diff options
Diffstat (limited to 'config/squid3/34')
-rwxr-xr-x | config/squid3/34/squid.inc | 1631 |
1 files changed, 815 insertions, 816 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 4876b472..3a0dcf2f 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -38,7 +38,7 @@ require_once('pfsense-utils.inc'); require_once('pkg-utils.inc'); require_once('service-utils.inc'); -if(!function_exists("filter_configure")) +if (!function_exists("filter_configure")) require_once("filter.inc"); $shortcut_section = "squid"; @@ -63,13 +63,12 @@ $valid_acls = array(); $uname=posix_uname(); if ($uname['machine']=='amd64') - ini_set('memory_limit', '250M'); + ini_set('memory_limit', '250M'); - function sq_text_area_decode($text){ +function sq_text_area_decode($text) { return preg_replace('/\r\n/', "\n",base64_decode($text)); } - function squid_get_real_interface_address($iface) { global $config; @@ -88,9 +87,9 @@ function squid_chown_recursive($dir, $user, $group) { if (($item != ".") && ($item != "..")) { $path = "$dir/$item"; // Recurse unless it's the cache dir, that is slow and rarely necessary. - if (is_dir($path) && (basename($dir) != "cache")) + if (is_dir($path) && (basename($dir) != "cache")) { squid_chown_recursive($path, $user, $group); - elseif (is_file($path)) { + } elseif (is_file($path)) { chown($path, $user); chgrp($path, $group); } @@ -98,14 +97,13 @@ function squid_chown_recursive($dir, $user, $group) { } } -function squid_check_clamav_user($user) - { - exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return); - $user_arg=($sq_ex_return == 0?"mod":"add"); - exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return); - if ($sq_ex_return != 0) - log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output)); - } +function squid_check_clamav_user($user) { + $_gc = exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return); + $user_arg=($sq_ex_return == 0?"mod":"add"); + $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return); + if ($sq_ex_return != 0) + log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output)); +} /* setup cache */ function squid_dash_z($cache_action='none') { @@ -121,21 +119,21 @@ function squid_dash_z($cache_action='none') { if ($settings['harddisk_cache_system'] == "null") return; - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); - if ($cache_action=="clean"){ - rename ($cachedir,"{$cachedir}.old"); + if ($cache_action == "clean") { + rename ($cachedir, "{$cachedir}.old"); mwexec_bg("/bin/rm -rf {$cachedir}.old"); } - if(!is_dir($cachedir.'/')) { - log_error("Creating Squid cache dir $cachedir"); + if (!is_dir($cachedir.'/')) { + log_error("Creating Squid cache dir {$cachedir}"); make_dirs($cachedir); // Double check permissions here, should be safe to recurse cache dir if it's small here. mwexec("/usr/sbin/chown -R proxy:proxy $cachedir"); } - if(!is_dir($cachedir.'/00/')) { + if (!is_dir($cachedir.'/00/')) { log_error("Creating squid cache subdirs in $cachedir"); mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE); sleep(5); @@ -145,24 +143,25 @@ function squid_dash_z($cache_action='none') { mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE); } - if(file_exists("/var/squid/cache/swap.state")) { + if (file_exists("/var/squid/cache/swap.state")) { chown("/var/squid/cache/swap.state", "proxy"); chgrp("/var/squid/cache/swap.state", "proxy"); exec("chmod a+rw /var/squid/cache/swap.state"); } - } function squid_is_valid_acl($acl) { global $valid_acls; - if(!is_array($valid_acls)) + + if (!is_array($valid_acls)) return; + return in_array($acl, $valid_acls); } function squid_install_command() { - global $config; - global $g; + global $config, $g; + update_status("Checking if there is configuration to migrate... One moment please..."); /* migrate existing csv config fields */ if (is_array($config['installedpackages']['squidauth']['config'])) @@ -175,131 +174,119 @@ function squid_install_command() { $settingsgen = $config['installedpackages']['squid']['config'][0]; if (file_exists("/usr/local/pkg/check_ip.php")) - rename("/usr/local/pkg/check_ip.php",SQUID_BASE . "/bin/check_ip.php"); + rename("/usr/local/pkg/check_ip.php", SQUID_BASE . "/bin/check_ip.php"); + /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; } /* migrate auth settings */ - if (!empty($settingsauth['no_auth_hosts'])) { - if(strstr($settingsauth['no_auth_hosts'], ",")) { - $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); - $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; - } + if (!empty($settingsauth['no_auth_hosts']) && strstr($settingsauth['no_auth_hosts'], ",")) { + $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); + $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; } /* migrate cache settings */ - if (!empty($settingscache['donotcache'])) { - if(strstr($settingscache['donotcache'], ",")) { - $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); - $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; - } + if (!empty($settingscache['donotcache']) && strstr($settingscache['donotcache'], ",")) { + $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); + $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; } /* migrate nac settings */ - if(! empty($settingsnac['allowed_subnets'])) { - if(strstr($settingsnac['allowed_subnets'], ",")) { - $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); - $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; - } + if (!empty($settingsnac['allowed_subnets']) && strstr($settingsnac['allowed_subnets'], ",")) { + $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); + $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; } - if(! empty($settingsnac['banned_hosts'])) { - if(strstr($settingsnac['banned_hosts'], ",")) { - $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); - $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; - } + + if (!empty($settingsnac['banned_hosts']) && strstr($settingsnac['banned_hosts'], ",")) { + $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; } - if(! empty($settingsnac['banned_macs'])) { - if(strstr($settingsnac['banned_macs'], ",")) { - $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); - $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; - } + if (!empty($settingsnac['banned_macs']) && strstr($settingsnac['banned_macs'], ",")) { + $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); + $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; } - if(! empty($settingsnac['unrestricted_hosts'])) { - if(strstr($settingsnac['unrestricted_hosts'], ",")) { - $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); - $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; - } + if (!empty($settingsnac['unrestricted_hosts']) && strstr($settingsnac['unrestricted_hosts'], ",")) { + $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; } - if(! empty($settingsnac['unrestricted_macs'])) { - if(strstr($settingsnac['unrestricted_macs'], ",")) { - $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); - $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; - } + if (!empty($settingsnac['unrestricted_macs']) && strstr($settingsnac['unrestricted_macs'], ",")) { + $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; } - if(! empty($settingsnac['whitelist'])) { - if(strstr($settingsnac['whitelist'], ",")) { - $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); - $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; - } + if (!empty($settingsnac['whitelist']) && strstr($settingsnac['whitelist'], ",")) { + $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); + $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; } - if(! empty($settingsnac['blacklist'])) { - if(strstr($settingsnac['blacklist'], ",")) { - $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); - $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; - } + if (!empty($settingsnac['blacklist']) && strstr($settingsnac['blacklist'], ",")) { + $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); + $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; } - if(! empty($settingsnac['block_user_agent'])) { - if(strstr($settingsnac['block_user_agent'], ",")) { - $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); - $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; - } + if (!empty($settingsnac['block_user_agent']) && strstr($settingsnac['block_user_agent'], ",")) { + $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); + $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; } - if(! empty($settingsnac['block_reply_mime_type'])) { - if(strstr($settingsnac['block_reply_mime_type'], ",")) { - $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); - $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; - } + if (!empty($settingsnac['block_reply_mime_type']) && strstr($settingsnac['block_reply_mime_type'], ",")) { + $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); + $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; } /*Migrate reverse settings*/ - if (is_array($config['installedpackages']['squidreverse'])){ + if (is_array($config['installedpackages']['squidreverse'])) { $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0]; //Settings - if (!is_array($config['installedpackages']['squidreversegeneral'])){ + if (!is_array($config['installedpackages']['squidreversegeneral'])) { $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings; unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); - } + } //PEERS - if (!is_array($config['installedpackages']['squidreversepeer'])){ - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) - foreach (explode(";",$cache_peers) as $cache_peer) - $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated', - 'enable'=> 'on', - 'name'=> $cache_peer[0], - 'port'=> $cache_peer[1], - 'protocol' => $cache_peer[2]); + if (!is_array($config['installedpackages']['squidreversepeer'])) { + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { + foreach (explode(";",$cache_peers) as $cache_peer) { + $config['installedpackages']['squidreversepeer']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $cache_peer[0], + 'port' => $cache_peer[1], + 'protocol' => $cache_peer[2] + ); + } } + } //MAPPINGS - if (!is_array($config['installedpackages']['squidreverseuri'])){ - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){ - foreach (explode(";",$acls) as $acl) + if (!is_array($config['installedpackages']['squidreverseuri'])) { + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { + foreach (explode(";",$acls) as $acl) { array_push(${'peer_'.$acl[0]},$acl[1]); } - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) - foreach (explode(";",$uris) as $uri){ + } + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { + foreach (explode(";",$uris) as $uri) { $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); - $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated', - 'enable'=> 'on', - 'name'=> $uri[0], - 'uri'=> $uri[1], - 'vhost' => $uri[2], - 'peers'=>$peer_list); + $config['installedpackages']['squidreverseuri']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $uri[0], + 'uri' => $uri[1], + 'vhost' => $uri[2], + 'peers' => $peer_list + ); } } + } } update_status("Writing configuration... One moment please..."); @@ -309,18 +296,24 @@ function squid_install_command() { /* create cache */ update_status("Creating squid cache pools... One moment please..."); squid_dash_z(); + /* make sure pinger is executable */ - if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) + if (file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger"); - if(file_exists("/usr/local/etc/rc.d/squid")) + + if (file_exists("/usr/local/etc/rc.d/squid")) exec("/bin/rm /usr/local/etc/rc.d/squid"); + squid_write_rcfile(); - if(file_exists("/usr/local/pkg/swapstate_check.php")) + + if (file_exists("/usr/local/pkg/swapstate_check.php")) exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php"); + write_rcfile(array( "file" => "sqp_monitor.sh", "start" => "/usr/local/pkg/sqpmon.sh &", - "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")); + "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill") + ); foreach (array( SQUID_CONFBASE, SQUID_ACLDIR, @@ -363,6 +356,7 @@ function squid_install_command() { function squid_deinstall_command() { global $config, $g; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; squid_install_cron(false); if (is_array($config['installedpackages']['squidcache'])) @@ -373,11 +367,11 @@ function squid_deinstall_command() { $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); update_status("Removing cache ... One moment please..."); update_output_window("$plswait_txt"); - mwexec_bg('rm -rf $cachedir'); - mwexec('rm -rf $logdir'); + mwexec_bg("rm -rf {$cachedir}"); + mwexec("rm -rf {$logdir}"); update_status("Finishing package cleanup."); mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); - mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh'); + unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh'); mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); @@ -408,19 +402,21 @@ function squid_before_form_general(&$pkg) { for ($i = 0; $i < count($values) - 1; $i++) $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); } + function squid_validate_antivirus($post, &$input_errors) { global $config; - if ($post['enable']=="on"){ - if($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)){ + + if ($post['enable']=="on") { + if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)) { $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})"; $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. "; - } - if($post['c-icap_conf']) { - if( !preg_match("/squid_clamav/",$post['c-icap_conf'])){ + } + if ($post['c-icap_conf']) { + if (!preg_match("/squid_clamav/",$post['c-icap_conf'])) { $input_errors[] ="c-icap Squidclamav service definition is no present."; $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; - } - if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)){ + } + if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)) { $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; } } @@ -429,10 +425,12 @@ function squid_validate_antivirus($post, &$input_errors) { function squid_validate_general($post, &$input_errors) { global $config; + if (is_array($config['installedpackages']['squid'])) $settings = $config['installedpackages']['squid']['config'][0]; else $settings = array(); + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; @@ -445,19 +443,21 @@ function squid_validate_general($post, &$input_errors) { if ($post['log_dir']{0} != '/') $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) $input_errors[] = "That is not a valid log location dir"; $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field'; $webgui_port = $config['system']['webgui']['port']; - if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + + if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { $webgui_port = 80; } - if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { $webgui_port = 443; } @@ -484,31 +484,33 @@ function squid_validate_general($post, &$input_errors) { } } - if(!empty($post['dns_nameservers'])) { - $altdns = explode(";", ($post['dns_nameservers'])); - foreach ($altdns as $dnssrv) { - if (!is_ipaddr($dnssrv)) - $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; - break; - }} + if (!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) { + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + break; + } + } + } } function squid_validate_upstream($post, &$input_errors) { if ($post['enabled'] == 'on') { $addr = trim($post['proxyaddr']); - if (empty($addr)) + if (empty($addr)) { $input_errors[] = 'The field \'Hostname\' is required'; - else { + } else { if (!is_ipaddr($addr) && !is_domain($addr)) $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; } foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { $port = trim($post[$field]); - if (empty($port)) + if (empty($port)) { $input_errors[] = "The field '$name' is required"; - else { - if (!is_port($port)) + } else { + if (!is_port($port)) $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; } } @@ -516,10 +518,12 @@ function squid_validate_upstream($post, &$input_errors) { } function squid_validate_cache($post, &$input_errors) { - $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', - 'memory_cache_size' => 'Memory cache size', - 'maximum_object_size' => 'Maximum object size', + $num_fields = array( + 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', ); + foreach ($num_fields as $field => $name) { $value = trim($post[$field]); if (!is_numeric($value) || ($value < 0)) @@ -530,17 +534,17 @@ function squid_validate_cache($post, &$input_errors) { if (!is_numeric($value) || ($value < 0)) $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; - if (!empty($post['cache_swap_low'])) { - $value = trim($post['cache_swap_low']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; } - if (!empty($post['cache_swap_high'])) { - $value = trim($post['cache_swap_high']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; - } + if (!