diff options
Diffstat (limited to 'config')
176 files changed, 14091 insertions, 1748 deletions
diff --git a/config/apache_mod_security-dev/apache.template b/config/apache_mod_security-dev/apache.template index 69ffb9c7..ab981a9e 100644 --- a/config/apache_mod_security-dev/apache.template +++ b/config/apache_mod_security-dev/apache.template @@ -4,69 +4,8 @@ if(file_exists( APACHEDIR ."/libexec/apache22/mod_memcache.so")) $mod_mem_cache = "LoadModule memcache_module libexec/apache22/mod_memcache.so\n"; } - -/* -<IfModule mod_security2.c> - - - # Turn the filtering engine On or Off - SecFilterEngine On - - # XXX Add knobs for these - SecRuleEngine On - SecRequestBodyAccess On - SecResponseBodyAccess On - - SecRequestBodyInMemoryLimit {$secrequestbodyinmemorylimit} - SecRequestBodyLimit {$secrequestbodylimit} - - {$mod_security_custom} - - SecResponseBodyMimeTypesClear - SecResponseBodyMimeType (null) text/plain text/html text/css text/xml - - # XXX Add knobs for these - SecUploadDir /var/spool/apache/private - SecUploadKeepFiles Off - - # The audit engine works independently and - # can be turned On of Off on the per-server or - # on the per-directory basis - SecAuditEngine {$secauditengine} - - # XXX Add knobs for these - # Make sure that URL encoding is valid - SecFilterCheckURLEncoding On - - # XXX Add knobs for these - # Unicode encoding check - SecFilterCheckUnicodeEncoding On - - # XXX Add knobs for these - # Only allow bytes from this range - SecFilterForceByteRange 1 255 - - # Help prevent the effects of a Slowloris-type of attack - # $secreadstatelimit - - # Cookie format checks. - SecFilterCheckCookieFormat On - - # The name of the audit log file - SecAuditLog logs/audit_log - - #http-guardian Anti-dos protection - {$SecGuardianLog} - - # Should mod_security inspect POST payloads - SecFilterScanPOST On - - # Include rules from rules/ directory - {$mod_security_rules} - -</IfModule> - -*/ + if($mods_settings['enablemodsecurity']=="on") + $mod_security_module= "LoadModule security2_module libexec/apache22/mod_security2.so\n"; $apache_dir=APACHEDIR; $apache_config = <<<EOF @@ -176,7 +115,7 @@ LoadModule status_module libexec/apache22/mod_status.so LoadModule autoindex_module libexec/apache22/mod_autoindex.so LoadModule asis_module libexec/apache22/mod_asis.so LoadModule info_module libexec/apache22/mod_info.so -LoadModule cgi_module libexec/apache22/mod_cgi.so +#LoadModule cgi_module libexec/apache22/mod_cgi.so LoadModule vhost_alias_module libexec/apache22/mod_vhost_alias.so LoadModule negotiation_module libexec/apache22/mod_negotiation.so LoadModule dir_module libexec/apache22/mod_dir.so @@ -188,6 +127,7 @@ LoadModule alias_module libexec/apache22/mod_alias.so LoadModule rewrite_module libexec/apache22/mod_rewrite.so LoadModule reqtimeout_module libexec/apache22/mod_reqtimeout.so {$mod_mem_cache} +{$mod_security_module} <IfModule !mpm_netware_module> <IfModule !mpm_winnt_module> @@ -564,9 +504,13 @@ AcceptFilter https none # Proxysettings {$mod_proxy} +# Mod status +{$mod_status} + + # Include anything else Include etc/apache22/Includes/*.conf EOF; -?>
\ No newline at end of file +?> diff --git a/config/apache_mod_security-dev/apache_balancer.xml b/config/apache_mod_security-dev/apache_balancer.xml index b3acba57..015da143 100755 --- a/config/apache_mod_security-dev/apache_balancer.xml +++ b/config/apache_mod_security-dev/apache_balancer.xml @@ -75,7 +75,12 @@ <active/> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> </tab> @@ -103,6 +108,7 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -135,59 +141,64 @@ <fieldname>proto</fieldname> <description><![CDATA[Protocol listening on this internal server(s) port.]]></description> <type>select</type> - <options> - <option> <name>HTTP</name> <value>http</value> </option> - <option> <name>HTTPS</name> <value>https</value> </option> - </options> + <options> + <option> <name>HTTP</name> <value>http</value> </option> + <option> <name>HTTPS</name> <value>https</value> </option> + </options> </field> -<field> - <fielddescr> - <![CDATA[Internal Servers]]> - </fielddescr> + <field> + <name><![CDATA[Internal Server(s)]]></name> + <type>listtopic</type> + </field> + <field> + <fielddescr><![CDATA[Internal Servers]]></fielddescr> <fieldname>additionalparameters</fieldname> - <type>rowhelper</type> - <rowhelper> + <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> + <rowhelper> <rowhelperfield> - <fielddescr>fqdn or ip</fielddescr> - <fieldname>host</fieldname> - <description>Internal site IP or Hostnamesite</description> - <type>input</type> - <size>20</size> + <fielddescr>FQDN or IP Address</fielddescr> + <fieldname>host</fieldname> + <description>Internal site IP or Hostnamesite</description> + <type>input</type> + <size>27</size> </rowhelperfield> <rowhelperfield> - <fielddescr>port</fielddescr> - <fieldname>port</fieldname> - <description>Internal site port</description> - <type>input</type> - <size>4</size> + <fielddescr>port</fielddescr> + <fieldname>port</fieldname> + <description>Internal site port</description> + <type>input</type> + <size>5</size> </rowhelperfield> <rowhelperfield> - <fielddescr>routeid</fielddescr> - <fieldname>routeid</fieldname> - <description>id to define stick connections</description> - <type>input</type> - <size>4</size> + <fielddescr>routeid</fielddescr> + <fieldname>routeid</fieldname> + <description>ID to define sticky connections</description> + <type>input</type> + <size>6</size> </rowhelperfield> <rowhelperfield> - <fielddescr>weight</fielddescr> - <fieldname>loadfactor</fieldname> - <description>Server weight</description> - <type>input</type> - <size>4</size> + <fielddescr>weight</fielddescr> + <fieldname>loadfactor</fieldname> + <description>Server weight</description> + <type>input</type> + <size>4</size> </rowhelperfield> <rowhelperfield> - <fielddescr>ping</fielddescr> - <fieldname>ping</fieldname> - <description>Server ping test interval</description> - <type>input</type> - <size>4</size> + <fielddescr>ping</fielddescr> + <fieldname>ping</fieldname> + <description>Server ping test interval</description> + <type>input</type> + <size>6</size> </rowhelperfield> <rowhelperfield> - <fielddescr>ttl</fielddescr> - <fieldname>ttl</fieldname> - <description>Server pint ttl</description> - <type>input</type> - <size>4</size> + <fielddescr>ttl</fielddescr> + <fieldname>ttl</fieldname> + <description>Server ping TTL</description> + <type>input</type> + <size>6</size> </rowhelperfield> </rowhelper> </field> @@ -196,4 +207,4 @@ <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_location.xml b/config/apache_mod_security-dev/apache_location.xml new file mode 100644 index 00000000..315cca4c --- /dev/null +++ b/config/apache_mod_security-dev/apache_location.xml @@ -0,0 +1,237 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + apache_location.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2012 Marcello Coutinho + Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com> + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> + </copyright> + <name>apachelocation</name> + <version>1.0</version> + <title>Apache reverse proxy: Locations</title> + + <tabs> + <tab> + <text>Apache</text> + <url>/pkg_edit.php?xml=apache_settings.xml&id=0</url> + <active/> + </tab> + <tab> + <text>ModSecurity</text> + <url>/pkg_edit.php?xml=apache_mod_security_settings.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=apache_mod_security_sync.xml</url> + </tab> + <tab> + <text>Daemon Options</text> + <url>/pkg_edit.php?xml=apache_settings.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Backends / Balancers</text> + <url>/pkg.php?xml=apache_balancer.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <active/> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> + <url>/pkg.php?xml=apache_virtualhost.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Logs</text> + <url>/apache_view_logs.php</url> + <tab_level>2</tab_level> + </tab> + </tabs> + <adddeleteeditpagefields> + <movable>on</movable> + <columnitem> + <fielddescr>Identifier</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Compress</fielddescr> + <fieldname>compress</fieldname> + </columnitem> + <columnitem> + <fielddescr>Site Path</fielddescr> + <fieldname>sitepath</fieldname> + <listmodeoff>/</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Balancer</fielddescr> + <fieldname>balancer</fieldname> + </columnitem> + <columnitem> + <fielddescr>lbmethod</fielddescr> + <fieldname>lbmethod</fieldname> + </columnitem> + <columnitem> + <fielddescr>Backendpath</fielddescr> + <fieldname>backendpath</fieldname> + <listmodeoff>/</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Modsecurity</fielddescr> + <fieldname>modsecgroup</fieldname> + <listmodeoff>None</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Rule Manipulation</fielddescr> + <fieldname>modsecmanipulation</fieldname> + <listmodeoff>None</listmodeoff> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <name>Location Settings</name> + <type>listtopic</type> + </field> + <field> + <fielddescr><![CDATA[Identifier]]></fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Location name/identifier.]]></description> + <type>input</type> + <required/> + <size>20</size> + </field> + <field> + <fielddescr><![CDATA[gzip?]]></fielddescr> + <fieldname>compress</fieldname> + <description>Compress data to save bandwidth?</description> + <type>select</type> + <options> + <option><name>yes</name><value>yes</value></option> + <option><name>no</name><value>no</value></option> + </options> + </field> + <field> + <fielddescr><![CDATA[Site Path]]></fielddescr> + <fieldname>sitepath</fieldname> + <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <fielddescr><![CDATA[Balancer]]></fielddescr> + <fieldname>balancer</fieldname> + <description>Server balancer / pool</description> + <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + <type>select_source</type> + <size>5</size> + </field> + <field> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LB Method</a>]]></fielddescr> + <fieldname>lbmethod</fieldname> + <description>Server balance method</description> + <type>select</type> + <options> + <option><name>byrequests</name><value>byrequests</value></option> + <option><name>bytraffic</name><value>bytraffic</value></option> + <option><name>bybusyness</name><value>bybusyness</value></option> + </options> + </field> + <field> + <fielddescr>Backend Path</fielddescr> + <fieldname>backendpath</fieldname> + <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <fielddescr><![CDATA[ModSecurity]]></fielddescr> + <fieldname>modsecgroup</fieldname> + <description>Choose ModSecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr><![CDATA[Manipulations]]></fielddescr> + <fieldname>modsecmanipulation</fieldname> + <description>Choose Modsecurity group to use on this virtual host.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <show_disable_value>none</show_disable_value> + </field> + <field> + <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> + <fieldname>options</fieldname> + <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> + <type>input</type> + <size>30</size> + </field> + <field> + <name>Custom Location Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>custom</fieldname> + <description><![CDATA[Pass extra Apache config for this Location. This is useful for SSLRequire rules for example.]]></description> + <type>textarea</type> + <cols>90</cols> + <rows>10</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + </fields> + <service> + <name>apache_mod_security</name> + <rcfile>apache_mod_security.sh</rcfile> + <executable>httpd</executable> + </service> + <custom_php_resync_config_command> + apache_mod_security_resync(); + </custom_php_resync_config_command> + <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> +</packagegui> diff --git a/config/apache_mod_security-dev/apache_logs_data.php b/config/apache_mod_security-dev/apache_logs_data.php index 256ff144..fdcc04b0 100644 --- a/config/apache_mod_security-dev/apache_logs_data.php +++ b/config/apache_mod_security-dev/apache_logs_data.php @@ -92,7 +92,7 @@ if ($_GET) { // Apply filter and color if ($filter != "") $line = preg_replace("@($filter)@i","<spam><font color='red'>$1</font></span>",$line); - $agent_info="onmouseover=\"jQuery('#bowserinfo').empty().html('{$line[13]}');\"\n"; + $agent_info="onmouseover=\"jQuery('#browserinfo').empty().html('{$line[13]}');\"\n"; echo "<tr valign=\"top\" $agent_info>\n"; echo "<td class=\"listlr\" align=\"center\" nowrap>{$line[5]}({$line[6]})</td>\n"; echo "<td class=\"listr\" align=\"center\">{$line[1]}</td>\n"; diff --git a/config/apache_mod_security-dev/apache_mod_security.inc b/config/apache_mod_security-dev/apache_mod_security.inc index fb83f9a6..c58210dc 100644 --- a/config/apache_mod_security-dev/apache_mod_security.inc +++ b/config/apache_mod_security-dev/apache_mod_security.inc @@ -3,7 +3,8 @@ apache_mod_security.inc part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho + Copyright (C) 2013 Stephane Lapie <stephane.lapie@asahinet.com> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -28,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$shortcut_section = "apache"; // Check to find out on which system the package is running $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) @@ -35,9 +37,9 @@ if ($pf_version > 2.0) else define('APACHEDIR', '/usr/local'); // End of system check -define ('MODSECURITY_DIR','modsecurity-crs_2.2.5'); +define ('MODSECURITY_DIR','crs'); // Rules directory location -define("rules_directory", APACHEDIR . "/". MODSECURITY_DIR); +define("RULES_DIRECTORY", APACHEDIR . "/". MODSECURITY_DIR); function apache_textarea_decode($base64){ return preg_replace("/\r\n/","\n",base64_decode($base64)); } @@ -57,10 +59,6 @@ function apache_get_real_interface_address($iface) { // Ensure NanoBSD can write. pkg_mgr will remount RO conf_mount_rw(); -// Needed mod_security directories -if(!is_dir(APACHEDIR . "/". MODSECURITY_DIR)) - safe_mkdir(APACHEDIR . "/". MODSECURITY_DIR); - // Startup function function apache_mod_security_start() { exec(APACHEDIR . "/sbin/httpd -D NOHTTPACCEPT -k start"); @@ -127,24 +125,179 @@ function apache_mod_security_resync() { global $config, $g; apache_mod_security_install(); $dirs=array("base", "experimental","optional", "slr"); - if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")) - exec ("tar -xzf /usr/local/pkg/modsecurity-crs_2.2.5.tar.gz -C ".APACHEDIR); + log_error("apache_mod_security_package: configuration resync is starting."); + if (! file_exists(APACHEDIR ."/". MODSECURITY_DIR . "/LICENSE")){ + exec ("/usr/local/bin/git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git ".APACHEDIR."/".MODSECURITY_DIR); + //chdir (APACHEDIR."/".MODSECURITY_DIR); + //exec ("/usr/local/bin/git checkout -q 2.2.8"); + } $write_config=0; foreach ($dirs as $dir){ if ($handle = opendir(APACHEDIR ."/".MODSECURITY_DIR."/{$dir}_rules")) { - $write_config++; - $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); - while (false !== ($entry = readdir($handle))) { - if (preg_match("/(\S+).conf/",$entry,$matches)) - $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); - } - closedir($handle); + $write_config++; + $config['installedpackages']["modsecurityfiles{$dir}"]['config']=array(); + while (false !