187 @@ +<?php +/* $Id$ */ +/* + squid_reverse.inc + Copyright (C) 2012 Martin Fuchs + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +function squid_resync_reverse() { + global $config; + //if(!is_array($valid_acls)) + // return; + + //CONFIG FILE + if (is_array($config['installedpackages']['squidreversegeneral'])) + $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + if (is_array($config['installedpackages']['squidreversepeer'])) + $reverse_peers=$config['installedpackages']['squidreversepeer']['config']; + if (is_array($config['installedpackages']['squidreverseuri'])) + $reverse_maps=$config['installedpackages']['squidreverseuri']['config']; + + $conf = "# Reverse Proxy settings\n"; + + if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { + $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt'])); + $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv'])); + $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; + } + } + } + + if (!empty($settings['reverse_int_ca'])) + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); + + $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); + $real_ifaces = array(); + + #set HTTP port and defsite + $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']); + $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']); + + #set HTTPS port and defsite + $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']); + $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']); + + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + //HTTP + if (!empty($settings['reverse_http'])) + $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https'])) + $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } + } + + if(!empty($settings['reverse_ip'])) { + $reverse_ip = explode(";", ($settings['reverse_ip'])); + foreach ($reverse_ip as $reip) { + //HTTP + if (!empty($settings['reverse_http'])) + $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https'])) + $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } + } + + //PEERS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) + $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_pfs\n"; + + $active_peers=array(); + if (is_array($reverse_peers)) + foreach ($reverse_peers as $rp){ + if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){ + $conf_peer = "#{$rp['description']}\n"; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASS "; + if($rp['protocol'] == 'HTTPS') + $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf_peer .= "name=rvp_{$rp['name']}\n\n"; + + // add peer only if reverse proxy is enabled for http + if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){ + $conf .= $conf_peer; + array_push($active_peers,$rp['name']); + } + // add peer only if if reverse proxy is enabled for https + if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){ + if (!in_array($rp['name'],$active_peers)){ + $conf .= $conf_peer; + array_push($active_peers,$rp['name']); + } + } + } + } + + //ACLS and MAPPINGS + + //create an empty owa_dirs to populate based on user selected options + $owa_dirs=array(); + if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){ + if(!empty($settings['reverse_owa_ip'])){ + array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB'); + if($settings['reverse_owa_activesync']) + array_push($owa_dirs,'Microsoft-Server-ActiveSync'); + if($settings['reverse_owa_rpchttp']) + array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); + if($settings['reverse_owa_autodiscover']) + array_push($owa_dirs,'autodiscover'); + if($settings['reverse_owa_webservice']){ + array_push($owa_dirs,'EWS'); + $conf .= "ignore_expect_100 on\n"; + } + } + if (is_array($owa_dirs)) + foreach ($owa_dirs as $owa_dir) + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n"; + } + //$conf .= "ssl_unclean_shutdown on"; + if (is_array($reverse_maps)) + foreach ($reverse_maps as $rm){ + if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!=""){ + if (is_array($rm['row'])) + foreach ($rm['row'] as $uri){ + $url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] ); + //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n"; + $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n"; + if($rm['name'] != $last_rm_name){ + $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n"; + $http_access_conf .= "http_access allow rvm_{$rm['name']}\n"; + foreach (explode(',',$rm['peers']) as $map_peer) + if (in_array($map_peer,$active_peers)){ + $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n"; + $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n"; + } + $last_rm_name=$rm['name']; + } + } + } + } + + //ACCESS + if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") { + $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; + $conf .= "cache_peer_access OWA_HOST_pfs deny allsrc\n"; + $conf .= "never_direct allow OWA_URI_pfs\n"; + $conf .= "http_access allow OWA_URI_pfs\n"; + } + + $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; + + if (!empty($settings['deny_info_tcp_reset'])) + $conf .= "deny_info TCP_RESET allsrc\n"; + + return $conf; +} +?> diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index d921254f..ce09f8e7 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -50,47 +50,54 @@ <title>Proxy server: Reverse Proxy</title> <include_file>squid.inc</include_file> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> + <text>Upstream</text> <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> <text>Traffic Mgmt</text> <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> - </tab> - <tab> - <text>Reverse Proxy</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - <active/> </tab> <tab> - <text>Reverse Settings</text> + <text>Reverse</text> <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> <active/> - </tab> + </tab> <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <fields> <field> + <name>Squid Reverse proxy General Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Reverse Proxy interface</fielddescr> <fieldname>reverse_interface</fieldname> <description>The interface(s) the reverse-proxy server will bind to.</description> @@ -100,12 +107,30 @@ <multiple/> </field> <field> + <fielddescr>User-defined reverse-proxy IPs</fielddescr> + <fieldname>reverse_ip</fieldname> + <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + <field> <fielddescr>external FQDN</fielddescr> <fieldname>reverse_external_fqdn</fieldname> <description>The external full-qualified-domain-name of the WAN address.</description> <type>input</type> <required/> - <size>80</size> + <size>70</size> + </field> + <field> + <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> + <fieldname>deny_info_tcp_reset</fieldname> + <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>Squid Reverse HTTP Settings</name> + <type>listtopic</type> </field> <field> <fielddescr>Enable HTTP reverse mode</fielddescr> @@ -131,15 +156,19 @@ <type>input</type> <size>60</size> </field> - <field> + <field> + <name>Squid Reverse HTTPS Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Enable HTTPS reverse proxy</fielddescr> <fieldname>reverse_https</fieldname> - <description>If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access.</description> + <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> <type>checkbox</type> - <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid,reverse_ssl_chain</enablefields> + <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> <required/> <default_value>off</default_value> - </field> + </field> <field> <fielddescr>reverse HTTPS port</fielddescr> <fieldname>reverse_https_port</fieldname> @@ -159,12 +188,12 @@ <fielddescr>reverse SSL certificate</fielddescr> <fieldname>reverse_ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> - <source><![CDATA[squid_get_server_certs()]]></source> + <type>select_source</type> + <source><![CDATA[$config['cert']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> </field> - <field> + <field> <fielddescr>intermediate CA certificate (if needed)</fielddescr> <fieldname>reverse_int_ca</fieldname> <description>Paste a signed certificate in X.509 PEM format here.</description> @@ -174,53 +203,62 @@ <encoding>base64</encoding> </field> <field> - <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> - <fieldname>deny_info_tcp_reset</fieldname> - <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> - <type>checkbox</type> - <default_value>on</default_value> - </field> - <field> <fielddescr>Ignore internal Certificate validation</fielddescr> <fieldname>reverse_ignore_ssl_valid</fieldname> <description>If this field is checked, internal certificate validation will be ignored.</description> <type>checkbox</type> <default_value>on</default_value> </field> - <field> + <field> <fielddescr>Enable OWA reverse proxy</fielddescr> <fieldname>reverse_owa</fieldname> - <description>If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access.</description> + <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description> <type>checkbox</type> - <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp</enablefields> - </field> + <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> + </field> <field> <fielddescr>OWA frontend IP address</fielddescr> <fieldname>reverse_owa_ip</fieldname> <description>This is the internal IP Address of the OWA frontend server.</description> <type>input</type> <size>15</size> - <default_value>localhost</default_value> </field> <field> <fielddescr>Enable ActiveSync</fielddescr> <fieldname>reverse_owa_activesync</fieldname> - <description>If this field is checked, ActiveSync support will be enabled.</description> + <description>If this field is checked, ActiveSync will be enabled.</description> <type>checkbox</type> </field> <field> <fielddescr>Enable Outlook Anywhere</fielddescr> <fieldname>reverse_owa_rpchttp</fieldname> - <description>If this field is checked, RPC over HTTP support will be enabled.</description> + <description>If this field is checked, RPC over HTTP will be enabled.</description> <type>checkbox</type> - <enablefields>extension_methods</enablefields> </field> - + <field> + <fielddescr>Enable Exchange WebServices</fielddescr> + <fieldname>reverse_owa_webservice</fieldname> + <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br> + <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable AutoDiscover</fielddescr> + <fieldname>reverse_owa_autodiscover</fieldname> + <description>If this field is checked, AutoDiscover will be enabled.</description> + <type>checkbox</type> + </field> + <field> + <name>Squid Reverse Mappings</name> + <type>listtopic</type> + </field> <field> <fielddescr><b>peer definitions</b> <br>publishing hosts</fielddescr> <fieldname>reverse_cache_peer</fieldname> - <description>Enter each peer definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS] <br>example: HOST1;192.168.0.1;80;HTTP <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> - </description> + <description><![CDATA[Enter each peer definition on a new line. Directives have to be separated by a semicolon(;).