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + } if ($post['donotcache'] != "") { foreach (split("\n", $post['donotcache']) as $host) { @@ -551,7 +555,6 @@ function squid_validate_cache($post, &$input_errors) { } squid_dash_z(); - } function squid_validate_nac($post, &$input_errors) { @@ -562,19 +565,17 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; } - foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { - - if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){ - for ($x=0;$x < count($matches[1]);$x++){ - if ($matches[2][$x] == ""){ + foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) { + if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)) { + for ($x=0; $x < count($matches[1]); $x++) { + if ($matches[2][$x] == "") { if (!is_ipaddr($matches[1][$x])) $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address"; - } - else{ + } else { if (!is_subnet($matches[0][$x])) $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range"; - } } + } } } @@ -592,53 +593,58 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "The time range '$time' is not a valid time range"; } - if(!empty($post['ext_cachemanager'])) { - $extmgr = explode(";", ($post['ext_cachemanager'])); - foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; - }} + if (!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + } + } } function squid_validate_traffic($post, &$input_errors) { - $num_fields = array( 'max_download_size' => 'Maximum download size', - 'max_upload_size' => 'Maximum upload size', - 'perhost_throttling' => 'Per-host bandwidth throttling', - 'overall_throttling' => 'Overall bandwidth throttling', + $num_fields = array( + 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 'overall_throttling' => 'Overall bandwidth throttling', ); + foreach ($num_fields as $field => $name) { $value = trim($post[$field]); if (!is_numeric($value) || ($value < 0)) $input_errors[] = "The field '$name' must contain a positive number"; } - if (!empty($post['quick_abort_min'])) { - $value = trim($post['quick_abort_min']); - if (!is_numeric($value)) - $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; - } + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } - if (!empty($post['quick_abort_max'])) { - $value = trim($post['quick_abort_max']); - if (!is_numeric($value)) - $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; - } + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } - if (!empty($post['quick_abort_pct'])) { - $value = trim($post['quick_abort_pct']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; - } + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; + } } function squid_validate_reverse($post, &$input_errors) { global $config; - if(!empty($post['reverse_ip'])) { + + if (!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) - $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.'; - }} + if (!is_ipaddr(trim($reip))) + $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.'; + } + } $fqdn = trim($post['reverse_external_fqdn']); if (!empty($fqdn) && !is_domain($fqdn)) @@ -648,51 +654,53 @@ function squid_validate_reverse($post, &$input_errors) { preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.reservedhigh`,$portrange); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; - if (!empty($port) && is_port($port) && $port <= $portrange[1]){ + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { $input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; } $port = trim($post['reverse_https_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; - if (!empty($port) && is_port($port) && $port <= $portrange[1]){ + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { $input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; } if ($post['reverse_ssl_cert'] == 'none') $input_errors[] = 'A valid certificate for the external interface must be selected'; - if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { - $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; - } + if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { + $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + } - if(!empty($post['reverse_owa_ip'])) { + if (!empty($post['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) - $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.'; - }} - - $contents = $post['reverse_cache_peer']; - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (!is_ipaddr($cfg[1])) - $input_errors[] = "please choose a valid IP in the cache peer configuration."; - if (!is_port($cfg[2])) - $input_errors[] = "please choose a valid port in the cache peer configuration."; - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) - $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; - }} - + if (!is_ipaddr(trim($reowaip))) + $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.'; + } + } + $contents = $post['reverse_cache_peer']; + if (!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (!is_ipaddr($cfg[1])) + $input_errors[] = "please choose a valid IP in the cache peer configuration."; + if (!is_port($cfg[2])) + $input_errors[] = "please choose a valid port in the cache peer configuration."; + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) + $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + } + } } function squid_validate_auth($post, &$input_errors) { - $num_fields = array( array('auth_processes', 'Authentication processes', 1), - array('auth_ttl', 'Authentication TTL', 0), + $num_fields = array( + array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), ); + foreach ($num_fields as $field) { $value = trim($post[$field[0]]); if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) @@ -712,24 +720,24 @@ function squid_validate_auth($post, &$input_errors) { $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; switch ($auth_method) { - case 'ldap': - $user = trim($post['ldap_user']); - if (empty($user)) - $input_errors[] = 'The field \'LDAP server user DN\' is required'; - else if (!$user) - $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; - break; - case 'radius': - $secret = trim($post['radius_secret']); - if (empty($secret)) - $input_errors[] = 'The field \'RADIUS secret\' is required'; - break; - case 'msnt': - foreach (explode(",", trim($post['msnt_secondary'])) as $server) { - if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) - $input_errors[] = "The host '$server' is not a valid IP address or domain name"; - } - break; + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; } $no_auth = explode("\n", $post['no_auth_hosts']); @@ -743,12 +751,13 @@ function squid_validate_auth($post, &$input_errors) { function squid_install_cron($should_install) { global $config, $g; - if($g['booting']==true) + + if ($g['booting']==true) return; $rotate_is_installed = false; $swapstate_is_installed = false; - if(!$config['cron']['item']) + if (!$config['cron']['item']) return; if (is_array($config['installedpackages']['squidcache'])) @@ -762,106 +771,108 @@ function squid_install_cron($should_install) { $cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); $cron_cmd .= SQUID_BASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE; $need_write = false; - foreach($config['cron']['item'] as $item) { - if(strstr($item['task_name'], "squid_rotate_logs")) { + foreach ($config['cron']['item'] as $item) { + if (strstr($item['task_name'], "squid_rotate_logs")) { $rotate_job_id = $x; - if ($item['command'] != $cron_cmd){ + if ($item['command'] != $cron_cmd) { $config['cron']['item'][$x]['command']=$cron_cmd; $need_write = true; } - } elseif(strstr($item['task_name'], "squid_check_swapstate")) { - $swapstate_job_id = $x; + } elseif (strstr($item['task_name'], "squid_check_swapstate")) { + $swapstate_job_id = $x; } $x++; } switch($should_install) { - case true: - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); - if($rotate_job_id < 0) { - $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); - $cron_item = array(); - $cron_item['task_name'] = "squid_rotate_logs"; - $cron_item['minute'] = "0"; - $cron_item['hour'] = "0"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] .= $cron_cmd; - /* Add this cron_item as a new entry at the end of the item array. */ - $config['cron']['item'][] = $cron_item; - $need_write = true; - } - if($swapstate_job_id < 0) { - $cron_item = array(); - $cron_item['task_name'] = "squid_check_swapstate"; - $cron_item['minute'] = "*/15"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/local/pkg/swapstate_check.php"; - /* Add this cron_item as a new entry at the end of the item array. */ - $config['cron']['item'][] = $cron_item; - $need_write = true; - } - if ($need_write) { - parse_config(true); - write_config("Adding Squid Cron Jobs"); - } - break; - case false: - if($rotate_job_id >= 0) { - unset($config['cron']['item'][$rotate_job_id]); - $need_write = true; - } - if($swapstate_job_id >= 0) { - unset($config['cron']['item'][$swapstate_job_id]); - $need_write = true; - } - if ($need_write) { - parse_config(true); - write_config("Removing Squid Cron Jobs"); - } - break; + case true: + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + if ($rotate_job_id < 0) { + $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_item = array(); + $cron_item['task_name'] = "squid_rotate_logs"; + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] .