== ($entry = readdir($handle))) { + if (preg_match("/(\S+).conf$/",$entry,$matches)) + $config["installedpackages"]["modsecurityfiles{$dir}"]["config"][]=array("file"=>$matches[1]); + } + closedir($handle); } } if ($write_config > 0) write_config(); apache_mod_security_checkconfig(); apache_mod_security_restart(); + log_error("apache_mod_security_package: configuration resync is ending."); + + if (is_array($config['installedpackages']['apachesync']['config'])){ + $apache_sync = $config['installedpackages']['apachesync']['config'][0]; + $synconchanges = $apache_sync['synconchanges']; + $synctimeout = $apache_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($apache_sync[row])){ + $rs = $apache_sync[row]; + } else { + log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no hosts to push on apache config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ // pfSense 2.0.x + $system_carp = $config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else if (is_array($config['hasync'])) { // pfSense 2.1 + $system_carp = $config['hasync']; + $rs[0]['ipaddress'] = $system_carp['synchronizetoip']; + $rs[0]['username'] = $system_carp['username']; + $rs[0]['password'] = $system_carp['password']; + } else { + log_error("apache_mod_security_package: xmlrpc sync is enabled but there is no system backup hosts to push apache config."); + return; + } + break; + default: + return; + break; + } + } + if (is_array($rs)){ + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if ($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if ($password && $sync_to_ip) + apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout); + } + } +} + +// Do the actual XMLRPC Sync +function apache_mod_security_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=25; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['apachesettings'] = $config['installedpackages']['apachesettings']; + $xml['apachemodsecurity'] = $config['installedpackages']['apachemodsecurity']; + $xml['apachemodsecuritysettings'] = $config['installedpackages']['apachemodsecuritysettings']; + $xml['apachebalancer'] = $config['installedpackages']['apachebalancer']; + $xml['apachevirtualhost'] = $config['installedpackages']['apachevirtualhost']; + $xml['apachelisten'] = $config['installedpackages']['apachelisten']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("apache_mod_security_package: Beginning apache_mod_security XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } else { + log_error("apache_mod_security_package: XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell apache_mod_security to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/apache_mod_security.inc');\n"; + $execcmd .= "apache_mod_security_resync();"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("apache_mod_security_package: XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting apache_mod_security XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting apache_mod_security XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "apache_mod_security Settings Sync", ""); + } else { + log_error("apache_mod_security XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + + } function apache_mod_security_checkconfig() { @@ -198,7 +351,9 @@ function generate_apache_configuration() { file_notice("apache_mod_security", $error, "apache_mod_security", ""); } // Set global listening directive and ensure nothing is listening on this port already - $globalbind_ip = ($settings['globalbindtoipaddr'] ? $settings['globalbindtoipaddr'] : "*"); + $iface_address = apache_get_real_interface_address($settings['globalbindtoipaddr']); + $ip=$iface_address[0]; + $globalbind_ip = ($ip ? $ip : "*"); $globalbind_port = $settings['globalbindtoport']; if ($globalbind_port == ""){ $globalbind_port ="80"; @@ -230,7 +385,8 @@ function generate_apache_configuration() { //performance settings //reference http://httpd.apache.org/docs/2.2/mod/mpm_common.html - $performance_settings="KeepAlive {$settings['keepalive']}\n"; + $keepalive=($settings['keepalive']?$settings['keepalive']:"on"); + $performance_settings="KeepAlive {$keepalive}\n"; if ($settings['maxkeepalivereq']) $performance_settings .= "MaxKeepAliveRequests {$settings['maxkeepalivereq']}\n"; if ($settings['keepalivetimeout']) @@ -296,7 +452,7 @@ function generate_apache_configuration() { $options.=($server['routeid'] ? " route={$server['routeid']}" : ""); $options.=($server['loadfactor'] ? " loadfactor={$server['loadfactor']}" : ""); - if (isset($server['ping'])){ + if (isset($server['ping']) && $server['ping']!=""){ $options.= " ping={$server['ping']}"; $options.=($server['ttl'] ? " ttl={$server['ttl']}" : ""); } @@ -311,8 +467,50 @@ function generate_apache_configuration() { //write balancer conf file_put_contents(APACHEDIR."/etc/apache22/Includes/balancers.conf",$balancer_config,LOCK_EX); } - + + // configure modsecurity group options + //chroot apache http://forums.freebsd.org/showthread.php?t=6858 + if (is_array($config['installedpackages']['apachemodsecuritygroups'])){ + unset($mods_group); + foreach ($config['installedpackages']['apachemodsecuritygroups']['config'] as $mods_groups){ + //RULES_DIRECTORY + foreach (split(",",$mods_groups['baserules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/base_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['optionalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/optional_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['slrrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/slr_rules/{$baserule}.conf\n"; + } + foreach (split(",",$mods_groups['experimentalrules']) as $baserule){ + $mods_group[$mods_groups['name']].=" Include ".RULES_DIRECTORY ."/experimental_rules/{$baserule}.conf\n"; + } + } + } + //print "<PRE>"; + //var_dump($mods_group); + + //mod_security settings + if (is_array($config['installedpackages']['apachemodsecuritysettings'])){ + $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; + + if ($mods_settings['crs10']=="" && file_exists(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')){ + $config['installedpackages']['apachemodsecuritysettings']['config'][0]['crs10']=base64_encode(file_get_contents(RULES_DIRECTORY .'/modsecurity_crs_10_setup.conf.example')); + write_config("modsecurity - Load crs 10 default setup file."); + } + + $cr10_setup="Include ".RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf\n"; + file_put_contents(RULES_DIRECTORY ."/modsecurity_crs_10_setup.conf",apache_textarea_decode($config['installedpackages']['apachemodsecuritygroups']['config'][0]['crs10']),LOCK_EX); + } + // create location(s) array + if (is_array($config['installedpackages']['apachelocation'])){ + foreach ($config['installedpackages']['apachelocation']['config'] as $location) + $apache_location[$location['name']]=$location; + } //configure virtual hosts + $namevirtualhosts=array(); + $namevirtualhosts[0]=$global_listen; if (is_array($config['installedpackages']['apachevirtualhost'])){ $vh_config= <<<EOF ################################################################################## @@ -332,6 +530,9 @@ EOF; $iface_address = apache_get_real_interface_address($virtualhost['interface']); $ip=$iface_address[0]; $port=($virtualhost['port'] ? $virtualhost['port'] : $default_port[$virtualhost['proto']]); + if (!in_array("{$ip}:{$port}",$namevirtualhosts)) + $namevirtualhosts[]="{$ip}:{$port}"; + $vh_config.="# {$virtualhost['description']}\n"; $vh_config.="<VirtualHost {$ip}:{$port}>\n"; $vh_config.=" ServerName ". preg_replace ("/\r\n(\S+)/","\n ServerAlias $1",base64_decode($virtualhost['primarysitehostname'])) ."\n"; @@ -378,23 +579,30 @@ EOF; $vh_config.= apache_textarea_decode($virtualhost['custom'])."\n\n"; #Check virtualhost locations - foreach ($virtualhost['row'] as $backend){ - $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; - $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; - $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; - if ($backend['compress']== "no") - $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; - if (is_array($config['installedpackages']['apachemodsecuritymanipulation'])){ - foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ - if ($backend['modsecmanipulation'] == $manipulation['name']){ - if (is_array($manipulation['row'])) - foreach ($manipulation['row'] as $secrule) - $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + foreach ($virtualhost['row'] as $be){ + if ($be['location'] != "none"){ + $backend=$apache_location[$be['location']]; + $vh_config.=" <Location ".($backend['sitepath'] ? $backend['sitepath'] : "/").">\n"; + $vh_config.=" ProxyPass balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + $vh_config.=" ProxyPassReverse balancer://{$backend['balancer']}{$backend['backendpath']}\n"; + if ($backend['compress']== "no") + $vh_config.=" SetInputFilter INFLATE\n SetOutputFilter INFLATE\n"; + if ($backend['modsecgroup']!="" && $backend['modsecgroup']!="none" && $mods_settings['enablemodsecurity']=="on"){ + $vh_config.=$mods_group[$backend['modsecgroup']]; + } + if (is_array($config['installedpackages']['apachemodsecuritymanipulation']) && $mods_settings['enablemodsecurity']=="on"){ + foreach($config['installedpackages']['apachemodsecuritymanipulation']['config'] as $manipulation){ + if ($backend['modsecmanipulation'] == $manipulation['name']){ + if (is_array($manipulation['row'])) + foreach ($manipulation['row'] as $secrule) + $vh_config.=" {$secrule['type']} {$secrule['value']}\n"; + } } } - } - $vh_config.=" </Location>\n\n"; + $vh_config.= apache_textarea_decode($backend['custom'])."\n\n"; + $vh_config.=" </Location>\n\n"; } + } $vh_config.="</VirtualHost>\n"; } } @@ -404,7 +612,7 @@ EOF; // check/fix perl version on mod_security util files $perl_files= array("httpd-guardian.pl","rules-updater.pl","runav.pl","arachni2modsec.pl","zap2modsec.pl","regression_tests/rulestest.pl"); foreach ($perl_files as $perl_file){ - $file_path=rules_directory."/util/"; + $file_path=RULES_DIRECTORY."/util/"; if (file_exists($file_path.$perl_file)){ $script=preg_replace("/#!\S+perl/","#!".APACHEDIR."/bin/perl",file_get_contents($file_path.$perl_file)); file_put_contents($file_path.$perl_file,$script,LOCK_EX); @@ -421,12 +629,8 @@ EOF; } } - //mod_security settings - if (is_array($config['installedpackages']['apachemodsecuritysettings']['config'])){ - $mods_settings=$config['installedpackages']['apachemodsecuritysettings']['config'][0]; - if ($mods_settings!="") - $SecGuardianLog="SecGuardianLog \"|".rules_directory."/util/httpd-guardian\""; - } + if ($mods_settings!="") + $SecGuardianLog="SecGuardianLog \"|".RULES_DIRECTORY."/util/httpd-guardian\""; //fix http-guardian.pl block bins //$file_path=APACHEDIR.MODSECURITY_DIR."/util/".$perl_lib; @@ -480,51 +684,44 @@ EOF; // Read already configured addresses if (is_array($settings['row'])){ foreach($settings['row'] as $row) { - if ($row['ipaddress'] && $row['ipport']) + if ($row['interface'] && $row['ipport']) $configuredaliases[] = $row; } } // clear list of bound addresses before updating $config['installedpackages']['apachesettings']['config'][0]['row'] = array(); - // Process proxy sites // Configure NameVirtualHost directives $aliases = ""; - $processed = array(); - if(is_array($config['installedpackages']['apachemodsecurity'])) { - foreach($config['installedpackages']['apachemodsecurity']['config'] as $ams) { - if($ams['ipaddress'] && $ams['port']) - $local_ip_port = "{$ams['ipaddress']}:{$ams['port']}"; - else - $local_ip_port = $global_listen; - // Do not add entries twice. - if(!in_array($local_ip_port, $processed)) { - // explicit bind if not global ip:port - if ($local_ip_port != $global_listen) { - $aliases .= "Listen $local_ip_port\n"; - // Automatically add this to configuration - $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['port']); - } - $mod_proxy .= "NameVirtualHost $local_ip_port\n"; - $processed[] = $local_ip_port; - } + //add NameVirtualHost and listening entries to configured virtualhosts + foreach ($namevirtualhosts as $namevirtualhost){ + // explicit bind if not global ip:port + if ($namevirtualhost != $global_listen) { + $mod_proxy .= "NameVirtualHost {$namevirtualhost}\n"; + $aliases .= "Listen $namevirtualhost\n"; + // Automatically add this to configuration + $aplisten=split(":",$namevirtualhost); + $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $aplisten[0], 'ipport' => $aplisten[1]); } } + // Process Status Page + $mod_status = ""; + if ($settings['statuspage'] == "on") { + if($settings['extendedstatuspage']== "on"){ + $extendedstatus="ExtendedStatus On"; + } + $mod_status .= <<<EOF +{$extendedstatus} +<Location /server-status> + SetHandler server-status + Order Deny,Allow + Deny from all -//** Uncomment to allow adding ip/ports not used by any site proxies -//** Otherwise unused addresses/ports will be automatically deleted from the configuration -// foreach ($configuredaliases as $ams) { -// $local_ip_port = "{$ams['ipaddress']}:{$ams['ipport']}"; -// if(!in_array($local_ip_port, $processed)) { -// // explicit bind if not global ip:port -// if ($local_ip_port != $global_listen) { -// $aliases .= "Listen $local_ip_port\n"; -// // Automatically add this to configuration -// $config['installedpackages']['apachesettings']['config'][0]['row'][] = array('ipaddress' => $ams['ipaddress'], 'ipport' => $ams['ipport']); -// } -// } -// } +EOF; + $mod_status .= "Allow from ".($settings['netaccessstatus'] ? $settings['netaccessstatus'] : "All")."\n"; + $mod_status .= "</Location>\n"; + } // update configuration with actual ip bindings write_config($pkg['addedit_string']); @@ -632,19 +829,20 @@ EOF; $mod_security_custom = $config['installedpackages']['apachesettings']['config'][0]['modsecuritycustom']; // Process and include rules - if(is_dir(rules_directory)) { + if(is_dir(RULES_DIRECTORY)) { $mod_security_rules = ""; - $files = return_dir_as_array(rules_directory); + $files = return_dir_as_array(RULES_DIRECTORY); foreach($files as $file) { - if(file_exists(rules_directory . "/" . $file)) { + if(file_exists(RULES_DIRECTORY . "/" . $file)) { // XXX: TODO integrate snorts rule on / off thingie - $file_txt = file_get_contents(rules_directory . "/" . $file); + $file_txt = file_get_contents(RULES_DIRECTORY . "/" . $file); $mod_security_rules .= $file_txt . "\n"; } } } #include file templates + include ("/usr/local/pkg/apache_mod_security.template"); include ("/usr/local/pkg/apache.template"); file_put_contents(APACHEDIR . "/etc/apache22/httpd.conf",$apache_config,LOCK_EX); diff --git a/config/apache_mod_security-dev/apache_mod_security.template b/config/apache_mod_security-dev/apache_mod_security.template index e5a2c864..d004a9ae 100644 --- a/config/apache_mod_security-dev/apache_mod_security.template +++ b/config/apache_mod_security-dev/apache_mod_security.template @@ -1,8 +1,8 @@ <?php - // Mod_security enabled? - if($modsec_settings['enablemodsecurity']) { - $enable_mod_security = true; - $mod_security = <<< EOF +// Mod_security enabled? +if($mods_settings['enablemodsecurity']=="on") { + $enable_mod_security = true; + $mod_security = <<< EOF # -- Rule engine initialization ---------------------------------------------- # Enable ModSecurity, attaching it to every transaction. Use detection @@ -208,3 +208,5 @@ SecArgumentSeparator & # SecCookieFormat 0 +EOF; +} diff --git a/config/apache_mod_security-dev/apache_mod_security_groups.xml b/config/apache_mod_security-dev/apache_mod_security_groups.xml index 92b41243..4775fb3c 100644 --- a/config/apache_mod_security-dev/apache_mod_security_groups.xml +++ b/config/apache_mod_security-dev/apache_mod_security_groups.xml @@ -73,15 +73,21 @@ <tab_level>2</tab_level> </tab> </tabs> - <adddeleteeditpagefields> + <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Name</fielddescr> <fieldname>name</fieldname> </columnitem> <columnitem> + <fielddescr>Logging</fielddescr> + <fieldname>secauditengine</fieldname> + </columnitem> + <columnitem> <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + </adddeleteeditpagefields> <fields> <field> @@ -94,6 +100,7 @@ <description>Enter group name</description> <type>input</type> <size>25</size> + <required/> </field> <field> <fielddescr>Description</fielddescr> @@ -102,6 +109,7 @@ <type>input</type> <size>45</size> </field> + <field> <fielddescr>Base Rules</fielddescr> <fieldname>baserules</fieldname> @@ -182,30 +190,24 @@ <option><name>log everything, including very detailed debugging information</name><value>9</value></option> </options> </field> - <field> - <name>Custom options</name> + <name>Custom mod_security rules</name> <type>listtopic</type> </field> <field> - <fielddescr>Custom mod_security ErrorDocument</fielddescr> - <fieldname>errordocument</fieldname> - <description></description> - <type>textarea</type> - <rows>10</rows> - <cols>75</cols> - </field> - <field> <fielddescr>Custom mod_security rules</fielddescr> <fieldname>modsecuritycustom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste any custom mod_security rules that you would like to use</description> <type>textarea</type> - <rows>10</rows> - <cols>75</cols> + <encoding>base64</encoding> + <rows>10</rows> + <cols>90</cols> </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml index 54738d83..7477e540 100644 --- a/config/apache_mod_security-dev/apache_mod_security_manipulation.xml +++ b/config/apache_mod_security-dev/apache_mod_security_manipulation.xml @@ -82,6 +82,7 @@ <fielddescr>Description</fielddescr> <fieldname>description</fieldname> </columnitem> + <movable>on</movable> </adddeleteeditpagefields> <fields> <field> @@ -141,4 +142,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_settings.xml b/config/apache_mod_security-dev/apache_mod_security_settings.xml index 985f6bcc..bbc7da4a 100644 --- a/config/apache_mod_security-dev/apache_mod_security_settings.xml +++ b/config/apache_mod_security-dev/apache_mod_security_settings.xml @@ -101,7 +101,6 @@ <fielddescr>Max request per IP</fielddescr> <fieldname>SecReadStateLimit</fieldname> <description> - //274 <![CDATA[This option limits number of POSTS accepted from same IP address and help prevent the effects of a Slowloris-type of attack.