<BR> + syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS]<br> + example: HOST1;192.168.0.1;80;HTTP<br> + <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description> <type>textarea</type> <cols>60</cols> <rows>10</rows> @@ -228,9 +266,12 @@ </field> <field> <fielddescr><b>URI definitions</b> <br>published URIs</fielddescr> - <fieldname>revrse_uri</fieldname> - <description>Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;).<br>syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <br>(a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://) <br>example: URI1;public;server.pfsense.org. <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> - </description> + <fieldname>reverse_uri</fieldname> + <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;)<BR> + syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <BR> + (a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://)<BR> + example: URI1;public;server.pfsense.org.<BR> + <STRONG>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</STRONG>]]></description> <type>textarea</type> <cols>60</cols> <rows>10</rows> @@ -239,8 +280,9 @@ <field> <fielddescr><b>ACL definitions</b> <br>published URIs</fielddescr> <fieldname>reverse_acl</fieldname> - <description>Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> - </description> + <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br> + syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br> + <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description> <type>textarea</type> <cols>60</cols> <rows>10</rows> diff --git a/config/squid-reverse/squid_reverse_general.xml b/config/squid-reverse/squid_reverse_general.xml new file mode 100644 index 00000000..ec0bcb7a --- /dev/null +++ b/config/squid-reverse/squid_reverse_general.xml @@ -0,0 +1,245 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_general.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreversegeneral</name> + <version>none</version> + <title>Reverse Proxy server: General</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + </tab> + </tabs> + <fields> + <field> + <name>Squid Reverse proxy General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Reverse Proxy interface</fielddescr> + <fieldname>reverse_interface</fieldname> + <description>The interface(s) the reverse-proxy server will bind to.</description> + <type>interfaces_selection</type> + <required/> + <default_value>wan</default_value> + <multiple/> + </field> + <field> + <fielddescr>User-defined reverse-proxy IPs</fielddescr> + <fieldname>reverse_ip</fieldname> + <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + <field> + <fielddescr>external FQDN</fielddescr> + <fieldname>reverse_external_fqdn</fieldname> + <description>The external full-qualified-domain-name of the WAN address.</description> + <type>input</type> + <required/> + <size>70</size> + </field> + <field> + <fielddescr>Reset TCP connections if request is unauthorized</fielddescr> + <fieldname>deny_info_tcp_reset</fieldname> + <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>Squid Reverse HTTP Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable HTTP reverse mode</fielddescr> + <fieldname>reverse_http</fieldname> + <description>If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <type>checkbox</type> + <enablefields>reverse_http_port,reverse_http_defsite</enablefields> + <required/> + <default_value>off</default_value> + </field> + <field> + <fielddescr>reverse HTTP port</fielddescr> + <fieldname>reverse_http_port</fieldname> + <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description> + <type>input</type> + <size>5</size> + <default_value>80</default_value> + </field> + <field> + <fielddescr>reverse HTTP default site</fielddescr> + <fieldname>reverse_http_defsite</fieldname> + <description>This is the HTTP reverse default site. (leave empty to use the external fqdn)</description> + <type>input</type> + <size>60</size> + </field> + <field> + <name>Squid Reverse HTTPS Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable HTTPS reverse proxy</fielddescr> + <fieldname>reverse_https</fieldname> + <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address")</description> + <type>checkbox</type> + <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields> + <required/> + <default_value>off</default_value> + </field> + <field> + <fielddescr>reverse HTTPS port</fielddescr> + <fieldname>reverse_https_port</fieldname> + <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description> + <type>input</type> + <size>5</size> + <default_value>443</default_value> + </field> + <field> + <fielddescr>reverse HTTPS default site</fielddescr> + <fieldname>reverse_https_defsite</fieldname> + <description>This is the HTTPS reverse default site. (leave empty to use the external fqdn)</description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>reverse SSL certificate</fielddescr> + <fieldname>reverse_ssl_cert</fieldname> + <description>Choose the SSL Server Certificate here.</description> + <type>select_source</type> + <source><![CDATA[$config['cert']]]></source> + <source_name>descr</source_name> + <source_value>refid</source_value> + </field> + <field> + <fielddescr>intermediate CA certificate (if needed)</fielddescr> + <fieldname>reverse_int_ca</fieldname> + <description>Paste a signed certificate in X.509 PEM format here.