= $cron_cmd; + /* Add this cron_item as a new entry at the end of the item array. */ + $config['cron']['item'][] = $cron_item; + $need_write = true; + } + if ($swapstate_job_id < 0) { + $cron_item = array(); + $cron_item['task_name'] = "squid_check_swapstate"; + $cron_item['minute'] = "*/15"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/pkg/swapstate_check.php"; + /* Add this cron_item as a new entry at the end of the item array. */ + $config['cron']['item'][] = $cron_item; + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Adding Squid Cron Jobs"); + } + break; + case false: + if ($rotate_job_id >= 0) { + unset($config['cron']['item'][$rotate_job_id]); + $need_write = true; + } + if ($swapstate_job_id >= 0) { + unset($config['cron']['item'][$swapstate_job_id]); + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Removing Squid Cron Jobs"); + } + break; } configure_cron(); } -function squid_check_ca_hashes(){ +function squid_check_ca_hashes() { global $config,$g; - #check certificates - $cert_count=0; - if (is_dir(SQUID_LOCALBASE. '/share/certs')) + // check certificates + $cert_count = 0; + if (is_dir(SQUID_LOCALBASE. '/share/certs')) { if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) { - while (false !== ($file = readdir($handle))) - if (preg_match ("/\d+.0/",$file)) - $cert_count++; - } - closedir($handle); - if ($cert_count < 10){ + while (false !== ($file = readdir($handle))) { + if (preg_match ("/\d+.0/",$file)) + $cert_count++; + } + closedir($handle); + } + } + if ($cert_count < 10) { conf_mount_rw(); - #create ca-root hashes from ca-root-nss package + // create ca-root hashes from ca-root-nss package log_error("Creating root certificate bundle hashes from the Mozilla Project"); $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); $cert=0; - foreach ($cas as $ca){ - if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) + foreach ($cas as $ca) { + if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) $cert=1; if ($cert == 1) $crt.=$ca; - if (preg_match("/-END CERTIFICATE-/",$ca)){ + if (preg_match("/-END CERTIFICATE-/",$ca)) { file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); $cert_hash=array(); exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); $crt=""; $cert=0; - } } } + } } function squid_resync_general() { @@ -871,24 +882,25 @@ function squid_resync_general() { $settings = $config['installedpackages']['squid']['config'][0]; else $settings=array(); + $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n\n"; - #Check ssl interception + // Check ssl interception if (($settings['ssl_proxy'] == 'on')) { squid_check_ca_hashes(); $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { - if(base64_decode($srv_cert['prv'])) { - #check if ssl_db was initilized by squid - if (! file_exists("/var/squid/lib/ssl_db/serial")){ - if (is_dir("/var/squid/lib/ssl_db")){ + if (base64_decode($srv_cert['prv'])) { + // check if ssl_db was initilized by squid + if (!file_exists("/var/squid/lib/ssl_db/serial")) { + if (is_dir("/var/squid/lib/ssl_db")) { mwexec("/bin/rm -rf /var/squid/lib/ssl_db"); - } + } mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/"); } - #force squid user permission on /var/squid/lib/ssl_db/ + // force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); - # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext + // cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext $crt_pk=SQUID_CONFBASE."/serverkey.pem"; $crt_capath=SQUID_LOCALBASE."/share/certs/"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); @@ -901,66 +913,63 @@ function squid_resync_general() { $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; - if ($settings["interception_adapt"] != ""){ + if ($settings["interception_adapt"] != "") { foreach (explode(",",$settings["interception_adapt"]) as $adapt) $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; - } + } } } } $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); -#Read assigned interfaces + // Read assigned interfaces $real_ifaces = array(); - if($settings['active_interface']) + if ($settings['active_interface']) $proxy_ifaces = explode(",", $settings['active_interface']); else $proxy_ifaces=array("lan"); - if ($settings['transparent_proxy']=="on"){ + if ($settings['transparent_proxy']=="on") { $transparent_ifaces = explode(",", $settings['transparent_active_interface']); - foreach ($transparent_ifaces as $t_iface){ + foreach ($transparent_ifaces as $t_iface) { $t_iface_ip = squid_get_real_interface_address($t_iface); - if($t_iface_ip[0]) + if ($t_iface_ip[0]) $real_ifaces[]=$t_iface_ip; - } } - else{ + } else { $transparent_ifaces=array(); } - if ($settings['ssl_proxy']=="on"){ + if ($settings['ssl_proxy']=="on") { $ssl_ifaces = explode(",", $settings['ssl_active_interface']); - foreach ($ssl_ifaces as $s_iface){ + foreach ($ssl_ifaces as $s_iface) { $s_iface_ip = squid_get_real_interface_address($s_iface); - if($s_iface_ip[0]) + if ($s_iface_ip[0]) $real_ifaces[]=$s_iface_ip; - } } - else{ + } else { $ssl_ifaces=array(); } - #check all proxy interfaces selected + // check all proxy interfaces selected foreach ($proxy_ifaces as $iface) { $iface_ip = squid_get_real_interface_address($iface); - if($iface_ip[0]) { + if ($iface_ip[0]) { $real_ifaces[]=$iface_ip; if (in_array($iface,$ssl_ifaces)) $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; else $conf .= "http_port {$iface_ip[0]}:{$port}\n"; - } } + } if (($settings['transparent_proxy'] == 'on')) { - if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){ + if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0) { $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n"; $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n"; - } - else{ + } else { $conf .= "http_port 127.0.0.1:{$port} intercept\n"; } } @@ -968,20 +977,20 @@ function squid_resync_general() { $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); $piddir="{$g['varrun_path']}/squid"; $pidfile = "{$piddir}/squid.pid"; - if (!is_dir($piddir)){ + if (!is_dir($piddir)) { make_dirs($piddir); squid_chown_recursive($piddir, 'proxy', 'wheel'); - } + } $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); $icondir = SQUID_CONFBASE . '/icons'; $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); - if (! is_dir($logdir)){ + if (!is_dir($logdir)) { make_dirs($logdir); squid_chown_recursive($logdir, 'proxy', 'proxy'); - } + } $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on'; @@ -1007,11 +1016,11 @@ pinger_program {$pinger_program} EOD; -// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen. -$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; -$conf .= "logfile_rotate {$rotate}\n"; -$conf .= "debug_options rotate={$rotate}\n"; -squid_install_cron(true); + // Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen. + $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; + $conf .= "logfile_rotate {$rotate}\n"; + $conf .= "debug_options rotate={$rotate}\n"; + squid_install_cron(true); $conf .= <<< EOD shutdown_lifetime 3 seconds @@ -1031,32 +1040,42 @@ EOD; $conf .= "acl localnet src $src\n"; $valid_acls[] = 'localnet'; } - if ($settings['xforward_mode']) $conf .= "forwarded_for {$settings['xforward_mode']}\n"; - else $conf .= "forwarded_for on\n"; //only used for first run - if ($settings['disable_via']) $conf .= "via off\n"; - if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n"; - if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; - else $conf .= "uri_whitespace strip\n"; //only used for first run - - if(!empty($settings['dns_nameservers'])) { - $altdns = explode(";", ($settings['dns_nameservers'])); - $conf .= "dns_nameservers "; - foreach ($altdns as $dnssrv) { - $conf .= $dnssrv." "; - } -// $conf .= "\n"; //Kill blank line after DNS-Servers - } - - return $conf; -} + if ($settings['xforward_mode']) + $conf .= "forwarded_for {$settings['xforward_mode']}\n"; + else + $conf .= "forwarded_for on\n"; //only used for first run + + if ($settings['disable_via']) + $conf .= "via off\n"; + + if ($settings['disable_squidversion']) + $conf .= "httpd_suppress_version_string on\n"; + + if (!empty($settings['uri_whitespace'])) + $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; + else + $conf .= "uri_whitespace strip\n"; //only used for first run + + if (!empty($settings['dns_nameservers'])) { + $altdns = explode(";", ($settings['dns_nameservers'])); + $conf .= "dns_nameservers "; + foreach ($altdns as $dnssrv) { + $conf .