<br> More info about this attack can be found here: http://en.wikipedia.org/wiki/Slowloris ]]> @@ -124,6 +123,36 @@ <size>10</size> </field> <field> + <name>mod_security crs 10 setup</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>mod_security crs 10 setup</fielddescr> + <fieldname>crs10</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[<b>modsecurity_crs_10_setup.conf file.</b><br>Leave empty to load setup defaults.]]></description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>15</rows> + <cols>90</cols> + </field> + <field> + <name>Custom mod_security ErrorDocument</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Custom mod_security ErrorDocument</fielddescr> + <fieldname>errordocument</fieldname> + <dontdisplayname/> + <usecolspan2/> + <description>Custom mod_security ErrorDocument.</description> + <type>textarea</type> + <encoding>base64</encoding> + <rows>10</rows> + <cols>90</cols> + </field> + <field> <name>Modsecurity addons</name> <type>listtopic</type> </field> @@ -164,4 +193,4 @@ apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_mod_security_sync.xml b/config/apache_mod_security-dev/apache_mod_security_sync.xml index 0d8d8c8f..7ecfb68e 100755 --- a/config/apache_mod_security-dev/apache_mod_security_sync.xml +++ b/config/apache_mod_security-dev/apache_mod_security_sync.xml @@ -68,8 +68,30 @@ <field> <fielddescr>Automatically sync apache configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>Automatically sync apache changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for Apache + ModSecurity.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>250</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>120 seconds</name><value>120</value></option> + <option><name>250 seconds</name><value>250</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> diff --git a/config/apache_mod_security-dev/apache_mod_security_view_logs.php b/config/apache_mod_security-dev/apache_mod_security_view_logs.php index 1956a217..669c71f4 100755 --- a/config/apache_mod_security-dev/apache_mod_security_view_logs.php +++ b/config/apache_mod_security-dev/apache_mod_security_view_logs.php @@ -68,7 +68,7 @@ include("head.inc"); <?php $tab_array = array(); $tab_array[] = array(gettext("Apache"), false, "/pkg_edit.php?xml=apache_settings.xml&id=0"); - $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); $tab_array[] = array(gettext("Backends"), false, "/pkg.php?xml=apache_mod_security_backends.xml",2); $tab_array[] = array(gettext("VirtualHosts"), false, "/pkg.php?xml=apache_mod_security.xml",2); diff --git a/config/apache_mod_security-dev/apache_settings.xml b/config/apache_mod_security-dev/apache_settings.xml index 20ba59c2..1dd4bc78 100644 --- a/config/apache_mod_security-dev/apache_settings.xml +++ b/config/apache_mod_security-dev/apache_settings.xml @@ -10,7 +10,7 @@ apache_mod_security_settings.xml part of apache_mod_security package (http://www.pfSense.com) Copyright (C) 2008, 2009, 2010 Scott Ullrich - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -68,7 +68,12 @@ <tab_level>2</tab_level> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> </tab> @@ -88,36 +93,35 @@ <fieldname>globalsiteadminemail</fieldname> <description>Enter the site administrators e-mail address</description> <type>input</type> + <size>25</size> </field> <field> <fielddescr>Server hostname</fielddescr> <fieldname>hostname</fieldname> <description> - <![CDATA[Enter the servers hostname<br/ + <![CDATA[Enter the servers hostname<br> NOTE: Leave blank to use this devices hostname.]]> </description> <type>input</type> + <size>25</size> </field> <field> <fielddescr>Default Bind to IP Address</fielddescr> <fieldname>globalbindtoipaddr</fieldname> <description> - <![CDATA[ - This is the IP address the Proxy Server will listen on. - <br/> - NOTE: Leave blank to bind to * - ]]> + <![CDATA[This is the IP address the Proxy Server will listen on.]]> </description> - <type>input</type> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <showips/> </field> <field> <fielddescr>Default Bind to port</fielddescr> <fieldname>globalbindtoport</fieldname> <description> - <![CDATA[ - This is the port the Proxy Server will listen on.<br> - NOTE: Leave blank to bind to 80 - ]]> + <![CDATA[This is the port the Proxy Server will listen on.<br> + NOTE: Leave blank to bind to 80]]> </description> <type>input</type> <size>5</size> @@ -278,9 +282,42 @@ <type>input</type> <size>10</size> </field> + <field> + <name>Status Page</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Status Page</fielddescr> + <fieldname>statuspage</fieldname> + <description> + <![CDATA[Enable a status page for Apache and Mod_proxy. Access http://DefaultBindIP:DefaultBindPort/status-server]]> + </description> + <type>select</type> + <options> + <option><name>Disabled (Default)</name><value>off</value></option> + <option><name>Enabled</name><value>on</value></option> + </options> + </field> + <field> + <fielddescr>Extended Status</fielddescr> + <fieldname>extendedstatuspage</fieldname> + <description> + <![CDATA[Keep track of extended status information for each request]]> + </description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Status Page ACL</fielddescr> + <fieldname>netaccessstatus</fieldname> + <description> + <![CDATA[Networks that can access apache status page. Ex: 172.16.1.0/24<br> + NOTE: Leave blank to allow access from any ip.(Not recommended for security reasons)]]> + </description> + <type>input</type> + </field> </fields> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/apache_view_logs.php b/config/apache_mod_security-dev/apache_view_logs.php index da82baaa..10bb1db6 100644 --- a/config/apache_mod_security-dev/apache_view_logs.php +++ b/config/apache_mod_security-dev/apache_view_logs.php @@ -42,7 +42,7 @@ $pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); if(strstr($pfSversion, "1.2")) $one_two = true; -$pgtitle = "Status: Apache Vhosts Logs"; +$pgtitle = "Status: Apache VirtualHost Logs"; include("head.inc"); ?> @@ -96,7 +96,7 @@ function showLog(content,url,logtype) <?php $tab_array = array(); $tab_array[] = array(gettext("Apache"), true, "/pkg_edit.php?xml=apache_settings.xml&id=0"); - $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_setttings.xml"); + $tab_array[] = array(gettext("ModSecurity"), false, "/pkg_edit.php?xml=apache_mod_security_settings.xml"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=apache_mod_security_sync.xml"); display_top_tabs($tab_array); ?> @@ -106,6 +106,7 @@ function showLog(content,url,logtype) unset ($tab_array); $tab_array[] = array(gettext("Daemon Options"), false, "pkg_edit.php?xml=apache_settings.xml"); $tab_array[] = array(gettext("Backends / Balancers"), false, "/pkg.php?xml=apache_balancer.xml"); + $tab_array[] = array(gettext("Location(s)"), false, "/pkg.php?xml=apache_location.xml"); $tab_array[] = array(gettext("Virtual Hosts"), false, "/pkg.php?xml=apache_virtualhost.xml"); $tab_array[] = array(gettext("Logs"), true, "/apache_view_logs.php"); display_top_tabs($tab_array); @@ -171,8 +172,8 @@ function showLog(content,url,logtype) </tbody> </table> </form> - <div id="bowserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> - <span><span> + <div id="browserinfo" style='padding: 5px; border: 1px dashed #990000; font-weight:bold; font-size: 0.9em; text-align: center; margin: 1px; display:block; height: 12px;'> + <span></span> </div> <!-- Squid Table --> <table width="100%" border="0" cellpadding="0" cellspacing="0"> diff --git a/config/apache_mod_security-dev/apache_virtualhost.xml b/config/apache_mod_security-dev/apache_virtualhost.xml index 2e29a9af..c2c4837b 100644 --- a/config/apache_mod_security-dev/apache_virtualhost.xml +++ b/config/apache_mod_security-dev/apache_virtualhost.xml @@ -4,40 +4,41 @@ <packagegui> <copyright> <![CDATA[ - /* $Id$ */ - /* ========================================================================== */ - /* - apache_virtualhost.xml - part of apache_mod_security package (http://www.pfSense.com) - Copyright (C)2009, 2010 Scott Ullrich - Copyright (C)2012 Marcello Coutinho - All rights reserved. - */ - /* ========================================================================== */ - /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: +/* $Id$ */ +/* ========================================================================== */ +/* + apache_virtualhost.xml + part of apache_mod_security package (http://www.pfSense.com) + Copyright (C)2009, 2010 Scott Ullrich + Copyright (C)2012 Marcello Coutinho + Copyright (C)2013 Stephane Lapie <stephane.lapie@asahinet.com> + All rights reserved. +*/ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code MUST retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form MUST reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ - /* ========================================================================== */ - ]]> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]> </copyright> <name>apachevirtualhost</name> <version>1.0</version> @@ -113,6 +114,16 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/apache_mod_security-dev/apache_view_logs.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/pkg_apache.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/apache_mod_security-dev/apache_location.xml</item> + </additional_files_needed> <tabs> <tab> <text>Apache</text> @@ -138,7 +149,12 @@ <tab_level>2</tab_level> </tab> <tab> - <text>Virutal Hosts</text> + <text>Location(s)</text> + <url>/pkg.php?xml=apache_location.xml</url> + <tab_level>2</tab_level> + </tab> + <tab> + <text>Virtual Hosts</text> <url>/pkg.php?xml=apache_virtualhost.xml</url> <tab_level>2</tab_level> <active/> @@ -150,9 +166,12 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Status</fielddescr> <fieldname>enable</fieldname> + <listmodeon>Enabled</listmodeon> + <listmodeoff>Disabled</listmodeoff> </columnitem> <columnitem> <fielddescr>Iface</fielddescr> @@ -193,17 +212,14 @@ <description>Select protocols that this virtual host will accept connections</description> <type>select</type> <options> - <option><name>HTTP</name><value>http</value></option> - <option><name>HTTPS</name><value>https</value></option> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> </options> </field> <field> <fielddescr>Server Name(s)</fielddescr> <fieldname>primarysitehostname</fieldname> - <description> - <![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/> - Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]> - </description> + <description><![CDATA[Enter hostnames one per line in FQDN format for this website (e.g. www.example.com)<br/>Leave blank and define the IP Address / port above for IP site proxy (i.e. not named site proxy)]]></description> <cols>40</cols> <rows>2</rows> <type>textarea</type> @@ -230,27 +246,21 @@ <fielddescr>Site Webmaster E-Mail address</fielddescr> <fieldname>siteemail</fieldname> <size>50</size> - <description> - <![CDATA[ - Enter the Webmaster E-Mail address for this site. - ]]> - </description> + <description><![CDATA[Enter the Webmaster E-Mail address for this site.]]></description> <type>input</type> </field> <field> <fielddescr>Site description</fielddescr> <fieldname>description</fieldname> <size>50</size> - <description> - <![CDATA[Enter a site description]]> - </description> + <description><![CDATA[Enter a site description]]></description> <type>input</type> </field> <field> <fielddescr>HTTPS SSL certificate</fielddescr> <fieldname>ssl_cert</fieldname> <description>Choose the SSL Server Certificate here.</description> - <type>select_source</type> + <type>select_source</type> <source><![CDATA[$config['cert']]]></source> <source_name>descr</source_name> <source_value>refid</source_value> @@ -271,82 +281,19 @@ <![CDATA[Location(s)]]> </fielddescr> <fieldname>locations</fieldname> - <type>rowhelper</type> - <rowhelper> - <rowhelperfield> - <fielddescr><![CDATA[gzip?]]></fielddescr> - <fieldname>compress</fieldname> - <description>Compress data to save bandwidth?</description> - <type>select</type> - <options> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> - </options> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[site path]]></fielddescr> - <fieldname>sitepath</fieldname> - <description><![CDATA[Site path to publish.<br>leave blank to use /]]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> + <type>rowhelper</type> + <rowhelper> <rowhelperfield> - <fielddescr><![CDATA[Balancer]]></fielddescr> - <fieldname>balancer</fieldname> - <description>Server balancer / pool</description> - <source><![CDATA[$config['installedpackages']['apachebalancer']['config']]]></source> + <fielddescr><![CDATA[Location]]></fielddescr> + <fieldname>Location</fieldname> + <description>Server locatino</description> + <source><![CDATA[$config['installedpackages']['apachelocation']['config']]]></source> <source_name>name</source_name> <source_value>name</source_value> <show_disable_value>none</show_disable_value> <type>select_source</type> - <size>5</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'>LbMethod</a>]]></fielddescr> - <fieldname>lbmethod</fieldname> - <description>Server balance method</description> - <type>select</type> - <options> - <option><name>byrequests</name><value>byrequests</value></option> - <option><name>bytraffic</name><value>bytraffic</value></option> - <option><name>bybusyness</name><value>bybusyness</value></option> - </options> </rowhelperfield> - <rowhelperfield> - <fielddescr>Backend path</fielddescr> - <fieldname>backendpath</fieldname> - <description><![CDATA[Backend redirect path.<br>Leave blank to use /]]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[ModSecurity]]></fielddescr> - <fieldname>modsecgroup</fieldname> - <description>Choose Modsecurity group to use on this virtual host.</description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['apachemodsecuritygroups']['config']]]></source> - <source_name>name</source_name> - <source_value>name</source_value> - <show_disable_value>none</show_disable_value> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[Manipulations]]></fielddescr> - <fieldname>modsecmanipulation</fieldname> - <description>Choose Modsecurity group to use on this virtual host.</description> - <type>select_source</type> - <source><![CDATA[$config['installedpackages']['apachemodsecuritymanipulation']['config']]]></source> - <source_name>name</source_name> - <source_value>name</source_value> - <show_disable_value>none</show_disable_value> - </rowhelperfield> - <rowhelperfield> - <fielddescr><![CDATA[<a href='https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass'> Balancer options</a>]]></fielddescr> - <fieldname>options</fieldname> - <description><![CDATA[Additional proxypass options for this path.<br>ex: ttl=60 stickysession='JSESSIONID']]></description> - <type>input</type> - <size>5</size> - </rowhelperfield> - </rowhelper> + </rowhelper> </field> <field> <name>Logging</name> @@ -355,25 +302,19 @@ <field> <fielddescr>Preserve Proxy hostname</fielddescr> <fieldname>preserveproxyhostname</fieldname> - <description> - <![CDATA[ - When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address. - ]]> - </description> + <description><![CDATA[When enabled, this option will pass the Host: line from the incoming request to the proxied host, instead of the backend IP address.]]></description> <type>checkbox</type> </field> <field> <fielddescr>Log file</fielddescr> <fieldname>logfile</fieldname> - <description> - <![CDATA[Enable access and error log for this virtual host.]]> - </description> + <description><![CDATA[Enable access and error log for this virtual host.]]