Diffstat (limited to 'config/squid3')
-rwxr-xr-x | config/squid3/33/squid.inc | 112 | ||||
-rw-r--r-- | config/squid3/33/squid.xml | 25 | ||||
-rwxr-xr-x | config/squid3/33/squid_cache.xml | 11 |
3 files changed, 104 insertions, 44 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 94c85a7e..8eb9f2fa 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -777,6 +777,41 @@ function squid_install_cron($should_install) { configure_cron(); } +function squid_check_ca_hashes(){ + global $config,$g; + + #check certificates + $cert_count=0; + if (is_dir(SQUID_LOCALBASE. '/share/certs')) + if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) { + while (false !== ($file = readdir($handle))) + if (preg_match ("/\d+.0/",$file)) + $cert_count++; + } + closedir($handle); + if ($cert_count < 10){ + conf_mount_rw(); + #create ca-root hashes from ca-root-nss package + log_error("Creating root certificate bundle hashes from the Mozilla Project"); + $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); + $cert=0; + foreach ($cas as $ca){ + if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) + $cert=1; + if ($cert == 1) + $crt.=$ca; + if (preg_match("/-END CERTIFICATE-/",$ca)){ + file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); + $cert_hash=array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); + file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); + $crt=""; + $cert=0; + } + } + } +} + function squid_resync_general() { global $g, $config, $valid_acls; @@ -785,11 +820,11 @@ function squid_resync_general() { else $settings=array(); $conf = "# This file is automatically generated by pfSense\n"; - $conf .= "# Do not edit manually !\n"; + $conf .= "# Do not edit manually !\n\n"; #Check ssl interception - $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); if (($settings['ssl_proxy'] == 'on')) { - $srv_cert = lookup_cert($settings["dcert"]); + squid_check_ca_hashes(); + $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { if(base64_decode($srv_cert['prv'])) { #check if ssl_db was initilized by squid 
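Review bot: The switch from `lookup_cert($settings["dcert"])` to `lookup_ca($settings["dca"])` carries no migration for configurations saved under the old field, so after upgrading `$settings["dca"]` is presumably unset and `$srv_cert` is false while `ssl_proxy` is still on. The visible code only acts inside `if ($srv_cert != false)`, which the next hunk closes without an else, so interception silently ends up unconfigured rather than failing loudly. I would add an else to that check with `log_error("squid: SSL interception is enabled but no CA is selected; ssl-bump not configured");` so the condition shows up in the system log. squid_resync_general continues past the end of the hunk.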
@@ -801,17 +836,23 @@ function squid_resync_general() { } #force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); + # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext $crt_pk=SQUID_CONFBASE."/serverkey.pem"; + $crt_capath=SQUID_LOCALBASE."/share/certs/"; file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); - - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n"; - $interception_checks=""; + $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); + $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; + $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; + $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; + $interception_checks .= "sslproxy_capath {$crt_capath}\n"; if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) $interception_checks.="sslproxy_cert_error allow all\n"; if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; - if ($settings["interception_adapt"] != "") - $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n"; + if ($settings["interception_adapt"] != ""){ + foreach (explode(",",$settings["interception_adapt"]) as $adapt) + $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; + } } } } 
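Review bot: With `$srv_cert` now coming from lookup_ca, the `file_put_contents($crt_pk, ...)` just below the new `$crt_capath` line writes the signing CA's private key into SQUID_CONFBASE/serverkey.pem with whatever mode the process umask yields, and nothing in the hunk tightens it. Every client that installs this CA trusts whatever that key signs, so it deserves at least the care the ssl_db tree gets a few lines earlier: `chmod($crt_pk, 0600);` after the write, and if the helper runs as the same `proxy` user that ssl_db is chowned to, `chown($crt_pk, 'proxy'); chgrp($crt_pk, 'proxy');` as well. Separately, the exploded `interception_adapt` values are emitted into squid.conf unchecked; the XML side is a fixed select, but an `in_array($adapt, array('setValidAfter','setValidBefore','setCommonName'), true)` guard costs nothing and keeps a hand-edited config.xml from injecting a directive. squid_resync_general runs past both ends of the hunk.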
@@ -887,7 +928,7 @@ function squid_resync_general() { $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); - $conf .= <<<EOD + $conf .= <<< EOD icp_port {$icp_port} dns_v4_first {$dns_v4_first} pid_filename {$pidfile} @@ -900,7 +941,6 @@ cache_mgr {$email} access_log {$logdir_access} cache_log {$logdir_cache} cache_store_log none -sslcrtd_children {$sslcrtd_children} {$interception_checks} EOD; @@ -912,7 +952,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate']; $conf .= "logfile_rotate {$rotate}\n"; squid_install_cron(true); - $conf .= <<<EOD + $conf .= <<< EOD shutdown_lifetime 3 seconds EOD; @@ -987,7 +1027,7 @@ if(empty($settings['cache_dynamic_content'])){ } else{ if(preg_match('/youtube/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -998,7 +1038,7 @@ cache allow youtube EOC; } if(preg_match('/windows/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Windows Update refresh_pattern range_offset_limit -1 @@ -1010,7 +1050,7 @@ EOC; } if(preg_match('/symantec/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Symantec refresh_pattern range_offset_limit -1 @@ -1020,7 +1060,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re EOC; } if(preg_match('/avast/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Avast refresh_pattern range_offset_limit -1 @@ -1029,7 +1069,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i EOC; } if(preg_match('/avira/',$settings['refresh_patterns'])){ - $conf.=<<<EOC + $conf.=<<< EOC # Avira refresh_pattern range_offset_limit -1 
@@ -1037,18 +1077,22 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43 EOC; } - $refresh_conf=<<<EOC + $refresh_conf=<<< EOC # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 + EOC; - } + + If ($settings['custom_refresh_patterns'] !="") + $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; + + $conf .= <<< EOD - $conf .= <<<EOD cache_mem $memory_cache_size MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} @@ -1067,11 +1111,12 @@ EOD; if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; - $conf .= 'cache deny donotcache'; + $conf .= "cache deny donotcache\n"; } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } + $conf .= "cache allow all\n"; return $conf.$refresh_conf; } @@ -1133,7 +1178,7 @@ function squid_resync_nac() { $addtl_sslports = $settings['addtl_sslports']; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); - $conf = <<<EOD + $conf = <<< EOD # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. @@ -1152,7 +1197,6 @@ acl connect method CONNECT acl HTTP proto HTTP acl HTTPS proto HTTPS - EOD; $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); @@ -1187,7 +1231,7 @@ EOD; } } - $conf .= <<<EOD + $conf .= <<< EOD http_access allow manager localhost EOD; 
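Review bot: The hunk removes the `}` that closed the `} else{` branch of the dynamic-content check and adds no replacement, so unless a matching brace exists outside the hunk the else block now stays open to the end of the function; the squid_cache.xml text says custom patterns apply only when dynamic cache is enabled, and that gating now depends on where this block actually closes. The decoded `custom_refresh_patterns` text is concatenated into squid.conf verbatim, so any directive, not just refresh_pattern, can be inserted and one malformed line stops Squid from starting; with a GUI-admin source that is defensible, but it should be stated next to the call: `# custom_refresh_patterns is admin-supplied and inserted into squid.conf unvalidated`. `If` with a capital I parses, but the file spells the keyword `if` everywhere else. squid_resync_general runs past both ends of the hunk.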
@@ -1204,7 +1248,7 @@ EOD; } } - $conf .= <<<EOD + $conf .= <<< EOD http_access deny manager http_access allow purge localhost @@ -1262,7 +1306,7 @@ function squid_resync_antivirus(){ $clwarn="clwarn.cgi.pt_BR"; copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi"); - $conf = <<<EOF + $conf = <<< EOF icap_enable on icap_send_client_ip {$icap_send_client_ip} icap_send_client_username {$icap_send_client_username} @@ -1412,7 +1456,7 @@ function squid_resync_traffic() { $perhost = -1; else $perhost *= 1024; - $conf .= <<<EOD + $conf .= <<< EOD delay_pools 1 delay_class 1 2 delay_parameters 1 $overall/$overall $perhost/$perhost 
@@ -1608,23 +1652,23 @@ function squid_resync_auth() { $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; break; case 'ldap': $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; break; case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n"; + $conf .= "auth_param basic program ". SQUID_LOCALBASE . 
"/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } - $conf .= <<<EOD + $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt auth_param basic credentialsttl $auth_ttl minutes @@ -1650,7 +1694,7 @@ EOD; // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) - $conf .="http_access deny passowrd sglog\n"; + $conf .="http_access deny password sglog\n"; // Allow the other ACLs as long as they authenticate foreach ($password as $acl) @@ -1788,7 +1832,7 @@ function squid_print_javascript_auth() { // No authentication for transparent proxy if ($transparent_proxy) { - $javascript = <<<EOD + $javascript = <<< EOD <script language="JavaScript"> <!-- function on_auth_method_changed() { @@ -1816,7 +1860,7 @@ function on_auth_method_changed() { EOD; } else { - $javascript = <<<EOD + $javascript = <<< EOD <script language="JavaScript"> <!-- function on_auth_method_changed() { diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index 25c1b212..d64aabb9 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -370,12 +370,13 @@ <default_value>3129</default_value> </field> <field> - <fielddescr>Cert</fielddescr> - <fieldname>dcert</fieldname> - <description><![CDATA[Select Certificate to use in SSL interception<br> - To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description> + <fielddescr>CA</fielddescr> + <fieldname>dca</fieldname> + <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br> + To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br> + Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description> <type>select_source</type> - <source><![CDATA[$config['cert']]]></source> + <source><![CDATA[$config['ca']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> </field> 
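Review bot: The renamed basic_ldap_auth and basic_radius_auth lines still pass the bind password and RADIUS secret as `-w {$settings['ldap_pass']}` and `-w {$settings['radius_secret']}` unquoted, so they sit in plaintext in squid.conf and in the helper's argv for anyone who can run `ps`, and a value containing whitespace or a quote splits the command line. Both helpers can take the secret from a file instead (basic_ldap_auth `-W <file>`, basic_radius_auth `-f <config>`), which I would switch to while these lines are being touched, writing the file 0600 alongside SQUID_PASSWD; at minimum double-quote the values as `-f "{$settings['ldap_filter']}"` already is and reject values containing `"`. The other LDAP parameters (`-b`, `-D`, `-u`, `-P`) are interpolated the same way. squid_resync_auth starts before the hunk.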
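Review bot: Selecting a CA here now causes squid.inc to write that CA's private key out to disk for the certificate generator, and the description should say so before an operator picks the CA that also signs their webGUI or VPN certificates: `Use a CA dedicated to SSL interception: its private key is exported to Squid's configuration directory and can sign a certificate for any site.` The description also leaves `<strong>system -> Cert Manager<strong>` unclosed (the second tag needs a slash; the removed text had the same slip), and "an trusted ca" reads better as "a trusted CA". Existing configurations keep the old `dcert` value and gain no `dca`, so a one-line migration or an upgrade note belongs with this field change.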
@@ -401,11 +402,17 @@ <size>3</size> </field> <field> - <fielddescr>sslcrtd adapt</fielddescr> + <fielddescr>Certificate adapt</fielddescr> <fieldname>interception_adapt</fieldname> - <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> - <type>input</type> - <size>70</size> + <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description> + <type>select</type> + <options> + <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option> + <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option> + <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option> + </options> + <multiple/> + <size>3</size> </field> <field> <name>Logging Settings</name> diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml index 9d982dcb..26d6463c 100755 --- a/config/squid3/33/squid_cache.xml +++ b/config/squid3/33/squid_cache.xml 
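Review bot: The new option labels undersell what setValidAfter and setValidBefore do: per the MimicSslServerCert page the description links, they replace the mimicked certificate's validity window with the CA's, so an expired or not-yet-valid upstream certificate is shown to the browser as valid, the opposite of the "informed decision" the same description promises. Only setCommonName carries information from the origin certificate through. I would say so in the option text, e.g. `Copy the CA's "Not After" date instead of the server's (setValidAfter) - hides expired upstream certificates`, and either make "Hint: Set subject CN" an explicit recommendation of setCommonName or drop the hint. The values are fixed here, but squid.inc emits them unchecked, so a whitelist belongs on that side.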
@@ -284,7 +284,16 @@ </options> <multiple/> <size>06</size> - </field> + </field> + <field> + <fielddescr>Custom refresh_patterns</fielddescr> + <fieldname>custom_refresh_patterns</fieldname> + <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description> + <type>textarea</type> + <cols>67</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> </fields> <custom_php_command_before_form> if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { |
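Review bot: The description "This options will be included only if dynamic cache is enabled" is ungrammatical, promises a gate the squid.inc side does not obviously enforce (its hunk removes the brace that closed the dynamic-cache branch), and does not tell the operator that the text lands in squid.conf verbatim. I would write: `Custom refresh_pattern lines, one per line. They are inserted into squid.conf unvalidated, ahead of the default patterns, and only when dynamic content caching is enabled; a malformed line will stop Squid from starting.` The "only when" clause should be confirmed against squid.inc before it ships.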