= $dnssrv." "; + } + } + + return $conf; +} function squid_resync_cache() { global $config, $g; + if (is_array($config['installedpackages']['squidcache'])) $settings = $config['installedpackages']['squidcache']['config'][0]; else $settings = array(); + //apply cache settings $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); @@ -1070,25 +1089,23 @@ function squid_resync_cache() { $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); $conf = ''; if (!isset($settings['harddisk_cache_system'])) { - if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) + if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) { $disk_cache_system = 'null'; - else + } else { $disk_cache_system = 'ufs'; } - else{ + } else { $disk_cache_system = $settings['harddisk_cache_system']; - } - #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. + } + // 'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. if ($disk_cache_system != "null") { $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; } -//check dynamic content -if(empty($settings['cache_dynamic_content'])){ - $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; - $conf.="cache deny dynamic\n"; -} -else{ - if(preg_match('/youtube/',$settings['refresh_patterns'])){ + //check dynamic content + if (empty($settings['cache_dynamic_content'])) { + $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; + $conf.="cache deny dynamic\n"; + } else if (preg_match('/youtube/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -1099,7 +1116,7 @@ cache allow youtube EOC; } - if(preg_match('/windows/',$settings['refresh_patterns'])){ + if (preg_match('/windows/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Windows Update refresh_pattern @@ -1109,9 +1126,9 @@ refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims EOC; - } + } -if(preg_match('/symantec/',$settings['refresh_patterns'])){ + if (preg_match('/symantec/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Symantec refresh_pattern @@ -1120,8 +1137,8 @@ refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 10 refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims EOC; - } -if(preg_match('/avast/',$settings['refresh_patterns'])){ + } + if (preg_match('/avast/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Avast refresh_pattern @@ -1129,8 +1146,8 @@ range_offset_limit -1 refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims EOC; - } -if(preg_match('/avira/',$settings['refresh_patterns'])){ + } + if (preg_match('/avira/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Avira refresh_pattern @@ -1148,9 +1165,8 @@ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 EOC; -} - If ($settings['custom_refresh_patterns'] !="") + if ($settings['custom_refresh_patterns'] !="") $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; $conf .= <<< EOD @@ -1176,9 +1192,10 @@ EOD; $conf .= "cache deny donotcache\n"; } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { - unlink(SQUID_ACLDIR . '/donotcache.acl'); - } - $conf .= "cache allow all\n"; + unlink(SQUID_ACLDIR . '/donotcache.acl'); + } + $conf .= "cache allow all\n"; + return $conf.$refresh_conf; } @@ -1186,21 +1203,20 @@ function squid_resync_upstream() { global $config; $conf = "\n#Remote proxies\n"; if (is_array($config['installedpackages']['squidremote']['config'])) - foreach ($config['installedpackages']['squidremote']['config'] as $settings){ + foreach ($config['installedpackages']['squidremote']['config'] as $settings) { if ($settings['enable'] == 'on') { $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} "; if ($settings['icpport'] == '7') - $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; - else - $conf .= "{$settings['icpport']} "; - #auth settings - if (!empty($settings['username']) && !empty($settings['password'])){ + $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; + else + $conf .= "{$settings['icpport']} "; + // auth settings + if (!empty($settings['username']) && !empty($settings['password'])) { $conf .= " login={$settings['username']}:{$settings['password']}"; - } - else{ + } else { $conf .= "{$settings['authoption']} "; } - #other options settings + // other options settings if (!empty($settings['weight'])) $conf .= "weight={$settings['weight']} "; if (!empty($settings['basetime'])) @@ -1211,7 +1227,7 @@ function squid_resync_upstream() { $conf .= "no-delay"; } $conf .= "\n"; - } + } return $conf; } @@ -1262,25 +1278,20 @@ acl HTTPS proto HTTPS EOD; $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); - #$allowed = ""; - #foreach ($allowed_subnets as $subnet) { - # if(!empty($subnet)) { - # $subnet = trim($subnet); - # $allowed .= "$subnet "; - # } - #} if (!empty($allowed_subnets)) { $conf .= "acl allowed_subnets src $allowed_subnets\n"; $valid_acls[] = 'allowed_subnets'; } - $options = array( 'unrestricted_hosts' => 'src', - 'banned_hosts' => 'src', - 'whitelist' => 'dstdom_regex -i', - 'blacklist' => 'dstdom_regex -i', - 'block_user_agent' => 'browser -i', - 'block_reply_mime_type' => 'rep_mime_type -i', + $options = array( + 'unrestricted_hosts' => 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + 'block_user_agent' => 'browser -i', + 'block_reply_mime_type' => 'rep_mime_type -i', ); + foreach ($options as $option => $directive) { $contents = sq_text_area_decode($settings[$option]); if (!empty($contents)) { @@ -1289,8 +1300,8 @@ EOD; $valid_acls[] = $option; } elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { - unlink(SQUID_ACLDIR . "/$option.acl"); - } + unlink(SQUID_ACLDIR . "/$option.acl"); + } } $conf .= <<< EOD @@ -1298,19 +1309,19 @@ http_access allow manager localhost EOD; - if (is_array($config['installedpackages']['squidcache'])){ + if (is_array($config['installedpackages']['squidcache'])) { $settings_ch = $config['installedpackages']['squidcache']['config'][0]; - if(!empty($settings_ch['ext_cachemanager'])) { - $extmgr = explode(";", ($settings_ch['ext_cachemanager'])); - $conf .= "\n# Allow external cache managers\n"; - foreach ($extmgr as $mgr) { - $conf .= "acl ext_manager src {$mgr}\n"; - } - $conf .= "http_access allow manager ext_manager\n"; + if (!empty($settings_ch['ext_cachemanager'])) { + $extmgr = explode(";", ($settings_ch['ext_cachemanager'])); + $conf .= "\n# Allow external cache managers\n"; + foreach ($extmgr as $mgr) { + $conf .= "acl ext_manager src {$mgr}\n"; } + $conf .= "http_access allow manager ext_manager\n"; } + } - $conf .= <<< EOD + $conf .= <<< EOD http_access deny manager http_access allow purge localhost @@ -1328,7 +1339,7 @@ EOD; return $conf; } -function squid_resync_antivirus(){ +function squid_resync_antivirus() { global $config; if (is_array($config['installedpackages']['squidantivirus'])) @@ -1336,24 +1347,24 @@ function squid_resync_antivirus(){ else $antivirus_config = array(); - if ($antivirus_config['enable']=="on"){ - switch ($antivirus_config['client_info']){ - case "both": - $icap_send_client_ip="on"; - $icap_send_client_username="on"; - break; - case "IP": - $icap_send_client_ip="on"; - $icap_send_client_username="off"; - break; - case "username": - $icap_send_client_ip="off"; - $icap_send_client_username="on"; - break; - case "none": - $icap_send_client_ip="off"; - $icap_send_client_username="off"; - break; + if ($antivirus_config['enable']=="on") { + switch ($antivirus_config['client_info']) { + case "both": + $icap_send_client_ip="on"; + $icap_send_client_username="on"; + break; + case "IP": + $icap_send_client_ip="on"; + $icap_send_client_username="off"; + break; + case "username": + $icap_send_client_ip="off"; + $icap_send_client_username="on"; + break; + case "none": + $icap_send_client_ip="off"; + $icap_send_client_username="off"; + break; } if (is_array($config['installedpackages']['squid'])) $squid_config=$config['installedpackages']['squid']['config'][0]; @@ -1373,11 +1384,12 @@ icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav by adaptation_access service_avi_resp allow all EOF; - #check if icap is enabled on rc.conf.local - if (file_exists("/etc/rc.conf.local")){ + + // check if icap is enabled on rc.conf.local + if (file_exists("/etc/rc.conf.local")) { $rc_old_file=file("/etc/rc.conf.local"); - foreach ($rc_old_file as $rc_line){ - if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){ + foreach ($rc_old_file as $rc_line) { + if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)) { $rc_file.=$matches[1].'="YES"'."\n"; ${$matches[1]}="ok"; } @@ -1391,10 +1403,10 @@ EOF; $rc_file.='clamav_clamd_enable="YES"'."\n"; file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX); squid_check_clamav_user('clamav'); - #patch sample files to pfsense dirs - #squidclamav.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){ + // patch sample files to pfsense dirs + // squidclamav.conf + if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { + if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")) { $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default"); $clamav_m[0]="@/var/run/clamav/clamd.ctl@"; $clamav_m[1]="@cgi-bin/clwarn.cgi@"; @@ -1402,19 +1414,21 @@ EOF; $clamav_r[1]="squid_clwarn.php"; file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX); } - #c-icap.