aboutsummaryrefslogtreecommitdiffstats
path: root/config/squid3/33/squid.inc
diff options
context:
space:
mode:
Diffstat (limited to 'config/squid3/33/squid.inc')
-rwxr-xr-xconfig/squid3/33/squid.inc134
1 files changed, 99 insertions, 35 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index c55160bc..a97746e2 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -5,7 +5,7 @@
Copyright (C) 2006-2009 Scott Ullrich
Copyright (C) 2006 Fernando Lemos
Copyright (C) 2012 Martin Fuchs
- Copyright (C) 2012-2013 Marcello Coutinho
+ Copyright (C) 2012-2014 Marcello Coutinho
Copyright (C) 2013 Gekkenhuis
All rights reserved.
@@ -95,8 +95,17 @@ function squid_chown_recursive($dir, $user, $group) {
}
}
+function squid_check_clamav_user($user)
+ {
+ exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return);
+ $user_arg=($sq_ex_return == 0?"mod":"add");
+ exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return);
+ if ($sq_ex_return != 0)
+ log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output));
+ }
+
/* setup cache */
-function squid_dash_z() {
+function squid_dash_z($cache_action='none') {
global $config;
//Do nothing if there is no cache config
@@ -110,7 +119,12 @@ function squid_dash_z() {
return;
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
-
+
+ if ($cache_action=="clean"){
+ rename ($cachedir,"{$cachedir}.old");
+ mwexec_bg("/bin/rm -rf {$cachedir}.old");
+ }
+
if(!is_dir($cachedir.'/')) {
log_error("Creating Squid cache dir $cachedir");
make_dirs($cachedir);
@@ -354,9 +368,9 @@ function squid_deinstall_command() {
$settings = array();
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
- update_status("Removing swap.state ... One moment please...");
+ update_status("Removing cache ... One moment please...");
update_output_window("$plswait_txt");
- mwexec('rm -rf $cachedir/swap.state');
+ mwexec_bg('rm -rf $cachedir');
mwexec('rm -rf $logdir');
update_status("Finishing package cleanup.");
mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
@@ -721,19 +735,26 @@ function squid_install_cron($should_install) {
$x=0;
$rotate_job_id=-1;
$swapstate_job_id=-1;
+ $cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
+ $cron_cmd .= SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE;
+ $need_write = false;
foreach($config['cron']['item'] as $item) {
if(strstr($item['task_name'], "squid_rotate_logs")) {
$rotate_job_id = $x;
+ if ($item['command'] != $cron_cmd){
+ $config['cron']['item'][$x]['command']=$cron_cmd;
+ $need_write = true;
+ }
} elseif(strstr($item['task_name'], "squid_check_swapstate")) {
$swapstate_job_id = $x;
}
$x++;
}
- $need_write = false;
switch($should_install) {
case true:
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
if($rotate_job_id < 0) {
+ $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
$cron_item = array();
$cron_item['task_name'] = "squid_rotate_logs";
$cron_item['minute'] = "0";
@@ -742,7 +763,7 @@ function squid_install_cron($should_install) {
$cron_item['month'] = "*";
$cron_item['wday'] = "*";
$cron_item['who'] = "root";
- $cron_item['command'] = "/bin/rm {$cachedir}/swap.state; ". SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE;
+ $cron_item['command'] .= $cron_cmd;
/* Add this cron_item as a new entry at the end of the item array. */
$config['cron']['item'][] = $cron_item;
$need_write = true;
@@ -919,7 +940,7 @@ function squid_resync_general() {
$conf .= "http_port 127.0.0.1:{$port} intercept\n";
}
}
- $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 7);
+ $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0);
$dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" );
$pidfile = "{$g['varrun_path']}/squid.pid";
$language = ($settings['error_language'] ? $settings['error_language'] : 'en');
@@ -934,6 +955,8 @@ function squid_resync_general() {
}
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
+ $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on';
+ $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger";
$conf .= <<< EOD
icp_port {$icp_port}
@@ -948,15 +971,17 @@ cache_mgr {$email}
access_log {$logdir_access}
cache_log {$logdir_cache}
cache_store_log none
+netdb_filename {$logdir}/netdb.state
+pinger_enable {$pinger_helper}
+pinger_program {$pinger_program}
{$interception_checks}
EOD;
// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen.
-// Rotating also ensures that swap.state is rewritten, so is useful even if the logs
-// are not being rotated.
