Diffstat (limited to 'config/squid3/34')
-rwxr-xr-x | config/squid3/34/squid.inc | 1802 | ||||
-rw-r--r-- | config/squid3/34/squid.xml | 14 | ||||
-rw-r--r-- | config/squid3/34/squid_auth.inc | 446 | ||||
-rw-r--r-- | config/squid3/34/squid_cpauth.php | 24 | ||||
-rw-r--r-- | config/squid3/34/squid_extauth.xml | 106 | ||||
-rwxr-xr-x | config/squid3/34/squid_ng.inc | 1070 | ||||
-rwxr-xr-x | config/squid3/34/squid_ng.xml | 267 | ||||
-rwxr-xr-x | config/squid3/34/squid_reverse.inc | 158 |
8 files changed, 995 insertions, 2892 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index cce9bddd..7155d560 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -38,43 +38,52 @@ require_once('pfsense-utils.inc'); require_once('pkg-utils.inc'); require_once('service-utils.inc'); -if(!function_exists("filter_configure")) +if (!function_exists("filter_configure")) require_once("filter.inc"); $shortcut_section = "squid"; -define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m")); -define('SQUID_LOCALBASE', SQUID_BASE . "/local"); + +global $pfs_version; +$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pfs_version == "2.1" || $pfs_version == "2.2") { + define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m")); + define('SQUID_LOCALBASE', SQUID_BASE . "/local"); + define('SQUID_UID', 'proxy'); + define('SQUID_GID', 'proxy'); +} else { + define('SQUID_BASE', '/usr/local'); + define('SQUID_LOCALBASE', '/usr/local'); + define('SQUID_UID', 'squid'); + define('SQUID_GID', 'squid'); +} define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid'); define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf'); -define('SQUID_BASE', '/var/squid/'); define('SQUID_ACLDIR', '/var/squid/acl'); define('SQUID_PASSWD', '/var/etc/squid.passwd'); -define('SQUID_LIB','/var/squid/lib'); define('SQUID_SSL_DB','/var/squid/lib/ssl_db'); $valid_acls = array(); $uname=posix_uname(); if ($uname['machine']=='amd64') - ini_set('memory_limit', '250M'); + ini_set('memory_limit', '250M'); - function sq_text_area_decode($text){ +function sq_text_area_decode($text) { return preg_replace('/\r\n/', "\n",base64_decode($text)); } - function squid_get_real_interface_address($iface) { - global $config; - - $iface = convert_friendly_interface_to_real_interface_name($iface); - $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); - list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); + if (!function_exists("get_interface_ip")) + require_once("interfaces.inc"); - return array($ip, long2ip(hexdec($netmask))); + return array(get_interface_ip($iface), gen_subnet_mask(get_interface_subnet($iface))); } function 
squid_chown_recursive($dir, $user, $group) { + if ($dir == '/usr/local') + return; + chown($dir, $user); chgrp($dir, $group); $handle = opendir($dir) ; @@ -82,9 +91,9 @@ function squid_chown_recursive($dir, $user, $group) { if (($item != ".") && ($item != "..")) { $path = "$dir/$item"; // Recurse unless it's the cache dir, that is slow and rarely necessary. - if (is_dir($path) && (basename($dir) != "cache")) + if (is_dir($path) && (basename($dir) != "cache")) { squid_chown_recursive($path, $user, $group); - elseif (is_file($path)) { + } elseif (is_file($path)) { chown($path, $user); chgrp($path, $group); } @@ -92,14 +101,16 @@ function squid_chown_recursive($dir, $user, $group) { } } -function squid_check_clamav_user($user) - { - exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return); - $user_arg=($sq_ex_return == 0?"mod":"add"); - exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return); - if ($sq_ex_return != 0) - log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output)); - } +function squid_check_clamav_user($user) { + if (SQUID_BASE == '/usr/local') + return; + + $_gc = exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return); + $user_arg=($sq_ex_return == 0?"mod":"add"); + $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return); + if ($sq_ex_return != 0) + log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output)); +} /* setup cache */ function squid_dash_z($cache_action='none') { 
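Review bot: The new early return in `squid_chown_recursive` compares `$dir` with the literal `'/usr/local'`, so a caller that passes `'/usr/local/'` (trailing slash) or any other spelling of the same directory still gets the whole tree chown'ed; `if (rtrim($dir, '/') == '/usr/local')` is the cheap guard, `realpath($dir)` the thorough one. Separately, `$pfs_version` is built from `file_get_contents("/etc/version")` without checking that the read succeeded, so an unreadable file yields `''` and silently selects the `/usr/local` layout with the `squid` uid; a `log_error` in that case would make a mis-detected layout diagnosable. The `global $pfs_version;` at file scope has no effect and can be dropped. `squid_chown_recursive`'s body continues into the next hunk.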
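Review bot: `squid_check_clamav_user` still interpolates `$user` straight into two `exec()` command strings; even if the current callers pass a fixed name, `exec("/usr/sbin/pw usershow " . escapeshellarg($user), $sq_ex_output, $sq_ex_return);` (and the same on the `user{$user_arg}` line) removes the dependency on what the caller hands in. `$sq_ex_output` is also shared by both calls without being reset, and `exec()` appends to the array, so the `log_error` line serialises the `usershow` output together with the failing command's output; `unset($sq_ex_output);` between the two calls keeps the log line meaningful. The `$_gc = exec(...)` assignments store a value nothing reads — a bare `exec(...)` is clearer.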
@@ -115,48 +126,49 @@ function squid_dash_z($cache_action='none') { if ($settings['harddisk_cache_system'] == "null") return; - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); - if ($cache_action=="clean"){ - rename ($cachedir,"{$cachedir}.old"); + if ($cache_action == "clean" && file_exists($cachedir)) { + rename ($cachedir, "{$cachedir}.old"); mwexec_bg("/bin/rm -rf {$cachedir}.old"); } - if(!is_dir($cachedir.'/')) { - log_error("Creating Squid cache dir $cachedir"); - make_dirs($cachedir); - // Double check permissions here, should be safe to recurse cache dir if it's small here. - mwexec("/usr/sbin/chown -R proxy:proxy $cachedir"); + if (!is_dir($cachedir)) { + log_error("Creating Squid cache dir {$cachedir}"); + @mkdir($cachedir, 0755, true); + @chown($cachedir, SQUID_UID); + @chgrp($cachedir, SQUID_GID); } - if(!is_dir($cachedir.'/00/')) { + if (!is_dir($cachedir.'/00')) { log_error("Creating squid cache subdirs in $cachedir"); mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE); sleep(5); mwexec(SQUID_BASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE); // Double check permissions here, should be safe to recurse cache dir if it's small here. - mwexec("/usr/sbin/chown -R proxy:proxy $cachedir"); + mwexec("/usr/sbin/chown -R " . SQUID_UID . ":" . SQUID_GID . " $cachedir"); mwexec(SQUID_BASE. "/sbin/squid -z -f " . 
SQUID_CONFFILE); } - if(file_exists("/var/squid/cache/swap.state")) { - chown("/var/squid/cache/swap.state", "proxy"); - chgrp("/var/squid/cache/swap.state", "proxy"); - exec("chmod a+rw /var/squid/cache/swap.state"); + if (file_exists("/var/squid/cache/swap.state")) { + chown("/var/squid/cache/swap.state", SQUID_UID); + chgrp("/var/squid/cache/swap.state", SQUID_GID); + chmod("/var/squid/cache/swap.state", "a+rw"); } - } function squid_is_valid_acl($acl) { global $valid_acls; - if(!is_array($valid_acls)) + + if (!is_array($valid_acls)) return; + return in_array($acl, $valid_acls); } function squid_install_command() { - global $config; - global $g; + global $config, $g; + update_status("Checking if there is configuration to migrate... One moment please..."); /* migrate existing csv config fields */ if (is_array($config['installedpackages']['squidauth']['config'])) 
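Review bot: `chmod("/var/squid/cache/swap.state", "a+rw")` passes a symbolic mode string, but PHP's `chmod()` takes an integer mode; a non-numeric string is rejected with a warning and the call does nothing (a `TypeError` on PHP 8), so the permission change the replaced shell `chmod a+rw` performed is silently lost. The equivalent is `chmod("/var/squid/cache/swap.state", 0666);`. The same mistake appears twice in the `@@ -303` hunk of this file (`@chmod(..., "a+x")` on `pinger` and on `swapstate_check.php`), where the `@` additionally hides the warning; there `chmod($path, fileperms($path) | 0111)` adds the execute bits without clobbering the rest. In this hunk the new `@mkdir`/`@chown`/`@chgrp` trio also swallows failures that the later `squid -z` will hit with a less helpful error; checking the `mkdir` return value and calling `log_error` keeps the diagnosis next to the cause.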
@@ -168,132 +180,122 @@ function squid_install_command() { if (is_array($config['installedpackages']['squid']['config'])) $settingsgen = $config['installedpackages']['squid']['config'][0]; - if (file_exists("/usr/local/pkg/check_ip.php")) - rename("/usr/local/pkg/check_ip.php",SQUID_BASE . "/bin/check_ip.php"); + if (SQUID_BASE != '/usr/local' && + file_exists('/usr/local/bin/check_ip.php') && + !file_exists(SQUID_BASE . '/bin/check_ip.php')) + symlink("/usr/local/bin/check_ip.php", SQUID_BASE . "/bin/check_ip.php"); + /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; } /* migrate auth settings */ - if (!empty($settingsauth['no_auth_hosts'])) { - if(strstr($settingsauth['no_auth_hosts'], ",")) { - $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); - $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; - } + if (!empty($settingsauth['no_auth_hosts']) && strstr($settingsauth['no_auth_hosts'], ",")) { + $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); + $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; } /* migrate cache settings */ - if (!empty($settingscache['donotcache'])) { - if(strstr($settingscache['donotcache'], ",")) { - $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); - $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; - } + if (!empty($settingscache['donotcache']) && strstr($settingscache['donotcache'], ",")) { + $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); + $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; } /* migrate 
nac settings */ - if(! empty($settingsnac['allowed_subnets'])) { - if(strstr($settingsnac['allowed_subnets'], ",")) { - $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); - $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; - } + if (!empty($settingsnac['allowed_subnets']) && strstr($settingsnac['allowed_subnets'], ",")) { + $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); + $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; } - if(! empty($settingsnac['banned_hosts'])) { - if(strstr($settingsnac['banned_hosts'], ",")) { - $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); - $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; - } + + if (!empty($settingsnac['banned_hosts']) && strstr($settingsnac['banned_hosts'], ",")) { + $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; } - if(! empty($settingsnac['banned_macs'])) { - if(strstr($settingsnac['banned_macs'], ",")) { - $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); - $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; - } + if (!empty($settingsnac['banned_macs']) && strstr($settingsnac['banned_macs'], ",")) { + $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); + $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; } - if(! 
empty($settingsnac['unrestricted_hosts'])) { - if(strstr($settingsnac['unrestricted_hosts'], ",")) { - $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); - $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; - } + if (!empty($settingsnac['unrestricted_hosts']) && strstr($settingsnac['unrestricted_hosts'], ",")) { + $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; } - if(! empty($settingsnac['unrestricted_macs'])) { - if(strstr($settingsnac['unrestricted_macs'], ",")) { - $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); - $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; - } + if (!empty($settingsnac['unrestricted_macs']) && strstr($settingsnac['unrestricted_macs'], ",")) { + $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; } - if(! empty($settingsnac['whitelist'])) { - if(strstr($settingsnac['whitelist'], ",")) { - $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); - $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; - } + if (!empty($settingsnac['whitelist']) && strstr($settingsnac['whitelist'], ",")) { + $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); + $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; } - if(! 
empty($settingsnac['blacklist'])) { - if(strstr($settingsnac['blacklist'], ",")) { - $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); - $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; - } + if (!empty($settingsnac['blacklist']) && strstr($settingsnac['blacklist'], ",")) { + $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); + $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; } - if(! empty($settingsnac['block_user_agent'])) { - if(strstr($settingsnac['block_user_agent'], ",")) { - $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); - $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; - } + if (!empty($settingsnac['block_user_agent']) && strstr($settingsnac['block_user_agent'], ",")) { + $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); + $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; } - if(! 
empty($settingsnac['block_reply_mime_type'])) { - if(strstr($settingsnac['block_reply_mime_type'], ",")) { - $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); - $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; - } + if (!empty($settingsnac['block_reply_mime_type']) && strstr($settingsnac['block_reply_mime_type'], ",")) { + $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); + $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; } /*Migrate reverse settings*/ - if (is_array($config['installedpackages']['squidreverse'])){ + if (is_array($config['installedpackages']['squidreverse'])) { $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0]; //Settings - if (!is_array($config['installedpackages']['squidreversegeneral'])){ + if (!is_array($config['installedpackages']['squidreversegeneral'])) { $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings; unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); - } + } //PEERS - if (!is_array($config['installedpackages']['squidreversepeer'])){ - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) - foreach (explode(";",$cache_peers) as $cache_peer) - $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated', - 'enable'=> 'on', - 'name'=> $cache_peer[0], - 'port'=> $cache_peer[1], - 'protocol' => $cache_peer[2]); + if (!is_array($config['installedpackages']['squidreversepeer'])) { + foreach 
(explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { + foreach (explode(";",$cache_peers) as $cache_peer) { + $config['installedpackages']['squidreversepeer']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $cache_peer[0], + 'port' => $cache_peer[1], + 'protocol' => $cache_peer[2] + ); + } } + } //MAPPINGS - if (!is_array($config['installedpackages']['squidreverseuri'])){ - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){ - foreach (explode(";",$acls) as $acl) + if (!is_array($config['installedpackages']['squidreverseuri'])) { + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { + foreach (explode(";",$acls) as $acl) { array_push(${'peer_'.$acl[0]},$acl[1]); } - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) - foreach (explode(";",$uris) as $uri){ + } + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { + foreach (explode(";",$uris) as $uri) { $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); - $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated', - 'enable'=> 'on', - 'name'=> $uri[0], - 'uri'=> $uri[1], - 'vhost' => $uri[2], - 'peers'=>$peer_list); + $config['installedpackages']['squidreverseuri']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $uri[0], + 'uri' => $uri[1], + 'vhost' => $uri[2], + 'peers' => $peer_list + ); } } + } } update_status("Writing configuration... One moment please..."); 
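Review bot: The reverse-proxy migration indexes strings as if they were arrays: `$cache_peer`, `$acl` and `$uri` each come from `foreach (explode(";", ...) as ...)`, so each is a single field and `$cache_peer[0]`, `$cache_peer[1]`, `$cache_peer[2]` are the first three characters of that field, not name/port/protocol. Presumably each line of the old setting is `name;port;protocol` (and `name;uri;vhost` for the URI list) — TODO confirm against the old squid_reverse form — in which case the inner `foreach` should be an assignment, `$cache_peer = explode(";", $cache_peers);`, with the `foreach` line and its closing brace removed, and likewise for `$acl` and `$uri`. `array_push(${'peer_'.$acl[0]}, $acl[1])` also pushes onto a variable that was never initialised, which PHP warns about and PHP 8 rejects; `${'peer_'.$acl[0]}[] = $acl[1];` initialises and appends in one step. This was already wrong before the commit, but the hunk rewrites exactly these lines, so it is the place to fix it; `squid_install_command` begins before this hunk and continues after it.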
@@ -303,26 +305,32 @@ function squid_install_command() { /* create cache */ update_status("Creating squid cache pools... One moment please..."); squid_dash_z(); + /* make sure pinger is executable */ - if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) - exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger"); - if(file_exists("/usr/local/etc/rc.d/squid")) - exec("/bin/rm /usr/local/etc/rc.d/squid"); + if (file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) + @chmod(SQUID_LOCALBASE. "/libexec/squid/pinger", "a+x"); + + // XXX: Is it really necessary? + if (file_exists("/usr/local/etc/rc.d/squid")) + unlink_if_exists("/usr/local/etc/rc.d/squid"); + squid_write_rcfile(); - if(file_exists("/usr/local/pkg/swapstate_check.php")) - exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php"); + + // XXX: Is it really necessary? mode is set to 0755 in squid.xml + if (file_exists("/usr/local/pkg/swapstate_check.php")) + @chmod("/usr/local/pkg/swapstate_check.php", "a+x"); + write_rcfile(array( "file" => "sqp_monitor.sh", "start" => "/usr/local/pkg/sqpmon.sh &", - "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")); + "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill") + ); foreach (array( SQUID_CONFBASE, SQUID_ACLDIR, - SQUID_BASE, - SQUID_LIB, SQUID_SSL_DB ) as $dir) { - make_dirs($dir); - squid_chown_recursive($dir, 'proxy', 'proxy'); + @mkdir($dir, 0755, true); + squid_chown_recursive($dir, SQUID_UID, SQUID_GID); } /* kill any running proxy alarm scripts */ @@ -357,6 +365,7 @@ function squid_install_command() { function squid_deinstall_command() { global $config, $g; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; squid_install_cron(false); if (is_array($config['installedpackages']['squidcache'])) 
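Review bot: In the directory loop, `@mkdir($dir, 0755, true)` discards the result, so when creation fails (read-only filesystem, a regular file in the way) `squid_chown_recursive` goes on to `opendir()` a path that does not exist and the real cause is never logged. Check it instead: `if (!is_dir($dir) && !mkdir($dir, 0755, true)) { log_error("Squid - Could not create {$dir}"); continue; }`. The `if (file_exists("/usr/local/etc/rc.d/squid"))` around `unlink_if_exists(...)` duplicates the check the helper's name already promises and can go. `squid_install_command` continues before and after this hunk.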
@@ -367,11 +376,12 @@ function squid_deinstall_command() {
 $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
 update_status("Removing cache ... One moment please...");
 update_output_window("$plswait_txt");
- mwexec_bg('rm -rf $cachedir');
- mwexec('rm -rf $logdir');
+ // XXX: Is it ok to remove cache and logs? It's going to happen every time package is updated
+ mwexec_bg("rm -rf {$cachedir}");
+ mwexec("rm -rf {$logdir}");
 update_status("Finishing package cleanup.");
 mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
- mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh');
+ unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh');
 mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
 mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
 mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
@@ -381,6 +391,15 @@ function squid_deinstall_command() {
 
 function squid_before_form_general(&$pkg) {
 $values = get_dir(SQUID_CONFBASE . '/errors/');
+ /*
+ * XXX: This logic is broken. Probably the idea in the past
+ * was to skip '.', '..'. 'COPYRIGHT' and 'TRANSLATORS' and
+ * errors subdirectories used to be more meaning, like 'English'
+ * or Brazillian_Portuguese.
+ *
+ * Nowadays they are 'en', 'pt-br', ... and also there is a
+ * 'templates' directory to be skipped
+ */
 // Get rid of '..' and '.' and ...
 array_shift($values);
 array_shift($values);
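Review bot: `mwexec_bg("rm -rf {$cachedir}")` and `mwexec("rm -rf {$logdir}")` now really interpolate the configured paths (the old single-quoted versions handed the literal text `$cachedir` to the shell), so an admin-entered `harddisk_cache_location` or `log_dir` containing a space or a shell metacharacter changes what gets deleted, and the commit's own XXX comment notes this runs on every package update. The form validator in `squid_validate_general` only checks that `log_dir` starts with `/` and is longer than three characters, which does not rule such values out. Quote each path and refuse the trivially dangerous ones before deleting: `if ($cachedir != '' && $cachedir != '/') mwexec_bg("rm -rf " . escapeshellarg($cachedir));`, and the same for `$logdir`. `$cachedir` is assigned above this hunk, in the part of `squid_deinstall_command` not shown here, so the guard may belong there instead.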
@@ -402,31 +421,36 @@ function squid_before_form_general(&$pkg) { for ($i = 0; $i < count($values) - 1; $i++) $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); } + function squid_validate_antivirus($post, &$input_errors) { global $config; - if ($post['enable']=="on"){ - if($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)){ - $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})"; - $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. "; - } - if($post['c-icap_conf']) { - if( !preg_match("/squid_clamav/",$post['c-icap_conf'])){ - $input_errors[] ="c-icap Squidclamav service definition is no present."; - $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; - } - if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)){ - $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; - } + + if ($post['enable'] != "on") + return; + + if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)) { + $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})"; + $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. 
"; + } + if ($post['c-icap_conf']) { + if (!preg_match("/squid_clamav/",$post['c-icap_conf'])) { + $input_errors[] ="c-icap Squidclamav service definition is no present."; + $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; + } + if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)) { + $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; } } } function squid_validate_general($post, &$input_errors) { global $config; + if (is_array($config['installedpackages']['squid'])) $settings = $config['installedpackages']['squid']['config'][0]; else $settings = array(); + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; @@ -439,19 +463,21 @@ function squid_validate_general($post, &$input_errors) { if ($post['log_dir']{0} != '/') $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) $input_errors[] = "That is not a valid log location dir"; $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field'; $webgui_port = $config['system']['webgui']['port']; - if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + + if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { $webgui_port = 80; } - if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { $webgui_port = 443; } 
@@ -478,63 +504,68 @@ function squid_validate_general($post, &$input_errors) { } } - if(!empty($post['dns_nameservers'])) { - $altdns = explode(";", ($post['dns_nameservers'])); - foreach ($altdns as $dnssrv) { - if (!is_ipaddr($dnssrv)) - $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; - break; - }} + if (!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) { + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + break; + } + } + } } function squid_validate_upstream($post, &$input_errors) { - if ($post['enabled'] == 'on') { - $addr = trim($post['proxyaddr']); - if (empty($addr)) - $input_errors[] = 'The field \'Hostname\' is required'; - else { - if (!is_ipaddr($addr) && !is_domain($addr)) - $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; - } - - foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { - $port = trim($post[$field]); - if (empty($port)) - $input_errors[] = "The field '$name' is required"; - else { - if (!is_port($port)) - $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; - } + if ($post['enabled'] != 'on') + return; + + $addr = trim($post['proxyaddr']); + if (empty($addr)) { + $input_errors[] = 'The field \'Hostname\' is required'; + } else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) { + $input_errors[] = "The field '$name' is required"; + } else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; } } } function 
squid_validate_cache($post, &$input_errors) { - $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', - 'memory_cache_size' => 'Memory cache size', - 'maximum_object_size' => 'Maximum object size', + $num_fields = array( + 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', ); + foreach ($num_fields as $field => $name) { $value = trim($post[$field]); - if (!is_numeric($value) || ($value < 0)) + if (!is_numericint($value)) $input_errors[] = "You must enter a valid value for '$field'"; } $value = trim($post['minimum_object_size']); - if (!is_numeric($value) || ($value < 0)) + if (!is_numericint($value)) $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; - if (!empty($post['cache_swap_low'])) { - $value = trim($post['cache_swap_low']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numericint($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; } - if (!empty($post['cache_swap_high'])) { - $value = trim($post['cache_swap_high']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; - } + if (!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numericint($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + } if ($post['donotcache'] != "") { foreach (split("\n", $post['donotcache']) as $host) { @@ -545,7 +576,6 @@ function squid_validate_cache($post, &$input_errors) { } squid_dash_z(); - } function squid_validate_nac($post, &$input_errors) { 
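Review bot: Replacing `!is_numeric($value) || ($value < 0)` with `!is_numericint($value)` in `squid_validate_cache` changes what an empty field does: if `is_numericint` is the pfSense helper that only rejects strings containing a non-digit character, `trim('')` passes it, so an empty 'Hard disk cache size' or 'Minimum object size' is no longer reported where `is_numeric('')` used to fail. If those fields are required, keep an explicit emptiness check: `if ($value === '' || !is_numericint($value))`. The same substitution is made in `squid_validate_traffic` in the `@@ -586` hunk. In the rewritten `squid_validate_upstream` lines, `empty($port)` treats the string `'0'` as missing while the message promises a range starting at 0; `$port === ''` matches the message. `squid_validate_general` starts before this hunk.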
@@ -556,19 +586,17 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; } - foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { - - if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){ - for ($x=0;$x < count($matches[1]);$x++){ - if ($matches[2][$x] == ""){ + foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) { + if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)) { + for ($x=0; $x < count($matches[1]); $x++) { + if ($matches[2][$x] == "") { if (!is_ipaddr($matches[1][$x])) $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address"; - } - else{ + } else { if (!is_subnet($matches[0][$x])) $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range"; - } } + } } } 
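Review bot: The rewritten `preg_match_all(...)` line reads `$_POST[$hosts]` while the rest of `squid_validate_nac` validates the `$post` argument the function was given, so this check ignores whatever the caller put in `$post` and breaks if the function is ever called outside a form submission; use `$post[$hosts]`. Also, `preg_match_all` only validates the tokens that happen to match `[0-9.]+`, so any other text in those fields (hostnames, stray characters) is neither reported nor rejected here; splitting the field on newlines and validating each entry, as the `allowed_subnets` check above appears to do, would close that gap. The function starts and ends outside this hunk.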
@@ -586,107 +614,115 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "The time range '$time' is not a valid time range"; } - if(!empty($post['ext_cachemanager'])) { - $extmgr = explode(";", ($post['ext_cachemanager'])); - foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; - }} + if (!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + } + } } function squid_validate_traffic($post, &$input_errors) { - $num_fields = array( 'max_download_size' => 'Maximum download size', - 'max_upload_size' => 'Maximum upload size', - 'perhost_throttling' => 'Per-host bandwidth throttling', - 'overall_throttling' => 'Overall bandwidth throttling', + $num_fields = array( + 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 'overall_throttling' => 'Overall bandwidth throttling', ); + foreach ($num_fields as $field => $name) { $value = trim($post[$field]); - if (!is_numeric($value) || ($value < 0)) + if (!is_numericint($value)) $input_errors[] = "The field '$name' must contain a positive number"; } - if (!empty($post['quick_abort_min'])) { - $value = trim($post['quick_abort_min']); - if (!is_numeric($value)) - $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; - } + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numericint($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } - if (!empty($post['quick_abort_max'])) { - $value = trim($post['quick_abort_max']); - if (!is_numeric($value)) - $input_errors[] = "The field 'Abort when remaining KB' 
must contain a positive number"; - } + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numericint($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } - if (!empty($post['quick_abort_pct'])) { - $value = trim($post['quick_abort_pct']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; - } + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numericint($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; + } } function squid_validate_reverse($post, &$input_errors) { global $config; - if(!empty($post['reverse_ip'])) { + + if (!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) - $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.'; - }} + if (!is_ipaddr(trim($reip))) + $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.'; + } + } $fqdn = trim($post['reverse_external_fqdn']); if (!empty($fqdn) && !is_domain($fqdn)) $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; $port = trim($post['reverse_http_port']); + // XXX: Where is $portrange being defined ??? 
preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.reservedhigh`,$portrange); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; - if (!empty($port) && is_port($port) && $port <= $portrange[1]){ + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { $input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; } $port = trim($post['reverse_https_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; - if (!empty($port) && is_port($port) && $port <= $portrange[1]){ + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { $input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; } if ($post['reverse_ssl_cert'] == 'none') $input_errors[] = 'A valid certificate for the external interface must be selected'; - if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { - $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; - } + if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { + $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + } - if(!empty($post['reverse_owa_ip'])) { + if (!empty($post['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) - $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA 
frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.'; - }} - - $contents = $post['reverse_cache_peer']; - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (!is_ipaddr($cfg[1])) - $input_errors[] = "please choose a valid IP in the cache peer configuration."; - if (!is_port($cfg[2])) - $input_errors[] = "please choose a valid port in the cache peer configuration."; - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) - $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; - }} - + if (!is_ipaddr(trim($reowaip))) + $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.'; + } + } + $contents = $post['reverse_cache_peer']; + if (!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (!is_ipaddr($cfg[1])) + $input_errors[] = "please choose a valid IP in the cache peer configuration."; + if (!is_port($cfg[2])) + $input_errors[] = "please choose a valid port in the cache peer configuration."; + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) + $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + } + } } function squid_validate_auth($post, &$input_errors) { - $num_fields = array( array('auth_processes', 'Authentication processes', 1), - array('auth_ttl', 'Authentication TTL', 0), + $num_fields = array( + array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), ); + foreach ($num_fields as $field) { $value = trim($post[$field[0]]); if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) 
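Review bot: The new `// XXX: Where is $portrange being defined ???` comment in squid_validate_reverse is answered by the very next context line, which fills `$portrange` from the backtick `sysctl net.inet.ip.portrange.reservedhigh` call; drop the comment or replace it with `// $portrange[1] is filled by the sysctl call on the next line`. Separately, the re-braced cache-peer loop does `$cfg = explode(";",($def));` and then indexes `$cfg[1]`..`$cfg[3]` without checking the field count, so a short or blank line (a trailing newline in the textarea yields an empty `$def`) produces undefined-offset notices instead of one clear error. A guard such as `if (count($cfg) < 4) { $input_errors[] = "Each cache peer line needs 4 ';'-separated fields."; continue; }` before the `is_ipaddr` check covers that. The enclosing function starts outside this hunk.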
@@ -706,24 +742,24 @@ function squid_validate_auth($post, &$input_errors) { $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; switch ($auth_method) { - case 'ldap': - $user = trim($post['ldap_user']); - if (empty($user)) - $input_errors[] = 'The field \'LDAP server user DN\' is required'; - else if (!$user) - $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; - break; - case 'radius': - $secret = trim($post['radius_secret']); - if (empty($secret)) - $input_errors[] = 'The field \'RADIUS secret\' is required'; - break; - case 'msnt': - foreach (explode(",", trim($post['msnt_secondary'])) as $server) { - if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) - $input_errors[] = "The host '$server' is not a valid IP address or domain name"; - } - break; + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; } $no_auth = explode("\n", $post['no_auth_hosts']); @@ -737,12 +773,13 @@ function squid_validate_auth($post, &$input_errors) { function squid_install_cron($should_install) { global $config, $g; - if($g['booting']==true) + + if ($g['booting']==true) return; $rotate_is_installed = false; $swapstate_is_installed = false; - if(!$config['cron']['item']) + if (!$config['cron']['item']) return; if (is_array($config['installedpackages']['squidcache'])) 
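Review bot: The re-indented `ldap` case keeps a dead branch: `else if (!$user)` can never be true once `empty($user)` was false, so the 'must be a valid domain name' error is unreachable. Either drop the `else if` or give it a real condition on the DN (a DN is not a domain name, so the message text is misleading as well). The enclosing function starts and ends outside this hunk.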
@@ -756,106 +793,105 @@ function squid_install_cron($should_install) { $cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); $cron_cmd .= SQUID_BASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE; $need_write = false; - foreach($config['cron']['item'] as $item) { - if(strstr($item['task_name'], "squid_rotate_logs")) { + foreach ($config['cron']['item'] as $item) { + if (strstr($item['task_name'], "squid_rotate_logs")) { $rotate_job_id = $x; - if ($item['command'] != $cron_cmd){ + if ($item['command'] != $cron_cmd) { $config['cron']['item'][$x]['command']=$cron_cmd; $need_write = true; } - } elseif(strstr($item['task_name'], "squid_check_swapstate")) { - $swapstate_job_id = $x; + } elseif (strstr($item['task_name'], "squid_check_swapstate")) { + $swapstate_job_id = $x; } $x++; } - switch($should_install) { - case true: - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); - if($rotate_job_id < 0) { - $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); - $cron_item = array(); - $cron_item['task_name'] = "squid_rotate_logs"; - $cron_item['minute'] = "0"; - $cron_item['hour'] = "0"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] .= $cron_cmd; - /* Add this cron_item as a new entry at the end of the item array. */ - $config['cron']['item'][] = $cron_item; - $need_write = true; - } - if($swapstate_job_id < 0) { - $cron_item = array(); - $cron_item['task_name'] = "squid_check_swapstate"; - $cron_item['minute'] = "*/15"; - $cron_item['hour'] = "*"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/local/pkg/swapstate_check.php"; - /* Add this cron_item as a new entry at the end of the item array. 
*/ - $config['cron']['item'][] = $cron_item; - $need_write = true; - } - if ($need_write) { - parse_config(true); - write_config("Adding Squid Cron Jobs"); - } - break; - case false: - if($rotate_job_id >= 0) { - unset($config['cron']['item'][$rotate_job_id]); - $need_write = true; - } - if($swapstate_job_id >= 0) { - unset($config['cron']['item'][$swapstate_job_id]); - $need_write = true; - } - if ($need_write) { - parse_config(true); - write_config("Removing Squid Cron Jobs"); - } - break; + if ($should_install) { + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + if ($rotate_job_id < 0) { + $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_item = array(); + $cron_item['task_name'] = "squid_rotate_logs"; + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] .= $cron_cmd; + /* Add this cron_item as a new entry at the end of the item array. */ + $config['cron']['item'][] = $cron_item; + $need_write = true; + } + if ($swapstate_job_id < 0) { + $cron_item = array(); + $cron_item['task_name'] = "squid_check_swapstate"; + $cron_item['minute'] = "*/15"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/pkg/swapstate_check.php"; + /* Add this cron_item as a new entry at the end of the item array. 
*/ + $config['cron']['item'][] = $cron_item; + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Adding Squid Cron Jobs"); + } + } else { + if ($rotate_job_id >= 0) { + unset($config['cron']['item'][$rotate_job_id]); + $need_write = true; + } + if ($swapstate_job_id >= 0) { + unset($config['cron']['item'][$swapstate_job_id]); + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Removing Squid Cron Jobs"); + } } configure_cron(); } -function squid_check_ca_hashes(){ +function squid_check_ca_hashes() { global $config,$g; - #check certificates - $cert_count=0; - if (is_dir(SQUID_LOCALBASE. '/share/certs')) + // check certificates + $cert_count = 0; + if (is_dir(SQUID_LOCALBASE. '/share/certs')) { if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) { - while (false !== ($file = readdir($handle))) - if (preg_match ("/\d+.0/",$file)) - $cert_count++; - } - closedir($handle); - if ($cert_count < 10){ + while (false !== ($file = readdir($handle))) { + if (preg_match ("/\d+.0/",$file)) + $cert_count++; + } + closedir($handle); + } + } + if ($cert_count < 10) { conf_mount_rw(); - #create ca-root hashes from ca-root-nss package + // create ca-root hashes from ca-root-nss package log_error("Creating root certificate bundle hashes from the Mozilla Project"); $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); $cert=0; - foreach ($cas as $ca){ - if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) + foreach ($cas as $ca) { + if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) $cert=1; if ($cert == 1) $crt.=$ca; - if (preg_match("/-END CERTIFICATE-/",$ca)){ + if (preg_match("/-END CERTIFICATE-/",$ca)) { file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); $cert_hash=array(); exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); $crt=""; $cert=0; - } } } + } } function squid_resync_general() { 
@@ -865,96 +901,94 @@ function squid_resync_general() { $settings = $config['installedpackages']['squid']['config'][0]; else $settings=array(); + $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n\n"; - #Check ssl interception + // Check ssl interception if (($settings['ssl_proxy'] == 'on')) { squid_check_ca_hashes(); $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { - if(base64_decode($srv_cert['prv'])) { - #check if ssl_db was initilized by squid - if (! file_exists("/var/squid/lib/ssl_db/serial")){ - if (is_dir("/var/squid/lib/ssl_db")){ - mwexec("/bin/rm -rf /var/squid/lib/ssl_db"); - } - mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/"); + if (base64_decode($srv_cert['prv'])) { + // check if ssl_db was initilized by squid + if (!file_exists(SQUID_SSL_DB . "/serial")) { + if (is_dir(SQUID_SSL_DB)) { + mwexec("/bin/rm -rf " . SQUID_SSL_DB); + } + mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB); } - #force squid user permission on /var/squid/lib/ssl_db/ - squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); - # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext + // force squid user permission on /var/squid/lib/ssl_db/ + squid_chown_recursive(SQUID_SSL_DB, SQUID_UID, SQUID_GID); + // cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext $crt_pk=SQUID_CONFBASE."/serverkey.pem"; $crt_capath=SQUID_LOCALBASE."/share/certs/"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); $sslcrtd_children= ($settings['sslcrtd_children'] ? 
$settings['sslcrtd_children'] : 5); $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; - $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; + $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n"; $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; $interception_checks .= "sslproxy_capath {$crt_capath}\n"; if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; - if ($settings["interception_adapt"] != ""){ + if ($settings["interception_adapt"] != "") { foreach (explode(",",$settings["interception_adapt"]) as $adapt) $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; - } + } } } } $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ssl_port = ($settings['ssl_proxy_port'] ? 
$settings['ssl_proxy_port'] : 3127); -#Read assigned interfaces + // Read assigned interfaces $real_ifaces = array(); - if($settings['active_interface']) + if ($settings['active_interface']) $proxy_ifaces = explode(",", $settings['active_interface']); else $proxy_ifaces=array("lan"); - if ($settings['transparent_proxy']=="on"){ + if ($settings['transparent_proxy']=="on") { $transparent_ifaces = explode(",", $settings['transparent_active_interface']); - foreach ($transparent_ifaces as $t_iface){ + foreach ($transparent_ifaces as $t_iface) { $t_iface_ip = squid_get_real_interface_address($t_iface); - if($t_iface_ip[0]) + if ($t_iface_ip[0]) $real_ifaces[]=$t_iface_ip; - } } - else{ + } else { $transparent_ifaces=array(); } - if ($settings['ssl_proxy']=="on"){ + if ($settings['ssl_proxy']=="on") { $ssl_ifaces = explode(",", $settings['ssl_active_interface']); - foreach ($ssl_ifaces as $s_iface){ + foreach ($ssl_ifaces as $s_iface) { $s_iface_ip = squid_get_real_interface_address($s_iface); - if($s_iface_ip[0]) + if ($s_iface_ip[0]) $real_ifaces[]=$s_iface_ip; - } } - else{ + } else { $ssl_ifaces=array(); } - #check all proxy interfaces selected + // check all proxy interfaces selected foreach ($proxy_ifaces as $iface) { $iface_ip = squid_get_real_interface_address($iface); - if($iface_ip[0]) { + if ($iface_ip[0]) { $real_ifaces[]=$iface_ip; if (in_array($iface,$ssl_ifaces)) $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; else $conf .= "http_port {$iface_ip[0]}:{$port}\n"; - } } + } if (($settings['transparent_proxy'] == 'on')) { - if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){ + if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0) { $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n"; $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n"; - } - else{ + } else { $conf .= "http_port 127.0.0.1:{$port} intercept\n"; } } 
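Review bot: The hunk fixes ownership of SQUID_SSL_DB but leaves the CA private key it writes next to it unprotected: `file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));` (a context line here) creates `serverkey.pem` with the process umask, so the key that `ssl-bump generate-host-certificates=on ... cert={$crt_pk}` uses to sign interception certificates may be readable by any local user. Add `chmod($crt_pk, 0600); chown($crt_pk, SQUID_UID);` directly after that write. The `mwexec("/bin/rm -rf " . SQUID_SSL_DB)` / `ssl_crtd -c` pair also runs whenever `serial` is missing, which silently discards a partly initialised ssl_db; a `log_error()` there would make that reset visible in the system log. The enclosing function starts and ends outside this hunk.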
@@ -962,31 +996,34 @@ function squid_resync_general() { $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); $piddir="{$g['varrun_path']}/squid"; $pidfile = "{$piddir}/squid.pid"; - if (!is_dir($piddir)){ - make_dirs($piddir); - squid_chown_recursive($piddir, 'proxy', 'wheel'); - } + if (!is_dir($piddir)) { + @mkdir($piddir, 0755, true); + squid_chown_recursive($piddir, SQUID_UID, 'wheel'); + } $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); $icondir = SQUID_CONFBASE . '/icons'; $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); - if (! is_dir($logdir)){ - make_dirs($logdir); - squid_chown_recursive($logdir, 'proxy', 'proxy'); - } + if (!is_dir($logdir)) { + @mkdir($logdir, 0755, true); + squid_chown_recursive($logdir, SQUID_UID, SQUID_GID); + } $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on'; $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger"; + $squid_uid = SQUID_UID; + $squid_gid = SQUID_GID; + $conf .= <<< EOD icp_port {$icp_port} dns_v4_first {$dns_v4_first} pid_filename {$pidfile} -cache_effective_user proxy -cache_effective_group proxy +cache_effective_user {$squid_uid} +cache_effective_group {$squid_gid} error_default_language {$language} icon_directory {$icondir} visible_hostname {$hostname} 
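Review bot: The new `@mkdir($piddir, 0755, true)` and `@mkdir($logdir, 0755, true)` calls discard the return value, so when a directory cannot be created the error is suppressed and `squid_chown_recursive()` is run on a path that does not exist; squid then fails later with nothing in the log. Check the result, e.g. `if (!@mkdir($piddir, 0755, true)) { log_error("squid: could not create {$piddir}"); } else { squid_chown_recursive($piddir, SQUID_UID, 'wheel'); }`, and the same for `$logdir`. `$logdir` comes from the package settings, so the recursive chown is applied to an admin-supplied path; it only runs when the directory was just created, which bounds the effect, but a comment stating that would help. The enclosing function starts and ends outside this hunk.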
@@ -1001,11 +1038,11 @@ pinger_program {$pinger_program} EOD; -// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen. -$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; -$conf .= "logfile_rotate {$rotate}\n"; -$conf .= "debug_options rotate={$rotate}\n"; -squid_install_cron(true); + // Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen. + $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; + $conf .= "logfile_rotate {$rotate}\n"; + $conf .= "debug_options rotate={$rotate}\n"; + squid_install_cron(true); $conf .= <<< EOD shutdown_lifetime 3 seconds 
@@ -1025,32 +1062,42 @@ EOD; $conf .= "acl localnet src $src\n"; $valid_acls[] = 'localnet'; } - if ($settings['xforward_mode']) $conf .= "forwarded_for {$settings['xforward_mode']}\n"; - else $conf .= "forwarded_for on\n"; //only used for first run - if ($settings['disable_via']) $conf .= "via off\n"; - if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n"; - if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; - else $conf .= "uri_whitespace strip\n"; //only used for first run - - if(!empty($settings['dns_nameservers'])) { - $altdns = explode(";", ($settings['dns_nameservers'])); - $conf .= "dns_nameservers "; - foreach ($altdns as $dnssrv) { - $conf .= $dnssrv." "; - } -// $conf .= "\n"; //Kill blank line after DNS-Servers - } - - return $conf; -} + if ($settings['xforward_mode']) + $conf .= "forwarded_for {$settings['xforward_mode']}\n"; + else + $conf .= "forwarded_for on\n"; //only used for first run + + if ($settings['disable_via']) + $conf .= "via off\n"; + + if ($settings['disable_squidversion']) + $conf .= "httpd_suppress_version_string on\n"; + + if (!empty($settings['uri_whitespace'])) + $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; + else + $conf .= "uri_whitespace strip\n"; //only used for first run + + if (!empty($settings['dns_nameservers'])) { + $altdns = explode(";", ($settings['dns_nameservers'])); + $conf .= "dns_nameservers "; + foreach ($altdns as $dnssrv) { + $conf .= $dnssrv." "; + } + } + + return $conf; +} function squid_resync_cache() { global $config, $g; + if (is_array($config['installedpackages']['squidcache'])) $settings = $config['installedpackages']['squidcache']['config'][0]; else $settings = array(); + //apply cache settings $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); 
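Review bot: The rewritten `dns_nameservers` block still ends without a newline: each server is appended as `$dnssrv." "` and nothing terminates the directive before `return $conf`, so the first line of whatever fragment the caller appends next is glued onto the `dns_nameservers` line (the old commented-out `$conf .= "\n"` hinted at this). Unless every following fragment is known to start with "\n", replace the loop with `$conf .= "dns_nameservers " . implode(" ", array_map('trim', $altdns)) . "\n";`, which also strips stray whitespace around the `;`-separated entries. The enclosing function starts outside this hunk.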
@@ -1064,25 +1111,23 @@ function squid_resync_cache() { $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); $conf = ''; if (!isset($settings['harddisk_cache_system'])) { - if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) + if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) { $disk_cache_system = 'null'; - else + } else { $disk_cache_system = 'ufs'; } - else{ + } else { $disk_cache_system = $settings['harddisk_cache_system']; - } - #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. + } + // 'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. if ($disk_cache_system != "null") { $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; } -//check dynamic content -if(empty($settings['cache_dynamic_content'])){ - $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; - $conf.="cache deny dynamic\n"; -} -else{ - if(preg_match('/youtube/',$settings['refresh_patterns'])){ + //check dynamic content + if (empty($settings['cache_dynamic_content'])) { + $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; + $conf.="cache deny dynamic\n"; + } else if (preg_match('/youtube/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -1093,7 +1138,7 @@ cache allow youtube EOC; } - if(preg_match('/windows/',$settings['refresh_patterns'])){ + if (preg_match('/windows/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Windows Update refresh_pattern 
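Review bot: Turning the `else {` that wrapped all vendor refresh patterns into `} else if (preg_match('/youtube/',$settings['refresh_patterns'])) {` (together with the `-}` dropped in the -1142 hunk) changes behaviour: the Windows Update, Symantec, Avast and Avira patterns are now emitted even when `cache_dynamic_content` is empty, whereas before they were only written in the non-empty branch. If that is intended it deserves a one-line comment such as `// vendor refresh patterns apply regardless of cache_dynamic_content`; if not, the youtube block should stay a plain `if` inside the `else`. The enclosing function starts and ends outside this hunk.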
@@ -1103,9 +1148,9 @@ refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims EOC; - } + } -if(preg_match('/symantec/',$settings['refresh_patterns'])){ + if (preg_match('/symantec/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Symantec refresh_pattern @@ -1114,8 +1159,8 @@ refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 10 refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims EOC; - } -if(preg_match('/avast/',$settings['refresh_patterns'])){ + } + if (preg_match('/avast/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Avast refresh_pattern @@ -1123,8 +1168,8 @@ range_offset_limit -1 refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims EOC; - } -if(preg_match('/avira/',$settings['refresh_patterns'])){ + } + if (preg_match('/avira/',$settings['refresh_patterns'])) { $conf.=<<< EOC # Avira refresh_pattern @@ -1142,9 +1187,8 @@ refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 EOC; -} - If ($settings['custom_refresh_patterns'] !="") + if ($settings['custom_refresh_patterns'] !="") $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; $conf .= <<< EOD 
@@ -1170,31 +1214,34 @@ EOD; $conf .= "cache deny donotcache\n"; } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { - unlink(SQUID_ACLDIR . '/donotcache.acl'); - } - $conf .= "cache allow all\n"; + unlink(SQUID_ACLDIR . '/donotcache.acl'); + } + $conf .= "cache allow all\n"; + return $conf.$refresh_conf; } function squid_resync_upstream() { global $config; + + if (!is_array($config['installedpackages']['squidremote']['config'])) + $config['installedpackages']['squidremote']['config'] = array(); + $conf = "\n#Remote proxies\n"; - if (is_array($config['installedpackages']['squidremote']['config'])) - foreach ($config['installedpackages']['squidremote']['config'] as $settings){ + foreach ($config['installedpackages']['squidremote']['config'] as $settings) { if ($settings['enable'] == 'on') { $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} "; if ($settings['icpport'] == '7') - $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; - else - $conf .= "{$settings['icpport']} "; - #auth settings - if (!empty($settings['username']) && !empty($settings['password'])){ + $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; + else + $conf .= "{$settings['icpport']} "; + // auth settings + if (!empty($settings['username']) && !empty($settings['password'])) { $conf .= " login={$settings['username']}:{$settings['password']}"; - } - else{ + } else { $conf .= "{$settings['authoption']} "; } - #other options settings + // other options settings if (!empty($settings['weight'])) $conf .= "weight={$settings['weight']} "; if (!empty($settings['basetime'])) 
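Review bot: In the re-braced auth block the `login=` line `$conf .= " login={$settings['username']}:{$settings['password']}";` (a context line) has no trailing space, unlike the `authoption` branch, so when `weight`, `basetime` or any later option is set the output reads `login=user:passweight=5 ` and squid will not parse the cache_peer line as intended; append a space: `$conf .= " login={$settings['username']}:{$settings['password']} ";`. This line also writes the upstream credential verbatim into squid.conf, so the file's permissions are what protect it; a comment saying so would help the next maintainer. The hunk's first new lines assign into `$config['installedpackages']['squidremote']['config']` just to simplify the loop, which mutates the global config as a side effect; a local `$remotes = is_array(...) ? ... : array();` avoids that. The enclosing function ends outside this hunk.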
@@ -1205,13 +1252,14 @@ function squid_resync_upstream() { $conf .= "no-delay"; } $conf .= "\n"; - } + } return $conf; } function squid_resync_redirector() { global $config; + // XXX: What port provide squirm binary? It's not present $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); if ($httpav_enabled) { $conf = "url_rewrite_program /usr/local/bin/squirm\n"; @@ -1256,25 +1304,20 @@ acl HTTPS proto HTTPS EOD; $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); - #$allowed = ""; - #foreach ($allowed_subnets as $subnet) { - # if(!empty($subnet)) { - # $subnet = trim($subnet); - # $allowed .= "$subnet "; - # } - #} if (!empty($allowed_subnets)) { $conf .= "acl allowed_subnets src $allowed_subnets\n"; $valid_acls[] = 'allowed_subnets'; } - $options = array( 'unrestricted_hosts' => 'src', - 'banned_hosts' => 'src', - 'whitelist' => 'dstdom_regex -i', - 'blacklist' => 'dstdom_regex -i', - 'block_user_agent' => 'browser -i', - 'block_reply_mime_type' => 'rep_mime_type -i', + $options = array( + 'unrestricted_hosts' => 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + 'block_user_agent' => 'browser -i', + 'block_reply_mime_type' => 'rep_mime_type -i', ); + foreach ($options as $option => $directive) { $contents = sq_text_area_decode($settings[$option]); if (!empty($contents)) { @@ -1283,8 +1326,8 @@ EOD; $valid_acls[] = $option; } elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { - unlink(SQUID_ACLDIR . "/$option.acl"); - } + unlink(SQUID_ACLDIR . "/$option.acl"); + } } $conf .= <<< EOD 
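Review bot: The new `// XXX: What port provide squirm binary? It's not present` comment records that `/usr/local/bin/squirm` is missing, but the code still emits `url_rewrite_program /usr/local/bin/squirm` whenever ClamAV's `scan_http` is on, which leaves squid configured with a helper it cannot start. Guard the directive, `if ($httpav_enabled && file_exists('/usr/local/bin/squirm')) {`, and otherwise `log_error()` that the rewrite helper is unavailable, so the failure shows up in the system log instead of at squid startup. The enclosing function ends outside this hunk.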
@@ -1292,19 +1335,19 @@ http_access allow manager localhost EOD; - if (is_array($config['installedpackages']['squidcache'])){ + if (is_array($config['installedpackages']['squidcache'])) { $settings_ch = $config['installedpackages']['squidcache']['config'][0]; - if(!empty($settings_ch['ext_cachemanager'])) { - $extmgr = explode(";", ($settings_ch['ext_cachemanager'])); - $conf .= "\n# Allow external cache managers\n"; - foreach ($extmgr as $mgr) { - $conf .= "acl ext_manager src {$mgr}\n"; - } - $conf .= "http_access allow manager ext_manager\n"; + if (!empty($settings_ch['ext_cachemanager'])) { + $extmgr = explode(";", ($settings_ch['ext_cachemanager'])); + $conf .= "\n# Allow external cache managers\n"; + foreach ($extmgr as $mgr) { + $conf .= "acl ext_manager src {$mgr}\n"; } + $conf .= "http_access allow manager ext_manager\n"; } + } - $conf .= <<< EOD + $conf .= <<< EOD http_access deny manager http_access allow purge localhost @@ -1322,7 +1365,7 @@ EOD; return $conf; } -function squid_resync_antivirus(){ +function squid_resync_antivirus() { global $config; if (is_array($config['installedpackages']['squidantivirus'])) 
@@ -1330,24 +1373,24 @@ function squid_resync_antivirus(){ else $antivirus_config = array(); - if ($antivirus_config['enable']=="on"){ - switch ($antivirus_config['client_info']){ - case "both": - $icap_send_client_ip="on"; - $icap_send_client_username="on"; - break; - case "IP": - $icap_send_client_ip="on"; - $icap_send_client_username="off"; - break; - case "username": - $icap_send_client_ip="off"; - $icap_send_client_username="on"; - break; - case "none": - $icap_send_client_ip="off"; - $icap_send_client_username="off"; - break; + if ($antivirus_config['enable']=="on") { + switch ($antivirus_config['client_info']) { + case "both": + $icap_send_client_ip="on"; + $icap_send_client_username="on"; + break; + case "IP": + $icap_send_client_ip="on"; + $icap_send_client_username="off"; + break; + case "username": + $icap_send_client_ip="off"; + $icap_send_client_username="on"; + break; + case "none": + $icap_send_client_ip="off"; + $icap_send_client_username="off"; + break; } if (is_array($config['installedpackages']['squid'])) $squid_config=$config['installedpackages']['squid']['config'][0]; @@ -1367,11 +1410,12 @@ icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav by adaptation_access service_avi_resp allow all EOF; - #check if icap is enabled on rc.conf.local - if (file_exists("/etc/rc.conf.local")){ + + // check if icap is enabled on rc.conf.local + if (file_exists("/etc/rc.conf.local")) { $rc_old_file=file("/etc/rc.conf.local"); - foreach ($rc_old_file as $rc_line){ - if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){ + foreach ($rc_old_file as $rc_line) { + if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)) { $rc_file.=$matches[1].'="YES"'."\n"; ${$matches[1]}="ok"; } 
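Review bot: The rc.conf.local loop inside the new braces sets flags through a variable variable, `${$matches[1]}="ok";`, creating `$c_icap_enable`/`$clamav_clamd_enable` from text read out of the file; the regex bounds it to those two names, but readers and static analysis cannot see where the variables are defined. An explicit map, `$rc_seen[$matches[1]] = true;`, with the consumers (outside this hunk) reading `isset($rc_seen['c_icap_enable'])`, expresses the same thing plainly. The enclosing function starts and ends outside this hunk.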
@@ -1385,10 +1429,10 @@ EOF; $rc_file.='clamav_clamd_enable="YES"'."\n"; file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX); squid_check_clamav_user('clamav'); - #patch sample files to pfsense dirs - #squidclamav.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){ + // patch sample files to pfsense dirs + // squidclamav.conf + if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { + if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")) { $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default"); $clamav_m[0]="@/var/run/clamav/clamd.ctl@"; $clamav_m[1]="@cgi-bin/clwarn.cgi@"; 
@@ -1396,19 +1440,21 @@ EOF; $clamav_r[1]="squid_clwarn.php"; file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX); } - #c-icap.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){ + } + // c-icap.conf + if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { + if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")) { $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default"); - if (! preg_match("/squid_clamav/",$sample_file)) + if (!preg_match("/squid_clamav/",$sample_file)) $sample_file.="\nService squid_clamav squidclamav.so\n"; $cicap_m[0]="@Manager:Apassword\S+@"; $cicap_r[0]=""; file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX); } + } //check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197) $ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap'); - foreach ($ln_icap as $ln){ + foreach ($ln_icap as $ln) { if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}")) symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}"); } 
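Review bot: The symlink loop near the end of this hunk guards with `!file_exists("/usr/local/{$ln}")`, but `file_exists()` returns false for a link whose target is gone, so a stale link left from an earlier package layout makes `symlink()` fail with a warning on every resync and the c-icap files stay unreachable. Checking `!is_link("/usr/local/{$ln}") && !file_exists("/usr/local/{$ln}")` (or removing a dangling link first) avoids that. The `libicapapi.so.3` link at the top of the next hunk and the rc.d loop further down appear to use the same guard shape.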
@@ -1416,67 +1462,68 @@ EOF; symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3"); $loadsample=0; - if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){ + if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){ + if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")){ + if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")) { $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample"))); $loadsample++; } - if($loadsample > 0){ + if ($loadsample > 0) { write_config(); $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; } - #check dirs - $dirs=array("/var/run/c-icap" => "clamav", - "/var/log/c-icap" => "clamav", - "/var/log/clamav" => "clamav", - "/var/run/clamav" => "clamav", - "/var/db/clamav" => "clamav"); - foreach ($dirs as $dir_path => $dir_user){ - if (!is_dir($dir_path)) - make_dirs($dir_path); - squid_chown_recursive($dir_path, $dir_user, "wheel"); - } - #Check clamav database - if (count(glob("/var/db/clamav/*d"))==0){ + // check dirs + 
$dirs = array( + "/var/run/c-icap" => "clamav", + "/var/log/c-icap" => "clamav", + "/var/log/clamav" => "clamav", + "/var/run/clamav" => "clamav", + "/var/db/clamav" => "clamav" + ); + foreach ($dirs as $dir_path => $dir_user) { + if (!is_dir($dir_path)) + @mkdir($dir_path, 0755, true); + squid_chown_recursive($dir_path, $dir_user, "wheel"); + } + // Check clamav database + if (count(glob("/var/db/clamav/*d"))==0) { log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background."); mwexec_bg(SQUID_BASE."/bin/freshclam"); } $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); - foreach($rcd_files as $rcd_file) + foreach ($rcd_files as $rcd_file) if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); - #write advanced icap config files + // write advanced icap config files file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX); file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX); file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX); - #check antivirus daemons - #check icap - if (is_process_running("c-icap")){ + // check antivirus daemons + // check icap + if (is_process_running("c-icap")) { mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); - } - else{ - #check c-icap user on startup file - $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; - if (file_exists($c_icap_rcfile)){ + } else { + // check c-icap user on startup file + $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; + if (file_exists($c_icap_rcfile)) { $sample_file=file_get_contents($c_icap_rcfile); $cicapm[0]="@c_icap_user=.*}@"; $cicapr[0]='c_icap_user="clamav"}'; $cicapm[1]="@/usr/local@"; $cicapr[1]=SQUID_LOCALBASE; 
file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX); - } - mwexec_bg("/usr/local/etc/rc.d/c-icap start"); } - #check clamav/freshclam + mwexec_bg("/usr/local/etc/rc.d/c-icap start"); + } + // check clamav/freshclam $rc_files=array("clamav-freshclam","clamav-clamd"); $clamm[0]="@/usr/local/(bin|sbin)@"; $clamm[1]="@/local/(bin|sbin)@"; @@ -1486,25 +1533,25 @@ EOF; $clamr[1]="/bin"; $clamr[2]=SQUID_LOCALBASE."/etc"; $clamr[3]="enable:=YES"; - foreach ($rc_files as $rc_file){ + foreach ($rc_files as $rc_file) { $clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}"; - if (file_exists($clamav_rcfile)){ + if (file_exists($clamav_rcfile)) { $sample_file=file_get_contents($clamav_rcfile); file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX); - } } + } if (is_process_running("clamd")) mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); else mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); - } -return $conf; + } + return $conf; } function squid_resync_traffic() { global $config, $valid_acls; - if(!is_array($valid_acls)) + if (!is_array($valid_acls)) return; if (is_array($config['installedpackages']['squidtraffic'])) $settings = $config['installedpackages']['squidtraffic']['config'][0]; @@ -1525,7 +1572,6 @@ function squid_resync_traffic() { if ($down_limit != 0) $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n"; - // Only apply throttling past 10MB // XXX: Should this really be hardcoded? $threshold = 10 * 1024 * 1024; @@ -1547,11 +1593,12 @@ delay_initial_bucket_level 100 EOD; - if(! empty($settings['unrestricted_hosts'])) { + if (!empty($settings['unrestricted_hosts'])) { foreach (array('unrestricted_hosts') as $item) { - if (in_array($item, $valid_acls)) + if (in_array($item, $valid_acls)) { $conf .= "# Do not throttle unrestricted hosts\n"; $conf .= "delay_access 1 deny $item\n"; + } } } 
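Review bot: `@mkdir($dir_path, 0755, true)` in the directory loop of this hunk suppresses the failure, so if a directory cannot be created the loop goes on to `squid_chown_recursive()` on a path that does not exist and the resync reports nothing, whereas the `make_dirs()` it replaces at least made the failure visible. Checking the return value keeps the error from being masked: `if (!is_dir($dir_path) && !@mkdir($dir_path, 0755, true)) { log_error("Squid - unable to create {$dir_path}"); continue; }`. The same unchecked `@mkdir` is introduced in the two `squid_resync()` hunks further down (the directory loop at `@@ -1871` and the log-directory creation at `@@ -1891`). This hunk appears to sit inside `squid_resync_antivirus()`, which starts and ends outside it.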
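Review bot: `foreach ($rc_files as $rc_file)` in this hunk reuses `$rc_file`, the variable that earlier in the same function held the rebuilt contents of `/etc/rc.conf.local` (the hunks at `@@ -1367` and `@@ -1385`), so after this loop it silently holds an rc.d script name instead. Renaming the loop variable, e.g. `foreach ($rc_files as $rc_name) { $clamav_rcfile="/usr/local/etc/rc.d/{$rc_name}";`, removes the shadowing. The function's body starts before this hunk.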
@@ -1568,7 +1615,8 @@ EOD; } foreach (explode(",", $settings['throttle_others']) as $ext) { - if (!empty($ext)) $exts[] = $ext; + if (!empty($ext)) + $exts[] = $ext; } $contents = ''; @@ -1580,9 +1628,9 @@ EOD; $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; $conf .= "delay_access 1 allow throttle_exts\n"; $conf .= "delay_access 1 deny allsrc\n"; - } - else + } else { $conf .= "delay_access 1 allow allsrc\n"; + } return $conf; } @@ -1597,16 +1645,16 @@ function squid_get_server_certs() { return $cert_arr; } -#squid reverse +// squid reverse include('/usr/local/pkg/squid_reverse.inc'); function squid_resync_auth() { global $config, $valid_acls; $write_config=0; - if (!is_array($config['installedpackages']['squidauth']['config'])){ + if (!is_array($config['installedpackages']['squidauth']['config'])) { $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none"); $write_config++; - } + } $settings = $config['installedpackages']['squidauth']['config'][0]; if (is_array($config['installedpackages']['squidnac']['config'])) $settingsnac = $config['installedpackages']['squidnac']['config'][0]; @@ -1624,13 +1672,13 @@ function squid_resync_auth() { $conf = ''; // SSL interception acl options part 1 - if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])){ + if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])) { $conf .= "always_direct allow whitelist\n"; $conf .= "ssl_bump none whitelist\n"; - } + } // Package integration - if(!empty($settingsconfig['custom_options'])){ + if (!empty($settingsconfig['custom_options'])) { $co_preg[0]='/;/'; $co_rep[0]="\n"; $co_preg[1]="/redirect_program/"; 
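Review bot: `include('/usr/local/pkg/squid_reverse.inc');` in this hunk only warns when the file is missing or unreadable and execution continues into `squid_resync_auth()` with the reverse-proxy functions undefined, which surfaces later as a fatal call to an undefined function rather than at the include. `require_once('/usr/local/pkg/squid_reverse.inc');` matches the `require_once` calls at the top of this file and fails at the point where the dependency is actually missing.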
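Review bot: The changed line `if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])) {` keeps the `! empty(` spacing that the rest of this commit normalises to `!empty(` (the `banned_hosts`, `unrestricted_hosts` and `whitelist` conditions in the following hunks), so the style pass leaves one outlier in this function. `if ($settingsconfig['ssl_proxy'] == "on" && !empty($settingsnac['whitelist'])) {` would make it consistent.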
@@ -1638,19 +1686,19 @@ function squid_resync_auth() { $co_preg[2]="/redirector_bypass/"; $co_rep[2]="url_rewrite_bypass"; $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n"; - } + } // Custom User Options before authentication acls $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n"; // Deny the banned guys before allowing the good guys - if(! empty($settingsnac['banned_hosts'])) { + if (!empty($settingsnac['banned_hosts'])) { if (squid_is_valid_acl('banned_hosts')) { $conf .= "# These hosts are banned\n"; $conf .= "http_access deny banned_hosts\n"; } } - if(! empty($settingsnac['banned_macs'])) { + if (!empty($settingsnac['banned_macs'])) { if (squid_is_valid_acl('banned_macs')) { $conf .= "# These macs are banned\n"; $conf .= "http_access deny banned_macs\n"; @@ -1658,13 +1706,13 @@ function squid_resync_auth() { } // Unrestricted hosts take precedence over blacklist - if(! empty($settingsnac['unrestricted_hosts'])) { + if (!empty($settingsnac['unrestricted_hosts'])) { if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } } - if(! empty($settingsnac['unrestricted_macs'])) { + if (!empty($settingsnac['unrestricted_macs'])) { if (squid_is_valid_acl('unrestricted_macs')) { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_macs\n"; 
@@ -1672,49 +1720,42 @@ function squid_resync_auth() { } // Whitelist and blacklist also take precedence over other allow rules - if(! empty($settingsnac['whitelist'])) { + if (!empty($settingsnac['whitelist'])) { if (squid_is_valid_acl('whitelist')) { $conf .= "# Always allow access to whitelist domains\n"; $conf .= "http_access allow whitelist\n"; } } - if(! empty($settingsnac['blacklist'])) { + if (!empty($settingsnac['blacklist'])) { if (squid_is_valid_acl('blacklist')) { $conf .= "# Block access to blacklist domains\n"; $conf .= "http_access deny blacklist\n"; } } - if(! empty($settingsnac['block_user_agent'])) { + if (!empty($settingsnac['block_user_agent'])) { if (squid_is_valid_acl('block_user_agent')) { $conf .= "# Block access with user agents and browsers\n"; $conf .= "http_access deny block_user_agent\n"; } } - if(! empty($settingsnac['block_reply_mime_type'])) { + if (!empty($settingsnac['block_reply_mime_type'])) { if (squid_is_valid_acl('block_reply_mime_type')) { $conf .= "# Block access with mime type in the reply\n"; $conf .= "http_reply_access deny block_reply_mime_type\n"; } } - // SSL interception acl options part 2 - /*if ($settingsconfig['ssl_proxy'] == "on"){ - $conf .= "always_direct allow all\n"; - $conf .= "ssl_bump server-first all\n"; - }*/ - // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - if ($transparent_proxy){ + if ($transparent_proxy) { if (preg_match ("/(none|cp)/",$settings['auth_method'])) $auth_method=$settings['auth_method']; else $auth_method="none"; - } - else{ + } else { $auth_method=$settings['auth_method']; } // Allow the remaining ACLs if no authentication is set 
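Review bot: `preg_match ("/(none|cp)/",$settings['auth_method'])` in the transparent-proxy branch is an unanchored substring match, so any auth method name that merely contains `none` or `cp` is accepted as transparent-compatible, while the intent is an exact match against the two values. `in_array($settings['auth_method'], array('none', 'cp'), true)` states that directly and avoids the regex. `squid_resync_auth()` continues past the end of this hunk.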
@@ -1725,10 +1766,10 @@ function squid_resync_auth() { } if ($auth_method == 'none' ) { // SSL interception acl options part 2 without authentication - if ($settingsconfig['ssl_proxy'] == "on"){ + if ($settingsconfig['ssl_proxy'] == "on") { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; - } + } $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { @@ -1738,8 +1779,7 @@ function squid_resync_auth() { $allowed = array_filter($allowed, 'squid_is_valid_acl'); foreach ($allowed as $acl) $conf .= "http_access allow $acl\n"; - } - else { + } else { $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { $conf .= "acl noauth src $noauth\n"; 
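Review bot: `$noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));` in the `else` branch splits only on `\n`, so a textarea value saved with `\r\n` line endings leaves a carriage return on every host, and that lands inside the `acl noauth src $noauth` line in squid.conf. This file already has `sq_text_area_decode()`, which decodes and normalises the line endings, so `explode("\n", sq_text_area_decode($settings['no_auth_hosts']))` keeps the ACL clean; wrapping the result in `array_filter(array_map('trim', ...))` would also avoid an empty `src` token from a blank line. The branch continues past the end of this hunk.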
@@ -1751,28 +1791,28 @@ function squid_resync_auth() { $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { - case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; - break; - case 'ldap': - $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); - $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; - break; - case 'radius': - $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; - break; - case 'cp': - $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; - $conf .= "acl password external check_cp\n"; - break; - case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; - squid_resync_msnt(); - break; + case 'local': + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program " . SQUID_LOCALBASE . 
"/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'cp': + $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; + $conf .= "acl password external check_cp\n"; + break; + case 'msnt': + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; + squid_resync_msnt(); + break; } - if ($auth_method != 'cp'){ + if ($auth_method != 'cp') { $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt @@ -1785,10 +1825,10 @@ EOD; $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n"; // SSL interception acl options part 2 - if ($settingsconfig['ssl_proxy'] == "on"){ + if ($settingsconfig['ssl_proxy'] == "on") { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; - } + } // Onto the ACLs $password = array('localnet', 'allowed_subnets'); $passwordless = array('unrestricted_hosts'); 
@@ -1805,15 +1845,13 @@ EOD; foreach ($passwordless as $acl) $conf .= "http_access allow $acl\n"; - //if ($auth_method != 'cp'){ - // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; - // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) - $conf .= "http_access allow password $acl\n"; - // } + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; } $conf .= "# Default block all to be sure\n"; @@ -1832,7 +1870,7 @@ function squid_resync_users() { $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n"; } file_put_contents(SQUID_PASSWD, $contents); - chown(SQUID_PASSWD, 'proxy'); + chown(SQUID_PASSWD, SQUID_UID); chmod(SQUID_PASSWD, 0600); } @@ -1848,15 +1886,15 @@ function squid_resync_msnt() { $ntdomain = $settings['auth_ntdomain']; file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}"); - chown(SQUID_CONFBASE."/msntauth.conf", 'proxy'); + chown(SQUID_CONFBASE."/msntauth.conf", SQUID_UID); chmod(SQUID_CONFBASE."/msntauth.conf", 0600); } function squid_resync($via_rpc="no") { global $config; - # detect boot process - if (is_array($_POST)){ + // detect boot process + if (is_array($_POST)) { if (preg_match("/\w+/",$_POST['__csrf_magic'])) unset($boot_process); else 
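Review bot: The context line `crypt($user['password'], base64_encode($user['password']))` derives the salt from the password itself, so equal passwords produce equal hashes and the salt — stored in clear in `SQUID_PASSWD` — reveals the leading bytes of the password; the commit touches only the `chown` below it. A salt from `random_bytes()` mapped onto the `./0-9A-Za-z` alphabet, with a crypt scheme that both FreeBSD's crypt(3) and squid's ncsa helper accept, would fix this; which scheme the installed helper supports needs confirming. The file is also created by `file_put_contents()` under the default umask and only then `chmod(SQUID_PASSWD, 0600)`, so a freshly created password file is briefly readable by other local users; setting `umask(077)` around the write (or creating the file with a restrictive mode first) closes that window. `squid_resync_users()` starts before this hunk.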
@@ -1871,13 +1909,9 @@ function squid_resync($via_rpc="no") { conf_mount_rw(); foreach (array( SQUID_CONFBASE, SQUID_ACLDIR, - SQUID_BASE, - SQUID_LIB, SQUID_SSL_DB ) as $dir) { - make_dirs($dir); - chown($dir, 'proxy'); - chgrp($dir, 'proxy'); - squid_chown_recursive($dir, 'proxy', 'proxy'); + @mkdir($dir, 0755, true); + squid_chown_recursive($dir, SQUID_UID, SQUID_GID); } $conf = squid_resync_general() . "\n"; $conf .= squid_resync_cache() . "\n"; 
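Review bot: The directory loop creates `SQUID_SSL_DB` with mode `0755` and hands it to `squid_chown_recursive()` together with the config and ACL directories; if that path is the ssl_crtd certificate database it holds generated leaf certificates and their private keys, which should not be listable or readable by other local users. Creating that one directory `0700` (or tightening it right after creation) is worth considering — confirm what lives there first. `squid_resync()` starts before this hunk.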
@@ -1891,46 +1925,44 @@ function squid_resync($via_rpc="no") { squid_resync_users(); squid_write_rcfile(); - if(!isset($boot_process) || $via_rpc="yes") + if (!isset($boot_process) || $via_rpc="yes") squid_sync_on_changes(); - #write config file - file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf); + // write config file + file_put_contents(SQUID_CONFFILE, $conf); /* make sure pinger is executable */ - if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) + // XXX: Is it really necessary? Who could change its permission? + if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger"); $log_dir=""; - #check if squid is enabled - if (is_array($config['installedpackages']['squid']['config'])){ + // check if squid is enabled + if (is_array($config['installedpackages']['squid']['config'])) { if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; - } - #check if squidreverse is enabled - else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){ + } + // check if squidreverse is enabled + else if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") $log_dir="/var/squid/logs/"; - } - #do not start squid if there is no log dir - if ($log_dir != ""){ - if(!is_dir($log_dir)) { + } + // do not start squid if there is no log dir + if ($log_dir != "") { + if (!is_dir($log_dir)) { log_error("Creating squid log dir $log_dir"); - make_dirs($log_dir); - squid_chown_recursive($log_dir, 'proxy', 'proxy'); - } + @mkdir($log_dir, 0755, true); + squid_chown_recursive($log_dir, SQUID_UID, SQUID_GID); + } squid_dash_z(); if (!is_service_running('squid')) { log_error("Starting Squid"); mwexec(SQUID_BASE . "/sbin/squid -f " . 
SQUID_CONFFILE); - } - else { - if (!isset($boot_process)){ - log_error("Reloading Squid for configuration sync"); - mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); - } + } else if (!isset($boot_process)) { + log_error("Reloading Squid for configuration sync"); + mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } // Sleep for a couple seconds to give squid a chance to fire up fully. @@ -1975,8 +2007,7 @@ function on_auth_method_changed() { </script> EOD; - } - else { + } else { $javascript = <<< EOD <script language="JavaScript"> <!-- @@ -2001,8 +2032,7 @@ function on_auth_method_changed() { document.iform.auth_ttl.disabled = 1; document.iform.unrestricted_auth.disabled = 1; document.iform.no_auth_hosts.disabled = 1; - } - else { + } else { document.iform.auth_prompt.disabled = 0; document.iform.auth_processes.disabled = 0; document.iform.auth_ttl.disabled = 0; 
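Review bot: `if (!isset($boot_process) || $via_rpc="yes")` in this hunk assigns rather than compares, so the condition is always true and `squid_sync_on_changes()` runs on every resync, including during boot, which the `$boot_process` guard exists to prevent; the commit only re-spaced the line. It should read `if (!isset($boot_process) || $via_rpc == "yes")`. Further down, `exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger")` spawns a shell for a single metadata change; PHP's `chmod()` with `fileperms($pinger) | 0111` does the same in-process. `squid_resync()` starts before this hunk and continues past it.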
@@ -2011,76 +2041,76 @@ function on_auth_method_changed() { } switch (auth_method) { - case 'local': - document.iform.auth_server.disabled = 1; - document.iform.auth_server_port.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 1; - break; - case 'ldap': - document.iform.auth_server.disabled = 0; - document.iform.auth_server_port.disabled = 0; - document.iform.ldap_user.disabled = 0; - document.iform.ldap_pass.disabled = 0; - document.iform.ldap_version.disabled = 0; - document.iform.ldap_userattribute.disabled = 0; - document.iform.ldap_filter.disabled = 0; - document.iform.ldap_basedomain.disabled = 0; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - break; - case 'radius': - document.iform.auth_server.disabled = 0; - document.iform.auth_server_port.disabled = 0; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 0; - document.iform.msnt_secondary.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - break; - case 'msnt': - document.iform.auth_server.disabled = 0; - document.iform.auth_server_port.disabled = 1; - document.iform.auth_ntdomain.disabled = 0; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - 
document.iform.ldap_filter.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 0; - break; - case 'cp': - document.iform.auth_server.disabled = 1; - document.iform.auth_server_port.disabled = 1; - document.iform.auth_ntdomain.disabled = 1; - document.iform.ldap_user.disabled = 1; - document.iform.ldap_version.disabled = 1; - document.iform.ldap_userattribute.disabled = 1; - document.iform.ldap_filter.disabled = 1; - document.iform.ldap_pass.disabled = 1; - document.iform.ldap_basedomain.disabled = 1; - document.iform.radius_secret.disabled = 1; - document.iform.msnt_secondary.disabled = 1; - document.iform.auth_prompt.disabled = 1; - document.iform.auth_processes.disabled = 0; - document.iform.auth_ttl.disabled = 0; - document.iform.unrestricted_auth.disabled = 1; - document.iform.no_auth_hosts.disabled = 1; - break; + case 'local': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + break; + case 'ldap': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 0; + document.iform.ldap_pass.disabled = 0; + document.iform.ldap_version.disabled = 0; + document.iform.ldap_userattribute.disabled = 0; + document.iform.ldap_filter.disabled = 0; + document.iform.ldap_basedomain.disabled = 0; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + break; + case 'radius': + 
document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 0; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + break; + case 'msnt': + document.iform.auth_server.disabled = 0; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 0; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 0; + break; + case 'cp': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + break; } } --> 
@@ -2098,50 +2128,50 @@ function squid_print_javascript_auth2() { function squid_generate_rules($type) { global $config; + $squid_conf = $config['installedpackages']['squid']['config'][0]; //check captive portal option $cp_file='/etc/inc/captiveportal.inc'; $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $cp_inc = file($cp_file); - $new_cp_inc=""; - $found_rule=0; - foreach ($cp_inc as $line){ - $new_line=$line; - //remove applied squid patch - if (preg_match('/skipto 65314 ip/',$line)){ + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line) { + $new_line=$line; + //remove applied squid patch + if (preg_match('/skipto 65314 ip/',$line)) { + $found_rule++; + $new_line =""; + } + + if (substr($pfsense_version,0,3) > 2.0) { + if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']) { $found_rule++; - $new_line =""; - } - - if (substr($pfsense_version,0,3) > 2.0){ - if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - } - } - else{ - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; - } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; - } - } - $new_cp_inc .= $new_line; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' 
in\n";'."\n"; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } else { + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']) { + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; } - if($found_rule > 0){ - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']) { + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; } + } + $new_cp_inc .= $new_line; + } + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } + if ($found_rule > 0) { + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + } //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; 
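Review bot: `$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);` reads `$settings`, which is never assigned in `squid_generate_rules()` — the commit adds `$squid_conf` just above it but leaves this line — so `$port` is always 3128 and the ipfw rules written into captiveportal.inc point at the wrong port whenever the proxy listens elsewhere. Since `$port` is interpolated into PHP source that is written back to `/etc/inc/captiveportal.inc`, validating it as a port number at the same time is prudent: `$port = (is_port($squid_conf['proxy_port']) ? $squid_conf['proxy_port'] : 3128);`. The function continues past the end of this hunk.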
@@ -2151,21 +2181,19 @@ function squid_generate_rules($type) { log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); return; } - #Read assigned interfaces + // Read assigned interfaces $proxy_ifaces = explode(",", $squid_conf['active_interface']); $proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces); - if ($squid_conf['transparent_proxy']=="on"){ + if ($squid_conf['transparent_proxy']=="on") { $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']); $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces); - } - else{ + } else { $transparent_ifaces=array(); } - if ($squid_conf['ssl_proxy'] == "on"){ + if ($squid_conf['ssl_proxy'] == "on") { $ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']); $ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces); - } - else{ + } else { $ssl_ifaces=array(); } 
@@ -2173,118 +2201,118 @@ function squid_generate_rules($type) { $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127); $fw_aliases = filter_generate_aliases(); - if(strstr($fw_aliases, "pptp =")) + if (strstr($fw_aliases, "pptp =")) $PPTP_ALIAS = "\$pptp"; else $PPTP_ALIAS = "\$PPTP"; - if(strstr($fw_aliases, "PPPoE =")) + if (strstr($fw_aliases, "PPPoE =")) $PPPOE_ALIAS = "\$PPPoE"; else $PPPOE_ALIAS = "\$pppoe"; - #define ports based on transparent options and ssl filtering + // define ports based on transparent options and ssl filtering $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80"); switch($type) { - case 'nat': - $rules .= "\n# Setup Squid proxy redirect\n"; - if ($squid_conf['private_subnet_proxy_off'] == 'on') { - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; - } + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n"; } - if (!empty($squid_conf['defined_ip_proxy_off'])) { - $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); - $exempt_ip = ""; - foreach ($defined_ip_proxy_off as $ip_proxy_off) { - if(!empty($ip_proxy_off)) { - $ip_proxy_off = trim($ip_proxy_off); - if (is_alias($ip_proxy_off)) - $ip_proxy_off = '$'.$ip_proxy_off; - $exempt_ip .= ", $ip_proxy_off"; - } - } - $exempt_ip = substr($exempt_ip,2); - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; - } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; } - if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { - $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); - $exempt_dest = ""; - foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { - if(!empty($ip_proxy_off_dest)) { - $ip_proxy_off_dest = trim($ip_proxy_off_dest); - if (is_alias($ip_proxy_off_dest)) - $ip_proxy_off_dest = 
'$'.$ip_proxy_off_dest; - $exempt_dest .= ", $ip_proxy_off_dest"; - } - } - $exempt_dest = substr($exempt_dest,2); - foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; - } - /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if (!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; + $exempt_ip .= ", $ip_proxy_off"; } } - foreach ($transparent_ifaces as $t_iface) { - $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80"); - $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; - if (in_array($t_iface,$ssl_ifaces)) - $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + $exempt_ip = substr($exempt_ip,2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; } /* Handle PPPOE case */ - if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { - $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; } /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; } - $rules .= "\n"; - break; - case 'filter': - case 'rule': + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if (!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); foreach ($transparent_ifaces as $iface) { - $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? 
"{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); - $rules .= "# Setup squid pass rules for proxy\n"; - $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; - #$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; - $rules .= "\n"; - }; - if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { - $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; } - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; } - break; - default: - break; + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + } + foreach ($transparent_ifaces as $t_iface) { + $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; + if (in_array($t_iface,$ssl_ifaces)) + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + } + /* Handle PPPOE case */ + if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + /* Handle PPTP case */ + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; + // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; + $rules .= "\n"; + }; + if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + break; + default: + break; } return $rules; 
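Review bot: The `defined_ip_proxy_off` and `defined_ip_proxy_off_dest` entries in the `nat` case are interpolated into pf `no rdr` rules after only `trim()` and an `is_alias()` check, so a stray token in that field (a hostname, a brace, an extra space-separated word) makes pfctl reject the whole generated ruleset at the next filter reload — unless the save-time validator in squid.xml, which is outside this diff, already rejects such values, which I cannot confirm here. Gate each entry on pfSense's address helpers as well as the alias check, e.g. `if (!is_alias($ip_proxy_off) && !is_ipaddr($ip_proxy_off) && !is_subnet($ip_proxy_off)) { log_error("[squid] ignoring invalid bypass entry: {$ip_proxy_off}"); continue; }`, and mirror it for `$ip_proxy_off_dest`. Separately, the `filter`/`rule` case keys its PPPoE pass rule on `$config['pppoe']['mode']` alone while the `nat` case also accepts `is_pppoe_server_enabled()`, so where only the latter is true an rdr is emitted with no matching pass rule. squid_generate_rules begins before this hunk.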
@@ -2335,82 +2363,80 @@ EOD; /* Uses XMLRPC to synchronize the changes to a remote node */ function squid_sync_on_changes() { global $config, $g; - if (is_array($config['installedpackages']['squidsync']['config'])){ + if (is_array($config['installedpackages']['squidsync']['config'])) { $squid_sync=$config['installedpackages']['squidsync']['config'][0]; $synconchanges = $squid_sync['synconchanges']; $synctimeout = $squid_sync['synctimeout']; - switch ($synconchanges){ - case "manual": - if (is_array($squid_sync[row])){ - $rs=$squid_sync[row]; - } - else{ - log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config."); - return; - } - break; - case "auto": - if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ - $system_carp=$config['installedpackages']['carpsettings']['config'][0]; - $rs[0]['ipaddress']=$system_carp['synchronizetoip']; - $rs[0]['username']=$system_carp['username']; - $rs[0]['password']=$system_carp['password']; - } - else{ - log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); - return; - } - break; - default: + switch ($synconchanges) { + case "manual": + if (is_array($squid_sync[row])) { + $rs=$squid_sync[row]; + } else { + log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) { + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress']=$system_carp['synchronizetoip']; + $rs[0]['username']=$system_carp['username']; + $rs[0]['password']=$system_carp['password']; + } else { + log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); return; + } + break; + default: + return; break; } - if (is_array($rs)){ + if 
(is_array($rs)) { log_error("[squid] xmlrpc sync is starting."); - foreach($rs as $sh){ + foreach ($rs as $sh) { $sync_to_ip = $sh['ipaddress']; $password = $sh['password']; - if($sh['username']) + if ($sh['username']) $username = $sh['username']; else $username = 'admin'; - if($password && $sync_to_ip) + if ($password && $sync_to_ip) squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); - } - log_error("[squid] xmlrpc sync is ending."); } - } + log_error("[squid] xmlrpc sync is ending."); + } + } } /* Do the actual XMLRPC sync */ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; - if(!$username) + if (!$username) return; - if(!$password) + if (!$password) return; - if(!$sync_to_ip) + if (!$sync_to_ip) return; - if(!$synctimeout) + if (!$synctimeout) $synctimeout=250; $xmlrpc_sync_neighbor = $sync_to_ip; - if($config['system']['webgui']['protocol'] != "") { + if ($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ - if($port == "") { - if($config['system']['webgui']['protocol'] == "http") + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if ($port == "") { + if ($config['system']['webgui']['protocol'] == "http") $port = "80"; else $port = "443"; - } + } $synchronizetoip .= $sync_to_ip; /* xml will hold the sections to sync */ 
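Review bot: `is_array($squid_sync[row])` and `$rs=$squid_sync[row];` in the `manual` case index the array with the bare word `row`; PHP treats an undefined constant as the string 'row' with a notice or warning on older releases, and PHP 8 throws an Error, so depending on the interpreter on the target release the manual sync path either works by accident or dies before any host is contacted. It should read `if (is_array($squid_sync['row'])) {` and `$rs = $squid_sync['row'];`. In squid_do_xmlrpc_sync, `$synchronizetoip` is only initialised when `webgui['protocol']` is non-empty, so an empty protocol yields a scheme-less target URL; given this call pushes the admin credentials and whole config sections to the peer, initialise it explicitly (`$synchronizetoip = '';` before the check, or default to `https://`). squid_do_xmlrpc_sync continues past the end of this hunk.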
@@ -2439,15 +2465,15 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); - if($g['debug']) + if ($g['debug']) $cli->setDebug(1); /* send our XMLRPC message and timeout after defined sync timeout value*/ $resp = $cli->send($msg, $synctimeout); - if(!$resp) { + if (!$resp) { $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); - } elseif($resp->faultCode()) { + } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); @@ -2472,11 +2498,11 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); - if(!$resp) { + if (!$resp) { $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "squid Settings Sync", ""); - } elseif($resp->faultCode()) { + } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); @@ -2485,6 +2511,6 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { } else { log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); } - } + ?> diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 57dfc938..96f2610c 100644 
--- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -46,7 +46,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squid</name> - <version>3.4.10_2 pkg 0.2.6</version> + <version>0.2.8</version> <title>Proxy server: General settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <menu> @@ -166,16 +166,6 @@ <additional_files_needed> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_ng.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid3/34/squid_ng.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> <item>https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml</item> </additional_files_needed> <additional_files_needed> @@ -249,7 +239,7 @@ <item>https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc</item> </additional_files_needed> <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> + <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> <item>https://packages.pfsense.org/packages/config/squid3/34/check_ip.php</item> </additional_files_needed> diff --git a/config/squid3/34/squid_auth.inc b/config/squid3/34/squid_auth.inc deleted file mode 100644 index cc511607..00000000 --- a/config/squid3/34/squid_auth.inc +++ /dev/null 
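Review bot: Dropping the `additional_files_needed` entries for squid_ng.xml and squid_ng.inc stops new installs from fetching them, but it does not remove copies already placed in /usr/local/pkg on systems being upgraded; unless the package's install/deinstall hook (not in this diff) unlinks them, a stale copy of a now-unmaintained include stays on the box. Consider removing them from the install hook, e.g. `if (file_exists('/usr/local/pkg/squid_ng.inc')) unlink('/usr/local/pkg/squid_ng.inc');` and the same for squid_ng.xml, so upgrades converge on the new file set.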
@@ -1,446 +0,0 @@ -<?php -/* $Id$ */ - -/* - squid_auth.inc - part of pfSense (www.pfSense.com) - - Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
- -*/ - -function global_eval_auth_options() -{ - global $config; - conf_mount_rw(); - config_lock(); - - switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) { - case "none": - dynamic_auth_content("pkg_edit"); - dynamic_no_auth(); - break; - case "local_auth": - dynamic_auth_content("pkg"); - /* create empty passwd file to prevent stat error with squid reload */ - touch ("/usr/local/etc/squid/advanced/ncsa/passwd"); - dynamic_local_auth(); - break; - case "ldap_bind": - dynamic_auth_content("pkg_edit"); - dynamic_ldap_auth(); - break; - case "domain_auth": - $filecontents = file("/usr/local/pkg/squid_auth.xml"); - dynamic_auth_content("pkg_edit"); - dynamic_domain_auth(); - break; - case "radius_auth": - $filecontents = file("/usr/local/pkg/squid_auth.xml"); - dynamic_auth_content("pkg_edit"); - dynamic_radius_auth(); - break; - default: - $filecontents = file("/usr/local/pkg/squid_auth.xml"); - dynamic_auth_content("pkg_edit"); - dynamic_no_auth(); - break; - } - - config_unlock(); - conf_mount_ro(); - -} /* end function global_eval_auth_options */ - -function dynamic_no_auth() { - global $config; - conf_mount_rw(); - $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); - fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); - fwrite($fout, "<packagegui>\n"); - fwrite($fout, " <name>squidextnoauth</name>\n"); - fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n"); - fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tabs>\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>General Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); 
- fwrite($fout, " <text>Upstream Proxy</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Cache Mgmt</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Network Access Control</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Traffic Mgmt</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Auth Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Extended Auth Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - fwrite($fout, " <active/>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " </tabs>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <fields>\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n"); - fwrite($fout, " <fieldname>no_auth</fieldname>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, " </fields>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <custom_add_php_command_late>\n"); - fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");"); - fwrite($fout, "\n"); - fwrite($fout, " global_write_squid_config();\n"); - fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); - fwrite($fout, " </custom_add_php_command_late>\n"); - fwrite($fout, "\n"); - fwrite($fout, "</packagegui>\n"); - fclose($fout); - - /* mount 
filesystem read-only */ - conf_mount_ro(); -} - -function dynamic_local_auth() { - global $config; - conf_mount_rw(); - - $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); - - fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); - fwrite($fout, "\n"); - fwrite($fout, "<packagegui>\n"); - fwrite($fout, " <name>squidextlocalauth</name>\n"); - fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); - fwrite($fout, " <version>2.5.10_4</version>\n"); - fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <files></files>\n"); - fwrite($fout, " <menu></menu>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tabs>\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>General Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Upstream Proxy</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Cache Mgmt</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Network Access Control</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Traffic Mgmt</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Auth 
Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Extended Auth Settings</text>\n"); - fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); - fwrite($fout, " <active/>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " </tabs>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <adddeleteeditpagefields>\n"); - fwrite($fout, " <columnitem>\n"); - fwrite($fout, " <fielddescr>Username</fielddescr>\n"); - fwrite($fout, " <fieldname>username</fieldname>\n"); - fwrite($fout, " </columnitem>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <columnitem>\n"); - fwrite($fout, " <fielddescr>Description</fielddescr>\n"); - fwrite($fout, " <fieldname>description</fieldname>\n"); - fwrite($fout, " </columnitem>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <columnitem>\n"); - fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); - fwrite($fout, " <fieldname>group</fieldname>\n"); - fwrite($fout, " </columnitem>\n"); - fwrite($fout, " </adddeleteeditpagefields>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <fields>\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Username</fielddescr>\n"); - fwrite($fout, " <fieldname>username</fieldname>\n"); - fwrite($fout, " <type>input</type>\n"); - fwrite($fout, " <size>15</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Password</fielddescr>\n"); - fwrite($fout, " <fieldname>password</fieldname>\n"); - fwrite($fout, " <type>password</type>\n"); - fwrite($fout, " <size>8</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n"); - fwrite($fout, " <fieldname>description</fieldname>\n"); - fwrite($fout, " <type>input</type>\n"); - fwrite($fout, " 
<size>30</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n"); - fwrite($fout, " <fieldname>group</fieldname>\n"); - fwrite($fout, " <type>select</type>\n"); - fwrite($fout, " <options>\n"); - fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n"); - fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n"); - fwrite($fout, " </options>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " </fields>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <custom_add_php_command_late>\n"); - fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); - fwrite($fout, "\n"); - fwrite($fout, " mod_htpasswd();\n"); - fwrite($fout, " global_write_squid_config();\n"); - fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); - fwrite($fout, " </custom_add_php_command_late>\n"); - fwrite($fout, "\n"); - fwrite($fout, "</packagegui>\n"); - - fclose($fout); - - /* mount filesystem read-only */ - conf_mount_ro(); -} - -function dynamic_ldap_auth() { - global $config; - conf_mount_rw(); - - $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); - - fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n"); - fwrite($fout, "\n"); - fwrite($fout, "<packagegui>\n"); - fwrite($fout, " <name>squidextldapauth</name>\n"); - fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); - fwrite($fout, " <version>2.5.11</version>\n"); - fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <files></files>\n"); - fwrite($fout, " <menu></menu>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tabs>\n"); - fwrite($fout, " <tab>\n"); - 
fwrite($fout, " <text>General Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Upstream Proxy</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Cache Mgmt</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Network Access Control</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Traffic Mgmt</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Auth Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <tab>\n"); - fwrite($fout, " <text>Extended Auth Settings</text>\n"); - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - fwrite($fout, " <active/>\n"); - fwrite($fout, " </tab>\n"); - fwrite($fout, "\n"); - fwrite($fout, " </tabs>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <fields>\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Base DN</fielddescr>\n"); - fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n"); - fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. 
Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n"); - fwrite($fout, " <type>input</type>\n"); - fwrite($fout, " <size>50</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n"); - fwrite($fout, " <fieldname>ldap_server</fieldname>\n"); - fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n"); - fwrite($fout, " <type>input</type>\n"); - fwrite($fout, " <size>20</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n"); - fwrite($fout, " <fieldname>ldap_type</fieldname>\n"); - fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n"); - fwrite($fout, " <type>select</type>\n"); - fwrite($fout, " <options>\n"); - fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n"); - fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n"); - fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n"); - fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n"); - fwrite($fout, " </options>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n"); - fwrite($fout, " <fieldname>ldap_port</fieldname>\n"); - fwrite($fout, " <description>This is the port that LDAP bind will attempt on. 
The default is \"389\".</description>\n"); - fwrite($fout, " <type>input</type>\n"); - fwrite($fout, " <size>5</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n"); - fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n"); - fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n"); - fwrite($fout, " <type>input</type>\n"); - fwrite($fout, " <size>30</size>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <field>\n"); - fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n"); - fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n"); - fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n"); - fwrite($fout, " <type>password</type>\n"); - fwrite($fout, " </field>\n"); - fwrite($fout, "\n"); - fwrite($fout, " </fields>\n"); - fwrite($fout, "\n"); - fwrite($fout, " <custom_add_php_command_late>\n"); - fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); - fwrite($fout, "\n"); - fwrite($fout, " mod_htpasswd();\n"); - fwrite($fout, "\n"); - fwrite($fout, " global_write_squid_config();\n"); - fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); - fwrite($fout, " </custom_add_php_command_late>\n"); - fwrite($fout, "\n"); - fwrite($fout, "</packagegui>\n"); - - fclose($fout); - - /* mount filesystem read-only */ - conf_mount_ro(); -} - -/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ -function dynamic_auth_content($pkgvar) { - - switch ($pkgvar) { - case "pkg": - if ($handle = opendir("/usr/local/pkg")) { - while (($file = readdir($handle)) != false) { - if (stristr($file, "squid_") && stristr($file, ".xml")) { - $filecontents = file("/usr/local/pkg/" . 
$file); - $fout = fopen("/usr/local/pkg/" . $file, "w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); - } - } - } - } - } - break; - - case "pkg_edit": - if ($handle = opendir("/usr/local/pkg")) { - while (($file = readdir($handle)) != false) { - if (stristr($file, "squid_") && stristr($file, ".xml")) { - $filecontents = file("/usr/local/pkg/" . $file); - $fout = fopen("/usr/local/pkg/" . $file,"w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); - } - } - } - } - } - break; - } - -} /* end function dynamic_auth_content */ -?>
\ No newline at end of file
diff --git a/config/squid3/34/squid_cpauth.php b/config/squid3/34/squid_cpauth.php
deleted file mode 100644
index 98be9946..00000000
--- a/config/squid3/34/squid_cpauth.php
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/usr/local/bin/php -q
-<?php
-
-$NONINTERACTIVE_SCRIPT = TRUE;
-
-$fp = fopen('php://stdin', 'r');
-while($args = split(" ",trim(fgets($fp, 4096)))){
- print captive_ip_to_username($args);
-}
-
-function captive_ip_to_username($args){
- $current_sessions = file("/var/db/captiveportal.db");
- foreach($current_sessions as $session){
- list($a, $b, $IP_Address, $Mac_Address, $Username) = explode(",", $session,5);
- #this test allow access if user's ip is listed on captive portal
- #args array has (ip, site, protocol and port) passed by squid helper
- #include a more complex test here to allow or deny access based on username returned
- # this script will not return username to squid logs
- if($IP_Address == $args[0]) return "OK\n";
- }
- return "ERR\n";
-}
-
-?>
\ No newline at end of file
diff --git a/config/squid3/34/squid_extauth.xml b/config/squid3/34/squid_extauth.xml
deleted file mode 100644
index 41d9f633..00000000
--- a/config/squid3/34/squid_extauth.xml
+++ /dev/null
@@ -1,106 +0,0 @@
-<?xml version="1.0" encoding="utf-8" ?>
-<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
-<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
-<packagegui>
- <copyright>
- <![CDATA[
-/* $Id$ */
-/* ========================================================================== */
-/*
- authng.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- ]]>
- </copyright>
- <description>Describe your package here</description>
- <requirements>Describe your package requirements here</requirements>
- <faq>Currently there are no FAQ items provided.</faq>
- <name>squidextnoauth</name>
- <version>none</version>
- <title>Services: Proxy Server -> Extended Authentication Settings</title>
- <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&id=0</aftersaveredirect>
- <tabs>
- <tab>
- <text>General</text>
- <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url>
- </tab>
-
- <tab>
- <text>Upstream Proxy</text>
- <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url>
- </tab>
-
- <tab>
- <text>Cache Mgmt</text>
- <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url>
- </tab>
-
- <tab>
- <text>Access Control</text>
- <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url>
- </tab>
-
- <tab>
- <text>Traffic Mgmt</text>
- <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url>
- </tab>
-
- <tab>
- <text>Auth</text>
- <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url>
- </tab>
-
- <tab>
- <text>Extended Auth</text>
- <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>
- <active/>
- </tab>
-
- </tabs>
- <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>
- <fields>
- <field>
- <fielddescr>No Authentication Defined</fielddescr>
- <fieldname>no_auth</fieldname>
- <type>text</type>
- </field>
- </fields>
-
- <custom_add_php_command_late>
- require_once("/usr/local/pkg/squid_ng.inc");
-
- global_write_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- </custom_add_php_command_late>
-
-</packagegui>
diff --git a/config/squid3/34/squid_ng.inc b/config/squid3/34/squid_ng.inc
deleted file mode 100755
index bac4d4f0..00000000
--- a/config/squid3/34/squid_ng.inc
+++ /dev/null
@@ -1,1070 +0,0 @@ -<?php -/* $Id$ */ - -/* - squid_ng.inc - part of pfSense (www.pfSense.com) - - Copyright (C) 2005 Michael Capp <michael.capp@gmail.com> - All rights reserved. - - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
- -*/ - -if(!function_exists("filter_configure")) - require_once("filter.inc"); - -function global_write_squid_config() -{ - global $config; - conf_mount_rw(); - config_lock(); - - /* define squid configuration file in variable for replace function */ - $squidconfig = "/usr/local/etc/squid/squid.conf"; - - /* squid.xml values */ - $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; - $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; - $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; - $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; - $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled']; - $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; - $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; - $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port']; - $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname']; - $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email']; - $error_language = $config['installedpackages']['squid']['config'][0]['error_language']; - $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled']; - - /* squid_upstream.xml values */ - $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; - $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; - $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; - $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; - $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; - 
$upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; - $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; - - /* squid_cache.xml values */ - $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; - $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; - $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; - $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; - $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; - $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; - $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; - $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; - $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; - - /* squid_nac.xml values */ - $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; - $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; - $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; - $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; - $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; - $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts']; - - /* squid_traffic.xml values */ - $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; - $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; 
- $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; - $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; - $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files']; - $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; - $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; - - /* squid_auth.xml values */ - $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; - $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes']; - $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl']; - $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr']; - $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl']; - $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth']; - $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt']; - $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth']; - $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length']; - $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended']; - - /* squid_extauth.xml (ldap) values */ - $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn']; - $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server']; - $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type']; - $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port']; - $bind_dn_username = 
$config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username']; - $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password']; - - /* squid_extauth.xml (radius) values */ - $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server']; - $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port']; - $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier']; - $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret']; - - /* static variable assignments for directory mapping */ - $acldir = "/usr/local/etc/squid/advanced/acls"; - $ncsadir = "/usr/local/etc/squid/advanced/ncsa"; - $ntlmdir = "/usr/local/etc/squid/advanced/ntlm"; - $radiusdir = "/usr/local/etc/squid/advanced/radius"; - - $fout = fopen($squidconfig, "w"); - - $config_array = array('shutdown_lifetime 5 seconds' . "\n\n"); - - if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) { - mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi"); - mwexec("chmod a+rx /usr/local/www/cachemgr.cgi"); - } else { - mwexec("rm -f /usr/local/www/cachemgr.cgi"); - } - unset($cachemgr_enabled); - - if (!isset($icp_port) or ($icp_port == "")) { - $icp_port = "3130"; - } - $config_array[] = 'icp_port ' . $icp_port . "\n"; - unset($icp_port); - - if(!isset($proxy_port) or ($proxy_port == "")) { - $proxy_port = "3128"; - } - - if (isset($transparent_proxy) && ($transparent_proxy != "on")) { - $int = convert_friendly_interface_to_real_interface_name($active_interface); - $listen_ip = find_interface_ip($int); - - $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n"; - $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n"; - $config_array[] = 'no_cache deny QUERY' . "\n\n"; - } - $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . 
"\n\n"; - unset($proxy_port); - - if (isset($domain) && ($domain !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $aclout = fopen($acldir . "/dst_nocache.acl","w"); - - $domain_array = split("; ",$domain); - foreach ($domain_array as $no_cache_domain) { - fwrite($aclout, $no_cache_domain . "\n"); - } - - fclose($aclout); - - $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"; - $config_array[] = 'no_cache deny no_cache_domains' . "\n\n"; - } - unset($no_cache_domain); - unset($domain_array); - unset($domain); - - $config_array[] = 'cache_effective_user squid' . "\n"; - $config_array[] = 'cache_effective_group squid' . "\n\n"; - $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n"; - - if (!isset($memory_cache_size) or ($memory_cache_size == "")) { - $memory_cache_size = "8"; - } - $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n"; - unset($memory_cache_size); - - if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) { - $harddisk_cache_size = "500"; - } - - if (!isset($level_subdirs) or ($level_subdirs == "")) { - $level_subdirs = "16"; - } - - $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n"; - unset($harddisk_cache_size); - unset($level_subdirs); - - if (!isset($error_language) or ($error_language == "")) { - $error_language = "English"; - } - $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n"; - unset($error_language); - - if (isset($offline_mode) && ($offline_mode == "on")) { - $config_array[] = 'offline_mode on' . "\n\n"; - } else { - $config_array[] = 'offline_mode off' . "\n\n"; - } - - if (!isset($memory_replacement) or ($memory_replacement == "")) { - $memory_replacement = "heap GDSF"; - } - $config_array[] = 'memory_replacement_policy ' . $memory_replacement . 
"\n"; - unset($memory_replacement); - - if (!isset($cache_replacement) or ($cache_replacement == "")) { - $cache_replacement="heap GDSF"; - } - $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n"; - unset($cache_replacement); - - if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) { - $config_array[] = 'cache_access_log none' . "\n"; - } else { - $config_array[] = 'cache_access_log /var/log/access.log' . "\n"; - } - $config_array[] = 'cache_log /var/log/cache.log' . "\n"; - $config_array[] = 'cache_store_log none' . "\n"; - unset($accesslog_disabled); - unset($log_enabled); - - if (isset($log_query_terms) && ($log_query_terms == "on")) { - $config_array[] = 'strip_query_terms off' . "\n"; - } else { - $config_array[] = 'strip_query_terms on' . "\n"; - } - unset($log_query_terms); - - $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n"; - unset($log_user_agents); - - $config_array[] = 'log_mime_hdrs off' . "\n"; - $config_array[] = 'emulate_httpd_log on' . "\n"; - - switch ($user_forwarding) { - case "on": - $config_array[] = 'forwarded_for on' . "\n\n"; - break; - case "off": - $config_array[] = 'forwarded_for off' . "\n\n"; - break; - default: - $config_array[] = 'forwarded_for off' . "\n\n"; - break; - } - unset($user_forwarding); - - switch ($auth_method) { - case "none": - break; - case "local_auth": - $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n"; - if (!isset($auth_processes) or ($auth_processes == "")) { - $auth_processes = "5"; - } - $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; - - if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { - $auth_realm_prompt = "pfSense Advanced Proxy"; - } - $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . 
"\n"; - - if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { - $auth_cache_ttl = "60"; - } - $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; - $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; - - unset($auth_realm_prompt); - unset($auth_processes); - unset($auth_cache_ttl); - - break; - case "radius_auth"; - $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n"; - if (!isset($auth_processes) or ($auth_processes == "")) { - $auth_processes = "5"; - } - $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; - - if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { - $auth_realm_prompt = "pfSense Advanced Proxy"; - } - $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; - - if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { - $auth_cache_ttl = "60"; - } - $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; - $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; - - unset($auth_realm_prompt); - unset($auth_processes); - unset($auth_cache_ttl); - - break; - case "ldap_bind"; - $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"; - $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth'; - $config_array[] = ' -b "' . $ldap_basedn . '"'; - $config_array[] = ' -D "' . $bind_dn_username . '"'; - $config_array[] = " -w " . $bind_dn_password; - $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"'; - $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . 
"\n"; - - if (!isset($auth_processes) or ($auth_processes == "")) { - $auth_processes = "5"; - } - $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; - - if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { - $auth_realm_prompt = "pfSense Advanced Proxy"; - } - $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; - - if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { - $auth_cache_ttl = "60"; - } - $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; - $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; - - unset($auth_realm_prompt); - unset($auth_processes); - unset($auth_cache_ttl); - - break; - case "windows_auth"; - break; - } - - if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; - - $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); - fwrite($throttle_out, $binary_out); - fclose($throttle_out); - $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"; - } else { - if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); - } - unset($throttle_binary_files); - unset($throttle_out); - unset($binary_out); - - if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; - - $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w"); - fwrite($throttle_out, $cd_out); - fclose($throttle_out); - $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"; - } else { - if (file_exists($acldir . "/dst_throttle_cd.acl")) { - unlink($acldir . 
"/dst_throttle_cd.acl"); - } - } - unset($throttle_cd_images); - unset($throttle_out); - unset($cd_out); - - if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; - - $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w"); - fwrite($throttle_out, $multimedia_out); - fclose($throttle_out); - $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n"; - } else { - if (file_exists($acldir . "/dst_throttle_multimedia.acl")) { - unlink($acldir . "/dst_throttle_multimedia.acl"); - } - } - unset($throttle_multimedia); - unset($multimedia_out); - unset($throttle_out); - - $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n"; - - /* obtain interface subnet and address for Squid rules */ - $lactive_interface = strtolower($active_interface); - - $lancfg = $config['interfaces'][$lactive_interface]; - $lanif = $lancfg['if']; - $lanip = $lancfg['ipaddr']; - $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); - $lansn = $lancfg['subnet']; - - $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n"; - $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n"; - $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n"; - $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n"; - $config_array[] = 'acl Safe_ports port 80 # http' . "\n"; - $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n"; - $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n"; - $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n"; - $config_array[] = 'acl Safe_ports port 210 # wais' . "\n"; - $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n"; - $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . 
"\n"; - $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n"; - $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n"; - $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n"; - $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n"; - - /* allow access through proxy for custom admin port */ - $custom_port = $config['system']['webgui']['port']; - if (isset($custom_port) && ($custom_port !== "")) { - $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n"; - unset($custom_port); - } else { - $admin_protocol = $config['system']['webgui']['protocol']; - switch ($admin_protocol) { - case "http"; - $config_array[] = 'acl pf_admin_port port 80' ."\n"; - break; - case "https"; - $config_array[] = 'acl pf_admin_port port 443' . "\n"; - break; - default; - $config_array[] = 'acl pf_admin_port port 80' . "\n"; - break; - } - unset($admin_protocol); - } - - /* define override hosts as specified in squid_nac.xml */ - if (isset($override_hosts) && ($override_hosts !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $aclout = fopen($acldir . "/src_override_hosts.acl", "w"); - - $override_hosts_array = split("; ", $override_hosts); - foreach ($override_hosts_array as $ind_override_host) { - fwrite($aclout, $ind_override_host . "\n"); - } - - fclose($aclout); - - $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n"; - } - /* clear variables */ - unset($override_hosts_array); - unset($ind_override_host); - unset($override_hosts); - - /* define subnets allowed to utilize proxy service */ - if (isset($allowed_subnets) && ($allowed_subnets !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - mwexec("touch {$acldir}/src_subnets.acl"); - } - - $aclout = fopen($acldir . 
"/src_subnets.acl","w"); - - $allowed_subnets_array = split("; ",$allowed_subnets); - foreach ($allowed_subnets_array as $ind_allowed_subnets) { - fwrite($aclout, $ind_allowed_subnets . "\n"); - } - - fclose($aclout); - } else { - - $aclout = fopen($acldir . "/src_subnets.acl","w"); - fwrite($aclout, $lansa . "/" . $lansn . "\n"); - fclose($aclout); - } - - $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"; - - unset($allowed_subnets_array); - unset($ind_allowed_subnets); - unset($allowed_subnets); - - /* define ip addresses that have 'unrestricted' access */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w"); - - $unrestricted_ip_array = split("; ",$unrestricted_ip_addr); - foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { - fwrite($aclout, $ind_unrestricted_ip . "\n"); - } - - fclose($aclout); - - $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"; - } - unset($unrestricted_ip_array); - unset($unrestricted_ip_addr); - unset($ind_unrestricted_ip); - - /* define mac addresses that have 'unrestricted' access */ - if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w"); - - $unrestricted_mac_array = split("; ",$unrestricted_mac_addr); - foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { - fwrite($aclout, $ind_unrestricted_mac . "\n"); - } - - fclose($aclout); - - $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . 
"\n"; - } - unset($unrestricted_mac_array); - unset($unrestricted_mac_addr); - unset($ind_unrestricted_mac); - - /* define ip addresses that are banned from using the proxy service */ - if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $aclout = fopen($acldir . "/src_banned_ip.acl","w"); - - $banned_ip_array = split("; ",$banned_ip_addr); - foreach ($banned_ip_array as $ind_banned_ip) { - fwrite($aclout, $ind_banned_ip . "\n"); - } - - fclose($aclout); - - $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; - } - unset($banned_ip_array); - unset($banned_ip_addr); - unset($ind_banned_ip); - - /* define mac addresses that are banned from using the proxy service */ - if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) { - if (!file_exists($acldir)) { - mwexec("/bin/mkdir -p " . $acldir); - } - - $aclout = fopen($acldir . "/src_banned_mac.acl","w"); - - $banned_mac_array = split("; ",$banned_mac_addr); - foreach ($banned_mac_array as $ind_banned_mac) { - fwrite($aclout, $ind_banned_mac . "\n"); - } - - fclose($aclout); - - $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"; - } - unset($banned_mac_array); - unset($banned_mac_addr); - unset($ind_banned_mac); - - $config_array[] = 'acl pf_ips dst ' . $lanip . "\n"; - $config_array[] = 'acl CONNECT method CONNECT' . "\n\n"; - - if (isset($auth_method) && ($auth_method == "none")) { - $config_array[] = 'http_access allow localnet' . "\n"; - } - $config_array[] = 'http_access allow localhost' . "\n"; - - if (isset($override_hosts) && ($override_hosts !== "")) { - $config_array[] = 'http_access allow override_hosts' . "\n"; - } - $config_array[] = "\n"; - - switch ($config['system']['webgui']['protocol']) { - case "http": - $config_array[] = 'http_access allow pf_ips' . "\n"; - $config_array[] = 'http_access allow pf_admin_port' . 
"\n"; - $config_array[] = 'http_access deny !pf_networks' . "\n\n"; - break; - case "https": - $config_array[] = 'http_access allow CONNECT pf_ips' . "\n"; - $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n"; - $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n"; - break; - } - - $config_array[] = 'http_access deny !Safe_ports' . "\n"; - $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n"; - - if (isset($auth_method) && ($auth_method != "none")) { - $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n"; - } - - $config_array[] = 'http_access deny all' . "\n\n"; - - if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) { - $config_array[] = 'delay_pools 1' . "\n"; - $config_array[] = 'delay_class 1 3' . "\n"; - - if ($dl_overall == "unlimited") { - $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n"; - } else { - $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; - } - - /* if no unrestricted ip addresses are defined; this line is ignored */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; - - /* this will define bandwidth delay restrictions for specified throttles */ - if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { - $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; - } - if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { - $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; - } - if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { - $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; - } else { - $config_array[] = 'delay_access 1 allow all' . "\n"; - } - $config_array[] = 'delay_initial_bucket_level 100%' . 
"\n\n"; - } - - if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) { - $config_array[] = 'delay_pools 1' . "\n"; - $config_array[] = 'delay_class 1 3' . "\n"; - - if ($dl_per_host == "unlimited") { - $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n"; - } else { - $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n"; - } - - /* if no unrestricted ip addresses are defined; this line is ignored */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; - - /* this will define bandwidth delay restrictions for specified throttles */ - if ($throttle_binary_files == "on") { - $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; - } - if ($throttle_cd_images == "on") { - $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; - } - if ($throttle_multimedia == "on") { - $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n"; - } else { - $config_array[] = 'delay_access 1 allow all' . "\n"; - } - $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n"; - } - - if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) { - /* if no bandwidth restrictions are specified, then these parameters are not necessary */ - if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { - - if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) { - $config_array[] = 'delay_pools 1' . "\n"; - $config_array[] = 'delay_class 1 3' . "\n"; - $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . 
"\n"; - } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) { - $config_array[] = 'delay_pools 1' . "\n"; - $config_array[] = 'delay_class 1 3' . "\n"; - $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; - } - } - - if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { - - /* if no unrestricted ip addresses are defined; this line is ignored */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; - - /* this will define bandwidth delay restrictions for specified throttles */ - if ($throttle_binary_files == "on") { - $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; - } - if ($throttle_cd_images == "on") { - $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; - } - if ($throttle_multimedia == "on") { - $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; - } else { - $config_array[] = 'delay_access 1 allow all' . "\n"; - } - $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; - } - } - - $config_array[] = 'header_access X-Forwarded-For deny all' . "\n"; - $config_array[] = 'header_access Via deny all' . "\n\n"; - - /* TODO: acl customization for snmp support */ - /* fwrite($fout, "\n"); */ - - if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) { - $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n"; - $config_array[] = 'redirect_children 5' . "\n\n"; - } - - if (isset($max_upload_size) && ($max_upload_size != "")) { - $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n"; - } - - if (isset($max_download_size) && ($max_download_size != "")) { - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . 
"\n"; - /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */ - $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n"; - } - - /* set default value for maximum_object_size */ - if (!isset($maximum_object_size) or ($maximum_object_size == "")) { - $maximum_object_size = "4096"; - } - - /* set default value for minimum_object_size */ - if (!isset($minimum_object_size) or ($minimum_object_size == "")) { - $minimum_object_size = "0"; - } - $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n"; - $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n"; - - if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) { - $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n"; - $config_array[] = 'never_direct allow all' . "\n"; - } - unset($proxy_forwarding); - - - /* define default ruleset for transparent proxy operation */ - if (isset($transparent_proxy) && ($transparent_proxy == "on")) { - $config_array[] = 'httpd_accel_host virtual' . "\n"; - $config_array[] = 'httpd_accel_port 80' . "\n"; - $config_array[] = 'httpd_accel_with_proxy on' . "\n"; - $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n"; - } - unset($transparent_proxy); - - - /* define visible hostname */ - if (isset($visible_hostname) && ($visible_hostname !== "")) { - $config_array[] = 'visible_hostname ' . $visible_hostname . "\n"; - } - unset($visible_hostname); - - /* define cache administrators email address within error messages */ - if (isset($cache_admin_email) && ($cache_admin_email !== "")) { - $config_array[] = 'cache_mgr ' . $cache_admin_email . 
"\n\n"; - } - unset($cache_admin_email); - - /* write configuration file */ - foreach ($config_array as $config_item) - { - fwrite($fout, trim($config_item)); - - if (stristr($config_item, "\n")) - { - for ($i = 1; $i < count(explode("\n", $config_item)); $i++) - { - fwrite($fout, "\n"); - } - } - - } - fclose($fout); - - conf_mount_ro(); - config_unlock(); - - touch($squidconfig); -} /* end function write_squid_config */ - -function squid3_custom_php_install_command() { - /* write initial static config for transparent proxy */ - write_static_squid_config(); - - touch("/tmp/squid3_custom_php_install_command"); - - /* make sure this all exists, see: - * https://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 - */ - update_output_window("Setting up Squid environment..."); - mwexec("mkdir -p /var/squid"); - mwexec("chown squid:squid /var/squid"); - mwexec("mkdir -p /var/squid/logs"); - mwexec("chown squid:squid /var/squid/logs"); - mwexec("mkdir -p /var/squid/cache"); - mwexec("chown squid:squid /var/squid/cache"); - mwexec("mkdir -p /usr/local/etc/squid/advanced"); - mwexec("chown squid:squid /usr/local/etc/squid/advanced"); - mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); - mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); - mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); - mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); - mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); - mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); - mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); - - - /* set a few extra items noted by regan */ - update_output_window("Creating logs and setting user information..."); - $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w"); - fwrite($fdsquid, "#/bin/sh\n"); - fwrite($fdsquid, "# \n"); - fwrite($fdsquid, "# This file was created by the pfSense package system\n"); - 
fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n"); - fwrite($fdsquid, "# \n\n"); - fwrite($fdsquid, "chown squid:wheel /dev/pf\n"); - fwrite($fdsquid, "chmod ug+rw /dev/pf\n"); - fwrite($fdsquid, "touch /var/log/useragent.log\n"); - fwrite($fdsquid, "touch /var/log/access.log\n"); - fwrite($fdsquid, "touch /var/log/cache.log\n"); - fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n"); - fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n"); - fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n"); - fwrite($fdsquid, "\n"); - fclose($fdsquid); - mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh"); - mwexec("/usr/local/etc/rc.d/aSquid.sh"); - - update_output_window("Creating Proxy Server initialization scripts..."); - $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty"; - $stop = "/usr/local/sbin/squid -k shutdown"; - write_rcfile(array( - "file" => "squid.sh", - "start" => $start, - "stop" => $stop - ) - ); - - mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); - - /* create log directory hierarchies if they don't exist */ - update_output_window("Creating required directory hierarchies..."); - - if (!file_exists("/var/squid/logs")) { - mwexec("mkdir -p /var/squid/logs"); - } - mwexec("/usr/sbin/chown squid:squid /var/squid/logs"); - - - if (!file_exists("/var/squid/cache")) { - mwexec("mkdir -p /var/squid/cache"); - } - mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); - - if (!file_exists("/usr/local/etc/squid/advanced/acls")) { - mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); - } - mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls"); - - if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { - mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); - } - mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa"); - - if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { - mwexec("mkdir -p 
/usr/local/etc/squid/advanced/ntlm"); - } - mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm"); - - if (!file_exists("/usr/local/etc/squid/advanced/radius")) { - mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); - } - mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); - - $devfs_file = fopen("/etc/devfs.conf", "a"); - fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. "); - fwrite($devfs_file, "own pf root:squid"); - fwrite($devfs_file, "perm pf 0640"); - fclose($devfs_file); - - update_output_window("Initializing Cache... This may take a moment..."); - mwexec("/usr/local/sbin/squid -z"); - - update_output_window("Starting Proxy Server..."); - start_service("squid"); -} - -function squid3_custom_php_deinstall_command() { - update_output_window("Stopping proxy service..."); - stop_service("squid"); - sleep(1); - /* brute force any remaining squid processes out */ - mwexec("/usr/bin/killall squid"); - mwexec("/usr/bin/killall pinger"); - update_output_window("Recursively removing directories hierarchies. 
If existant, log files in /var/squid/logs will remain..."); - mwexec("rm -rf /var/squid/cache"); - update_output_window("Removing configuration files..."); - unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); - unlink_if_exists("/usr/local/libexec/squid"); - unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh"); - mwexec("rm -f /usr/local/etc/rc.d/squid*"); - mwexec("rm -f /usr/local/www/cachemgr.cgi"); - filter_configure(); -} - -function write_static_squid_config() { - touch("/tmp/write_static_squid_config"); - global $config; - $lancfg = $config['interfaces']['lan']; - $lanif = $lancfg['if']; - $lanip = $lancfg['ipaddr']; - $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); - $lansn = $lancfg['subnet']; - - $fout = fopen("/usr/local/etc/squid/squid.conf","w"); - fwrite($fout, "#\n"); - fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); - fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); - fwrite($fout, "#\n"); - - /* set # of dns children */ - fwrite($fout, "dns_children 15\n"); - - fwrite($fout, "shutdown_lifetime 5 seconds\n"); - fwrite($fout, "icp_port 0\n"); - fwrite($fout, "\n"); - - fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); - fwrite($fout, "no_cache deny QUERY\n"); - fwrite($fout, "\n"); - - fwrite($fout, "pid_filename /var/run/squid.pid\n"); - fwrite($fout, "\n"); - - fwrite($fout, "cache_mem 24 MB\n"); - fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); - fwrite($fout, "\n"); - - fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); - fwrite($fout, "\n"); - - fwrite($fout, "memory_replacement_policy heap GDSF\n"); - fwrite($fout, "cache_replacement_policy heap GDSF\n"); - fwrite($fout, "\n"); - - fwrite($fout, "cache_access_log none\n"); - fwrite($fout, "cache_log none\n"); - fwrite($fout, "cache_store_log none\n"); - fwrite($fout, "\n"); - - fwrite($fout, "log_mime_hdrs off\n"); - fwrite($fout, "emulate_httpd_log on\n"); 
- fwrite($fout, "forwarded_for off\n"); - fwrite($fout, "\n"); - - fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); - fwrite($fout, "\n"); - - fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n"); - fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); - fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); - fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); - fwrite($fout, "acl Safe_ports port 80 # http\n"); - fwrite($fout, "acl Safe_ports port 21 # ftp\n"); - fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); - fwrite($fout, "acl Safe_ports port 70 # gopher\n"); - fwrite($fout, "acl Safe_ports port 210 # wais\n"); - fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); - fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); - fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); - fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); - fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); - fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); - fwrite($fout, "\n"); - - fwrite($fout, "acl CONNECT method CONNECT\n"); - fwrite($fout, "\n"); - - fwrite($fout, "#access to squid; local machine; no restrictions\n"); - fwrite($fout, "http_access allow localnet\n"); - fwrite($fout, "http_access allow localhost\n"); - fwrite($fout, "\n"); - - fwrite($fout, "#Deny non web services\n"); - fwrite($fout, "http_access deny !Safe_ports\n"); - fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); - fwrite($fout, "\n"); - - fwrite($fout, "#Set custom configured ACLs\n"); - fwrite($fout, "http_access deny all\n"); - fwrite($fout, "visible_hostname pfSense\n"); - fwrite($fout, "\n"); - - fwrite($fout, "cache_effective_user squid\n"); - fwrite($fout, "cache_effective_group squid\n"); - fwrite($fout, "\n"); - - fwrite($fout, "maximum_object_size 4096 KB\n"); - fwrite($fout, "minimum_object_size 0 KB\n"); - fwrite($fout, "\n"); - - fwrite($fout, 
"request_body_max_size 0 KB\n"); - fwrite($fout, "reply_body_max_size 0 allow all\n"); - fwrite($fout, "\n"); - - fwrite($fout, "httpd_accel_host virtual\n"); - fwrite($fout, "httpd_accel_port 80\n"); - fwrite($fout, "httpd_accel_with_proxy on\n"); - fwrite($fout, "httpd_accel_uses_host_header on\n"); - - fclose($fout); -} - -function mod_htpasswd() { - global $config; - conf_mount_rw(); - config_lock(); - - if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); - - $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); - - if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { - foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { - $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); - fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); - } - } - - fclose($passfile); - - conf_mount_ro(); - config_unlock(); -} - -function generate_htpasswd($username, $password) { - $all = explode( " ", - "a b c d e f g h i j k l m n o p q r s t u v w x y z " - . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " - . "0 1 2 3 4 5 6 7 8 9"); - - for ($i = 0; $i < 9; $i++) { - srand((double)microtime()*1000000); - $randy = rand(0,61); - $seed .= $all[$randy]; - } - - $crypt = crypt($password, "$1$$seed"); - return $crypt; -} - -?> diff --git a/config/squid3/34/squid_ng.xml b/config/squid3/34/squid_ng.xml deleted file mode 100755 index b96b4eb2..00000000 --- a/config/squid3/34/squid_ng.xml +++ /dev/null 
@@ -1,267 +0,0 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> -<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> -<packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ -/* - authng.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. - - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ -/* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: - - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. - - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. 
- */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> - <name>squid</name> - <version>2.5.12_4</version> - <title>Services: Proxy Server</title> - <category>Security</category> - <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&id=0</aftersaveredirect> - <include_file>/usr/local/pkg/squid_ng.inc</include_file> - <menu> - <name>Squid</name> - <tooltiptext>Modify settings for Proxy Server</tooltiptext> - <section>Services</section> - <url>/pkg_edit.php?xml=squid_ng.xml&id=0</url> - </menu> - <menu> - <name>Squid stats</name> - <tooltiptext>Show Squid statistics</tooltiptext> - <section>Services</section> - <url>/cachemgr.cgi</url> - </menu> - <service> - <name>squid</name> - <rcfile>squid.sh</rcfile> - </service> - <tabs> - <tab> - <text>General Settings</text> - <url>/pkg_edit.php?xml=squid.xml&id=0</url> - <active/> - </tab> - <tab> - <text>Upstream Proxy</text> - <url>/pkg_edit.php?xml=squid_upstream.xml&id=0</url> - </tab> - <tab> - <text>Cache Mgmt</text> - <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> - </tab> - <tab> - <text>Network Access Control</text> - <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> - </tab> - <tab> - <text>Traffic Mgmt</text> - <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> - </tab> - <tab> - <text>Auth</text> - <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> - </tab> - <tab> - <text>Extended Auth</text> - <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url> - </tab> - </tabs> - <configpath>installedpackages->package->squidng->configuration->settings</configpath> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_cache.xml</item> - </additional_files_needed> - <additional_files_needed> - 
<prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_nac.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_ng.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_traffic.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_upstream.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_auth.xml</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_auth.inc</item> - </additional_files_needed> - <additional_files_needed> - <prefix>/usr/local/pkg/</prefix> - <chmod>0755</chmod> - <item>https://packages.pfsense.org/packages/config/squid/squid_extauth.xml</item> - </additional_files_needed> - <fields> - <field> - <fielddescr>Proxy Listening Interface</fielddescr> - <fieldname>active_interface</fieldname> - <description>This defines the active listening interface to which the proxy server will listen for its requests.</description> - <type>interfaces_selection</type> - </field> - <field> - <fielddescr>Transparent Proxy</fielddescr> - <fieldname>transparent_proxy</fieldname> - <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>URL Filtering 
Enabled</fielddescr> - <fieldname>urlfilter_enable</fieldname> - <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Disable Access Log</fielddescr> - <fieldname>accesslog_disabled</fieldname> - <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Log Query Terms</fielddescr> - <fieldname>log_query_terms</fieldname> - <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Log User Agents</fielddescr> - <fieldname>log_user_agents</fieldname> - <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description> - <type>checkbox</type> - </field> - <field> - <fielddescr>Proxy Port</fielddescr> - <fieldname>proxy_port</fieldname> - <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description> - <type>input</type> - <size>4</size> - <combinefieldsend>true</combinefieldsend> - </field> - <field> - <fielddescr>ICP Port</fielddescr> - <fieldname>icp_port</fieldname> - <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. 
The default value is 0, which means this function is disabled.</description> - <type>input</type> - <size>4</size> - </field> - <field> - <fielddescr>Visible Hostname</fielddescr> - <fieldname>visible_hostname</fieldname> - <description>This URL is displayed on the Proxy Server error messages.</description> - <type>input</type> - <size>35</size> - </field> - <field> - <fielddescr>Cache Administrator E-Mail</fielddescr> - <fieldname>cache_admin_email</fieldname> - <description>This E-Mail address is displayed on the Proxy Server error messages.</description> - <type>input</type> - <size>35</size> - </field> - <field> - <fielddescr>Error Messages Language</fielddescr> - <fieldname>error_language</fieldname> - <description>Select the language in which the Proxy Server shall display error messages to users.</description> - <type>select</type> - <options> - <option><name>Bulgarian</name><value>Bulgarian</value></option> - <option><name>Catalan</name><value>Catalan</value></option> - <option><name>Czech</name><value>Czech</value></option> - <option><name>Danish</name><value>Danish</value></option> - <option><name>Dutch</name><value>Dutch</value></option> - <option><name>English</name><value>English</value></option> - <option><name>Estonian</name><value>Estonian</value></option> - <option><name>Finnish</name><value>Finnish</value></option> - <option><name>French</name><value>French</value></option> - <option><name>German</name><value>German</value></option> - <option><name>Hebrew</name><value>Hebrew</value></option> - <option><name>Hungarian</name><value>Hungarian</value></option> - <option><name>Italian</name><value>Italian</value></option> - <option><name>Japanese</name><value>Japanese</value></option> - <option><name>Korean</name><value>Korean</value></option> - <option><name>Lithuanian</name><value>Lithuanian</value></option> - <option><name>Polish</name><value>Polish</value></option> - <option><name>Portuguese</name><value>Portuguese</value></option> - 
<option><name>Romanian</name><value>Romanian</value></option>
- <option><name>Russian-1251</name><value>Russian-1251</value></option>
- <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
- <option><name>Serbian</name><value>Serbian</value></option>
- <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
- <option><name>Slovak</name><value>Slovak</value></option>
- <option><name>Spanish</name><value>Spanish</value></option>
- <option><name>Swedish</name><value>Swedish</value></option>
- <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
- <option><name>Turkish</name><value>Turkish</value></option>
- </options>
- </field>
- <field>
- <fielddescr>Enable cachemgr</fielddescr>
- <fieldname>cachemgr_enabled</fieldname>
- <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. <b>Note:</b> This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description>
- <type>checkbox</type>
- </field>
-
- </fields>
- <custom_add_php_command_late>
- global_write_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- start_service("squid");
- </custom_add_php_command_late>
- <custom_php_install_command>
- squid3_custom_php_install_command();
- write_static_squid_config();
- mwexec("/usr/local/sbin/squid -k reconfigure");
- start_service("squid");
- </custom_php_install_command>
- <custom_php_deinstall_command>
- squid3_custom_php_deinstall_command();
- stop_service("squid");
- </custom_php_deinstall_command>
-</packagegui>
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc
index 3f216296..f583ee12 100755
--- a/config/squid3/34/squid_reverse.inc
+++ b/config/squid3/34/squid_reverse.inc
@@ -31,8 +31,6 @@ function squid_resync_reverse() {
 global $config;
- //if(!is_array($valid_acls))
- // return;
 //CONFIG FILE
 if (is_array($config['installedpackages']['squidreversegeneral']))
@@ -46,19 +44,19 @@ function squid_resync_reverse() {
 $conf = "# Reverse Proxy settings\n";
- if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
- $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
+ if (isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
+ $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
 if ($svr_cert != false) {
- if(base64_decode($svr_cert['crt'])) {
+ if (base64_decode($svr_cert['crt'])) {
 file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt']));
 $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
- }
- if(base64_decode($svr_cert['prv'])) {
+ }
+ if (base64_decode($svr_cert['prv'])) {
 file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv']));
 $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
- }
 }
 }
+ }
 if (!empty($settings['reverse_int_ca']))
 file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
@@ -66,42 +64,41 @@ function squid_resync_reverse() {
 $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
 $real_ifaces = array();
- #set HTTP port and defsite
+ // set HTTP port and defsite
 $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']);
 $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']);
- #set HTTPS port and defsite
+ // set HTTPS port and defsite
 $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']);
 $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']);
 foreach (explode(",", $ifaces) as $i => $iface) {
 $real_ifaces[] = squid_get_real_interface_address($iface);
- if($real_ifaces[$i][0]) {
- //HTTP
- if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
- $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
- //HTTPS
- if (!empty($settings['reverse_https']))
- $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
- }
+ if ($real_ifaces[$i][0]) {
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
 }
+ }
- if(!empty($settings['reverse_ip'])) {
+ if (!empty($settings['reverse_ip'])) {
 $reverse_ip = explode(";", ($settings['reverse_ip']));
 foreach ($reverse_ip as $reip) {
- //HTTP
- if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
- $conf .= "http_port 
{$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
- //HTTPS
- if (!empty($settings['reverse_https']))
- $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
- }
- }
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
+ }
 //PEERS
- if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])))
-
- if(!empty($settings['reverse_owa_ip'])) {
+ if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) {
+ if (!empty($settings['reverse_owa_ip'])) {
 $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
 $casnr = 0;
 foreach ($reverse_owa_ip as $reowaip) {
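Review bot: The `https_port ... cert={$reverse_crt} key={$reverse_key}` lines in both the per-interface and the per-IP branch are emitted whenever `reverse_https` is set, but `$reverse_crt` and `$reverse_key` are only assigned (earlier in the function, in the preceding hunk) when a certificate is selected and decodes, so without one the generated squid.conf carries an empty `cert= key=` and the reconfigure will most likely fail. Guard both HTTPS branches with `if (!empty($settings['reverse_https']) && !empty($reverse_crt) && !empty($reverse_key))`, or log and skip the listener explicitly. The `reverse_ip` entries are also interpolated into listener lines with no `is_ipaddr()` check, so one stray value breaks the whole configuration rather than just that entry. squid_resync_reverse() continues beyond this hunk.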
@@ -110,36 +107,38 @@ function squid_resync_reverse() {
 $conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n";
 }
 }
+ }
- $active_peers=array();
- if (is_array($reverse_peers))
- foreach ($reverse_peers as $rp){
- if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){
- $conf_peer = "#{$rp['description']}\n";
- $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
- if($rp['protocol'] == 'HTTPS')
- $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
+ $active_peers=array();
+ if (is_array($reverse_peers)) {
+ foreach ($reverse_peers as $rp) {
+ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !="") {
+ $conf_peer = "#{$rp['description']}\n";
+ $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
+ if ($rp['protocol'] == 'HTTPS')
+ $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
 $conf_peer .= "name=rvp_{$rp['name']}\n\n";
 // add peer only if reverse proxy is enabled for http
- if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){
+ if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on") {
 $conf .= $conf_peer;
 array_push($active_peers,$rp['name']);
- }
+ }
 // add peer only if if reverse proxy is enabled for https
- if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){
- if (!in_array($rp['name'],$active_peers)){
+ if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on") {
+ if (!in_array($rp['name'],$active_peers)) {
 $conf .= $conf_peer;
- array_push($active_peers,$rp['name']);
+ array_push($active_peers,$rp['name']);
 }
 }
- }
- }
+ }
+ }
+ }
 //REDIRECTS
 if (is_array($reverse_redir)) {
 foreach ($reverse_redir as $rdr) {
- 
if($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
+ if ($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
 $conf_rdr = "# Redirect: {$rdr['description']}\n";
 if (is_array($rdr['row'])) {
@@ -152,11 +151,11 @@ function squid_resync_reverse() {
 $conf_rdr .= "deny_info {$rdr['redirurl']} rdr_path_{$rdr['name']}\n";
 foreach (explode(',', $rdr['protocol']) as $rdr_protocol) {
- if($rdr_protocol == "HTTP") {
+ if ($rdr_protocol == "HTTP") {
 $conf_rdr .= "http_access deny HTTP rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
 }
- if($rdr_protocol == "HTTPS") {
+ if ($rdr_protocol == "HTTPS") {
 $conf_rdr .= "http_access deny HTTPS rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
 }
 }
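Review bot: The HTTPS peer line in the first hunk keeps `ssl sslflags=DONT_VERIFY_PEER`, so the reverse proxy never validates the backend's certificate and a substituted or redirected upstream is accepted silently; since the commit already restructures this block, it is the place to at least say so, e.g. `// NOTE: backend certificate is not verified (DONT_VERIFY_PEER); only acceptable on a trusted internal segment`, and preferably to make verification a per-peer option by emitting `sslcafile=` with a configured CA instead of the flag. `$rp['ip']`, `$rp['port']` and `$rp['name']` are interpolated into the `cache_peer` line after only non-empty checks, so a name with whitespace produces a malformed `name=rvp_...` token and an unexpected `ip` value breaks the config rather than just that peer; a validity check before the interpolation would keep one bad row from taking the proxy down. squid_resync_reverse() starts before this hunk and continues after it.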
@@ -170,24 +169,24 @@ function squid_resync_reverse() {
 //ACLS and MAPPINGS
- //create an empty owa_dirs to populate based on user selected options
+ //create an empty owa_dirs to populate based on user selected options
 $owa_dirs=array();
- if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){
- if(!empty($settings['reverse_owa_ip'])){
+ if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on") {
+ if (!empty($settings['reverse_owa_ip'])) {
 array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB');
- if($settings['reverse_owa_activesync'])
- array_push($owa_dirs,'Microsoft-Server-ActiveSync');
- if($settings['reverse_owa_rpchttp'])
- array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
- if($settings['reverse_owa_mapihttp'])
- array_push($owa_dirs,'mapi');
- if($settings['reverse_owa_webservice']){
- array_push($owa_dirs,'EWS');
- }
- }
- if (is_array($owa_dirs))
- foreach ($owa_dirs as $owa_dir)
- $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+ if ($settings['reverse_owa_activesync'])
+ array_push($owa_dirs,'Microsoft-Server-ActiveSync');
+ if ($settings['reverse_owa_rpchttp'])
+ array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
+ if ($settings['reverse_owa_mapihttp'])
+ array_push($owa_dirs,'mapi');
+ if ($settings['reverse_owa_webservice'])
+ array_push($owa_dirs,'EWS');
+ }
+ if (is_array($owa_dirs)) {
+ foreach ($owa_dirs as $owa_dir)
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+ }
 if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) {
 $reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.');
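Review bot: `$settings['reverse_external_fqdn']` and the `$owa_dir` entries are interpolated into the `url_regex` pattern unescaped, so every `.` in the host name and in `rpc/rpcproxy.dll` is a regex wildcard and the OWA_URI_pfs ACL matches more hosts than intended (`mail-example-com` satisfies a `mail.example.com` pattern). Escape the dots before building the pattern, e.g. `$fqdn_re = str_replace('.', '\.', $settings['reverse_external_fqdn']);` and use `{$fqdn_re}` in the `acl` line; the same applies to the three AutoDiscover patterns in the next hunk. The new `if (is_array($owa_dirs))` test is always true because `$owa_dirs` is initialised as `array()` three lines above, so it can be dropped together with its braces. squid_resync_reverse() continues outside this hunk.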
@@ -195,36 +194,36 @@ function squid_resync_reverse() {
 $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n";
 $conf .= "acl OWA_URI_pfs url_regex -i ^http://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
 $conf .= "acl OWA_URI_pfs url_regex -i ^https://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
- }
 }
+ }
 //$conf .= "ssl_unclean_shutdown on";
- if (is_array($reverse_maps))
- foreach ($reverse_maps as $rm){
- if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!=""){
- if (is_array($rm['row']))
- foreach ($rm['row'] as $uri){
+ if (is_array($reverse_maps)) {
+ foreach ($reverse_maps as $rm) {
+ if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!="" && is_array($rm['row'])) {
+ foreach ($rm['row'] as $uri) {
 $url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] );
 //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n";
 $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n";
- if($rm['name'] != $last_rm_name){
+ if ($rm['name'] != $last_rm_name) {
 $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n";
 $http_access_conf .= "http_access allow rvm_{$rm['name']}\n";
- foreach (explode(',',$rm['peers']) as $map_peer)
- if (in_array($map_peer,$active_peers)){
+ foreach (explode(',',$rm['peers']) as $map_peer) {
+ if (in_array($map_peer,$active_peers)) {
 $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n";
 $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n";
 }
- $last_rm_name=$rm['name'];
 }
+ $last_rm_name=$rm['name'];
+ }
 }
- }
+ }
+ }
 }
 //ACCESS
- if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
+ if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
- 
for($cascnt=1;$cascnt<$casnr+1;$cascnt++)
- {
+ for ($cascnt=1;$cascnt<$casnr+1;$cascnt++) {
 $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n";
 $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n";
 $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n";
@@ -233,7 +232,7 @@ function squid_resync_reverse() {
 $conf .= "never_direct allow OWA_URI_pfs\n";
 $conf .= "http_access allow OWA_URI_pfs\n";
- }
+ }
 $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n";
@@ -242,4 +241,5 @@ function squid_resync_reverse() {
 return $conf;
 }
+
 ?> |
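Review bot: In the mapping loop of the first hunk, a row with an empty `uri` falls back to the external FQDN as an unanchored, unescaped `url_regex` (`acl rvm_{$rm['name']} url_regex -i {$url_regex}`), which matches any URL that merely contains that string in its path or query, not only requests for that host, and that ACL then feeds both `http_access allow` and `never_direct allow`. If host-only matching is the intent, anchor and escape the default, e.g. `$url_regex = ($uri['uri'] == '' ? '^https?://' . str_replace('.', '\.', $settings['reverse_external_fqdn']) . '/' : $uri['uri']);`, and confirm the behaviour against the GUI help text for that row. `$last_rm_name` is compared before anything in this hunk assigns it, which raises a notice unless it is initialised earlier in the function. squid_resync_reverse() begins before this hunk and its end is in the last hunk.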