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){ + } + // c-icap.conf + if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { + if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")) { $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default"); - if (! preg_match("/squid_clamav/",$sample_file)) + if (!preg_match("/squid_clamav/",$sample_file)) $sample_file.="\nService squid_clamav squidclamav.so\n"; $cicap_m[0]="@Manager:Apassword\S+@"; $cicap_r[0]=""; file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX); } + } //check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197) $ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap'); - foreach ($ln_icap as $ln){ + foreach ($ln_icap as $ln) { if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}")) symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}"); } @@ -1422,67 +1436,68 @@ EOF; symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3"); $loadsample=0; - if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){ + if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){ + if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")){ + if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")) { $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample"))); $loadsample++; } - if($loadsample > 0){ + if ($loadsample > 0) { write_config(); $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; } - #check dirs - $dirs=array("/var/run/c-icap" => "clamav", - "/var/log/c-icap" => "clamav", - "/var/log/clamav" => "clamav", - "/var/run/clamav" => "clamav", - "/var/db/clamav" => "clamav"); - foreach ($dirs as $dir_path => $dir_user){ - if (!is_dir($dir_path)) - make_dirs($dir_path); - squid_chown_recursive($dir_path, $dir_user, "wheel"); - } - #Check clamav database - if (count(glob("/var/db/clamav/*d"))==0){ + // check dirs + $dirs = array( + "/var/run/c-icap" => "clamav", + "/var/log/c-icap" => "clamav", + "/var/log/clamav" => "clamav", + "/var/run/clamav" => "clamav", + "/var/db/clamav" => "clamav" + ); + foreach ($dirs as $dir_path => $dir_user) { + if (!is_dir($dir_path)) + make_dirs($dir_path); + squid_chown_recursive($dir_path, $dir_user, "wheel"); + } + // Check clamav database + if (count(glob("/var/db/clamav/*d"))==0) { log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background."); mwexec_bg(SQUID_BASE."/bin/freshclam"); } $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); - foreach($rcd_files as $rcd_file) + foreach ($rcd_files as $rcd_file) if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); - #write advanced icap config files + // write advanced icap config files file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX); file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX); file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX); - #check antivirus daemons - #check icap - if (is_process_running("c-icap")){ + // check antivirus daemons + // check icap + if (is_process_running("c-icap")) { mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); - } - else{ - #check c-icap user on startup file - $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; - if (file_exists($c_icap_rcfile)){ + } else { + // check c-icap user on startup file + $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; + if (file_exists($c_icap_rcfile)) { $sample_file=file_get_contents($c_icap_rcfile); $cicapm[0]="@c_icap_user=.*}@"; $cicapr[0]='c_icap_user="clamav"}'; $cicapm[1]="@/usr/local@"; $cicapr[1]=SQUID_LOCALBASE; file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX); - } - mwexec_bg("/usr/local/etc/rc.d/c-icap start"); } - #check clamav/freshclam + mwexec_bg("/usr/local/etc/rc.d/c-icap start"); + } + // check clamav/freshclam $rc_files=array("clamav-freshclam","clamav-clamd"); $clamm[0]="@/usr/local/(bin|sbin)@"; $clamm[1]="@/local/(bin|sbin)@"; @@ -1492,25 +1507,25 @@ EOF; $clamr[1]="/bin"; $clamr[2]=SQUID_LOCALBASE."/etc"; $clamr[3]="enable:=YES"; - foreach ($rc_files as $rc_file){ + foreach ($rc_files as $rc_file) { $clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}"; - if (file_exists($clamav_rcfile)){ + if (file_exists($clamav_rcfile)) { $sample_file=file_get_contents($clamav_rcfile); file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX); - } } + } if (is_process_running("clamd")) mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); else mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); - } -return $conf; + } + return $conf; } function squid_resync_traffic() { global $config, $valid_acls; - if(!is_array($valid_acls)) + if (!is_array($valid_acls)) return; if (is_array($config['installedpackages']['squidtraffic'])) $settings = $config['installedpackages']['squidtraffic']['config'][0]; @@ -1531,7 +1546,6 @@ function squid_resync_traffic() { if ($down_limit != 0) $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n"; - // Only apply throttling past 10MB // XXX: Should this really be hardcoded? $threshold = 10 * 1024 * 1024; @@ -1553,11 +1567,12 @@ delay_initial_bucket_level 100 EOD; - if(! empty($settings['unrestricted_hosts'])) { + if (!empty($settings['unrestricted_hosts'])) { foreach (array('unrestricted_hosts') as $item) { - if (in_array($item, $valid_acls)) + if (in_array($item, $valid_acls)) { $conf .= "# Do not throttle unrestricted hosts\n"; $conf .= "delay_access 1 deny $item\n"; + } } } @@ -1574,7 +1589,8 @@ EOD; } foreach (explode(",", $settings['throttle_others']) as $ext) { - if (!empty($ext)) $exts[] = $ext; + if (!empty($ext)) + $exts[] = $ext; } $contents = ''; @@ -1586,9 +1602,9 @@ EOD; $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; $conf .= "delay_access 1 allow throttle_exts\n"; $conf .= "delay_access 1 deny allsrc\n"; - } - else + } else { $conf .= "delay_access 1 allow allsrc\n"; + } return $conf; } @@ -1603,16 +1619,16 @@ function squid_get_server_certs() { return $cert_arr; } -#squid reverse +// squid reverse include('/usr/local/pkg/squid_reverse.inc'); function squid_resync_auth() { global $config, $valid_acls; $write_config=0; - if (!is_array($config['installedpackages']['squidauth']['config'])){ + if (!is_array($config['installedpackages']['squidauth']['config'])) { $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none"); $write_config++; - } + } $settings = $config['installedpackages']['squidauth']['config'][0]; if (is_array($config['installedpackages']['squidnac']['config'])) $settingsnac = $config['installedpackages']['squidnac']['config'][0]; @@ -1630,13 +1646,13 @@ function squid_resync_auth() { $conf = ''; // SSL interception acl options part 1 - if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])){ + if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])) { $conf .= "always_direct allow whitelist\n"; $conf .= "ssl_bump none whitelist\n"; - } + } // Package integration - if(!empty($settingsconfig['custom_options'])){ + if (!empty($settingsconfig['custom_options'])) { $co_preg[0]='/;/'; $co_rep[0]="\n"; $co_preg[1]="/redirect_program/"; @@ -1644,19 +1660,19 @@ function squid_resync_auth() { $co_preg[2]="/redirector_bypass/"; $co_rep[2]="url_rewrite_bypass"; $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n"; - } + } // Custom User Options before authentication acls $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n"; // Deny the banned guys before allowing the good guys - if(! empty($settingsnac['banned_hosts'])) { + if (!empty($settingsnac['banned_hosts'])) { if (squid_is_valid_acl('banned_hosts')) { $conf .= "# These hosts are banned\n"; $conf .= "http_access deny banned_hosts\n"; } } - if(! empty($settingsnac['banned_macs'])) { + if (!empty($settingsnac['banned_macs'])) { if (squid_is_valid_acl('banned_macs')) { $conf .= "# These macs are banned\n"; $conf .= "http_access deny banned_macs\n"; @@ -1664,13 +1680,13 @@ function squid_resync_auth() { } // Unrestricted hosts take precedence over blacklist - if(! empty($settingsnac['unrestricted_hosts'])) { + if (!empty($settingsnac['unrestricted_hosts'])) { if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } } - if(! empty($settingsnac['unrestricted_macs'])) { + if (!empty($settingsnac['unrestricted_macs'])) { if (squid_is_valid_acl('unrestricted_macs')) { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_macs\n"; @@ -1678,49 +1694,42 @@ function squid_resync_auth() { } // Whitelist and blacklist also take precedence over other allow rules - if(! empty($settingsnac['whitelist'])) { + if (!empty($settingsnac['whitelist'])) { if (squid_is_valid_acl('whitelist')) { $conf .= "# Always allow access to whitelist domains\n"; $conf .= "http_access allow whitelist\n"; } } - if(! empty($settingsnac['blacklist'])) { + if (!empty($settingsnac['blacklist'])) { if (squid_is_valid_acl('blacklist')) { $conf .= "# Block access to blacklist domains\n"; $conf .= "http_access deny blacklist\n"; } } - if(! empty($settingsnac['block_user_agent'])) { + if (!empty($settingsnac['block_user_agent'])) { if (squid_is_valid_acl('block_user_agent')) { $conf .