></description> <type>select</type> - <options> - <option><name>Log to default apache log file</name><value>default</value></option> - <option><name>Create a log file for this site</name><value>create</value></option> - <option><name>Do not not this website</name><value>disabled</value></option> - </options> + <options> + <option><name>Log to default apache log file</name><value>default</value></option> + <option><name>Create a log file for this site</name><value>create</value></option> + <option><name>Do not log this website</name><value>disabled</value></option> + </options> </field> <field> <name>Custom Options</name> @@ -382,21 +323,22 @@ <field> <fielddescr>Custom Options</fielddescr> <fieldname>custom</fieldname> - <description>Paste extra apache config for this virtualhost. This is usefull for rewrite rules for example.</description> + <description>Pass extra Apache config for this VirtualHost. This is useful for Rewrite rules for example.</description> <type>textarea</type> - <cols>65</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> </field> - </fields> <service> <name>apache_mod_security</name> - <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <rcfile>apache_mod_security.sh</rcfile> <executable>httpd</executable> </service> <custom_php_resync_config_command> apache_mod_security_resync(); </custom_php_resync_config_command> <include_file>/usr/local/pkg/apache_mod_security.inc</include_file> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/apache_mod_security-dev/pkg_apache.inc b/config/apache_mod_security-dev/pkg_apache.inc new file mode 100755 index 00000000..97fb2417 --- /dev/null +++ b/config/apache_mod_security-dev/pkg_apache.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['apache'] = array(); +$shortcuts['apache']['main'] = "pkg_edit.php?xml=apache_virtualhost.xml"; +$shortcuts['apache']['log'] = "diag_logs.php"; +$shortcuts['apache']['status'] = "status_services.php"; +$shortcuts['apache']['service'] = "apache_mod_security"; + +?> diff --git a/config/apache_mod_security/apache_mod_security.xml b/config/apache_mod_security/apache_mod_security.xml index ada5a29c..c42ebddf 100644 --- a/config/apache_mod_security/apache_mod_security.xml +++ b/config/apache_mod_security/apache_mod_security.xml @@ -219,8 +219,9 @@ </fields> <service> <name>apache_mod_security</name> - <rcfile>/usr/local/etc/rc.d/apache_mod_security.sh</rcfile> + <rcfile>apache_mod_security.sh</rcfile> <executable>httpd</executable> + <description>HTTP Daemon with mod_security</description> </service> <custom_php_resync_config_command> apache_mod_security_resync(); diff --git a/config/arpwatch.xml b/config/arpwatch.xml index c9434075..bf163ad6 100644 --- a/config/arpwatch.xml +++ b/config/arpwatch.xml @@ -2,65 +2,64 @@ <!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ -/* $Id$ */ -/* ========================================================================== */ + <copyright> + <![CDATA[ +/* ========================================================================== /* - arpwatch.xml - part of pfSense (http://www.pfSense.com) - Copyright (C) 2007 to whom it may belong - All rights reserved. + arpwatch.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2007 to whom it may belong + All rights reserved. - Based on m0n0wall (http://m0n0.ch/wall) - Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. - All rights reserved. - */ -/* ========================================================================== */ + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ /* - Redistribution and use in source and binary forms, with or without - modification, are permitted provided that the following conditions are met: + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. - THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, - INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY - AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE - AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, - OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - ]]> - </copyright> - <description>Describe your package here</description> - <requirements>Describe your package requirements here</requirements> - <faq>Currently there are no FAQ items provided.</faq> + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>ARP Monitoring Daemon</description> + <requirements>None</requirements> + <faq>Currently there are no FAQ items provided.</faq> <name>arpwatch</name> - <version>2.1.a13</version> + <version>2.1.a14 pkg v1.1.1</version> <title>arpwatch: Settings</title> <aftersaveredirect>pkg_edit.php?xml=arpwatch.xml&id=0</aftersaveredirect> <menu> - <name>arpwatch</name> - <tooltiptext>Modify arpwatch settings.</tooltiptext> - <section>Services</section> - <configfile>arpwatch.xml</configfile> - <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> - </menu> + <name>arpwatch</name> + <tooltiptext>Modify arpwatch settings.</tooltiptext> + <section>Services</section> + <configfile>arpwatch.xml</configfile> + <url>/pkg_edit.php?xml=arpwatch.xml&id=0</url> + </menu> <service> - <name>arpwatch</name> - <rcfile>arpwatch.sh</rcfile> - <executable>arpwatch</executable> - </service> + <name>arpwatch</name> + <rcfile>arpwatch.sh</rcfile> + <executable>arpwatch</executable> + </service> <tabs> <tab> <text>Settings</text> @@ -74,10 +73,15 @@ </tabs> <configpath>installedpackages->package->$packagename->configuration->settings</configpath> <additional_files_needed> - <prefix>/usr/local/www/</prefix> - <chmod>a+rx</chmod> - <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> - </additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/arpwatch_reports.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/sbin/</prefix> + <chmod>a+rx</chmod> + <item>http://www.pfsense.com/packages/config/sm.php</item> + </additional_files_needed> <fields> <field> <fielddescr>Listening Interface</fielddescr> @@ -85,21 +89,37 @@ <description>Choose the desired listening interface here.</description> <type>interfaces_selection</type> </field> + <field> + <fielddescr>Enable E-mail Notifications</fielddescr> + <fieldname>enable_email</fieldname> + <type>checkbox</type> + <description>Sends an E-mail notification for each new station and ARP change as they are seen <strong>instead of</strong> local reports.<br/>NOTE: Only works on pfSense 2.1 or later. <br/>NOTE 2: Disables local reports which rely on arpwatch debug mode, which does not work with e-mail notifications.<br/>Configure SMTP and address settings in System > Advanced on the Notifications tab</description> + </field> </fields> <custom_php_global_functions> + <![CDATA[ function sync_package_arpwatch() { global $config; + $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); conf_mount_rw(); config_lock(); $log_file = "/var/log/arp.dat"; if($_POST['interface'] != "") { - $int = $_POST['interface']; + $int = $_POST['interface']; } else { $int = $config['installedpackages']['arpwatch']['config'][0]['interface']; } + $mail = ""; + $debug = ""; + if(($pf_version > 2.0) && (isset($_POST['enable_email']) || ($config['installedpackages']['arpwatch']['config'][0]['enable_email'] == "on"))) { + if (!empty($config['notifications']['smtp']['notifyemailaddress'])) + $mail = " -m {$config['notifications']['smtp']['notifyemailaddress']}"; + } else { + $debug = "-d"; + } $int = convert_friendly_interface_to_real_interface_name($int); $start = "touch {$log_file}\n"; - $start .= "/usr/local/sbin/arpwatch -d -f {$log_file} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; + $start .= "/usr/local/sbin/arpwatch {$debug} -f {$log_file} {$mail} -i {$int} > /var/log/arpwatch.reports 2>&1 &"; $stop = "/usr/bin/killall arpwatch"; write_rcfile(array( "file" => "arpwatch.sh", @@ -111,11 +131,17 @@ conf_mount_ro(); config_unlock(); } + ]]> </custom_php_global_functions> <custom_add_php_command> + <![CDATA[ sync_package_arpwatch(); + ]]> </custom_add_php_command> <custom_php_install_command> + <![CDATA[ unlink_if_exists("/usr/local/etc/rc.d/arpwatch.sh"); - </custom_php_install_command> -</packagegui>
\ No newline at end of file + @link("/usr/sbin/sm.php", "/usr/sbin/sendmail"); + ]]> + </custom_php_install_command> +</packagegui> diff --git a/config/asterisk/asterisk.inc b/config/asterisk/asterisk.inc index b2f93532..07d3d923 100644 --- a/config/asterisk/asterisk.inc +++ b/config/asterisk/asterisk.inc @@ -3,7 +3,8 @@ /* asterisk.inc part of pfSense (http://www.pfSense.com) - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho + Copyright (C) 2012-2013 robi <robreg@zsurob.hu> All rights reserved. */ /* ========================================================================== */ @@ -31,6 +32,13 @@ */ /* ========================================================================== */ +define('ASTERISK_CONF_DIR', '/conf/asterisk'); +//Check pfsense version +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('ASTERISK_LOCALBASE', '/usr/pbi/asterisk-' . php_uname("m")); +else + define('ASTERISK_LOCALBASE','/usr/local'); function asterisk_install() { sync_package_asterisk(); @@ -50,44 +58,370 @@ function sync_package_asterisk() { #mount filesystem writeable conf_mount_rw(); - #fix asterisk options for nanobsd - if ($g['platform'] == "nanobsd"){ - $script='/usr/local/etc/asterisk/logger.conf'; + //for NanoBSD compatibility, move the /etc/asterisk configuration directory to /conf, and symlink it back + $dist_dir=ASTERISK_CONF_DIR ."/dist"; + if (!is_dir($dist_dir)) + mkdir($dist_dir,0755,TRUE); + + if(file_exists (ASTERISK_LOCALBASE."/etc/asterisk") && !is_link(ASTERISK_LOCALBASE."/etc/asterisk")){ + $dist_files= scandir(ASTERISK_LOCALBASE."/etc/asterisk"); + foreach ($dist_files as $dist){ + if (preg_match("/-dist/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", "$dist_dir/$dist"); + elseif (preg_match("/\w+/",$dist)) + rename (ASTERISK_LOCALBASE."/etc/asterisk"."/$dist", ASTERISK_CONF_DIR."/$dist"); + } + rmdir(ASTERISK_LOCALBASE. "/etc/asterisk"); + symlink (ASTERISK_CONF_DIR , ASTERISK_LOCALBASE. "/etc/asterisk"); + } + + //fix asterisk options for nanobsd: logging, db and calls log in /tmp + // if ($g['platform'] == "nanobsd"){ + $script='/conf/asterisk/logger.conf'; if (file_exists($script)){ $script_file=file_get_contents($script); - $pattern[0]='/messages =/'; - $replace[0]='/tmp/log_asterisk ='; + $pattern[0]='@;rotatestrategy@'; + $replace[0]='rotatestrategy = rotate ;by pfSense ;'; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); } - $script='/usr/local/etc/asterisk/asterisk.conf'; + $script='/conf/asterisk/asterisk.conf'; if (file_exists($script)){ + //point to the /var subdirs in the writable area in RAM $script_file=file_get_contents($script); - $pattern[0]='@astdbdir => [a-z,A-Z,/]+@'; - $replace[0]='astdbdir => /tmp'; - $pattern[1]='@astspooldir => [a-z,A-Z,/]+@'; - $replace[1]='astspooldir => /tmp'; + $pattern[0]='/(\Wdirectories\W)\S+/'; + $replace[0]='$1'; + $pattern[1]='/astetcdir => \S+/'; + $replace[1]='astetcdir => /conf/asterisk'; + $pattern[2]='/astdbdir => \S+/'; + $replace[2]='astdbdir => /var/db/asterisk'; + $pattern[3]='/astspooldir => \S+/'; + $replace[3]='astspooldir => /var/spool/asterisk'; + $pattern[4]='/astrundir => \S+/'; + $replace[4]='astrundir => /var/run/asterisk'; + $pattern[5]='/astlogdir => \S+/'; + $replace[5]='astlogdir => /var/log/asterisk'; $script_file=preg_replace($pattern,$replace,$script_file); file_put_contents($script, $script_file, LOCK_EX); } - - } +// } + + //add modules settings, for disabling those not required on pfSense + $script='/conf/asterisk/modules.conf'; + if (file_exists($script)){ + $script_file=file_get_contents($script); + if (strpos($script_file,'pfSense') === false) { //first check if already added... + $add_modules_settings=<<<EOF +;The following modules settings work out of the box on pfSense (note: do not remove this comment line). +;Should you need any disabled module, check for its functionality individually in your environment. +;For more information check asterisk's online documentation. +noload => res_ael_share.so +noload => res_adsi.so +;noload => res_agi.so +noload => res_calendar.so +noload => res_crypto.so +;noload => res_fax.so +noload => res_jabber.so +noload => res_monitor.so +;noload => res_stun_monitor.so +noload => res_smdi.so +noload => res_speech.so +noload => res_odbc.so +noload => res_musiconhold.so +noload => app_celgenuserevent.so +;noload => app_confbridge.so +;noload => app_minivm.so +;noload => app_originate.so +;noload => app_playtones.so +;noload => app_readexten.so +;noload => app_waituntil.so +;noload => bridge_builtin_features.so +;noload => bridge_multiplexed.so +;noload => bridge_simple.so +;noload => bridge_softmix.so +noload => cdr_adaptive_odbc.so +noload => chan_jingle.so +;noload => chan_bridge.so +noload => chan_unistim.so +;noload => codec_g722.so +;noload => format_g719.so +noload => format_sln16.so +noload => format_siren14.so +noload => format_siren7.so +;noload => func_aes.so +;noload => func_audiohookinherit.so +;noload => func_blacklist.so +;noload => func_config.so +;noload => func_devstate.so +;noload => func_dialgroup.so +;noload => func_dialplan.so +;noload => func_extstate.so +;noload => func_iconv.so +;noload => func_lock.so +;noload => func_module.so +;noload => func_shell.so +;noload => func_speex.so +;noload => func_sprintf.so +;noload => func_sysinfo.so +;noload => func_version.so +;noload => res_curl.so +noload => func_vmcount.so +noload => func_volume.so +noload => res_clialiases.so +noload => res_config_curl.so +noload => res_config_ldap.so +noload => res_config_sqlite.so +;noload => res_limit.so +;noload => res_phoneprov.so +noload => res_realtime.so +noload => res_timing_pthread.so +;noload => app_adsiprog.so +;noload => app_alarmreceiver.so +;noload => app_amd.so +;noload => app_authenticate.so +;noload => app_cdr.so +;noload => app_chanisavail.so +;noload => app_channelredirect.so +;noload => app_chanspy.so +;noload => app_controlplayback.so +noload => app_db.so +;noload => app_dial.so +;noload => app_dictate.so +;noload => app_directed_pickup.so +;noload => app_directory.so +;noload => app_disa.so +;noload => app_dumpchan.so +;noload => app_echo.so +;noload => app_exec.so +;noload => app_externalivr.so +;noload => app_festival.so +;noload => app_followme.so +;noload => app_forkcdr.so +;noload => app_getcpeid.so +;noload => app_ices.so +;noload => app_image.so +;noload => app_macro.so +;noload => app_milliwatt.so +;noload => app_mixmonitor.so +;noload => app_mp3.so +;noload => app_morsecode.so +;noload => app_nbscat.so +;noload => app_parkandannounce.so +;noload => app_playback.so +;noload => app_privacy.so +;noload => app_queue.so +;noload => app_read.so +;noload => app_readfile.so +;noload => app_record.so +;noload => app_sayunixtime.so +;noload => app_senddtmf.so +;noload => app_sendtext.so +;noload => app_setcallerid.so +;noload => app_sms.so +;noload => app_softhangup.so +noload => app_speech_utils.so +;noload => app_stack.so +;noload => app_system.so +;noload => app_talkdetect.so +;noload => app_test.so +;noload => app_transfer.so +;noload => app_url.so +;noload => app_userevent.so +;noload => app_verbose.so +;noload => app_voicemail.so +;noload => app_waitforring.so +;noload => app_waitforsilence.so +;noload => app_while.so +;noload => app_zapateller.so +;noload => cdr_csv.so +noload => cdr_custom.so +;noload => cdr_manager.so +noload => cdr_pgsql.so +noload => cdr_radius.so +noload => cdr_sqlite.so +noload => cdr_sqlite3_custom.so +noload => cdr_syslog.so +;noload => cel_custom.so +;noload => cel_manager.so +noload => cel_odbc.so +noload => cel_pgsql.so +noload => cel_radius.so +noload => cel_sqlite3_custom.so +noload => cel_tds.so +;noload => chan_agent.so +noload => chan_dahdi.so +noload => chan_gtalk.so +noload => chan_iax2.so +;noload => chan_local.so +noload => chan_mgcp.so +;noload => chan_multicast_rtp.so +noload => chan_oss.so +;noload => chan_sip.so +noload => chan_skinny.so +;noload => codec_a_mu.so +;noload => codec_adpcm.so +;noload => codec_alaw.so +noload => codec_dahdi.so +;noload => codec_g726.so +;noload => codec_gsm.so +;noload => codec_lpc10.so +;noload => codec_speex.so +;noload => codec_ulaw.so +;noload => format_g723.so +;noload => format_g726.so +;noload => format_g729.so +;noload => format_gsm.so +;noload => format_h263.so +;noload => format_h264.so +;noload => format_ilbc.so +noload => format_jpeg.so +;noload => format_ogg_vorbis.so +;noload => format_pcm.so +;noload => format_sln.so +;noload => format_vox.so +;noload => format_wav.so +;noload => format_wav_gsm.so +;noload => func_base64.so +;noload => func_callcompletion.so +;noload => func_callerid.so +;noload => func_cdr.so +;noload => func_channel.so +;noload => func_curl.so +;noload => func_cut.so +noload => func_db.so +;noload => func_enum.so +;noload => func_env.so +;noload => func_frame_trace.so +;noload => func_global.so +;noload => func_groupcount.so +;noload => func_logic.so +;noload => func_math.so +;noload => func_md5.so +noload => func_odbc.so +;noload => func_pitchshift.so +;noload => func_rand.so +;noload => func_realtime.so +;noload => func_sha1.so +;noload => func_srv.so +;noload => func_strings.so +;noload => func_timeout.so +;noload => func_uri.so +noload => pbx_ael.so +;noload => pbx_config.so +noload => pbx_dundi.so +;noload => pbx_loopback.so +;noload => pbx_realtime.so +;noload => pbx_spool.so +;noload => res_clioriginate.so +noload => res_config_pgsql.so +;noload => res_convert.so +;noload => res_mutestream.so +;noload => res_rtp_asterisk.so +;noload => res_rtp_multicast.so +;noload => res_security_log.so +;noload => res_snmp.so +noload => cdr_odbc.so +noload => cdr_tds.so +noload => chan_h323.so +noload => res_config_odbc.so + +EOF; + $script_file .