</description> + <type>textarea</type> + <cols>50</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <fielddescr>Ignore internal Certificate validation</fielddescr> + <fieldname>reverse_ignore_ssl_valid</fieldname> + <description>If this field is checked, internal certificate validation will be ignored.</description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <name>OWA Reverse proxy General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable OWA reverse proxy</fielddescr> + <fieldname>reverse_owa</fieldname> + <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description> + <type>checkbox</type> + <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields> + </field> + <field> + <fielddescr>OWA frontend IP address</fielddescr> + <fieldname>reverse_owa_ip</fieldname> + <description>This is the internal IP Address of the OWA frontend server.</description> + <type>input</type> + <size>15</size> + </field> + <field> + <fielddescr>Enable ActiveSync</fielddescr> + <fieldname>reverse_owa_activesync</fieldname> + <description>If this field is checked, ActiveSync will be enabled.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable Outlook Anywhere</fielddescr> + <fieldname>reverse_owa_rpchttp</fieldname> + <description>If this field is checked, RPC over HTTP will be enabled.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable Exchange WebServices</fielddescr> + <fieldname>reverse_owa_webservice</fieldname> + <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br> + <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable AutoDiscover</fielddescr> + <fieldname>reverse_owa_autodiscover</fieldname> + <description>If this field is checked, AutoDiscover will be enabled.</description> + <type>checkbox</type> + </field> + </fields> + <custom_php_command_before_form> + squid_before_form_general(&$pkg); + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_reverse($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_reverse_peer.xml b/config/squid-reverse/squid_reverse_peer.xml new file mode 100644 index 00000000..6341567e --- /dev/null +++ b/config/squid-reverse/squid_reverse_peer.xml @@ -0,0 +1,163 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_peer.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreversepeer</name> + <version>none</version> + <title>Reverse Proxy server: Peers</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + <active/> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Alias</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Ip address</fielddescr> + <fieldname>ip</fieldname> + </columnitem> + <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + </columnitem> + <columnitem> + <fielddescr>Protocol</fielddescr> + <fieldname>Protocol</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Reverse Peer Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this peer</fielddescr> + <fieldname>enable</fieldname> + <description>If this field is checked, then this peer will be available for reverse config.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Peer Alias</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this peer on squid reverse conf<br> + example: HOST1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Peer IP</fielddescr> + <fieldname>ip</fieldname> + <description><![CDATA[Ip Address of this peer.<br> + example: 192.168.0.1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Peer Port</fielddescr> + <fieldname>port</fieldname> + <description><![CDATA[Listening port of this peer.<br> + example: 80]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Peer Protocol</fielddescr> + <fieldname>protocol</fieldname> + <description><![CDATA[Protocol listening on this peer port.]]></description> + <type>select</type> + <options> + <option> <name>HTTP</name> <value>HTTP</value> </option> + <option> <name>HTTPS</name> <value>HTTPS</value> </option> + </options> + </field> + <field> + <fielddescr>Peer Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[Peer Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + </fields> + <custom_php_command_before_form> + squid_before_form_general(&$pkg); + </custom_php_command_before_form> + <custom_php_validation_command> + squid_validate_reverse($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_reverse_sync.xml b/config/squid-reverse/squid_reverse_sync.xml new file mode 100755 index 00000000..408f14f1 --- /dev/null +++ b/config/squid-reverse/squid_reverse_sync.xml @@ -0,0 +1,109 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidsync</name> + <version>1.0</version> + <title>Reverse Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync squid(normal and reverse) changes to the hosts defined below.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-reverse/squid_reverse_uri.xml b/config/squid-reverse/squid_reverse_uri.xml new file mode 100644 index 00000000..81c9af3b --- /dev/null +++ b/config/squid-reverse/squid_reverse_uri.xml @@ -0,0 +1,155 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_reverse_general.