= "# Block access with user agents and browsers\n"; $conf .= "http_access deny block_user_agent\n"; } } - if(! empty($settingsnac['block_reply_mime_type'])) { + if (!empty($settingsnac['block_reply_mime_type'])) { if (squid_is_valid_acl('block_reply_mime_type')) { $conf .= "# Block access with mime type in the reply\n"; $conf .= "http_reply_access deny block_reply_mime_type\n"; } } - // SSL interception acl options part 2 - /*if ($settingsconfig['ssl_proxy'] == "on"){ - $conf .= "always_direct allow all\n"; - $conf .= "ssl_bump server-first all\n"; - }*/ - // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - if ($transparent_proxy){ + if ($transparent_proxy) { if (preg_match ("/(none|cp)/",$settings['auth_method'])) $auth_method=$settings['auth_method']; else $auth_method="none"; - } - else{ + } else { $auth_method=$settings['auth_method']; } // Allow the remaining ACLs if no authentication is set @@ -1731,10 +1740,10 @@ function squid_resync_auth() { } if ($auth_method == 'none' ) { // SSL interception acl options part 2 without authentication - if ($settingsconfig['ssl_proxy'] == "on"){ + if ($settingsconfig['ssl_proxy'] == "on") { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; - } + } $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { @@ -1744,8 +1753,7 @@ function squid_resync_auth() { $allowed = array_filter($allowed, 'squid_is_valid_acl'); foreach ($allowed as $acl) $conf .= "http_access allow $acl\n"; - } - else { + } else { $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { $conf .= "acl noauth src $noauth\n"; @@ -1757,28 +1765,28 @@ function squid_resync_auth() { $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { - case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; - break; - case 'ldap': - $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); - $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; - break; - case 'radius': - $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; - break; - case 'cp': - $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; - $conf .= "acl password external check_cp\n"; - break; - case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; - squid_resync_msnt(); - break; + case 'local': + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'cp': + $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; + $conf .= "acl password external check_cp\n"; + break; + case 'msnt': + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; + squid_resync_msnt(); + break; } - if ($auth_method != 'cp'){ + if ($auth_method != 'cp') { $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt @@ -1791,10 +1799,10 @@ EOD; $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n"; // SSL interception acl options part 2 - if ($settingsconfig['ssl_proxy'] == "on"){ + if ($settingsconfig['ssl_proxy'] == "on") { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; - } + } // Onto the ACLs $password = array('localnet', 'allowed_subnets'); $passwordless = array('unrestricted_hosts'); @@ -1811,15 +1819,13 @@ EOD; foreach ($passwordless as $acl) $conf .= "http_access allow $acl\n"; - //if ($auth_method != 'cp'){ - // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; - // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) - $conf .= "http_access allow password $acl\n"; - // } + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; } $conf .= "# Default block all to be sure\n"; @@ -1861,8 +1867,8 @@ function squid_resync_msnt() { function squid_resync($via_rpc="no") { global $config; - # detect boot process - if (is_array($_POST)){ + // detect boot process + if (is_array($_POST)) { if (preg_match("/\w+/",$_POST['__csrf_magic'])) unset($boot_process); else @@ -1897,43 +1903,42 @@ function squid_resync($via_rpc="no") { squid_resync_users(); squid_write_rcfile(); - if(!isset($boot_process) || $via_rpc="yes") + if (!isset($boot_process) || $via_rpc="yes") squid_sync_on_changes(); - #write config file + // write config file file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf); /* make sure pinger is executable */ - if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) + if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger"); $log_dir=""; - #check if squid is enabled - if (is_array($config['installedpackages']['squid']['config'])){ + // check if squid is enabled + if (is_array($config['installedpackages']['squid']['config'])) { if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; - } - #check if squidreverse is enabled - else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){ + } + // check if squidreverse is enabled + else if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") $log_dir="/var/squid/logs/"; - } - #do not start squid if there is no log dir - if ($log_dir != ""){ - if(!is_dir($log_dir)) { + } + // do not start squid if there is no log dir + if ($log_dir != "") { + if (!is_dir($log_dir)) { log_error("Creating squid log dir $log_dir"); make_dirs($log_dir); squid_chown_recursive($log_dir, 'proxy', 'proxy'); - } + } squid_dash_z(); if (!is_service_running('squid')) { log_error("Starting Squid"); mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); - } - else { - if (!isset($boot_process)){ + } else { + if (!isset($boot_process)) { log_error("Reloading Squid for configuration sync"); mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } @@ -1981,8 +1986,7 @@ function on_auth_method_changed() { </script> EOD; - } - else { + } else { $javascript = <<< EOD <script language="JavaScript"> <!-- @@ -2007,8 +2011,7 @@ function on_auth_method_changed() { document.iform.auth_ttl.disabled = 1; document.iform.unrestricted_auth.disabled = 1; document.iform.no_auth_hosts.disabled = 1; - } - else { + } else { document.iform.auth_prompt.disabled = 0; document.iform.auth_processes.disabled = 0; document.iform.auth_ttl.disabled = 0; @@ -2017,76 +2020,76 @@ function on_auth_method_changed() { } switch (auth_method) { - case 'local': - document.iform.auth_server.disabled = 1; - document.iform.auth_server_port.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 1; - break; - case 'ldap': - document.iform.auth_server.disabled = 0; - document.iform.auth_server_port.disabled = 0; - document.iform.ldap_user.disabled = 0; - document.iform.ldap_pass.disabled = 0; - document.iform.ldap_version.disabled = 0; - document.iform.ldap_userattribute.disabled = 0; - document.iform.ldap_filter.disabled = 0; - document.iform.ldap_basedomain.disabled = 0; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - break; - case 'radius': - document.iform.auth_server.disabled = 0; - document.iform.auth_server_port.disabled = 0; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 0; - document.iform.msnt_secondary.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - break; - case 'msnt': - document.iform.auth_server.disabled = 0; - document.iform.auth_server_port.disabled = 1; - document.iform.auth_ntdomain.disabled = 0; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 0; - break; - case 'cp': - document.iform.auth_server.disabled = 1; - document.iform.auth_server_port.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 1; - document.iform.auth_prompt.disabled = 1; - document.iform.auth_processes.disabled = 0; - document.iform.auth_ttl.disabled = 0; - document.iform.unrestricted_auth.disabled = 1; - document.iform.no_auth_hosts.disabled = 1; - break; + case 'local': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + break; + case 'ldap': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 0; + document.iform.ldap_pass.disabled = 0; + document.iform.ldap_version.disabled = 0; + document.iform.ldap_userattribute.disabled = 0; + document.iform.ldap_filter.disabled = 0; + document.iform.ldap_basedomain.disabled = 0; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + break; + case 'radius': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 0; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + break; + case 'msnt': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 0; + break; + case 'cp': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + break; } } --> @@ -2104,50 +2107,50 @@ function squid_print_javascript_auth2() { function squid_generate_rules($type) { global $config; + $squid_conf = $config['installedpackages']['squid']['config'][0]; //check captive portal option $cp_file='/etc/inc/captiveportal.inc'; $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $cp_inc = file($cp_file); - $new_cp_inc=""; - $found_rule=0; - foreach ($cp_inc as $line){ - $new_line=$line; - //remove applied squid patch - if (preg_match('/skipto 65314 ip/',$line)){ + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line) { + $new_line=$line; + //remove applied squid patch + if (preg_match('/skipto 65314 ip/',$line)) { + $found_rule++; + $new_line =""; + } + + if (substr($pfsense_version,0,3) > 2.0) { + if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']) { $found_rule++; - $new_line =""; - } - - if (substr($pfsense_version,0,3) > 2.0){ - if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - } - } - else{ - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; - } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; - } - } - $new_cp_inc .