= $add_modules_settings; + file_put_contents($script, $script_file, LOCK_EX); + } + } + + //replace general SIP settings as a newbie hint to start configuration + $script='/conf/asterisk/sip.conf'; + if (file_exists($script)){ + $script_file=file_get_contents($script); + //strenghten a couple of security settings, and predefine codecs in the default SIP configuration + if (strpos($script_file,'pfSense') === false) { //first check if already added... + $pattern[0]='/;allowguest\S+/'; + $replace[0]='allowguest=no ;by pfSense ;'; + $pattern[1]='/;alwaysauthreject/'; + $replace[1]='alwaysauthreject=yes ;by pfSense ;'; + $pattern[2]='/; jbenable/'; + $replace[2]='jbenable=yes ;by pfSense ;'; + $pattern[3]='/(First disallow all codecs)/'; + $replace[3]="$1\n;The following general settings usually work on pfSense boxes (note: please do not remove this comment line).\ndisallow=all ;by pfSense\nallow=g729\nallow=gsm\nallow=ulaw\nallow=alaw\n\n"; + $script_file=preg_replace($pattern,$replace,$script_file); + file_put_contents($script, $script_file, LOCK_EX); + } + if (strpos($script_file,'demo extension for pfSense') === false) { //first check if already added... + $add_demo_extension = <<<EOF + +[301] +;demo extension for pfSense +type=friend +defaultuser=301 +insecure=port,invite +secret=1234 +regexten=301 +host=dynamic +context=default + +[302] +;demo extension for pfSense +type=friend +defaultuser=302 +insecure=port,invite +secret=1234 +regexten=302 +host=dynamic +context=default + +EOF; + $script_file .= $add_demo_extension; + file_put_contents($script, $script_file, LOCK_EX); + } + } + $script='/usr/local/etc/rc.d/asterisk'; if (file_exists($script)){ $script_file=file_get_contents($script); if (preg_match('/NO/',$script_file)){ $script_file=preg_replace("/NO/","YES",$script_file); - file_put_contents($script, $script_file, LOCK_EX); + $script_file=preg_replace("/core stop now'/","core stop now'\n killall \$name",$script_file); + + //create the /var subdirs for the writable area in RAM + if (strpos($script_file,'pfSense') === false) { //first check if already added... + $writable_area = <<< EOF +# Create paths in pfSense's volatile area if they don't exist (note: please do not remove this comment line) +for a in db spool run log +do +if [ ! -d /var/\$a/asterisk ]; then + mkdir -p /var/\$a/asterisk + chown -R asterisk:asterisk /var/\$a/asterisk + chmod -R g+w /var/\$a/asterisk +fi +done + +if [ ! -d /var/log/asterisk/cdr-csv ]; then + mkdir -p /var/log/asterisk/cdr-csv + chown -R asterisk:asterisk /var/log/asterisk/cdr-csv + chmod -R g+w /var/log/asterisk/cdr-csv +fi + +EOF; + $script_file .= $writable_area; } + file_put_contents($script, $script_file, LOCK_EX); + } chmod ($script,0755); mwexec("$script stop"); mwexec_bg("$script start"); } - #mount filesystem readonly - conf_mount_ro(); + //prepare backup for factory defaults restoring feature + if (!file_exists("/conf.default/asterisk_factory_defaults_config.tgz")) { + system("cd /conf/asterisk/ && tar czf /conf.default/asterisk_factory_defaults_config.tgz *"); + } + + //mount filesystem readonly + conf_mount_ro(); } ?> diff --git a/config/asterisk/asterisk.xml b/config/asterisk/asterisk.xml index a0ce4833..7f9f56bf 100644 --- a/config/asterisk/asterisk.xml +++ b/config/asterisk/asterisk.xml @@ -41,7 +41,7 @@ <requirements>Asterisk 1.8.x</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>asterisk</name> - <version>0.1</version> + <version>0.3.1</version> <title>asterisk</title> <include_file>/usr/local/pkg/asterisk.inc</include_file> <additional_files_needed> @@ -69,6 +69,11 @@ <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/asterisk/asterisk_cmd.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.com/packages/config/asterisk/pkg_asterisk.inc</item> + </additional_files_needed> <menu> <name>Asterisk</name> <tooltiptext>Asterisk</tooltiptext> @@ -100,4 +105,4 @@ <custom_php_resync_config_command> sync_package_asterisk(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/asterisk/asterisk_calls.php b/config/asterisk/asterisk_calls.php index 77131d8d..75f24b2f 100644 --- a/config/asterisk/asterisk_calls.php +++ b/config/asterisk/asterisk_calls.php @@ -4,12 +4,11 @@ status_asterisk_calls.php part of pfSense Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>. - Copyright (C) 2012 robreg@zsurob.hu + Copyright (C) 2013 robi <robreg@zsurob.hu> All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2005 Manuel Kasper <mk@neon1.net>. - Copyright (C) 2012 robreg@zsurob.hu All rights reserved. Redistribution and use in source and binary forms, with or without @@ -41,12 +40,13 @@ ##|*IDENT=page-status-asterisk ##|*NAME=Status: Asterisk Calls page ##|*DESCR=Allow access to the 'Status: Asterisk Calls' page. -##|*MATCH=status_asterisk_calls.php* +##|*MATCH=asterisk_calls.php* ##|-PRIV require_once("guiconfig.inc"); $pgtitle = array(gettext("Status"),gettext("Asterisk Calls")); +$shortcut_section = "asterisk"; include("head.inc"); /* Path to call log database */ @@ -54,7 +54,6 @@ $callog = "/var/log/asterisk/cdr-csv/Master.csv"; /* Data input processing */ $cmd = $_GET['cmd']; -//$cmd = str_replace("+", " ", $cmd); $file = $_SERVER["SCRIPT_NAME"]; $break = Explode('/', $file); @@ -63,17 +62,19 @@ $pfile = $break[count($break) - 1]; if (file_exists($callog)) switch ($cmd){ case "trim": - $trimres=shell_exec("tail -50 '$callog' > /tmp/trimmed.csv; rm '$callog'; mv /tmp/trimmed.csv '$callog'; chmod 666 '$callog'"); + $trimres=shell_exec("tail -50 '$callog' > /tmp/trimmed_asterisk.csv && rm '$callog' && mv /tmp/trimmed_asterisk.csv '$callog' && chown asterisk:asterisk '$callog' && chmod g+w '$callog'"); + header( 'Location: asterisk_calls.php?savemsg=Calls+log+trimmed.') ; break; case "clear": - $trimres=shell_exec("rm '$callog'; touch '$callog'; chmod 666 '$callog'"); + $trimres=shell_exec("rm '$callog' && touch '$callog' && chown asterisk:asterisk '$callog' && chmod g+w '$callog'"); + header( 'Location: asterisk_calls.php?savemsg=Calls+log+cleared.') ; break; case "download": // session_cache_limiter('none'); //*Use before session_start() // session_start(); - + header('Content-Description: File Transfer'); header('Content-Type: application/octet-stream'); header('Content-Disposition: attachment; filename='.basename($callog)); @@ -93,6 +94,12 @@ if (file_exists($callog)) <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> + <?php + $savemsg = $_GET["savemsg"]; + if ($savemsg) { + print_info_box($savemsg); + } + ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> @@ -110,23 +117,21 @@ if (file_exists($callog)) <td> <div id="mainarea"> <?php - //$trimres=shell_exec("tail -50 '$callog' > /tmp/trimmed.csv; rm '$callog'; mv /tmp/trimmed.csv '$callog'"); - //print $trimres . "Last 50 calls: <br>"; if (file_exists($callog)) $file_handle = fopen($callog, "r"); ?> - <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> - <tr> - <td colspan="6" class="listtopic">Last 50 Asterisk calls</td> - </tr> - <tr> - <td nowrap class="listhdrr"><?=gettext("From");?></td> - <td nowrap class="listhdrr"><?=gettext("To");?></a></td> - <td nowrap class="listhdrr"><?=gettext("Start");?></td> - <td nowrap class="listhdrr"><?=gettext("End");?></a></td> - <td nowrap class="listhdrr"><?=gettext("Duration");?></a></td> - <td nowrap class="listhdrr"><?=gettext("Status");?></td> - </tr> + <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <tr> + <td colspan="6" class="listtopic">Last 50 Asterisk calls</td> + </tr> + <tr> + <td nowrap class="listhdrr"><?=gettext("From");?></td> + <td nowrap class="listhdrr"><?=gettext("To");?></a></td> + <td nowrap class="listhdrr"><?=gettext("Start");?></td> + <td nowrap class="listhdrr"><?=gettext("End");?></a></td> + <td nowrap class="listhdrr"><?=gettext("Duration");?></a></td> + <td nowrap class="listhdrr"><?=gettext("Status");?></td> + </tr> <?php $out = ''; if (file_exists($callog)){ @@ -134,7 +139,7 @@ if (file_exists($callog)) $lin = fgetcsv($file_handle, 102400); if ($lin[12] != "") { $out = "<tr>" . $out; - $out = "<td class='listlr'>" . str_replace('"', '', $lin[4]) . "</td><td class='listlr'>" . $lin[2] . "</td><td class='listlr'>" . $lin[9] . "</td><td class='listlr'>" . $lin[11] . "</td><td class='listlr'>" . gmdate("G:i:s", $lin[12]) . "</td><td class='listlr'>" . $lin[14] . "</td>" . $out; + $out = "<td class='listlr'>" . utf8_decode(str_replace('"', '', $lin[4])) . "</td><td class='listlr'>" . $lin[2] . "</td><td class='listlr'>" . $lin[9] . "</td><td class='listlr'>" . $lin[11] . "</td><td class='listlr'>" . gmdate("G:i:s", $lin[12]) . "</td><td class='listlr'>" . $lin[14] . "</td>" . $out; $out = "</tr>" . $out; } } @@ -160,6 +165,13 @@ if (file_exists($callog)) <?=gettext("Listed in reverse order (latest on top).");?> <br> <?=gettext("Duration includes ringing time.");?> <br> <?=gettext("Trim keeps the last 50 entries.");?> + +<? +if ($g['platform'] == "nanobsd") + echo "<br>This log may be lost when rebooting the system."; +?> + + </span> diff --git a/config/asterisk/asterisk_cmd.php b/config/asterisk/asterisk_cmd.php index 504c3cd1..da684cde 100644 --- a/config/asterisk/asterisk_cmd.php +++ b/config/asterisk/asterisk_cmd.php @@ -4,7 +4,7 @@ status_asterisk.php part of pfSense Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>. - Copyright (C) 2012 robreg@zsurob.hu + Copyright (C) 2013 robi <robreg@zsurob.hu> All rights reserved. originally part of m0n0wall (http://m0n0.ch/wall) @@ -40,12 +40,13 @@ ##|*IDENT=page-status-asterisk ##|*NAME=Status: Asterisk page ##|*DESCR=Allow access to the 'Status: Asterisk' page. -##|*MATCH=status_asterisk.php* +##|*MATCH=sasterisk_cmd.php* ##|-PRIV require_once("guiconfig.inc"); $pgtitle = array(gettext("Status"),gettext("Asterisk")); +$shortcut_section = "asterisk"; include("head.inc"); ?> @@ -86,19 +87,26 @@ $pfile = $break[count($break) - 1]; <table class="tabcont sortable" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td class="listtopic"> + <table><tr> <?php /* Print command buttons */ - echo "<a href='$pfile?cmd=sip+show+registry'><input type='button' name='command' value='SIP Registry' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=sip+show+peers'><input type='button' name='command' value='SIP Peers' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=sip+show+channels'><input type='button' name='command' value='SIP Channels' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=core+show+channels'><input type='button' name='command' value='Channels' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=core+show+codecs+audio'><input type='button' name='command' value='Codecs' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=core+show+translation+recalc+10'><input type='button' name='command' value='Translation' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=sip+show+settings'><input type='button' name='command' value='SIP Settings' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=sip+reload'><input type='button' name='command' value='!Reload SIP' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=core+reload'><input type='button' name='command' value='!Reload Core' class='formbtns'></a>"; - echo "<a href='$pfile?cmd=core+show+uptime'><input type='button' name='command' value='Uptime' class='formbtns'></a>"; + echo "<td align='center'><a href='$pfile?cmd=sip+show+registry'><input type='button' name='command' value='SIP Registry' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=sip+show+peers'><input type='button' name='command' value='SIP Peers' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=sip+show+channels'><input type='button' name='command' value='SIP Channels' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=core+show+channels'><input type='button' name='command' value='Channels' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=core+show+codecs+audio'><input type='button' name='command' value='Codecs' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=core+show+translation+recalc+10'><input type='button' name='command' value='Translation' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=sip+show+settings'><input type='button' name='command' value='SIP Settings' class='formbtns' style='width: 100px'></a></td>"; + echo "</tr><tr>"; + //echo "<td></td>"; + echo "<td align='center'><a href='$pfile?cmd=sip+reload'><input type='button' name='command' value='Reload SIP' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=dialplan+reload'><input type='button' name='command' value='Reload Extensions' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=core+reload'><input type='button' name='command' value='Reload Core' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=core+show+uptime'><input type='button' name='command' value='Uptime' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='center'><a href='$pfile?cmd=core+restart+now'><input type='button' name='command' value='Restart Asterisk' class='formbtns' style='width: 100px'></a></td>"; + echo "<td align='right' colspan='2'><form name='input' action='$pfile' method='get'><input type='text' name='cmd' style='width: 145px'><input type='submit' value='SEND' class='formbtns' style='width: 50px'></form> </td>"; ?> + </tr></table> </td> </tr> <tr valign="top"> @@ -117,4 +125,4 @@ $pfile = $break[count($break) - 1]; </td> </tr> </table> -<?php include("fend.inc"); ?>