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidreverseuri</name> + <version>none</version> + <title>Reverse Proxy server: Mappings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid_reverse_general.xml&id=0</url> + </tab> + <tab> + <text>Web Servers</text> + <url>/pkg.php?xml=squid_reverse_peer.xml</url> + </tab> + <tab> + <text>Mappings</text> + <url>/pkg.php?xml=squid_reverse_uri.xml</url> + <active/> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php?menu=reverse</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_reverse_sync.xml&id=0</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>Group Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Peers</fielddescr> + <fieldname>peers</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Squid Reverse Peer Mappings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable this URI</fielddescr> + <fieldname>enable</fieldname> + <description><![CDATA[If this field is checked, then this URI(Uniform Resource Name) will be available for reverse config.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Group name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Name to identify this URI on squid reverse conf<br> + example: URI1]]></description> + <type>input</type> + <size>20</size> + </field> + <field> + <fielddescr>Group Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[URI Group Description (optional)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>Peers</fielddescr> + <fieldname>peers</fieldname> + <description><![CDATA[Apply this Group Mappings to selected Peers<br> + Use CTRL + click to select.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['squidreversepeer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>05</size> + </field> + <field> + <fielddescr><![CDATA[URIs]]></fielddescr> + <fieldname>none</fieldname> + <description><![CDATA[URI to publish]]></description> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr><![CDATA[<strong>Url regex to match</strong><br><br> + Samples: .mydomain.com .mydomain.com/test<br> + www.mydomain.com http://www.mydomain.com/ ^http://www.mydomain.com/.*$]]></fielddescr> + <fieldname>uri</fieldname> + <type>input</type> + <size>70</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui>
\ No newline at end of file diff --git a/config/squid-reverse/squid_sync.xml b/config/squid-reverse/squid_sync.xml new file mode 100755 index 00000000..62a726f4 --- /dev/null +++ b/config/squid-reverse/squid_sync.xml @@ -0,0 +1,125 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + squid_sync.xml + part of the sarg package for pfSense + Copyright (C) 2012 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidsync</name> + <version>1.0</version> + <title>Proxy server: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squid.inc</include_file> + <tabs> + <tab> + <text>General</text> + <url>/pkg_edit.php?xml=squid.xml&id=0</url> + </tab> + <tab> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> + </tab> + <tab> + <text>Local Cache</text> + <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> + </tab> + <tab> + <text>Traffic Mgmt</text> + <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> + </tab> + <tab> + <text>Authentication</text> + <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> + </tab> + <tab> + <text>Users</text> + <url>/pkg.php?xml=squid_users.xml</url> + </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync squid configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Automatically sync squid(normal and reverse) changes to the hosts defined below.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + squid_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squid-reverse/squid_traffic.xml b/config/squid-reverse/squid_traffic.xml index c56ca73f..62269792 100644 --- a/config/squid-reverse/squid_traffic.xml +++ b/config/squid-reverse/squid_traffic.xml @@ -48,22 +48,22 @@ <name>squidtraffic</name> <version>none</version> <title>Proxy server: Traffic management</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> - <text>General</text> + <tab> + <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -72,24 +72,33 @@ <active/> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> - </tabs> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> + </tabs> <fields> <field> + <name>Squid Traffic Managment Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Maximum download size</fielddescr> <fieldname>max_download_size</fieldname> <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> @@ -98,6 +107,7 @@ <fieldname>max_upload_size</fieldname> <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> @@ -106,6 +116,7 @@ <fieldname>overall_throttling</fieldname> <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> @@ -114,10 +125,15 @@ <fieldname>perhost_throttling</fieldname> <description>This value specifies the download throttling per host. Set to 0 to disable this.</description> <type>input</type> + <size>10</size> <required/> <default_value>0</default_value> </field> <field> + <name>Squid Transfer Extension Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Throttle only specific extensions</fielddescr> <fieldname>throttle_specific</fieldname> <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description> @@ -151,10 +167,15 @@ <size>60</size> </field> <field> + <name>Squid Transfer Quick Abort Settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Finish transfer if less than x KB remaining</fielddescr> <fieldname>quick_abort_min</fieldname> <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description> <type>input</type> + <size>10</size> <default_value>0</default_value> </field> <field> @@ -169,6 +190,7 @@ <fieldname>quick_abort_pct</fieldname> <description>If more than x % of the transfer has completed, it will finish the retrieval.