Diffstat (limited to 'config/squid3')
-rw-r--r-- | config/squid3/34/check_ip.php | 56 | ||||
-rwxr-xr-x | config/squid3/34/squid.inc | 187 | ||||
-rw-r--r-- | config/squid3/34/squid.xml | 23 | ||||
-rwxr-xr-x | config/squid3/34/squid_antivirus.xml | 1 | ||||
-rw-r--r-- | config/squid3/34/squid_clwarn.php | 95 | ||||
-rw-r--r-- | config/squid3/34/swapstate_check.php | 11 |
6 files changed, 250 insertions, 123 deletions
diff --git a/config/squid3/34/check_ip.php b/config/squid3/34/check_ip.php index a3f07204..5865037b 100644 --- a/config/squid3/34/check_ip.php +++ b/config/squid3/34/check_ip.php @@ -3,7 +3,7 @@ /* $Id$ */ /* check_ip.php - Copyright (C) 2013-2014 Marcello Coutinho + Copyright (C) 2013-2015 Marcello Coutinho All rights reserved. Redistribution and use in source and binary forms, with or without @@ -27,6 +27,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require_once("config.inc"); error_reporting(0); // stdin loop if (! defined(STDIN)) { 
@@ -39,40 +40,24 @@ while( !feof(STDIN)){ $line = trim(fgets(STDIN)); // %SRC -$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); unset($cp_db); -if ($pf_version > 2.0){ - $dir="/var/db"; - $files=scandir($dir); - foreach ($files as $file){ - if (preg_match("/captive.*db/",$file)){ - $dbhandle = sqlite_open("$dir/$file", 0666, $error); - if ($dbhandle){ - $query = "select * from captiveportal"; - $result = sqlite_array_query($dbhandle, $query, SQLITE_ASSOC); - if ($result){ - foreach ($result as $rownum => $row){ - $cp_db[$rownum]=implode(",",$row); - } - sqlite_close($dbhandle); - } - } +$files=scandir($g['vardb_path']); +foreach ($files as $file){ + if (preg_match("/captive.*db/",$file)){ + $result=squid_cp_read_db("{$g['vardb_path']}/{$file}"); + foreach ($result as $rownum => $row){ + $cp_db[$rownum]=implode(",",$row); } - } + } } -else{ - $filename="/var/db/captiveportal.db"; - if (file_exists($filename)) - $cp_db=file($filename); -} $usuario=""; - // 1376630450,2,172.16.3.65,00:50:56:9c:00:c7,admin,e1779ea20d0a11c7,,,, + //1419045939,1419045939,2000,2000,192.168.10.11,192.168.10.11,08:00:27:5c:e1:ee,08:00:27:5c:e1:ee,marcello,marcello,605a1f46e2d64556,605a1f46e2d64556,,,,,,,,,,,first,first if (is_array($cp_db)){ foreach ($cp_db as $cpl){ $fields=explode(",",$cpl); - if ($fields[2] != "" && $fields[2]==$line) - $usuario=$fields[4]; + if ($fields[4] != "" && $fields[4]==$line) + $usuario=$fields[8]; } } if ($usuario !="") @@ -82,5 +67,22 @@ else{ fwrite (STDOUT, "{$resposta}\n"); unset($cp_db); } + +/* read captive portal DB into array */ +function squid_cp_read_db($file) { + $cpdb = array(); + $DB = new SQLite3($file); + if ($DB) { + $response = $DB->query("SELECT * FROM captiveportal"); + if ($response != FALSE) { + while ($row = $response->fetchArray()) + $cpdb[] = $row; + } + $DB->close(); + } + + return $cpdb; +} + ?> diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 87232c2b..69a50125 100755 
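Review bot: `$cp_db[$rownum]=implode(",",$row);` is keyed by the per-file row number, so when more than one `captive*db` file exists under `$g['vardb_path']` the rows of a later file overwrite those of an earlier one, and those clients no longer resolve to a user. Appending with `$cp_db[]=implode(",",$row);` keeps every zone's sessions. The move from `$fields[2]`/`$fields[4]` to `$fields[4]`/`$fields[8]` only holds because `fetchArray()` in `squid_cp_read_db()` returns each column twice, as the new sample comment shows; a one-line comment saying so would stop the offsets from being "corrected" later. The stdin loop this code sits in continues past the hunk.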
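Review bot: `new SQLite3($file)` in `squid_cp_read_db()` opens the captive-portal database read-write (creating it if missing) and throws on failure, so the `if ($DB)` guard never takes its false branch. With `error_reporting(0)` set earlier in the file, an unreadable database ends this ACL helper without any message. Opening with `new SQLite3($file, SQLITE3_OPEN_READONLY)` inside a `try`/`catch` that returns the empty array keeps the helper answering and guarantees it cannot modify portal state. Passing `SQLITE3_NUM` to `fetchArray()` would return each column once, in which case the lookup would compare `$fields[2]` and return `$fields[4]`.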
--- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -42,15 +42,8 @@ if(!function_exists("filter_configure")) require_once("filter.inc"); $shortcut_section = "squid"; -$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -if (is_dir('/usr/pbi/squid-' . php_uname("m"))) { - if ($pfs_version == 2.2) - define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")."/local"); - else - define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); -} else { - define('SQUID_LOCALBASE','/usr/local'); -} +define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m")); +define('SQUID_LOCALBASE', SQUID_BASE . "/local"); define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid'); define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf'); @@ -138,12 +131,12 @@ function squid_dash_z($cache_action='none') { if(!is_dir($cachedir.'/00/')) { log_error("Creating squid cache subdirs in $cachedir"); - mwexec(SQUID_LOCALBASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE); + mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE); sleep(5); - mwexec(SQUID_LOCALBASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE); + mwexec(SQUID_BASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE); // Double check permissions here, should be safe to recurse cache dir if it's small here. mwexec("/usr/sbin/chown -R proxy:proxy $cachedir"); - mwexec(SQUID_LOCALBASE. "/sbin/squid -z -f " . SQUID_CONFFILE); + mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE); } if(file_exists("/var/squid/cache/swap.state")) { 
@@ -176,7 +169,7 @@ function squid_install_command() { $settingsgen = $config['installedpackages']['squid']['config'][0]; if (file_exists("/usr/local/pkg/check_ip.php")) - rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php"); + rename("/usr/local/pkg/check_ip.php",SQUID_BASE . "/bin/check_ip.php"); /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -347,11 +340,11 @@ function squid_install_command() { if (!is_service_running('squid')) { update_status("Starting... One moment please..."); log_error("Starting Squid"); - mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -f " . SQUID_CONFFILE); + mwexec_bg(SQUID_BASE. "/sbin/squid -f " . SQUID_CONFFILE); } else { update_status("Reloading Squid for configuration sync... One moment please..."); log_error("Reloading Squid for configuration sync"); - mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + mwexec_bg(SQUID_BASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } /* restart proxy alarm scripts */ 
@@ -409,6 +402,24 @@ function squid_before_form_general(&$pkg) { for ($i = 0; $i < count($values) - 1; $i++) $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); } +function squid_validate_antivirus($post, &$input_errors) { + global $config; + if ($post['enable']=="on"){ + if($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)){ + $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})"; + $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. "; + } + if($post['c-icap_conf']) { + if( !preg_match("/squid_clamav/",$post['c-icap_conf'])){ + $input_errors[] ="c-icap Squidclamav service definition is no present."; + $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; + } + if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)){ + $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; + } + } + } +} function squid_validate_general($post, &$input_errors) { global $config; @@ -615,7 +626,7 @@ function squid_validate_traffic($post, &$input_errors) { } function squid_validate_reverse($post, &$input_errors) { - + global $config; if(!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { 
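Review bot: `squid_validate_antivirus()` has no docblock and its patterns use unescaped dots, so `/(\S+proxy.domain\S+)/` matches any character between `proxy` and `domain`; `proxy\.domain` says what is meant. A short comment should state that the function rejects the shipped sample redirect host, a `c-icap.conf` without the `squid_clamav` service line, and the sample `Manager:Apassword` LDAP line, since none of that is obvious from the regexes. `global $config;` is not used in the function body shown. The message "is no present" should read "is not present".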
@@ -628,13 +639,20 @@ function squid_validate_reverse($post, &$input_errors) { $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; $port = trim($post['reverse_http_port']); + preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.first`,$portrange); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; - + if (!empty($port) && is_port($port) && $port < $portrange[1]){ + $input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.first sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.first sysctl value to 0 on system tunable options and restart squid daemon."; + } $port = trim($post['reverse_https_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; - + if (!empty($port) && is_port($port) && $port < $portrange[1]){ + $input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.first sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.first sysctl value to 0 on system tunable options and restart squid daemon."; + } if ($post['reverse_ssl_cert'] == 'none') $input_errors[] = 'A valid certificate for the external interface must be selected'; @@ -736,7 +754,7 @@ function squid_install_cron($should_install) { $rotate_job_id=-1; $swapstate_job_id=-1; $cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); - $cron_cmd .= SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE; + $cron_cmd .= SQUID_BASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE; $need_write = false; foreach($config['cron']['item'] as $item) { if(strstr($item['task_name'], "squid_rotate_logs")) { 
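Review bot: The backtick call `sysctl net.inet.ip.portrange.first` in `squid_validate_reverse()` resolves `sysctl` through PATH and its result is never checked, so if the match fails `$portrange[1]` is unset and both new port checks pass silently. Prefer `$first = (int) trim(shell_exec('/sbin/sysctl -n net.inet.ip.portrange.first'));` and skip the comparison when the value could not be read. On FreeBSD `portrange.first` is the lower bound of the ephemeral range, while the privileged-port boundary is `net.inet.ip.portrange.reservedhigh`. If the intent is to let the proxy user bind low ports, the advice to set `portrange.first` to 0 also lets outbound sockets be assigned well-known port numbers, and the message should point at the setting actually required. The function body starts and continues outside this hunk.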
@@ -942,7 +960,12 @@ function squid_resync_general() { } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); - $pidfile = "{$g['varrun_path']}/squid.pid"; + $piddir="{$g['varrun_path']}/squid"; + $pidfile = "{$piddir}/squid.pid"; + if (!is_dir($piddir)){ + make_dirs($piddir); + squid_chown_recursive($piddir, 'proxy', 'wheel'); + } $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); $icondir = SQUID_CONFBASE . '/icons'; $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); @@ -1002,7 +1025,8 @@ EOD; $conf .= "acl localnet src $src\n"; $valid_acls[] = 'localnet'; } - if ($settings['disable_xforward']) $conf .= "forwarded_for off\n"; + if ($settings['xforward_mode']) $conf .= "forwarded_for {$settings['xforward_mode']}\n"; + else $conf .= "forwarded_for on\n"; //only used for first run if ($settings['disable_via']) $conf .= "via off\n"; if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n"; if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; 
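Review bot: An installation that had the old `disable_xforward` checkbox set has no `xforward_mode` value after this change, so the new `else` branch writes `forwarded_for on` and internal client addresses appear in `X-Forwarded-For` again without the administrator changing anything (unless the setting is migrated somewhere not shown here). Carrying the old choice over with `elseif ($settings['disable_xforward']) $conf .= "forwarded_for off\n";` ahead of the final `else` preserves the previous behaviour. The value is also interpolated into squid.conf as stored; checking it with `in_array($settings['xforward_mode'], array('on','off','transparent','delete','truncate'))` before use keeps anything else out of the generated file. `squid_resync_general()` starts and ends outside both hunks on this line.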
@@ -1327,35 +1351,6 @@ function squid_resync_antivirus(){ } if (is_array($config['installedpackages']['squid'])) $squid_config=$config['installedpackages']['squid']['config'][0]; - $clwarn="clwarn.cgi.en_EN"; - if (preg_match("/de/i",$squid_config['error_language'])) - $clwarn="clwarn.cgi.de_DE"; - if (preg_match("/ru/i",$squid_config['error_language'])) - $clwarn="clwarn.cgi.ru_RU"; - if (preg_match("/fr/i",$squid_config['error_language'])) - $clwarn="clwarn.cgi.fr_FR"; - if (preg_match("/pt_br/i",$squid_config['error_language'])) - $clwarn="clwarn.cgi.pt_BR"; - $clwarn_file="/usr/local/www/clwarn.cgi"; - copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}",$clwarn_file); - - #fix perl path on clwarn.cgi - $clwarn_file_new=file_get_contents($clwarn_file); - $c_pattern[]="@/usr/\S+/perl@"; - $c_replacement[]=SQUID_LOCALBASE."/bin/perl"; - /*$c_pattern[]="@redirect \S+/clwarn.cgi@"; - $gui_proto=$config['system']['webgui']['protocol']; - $gui_port=$config['system']['webgui']['port']; - if($gui_port == "") { - $gui_port($gui_proto == "http"?"80":"443"); - } - $c_replacement[]=SQUID_LOCALBASE."redirect {$gui_proto}://127.0.0.1:{$gui_port}/clwarn.cgi"; - */ - $clwarn_file_new=preg_replace($c_pattern, $c_replacement,$clwarn_file_new); - file_put_contents($clwarn_file, $clwarn_file_new,LOCK_EX); - - #fix clwarn.cgi file permission - chmod($clwarn_file,0755); $conf = <<< EOF icap_enable on 
@@ -1366,11 +1361,10 @@ icap_client_username_header X-Authenticated-User icap_preview_enable on icap_preview_size 1024 -icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav -icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav - -adaptation_access service_req allow all -adaptation_access service_resp allow all +icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off +adaptation_access service_avi_req allow all +icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on +adaptation_access service_avi_resp allow all EOF; #check if icap is enabled on rc.conf.local 
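Review bot: `bypass=on` on `service_avi_resp` makes response scanning fail open: when c-icap is down or unreachable at `[::1]:1344`, Squid delivers responses unscanned, whereas both replaced lines used `bypass=0`. If that trade-off is intended for availability, say so in a comment above the heredoc and make sure a bypassed service is logged where an operator will see it; otherwise `bypass=off` on the respmod line keeps the earlier behaviour. The move from `127.0.0.1` to `[::1]` also assumes c-icap listens on the IPv6 loopback, which this hunk does not show, and with `bypass=on` a mismatch would go unnoticed.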
@@ -1397,29 +1391,41 @@ EOF; if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){ $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default"); $clamav_m[0]="@/var/run/clamav/clamd.ctl@"; + $clamav_m[1]="@cgi-bin/clwarn.cgi@"; $clamav_r[0]="/var/run/clamav/clamd.sock"; + $clamav_r[1]="squid_clwarn.php"; file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX); } #c-icap.conf if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){ $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default"); - if (! preg_match ("/squidclamav/")) - $sample_file.="\nService squidclamav squidclamav.so\n"; - - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",$sample_file,LOCK_EX); + if (! preg_match("/squid_clamav/",$sample_file)) + $sample_file.="\nService squid_clamav squidclamav.so\n"; + $cicap_m[0]="@Manager:Apassword\S+@"; + $cicap_r[0]=""; + file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX); } + //check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197) + $ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap'); + foreach ($ln_icap as $ln){ + if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}")) + symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}"); + } + if (!file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5")) + symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3"); + $loadsample=0; if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){ - 
$config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")); + $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))); $loadsample++; } if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){ - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")); + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))); $loadsample++; } - if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")){ - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")); + if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")){ + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample"))); $loadsample++; } if($loadsample > 0){ 
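Review bot: Three entries of `$ln_icap` (`'c-icap-config'`, `'c-icap-libicapapi-config'`, `'c-icap-stretch'`) lack the `bin/` prefix the first two carry, so they are tested as `SQUID_LOCALBASE."/c-icap-config"` and so on and are probably never linked. The `c-icap_magic` branch now requires `c-icap.magic.sample`, yet the lines shown only generate `.sample` files for `squidclamav.conf` and `c-icap.conf`; unless that file is created elsewhere, the magic defaults are never loaded. The hard-coded `libicapapi.so.3.0.5` stops matching silently on the next library update, so a `glob()` on `libicapapi.so.3.*` would be more durable. Because this block creates links under `/usr/local` as part of every resync, a comment naming which package owns each target would make later clean-up safer. The enclosing function starts and ends outside the hunk.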
@@ -1440,15 +1446,12 @@ EOF; #Check clamav database if (count(glob("/var/db/clamav/*d"))==0){ log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background."); - mwexec_bg(SQUID_LOCALBASE."/bin/freshclam"); - } - #check startup scripts on pfsense > 2.1 - if (preg_match("/usr.pbi/",SQUID_LOCALBASE)){ - $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); - foreach($rcd_files as $rcd_file) - if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) - symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); + mwexec_bg(SQUID_BASE."/bin/freshclam"); } + $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); + foreach($rcd_files as $rcd_file) + if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) + symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); #write advanced icap config files file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX); 
@@ -1467,11 +1470,29 @@ EOF; $sample_file=file_get_contents($c_icap_rcfile); $cicapm[0]="@c_icap_user=.*}@"; $cicapr[0]='c_icap_user="clamav"}'; + $cicapm[1]="@/usr/local@"; + $cicapr[1]=SQUID_LOCALBASE; file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX); } mwexec_bg("/usr/local/etc/rc.d/c-icap start"); } - #check clamav + #check clamav/freshclam + $rc_files=array("clamav-freshclam","clamav-clamd"); + $clamm[0]="@/usr/local/(bin|sbin)@"; + $clamm[1]="@/local/(bin|sbin)@"; + $clamm[2]="@/usr/local/etc@"; + $clamm[3]="@enable:=NO@"; + $clamr[0]=SQUID_BASE."/bin"; + $clamr[1]="/bin"; + $clamr[2]=SQUID_LOCALBASE."/etc"; + $clamr[3]="enable:=YES"; + foreach ($rc_files as $rc_file){ + $clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}"; + if (file_exists($clamav_rcfile)){ + $sample_file=file_get_contents($clamav_rcfile); + file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX); + } + } if (is_process_running("clamd")) mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); else @@ -1703,6 +1724,11 @@ function squid_resync_auth() { $conf .="http_access deny sglog\n"; } if ($auth_method == 'none' ) { + // SSL interception acl options part 2 without authentication + if ($settingsconfig['ssl_proxy'] == "on"){ + $conf .= "always_direct allow all\n"; + $conf .= "ssl_bump server-first all\n"; + } $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { 
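Review bot: The added `ssl_bump server-first all` in the `$auth_method == 'none'` branch of `squid_resync_auth()` bumps every TLS connection, and nothing in the lines shown emits an exemption ahead of it. If the "part 1" block referred to in the comment does not already write an `ssl_bump none` rule for an administrator-defined ACL, there is no way to exclude destinations that must not be intercepted. `always_direct allow all` likewise overrides any peer routing configured elsewhere, so the comment should say why it is required here. In the earlier hunk on this line, the clamav rc scripts are rewritten in place on each run; writing only when `preg_replace()` actually changed the content would avoid touching startup scripts needlessly. `squid_resync_auth()` continues outside the hunk.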
@@ -1738,7 +1764,7 @@ function squid_resync_auth() { $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'cp': - $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n"; + $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; $conf .= "acl password external check_cp\n"; break; case 'msnt': @@ -1898,12 +1924,12 @@ function squid_resync($via_rpc="no") { if (!is_service_running('squid')) { log_error("Starting Squid"); - mwexec(SQUID_LOCALBASE . "/sbin/squid -f " . SQUID_CONFFILE); + mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); } else { if (!isset($boot_process)){ log_error("Reloading Squid for configuration sync"); - mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } } @@ -2268,18 +2294,19 @@ function squid_write_rcfile() { /* Declare a variable for the SQUID_CONFFILE constant. */ /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. */ $squid_conffile_var = SQUID_CONFFILE; - $squid_local_base = SQUID_LOCALBASE; + $squid_base = SQUID_BASE; $rc = array(); $rc['file'] = 'squid.sh'; $rc['start'] = <<<EOD +#sysctl net.inet.ip.portrange.reservedhigh=0 if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then - {$squid_local_base}/sbin/squid -f {$squid_conffile_var} + {$squid_base}/sbin/squid -f {$squid_conffile_var} fi EOD; $rc['stop'] = <<<EOD -{$squid_local_base}/sbin/squid -k shutdown -f {$squid_conffile_var} +{$squid_base}/sbin/squid -k shutdown -f {$squid_conffile_var} # Just to be sure... sleep 5 
@@ -2294,9 +2321,9 @@ killall pinger 2>/dev/null EOD; $rc['restart'] = <<<EOD if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then - {$squid_local_base}/sbin/squid -f {$squid_conffile_var} + {$squid_base}/sbin/squid -f {$squid_conffile_var} else - {$squid_local_base}/sbin/squid -k reconfigure -f {$squid_conffile_var} + {$squid_base}/sbin/squid -k reconfigure -f {$squid_conffile_var} fi EOD; diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 970f093e..57dfc938 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -46,7 +46,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squid</name> - <version>3.4.9</version> + <version>3.4.10_2 pkg 0.2.6</version> <title>Proxy server: General settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <menu> @@ -239,6 +239,11 @@ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>https://packages.pfsense.org/packages/config/squid3/34/squid_clwarn.php</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/shortcuts/</prefix> <chmod>0755</chmod> <item>https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc</item> 
@@ -480,10 +485,18 @@ <default_value>en</default_value> </field> <field> - <fielddescr>Disable X-Forward</fielddescr> - <fieldname>disable_xforward</fieldname> - <description>If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.</description> - <type>checkbox</type> + <fielddescr>X-Forward Mode</fielddescr> + <fieldname>xforward_mode</fieldname> + <description><p><b> on:</b> Squid will append your client's IP address in the HTTP requests it forwards. (Default)<p> By default it looks like: X-Forwarded-For: 192.1.2.3 <p> <b> off:</b> It will appear as: X-Forwarded-For: unknown<p> <b> transparent:</b> Squid will not alter the X-Forwarded-For header in any way.<p> <b> delete:</b> Squid will delete the entire X-Forwarded-For header.<p> <b> truncate:</b> Squid will remove all existing X-Forwarded-For entries, and place the client IP as the sole entry.</description> + <type>select</type> + <default_value>on</default_value> + <options> + <option><name>(on)</name><value>on</value></option> + <option><name>off</name><value>off</value></option> + <option><name>transparent</name><value>transparent</value></option> + <option><name>delete</name><value>delete</value></option> + <option><name>truncate</name><value>truncate</value></option> + </options> </field> <field> <fielddescr>Disable VIA</fielddescr> diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 2afb1ff1..c722598d 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml @@ -151,6 +151,7 @@ </field> </fields> <custom_php_validation_command> + squid_validate_antivirus($_POST, $input_errors); </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); diff --git a/config/squid3/34/squid_clwarn.php b/config/squid3/34/squid_clwarn.php new file mode 100644 index 00000000..0bd97d58 --- /dev/null +++ b/config/squid3/34/squid_clwarn.php 
@@ -0,0 +1,95 @@ +<?php +/* ========================================================================== */ +/* + squid_clwarn.php + part of pfSense (http://www.pfSense.com) + Copyright (C) 2015 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ */ +/* ========================================================================== */ +$VERSION = '6.10'; + $url = $_REQUEST['url']; +$virus=($_REQUEST['virus']?$_REQUEST['virus']:$_REQUEST['malware']); +$source = preg_replace("@/-@","",$_REQUEST['source']); +$user = $_REQUEST['user']; + + +$TITLE_VIRUS = "SquidClamAv $VERSION: Virus detected!"; +$subtitle = 'Virus name'; +$errorreturn = 'This file cannot be downloaded.'; +$urlerror = 'contains a virus'; +if (preg_match("/Safebrowsing/",$virus)) { + $TITLE_VIRUS = "SquidClamAv $VERSION: Unsafe Browsing detected"; + $subtitle = 'Malware / pishing type'; + $urlerror = 'is listed as suspicious'; + $errorreturn = 'This page can not be displayed'; +} + +# Remove clamd infos +$vp[0]="/stream: /"; +$vp[1]="/ FOUND/"; +$vr[0]=""; +$vr[1]=""; + +$virus = preg_replace($vp,$vr,$virus); + + +?> +<style type="text/css"> + .visu { + border:1px solid #C0C0C0; + color:#FFFFFF; + position: relative; + min-width: 13em; + max-width: 52em; + margin: 4em auto; + border: 1px solid ThreeDShadow; + border-radius: 10px; + padding: 3em; + -moz-padding-start: 30px; + background-color: #8b0000; +} +.visu h2, .visu h3, .visu h4 { + font-size:130%; + font-family:"times new roman", times, serif; + font-style:normal; + font-weight:bolder; +} +</style> + <div class="visu"> + <h2><?=$TITLE_VIRUS?></h2> + <hr> + <p> + The requested URL <?=$url?> <?=$urlerror?><br> + <?=$subtitle?>: <?=$virus?> + <p> + <?=$errorreturn?> + <p> + Origin: <?=$source?> / <?=$user?> + <p> + <hr> + <font color="blue"> Powered by <a href="http://squidclamav.darold.net/">SquidClamAv <?=$VERSION?></a>.</font> + </div> diff --git a/config/squid3/34/swapstate_check.php b/config/squid3/34/swapstate_check.php index b9f51ec1..7a7ccd27 100644 --- a/config/squid3/34/swapstate_check.php +++ b/config/squid3/34/swapstate_check.php 
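Review bot: `squid_clwarn.php` echoes `$_REQUEST['url']`, `virus`/`malware`, `source` and `user` into the page with `<?=...?>` and no output encoding, so markup in any of them is rendered as HTML. Because squid.xml in this same commit installs the file under `/usr/local/www/`, that markup would be rendered in the firewall web interface's own origin, and the page includes no authentication code. Each value should be escaped once where it is read, with `htmlspecialchars(..., ENT_QUOTES, 'UTF-8')`, and non-string input (array parameters) should be treated as empty. The title selection, the clamd string clean-up and the template can stay as they are, since escaping does not affect the `Safebrowsing`, `stream: ` or ` FOUND` matches.

```php
// Request values are untrusted and are all echoed into HTML below: escape them once, here.
function squid_clwarn_param($name) {
	if (!isset($_REQUEST[$name]) || !is_string($_REQUEST[$name]))
		return "";
	return htmlspecialchars($_REQUEST[$name], ENT_QUOTES, 'UTF-8');
}

$VERSION = '6.10';
$url = squid_clwarn_param('url');
$virus = (squid_clwarn_param('virus') ? squid_clwarn_param('virus') : squid_clwarn_param('malware'));
$source = preg_replace("@/-@", "", squid_clwarn_param('source'));
$user = squid_clwarn_param('user');
// … unchanged: title/subtitle selection, clamd string clean-up, HTML template …
```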
@@ -30,17 +30,6 @@ require_once('config.inc'); require_once('util.inc'); require_once('squid.inc'); -$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); -if (is_dir('/usr/pbi/squid-' . php_uname("m"))) { - if ($pfs_version == 2.2) - define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")."/local"); - else - define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); -} else { - define('SQUID_LOCALBASE','/usr/local'); -} - - $settings = $config['installedpackages']['squidcache']['config'][0]; // Only check the cache if Squid is actually caching. // If there is no cache then quietly do nothing. |