Diffstat (limited to 'config')
-rw-r--r--config/arpwatch.xml7
-rwxr-xr-xconfig/arpwatch_reports.php1
-rw-r--r--config/autoconfigbackup/autoconfigbackup.inc5
-rw-r--r--config/autoconfigbackup/autoconfigbackup.php13
-rw-r--r--config/autoconfigbackup/autoconfigbackup.xml12
-rw-r--r--config/autoconfigbackup/autoconfigbackup_backup.php8
-rw-r--r--config/avahi/avahi.inc49
-rw-r--r--config/bacula-client/bacula-client_fd.xml6
-rw-r--r--config/bind/bind.inc10
-rw-r--r--config/bind/bind.xml30
-rw-r--r--config/bind/bind_acls.xml4
-rw-r--r--config/bind/bind_views.xml2
-rw-r--r--config/bind/bind_zones.xml44
-rw-r--r--config/freeradius2/freeradius.xml16
-rw-r--r--config/freeradius2/freeradiusauthorizedmacs.xml14
-rw-r--r--config/freeradius2/freeradiuscerts.xml2
-rw-r--r--config/freeradius2/freeradiusclients.xml10
-rw-r--r--config/freeradius2/freeradiuseapconf.xml22
-rw-r--r--config/freeradius2/freeradiusinterfaces.xml4
-rw-r--r--config/freeradius2/freeradiusmodulesldap.xml8
-rw-r--r--config/freeradius2/freeradiussettings.xml17
-rw-r--r--config/freeradius2/freeradiussqlconf.xml30
-rw-r--r--config/haproxy-devel/haproxy.inc463
-rw-r--r--config/haproxy-devel/haproxy.xml5
-rw-r--r--config/haproxy-devel/haproxy_files.php176
-rw-r--r--config/haproxy-devel/haproxy_htmllist.inc423
-rw-r--r--config/haproxy-devel/haproxy_listeners.php35
-rw-r--r--config/haproxy-devel/haproxy_listeners_edit.php139
-rw-r--r--config/haproxy-devel/haproxy_pool_edit.php40
-rw-r--r--config/haproxy-devel/pkg_haproxy_tabs.inc2
-rw-r--r--config/imspector/imspector.inc5
-rw-r--r--config/iperf.xml15
-rw-r--r--config/iperfserver.xml8
-rw-r--r--config/mailscanner/mailscanner.inc111
-rw-r--r--config/nmap/nmap.inc22
-rw-r--r--config/nmap/nmap.xml5
-rw-r--r--config/ntopng/ntopng.xml5
-rw-r--r--config/nut/nut.inc23
-rw-r--r--config/open-vm-tools/open-vm-tools.xml8
-rw-r--r--config/open-vm-tools_2/open-vm-tools.xml8
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.inc7
-rwxr-xr-xconfig/openvpn-client-export/openvpn-client-export.xml4
-rwxr-xr-xconfig/postfix/adexport.pl40
-rwxr-xr-xconfig/postfix/postfix.inc140
-rw-r--r--config/postfix/postfix.php50
-rwxr-xr-xconfig/postfix/postfix.widget.php25
-rw-r--r--config/postfix/postfix.xml2
-rwxr-xr-xconfig/postfix/postfix_about.php10
-rw-r--r--config/postfix/postfix_acl.xml2
-rw-r--r--config/postfix/postfix_antispam.xml4
-rw-r--r--config/postfix/postfix_domains.xml4
-rwxr-xr-xconfig/postfix/postfix_queue.php37
-rw-r--r--config/postfix/postfix_recipients.xml2
-rwxr-xr-xconfig/postfix/postfix_search.php20
-rw-r--r--config/postfix/postfix_sync.xml2
-rw-r--r--config/postfix/postfix_view_config.php30
-rw-r--r--config/sarg/sarg_schedule.xml2
-rwxr-xr-xconfig/snort/snort.inc85
-rw-r--r--config/snort/snort.priv.inc1
-rwxr-xr-xconfig/snort/snort.xml9
-rw-r--r--config/snort/snort_check_cron_misc.inc27
-rwxr-xr-xconfig/snort/snort_check_for_rule_updates.php198
-rw-r--r--config/snort/snort_conf_template.inc3
-rw-r--r--config/snort/snort_defs.inc101
-rwxr-xr-xconfig/snort/snort_download_updates.php77
-rw-r--r--config/snort/snort_generate_conf.php39
-rw-r--r--config/snort/snort_interface_logs.php18
-rwxr-xr-xconfig/snort/snort_interfaces_edit.php6
-rw-r--r--config/snort/snort_interfaces_global.php129
-rw-r--r--config/snort/snort_ip_list_mgmt.php37
-rw-r--r--config/snort/snort_ip_reputation.php14
-rw-r--r--config/snort/snort_log_mgmt.php32
-rw-r--r--config/snort/snort_migrate_config.php76
-rw-r--r--config/snort/snort_post_install.php31
-rwxr-xr-xconfig/snort/snort_preprocessors.php150
-rwxr-xr-xconfig/snort/snort_rules.php9
-rw-r--r--config/snort/snort_sid_mgmt.php11
-rwxr-xr-xconfig/squid3/33/squid_reverse.inc36
-rwxr-xr-xconfig/squid3/33/squid_reverse_general.xml27
-rw-r--r--config/squid3/34/check_ip.php86
-rw-r--r--config/squid3/34/pkg_squid.inc11
-rw-r--r--config/squid3/34/sqpmon.sh75
-rwxr-xr-xconfig/squid3/34/squid.inc2458
-rw-r--r--config/squid3/34/squid.xml582
-rwxr-xr-xconfig/squid3/34/squid_antivirus.xml158
-rw-r--r--config/squid3/34/squid_auth.inc446
-rwxr-xr-xconfig/squid3/34/squid_auth.xml270
-rwxr-xr-xconfig/squid3/34/squid_cache.xml322
-rw-r--r--config/squid3/34/squid_cpauth.php24
-rw-r--r--config/squid3/34/squid_extauth.xml106
-rw-r--r--config/squid3/34/squid_ident.php148
-rwxr-xr-xconfig/squid3/34/squid_log_parser.php57
-rwxr-xr-xconfig/squid3/34/squid_monitor.php200
-rwxr-xr-xconfig/squid3/34/squid_monitor_data.php175
-rwxr-xr-xconfig/squid3/34/squid_nac.xml191
-rwxr-xr-xconfig/squid3/34/squid_ng.inc1070
-rwxr-xr-xconfig/squid3/34/squid_ng.xml267
-rwxr-xr-xconfig/squid3/34/squid_reverse.inc245
-rwxr-xr-xconfig/squid3/34/squid_reverse.xml365
-rwxr-xr-xconfig/squid3/34/squid_reverse_general.xml257
-rwxr-xr-xconfig/squid3/34/squid_reverse_peer.xml167
-rwxr-xr-xconfig/squid3/34/squid_reverse_redir.xml182
-rwxr-xr-xconfig/squid3/34/squid_reverse_sync.xml135
-rwxr-xr-xconfig/squid3/34/squid_reverse_uri.xml159
-rwxr-xr-xconfig/squid3/34/squid_sync.xml151
-rwxr-xr-xconfig/squid3/34/squid_traffic.xml208
-rwxr-xr-xconfig/squid3/34/squid_upstream.xml361
-rwxr-xr-xconfig/squid3/34/squid_users.xml137
-rw-r--r--config/squid3/34/swapstate_check.php54
-rw-r--r--config/sshdcond/sshdcond.inc159
-rw-r--r--config/suricata/suricata.inc291
-rw-r--r--config/suricata/suricata.priv.inc6
-rw-r--r--config/suricata/suricata.xml32
-rw-r--r--config/suricata/suricata_alerts.js2
-rw-r--r--config/suricata/suricata_alerts.php29
-rw-r--r--config/suricata/suricata_alerts.widget.php71
-rw-r--r--config/suricata/suricata_app_parsers.php2
-rw-r--r--config/suricata/suricata_barnyard.php31
-rw-r--r--config/suricata/suricata_blocked.php95
-rw-r--r--config/suricata/suricata_check_cron_misc.inc32
-rw-r--r--config/suricata/suricata_check_for_rule_updates.php169
-rw-r--r--config/suricata/suricata_define_vars.php2
-rw-r--r--config/suricata/suricata_defs.inc117
-rw-r--r--config/suricata/suricata_download_updates.php14
-rw-r--r--config/suricata/suricata_etiqrisk_update.php211
-rw-r--r--config/suricata/suricata_flow_stream.php2
-rw-r--r--config/suricata/suricata_generate_yaml.php48
-rw-r--r--config/suricata/suricata_geoipupdate.php137
-rw-r--r--config/suricata/suricata_global.php38
-rw-r--r--config/suricata/suricata_interfaces.php20
-rw-r--r--config/suricata/suricata_interfaces_edit.php15
-rw-r--r--config/suricata/suricata_ip_list_mgmt.php393
-rw-r--r--config/suricata/suricata_ip_reputation.php482
-rw-r--r--config/suricata/suricata_iprep_list_browser.php99
-rw-r--r--config/suricata/suricata_logs_browser.php1
-rw-r--r--config/suricata/suricata_logs_mgmt.php5
-rw-r--r--config/suricata/suricata_migrate_config.php54
-rw-r--r--config/suricata/suricata_passlist.php3
-rw-r--r--config/suricata/suricata_passlist_edit.php3
-rw-r--r--config/suricata/suricata_post_install.php68
-rw-r--r--config/suricata/suricata_rules.php2
-rw-r--r--config/suricata/suricata_rules_flowbits.php2
-rw-r--r--config/suricata/suricata_rulesets.php33
-rw-r--r--config/suricata/suricata_sid_mgmt.php17
-rw-r--r--config/suricata/suricata_suppress.php3
-rw-r--r--config/suricata/suricata_suppress_edit.php1
-rw-r--r--config/suricata/suricata_sync.xml5
-rw-r--r--config/suricata/suricata_uninstall.php50
-rw-r--r--config/suricata/suricata_yaml_template.inc14
-rw-r--r--config/syslog-ng/syslog-ng.inc2
-rw-r--r--config/varnish3/varnish.inc264
-rwxr-xr-xconfig/varnish3/varnish.widget.php89
-rw-r--r--config/varnish3/varnish_backends.xml7
-rw-r--r--config/varnish3/varnish_custom_vcl.xml7
-rw-r--r--config/varnish3/varnish_lb_directors.xml18
-rw-r--r--config/varnish3/varnish_settings.xml18
-rw-r--r--config/varnish3/varnish_sync.xml3
-rw-r--r--config/varnish3/varnish_view_config.php13
-rw-r--r--config/varnish3/varnishstat.php51
-rw-r--r--config/vnstat2/vnstat2.inc2
-rw-r--r--config/vnstat2/vnstat_php_frontend/README4
-rw-r--r--config/vnstat2/vnstat_php_frontend/config.php22
-rw-r--r--config/vnstat2/vnstat_php_frontend/graph.php61
-rw-r--r--config/vnstat2/vnstat_php_frontend/graph_svg.php56
-rw-r--r--config/vnstat2/vnstat_php_frontend/index.php43
-rw-r--r--config/vnstat2/vnstat_php_frontend/json.php81
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/br.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/cn.php40
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/de.php40
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/es.php41
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/fi.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/fr.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/hr.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/hu.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/it.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/no.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/pl.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/ru.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/lang/sk.php39
-rw-r--r--config/vnstat2/vnstat_php_frontend/themes/dark/theme.php28
-rw-r--r--config/vnstat2/vnstat_php_frontend/themes/espresso/theme.php30
-rw-r--r--config/vnstat2/vnstat_php_frontend/themes/light/style.css32
-rw-r--r--config/vnstat2/vnstat_php_frontend/themes/light/theme.php26
-rw-r--r--config/vnstat2/vnstat_php_frontend/themes/red/theme.php28
-rw-r--r--config/vnstat2/vnstat_php_frontend/vnstat.php47
185 files changed, 14682 insertions, 1890 deletions
diff --git a/config/arpwatch.xml b/config/arpwatch.xml
index f77fce34..ea3f6795 100644
--- a/config/arpwatch.xml
+++ b/config/arpwatch.xml
@@ -7,13 +7,10 @@
/* ==========================================================================
/*
arpwatch.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2007 to whom it may belong
+ part of pfSense (https://www.pfsense.org)
+ Copyright (C) 2007-2014 Electric Sheep Fencing LP
All rights reserved.
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
*/
/* ========================================================================== */
/*
diff --git a/config/arpwatch_reports.php b/config/arpwatch_reports.php
index c2b4401e..9b3b1c6c 100755
--- a/config/arpwatch_reports.php
+++ b/config/arpwatch_reports.php
@@ -63,7 +63,6 @@ include("head.inc");
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-<p class="pgtitle"><?=$pgtitle?></p>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
diff --git a/config/autoconfigbackup/autoconfigbackup.inc b/config/autoconfigbackup/autoconfigbackup.inc
index 2c9d18f9..2511a2a1 100644
--- a/config/autoconfigbackup/autoconfigbackup.inc
+++ b/config/autoconfigbackup/autoconfigbackup.inc
@@ -2,7 +2,7 @@
/* $Id$ */
/*
autoconfigbackup.inc
- Copyright (C) 2008 Scott Ullrich
+ Copyright (C) 2008-2014 Electric Sheep Fencing LP
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
@@ -144,9 +144,6 @@ function upload_config($reasonm = "") {
* This file plugs into config.inc (/usr/local/pkg/parse_config)
* and runs every time the running firewall filter changes.
*
- * Written by Scott Ullrich
- * (C) 2008 BSD Perimeter LLC
- *
*/
if(file_exists("/tmp/acb_nooverwrite")) {
diff --git a/config/autoconfigbackup/autoconfigbackup.php b/config/autoconfigbackup/autoconfigbackup.php
index 755c47aa..52b3eca9 100644
--- a/config/autoconfigbackup/autoconfigbackup.php
+++ b/config/autoconfigbackup/autoconfigbackup.php
@@ -357,10 +357,17 @@ EOF;
<center>
<b>Hostname:</b>
<select id="hostname" name="hostname" onChange="document.location='autoconfigbackup.php?hostname=' + this.value;">
- <?foreach($hostnames as $hn):?>
- <option value='<?=$hn?>'><?=$hn?></option>
+ <?
+ $host_not_found = true;
+ foreach($hostnames as $hn):
+ ?>
+ <option value='<?=$hn?>' <? if ($hn == $hostname) {echo " selected=\"selected\""; $host_not_found = false;}?>>
+ <?=$hn?>
+ </option>
<?endforeach?>
- <option value='<?=$hostname?>' SELECTED><?=$hostname?></option>
+ <? if ($host_not_found) { ?>
+ <option value='<?=$hostname?>' SELECTED><?=$hostname?></option>
+ <? } ?>
</select>
</td>
</tr>
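Review bot: Both `$hn` and `$hostname` are written into the option markup unescaped on the added lines (the value attribute and the option text), and the fallback option at the end reflects `$hostname` verbatim whenever it matched nothing in `$hostnames`. Because the select's onChange rebuilds the page URL from `?hostname=`, `$hostname` is plausibly request-controlled, which would make that fallback a reflected-XSS sink; wrap each echo as `<?=htmlspecialchars($hn, ENT_QUOTES)?>` and `<?=htmlspecialchars($hostname, ENT_QUOTES)?>`. The inline handler should likewise pass `this.value` through `encodeURIComponent` before appending it. The surrounding PHP/HTML block starts outside the hunk.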
diff --git a/config/autoconfigbackup/autoconfigbackup.xml b/config/autoconfigbackup/autoconfigbackup.xml
index ee125efc..eb3f7545 100644
--- a/config/autoconfigbackup/autoconfigbackup.xml
+++ b/config/autoconfigbackup/autoconfigbackup.xml
@@ -7,8 +7,8 @@
/* $Id$ */
/*
autoconfigbackup.xml
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2008 BSD Perimeter
+ part of pfSense (https://www.pfsense.org)
+ Copyright (C) 2008-2014 Electric Sheep Fencing LP
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -37,7 +37,7 @@
<description>Automatically backs up your pfSense configuration. All contents are encrypted before being sent to the server. Requires Gold Subscription from https://portal.pfsense.org</description>
<requirements>pfSense Portal subscription</requirements>
<name>AutoConfigBackup</name>
- <version>1.25</version>
+ <version>1.28</version>
<title>Diagnostics: Auto Configuration Backup</title>
<savetext>Change</savetext>
<include_file>/usr/local/pkg/autoconfigbackup.inc</include_file>
@@ -132,12 +132,6 @@
<fieldname>crypto_password2</fieldname>
<type>password</type>
</field>
- <field>
- <fielddescr>Test connection</fielddescr>
- <description>Check this box to test the connection to portal.pfsense.org.</description>
- <fieldname>testconnection</fieldname>
- <type>checkbox</type>
- </field>
</fields>
<custom_php_validation_command>
custom_php_validation_command($_POST, $input_errors);
diff --git a/config/autoconfigbackup/autoconfigbackup_backup.php b/config/autoconfigbackup/autoconfigbackup_backup.php
index f14b8aed..3c5ea423 100644
--- a/config/autoconfigbackup/autoconfigbackup_backup.php
+++ b/config/autoconfigbackup/autoconfigbackup_backup.php
@@ -105,14 +105,6 @@ include("head.inc");
</td>
</tr>
<tr>
- <td align="right">
- Do not overwrite previous backups for this hostname:
- </td>
- <td>
- <input type="checkbox" name="nooverwrite">
- </td>
- </tr>
- <tr>
<td>
&nbsp;
</td>
diff --git a/config/avahi/avahi.inc b/config/avahi/avahi.inc
index a22d94c0..554a647c 100644
--- a/config/avahi/avahi.inc
+++ b/config/avahi/avahi.inc
@@ -34,15 +34,9 @@ switch ($pfs_version) {
case "1.2":
case "2.0":
define('AVAHI_BASE', '/usr/local');
- define('AVAHI_LOCALBASE', AVAHI_BASE);
- break;
- case "2.1":
- define('AVAHI_BASE', '/usr/pbi/avahi-' . php_uname("m"));
- define('AVAHI_LOCALBASE', AVAHI_BASE);
break;
default:
define('AVAHI_BASE', '/usr/pbi/avahi-' . php_uname("m"));
- define('AVAHI_LOCALBASE', AVAHI_BASE . '/local');
}
function avahi_start() {
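Review bot: The `AVAHI_LOCALBASE` define is removed from every branch of the switch, so any reference to it that survives outside the visible hunks would now evaluate to the bare string `'AVAHI_LOCALBASE'` with a PHP notice and build a wrong path; the later hunks in this file convert their uses, but the rest of avahi.inc is not shown, so this is worth a grep before merging. A one-line comment above the switch such as `// AVAHI_BASE is the only install prefix; AVAHI_LOCALBASE was dropped` would also stop the next reader from reintroducing it. The switch begins before the hunk.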
@@ -54,27 +48,11 @@ function avahi_stop() {
}
function avahi_install() {
- global $g, $config, $pfs_version;
+ global $g, $config;
conf_mount_rw();
- // This old hacky install code should only happen on 1.x
- if (php_uname("m") == "i386")
- $archive = (substr(trim(file_get_contents("/etc/version")),0,1) == "1") ? "avahi.tar.gz" : "";
- // Extract out libraries and avahi-daemon
- if(!empty($archive) && file_exists("/root/{$archive}")) {
- exec("mkdir -p " . AVAHI_LOCALBASE . "/etc/avahi/services/");
- exec("mv " . AVAHI_LOCALBASE . "/etc/avahi/*.service " . AVAHI_LOCALBASE . "/etc/avahi/services/");
- exec("/usr/bin/tar xzPUf /root/{$archive} -C /");
- unlink("/root/{$archive}");
- // Make sure everthing was extracted
- if(!file_exists(AVAHI_BASE . "/sbin/avahi-daemon")) {
- log_error("Sorry, something went wrong while extract avahi binaries. Please try the operation again");
- return;
- }
- }
-
- if ($pfs_version >= 2.2 && !file_exists('/usr/local/etc/gnome.subr')) {
- @symlink(AVAHI_LOCALBASE . '/etc/gnome.subr', '/usr/local/etc/gnome.subr');
+ if (!file_exists('/usr/local/etc/gnome.subr')) {
+ @symlink(AVAHI_BASE . '/etc/gnome.subr', '/usr/local/etc/gnome.subr');
}
// Add needed users and groups
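Review bot: On the 1.2/2.0 branch of the switch above, `AVAHI_BASE` is `/usr/local`, so the new unconditional `@symlink(AVAHI_BASE . '/etc/gnome.subr', '/usr/local/etc/gnome.subr')` links the path to itself whenever the file is absent, leaving a self-referencing symlink that the `@` suppression hides; the removed `$pfs_version >= 2.2` guard used to prevent this. Guard on the source differing from the target, e.g. `if (AVAHI_BASE !== '/usr/local' && !file_exists('/usr/local/etc/gnome.subr')) {`, and log when `symlink()` returns false rather than suppressing it. The generated rc script in the later hunk of this file (`ln -sf ... /usr/local/etc/gnome.subr`) has the same self-link problem on that branch. avahi_install continues beyond the hunk.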
@@ -168,8 +146,8 @@ rlimit-nproc=3
EOF;
/* Write out .conf file */
- safe_mkdir(AVAHI_LOCALBASE . "/etc/avahi");
- $fd = fopen(AVAHI_LOCALBASE . "/etc/avahi/avahi-daemon.conf", "w");
+ safe_mkdir(AVAHI_BASE . "/etc/avahi");
+ $fd = fopen(AVAHI_BASE . "/etc/avahi/avahi-daemon.conf", "w");
fwrite($fd, $avahiconfig);
fclose($fd);
/* Write out rc.d startup file */
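Review bot: The `fopen()` on the new `AVAHI_BASE . "/etc/avahi/avahi-daemon.conf"` path is still unchecked, so if the directory is missing or read-only the `fwrite()`/`fclose()` calls run on `false`, emit warnings, and the daemon is later started with no config; add `if ($fd === false) { log_error("Could not write avahi-daemon.conf"); return; }` after the open, or switch to `file_put_contents()` and test its result. The enclosing function starts and ends outside the hunk.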
@@ -178,19 +156,26 @@ EOF;
$start .= " mkdir -p /proc\n";
$start .= " mount -t procfs procfs /proc\n";
$start .= "fi\n";
+ $start .= "if [ ! -f /usr/local/etc/gnome.subr ]; then\n";
+ $start .= " ln -sf " . AVAHI_BASE . "/etc/gnome.subr /usr/local/etc/gnome.subr\n";
+ $start .= "fi\n";
+ $start .= "if [ ! -d /var/run/dbus ]; then\n";
+ $start .= " mkdir /var/run/dbus\n";
+ $start .= " chown messagebus:messagebus /var/run/dbus\n";
+ $start .= "fi\n";
$start .= "/usr/bin/killall avahi-daemon >/dev/null 2>&1\n";
- if (file_exists(AVAHI_LOCALBASE . "/etc/rc.d/dbus")) {
- $start .= AVAHI_LOCALBASE . "/etc/rc.d/dbus onestop\n";
+ if (file_exists(AVAHI_BASE . "/etc/rc.d/dbus")) {
+ $start .= AVAHI_BASE . "/etc/rc.d/dbus onestop\n";
$start .= "rm /var/run/dbus/dbus.pid >/dev/null 2>&1\n";
- $start .= AVAHI_LOCALBASE . "/etc/rc.d/dbus onestart\n";
+ $start .= AVAHI_BASE . "/etc/rc.d/dbus onestart\n";
}
$start .= "sleep 5\n";
$start .= AVAHI_BASE . "/sbin/avahi-daemon -D\n";
$start .= "/etc/rc.conf_mount_ro\n";
$stop = "/usr/bin/killall avahi-daemon >/dev/null 2>&1\n";
- if (file_exists(AVAHI_LOCALBASE . "/etc/rc.d/dbus")) {
- $stop .= AVAHI_LOCALBASE . "/etc/rc.d/dbus onestop\n";
+ if (file_exists(AVAHI_BASE . "/etc/rc.d/dbus")) {
+ $stop .= AVAHI_BASE . "/etc/rc.d/dbus onestop\n";
$stop .= "rm /var/run/dbus/dbus.pid >/dev/null 2>&1\n";
}
diff --git a/config/bacula-client/bacula-client_fd.xml b/config/bacula-client/bacula-client_fd.xml
index d6a6a8f0..08a64ea1 100644
--- a/config/bacula-client/bacula-client_fd.xml
+++ b/config/bacula-client/bacula-client_fd.xml
@@ -80,12 +80,12 @@
<required/>
</field>
<field>
- <fielddescr>Maximun Concurrent Jobs</fielddescr>
+ <fielddescr>Maximum Concurrent Jobs</fielddescr>
<fieldname>jobs</fieldname>
<type>input</type>
<size>3</size>
<required/>
- <description>Maximun Concurrent Jobs. Default : 20</description>
+ <description>Maximum Concurrent Jobs. Default : 20</description>
</field>
</fields>
@@ -104,4 +104,4 @@
<custom_php_resync_config_command>
baculaclient_custom_php_write_config();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/bind/bind.inc b/config/bind/bind.inc
index 4f6e0d87..54d536d0 100644
--- a/config/bind/bind.inc
+++ b/config/bind/bind.inc
@@ -876,13 +876,13 @@ function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$ma
/* send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
if(!$resp) {
- $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port}.";
+ $error = "A communications error occurred while attempting BIND XMLRPC sync with {$url}:{$port}.";
log_error($error);
file_notice("sync_settings", $error, "bind Settings Sync", "");
} elseif($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "An error code was received while attempting BIND XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "bind Settings Sync", "");
} else {
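Review bot: The log text is changed to "BIND" but the unchanged `file_notice()` calls in this hunk and the next still pass `"bind Settings Sync"` (and `"Bind Settings Sync"` once) as the notice title, so the GUI notice and the log line now disagree on the product name; change them to `"BIND Settings Sync"` for consistency with the new messages. bind_do_xmlrpc_sync begins before this hunk and continues after it.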
@@ -905,17 +905,17 @@ function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$ma
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if(!$resp) {
- $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ $error = "A communications error occurred while attempting BIND XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "Bind Settings Sync", "");
} elseif($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
- $error = "[Bind] An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ $error = "[Bind] An error code was received while attempting BIND XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "bind Settings Sync", "");
} else {
- log_error("Bind XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ log_error("BIND XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
diff --git a/config/bind/bind.xml b/config/bind/bind.xml
index beb96589..5e5f9e9b 100644
--- a/config/bind/bind.xml
+++ b/config/bind/bind.xml
@@ -52,8 +52,8 @@
<title>Bind: Domain Named Settings</title>
<include_file>/usr/local/pkg/bind.inc</include_file>
<menu>
- <name>Bind Server</name>
- <tooltiptext>Modify Bind settings</tooltiptext>
+ <name>BIND Server</name>
+ <tooltiptext>Modify BIND settings</tooltiptext>
<section>Services</section>
<url>/pkg_edit.php?xml=bind.xml</url>
</menu>
@@ -135,17 +135,17 @@
<fieldname>temp01</fieldname>
</field>
<field>
- <fielddescr>Enable Bind</fielddescr>
+ <fielddescr>Enable BIND</fielddescr>
<fieldname>enable_bind</fieldname>
- <description><![CDATA[Enable DNS Bind on Server<br>
- Disable Dns forwarder service on selected interfaces before enabling bind.]]></description>
+ <description><![CDATA[Enable BIND DNS server<br>
+ Disable DNS Forwarder and Resolver services on selected interfaces before enabling BIND.]]></description>
<type>checkbox</type>
<required/>
</field>
<field>
- <fielddescr>Listen-on</fielddescr>
+ <fielddescr>Listen on</fielddescr>
<fieldname>listenon</fieldname>
- <description><![CDATA[Enable Named to listen on.]]></description>
+ <description><![CDATA[Choose the interfaces on which to enable BIND.]]></description>
<type>interfaces_selection</type>
<showlistenall/>
<showvirtualips/>
@@ -160,7 +160,7 @@
<field>
<fielddescr>Hide Version</fielddescr>
<fieldname>bind_hide_version</fieldname>
- <description>Hide the version of BIND (do not process queries to version.bind at all). This makes it more difficult to exploit the server.</description>
+ <description>Hide the version of BIND (ignore queries for version.bind).</description>
<type>checkbox</type>
</field>
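Review bot: The shortened description drops the reason the option exists, which is the information an administrator needs to decide whether to enable it; suggest `<description>Hide the version of BIND (ignore queries for version.bind) to reduce fingerprinting of the server.</description>`.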
<field>
@@ -179,13 +179,13 @@
<field>
<fielddescr>Enable logging</fielddescr>
<fieldname>bind_logging</fieldname>
- <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description>
+ <description><![CDATA[Enable BIND logs under Status > System logs, Resolver tab.]]></description>
<type>checkbox</type>
</field>
<field>
- <fielddescr>Loggin serverity</fielddescr>
+ <fielddescr>Logging serverity</fielddescr>
<fieldname>log_severity</fieldname>
- <description><![CDATA[Select logging levels for selected categories.<BR>
+ <description><![CDATA[Choose logging levels for selected categories.<BR>
use CTRL+click to select/unselect.<br>
The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description>
<type>select</type>
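Review bot: The corrected label still misspells "severity" on the added `Logging serverity` line; change it to `<fielddescr>Logging severity</fielddescr>`.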
@@ -202,7 +202,7 @@
</options>
</field>
<field>
- <fielddescr>Loggin options</fielddescr>
+ <fielddescr>Logging options</fielddescr>
<fieldname>log_options</fieldname>
<description><![CDATA[Select categories to log.<BR>
use CTRL+click to select/unselect.]]></description>
@@ -266,16 +266,16 @@
<fieldname>temp01</fieldname>
</field>
<field>
- <fielddescr>Forwarder</fielddescr>
+ <fielddescr>Enable Forwarding</fielddescr>
<fieldname>bind_forwarder</fieldname>
- <description>Forwardes enable DNS Bind on Server.</description>
+ <description>Enable forwarding queries to other DNS servers listed below rather than this server performing its own recursion.</description>
<type>checkbox</type>
<enablefields>bind_forwarder_ips</enablefields>
</field>
<field>
<fielddescr>Forwarder IPs</fielddescr>
<fieldname>bind_forwarder_ips</fieldname>
- <description>Enter IPs to forward. Separate by semi-colons (;). [Applies only to Forwarder mode]</description>
+ <description>Enter IPs of DNS servers to use for recursion. Separate by semi-colons (;). Applies only if Enable Forwarding is chosen.</description>
<type>input</type>
<size>80</size>
</field>
diff --git a/config/bind/bind_acls.xml b/config/bind/bind_acls.xml
index dbd9e29d..c9b49f47 100644
--- a/config/bind/bind_acls.xml
+++ b/config/bind/bind_acls.xml
@@ -48,10 +48,10 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>bindacls</name>
<version>0.1.0</version>
- <title>Bind: ACLs Settings</title>
+ <title>BIND: ACLs Settings</title>
<include_file>/usr/local/pkg/bind.inc</include_file>
<menu>
- <name>Bind Server</name>
+ <name>BIND Server</name>
<tooltiptext></tooltiptext>
<section>Services</section>
<configfile>bind.xml</configfile>
diff --git a/config/bind/bind_views.xml b/config/bind/bind_views.xml
index a6c42552..505f2b0d 100644
--- a/config/bind/bind_views.xml
+++ b/config/bind/bind_views.xml
@@ -51,7 +51,7 @@
<title>Bind: Views Settings</title>
<include_file>/usr/local/pkg/bind.inc</include_file>
<menu>
- <name>Bind Server</name>
+ <name>BIND Server</name>
<tooltiptext></tooltiptext>
<section>Services</section>
<configfile>bind.xml</configfile>
diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml
index d771ada6..1576cd79 100644
--- a/config/bind/bind_zones.xml
+++ b/config/bind/bind_zones.xml
@@ -48,10 +48,10 @@
<faq>Currently there are no FAQ items provided.</faq>
<name>bindzone</name>
<version>none</version>
- <title>Bind: Zones Settings</title>
+ <title>BIND: Zones Settings</title>
<include_file>/usr/local/pkg/bind.inc</include_file>
<menu>
- <name>Bind Server</name>
+ <name>BIND Server</name>
<tooltiptext></tooltiptext>
<section>Services</section>
<configfile>bind.xml</configfile>
@@ -118,22 +118,22 @@
<field>
<fielddescr>Disable this zone</fielddescr>
<fieldname>disabled</fieldname>
- <description><![CDATA[Do not Include this zone on bind config files.]]></description>
+ <description><![CDATA[Do not include this zone in BIND config files.]]></description>
<type>checkbox</type>
</field>
<field>
<fielddescr>Zone Name</fielddescr>
<fieldname>name</fieldname>
- <description><![CDATA[Enter the name for zone (ex:mydomain.com)<br>
- For reverse zones, include zone ip in reverse order or following your provider instructions.(Ex: 1.168.192)<br>
- IN-ADDR.ARPA will be automaticaly included on conf files when reverse zone option is checked.]]></description>
+ <description><![CDATA[Enter the name for zone (e.g. example.com)<br>
+ For reverse zones, include zone IP in reverse order. (e.g. 1.168.192)<br>
+ IN-ADDR.ARPA will be automaticaly included in config files when reverse zone option is checked.]]></description>
<type>input</type>
<required/>
</field>
<field>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
- <description>Enter the description for this zone.</description>
+ <description>Enter a description for this zone.</description>
<type>input</type>
<size>70</size>
</field>
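Review bot: The rewritten zone-name description keeps the typo "automaticaly" on its last added line; change that line to `IN-ADDR.ARPA will be automatically included in config files when reverse zone option is checked.]]></description>`.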
@@ -167,7 +167,7 @@
<type>checkbox</type>
</field>
<field>
- <fielddescr>custom Option</fielddescr>
+ <fielddescr>Custom Option</fielddescr>
<fieldname>custom</fieldname>
<description>You can put your own custom options here.</description>
<type>textarea</type>
@@ -184,7 +184,7 @@
<fielddescr>Inline Signing</fielddescr>
<fieldname>dnssec</fieldname>
<enablefields>backupkeys</enablefields>
- <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description>
+ <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC signing</a> for this zone.]]></description>
<type>checkbox</type>
</field>
<field>
@@ -194,10 +194,10 @@
<type>checkbox</type>
</field>
<field>
- <fielddescr>DS set</fielddescr>
+ <fielddescr>DSSET</fielddescr>
<fieldname>dsset</fieldname>
- <description><![CDATA[Digest fingerprint of the Key Signing KeyResulting for this zone.<br>
- Upload this ds set to your domain root server.]]></description>
+ <description><![CDATA[Digest fingerprint of the Key Signing Key for this zone.<br>
+ Upload this DSSET to your domain root server.]]></description>
<type>textarea</type>
<cols>75</cols>
<rows>3</rows>
@@ -211,7 +211,7 @@
<field>
<fielddescr>Master Zone IP</fielddescr>
<fieldname>slaveip</fieldname>
- <description>If zone is slave, enter the IP address of the master DNS zone.</description>
+ <description>If this is a slave zone, enter the IP address of the master DNS server.</description>
<type>input</type>
</field>
<field>
@@ -222,7 +222,7 @@
<field>
<fielddescr>Forwarders</fielddescr>
<fieldname>forwarders</fieldname>
- <description>Enter forwarders IPs for this domain. Separate by semi-colons (;).</description>
+ <description>Enter forwarder IPs for this domain. Separate by semicolons (;).</description>
<type>input</type>
<size>70</size>
</field>
@@ -245,9 +245,9 @@
<type>input</type>
</field>
<field>
- <fielddescr>Base Domain ip</fielddescr>
+ <fielddescr>Base Domain IP</fielddescr>
<fieldname>ipns</fieldname>
- <description>Enter ip address for base domain lookup. Ex: nslookup mydomain.com</description>
+ <description>Enter IP address for base domain lookup. Ex: nslookup mydomain.com</description>
<type>input</type>
</field>
<field>
@@ -259,7 +259,7 @@
<field>
<fielddescr>Serial</fielddescr>
<fieldname>serial</fieldname>
- <description>Parsed value for the slave to update the DNS Zone</description>
+ <description>Parsed value for the slave to update the DNS zone</description>
<type>input</type>
</field>
<field>
@@ -333,7 +333,7 @@
</field>
<field>
<fielddescr>Enter Domain records.</fielddescr>
- <description><![CDATA[<b>"Record"</b> is the name or last octec of ip. Sample: www or pop<br>
+ <description><![CDATA[<b>"Record"</b> is the name or last octet of IP. Example: www or pop<br>
<b>"Type"</b> is the type of the record Sample: A CNAME MX NS<br>
<b>"Priority"</b> in used only in mx records to define its priority<br>
<b>"Alias or IP address"</b> is the destination host or ip address.<br><br>
@@ -377,7 +377,7 @@
<rowhelperfield>
<fielddescr>Alias or IP address</fielddescr>
<fieldname>hostdst</fieldname>
- <description>Enter the IP address or CNAME destination for Domain (ex: 10.31.11.1 or mail.example.com)</description>
+ <description>Enter the IP address or FQDN destination for domain MX (ex: 10.31.11.1 or mail.example.com)</description>
<type>input</type>
<size>35</size>
</rowhelperfield>
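Review bot: The new description narrows this rowhelper field to "domain MX", but the record-list help earlier in the file lists A, CNAME, MX and NS types and describes this column as the destination host or IP address for any record, so the new wording may mislead for non-MX rows; suggest `<description>Enter the IP address or FQDN destination for this record (ex: 10.31.11.1 or mail.example.com)</description>`.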
@@ -398,7 +398,7 @@
<field>
<fielddescr></fielddescr>
<fieldname>customzonerecords</fieldname>
- <description><![CDATA[Paste any custom zone records to include on this zone.<br>
+ <description><![CDATA[Paste any custom zone records to include in this zone.<br>
This can be used for a fast migration setup.]]></description>
<type>textarea</type>
<cols>84</cols>
@@ -409,12 +409,12 @@
</field>
<field>
<type>listtopic</type>
- <name>Resulting Zone config file</name>
+ <name>Resulting zone config file</name>
</field>
<field>
<fielddescr></fielddescr>
<fieldname>resultconfig</fieldname>
- <description>Resulting bind config file for this zone.</description>
+ <description>Resulting BIND config file for this zone.</description>
<type>textarea</type>
<cols>84</cols>
<rows>15</rows>
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index 13b4123a..8cef9430 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -204,7 +204,7 @@
</adddeleteeditpagefields>
<fields>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>General Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -280,19 +280,19 @@
<default_value>0</default_value>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION</name>
+ <name>Miscellaneous Configuration</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Number of simultaneous connections</fielddescr>
<fieldname>varuserssimultaneousconnect</fieldname>
- <description><![CDATA[The maximum of simultaneous connections with this username. If you leave this field empty than there is no limit. If you are using FreeRADIUS with CaptivePortal you should leave this empty. Read the documentation!]]></description>
+ <description><![CDATA[The maximum of simultaneous connections with this username. If you leave this field empty than there is no limit. If you are using FreeRADIUS with Captive Portal you should leave this empty. Read the documentation!]]></description>
<type>input</type>
</field>
<field>
<fielddescr>Redirection URL</fielddescr>
<fieldname>varuserswisprredirectionurl</fieldname>
- <description><![CDATA[Enter the URL the user should be redirected to after successfull login. (e.g.: http://www.google.com)]]></description>
+ <description><![CDATA[Enter the URL the user should be redirected to after successful login. (e.g.: http://www.google.com)]]></description>
<type>input</type>
</field>
<field>
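Review bot: The rewritten description on L782 keeps the typo "than" in "If you leave this field empty than there is no limit"; it should read `If you leave this field empty then there is no limit.` The same kind of leftover misspelling survives in other rewritten lines of this commit: "accesspoint" on L940, "input/ouput" on L998 and "plattforms" on L1125. Since the commit is a copy-editing pass, these are worth fixing before it lands.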
@@ -302,7 +302,7 @@
<type>input</type>
</field>
<field>
- <name>NETWORK CONFIGURATION</name>
+ <name>Network Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -339,7 +339,7 @@
<type>input</type>
</field>
<field>
- <name>TIME CONFIGURATION</name>
+ <name>Time Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -384,7 +384,7 @@
</options>
</field>
<field>
- <name>TRAFFIC AND BANDWIDTH</name>
+ <name>Traffic and Bandwidth</name>
<type>listtopic</type>
</field>
<field>
@@ -425,7 +425,7 @@
<type>input</type>
</field>
<field>
- <name>ADVANCED CONFIGURATION</name>
+ <name>Advanced Configuration</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml
index 05b5515a..594e7398 100644
--- a/config/freeradius2/freeradiusauthorizedmacs.xml
+++ b/config/freeradius2/freeradiusauthorizedmacs.xml
@@ -200,7 +200,7 @@
</adddeleteeditpagefields>
<fields>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>General Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -227,13 +227,13 @@
<type>input</type>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION</name>
+ <name>Miscellaneous Configuration</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Redirection URL</fielddescr>
<fieldname>varmacsswisprredirectionurl</fieldname>
- <description><![CDATA[Enter the URL the MAC should be redirected to after successfull login. (e.g.: http://www.google.com)]]></description>
+ <description><![CDATA[Enter the URL the MAC should be redirected to after successful login. (e.g.: http://www.google.com)]]></description>
<type>input</type>
</field>
<field>
@@ -250,7 +250,7 @@
<type>input</type>
</field>
<field>
- <name>NETWORK CONFIGURATION</name>
+ <name>Network Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -287,7 +287,7 @@
<type>input</type>
</field>
<field>
- <name>TIME CONFIGURATION</name>
+ <name>Time Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -331,7 +331,7 @@
</options>
</field>
<field>
- <name>TRAFFIC AND BANDWIDTH</name>
+ <name>Traffic and Bandwidth</name>
<type>listtopic</type>
</field>
<field>
@@ -372,7 +372,7 @@
<type>input</type>
</field>
<field>
- <name>ADVANCED CONFIGURATION</name>
+ <name>Advanced Configuration</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 6108215b..4909411a 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -98,7 +98,7 @@
</tabs>
<fields>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>General Configuration</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 215a751e..4e66a597 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -132,13 +132,13 @@
</adddeleteeditpagefields>
<fields>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>General Configuration</name>
<type>listtopic</type>
</field>
<field>
<fielddescr>Client IP Address</fielddescr>
<fieldname>varclientip</fieldname>
- <description><![CDATA[Enter the IP address of the client. This is in general the IP of the NAS (switch,accesspoint).]]></description>
+ <description><![CDATA[Enter the IP address of the RADIUS client. This is the IP of the NAS (switch, access point, firewall, router, etc.).]]></description>
<type>input</type>
<required/>
</field>
@@ -156,19 +156,19 @@
<field>
<fielddescr>Client Shortname</fielddescr>
<fieldname>varclientshortname</fieldname>
- <description><![CDATA[Enter shortname of the client. This is in general the hostname of the NAS (switch,accesspoint).]]></description>
+ <description><![CDATA[Enter a short name for the client. This is generally the hostname of the NAS.]]></description>
<type>input</type>
<required/>
</field>
<field>
<fielddescr>Client Shared Secret</fielddescr>
<fieldname>varclientsharedsecret</fieldname>
- <description><![CDATA[Enter the shared secret of the client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server.]]></description>
+ <description><![CDATA[Enter the shared secret of the RADIUS client here. This is the shared secret (password) which the NAS (switch or accesspoint) needs to communicate with the RADIUS server.]]></description>
<type>password</type>
<required/>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION</name>
+ <name>Miscellaneous Configuration</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index 8f8e4dc7..947ef6b9 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -105,7 +105,7 @@
<field>
<fielddescr>Disable weak EAP types</fielddescr>
<fieldname>vareapconfdisableweakeaptypes</fieldname>
- <description><![CDATA[Here you disable the weak EAP types MD5, GTC and LEAP. You should do this if you want that only stronger EAP types like TLS, TTLS, PEAP, MSCHAPv2 should be allowed. This option does not affect the "tunneled EAP sessions".]]></description>
+ <description><![CDATA[Here you can disable the weak EAP types MD5, GTC and LEAP. Check this to only allow stronger EAP types like TLS, TTLS, PEAP, MSCHAPv2 should be allowed. This option does not affect the "tunneled EAP sessions".]]></description>
<type>checkbox</type>
</field>
<field>
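Review bot: The new sentence on L959 is ungrammatical: "Check this to only allow stronger EAP types like TLS, TTLS, PEAP, MSCHAPv2 should be allowed" merges the old phrasing with the new one. Drop the trailing clause: `Check this to only allow stronger EAP types like TLS, TTLS, PEAP and MSCHAPv2.` The rest of the description can stay as written.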
@@ -134,7 +134,7 @@
<field>
<fielddescr>Ignore Unknown EAP Types</fielddescr>
<fieldname>vareapconfignoreunknowneaptypes</fieldname>
- <description><![CDATA[If the RADIUS does not know the EAP type it rejects it. If set to "yes" an other module <b>must</b> be configured to proxy the request to a further RADIUS server. (Default: no)]]></description>
+ <description><![CDATA[If the RADIUS server does not know the EAP type, it rejects it. If set to "yes" another module <b>must</b> be configured to proxy the request to a further RADIUS server. (Default: no)]]></description>
<type>select</type>
<default_value>no</default_value>
<options>
@@ -161,23 +161,23 @@
<default_value>4096</default_value>
</field>
<field>
- <name>CERTIFICATES FOR TLS</name>
+ <name>Certificates for TLS</name>
<type>listtopic</type>
</field>
<field>
- <fielddescr>Choose Cert-Manager</fielddescr>
+ <fielddescr>Choose Cert Manager</fielddescr>
<fieldname>vareapconfchoosecertmanager</fieldname>
<description><![CDATA[Choose your Cert manager. By default it is the freeradius cert manager because the server needs some default certs to start service. For more information take al look at "Certificates"-Tab.<br>
- To use the firewall's built-in Cert Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager).<br><br>
- <b>uncheked</b>: FreeRADIUS Cert-Manager (not recommended) (Default: unchecked)<br>
- <b>cheked</b>: Firewall Cert-Manager (recommended)]]></description>
+ To use the firewall's built-in Certificate Manager you have to create a CA and an Server Certificate first. (SYSTEM -> Cert Manager).<br><br>
+ <b>unchecked</b>: FreeRADIUS Cert Manager (not recommended) (Default: unchecked)<br>
+ <b>checked</b>: Firewall Cert Manager (recommended)]]></description>
<type>checkbox</type>
<enablefields>ssl_ca_cert,ssl_ca_crl,ssl_server_cert</enablefields>
</field>
<field>
<fielddescr>Private Key Password</fielddescr>
<fieldname>vareapconfprivatekeypassword</fieldname>
- <description><![CDATA[By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty. (Default: whatever)]]></description>
+ <description><![CDATA[By default the certificates created by freeradius are protected with an "input/ouput" password from reading the certificate. The certificates created by the firewall's built-in Cert Manager are not protected so you must leave this field empty.]]></description>
<type>password</type>
<default_value>whatever</default_value>
</field>
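Review bot: L998 removes "(Default: whatever)" from the Private Key Password description while the field still defaults to that value on L1000, so an administrator reading the page no longer learns that a well-known passphrase is pre-filled. Either keep the default in the text or explain what the pre-filled value is, for example `(Default: whatever, the passphrase protecting the FreeRADIUS-generated certificates; leave empty for Cert Manager certificates)`. The other descriptions in this file consistently end with a "(Default: …)" clause, so dropping it only here is also inconsistent.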
@@ -306,7 +306,7 @@
<field>
- <name>EAP-TLS - ENABLE CACHE</name>
+ <name>EAP-TLS - Enable Cache</name>
<type>listtopic</type>
</field>
<field>
@@ -334,7 +334,7 @@
<field>
<fielddescr>Max Entries</fielddescr>
<fieldname>vareapconfcachemaxentries</fieldname>
- <description><![CDATA[The maximum number of entries in the cache. Set to "0" for "infinite". This could be set to the number of users who are logged in... which can be a LOT. (Default: 255)]]></description>
+ <description><![CDATA[The maximum number of entries in the cache. Set to "0" for "infinite." (Default: 255)]]></description>
<type>input</type>
<default_value>255</default_value>
</field>
@@ -470,7 +470,7 @@
<field>
<fielddescr>Microsoft Statement of Health (SoH) Support</fielddescr>
<fieldname>vareapconfpeapsohenable</fieldname>
- <description><![CDATA[You can accept/reject clients if they have not actual windows updates and more. You need to change server-file for your needs. It cannot be changed from GUI and will be deleted after package (re)installation. (/usr/local/etc/raddb/sites-available/soh). (Default: no)]]></description>
+ <description><![CDATA[You can accept/reject clients based on Microsoft's Statement of Health, such as if they are missing Windows updates, don't have a firewall enabled, antivirus not in line with policy, etc. You need to change server-file for your needs. It cannot be changed from GUI and will be deleted after package reinstallation. (/usr/local/etc/raddb/sites-available/soh). (Default: no)]]></description>
<type>select</type>
<default_value>Disable</default_value>
<options>
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index 1233f72f..5427f988 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -120,7 +120,7 @@
</adddeleteeditpagefields>
<fields>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>General Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -175,7 +175,7 @@
<field>
<fielddescr>Description</fielddescr>
<fieldname>description</fieldname>
- <description><![CDATA[Enter any description you like for this interface.]]></description>
+ <description><![CDATA[Optionally enter a description here for your reference.]]></description>
<type>input</type>
</field>
</fields>
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
index 5abe85cb..e476b877 100644
--- a/config/freeradius2/freeradiusmodulesldap.xml
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -115,7 +115,7 @@
<type>checkbox</type>
</field>
<field>
- <name>GENERAL CONFIGURATION - SERVER 1</name>
+ <name>General Configuration - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -207,7 +207,7 @@
<default_value>1</default_value>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION - SERVER 1</name>
+ <name>Miscellaneous Configuration - SERVER 1</name>
<type>listtopic</type>
</field>
<field>
@@ -434,7 +434,7 @@
<type>checkbox</type>
</field>
<field>
- <name>GENERAL CONFIGURATION - SERVER 2</name>
+ <name>General Configuration - SERVER 2</name>
<type>listtopic</type>
</field>
<field>
@@ -526,7 +526,7 @@
<default_value>1</default_value>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION - SERVER 2</name>
+ <name>Miscellaneous Configuration - SERVER 2</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 99af4d4a..78c65372 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -8,7 +8,8 @@
/* ========================================================================== */
/*
freeradiussettings.xml
- part of pfSense (http://www.pfSense.com)
+ part of pfSense (https://www.pfsense.org)
+ Copyright (C) 2014 Electric Sheep Fencing, LP
Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
@@ -98,7 +99,7 @@
</tabs>
<fields>
<field>
- <name>GENERAL CONFIGURATION</name>
+ <name>General Configuration</name>
<type>listtopic</type>
</field>
<field>
@@ -162,7 +163,7 @@
<field>
<fielddescr>Logging Destination of RADIUS</fielddescr>
<fieldname>varsettingslogdir</fieldname>
- <description><![CDATA[Choose the destination where freeRADIUS should log. This will log if service started or failed but no authentication information. (Default: radius.log)]]></description>
+ <description><![CDATA[Choose the destination where freeRADIUS will log. This will log general service information, but no authentication information. (Default: radius.log)]]></description>
<type>select</type>
<default_value>syslog</default_value>
<options>
@@ -316,7 +317,7 @@
<field>
<fielddescr>Enable Mobile-One-Time-Password</fielddescr>
<fieldname>varsettingsmotpenable</fieldname>
- <description><![CDATA[This enables the possibility to authenticate against an username and an one-time-password. The client which generates OTP can be installed on various mobile device plattforms like Android and more. (Default: unchecked)]]></description>
+ <description><![CDATA[This enables the possibility to authenticate using a username and one-time-password. The client which generates OTP can be installed on various mobile device plattforms like Android and more. (Default: unchecked)]]></description>
<type>checkbox</type>
<enablefields>varsettingsmotptimespan,varsettingsmotppasswordattempts,varsettingsmotpchecksumtype,varsettingsmotptokenlength</enablefields>
</field>
@@ -330,14 +331,14 @@
<field>
<fielddescr>Number of invalid password attempts</fielddescr>
<fieldname>varsettingsmotppasswordattempts</fieldname>
- <description><![CDATA[After this the user will be locked out until the admin unlocks the user. (Default: 5)]]></description>
+ <description><![CDATA[After this many failed attempts, the user will be locked out until an admin unlocks the user. (Default: 5)]]></description>
<type>input</type>
<default_value>5</default_value>
</field>
<field>
<fielddescr>Hash algorithm</fielddescr>
<fieldname>varsettingsmotpchecksumtype</fieldname>
- <description><![CDATA[We build a hash of "EPOCHTIME+INIT-SECRET+PIN" and then use the digits as password. Perhaps there are some other/hardware tokens which use other hash types so you can perhaps adjust this here. But this <b>must</b> be equal on bothe sites! (Default: md5)]]></description>
+ <description><![CDATA[We build a hash of "EPOCHTIME+INIT-SECRET+PIN" and then use the digits as password. Perhaps there are some other/hardware tokens which use other hash types so you can perhaps adjust this here. This <b>must</b> be equal on both sides! (Default: md5)]]></description>
<type>select</type>
<default_value>md5</default_value>
<options>
@@ -349,12 +350,12 @@
<field>
<fielddescr>Token Password length</fielddescr>
<fieldname>varsettingsmotptokenlength</fieldname>
- <description><![CDATA[We build a hash of "EPOCHTIME+INIT-SECRET+PIN" and then use the digits 1 to 6 as password. Perhaps there are some other/hardware tokens which use other digits so you can perhaps adjust this here. But this <b>must</b> be equal on bothe sites! (Default: 1-6)]]></description>
+ <description><![CDATA[We build a hash of "EPOCHTIME+INIT-SECRET+PIN" and then use the digits 1 to 6 as password. Perhaps there are some other/hardware tokens which use other digits so you can perhaps adjust this here. This <b>must</b> be equal on both sides! (Default: 1-6)]]></description>
<type>input</type>
<default_value>1-6</default_value>
</field>
<field>
- <name>MISCELLANEOUS CONFIGURATION</name>
+ <name>Miscellaneous Configuration</name>
<type>listtopic</type>
</field>
<field>
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index bb72a07a..f8f7ebc3 100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -98,7 +98,7 @@
</tabs>
<fields>
<field>
- <name>ENABLE SQL DATABASE - SERVER 1</name>
+ <name>Enable SQL Database- Server 1</name>
<type>listtopic</type>
</field>
<field>
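Review bot: The new topic name on L1170, `Enable SQL Database- Server 1`, is missing the space before the hyphen and so differs from its counterpart `Enable SQL Database - Server 2` on L1239 and from `SQL Database Configuration - Server 1` on L1212. Change it to `<name>Enable SQL Database - Server 1</name>`.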
@@ -117,7 +117,7 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
@@ -129,7 +129,7 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
@@ -141,7 +141,7 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
@@ -153,12 +153,12 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
<field>
- <name>SQL DATABASE CONFIGURATION - SERVER 1</name>
+ <name>SQL Database Configuration - Server 1</name>
<type>listtopic</type>
</field>
<field>
@@ -331,7 +331,7 @@
<field>
<fielddescr>Read Clients from Database</fielddescr>
<fieldname>varsqlconfreadclients</fieldname>
- <description><![CDATA[Set to <b>yes</b> to read radius clients from the database ('nas' table). Clients will only be read on server startup. (Default: yes)]]></description>
+ <description><![CDATA[Set to <b>yes</b> to read RADIUS clients from the database ('nas' table). Clients will only be read on server startup. (Default: yes)]]></description>
<type>select</type>
<default_value>yes</default_value>
<options>
@@ -347,7 +347,7 @@
<default_value>nas</default_value>
</field>
<field>
- <name>ENABLE REDUNDANT SQL DATABASE SUPPORT</name>
+ <name>Enable Redundant SQL Database Support</name>
<type>listtopic</type>
</field>
<field>
@@ -366,7 +366,7 @@
</options>
</field>
<field>
- <name>ENABLE SQL DATABASE - SERVER 2</name>
+ <name>Enable SQL Database - Server 2</name>
<type>listtopic</type>
</field>
<field>
@@ -385,7 +385,7 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
@@ -397,7 +397,7 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
@@ -409,7 +409,7 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
@@ -421,12 +421,12 @@
<type>select</type>
<default_value>Disable</default_value>
<options>
- <option><name>Disbale</name><value>Disable</value></option>
+ <option><name>Disable</name><value>Disable</value></option>
<option><name>Enable</name><value>Enable</value></option>
</options>
</field>
<field>
- <name>SQL DATABASE CONFIGURATION - SERVER 2</name>
+ <name>SQL Database Configuration - Server 2</name>
<type>listtopic</type>
</field>
<field>
@@ -599,7 +599,7 @@
<field>
<fielddescr>Read Clients from Database</fielddescr>
<fieldname>varsqlconf2readclients</fieldname>
- <description><![CDATA[Set to <b>yes</b> to read radius clients from the database ('nas' table). Clients will only be read on server startup. (Default: yes)]]></description>
+ <description><![CDATA[Set to <b>yes</b> to read RADIUS clients from the database ('nas' table). Clients will only be read on server startup. (Default: yes)]]></description>
<type>select</type>
<default_value>yes</default_value>
<options>
diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc
index 07086bd5..fd086cfc 100644
--- a/config/haproxy-devel/haproxy.inc
+++ b/config/haproxy-devel/haproxy.inc
@@ -38,6 +38,13 @@ require_once("haproxy_xmlrpcsyncclient.inc");
$d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty";
+global $a_frontendmode;
+$a_frontendmode = array();
+$a_frontendmode['http'] = array('name' => "http / https(offloading)", 'shortname' => "http/https");
+$a_frontendmode['https'] = array('name' => "ssl / https(TCP mode)", 'shortname' => "ssl/https");
+$a_frontendmode['tcp'] = array('name' => "tcp", 'shortname' => "tcp");
+$a_frontendmode['health'] = array('name' => "health", 'shortname' => "health");
+
global $a_acltypes;
$a_acltypes = array();
$a_acltypes["host_starts_with"] = array('name' => 'Host starts with:',
@@ -84,6 +91,8 @@ $a_acltypes["ssl_sni_starts_with"] = array('name' => 'Server Name Indication TLS
'mode' => 'https', 'syntax' => 'req.ssl_sni -m beg -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
$a_acltypes["ssl_sni_ends_with"] = array('name' => 'Server Name Indication TLS extension ends with:', 'inspect-delay' => '5',
'mode' => 'https', 'syntax' => 'req.ssl_sni -m end -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
+$a_acltypes["ssl_sni_ends_with"] = array('name' => 'Server Name Indication TLS extension regex:', 'inspect-delay' => '5',
+ 'mode' => 'https', 'syntax' => 'req.ssl_sni -m reg -i %1$s', 'advancedoptions' => "tcp-request content accept if { req.ssl_hello_type 1 }");
$a_acltypes["custom"] = array('name' => 'Custom acl:',
'mode' => '', 'syntax' => '%1$s');
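Review bot: The new entry on L1314 reuses the key `ssl_sni_ends_with`, so it overwrites the "ends with" ACL type defined on L1312 instead of adding a regex variant; after this change the ends-with type is no longer selectable and any existing ACL stored with that key is rendered with `-m reg`. The key needs to be distinct, e.g. `$a_acltypes["ssl_sni_regex"] = array('name' => 'Server Name Indication TLS extension regex:', 'inspect-delay' => '5',`. Whether the pages that enumerate `$a_acltypes` pick the new key up automatically cannot be seen from this hunk.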
@@ -187,6 +196,19 @@ $a_sticky_type['stick_rdp_cookie'] = array('name' => 'Stick on RDP-cookie',
'descr' => "Uses a RDP-Cookie send by the mstsc client, note that not all clients send this.",
'cookiedescr' => 'EXAMPLE: msts or mstshash');
+
+global $a_error;
+$a_error = array();
+$a_error['200'] = array('descr' => "stats or monitoring requests");
+$a_error['400'] = array('descr' => "request invalid or too large");
+$a_error['401'] = array('descr' => "authentication is required to perform the action");
+$a_error['403'] = array('descr' => "request is forbidden");
+$a_error['408'] = array('descr' => "timeout before the request is complete");
+$a_error['500'] = array('descr' => "internal error");
+$a_error['502'] = array('descr' => "server response invalid or blocked");
+$a_error['503'] = array('descr' => "no server was available to handle the request");
+$a_error['504'] = array('descr' => "timeout before the server responds");
+
if(!function_exists('group_ports')){
// function group_ports() is present in pfSense 2.2 in util.inc
/* create ranges of sequential port numbers (200:215) and remove duplicates */
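Review bot: The `$a_error` table on L1324-L1332 decides which status codes `write_backend` will emit as `errorfile` directives, and HAProxy accepts only a fixed set of codes there; I don't believe 401 was among them in the 1.5 series, so selecting it would produce a configuration that fails to load. Please confirm against the HAProxy version the package ships and drop any code it rejects. A comment on the table, `// keep in sync with the status codes haproxy accepts for 'errorfile'`, would keep the list from being extended blindly later.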
@@ -237,10 +259,11 @@ function group_ports($ports) {
return $result;
}
}
-
+
function haproxy_portoralias_to_list($port_or_alias) {
// input: a port or aliasname: 80 https MyPortAlias
// returns: a array of ports and portranges 80 443 8000:8010
+
global $aliastable;
$portresult = array();
if (alias_get_type($port_or_alias) == "port") {
@@ -253,15 +276,39 @@ function haproxy_portoralias_to_list($port_or_alias) {
return $portresult;
} else if (is_portrange($port_or_alias)) {
return (array)$port_or_alias;
- } else if (is_port($port_or_alias)) {
- if (getservbyname($port_or_alias, "tcp"))
- return (array)getservbyname($port_or_alias, "tcp");
- if (getservbyname($port_or_alias, "udp"))
- return (array)getservbyname($port_or_alias, "udp");
- return (array)$port_or_alias;
+ } else {
+ $ports = explode(",", $port_or_alias);
+ foreach($ports as $port){
+ if (is_port($port)) {
+ if (getservbyname($port, "tcp"))
+ $port = getservbyname($port, "tcp");
+ if (getservbyname($port, "udp"))
+ $port = getservbyname($port, "udp");
+ $portresult[] = $port;
+ }
+ }
+ return $portresult;
+ }
+}
+function haproxy_addressoralias_to_list($address_or_alias) {
+ global $aliastable;
+ $result = array();
+ $alias_type = alias_get_type($address_or_alias);
+ if (!empty($alias_type)) {
+ $alias = $aliastable[$address_or_alias];
+ if ($alias_type == "url") {
+ $result = explode(' ',$alias);
+ } else
+ if ($alias_type == "network") {
+ //$result = explode(' ',$alias);
+ } else
+ if ($alias_type == "host") {
+ $result = explode(' ',$alias);
+ }
+ } else {
+ $result[] = $address_or_alias;
}
- else
- return null;
+ return $result;
}
function haproxy_hostoralias_to_list($host_or_alias) {
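Review bot: In the new `haproxy_addressoralias_to_list` the `network` branch on L1383-L1384 is a commented-out assignment, so a network alias resolves to an empty array with no indication to the caller, whereas an unknown name is returned verbatim on L1390. If network aliases are intentionally unsupported here, say so, e.g. `// network aliases are not expanded; the caller receives an empty list`, and have the caller report it; otherwise the lookup still needs implementing. A similar silent drop appears in `haproxy_portoralias_to_list`: entries of the comma-separated list that fail `is_port()` on L1363 are skipped where the old code returned `null`, so a typo in a port list now yields a shorter list instead of a failure.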
@@ -274,6 +321,20 @@ function haproxy_hostoralias_to_list($host_or_alias) {
return $result;
}
+function haproxy_get_fileslist() {
+ // returns the files array with 'keys'.
+ $result = array();
+ global $config;
+ // create a copy to not modify the original 'keyless' array
+ $a_files = $config['installedpackages']['haproxy']['files']['item'];
+ if (!is_array($a_files)) $a_files = array();
+ foreach($a_files as $file) {
+ $key = $file['name'];
+ $result[$key] = $file;
+ }
+ return $result;
+}
+
function haproxy_custom_php_deinstall_command() {
global $static_output;
$static_output .= "HAProxy, running haproxy_custom_php_deinstall_command()\n";
@@ -365,107 +426,136 @@ EOD;
$static_output .= "HAProxy, update configuration\n";
update_output_window($static_output);
- $writeconfigupdate = false;
- /* Do XML upgrade from haproxy 0.31 to haproxy-dev */
- if (is_array($config['installedpackages']['haproxy']['ha_servers'])) {
- $static_output .= "HAProxy, Do XML upgrade from haproxy 0.31 to haproxy-dev\n";
- update_output_window($static_output);
+ // make sure the version stays 'comparable'
+ if (is_arrayset($config,'installedpackages','haproxy') && isset($config['installedpackages']['haproxy']['configversion']))
+ $configversion = $config['installedpackages']['haproxy']['configversion'];
+ else
+ $configversion = "00.12";
- /* We have an old config */
- $config['installedpackages']['haproxy']['ha_pools']['item'] = array();
- $a_global = &$config['installedpackages']['haproxy'];
- $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
- $a_oldservers = &$config['installedpackages']['haproxy']['ha_servers']['item'];
- $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+ $static_output .= "HAProxy, from version $configversion\n";
+ update_output_window($static_output);
+
+ $writeconfigupdate = false;
+ if ($configversion < "00.13") {
+ /* Do XML upgrade from haproxy 0.31 to haproxy-dev */
+ if (is_array($config['installedpackages']['haproxy']['ha_servers'])) {
+ $static_output .= "HAProxy, Do XML upgrade from haproxy 0.31 to haproxy-dev\n";
+ update_output_window($static_output);
+
+ /* We have an old config */
+ $config['installedpackages']['haproxy']['ha_pools']['item'] = array();
+ $a_global = &$config['installedpackages']['haproxy'];
+ $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item'];
+ $a_oldservers = &$config['installedpackages']['haproxy']['ha_servers']['item'];
+ $a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
- foreach ($a_backends as $id => $be) {
- $a_backends[$id]['status'] = 'active';
- }
- $id = 0;
- foreach ($a_oldservers as $oldserver) {
- $pool=$oldserver;
- /* make server sub array */
- $server=array();
- $server['name'] = $oldserver['name'];
- $server['address'] = $oldserver['address'];
- $server['port'] = $oldserver['port'];
- $server['weight'] = $oldserver['weight'];
- $a_servers=array();
- $a_servers[]=$server;
- /* set new pool */
- $pool['name'] = "pool$id";
- $id++;
- $pool['ha_servers']['item']=$a_servers;
- /* link to frontend */
foreach ($a_backends as $id => $be) {
- if ($a_backends[$id]['name'] == $oldserver['backend']) {
- $a_backends[$id]['backend_serverpool'] = $pool['name'];
- $pool['monitor_uri'] = $be['monitor_uri'];
- unset($a_backends[$id]['monitor_uri']);
- break;
+ $a_backends[$id]['status'] = 'active';
+ }
+ $id = 0;
+ foreach ($a_oldservers as $oldserver) {
+ $pool=$oldserver;
+ /* make server sub array */
+ $server=array();
+ $server['name'] = $oldserver['name'];
+ $server['address'] = $oldserver['address'];
+ $server['port'] = $oldserver['port'];
+ $server['weight'] = $oldserver['weight'];
+ $a_servers=array();
+ $a_servers[]=$server;
+ /* set new pool */
+ $pool['name'] = "pool$id";
+ $id++;
+ $pool['ha_servers']['item']=$a_servers;
+ /* link to frontend */
+ foreach ($a_backends as $id => $be) {
+ if ($a_backends[$id]['name'] == $oldserver['backend']) {
+ $a_backends[$id]['backend_serverpool'] = $pool['name'];
+ $pool['monitor_uri'] = $be['monitor_uri'];
+ unset($a_backends[$id]['monitor_uri']);
+ break;
+ }
}
+ unset($pool['backend']);
+ unset($pool['address']);
+ unset($pool['port']);
+ unset($pool['weight']);
+ $a_pools[] = $pool;
}
- unset($pool['backend']);
- unset($pool['address']);
- unset($pool['port']);
- unset($pool['weight']);
- $a_pools[] = $pool;
+ unset($config['installedpackages']['haproxy']['ha_servers']);
+ $writeconfigupdate = true;
}
- unset($config['installedpackages']['haproxy']['ha_servers']);
- $writeconfigupdate = true;
- }
-
- /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */
- if (is_arrayset($config,'installedpackages','haproxy','ha_backends','item',0,'pool')) {
- $static_output .= "HAProxy, Do XML upgrade, change to backend_serverpool from pool array\n";
- update_output_window($static_output);
-
- foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend)
- {
- $backend_serverpool = $frontend['pool'][0];
- $frontend['backend_serverpool'] = $backend_serverpool;
- unset($frontend['pool']);
+
+ /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */
+ if (is_arrayset($config,'installedpackages','haproxy','ha_backends','item',0,'pool')) {
+ $static_output .= "HAProxy, Do XML upgrade, change to backend_serverpool from pool array\n";
+ update_output_window($static_output);
+
+ foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend)
+ {
+ $backend_serverpool = $frontend['pool'][0];
+ $frontend['backend_serverpool'] = $backend_serverpool;
+ unset($frontend['pool']);
+ }
+ $writeconfigupdate = true;
}
- $writeconfigupdate = true;
- }
- //also move setting for existing 2.0 installations as only the new variable is used
- if (is_arrayset($config,'installedpackages','haproxy','ha_backends','item',0) &&
- isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) {
- $static_output .= "HAProxy, Do XML upgrade, change to backend_serverpool from pool\n";
- update_output_window($static_output);
- foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend)
- {
- $backend_serverpool = $frontend['pool'];
- $frontend['backend_serverpool'] = $backend_serverpool;
- unset($frontend['pool']);
+ //also move setting for existing 2.0 installations as only the new variable is used
+ if (is_arrayset($config,'installedpackages','haproxy','ha_backends','item',0) &&
+ isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) {
+ $static_output .= "HAProxy, Do XML upgrade, change to backend_serverpool from pool\n";
+ update_output_window($static_output);
+ foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend)
+ {
+ $backend_serverpool = $frontend['pool'];
+ $frontend['backend_serverpool'] = $backend_serverpool;
+ unset($frontend['pool']);
+ }
+ $writeconfigupdate = true;
+ }
+ // update config to "haproxy-devel 1.5-dev19 pkg v0.5"
+ if(is_arrayset($config,'installedpackages','haproxy','ha_backends','item')) {
+ $static_output .= "HAProxy, Do XML upgrade, update frontend options\n";
+ update_output_window($static_output);
+ foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) {
+ if($bind['httpclose'] && $bind['httpclose'] == "yes" ) {
+ $bind['httpclose'] = "httpclose";
+ $writeconfigupdate = true;
+ }
+ if (!$bind['extaddr']){
+ $bind['extaddr'] = "wan_ipv4";
+ $writeconfigupdate = true;
+ }
+ if ($bind['extaddr'] == "localhost"){
+ $bind['extaddr'] = "localhost_ipv4";
+ $writeconfigupdate = true;
+ }
+ if ($bind['extaddr'] == "any"){
+ $bind['extaddr'] = "any_ipv4";
+ $writeconfigupdate = true;
+ }
+ }
}
- $writeconfigupdate = true;
}
- // update config to "haproxy-devel 1.5-dev19 pkg v0.5"
- if(is_arrayset($config,'installedpackages','haproxy','ha_backends','item')) {
- $static_output .= "HAProxy, Do XML upgrade, update frontend options\n";
- update_output_window($static_output);
+ if ($configversion == "00.12") {
+ // update config to "haproxy-devel 1.5-dev19 pkg v0.13"
foreach ($config['installedpackages']['haproxy']['ha_backends']['item'] as &$bind) {
- if($bind['httpclose'] && $bind['httpclose'] == "yes" ) {
- $bind['httpclose'] = "httpclose";
- $writeconfigupdate = true;
- }
- if (!$bind['extaddr']){
- $bind['extaddr'] = "wan_ipv4";
- $writeconfigupdate = true;
- }
- if ($bind['extaddr'] == "localhost"){
- $bind['extaddr'] = "localhost_ipv4";
- $writeconfigupdate = true;
- }
- if ($bind['extaddr'] == "any"){
- $bind['extaddr'] = "any_ipv4";
- $writeconfigupdate = true;
+ if (isset($bind['extaddr'])) {
+ $new['extaddr'] = $bind['extaddr'];
+ $new['extaddr_port'] = $bind['port'];
+ $new['extaddr_ssl'] = $bind['ssloffload'];
+ $bind['a_extaddr']['item'][] = $new;
}
+ unset($bind['extaddr']);
+ unset($bind['port']);
+ //unset($bind['ssloffload']);
}
+ $configversion = "00.13";
}
+
+ $writeconfigupdate = $config['installedpackages']['haproxy']['configversion'] <> $configversion;
if ($writeconfigupdate) {
- $static_output .= "HAProxy, write updated config\n";
+ $config['installedpackages']['haproxy']['configversion'] = $configversion;
+ $static_output .= "HAProxy, write updated config to version: $configversion\n";
update_output_window($static_output);
write_config("HAProxy, update xml config version");
}
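Review bot: The new `00.12` upgrade step on L1601 iterates `$config['installedpackages']['haproxy']['ha_backends']['item']` without the `is_arrayset()` guard that the equivalent loop on L1571 uses, so on an install with no frontends yet (exactly the case the `$configversion = "00.12"` fallback on L1429 covers) the `foreach` runs on a non-array. Guard it the same way: `if (is_arrayset($config,'installedpackages','haproxy','ha_backends','item')) {` around the loop. Separately, every `$writeconfigupdate = true` inside the `< "00.13"` block is now dead, because L1630 overwrites the flag with the version comparison; either delete those assignments or fold them in with `$writeconfigupdate = $writeconfigupdate || ($config['installedpackages']['haproxy']['configversion'] <> $configversion);`. The enclosing function starts before this hunk.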
@@ -540,11 +630,10 @@ function haproxy_find_acl($name) {
function write_backend($configpath, $fd, $name, $pool, $frontend) {
if(!is_array($pool['ha_servers']['item']) && !$pool['stats_enabled']=='yes')
return;
- global $a_checktypes, $a_cookiemode;
+ global $a_checktypes, $a_cookiemode, $a_files, $a_error;
$a_servers = &$pool['ha_servers']['item'];
$frontendtype = $frontend['type'];
- $frontend_ip = haproxy_interface_ip($frontend['extaddr']);
fwrite ($fd, "backend " . $name . "\n");
// https is an alias for tcp for clarity purposes
@@ -604,6 +693,23 @@ function write_backend($configpath, $fd, $name, $pool, $frontend) {
fwrite ($fd, "\tstats\t\t\tscope " . $scope_item . "\n");
}
}
+
+ if (is_arrayset($pool,'errorfiles','item')) {
+ foreach($pool['errorfiles']['item'] as $errorfile) {
+ if (!is_array($a_files))// load only once
+ $a_files = haproxy_get_fileslist();
+ $file = $errorfile['errorfile'];
+ $errorcodes = explode(",",$errorfile['errorcode']);
+ foreach($errorcodes as $errorcode) {
+ $filename = "$configpath/errorfile_{$name}_{$errorcode}_{$file}";
+ $content = base64_decode($a_files[$file]['content']);
+ $content = str_replace('{errormsg}', $a_error[$errorcode]['descr'], $content);
+ $content = str_replace('{errorcode}', $errorcode, $content);
+ file_put_contents($filename, $content);
+ fwrite ($fd, "\terrorfile\t\t\t" . $errorcode ." " . $filename . "\n");
+ }
+ }
+ }
}
switch($pool["persist_sticky_type"]) {
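Review bot: `$errorcode` and `$file` come straight from the pool config into the path `$filename = "$configpath/errorfile_{$name}_{$errorcode}_{$file}"` and into the written `errorfile` directive, and `$a_files[$file]` / `$a_error[$errorcode]` are indexed without an existence check, so a file that was removed on the Files page or an unknown code produces an empty errorfile plus undefined-index notices. Trim and validate each code before using it, e.g. `$errorcode = trim($errorcode); if (!ctype_digit($errorcode) || !isset($a_files[$file], $a_error[$errorcode])) continue;`. The `file_put_contents()` result is also ignored, so a failed write still leaves a directive pointing at a missing file; check it and skip the `fwrite` on failure. write_backend continues past the hunk.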
@@ -678,11 +784,19 @@ function write_backend($configpath, $fd, $name, $pool, $frontend) {
$pool['retries'] = 3;
fwrite ($fd, "\tretries\t\t\t" . $pool['retries'] . "\n");
+ $uses_ipv6 = false;
+ $ips = get_frontend_ipport($frontend);
+ foreach($ips as $ip){
+ $uses_ipv6 = is_ipaddrv6($ip['addr']);
+ if ($uses_ipv6)
+ break;
+ }
+
if ($pool['transparent_clientip']) {
- if (is_ipaddrv4($frontend_ip))
- fwrite ($fd, "\tsource 0.0.0.0 usesrc clientip\n");
- else
+ if ($uses_ipv6)
fwrite ($fd, "\tsource ipv6@ usesrc clientip\n");
+ else
+ fwrite ($fd, "\tsource 0.0.0.0 usesrc clientip\n");
}
$uri = $pool['monitor_uri'];
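Review bot: `$uses_ipv6` only records whether any bind address of the frontend is IPv6, so a frontend that binds both IPv4 and IPv6 addresses gets the single `source ipv6@ usesrc clientip` line and transparent client IP for its IPv4 listeners is presumably lost; if HAProxy allows only one `source` per backend, say so with `// NOTE: mixed v4/v6 frontends get only the IPv6 source line`, otherwise emit one line per address family present. A `custom` entry is returned by get_frontend_ipport() as the raw `extaddr_custom` text, so `is_ipaddrv6($ip['addr'])` is false for it even when the alias resolves to a v6 host. write_backend continues outside the hunk.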
@@ -875,6 +989,9 @@ function haproxy_write_certificate_fullchain($filename, $certid, $append = false
function haproxy_writeconf($configpath) {
global $config;
+ global $aliastable;
+ if (!isset($aliastable))
+ alias_make_table($config);
$chroot_dir = "/tmp/haproxy_chroot"; // can contain socket to forward connection from backend to frontend. "/var/empty"
make_dirs($chroot_dir);
@@ -951,7 +1068,8 @@ function haproxy_writeconf($configpath) {
if(!$frontend['backend_serverpool'])
continue;
$primaryfrontend = get_primaryfrontend($frontend);
- $bname = get_frontend_ipport($frontend);
+
+ $bname = $primaryfrontend['name'];
if (!is_array($a_bind[$bname])) {
$a_bind[$bname] = array();
$a_bind[$bname] = $primaryfrontend;
@@ -959,12 +1077,14 @@ function haproxy_writeconf($configpath) {
}
//check ssl info
- if (strtolower($primaryfrontend['type']) == "http" && $frontend['ssloffload']){
+ $ssl = get_frontend_uses_ssl($frontend);
+
+ if ($ssl) {
//ssl crt ./server.pem ca-file ./ca.crt verify optional crt-ignore-err all crl-file ./ca_crl.pem
- $filename = "$configpath/{$frontend['name']}.{$frontend['port']}.pem";
+ $filename = "$configpath/{$frontend['name']}.pem";
$ssl_crt = " crt $filename";
haproxy_write_certificate_fullchain($filename, $frontend['ssloffloadcert']);
- $subfolder = "$configpath/{$frontend['name']}.{$frontend['port']}";
+ $subfolder = "$configpath/{$frontend['name']}";
$certs = $frontend['ha_certificates']['item'];
if (is_array($certs)){
if (count($certs) > 0){
@@ -1032,8 +1152,8 @@ function haproxy_writeconf($configpath) {
}
// Prepare ports for processing by splitting
- $portss = "{$bind['port']},";
- $ports = split(",", $portss);
+ //$portss = "{$bind['port']},";
+ //$ports = split(",", $portss);
if($bind['type'] == "http") {
// ssl offloading is only possible in http mode.
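Review bot: The two replaced lines at the top of the hunk are kept as commented-out code (`//$portss = ...`, `//$ports = split(...)`); since port handling moved into the per-address loop below, delete them rather than leave dead code, which also drops the last reference to the deprecated `split()`. haproxy_writeconf continues outside the hunk.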
@@ -1043,25 +1163,41 @@ function haproxy_writeconf($configpath) {
$ssl_info = "";
$advanced_bind = "";
}
+
+ fwrite ($fd, "{$frontendinfo}");
+
// Initialize variable
$listenip = "";
// Process and add bind directives for ports
- $ip = haproxy_interface_ip($bind['extaddr']);
- if ($ip){
- foreach($ports as $alias_or_port) {
- if($alias_or_port) {
- $portsnumeric = group_ports(haproxy_portoralias_to_list($alias_or_port));
- foreach($portsnumeric as $portnumeric) {
- $portnumeric = str_replace(":","-",$portnumeric);
- $listenip .= "\tbind\t\t\t$ip:{$portnumeric} {$ssl_info} {$advanced_bind}\n";
+ if (isset($bind['a_extaddr'])) {
+ foreach($bind['a_extaddr']['item'] as $extaddr) {
+ $a_ip = array();
+ if (isset($extaddr['extaddr']) && $extaddr['extaddr'] != "custom") {
+ $a_ip[] = haproxy_interface_ip($extaddr['extaddr']);
+ } else {
+ $iporalias = $extaddr['extaddr_custom'];
+ $a_ip = haproxy_addressoralias_to_list($iporalias);
+ }
+
+ if ($extaddr['extaddr_ssl'] == 'yes')
+ $ssl = $ssl_info;
+ else
+ $ssl = "";
+
+ foreach($a_ip as $ip) {
+ $portsnumeric = group_ports(haproxy_portoralias_to_list($extaddr['extaddr_port']));
+ if (is_array($portsnumeric)) {
+ foreach($portsnumeric as $portnumeric) {
+ $portnumeric = str_replace(":","-",$portnumeric);
+ $listenip .= "\tbind\t\t\t$ip:{$portnumeric} {$ssl} {$advanced_bind} {$extaddr['extaddr_advanced']}\n";
+ }
}
}
}
}
-
- fwrite ($fd, "{$frontendinfo}");
fwrite ($fd, "{$listenip}");
+
if (use_frontend_as_unixsocket($bind['name'])){
fwrite ($fd, "\tbind /tmp/haproxy_chroot/{$bind['name']}.socket accept-proxy {$ssl_info} {$advanced_bind}\n");
}
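Review bot: The old `if ($ip)` guard did not survive the rewrite: when `haproxy_interface_ip()` returns an empty value (interface without an address of that family) the loop now emits a `bind :port` line, and when `haproxy_addressoralias_to_list()` returns nothing the `foreach($a_ip as $ip)` warns on a non-array; add `if (empty($ip)) continue;` as the first statement of that loop and guard `$a_ip` with `is_array()`. The per-address `$ssl` string also shadows the boolean `$ssl` this function sets earlier from `get_frontend_uses_ssl()`, so rename it `$ssl_bind` to keep the two apart. `$extaddr['extaddr_advanced']` is interpolated verbatim into the config exactly as `$advanced_bind` already was, so the new field inherits that trust in admin-entered text and deserves the same note in the edit page. haproxy_writeconf continues outside the hunk.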
@@ -1106,10 +1242,9 @@ function haproxy_writeconf($configpath) {
if($bind['forwardfor']) {
fwrite ($fd, "\toption\t\t\tforwardfor\n");
- if($bind['ssloffload'] == "yes")
- fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https\n");
- else
- fwrite ($fd, "\treqadd X-Forwarded-Proto:\ http\n");
+ fwrite ($fd, "\tacl https ssl_fc\n");
+ fwrite ($fd, "\treqadd X-Forwarded-Proto:\ http if !https\n");
+ fwrite ($fd, "\treqadd X-Forwarded-Proto:\ https if https\n");
}
}
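Review bot: The two `reqadd X-Forwarded-Proto` lines append a header but never remove one the client already sent, so a backend that reads the first value can be told a plain-HTTP request arrived over HTTPS; the old code had the same gap, but since the block is being rewritten consider emitting `reqidel ^X-Forwarded-Proto:` before the two `reqadd` lines. The ACL name `https` can also collide with a user-defined ACL of the same name in the frontend's `ha_acls`; a generated-looking name such as `https_fc` avoids that. haproxy_writeconf continues outside the hunk.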
@@ -1392,8 +1527,7 @@ function haproxy_plugin_certificates($pluginparams) {
$result['certificatelist'] = array();
// return a array of used certificates.
foreach($config['installedpackages']['haproxy']['ha_backends']['item'] as &$frontend) {
- $mainfrontend = get_primaryfrontend($frontend);
- if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) {
+ if (get_frontend_uses_ssl($frontend)) {
if ($frontend['ssloffloadacl']){
$item = array();
$cert = $frontend['ssloffloadcert'];
@@ -1581,12 +1715,30 @@ function get_primaryfrontend($frontend) {
return $mainfrontend;
}
-function get_frontend_ipport($frontend,$userfriendly=false) {
+function get_frontend_ipport($frontend, $userfriendly=false) {
$mainfrontend = get_primaryfrontend($frontend);
- $result = haproxy_interface_ip($mainfrontend['extaddr'], $userfriendly);
- if ($userfriendly and is_ipaddrv6($result))
- $result = "[{$result}]";
- return $result . ":" . $mainfrontend['port'];
+ $newline = "";
+ $result = array();
+ if (!is_arrayset($mainfrontend,"a_extaddr","item"))
+ return $result;
+ foreach($mainfrontend['a_extaddr']['item'] as $extaddr) {
+ if ($extaddr['extaddr'] == 'custom'){
+ $addr = $extaddr['extaddr_custom'];
+ } else {
+ $addr = haproxy_interface_ip($extaddr['extaddr'], $userfriendly);
+ }
+ if ($userfriendly and is_ipaddrv6($addr))
+ $addr = "[{$addr}]";
+
+ $port = $extaddr['extaddr_port'];
+ $newitem = array();
+ $newitem['addr'] = $addr;
+ $newitem['port'] = $port;
+ $newitem['ssl'] = $extaddr['extaddr_ssl'];
+ $result[$addr.$port] = $newitem;
+ }
+ ksort($result);
+ return $result;
}
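Review bot: The result key `$result[$addr.$port]` joins address and port with no separator, so two distinct pairs can map to the same key and one bind is silently dropped (constructed example: `10.0.0.1`/`80` and `10.0.0.18`/`0` both become `10.0.0.180`); use `$result["$addr:$port"] = $newitem;`. `$newline = "";` is unused and can be removed. The return type changed from a string to an array, so any caller outside this diff that still concatenates the old value will now print `Array`; worth a grep across the package.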
function haproxy_check_config() {
@@ -1599,17 +1751,20 @@ function haproxy_check_config() {
foreach($a_backends as $frontend) {
if (($frontend['status'] != 'active') || ($frontend['secondary'] == 'yes'))
continue;
- $ipport = get_frontend_ipport($frontend);
- if (isset($activefrontends[$ipport]))
- $issues['P_'.$ipport] = "Multiple primary frontends with IP:Port \"$ipport\"";
- else
- $activefrontends[$ipport] = true;
+ $ipports = get_frontend_ipport($frontend);
+ foreach($ipports as $ipport) {
+ $id = "{$ipport['addr']}:{$ipport['port']}";
+ if (isset($activefrontends[$id]))
+ $issues['P_'.$id] = "Multiple primary frontends with IP:Port \"$id\"";
+ else
+ $activefrontends[$id] = true;
+ }
}
foreach($a_backends as $frontend) {
if (($frontend['status'] != 'active') || ($frontend['secondary'] != 'yes'))
continue;
- $ipport = get_frontend_ipport($frontend);
- if (!isset($activefrontends[$ipport]))
+ $mainfrontend = get_primaryfrontend($frontend);
+ if (!isset($mainfrontend))
$issues['S_'.$frontend['name']] = "Secondary frontend \"{$frontend['name']}\" without active primary frontend.";
}
foreach ($issues as $item)
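Review bot: The duplicate check keys on `"{$ipport['addr']}:{$ipport['port']}"` as stored, so two primaries whose port fields name the same ports in a different form (a port alias versus its number, or `80,443` versus `443,80`) are presumably not detected; expanding with `haproxy_portoralias_to_list()` the way the config writer does would make the check match what is actually bound. The secondary check now reports "without active primary frontend" while only testing `isset($mainfrontend)`; confirm that get_primaryfrontend() excludes inactive primaries, otherwise the message overstates what was checked.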
@@ -1621,6 +1776,8 @@ function get_haproxy_frontends($excludeitem="") {
global $config;
$a_frontend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
$result = array();
+ if(!is_array($a_frontend))
+ return $result;
foreach($a_frontend as &$frontend)
{
if ($frontend['secondary'])
@@ -1628,17 +1785,43 @@ function get_haproxy_frontends($excludeitem="") {
if ($frontend['name'] == $excludeitem)
continue;
- $serveradress = "{$frontend['extaddr']}:{$frontend['port']}";
- $result[$frontend['name']]['name'] = "{$frontend['name']} - {$frontend['type']} ({$serveradress})";
+ $serveraddress = get_frontend_ipport($frontend, true);
+ $serveradresstext = null;
+ foreach($serveraddress as $addr) {
+ $serveradresstext .=($serveradresstext == null ? "" : ", ") . "{$addr['addr']}:{$addr['port']}";
+ }
+ $result[$frontend['name']]['name'] = "{$frontend['name']} - {$frontend['type']} ({$serveradresstext})";
$result[$frontend['name']]['ref'] = &$frontend;
}
uasort($result, haproxy_compareByName);
return $result;
}
-function generate_cert_acl($crt, $defaultport, $nondefaultport){
- // The host header send by a browser will contain the portnumber when a nondefault port is used for the server side.
+function get_frontend_uses_ssl($frontend) {
+ $mainfrontend = get_primaryfrontend($frontend);
+ $ssl = false;
+ if (is_arrayset($mainfrontend,'a_extaddr','item')) {
+ foreach($mainfrontend['a_extaddr']['item'] as $extaddr) {
+ if ($extaddr['extaddr_ssl'] == 'yes') {
+ $ssl = true;
+ break;
+ }
+ }
+ }
+ if ($mainfrontend['name'] != $frontend['name'])
+ $ssl = $ssl && $frontend['ssloffload'] == 'yes';
+ return $ssl;
+}
+function get_frontend_uses_ssl_only($frontend) {
+ $mainfrontend = get_primaryfrontend($frontend);
+ if (is_arrayset($mainfrontend,'a_extaddr','item')) {
+ foreach($mainfrontend['a_extaddr']['item'] as $extaddr) {
+ if ($extaddr['extaddr_ssl'] != 'yes')
+ return false;
+ }
+ }
+ return true;
}
function get_frontend_acls($frontend) {
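Review bot: `get_frontend_uses_ssl()` no longer checks the frontend type, so a tcp-mode frontend with `extaddr_ssl == 'yes'` now reports SSL and the callers changed in this diff will presumably write certificate files and ssl ACLs for it, whereas the replaced condition required `type == "http"`; if that is intended, a comment saying so would help, otherwise add `if (strtolower($mainfrontend['type']) != "http") return false;` right after fetching `$mainfrontend`. `get_frontend_uses_ssl_only()` returns true for a frontend with no addresses at all, which is vacuous; returning false when `a_extaddr` is unset is less surprising. The new identifier `$serveradresstext` is misspelled and its `== null` test relies on loose comparison once it holds a string; initialise it to `""` and test `=== ""`.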
@@ -1664,7 +1847,7 @@ function get_frontend_acls($frontend) {
}
}
- if (strtolower($mainfrontend['type']) == "http" && $mainfrontend['ssloffload']) {
+ if (get_frontend_uses_ssl($frontend)) {
$a_acl = &$frontend['ha_acls']['item'];
if(!is_array($a_acl))
$a_acl=array();
diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml
index acd934a7..6156c174 100644
--- a/config/haproxy-devel/haproxy.xml
+++ b/config/haproxy-devel/haproxy.xml
@@ -90,6 +90,11 @@
<additional_files_needed>
<prefix>/usr/local/www/</prefix>
<chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_files.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>077</chmod>
<item>https://packages.pfsense.org/packages/config/haproxy-devel/haproxy_pools.php</item>
</additional_files_needed>
<additional_files_needed>
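Review bot: The new entry copies `<chmod>077</chmod>` from its neighbours; read as an octal mode that grants nothing to the owner and rwx to group and other, which looks like an inherited typo rather than an intended mode for a web page. Confirm how the package installer interprets this value before the pattern is propagated to further entries.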
diff --git a/config/haproxy-devel/haproxy_files.php b/config/haproxy-devel/haproxy_files.php
new file mode 100644
index 00000000..4946a7be
--- /dev/null
+++ b/config/haproxy-devel/haproxy_files.php
@@ -0,0 +1,176 @@
+<?php
+/* $Id: load_balancer_virtual_server.php,v 1.6.2.1 2006/01/02 23:46:24 sullrich Exp $ */
+/*
+ haproxy_pools.php
+ part of pfSense (https://www.pfsense.org/)
+ Copyright (C) 2014 PiBa-NL
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+$shortcut_section = "haproxy";
+require_once("guiconfig.inc");
+require_once("haproxy.inc");
+require_once("pkg_haproxy_tabs.inc");
+require_once("haproxy_htmllist.inc");
+
+$a_files = &$config['installedpackages']['haproxy']['files']['item'];
+if (!is_array($a_files)) $a_files = array();
+$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+if (!is_array($a_pools)) $a_pools = array();
+
+
+$fields_files = array();
+$fields_files[0]['name']="name";
+$fields_files[0]['columnheader']="Name";
+$fields_files[0]['colwidth']="30%";
+$fields_files[0]['type']="textbox";
+$fields_files[0]['size']="20";
+
+$fields_files[1]['name']="content";
+$fields_files[1]['columnheader']="content";
+$fields_files[1]['colwidth']="70%";
+$fields_files[1]['type']="textarea";
+$fields_files[1]['size']="70";
+
+$fileslist = new HaproxyHtmlList("table_files", $fields_files);
+$fileslist->keyfield = "name";
+
+if ($_POST) {
+ $pconfig = $_POST;
+
+ if ($_POST['apply']) {
+ $result = haproxy_check_and_run($savemsg, true);
+ if ($result)
+ unlink_if_exists($d_haproxyconfdirty_path);
+ } else {
+ $a_files = $fileslist->haproxy_htmllist_get_values($fields_files);
+ $filedupcheck = array();
+
+ foreach($a_files as $key => $file) {
+ $name = $file['name'];
+ if (!preg_match("/^[a-zA-Z][a-zA-Z0-9\.\-_]*$/", $file['name']))
+ $input_errors[] = "The field 'Name' (".htmlspecialchars($file['name']).") contains invalid characters. Use only: a-zA-Z0-9.-_ and start with a letter";
+ if (isset($filedupcheck[$name]))
+ $input_errors[] = "Duplicate names are not allowed: " . htmlspecialchars($name);
+ $filedupcheck[$name] = true;
+ }
+
+ // replace references in backends to renamed 'files'
+ foreach($a_pools as &$backend) {
+ if (is_arrayset($backend,'errorfiles','item'))
+ foreach($backend['errorfiles']['item'] as &$errorfile) {
+ $found = false;
+ foreach($a_files as $key => $file) {
+ if ($errorfile['errorfile'] == $key) {
+ $errorfile['errorfile'] = $file['name'];
+ $found = true;
+ }
+ }
+ if (!$found)
+ $input_errors[] = "Errorfile marked for deletion: " . $errorfile['errorfile'] . " which is used in backend " . $backend['name'];
+ }
+ }
+ if (!$input_errors) {
+ // save config when no errors found
+ touch($d_haproxyconfdirty_path);
+ write_config($changedesc);
+ header("Location: haproxy_files.php");
+ exit;
+ }
+ }
+}
+
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+
+$pgtitle = "Services: HAProxy: Files";
+include("head.inc");
+
+?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+<?php include("fbegin.inc"); ?>
+<form action="haproxy_files.php" method="post">
+<?php if ($input_errors) print_input_errors($input_errors); ?>
+<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php if (file_exists($d_haproxyconfdirty_path)): ?>
+<?php print_info_box_np("The haproxy configuration has been changed.<br/>You must apply the changes in order for them to take effect.");?><br/>
+<?php endif; ?>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td class="tabnavtbl">
+ <?php
+ haproxy_display_top_tabs_active($haproxy_tab_array['haproxy'], "files");
+ ?>
+ </td></tr>
+ <tr>
+ <td>
+ <div id="mainarea">
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr>
+ <td>
+ Files can be used for errorfiles, that can return custom error pages in
+ case haproxy reports a error (like no available backend). The content needs
+ to be less than the buffer size which is typically 8kb.
+ There are 2 possible variables to use inside the template:
+ Put these variables in the content of the errorfile templates and they will be replaced by the actual errorcode / message. (include the curly braces around the text)<br/>
+ <b>{errorcode}</b> this represents the errorcode<br/>
+ <b>{errormsg}</b> this represents the human readable error<br/>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ &nbsp;
+ </td>
+ </tr>
+ <tr>
+ <td>
+ <?
+ $counter=0;
+ $fileslist->Draw($a_files);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td>
+ &nbsp;
+ </td>
+ </tr>
+ <tr>
+ <td width="78%">
+ <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)" />
+ </td>
+ </tr>
+ </table>
+ </div>
+ </table>
+ </form>
+<script type="text/javascript">
+ totalrows = <?php echo $counter; ?>;
+<?
+ phparray_to_javascriptarray($fields_files,"fields_files",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
+?>
+</script>
+
+<?php
+haproxy_htmllist_js();
+include("fend.inc"); ?>
+</body>
+</html>
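Review bot: The `Errorfile marked for deletion` message interpolates `$errorfile['errorfile']` and `$backend['name']` raw, while the two messages above it wrap the same kind of config value in `htmlspecialchars()`; since `print_input_errors()` echoes these into the page, escape both: `$input_errors[] = "Errorfile marked for deletion: " . htmlspecialchars($errorfile['errorfile']) . " which is used in backend " . htmlspecialchars($backend['name']);`. The rename loop compares `$errorfile['errorfile'] == $key` loosely; when `haproxy_htmllist_get_values()` falls back to a numeric key for a duplicate name, a non-numeric reference compares equal to `0` under PHP's loose rules and is rewritten to the wrong file, so use `=== (string)$key`. `write_config($changedesc)` passes a variable that is never assigned in this file, so the config history gets an empty description.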
diff --git a/config/haproxy-devel/haproxy_htmllist.inc b/config/haproxy-devel/haproxy_htmllist.inc
index 404e9fab..f873028e 100644
--- a/config/haproxy-devel/haproxy_htmllist.inc
+++ b/config/haproxy-devel/haproxy_htmllist.inc
@@ -34,193 +34,267 @@
require_once("config.inc");
require_once("haproxy_utils.inc");
-function haproxy_htmllist_get_values($html_list){
- $values = array();
- for($x=0; $x<99; $x++) {
- $value = array();
- $add_item = false;
- foreach($html_list as $item){
- $itemname = $item['name'];
- $value[$itemname] = $_POST[$itemname.$x];
- $add_item |= isset($_POST[$itemname.$x]);
+class HaproxyHtmlList
+{
+ /*
+ javascript 'events':
+ <tableId>_row_added(tableId, rowNr)
+ <tableId>_field_changed(tableId, rowNr, fieldId, field)
+ */
+
+ private $tablename = "";
+ private $fields = array();
+ public $editmode = false;
+ public $fields_details = null;
+ public $keyfield = "";
+
+ public function HaproxyHtmlList($tablename, $fields){
+ $this->tablename = $tablename;
+ $this->fields = $fields;
+ }
+
+ public function Draw($data){
+ $this->haproxy_htmllist($data, $this->fields, $this->editmode, $this->fields_details);
+ }
+
+ function haproxy_htmllist_get_values(){
+ $values = array();
+ for($x=0; $x<99; $x++) {
+ $value = array();
+ $add_item = false;
+ foreach($this->fields as $item){
+ $itemname = $item['name'];
+ $value[$itemname] = $_POST[$itemname.$x];
+ if ($item['type'] == 'textarea')
+ $value[$itemname] = base64_encode($value[$itemname]);
+ $add_item |= isset($_POST[$itemname.$x]);
+ }
+ if ($add_item) {
+ if ($this->keyfield != "") {
+ if (isset($_POST[$this->tablename."_key".$x]))
+ $key = $_POST[$this->tablename."_key".$x];
+ else
+ $key = $_POST[$this->keyfield.$x];
+
+ } else
+ $key = "";
+
+ if (isset($values[$key]))
+ $values[] = $value;
+ else
+ $values[$key] = $value;
+ }
}
- if ($add_item)
- $values[] = $value;
+ return $values;
}
- return $values;
-}
-function haproxy_htmllist_drawcell($item, $itemvalue, $editable, $itemnamenr = "") {
- $itemtype = $item['type'];
- if ($editable) {
+ private function haproxy_htmllist_drawcell($item, $itemvalue, $editable, $itemname, $counter) {
+ $itemnamenr = $itemname . $counter;
$itemtype = $item['type'];
- if ($itemtype == "select"){
- echo_html_select($itemnamenr, $item['items'], $itemvalue,"","updatevisibility();", "width:{$item['size']}");
- } else
- if ($itemtype == "checkbox"){
- $checked = $itemvalue=='yes' ? " checked" : "";
- echo "<input name='$itemnamenr' id='$itemnamenr' type='checkbox'$checked value='yes' size='{$item['size']}' />";
- } else
- echo "<input name='$itemnamenr' id='$itemnamenr' type='text' value='{$itemvalue}' size='{$item['size']}' />";
- } else {
- if ($itemtype == "select"){
- echo $item['items'][$itemvalue]['name'];
- } else
- if ($itemtype == "checkbox"){
- echo $itemvalue=='yes' ? gettext('yes') : gettext('no');
- } else
- echo $itemvalue;
+ if ($editable) {
+ $itemtype = $item['type'];
+ if ($itemtype == "select"){
+ echo_html_select($itemnamenr, $item['items'], $itemvalue,"","html_listitem_change(\"{$this->tablename}\",\"{$itemname}\",\"{$counter}\",this);", "width:{$item['size']}");
+ } else
+ if ($itemtype == "checkbox"){
+ $checked = $itemvalue=='yes' ? " checked" : "";
+ echo "<input onclick='html_listitem_change(\"{$this->tablename}\",\"{$itemname}\",\"{$counter}\",this);' name='$itemnamenr' id='$itemnamenr' type='checkbox'$checked value='yes' size='{$item['size']}' />";
+ } else
+ if ($itemtype == "textarea"){
+ echo "<textarea name='$itemnamenr' id='$itemnamenr' type='text' cols='{$item['size']}' rows='10'>";
+ echo htmlspecialchars(base64_decode($itemvalue));
+ echo "</textarea>";
+ } else
+ echo "<input name='$itemnamenr' id='$itemnamenr' type='text' value='{$itemvalue}' size='{$item['size']}' />";
+ } else {
+ if ($itemtype == "select"){
+ echo $item['items'][$itemvalue]['name'];
+ } else
+ if ($itemtype == "checkbox"){
+ echo $itemvalue=='yes' ? gettext('yes') : gettext('no');
+ } else
+ if ($itemtype == "textarea"){
+ echo htmlspecialchars(base64_decode($itemvalue));
+ } else
+ echo htmlspecialchars($itemvalue);
+ }
}
-}
-function haproxy_htmllist($tablename,$rowvalues,$items,$editstate=false,$itemdetails=null){
- global $g, $counter;
- echo "<table class='' width='100%' cellpadding='0' cellspacing='0' id='$tablename'>
- <tr>";
- foreach($items as $item){
- echo "<td width='{$item['colwidth']}' class='listhdrr'>{$item['columnheader']}</td>";
- }
- echo "<td width='5%' class=''></td>
- </tr>";
- if (is_array($rowvalues)){
- foreach($rowvalues as $value){
- if (!$editstate) {
- echo "<tr id='tr_view_$counter' ondblclick='editRow($counter); return false;' >";
- $leftitem = true;
- foreach($items as $item) {
- $tdclass = $leftitem ? "vtable listlr" : "vtable listr";
- echo "<td class='$tdclass'>";
+ function haproxy_htmllist($rowvalues,$items,$editstate=false,$itemdetails=null){
+ $tablename = $this->tablename;
+ global $g, $counter;
+ echo "<table class='' width='100%' cellpadding='0' cellspacing='0' id='$tablename'>
+ <tr>";
+ foreach($items as $item){
+ echo "<td width='{$item['colwidth']}' class='listhdrr'>{$item['columnheader']}</td>";
+ }
+ echo "<td width='5%' class=''></td>
+ </tr>";
+ if (is_array($rowvalues)){
+ foreach($rowvalues as $keyid => $value){
+ if ($this->keyfield != "") {
+ if (preg_match("/[^0-9]/", $keyid))
+ $itemvalue = $keyid;
+ else
+ $itemvalue = $value[$this->keyfield];
+ $key = "<input name='{$tablename}_key{$counter}' id='{$tablename}_key{$counter}' type='hidden' value='{$itemvalue}'>";
+ } else
+ $key = "";
+
+ if (!$editstate) {
+ echo "<tr id='tr_view_$counter' ondblclick='editRow($counter); return false;' >";
+ $leftitem = true;
+ foreach($items as $item) {
+ $tdclass = $leftitem ? "vtable listlr" : "vtable listr";
+ echo "<td class='$tdclass'>";
+ $itemname = $item['name'];
+ $itemvalue = $value[$itemname];
+ if (isset($item['customdrawcell'])) {
+ $item['customdrawcell']($item, $itemvalue, false);
+ } else
+ $this->haproxy_htmllist_drawcell($item, $itemvalue, false, $itemname, $counter);
+ echo "</td>";
+ $leftitem = false;
+
+ }
+ echo "
+ <td class='list'>
+ <table border='0' cellspacing='0' cellpadding='1'><tr>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_e.gif' title='edit entry' width='17' height='17' border='0' onclick='editRow($counter); return false;' />
+ </td>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='deleteRow($counter, \"$tablename\"); return false;' />
+ </td>
+ <td valign='middle'>
+ <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' />
+ </td></tr></table>
+ </td>";
+ echo "</tr>";
+ }
+ $displaystyle = $editstate ? "" : "display: none;";
+ echo "<tr id='tr_edit_$counter' style='$displaystyle'>";
+ foreach($items as $item){
$itemname = $item['name'];
- $itemvalue = $value[$itemname];
+ $itemvalue = $value[$itemname];
+ echo "<td class='vtable'>".$key;
if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, false);
+ $item['customdrawcell']($item, $itemvalue, true, $item['name'].$counter);
} else
- haproxy_htmllist_drawcell($item, $itemvalue, false);
+ $this->haproxy_htmllist_drawcell($item, $itemvalue, true, $itemname, $counter);
echo "</td>";
- $leftitem = false;
+ $key = "";
}
echo "
<td class='list'>
<table border='0' cellspacing='0' cellpadding='1'><tr>
<td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_e.gif' title='edit entry' width='17' height='17' border='0' onclick='editRow($counter); return false;' />
- </td>
- <td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='deleteRow($counter, \"$tablename\"); return false;' />
+ <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='removeRow(this); return false;' />
</td>
<td valign='middle'>
<img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' />
</td></tr></table>
</td>";
echo "</tr>";
- }
- $displaystyle = $editstate ? "" : "display: none;";
- echo "<tr id='tr_edit_$counter' style='$displaystyle'>";
- foreach($items as $item){
- $itemname = $item['name'];
- $itemvalue = $value[$itemname];
- $itemnamenr = $itemname . $counter;
- echo "<td class='vtable'>";
- if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, true, $itemnamenr);
- } else
- haproxy_htmllist_drawcell($item, $itemvalue, true, $itemnamenr);
- echo "</td>";
- }
- echo "
- <td class='list'>
- <table border='0' cellspacing='0' cellpadding='1'><tr>
- <td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_x.gif' title='delete entry' width='17' height='17' border='0' onclick='removeRow(this); return false;' />
- </td>
- <td valign='middle'>
- <img src='/themes/{$g['theme']}/images/icons/icon_plus.gif' title='duplicate entry' width='17' height='17' border='0' onclick='dupRow($counter, \"$tablename\"); return false;' />
- </td></tr></table>
- </td>";
- echo "</tr>";
- if (isset($itemdetails)) {
- $colspan = count($items)-1;
- echo "<tr id='tr_viewdetail_$counter'>";
- ?>
- <td class='vtable listlr' style='border-bottom-width: medium;vertical-align:top;'>
- <div style="position:relative;float:right;width:11px;height:11px;">
- <a onclick="htmltable_toggle_details('<?="htmltable_{$tablename}_{$counter}_details"?>')">
- <img id="htmltable_<?="{$tablename}_{$counter}"?>_details_off" alt="Expand advanced server settings"
- src="tree/plus.gif" style="clip:rect(19px 13px 30px 2px); top:-19px;position:absolute;"/>
- </a>
- </div>
- </td>
- <?
- echo "<td class='vtable listr' colspan='$colspan' style='border-bottom-width: medium;'>";
- $itemnr = 0;
- echo "<div id='htmltable_{$tablename}_{$counter}_details_view'>";
- $itemcount = count($itemdetails);
- foreach($itemdetails as $item) {
- echo "<div style='float: left;padding-right: 2px;'>";
- $tdclass = "";//$leftitem ? "vtable listlr" : "vtable listr";
- echo $item['columnheader'] . ": ";
- $itemname = $item['name'];
- $itemvalue = $value[$itemname];
- if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, false);
- } else
- haproxy_htmllist_drawcell($item, $itemvalue, false);
- $leftitem = false;
- $itemnr++;
- if ($itemcount != $itemnr)
- echo ", ";
+ if (isset($itemdetails)) {
+ $colspan = count($items)-1;
+ echo "<tr id='tr_viewdetail_$counter'>";
+ ?>
+ <td class='vtable listlr' style='border-bottom-width: medium;vertical-align:top;'>
+ <div style="position:relative;float:right;width:11px;height:11px;">
+ <a onclick="htmltable_toggle_details('<?="htmltable_{$tablename}_{$counter}_details"?>')">
+ <img id="htmltable_<?="{$tablename}_{$counter}"?>_details_off" alt="Expand advanced server settings"
+ src="tree/plus.gif" style="clip:rect(19px 13px 30px 2px); top:-19px;position:absolute;"/>
+ </a>
+ </div>
+ </td>
+ <?
+ echo "<td class='vtable listr' colspan='$colspan' style='border-bottom-width: medium;'>";
+ $itemnr = 0;
+ echo "<div id='htmltable_{$tablename}_{$counter}_details_view'>";
+ $itemcount = count($itemdetails);
+ foreach($itemdetails as $item) {
+ echo "<div style='float: left;padding-right: 2px;'>";
+ $tdclass = "";//$leftitem ? "vtable listlr" : "vtable listr";
+ echo $item['columnheader'] . ": ";
+ $itemname = $item['name'];
+ $itemvalue = $value[$itemname];
+ if (isset($item['customdrawcell'])) {
+ $item['customdrawcell']($item, $itemvalue, false);
+ } else
+ $this->haproxy_htmllist_drawcell($item, $itemvalue, false, $itemname, $counter);
+ $leftitem = false;
+ $itemnr++;
+ if ($itemcount != $itemnr)
+ echo ", ";
+ echo "</div>";
+ }
+ echo "</div>";
+ echo "<div id='htmltable_{$tablename}_{$counter}_details_edit' style='display:none;'>";
+ echo "<table class='tabcont' style='border-collapse:collapse' border='1' cellspacing='0' >";
+ $leftitem = true;
+ foreach($itemdetails as $item) {
+ echo "<tr id='tr_edititemdetails_$counter' ondblclick='editRow($counter); return false;'>";
+ $tdclass = "";//$leftitem ? "vtable listlr" : "vtable listr";
+ echo "<td style='border-right:0' class='$tdclass'>";
+ echo "{$item['columnheader']}: ";
+ echo "</td>";
+ echo "<td style='border-left:0' class='$tdclass'>";
+ $itemname = $item['name'];
+ $itemvalue = $value[$itemname];
+ echo "{$item['description']}<br/>";
+ if (isset($item['customdrawcell'])) {
+ $item['customdrawcell']($item, $itemvalue, true, $itemname . $counter);
+ } else
+ $this->haproxy_htmllist_drawcell($item, $itemvalue, true, $itemname, $counter);
+ echo "</td>";
+ $leftitem = false;
+ echo "</tr>";
+ }
+ echo "</table>";
echo "</div>";
- }
- echo "</div>";
- echo "<div id='htmltable_{$tablename}_{$counter}_details_edit' style='display:none;'>";
- echo "<table class='tabcont' style='border-collapse:collapse' border='1' cellspacing='0' >";
- $leftitem = true;
- foreach($itemdetails as $item) {
- echo "<tr id='tr_edititemdetails_$counter' ondblclick='editRow($counter); return false;'>";
- $tdclass = "";//$leftitem ? "vtable listlr" : "vtable listr";
- echo "<td style='border-right:0' class='$tdclass'>";
- echo "{$item['columnheader']}: ";
echo "</td>";
- echo "<td style='border-left:0' class='$tdclass'>";
- $itemname = $item['name'];
- $itemvalue = $value[$itemname];
- $itemnamenr = $itemname . $counter;
- echo "{$item['description']}<br/>";
- if (isset($item['customdrawcell'])) {
- $item['customdrawcell']($item, $itemvalue, true, $itemnamenr);
- } else
- haproxy_htmllist_drawcell($item, $itemvalue, true, $itemnamenr);
+ echo "</tr>";
+ }
+ if (isset($itemdetails)) {
+ $colspan = count($items)-1;
+ echo "<tr id='htmltable_{$tablename}_{$counter}_details' style='$displaystyle' >";
+ echo "<td class='vtable listlr' style='border-bottom-width: medium;'> </td>";
+ echo "<td class='vtable listr' colspan='$colspan' style='border-bottom-width: medium;'>";
echo "</td>";
- $leftitem = false;
- echo "</tr>";
+ echo "</tr>";
}
- echo "</table>";
- echo "</div>";
- echo "</td>";
- echo "</tr>";
- }
- if (isset($itemdetails)) {
- $colspan = count($items)-1;
- echo "<tr id='htmltable_{$tablename}_{$counter}_details' style='$displaystyle' >";
- echo "<td class='vtable listlr' style='border-bottom-width: medium;'> </td>";
- echo "<td class='vtable listr' colspan='$colspan' style='border-bottom-width: medium;'>";
- echo "</td>";
- echo "</tr>";
- }
-
-
-
- $counter++;
+
+ $counter++;
+ }
}
+ echo "</table>
+ <a onclick='javascript:addRowTo(\"$tablename\"); return false;' href='#'>
+ <img border='0' src='/themes/{$g['theme']}/images/icons/icon_plus.gif' alt='' title='add another entry' />
+ </a>";
}
- echo "</table>
- <a onclick='javascript:addRowTo(\"$tablename\"); return false;' href='#'>
- <img border='0' src='/themes/{$g['theme']}/images/icons/icon_plus.gif' alt='' title='add another entry' />
- </a>";
+}
+
+function haproxy_htmllist($tablename,$rowvalues,$items,$editstate=false,$itemdetails=null){
+ $list = new HaproxyHtmlList($tablename, $items);
+ $list->haproxy_htmllist($rowvalues, $items, $editstate, $itemdetails);
+}
+
+function haproxy_htmllist_get_values($html_list){
+ $list = new HaproxyHtmlList("-", $html_list);
+ return $list->haproxy_htmllist_get_values();
}
function haproxy_htmllist_js(){
-?><script type="text/javascript">
+?><script type="text/javascript">
+ function html_listitem_change(tableId, fieldId, rowNr, field) {
+ javascript_event = tableId + "_listitem_change";
+ var fn = window[javascript_event];
+ if (typeof fn === 'function'){
+ fn(tableId, fieldId, rowNr, field);
+ }
+ }
+
function htmllist_get_select_items(prefix,tableId) {
var items;
var i = tableId.lastIndexOf('_');
@@ -248,14 +322,21 @@ function haproxy_htmllist_js(){
td.innerHTML="<input size='" + items[i]['size'] + "' name='" + items[i]['name'] + totalrows +
"' id='" + items[i]['name'] + totalrows +
"'><\/input> ";
+ } else if(items[i]['type'] == 'textarea') {
+ td.innerHTML="<textarea cols='" + items[i]['size'] + "' rows='30' name='" + items[i]['name'] + totalrows +
+ "' id='" + items[i]['name'] + totalrows +
+ "'><\/textarea> ";
} else if(items[i]['type'] == 'select') {
seltext = htmllist_get_select_options(tableId, items[i]['name']);
td.innerHTML="<select style='width:" + items[i]['size'] + "' name='" + items[i]['name'] + totalrows +
- "' id='" + items[i]['name'] + totalrows +
- "'>" + seltext + "<\/select> ";
+ "' id='" + items[i]['name'] + totalrows + "' "+
+ "onchange='html_listitem_change(\""+tableId+"\",\""+items[i]['name']+"\",\""+totalrows+"\",this);' " +
+ ">" + seltext + "<\/select> ";
} else {
- td.innerHTML="<input type='checkbox' name='" + items[i]['name'] + totalrows +
- "' id='" + items[i]['name'] + totalrows + "' value='yes'><\/input> ";
+ td.innerHTML="<input type='checkbox' name='" + items[i]['name'] + totalrows +"'"+
+ "id='" + items[i]['name'] + totalrows + "' "+
+ "onclick='html_listitem_change(\""+tableId+"\",\""+items[i]['name']+"\",\""+totalrows+"\",this);' " +
+ "value='yes'><\/input> ";
}
tr.appendChild(td);
}
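Review bot: The checkbox markup built in the final `else` branch drops the space between the name and id attributes, so the generated element reads `name='extaddr_ssl0'id='extaddr_ssl0'`; change the first concatenation to `"' id='"` so the two attributes are separated. Browsers mostly tolerate the fused form, but `table_extaddr_listitem_change` and `updatevisibility` on the listeners page look these inputs up by id, so it is worth being strict. The same branch still emits `<\/input>` for a void element, whereas the new textarea branch correctly uses a real closing tag. The enclosing addRowTo handler starts and ends outside this hunk.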
@@ -290,6 +371,12 @@ function haproxy_htmllist_js(){
td.appendChild(btable);
tr.appendChild(td);
tbody.appendChild(tr);
+
+ javascript_row_added = tableId + "_row_added";
+ var fn = window[javascript_row_added];
+ if (typeof fn === 'function'){
+ fn(tableId, totalrows);
+ }
});
})();
function dupRow(rowId, tableId) {
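Review bot: `javascript_row_added` at the bottom of the handler is assigned without `var`, so it becomes an implicit global (the same happens with `javascript_event` in `html_listitem_change` earlier in the file); `var hook = window[tableId + "_row_added"];` keeps it local. The identical lookup-and-call block is pasted again into dupRow in the next hunk, so a small helper such as `function notify_row_added(tableId, rowNr) { var fn = window[tableId + "_row_added"]; if (typeof fn === 'function') fn(tableId, rowNr); }` called from both would keep the two call sites in step. The enclosing click handler starts outside this hunk.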
@@ -316,6 +403,11 @@ function haproxy_htmllist_js(){
else
newEl.value = dupEl.value;
}
+ javascript_row_added = tableId + "_row_added";
+ var fn = window[javascript_row_added];
+ if (typeof fn === 'function'){
+ fn(tableId, totalrows);
+ }
}
function editRow(num) {
var trview = document.getElementById('tr_view_' + num);
@@ -327,9 +419,12 @@ function haproxy_htmllist_js(){
var view = document.getElementById("tr_view_" + rowId);
var viewdetail = document.getElementById("tr_viewdetail_" + rowId);
var edit = document.getElementById("tr_edit_" + rowId);
- view.parentNode.removeChild(view);
- viewdetail.parentNode.removeChild(viewdetail);
- edit.parentNode.removeChild(edit);
+ if (view)
+ view.parentNode.removeChild(view);
+ if (viewdetail)
+ viewdetail.parentNode.removeChild(viewdetail);
+ if (edit)
+ edit.parentNode.removeChild(edit);
}
function removeRow(el) {
var cel;
diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php
index 1deabdbb..8105345e 100644
--- a/config/haproxy-devel/haproxy_listeners.php
+++ b/config/haproxy-devel/haproxy_listeners.php
@@ -124,10 +124,11 @@ include("head.inc");
$a_frontend_grouped = array();
foreach($a_frontend as &$frontend2) {
$mainfrontend = get_primaryfrontend($frontend2);
+ $mainname = $mainfrontend['name'];
$ipport = get_frontend_ipport($frontend2, true);
$frontend2['ipport'] = $ipport;
$frontend2['type'] = $mainfrontend['type'];
- $a_frontend_grouped[$ipport][] = $frontend2;
+ $a_frontend_grouped[$mainname][] = $frontend2;
}
ksort($a_frontend_grouped);
@@ -142,6 +143,7 @@ include("head.inc");
if ((count($a_frontend) > 1 || $last_frontend_shared) && !$first) {
?> <tr class="<?=$textgray?>"><td colspan="7">&nbsp;</td></tr> <?
}
+ $first = false;
$last_frontend_shared = count($a_frontend) > 1;
foreach ($a_frontend as $frontend) {
$frontendname = $frontend['name'];
@@ -161,7 +163,7 @@ include("head.inc");
if ($isaclset)
echo "<img src=\"$img_acl\" title=\"" . gettext("acl's used") . ": {$isaclset}\" border=\"0\" />";
- if (strtolower($frontend['type']) == "http" && $frontend['ssloffload']) {
+ if (get_frontend_uses_ssl($frontend)) {
$cert = lookup_cert($frontend['ssloffloadcert']);
$descr = htmlspecialchars($cert['descr']);
if (is_array($frontend['ha_certificates']) && is_array($frontend['ha_certificates']['item'])) {
@@ -205,10 +207,35 @@ include("head.inc");
<?=$frontend['desc'];?>
</td>
<td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';">
- <?=str_replace(" ","&nbsp;",$frontend['ipport']);?>
+ <?
+ $first = true;
+ foreach($frontend['ipport'] as $addr) {
+ if (!$first)
+ print "<br/>";
+ print "<div style='white-space:nowrap;'>";
+ print "{$addr['addr']}:{$addr['port']}";
+ if ($addr['ssl'] == 'yes') {
+ echo '<img src="'.$img_cert.'" title="SSL offloading" alt="SSL" border="0" height="11" width="11" />';
+ }
+ print "</div";
+ $first = false;
+ }
+ ?>
</td>
<td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';">
- <?=$frontend['type']?>
+ <?
+ if ($frontend['type'] == 'http') {
+ $mainfrontend = get_primaryfrontend($frontend);
+ $sslused = get_frontend_uses_ssl($mainfrontend);
+ $httpused = !get_frontend_uses_ssl_only($frontend);
+ if ($httpused)
+ echo "http";
+ if ($sslused) {
+ echo ($httpused ? "/" : "") . "https";
+ }
+ } else
+ echo $a_frontendmode[$frontend['type']]['shortname'];
+ ?>
</td>
<td class="listlr" ondblclick="document.location='haproxy_listeners_edit.php?id=<?=$frontendname;?>';">
<div title='<?=$backend_serverpool_hint;?>'>
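Review bot: `print "</div";` in the listen-address loop is missing the closing `>`, so every address cell emits an unterminated tag and the following `<br/>` and `</td>` are swallowed into it; it should be `print "</div>";`. The address and port printed just above come from stored free-text fields (the custom address and port of the edit page) and are echoed without escaping, unlike `$descr` earlier in this file, so `print htmlspecialchars("{$addr['addr']}:{$addr['port']}");` would be consistent and would stop a stored value from injecting markup into the admin page. The `$first` flag reused inside this loop is the same variable the outer group loop tests for its separator row; it works today only because the outer loop clears it before reaching this point, so a distinct name (`$firstaddr`) would make that independence explicit.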
diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php
index d243ffb1..a818fcfb 100644
--- a/config/haproxy-devel/haproxy_listeners_edit.php
+++ b/config/haproxy-devel/haproxy_listeners_edit.php
@@ -63,6 +63,8 @@ if (!is_array($config['installedpackages']['haproxy']['ha_backends']['item'])) {
$a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item'];
$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+if (!is_array($a_pools))
+ $a_pools = array();
uasort($a_pools, haproxy_compareByName);
global $simplefields;
@@ -85,6 +87,10 @@ if (!is_numeric($id))
{
//default value for new items.
$pconfig['ssloffloadacl'] = "yes";
+ $new_item = array();
+ $new_item['extaddr'] = "wan_ipv4";
+ $new_item['extaddr_port'] = "80";
+ $pconfig['a_extaddr'][] = $new_item;
}
$servercerts = haproxy_get_certificates('server,user');
@@ -138,11 +144,44 @@ $fields_aclSelectionList[2]['colwidth']="35%";
$fields_aclSelectionList[2]['type']="textbox";
$fields_aclSelectionList[2]['size']="35";
+$interfaces = haproxy_get_bindable_interfaces();
+$interfaces_custom['custom']['name']="Use custom address:";
+$interfaces = $interfaces_custom + $interfaces;
+
+$fields_externalAddress=array();
+$fields_externalAddress[0]['name']="extaddr";
+$fields_externalAddress[0]['columnheader']="Listen address";
+$fields_externalAddress[0]['colwidth']="25%";
+$fields_externalAddress[0]['type']="select";
+$fields_externalAddress[0]['size']="200px";
+$fields_externalAddress[0]['items']=&$interfaces;
+$fields_externalAddress[1]['name']="extaddr_custom";
+$fields_externalAddress[1]['columnheader']="Custom address";
+$fields_externalAddress[1]['colwidth']="25%";
+$fields_externalAddress[1]['type']="textbox";
+$fields_externalAddress[1]['size']="30";
+$fields_externalAddress[2]['name']="extaddr_port";
+$fields_externalAddress[2]['columnheader']="Port";
+$fields_externalAddress[2]['colwidth']="5%";
+$fields_externalAddress[2]['type']="textbox";
+$fields_externalAddress[2]['size']="5";
+$fields_externalAddress[3]['name']="extaddr_ssl";
+$fields_externalAddress[3]['columnheader']="SSL Offloading";
+$fields_externalAddress[3]['colwidth']="10%";
+$fields_externalAddress[3]['type']="checkbox";
+$fields_externalAddress[3]['size']="50px";
+$fields_externalAddress[4]['name']="extaddr_advanced";
+$fields_externalAddress[4]['columnheader']="Advanced";
+$fields_externalAddress[4]['colwidth']="20%";
+$fields_externalAddress[4]['type']="textbox";
+$fields_externalAddress[4]['size']="30";
+
if (isset($id) && $a_backend[$id]) {
$pconfig['a_acl']=&$a_backend[$id]['ha_acls']['item'];
$pconfig['a_certificates']=&$a_backend[$id]['ha_certificates']['item'];
$pconfig['clientcert_ca']=&$a_backend[$id]['clientcert_ca']['item'];
$pconfig['clientcert_crl']=&$a_backend[$id]['clientcert_crl']['item'];
+ $pconfig['a_extaddr']=&$a_backend[$id]['a_extaddr']['item'];
$pconfig['advanced'] = base64_decode($a_backend[$id]['advanced']);
foreach($simplefields as $stat)
$pconfig[$stat] = $a_backend[$id][$stat];
@@ -164,8 +203,8 @@ if ($_POST) {
$pconfig = $_POST;
if ($pconfig['secondary'] != "yes") {
- $reqdfields = explode(" ", "name type port");
- $reqdfieldsn = explode(",", "Name,Type,Port");
+ $reqdfields = explode(" ", "name type");
+ $reqdfieldsn = explode(",", "Name,Type");
} else {
$reqdfields = explode(" ", "name");
$reqdfieldsn = explode(",", "Name");
@@ -208,6 +247,10 @@ if ($_POST) {
$a_acl = haproxy_htmllist_get_values($fields_aclSelectionList);
$pconfig['a_acl'] = $a_acl;
+ $a_extaddr = haproxy_htmllist_get_values($fields_externalAddress);
+ $pconfig['a_extaddr'] = $a_extaddr;
+
+
foreach($a_acl as $acl) {
$acl_name = $acl['name'];
$acl_value = $acl['value'];
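Review bot: Now that `port` has been dropped from the required simple fields, nothing in the POST handler checks the per-row listen address and port that `haproxy_htmllist_get_values($fields_externalAddress)` returns; the custom address and the port are free text and, as far as this diff shows, go straight into the stored frontend and from there into the generated haproxy configuration. A validation pass right after the values are read, using pfSense's `is_ipaddr()`, `is_port()` and `is_alias()` helpers and the `$input_errors` array this handler appears to use, would reject a bad address or port before it is saved; the port help text allows comma-separated lists, so each element needs checking. The enclosing `if ($_POST)` block starts and ends outside this hunk.

```php
$a_extaddr = haproxy_htmllist_get_values($fields_externalAddress);
$pconfig['a_extaddr'] = $a_extaddr;
foreach ($a_extaddr as $extaddr) {
	// only the "custom" choice carries a typed address; interface keys are validated by the select
	if ($extaddr['extaddr'] == 'custom' && !is_ipaddr($extaddr['extaddr_custom']) && !is_alias($extaddr['extaddr_custom']))
		$input_errors[] = "The custom listen address '{$extaddr['extaddr_custom']}' is not a valid IP address or alias.";
	// the help text permits "80,8000"; validate each element separately
	foreach (explode(',', $extaddr['extaddr_port']) as $port) {
		$port = trim($port);
		if (!is_port($port) && !is_alias($port))
			$input_errors[] = "The listen port '{$port}' is not a valid port number or alias.";
	}
}
// … unchanged: ACL loop …
```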
@@ -247,6 +290,7 @@ if ($_POST) {
$backend['ha_certificates']['item'] = $a_certificates;
$backend['clientcert_ca']['item'] = $a_clientcert_ca;
$backend['clientcert_crl']['item'] = $a_clientcert_crl;
+ $backend['a_extaddr']['item'] = $a_extaddr;
if (isset($id) && $a_backend[$id]) {
$a_backend[$id] = $backend;
@@ -275,7 +319,6 @@ include("head.inc");
if (!isset($_GET['dup']))
$excludefrontend = $pconfig['name'];
$primaryfrontends = get_haproxy_frontends($excludefrontend);
-$interfaces = haproxy_get_bindable_interfaces();
?>
<style type="text/css">
@@ -329,6 +372,9 @@ $interfaces = haproxy_get_bindable_interfaces();
if (tableId == 'table_clientcert_crl'){
seltext = "<?=haproxy_js_select_options($certs_crl);?>";
}
+ if (tableId == 'table_extaddr'){
+ seltext = "<?=haproxy_js_select_options($interfaces);?>";
+ }
return seltext;
}
@@ -343,20 +389,26 @@ $interfaces = haproxy_get_bindable_interfaces();
}
}
}
-
function updatevisibility() {
d = document;
+ ssl = false;
ssloffload = d.getElementById("ssloffload");
+ for (i = 0; i < 99; i++) {
+ customEdit = document.getElementById("extaddr_ssl"+i);
+ if (customEdit && customEdit.checked)
+ ssl = true;
+ }
var type;
var secondary = d.getElementById("secondary");
var primary_frontend = d.getElementById("primary_frontend");
- if ((secondary !== null) && (secondary.checked))
+ if ((secondary !== null) && (secondary.checked)) {
type = primaryfrontends[primary_frontend.value]['ref']['type'];
- else
+ ssl = ssloffload.checked;
+ } else
type = d.getElementById("type").value;
- setCSSdisplay(".haproxy_ssloffloading_enabled", ssloffload.checked);
+ setCSSdisplay(".haproxy_ssloffloading_enabled", ssl);
setCSSdisplay(".haproxy_mode_http", type == "http");
if (secondary !== null) {
setCSSdisplay(".haproxy_primary", !secondary.checked);
@@ -481,25 +533,45 @@ $interfaces = haproxy_get_bindable_interfaces();
<tr class="haproxy_primary">
<td width="22%" valign="top" class="vncellreq">External address</td>
<td width="78%" class="vtable">
- <?
- echo_html_select('extaddr', $interfaces, $pconfig['extaddr']);
- ?>
+ <?
+ $counter=0;
+ $a_extaddr = $pconfig['a_extaddr'];
+ $htmllist_extadd = new HaproxyHtmlList("table_extaddr", $fields_externalAddress);
+ $htmllist_extadd->editmode = true;
+ $htmllist_extadd->Draw($a_extaddr);
+ ?>
+ <script type="text/javascript">
+ function table_extaddr_row_added(tableid, rowid){
+ new AutoSuggestControl(document.getElementById("extaddr_custom"+rowid), new StateSuggestions(address_array));
+ new AutoSuggestControl(document.getElementById("extaddr_port"+rowid), new StateSuggestions(port_array));
+ table_extaddr_listitem_change(tableid,"",rowid, null);//disables address when not set to custom.
+ }
+
+ function table_extaddr_listitem_change(tableId, fieldId, rowNr, field) {
+ if (fieldId == "extaddr" || fieldId == "") {
+ field = field || document.getElementById("extaddr"+rowNr);
+ customEdit = document.getElementById("extaddr_custom"+rowNr);
+ customdisabled = field.value == "custom" ? 0 : 1;
+ customEdit.disabled = customdisabled;
+ }
+ if (fieldId == "extaddr_ssl") {
+ updatevisibility();
+ }
+ }
+
+ </script>
<br />
<span class="vexpl">
If you want this rule to apply to another IP address than the IP address of the interface chosen above,
select it here (you need to define <a href="firewall_virtual_ip.php">Virtual IP</a> addresses on the first).
Also note that if you are trying to redirect connections on the LAN select the "any" option.
+
+ In the port to listen to, if you want to specify multiple ports, separate them with a comma (,). EXAMPLE: 80,8000
+ Or to listen on both 80 and 443 create 2 rows in the table.
</span>
</td>
</tr>
<tr class="haproxy_primary" align="left">
- <td width="22%" valign="top" class="vncellreq">External port</td>
- <td width="78%" class="vtable" colspan="2">
- <input name="port" id="port" type="text" <?if(isset($pconfig['port'])) echo "value=\"{$pconfig['port']}\"";?> size="10" maxlength="500" />
- <div>The port to listen to. To specify multiple ports, separate with a comma (,). EXAMPLE: 80,8000</div>
- </td>
- </tr>
- <tr class="haproxy_primary" align="left">
<td width="22%" valign="top" class="vncell">Max connections</td>
<td width="78%" class="vtable" colspan="2">
<input name="max_connections" type="text" <?if(isset($pconfig['max_connections'])) echo "value=\"{$pconfig['max_connections']}\"";?> size="10" maxlength="10" />
@@ -526,8 +598,8 @@ $interfaces = haproxy_get_bindable_interfaces();
<td width="22%" valign="top" class="vncellreq">Type</td>
<td width="78%" class="vtable" colspan="2">
<select name="type" id="type" onchange="updatevisibility();">
- <option value="http"<?php if($pconfig['type'] == "http") echo " SELECTED"; ?>>HTTP</option>
- <option value="https"<?php if($pconfig['type'] == "https") echo " SELECTED"; ?>>HTTPS</option>
+ <option value="http"<?php if($pconfig['type'] == "http") echo " SELECTED"; ?>>HTTP / HTTPS(offloading)</option>
+ <option value="https"<?php if($pconfig['type'] == "https") echo " SELECTED"; ?>>SSL / HTTPS(TCP mode)</option>
<option value="tcp"<?php if($pconfig['type'] == "tcp") echo " SELECTED"; ?>>TCP</option>
<option value="health"<?php if($pconfig['type'] == "health") echo " SELECTED"; ?>>Health</option>
</select><br/>
@@ -541,7 +613,6 @@ $interfaces = haproxy_get_bindable_interfaces();
<td width="22%" valign="top" class="vncell">Access Control lists</td>
<td width="78%" class="vtable" colspan="2" valign="top">
<?
- $counter=0;
$a_acl = $pconfig['a_acl'];
haproxy_htmllist("tableA_acltable", $a_acl, $fields_aclSelectionList, true);
?>
@@ -654,16 +725,19 @@ $interfaces = haproxy_get_bindable_interfaces();
<td colspan="2" valign="top" class="listtopic">SSL Offloading</td>
</tr>
<tr align="left">
- <td width="22%" valign="top" class="vncell">Use Offloading</td>
<td width="78%" class="vtable" colspan="2">
- <input id="ssloffload" name="ssloffload" type="checkbox" value="yes" <?php if ($pconfig['ssloffload']=='yes') echo "checked";?> onclick="updatevisibility();" /><strong>Use Offloading</strong>
- <br/>
SSL Offloading will reduce web servers load by maintaining and encrypting connection with users on internet while sending and retrieving data without encrytion to internal servers.
Also more ACL rules and http logging may be configured when this option is used.
Certificates can be imported into the <a href="/system_camanager.php" target="_blank">pfSense "Certificate Authority Manager"</a>
Please be aware this possibly will not work with all web applications. Some applications will require setting the SSL checkbox on the backend server configurations so the connection to the webserver will also be a encrypted connection, in that case there will be a slight overall performance loss.
</td>
</tr>
+ <tr align="left" class="haproxy_secondary" >
+ <td width="22%" valign="top" class="vncell">Use Offloading</td>
+ <td width="78%" class="vtable" colspan="2">
+ <input id="ssloffload" name="ssloffload" type="checkbox" value="yes" <?php if ($pconfig['ssloffload']=='yes') echo "checked";?> onclick="updatevisibility();" /><strong>Use Offloading</strong>
+ </td>
+ </tr>
<tr class="haproxy_ssloffloading_enabled" align="left">
<td width="22%" valign="top" class="vncell">Certificate</td>
<td width="78%" class="vtable" colspan="2">
@@ -700,7 +774,8 @@ $interfaces = haproxy_get_bindable_interfaces();
</td>
</tr>
<tr class="haproxy_ssloffloading_enabled haproxy_primary">
- <td class="vncell" colspan="2"><b>Client certificate verification options, leave this empty if you do want to ask for a client certificate</b></td>
+ <td class="vncell" colspan="2"><b>Client certificate verification options, leave this empty if you do not want to ask for a client certificate</b><br/>
+ The users that visit this site will need to load the client cert signed by the ca's listed below imported into their browser.</td>
</tr>
<tr class="haproxy_ssloffloading_enabled haproxy_primary">
<td width="22%" valign="top" class="vncell">Client verification CA certificates</td>
@@ -754,14 +829,24 @@ $interfaces = haproxy_get_bindable_interfaces();
phparray_to_javascriptarray($fields_caCertificates,"fields_ca",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
phparray_to_javascriptarray($fields_crlCertificates,"fields_crl",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
phparray_to_javascriptarray($fields_aclSelectionList,"fields_acltable",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
+ phparray_to_javascriptarray($fields_externalAddress,"fields_extaddr",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
?>
</script>
<script type="text/javascript">
totalrows = <?php echo $counter; ?>;
- updatevisibility();
- var customarray = <?= json_encode(get_alias_list(array("port", "url_ports", "urltable_ports"))) ?>;
- var oTextbox1 = new AutoSuggestControl(document.getElementById("port"), new StateSuggestions(customarray));
+ var port_array = <?= json_encode(get_alias_list(array("port", "url_ports", "urltable_ports"))) ?>;
+ var address_array = <?= json_encode(get_alias_list(array("host", "network", "openvpn", "urltable"))) ?>;
+
+
+ for(i=0;i < <?=count($a_extaddr)?>;i++){
+ new AutoSuggestControl(document.getElementById('extaddr_custom'+i), new StateSuggestions(address_array));
+ new AutoSuggestControl(document.getElementById('extaddr_port'+i), new StateSuggestions(port_array));
+ // Initially set fields disabled where needed
+ table_extaddr_listitem_change('table_extaddr','',i,null);
+ }
+
+ updatevisibility();
</script>
<?php
haproxy_htmllist_js();
diff --git a/config/haproxy-devel/haproxy_pool_edit.php b/config/haproxy-devel/haproxy_pool_edit.php
index 30079847..5c7f66b9 100644
--- a/config/haproxy-devel/haproxy_pool_edit.php
+++ b/config/haproxy-devel/haproxy_pool_edit.php
@@ -42,6 +42,8 @@ if (!is_array($config['installedpackages']['haproxy']['ha_pools']['item'])) {
$a_pools = &$config['installedpackages']['haproxy']['ha_pools']['item'];
+$a_files = haproxy_get_fileslist();
+
if (isset($_POST['id']))
$id = $_POST['id'];
else
@@ -172,6 +174,19 @@ $fields_servers_details[7]['colwidth']="15%";
$fields_servers_details[7]['type']="textbox";
$fields_servers_details[7]['size']="80";
+$fields_errorfile = array();
+$fields_errorfile[0]['name']="errorcode";
+$fields_errorfile[0]['columnheader']="errorcode(s)";
+$fields_errorfile[0]['colwidth']="15%";
+$fields_errorfile[0]['type']="textbox";
+$fields_errorfile[0]['size']="70px";
+$fields_errorfile[1]['name']="errorfile";
+$fields_errorfile[1]['columnheader']="Error Page";
+$fields_errorfile[1]['colwidth']="30%";
+$fields_errorfile[1]['type']="select";
+$fields_errorfile[1]['size']="170px";
+$fields_errorfile[1]['items']=&$a_files;
+
if (isset($id) && $a_pools[$id]) {
$pconfig['advanced'] = base64_decode($a_pools[$id]['advanced']);
$pconfig['advanced_backend'] = base64_decode($a_pools[$id]['advanced_backend']);
@@ -179,6 +194,9 @@ if (isset($id) && $a_pools[$id]) {
foreach($simplefields as $stat)
$pconfig[$stat] = $a_pools[$id][$stat];
+
+ $a_errorfiles = &$a_pools[$id]['errorfiles']['item'];
+ if (!is_array($a_errorfiles)) $a_errorfiles = array();
}
if (isset($_GET['dup']))
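Review bot: `$a_errorfiles` is only defined inside the `isset($id) && $a_pools[$id]` branch, so on the add path (GET without an id) it reaches the `haproxy_htmllist("table_errorfile", $a_errorfiles, ...)` call later in the file undefined; add `$a_errorfiles = array();` before the `if` so a new pool draws an empty table. Taking the reference `&$a_pools[$id]['errorfiles']['item']` also autovivifies that key inside `$config` on a plain page load; a copy (`$a_errorfiles = $a_pools[$id]['errorfiles']['item'];` followed by the `is_array` check) avoids touching the config array on a GET, since the POST handler writes the values back separately.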
@@ -269,6 +287,8 @@ if ($_POST) {
$input_errors[] = "The field 'Port' value is not a number.";
}
+ $a_errorfiles = haproxy_htmllist_get_values($fields_errorfile);
+
if ($_POST['strict_transport_security'] !== "" && !is_numeric($_POST['strict_transport_security']))
$input_errors[] = "The field 'Strict-Transport-Security' is not empty or a number.";
@@ -356,6 +376,9 @@ foreach($simplefields as $field){
if (fieldname == 'forwardto')
return "<?=haproxy_js_select_options($primaryfrontends);?>";
else
+ if (fieldname == 'errorfile')
+ return "<?=haproxy_js_select_options($a_files);?>";
+ else
return "<?=haproxy_js_select_options($a_servermodes);?>";
}
@@ -920,6 +943,21 @@ set by the 'retries' parameter.</div>
</tr>
<tr><td>&nbsp;</td></tr>
<tr>
+ <td colspan="2" valign="top" class="listtopic">Error files</td>
+ </tr>
+ <tr class="" align="left" id='errorfiles'>
+ <td colspan="2" valign="top" class="vtable">
+ Use these to replace the error pages that haproxy can generate by custom pages created on the files tab.
+ For example haproxy will generate a 503 error page when no backend is available, you can replace that page here.
+ <br/>
+ <br/>
+ <?
+ haproxy_htmllist("table_errorfile", $a_errorfiles, $fields_errorfile);
+ ?>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr>
+ <tr>
<td colspan="2" valign="top" class="listtopic">Advanced</td>
</tr>
<tr class="" align="left" id='Strict-Transport-Security'>
@@ -961,9 +999,11 @@ set by the 'retries' parameter.</div>
<?
phparray_to_javascriptarray($fields_servers,"fields_servers",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
phparray_to_javascriptarray($fields_servers_details,"fields_details_servers",Array('/*','/*/name','/*/type'));
+ phparray_to_javascriptarray($fields_errorfile,"fields_errorfile",Array('/*','/*/name','/*/type','/*/size','/*/items','/*/items/*','/*/items/*/*','/*/items/*/*/name'));
phparray_to_javascriptarray($a_checktypes,"checktypes",Array('/*','/*/name','/*/descr'));
phparray_to_javascriptarray($a_cookiemode,"cookiemode",Array('/*','/*/name','/*/descr'));
phparray_to_javascriptarray($a_sticky_type,"sticky_type",Array('/*','/*/descr','/*/cookiedescr'));
+ phparray_to_javascriptarray($a_files,"a_files",Array('/*','/*/name','/*/descr'));
?>
browser_InnerText_support = (document.getElementsByTagName("body")[0].innerText != undefined) ? true : false;
diff --git a/config/haproxy-devel/pkg_haproxy_tabs.inc b/config/haproxy-devel/pkg_haproxy_tabs.inc
index 8cb280f8..f49d2b67 100644
--- a/config/haproxy-devel/pkg_haproxy_tabs.inc
+++ b/config/haproxy-devel/pkg_haproxy_tabs.inc
@@ -12,7 +12,9 @@ $haproxy_tab_array['haproxy'] = array();
$haproxy_tab_array['haproxy']['settings'] = Array(name => "Settings", url => "haproxy_global.php");
$haproxy_tab_array['haproxy']['frontend'] = Array(name => "Frontend", url => "haproxy_listeners.php");
$haproxy_tab_array['haproxy']['backend'] = Array(name => "Backend", url => "haproxy_pools.php");
+$haproxy_tab_array['haproxy']['files'] = Array(name => "Files", url => "haproxy_files.php");
$haproxy_tab_array['haproxy']['stats'] = Array(name => "Stats", url => "haproxy_stats.php");
+$haproxy_tab_array['haproxy']['statsfs'] = Array(name => "Stats FS", url => "haproxy_stats.php?haproxystats=1");
function haproxy_display_top_tabs_active($top_tabs, $activetab) {
$tab_array = array();
diff --git a/config/imspector/imspector.inc b/config/imspector/imspector.inc
index 2d672e87..89fbda2b 100644
--- a/config/imspector/imspector.inc
+++ b/config/imspector/imspector.inc
@@ -35,9 +35,8 @@
require_once("service-utils.inc");
/* IMSpector */
-
define('IMSPECTOR_RCFILE', '/usr/local/etc/rc.d/imspector.sh');
- define('IMSPECTOR_ETC', '/usr/local/etc/imspector');
+ define('IMSPECTOR_ETC', "/usr/pbi/imspector-" . php_uname("m") . "/local/etc/imspector");
define('IMSPECTOR_CONFIG', IMSPECTOR_ETC . '/imspector.conf');
function imspector_warn ($msg) { syslog(LOG_WARNING, "imspector: {$msg}"); }
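Review bot: `IMSPECTOR_ETC` now points into the PBI tree for every install, while `IMSPECTOR_RCFILE` on the line above stays under /usr/local/etc/rc.d, and unlike mailscanner.inc in this same change there is no version gate; mailscanner only uses the `/local` subtree when the pfSense version is not 2.1, so on a 2.1 system the two packages would disagree about where the PBI keeps its configuration. If the `/local` layout is the only one this package supports now, a comment recording that would stop someone from re-adding the old path: `// PBI layout only: configuration lives under /usr/pbi/imspector-<arch>/local/etc`. Otherwise reuse the `/etc/version` check from mailscanner.inc so both packages follow the same rule.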
@@ -543,4 +542,4 @@ function imspector_do_xmlrpc_sync($sync_to_ip, $password) {
}
}
-?>
+?> \ No newline at end of file
diff --git a/config/iperf.xml b/config/iperf.xml
index f64500d9..3b17f549 100644
--- a/config/iperf.xml
+++ b/config/iperf.xml
@@ -150,13 +150,12 @@
$iperf_options = "";
if($_POST['protocol'] == "udp") $iperf_options .= " -u";
if($_POST['format'] == "bytes") $iperf_options .= " -f A";
- if($_POST['interval'] != "") $iperf_options .= " -i {$_POST['interval']}";
- if($_POST['length'] != "") $iperf_options .= " -l {$_POST['length']}";
- if($_POST['window'] != "") $iperf_options .= " -w {$_POST['window']}";
- if($_POST['udpbandwidth'] != "") $iperf_options .= " -b {$_POST['udpbandwidth']}";
- if($_POST['port'] != "") $iperf_options .= " -p {$_POST['port']}";
- $iperf_options .= " -c {$_POST['hostname']}";
+ if($_POST['interval'] != "") $iperf_options .= " -i " . escapeshellarg($_POST['interval']);
+ if($_POST['length'] != "") $iperf_options .= " -l " . escapeshellarg($_POST['length']);
+ if($_POST['window'] != "") $iperf_options .= " -w " . escapeshellarg($_POST['window']);
+ if($_POST['udpbandwidth'] != "") $iperf_options .= " -b " . escapeshellarg($_POST['udpbandwidth']);
+ if($_POST['port'] != "") $iperf_options .= " -p " . escapeshellarg($_POST['port']);
+ $iperf_options .= " -c " . escapeshellarg($_POST['hostname']);
system("/usr/local/bin/iperf" . $iperf_options);
</custom_add_php_command>
-</packagegui>
-
+</packagegui> \ No newline at end of file
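Review bot: Wrapping each option in `escapeshellarg()` closes the shell-injection hole, but none of the numeric options is checked for being numeric and the hostname is not checked with `is_ipaddr()`/`is_hostname()`, so a typo now surfaces as iperf's own error text in the page instead of a validation message. Since `is_port()`, `is_numeric()` and `is_hostname()` are available from pfSense's util.inc, a check such as `if ($_POST['port'] != "" && !is_port($_POST['port'])) $input_errors[] = "Port must be between 1 and 65535.";` before the `system()` call would be the next step, assuming the custom_add_php_command context reports `$input_errors` the way the edit pages do. `system()` also runs the client synchronously for the whole test, so passing a bounded `-t` duration from a validated field would keep the web request from hanging.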
diff --git a/config/iperfserver.xml b/config/iperfserver.xml
index 493c41c8..f0dc074a 100644
--- a/config/iperfserver.xml
+++ b/config/iperfserver.xml
@@ -130,10 +130,10 @@
$iperf_options = "";
if($_POST['protocol'] == "udp") $iperf_options .= " -u";
if($_POST['format'] == "bytes") $iperf_options .= " -f A";
- if($_POST['interval'] != "") $iperf_options .= " -i {$_POST['interval']}";
- if($_POST['length'] != "") $iperf_options .= " -l {$_POST['length']}";
- if($_POST['window'] != "") $iperf_options .= " -w {$_POST['window']}";
- if($_POST['port'] != "") $iperf_options .= " -p {$_POST['port']}";
+ if($_POST['interval'] != "") $iperf_options .= " -i " . escapeshellarg($_POST['interval']);
+ if($_POST['length'] != "") $iperf_options .= " -l " . escapeshellarg($_POST['length']);
+ if($_POST['window'] != "") $iperf_options .= " -w " . escapeshellarg($_POST['window']);
+ if($_POST['port'] != "") $iperf_options .= " -p " . escapeshellarg($_POST['port']);
$iperf_options .= " -s";
mwexec_bg("/usr/local/bin/iperf" . $iperf_options);
</custom_add_php_command>
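Review bot: The value passed to `-p` is now quoted but still not validated, so a non-numeric port starts a background server with a bad argument that fails silently under `mwexec_bg`; `if ($_POST['port'] != "" && !is_port($_POST['port'])) $input_errors[] = "Port must be between 1 and 65535.";` ahead of the `mwexec_bg` call would surface that, assuming `$input_errors` is honoured in this context. No bind address is passed, so the server listens on every interface of the firewall; that is presumably intended for a test tool, but it is worth stating in the page text next to the port field.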
diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc
index 4067eef3..8418c85c 100644
--- a/config/mailscanner/mailscanner.inc
+++ b/config/mailscanner/mailscanner.inc
@@ -1,8 +1,8 @@
<?php
/*
- postfix.inc
+ mailscanner.inc
part of the Postfix package for pfSense
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -29,12 +29,12 @@
*/
$shortcut_section = "mailscanner";
require_once("util.inc");
-require("globals.inc");
+require_once("globals.inc");
#require("guiconfig.inc");
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
define('MAILSCANNER_PREFIX', '/usr/pbi/mailscanner-' . php_uname("m"));
-if ($pf_version != "2.1")
+if ($pf_version == "2.1")
define('MAILSCANNER_LOCALBASE', MAILSCANNER_PREFIX);
else
define('MAILSCANNER_LOCALBASE', MAILSCANNER_PREFIX . '/local');
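Review bot: The comparison on the `$pf_version` line was inverted without a comment, and because `$pf_version` is only the first three characters of /etc/version a reader cannot tell which PBI layout belongs to which release; a one-liner above it such as `# 2.1.x PBIs install directly under the prefix; later releases add a /local subtree` would record the intent (I am inferring that mapping from the two branch bodies, so please confirm). The 3-character prefix also means a hypothetical "2.10" would be treated as 2.1; `version_compare()` on the full version string would avoid that if it ever matters.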
@@ -44,7 +44,7 @@ if ($uname['machine']=='amd64')
ini_set('memory_limit', '250M');
function ms_text_area_decode($text){
- return preg_replace('/\r\n/', "\n",base64_decode($text));
+ return preg_replace('/\r\n/', "\n",base64_decode($text));
}
function sync_package_mailscanner($via_rpc=false) {
@@ -63,7 +63,7 @@ function sync_package_mailscanner($via_rpc=false) {
#check default config
$load_samples=0;
-
+
#assign xml arrays
if (!is_array($config['installedpackages']['mailscanner'])){
$config['installedpackages']['mailscanner']['config'][0]=array( 'max_children'=> '5',
@@ -131,7 +131,7 @@ function sync_package_mailscanner($via_rpc=false) {
$antispam=$config['installedpackages']['msantispam']['config'][0];
if (is_array($config['installedpackages']['msalerts']))
$alert=$config['installedpackages']['msalerts']['config'][0];
-
+
#General options
$info =($mailscanner['orgname']?'%org-name% = '.$mailscanner['orgname']."\n":'%org-name% = Pfsense'."\n");
$info .=($mailscanner['longorgname']?'%org-long-name% = '.$mailscanner['longorgname']."\n":'%org-long-name% = Pfsense Inc.'."\n");
@@ -166,7 +166,7 @@ function sync_package_mailscanner($via_rpc=false) {
#Attachment options
$max_size=($attachments['max_sizes']?$attachments['max_sizes']:'-1');
- $archive_depth=($attachments['archive_depth']?$attachments['archive_depth']:'8');
+ $archive_depth=($attachments['archive_depth']?$attachments['archive_depth']:'8');
$expand_tnef=(preg_match('/ExpandTNEF/',$attachments['features'])?"yes":"no");
$deliver_tnef=(preg_match('/DeliverUnparsableTNEF/',$attachments['features'])?"yes":"no");
$find_archive=(preg_match('/FindArchiveByContent/',$attachments['features'])?"yes":"no");
@@ -189,7 +189,7 @@ function sync_package_mailscanner($via_rpc=false) {
$allow_password=(preg_match('/AllowPassword-ProtectedArchives/',$antivirus['features'])?"yes":"no");
$check_filenames=(preg_match('/CheckFilenamesInPassword-ProtectedArchives/',$antivirus['features'])?"yes":"no");
$custom_antivirus_options=ms_text_area_decode($antivirus['custom']);
-
+
#content
$dangerous_content=(preg_match('/DangerousContentScanning/',$content['checks'])?"yes":"no");
$partial_messages=(preg_match('/AllowPartialMessages/',$content['checks'])?"yes":"no");
@@ -200,7 +200,7 @@ function sync_package_mailscanner($via_rpc=false) {
$highlight_phishing=(preg_match('/HighlightPhishingFraud/',$content['checks'])?"yes":"no");
$dangerous_html=(preg_match('/ConvertDangerousHTMLToText/',$content['checks'])?"yes":"no");
$html_to_text=(preg_match('/ConvertHTMLToText/',$content['checks'])?"yes":"no");
-
+
#reports and responses
$include_scanner_name=(preg_match('/IncludeScannerNameInReports/',$report['features'])?"yes":"no");
$hide_incoming_work_dir=(preg_match('/HideIncomingWorkDir/',$report['features'])?"yes":"no");
@@ -226,7 +226,7 @@ function sync_package_mailscanner($via_rpc=false) {
$notice_from=($report['notice_from']?$report['notice_from']:"MailScanner");
$notice_to=($report['notice_to']?$report['notice_to']:"MailScanner");
$notice_signature=($report['notice_signature']?$report['notice_signature']:'-- \nMailScanner\nEmail Virus Scanner\nwww.mailscanner.info');
-
+
#antispa- spam assassin
$use_sa=(preg_match('/use_sa/',$antispam['safeatures'])?"yes":"no");
$sa_auto_whitelist=(preg_match('/sa_auto_whitelist/',$antispam['safeatures'])?"yes":"no");
@@ -249,7 +249,7 @@ function sync_package_mailscanner($via_rpc=false) {
$is_not_mcp=(preg_match('/is_not_mcp/',$antispam['mcp_features'])?"yes":"no");
$mcp_is_high_score=(preg_match('/mcp_is_high_score/',$antispam['mcp_features'])?"yes":"no");
$include_mcp_report=(preg_match('/include_mcp_report/',$antispam['mcp_features'])?"yes":"no");
- $detailled_mcp_report=(preg_match('/detailled_mcp_report/',$antispam['mcp_features'])?"yes":"no");
+ $detailled_mcp_report=(preg_match('/detailled_mcp_report/',$antispam['mcp_features'])?"yes":"no");
$score_mcp_report=(preg_match('/score_mcp_report/',$antispam['mcp_features'])?"yes":"no");
$log_mcp=(preg_match('/log_mcp/',$antispam['mcp_features'])?"yes":"no");
$mcp_score=($antispam['mcp_score']?$antispam['mcp_score']:"1");
@@ -257,14 +257,14 @@ function sync_package_mailscanner($via_rpc=false) {
$mcp_action=($antispam['mcp_action']?preg_replace("/,/"," ",$antispam['mcp_action']):"deliver");
$mcp_hi_action=($antispam['mcp_hi_action']?preg_replace("/,/"," ",$antispam['mcp_hi_action']):"delete");
$mcp_max=($antispam['mcp_max']?$antispam['mcp_max']:"200k");
-
+
/*
Language Strings = %report-dir%/languages.conf
*/
#check files
$mailscanner_dir=MAILSCANNER_LOCALBASE ."/etc/MailScanner";
-
+
if($attachments['filename_rules'] == ""){
$config['installedpackages']['msattachments']['config'][0]['filename_rules']=base64_encode(file_get_contents($mailscanner_dir.'/archives.filename.rules.conf.sample'));
$load_samples++;
@@ -280,7 +280,7 @@ Language Strings = %report-dir%/languages.conf
if($content['phishing_bad'] == ""){
$config['installedpackages']['mscontent']['config'][0]['phishing_bad']=base64_encode(file_get_contents($mailscanner_dir.'/phishing.bad.sites.conf.sample'));
$load_samples++;
- }
+ }
if($content['country_domains'] == ""){
$config['installedpackages']['mscontent']['config'][0]['country_domains']=base64_encode(file_get_contents($mailscanner_dir.'/country.domains.conf.sample'));
$load_samples++;
@@ -311,7 +311,7 @@ Language Strings = %report-dir%/languages.conf
$config['installedpackages']['msantispam']['config'][0]['max_message_size']=base64_encode(file_get_contents($mailscanner_dir.'/rules/max.message.size.rules.sample'));
$load_samples++;
}
-
+
$report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']);
#CHECK REPORT FILES
$report_files= array('deletedbadcontent' => 'deleted.content.message.txt',
@@ -335,7 +335,7 @@ Language Strings = %report-dir%/languages.conf
'recipientmcp'=>'recipient.mcp.report.txt',
'recipientspam'=>'recipient.spam.report.txt',
'rejection' =>'rejection.report.txt');
-
+
foreach ($report_files as $key_r => $file_r){
if ($report[$key_r] == ""){
#$input_errors[]= $key;
@@ -346,7 +346,7 @@ Language Strings = %report-dir%/languages.conf
}
}
#print $key_r ."X $file_r X". base64_encode(file_get_contents($report_dir.'/'.$file_r.'.sample')) ."<br>";
-
+
if ($alert['sig']){
if($alert['sig_html'] == ""){
$config['installedpackages']['msalerts']['config'][0]['sig_html']=base64_encode(file_get_contents($report_dir.'/inline.sig.html'));
@@ -368,8 +368,8 @@ Language Strings = %report-dir%/languages.conf
$load_samples++;
}
}
-
-
+
+
}
#exit;
if($load_samples > 0)
@@ -404,23 +404,23 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
}
if (is_dir('/var/spool/postfix'))
chown ('/var/spool/postfix','postfix');
-
+
$mlang=strtolower($report['language']);
$mfiles[]= MAILSCANNER_LOCALBASE. "/etc/MailScanner/virus.scanners.conf";
$mfiles[]= MAILSCANNER_LOCALBASE. "/share/MailScanner/reports/{$mlang}/inline.spam.warning.txt";
$mfiles[]= MAILSCANNER_LOCALBASE. "/share/MailScanner/reports/{$mlang}/languages.conf";
-
+
foreach ($mfiles as $mfile)
if (! file_exists ($mfile) && file_exists($mfile.".sample"))
copy($mfile.".sample",$mfile);
-
+
#update spam.assassin.prefs.conf
$sa_temp=ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['sa_pref_file']);
$pattern[]='/#ifplugin/';
$pattern[]='/#dcc_path/';
$pattern[]='/#endif/';
-
+
$replacement[]="ifplugin";
$replacement[]="dcc_path";
$replacement[]="endif";
@@ -494,13 +494,13 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
$replacement[]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner";
$pattern[]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/';
$replacement[]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner-From";
-
-
+
+
$sa_temp=preg_replace($pattern,$replacement,$sa_temp);
#rint "pre".$sa_temp;exit;
$config['installedpackages']['msantispam']['config'][0]['sa_pref_file']=base64_encode($sa_temp);
write_config();
-
+
file_put_contents($mailscanner_dir."/MailScanner.conf", $mc, LOCK_EX);
file_put_contents($mailscanner_dir."/filename.rules.conf",ms_text_area_decode($config['installedpackages']['msattachments']['config'][0]['filename_rules']),LOCK_EX);
file_put_contents($mailscanner_dir."/filetype.rules.conf",ms_text_area_decode($config['installedpackages']['msattachments']['config'][0]['filetype_rules']),LOCK_EX);
@@ -515,10 +515,10 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
file_put_contents($mailscanner_dir.'/rules/bounce.rules',ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['bounce']),LOCK_EX);
file_put_contents($mailscanner_dir.'/rules/max.message.size.rules',ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['max_message_size']),LOCK_EX);
file_put_contents($mailscanner_dir.'/rules/spam.whitelist.rules',ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['spam_whitelist']),LOCK_EX);
-
+
foreach ($report_files as $key_r => $file_r)
file_put_contents($report_dir.'/'.$file_r,ms_text_area_decode($config['installedpackages']['msreport']['config'][0][$key_r]),LOCK_EX);
-
+
if ($alert['sig']){
$sig_html=ms_text_area_decode($config['installedpackages']['msalerts']['config'][0]['sig_html']);
$sig_txt=ms_text_area_decode($config['installedpackages']['msalerts']['config'][0]['sig_txt']);}
@@ -536,7 +536,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
$warning_txt="";}
file_put_contents($report_dir.'/inline.warning.txt',$warning_txt,LOCK_EX);
file_put_contents($report_dir.'/inline.warning.html',$warning_html,LOCK_EX);
-
+
#check virus_scanner options
$libexec_dir=MAILSCANNER_LOCALBASE. "/libexec/MailScanner/";
if ($virus_scanning == "yes"){
@@ -562,7 +562,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
chmod ($libexec_dir.'clamav-autoupdate',0755);
copy($libexec_dir.'clamav-wrapper.sample',$libexec_dir.'clamav-wrapper');
chmod ($libexec_dir.'clamav-autoupdate',0755);
-
+
#clamav-wrapper file
$cconf=$libexec_dir."clamav-wrapper";
if (file_exists($cconf)){
@@ -572,7 +572,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
file_put_contents($cconf, $cconf_file, LOCK_EX);
}
}
-
+
#freshclam conf file
$cconf=MAILSCANNER_LOCALBASE. "/etc/freshclam.conf";
if (file_exists($cconf)){
@@ -582,7 +582,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
file_put_contents($cconf, $cconf_file, LOCK_EX);
}
}
-
+
#clamd conf file
$cconf=MAILSCANNER_LOCALBASE. "/etc/clamd.conf";
if (file_exists($cconf)){
@@ -617,7 +617,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
else{
log_error("Starting clamav-clamd daemon");
mwexec_bg("$script start");
- }
+ }
}
else{
if (is_process_running('clamd')){
@@ -626,20 +626,20 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
}
}
}
-
+
#check clamav database
if (!file_exists('/var/db/clamav/main.cvd')){
log_error('No clamav database found, running freshclam in background.');
mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam --config-file='.MAILSCANNER_LOCALBASE.'/etc/freshclam.conf --user=root');
}
-
+
}
}
else{
unlink_if_exists($libexec_dir.'clamav-autoupdate');
unlink_if_exists($libexec_dir.'clamav-wrapper');
}
-
+
#check dcc config file
$script=MAILSCANNER_LOCALBASE. '/dcc/dcc_conf';
if (file_exists($script)){
@@ -649,7 +649,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
file_put_contents($script, $script_file, LOCK_EX);
}
}
-
+
#check dcc startup script
$script=MAILSCANNER_LOCALBASE. '/etc/rc.d/dccifd';
if (file_exists($script)){
@@ -659,21 +659,21 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
file_put_contents($script, $script_file, LOCK_EX);
chmod ($script,0755);
}
-
+
if($config['installedpackages']['mailscanner']['config'][0]['enable']){
if(is_process_running('dccifd')){
log_error("Restarting dccifd");
- mwexec("$script restart");
+ mwexec("$script restart");
}
else{
log_error("Starting dccifd");
mwexec("$script start");
- }
+ }
}
else{
if(is_process_running('dccifd')){
log_error("Stopping dccifd");
- mwexec("$script stop");
+ mwexec("$script stop");
}
}
}
@@ -683,7 +683,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
#fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner
$cconf=MAILSCANNER_PREFIX. "/sbin/mailscanner";
if (file_exists($cconf)){
-
+
$perl_bin="perl_mailscanner";
if(file_exists(MAILSCANNER_PREFIX . '/bin/perl') && !file_exists(MAILSCANNER_PREFIX . "/bin/{$perl_bin}")){
link(MAILSCANNER_PREFIX . '/bin/perl',MAILSCANNER_PREFIX . "/bin/{$perl_bin}");
@@ -699,7 +699,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
file_put_contents($cconf, $cconf_file, LOCK_EX);
}
}
-
+
}
#check spam assassin rules
@@ -714,7 +714,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
log_error("Mailscanner- No spamassassin rules found, forcing sa-update.");
mwexec($saupdate);
}
- }
+ }
if (file_exists($script)){
$script_file=file_get_contents($script);
@@ -765,8 +765,8 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
}
break;
case "auto":
- if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
- $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ if (is_array($config['hasync'])){
+ $system_carp=$config['hasync'];
$rs[0]['ipaddress']=$system_carp['synchronizetoip'];
$rs[0]['username']=$system_carp['username'];
$rs[0]['password']=$system_carp['password'];
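Review bot: The new `auto` branch reads `synchronizetoip`, `username` and `password` out of `$config['hasync']` on the strength of `is_array($config['hasync'])` alone, yet that section can also be present when only state sync is configured and XML-RPC sync is switched off, in which case `synchronizetoip` is empty and `$rs[0]['ipaddress']` becomes an empty string. Unless the code after the hunk rejects an empty address, the condition should be `if (is_array($config['hasync']) && !empty($config['hasync']['synchronizetoip'])) {` so that this case falls through to the existing "no system backup hosts" log message rather than attempting a sync with no target. The enclosing `switch` and function both start and end outside the hunk.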
@@ -780,7 +780,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf
log_error("[Mailscanner] xmlrpc sync is enabled but there is no system backup hosts to push mailscanner config.");
return;
}
- break;
+ break;
default:
return;
break;
@@ -846,7 +846,7 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$
if(!$synctimeout)
$synctimeout=120;
-
+
$xmlrpc_sync_neighbor = $sync_to_ip;
if($config['system']['webgui']['protocol'] != "") {
$synchronizetoip = $config['system']['webgui']['protocol'];
@@ -855,9 +855,9 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$
$port = $config['system']['webgui']['port'];
/* if port is empty lets rely on the protocol selection */
if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
+ if($config['system']['webgui']['protocol'] == "http")
$port = "80";
- else
+ else
$port = "443";
}
$synchronizetoip .= $sync_to_ip;
@@ -868,6 +868,7 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$
if ($sync_xml){
log_error("Include mailscanner config");
$xml['mailscanner'] = $config['installedpackages']['mailscanner'];
+ $xml['msattachments'] = $config['installedpackages']['msattachments'];
$xml['msreport'] = $config['installedpackages']['msreport'];
$xml['mscontent'] = $config['installedpackages']['mscontent'];
$xml['msantivirus'] = $config['installedpackages']['msantivirus'];
@@ -880,7 +881,7 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$
XML_RPC_encode($password),
XML_RPC_encode($xml)
);
-
+
/* set a few variables needed for sync code borrowed from filter.inc */
$url = $synchronizetoip;
log_error("Beginning mailscanner XMLRPC sync to {$url}:{$port}.");
@@ -905,18 +906,18 @@ function mailscanner_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$
} else {
log_error("mailscanner XMLRPC sync successfully completed with {$url}:{$port}.");
}
-
+
/* tell postfix to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/mailscanner.inc');\n";
$execcmd .= "sync_package_mailscanner(true);";
-
+
/* assemble xmlrpc payload */
$params = array(
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
-
+
log_error("mailscanner XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
diff --git a/config/nmap/nmap.inc b/config/nmap/nmap.inc
index 272f27ef..f66f6be9 100644
--- a/config/nmap/nmap.inc
+++ b/config/nmap/nmap.inc
@@ -28,6 +28,28 @@
POSSIBILITY OF SUCH DAMAGE.
*/
+function nmap_install() {
+ $destination_file = "/usr/local/share/nmap/nmap-mac-prefixes";
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ switch ($pfs_version) {
+ case "1.2":
+ case "2.0":
+ return null;
+ case "2.1":
+ $source_file = "/usr/pbi/nmap-" . php_uname("m") . "/share/nmap/nmap-mac-prefixes";
+ break;
+ default:
+ $source_file = "/usr/pbi/nmap-" . php_uname("m") . "/local/share/nmap/nmap-mac-prefixes";
+ }
+ /* Only copy the file if it doesn't exist */
+ if (file_exists($source_file) && !file_exists($destination_file)) {
+ if (!is_dir(dirname($destination_file))) {
+ @mkdir(dirname($destination_file), 0644, true);
+ }
+ @symlink($source_file, $destination_file);
+ }
+}
+
function nmap_custom_php_validation_command($post, & $input_errors) {
global $_POST, $savemsg, $config;
if (empty($_POST['hostname'])) {
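Review bot: `@mkdir(dirname($destination_file), 0644, true)` in the new `nmap_install()` creates the parent directory without the execute (search) bit, so anything running as a non-root user cannot traverse it to resolve the symlink placed inside; a directory needs `0755`, and the `@` hides the failure that would otherwise tell you why. The comment above the `if` says "Only copy the file" while the code creates a symlink, so it should read `/* Only link the file if the destination does not exist yet */`. Suggested line: `mkdir(dirname($destination_file), 0755, true);`. `nmap_custom_php_validation_command` continues past the end of the hunk.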
diff --git a/config/nmap/nmap.xml b/config/nmap/nmap.xml
index b07b3982..ad0f8e0a 100644
--- a/config/nmap/nmap.xml
+++ b/config/nmap/nmap.xml
@@ -46,7 +46,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>nmap</name>
- <version>6.40_2 pkg v1.2.1</version>
+ <version>6.40_2 pkg v1.3</version>
<title>Diagnostics: NMap</title>
<savetext>Scan</savetext>
<preoutput>yes</preoutput>
@@ -122,4 +122,7 @@
<custom_php_validation_command>
nmap_custom_php_validation_command($_POST, $input_errors);
</custom_php_validation_command>
+ <custom_php_install_command>
+ nmap_install();
+ </custom_php_install_command>
</packagegui>
diff --git a/config/ntopng/ntopng.xml b/config/ntopng/ntopng.xml
index 5428d205..45b68bdc 100644
--- a/config/ntopng/ntopng.xml
+++ b/config/ntopng/ntopng.xml
@@ -182,8 +182,8 @@
$redis_path = "/usr/pbi/ntopng-" . php_uname("m") . "/bin";
}
- $start = "ldconfig -m /usr/pbi/ntopng-i386/lib\n";
- $start .= "\t{$redis_path}/redis-server &\n";
+ $start = "ldconfig -m /usr/pbi/ntopng-" . php_uname("m") . "/lib\n";
+ $start .= "\t{$redis_path}/redis-server --dir /var/db/ntopng/ --dbfilename ntopng.rdb &\n";
// TODO:
// Add support for --data-dir /somewhere, --httpdocs-dir /somewhereelse,
// --dump-timeline (on/off) --http-port, --https-port
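Review bot: The rewritten `redis-server` line still starts the daemon without a configuration file, so apart from `--dir` and `--dbfilename` it runs with built-in defaults, which for the Redis releases of that period means listening on every interface with no authentication; since only the local ntopng process talks to it, the generated start line should pin it with `--bind 127.0.0.1` (Redis accepts its config directives as command-line options). The new `--dir /var/db/ntopng/` also presumes that directory exists before the daemon starts, otherwise the RDB save requested later fails; the hunk does not show it being created, so that may be handled elsewhere. The enclosing function starts and ends outside the hunk.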
@@ -207,6 +207,7 @@
$ntopng_config['password'] = "admin";
$password = md5($ntopng_config['password']);
mwexec_bg("{$redis_path}/redis-cli SET user.admin.password " . escapeshellarg($password));
+ mwexec_bg("{$redis_path}/redis-cli save");
conf_mount_ro();
config_unlock();
}
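Review bot: The added `mwexec_bg("{$redis_path}/redis-cli save")` is launched in the background right after the `SET user.admin.password` call, which is itself backgrounded, so there is no guarantee the password write has completed when the snapshot is taken and the persisted `ntopng.rdb` may not contain it. Running both synchronously preserves the intended order: `mwexec("{$redis_path}/redis-cli SET user.admin.password " . escapeshellarg($password));` followed by `mwexec("{$redis_path}/redis-cli save");`. The surrounding function starts outside the hunk.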
diff --git a/config/nut/nut.inc b/config/nut/nut.inc
index 2dfe944b..aa0bbe13 100644
--- a/config/nut/nut.inc
+++ b/config/nut/nut.inc
@@ -35,7 +35,8 @@
define('NUT_RCFILE', '/usr/local/etc/rc.d/nut.sh');
- if (substr(trim(file_get_contents("/etc/version")),0,3) == "2.0") {
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ if ($pfs_version == "2.0") {
define('NUT_DIR','/usr/local/etc/nut');
} else {
define('NUT_DIR', '/usr/pbi/nut-' . php_uname("m") . '/etc/nut');
@@ -224,6 +225,8 @@ EOD;
}
function sync_package_nut_local() {
+ global $pfs_version;
+
$name = nut_config('name');
$driver = nut_config_sub('driver', 2);
$port = nut_config('port');
@@ -287,6 +290,11 @@ EOD;
}
$upsd_users .= "{$custom_upsdusers}";
+ if ($pfs_version == "2.1")
+ $upsdrvctl = "/usr/local/libexec/nut/upsdrvctl";
+ else
+ $upsdrvctl = "/usr/local/sbin/upsdrvctl";
+
/* upsmon.conf */
$upsmon_conf = <<<EOD
MONITOR {$name}@localhost 1 monuser {$password} master
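Review bot: The new `$upsdrvctl` selection on `$pfs_version == "2.1"` is written out twice, here and again in the hunk at `@@ -411,6 +419,11 @@`, with the same two literal paths; the next path change will have to be made in both places. A small helper such as `function nut_upsdrvctl_path() { global $pfs_version; return ($pfs_version == "2.1") ? "/usr/local/libexec/nut/upsdrvctl" : "/usr/local/sbin/upsdrvctl"; }` called from both functions would keep them in step. Note that the value depends on the file-scope `$pfs_version` assigned in the first hunk, which is why the `global` declaration was needed; the enclosing functions extend beyond both hunks.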
@@ -310,7 +318,7 @@ EOD;
fi
if [ `pgrep {$driver} | wc -l` != 0 ]; then
echo stopping {$driver}
- /usr/local/libexec/nut/upsdrvctl stop
+ {$upsdrvctl} stop
fi
sleep 1
if [ `pgrep {$driver} | wc -l` != 0 ]; then
@@ -329,7 +337,7 @@ if [ `pgrep {$driver} | wc -l` != 0 ]; then
fi
{$port_set}
echo starting {$driver}
- if /usr/local/libexec/nut/upsdrvctl start; then
+ if {$upsdrvctl} start; then
echo starting upsd
/usr/local/sbin/upsd {$ovr_user}
echo starting upsmon
@@ -411,6 +419,11 @@ EOD;
}
$upsd_users .= "{$custom_upsdusers}";
+ if ($pfs_version == "2.1")
+ $upsdrvctl = "/usr/local/libexec/nut/upsdrvctl";
+ else
+ $upsdrvctl = "/usr/local/sbin/upsdrvctl";
+
/* upsmon.conf */
$upsmon_conf = <<<EOD
MONITOR {$name}@localhost 1 monuser {$password} master
@@ -434,7 +447,7 @@ EOD;
fi
if [ `pgrep {$driver} | wc -l` != 0 ]; then
echo stopping {$driver}
- /usr/local/libexec/nut/upsdrvctl stop
+ {$upsdrvctl} stop
fi
sleep 1
if [ `pgrep {$driver} | wc -l` != 0 ]; then
@@ -453,7 +466,7 @@ if [ `pgrep {$driver} | wc -l` != 0 ]; then
fi
{$port_set}
echo starting {$driver}
- if /usr/local/libexec/nut/upsdrvctl start; then
+ if {$upsdrvctl} start; then
echo starting upsd
/usr/local/sbin/upsd {$ovr_user}
echo starting upsmon
diff --git a/config/open-vm-tools/open-vm-tools.xml b/config/open-vm-tools/open-vm-tools.xml
index c705f0e9..b4b1c0e8 100644
--- a/config/open-vm-tools/open-vm-tools.xml
+++ b/config/open-vm-tools/open-vm-tools.xml
@@ -8,13 +8,9 @@
/*
open-vm-tools.xml
part of pfSense (http://www.pfSense.org)
- Copyright (C) 2008 BSD Perimeter LLC
+ Copyright (C) 2008-2014 Electric Sheep Fencing LP
All rights reserved.
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2008 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
/* ========================================================================== */
/*
Redistribution and use in source and binary forms, with or without
@@ -66,4 +62,4 @@
conf_mount_ro();
</custom_php_deinstall_command>
<include_file>/usr/local/pkg/open-vm-tools.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/open-vm-tools_2/open-vm-tools.xml b/config/open-vm-tools_2/open-vm-tools.xml
index 02247242..1e823eed 100644
--- a/config/open-vm-tools_2/open-vm-tools.xml
+++ b/config/open-vm-tools_2/open-vm-tools.xml
@@ -8,13 +8,9 @@
/*
open-vm-tools.xml
part of pfSense (http://www.pfSense.org)
- Copyright (C) 2008 BSD Perimeter LLC
+ Copyright (C) 2008-2014 Electric Sheep Fencing LP
All rights reserved.
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2008 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
/* ========================================================================== */
/*
Redistribution and use in source and binary forms, with or without
@@ -66,4 +62,4 @@
conf_mount_ro();
</custom_php_deinstall_command>
<include_file>/usr/local/pkg/open-vm-tools.inc</include_file>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc
index 44604a90..f635bbd0 100755
--- a/config/openvpn-client-export/openvpn-client-export.inc
+++ b/config/openvpn-client-export/openvpn-client-export.inc
@@ -39,12 +39,13 @@ require_once("util.inc");
require_once("pfsense-utils.inc");
global $current_openvpn_version, $current_openvpn_version_rev;
-$current_openvpn_version = "2.3.5";
+$current_openvpn_version = "2.3.6";
$current_openvpn_version_rev = "01";
function openvpn_client_export_install() {
+ global $current_openvpn_version;
conf_mount_rw();
- $tarpath = "/usr/local/pkg/openvpn-client-export.tgz";
+ $tarpath = "/usr/local/pkg/openvpn-client-export-{$current_openvpn_version}.tgz";
$phpfile = "vpn_openvpn_export.php";
$ovpndir = "/usr/local/share/openvpn";
$workdir = "{$ovpndir}/client-export";
@@ -57,6 +58,7 @@ function openvpn_client_export_install() {
}
function openvpn_client_export_deinstall() {
+ global $current_openvpn_version;
conf_mount_rw();
$phpfile = "vpn_openvpn_export.php";
$phpfile2 = "vpn_openvpn_export_shared.php";
@@ -65,6 +67,7 @@ function openvpn_client_export_deinstall() {
unlink_if_exists("/usr/local/www/{$phpfile}");
unlink_if_exists("/usr/local/www/{$phpfile2}");
+ unlink_if_exists("/usr/local/pkg/openvpn-client-export-{$current_openvpn_version}.tgz");
exec("/bin/rm -r {$workdir}");
conf_mount_ro();
}
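Review bot: `openvpn_client_export_deinstall()` now removes only the versioned tarball named by `$current_openvpn_version`, so on a system upgraded from the previous release the old unversioned `/usr/local/pkg/openvpn-client-export.tgz` (the path the install hunk replaced) is left behind, as will be any earlier versioned archive after future bumps. Adding `unlink_if_exists("/usr/local/pkg/openvpn-client-export.tgz");` alongside the new line covers the upgrade case; a glob over `openvpn-client-export-*.tgz` would cover later ones.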
diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml
index f96336b3..15986428 100755
--- a/config/openvpn-client-export/openvpn-client-export.xml
+++ b/config/openvpn-client-export/openvpn-client-export.xml
@@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8" ?>
<packagegui>
<name>OpenVPN Client Export</name>
- <version>1.2.14</version>
+ <version>1.2.15</version>
<title>OpenVPN Client Export</title>
<include_file>/usr/local/pkg/openvpn-client-export.inc</include_file>
<backup_file></backup_file>
@@ -27,7 +27,7 @@
<additional_files_needed>
<prefix>/usr/local/pkg/</prefix>
<chmod>077</chmod>
- <item>https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export.tgz</item>
+ <item>https://files.pfsense.org/packages/openvpn-client-export/openvpn-client-export-2.3.6.tgz</item>
</additional_files_needed>
<additional_files_needed>
<prefix>/usr/local/www/</prefix>
diff --git a/config/postfix/adexport.pl b/config/postfix/adexport.pl
index 185848f1..25a8a267 100755
--- a/config/postfix/adexport.pl
+++ b/config/postfix/adexport.pl
@@ -1,9 +1,9 @@
-#!/usr/bin/perl -w
+#!/usr/local/bin/perl -w
##############################################################################
#
# Script to export a list of all email addresses from Active Directory
# Brian Landers <brian@packetslave.com>
-#
+#
# This code is in the public domain. Your use of this code is at your own
# risk, and no warranty is implied. The author accepts no liability for any
# damages or risks incurred by its use.
@@ -42,7 +42,7 @@ use Net::LDAP;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED );
-#our ($cn,$passwd,$base);
+#our ($cn,$passwd,$base);
#($cn,$passwd,$base)=@_ARGV;
#print "$cn \n $passwd \n $base";
#exit;
@@ -74,10 +74,10 @@ foreach( @servers ) {
# 1000 records by default. We have to use paging to get the full list.
my $page = Net::LDAP::Control::Paged->new( size => 100 );
-
+
# Try to bind (login) to the server now that we're connected
-my $msg = $ldap->bind( dn => $bind,
- password => $passwd
+my $msg = $ldap->bind( dn => $bind,
+ password => $passwd
);
# If we can't bind, we can't continue
@@ -122,7 +122,7 @@ if( $cookie ) {
}
# Finally, unbind from the server
-$ldap->unbind;
+$ldap->unbind;
# ------------------------------------------------------------------------
# Callback function that gets called for each record we get from the server
@@ -131,16 +131,16 @@ $ldap->unbind;
#
sub handle_object {
-
+
my $msg = shift; # Net::LDAP::Message object
my $data = shift; # May be Net::LDAP::Entry or Net::LDAP::Reference
-
+
# Only process if we actually got data
return unless $data;
-
+
return handle_entry( $msg, $data ) if $data->isa("Net::LDAP::Entry");
return handle_reference( $msg, $data ) if $data->isa("Net::LDAP::Reference");
-
+
# If we get here, it was something we're not prepared to handle,
# so just return silently.
@@ -153,35 +153,35 @@ sub handle_object {
# ones we haven't seen before.
sub handle_entry {
-
+
my $msg = shift;
my $data = shift;
-
+
# Extract the email addressess, selecting only the SMTP ones, and
# filter them so that we only get unique addresses
- my @mails = grep { /^smtp:/i && !$gSeen{$_}++ }
+ my @mails = grep { /^smtp:/i && !$gSeen{$_}++ }
$data->get_value( "proxyAddresses" );
-
- # If we found any, strip off the SMTP: identifier and print them out
+
+ # If we found any, strip off the SMTP: identifier and print them out
if( @mails ) {
print map { s/^smtp:(.+)$/\L$1\n/i; $_ } @mails;
}
}
# ------------------------------------------------------------------------
-# Handler for a Net::LDAP::Reference object. This is a 'redirect' to
+# Handler for a Net::LDAP::Reference object. This is a 'redirect' to
# another portion of the directory. We simply extract the references
# from the object and resubmit them to the handle_object function for
# processing.
sub handle_reference {
-
+
my $msg = shift;
my $data = shift;
-
+
foreach my $obj( $data->references() ) {
-
+
# Oooh, recursion! Might be a reference to another reference, after all
return handle_object( $msg, $obj );
}
diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc
index 50979f38..eb5499aa 100755
--- a/config/postfix/postfix.inc
+++ b/config/postfix/postfix.inc
@@ -3,7 +3,7 @@
postfix.inc
part of the Postfix package for pfSense
Copyright (C) 2010 Erik Fonnesbeck
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
@@ -35,19 +35,19 @@ require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("globals.inc");
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version > 2.0)
+$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+if (is_dir('/usr/pbi/postfix-' . php_uname("m"))) {
define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m"));
-else
- define('POSTFIX_LOCALBASE','/usr/local');
-
+} else {
+ define('POSTFIX_LOCALBASE','/usr/local');
+}
$uname=posix_uname();
if ($uname['machine']=='amd64')
ini_set('memory_limit', '250M');
function px_text_area_decode($text){
- return preg_replace('/\r\n/', "\n",base64_decode($text));
+ return preg_replace('/\r\n/', "\n",base64_decode($text));
}
function px_get_real_interface_address($iface) {
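Review bot: `$pfs_version` is assigned in the new code but nothing in the hunk reads it any more, since the branch that used to compare `$pf_version > 2.0` now keys off `is_dir('/usr/pbi/postfix-' . php_uname("m"))`. If other code in this file still references the old name `$pf_version`, it is now undefined after this rename; if nothing references either, the assignment (and its read of `/etc/version`) can be dropped. I cannot see the rest of the file from this hunk, so this needs a grep to confirm.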
@@ -85,8 +85,8 @@ function sync_relay_recipients($via_cron="cron"){
if (!file_exists($ldap_recipients))
system('/usr/bin/touch '. $ldap_recipients);
$relay_ldap_recipients=file_get_contents($ldap_recipients);
- }
- else{
+ }
+ else{
#running via crontab, time to get ldap content.
$ldap_temp=array();
foreach ($postfix_recipients_config['row'] as $postfix_ldap) {
@@ -121,7 +121,7 @@ function sync_relay_recipients($via_cron="cron"){
print "Total ldap recipients:".count($ldap_all)."\tunique:".count($ldap_unique)."\n";
foreach($ldap_unique as $recipient)
$relay_ldap_recipients.=($recipient != ""?preg_replace("/\s+/","",$recipient)." OK\n":"");
-
+
#save ldap relay recipients
file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/relay_ldap_recipients.txt",$relay_ldap_recipients, LOCK_EX);
}
@@ -137,11 +137,11 @@ function sync_relay_recipients($via_cron="cron"){
}
if($relay_recipients !="" || $relay_ldap_recipients!="")
return("relay_recipient_maps = hash:".POSTFIX_LOCALBASE."/etc/postfix/relay_recipients\n");
-
+
}
function check_cron(){
global $config, $g;
- #check crontab
+ #check crontab
$new_cron=array();
$cron_cmd_sqlite = "";
$cron_postfix_sqlite="";
@@ -207,7 +207,7 @@ function check_cron(){
}
}
}
-
+
#check crontab relay recipients
$cron_found="";
if (is_array($config['cron']['item'])){
@@ -224,7 +224,7 @@ function check_cron(){
}
}
}
- #check sqlite update queue
+ #check sqlite update queue
else if(!preg_match("/.usr.local.www.postfix.php/",$cron["command"])){
#keep all non postfix cron cmds if not empty
if ($cron["command"] != "")
@@ -235,7 +235,7 @@ function check_cron(){
# Check if crontab must be changed to valid recipients cmd
if ($postfix_recipients_config['enable_ldap'] || $postfix_recipients_config['enable_url']){
if ($cron_found!=$cron_postfix){
- #update postfix cron schedule
+ #update postfix cron schedule
if (! is_array($cron_found) && $postfix_enabled=="on")
$new_cron['item'][]=$cron_postfix;
$write_cron=1;
@@ -255,7 +255,7 @@ function check_cron(){
}
}
- #call cron functions
+ #call cron functions
if ($write_cron==1){
$config['cron']=$new_cron;
write_config('Postfix - sync remote sqlite database',$backup = false);
@@ -271,17 +271,17 @@ function check_cron(){
else
$new_crontab .= $line;
}
- if ($old_cron==1)
+ if ($old_cron==1)
file_put_contents("/etc/crontab",$new_crontab, LOCK_EX);
-
+
#print "<pre>". var_dump($new_cron). var_dump($cron_postfix_sqlite).var_dump($config['cron']);
#exit;
-
-
+
+
}
function sync_package_postfix($via_rpc="no") {
global $config;
-
+
log_error("sync_package_postfix called with via_rpc={$via_rpc}");
# detect boot process
if (is_array($_POST)){
@@ -290,10 +290,10 @@ function sync_package_postfix($via_rpc="no") {
else
$boot_process="on";
}
-
+
if(is_process_running("master") && isset($boot_process) && $via_rpc=="no")
return;
-
+
#check patch in /etc/inc/config.
$relay_domains = "";
$transport = "";
@@ -346,10 +346,10 @@ function sync_package_postfix($via_rpc="no") {
}
file_put_contents($sys_log_file,$new_sys_log, LOCK_EX);
#mwexec('/usr/local/bin/php -q /usr/local/www/postfix_syslog.php');
- #restart syslog daemon
+ #restart syslog daemon
system_syslogd_start();
}
-
+
#check_debug
if($postfix_config['debug_list'] && $postfix_config['debug_list']!=""){
$check_debug ="\n#Debugging postfix\n";
@@ -358,7 +358,7 @@ function sync_package_postfix($via_rpc="no") {
}
#check relay recipients
$all_relay_recipients=sync_relay_recipients('gui');
-
+
$copyright=<<<ABOUT
#Part of the Postfix package for pfSense
#Copyright (C) 2010 Erik Fonnesbeck
@@ -416,14 +416,14 @@ EOF;
$cal_cidr = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_cidr']);
else
#formatar o arquivo retirando os 'oks'
- $cal_cidr_tmp = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_cidr']);
+ $cal_cidr_tmp = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_cidr']);
$cal_cidr = preg_replace('/ ok/i'," permit",$cal_cidr_tmp);
}
#Client PCRE
if ($config['installedpackages']['postfixacl']['config'][0]['cal_pcre']){
$cal_pcre = px_text_area_decode($config['installedpackages']['postfixacl']['config'][0]['cal_pcre']);
}
- $postfix_main .= px_text_area_decode($postfix_config['maincf'])."\n".
+ $postfix_main .= px_text_area_decode($postfix_config['maincf'])."\n".
"relay_domains ={$relay_domains}\n" .
"transport_maps = hash:".POSTFIX_LOCALBASE."/etc/postfix/transport\n" .
"local_recipient_maps =\n" .
@@ -434,7 +434,7 @@ EOF;
"default_process_limit = {$process_limit}\n";
#assign antispam options
$antispam=$config['installedpackages']['postfixantispam']['config'][0];
-
+
if($antispam['antispam_enabled']){
switch ($antispam['antispam_software']){
case "mailscanner":
@@ -452,16 +452,16 @@ smtpd_client_restrictions = check_policy_service {$antispam['antispam_location']
smtpd_restriction_classes =
has_our_domain_as_sender
client_throttle
-smtpd_end_of_data_restrictions = check_policy_service {$antispam['antispam_location']}
+smtpd_end_of_data_restrictions = check_policy_service {$antispam['antispam_location']}
EOF;
}
else{
- $postfix_main_antispam = "Policyd v2 has no location set.\n\n";
+ $postfix_main_antispam = "Policyd v2 has no location set.\n\n";
}
break;
- }
+ }
}
if ($antispam['reject_unknown_helo_hostname']){
$reject_unknown_helo_hostname = <<<EOF
@@ -470,7 +470,7 @@ smtpd_helo_restrictions = check_helo_access pcre:{$pf_dir}/etc/postfix/helo_chec
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
permit
-
+
EOF;
}
if ($antispam['header_check'] == "strong")
@@ -492,7 +492,7 @@ smtpd_sender_restrictions = reject_non_fqdn_sender,
reject_multi_recipient_bounce,
permit
-# Allow connections from specified local clients and strong check everybody else.
+# Allow connections from specified local clients and strong check everybody else.
smtpd_client_restrictions = permit_mynetworks,
reject_unauth_destination,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
@@ -500,7 +500,7 @@ smtpd_client_restrictions = permit_mynetworks,
reject_unknown_client_hostname,
reject_unauth_pipelining,
reject_multi_recipient_bounce,
- permit
+ permit
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
@@ -522,13 +522,13 @@ else
$postfix_main .= <<<EOF
#Just reject after helo,sender,client,recipient tests
smtpd_delay_reject = yes
-
+
# Don't talk to mail systems that don't know their own hostname.
smtpd_helo_required = yes
{$reject_unknown_helo_hostname}
smtpd_sender_restrictions = reject_unknown_sender_domain,
- RBLRBLRBL
+ RBLRBLRBL
# Allow connections from specified local clients and rbl check everybody else if rbl check are set.
smtpd_client_restrictions = permit_mynetworks,
@@ -540,7 +540,7 @@ smtpd_client_restrictions = permit_mynetworks,
# Whitelisting: local clients may specify any destination domain.
#,
-smtpd_recipient_restrictions = permit_mynetworks,
+smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination,
check_sender_access hash:{$pf_dir}/etc/postfix/sender_access,
check_client_access pcre:{$pf_dir}/etc/postfix/cal_pcre,
@@ -571,16 +571,16 @@ switch ($antispam['zombie_blocker'])
case "ignore":
$postscreen=1;
break;
-
+
case "disabled":
$postscreen=0;
break;
}
if ($antispam['soft_bounce'] == "enabled")
{
- $postfix_main.="soft_bounce = yes\n";
+ $postfix_main.="soft_bounce = yes\n";
}
-
+
//check ips to listen on
$inet_protocols=($postfix_config['inet_protocol'] ? $postfix_config['inet_protocol'] : "ipv4");
$inet_interfaces =array();
@@ -633,7 +633,7 @@ switch ($antispam['zombie_blocker'])
if(preg_match("/postscreen_greet_check/",$antispam['after_greeting'])){
$postfix_main.="postscreen_greet_action = ".$antispam['zombie_blocker']."\n";
}
-
+
$postfix_main.="postscreen_access_list = permit_mynetworks,\n\t\t\tcidr:".POSTFIX_LOCALBASE."/etc/postfix/cal_cidr\n";
$postfix_main.="postscreen_dnsbl_action= ".$antispam['zombie_blocker']."\n";
$postfix_main.="postscreen_blacklist_action= ".$antispam['zombie_blocker']."\n";
@@ -674,7 +674,7 @@ MASTEREOF;
$rbl2.= $prefix."reject_rbl_client $rbl,\n";
}
}
-
+
#interface loop
/*$postfix_inets="";
$ifaces = ($postfix_config['enabled_interface'] ? $postfix_config['enabled_interface'] : 'loopback');
@@ -688,16 +688,16 @@ MASTEREOF;
}
*/
$postfix_master ="25 inet n - n - - smtpd\n";
-
+
}
$rbl2.=($rbl2 !=""?"\t\t\t\tpermit\n":"permit\n");
$postfix_main=preg_replace("/RBLRBLRBL/",$rbl2,$postfix_main);
-
+
#Header Maps
$anvil_config=$config['installedpackages']['postfixantispam']['config'][0]['anvil'];
if ($anvil_config =='enabled' || ($anvil_config =='postscreen' && $postscreen==1))
$anvil='anvil unix - - n - 1 anvil';
-
+
$postfix_master .= <<<MASTEREOF2
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
@@ -725,9 +725,15 @@ scache unix - - n - 1 scache
{$anvil}
MASTEREOF2;
-
+
conf_mount_rw();
+ //check postfix etc dir on 2.2
+ $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+ $postfix_etc_lnk="/usr/local/etc/postfix";
+ if ($pfs_version == 2.2 && !is_dir($postfix_etc_lnk))
+ @symlink(POSTFIX_LOCALBASE.'/etc/postfix',$postfix_etc_lnk);
+
log_error("Writing out configuration");
file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/main.cf", $postfix_main, LOCK_EX);
file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/master.cf", $postfix_master, LOCK_EX);
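Review bot: The `@symlink(...)` on the new line hides a failed link creation, so on 2.2 the `file_put_contents(POSTFIX_LOCALBASE."/etc/postfix/main.cf", ...)` calls that follow run whether or not `/usr/local/etc/postfix` actually points at the package's etc directory; `is_dir()` returns false for a dangling link or a plain file at that path, in which case `symlink()` would presumably fail and nothing is logged. Consider `if (!@symlink(POSTFIX_LOCALBASE.'/etc/postfix', $postfix_etc_lnk)) log_error("Could not create {$postfix_etc_lnk} symlink");` so the condition shows up in the system log. The test `$pfs_version == 2.2` also only matches exactly 2.2, while the other files in this commit (postfix_queue.php, postfix_view_config.php) replaced their version checks with an `is_dir('/usr/pbi/postfix-' . php_uname("m"))` probe, which would be the consistent condition here. The enclosing function starts and ends outside this hunk.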
@@ -745,13 +751,13 @@ MASTEREOF2;
{
mwexec(POSTFIX_LOCALBASE."/sbin/postmap ".POSTFIX_LOCALBASE."/etc/postfix/".$file);
}
-
+
#check postix dirs
$dirs=array("/var/spool/postfix","/etc/mail","/var/db/postfix","/var/mail/postfix");
foreach ($dirs as $dir)
if (!is_dir($dir) && !file_exists($dir))
mkdir($dir, 0755,TRUE);
-
+
#check postfix owners
$dirs=array("/var/db/postfix","/var/mail/postfix");
foreach ($dirs as $dir){
@@ -762,27 +768,27 @@ MASTEREOF2;
touch("/etc/mail/aliases");
exec("/usr/local/bin/newaliases");
postfix_start();
-
+
#Do not sync during boot
if(!isset($boot_process) || $via_rpc=="yes")
postfix_sync_on_changes();
-
+
}
function postfix_start(){
global $config;
$pf_dir=POSTFIX_LOCALBASE;
$start=<<<EOF
-
+
sysctl kern.ipc.nmbclusters=65536
sysctl kern.ipc.somaxconn=16384
sysctl kern.maxfiles=131072
sysctl kern.maxfilesperproc=104856
sysctl kern.threads.max_threads_per_proc=4096
{$pf_dir}/sbin/postfix start
-
+
EOF;
$stop = POSTFIX_LOCALBASE."/sbin/postfix stop\n";
- log_error("Writing rc_file");
+ log_error("Writing rc_file");
write_rcfile(array("file" => "postfix.sh", "start" => $start, "stop" => $stop));
sleep(1);
@@ -797,7 +803,7 @@ EOF;
mwexec("/usr/local/etc/rc.d/postfix.sh stop");
system('/bin/chmod -x /usr/local/etc/rc.d/postfix.sh');
}
-
+
conf_mount_ro();
}
@@ -806,11 +812,11 @@ function postfix_validate_input($post, &$input_errors) {
if (empty($value))
continue;
if($key == "greet_time" && !preg_match("/(\d+),(\d+)(s|m|h|w)/",$value))
- $input_errors[] = "Wrong greet time sintax.";
+ $input_errors[] = "Wrong greet time sintax.";
if($key == "message_size_limit" && !is_numeric($value))
$input_errors[] = "Message size limit must be numeric.";
if($key == "process_limit" && !is_numeric($value))
- $input_errors[] = "Process limit must be numeric.";
+ $input_errors[] = "Process limit must be numeric.";
if($key == "freq" && (!preg_match("/^\d+(h|m|d)$/",$value) || $value == 0))
$input_errors[] = "A valid number with a time reference is required for the field 'Frequency'";
if (substr($key, 0, 2) == "dc" && !is_hostname($value))
@@ -845,7 +851,7 @@ function postfix_php_deinstall_command() {
/* Uses XMLRPC to synchronize the changes to a remote node */
function postfix_sync_on_changes() {
- global $config, $g;
+ global $config, $g;
if (is_array($config['installedpackages']['postfixsync']['config'])){
$postfix_sync=$config['installedpackages']['postfixsync']['config'][0];
$synctimeout = $postfix_sync['synctimeout'];
@@ -877,7 +883,7 @@ function postfix_sync_on_changes() {
log_error("[postfix] xmlrpc sync is enabled but there is no system backup hosts to push postfix config.");
return;
}
- break;
+ break;
default:
return;
break;
@@ -905,13 +911,13 @@ function postfix_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$sync
if(!$username)
$username="admin";
-
+
if(!$password)
return;
if(!$sync_to_ip)
return;
-
+
if(!$synctimeout)
$synctimeout=120;
@@ -923,9 +929,9 @@ function postfix_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$sync
$port = $config['system']['webgui']['port'];
/* if port is empty lets rely on the protocol selection */
if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
+ if($config['system']['webgui']['protocol'] == "http")
$port = "80";
- else
+ else
$port = "443";
}
$synchronizetoip .= $sync_to_ip;
@@ -948,7 +954,7 @@ function postfix_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$sync
XML_RPC_encode($password),
XML_RPC_encode($xml)
);
-
+
/* set a few variables needed for sync code borrowed from filter.inc */
$url = $synchronizetoip;
log_error("Beginning Postfix XMLRPC sync to {$url}:{$port}.");
@@ -973,18 +979,18 @@ function postfix_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type,$sync
} else {
log_error("Postfix XMLRPC sync successfully completed with {$url}:{$port}.");
}
-
+
/* tell postfix to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/postfix.inc');\n";
$execcmd .= "sync_package_postfix('yes');";
-
+
/* assemble xmlrpc payload */
$params = array(
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
-
+
log_error("postfix XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
diff --git a/config/postfix/postfix.php b/config/postfix/postfix.php
index 774c7573..4cf85033 100644
--- a/config/postfix/postfix.php
+++ b/config/postfix/postfix.php
@@ -2,7 +2,7 @@
/*
postfix.php
part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2011-2014 Marcello Coutinho <marcellocoutinho@gmail.com>
based on varnish_view_config.
All rights reserved.
@@ -42,13 +42,13 @@ function get_remote_log(){
$curr_time = time();
$log_time=date('YmdHis',$curr_time);
#get protocol
- if($config['system']['webgui']['protocol'] != "")
+ if($config['system']['webgui']['protocol'] != "")
$synchronizetoip = $config['system']['webgui']['protocol']. "://";
#get port
$port = $config['system']['webgui']['port'];
- #if port is empty lets rely on the protocol selection
+ #if port is empty lets rely on the protocol selection
if($port == "")
- $port =($config['system']['webgui']['protocol'] == "http"?"80":"443");
+ $port =($config['system']['webgui']['protocol'] == "http"?"80":"443");
$synchronizetoip .= $sync_to_ip;
if (is_array($config['installedpackages']['postfixsync']))
foreach($config['installedpackages']['postfixsync']['config'][0]['row'] as $sh){
@@ -59,7 +59,7 @@ function get_remote_log(){
#get remote data
if ($sync_type=='fetch'){
$url= $synchronizetoip . $sync_to_ip;
- print "$sync_to_ip $url, $port\n";
+ print "$sync_to_ip $url, $port\n";
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/www/postfix.php');\n";
$execcmd .= '$toreturn=get_sql('.$log_time.');';
@@ -93,7 +93,7 @@ function get_remote_log(){
die ("Cannot execute query. $error\n".$update['sql']."\n");
}
else{
- if ($debug=true)
+ if ($debug=true)
print "ok\n";
}
sqlite_close($dbhandle);
@@ -114,12 +114,12 @@ function get_remote_log(){
$resp = $cli->send($msg, "250");
}
}
- }
+ }
}
function get_sql($log_time){
global $config,$xmlrpc_g;
$server=$_SERVER['REMOTE_ADDR'];
-
+
if (is_array($config['installedpackages']['postfixsync']))
foreach($config['installedpackages']['postfixsync']['config'][0]['row'] as $sh){
$sync_to_ip = $sh['ipaddress'];
@@ -141,7 +141,7 @@ function flush_sql($log_time){
function grep_log(){
global $postfix_dir,$postfix_arg,$config,$g;
-
+
$total_lines=0;
$days=array();
$grep="\(MailScanner\|postfix.cleanup\|postfix.smtp\|postfix.error\|postfix.qmgr\)";
@@ -203,7 +203,7 @@ function grep_log(){
#Nov 16 00:00:14 srvch011 postfix/smtp[7363]: 7AEB91F797D: to=<alessandra.bueno@mg.test.com>, relay=mail.mg.test.com[172.25.3.5]:25, delay=39, delays=35/1.1/0.04/2.7, dsn=5.7.1, status=bounced (host mail.mg.test.com[172.25.3.5] said: 550 5.7.1 Unable to relay for alessandra.bueno@mg.test.com (in reply to RCPT TO command))
else if(preg_match("/(\w+\s+\d+\s+[0-9,:]+) (\w+) postfix.\w+\W\d+\W+(\w+): to=\<(.*)\>, relay=(.*), delay=([0-9,.]+), .* dsn=([0-9,.]+), status=(\w+) (.*)/",$line,$email)){
$stm_queue[$day].= "insert or ignore into mail_status (info) values ('".$email[8]."');\n";
- $stm_queue[$day].= "insert or ignore into mail_to (from_id,too,status,status_info,relay,delay,dsn) values ((select id from mail_from where sid='".$email[3]."' and server='".$email[2]."'),'".strtolower($email[4])."',(select id from mail_status where info='".$email[8]."'),'".preg_replace("/(\<|\>|\s+|\'|\")/"," ",$email[9])."','".$email[5]."','".$email[6]."','".$email[7]."');\n";
+ $stm_queue[$day].= "insert or ignore into mail_to (from_id,too,status,status_info,relay,delay,dsn) values ((select id from mail_from where sid='".$email[3]."' and server='".$email[2]."'),'".strtolower($email[4])."',(select id from mail_status where info='".$email[8]."'),'".preg_replace("/(\<|\>|\s+|\'|\")/"," ",$email[9])."','".$email[5]."','".$email[6]."','".$email[7]."');\n";
$stm_queue[$day].= "update or ignore mail_to set status=(select id from mail_status where info='".$email[8]."'), status_info='".preg_replace("/(\<|\>|\s+|\'|\")/"," ",$email[9])."', dsn='".$email[7]."', delay='".$email[6]."', relay='".$email[5]."', too='".strtolower($email[4])."' where from_id in (select id from mail_from where sid='".$email[3]."' and server='".$email[2]."');\n";
}
#Nov 13 01:48:44 srvch011 postfix/cleanup[16914]: D995B1F570B: message-id=<61.40.11745.10E3FBE4@ofertas6>
@@ -223,7 +223,7 @@ function grep_log(){
$stm_queue[$day].= "insert or ignore into mail_status (info) values ('".$email[8]."');\n";
$stm_queue[$day].= "update mail_to set status=(select id from mail_status where info='reject'), status_info='queue file size limit exceeded' where from_id in (select id from mail_from where sid='".$email[3]."' and server='".$email[2]."');\n";
}
-
+
#Nov 9 02:14:57 srvch011 postfix/cleanup[6856]: 617A51F5AC5: warning: header Subject: Mapeamento de Processos from lxalpha.12b.com.br[66.109.29.225]; from=<apache@lxalpha.12b.com.br> to=<ritiele.faria@mail.test.com> proto=ESMTP helo=<lxalpha.12b.com.br>
#Nov 8 09:31:50 srvch011 postfix/cleanup[11471]: 19C281F59C8: reject: header From: "Giuliana Flores - Parceiro do Grupo Virtual" <publicidade@parceiro-grupovirtual.com.br> from pm03-974.auinmeio.com.br[177.70.232.225]; from=<publicidade@parceiro-grupovirtual.com.br> to=<jorge.lustosa@mail.test.com> proto=ESMTP helo=<pm03-974.auinmeio.com.br>: 5.7.1 [SN007]
#Nov 13 00:03:24 srvch011 postfix/cleanup[4192]: 8A5B31F52D2: reject: body http://platform.roastcrack.info/mj0ie6p-48qtiyq from move2.igloojack.info[173.239.63.16]; from=<ljmd6u8lrxke4@move2.igloojack.info> to=<edileva@aasdf..br> proto=SMTP helo=<move2.igloojack.info>: 5.7.1 [BD040]
@@ -271,9 +271,9 @@ function grep_log(){
$status['status_info']=$email[4];
$status['from']=$email[5];
$status['to']=$email[6];
- $status['helo']=$email[7];
+ $status['helo']=$email[7];
$values="'".$status['date']."','".$status['status']."','".$status['status_info']."','".strtolower($status['from'])."','".strtolower($status['to'])."','".$status['helo']."','".$status['server']."'";
- $stm_noqueue[$day].='insert or ignore into mail_noqueue(date,status,status_info,fromm,too,helo,server) values ('.$values.');'."\n";
+ $stm_noqueue[$day].='insert or ignore into mail_noqueue(date,status,status_info,fromm,too,helo,server) values ('.$values.');'."\n";
}
if ($total_lines%1500 == 0){
#save log in database
@@ -295,7 +295,7 @@ function grep_log(){
$stm_queue[$d]="BEGIN;\n";
}
}
-
+
$config=parse_xml_config("{$g['conf_path']}/config.xml", $g['xml_rootobj']);
//print count($config['installedpackages']);
#start db replication if configured
@@ -310,7 +310,7 @@ function grep_log(){
postfix_do_xmlrpc_sync($sync_to_ip, $password,$sync_type);
print "ok\n";
}
-
+
}
function write_db($stm,$table,$days){
@@ -341,7 +341,7 @@ function write_db($stm,$table,$days){
if ($debug=true)
print " writing to local db $day...";
$dbhandle = sqlite_open($postfix_dir.$day.".db", 0666, $error);
- if (!$dbhandle) die ($error);
+ if (!$dbhandle) die ($error);
#file_put_contents("/tmp/".$key.'-'.$update['day'].".sql",gzuncompress(base64_decode($update['sql'])), LOCK_EX);
$ok = sqlite_exec($dbhandle, $stm[$day]."COMMIT;", $error);
if (!$ok){
@@ -356,13 +356,13 @@ function write_db($stm,$table,$days){
}
#write update sql files
if (count ($do_sync) > 0 ){
-
+
foreach($do_sync as $ip)
file_put_contents('/var/db/postfix/'.$ip.'.sql',${$ip},LOCK_EX);
conf_mount_ro();
}
#write local file
-
+
}
function create_db($postfix_db){
@@ -513,14 +513,14 @@ switch ($argv[1]){
'12:','13:','14:','15:','16:','17:','18:','19:','20:','21:','22:','23:'),
'time' => '-03 day');
break;
-
+
default:
die ("invalid parameters\n");
}
# get remote log from remote server
get_remote_log();
# get local log from logfile
-grep_log();
+grep_log();
}
#http client call
@@ -540,7 +540,7 @@ if ($_REQUEST['files']!= ""){
$stm_fetch=array();
$total_result=0;
foreach ($files as $postfix_db)
- if (file_exists($postfix_dir.'/'.$postfix_db)){
+ if (file_exists($postfix_dir.'/'.$postfix_db)){
$dbhandle = sqlite_open($postfix_dir.'/'.$postfix_db, 0666, $error);
if ($_REQUEST['from']!= ""){
$next=($last_next==" and "?" and ":" where ");
@@ -595,7 +595,7 @@ if ($_REQUEST['files']!= ""){
else
$stm .=$next."server = '".$_REQUEST['server']."'";
}
-
+
if ($_REQUEST['status']!= ""){
$next=($last_next==" and "?" and ":" where ");
$last_next=" and ";
@@ -604,7 +604,7 @@ if ($_REQUEST['files']!= ""){
#print "<pre>".$stm;
#$stm = "select * from mail_to,mail_status where mail_to.status=mail_status.id";
$result = sqlite_query($dbhandle, $stm." order by date desc $limit_prefix $limit ");
- #$result = sqlite_query($dbhandle, $stm." $limit_prefix $limit ");
+ #$result = sqlite_query($dbhandle, $stm." $limit_prefix $limit ");
if (preg_match("/\d+/",$_REQUEST['limit'])){
for ($i = 1; $i <= $limit; $i++) {
$row = sqlite_fetch_array($result, SQLITE_ASSOC);
@@ -744,8 +744,8 @@ if ($_REQUEST['files']!= ""){
print '<tr>';
print '<td ><strong>Total:</strong></td>';
print '<td ><strong>'.$total_result.'</strong></td>';
- print '</tr>';
+ print '</tr>';
print '</table>';
- }
+ }
}
?> \ No newline at end of file
diff --git a/config/postfix/postfix.widget.php b/config/postfix/postfix.widget.php
index b7fc7af9..e61274b9 100755
--- a/config/postfix/postfix.widget.php
+++ b/config/postfix/postfix.widget.php
@@ -1,6 +1,7 @@
-<?php
+<?php
/*
- Copyright 2011 Marcello Coutinho
+ postfix.widget.php
+ Copyright 2011-2014 Marcello Coutinho
Part of pfSense widgets (www.pfsense.org)
Redistribution and use in source and binary forms, with or without
@@ -31,7 +32,7 @@
$uname=posix_uname();
if ($uname['machine']=='amd64')
ini_set('memory_limit', '250M');
-
+
function open_table(){
echo "<table style=\"padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">";
echo" <tr>";
@@ -39,7 +40,7 @@ function open_table(){
function close_table(){
echo" </tr>";
echo"</table>";
-
+
}
$pfb_table=array();
@@ -49,20 +50,20 @@ $img['Healthy']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up
#var_dump($pfb_table);
#exit;
-?><div id='postfix'><?php
+?><div id='postfix'><?php
global $config;
$size=$config['installedpackages']['postfix']['config'][0]['widget_size'];
if (preg_match('/\d+/',$config['installedpackages']['postfix']['config'][0]['widget_days']))
- $days=$config['installedpackages']['postfix']['config'][0]['widget_days'] * -1;
+ $days=$config['installedpackages']['postfix']['config'][0]['widget_days'] * -1;
else
$days=-3;
if (preg_match('/\d+/',$config['installedpackages']['postfix']['config'][0]['widget_size']))
- $size=$config['installedpackages']['postfix']['config'][0]['widget_size'];
+ $size=$config['installedpackages']['postfix']['config'][0]['widget_size'];
else
$size='100000000';#100mb
-
+
$postfix_dir="/var/db/postfix/";
$curr_time = time();
for ($z = 0; $z > $days; $z--){
@@ -71,7 +72,7 @@ if ($z==0)
$postfix_db=date("Y-m-d");
else
$postfix_db=date("Y-m-d",strtotime("$z day",$curr_time));
-
+
if (file_exists($postfix_dir.'/'.$postfix_db.".db")){
#noqueue
open_table();
@@ -83,7 +84,7 @@ if (file_exists($postfix_dir.'/'.$postfix_db.".db")){
$stm="select count(*) as total from mail_noqueue";
$result = sqlite_query($dbhandle, $stm);
$row_noqueue = sqlite_fetch_array($result, SQLITE_ASSOC);
-
+
#queue
$result = sqlite_query($dbhandle, $stm);
$stm="select mail_status.info as status,count(*) as total from mail_to,mail_status where mail_to.status=mail_status.id group by status order by mail_status.info";
@@ -96,7 +97,7 @@ if (file_exists($postfix_dir.'/'.$postfix_db.".db")){
if (preg_match("/\w+/",$row['status'])){
$reader.="<td class=\"listlr\"width=50%><strong>".ucfirst($row['status'])."</strong></td>\n";
if ($row['status']=="reject")
- $row['total']=+$row_noqueue['total'];
+ $row['total']=+$row_noqueue['total'];
$count.="<td class=\"listlr\">".$row['total']."</td>\n";
}
}
@@ -111,7 +112,7 @@ if (file_exists($postfix_dir.'/'.$postfix_db.".db")){
}
close_table();
echo "<br>";
-
+
}
}
echo" </tr>";
diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml
index 46233828..8e70fd7a 100644
--- a/config/postfix/postfix.xml
+++ b/config/postfix/postfix.xml
@@ -10,7 +10,7 @@
postfix.xml
part of the Postfix package for pfSense
Copyright (C) 2010 Erik Fonnesbeck
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
diff --git a/config/postfix/postfix_about.php b/config/postfix/postfix_about.php
index 87d0cf69..397c8e06 100755
--- a/config/postfix/postfix_about.php
+++ b/config/postfix/postfix_about.php
@@ -2,7 +2,7 @@
/*
postfix_about.php
part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2011-2014 Marcello Coutinho <marcellocoutinho@gmail.com>
based on varnish_view_config.
All rights reserved.
@@ -48,7 +48,7 @@ include("head.inc");
<?php if ($savemsg) print_info_box($savemsg); ?>
<!-- <form action="postfix_view_config.php" method="post"> -->
-
+
<div id="mainlevel">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
@@ -68,7 +68,7 @@ include("head.inc");
?>
</td></tr>
<tr>
-
+
<td>
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="8" cellspacing="0">
@@ -86,11 +86,11 @@ include("head.inc");
If you want that your donation goes to this package developer, make a note on donation forwarding it to me.<br><br>");?></td>
</tr>
</table>
-
+
</div>
</td>
</tr>
-
+
</table>
<br>
diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml
index 60b23a22..8df5255e 100644
--- a/config/postfix/postfix_acl.xml
+++ b/config/postfix/postfix_acl.xml
@@ -9,7 +9,7 @@
/*
postfix.xml
part of the Postfix package for pfSense
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
diff --git a/config/postfix/postfix_antispam.xml b/config/postfix/postfix_antispam.xml
index 6c3f5911..9d55e47e 100644
--- a/config/postfix/postfix_antispam.xml
+++ b/config/postfix/postfix_antispam.xml
@@ -7,9 +7,9 @@
/* $Id$ */
/* ========================================================================== */
/*
- postfix.xml
+ postfix_antispam.xml
part of the Postfix package for pfSense
- Copyright (C) 2011 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
diff --git a/config/postfix/postfix_domains.xml b/config/postfix/postfix_domains.xml
index 539ef60e..ea19297d 100644
--- a/config/postfix/postfix_domains.xml
+++ b/config/postfix/postfix_domains.xml
@@ -7,10 +7,10 @@
/* $Id$ */
/* ========================================================================== */
/*
- postfix.xml
+ postfix_domains.xml
part of the Postfix package for pfSense
Copyright (C) 2010 Erik Fonnesbeck
- Copyright (C) 2011 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
diff --git a/config/postfix/postfix_queue.php b/config/postfix/postfix_queue.php
index 7afd8fe7..1db2b8e2 100755
--- a/config/postfix/postfix_queue.php
+++ b/config/postfix/postfix_queue.php
@@ -2,7 +2,7 @@
/*
postfix_view_config.php
part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2011-2014 Marcello Coutinho <marcellocoutinho@gmail.com>
based on varnish_view_config.
All rights reserved.
@@ -34,12 +34,11 @@ $uname=posix_uname();
if ($uname['machine']=='amd64')
ini_set('memory_limit', '250M');
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version > 2.0)
+if (is_dir('/usr/pbi/postfix-' . php_uname("m"))) {
define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m"));
-else
- define('POSTFIX_LOCALBASE','/usr/local');
-
+} else {
+ define('POSTFIX_LOCALBASE','/usr/local');
+}
function get_cmd(){
if ($_REQUEST['cmd'] =='mailq'){
#exec("/usr/local/bin/mailq" . escapeshellarg('^'.$m.$j." ".$hour.".*".$grep)." /var/log/maillog", $lists);
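Review bot: The new POSTFIX_LOCALBASE detection block is duplicated verbatim in postfix_view_config.php (the hunk at its lines 29–35), and neither copy is guarded with `defined()`, so if postfix.inc (also touched by this commit) defines the same constant and is ever loaded alongside one of these pages, PHP would emit a redefinition notice. Moving the `is_dir('/usr/pbi/postfix-' . php_uname("m"))` probe into one shared helper, or at least wrapping each copy as `if (!defined('POSTFIX_LOCALBASE')) { ... }`, keeps the two pages from drifting. The `$uname['machine']` value from `posix_uname()` two lines above should carry the same machine string, so it could be reused instead of a second `php_uname("m")` call. The file continues outside this hunk.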
@@ -67,13 +66,13 @@ function get_cmd(){
elseif (preg_match("/\s+(\w+.*)/",$line,$matches) && $sid !=""){
print $td.$matches[1].'</td></tr>';
$sid="";
- }
+ }
}
print '</table>';
}
if ($_REQUEST['cmd'] =='qshape'){
if ($_REQUEST['qshape']!="")
- exec(POSTFIX_LOCALBASE."/bin/qshape -".preg_replace("/\W/","",$_REQUEST['type'])." ". preg_replace("/\W/","",$_REQUEST['qshape']), $qshape);
+ exec(POSTFIX_LOCALBASE."/bin/qshape -".preg_replace("/\W/","",$_REQUEST['type'])." ". preg_replace("/\W/","",$_REQUEST['qshape']), $qshape);
else
exec(POSTFIX_LOCALBASE."/bin/qshape", $qshape);
print '<table class="tabcont" width="100%" border="0" cellpadding="8" cellspacing="0">';
@@ -107,22 +106,22 @@ else{
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
if ($pf_version < 2.0)
$one_two = true;
-
+
$pgtitle = "Status: Postfix Mail Queue";
include("head.inc");
-
+
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-
+
<?php if($one_two): ?>
<p class="pgtitle"><?=$pgtitle?></font></p>
<?php endif; ?>
-
+
<?php if ($savemsg) print_info_box($savemsg); ?>
-
+
<form action="postfix_view_config.php" method="post">
-
+
<div id="mainlevel">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
@@ -167,7 +166,7 @@ else{
<option value="1" selected>Never</option>
</select><br><?=gettext("Select how often queue cmd will run.");?></td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("qshape Report flags: ");?></td>
<td width="78%" class="vtable">
<select name="drop3" id="qshape" multiple="multiple" size="5">
@@ -178,7 +177,7 @@ else{
<option value="maildrop">maildrop</option>
</select><br><?=gettext("Select how often queue will be queried.");?></td>
</tr>
- <tr>
+ <tr>
<td width="22%" valign="top" class="vncell"><?=gettext("qshape Report type: ");?></td>
<td width="78%" class="vtable">
<select name="drop3" id="qtype">
@@ -201,7 +200,7 @@ else{
<tr>
<td class="tabcont" >
<div id="file_div"></div>
-
+
</td>
</tr>
</table>
@@ -223,7 +222,7 @@ else{
}
return(selectedArray);
}
-
+
function get_queue(loop) {
//prevent multiple instances
if ($('run').value=="show queue" || loop== 'running'){
@@ -255,7 +254,7 @@ else{
}
}
</script>
- <?php
+ <?php
include("fend.inc");
}
?>
diff --git a/config/postfix/postfix_recipients.xml b/config/postfix/postfix_recipients.xml
index d8f9707e..946bd79f 100644
--- a/config/postfix/postfix_recipients.xml
+++ b/config/postfix/postfix_recipients.xml
@@ -9,7 +9,7 @@
/*
postfix_recipients.xml
part of the Postfix package for pfSense
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
diff --git a/config/postfix/postfix_search.php b/config/postfix/postfix_search.php
index c29d8cf2..5e146269 100755
--- a/config/postfix/postfix_search.php
+++ b/config/postfix/postfix_search.php
@@ -2,7 +2,7 @@
/*
postfix_search.php
part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2011-2014 Marcello Coutinho <marcellocoutinho@gmail.com>
based on varnish_view_config.
All rights reserved.
@@ -52,7 +52,7 @@ include("head.inc");
<?php if ($savemsg) print_info_box($savemsg); ?>
<!-- <form action="postfix_view_config.php" method="post"> -->
-
+
<div id="mainlevel">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
@@ -72,7 +72,7 @@ include("head.inc");
?>
</td></tr>
<tr>
-
+
<td>
<div id="mainarea">
<table class="tabcont" width="100%" border="0" cellpadding="8" cellspacing="0">
@@ -151,7 +151,7 @@ include("head.inc");
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Sqlite files: ");?></td>
<td width="78%" class="vtable">
-
+
<?php if ($handle = opendir('/var/db/postfix')) {
$total_files=0;
$array_files=array();
@@ -159,14 +159,14 @@ include("head.inc");
if (preg_match("/(\d+-\d+-\d+).db$/",$file,$matches))
$array_files[]=array($file,$matches[1]);
closedir($handle);
- asort($array_files);
+ asort($array_files);
foreach ($array_files as $file)
$select_output= '<option value="'.$file[0].'">'.$file[1]."</option>\n" . $select_output;
-
+
echo '<select name="drop1" id="Select1" size="'.(count($array_files)>10?10:count($array_files)+2).'" multiple="multiple">';
echo $select_output;
echo '</select><br>'.gettext("Select what database files you want to use in your search.").'</td></td>';
- }?>
+ }?>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?=gettext("Message Fields: ");?></td>
@@ -188,17 +188,17 @@ include("head.inc");
<option value="helo">Helo</option>
</select><br><?=gettext("Max log messages to fetch per Sqlite file.");?></td>
</tr>
-
+
<tr>
<td width="22%" valign="top"></td>
<td width="78%"><input name="Submit" type="submit" class="formbtn" id="search" value="<?=gettext("Search");?>" onclick="getsearch_results('search')">
&nbsp;<input name="Submit" type="submit" class="formbtn" id="export" value="<?=gettext("Export");?>" onclick="getsearch_results('export')"></td>
</table>
-
+
</div>
</td>
</tr>
-
+
</table>
<br>
diff --git a/config/postfix/postfix_sync.xml b/config/postfix/postfix_sync.xml
index 97a88e2c..727305ff 100644
--- a/config/postfix/postfix_sync.xml
+++ b/config/postfix/postfix_sync.xml
@@ -9,7 +9,7 @@
/*
postfix_sync.xml
part of the Postfix package for pfSense
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
diff --git a/config/postfix/postfix_view_config.php b/config/postfix/postfix_view_config.php
index 24bfd575..a844ce65 100644
--- a/config/postfix/postfix_view_config.php
+++ b/config/postfix/postfix_view_config.php
@@ -2,7 +2,7 @@
/*
postfix_view_config.php
part of pfSense (https://www.pfsense.org/)
- Copyright (C) 2011-2013 Marcello Coutinho <marcellocoutinho@gmail.com>
+ Copyright (C) 2011-2014 Marcello Coutinho <marcellocoutinho@gmail.com>
based on varnish_view_config.
All rights reserved.
@@ -29,12 +29,12 @@
*/
$shortcut_section = "postfix";
require("guiconfig.inc");
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version > 2.0)
+if (is_dir('/usr/pbi/postfix-' . php_uname("m"))) {
define('POSTFIX_LOCALBASE', '/usr/pbi/postfix-' . php_uname("m"));
-else
- define('POSTFIX_LOCALBASE','/usr/local');
-
+} else {
+ define('POSTFIX_LOCALBASE','/usr/local');
+}
+
function get_file($file){
$files['main']=POSTFIX_LOCALBASE."/etc/postfix/main.cf";
$files['master']=POSTFIX_LOCALBASE."/etc/postfix/master.cf";
@@ -59,22 +59,22 @@ else{
$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
if ($pf_version < 2.0)
$one_two = true;
-
+
$pgtitle = "Services: Postfix View Configuration";
include("head.inc");
-
+
?>
<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
<?php include("fbegin.inc"); ?>
-
+
<?php if($one_two): ?>
<p class="pgtitle"><?=$pgtitle?></font></p>
<?php endif; ?>
-
+
<?php if ($savemsg) print_info_box($savemsg); ?>
-
+
<form action="postfix_view_config.php" method="post">
-
+
<div id="mainlevel">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
@@ -117,7 +117,7 @@ else{
<tr>
<td class="tabcont" >
<div id="file_div"></div>
-
+
</td>
</tr>
</table>
@@ -153,8 +153,8 @@ else{
scroll(0,0);
}
</script>
- <?php
- include("fend.inc");
+ <?php
+ include("fend.inc");
}
?>
</body>
diff --git a/config/sarg/sarg_schedule.xml b/config/sarg/sarg_schedule.xml
index 6080e530..5123d786 100644
--- a/config/sarg/sarg_schedule.xml
+++ b/config/sarg/sarg_schedule.xml
@@ -144,7 +144,7 @@
To force sarg to create a report only for specific days, use:<br>
<b>TODAY:</b>&nbsp;&nbsp;-d `date +%d/%m/%Y`<br>
<b>YESTERDAY:</b>&nbsp;&nbsp;-d `date -v-1d +%d/%m/%Y`<br>
- <b>WEEKAGO:</b>&nbsp;&nbsp;-d `date -v-1w +%d/%m/%Y`- `date -v-1d +%d/%m/%Y`<br>
+ <b>WEEKAGO:</b>&nbsp;&nbsp;-d `date -v-1w +%d/%m/%Y`-`date -v-1d +%d/%m/%Y`<br>
<b>MONTHAGO:</b>&nbsp;&nbsp;-d `date -v-1m +01/%m/%Y`-`date -v-1m +31/%m/%Y`]]></description>
<type>input</type>
<size>50</size>
diff --git a/config/snort/snort.inc b/config/snort/snort.inc
index 5c113d27..ed1e64be 100755
--- a/config/snort/snort.inc
+++ b/config/snort/snort.inc
@@ -36,9 +36,8 @@ require_once("config.inc");
require_once("functions.inc");
require_once("service-utils.inc");
require_once("pkg-utils.inc");
-
-// Needed on 2.0 because of filter_get_vpns_list()
require_once("filter.inc");
+require("/usr/local/pkg/snort/snort_defs.inc");
// Snort GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "256M");
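Review bot: The added `require("/usr/local/pkg/snort/snort_defs.inc");` is the only plain `require` in this preamble; every other include on the surrounding lines uses `require_once`. `SNORT_PBI_BINDIR`, used in the next hunk, is not defined in this file's visible lines and presumably comes from snort_defs.inc, so if that file carries `define()` calls or functions and this include is loaded from more than one page, the second load would re-run the defines (notices) or fatally re-declare functions. Use `require_once("/usr/local/pkg/snort/snort_defs.inc");` for consistency with the lines above. A one-line comment such as `// Snort path and filename constants (SNORT_PBI_BINDIR etc.)` would also replace the explanatory comment this hunk removes.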
@@ -48,47 +47,12 @@ global $g, $config, $rebuild_rules, $pfSense_snort_version;
// Grab the Snort binary version programmatically, but if that fails use a safe default
$snortver = array();
-exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
-
-/* Used to indicate latest version of this include file has been loaded */
-$pfSense_snort_version = "3.1.5";
+$snortbindir = SNORT_PBI_BINDIR;
+exec("{$snortbindir}snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
/* get installed package version for display */
$snort_package_version = "Snort {$config['installedpackages']['package'][get_pkg_id("snort")]['version']}";
-// Define SNORTDIR and SNORTLIBDIR constants according to pfSense version
-$pfs_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pfs_version >= 2.2) {
- define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/local/etc/snort");
- define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/local/lib/snort");
-}
-else {
- define("SNORTDIR", "/usr/pbi/snort-" . php_uname("m") . "/etc/snort");
- define("SNORTLIBDIR", "/usr/pbi/snort-" . php_uname("m") . "/lib/snort");
-}
-
-/* Define some useful constants for Snort */
-/* Be sure to include trailing slash on the URL defines */
-define("SNORTLOGDIR", "{$g['varlog_path']}/snort");
-define("SNORT_BIN_VERSION", "2.9.6.2");
-define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
-define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
-define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
-define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
-if (!defined("FLOWBITS_FILENAME"))
- define("FLOWBITS_FILENAME", "flowbit-required.rules");
-if (!defined("VRT_FILE_PREFIX"))
- define("VRT_FILE_PREFIX", "snort_");
-if (!defined("GPL_FILE_PREFIX"))
- define("GPL_FILE_PREFIX", "GPLv2_");
-if (!defined("ET_OPEN_FILE_PREFIX"))
- define("ET_OPEN_FILE_PREFIX", "emerging-");
-if (!defined("ET_PRO_FILE_PREFIX"))
- define("ET_PRO_FILE_PREFIX", "etpro-");
-
/* Rebuild Rules Flag -- if "true", rebuild enforcing rules and flowbit-rules files */
$rebuild_rules = false;
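Review bot: The new `"{$snortbindir}snort -V ..."` concatenation only works if SNORT_PBI_BINDIR ends with a trailing slash, and the same assumption is made in snort_barnyard_start, snort_start and snort_create_rc; the comment that used to say so ("Be sure to include trailing slash") is removed here along with the defines. A short reminder next to the assignment keeps the contract visible: `// SNORT_PBI_BINDIR must carry a trailing slash; it is concatenated directly with the binary name`. Separately, `$pfSense_snort_version` is still declared in the `global` statement shown in the hunk header but its assignment is removed; unless snort_defs.inc now sets it, anything that reads it gets undef.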
@@ -599,13 +563,14 @@ function snort_barnyard_start($snortcfg, $if_real, $background=FALSE) {
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
+ $snortbindir = SNORT_PBI_BINDIR;
if ($snortcfg['barnyard_enable'] == 'on' && !isvalidpid("{$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Barnyard2 START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
if ($background)
- mwexec_bg("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
+ mwexec_bg("{$snortbindir}barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
else
- mwexec("/usr/local/bin/barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
+ mwexec("{$snortbindir}barnyard2 -r {$snort_uuid} -f \"snort_{$snort_uuid}_{$if_real}.u2\" --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q");
}
}
@@ -615,13 +580,19 @@ function snort_start($snortcfg, $if_real, $background=FALSE) {
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
$snort_uuid = $snortcfg['uuid'];
+ $snortbindir = SNORT_PBI_BINDIR;
+
+ if ($config['installedpackages']['snortglobal']['verbose_logging'] == "on")
+ $quiet = "";
+ else
+ $quiet = "-q --suppress-config-log";
if ($snortcfg['enable'] == 'on' && !isvalidpid("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) {
log_error("[Snort] Snort START for " . convert_real_interface_to_friendly_descr($if_real) . "({$if_real})...");
if ($background)
- mwexec_bg("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ mwexec_bg("{$snortbindir}snort -R {$snort_uuid} -D {$quiet} -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
else
- mwexec("/usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
+ mwexec("{$snortbindir}snort -R {$snort_uuid} -D {$quiet} -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}");
snort_barnyard_start($snortcfg, $if_real, $background);
}
}
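Review bot: The verbose_logging test that builds `$quiet` is duplicated verbatim between snort_start here and snort_create_rc further down, so a later change to the flag set has to be made twice. A small helper keeps both call sites to one line, `$quiet = snort_get_quiet_flags();`. Note also that snort_start's signature and any `global` declaration are outside the hunk; if the function does not already declare `global $config`, the new `$config['installedpackages']...` read is an undefined local.
```php
// Returns the Snort command-line flags that suppress startup chatter, or "" when
// verbose startup logging is enabled in the global settings.
function snort_get_quiet_flags() {
	global $config;
	if ($config['installedpackages']['snortglobal']['verbose_logging'] == "on")
		return "";
	return "-q --suppress-config-log";
}

// … unchanged: snort_start up to the $snortbindir assignment …
	$quiet = snort_get_quiet_flags();
// … unchanged: pid check and mwexec/mwexec_bg calls …
```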
@@ -2735,11 +2706,12 @@ function snort_load_sid_mods($sids) {
if (preg_match('/(\d+)\s*:\s*(\d+)/', $v, $match)) {
if (!is_array($result[$match[1]]))
$result[$match[1]] = array();
+ if (!is_array($result[$match[1]][$match[2]]))
+ $result[$match[1]][$match[2]] = array();
$result[$match[1]][$match[2]] = "{$match[1]}:{$match[2]}";
}
}
unset($tmp);
-
return $result;
}
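Review bot: The two added lines initialise `$result[$match[1]][$match[2]]` to an array, but the very next (unchanged) line overwrites that slot with the string `"{$match[1]}:{$match[2]}"`, so the guard and the `array()` assignment are dead code. Either the initialisation should be dropped, or, if a list of entries per SID was intended, the following line needs to append with `$result[$match[1]][$match[2]][] = "{$match[1]}:{$match[2]}";` instead of assigning. The start of snort_load_sid_mods is outside the hunk.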
@@ -2804,6 +2776,7 @@ function snort_create_rc() {
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
+ $snortbindir = SNORT_PBI_BINDIR;
$rcdir = RCFILEPREFIX;
$snortconf = $config['installedpackages']['snortglobal']['rule'];
@@ -2814,6 +2787,12 @@ function snort_create_rc() {
return;
}
+ // See whether or not to enable detailed startup logging
+ if ($config['installedpackages']['snortglobal']['verbose_logging'] == "on")
+ $quiet = "";
+ else
+ $quiet = "-q --suppress-config-log";
+
// At least one interface is configured, so OK
$start_snort_iface_start = array();
$start_snort_iface_stop = array();
@@ -2837,7 +2816,7 @@ function snort_create_rc() {
fi
if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Barnyard2 START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q > /dev/null 2>&1
+ {$snortbindir}barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d {$snortlogdir}/snort_{$if_real}{$snort_uuid} -D -q > /dev/null 2>&1
fi
EOE;
$stop_barnyard2 = <<<EOE
@@ -2888,7 +2867,7 @@ EOE;
if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SnortStartup "Snort START for {$value['descr']}({$snort_uuid}_{$if_real})..."
- /usr/local/bin/snort -R {$snort_uuid} -D -q -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} > /dev/null 2>&1
+ {$snortbindir}snort -R {$snort_uuid} -D {$quiet} -l {$snortlogdir}/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real} > /dev/null 2>&1
fi
{$start_barnyard2}
@@ -3106,7 +3085,7 @@ function snort_deinstall() {
global $config, $g;
$snortdir = SNORTDIR;
- $snortlibdir = SNORTLIBDIR;
+ $snortlibdir = "/usr/pbi/snort-" . php_uname("m") . "/lib";
$snortlogdir = SNORTLOGDIR;
$rcdir = RCFILEPREFIX;
$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
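Review bot: `$snortlibdir` is now computed three different ways in this commit: hard-coded as `"/usr/pbi/snort-" . php_uname("m") . "/lib"` here in snort_deinstall and again in snort_check_for_rule_updates.php, but as `SNORT_PBI_BASEDIR . "lib"` in snort_generate_conf. If the PBI base path ever changes, the two hard-coded copies will silently point at the wrong tree. Using `$snortlibdir = SNORT_PBI_BASEDIR . "lib";` in all three places keeps them in step (assuming SNORT_PBI_BASEDIR carries the trailing slash that the concatenation in snort_generate_conf relies on).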
@@ -3205,6 +3184,8 @@ function snort_deinstall() {
rmdir_recursive("/usr/local/www/snort");
rmdir_recursive("/usr/local/etc/snort");
rmdir_recursive("/usr/local/lib/snort");
+ rmdir_recursive("/usr/local/lib/snort_dynamicengine");
+ rmdir_recursive("/usr/local/lib/snort_dynamicpreprocessor");
}
/* Keep this as a last step */
@@ -3518,10 +3499,9 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa
* Format of array is: *
* "rule_option" => "dependent_preprocessor" *
* *
- * Last Update: 04/05/2013 *
+ * Last Update: 10/30/2014 *
* *
- * Added: http_inspect content modifiers and *
- * various "service" metadata values. *
+ * Added: appid: detection option *
* *
***************************************************/
$rule_opts_preprocs = array("ssl_version:" => "ssl_preproc","ssl_state:" => "ssl_preproc",
@@ -3544,7 +3524,8 @@ function snort_filter_preproc_rules($snortcfg, &$active_rules, $persist_log = fa
"uricontent:" => "http_inspect", "urilen:" => "http_inspect",
"http_encode;" => "http_inspect", "service http" => "http_inspect",
"service imap" => "imap_preproc", "service pop2" => "pop_preproc",
- "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor");
+ "service pop3" => "pop_preproc", "service smtp" => "smtp_preprocessor",
+ "appid:" => "appid_preproc" );
/***************************************************
* Iterate the enabled rules, and check for rule *
@@ -3650,7 +3631,7 @@ function snort_generate_conf($snortcfg) {
return;
$snortdir = SNORTDIR;
- $snortlibdir = SNORTLIBDIR;
+ $snortlibdir = SNORT_PBI_BASEDIR . "lib";
$snortlogdir = SNORTLOGDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
$snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
diff --git a/config/snort/snort.priv.inc b/config/snort/snort.priv.inc
index 1af0e783..928ecb52 100644
--- a/config/snort/snort.priv.inc
+++ b/config/snort/snort.priv.inc
@@ -11,6 +11,7 @@ $priv_list['page-services-snort']['match'][] = "snort/snort_barnyard.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_blocked.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_check_for_rule_updates.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_define_servers.php*";
+$priv_list['page-services-snort']['match'][] = "snort/snort_defs.inc*";
$priv_list['page-services-snort']['match'][] = "snort/snort_download_rules.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_download_updates.php*";
$priv_list['page-services-snort']['match'][] = "snort/snort_edit_hat_data.php*";
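Review bot: The new `snort/snort_defs.inc*` match entry grants the page privilege for a path that, per the snort.xml hunk, is installed under `/usr/local/pkg/snort/`, not under the web root, so there is no page for the privilege to apply to. If the entry is only meant to mirror the file list, a comment saying so would stop the next reader from assuming the include is web-reachable; otherwise it can be dropped.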
diff --git a/config/snort/snort.xml b/config/snort/snort.xml
index 91d42532..fd0a8d41 100755
--- a/config/snort/snort.xml
+++ b/config/snort/snort.xml
@@ -46,8 +46,8 @@
<requirements>None</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>Snort</name>
- <version>2.9.6.2</version>
- <title>Services:2.9.6.2 pkg v3.1.5</title>
+ <version>2.9.7.0</version>
+ <title>Services:2.9.7.0 pkg v3.2.1</title>
<include_file>/usr/local/pkg/snort/snort.inc</include_file>
<menu>
<name>Snort</name>
@@ -129,6 +129,11 @@
<item>https://packages.pfsense.org/packages/config/snort/snort_check_for_rule_updates.php</item>
</additional_files_needed>
<additional_files_needed>
+ <prefix>/usr/local/pkg/snort/</prefix>
+ <chmod>077</chmod>
+ <item>https://packages.pfsense.org/packages/config/snort/snort_defs.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/snort/</prefix>
<chmod>077</chmod>
<item>https://packages.pfsense.org/packages/config/snort/snort_interfaces.php</item>
diff --git a/config/snort/snort_check_cron_misc.inc b/config/snort/snort_check_cron_misc.inc
index b39d8d1c..a2688b58 100644
--- a/config/snort/snort_check_cron_misc.inc
+++ b/config/snort/snort_check_cron_misc.inc
@@ -75,16 +75,21 @@ function snort_check_dir_size_limit($snortloglimitsize) {
@file_put_contents("{$snort_log_dir}/alert", "");
}
- // Cleanup any rotated perfmon stats logs
+ // Cleanup any perfmon stats logs
$files = array();
$list = glob("{$snort_log_dir}/*");
foreach ($list as $file) {
- if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/', basename($file), $matches))
+ if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.\d+]*)/', basename($file), $matches))
$files[] = $snort_log_dir . "/" . $matches[1];
}
foreach ($files as $file)
unlink_if_exists($file);
+ // Cleanup any AppID stats logs
+ $files = glob("{$snort_log_dir}/appid-stats.log.*");
+ foreach ($files as $file)
+ unlink_if_exists($file);
+
// This is needed if snort is run as snort user
mwexec('/bin/chmod 660 {$snort_log_dir}/*', true);
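Review bot: In the rewritten pattern `'/(^\d{4}-\d{2}-\d{2}[\.\d+]*)/'` the `+` sits inside a bracket expression, where it is a literal character, so the class matches dots, digits and literal plus signs in any order rather than an optional `.NNN` suffix; the same pattern is used in the second perfmon-cleanup hunk below. If the intent is a date optionally followed by one or more dotted numeric suffixes, `'/(^\d{4}-\d{2}-\d{2}(?:\.\d+)*)/'` says that exactly. The enclosing function snort_check_dir_size_limit begins outside the hunk.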
@@ -214,7 +219,7 @@ if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') {
$files = array();
$list = glob("{$snort_log_dir}/*");
foreach ($list as $file) {
- if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.]?[\d+]?)/', basename($file), $matches))
+ if (preg_match('/(^\d{4}-\d{2}-\d{2}[\.\d+]*)/', basename($file), $matches))
$files[] = $snort_log_dir . "/" . $matches[1];
}
$prune_count = 0;
@@ -228,6 +233,22 @@ if ($config['installedpackages']['snortglobal']['enable_log_mgmt'] == 'on') {
if ($prune_count > 0)
log_error(gettext("[Snort] perfmon stats logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/..."));
}
+
+ // Prune any aged-out AppID stats logs if any exist
+ if ($value['appid_stats_log_retention'] > 0) {
+ $now = time();
+ $files = glob("{$snort_log_dir}/app-stats.log.*");
+ $prune_count = 0;
+ foreach ($files as $f) {
+ if (($now - filemtime($f)) > ($value['appid_stats_log_retention'] * 3600)) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
+ }
+ unset($files);
+ if ($prune_count > 0)
+ log_error(gettext("[Snort] AppID stats logs cleanup job removed {$prune_count} file(s) from {$snort_log_dir}/..."));
+ }
}
}
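Review bot: The retention loop globs `{$snort_log_dir}/app-stats.log.*`, while the size-limit cleanup added earlier in this file globs `{$snort_log_dir}/appid-stats.log.*`; unless Snort writes both names, one of these two patterns never matches and that cleanup path is a no-op. Pick the filename Snort actually emits and, ideally, hold it in one constant used by both loops. The `$value` array and the loop this block sits in start outside the hunk.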
diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php
index edf99dc8..3106cb7b 100755
--- a/config/snort/snort_check_for_rule_updates.php
+++ b/config/snort/snort_check_for_rule_updates.php
@@ -32,46 +32,16 @@
require_once("functions.inc");
require_once("service-utils.inc");
-require_once "/usr/local/pkg/snort/snort.inc";
+require_once("/usr/local/pkg/snort/snort.inc");
+require("/usr/local/pkg/snort/snort_defs.inc");
global $g, $config, $pkg_interface, $snort_gui_include, $rebuild_rules;
-if (!defined("VRT_DNLD_URL"))
- define("VRT_DNLD_URL", "https://www.snort.org/rules/");
-if (!defined("SNORT_BIN_VERSION"))
- define("SNORT_BIN_VERSION", "2.9.6.2");
-if (!defined("ET_VERSION"))
- define("ET_VERSION", "2.9.0");
-if (!defined("ET_BASE_DNLD_URL"))
- define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
-if (!defined("ETPRO_BASE_DNLD_URL"))
- define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
-if (!defined("SNORT_ET_DNLD_FILENAME"))
- define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-if (!defined("SNORT_ETPRO_DNLD_FILENAME"))
- define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-if (!defined("SNORT_GPLV2_DNLD_FILENAME"))
- define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-if (!defined("GPLV2_DNLD_URL"))
- define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
-if (!defined("SNORT_RULES_UPD_LOGFILE"))
- define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
-if (!defined("VRT_FILE_PREFIX"))
- define("VRT_FILE_PREFIX", "snort_");
-if (!defined("GPL_FILE_PREFIX"))
- define("GPL_FILE_PREFIX", "GPLv2_");
-if (!defined("ET_OPEN_FILE_PREFIX"))
- define("ET_OPEN_FILE_PREFIX", "emerging-");
-if (!defined("ET_PRO_FILE_PREFIX"))
- define("ET_PRO_FILE_PREFIX", "etpro-");
-if (!defined("SNORT_IPREP_PATH"))
- define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
-
$snortdir = SNORTDIR;
-$snortlibdir = SNORTLIBDIR;
+$snortlibdir = "/usr/pbi/snort-" . php_uname("m") . "/lib";
$snortlogdir = SNORTLOGDIR;
$snortiprepdir = SNORT_IPREP_PATH;
-$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
+$snortbindir = SNORT_PBI_BINDIR;
$mounted_rw = FALSE;
/* Save the state of $pkg_interface so we can restore it */
@@ -89,6 +59,7 @@ $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'
$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == 'on' ? 'on' : 'off';
$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'] == 'on' ? 'on' : 'off';
$vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload'] == 'on' ? 'on' : 'off';
+$openappid_detectors = $config['installedpackages']['snortglobal']['openappid_detectors'] == 'on' ? 'on' : 'off';
/* Working directory for downloaded rules tarballs and extraction */
$tmpfname = "{$g['tmp_path']}/snort_rules_up";
@@ -97,7 +68,7 @@ $tmpfname = "{$g['tmp_path']}/snort_rules_up";
/* the proper Snort VRT rules tarball and md5 filenames. Fallback to a */
/* default in the event we fail. */
$snortver = array();
-exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+exec("{$snortbindir}snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
// Save the version with decimal delimiters for use in extracting the rules
$snort_version = $snortver[0];
if (empty($snort_version))
@@ -143,6 +114,11 @@ $snort_community_rules_filename = SNORT_GPLV2_DNLD_FILENAME;
$snort_community_rules_filename_md5 = SNORT_GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
+/* Snort OpenAppID detectors filename and URL */
+$snort_openappid_filename = SNORT_OPENAPPID_DNLD_FILENAME;
+$snort_openappid_filename_md5 = SNORT_OPENAPPID_DNLD_FILENAME . ".md5";
+$snort_openappid_url = SNORT_OPENAPPID_DNLD_URL;
+
function snort_download_file_url($url, $file_out) {
/************************************************/
@@ -293,21 +269,21 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $snort_rules_upd_log, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors;
$snortdir = SNORTDIR;
$filename_md5 = basename($file_dst);
if ($pkg_interface <> "console")
update_status(gettext("Downloading {$desc} md5 file..."));
- error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$rc = snort_download_file_url($file_url, $file_dst);
// See if download from URL was successful
if ($rc === true) {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading {$filename_md5}."));
- error_log("\tChecking {$desc} md5 file...\n", 3, $snort_rules_upd_log);
+ error_log("\tChecking {$desc} md5 file...\n", 3, SNORT_RULES_UPD_LOGFILE);
// check md5 hash in new file against current file to see if new download is posted
if (file_exists("{$snortdir}/{$filename_md5}")) {
@@ -317,7 +293,7 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("{$desc} are up to date..."));
log_error(gettext("[Snort] {$desc} are up to date..."));
- error_log(gettext("\t{$desc} are up to date.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} are up to date.\n"), 3, SNORT_RULES_UPD_LOGFILE);
return false;
}
else
@@ -326,7 +302,7 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
return true;
}
else {
- error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_err_msg = gettext("Server returned error code {$rc}.");
if ($pkg_interface <> "console") {
update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
@@ -334,9 +310,9 @@ function snort_check_rule_md5($file_url, $file_dst, $desc = "") {
}
log_error(gettext("[Snort] {$desc} md5 download failed..."));
log_error(gettext("[Snort] Server returned error code {$rc}..."));
- error_log(gettext("\t{$snort_err_msg}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$snort_err_msg}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -361,7 +337,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $snort_rules_upd_log, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors;
$snortdir = SNORTDIR;
$filename = basename($file_dst);
@@ -369,8 +345,8 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
log_error(gettext("[Snort] There is a new set of {$desc} posted. Downloading {$filename}..."));
- error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$rc = snort_download_file_url($file_url, $file_dst);
// See if the download from the URL was successful
@@ -378,7 +354,7 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading {$desc} file."));
log_error("[Snort] {$desc} file update downloaded successfully");
- error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log);
+ error_log(gettext("\tDone downloading rules file.\n"),3, SNORT_RULES_UPD_LOGFILE);
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
@@ -387,10 +363,10 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
log_error(gettext("[Snort] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Snort] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Snort] Expected File MD5: {$file_md5}"));
- error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -400,9 +376,9 @@ function snort_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_output_window(gettext("{$desc} file download failed..."));
log_error(gettext("[Snort] {$desc} file download failed... server returned error '{$rc}'..."));
- error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $snort_rules_upd_log);
- error_log(gettext("\t{$desc} will not be updated.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -422,18 +398,18 @@ safe_mkdir("{$snortdir}/rules");
safe_mkdir("{$snortdir}/signatures");
safe_mkdir("{$snortdir}/preproc_rules");
safe_mkdir("{$tmpfname}");
-safe_mkdir("{$snortlibdir}/dynamicrules");
+safe_mkdir("{$snortlibdir}/snort_dynamicrules");
safe_mkdir("{$snortlogdir}");
safe_mkdir("{$snortiprepdir}");
/* See if we need to automatically clear the Update Log based on 1024K size limit */
-if (file_exists($snort_rules_upd_log)) {
- if (1048576 < filesize($snort_rules_upd_log))
- unlink_if_exists("{$snort_rules_upd_log}");
+if (file_exists(SNORT_RULES_UPD_LOGFILE)) {
+ if (1048576 < filesize(SNORT_RULES_UPD_LOGFILE))
+ unlink_if_exists("{SNORT_RULES_UPD_LOGFILE}");
}
/* Log start time for this rules update */
-error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $snort_rules_upd_log);
+error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, SNORT_RULES_UPD_LOGFILE);
$last_curl_error = "";
$update_errors = false;
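Review bot: `unlink_if_exists("{SNORT_RULES_UPD_LOGFILE}")` passes the literal string `{SNORT_RULES_UPD_LOGFILE}`; bare constants are not interpolated inside double quotes, with or without braces, so the oversized update log is never removed and the 1024K auto-clear becomes a no-op. The two preceding lines already use the constant correctly; this one should be `unlink_if_exists(SNORT_RULES_UPD_LOGFILE);`.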
@@ -449,9 +425,22 @@ if ($snortdownload == 'on') {
$snortdownload = 'off';
}
+/* Check for and download any new Snort OpenAppID detectors */
+if ($openappid_detectors == 'on') {
+ if (snort_check_rule_md5("{$snort_openappid_url}{$snort_openappid_filename}/md5", "{$tmpfname}/{$snort_openappid_filename_md5}", "Snort OpenAppID detectors")) {
+ $file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_openappid_filename_md5}"));
+ file_put_contents("{$tmpfname}/{$snort_openappid_filename_md5}", $file_md5);
+ /* download snort-openappid file */
+ if (!snort_fetch_new_rules("{$snort_openappid_url}{$snort_openappid_filename}", "{$tmpfname}/{$snort_openappid_filename}", $file_md5, "Snort OpenAppID detectors"))
+ $openappid_detectors = 'off';
+ }
+ else
+ $openappid_detectors = 'off';
+}
+
/* Check for and download any new Snort GPLv2 Community Rules sigs */
if ($snortcommunityrules == 'on') {
- if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
+ if (snort_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename}/md5", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
/* download Snort GPLv2 Community Rules file */
$file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"));
if (!snort_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules"))
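Review bot: The md5 for the OpenAppID tarball is fetched from the same origin as the tarball itself (`{$snort_openappid_url}{$snort_openappid_filename}/md5`), so the checksum comparison in snort_fetch_new_rules catches a truncated or corrupted transfer but cannot detect a substituted archive; whether the transport is HTTPS depends on SNORT_OPENAPPID_DNLD_URL, which is not visible here. That is the same model the existing rule feeds use, but since this archive is later unpacked into the Snort tree it is worth stating in the comment: `/* md5 is served by the same host as the tarball: a transfer-integrity check, not an authenticity check */`.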
@@ -492,7 +481,7 @@ if ($snortdownload == 'on') {
update_status(gettext("Extracting Snort VRT rules..."));
update_output_window(gettext("Installing Sourcefire VRT rules..."));
}
- error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/* extract snort.org rules and add VRT_FILE_PREFIX prefix to all snort.org files */
safe_mkdir("{$tmpfname}/snortrules");
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname}/snortrules rules/");
@@ -507,7 +496,7 @@ if ($snortdownload == 'on') {
$newfile = basename($file);
@copy($file, "{$snortdir}/rules/{$newfile}");
}
- exec("rm -r {$tmpfname}/snortrules");
+ rmdir_recursive("{$tmpfname}/snortrules");
/* Extract the Snort preprocessor rules */
if ($pkg_interface <> "console")
update_output_window(gettext("Extracting preprocessor rules files..."));
@@ -517,22 +506,21 @@ if ($snortdownload == 'on') {
$newfile = basename($file);
@copy($file, "{$snortdir}/preproc_rules/{$newfile}");
}
- exec("rm -r {$tmpfname}/preproc_rules");
+ rmdir_recursive("{$tmpfname}/preproc_rules");
/* extract so rules */
if ($pkg_interface <> "console") {
update_status(gettext("Extracting Snort VRT Shared Objects rules..."));
update_output_window(gettext("Installing precompiled Shared Objects rules for {$freebsd_version_so}..."));
}
- exec("/bin/mkdir -p {$snortlibdir}/dynamicrules/");
- error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tUsing Snort VRT precompiled SO rules for {$freebsd_version_so} ...\n"), 3, SNORT_RULES_UPD_LOGFILE);
$snort_arch = php_uname("m");
$nosorules = false;
if ($snort_arch == 'i386'){
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/");
- exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
+ exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/snort_dynamicrules/");
} elseif ($snort_arch == 'amd64') {
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$tmpfname} so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/");
- exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/");
+ exec("/bin/cp {$tmpfname}/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/snort_dynamicrules/");
} else
$nosorules = true;
rmdir_recursive("{$tmpfname}/so_rules/");
@@ -558,7 +546,7 @@ if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/etc/{$file}"))
@copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}");
}
- exec("rm -r {$tmpfname}/etc");
+ rmdir_recursive("{$tmpfname}/etc");
if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
if ($pkg_interface <> "console")
update_status(gettext("Copying md5 signature to snort directory..."));
@@ -568,7 +556,30 @@ if ($snortdownload == 'on') {
update_status(gettext("Extraction of Snort VRT rules completed..."));
update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
}
- error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ }
+}
+
+/* Untar Snort OpenAppID detectors file to SNORT_APPID_ODP_PATH */
+if ($openappid_detectors == 'on') {
+ // If we have a valid downloaded file, then first cleanup the old directory
+ if (file_exists("{$tmpfname}/{$snort_openappid_filename}")) {
+ $snort_openappid_path = SNORT_APPID_ODP_PATH;
+ rmdir_recursive("{$snort_openappid_path}odp");
+ error_log(gettext("\tExtracting and installing Snort OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ safe_mkdir(SNORT_APPID_ODP_PATH);
+ exec("/usr/bin/tar oxzf {$tmpfname}/{$snort_openappid_filename} -C {$snort_openappid_path}");
+ if (file_exists("{$tmpfname}/{$snort_openappid_filename_md5}")) {
+ if ($pkg_interface <> "console")
+ update_status(gettext("Copying md5 signature to snort directory..."));
+ @copy("{$tmpfname}/{$snort_openappid_filename_md5}", "{$snortdir}/{$snort_openappid_filename_md5}");
+ }
+ if ($pkg_interface <> "console") {
+ update_status(gettext("Extraction of Snort OpenAppID detectors completed..."));
+ update_output_window(gettext("Installation of Snort OpenAppID detectors completed..."));
+ }
+ unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}");
+ error_log(gettext("\tInstallation of Snort OpenAppID detectors completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
}
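Review bot: The `exec("/usr/bin/tar oxzf ...")` call discards tar's exit status, so a failed or partial extraction still copies the new md5 into `$snortdir` and logs "Installation of Snort OpenAppID detectors completed"; on the next run snort_check_rule_md5 will then report the detectors as up to date and never retry. Capturing the return code and treating a non-zero result as an update error, like the download paths already do, closes that gap. The block also mixes `$snort_openappid_path` and `SNORT_APPID_ODP_PATH` for the same directory; using the local variable throughout reads more consistently.
```php
		exec("/usr/bin/tar oxzf {$tmpfname}/{$snort_openappid_filename} -C {$snort_openappid_path}", $output, $rc);
		if ($rc != 0) {
			log_error(gettext("[Snort] Extraction of Snort OpenAppID detectors failed (tar exit code {$rc})..."));
			error_log(gettext("\tExtraction of Snort OpenAppID detectors failed. Detectors will not be updated.\n"), 3, SNORT_RULES_UPD_LOGFILE);
			$update_errors = true;
		}
		else {
			// … unchanged: md5 copy, status messages, completion log …
		}
		unlink_if_exists("{$tmpfname}/{$snort_openappid_filename}");
```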
@@ -580,7 +591,7 @@ if ($snortcommunityrules == 'on') {
update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
}
- error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
$files = glob("{$tmpfname}/community/community-rules/*.rules");
@@ -603,7 +614,7 @@ if ($snortcommunityrules == 'on') {
update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
}
- error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/community/");
}
}
@@ -616,7 +627,7 @@ if ($emergingthreats == 'on') {
update_status(gettext("Extracting {$et_name} rules..."));
update_output_window(gettext("Installing {$et_name} rules..."));
}
- error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
/* Remove the old Emerging Threats rules files */
@@ -664,7 +675,7 @@ if ($emergingthreats == 'on') {
update_status(gettext("Extraction of {$et_name} rules completed..."));
update_output_window(gettext("Installation of {$et_name} rules completed..."));
}
- error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SNORT_RULES_UPD_LOGFILE);
rmdir_recursive("{$tmpfname}/emerging/");
}
}
@@ -698,7 +709,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($pkg_interface <> "console")
update_status(gettext('Copying new config and map files...'));
- error_log(gettext("\tCopying new config and map files...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tCopying new config and map files...\n"), 3, SNORT_RULES_UPD_LOGFILE);
/******************************************************************/
/* Build the classification.config and reference.config files */
@@ -757,8 +768,8 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/rules");
if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules"))
safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/preproc_rules");
- if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor"))
- safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/dynamicpreprocessor");
+ if (!is_dir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/snort_dynamicpreprocessor"))
+ safe_mkdir("{$snortdir}/snort_{$value['uuid']}_{$if_real}/snort_dynamicpreprocessor");
snort_apply_customizations($value, $if_real);
@@ -768,7 +779,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
$tmp .= gettext("\tPreprocessor text rules flagged as protected and not updated for ");
$tmp .= convert_friendly_interface_to_friendly_descr($value['interface']) . "...\n";
}
- error_log($tmp, 3, $snort_rules_upd_log);
+ error_log($tmp, 3, SNORT_RULES_UPD_LOGFILE);
}
}
else {
@@ -776,7 +787,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
update_output_window(gettext("Warning: No interfaces configured for Snort were found..."));
update_output_window(gettext("No interfaces currently have Snort configured and enabled on them..."));
}
- error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tWarning: No interfaces configured for Snort were found...\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
/* Clear the rebuild rules flag. */
@@ -788,7 +799,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
update_status(gettext('Restarting Snort to activate the new set of rules...'));
update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
}
- error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tRestarting Snort to activate the new set of rules...\n"), 3, SNORT_RULES_UPD_LOGFILE);
touch("{$g['varrun_path']}/snort_pkg_starting.lck");
snort_restart_all_interfaces(TRUE);
sleep(3);
@@ -796,7 +807,32 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($pkg_interface <> "console")
update_output_window(gettext("Snort has restarted with your new set of rules..."));
log_error(gettext("[Snort] Snort has restarted with your new set of rules..."));
- error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, $snort_rules_upd_log);
+ error_log(gettext("\tSnort has restarted with your new set of rules.\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ }
+ else {
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("The rules update task is complete..."));
+ }
+}
+elseif ($openappid_detectors == 'on') {
+ /**************************************************************************************/
+ /* Only updated OpenAppID detectors, so do not need to rebuild all interface rules. */
+ /* Restart snort if running, and not in post-install, so as to pick up the detectors. */
+ /**************************************************************************************/
+ if (!$g['snort_postinstall'] && is_service_running("snort") && count($config['installedpackages']['snortglobal']['rule']) > 0) {
+ if ($pkg_interface <> "console") {
+ update_status(gettext('Restarting Snort to activate the new OpenAppID detectors...'));
+ update_output_window(gettext("Please wait ... restarting Snort will take some time..."));
+ }
+ error_log(gettext("\tRestarting Snort to activate the new OpenAppID detectors...\n"), 3, SNORT_RULES_UPD_LOGFILE);
+ touch("{$g['varrun_path']}/snort_pkg_starting.lck");
+ snort_restart_all_interfaces(TRUE);
+ sleep(2);
+ unlink_if_exists("{$g['varrun_path']}/snort_pkg_starting.lck");
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("Snort has restarted with your new set of OpenAppID detectors..."));
+ log_error(gettext("[Snort] Snort has restarted with your new set of OpenAppID detectors..."));
+ error_log(gettext("\tSnort has restarted with your new set of OpenAppID detectors.\n"), 3, SNORT_RULES_UPD_LOGFILE);
}
else {
if ($pkg_interface <> "console")
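Review bot: The new `elseif ($openappid_detectors == 'on')` branch gates the restart on `count($config['installedpackages']['snortglobal']['rule']) > 0`; when no interface has ever been configured that key is presumably absent, and `count()` on a non-array is not a dependable zero (newer PHP warns or throws). `!empty($config['installedpackages']['snortglobal']['rule'])` states the intent without relying on that. The restart sequence itself (touch the lock file, `snort_restart_all_interfaces(TRUE)`, sleep, unlink, status messages) is a near-copy of the block directly above, differing only in `sleep(2)` versus `sleep(3)` and the message text, so a small helper taking the message would keep the two paths from drifting. The if/elseif chain continues past the end of the hunk.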
@@ -812,7 +848,7 @@ if (is_dir("{$tmpfname}")) {
if ($pkg_interface <> "console")
update_status(gettext("The Rules update has finished..."));
log_error(gettext("[Snort] The Rules update has finished."));
-error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $snort_rules_upd_log);
+error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SNORT_RULES_UPD_LOGFILE);
/* Remount filesystem read-only if we changed it in this module */
if ($mounted_rw == TRUE)
diff --git a/config/snort/snort_conf_template.inc b/config/snort/snort_conf_template.inc
index e1b11acc..6b362ce5 100644
--- a/config/snort/snort_conf_template.inc
+++ b/config/snort/snort_conf_template.inc
@@ -24,9 +24,6 @@ var RULE_PATH {$snortcfgdir}/rules
# Define Server Ports #
{$portvardef}
-# Configure quiet startup mode #
-config quiet
-
# Configure the snort decoder #
config checksum_mode: {$cksumcheck}
config disable_decode_alerts
diff --git a/config/snort/snort_defs.inc b/config/snort/snort_defs.inc
new file mode 100644
index 00000000..43ecada6
--- /dev/null
+++ b/config/snort/snort_defs.inc
@@ -0,0 +1,101 @@
+<?php
+/*
+ * snort_defs.inc
+ *
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009-2010 Robert Zelaya
+ * Copyright (C) 2011-2012 Ermal Luci
+ * Copyright (C) 2013,2014 Bill Meeks
+ * part of pfSense
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+global $g, $config;
+
+/* Define some useful constants for Snort */
+if (!defined("SNORT_PBI_BASEDIR"))
+ define("SNORT_PBI_BASEDIR", "/usr/pbi/snort-" . php_uname("m") . "/");
+if (!defined("SNORT_PBI_BINDIR"))
+ define("SNORT_PBI_BINDIR", SNORT_PBI_BASEDIR . "bin/");
+if (!defined("SNORTDIR"))
+ define("SNORTDIR", SNORT_PBI_BASEDIR . "etc/snort");
+if (!defined("SNORTLOGDIR"))
+ define("SNORTLOGDIR", "{$g['varlog_path']}/snort");
+if (!defined("SNORT_BIN_VERSION")) {
+ // Grab the Snort binary version programmatically
+ $snortver = array();
+ $snortbindir = SNORT_PBI_BINDIR;
+ mwexec("{$snortbindir}/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
+ if (!empty($snortver[0]))
+ define("SNORT_BIN_VERSION", $snortver[0]);
+ else
+ define("SNORT_BIN_VERSION", "2.9.7.0");
+}
+if (!defined("SNORT_SID_MODS_PATH"))
+ define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
+if (!defined("SNORT_IPREP_PATH"))
+ define("SNORT_IPREP_PATH", "{$g['vardb_path']}/snort/iprep/");
+if (!defined('SNORT_APPID_ODP_PATH'))
+ define('SNORT_APPID_ODP_PATH', SNORTDIR . "/appid/");
+
+// Rules filenames, download URLs and prefixes.
+// Be sure to include the trailing backslash on URLs.
+if (!defined("SNORT_ENFORCING_RULES_FILENAME"))
+ define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
+if (!defined("FLOWBITS_FILENAME"))
+ define("FLOWBITS_FILENAME", "flowbit-required.rules");
+if (!defined("SNORT_RULES_UPD_LOGFILE"))
+ define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("VRT_DNLD_URL"))
+ define("VRT_DNLD_URL", "https://www.snort.org/rules/");
+if (!defined("ET_VERSION"))
+ define("ET_VERSION", "2.9.0");
+if (!defined("ET_BASE_DNLD_URL"))
+ define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
+if (!defined("ETPRO_BASE_DNLD_URL"))
+ define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
+if (!defined("SNORT_ET_DNLD_FILENAME"))
+ define("SNORT_ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+if (!defined("SNORT_ETPRO_DNLD_FILENAME"))
+ define("SNORT_ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
+if (!defined("SNORT_GPLV2_DNLD_FILENAME"))
+ define("SNORT_GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
+if (!defined("GPLV2_DNLD_URL"))
+ define("GPLV2_DNLD_URL", "https://www.snort.org/downloads/community/");
+if (!defined("SNORT_OPENAPPID_DNLD_URL"))
+ define("SNORT_OPENAPPID_DNLD_URL", "https://www.snort.org/downloads/openappid/");
+if (!defined("SNORT_OPENAPPID_DNLD_FILENAME"))
+ define("SNORT_OPENAPPID_DNLD_FILENAME", "snort-openappid.tar.gz");
+if (!defined("SNORT_RULES_UPD_LOGFILE"))
+ define("SNORT_RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log");
+if (!defined("VRT_FILE_PREFIX"))
+ define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+ define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+ define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+ define("ET_PRO_FILE_PREFIX", "etpro-");
+
+?>
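Review bot: `SNORT_RULES_UPD_LOGFILE` is defined twice in this new file, once after `FLOWBITS_FILENAME` and again after `SNORT_OPENAPPID_DNLD_FILENAME`; the `!defined()` guard makes the second a no-op, but two copies of the same value invite divergence, so drop one. `ET_BASE_DNLD_URL` is the only download base that is plain `http://`, which means the Emerging Threats Open tarball and its .md5 arrive over the same unauthenticated channel; if that host serves HTTPS, switching the scheme gives the md5 comparison something to stand on. The comment `// Be sure to include the trailing backslash on URLs.` means the forward slash `/`, as every value below it shows. The `mwexec()` probing the Snort binary version runs at include time in any request that pulls this file in (once per request thanks to the guard); if that is not intended, a lazy lookup would be cheaper.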
diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php
index e74a9ce6..3f34cb7e 100755
--- a/config/snort/snort_download_updates.php
+++ b/config/snort/snort_download_updates.php
@@ -39,24 +39,18 @@ require_once("/usr/local/pkg/snort/snort.inc");
/* Define some locally required variables from Snort constants */
$snortdir = SNORTDIR;
$snort_rules_upd_log = SNORT_RULES_UPD_LOGFILE;
+$snortbinver = SNORT_BIN_VERSION;
+$snortbinver = str_replace(".", "", $snortbinver);
-/* Grab the Snort binary version programmatically and */
-/* use it to construct the proper Snort VRT rules */
-/* tarball filename. Fallback to a safe default if */
-/* we fail. */
-$snortver = array();
-exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver);
-if (empty($snortver[0]))
- $snortver[0] = SNORT_BIN_VERSION;
-$snortver[0] = str_replace(".", "", $snortver[0]);
-
-$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz";
+$snort_rules_file = "snortrules-snapshot-{$snortbinver}.tar.gz";
$snort_community_rules_filename = SNORT_GPLV2_DNLD_FILENAME;
+$snort_openappid_filename = SNORT_OPENAPPID_DNLD_FILENAME;
$snortdownload = $config['installedpackages']['snortglobal']['snortdownload'];
$emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats'];
$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro'];
$snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules'];
+$openappid_detectors = $config['installedpackages']['snortglobal']['openappid_detectors'];
/* Get last update information if available */
if (!empty($config['installedpackages']['snortglobal']['last_rule_upd_time']))
@@ -70,21 +64,21 @@ else
if ($etpro == "on") {
$emergingthreats_filename = SNORT_ETPRO_DNLD_FILENAME;
- $et_name = "Emerging Threats Pro Rules";
+ $et_name = gettext("Emerging Threats Pro Rules");
}
else {
$emergingthreats_filename = SNORT_ET_DNLD_FILENAME;
- $et_name = "Emerging Threats Open Rules";
+ $et_name = gettext("Emerging Threats Open Rules");
}
/* quick md5 chk of downloaded rules */
if ($snortdownload == 'on') {
- $snort_org_sig_chk_local = 'Not Downloaded';
- $snort_org_sig_date = 'Not Downloaded';
+ $snort_org_sig_chk_local = gettext("Not Downloaded");
+ $snort_org_sig_date = gettext("Not Downloaded");
}
else {
- $snort_org_sig_chk_local = 'Not Enabled';
- $snort_org_sig_date = 'Not Enabled';
+ $snort_org_sig_chk_local = gettext("Not Enabled");
+ $snort_org_sig_date = gettext("Not Enabled");
}
if (file_exists("{$snortdir}/{$snort_rules_file}.md5") && $snortdownload == 'on') {
$snort_org_sig_chk_local = file_get_contents("{$snortdir}/{$snort_rules_file}.md5");
@@ -92,12 +86,12 @@ if (file_exists("{$snortdir}/{$snort_rules_file}.md5") && $snortdownload == 'on'
}
if ($etpro == "on" || $emergingthreats == "on") {
- $emergingt_net_sig_chk_local = 'Not Downloaded';
- $emergingt_net_sig_date = 'Not Downloaded';
+ $emergingt_net_sig_chk_local = gettext("Not Downloaded");
+ $emergingt_net_sig_date = gettext("Not Downloaded");
}
else {
- $emergingt_net_sig_chk_local = 'Not Enabled';
- $emergingt_net_sig_date = 'Not Enabled';
+ $emergingt_net_sig_chk_local = gettext("Not Enabled");
+ $emergingt_net_sig_date = gettext("Not Enabled");
}
if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5") && ($etpro == "on" || $emergingthreats == "on")) {
$emergingt_net_sig_chk_local = file_get_contents("{$snortdir}/{$emergingthreats_filename}.md5");
@@ -105,16 +99,29 @@ if (file_exists("{$snortdir}/{$emergingthreats_filename}.md5") && ($etpro == "on
}
if ($snortcommunityrules == 'on') {
- $snort_community_sig_chk_local = 'Not Downloaded';
- $snort_community_sig_sig_date = 'Not Downloaded';
+ $snort_community_sig_chk_local = gettext("Not Downloaded");
+ $snort_community_sig_date = gettext("Not Downloaded");
}
else {
- $snort_community_sig_chk_local = 'Not Enabled';
- $snort_community_sig_sig_date = 'Not Enabled';
+ $snort_community_sig_chk_local = gettext("Not Enabled");
+ $snort_community_sig_date = gettext("Not Enabled");
}
if (file_exists("{$snortdir}/{$snort_community_rules_filename}.md5") && $snortcommunityrules == 'on') {
$snort_community_sig_chk_local = file_get_contents("{$snortdir}/{$snort_community_rules_filename}.md5");
- $snort_community_sig_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_community_rules_filename}.md5"));
+ $snort_community_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_community_rules_filename}.md5"));
+}
+
+if ($openappid_detectors == 'on') {
+ $openappid_detectors_sig_chk_local = gettext("Not Downloaded");
+ $openappid_detectors_sig_date = gettext("Not Downloaded");
+}
+else {
+ $openappid_detectors_sig_chk_local = gettext("Not Enabled");
+ $openappid_detectors_sig_date = gettext("Not Enabled");
+}
+if (file_exists("{$snortdir}/{$snort_openappid_filename}.md5") && $openappid_detectors == 'on') {
+ $openappid_detectors_sig_chk_local = file_get_contents("{$snortdir}/{$snort_openappid_filename}.md5");
+ $openappid_detectors_sig_date = date(DATE_RFC850, filemtime("{$snortdir}/{$snort_openappid_filename}.md5"));
}
/* Check for postback to see if we should clear the update log file. */
@@ -122,7 +129,7 @@ if (isset($_POST['clear'])) {
unlink_if_exists($snort_rules_upd_log);
}
-if (isset($_POST['check'])) {
+if (isset($_POST['update'])) {
header("Location: /snort/snort_download_rules.php");
exit;
}
@@ -135,6 +142,7 @@ if ($_POST['force']) {
unlink_if_exists("{$snortdir}/{$emergingthreats_filename}.md5");
unlink_if_exists("{$snortdir}/{$snort_community_rules_filename}.md5");
unlink_if_exists("{$snortdir}/{$snort_rules_file}.md5");
+ unlink_if_exists("{$snortdir}/{$snort_openappid_filename}.md5");
// Revert file system to R/O.
conf_mount_ro();
@@ -204,20 +212,25 @@ include_once("head.inc");
</tr>
</thead>
<tr>
- <td align="center" class="vncell vexpl"><b>Snort VRT Rules</b></td>
+ <td align="center" class="vncell vexpl"><b><?=gettext("Snort VRT Rules");?></b></td>
<td align="center" class="vncell vexpl"><? echo trim($snort_org_sig_chk_local);?></td>
<td align="center" class="vncell vexpl"><?php echo gettext($snort_org_sig_date);?></td>
</tr>
<tr>
- <td align="center" class="vncell vexpl"><b>Snort GPLv2 Community Rules</b></td>
+ <td align="center" class="vncell vexpl"><b><?=gettext("Snort GPLv2 Community Rules");?></b></td>
<td align="center" class="vncell vexpl"><? echo trim($snort_community_sig_chk_local);?></td>
- <td align="center" class="vncell vexpl"><?php echo gettext($snort_community_sig_sig_date);?></td>
+ <td align="center" class="vncell vexpl"><?php echo gettext($snort_community_sig_date);?></td>
</tr>
<tr>
<td align="center" class="vncell vexpl"><b><?=$et_name;?></b></td>
<td align="center" class="vncell vexpl"><? echo trim($emergingt_net_sig_chk_local);?></td>
<td align="center" class="vncell vexpl"><?php echo gettext($emergingt_net_sig_date);?></td>
</tr>
+ <tr>
+ <td align="center" class="vncell vexpl"><b><?=gettext("Snort OpenAppID Detectors");?></b></td>
+ <td align="center" class="vncell vexpl"><? echo trim($openappid_detectors_sig_chk_local);?></td>
+ <td align="center" class="vncell vexpl"><?php echo gettext($openappid_detectors_sig_date);?></td>
+ </tr>
</table><br/>
</td>
</tr>
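Review bot: The new OpenAppID row echoes `trim($openappid_detectors_sig_chk_local)` directly into the table cell, and that variable holds the raw contents of the downloaded `.md5` file (read earlier in this file), so anything other than a bare hash in that file would be rendered as markup. Wrap it as `<?=htmlspecialchars(trim($openappid_detectors_sig_chk_local));?>`, as this page family already does for `$pconfig['oinkmastercode']` in snort_interfaces_global.php. The two existing rows above share the pattern; since this commit adds the third row it is the natural place to escape all three. Passing the formatted date through `gettext()` in the last column has no effect and can be dropped.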
@@ -253,8 +266,8 @@ include_once("head.inc");
<br/></p>
<?php else: ?>
<br/>
- <input type="submit" value="<?=gettext("Check");?>" name="check" id="check" class="formbtn"
- title="<?php echo gettext("Check for new updates to enabled rule sets"); ?>"/>&nbsp;&nbsp;&nbsp;&nbsp;
+ <input type="submit" value="<?=gettext("Update");?>" name="update" id="update" class="formbtn"
+ title="<?php echo gettext("Check for and apply new update to enabled rule sets"); ?>"/>&nbsp;&nbsp;&nbsp;&nbsp;
<input type="submit" value="<?=gettext("Force");?>" name="force" id="force" class="formbtn"
title="<?=gettext("Force an update of all enabled rule sets");?>"
onclick="return confirm('<?=gettext("This will zero-out the MD5 hashes to force a fresh download of enabled rule sets. Click OK to continue or CANCEL to quit");?>');"/>
diff --git a/config/snort/snort_generate_conf.php b/config/snort/snort_generate_conf.php
index fb5c750f..1d56fc13 100644
--- a/config/snort/snort_generate_conf.php
+++ b/config/snort/snort_generate_conf.php
@@ -64,9 +64,9 @@ $snort_dirs = array( $snortdir, $snortcfgdir, "{$snortcfgdir}/rules",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}",
"{$snortlogdir}/snort_{$if_real}{$snort_uuid}/barnyard2",
"{$snortcfgdir}/preproc_rules",
- "dynamicrules" => "{$snortlibdir}/dynamicrules",
- "dynamicengine" => "{$snortlibdir}/dynamicengine",
- "dynamicpreprocessor" => "{$snortcfgdir}/dynamicpreprocessor"
+ "dynamicrules" => "{$snortlibdir}/snort_dynamicrules",
+ "dynamicengine" => "{$snortlibdir}/snort_dynamicengine",
+ "dynamicpreprocessor" => "{$snortcfgdir}/snort_dynamicpreprocessor"
);
foreach ($snort_dirs as $dir) {
if (!is_dir($dir))
@@ -82,7 +82,7 @@ foreach ($snort_dirs as $dir) {
/* put in place by the rules update process. */
/********************************************************************/
$snort_files = array("gen-msg.map", "classification.config", "reference.config", "attribute_table.dtd",
- "sid-msg.map", "unicode.map", "threshold.conf", "preproc_rules/preprocessor.rules",
+ "sid-msg.map", "unicode.map", "file_magic.conf", "threshold.conf", "preproc_rules/preprocessor.rules",
"preproc_rules/decoder.rules", "preproc_rules/sensitive-data.rules"
);
foreach ($snort_files as $file) {
@@ -126,6 +126,10 @@ if ($snortcfg['barnyard_enable'] == "on") {
$snortunifiedlog_type .= ", vlan_event_types";
if ($snortcfg['barnyard_log_mpls_events'] == 'on')
$snortunifiedlog_type .= ", mpls_event_types";
+
+ // If AppID detector is enabled, add it to unified2 logging
+ if ($snortcfg['appid_preproc'] == 'on' )
+ $snortunifiedlog_type .= ", appid_event_types";
}
/* define spoink */
@@ -889,6 +893,23 @@ preprocessor reputation: \
EOD;
+/* def AppID preprocessor */
+$appid_memcap = $snortcfg['sf_appid_mem_cap'] * 1024 * 1024;
+$appid_params = "app_detector_dir " . SNORT_APPID_ODP_PATH . ", \\\n\tmemcap {$appid_memcap}";
+if ($snortcfg['sf_appid_statslog'] == "on") {
+ $appid_params .= ", \\\n\tapp_stats_filename app-stats.log";
+ $appid_params .= ", \\\n\tapp_stats_period {$snortcfg['sf_appid_stats_period']}";
+ $appid_params .= ", \\\n\tapp_stats_rollover_size " . strval($config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] * 1024);
+ $appid_params .= ", \\\n\tapp_stats_rollover_time 86400";
+}
+
+$appid_preproc = <<<EOD
+# AppID preprocessor #
+preprocessor appid: \
+ {$appid_params}
+
+EOD;
+
/***************************************/
/* end of preprocessor string var code */
/***************************************/
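Review bot: `$appid_memcap` and the `app_stats_period` value are read from `$snortcfg['sf_appid_mem_cap']` and `$snortcfg['sf_appid_stats_period']` with no fallback, so an interface record lacking those keys yields `memcap 0` and an empty `app_stats_period`, which Snort presumably rejects at startup. The defaults (`256`, `300`) are written only for newly created interfaces in this commit's snort_interfaces_edit.php hunk, so a pre-existing interface could reach this code with the keys unset. Guard both reads, e.g. `$appid_memcap = (empty($snortcfg['sf_appid_mem_cap']) ? 256 : (int)$snortcfg['sf_appid_mem_cap']) * 1024 * 1024;` and the same `empty()`/default pattern for the stats period and the global `appid_stats_log_limit_size`. Whether `$default_disabled_preprocs` keeps this snippet out of the generated config for such interfaces is not visible in the hunk.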
@@ -920,14 +941,14 @@ $snort_preproc_libs = array(
"dce_rpc_2" => "dce2_preproc", "dns_preprocessor" => "dns_preproc", "ftp_preprocessor" => "ftptelnet_preproc", "imap_preproc" => "imap_preproc",
"pop_preproc" => "pop_preproc", "reputation_preproc" => "reputation_preproc", "sensitive_data" => "sdf_preproc",
"sip_preproc" => "sip_preproc", "gtp_preproc" => "gtp_preproc", "smtp_preprocessor" => "smtp_preproc", "ssh_preproc" => "ssh_preproc",
- "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc"
+ "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc", "appid_preproc" => "appid_preproc"
);
$snort_preproc = array (
"perform_stat", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan",
- "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc"
+ "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "appid_preproc"
);
$default_disabled_preprocs = array(
- "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat"
+ "sf_portscan", "gtp_preproc", "sensitive_data", "dnp3_preproc", "modbus_preproc", "reputation_preproc", "perform_stat", "appid_preproc"
);
$snort_preprocessors = "";
foreach ($snort_preproc as $preproc) {
@@ -941,8 +962,8 @@ foreach ($snort_preproc as $preproc) {
if (!empty($snort_preproc_libs[$preproc])) {
$preproclib = "libsf_" . $snort_preproc_libs[$preproc];
if (!file_exists($snort_dirs['dynamicpreprocessor'] . "{$preproclib}.so")) {
- if (file_exists("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so")) {
- @copy("{$snortlibdir}/dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
+ if (file_exists("{$snortlibdir}/snort_dynamicpreprocessor/{$preproclib}.so")) {
+ @copy("{$snortlibdir}/snort_dynamicpreprocessor/{$preproclib}.so", "{$snort_dirs['dynamicpreprocessor']}/{$preproclib}.so");
$snort_preprocessors .= $$preproc;
$snort_preprocessors .= "\n";
} else
diff --git a/config/snort/snort_interface_logs.php b/config/snort/snort_interface_logs.php
index ba8215ca..c8c4c24c 100644
--- a/config/snort/snort_interface_logs.php
+++ b/config/snort/snort_interface_logs.php
@@ -54,15 +54,29 @@ $if_real = get_real_interface($a_instance[$id]['interface']);
// Construct a pointer to the instance's logging subdirectory
$snortlogdir = SNORTLOGDIR . "/snort_{$if_real}{$snort_uuid}/";
+// Construct a pointer to the PBI_BIN directory
+$snortbindir = SNORT_PBI_BINDIR;
+
// Limit all file access to just the currently selected interface's logging subdirectory
$logfile = htmlspecialchars($snortlogdir . basename($_POST['file']));
if ($_POST['action'] == 'load') {
+ // If viewing the app-stats log, then grab only the most recent one
+ if (strpos(basename($logfile), "app-stats.log") !== FALSE) {
+ $appid_statlogs = glob("{$snortlogdir}app-stats.log.*");
+ $logfile = array_pop($appid_statlogs);
+ }
+
if(!is_file($logfile)) {
echo "|3|" . gettext("Log file does not exist or that logging feature is not enabled") . ".|";
}
else {
- $data = file_get_contents($logfile);
+ // Test for special unified2 format app-stats file because
+ // we have to use a Snort binary tool to display its contents.
+ if (strpos(basename($_POST['file']), "app-stats.log") !== FALSE)
+ $data = shell_exec("{$snortbindir}u2openappid {$logfile} 2>&1");
+ else
+ $data = file_get_contents($logfile);
if($data === false) {
echo "|1|" . gettext("Failed to read log file") . ".|";
} else {
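Review bot: `$data = shell_exec("{$snortbindir}u2openappid {$logfile} 2>&1");` builds the command by interpolating `$logfile` into a shell string; in this hunk `$logfile` has been replaced by a `glob()` result before the call, but the two tests that make that happen examine different variables (`basename($logfile)` at the top, `basename($_POST['file'])` in the else branch), so a later edit to either one would let the POST-derived, htmlspecialchars()-mangled path reach the shell. Compute the condition once into a variable used by both branches, and pass the argument as `escapeshellarg($logfile)` regardless. When `glob()` matches nothing, `array_pop()` returns NULL and `is_file(NULL)` silently falls into the "does not exist" message; an explicit `if (empty($appid_statlogs))` check would make that path readable. Taking the last `glob()` entry as the most recent log assumes the rollover suffixes sort chronologically, which deserves a comment confirming it.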
@@ -178,7 +192,7 @@ if ($input_errors) {
<td width="78%" class="vtable">
<select name="logFile" id="logFile" class="formselect" onChange="loadFile();">
<?php
- $logs = array( "alert", "{$if_real}.stats" , "sid_changes.log" );
+ $logs = array( "alert", "app-stats.log", "{$if_real}.stats" , "sid_changes.log" );
foreach ($logs as $log) {
$selected = "";
if ($log == basename($logfile))
diff --git a/config/snort/snort_interfaces_edit.php b/config/snort/snort_interfaces_edit.php
index 14b54b34..0d41c7db 100755
--- a/config/snort/snort_interfaces_edit.php
+++ b/config/snort/snort_interfaces_edit.php
@@ -365,9 +365,15 @@ if ($_POST["save"] && !$input_errors) {
if (!is_array($natent['stream5_tcp_engine']['item']))
$natent['stream5_tcp_engine']['item'] = array();
$natent['stream5_tcp_engine']['item'][] = $stream5_eng;
+
$natent['alertsystemlog_facility'] = "log_auth";
$natent['alertsystemlog_priority'] = "log_alert";
+ $natent['appid_preproc'] = "off";
+ $natent['sf_appid_mem_cap'] = "256";
+ $natent['sf_appid_statslog'] = "on";
+ $natent['sf_appid_stats_period'] = "300";
+
$a_rule[] = $natent;
}
diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php
index fb36d192..6c1d56ac 100644
--- a/config/snort/snort_interfaces_global.php
+++ b/config/snort/snort_interfaces_global.php
@@ -41,19 +41,26 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g;
$snortdir = SNORTDIR;
-
-/* make things short */
-$pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload'] == "on" ? 'on' : 'off';
-$pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode'];
-$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code'];
-$pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats'] == "on" ? 'on' : 'off';
-$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == "on" ? 'on' : 'off';
-$pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
-$pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7'];
-$pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime'];
-$pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'] == "on" ? 'on' : 'off';
-$pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'] == "on" ? 'on' : 'off';
-$pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
+$snort_openappdir = SNORT_APPID_ODP_PATH;
+
+// Grab any previous input values if doing a SAVE operation
+if ($_POST['save'])
+ $pconfig = $_POST;
+else {
+ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload'] == "on" ? 'on' : 'off';
+ $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode'];
+ $pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code'];
+ $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats'] == "on" ? 'on' : 'off';
+ $pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro'] == "on" ? 'on' : 'off';
+ $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked'];
+ $pconfig['autorulesupdate7'] = $config['installedpackages']['snortglobal']['autorulesupdate7'];
+ $pconfig['rule_update_starttime'] = $config['installedpackages']['snortglobal']['rule_update_starttime'];
+ $pconfig['forcekeepsettings'] = $config['installedpackages']['snortglobal']['forcekeepsettings'] == "on" ? 'on' : 'off';
+ $pconfig['snortcommunityrules'] = $config['installedpackages']['snortglobal']['snortcommunityrules'] == "on" ? 'on' : 'off';
+ $pconfig['clearblocks'] = $config['installedpackages']['snortglobal']['clearblocks'] == "on" ? 'on' : 'off';
+ $pconfig['verbose_logging'] = $config['installedpackages']['snortglobal']['verbose_logging'] == "on" ? 'on' : 'off';
+ $pconfig['openappid_detectors'] = $config['installedpackages']['snortglobal']['openappid_detectors'] == "on" ? 'on' : 'off';
+}
/* Set sensible values for any empty default params */
if (!isset($pconfig['rule_update_starttime']))
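Review bot: `$pconfig = $_POST;` on a save copies the whole request array, so every later `$pconfig[...]` read on this page reflects unvalidated client input, including keys the form never defines. That is fine only as long as each echo goes through `htmlspecialchars()` (as `$pconfig['oinkmastercode']` does further down) and checkbox tests compare against `'on'` as the render code does; a comment at the assignment, `// $pconfig mirrors raw POST input on save: every value echoed below must be escaped`, would make that contract explicit. Note that the `'on'`/`'off'` normalisation runs only on the non-save path, so after a save an unchecked box leaves its key unset rather than `'off'`; the `=='on'` comparisons tolerate that, but any `isset()`-based default below would see a different shape on the two paths.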
@@ -61,6 +68,16 @@ if (!isset($pconfig['rule_update_starttime']))
if (!isset($config['installedpackages']['snortglobal']['forcekeepsettings']))
$pconfig['forcekeepsettings'] = 'on';
+/* Grab OpenAppID version info if enabled and downloaded */
+if ($pconfig['openappid_detectors'] == "on") {
+ if (file_exists("{$snort_openappdir}odp/version.conf")) {
+ $openappid_ver = gettext("Installed Detection Package ");
+ $openappid_ver .= gettext(ucfirst(strtolower(file_get_contents("{$snort_openappdir}odp/version.conf"))));
+ }
+ else
+ $openappid_ver = gettext("N/A (Not Downloaded)");
+}
+
if ($_POST['rule_update_starttime']) {
if (!preg_match('/^([01]?[0-9]|2[0-3]):?([0-5][0-9])$/', $_POST['rule_update_starttime']))
$input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'.";
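Review bot: `$openappid_ver` is assembled from the raw contents of `{$snort_openappdir}odp/version.conf`, a file that comes out of the downloaded detector tarball, and wrapped in `gettext()`; gettext() on a runtime string performs no translation and should be dropped, while the value needs `htmlspecialchars()` where it is echoed (not in this hunk; confirm at the render site). If `file_get_contents()` fails it returns FALSE, which `strtolower()` turns into an empty string, so the page would show "Installed Detection Package " followed by nothing; testing the read result before use gives a clearer message. `$openappid_ver` is also left undefined when the detectors are off, which an unconditional echo of it would trip over.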
@@ -81,6 +98,8 @@ if (!$input_errors) {
$config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off';
$config['installedpackages']['snortglobal']['clearblocks'] = $_POST['clearblocks'] ? 'on' : 'off';
+ $config['installedpackages']['snortglobal']['verbose_logging'] = $_POST['verbose_logging'] ? 'on' : 'off';
+ $config['installedpackages']['snortglobal']['openappid_detectors'] = $_POST['openappid_detectors'] ? 'on' : 'off';
// If any rule sets are being turned off, then remove them
// from the active rules section of each interface. Start
@@ -137,13 +156,13 @@ if (!$input_errors) {
$retval = 0;
+ write_config("Snort pkg: modified global settings.");
+
/* create whitelist and homenet file, then sync files */
conf_mount_rw();
sync_snort_package_config();
conf_mount_ro();
- write_config("Snort pkg: modified global settings.");
-
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -206,7 +225,7 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td><input name="snortdownload" type="checkbox" id="snortdownload" value="on" onclick="enable_snort_vrt();"
- <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td>
+ <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?> /></td>
<td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td>
<tr>
<td>&nbsp;</td>
@@ -224,9 +243,9 @@ if ($input_errors)
</tr>
<tr>
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
- <td><input name="oinkmastercode" type="text"
- class="formfld unknown" id="oinkmastercode" size="52"
- value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>"><br/>
+ <td><input name="oinkmastercode" type="text"
+ class="formfld unknown" id="oinkmastercode" size="52"
+ value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" /><br/>
<?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td>
</tr>
</table>
@@ -236,8 +255,8 @@ if ($input_errors)
<td width="78%" class="vtable">
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
- <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
- <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked";?> ></td>
+ <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on"
+ <?php if ($pconfig['snortcommunityrules']=="on") echo "checked";?> /></td>
<td class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " .
"without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset.");?>
<br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
@@ -252,13 +271,13 @@ if ($input_errors)
<table width="100%" border="0" cellpadding="2" cellspacing="0">
<tr>
<td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="on" onclick="enable_et_rules();"
- <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>></td>
+ <?php if ($pconfig['emergingthreats']=="on") echo "checked"; ?> /></td>
<td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " .
"is more limited than ETPro."); ?></span></td>
</tr>
<tr>
<td valign="top" width="8%"><input name="emergingthreats_pro" type="checkbox" value="on" onclick="enable_etpro_rules();"
- <?php if ($config['installedpackages']['snortglobal']['emergingthreats_pro']=="on") echo "checked"; ?>></td>
+ <?php if ($pconfig['emergingthreats_pro']=="on") echo "checked"; ?>/></td>
<td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td>
</tr>
<tr>
@@ -282,13 +301,38 @@ if ($input_errors)
<td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
<td><input name="etpro_code" type="text"
class="formfld unknown" id="etpro_code" size="52"
- value="<?=htmlspecialchars($pconfig['etpro_code']);?>"><br/>
+ value="<?=htmlspecialchars($pconfig['etpro_code']);?>"/><br/>
<?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td>
</tr>
</table>
</td>
</tr>
-
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Install ") . "<strong>" . gettext("OpenAppID") . "</strong>" . gettext(" detectors");?></td>
+ <td width="78%" class="vtable">
+ <table width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tr>
+ <td valign="top" width="8%"><input name="openappid_detectors" type="checkbox" value="on" onclick="enable_openappid_dnload();"
+ <?php if ($pconfig['openappid_detectors']=="on") echo "checked";?> /></td>
+ <td class="vexpl"><?php echo gettext("The OpenAppID package contains the application signatures required by " .
+ "the AppID preprocessor.");?>
+ <br/><br/><?php echo "<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
+ gettext("You must enable download of the OpenAppID detectors package in order to utilize the Application ID ") .
+ gettext("preprocessor and any user-provided application detection rules. Once enabled, go to the ") .
+ "<a href='/snort/snort_download_updates.php'>" . gettext("UPDATES") . "</a>" . gettext(" tab and click to download updates.");?></td>
+ </tr>
+ <tbody id="openappid_rows">
+ <tr>
+ <td class="vexpl" colspan="2"><br/><strong><?=gettext("OpenAppID Detection Package");?></strong></td>
+ </tr>
+ <tr>
+ <td class="vexpl" valign="top"><strong><?=gettext("VER:");?></strong></td>
+ <td class="vexpl"><?=htmlspecialchars($openappid_ver);?></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+</tr>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Rules Update Settings"); ?></td>
</tr>
@@ -300,7 +344,7 @@ if ($input_errors)
$interfaces3 = array('never_up' => gettext('NEVER'), '6h_up' => gettext('6 HOURS'), '12h_up' => gettext('12 HOURS'), '1d_up' => gettext('1 DAY'), '4d_up' => gettext('4 DAYS'), '7d_up' => gettext('7 DAYS'), '28d_up' => gettext('28 DAYS'));
foreach ($interfaces3 as $iface3 => $ifacename3): ?>
<option value="<?=$iface3;?>"
- <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>>
+ <?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?> />
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
</select><span class="vexpl">&nbsp;&nbsp;<?php echo gettext("Please select the interval for rule updates. Choosing ") .
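Review bot: `<option>` is not a void element, so the `/>` introduced on the `<option value=...>` start tag here (and on the `rm_blocked` select in the `@@ -327,7 +371,7 @@` hunk) is incorrect markup: an HTML parser ignores the slash, but an XHTML parser would close the element before its label text and leave a stray `</option>`. Keep the plain `>` on these two tags: `<?php if ($iface3 == $pconfig['autorulesupdate7']) echo "selected"; ?>>`. The self-closing form is only right on the `<input>` tags changed elsewhere in this commit.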
@@ -310,7 +354,7 @@ if ($input_errors)
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Update Start Time"); ?></td>
<td width="78%" class="vtable"><input type="text" class="formfld time" name="rule_update_starttime" id="rule_update_starttime" size="4"
- maxlength="5" value="<?=htmlspecialchars($pconfig['rule_update_starttime']);?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?>><span class="vexpl">&nbsp;&nbsp;
+ maxlength="5" value="<?=htmlspecialchars($pconfig['rule_update_starttime']);?>" <?php if ($pconfig['autorulesupdate7'] == "never_up") {echo "disabled";} ?> /><span class="vexpl">&nbsp;&nbsp;
<?php echo gettext("Enter the rule update start time in 24-hour format (HH:MM). ") . "<strong>" .
gettext("Default") . "&nbsp;</strong>" . gettext("is ") . "<strong>" . gettext("00:05") . "</strong></span>"; ?>.<br/><br/>
<?php echo gettext("Rules will update at the interval chosen above starting at the time specified here. For example, using the default " .
@@ -327,7 +371,7 @@ if ($input_errors)
$interfaces3 = array('never_b' => gettext('NEVER'), '15m_b' => gettext('15 MINS'), '30m_b' => gettext('30 MINS'), '1h_b' => gettext('1 HOUR'), '3h_b' => gettext('3 HOURS'), '6h_b' => gettext('6 HOURS'), '12h_b' => gettext('12 HOURS'), '1d_b' => gettext('1 DAY'), '4d_b' => gettext('4 DAYS'), '7d_b' => gettext('7 DAYS'), '28d_b' => gettext('28 DAYS'));
foreach ($interfaces3 as $iface3 => $ifacename3): ?>
<option value="<?=$iface3;?>"
- <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?>>
+ <?php if ($iface3 == $pconfig['rm_blocked']) echo "selected"; ?> />
<?=htmlspecialchars($ifacename3);?></option>
<?php endforeach; ?>
</select>&nbsp;
@@ -336,21 +380,29 @@ if ($input_errors)
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Remove Blocked Hosts After Deinstall"); ?></td>
- <td width="78%" class="vtable"><input name="clearblocks" id="clearblocks" type="checkbox" value="yes"
- <?php if ($config['installedpackages']['snortglobal']['clearblocks']=="on") echo " checked"; ?>/>&nbsp;
+ <td width="78%" class="vtable"><input name="clearblocks" id="clearblocks" type="checkbox" value="yes"
+ <?php if ($pconfig['clearblocks']=="on") echo " checked"; ?> />&nbsp;
<?php echo gettext("All blocked hosts added by Snort will be removed during package deinstallation."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Keep Snort Settings After Deinstall"); ?></td>
<td width="78%" class="vtable"><input name="forcekeepsettings"
- id="forcekeepsettings" type="checkbox" value="yes"
- <?php if ($pconfig['forcekeepsettings']=="on") echo "checked"; ?>
- >&nbsp;&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
+ id="forcekeepsettings" type="checkbox" value="yes"
+ <?php if ($pconfig['forcekeepsettings']=="on") echo "checked"; ?> />
+ &nbsp;&nbsp;<?php echo gettext("Settings will not be removed during package deinstallation."); ?></td>
+</tr>
+<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Startup/Shutdown Logging"); ?></td>
+ <td width="78%" class="vtable"><input name="verbose_logging"
+ id="verbose_logging" type="checkbox" value="yes"
+ <?php if ($pconfig['verbose_logging']=="on") echo "checked"; ?> />
+ &nbsp;&nbsp;<?php echo gettext("Output detailed messages to the system log when Snort is starting and stopping. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>" . gettext("."); ?></td>
</tr>
<tr>
<td width="22%" valign="top">
<td width="78%">
- <input name="save" type="submit" class="formbtn" value="Save" >
+ <input name="save" type="submit" class="formbtn" value="Save" />
</td>
</tr>
<tr>
@@ -403,11 +455,20 @@ function enable_change_rules_upd() {
document.iform.rule_update_starttime.disabled="";
}
+function enable_openappid_dnload() {
+ var endis = document.iform.openappid_detectors.checked;
+ if (endis)
+ document.getElementById("openappid_rows").style.display = "";
+ else
+ document.getElementById("openappid_rows").style.display = "none";
+}
+
// Initialize the form controls state based on saved settings
enable_snort_vrt();
enable_et_rules();
enable_etpro_rules();
enable_change_rules_upd();
+enable_openappid_dnload();
//-->
</script>
diff --git a/config/snort/snort_ip_list_mgmt.php b/config/snort/snort_ip_list_mgmt.php
index 8311ea1c..20d486c6 100644
--- a/config/snort/snort_ip_list_mgmt.php
+++ b/config/snort/snort_ip_list_mgmt.php
@@ -152,6 +152,7 @@ if ($savemsg)
<input type="hidden" name="MAX_FILE_SIZE" value="100000000" />
<input type="hidden" name="iplist_fname" id="iplist_fname" value=""/>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tbody>
<tr><td>
<?php
$tab_array = array();
@@ -170,21 +171,19 @@ if ($savemsg)
?>
</td>
</tr>
-<tbody id="uploader" style="display: none;" class="tabcont">
- <tr>
- <td colspan="4" class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td>
- </tr>
- <tr>
- <td colspan="4" class="list"><input type="file" name="iprep_fileup" id="iprep_fileup" class="formfld file" size="50" />
- &nbsp;&nbsp;<input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>"
- title="<?=gettext("Upload selected IP list to firewall");?>"/>&nbsp;&nbsp;<input type="button"
- value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /><br/></td>
- <td class="list"></td>
- </tr>
-</tbody>
<tr>
<td>
<div id="mainarea">
+
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("IP Reputation is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ </tbody>
+ </table>
+ <?php else: ?>
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<colgroup>
<col style="width: 50%;">
@@ -223,6 +222,18 @@ if ($savemsg)
height="17" border="0" title="<?php echo gettext('Delete this IP List');?>"/></td>
</tr>
<?php endforeach; ?>
+ <tbody id="uploader" style="display: none;">
+ <tr>
+ <td colspan="4" class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td>
+ </tr>
+ <tr>
+ <td colspan="4" class="list"><input type="file" name="iprep_fileup" id="iprep_fileup" class="formfld file" size="50" />
+ &nbsp;&nbsp;<input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>"
+ title="<?=gettext("Upload selected IP list to firewall");?>"/>&nbsp;&nbsp;<input type="button"
+ value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /><br/></td>
+ <td colspan="4" class="list"></td>
+ </tr>
+ </tbody>
<tbody id="iplist_editor" style="<?=$iplist_edit_style;?>">
<tr>
<td colspan="4">&nbsp;</td>
@@ -267,9 +278,11 @@ if ($savemsg)
<td class="list"></td>
</tr>
</table>
+ <?php endif; ?>
</div>
</td>
</tr>
+</tbody>
</table>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_ip_reputation.php b/config/snort/snort_ip_reputation.php
index 891f3773..4c3065a0 100644
--- a/config/snort/snort_ip_reputation.php
+++ b/config/snort/snort_ip_reputation.php
@@ -204,6 +204,7 @@ if ($savemsg)
<?php endif; ?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
<tr>
<td>
<?php
@@ -239,6 +240,12 @@ if ($savemsg)
<tr>
<td><div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("IP Reputation is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("IP Reputation Preprocessor Configuration"); ?></td>
</tr>
@@ -368,9 +375,9 @@ if ($savemsg)
<td width="22%" valign='top' class='vncell'><?php echo gettext("Whitelist Files"); ?>
</td>
<td width="78%" class="vtable">
- <table width="95%" border="0" cellpadding="2" cellspacing="0">
<!-- wlist_chooser -->
<div id="wlistChooser" name="wlistChooser" style="display:none; border:1px dashed gray; width:98%;"></div>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
<colgroup>
<col style="text-align:left;">
<col style="width: 30%; text-align:left;">
@@ -411,12 +418,16 @@ if ($savemsg)
</table>
</td>
</tr>
+ <?php endif; ?>
+ </tbody>
</table>
</div>
</td>
</tr>
+ </tbody>
</table>
+<?php if ($g['platform'] != "nanobsd") : ?>
<script type="text/javascript">
Event.observe(
window, "load",
@@ -504,6 +515,7 @@ function wlistComplete(req) {
}
</script>
+<?php endif; ?>
</form>
<?php include("fend.inc"); ?>
diff --git a/config/snort/snort_log_mgmt.php b/config/snort/snort_log_mgmt.php
index 0e38afc2..33d94a04 100644
--- a/config/snort/snort_log_mgmt.php
+++ b/config/snort/snort_log_mgmt.php
@@ -57,6 +57,8 @@ $pconfig['sid_changes_log_limit_size'] = $config['installedpackages']['snortglob
$pconfig['sid_changes_log_retention'] = $config['installedpackages']['snortglobal']['sid_changes_log_retention'];
$pconfig['event_pkts_log_limit_size'] = '0';
$pconfig['event_pkts_log_retention'] = $config['installedpackages']['snortglobal']['event_pkts_log_retention'];
+$pconfig['appid_stats_log_limit_size'] = $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'];
+$pconfig['appid_stats_log_retention'] = $config['installedpackages']['snortglobal']['appid_stats_log_retention'];
// Load up some arrays with selection values (we use these later).
// The keys in the $retentions array are the retention period
@@ -86,6 +88,8 @@ if (!isset($pconfig['sid_changes_log_retention']))
$pconfig['sid_changes_log_retention'] = "336";
if (!isset($pconfig['event_pkts_log_retention']))
$pconfig['event_pkts_log_retention'] = "336";
+if (!isset($pconfig['appid_stats_log_retention']))
+ $pconfig['appid_stats_log_retention'] = "168";
// Set default log file size limits
if (!isset($pconfig['alert_log_limit_size']))
@@ -94,6 +98,8 @@ if (!isset($pconfig['stats_log_limit_size']))
$pconfig['stats_log_limit_size'] = "500";
if (!isset($pconfig['sid_changes_log_limit_size']))
$pconfig['sid_changes_log_limit_size'] = "250";
+if (!isset($pconfig['appid_stats_log_limit_size']))
+ $pconfig['appid_stats_log_limit_size'] = "1000";
if ($_POST['ResetAll']) {
@@ -102,11 +108,13 @@ if ($_POST['ResetAll']) {
$pconfig['stats_log_retention'] = "168";
$pconfig['sid_changes_log_retention'] = "336";
$pconfig['event_pkts_log_retention'] = "336";
+ $pconfig['appid_stats_log_retention'] = "168";
$pconfig['alert_log_limit_size'] = "500";
$pconfig['stats_log_limit_size'] = "500";
$pconfig['sid_changes_log_limit_size'] = "250";
$pconfig['event_pkts_log_limit_size'] = "0";
+ $pconfig['appid_stats_log_limit_size'] = "1000";
/* Log a message at the top of the page to inform the user */
$savemsg = gettext("All log management settings on this page have been reset to their defaults. Click APPLY if you wish to keep these new settings.");
@@ -148,6 +156,8 @@ if ($_POST["save"] || $_POST['apply']) {
$config['installedpackages']['snortglobal']['sid_changes_log_retention'] = $_POST['sid_changes_log_retention'];
$config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = $_POST['event_pkts_log_limit_size'];
$config['installedpackages']['snortglobal']['event_pkts_log_retention'] = $_POST['event_pkts_log_retention'];
+ $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] = $_POST['appid_stats_log_limit_size'];
+ $config['installedpackages']['snortglobal']['appid_stats_log_retention'] = $_POST['appid_stats_log_retention'];
write_config("Snort pkg: saved updated configuration for LOGS MGMT.");
conf_mount_rw();
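Review bot: The two new assignments store `$_POST['appid_stats_log_limit_size']` and `$_POST['appid_stats_log_retention']` into `$config` without checking that they are keys of the `$log_sizes` and `$retentions` arrays that populate the selects, so a crafted POST can persist an arbitrary string (the neighbouring existing lines have the same shape). If these values are later interpolated into a log-rotation command or config file, a whitelist check before the write closes that path, e.g. `if (!array_key_exists($_POST['appid_stats_log_limit_size'], $log_sizes)) $input_errors[] = gettext("Invalid appid-stats log size limit.");` and the same for the retention value. Where the values are consumed is outside this hunk, so treat that as something to confirm.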
@@ -307,7 +317,26 @@ if ($savemsg) {
</td>
<td class="listbg"><?=gettext("Snort alerts and event details");?></td>
</tr>
-
+ <tr>
+ <td class="listbg">appid-stats</td>
+ <td class="listr" align="center"><select name="appid_stats_log_limit_size" class="formselect" id="appid_stats_log_limit_size">
+ <?php foreach ($log_sizes as $k => $l): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['appid_stats_log_limit_size']) echo " selected"; ?>>
+ <?=htmlspecialchars($l);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listr" align="center"><select name="appid_stats_log_retention" class="formselect" id="appid_stats_log_retention">
+ <?php foreach ($retentions as $k => $p): ?>
+ <option value="<?=$k;?>"
+ <?php if ($k == $pconfig['appid_stats_log_retention']) echo " selected"; ?>>
+ <?=htmlspecialchars($p);?></option>
+ <?php endforeach; ?>
+ </select>
+ </td>
+ <td class="listbg"><?=gettext("Application ID statistics");?></td>
+ </tr>
<tr>
<td class="listbg">event pcaps</td>
<td class="listr" align="center"><select name="event_pkts_log_limit_size" class="formselect" id="event_pkts_log_limit_size">
@@ -324,7 +353,6 @@ if ($savemsg) {
</td>
<td class="listbg"><?=gettext("Snort alert related packet captures");?></td>
</tr>
-
<tr>
<td class="listbg">sid_changes</td>
<td class="listr" align="center"><select name="sid_changes_log_limit_size" class="formselect" id="sid_changes_log_limit_size">
diff --git a/config/snort/snort_migrate_config.php b/config/snort/snort_migrate_config.php
index a722d52b..12ae5d19 100644
--- a/config/snort/snort_migrate_config.php
+++ b/config/snort/snort_migrate_config.php
@@ -73,27 +73,52 @@ if (empty($config['installedpackages']['snortglobal']['snort_config_ver']) &&
/**********************************************************/
/* Create new Auto SID Mgmt settings if not set */
/**********************************************************/
- if (empty($config['installedpackages']['snortglobal']['auto_manage_sids'])) {
- $config['installedpackages']['snortglobal']['auto_manage_sids'] = "off";
- $updated_cfg = true;
- }
+if (empty($config['installedpackages']['snortglobal']['auto_manage_sids'])) {
+ $config['installedpackages']['snortglobal']['auto_manage_sids'] = "off";
+ $updated_cfg = true;
+}
/**********************************************************/
/* Create new LOG MGMT settings if not set */
/**********************************************************/
- if (empty($config['installedpackages']['snortglobal']['enable_log_mgmt'])) {
- $config['installedpackages']['snortglobal']['enable_log_mgmt'] = "on";
- $config['installedpackages']['snortglobal']['alert_log_limit_size'] = "500";
- $config['installedpackages']['snortglobal']['alert_log_retention'] = "336";
- $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = "0";
- $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = "336";
- $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = "250";
- $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = "336";
- $config['installedpackages']['snortglobal']['stats_log_limit_size'] = "500";
- $config['installedpackages']['snortglobal']['stats_log_retention'] = "168";
- $updated_cfg = true;
+if (empty($config['installedpackages']['snortglobal']['enable_log_mgmt'])) {
+ $config['installedpackages']['snortglobal']['enable_log_mgmt'] = "on";
+ $config['installedpackages']['snortglobal']['alert_log_limit_size'] = "500";
+ $config['installedpackages']['snortglobal']['alert_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] = "1000";
+ $config['installedpackages']['snortglobal']['appid_stats_log_retention'] = "168";
+ $config['installedpackages']['snortglobal']['event_pkts_log_limit_size'] = "0";
+ $config['installedpackages']['snortglobal']['event_pkts_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['sid_changes_log_limit_size'] = "250";
+ $config['installedpackages']['snortglobal']['sid_changes_log_retention'] = "336";
+ $config['installedpackages']['snortglobal']['stats_log_limit_size'] = "500";
+ $config['installedpackages']['snortglobal']['stats_log_retention'] = "168";
+ $updated_cfg = true;
+}
+if (empty($config['installedpackages']['snortglobal']['appid_stats_log_limit_size']))
+ $config['installedpackages']['snortglobal']['appid_stats_log_limit_size'] = "1000";
+if (empty($config['installedpackages']['snortglobal']['appid_stats_log_retention']))
+ $config['installedpackages']['snortglobal']['appid_stats_log_retention'] = "168";
+
+/**********************************************************/
+/* Create new VERBOSE_LOGGING setting if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['snortglobal']['verbose_logging'])) {
+ $config['installedpackages']['snortglobal']['verbose_logging'] = "off";
+ $updated_cfg = true;
}
+/**********************************************************/
+/* Create new OpenAppID settings if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['snortglobal']['openappid_detectors'])) {
+ $config['installedpackages']['snortglobal']['openappid_detectors'] = "off";
+ $updated_cfg = true;
+}
+
+/**********************************************************/
+/* Migrate per interface settings if required. */
+/**********************************************************/
foreach ($rule as &$r) {
// Initialize arrays for supported preprocessors if necessary
if (!is_array($r['frag3_engine']['item']))
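Review bot: The two standalone fallbacks for `appid_stats_log_limit_size` and `appid_stats_log_retention` (the `if (empty(...))` lines directly after the `enable_log_mgmt` block) set defaults but never set `$updated_cfg = true`, unlike every other default added in this hunk. On an upgraded install that already had log management enabled those are the only keys missing, so the defaults would be applied without the version bump and log message that `if ($updated_cfg)` gates further down. Wrap each in braces and add `$updated_cfg = true;`, matching the `verbose_logging` block that follows them.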
@@ -482,6 +507,24 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ // Default any unconfigured AppID preprocessor settings
+ if (empty($pconfig['appid_preproc'])) {
+ $pconfig['appid_preproc'] = 'off';
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sf_appid_mem_cap'])) {
+ $pconfig['sf_appid_mem_cap'] = '256';
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sf_appid_statslog'])) {
+ $pconfig['sf_appid_statslog'] = 'on';
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['sf_appid_stats_period'])) {
+ $pconfig['sf_appid_stats_period'] = '300';
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
@@ -490,8 +533,7 @@ unset($r);
// Log a message if we changed anything
if ($updated_cfg) {
- $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.5";
- log_error("[Snort] Saving configuration settings in new format...");
+ $config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2";
log_error("[Snort] Settings successfully migrated to new configuration format...");
}
else
diff --git a/config/snort/snort_post_install.php b/config/snort/snort_post_install.php
index 5009a8b3..57e92ce5 100644
--- a/config/snort/snort_post_install.php
+++ b/config/snort/snort_post_install.php
@@ -41,35 +41,12 @@
require_once("config.inc");
require_once("functions.inc");
require_once("/usr/local/pkg/snort/snort.inc");
+require("/usr/local/pkg/snort/snort_defs.inc");
global $config, $g, $rebuild_rules, $pkg_interface, $snort_gui_include;
-/****************************************
- * Define any new constants here that *
- * may not be yet defined in the old *
- * "snort.inc" include file that might *
- * be cached and used by the package *
- * manager installation code. *
- * *
- * This is a hack to work around the *
- * fact the old version of suricata.inc *
- * is cached and used instead of the *
- * updated version icluded with the *
- * updated GUI package. *
- ****************************************/
-if (!defined('SNORT_SID_MODS_PATH'))
- define('SNORT_SID_MODS_PATH', "{$g['vardb_path']}/snort/sidmods/");
-
-if (!defined('SNORT_ENFORCING_RULES_FILENAME'))
- define("SNORT_ENFORCING_RULES_FILENAME", "snort.rules");
-
-/****************************************
- * End of PHP caching workaround *
- ****************************************/
-
$snortdir = SNORTDIR;
$snortlogdir = SNORTLOGDIR;
-$snortlibdir = SNORTLIBDIR;
$rcdir = RCFILEPREFIX;
$flowbit_rules_file = FLOWBITS_FILENAME;
$snort_enforcing_rules_file = SNORT_ENFORCING_RULES_FILENAME;
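Review bot: The new `require("/usr/local/pkg/snort/snort_defs.inc");` uses `require` while the neighbouring includes use `require_once`. If `snort_defs.inc` is also pulled in by `snort.inc` (the removed comment suggests the old cached include was the reason constants were defined here by hand) and it defines constants with plain `define()`, loading it a second time produces "Constant already defined" notices; `require_once("/usr/local/pkg/snort/snort_defs.inc");` gives the same guarantee that the definitions are present without that risk. Whether the constants in that file are guarded with `defined()` cannot be seen from this hunk.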
@@ -101,6 +78,7 @@ conf_mount_rw();
@rename("{$snortdir}/threshold.conf-sample", "{$snortdir}/threshold.conf");
@rename("{$snortdir}/sid-msg.map-sample", "{$snortdir}/sid-msg.map");
@rename("{$snortdir}/unicode.map-sample", "{$snortdir}/unicode.map");
+@rename("{$snortdir}/file_magic.conf-sample", "{$snortdir}/file_magic.conf");
@rename("{$snortdir}/classification.config-sample", "{$snortdir}/classification.config");
@rename("{$snortdir}/generators-sample", "{$snortdir}/generators");
@rename("{$snortdir}/reference.config-sample", "{$snortdir}/reference.config");
@@ -123,6 +101,7 @@ unlink_if_exists("{$rcdir}barnyard2");
safe_mkdir(SNORTLOGDIR);
safe_mkdir(SNORT_IPREP_PATH);
safe_mkdir(SNORT_SID_MODS_PATH);
+safe_mkdir(SNORT_APPID_ODP_PATH);
/* If installed, absorb the Snort Dashboard Widget into this package */
/* by removing it as a separately installed package. */
@@ -263,8 +242,8 @@ if (stristr($config['widgets']['sequence'], "snort_alerts-container") === FALSE)
$config['widgets']['sequence'] .= ",{$snort_widget_container}";
/* Update Snort package version in configuration */
-$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.1.5";
-write_config("Snort pkg v3.1.5: post-install configuration saved.");
+$config['installedpackages']['snortglobal']['snort_config_ver'] = "3.2";
+write_config("Snort pkg v3.2: post-install configuration saved.");
/* Done with post-install, so clear flag */
unset($g['snort_postinstall']);
diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php
index 75e4902d..9f6879ef 100755
--- a/config/snort/snort_preprocessors.php
+++ b/config/snort/snort_preprocessors.php
@@ -341,6 +341,10 @@ if ($_POST['ResetAll']) {
$pconfig['smtp_log_rcpt_to'] = 'on';
$pconfig['smtp_log_filename'] = 'on';
$pconfig['smtp_log_email_hdrs'] = 'on';
+ $pconfig['appid_preproc'] = "off";
+ $pconfig['sf_appid_mem_cap'] = "256";
+ $pconfig['sf_appid_statslog'] = "on";
+ $pconfig['sf_appid_stats_period'] = "300";
$pconfig['sf_portscan'] = "off";
$pconfig['pscan_protocol'] = "all";
$pconfig['pscan_type'] = "all";
@@ -439,6 +443,14 @@ if ($_POST['save']) {
$input_errors[] = gettext("The value for SMTP Decoder E-Mail Headers Log Depth must be between 0 and 20,480.");
}
+ // Validate AppID parameter values if AppID Detector is enabled
+ if ($_POST['appid_preproc'] == 'on') {
+ if ($_POST['sf_appid_mem_cap'] < 32 || $_POST['sf_appid_mem_cap'] > 3000)
+ $input_errors[] = gettext("The value for Application ID Memory Cap must be between 32 and 3000.");
+ if ($_POST['sf_appid_stats_period'] < 60 || $_POST['sf_appid_stats_period'] > 3600)
+ $input_errors[] = gettext("The value for Application ID Stats Period must be between 60 and 3600.");
+ }
+
/* if no errors write to conf */
if (!$input_errors) {
/* post new options */
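Review bot: The range checks for `sf_appid_mem_cap` and `sf_appid_stats_period` run only when `appid_preproc` is on, but the following hunk (`@@ -481,6 +493,8 @@`) saves both values whenever they are non-empty, so an out-of-range value submitted with the preprocessor disabled is persisted and takes effect once it is later enabled. The comparisons are also numeric against raw strings, so `100abc` passes as 100 yet is stored verbatim. Validate whenever a value is present and require a number, e.g. `if (!is_numeric($_POST['sf_appid_mem_cap']) || $_POST['sf_appid_mem_cap'] < 32 || $_POST['sf_appid_mem_cap'] > 3000)`, with the same shape for the stats period. The enclosing `if ($_POST['save'])` block begins outside this hunk.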
@@ -481,6 +493,8 @@ if ($_POST['save']) {
if ($_POST['smtp_bitenc_decode_depth'] != "") { $natent['smtp_bitenc_decode_depth'] = $_POST['smtp_bitenc_decode_depth']; }else{ $natent['smtp_bitenc_decode_depth'] = "0"; }
if ($_POST['smtp_uu_decode_depth'] != "") { $natent['smtp_uu_decode_depth'] = $_POST['smtp_uu_decode_depth']; }else{ $natent['smtp_uu_decode_depth'] = "0"; }
if ($_POST['smtp_email_hdrs_log_depth'] != "") { $natent['smtp_email_hdrs_log_depth'] = $_POST['smtp_email_hdrs_log_depth']; }else{ $natent['smtp_email_hdrs_log_depth'] = "1464"; }
+ if ($_POST['sf_appid_mem_cap'] != "") { $natent['sf_appid_mem_cap'] = $_POST['sf_appid_mem_cap']; }else{ $natent['sf_appid_mem_cap'] = "256"; }
+ if ($_POST['sf_appid_stats_period'] != "") { $natent['sf_appid_stats_period'] = $_POST['sf_appid_stats_period']; }else{ $natent['sf_appid_stats_period'] = "300"; }
// Set SDF inspection types
$natent['sdf_alert_data_type'] = implode(",",$_POST['sdf_alert_data_type']);
@@ -525,6 +539,8 @@ if ($_POST['save']) {
$natent['stream5_track_tcp'] = $_POST['stream5_track_tcp'] ? 'on' : 'off';
$natent['stream5_track_udp'] = $_POST['stream5_track_udp'] ? 'on' : 'off';
$natent['stream5_track_icmp'] = $_POST['stream5_track_icmp'] ? 'on' : 'off';
+ $natent['appid_preproc'] = $_POST['appid_preproc'] ? 'on' : 'off';
+ $natent['sf_appid_statslog'] = $_POST['sf_appid_statslog'] ? 'on' : 'off';
if (isset($id) && isset($a_nat[$id])) {
$a_nat[$id] = $natent;
@@ -685,14 +701,14 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Performance Stats"); ?></td>
<td width="78%" class="vtable"><input name="perform_stat" type="checkbox" value="on"
- <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['perform_stat']=="on") echo "checked"; ?>/>
<?php echo gettext("Collect Performance Statistics for this interface."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Protect Customized Preprocessor Rules"); ?></td>
<td width="78%" class="vtable"><input name="protect_preproc_rules" type="checkbox" value="on"
<?php if ($pconfig['protect_preproc_rules']=="on") echo "checked ";
- if ($vrt_enabled <> 'on') echo "disabled"; ?>>
+ if ($vrt_enabled <> 'on') echo "disabled"; ?>/>
<?php echo gettext("Check this box if you maintain customized preprocessor text rules files for this interface."); ?>
<table width="100%" border="0" cellpadding="2" cellpadding="2">
<tr>
@@ -709,7 +725,7 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Auto Rule Disable"); ?></td>
<td width="78%" class="vtable"><input name="preproc_auto_rule_disable" type="checkbox" value="on"
- <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['preproc_auto_rule_disable']=="on") echo "checked"; ?>/>
<?php echo gettext("Auto-disable text rules dependent on disabled preprocessors for this interface. ");
echo gettext("Default is ") . '<strong>' . gettext("Not Checked"); ?></strong>.<br/>
<table width="100%" border="0" cellpadding="2" cellpadding="2">
@@ -739,7 +755,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="host_attribute_table"
type="checkbox" value="on" id="host_attribute_table" onclick="host_attribute_table_enable_change();"
- <?php if ($pconfig['host_attribute_table']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['host_attribute_table']=="on") echo "checked"; ?>/>
<?php echo gettext("Use a Host Attribute Table file to auto-configure applicable preprocessors. " .
"Default is "); ?><strong><?php echo gettext("Not Checked"); ?></strong>.</td>
</tr>
@@ -823,7 +839,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect"
type="checkbox" value="on" id="http_inspect" onclick="http_inspect_enable_change();"
- <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>>
+ <?php if ($pconfig['http_inspect']=="on" || empty($pconfig['http_inspect'])) echo "checked";?>/>
<?php echo gettext("Use HTTP Inspect to Normalize/Decode and detect HTTP traffic and protocol anomalies. Default is ");?>
<strong><?php echo gettext("Checked"); ?></strong>.</td>
</tr>
@@ -831,7 +847,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Proxy Alert"); ?></td>
<td width="78%" class="vtable"><input name="http_inspect_proxy_alert"
type="checkbox" value="on" id="http_inspect_proxy_alert"
- <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>>
+ <?php if ($pconfig['http_inspect_proxy_alert']=="on") echo "checked";?>/>
<?php echo gettext("Enable global alerting on HTTP server proxy usage. Default is ");?>
<strong><?php echo gettext("Not Checked"); ?></strong>.<br/><br/><span class="red"><strong>
<?php echo gettext("Note: ") . "</strong></span>" . gettext("By adding Server Configurations below and enabling " .
@@ -916,7 +932,7 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable");?></td>
<td width="78%" class="vtable"><input name="frag3_detection" type="checkbox" value="on" onclick="frag3_enable_change();"
- <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>>
+ <?php if ($pconfig['frag3_detection']=="on") echo "checked";?>/>
<?php echo gettext("Use Frag3 Engine to detect IDS evasion attempts via target-based IP packet fragmentation. Default is ") .
"<strong>" . gettext("Checked") . "</strong>.";?></td>
</tr>
@@ -984,14 +1000,14 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="stream5_reassembly" type="checkbox" value="on" onclick="stream5_enable_change();"
- <?php if ($pconfig['stream5_reassembly']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_reassembly']=="on") echo "checked"; ?>/>
<?php echo gettext("Use Stream5 session reassembly for TCP, UDP and/or ICMP traffic. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr id="stream5_flushonalert_row">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Flush On Alert"); ?></td>
<td width="78%" class="vtable"><input name="stream5_flush_on_alert" type="checkbox" value="on"
- <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['stream5_flush_on_alert']=="on") echo "checked"; ?>/>
<?php echo gettext("Flush a TCP stream when an alert is generated on that stream. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong><br/><span class=\"red\"><strong>" .
gettext("Note: ") . "</strong></span>" . gettext("This parameter is for backwards compatibility.");?></td>
@@ -1135,6 +1151,53 @@ if ($savemsg) {
</table>
</td>
</tr>
+
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Application ID Detection"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
+ <td width="78%" class="vtable"><input name="appid_preproc" onclick="appid_preproc_enable_change();"
+ type="checkbox" value="on" id="appid_preproc"
+ <?php if ($pconfig['appid_preproc']=="on") echo "checked"; ?>/>
+ <?php echo gettext("Use OpenAppID to detect various applications. Default is ") .
+ "<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
+ </tr>
+ <tbody id="appid_rows">
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("Memory Cap"); ?></td>
+ <td class="vtable">
+ <input name="sf_appid_mem_cap" type="text" class="formfld unknown" id="sf_appid_mem_cap" size="9"
+ value="<?=htmlspecialchars($pconfig['sf_appid_mem_cap']);?>">
+ <?php echo gettext("Memory for App ID structures. Min is ") . "<strong>" . gettext("32") . "</strong>" .
+ gettext(" (32 MB) and Max is ") . "<strong>" . gettext("3000") . "</strong>" .
+ gettext(" (3 GB) bytes.");?><br/>
+ <?php echo gettext("The memory cap in megabytes used by AppID internal structures " .
+ "in RAM. Default value is ") . "<strong>" . gettext("256") . "</strong>" . gettext(" (256 MB)."); ?><br/>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("AppID Stats Logging"); ?></td>
+ <td width="78%" class="vtable">
+ <input name="sf_appid_statslog" type="checkbox" value="on" id="sf_appid_statslog"
+ <?php if ($pconfig['sf_appid_statslog']=="on") echo "checked"; ?>/>
+ <?php echo gettext("Enable OpenAppID statistics logging. Default is ") .
+ "<strong>" . gettext("Checked") . "</strong>" . gettext("."); ?><br/><br/>
+ <span class="red"><strong><?php echo gettext("Note: ") . "</strong></span>" . gettext("log size and retention limits for AppID Stats Logging") .
+ gettext(" can be set on the ") . "<a href='/snort/snort_log_mgmt.php'>" . gettext("LOG MGMT") . "</a>" . gettext(" tab.");?> </td>
+ </tr>
+ <tr>
+ <td valign="top" class="vncell"><?php echo gettext("AppID Stats Period"); ?></td>
+ <td class="vtable">
+ <input name="sf_appid_stats_period" type="text" class="formfld unknown" id="sf_appid_stats_period" size="9"
+ value="<?=htmlspecialchars($pconfig['sf_appid_stats_period']);?>">
+ <?php echo gettext("Bucket size in seconds for AppID stats. Min is ") . "<strong>" . gettext("60") . "</strong>" .
+ gettext(" (1 minute) and Max is ") . "<strong>" . gettext("3600") . "</strong>" . gettext(" (1 hour).");?><br/>
+ <?php echo gettext("The bucket size in seconds used to collecxt AppID statistics. " .
+ "Default value is ") . "<strong>" . gettext("300") . "</strong>" . gettext(" (5 minutes)."); ?><br/>
+ </td>
+ </tr>
+ </tbody>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("Portscan Detection"); ?></td>
</tr>
@@ -1142,7 +1205,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable"); ?></td>
<td width="78%" class="vtable"><input name="sf_portscan" onclick="sf_portscan_enable_change();"
type="checkbox" value="on" id="sf_portscan"
- <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['sf_portscan']=="on") echo "checked"; ?>/>
<?php echo gettext("Use Portscan Detection to detect various types of port scans and sweeps. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1287,14 +1350,14 @@ if ($savemsg) {
<tr id="ftp_telnet_row_encrypted_check">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Check Encrypted Traffic"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_check_encrypted" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_check_encrypted']=="on") echo "checked"; ?>/>
<?php echo gettext("Continue to check an encrypted session for subsequent command to cease encryption. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr id="ftp_telnet_row_encrypted_alert">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Alert on Encrypted Commands"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_alert_encrypted" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_alert_encrypted']=="on") echo "checked"; ?>/>
<?php echo gettext("Alert on encrypted FTP and Telnet command channels. Default is ") .
"<strong>" . gettext("Not Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1304,14 +1367,14 @@ if ($savemsg) {
<tr id="ftp_telnet_row_normalize">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Normalization"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_normalize" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_normalize']=="on") echo "checked"; ?>/>
<?php echo gettext("Normalize Telnet traffic by eliminating Telnet escape sequences. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr id="ftp_telnet_row_detect_anomalies">
<td width="22%" valign="top" class="vncell"><?php echo gettext("Detect Anomalies"); ?></td>
<td width="78%" class="vtable"><input name="ftp_telnet_detect_anomalies" type="checkbox" value="on"
- <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ftp_telnet_detect_anomalies']=="on") echo "checked"; ?>/>
<?php echo gettext("Alert on Telnet subnegotiation begin without corresponding subnegotiation end. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1423,7 +1486,7 @@ if ($savemsg) {
echo "checked";
elseif ($vrt_enabled == "off")
echo "disabled";
- ?>>
+ ?>/>
<?php echo gettext("Sensitive data searches for credit card numbers, Social Security numbers and e-mail addresses in data."); ?>
<br/>
<span class="red"><strong><?php echo gettext("Note: "); ?></strong></span><?php echo gettext("To enable this preprocessor, you must select the Snort VRT rules on the ") .
@@ -1458,7 +1521,7 @@ if ($savemsg) {
<input name="sdf_mask_output" type="checkbox" value="on"
<?php if ($pconfig['sdf_mask_output'] == "on")
echo "checked";
- ?>>
+ ?>/>
<?php echo gettext("Replace all but last 4 digits of PII with \"X\"s on credit card and Social Security Numbers. ") .
gettext("Default is ") . "<strong>" . gettext("Not Checked") . "</strong>."; ?>
</td>
@@ -1756,40 +1819,40 @@ if ($savemsg) {
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable RPC Decode and Back Orifice detector"); ?></td>
<td width="78%" class="vtable"><input name="other_preprocs" type="checkbox" value="on"
- <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['other_preprocs']=="on") echo "checked"; ?>/>
<?php echo gettext("Normalize/Decode RPC traffic and detects Back Orifice traffic on the network. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DCE/RPC2 Detection"); ?></td>
<td width="78%" class="vtable"><input name="dce_rpc_2" type="checkbox" value="on"
- <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['dce_rpc_2']=="on") echo "checked"; ?>/>
<?php echo gettext("The DCE/RPC preprocessor detects and decodes SMB and DCE/RPC traffic. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SIP Detection"); ?></td>
<td width="78%" class="vtable"><input name="sip_preproc" type="checkbox" value="on"
- <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['sip_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("The SIP preprocessor decodes SIP traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable GTP Detection"); ?></td>
<td width="78%" class="vtable"><input name="gtp_preproc" type="checkbox" value="on"
- <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['gtp_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSH Detection"); ?></td>
<td width="78%" class="vtable"><input name="ssh_preproc" type="checkbox" value="on"
- <?php if ($pconfig['ssh_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ssh_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("The SSH preprocessor detects various Secure Shell exploit attempts."); ?></td>
</tr>
<tr>
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td>
<td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on"
- <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>/>
<?php echo gettext("The DNS preprocessor decodes DNS response traffic and detects vulnerabilities. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1797,7 +1860,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSL Data"); ?></td>
<td width="78%" class="vtable">
<input name="ssl_preproc" type="checkbox" value="on"
- <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['ssl_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("SSL data searches for irregularities during SSL protocol exchange. Default is ") .
"<strong>" . gettext("Checked") . "</strong>"; ?>.</td>
</tr>
@@ -1808,7 +1871,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable Modbus Detection"); ?></td>
<td width="78%" class="vtable">
<input name="modbus_preproc" type="checkbox" value="on"
- <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['modbus_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("Modbus is a protocol used in SCADA networks. The default port is TCP 502.") . "<br/>" .
"<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
gettext("If your network does not contain Modbus-enabled devices, you can leave this preprocessor disabled."); ?>
@@ -1818,7 +1881,7 @@ if ($savemsg) {
<td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNP3 Detection"); ?></td>
<td width="78%" class="vtable">
<input name="dnp3_preproc" type="checkbox" value="on"
- <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?>>
+ <?php if ($pconfig['dnp3_preproc']=="on") echo "checked"; ?>/>
<?php echo gettext("DNP3 is a protocol used in SCADA networks. The default port is TCP 20000.") . "<br/>" .
"<span class=\"red\"><strong>" . gettext("Note: ") . "</strong></span>" .
gettext("If your network does not contain DNP3-enabled devices, you can leave this preprocessor disabled."); ?>
@@ -1833,7 +1896,7 @@ if ($savemsg) {
<input name="ResetAll" type="submit" class="formbtn" value="Reset" title="<?php echo
gettext("Reset all settings to defaults") . "\" onclick=\"return confirm('" .
gettext("WARNING: This will reset ALL preprocessor settings to their defaults. Click OK to continue or CANCEL to quit.") .
- "');\""; ?>></td>
+ "');\""; ?>/></td>
</tr>
<tr>
<td width="22%" valign="top">&nbsp;</td>
@@ -1978,12 +2041,20 @@ function http_inspect_enable_change() {
var endis = !(document.iform.http_inspect.checked);
document.iform.http_inspect_memcap.disabled=endis;
- // Hide the "icmp session timeout " row if stream5_track_icmp disabled
- if (endis) {
- document.getElementById("httpinspect_memcap_row").style.display="none";
- document.getElementById("httpinspect_maxgzipmem_row").style.display="none";
- document.getElementById("httpinspect_proxyalert_row").style.display="none";
- document.getElementById("httpinspect_engconf_row").style.display="none";
+ if (!document.iform.http_inspect.checked) {
+ var msg = "WARNING: Disabling the http_inspect preprocessor is not recommended!\n\n";
+ msg = msg + "Snort may fail to start because of other dependent preprocessors or ";
+ msg = msg + "rule options. Are you sure you want to disable it?\n\n";
+ msg = msg + "Click OK to disable http_inspect, or CANCEL to quit.";
+ if (!confirm(msg)) {
+ document.iform.http_inspect.checked=true;
+ }
+ else {
+ document.getElementById("httpinspect_memcap_row").style.display="none";
+ document.getElementById("httpinspect_maxgzipmem_row").style.display="none";
+ document.getElementById("httpinspect_proxyalert_row").style.display="none";
+ document.getElementById("httpinspect_engconf_row").style.display="none";
+ }
}
else {
document.getElementById("httpinspect_memcap_row").style.display="table-row";
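Review bot: When the administrator cancels the new confirm dialog, the memcap input stays disabled: `document.iform.http_inspect_memcap.disabled=endis;` runs before the dialog with `endis` already true, and the cancel branch only restores the checkbox. Make the disabled state follow the final checkbox state, e.g. add `document.iform.http_inspect_memcap.disabled=false;` next to `document.iform.http_inspect.checked=true;`, or move the disable line after the confirm as `document.iform.http_inspect_memcap.disabled = !document.iform.http_inspect.checked;`. The function `http_inspect_enable_change` continues past the end of this hunk.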
@@ -2013,6 +2084,16 @@ function sf_portscan_enable_change() {
}
}
+function appid_preproc_enable_change() {
+ var endis = !(document.iform.appid_preproc.checked);
+
+ // Hide the AppID configuration rows if appid_preproc disabled
+ if (endis)
+ document.getElementById("appid_rows").style.display="none";
+ else
+ document.getElementById("appid_rows").style.display="";
+}
+
function stream5_enable_change() {
if (!document.iform.stream5_reassembly.checked) {
var msg = "WARNING: Stream5 is a critical preprocessor, and disabling it is not recommended! ";
@@ -2020,7 +2101,8 @@ function stream5_enable_change() {
msg = msg + " SMTP\t\tPOP\t\tSIP\n";
msg = msg + " SENSITIVE_DATA\tSF_PORTSCAN\tDCE/RPC 2\n";
msg = msg + " IMAP\t\tDNS\t\tSSL\n";
- msg = msg + " GTP\t\tDNP3\t\tMODBUS\n\n";
+ msg = msg + " GTP\t\tDNP3\t\tMODBUS\n";
+ msg = msg + " APP_ID\n\n";
msg = msg + "Snort may fail to start because of other preprocessors or rule options dependent on Stream5. ";
msg = msg + "Are you sure you want to disable it?\n\n";
msg = msg + "Click OK to disable Stream5, or CANCEL to quit.";
@@ -2039,6 +2121,7 @@ function stream5_enable_change() {
document.iform.dns_preprocessor.checked=false;
document.iform.modbus_preproc.checked=false;
document.iform.dnp3_preproc.checked=false;
+ document.iform.appid_preproc.checked=false;
document.iform.sf_portscan.checked=false;
sf_portscan_enable_change();
}
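Review bot: The added `document.iform.appid_preproc.checked=false;` clears the checkbox but, unlike the `sf_portscan` line directly below it which is followed by `sf_portscan_enable_change();`, never calls `appid_preproc_enable_change();`, so the AppID memory-cap and stats rows stay visible while the feature is unchecked. Add `appid_preproc_enable_change();` right after the new line. The enclosing `stream5_enable_change` function starts and ends outside this hunk.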
@@ -2147,6 +2230,7 @@ function smtp_enable_change() {
function enable_change_all() {
http_inspect_enable_change();
sf_portscan_enable_change();
+ appid_preproc_enable_change();
// -- Enable/Disable Host Attribute Table settings --
host_attribute_table_enable_change();
diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php
index 681c691f..b9050b35 100755
--- a/config/snort/snort_rules.php
+++ b/config/snort/snort_rules.php
@@ -36,6 +36,7 @@ require_once("/usr/local/pkg/snort/snort.inc");
global $g, $rebuild_rules;
$snortdir = SNORTDIR;
+$snortbindir = SNORT_PBI_BINDIR;
$rules_map = array();
$categories = array();
$pconfig = array();
@@ -400,7 +401,7 @@ elseif ($_POST['save']) {
$rebuild_rules = false;
$output = "";
$retcode = "";
- exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode);
+ exec("{$snortbindir}snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode);
if (intval($retcode) != 0) {
$error = "";
$start = count($output);
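Review bot: The `snort -T` command line is still assembled by string interpolation, so `{$snortbindir}snort` silently depends on `SNORT_PBI_BINDIR` ending in a slash (the constant is defined outside this file), and `{$snort_uuid}`/`{$if_real}` reach the shell unquoted. Even though both appear to come from stored configuration rather than from the request, quoting the path is free defence in depth: `exec("{$snortbindir}snort -T -c " . escapeshellarg("{$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf") . " 2>&1", $output, $retcode);`. The enclosing save handler begins and ends outside the hunk.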
@@ -412,8 +413,7 @@ elseif ($_POST['save']) {
else {
/* Soft-restart Snort to live-load new rules */
snort_reload_config($a_rule[$id]);
- $savemsg = gettext("Custom rules validated successfully and have been saved to the Snort configuration files. ");
- $savemsg .= gettext("Any active Snort process on this interface has been signalled to live-load the new rules.");
+ $savemsg = gettext("Custom rules validated successfully and any active Snort process on this interface has been signalled to live-load the new rules.");
}
clear_subsystem_dirty('snort_rules');
@@ -443,6 +443,9 @@ else if ($_POST['apply']) {
// Sync to configured CARP slaves if any are enabled
snort_sync_on_changes();
+
+ if (snort_is_running($snort_uuid, $if_real))
+ $savemsg = gettext("Snort is 'live-reloading' the new rule set.");
}
include_once("head.inc");
diff --git a/config/snort/snort_sid_mgmt.php b/config/snort/snort_sid_mgmt.php
index ea1a5b99..016cc96d 100644
--- a/config/snort/snort_sid_mgmt.php
+++ b/config/snort/snort_sid_mgmt.php
@@ -294,6 +294,11 @@ if ($savemsg) {
<div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("SID auto-management is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
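Review bot: Gating on `$g['platform'] == "nanobsd"` here only hides the form; the `$_POST['save']` handler earlier in this file (outside the hunk) will still accept and store SID-management settings from a hand-crafted POST unless it performs the same platform test. If the feature is genuinely unsupported on NanoBSD, add the matching guard where the POST is processed, e.g. `if ($g['platform'] == "nanobsd") $input_errors[] = gettext("SID auto-management is not supported on NanoBSD installs.");` before anything is written. The table this row belongs to begins outside the hunk.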
@@ -568,6 +573,7 @@ if ($savemsg) {
&nbsp;&nbsp;<?=gettext("Remember to save changes before exiting this page"); ?>
</td>
</tr>
+ <?php endif; ?>
</tbody>
</table>
</div>
@@ -576,8 +582,9 @@ if ($savemsg) {
</table>
</form>
-
<?php include("fend.inc"); ?>
+
+<?php if ($g['platform'] != "nanobsd") : ?>
<script type="text/javascript">
function enable_sid_conf() {
@@ -593,5 +600,7 @@ function enable_sid_conf() {
enable_sid_conf();
</script>
+<?php endif; ?>
+
</body>
</html>
diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc
index 1332f220..152d3d12 100755
--- a/config/squid3/33/squid_reverse.inc
+++ b/config/squid3/33/squid_reverse.inc
@@ -58,8 +58,27 @@ function squid_resync_reverse() {
$reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
}
}
+ }
+ //Add Ca certificate for Client Validation
+ if (isset($settings["reverse_check_clientca"]) && $settings["reverse_check_clientca"] == "on") {
+ $clientca_cert=lookup_ca($settings["reverse_ssl_clientca"]);
+ $clientca_prm='';
+ if ( $clientca_cert != false){
+ if(base64_decode($clientca_cert['crt'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientca"]}.crt",sq_text_area_decode($clientca_cert['crt']));
+ $clientca_prm = "clientca=" . SQUID_CONFBASE . "/{$settings["reverse_ssl_clientca"]}.crt ";
+ }
+ }
+ $crl=lookup_crl($settings["reverse_ssl_clientcrl"]);
+ crl_update($crl);
+ if ( $crl != false){
+ if(base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl",base64_decode($crl['text']));
+ $clientca_prm .= "crlfile=" . SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl sslflags=VERIFY_CRL ";
+ }
+ }
}
-
+
if (!empty($settings['reverse_int_ca']))
file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
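Review bot: The client-certificate branch fails open: if `lookup_ca()` returns false or the stored `crt` does not decode, `$clientca_prm` stays empty and, via the `https_port` line later in this function, Squid is started with no client-certificate requirement although `reverse_check_clientca` is on. Fail loudly rather than continuing, e.g. add an `else` after the `base64_decode($clientca_cert['crt'])` test: `log_error("Squid reverse proxy: client CA certificate could not be loaded; client authentication is NOT being enforced.");` and consider aborting the config write. Separately, `crl_update($crl);` runs before the `$crl != false` test, so a missing CRL selection passes `false` into it; move the call inside the `if`. `squid_resync_reverse()` starts and ends outside this hunk.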
@@ -82,7 +101,7 @@ function squid_resync_reverse() {
$conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
//HTTPS
if (!empty($settings['reverse_https']))
- $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} ".$clientca_prm."key={$reverse_key} defaultsite={$https_defsite} vhost\n";
}
}
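Review bot: `$clientca_prm` is only assigned inside the `reverse_check_clientca` branch earlier in `squid_resync_reverse()`, so when that option is off the new `https_port` line interpolates an undefined variable — a PHP notice, and an empty string by accident rather than design. Initialise it unconditionally before that branch: `$clientca_prm = '';`. The function begins and ends outside this hunk.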
@@ -242,4 +261,17 @@ function squid_resync_reverse() {
return $conf;
}
+function squid_refresh_crl()
+{
+ global $config;
+ if (isset($settings["reverse_check_clientca"]) && $settings["reverse_check_clientca"] == "on") {
+ $crl=lookup_crl($settings["reverse_ssl_clientcrl"]);
+ crl_update($crl);
+ if ( $crl != false){
+ if(base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl",base64_decode($crl['text']));
+ }
+ }
+ }
+}
?>
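Review bot: `squid_refresh_crl()` can never refresh anything: it declares `global $config;` but reads `$settings`, which is undefined inside the function, so `isset($settings["reverse_check_clientca"])` is always false and the CRL file is never rewritten. Load the reverse-proxy settings the same way `squid_resync_reverse()` does (its `$settings` assignment is outside this hunk) before the `if`, and move `crl_update($crl);` under the `$crl != false` check as in the resync path. As written, a certificate revoked after the last full resync keeps being accepted by the reverse proxy.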
diff --git a/config/squid3/33/squid_reverse_general.xml b/config/squid3/33/squid_reverse_general.xml
index 1795edf5..6969ae6a 100755
--- a/config/squid3/33/squid_reverse_general.xml
+++ b/config/squid3/33/squid_reverse_general.xml
@@ -193,6 +193,33 @@
<type>checkbox</type>
<default_value>on</default_value>
</field>
+ <field>
+ <fielddescr>Check Client certificate</fielddescr>
+ <fieldname>reverse_check_clientca</fieldname>
+ <description>If this field is checked, Client certificate will be checked.</description>
+ <type>checkbox</type>
+ <default_value>off</default_value>
+ </field>
+
+ <field>
+ <fielddescr>CA Client certificate</fielddescr>
+ <fieldname>reverse_ssl_clientca</fieldname>
+ <description>Choose CA certificate to authenticate clients.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['ca']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>Revocation List</fielddescr>
+ <fieldname>reverse_ssl_clientcrl</fieldname>
+ <description>Choose CRL.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['crl']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+
<field>
<name>OWA Reverse proxy General Settings</name>
<type>listtopic</type>
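Review bot: The three new fields do not tell the administrator what the check does or what is optional: `reverse_check_clientca` says only that the certificate "will be checked", and nothing warns that without a CRL (the code adds `sslflags=VERIFY_CRL` only when `reverse_ssl_clientcrl` is set) revoked client certificates are still accepted. Suggested descriptions: `Require clients connecting to the HTTPS reverse proxy to present a certificate issued by the CA selected below.`, `CA whose issued client certificates are accepted.` and `Optional. Without a CRL, revoked client certificates are still accepted.`. Consider marking the CA field required when the check is enabled, since an empty selection currently leaves the proxy unauthenticated.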
diff --git a/config/squid3/34/check_ip.php b/config/squid3/34/check_ip.php
new file mode 100644
index 00000000..a3f07204
--- /dev/null
+++ b/config/squid3/34/check_ip.php
@@ -0,0 +1,86 @@
+#!/usr/local/bin/php -q
+<?php
+/* $Id$ */
+/*
+ check_ip.php
+ Copyright (C) 2013-2014 Marcello Coutinho
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+error_reporting(0);
+// stdin loop
+if (! defined(STDIN)) {
+ define("STDIN", fopen("php://stdin", "r"));
+}
+if (! defined(STDOUT)){
+ define("STDOUT", fopen('php://stdout', 'w'));
+ }
+while( !feof(STDIN)){
+ $line = trim(fgets(STDIN));
+ // %SRC
+
+$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
+unset($cp_db);
+if ($pf_version > 2.0){
+ $dir="/var/db";
+ $files=scandir($dir);
+ foreach ($files as $file){
+ if (preg_match("/captive.*db/",$file)){
+ $dbhandle = sqlite_open("$dir/$file", 0666, $error);
+ if ($dbhandle){
+ $query = "select * from captiveportal";
+ $result = sqlite_array_query($dbhandle, $query, SQLITE_ASSOC);
+ if ($result){
+ foreach ($result as $rownum => $row){
+ $cp_db[$rownum]=implode(",",$row);
+ }
+ sqlite_close($dbhandle);
+ }
+ }
+ }
+ }
+ }
+else{
+ $filename="/var/db/captiveportal.db";
+ if (file_exists($filename))
+ $cp_db=file($filename);
+}
+
+ $usuario="";
+ // 1376630450,2,172.16.3.65,00:50:56:9c:00:c7,admin,e1779ea20d0a11c7,,,,
+ if (is_array($cp_db)){
+ foreach ($cp_db as $cpl){
+ $fields=explode(",",$cpl);
+ if ($fields[2] != "" && $fields[2]==$line)
+ $usuario=$fields[4];
+ }
+ }
+ if ($usuario !="")
+ $resposta="OK user={$usuario}";
+ else
+ $resposta="ERR";
+ fwrite (STDOUT, "{$resposta}\n");
+ unset($cp_db);
+}
+?>
+
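Review bot: The helper echoes the captive-portal username into the Squid external-ACL reply unescaped (`OK user={$usuario}`); a username containing whitespace or a newline would corrupt the key/value reply, so encode it, e.g. `fwrite(STDOUT, "OK user=" . rawurlencode($usuario) . "\n");`, and confirm the quoting rules of the helper protocol for the Squid version shipped. The match `$fields[2]==$line` is a loose comparison and should be `===`, and `error_reporting(0)` at the top turns every failure, including an unreadable database, into a silent `ERR`, so log failures before replying. Every stdin line also rescans /var/db and reopens the database, and `sqlite_open` is the legacy SQLite2 extension — verify it actually opens the captive-portal database files on the pfSense versions this targets.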
diff --git a/config/squid3/34/pkg_squid.inc b/config/squid3/34/pkg_squid.inc
new file mode 100644
index 00000000..47b64e2d
--- /dev/null
+++ b/config/squid3/34/pkg_squid.inc
@@ -0,0 +1,11 @@
+<?php
+
+global $shortcuts;
+
+$shortcuts['squid'] = array();
+$shortcuts['squid']['main'] = "pkg_edit.php?xml=squid.xml";
+$shortcuts['squid']['log'] = "squid_monitor.php";
+$shortcuts['squid']['status'] = "status_services.php";
+$shortcuts['squid']['service'] = "squid";
+
+?> \ No newline at end of file
diff --git a/config/squid3/34/sqpmon.sh b/config/squid3/34/sqpmon.sh
new file mode 100644
index 00000000..244b3b61
--- /dev/null
+++ b/config/squid3/34/sqpmon.sh
@@ -0,0 +1,75 @@
+#!/bin/sh
+# $Id$ */
+#
+# sqpmon.sh
+# Copyright (C) 2006 Scott Ullrich
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then
+ exit 0
+fi
+
+set -e
+
+LOOP_SLEEP=55
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
+# Sleep 5 seconds on startup not to mangle with existing boot scripts.
+sleep 5
+
+# Squid monitor 1.2
+while [ /bin/true ]; do
+ if [ ! -f /var/run/squid_alarm ]; then
+ NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # squid is down
+ echo "Squid has exited. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm
+ /usr/local/etc/rc.d/squid.sh start
+ sleep 3
+ echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure
+ touch /var/run/squid_alarm
+ fi
+ fi
+ NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/squid_alarm ]; then
+ echo "Squid has resumed. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure
+ rm /var/run/squid_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
+done
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
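Review bot: The duplicate-instance guard `pgrep -f "sqpmon.sh" | wc -l` `-ge 1` counts the shell running this very script, whose command line contains sqpmon.sh, so unless the script is started under a different name the count is always at least 1 and the monitor exits before ever watching Squid. Use a pidfile instead: `PIDFILE=/var/run/sqpmon.pid`, `if [ -f $PIDFILE ] && kill -0 $(cat $PIDFILE) 2>/dev/null; then exit 0; fi`, `echo $$ > $PIDFILE`. Note also that with `set -e` a failing `/usr/local/etc/rc.d/squid.sh start` terminates the monitor instead of retrying on the next pass, and the cleanup after `done` is unreachable because `while [ /bin/true ]` is a non-empty-string test that never becomes false.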
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
new file mode 100755
index 00000000..a2917515
--- /dev/null
+++ b/config/squid3/34/squid.inc
@@ -0,0 +1,2458 @@
+<?php
+/* $Id$ */
+/*
+ squid.inc
+ Copyright (C) 2006-2009 Scott Ullrich
+ Copyright (C) 2006 Fernando Lemos
+ Copyright (C) 2012 Martin Fuchs
+ Copyright (C) 2012-2014 Marcello Coutinho
+ Copyright (C) 2013 Gekkenhuis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once('globals.inc');
+require_once('config.inc');
+require_once('util.inc');
+require_once('pfsense-utils.inc');
+require_once('pkg-utils.inc');
+require_once('service-utils.inc');
+
+if(!function_exists("filter_configure"))
+ require_once("filter.inc");
+
+$shortcut_section = "squid";
+if (is_dir('/usr/pbi/squid-' . php_uname("m"))) {
+ define('SQUID_BASE', '/usr/pbi/squid-' . php_uname("m"));
+ define('SQUID_LOCALBASE', SQUID_BASE . "/local");
+} else {
+ define('SQUID_BASE', '/usr/local');
+ define('SQUID_LOCALBASE', '/usr/local');
+}
+
+define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid');
+define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf');
+define('SQUID_BASE', '/var/squid/');
+define('SQUID_ACLDIR', '/var/squid/acl');
+define('SQUID_PASSWD', '/var/etc/squid.passwd');
+define('SQUID_LIB','/var/squid/lib');
+define('SQUID_SSL_DB','/var/squid/lib/ssl_db');
+
+$valid_acls = array();
+
+$uname=posix_uname();
+if ($uname['machine']=='amd64')
+ ini_set('memory_limit', '250M');
+
+ function sq_text_area_decode($text){
+ return preg_replace('/\r\n/', "\n",base64_decode($text));
+}
+
+
+function squid_get_real_interface_address($iface) {
+ global $config;
+
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
+ list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
+
+ return array($ip, long2ip(hexdec($netmask)));
+}
+
+function squid_chown_recursive($dir, $user, $group) {
+ chown($dir, $user);
+ chgrp($dir, $group);
+ $handle = opendir($dir) ;
+ while (($item = readdir($handle)) !== false) {
+ if (($item != ".") && ($item != "..")) {
+ $path = "$dir/$item";
+ // Recurse unless it's the cache dir, that is slow and rarely necessary.
+ if (is_dir($path) && (basename($dir) != "cache"))
+ squid_chown_recursive($path, $user, $group);
+ elseif (is_file($path)) {
+ chown($path, $user);
+ chgrp($path, $group);
+ }
+ }
+ }
+}
+
+function squid_check_clamav_user($user)
+ {
+ exec("/usr/sbin/pw usershow {$user}",$sq_ex_output,$sq_ex_return);
+ $user_arg=($sq_ex_return == 0?"mod":"add");
+ exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin",$sq_ex_output,$sq_ex_return);
+ if ($sq_ex_return != 0)
+ log_error("Squid - Could not change clamav user settings. ".serialize($sq_ex_output));
+ }
+
+/* setup cache */
+function squid_dash_z($cache_action='none') {
+ global $config;
+
+ //Do nothing if there is no cache config
+ if (!is_array($config['installedpackages']['squidcache']['config']))
+ return;
+
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+
+ // If the cache system is null, there is no need to initialize the (irrelevant) cache dir.
+ if ($settings['harddisk_cache_system'] == "null")
+ return;
+
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+
+ if ($cache_action=="clean"){
+ rename ($cachedir,"{$cachedir}.old");
+ mwexec_bg("/bin/rm -rf {$cachedir}.old");
+ }
+
+ if(!is_dir($cachedir.'/')) {
+ log_error("Creating Squid cache dir $cachedir");
+ make_dirs($cachedir);
+ // Double check permissions here, should be safe to recurse cache dir if it's small here.
+ mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
+ }
+
+ if(!is_dir($cachedir.'/00/')) {
+ log_error("Creating squid cache subdirs in $cachedir");
+ mwexec(SQUID_BASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE);
+ sleep(5);
+ mwexec(SQUID_BASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE);
+ // Double check permissions here, should be safe to recurse cache dir if it's small here.
+ mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
+ mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE);
+ }
+
+ if(file_exists("/var/squid/cache/swap.state")) {
+ chown("/var/squid/cache/swap.state", "proxy");
+ chgrp("/var/squid/cache/swap.state", "proxy");
+ exec("chmod a+rw /var/squid/cache/swap.state");
+ }
+
+}
+
+function squid_is_valid_acl($acl) {
+ global $valid_acls;
+ if(!is_array($valid_acls))
+ return;
+ return in_array($acl, $valid_acls);
+}
+
+function squid_install_command() {
+ global $config;
+ global $g;
+ update_status("Checking if there is configuration to migrate... One moment please...");
+ /* migrate existing csv config fields */
+ if (is_array($config['installedpackages']['squidauth']['config']))
+ $settingsauth = $config['installedpackages']['squidauth']['config'][0];
+ if (is_array($config['installedpackages']['squidcache']['config']))
+ $settingscache = $config['installedpackages']['squidcache']['config'][0];
+ if (is_array($config['installedpackages']['squidnac']['config']))
+ $settingsnac = $config['installedpackages']['squidnac']['config'][0];
+ if (is_array($config['installedpackages']['squid']['config']))
+ $settingsgen = $config['installedpackages']['squid']['config'][0];
+
+ if (file_exists("/usr/local/pkg/check_ip.php"))
+ rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php");
+ /* Set storage system */
+ if ($g['platform'] == "nanobsd") {
+ $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null';
+ }
+
+ /* migrate auth settings */
+ if (!empty($settingsauth['no_auth_hosts'])) {
+ if(strstr($settingsauth['no_auth_hosts'], ",")) {
+ $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
+ $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
+ }
+ }
+
+ /* migrate cache settings */
+ if (!empty($settingscache['donotcache'])) {
+ if(strstr($settingscache['donotcache'], ",")) {
+ $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache'])));
+ $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache'];
+ }
+ }
+
+ /* migrate nac settings */
+ if(! empty($settingsnac['allowed_subnets'])) {
+ if(strstr($settingsnac['allowed_subnets'], ",")) {
+ $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets'])));
+ $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets'];
+ }
+ }
+ if(! empty($settingsnac['banned_hosts'])) {
+ if(strstr($settingsnac['banned_hosts'], ",")) {
+ $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts'])));
+ $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts'];
+ }
+ }
+
+ if(! empty($settingsnac['banned_macs'])) {
+ if(strstr($settingsnac['banned_macs'], ",")) {
+ $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs'])));
+ $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs'];
+ }
+ }
+
+ if(! empty($settingsnac['unrestricted_hosts'])) {
+ if(strstr($settingsnac['unrestricted_hosts'], ",")) {
+ $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts'])));
+ $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts'];
+ }
+ }
+
+ if(! empty($settingsnac['unrestricted_macs'])) {
+ if(strstr($settingsnac['unrestricted_macs'], ",")) {
+ $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs'])));
+ $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs'];
+ }
+ }
+
+ if(! empty($settingsnac['whitelist'])) {
+ if(strstr($settingsnac['whitelist'], ",")) {
+ $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist'])));
+ $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist'];
+ }
+ }
+
+ if(! empty($settingsnac['blacklist'])) {
+ if(strstr($settingsnac['blacklist'], ",")) {
+ $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist'])));
+ $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist'];
+ }
+ }
+
+ if(! empty($settingsnac['block_user_agent'])) {
+ if(strstr($settingsnac['block_user_agent'], ",")) {
+ $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent'])));
+ $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent'];
+ }
+ }
+
+ if(! empty($settingsnac['block_reply_mime_type'])) {
+ if(strstr($settingsnac['block_reply_mime_type'], ",")) {
+ $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type'])));
+ $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type'];
+ }
+ }
+
+ /*Migrate reverse settings*/
+ if (is_array($config['installedpackages']['squidreverse'])){
+ $old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0];
+
+ //Settings
+ if (!is_array($config['installedpackages']['squidreversegeneral'])){
+ $config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings;
+ unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']);
+ unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']);
+ unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']);
+ }
+
+ //PEERS
+ if (!is_array($config['installedpackages']['squidreversepeer'])){
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers)
+ foreach (explode(";",$cache_peers) as $cache_peer)
+ $config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated',
+ 'enable'=> 'on',
+ 'name'=> $cache_peer[0],
+ 'port'=> $cache_peer[1],
+ 'protocol' => $cache_peer[2]);
+ }
+
+ //MAPPINGS
+ if (!is_array($config['installedpackages']['squidreverseuri'])){
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){
+ foreach (explode(";",$acls) as $acl)
+ array_push(${'peer_'.$acl[0]},$acl[1]);
+ }
+ foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris)
+ foreach (explode(";",$uris) as $uri){
+ $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):"");
+ $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated',
+ 'enable'=> 'on',
+ 'name'=> $uri[0],
+ 'uri'=> $uri[1],
+ 'vhost' => $uri[2],
+ 'peers'=>$peer_list);
+ }
+ }
+ }
+
+ update_status("Writing configuration... One moment please...");
+
+ write_config();
+
+ /* create cache */
+ update_status("Creating squid cache pools... One moment please...");
+ squid_dash_z();
+ /* make sure pinger is executable */
+ if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger"))
+ exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger");
+ if(file_exists("/usr/local/etc/rc.d/squid"))
+ exec("/bin/rm /usr/local/etc/rc.d/squid");
+ squid_write_rcfile();
+ if(file_exists("/usr/local/pkg/swapstate_check.php"))
+ exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php");
+ write_rcfile(array(
+ "file" => "sqp_monitor.sh",
+ "start" => "/usr/local/pkg/sqpmon.sh &",
+ "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"));
+
+ foreach (array( SQUID_CONFBASE,
+ SQUID_ACLDIR,
+ SQUID_BASE,
+ SQUID_LIB,
+ SQUID_SSL_DB ) as $dir) {
+ make_dirs($dir);
+ squid_chown_recursive($dir, 'proxy', 'proxy');
+ }
+
+ /* kill any running proxy alarm scripts */
+ update_status("Checking for running processes... One moment please...");
+ log_error("Stopping any running proxy monitors");
+ mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
+ sleep(1);
+
+ if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default'))
+ copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf');
+
+ update_status("Checking cache... One moment please...");
+ squid_dash_z();
+
+ if (!is_service_running('squid')) {
+ update_status("Starting... One moment please...");
+ log_error("Starting Squid");
+ mwexec_bg(SQUID_BASE. "/sbin/squid -f " . SQUID_CONFFILE);
+ } else {
+ update_status("Reloading Squid for configuration sync... One moment please...");
+ log_error("Reloading Squid for configuration sync");
+ mwexec_bg(SQUID_BASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
+ }
+
+ /* restart proxy alarm scripts */
+ log_error("Starting a proxy monitor script");
+ mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start");
+
+ update_status("Reconfiguring filter... One moment please...");
+ filter_configure();
+}
+
+function squid_deinstall_command() {
+ global $config, $g;
+ $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
+ squid_install_cron(false);
+ if (is_array($config['installedpackages']['squidcache']))
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ else
+ $settings = array();
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
+ update_status("Removing cache ... One moment please...");
+ update_output_window("$plswait_txt");
+ mwexec_bg('rm -rf $cachedir');
+ mwexec('rm -rf $logdir');
+ update_status("Finishing package cleanup.");
+ mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
+ mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh');
+ mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ update_status("Reloading filter...");
+ filter_configure();
+}
+
+function squid_before_form_general(&$pkg) {
+ $values = get_dir(SQUID_CONFBASE . '/errors/');
+ // Get rid of '..' and '.' and ...
+ array_shift($values);
+ array_shift($values);
+ array_shift($values);
+ array_shift($values);
+
+ $name = array();
+ foreach ($values as $value)
+ $names[] = implode(" ", explode("_", $value));
+
+ $i = 0;
+ foreach ($pkg['fields']['field'] as $field) {
+ if ($field['fieldname'] == 'error_language')
+ break;
+ $i++;
+ }
+ $field = &$pkg['fields']['field'][$i];
+
+ for ($i = 0; $i < count($values) - 1; $i++)
+ $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
+}
+
+function squid_validate_general($post, &$input_errors) {
+ global $config;
+ if (is_array($config['installedpackages']['squid']))
+ $settings = $config['installedpackages']['squid']['config'][0];
+ else
+ $settings = array();
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $port = $post['proxy_port'] ? $post['proxy_port'] : $port;
+
+ $icp_port = trim($post['icp_port']);
+ if (!empty($icp_port) && !is_port($icp_port))
+ $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field';
+
+ if (substr($post['log_dir'], -1, 1) == '/')
+ $input_errors[] = 'You may not end log location with an / mark';
+
+ if ($post['log_dir']{0} != '/')
+ $input_errors[] = 'You must start log location with a / mark';
+ if (strlen($post['log_dir']) <= 3)
+ $input_errors[] = "That is not a valid log location dir";
+
+ $log_rotate = trim($post['log_rotate']);
+ if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1)))
+
+ $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field';
+
+ $webgui_port = $config['system']['webgui']['port'];
+ if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
+ $webgui_port = 80;
+ }
+ if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
+ $webgui_port = 443;
+ }
+
+ if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
+ $input_errors[] = "You can not run squid on the same port as the webgui";
+ }
+
+ if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) {
+ $input_errors[] = "SSL interception cannot be enabled without a CA.";
+ }
+
+ foreach (array('defined_ip_proxy_off') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
+ }
+ }
+ foreach (array('defined_ip_proxy_off_dest') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
+ }
+ }
+
+ if(!empty($post['dns_nameservers'])) {
+ $altdns = explode(";", ($post['dns_nameservers']));
+ foreach ($altdns as $dnssrv) {
+ if (!is_ipaddr($dnssrv))
+ $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
+ break;
+ }}
+}
+
+function squid_validate_upstream($post, &$input_errors) {
+ if ($post['enabled'] == 'on') {
+ $addr = trim($post['proxyaddr']);
+ if (empty($addr))
+ $input_errors[] = 'The field \'Hostname\' is required';
+ else {
+ if (!is_ipaddr($addr) && !is_domain($addr))
+ $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
+ }
+
+ foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) {
+ $port = trim($post[$field]);
+ if (empty($port))
+ $input_errors[] = "The field '$name' is required";
+ else {
+ if (!is_port($port))
+ $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
+ }
+ }
+ }
+}
+
+function squid_validate_cache($post, &$input_errors) {
+ $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size',
+ 'memory_cache_size' => 'Memory cache size',
+ 'maximum_object_size' => 'Maximum object size',
+ );
+ foreach ($num_fields as $field => $name) {
+ $value = trim($post[$field]);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = "You must enter a valid value for '$field'";
+ }
+
+ $value = trim($post['minimum_object_size']);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
+
+ if (!empty($post['cache_swap_low'])) {
+ $value = trim($post['cache_swap_low']);
+ if (!is_numeric($value) || ($value > 100))
+ $input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
+ }
+
+ if (!empty($post['cache_swap_high'])) {
+ $value = trim($post['cache_swap_high']);
+ if (!is_numeric($value) || ($value > 100))
+ $input_errors[] = 'You must enter a valid value for \'High-water-mark\'';
+ }
+
+ if ($post['donotcache'] != "") {
+ foreach (split("\n", $post['donotcache']) as $host) {
+ $host = trim($host);
+ if (!is_ipaddr($host) && !is_domain($host))
+ $input_errors[] = "The host '$host' is not a valid IP or host name";
+ }
+ }
+
+ squid_dash_z();
+
+}
+
+function squid_validate_nac($post, &$input_errors) {
+ $allowed_subnets = explode("\n", $post['allowed_subnets']);
+ foreach ($allowed_subnets as $subnet) {
+ $subnet = trim($subnet);
+ if (!empty($subnet) && !is_subnet($subnet))
+ $input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
+ }
+
+ foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
+
+ if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){
+ for ($x=0;$x < count($matches[1]);$x++){
+ if ($matches[2][$x] == ""){
+ if (!is_ipaddr($matches[1][$x]))
+ $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address";
+ }
+ else{
+ if (!is_subnet($matches[0][$x]))
+ $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range";
+ }
+ }
+ }
+ }
+
+ foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
+ foreach (explode("\n", $post[$macs]) as $mac) {
+ $mac = trim($mac);
+ if (!empty($mac) && !is_macaddr($mac))
+ $input_errors[] = "The mac '$mac' is not a valid MAC address";
+ }
+ }
+
+ foreach (explode(",", $post['timelist']) as $time) {
+ $time = trim($time);
+ if (!empty($time) && !squid_is_timerange($time))
+ $input_errors[] = "The time range '$time' is not a valid time range";
+ }
+
+ if(!empty($post['ext_cachemanager'])) {
+ $extmgr = explode(";", ($post['ext_cachemanager']));
+ foreach ($extmgr as $mgr) {
+ if (!is_ipaddr($mgr))
+ $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
+ }}
+}
+
+function squid_validate_traffic($post, &$input_errors) {
+ $num_fields = array( 'max_download_size' => 'Maximum download size',
+ 'max_upload_size' => 'Maximum upload size',
+ 'perhost_throttling' => 'Per-host bandwidth throttling',
+ 'overall_throttling' => 'Overall bandwidth throttling',
+ );
+ foreach ($num_fields as $field => $name) {
+ $value = trim($post[$field]);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = "The field '$name' must contain a positive number";
+ }
+
+ if (!empty($post['quick_abort_min'])) {
+ $value = trim($post['quick_abort_min']);
+ if (!is_numeric($value))
+ $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
+ }
+
+ if (!empty($post['quick_abort_max'])) {
+ $value = trim($post['quick_abort_max']);
+ if (!is_numeric($value))
+ $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
+ }
+
+ if (!empty($post['quick_abort_pct'])) {
+ $value = trim($post['quick_abort_pct']);
+ if (!is_numeric($value) || ($value > 100))
+ $input_errors[] = "The field 'Finish when remaining %' must contain a percentage";
+ }
+}
+
+function squid_validate_reverse($post, &$input_errors) {
+
+ if(!empty($post['reverse_ip'])) {
+ $reverse_ip = explode(";", ($post['reverse_ip']));
+ foreach ($reverse_ip as $reip) {
+ if (!is_ipaddr(trim($reip)))
+ $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.';
+ }}
+
+ $fqdn = trim($post['reverse_external_fqdn']);
+ if (!empty($fqdn) && !is_domain($fqdn))
+ $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name';
+
+ $port = trim($post['reverse_http_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number';
+
+ $port = trim($post['reverse_https_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number';
+
+ if ($post['reverse_ssl_cert'] == 'none')
+ $input_errors[] = 'A valid certificate for the external interface must be selected';
+
+ if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
+ $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
+ }
+
+ if(!empty($post['reverse_owa_ip'])) {
+ $reverse_owa_ip = explode(";", ($post['reverse_owa_ip']));
+ foreach ($reverse_owa_ip as $reowaip) {
+ if (!is_ipaddr(trim($reowaip)))
+ $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.';
+ }}
+
+ $contents = $post['reverse_cache_peer'];
+ if(!empty($contents)) {
+ $defs = explode("\r\n", ($contents));
+ foreach ($defs as $def) {
+ $cfg = explode(";",($def));
+ if (!is_ipaddr($cfg[1]))
+ $input_errors[] = "please choose a valid IP in the cache peer configuration.";
+ if (!is_port($cfg[2]))
+ $input_errors[] = "please choose a valid port in the cache peer configuration.";
+ if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
+ $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
+ }}
+
+
+}
+
+function squid_validate_auth($post, &$input_errors) {
+ $num_fields = array( array('auth_processes', 'Authentication processes', 1),
+ array('auth_ttl', 'Authentication TTL', 0),
+ );
+ foreach ($num_fields as $field) {
+ $value = trim($post[$field[0]]);
+ if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
+ $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}";
+ }
+
+ $auth_method = $post['auth_method'];
+ if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) {
+ $server = trim($post['auth_server']);
+ if (empty($server))
+ $input_errors[] = 'The field \'Authentication server\' is required';
+ else if (!is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name';
+
+ $port = trim($post['auth_server_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
+
+ switch ($auth_method) {
+ case 'ldap':
+ $user = trim($post['ldap_user']);
+ if (empty($user))
+ $input_errors[] = 'The field \'LDAP server user DN\' is required';
+ else if (!$user)
+ $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
+ break;
+ case 'radius':
+ $secret = trim($post['radius_secret']);
+ if (empty($secret))
+ $input_errors[] = 'The field \'RADIUS secret\' is required';
+ break;
+ case 'msnt':
+ foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
+ if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = "The host '$server' is not a valid IP address or domain name";
+ }
+ break;
+ }
+
+ $no_auth = explode("\n", $post['no_auth_hosts']);
+ foreach ($no_auth as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_subnet($host))
+ $input_errors[] = "The host '$host' is not a valid CIDR range";
+ }
+ }
+}
+
+function squid_install_cron($should_install) {
+ global $config, $g;
+ if($g['booting']==true)
+ return;
+ $rotate_is_installed = false;
+ $swapstate_is_installed = false;
+
+ if(!$config['cron']['item'])
+ return;
+
+ if (is_array($config['installedpackages']['squidcache']))
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ else
+ $settings = array();
+
+ $x=0;
+ $rotate_job_id=-1;
+ $swapstate_job_id=-1;
+ $cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
+ $cron_cmd .= SQUID_BASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE;
+ $need_write = false;
+ foreach($config['cron']['item'] as $item) {
+ if(strstr($item['task_name'], "squid_rotate_logs")) {
+ $rotate_job_id = $x;
+ if ($item['command'] != $cron_cmd){
+ $config['cron']['item'][$x]['command']=$cron_cmd;
+ $need_write = true;
+ }
+ } elseif(strstr($item['task_name'], "squid_check_swapstate")) {
+ $swapstate_job_id = $x;
+ }
+ $x++;
+ }
+ switch($should_install) {
+ case true:
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ if($rotate_job_id < 0) {
+ $cron_item['command']=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : "");
+ $cron_item = array();
+ $cron_item['task_name'] = "squid_rotate_logs";
+ $cron_item['minute'] = "0";
+ $cron_item['hour'] = "0";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] .= $cron_cmd;
+ /* Add this cron_item as a new entry at the end of the item array. */
+ $config['cron']['item'][] = $cron_item;
+ $need_write = true;
+ }
+ if($swapstate_job_id < 0) {
+ $cron_item = array();
+ $cron_item['task_name'] = "squid_check_swapstate";
+ $cron_item['minute'] = "*/15";
+ $cron_item['hour'] = "*";
+ $cron_item['mday'] = "*";
+ $cron_item['month'] = "*";
+ $cron_item['wday'] = "*";
+ $cron_item['who'] = "root";
+ $cron_item['command'] = "/usr/local/pkg/swapstate_check.php";
+ /* Add this cron_item as a new entry at the end of the item array. */
+ $config['cron']['item'][] = $cron_item;
+ $need_write = true;
+ }
+ if ($need_write) {
+ parse_config(true);
+ write_config("Adding Squid Cron Jobs");
+ }
+ break;
+ case false:
+ if($rotate_job_id >= 0) {
+ unset($config['cron']['item'][$rotate_job_id]);
+ $need_write = true;
+ }
+ if($swapstate_job_id >= 0) {
+ unset($config['cron']['item'][$swapstate_job_id]);
+ $need_write = true;
+ }
+ if ($need_write) {
+ parse_config(true);
+ write_config("Removing Squid Cron Jobs");
+ }
+ break;
+ }
+ configure_cron();
+}
+
+function squid_check_ca_hashes(){
+ global $config,$g;
+
+ #check certificates
+ $cert_count=0;
+ if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+ if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) {
+ while (false !== ($file = readdir($handle)))
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ if ($cert_count < 10){
+ conf_mount_rw();
+ #create ca-root hashes from ca-root-nss package
+ log_error("Creating root certificate bundle hashes from the Mozilla Project");
+ $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+ $cert=0;
+ foreach ($cas as $ca){
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ $cert=1;
+ if ($cert == 1)
+ $crt.=$ca;
+ if (preg_match("/-END CERTIFICATE-/",$ca)){
+ file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+ $cert_hash=array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+ file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+ $crt="";
+ $cert=0;
+ }
+ }
+ }
+}
+
+function squid_resync_general() {
+ global $g, $config, $valid_acls;
+
+ if (is_array($config['installedpackages']['squid']))
+ $settings = $config['installedpackages']['squid']['config'][0];
+ else
+ $settings=array();
+ $conf = "# This file is automatically generated by pfSense\n";
+ $conf .= "# Do not edit manually !\n\n";
+ #Check ssl interception
+ if (($settings['ssl_proxy'] == 'on')) {
+ squid_check_ca_hashes();
+ $srv_cert = lookup_ca($settings["dca"]);
+ if ($srv_cert != false) {
+ if(base64_decode($srv_cert['prv'])) {
+ #check if ssl_db was initilized by squid
+ if (! file_exists("/var/squid/lib/ssl_db/serial")){
+ if (is_dir("/var/squid/lib/ssl_db")){
+ mwexec("/bin/rm -rf /var/squid/lib/ssl_db");
+ }
+ mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/");
+ }
+ #force squid user permission on /var/squid/lib/ssl_db/
+ squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
+ # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
+ $crt_pk=SQUID_CONFBASE."/serverkey.pem";
+ $crt_capath=SQUID_LOCALBASE."/share/certs/";
+ file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
+ $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+ $interception_checks .= "sslproxy_capath {$crt_capath}\n";
+ if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
+ $interception_checks.="sslproxy_cert_error allow all\n";
+ if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
+ $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
+ if ($settings["interception_adapt"] != ""){
+ foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+ $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ }
+ }
+ }
+ }
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
+
+#Read assigned interfaces
+ $real_ifaces = array();
+
+ if($settings['active_interface'])
+ $proxy_ifaces = explode(",", $settings['active_interface']);
+ else
+ $proxy_ifaces=array("lan");
+
+ if ($settings['transparent_proxy']=="on"){
+ $transparent_ifaces = explode(",", $settings['transparent_active_interface']);
+ foreach ($transparent_ifaces as $t_iface){
+ $t_iface_ip = squid_get_real_interface_address($t_iface);
+ if($t_iface_ip[0])
+ $real_ifaces[]=$t_iface_ip;
+ }
+ }
+ else{
+ $transparent_ifaces=array();
+ }
+
+ if ($settings['ssl_proxy']=="on"){
+ $ssl_ifaces = explode(",", $settings['ssl_active_interface']);
+ foreach ($ssl_ifaces as $s_iface){
+ $s_iface_ip = squid_get_real_interface_address($s_iface);
+ if($s_iface_ip[0])
+ $real_ifaces[]=$s_iface_ip;
+ }
+ }
+ else{
+ $ssl_ifaces=array();
+ }
+
+ #check all proxy interfaces selected
+ foreach ($proxy_ifaces as $iface) {
+ $iface_ip = squid_get_real_interface_address($iface);
+ if($iface_ip[0]) {
+ $real_ifaces[]=$iface_ip;
+ if (in_array($iface,$ssl_ifaces))
+ $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
+ else
+ $conf .= "http_port {$iface_ip[0]}:{$port}\n";
+ }
+ }
+
+ if (($settings['transparent_proxy'] == 'on')) {
+ if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){
+ $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n";
+ $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n";
+ }
+ else{
+ $conf .= "http_port 127.0.0.1:{$port} intercept\n";
+ }
+ }
+ $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0);
+ $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" );
+ $pidfile = "{$g['varrun_path']}/squid.pid";
+ $language = ($settings['error_language'] ? $settings['error_language'] : 'en');
+ $icondir = SQUID_CONFBASE . '/icons';
+ $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost');
+ $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost');
+
+ $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
+ if (! is_dir($logdir)){
+ make_dirs($logdir);
+ squid_chown_recursive($logdir, 'proxy', 'proxy');
+ }
+ $logdir_cache = $logdir . '/cache.log';
+ $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
+ $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on';
+ $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger";
+
+ $conf .= <<< EOD
+icp_port {$icp_port}
+dns_v4_first {$dns_v4_first}
+pid_filename {$pidfile}
+cache_effective_user proxy
+cache_effective_group proxy
+error_default_language {$language}
+icon_directory {$icondir}
+visible_hostname {$hostname}
+cache_mgr {$email}
+access_log {$logdir_access}
+cache_log {$logdir_cache}
+cache_store_log none
+netdb_filename {$logdir}/netdb.state
+pinger_enable {$pinger_helper}
+pinger_program {$pinger_program}
+{$interception_checks}
+
+EOD;
+
+// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen.
+$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
+$conf .= "logfile_rotate {$rotate}\n";
+$conf .= "debug_options rotate={$rotate}\n";
+squid_install_cron(true);
+
+ $conf .= <<< EOD
+shutdown_lifetime 3 seconds
+
+EOD;
+
+ if ($settings['allow_interface'] == 'on') {
+ $src = '';
+ foreach ($real_ifaces as $iface) {
+ list($ip, $mask) = $iface;
+ $ip = long2ip(ip2long($ip) & ip2long($mask));
+ $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
+ if (!preg_match("@$ip/$mask@",$src))
+ $src .= " $ip/$mask";
+ }
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $conf .= "acl localnet src $src\n";
+ $valid_acls[] = 'localnet';
+ }
+ if ($settings['disable_xforward']) $conf .= "forwarded_for off\n";
+ if ($settings['disable_via']) $conf .= "via off\n";
+ if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n";
+ if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
+ else $conf .= "uri_whitespace strip\n"; //only used for first run
+
+ if(!empty($settings['dns_nameservers'])) {
+ $altdns = explode(";", ($settings['dns_nameservers']));
+ $conf .= "dns_nameservers ";
+ foreach ($altdns as $dnssrv) {
+ $conf .= $dnssrv." ";
+ }
+// $conf .= "\n"; //Kill blank line after DNS-Servers
+ }
+
+ return $conf;
+}
+
+
+function squid_resync_cache() {
+ global $config, $g;
+ if (is_array($config['installedpackages']['squidcache']))
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ else
+ $settings = array();
+ //apply cache settings
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
+ $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16);
+ $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8);
+ $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB");
+ $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0);
+ $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32);
+ $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA');
+ $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF');
+ $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off');
+ $conf = '';
+ if (!isset($settings['harddisk_cache_system'])) {
+ if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config']))
+ $disk_cache_system = 'null';
+ else
+ $disk_cache_system = 'ufs';
+ }
+ else{
+ $disk_cache_system = $settings['harddisk_cache_system'];
+ }
+ #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
+ if ($disk_cache_system != "null") {
+ $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
+ }
+//check dynamic content
+if(empty($settings['cache_dynamic_content'])){
+ $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n";
+ $conf.="cache deny dynamic\n";
+}
+else{
+ if(preg_match('/youtube/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
+refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
+
+# Let the clients favorite video site through with full caching
+acl youtube dstdomain .youtube.com
+cache allow youtube
+
+EOC;
+ }
+ if(preg_match('/windows/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Windows Update refresh_pattern
+range_offset_limit -1
+refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
+
+EOC;
+ }
+
+if(preg_match('/symantec/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Symantec refresh_pattern
+range_offset_limit -1
+refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
+refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
+
+EOC;
+ }
+if(preg_match('/avast/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Avast refresh_pattern
+range_offset_limit -1
+refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
+
+EOC;
+ }
+if(preg_match('/avira/',$settings['refresh_patterns'])){
+ $conf.=<<< EOC
+
+# Avira refresh_pattern
+range_offset_limit -1
+refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
+
+EOC;
+ }
+ $refresh_conf=<<< EOC
+
+# Add any of your own refresh_pattern entries above these.
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
+refresh_pattern . 0 20% 4320
+
+EOC;
+}
+
+ If ($settings['custom_refresh_patterns'] !="")
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
+
+ $conf .= <<< EOD
+
+cache_mem $memory_cache_size MB
+maximum_object_size_in_memory {$max_objsize_in_mem} KB
+memory_replacement_policy {$memory_policy}
+cache_replacement_policy {$cache_policy}
+$disk_cache_opts
+minimum_object_size {$min_objsize} KB
+maximum_object_size {$max_objsize}
+offline_mode {$offline_mode}
+
+EOD;
+
+ if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n";
+ if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n";
+
+ $donotcache = sq_text_area_decode($settings['donotcache']);
+ if (!empty($donotcache)) {
+ file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
+ $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
+ $conf .= "cache deny donotcache\n";
+ }
+ elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
+ unlink(SQUID_ACLDIR . '/donotcache.acl');
+ }
+ $conf .= "cache allow all\n";
+ return $conf.$refresh_conf;
+}
+
+function squid_resync_upstream() {
+ global $config;
+ $conf = "\n#Remote proxies\n";
+ if (is_array($config['installedpackages']['squidremote']['config']))
+ foreach ($config['installedpackages']['squidremote']['config'] as $settings){
+ if ($settings['enable'] == 'on') {
+ $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
+ if ($settings['icpport'] == '7')
+ $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
+ else
+ $conf .= "{$settings['icpport']} ";
+ #auth settings
+ if (!empty($settings['username']) && !empty($settings['password'])){
+ $conf .= " login={$settings['username']}:{$settings['password']}";
+ }
+ else{
+ $conf .= "{$settings['authoption']} ";
+ }
+ #other options settings
+ if (!empty($settings['weight']))
+ $conf .= "weight={$settings['weight']} ";
+ if (!empty($settings['basetime']))
+ $conf .= "basetime={$settings['basetime']} ";
+ if (!empty($settings['ttl']))
+ $conf .= "ttl={$settings['ttl']} ";
+ if (!empty($settings['nodelay']))
+ $conf .= "no-delay";
+ }
+ $conf .= "\n";
+ }
+ return $conf;
+}
+
+function squid_resync_redirector() {
+ global $config;
+
+ $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
+ if ($httpav_enabled) {
+ $conf = "url_rewrite_program /usr/local/bin/squirm\n";
+ } else {
+ $conf = "# No redirector configured\n";
+ }
+ return $conf;
+}
+
+function squid_resync_nac() {
+ global $config, $valid_acls;
+
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ if (is_array($config['installedpackages']['squidnac']))
+ $settings = $config['installedpackages']['squidnac']['config'][0];
+ else
+ $settings = array();
+ $webgui_port = $config['system']['webgui']['port'];
+ $addtl_ports = $settings['addtl_ports'];
+ $addtl_sslports = $settings['addtl_sslports'];
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
+ $conf = <<< EOD
+
+# Setup some default acls
+# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
+# acl localhost src 127.0.0.1/32
+acl allsrc src all
+acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports
+acl sslports port 443 563 $webgui_port $addtl_sslports
+
+# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
+#acl manager proto cache_object
+
+acl purge method PURGE
+acl connect method CONNECT
+
+# Define protocols used for redirects
+acl HTTP proto HTTP
+acl HTTPS proto HTTPS
+
+EOD;
+
+ $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
+ #$allowed = "";
+ #foreach ($allowed_subnets as $subnet) {
+ # if(!empty($subnet)) {
+ # $subnet = trim($subnet);
+ # $allowed .= "$subnet ";
+ # }
+ #}
+ if (!empty($allowed_subnets)) {
+ $conf .= "acl allowed_subnets src $allowed_subnets\n";
+ $valid_acls[] = 'allowed_subnets';
+ }
+
+ $options = array( 'unrestricted_hosts' => 'src',
+ 'banned_hosts' => 'src',
+ 'whitelist' => 'dstdom_regex -i',
+ 'blacklist' => 'dstdom_regex -i',
+ 'block_user_agent' => 'browser -i',
+ 'block_reply_mime_type' => 'rep_mime_type -i',
+ );
+ foreach ($options as $option => $directive) {
+ $contents = sq_text_area_decode($settings[$option]);
+ if (!empty($contents)) {
+ file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
+ $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
+ $valid_acls[] = $option;
+ }
+ elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
+ unlink(SQUID_ACLDIR . "/$option.acl");
+ }
+ }
+
+ $conf .= <<< EOD
+http_access allow manager localhost
+
+EOD;
+
+ if (is_array($config['installedpackages']['squidcache'])){
+ $settings_ch = $config['installedpackages']['squidcache']['config'][0];
+ if(!empty($settings_ch['ext_cachemanager'])) {
+ $extmgr = explode(";", ($settings_ch['ext_cachemanager']));
+ $conf .= "\n# Allow external cache managers\n";
+ foreach ($extmgr as $mgr) {
+ $conf .= "acl ext_manager src {$mgr}\n";
+ }
+ $conf .= "http_access allow manager ext_manager\n";
+ }
+ }
+
+ $conf .= <<< EOD
+
+http_access deny manager
+http_access allow purge localhost
+http_access deny purge
+http_access deny !safeports
+http_access deny CONNECT !sslports
+
+# Always allow localhost connections
+# From 3.2 further configuration cleanups have been done to make things easier and safer.
+# The manager, localhost, and to_localhost ACL definitions are now built-in.
+# http_access allow localhost
+
+EOD;
+
+ return $conf;
+}
+
+function squid_resync_antivirus(){
+ global $config;
+
+ if (is_array($config['installedpackages']['squidantivirus']))
+ $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
+ else
+ $antivirus_config = array();
+
+ if ($antivirus_config['enable']=="on"){
+ switch ($antivirus_config['client_info']){
+ case "both":
+ $icap_send_client_ip="on";
+ $icap_send_client_username="on";
+ break;
+ case "IP":
+ $icap_send_client_ip="on";
+ $icap_send_client_username="off";
+ break;
+ case "username":
+ $icap_send_client_ip="off";
+ $icap_send_client_username="on";
+ break;
+ case "none":
+ $icap_send_client_ip="off";
+ $icap_send_client_username="off";
+ break;
+ }
+ if (is_array($config['installedpackages']['squid']))
+ $squid_config=$config['installedpackages']['squid']['config'][0];
+ $clwarn="clwarn.cgi.en_EN";
+ if (preg_match("/de/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.de_DE";
+ if (preg_match("/ru/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.ru_RU";
+ if (preg_match("/fr/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.fr_FR";
+ if (preg_match("/pt_br/i",$squid_config['error_language']))
+ $clwarn="clwarn.cgi.pt_BR";
+ $clwarn_file="/usr/local/www/clwarn.cgi";
+ copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}",$clwarn_file);
+
+ #fix perl path on clwarn.cgi
+ $clwarn_file_new=file_get_contents($clwarn_file);
+ $c_pattern[]="@/usr/\S+/perl@";
+ $c_replacement[]=SQUID_BASE."/bin/perl";
+ /*$c_pattern[]="@redirect \S+/clwarn.cgi@";
+ $gui_proto=$config['system']['webgui']['protocol'];
+ $gui_port=$config['system']['webgui']['port'];
+ if($gui_port == "") {
+ $gui_port($gui_proto == "http"?"80":"443");
+ }
+ $c_replacement[]=SQUID_LOCALBASE."redirect {$gui_proto}://127.0.0.1:{$gui_port}/clwarn.cgi";
+ */
+ $clwarn_file_new=preg_replace($c_pattern, $c_replacement,$clwarn_file_new);
+ file_put_contents($clwarn_file, $clwarn_file_new,LOCK_EX);
+
+ #fix clwarn.cgi file permission
+ chmod($clwarn_file,0755);
+
+ $conf = <<< EOF
+icap_enable on
+icap_send_client_ip {$icap_send_client_ip}
+icap_send_client_username {$icap_send_client_username}
+icap_client_username_encode off
+icap_client_username_header X-Authenticated-User
+icap_preview_enable on
+icap_preview_size 1024
+
+icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
+icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
+
+adaptation_access service_req allow all
+adaptation_access service_resp allow all
+
+EOF;
+ #check if icap is enabled on rc.conf.local
+ if (file_exists("/etc/rc.conf.local")){
+ $rc_old_file=file("/etc/rc.conf.local");
+ foreach ($rc_old_file as $rc_line){
+ if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){
+ $rc_file.=$matches[1].'="YES"'."\n";
+ ${$matches[1]}="ok";
+ }
+ else
+ $rc_file.=$rc_line;
+ }
+ }
+ if (!isset($c_icap_enable))
+ $rc_file.='c_icap_enable="YES"'."\n";
+ if (!isset($clamav_clamd_enable))
+ $rc_file.='clamav_clamd_enable="YES"'."\n";
+ file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX);
+ squid_check_clamav_user('clamav');
+ #patch sample files to pfsense dirs
+ #squidclamav.conf
+ if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))
+ if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){
+ $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default");
+ $clamav_m[0]="@/var/run/clamav/clamd.ctl@";
+ $clamav_r[0]="/var/run/clamav/clamd.sock";
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX);
+ }
+ #c-icap.conf
+ if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))
+ if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){
+ $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default");
+ if (! preg_match ("/squidclamav/"))
+ $sample_file.="\nService squidclamav squidclamav.so\n";
+
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",$sample_file,LOCK_EX);
+ }
+ $loadsample=0;
+ if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){
+ $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"));
+ $loadsample++;
+ }
+ if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){
+ $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"));
+ $loadsample++;
+ }
+ if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")){
+ $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default"));
+ $loadsample++;
+ }
+ if($loadsample > 0){
+ write_config();
+ $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
+ }
+ #check dirs
+ $dirs=array("/var/run/c-icap" => "clamav",
+ "/var/log/c-icap" => "clamav",
+ "/var/log/clamav" => "clamav",
+ "/var/run/clamav" => "clamav",
+ "/var/db/clamav" => "clamav");
+ foreach ($dirs as $dir_path => $dir_user){
+ if (!is_dir($dir_path))
+ make_dirs($dir_path);
+ squid_chown_recursive($dir_path, $dir_user, "wheel");
+ }
+ #Check clamav database
+ if (count(glob("/var/db/clamav/*d"))==0){
+ log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background.");
+ mwexec_bg(SQUID_BASE."/bin/freshclam");
+ }
+ $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d");
+ foreach($rcd_files as $rcd_file)
+ if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}"))
+ symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}");
+
+ #write advanced icap config files
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX);
+ file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX);
+
+ #check antivirus daemons
+ #check icap
+ if (is_process_running("c-icap")){
+ mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
+ }
+ else{
+ #check c-icap user on startup file
+ $c_icap_rcfile="/usr/local/etc/rc.d/c-icap";
+ if (file_exists($c_icap_rcfile)){
+ $sample_file=file_get_contents($c_icap_rcfile);
+ $cicapm[0]="@c_icap_user=.*}@";
+ $cicapr[0]='c_icap_user="clamav"}';
+ file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX);
+ }
+ mwexec_bg("/usr/local/etc/rc.d/c-icap start");
+ }
+ #check clamav
+ if (is_process_running("clamd"))
+ mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload");
+ else
+ mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start");
+ }
+return $conf;
+}
+
+function squid_resync_traffic() {
+ global $config, $valid_acls;
+
+ if(!is_array($valid_acls))
+ return;
+ if (is_array($config['installedpackages']['squidtraffic']))
+ $settings = $config['installedpackages']['squidtraffic']['config'][0];
+ else
+ $settings = array();
+
+ $conf = '';
+ if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0")
+ $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n";
+ if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0")
+ $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n";
+ if (!empty($settings['quick_abort_pct']))
+ $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n";
+
+ $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0);
+ $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0);
+ $conf .= "request_body_max_size $up_limit KB\n";
+ if ($down_limit != 0)
+ $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n";
+
+
+ // Only apply throttling past 10MB
+ // XXX: Should this really be hardcoded?
+ $threshold = 10 * 1024 * 1024;
+ $overall = $settings['overall_throttling'];
+ if (!isset($overall) || ($overall == 0))
+ $overall = -1;
+ else
+ $overall *= 1024;
+ $perhost = $settings['perhost_throttling'];
+ if (!isset($perhost) || ($perhost == 0))
+ $perhost = -1;
+ else
+ $perhost *= 1024;
+ $conf .= <<< EOD
+delay_pools 1
+delay_class 1 2
+delay_parameters 1 $overall/$overall $perhost/$perhost
+delay_initial_bucket_level 100
+
+EOD;
+
+ if(! empty($settings['unrestricted_hosts'])) {
+ foreach (array('unrestricted_hosts') as $item) {
+ if (in_array($item, $valid_acls))
+ $conf .= "# Do not throttle unrestricted hosts\n";
+ $conf .= "delay_access 1 deny $item\n";
+ }
+ }
+
+ if ($settings['throttle_specific'] == 'on') {
+ $exts = array();
+ $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com';
+ $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi';
+ $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m';
+ foreach (array( 'throttle_binaries' => $binaries,
+ 'throttle_cdimages' => $cdimages,
+ 'throttle_multimedia' => $multimedia) as $field => $set) {
+ if ($settings[$field] == 'on')
+ $exts = array_merge($exts, explode(",", $set));
+ }
+
+ foreach (explode(",", $settings['throttle_others']) as $ext) {
+ if (!empty($ext)) $exts[] = $ext;
+ }
+
+ $contents = '';
+ foreach ($exts as $ext)
+ $contents .= "\.$ext\$\n";
+ file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
+
+ $conf .= "# Throttle extensions matched in the url\n";
+ $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
+ $conf .= "delay_access 1 allow throttle_exts\n";
+ $conf .= "delay_access 1 deny allsrc\n";
+ }
+ else
+ $conf .= "delay_access 1 allow allsrc\n";
+
+ return $conf;
+}
+
+function squid_get_server_certs() {
+ global $config;
+ $cert_arr = array();
+ $cert_arr[] = array('refid' => 'none', 'descr' => 'none');
+ foreach ($config['cert'] as $cert) {
+ $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
+ }
+ return $cert_arr;
+}
+
+#squid reverse
+include('/usr/local/pkg/squid_reverse.inc');
+
+function squid_resync_auth() {
+ global $config, $valid_acls;
+ $write_config=0;
+ if (!is_array($config['installedpackages']['squidauth']['config'])){
+ $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none");
+ $write_config++;
+ }
+ $settings = $config['installedpackages']['squidauth']['config'][0];
+ if (is_array($config['installedpackages']['squidnac']['config']))
+ $settingsnac = $config['installedpackages']['squidnac']['config'][0];
+ else
+ $settingsnac = array();
+
+ if (is_array($config['installedpackages']['squid']['config']))
+ $settingsconfig = $config['installedpackages']['squid']['config'][0];
+ else
+ $settingsconfig = array();
+
+ if ($write_config > 0)
+ write_config();
+
+ $conf = '';
+
+ // SSL interception acl options part 1
+ if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])){
+ $conf .= "always_direct allow whitelist\n";
+ $conf .= "ssl_bump none whitelist\n";
+ }
+
+ // Package integration
+ if(!empty($settingsconfig['custom_options'])){
+ $co_preg[0]='/;/';
+ $co_rep[0]="\n";
+ $co_preg[1]="/redirect_program/";
+ $co_rep[1]="url_rewrite_program";
+ $co_preg[2]="/redirector_bypass/";
+ $co_rep[2]="url_rewrite_bypass";
+ $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n";
+ }
+
+ // Custom User Options before authentication acls
+ $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
+
+ // Deny the banned guys before allowing the good guys
+ if(! empty($settingsnac['banned_hosts'])) {
+ if (squid_is_valid_acl('banned_hosts')) {
+ $conf .= "# These hosts are banned\n";
+ $conf .= "http_access deny banned_hosts\n";
+ }
+ }
+ if(! empty($settingsnac['banned_macs'])) {
+ if (squid_is_valid_acl('banned_macs')) {
+ $conf .= "# These macs are banned\n";
+ $conf .= "http_access deny banned_macs\n";
+ }
+ }
+
+ // Unrestricted hosts take precedence over blacklist
+ if(! empty($settingsnac['unrestricted_hosts'])) {
+ if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") {
+ $conf .= "# These hosts do not have any restrictions\n";
+ $conf .= "http_access allow unrestricted_hosts\n";
+ }
+ }
+ if(! empty($settingsnac['unrestricted_macs'])) {
+ if (squid_is_valid_acl('unrestricted_macs')) {
+ $conf .= "# These hosts do not have any restrictions\n";
+ $conf .= "http_access allow unrestricted_macs\n";
+ }
+ }
+
+ // Whitelist and blacklist also take precedence over other allow rules
+ if(! empty($settingsnac['whitelist'])) {
+ if (squid_is_valid_acl('whitelist')) {
+ $conf .= "# Always allow access to whitelist domains\n";
+ $conf .= "http_access allow whitelist\n";
+ }
+ }
+ if(! empty($settingsnac['blacklist'])) {
+ if (squid_is_valid_acl('blacklist')) {
+ $conf .= "# Block access to blacklist domains\n";
+ $conf .= "http_access deny blacklist\n";
+ }
+ }
+ if(! empty($settingsnac['block_user_agent'])) {
+ if (squid_is_valid_acl('block_user_agent')) {
+ $conf .= "# Block access with user agents and browsers\n";
+ $conf .= "http_access deny block_user_agent\n";
+ }
+ }
+ if(! empty($settingsnac['block_reply_mime_type'])) {
+ if (squid_is_valid_acl('block_reply_mime_type')) {
+ $conf .= "# Block access with mime type in the reply\n";
+ $conf .= "http_reply_access deny block_reply_mime_type\n";
+ }
+ }
+
+ // SSL interception acl options part 2
+ /*if ($settingsconfig['ssl_proxy'] == "on"){
+ $conf .= "always_direct allow all\n";
+ $conf .= "ssl_bump server-first all\n";
+ }*/
+
+ // Include squidguard denied acl log in squid
+ if ($settingsconfig['log_sqd'])
+ $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n";
+
+ $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
+ if ($transparent_proxy){
+ if (preg_match ("/(none|cp)/",$settings['auth_method']))
+ $auth_method=$settings['auth_method'];
+ else
+ $auth_method="none";
+ }
+ else{
+ $auth_method=$settings['auth_method'];
+ }
+ // Allow the remaining ACLs if no authentication is set
+ if ($auth_method == 'none' || $auth_method == 'cp') {
+ // Include squidguard denied acl log in squid
+ if ($settingsconfig['log_sqd'])
+ $conf .="http_access deny sglog\n";
+ }
+ if ($auth_method == 'none' ) {
+ $conf .="# Setup allowed acls\n";
+ $allowed = array('allowed_subnets');
+ if ($settingsconfig['allow_interface'] == 'on') {
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $allowed[] = "localnet";
+ }
+ $allowed = array_filter($allowed, 'squid_is_valid_acl');
+ foreach ($allowed as $acl)
+ $conf .= "http_access allow $acl\n";
+ }
+ else {
+ $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
+ if (!empty($noauth)) {
+ $conf .= "acl noauth src $noauth\n";
+ $valid_acls[] = 'noauth';
+ }
+
+ // Set up the external authentication programs
+ $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5);
+ $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
+ $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
+ switch ($auth_method) {
+ case 'local':
+ $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
+ break;
+ case 'ldap':
+ $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
+ $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+ break;
+ case 'radius':
+ $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ break;
+ case 'cp':
+ $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n";
+ $conf .= "acl password external check_cp\n";
+ break;
+ case 'msnt':
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
+ squid_resync_msnt();
+ break;
+ }
+ if ($auth_method != 'cp'){
+ $conf .= <<< EOD
+auth_param basic children $processes
+auth_param basic realm $prompt
+auth_param basic credentialsttl $auth_ttl minutes
+acl password proxy_auth REQUIRED
+
+EOD;
+ }
+ // Custom User Options after authentication definition
+ $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n";
+
+ // SSL interception acl options part 2
+ if ($settingsconfig['ssl_proxy'] == "on"){
+ $conf .= "always_direct allow all\n";
+ $conf .= "ssl_bump server-first all\n";
+ }
+ // Onto the ACLs
+ $password = array('localnet', 'allowed_subnets');
+ $passwordless = array('unrestricted_hosts');
+ if ($settings['unrestricted_auth'] == 'on') {
+ // Even the unrestricted hosts should authenticate
+ $password = array_merge($password, $passwordless);
+ $passwordless = array();
+ }
+ $passwordless[] = 'noauth';
+ $password = array_filter($password, 'squid_is_valid_acl');
+ $passwordless = array_filter($passwordless, 'squid_is_valid_acl');
+
+ // Allow the ACLs that don't need to authenticate
+ foreach ($passwordless as $acl)
+ $conf .= "http_access allow $acl\n";
+
+ //if ($auth_method != 'cp'){
+ // Include squidguard denied acl log in squid
+ if ($settingsconfig['log_sqd'])
+ $conf .="http_access deny password sglog\n";
+
+ // Allow the other ACLs as long as they authenticate
+ foreach ($password as $acl)
+ $conf .= "http_access allow password $acl\n";
+ // }
+ }
+
+ $conf .= "# Default block all to be sure\n";
+ $conf .= "http_access deny allsrc\n";
+
+ return $conf;
+}
+
+function squid_resync_users() {
+ global $config;
+
+ $users = $config['installedpackages']['squidusers']['config'];
+ $contents = '';
+ if (is_array($users)) {
+ foreach ($users as $user)
+ $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";
+ }
+ file_put_contents(SQUID_PASSWD, $contents);
+ chown(SQUID_PASSWD, 'proxy');
+ chmod(SQUID_PASSWD, 0600);
+}
+
+function squid_resync_msnt() {
+ global $config;
+
+ if (is_array($config['installedpackages']['squidauth']))
+ $settings = $config['installedpackages']['squidauth']['config'][0];
+ else
+ $settings = array();
+ $pdcserver = $settings['auth_server'];
+ $bdcserver = str_replace(',',' ',$settings['msnt_secondary']);
+ $ntdomain = $settings['auth_ntdomain'];
+
+ file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}");
+ chown(SQUID_CONFBASE."/msntauth.conf", 'proxy');
+ chmod(SQUID_CONFBASE."/msntauth.conf", 0600);
+}
+
+function squid_resync($via_rpc="no") {
+ global $config;
+
+ # detect boot process
+ if (is_array($_POST)){
+ if (preg_match("/\w+/",$_POST['__csrf_magic']))
+ unset($boot_process);
+ else
+ $boot_process="on";
+ }
+
+ log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc);
+
+ if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no")
+ return;
+
+ conf_mount_rw();
+ foreach (array( SQUID_CONFBASE,
+ SQUID_ACLDIR,
+ SQUID_BASE,
+ SQUID_LIB,
+ SQUID_SSL_DB ) as $dir) {
+ make_dirs($dir);
+ chown($dir, 'proxy');
+ chgrp($dir, 'proxy');
+ squid_chown_recursive($dir, 'proxy', 'proxy');
+ }
+ $conf = squid_resync_general() . "\n";
+ $conf .= squid_resync_cache() . "\n";
+ $conf .= squid_resync_redirector() . "\n";
+ $conf .= squid_resync_upstream() . "\n";
+ $conf .= squid_resync_nac() . "\n";
+ $conf .= squid_resync_traffic() . "\n";
+ $conf .= squid_resync_reverse() . "\n";
+ $conf .= squid_resync_auth()."\n";
+ $conf .= squid_resync_antivirus();
+ squid_resync_users();
+ squid_write_rcfile();
+
+ if(!isset($boot_process) || $via_rpc="yes")
+ squid_sync_on_changes();
+
+ #write config file
+ file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf);
+
+ /* make sure pinger is executable */
+ if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger"))
+ exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger");
+
+ $log_dir="";
+ #check if squid is enabled
+ if (is_array($config['installedpackages']['squid']['config'])){
+ if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "")
+ $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/';
+ }
+ #check if squidreverse is enabled
+ else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){
+ if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "")
+ $log_dir="/var/squid/logs/";
+ }
+ #do not start squid if there is no log dir
+ if ($log_dir != ""){
+ if(!is_dir($log_dir)) {
+ log_error("Creating squid log dir $log_dir");
+ make_dirs($log_dir);
+ squid_chown_recursive($log_dir, 'proxy', 'proxy');
+ }
+
+ squid_dash_z();
+
+ if (!is_service_running('squid')) {
+ log_error("Starting Squid");
+ mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE);
+ }
+ else {
+ if (!isset($boot_process)){
+ log_error("Reloading Squid for configuration sync");
+ mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
+ }
+ }
+
+ // Sleep for a couple seconds to give squid a chance to fire up fully.
+ for ($i=0; $i < 10; $i++) {
+ if (!is_service_running('squid'))
+ sleep(1);
+ }
+ filter_configure();
+ }
+ conf_mount_ro();
+}
+
+function squid_print_javascript_auth() {
+ global $config;
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+
+ // No authentication for transparent proxy
+ if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) {
+ $javascript = <<< EOD
+<script language="JavaScript">
+<!--
+function on_auth_method_changed() {
+ document.iform.auth_method.disabled = 1;
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 1;
+ document.iform.auth_ttl.disabled = 1;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+}
+-->
+</script>
+
+EOD;
+ }
+ else {
+ $javascript = <<< EOD
+<script language="JavaScript">
+<!--
+function on_auth_method_changed() {
+ var field = document.iform.auth_method;
+ var auth_method = field.options[field.selectedIndex].value;
+
+ if (auth_method == 'none') {
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 1;
+ document.iform.auth_ttl.disabled = 1;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+ }
+ else {
+ document.iform.auth_prompt.disabled = 0;
+ document.iform.auth_processes.disabled = 0;
+ document.iform.auth_ttl.disabled = 0;
+ document.iform.unrestricted_auth.disabled = 0;
+ document.iform.no_auth_hosts.disabled = 0;
+ }
+
+ switch (auth_method) {
+ case 'local':
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ break;
+ case 'ldap':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 0;
+ document.iform.ldap_pass.disabled = 0;
+ document.iform.ldap_version.disabled = 0;
+ document.iform.ldap_userattribute.disabled = 0;
+ document.iform.ldap_filter.disabled = 0;
+ document.iform.ldap_basedomain.disabled = 0;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ break;
+ case 'radius':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 0;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ break;
+ case 'msnt':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 0;
+ break;
+ case 'cp':
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.auth_ntdomain.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_version.disabled = 1;
+ document.iform.ldap_userattribute.disabled = 1;
+ document.iform.ldap_filter.disabled = 1;
+ document.iform.ldap_pass.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 0;
+ document.iform.auth_ttl.disabled = 0;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+ break;
+ }
+}
+-->
+</script>
+
+EOD;
+ }
+
+ print($javascript);
+}
+
+function squid_print_javascript_auth2() {
+ print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n");
+}
+
+function squid_generate_rules($type) {
+ global $config;
+ $squid_conf = $config['installedpackages']['squid']['config'][0];
+ //check captive portal option
+ $cp_file='/etc/inc/captiveportal.inc';
+ $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $cp_inc = file($cp_file);
+ $new_cp_inc="";
+ $found_rule=0;
+ foreach ($cp_inc as $line){
+ $new_line=$line;
+ //remove applied squid patch
+ if (preg_match('/skipto 65314 ip/',$line)){
+ $found_rule++;
+ $new_line ="";
+ }
+
+ if (substr($pfsense_version,0,3) > 2.0){
+ if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
+ $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
+ }
+ }
+ else{
+ //add squid patch option based on current config
+ if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
+ $new_line .= $line;
+ }
+ if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
+ $new_line .= $line;
+ }
+ }
+ $new_cp_inc .= $new_line;
+ }
+ if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) {
+ copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup');
+ }
+ if($found_rule > 0){
+ file_put_contents($cp_file,$new_cp_inc, LOCK_EX);
+ }
+ //normal squid rule check
+ if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
+ return;
+ }
+
+ if (!is_service_running('squid')) {
+ log_error("SQUID is installed but not started. Not installing \"{$type}\" rules.");
+ return;
+ }
+ #Read assigned interfaces
+ $proxy_ifaces = explode(",", $squid_conf['active_interface']);
+ $proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces);
+ if ($squid_conf['transparent_proxy']=="on"){
+ $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']);
+ $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces);
+ }
+ else{
+ $transparent_ifaces=array();
+ }
+ if ($squid_conf['ssl_proxy'] == "on"){
+ $ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']);
+ $ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces);
+ }
+ else{
+ $ssl_ifaces=array();
+ }
+
+ $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128);
+ $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127);
+
+ $fw_aliases = filter_generate_aliases();
+ if(strstr($fw_aliases, "pptp ="))
+ $PPTP_ALIAS = "\$pptp";
+ else
+ $PPTP_ALIAS = "\$PPTP";
+ if(strstr($fw_aliases, "PPPoE ="))
+ $PPPOE_ALIAS = "\$PPPoE";
+ else
+ $PPPOE_ALIAS = "\$pppoe";
+
+ #define ports based on transparent options and ssl filtering
+ $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
+ switch($type) {
+ case 'nat':
+ $rules .= "\n# Setup Squid proxy redirect\n";
+ if ($squid_conf['private_subnet_proxy_off'] == 'on') {
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
+ }
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if(!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ if (is_alias($ip_proxy_off))
+ $ip_proxy_off = '$'.$ip_proxy_off;
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
+ }
+ }
+ if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
+ $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
+ $exempt_dest = "";
+ foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
+ if(!empty($ip_proxy_off_dest)) {
+ $ip_proxy_off_dest = trim($ip_proxy_off_dest);
+ if (is_alias($ip_proxy_off_dest))
+ $ip_proxy_off_dest = '$'.$ip_proxy_off_dest;
+ $exempt_dest .= ", $ip_proxy_off_dest";
+ }
+ }
+ $exempt_dest = substr($exempt_dest,2);
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
+ }
+ }
+ foreach ($transparent_ifaces as $t_iface) {
+ $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
+ if (in_array($t_iface,$ssl_ifaces))
+ $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
+ }
+ /* Handle PPPOE case */
+ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
+ }
+ /* Handle PPTP case */
+ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
+ }
+ $rules .= "\n";
+ break;
+ case 'filter':
+ case 'rule':
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
+ $rules .= "# Setup squid pass rules for proxy\n";
+ $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
+ #$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
+ $rules .= "\n";
+ };
+ if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
+ $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
+ }
+ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
+ }
+ break;
+ default:
+ break;
+ }
+
+ return $rules;
+}
+
+function squid_write_rcfile() {
+ /* Declare a variable for the SQUID_CONFFILE constant. */
+ /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. */
+ $squid_conffile_var = SQUID_CONFFILE;
+ $squid_base = SQUID_BASE;
+ $rc = array();
+ $rc['file'] = 'squid.sh';
+ $rc['start'] = <<<EOD
+if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then
+ {$squid_base}/sbin/squid -f {$squid_conffile_var}
+fi
+
+EOD;
+
+ $rc['stop'] = <<<EOD
+{$squid_base}/sbin/squid -k shutdown -f {$squid_conffile_var}
+# Just to be sure...
+sleep 5
+
+if [ -f /usr/bin/ipcs ];then
+# http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-22.html#ss22.8
+ipcs | grep '^[mq]' | awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh
+fi
+
+killall -9 squid 2>/dev/null
+killall pinger 2>/dev/null
+
+EOD;
+ $rc['restart'] = <<<EOD
+if [ -z "`ps auxw | grep "[s]quid "|awk '{print $2}'`" ];then
+ {$squid_base}/sbin/squid -f {$squid_conffile_var}
+ else
+ {$squid_base}/sbin/squid -k reconfigure -f {$squid_conffile_var}
+ fi
+
+EOD;
+ conf_mount_rw();
+ write_rcfile($rc);
+ conf_mount_ro();
+}
+
+/* Uses XMLRPC to synchronize the changes to a remote node */
+function squid_sync_on_changes() {
+ global $config, $g;
+ if (is_array($config['installedpackages']['squidsync']['config'])){
+ $squid_sync=$config['installedpackages']['squidsync']['config'][0];
+ $synconchanges = $squid_sync['synconchanges'];
+ $synctimeout = $squid_sync['synctimeout'];
+ switch ($synconchanges){
+ case "manual":
+ if (is_array($squid_sync[row])){
+ $rs=$squid_sync[row];
+ }
+ else{
+ log_error("[squid] xmlrpc sync is enabled but there is no hosts to push on squid config.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
+ $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['ipaddress']=$system_carp['synchronizetoip'];
+ $rs[0]['username']=$system_carp['username'];
+ $rs[0]['password']=$system_carp['password'];
+ }
+ else{
+ log_error("[squid] xmlrpc sync is enabled but there is no system backup hosts to push squid config.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)){
+ log_error("[squid] xmlrpc sync is starting.");
+ foreach($rs as $sh){
+ $sync_to_ip = $sh['ipaddress'];
+ $password = $sh['password'];
+ if($sh['username'])
+ $username = $sh['username'];
+ else
+ $username = 'admin';
+ if($password && $sync_to_ip)
+ squid_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout);
+ }
+ log_error("[squid] xmlrpc sync is ending.");
+ }
+ }
+}
+/* Do the actual XMLRPC sync */
+function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) {
+ global $config, $g;
+
+ if(!$username)
+ return;
+
+ if(!$password)
+ return;
+
+ if(!$sync_to_ip)
+ return;
+
+ if(!$synctimeout)
+ $synctimeout=250;
+
+
+ $xmlrpc_sync_neighbor = $sync_to_ip;
+ if($config['system']['webgui']['protocol'] != "") {
+ $synchronizetoip = $config['system']['webgui']['protocol'];
+ $synchronizetoip .= "://";
+ }
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty lets rely on the protocol selection */
+ if($port == "") {
+ if($config['system']['webgui']['protocol'] == "http")
+ $port = "80";
+ else
+ $port = "443";
+ }
+ $synchronizetoip .= $sync_to_ip;
+
+ /* xml will hold the sections to sync */
+ $xml = array();
+ $xml['squid'] = $config['installedpackages']['squid'];
+ $xml['squidupstream'] = $config['installedpackages']['squidupstream'];
+ $xml['squidcache'] = $config['installedpackages']['squidcache'];
+ $xml['squidantivirus'] = $config['installedpackages']['squidanitivirus'];
+ $xml['squidnac'] = $config['installedpackages']['squidnac'];
+ $xml['squidtraffic'] = $config['installedpackages']['squidtraffic'];
+ $xml['squidreversegeneral'] = $config['installedpackages']['squidreversegeneral'];
+ $xml['squidreversepeer'] = $config['installedpackages']['squidreversepeer'];
+ $xml['squidreverseuri'] = $config['installedpackages']['squidreverseuri'];
+ $xml['squidauth'] = $config['installedpackages']['squidauth'];
+ $xml['squidusers'] = $config['installedpackages']['squidusers'];
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($xml)
+ );
+
+ /* set a few variables needed for sync code borrowed from filter.inc */
+ $url = $synchronizetoip;
+ log_error("[Squid] Beginning squid XMLRPC sync to {$url}:{$port}.");
+ $method = 'pfsense.merge_installedpackages_section_xmlrpc';
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ if($g['debug'])
+ $cli->setDebug(1);
+ /* send our XMLRPC message and timeout after defined sync timeout value*/
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}.";
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } else {
+ log_error("[Squid] XMLRPC sync successfully completed with {$url}:{$port}.");
+ }
+
+ /* tell squid to reload our settings on the destination sync host. */
+ $method = 'pfsense.exec_php';
+ $execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
+ $execcmd .= "squid_resync('yes');";
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($execcmd)
+ );
+
+ log_error("[Squid] XMLRPC reload data {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } else {
+ log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ }
+
+}
+?>
diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml
new file mode 100644
index 00000000..970f093e
--- /dev/null
+++ b/config/squid3/34/squid.xml
@@ -0,0 +1,582 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2013-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squid</name>
+ <version>3.4.9</version>
+ <title>Proxy server: General settings</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <menu>
+ <name>Proxy server</name>
+ <tooltiptext>Modify the proxy server's settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </menu>
+ <menu>
+ <name>Reverse Proxy</name>
+ <tooltiptext>Modify the proxy reverse server's settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0</url>
+ </menu>
+ <service>
+ <name>squid</name>
+ <rcfile>squid.sh</rcfile>
+ <executable>squid</executable>
+ <description>Proxy server Service</description>
+ </service>
+ <service>
+ <name>clamd</name>
+ <rcfile>clamav-clamd</rcfile>
+ <executable>clamd</executable>
+ <description>Clamav Antivirus</description>
+ </service>
+ <service>
+ <name>c-icap</name>
+ <rcfile>c-icap</rcfile>
+ <executable>c-icap</executable>
+ <description>Icap inteface for squid and clamav integration</description>
+ </service>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <!-- Installation -->
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_peer.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_uri.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_sync.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_sync.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_cache.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_nac.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_ng.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_ng.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_upstream.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_auth.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_users.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/sqpmon.sh</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/swapstate_check.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_redir.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_monitor.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_monitor_data.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/www/shortcuts/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid3/34/check_ip.php</item>
+ </additional_files_needed>
+ <fields>
+ <field>
+ <name>Squid General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Proxy interface(s)</fielddescr>
+ <fieldname>active_interface</fieldname>
+ <description>The interface(s) the proxy server will bind to.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>lan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>Proxy port</fielddescr>
+ <fieldname>proxy_port</fieldname>
+ <description>This is the port the proxy server will listen on.</description>
+ <type>input</type>
+ <size>5</size>
+ <required/>
+ <default_value>3128</default_value>
+ </field>
+ <field>
+ <fielddescr>ICP port</fielddescr>
+ <fieldname>icp_port</fieldname>
+ <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description>
+ <type>input</type>
+ <size>5</size>
+ </field>
+
+ <field>
+ <fielddescr>Allow users on interface</fielddescr>
+ <fieldname>allow_interface</fieldname>
+ <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description>
+ <type>checkbox</type>
+ <required/>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Patch captive portal</fielddescr>
+ <fieldname>patch_cp</fieldname>
+ <description><![CDATA[Enable this option to force captive portal to non transparent proxy users.<br>
+ <strong>NOTE:</strong> You may need to reapply captive portal config after changing this option.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Resolv dns v4 first</fielddescr>
+ <fieldname>dns_v4_first</fieldname>
+ <description><![CDATA[Enable this option to force dns v4 lookup first. This option is very usefull if you have problems to access https sites.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Disable ICMP</fielddescr>
+ <fieldname>disable_pinger</fieldname>
+ <description><![CDATA[Enable this option to disable squid ICMP pinger helper.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Use alternate DNS-servers for the proxy-server</fielddescr>
+ <fieldname>dns_nameservers</fieldname>
+ <description>If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;).</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <name>Transparent Proxy Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Transparent HTTP proxy</fielddescr>
+ <fieldname>transparent_proxy</fieldname>
+ <description><![CDATA[Enable transparent mode to forward all requests for destination port 80 to the proxy server without any additional configuration necessary.<br>
+ <strong>NOTE:</strong> Transparent mode will filter ssl(port 443) if enable men-in-the-middle options below.<br>
+ To filter both http and https protocol without intercepting ssl connections, enable WPAD/PAC options on your dns/dhcp.]]></description>
+ <type>checkbox</type>
+ <enablefields>transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest</enablefields>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Transparent Proxy interface(s)</fielddescr>
+ <fieldname>transparent_active_interface</fieldname>
+ <description>The interface(s) the proxy server will transparent intercept requests.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>lan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>Bypass proxy for Private Address destination</fielddescr>
+ <fieldname>private_subnet_proxy_off</fieldname>
+ <description>Do not forward traffic to Private Address Space (RFC 1918) &lt;b&gt;destination&lt;/b&gt; through the proxy server but directly through the firewall.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Bypass proxy for these source IPs</fielddescr>
+ <fieldname>defined_ip_proxy_off</fieldname>
+ <description>Do not forward traffic from these &lt;b&gt;source&lt;/b&gt; IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Bypass proxy for these destination IPs</fielddescr>
+ <fieldname>defined_ip_proxy_off_dest</fieldname>
+ <description>Do not proxy traffic going to these &lt;b&gt;destination&lt;/b&gt; IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode]</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <name>SSL man in the middle Filtering</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>HTTPS/SSL interception</fielddescr>
+ <fieldname>ssl_proxy</fieldname>
+ <description><![CDATA[Enable SSL filtering.]]></description>
+ <type>checkbox</type>
+ <enablefields>ssl_active_interface,dcert,sslcrtd_children,ssl_proxy_port,interception_checks</enablefields>
+ </field>
+ <field>
+ <fielddescr>SSL Intercept interface(s)</fielddescr>
+ <fieldname>ssl_active_interface</fieldname>
+ <description>The interface(s) the proxy server will intercept ssl requests.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>lan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>SSL Proxy port</fielddescr>
+ <fieldname>ssl_proxy_port</fieldname>
+ <description>This is the port the proxy server will listen on to intercept ssl while using transparent proxy.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>3129</default_value>
+ </field>
+ <field>
+ <fielddescr>CA</fielddescr>
+ <fieldname>dca</fieldname>
+ <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br>
+ To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br>
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description>
+ <type>select_source</type>
+ <source><![CDATA[$config['ca']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>sslcrtd children</fielddescr>
+ <fieldname>sslcrtd_children</fieldname>
+ <description><![CDATA[This is the number of ssl crt deamon children to start. Default value is 5.<br>
+ if Squid is used in busy environments this may need to be increased, as well as the number of 'sslcrtd_children']]></description>
+ <type>input</type>
+ <size>2</size>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Remote Cert checks</fielddescr>
+ <fieldname>interception_checks</fieldname>
+ <description><![CDATA[Select remote ssl cert checks to do.<br>Defaul is to do not select any of these options.]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Accept remote server certificate Erros</name><value>sslproxy_cert_error</value></option>
+ <option><name>Do not verify remote certificate</name><value>sslproxy_flags</value></option>
+ </options>
+ <multiple/>
+ <size>3</size>
+ </field>
+ <field>
+ <fielddescr>Certificate adapt</fielddescr>
+ <fieldname>interception_adapt</fieldname>
+ <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option>
+ <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option>
+ <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option>
+ </options>
+ <multiple/>
+ <size>3</size>
+ </field>
+ <field>
+ <name>Logging Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enabled logging</fielddescr>
+ <fieldname>log_enabled</fieldname>
+ <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
+ <type>checkbox</type>
+ <enablefields>log_query_terms,log_user_agents</enablefields>
+ </field>
+ <field>
+ <fielddescr>Log store directory</fielddescr>
+ <fieldname>log_dir</fieldname>
+ <description>The directory where the log will be stored (note: do not end with a / mark)</description>
+ <type>input</type>
+ <size>60</size>
+ <required/>
+ <default_value>/var/squid/logs</default_value>
+ </field>
+ <field>
+ <fielddescr>Log rotate</fielddescr>
+ <fieldname>log_rotate</fieldname>
+ <description>Defines how many days of logfiles will be kept. Rotation is disabled if left empty.</description>
+ <type>input</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr>Visible hostname</fielddescr>
+ <fieldname>visible_hostname</fieldname>
+ <description>This is the URL to be displayed in proxy server error messages.</description>
+ <type>input</type>
+ <size>60</size>
+ <default_value>localhost</default_value>
+ </field>
+ <field>
+ <fielddescr>Administrator email</fielddescr>
+ <fieldname>admin_email</fieldname>
+ <description>This is the email address displayed in error messages to the users.</description>
+ <type>input</type>
+ <size>60</size>
+ <default_value>admin@localhost</default_value>
+ </field>
+ <field>
+ <fielddescr>Language</fielddescr>
+ <fieldname>error_language</fieldname>
+ <description>Select the language in which the proxy server will display error messages to users.</description>
+ <type>select</type>
+ <default_value>en</default_value>
+ </field>
+ <field>
+ <fielddescr>Disable X-Forward</fielddescr>
+ <fieldname>disable_xforward</fieldname>
+ <description>If not set, Squid will include your system's IP address or name in the HTTP requests it forwards.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Disable VIA</fielddescr>
+ <fieldname>disable_via</fieldname>
+ <description>If not set, Squid will include a Via header in requests and replies as required by RFC2616.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log denied pages by squidguard</fielddescr>
+ <fieldname>log_sqd</fieldname>
+ <description><![CDATA[Enable squidguard denied log to be included on squid logs.<br>
+ <strong>Note:</strong> This option only will work if you include this code on your sgerror.php file to force client browser send a second request to squid with denied string on url.<br><br>
+ $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");<br>
+ $str[] = '< iframe > src="'.$cl['u'].$sge_prefix.'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';<br><br>
+ removing extra space on iframe html code.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>What to do with requests that have whitespace characters in the URI</fielddescr>
+ <fieldname>uri_whitespace</fieldname>
+ <description>&lt;b&gt; strip:&lt;/b&gt; The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. &lt;p&gt; &lt;b&gt; deny:&lt;/b&gt; The request is denied. The user receives an "Invalid Request" message.&lt;p&gt; &lt;b&gt; allow:&lt;/b&gt; The request is allowed and the URI is not changed. The whitespace characters remain in the URI.&lt;p&gt; &lt;b&gt; encode:&lt;/b&gt; The request is allowed and the whitespace characters are encoded according to RFC1738.&lt;p&gt; &lt;b&gt; chop:&lt;/b&gt; The request is allowed and the URI is chopped at the first whitespace.</description>
+ <type>select</type>
+ <default_value>strip</default_value>
+ <options>
+ <option><name>strip</name><value>strip</value></option>
+ <option><name>deny</name><value>deny</value></option>
+ <option><name>allow</name><value>allow</value></option>
+ <option><name>encode</name><value>encode</value></option>
+ <option><name>chop</name><value>chop</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Suppress Squid Version</fielddescr>
+ <fieldname>disable_squidversion</fieldname>
+ <description>If set, suppress Squid version string info in HTTP headers and HTML error pages.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>Custom Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Integrations</fielddescr>
+ <fieldname>custom_options</fieldname>
+ <description><![CDATA[Squid options added from packages like squidguard or havp for squid integration.]]></description>
+ <type>textarea</type>
+ <cols>78</cols>
+ <rows>5</rows>
+ </field>
+ <field>
+ <fielddescr>Custom ACLS (Before_Auth)</fielddescr>
+ <fieldname>custom_options_squid3</fieldname>
+ <description><![CDATA[Put your own custom options here,one per line. They'll be added to the configuration before authetication acls(if any).<br>
+ <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>78</cols>
+ <rows>10</rows>
+ </field>
+ <field>
+ <fielddescr>Custom ACLS (After_Auth)</fielddescr>
+ <fieldname>custom_options2_squid3</fieldname>
+ <description><![CDATA[Put your own custom options here,one per line. They'll be added to the configuration after authetication definition(if any).<br>
+ <strong>They need to be squid.conf native options, otherwise squid will NOT work.</strong>]]></description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>78</cols>
+ <rows>10</rows>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general($pkg);
+ </custom_php_command_before_form>
+ <custom_add_php_command>
+ squid_resync();
+ </custom_add_php_command>
+ <custom_php_validation_command>
+ squid_validate_general($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ unlink_if_exists("/usr/local/etc/rc.d/squid");
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ update_status("Checking Squid cache... One moment please...");
+ update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.");
+ squid_install_command();
+ squid_resync();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid");
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ squid_deinstall_command();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid*");
+ </custom_php_deinstall_command>
+ <filter_rules_needed>squid_generate_rules</filter_rules_needed>
+</packagegui>
diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml
new file mode 100755
index 00000000..2afb1ff1
--- /dev/null
+++ b/config/squid3/34/squid_antivirus.xml
@@ -0,0 +1,158 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_antivirus.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2013-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidantivirus</name>
+ <version>none</version>
+ <title>Proxy server: Antivirus</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Clamav anti-virus integration using c-icap</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>Enable squid antivirus check using clamav.</description>
+ <enablefields>max_check_size,Timeout,MaxKeepAliveRequests,KeepAliveTimeout,StartServers,MaxServers</enablefields>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Client forward options</fielddescr>
+ <fieldname>client_info</fieldname>
+ <description><![CDATA[Select what client info to forward to clamav.]]></description>
+ <type>select</type>
+ <default_value>strip</default_value>
+ <options>
+ <option><name>Send Both client username and ip info(Default)</name><value>both</value></option>
+ <option><name>Send only client username</name><value>username</value></option>
+ <option><name>Send only client ip</name><value>ip</value></option>
+ <option><name>Do not send client info</name><value>none</value></option>
+ </options>
+ </field>
+ <field>
+ <name>Advanced options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>squidclamav.conf</fielddescr>
+ <fieldname>squidclamav</fieldname>
+ <description>squidclamav.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>75</cols>
+ <rows>15</rows>
+ </field>
+ <field>
+ <fielddescr>c-icap.conf</fielddescr>
+ <fieldname>c-icap_conf</fieldname>
+ <description>c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>75</cols>
+ <rows>15</rows>
+ </field>
+ <field>
+ <fielddescr>c-icap.magic</fielddescr>
+ <fieldname>c-icap_magic</fieldname>
+ <description>c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing.</description>
+ <type>textarea</type>
+ <encoding>base64</encoding>
+ <cols>75</cols>
+ <rows>15</rows>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
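Review bot: The `client_info` select sets `<default_value>strip</default_value>`, but its options are only both/username/ip/none and the first option's label calls "both" the default, so the configured default never matches an option; it should read `<default_value>both</default_value>`. The `<enablefields>` list on the `enable` checkbox names max_check_size, Timeout, MaxKeepAliveRequests, KeepAliveTimeout, StartServers and MaxServers, none of which are fields in this file, so unless they exist elsewhere the toggle enables nothing visible. The `c-icap_magic` description is a copy of the c-icap.conf one; `c-icap.magic file. Leave empty to load sample file. Edit only if you know what are you doing.` would match the field. The `<custom_php_validation_command>` block is empty, so the three base64 textareas that feed daemon configuration files are saved without any validation, which is worth at least a comment stating that this is intentional.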
diff --git a/config/squid3/34/squid_auth.inc b/config/squid3/34/squid_auth.inc
new file mode 100644
index 00000000..cc511607
--- /dev/null
+++ b/config/squid3/34/squid_auth.inc
@@ -0,0 +1,446 @@
+<?php
+/* $Id$ */
+
+/*
+ squid_auth.inc
+ part of pfSense (www.pfSense.com)
+
+ Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+function global_eval_auth_options()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) {
+ case "none":
+ dynamic_auth_content("pkg_edit");
+ dynamic_no_auth();
+ break;
+ case "local_auth":
+ dynamic_auth_content("pkg");
+ /* create empty passwd file to prevent stat error with squid reload */
+ touch ("/usr/local/etc/squid/advanced/ncsa/passwd");
+ dynamic_local_auth();
+ break;
+ case "ldap_bind":
+ dynamic_auth_content("pkg_edit");
+ dynamic_ldap_auth();
+ break;
+ case "domain_auth":
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_domain_auth();
+ break;
+ case "radius_auth":
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_radius_auth();
+ break;
+ default:
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_no_auth();
+ break;
+ }
+
+ config_unlock();
+ conf_mount_ro();
+
+} /* end function global_eval_auth_options */
+
+function dynamic_no_auth() {
+ global $config;
+ conf_mount_rw();
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+ fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
+ fwrite($fout, "<packagegui>\n");
+ fwrite($fout, " <name>squidextnoauth</name>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
+ fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tabs>\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>General Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Upstream Proxy</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Cache Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Network Access Control</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Traffic Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Extended Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ fwrite($fout, " <active/>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </tabs>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <fields>\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n");
+ fwrite($fout, " <fieldname>no_auth</fieldname>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, " </fields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <custom_add_php_command_late>\n");
+ fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");");
+ fwrite($fout, "\n");
+ fwrite($fout, " global_write_squid_config();\n");
+ fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
+ fwrite($fout, " </custom_add_php_command_late>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "</packagegui>\n");
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
+}
+
+function dynamic_local_auth() {
+ global $config;
+ conf_mount_rw();
+
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+
+ fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "<packagegui>\n");
+ fwrite($fout, " <name>squidextlocalauth</name>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
+ fwrite($fout, " <version>2.5.10_4</version>\n");
+ fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <files></files>\n");
+ fwrite($fout, " <menu></menu>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tabs>\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>General Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Upstream Proxy</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Cache Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Network Access Control</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Traffic Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Extended Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ fwrite($fout, " <active/>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </tabs>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <adddeleteeditpagefields>\n");
+ fwrite($fout, " <columnitem>\n");
+ fwrite($fout, " <fielddescr>Username</fielddescr>\n");
+ fwrite($fout, " <fieldname>username</fieldname>\n");
+ fwrite($fout, " </columnitem>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <columnitem>\n");
+ fwrite($fout, " <fielddescr>Description</fielddescr>\n");
+ fwrite($fout, " <fieldname>description</fieldname>\n");
+ fwrite($fout, " </columnitem>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <columnitem>\n");
+ fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
+ fwrite($fout, " <fieldname>group</fieldname>\n");
+ fwrite($fout, " </columnitem>\n");
+ fwrite($fout, " </adddeleteeditpagefields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <fields>\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Username</fielddescr>\n");
+ fwrite($fout, " <fieldname>username</fieldname>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>15</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Password</fielddescr>\n");
+ fwrite($fout, " <fieldname>password</fieldname>\n");
+ fwrite($fout, " <type>password</type>\n");
+ fwrite($fout, " <size>8</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n");
+ fwrite($fout, " <fieldname>description</fieldname>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>30</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
+ fwrite($fout, " <fieldname>group</fieldname>\n");
+ fwrite($fout, " <type>select</type>\n");
+ fwrite($fout, " <options>\n");
+ fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n");
+ fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n");
+ fwrite($fout, " </options>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </fields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <custom_add_php_command_late>\n");
+ fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " mod_htpasswd();\n");
+ fwrite($fout, " global_write_squid_config();\n");
+ fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
+ fwrite($fout, " </custom_add_php_command_late>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "</packagegui>\n");
+
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
+}
+
+function dynamic_ldap_auth() {
+ global $config;
+ conf_mount_rw();
+
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+
+ fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "<packagegui>\n");
+ fwrite($fout, " <name>squidextldapauth</name>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
+ fwrite($fout, " <version>2.5.11</version>\n");
+ fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <files></files>\n");
+ fwrite($fout, " <menu></menu>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tabs>\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>General Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Upstream Proxy</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Cache Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Network Access Control</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Traffic Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Extended Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ fwrite($fout, " <active/>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </tabs>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <fields>\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Base DN</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n");
+ fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>50</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_server</fieldname>\n");
+ fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>20</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_type</fieldname>\n");
+ fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n");
+ fwrite($fout, " <type>select</type>\n");
+ fwrite($fout, " <options>\n");
+ fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n");
+ fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n");
+ fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n");
+ fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n");
+ fwrite($fout, " </options>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_port</fieldname>\n");
+ fwrite($fout, " <description>This is the port that LDAP bind will attempt on. The default is \"389\".</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>5</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n");
+ fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n");
+ fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>30</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n");
+ fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n");
+ fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n");
+ fwrite($fout, " <type>password</type>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </fields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <custom_add_php_command_late>\n");
+ fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " mod_htpasswd();\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " global_write_squid_config();\n");
+ fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
+ fwrite($fout, " </custom_add_php_command_late>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "</packagegui>\n");
+
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
+}
+
+/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */
+function dynamic_auth_content($pkgvar) {
+
+ switch ($pkgvar) {
+ case "pkg":
+ if ($handle = opendir("/usr/local/pkg")) {
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
+ $filecontents = file("/usr/local/pkg/" . $file);
+ $fout = fopen("/usr/local/pkg/" . $file, "w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+ fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ } else {
+ fwrite($fout, $line);
+ }
+ }
+ }
+ }
+ }
+ break;
+
+ case "pkg_edit":
+ if ($handle = opendir("/usr/local/pkg")) {
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
+ $filecontents = file("/usr/local/pkg/" . $file);
+ $fout = fopen("/usr/local/pkg/" . $file,"w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ } else {
+ fwrite($fout, $line);
+ }
+ }
+ }
+ }
+ }
+ break;
+ }
+
+} /* end function dynamic_auth_content */
+?> \ No newline at end of file
diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml
new file mode 100755
index 00000000..7f54b156
--- /dev/null
+++ b/config/squid3/34/squid_auth.xml
@@ -0,0 +1,270 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidauth</name>
+ <version>none</version>
+ <title>Proxy server: Authentication</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Authentication General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Authentication method</fielddescr>
+ <fieldname>auth_method</fieldname>
+ <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description>
+ <type>select</type>
+ <required/>
+ <default_value>none</default_value>
+ <options>
+ <option><name>None</name><value>none</value></option>
+ <option><name>Local</name><value>local</value></option>
+ <option><name>LDAP</name><value>ldap</value></option>
+ <option><name>RADIUS</name><value>radius</value></option>
+ <option><name>Captive Portal</name><value>cp</value></option>
+ <option><name>NT domain</name><value>msnt</value></option>
+ </options>
+ <onchange>on_auth_method_changed()</onchange>
+ </field>
+ <field>
+ <fielddescr>Authentication server</fielddescr>
+ <fieldname>auth_server</fieldname>
+ <description>Enter here the IP or hostname of the server that will perform the authentication.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Authentication server port</fielddescr>
+ <fieldname>auth_server_port</fieldname>
+ <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Authentication prompt</fielddescr>
+ <fieldname>auth_prompt</fieldname>
+ <description>This string will be displayed at the top of the authentication request window.</description>
+ <type>input</type>
+ <default_value>Please enter your credentials to access the proxy</default_value>
+ </field>
+ <field>
+ <fielddescr>Authentication processes</fielddescr>
+ <fieldname>auth_processes</fieldname>
+ <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Authentication TTL</fielddescr>
+ <fieldname>auth_ttl</fieldname>
+ <description>This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>5</default_value>
+ </field>
+ <field>
+ <fielddescr>Requiere authentication for unrestricted hosts</fielddescr>
+ <fieldname>unrestricted_auth</fieldname>
+ <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Subnets that don't need authentication</fielddescr>
+ <fieldname>no_auth_hosts</fieldname>
+ <description>Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <name>Squid Authentication Ldap Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>LDAP version</fielddescr>
+ <fieldname>ldap_version</fieldname>
+ <description>Enter LDAP protocol version (2 or 3).</description>
+ <type>select</type>
+ <default_value>2</default_value>
+ <options>
+ <option><name>2</name><value>2</value></option>
+ <option><name>3</name><value>3</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>LDAP server user DN</fielddescr>
+ <fieldname>ldap_user</fieldname>
+ <description>Enter here the user DN to use to connect to the LDAP server.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>LDAP password</fielddescr>
+ <fieldname>ldap_pass</fieldname>
+ <description>Enter here the password to use to connect to the LDAP server.</description>
+ <type>password</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>LDAP base domain</fielddescr>
+ <fieldname>ldap_basedomain</fieldname>
+ <description>For LDAP authentication, enter here the base domain in the LDAP server.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>LDAP username DN attribute</fielddescr>
+ <fieldname>ldap_userattribute</fieldname>
+ <description>Enter LDAP username DN attibute.</description>
+ <type>input</type>
+ <size>20</size>
+ <default_value>uid</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP search filter</fielddescr>
+ <fieldname>ldap_filter</fieldname>
+ <description>Enter LDAP search filter.</description>
+ <type>input</type>
+ <size>40</size>
+ <default_value>(&amp;(objectClass=person)(uid=%s))</default_value>
+ </field>
+ <field>
+ <name>Squid Authentication NT Domain Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>NT domain</fielddescr>
+ <fieldname>auth_ntdomain</fieldname>
+ <description>Enter here the NT domain.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Secondary NT servers</fielddescr>
+ <fieldname>msnt_secondary</fieldname>
+ <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Authentication Radius Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>RADIUS secret</fielddescr>
+ <fieldname>radius_secret</fieldname>
+ <description>The RADIUS secret for RADIUS authentication.</description>
+ <type>password</type>
+ <size>20</size>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_auth($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_after_form_command>
+ squid_print_javascript_auth2();
+ </custom_php_after_form_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+ <custom_php_before_form_command>
+ squid_print_javascript_auth2();
+ </custom_php_before_form_command>
+ <custom_php_after_head_command>
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+ if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method']))
+ $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled";
+ squid_print_javascript_auth();
+ </custom_php_after_head_command>
+</packagegui>
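Review bot: `squid_print_javascript_auth2()` is emitted twice on this page, once from `custom_php_after_form_command` and again from `custom_php_before_form_command`, so the same script block is written both before and after the form; one of the two hooks looks like a leftover and should be dropped once the intended placement is confirmed in squid.inc (outside this diff). The transparent-proxy guard in `custom_php_after_head_command` tests the stored `auth_method` with an unanchored `preg_match("/(local|ldap|radius|msnt|ntlm)/", ...)`; since the field is a fixed `<select>`, `in_array($config['installedpackages']['squidauth']['config'][0]['auth_method'], array('local', 'ldap', 'radius', 'msnt'), true)` states the intent exactly, and `ntlm` is not one of the offered values. The `unrestricted_auth` label should read `Require authentication for unrestricted hosts` (currently `Requiere`).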
diff --git a/config/squid3/34/squid_cache.xml b/config/squid3/34/squid_cache.xml
new file mode 100755
index 00000000..f9204d46
--- /dev/null
+++ b/config/squid3/34/squid_cache.xml
@@ -0,0 +1,322 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form MUST reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidcache</name>
+ <version>none</version>
+ <title>Proxy server: Cache management</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+<tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Cache General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Cache replacement policy</fielddescr>
+ <fieldname>cache_replacement_policy</fieldname>
+ <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description>
+ <type>select</type>
+ <default_value>heap LFUDA</default_value>
+ <options>
+ <option><name>LRU</name><value>lru</value></option>
+ <option><name>Heap LFUDA</name><value>heap LFUDA</value></option>
+ <option><name>Heap GDSF</name><value>heap GDSF</value></option>
+ <option><name>Heap LRU</name><value>heap LRU</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Low-water-mark in %</fielddescr>
+ <fieldname>cache_swap_low</fieldname>
+ <description>Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>90</default_value>
+ </field>
+ <field>
+ <fielddescr>High-water-mark in %</fielddescr>
+ <fieldname>cache_swap_high</fieldname>
+ <description>As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>95</default_value>
+ </field>
+ <field>
+ <fielddescr>Do not cache</fielddescr>
+ <fieldname>donotcache</fieldname>
+ <description>Enter each domain or IP address on a new line that should never be cached.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Enable offline mode</fielddescr>
+ <fieldname>enable_offline</fieldname>
+ <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description>
+ <type>checkbox</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>External Cache-Managers</fielddescr>
+ <fieldname>ext_cachemanager</fieldname>
+ <description>Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;).</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Hard disk cacheSettings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Hard disk cache size</fielddescr>
+ <fieldname>harddisk_cache_size</fieldname>
+ <description>This is the amount of disk space (in megabytes) to use for cached objects.</description>
+ <type>input</type>
+ <required/>
+ <size>10</size>
+ <default_value>100</default_value>
+ </field>
+ <field>
+ <fielddescr>Hard disk cache system</fielddescr>
+ <fieldname>harddisk_cache_system</fieldname>
+ <description><![CDATA[This specifies the kind of storage system to use.
+ <br><br><b>ufs</b> is the old well-known Squid storage format that has always been there.
+ <br><br><b>aufs</b> uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.)
+ <br><br><b>diskd</b> uses a separate process to avoid blocking the main Squid process on disk-I/O.<br>To use <b>ipcs</b> and <b>ipcrm</b> on squid, Download livefs.iso from ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/ mount it and copy <b>/usr/bin/ipcs</b> and <b>/usr/bin/ipcrm</b> to your system and set them as executables.
+ <br><br><b>null</b> Does not use any storage. Ideal for Embedded/NanoBSD.]]></description>
+ <type>select</type>
+ <default_value>ufs</default_value>
+ <options>
+ <option><name>ufs</name><value>ufs</value></option>
+ <option><name>aufs</name><value>aufs</value></option>
+ <option><name>diskd</name><value>diskd</value></option>
+ <option><name>null</name><value>null</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Clear cache on log rotate</fielddescr>
+ <fieldname>clear_cache</fieldname>
+ <description><![CDATA[If set, Squid will clear cache and swap.state on every log rotate.<br>
+ This action will be executed automatically if the swap.state file is taking up more than 75% disk space,or the drive is 90%]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Level 1 subdirectories</fielddescr>
+ <fieldname>level1_subdirs</fieldname>
+ <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description>
+ <type>select</type>
+ <default_value>16</default_value>
+ <options>
+ <option><name>4</name><value>4</value></option>
+ <option><name>8</name><value>8</value></option>
+ <option><name>16</name><value>16</value></option>
+ <option><name>32</name><value>32</value></option>
+ <option><name>64</name><value>64</value></option>
+ <option><name>128</name><value>128</value></option>
+ <option><name>256</name><value>256</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Hard disk cache location</fielddescr>
+ <fieldname>harddisk_cache_location</fieldname>
+ <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description>
+ <type>input</type>
+ <size>60</size>
+ <required/>
+ <default_value>/var/squid/cache</default_value>
+ </field>
+ <field>
+ <fielddescr>Minimum object size</fielddescr>
+ <fieldname>minimum_object_size</fieldname>
+ <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description>
+ <type>input</type>
+ <required />
+ <size>10</size>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Maximum object size</fielddescr>
+ <fieldname>maximum_object_size</fieldname>
+ <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description>
+ <type>input</type>
+ <required/>
+ <size>10</size>
+ <default_value>4</default_value>
+ </field>
+ <field>
+ <name>Squid Memory Cache Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Memory cache size</fielddescr>
+ <fieldname>memory_cache_size</fieldname>
+ <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>8</default_value>
+ </field>
+ <field>
+ <fielddescr>Maximum object size in RAM</fielddescr>
+ <fieldname>maximum_objsize_in_mem</fieldname>
+ <description>Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>32</default_value>
+ </field>
+ <field>
+ <fielddescr>Memory replacement policy</fielddescr>
+ <fieldname>memory_replacement_policy</fieldname>
+ <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. &lt;p&gt; &lt;b&gt; LRU: Last Recently Used Policy &lt;/b&gt; - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. &lt;p&gt; &lt;b&gt; Heap GDSF: Greedy-Dual Size Frequency &lt;/b&gt; - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. &lt;p&gt; &lt;b&gt; Heap LFUDA: Least Frequently Used with Dynamic Aging &lt;/b&gt; - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. &lt;p&gt; &lt;b&gt; Heap LRU: Last Recently Used &lt;/b&gt; - Works like LRU, but uses a heap instead. &lt;p&gt; Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA.</description>
+ <type>select</type>
+ <default_value>heap GDSF</default_value>
+ <options>
+ <option><name>LRU</name><value>lru</value></option>
+ <option><name>Heap LFUDA</name><value>heap LFUDA</value></option>
+ <option><name>Heap GDSF</name><value>heap GDSF</value></option>
+ <option><name>Heap LRU</name><value>heap LRU</value></option>
+ </options>
+ </field>
+ <field>
+ <name>Dynamic and Update Content</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Cache Dynamic Content</fielddescr>
+ <fieldname>cache_dynamic_content</fieldname>
+ <description><![CDATA[Select this option to <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent'>enable caching of dynamic content.</a><br>
+ ]]></description>
+ <type>checkbox</type>
+ <size>10</size>
+ </field>
+ <field>
+ <fielddescr>Refresh Patterns</fielddescr>
+ <fieldname>refresh_patterns</fieldname>
+ <description><![CDATA[With dynamic cache enabled, you can also apply squid wiki refresh_patterns to sites like <a target=_new href='http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube'>Youtube</a> and <a target=_new href='http://wiki.squid-cache.org/SquidFaq/WindowsUpdate'>windowsupdate</a><br>
+ <br><strong>Notes:</strong><br>
+ Squid wiki suggests 'Finish transfer if less than x KB remaining' on 'traffic mgmt' squid tab to -1 but you can apply your own values to control cache.<br><br>
+ set Maximum download size on 'traffic mgmt' squid tab to a value that fits patterns your are applying.<br>Microsoft may need 200Mb and youtube 4GB.]]></description>
+ <type>select</type>
+ <default_value>none</default_value>
+ <options>
+ <option><name>Youtube</name><value>youtube</value></option>
+ <option><name>Windows Update</name><value>windows</value></option>
+ <option><name>Symantec Antivirus</name><value>symantec</value></option>
+ <option><name>Avira</name><value>avira</value></option>
+ <option><name>Avast</name><value>avast</value></option>
+ </options>
+ <multiple/>
+ <size>06</size>
+ </field>
+ <field>
+ <fielddescr>Custom refresh_patterns</fielddescr>
+ <fieldname>custom_refresh_patterns</fieldname>
+ <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description>
+ <type>textarea</type>
+ <cols>67</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
+ $needs_dash_z = true;
+ }
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_cache($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ if($needs_dash_z)
+ squid_dash_z();
+ </custom_php_resync_config_command>
+</packagegui>
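Review bot: The before-form hook here is spelled `custom_php_command_before_form`, while squid_auth.xml in this same commit uses `custom_php_before_form_command`; if pkg_edit.php honours only one of the two spellings, the other block is silently never evaluated, so both should be checked against the packages.dtd named in the DOCTYPE. Inside that block `$needs_dash_z` is derived only from `$_POST['harddisk_cache_size']`, so changing `harddisk_cache_location` (which the field's own description says forces a new cache) never triggers `squid_dash_z()` on resync; extending the condition with `|| $_POST['harddisk_cache_location'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_location']` would cover it, assuming squid_dash_z() initialises whatever directory is currently configured. `harddisk_cache_location` and `ext_cachemanager` are free-text values that end up in squid.conf and the only check is delegated to `squid_validate_cache()`, outside this diff, so it is worth confirming there that the path is absolute without a trailing `/` and that the cache-manager list contains only IP addresses. The `maximum_object_size` default here is `4` KB while the memory-replacement-policy description still refers to `its default of 12KB`; one of the two should be updated.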
diff --git a/config/squid3/34/squid_cpauth.php b/config/squid3/34/squid_cpauth.php
new file mode 100644
index 00000000..98be9946
--- /dev/null
+++ b/config/squid3/34/squid_cpauth.php
@@ -0,0 +1,24 @@
+#!/usr/local/bin/php -q
+<?php
+
+$NONINTERACTIVE_SCRIPT = TRUE;
+
+$fp = fopen('php://stdin', 'r');
+while($args = split(" ",trim(fgets($fp, 4096)))){
+ print captive_ip_to_username($args);
+}
+
+function captive_ip_to_username($args){
+ $current_sessions = file("/var/db/captiveportal.db");
+ foreach($current_sessions as $session){
+ list($a, $b, $IP_Address, $Mac_Address, $Username) = explode(",", $session,5);
+ #this test allow access if user's ip is listed on captive portal
+ #args array has (ip, site, protocol and port) passed by squid helper
+ #include a more complex test here to allow or deny access based on username returned
+ # this script will not return username to squid logs
+ if($IP_Address == $args[0]) return "OK\n";
+ }
+ return "ERR\n";
+}
+
+?> \ No newline at end of file
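Review bot: The read loop on the `while($args = split(" ",trim(fgets($fp, 4096))))` line never terminates at EOF: `fgets()` returns false there, `trim(false)` is `""`, and `split(" ", "")` yields `array("")`, which is truthy, so the helper spins printing `ERR` once Squid closes the pipe (and `split()` itself is removed in PHP 7). Rewrite it as `while (($line = fgets($fp, 4096)) !== false) { $args = explode(" ", trim($line)); print captive_ip_to_username($args); }`. Note also that `captive_ip_to_username()` re-reads `/var/db/captiveportal.db` on every lookup and answers `OK` on IP presence alone, so any host that can use or spoof an authenticated client's address is accepted; that is an inherent limit of IP-keyed captive-portal state and the comment block should say so explicitly rather than only hinting that "a more complex test" could be added.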
diff --git a/config/squid3/34/squid_extauth.xml b/config/squid3/34/squid_extauth.xml
new file mode 100644
index 00000000..41d9f633
--- /dev/null
+++ b/config/squid3/34/squid_extauth.xml
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidextnoauth</name>
+ <version>none</version>
+ <title>Services: Proxy Server -> Extended Authentication Settings</title>
+ <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Upstream Proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Cache Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Access Control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Auth</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Extended Auth</text>
+ <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
+ <active/>
+ </tab>
+
+ </tabs>
+ <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>
+ <fields>
+ <field>
+ <fielddescr>No Authentication Defined</fielddescr>
+ <fieldname>no_auth</fieldname>
+ <type>text</type>
+ </field>
+ </fields>
+
+ <custom_add_php_command_late>
+ require_once("/usr/local/pkg/squid_ng.inc");
+
+ global_write_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ </custom_add_php_command_late>
+
+</packagegui>
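Review bot: The navigation and include paths in this page disagree with the rest of the commit: the General tab points at `squid_ng.xml` and the save hook requires `/usr/local/pkg/squid_ng.inc`, whereas `squid_nac.xml` in the same commit links General to `squid.xml`, adds an Antivirus tab and includes `/usr/local/pkg/squid.inc`, so this file looks like a legacy page carried over unchanged. The `<description>` and `<requirements>` elements still hold the template placeholders ("Describe your package here") and the copyright block names `authng.xml`; if the page is meant to ship, replace them with a sentence stating what the `no_auth` text field is for, since nothing visible here shows how `global_write_squid_config()` consumes it. If it is not needed for the squid 3.4 package, dropping the file is safer than shipping a tab whose links land on a differently named package.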
diff --git a/config/squid3/34/squid_ident.php b/config/squid3/34/squid_ident.php
new file mode 100644
index 00000000..ad13beb6
--- /dev/null
+++ b/config/squid3/34/squid_ident.php
@@ -0,0 +1,148 @@
+#!/usr/bin/php
+#http://blog.dataforce.org.uk/2010/03/Ident-Server
+<?php
+ /**
+ * Simple PHP-Based inetd ident server, version 0.1.
+ * Copyright (c) 2010 - Shane "Dataforce" Mc Cormack
+ * This code is licensed under the MIT License, of which a copy can be found
+ * at http://www.opensource.org/licenses/mit-license.php
+ *
+ * The latest version of the code can be found at
+ * http://blog.dataforce.org.uk/index.php?p=news&id=135
+ *
+ * This should be run from inetd, it will take input on stdin and write to stdout.
+ *
+ * By default users can spoof ident by having a .ident file in /home/<username>/.ident
+ * If this is present, it will be read.
+ * It should be a file with a format like so:
+ *
+ * <pid> <ident>
+ * <local host>:<local port>:<target host>:<target port> <ident>
+ *
+ * The first line that matches is used, any bit can be a * and it will always match,
+ * so "* user" is valid. In future more sophisticated matches will be permitted
+ * (eg 127.*) but for now its either all or nothing.
+ *
+ * Its worth noting that <target host> is the host that requests the ident, so if this
+ * is likely to be different than the host that was connected to, then "STRICT_HOST" will
+ * need to be set to false.
+ *
+ * At the moment <local host> is ignored, in future versions this might be changed, so
+ * it is still required.
+ *
+ * Lines with a ':' in them are assumed to be of the second format, and must contain
+ * all 4 sections or they will be ignored.
+ *
+ * Lines starting with a # are ignored.
+ *
+ * There are some special values that can be used as idents:
+ * ! = Send an error instead.
+ * * = Send the default ident.
+ * ? = Send a random ident (In future a 3rd parameter will specify the format,
+ * # for a number, @ for a letter, ? for either, but this is not implemented yet)
+ *
+ * In future there will also be support for /home/user/.ident.d/ directories, where
+ * every file will be read for the ident response untill one matches.
+ * This will allow multiple processes to create files rather than needing to
+ * lock and edit .ident
+ */
+
+ // Allow spoofing idents.
+ define('ALLOW_SPOOF', true);
+
+ // Requesting host must be the same as the host that was connected to.
+ define('STRICT_HOST', true);
+
+ // Error to send when '!' is used as an ident.
+ define('HIDE_ERROR', 'UNKNOWN-ERROR');
+
+ openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON);
+
+ $result = 'ERROR : UNKNOWN-ERROR' . "\n";
+
+ $host = $_SERVER['REMOTE_HOST'];
+
+ syslog(LOG_INFO, 'Connection from: '.$host);
+
+ // Red in the line from the socket.
+ $fh = @fopen('php://stdin', 'r');
+ if ($fh) {
+ $input = @fgets($fh);
+ $line = trim($input);
+ if ($input !== FALSE && !empty($line)) {
+ $result = trim($input) . ' : ' . $result;
+ // Get the data from it.
+ $bits = explode(',', $line);
+ $source = trim($bits[0]);
+ $dest = isset($bits[1]) ? trim($bits[1]) : '';
+
+ // Check if it is valid
+ if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) {
+ // Now actually look for this!
+ $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest";
+
+ $output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`;
+
+ $bits = explode('/', $output);
+ $pid = $bits[0];
+
+ if (preg_match('/^[0-9]+$/', $pid)) {
+ $user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`;
+
+ $senduser = trim($user);
+
+ // Look for special ident file: /home/user/.ident this is an ini-format file.
+ $file = '/home/'.trim($user).'/.ident';
+
+ if (file_exists($file)) {
+ $config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT);
+ foreach ($config as $line) {
+ // Ignore comments.
+ $line = trim($line);
+ if (substr($line, 1) == '#') { continue; }
+
+ // Make sure line is valid.
+ $bits = explode(' ', $line);
+ if (count($bits) == 1) { continue; }
+
+ // Check type of line
+ if (strpos($bits[0], ':') !== FALSE) {
+ // LocalHost:LocalPort:RemoteHost:RemotePort
+ $match = explode(':', $bits[0]);
+ if (count($match) != 4) { continue; }
+
+ if (($match[1] == '*' || $match[1] == $source) &&
+ ($match[2] == '*' || $match[2] == $host) &&
+ ($match[3] == '*' || $match[3] == $dest)) {
+ syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
+ $senduser = $bits[1];
+ break;
+ }
+ } else if ($bits[0] == '*' || $bits[0] == $pid) {
+ syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
+ $senduser = $bits[1];
+ }
+ }
+
+ if ($senduser == "*") {
+ $senduser = trim(user);
+ } else if ($senduser == "?") {
+ $senduser = 'user'.rand(1000,9999);
+ }
+ }
+
+ if ($senduser != "!") {
+ $result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser);
+ } else {
+ $result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR;
+ }
+ }
+ }
+ }
+ }
+
+ echo $result;
+ syslog(LOG_INFO, 'Result: '.$result);
+ closelog();
+ exit(0);
+?>
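Review bot: `$host` is taken from `$_SERVER['REMOTE_HOST']` and interpolated unquoted into the backtick command through `$match` (`grep '$match'`); only `$source` and `$dest` are validated as digits, so a value containing `'` or shell metacharacters (for example via a crafted reverse-DNS name, if the inetd in use populates that variable) breaks out of the single quotes and executes as the helper's user. Validate it and escape the whole pattern: `if (!preg_match('/^[A-Za-z0-9.:_-]*$/', $host)) { $host = ''; }` and `... | grep " . escapeshellarg($match) . " | awk ...`. Two further bugs in the spoof-file branch: `substr($line, 1) == '#'` should be `substr($line, 0, 1) == '#'`, and `trim(user)` on the `$senduser == "*"` line references an undefined constant rather than `$user`. The `netstat -napW` / `awk '{print $7}'` / `/home/<user>` conventions look Linux-specific and `ALLOW_SPOOF` is defined but never checked; on a FreeBSD-based pfSense host the PID/user for a connection would come from `sockstat` instead, so this should be verified before it is wired in as the ident helper.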
diff --git a/config/squid3/34/squid_log_parser.php b/config/squid3/34/squid_log_parser.php
new file mode 100755
index 00000000..8d0cbc20
--- /dev/null
+++ b/config/squid3/34/squid_log_parser.php
@@ -0,0 +1,57 @@
+#!/usr/local/bin/php -q
+<?php
+/* ========================================================================== */
+/*
+ squid_log_parser.php
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012-2014 Marcello Coutinho
+ Copyright (C) 2012-2014 Carlos Cesario - carloscesario@gmail.com
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+
+# ------------------------------------------------------------------------------
+# Simple Squid Log parser to rewrite line with date/time human readable
+# Usage: cat /var/squid/log/access.log | parser_squid_log.php
+# ------------------------------------------------------------------------------
+
+$logline = fopen("php://stdin", "r");
+while(!feof($logline)) {
+ $line = fgets($logline);
+ $line = rtrim($line);
+ if ($line != "") {
+ $fields = explode(' ', $line);
+ // Apply date format
+ $fields[0] = date("d.m.Y H:i:s",$fields[0]);
+ foreach($fields as $field) {
+ // Write the Squid log line with date/time human readable
+ echo "{$field} ";
+ }
+ echo "\n";
+ }
+}
+fclose($logline);
+?> \ No newline at end of file
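Review bot: `date("d.m.Y H:i:s",$fields[0])` is called without checking that the first field is numeric; Squid's native log writes the timestamp as `seconds.millis`, and a malformed or non-access-log line yields a `date()` warning or the epoch start instead of being passed through. Guard it: `if (is_numeric($fields[0])) { $fields[0] = date("d.m.Y H:i:s", (int) $fields[0]); }`. The usage comment names `parser_squid_log.php` while the file is `squid_log_parser.php`, and `while(!feof($logline)) { $line = fgets($logline); ... }` is better written as `while (($line = fgets($logline)) !== false)` so the false returned at EOF is not treated as an empty line.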
diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php
new file mode 100755
index 00000000..84bf08e9
--- /dev/null
+++ b/config/squid3/34/squid_monitor.php
@@ -0,0 +1,200 @@
+<?php
+/* ========================================================================== */
+/*
+ squid_monitor.php
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012-2014 Marcello Coutinho
+ Copyright (C) 2012-2014 Carlos Cesario - carloscesario@gmail.com
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+
+require_once("/etc/inc/util.inc");
+require_once("/etc/inc/functions.inc");
+require_once("/etc/inc/pkg-utils.inc");
+require_once("/etc/inc/globals.inc");
+require_once("guiconfig.inc");
+
+$pfSversion = str_replace("\n", "", file_get_contents("/etc/version"));
+if(strstr($pfSversion, "1.2"))
+ $one_two = true;
+
+$pgtitle = "Status: Proxy Monitor";
+$shortcut_section = "squid";
+include("head.inc");
+?>
+
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+
+<?php include("fbegin.inc"); ?>
+
+<?php if($one_two): ?>
+
+ <p class="pgtitle"><?=$pgtitle?></font></p>
+
+<?php endif; ?>
+
+<?php if ($savemsg) print_info_box($savemsg); ?>
+
+<!-- Function to call programs logs -->
+<script language="JavaScript">
+ function showLog(content,url,program)
+ {
+ new PeriodicalExecuter(function(pe) {
+ new Ajax.Updater(content, url, {
+ method: 'post',
+ asynchronous: true,
+ evalScripts: true,
+ parameters: { maxlines: $('maxlines').getValue(),
+ strfilter: $('strfilter').getValue(),
+ program: program }
+ })
+ }, 1)
+ }
+</script>
+<div id="mainlevel">
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tr><td>
+ <?php
+ $tab_array = array();
+ if ($_REQUEST["menu"]=="reverse"){
+ $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0");
+ $tab_array[] = array(gettext("Web Servers"), false, "/pkg.php?xml=squid_reverse_peer.xml");
+ $tab_array[] = array(gettext("Mappings"), false, "/pkg.php?xml=squid_reverse_uri.xml");
+ $tab_array[] = array(gettext("Redirects"), false, "/pkg.php?xml=squid_reverse_redir.xml");
+ $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php?menu=reverse");
+ $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_reverse_sync.xml");
+ }
+ else{
+ $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid.xml&amp;id=0");
+ $tab_array[] = array(gettext("Remote Cache"), false, "/pkg.php?xml=squid_upstream.xml");
+ $tab_array[] = array(gettext("Local Cache"), false, "/pkg_edit.php?xml=squid_cache.xml&amp;id=0");
+ $tab_array[] = array(gettext("Antivirus"), false, "/pkg_edit.php?xml=antivirus.xml&amp;id=0");
+ $tab_array[] = array(gettext("ACLs"), false, "/pkg_edit.php?xml=squid_nac.xml&amp;id=0");
+ $tab_array[] = array(gettext("Traffic Mgmt"), false, "/pkg_edit.php?xml=squid_traffic.xml&amp;id=0");
+ $tab_array[] = array(gettext("Authentication"), false, "/pkg_edit.php?xml=squid_auth.xml&amp;id=0");
+ $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=squid_users.xml");
+ $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php");
+ $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_sync.xml");
+ }
+ display_top_tabs($tab_array);
+ ?>
+</td></tr>
+ <tr>
+ <td>
+<div id="mainarea" style="padding-top: 0px; padding-bottom: 0px; ">
+ <form id="paramsForm" name="paramsForm" method="post">
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="6">
+ <tbody>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">Max lines:</td>
+ <td width="78%" class="vtable">
+ <select name="maxlines" id="maxlines">
+ <option value="5">5 lines</option>
+ <option value="10" selected="selected">10 lines</option>
+ <option value="15">15 lines</option>
+ <option value="20">20 lines</option>
+ <option value="25">25 lines</option>
+ <option value="100">100 lines</option>
+ <option value="200">200 lines</option>
+ </select>
+ <br/>
+ <span class="vexpl">
+ <?=gettext("Max. lines to be displayed.");?>
+ </span>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncellreq">String filter:</td>
+ <td width="78%" class="vtable">
+ <input name="strfilter" type="text" class="formfld search" id="strfilter" size="50" value="">
+ <br/>
+ <span class="vexpl">
+ <?=gettext("Enter a grep like string/pattern to filterlog.");?><br>
+ <?=gettext("eg. username, ip addr, url.");?><br>
+ <?=gettext("Use <b>!</b> to invert the sense of matching, to select non-matching lines.");?>
+ </span>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+ </form>
+
+ <!-- Squid Table -->
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
+ <tr>
+ <td>
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td colspan="6" class="listtopic"><center><?=gettext("Squid Logs"); ?><center></td>
+ </tr>
+ <tbody id="squidView">
+ <script language="JavaScript">
+ // Call function to show squid log
+ showLog('squidView', 'squid_monitor_data.php','squid');
+ </script>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+<?php if ($_REQUEST["menu"]!="reverse"){?>
+ <!-- SquidGuard Table -->
+ <table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
+ <tr>
+ <td>
+ <table class="tabcont" width="100%" border="0" cellspacing="0" cellpadding="0">
+ <tr>
+ <td colspan="5" class="listtopic"><center><?=gettext("SquidGuard Logs"); ?><center></td>
+ </tr>
+ <tbody id="sguardView">
+ <script language="JavaScript">
+ // Call function to show squidGuard log
+ showLog('sguardView', 'squid_monitor_data.php','sguard');
+ </script>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ </tbody>
+ </table>
+</div>
+<?php }?>
+</td>
+</tr>
+</table>
+</div>
+
+
+<?php
+include("fend.inc");
+?>
+
+</body>
+</html>
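Review bot: The `</div>` that closes `mainarea` sits inside the `if ($_REQUEST["menu"]!="reverse")` block after the SquidGuard table, so the reverse-proxy view (`?menu=reverse`) emits unbalanced markup; move that `</div>` below `<?php }?>`. `$savemsg` is read on the `print_info_box` line but never set in this file, which raises an undefined-variable notice under default error reporting, and the `<p class="pgtitle">` line closes a `</font>` that was never opened. The log tables are filled by a 1-second `PeriodicalExecuter` posting to `squid_monitor_data.php` with `evalScripts: true`, so whatever that endpoint returns is inserted into the DOM and any script in it is run; the escaping burden is entirely on the data script and deserves a comment here, e.g. `// squid_monitor_data.php must HTML-escape every log field it returns`.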
diff --git a/config/squid3/34/squid_monitor_data.php b/config/squid3/34/squid_monitor_data.php
new file mode 100755
index 00000000..6223330e
--- /dev/null
+++ b/config/squid3/34/squid_monitor_data.php
@@ -0,0 +1,175 @@
+<?php
+/* ========================================================================== */
+/*
+ squid_monitor_data.php
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012-2014 Marcello Coutinho
+ Copyright (C) 2012-2014 Carlos Cesario - carloscesario@gmail.com
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+# ------------------------------------------------------------------------------
+# Defines
+# ------------------------------------------------------------------------------
+require_once("guiconfig.inc");
+
+# ------------------------------------------------------------------------------
+# Requests
+# ------------------------------------------------------------------------------
+if ($_POST) {
+ # Actions
+ $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_POST['strfilter']));
+ $program = strtolower($_POST['program']);
+ switch ($program) {
+ case 'squid':
+ // Define log file
+ $log='/var/squid/logs/access.log';
+ //show table headers
+ show_tds(array("Date","IP","Status","Address","User","Destination"));
+ //fetch lines
+ $logarr=fetch_log($log);
+ // Print lines
+ foreach ($logarr as $logent) {
+ // Split line by space delimiter
+ $logline = preg_split("/\s+/", $logent);
+
+ // Apply date format to first line
+ //$logline[0] = date("d.m.Y H:i:s",$logline[0]);
+
+ // Word wrap the URL
+ $logline[7] = htmlentities($logline[7]);
+ $logline[7] = html_autowrap($logline[7]);
+
+ // Remove /(slash) in destination row
+ $logline_dest = preg_split("/\//", $logline[9]);
+
+ // Apply filter and color
+ // Need validate special chars
+ if ($filter != "")
+ $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline);
+ echo "<tr valign=\"top\">\n";
+ echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n";
+ echo "<td class=\"listr\">{$logline[3]}</td>\n";
+ echo "<td class=\"listr\">{$logline[4]}</td>\n";
+ echo "<td class=\"listr\" width=\"*\">{$logline[7]}</td>\n";
+ echo "<td class=\"listr\">{$logline[8]}</td>\n";
+ echo "<td class=\"listr\">{$logline_dest[1]}</td>\n";
+ echo "</tr>\n";
+ }
+ break;
+ case 'sguard';
+ $log='/var/squidGuard/log/block.log';
+ //show table headers
+ show_tds(array("Date-Time","ACL","Address","Host","User"));
+ //fetch lines
+ $logarr=fetch_log($log);
+ foreach ($logarr as $logent) {
+ // Split line by space delimiter
+ $logline = preg_split("/\s+/", $logent);
+
+ // Apply time format
+ $logline[0] = date("d.m.Y", strtotime($logline[0]));
+
+ // Word wrap the URL
+ $logline[4] = htmlentities($logline[4]);
+ $logline[4] = html_autowrap($logline[4]);
+
+
+ // Apply filter color
+ // Need validate special chars
+ if ($filter != "")
+ $logline = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$logline);
+
+
+ echo "<tr>\n";
+ echo "<td class=\"listlr\" nowrap>{$logline[0]} {$logline[1]}</td>\n";
+ echo "<td class=\"listr\">{$logline[3]}</td>\n";
+ echo "<td class=\"listr\" width=\"*\">{$logline[4]}</td>\n";
+ echo "<td class=\"listr\">{$logline[5]}</td>\n";
+ echo "<td class=\"listr\">{$logline[6]}</td>\n";
+ echo "</tr>\n";
+ }
+ break;
+ }
+}
+
+# ------------------------------------------------------------------------------
+# Functions
+# ------------------------------------------------------------------------------
+
+// From SquidGuard Package
+function html_autowrap($cont)
+{
+ # split strings
+ $p = 0;
+ $pstep = 25;
+ $str = $cont;
+ $cont = '';
+ for ( $p = 0; $p < strlen($str); $p += $pstep ) {
+ $s = substr( $str, $p, $pstep );
+ if ( !$s ) break;
+ $cont .= $s . "<wbr/>";
+ }
+ return $cont;
+}
+
+
+// Show Squid Logs
+function fetch_log($log){
+ global $filter,$program;
+ // Get Data from form post
+ $lines = $_POST['maxlines'];
+ if (preg_match("/!/",htmlspecialchars($_POST['strfilter'])))
+ $grep_arg="-iv";
+ else
+ $grep_arg="-i";
+
+ //Check program to execute or no the parser
+ if($program == "squid")
+ $parser = "| php -q squid_log_parser.php";
+ else
+ $parser = "";
+
+ // Get logs based in filter expression
+ if($filter != "") {
+ exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines} {$parser} " , $logarr);
+ }
+ else {
+ exec("tail -r -n {$lines} {$log} {$parser}", $logarr);
+ }
+ // return logs
+ return $logarr;
+};
+
+function show_tds($tds){
+ echo "<tr valign='top'>\n";
+ foreach ($tds as $td){
+ echo "<td class='listhdrr'>".gettext($td)."</td>\n";
+ }
+ echo "</tr>\n";
+}
+
+?>
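Review bot: `$lines = $_POST['maxlines']` in `fetch_log()` is interpolated unescaped into both `exec("tail -r -n {$lines} ...")` commands, so any user who can reach this page can run arbitrary shell commands as the web server by posting e.g. `maxlines=10; id`; the select list in the form is no protection. Coerce it: `$lines = (int) $_POST['maxlines']; if ($lines < 1) { $lines = 10; }`. The filter is also used as a live regex on the `preg_replace("@($filter)@i", ...)` lines with only `@!<>` stripped, so wrap it as `preg_quote($filter, '@')` there to avoid pattern errors and backtracking blowups. Only fields 7 (squid) and 4 (squidGuard) go through `htmlentities()` before being echoed, so other log fields such as the user name, which a client can likely populate with HTML via its Authorization header, reach the browser unescaped; escape every echoed field, and fix the `<spam>`/`</span>` mismatch while there.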
diff --git a/config/squid3/34/squid_nac.xml b/config/squid3/34/squid_nac.xml
new file mode 100755
index 00000000..70fe162f
--- /dev/null
+++ b/config/squid3/34/squid_nac.xml
@@ -0,0 +1,191 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidnac</name>
+ <version>none</version>
+ <title>Proxy server: Access control</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Access Control Lists</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Allowed subnets</fielddescr>
+ <fieldname>allowed_subnets</fieldname>
+ <description>Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Unrestricted IPs</fielddescr>
+ <fieldname>unrestricted_hosts</fieldname>
+ <description>Enter unrestricted IP address / network(in CIDR format) on a new line that is not to be filtered out by the other access control directives set in this page.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Banned host addresses</fielddescr>
+ <fieldname>banned_hosts</fieldname>
+ <description>Enter each IP address / network(in CIDR format) on a new line that is not to be allowed to use the proxy.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Whitelist</fielddescr>
+ <fieldname>whitelist</fieldname>
+ <description>Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Blacklist</fielddescr>
+ <fieldname>blacklist</fieldname>
+ <description>Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Block user agents</fielddescr>
+ <fieldname>block_user_agent</fieldname>
+ <description>Enter each user agent on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Block MIME types (reply only)</fielddescr>
+ <fieldname>block_reply_mime_type</fieldname>
+ <description>Enter each MIME type on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. Useful to block javascript (application/x-javascript).</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <name>Squid Allowed ports</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>acl safeports</fielddescr>
+ <fieldname>addtl_ports</fieldname>
+ <description>This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535</description>
+ <type>input</type>
+ <size>60</size>
+ <default_value></default_value>
+ </field>
+ <field>
+ <fielddescr>acl sslports</fielddescr>
+ <fieldname>addtl_sslports</fieldname>
+ <description>This is a space-separated list of ports to allow SSL "CONNECT" in addition to the already defined list: 443 563</description>
+ <type>input</type>
+ <size>60</size>
+ <default_value></default_value>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_nac($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
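Review bot: The Whitelist and Blacklist descriptions invite regular expressions but say nothing about anchoring; if the backend emits these as Squid `dstdom_regex`/`url_regex` entries (not visible in this hunk), an unanchored entry such as `bank\.com` also matches `bank.com.attacker.example`, so a whitelist written that way grants more than the author intends. Add to both descriptions: `Regular expressions are matched anywhere in the domain name; anchor them (e.g. ^bank\.com$) to avoid matching look-alike domains.` The same caveat applies to the user-agent and MIME-type fields, and "accessable" on the Whitelist line should be "accessible". Whether `squid_validate_nac()` rejects malformed patterns cannot be seen from here.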
diff --git a/config/squid3/34/squid_ng.inc b/config/squid3/34/squid_ng.inc
new file mode 100755
index 00000000..bac4d4f0
--- /dev/null
+++ b/config/squid3/34/squid_ng.inc
@@ -0,0 +1,1070 @@
+<?php
+/* $Id$ */
+
+/*
+ squid_ng.inc
+ part of pfSense (www.pfSense.com)
+
+ Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+if(!function_exists("filter_configure"))
+ require_once("filter.inc");
+
+function global_write_squid_config()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ /* define squid configuration file in variable for replace function */
+ $squidconfig = "/usr/local/etc/squid/squid.conf";
+
+ /* squid.xml values */
+ $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
+ $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
+ $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
+ $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
+ $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
+ $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
+ $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
+ $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port'];
+ $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname'];
+ $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
+ $error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
+ $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
+
+ /* squid_upstream.xml values */
+ $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
+ $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
+ $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
+ $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
+ $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
+ $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
+ $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
+
+ /* squid_cache.xml values */
+ $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
+ $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
+ $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
+ $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
+ $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
+ $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
+ $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
+ $domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
+ $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
+
+ /* squid_nac.xml values */
+ $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
+ $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
+ $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses'];
+ $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
+ $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
+ $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
+
+ /* squid_traffic.xml values */
+ $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
+ $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
+ $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
+ $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
+ $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
+ $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
+ $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
+
+ /* squid_auth.xml values */
+ $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
+ $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
+ $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
+ $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr'];
+ $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl'];
+ $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth'];
+ $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt'];
+ $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
+ $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
+ $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
+
+ /* squid_extauth.xml (ldap) values */
+ $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
+ $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
+ $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
+ $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
+ $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
+ $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+
+ /* squid_extauth.xml (radius) values */
+ $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
+ $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
+ $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
+ $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
+
+ /* static variable assignments for directory mapping */
+ $acldir = "/usr/local/etc/squid/advanced/acls";
+ $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
+ $ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
+ $radiusdir = "/usr/local/etc/squid/advanced/radius";
+
+ $fout = fopen($squidconfig, "w");
+
+ $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
+
+ if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
+ mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi");
+ mwexec("chmod a+rx /usr/local/www/cachemgr.cgi");
+ } else {
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ }
+ unset($cachemgr_enabled);
+
+ if (!isset($icp_port) or ($icp_port == "")) {
+ $icp_port = "3130";
+ }
+ $config_array[] = 'icp_port ' . $icp_port . "\n";
+ unset($icp_port);
+
+ if(!isset($proxy_port) or ($proxy_port == "")) {
+ $proxy_port = "3128";
+ }
+
+ if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
+ $int = convert_friendly_interface_to_real_interface_name($active_interface);
+ $listen_ip = find_interface_ip($int);
+
+ $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
+ $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
+ $config_array[] = 'no_cache deny QUERY' . "\n\n";
+ }
+ $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n";
+ unset($proxy_port);
+
+ if (isset($domain) && ($domain !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/dst_nocache.acl","w");
+
+ $domain_array = split("; ",$domain);
+ foreach ($domain_array as $no_cache_domain) {
+ fwrite($aclout, $no_cache_domain . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
+ $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
+ }
+ unset($no_cache_domain);
+ unset($domain_array);
+ unset($domain);
+
+ $config_array[] = 'cache_effective_user squid' . "\n";
+ $config_array[] = 'cache_effective_group squid' . "\n\n";
+ $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
+
+ if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
+ $memory_cache_size = "8";
+ }
+ $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
+ unset($memory_cache_size);
+
+ if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
+ $harddisk_cache_size = "500";
+ }
+
+ if (!isset($level_subdirs) or ($level_subdirs == "")) {
+ $level_subdirs = "16";
+ }
+
+ $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
+ unset($harddisk_cache_size);
+ unset($level_subdirs);
+
+ if (!isset($error_language) or ($error_language == "")) {
+ $error_language = "English";
+ }
+ $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
+ unset($error_language);
+
+ if (isset($offline_mode) && ($offline_mode == "on")) {
+ $config_array[] = 'offline_mode on' . "\n\n";
+ } else {
+ $config_array[] = 'offline_mode off' . "\n\n";
+ }
+
+ if (!isset($memory_replacement) or ($memory_replacement == "")) {
+ $memory_replacement = "heap GDSF";
+ }
+ $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n";
+ unset($memory_replacement);
+
+ if (!isset($cache_replacement) or ($cache_replacement == "")) {
+ $cache_replacement="heap GDSF";
+ }
+ $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
+ unset($cache_replacement);
+
+ if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) {
+ $config_array[] = 'cache_access_log none' . "\n";
+ } else {
+ $config_array[] = 'cache_access_log /var/log/access.log' . "\n";
+ }
+ $config_array[] = 'cache_log /var/log/cache.log' . "\n";
+ $config_array[] = 'cache_store_log none' . "\n";
+ unset($accesslog_disabled);
+ unset($log_enabled);
+
+ if (isset($log_query_terms) && ($log_query_terms == "on")) {
+ $config_array[] = 'strip_query_terms off' . "\n";
+ } else {
+ $config_array[] = 'strip_query_terms on' . "\n";
+ }
+ unset($log_query_terms);
+
+ $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
+ unset($log_user_agents);
+
+ $config_array[] = 'log_mime_hdrs off' . "\n";
+ $config_array[] = 'emulate_httpd_log on' . "\n";
+
+ switch ($user_forwarding) {
+ case "on":
+ $config_array[] = 'forwarded_for on' . "\n\n";
+ break;
+ case "off":
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ default:
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ }
+ unset($user_forwarding);
+
+ switch ($auth_method) {
+ case "none":
+ break;
+ case "local_auth":
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "radius_auth";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "ldap_bind";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
+ $config_array[] = ' -b "' . $ldap_basedn . '"';
+ $config_array[] = ' -D "' . $bind_dn_username . '"';
+ $config_array[] = " -w " . $bind_dn_password;
+ $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
+ $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n";
+
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "windows_auth";
+ break;
+ }
+
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
+ fwrite($throttle_out, $binary_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
+ }
+ unset($throttle_binary_files);
+ unset($throttle_out);
+ unset($binary_out);
+
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
+ fwrite($throttle_out, $cd_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_cd.acl")) {
+ unlink($acldir . "/dst_throttle_cd.acl");
+ }
+ }
+ unset($throttle_cd_images);
+ unset($throttle_out);
+ unset($cd_out);
+
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
+ fwrite($throttle_out, $multimedia_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
+ unlink($acldir . "/dst_throttle_multimedia.acl");
+ }
+ }
+ unset($throttle_multimedia);
+ unset($multimedia_out);
+ unset($throttle_out);
+
+ $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
+
+ /* obtain interface subnet and address for Squid rules */
+ $lactive_interface = strtolower($active_interface);
+
+ $lancfg = $config['interfaces'][$lactive_interface];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
+ $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
+ $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
+ $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
+ $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
+ $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
+ $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
+ $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
+ $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n";
+ $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
+ $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
+ $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
+ $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
+
+ /* allow access through proxy for custom admin port */
+ $custom_port = $config['system']['webgui']['port'];
+ if (isset($custom_port) && ($custom_port !== "")) {
+ $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
+ unset($custom_port);
+ } else {
+ $admin_protocol = $config['system']['webgui']['protocol'];
+ switch ($admin_protocol) {
+ case "http";
+ $config_array[] = 'acl pf_admin_port port 80' ."\n";
+ break;
+ case "https";
+ $config_array[] = 'acl pf_admin_port port 443' . "\n";
+ break;
+ default;
+ $config_array[] = 'acl pf_admin_port port 80' . "\n";
+ break;
+ }
+ unset($admin_protocol);
+ }
+
+ /* define override hosts as specified in squid_nac.xml */
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_override_hosts.acl", "w");
+
+ $override_hosts_array = split("; ", $override_hosts);
+ foreach ($override_hosts_array as $ind_override_host) {
+ fwrite($aclout, $ind_override_host . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
+ }
+ /* clear variables */
+ unset($override_hosts_array);
+ unset($ind_override_host);
+ unset($override_hosts);
+
+ /* define subnets allowed to utilize proxy service */
+ if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ mwexec("touch {$acldir}/src_subnets.acl");
+ }
+
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+
+ $allowed_subnets_array = split("; ",$allowed_subnets);
+ foreach ($allowed_subnets_array as $ind_allowed_subnets) {
+ fwrite($aclout, $ind_allowed_subnets . "\n");
+ }
+
+ fclose($aclout);
+ } else {
+
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+ fwrite($aclout, $lansa . "/" . $lansn . "\n");
+ fclose($aclout);
+ }
+
+ $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
+
+ unset($allowed_subnets_array);
+ unset($ind_allowed_subnets);
+ unset($allowed_subnets);
+
+ /* define ip addresses that have 'unrestricted' access */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
+
+ $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
+ foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
+ fwrite($aclout, $ind_unrestricted_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
+ }
+ unset($unrestricted_ip_array);
+ unset($unrestricted_ip_addr);
+ unset($ind_unrestricted_ip);
+
+ /* define mac addresses that have 'unrestricted' access */
+ if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
+
+ $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
+ foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
+ fwrite($aclout, $ind_unrestricted_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n";
+ }
+ unset($unrestricted_mac_array);
+ unset($unrestricted_mac_addr);
+ unset($ind_unrestricted_mac);
+
+ /* define ip addresses that are banned from using the proxy service */
+ if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_ip.acl","w");
+
+ $banned_ip_array = split("; ",$banned_ip_addr);
+ foreach ($banned_ip_array as $ind_banned_ip) {
+ fwrite($aclout, $ind_banned_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
+ }
+ unset($banned_ip_array);
+ unset($banned_ip_addr);
+ unset($ind_banned_ip);
+
+ /* define mac addresses that are banned from using the proxy service */
+ if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_mac.acl","w");
+
+ $banned_mac_array = split("; ",$banned_mac_addr);
+ foreach ($banned_mac_array as $ind_banned_mac) {
+ fwrite($aclout, $ind_banned_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
+ }
+ unset($banned_mac_array);
+ unset($banned_mac_addr);
+ unset($ind_banned_mac);
+
+ $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
+ $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method == "none")) {
+ $config_array[] = 'http_access allow localnet' . "\n";
+ }
+ $config_array[] = 'http_access allow localhost' . "\n";
+
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ $config_array[] = 'http_access allow override_hosts' . "\n";
+ }
+ $config_array[] = "\n";
+
+ switch ($config['system']['webgui']['protocol']) {
+ case "http":
+ $config_array[] = 'http_access allow pf_ips' . "\n";
+ $config_array[] = 'http_access allow pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny !pf_networks' . "\n\n";
+ break;
+ case "https":
+ $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
+ $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
+ break;
+ }
+
+ $config_array[] = 'http_access deny !Safe_ports' . "\n";
+ $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method != "none")) {
+ $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
+ }
+
+ $config_array[] = 'http_access deny all' . "\n\n";
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_overall == "unlimited") {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
+ }
+
+ if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_per_host == "unlimited") {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
+ }
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
+ /* if no bandwidth restrictions are specified, then these parameters are not necessary */
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n";
+ } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+ }
+
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
+ }
+ }
+
+ $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
+ $config_array[] = 'header_access Via deny all' . "\n\n";
+
+ /* TODO: acl customization for snmp support */
+ /* fwrite($fout, "\n"); */
+
+ if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
+ $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
+ $config_array[] = 'redirect_children 5' . "\n\n";
+ }
+
+ if (isset($max_upload_size) && ($max_upload_size != "")) {
+ $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
+ }
+
+ if (isset($max_download_size) && ($max_download_size != "")) {
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n";
+ /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
+ $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
+ }
+
+ /* set default value for maximum_object_size */
+ if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
+ $maximum_object_size = "4096";
+ }
+
+ /* set default value for minimum_object_size */
+ if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
+ $minimum_object_size = "0";
+ }
+ $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
+ $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
+
+ if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
+ $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
+ $config_array[] = 'never_direct allow all' . "\n";
+ }
+ unset($proxy_forwarding);
+
+
+ /* define default ruleset for transparent proxy operation */
+ if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
+ $config_array[] = 'httpd_accel_host virtual' . "\n";
+ $config_array[] = 'httpd_accel_port 80' . "\n";
+ $config_array[] = 'httpd_accel_with_proxy on' . "\n";
+ $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
+ }
+ unset($transparent_proxy);
+
+
+ /* define visible hostname */
+ if (isset($visible_hostname) && ($visible_hostname !== "")) {
+ $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
+ }
+ unset($visible_hostname);
+
+ /* define cache administrators email address within error messages */
+ if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
+ $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n";
+ }
+ unset($cache_admin_email);
+
+ /* write configuration file */
+ foreach ($config_array as $config_item)
+ {
+ fwrite($fout, trim($config_item));
+
+ if (stristr($config_item, "\n"))
+ {
+ for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
+ {
+ fwrite($fout, "\n");
+ }
+ }
+
+ }
+ fclose($fout);
+
+ conf_mount_ro();
+ config_unlock();
+
+ touch($squidconfig);
+} /* end function write_squid_config */
+
+function squid3_custom_php_install_command() {
+ /* write initial static config for transparent proxy */
+ write_static_squid_config();
+
+ touch("/tmp/squid3_custom_php_install_command");
+
+ /* make sure this all exists, see:
+ * https://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
+ */
+ update_output_window("Setting up Squid environment...");
+ mwexec("mkdir -p /var/squid");
+ mwexec("chown squid:squid /var/squid");
+ mwexec("mkdir -p /var/squid/logs");
+ mwexec("chown squid:squid /var/squid/logs");
+ mwexec("mkdir -p /var/squid/cache");
+ mwexec("chown squid:squid /var/squid/cache");
+ mwexec("mkdir -p /usr/local/etc/squid/advanced");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced");
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
+ mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl");
+ mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
+ mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
+
+
+ /* set a few extra items noted by regan */
+ update_output_window("Creating logs and setting user information...");
+ $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w");
+ fwrite($fdsquid, "#/bin/sh\n");
+ fwrite($fdsquid, "# \n");
+ fwrite($fdsquid, "# This file was created by the pfSense package system\n");
+ fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n");
+ fwrite($fdsquid, "# \n\n");
+ fwrite($fdsquid, "chown squid:wheel /dev/pf\n");
+ fwrite($fdsquid, "chmod ug+rw /dev/pf\n");
+ fwrite($fdsquid, "touch /var/log/useragent.log\n");
+ fwrite($fdsquid, "touch /var/log/access.log\n");
+ fwrite($fdsquid, "touch /var/log/cache.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n");
+ fwrite($fdsquid, "\n");
+ fclose($fdsquid);
+ mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh");
+ mwexec("/usr/local/etc/rc.d/aSquid.sh");
+
+ update_output_window("Creating Proxy Server initialization scripts...");
+ $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty";
+ $stop = "/usr/local/sbin/squid -k shutdown";
+ write_rcfile(array(
+ "file" => "squid.sh",
+ "start" => $start,
+ "stop" => $stop
+ )
+ );
+
+ mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
+
+ /* create log directory hierarchies if they don't exist */
+ update_output_window("Creating required directory hierarchies...");
+
+ if (!file_exists("/var/squid/logs")) {
+ mwexec("mkdir -p /var/squid/logs");
+ }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
+
+
+ if (!file_exists("/var/squid/cache")) {
+ mwexec("mkdir -p /var/squid/cache");
+ }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
+
+ $devfs_file = fopen("/etc/devfs.conf", "a");
+ fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
+ fwrite($devfs_file, "own pf root:squid");
+ fwrite($devfs_file, "perm pf 0640");
+ fclose($devfs_file);
+
+ update_output_window("Initializing Cache... This may take a moment...");
+ mwexec("/usr/local/sbin/squid -z");
+
+ update_output_window("Starting Proxy Server...");
+ start_service("squid");
+}
+
+function squid3_custom_php_deinstall_command() {
+ update_output_window("Stopping proxy service...");
+ stop_service("squid");
+ sleep(1);
+ /* brute force any remaining squid processes out */
+ mwexec("/usr/bin/killall squid");
+ mwexec("/usr/bin/killall pinger");
+ update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain...");
+ mwexec("rm -rf /var/squid/cache");
+ update_output_window("Removing configuration files...");
+ unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
+ unlink_if_exists("/usr/local/libexec/squid");
+ unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh");
+ mwexec("rm -f /usr/local/etc/rc.d/squid*");
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ filter_configure();
+}
+
+function write_static_squid_config() {
+ touch("/tmp/write_static_squid_config");
+ global $config;
+ $lancfg = $config['interfaces']['lan'];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $fout = fopen("/usr/local/etc/squid/squid.conf","w");
+ fwrite($fout, "#\n");
+ fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
+ fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
+ fwrite($fout, "#\n");
+
+ /* set # of dns children */
+ fwrite($fout, "dns_children 15\n");
+
+ fwrite($fout, "shutdown_lifetime 5 seconds\n");
+ fwrite($fout, "icp_port 0\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
+ fwrite($fout, "no_cache deny QUERY\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "pid_filename /var/run/squid.pid\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_mem 24 MB\n");
+ fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "memory_replacement_policy heap GDSF\n");
+ fwrite($fout, "cache_replacement_policy heap GDSF\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_access_log none\n");
+ fwrite($fout, "cache_log none\n");
+ fwrite($fout, "cache_store_log none\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "log_mime_hdrs off\n");
+ fwrite($fout, "emulate_httpd_log on\n");
+ fwrite($fout, "forwarded_for off\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
+ fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
+ fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
+ fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
+ fwrite($fout, "acl Safe_ports port 80 # http\n");
+ fwrite($fout, "acl Safe_ports port 21 # ftp\n");
+ fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
+ fwrite($fout, "acl Safe_ports port 70 # gopher\n");
+ fwrite($fout, "acl Safe_ports port 210 # wais\n");
+ fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
+ fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
+ fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
+ fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
+ fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
+ fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl CONNECT method CONNECT\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#access to squid; local machine; no restrictions\n");
+ fwrite($fout, "http_access allow localnet\n");
+ fwrite($fout, "http_access allow localhost\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#Deny non web services\n");
+ fwrite($fout, "http_access deny !Safe_ports\n");
+ fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#Set custom configured ACLs\n");
+ fwrite($fout, "http_access deny all\n");
+ fwrite($fout, "visible_hostname pfSense\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_effective_user squid\n");
+ fwrite($fout, "cache_effective_group squid\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "maximum_object_size 4096 KB\n");
+ fwrite($fout, "minimum_object_size 0 KB\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "request_body_max_size 0 KB\n");
+ fwrite($fout, "reply_body_max_size 0 allow all\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "httpd_accel_host virtual\n");
+ fwrite($fout, "httpd_accel_port 80\n");
+ fwrite($fout, "httpd_accel_with_proxy on\n");
+ fwrite($fout, "httpd_accel_uses_host_header on\n");
+
+ fclose($fout);
+}
+
+function mod_htpasswd() {
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
+
+ $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+");
+
+ if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") {
+ foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) {
+ $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']);
+ fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n");
+ }
+ }
+
+ fclose($passfile);
+
+ conf_mount_ro();
+ config_unlock();
+}
+
+function generate_htpasswd($username, $password) {
+ $all = explode( " ",
+ "a b c d e f g h i j k l m n o p q r s t u v w x y z "
+ . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z "
+ . "0 1 2 3 4 5 6 7 8 9");
+
+ for ($i = 0; $i < 9; $i++) {
+ srand((double)microtime()*1000000);
+ $randy = rand(0,61);
+ $seed .= $all[$randy];
+ }
+
+ $crypt = crypt($password, "$1$$seed");
+ return $crypt;
+}
+
+?>
diff --git a/config/squid3/34/squid_ng.xml b/config/squid3/34/squid_ng.xml
new file mode 100755
index 00000000..b96b4eb2
--- /dev/null
+++ b/config/squid3/34/squid_ng.xml
@@ -0,0 +1,267 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squid</name>
+ <version>2.5.12_4</version>
+ <title>Services: Proxy Server</title>
+ <category>Security</category>
+ <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</aftersaveredirect>
+ <include_file>/usr/local/pkg/squid_ng.inc</include_file>
+ <menu>
+ <name>Squid</name>
+ <tooltiptext>Modify settings for Proxy Server</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
+ </menu>
+ <menu>
+ <name>Squid stats</name>
+ <tooltiptext>Show Squid statistics</tooltiptext>
+ <section>Services</section>
+ <url>/cachemgr.cgi</url>
+ </menu>
+ <service>
+ <name>squid</name>
+ <rcfile>squid.sh</rcfile>
+ </service>
+ <tabs>
+ <tab>
+ <text>General Settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Upstream Proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Network Access Control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Extended Auth</text>
+ <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <configpath>installedpackages->package->squidng->configuration->settings</configpath>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_cache.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_nac.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_ng.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_traffic.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_upstream.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_auth.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_auth.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>https://packages.pfsense.org/packages/config/squid/squid_extauth.xml</item>
+ </additional_files_needed>
+ <fields>
+ <field>
+ <fielddescr>Proxy Listening Interface</fielddescr>
+ <fieldname>active_interface</fieldname>
+ <description>This defines the active listening interface to which the proxy server will listen for its requests.</description>
+ <type>interfaces_selection</type>
+ </field>
+ <field>
+ <fielddescr>Transparent Proxy</fielddescr>
+ <fieldname>transparent_proxy</fieldname>
+ <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>URL Filtering Enabled</fielddescr>
+ <fieldname>urlfilter_enable</fieldname>
+ <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Disable Access Log</fielddescr>
+ <fieldname>accesslog_disabled</fieldname>
+ <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log Query Terms</fielddescr>
+ <fieldname>log_query_terms</fieldname>
+ <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log User Agents</fielddescr>
+ <fieldname>log_user_agents</fieldname>
+ <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Proxy Port</fielddescr>
+ <fieldname>proxy_port</fieldname>
+ <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description>
+ <type>input</type>
+ <size>4</size>
+ <combinefieldsend>true</combinefieldsend>
+ </field>
+ <field>
+ <fielddescr>ICP Port</fielddescr>
+ <fieldname>icp_port</fieldname>
+ <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description>
+ <type>input</type>
+ <size>4</size>
+ </field>
+ <field>
+ <fielddescr>Visible Hostname</fielddescr>
+ <fieldname>visible_hostname</fieldname>
+ <description>This URL is displayed on the Proxy Server error messages.</description>
+ <type>input</type>
+ <size>35</size>
+ </field>
+ <field>
+ <fielddescr>Cache Administrator E-Mail</fielddescr>
+ <fieldname>cache_admin_email</fieldname>
+ <description>This E-Mail address is displayed on the Proxy Server error messages.</description>
+ <type>input</type>
+ <size>35</size>
+ </field>
+ <field>
+ <fielddescr>Error Messages Language</fielddescr>
+ <fieldname>error_language</fieldname>
+ <description>Select the language in which the Proxy Server shall display error messages to users.</description>
+ <type>select</type>
+ <options>
+ <option><name>Bulgarian</name><value>Bulgarian</value></option>
+ <option><name>Catalan</name><value>Catalan</value></option>
+ <option><name>Czech</name><value>Czech</value></option>
+ <option><name>Danish</name><value>Danish</value></option>
+ <option><name>Dutch</name><value>Dutch</value></option>
+ <option><name>English</name><value>English</value></option>
+ <option><name>Estonian</name><value>Estonian</value></option>
+ <option><name>Finnish</name><value>Finnish</value></option>
+ <option><name>French</name><value>French</value></option>
+ <option><name>German</name><value>German</value></option>
+ <option><name>Hebrew</name><value>Hebrew</value></option>
+ <option><name>Hungarian</name><value>Hungarian</value></option>
+ <option><name>Italian</name><value>Italian</value></option>
+ <option><name>Japanese</name><value>Japanese</value></option>
+ <option><name>Korean</name><value>Korean</value></option>
+ <option><name>Lithuanian</name><value>Lithuanian</value></option>
+ <option><name>Polish</name><value>Polish</value></option>
+ <option><name>Portuguese</name><value>Portuguese</value></option>
+ <option><name>Romanian</name><value>Romanian</value></option>
+ <option><name>Russian-1251</name><value>Russian-1251</value></option>
+ <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
+ <option><name>Serbian</name><value>Serbian</value></option>
+ <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
+ <option><name>Slovak</name><value>Slovak</value></option>
+ <option><name>Spanish</name><value>Spanish</value></option>
+ <option><name>Swedish</name><value>Swedish</value></option>
+ <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
+ <option><name>Turkish</name><value>Turkish</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable cachemgr</fielddescr>
+ <fieldname>cachemgr_enabled</fieldname>
+ <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. &lt;b&gt;Note:&lt;/b&gt; This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description>
+ <type>checkbox</type>
+ </field>
+
+ </fields>
+ <custom_add_php_command_late>
+ global_write_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ start_service("squid");
+ </custom_add_php_command_late>
+ <custom_php_install_command>
+ squid3_custom_php_install_command();
+ write_static_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ start_service("squid");
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ squid3_custom_php_deinstall_command();
+ stop_service("squid");
+ </custom_php_deinstall_command>
+</packagegui>
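Review bot: The `custom_php_install_command` block (squid3_custom_php_install_command(); write_static_squid_config(); ... start_service("squid");) duplicates work the called function already does — in the preceding hunk squid3_custom_php_install_command() itself calls write_static_squid_config() and ends with start_service("squid"), so the static config is written twice and the service is started twice during install. Reducing the element to `squid3_custom_php_install_command();` plus the `-k reconfigure` line would avoid the double start, unless the second write is deliberate. Separately, the "General Settings" tab URL points at `squid.xml` while the menu entry and `aftersaveredirect` use `squid_ng.xml`, and every `additional_files_needed` item is fetched from `.../config/squid/` rather than a squid3 path; these look like carry-overs from the older package and are worth confirming, since a wrong URL here silently installs a different package's files.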
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc
new file mode 100755
index 00000000..3f216296
--- /dev/null
+++ b/config/squid3/34/squid_reverse.inc
@@ -0,0 +1,245 @@
+<?php
+/* $Id$ */
+/*
+ squid_reverse.inc
+ Copyright (C) 2012 Martin Fuchs
+ Copyright (C) 2012-2014 Marcello Coutinho
+ Copyright (C) 2013 Gekkenhuis
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+function squid_resync_reverse() {
+ global $config;
+ //if(!is_array($valid_acls))
+ // return;
+
+ //CONFIG FILE
+ if (is_array($config['installedpackages']['squidreversegeneral']))
+ $settings = $config['installedpackages']['squidreversegeneral']['config'][0];
+ if (is_array($config['installedpackages']['squidreversepeer']))
+ $reverse_peers=$config['installedpackages']['squidreversepeer']['config'];
+ if (is_array($config['installedpackages']['squidreverseuri']))
+ $reverse_maps=$config['installedpackages']['squidreverseuri']['config'];
+ if (is_array($config['installedpackages']['squidreverseredir']))
+ $reverse_redir=$config['installedpackages']['squidreverseredir']['config'];
+
+ $conf = "# Reverse Proxy settings\n";
+
+ if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
+ $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
+ if ($svr_cert != false) {
+ if(base64_decode($svr_cert['crt'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt']));
+ $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
+ }
+ if(base64_decode($svr_cert['prv'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv']));
+ $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
+ }
+ }
+ }
+
+ if (!empty($settings['reverse_int_ca']))
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
+
+ $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
+ $real_ifaces = array();
+
+ #set HTTP port and defsite
+ $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']);
+ $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']);
+
+ #set HTTPS port and defsite
+ $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']);
+ $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']);
+
+ foreach (explode(",", $ifaces) as $i => $iface) {
+ $real_ifaces[] = squid_get_real_interface_address($iface);
+ if($real_ifaces[$i][0]) {
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
+ }
+
+ if(!empty($settings['reverse_ip'])) {
+ $reverse_ip = explode(";", ($settings['reverse_ip']));
+ foreach ($reverse_ip as $reip) {
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
+ }
+
+ //PEERS
+ if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])))
+
+ if(!empty($settings['reverse_owa_ip'])) {
+ $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
+ $casnr = 0;
+ foreach ($reverse_owa_ip as $reowaip) {
+ $casnr++;
+ $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n";
+ $conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n";
+ }
+ }
+
+ $active_peers=array();
+ if (is_array($reverse_peers))
+ foreach ($reverse_peers as $rp){
+ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){
+ $conf_peer = "#{$rp['description']}\n";
+ $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
+ if($rp['protocol'] == 'HTTPS')
+ $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
+ $conf_peer .= "name=rvp_{$rp['name']}\n\n";
+
+ // add peer only if reverse proxy is enabled for http
+ if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){
+ $conf .= $conf_peer;
+ array_push($active_peers,$rp['name']);
+ }
+ // add peer only if if reverse proxy is enabled for https
+ if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){
+ if (!in_array($rp['name'],$active_peers)){
+ $conf .= $conf_peer;
+ array_push($active_peers,$rp['name']);
+ }
+ }
+ }
+ }
+
+ //REDIRECTS
+ if (is_array($reverse_redir)) {
+ foreach ($reverse_redir as $rdr) {
+ if($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
+ $conf_rdr = "# Redirect: {$rdr['description']}\n";
+
+ if (is_array($rdr['row'])) {
+ foreach ($rdr['row'] as $uri) {
+ $conf_rdr .= "acl rdr_dst_{$rdr['name']} dstdomain {$uri['uri']}\n";
+ }
+ }
+
+ $conf_rdr .= "acl rdr_path_{$rdr['name']} urlpath_regex {$rdr['pathregex']}\n";
+ $conf_rdr .= "deny_info {$rdr['redirurl']} rdr_path_{$rdr['name']}\n";
+
+ foreach (explode(',', $rdr['protocol']) as $rdr_protocol) {
+ if($rdr_protocol == "HTTP") {
+ $conf_rdr .= "http_access deny HTTP rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
+ }
+
+ if($rdr_protocol == "HTTPS") {
+ $conf_rdr .= "http_access deny HTTPS rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
+ }
+ }
+
+ $conf_rdr .= "\n";
+ }
+
+ $conf .= $conf_rdr;
+ }
+ }
+
+ //ACLS and MAPPINGS
+
+ //create an empty owa_dirs to populate based on user selected options
+ $owa_dirs=array();
+ if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){
+ if(!empty($settings['reverse_owa_ip'])){
+ array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB');
+ if($settings['reverse_owa_activesync'])
+ array_push($owa_dirs,'Microsoft-Server-ActiveSync');
+ if($settings['reverse_owa_rpchttp'])
+ array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
+ if($settings['reverse_owa_mapihttp'])
+ array_push($owa_dirs,'mapi');
+ if($settings['reverse_owa_webservice']){
+ array_push($owa_dirs,'EWS');
+ }
+ }
+ if (is_array($owa_dirs))
+ foreach ($owa_dirs as $owa_dir)
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+
+ if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) {
+ $reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.');
+ $conf .= "acl OWA_URI_pfs url_regex -i ^http://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n";
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n";
+ $conf .= "acl OWA_URI_pfs url_regex -i ^http://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
+ }
+ }
+ //$conf .= "ssl_unclean_shutdown on";
+ if (is_array($reverse_maps))
+ foreach ($reverse_maps as $rm){
+ if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!=""){
+ if (is_array($rm['row']))
+ foreach ($rm['row'] as $uri){
+ $url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] );
+ //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n";
+ $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n";
+ if($rm['name'] != $last_rm_name){
+ $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n";
+ $http_access_conf .= "http_access allow rvm_{$rm['name']}\n";
+ foreach (explode(',',$rm['peers']) as $map_peer)
+ if (in_array($map_peer,$active_peers)){
+ $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n";
+ $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n";
+ }
+ $last_rm_name=$rm['name'];
+ }
+ }
+ }
+ }
+
+ //ACCESS
+ if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
+
+ for($cascnt=1;$cascnt<$casnr+1;$cascnt++)
+ {
+ $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n";
+ $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n";
+ $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n";
+ $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs deny allsrc\n";
+ }
+
+ $conf .= "never_direct allow OWA_URI_pfs\n";
+ $conf .= "http_access allow OWA_URI_pfs\n";
+ }
+
+ $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n";
+
+ if (!empty($settings['deny_info_tcp_reset']))
+ $conf .= "deny_info TCP_RESET allsrc\n";
+
+ return $conf;
+}
+?>
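Review bot: The private key is written with `file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", ...)` under the process umask with no explicit mode, so the key file can end up group/world-readable on disk; add `chmod(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", 0600);` right after that write (the .crt does not need this). Related, `$reverse_crt` and `$reverse_key` are only assigned inside the cert-lookup branch, yet the `https_port ... cert={$reverse_crt} key={$reverse_key} ...` lines are emitted whenever `reverse_https` is set, so a missing or undecodable certificate yields a config line with empty `cert=`/`key=` values instead of a clear error — guarding those lines with `if (!empty($reverse_crt) && !empty($reverse_key))` or logging the failure would surface the misconfiguration. The `if (($settings['reverse_owa'] == 'on') && ...)` immediately followed by a blank line and a second `if` relies on the second `if` being the body of the first; wrapping the first condition in braces would make the intent explicit. Finally, every cache_peer for HTTPS backends carries `sslflags=DONT_VERIFY_PEER`, which disables certificate validation toward the origin servers; if that is intentional a comment saying so next to the peer lines would help the next maintainer.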
diff --git a/config/squid3/34/squid_reverse.xml b/config/squid3/34/squid_reverse.xml
new file mode 100755
index 00000000..40fb0ec1
--- /dev/null
+++ b/config/squid3/34/squid_reverse.xml
@@ -0,0 +1,365 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreverse</name>
+ <version>none</version>
+ <title>Proxy server: Reverse Proxy</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+<tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Reverse</text>
+ <url>/pkg_edit.php?xml=squid_reverse.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Reverse proxy General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Reverse Proxy interface</fielddescr>
+ <fieldname>reverse_interface</fieldname>
+ <description>The interface(s) the reverse-proxy server will bind to.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>wan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>User-defined reverse-proxy IPs</fielddescr>
+ <fieldname>reverse_ip</fieldname>
+ <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>external FQDN</fielddescr>
+ <fieldname>reverse_external_fqdn</fieldname>
+ <description>The external full-qualified-domain-name of the WAN address.</description>
+ <type>input</type>
+ <required/>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Reset TCP connections if request is unauthorized</fielddescr>
+ <fieldname>deny_info_tcp_reset</fieldname>
+ <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>Squid Reverse HTTP Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTP reverse mode</fielddescr>
+ <fieldname>reverse_http</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTP reverse mode. &lt;br&gt;(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_http_port,reverse_http_defsite</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP port</fielddescr>
+ <fieldname>reverse_http_port</fieldname>
+ <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>80</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP default site</fielddescr>
+ <fieldname>reverse_http_defsite</fieldname>
+ <description>This is the HTTP reverse default site. (leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Reverse HTTPS Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTPS reverse proxy</fielddescr>
+ <fieldname>reverse_https</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. &lt;br&gt;(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS port</fielddescr>
+ <fieldname>reverse_https_port</fieldname>
+ <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>443</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS default site</fielddescr>
+ <fieldname>reverse_https_defsite</fieldname>
+ <description>This is the HTTPS reverse default site. (leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>reverse SSL certificate</fielddescr>
+ <fieldname>reverse_ssl_cert</fieldname>
+ <description>Choose the SSL Server Certificate here.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['cert']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>intermediate CA certificate (if needed)</fielddescr>
+ <fieldname>reverse_int_ca</fieldname>
+ <description>Paste a signed certificate in X.509 PEM format here.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Ignore internal Certificate validation</fielddescr>
+ <fieldname>reverse_ignore_ssl_valid</fieldname>
+ <description>If this field is checked, internal certificate validation will be ignored.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Enable OWA reverse proxy</fielddescr>
+ <fieldname>reverse_owa</fieldname>
+ <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description>
+ <type>checkbox</type>
+ <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields>
+ </field>
+ <field>
+ <fielddescr>CAS-Array / OWA frontend IP address</fielddescr>
+ <fieldname>reverse_owa_ip</fieldname>
+ <description>These are the internal IPs of the CAS-Array (OWA frontend servers). Separate by semi-colons (;). </description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Enable ActiveSync</fielddescr>
+ <fieldname>reverse_owa_activesync</fieldname>
+ <description>If this field is checked, ActiveSync will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Outlook Anywhere</fielddescr>
+ <fieldname>reverse_owa_rpchttp</fieldname>
+ <description>If this field is checked, RPC over HTTP will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable MAPI HTTP</fielddescr>
+ <fieldname>reverse_owa_mapihttp</fieldname>
+ <description><![CDATA[If this field is checked, MAPI over HTTP will be enabled.<br>
+ <strong>This feature is only available with at least Exchange 2013 SP1</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Exchange WebServices</fielddescr>
+ <fieldname>reverse_owa_webservice</fieldname>
+ <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br>
+ <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable AutoDiscover</fielddescr>
+ <fieldname>reverse_owa_autodiscover</fieldname>
+ <description><![CDATA[If this field is checked, AutoDiscover will be enabled.<br>
+ <strong>You also should set up the autodiscover DNS-record to point to you WAN-IP.</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>Squid Reverse Mappings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>&lt;b&gt;peer definitions&lt;/b&gt; &lt;br&gt;publishing hosts</fielddescr>
+ <fieldname>reverse_cache_peer</fieldname>
+ <description><![CDATA[Enter each peer definition on a new line. Directives have to be separated by a semicolon(;).<BR>
+ syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS]<br>
+ example: HOST1;192.168.0.1;80;HTTP<br>
+ <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>&lt;b&gt;URI definitions&lt;/b&gt; &lt;br&gt;published URIs</fielddescr>
+ <fieldname>reverse_uri</fieldname>
+ <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;)<BR>
+ syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <BR>
+ (a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://)<BR>
+ example: URI1;public;server.pfsense.org.<BR>
+ <STRONG>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</STRONG>]]></description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>&lt;b&gt;ACL definitions&lt;/b&gt; &lt;br&gt;published URIs</fielddescr>
+ <fieldname>reverse_acl</fieldname>
+ <description><![CDATA[Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br>
+ syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br>
+ <strong>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</strong>]]></description>
+ <type>textarea</type>
+ <cols>60</cols>
+ <rows>10</rows>
+ <encoding>base64</encoding>
+ </field>
+
+<!--
+ <field>
+ <fielddescr>internal hosts</fielddescr>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>IP address</fielddescr>
+ <fieldname>reverse_cache_peer_ip</fieldname>
+ <type>input</type>
+ <size>15</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>reverse_cache_peer_proto</fieldname>
+ <type>select</type>
+ <options>
+ <option> <name>HTTP</name> <value>HTTP</value> </option>
+ <option> <name>HTTPS</name> <value>HTTPS</value> </option>
+ </options>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>port</fielddescr>
+ <fieldname>reverse_cache_peer_port</fieldname>
+ <type>input</type>
+ <size>5</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>peer name</fielddescr>
+ <fieldname>reverse_cache_peer_name</fieldname>
+ <type>input</type>
+ <size>25</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+
+ <field>
+ <fielddescr>published URI</fielddescr>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>URI</fielddescr>
+ <fieldname>reverse_cache_peer_uri</fieldname>
+ <type>input</type>
+ <size>50</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>peer name</fielddescr>
+ <fieldname>reverse_cache_peer</fieldname>
+ <type>input</type>
+ <size>25</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+-->
+
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general($pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_reverse($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
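Review bot: The `enablefields` list on the `reverse_https` checkbox names `reverse_ssl_chain`, but no field with that `fieldname` is defined anywhere in this file (the closest is `reverse_int_ca`), so the entry is either stale from a rename or a field is missing; the same list appears in squid_reverse_general.xml in this diff. The copyright block still says `authng.xml` where the sibling files name themselves, which reads as copy-paste residue; I'd change that line to `squid_reverse.xml`. The `description` and `requirements` elements are also still the scaffold placeholders.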
diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml
new file mode 100755
index 00000000..3317ae18
--- /dev/null
+++ b/config/squid3/34/squid_reverse_general.xml
@@ -0,0 +1,257 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_reverse_general.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreversegeneral</name>
+ <version>none</version>
+ <title>Reverse Proxy server: General</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Reverse proxy General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Reverse Proxy interface</fielddescr>
+ <fieldname>reverse_interface</fieldname>
+ <description>The interface(s) the reverse-proxy server will bind to.</description>
+ <type>interfaces_selection</type>
+ <required/>
+ <default_value>wan</default_value>
+ <multiple/>
+ </field>
+ <field>
+ <fielddescr>User-defined reverse-proxy IPs</fielddescr>
+ <fieldname>reverse_ip</fieldname>
+ <description>Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>external FQDN</fielddescr>
+ <fieldname>reverse_external_fqdn</fieldname>
+ <description>The external full-qualified-domain-name of the WAN address.</description>
+ <type>input</type>
+ <required/>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Reset TCP connections if request is unauthorized</fielddescr>
+ <fieldname>deny_info_tcp_reset</fieldname>
+ <description>If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>Squid Reverse HTTP Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTP reverse mode</fielddescr>
+ <fieldname>reverse_http</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTP reverse mode. &lt;br&gt;(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_http_port,reverse_http_defsite</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP port</fielddescr>
+ <fieldname>reverse_http_port</fieldname>
+ <description>This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>80</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTP default site</fielddescr>
+ <fieldname>reverse_http_defsite</fieldname>
+ <description>This is the HTTP reverse default site. (leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Reverse HTTPS Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable HTTPS reverse proxy</fielddescr>
+ <fieldname>reverse_https</fieldname>
+ <description>If this field is checked, the proxy-server will act in HTTPS reverse mode. &lt;br&gt;(You have to add a rule with destination "WAN-address")</description>
+ <type>checkbox</type>
+ <enablefields>reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain</enablefields>
+ <required/>
+ <default_value>off</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS port</fielddescr>
+ <fieldname>reverse_https_port</fieldname>
+ <description>This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443)</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>443</default_value>
+ </field>
+ <field>
+ <fielddescr>reverse HTTPS default site</fielddescr>
+ <fieldname>reverse_https_defsite</fieldname>
+ <description>This is the HTTPS reverse default site. (leave empty to use the external fqdn)</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>reverse SSL certificate</fielddescr>
+ <fieldname>reverse_ssl_cert</fieldname>
+ <description>Choose the SSL Server Certificate here.</description>
+ <type>select_source</type>
+ <source><![CDATA[$config['cert']]]></source>
+ <source_name>descr</source_name>
+ <source_value>refid</source_value>
+ </field>
+ <field>
+ <fielddescr>intermediate CA certificate (if needed)</fielddescr>
+ <fieldname>reverse_int_ca</fieldname>
+ <description>Paste a signed certificate in X.509 PEM format here.</description>
+ <type>textarea</type>
+ <cols>50</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
+ <field>
+ <fielddescr>Ignore internal Certificate validation</fielddescr>
+ <fieldname>reverse_ignore_ssl_valid</fieldname>
+ <description>If this field is checked, internal certificate validation will be ignored.</description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <name>OWA Reverse proxy General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable OWA reverse proxy</fielddescr>
+ <fieldname>reverse_owa</fieldname>
+ <description>If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App.</description>
+ <type>checkbox</type>
+ <enablefields>reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover</enablefields>
+ </field>
+ <field>
+ <fielddescr>CAS-Array / OWA frontend IP address</fielddescr>
+ <fieldname>reverse_owa_ip</fieldname>
+ <description>These are the internal IPs of the CAS-Array (OWA frontend servers). Separate by semi-colons (;). </description>
+ <type>input</type>
+ <size>70</size>
+ </field>
+ <field>
+ <fielddescr>Enable ActiveSync</fielddescr>
+ <fieldname>reverse_owa_activesync</fieldname>
+ <description>If this field is checked, ActiveSync will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Outlook Anywhere</fielddescr>
+ <fieldname>reverse_owa_rpchttp</fieldname>
+ <description>If this field is checked, RPC over HTTP will be enabled.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable MAPI HTTP</fielddescr>
+ <fieldname>reverse_owa_mapihttp</fieldname>
+ <description><![CDATA[If this field is checked, MAPI over HTTP will be enabled.<br>
+ <strong>This feature is only available with at least Exchange 2013 SP1</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable Exchange WebServices</fielddescr>
+ <fieldname>reverse_owa_webservice</fieldname>
+ <description><![CDATA[If this field is checked, Exchange WebServices will be enabled.<br>
+ <strong>There are potential DoS side effects to its use, please avoid unless you must.</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Enable AutoDiscover</fielddescr>
+ <fieldname>reverse_owa_autodiscover</fieldname>
+ <description><![CDATA[If this field is checked, AutoDiscover will be enabled.<br>
+ <strong>You also should set up the autodiscover DNS-record to point to you WAN-IP.</strong>]]></description>
+ <type>checkbox</type>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general($pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_reverse($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
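Review bot: `reverse_ignore_ssl_valid` defaults to `on` while its description only says validation "will be ignored", so an operator accepting the defaults presumably gets a reverse proxy that does not verify the certificates of its HTTPS back-ends (how the flag is translated into the squid configuration lives in squid.inc, outside this diff). Since this is the one security-relevant switch in the HTTPS section, the consequence should be spelled out in the description, e.g. `If this field is checked, Squid will not verify the TLS certificates presented by the internal HTTPS peers; leave it unchecked unless the back-ends use self-signed or otherwise unverifiable certificates.` The same field and default appear in squid_reverse.xml.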
diff --git a/config/squid3/34/squid_reverse_peer.xml b/config/squid3/34/squid_reverse_peer.xml
new file mode 100755
index 00000000..eabc72ff
--- /dev/null
+++ b/config/squid3/34/squid_reverse_peer.xml
@@ -0,0 +1,167 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_reverse_peer.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreversepeer</name>
+ <version>none</version>
+ <title>Reverse Proxy server: Peers</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Status</fielddescr>
+ <fieldname>enable</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Alias</fielddescr>
+ <fieldname>name</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Ip address</fielddescr>
+ <fieldname>ip</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Port</fielddescr>
+ <fieldname>port</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Protocol</fielddescr>
+ <fieldname>Protocol</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>Squid Reverse Peer Mappings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable this peer</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>If this field is checked, then this peer will be available for reverse config.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Peer Alias</fielddescr>
+ <fieldname>name</fieldname>
+ <description><![CDATA[Name to identify this peer on squid reverse conf<br>
+ example: HOST1]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Peer IP</fielddescr>
+ <fieldname>ip</fieldname>
+ <description><![CDATA[Ip Address of this peer.<br>
+ example: 192.168.0.1]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Peer Port</fielddescr>
+ <fieldname>port</fieldname>
+ <description><![CDATA[Listening port of this peer.<br>
+ example: 80]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Peer Protocol</fielddescr>
+ <fieldname>protocol</fieldname>
+ <description><![CDATA[Protocol listening on this peer port.]]></description>
+ <type>select</type>
+ <options>
+ <option> <name>HTTP</name> <value>HTTP</value> </option>
+ <option> <name>HTTPS</name> <value>HTTPS</value> </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Peer Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description><![CDATA[Peer Description (optional)]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ squid_before_form_general($pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_reverse($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
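Review bot: The list column for the protocol uses `<fieldname>Protocol</fieldname>` while the edit form defines the field as `protocol`; the column is looked up by the exact config key, so the Protocol column will presumably render empty for every peer on the list page. I'd change the column to `<fieldname>protocol</fieldname>`. Beyond that, the `ip` and `port` inputs carry no constraints in the XML, so the well-formedness of what ends up in the generated `cache_peer` lines rests entirely on `squid_validate_reverse`, which is outside this diff.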
diff --git a/config/squid3/34/squid_reverse_redir.xml b/config/squid3/34/squid_reverse_redir.xml
new file mode 100755
index 00000000..de25f56a
--- /dev/null
+++ b/config/squid3/34/squid_reverse_redir.xml
@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ============================================================================ */
+/*
+ squid_reverse_redir.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2013 Gekkenhuis
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ============================================================================ */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ============================================================================ */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreverseredir</name>
+ <version>none</version>
+ <title>Reverse Proxy server: Redirects</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Status</fielddescr>
+ <fieldname>enable</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Redirect Name</fielddescr>
+ <fieldname>name</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Redirect to</fielddescr>
+ <fieldname>redirurl</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>Squid Redirect Mappings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable this redirect</fielddescr>
+ <fieldname>enable</fieldname>
+ <description><![CDATA[If this field is checked, then this redirect will be available for reverse config.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Redirect name</fielddescr>
+ <fieldname>name</fieldname>
+ <description><![CDATA[Name to identify this redirect on squid reverse conf<br/>
+ example: REDIR1]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Redirect Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description><![CDATA[Redirect Description (optional)]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Redirect Protocol</fielddescr>
+ <fieldname>protocol</fieldname>
+ <description><![CDATA[Protocol to redirect on.<br/>
+ Use CTRL + click to select multiple]]></description>
+ <type>select</type>
+ <multiple/>
+ <size>03</size>
+ <options>
+ <option>
+ <name>HTTP</name>
+ <value>HTTP</value>
+ </option>
+ <option>
+ <name>HTTPS</name>
+ <value>HTTPS</value>
+ </option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Blocked domains</fielddescr>
+ <fieldname>none</fieldname>
+ <description>Domains to redirect for</description>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr><![CDATA[<strong>Domains to match</strong><br/><br/>
+ Samples: mydomain.com sub.mydomain.com www.mydomain.com<br/><br/>
+ Do not enter http:&#47;&#47; or https:&#47;&#47; here! only the hostname is required.]]></fielddescr>
+ <fieldname>uri</fieldname>
+ <type>input</type>
+ <size>60</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ <field>
+ <fielddescr>Path regex</fielddescr>
+ <fieldname>pathregex</fieldname>
+ <description><![CDATA[Path regex to match<br/><br/>]]>
+ Enter &#94;&#47;&#36; to match the domain only.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>URL to redirect to</fielddescr>
+ <fieldname>redirurl</fieldname>
+ <description><![CDATA[URL to redirect to]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ </fields>
+
+ <custom_php_command_before_form>
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui> \ No newline at end of file
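Review bot: The validation hook closing this file is empty (`<custom_php_validation_command>` with no body), so the `pathregex`, `redirurl` and per-row `uri` values go to `squid_resync()` unchecked, although the peer page earlier in this commit runs `squid_validate_reverse($_POST, $input_errors);` in the same hook. A malformed regex or URL, or one containing line breaks, would presumably land in the generated squid configuration as typed; the hook should call the reverse validator, or a dedicated one if `squid_validate_reverse` does not know these field names. The same empty hook appears in the squid_reverse_uri.xml, squid_reverse_sync.xml and squid_sync.xml hunks below. Separately, the rowhelper label `<fielddescr>Blocked domains</fielddescr>` contradicts its own description "Domains to redirect for"; `<fielddescr>Domains to redirect</fielddescr>` matches what the field does.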
diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml
new file mode 100755
index 00000000..0dc816cb
--- /dev/null
+++ b/config/squid3/34/squid_reverse_sync.xml
@@ -0,0 +1,135 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_sync.xml
+ part of the sarg package for pfSense
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidsync</name>
+ <version>1.0</version>
+ <title>Reverse Proxy server: XMLRPC Sync</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>XMLRPC Sync</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Automatically sync squid configuration changes</fielddescr>
+ <fieldname>synconchanges</fieldname>
+ <description>Select a sync method for squid.</description>
+ <type>select</type>
+ <required/>
+ <default_value>auto</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Sync timeout</fielddescr>
+ <fieldname>synctimeout</fieldname>
+ <description>Select sync max wait time</description>
+ <type>select</type>
+ <required/>
+ <default_value>250</default_value>
+ <options>
+ <option><name>250 seconds(Default)</name><value>250</value></option>
+ <option><name>120 seconds</name><value>120</value></option>
+ <option><name>90 seconds</name><value>90</value></option>
+ <option><name>60 seconds</name><value>60</value></option>
+ <option><name>30 seconds</name><value>30</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Remote Server</fielddescr>
+ <fieldname>none</fieldname>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>IP Address</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description>IP Address of remote server</description>
+ <type>input</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description>Password for remote server.</description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
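Review bot: `<name>squidsync</name>` is the same package name used by squid_sync.xml later in this commit, and squid_reverse_uri.xml in the same commit shows that `<name>` selects the config node (`$config['installedpackages']['squidreversepeer']['config']`), so the reverse-proxy Sync tab and the forward-proxy Sync tab will read and write one shared `squidsync` section. If that is intended, a line in the copyright block stating that both sync pages share one configuration would save the next maintainer a surprise; if not, this page needs its own name such as `<name>squidreversesync</name>`, with whatever reads it in squid.inc adjusted to match. The header also still reads `squid_sync.xml` and `part of the sarg package for pfSense`, which looks copied from another file; it should name `squid_reverse_sync.xml` and this package.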
diff --git a/config/squid3/34/squid_reverse_uri.xml b/config/squid3/34/squid_reverse_uri.xml
new file mode 100755
index 00000000..9a6f183f
--- /dev/null
+++ b/config/squid3/34/squid_reverse_uri.xml
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_reverse_general.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidreverseuri</name>
+ <version>none</version>
+ <title>Reverse Proxy server: Mappings</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid_reverse_general.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Web Servers</text>
+ <url>/pkg.php?xml=squid_reverse_peer.xml</url>
+ </tab>
+ <tab>
+ <text>Mappings</text>
+ <url>/pkg.php?xml=squid_reverse_uri.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Redirects</text>
+ <url>/pkg.php?xml=squid_reverse_redir.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php?menu=reverse</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_reverse_sync.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Status</fielddescr>
+ <fieldname>enable</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Group Name</fielddescr>
+ <fieldname>name</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Peers</fielddescr>
+ <fieldname>peers</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>Squid Reverse Peer Mappings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable this URI</fielddescr>
+ <fieldname>enable</fieldname>
+ <description><![CDATA[If this field is checked, then this URI(Uniform Resource Name) will be available for reverse config.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Group name</fielddescr>
+ <fieldname>name</fieldname>
+ <description><![CDATA[Name to identify this URI on squid reverse conf<br>
+ example: URI1]]></description>
+ <type>input</type>
+ <size>20</size>
+ </field>
+ <field>
+ <fielddescr>Group Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description><![CDATA[URI Group Description (optional)]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Peers</fielddescr>
+ <fieldname>peers</fieldname>
+ <description><![CDATA[Apply this Group Mappings to selected Peers<br>
+ Use CTRL + click to select.]]></description>
+ <type>select_source</type>
+ <source><![CDATA[$config['installedpackages']['squidreversepeer']['config']]]></source>
+ <source_name>name</source_name>
+ <source_value>name</source_value>
+ <multiple/>
+ <size>05</size>
+ </field>
+ <field>
+ <fielddescr><![CDATA[URIs]]></fielddescr>
+ <fieldname>none</fieldname>
+ <description><![CDATA[URI to publish]]></description>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr><![CDATA[<strong>Url regex to match</strong><br><br>
+ Samples: .mydomain.com .mydomain.com/test<br>
+ www.mydomain.com http://www.mydomain.com/ ^http://www.mydomain.com/.*$]]></fielddescr>
+ <fieldname>uri</fieldname>
+ <type>input</type>
+ <size>70</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui> \ No newline at end of file
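Review bot: The description on the enable checkbox expands the acronym as `URI(Uniform Resource Name)`; URI is Uniform Resource Identifier (URN is the Uniform Resource Name), so the text should read `If this field is checked, then this URI (Uniform Resource Identifier) will be available for reverse config.` The copyright block names the file `squid_reverse_general.xml` although this is squid_reverse_uri.xml. Both are documentation-only fixes.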
diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml
new file mode 100755
index 00000000..7e632eab
--- /dev/null
+++ b/config/squid3/34/squid_sync.xml
@@ -0,0 +1,151 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_sync.xml
+ part of the sarg package for pfSense
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidsync</name>
+ <version>1.0</version>
+ <title>Proxy server: XMLRPC Sync</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ <active/>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>XMLRPC Sync</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Automatically sync squid configuration changes</fielddescr>
+ <fieldname>synconchanges</fieldname>
+ <description>Select a sync method for squid.</description>
+ <type>select</type>
+ <required/>
+ <default_value>auto</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Sync timeout</fielddescr>
+ <fieldname>synctimeout</fieldname>
+ <description>Select sync max wait time</description>
+ <type>select</type>
+ <required/>
+ <default_value>250</default_value>
+ <options>
+ <option><name>250 seconds(Default)</name><value>250</value></option>
+ <option><name>120 seconds</name><value>120</value></option>
+ <option><name>90 seconds</name><value>90</value></option>
+ <option><name>60 seconds</name><value>60</value></option>
+ <option><name>30 seconds</name><value>30</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Remote Server</fielddescr>
+ <fieldname>none</fieldname>
+ <type>rowhelper</type>
+ <rowhelper>
+ <rowhelperfield>
+ <fielddescr>IP Address</fielddescr>
+ <fieldname>ipaddress</fieldname>
+ <description>IP Address of remote server</description>
+ <type>input</type>
+ <size>20</size>
+ </rowhelperfield>
+ <rowhelperfield>
+ <fielddescr>Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description>Password for remote server.</description>
+ <type>password</type>
+ <size>20</size>
+ </rowhelperfield>
+ </rowhelper>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
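Review bot: The Sync tab URL `/pkg_edit.php?xml=squid_sync.xml` is the only pkg_edit link in this tab list without `&amp;id=0`, while the General, Local Cache, Antivirus, ACLs, Traffic Mgmt and Authentication tabs all carry it; squid_traffic.xml below repeats the same link. Whether pkg_edit.php tolerates the missing id I cannot tell from here, but matching the siblings with `<url>/pkg_edit.php?xml=squid_sync.xml&amp;id=0</url>` removes the question. The header comment says `part of the sarg package for pfSense`, copied from elsewhere; it should name this package.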
diff --git a/config/squid3/34/squid_traffic.xml b/config/squid3/34/squid_traffic.xml
new file mode 100755
index 00000000..3439d598
--- /dev/null
+++ b/config/squid3/34/squid_traffic.xml
@@ -0,0 +1,208 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidtraffic</name>
+ <version>none</version>
+ <title>Proxy server: Traffic management</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+ <tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <name>Squid Traffic Managment Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Maximum download size</fielddescr>
+ <fieldname>max_download_size</fieldname>
+ <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Maximum upload size</fielddescr>
+ <fieldname>max_upload_size</fieldname>
+ <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Overall bandwidth throttling</fielddescr>
+ <fieldname>overall_throttling</fieldname>
+ <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Per-host throttling</fielddescr>
+ <fieldname>perhost_throttling</fieldname>
+ <description>This value specifies the download throttling per host. Set to 0 to disable this.</description>
+ <type>input</type>
+ <size>10</size>
+ <required/>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <name>Squid Transfer Extension Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Throttle only specific extensions</fielddescr>
+ <fieldname>throttle_specific</fieldname>
+ <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description>
+ <type>checkbox</type>
+ <enablefields>throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others</enablefields>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Throttle binary files</fielddescr>
+ <fieldname>throttle_binaries</fieldname>
+ <description>Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Throttle CD images</fielddescr>
+ <fieldname>throttle_cdimages</fieldname>
+ <description>Check this to apply bandwidth throttle to CD image files.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Throttle multimedia files</fielddescr>
+ <fieldname>throttle_multimedia</fieldname>
+ <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Throttle other extensions</fielddescr>
+ <fieldname>throttle_others</fieldname>
+ <description>Comma-separated list of extensions to apply bandwidth throttle to.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <name>Squid Transfer Quick Abort Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Finish transfer if less than x KB remaining</fielddescr>
+ <fieldname>quick_abort_min</fieldname>
+ <description>If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately.</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Abort transfer if more than x KB remaining</fielddescr>
+ <fieldname>quick_abort_max</fieldname>
+ <description>If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately.</description>
+ <type>input</type>
+ <default_value>0</default_value>
+ </field>
+ <field>
+ <fielddescr>Finish transfer if more than x % finished</fielddescr>
+ <fieldname>quick_abort_pct</fieldname>
+ <description>If more than x % of the transfer has completed, it will finish the retrieval.</description>
+ <type>input</type>
+ <size>10</size>
+ <default_value>0</default_value>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_traffic($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
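Review bot: The `quick_abort_max` field is the only input in this file without a `<size>` element, so it renders at the default width while `quick_abort_min` and `quick_abort_pct` get `<size>10</size>`; adding `<size>10</size>` after its `<type>input</type>` keeps the three consistent. The listtopic `Squid Traffic Managment Settings` misspells Management. The `perhost_throttling` description gives no unit while `overall_throttling` says kilobytes per second; if the per-host value is in the same unit, say so: `This value specifies the download throttling per host (in kilobytes per second). Set to 0 to disable this.` The copyright block still names `authng.xml` rather than this file.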
diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml
new file mode 100755
index 00000000..b8696750
--- /dev/null
+++ b/config/squid3/34/squid_upstream.xml
@@ -0,0 +1,361 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ squid_upstream.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code MUST retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidremote</name>
+ <version>none</version>
+ <title>Proxy server: Remote proxy settings</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <tabs>
+<tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Status</fielddescr>
+ <fieldname>enable</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>name</fielddescr>
+ <fieldname>proxyaddr</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Port</fielddescr>
+ <fieldname>proxyport</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>ICP</fielddescr>
+ <fieldname>icpport</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Peer type</fielddescr>
+ <fieldname>hierarchy</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Method</fielddescr>
+ <fieldname>peermethod</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+
+ <fields>
+ <field>
+ <name>General Settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable</fielddescr>
+ <fieldname>enable</fieldname>
+ <description>This option enables the proxy server to forward requests to an upstream/neighbor server.</description>
+ <type>checkbox</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Hostname</fielddescr>
+ <fieldname>proxyaddr</fieldname>
+ <description>Enter here the IP address or host name of the upstream proxy.</description>
+ <type>input</type>
+ <size>35</size>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Name</fielddescr>
+ <fieldname>proxyname</fieldname>
+ <description>Unique name for the peer.Required if you have multiple peers on the same host but different ports.</description>
+ <type>input</type>
+ <size>35</size>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>TCP port</fielddescr>
+ <fieldname>proxyport</fieldname>
+ <description>Enter the port to use to connect to the upstream proxy.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>3128</default_value>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Timeout</fielddescr>
+ <fieldname>connecttimeout</fieldname>
+ <description>A peer-specific connect timeout. Also see the peer_connect_timeout directive.</description>
+ <type>input</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr>Fail Limit</fielddescr>
+ <fieldname>connectfailLimit</fieldname>
+ <description>How many times connecting to a peer must fail before it is marked as down. Default is 10.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>10</default_value>
+ </field>
+ <field>
+ <fielddescr>Max</fielddescr>
+ <fieldname>maxconn</fieldname>
+ <description>Limit the amount of connections Squid may open to this peer.</description>
+ <type>input</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr>Allow Miss</fielddescr>
+ <fieldname>allowmiss</fieldname>
+ <description><![CDATA[<strong>allow-miss</strong> - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.<br><br>
+ <strong>no-tproxy</strong> - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.<br><br>
+ <strong>proxy-only</strong> - Objects fetched from the peer will not be stored locally.]]></description>
+ <type>select</type>
+ <default_value>allow-miss</default_value>
+ <options>
+ <option><name>Allow Miss</name><value>allow-miss</value></option>
+ <option><name>No Tproxy</name><value>no-tproxy</value></option>
+ <option><name>Proxy Only</name><value>proxy-only</value></option>
+ </options>
+ <multiple/>
+ <size>4</size>
+ </field>
+ <field>
+ <name>Peer settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Hierarchy</fielddescr>
+ <fieldname>hierarchy</fieldname>
+ <description>Specify remote caches hierarchy.</description>
+ <type>select</type>
+ <default_value>parent</default_value>
+ <options>
+ <option><name>parent</name><value>parent</value></option>
+ <option><name>sibling</name><value>sibling</value></option>
+ <option><name>multicast</name><value>multicast</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Select method</fielddescr>
+ <fieldname>peermethod</fieldname>
+ <description><![CDATA[The default peer selection method is ICP, with the first responding peer being used as source. These options can be used for better load balancing.<br><br>
+ <strong>default</strong> - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.<br>
+ If specified more than once, only the first is used.<br><br>
+ <strong>round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.<br>weight=N can be used to add bias.<br><br>
+ <strong>weighted-round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.<br>
+ Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.<br><br>
+ <strong>carp</strong> - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.<br><br>
+ <strong>userhash</strong> - Load-balance parents based on the client proxy_auth or ident username.<br><br>
+ <strong>sourcehash</strong> - Load-balance parents based on the client source IP.<br><br>
+ <strong>multicast-siblings</strong> - To be used only for cache peers of type "multicast".<br>
+ ALL members of this multicast group have "sibling" relationship with it, not "parent". This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.<br>
+ It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]></description>
+ <type>select</type>
+ <default_value>round-robin</default_value>
+ <options>
+ <option><name>round-robin</name><value>round-robin</value></option>
+ <option><name>default</name><value>default</value></option>
+ <option><name>weighted-round-robin</name><value>weighted-round-robin</value></option>
+ <option><name>carp</name><value>carp</value></option>
+ <option><name>userhash</name><value>userhash</value></option>
+ <option><name>sourcehash</name><value>sourcehash</value></option>
+ <option><name>multicast-sibling</name><value>multicast-sibling</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>weight</fielddescr>
+ <fieldname>weight</fieldname>
+ <description>Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more.</description>
+ <type>input</type>
+ <size>5</size>
+ <default>1</default>
+ </field>
+ <field>
+ <fielddescr>basetime</fielddescr>
+ <fieldname>basetime</fieldname>
+ <description><![CDATA[Specify a base amount to be subtracted from round trip times of parents.<br>
+ It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]></description>
+ <type>input</type>
+ <size>5</size>
+ <default>1</default>
+ </field>
+ <field>
+ <fielddescr>ttl</fielddescr>
+ <fieldname>ttl</fieldname>
+ <description><![CDATA[Specify a TTL to use when sending multicast ICP queries to this address<br>
+ Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]></description>
+ <type>input</type>
+ <size>5</size>
+ <default>1</default>
+ </field>
+ <field>
+ <fielddescr>no-delay</fielddescr>
+ <fieldname>nodelay</fieldname>
+ <description><![CDATA[To prevent access to this neighbor from influencing the delay pools.]]></description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <name>ICP settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>ICP port</fielddescr>
+ <fieldname>icpport</fieldname>
+ <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description>
+ <type>input</type>
+ <size>5</size>
+ <default_value>7</default_value>
+ </field>
+ <field>
+ <fielddescr>ICP Options</fielddescr>
+ <fieldname>icpoptions</fieldname>
+ <description><![CDATA[You MUST also set icp_port and icp_access explicitly when using these options.<br>
+ The defaults will prevent peer traffic using ICP<br><br>
+ <strong>no-query</strong> - Disable ICP queries to this neighbor.<br><br>
+ <strong>multicast-responder</strong> -Indicates the named peer is a member of a multicast group.<br>
+ ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.<br><br>
+ <strong>closest-only</strong> - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.<br><br>
+ <strong>background-ping</strong> - To only send ICP queries to this neighbor infrequently.<br>
+ This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]></description>
+ <type>select</type>
+ <default_value>no-query</default_value>
+ <options>
+ <option><name>no-query</name><value>no-query</value></option>
+ <option><name>multicast-responder</name><value>multicast-responder</value></option>
+ <option><name>closest-only</name><value>closest-only</value></option>
+ <option><name>background-ping</name><value>background-ping</value></option>
+ </options>
+ </field>
+ <field>
+ <name>Auth settings</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Username</fielddescr>
+ <fieldname>username</fieldname>
+ <description>If the upstream proxy requires a username, specify it here.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description>If the upstream proxy requires a password, specify it here.</description>
+ <type>password</type>
+ </field>
+ <field>
+ <fielddescr>Authentication options</fielddescr>
+ <fieldname>authoption</fieldname>
+ <description><![CDATA[<br><strong>login=user:password</strong> - If this is a personal/workgroup proxy and your parent requires proxy authentication.<br><br>
+ <strong>login=PASSTHRU</strong> - Send login details received from client to this peer. Authentication is not required by Squid for this to work.<br>
+ This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.<br><br>
+ <strong>login=PASS</strong> - Send login details received from client to this peer.Authentication is not required by this option.<br>
+ To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).<br>
+ Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION<br><br>
+ <strong>login=*:password</strong> - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.<br><br>
+ <strong>login=NEGOTIATE</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br>
+ The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.<br>
+ WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br>
+ <strong>login=NEGOTIATE:principal_name</strong>If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br>
+ The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used.
+ WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br>
+ <strong>connection-auth=on</strong> - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br>
+ Default is auto to automatically determine the status of the peer.<br><br>
+ <strong>connection-auth=off</strong> - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br>
+ Default is auto to automatically determine the status of the peer.]]></description>
+ <type>select</type>
+ <default_value>login=*:password</default_value>
+ <options>
+ <option><name>login=*:password</name><value>login=*:password</value></option>
+ <option><name>login=user:password</name><value>login=user:password</value></option>
+ <option><name>login=PASSTHRU</name><value>login=PASSTHRU</value></option>
+ <option><name>login=PASS</name><value>login=PASS</value></option>
+ <option><name>login=NEGOTIATE</name><value>login=NEGOTIATE</value></option>
+ <option><name>login=NEGOTIATE:principal_name</name><value>login=NEGOTIATE:principal_name</value></option>
+ <option><name>connection-auth=on</name><value>connection-auth=on</value></option>
+ <option><name>connection-auth=off</name><value>connection-auth=off</value></option>
+ </options>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_upstream($_POST, $input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
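Review bot: The `weight`, `basetime` and `ttl` fields each carry `<default>1</default>` (the line after their `<size>5</size>`), while every other defaulted field in this file, such as `proxyport` and `connectfailLimit`, uses `<default_value>`; if the package GUI only honours `<default_value>`, these three render empty and the documented default of 1 is never applied. Change each to `<default_value>1</default_value>`. Two wording nits in the descriptions: `peer.Required` is missing a space after the period, and `fectch` should be `fetch`.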
diff --git a/config/squid3/34/squid_users.xml b/config/squid3/34/squid_users.xml
new file mode 100755
index 00000000..835cf07b
--- /dev/null
+++ b/config/squid3/34/squid_users.xml
@@ -0,0 +1,137 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd">
+<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?>
+<packagegui>
+ <copyright>
+ <![CDATA[
+/* $Id$ */
+/* ========================================================================== */
+/*
+ authng.xml
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2007 to whom it may belong
+ Copyright (C) 2012-2014 Marcello Coutinho
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+ */
+/* ========================================================================== */
+/*
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+ */
+/* ========================================================================== */
+ ]]>
+ </copyright>
+ <description>Describe your package here</description>
+ <requirements>Describe your package requirements here</requirements>
+ <faq>Currently there are no FAQ items provided.</faq>
+ <name>squidusers</name>
+ <version>none</version>
+ <title>Proxy server: Local users</title>
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <delete_string>A proxy server user has been deleted.</delete_string>
+ <addedit_string>A proxy server user has been created/modified.</addedit_string>
+ <tabs>
+<tab>
+ <text>General</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Remote Cache</text>
+ <url>/pkg.php?xml=squid_upstream.xml</url>
+ </tab>
+ <tab>
+ <text>Local Cache</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Antivirus</text>
+ <url>/pkg_edit.php?xml=squid_antivirus.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>ACLs</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Authentication</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Real time</text>
+ <url>/squid_monitor.php</url>
+ </tab>
+ <tab>
+ <text>Sync</text>
+ <url>/pkg_edit.php?xml=squid_sync.xml</url>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fielddescr>Username</fielddescr>
+ <fieldname>username</fieldname>
+ </columnitem>
+ <columnitem>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <name>Squid Local Users</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Username</fielddescr>
+ <fieldname>username</fieldname>
+ <description>Enter the username here.</description>
+ <type>input</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description>Enter the password here.</description>
+ <type>password</type>
+ <required/>
+ </field>
+ <field>
+ <fielddescr>Description</fielddescr>
+ <fieldname>description</fieldname>
+ <description>You may enter a description here for your reference (not parsed).</description>
+ <type>input</type>
+ </field>
+ </fields>
+ <custom_php_resync_config_command>
+ squid_resync_users();
+ </custom_php_resync_config_command>
+</packagegui>
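Review bot: This page declares no `<custom_php_validation_command>`, unlike the other squid pages in this series, so `username` and `password` reach `squid_resync_users()` with only the `<required/>` check; if the generated credentials file is a colon-separated password file (its format is not visible here), a username containing `:` or whitespace would corrupt it. A validation command mirroring the `squid_validate_upstream` hook in squid_upstream.xml, rejecting those characters, would keep the generated file well-formed. The copyright block also still names `authng.xml`; it should read `squid_users.xml`.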
diff --git a/config/squid3/34/swapstate_check.php b/config/squid3/34/swapstate_check.php
new file mode 100644
index 00000000..7a7ccd27
--- /dev/null
+++ b/config/squid3/34/swapstate_check.php
@@ -0,0 +1,54 @@
+#!/usr/local/bin/php -q
+<?php
+/*
+ swapstate_check.php
+ Copyright (C) 2011 Jim Pingle
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+require_once('config.inc');
+require_once('util.inc');
+require_once('squid.inc');
+
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+// Only check the cache if Squid is actually caching.
+// If there is no cache then quietly do nothing.
+if ($settings['harddisk_cache_system'] != "null"){
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $swapstate = $cachedir . '/swap.state';
+ if (!file_exists($swapstate))
+ return;
+ $disktotal = disk_total_space(dirname($cachedir));
+ $diskfree = disk_free_space(dirname($cachedir));
+ $diskusedpct = round((($disktotal - $diskfree) / $disktotal) * 100);
+ $swapstate_size = filesize($swapstate);
+ $swapstate_pct = round(($swapstate_size / $disktotal) * 100);
+ // If the swap.state file is taking up more than 75% disk space,
+ // or the drive is 90% full and swap.state is larger than 1GB,
+ // kill it and initiate a rotate to write a fresh copy.
+ if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024)) || $argv[1]=="clean") {
+ squid_dash_z('clean');
+ log_error(gettext(sprintf("Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct)));
+ }
+}
+?>
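Review bot: The log call inside the size-limit `if` nests `sprintf` inside `gettext`, so the already-formatted string is what gets looked up for translation and it never matches a catalog entry; the conventional order is `log_error(sprintf(gettext("Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space."), $swapstate_size, $swapstate_pct));`. `disk_total_space()` returns false on failure, which the two percentage divisions turn into a division-by-zero warning; a guard such as `if (!$disktotal) return;` right after it avoids that. `$argv[1]=="clean"` also reads an index that is unset when the script runs without arguments, and when it is set the log message still claims the size limits were exceeded; `isset($argv[1]) && $argv[1] == "clean"` with a message that states the actual reason would be clearer.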
diff --git a/config/sshdcond/sshdcond.inc b/config/sshdcond/sshdcond.inc
index 2caa39cc..7ff911c1 100644
--- a/config/sshdcond/sshdcond.inc
+++ b/config/sshdcond/sshdcond.inc
@@ -1,69 +1,46 @@
<?php
-/* ========================================================================== */
/*
- sshdcond.inc
- part of pfSense (http://www.pfSense.com)
- Copyright (C) 2012 Marcello Coutinho
- Copyright (C) 2012 Han Van (namezero@afim.info)
- All rights reserved.
-
- Based on m0n0wall (http://m0n0.ch/wall)
- Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
- All rights reserved.
- */
-/* ========================================================================== */
-/*
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions are met:
-
- 1. Redistributions of source code must retain the above copyright notice,
- this list of conditions and the following disclaimer.
-
- 2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
- AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
- OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- POSSIBILITY OF SUCH DAMAGE.
- */
-/* ========================================================================== */
- require_once("config.inc");
- require_once("util.inc");
-
-function restart_sshd(){
- #backup /etc/sshd before any change
- $etc_sshd="/etc/sshd";
- $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
- if (!file_exists('/root/'.$pfsense_version.'.sshd.backup')){
- copy ($etc_sshd,'/root/'.$pfsense_version.'.sshd.backup');
- }
-
- #patch /etc/sshd if need
- $sshd_file=file($etc_sshd);
- $sshd_new_file="";
- foreach ($sshd_file as $line){
- if (preg_match('/sshconf .= "Port/',$line)){
- $sshd_new_file.= $line;
- $sshd_new_file.= "\t".'if(file_exists("/etc/ssh/sshd_extra")){$sshconf.=file_get_contents("/etc/ssh/sshd_extra");}'."\n";
- }
- elseif(!preg_match('/sshd_extra/',$line)){
- $sshd_new_file.= $line;
- }
- }
- file_put_contents($etc_sshd,$sshd_new_file,LOCK_EX);
- mwexec_bg($etc_sshd);
- }
+ sshdcond.inc
+ part of pfSense (http://www.pfSense.com)
+ Copyright (C) 2012 Marcello Coutinho
+ Copyright (C) 2012 Han Van (namezero@afim.info)
+ All rights reserved.
+
+ Based on m0n0wall (http://m0n0.ch/wall)
+ Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("config.inc");
+require_once("util.inc");
+
+function restart_sshd() {
+ mwexec_bg("/etc/sshd");
+}
-function sshdcond_custom_php_install_command(){
+function sshdcond_custom_php_install_command() {
global $g, $config;
conf_mount_rw();
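Review bot: `restart_sshd` is reduced to `mwexec_bg("/etc/sshd");`, dropping the code that patched /etc/sshd to read /etc/ssh/sshd_extra, yet the comment in `sshdcond_custom_php_install_command` a few lines later (`The patched g_szSSHDFileGenerate php file then reads and appends that config`) still describes that patching; presumably the base system now reads sshd_extra itself, in which case that comment should say so or be removed. A short docblock on the new function would also help, e.g. `/* Restart sshd in the background so the /etc/ssh/sshd_extra file written by sshdcond_custom_php_write_config takes effect. */`. `sshdcond_custom_php_install_command` starts in this hunk and continues past it.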
@@ -71,12 +48,12 @@ function sshdcond_custom_php_install_command(){
// We need to generate an outfile for our extra commands
// The patched g_szSSHDFileGenerate php file then reads and appends that config
$fd = fopen("/etc/ssh/sshd_extra", 'w');
- fclose($fd);
+ fclose($fd);
conf_mount_ro();
}
-function sshdcond_custom_php_deinstall_command(){
+function sshdcond_custom_php_deinstall_command() {
global $g, $config;
conf_mount_rw();
@@ -90,25 +67,25 @@ function sshdcond_custom_php_deinstall_command(){
conf_mount_ro();
}
-function sshdcond_custom_php_write_config(){
+function sshdcond_custom_php_write_config() {
global $g, $config;
-
+
# detect boot process
- if (is_array($_POST)){
+ if (is_array($_POST)) {
if (!preg_match("/\w+/",$_POST['__csrf_magic']))
return;
}
-
+
$sshd_extra="";
- if (is_array($config['installedpackages']['sshdcond']['config'])){
+ if (is_array($config['installedpackages']['sshdcond']['config'])) {
// Mount Read-only
conf_mount_rw();
// Read config
- foreach ($config['installedpackages']['sshdcond']['config'] as $sshdcond){
- if ($sshdcond['enable'] && is_array($sshdcond['row'])){
+ foreach ($config['installedpackages']['sshdcond']['config'] as $sshdcond) {
+ if ($sshdcond['enable'] && is_array($sshdcond['row'])) {
$sshd_extra.= "Match {$sshdcond['matchtype']} {$sshdcond['matchvalue']}\n";
- foreach ($sshdcond['row'] as $sshd){
+ foreach ($sshdcond['row'] as $sshd) {
//check if there is spaces on sshd value
if(preg_match ("/\s+/",$sshd['sshdvalue']))
$sshd['sshdvalue']='"'.$sshd['sshdvalue'].'"';
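Review bot: The `Match {$sshdcond['matchtype']} {$sshdcond['matchvalue']}` line and the per-row option/value lines are interpolated into /etc/ssh/sshd_extra verbatim, and the only treatment is wrapping values that contain whitespace in double quotes; an embedded double quote or newline in `matchvalue` or `sshdvalue` would end the quoted value or the Match block early and change sshd's effective configuration. Rejecting values that contain `"` or newline characters, either here or in the page's validation, would keep the generated file well-formed; the same applies to the `ChrootDirectory` value passed to `chown`/`chgrp` in the next hunk. `sshdcond_custom_php_write_config` starts in this hunk and continues beyond it.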
@@ -118,7 +95,7 @@ function sshdcond_custom_php_write_config(){
$sshd_extra.="\t {$sshd['sshdoption']} {$sshd['sshdvalue']}\n";
//apply file permission if option is ChrootDirectory
- if ($sshd['sshdoption']=="ChrootDirectory" && file_exists($sshd['sshdvalue'])){
+ if ($sshd['sshdoption']=="ChrootDirectory" && file_exists($sshd['sshdvalue'])) {
chown($sshd['sshdvalue'], 'root');
chgrp($sshd['sshdvalue'], 'operator');
}
@@ -129,15 +106,15 @@ function sshdcond_custom_php_write_config(){
//Save /etc/ssh/sshd_extra
file_put_contents("/etc/ssh/sshd_extra",$sshd_extra,LOCK_EX);
-
-
+
+
// Restart sshd
restart_sshd();
// Mount Read-only
conf_mount_ro();
-
+
//sync config with other pfsense servers
sshdcond_sync_on_changes();
}
@@ -145,14 +122,14 @@ function sshdcond_custom_php_write_config(){
/* Uses XMLRPC to synchronize the changes to a remote node */
function sshdcond_sync_on_changes() {
global $config, $g;
-
+
if (is_array($config['installedpackages']['sshdcondsync']))
- if (!$config['installedpackages']['sshdcondsync']['config'][0]['synconchanges'])
+ if (!$config['installedpackages']['sshdcondsync']['config'][0]['synconchanges'])
return;
log_error("[sshdcond] xmlrpc sync is starting.");
- foreach ($config['installedpackages']['sshdcondsync']['config'] as $rs ){
- foreach($rs['row'] as $sh){
+ foreach ($config['installedpackages']['sshdcondsync']['config'] as $rs ) {
+ foreach($rs['row'] as $sh) {
$sync_to_ip = $sh['ipaddress'];
$password = $sh['password'];
if($password && $sync_to_ip)
@@ -174,18 +151,18 @@ function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
$username='admin';
$xmlrpc_sync_neighbor = $sync_to_ip;
- if($config['system']['webgui']['protocol'] != "") {
+ if($config['system']['webgui']['protocol'] != "") {
$synchronizetoip = $config['system']['webgui']['protocol'];
$synchronizetoip .= "://";
- }
- $port = $config['system']['webgui']['port'];
- /* if port is empty lets rely on the protocol selection */
- if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
+ }
+ $port = $config['system']['webgui']['port'];
+ /* if port is empty lets rely on the protocol selection */
+ if($port == "") {
+ if($config['system']['webgui']['protocol'] == "http")
$port = "80";
- else
+ else
$port = "443";
- }
+ }
$synchronizetoip .= $sync_to_ip;
/* xml will hold the sections to sync */
@@ -221,7 +198,7 @@ function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
} else {
log_error("sshdcond XMLRPC sync successfully completed with {$url}:{$port}.");
}
-
+
/* tell sshdcond to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/sshdcond.inc');\n";
@@ -231,7 +208,7 @@ function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
-
+
log_error("sshdcond XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -251,4 +228,4 @@ function sshdcond_do_xmlrpc_sync($sync_to_ip, $password) {
log_error("sshdcond XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
- ?> \ No newline at end of file
+ ?>
diff --git a/config/suricata/suricata.inc b/config/suricata/suricata.inc
index af0b0da2..66c1e799 100644
--- a/config/suricata/suricata.inc
+++ b/config/suricata/suricata.inc
@@ -44,47 +44,13 @@ require_once("services.inc");
require_once("service-utils.inc");
require_once("pkg-utils.inc");
require_once("filter.inc");
+require("/usr/local/pkg/suricata/suricata_defs.inc");
global $g, $config;
// Suricata GUI needs some extra PHP memory space to manipulate large rules arrays
ini_set("memory_limit", "256M");
-if (!is_array($config['installedpackages']['suricata']))
- $config['installedpackages']['suricata'] = array();
-
-/* Get installed package version for display */
-$suricata_package_version = "Suricata {$config['installedpackages']['package'][get_pkg_id("suricata")]['version']}";
-
-// Define the installed package version
-define('SURICATA_PKG_VER', $suricata_package_version);
-
-// Define the name of the pf table used for IP blocks
-define('SURICATA_PF_TABLE', 'snort2c');
-
-// Create some other useful defines
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version >= 2.2)
- define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/local/etc/suricata/');
-else
- define('SURICATADIR', '/usr/pbi/suricata-' . php_uname("m") . '/etc/suricata/');
-
-define('SURICATALOGDIR', '/var/log/suricata/');
-define('RULES_UPD_LOGFILE', SURICATALOGDIR . 'suricata_rules_update.log');
-define('ENFORCING_RULES_FILENAME', 'suricata.rules');
-define('FLOWBITS_FILENAME', 'flowbit-required.rules');
-define('SID_MODS_PATH', '/var/db/suricata/sidmods/');
-define('IPREP_PATH', '/var/db/suricata/iprep/');
-
-// Rule set download filenames and prefixes
-define('ET_DNLD_FILENAME', 'emerging.rules.tar.gz');
-define('ETPRO_DNLD_FILENAME', 'etpro.rules.tar.gz');
-define('GPLV2_DNLD_FILENAME', 'community-rules.tar.gz');
-define('VRT_FILE_PREFIX', 'snort_');
-define('GPL_FILE_PREFIX', 'GPLv2_');
-define('ET_OPEN_FILE_PREFIX', 'emerging-');
-define('ET_PRO_FILE_PREFIX', 'etpro-');
-
function suricata_generate_id() {
global $config;
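Review bot: The new include on the `require("/usr/local/pkg/suricata/suricata_defs.inc");` line uses `require` while every neighbouring include in this file uses `require_once`; if the defs file holds the `define()` calls removed here and is also pulled in by another file during the same request, the second load would emit "already defined" notices for every constant. `require_once("/usr/local/pkg/suricata/suricata_defs.inc");` keeps it consistent and idempotent. Note too that the constants removed here come back under two naming styles later in this diff — `SURICATA_SID_MODS_PATH` and `SURICATA_ENFORCING_RULES_FILENAME` are prefixed, whereas `FLOWBITS_FILENAME`, `SURICATADIR`, `SURICATALOGDIR` and `SURICATA_PF_TABLE` keep their old names — so please confirm suricata_defs.inc (not visible here) defines both sets, otherwise the unrenamed uses become undefined constants at runtime.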
@@ -139,10 +105,11 @@ function suricata_barnyard_start($suricatacfg, $if_real) {
$suricata_uuid = $suricatacfg['uuid'];
$suricatadir = SURICATADIR . "suricata_{$suricata_uuid}_{$if_real}";
$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}";
+ $suricatabindir = SURICATA_PBI_BINDIR;
if ($suricatacfg['barnyard_enable'] == 'on') {
log_error("[Suricata] Barnyard2 START for {$suricatacfg['descr']}({$if_real})...");
- mwexec_bg("/usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q");
+ mwexec_bg("{$suricatabindir}barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}/barnyard2.conf -d {$suricatalogdir} -D -q");
}
}
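Review bot: The binary path is assembled inconsistently across this diff: here and in the suricata_start hunk the command is `"{$suricatabindir}barnyard2 ..."` / `"{$suricatabindir}suricata ..."` with no separator, while the generated rc script in the suricata_create_rc hunks uses `{$suricatabindir}/barnyard2` (with a slash) next to `{$suricatabindir}suricata` (without). Whatever trailing-slash convention `SURICATA_PBI_BINDIR` follows (its definition is not visible here), one of the two forms is wrong — either a doubled `//` or a path fused with the binary name that will fail to exec. Pick one convention and use it in all four places, e.g. `{$suricatabindir}barnyard2` everywhere if the constant ends in `/`, and say so in a comment where the constant is defined.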
@@ -151,10 +118,11 @@ function suricata_start($suricatacfg, $if_real) {
$suricatadir = SURICATADIR;
$suricata_uuid = $suricatacfg['uuid'];
+ $suricatabindir = SURICATA_PBI_BINDIR;
if ($suricatacfg['enable'] == 'on') {
log_error("[Suricata] Suricata START for {$suricatacfg['descr']}({$if_real})...");
- mwexec_bg("/usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
+ mwexec_bg("{$suricatabindir}suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid");
}
else
return;
@@ -163,6 +131,61 @@ function suricata_start($suricatacfg, $if_real) {
suricata_barnyard_start($suricatacfg, $if_real);
}
+function suricata_start_all_interfaces($background=FALSE) {
+
+ /*************************************************************/
+ /* This function starts all configured and enabled Suricata */
+ /* interfaces. */
+ /*************************************************************/
+
+ global $g, $config;
+
+ /* do nothing if no Suricata interfaces active */
+ if (!is_array($config['installedpackages']['suricata']['rule']))
+ return;
+
+ foreach ($config['installedpackages']['suricata']['rule'] as $suricatacfg) {
+ if ($suricatacfg['enable'] != 'on')
+ continue;
+ suricata_start($suricatacfg, get_real_interface($suricatacfg['interface']));
+ }
+}
+
+function suricata_stop_all_interfaces() {
+
+ /*************************************************************/
+ /* This function stops all configured Suricata interfaces. */
+ /*************************************************************/
+
+ global $g, $config;
+
+ /* do nothing if no Suricata interfaces active */
+ if (!is_array($config['installedpackages']['suricata']['rule']))
+ return;
+
+ foreach ($config['installedpackages']['suricata']['rule'] as $suricatacfg) {
+ suricata_stop($suricatacfg, get_real_interface($suricatacfg['interface']));
+ }
+}
+
+function suricata_restart_all_interfaces() {
+
+ /*************************************************************/
+ /* This function stops all configured Suricata interfaces */
+ /* and restarts enabled Suricata interfaces. */
+ /*************************************************************/
+
+ global $g, $config;
+
+ /* do nothing if no Suricata interfaces active */
+ if (!is_array($config['installedpackages']['suricata']['rule']))
+ return;
+
+ suricata_stop_all_interfaces();
+ sleep(2);
+ suricata_start_all_interfaces(TRUE);
+}
+
function suricata_reload_config($suricatacfg, $signal="USR2") {
/**************************************************************/
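Review bot: `suricata_start_all_interfaces($background=FALSE)` never reads `$background` anywhere in its body, yet `suricata_restart_all_interfaces()` passes `TRUE` as if it changed behaviour; a reader will assume a background/foreground distinction that does not exist. Either drop the parameter or mark it explicitly, e.g. `// NOTE: $background is currently unused; all starts go through suricata_start()`. The `global $g, $config;` in all three new functions declares `$g` without using it, and the `is_array` guard in `suricata_restart_all_interfaces()` duplicates the guards already in the two helpers it calls.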
@@ -492,17 +515,61 @@ function suricata_build_list($suricatacfg, $listname = "", $passlist = false, $e
return $valresult;
}
-function suricata_rules_up_install_cron($should_install=true) {
+function suricata_cron_job_exists($crontask, $match_time=FALSE, $minute="0", $hour="*", $monthday="*", $month="*", $weekday="*", $who="root") {
+
+ /************************************************************
+ * This function iterates the cron[] array in the config *
+ * to determine if the passed $crontask entry exists. It *
+ * returns TRUE if the $crontask already exists, or FALSE *
+ * if there is no match. *
+ * *
+ * The $match_time flag, when set, causes a test of the *
+ * configured task execution times along with the task *
+ * when checking for a match. *
+ * *
+ * We use this to prevent unneccessary config writes if *
+ * the $crontask already exists. *
+ ************************************************************/
+
global $config, $g;
- // Remove any existing job first
- install_cron_job("suricata_check_for_rule_updates.php", false);
+ if (!is_array($config['cron']))
+ $config['cron'] = array();
+ if (!is_array($config['cron']['item']))
+ $config['cron']['item'] = array();
+
+ foreach($config['cron']['item'] as $item) {
+ if(strpos($item['command'], $crontask) !== FALSE) {
+ if ($match_time) {
+ if ($item['minute'] != $minute)
+ return FALSE;
+ if ($item['hour'] != $hour)
+ return FALSE;
+ if ($item['mday'] != $monthday)
+ return FALSE;
+ if ($item['month'] != $month)
+ return FALSE;
+ if ($item['wday'] != $weekday)
+ return FALSE;
+ if ($item['who'] != $who)
+ return FALSE;
+ }
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
- // If called with FALSE as argument, then we're done
- if ($should_install == FALSE)
- return;
+function suricata_rules_up_install_cron($should_install=true) {
+ global $config, $g;
- $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php";
+ // If called with FALSE as argument, then we're removing
+ // the existing job.
+ if ($should_install == FALSE) {
+ if (suricata_cron_job_exists("suricata_check_for_rule_updates.php", FALSE))
+ install_cron_job("suricata_check_for_rule_updates.php", false);
+ return;
+ }
// Get auto-rule update parameter from configuration
$suricata_rules_up_info_ck = $config['installedpackages']['suricata']['config'][0]['autoruleupdate'];
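Review bot: `suricata_cron_job_exists()` matches with `strpos($item['command'], $crontask) !== FALSE`, i.e. any cron command merely containing the string counts; the rm_blocked hunk later calls it with the bare table name (`SURICATA_PF_TABLE` is `snort2c` per the removed define), so a job installed by another package that references the same table would be reported as — and then removed as — Suricata's job. The loop also returns on the first command containing `$crontask`, so when `$match_time` is set a later entry that matches exactly is never compared and the function can return FALSE for a job that does exist. Consider comparing the full command when a full command is supplied, e.g. `if ($item['command'] == $crontask || ($substring_ok && strpos(...) !== FALSE))`, or at minimum documenting in the header comment that `$crontask` is a substring and callers must pass a string specific enough to identify one job.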
@@ -568,12 +635,32 @@ function suricata_rules_up_install_cron($should_install=true) {
$suricata_rules_up_wday = "*";
}
- // System call to manage the cron job.
- install_cron_job($command, $should_install, $suricata_rules_up_min, $suricata_rules_up_hr, $suricata_rules_up_mday, $suricata_rules_up_month, $suricata_rules_up_wday, "root");
+ // Construct the basic cron command task
+ $command = "/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_for_rule_updates.php";
+
+ // If there are no changes in the cron job command string from the existing job, then exit
+ if (suricata_cron_job_exists($command, TRUE, $suricata_rules_up_min, $suricata_rules_up_hr, $suricata_rules_up_mday, $suricata_rules_up_month, $suricata_rules_up_wday, "root"))
+ return;
+
+ // Else install the new or updated cron job
+ if ($should_install)
+ install_cron_job($command, $should_install, $suricata_rules_up_min, $suricata_rules_up_hr, $suricata_rules_up_mday, $suricata_rules_up_month, $suricata_rules_up_wday, "root");
}
function suricata_loglimit_install_cron($should_install=true) {
+ // See if simply removing existing "loglimit" job for Suricata
+ if ($should_install == FALSE) {
+ if (suricata_cron_job_exists("suricata/suricata_check_cron_misc.inc", FALSE))
+ install_cron_job("suricata_check_cron_misc.inc", false);
+ return;
+ }
+
+ // If there are no changes in the cron job command string from the existing job, then exit.
+ if ($should_install && suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_check_cron_misc.inc", TRUE, "*/5"))
+ return;
+
+ // Else install the new or updated cron job
install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_check_cron_misc.inc", $should_install, "*/5");
}
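Review bot: The `if ($should_install)` guards in front of the two `install_cron_job(...)` calls in this hunk (in `suricata_rules_up_install_cron` and `suricata_loglimit_install_cron`) are always true at that point, because the FALSE case already returned in the block added at the top of each function; they now read as if an unhandled branch exists. `install_cron_job($command, true, $suricata_rules_up_min, $suricata_rules_up_hr, $suricata_rules_up_mday, $suricata_rules_up_month, $suricata_rules_up_wday, "root");` without the wrapper is clearer. In the loglimit removal path the existence check uses `"suricata/suricata_check_cron_misc.inc"` but the removal uses `"suricata_check_cron_misc.inc"` — both are substrings of the same command, but using one literal for both avoids a future drift where the check passes and the removal misses.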
@@ -581,6 +668,13 @@ function suricata_rm_blocked_install_cron($should_install) {
global $config, $g;
$suri_pf_table = SURICATA_PF_TABLE;
+ // See if simply removing existing "expiretable" job for Suricata
+ if ($should_install == FALSE) {
+ if (suricata_cron_job_exists("{$suri_pf_table}", FALSE))
+ install_cron_job("{$suri_pf_table}", false);
+ return;
+ }
+
$suricata_rm_blocked_info_ck = $config['installedpackages']['suricata']['config'][0]['rm_blocked'];
if ($suricata_rm_blocked_info_ck == "15m_b") {
@@ -664,13 +758,15 @@ function suricata_rm_blocked_install_cron($should_install) {
$suricata_rm_blocked_expire = "2419200";
}
- // First, remove any existing cron task for "rm_blocked" hosts
- install_cron_job("{$suri_pf_table}", false);
+ // Construct the basic cron command task
+ $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t {$suri_pf_table} -T expire {$suricata_rm_blocked_expire}";
- // Now add or update the cron task for "rm_blocked" hosts
- // if enabled.
+ // If there are no changes in the cron job command string from the existing job, then exit.
+ if (suricata_cron_job_exists($command, TRUE, $suricata_rm_blocked_min, $suricata_rm_blocked_hr, $suricata_rm_blocked_mday, $suricata_rm_blocked_month, $suricata_rm_blocked_wday, "root"))
+ return;
+
+ // Else install the new or updated cron job
if ($should_install) {
- $command = "/usr/bin/nice -n20 /sbin/pfctl -q -t {$suri_pf_table} -T expire {$suricata_rm_blocked_expire}";
install_cron_job($command, $should_install, $suricata_rm_blocked_min, $suricata_rm_blocked_hr, $suricata_rm_blocked_mday, $suricata_rm_blocked_month, $suricata_rm_blocked_wday, "root");
}
}
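Review bot: Dropping the unconditional `install_cron_job("{$suri_pf_table}", false);` before the install looks like a regression when the admin changes the rm_blocked interval: `$command` now embeds the new expire seconds, so `suricata_cron_job_exists($command, TRUE, ...)` finds no match and the install adds the new command, but the previous job with the old expire value is never removed (unless install_cron_job, not visible here, matches by something other than the passed command). The old code's substring removal by table name was what cleaned that up. Keeping `install_cron_job("{$suri_pf_table}", false);` immediately before the `install_cron_job($command, ...)` line restores that, while the new early exit above still avoids the rewrite when nothing changed. The same substring concern applies to the removal branch added in the previous hunk.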
@@ -681,25 +777,22 @@ function sync_suricata_package_config() {
$suricatadir = SURICATADIR;
$rcdir = RCFILEPREFIX;
- conf_mount_rw();
-
// Do not start config build if there are no Suricata-configured interfaces
- if (!is_array($config['installedpackages']['suricata']) || !is_array($config['installedpackages']['suricata']['rule'])) {
- @unlink("{$rcdir}suricata.sh");
- conf_mount_ro();
+ if (!is_array($config['installedpackages']['suricata']['rule']) || count($config['installedpackages']['suricata']['rule']) < 1)
return;
- }
$suricataconf = $config['installedpackages']['suricata']['rule'];
foreach ($suricataconf as $value) {
- $if_real = get_real_interface($value['interface']);
+ /* Skip configuration of any disabled interface */
+ if ($value['enable'] != 'on')
+ continue;
// create a suricata.yaml file for interface
suricata_generate_yaml($value);
// create barnyard2.conf file for interface
if ($value['barnyard_enable'] == 'on')
- suricata_generate_barnyard2_conf($value, $if_real);
+ suricata_generate_barnyard2_conf($value, get_real_interface($value['interface']));
}
// create suricata bootup file suricata.sh
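Review bot: `sync_suricata_package_config()` no longer calls `conf_mount_rw()`/`conf_mount_ro()` itself, so every caller now has to wrap it; the two callers updated in this diff (the XML-RPC sync payload and suricata_alerts.php) do, but any caller not touched by this commit will, on installs whose root filesystem is mounted read-only, fail to write the yaml/rc files without an obvious error. Please state the new contract in the function's header: `/* NOTE: caller must hold conf_mount_rw(); this function no longer mounts/unmounts the filesystem. */`. Separately, the early-return branch no longer does `@unlink("{$rcdir}suricata.sh")`, so after the last interface is deleted the previous rc script stays on disk; `suricata_create_rc()` exits early when no interfaces are configured, so nothing else appears to remove it. The function continues past this hunk.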
@@ -707,18 +800,16 @@ function sync_suricata_package_config() {
// setup the log directory size check job if enabled
suricata_loglimit_install_cron(true);
+
// setup the suricata rules update job if enabled
suricata_rules_up_install_cron($config['installedpackages']['suricata']['config'][0]['autoruleupdate'] != "never_up" ? true : false);
+
// set the suricata blocked hosts time
suricata_rm_blocked_install_cron($config['installedpackages']['suricata']['config'][0]['rm_blocked'] != "never_b" ? true : false);
- configure_cron();
-
// Do not attempt package sync if reinstalling package or booting
if (!isset($g['suricata_postinstall']) && !$g['booting'])
suricata_sync_on_changes();
-
- conf_mount_ro();
}
function suricata_load_suppress_sigs($suricatacfg, $track_by=false) {
@@ -853,19 +944,19 @@ function suricata_post_delete_logs($suricata_uuid = 0) {
// Keep most recent file
unset($filelist[count($filelist) - 1]);
foreach ($filelist as $file)
- @unlink($file);
+ unlink_if_exists($file);
/* Clean-up Barnyard2 archived files if any exist */
$filelist = glob("{$suricata_log_dir}/barnyard2/archive/unified2.alert.*");
foreach ($filelist as $file)
- @unlink($file);
+ unlink_if_exists($file);
/* Clean-up packet capture files if any exist */
$filelist = glob("{$suricata_log_dir}/log.pcap.*");
// Keep most recent file
unset($filelist[count($filelist) - 1]);
foreach ($filelist as $file)
- @unlink($file);
+ unlink_if_exists($file);
unset($filelist);
}
}
@@ -1693,7 +1784,7 @@ function suricata_sid_mgmt_auto_categories($suricatacfg, $log_results = FALSE) {
/****************************************************/
global $config;
- $suricata_sidmods_dir = SID_MODS_PATH;
+ $suricata_sidmods_dir = SURICATA_SID_MODS_PATH;
$sid_mods = array();
$enables = array();
$disables = array();
@@ -2232,7 +2323,7 @@ function suricata_process_enablesid(&$rule_map, $suricatacfg, $log_results = FAL
/* $rule_map array */
/**********************************************/
- $suricata_sidmods_dir = SID_MODS_PATH;
+ $suricata_sidmods_dir = SURICATA_SID_MODS_PATH;
$suricatalogdir = SURICATALOGDIR;
$sid_mods = array();
@@ -2279,7 +2370,7 @@ function suricata_process_disablesid(&$rule_map, $suricatacfg, $log_results = FA
/* $rule_map array */
/**********************************************/
- $suricata_sidmods_dir = SID_MODS_PATH;
+ $suricata_sidmods_dir = SURICATA_SID_MODS_PATH;
$suricatalogdir = SURICATALOGDIR;
$sid_mods = array();
@@ -2326,7 +2417,7 @@ function suricata_process_modifysid(&$rule_map, $suricatacfg, $log_results = FAL
/* $rule_map array */
/**********************************************/
- $suricata_sidmods_dir = SID_MODS_PATH;
+ $suricata_sidmods_dir = SURICATA_SID_MODS_PATH;
$suricatalogdir = SURICATALOGDIR;
$sid_mods = array();
@@ -2550,7 +2641,7 @@ function suricata_prepare_rule_files($suricatacfg, $suricatacfgdir) {
$suricatadir = SURICATADIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
- $suricata_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+ $suricata_enforcing_rules_file = SURICATA_ENFORCING_RULES_FILENAME;
$enabled_rules = array();
$enabled_files = array();
$all_rules = array();
@@ -2749,7 +2840,7 @@ function suricata_write_enforcing_rules_file($rule_map, $rule_path) {
/* rules file will be written. */
/************************************************/
- $rule_file = "/" . ENFORCING_RULES_FILENAME;
+ $rule_file = "/" . SURICATA_ENFORCING_RULES_FILENAME;
// See if we were passed a directory or full
// filename to write the rules to, and adjust
@@ -2798,6 +2889,7 @@ function suricata_create_rc() {
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
+ $suricatabindir = SURICATA_PBI_BINDIR;
$rcdir = RCFILEPREFIX;
// If no interfaces are configured for Suricata, exit
@@ -2815,7 +2907,7 @@ function suricata_create_rc() {
// the shell script.
foreach ($suricataconf as $value) {
// Skip disabled Suricata interfaces
- if ($value['enable'] <> 'on')
+ if ($value['enable'] != 'on')
continue;
$suricata_uuid = $value['uuid'];
$if_real = get_real_interface($value['interface']);
@@ -2828,14 +2920,10 @@ function suricata_create_rc() {
pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid`
fi
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 SOFT RESTART for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /bin/pkill -HUP \$pid
- else
+ if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SuricataStartup "Barnyard2 START for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /usr/local/bin/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q
+ {$suricatabindir}/barnyard2 -r {$suricata_uuid} -f unified2.alert --pid-path {$g['varrun_path']} --nolock-pidfile -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/barnyard2.conf -d {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} -D -q > /dev/null 2>&1
fi
-
EOE;
$stop_barnyard2 = <<<EOE
@@ -2851,8 +2939,8 @@ EOE;
break
fi
done
- if [ -f /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then
- /bin/rm /var/run/barnyard2_{$if_real}{$suricata_uuid}.pid
+ if [ -f {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid ]; then
+ /bin/rm {$g['varrun_path']}/barnyard2_{$if_real}{$suricata_uuid}.pid
fi
else
pid=`/bin/pgrep -fn "barnyard2 -r {$suricata_uuid} "`
@@ -2868,7 +2956,6 @@ EOE;
done
fi
fi
-
EOE;
if ($value['barnyard_enable'] == 'on')
$start_barnyard2 = $start_barnyard;
@@ -2877,25 +2964,20 @@ EOE;
$start_suricata_iface_start[] = <<<EOE
-###### For Each Iface
- # Start suricata and barnyard2
+ ## Start suricata on {$value['descr']} ({$if_real}) ##
if [ ! -f {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid ]; then
pid=`/bin/pgrep -fn "suricata -i {$if_real} "`
else
pid=`/bin/pgrep -F {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid`
fi
- if [ ! -z \$pid ]; then
- /usr/bin/logger -p daemon.info -i -t SuricataStartup "Suricata SOFT RESTART for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /bin/pkill -USR2 \$pid
- else
+ if [ -z \$pid ]; then
/usr/bin/logger -p daemon.info -i -t SuricataStartup "Suricata START for {$value['descr']}({$suricata_uuid}_{$if_real})..."
- /usr/local/bin/suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid
+ {$suricatabindir}suricata -i {$if_real} -D -c {$suricatadir}suricata_{$suricata_uuid}_{$if_real}/suricata.yaml --pidfile {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid > /dev/null 2>&1
fi
- sleep 2
+ sleep 1
{$start_barnyard2}
-
EOE;
$start_suricata_iface_stop[] = <<<EOE
@@ -2912,8 +2994,8 @@ EOE;
break
fi
done
- if [ -f /var/run/suricata_{$if_real}{$suricata_uuid}.pid ]; then
- /bin/rm /var/run/suricata_{$if_real}{$suricata_uuid}.pid
+ if [ -f {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid ]; then
+ /bin/rm {$g['varrun_path']}/suricata_{$if_real}{$suricata_uuid}.pid
fi
else
pid=`/bin/pgrep -fn "suricata -i {$if_real} "`
@@ -2931,9 +3013,8 @@ EOE;
fi
fi
- sleep 2
+ sleep 1
{$stop_barnyard2}
-
EOE;
}
@@ -2948,7 +3029,15 @@ EOE;
######## Start of main suricata.sh
rc_start() {
+
+ ### Lock out other start signals until we are done
+ /usr/bin/touch {$g['varrun_path']}/suricata_pkg_starting.lck
{$rc_start}
+
+ ### Remove the lock since we have started all interfaces
+ if [ -f {$g['varrun_path']}/suricata_pkg_starting.lck ]; then
+ /bin/rm {$g['varrun_path']}/suricata_pkg_starting.lck
+ fi
}
rc_stop() {
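Review bot: The start lock `{$g['varrun_path']}/suricata_pkg_starting.lck` is only removed at the end of `rc_start()`; if the script is interrupted while starting interfaces, every later `start` is ignored by the branch added in the next hunk and Suricata silently stays down — for an IDS that is a failure mode worth guarding against. Clearing it with a trap right after the touch, `trap "/bin/rm -f {$g['varrun_path']}/suricata_pkg_starting.lck" EXIT`, and also removing it in `rc_stop()` covers interruptions and a stop issued mid-start. The check-then-touch between the `case` branch and `rc_start()` is not atomic, which is acceptable if the rc script is never invoked concurrently; if it can be, a `mkdir`-based lock is the usual portable fix. The generated script continues outside this hunk.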
@@ -2957,7 +3046,11 @@ rc_stop() {
case $1 in
start)
- rc_start
+ if [ ! -f {$g['varrun_path']}/suricata_pkg_starting.lck ]; then
+ rc_start
+ else
+ /usr/bin/logger -p daemon.info -i -t SuricataStartup "Ignoring additional START command since Suricata is already starting..."
+ fi
;;
stop)
rc_stop
@@ -3108,7 +3201,7 @@ function suricata_generate_yaml($suricatacfg) {
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
- $suricata_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+ $suricata_enforcing_rules_file = SURICATA_ENFORCING_RULES_FILENAME;
$if_real = get_real_interface($suricatacfg['interface']);
$suricata_uuid = $suricatacfg['uuid'];
$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
@@ -3237,7 +3330,7 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $userna
/*************************************************/
/* Send over any auto-SID management files */
/*************************************************/
- $sid_files = glob(SID_MODS_PATH . '*');
+ $sid_files = glob(SURICATA_SID_MODS_PATH . '*');
foreach ($sid_files as $file) {
$content = base64_encode(file_get_contents($file));
$payload = "@file_put_contents('{$file}', base64_decode('{$content}'));";
@@ -3332,7 +3425,9 @@ function suricata_do_xmlrpc_sync($syncdownloadrules, $sync_to_ip, $port, $userna
unset(\$g["suricata_postinstall"]);
log_error(gettext("[suricata] XMLRPC pkg CARP sync: Generating suricata.yaml file using Master Host settings..."));
\$rebuild_rules = true;
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
\$rebuild_rules = false;
{$suricatastart}
log_error(gettext("[suricata] XMLRPC pkg CARP sync process on this host is complete..."));
diff --git a/config/suricata/suricata.priv.inc b/config/suricata/suricata.priv.inc
index efa71366..84ede368 100644
--- a/config/suricata/suricata.priv.inc
+++ b/config/suricata/suricata.priv.inc
@@ -36,10 +36,16 @@ $priv_list['page-services-suricata']['match'][] = "suricata/suricata_rules_flowb
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_rulesets.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_os_policy_engine.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_global.php*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_ip_list_mgmt.php*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_ip_reputation.php*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_iprep_list_browser.php*";
$priv_list['page-services-suricata']['match'][] = "pkg_edit.php?xml=suricata/suricata.xml*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_check_cron_misc.inc*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_yaml_template.inc*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata.inc*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_defs.inc*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_geoipupdate.php*";
+$priv_list['page-services-suricata']['match'][] = "suricata/suricata_etiqrisk_update.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_post_install.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_uninstall.php*";
$priv_list['page-services-suricata']['match'][] = "suricata/suricata_generate_yaml.php*";
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index 995ed900..3b3bf723 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -42,7 +42,7 @@
<description>Suricata IDS/IPS Package</description>
<requirements>None</requirements>
<name>suricata</name>
- <version>2.0.3 pkg v2.0.2</version>
+ <version>2.0.4 pkg v2.1</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
@@ -108,6 +108,21 @@
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_defs.inc</item>
+ <prefix>/usr/local/pkg/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_geoipupdate.php</item>
+ <prefix>/usr/local/pkg/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_etiqrisk_update.php</item>
+ <prefix>/usr/local/pkg/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
<item>https://packages.pfsense.org/packages/config/suricata/suricata_download_updates.php</item>
<prefix>/usr/local/www/suricata/</prefix>
<chmod>0755</chmod>
@@ -223,6 +238,21 @@
<chmod>0755</chmod>
</additional_files_needed>
<additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_ip_list_mgmt.php</item>
+ <prefix>/usr/local/www/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_ip_reputation.php</item>
+ <prefix>/usr/local/www/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>https://packages.pfsense.org/packages/config/suricata/suricata_iprep_list_browser.php</item>
+ <prefix>/usr/local/www/suricata/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <additional_files_needed>
<prefix>/usr/local/www/widgets/javascript/</prefix>
<chmod>0644</chmod>
<item>https://packages.pfsense.org/packages/config/suricata/suricata_alerts.js</item>
diff --git a/config/suricata/suricata_alerts.js b/config/suricata/suricata_alerts.js
index b6a5d3c3..e56b586d 100644
--- a/config/suricata/suricata_alerts.js
+++ b/config/suricata/suricata_alerts.js
@@ -18,7 +18,7 @@ function suricata_alerts_fetch_new_rules_callback(callback_data) {
line += '<td class="listMRr ellipsis" nowrap><div style="display:inline;" title="';
line += row_split[2] + '">' + row_split[2] + '</div><br/><div style="display:inline;" title="';
line += row_split[3] + '">' + row_split[3] + '</div></td>';
- line += '<td class="listMRr">' + 'Pri: ' + row_split[4] + ' ' + row_split[5] + '</td>';
+ line += '<td class="listMRr"><div style="display: fixed; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; line-height: 1.2em; max-height: 2.4em; overflow: hidden; text-overflow: ellipsis;" title="' + row_split[4] + '">' + row_split[4] + '</div></td>';
new_data_to_add[new_data_to_add.length] = line;
}
suricata_alerts_update_div_rows(new_data_to_add);
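Review bot: `row_split[4]` is concatenated into both the `title` attribute and the div body without escaping; with the widget change in this diff that field is now the rule `msg`, which originates in downloaded rule feeds, so it should be treated as semi-trusted and HTML-escaped before insertion (the same applies to the existing `row_split[2]`/`row_split[3]` uses above). Using a small escape helper, or building the cell with `textContent`/`setAttribute`, keeps feed content from being interpreted as markup. `display: fixed` is not a valid CSS value and will be ignored; the following `display: -webkit-box` is what does the clamping, so the first declaration can be dropped.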
diff --git a/config/suricata/suricata_alerts.php b/config/suricata/suricata_alerts.php
index 57ccbe27..f151e173 100644
--- a/config/suricata/suricata_alerts.php
+++ b/config/suricata/suricata_alerts.php
@@ -43,6 +43,7 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
+global $g, $config;
$supplist = array();
$suri_pf_table = SURICATA_PF_TABLE;
$filterlogentries = FALSE;
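Review bot: `global $g, $config;` at file scope is a no-op — `global` only has an effect inside a function, and at the top level of a script these variables are already the globals — so the added line suggests a requirement that does not exist. If the intent is to document that later code reads `$g['tmp_path']` and `$g['varlog_path']`, a comment such as `// $g and $config are file-scope globals provided by guiconfig.inc` says that without misleading syntax.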
@@ -127,7 +128,9 @@ function suricata_add_supplist_entry($suppress) {
/* and return true; otherwise return false. */
if ($found_list) {
write_config();
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
return true;
}
else
@@ -232,6 +235,7 @@ if ($_POST['filterlogentries_submit']) {
if ($_POST['filterlogentries_clear']) {
$filterfieldsarray = array();
+ $filterlogentries = TRUE;
}
if ($_POST['save']) {
@@ -377,11 +381,11 @@ if ($_POST['delete']) {
}
if ($_POST['download']) {
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $save_date = date("Y-m-d-H-i-s");
$file_name = "suricata_logs_{$save_date}_{$if_real}.tar.gz";
- exec("cd {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *");
+ exec("cd {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} && /usr/bin/tar -czf {$g['tmp_path']}/{$file_name} *");
- if (file_exists("/tmp/{$file_name}")) {
+ if (file_exists("{$g['tmp_path']}/{$file_name}")) {
ob_start(); //important or other posts will fail
if (isset($_SERVER['HTTPS'])) {
header('Pragma: ');
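Review bot: The `exec("cd {$suricatalogdir}suricata_{$if_real}{$suricata_uuid} && /usr/bin/tar -czf {$g['tmp_path']}/{$file_name} *")` line still builds a shell command by string interpolation; `$if_real` and `$suricata_uuid` come from stored configuration (their origin is outside this hunk), so this is a hardening point rather than an exposed injection, but `escapeshellarg()` on each interpolated path is the idiom, e.g. `exec("/usr/bin/tar -C " . escapeshellarg("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}") . " -czf " . escapeshellarg("{$g['tmp_path']}/{$file_name}") . " .");`. Replacing the shelled-out `date` with PHP's `date()` is welcome; note it now uses PHP's configured timezone, which may differ from the system clock's zone used elsewhere in the logs — presumably acceptable. The `if ($_POST['download'])` block continues past this hunk.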
@@ -391,13 +395,13 @@ if ($_POST['download']) {
header("Cache-Control: private, must-revalidate");
}
header("Content-Type: application/octet-stream");
- header("Content-length: " . filesize("/tmp/{$file_name}"));
+ header("Content-length: " . filesize("{$g['tmp_path']}/{$file_name}"));
header("Content-disposition: attachment; filename = {$file_name}");
ob_end_clean(); //important or other post will fail
- readfile("/tmp/{$file_name}");
+ readfile("{$g['tmp_path']}/{$file_name}");
// Clean up the temp file
- @unlink("/tmp/{$file_name}");
+ unlink_if_exists("{$g['tmp_path']}/{$file_name}");
}
else
$savemsg = gettext("An error occurred while creating archive");
@@ -451,6 +455,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -578,7 +583,7 @@ if ($savemsg) {
</table>
</td>
</tr>
- <?php if ($filterlogentries) : ?>
+ <?php if ($filterlogentries && count($filterfieldsarray)) : ?>
<tr>
<td colspan="2" class="listtopic"><?php printf(gettext("Last %s Alert Entries"), $anentries); ?>&nbsp;&nbsp;
<?php echo gettext("(Most recent listed first) ** FILTERED VIEW ** clear filter to see all entries"); ?></td>
@@ -622,9 +627,9 @@ if ($savemsg) {
<?php
/* make sure alert file exists */
-if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) {
- exec("tail -{$anentries} -r /var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > /tmp/alerts_suricata{$suricata_uuid}");
- if (file_exists("/tmp/alerts_suricata{$suricata_uuid}")) {
+if (file_exists("{$g['varlog_path']}/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log")) {
+ exec("tail -{$anentries} -r {$g['varlog_path']}/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.log > {$g['tmp_path']}/alerts_suricata{$suricata_uuid}");
+ if (file_exists("{$g['tmp_path']}/alerts_suricata{$suricata_uuid}")) {
$tmpblocked = array_flip(suricata_get_blocked_ips());
$counter = 0;
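Review bot: `$anentries` is interpolated into `tail -{$anentries} -r ...` inside an `exec()`; its origin is outside this hunk, and if it can come from a request parameter or a GUI-edited setting it should be coerced before reaching the shell, e.g. `$anentries = (int)$anentries;` ahead of the exec (the value is also printed as a count, so an int cast is the natural type). The scratch file `{$g['tmp_path']}/alerts_suricata{$suricata_uuid}` is a fixed, predictable name in a shared temp directory; if `tmp_path` is world-writable on this platform, `tempnam()` (or reading the tail output directly via `exec(..., $lines)` with no temp file at all) avoids the pre-existing file handling entirely. The enclosing `if (file_exists(...))` block continues outside this hunk.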
@@ -638,7 +643,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
/* 0 1 2 3 4 5 6 7 */
/************** *************************************************************************************************************************/
- $fd = fopen("/tmp/alerts_suricata{$suricata_uuid}", "r");
+ $fd = fopen("{$g['tmp_path']}/alerts_suricata{$suricata_uuid}", "r");
$buf = "";
while (($buf = fgets($fd)) !== FALSE) {
$fields = array();
@@ -834,7 +839,7 @@ if (file_exists("/var/log/suricata/suricata_{$if_real}{$suricata_uuid}/alerts.lo
}
unset($fields, $buf, $tmp);
fclose($fd);
- @unlink("/tmp/alerts_suricata{$suricata_uuid}");
+ unlink_if_exists("{$g['tmp_path']}/alerts_suricata{$suricata_uuid}");
}
}
?>
diff --git a/config/suricata/suricata_alerts.widget.php b/config/suricata/suricata_alerts.widget.php
index bc7a0e2a..81d17c2e 100644
--- a/config/suricata/suricata_alerts.widget.php
+++ b/config/suricata/suricata_alerts.widget.php
@@ -81,7 +81,7 @@ if (isset($_GET['getNewAlerts'])) {
$counter = 0;
foreach ($suri_alerts as $a) {
$response .= $a['instanceid'] . " " . $a['dateonly'] . "||" . $a['timeonly'] . "||" . $a['src'] . "||";
- $response .= $a['dst'] . "||" . $a['priority'] . "||" . $a['category'] . "\n";
+ $response .= $a['dst'] . "||" . $a['msg'] . "\n";
$counter++;
if($counter >= $suri_nentries)
break;
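Review bot: The new response line embeds `$a['msg']` between `||` separators, and unlike the priority/category values it replaces, a rule message can itself contain `||`, which would shift the fields a client-side splitter reads. If the JavaScript consumer splits on `||` (it is outside the hunk), strip or escape the separator before appending, e.g. `$response .= $a['dst'] . "||" . str_replace('||', '| |', $a['msg']) . "\n";`, or move the response to json_encode(). The enclosing foreach starts outside the hunk.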
@@ -116,7 +116,7 @@ function suricata_widget_get_alerts() {
/*************** FORMAT without CSV patch -- ALERT -- ***********************************************************************************/
/* Line format: timestamp action[**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} src:srcport -> dst:dstport */
- /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
+ /* 0 1 2 3 4 5 6 7 8 9 10 11 12 */
/****************************************************************************************************************************************/
/**************** FORMAT without CSV patch -- DECODER EVENT -- **************************************************************************/
@@ -134,37 +134,41 @@ function suricata_widget_get_alerts() {
$fields[0] = substr($buf, 0, strpos($buf, ' '));
// The regular expression match below returns an array as follows:
- // [1] => CLASSIFICATION, [2] = PRIORITY
- preg_match('/\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
- $fields[6] = trim($tmp[1]);
- $fields[7] = trim($tmp[2]);
+ // [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY
+ preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+ $fields['gid'] = trim($tmp[2]);
+ $fields['sid'] = trim($tmp[3]);
+ $fields['rev'] = trim($tmp[4]);
+ $fields['msg'] = trim($tmp[5]);
+ $fields['class'] = trim($tmp[6]);
+ $fields['priority'] = trim($tmp[7]);
// The regular expression match below looks for the PROTO, SRC and DST fields
// and returns an array as follows:
// [1] = PROTO, [2] => SRC:SPORT [3] => DST:DPORT
if (preg_match('/\{(.*)\}\s(.*)\s->\s(.*)/', $buf, $tmp)) {
// Get SRC
- $fields[9] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
- if (is_ipaddrv6($fields[9]))
- $fields[9] = inet_ntop(inet_pton($fields[9]));
+ $fields['src'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+ if (is_ipaddrv6($fields['src']))
+ $fields['src'] = inet_ntop(inet_pton($fields['src']));
// Get SPORT
- $fields[10] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
+ $fields['sport'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
// Get DST
- $fields[11] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':')));
- if (is_ipaddrv6($fields[11]))
- $fields[11] = inet_ntop(inet_pton($fields[11]));
+ $fields['dst'] = trim(substr($tmp[3], 0, strrpos($tmp[3], ':')));
+ if (is_ipaddrv6($fields['dst']))
+ $fields['dst'] = inet_ntop(inet_pton($fields['dst']));
// Get DPORT
- $fields[12] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1));
+ $fields['dport'] = trim(substr($tmp[3], strrpos($tmp[3], ':') + 1));
}
else {
// If no PROTO and IP ADDR, then this is a DECODER EVENT
- $fields[9] = gettext("Decoder Event");
- $fields[10] = "";
- $fields[11] = "";
- $fields[12] = "";
+ $fields['src'] = gettext("Decoder Event");
+ $fields['sport'] = "";
+ $fields['dst'] = "";
+ $fields['dport'] = "";
}
// Create a DateTime object from the event timestamp that
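Review bot: The return value of the new seven-capture preg_match() at the top of the hunk is never checked, so a line that does not match the extended pattern leaves `$tmp` empty, every `$fields[...]` assignment reads an undefined index, and the widget renders an alert row with a blank `msg`; the old two-capture pattern had the same gap but matched far more lines. Guard it with `if (!preg_match('/.../', $buf, $tmp)) continue;` (pattern unchanged) so unparsable lines are skipped rather than displayed empty. The identical unguarded match is added to suricata_blocked.php in its `@@ -257,19 +260,67 @@` hunk, where the old fgetcsv loop at least logged entries with a wrong field count; that diagnostic is lost there. suricata_widget_get_alerts() starts and ends outside the hunk.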
@@ -173,31 +177,30 @@ function suricata_widget_get_alerts() {
// Check the 'CATEGORY' field for the text "(null)" and
// substitute "No classtype defined".
- if ($fields[6] == "(null)")
- $fields[6] = "No classtype assigned";
+ if ($fields['class'] == "(null)")
+ $fields['class'] = "No classtype assigned";
$suricata_alerts[$counter]['instanceid'] = strtoupper(convert_friendly_interface_to_friendly_descr($a_instance[$instanceid]['interface']));
$suricata_alerts[$counter]['timestamp'] = strval(date_timestamp_get($event_tm));
$suricata_alerts[$counter]['timeonly'] = date_format($event_tm, "H:i:s");
$suricata_alerts[$counter]['dateonly'] = date_format($event_tm, "M d");
+ $suricata_alerts[$counter]['msg'] = $fields['msg'];
// Add square brackets around any IPv6 address
- if (is_ipaddrv6($fields[9]))
- $suricata_alerts[$counter]['src'] = "[" . $fields[9] . "]";
+ if (is_ipaddrv6($fields['src']))
+ $suricata_alerts[$counter]['src'] = "[" . $fields['src'] . "]";
else
- $suricata_alerts[$counter]['src'] = $fields[9];
+ $suricata_alerts[$counter]['src'] = $fields['src'];
// Add the SRC PORT if not null
- if (!empty($fields[10]) || $fields[10] == '0')
- $suricata_alerts[$counter]['src'] .= ":" . $fields[10];
+ if (!empty($fields['sport']) || $fields['sport'] == '0')
+ $suricata_alerts[$counter]['src'] .= ":" . $fields['sport'];
// Add square brackets around any IPv6 address
- if (is_ipaddrv6($fields[11]))
- $suricata_alerts[$counter]['dst'] = "[" . $fields[11] . "]";
+ if (is_ipaddrv6($fields['dst']))
+ $suricata_alerts[$counter]['dst'] = "[" . $fields['dst'] . "]";
else
- $suricata_alerts[$counter]['dst'] = $fields[11];
+ $suricata_alerts[$counter]['dst'] = $fields['dst'];
// Add the DST PORT if not null
- if (!empty($fields[12]) || $fields[12] == '0')
- $suricata_alerts[$counter]['dst'] .= ":" . $fields[12];
- $suricata_alerts[$counter]['priority'] = $fields[7];
- $suricata_alerts[$counter]['category'] = $fields[6];
+ if (!empty($fields['dport']) || $fields['dport'] == '0')
+ $suricata_alerts[$counter]['dst'] .= ":" . $fields['dport'];
$counter++;
};
fclose($fd);
@@ -238,7 +241,7 @@ function suricata_widget_get_alerts() {
<tr>
<th class="listhdrr"><?=gettext("IF/Date");?></th>
<th class="listhdrr"><?=gettext("Src/Dst Address");?></th>
- <th class="listhdrr"><?=gettext("Priority/Class");?></th>
+ <th class="listhdrr"><?=gettext("Description");?></th>
</tr>
</thead>
<tbody id="suricata-alert-entries">
@@ -251,7 +254,7 @@ function suricata_widget_get_alerts() {
echo(" <tr class='" . $evenRowClass . "'>
<td class='listMRr'>" . $alert['instanceid'] . " " . $alert['dateonly'] . "<br/>" . $alert['timeonly'] . "</td>
<td class='listMRr ellipsis' nowrap><div style='display:inline;' title='" . $alert['src'] . "'>" . $alert['src'] . "</div><br/><div style='display:inline;' title='" . $alert['dst'] . "'>" . $alert['dst'] . "</div></td>
- <td class='listMRr'>Pri: " . $alert['priority'] . " " . $alert['category'] . "</td></tr>");
+ <td class='listMRr'><div style='display: fixed; display: -webkit-box; -webkit-line-clamp: 2; -webkit-box-orient: vertical; line-height: 1.2em; max-height: 2.4em; overflow: hidden; text-overflow: ellipsis;' title='{$alert['msg']}'>" . $alert['msg'] . "</div></td></tr>");
$counter++;
if($counter >= $suri_nentries)
break;
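Review bot: `$alert['msg']` is written unescaped into both a single-quoted `title='...'` attribute and the cell body on the new `<td>` line, so a rule message containing an apostrophe breaks the attribute and any markup in the message is rendered as HTML; the priority/category output it replaces had the same shape but far more constrained content. Escape once before the echo, `$msg = htmlspecialchars($alert['msg'], ENT_QUOTES);`, and use `$msg` in both places. The `src`/`dst` cells on the unchanged line above have the same shape but predate this commit.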
diff --git a/config/suricata/suricata_app_parsers.php b/config/suricata/suricata_app_parsers.php
index 51514ee5..cfa34a54 100644
--- a/config/suricata/suricata_app_parsers.php
+++ b/config/suricata/suricata_app_parsers.php
@@ -475,6 +475,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td>';
@@ -487,6 +488,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("App Parsers"), true, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_barnyard.php b/config/suricata/suricata_barnyard.php
index 987055fd..2938136f 100644
--- a/config/suricata/suricata_barnyard.php
+++ b/config/suricata/suricata_barnyard.php
@@ -89,6 +89,29 @@ if (isset($id) && $a_nat[$id]) {
}
if ($_POST['save']) {
+
+ // If disabling Barnyard2 on the interface, stop any
+ // currently running instance, then save the disabled
+ // state and exit so as to preserve settings.
+ if ($_POST['barnyard_enable'] != 'on') {
+ $a_nat[$id]['barnyard_enable'] = 'off';
+ write_config("Suricata pkg: modified Barnyard2 settings.");
+ suricata_barnyard_stop($a_nat[$id], get_real_interface($a_nat[$id]['interface']));
+
+ // No need to rebuild rules for Barnyard2 changes
+ $rebuild_rules = false;
+ conf_mount_rw();
+ sync_suricata_package_config();
+ conf_mount_ro();
+ header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
+ header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
+ header( 'Cache-Control: no-store, no-cache, must-revalidate' );
+ header( 'Cache-Control: post-check=0, pre-check=0', false );
+ header( 'Pragma: no-cache' );
+ header("Location: /suricata/suricata_barnyard.php");
+ exit;
+ }
+
// Check that at least one output plugin is enabled
if ($_POST['barnyard_mysql_enable'] != 'on' && $_POST['barnyard_syslog_enable'] != 'on' &&
$_POST['barnyard_bro_ids_enable'] != 'on' && $_POST['barnyard_enable'] == "on")
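Review bot: The new early-exit block handles the disabled case completely, which leaves the later code redundant: the `&& $_POST['barnyard_enable'] == "on"` term in the output-plugin check on the last lines of the hunk is now always true, and the existing `// If disabling Barnyard2 on the interface, stop any currently running instance` branch further down (visible as context in the `@@ -167,11 +190,13 @@` hunk) appears unreachable with the instance disabled. Either remove that later branch and the redundant term, or keep a single disable path; two copies of the stop/redirect sequence will drift. The cache-busting header block also looks copied from the normal save path outside the hunk and could be a small helper.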
@@ -167,11 +190,13 @@ if ($_POST['save']) {
if ($_POST['barnconfigpassthru']) $natent['barnconfigpassthru'] = base64_encode(str_replace("\r\n", "\n", $_POST['barnconfigpassthru'])); else unset($natent['barnconfigpassthru']);
$a_nat[$id] = $natent;
- write_config();
+ write_config("Suricata pkg: modified Barnyard2 settings.");
// No need to rebuild rules for Barnyard2 changes
$rebuild_rules = false;
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
// If disabling Barnyard2 on the interface, stop any
// currently running instance. If an instance is
@@ -234,6 +259,7 @@ include_once("head.inc");
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -246,6 +272,7 @@ include_once("head.inc");
$tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), true, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -606,11 +633,11 @@ function enable_change(enable_change) {
document.iform.barnconfigpassthru.disabled = endis;
}
-enable_change(false);
toggle_mySQL();
toggle_syslog();
toggle_local_syslog();
toggle_bro_ids();
+enable_change(false);
</script>
diff --git a/config/suricata/suricata_blocked.php b/config/suricata/suricata_blocked.php
index 842d4073..4f4bf095 100644
--- a/config/suricata/suricata_blocked.php
+++ b/config/suricata/suricata_blocked.php
@@ -42,6 +42,8 @@
require_once("guiconfig.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
+global $g, $config;
+
$suricatalogdir = SURICATALOGDIR;
$suri_pf_table = SURICATA_PF_TABLE;
@@ -94,22 +96,22 @@ if ($_POST['download'])
exec("/sbin/pfctl -t {$suri_pf_table} -T show", $blocked_ips_array_save);
/* build the list */
if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) {
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $save_date = date("Y-m-d-H-i-s");
$file_name = "suricata_blocked_{$save_date}.tar.gz";
- exec('/bin/mkdir -p /tmp/suricata_blocked');
- file_put_contents("/tmp/suricata_blocked/suricata_block.pf", "");
+ safe_mkdir("{$g['tmp_path']}/suricata_blocked");
+ file_put_contents("{$g['tmp_path']}/suricata_blocked/suricata_block.pf", "");
foreach($blocked_ips_array_save as $counter => $fileline) {
if (empty($fileline))
continue;
$fileline = trim($fileline, " \n\t");
- file_put_contents("/tmp/suricata_blocked/suricata_block.pf", "{$fileline}\n", FILE_APPEND);
+ file_put_contents("{$g['tmp_path']}/suricata_blocked/suricata_block.pf", "{$fileline}\n", FILE_APPEND);
}
// Create a tar gzip archive of blocked host IP addresses
- exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/suricata_blocked suricata_block.pf");
+ exec("/usr/bin/tar -czf {$g['tmp_path']}/{$file_name} -C{$g['tmp_path']}/suricata_blocked suricata_block.pf");
// If we successfully created the archive, send it to the browser.
- if(file_exists("/tmp/{$file_name}")) {
+ if(file_exists("{$g['tmp_path']}/{$file_name}")) {
ob_start(); //important or other posts will fail
if (isset($_SERVER['HTTPS'])) {
header('Pragma: ');
@@ -119,14 +121,14 @@ if ($_POST['download'])
header("Cache-Control: private, must-revalidate");
}
header("Content-Type: application/octet-stream");
- header("Content-length: " . filesize("/tmp/{$file_name}"));
+ header("Content-length: " . filesize("{$g['tmp_path']}/{$file_name}"));
header("Content-disposition: attachment; filename = {$file_name}");
ob_end_clean(); //important or other post will fail
- readfile("/tmp/{$file_name}");
+ readfile("{$g['tmp_path']}/{$file_name}");
// Clean up the temp files and directory
- @unlink("/tmp/{$file_name}");
- exec("/bin/rm -fr /tmp/suricata_blocked");
+ unlink_if_exists("{$g['tmp_path']}/{$file_name}");
+ rmdir_recursive("{$g['tmp_path']}/suricata_blocked");
} else
$savemsg = gettext("An error occurred while creating archive");
} else
@@ -191,6 +193,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td>
@@ -257,19 +260,67 @@ if ($savemsg) {
foreach (glob("{$suricatalogdir}*/block.log*") as $alertfile) {
$fd = fopen($alertfile, "r");
if ($fd) {
- /* 0 1 2 3 4 5 6 7 8 9 10 */
- /* File format timestamp,action,sig_generator,sig_id,sig_rev,msg,classification,priority,proto,ip,port */
- while (($fields = fgetcsv($fd, 1000, ',', '"')) !== FALSE) {
- if(count($fields) != 11) {
- log_error("[suricata] ERROR: block.log entry failed to parse correctly with too many or not enough CSV entities, skipping this entry...");
- log_error("[suricata] Failed block.log entry fields are: " . print_r($fields, true));
- continue;
+
+ /*************** FORMAT for file -- BLOCK -- **************************************************************************/
+ /* Line format: timestamp action [**] [gid:sid:rev] msg [**] [Classification: class] [Priority: pri] {proto} ip:port */
+ /* 0 1 2 3 4 5 6 7 8 9 10 */
+ /**********************************************************************************************************************/
+
+ $buf = "";
+ while (($buf = fgets($fd)) !== FALSE) {
+ $fields = array();
+ $tmp = array();
+
+ /***************************************************************/
+ /* Parse block log entry to find the parts we want to display. */
+ /* We parse out all the fields even though we currently use */
+ /* just a few of them. */
+ /***************************************************************/
+
+ // Field 0 is the event timestamp
+ $fields['time'] = substr($buf, 0, strpos($buf, ' '));
+
+ // Field 1 is the action
+ if (strpos($buf, '[') !== FALSE && strpos($buf, ']') !== FALSE)
+ $fields['action'] = substr($buf, strpos($buf, '[') + 1, strpos($buf, ']') - strpos($buf, '[') - 1);
+ else
+ $fields['action'] = null;
+
+ // The regular expression match below returns an array as follows:
+ // [2] => GID, [3] => SID, [4] => REV, [5] => MSG, [6] => CLASSIFICATION, [7] = PRIORITY
+ preg_match('/\[\*{2}\]\s\[((\d+):(\d+):(\d+))\]\s(.*)\[\*{2}\]\s\[Classification:\s(.*)\]\s\[Priority:\s(\d+)\]\s/', $buf, $tmp);
+ $fields['gid'] = trim($tmp[2]);
+ $fields['sid'] = trim($tmp[3]);
+ $fields['rev'] = trim($tmp[4]);
+ $fields['msg'] = trim($tmp[5]);
+ $fields['class'] = trim($tmp[6]);
+ $fields['priority'] = trim($tmp[7]);
+
+ // The regular expression match below looks for the PROTO, IP and PORT fields
+ // and returns an array as follows:
+ // [1] = PROTO, [2] => IP:PORT
+ if (preg_match('/\{(.*)\}\s(.*)/', $buf, $tmp)) {
+ // Get PROTO
+ $fields['proto'] = trim($tmp[1]);
+
+ // Get IP
+ $fields['ip'] = trim(substr($tmp[2], 0, strrpos($tmp[2], ':')));
+ if (is_ipaddrv6($fields['ip']))
+ $fields['ip'] = inet_ntop(inet_pton($fields['ip']));
+
+ // Get PORT
+ $fields['port'] = trim(substr($tmp[2], strrpos($tmp[2], ':') + 1));
}
- $fields[9] = inet_pton($fields[9]);
- if (isset($tmpblocked[$fields[9]])) {
- if (!is_array($src_ip_list[$fields[9]]))
- $src_ip_list[$fields[9]] = array();
- $src_ip_list[$fields[9]][$fields[5]] = "{$fields[5]} - " . substr($fields[0], 0, -7);
+
+ // In the unlikely event we read an old log file and fail to parse
+ // out an IP address, just skip the record since we can't use it.
+ if (empty($fields['ip']))
+ continue;
+ $fields['ip'] = inet_pton($fields['ip']);
+ if (isset($tmpblocked[$fields['ip']])) {
+ if (!is_array($src_ip_list[$fields['ip']]))
+ $src_ip_list[$fields['ip']] = array();
+ $src_ip_list[$fields['ip']][$fields['msg']] = "{$fields['msg']} - " . substr($fields['time'], 0, -7);
}
}
fclose($fd);
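Review bot: The new `empty($fields['ip'])` guard does not cover the inet_pton() conversion on the line after it, which returns false for a string that is not an IP address (a malformed `{proto} ip:port` tail, for example), and false then becomes the empty-string key in the `$tmpblocked` lookup. Fold the conversion into the guard, `$fields['ip'] = inet_pton($fields['ip']); if ($fields['ip'] === false) continue;`, placed before the `isset` test. The surrounding foreach over glob() starts outside the hunk.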
diff --git a/config/suricata/suricata_check_cron_misc.inc b/config/suricata/suricata_check_cron_misc.inc
index 70394a23..eb1ba2d0 100644
--- a/config/suricata/suricata_check_cron_misc.inc
+++ b/config/suricata/suricata_check_cron_misc.inc
@@ -66,9 +66,9 @@ function suricata_check_dir_size_limit($suricataloglimitsize) {
conf_mount_rw();
// Truncate the Rules Update Log file if it exists
- if (file_exists(RULES_UPD_LOGFILE)) {
+ if (file_exists(SURICATA_RULES_UPD_LOGFILE)) {
log_error(gettext("[Suricata] Truncating the Rules Update Log file..."));
- @file_put_contents(RULES_UPD_LOGFILE, "");
+ @file_put_contents(SURICATA_RULES_UPD_LOGFILE, "");
}
// Initialize an array of the log files we want to prune
@@ -93,6 +93,14 @@ function suricata_check_dir_size_limit($suricataloglimitsize) {
}
}
+ // Cleanup any rotated logs
+ log_error(gettext("[Suricata] Deleting any rotated log files for {$value['descr']} ({$if_real})..."));
+ unlink_if_exists("{$suricata_log_dir}/*.log.*");
+
+ // Cleanup any rotated pcap logs
+ log_error(gettext("[Suricata] Deleting any rotated pcap log files for {$value['descr']} ({$if_real})..."));
+ unlink_if_exists("{$suricata_log_dir}/log.pcap.*");
+
// Check for any captured stored files and clean them up
unlink_if_exists("{$suricata_log_dir}/files/*");
@@ -217,6 +225,7 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] ==
$config['installedpackages']['suricata']['config'][0]['file_store_retention'] > 0) {
$now = time();
$files = glob("{$suricata_log_dir}/files/file.*");
+ $prune_count = 0;
foreach ($files as $f) {
if (($now - filemtime($f)) > ($config['installedpackages']['suricata']['config'][0]['file_store_retention'] * 3600)) {
$prune_count++;
@@ -227,6 +236,25 @@ if ($config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] ==
log_error(gettext("[Suricata] File Store cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/files/..."));
unset($files);
}
+
+ // Prune any pcap log files over configured limit
+ $files = glob("{$suricata_log_dir}/log.pcap.*");
+ if (count($files) > $value['max_pcap_log_files']) {
+ $over = count($files) - $value['max_pcap_log_files'];
+ $remove_files = array();
+ while ($over > 0) {
+ $remove_files[] = array_shift($files);
+ $over--;
+ }
+ $prune_count = 0;
+ foreach ($remove_files as $f) {
+ $prune_count++;
+ unlink_if_exists($f);
+ }
+ if ($prune_count > 0)
+ log_error(gettext("[Suricata] Packet Capture log cleanup job removed {$prune_count} file(s) from {$suricata_log_dir}/..."));
+ unset($files, $remove_files);
+ }
}
}
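Review bot: The new pcap-pruning block has no guard for an unset or zero `$value['max_pcap_log_files']`: `count($files) > null` is true for any non-empty glob and `$over` then equals the full count, so every `log.pcap.*` file is removed for an interface whose config predates the setting. Test the value first, `if (!empty($value['max_pcap_log_files']) && count($files) > $value['max_pcap_log_files']) {`. The oldest-first assumption also rests on glob()'s alphabetical ordering, which only tracks age if the suffix is a fixed-width timestamp; a `usort` by filemtime() would make the intent explicit. The enclosing foreach starts outside the hunk.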
diff --git a/config/suricata/suricata_check_for_rule_updates.php b/config/suricata/suricata_check_for_rule_updates.php
index eeb7be6c..0fa4fb2d 100644
--- a/config/suricata/suricata_check_for_rule_updates.php
+++ b/config/suricata/suricata_check_for_rule_updates.php
@@ -41,39 +41,13 @@
require_once("functions.inc");
require_once("service-utils.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
+require_once("/usr/local/pkg/suricata/suricata_defs.inc");
global $g, $pkg_interface, $suricata_gui_include, $rebuild_rules;
-if (!defined("VRT_DNLD_URL"))
- define("VRT_DNLD_URL", "https://www.snort.org/rules/");
-if (!defined("ET_VERSION"))
- define("ET_VERSION", "2.9.0");
-if (!defined("ET_BASE_DNLD_URL"))
- define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
-if (!defined("ETPRO_BASE_DNLD_URL"))
- define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
-if (!defined("ET_DNLD_FILENAME"))
- define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
-if (!defined("ETPRO_DNLD_FILENAME"))
- define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
-if (!defined("GPLV2_DNLD_FILENAME"))
- define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
-if (!defined("GPLV2_DNLD_URL"))
- define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/");
-if (!defined("RULES_UPD_LOGFILE"))
- define("RULES_UPD_LOGFILE", SURICATALOGDIR . "/suricata_rules_update.log");
-if (!defined("VRT_FILE_PREFIX"))
- define("VRT_FILE_PREFIX", "snort_");
-if (!defined("GPL_FILE_PREFIX"))
- define("GPL_FILE_PREFIX", "GPLv2_");
-if (!defined("ET_OPEN_FILE_PREFIX"))
- define("ET_OPEN_FILE_PREFIX", "emerging-");
-if (!defined("ET_PRO_FILE_PREFIX"))
- define("ET_PRO_FILE_PREFIX", "etpro-");
-
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
-$suricata_rules_upd_log = RULES_UPD_LOGFILE;
+$mounted_rw = FALSE;
/* Save the state of $pkg_interface so we can restore it */
$pkg_interface_orig = $pkg_interface;
@@ -93,7 +67,7 @@ $vrt_enabled = $config['installedpackages']['suricata']['config'][0]['enable_vrt
$snortcommunityrules = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'] == 'on' ? 'on' : 'off';
/* Working directory for downloaded rules tarballs */
-$tmpfname = "/tmp/suricata_rules_up";
+$tmpfname = "{$g['tmp_path']}/suricata_rules_up";
/* Snort VRT Rules filenames and URL */
$snort_filename_md5 = "{$snort_filename}.md5";
@@ -105,7 +79,10 @@ $snort_community_rules_filename_md5 = GPLV2_DNLD_FILENAME . ".md5";
$snort_community_rules_url = GPLV2_DNLD_URL;
/* Mount the Suricata conf directories R/W so we can modify files there */
-conf_mount_rw();
+if (!is_subsystem_dirty('mount')) {
+ conf_mount_rw();
+ $mounted_rw = TRUE;
+}
/* Set up Emerging Threats rules filenames and URL */
if ($etpro == "on") {
@@ -115,7 +92,7 @@ if ($etpro == "on") {
$emergingthreats_url .= "{$etproid}/suricata/";
$et_name = "Emerging Threats Pro";
$et_md5_remove = ET_DNLD_FILENAME . ".md5";
- @unlink("{$suricatadir}{$et_md5_remove}");
+ unlink_if_exists("{$suricatadir}{$et_md5_remove}");
}
else {
$emergingthreats_filename = ET_DNLD_FILENAME;
@@ -126,7 +103,7 @@ else {
$emergingthreats_url .= "suricata/";
$et_name = "Emerging Threats Open";
$et_md5_remove = ETPRO_DNLD_FILENAME . ".md5";
- @unlink("{$suricatadir}{$et_md5_remove}");
+ unlink_if_exists("{$suricatadir}{$et_md5_remove}");
}
// Set a common flag for all Emerging Threats rules (open and pro).
@@ -209,7 +186,9 @@ function suricata_download_file_url($url, $file_out) {
curl_setopt($ch, CURLOPT_FILE, $fout);
// NOTE: required to suppress errors from XMLRPC due to progress bar output
- if ($g['suricata_sync_in_progress'])
+ // and to prevent useless spam from rules update cron job execution. This
+ // prevents progress bar output during package sync and rules update cron task.
+ if ($g['suricata_sync_in_progress'] || $pkg_interface == "console")
curl_setopt($ch, CURLOPT_HEADER, false);
else {
curl_setopt($ch, CURLOPT_HEADERFUNCTION, 'read_header');
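Review bot: The new `$pkg_interface == "console"` test inside suricata_download_file_url() only works if the function declares `global $pkg_interface`; the function header is outside the hunk, and the visible sibling functions declare it explicitly (`global $pkg_interface, $last_curl_error, $update_errors;`), so confirm this one does too, otherwise the comparison reads an undefined local and the header suppression never triggers for the cron job. The same applies to `$g` on that line, which predates the change.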
@@ -283,21 +262,21 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
/* error occurred. */
/**********************************************************/
- global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors;
$suricatadir = SURICATADIR;
$filename_md5 = basename($file_dst);
if ($pkg_interface <> "console")
update_status(gettext("Downloading {$desc} md5 file..."));
- error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tDownloading {$desc} md5 file {$filename_md5}...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$rc = suricata_download_file_url($file_url, $file_dst);
// See if download from URL was successful
if ($rc === true) {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading {$filename_md5}."));
- error_log("\tChecking {$desc} md5 file...\n", 3, $suricata_rules_upd_log);
+ error_log("\tChecking {$desc} md5 file...\n", 3, SURICATA_RULES_UPD_LOGFILE);
// check md5 hash in new file against current file to see if new download is posted
if (file_exists("{$suricatadir}{$filename_md5}")) {
@@ -307,7 +286,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("{$desc} are up to date..."));
log_error(gettext("[Suricata] {$desc} are up to date..."));
- error_log(gettext("\t{$desc} are up to date.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\t{$desc} are up to date.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
return false;
}
else
@@ -316,7 +295,7 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
return true;
}
else {
- error_log(gettext("\t{$desc} md5 download failed.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\t{$desc} md5 download failed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$suricata_err_msg = gettext("Server returned error code {$rc}.");
if ($pkg_interface <> "console") {
update_status(gettext("{$desc} md5 error ... Server returned error code {$rc} ..."));
@@ -324,10 +303,10 @@ function suricata_check_rule_md5($file_url, $file_dst, $desc = "") {
}
log_error(gettext("[Suricata] {$desc} md5 download failed..."));
log_error(gettext("[Suricata] Server returned error code {$rc}..."));
- error_log(gettext("\t{$suricata_err_msg}\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\t{$suricata_err_msg}\n"), 3, SURICATA_RULES_UPD_LOGFILE);
if ($pkg_interface == "console")
- error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log);
- error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tServer error message was: {$last_curl_error}\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -352,7 +331,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* FALSE if download was not successful. */
/**********************************************************/
- global $pkg_interface, $suricata_rules_upd_log, $last_curl_error, $update_errors;
+ global $pkg_interface, $last_curl_error, $update_errors;
$suricatadir = SURICATADIR;
$filename = basename($file_dst);
@@ -360,8 +339,8 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("There is a new set of {$desc} posted. Downloading..."));
log_error(gettext("[Suricata] There is a new set of {$desc} posted. Downloading {$filename}..."));
- error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, $suricata_rules_upd_log);
- error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tThere is a new set of {$desc} posted.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ error_log(gettext("\tDownloading file '{$filename}'...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$rc = suricata_download_file_url($file_url, $file_dst);
// See if the download from the URL was successful
@@ -369,7 +348,7 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_status(gettext("Done downloading {$desc} file."));
log_error("[Suricata] {$desc} file update downloaded successfully");
- error_log(gettext("\tDone downloading rules file.\n"),3, $suricata_rules_upd_log);
+ error_log(gettext("\tDone downloading rules file.\n"),3, SURICATA_RULES_UPD_LOGFILE);
// Test integrity of the rules file. Turn off update if file has wrong md5 hash
if ($file_md5 != trim(md5_file($file_dst))){
@@ -378,10 +357,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
log_error(gettext("[Suricata] {$desc} file download failed. Bad MD5 checksum..."));
log_error(gettext("[Suricata] Downloaded File MD5: " . md5_file($file_dst)));
log_error(gettext("[Suricata] Expected File MD5: {$file_md5}"));
- error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, $suricata_rules_upd_log);
- error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, $suricata_rules_upd_log);
- error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, $suricata_rules_upd_log);
- error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. Bad MD5 checksum.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ error_log(gettext("\tDownloaded {$desc} file MD5: " . md5_file($file_dst) . "\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ error_log(gettext("\tExpected {$desc} file MD5: {$file_md5}\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} file download failed. {$desc} will not be updated.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -391,10 +370,10 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
if ($pkg_interface <> "console")
update_output_window(gettext("{$desc} file download failed..."));
log_error(gettext("[Suricata] {$desc} file download failed... server returned error '{$rc}'..."));
- error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\t{$desc} file download failed. Server returned error {$rc}.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
if ($pkg_interface == "console")
- error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, $suricata_rules_upd_log);
- error_log(gettext("\t{$desc} will not be updated.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tThe error text was: {$last_curl_error}\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ error_log(gettext("\t{$desc} will not be updated.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$update_errors = true;
return false;
}
@@ -405,21 +384,21 @@ function suricata_fetch_new_rules($file_url, $file_dst, $file_md5, $desc = "") {
/* remove old $tmpfname files if present */
if (is_dir("{$tmpfname}"))
- exec("/bin/rm -r {$tmpfname}");
+ rmdir_recursive("{$tmpfname}");
/* Make sure required suricatadirs exsist */
-exec("/bin/mkdir -p {$suricatadir}rules");
-exec("/bin/mkdir -p {$tmpfname}");
-exec("/bin/mkdir -p {$suricatalogdir}");
+safe_mkdir("{$suricatadir}rules");
+safe_mkdir("{$tmpfname}");
+safe_mkdir("{$suricatalogdir}");
/* See if we need to automatically clear the Update Log based on 1024K size limit */
-if (file_exists($suricata_rules_upd_log)) {
- if (1048576 < filesize($suricata_rules_upd_log))
- exec("/bin/rm -r {$suricata_rules_upd_log}");
+if (file_exists(SURICATA_RULES_UPD_LOGFILE)) {
+ if (1048576 < filesize(SURICATA_RULES_UPD_LOGFILE))
+ unlink_if_exists("{SURICATA_RULES_UPD_LOGFILE}");
}
/* Log start time for this rules update */
-error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, $suricata_rules_upd_log);
+error_log(gettext("Starting rules update... Time: " . date("Y-m-d H:i:s") . "\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$last_curl_error = "";
$update_errors = false;
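Review bot: `unlink_if_exists("{SURICATA_RULES_UPD_LOGFILE}");` in the 1024K size-limit check does not reference the constant — inside double quotes `{NAME}` without a leading `$` is literal text, so the call tries to remove a relative path literally named `{SURICATA_RULES_UPD_LOGFILE}` and the automatic clearing of the update log never happens. The adjacent `file_exists()`/`filesize()` calls use the bare constant correctly, so the fix is `unlink_if_exists(SURICATA_RULES_UPD_LOGFILE);`. The same slip is easy to repeat wherever the former `$suricata_rules_upd_log` variable was interpolated, so it is worth grepping the package for `"{SURICATA_`.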
@@ -439,7 +418,7 @@ if ($emergingthreats == 'on') {
if ($snortdownload == 'on') {
if (empty($snort_filename)) {
log_error(gettext("No snortrules-snapshot filename has been set on Snort pkg GLOBAL SETTINGS tab. Snort VRT rules cannot be updated."));
- error_log(gettext("\tWARNING-- No snortrules-snapshot filename set on GLOBAL SETTINGS tab. Snort VRT rules cannot be updated!\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tWARNING-- No snortrules-snapshot filename set on GLOBAL SETTINGS tab. Snort VRT rules cannot be updated!\n"), 3, SURICATA_RULES_UPD_LOGFILE);
$snortdownload = 'off';
}
elseif (suricata_check_rule_md5("{$snort_rule_url}{$snort_filename_md5}?oinkcode={$oinkid}", "{$tmpfname}/{$snort_filename_md5}", "Snort VRT rules")) {
@@ -454,7 +433,7 @@ if ($snortdownload == 'on') {
/* Check for and download any new Snort GPLv2 Community Rules sigs */
if ($snortcommunityrules == 'on') {
- if (suricata_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
+ if (suricata_check_rule_md5("{$snort_community_rules_url}{$snort_community_rules_filename}/md5", "{$tmpfname}/{$snort_community_rules_filename_md5}", "Snort GPLv2 Community Rules")) {
/* download Snort GPLv2 Community Rules file */
$file_md5 = trim(file_get_contents("{$tmpfname}/{$snort_community_rules_filename_md5}"));
if (!suricata_fetch_new_rules("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}", $file_md5, "Snort GPLv2 Community Rules"))
@@ -472,7 +451,7 @@ if ($emergingthreats == 'on') {
update_status(gettext("Extracting {$et_name} rules..."));
update_output_window(gettext("Installing {$et_name} rules..."));
}
- error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$tmpfname}/emerging rules/");
/* Remove the old Emerging Threats rules files */
@@ -530,8 +509,8 @@ if ($emergingthreats == 'on') {
update_status(gettext("Extraction of {$et_name} rules completed..."));
update_output_window(gettext("Installation of {$et_name} rules completed..."));
}
- error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $suricata_rules_upd_log);
- exec("rm -r {$tmpfname}/emerging");
+ error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ rmdir_recursive("{$tmpfname}/emerging");
}
}
@@ -546,7 +525,7 @@ if ($snortdownload == 'on') {
update_status(gettext("Extracting Snort VRT rules..."));
update_output_window(gettext("Installing Sourcefire VRT rules..."));
}
- error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tExtracting and installing Snort VRT rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
/* extract snort.org rules and add prefix to all snort.org files */
safe_mkdir("{$tmpfname}/snortrules");
@@ -563,7 +542,7 @@ if ($snortdownload == 'on') {
$newfile = basename($file);
@copy($file, "{$suricatadir}rules/{$newfile}");
}
- exec("rm -r {$tmpfname}/snortrules");
+ rmdir_recursive("{$tmpfname}/snortrules");
/* extract base etc files */
if ($pkg_interface <> "console") {
@@ -575,7 +554,7 @@ if ($snortdownload == 'on') {
if (file_exists("{$tmpfname}/etc/{$file}"))
@copy("{$tmpfname}/etc/{$file}", "{$tmpfname}/VRT_{$file}");
}
- exec("rm -r {$tmpfname}/etc");
+ rmdir_recursive("{$tmpfname}/etc");
if (file_exists("{$tmpfname}/{$snort_filename_md5}")) {
if ($pkg_interface <> "console")
update_status(gettext("Copying md5 signature to Suricata directory..."));
@@ -585,7 +564,7 @@ if ($snortdownload == 'on') {
update_status(gettext("Extraction of Snort VRT rules completed..."));
update_output_window(gettext("Installation of Sourcefire VRT rules completed..."));
}
- error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tInstallation of Snort VRT rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
}
@@ -597,7 +576,7 @@ if ($snortcommunityrules == 'on') {
update_status(gettext("Extracting Snort GPLv2 Community Rules..."));
update_output_window(gettext("Installing Snort GPLv2 Community Rules..."));
}
- error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tExtracting and installing Snort GPLv2 Community Rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
exec("/usr/bin/tar xzf {$tmpfname}/{$snort_community_rules_filename} -C {$tmpfname}/community/");
$files = glob("{$tmpfname}/community/community-rules/*.rules");
@@ -620,8 +599,8 @@ if ($snortcommunityrules == 'on') {
update_status(gettext("Extraction of Snort GPLv2 Community Rules completed..."));
update_output_window(gettext("Installation of Snort GPLv2 Community Rules file completed..."));
}
- error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, $suricata_rules_upd_log);
- exec("rm -r {$tmpfname}/community");
+ error_log(gettext("\tInstallation of Snort GPLv2 Community Rules completed.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
+ rmdir_recursive("{$tmpfname}/community");
}
}
@@ -643,7 +622,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
if ($pkg_interface <> "console")
update_status(gettext('Copying new config and map files...'));
- error_log(gettext("\tCopying new config and map files...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tCopying new config and map files...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
/******************************************************************/
/* Build the classification.config and reference.config files */
@@ -672,10 +651,14 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
/* Start the rules rebuild proccess for each configured interface */
if (is_array($config['installedpackages']['suricata']['rule']) &&
- !empty($config['installedpackages']['suricata']['rule'])) {
+ count($config['installedpackages']['suricata']['rule']) > 0) {
- /* Set the flag to force rule rebuilds since we downloaded new rules */
- $rebuild_rules = true;
+ /* Set the flag to force rule rebuilds since we downloaded new rules, */
+ /* except when in post-install mode. Post-install does its own rebuild. */
+ if ($g['suricata_postinstall'])
+ $rebuild_rules = false;
+ else
+ $rebuild_rules = true;
/* Create configuration for each active Suricata interface */
foreach ($config['installedpackages']['suricata']['rule'] as $value) {
@@ -693,7 +676,7 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
}
suricata_apply_customizations($value, $if_real);
$tmp = "\t" . $tmp . "\n";
- error_log($tmp, 3, $suricata_rules_upd_log);
+ error_log($tmp, 3, SURICATA_RULES_UPD_LOGFILE);
}
}
else {
@@ -701,44 +684,43 @@ if ($snortdownload == 'on' || $emergingthreats == 'on' || $snortcommunityrules =
update_output_window(gettext("Warning: No interfaces configured for Suricata were found..."));
update_output_window(gettext("No interfaces currently have Suricata configured and enabled on them..."));
}
- error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tWarning: No interfaces configured for Suricata were found...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
/* Clear the rebuild rules flag. */
$rebuild_rules = false;
- /* Restart Suricata if already running and we are not rebooting to pick up the new rules. */
- if (is_process_running("suricata") && !$g['booting'] &&
- !empty($config['installedpackages']['suricata']['rule'])) {
+ /* Restart Suricata if already running and we are not in post-install, so as to pick up the new rules. */
+ if (is_process_running("suricata") && !$g['suricata_postinstall'] &&
+ count($config['installedpackages']['suricata']['rule']) > 0) {
// See if "Live Reload" is configured and signal each Suricata instance
// if enabled, else just do a hard restart of all the instances.
if ($config['installedpackages']['suricata']['config'][0]['live_swap_updates'] == 'on') {
if ($pkg_interface <> "console") {
- update_status(gettext('Signalling Suricata to live-load the new set of rules...'));
+ update_status(gettext('Signaling Suricata to live-load the new set of rules...'));
update_output_window(gettext("Please wait ... the process should complete in a few seconds..."));
}
log_error(gettext("[Suricata] Live-Reload of rules from auto-update is enabled..."));
- error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tLive-Reload of updated rules is enabled...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
foreach ($config['installedpackages']['suricata']['rule'] as $value) {
- $if_real = get_real_interface($value['interface']);
suricata_reload_config($value);
- error_log(gettext("\tLive swap of updated rules requested for " . convert_friendly_interface_to_friendly_descr($value['interface']) . ".\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tLive swap of updated rules requested for " . convert_friendly_interface_to_friendly_descr($value['interface']) . ".\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
log_error(gettext("[Suricata] Live-Reload of updated rules completed..."));
- error_log(gettext("\tLive-Reload of the updated rules is complete.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tLive-Reload of the updated rules is complete.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
else {
if ($pkg_interface <> "console") {
update_status(gettext('Restarting Suricata to activate the new set of rules...'));
update_output_window(gettext("Please wait ... restarting Suricata will take some time..."));
}
- error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tRestarting Suricata to activate the new set of rules...\n"), 3, SURICATA_RULES_UPD_LOGFILE);
restart_service("suricata");
if ($pkg_interface <> "console")
update_output_window(gettext("Suricata has restarted with your new set of rules..."));
log_error(gettext("[Suricata] Suricata has restarted with your new set of rules..."));
- error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, $suricata_rules_upd_log);
+ error_log(gettext("\tSuricata has restarted with your new set of rules.\n"), 3, SURICATA_RULES_UPD_LOGFILE);
}
}
else {
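Review bot: `count($config['installedpackages']['suricata']['rule']) > 0` in the restart condition is not guarded by `is_array()` the way the rebuild block earlier in this file is; the `!empty()` it replaces tolerated a missing `rule` key, whereas `count()` on null only returns 0 silently on PHP 5 and warns or throws on later PHP versions. Mirror the earlier guard: `is_array($config['installedpackages']['suricata']['rule']) && count($config['installedpackages']['suricata']['rule']) > 0`. Note also that swapping `!$g['booting']` for `!$g['suricata_postinstall']` drops the boot-time exclusion, so a rules update that runs while the system is still booting would now restart Suricata — presumably intended, but worth confirming in the commit message.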
@@ -753,7 +735,7 @@ if (is_dir("{$tmpfname}")) {
update_status(gettext("Cleaning up after rules extraction..."));
update_output_window(gettext("Removing {$tmpfname} directory..."));
}
- exec("/bin/rm -r {$tmpfname}");
+ rmdir_recursive("{$tmpfname}");
}
if ($pkg_interface <> "console") {
@@ -761,11 +743,10 @@ if ($pkg_interface <> "console") {
update_output_window("");
}
log_error(gettext("[Suricata] The Rules update has finished."));
-error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, $suricata_rules_upd_log);
+error_log(gettext("The Rules update has finished. Time: " . date("Y-m-d H:i:s"). "\n\n"), 3, SURICATA_RULES_UPD_LOGFILE);
-// Remount filesystem read-only unless we are in package post-install.
-// The post-install code will remount read-only when it completes.
-if (!$g['suricata_postinstall'])
+/* Remount filesystem read-only if we changed it in this module */
+if ($mounted_rw == TRUE)
conf_mount_ro();
// Restore the state of $pkg_interface
@@ -777,6 +758,6 @@ if ($update_errors)
else
$config['installedpackages']['suricata']['config'][0]['last_rule_upd_status'] = gettext("success");
$config['installedpackages']['suricata']['config'][0]['last_rule_upd_time'] = time();
-write_config("Suricata pkg: updated status for updated rules package(s) check.");
+write_config("Suricata pkg: updated status for updated rules package(s) check.", FALSE);
?>
diff --git a/config/suricata/suricata_define_vars.php b/config/suricata/suricata_define_vars.php
index 040244b0..b94292c3 100644
--- a/config/suricata/suricata_define_vars.php
+++ b/config/suricata/suricata_define_vars.php
@@ -187,6 +187,7 @@ if ($savemsg)
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -199,6 +200,7 @@ if ($savemsg)
$tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), true, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_defs.inc b/config/suricata/suricata_defs.inc
new file mode 100644
index 00000000..7758a9f0
--- /dev/null
+++ b/config/suricata/suricata_defs.inc
@@ -0,0 +1,117 @@
+<?php
+/*
+ * suricata_defs.inc
+ *
+ * Significant portions of this code are based on original work done
+ * for the Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for Suricata by:
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("pkg-utils.inc");
+
+/*************************************************************************/
+/* This file contains definitions for various CONSTANTS used throughout */
+/* the Suricata package. It is included via a "require_once()" call in */
+/* the "suricata.inc" and "suricata_post_install.php" files. */
+/*************************************************************************/
+
+global $g, $config;
+
+if (!is_array($config['installedpackages']['suricata']))
+ $config['installedpackages']['suricata'] = array();
+
+/* Get installed package version for display */
+$suricata_package_version = "Suricata {$config['installedpackages']['package'][get_pkg_id("suricata")]['version']}";
+
+// Define the installed package version
+if (!defined('SURICATA_PKG_VER'))
+ define('SURICATA_PKG_VER', $suricata_package_version);
+
+// Define the PBI base directory
+if (!defined('SURICATA_PBI_BASEDIR'))
+ define('SURICATA_PBI_BASEDIR', '/usr/pbi/suricata-' . php_uname("m") . '/');
+
+// Define the PBI binary wrapper directory
+if (!defined('SURICATA_PBI_BINDIR'))
+ define('SURICATA_PBI_BINDIR', SURICATA_PBI_BASEDIR . 'bin/');
+
+// Define the name of the pf table used for IP blocks
+if (!defined('SURICATA_PF_TABLE'))
+ define('SURICATA_PF_TABLE', 'snort2c');
+
+// Create some other useful defines
+if (!defined('SURICATADIR'))
+ define('SURICATADIR', SURICATA_PBI_BASEDIR . 'etc/suricata/');
+if (!defined('SURICATALOGDIR'))
+ define('SURICATALOGDIR', "{$g['varlog_path']}/suricata/");
+if (!defined('SURICATA_RULES_UPD_LOGFILE'))
+ define('SURICATA_RULES_UPD_LOGFILE', SURICATALOGDIR . 'suricata_rules_update.log');
+if (!defined('SURICATA_SID_MODS_PATH'))
+ define('SURICATA_SID_MODS_PATH', "{$g['vardb_path']}/suricata/sidmods/");
+if (!defined('SURICATA_IPREP_PATH'))
+ define('SURICATA_IPREP_PATH', "{$g['vardb_path']}/suricata/iprep/");
+
+// Rule set download URLs, filenames and prefixes
+if (!defined("VRT_DNLD_URL"))
+ define("VRT_DNLD_URL", "https://www.snort.org/rules/");
+if (!defined("ET_VERSION"))
+ define("ET_VERSION", "2.9.0");
+if (!defined("ET_BASE_DNLD_URL"))
+ define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/");
+if (!defined("ETPRO_BASE_DNLD_URL"))
+ define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/");
+if (!defined("ET_DNLD_FILENAME"))
+ define("ET_DNLD_FILENAME", "emerging.rules.tar.gz");
+if (!defined("ETPRO_DNLD_FILENAME"))
+ define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz");
+if (!defined("ET_IQRISK_DNLD_URL"))
+ define("ET_IQRISK_DNLD_URL", "https://rules.emergingthreatspro.com/_xxx_/reputation/");
+if (!defined("GPLV2_DNLD_FILENAME"))
+ define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz");
+if (!defined("GPLV2_DNLD_URL"))
+ define("GPLV2_DNLD_URL", "https://www.snort.org/downloads/community/");
+if (!defined("VRT_FILE_PREFIX"))
+ define("VRT_FILE_PREFIX", "snort_");
+if (!defined("GPL_FILE_PREFIX"))
+ define("GPL_FILE_PREFIX", "GPLv2_");
+if (!defined("ET_OPEN_FILE_PREFIX"))
+ define("ET_OPEN_FILE_PREFIX", "emerging-");
+if (!defined("ET_PRO_FILE_PREFIX"))
+ define("ET_PRO_FILE_PREFIX", "etpro-");
+if (!defined('SURICATA_ENFORCING_RULES_FILENAME'))
+ define('SURICATA_ENFORCING_RULES_FILENAME', 'suricata.rules');
+if (!defined('FLOWBITS_FILENAME'))
+ define('FLOWBITS_FILENAME', 'flowbit-required.rules');
+
+?>
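Review bot: `ET_BASE_DNLD_URL` is the only download base defined over plain `http://`, while the VRT, community and ET Pro bases use HTTPS; the rules update code only checks the tarball against an MD5 fetched from the same unauthenticated channel, so an on-path attacker can substitute both the archive and its `.md5` and have Suricata load attacker-chosen rules. If rules.emergingthreats.net serves the same paths over TLS, change the constant to `https://rules.emergingthreats.net/`; if it does not, add a comment above the define so the next maintainer does not mistake the MD5 comparison for an authenticity check, e.g. `// NOTE: plain HTTP; the downloaded .md5 only detects transfer corruption, not tampering.`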
diff --git a/config/suricata/suricata_download_updates.php b/config/suricata/suricata_download_updates.php
index 89e959c9..1abb32d6 100644
--- a/config/suricata/suricata_download_updates.php
+++ b/config/suricata/suricata_download_updates.php
@@ -44,7 +44,7 @@ require_once("/usr/local/pkg/suricata/suricata.inc");
/* Define some locally required variables from Suricata constants */
$suricatadir = SURICATADIR;
-$suricata_rules_upd_log = RULES_UPD_LOGFILE;
+$suricata_rules_upd_log = SURICATA_RULES_UPD_LOGFILE;
$snortdownload = $config['installedpackages']['suricata']['config'][0]['enable_vrt_rules'];
$emergingthreats = $config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'];
@@ -116,7 +116,7 @@ if ($snortcommunityrules == 'on' && file_exists("{$suricatadir}{$snort_community
/* Check for postback to see if we should clear the update log file. */
if ($_POST['clear']) {
if (file_exists("{$suricata_rules_upd_log}"))
- mwexec("/bin/rm -f {$suricata_rules_upd_log}");
+ unlink_if_exists("{$suricata_rules_upd_log}");
}
if ($_POST['update']) {
@@ -130,12 +130,9 @@ if ($_POST['force']) {
conf_mount_rw();
// Remove the existing MD5 signature files to force a download
- if (file_exists("{$suricatadir}{$emergingthreats_filename}.md5"))
- @unlink("{$suricatadir}{$emergingthreats_filename}.md5");
- if (file_exists("{$suricatadir}{$snort_community_rules_filename}.md5"))
- @unlink("{$suricatadir}{$snort_community_rules_filename}.md5");
- if (file_exists("{$suricatadir}{$snort_rules_file}.md5"))
- @unlink("{$suricatadir}{$snort_rules_file}.md5");
+ unlink_if_exists("{$suricatadir}{$emergingthreats_filename}.md5");
+ unlink_if_exists("{$suricatadir}{$snort_community_rules_filename}.md5");
+ unlink_if_exists("{$suricatadir}{$snort_rules_file}.md5");
// Revert file system to R/O.
conf_mount_ro();
@@ -195,6 +192,7 @@ include_once("head.inc");
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_etiqrisk_update.php b/config/suricata/suricata_etiqrisk_update.php
new file mode 100644
index 00000000..6723ce99
--- /dev/null
+++ b/config/suricata/suricata_etiqrisk_update.php
@@ -0,0 +1,211 @@
+<?php
+/*
+ * suricata_etiqrisk_update.php
+ *
+ * Significant portions of this code are based on original work done
+ * for the Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for Suricata by:
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once("config.inc");
+require_once("functions.inc");
+require_once("/usr/local/pkg/suricata/suricata.inc");
+
+/*************************************************************************
+ * Hack for backwards compatibility with older 2.1.x pfSense versions *
+ * that did not contain the new "download_file()" utility function *
+ * present in 2.2 and higher. *
+ *************************************************************************/
+if(!function_exists("download_file")) {
+ function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 60, $timeout = 0) {
+ global $config, $g;
+
+ $fp = fopen($destination, "wb");
+
+ if (!$fp)
+ return false;
+
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+ curl_setopt($ch, CURLOPT_FILE, $fp);
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout);
+ curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
+ curl_setopt($ch, CURLOPT_HEADER, false);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+ curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . rtrim(file_get_contents("/etc/version")));
+
+ if (!empty($config['system']['proxyurl'])) {
+ curl_setopt($ch, CURLOPT_PROXY, $config['system']['proxyurl']);
+ if (!empty($config['system']['proxyport']))
+ curl_setopt($ch, CURLOPT_PROXYPORT, $config['system']['proxyport']);
+ if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) {
+ @curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY | CURLAUTH_ANYSAFE);
+ curl_setopt($ch, CURLOPT_PROXYUSERPWD, "{$config['system']['proxyuser']}:{$config['system']['proxypass']}");
+ }
+ }
+
+ @curl_exec($ch);
+ $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+ fclose($fp);
+ curl_close($ch);
+ return ($http_code == 200) ? true : $http_code;
+ }
+}
+
+function suricata_check_iprep_md5($filename) {
+
+ /**********************************************************/
+ /* This function attempts to download the MD5 hash for */
+ /* the passed file and compare its contents to the */
+ /* currently stored hash file to see if a new file has */
+ /* been posted. */
+ /* */
+ /* On Entry: $filename = IPREP file to check ('md5sum' */
+ /* is auto-appended to the supplied */
+ /* filename.) */
+ /* */
+ /* Returns: TRUE if new rule file download required. */
+ /* FALSE if rule download not required or an */
+ /* error occurred. */
+ /**********************************************************/
+
+ global $et_iqrisk_url, $iqRisk_tmppath, $iprep_path;
+ $new_md5 = $old_md5 = "";
+
+ if (download_file("{$et_iqrisk_url}{$filename}.md5sum", "{$iqRisk_tmppath}{$filename}.md5") == true) {
+ if (file_exists("{$iqRisk_tmppath}{$filename}.md5"))
+ $new_md5 = file_get_contents("{$iqRisk_tmppath}{$filename}.md5");
+ if (file_exists("{$iprep_path}{$filename}.md5"))
+ $old_md5 = file_get_contents("{$iprep_path}{$filename}.md5");
+ if ($new_md5 != $old_md5)
+ return TRUE;
+ else
+ log_error(gettext("[Suricata] IPREP file '{$filename}' is up to date."));
+ }
+ else
+ log_error(gettext("[Suricata] An error occurred downloading {$filename}.md5sum for IPREP. Update of {$filename} file will be skipped."));
+
+ return FALSE;
+}
+
+/**********************************************************************
+ * Start of main code *
+ **********************************************************************/
+global $g, $config;
+$iprep_path = SURICATA_IPREP_PATH;
+$iqRisk_tmppath = "{$g['tmp_path']}/IQRisk/";
+$success = FALSE;
+
+// If auto-updates of ET IQRisk are disabled, then exit
+if ($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] == "off")
+ return(0);
+else
+ log_error(gettext("[Suricata] Updating the Emerging Threats IQRisk IP List..."));
+
+// Construct the download URL using the saved ET IQRisk Subscriber Code
+if (!empty($config['installedpackages']['suricata']['config'][0]['iqrisk_code'])) {
+ $et_iqrisk_url = str_replace("_xxx_", $config['installedpackages']['suricata']['config'][0]['iqrisk_code'], ET_IQRISK_DNLD_URL);
+}
+else {
+ log_error(gettext("[Suricata] No IQRisk subscriber code found! Aborting scheduled update of Emerging Threats IQRisk IP List."));
+ return(0);
+}
+
+// Download the IP List files to a temporary location
+safe_mkdir("$iqRisk_tmppath");
+
+// Test the posted MD5 checksum file against our local copy
+// to see if an update has been posted for 'categories.txt'.
+if (suricata_check_iprep_md5("categories.txt")) {
+ log_error(gettext("[Suricata] An updated IPREP 'categories.txt' file is available...downloading new file."));
+ if (download_file("{$et_iqrisk_url}categories.txt", "{$iqRisk_tmppath}categories.txt") != true)
+ log_error(gettext("[Suricata] An error occurred downloading the 'categories.txt' file for IQRisk."));
+ else {
+ // If the files downloaded successfully, unpack them and store
+ // the list files in the SURICATA_IPREP_PATH directory.
+ if (file_exists("{$iqRisk_tmppath}categories.txt") && file_exists("{$iqRisk_tmppath}categories.txt.md5")) {
+ $new_md5 = file_get_contents("{$iqRisk_tmppath}categories.txt.md5");
+ if ($new_md5 == trim(md5_file("{$iqRisk_tmppath}categories.txt"))) {
+ @rename("{$iqRisk_tmppath}categories.txt", "{$iprep_path}categories.txt");
+ @rename("{$iqRisk_tmppath}categories.txt.md5", "{$iprep_path}categories.txt.md5");
+ $success = TRUE;
+ log_error(gettext("[Suricata] Successfully updated IPREP file 'categories.txt'."));
+ }
+ else
+ log_error(gettext("[Suricata] MD5 integrity check of downloaded 'categories.txt' file failed! Skipping update of this IPREP file."));
+ }
+ }
+}
+
+// Test the posted MD5 checksum file against our local copy
+// to see if an update has been posted for 'iprepdata.txt.gz'.
+if (suricata_check_iprep_md5("iprepdata.txt.gz")) {
+ log_error(gettext("[Suricata] An updated IPREP 'iprepdata.txt' file is available...downloading new file."));
+ if (download_file("{$et_iqrisk_url}iprepdata.txt.gz", "{$iqRisk_tmppath}iprepdata.txt.gz") != true)
+ log_error(gettext("[Suricata] An error occurred downloading the 'iprepdata.txt.gz' file for IQRisk."));
+ else {
+ // If the files downloaded successfully, unpack them and store
+ // the list files in the SURICATA_IPREP_PATH directory.
+ if (file_exists("{$iqRisk_tmppath}iprepdata.txt.gz") && file_exists("{$iqRisk_tmppath}iprepdata.txt.gz.md5")) {
+ $new_md5 = file_get_contents("{$iqRisk_tmppath}iprepdata.txt.gz.md5");
+ if ($new_md5 == trim(md5_file("{$iqRisk_tmppath}iprepdata.txt.gz"))) {
+ mwexec("/usr/bin/gunzip -f {$iqRisk_tmppath}iprepdata.txt.gz");
+ @rename("{$iqRisk_tmppath}iprepdata.txt", "{$iprep_path}iprepdata.txt");
+ @rename("{$iqRisk_tmppath}iprepdata.txt.gz.md5", "{$iprep_path}iprepdata.txt.gz.md5");
+ $success = TRUE;
+ log_error(gettext("[Suricata] Successfully updated IPREP file 'iprepdata.txt'."));
+ }
+ else
+ log_error(gettext("[Suricata] MD5 integrity check of downloaded 'iprepdata.txt.gz' file failed! Skipping update of this IPREP file."));
+ }
+ }
+}
+
+// Cleanup the tmp directory path
+rmdir_recursive("$iqRisk_tmppath");
+
+log_error(gettext("[Suricata] Emerging Threats IQRisk IP List update finished."));
+
+// If successful, signal any running Suricata process to live reload the rules and IP lists
+if ($success == TRUE && is_process_running("suricata")) {
+ foreach ($config['installedpackages']['suricata']['rule'] as $value) {
+ if ($value['enable_iprep'] == "on") {
+ suricata_reload_config($value);
+ sleep(2);
+ }
+ }
+}
+
+?>
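Review bot: None of the three `download_file()` calls for IQRisk (the `.md5sum`, `categories.txt` and `iprepdata.txt.gz`) passes the `$verify_ssl` argument, and the compatibility shim above defaults it to `false` (`CURLOPT_SSL_VERIFYPEER` off) while also following redirects, so on 2.1.x — and on 2.2 too if the native function has the same default — the HTTPS endpoint is fetched without certificate validation. Because the URL carries the subscriber code and the only integrity check is an MD5 retrieved over that same connection, an on-path attacker can both harvest the code and feed arbitrary IP reputation data to Suricata; pass `true` as the third argument in all three calls, e.g. `download_file("{$et_iqrisk_url}{$filename}.md5sum", "{$iqRisk_tmppath}{$filename}.md5", true)`. A second problem is that the result is tested with `== true` / `!= true`: the shim returns the HTTP status code on failure, and a non-zero integer such as 404 is loosely equal to `true`, so HTTP errors are treated as success and an error body is read as the checksum — use `=== true` / `!== true`. Finally, `$new_md5 == trim(md5_file(...))` trims the wrong operand; `md5_file()` never contains whitespace, while the `.md5sum` contents read with `file_get_contents()` likely end in a newline, so compare with `trim($new_md5) === md5_file(...)` instead.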
diff --git a/config/suricata/suricata_flow_stream.php b/config/suricata/suricata_flow_stream.php
index 53c4e010..9467ea7c 100644
--- a/config/suricata/suricata_flow_stream.php
+++ b/config/suricata/suricata_flow_stream.php
@@ -467,6 +467,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td>';
@@ -479,6 +480,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_generate_yaml.php b/config/suricata/suricata_generate_yaml.php
index 8e3e538c..328702b9 100644
--- a/config/suricata/suricata_generate_yaml.php
+++ b/config/suricata/suricata_generate_yaml.php
@@ -53,13 +53,6 @@ foreach ($config_files as $file) {
@copy("{$suricatadir}{$file}", "{$suricatacfgdir}/{$file}");
}
-// Create required files if they don't exist
-$suricata_files = array( "{$suricatacfgdir}/magic" );
-foreach ($suricata_files as $file) {
- if (!file_exists($file))
- file_put_contents($file, "\n");
-}
-
// Read the configuration parameters for the passed interface
// and construct appropriate string variables for use in the
// suricata.yaml template include file.
@@ -540,9 +533,10 @@ else
// Add the OS-specific host policies if configured, otherwise
// just set default to BSD for all networks.
+$host_os_policy = "";
if (!is_array($suricatacfg['host_os_policy']['item']))
$suricatacfg['host_os_policy']['item'] = array();
-if (empty($suricatacfg['host_os_policy']['item']))
+if (count($suricatacfg['host_os_policy']['item']) < 1)
$host_os_policy = "bsd: [0.0.0.0/0]";
else {
foreach ($suricatacfg['host_os_policy']['item'] as $k => $v) {
@@ -580,10 +574,12 @@ else {
// Add the HTTP Server-specific policies if configured, otherwise
// just set default to IDS for all networks.
+$http_hosts_policy = "";
+$http_hosts_default_policy = "";
if (!is_array($suricatacfg['libhtp_policy']['item']))
$suricatacfg['libhtp_policy']['item'] = array();
-if (empty($suricatacfg['libhtp_policy']['item'])) {
- $http_hosts_default_policy = "default-config:\n personality: IDS\n request-body-limit: 4096\n response-body-limit: 4096\n";
+if (count($suricatacfg['libhtp_policy']['item']) < 1) {
+ $http_hosts_default_policy = " personality: IDS\n request-body-limit: 4096\n response-body-limit: 4096\n";
$http_hosts_default_policy .= " double-decode-path: no\n double-decode-query: no\n uri-include-all: no\n";
}
else {
@@ -705,15 +701,41 @@ else
$http_parser_memcap = "67108864";
/* Configure the IP REP section */
-$iprep_path = rtrim(IPREP_PATH, '/');
+$iprep_path = rtrim(SURICATA_IPREP_PATH, '/');
+$iprep_config = "# IP Reputation\n";
+if ($suricatacfg['enable_iprep'] == "on") {
+ $iprep_config .= "default-reputation-path: {$iprep_path}\n";
+ $iprep_config .= "reputation-categories-file: {$iprep_path}/{$suricatacfg['iprep_catlist']}\n";
+ $iprep_config .= "reputation-files:";
+
+ if (!is_array($suricatacfg['iplist_files']['item']))
+ $suricatacfg['iplist_files']['item'] = array();
+
+ foreach ($suricatacfg['iplist_files']['item'] as $f)
+ $iprep_config .= "\n - $f";
+}
+
+/* Configure Host Table settings */
+if (!empty($suricatacfg['host_memcap']))
+ $host_memcap = $suricatacfg['host_memcap'];
+else
+ $host_memcap = "16777216";
+if (!empty($suricatacfg['host_hash_size']))
+ $host_hash_size = $suricatacfg['host_hash_size'];
+else
+ $host_hash_size = "4096";
+if (!empty($suricatacfg['host_prealloc']))
+ $host_prealloc = $suricatacfg['host_prealloc'];
+else
+ $host_prealloc = "1000";
// Create the rules files and save in the interface directory
suricata_prepare_rule_files($suricatacfg, $suricatacfgdir);
// Check and configure only non-empty rules files for the interface
$rules_files = "";
-if (filesize("{$suricatacfgdir}/rules/".ENFORCING_RULES_FILENAME) > 0)
- $rules_files .= ENFORCING_RULES_FILENAME;
+if (filesize("{$suricatacfgdir}/rules/".SURICATA_ENFORCING_RULES_FILENAME) > 0)
+ $rules_files .= SURICATA_ENFORCING_RULES_FILENAME;
if (filesize("{$suricatacfgdir}/rules/".FLOWBITS_FILENAME) > 0)
$rules_files .= "\n - " . FLOWBITS_FILENAME;
if (filesize("{$suricatacfgdir}/rules/custom.rules") > 0)
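Review bot: The category file name and the reputation file names are interpolated into the YAML unquoted on lines 18914 and 18921, so a name containing `:`, `#` or a leading `-` corrupts suricata.yaml for that interface; since these names originate from files an administrator uploads, quote them, e.g. `$iprep_config .= "\n - \"" . addcslashes($f, "\"\\") . "\"";`. Also, when `iplist_files` has no entries the key `reputation-files:` is still written with nothing under it, which Suricata may read as a null value rather than an empty list (I cannot confirm its handling from here); only emit the key when the list is non-empty. The host table settings on lines 18925-18936 fall back to defaults on empty values but do not check that a stored value is numeric, so a non-numeric value is carried into the YAML verbatim.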
diff --git a/config/suricata/suricata_geoipupdate.php b/config/suricata/suricata_geoipupdate.php
new file mode 100644
index 00000000..46e1177e
--- /dev/null
+++ b/config/suricata/suricata_geoipupdate.php
@@ -0,0 +1,137 @@
+<?php
+/*
+ * suricata_geoipupdate.php
+ *
+ * Significant portions of this code are based on original work done
+ * for the Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for Suricata by:
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+*/
+
+/* This product includes GeoLite data created by MaxMind, available from
+ * http://www.maxmind.com
+*/
+
+require_once("config.inc");
+require_once("functions.inc");
+require("/usr/local/pkg/suricata/suricata_defs.inc");
+
+/*************************************************************************
+ * Hack for backwards compatibility with older 2.1.x pfSense versions *
+ * that did not contain the new "download_file()" utility function *
+ * present in 2.2 and higher. *
+ *************************************************************************/
+if(!function_exists("download_file")) {
+ function download_file($url, $destination, $verify_ssl = false, $connect_timeout = 60, $timeout = 0) {
+ global $config, $g;
+
+ $fp = fopen($destination, "wb");
+
+ if (!$fp)
+ return false;
+
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_URL, $url);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, $verify_ssl);
+ curl_setopt($ch, CURLOPT_FILE, $fp);
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $connect_timeout);
+ curl_setopt($ch, CURLOPT_TIMEOUT, $timeout);
+ curl_setopt($ch, CURLOPT_HEADER, false);
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
+ curl_setopt($ch, CURLOPT_USERAGENT, $g['product_name'] . '/' . rtrim(file_get_contents("/etc/version")));
+
+ if (!empty($config['system']['proxyurl'])) {
+ curl_setopt($ch, CURLOPT_PROXY, $config['system']['proxyurl']);
+ if (!empty($config['system']['proxyport']))
+ curl_setopt($ch, CURLOPT_PROXYPORT, $config['system']['proxyport']);
+ if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) {
+ @curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY | CURLAUTH_ANYSAFE);
+ curl_setopt($ch, CURLOPT_PROXYUSERPWD, "{$config['system']['proxyuser']}:{$config['system']['proxypass']}");
+ }
+ }
+
+ @curl_exec($ch);
+ $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+ fclose($fp);
+ curl_close($ch);
+ return ($http_code == 200) ? true : $http_code;
+ }
+}
+
+/**********************************************************************
+ * Start of main code *
+ **********************************************************************/
+global $g, $config;
+$suricata_geoip_dbdir = SURICATA_PBI_BASEDIR . 'share/GeoIP/';
+$geoip_tmppath = "{$g['tmp_path']}/geoipup/";
+
+// If auto-updates of GeoIP are disabled, then exit
+if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == "off")
+ exit(0);
+else
+ log_error(gettext("[Suricata] Updating the GeoIP country database files..."));
+
+
+// Download the free GeoIP Legacy country name databases for IPv4 and IPv6
+// to a temporary location.
+safe_mkdir("$geoip_tmppath");
+if (download_file("http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz", "{$geoip_tmppath}GeoIP.dat.gz") != true)
+ log_error(gettext("[Suricata] An error occurred downloading the 'GeoIP.dat.gz' update file for GeoIP."));
+if (download_file("http://geolite.maxmind.com/download/geoip/database/GeoIPv6.dat.gz", "{$geoip_tmppath}GeoIPv6.dat.gz") != true)
+ log_error(gettext("[Suricata] An error occurred downloading the 'GeoIPv6.dat.gz' update file for GeoIP."));
+
+// Mount filesystem read-write since we need to write
+// the extracted databases to PBI_BASE/share/GeoIP.
+conf_mount_rw();
+
+// If the files downloaded successfully, unpack them and store
+// the DB files in the PBI_BASE/share/GeoIP directory.
+if (file_exists("{$geoip_tmppath}GeoIP.dat.gz")) {
+ mwexec("/usr/bin/gunzip -f {$geoip_tmppath}GeoIP.dat.gz");
+ @rename("{$geoip_tmppath}GeoIP.dat", "{$suricata_geoip_dbdir}GeoIP.dat");
+}
+
+if (file_exists("{$geoip_tmppath}GeoIPv6.dat.gz")) {
+ mwexec("/usr/bin/gunzip -f {$geoip_tmppath}GeoIPv6.dat.gz");
+ @rename("{$geoip_tmppath}GeoIPv6.dat", "{$suricata_geoip_dbdir}GeoIPv6.dat");
+}
+
+// Finished with filesystem mods, so remount read-only
+conf_mount_ro();
+
+// Cleanup the tmp directory path
+rmdir_recursive("$geoip_tmppath");
+
+log_error(gettext("[Suricata] GeoIP database update finished."));
+
+?>
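Review bot: The `!= true` checks on lines 19061 and 19063 cannot detect an HTTP error, because the fallback download_file() on line 19040 returns the numeric status code on a non-200 response and PHP's loose comparison turns any non-zero integer into true; compare strictly, `if (download_file(...) !== true)`, and the same applies to the IQRisk updater's call on line 18808 (assuming the native pfSense download_file() has the same return convention, which is not visible here). Further, download_file() opens the destination with fopen() before fetching, so the `file_exists()` gates on lines 19072 and 19077 are satisfied even after a failed download and the empty or partial file is gunzipped and `@rename`d over the live database; keep the download result, e.g. `$ipv4_ok = (download_file(...) === true);`, and gate the unpack on it together with the mwexec() exit status. Unlike the IQRisk updater, nothing verifies what was fetched over plain http before it replaces GeoIP.dat, so a checksum, or at least a `gunzip -t` step before the rename, would be worth adding.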
diff --git a/config/suricata/suricata_global.php b/config/suricata/suricata_global.php
index 5f01a660..eb657465 100644
--- a/config/suricata/suricata_global.php
+++ b/config/suricata/suricata_global.php
@@ -66,6 +66,7 @@ else {
$pconfig['forcekeepsettings'] = $config['installedpackages']['suricata']['config'][0]['forcekeepsettings'];
$pconfig['snortcommunityrules'] = $config['installedpackages']['suricata']['config'][0]['snortcommunityrules'];
$pconfig['snort_rules_file'] = $config['installedpackages']['suricata']['config'][0]['snort_rules_file'];
+ $pconfig['autogeoipupdate'] = $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'];
}
// Do input validation on parameters
@@ -97,6 +98,7 @@ if (!$input_errors) {
$config['installedpackages']['suricata']['config'][0]['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['enable_etopen_rules'] = $_POST['enable_etopen_rules'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['enable_etpro_rules'] = $_POST['enable_etpro_rules'] ? 'on' : 'off';
+ $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = $_POST['autogeoipupdate'] ? 'on' : 'off';
// If any rule sets are being turned off, then remove them
// from the active rules section of each interface. Start
@@ -140,12 +142,14 @@ if (!$input_errors) {
$config['installedpackages']['suricata']['config'][0]['autoruleupdate'] = $_POST['autoruleupdate'];
/* Check and adjust format of Rule Update Starttime string to add colon and leading zero if necessary */
- $pos = strpos($_POST['autoruleupdatetime'], ":");
- if ($pos === false) {
- $tmp = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT);
- $_POST['autoruleupdatetime'] = substr($tmp, 0, 2) . ":" . substr($tmp, -2);
+ if ($_POST['autoruleupdatetime']) {
+ $pos = strpos($_POST['autoruleupdatetime'], ":");
+ if ($pos === false) {
+ $tmp = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT);
+ $_POST['autoruleupdatetime'] = substr($tmp, 0, 2) . ":" . substr($tmp, -2);
+ }
+ $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime'] = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT);
}
- $config['installedpackages']['suricata']['config'][0]['autoruleupdatetime'] = str_pad($_POST['autoruleupdatetime'], 4, "0", STR_PAD_LEFT);
$config['installedpackages']['suricata']['config'][0]['log_to_systemlog'] = $_POST['log_to_systemlog'] ? 'on' : 'off';
$config['installedpackages']['suricata']['config'][0]['log_to_systemlog_facility'] = $_POST['log_to_systemlog_facility'];
$config['installedpackages']['suricata']['config'][0]['live_swap_updates'] = $_POST['live_swap_updates'] ? 'on' : 'off';
@@ -153,10 +157,20 @@ if (!$input_errors) {
$retval = 0;
+ write_config("Suricata pkg: modified global settings.");
+
+ /* Toggle cron task for GeoIP database updates if setting was changed */
+ if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == 'on' && !suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_geoipupdate.php")) {
+ include("/usr/local/pkg/suricata/suricata_geoipupdate.php");
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root");
+ }
+ elseif ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] == 'off' && suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_geoipupdate.php"))
+ install_cron_job("/usr/local/pkg/suricata/suricata_geoipupdate.php", FALSE);
+
/* create passlist and homenet file, then sync files */
+ conf_mount_rw();
sync_suricata_package_config();
-
- write_config("Suricata pkg: modified global settings.");
+ conf_mount_ro();
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
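Review bot: The `include()` on line 19134 executes the whole updater inline in the save request: the included script downloads both databases, remounts the filesystem and deletes the tmp directory before control returns, and with the fallback download_file()'s CURLOPT_TIMEOUT of 0 that wait is unbounded. If an immediate first update is wanted, launch it in the background with the same command the cron entry uses rather than including it, and otherwise let the cron job own the work. Note also that the removal on line 19138 passes only the script path while the install on line 19135 registered the full nice/php command; this relies on install_cron_job() matching by substring, which I cannot confirm from here.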
@@ -202,6 +216,7 @@ if ($input_errors)
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -348,6 +363,15 @@ if ($input_errors)
"If issues are encountered with live load, uncheck this option to perform a hard restart of all Suricata instances following an update."); ?></td>
</tr>
<tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("GeoIP DB Update"); ?></td>
+ <td width="78%" class="vtable"><input name="autogeoipupdate" id="autogeoipupdate" type="checkbox" value="yes"
+ <?php if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate']=="on") echo " checked"; ?>/>
+ &nbsp;<?php echo gettext("Enable downloading of free GeoIP Country Database updates. Default is ") . "<strong>" . gettext("Checked") . "</strong>"; ?><br/><br/>
+ <?php echo gettext("When enabled, Suricata will automatically download updates for the free legacy GeoIP country database on the 8th of each month at midnight.") .
+ "<br/><br/>" . gettext("If you have a subscription for more current GeoIP updates, uncheck this option and instead create your own process to place the required database files in " .
+ SURICATA_PBI_BASEDIR . "share/GeoIP/."); ?></td>
+</tr>
+<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
<tr>
diff --git a/config/suricata/suricata_interfaces.php b/config/suricata/suricata_interfaces.php
index 3d093d45..e996a24f 100644
--- a/config/suricata/suricata_interfaces.php
+++ b/config/suricata/suricata_interfaces.php
@@ -68,8 +68,8 @@ if ($_POST['del_x']) {
$if_real = get_real_interface($a_nat[$rulei]['interface']);
$suricata_uuid = $a_nat[$rulei]['uuid'];
suricata_stop($a_nat[$rulei], $if_real);
- exec("/bin/rm -r {$suricatalogdir}suricata_{$if_real}{$suricata_uuid}");
- exec("/bin/rm -r {$suricatadir}suricata_{$suricata_uuid}_{$if_real}");
+ rmdir_recursive("{$suricatalogdir}suricata_{$if_real}{$suricata_uuid}");
+ rmdir_recursive("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}");
unset($a_nat[$rulei]);
}
conf_mount_ro();
@@ -81,16 +81,9 @@ if ($_POST['del_x']) {
write_config("Suricata pkg: deleted one or more Suricata interfaces.");
sleep(2);
- /* if there are no ifaces remaining do not create suricata.sh */
- if (!empty($config['installedpackages']['suricata']['rule']))
- suricata_create_rc();
- else {
- conf_mount_rw();
- @unlink("{$rcdir}suricata.sh");
- conf_mount_ro();
- }
-
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -110,7 +103,9 @@ if ($_POST['bartoggle']) {
if (!suricata_is_running($suricatacfg['uuid'], $if_real, 'barnyard2')) {
log_error("Toggle (barnyard starting) for {$if_friendly}({$suricatacfg['descr']})...");
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
suricata_barnyard_start($suricatacfg, $if_real);
} else {
log_error("Toggle (barnyard stopping) for {$if_friendly}({$suricatacfg['descr']})...");
@@ -135,7 +130,9 @@ if ($_POST['toggle']) {
log_error("Toggle (suricata starting) for {$if_friendly}({$suricatacfg['descr']})...");
// set flag to rebuild interface rules before starting Snort
$rebuild_rules = true;
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
$rebuild_rules = false;
suricata_start($suricatacfg, $if_real);
}
@@ -185,6 +182,7 @@ include_once("head.inc");
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/suricata/suricata_interfaces_edit.php b/config/suricata/suricata_interfaces_edit.php
index c4a1775a..13526031 100644
--- a/config/suricata/suricata_interfaces_edit.php
+++ b/config/suricata/suricata_interfaces_edit.php
@@ -223,7 +223,9 @@ if ($_POST["save"] && !$input_errors) {
suricata_stop($a_rule[$id], get_real_interface($a_rule[$id]['interface']));
write_config("Suricata pkg: disabled Suricata on " . convert_friendly_interface_to_friendly_descr($a_rule[$id]['interface']));
$rebuild_rules = false;
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
header( 'Cache-Control: no-store, no-cache, must-revalidate' );
@@ -316,9 +318,9 @@ if ($_POST["save"] && !$input_errors) {
}
else
$suricata_start = false;
- exec("mv -f {$suricatalogdir}suricata_{$oif_real}" . $a_rule[$id]['uuid'] . " {$suricatalogdir}suricata_{$if_real}" . $a_rule[$id]['uuid']);
+ @rename("{$suricatalogdir}suricata_{$oif_real}{$a_rule[$id]['uuid']}", "{$suricatalogdir}suricata_{$if_real}{$a_rule[$id]['uuid']}");
conf_mount_rw();
- exec("mv -f {$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$oif_real} {$suricatadir}suricata_" . $a_rule[$id]['uuid'] . "_{$if_real}");
+ @rename("{$suricatadir}suricata_{$a_rule[$id]['uuid']}_{$oif_real}", "{$suricatadir}suricata_{$a_rule[$id]['uuid']}_{$if_real}");
conf_mount_ro();
}
$a_rule[$id] = $natent;
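Review bot: Replacing `exec("mv -f …")` with `@rename()` on lines 19250 and 19253 removes the shell from the path, but the `@` hides the only signal that the move failed and leaves the interface pointing at a directory that no longer exists. Test the return value, e.g. `if (!@rename($old, $new)) log_error("[Suricata] Failed to rename {$old} to {$new}");`, for both calls. The first rename still runs before conf_mount_rw(), as the original mv did, so it presumably targets an always-writable filesystem; worth confirming for NanoBSD installs.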
@@ -392,6 +394,11 @@ if ($_POST["save"] && !$input_errors) {
$natent['smb_parser'] = "yes";
$natent['msn_parser'] = "detection-only";
+ $natent['enable_iprep'] = "off";
+ $natent['host_memcap'] = "16777216";
+ $natent['host_hash_size'] = "4096";
+ $natent['host_prealloc'] = "1000";
+
$default = array( "name" => "default", "bind_to" => "all", "policy" => "bsd" );
if (!is_array($natent['host_os_policy']['item']))
$natent['host_os_policy']['item'] = array();
@@ -423,7 +430,9 @@ if ($_POST["save"] && !$input_errors) {
write_config("Suricata pkg: modified interface configuration for " . convert_friendly_interface_to_friendly_descr($natent['interface']));
// Update suricata.conf and suricata.sh files for this interface
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
header( 'Last-Modified: ' . gmdate( 'D, d M Y H:i:s' ) . ' GMT' );
@@ -473,6 +482,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -485,6 +495,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_ip_list_mgmt.php b/config/suricata/suricata_ip_list_mgmt.php
new file mode 100644
index 00000000..ee3a7009
--- /dev/null
+++ b/config/suricata/suricata_ip_list_mgmt.php
@@ -0,0 +1,393 @@
+<?php
+/*
+ * suricata_ip_list_mgmt.php
+ *
+ * Significant portions of this code are based on original work done
+ * for the Snort package for pfSense from the following contributors:
+ *
+ * Copyright (C) 2005 Bill Marquette <bill.marquette@gmail.com>.
+ * Copyright (C) 2003-2004 Manuel Kasper <mk@neon1.net>.
+ * Copyright (C) 2006 Scott Ullrich
+ * Copyright (C) 2009 Robert Zelaya Sr. Developer
+ * Copyright (C) 2012 Ermal Luci
+ * All rights reserved.
+ *
+ * Adapted for Suricata by:
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/suricata/suricata.inc");
+
+global $config, $g;
+
+if (!is_array($config['installedpackages']['suricata']['rule']))
+ $config['installedpackages']['suricata']['rule'] = array();
+
+// Hard-code the path where IP Lists are stored
+// and disregard any user-supplied path element.
+$iprep_path = SURICATA_IPREP_PATH;
+
+// Set default to not show IP List editor controls
+$iplist_edit_style = "display: none;";
+
+function suricata_is_iplist_active($iplist) {
+
+ /***************************************************
+ * This function checks all configured Suricata *
+ * interfaces to see if the passed IP List is used *
+ * as a whitelist or blacklist by an interface. *
+ * *
+ * Returns: TRUE if IP List is in use *
+ * FALSE if IP List is not in use *
+ ***************************************************/
+
+ global $g, $config;
+
+ if (!is_array($config['installedpackages']['suricata']['rule']))
+ return FALSE;
+
+ foreach ($config['installedpackages']['suricata']['rule'] as $rule) {
+ if (is_array($rule['iplist_files']['item'])) {
+ foreach ($rule['iplist_files']['item'] as $file) {
+ if ($file == $iplist)
+ return TRUE;
+ }
+ }
+ }
+ return FALSE;
+}
+
+// If doing a postback, used typed values, else load from stored config
+if (!empty($_POST)) {
+ $pconfig = $_POST;
+}
+else {
+ $pconfig['et_iqrisk_enable'] = $config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'];
+ $pconfig['iqrisk_code'] = $config['installedpackages']['suricata']['config'][0]['iqrisk_code'];
+}
+
+// Validate IQRisk settings if enabled and saving them
+if ($_POST['save']) {
+ if ($pconfig['et_iqrisk_enable'] == 'on' && empty($pconfig['iqrisk_code']))
+ $input_errors[] = gettext("You must provide a valid IQRisk subscription code when IQRisk downloads are enabled!");
+
+ if (!$input_errors) {
+ $config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] = $_POST['et_iqrisk_enable'] ? 'on' : 'off';
+ $config['installedpackages']['suricata']['config'][0]['iqrisk_code'] = $_POST['iqrisk_code'];
+ write_config("Suricata pkg: modified IP Lists settings.");
+
+ /* Toggle cron task for ET IQRisk updates if setting was changed */
+ if ($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] == 'on' && !suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_etiqrisk_update.php")) {
+ include("/usr/local/pkg/suricata/suricata_etiqrisk_update.php");
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_etiqrisk_update.php", TRUE, 0, 0, "*", "*", "*", "root");
+ }
+ elseif ($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] == 'off' && suricata_cron_job_exists("/usr/local/pkg/suricata/suricata_etiqrisk_update.php"))
+ install_cron_job("/usr/local/pkg/suricata/suricata_etiqrisk_update.php", FALSE);
+ }
+}
+
+if (isset($_POST['upload'])) {
+ if ($_FILES["iprep_fileup"]["error"] == UPLOAD_ERR_OK) {
+ $tmp_name = $_FILES["iprep_fileup"]["tmp_name"];
+ $name = $_FILES["iprep_fileup"]["name"];
+ move_uploaded_file($tmp_name, "{$iprep_path}{$name}");
+ }
+ else
+ $input_errors[] = gettext("Failed to upload file {$_FILES["iprep_fileup"]["name"]}");
+}
+
+if (isset($_POST['iplist_delete']) && isset($_POST['iplist_fname'])) {
+ if (!suricata_is_iplist_active($_POST['iplist_fname']))
+ unlink_if_exists("{$iprep_path}{$_POST['iplist_fname']}");
+ else
+ $input_errors[] = gettext("This IP List is currently assigned to an interface and cannot be deleted until it is removed from the configured interface.");
+}
+
+if (isset($_POST['iplist_edit']) && isset($_POST['iplist_fname'])) {
+ $file = $iprep_path . basename($_POST['iplist_fname']);
+ $data = file_get_contents($file);
+ if ($data !== FALSE) {
+ $iplist_data = htmlspecialchars($data);
+ $iplist_edit_style = "display: table-row-group;";
+ $iplist_name = basename($_POST['iplist_fname']);
+ unset($data);
+ }
+ else {
+ $input_errors[] = gettext("An error occurred reading the file.");
+ }
+}
+
+if (isset($_POST['iplist_edit_save']) && isset($_POST['iplist_data'])) {
+ if (strlen(basename($_POST['iplist_name'])) > 0) {
+ $file = $iprep_path . basename($_POST['iplist_name']);
+ $data = str_replace("\r\n", "\n", $_POST['iplist_data']);
+ file_put_contents($file, $data);
+ unset($data);
+ }
+ else {
+ $input_errors[] = gettext("You must provide a valid filename for the IP List.");
+ $iplist_edit_style = "display: table-row-group;";
+ }
+}
+
+// Get all files in the IP Lists sub-directory as an array
+// Leave this as the last thing before spewing the page HTML
+// so we can pick up any changes made to files in code above.
+$ipfiles = return_dir_as_array($iprep_path);
+
+$pgtitle = gettext("Suricata: IP Reputation Lists");
+include_once("head.inc");
+
+?>
+
+<body link="#000000" vlink="#000000" alink="#000000">
+
+<?php
+include_once("fbegin.inc");
+if ($input_errors) {
+ print_input_errors($input_errors);
+}
+
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="/suricata/suricata_ip_list_mgmt.php" enctype="multipart/form-data" method="post" name="iform" id="iform">
+<input type="hidden" name="MAX_FILE_SIZE" value="100000000" />
+<input type="hidden" name="iplist_fname" id="iplist_fname" value=""/>
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+<tbody>
+<tr><td>
+<?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Interfaces"), false, "/suricata/suricata_interfaces.php");
+ $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php");
+ $tab_array[] = array(gettext("Updates"), false, "/suricata/suricata_download_updates.php");
+ $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
+ $tab_array[] = array(gettext("Blocks"), false, "/suricata/suricata_blocked.php");
+ $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php");
+ $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
+ $tab_array[] = array(gettext("Logs View"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
+ $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
+ $tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
+ $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), true, "/suricata/suricata_ip_list_mgmt.php");
+ display_top_tabs($tab_array, true);
+?>
+</td>
+</tr>
+<tr>
+ <td>
+ <div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("IP Reputation is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("Emerging Threats IQRisk Settings"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top"><?php echo gettext("Enable"); ?></td>
+ <td width="78%">
+ <input id="et_iqrisk_enable" name="et_iqrisk_enable" type="checkbox" value="on" <?php if ($pconfig['et_iqrisk_enable'] == "on") echo "checked"; ?> onclick="IQRisk_enablechange();"/>
+ <?php echo gettext("Checking this box enables auto-download of IQRisk List updates with a valid subscription code."); ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%"></td>
+ <td width="78%">
+ <table id="iqrisk_code_tbl" width="100%" border="0" cellpadding="2" cellspacing="0">
+ <tbody>
+ <tr>
+ <td colspan="2" class="vexpl"><?=gettext("IQRisk IP lists will auto-update nightly at midnight. Visit ") .
+ "<a href='http://emergingthreats.net/products/iqrisk-rep-list/' target='_blank'>" . gettext("http://emergingthreats.net/products/iqrisk-rep-list/") . "</a>" .
+ gettext(" for more information or to purchase a subscription.");?><br/><br/></td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("IQRisk Subscription Configuration"); ?></span></b></td>
+ </tr>
+ <tr>
+ <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td>
+ <td><input name="iqrisk_code" type="text" class="formfld unknown" id="iqrisk_code" size="52"
+ value="<?=htmlspecialchars($pconfig['iqrisk_code']);?>"/><br/>
+ <?php echo gettext("Obtain an Emerging Threats IQRisk List subscription code and paste it here."); ?></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" align="center"><input name="save" id="save" type="submit" class="formbtn" value="Save" title="<?=gettext("Save IQRisk settings");?>"/></td>
+ </tr>
+ <tr>
+ <td colspan="2" class="vtable"></td>
+ </tr>
+ <tr>
+ <td colspan="2" class="listtopic"><?=gettext("IP Reputation List Files Management");?>
+ </td>
+ </tr>
+ <tbody id="uploader" style="display: none;">
+ <tr>
+ <td colspan="2" class="list"><br/><?php echo gettext("Click BROWSE to select a file to import, and then click UPLOAD. Click CLOSE to quit."); ?></td>
+ </tr>
+ <tr>
+ <td colspan="2" class="list"><input type="file" name="iprep_fileup" id="iprep_fileup" class="formfld file" size="50" />
+ &nbsp;&nbsp;<input type="submit" name="upload" id="upload" value="<?=gettext("Upload");?>"
+ title="<?=gettext("Upload selected IP list to firewall");?>"/>&nbsp;&nbsp;<input type="button"
+ value="<?=gettext("Close");?>" onClick="document.getElementById('uploader').style.display='none';" /></td>
+ </tr>
+ </tbody>
+ <tr>
+ <td colspan="2">
+ <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
+ <colgroup>
+ <col style="width: 50%;">
+ <col style="width: 25%;">
+ <col style="width: 15%;">
+ <col style="width: 10%;">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"><?php echo gettext("IP List File Name"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Last Modified Time"); ?></th>
+ <th class="listhdrr"><?php echo gettext("File Size"); ?></th>
+ <th class="list" align="left"><img style="cursor:pointer;" name="iplist_new" id="iplist_new"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Create a new IP List');?>"
+ onClick="document.getElementById('iplist_data').value=''; document.getElementById('iplist_name').value=''; document.getElementById('iplist_editor').style.display='table-row-group'; document.getElementById('iplist_name').focus();" />
+ <img style="cursor:pointer;" name="iplist_import" id="iplist_import"
+ onClick="document.getElementById('uploader').style.display='table-row-group';"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_import_alias.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Import/Upload an IP List');?>"/></th>
+ </tr>
+ </thead>
+ <?php foreach ($ipfiles as $file): ?>
+ <tr>
+ <td class="listr"><?php echo gettext($file); ?></td>
+ <td class="listr"><?=date('M-d Y g:i a', filemtime("{$iprep_path}{$file}")); ?></td>
+ <td class="listr"><?=format_bytes(filesize("{$iprep_path}{$file}")); ?> </td>
+ <td class="list"><input type="image" name="iplist_edit[]" id="iplist_edit[]"
+ onClick="document.getElementById('iplist_fname').value='<?=$file;?>';"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Edit this IP List');?>"/>
+ <input type="image" name="iplist_delete[]" id="iplist_delete[]"
+ onClick="document.getElementById('iplist_fname').value='<?=$file;?>';
+ return confirm('<?=gettext("Are you sure you want to permanently delete this IP List file? Click OK to continue or CANCEL to quit.");?>');"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Delete this IP List');?>"/></td>
+ </tr>
+ <?php endforeach; ?>
+ <tbody id="iplist_editor" style="<?=$iplist_edit_style;?>">
+ <tr>
+ <td colspan="4">&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="4"><strong><?=gettext("File Name: ");?></strong><input type="text" size="45" class="formfld file" id="iplist_name" name="iplist_name" value="<?=$iplist_name;?>" />
+ &nbsp;&nbsp;<input type="submit" id="iplist_edit_save" name="iplist_edit_save" value="<?=gettext(" Save ");?>" title="<?=gettext("Save changes and close editor");?>" />
+ &nbsp;&nbsp;<input type="button" id="cancel" name="cancel" value="<?=gettext("Cancel");?>" onClick="document.getElementById('iplist_editor').style.display='none';"
+ title="<?=gettext("Abandon changes and quit editor");?>" /></td>
+ </tr>
+ <tr>
+ <td colspan="4">&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="4"><textarea wrap="off" cols="80" rows="20" name="iplist_data" id="iplist_data"
+ style="width:95%; height:100%;"><?=$iplist_data;?></textarea>
+ </td>
+ </tr>
+ </tbody>
+ <tbody>
+ <tr>
+ <td colspan="3" class="vexpl"><br/><span class="red"><strong><?php echo gettext("Notes:"); ?></strong></span>
+ <br/><?php echo gettext("1. A Categories file is required and contains CSV fields for Category Number, Short Name " .
+ "and Description per line."); ?></td>
+ <td class="list"></td>
+ </tr>
+ <tr>
+ <td colspan="3" class="vexpl"><?php echo gettext("2. IP Lists are CSV format text files " .
+ "with an IP address, category code and reputation score per line."); ?></td>
+ <td class="list"></td>
+ </tr>
+ <tr>
+ <td colspan="3" class="vexpl"><?php echo gettext("3. IP Lists are stored as local files " .
+ "on the firewall and their contents are not saved as part of the firewall configuration file."); ?></td>
+ <td class="list"></td>
+ </tr>
+ <tr>
+ <td colspan="3" class="vexpl"><?php echo gettext("4. Visit ") .
+ "<a href='https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationFormat' target='_blank'>" .
+ gettext("https://redmine.openinfosecfoundation.org/projects/suricata/wiki/IPReputationFormat") . "</a>" .
+ gettext(" for IP Reputation file formats."); ?><br/></td>
+ <td class="list"></td>
+ </tr>
+ <tr>
+ <td colspan="3" class="vexpl"><br/><strong><?php echo gettext("IP List Controls:"); ?></strong><br/><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Opens the editor window to create a new IP List. You must provide a valid filename before saving.");?><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_import_alias.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Opens the file upload control for uploading a new IP List from your local machine.");?><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Opens the IP List in a text edit control for viewing or editing its contents.");?><br/>
+ &nbsp;&nbsp;<img src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" />
+ &nbsp;<?=gettext("Deletes the IP List from the file system after confirmation.");?></td>
+ <td class="list"></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <?php endif; ?>
+ </tbody>
+ </table>
+ </div>
+ </td>
+</tr>
+</tbody>
+</table>
+</form>
+<?php include("fend.inc"); ?>
+
+<script language="JavaScript">
+<!--
+
+function IQRisk_enablechange() {
+ var endis = !(document.iform.et_iqrisk_enable.checked);
+ if (endis)
+ document.getElementById("iqrisk_code_tbl").style.display = "none";
+ else
+ document.getElementById("iqrisk_code_tbl").style.display = "table";
+}
+
+// Initialize the form controls state based on saved settings
+IQRisk_enablechange();
+
+//-->
+</script>
+</body>
+</html>
diff --git a/config/suricata/suricata_ip_reputation.php b/config/suricata/suricata_ip_reputation.php
new file mode 100644
index 00000000..4615923a
--- /dev/null
+++ b/config/suricata/suricata_ip_reputation.php
@@ -0,0 +1,482 @@
+<?php
+/*
+ * suricata_ip_reputation.php
+ * part of pfSense
+ *
+ * Copyright (C) 2014 Bill Meeks
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ * this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/suricata/suricata.inc");
+
+global $g, $rebuild_rules;
+
+if (isset($_POST['id']) && is_numericint($_POST['id']))
+ $id = $_POST['id'];
+elseif (isset($_GET['id']) && is_numericint($_GET['id']))
+ $id = htmlspecialchars($_GET['id']);
+
+if (is_null($id)) {
+ header("Location: /suricata/suricata_interfaces.php");
+ exit;
+}
+
+if (!is_array($config['installedpackages']['suricata']['rule'])) {
+ $config['installedpackages']['suricata']['rule'] = array();
+}
+if (!is_array($config['installedpackages']['suricata']['rule'][$id]['iplist_files']['item'])) {
+ $config['installedpackages']['suricata']['rule'][$id]['iplist_files']['item'] = array();
+}
+
+$a_nat = &$config['installedpackages']['suricata']['rule'];
+
+// If doing a postback, used typed values, else load from stored config
+if (!empty($_POST)) {
+ $pconfig = $_POST;
+}
+else {
+ $pconfig = $a_nat[$id];
+}
+
+$iprep_path = SURICATA_IPREP_PATH;
+$if_real = get_real_interface($a_nat[$id]['interface']);
+$suricata_uuid = $config['installedpackages']['suricata']['rule'][$id]['uuid'];
+
+if ($_POST['mode'] == 'iprep_catlist_add' && isset($_POST['iplist'])) {
+ $pconfig = $_POST;
+
+ // Test the supplied IP List file to see if it exists
+ if (file_exists($_POST['iplist'])) {
+ if (!$input_errors) {
+ $a_nat[$id]['iprep_catlist'] = basename($_POST['iplist']);
+ write_config("Suricata pkg: added new IP Rep Categories file for IP REPUTATION preprocessor.");
+ mark_subsystem_dirty('suricata_iprep');
+ }
+ }
+ else
+ $input_errors[] = gettext("The file '{$_POST['iplist']}' could not be found.");
+
+ $pconfig['iprep_catlist'] = $a_nat[$id]['iprep_catlist'];
+ $pconfig['iplist_files'] = $a_nat[$id]['iplist_files'];
+}
+
+if ($_POST['mode'] == 'iplist_add' && isset($_POST['iplist'])) {
+ $pconfig = $_POST;
+
+ // Test the supplied IP List file to see if it exists
+ if (file_exists($_POST['iplist'])) {
+ // See if the file is already assigned to the interface
+ foreach ($a_nat[$id]['iplist_files']['item'] as $f) {
+ if ($f == basename($_POST['iplist'])) {
+ $input_errors[] = gettext("The file {$f} is already assigned as a whitelist file.");
+ break;
+ }
+ }
+ if (!$input_errors) {
+ $a_nat[$id]['iplist_files']['item'][] = basename($_POST['iplist']);
+ write_config("Suricata pkg: added new whitelist file for IP REPUTATION preprocessor.");
+ mark_subsystem_dirty('suricata_iprep');
+ }
+ }
+ else
+ $input_errors[] = gettext("The file '{$_POST['iplist']}' could not be found.");
+
+ $pconfig['iprep_catlist'] = $a_nat[$id]['iprep_catlist'];
+ $pconfig['iplist_files'] = $a_nat[$id]['iplist_files'];
+}
+
+if ($_POST['iprep_catlist_del']) {
+ $pconfig = $_POST;
+ unset($a_nat[$id]['iprep_catlist']);
+ write_config("Suricata pkg: deleted blacklist file for IP REPUTATION preprocessor.");
+ mark_subsystem_dirty('suricata_iprep');
+ $pconfig['iprep_catlist'] = $a_nat[$id]['iprep_catlist'];
+ $pconfig['iplist_files'] = $a_nat[$id]['iplist_files'];
+}
+
+if ($_POST['iplist_del'] && is_numericint($_POST['list_id'])) {
+ $pconfig = $_POST;
+ unset($a_nat[$id]['iplist_files']['item'][$_POST['list_id']]);
+ write_config("Suricata pkg: deleted whitelist file for IP REPUTATION preprocessor.");
+ mark_subsystem_dirty('suricata_iprep');
+ $pconfig['iplist_files'] = $a_nat[$id]['iplist_files'];
+ $pconfig['iprep_catlist'] = $a_nat[$id]['iprep_catlist'];
+}
+
+if ($_POST['save'] || $_POST['apply']) {
+
+ $pconfig['iprep_catlist'] = $a_nat[$id]['iprep_catlist'];
+ $pconfig['iplist_files'] = $a_nat[$id]['iplist_files'];
+
+ // Validate HOST TABLE values
+ if ($_POST['host_memcap'] < 1000000 || !is_numericint($_POST['host_memcap']))
+ $input_errors[] = gettext("The value for 'Host Memcap' must be a numeric integer greater than 1MB (1,048,576!");
+ if ($_POST['host_hash_size'] < 1024 || !is_numericint($_POST['host_hash_size']))
+ $input_errors[] = gettext("The value for 'Host Hash Size' must be a numeric integer greater than 1024!");
+ if ($_POST['host_prealloc'] < 10 || !is_numericint($_POST['host_prealloc']))
+ $input_errors[] = gettext("The value for 'Host Preallocations' must be a numeric integer greater than 10!");
+
+ // Validate CATEGORIES FILE
+ if ($_POST['enable_iprep'] == 'on') {
+ if (empty($a_nat[$id]['iprep_catlist']))
+ $input_errors[] = gettext("Assignment of a 'Categories File' is required when IP Reputation is enabled!");
+ }
+
+ // If no errors write to conf
+ if (!$input_errors) {
+
+ $a_nat[$id]['enable_iprep'] = $_POST['enable_iprep'] ? 'on' : 'off';
+ $a_nat[$id]['host_memcap'] = str_replace(",", "", $_POST['host_memcap']);
+ $a_nat[$id]['host_hash_size'] = str_replace(",", "", $_POST['host_hash_size']);
+ $a_nat[$id]['host_prealloc'] = str_replace(",", "", $_POST['host_prealloc']);
+
+ write_config("Suricata pkg: modified IP REPUTATION preprocessor settings for {$a_nat[$id]['interface']}.");
+
+ // Update the suricata conf file for this interface
+ $rebuild_rules = false;
+ conf_mount_rw();
+ suricata_generate_yaml($a_nat[$id]);
+ conf_mount_ro();
+
+ // Soft-restart Suricata to live-load new variables
+ suricata_reload_config($a_nat[$id]);
+
+ // We have saved changes and done a soft restart, so clear "dirty" flag
+ clear_subsystem_dirty('suricata_iprep');
+ }
+}
+
+$if_friendly = convert_friendly_interface_to_friendly_descr($a_nat[$id]['interface']);
+$pgtitle = gettext("Suricata: Interface {$if_friendly} IP Reputation Preprocessor");
+include_once("head.inc");
+
+?>
+<body link="#0000CC" vlink="#0000CC" alink="#0000CC">
+
+<?php
+include("fbegin.inc");
+/* Display Alert message */
+if ($input_errors)
+ print_input_errors($input_errors);
+if ($savemsg)
+ print_info_box($savemsg);
+?>
+
+<form action="suricata_ip_reputation.php" method="post" name="iform" id="iform" >
+<input name="id" type="hidden" value="<?=$id;?>" />
+<input type="hidden" id="mode" name="mode" value="" />
+<input name="iplist" id="iplist" type="hidden" value="" />
+<input name="list_id" id="list_id" type="hidden" value="" />
+
+<?php if (is_subsystem_dirty('suricata_iprep') && !$input_errors): ?><p>
+<?php print_info_box_np(gettext("A change has been made to IP List file assignments.") . "<br/>" . gettext("You must apply the change in order for it to take effect."));?>
+<?php endif; ?>
+
+<table width="100%" border="0" cellpadding="0" cellspacing="0">
+ <tbody>
+ <tr>
+ <td>
+ <?php
+ $tab_array = array();
+ $tab_array[] = array(gettext("Interfaces"), true, "/suricata/suricata_interfaces.php");
+ $tab_array[] = array(gettext("Global Settings"), false, "/suricata/suricata_global.php");
+ $tab_array[] = array(gettext("Updates"), false, "/suricata/suricata_download_updates.php");
+ $tab_array[] = array(gettext("Alerts"), false, "/suricata/suricata_alerts.php?instance={$id}");
+ $tab_array[] = array(gettext("Blocks"), false, "/suricata/suricata_blocked.php");
+ $tab_array[] = array(gettext("Pass Lists"), false, "/suricata/suricata_passlist.php");
+ $tab_array[] = array(gettext("Suppress"), false, "/suricata/suricata_suppress.php");
+ $tab_array[] = array(gettext("Logs View"), false, "/suricata/suricata_logs_browser.php?instance={$id}");
+ $tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
+ $tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
+ $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
+ display_top_tabs($tab_array, true);
+ echo '</td></tr>';
+ echo '<tr><td class="tabnavtbl">';
+ $tab_array = array();
+ $menu_iface=($if_friendly?substr($if_friendly,0,5)." ":"Iface ");
+ $tab_array[] = array($menu_iface . gettext("Settings"), false, "/suricata/suricata_interfaces_edit.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Categories"), false, "/suricata/suricata_rulesets.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Rules"), false, "/suricata/suricata_rules.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Flow/Stream"), false, "/suricata/suricata_flow_stream.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), true, "/suricata/suricata_ip_reputation.php?id={$id}");
+ display_top_tabs($tab_array, true);
+ ?>
+ </td>
+ </tr>
+ <tr>
+ <td><div id="mainarea">
+ <table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
+ <tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("IP Reputation is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("IP Reputation Configuration"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign='top' class='vncell'><?php echo gettext("Enable"); ?>
+ </td>
+ <td width="78%" class="vtable"><input name="enable_iprep" type="checkbox" value="on" <?php if ($pconfig['enable_iprep'] == "on") echo "checked"; ?>/>
+ <?php echo gettext("Use IP Reputation Lists on this interface. Default is ") . "<strong>" . gettext("Not Checked.") . "</strong>"; ?>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Memcap"); ?></td>
+ <td width="78%" class="vtable"><input name="host_memcap" type="text"
+ class="formfld unknown" id="host_memcap" size="8" value="<?=htmlspecialchars($pconfig['host_memcap']); ?>"/>&nbsp;
+ <?php echo gettext("Host table memory cap in bytes. Default is ") . "<strong>" .
+ gettext("16777216") . "</strong>" . gettext(" (16 MB). Min value is 1048576 (1 MB)."); ?><br/><br/><?php echo gettext("When using large IP Reputation Lists, this value may need to be increased " .
+ "to avoid exhausting Host Table memory.") ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Hash Size"); ?></td>
+ <td width="78%" class="vtable"><input name="host_hash_size" type="text"
+ class="formfld unknown" id="host_hash_size" size="8" value="<?=htmlspecialchars($pconfig['host_hash_size']); ?>"/>&nbsp;
+ <?php echo gettext("Host Hash Size in bytes. Default is ") . "<strong>" .
+ gettext("4096") . "</strong>" . gettext(". Min value is 1024."); ?><br/><br/><?php echo gettext("When using large IP Reputation Lists, this value may need to be increased."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?php echo gettext("Host Preallocations"); ?></td>
+ <td width="78%" class="vtable"><input name="host_prealloc" type="text"
+ class="formfld unknown" id="host_prealloc" size="8" value="<?=htmlspecialchars($pconfig['host_prealloc']); ?>"/>&nbsp;
+ <?php echo gettext("Number of Host Table entries to preallocate. Default is ") . "<strong>" .
+ gettext("1000") . "</strong>" . gettext(". Min value is 10."); ?><br/><br/><?php echo gettext("Increasing this value may slightly improve performance when using large IP Reputation Lists."); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell">&nbsp;</td>
+ <td width="78%" class="vtable">
+ <input name="save" type="submit" class="formbtn" value="Save" title="<?=gettext("Save IP Reputation configuration");?>" />
+ &nbsp;&nbsp;<?=gettext("Click to save configuration settings and live-reload the running Suricata configuration.");?>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Assign Categories File"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign='top' class='vncell'><?php echo gettext("Categories File"); ?>
+ </td>
+ <td width="78%" class="vtable">
+ <!-- iprep_catlist_chooser -->
+ <div id="iprep_catlistChooser" name="iprep_catlistChooser" style="display:none; border:1px dashed gray; width:98%;"></div>
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <colgroup>
+ <col style="text-align:left;">
+ <col style="width: 30%; text-align:left;">
+ <col style="width: 17px;">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"><?php echo gettext("Categories Filename"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Modification Time"); ?></th>
+ <th class="list" align="left" valign="middle"><img style="cursor:pointer;" name="iprep_catlist_add" id="iprep_catlist_add"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17"
+ height="17" border="0" title="<?php echo gettext('Assign a Categories file');?>"/></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php if (!empty($pconfig['iprep_catlist'])) :
+ $class = "listr";
+ if (!file_exists("{$iprep_path}{$pconfig['iprep_catlist']}")) {
+ $filedate = gettext("Unknown -- file missing");
+ $class .= " red";
+ }
+ else
+ $filedate = date('M-d Y g:i a', filemtime("{$iprep_path}{$pconfig['iprep_catlist']}"));
+ ?>
+ <tr>
+ <td class="<?=$class;?>"><?=htmlspecialchars($pconfig['iprep_catlist']);?></td>
+ <td class="<?=$class;?>" align="center"><?=$filedate;?></td>
+ <td class="list"><input type="image" name="iprep_catlist_del[]" id="iprep_catlist_del[]" onClick="document.getElementById('list_id').value='0';"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17"
+ border="0" title="<?php echo gettext('Remove this Categories file');?>"/></td>
+ </tr>
+ <?php endif; ?>
+ <tr>
+ <td colspan="2" class="vexpl"><span class="red"><strong><?=gettext("Note: ");?></strong></span>
+ <?=gettext("change to Categories File assignment is immediately saved.");?></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td colspan="2" valign="top" class="listtopic"><?php echo gettext("Assign IP Reputation Lists"); ?></td>
+ </tr>
+ <tr>
+ <td width="22%" valign='top' class='vncell'><?php echo gettext("IP Reputation Files"); ?>
+ </td>
+ <td width="78%" class="vtable">
+ <table width="95%" border="0" cellpadding="2" cellspacing="0">
+ <!-- iplist_chooser -->
+ <div id="iplistChooser" name="iplistChooser" style="display:none; border:1px dashed gray; width:98%;"></div>
+ <colgroup>
+ <col style="text-align:left;">
+ <col style="width: 30%; text-align:left;">
+ <col style="width: 17px;">
+ </colgroup>
+ <thead>
+ <tr>
+ <th class="listhdrr"><?php echo gettext("IP Reputation List Filename"); ?></th>
+ <th class="listhdrr"><?php echo gettext("Modification Time"); ?></th>
+ <th class="list" align="left" valign="middle"><img style="cursor:pointer;" name="iplist_add" id="iplist_add"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17"
+ border="0" title="<?php echo gettext('Assign a whitelist file');?>"/></th>
+ </tr>
+ </thead>
+ <tbody>
+ <?php foreach($pconfig['iplist_files']['item'] as $k => $f):
+ $class = "listr";
+ if (!file_exists("{$iprep_path}{$f}")) {
+ $filedate = gettext("Unknown -- file missing");
+ $class .= " red";
+ }
+ else
+ $filedate = date('M-d Y g:i a', filemtime("{$iprep_path}{$f}"));
+ ?>
+ <tr>
+ <td class="<?=$class;?>"><?=htmlspecialchars($f);?></td>
+ <td class="<?=$class;?>" align="center"><?=$filedate;?></td>
+ <td class="list"><input type="image" name="iplist_del[]" id="iplist_del[]" onClick="document.getElementById('list_id').value='<?=$k;?>';"
+ src="../themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17"
+ border="0" title="<?php echo gettext('Remove this whitelist file');?>"/></td>
+ </tr>
+ <?php endforeach; ?>
+ <tr>
+ <td colspan="2" class="vexpl"><span class="red"><strong><?=gettext("Note: ");?></strong></span>
+ <?=gettext("changes to IP Reputation List assignments are immediately saved.");?></td>
+ </tr>
+ </tbody>
+ </table>
+ </td>
+ </tr>
+ <?php endif; ?>
+ </tbody>
+ </table>
+ </div>
+ </td>
+ </tr>
+ </tbody>
+</table>
+
+<?php if ($g['platform'] != "nanobsd") : ?>
+<script type="text/javascript">
+Event.observe(
+ window, "load",
+ function() {
+ Event.observe(
+ "iprep_catlist_add", "click",
+ function() {
+ Effect.Appear("iprep_catlistChooser", { duration: 0.25 });
+ iprep_catlistChoose();
+ }
+ );
+
+ Event.observe(
+ "iplist_add", "click",
+ function() {
+ Effect.Appear("iplistChooser", { duration: 0.25 });
+ iplistChoose();
+ }
+ );
+ }
+);
+
+function iprep_catlistChoose() {
+ Effect.Appear("iprep_catlistChooser", { duration: 0.25 });
+ if($("fbCurrentDir"))
+ $("fbCurrentDir").innerHTML = "Loading ...";
+
+ new Ajax.Request(
+ "/suricata/suricata_iprep_list_browser.php?container=iprep_catlistChooser&target=iplist&val=" + new Date().getTime(),
+ { method: "get", onComplete: iprep_catlistComplete }
+ );
+}
+
+function iplistChoose() {
+ Effect.Appear("iplistChooser", { duration: 0.25 });
+ if($("fbCurrentDir"))
+ $("fbCurrentDir").innerHTML = "Loading ...";
+
+ new Ajax.Request(
+ "/suricata/suricata_iprep_list_browser.php?container=iplistChooser&target=iplist&val=" + new Date().getTime(),
+ { method: "get", onComplete: iplistComplete }
+ );
+}
+
+function iprep_catlistComplete(req) {
+ $("iprep_catlistChooser").innerHTML = req.responseText;
+
+ var actions = {
+ fbClose: function() { $("iprep_catlistChooser").hide(); },
+ fbFile: function() { $("iplist").value = this.id;
+ $("mode").value = 'iprep_catlist_add';
+ document.getElementById('iform').submit();
+ }
+ }
+
+ for(var type in actions) {
+ var elem = $("iprep_catlistChooser");
+ var list = elem.getElementsByClassName(type);
+ for (var i=0; i<list.length; i++) {
+ Event.observe(list[i], "click", actions[type]);
+ list[i].style.cursor = "pointer";
+ }
+ }
+}
+
+function iplistComplete(req) {
+ $("iplistChooser").innerHTML = req.responseText;
+
+ var actions = {
+ fbClose: function() { $("iplistChooser").hide(); },
+ fbFile: function() { $("iplist").value = this.id;
+ $("mode").value = 'iplist_add';
+ document.getElementById('iform').submit();
+ }
+ }
+
+ for(var type in actions) {
+ var elem = $("iplistChooser");
+ var list = elem.getElementsByClassName(type);
+ for (var i=0; i<list.length; i++) {
+ Event.observe(list[i], "click", actions[type]);
+ list[i].style.cursor = "pointer";
+ }
+ }
+}
+
+</script>
+<?php endif; ?>
+
+</form>
+<?php include("fend.inc"); ?>
+</body>
+</html>
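Review bot: The existence check at the top of the `iprep_catlist_add` and `iplist_add` handlers tests the raw `$_POST['iplist']` path, while the value actually stored and later resolved by the table rendering (`file_exists("{$iprep_path}{$f}")`) is only its basename under SURICATA_IPREP_PATH; so any readable path on the firewall passes validation, its basename is recorded, and the assignment can then immediately display as "file missing". Validate the name in the directory it will be used from, `$fname = basename($_POST['iplist']); if (file_exists("{$iprep_path}{$fname}")) { ... }`, and store `$fname` rather than re-deriving it. Separately, the `host_memcap` check uses `< 1000000` while the help text and the error message state a 1,048,576 minimum, `is_numericint()` runs before the comma-stripping that only happens on save so a value typed with separators is rejected, and the error message is missing its closing parenthesis. Whether `print_input_errors()` HTML-escapes the interpolated `$_POST['iplist']` in the "could not be found" message depends on guiconfig.inc, which is outside this diff.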
diff --git a/config/suricata/suricata_iprep_list_browser.php b/config/suricata/suricata_iprep_list_browser.php
new file mode 100644
index 00000000..9dd65311
--- /dev/null
+++ b/config/suricata/suricata_iprep_list_browser.php
@@ -0,0 +1,99 @@
+<?php
+
+require_once("guiconfig.inc");
+require_once("/usr/local/pkg/suricata/suricata.inc");
+
+// Fetch a list of files inside a given directory
+function get_content($dir) {
+ $files = array();
+
+ clearstatcache();
+ $fd = @opendir($dir);
+ while($entry = @readdir($fd)) {
+ if($entry == ".") continue;
+ if($entry == "..") continue;
+
+ if(is_dir("{$dir}/{$entry}"))
+ continue;
+ else
+ array_push($files, $entry);
+ }
+ @closedir($fd);
+ natsort($files);
+ return $files;
+}
+
+$path = SURICATA_IPREP_PATH;
+$container = htmlspecialchars($_GET['container']);
+$target = htmlspecialchars($_GET['target']);
+
+// ----- header -----
+?>
+<table width="100%">
+ <tr>
+ <td width="25px" align="left">
+ <img src="/filebrowser/images/icon_home.gif" alt="Home" title="Home" />
+ </td>
+ <td><b><?=$path;?></b></td>
+ <td class="fbClose" align="right">
+ <img onClick="$('<?=$container;?>').hide();" border="0" src="/filebrowser/images/icon_cancel.gif" alt="Close" title="Close" />
+ </td>
+ </tr>
+ <tr>
+ <td id="fbCurrentDir" colspan="3" class="vexpl" align="left">
+ </td>
+ </tr>
+<?php
+$files = get_content($path);
+
+// ----- files -----
+foreach($files as $file):
+ $ext = strrchr($file, ".");
+
+ if($ext == ".css" ) $type = "code";
+ elseif($ext == ".html") $type = "code";
+ elseif($ext == ".xml" ) $type = "code";
+ elseif($ext == ".rrd" ) $type = "database";
+ elseif($ext == ".gif" ) $type = "image";
+ elseif($ext == ".jpg" ) $type = "image";
+ elseif($ext == ".png" ) $type = "image";
+ elseif($ext == ".js" ) $type = "js";
+ elseif($ext == ".pdf" ) $type = "pdf";
+ elseif($ext == ".inc" ) $type = "php";
+ elseif($ext == ".php" ) $type = "php";
+ elseif($ext == ".conf") $type = "system";
+ elseif($ext == ".pid" ) $type = "system";
+ elseif($ext == ".sh" ) $type = "system";
+ elseif($ext == ".bz2" ) $type = "zip";
+ elseif($ext == ".gz" ) $type = "zip";
+ elseif($ext == ".tgz" ) $type = "zip";
+ elseif($ext == ".zip" ) $type = "zip";
+ else $type = "generic";
+
+ $fqpn = "{$path}/{$file}";
+
+ if(is_file($fqpn)) {
+ $fqpn = realpath($fqpn);
+ $size = sprintf("%.2f KiB", filesize($fqpn) / 1024);
+ }
+ else
+ $size = "";
+?>
+ <tr>
+ <td></td>
+ <td class="fbFile vexpl" id="<?=$fqpn;?>" align="left">
+ <?php $filename = str_replace("//","/", "{$path}/{$file}"); ?>
+ <div onClick="$('<?=$target;?>').value='<?=$filename?>'; $('<?=$container;?>').hide();">
+ <img src="/filebrowser/images/file_<?=$type;?>.gif" alt="" title="">
+ &nbsp;<?=$file;?>
+ </div>
+ </td>
+ <td align="right" class="vexpl">
+ <?=$size;?>
+ </td>
+ </tr>
+<?php
+endforeach;
+?>
+</table>
+
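Review bot: `$container` and `$target` come straight from `$_GET` and are emitted inside single-quoted JavaScript strings in the `onClick` attributes (`$('<?=$container;?>').hide()` and `$('<?=$target;?>').value=...`), but `htmlspecialchars()` with its default flags leaves single quotes unescaped, so a crafted URL can break out of the string and run script in the administrator's session. Both values are only ever element ids, so whitelist them instead of escaping: `$container = preg_replace('/[^A-Za-z0-9_]/', '', $_GET['container']);` and the same for `$target`. The file names read from the directory are also written raw into `id="<?=$fqpn;?>"`, the `onClick` string and the cell text; they should at least pass through `htmlspecialchars(..., ENT_QUOTES)`, since names in that directory appear to be user-chosen through the upload and editor controls of the list-management page, which is outside this hunk.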
diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php
index d4475625..320ba23f 100644
--- a/config/suricata/suricata_logs_browser.php
+++ b/config/suricata/suricata_logs_browser.php
@@ -151,6 +151,7 @@ if ($input_errors) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/suricata/suricata_logs_mgmt.php b/config/suricata/suricata_logs_mgmt.php
index fec2d149..aa353d6f 100644
--- a/config/suricata/suricata_logs_mgmt.php
+++ b/config/suricata/suricata_logs_mgmt.php
@@ -173,7 +173,9 @@ if ($_POST["save"] || $_POST['apply']) {
if ($_POST['enable_log_mgmt'] != 'on') {
$config['installedpackages']['suricata']['config'][0]['enable_log_mgmt'] = $_POST['enable_log_mgmt'] ? 'on' :'off';
write_config("Suricata pkg: saved updated configuration for LOGS MGMT.");
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -222,7 +224,9 @@ if ($_POST["save"] || $_POST['apply']) {
$config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = $_POST['sid_changes_log_retention'];
write_config("Suricata pkg: saved updated configuration for LOGS MGMT.");
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
/* forces page to reload new settings */
header( 'Expires: Sat, 26 Jul 1997 05:00:00 GMT' );
@@ -274,6 +278,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), true, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_migrate_config.php b/config/suricata/suricata_migrate_config.php
index 4729109b..75e13315 100644
--- a/config/suricata/suricata_migrate_config.php
+++ b/config/suricata/suricata_migrate_config.php
@@ -71,12 +71,28 @@ if ($config['installedpackages']['suricata']['config'][0]['suricata_config_ver']
/**********************************************************/
/* Create new Auto SID Mgmt settings if not set */
/**********************************************************/
- if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) {
- $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off";
- $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250";
- $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336";
- $updated_cfg = true;
- }
+if (empty($config['installedpackages']['suricata']['config'][0]['auto_manage_sids'])) {
+ $config['installedpackages']['suricata']['config'][0]['auto_manage_sids'] = "off";
+ $config['installedpackages']['suricata']['config'][0]['sid_changes_log_limit_size'] = "250";
+ $config['installedpackages']['suricata']['config'][0]['sid_changes_log_retention'] = "336";
+ $updated_cfg = true;
+}
+
+/**********************************************************/
+/* Create new Auto GeoIP update setting if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'])) {
+ $config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] = "on";
+ $updated_cfg = true;
+}
+
+/**********************************************************/
+/* Create new ET IQRisk IP Reputation setting if not set */
+/**********************************************************/
+if (empty($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'])) {
+ $config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] = "off";
+ $updated_cfg = true;
+}
// Now process the interface-specific settings
foreach ($rule as &$r) {
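Review bot: The default chosen at L20350 deserves a comment, because it is the only one of the three new settings that defaults to enabled: an upgraded install silently starts fetching a remote GeoIP database and, per the post-install hunk at L20504, installs a root cron job for it, whereas `et_iqrisk_enable` defaults to "off". The de-indentation of the existing auto_manage_sids block suggests these checks moved out of the `suricata_config_ver` conditional named in the hunk header; if so, the header comment should say the migration now runs on every load rather than only on version change. Suggested comment above L20349: `/* Defaults to "on": upgraded installs begin downloading the GeoIP DB and get a root cron job unless the admin opts out */`. The surrounding block begins before this hunk.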
@@ -336,6 +352,26 @@ foreach ($rule as &$r) {
$updated_cfg = true;
}
+ /**********************************************************/
+ /* Create interface IP Reputation settings if not set */
+ /**********************************************************/
+ if (empty($pconfig['enable_iprep'])) {
+ $pconfig['enable_iprep'] = "off";
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['host_memcap'])) {
+ $pconfig['host_memcap'] = "16777216";
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['host_hash_size'])) {
+ $pconfig['host_hash_size'] = "4096";
+ $updated_cfg = true;
+ }
+ if (empty($pconfig['host_prealloc'])) {
+ $pconfig['host_prealloc'] = "1000";
+ $updated_cfg = true;
+ }
+
// Save the new configuration data into the $config array pointer
$r = $pconfig;
}
@@ -343,12 +379,8 @@ foreach ($rule as &$r) {
unset($r);
// Write out the new configuration to disk if we changed anything
-if ($updated_cfg) {
- $config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0.2";
- log_error("[Suricata] Saving configuration settings in new format...");
- write_config("Suricata pkg: migrate existing settings to new format during package upgrade.");
+if ($updated_cfg)
log_error("[Suricata] Settings successfully migrated to new configuration format...");
-}
else
log_error("[Suricata] Configuration version is current...");
diff --git a/config/suricata/suricata_passlist.php b/config/suricata/suricata_passlist.php
index 02aa4a3d..af1c4ff5 100644
--- a/config/suricata/suricata_passlist.php
+++ b/config/suricata/suricata_passlist.php
@@ -87,7 +87,9 @@ if ($_POST['del'] && is_numericint($_POST['list_id'])) {
if (!$input_errors) {
unset($a_passlist[$_POST['list_id']]);
write_config("Suricata pkg: deleted PASS LIST.");
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
header("Location: /suricata/suricata_passlist.php");
exit;
}
@@ -130,6 +132,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/suricata/suricata_passlist_edit.php b/config/suricata/suricata_passlist_edit.php
index 3e1502f3..5bfeb8b9 100644
--- a/config/suricata/suricata_passlist_edit.php
+++ b/config/suricata/suricata_passlist_edit.php
@@ -182,7 +182,9 @@ if ($_POST['save']) {
write_config("Suricata pkg: modified PASS LIST {$p_list['name']}.");
/* create pass list and homenet file, then sync files */
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
header("Location: /suricata/suricata_passlist.php");
exit;
@@ -224,6 +226,7 @@ if ($savemsg)
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/suricata/suricata_post_install.php b/config/suricata/suricata_post_install.php
index 42f72eca..f4a66b0b 100644
--- a/config/suricata/suricata_post_install.php
+++ b/config/suricata/suricata_post_install.php
@@ -48,36 +48,36 @@
require_once("config.inc");
require_once("functions.inc");
require_once("/usr/local/pkg/suricata/suricata.inc");
+require("/usr/local/pkg/suricata/suricata_defs.inc");
global $config, $g, $rebuild_rules, $pkg_interface, $suricata_gui_include;
/****************************************
* Define any new constants here that *
* may not be yet defined in the old *
- * "suricata.inc" include file that *
- * might be cached and used by the *
- * package manager installation code. *
+ * "suricata_defs.inc" include file *
+ * that might be cached and used by *
+ * the package manager installation *
+ * code. *
* *
* This is a hack to work around the *
- * fact the old version of suricata.inc *
+ * fact the old version of the inc file *
* is cached and used instead of the *
- * updated version icluded with the *
+ * updated version included with the *
* updated GUI package. *
****************************************/
-if (!defined('SID_MODS_PATH'))
- define('SID_MODS_PATH', '/var/db/suricata/sidmods/');
-if (!defined('IPREP_PATH'))
- define('IPREP_PATH', '/var/db/suricata/iprep/');
+if (!defined('SURICATA_PBI_BASEDIR'))
+ define('SURICATA_PBI_BASEDIR', '/usr/pbi/suricata-' . php_uname("m"));
/****************************************
- * End of PHP cachine workaround *
+ * End of PHP caching workaround *
****************************************/
// Initialize some common values from defined constants
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
$flowbit_rules_file = FLOWBITS_FILENAME;
-$suricata_enforcing_rules_file = ENFORCING_RULES_FILENAME;
+$suricata_enforcing_rules_file = SURICATA_ENFORCING_RULES_FILENAME;
$rcdir = RCFILEPREFIX;
// Hard kill any running Suricata process that may have been started by any
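Review bot: L20451 uses `require` while the neighbouring lines use `require_once`; if suricata.inc (L20450) already pulls in suricata_defs.inc, the second evaluation will hit every `define()` in it and emit "Constant already defined" notices at install time. `require_once("/usr/local/pkg/suricata/suricata_defs.inc");` is the safer form and matches the surrounding style; I cannot see from this diff whether suricata.inc includes the defs file, so this is hedged. The caching-workaround comment above the `SURICATA_PBI_BASEDIR` define should also say which constant it now covers and why the earlier SID_MODS_PATH/IPREP_PATH guards were dropped.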
@@ -103,14 +103,28 @@ $g['suricata_postinstall'] = true;
conf_mount_rw();
// Remove any previously installed script since we rebuild it
-@unlink("{$rcdir}suricata.sh");
+unlink_if_exists("{$rcdir}suricata.sh");
// Create the top-tier log directory
safe_mkdir(SURICATALOGDIR);
// Create the IP Rep and SID Mods lists directory
-safe_mkdir(SID_MODS_PATH);
-safe_mkdir(IPREP_PATH);
+safe_mkdir(SURICATA_SID_MODS_PATH);
+safe_mkdir(SURICATA_IPREP_PATH);
+
+// Download the latest GeoIP DB updates and create cron task if the feature is not disabled
+if ($config['installedpackages']['suricata']['config'][0]['autogeoipupdate'] != 'off') {
+ log_error(gettext("[Suricata] Installing free GeoIP country database files..."));
+ include("/usr/local/pkg/suricata/suricata_geoipupdate.php");
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_geoipupdate.php", TRUE, 0, 0, 8, "*", "*", "root");
+}
+
+// Download the latest ET IQRisk updates and create cron task if the feature is not disabled
+if ($config['installedpackages']['suricata']['config'][0]['et_iqrisk_enable'] == 'on') {
+ log_error(gettext("[Suricata] Installing Emerging Threats IQRisk IP List..."));
+ include("/usr/local/pkg/suricata/suricata_etiqrisk_update.php");
+ install_cron_job("/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/suricata/suricata_etiqrisk_update.php", TRUE, 0, 0, "*", "*", "*", "root");
+}
// remake saved settings if previously flagged
if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] == 'on') {
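Review bot: The two new feature blocks use opposite enablement semantics: GeoIP runs whenever the setting is `!= 'off'` (so a missing key means enabled), while IQRisk runs only when `== 'on'`; the comments say "not disabled" for both, which hides that asymmetry. Both blocks also execute a network download via `include()` during package installation and schedule the same script as a root cron job, without checking whether the download succeeded or logging a failure. At minimum the comments should state the default each condition implies, e.g. `// Runs unless explicitly disabled (missing key == enabled): downloads GeoIP DB now and schedules a monthly root cron job`, and if the update scripts expose a status, log it here so a failed initial fetch is visible in the system log.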
@@ -149,7 +163,6 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
log_error(gettext("[Suricata] updated UUID for interface " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . " from {$old_uuid} to {$new_uuid}."));
}
}
- write_config("Suricata pkg: updated interface UUIDs to eliminate duplicates.");
unset($uuids, $rulesets);
}
/****************************************************************/
@@ -167,6 +180,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
include('/usr/local/pkg/suricata/suricata_check_for_rule_updates.php');
update_status(gettext("Generating suricata.yaml configuration file from saved settings..."));
$rebuild_rules = true;
+ conf_mount_rw();
// Create the suricata.yaml files for each enabled interface
$suriconf = $config['installedpackages']['suricata']['rule'];
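Review bot: The added `conf_mount_rw()` at L20530 follows an earlier `conf_mount_rw()` at L20491 in the same script, with no `conf_mount_ro()` visible between them, so it appears redundant; unless something in the elided lines remounts read-only, a comment explaining why the partition must be re-mounted here would help the next reader, or the call can be dropped. The matching `conf_mount_ro()` is at L20574 in a later hunk. The enclosing `forcekeepsettings` block starts and ends outside this hunk.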
@@ -174,6 +188,7 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
$if_real = get_real_interface($suricatacfg['interface']);
$suricata_uuid = $suricatacfg['uuid'];
$suricatacfgdir = "{$suricatadir}suricata_{$suricata_uuid}_{$if_real}";
+ update_output_window(gettext("Generating configuration for " . convert_friendly_interface_to_friendly_descr($suricatacfg['interface']) . "..."));
// Pull in the PHP code that generates the suricata.yaml file
// variables that will be substituted further down below.
@@ -202,9 +217,6 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
suricata_rm_blocked_install_cron($config['installedpackages']['suricata']['config'][0]['rm_blocked'] != "never_b" ? true : false);
suricata_rules_up_install_cron($config['installedpackages']['suricata']['config'][0]['autoruleupdate'] != "never_up" ? true : false);
- // Add the recurring jobs created above to crontab
- configure_cron();
-
// Restore the Dashboard Widget if it was previously enabled and saved
if (!empty($config['installedpackages']['suricata']['config'][0]['dashboard_widget']) && !empty($config['widgets']['sequence'])) {
if (strpos($config['widgets']['sequence'], "suricata_alerts-container") === FALSE)
@@ -216,16 +228,20 @@ if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] =
}
$rebuild_rules = false;
- update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
+ if ($pkg_interface <> "console")
+ update_output_window(gettext("Finished rebuilding Suricata configuration files..."));
log_error(gettext("[Suricata] Finished rebuilding installation from saved settings..."));
// Only try to start Suricata if not in reboot
if (!$g['booting']) {
- update_status(gettext("Starting Suricata using rebuilt configuration..."));
- update_output_window(gettext("Please wait... while Suricata is started..."));
- log_error(gettext("[Suricata] Starting Suricata using rebuilt configuration..."));
- mwexec_bg("{$rcdir}suricata.sh start");
- update_output_window(gettext("Suricata has been started using the rebuilt configuration..."));
+ if ($pkg_interface <> "console") {
+ update_status(gettext("Starting Suricata using rebuilt configuration..."));
+ update_output_window(gettext("Please wait while Suricata is started..."));
+ mwexec("{$rcdir}suricata.sh start");
+ update_output_window(gettext("Suricata has been started using the rebuilt configuration..."));
+ }
+ else
+ mwexec_bg("{$rcdir}suricata.sh start");
}
}
@@ -238,8 +254,8 @@ if (empty($config['installedpackages']['suricata']['config'][0]['forcekeepsettin
conf_mount_ro();
// Update Suricata package version in configuration
-$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.0.2";
-write_config("Suricata pkg: updated GUI package version number.");
+$config['installedpackages']['suricata']['config'][0]['suricata_config_ver'] = "2.1";
+write_config("Suricata pkg v2.1: post-install configuration saved.");
// Done with post-install, so clear flag
unset($g['suricata_postinstall']);
diff --git a/config/suricata/suricata_rules.php b/config/suricata/suricata_rules.php
index 539a1daf..480bf3dc 100644
--- a/config/suricata/suricata_rules.php
+++ b/config/suricata/suricata_rules.php
@@ -473,6 +473,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -485,6 +486,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php
index b16353cb..1bb945d8 100644
--- a/config/suricata/suricata_rules_flowbits.php
+++ b/config/suricata/suricata_rules_flowbits.php
@@ -139,7 +139,9 @@ if ($_POST['addsuppress'] && is_numeric($_POST['sid']) && is_numeric($_POST['gid
if ($found_list) {
write_config();
$rebuild_rules = false;
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
suricata_reload_config($a_nat[$id]);
$savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_POST['gid']}, sig_id {$_POST['sid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'.");
}
diff --git a/config/suricata/suricata_rulesets.php b/config/suricata/suricata_rulesets.php
index 7ea672b1..7f591b6c 100644
--- a/config/suricata/suricata_rulesets.php
+++ b/config/suricata/suricata_rulesets.php
@@ -142,8 +142,7 @@ if ($_POST["save"]) {
$a_nat[$id]['autoflowbitrules'] = 'on';
else {
$a_nat[$id]['autoflowbitrules'] = 'off';
- if (file_exists("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}"))
- @unlink("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
+ unlink_if_exists("{$suricatadir}suricata_{$suricata_uuid}_{$if_real}/rules/{$flowbit_rules_file}");
}
write_config("Suricata pkg: save enabled rule categories for {$a_nat[$id]['interface']}.");
@@ -170,17 +169,43 @@ if ($_POST["save"]) {
suricata_sync_on_changes();
}
elseif ($_POST['unselectall']) {
+ if ($_POST['ips_policy_enable'] == "on") {
+ $a_nat[$id]['ips_policy_enable'] = 'on';
+ $a_nat[$id]['ips_policy'] = $_POST['ips_policy'];
+ }
+ else {
+ $a_nat[$id]['ips_policy_enable'] = 'off';
+ unset($a_nat[$id]['ips_policy']);
+ }
+
+ $pconfig['autoflowbits'] = $_POST['autoflowbits'];
+ $pconfig['ips_policy_enable'] = $_POST['ips_policy_enable'];
+ $pconfig['ips_policy'] = $_POST['ips_policy'];
+
// Remove all but the default events and files rules
$enabled_rulesets_array = array();
$enabled_rulesets_array = implode("||", $default_rules);
$savemsg = gettext("All rule categories have been de-selected. ");
- if ($_POST['ips_policy_enable'])
+ if ($_POST['ips_policy_enable'] == "on")
$savemsg .= gettext("Only the rules included in the selected IPS Policy will be used.");
else
$savemsg .= gettext("There currently are no inspection rules enabled for this Suricata instance!");
}
elseif ($_POST['selectall']) {
+ if ($_POST['ips_policy_enable'] == "on") {
+ $a_nat[$id]['ips_policy_enable'] = 'on';
+ $a_nat[$id]['ips_policy'] = $_POST['ips_policy'];
+ }
+ else {
+ $a_nat[$id]['ips_policy_enable'] = 'off';
+ unset($a_nat[$id]['ips_policy']);
+ }
+
+ $pconfig['autoflowbits'] = $_POST['autoflowbits'];
+ $pconfig['ips_policy_enable'] = $_POST['ips_policy_enable'];
+ $pconfig['ips_policy'] = $_POST['ips_policy'];
+
// Start with the required default events and files rules
$enabled_rulesets_array = $default_rules;
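Review bot: `$a_nat[$id]['ips_policy'] = $_POST['ips_policy'];` stores a form value directly into the saved configuration in both new blocks, with no check that it is one of the policy names the page offers; the `save` branch that might validate it is outside this hunk, so whether the value is ever checked here is uncertain, and this value later feeds rule selection. The same fourteen lines are duplicated in the `unselectall` and `selectall` branches; extracting them into a small helper that takes `$a_nat[$id]`, `$pconfig` and `$_POST` by reference, with the policy whitelist check inside it, would remove the duplication and give the validation a single home. A one-line guard such as `if (!in_array($_POST['ips_policy'], $allowed_policies)) $input_errors[] = gettext("Invalid IPS policy selected.");` before the assignment would suffice, where `$allowed_policies` is the list used to build the select box. The enclosing `if/elseif` chain begins before this hunk.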
@@ -265,6 +290,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
echo '</td></tr>';
echo '<tr><td class="tabnavtbl">';
@@ -277,6 +303,7 @@ if ($savemsg) {
$tab_array[] = array($menu_iface . gettext("App Parsers"), false, "/suricata/suricata_app_parsers.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Variables"), false, "/suricata/suricata_define_vars.php?id={$id}");
$tab_array[] = array($menu_iface . gettext("Barnyard2"), false, "/suricata/suricata_barnyard.php?id={$id}");
+ $tab_array[] = array($menu_iface . gettext("IP Rep"), false, "/suricata/suricata_ip_reputation.php?id={$id}");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_sid_mgmt.php b/config/suricata/suricata_sid_mgmt.php
index 2224e81a..c2d58af8 100644
--- a/config/suricata/suricata_sid_mgmt.php
+++ b/config/suricata/suricata_sid_mgmt.php
@@ -55,7 +55,7 @@ $pconfig['auto_manage_sids'] = $config['installedpackages']['suricata']['config'
// Hard-code the path where SID Mods Lists are stored
// and disregard any user-supplied path element.
-$sidmods_path = SID_MODS_PATH;
+$sidmods_path = SURICATA_SID_MODS_PATH;
// Set default to not show SID modification lists editor controls
$sidmodlist_edit_style = "display: none;";
@@ -216,7 +216,7 @@ if (isset($_POST['sidlist_dnload']) && isset($_POST['sidlist_fname'])) {
}
if (isset($_POST['sidlist_dnload_all_x'])) {
- $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"');
+ $save_date = date("Y-m-d-H-i-s");
$file_name = "suricata_sid_conf_files_{$save_date}.tar.gz";
exec("cd {$sidmods_path} && /usr/bin/tar -czf /tmp/{$file_name} *");
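Review bot: Switching to `date()` removes the `exec` for the timestamp, but the archive is still written to a predictable path in the shared `/tmp` directory (`/tmp/{$file_name}`), which exposes the web-GUI process to symlink or pre-created-file tricks by any local user who can write to /tmp; the follow-up hunk at L20706 then `readfile()`s and removes that same path. Keep `$file_name` for the download header but create the archive with `$tmp_archive = tempnam("/tmp", "suricata_sid_");` and pass `escapeshellarg($tmp_archive)` to tar, then read and unlink `$tmp_archive`. The `cd {$sidmods_path}` is a constant path (L20696), so the remaining shell interpolation is safe as long as that stays true.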
@@ -236,7 +236,7 @@ if (isset($_POST['sidlist_dnload_all_x'])) {
readfile("/tmp/{$file_name}");
// Clean up the temp file
- @unlink("/tmp/{$file_name}");
+ unlink_if_exists("/tmp/{$file_name}");
}
else
$savemsg = gettext("An error occurred while creating the gzip archive!");
@@ -290,6 +290,7 @@ if ($savemsg) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), true, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td></tr>
@@ -297,6 +298,11 @@ if ($savemsg) {
<div id="mainarea">
<table id="maintable" class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0">
<tbody>
+ <?php if ($g['platform'] == "nanobsd") : ?>
+ <tr>
+ <td colspan="2" class="listtopic"><?php echo gettext("SID auto-management is not supported on NanoBSD installs"); ?></td>
+ </tr>
+ <?php else: ?>
<tr>
<td colspan="2" valign="top" class="listtopic"><?php echo gettext("General Settings"); ?></td>
</tr>
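Review bot: The `$g['platform'] == "nanobsd"` check only hides the form and, via the hunks at L20734 and L20742, its JavaScript; the POST handlers earlier in this file (for example the download handlers at L20699 and L20706, and whatever save handler precedes them outside this diff) still run if a request arrives, so a NanoBSD install can still be driven through a hand-crafted POST unless those handlers are guarded too. Add a comment here stating that this is a display-only guard, or apply the same platform check to the POST processing so behaviour and UI agree.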
@@ -571,6 +577,7 @@ if ($savemsg) {
&nbsp;&nbsp;<?=gettext("Remember to save changes before exiting this page"); ?>
</td>
</tr>
+ <?php endif; ?>
</tbody>
</table>
</div>
@@ -581,6 +588,8 @@ if ($savemsg) {
<?php include("fend.inc"); ?>
+
+<?php if ($g['platform'] != "nanobsd") : ?>
<script type="text/javascript">
function enable_sid_conf() {
@@ -596,5 +605,7 @@ function enable_sid_conf() {
enable_sid_conf();
</script>
+<?php endif; ?>
+
</body>
</html>
diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php
index 80249724..8fcb3dd5 100644
--- a/config/suricata/suricata_suppress.php
+++ b/config/suricata/suricata_suppress.php
@@ -103,7 +103,9 @@ if ($_POST['del'] && is_numericint($_POST['list_id'])) {
else {
unset($a_suppress[$_POST['list_id']]);
write_config("Suricata pkg: deleted SUPPRESS LIST.");
+ conf_mount_rw();
sync_suricata_package_config();
+ conf_mount_ro();
header("Location: /suricata/suricata_suppress.php");
exit;
}
@@ -144,6 +146,7 @@ if ($input_errors) {
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td>
diff --git a/config/suricata/suricata_suppress_edit.php b/config/suricata/suricata_suppress_edit.php
index 24572789..8814d3db 100644
--- a/config/suricata/suricata_suppress_edit.php
+++ b/config/suricata/suricata_suppress_edit.php
@@ -168,6 +168,7 @@ if ($savemsg)
$tab_array[] = array(gettext("Logs Mgmt"), false, "/suricata/suricata_logs_mgmt.php");
$tab_array[] = array(gettext("SID Mgmt"), false, "/suricata/suricata_sid_mgmt.php");
$tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=suricata/suricata_sync.xml");
+ $tab_array[] = array(gettext("IP Lists"), false, "/suricata/suricata_ip_list_mgmt.php");
display_top_tabs($tab_array, true);
?>
</td></tr>
diff --git a/config/suricata/suricata_sync.xml b/config/suricata/suricata_sync.xml
index a85a3d63..28083d8d 100644
--- a/config/suricata/suricata_sync.xml
+++ b/config/suricata/suricata_sync.xml
@@ -110,6 +110,11 @@ POSSIBILITY OF SUCH DAMAGE.
<no_drop_down/>
<active/>
</tab>
+ <tab>
+ <text>IP Lists</text>
+ <url>/suricata/suricata_ip_list_mgmt.php</url>
+ <no_drop_down/>
+ </tab>
</tabs>
<fields>
<field>
diff --git a/config/suricata/suricata_uninstall.php b/config/suricata/suricata_uninstall.php
index 280e2394..c8048a1c 100644
--- a/config/suricata/suricata_uninstall.php
+++ b/config/suricata/suricata_uninstall.php
@@ -44,11 +44,12 @@ global $config, $g;
$suricatadir = SURICATADIR;
$suricatalogdir = SURICATALOGDIR;
-$sidmodspath = SID_MODS_PATH;
-$iprep_path = IPREP_PATH;
+$sidmodspath = SURICATA_SID_MODS_PATH;
+$iprep_path = SURICATA_IPREP_PATH;
$rcdir = RCFILEPREFIX;
-$suricata_rules_upd_log = RULES_UPD_LOGFILE;
+$suricata_rules_upd_log = SURICATA_RULES_UPD_LOGFILE;
$suri_pf_table = SURICATA_PF_TABLE;
+$mounted_rw = FALSE;
log_error(gettext("[Suricata] Suricata package uninstall in progress..."));
@@ -76,20 +77,29 @@ unlink_if_exists("{$g['varrun_path']}/barnyard2_*.pid");
install_cron_job("suricata_check_for_rule_updates.php", false);
install_cron_job("suricata_check_cron_misc.inc", false);
install_cron_job("{$suri_pf_table}" , false);
+install_cron_job("suricata_geoipupdate.php" , false);
+install_cron_job("suricata_etiqrisk_update.php", false);
/* See if we are to keep Suricata log files on uninstall */
if ($config['installedpackages']['suricata']['config'][0]['clearlogs'] == 'on') {
log_error(gettext("[Suricata] Clearing all Suricata-related log files..."));
- @unlink("{$suricata_rules_upd_log}");
- mwexec("/bin/rm -rf {$suricatalogdir}");
+ unlink_if_exists("{$suricata_rules_upd_log}");
+ rmdir_recursive("{$suricatalogdir}");
}
-// Mount filesystem read-write to remove our files
-conf_mount_rw();
+/**************************************************/
+/* If not already, set Suricata conf partition to */
+/* read-write so we can make changes there */
+/**************************************************/
+if (!is_subsystem_dirty('mount')) {
+ conf_mount_rw();
+ $mounted_rw = TRUE;
+}
/* Remove the Suricata GUI app directories */
-mwexec("/bin/rm -rf /usr/local/pkg/suricata");
-mwexec("/bin/rm -rf /usr/local/www/suricata");
+rmdir_recursive("/usr/local/pkg/suricata");
+rmdir_recursive("/usr/local/www/suricata");
+rmdir_recursive("/usr/local/etc/suricata");
/* Remove our associated Dashboard widget config and files. */
/* If "save settings" is enabled, then save old widget */
@@ -110,24 +120,26 @@ if (!empty($widgets)) {
}
}
$config['widgets']['sequence'] = implode(",", $widgetlist);
- write_config("Suricata pkg: remove Suricata Dashboard Widget on package deinstall.");
}
-@unlink("/usr/local/www/widgets/include/widget-suricata.inc");
-@unlink("/usr/local/www/widgets/widgets/suricata_alerts.widget.php");
-@unlink("/usr/local/www/widgets/javascript/suricata_alerts.js");
+unlink_if_exists("/usr/local/www/widgets/include/widget-suricata.inc");
+unlink_if_exists("/usr/local/www/widgets/widgets/suricata_alerts.widget.php");
+unlink_if_exists("/usr/local/www/widgets/javascript/suricata_alerts.js");
-// Finished with filesystem mods so remount it read-only
-conf_mount_ro();
+/*******************************************************/
+/* We're finished with conf partition mods, return to */
+/* read-only if we changed it */
+/*******************************************************/
+if ($mounted_rw == TRUE)
+ conf_mount_ro();
/* Keep this as a last step */
if ($config['installedpackages']['suricata']['config'][0]['forcekeepsettings'] != 'on') {
log_error(gettext("Not saving settings... all Suricata configuration info and logs deleted..."));
unset($config['installedpackages']['suricata']);
unset($config['installedpackages']['suricatasync']);
- @unlink("{$suricata_rules_upd_log}");
- mwexec("/bin/rm -rf {$suricatalogdir}");
- mwexec("/bin/rm -rf {$sidmodspath}");
- mwexec("/bin/rm -rf {$iprep_path}");
+ unlink_if_exists("{$suricata_rules_upd_log}");
+ rmdir_recursive("{$suricatalogdir}");
+ rmdir_recursive("{$g['vardb_path']}/suricata");
log_error(gettext("[Suricata] The package has been removed from this system..."));
}
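Review bot: `$sidmodspath` and `$iprep_path`, renamed at L20814–L20815 in the hunk starting L20809, are no longer referenced anywhere visible after this hunk replaces their individual removal with `rmdir_recursive("{$g['vardb_path']}/suricata")`; they should be dropped unless a use remains outside the diff. `if ($mounted_rw == TRUE)` reads better as `if ($mounted_rw)`, and the flag/`is_subsystem_dirty('mount')` pattern introduced at L20842 is the one the other conf_mount_rw/ro additions in this commit (L20304, L20409, L20430, L20610, L20763) should follow. The removal of both `write_config()` calls (L20858 and the one implied by the final block) means the unset of the package config is only persisted if the package manager writes config after uninstall, which this diff does not show.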
diff --git a/config/suricata/suricata_yaml_template.inc b/config/suricata/suricata_yaml_template.inc
index 82c449d3..a8b06ebe 100644
--- a/config/suricata/suricata_yaml_template.inc
+++ b/config/suricata/suricata_yaml_template.inc
@@ -225,9 +225,9 @@ reassembly:
# Host table is used by tagging and per host thresholding subsystems.
host:
- hash-size: 4096
- prealloc: 1000
- memcap: 16777216
+ hash-size: {$host_hash_size}
+ prealloc: {$host_prealloc}
+ memcap: {$host_memcap}
# Host specific policies for defragmentation and TCP stream reassembly.
host-os-policy:
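Review bot: The three new `{$host_*}` interpolations replace numeric literals with values that ultimately come from saved configuration, so an empty or non-numeric value produces an invalid suricata.yaml; the migration hunk at L20373–L20384 only supplies defaults for missing keys, and the GUI page that edits them is not in this diff, so it is unclear where integer validation happens. A template comment such as `# host_hash_size / host_prealloc / host_memcap must be validated as positive integers by the caller before substitution` would record that contract next to the lines that depend on it.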
@@ -286,18 +286,14 @@ vars:
port-groups:
{$port_vars}
-# Set the order of alerts bassed on actions
+# Set the order of alerts based on actions
action-order:
- pass
- drop
- reject
- alert
-# IP Reputation
-#reputation-categories-file: {$iprep_path}/categories.txt
-#default-reputation-path: {$iprep_path}
-#reputation-files:
-# - reputation.list
+{$iprep_config}
# Limit for the maximum number of asn1 frames to decode (default 256)
asn1-max-frames: {$asn1_max_frames}
diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc
index 395a97d6..e373f62e 100644
--- a/config/syslog-ng/syslog-ng.inc
+++ b/config/syslog-ng/syslog-ng.inc
@@ -249,7 +249,7 @@ function syslogng_get_log_files($objects) {
function syslogng_build_conf($objects) {
$conf = "# This file is automatically generated by pfSense\n";
$conf .= "# Do not edit manually !\n";
- $conf .= "@version:3.3\n";
+ $conf .= "@version:3.5\n";
foreach($objects as $object) {
if($object['objecttype'] == 'log' || $object['objecttype'] == 'options') {
diff --git a/config/varnish3/varnish.inc b/config/varnish3/varnish.inc
index 4883af15..50b37990 100644
--- a/config/varnish3/varnish.inc
+++ b/config/varnish3/varnish.inc
@@ -4,7 +4,7 @@
varnish.inc
part of pfSense (http://www.pfSense.com)
Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
Copyright (C) 2012 Marcio Carlos Antao
All rights reserved.
*/
@@ -34,23 +34,26 @@
/* ========================================================================== */
$shortcut_section = "varnish";
-$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
-if ($pf_version > 2.0)
- define('VARNISH_LOCALBASE', '/usr/pbi/varnish-' . php_uname("m"));
-else
- define('VARNISH_LOCALBASE','/usr/local');
+$pfs_version = substr(trim(file_get_contents("/etc/version")),0,3);
+if (is_dir('/usr/pbi/varnish-' . php_uname("m"))) {
+ define('VARNISH_LOCALBASE', '/usr/pbi/varnish-' . php_uname("m"));
+} else {
+ define('VARNISH_LOCALBASE','/usr/local');
+}
+define('VARNISH_DIRTYPATH',"{$g['varrun_path']}/varnish.conf.dirty");
+define('VARNISH_CONFFILE','/var/etc/default.vcl');
function varnish_settings_post_validate($post, &$input_errors) {
- if( !is_numeric($post['storagesize']))
- $input_errors[] = "A valid number is required for the field 'Storage size'";
- if($post['listeningport'] && !is_numeric($post['listeningport']))
- $input_errors[] = "A valid number is required for the field 'Listening port'";
- if($post['minworkers'] && !is_numeric($post['minworkers']))
- $input_errors[] = "A valid number is required for the field 'Minimum worker threads'";
- if($post['maxworkers'] && !is_numeric($post['maxworkers']))
- $input_errors[] = "A valid number is required for the field 'Maximum worker threads'";
- if($post['timeoutworkers'] && !is_numeric($post['timeoutworkers']))
+ if( !is_numeric($post['storagesize']))
+ $input_errors[] = "A valid number is required for the field 'Storage size'";
+ if($post['listeningport'] && !is_numeric($post['listeningport']))
+ $input_errors[] = "A valid number is required for the field 'Listening port'";
+ if($post['minworkers'] && !is_numeric($post['minworkers']))
+ $input_errors[] = "A valid number is required for the field 'Minimum worker threads'";
+ if($post['maxworkers'] && !is_numeric($post['maxworkers']))
+ $input_errors[] = "A valid number is required for the field 'Maximum worker threads'";
+ if($post['timeoutworkers'] && !is_numeric($post['timeoutworkers']))
$input_errors[] = "A valid number is required for the field 'Worker thread timeout'";
if($post['managment']){
$mgm= explode(":",$post['managment']);
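Review bot: `$pfs_version` is assigned at L20954 but no longer read anywhere visible now that the PBI detection uses `is_dir()`, so the `file_get_contents("/etc/version")` is dead work and the line can go. The new `VARNISH_DIRTYPATH` define interpolates `$g['varrun_path']` at file scope without a `global $g;`, which works only while this file is included from global scope; a `global $g;` above L20960, or a comment stating the assumption, would prevent an undefined-index warning and a path of `/varnish.conf.dirty` if the file is ever pulled in from inside a function. The remaining lines of the hunk only re-indent the existing `is_numeric` checks.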
@@ -61,7 +64,7 @@ function varnish_settings_post_validate($post, &$input_errors) {
$input_errors[] = "A valid number with a time reference is required for the field 'Fetch grace'";
if($post['saint'] && ! preg_match("/^\d+(h|m|s)$/",$post['saint']))
$input_errors[] = "A valid number with a time reference is required for the field 'Saint mode'";
-
+
}
function varnish_lb_directors_post_validate($post, &$input_errors) {
@@ -81,21 +84,21 @@ function varnish_lb_directors_post_validate($post, &$input_errors) {
function varnish_backends_post_validate($post, &$input_errors) {
if (!$post['backendname'] || preg_match("/[^a-zA-Z0-9]/", $post['backendname']))
$input_errors[] = "The backend name must only contain the characters a-Z or 0-9";
- if(!is_ipaddr($post['ipaddress']))
+ if(!is_ipaddr($post['ipaddress']))
$input_errors[] = "A valid IP address is required for the field 'IPAddress'";
- if($post['first_byte_timeout'] && !is_numeric($post['first_byte_timeout']))
+ if($post['first_byte_timeout'] && !is_numeric($post['first_byte_timeout']))
$input_errors[] = "A valid number is required for the field 'first byte timeout'";
- if($post['connect_timeout'] && !is_numeric($post['connect_timeout']))
+ if($post['connect_timeout'] && !is_numeric($post['connect_timeout']))
$input_errors[] = "A valid number is required for the field 'connect timeout'";
- if($post['probe_interval'] && !is_numeric($post['probe_interval']))
+ if($post['probe_interval'] && !is_numeric($post['probe_interval']))
$input_errors[] = "A valid number is required for the field 'probe interval'";
- if($post['probe_interval'] && !is_numeric($post['probe_interval']))
+ if($post['probe_interval'] && !is_numeric($post['probe_interval']))
$input_errors[] = "A valid number is required for the field 'probe interval'";
- if($post['probe_timeout'] && !is_numeric($post['probe_timeout']))
+ if($post['probe_timeout'] && !is_numeric($post['probe_timeout']))
$input_errors[] = "A valid number is required for the field 'probe timeout'";
- if($post['probe_window'] && !is_numeric($post['probe_window']))
+ if($post['probe_window'] && !is_numeric($post['probe_window']))
$input_errors[] = "A valid number is required for the field 'probe window'";
- if($post['probe_threshold'] && !is_numeric($post['probe_threshold']))
+ if($post['probe_threshold'] && !is_numeric($post['probe_threshold']))
$input_errors[] = "A valid number is required for the field 'probe threshold'";
$x=0;
while ($post['maptype'.$x] != ""){
@@ -103,13 +106,24 @@ function varnish_backends_post_validate($post, &$input_errors) {
$input_errors[] = "A valid number with a time reference is required for the field 'grace' in map ".($x +1);
}
$x++;
-
+
}
}
function varnish_install() {
create_varnish_rcd_file();
+
+ if (file_exists(VARNISH_LOCALBASE . '/local/lib/varnish/libvarnish.so')) {
+ @symlink(VARNISH_LOCALBASE . '/local/lib/varnish/libvarnish.so',
+ VARNISH_LOCALBASE . '/local/lib/libvarnish.so');
+ @symlink(VARNISH_LOCALBASE . '/local/lib/varnish/libvarnishcompat.so',
+ VARNISH_LOCALBASE . '/local/lib/libvarnishcompat.so');
+ @symlink(VARNISH_LOCALBASE . '/local/lib/varnish/libvcl.so',
+ VARNISH_LOCALBASE . '/local/lib/libvcl.so');
+ @symlink(VARNISH_LOCALBASE . '/local/lib/varnish/libvgz.so',
+ VARNISH_LOCALBASE . '/local/lib/libvgz.so');
+ }
}
function varnish_deinstall() {
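Review bot: The symlink block in varnish_install tests only libvarnish.so before creating all four links, and `@` swallows every failure, so a partially present library set leaves nothing in the log. With the fallback `define('VARNISH_LOCALBASE','/usr/local')` just above the hunk the source path becomes `/usr/local/local/lib/varnish/...`, which presumably only exists in the PBI layout; the intent deserves a comment and the guard should be per file, as below. varnish_deinstall is cut off below the hunk, so I cannot see whether the links are removed there.
```php
    create_varnish_rcd_file();
    // PBI layout keeps the shared libs under <localbase>/local/lib/varnish;
    // expose them on the default library search path.
    $libdir = VARNISH_LOCALBASE . '/local/lib/varnish';
    foreach (array('libvarnish', 'libvarnishcompat', 'libvcl', 'libvgz') as $lib) {
        $src = "{$libdir}/{$lib}.so";
        $dst = VARNISH_LOCALBASE . "/local/lib/{$lib}.so";
        if (file_exists($src) && !file_exists($dst) && !@symlink($src, $dst))
            log_error("[varnish] could not link {$src} to {$dst}");
    }
```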
@@ -117,14 +131,51 @@ function varnish_deinstall() {
}
function text_area_decode($text){
- return preg_replace('/\r\n/', "\n",base64_decode($text));
+ return preg_replace('/\r\n/', "\n",base64_decode($text));
}
-function varnish_start() {
+
+function varnish_check_config(){
+ global $savemsg,$config;
+
+ if (!isset($config['installedpackages']['varnishsettings']['config'][0]['enablevarnish']))
+ return;
+
+ $path = '/usr/bin/env PATH=' . VARNISH_LOCALBASE . '/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin';
+ exec($path . " " . VARNISH_LOCALBASE."/bin/varnishd -C -f ".VARNISH_CONFFILE." 2>&1",$output,$return);
+ if ($return == 0){
+ if (isset($_REQUEST['apply'])){
+ varnish_start(true);
+ return;
+ }
+
+ if (file_exists(VARNISH_DIRTYPATH))
+ $savemsg="Varnish configuration has been changed.<br>You must apply in order to take effect.<br>";
+ }
+ else{
+ $savemsg.= implode("<br>",$output);
+ $savemsg.= "<br>Daemon will not be restarted.";
+ return 1;
+ }
+ return 0;
+}
+
+
+function varnish_start($force_start=false) {
global $g, $config;
+
+ if ($force_start){
+ mwexec("/usr/local/etc/rc.d/varnish.sh");
+ unlink_if_exists(VARNISH_DIRTYPATH);
+ return;
+ }
+
if ($config['installedpackages']['varnishsettings']['config'][0]['enablevarnish']){
exec("chmod +x /usr/local/etc/rc.d/varnish.sh");
- mwexec("/usr/local/etc/rc.d/varnish.sh");}
- else{
+ if (varnish_check_config() == 0 || $force_start){
+ unlink_if_exists(VARNISH_DIRTYPATH);
+ mwexec("/usr/local/etc/rc.d/varnish.sh");
+ }
+ }else{
exec("chmod -x /usr/local/etc/rc.d/varnish.sh");
mwexec("/usr/bin/killall varnishd");}
}
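Review bot: varnish_check_config returns nothing from its apply branch, and `null == 0` is true in PHP, so when sync_package_varnish runs with apply set the chain varnish_start() → varnish_check_config() → varnish_start(true) starts the daemon and then the caller's `if (varnish_check_config() == 0 || $force_start)` runs the rc script a second time; the `|| $force_start` there is also dead because the forced path already returned at the top of varnish_start. Returning a distinct value from that branch and comparing strictly, `return 2;` and `if (varnish_check_config() === 0)`, keeps it to one start per apply. The `varnishd -C` output appended to `$savemsg` reaches print_info_box unescaped and quotes the offending VCL line, which can contain text from the base64 custom-VCL fields, so wrap it: `$savemsg .= nl2br(htmlspecialchars(implode("\n", $output)));`. The apply test is spelled `$_REQUEST['apply']` here and `$_POST["apply"]` in the sync_package_varnish hunk; use the same superglobal in both.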
@@ -160,8 +211,15 @@ function varnish_get_url_mappings_txt() {
$urlmappings .= "if (req.http.host $fieldtype ".'"'.$url['directorurl'].'") {'."\n";
else
$urlmappings .= "if (req.http.host $fieldtype ".'"'.$url['directorurl'].'"'." && req.url $fieldtype ".'"^'.$url['directorurl2'].'") {'."\n";
-
+
$urlbackend = "\t\t\tset req.backend = ".$url['directorname'].";";
+ // check force ssl option
+ if ($url['forcessl']){
+ $urlmappings .="\t\t#Force ssl for this host/director\n";
+ $urlmappings .="\t\tif((req.http.X-Forwarded-Proto !~ \"(?i)https\" ) && !(client.ip ~ SslOffloadServers)){\n";
+ $urlmappings .="\t\t\tset req.http.x-redir-url = \"https://\" + req.http.host + req.url;\n";
+ $urlmappings .="\t\t\terror 750 req.http.x-redir-url;\n\t\t\t}\n";
+ }
// check rewrite options
if ($url['rewritehost'])
$urlmappings .= "\t\t\tset req.http.host = regsub(req.http.host, ".'"'.$url['directorurl'].'",'.'"'.$url['rewritehost'].'")'.";\n";
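Review bot: The forcessl rule emits `client.ip ~ SslOffloadServers`, but `acl SslOffloadServers` is only generated when the settings field ssloffload is non-empty (the ACL hunk in sync_package_varnish), so a director with Force SSL and no offload servers configured produces VCL that `varnishd -C` rejects; the xforward 'create' hunk has the same dependency. Emitting the ACL unconditionally, with `"localhost"` as its only member when the field is empty, removes that failure mode. The redirect target is `"https://" + req.http.host + req.url`, i.e. the client-supplied Host header, which is fine for an exact host match but, when `$fieldtype` is the regex operator, any Host that merely contains the configured name is redirected to itself; using the configured directorurl as the Location host for exact matches, or anchoring the pattern, would close that. varnish_get_url_mappings_txt begins above the hunk, so I cannot see how `$fieldtype` is chosen.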
@@ -202,7 +260,7 @@ function varnish_get_url_mappings_txt() {
$urlmappings .= <<<EOAU
if (req.{$req} {$fieldtype} "{$url['urlmapping']}") {
set req.backend = {$urlmapping['backendname']}BACKEND;{$directo_grace_time}
- }
+ }
EOAU;
$isfirst = false;
@@ -224,33 +282,35 @@ function create_varnish_rcd_file() {
foreach($config['installedpackages']['varnishsettings']['config'] as $vs) {
if($vs['storagetype'] == "malloc")
$storage_type = "-s malloc,{$vs['storagesize']}MB";
- else
+ else
$storage_type = "-s file,/var/varnish/storage.bin,{$vs['storagesize']}MB";
if($vs['listeningport'])
$listeningport = "-a :{$vs['listeningport']}";
- else
+ else
$listeningport = "-a :80";
if($vs['managment'])
$advancedstartup = "-T {$vs['managment']} ";
- else
+ else
$advancedstartup = "";
if($vs['advancedstartup'])
$advancedstartup .= text_area_decode($vs['advancedstartup'])."\n";
if($vs['minworkers'])
$minworkers = "{$vs['minworkers']}";
- else
+ else
$minworkers = "200";
if($vs['maxworkers'])
$maxworkers = "{$vs['maxworkers']}";
- else
+ else
$maxworkers = "4000";
if($vs['timeoutworkers'])
$timeoutworkers = "{$vs['timeoutworkers']}";
- else
- $timeoutworkers = "50";
+ else
+ $timeoutworkers = "50";
}
}
$fd = fopen("/usr/local/etc/rc.d/varnish.sh", "w");
+ $conf_file=VARNISH_CONFFILE;
+ $bin_path=VARNISH_LOCALBASE . '/bin';
$rc_file = <<<EOF
#!/bin/sh
mkdir -p /var/varnish
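Review bot: `$conf_file` and `$bin_path` exist only because a heredoc cannot interpolate a constant; a one-line comment, `// heredoc cannot interpolate constants, so alias them in locals`, saves the next reader from wondering why VARNISH_CONFFILE is copied. The unchecked `fopen("/usr/local/etc/rc.d/varnish.sh", "w")` is pre-existing context, but now that the script is also regenerated from sync_package_varnish a failed open silently leaves the old rc script in place; a checked `file_put_contents` with `log_error`, matching how this commit writes the VCL, would be consistent. create_varnish_rcd_file begins above the hunk and its heredoc continues below it.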
@@ -261,26 +321,25 @@ sysctl kern.ipc.somaxconn=16384
sysctl kern.maxfiles=131072
sysctl kern.maxfilesperproc=104856
sysctl kern.threads.max_threads_per_proc=4096
-/usr/bin/env \
-PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
+export PATH={$bin_path}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDOFF
<?php
- require_once("globals.inc");
+ require_once("globals.inc");
require_once("functions.inc");
require_once("pkg-utils.inc");
require_once("varnish.inc");
sync_package_varnish();
- #varnish_start();
+ unlink_if_exists(VARNISH_DIRTYPATH);
?>
ENDOFF
/usr/local/sbin/varnishd \
{$listeningport} \
- -f /var/etc/default.vcl \
+ -f {$conf_file} \
{$storage_type} \
-w {$minworkers},{$maxworkers},{$timeoutworkers} \
- {$advancedstartup}
+ {$advancedstartup}
EOF;
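Review bot: The generated rc script still launches `/usr/local/sbin/varnishd` (unchanged line in this hunk) while the new varnish_check_config compiles with `VARNISH_LOCALBASE."/bin/varnishd"`; on a PBI install those can be two different binaries, so a VCL that passes `-C` is not necessarily the one the daemon loads. Since `$bin_path` is already exported into PATH here, `{$bin_path}/varnishd \` keeps both call sites on the same executable, assuming the PBI ships varnishd under bin, which I cannot verify from the diff. The embedded php block calls sync_package_varnish(), which after this commit rewrites varnish.sh while it is running; see the note on the sync_package_varnish tail hunk.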
@@ -296,15 +355,15 @@ function get_backend_config_txt() {
foreach($config['installedpackages']['varnishbackends']['config'] as $backend) {
if ($backend['connect_timeout'])
$connect_timeout = $backend['connect_timeout'] . "s";
- else
+ else
$connect_timeout = "25s";
if ($backend['port'])
$connect_port = $backend['port'];
- else
+ else
$connect_port = "80";
if ($backend['first_byte_timeout'])
$first_byte_timeout = $backend['first_byte_timeout'] . "s";
- else
+ else
$first_byte_timeout = "300s";
if ($backend['probe_url'])
if (preg_match("@^(http)://([a-zA-Z0-9.-]*)/(.*)$@",$backend['probe_url'],$matches)){
@@ -386,7 +445,7 @@ function get_lb_directors_config_txt() {
$weight = "\t\t.weight = {$be['weight']};\n";
elseif($weight != " ")
$weight = "\t\t.weight = 100;\n";
-
+
$director .= "\t{\n\t\t.backend = {$be['backendname']}BACKEND;\n{$weight}\t}";
$backends_in_use[$be['backendname']].= $backend['directorname']." ";
}
@@ -397,7 +456,7 @@ director {$backend['directorname']} {$backend['directortype']} {
EOFA;
-
+
}
}
}
@@ -406,6 +465,12 @@ EOFA;
function sync_package_varnish() {
global $config, $g;
+
+ if (isset($_POST["apply"])){
+ varnish_start();
+ unlink_if_exists(VARNISH_DIRTYPATH);
+ return;
+ }
if (is_array($config['installedpackages']['varnishcustomvcl']['config'])) {
foreach($config['installedpackages']['varnishcustomvcl']['config'] as $vcl) {
if ($vcl['vcl_recv_early'])
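Review bot: The apply short-circuit tests `$_POST["apply"]` while varnish_check_config tests `$_REQUEST['apply']`, so a plain GET carrying `apply` restarts the daemon from the before-form hook but would regenerate the whole config here; use `$_POST` in both places, since apply is a state-changing action. With apply set this function returns before the VCL is regenerated, which is intended under the dirty-flag flow but deserves a comment: `// apply only restarts the daemon; the VCL was already written when the dirty flag was set`. sync_package_varnish continues below the hunk.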
@@ -422,11 +487,23 @@ function sync_package_varnish() {
$vcl_pipe_late = text_area_decode($vcl['vcl_pipe_late']);
}
}
- $vcl_recv_set_basic='#BASIC VCL RULES SETTING'."\n";
- $vcl_recv_action_basic='#BASIC VCL RULES ACTIONS'."\n";
- #$plataform=posix_uname();
- if (is_array($config['installedpackages']['varnishsettings']['config']))
- foreach($config['installedpackages']['varnishsettings']['config'] as $vcl) {
+
+ $vcl_recv_set_basic='#BASIC VCL RULES SETTING'."\n";
+ $vcl_recv_action_basic='#BASIC VCL RULES ACTIONS'."\n";
+ #$plataform=posix_uname();
+ if (is_array($config['installedpackages']['varnishsettings']['config']))
+ foreach($config['installedpackages']['varnishsettings']['config'] as $vcl) {
+ if ($vcl['ssloffload']){
+ $vcl_acls="acl SslOffloadServers {\n\t\"localhost\";";
+ $sslservers= split (" ",$vcl['ssloffload']);
+ foreach ($sslservers as $sslserver){
+ if (preg_match("/(\S+)\/(d+)/",$sslserver,$sslm))
+ $vcl_acls.="\n\t\"{$sslm[1]}\"/{$sslm[2]};";
+ else
+ $vcl_acls.="\n\t\"{$sslserver}\";";
+ }
+ $vcl_acls.="\n\t}\n";
+ }
if ($vcl['streaming'])
$vcl_fetch_stream="set beresp.do_stream = true;\n";
if ($vcl['fixgzip']) {
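Review bot: The CIDR test `preg_match("/(\S+)\/(d+)/",$sslserver,$sslm)` has `(d+)` where `(\d+)` is meant, so a `network/24` entry never matches and is emitted as `"network/24";`, which is not valid ACL syntax; anchor it too: `if (preg_match("/^(\S+)\/(\d+)$/",$sslserver,$sslm))`. `split()` is deprecated since PHP 5.3 and removed in 7; `preg_split('/\s+/', trim($vcl['ssloffload']))` also tolerates repeated spaces, which currently yield an empty `"";` entry. Nothing in varnish_settings_post_validate checks this field, and each entry is interpolated into the VCL between double quotes, so a loop over the entries using `is_ipaddr`/`is_subnet` (already used for backends) would reject malformed or quote-containing values before they break compilation.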
@@ -463,7 +540,9 @@ function sync_package_varnish() {
$vcl_recv_set_basic .= "\tset req.http.X-Forwarded-For = req.http.X-Forwarded-For + \",\" + client.ip;\n\n";
break;
case 'create':
- $vcl_recv_set_basic .= "\tset req.http.X-Forwarded-Varnish = client.ip;\n\n";
+ $vcl_recv_set_basic .= "\tif (req.http.X-Forwarded-For && client.ip ~ SslOffloadServers){\n\t\t";
+ $vcl_recv_set_basic .= "set req.http.X-Forwarded-Varnish = req.http.X-Forwarded-For;\n\t}";
+ $vcl_recv_set_basic .= "else{\n\t\tset req.http.X-Forwarded-Varnish = client.ip;\n\n\t}";
break;
case 'unset':
$vcl_recv_set_basic .= "\tunset req.http.X-Forwarded-For;\n\n";
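Review bot: The emitted `else{ ... }` string ends with `\n\n\t}` and no newline, so whatever `$vcl_recv_set_basic` receives next lands on the closing-brace line; VCL tolerates it, but the generated file (now shown line-numbered by the view-config page) becomes hard to read — end it with `"...\n\n\t}\n"`. Trusting X-Forwarded-For only from SslOffloadServers is the right call, and a comment stating it, `// only trust XFF from the configured offload servers`, protects it from a later "simplification". The ACL referenced here is only generated when ssloffload is set; see the note on the forcessl hunk.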
@@ -478,7 +557,7 @@ function sync_package_varnish() {
$vcl_fetch_session = "#Disable cache when backend is starting a session\n";
$vcl_fetch_session .= "\t".'if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(PHPSESSID|phpsessid)") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n";
$vcl_fetch_session .= "\t".'if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(JSESSION|jsession)") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n";
-
+
if ($vcl['sessioncache'] == "never") {
$vcl_recv_session = "\t#Disable session cache\n";
$vcl_recv_session .= "\t".'if (req.http.Cookie && req.http.Cookie ~ "(PHPSESSID|phpsessid)") {'."\n\t\treturn(pass);\n\t\t}\n";
@@ -498,7 +577,7 @@ function sync_package_varnish() {
$vcl_fetch_static = "#Enable static cache\n";
$vcl_fetch_static .= 'if (req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {'."\n\tunset beresp.http.set-cookie;\n\t}\n";
$vcl_fetch_static .= 'if (req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {'."\n\tunset beresp.http.set-cookie;\n\t}\n";
-
+
switch ($vcl['staticache']) {
case "all":
// cache all static content, unseting cookie when present
@@ -515,7 +594,7 @@ function sync_package_varnish() {
$vcl_recv_action_basic .= $vcl_recv_static.$vcl_recv_session;
$vcl_fetch_action = $vcl_fetch_session;
}
-
+
if ($vcl['rfc2616']) {
$vcl_recv_action_basic .= "\t#Be rfc2616 compliant\n";
$vcl_recv_action_basic .= "\t".'if (req.request ~ "^(GET|HEAD|PUT|POST|TRACE|OPTIONS|DELETE)$") {'."\n\t\treturn(lookup);\n\t\t}\n\telse\t{\n\t\treturn(pipe);\n\t\t}\n";
@@ -560,24 +639,31 @@ $varnish_config_file = <<<EOF
# Varnish configuration file
# Automatically generated by the pfSense package system
-# This file is located in /var/etc/default.vcl
+# This file is located in {$conf_file}
sub vcl_error {
- if (obj.status == 503 && req.restarts < {$vcl_restarts}) {
- return(restart);
+ if (obj.status == 503 && req.restarts < {$vcl_restarts}) {
+ return(restart);
}
-
+
+ if (obj.status == 750) {
+ set obj.http.Location = obj.response;
+ set obj.status = 301;
+ return(deliver);
+ }
+
set obj.http.Content-Type = "text/html; charset=utf-8";
synthetic {"<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
{$errorvcl}"};
return(deliver);
-
+
}
-
+
{$backends}
{$vcl_hash}
+{$vcl_acls}
sub vcl_recv {
{$vcl_recv_early}
{$vcl_recv_set_basic}
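Review bot: The 750 handler copies `obj.response` straight into Location; that value is `req.http.x-redir-url`, built from the client-supplied Host header in varnish_get_url_mappings_txt, so the redirect target is attacker-influenced whenever the host match is not exact (see the forcessl hunk). A 301 is also cached by browsers, which makes a mis-scoped redirect hard to undo; `set obj.status = 302;` is the safer default until the matching is anchored. The generated VCL would read better with a comment above the block, `# 750 is raised by the force-ssl rule to redirect http to https`.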
@@ -588,7 +674,7 @@ sub vcl_recv {
{
return(pass);
}
-
+
{$vcl_recv_action_basic}
return(lookup);
}
@@ -623,12 +709,12 @@ sub vcl_fetch {
## If the number of restarts reaches the value of the parameter max_restarts,
## the request will be error'ed. max_restarts defaults to 4. This prevents
## an eternal loop in the event that, e.g., the object does not exist at all.
- if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404 &&
+ if (beresp.status != 200 && beresp.status != 403 && beresp.status != 404 &&
beresp.status != 303 && beresp.status != 302 && beresp.status != 301 && beresp.status != 401 ) {
{$vcl_saint_mode}return(restart);
}
-
+
{$vcl_fetch_late}
{$vcl_grace_time}return(deliver);
}
@@ -636,10 +722,10 @@ sub vcl_fetch {
sub vcl_deliver {
##set resp.http.X-Served-By = server.hostname;
if (obj.hits > 0) {
- set resp.http.X-Cache = "HIT";
+ set resp.http.X-Cache = "HIT";
set resp.http.X-Cache-Hits = obj.hits;
} else {
- set resp.http.X-Cache = "MISS";
+ set resp.http.X-Cache = "MISS";
}
return(deliver);
}
@@ -647,26 +733,28 @@ sub vcl_deliver {
sub vcl_init {
return (ok);
}
-
+
sub vcl_fini {
return (ok);
-}
+}
EOF;
- file_put_contents("/var/etc/default.vcl",$varnish_config_file,LOCK_EX);
- $cc_file="/usr/local/bin/cc";
+ file_put_contents(VARNISH_CONFFILE,$varnish_config_file,LOCK_EX);
+ touch(VARNISH_DIRTYPATH);
+ varnish_sync_on_changes();
+
+ $cc_file=VARNISH_LOCALBASE."/bin/cc";
foreach (glob(VARNISH_LOCALBASE."/bin/gcc*") as $bin_file) {
+ if (strpos($bin_file, '.pbiopt') != FALSE)
+ continue;
$gcc_file=$bin_file;
}
if (!file_exists($cc_file) && file_exists($gcc_file)){
symlink($gcc_file,$cc_file);
}
-
- $fd = fopen("/var/etc/default.vcl", "w");
- fwrite($fd, $varnish_config_file);
- fclose($fd);
- varnish_sync_on_changes();
+ create_varnish_rcd_file();
+
}
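Review bot: sync_package_varnish now calls create_varnish_rcd_file(), and the rc script generated there runs sync_package_varnish() from its embedded php (see the rc-file hunk), so at boot the shell script rewrites itself in place with `fopen(..., "w")` while sh is still reading it; truncating a running script's inode can make the shell read a shifted or partial tail. Writing to a temporary file and `rename()`-ing it over varnish.sh (new inode, the open one survives) avoids that, or the rc script could request a no-rewrite sync. `strpos($bin_file, '.pbiopt') != FALSE` should be `!== false`; it only works because the glob prefix makes offset 0 impossible. `$gcc_file` is undefined when the glob matches nothing, so `file_exists($gcc_file)` warns; initialise `$gcc_file = '';` before the loop.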
/* Uses XMLRPC to synchronize the changes to a remote node */
@@ -697,7 +785,7 @@ function varnish_sync_on_changes() {
log_error("[varnish] xmlrpc sync is enabled but there is no system backup hosts to push varnish config.");
return;
}
- break;
+ break;
default:
return;
break;
@@ -721,16 +809,16 @@ function varnish_sync_on_changes() {
/* Do the actual XMLRPC sync */
function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) {
global $config, $g;
-
+
if(!$username)
return;
-
+
if(!$password)
return;
if(!$sync_to_ip)
return;
-
+
if(!$synctimeout)
$synctimeout=25;
@@ -742,9 +830,9 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout)
$port = $config['system']['webgui']['port'];
/* if port is empty lets rely on the protocol selection */
if($port == "") {
- if($config['system']['webgui']['protocol'] == "http")
+ if($config['system']['webgui']['protocol'] == "http")
$port = "80";
- else
+ else
$port = "443";
}
$synchronizetoip .= $sync_to_ip;
@@ -755,7 +843,7 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout)
$xml['varnishbackends'] = $config['installedpackages']['varnishbackends'];
$xml['varnishlbdirectors'] = $config['installedpackages']['varnishlbdirectors'];
$xml['varnishsettings'] = $config['installedpackages']['varnishsettings'];
-
+
/* assemble xmlrpc payload */
$params = array(
XML_RPC_encode($password),
@@ -786,7 +874,7 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout)
} else {
log_error("varnish XMLRPC sync successfully completed with {$url}:{$port}.");
}
-
+
/* tell varnish to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/varnish.inc');\n";
@@ -796,7 +884,7 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout)
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
-
+
log_error("varnish XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -815,7 +903,7 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout)
} else {
log_error("varnish XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
-
+
}
?>
diff --git a/config/varnish3/varnish.widget.php b/config/varnish3/varnish.widget.php
index 35723e95..c6fdfe78 100755
--- a/config/varnish3/varnish.widget.php
+++ b/config/varnish3/varnish.widget.php
@@ -1,7 +1,7 @@
-<?php
+<?php
/*
Copyright 2011 Thomas Schaefer - Tomschaefer.org
- Copyright 2011 Marcello Coutinho
+ Copyright 2011-2014 Marcello Coutinho
Part of pfSense widgets (www.pfsense.org)
Redistribution and use in source and binary forms, with or without
@@ -45,38 +45,59 @@ $img['Healthy']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up
#var_dump($pfb_table);
#exit;
-?><div id='varnish'><?php
+?><div id='varnish'><?php
open_table();
+print "<pre>";
+print "<td class=\"vncellt\"width=30%><strong>Cache hits</strong></td>";
+print "<td class=\"vncellt\"width=30%><strong>Cache hits pass</strong></td>";
+print "<td class=\"vncellt\"width=30%><strong>Cache Missed</strong></td></tr>";
+$backends=exec("varnishstat -1",$debug);
+foreach ($debug as $line){
+ if (preg_match("/(\S+)\s+(\d+)/",$line,$matches))
+ $vs[$matches[1]]=$matches[2];
+ }
+print "<td class=\"listlr\">".number_format($vs['cache_hit']) ."</td>";
+print "<td class=\"listlr\">".number_format($vs['cache_hitpass']) ."</td>";
+print "<td class=\"listlr\">".number_format($vs['cache_miss'])."</td></tr>";
+close_table();
+
+open_table();
+print "<td class=\"vncellt\" width=30%><strong>Conn. Accepted</strong></td>";
+print "<td class=\"vncellt\" width=30%><strong>Req. received</strong></td>";
+print "<td class=\"vncellt\" width=30%><strong>Uptime</strong></td></tr>";
+print "<td class=\"listlr\">".number_format($vs['client_conn']) ."</td>";
+print "<td class=\"listlr\">".number_format($vs['client_req']) ."</td>";
+print "<td class=\"listlr\">".(int)($vs['uptime'] / 86400) . "+ ". gmdate("H:i:s",($vs['uptime'] % 86400))."</td></tr>";
+close_table();
+
+open_table();
+print "<td class=\"vncellt\" width=70%><strong>Host</strong></td>";
+print "<td class=\"vncellt\" width=15%><strong>Header(Rx)</strong></td>";
+print "<td class=\"vncellt\" width=15%><strong>Header(Tx)</strong></td></tr>";
+unset($debug);
+$backends=exec("varnishtop -I '^Host:' -1",$debug);
+foreach ($debug as $line){
+ if (preg_match("/(\S+)\s+(\w+)Header.Host: (\S+)/",$line,$lm))
+ $varnish_hosts[$lm[3]][$lm[2]]=$lm[1];
+}
+if (is_array($varnish_hosts)){
+ foreach ($varnish_hosts as $v_key=>$v_value){
+ print "<td class=\"listlr\">". $v_key ."</td>";
+ print "<td class=\"listlr\" align=\"Right\">". number_format($v_value['Rx']) ."</td>";
+ print "<td class=\"listlr\" align=\"Right\">".number_format($v_value['Tx'])."</td></tr>";
+ }
+}
+else{
+ print "<td class=\"listlr\">No traffic</td><td class=\"listlr\"></td><td class=\"listlr\"></td></tr>";
+}
+
+close_table();
+
+
if ($config['installedpackages']['varnishsettings']['config'][0])
- $mgm=$config['installedpackages']['varnishsettings']['config'][0]['managment'];
+ $mgm=$config['installedpackages']['varnishsettings']['config'][0]['managment'];
if ($mgm != ""){
- print "<pre>";
- print "<td class=\"vncellt\"width=30%><strong>Cache hits</strong></td>";
- print "<td class=\"vncellt\"width=30%><strong>Cache hits pass</strong></td>";
- print "<td class=\"vncellt\"width=30%><strong>Cache Missed</strong></td></tr>";
-
- $backends=exec("varnishadm -T " . escapeshellarg($mgm) . " stats",$debug);
- foreach ($debug as $line){
- if (preg_match("/(\d+)\s+Cache\s+(hits.for|hits|misses)/",$line,$matches))
- $cache[preg_replace("/\s+/","",$matches[2])]=$matches[1];
- if (preg_match("/(\d+)\s+Client\s+(\w+)/",$line,$matches))
- $client[$matches[2]]=$matches[1];
- }
- print "<td class=\"listlr\">".$cache['hits'] ."</td>";
- print "<td class=\"listlr\">".$cache['hitsfor'] ."</td>";
- print "<td class=\"listlr\">".$cache['misses']."</td></tr>";
- close_table();
-
- open_table();
- print "<td class=\"vncellt\" width=30%><strong>Conn. Accepted</strong></td>";
- print "<td class=\"vncellt\" width=30%><strong>Req. received</strong></td>";
- print "<td class=\"vncellt\" width=30%><strong>Uptime</strong></td></tr>";
- print "<td class=\"listlr\">".$client['connections'] ."</td>";
- print "<td class=\"listlr\">".$client['requests'] ."</td>";
- print "<td class=\"listlr\">".$client['uptime']."</td></tr>";
- close_table();
-
open_table();
print "<td class=\"vncellt\" width=30%><strong>Backend</strong></td>";
print "<td class=\"vncellt\" width=30%><strong>LB applied</strong></td>";
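Review bot: `$v_key` in the Host row is a Host header value harvested from live traffic by varnishtop and printed into the dashboard without escaping, so any client that sends a crafted Host header to the Varnish listener injects markup into the administrator's dashboard (stored XSS); escape it, `print "<td class=\"listlr\">". htmlspecialchars($v_key) ."</td>";`, and the same treatment is cheap insurance for the other cells. `$vs` and `$varnish_hosts` are never initialised, so a stopped varnishd (empty `$debug`) produces undefined-index notices in every cell; `$vs = array(); $varnish_hosts = array();` before the loops fixes that. `varnishstat`/`varnishtop` are resolved through the web server's PATH here, whereas varnish_check_config builds an explicit PATH including VARNISH_LOCALBASE/bin, presumably for PBI installs, which this widget would then also need.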
@@ -86,20 +107,20 @@ if ($mgm != ""){
foreach ($lb['row'] as $lb_backend){
${$lb_backend['backendname']}++;
}
- }
- $backends=exec("varnishadm -T " . escapeshellarg($mgm) . " debug.health",$debug);
+ }
+ $backends=exec("varnishadm -T " . escapeshellarg($mgm) . " debug.health",$debug);
foreach ($debug as $line){
if (preg_match("/Backend (.*) is (\w+)/",$line,$matches)){
$backend=preg_replace("/BACKEND$/","",$matches[1]);
print "<td class=\"listlr\">". $backend ."</td>";
print "<td class=\"listlr\">". ${$backend} ."</td>";
- print "<td class=\"listlr\">".$img[$matches[2]]."</td></tr>";
+ print "<td class=\"listlr\">".$img[$matches[2]]."</td></tr>";
}
}
}
else{
print "<td class=\"listlr\">Varnish Managment interface not set in config.</td></tr>";
-}
+}
echo" </tr>";
echo"</table></div>";
diff --git a/config/varnish3/varnish_backends.xml b/config/varnish3/varnish_backends.xml
index 1bcb822c..95248cb9 100644
--- a/config/varnish3/varnish_backends.xml
+++ b/config/varnish3/varnish_backends.xml
@@ -9,7 +9,7 @@
varnish_backends.xml
part of pfSense (http://www.pfSense.com)
Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
/*/
/* ========================================================================== */
@@ -293,16 +293,13 @@
varnish_install();
</custom_php_install_command>
<custom_php_command_before_form>
+ varnish_check_config();
</custom_php_command_before_form>
<custom_delete_php_command>
sync_package_varnish();
- create_varnish_rcd_file();
- varnish_start();
</custom_delete_php_command>
<custom_php_resync_config_command>
sync_package_varnish();
- create_varnish_rcd_file();
- varnish_start();
</custom_php_resync_config_command>
<custom_php_validation_command>
varnish_backends_post_validate($_POST, $input_errors);
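Review bot: `varnish_check_config()` in custom_php_command_before_form spawns `varnishd -C` on every render of this form, and custom_vcl, lb_directors, settings and sync add the same hook, so each GET of those pages forks the compiler even when nothing changed; testing `file_exists(VARNISH_DIRTYPATH)` inside varnish_check_config before the exec would confine the cost to pages with a pending change. The hook also relies on pkg_edit.php printing the global `$savemsg` after evaluating this command, which I believe it does but cannot confirm from the diff. Dropping the restarts from delete/resync is consistent with the new dirty-flag flow.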
diff --git a/config/varnish3/varnish_custom_vcl.xml b/config/varnish3/varnish_custom_vcl.xml
index c0bb0e80..4950c6ed 100644
--- a/config/varnish3/varnish_custom_vcl.xml
+++ b/config/varnish3/varnish_custom_vcl.xml
@@ -9,7 +9,7 @@
varnish_settings.xml
part of pfSense (http://www.pfSense.com)
Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2013 Marcello Coutinho
+ Copyright (C) 2013-2014 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
@@ -169,11 +169,12 @@
<encoding>base64</encoding>
</field>
</fields>
+ <custom_php_command_before_form>
+ varnish_check_config();
+ </custom_php_command_before_form>
<custom_php_validation_command>
</custom_php_validation_command>
<custom_php_resync_config_command>
sync_package_varnish();
- create_varnish_rcd_file();
- varnish_start();
</custom_php_resync_config_command>
</packagegui> \ No newline at end of file
diff --git a/config/varnish3/varnish_lb_directors.xml b/config/varnish3/varnish_lb_directors.xml
index 1946860c..c8868ec4 100644
--- a/config/varnish3/varnish_lb_directors.xml
+++ b/config/varnish3/varnish_lb_directors.xml
@@ -9,7 +9,7 @@
varnish_lb_directors.xml
part of pfSense (http://www.pfSense.com)
Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
@@ -130,6 +130,10 @@
<fieldname>grace</fieldname>
</columnitem>
<columnitem>
+ <fielddescr>SSL</fielddescr>
+ <fieldname>forcessl</fieldname>
+ </columnitem>
+ <columnitem>
<fielddescr>Failover</fielddescr>
<fieldname>failover</fieldname>
</columnitem>
@@ -197,6 +201,13 @@
<type>input</type>
<size>5</size>
</field>
+ <field>
+ <fielddescr>Force SSL</fielddescr>
+ <fieldname>forcessl</fieldname>
+ <description><![CDATA[Redirect to ssl if request does not came from ssl offload servers.]]></description>
+ <type>checkbox</type>
+ <size>5</size>
+ </field>
<field>
<fielddescr>Additions options</fielddescr>
<fieldname>customapping</fieldname>
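Review bot: The description reads `does not came from ssl offload servers`; `Redirect to https if the request did not come from an SSL offload server.` is clearer. It should also say that the option depends on the "SSL Offload server ACL" field on the settings page, because the generated rule references that ACL and the VCL does not compile without it (see the varnish.inc notes).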
@@ -261,16 +272,13 @@
</field>
</fields>
<custom_php_command_before_form>
+ varnish_check_config();
</custom_php_command_before_form>
<custom_delete_php_command>
sync_package_varnish();
- create_varnish_rcd_file();
- varnish_start();
</custom_delete_php_command>
<custom_php_resync_config_command>
sync_package_varnish();
- create_varnish_rcd_file();
- varnish_start();
</custom_php_resync_config_command>
<custom_php_validation_command>
varnish_lb_directors_post_validate($_POST, $input_errors);
diff --git a/config/varnish3/varnish_settings.xml b/config/varnish3/varnish_settings.xml
index a5ff5ef9..accfaae8 100644
--- a/config/varnish3/varnish_settings.xml
+++ b/config/varnish3/varnish_settings.xml
@@ -9,7 +9,7 @@
varnish_settings.xml
part of pfSense (http://www.pfSense.com)
Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2011 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
@@ -223,7 +223,7 @@
<field>
<fielddescr>Foward client IP</fielddescr>
<fieldname>xforward</fieldname>
- <description>Select how to forward clients real IP.</description>
+ <description><![CDATA[Select how to forward clients real IP.]]></description>
<type>select</type>
<options>
<option><name>set X-Forwarded-For</name><value>set</value></option>
@@ -233,6 +233,15 @@
</options>
</field>
<field>
+ <fielddescr>SSL Offload server ACL</fielddescr>
+ <fieldname>ssloffload</fieldname>
+ <description><![CDATA[Use <b>x-forwarded-for</b> var instead of <b>client.ip</b> to set <b>X-Forwarded-Varnish</b> on Forward<br>
+ SSL offload servers must be configured to forward client info. if not set you can get a blank var forwarded to backend.<br>
+ use space to specify more then one host or network.]]></description>
+ <type>input</type>
+ <size>30</size>
+ </field>
+ <field>
<fielddescr>Fetch Grace</fielddescr>
<fieldname>grace</fieldname>
<description><![CDATA[<a href="https://www.varnish-cache.org/trac/wiki/VCLExampleGrace">How many time varnish will keep cached objects.</a> HINT 60s, 30m, 1h]]></description>
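Review bot: The description never states the accepted format, while the parser behind it expects `host` or `network/prefix` entries separated by single spaces; say so, e.g. `Space-separated list of IP addresses or networks (host or network/prefix) whose X-Forwarded-For header is trusted.` Minor wording: `more then one` → `more than one`, and `if not set you can get a blank var` → `if they are not, an empty value is forwarded to the backend`.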
@@ -274,10 +283,13 @@
<encoding>base64</encoding>
</field>
</fields>
+ <custom_php_command_before_form>
+ varnish_check_config();
+ </custom_php_command_before_form>
+
<custom_php_resync_config_command>
sync_package_varnish();
create_varnish_rcd_file();
- varnish_start();
</custom_php_resync_config_command>
<custom_php_validation_command>
varnish_settings_post_validate($_POST, $input_errors);
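Review bot: `create_varnish_rcd_file();` after `sync_package_varnish();` is now redundant, since sync_package_varnish calls it itself at the end of this commit's varnish.inc change, so the rc script is written twice per save; drop the explicit call here as the other XML files do. If the intent is that settings changes must regenerate the script even when the sync short-circuits on apply, a comment saying so belongs next to the call.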
diff --git a/config/varnish3/varnish_sync.xml b/config/varnish3/varnish_sync.xml
index d81851b1..c5b4b69c 100644
--- a/config/varnish3/varnish_sync.xml
+++ b/config/varnish3/varnish_sync.xml
@@ -9,7 +9,7 @@
varnish_sync.xml
part of pfSense (http://www.pfSense.com)
Copyright (C) 2008 Scott Ullrich <sullrich@gmail.com>
- Copyright (C) 2011-2013 Marcello Coutinho
+ Copyright (C) 2011-2014 Marcello Coutinho
All rights reserved.
*/
/* ========================================================================== */
@@ -136,5 +136,6 @@
</custom_php_resync_config_command>
<custom_php_command_before_form>
unset($_POST['temp']);
+ varnish_check_config();
</custom_php_command_before_form>
</packagegui> \ No newline at end of file
diff --git a/config/varnish3/varnish_view_config.php b/config/varnish3/varnish_view_config.php
index 69a9fabb..30765756 100644
--- a/config/varnish3/varnish_view_config.php
+++ b/config/varnish3/varnish_view_config.php
@@ -28,7 +28,7 @@
*/
require("guiconfig.inc");
-
+require("varnish.inc");
$pf_version=substr(trim(file_get_contents("/etc/version")),0,3);
if ($pf_version < 2.0)
$one_two = true;
@@ -44,10 +44,10 @@ include("head.inc");
<p class="pgtitle"><?=$pgtitle?></font></p>
<?php endif; ?>
-<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php varnish_check_config();if ($savemsg) print_info_box($savemsg); ?>
<form action="varnishstat_view_config.php" method="post">
-
+
<div id="mainlevel">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr><td>
@@ -70,9 +70,10 @@ include("head.inc");
<tr>
<td class="tabcont" >
<textarea id="varnishlogs" rows="50" cols="100%">
-<?php
- $config_file = file_get_contents("/var/etc/default.vcl");
- echo $config_file;
+<?php
+ $config_file = file("/var/etc/default.vcl");
+ foreach ($config_file as $l => $v)
+ echo ($l+1)." - {$v}";
?>
</textarea>
</td>
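Review bot: The page now requires varnish.inc, which defines VARNISH_CONFFILE, yet still reads the hard-coded `/var/etc/default.vcl`; use the constant so the viewer follows whatever path the writer uses. The lines are echoed into the textarea raw, and the VCL contains the base64 custom-VCL fields verbatim, so a `</textarea>` in them breaks the page: `echo ($l+1)." - ".htmlspecialchars($v);`. `file()` returns false when the file is missing, which makes the foreach warn on a fresh install; `$config_file = file_exists(VARNISH_CONFFILE) ? file(VARNISH_CONFFILE) : array();` covers a not-yet-generated config.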
diff --git a/config/varnish3/varnishstat.php b/config/varnish3/varnishstat.php
index 10d9ceb9..aa6827a8 100644
--- a/config/varnish3/varnishstat.php
+++ b/config/varnish3/varnishstat.php
@@ -1,8 +1,9 @@
<?php
/*
- varnishstat_view_logs.php
+ varnishstat.php
part of pfSense (https://www.pfsense.org/)
Copyright (C) 2006 Scott Ullrich <sullrich@gmail.com>
+ Copyright (C) 2014 Marcello Coutinho
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -28,11 +29,45 @@
*/
require("guiconfig.inc");
-
+require("varnish.inc");
+function open_table(){
+ echo "<table style=\"padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">";
+ echo" <tr>";
+}
+function close_table(){
+ echo" </tr>";
+ echo"</table>";
+ echo "<br>";
+}
if($_REQUEST['getactivity']) {
- $varnishstatlogs = `varnishstat -1`;
+ //$varnishstatlogs = `varnishstat -1`;
+ $backends=exec("varnishstat -1",$debug);
echo "<h2>VarnishSTAT Server logs as of " . date("D M j G:i:s T Y") . "</h2>";
- echo $varnishstatlogs;
+ open_table();
+ print "<td class=\"vncellt\" width=30%><strong>Description</strong></td>";
+ print "<td class=\"vncellt\" width=15%><strong>Count</strong></td>";
+ print "<td class=\"vncellt\" width=15%><strong></strong></td>";
+ print "<td width=20%></td><td width=20%></td></tr>";
+ foreach ($debug as $line){
+ if (!preg_match("/^VBE/",$line,$lm) &&
+ preg_match("/(\S+)\s+(\S+)\s+(\S+)\s+(.*)/",$line,$lm))
+ $varnish_stats[]=$lm;
+ }
+ unset($debug);
+ if (is_array($varnish_stats)){
+ foreach ($varnish_stats as $v){
+ print "<td class=\"listlr\"> $v[4] ($v[1])</td>";
+ print "<td class=\"listlr\" align=\"Right\">". @number_format($v[2]) ."</td>";
+ print "<td class=\"listlr\" align=\"Right\">$v[3]</td>";
+ print "<td>&nbsp;</td><td>&nbsp;</td></tr>";
+ }
+ }
+ else{
+ print "<td class=\"listlr\">No traffic</td><td class=\"listlr\"></td><td class=\"listlr\"></td></tr>";
+ }
+
+close_table();
+ //echo $varnishstatlogs;
exit;
}
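Review bot: The parsed varnishstat fields are printed unescaped (`$v[4] ($v[1])`, `$v[3]`); the counter names and descriptions come from varnishstat itself, so the risk is low, but the `^VBE` filter shows the output is not entirely static, and `htmlspecialchars` on each cell costs nothing. `$backends` receives exec's last line and is never used; `exec("varnishstat -1", $debug);` says what is meant. `$varnish_stats` stays undefined when nothing matches, so initialise `$varnish_stats = array();` and test `!empty()`. open_table()/close_table() duplicate helpers the widget also calls from wherever the dashboard defines them; if both ever load in one request the redefinition is fatal, so guard them with `if (!function_exists('open_table'))` or move them into varnish.inc.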
@@ -60,9 +95,9 @@ include("head.inc");
}
function activitycallback(transport) {
$('varnishstatlogs').innerHTML = '<font face="Courier"><pre>' + transport.responseText + '</pre></font>';
- setTimeout('getlogactivity()', 2500);
+ setTimeout('getlogactivity()', 2500);
}
- setTimeout('getlogactivity()', 1000);
+ setTimeout('getlogactivity()', 1000);
</script>
<?php include("fbegin.inc"); ?>
@@ -70,7 +105,7 @@ include("head.inc");
<p class="pgtitle"><?=$pgtitle?></font></p>
<?php endif; ?>
-<?php if ($savemsg) print_info_box($savemsg); ?>
+<?php varnish_check_config();if ($savemsg) print_info_box($savemsg); ?>
<div id="mainlevel">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
@@ -93,7 +128,7 @@ include("head.inc");
<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td class="tabcont" >
- <form action="varnishstat_view_logs.php" method="post">
+ <form action="varnishstat.php" method="post">
<div id="varnishstatlogs">
<pre>One moment please, loading VarnishSTAT...</pre>
</div>
diff --git a/config/vnstat2/vnstat2.inc b/config/vnstat2/vnstat2.inc
index 9a684aa1..7418530f 100644
--- a/config/vnstat2/vnstat2.inc
+++ b/config/vnstat2/vnstat2.inc
@@ -248,7 +248,7 @@ function vnstat_php_frontend(){
// see file COPYING or at http://www.gnu.org/licenses/gpl.html
// for more information.
//
- error_reporting(E_ALL | E_NOTICE);
+ //error_reporting(E_ALL | E_NOTICE);
//
// configuration parameters
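Review bot: Commenting out `error_reporting(E_ALL | E_NOTICE)` at L21935 leaves the generated frontend at whatever the interpreter's global setting is, so whether notices reach the browser now depends on php.ini rather than on this file. If the aim is to keep notices out of the page output, `error_reporting(E_ALL & ~E_NOTICE);` states that intent while still reporting real errors; the same commented-out line appears in config.php at L21963. The enclosing vnstat_php_frontend() begins before this hunk.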
diff --git a/config/vnstat2/vnstat_php_frontend/README b/config/vnstat2/vnstat_php_frontend/README
index 20053152..c0259cfa 100644
--- a/config/vnstat2/vnstat_php_frontend/README
+++ b/config/vnstat2/vnstat_php_frontend/README
@@ -26,8 +26,8 @@ explained in config.php.
3. LICENSE
-vnstat PHP frontend 1.5.1
-Copyright (c)2006-2008 Bjorge Dijkstra (bjd@jooz.net)
+vnstat PHP frontend 1.5.2
+Copyright (c)2006-2011 Bjorge Dijkstra (bjd@jooz.net)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/config/vnstat2/vnstat_php_frontend/config.php b/config/vnstat2/vnstat_php_frontend/config.php
index 3a4cd51a..9f2102ac 100644
--- a/config/vnstat2/vnstat_php_frontend/config.php
+++ b/config/vnstat2/vnstat_php_frontend/config.php
@@ -17,10 +17,10 @@
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
//
- // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
// for more information.
//
- error_reporting(E_ALL | E_NOTICE);
+ //error_reporting(E_ALL | E_NOTICE);
//
// configuration parameters
@@ -30,6 +30,9 @@
$locale = 'en_US.UTF-8';
$language = 'en';
+ // Set local timezone
+ date_default_timezone_set("Europe/Amsterdam");
+
// list of network interfaces monitored by vnStat
$iface_list = array('em0', 'em1');
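Review bot: `date_default_timezone_set("Europe/Amsterdam")` at L21970 hard-codes a zone that will rarely match the pfSense host this frontend runs on, and presumably the strftime formats in the lang files are rendered in whatever zone PHP has, so hour and day labels may end up shifted relative to the clock the vnstat data was collected under. Taking the zone from the host, or at least only defaulting it when PHP has none configured, `if (!ini_get('date.timezone')) { date_default_timezone_set('Europe/Amsterdam'); }`, avoids baking one locale's offset into every install.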
@@ -43,7 +46,7 @@
//
// There are two possible sources for vnstat data. If the $vnstat_bin
// variable is set then vnstat is called directly from the PHP script
- // to get the interface data.
+ // to get the interface data.
//
// The other option is to periodically dump the vnstat interface data to
// a file (e.g. by a cronjob). In that case the $vnstat_bin variable
@@ -52,18 +55,23 @@
//
// You can generate vnstat dumps with the command:
// vnstat --dumpdb -i $iface > /path/to/data_dir/vnstat_dump_$iface
- //
+ //
$vnstat_bin = '/usr/local/bin/vnstat';
$data_dir = './dumps';
// graphics format to use: svg or png
$graph_format='svg';
-
+
// Font to use for PNG graphs
define('GRAPH_FONT',dirname(__FILE__).'/VeraBd.ttf');
// Font to use for SVG graphs
define('SVG_FONT', 'Verdana');
- define('DEFAULT_COLORSCHEME', 'pfSense');
-?> \ No newline at end of file
+ // Default theme
+ define('DEFAULT_COLORSCHEME', 'pfSense');
+
+ // SVG Depth scaling factor
+ define('SVG_DEPTH_SCALING', 1);
+
+?>
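Review bot: The comment on `SVG_DEPTH_SCALING` at L22004 says only "depth scaling factor"; since graph_svg.php multiplies its fixed 12/8/6 pixel depths by it, a line such as `// Multiplier for the pseudo-3D depth drawn by graph_svg.php (1 = original 12px base depth; 0 should flatten the bars)` would tell an admin editing this file what the value does. Separately, config.php is only ever required by other scripts, so the trailing `?>` restored at L22007 can be dropped altogether; a closing tag in an include file is the usual way a stray newline ends up in front of the `Content-type` header that graph.php and graph_svg.php send.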
diff --git a/config/vnstat2/vnstat_php_frontend/graph.php b/config/vnstat2/vnstat_php_frontend/graph.php
index fb00be67..3ef72f1a 100644
--- a/config/vnstat2/vnstat_php_frontend/graph.php
+++ b/config/vnstat2/vnstat_php_frontend/graph.php
@@ -17,7 +17,7 @@
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
//
- // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
// for more information.
//
require 'config.php';
@@ -32,7 +32,7 @@
{
return imagecolorallocatealpha($im, $colors[0], $colors[1], $colors[2], $colors[3]);
}
-
+
function init_image()
{
global $im, $xlm, $xrm, $ytm, $ybm, $iw, $ih,$graph, $cl, $iface, $colorscheme, $style;
@@ -42,7 +42,7 @@
//
// image object
- //
+ //
$xlm = 70;
$xrm = 20;
$ytm = 35;
@@ -50,7 +50,7 @@
if ($graph == 'small')
{
$iw = 300 + $xrm + $xlm;
- $ih = 100 + $ytm + $ybm;
+ $ih = 100 + $ytm + $ybm;
}
else
{
@@ -75,10 +75,10 @@
$cl['rx_border'] = allocate_color($im, $cs['rx_border']);
$cl['tx'] = allocate_color($im, $cs['tx']);
$cl['tx_border'] = allocate_color($im, $cs['tx_border']);
-
+
imagefilledrectangle($im,0,0,$iw,$ih,$cl['image_background']);
imagefilledrectangle($im,$xlm,$ytm,$iw-$xrm,$ih-$ybm, $cl['background']);
-
+
$x_step = ($iw - $xlm - $xrm) / 12;
$depth = ($x_step / 8) + 4;
imagefilledpolygon($im, array($xlm, $ytm, $xlm, $ih - $ybm, $xlm - $depth, $ih - $ybm + $depth, $xlm - $depth, $ytm + $depth), 4, $cl['background_2']);
@@ -89,7 +89,7 @@
$bbox = imagettfbbox(10, 0, GRAPH_FONT, $text);
$textwidth = $bbox[2] - $bbox[0];
imagettftext($im, 10, 0, ($iw-$textwidth)/2, ($ytm/2), $cl['text'], GRAPH_FONT, $text);
-
+
}
function draw_border()
@@ -98,16 +98,16 @@
imageline($im, 0, 0,$iw-1, 0, $cl['border']);
imageline($im, 0,$ih-1,$iw-1,$ih-1, $cl['border']);
- imageline($im, 0, 0, 0,$ih-1, $cl['border']);
+ imageline($im, 0, 0, 0,$ih-1, $cl['border']);
imageline($im, $iw-1, 0,$iw-1,$ih-1, $cl['border']);
}
-
+
function draw_grid($x_ticks, $y_ticks)
{
global $im, $cl, $iw, $ih, $xlm, $xrm, $ytm, $ybm;
$x_step = ($iw - $xlm - $xrm) / $x_ticks;
$y_step = ($ih - $ytm - $ybm) / $y_ticks;
-
+
$depth = 10;//($x_step / 8) + 4;
$ls = array($cl['grid_stipple_1'],$cl['grid_stipple_2']);
@@ -119,14 +119,13 @@
}
for ($i=$ytm;$i<=($ih-$ybm); $i += $y_step)
{
- imageline($im, $xlm, $i, $iw - $xrm, $i, IMG_COLOR_STYLED);
+ imageline($im, $xlm, $i, $iw - $xrm, $i, IMG_COLOR_STYLED);
imageline($im, $xlm, $i, $xlm - $depth, $i + $depth, IMG_COLOR_STYLED);
}
imageline($im, $xlm, $ytm, $xlm, $ih - $ybm, $cl['border']);
imageline($im, $xlm, $ih - $ybm, $iw - $xrm, $ih - $ybm, $cl['border']);
}
-
-
+
function draw_data($data)
{
global $im,$cl,$iw,$ih,$xlm,$xrm,$ytm,$ybm;
@@ -168,7 +167,7 @@
{
$prescale = $prescale * 1024;
$y_scale = $y_scale / 1024;
- if ($unit == 'K')
+ if ($unit == 'K')
$unit = 'M';
else if ($unit == 'M')
$unit = 'G';
@@ -178,7 +177,7 @@
}
draw_grid($x_ticks, $y_ticks);
-
+
//
// graph scale factor (per pixel)
//
@@ -187,7 +186,7 @@
if ($data[0] == 'nodata')
{
- $text = 'no data available';
+ $text = T('no data available');
$bbox = imagettfbbox(10, 0, GRAPH_FONT, $text);
$textwidth = $bbox[2] - $bbox[0];
imagettftext($im, 10, 0, ($iw-$textwidth)/2, $ytm + 80, $cl['text'], GRAPH_FONT, $text);
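Review bot: The new translation key `'no data available'` at L22124 has no entry in any of the lang/*.php files visible in this diff (they end at the `datefmt_*` formats), so what the image shows depends on T()'s fallback for a missing key, which is not visible here. Either add `$L['no data available']` to each language file next to `bytes in`/`bytes out`, or confirm T() returns the key itself when the lookup misses so the graph still carries the English text.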
@@ -196,26 +195,26 @@
{
//
// draw bars
- //
+ //
for ($i=0; $i<$x_ticks; $i++)
{
$x = $xlm + ($i * $x_step);
$y = $ytm + ($ih - $ytm - $ybm) - (($data[$i]['rx'] - $offset) / $sf);
-
+
$depth = $x_step / 8;
$space = 0;
-
+
$x1 = $x;
$y1 = $y;
$x2 = $x + $bar_w - $space;
$y2 = $ih - $ybm;
-
+
imagefilledrectangle($im, $x1, $y1, $x2, $y2, $cl['rx']);
imagerectangle($im, $x1, $y1, $x2, $y2, $cl['rx_border']);
-
+
imagefilledrectangle($im, $x1 - $depth, $y1 + $depth, $x2 -$depth, $y2 + $depth, $cl['rx']);
imagerectangle($im, $x1 - $depth, $y1 + $depth, $x2 - $depth, $y2 + $depth, $cl['rx_border']);
-
+
imagefilledpolygon($im, array($x1, $y1, $x2, $y1, $x2 - $depth, $y1 + $depth, $x1 - $depth, $y1 + $depth), 4, $cl['rx']);
imagepolygon($im, array($x1, $y1, $x2, $y1, $x2 - $depth, $y1 + $depth, $x1 - $depth, $y1 + $depth), 4, $cl['rx_border']);
imagefilledpolygon($im, array($x2, $y1, $x2, $y2, $x2 - $depth, $y2 + $depth, $x2 - $depth, $y1 + $depth), 4, $cl['rx']);
@@ -227,16 +226,16 @@
imagefilledrectangle($im, $x1, $y1, $x2, $y2, $cl['tx']);
imagerectangle($im, $x1, $y1, $x2, $y2, $cl['tx_border']);
-
+
imagefilledrectangle($im, $x1 - $depth, $y1 + $depth, $x2 - $depth, $y2 + $depth, $cl['tx']);
- imagerectangle($im, $x1 - $depth, $y1 + $depth, $x2 - $depth, $y2 + $depth, $cl['tx_border']);
-
+ imagerectangle($im, $x1 - $depth, $y1 + $depth, $x2 - $depth, $y2 + $depth, $cl['tx_border']);
+
imagefilledpolygon($im, array($x1, $y1, $x2, $y1, $x2 - $depth, $y1 + $depth, $x1 - $depth, $y1 + $depth), 4, $cl['tx']);
imagepolygon($im, array($x1, $y1, $x2, $y1, $x2 - $depth, $y1 + $depth, $x1 - $depth, $y1 + $depth), 4, $cl['tx_border']);
imagefilledpolygon($im, array($x2, $y1, $x2, $y2, $x2 - $depth, $y2 + $depth, $x2 - $depth, $y1 + $depth), 4, $cl['tx']);
imagepolygon($im, array($x2, $y1, $x2, $y2, $x2 - $depth, $y2 + $depth, $x2 - $depth, $y1 + $depth), 4, $cl['tx_border']);
}
-
+
//
// axis labels
//
@@ -265,11 +264,11 @@
//
imagefilledrectangle($im, $xlm, $ih-$ybm+39, $xlm+8,$ih-$ybm+47,$cl['rx']);
imagerectangle($im, $xlm, $ih-$ybm+39, $xlm+8,$ih-$ybm+47,$cl['text']);
- imagettftext($im, 8,0, $xlm+14, $ih-$ybm+48,$cl['text'], GRAPH_FONT,'bytes in');
+ imagettftext($im, 8,0, $xlm+14, $ih-$ybm+48,$cl['text'], GRAPH_FONT,T('bytes in'));
imagefilledrectangle($im, $xlm+120 , $ih-$ybm+39, $xlm+128,$ih-$ybm+47,$cl['tx']);
imagerectangle($im, $xlm+120, $ih-$ybm+39, $xlm+128,$ih-$ybm+47,$cl['text']);
- imagettftext($im, 8,0, $xlm+134, $ih-$ybm+48,$cl['text'], GRAPH_FONT,'bytes out');
+ imagettftext($im, 8,0, $xlm+134, $ih-$ybm+48,$cl['text'], GRAPH_FONT,T('bytes out'));
}
function output_image()
@@ -293,11 +292,11 @@
{
draw_data($month);
}
-
- header('Content-type: image/png');
+
+ header('Content-type: image/png');
imagepng($im);
}
get_vnstat_data();
output_image();
-?>
+?>
diff --git a/config/vnstat2/vnstat_php_frontend/graph_svg.php b/config/vnstat2/vnstat_php_frontend/graph_svg.php
index 8992ed12..e67a894f 100644
--- a/config/vnstat2/vnstat_php_frontend/graph_svg.php
+++ b/config/vnstat2/vnstat_php_frontend/graph_svg.php
@@ -17,7 +17,7 @@
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
//
- // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
// for more information.
//
require 'config.php';
@@ -61,8 +61,8 @@
print "</g>\n";
}
- function svg_text($x, $y, $text, $options = array())
- {
+ function svg_text($x, $y, $text, $options = array())
+ {
printf("<text x=\"%F\" y=\"%F\" ", $x, $y);
svg_options($options);
print ">$text</text>\n";
@@ -75,7 +75,7 @@
print "/>\n";
}
- function svg_rect($x, $y, $w, $h, $options = array())
+ function svg_rect($x, $y, $w, $h, $options = array())
{
printf("<rect x=\"%F\" y=\"%F\" width=\"%F\" height=\"%F\" ", $x, $y, $w, $h);
svg_options($options);
@@ -98,7 +98,7 @@
$col['opacity'] = sprintf("%F", (127 - $colors[3]) / 127);
return $col;
}
-
+
function init_image()
{
global $xlm, $xrm, $ytm, $ybm, $iw, $ih,$graph, $cl, $iface, $colorscheme, $style;
@@ -108,7 +108,7 @@
//
// image object
- //
+ //
$xlm = 70;
$xrm = 20;
$ytm = 35;
@@ -116,14 +116,14 @@
if ($graph == 'small')
{
$iw = 300 + $xrm + $xlm;
- $ih = 100 + $ytm + $ybm;
+ $ih = 100 + $ytm + $ybm;
}
else
{
$iw = 600 + $xrm + $xlm;
$ih = 200 + $ytm + $ybm;
}
-
+
svg_create($iw, $ih);
//
@@ -141,11 +141,11 @@
$cl['rx_border'] = allocate_color($cs['rx_border']);
$cl['tx'] = allocate_color($cs['tx']);
$cl['tx_border'] = allocate_color($cs['tx_border']);
-
+
svg_rect(0, 0, $iw, $ih, array( 'stroke' => 'none', 'stroke-width' => 0, 'fill' => $cl['image_background']['rgb']) );
svg_rect($xlm, $ytm, $iw-$xrm-$xlm, $ih-$ybm-$ytm, array( 'stroke' => 'none', 'stroke-width' => 0, 'fill' => $cl['background']['rgb']) );
-
- $depth = 12;
+
+ $depth = 12*SVG_DEPTH_SCALING;
svg_group( array( 'stroke' => 'none', 'stroke-width' => 0, 'fill' => $cl['background_2']['rgb'], 'fill-opacity' => $cl['background_2']['opacity']) );
svg_poly(array($xlm, $ytm, $xlm, $ih - $ybm, $xlm - $depth, $ih - $ybm + $depth, $xlm - $depth, $ytm + $depth));
svg_poly(array($xlm, $ih - $ybm, $xlm - $depth, $ih - $ybm + $depth, $iw - $xrm - $depth, $ih - $ybm + $depth, $iw - $xrm, $ih - $ybm));
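Review bot: `12*SVG_DEPTH_SCALING` at L22282 (and again at L22307 and L22360) depends on a constant that config.php only gains in this same commit; the vnstat2.inc hunk above touches nothing but the error_reporting line, so if that file is what generates the config.php actually deployed on pfSense (its license-header context suggests so), the define may be absent at runtime, and PHP then either warns and treats the bare name as a string or, on PHP 8, throws. A guard near the top of graph_svg.php, `if (!defined('SVG_DEPTH_SCALING')) { define('SVG_DEPTH_SCALING', 1); }`, keeps the previous 12px rendering wherever the config has not been regenerated. init_image() continues outside this hunk.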
@@ -153,7 +153,7 @@
// draw title
$text = T('Traffic data for')." $iface";
- svg_text($iw / 2, ($ytm / 2), $text, array( 'stroke' => $cl['text'], 'fill' => $cl['text']['rgb'],'stroke-width' => 0, 'font-family' => SVG_FONT, 'font-weight' => 'bold', 'text-anchor' => 'middle' ));
+ svg_text($iw / 2, ($ytm / 2), $text, array( 'stroke' => 'none', 'fill' => $cl['text']['rgb'],'stroke-width' => 0, 'font-family' => SVG_FONT, 'font-weight' => 'bold', 'text-anchor' => 'middle' ));
}
function draw_border()
@@ -161,14 +161,14 @@
global $cl, $iw, $ih;
svg_rect(1, 1, $iw-2, $ih-2, array( 'stroke' => $cl['border']['rgb'], 'stroke-opacity' => $cl['border']['opacity'], 'stroke-width' => 1, 'fill' => 'none') );
}
-
+
function draw_grid($x_ticks, $y_ticks)
{
global $cl, $iw, $ih, $xlm, $xrm, $ytm, $ybm;
$x_step = ($iw - $xlm - $xrm) / $x_ticks;
$y_step = ($ih - $ytm - $ybm) / $y_ticks;
-
- $depth = 12;
+
+ $depth = 12*SVG_DEPTH_SCALING;
svg_group( array( 'stroke' => $cl['grid_stipple_1']['rgb'], 'stroke-opacity' => $cl['grid_stipple_1']['opacity'], 'stroke-width' => '1px', 'stroke-dasharray' => '1,1' ) );
for ($i = $xlm; $i <= ($iw - $xrm); $i += $x_step)
@@ -178,7 +178,7 @@
}
for ($i = $ytm; $i <= ($ih - $ybm); $i += $y_step)
{
- svg_line($xlm, $i, $iw - $xrm, $i);
+ svg_line($xlm, $i, $iw - $xrm, $i);
svg_line($xlm, $i, $xlm - $depth, $i + $depth);
}
svg_group_end();
@@ -188,8 +188,8 @@
svg_line($xlm, $ih - $ybm, $iw - $xrm, $ih - $ybm);
svg_group_end();
}
-
-
+
+
function draw_data($data)
{
global $cl,$iw,$ih,$xlm,$xrm,$ytm,$ybm;
@@ -231,7 +231,7 @@
{
$prescale = $prescale * 1024;
$y_scale = $y_scale / 1024;
- if ($unit == 'K')
+ if ($unit == 'K')
$unit = 'M';
else if ($unit == 'M')
$unit = 'G';
@@ -241,7 +241,7 @@
}
draw_grid($x_ticks, $y_ticks);
-
+
//
// graph scale factor (per pixel)
//
@@ -256,22 +256,22 @@
{
//
// draw bars
- //
+ //
for ($i=0; $i<$x_ticks; $i++)
{
$x = $xlm + ($i * $x_step);
$y = $ytm + ($ih - $ytm - $ybm) - (($data[$i]['rx'] - $offset) / $sf);
-
- $depth = ($x_ticks < 20) ? 8 : 6;
+
+ $depth = ($x_ticks < 20) ? 8*SVG_DEPTH_SCALING : 6*SVG_DEPTH_SCALING;
$space = 0;
-
+
$x1 = (int)$x;
$y1 = (int)$y;
$w = (int)($bar_w - $space);
$h = (int)($ih - $ybm - $y);
$x2 = (int)($x + $bar_w - $space);
$y2 = (int)($ih - $ybm);
-
+
svg_group( array( 'stroke' => $cl['rx_border']['rgb'], 'stroke-opacity' => $cl['rx_border']['opacity'],
'stroke-width' => 1, 'stroke-linejoin' => 'round',
'fill' => $cl['rx']['rgb'], 'fill-opacity' => $cl['rx']['opacity'] ) );
@@ -287,7 +287,7 @@
$w = (int)($bar_w - $space);
$h = (int)($ih - $ybm - $y1 - 1);
- svg_group( array( 'stroke' => $cl['tx_border']['rgb'], 'stroke-opacity' => $cl['tx_border']['opacity'],
+ svg_group( array( 'stroke' => $cl['tx_border']['rgb'], 'stroke-opacity' => $cl['tx_border']['opacity'],
'stroke-width' => 1, 'stroke-linejoin' => 'round',
'fill' => $cl['tx']['rgb'], 'fill-opacity' => $cl['tx']['opacity'] ) );
svg_rect($x1, $y1, $w, $h);
@@ -296,7 +296,7 @@
svg_poly(array($x2, $y1, $x2, $y2, $x2 - $depth, $y2 + $depth, $x2 - $depth, $y1 + $depth));
svg_group_end();
}
-
+
//
// axis labels
//
@@ -359,4 +359,4 @@
get_vnstat_data();
output_image();
-?>
+?>
diff --git a/config/vnstat2/vnstat_php_frontend/index.php b/config/vnstat2/vnstat_php_frontend/index.php
index 70c0427f..478665ee 100644
--- a/config/vnstat2/vnstat_php_frontend/index.php
+++ b/config/vnstat2/vnstat_php_frontend/index.php
@@ -17,7 +17,7 @@
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
//
- // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
// for more information.
//
require 'config.php';
@@ -31,15 +31,20 @@
function write_side_bar()
{
global $iface, $page, $graph, $script, $style;
- global $iface_list, $iface_title;
+ global $iface_list, $iface_title;
global $page_list, $page_title;
-
+
$p = "&amp;graph=$graph&amp;style=$style";
print "<ul class=\"iface\">\n";
foreach ($iface_list as $if)
{
- print "<li class=\"iface\">";
+ if ($iface == $if) {
+ print "<li class=\"iface active\">";
+ } else {
+ print "<li class=\"iface\">";
+ }
+ print "<a href=\"$script?if=$if$p\">";
if (isset($iface_title[$if]))
{
print $iface_title[$if];
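Review bot: The anchor added at L22429 interpolates `$script`, `$if` and `$p` into an href without escaping; `$p` is assembled from `$graph` and `$style` at L22419, and whether those are constrained before write_side_bar() runs depends on validate_input(), which is not in this hunk. Escaping the pieces at the output point, `print "<a href=\"" . htmlspecialchars($script) . "?if=" . htmlspecialchars($if) . "$p\">";`, keeps the attribute well-formed regardless of what the upstream validation accepts (`$p` already carries `&amp;`, so it should not be escaped again). The existing per-page links at L22441 follow the same pattern.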
@@ -48,17 +53,17 @@
{
print $if;
}
+ print "</a>";
print "<ul class=\"page\">\n";
foreach ($page_list as $pg)
{
print "<li class=\"page\"><a href=\"$script?if=$if$p&amp;page=$pg\">".$page_title[$pg]."</a></li>\n";
}
print "</ul></li>\n";
-
}
- print "</ul>\n";
+ print "</ul>\n";
}
-
+
function kbytes_to_string($kb)
{
@@ -70,10 +75,10 @@
{
$ui++;
$scale = $scale / 1024;
- }
+ }
return sprintf("%0.2f %s", ($kb/$scale),$units[$ui]);
}
-
+
function write_summary()
{
global $summary,$top,$day,$hour,$month;
@@ -108,8 +113,8 @@
print "<br/>\n";
write_data_table(T('Top 10 days'), $top);
}
-
-
+
+
function write_data_table($caption, $tab)
{
print "<table width=\"100%\" cellspacing=\"0\">\n";
@@ -118,7 +123,7 @@
print "<th class=\"label\" style=\"width:120px;\">&nbsp;</th>";
print "<th class=\"label\">".T('In')."</th>";
print "<th class=\"label\">".T('Out')."</th>";
- print "<th class=\"label\">".T('Total')."</th>";
+ print "<th class=\"label\">".T('Total')."</th>";
print "</tr>\n";
for ($i=0; $i<count($tab); $i++)
@@ -148,7 +153,7 @@
//
header('Content-type: text/html; charset=utf-8');
print '<?xml version="1.0"?>';
-?>
+?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
@@ -168,7 +173,7 @@
if ($graph_format == 'svg') {
print "<object type=\"image/svg+xml\" width=\"692\" height=\"297\" data=\"graph_svg.php?$graph_params\"></object>\n";
} else {
- print "<img src=\"graph.php?$graph_params\" alt=\"graph\"/>\n";
+ print "<img src=\"graph.php?$graph_params\" alt=\"graph\"/>\n";
}
if ($page == 's')
@@ -176,20 +181,20 @@
write_summary();
}
else if ($page == 'h')
- {
- write_data_table(T('Last 24 hours'), $hour);
+ {
+ write_data_table(T('Last 24 hours'), $hour);
}
else if ($page == 'd')
{
- write_data_table(T('Last 30 days'), $day);
+ write_data_table(T('Last 30 days'), $day);
}
else if ($page == 'm')
{
- write_data_table(T('Last 12 months'), $month);
+ write_data_table(T('Last 12 months'), $month);
}
?>
</div>
- <div id="footer"><a href="http://www.sqweek.com/">vnStat PHP frontend</a> 1.5.1 - &copy;2006-2010 Bjorge Dijkstra (bjd _at_ jooz.net)</div>
+ <div id="footer"><a href="http://www.sqweek.com/">vnStat PHP frontend</a> 1.5.2 - &copy;2006-2011 Bjorge Dijkstra (bjd _at_ jooz.net)</div>
</div>
</div>
diff --git a/config/vnstat2/vnstat_php_frontend/json.php b/config/vnstat2/vnstat_php_frontend/json.php
new file mode 100644
index 00000000..89d4c78e
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/json.php
@@ -0,0 +1,81 @@
+<?php
+ //
+ // vnStat PHP frontend (c)2006-2010 Bjorge Dijkstra (bjd@jooz.net)
+ //
+ // This program is free software; you can redistribute it and/or modify
+ // it under the terms of the GNU General Public License as published by
+ // the Free Software Foundation; either version 2 of the License, or
+ // (at your option) any later version.
+ //
+ // This program is distributed in the hope that it will be useful,
+ // but WITHOUT ANY WARRANTY; without even the implied warranty of
+ // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ // GNU General Public License for more details.
+ //
+ // You should have received a copy of the GNU General Public License
+ // along with this program; if not, write to the Free Software
+ // Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ //
+ //
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // for more information.
+ //
+ require 'config.php';
+ require 'localize.php';
+ require 'vnstat.php';
+
+ validate_input();
+
+ require "./themes/$style/theme.php";
+
+ function write_summary()
+ {
+ global $summary,$top,$day,$hour,$month;
+
+ $trx = $summary['totalrx']*1024+$summary['totalrxk'];
+ $ttx = $summary['totaltx']*1024+$summary['totaltxk'];
+
+ //
+ // build array for write_data_table
+ //
+ $sum['hour']['act'] = 1;
+ $sum['hour']['rx'] = $hour[0]['rx'];
+ $sum['hour']['tx'] = $hour[0]['tx'];
+
+ $sum['day']['act'] = 1;
+ $sum['day']['rx'] = $day[0]['rx'];
+ $sum['day']['tx'] = $day[0]['tx'];
+
+ $sum['month']['act'] = 1;
+ $sum['month']['rx'] = $month[0]['rx'];
+ $sum['month']['tx'] = $month[0]['tx'];
+
+ $sum['total']['act'] = 1;
+ $sum['total']['rx'] = $trx;
+ $sum['total']['tx'] = $ttx;
+
+ print json_encode($sum);
+ }
+
+
+ get_vnstat_data(false);
+
+ header('Content-type: application/json; charset=utf-8');
+ $graph_params = "if=$iface&amp;page=$page&amp;style=$style";
+ if ($page == 's')
+ {
+ write_summary();
+ }
+ else if ($page == 'h')
+ {
+ print json_encode(array('hours' => $hour));
+ }
+ else if ($page == 'd')
+ {
+ print json_encode(array('days' => $day));
+ }
+ else if ($page == 'm')
+ {
+ print json_encode(array('months' => $month));
+ }
+ ?> \ No newline at end of file
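Review bot: `$graph_params` at L22596 is assigned but never used in this script, and its `&amp;`-encoded form would be wrong for a JSON response anyway, so the line can go. The `if`/`else if` chain at L22597–L22612 has no final branch, so a `$page` value outside s/h/d/m returns an empty body under an `application/json` content type, which clients cannot parse; presumably validate_input() restricts `$page`, but a closing `else { print json_encode(array()); }` (or an error status) makes the contract explicit. `$style` is also spliced into the `require "./themes/$style/theme.php"` path at L22561 straight after validate_input(); it is worth confirming that call whitelists `$style` against the theme directory names, since otherwise a request parameter decides which file is included.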
diff --git a/config/vnstat2/vnstat_php_frontend/lang/br.php b/config/vnstat2/vnstat_php_frontend/lang/br.php
new file mode 100644
index 00000000..ea2fd103
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/br.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'sumario';
+$L['hours'] = 'horas';
+$L['days'] = 'dias';
+$L['months'] = 'meses';
+
+// main table headers
+$L['Summary'] = 'Sumario';
+$L['Top 10 days'] = 'Top 10 - dias';
+$L['Last 24 hours'] = 'Ultimas 24 horas';
+$L['Last 30 days'] = 'Ultimos 30 dias';
+$L['Last 12 months'] = 'Ultimos 12 meses';
+
+// traffic table columns
+$L['In'] = 'Entrada';
+$L['Out'] = 'Saida';
+$L['Total'] = 'Total';
+
+// summary rows
+$L['This hour'] = 'Esta hora';
+$L['This day'] = 'Este dia';
+$L['This month'] = 'Este mes';
+$L['All time'] = 'Todos os tempos';
+
+// graph text
+$L['Traffic data for'] = 'Trafego da';
+$L['bytes in'] = 'bytes entrada';
+$L['bytes out'] = 'bytes saida';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%l%p';
+$L['datefmt_hours_img'] = '%l';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/cn.php b/config/vnstat2/vnstat_php_frontend/lang/cn.php
new file mode 100644
index 00000000..3be03cd5
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/cn.php
@@ -0,0 +1,40 @@
+<?php
+
+// sidebar labels
+$L['summary'] = '总计';
+$L['hours'] = '每时';
+$L['days'] = '每天';
+$L['months'] = '每月';
+
+// main table headers
+$L['Summary'] = '概览';
+$L['Top 10 days'] = '最高流量的10天';
+$L['Last 24 hours'] = '过去24小时';
+$L['Last 30 days'] = '过去30天';
+$L['Last 12 months'] = '过去12个月';
+
+// traffic table columns
+$L['In'] = '流入';
+$L['Out'] = '流出';
+$L['Total'] = '总流量';
+
+// summary rows
+$L['This hour'] = '本小时';
+$L['This day'] = '本日';
+$L['This month'] = '本月';
+$L['All time'] = '总计';
+
+// graph text
+$L['Traffic data for'] = '统计的网络:';
+$L['bytes in'] = '流入bytes';
+$L['bytes out'] = '流出bytes';
+
+// date formats
+$L['datefmt_days'] = '%B%d日';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%Y年%B';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H:00';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%Y年%m月%d日';
+
diff --git a/config/vnstat2/vnstat_php_frontend/lang/de.php b/config/vnstat2/vnstat_php_frontend/lang/de.php
new file mode 100644
index 00000000..b77fff83
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/de.php
@@ -0,0 +1,40 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'Übersicht';
+$L['hours'] = 'Stunden';
+$L['days'] = 'Tage';
+$L['months'] = 'Monate';
+
+// main table headers
+$L['Summary'] = 'Übersicht';
+$L['Top 10 days'] = 'Top 10 nach Tagen';
+$L['Last 24 hours'] = 'Letzte 24 Stunden';
+$L['Last 30 days'] = 'Letzte 30 Tage';
+$L['Last 12 months'] = 'Letzte 12 Monate';
+
+// traffic table columns
+$L['In'] = 'Rein';
+$L['Out'] = 'Raus';
+$L['Total'] = 'Total';
+
+// summary rows
+$L['This hour'] = 'Diese Stunde';
+$L['This day'] = 'Dieser Tag';
+$L['This month'] = 'Dieser Monat';
+$L['All time'] = 'Alles';
+
+// graph text
+$L['Traffic data for'] = 'Trafficdaten für';
+$L['bytes in'] = 'Bytes rein';
+$L['bytes out'] = 'Bytes raus';
+
+// date formats
+$L['datefmt_days'] = '%d.%B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B.%Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H:%M';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%d.%B.%Y';
+
diff --git a/config/vnstat2/vnstat_php_frontend/lang/es.php b/config/vnstat2/vnstat_php_frontend/lang/es.php
new file mode 100644
index 00000000..a2456295
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/es.php
@@ -0,0 +1,41 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'sumario';
+$L['hours'] = 'horas';
+$L['days'] = 'días';
+$L['months'] = 'meses';
+
+// main table headers
+$L['Summary'] = 'Sumario';
+$L['Top 10 days'] = 'Últimos 10 días';
+$L['Last 24 hours'] = 'Últimas 24 horas';
+$L['Last 30 days'] = 'Últimos 30 días';
+$L['Last 12 months'] = 'Últimos 12 meses';
+
+// traffic table columns
+$L['In'] = 'Entrada';
+$L['Out'] = 'Salida';
+$L['Total'] = 'Total';
+
+// summary rows
+$L['This hour'] = 'Esta hora';
+$L['This day'] = 'Este día';
+$L['This month'] = 'Este mes';
+$L['All time'] = 'Todo el tiempo';
+
+// graph text
+$L['Traffic data for'] = 'Trafico de datos para';
+$L['bytes in'] = 'entrada de bytes';
+$L['bytes out'] = 'salida de bytes';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H:%M';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%d %B %Y';
+
+// spanish version by Carlos Troetsch
diff --git a/config/vnstat2/vnstat_php_frontend/lang/fi.php b/config/vnstat2/vnstat_php_frontend/lang/fi.php
new file mode 100644
index 00000000..f1ce59b4
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/fi.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'yhteenveto';
+$L['hours'] = 'tunnit';
+$L['days'] = 'päivät';
+$L['months'] = 'kuukaudet';
+
+// main table headers
+$L['Summary'] = 'Yhteenveto';
+$L['Top 10 days'] = 'Top 10 päivää';
+$L['Last 24 hours'] = 'Viimeiset 24 tuntia';
+$L['Last 30 days'] = 'Viimeiset 30 päivää';
+$L['Last 12 months'] = 'Viimeiset 12 kuukautta';
+
+// traffic table columns
+$L['In'] = 'Sisään';
+$L['Out'] = 'Ulos';
+$L['Total'] = 'Yhteensä';
+
+// summary rows
+$L['This hour'] = 'Viimeisin tunti';
+$L['This day'] = 'Viimeisin päivä';
+$L['This month'] = 'Viimeisin kuukausi';
+$L['All time'] = 'Kaikkiaan';
+
+// graph text
+$L['Traffic data for'] = 'Liikennemäärä';
+$L['bytes in'] = 'tavua sisään';
+$L['bytes out'] = 'tavua ulos';
+
+// date formats
+$L['datefmt_days'] = '%d. %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%a %d. %b %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/fr.php b/config/vnstat2/vnstat_php_frontend/lang/fr.php
new file mode 100644
index 00000000..abb76b0a
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/fr.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'Sommaire';
+$L['hours'] = 'Heures';
+$L['days'] = 'Jours';
+$L['months'] = 'Mois';
+
+// main table headers
+$L['Summary'] = 'Sommaire';
+$L['Top 10 days'] = 'Les 10 meilleurs jours';
+$L['Last 24 hours'] = 'Dernières 24 heures';
+$L['Last 30 days'] = 'Derniers 30 jours';
+$L['Last 12 months'] = 'Les 12 derniers mois';
+
+// traffic table columns
+$L['In'] = 'Entrant';
+$L['Out'] = 'Sortant';
+$L['Total'] = 'Total';
+
+// summary rows
+$L['This hour'] = 'Cette heure';
+$L['This day'] = 'Aujourd\' hui';
+$L['This month'] = 'Ce mois';
+$L['All time'] = 'Tout temps';
+
+// graph text
+$L['Traffic data for'] = 'Traffic de donnée pour :';
+$L['bytes in'] = 'bytes entrants';
+$L['bytes out'] = 'bytes sortants';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%Hh%M';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/hr.php b/config/vnstat2/vnstat_php_frontend/lang/hr.php
new file mode 100644
index 00000000..f547f29d
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/hr.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'sažetak'; // summary
+$L['hours'] = 'sati';
+$L['days'] = 'dani';
+$L['months'] = 'mjeseci';
+
+// main table headers
+$L['Summary'] = 'Sažetak';
+$L['Top 10 days'] = '10 naprometnijih dana';
+$L['Last 24 hours'] = 'Zadnja 24 sata';
+$L['Last 30 days'] = 'Zadnjih 30 dana';
+$L['Last 12 months'] = 'Zadnjih 12 mjeseci';
+
+// traffic table columns
+$L['In'] = 'Primljeno';
+$L['Out'] = 'Poslano';
+$L['Total'] = 'Ukupno'; // Total
+
+// summary rows
+$L['This hour'] = 'Tekući sat';
+$L['This day'] = 'Danas';
+$L['This month'] = 'Tekući mjesec';
+$L['All time'] = 'Sveukupno';
+
+// graph text
+$L['Traffic data for'] = 'Promet za';
+$L['bytes in'] = 'bajta primljeno';
+$L['bytes out'] = 'bajta poslano';
+
+// date formats
+$L['datefmt_days'] = '%d. %m';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%m.%Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H'; // %k
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%d.%m.%Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/hu.php b/config/vnstat2/vnstat_php_frontend/lang/hu.php
new file mode 100644
index 00000000..94a445f3
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/hu.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'Összegzés';
+$L['hours'] = 'órák';
+$L['days'] = 'napok';
+$L['months'] = 'hónapok';
+
+// main table headers
+$L['Summary'] = 'Öszegzés';
+$L['Top 10 days'] = 'Legjobb 10 nap';
+$L['Last 24 hours'] = 'Utolsó 24 óra';
+$L['Last 30 days'] = 'Utolsó 30 nap';
+$L['Last 12 months'] = 'Utolsó 12 hónap';
+
+// traffic table columns
+$L['In'] = 'Bejövő';
+$L['Out'] = 'Kimenő';
+$L['Total'] = 'Összesen';
+
+// summary rows
+$L['This hour'] = 'Ebben az órában';
+$L['This day'] = 'Ezen a napon';
+$L['This month'] = 'Ebben a hónapban';
+$L['All time'] = 'Összesen';
+
+// graph text
+$L['Traffic data for'] = 'Forgalmi adatok: ';
+$L['bytes in'] = 'bejövő bájtok';
+$L['bytes out'] = 'kimenő bájtok';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%l%p';
+$L['datefmt_hours_img'] = '%l';
+$L['datefmt_top'] = '%d %B %Y'; \ No newline at end of file
diff --git a/config/vnstat2/vnstat_php_frontend/lang/it.php b/config/vnstat2/vnstat_php_frontend/lang/it.php
new file mode 100644
index 00000000..d86cb479
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/it.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'Riepilogo';
+$L['hours'] = 'Ore';
+$L['days'] = 'Giorni';
+$L['months'] = 'Mesi';
+
+// main table headers
+$L['Summary'] = 'Riepilogo';
+$L['Top 10 days'] = '10 giorni piu intensivi';
+$L['Last 24 hours'] = 'Ultime 24 ore';
+$L['Last 30 days'] = 'Ultimi 30 giorni';
+$L['Last 12 months'] = 'Ultimi 12 mesi';
+
+// traffic table columns
+$L['In'] = 'Entrata';
+$L['Out'] = 'Uscita';
+$L['Total'] = 'Totale';
+
+// summary rows
+$L['This hour'] = 'Quest ora';
+$L['This day'] = 'Oggi';
+$L['This month'] = 'Questo mese';
+$L['All time'] = 'Sempre';
+
+// graph text
+$L['Traffic data for'] = 'Dati per';
+$L['bytes in'] = 'bytes entrati';
+$L['bytes out'] = 'bytes usciti';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%l%p';
+$L['datefmt_hours_img'] = '%l';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/no.php b/config/vnstat2/vnstat_php_frontend/lang/no.php
new file mode 100644
index 00000000..9f214942
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/no.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'Sammendrag';
+$L['hours'] = 'Timer';
+$L['days'] = 'Dager';
+$L['months'] = 'Måneder';
+
+// main table headers
+$L['Summary'] = 'Sammendrag';
+$L['Top 10 days'] = 'Topp 10 dager';
+$L['Last 24 hours'] = 'Siste 24 timer';
+$L['Last 30 days'] = 'Siste 30 dager';
+$L['Last 12 months'] = 'Siste 12 måneder';
+
+// traffic table columns
+$L['In'] = 'Inn';
+$L['Out'] = 'Ut';
+$L['Total'] = 'Totalt';
+
+// summary rows
+$L['This hour'] = 'Denne time';
+$L['This day'] = 'Idag';
+$L['This month'] = 'Denne måneden';
+$L['All time'] = 'Totalt';
+
+// graph text
+$L['Traffic data for'] = 'Trafikkdata for';
+$L['bytes in'] = 'bytes inn';
+$L['bytes out'] = 'bytes ut';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H:%M';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/pl.php b/config/vnstat2/vnstat_php_frontend/lang/pl.php
new file mode 100644
index 00000000..d04e5166
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/pl.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'podsumowanie';
+$L['hours'] = 'godziny';
+$L['days'] = 'dni';
+$L['months'] = 'miesiące';
+
+// main table headers
+$L['Summary'] = 'Podsumowanie';
+$L['Top 10 days'] = 'Top 10 dni';
+$L['Last 24 hours'] = 'Ostatnie 24 godziny';
+$L['Last 30 days'] = 'Ostatnie 30 dni';
+$L['Last 12 months'] = 'Ostatnie 12 miesięcy';
+
+// traffic table columns
+$L['In'] = 'Wyjście';
+$L['Out'] = 'Wejście';
+$L['Total'] = 'Suma';
+
+// summary rows
+$L['This hour'] = 'Ta godzina';
+$L['This day'] = 'Ten dzień';
+$L['This month'] = 'Ten miesiąc';
+$L['All time'] = 'Całość';
+
+// graph text
+$L['Traffic data for'] = 'Transfer dla';
+$L['bytes in'] = 'Wysłane';
+$L['bytes out'] = 'Odebrane';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%l%p';
+$L['datefmt_hours_img'] = '%l';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/ru.php b/config/vnstat2/vnstat_php_frontend/lang/ru.php
new file mode 100644
index 00000000..7a105b38
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/ru.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'сводка';
+$L['hours'] = 'по часам';
+$L['days'] = 'по дням';
+$L['months'] = 'по месяцам';
+
+// main table headers
+$L['Summary'] = 'Сводка';
+$L['Top 10 days'] = 'Топ 10 дней';
+$L['Last 24 hours'] = 'Последние 24 часа';
+$L['Last 30 days'] = 'Последние 30 дней';
+$L['Last 12 months'] = 'Последние 12 месяцев';
+
+// traffic table columns
+$L['In'] = 'Входящий';
+$L['Out'] = 'Исходящий';
+$L['Total'] = 'Общий';
+
+// summary rows
+$L['This hour'] = 'Текущий час';
+$L['This day'] = 'Текущий день';
+$L['This month'] = 'Текущий месяц';
+$L['All time'] = 'За все время';
+
+// graph text
+$L['Traffic data for'] = 'Статистика трафика для';
+$L['bytes in'] = 'получено';
+$L['bytes out'] = 'передано';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%H:%M';
+$L['datefmt_hours_img'] = '%H';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/lang/sk.php b/config/vnstat2/vnstat_php_frontend/lang/sk.php
new file mode 100644
index 00000000..bc972503
--- /dev/null
+++ b/config/vnstat2/vnstat_php_frontend/lang/sk.php
@@ -0,0 +1,39 @@
+<?php
+
+// sidebar labels
+$L['summary'] = 'zhrnutie';
+$L['hours'] = 'hodiny';
+$L['days'] = 'dni';
+$L['months'] = 'mesiace';
+
+// main table headers
+$L['Summary'] = 'Zhrnutie';
+$L['Top 10 days'] = 'Naj 10 dni';
+$L['Last 24 hours'] = 'Posledných 24 hodin';
+$L['Last 30 days'] = 'Posledných 30 dni';
+$L['Last 12 months'] = 'Posledných 12 mesiacov';
+
+// traffic table columns
+$L['In'] = 'Sťahovanie';
+$L['Out'] = 'Posielanie';
+$L['Total'] = 'Celkom';
+
+// summary rows
+$L['This hour'] = 'Túto hodinu';
+$L['This day'] = 'Tento deň';
+$L['This month'] = 'Tento mesiac';
+$L['All time'] = 'Celkom';
+
+// graph text
+$L['Traffic data for'] = 'Prehlad pre';
+$L['bytes in'] = 'bajtov stiahnuté';
+$L['bytes out'] = 'bajtov poslané';
+
+// date formats
+$L['datefmt_days'] = '%d %B';
+$L['datefmt_days_img'] = '%d';
+$L['datefmt_months'] = '%B %Y';
+$L['datefmt_months_img'] = '%b';
+$L['datefmt_hours'] = '%l%p';
+$L['datefmt_hours_img'] = '%l';
+$L['datefmt_top'] = '%d %B %Y';
diff --git a/config/vnstat2/vnstat_php_frontend/themes/dark/theme.php b/config/vnstat2/vnstat_php_frontend/themes/dark/theme.php
index 6df45cb2..91c6fca0 100644
--- a/config/vnstat2/vnstat_php_frontend/themes/dark/theme.php
+++ b/config/vnstat2/vnstat_php_frontend/themes/dark/theme.php
@@ -1,16 +1,16 @@
<?php
- // A dark colorscheme based on a contribution by Mart Visser
- $colorscheme = array(
- 'image_background' => array( 36, 36, 36, 0 ),
- 'graph_background' => array( 220, 220, 230, 0 ),
- 'graph_background_2' => array( 205, 205, 220, 0 ),
- 'grid_stipple_1' => array( 140, 140, 140, 0 ),
- 'grid_stipple_2' => array( 200, 200, 200, 0 ),
- 'border' => array( 71, 71, 71, 0 ),
- 'text' => array( 255, 255, 255,0 ),
- 'rx' => array( 10, 180, 10, 50 ),
- 'rx_border' => array( 0, 120, 0, 90 ),
- 'tx' => array( 130, 130, 130, 50 ),
- 'tx_border' => array( 60, 60, 60, 90 )
- );
+ // A dark colorscheme based on a contribution by Mart Visser
+ $colorscheme = array(
+ 'image_background' => array( 36, 36, 36, 0 ),
+ 'graph_background' => array( 220, 220, 230, 0 ),
+ 'graph_background_2' => array( 205, 205, 220, 0 ),
+ 'grid_stipple_1' => array( 140, 140, 140, 0 ),
+ 'grid_stipple_2' => array( 200, 200, 200, 0 ),
+ 'border' => array( 71, 71, 71, 0 ),
+ 'text' => array( 255, 255, 255, 0 ),
+ 'rx' => array( 10, 180, 10, 50 ),
+ 'rx_border' => array( 0, 120, 0, 90 ),
+ 'tx' => array( 130, 130, 130, 50 ),
+ 'tx_border' => array( 60, 60, 60, 90 )
+ );
?>
diff --git a/config/vnstat2/vnstat_php_frontend/themes/espresso/theme.php b/config/vnstat2/vnstat_php_frontend/themes/espresso/theme.php
index 3c7818f5..22a361f1 100644
--- a/config/vnstat2/vnstat_php_frontend/themes/espresso/theme.php
+++ b/config/vnstat2/vnstat_php_frontend/themes/espresso/theme.php
@@ -1,17 +1,17 @@
<?php
- // A dark colorscheme based on a contribution by Márcio Bremm
- // It is based also on Espresso (gtkrc theme) by Jesse L. Kay
- $colorscheme = array(
- 'image_background' => array( 065, 061, 057, 0 ),
- 'graph_background' => array( 117, 111, 104, 30 ),
- 'graph_background_2' => array( 128, 122, 102, 30 ),
- 'grid_stipple_1' => array( 140, 140, 140, 0 ),
- 'grid_stipple_2' => array( 200, 200, 200, 0 ),
- 'border' => array( 211, 202, 170, 0 ),
- 'text' => array( 211, 202, 170, 0 ),
- 'rx' => array( 211, 202, 170, 50 ),
- 'rx_border' => array( 80, 40, 40, 90 ),
- 'tx' => array( 163, 156, 131, 50 ),
- 'tx_border' => array( 60, 60, 60, 90 )
- );
+ // A dark colorscheme based on a contribution by Márcio Bremm
+ // It is based also on Espresso (gtkrc theme) by Jesse L. Kay
+ $colorscheme = array(
+ 'image_background' => array( 065, 061, 057, 0 ),
+ 'graph_background' => array( 117, 111, 104, 30 ),
+ 'graph_background_2' => array( 128, 122, 102, 30 ),
+ 'grid_stipple_1' => array( 140, 140, 140, 0 ),
+ 'grid_stipple_2' => array( 200, 200, 200, 0 ),
+ 'border' => array( 211, 202, 170, 0 ),
+ 'text' => array( 211, 202, 170, 0 ),
+ 'rx' => array( 211, 202, 170, 50 ),
+ 'rx_border' => array( 80, 40, 40, 90 ),
+ 'tx' => array( 163, 156, 131, 50 ),
+ 'tx_border' => array( 60, 60, 60, 90 )
+ );
?>
diff --git a/config/vnstat2/vnstat_php_frontend/themes/light/style.css b/config/vnstat2/vnstat_php_frontend/themes/light/style.css
index 28503f1d..6893d2a6 100644
--- a/config/vnstat2/vnstat_php_frontend/themes/light/style.css
+++ b/config/vnstat2/vnstat_php_frontend/themes/light/style.css
@@ -4,6 +4,18 @@ body
padding: 0;
}
+a[href]:link,
+a[href]:visited {
+ color: #00f;
+ text-decoration: none;
+}
+a[href]:hover,
+a[href]:active,
+a[href]:focus {
+ color: #c00;
+ text-decoration: none;
+}
+
#wrap
{
xwidth: 868px;
@@ -26,13 +38,24 @@ body
background-color: #eef;
}
+#sidebar li.iface ul
+{
+ display: none;
+}
+#sidebar li.iface.active ul
+{
+ display: block;
+}
+#sidebar li.iface:hover ul
+{
+ display: block;
+}
#sidebar li.iface
{
- margin: 0;
+ margin: 2px;
padding: 0;
list-style-type: none;
- font-family: 'Trebuchet MS', Verdana, sans-serif;
- font-size: 1em;
+ font-size: 12px;
font-weight: bold;
xborder-top: 1px solid #99b;
border-bottom: 1px solid #99b;
@@ -105,7 +128,8 @@ body
{
padding: 8px;
border-left: 1px solid #99b;
- border-right: 1px solid #99b;
+ border-right: 1px solid #99b;
+ border-bottom: 1px solid #99b;
border-collapse: collapse;
}
diff --git a/config/vnstat2/vnstat_php_frontend/themes/light/theme.php b/config/vnstat2/vnstat_php_frontend/themes/light/theme.php
index 2516c874..63bc234d 100644
--- a/config/vnstat2/vnstat_php_frontend/themes/light/theme.php
+++ b/config/vnstat2/vnstat_php_frontend/themes/light/theme.php
@@ -1,15 +1,15 @@
<?php
- $colorscheme = array(
- 'image_background' => array( 255, 255, 255, 0 ),
- 'graph_background' => array( 220, 220, 230, 0 ),
- 'graph_background_2' => array( 205, 205, 220, 0 ),
- 'grid_stipple_1' => array( 140, 140, 140, 0 ),
- 'grid_stipple_2' => array( 200, 200, 200, 0 ),
- 'border' => array( 0, 0, 0, 0 ),
- 'text' => array( 0, 0, 0, 0 ),
- 'rx' => array( 190, 190, 20, 50 ),
- 'rx_border' => array( 40, 80, 40, 90 ),
- 'tx' => array( 130, 160, 100, 50 ),
- 'tx_border' => array( 80, 40, 40, 90 )
- );
+ $colorscheme = array(
+ 'image_background' => array( 255, 255, 255, 0 ),
+ 'graph_background' => array( 220, 220, 230, 0 ),
+ 'graph_background_2' => array( 205, 205, 220, 0 ),
+ 'grid_stipple_1' => array( 140, 140, 140, 0 ),
+ 'grid_stipple_2' => array( 200, 200, 200, 0 ),
+ 'border' => array( 0, 0, 0, 0 ),
+ 'text' => array( 0, 0, 0, 0 ),
+ 'rx' => array( 190, 190, 20, 50 ),
+ 'rx_border' => array( 40, 80, 40, 90 ),
+ 'tx' => array( 130, 160, 100, 50 ),
+ 'tx_border' => array( 80, 40, 40, 90 )
+ );
?>
diff --git a/config/vnstat2/vnstat_php_frontend/themes/red/theme.php b/config/vnstat2/vnstat_php_frontend/themes/red/theme.php
index 2c9ba6f4..5edacbd2 100644
--- a/config/vnstat2/vnstat_php_frontend/themes/red/theme.php
+++ b/config/vnstat2/vnstat_php_frontend/themes/red/theme.php
@@ -1,16 +1,16 @@
<?php
- // A red colorscheme based on a contribution by Enrico Tröger
- $colorscheme = array(
- 'image_background' => array( 225, 225, 225, 0 ),
- 'graph_background' => array( 220, 220, 230, 0 ),
- 'graph_background_2' => array( 205, 205, 220, 0 ),
- 'grid_stipple_1' => array( 140, 140, 140, 0 ),
- 'grid_stipple_2' => array( 200, 200, 200, 0 ),
- 'border' => array( 0, 0, 0, 0 ),
- 'text' => array( 0, 0, 0, 0 ),
- 'rx' => array( 190, 20, 20, 50 ),
- 'rx_border' => array( 80, 40, 40, 90 ),
- 'tx' => array( 130, 130, 130, 50 ),
- 'tx_border' => array( 60, 60, 60, 90 )
- );
+ // A red colorscheme based on a contribution by Enrico Tröger
+ $colorscheme = array(
+ 'image_background' => array( 225, 225, 225, 0 ),
+ 'graph_background' => array( 220, 220, 230, 0 ),
+ 'graph_background_2' => array( 205, 205, 220, 0 ),
+ 'grid_stipple_1' => array( 140, 140, 140, 0 ),
+ 'grid_stipple_2' => array( 200, 200, 200, 0 ),
+ 'border' => array( 0, 0, 0, 0 ),
+ 'text' => array( 0, 0, 0, 0 ),
+ 'rx' => array( 190, 20, 20, 50 ),
+ 'rx_border' => array( 80, 40, 40, 90 ),
+ 'tx' => array( 130, 130, 130, 50 ),
+ 'tx_border' => array( 60, 60, 60, 90 )
+ );
?>
diff --git a/config/vnstat2/vnstat_php_frontend/vnstat.php b/config/vnstat2/vnstat_php_frontend/vnstat.php
index 9c7e211c..82e0e51f 100644
--- a/config/vnstat2/vnstat_php_frontend/vnstat.php
+++ b/config/vnstat2/vnstat_php_frontend/vnstat.php
@@ -17,10 +17,10 @@
// Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
//
//
- // see file COPYING or at http://www.gnu.org/licenses/gpl.html
+ // see file COPYING or at http://www.gnu.org/licenses/gpl.html
// for more information.
//
-
+
//
// Valid values for other parameters you can pass to the script.
// Input parameters will always be limited to one of the values listed here.
@@ -39,16 +39,16 @@
{
die('can\'t determine script name!');
}
-
+
$page_list = array('s','h','d','m');
-
+
$graph_list = array('large','small','none');
-
+
$page_title['s'] = T('summary');
$page_title['h'] = T('hours');
$page_title['d'] = T('days');
$page_title['m'] = T('months');
-
+
//
// functions
@@ -88,9 +88,9 @@
$style = DEFAULT_COLORSCHEME;
}
}
-
- function get_vnstat_data()
+
+ function get_vnstat_data($use_label=true)
{
global $iface, $vnstat_bin, $data_dir;
global $hour,$day,$month,$top,$summary;
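Review bot: The new `$use_label` parameter on `get_vnstat_data` is undocumented, and its effect is more than a display toggle: in the label branches further down the function (the day, month, hour and top blocks of the later hunks), a false value means the `label`/`img_label` keys are never created rather than set to `''`, so a caller that reads `$day[...]['label']` after calling with `false` will hit an undefined index. I would add a short docblock above the signature: `// Parse the vnstat dump for $iface into the $hour/$day/$month/$top/$summary globals.` / `// $use_label: when false, the 'label'/'img_label' keys are not set at all (not ''),` / `// so callers must isset()-guard them or pass true.` The function's body continues past the end of this hunk.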
@@ -100,7 +100,7 @@
if (file_exists("$data_dir/vnstat_dump_$iface"))
{
$vnstat_data = file("$data_dir/vnstat_dump_$iface");
- }
+ }
else
{
$vnstat_data = array();
@@ -126,7 +126,7 @@
//
// extract data
//
- foreach($vnstat_data as $line)
+ foreach($vnstat_data as $line)
{
$d = explode(';', trim($line));
if ($d[0] == 'd')
@@ -135,16 +135,16 @@
$day[$d[1]]['rx'] = $d[3] * 1024 + $d[5];
$day[$d[1]]['tx'] = $d[4] * 1024 + $d[6];
$day[$d[1]]['act'] = $d[7];
- if ($d[2] != 0)
+ if ($d[2] != 0 && $use_label)
{
$day[$d[1]]['label'] = strftime(T('datefmt_days'),$d[2]);
$day[$d[1]]['img_label'] = strftime(T('datefmt_days_img'), $d[2]);
}
- else
+ elseif($use_label)
{
$day[$d[1]]['label'] = '';
- $day[$d[1]]['img_label'] = '';
- }
+ $day[$d[1]]['img_label'] = '';
+ }
}
else if ($d[0] == 'm')
{
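Review bot: `elseif($use_label)` in the day branch is written differently from the same guard added in the month hunk and the hour hunk (`else if ($use_label)`), and the top hunk uses `if($use_label)` with no space; the surrounding code consistently uses `else if (...)` with a space, as on the `else if ($d[0] == 'm')` line in this hunk. I would change the day branch to `else if ($use_label)` and the top branch to `if ($use_label)` so all four guards read the same. The enclosing function starts before this hunk and ends after it.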
@@ -152,15 +152,15 @@
$month[$d[1]]['rx'] = $d[3] * 1024 + $d[5];
$month[$d[1]]['tx'] = $d[4] * 1024 + $d[6];
$month[$d[1]]['act'] = $d[7];
- if ($d[2] != 0)
+ if ($d[2] != 0 && $use_label)
{
$month[$d[1]]['label'] = strftime(T('datefmt_months'), $d[2]);
$month[$d[1]]['img_label'] = strftime(T('datefmt_months_img'), $d[2]);
}
- else
+ else if ($use_label)
{
$month[$d[1]]['label'] = '';
- $month[$d[1]]['img_label'] = '';
+ $month[$d[1]]['img_label'] = '';
}
}
else if ($d[0] == 'h')
@@ -169,27 +169,30 @@
$hour[$d[1]]['rx'] = $d[3];
$hour[$d[1]]['tx'] = $d[4];
$hour[$d[1]]['act'] = 1;
- if ($d[2] != 0)
+ if ($d[2] != 0 && $use_label)
{
$st = $d[2] - ($d[2] % 3600);
$et = $st + 3600;
$hour[$d[1]]['label'] = strftime(T('datefmt_hours'), $st).' - '.strftime(T('datefmt_hours'), $et);
$hour[$d[1]]['img_label'] = strftime(T('datefmt_hours_img'), $d[2]);
}
- else
+ else if ($use_label)
{
$hour[$d[1]]['label'] = '';
$hour[$d[1]]['img_label'] = '';
}
}
else if ($d[0] == 't')
- {
+ {
$top[$d[1]]['time'] = $d[2];
$top[$d[1]]['rx'] = $d[3] * 1024 + $d[5];
$top[$d[1]]['tx'] = $d[4] * 1024 + $d[6];
$top[$d[1]]['act'] = $d[7];
- $top[$d[1]]['label'] = strftime(T('datefmt_top'), $d[2]);
- $top[$d[1]]['img_label'] = '';
+ if($use_label)
+ {
+ $top[$d[1]]['label'] = strftime(T('datefmt_top'), $d[2]);
+ $top[$d[1]]['img_label'] = '';
+ }
}
else
{