\ No newline at end of file +<?php include("fend.inc"); ?> diff --git a/config/asterisk/asterisk_edit_file.php b/config/asterisk/asterisk_edit_file.php index 50d00279..1c992d26 100644 --- a/config/asterisk/asterisk_edit_file.php +++ b/config/asterisk/asterisk_edit_file.php @@ -2,7 +2,7 @@ /* edit.php Copyright (C) 2004, 2005 Scott Ullrich - Copyright (C) 2012 robreg@zsurob.hu + Copyright (C) 2013 robi <robreg@zsurob.hu> All rights reserved. Redistribution and use in source and binary forms, with or without @@ -34,12 +34,99 @@ ##|*IDENT=page-status-asterisk ##|*NAME=Status: Asterisk config editor page ##|*DESCR=Allow access to the 'Status: Asterisk configuration files' page. -##|*MATCH=status_asterisk_edit.php* +##|*MATCH=asterisk_edit_file.php* ##|-PRIV $pgtitle = array(gettext("Status"),gettext("Asterisk configuration files")); require("guiconfig.inc"); + +$backup_dir = "/conf"; +$backup_filename = "asterisk_config.bak.tgz"; +$backup_path = "{$backup_dir}/{$backup_filename}"; +$files_dir = "/conf/asterisk"; +$host = "{$config['system']['hostname']}.{$config['system']['domain']}"; +$downname = "asterisk-config-{$host}-".date("YmdHis").".bak.tgz"; //put the date in the filename + +if (($_GET['a'] == "download") && $_GET['t'] == "backup") { + conf_mount_rw(); +// system("cd {$files_dir} && tar czf {$backup_path} *"); + system("cd {$files_dir} && tar czf {$backup_path} --exclude 'dist/*' --exclude dist *"); + conf_mount_ro(); +} + +if (($_GET['a'] == "download") && file_exists("{$backup_path}")) { + session_cache_limiter('public'); + $fd = fopen("{$backup_path}", "rb"); + header("Content-Type: application/force-download"); + header("Content-Type: application/octet-stream"); + header("Content-Type: application/download"); + header("Content-Description: File Transfer"); + header("Content-Disposition: attachment; filename=\"{$downname}\""); + header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 + header("Expires: Sat, 26 Jul 1997 05:00:00 GMT"); // Date in the past + header("Content-Length: " . filesize("{$backup_path}")); + fpassthru($fd); + exit; +} + +if ($_GET['a'] == "other") { + if ($_GET['t'] == "restore") { + //extract files to $files_dir (/conf/asterisk) + if (file_exists($backup_path)) { + //echo "The file $filename exists"; + conf_mount_rw(); + exec("tar -xzC {$files_dir} -f {$backup_path} 2>&1", $sysretval); + $savemsg = "Backup has been restored, please restart Asterisk now " . $sysretval[1]; + system("chmod -R 644 {$files_dir}/*"); + header( 'Location: asterisk_edit_file.php?savemsg=' . $savemsg ) ; + conf_mount_ro(); + } else { + header( 'Location: asterisk_edit_file.php?savemsg=Restore+failed.+Backup+file+not+found.' ) ; + } + exit; + } + if ($_GET['t'] == "factrest") { + //extract files to $files_dir (/conf/asterisk) + if (file_exists('/conf.default/asterisk_factory_defaults_config.tgz')) { + //echo "The file $filename exists"; + conf_mount_rw(); + exec("tar -xzC {$files_dir} -f /conf.default/asterisk_factory_defaults_config.tgz 2>&1", $sysretval); + $savemsg = "Factory configuration restored, please restart Asterisk now " . $sysretval[1]; + system("chmod -R 644 {$files_dir}/*"); + header( 'Location: asterisk_edit_file.php?savemsg=' . $savemsg ) ; + conf_mount_ro(); + } + exit; + } + if ($_GET['t'] == "deldist") { + //delete dist directory from $files_dir/dist (/conf/asterisk/dist) + if (file_exists($files_dir . "/dist")) { + conf_mount_rw(); + exec("rm -r {$files_dir}/dist 2>&1", $sysretval); + $savemsg = "Deleted dist files " . $sysretval[1]; + header( 'Location: asterisk_edit_file.php?savemsg=' . $savemsg ) ; + conf_mount_ro(); + } + exit; + } +} + +if (($_POST['submit'] == "Upload") && is_uploaded_file($_FILES['ulfile']['tmp_name'])) { + $upfilnam = $_FILES['ulfile']['name']; + $upfiltim = strtotime(str_replace(".bak.tgz","",end(explode("-",$upfilnam)))); + conf_mount_rw(); + move_uploaded_file($_FILES['ulfile']['tmp_name'], "{$backup_path}"); + $savemsg = "Uploaded ". htmlentities($_FILES['ulfile']['name']) . " file as " . $backup_path . "." ; + system('chmod -R 644 {$backup_path}'); + if ($upfiltim) { //take the date from the filename and update modified time accordingly + touch($backup_path, $upfiltim); + } + unset($_POST['txtCommand']); + conf_mount_ro(); + header( 'Location: asterisk_edit_file.php?savemsg=' . $savemsg ) ; +} + if($_REQUEST['action']) { switch($_REQUEST['action']) { case 'load': @@ -83,7 +170,7 @@ if($_REQUEST['action']) { } exit; } - +$shortcut_section = "asterisk"; require("head.inc"); outputJavaScriptFileInline("filebrowser/browser.js"); outputJavaScriptFileInline("javascript/base64.js"); @@ -93,6 +180,13 @@ outputJavaScriptFileInline("javascript/base64.js"); <body link="#000000" vlink="#000000" alink="#000000"> <?php include("fbegin.inc"); ?> +<?php +$savemsg = $_GET["savemsg"]; +if ($savemsg) { + print_info_box($savemsg); +} +?> + <script type="text/javascript"> function loadFile() { $("fileStatus").innerHTML = "<?=gettext("Loading file"); ?> ..."; @@ -151,6 +245,26 @@ outputJavaScriptFileInline("javascript/base64.js"); } ); } + + + + function ckrest() { + if(document.getElementById('ckrest').checked==true) { + document.getElementById('restfactdef').disabled=false; + } else { + document.getElementById('restfactdef').disabled=true; + } + } + + function ckdist() { + if(document.getElementById('ckdist').checked==true) { + document.getElementById('deldistdire').disabled=false; + } else { + document.getElementById('deldistdire').disabled=true; + } + } + + </script> <table width="100%" border="0" cellpadding="0" cellspacing="0"> @@ -170,13 +284,50 @@ outputJavaScriptFileInline("javascript/base64.js"); <td> <div id="mainarea"> - <!-- file status box --> - <div style="display:none; background:#eeeeee;" id="fileStatusBox"> + <!-- backup options --> + <div style="background:#eeeeee;"> <div class="vexpl" style="padding-left:15px;"> - <strong id="fileStatus"></strong> + <br /> + <table width='98%' cellpadding='0' cellspacing='0' border='0'> + <tr> + <td width='80%'> + <b>Backup / Restore</b> + The 'Backup' button will tar gzip asterisk configuration files to <? echo $backup_path; ?> it then offers it to download.<br> + The 'Restore' button will be visible only if the <? echo $backup_path; ?> backup file exists.<br> + You can upload a backup file to the system, if one already exists at <? echo $backup_path; ?>, it will be overwritten. + <br /> + </td> + <td width='20%' valign='middle' align='right'> + <?php + echo " <input type='button' value='Backup' onclick=\"document.location.href='asterisk_edit_file.php?a=download&t=backup';\" />\n"; + if (file_exists($backup_path)) { + echo " <input type='button' value='Restore' onclick=\"document.location.href='asterisk_edit_file.php?a=other&t=restore';\" />\n"; + } + ?> + </td> + </tr></table><br> + <table width='98%' cellpadding='0' cellspacing='0' border='0'> + <tr> + <td width='20%' valign='middle' align='left'> + <?php + if (file_exists($backup_path)) { + echo $backup_filename . " date:<br>" . date ("Y F d H:i:s.", filemtime($backup_path)); + } + ?> + </td> + <td width='80%' valign='middle' align='right'> + <form action="asterisk_edit_file.php" method="POST" enctype="multipart/form-data" name="frmUpload" onSubmit=""> + Upload backup file: + <input name="ulfile" type="file" class="button" id="ulfile"> + <input name="submit" type="submit" class="button" id="upload" value="Upload"> + </form> + </td> + </tr> + </table><br /> </div> </div> - + + <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> @@ -186,8 +337,8 @@ outputJavaScriptFileInline("javascript/base64.js"); <table width="100%" cellpadding="9" cellspacing="9"> <tr> <td align="center" class="list"> - <?=gettext("Save / Load from path"); ?>: - <input type="text" class="formfld file" id="fbTarget" value="<?=gettext('/usr/local/etc/asterisk');?>" size="45" /> + <?=gettext("Configuration files stored in"); ?>: + <input type="text" class="formfld file" id="fbTarget" value="<?=gettext($files_dir);?>" size="45" /> <input type="button" class="formbtn" id="fbOpen" value="<?=gettext('Browse');?>" /> <!-- <input type="button" class="formbtn" onclick="loadFile();" value="<?=gettext('Load');?>" /> --> <input type="button" class="formbtn" onclick="saveFile();" value="<?=gettext('Save');?>" /> @@ -196,6 +347,16 @@ outputJavaScriptFileInline("javascript/base64.js"); </tr> </table> + + + <!-- file status box --> + <div style="display:none; background:#eeeeee;" id="fileStatusBox"> + <div class="vexpl" style="padding-left:15px;"> + <strong id="fileStatus"></strong> + </div> + </div> + + <!-- filebrowser --> <div id="fbBrowser" style="display:none; border:1px dashed gray; width:98%;"></div> @@ -236,11 +397,54 @@ outputJavaScriptFileInline("javascript/base64.js"); <?php endif; ?> </script> + + <div style="background:#eeeeee;"> + <div class="vexpl" style="padding-left:15px;"> + <table width='98%' cellpadding='0' cellspacing='0' border='0'> + <tr> + <td width='80%' valign='middle' align='right'><br /> + <?php + if (file_exists($files_dir . "/dist")) { + echo "<input name='ckdist' id='ckdist' type='checkbox' onclick='return ckdist();' style='vertical-align:-3px;'>enable <input type='button' value='Delete dist files' name='deldistdire' id='deldistdire' disabled='disabled' onclick=\"document.location.href='asterisk_edit_file.php?a=other&t=deldist';\" /> \n"; + } + if (file_exists("/conf.default/asterisk_factory_defaults_config.tgz")) { + echo "<input name='ckrest' id='ckrest' type='checkbox' onclick='return ckrest();' style='vertical-align:-3px;'>enable <input type='button' value='Restore to factory defaults' name='restfactdef' id='restfactdef' disabled='disabled' onclick=\"document.location.href='asterisk_edit_file.php?a=other&t=factrest';\" />\n"; + } + ?> + <br /></td> + </tr> + </table><br /> + </div> + </div> + + </div> </td> </tr> </table> +<p/> + +<span class="vexpl"> + <span class="red"> + <strong><?=gettext("Note:");?><br /></strong> + </span> + <?=gettext("Please back up your Asterisk configuration regularly.");?><br> + <?=gettext("It's worth to preserve the automatically generated filename of the downloaded backup file. It contains the backup creation date, which is used when uploading it back to the system.");?> + <?php + $sipconf=$files_dir . "/sip.conf"; + if (file_exists($sipconf)){ + $sipconf_file=file_get_contents($sipconf); + if (strpos($sipconf_file,"demo extension for pfSense") !== false) { + ?><br /> + <?=gettext("This Asterisk configuration on pfSense contains two demo SIP accounts, 301 and 302 with password 1234, for you to test functionality. Check sip.conf for more details. These accounts can be safely removed at any time.");?> + <?php + } + } + ?> + +</span> + <?php include("fend.inc"); ?> </body> </html> diff --git a/config/asterisk/asterisk_log.php b/config/asterisk/asterisk_log.php index 7d1328ed..f4a752d2 100644 --- a/config/asterisk/asterisk_log.php +++ b/config/asterisk/asterisk_log.php @@ -4,7 +4,7 @@ status_asterisk_log.php part of pfSense Copyright (C) 2009 Scott Ullrich <sullrich@gmail.com>. - Copyright (C) 2012 robreg@zsurob.hu + Copyright (C) 2012 robi <robreg@zsurob.hu> Copyright (C) 2012 Marcello Coutinho All rights reserved. @@ -41,19 +41,20 @@ ##|*IDENT=page-status-asterisk ##|*NAME=Status: Asterisk Calls page ##|*DESCR=Allow access to the 'Status: Asterisk Log' page. -##|*MATCH=status_asterisk_log.php* +##|*MATCH=asterisk_log.php* ##|-PRIV require_once("guiconfig.inc"); $pgtitle = array(gettext("Status"),gettext("Asterisk Log")); +$shortcut_section = "asterisk"; include("head.inc"); /* Path to Asterisk log file */ -if ($g['platform'] == "nanobsd") - $log = "/tmp/log_asterisk"; -else - $log = "/var/log/asterisk/messages"; +//if ($g['platform'] == "nanobsd") +// $log = "/tmp/asterisk.log"; +//else +$log = "/var/log/asterisk/messages"; ?> @@ -66,18 +67,27 @@ $file = $_SERVER["SCRIPT_NAME"]; $break = Explode('/', $file); $pfile = $break[count($break) - 1]; -if ($cmd == "trim") { - $trimres=shell_exec("tail -50 '$log' > /tmp/trimmed.csv; rm '$log'; mv /tmp/trimmed.csv '$log'; chmod 666 '$log'"); -} -if ($cmd == "clear") { - $trimres=shell_exec("rm '$log'; touch '$log'; chmod 666 '$log'"); +if (file_exists($log)) { + if ($cmd == "trim") { + $trimres=shell_exec("tail -50 '$log' > /tmp/trimmed_asterisk.log && rm '$log' && mv /tmp/trimmed_asterisk.log '$log' && chown asterisk:asterisk '$log' && chmod g+w '$log'"); + header( 'Location: asterisk_log.php?savemsg=Log+trimmed.') ; + } + if ($cmd == "clear") { + $trimres=shell_exec("rm '$log' && touch '$log' && chown asterisk:asterisk '$log' && chmod g+w '$log'"); + header( 'Location: asterisk_log.php?savemsg=Log+cleared.') ; + } } - ?> <body link="#0000CC" vlink="#0000CC" alink="#0000CC"> <?php include("fbegin.inc"); ?> + <?php + $savemsg = $_GET["savemsg"]; + if ($savemsg) { + print_info_box($savemsg); + } + ?> <table width="100%" border="0" cellpadding="0" cellspacing="0"> <tr> <td> @@ -98,9 +108,9 @@ if ($cmd == "clear") { <tr> <td colspan="2" class="listtopic">Last 50 Asterisk log entries</td> </tr> - + <tr valign="top"><td class="listlr" nowrap> - + <?php $showlog_command=shell_exec("tail -50 '$log'"); echo nl2br($showlog_command); @@ -123,6 +133,12 @@ if ($cmd == "clear") { <strong><?=gettext("Note:");?><br /></strong> </span> <?=gettext("Trim keeps the last 50 lines of the log.");?> +<? +if ($g['platform'] == "nanobsd") + echo "<br>This log may be lost when rebooting the system."; +?> + + </span> <?php include("fend.inc"); ?> diff --git a/config/asterisk/pkg_asterisk.inc b/config/asterisk/pkg_asterisk.inc new file mode 100644 index 00000000..129313c4 --- /dev/null +++ b/config/asterisk/pkg_asterisk.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['asterisk'] = array(); +$shortcuts['asterisk']['main'] = "asterisk_cmd.php"; +$shortcuts['asterisk']['log'] = "asterisk_log.php"; +$shortcuts['asterisk']['status'] = "asterisk_cmd.php"; +$shortcuts['asterisk']['service'] = "asterisk"; + +?>
\ No newline at end of file diff --git a/config/avahi/avahi.xml b/config/avahi/avahi.xml index 46f1293b..ef4fd961 100644 --- a/config/avahi/avahi.xml +++ b/config/avahi/avahi.xml @@ -47,6 +47,7 @@ <name>avahi</name> <rcfile>avahi-daemon.sh</rcfile> <executable>avahi-daemon</executable> + <description>Avahi zeroconf/mDNS daemon</description> </service> <fields> <field> diff --git a/config/bandwidthd/bandwidthd.inc b/config/bandwidthd/bandwidthd.inc index 829cdf59..1220e033 100644 --- a/config/bandwidthd/bandwidthd.inc +++ b/config/bandwidthd/bandwidthd.inc @@ -66,39 +66,60 @@ function bandwidthd_install_config() { /* user defined values */ $bandwidthd_config = $config['installedpackages']['bandwidthd']['config'][0]; $meta_refresh = $bandwidthd_config['meta_refresh']; - if($meta_refresh) + if ($meta_refresh) $meta_refresh = "meta_refresh $meta_refresh\n"; $graph = $bandwidthd_config['drawgraphs']; - if($graph) + if ($graph) $graph = "graph true\n"; else $graph = "graph false\n"; $filter_text = $bandwidthd_config['filter']; - if($filter_text) + if ($filter_text) $filter_text = "filter $filter_text\n"; $recover_cdf = $bandwidthd_config['recovercdf']; - if($recover_cdf) + if ($recover_cdf) $recover_cdf = "recover_cdf true\n"; $output_cdf = $bandwidthd_config['outputcdf']; - if($output_cdf) + if ($output_cdf) $output_cdf_string = "output_cdf true\n"; else $output_cdf_string = ""; + + $output_postgresql = $bandwidthd_config['outputpostgresql']; + $postgresql_host = $bandwidthd_config['postgresqlhost']; + $postgresql_database = $bandwidthd_config['postgresqldatabase']; + $postgresql_username = $bandwidthd_config['postgresqlusername']; + $postgresql_password = $bandwidthd_config['postgresqlpassword']; + $postgresql_string = ""; + if ($output_postgresql) { + if ($postgresql_host && $postgresql_username && $postgresql_database && $postgresql_password) + $postgresql_string = "pgsql_connect_string \"user = $postgresql_username dbname = $postgresql_database password = $postgresql_password host = $postgresql_host\"\n"; + else + log_error("You have to specify the postgreSQL Host, Database, Username and Password. Exiting."); + } + + $sensor_id = $bandwidthd_config['sensorid']; + + if ($sensor_id) + $sensor_id_string = "sensor_id \"$sensor_id\""; + else + $sensor_id_string = ""; + $promiscuous = $bandwidthd_config['promiscuous']; - if($promiscuous) + if ($promiscuous) $promiscuous = "promiscuous true\n"; else $promiscuous = "promiscuous false\n"; $graph_cutoff = $bandwidthd_config['graphcutoff']; - if($graph_cutoff) + if ($graph_cutoff) $graph_cutoff = "graph_cutoff $graph_cutoff\n"; $skip_intervals = $bandwidthd_config['skipintervals']; - if($skip_intervals) + if ($skip_intervals) $skip_intervals = "skip_intervals $skip_intervals\n"; - if($bandwidthd_config['active_interface']){ + if ($bandwidthd_config['active_interface']){ $ifdescrs = array($bandwidthd_config['active_interface']); } else { log_error("You should specify an interface for bandwidthd to listen on. Exiting."); @@ -112,25 +133,34 @@ function bandwidthd_install_config() { //for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { //$ifdescrs['opt' . $j] = "opt" . $j; //} - if(is_array($ifdescrs)) { - foreach($ifdescrs as $int) { + if (is_array($ifdescrs)) { + foreach ($ifdescrs as $int) { /* calculate interface subnet information */ $ifcfg = $config['interfaces'][$int]; $subnet = gen_subnet($ifcfg['ipaddr'], $ifcfg['subnet']); $subnetmask = gen_subnet_mask($ifcfg['subnet']); - if($subnet == "pppoe") { + $subnet_with_mask = ""; + if ($subnet == "pppoe") { $subnet = find_interface_ip("ng0"); - if($subnet) - $subnets .= "subnet {$subnet}/32\n"; + if ($subnet) { + $subnet_with_mask = $subnet . "/32"; + } } else { - if($subnet) - $subnets .= "subnet {$subnet}/{$ifcfg['subnet']}\n"; + if ($subnet) { + $subnet_with_mask = $subnet . "/" . $ifcfg['subnet']; + } + } + if (!empty($subnet_with_mask)) { + /* Only add the subnet if the user has not specified it in the custom subnets. */ + /* This avoids generating an unnecessary syntax error message from the config. */ + if (!in_array($subnet_with_mask, $subnets_custom)) + $subnets .= "subnet {$subnet_with_mask}\n"; } } } - if(is_array($subnets_custom)) { - foreach($subnets_custom as $sub) { + if (is_array($subnets_custom)) { + foreach ($subnets_custom as $sub) { if (!empty($sub) && is_subnet($sub)) $subnets .= "subnet {$sub}\n"; } @@ -138,8 +168,8 @@ function bandwidthd_install_config() { /* initialize to "" */ $dev = ""; - if(is_array($ifdescrs)) { - foreach($ifdescrs as $ifdescr) { + if (is_array($ifdescrs)) { + foreach ($ifdescrs as $ifdescr) { $descr = convert_friendly_interface_to_real_interface_name($ifdescr); $dev .