Diffstat (limited to 'config/squid3')
-rwxr-xr-xconfig/squid3/33/squid.inc112
-rw-r--r--config/squid3/33/squid.xml25
-rwxr-xr-xconfig/squid3/33/squid_cache.xml11
3 files changed, 104 insertions, 44 deletions
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 94c85a7e..8eb9f2fa 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -777,6 +777,41 @@ function squid_install_cron($should_install) {
configure_cron();
}
+function squid_check_ca_hashes(){
+ global $config,$g;
+
+ #check certificates
+ $cert_count=0;
+ if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+ if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) {
+ while (false !== ($file = readdir($handle)))
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ if ($cert_count < 10){
+ conf_mount_rw();
+ #create ca-root hashes from ca-root-nss package
+ log_error("Creating root certificate bundle hashes from the Mozilla Project");
+ $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+ $cert=0;
+ foreach ($cas as $ca){
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ $cert=1;
+ if ($cert == 1)
+ $crt.=$ca;
+ if (preg_match("/-END CERTIFICATE-/",$ca)){
+ file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+ $cert_hash=array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+ file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+ $crt="";
+ $cert=0;
+ }
+ }
+ }
+}
+
function squid_resync_general() {
global $g, $config, $valid_acls;
@@ -785,11 +820,11 @@ function squid_resync_general() {
else
$settings=array();
$conf = "# This file is automatically generated by pfSense\n";
- $conf .= "# Do not edit manually !\n";
+ $conf .= "# Do not edit manually !\n\n";
#Check ssl interception
- $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
if (($settings['ssl_proxy'] == 'on')) {
- $srv_cert = lookup_cert($settings["dcert"]);
+ squid_check_ca_hashes();
+ $srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
if(base64_decode($srv_cert['prv'])) {
#check if ssl_db was initilized by squid
@@ -801,17 +836,23 @@ function squid_resync_general() {
}
#force squid user permission on /var/squid/lib/ssl_db/
squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
+ # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
+ $crt_capath=SQUID_LOCALBASE."/share/certs/";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
-
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n";
- $interception_checks="";
+ $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+ $interception_checks .= "sslproxy_capath {$crt_capath}\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
$interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
- if ($settings["interception_adapt"] != "")
- $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n";
+ if ($settings["interception_adapt"] != ""){
+ foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+ $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ }
}
}
}
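Review bot: The values split out of `$settings["interception_adapt"]` go into squid.conf unvalidated as `sslproxy_cert_adapt {$adapt} all`; the form field is now a select, but nothing on this side confirms each token is one of the three adaptations the XML offers, so a stray or hand-crafted value lands in the generated config. A guard before the append, `if (in_array($adapt, array('setValidAfter', 'setValidBefore', 'setCommonName'), true))`, keeps the config generator honest about what it emits. Separately, the new `sslproxy_capath` line sits next to the still-optional `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` lines; when either of those is enabled the CA bundle presumably has no effect on upstream validation, which is worth a comment here so the interaction is not lost. squid_resync_general() starts and ends outside this hunk.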
@@ -887,7 +928,7 @@ function squid_resync_general() {
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
- $conf .= <<<EOD
+ $conf .= <<< EOD
icp_port {$icp_port}
dns_v4_first {$dns_v4_first}
pid_filename {$pidfile}
@@ -900,7 +941,6 @@ cache_mgr {$email}
access_log {$logdir_access}
cache_log {$logdir_cache}
cache_store_log none
-sslcrtd_children {$sslcrtd_children}
{$interception_checks}
EOD;
@@ -912,7 +952,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
$conf .= "logfile_rotate {$rotate}\n";
squid_install_cron(true);
- $conf .= <<<EOD
+ $conf .= <<< EOD
shutdown_lifetime 3 seconds
EOD;
@@ -987,7 +1027,7 @@ if(empty($settings['cache_dynamic_content'])){
}
else{
if(preg_match('/youtube/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
@@ -998,7 +1038,7 @@ cache allow youtube
EOC;
}
if(preg_match('/windows/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Windows Update refresh_pattern
range_offset_limit -1
@@ -1010,7 +1050,7 @@ EOC;
}
if(preg_match('/symantec/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Symantec refresh_pattern
range_offset_limit -1
@@ -1020,7 +1060,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re
EOC;
}
if(preg_match('/avast/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Avast refresh_pattern
range_offset_limit -1
@@ -1029,7 +1069,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i
EOC;
}
if(preg_match('/avira/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Avira refresh_pattern
range_offset_limit -1
@@ -1037,18 +1077,22 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43
EOC;
}
- $refresh_conf=<<<EOC
+ $refresh_conf=<<< EOC
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
+
EOC;
-
}
+
+ If ($settings['custom_refresh_patterns'] !="")
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
+
+ $conf .= <<< EOD
- $conf .= <<<EOD
cache_mem $memory_cache_size MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
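Review bot: The custom refresh_pattern block is appended after the `}` that closes the dynamic-cache `else{` branch, so it is written to squid.conf whether or not dynamic caching is enabled, while the matching XML field description says it is included only when it is. Moving the `If (...)` and the `$conf .= sq_text_area_decode(...)` lines above that closing brace, and spelling the keyword `if` (PHP accepts `If`, but it reads as a typo), would make the code match the description. Since the decoded text is inserted verbatim, any Squid directive — not only refresh_pattern lines — can be placed in the config through this field; if that is intended, a one-line comment such as `# custom_refresh_patterns is written to squid.conf unmodified` would make it explicit to the next maintainer.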
@@ -1067,11 +1111,12 @@ EOD;
if (!empty($donotcache)) {
file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
- $conf .= 'cache deny donotcache';
+ $conf .= "cache deny donotcache\n";
}
elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
unlink(SQUID_ACLDIR . '/donotcache.acl');
}
+ $conf .= "cache allow all\n";
return $conf.$refresh_conf;
}
@@ -1133,7 +1178,7 @@ function squid_resync_nac() {
$addtl_sslports = $settings['addtl_sslports'];
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
- $conf = <<<EOD
+ $conf = <<< EOD
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
@@ -1152,7 +1197,6 @@ acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
-
EOD;
$allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
@@ -1187,7 +1231,7 @@ EOD;
}
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
http_access allow manager localhost
EOD;
@@ -1204,7 +1248,7 @@ EOD;
}
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
http_access deny manager
http_access allow purge localhost
@@ -1262,7 +1306,7 @@ function squid_resync_antivirus(){
$clwarn="clwarn.cgi.pt_BR";
copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
- $conf = <<<EOF
+ $conf = <<< EOF
icap_enable on
icap_send_client_ip {$icap_send_client_ip}
icap_send_client_username {$icap_send_client_username}
@@ -1412,7 +1456,7 @@ function squid_resync_traffic() {
$perhost = -1;
else
$perhost *= 1024;
- $conf .= <<<EOD
+ $conf .= <<< EOD
delay_pools 1
delay_class 1 2
delay_parameters 1 $overall/$overall $perhost/$perhost
@@ -1608,23 +1652,23 @@ function squid_resync_auth() {
$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
switch ($auth_method) {
case 'local':
- $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n";
+ $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
break;
case 'ldap':
$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
- $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
break;
case 'radius':
$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
break;
case 'msnt':
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n";
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
squid_resync_msnt();
break;
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
auth_param basic children $processes
auth_param basic realm $prompt
auth_param basic credentialsttl $auth_ttl minutes
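Review bot: The renamed LDAP and RADIUS helper lines still pass the bind password and shared secret on the helper command line (`-w {$settings['ldap_pass']}` and `-w {$settings['radius_secret']}`), so both secrets end up in squid.conf and in the argument list of every running helper process, where they are visible to local process listings. If the helper versions shipped with this Squid support it, basic_ldap_auth's `-W <file>` and basic_radius_auth's `-f <configfile>` options let the secret be read from a root-readable file instead; at minimum this deserves a comment noting the exposure. The values are also interpolated unquoted, so a password containing whitespace presumably breaks the argument list. squid_resync_auth() continues outside this hunk.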
@@ -1650,7 +1694,7 @@ EOD;
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
- $conf .="http_access deny passowrd sglog\n";
+ $conf .="http_access deny password sglog\n";
// Allow the other ACLs as long as they authenticate
foreach ($password as $acl)
@@ -1788,7 +1832,7 @@ function squid_print_javascript_auth() {
// No authentication for transparent proxy
if ($transparent_proxy) {
- $javascript = <<<EOD
+ $javascript = <<< EOD
<script language="JavaScript">
<!--
function on_auth_method_changed() {
@@ -1816,7 +1860,7 @@ function on_auth_method_changed() {
EOD;
}
else {
- $javascript = <<<EOD
+ $javascript = <<< EOD
<script language="JavaScript">
<!--
function on_auth_method_changed() {
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
index 25c1b212..d64aabb9 100644
--- a/config/squid3/33/squid.xml
+++ b/config/squid3/33/squid.xml
@@ -370,12 +370,13 @@
<default_value>3129</default_value>
</field>
<field>
- <fielddescr>Cert</fielddescr>
- <fieldname>dcert</fieldname>
- <description><![CDATA[Select Certificate to use in SSL interception<br>
- To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description>
+ <fielddescr>CA</fielddescr>
+ <fieldname>dca</fieldname>
+ <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br>
+ To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br>
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description>
<type>select_source</type>
- <source><![CDATA[$config['cert']]]></source>
+ <source><![CDATA[$config['ca']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
</field>
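Review bot: The CA description's closing tag is wrong — `<strong>system -> Cert Manager<strong>` opens a second strong element instead of closing the first, so the rest of the description renders bold; it should read `<strong>system -> Cert Manager</strong><br>`. The following sentence has a grammar slip, `an trusted ca` should be `a trusted CA`. Since the PHP side writes the selected CA's private key to the proxy's serverkey.pem, the description would also benefit from advising a dedicated interception CA rather than reusing one that signs other certificates.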
@@ -401,11 +402,17 @@
<size>3</size>
</field>
<field>
- <fielddescr>sslcrtd adapt</fielddescr>
+ <fielddescr>Certificate adapt</fielddescr>
<fieldname>interception_adapt</fieldname>
- <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
- <type>input</type>
- <size>70</size>
+ <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option>
+ <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option>
+ <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option>
+ </options>
+ <multiple/>
+ <size>3</size>
</field>
<field>
<name>Logging Settings</name>
diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml
index 9d982dcb..26d6463c 100755
--- a/config/squid3/33/squid_cache.xml
+++ b/config/squid3/33/squid_cache.xml
@@ -284,7 +284,16 @@
</options>
<multiple/>
<size>06</size>
- </field>
+ </field>
+ <field>
+ <fielddescr>Custom refresh_patterns</fielddescr>
+ <fieldname>custom_refresh_patterns</fieldname>
+ <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description>
+ <type>textarea</type>
+ <cols>67</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
</fields>
<custom_php_command_before_form>
if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
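Review bot: The new field description has a number-agreement error, `This options will be included` should be `This option will be included`. Because the PHP side appends the decoded textarea to squid.conf unchanged, the description should also tell the administrator that the content is written as-is, e.g. `Lines entered here are written to squid.conf without modification.`, so it is clear that anything other than refresh_pattern directives will be passed through too.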