= $new_line; + $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } else { + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']) { + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; } - if($found_rule > 0){ - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']) { + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; } + } + $new_cp_inc .= $new_line; + } + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } + if ($found_rule > 0) { + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + } //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; @@ -2157,21 +2160,19 @@ function squid_generate_rules($type) { log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); return; } - #Read assigned interfaces + // Read assigned interfaces $proxy_ifaces = explode(",", $squid_conf['active_interface']); $proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces); - if ($squid_conf['transparent_proxy']=="on"){ + if ($squid_conf['transparent_proxy']=="on") { $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']); $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces); - } - else{ + } else { $transparent_ifaces=array(); } - if ($squid_conf['ssl_proxy'] == "on"){ + if ($squid_conf['ssl_proxy'] == "on") { $ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']); $ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces); - } - else{ + } else { $ssl_ifaces=array(); } @@ -2179,118 +2180,118 @@ function squid_generate_rules($type) { $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127); $fw_aliases = filter_generate_aliases(); - if(strstr($fw_aliases, "pptp =")) + if (strstr($fw_aliases, "pptp =")) $PPTP_ALIAS = "\$pptp"; else $PPTP_ALIAS = "\$PPTP"; - if(strstr($fw_aliases, "PPPoE =")) + if (strstr($fw_aliases, "PPPoE =")) $PPPOE_ALIAS = "\$PPPoE"; else $PPPOE_ALIAS = "\$pppoe"; - #define ports based on transparent options and ssl filtering + // define ports based on transparent options and ssl filtering $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80"); switch($type) { - case 'nat': - $rules .= "\n# Setup Squid proxy redirect\n"; - if ($squid_conf['private_subnet_proxy_off'] == 'on') { - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; - } + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; } - if (!empty($squid_conf['defined_ip_proxy_off'])) { - $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); - $exempt_ip = ""; - foreach ($defined_ip_proxy_off as $ip_proxy_off) { - if(!empty($ip_proxy_off)) { - $ip_proxy_off = trim($ip_proxy_off); - if (is_alias($ip_proxy_off)) - $ip_proxy_off = '$'.$ip_proxy_off; - $exempt_ip .= ", $ip_proxy_off"; - } - } - $exempt_ip = substr($exempt_ip,2); - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; - } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; } - if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { - $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); - $exempt_dest = ""; - foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { - if(!empty($ip_proxy_off_dest)) { - $ip_proxy_off_dest = trim($ip_proxy_off_dest); - if (is_alias($ip_proxy_off_dest)) - $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; - $exempt_dest .= ", $ip_proxy_off_dest"; - } - } - $exempt_dest = substr($exempt_dest,2); - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if (!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; + $exempt_ip .= ", $ip_proxy_off"; } } - foreach ($transparent_ifaces as $t_iface) { - $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; - if (in_array($t_iface,$ssl_ifaces)) - $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + $exempt_ip = substr($exempt_ip,2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; } /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; } /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; } - $rules .= "\n"; - break; - case 'filter': - case 'rule': + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if (!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); - $rules .= "# Setup squid pass rules for proxy\n"; - $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; - #$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; - $rules .= "\n"; - }; - if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { - $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; } - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; } - break; - default: - break; + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + } + foreach ($transparent_ifaces as $t_iface) { + $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; + if (in_array($t_iface,$ssl_ifaces)) + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; + // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; + $rules .= "\n"; + }; + if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + break; + default: + break; } return $rules; @@ -2341,82 +2342,80 @@ EOD; /* Uses XMLRPC to synchronize the changes to a remote node */ function squid_sync_on_changes() { global $config, $g; - if (is_array($config['installedpackages']['squidsync']['config'])){ + if (is_array($config['installedpackages']['squidsync']['config'])) { $squid_sync=$config['installedpackages']['squidsync']['config'][0]; $synconchanges = $squid_sync['synconchanges']; $synctimeout = $squid_sync['synctimeout']; - switch ($synconchanges){ - case "manual": - if (is_array($squid_sync[row])){ - $rs=$squid_sync[row]; - } - else{ - log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config."); - return; - } - break; - case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ - $system_carp=$config['installedpackages']['carpsettings']['config'][0]; - $rs[0]['ipaddress']=$system_carp['synchronizetoip']; - $rs[0]['username']=$system_carp['username']; - $rs[0]['password']=$system_carp['password']; - } - else{ - log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); - return; - } - break; - default: + switch ($synconchanges) { + case "manual": + if (is_array($squid_sync[row])) { + $rs=$squid_sync[row]; + } else { + log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config."); return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + } else { + log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + break; + default: + return; break; } - if (is_array($rs)){ + if (is_array($rs)) { log_error("[squid] xmlrpc sync is starting."); - foreach($rs as $sh){ + foreach ($rs as $sh) { $sync_to_ip = $sh['ipaddress']; $password = $sh['password']; - if($sh['username']) + if ($sh['username']) $username = $sh['username']; else $username = 'admin'; - if($password && $sync_to_ip) + if ($password && $sync_to_ip) squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); - } - log_error("[squid] xmlrpc sync is ending."); } - } + log_error("[squid] xmlrpc sync is ending."); + } + } } /* Do the actual XMLRPC sync */ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; - if(!$username) + if (!$username) return; - if(!$password) + if (!$password) return; - if(!$sync_to_ip) + if (!$sync_to_ip) return; - if(!$synctimeout) + if (!$synctimeout) $synctimeout=250; $xmlrpc_sync_neighbor = $sync_to_ip; - if($config['system']['webgui']['protocol'] != "") { + if ($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ - if($port == "") { - if($config['system']['webgui']['protocol'] == "http") + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if ($port == "") { + if ($config['system']['webgui']['protocol'] == "http") $port = "80"; else $port = "443"; - } + } $synchronizetoip .= $sync_to_ip; /* xml will hold the sections to sync */ @@ -2445,15 +2444,15 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - if($g['debug']) + if ($g['debug']) $cli->setDebug(1); /* send our XMLRPC message and timeout after defined sync timeout value*/ $resp = $cli->send($msg, $synctimeout); - if(!$resp) { + if (!$resp) { $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); - } elseif($resp->faultCode()) { + } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); @@ -2478,11 +2477,11 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); - if(!$resp) { + if (!$resp) { $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); - } elseif($resp->faultCode()) { + } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); @@ -2491,6 +2490,6 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { } else { log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); } - } + ?> |