</description> <type>input</type> + <size>10</size> <default_value>0</default_value> </field> </fields> diff --git a/config/squid-reverse/squid_upstream.xml b/config/squid-reverse/squid_upstream.xml index 3d4d1611..049d301c 100644 --- a/config/squid-reverse/squid_upstream.xml +++ b/config/squid-reverse/squid_upstream.xml @@ -7,9 +7,10 @@ /* $Id$ */ /* ========================================================================== */ /* - authng.xml + squid_upstream.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong + Copyright (C) 2012 Marcello Coutinho All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,26 +46,26 @@ <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> - <name>squidupstream</name> + <name>squidremote</name> <version>none</version> - <title>Proxy server: Upstream proxy settings</title> - <include_file>squid.inc</include_file> + <title>Proxy server: Remote proxy settings</title> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> <active/> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -72,50 +73,236 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Status</fielddescr> + <fieldname>enable</fieldname> + </columnitem> + <columnitem> + <fielddescr>name</fielddescr> + <fieldname>proxyaddr</fieldname> + </columnitem> + <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>proxyport</fieldname> + </columnitem> + <columnitem> + <fielddescr>ICP</fielddescr> + <fieldname>icpport</fieldname> + </columnitem> + <columnitem> + <fielddescr>Peer type</fielddescr> + <fieldname>hierarchy</fieldname> + </columnitem> + <columnitem> + <fielddescr>Method</fielddescr> + <fieldname>peermethod</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> <field> - <fielddescr>Enable forwarding</fielddescr> - <fieldname>proxy_forwarding</fieldname> - <description>This option enables the proxy server to forward requests to an upstream server.</description> + <name>General Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>enable</fieldname> + <description>This option enables the proxy server to forward requests to an upstream/neighbor server.</description> <type>checkbox</type> - <enablefields>proxy_addr,proxy_port,icp_port,username,password</enablefields> <required/> </field> <field> <fielddescr>Hostname</fielddescr> - <fieldname>proxy_addr</fieldname> + <fieldname>proxyaddr</fieldname> <description>Enter here the IP address or host name of the upstream proxy.</description> <type>input</type> + <size>35</size> + <required/> + </field> + <field> + <fielddescr>Name</fielddescr> + <fieldname>proxyname</fieldname> + <description>Unique name for the peer.Required if you have multiple peers on the same host but different ports.</description> + <type>input</type> + <size>35</size> + <required/> </field> <field> <fielddescr>TCP port</fielddescr> - <fieldname>proxy_port</fieldname> + <fieldname>proxyport</fieldname> <description>Enter the port to use to connect to the upstream proxy.</description> <type>input</type> <size>5</size> <default_value>3128</default_value> + <required/> + </field> + <field> + <fielddescr>Timeout</fielddescr> + <fieldname>connecttimeout</fieldname> + <description>A peer-specific connect timeout. Also see the peer_connect_timeout directive.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Fail Limit</fielddescr> + <fieldname>connectfailLimit</fieldname> + <description>How many times connecting to a peer must fail before it is marked as down. Default is 10.</description> + <type>input</type> + <size>5</size> + <default_value>10</default_value> + </field> + <field> + <fielddescr>Max</fielddescr> + <fieldname>maxconn</fieldname> + <description>Limit the amount of connections Squid may open to this peer.</description> + <type>input</type> + <size>5</size> + </field> + <field> + <fielddescr>Allow Miss</fielddescr> + <fieldname>allowmiss</fieldname> + <description><![CDATA[<strong>allow-miss</strong> - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.<br><br> + <strong>no-tproxy</strong> - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.<br><br> + <strong>proxy-only</strong> - Objects fetched from the peer will not be stored locally.]]></description> + <type>select</type> + <default_value>allow-miss</default_value> + <options> + <option><name>Allow Miss</name><value>allow-miss</value></option> + <option><name>No Tproxy</name><value>no-tproxy</value></option> + <option><name>Proxy Only</name><value>proxy-only</value></option> + </options> + <multiple/> + <size>4</size> + </field> + <field> + <name>Peer settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Hierarchy</fielddescr> + <fieldname>hierarchy</fieldname> + <description>Specify remote caches hierarchy.</description> + <type>select</type> + <default_value>parent</default_value> + <options> + <option><name>parent</name><value>parent</value></option> + <option><name>sibling</name><value>sibling</value></option> + <option><name>multicast</name><value>multicast</value></option> + </options> + </field> + <field> + <fielddescr>Select method</fielddescr> + <fieldname>peermethod</fieldname> + <description><![CDATA[The default peer selection method is ICP, with the first responding peer being used as source. These options can be used for better load balancing.<br><br> + <strong>default</strong> - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.<br> + If specified more than once, only the first is used.<br><br> + <strong>round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.