$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
$conf .= "logfile_rotate {$rotate}\n";
+$conf .= "debug_options rotate={$rotate}\n";
squid_install_cron(true);
$conf .= <<< EOD
@@ -1051,7 +1076,7 @@ EOC;
range_offset_limit -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
-refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
EOC;
}
@@ -1310,8 +1335,27 @@ function squid_resync_antivirus(){
if (preg_match("/fr/i",$squid_config['error_language']))
$clwarn="clwarn.cgi.fr_FR";
if (preg_match("/pt_br/i",$squid_config['error_language']))
- $clwarn="clwarn.cgi.pt_BR";
- copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
+ $clwarn="clwarn.cgi.pt_BR";
+ $clwarn_file="/usr/local/www/clwarn.cgi";
+ copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}",$clwarn_file);
+
+ #fix perl path on clwarn.cgi
+ $clwarn_file_new=file_get_contents($clwarn_file);
+ $c_pattern[]="@/usr/\S+/perl@";
+ $c_replacement[]=SQUID_LOCALBASE."/bin/perl";
+ /*$c_pattern[]="@redirect \S+/clwarn.cgi@";
+ $gui_proto=$config['system']['webgui']['protocol'];
+ $gui_port=$config['system']['webgui']['port'];
+ if($gui_port == "") {
+ $gui_port($gui_proto == "http"?"80":"443");
+ }
+ $c_replacement[]=SQUID_LOCALBASE."redirect {$gui_proto}://127.0.0.1:{$gui_port}/clwarn.cgi";
+ */
+ $clwarn_file_new=preg_replace($c_pattern, $c_replacement,$clwarn_file_new);
+ file_put_contents($clwarn_file, $clwarn_file_new,LOCK_EX);
+
+ #fix clwarn.cgi file permission
+ chmod($clwarn_file,0755);
$conf = <<< EOF
icap_enable on
@@ -1346,7 +1390,7 @@ EOF;
if (!isset($clamav_clamd_enable))
$rc_file.='clamav_clamd_enable="YES"'."\n";
file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX);
-
+ squid_check_clamav_user('clamav');
#patch sample files to pfsense dirs
#squidclamav.conf
if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))
@@ -1391,9 +1435,13 @@ EOF;
foreach ($dirs as $dir_path => $dir_user){
if (!is_dir($dir_path))
make_dirs($dir_path);
- squid_chown_recursive($dir_path, $dir_user, $dir_user);
+ squid_chown_recursive($dir_path, $dir_user, "wheel");
+ }
+ #Check clamav database
+ if (count(glob("/var/db/clamav/*d"))==0){
+ log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background.");
+ mwexec_bg(SQUID_LOCALBASE."/bin/freshclam");
}
-
#check startup scripts on pfsense > 2.1
if (preg_match("/usr.pbi/",SQUID_LOCALBASE)){
$rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d");
@@ -1410,7 +1458,7 @@ EOF;
#check antivirus daemons
#check icap
if (is_process_running("c-icap")){
- mwexec('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
+ mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
}
else{
#check c-icap user on startup file
@@ -1421,13 +1469,13 @@ EOF;
$cicapr[0]='c_icap_user="clamav"}';
file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX);
}
- mwexec("/usr/local/etc/rc.d/c-icap start");
+ mwexec_bg("/usr/local/etc/rc.d/c-icap start");
}
#check clamav
if (is_process_running("clamd"))
mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload");
else
- mwexec("/usr/local/etc/rc.d/clamav-clamd start");
+ mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start");
}
return $conf;
}
@@ -1533,12 +1581,12 @@ include('/usr/local/pkg/squid_reverse.inc');
function squid_resync_auth() {
global $config, $valid_acls;
-
- if (is_array($config['installedpackages']['squidauth']['config']))
- $settings = $config['installedpackages']['squidauth']['config'][0];
- else
- $settings = array();
-
+ $write_config=0;
+ if (!is_array($config['installedpackages']['squidauth']['config'])){
+ $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none");
+ $write_config++;
+ }
+ $settings = $config['installedpackages']['squidauth']['config'][0];
if (is_array($config['installedpackages']['squidnac']['config']))
$settingsnac = $config['installedpackages']['squidnac']['config'][0];
else
@@ -1549,6 +1597,9 @@ function squid_resync_auth() {
else
$settingsconfig = array();
+ if ($write_config > 0)
+ write_config();
+
$conf = '';
// SSL interception acl options part 1
@@ -1568,8 +1619,8 @@ function squid_resync_auth() {
$conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n";
}
- // Custom User Options
- $conf .= "# Custom options\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
+ // Custom User Options before authentication acls
+ $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
// Deny the banned guys before allowing the good guys
if(! empty($settingsnac['banned_hosts'])) {
@@ -1626,10 +1677,10 @@ function squid_resync_auth() {
}
// SSL interception acl options part 2
- if ($settingsconfig['ssl_proxy'] == "on"){
+ /*if ($settingsconfig['ssl_proxy'] == "on"){
$conf .= "always_direct allow all\n";
$conf .= "ssl_bump server-first all\n";
- }
+ }*/
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
@@ -1687,9 +1738,8 @@ function squid_resync_auth() {
$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
break;
case 'cp':
- $conf .= "external_acl_type check_filter children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n";
- $conf .= "acl dgfilter external check_filter\n";
- $conf .= "http_access allow dgfilter\n";
+ $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n";
+ $conf .= "acl password external check_cp\n";
break;
case 'msnt':
$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
@@ -1705,6 +1755,14 @@ acl password proxy_auth REQUIRED
EOD;
}
+ // Custom User Options after authentication definition
+ $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n";
+
+ // SSL interception acl options part 2
+ if ($settingsconfig['ssl_proxy'] == "on"){
+ $conf .= "always_direct allow all\n";
+ $conf .= "ssl_bump server-first all\n";
+ }
// Onto the ACLs
$password = array('localnet', 'allowed_subnets');
$passwordless = array('unrestricted_hosts');
@@ -1721,7 +1779,7 @@ EOD;
foreach ($passwordless as $acl)
$conf .= "http_access allow $acl\n";
- if ($auth_method != 'cp'){
+ //if ($auth_method != 'cp'){
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
$conf .="http_access deny password sglog\n";
@@ -1729,9 +1787,9 @@ EOD;
// Allow the other ACLs as long as they authenticate
foreach ($password as $acl)
$conf .= "http_access allow password $acl\n";
- }
+ // }
}
-
+
$conf .= "# Default block all to be sure\n";
$conf .= "http_access deny allsrc\n";
@@ -2224,6 +2282,12 @@ EOD;
{$squid_local_base}/sbin/squid -k shutdown -f {$squid_conffile_var}
# Just to be sure...
sleep 5
+
+if [ -f /usr/bin/ipcs ];then
+# http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-22.html#ss22.8
+ipcs | grep '^[mq]' | awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh
+fi
+
killall -9 squid 2>/dev/null
killall pinger 2>/dev/null
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-07 21:55:52 +0000