= "dev \"$descr\"\n"; } @@ -176,7 +206,7 @@ $dev # intervals to skip before doing a graphing run $skip_intervals -# Graph cutoff is how many k must be transfered by an +# Graph cutoff is how many k must be transferred by an # ip before we bother to graph it $graph_cutoff @@ -190,11 +220,19 @@ $output_cdf_string #Read back the cdf file on startup $recover_cdf +# Standard postgres connect string, just like php, see postgres docs for +# details +$postgresql_string + +# Arbitrary sensor name, I recommend the sensors fully qualified domain +# name +$sensor_id_string + #Libpcap format filter string used to control what bandwidthd sees #Please always include "ip" in the string to avoid strange problems $filter_text -#Draw Graphs - This default to true to graph the traffic bandwidthd is recording +#Draw Graphs - This defaults to true to graph the traffic bandwidthd is recording #Usually set this to false if you only want cdf output or #you are using the database output option. Bandwidthd will use very little #ram and cpu if this is set to false. @@ -206,7 +244,7 @@ $meta_refresh EOF; $fd = fopen("{$bandwidthd_config_dir}/bandwidthd.conf","w"); - if(!$fd) { + if (!$fd) { log_error("could not open {$bandwidthd_config_dir}/bandwidthd.conf for writing"); exit; } @@ -314,7 +352,7 @@ EOD; if (!file_exists($bandwidthd_index_file)) { exec("echo \"Please start bandwidthd to populate this directory.\" > " . $bandwidthd_index_file); } - + if (($bandwidthd_enable) && ($output_cdf)) { // Use cron job to rotate logs every day at 00:01 install_cron_job("/bin/kill -HUP `cat /var/run/bandwidthd.pid`", true, "1", "0"); diff --git a/config/bandwidthd/bandwidthd.xml b/config/bandwidthd/bandwidthd.xml index f306546a..672b5367 100644 --- a/config/bandwidthd/bandwidthd.xml +++ b/config/bandwidthd/bandwidthd.xml @@ -2,8 +2,8 @@ <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> - <copyright> - <![CDATA[ + <copyright> + <![CDATA[ /* $Id$ */ /* ========================================================================== */ /* @@ -40,13 +40,13 @@ POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ - ]]> + ]]> </copyright> <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>bandwidthd</name> - <version>2.0.1.4</version> + <version>2.0.1_5 pkg v.0.2</version> <title>Bandwidthd</title> <aftersaveredirect>/pkg_edit.php?xml=bandwidthd.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/bandwidthd.inc</include_file> @@ -60,6 +60,7 @@ <name>bandwidthd</name> <rcfile>bandwidthd.sh</rcfile> <executable>bandwidthd</executable> + <description>BandwidthD bandwidth monitoring daemon</description> </service> <tabs> <tab> @@ -69,7 +70,7 @@ </tab> <tab> <text>Access BandwidthD</text> - <url>/bandwidthd" target="_blank</url> + <url>/bandwidthd/index.html" target="_blank</url> </tab> </tabs> <configpath>installedpackages->package->bandwidthd</configpath> @@ -84,7 +85,7 @@ <fieldname>enable</fieldname> <type>checkbox</type> <description></description> - </field> + </field> <field> <fielddescr>Interface</fielddescr> <fieldname>active_interface</fieldname> @@ -92,7 +93,7 @@ <type>interfaces_selection</type> <required/> <default_value>lan</default_value> - </field> + </field> <field> <fielddescr>Subnet</fielddescr> <fieldname>subnets_custom</fieldname> @@ -131,6 +132,43 @@ <type>checkbox</type> </field> <field> + <fielddescr>output PostgreSQL</fielddescr> + <fieldname>outputpostgresql</fieldname> + <description>Log data to a PostgreSQL database.<br> + Get the postgreSQL schema and PHP files to display the results from: <a target="_new" href="https://github.com/individual-it/bandwidthd-pSQL-frontend">https://github.com/individual-it/bandwidthd-pSQL-frontend</a></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Database host</fielddescr> + <fieldname>postgresqlhost</fieldname> + <description>Hostname of the postgreSQL database server.</description> + <type>input</type> + </field> + <field> + <fielddescr>Database name</fielddescr> + <fieldname>postgresqldatabase</fieldname> + <description>Database on the postgreSQL database server.</description> + <type>input</type> + </field> + <field> + <fielddescr>Database Username</fielddescr> + <fieldname>postgresqlusername</fieldname> + <description>Username of the postgreSQL database server.</description> + <type>input</type> + </field> + <field> + <fielddescr>Database Password</fielddescr> + <fieldname>postgresqlpassword</fieldname> + <description>Password of the postgreSQL database server.</description> + <type>password</type> + </field> + <field> + <fielddescr>sensor_id</fielddescr> + <fieldname>sensorid</fieldname> + <description>Arbitrary sensor name, I recommend the sensors fully qualified domain name.</description> + <type>input</type> + </field> + <field> <fielddescr>Filter</fielddescr> <fieldname>filter</fieldname> <description>Libpcap format filter string used to control what bandwidthd sees. Please always include "ip" in the string to avoid strange problems.</description> diff --git a/config/bind/bind.inc b/config/bind/bind.inc new file mode 100644 index 00000000..146632c9 --- /dev/null +++ b/config/bind/bind.inc @@ -0,0 +1,883 @@ +<?PHP +/* $Id$ */ +/* + bind.inc + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + +*/ +$shortcut_section = "bind"; +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('service-utils.inc'); +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('BIND_LOCALBASE', '/usr/pbi/bind-' . php_uname("m")); +else + define('BIND_LOCALBASE','/usr/local'); + +define('CHROOT_LOCALBASE','/cf/named'); + +function bind_zone_validate($post, $input_errors){ + if (key_exists("mail",$_POST)) + $_POST['mail']=preg_replace("/@/",".",$post['mail']); + + switch ($_POST['type']){ + case 'slave': + if( $_POST['slaveip'] == "") + $input_errors[] = 'The field \'Master Zone IP\' is required for slave zones.'; + break; + case 'forward': + if( $_POST['forwarders'] == "") + $input_errors[] = 'The field \'Forwarders\' is required for forward zones.'; + break; + case 'redirect': + $_POST['tll']=300; + $_POST['refresh']=0; + $_POST['serial']=0; + $_POST['retry']=0; + $_POST['expire']=0; + $_POST['minimum']=0; + if($_POST['mail']=='') + $input_errors[] = "The field 'Mail Admin Zone' is required for {$_POST['type']} zones."; + + default: + if($_POST['nameserver']=='') + $input_errors[] = "The field 'Name server' is required for {$_POST['type']} zones."; + for ($i=0;$i < count($_POST);$i++){ + if (key_exists("hostname$i",$_POST)){ + if ($_POST['reverso']=="on"){ + $_POST["hostvalue$i"]=""; + if (!preg_match("/(PTR|NS)/",$_POST["hosttype$i"])) + $input_errors[] = 'On reverse zones, valid record types are NS or PTR'; + } + if (preg_match("/(MX|NS)/",$_POST["hosttype$i"])) + $_POST["hostname$i"]=""; + if (!preg_match("/(MX|NS)/",$_POST["hosttype$i"]) && $_POST["hostname$i"]=="") + $input_errors[] = 'Record cannot be empty for '.$_POST["hosttype$i"].' type '; + if ($_POST["hosttype$i"]=="MX" && $_POST["hostvalue$i"]=="") + $_POST["hostvalue$i"]="10"; + if ($_POST["hosttype$i"]!="MX" && $_POST["hostvalue$i"]!="") + $_POST["hostvalue$i"]=""; + if ($_POST["hostdst$i"]=="") + $input_errors[] = 'Alias or IP address cannot be empty.'; + } + } + } +} + + function bind_sync(){ + + global $config; + conf_mount_rw(); + //create rndc + $rndc_confgen="/usr/local/sbin/rndc-confgen"; + if (!file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsense") && file_exists($rndc_confgen)){ + exec("$rndc_confgen ",$rndc_conf); + foreach($rndc_conf as $line) + $confgen_file.="$line\n"; + file_put_contents(BIND_LOCALBASE."/etc/rndc-confgen.pfsese",$confgen_file); + } + if (file_exists(BIND_LOCALBASE."/etc/rndc-confgen.pfsese")){ + $rndc_conf=file(BIND_LOCALBASE."/etc/rndc-confgen.pfsese"); + $confgen="rndc.conf"; + $rndc_bindconf=""; + foreach ($rndc_conf as $line){ + if ($confgen =="rndc.conf"){ + if (!preg_match ("/^#/",$line)) + $rndc_file.=$line; + } + else{ + if (!preg_match ("/named.conf/",$line)) + $rndc_bindconf.=preg_replace('/#/',"",$line); + } + if (preg_match("/named.conf/",$line)){ + $confgen="named.conf"; + file_put_contents(BIND_LOCALBASE."/etc/rndc.conf",$rndc_file); + } + } + } + + $bind = $config["installedpackages"]["bind"]["config"][0]; + $bind_enable = $bind['enable_bind']; + $bind_forwarder = $bind['bind_forwarder']; + $forwarder_ips = $bind['bind_forwarder_ips']; + $ram_limit = ($bind['bind_ram_limit']?$bind['bind_ram_limit']:"256M"); + $hide_version = $bind['bind_hide_version']; + $bind_notify = $bind['bind_notify']; + $custom_options = base64_decode($bind['bind_custom_options']); + $bind_logging = $bind['bind_logging']; + $bind_conf ="#Bind pfsense configuration\n"; + $bind_conf .="#Do not edit this file!!!\n\n"; + $bind_conf .= "$rndc_bindconf\n"; + $bind_conf .= <<<EOD + +options { + directory "/etc/namedb"; + pid-file "/var/run/named/pid"; + statistics-file "/var/log/named.stats"; + max-cache-size {$ram_limit}; + +EOD; + // check response rate limit option + //https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html + //http://ss.vix.su/~vjs/rl-arm.html + if ($bind['rate_enabled']=="on"){ + $rate_limit=($bind['rate_limit']?$bind['rate_limit']:"15"); + $log_only=($bind['log_only']=="no"?"no":"yes"); + $bind_conf .= <<<EOD + rate-limit { + responses-per-second {$rate_limit}; + log-only {$log_only}; + }; + +EOD; + } + //check ips to listen on + if (preg_match("/All/",$bind['listenon'])){ + $bind_listenonv6="Any;"; + $bind_listenon="Any;"; + } + else{ + $bind_listenonv6=""; + $bind_listenon =""; + foreach (explode(',',$bind['listenon']) as $listenon){ + if (is_ipaddrv6($listenon)) + $bind_listenonv6 .= $listenon."; "; + elseif (is_ipaddr($listenon)) + $bind_listenon .= $listenon."; "; + else{ + $listenon=(pfSense_get_interface_addresses(convert_friendly_interface_to_real_interface_name($listenon))); + if (is_ipaddr($listenon['ipaddr'])) + $bind_listenon .= $listenon['ipaddr']."; "; + if(is_ipaddrv6($listenon['ipaddr6'])) + $bind_listenonv6 .= $listenon['ipaddr6']."; "; + } + } + } + $bind_listenonv6=($bind_listenonv6==""?"none;":$bind_listenonv6); + $bind_listenon=($bind_listenon==""?"none;":$bind_listenon); + //print "<PRE>$bind_listenonv6 $bind_listenon"; + if (key_exists("ipv6allow",$config['system'])){ + $bind_conf .="\t\tlisten-on-v6 { $bind_listenonv6 };\n"; + } + $bind_conf .="\t\tlisten-on { $bind_listenon };\n"; + + #forwarder config + if ($bind_forwarder == on) + $bind_conf .="\t\tforwarders { $forwarder_ips };\n"; + if ($bind_notify == on) + $bind_conf .="\t\tnotify yes;\n"; + if ($hide_version == on) + $bind_conf .="\t\tversion \"N/A\";\n"; + + $bind_conf .="\t\t$custom_options\n"; + $bind_conf .= "\t};\n\n"; + + if ($bind_logging == on){ + //check if bind is included on syslog + $syslog_files=array("/etc/inc/system.inc","/var/etc/syslog.conf"); + $restart_syslog=0; + foreach ($syslog_files as $syslog_file){ + $syslog_file_data=file_get_contents($syslog_file); + if (!preg_match("/dnsmasq,named,filterdns/",$syslog_file_data)){ + $syslog_file_data=preg_replace("/dnsmasq,filterdns/","dnsmasq,named,filterdns",$syslog_file_data); + file_put_contents($syslog_file,$syslog_file_data); + $restart_syslog++; + } + } + if ($restart_syslog > 0){ + system("/usr/bin/killall -HUP syslogd"); + } + $log_categories=explode(",",$bind['log_options']); + $log_severity=($bind['log_severity']?$bind['log_severity']:'default'); + if (sizeof($log_categories) > 0 && $log_categories[0]!=""){ + $bind_conf .= <<<EOD + + logging { + channel custom { + syslog daemon; + print-time no; + print-severity yes; + print-category yes; + severity {$log_severity}; + }; + +EOD; + foreach ($log_categories as $category) + $bind_conf .="\t\t\tcategory $category\t{custom;};\n"; + $bind_conf .="\t\t};\n\n"; + } + } + else { + $bind_conf .="\t\tlogging { category default { null; }; };\n\n"; + } + + #Config Zone domain + if(!is_array($config["installedpackages"]["bindacls"]) || !is_array($config["installedpackages"]["bindacls"]["config"])){ + $config["installedpackages"]["bindacls"]["config"][] =array("name"=>"any","description"=>"Default Access list","row" => array("value"=> "","description"=>"")); + write_config("Create Default bind acl 'Any'"); + } + $bindacls = $config["installedpackages"]["bindacls"]["config"]; + for ($i=0; $i<sizeof($bindacls); $i++) + { + $aclname = $bindacls[$i]['name']; + $aclhost = $bindacls[$i]['row']; + if($aclname != "any"){ + $bind_conf .= "acl \"$aclname\" {\n"; + for ($u=0; $u<sizeof($aclhost); $u++) + { + $aclhostvalue = $aclhost[$u]['value']; + $bind_conf .= "\t$aclhostvalue;\n"; + } + $bind_conf .= "};\n\n"; + } + } + + if(is_array($config["installedpackages"]["bindviews"])) + $bindview = $config["installedpackages"]["bindviews"]["config"]; + else + $bindview =array(); + + for ($i=0; $i<sizeof($bindview); $i++) + { + $views = $config["installedpackages"]["bindviews"]["config"][$i]; + $viewname = $views['name']; + $viewrecursion = $views['recursion']; + if($views['match-clients'] == '') + $viewmatchclients = "none"; + else + $viewmatchclients = str_replace(',','; ',$views['match-clients']); + if($views['allow-recursion'] == '') + $viewallowrecursion = "none"; + else + $viewallowrecursion = str_replace(',','; ',$views['allow-recursion']); + $viewcustomoptions = base64_decode($views['bind_custom_options']); + + $bind_conf .= "view \"$viewname\" { \n\n"; + $bind_conf .= "\trecursion $viewrecursion;\n"; + $bind_conf .= "\tmatch-clients { $viewmatchclients;};\n"; + $bind_conf .= "\tallow-recursion { $viewallowrecursion;};\n"; + $bind_conf .= "\t$viewcustomoptions\n\n"; + + if(is_array($config["installedpackages"]["bindzone"])) + $bindzone = $config["installedpackages"]["bindzone"]["config"]; + else + $bindzone =array(); + + $write_config=0; + for ($x=0; $x<sizeof($bindzone); $x++) + { + $zone = $bindzone[$x]; + if ($zone['disabled']=="on"){ + continue; + } + $zonename = $zone['name']; + if ($zonename=="."){ + $custom_root_zone[$i]=true; + } + $zonetype = $zone['type']; + $zoneview = $zone['view']; + $zonecustom = base64_decode($zone['custom']); + $zoneipslave = $zone['slaveip']; + $zoneforwarders=$zone['forwarders']; + $zonereverso = $zone['reverso']; + + if (!(is_dir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview"))) + mkdir(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview",0755,true); + + if($zone['allowupdate'] == '') + $zoneallowupdate = "none"; + else + $zoneallowupdate = str_replace(',','; ',$zone['allowupdate']); + if($zone['allowquery'] == '') + $zoneallowquery = "none"; + else + $zoneallowquery = str_replace(',','; ',$zone['allowquery']); + if($zone['allowtransfer'] == '') + $zoneallowtransfer = "none"; + else + $zoneallowtransfer = str_replace(',','; ',$zone['allowtransfer']); + + if ($zoneview == $viewname){ + if($zonereverso == "on") + $bind_conf .= "\tzone \"$zonename.in-addr.arpa\" {\n"; + else + $bind_conf .= "\tzone \"$zonename\" {\n"; + + $bind_conf .= "\t\ttype $zonetype;\n"; + if ($zonetype != "forward") + $bind_conf .= "\t\tfile \"/etc/namedb/$zonetype/$zoneview/$zonename.DB\";\n"; + switch ($zonetype){ + case "slave": + $bind_conf .= "\t\tmasters { $zoneipslave; };\n"; + $bind_conf .= "\t\tallow-transfer {none;};\n"; + $bind_conf .= "\t\tnotify no;\n"; + break; + case "forward": + $bind_conf .= "\t\tforward only;\n"; + $bind_conf .= "\t\tforwarders { $zoneforwarders; };\n"; + break; + case "redirect": + $bind_conf .= "\t\t# While using redirect zones,NXDOMAIN Redirection will not override DNSSEC\n"; + $bind_conf .= "\t\t# If the client has requested DNSSEC records (DO=1) and the NXDOMAIN response is signed then no substitution will occur\n"; + $bind_conf .= "\t\t# https://kb.isc.org/article/AA-00376/192/BIND-9.9-redirect-zones-for-NXDOMAIN-redirection.html\n"; + break; + default: + $bind_conf .= "\t\tallow-update { $zoneallowupdate;};\n"; + $bind_conf .= "\t\tallow-query { $zoneallowquery;};\n"; + $bind_conf .= "\t\tallow-transfer { $zoneallowtransfer;};\n"; + if ($zone['dnssec']=="on"){ + //https://kb.isc.org/article/AA-00626/ + $bind_conf .="\n\t\t# look for dnssec keys here:\n"; + $bind_conf .="\t\tkey-directory \"/etc/namedb/keys\";\n\n"; + $bind_conf .="\t\t# publish and activate dnssec keys:\n"; + $bind_conf .="\t\tauto-dnssec maintain;\n\n"; + $bind_conf .="\t\t# use inline signing:\n"; + $bind_conf .="\t\tinline-signing yes;\n\n"; + } + } + if ($zonecustom != '') + $bind_conf .= "\t\t$zonecustom\n"; + + $bind_conf .= "\t};\n\n"; + + switch($zonetype){ + case "redirect": + case "master": + //check/update slave dir permission + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind"); + $zonetll = ($zone['tll']?$zone['tll']:"43200"); + $zonemail = ($zone['mail']?