<br>weight=N can be used to add bias.<br><br> + <strong>weighted-round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.<br> + Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.<br><br> + <strong>carp</strong> - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.<br><br> + <strong>userhash</strong> - Load-balance parents based on the client proxy_auth or ident username.<br><br> + <strong>sourcehash</strong> - Load-balance parents based on the client source IP.<br><br> + <strong>multicast-siblings</strong> - To be used only for cache peers of type "multicast".<br> + ALL members of this multicast group have "sibling" relationship with it, not "parent". This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.<br> + It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]></description> + <type>select</type> + <default_value>round-robin</default_value> + <options> + <option><name>round-robin</name><value>round-robin</value></option> + <option><name>default</name><value>default</value></option> + <option><name>weighted-round-robin</name><value>weighted-round-robin</value></option> + <option><name>carp</name><value>carp</value></option> + <option><name>userhash</name><value>userhash</value></option> + <option><name>sourcehash</name><value>sourcehash</value></option> + <option><name>multicast-sibling</name><value>multicast-sibling</value></option> + </options> + </field> + <field> + <fielddescr>weight</fielddescr> + <fieldname>weight</fieldname> + <description>Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more.</description> + <type>input</type> + <size>5</size> + <default>1</default> + </field> + <field> + <fielddescr>basetime</fielddescr> + <fieldname>basetime</fieldname> + <description><![CDATA[Specify a base amount to be subtracted from round trip times of parents.<br> + It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]></description> + <type>input</type> + <size>5</size> + <default>1</default> + </field> + <field> + <fielddescr>ttl</fielddescr> + <fieldname>ttl</fieldname> + <description><![CDATA[Specify a TTL to use when sending multicast ICP queries to this address<br> + Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]></description> + <type>input</type> + <size>5</size> + <default>1</default> + </field> + <field> + <fielddescr>no-delay</fielddescr> + <fieldname>nodelay</fieldname> + <description><![CDATA[To prevent access to this neighbor from influencing the delay pools.]]></description> + <type>checkbox</type> + </field> + <field> + <name>ICP settings</name> + <type>listtopic</type> </field> <field> <fielddescr>ICP port</fielddescr> - <fieldname>icp_port</fieldname> + <fieldname>icpport</fieldname> <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description> <type>input</type> <size>5</size> <default_value>7</default_value> </field> <field> + <fielddescr>ICP Options</fielddescr> + <fieldname>icpoptions</fieldname> + <description><![CDATA[You MUST also set icp_port and icp_access explicitly when using these options.<br> + The defaults will prevent peer traffic using ICP<br><br> + <strong>no-query</strong> - Disable ICP queries to this neighbor.<br><br> + <strong>multicast-responder</strong> -Indicates the named peer is a member of a multicast group.<br> + ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.<br><br> + <strong>closest-only</strong> - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.<br><br> + <strong>background-ping</strong> - To only send ICP queries to this neighbor infrequently.<br> + This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]></description> + <type>select</type> + <default_value>no-query</default_value> + <options> + <option><name>no-query</name><value>no-query</value></option> + <option><name>multicast-responder</name><value>multicast-responder</value></option> + <option><name>closest-only</name><value>closest-only</value></option> + <option><name>background-ping</name><value>background-ping</value></option> + </options> + </field> + <field> + <name>Auth settings</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Username</fielddescr> <fieldname>username</fieldname> <description>If the upstream proxy requires a username, specify it here.</description> @@ -127,6 +314,39 @@ <description>If the upstream proxy requires a password, specify it here.</description> <type>password</type> </field> + <field> + <fielddescr>Authentication options</fielddescr> + <fieldname>authoption</fieldname> + <description><![CDATA[<br><strong>login=user:password</strong> - If this is a personal/workgroup proxy and your parent requires proxy authentication.<br><br> + <strong>login=PASSTHRU</strong> - Send login details received from client to this peer. Authentication is not required by Squid for this to work.<br> + This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.<br><br> + <strong>login=PASS</strong> - Send login details received from client to this peer.Authentication is not required by this option.<br> + To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).<br> + Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION<br><br> + <strong>login=*:password</strong> - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.<br><br> + <strong>login=NEGOTIATE</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> + The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.