Diffstat (limited to 'config/squid3')
-rwxr-xr-xconfig/squid3/34/squid.inc1460
1 files changed, 785 insertions, 675 deletions
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index 665c0d7c..4905f96c 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -1,12 +1,13 @@
<?php
-/* $Id$ */
/*
squid.inc
+ part of pfSense (https://www.pfSense.org/)
Copyright (C) 2006-2009 Scott Ullrich
Copyright (C) 2006 Fernando Lemos
Copyright (C) 2012 Martin Fuchs
Copyright (C) 2012-2014 Marcello Coutinho
Copyright (C) 2013 Gekkenhuis
+ Copyright (C) 2015 ESF, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -30,7 +31,6 @@
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
-
require_once('globals.inc');
require_once('config.inc');
require_once('util.inc');
@@ -38,13 +38,14 @@ require_once('pfsense-utils.inc');
require_once('pkg-utils.inc');
require_once('service-utils.inc');
-if (!function_exists("filter_configure"))
+if (!function_exists("filter_configure")) {
require_once("filter.inc");
+}
$shortcut_section = "squid";
global $pfs_version;
-$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
+$pfs_version = substr(trim(file_get_contents("/etc/version")), 0, 3);
if ($pfs_version == "2.1" || $pfs_version == "2.2") {
define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m"));
define('SQUID_LOCALBASE', SQUID_BASE . "/local");
@@ -65,24 +66,27 @@ define('SQUID_SSL_DB','/var/squid/lib/ssl_db');
$valid_acls = array();
-$uname=posix_uname();
-if ($uname['machine']=='amd64')
+$uname = posix_uname();
+if ($uname['machine'] == 'amd64') {
ini_set('memory_limit', '250M');
+}
function sq_text_area_decode($text) {
- return preg_replace('/\r\n/', "\n",base64_decode($text));
+ return preg_replace('/\r\n/', "\n", base64_decode($text));
}
function squid_get_real_interface_address($iface) {
- if (!function_exists("get_interface_ip"))
+ if (!function_exists("get_interface_ip")) {
require_once("interfaces.inc");
+ }
return array(get_interface_ip($iface), gen_subnet_mask(get_interface_subnet($iface)));
}
function squid_chown_recursive($dir, $user, $group) {
- if ($dir == '/usr/local')
+ if ($dir == '/usr/local') {
return;
+ }
chown($dir, $user);
chgrp($dir, $group);
@@ -102,46 +106,50 @@ function squid_chown_recursive($dir, $user, $group) {
}
function squid_check_clamav_user($user) {
- if (SQUID_BASE == '/usr/local')
+ if (SQUID_BASE == '/usr/local') {
return;
+ }
- $_gc = exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return);
- $user_arg=($sq_ex_return == 0?"mod":"add");
- $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return);
- if ($sq_ex_return != 0)
- log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output));
+ $_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return);
+ $user_arg = ($sq_ex_return == 0 ? "mod" : "add");
+ $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return);
+ if ($sq_ex_return != 0) {
+ log_error("Squid - Could not change clamav user settings. " . serialize($sq_ex_output));
+ }
}
/* setup cache */
-function squid_dash_z($cache_action='none') {
+function squid_dash_z($cache_action = 'none') {
global $config;
//Do nothing if there is no cache config
- if (!is_array($config['installedpackages']['squidcache']['config']))
+ if (!is_array($config['installedpackages']['squidcache']['config'])) {
return;
+ }
$settings = $config['installedpackages']['squidcache']['config'][0];
// If the cache system is null, there is no need to initialize the (irrelevant) cache dir.
- if ($settings['harddisk_cache_system'] == "null")
+ if ($settings['harddisk_cache_system'] == "null") {
return;
+ }
$cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
if ($cache_action == "clean" && file_exists($cachedir)) {
- rename ($cachedir, "{$cachedir}.old");
+ rename($cachedir, "{$cachedir}.old");
mwexec_bg("/bin/rm -rf {$cachedir}.old");
}
if (!is_dir($cachedir)) {
log_error("Creating Squid cache dir {$cachedir}");
- @mkdir($cachedir, 0755, true);
+ safe_mkdir($cachedir, 0755);
@chown($cachedir, SQUID_UID);
@chgrp($cachedir, SQUID_GID);
}
- if (!is_dir($cachedir.'/00')) {
- log_error("Creating squid cache subdirs in $cachedir");
+ if (!is_dir($cachedir . '/00')) {
+ log_error("Creating Squid cache subdirs in $cachedir");
mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE);
sleep(5);
mwexec(SQUID_BASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE);
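Review bot: `$user` is interpolated unquoted into both `exec()` calls in squid_check_clamav_user, and `$cachedir` (taken from `harddisk_cache_location` in the package config) reaches `mwexec_bg("/bin/rm -rf {$cachedir}.old")` the same way, so whitespace or a shell metacharacter in either value changes the command the shell runs. The callers are not visible here, so it is unconfirmed whether these values can ever be influenced from the GUI, but quoting costs nothing: `exec("/usr/sbin/pw usershow " . escapeshellarg($user), $sq_ex_output, $sq_ex_return);` and `mwexec_bg("/bin/rm -rf " . escapeshellarg("{$cachedir}.old"));`. The same applies to the `/bin/rm -rf {$cachedir}` and `/bin/rm -rf {$logdir}` lines in the squid_deinstall_command hunk. squid_dash_z continues past the end of this hunk.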
@@ -160,8 +168,9 @@ function squid_dash_z($cache_action='none') {
function squid_is_valid_acl($acl) {
global $valid_acls;
- if (!is_array($valid_acls))
+ if (!is_array($valid_acls)) {
return;
+ }
return in_array($acl, $valid_acls);
}
@@ -171,19 +180,22 @@ function squid_install_command() {
update_status("Checking if there is configuration to migrate... One moment please...");
/* migrate existing csv config fields */
- if (is_array($config['installedpackages']['squidauth']['config']))
+ if (is_array($config['installedpackages']['squidauth']['config'])) {
$settingsauth = $config['installedpackages']['squidauth']['config'][0];
- if (is_array($config['installedpackages']['squidcache']['config']))
+ }
+ if (is_array($config['installedpackages']['squidcache']['config'])) {
$settingscache = $config['installedpackages']['squidcache']['config'][0];
- if (is_array($config['installedpackages']['squidnac']['config']))
+ }
+ if (is_array($config['installedpackages']['squidnac']['config'])) {
$settingsnac = $config['installedpackages']['squidnac']['config'][0];
- if (is_array($config['installedpackages']['squid']['config']))
+ }
+ if (is_array($config['installedpackages']['squid']['config'])) {
$settingsgen = $config['installedpackages']['squid']['config'][0];
+ }
- if (SQUID_BASE != '/usr/local' &&
- file_exists('/usr/local/bin/check_ip.php') &&
- !file_exists(SQUID_BASE . '/bin/check_ip.php'))
+ if (SQUID_BASE != '/usr/local' && file_exists('/usr/local/bin/check_ip.php') && !file_exists(SQUID_BASE . '/bin/check_ip.php')) {
symlink("/usr/local/bin/check_ip.php", SQUID_BASE . "/bin/check_ip.php");
+ }
/* Set storage system */
if ($g['platform'] == "nanobsd") {
@@ -248,22 +260,22 @@ function squid_install_command() {
$config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type'];
}
- /*Migrate reverse settings*/
+ /* migrate reverse settings */
if (is_array($config['installedpackages']['squidreverse'])) {
- $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0];
+ $old_reverse_settings = $config['installedpackages']['squidreverse']['config'][0];
- //Settings
+ // settings
if (!is_array($config['installedpackages']['squidreversegeneral'])) {
- $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings;
- unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']);
- unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']);
- unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']);
+ $config['installedpackages']['squidreversegeneral']['config'][0] = $old_reverse_settings;
+ unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']);
+ unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']);
+ unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']);
}
- //PEERS
+ // peers
if (!is_array($config['installedpackages']['squidreversepeer'])) {
- foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) {
- foreach (explode(";",$cache_peers) as $cache_peer) {
+ foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) {
+ foreach (explode(";", $cache_peers) as $cache_peer) {
$config['installedpackages']['squidreversepeer']['config'][] = array(
'description' => 'migrated',
'enable' => 'on',
@@ -275,16 +287,16 @@ function squid_install_command() {
}
}
- //MAPPINGS
+ // mappings
if (!is_array($config['installedpackages']['squidreverseuri'])) {
- foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) {
- foreach (explode(";",$acls) as $acl) {
+ foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) {
+ foreach (explode(";", $acls) as $acl) {
array_push(${'peer_'.$acl[0]},$acl[1]);
}
}
- foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) {
- foreach (explode(";",$uris) as $uri) {
- $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):"");
+ foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) {
+ foreach (explode(";", $uris) as $uri) {
+ $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . $uri[0]}) : "");
$config['installedpackages']['squidreverseuri']['config'][] = array(
'description' => 'migrated',
'enable' => 'on',
@@ -299,7 +311,6 @@ function squid_install_command() {
}
update_status("Writing configuration... One moment please...");
-
write_config();
/* create cache */
@@ -308,29 +319,25 @@ function squid_install_command() {
/* make sure pinger is executable and suid root */
// XXX: Bug #5114
- if (file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger"))
- chgrp(SQUID_LOCALBASE. "/libexec/squid/pinger", SQUID_GID);
-
- // XXX: Is it really necessary?
- if (file_exists("/usr/local/etc/rc.d/squid"))
- unlink_if_exists("/usr/local/etc/rc.d/squid");
+ if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) {
+ chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID);
+ }
squid_write_rcfile();
// XXX: Is it really necessary? mode is set to 0755 in squid.xml
- if (file_exists("/usr/local/pkg/swapstate_check.php"))
+ if (file_exists("/usr/local/pkg/swapstate_check.php")) {
@chmod("/usr/local/pkg/swapstate_check.php", 0755);
+ }
write_rcfile(array(
"file" => "sqp_monitor.sh",
"start" => "/usr/local/pkg/sqpmon.sh &",
- "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")
+ "stop" => "/bin/ps awux | /usr/bin/grep \"sqpmon\" | /usr/bin/grep -v \"grep\" | /usr/bin/grep -v \"php\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill")
);
- foreach (array( SQUID_CONFBASE,
- SQUID_ACLDIR,
- SQUID_SSL_DB ) as $dir) {
- @mkdir($dir, 0755, true);
+ foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) {
+ safe_mkdir($dir, 0755);
squid_chown_recursive($dir, SQUID_UID, SQUID_GID);
}
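Review bot: The `stop` command for sqp_monitor.sh now uses absolute paths, but it still picks its targets by substring-matching the whole `ps awux` output, so any process whose command line merely contains `sqpmon` (and neither `grep` nor `php`) is signalled. The three `mwexec()` kill lines in the squid_deinstall_command hunk do the same with `squid`, `dnsserver` and `unlinkd`, and `squid` in particular will match unrelated processes that carry that string in a path or argument. A pidfile, or a match tied to the script path such as `/bin/pkill -f /usr/local/pkg/sqpmon.sh`, would be narrower. squid_install_command starts before and continues after this hunk.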
@@ -367,25 +374,26 @@ function squid_install_command() {
function squid_deinstall_command() {
global $config, $g;
- $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
+ $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
squid_install_cron(false);
- if (is_array($config['installedpackages']['squidcache']))
+ if (is_array($config['installedpackages']['squidcache'])) {
$settings = $config['installedpackages']['squidcache']['config'][0];
- else
+ } else {
$settings = array();
+ }
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
update_status("Removing cache ... One moment please...");
update_output_window("$plswait_txt");
// XXX: Is it ok to remove cache and logs? It's going to happen every time package is updated
- mwexec_bg("rm -rf {$cachedir}");
- mwexec("rm -rf {$logdir}");
+ mwexec_bg("/bin/rm -rf {$cachedir}");
+ mwexec("/bin/rm -rf {$logdir}");
update_status("Finishing package cleanup.");
mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh');
- mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
- mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
- mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("/bin/ps awux | /usr/bin/grep \"squid\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill");
+ mwexec("/bin/ps awux | /usr/bin/grep \"dnsserver\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill");
+ mwexec("/bin/ps awux | /usr/bin/grep \"unlinkd\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill");
update_status("Reloading filter...");
filter_configure();
}
@@ -408,38 +416,42 @@ function squid_before_form_general(&$pkg) {
array_shift($values);
$name = array();
- foreach ($values as $value)
+ foreach ($values as $value) {
$names[] = implode(" ", explode("_", $value));
+ }
$i = 0;
foreach ($pkg['fields']['field'] as $field) {
- if ($field['fieldname'] == 'error_language')
+ if ($field['fieldname'] == 'error_language') {
break;
+ }
$i++;
}
$field = &$pkg['fields']['field'][$i];
- for ($i = 0; $i < count($values) - 1; $i++)
+ for ($i = 0; $i < count($values) - 1; $i++) {
$field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
+ }
}
function squid_validate_antivirus($post, &$input_errors) {
global $config;
- if ($post['enable'] != "on")
+ if ($post['enable'] != "on") {
return;
+ }
- if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)) {
- $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})";
- $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. ";
+ if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) {
+ $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})";
+ $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host.";
}
if ($post['c-icap_conf']) {
- if (!preg_match("/squid_clamav/",$post['c-icap_conf'])) {
- $input_errors[] ="c-icap Squidclamav service definition is no present.";
- $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.";
+ if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) {
+ $input_errors[] = "c-icap Squidclamav service definition is not present.";
+ $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.";
}
- if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)) {
- $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field.";
+ if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) {
+ $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field.";
}
}
}
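Review bot: `$name = array();` initialises a variable that is never used, while the loop appends to `$names`, which is therefore created implicitly; the initialiser should read `$names = array();`. In squid_validate_antivirus the pattern `/(\S+proxy.domain\S+)/` leaves the dot unescaped, so it matches any character in that position; `proxy\.domain` states the intent. squid_before_form_general starts before this hunk.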
@@ -447,31 +459,37 @@ function squid_validate_antivirus($post, &$input_errors) {
function squid_validate_general($post, &$input_errors) {
global $config;
- if (is_array($config['installedpackages']['squid']))
+ if (is_array($config['installedpackages']['squid'])) {
$settings = $config['installedpackages']['squid']['config'][0];
- else
+ } else {
$settings = array();
+ }
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$port = $post['proxy_port'] ? $post['proxy_port'] : $port;
$icp_port = trim($post['icp_port']);
- if (!empty($icp_port) && !is_port($icp_port))
- $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field';
+ if (!empty($icp_port) && !is_port($icp_port)) {
+ $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field.';
+ }
- if (substr($post['log_dir'], -1, 1) == '/')
- $input_errors[] = 'You may not end log location with an / mark';
+ if (substr($post['log_dir'], -1, 1) == '/') {
+ $input_errors[] = 'Log location must not end with a / character.';
+ }
- if ($post['log_dir']{0} != '/')
- $input_errors[] = 'You must start log location with a / mark';
+ if ($post['log_dir']{0} != '/') {
+ $input_errors[] = 'Log location must start with a / character.';
+ }
- if (strlen($post['log_dir']) <= 3)
- $input_errors[] = "That is not a valid log location dir";
+ if (strlen($post['log_dir']) <= 3) {
+ $input_errors[] = "Configured log location directory is not valid.";
+ }
$log_rotate = trim($post['log_rotate']);
- if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1)))
- $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field';
+ if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) {
+ $input_errors[] = "You must enter a valid number of days in the 'Log rotate' field.";
+ }
$webgui_port = $config['system']['webgui']['port'];
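Review bot: The `log_dir` checks accept any absolute path longer than three characters, so a system directory such as `/etc`, or a path containing spaces or shell metacharacters, passes validation. If this value later reaches a shell command or a recursive delete (the deinstall hunk runs `/bin/rm -rf {$logdir}`, though it is not visible here whether that reads this same setting), this validator is the only gate; an allow-list check such as `if (!preg_match('@^/[A-Za-z0-9_./-]+$@', $post['log_dir']) || strpos($post['log_dir'], '..') !== false) { $input_errors[] = "Log location contains invalid characters."; }` would tighten it. Separately, `$post['log_dir']{0}` uses the curly-brace string offset syntax, which was deprecated in PHP 7.4 and removed in PHP 8.0; `substr($post['log_dir'], 0, 1)` is the portable form and also avoids a notice on an empty value. squid_validate_general continues past this hunk.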
@@ -483,7 +501,7 @@ function squid_validate_general($post, &$input_errors) {
}
if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
- $input_errors[] = "You can not run squid on the same port as the webgui";
+ $input_errors[] = "You can not run Squid on the same port as the pfSense WebGUI";
}
if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) {
@@ -493,15 +511,17 @@ function squid_validate_general($post, &$input_errors) {
foreach (array('defined_ip_proxy_off') as $hosts) {
foreach (explode(";", $post[$hosts]) as $host) {
$host = trim($host);
- if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
- $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
+ if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) {
+ $input_errors[] = "'Bypass proxy for these source IPs' entry '$host' is not a valid IP address, hostname, or alias.";
+ }
}
}
foreach (array('defined_ip_proxy_off_dest') as $hosts) {
foreach (explode(";", $post[$hosts]) as $host) {
$host = trim($host);
- if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
- $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
+ if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) {
+ $input_errors[] = "'Bypass proxy for these destination IPs' entry '$host' is not a valid IP address, hostname, or alias.";
+ }
}
}
@@ -509,7 +529,7 @@ function squid_validate_general($post, &$input_errors) {
$altdns = explode(";", ($post['dns_nameservers']));
foreach ($altdns as $dnssrv) {
if (!is_ipaddr($dnssrv)) {
- $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
+ $input_errors[] = "You must enter a valid IP address in the 'Alternate DNS servers' field.";
break;
}
}
@@ -517,24 +537,27 @@ function squid_validate_general($post, &$input_errors) {
}
function squid_validate_upstream($post, &$input_errors) {
- if ($post['enabled'] != 'on')
+ if ($post['enabled'] != 'on') {
return;
+ }
$addr = trim($post['proxyaddr']);
if (empty($addr)) {
- $input_errors[] = 'The field \'Hostname\' is required';
+ $input_errors[] = "The 'Proxy hostname' field is required";
} else {
- if (!is_ipaddr($addr) && !is_domain($addr))
- $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
+ if (!is_ipaddr($addr) && !is_domain($addr)) {
+ $input_errors[] = "You must enter a valid IP address or host name in the 'Proxy hostname' field.";
+ }
}
foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) {
$port = trim($post[$field]);
if (empty($port)) {
- $input_errors[] = "The field '$name' is required";
+ $input_errors[] = "The '$name' field is required.";
} else {
- if (!is_port($port))
- $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
+ if (!is_port($port)) {
+ $input_errors[] = "The '$name' field must contain a valid port number (1-65535).";
+ }
}
}
}
@@ -548,31 +571,36 @@ function squid_validate_cache($post, &$input_errors) {
foreach ($num_fields as $field => $name) {
$value = trim($post[$field]);
- if (!is_numericint($value))
- $input_errors[] = "You must enter a valid value for '$field'";
+ if (!is_numericint($value)) {
+ $input_errors[] = "You must enter a valid value for '$field'.";
+ }
}
$value = trim($post['minimum_object_size']);
- if (!is_numericint($value))
- $input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
+ if (!is_numericint($value)) {
+ $input_errors[] = "You must enter a valid value for 'Minimum object size'.";
+ }
if (!empty($post['cache_swap_low'])) {
$value = trim($post['cache_swap_low']);
- if (!is_numericint($value) || ($value > 100))
- $input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
+ if (!is_numericint($value) || ($value > 100)) {
+ $input_errors[] = "You must enter a valid value for 'Low-water-mark'.";
+ }
}
if (!empty($post['cache_swap_high'])) {
$value = trim($post['cache_swap_high']);
- if (!is_numericint($value) || ($value > 100))
- $input_errors[] = 'You must enter a valid value for \'High-water-mark\'';
+ if (!is_numericint($value) || ($value > 100)) {
+ $input_errors[] = "You must enter a valid value for 'High-water-mark'.";
+ }
}
if ($post['donotcache'] != "") {
foreach (split("\n", $post['donotcache']) as $host) {
$host = trim($host);
- if (!is_ipaddr($host) && !is_domain($host))
- $input_errors[] = "The host '$host' is not a valid IP or host name";
+ if (!is_ipaddr($host) && !is_domain($host)) {
+ $input_errors[] = "The host '$host' is not a valid IP or hostname.";
+ }
}
}
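Review bot: The first error message interpolates `$field`, the internal form key, although the loop already has `$name` (presumably the display label) in scope; `"You must enter a valid value for '$name'."` would match how squid_validate_traffic words its messages. The `donotcache` loop also still calls `split("\n", ...)`, which was deprecated in PHP 5.3 and removed in PHP 7.0; `explode("\n", $post['donotcache'])` behaves the same for this fixed delimiter. squid_validate_cache starts before and ends after this hunk.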
@@ -583,19 +611,22 @@ function squid_validate_nac($post, &$input_errors) {
$allowed_subnets = explode("\n", $post['allowed_subnets']);
foreach ($allowed_subnets as $subnet) {
$subnet = trim($subnet);
- if (!empty($subnet) && !is_subnet($subnet))
- $input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
+ if (!empty($subnet) && !is_subnet($subnet)) {
+ $input_errors[] = "The subnet '$subnet' is not a valid CIDR range.";
+ }
}
foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) {
- if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)) {
- for ($x=0; $x < count($matches[1]); $x++) {
+ if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $_POST[$hosts], $matches)) {
+ for ($x = 0; $x < count($matches[1]); $x++) {
if ($matches[2][$x] == "") {
- if (!is_ipaddr($matches[1][$x]))
- $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address";
+ if (!is_ipaddr($matches[1][$x])) {
+ $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address.";
+ }
} else {
- if (!is_subnet($matches[0][$x]))
- $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range";
+ if (!is_subnet($matches[0][$x])) {
+ $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range.";
+ }
}
}
}
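Review bot: The `unrestricted_hosts`/`banned_hosts` check reads `$_POST[$hosts]` directly instead of the `$post` argument used everywhere else in the function, so it validates the superglobal rather than what the caller passed in; `preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $post[$hosts], $matches)` keeps it consistent. The pattern also extracts only runs of digits and dots, so any other text in those fields is never examined and passes validation silently. Splitting on newlines and validating each trimmed entry, as the `allowed_subnets` loop at the top of the hunk does, would reject such entries instead of skipping them. squid_validate_nac starts before and continues after this hunk.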
@@ -604,22 +635,25 @@ function squid_validate_nac($post, &$input_errors) {
foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
foreach (explode("\n", $post[$macs]) as $mac) {
$mac = trim($mac);
- if (!empty($mac) && !is_macaddr($mac))
- $input_errors[] = "The mac '$mac' is not a valid MAC address";
+ if (!empty($mac) && !is_macaddr($mac)) {
+ $input_errors[] = "'$mac' is not a valid MAC address.";
+ }
}
}
foreach (explode(",", $post['timelist']) as $time) {
$time = trim($time);
- if (!empty($time) && !squid_is_timerange($time))
- $input_errors[] = "The time range '$time' is not a valid time range";
+ if (!empty($time) && !squid_is_timerange($time)) {
+ $input_errors[] = "The time range '$time' is not a valid time range.";
+ }
}
if (!empty($post['ext_cachemanager'])) {
$extmgr = explode(";", ($post['ext_cachemanager']));
foreach ($extmgr as $mgr) {
- if (!is_ipaddr($mgr))
- $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
+ if (!is_ipaddr($mgr)) {
+ $input_errors[] = "You must enter a valid IP address in the 'External Cache Manager' field'.";
+ }
}
}
}
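Review bot: The reworded 'External Cache Manager' message ends with a stray apostrophe (`field'.`); it should read `"You must enter a valid IP address in the 'External Cache Manager' field."`. The loop also passes `$mgr` to `is_ipaddr()` without `trim()`, unlike the MAC and time-range loops just above it, so an entry with surrounding whitespace is likely rejected; `$mgr = trim($mgr);` before the check would make the list handling uniform.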
@@ -634,26 +668,30 @@ function squid_validate_traffic($post, &$input_errors) {
foreach ($num_fields as $field => $name) {
$value = trim($post[$field]);
- if (!is_numericint($value))
- $input_errors[] = "The field '$name' must contain a positive number";
+ if (!is_numericint($value)) {
+ $input_errors[] = "The '$name' field must contain a positive integer.";
+ }
}
if (!empty($post['quick_abort_min'])) {
$value = trim($post['quick_abort_min']);
- if (!is_numericint($value))
- $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
+ if (!is_numericint($value)) {
+ $input_errors[] = "'Finish when remaining KB' must contain a positive integer.";
+ }
}
if (!empty($post['quick_abort_max'])) {
$value = trim($post['quick_abort_max']);
- if (!is_numericint($value))
- $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
+ if (!is_numericint($value)) {
+ $input_errors[] = "'Abort when remaining KB' must contain a positive integer.";
+ }
}
if (!empty($post['quick_abort_pct'])) {
$value = trim($post['quick_abort_pct']);
- if (!is_numericint($value) || ($value > 100))
- $input_errors[] = "The field 'Finish when remaining %' must contain a percentage";
+ if (!is_numericint($value) || ($value > 100)) {
+ $input_errors[] = "'Finish when remaining %' must contain valid percentage (1-100).";
+ }
}
}
@@ -663,33 +701,37 @@ function squid_validate_reverse($post, &$input_errors) {
if (!empty($post['reverse_ip'])) {
$reverse_ip = explode(";", ($post['reverse_ip']));
foreach ($reverse_ip as $reip) {
- if (!is_ipaddr(trim($reip)))
- $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.';
+ if (!is_ipaddr(trim($reip))) {
+ $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid.";
+ }
}
}
$fqdn = trim($post['reverse_external_fqdn']);
- if (!empty($fqdn) && !is_domain($fqdn))
- $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name';
+ if (!empty($fqdn) && !is_domain($fqdn)) {
+ $input_errors[] = "'External FQDN' field must contain a valid domain name.";
+ }
$port = trim($post['reverse_http_port']);
- // XXX: Where is $portrange being defined ???
- preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.reservedhigh`,$portrange);
- if (!empty($port) && !is_port($port))
- $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number';
+ preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange);
+ if (!empty($port) && !is_port($port)) {
+ $input_errors[] = "'Reverse HTTP port' must contain a valid port number.";
+ }
if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
- $input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
- $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon.";
+ $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
+ $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon.";
}
$port = trim($post['reverse_https_port']);
- if (!empty($port) && !is_port($port))
- $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number';
+ if (!empty($port) && !is_port($port)) {
+ $input_errors[] = "'Reverse HTTPS port' must contain a valid port number.";
+ }
if (!empty($port) && is_port($port) && $port <= $portrange[1]) {
- $input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
- $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon.";
+ $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]}).";
+ $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon.";
}
- if ($post['reverse_ssl_cert'] == 'none')
+ if ($post['reverse_ssl_cert'] == 'none') {
$input_errors[] = 'A valid certificate for the external interface must be selected';
+ }
if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
$input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
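Review bot: `$portrange[1]` is used in both reserved-port comparisons without checking that `preg_match()` actually matched, so if `shell_exec()` returns null or unexpected output the comparison runs against an undefined index and the low-port check is silently skipped. Reading the bare value and casting it makes the fallback explicit, e.g. `$reservedhigh = (int) trim((string) shell_exec("/sbin/sysctl -n net.inet.ip.portrange.reservedhigh"));`, and then comparing `$port` against `$reservedhigh` in both places. The two HTTP/HTTPS port blocks are otherwise identical and could share one loop over `array('reverse_http_port' => 'Reverse HTTP port', 'reverse_https_port' => 'Reverse HTTPS port')`. squid_validate_reverse starts before and continues after this hunk.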
@@ -698,8 +740,9 @@ function squid_validate_reverse($post, &$input_errors) {
if (!empty($post['reverse_owa_ip'])) {
$reverse_owa_ip = explode(";", ($post['reverse_owa_ip']));
foreach ($reverse_owa_ip as $reowaip) {
- if (!is_ipaddr(trim($reowaip)))
- $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.';
+ if (!is_ipaddr(trim($reowaip))) {
+ $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. '$reowaip' is invalid.";
+ }
}
}
@@ -707,13 +750,16 @@ function squid_validate_reverse($post, &$input_errors) {
if (!empty($contents)) {
$defs = explode("\r\n", ($contents));
foreach ($defs as $def) {
- $cfg = explode(";",($def));
- if (!is_ipaddr($cfg[1]))
- $input_errors[] = "please choose a valid IP in the cache peer configuration.";
- if (!is_port($cfg[2]))
- $input_errors[] = "please choose a valid port in the cache peer configuration.";
- if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
- $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
+ $cfg = explode(";", ($def));
+ if (!is_ipaddr($cfg[1])) {
+ $input_errors[] = "Please choose a valid IP in the cache peer configuration.";
+ }
+ if (!is_port($cfg[2])) {
+ $input_errors[] = "Please choose a valid port in the cache peer configuration.";
+ }
+ if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) {
+ $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration.";
+ }
}
}
}
@@ -726,48 +772,55 @@ function squid_validate_auth($post, &$input_errors) {
foreach ($num_fields as $field) {
$value = trim($post[$field[0]]);
- if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
- $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}";
+ if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) {
+ $input_errors[] = "The '{$field[1]}' field must contain a valid number greater than {$field[2]}";
+ }
}
$auth_method = $post['auth_method'];
if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) {
$server = trim($post['auth_server']);
- if (empty($server))
- $input_errors[] = 'The field \'Authentication server\' is required';
- else if (!is_ipaddr($server) && !is_domain($server))
- $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name';
+ if (empty($server)) {
+ $input_errors[] = "'Authentication server' is required.";
+ } elseif (!is_ipaddr($server) && !is_domain($server)) {
+ $input_errors[] = "'Authentication server' must contain a valid IP address or domain name.";
+ }
$port = trim($post['auth_server_port']);
- if (!empty($port) && !is_port($port))
- $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
+ if (!empty($port) && !is_port($port)) {
+ $input_errors[] = "'Authentication server port' must contain a valid port number.";
+ }
switch ($auth_method) {
- case 'ldap':
- $user = trim($post['ldap_user']);
- if (empty($user))
- $input_errors[] = 'The field \'LDAP server user DN\' is required';
- else if (!$user)
- $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
- break;
- case 'radius':
- $secret = trim($post['radius_secret']);
- if (empty($secret))
- $input_errors[] = 'The field \'RADIUS secret\' is required';
- break;
- case 'msnt':
- foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
- if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
- $input_errors[] = "The host '$server' is not a valid IP address or domain name";
- }
- break;
+ case 'ldap':
+ $user = trim($post['ldap_user']);
+ if (empty($user)) {
+ $input_errors[] = "'LDAP server user DN' is required.";
+ } elseif (!$user) {
+ $input_errors[] = "'LDAP server user DN' must be a valid DN.";
+ }
+ break;
+ case 'radius':
+ $secret = trim($post['radius_secret']);
+ if (empty($secret)) {
+ $input_errors[] = "'RADIUS secret' is required.";
+ }
+ break;
+ case 'msnt':
+ foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
+ if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) {
+ $input_errors[] = "The host '$server' is not a valid IP address or domain name";
+ }
+ }
+ break;
}
$no_auth = explode("\n", $post['no_auth_hosts']);
foreach ($no_auth as $host) {
$host = trim($host);
- if (!empty($host) && !is_subnet($host))
+ if (!empty($host) && !is_subnet($host)) {
$input_errors[] = "The host '$host' is not a valid CIDR range";
+ }
}
}
}
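Review bot: The `elseif (!$user)` branch in the `ldap` case can never run, because `empty($user)` already catches every falsy value, so the reworded "must be a valid DN" message is dead code and the bind DN is accepted unchecked. Either drop the branch, leaving `if (empty($user)) { $input_errors[] = "'LDAP server user DN' is required."; }`, or give it a real condition such as requiring at least one `attr=value` component. The messages built from `$server` and `$host` echo form input back to the page; whether `$input_errors` is HTML-escaped when rendered is decided outside this hunk and worth confirming. `squid_validate_auth` begins above the hunk.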
@@ -786,7 +839,7 @@ function squid_install_cron($should_install) {
$settings = array();
}
- $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
+ $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
$cron_cmd .= SQUID_BASE . "/sbin/squid -k rotate -f " . SQUID_CONFFILE;
install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root");
@@ -803,15 +856,16 @@ function squid_install_cron($should_install) {
}
function squid_check_ca_hashes() {
- global $config,$g;
+ global $config, $g;
// check certificates
$cert_count = 0;
- if (is_dir(SQUID_LOCALBASE. '/share/certs')) {
- if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) {
+ if (is_dir(SQUID_LOCALBASE . '/share/certs')) {
+ if ($handle = opendir(SQUID_LOCALBASE . '/share/certs')) {
while (false !== ($file = readdir($handle))) {
- if (preg_match ("/\d+.0/",$file))
+ if (preg_match ("/\d+.0/",$file)) {
$cert_count++;
+ }
}
closedir($handle);
}
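Review bot: The pattern `/\d+.0/` in the `readdir` loop is unanchored and its dot is unescaped, so it counts any file name that contains a digit, any character and a `0`, not only hash links. OpenSSL subject-hash names are eight hex digits followed by a numeric suffix, so `preg_match('/^[0-9a-f]{8}\.\d+$/', $file)` states the intent. The count is consumed below this hunk, so the effect of a miscount cannot be judged from here.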
@@ -820,20 +874,22 @@ function squid_check_ca_hashes() {
conf_mount_rw();
// create ca-root hashes from ca-root-nss package
log_error("Creating root certificate bundle hashes from the Mozilla Project");
- $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
- $cert=0;
+ $cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt');
+ $cert = 0;
foreach ($cas as $ca) {
- if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
- $cert=1;
- if ($cert == 1)
- $crt.=$ca;
- if (preg_match("/-END CERTIFICATE-/",$ca)) {
- file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
- $cert_hash=array();
- exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
- file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
- $crt="";
- $cert=0;
+ if (preg_match("/--BEGIN CERTIFICATE--/", $ca)) {
+ $cert = 1;
+ }
+ if ($cert == 1) {
+ $crt .= $ca;
+ }
+ if (preg_match("/-END CERTIFICATE-/", $ca)) {
+ file_put_contents("/tmp/cert.pem", $crt, LOCK_EX);
+ $cert_hash = array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash);
+ file_put_contents(SQUID_LOCALBASE . "/share/certs/" . $cert_hash[0] . ".0", $crt, LOCK_EX);
+ $crt = "";
+ $cert = 0;
}
}
}
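Review bot: Each certificate is staged in the fixed path `/tmp/cert.pem` before `openssl x509 -hash` runs; in a world-writable directory a file or symlink pre-created at that name lets another local account influence what this code, which presumably runs as root on the firewall, writes or hashes. The `exec()` result is not checked either, so a failed run leaves `$cert_hash[0]` unset and the certificate is written to a file named `.0`, and `$crt` is appended to before it is initialised in the visible lines. Staging through `tempnam()`, checking the exit status and the hash format, and removing the temporary file afterwards covers all three. The function starts above the hunk.

```php
$cert = 0;
$crt = "";
// … unchanged: BEGIN CERTIFICATE detection and $crt accumulation …
	if (preg_match("/-END CERTIFICATE-/", $ca)) {
		$tmp_pem = tempnam("/tmp", "squid_ca_");
		if ($tmp_pem !== false) {
			file_put_contents($tmp_pem, $crt, LOCK_EX);
			$cert_hash = array();
			$rc = 1;
			exec("/usr/bin/openssl x509 -hash -noout -in " . escapeshellarg($tmp_pem), $cert_hash, $rc);
			unlink($tmp_pem);
			// only trust output that looks like an OpenSSL subject hash
			if ($rc === 0 && isset($cert_hash[0]) && preg_match('/^[0-9a-f]{8}$/', $cert_hash[0])) {
				file_put_contents(SQUID_LOCALBASE . "/share/certs/" . $cert_hash[0] . ".0", $crt, LOCK_EX);
			}
		}
		$crt = "";
		$cert = 0;
	}
```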
@@ -842,10 +898,11 @@ function squid_check_ca_hashes() {
function squid_resync_general() {
global $g, $config, $valid_acls;
- if (is_array($config['installedpackages']['squid']))
+ if (is_array($config['installedpackages']['squid'])) {
$settings = $config['installedpackages']['squid']['config'][0];
- else
- $settings=array();
+ } else {
+ $settings = array();
+ }
$conf = "# This file is automatically generated by pfSense\n";
$conf .= "# Do not edit manually !\n\n";
@@ -855,31 +912,34 @@ function squid_resync_general() {
$srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
if (base64_decode($srv_cert['prv'])) {
- // check if ssl_db was initilized by squid
+ // check if ssl_db was initilized by Squid
if (!file_exists(SQUID_SSL_DB . "/serial")) {
if (is_dir(SQUID_SSL_DB)) {
mwexec("/bin/rm -rf " . SQUID_SSL_DB);
}
- mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB);
+ mwexec(SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB);
}
// force squid user permission on /var/squid/lib/ssl_db/
squid_chown_recursive(SQUID_SSL_DB, SQUID_UID, SQUID_GID);
- // cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
- $crt_pk=SQUID_CONFBASE."/serverkey.pem";
- $crt_capath=SQUID_LOCALBASE."/share/certs/";
- file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
- $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
- $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n";
+ // cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, sslcontext
+ $crt_pk = SQUID_CONFBASE . "/serverkey.pem";
+ $crt_capath = SQUID_LOCALBASE . "/share/certs/";
+ file_put_contents($crt_pk, base64_decode($srv_cert['prv']) . base64_decode($srv_cert['crt']));
+ $sslcrtd_children = ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath}\n";
+ $interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n";
$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
$interception_checks .= "sslproxy_capath {$crt_capath}\n";
- if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
- $interception_checks.="sslproxy_cert_error allow all\n";
- if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
- $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
+ if (preg_match("/sslproxy_cert_error/", $settings["interception_checks"])) {
+ $interception_checks .= "sslproxy_cert_error allow all\n";
+ }
+ if (preg_match("/sslproxy_flags/", $settings["interception_checks"])) {
+ $interception_checks .= "sslproxy_flags DONT_VERIFY_PEER\n";
+ }
if ($settings["interception_adapt"] != "") {
- foreach (explode(",",$settings["interception_adapt"]) as $adapt)
- $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ foreach (explode(",", $settings["interception_adapt"]) as $adapt) {
+ $interception_checks .= "sslproxy_cert_adapt {$adapt} all\n";
+ }
}
}
}
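Review bot: `file_put_contents($crt_pk, ...)` writes the CA private key together with the certificate to `serverkey.pem` without setting a mode, so the file gets whatever the process umask allows and may be readable by other local accounts. Restricting it right after the write with `chmod($crt_pk, 0600);`, plus `chown($crt_pk, SQUID_UID);` if Squid reads it after dropping privileges, keeps the interception key private. The two `interception_checks` branches emit `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER`, which switch off upstream certificate validation for bumped connections; a comment such as `// disables upstream certificate validation for bumped connections` next to those lines would help the next reader. The enclosing `if` blocks open above the hunk.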
@@ -890,47 +950,51 @@ function squid_resync_general() {
// Read assigned interfaces
$real_ifaces = array();
- if ($settings['active_interface'])
+ if ($settings['active_interface']) {
$proxy_ifaces = explode(",", $settings['active_interface']);
- else
- $proxy_ifaces=array("lan");
+ } else {
+ $proxy_ifaces = array("lan");
+ }
- if ($settings['transparent_proxy']=="on") {
+ if ($settings['transparent_proxy'] == "on") {
$transparent_ifaces = explode(",", $settings['transparent_active_interface']);
foreach ($transparent_ifaces as $t_iface) {
$t_iface_ip = squid_get_real_interface_address($t_iface);
- if ($t_iface_ip[0])
- $real_ifaces[]=$t_iface_ip;
+ if ($t_iface_ip[0]) {
+ $real_ifaces[] = $t_iface_ip;
+ }
}
} else {
- $transparent_ifaces=array();
+ $transparent_ifaces = array();
}
- if ($settings['ssl_proxy']=="on") {
+ if ($settings['ssl_proxy'] == "on") {
$ssl_ifaces = explode(",", $settings['ssl_active_interface']);
foreach ($ssl_ifaces as $s_iface) {
$s_iface_ip = squid_get_real_interface_address($s_iface);
- if ($s_iface_ip[0])
+ if ($s_iface_ip[0]) {
$real_ifaces[]=$s_iface_ip;
+ }
}
} else {
- $ssl_ifaces=array();
+ $ssl_ifaces = array();
}
// check all proxy interfaces selected
foreach ($proxy_ifaces as $iface) {
$iface_ip = squid_get_real_interface_address($iface);
if ($iface_ip[0]) {
- $real_ifaces[]=$iface_ip;
- if (in_array($iface,$ssl_ifaces))
+ $real_ifaces[] = $iface_ip;
+ if (in_array($iface,$ssl_ifaces)) {
$conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
- else
+ } else {
$conf .= "http_port {$iface_ip[0]}:{$port}\n";
+ }
}
}
if (($settings['transparent_proxy'] == 'on')) {
- if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0) {
+ if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces) > 0) {
$conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n";
$conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n";
} else {
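Review bot: `count($ssl_ifaces) > 0` is always true when `ssl_proxy` is on, because `explode(",", ...)` returns a one-element array even for an empty string, so the intercepting `https_port` line is emitted even when no SSL interface is selected. Filtering the list where it is built, `$ssl_ifaces = array_filter(explode(",", $settings['ssl_active_interface']));`, makes the test meaningful. Two lines in the same hunk were missed by the reformatting: `$real_ifaces[]=$s_iface_ip;` and `in_array($iface,$ssl_ifaces)`. The `else` branch at the end of the hunk continues past it.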
@@ -938,11 +1002,11 @@ function squid_resync_general() {
}
}
$icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0);
- $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" );
- $piddir="{$g['varrun_path']}/squid";
+ $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off" );
+ $piddir = "{$g['varrun_path']}/squid";
$pidfile = "{$piddir}/squid.pid";
if (!is_dir($piddir)) {
- @mkdir($piddir, 0755, true);
+ safe_mkdir($piddir, 0755);
squid_chown_recursive($piddir, SQUID_UID, 'wheel');
}
$language = ($settings['error_language'] ? $settings['error_language'] : 'en');
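Review bot: The result of `safe_mkdir($piddir, 0755)` is ignored, so `squid_chown_recursive()` still runs on a path that may not exist, just as with the `@mkdir` it replaces; the `$logdir` block in the next hunk has the same shape. Assuming `safe_mkdir()` returns false on failure, `if (!safe_mkdir($piddir, 0755)) { log_error("Squid - could not create {$piddir}"); }` would surface the problem. `$logdir` comes from the `log_dir` setting and is then chowned recursively, so it is worth confirming that the setting is validated as a dedicated directory before it reaches this code.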
@@ -952,13 +1016,13 @@ function squid_resync_general() {
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
if (!is_dir($logdir)) {
- @mkdir($logdir, 0755, true);
+ safe_mkdir($logdir, 0755);
squid_chown_recursive($logdir, SQUID_UID, SQUID_GID);
}
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
- $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on';
- $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger";
+ $pinger_helper = ($settings['disable_pinger']) == 'on' ? 'off' : 'on';
+ $pinger_program = SQUID_LOCALBASE . "/libexec/squid/pinger";
$squid_uid = SQUID_UID;
$squid_gid = SQUID_GID;
@@ -1000,35 +1064,42 @@ EOD;
list($ip, $mask) = $iface;
$ip = long2ip(ip2long($ip) & ip2long($mask));
$mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
- if (!preg_match("@$ip/$mask@",$src))
+ if (!preg_match("@$ip/$mask@", $src)) {
$src .= " $ip/$mask";
+ }
}
$conf .= "# Allow local network(s) on interface(s)\n";
$conf .= "acl localnet src $src\n";
$valid_acls[] = 'localnet';
}
- if ($settings['xforward_mode'])
+ if ($settings['xforward_mode']) {
$conf .= "forwarded_for {$settings['xforward_mode']}\n";
- else
- $conf .= "forwarded_for on\n"; //only used for first run
+ } else {
+ // only used for first run
+ $conf .= "forwarded_for on\n";
+ }
- if ($settings['disable_via'])
+ if ($settings['disable_via']) {
$conf .= "via off\n";
+ }
- if ($settings['disable_squidversion'])
+ if ($settings['disable_squidversion']) {
$conf .= "httpd_suppress_version_string on\n";
+ }
- if (!empty($settings['uri_whitespace']))
+ if (!empty($settings['uri_whitespace'])) {
$conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
- else
- $conf .= "uri_whitespace strip\n"; //only used for first run
+ } else {
+ // only used for first run
+ $conf .= "uri_whitespace strip\n";
+ }
if (!empty($settings['dns_nameservers'])) {
$altdns = explode(";", ($settings['dns_nameservers']));
$conf .= "dns_nameservers ";
foreach ($altdns as $dnssrv) {
- $conf .= $dnssrv." ";
+ $conf .= $dnssrv . " ";
}
}
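Review bot: The duplicate test `preg_match("@$ip/$mask@", $src)` uses the address as a regular expression, so its dots match any character and the match has no boundaries; a constructed example is `10.0.0.0/8` being treated as already present when `$src` contains `110.0.0.0/8`. A token comparison such as `if (!in_array("$ip/$mask", explode(" ", $src), true))` avoids that. The `dns_nameservers` loop at the end of the hunk copies each `;`-separated entry into the config unchecked; an `is_ipaddr(trim($dnssrv))` test per entry would match the validation used elsewhere in the file. The `foreach` this code belongs to starts above the hunk.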
@@ -1038,17 +1109,18 @@ EOD;
function squid_resync_cache() {
global $config, $g;
- if (is_array($config['installedpackages']['squidcache']))
+ if (is_array($config['installedpackages']['squidcache'])) {
$settings = $config['installedpackages']['squidcache']['config'][0];
- else
+ } else {
$settings = array();
+ }
- //apply cache settings
- $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ // apply cache settings
+ $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
$disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
$level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16);
$memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8);
- $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB");
+ $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] . " KB" : "10 KB");
$min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0);
$max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32);
$cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA');
@@ -1066,15 +1138,15 @@ function squid_resync_cache() {
}
// 'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
if ($disk_cache_system != "null") {
- $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
+ $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
}
- //check dynamic content
+ // check dynamic content
if (empty($settings['cache_dynamic_content'])) {
- $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n";
- $conf.="cache deny dynamic\n";
- } else if (preg_match('/youtube/',$settings['refresh_patterns'])) {
+ $conf .= 'acl dynamic urlpath_regex cgi-bin \?' . "\n";
+ $conf .= "cache deny dynamic\n";
+ } elseif (preg_match('/youtube/', $settings['refresh_patterns'])) {
// Broken (Bug #3847) and not working (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube#Discussion)
-/* $conf.=<<< EOC
+/* $conf .= <<< EOC
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
@@ -1085,8 +1157,8 @@ cache allow youtube
EOC;
*/
}
- if (preg_match('/windows/',$settings['refresh_patterns'])) {
- $conf.=<<< EOC
+ if (preg_match('/windows/', $settings['refresh_patterns'])) {
+ $conf .= <<< EOC
# Windows Update refresh_pattern
range_offset_limit -1
@@ -1097,8 +1169,8 @@ refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320
EOC;
}
- if (preg_match('/symantec/',$settings['refresh_patterns'])) {
- $conf.=<<< EOC
+ if (preg_match('/symantec/', $settings['refresh_patterns'])) {
+ $conf .= <<< EOC
# Symantec refresh_pattern
range_offset_limit -1
@@ -1107,8 +1179,8 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re
EOC;
}
- if (preg_match('/avast/',$settings['refresh_patterns'])) {
- $conf.=<<< EOC
+ if (preg_match('/avast/', $settings['refresh_patterns'])) {
+ $conf .= <<< EOC
# Avast refresh_pattern
range_offset_limit -1
@@ -1116,7 +1188,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i
EOC;
}
- if (preg_match('/avira/',$settings['refresh_patterns'])) {
+ if (preg_match('/avira/', $settings['refresh_patterns'])) {
$conf.=<<< EOC
# Avira refresh_pattern
@@ -1125,7 +1197,7 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43
EOC;
}
- $refresh_conf=<<< EOC
+ $refresh_conf = <<< EOC
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
@@ -1135,32 +1207,36 @@ refresh_pattern . 0 20% 4320
EOC;
- if ($settings['custom_refresh_patterns'] !="")
- $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
+ if ($settings['custom_refresh_patterns'] != "") {
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns']) . "\n";
+ }
$conf .= <<< EOD
-cache_mem $memory_cache_size MB
+cache_mem {$memory_cache_size} MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
cache_replacement_policy {$cache_policy}
minimum_object_size {$min_objsize} KB
maximum_object_size {$max_objsize}
-$disk_cache_opts
+{$disk_cache_opts}
offline_mode {$offline_mode}
EOD;
- if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n";
- if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n";
+ if (!empty($settings['cache_swap_low'])) {
+ $conf .= "cache_swap_low {$settings['cache_swap_low']}\n";
+ }
+ if (!empty($settings['cache_swap_high'])) {
+ $conf .= "cache_swap_high {$settings['cache_swap_high']}\n";
+ }
$donotcache = sq_text_area_decode($settings['donotcache']);
if (!empty($donotcache)) {
file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
$conf .= "cache deny donotcache\n";
- }
- elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
+ } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
unlink(SQUID_ACLDIR . '/donotcache.acl');
}
$conf .= "cache allow all\n";
@@ -1171,17 +1247,19 @@ EOD;
function squid_resync_upstream() {
global $config;
- if (!is_array($config['installedpackages']['squidremote']['config']))
+ if (!is_array($config['installedpackages']['squidremote']['config'])) {
$config['installedpackages']['squidremote']['config'] = array();
+ }
$conf = "\n#Remote proxies\n";
foreach ($config['installedpackages']['squidremote']['config'] as $settings) {
if ($settings['enable'] == 'on') {
$conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
- if ($settings['icpport'] == '7')
+ if ($settings['icpport'] == '7') {
$conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
- else
+ } else {
$conf .= "{$settings['icpport']} ";
+ }
// auth settings
if (!empty($settings['username']) && !empty($settings['password'])) {
$conf .= " login={$settings['username']}:{$settings['password']}";
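Review bot: Every `cache_peer` field, including `username` and `password`, is interpolated into squid.conf exactly as stored, so a value containing whitespace, `#` or a line break changes how Squid parses the line or adds a directive of its own. Whether these fields are validated on save is not visible here; if they are not, rejecting whitespace and control characters in the validator is the simplest containment. Encoding the credentials, e.g. `rawurlencode($settings['username']) . ":" . rawurlencode($settings['password'])`, is an option if the `login=` string accepts URL escapes as I recall from the Squid documentation. The upstream password ends up in the generated file in clear text, so that file's mode matters. The loop body continues in the next hunk.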
@@ -1189,14 +1267,18 @@ function squid_resync_upstream() {
$conf .= "{$settings['authoption']} ";
}
// other options settings
- if (!empty($settings['weight']))
+ if (!empty($settings['weight'])) {
$conf .= "weight={$settings['weight']} ";
- if (!empty($settings['basetime']))
+ }
+ if (!empty($settings['basetime'])) {
$conf .= "basetime={$settings['basetime']} ";
- if (!empty($settings['ttl']))
+ }
+ if (!empty($settings['ttl'])) {
$conf .= "ttl={$settings['ttl']} ";
- if (!empty($settings['nodelay']))
+ }
+ if (!empty($settings['nodelay'])) {
$conf .= "no-delay";
+ }
}
$conf .= "\n";
}
@@ -1208,7 +1290,8 @@ function squid_resync_redirector() {
// XXX: What port provide squirm binary? It's not present
$httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
- if ($httpav_enabled) {
+ $redirector = "/usr/local/bin/squirm";
+ if (($httpav_enabled) && is_executable($redirector)) {
$conf = "url_rewrite_program /usr/local/bin/squirm\n";
} else {
$conf = "# No redirector configured\n";
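Review bot: The new `$redirector` variable is used only for the `is_executable()` test while the directive still hard-codes the same path, so the two can drift apart. Writing `$conf = "url_rewrite_program {$redirector}\n";` keeps them tied. When HTTP scanning is enabled but the binary is missing, the code now silently emits `# No redirector configured`; a `log_error()` call in that case would make the downgrade visible to the administrator.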
@@ -1220,10 +1303,11 @@ function squid_resync_nac() {
global $config, $valid_acls;
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
- if (is_array($config['installedpackages']['squidnac']))
+ if (is_array($config['installedpackages']['squidnac'])) {
$settings = $config['installedpackages']['squidnac']['config'][0];
- else
+ } else {
$settings = array();
+ }
$webgui_port = $config['system']['webgui']['port'];
$addtl_ports = $settings['addtl_ports'];
$addtl_sslports = $settings['addtl_sslports'];
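Review bot: `$port` is computed from `$settings['proxy_port']` before `$settings` is assigned, so it always falls back to 3128 whatever proxy port is configured. Moving the line below the assignment would not help, because `$settings` then holds the `squidnac` section, which presumably has no `proxy_port` key. Reading the general section directly, `$gen = $config['installedpackages']['squid']['config'][0]; $port = ($gen['proxy_port'] ? $gen['proxy_port'] : 3128);`, gives the intended value if `$port` is used later in the function, which is outside this hunk.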
@@ -1250,7 +1334,7 @@ acl HTTPS proto HTTPS
EOD;
- $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
+ $allowed_subnets = preg_replace("/\s+/"," ", sq_text_area_decode($settings['allowed_subnets']));
if (!empty($allowed_subnets)) {
$conf .= "acl allowed_subnets src $allowed_subnets\n";
$valid_acls[] = 'allowed_subnets';
@@ -1271,8 +1355,7 @@ EOD;
file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
$conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
$valid_acls[] = $option;
- }
- elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
+ } elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
unlink(SQUID_ACLDIR . "/$option.acl");
}
}
@@ -1320,28 +1403,26 @@ function squid_resync_antivirus() {
else
$antivirus_config = array();
- if ($antivirus_config['enable']=="on") {
+ if ($antivirus_config['enable'] == "on") {
switch ($antivirus_config['client_info']) {
- case "both":
- default:
- $icap_send_client_ip="on";
- $icap_send_client_username="on";
- break;
- case "IP":
- $icap_send_client_ip="on";
- $icap_send_client_username="off";
- break;
- case "username":
- $icap_send_client_ip="off";
- $icap_send_client_username="on";
- break;
- case "none":
- $icap_send_client_ip="off";
- $icap_send_client_username="off";
- break;
+ case "both":
+ default:
+ $icap_send_client_ip = "on";
+ $icap_send_client_username = "on";
+ break;
+ case "ip":
+ $icap_send_client_ip = "on";
+ $icap_send_client_username = "off";
+ break;
+ case "username":
+ $icap_send_client_ip = "off";
+ $icap_send_client_username = "on";
+ break;
+ case "none":
+ $icap_send_client_ip = "off";
+ $icap_send_client_username = "off";
+ break;
}
- if (is_array($config['installedpackages']['squid']))
- $squid_config=$config['installedpackages']['squid']['config'][0];
$conf = <<< EOF
icap_enable on
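Review bot: Renaming the case label from `"IP"` to `"ip"` means a stored `client_info` value of `IP` no longer matches any label and falls into `default`, which shares the `both` branch and turns `icap_send_client_username` on. Unless saved configurations are migrated elsewhere in this commit, accepting both spellings (`case "IP":` directly above `case "ip":`) keeps existing installs from starting to send the user name to the ICAP service. The function starts above the hunk.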
@@ -1360,66 +1441,72 @@ adaptation_access service_avi_resp allow all
EOF;
// check if icap is enabled on rc.conf.local
+ // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way
if (file_exists("/etc/rc.conf.local")) {
- $rc_old_file=file("/etc/rc.conf.local");
+ $rc_old_file = file("/etc/rc.conf.local");
foreach ($rc_old_file as $rc_line) {
- if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)) {
- $rc_file.=$matches[1].'="YES"'."\n";
- ${$matches[1]}="ok";
+ if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/", $rc_line, $matches)) {
+ $rc_file .= $matches[1] . '="YES"' . "\n";
+ ${$matches[1]} = "ok";
+ } else {
+ $rc_file .= $rc_line;
}
- else
- $rc_file.=$rc_line;
}
}
- if (!isset($c_icap_enable))
- $rc_file.='c_icap_enable="YES"'."\n";
- if (!isset($clamav_clamd_enable))
- $rc_file.='clamav_clamd_enable="YES"'."\n";
- file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX);
+ if (!isset($c_icap_enable)) {
+ $rc_file .= 'c_icap_enable="YES"' . "\n";
+ }
+ if (!isset($clamav_clamd_enable)) {
+ $rc_file .= 'clamav_clamd_enable="YES"' . "\n";
+ }
+ file_put_contents("/etc/rc.conf.local", $rc_file, LOCK_EX);
squid_check_clamav_user('clamav');
// patch sample files to pfsense dirs
// squidclamav.conf
- if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) {
- if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")) {
- $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default");
- $clamav_m[0]="@/var/run/clamav/clamd.ctl@";
- $clamav_m[1]="@cgi-bin/clwarn.cgi@";
- $clamav_r[0]="/var/run/clamav/clamd.sock";
- $clamav_r[1]="squid_clwarn.php";
- file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX);
+ if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) {
+ if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default")) {
+ $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default");
+ $clamav_m[0] = "@/var/run/clamav/clamd.ctl@";
+ $clamav_m[1] = "@cgi-bin/clwarn.cgi@";
+ $clamav_r[0] = "/var/run/clamav/clamd.sock";
+ $clamav_r[1] = "squid_clwarn.php";
+ file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX);
}
}
// c-icap.conf
- if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) {
- if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")) {
- $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default");
- if (!preg_match("/squid_clamav/",$sample_file))
- $sample_file.="\nService squid_clamav squidclamav.so\n";
- $cicap_m[0]="@Manager:Apassword\S+@";
- $cicap_r[0]="";
- file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX);
+ if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) {
+ if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) {
+ $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default");
+ if (!preg_match("/squid_clamav/", $sample_file)) {
+ $sample_file .= "\nService squid_clamav squidclamav.so\n";
+ }
+ $cicap_m[0] = "@Manager:Apassword\S+@";
+ $cicap_r[0] = "";
+ file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
}
}
- //check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197)
- $ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap');
+ // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197)
+ $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap');
foreach ($ln_icap as $ln) {
- if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}"))
- symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}");
+ if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) {
+ symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}");
+ }
+ }
+ if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) {
+ symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3");
}
- if (!file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5"))
- symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3");
- $loadsample=0;
- if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")));
+ $loadsample = 0;
+ if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) {
+ $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")));
$loadsample++;
}
- if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")));
+ if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) {
+ $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")));
$loadsample++;
}
- if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")));
+ if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) {
+ $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")));
$loadsample++;
}
if ($loadsample > 0) {
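Review bot: `${$matches[1]} = "ok"` creates a local variable named after text read from `/etc/rc.conf.local`; the alternation limits it to two names, but the pattern has no `=` after the name, so a constructed line such as `c_icap_enable_foo="NO"` is also rewritten to `c_icap_enable="YES"`. Anchoring on the assignment with `preg_match("/^(c_icap_enable|clamav_clamd_enable)=/", $rc_line, $matches)` and tracking hits in an array (`$seen[$matches[1]] = true;`) is easier to follow. `$rc_file` is appended to without being initialised in the visible lines, and the `file_get_contents()` results passed to `preg_replace()` are not checked for `false` before the sample files are written. The heredoc at the start of the hunk opens above it.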
@@ -1435,24 +1522,25 @@ EOF;
"/var/db/clamav" => "clamav"
);
foreach ($dirs as $dir_path => $dir_user) {
- if (!is_dir($dir_path))
- @mkdir($dir_path, 0755, true);
+ safe_mkdir($dir_path, 0755);
squid_chown_recursive($dir_path, $dir_user, "wheel");
}
// Check clamav database
- if (count(glob("/var/db/clamav/*d"))==0) {
- log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background.");
- mwexec_bg(SQUID_BASE."/bin/freshclam");
+ if (count(glob("/var/db/clamav/*d")) == 0) {
+ log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background.");
+ mwexec_bg(SQUID_BASE . "/bin/freshclam");
}
$rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d");
- foreach ($rcd_files as $rcd_file)
- if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}"))
- symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}");
+ foreach ($rcd_files as $rcd_file) {
+ if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/etc/rc.d/{$rcd_file}")) {
+ symlink(SQUID_LOCALBASE . "/etc/rc.d/{$rcd_file}", "/usr/local/etc/rc.d/{$rcd_file}");
+ }
+ }
// write advanced icap config files
- file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX);
- file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX);
- file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX);
// check antivirus daemons
// check icap
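Review bot: `scandir()` returns `false` when the directory is missing, and the loop then iterates over a non-array; the `SQUID_LOCALBASE != '/usr/local'` test is also repeated for every entry although it is constant. Guarding once around the `scandir()` call and the loop, with `if (SQUID_LOCALBASE != '/usr/local' && is_dir(SQUID_LOCALBASE . "/etc/rc.d")) {`, covers both. The three `file_put_contents()` calls write `base64_decode()` output without checking it, so an empty stored value, which is possible if no sample file was available earlier, replaces the ICAP configuration with an empty file.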
@@ -1460,38 +1548,39 @@ EOF;
mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
} else {
// check c-icap user on startup file
- $c_icap_rcfile="/usr/local/etc/rc.d/c-icap";
+ $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap";
if (file_exists($c_icap_rcfile)) {
- $sample_file=file_get_contents($c_icap_rcfile);
- $cicapm[0]="@c_icap_user=.*}@";
- $cicapr[0]='c_icap_user="clamav"}';
- $cicapm[1]="@/usr/local@";
- $cicapr[1]=SQUID_LOCALBASE;
- file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX);
+ $sample_file = file_get_contents($c_icap_rcfile);
+ $cicapm[0] = "@c_icap_user=.*}@";
+ $cicapr[0] = 'c_icap_user="clamav"}';
+ $cicapm[1] = "@/usr/local@";
+ $cicapr[1] = SQUID_LOCALBASE;
+ file_put_contents($c_icap_rcfile, preg_replace($cicapm, $cicapr, $sample_file), LOCK_EX);
}
mwexec_bg("/usr/local/etc/rc.d/c-icap start");
}
// check clamav/freshclam
- $rc_files=array("clamav-freshclam","clamav-clamd");
- $clamm[0]="@/usr/local/(bin|sbin)@";
- $clamm[1]="@/local/(bin|sbin)@";
- $clamm[2]="@/usr/local/etc@";
- $clamm[3]="@enable:=NO@";
- $clamr[0]=SQUID_BASE."/bin";
- $clamr[1]="/bin";
- $clamr[2]=SQUID_LOCALBASE."/etc";
- $clamr[3]="enable:=YES";
+ $rc_files = array("clamav-freshclam", "clamav-clamd");
+ $clamm[0] = "@/usr/local/(bin|sbin)@";
+ $clamm[1] = "@/local/(bin|sbin)@";
+ $clamm[2] = "@/usr/local/etc@";
+ $clamm[3] = "@enable:=NO@";
+ $clamr[0] = SQUID_BASE . "/bin";
+ $clamr[1] = "/bin";
+ $clamr[2] = SQUID_LOCALBASE . "/etc";
+ $clamr[3] = "enable:=YES";
foreach ($rc_files as $rc_file) {
- $clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}";
+ $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}";
if (file_exists($clamav_rcfile)) {
- $sample_file=file_get_contents($clamav_rcfile);
- file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX);
+ $sample_file = file_get_contents($clamav_rcfile);
+ file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX);
}
}
- if (is_process_running("clamd"))
+ if (is_process_running("clamd")) {
mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload");
- else
+ } else {
mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start");
+ }
}
return $conf;
}
@@ -1499,40 +1588,48 @@ EOF;
function squid_resync_traffic() {
global $config, $valid_acls;
- if (!is_array($valid_acls))
+ if (!is_array($valid_acls)) {
return;
- if (is_array($config['installedpackages']['squidtraffic']))
+ }
+ if (is_array($config['installedpackages']['squidtraffic'])) {
$settings = $config['installedpackages']['squidtraffic']['config'][0];
- else
+ } else {
$settings = array();
+ }
$conf = '';
- if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0")
+ if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") {
$conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n";
- if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0")
+ }
+ if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") {
$conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n";
- if (!empty($settings['quick_abort_pct']))
+ }
+ if (!empty($settings['quick_abort_pct'])) {
$conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n";
+ }
$up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0);
$down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0);
$conf .= "request_body_max_size $up_limit KB\n";
- if ($down_limit != 0)
+ if ($down_limit != 0) {
$conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n";
+ }
// Only apply throttling past 10MB
// XXX: Should this really be hardcoded?
$threshold = 10 * 1024 * 1024;
$overall = $settings['overall_throttling'];
- if (!isset($overall) || ($overall == 0))
+ if (!isset($overall) || ($overall == 0)) {
$overall = -1;
- else
+ } else {
$overall *= 1024;
+ }
$perhost = $settings['perhost_throttling'];
- if (!isset($perhost) || ($perhost == 0))
+ if (!isset($perhost) || ($perhost == 0)) {
$perhost = -1;
- else
+ } else {
$perhost *= 1024;
+ }
$conf .= <<< EOD
delay_pools 1
delay_class 1 2
@@ -1555,21 +1652,22 @@ EOD;
$binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com';
$cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi';
$multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m';
- foreach (array( 'throttle_binaries' => $binaries,
- 'throttle_cdimages' => $cdimages,
- 'throttle_multimedia' => $multimedia) as $field => $set) {
- if ($settings[$field] == 'on')
+ foreach (array('throttle_binaries' => $binaries, 'throttle_cdimages' => $cdimages, 'throttle_multimedia' => $multimedia) as $field => $set) {
+ if ($settings[$field] == 'on') {
$exts = array_merge($exts, explode(",", $set));
+ }
}
foreach (explode(",", $settings['throttle_others']) as $ext) {
- if (!empty($ext))
+ if (!empty($ext)) {
$exts[] = $ext;
+ }
}
$contents = '';
- foreach ($exts as $ext)
+ foreach ($exts as $ext) {
$contents .= "\.$ext\$\n";
+ }
file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
$conf .= "# Throttle extensions matched in the url\n";
@@ -1598,24 +1696,27 @@ include('/usr/local/pkg/squid_reverse.inc');
function squid_resync_auth() {
global $config, $valid_acls;
- $write_config=0;
+ $write_config = 0;
if (!is_array($config['installedpackages']['squidauth']['config'])) {
- $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none");
+ $config['installedpackages']['squidauth']['config'][] = array('auth_method'=> "none");
$write_config++;
}
$settings = $config['installedpackages']['squidauth']['config'][0];
- if (is_array($config['installedpackages']['squidnac']['config']))
+ if (is_array($config['installedpackages']['squidnac']['config'])) {
$settingsnac = $config['installedpackages']['squidnac']['config'][0];
- else
+ } else {
$settingsnac = array();
+ }
- if (is_array($config['installedpackages']['squid']['config']))
+ if (is_array($config['installedpackages']['squid']['config'])) {
$settingsconfig = $config['installedpackages']['squid']['config'][0];
- else
+ } else {
$settingsconfig = array();
+ }
- if ($write_config > 0)
+ if ($write_config > 0) {
write_config();
+ }
$conf = '';
@@ -1627,17 +1728,17 @@ function squid_resync_auth() {
// Package integration
if (!empty($settingsconfig['custom_options'])) {
- $co_preg[0]='/;/';
- $co_rep[0]="\n";
- $co_preg[1]="/redirect_program/";
- $co_rep[1]="url_rewrite_program";
- $co_preg[2]="/redirector_bypass/";
- $co_rep[2]="url_rewrite_bypass";
- $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n";
+ $co_preg[0] = '/;/';
+ $co_rep[0] = "\n";
+ $co_preg[1] = "/redirect_program/";
+ $co_rep[1] = "url_rewrite_program";
+ $co_preg[2] = "/redirector_bypass/";
+ $co_rep[2] = "url_rewrite_bypass";
+ $conf .= "# Package Integration\n" . preg_replace($co_preg, $co_rep, $settingsconfig['custom_options']) . "\n\n";
}
// Custom User Options before authentication acls
- $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
+ $conf .= "# Custom options before auth\n" . sq_text_area_decode($settingsconfig['custom_options_squid3']) . "\n\n";
// Deny the banned guys before allowing the good guys
if (!empty($settingsnac['banned_hosts'])) {
@@ -1655,7 +1756,7 @@ function squid_resync_auth() {
// Unrestricted hosts take precedence over blacklist
if (!empty($settingsnac['unrestricted_hosts'])) {
- if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") {
+ if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth'] != "on") {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_hosts\n";
}
@@ -1694,39 +1795,43 @@ function squid_resync_auth() {
}
// Include squidguard denied acl log in squid
- if ($settingsconfig['log_sqd'])
+ if ($settingsconfig['log_sqd']) {
$conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n";
+ }
$transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
if ($transparent_proxy) {
- if (preg_match ("/(none|cp)/",$settings['auth_method']))
- $auth_method=$settings['auth_method'];
- else
- $auth_method="none";
+ if (preg_match ("/(none|cp)/", $settings['auth_method'])) {
+ $auth_method = $settings['auth_method'];
+ } else {
+ $auth_method = "none";
+ }
} else {
- $auth_method=$settings['auth_method'];
+ $auth_method = $settings['auth_method'];
}
// Allow the remaining ACLs if no authentication is set
if ($auth_method == 'none' || $auth_method == 'cp') {
// Include squidguard denied acl log in squid
- if ($settingsconfig['log_sqd'])
- $conf .="http_access deny sglog\n";
+ if ($settingsconfig['log_sqd']) {
+ $conf .= "http_access deny sglog\n";
+ }
}
- if ($auth_method == 'none' ) {
+ if ($auth_method == 'none') {
// SSL interception acl options part 2 without authentication
if ($settingsconfig['ssl_proxy'] == "on") {
$conf .= "always_direct allow all\n";
$conf .= "ssl_bump server-first all\n";
}
- $conf .="# Setup allowed acls\n";
+ $conf .= "# Setup allowed acls\n";
$allowed = array('allowed_subnets');
if ($settingsconfig['allow_interface'] == 'on') {
$conf .= "# Allow local network(s) on interface(s)\n";
$allowed[] = "localnet";
}
$allowed = array_filter($allowed, 'squid_is_valid_acl');
- foreach ($allowed as $acl)
+ foreach ($allowed as $acl) {
$conf .= "http_access allow $acl\n";
+ }
} else {
$noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
if (!empty($noauth)) {
@@ -1739,26 +1844,26 @@ function squid_resync_auth() {
$processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
switch ($auth_method) {
- case 'local':
- $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
- break;
- case 'ldap':
- $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
- $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
- $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
- break;
- case 'radius':
- $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
- break;
- case 'cp':
- $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n";
- $conf .= "acl password external check_cp\n";
- break;
- case 'msnt':
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
- squid_resync_msnt();
- break;
+ case 'local':
+ $conf .= 'auth_param basic program ' . SQUID_LOCALBASE . '/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
+ break;
+ case 'ldap':
+ $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
+ $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+ break;
+ case 'radius':
+ $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ break;
+ case 'cp':
+ $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC " . SQUID_BASE . "/bin/check_ip.php\n";
+ $conf .= "acl password external check_cp\n";
+ break;
+ case 'msnt':
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
+ squid_resync_msnt();
+ break;
}
if ($auth_method != 'cp') {
$conf .= <<< EOD
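Review bot: The `ldap` and `radius` cases put `ldap_pass` and `radius_secret` unquoted on the helper command line that is written into squid.conf. The secret is then readable by anyone who can read that file or list the helper's arguments, and a value containing whitespace is split into extra helper arguments. Prefer the helpers' file-based options (`-W secretfile` for basic_ldap_auth, `-f configfile` for basic_radius_auth), pointing at a file owned by the Squid user with mode 0600. Also reject whitespace and newlines in `ldap_basedomain`, `ldap_user`, `ldap_userattribute` and `auth_server` before interpolating them. The switch sits inside squid_resync_auth(), whose body starts and ends outside this hunk.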
@@ -1770,7 +1875,7 @@ acl password proxy_auth REQUIRED
EOD;
}
// Custom User Options after authentication definition
- $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n";
+ $conf .= "# Custom options after auth\n" . sq_text_area_decode($settingsconfig['custom_options2_squid3']) . "\n\n";
// SSL interception acl options part 2
if ($settingsconfig['ssl_proxy'] == "on") {
@@ -1790,16 +1895,19 @@ EOD;
$passwordless = array_filter($passwordless, 'squid_is_valid_acl');
// Allow the ACLs that don't need to authenticate
- foreach ($passwordless as $acl)
+ foreach ($passwordless as $acl) {
$conf .= "http_access allow $acl\n";
+ }
// Include squidguard denied acl log in squid
- if ($settingsconfig['log_sqd'])
- $conf .="http_access deny password sglog\n";
+ if ($settingsconfig['log_sqd']) {
+ $conf .= "http_access deny password sglog\n";
+ }
// Allow the other ACLs as long as they authenticate
- foreach ($password as $acl)
+ foreach ($password as $acl) {
$conf .= "http_access allow password $acl\n";
+ }
}
$conf .= "# Default block all to be sure\n";
@@ -1814,8 +1922,9 @@ function squid_resync_users() {
$users = $config['installedpackages']['squidusers']['config'];
$contents = '';
if (is_array($users)) {
- foreach ($users as $user)
+ foreach ($users as $user) {
$contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";
+ }
}
file_put_contents(SQUID_PASSWD, $contents);
chown(SQUID_PASSWD, SQUID_UID);
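Review bot: The salt passed to `crypt()` in the loop is `base64_encode($user['password'])`, so it is derived from the secret it is meant to protect. The same password always produces the same hash, and the salt characters stored in the hash disclose the leading bits of the password. With a salt of that shape crypt() presumably falls back to traditional DES, which also ignores everything past the eighth character. Generate the salt independently of the password and pick a stronger scheme that the NCSA helper accepts, for example `crypt($user['password'], '$1$' . $salt . '$')` with `$salt` drawn from a random source, after confirming the scheme against the installed basic_ncsa_auth. The function body starts and ends outside this hunk.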
@@ -1825,20 +1934,21 @@ function squid_resync_users() {
function squid_resync_msnt() {
global $config;
- if (is_array($config['installedpackages']['squidauth']))
+ if (is_array($config['installedpackages']['squidauth'])) {
$settings = $config['installedpackages']['squidauth']['config'][0];
- else
+ } else {
$settings = array();
+ }
$pdcserver = $settings['auth_server'];
- $bdcserver = str_replace(',',' ',$settings['msnt_secondary']);
+ $bdcserver = str_replace(',', ' ', $settings['msnt_secondary']);
$ntdomain = $settings['auth_ntdomain'];
- file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}");
- chown(SQUID_CONFBASE."/msntauth.conf", SQUID_UID);
- chmod(SQUID_CONFBASE."/msntauth.conf", 0600);
+ file_put_contents(SQUID_CONFBASE . "/msntauth.conf", "server {$pdcserver} {$bdcserver} {$ntdomain}");
+ chown(SQUID_CONFBASE . "/msntauth.conf", SQUID_UID);
+ chmod(SQUID_CONFBASE . "/msntauth.conf", 0600);
}
-function squid_resync($via_rpc="no") {
+function squid_resync($via_rpc = "no") {
global $config;
// detect boot process
@@ -1846,20 +1956,19 @@ function squid_resync($via_rpc="no") {
if (!platform_booting()) {
unset($boot_process);
} else {
- $boot_process="on";
+ $boot_process = "on";
}
}
- log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc);
+ log_error("[Squid] - Squid_resync function call pr:" . is_process_running('squid') . " bp:" . isset($boot_process) . " rpc:" . $via_rpc);
- if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no")
+ if (is_process_running('squid') && isset($boot_process) && $via_rpc == "no") {
return;
+ }
conf_mount_rw();
- foreach (array( SQUID_CONFBASE,
- SQUID_ACLDIR,
- SQUID_SSL_DB ) as $dir) {
- @mkdir($dir, 0755, true);
+ foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) {
+ safe_mkdir($dir, 0755);
squid_chown_recursive($dir, SQUID_UID, SQUID_GID);
}
$conf = squid_resync_general() . "\n";
@@ -1869,38 +1978,41 @@ function squid_resync($via_rpc="no") {
$conf .= squid_resync_nac() . "\n";
$conf .= squid_resync_traffic() . "\n";
$conf .= squid_resync_reverse() . "\n";
- $conf .= squid_resync_auth()."\n";
+ $conf .= squid_resync_auth() . "\n";
$conf .= squid_resync_antivirus();
squid_resync_users();
squid_write_rcfile();
- if (!isset($boot_process) || $via_rpc="yes")
+ if (!isset($boot_process) || $via_rpc == "yes") {
squid_sync_on_changes();
+ }
// write config file
file_put_contents(SQUID_CONFFILE, $conf);
/* make sure pinger is executable and suid root */
// XXX: Bug #5114
- if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger"))
- chgrp(SQUID_LOCALBASE. "/libexec/squid/pinger", SQUID_GID);
+ if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) {
+ chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID);
+ }
- $log_dir="";
- // check if squid is enabled
+ $log_dir = "";
+ // check if Squid is enabled
if (is_array($config['installedpackages']['squid']['config'])) {
- if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "")
- $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/';
- }
- // check if squidreverse is enabled
- else if (is_array($config['installedpackages']['squidreversegeneral']['config'])) {
- if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "")
- $log_dir="/var/squid/logs/";
+ if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") {
+ $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'] . '/';
+ }
+ } elseif (is_array($config['installedpackages']['squidreversegeneral']['config'])) {
+ // check if squidreverse is enabled
+ if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") {
+ $log_dir = "/var/squid/logs/";
+ }
}
// do not start squid if there is no log dir
if ($log_dir != "") {
if (!is_dir($log_dir)) {
- log_error("Creating squid log dir $log_dir");
- @mkdir($log_dir, 0755, true);
+ log_error("Creating Squid log dir $log_dir");
+ safe_mkdir($log_dir, 0755);
squid_chown_recursive($log_dir, SQUID_UID, SQUID_GID);
}
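Review bot: `file_put_contents(SQUID_CONFFILE, $conf)` writes the assembled configuration with whatever mode the umask yields, yet `$conf` includes the output of squid_resync_auth(), which elsewhere in this diff embeds the LDAP bind password and RADIUS secret. squid_resync_msnt() already follows its write with chown and `chmod(..., 0600)`; do the same here, e.g. `chown(SQUID_CONFFILE, SQUID_UID); chmod(SQUID_CONFFILE, 0600);` (or 0640 with group SQUID_GID if other package components read the file), and pass `LOCK_EX` as the c-icap writes do. Separately, the comment above the pinger block promises "executable and suid root" while the code only calls `chgrp`, so the comment should be reworded to match. squid_resync() starts and ends outside this hunk.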
@@ -1909,15 +2021,16 @@ function squid_resync($via_rpc="no") {
if (!is_service_running('squid')) {
log_error("Starting Squid");
mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE);
- } else if (!isset($boot_process)) {
+ } elseif (!isset($boot_process)) {
log_error("Reloading Squid for configuration sync");
mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
}
// Sleep for a couple seconds to give squid a chance to fire up fully.
- for ($i=0; $i < 10; $i++) {
- if (!is_service_running('squid'))
+ for ($i = 0; $i < 10; $i++) {
+ if (!is_service_running('squid')) {
sleep(1);
+ }
}
filter_configure();
}
@@ -1931,7 +2044,7 @@ function squid_print_javascript_auth() {
// No authentication for transparent proxy
if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) {
$javascript = <<< EOD
-<script language="JavaScript">
+<script type="text/javascript">
<!--
function on_auth_method_changed() {
document.iform.auth_method.disabled = 1;
@@ -1958,7 +2071,7 @@ function on_auth_method_changed() {
EOD;
} else {
$javascript = <<< EOD
-<script language="JavaScript">
+<script type="text/javascript">
<!--
function on_auth_method_changed() {
var field = document.iform.auth_method;
@@ -2072,68 +2185,53 @@ EOD;
}
function squid_print_javascript_auth2() {
- print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n");
+ print("<script type=\"text/javascript\">on_auth_method_changed()</script>\n");
}
function squid_generate_rules($type) {
- global $config;
+ global $config, $pfs_version;
$squid_conf = $config['installedpackages']['squid']['config'][0];
//check captive portal option
- $cp_file='/etc/inc/captiveportal.inc';
- $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
+ $cp_file = '/etc/inc/captiveportal.inc';
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$cp_inc = file($cp_file);
- $new_cp_inc="";
+ $new_cp_inc = "";
$found_rule=0;
foreach ($cp_inc as $line) {
- $new_line=$line;
+ $new_line = $line;
//remove applied squid patch
- if (preg_match('/skipto 65314 ip/',$line)) {
+ if (preg_match('/skipto 65314 ip/', $line)) {
$found_rule++;
- $new_line ="";
+ $new_line = "";
}
- if (substr($pfsense_version,0,3) > 2.0) {
- if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']) {
- $found_rule++;
- $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
- $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
- }
- } else {
- //add squid patch option based on current config
- if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']) {
- $found_rule++;
- $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
- $new_line .= $line;
- }
- if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']) {
- $found_rule++;
- $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
- $new_line .= $line;
- }
+ if (preg_match('/255.255.255.255/', $line) && $squid_conf['patch_cp']) {
+ $found_rule++;
+ $new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} ' . $port . ' in\n";' . "\n";
+ $new_line .= "\t" . '$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} ' . $port . ' to any out\n";' . "\n";
}
$new_cp_inc .= $new_line;
}
- if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) {
- copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup');
+ if (!file_exists('/root/' . $pfs_version . '.captiveportal.inc.backup')) {
+ copy($cp_file, '/root/' . $pfs_version . '.captiveportal.inc.backup');
}
if ($found_rule > 0) {
- file_put_contents($cp_file,$new_cp_inc, LOCK_EX);
+ file_put_contents($cp_file, $new_cp_inc, LOCK_EX);
}
- //normal squid rule check
+ // normal squid rule check
if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
return;
}
if (!is_service_running('squid')) {
- log_error("SQUID is installed but not started. Not installing \"{$type}\" rules.");
+ log_error("Squid is installed but not started. Not installing \"{$type}\" rules.");
return;
}
// Read assigned interfaces
$proxy_ifaces = explode(",", $squid_conf['active_interface']);
$proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces);
- if ($squid_conf['transparent_proxy']=="on") {
+ if ($squid_conf['transparent_proxy'] == "on") {
$transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']);
$transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces);
} else {
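Review bot: `$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);` reads `$settings`, which is neither declared global nor assigned in the visible part of squid_generate_rules(). The captive portal lines written below therefore always carry port 3128, whatever proxy port is configured. Read the value from the array the function does load (presumably it holds `proxy_port` as it does `ssl_proxy_port`) and force it to an integer, since it is pasted into PHP source written back to `/etc/inc/captiveportal.inc`: `$port = ($squid_conf['proxy_port'] ? (int) $squid_conf['proxy_port'] : 3128);`. The backup name now uses the three-character `$pfs_version`, so one backup is kept per minor series and is not refreshed by later point releases, which should be confirmed as intended. The function continues outside this hunk.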
@@ -2150,118 +2248,123 @@ function squid_generate_rules($type) {
$ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127);
$fw_aliases = filter_generate_aliases();
- if (strstr($fw_aliases, "pptp ="))
+ if (strstr($fw_aliases, "pptp =")) {
$PPTP_ALIAS = "\$pptp";
- else
+ } else {
$PPTP_ALIAS = "\$PPTP";
- if (strstr($fw_aliases, "PPPoE ="))
+ }
+ if (strstr($fw_aliases, "PPPoE =")) {
$PPPOE_ALIAS = "\$PPPoE";
- else
+ } else {
$PPPOE_ALIAS = "\$pppoe";
+ }
// define ports based on transparent options and ssl filtering
- $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
+ $pf_rule_port = ($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
switch($type) {
- case 'nat':
- $rules .= "\n# Setup Squid proxy redirect\n";
- if ($squid_conf['private_subnet_proxy_off'] == 'on') {
- foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
- }
- /* Handle PPPOE case */
- if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ case 'nat':
+ $rules .= "\n# Setup Squid proxy redirect\n";
+ if ($squid_conf['private_subnet_proxy_off'] == 'on') {
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
}
- /* Handle PPTP case */
- if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if (!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ if (is_alias($ip_proxy_off)) {
+ $ip_proxy_off = '$' . $ip_proxy_off;
+ }
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip, 2);
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
+ }
}
- }
- if (!empty($squid_conf['defined_ip_proxy_off'])) {
- $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
- $exempt_ip = "";
- foreach ($defined_ip_proxy_off as $ip_proxy_off) {
- if (!empty($ip_proxy_off)) {
- $ip_proxy_off = trim($ip_proxy_off);
- if (is_alias($ip_proxy_off))
- $ip_proxy_off = '$'.$ip_proxy_off;
- $exempt_ip .= ", $ip_proxy_off";
+ if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
+ $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
+ $exempt_dest = "";
+ foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
+ if (!empty($ip_proxy_off_dest)) {
+ $ip_proxy_off_dest = trim($ip_proxy_off_dest);
+ if (is_alias($ip_proxy_off_dest)) {
+ $ip_proxy_off_dest = '$' . $ip_proxy_off_dest;
+ }
+ $exempt_dest .= ", $ip_proxy_off_dest";
+ }
+ }
+ $exempt_dest = substr($exempt_dest, 2);
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
}
}
- $exempt_ip = substr($exempt_ip,2);
- foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n";
+ foreach ($transparent_ifaces as $t_iface) {
+ $pf_transparent_rule_port = (in_array($t_iface, $ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
+ if (in_array($t_iface, $ssl_ifaces)) {
+ $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
+ }
}
/* Handle PPPOE case */
if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
+ $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
}
/* Handle PPTP case */
if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
- }
- }
- if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
- $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
- $exempt_dest = "";
- foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
- if (!empty($ip_proxy_off_dest)) {
- $ip_proxy_off_dest = trim($ip_proxy_off_dest);
- if (is_alias($ip_proxy_off_dest))
- $ip_proxy_off_dest = '$'.$ip_proxy_off_dest;
- $exempt_dest .= ", $ip_proxy_off_dest";
- }
+ $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
}
- $exempt_dest = substr($exempt_dest,2);
+ $rules .= "\n";
+ break;
+ case 'filter':
+ case 'rule':
foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n";
+ $pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
+ $rules .= "# Setup squid pass rules for proxy\n";
+ $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
+ // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
+ $rules .= "\n";
}
- /* Handle PPPOE case */
- if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
+ $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
}
- /* Handle PPTP case */
if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
}
- }
- foreach ($transparent_ifaces as $t_iface) {
- $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80");
- $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
- if (in_array($t_iface,$ssl_ifaces))
- $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
- }
- /* Handle PPPOE case */
- if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
- $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
- }
- /* Handle PPTP case */
- if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
- }
- $rules .= "\n";
- break;
- case 'filter':
- case 'rule':
- foreach ($transparent_ifaces as $iface) {
- $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
- $rules .= "# Setup squid pass rules for proxy\n";
- $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
- // $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
- $rules .= "\n";
- };
- if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
- $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
- }
- if ($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
- $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
- }
- break;
- default:
- break;
+ break;
+ default:
+ break;
}
return $rules;
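Review bot: Entries from `defined_ip_proxy_off` and `defined_ip_proxy_off_dest` are only trimmed before being joined into `{ $exempt_ip }` and `{ $exempt_dest }`, so a malformed entry reaches the generated pf rules as is, and a value such as a lone `;` produces an empty `{ }` list. Either case can make the ruleset fail to load. After the trim, skip anything that is not an alias, address or subnet, e.g. `if (!is_alias($ip_proxy_off) && !is_ipaddr($ip_proxy_off) && !is_subnet($ip_proxy_off)) { continue; }`, and emit the `no rdr` lines only when the resulting list is non-empty. In the visible lines `$rules` is appended to without being initialised, and `case 'filter'` tests only `$config['pppoe']['mode']` whereas `case 'nat'` also accepts `is_pppoe_server_enabled()`. The function starts outside this hunk.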
@@ -2269,35 +2372,35 @@ function squid_generate_rules($type) {
function squid_write_rcfile() {
/* Declare a variable for the SQUID_CONFFILE constant. */
- /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. */
+ /* Then the variable can be referenced easily in the heredoc text that generates the rc file. */
$squid_conffile_var = SQUID_CONFFILE;
$squid_base = SQUID_BASE;
$rc = array();
$rc['file'] = 'squid.sh';
- $rc['start'] = <<<EOD
-#sysctl net.inet.ip.portrange.reservedhigh=0
-if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then
+ $rc['start'] = <<< EOD
+#/sbin/sysctl net.inet.ip.portrange.reservedhigh=0
+if [ -z "`/bin/ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then
{$squid_base}/sbin/squid -f {$squid_conffile_var}
fi
EOD;
- $rc['stop'] = <<<EOD
+ $rc['stop'] = <<< EOD
{$squid_base}/sbin/squid -k shutdown -f {$squid_conffile_var}
# Just to be sure...
sleep 5
-if [ -f /usr/bin/ipcs ];then
+if [ -x /usr/bin/ipcs ]; then
# http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-22.html#ss22.8
-ipcs | grep '^[mq]' | awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh
+/usr/bin/ipcs | /usr/bin/grep '^[mq]' | /usr/bin/awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh
fi
-killall -9 squid 2>/dev/null
-killall pinger 2>/dev/null
+/usr/bin/killall -9 squid 2>/dev/null
+/usr/bin/killall pinger 2>/dev/null
EOD;
- $rc['restart'] = <<<EOD
-if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then
+ $rc['restart'] = <<< EOD
+if [ -z "`ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then
{$squid_base}/sbin/squid -f {$squid_conffile_var}
else
{$squid_base}/sbin/squid -k reconfigure -f {$squid_conffile_var}
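Review bot: The restart heredoc still calls `ps auxw` through PATH, while the start block was changed to `/bin/ps auxw` and every other tool in this hunk got an absolute path; the restart line should begin with `/bin/ps auxw | /usr/bin/grep` as well. The `ipcrm` emitted by the awk `printf` in the stop block is also left unqualified, although the generated line is piped straight into `/bin/sh`. Giving it an absolute path too would make the script independent of the caller's PATH; it is presumably next to `/usr/bin/ipcs`, which should be confirmed on the target system. The restart heredoc and the rest of squid_write_rcfile continue outside this hunk.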
@@ -2313,46 +2416,48 @@ EOD;
function squid_sync_on_changes() {
global $config, $g;
if (is_array($config['installedpackages']['squidsync']['config'])) {
- $squid_sync=$config['installedpackages']['squidsync']['config'][0];
+ $squid_sync = $config['installedpackages']['squidsync']['config'][0];
$synconchanges = $squid_sync['synconchanges'];
$synctimeout = $squid_sync['synctimeout'];
switch ($synconchanges) {
- case "manual":
- if (is_array($squid_sync[row])) {
- $rs=$squid_sync[row];
- } else {
- log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
- return;
- }
- break;
- case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
- $rs[0]['ipaddress']=$system_carp['synchronizetoip'];
- $rs[0]['username']=$system_carp['username'];
- $rs[0]['password']=$system_carp['password'];
- } else {
- log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.");
+ case "manual":
+ if (is_array($squid_sync['row'])) {
+ $rs = $squid_sync['row'];
+ } else {
+ log_error("[squid] XMLRPC sync is enabled but there is no hosts to push on Squid config.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])) {
+ $system_carp = $config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['ipaddress'] = $system_carp['synchronizetoip'];
+ $rs[0]['username'] = $system_carp['username'];
+ $rs[0]['password'] = $system_carp['password'];
+ } else {
+ log_error("[squid] XMLRPC sync is enabled but there is no system backup hosts to push Squid config.");
+ return;
+ }
+ break;
+ default:
return;
- }
- break;
- default:
- return;
- break;
+ break;
}
if (is_array($rs)) {
- log_error("[squid] xmlrpc sync is starting.");
+ log_error("[squid] XMLRPC sync is starting.");
foreach ($rs as $sh) {
$sync_to_ip = $sh['ipaddress'];
$password = $sh['password'];
- if ($sh['username'])
+ if ($sh['username']) {
$username = $sh['username'];
- else
+ } else {
$username = 'admin';
- if ($password && $sync_to_ip)
- squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout);
+ }
+ if ($password && $sync_to_ip) {
+ squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout);
+ }
}
- log_error("[squid] xmlrpc sync is ending.");
+ log_error("[squid] XMLRPC sync is ending.");
}
}
}
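Review bot: A sync target whose `password` or `ipaddress` is empty is skipped without any log entry in the `foreach ($rs as $sh)` loop, so the log shows "XMLRPC sync is starting." and "XMLRPC sync is ending." even when nothing was pushed to that peer. Now that the `if ($password && $sync_to_ip)` test has braces, an `else` branch such as `log_error("[squid] XMLRPC sync skipped: sync target is missing an IP address or password.");` would make a misconfigured peer visible to whoever monitors the sync. The message should name the problem only and never include the password value.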
@@ -2360,17 +2465,21 @@ function squid_sync_on_changes() {
function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
global $config, $g;
- if (!$username)
+ if (!$username) {
return;
+ }
- if (!$password)
+ if (!$password) {
return;
+ }
- if (!$sync_to_ip)
+ if (!$sync_to_ip) {
return;
+ }
- if (!$synctimeout)
- $synctimeout=250;
+ if (!$synctimeout) {
+ $synctimeout = 250;
+ }
$xmlrpc_sync_neighbor = $sync_to_ip;
@@ -2379,7 +2488,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
$synchronizetoip .= "://";
}
$port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
+ /* If port is empty let's rely on the protocol selection */
if ($port == "") {
if ($config['system']['webgui']['protocol'] == "http")
$port = "80";
@@ -2388,7 +2497,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
}
$synchronizetoip .= $sync_to_ip;
- /* xml will hold the sections to sync */
+ /* XML will hold the sections to sync */
$xml = array();
$xml['squid'] = $config['installedpackages']['squid'];
$xml['squidupstream'] = $config['installedpackages']['squidupstream'];
@@ -2401,64 +2510,65 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
$xml['squidreverseuri'] = $config['installedpackages']['squidreverseuri'];
$xml['squidauth'] = $config['installedpackages']['squidauth'];
$xml['squidusers'] = $config['installedpackages']['squidusers'];
- /* assemble xmlrpc payload */
+ /* Assemble XMLRPC payload */
$params = array(
XML_RPC_encode($password),
XML_RPC_encode($xml)
);
- /* set a few variables needed for sync code borrowed from filter.inc */
+ /* Set a few variables needed for sync */
$url = $synchronizetoip;
- log_error("[Squid] Beginning squid XMLRPC sync to {$url}:{$port}.");
+ log_error("[squid] Beginning Squid XMLRPC sync to {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
- if ($g['debug'])
+ if ($g['debug']) {
$cli->setDebug(1);
- /* send our XMLRPC message and timeout after defined sync timeout value*/
+ }
+ /* Send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}.";
+ $error = "A communication error occurred while attempting Squid XMLRPC sync with {$url}:{$port}.";
log_error($error);
- file_notice("sync_settings", $error, "squid Settings Sync", "");
+ file_notice("sync_settings", $error, "Squid Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting Squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
- file_notice("sync_settings", $error, "squid Settings Sync", "");
+ file_notice("sync_settings", $error, "Squid Settings Sync", "");
} else {
- log_error("[Squid] XMLRPC sync successfully completed with {$url}:{$port}.");
+ log_error("[squid] XMLRPC sync successfully completed with {$url}:{$port}.");
}
- /* tell squid to reload our settings on the destination sync host. */
+ /* Tell Squid to reload our settings on the destination sync host. */
$method = 'pfsense.exec_php';
- $execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
+ $execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
$execcmd .= "squid_resync('yes');";
- /* assemble xmlrpc payload */
+ /* Assemble XMLRPC payload */
$params = array(
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
- log_error("[Squid] XMLRPC reload data {$url}:{$port}.");
+ log_error("[squid] XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if (!$resp) {
- $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communication error occurred while attempting Squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
- file_notice("sync_settings", $error, "squid Settings Sync", "");
+ file_notice("sync_settings", $error, "Squid Settings Sync", "");
} elseif ($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "[Squid] An error code was received while attempting Squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
- file_notice("sync_settings", $error, "squid Settings Sync", "");
+ file_notice("sync_settings", $error, "Squid Settings Sync", "");
} else {
- log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("Squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
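Review bot: In both `elseif ($resp->faultCode())` branches the request is sent a second time after `$cli->setDebug(1)`, and the new `$resp` is dereferenced with `$resp->faultCode()` without the `!$resp` check applied to the first send, so a communication failure on the retry would call a method on a non-object. The retry also repeats the operation on the peer, which for the second call means running the `pfsense.exec_php` reload again, and debug mode may echo a request that carries `$password` in `$params` (to be confirmed against the XML_RPC client in use). Building `$error` from the first response and dropping the `$cli->setDebug(1);` and `$resp = $cli->send($msg, $synctimeout);` lines in both branches avoids all three. The log prefixes are also still mixed after this change: the exec_php fault `$error` keeps `[Squid]` and the final success message has no `[squid]` prefix. squid_do_xmlrpc_sync starts outside this hunk.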