Diffstat (limited to 'config')
-rw-r--r--config/freeradius2/freeradius.inc117
-rw-r--r--config/freeradius2/freeradius.xml4
-rw-r--r--config/freeradius2/freeradius_view_config.php2
-rw-r--r--config/freeradius2/freeradiusauthorizedmacs.xml2
-rw-r--r--config/freeradius2/freeradiuscerts.xml4
-rw-r--r--config/freeradius2/freeradiusclients.xml4
-rw-r--r--config/freeradius2/freeradiuseapconf.xml2
-rw-r--r--config/freeradius2/freeradiusinterfaces.xml4
-rw-r--r--config/freeradius2/freeradiusmodulesldap.xml6
-rw-r--r--config/freeradius2/freeradiussettings.xml6
-rw-r--r--config/freeradius2/freeradiussqlconf.xml6
-rw-r--r--config/freeradius2/freeradiussync.xml28
-rwxr-xr-xconfig/squid3/33/squid.inc112
-rw-r--r--config/squid3/33/squid.xml25
-rwxr-xr-xconfig/squid3/33/squid_cache.xml11
-rw-r--r--config/squidGuard/squidguard.inc7
16 files changed, 214 insertions, 126 deletions
diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc
index eecfec84..b2df3d0b 100644
--- a/config/freeradius2/freeradius.inc
+++ b/config/freeradius2/freeradius.inc
@@ -4,7 +4,7 @@
/*
freeradius.inc
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
Copyright (C) 2013 Marcello Coutinho
All rights reserved.
@@ -2521,52 +2521,75 @@ conf_mount_ro();
/* Uses XMLRPC to synchronize the changes to a remote node */
function freeradius_sync_on_changes() {
global $config, $g;
- $varsyncenablexmlrpc = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc'];
- $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];
-
- // if checkbox is NOT checked do nothing
- if(!$varsyncenablexmlrpc) {
+ if (is_array($config['installedpackages']['freeradiussync'])){
+ $synconchanges = $config['installedpackages']['freeradiussync']['config'][0]['varsyncenablexmlrpc'];
+ $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];
+ }
+ else
+ {
return;
}
-
- log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds.");
-
- // if checkbox is checked get IP and password of the destination hosts
- foreach ($config['installedpackages']['freeradiussync']['config'] as $rs ){
- foreach($rs['row'] as $sh){
- // if checkbox is NOT checked do nothing
- if($sh['varsyncdestinenable']) {
- $varsyncprotocol = $sh['varsyncprotocol'];
- $sync_to_ip = $sh['varsyncipaddress'];
- $password = $sh['varsyncpassword'];
- $varsyncport = $sh['varsyncport'];
- // check if all credentials are complete for this host
- if($password && $sync_to_ip && $varsyncport && $varsyncprotocol) {
- freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol);
+
+ // if checkbox is NOT checked do nothing
+ switch ($synconchanges){
+ case "manual":
+ if (is_array($config['installedpackages']['freeradiussync']['config'][0]['row'])){
+ $rs=$config['installedpackages']['freeradiussync']['config'][0]['row'];
+ }
+ else{
+ log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no hosts to push on FreeRADIUS config.");
+ return;
+ }
+ break;
+ case "auto":
+ if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){
+ $system_carp=$config['installedpackages']['carpsettings']['config'][0];
+ $rs[0]['varsyncdestinenable']="on";
+ $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https");
+ $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip'];
+ $rs[0]['varsyncpassword']=$system_carp['password'];
+ $rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443");
+ if (! is_ipaddr($system_carp['synchronizetoip'])){
+ log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config.");
+ return;
+ }
+ }
+ else{
+ log_error("[FreeRADIUS]: xmlrpc sync is enabled but there is no system backup hosts to push FreeRADIUS config.");
+ return;
+ }
+ break;
+ default:
+ return;
+ break;
+ }
+ if (is_array($rs)){
+ log_error("[FreeRADIUS]: xmlrpc sync is starting with timeout {$varsynctimeout} seconds.");
+ foreach($rs as $sh){
+ if($sh['varsyncdestinenable']){
+ $varsyncprotocol = $sh['varsyncprotocol'];
+ $sync_to_ip = $sh['varsyncipaddress'];
+ $password = $sh['varsyncpassword'];
+ $varsyncport = $sh['varsyncport'];
+ if($password && $sync_to_ip)
+ freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout);
+ else
+ log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!");
}
else {
- log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!");
+ log_error("[FreeRADIUS]: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled");
}
}
- else {
- log_error("FreeRADIUS: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled");
+ log_error("[FreeRADIUS]: xmlrpc sync is ending.");
}
- }
- }
- log_error("FreeRADIUS: Finished XMLRPC process (freeradius_do_xmlrpc_sync).");
}
/* Do the actual XMLRPC sync */
-function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol) {
+function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) {
global $config, $g;
- $varsynctimeout = $config['installedpackages']['freeradiussync']['config'][0]['varsynctimeout'];
-
- if($varsynctimeout == '' || $varsynctimeout == 0) {
+ if($varsynctimeout == '' || $varsynctimeout == 0)
$varsynctimeout = 150;
- }
-
- // log_error("FreeRADIUS: Starting XMLRPC process (freeradius_do_xmlrpc_sync) with timeout {$varsynctimeout} seconds.");
if(!$password)
return;
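Review bot: The completeness check on the new side, `if($password && $sync_to_ip)`, drops the `$varsyncport && $varsyncprotocol` conditions the removed code had, so a manual row with an empty port or protocol now reaches `freeradius_do_xmlrpc_sync()` instead of being logged as incomplete; unless that function fills in defaults in the part of its body outside this hunk, restore `if($password && $sync_to_ip && $varsyncport && $varsyncprotocol)`. The `default:` arm of the `switch` returns silently, which is also what an upgraded install hits while `varsyncenablexmlrpc` still holds the old checkbox value (`on`) rather than `auto`/`manual`/`disabled`, so sync stops without any log line; a `log_error()` there (or a one-time mapping of `on` to `manual`) would make that visible. The `break;` after `return;` in that arm is unreachable and can go. `freeradius_do_xmlrpc_sync()` begins in this hunk but its body continues past it.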
@@ -2600,7 +2623,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn
/* set a few variables needed for sync code borrowed from filter.inc */
$url = $synchronizetoip;
- log_error("FreeRADIUS: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}.");
+ log_error("[FreeRADIUS]: Beginning FreeRADIUS XMLRPC sync with {$url}:{$port}.");
$method = 'pfsense.merge_installedpackages_section_xmlrpc';
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
@@ -2611,22 +2634,22 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn
$resp = $cli->send($msg, $varsynctimeout);
if(!$resp) {
$error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port}.";
- log_error("FreeRADIUS: $error");
- file_notice("sync_settings", $error, "freeradius Settings Sync", "");
+ log_error("[FreeRADIUS]: $error");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
} elseif($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $varsynctimeout);
$error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
- log_error("FreeRADIUS: $error");
- file_notice("sync_settings", $error, "freeradius Settings Sync", "");
+ log_error("[FreeRADIUS]: $error");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
} else {
- log_error("FreeRADIUS: XMLRPC has synced data successfully with {$url}:{$port}.");
+ log_error("[FreeRADIUS]: XMLRPC has synced data successfully with {$url}:{$port}.");
}
- /* tell freeradius to reload our settings on the destionation sync host. */
+ /* tell FreeRADIUS to reload our settings on the destionation sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/freeradius.inc');\n";
- // pfblocker just needed one fuction to reload after XMLRPC. freeRADIUS needs more so we point to a fuction below which contains all fuctions
+ // pfblocker just needed one fuction to reload after XMLRPC. FreeRADIUS needs more so we point to a fuction below which contains all fuctions
$execcmd .= "freeradius_all_after_XMLRPC_resync();";
/* assemble xmlrpc payload */
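Review bot: The two comment lines rewritten here keep the typos `destionation` and `fuction` (three times) — `destination` and `function`. freeradius_do_xmlrpc_sync() starts and ends outside this hunk.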
@@ -2635,7 +2658,7 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn
XML_RPC_encode($execcmd)
);
- log_error("FreeRADIUS XMLRPC is reloading data on {$url}:{$port}.");
+ log_error("[FreeRADIUS]: XMLRPC is reloading data on {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials('admin', $password);
@@ -2643,21 +2666,19 @@ function freeradius_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyn
if(!$resp) {
$error = "A communications error occurred while FreeRADIUS was attempting XMLRPC sync with {$url}:{$port} (exec_php).";
log_error($error);
- file_notice("sync_settings", $error, "freeradius Settings Sync", "");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
} elseif($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $varsynctimeout);
$error = "An error code was received while FreeRADIUS XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
- file_notice("sync_settings", $error, "freeradius Settings Sync", "");
+ file_notice("sync_settings", $error, "FreeRADIUS Settings Sync", "");
} else {
- log_error("FreeRADIUS: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php).");
+ log_error("[FreeRADIUS]: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php).");
}
}
-// ##### The part above is based on the code of pfblocker #####
-
// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files (clients.conf, users)
// Adding more functions will increase the to sync
function freeradius_all_after_XMLRPC_resync() {
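Review bot: The two `log_error($error);` calls in the exec_php failure branches (the `!$resp` arm and the `faultCode()` arm) are left without the `[FreeRADIUS]:` prefix this commit applies to every other message in the function, so anyone filtering the system log on that prefix misses exactly the failure cases. Change both to `log_error("[FreeRADIUS]: $error");`. freeradius_do_xmlrpc_sync() starts outside this hunk.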
diff --git a/config/freeradius2/freeradius.xml b/config/freeradius2/freeradius.xml
index fdadab89..c9381c81 100644
--- a/config/freeradius2/freeradius.xml
+++ b/config/freeradius2/freeradius.xml
@@ -9,7 +9,7 @@
/*
freeradius.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradius</name>
- <version>2.1.12</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: Users</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<menu>
diff --git a/config/freeradius2/freeradius_view_config.php b/config/freeradius2/freeradius_view_config.php
index a29e1a55..a1943653 100644
--- a/config/freeradius2/freeradius_view_config.php
+++ b/config/freeradius2/freeradius_view_config.php
@@ -2,7 +2,7 @@
/*
freeradius_view_config.php
part of pfSense (http://www.pfsense.com/)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com>
based on postfix_view_config.php
based on varnish_view_config.
diff --git a/config/freeradius2/freeradiusauthorizedmacs.xml b/config/freeradius2/freeradiusauthorizedmacs.xml
index 173f8f00..235d0218 100644
--- a/config/freeradius2/freeradiusauthorizedmacs.xml
+++ b/config/freeradius2/freeradiusauthorizedmacs.xml
@@ -9,7 +9,7 @@
/*
freeradiusauthorizedmacs.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
diff --git a/config/freeradius2/freeradiuscerts.xml b/config/freeradius2/freeradiuscerts.xml
index 21f18643..6108215b 100644
--- a/config/freeradius2/freeradiuscerts.xml
+++ b/config/freeradius2/freeradiuscerts.xml
@@ -9,7 +9,7 @@
/*
freeradiuscerts.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -290,4 +290,4 @@
<custom_php_resync_config_command>
freeradius_allcertcnf_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/freeradius2/freeradiusclients.xml b/config/freeradius2/freeradiusclients.xml
index 87d8a11f..215a751e 100644
--- a/config/freeradius2/freeradiusclients.xml
+++ b/config/freeradius2/freeradiusclients.xml
@@ -9,7 +9,7 @@
/*
freeradiusclients.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -246,4 +246,4 @@
<custom_php_resync_config_command>
freeradius_clients_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/freeradius2/freeradiuseapconf.xml b/config/freeradius2/freeradiuseapconf.xml
index a2dd2b99..8f8e4dc7 100644
--- a/config/freeradius2/freeradiuseapconf.xml
+++ b/config/freeradius2/freeradiuseapconf.xml
@@ -9,7 +9,7 @@
/*
freeradiuseapconf.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
Copyright (C) 2013 Marcello Coutinho (revocation list code)
All rights reserved.
diff --git a/config/freeradius2/freeradiusinterfaces.xml b/config/freeradius2/freeradiusinterfaces.xml
index c944ac17..1233f72f 100644
--- a/config/freeradius2/freeradiusinterfaces.xml
+++ b/config/freeradius2/freeradiusinterfaces.xml
@@ -9,7 +9,7 @@
/*
freeradiusinterfaces.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -185,4 +185,4 @@
<custom_php_resync_config_command>
freeradius_settings_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml
index 0fa98493..c7b5e79d 100644
--- a/config/freeradius2/freeradiusmodulesldap.xml
+++ b/config/freeradius2/freeradiusmodulesldap.xml
@@ -9,7 +9,7 @@
/*
freeradiusmodulesldap.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiusmodulesldap</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: LDAP</title>
<aftersaveredirect>pkg_edit.php?xml=freeradiusmodulesldap.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
@@ -705,4 +705,4 @@
<custom_php_resync_config_command>
freeradius_modulesldap_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/freeradius2/freeradiussettings.xml b/config/freeradius2/freeradiussettings.xml
index 4bc98723..1d908ca4 100644
--- a/config/freeradius2/freeradiussettings.xml
+++ b/config/freeradius2/freeradiussettings.xml
@@ -9,7 +9,7 @@
/*
freeradiussettings.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiussettings</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: Settings</title>
<aftersaveredirect>pkg_edit.php?xml=freeradiussettings.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
@@ -376,4 +376,4 @@
<custom_php_resync_config_command>
freeradius_settings_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/freeradius2/freeradiussqlconf.xml b/config/freeradius2/freeradiussqlconf.xml
index 6851711c..bb72a07a 100644
--- a/config/freeradius2/freeradiussqlconf.xml
+++ b/config/freeradius2/freeradiussqlconf.xml
@@ -9,7 +9,7 @@
/*
freeradiussqlconf.xml
part of pfSense (http://www.pfSense.com)
- Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
+ Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
All rights reserved.
Based on m0n0wall (http://m0n0.ch/wall)
@@ -45,7 +45,7 @@
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiussqlconf</name>
- <version>none</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: SQL</title>
<aftersaveredirect>pkg_edit.php?xml=freeradiussqlconf.xml&amp;id=0</aftersaveredirect>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
@@ -621,4 +621,4 @@
<custom_php_resync_config_command>
freeradius_sqlconf_resync();
</custom_php_resync_config_command>
-</packagegui> \ No newline at end of file
+</packagegui>
diff --git a/config/freeradius2/freeradiussync.xml b/config/freeradius2/freeradiussync.xml
index 5f1acc74..be678e5a 100644
--- a/config/freeradius2/freeradiussync.xml
+++ b/config/freeradius2/freeradiussync.xml
@@ -9,8 +9,8 @@
/*
freeradiussync.xml
part of pfSense (http://www.pfSense.com)
-Copyright (C) 2011 - 2012 Alexander Wilke <nachtfalkeaw@web.de>
-Copyright (C) 2011 Marcello Coutinho <marcellocoutinho@gmail.com>
+Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de>
+Copyright (C) 2013 Marcello Coutinho <marcellocoutinho@gmail.com>
based on pfblocker_sync.xml
All rights reserved.
@@ -47,7 +47,7 @@ POSSIBILITY OF SUCH DAMAGE.
<requirements>Describe your package requirements here</requirements>
<faq>Currently there are no FAQ items provided.</faq>
<name>freeradiussync</name>
- <version>2.1.12</version>
+ <version>2.2.0</version>
<title>FreeRADIUS: XMLRPC Sync</title>
<include_file>/usr/local/pkg/freeradius.inc</include_file>
<menu>
@@ -111,23 +111,29 @@ POSSIBILITY OF SUCH DAMAGE.
</tabs>
<fields>
<field>
- <name>freeRADIUS XMLRPC Sync</name>
+ <name>FreeRADIUS XMLRPC Sync</name>
<type>listtopic</type>
</field>
<field>
- <fielddescr>Automatically sync freeRADIUS configuration changes?</fielddescr>
+ <fielddescr>Enable Sync</fielddescr>
<fieldname>varsyncenablexmlrpc</fieldname>
<description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br>
- Only <b>Users</b>, <b>MACs</b> and <b>NAS / Clients</b> will be synced.<br>
- <b>Important:</b> Only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description>
- <type>checkbox</type>
+ <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description>
+ <type>select</type>
+ <required/>
+ <default_value>auto</default_value>
+ <options>
+ <option><name>Sync to configured system backup server</name><value>auto</value></option>
+ <option><name>Sync to host(s) defined below</name><value>manual</value></option>
+ <option><name>Do not sync this package configuration</name><value>disabled</value></option>
+ </options>
</field>
<field>
- <fielddescr>XMLRPC timeout</fielddescr>
+ <fielddescr>XMLRPC timeout</fielddescr>
<fieldname>varsynctimeout</fieldname>
<description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description>
<type>input</type>
- <default_value>150</default_value>
+ <default_value>150</default_value>
<size>5</size>
</field>
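Review bot: The `varsyncenablexmlrpc` description still opens with `All changes will be synced immediately to the IPs listed below if this option is checked.`, which no longer matches a three-way `select`; reword it to `All changes will be synced immediately when "Sync to host(s) defined below" or "Sync to configured system backup server" is selected.` The same description quotes the option as `"Sync to hosts defined below"` while the option label added below reads `Sync to host(s) defined below`; make the two identical so users can find the option being referred to.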
@@ -166,7 +172,7 @@ POSSIBILITY OF SUCH DAMAGE.
<type>input</type>
<size>3</size>
</rowhelperfield>
- <rowhelperfield>
+ <rowhelperfield>
<fielddescr>GUI Admin Password</fielddescr>
<fieldname>varsyncpassword</fieldname>
<description><![CDATA[Password of the user "admin" on the destination host.]]></description>
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 94c85a7e..8eb9f2fa 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -777,6 +777,41 @@ function squid_install_cron($should_install) {
configure_cron();
}
+function squid_check_ca_hashes(){
+ global $config,$g;
+
+ #check certificates
+ $cert_count=0;
+ if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+ if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) {
+ while (false !== ($file = readdir($handle)))
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ if ($cert_count < 10){
+ conf_mount_rw();
+ #create ca-root hashes from ca-root-nss package
+ log_error("Creating root certificate bundle hashes from the Mozilla Project");
+ $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+ $cert=0;
+ foreach ($cas as $ca){
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ $cert=1;
+ if ($cert == 1)
+ $crt.=$ca;
+ if (preg_match("/-END CERTIFICATE-/",$ca)){
+ file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+ $cert_hash=array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+ file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+ $crt="";
+ $cert=0;
+ }
+ }
+ }
+}
+
function squid_resync_general() {
global $g, $config, $valid_acls;
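Review bot: `squid_check_ca_hashes()` opens `SQUID_LOCALBASE.'/usr/local/share/certs'` while the `is_dir()` check just above it and the two `file()`/`file_put_contents()` calls below all use `SQUID_LOCALBASE.'/share/certs'`, so the directory scan will fail, `closedir($handle)` runs on a false handle (or an undefined one when `is_dir()` is false, since it sits outside that `if`), `$cert_count` stays 0 and the bundle is re-hashed on every resync. The per-certificate round trip through the fixed path `/tmp/cert.pem` and the unchecked `$cert_hash[0]` also deserve tightening because the output directory becomes `sslproxy_capath`, i.e. the trust store squid verifies upstream servers against: an openssl failure writes the pending certificate to a file named `.0`, and a fixed, predictable temp path in a world-writable directory is the usual symlink hazard. `$crt` is appended to before being initialised, and `conf_mount_rw()` has no matching `conf_mount_ro()`. The rewrite below uses one directory variable, anchors the hash-file regex, hashes through a `tempnam()` file that is removed after use, validates the hash before writing, and remounts read-only on every exit.
```php
function squid_check_ca_hashes(){
	global $config,$g;
	$certdir = SQUID_LOCALBASE . '/share/certs';

	#check certificates
	$cert_count=0;
	if (is_dir($certdir) && ($handle = opendir($certdir))) {
		while (false !== ($file = readdir($handle)))
			if (preg_match("/^[0-9a-f]{8}\.0$/", $file))
				$cert_count++;
		closedir($handle);
	}
	if ($cert_count < 10){
		conf_mount_rw();
		#create ca-root hashes from ca-root-nss package
		log_error("Creating root certificate bundle hashes from the Mozilla Project");
		$cas = file($certdir . '/ca-root-nss.crt');
		if ($cas === false) {
			log_error("Could not read {$certdir}/ca-root-nss.crt, no CA hashes created");
			conf_mount_ro();
			return;
		}
		$crt = "";
		$cert = 0;
		foreach ($cas as $ca){
			// … unchanged: BEGIN CERTIFICATE detection, accumulate $ca into $crt …
			if (preg_match("/-END CERTIFICATE-/",$ca)){
				# private temp file instead of a fixed name in /tmp; removed right after hashing
				$tmp = tempnam("/tmp", "squidca");
				file_put_contents($tmp, $crt, LOCK_EX);
				$cert_hash = array();
				exec("/usr/bin/openssl x509 -hash -noout -in " . escapeshellarg($tmp), $cert_hash, $rc);
				unlink($tmp);
				# only write into the capath when openssl produced a well-formed subject hash
				if ($rc === 0 && isset($cert_hash[0]) && preg_match("/^[0-9a-f]{8}$/", $cert_hash[0]))
					file_put_contents($certdir . "/" . $cert_hash[0] . ".0", $crt, LOCK_EX);
				else
					log_error("openssl could not hash a certificate from ca-root-nss.crt, skipping it");
				$crt = "";
				$cert = 0;
			}
		}
		conf_mount_ro();
	}
}
```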
@@ -785,11 +820,11 @@ function squid_resync_general() {
else
$settings=array();
$conf = "# This file is automatically generated by pfSense\n";
- $conf .= "# Do not edit manually !\n";
+ $conf .= "# Do not edit manually !\n\n";
#Check ssl interception
- $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
if (($settings['ssl_proxy'] == 'on')) {
- $srv_cert = lookup_cert($settings["dcert"]);
+ squid_check_ca_hashes();
+ $srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
if(base64_decode($srv_cert['prv'])) {
#check if ssl_db was initilized by squid
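Review bot: `lookup_ca($settings["dca"])` reads a new config key; installs that stored a value under the old `dcert` key keep it under that name, so after upgrade `$settings["dca"]` is empty and interception is silently skipped by the `if ($srv_cert != false)` check that follows. The value spaces differ (the old field selected from `$config['cert']`, the new one from `$config['ca']`, per the squid.xml hunk), so copying the old value is not an option; instead add an `else` branch to that check with `log_error("squid: SSL interception is enabled but no valid CA is selected");` so the operator learns why filtering stopped, and mention the re-selection in the release notes. squid_resync_general() starts and ends outside this hunk.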
@@ -801,17 +836,23 @@ function squid_resync_general() {
}
#force squid user permission on /var/squid/lib/ssl_db/
squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
+ # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
+ $crt_capath=SQUID_LOCALBASE."/share/certs/";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
-
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n";
- $interception_checks="";
+ $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+ $interception_checks .= "sslproxy_capath {$crt_capath}\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
$interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
- if ($settings["interception_adapt"] != "")
- $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n";
+ if ($settings["interception_adapt"] != ""){
+ foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+ $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ }
}
}
}
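Review bot: `$sslcrtd_children` is taken straight from `$settings` by the ternary and then used both in the `$sslcrtd_children*2` arithmetic and in the `sslcrtd_children` directive, with no numeric check; a non-numeric or zero value yields `dynamic_cert_mem_cache_size=0MB` and an `sslcrtd_children` line squid is unlikely to accept. Replace the ternary with `$sslcrtd_children = (is_numeric($settings['sslcrtd_children']) && $settings['sslcrtd_children'] > 0) ? (int)$settings['sslcrtd_children'] : 5;`. The `-M 4MB -b 2048` arguments of the new `sslcrtd_program` line are hard-coded with no comment; a one-line `# ssl_crtd: 4MB certificate DB, 2048-bit keys for generated certificates` would spare the next reader a trip to the squid docs. squid_resync_general() starts and ends outside this hunk.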
@@ -887,7 +928,7 @@ function squid_resync_general() {
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
- $conf .= <<<EOD
+ $conf .= <<< EOD
icp_port {$icp_port}
dns_v4_first {$dns_v4_first}
pid_filename {$pidfile}
@@ -900,7 +941,6 @@ cache_mgr {$email}
access_log {$logdir_access}
cache_log {$logdir_cache}
cache_store_log none
-sslcrtd_children {$sslcrtd_children}
{$interception_checks}
EOD;
@@ -912,7 +952,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
$conf .= "logfile_rotate {$rotate}\n";
squid_install_cron(true);
- $conf .= <<<EOD
+ $conf .= <<< EOD
shutdown_lifetime 3 seconds
EOD;
@@ -987,7 +1027,7 @@ if(empty($settings['cache_dynamic_content'])){
}
else{
if(preg_match('/youtube/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
@@ -998,7 +1038,7 @@ cache allow youtube
EOC;
}
if(preg_match('/windows/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Windows Update refresh_pattern
range_offset_limit -1
@@ -1010,7 +1050,7 @@ EOC;
}
if(preg_match('/symantec/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Symantec refresh_pattern
range_offset_limit -1
@@ -1020,7 +1060,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re
EOC;
}
if(preg_match('/avast/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Avast refresh_pattern
range_offset_limit -1
@@ -1029,7 +1069,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i
EOC;
}
if(preg_match('/avira/',$settings['refresh_patterns'])){
- $conf.=<<<EOC
+ $conf.=<<< EOC
# Avira refresh_pattern
range_offset_limit -1
@@ -1037,18 +1077,22 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43
EOC;
}
- $refresh_conf=<<<EOC
+ $refresh_conf=<<< EOC
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
+
EOC;
-
}
+
+ If ($settings['custom_refresh_patterns'] !="")
+ $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
+
+ $conf .= <<< EOD
- $conf .= <<<EOD
cache_mem $memory_cache_size MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
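Review bot: The new `custom_refresh_patterns` block appears to sit after the closing brace of the `else` branch of `if(empty($settings['cache_dynamic_content']))`, so it is emitted regardless of the dynamic-cache setting, while the field description added in squid_cache.xml says it is included only when dynamic cache is enabled — one of the two should change, and moving the three lines inside the `else` before `$refresh_conf=` would match the description. `If` is only accepted because PHP keywords are case-insensitive; write it `if ($settings['custom_refresh_patterns'] != "")` and brace the one-line body like the surrounding code. The squid_cache.xml description also reads `This options will be included` — `This option will be included`. squid_resync_general() starts and ends outside this hunk.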
@@ -1067,11 +1111,12 @@ EOD;
if (!empty($donotcache)) {
file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
- $conf .= 'cache deny donotcache';
+ $conf .= "cache deny donotcache\n";
}
elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
unlink(SQUID_ACLDIR . '/donotcache.acl');
}
+ $conf .= "cache allow all\n";
return $conf.$refresh_conf;
}
@@ -1133,7 +1178,7 @@ function squid_resync_nac() {
$addtl_sslports = $settings['addtl_sslports'];
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
- $conf = <<<EOD
+ $conf = <<< EOD
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
@@ -1152,7 +1197,6 @@ acl connect method CONNECT
acl HTTP proto HTTP
acl HTTPS proto HTTPS
-
EOD;
$allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
@@ -1187,7 +1231,7 @@ EOD;
}
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
http_access allow manager localhost
EOD;
@@ -1204,7 +1248,7 @@ EOD;
}
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
http_access deny manager
http_access allow purge localhost
@@ -1262,7 +1306,7 @@ function squid_resync_antivirus(){
$clwarn="clwarn.cgi.pt_BR";
copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
- $conf = <<<EOF
+ $conf = <<< EOF
icap_enable on
icap_send_client_ip {$icap_send_client_ip}
icap_send_client_username {$icap_send_client_username}
@@ -1412,7 +1456,7 @@ function squid_resync_traffic() {
$perhost = -1;
else
$perhost *= 1024;
- $conf .= <<<EOD
+ $conf .= <<< EOD
delay_pools 1
delay_class 1 2
delay_parameters 1 $overall/$overall $perhost/$perhost
@@ -1608,23 +1652,23 @@ function squid_resync_auth() {
$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
switch ($auth_method) {
case 'local':
- $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n";
+ $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
break;
case 'ldap':
$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
- $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+ $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
break;
case 'radius':
$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
break;
case 'msnt':
- $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n";
+ $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
squid_resync_msnt();
break;
}
- $conf .= <<<EOD
+ $conf .= <<< EOD
auth_param basic children $processes
auth_param basic realm $prompt
auth_param basic credentialsttl $auth_ttl minutes
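Review bot: The rewritten `basic_ldap_auth` and `basic_radius_auth` lines still pass `-w {$settings['ldap_pass']}` and `-w {$settings['radius_secret']}` on the helper command line, which exposes the LDAP bind password and the RADIUS shared secret to anyone who can list processes on the box, on top of their presence in squid.conf. Both helpers can read the secret from a file instead (`-W <file>` for basic_ldap_auth, `-f <config file>` for basic_radius_auth — confirm against the installed helper versions); writing the secret to a root-only file under SQUID_CONFBASE and referencing it would keep it out of `ps` output. squid_resync_auth() starts and ends outside this hunk.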
@@ -1650,7 +1694,7 @@ EOD;
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
- $conf .="http_access deny passowrd sglog\n";
+ $conf .="http_access deny password sglog\n";
// Allow the other ACLs as long as they authenticate
foreach ($password as $acl)
@@ -1788,7 +1832,7 @@ function squid_print_javascript_auth() {
// No authentication for transparent proxy
if ($transparent_proxy) {
- $javascript = <<<EOD
+ $javascript = <<< EOD
<script language="JavaScript">
<!--
function on_auth_method_changed() {
@@ -1816,7 +1860,7 @@ function on_auth_method_changed() {
EOD;
}
else {
- $javascript = <<<EOD
+ $javascript = <<< EOD
<script language="JavaScript">
<!--
function on_auth_method_changed() {
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
index 25c1b212..d64aabb9 100644
--- a/config/squid3/33/squid.xml
+++ b/config/squid3/33/squid.xml
@@ -370,12 +370,13 @@
<default_value>3129</default_value>
</field>
<field>
- <fielddescr>Cert</fielddescr>
- <fieldname>dcert</fieldname>
- <description><![CDATA[Select Certificate to use in SSL interception<br>
- To create a Certificate on pfsense, go to <strong>system -> Cert Manager<strong>]]></description>
+ <fielddescr>CA</fielddescr>
+ <fieldname>dca</fieldname>
+ <description><![CDATA[Select Certificate Authority to use when SSL interception is enabled.<br>
+ To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br>
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]></description>
<type>select_source</type>
- <source><![CDATA[$config['cert']]]></source>
+ <source><![CDATA[$config['ca']]]></source>
<source_name>descr</source_name>
<source_value>refid</source_value>
</field>
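Review bot: The re-added description line `To create a CA on pfsense, go to <strong>system -> Cert Manager<strong><br>` never closes its `<strong>`, so the rest of the description renders bold; change the second `<strong>` to `</strong>`. The following sentence reads `Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.` — `Install the CA certificate as a trusted CA on each client you want to filter, otherwise every SSL connection will show a certificate error.`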
@@ -401,11 +402,17 @@
<size>3</size>
</field>
<field>
- <fielddescr>sslcrtd adapt</fielddescr>
+ <fielddescr>Certificate adapt</fielddescr>
<fieldname>interception_adapt</fieldname>
- <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
- <type>input</type>
- <size>70</size>
+ <description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
+ <type>select</type>
+ <options>
+ <option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option>
+ <option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option>
+ <option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option>
+ </options>
+ <multiple/>
+ <size>3</size>
</field>
<field>
<name>Logging Settings</name>
diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml
index 9d982dcb..26d6463c 100755
--- a/config/squid3/33/squid_cache.xml
+++ b/config/squid3/33/squid_cache.xml
@@ -284,7 +284,16 @@
</options>
<multiple/>
<size>06</size>
- </field>
+ </field>
+ <field>
+ <fielddescr>Custom refresh_patterns</fielddescr>
+ <fieldname>custom_refresh_patterns</fieldname>
+ <description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description>
+ <type>textarea</type>
+ <cols>67</cols>
+ <rows>5</rows>
+ <encoding>base64</encoding>
+ </field>
</fields>
<custom_php_command_before_form>
if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc
index f3126649..1ea1b5a5 100644
--- a/config/squidGuard/squidguard.inc
+++ b/config/squidGuard/squidguard.inc
@@ -645,10 +645,11 @@ function squidguard_before_form_dest($pkg) {
$i=0;
foreach($pkg['fields']['field'] as $field) {
# order
- if (is_array($destination_items) && $field['fieldname'] == 'order') {
+ if ($field['fieldname'] == 'order') {
$fld = &$pkg['fields']['field'][$i];
- foreach($destination_items as $nmkey => $nm)
- $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey);
+ if (is_array($destination_items))
+ foreach($destination_items as $nmkey => $nm)
+ $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey);
$fld['options']['option'][] = array('name'=>'--- Last ---', 'value'=>'9999');
$fld['options']['option'][] = array('name'=>'-----', 'value'=>''); # ! this is must be last !
}