<br> + WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> + <strong>login=NEGOTIATE:principal_name</strong>If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> + The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. + WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> + <strong>connection-auth=on</strong> - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> + Default is auto to automatically determine the status of the peer.<br><br> + <strong>connection-auth=off</strong> - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> + Default is auto to automatically determine the status of the peer.]]></description> + <type>select</type> + <default_value>login=*:password</default_value> + <options> + <option><name>login=*:password</name><value>login=*:password</value></option> + <option><name>login=user:password</name><value>login=user:password</value></option> + <option><name>login=PASSTHRU</name><value>login=PASSTHRU</value></option> + <option><name>login=PASS</name><value>login=PASS</value></option> + <option><name>login=NEGOTIATE</name><value>login=NEGOTIATE</value></option> + <option><name>login=NEGOTIATE:principal_name</name><value>login=NEGOTIATE:principal_name</value></option> + <option><name>connection-auth=on</name><value>connection-auth=on</value></option> + <option><name>connection-auth=off</name><value>connection-auth=off</value></option> + </options> + </field> </fields> <custom_php_validation_command> squid_validate_upstream($_POST, &$input_errors); diff --git a/config/squid-reverse/squid_users.xml b/config/squid-reverse/squid_users.xml index f2f8fe1c..791a5fa9 100644 --- a/config/squid-reverse/squid_users.xml +++ b/config/squid-reverse/squid_users.xml @@ -48,24 +48,24 @@ <name>squidusers</name> <version>none</version> <title>Proxy server: Local users</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <delete_string>A proxy server user has been deleted.</delete_string> <addedit_string>A proxy server user has been created/modified.</addedit_string> <tabs> - <tab> +<tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> + <text>Remote Cache</text> + <url>/pkg.php?xml=squid_upstream.xml</url> </tab> <tab> - <text>Cache Mgmt</text> + <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> - <text>Access Control</text> + <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> @@ -73,18 +73,22 @@ <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> - <text>Reverse Settings</text> - <url>/pkg_edit.php?xml=squid_reverse.xml&id=0</url> - </tab> - <tab> - <text>Auth Settings</text> + <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> - <text>Local Users</text> + <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> <active/> </tab> + <tab> + <text>Real time</text> + <url>/squid_monitor.php</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=squid_sync.xml</url> + </tab> </tabs> <adddeleteeditpagefields> <columnitem> @@ -98,6 +102,10 @@ </adddeleteeditpagefields> <fields> <field> + <name>Squid Local Users</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Username</fielddescr> <fieldname>username</fieldname> <description>Enter the username here.</description> diff --git a/config/squid-reverse/swapstate_check.php b/config/squid-reverse/swapstate_check.php index ab5b11d8..6ecfff3c 100644 --- a/config/squid-reverse/swapstate_check.php +++ b/config/squid-reverse/swapstate_check.php @@ -29,20 +29,30 @@ require_once('config.inc'); require_once('util.inc'); -$settings = $config['installedpackages']['squidcache']['config'][0]; -$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); -$swapstate = $cachedir . '/swap.state'; -$disktotal = disk_total_space(dirname($cachedir)); -$diskfree = disk_free_space(dirname($cachedir)); -$diskusedpct = round((($disktotal - $diskfree) / $disktotal) * 100); -$swapstate_size = filesize($swapstate); -$swapstate_pct = round(($swapstate_size / $disktotal) * 100); +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); +else + define('SQUID_LOCALBASE','/usr/local'); -// If the swap.state file is taking up more than 75% disk space, -// or the drive is 90% full and swap.state is larger than 1GB, -// kill it and initiate a rotate to write a fresh copy. -if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024))) { - mwexec_bg("/bin/rm $swapstate; /usr/local/sbin/squid -k rotate"); - log_error(gettext(sprintf("Squid swap.state file exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); + $settings = $config['installedpackages']['squidcache']['config'][0]; +// Only check the cache if Squid is actually caching. +// If there is no cache then quietly do nothing. +if ($settings['harddisk_cache_system'] != "null"){ + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $swapstate = $cachedir . '/swap.state'; + $disktotal = disk_total_space(dirname($cachedir)); + $diskfree = disk_free_space(dirname($cachedir)); + $diskusedpct = round((($disktotal - $diskfree) / $disktotal) * 100); + $swapstate_size = filesize($swapstate); + $swapstate_pct = round(($swapstate_size / $disktotal) * 100); + + // If the swap.state file is taking up more than 75% disk space, + // or the drive is 90% full and swap.state is larger than 1GB, + // kill it and initiate a rotate to write a fresh copy. + if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024))) { + mwexec_bg("/bin/rm $swapstate; ". SQUID_LOCALBASE . "/sbin/squid -k rotate"); + log_error(gettext(sprintf("Squid swap.state file exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); + } } ?>
\ No newline at end of file |