$zone['mail']:"zonemaster.{$zonename}"); + $zonemail = preg_replace("/@/",".",$zonemail); + $zoneserial = $zone['serial']; + $zonerefresh = ($zone['refresh']?$zone['refresh']:"3600"); + $zoneretry = ($zone['retry']?$zone['retry']:"600"); + $zoneexpire = ($zone['expire']?$zone['expire']:"86400"); + $zoneminimum = ($zone['minimum']?$zone['minimum']:"3600"); + $zonenameserver = $zone['nameserver']; + $zoneipns = $zone['ipns']; + $zonereverso = $zone['reverso']; + if($zone['allowupdate'] == '') + $zoneallowupdate = "none"; + else + $zoneallowupdate = str_replace(',','; ',$zone['allowupdate']); + if($zone['allowquery'] == '') + $zoneallowquery = "none"; + else + $zoneallowquery = str_replace(',','; ',$zone['allowquery']); + if($zone['allowtransfer'] == '') + $zoneallowtransfer = "none"; + else + $zoneallowtransfer = str_replace(',','; ',$zone['allowtransfer']); + $zone_conf = "\$TTL {$zonetll}\n;\n"; + if($zonereverso == "on") + $zone_conf .= "\$ORIGIN {$zonename}.in-addr.arpa.\n\n"; + else + $zone_conf .= "\$ORIGIN {$zonename}.\n\n"; + $zone_conf .= ";\tDatabase file {$zonename}.DB for {$zonename} zone.\n"; + $zone_conf .= ";\tDo not edit this file!!!\n"; + $zone_conf .= ";\tZone version {$zoneserial}\n;\n"; + if($zonereverso == "on" || $zonetype =="redirect") + $zone_conf .= "@\t IN SOA $zonenameserver. \t $zonemail. (\n"; + else + $zone_conf .= "$zonename.\t IN SOA $zonenameserver. \t $zonemail. (\n"; + + $zone_conf .= "\t\t$zoneserial ; serial\n"; + $zone_conf .= "\t\t$zonerefresh ; refresh\n"; + $zone_conf .= "\t\t$zoneretry ; retry\n"; + $zone_conf .= "\t\t$zoneexpire ; expire\n"; + $zone_conf .= "\t\t$zoneminimum ; default_ttl\n\t\t)\n\n"; + $zone_conf .= ";\n; Zone Records\n;\n"; + + if($zonereverso == "on") + $zone_conf .= "\t IN NS \t$zonenameserver.\n"; + else{ + $zone_conf .= "@ \t IN NS \t$zonenameserver.\n"; + if ($zoneipns !="") + $zone_conf .= "@ \t IN A \t$zoneipns\n"; + } + for ($y=0; $y<sizeof($zone['row']); $y++) + { + $hostname = (preg_match("/(MX|NS)/",$zone['row'][$y]['hosttype'])?"@":$zone['row'][$y]['hostname']); + $hosttype = $zone['row'][$y]['hosttype']; + $hostdst = $zone['row'][$y]['hostdst']; + if (preg_match("/[a-zA-Z]/",$hostdst) && !preg_match("/(TXT|SPF)/",$hosttype)) + $hostdst .= "."; + $hostvalue = $zone['row'][$y]['hostvalue']; + + $zone_conf .= "$hostname \t IN $hosttype $hostvalue \t$hostdst\n"; + } + if (($zone[regdhcpstatic] == 'on') && is_array($config['dhcpd'])) { + foreach ($config['dhcpd'] as $dhcpif => $dhcpifconf) + if(is_array($dhcpifconf['staticmap']) && isset($dhcpifconf['enable'])) + foreach ($dhcpifconf['staticmap'] as $host) + if ($host['ipaddr'] && $host['hostname']) { + $zone_conf .= "{$host['hostname']}\tIN A\t{$host['ipaddr']}\n"; + } + } + if ($zone['customzonerecords']!=""){ + $zone_conf .= "\n\n;\n;custom zone records\n;\n".base64_decode($zone['customzonerecords'])."\n"; + } + file_put_contents(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB", $zone_conf); + $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($zone_conf); + $write_config++; + //check dnssec keys creation for master zones + if($zone['dnssec']=="on"){ + $zone_found=0; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*key",GLOB_NOSORT) as $filename){ + $zone_found++; + } + if ($zone_found==0){ + $key_restored=0; + if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){ + foreach ($config['installedpackages']['dnsseckeys']['config']as $filer) + if (preg_match ("/K$zonename\.+/",$filer['fullfile'])){ + file_put_contents($filer['fullfile'],base64_decode($filer['filedata']),LOCK_EX); + chmod($filer['fullfile'],0700); + chown($filer['fullfile'],"bind"); + $key_restored++; + } + } + if ($key_restored > 0){ + log_error("[bind] {$key_restored} DNSSEC keys restored from XML backup for {$zonename} zone."); + } + $dnssec_bin="/usr/local/sbin/dnssec-keygen"; + if (file_exists($dnssec_bin) && $key_restored==0){ + exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys {$zonename}",$kout); + exec("{$dnssec_bin} -K ".CHROOT_LOCALBASE."/etc/namedb/keys -fk {$zonename}",$kout); + foreach($kout as $filename){ + chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.key","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/keys/{$filename}.private","bind"); + } + log_error("[bind] DNSSEC keys for {$zonename} created."); + } + } + //get ds keys + $dsfromkey="/usr/local/sbin/dnssec-dsfromkey"; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*key",GLOB_NOSORT) as $filename) { + $zone_key=file_get_contents($filename); + if (preg_match("/IN DNSKEY 257 /",$zone_key) && file_exists($dsfromkey)){ + exec("$dsfromkey $filename",$dsset); + $config["installedpackages"]["bindzone"]["config"][$x]['dsset']=base64_encode(array_pop($dsset)."\n".array_pop($dsset)); + $write_config++; + } + } + //save dnssec keys to xml + + if($zone['backupkeys']=="on"){ + $dnssec_keys=0; + foreach (glob(CHROOT_LOCALBASE."/etc/namedb/keys/*{$zonename}*",GLOB_NOSORT) as $filename){ + $file_found=0; + if(is_array($config['installedpackages']['dnsseckeys']) && is_array($config['installedpackages']['dnsseckeys']['config'])){ + foreach ($config['installedpackages']['dnsseckeys']['config']as $filer){ + if ($filer['fullfile']==$filename) + $file_found++; + } + } + if ($file_found==0){ + $config['installedpackages']['dnsseckeys']['config'][]=array('fullfile'=> $filename, + 'description'=> "bind {$zonename} DNSSEC backup file", + 'filedata'=> base64_encode(file_get_contents($filename))); + $write_config++; + $dnssec_keys++; + } + } + if($dnssec_keys>0){ + log_error("[bind] {$dnssec_keys} DNSSEC keys for {$zonename} zone saved on XML config."); + } + } + } + break; + case "slave": + //check/update slave dir permission + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview","bind"); + //check if exists slave zone file + $rsconfig=""; + if ($zone['dnssec']=="on"){ + if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed")) + exec("/usr/local/sbin/named-checkzone -D -f raw -o - {$zonename} ".CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB.signed",$slave_file); + } + else{ + if (file_exists(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB")) + $slave_file=file(CHROOT_LOCALBASE."/etc/namedb/$zonetype/$zoneview/$zonename.DB"); + } + if (is_array($slave_file)){ + foreach ($slave_file as $zfile) + $rsconfig.= $zfile; + $config["installedpackages"]["bindzone"]["config"][$x][resultconfig]=base64_encode($rsconfig); + $write_config++; + } + break; + } + } + } + if (!$custom_root_zone[$i]){ + $bind_conf .="\tzone \".\" {\n"; + $bind_conf .="\t\ttype hint;\n"; + $bind_conf .="\t\tfile \"/etc/namedb/named.root\";\n"; + $bind_conf .= "\t};\n\n"; + } + if($write_config > 0){ + write_config("save result config file for zone on xml"); + } + $bind_conf .= "};\n"; + } + $dirs=array("/etc/namedb/keys","/var/run/named","/var/dump","/var/log","/var/stats","/dev"); + foreach ($dirs as $dir){ + if (!is_dir(CHROOT_LOCALBASE .$dir)) + mkdir(CHROOT_LOCALBASE .$dir,0755,true); + } + //dev dirs for chroot + $bind_dev_dir=CHROOT_LOCALBASE."/dev"; + if (!file_exists("$bind_dev_dir/random")){ + $dev_dirs=array("null","zero","random","urandom"); + exec("/sbin/mount -t devfs devfs {$bind_dev_dir}",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} ruleset 1",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} rule add hide",$dout); + foreach ($dev_dirs as $dev_dir) + exec("/sbin/devfs -m {$bind_dev_dir} rule add path $dev_dir unhide",$dout); + exec("/sbin/devfs -m {$bind_dev_dir} rule applyset",$dout); + } + //http://www.unixwiz.net/techtips/bind9-chroot.html + file_put_contents(CHROOT_LOCALBASE.'/etc/namedb/named.conf', $bind_conf); + file_put_contents(CHROOT_LOCALBASE.'/etc/namedb/rndc.conf', $rndc_file); + + if (!file_exists(CHROOT_LOCALBASE."/etc/namedb/named.root")){ + //dig +tcp @a.root-servers.net > CHROOT_LOCALBASE."/etc/namedb/named.root" + $named_root=file_get_contents("http://www.internic.net/domain/named.root"); + file_put_contents(CHROOT_LOCALBASE."/etc/namedb/named.root",$named_root,LOCK_EX); + } + if (!file_exists(CHROOT_LOCALBASE."/etc/localtime")){ + copy("/etc/localtime", CHROOT_LOCALBASE."/etc/localtime"); + } + + bind_write_rcfile(); + chown(CHROOT_LOCALBASE."/etc/namedb/keys","bind"); + chown(CHROOT_LOCALBASE."/etc/namedb","bind"); + chown(CHROOT_LOCALBASE."/var/log","bind"); + chown(CHROOT_LOCALBASE."/var/run/named","bind"); + chgrp(CHROOT_LOCALBASE."/var/log","bind"); + $bind_sh="/usr/local/etc/rc.d/named.sh"; + if($bind_enable == "on"){ + chmod ($bind_sh,0755); + mwexec("{$bind_sh} restart"); + } + elseif (is_service_running('named')){ + mwexec("{$bind_sh} stop"); + chmod ($bind_sh,0644); + } + //sync to backup servers + bind_sync_on_changes(); + conf_mount_ro(); +} + +function bind_print_javascript_type_zone(){ +?> + <script language="JavaScript"> + <!-- + function on_type_zone_changed() { + + var field = document.iform.type; + var tipo = field.options[field.selectedIndex].value; + switch (tipo){ + case 'master': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 0; + document.iform.nameserver.disabled = 0; + document.iform.reverso.disabled = 0; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 0; + document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; + document.iform.ipns.disabled = 0; + document.iform.mail.disabled = 0; + document.iform.serial.disabled = 0; + document.iform.refresh.disabled = 0; + document.iform.retry.disabled = 0; + document.iform.expire.disabled = 0; + document.iform.minimum.disabled = 0; + break; + case 'slave': + document.iform.slaveip.disabled = 0; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 1; + document.iform.reverso.disabled = 0; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 0; + document.iform.backupkeys.disabled = 0; + document.iform.regdhcpstatic.disabled = 0; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 1; + document.iform.serial.disabled = 1; + document.iform.refresh.disabled = 1; + document.iform.retry.disabled = 1; + document.iform.expire.disabled = 1; + document.iform.minimum.disabled = 1; + break; + case 'forward': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 1; + document.iform.reverso.disabled = 1; + document.iform.forwarders.disabled = 0; + document.iform.dnssec.disabled = 1; + document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 1; + document.iform.serial.disabled = 1; + document.iform.refresh.disabled = 1; + document.iform.retry.disabled = 1; + document.iform.expire.disabled = 1; + document.iform.minimum.disabled = 1; + break; + case 'redirect': + document.iform.slaveip.disabled = 1; + document.iform.tll.disabled = 1; + document.iform.nameserver.disabled = 0; + document.iform.reverso.disabled = 1; + document.iform.forwarders.disabled = 1; + document.iform.dnssec.disabled = 1; + document.iform.backupkeys.disabled = 1; + document.iform.regdhcpstatic.disabled = 1; + document.iform.ipns.disabled = 1; + document.iform.mail.disabled = 0; + document.iform.serial.disabled = 0; + document.iform.refresh.disabled = 0; + document.iform.retry.disabled = 0; + document.iform.expire.disabled = 0; + document.iform.minimum.disabled = 0; + break; + } + } + --> + </script> +<?php +} + +function bind_print_javascript_type_zone2(){ + print("<script language=\"JavaScript\">on_type_zone_changed();document.iform.resultconfig.disabled = 1;document.iform.dsset.disabled = 1;</script>\n"); +} + +function bind_write_rcfile() { + $rc = array(); + $BIND_LOCALBASE = "/usr/local"; + $rc['file'] = 'named.sh'; + $rc['start'] = <<<EOD +if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ +fi + +EOD; + $rc['stop'] = <<<EOD +killall -9 named 2>/dev/null +sleep 2 +EOD; + $rc['restart'] = <<<EOD +if [ -z "`ps auxw | grep "[n]amed -c /etc/namedb/named.conf"|awk '{print $2}'`" ];then + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ + else + killall -9 named 2>/dev/null + sleep 3 + {$BIND_LOCALBASE}/sbin/named -c /etc/namedb/named.conf -u bind -t /cf/named/ + fi + +EOD; + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); +} + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function bind_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['bindsync']['config'])){ + $bind_sync=$config['installedpackages']['bindsync']['config'][0]; + $synconchanges = $bind_sync['synconchanges']; + $synctimeout = $bind_sync['synctimeout']; + $master_zone_ip=$bind_sync['masterip']; + switch ($synconchanges){ + case "manual": + if (is_array($bind_sync[row])){ + $rs=$bind_sync[row]; + } + else{ + log_error("[bind] xmlrpc sync is enabled but there is no hosts to push on bind config."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])){ + $hasync=$config['hasync'][0]; + $rs[0]['ipaddress']=$hasync['synchronizetoip']; + $rs[0]['username']=$hasync['username']; + $rs[0]['password']=$hasync['password']; + } + else{ + log_error("[bind] xmlrpc sync is enabled but there is no system backup hosts to push bind config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[bind] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + bind_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout,$master_zone_ip); + } + log_error("[bind] xmlrpc sync is ending."); + } + } +} +/* Do the actual XMLRPC sync */ +function bind_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout,$master_zone_ip) { + global $config, $g; + + if(!$username) + return; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$synctimeout) + $synctimeout=25; + + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['bind'] = $config['installedpackages']['bind']; + $xml['bindacls'] = $config['installedpackages']['bindacls']; + $xml['bindviews'] = $config['installedpackages']['bindviews']; + $xml['bindzone'] = $config['installedpackages']['bindzone']; + if (is_array($config['installedpackages']['dnsseckeys'])) + $xml['dnsseckeys']=$config['installedpackages']['dnsseckeys']; + //change master zone to slave on backup servers + if(is_array($xml['bindzone']["config"])) + for ($x=0; $x<sizeof($xml['bindzone']["config"]); $x++){ + if ($xml['bindzone']["config"][$x]['type']=="master"){ + $xml['bindzone']["config"][$x]['type']="slave"; + $xml['bindzone']["config"][$x]['slaveip']=$master_zone_ip; + } + + } + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("[bind] Beginning bind XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } else { + log_error("[bind] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell bind to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/bind.inc');\n"; + $execcmd .= "bind_sync('yes');"; + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("[bind] XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting bind XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "Bind Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "[Bind] An error code was received while attempting bind XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "bind Settings Sync", ""); + } else { + log_error("Bind XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + +} +?> diff --git a/config/bind/bind.widget.php b/config/bind/bind.widget.php new file mode 100644 index 00000000..490ded9b --- /dev/null +++ b/config/bind/bind.widget.php @@ -0,0 +1,86 @@ +<?php +/* + Copyright 2013 Marcello Coutinho + Part of bind package for pfSense(www.pfsense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +@require_once("guiconfig.inc"); +@require_once("pfsense-utils.inc"); +@require_once("functions.inc"); + +$uname=posix_uname(); +if ($uname['machine']=='amd64') + ini_set('memory_limit', '250M'); + +function open_table(){ + echo "<table style=\"padding-top:0px; padding-bottom:0px; padding-left:0px; padding-right:0px\" width=\"100%\" border=\"0\" cellpadding=\"0\" cellspacing=\"0\">"; + echo" <tr>"; +} +function close_table(){ + echo" </tr>"; + echo"</table>"; + +} + +$pfb_table=array(); +$img['Sick']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_down.gif'>"; +$img['Healthy']="<img src ='/themes/{$g['theme']}/images/icons/icon_interface_up.gif'>"; + + +#var_dump($pfb_table); +#exit; +?><div id='bind'><?php +global $config; +$rndc_bin="/usr/local/sbin/rndc"; + +if (file_exists($rndc_bin)) + exec("$rndc_bin status",$status); + +open_table(); +foreach($status as $line){ + $fields=explode(":",$line); + print "<tr><td class=\"vncellt\"width=50%><strong>".ucfirst($fields[0])."</strong></td>\n"; + print "<td class=\"listlr\">{$fields[1]}</td>\n</tr>"; + } +close_table(); +echo"</div>"; + +?> +<script type="text/javascript"> + function getstatus_bind() { + var url = "/widgets/widgets/bind.widget.php"; + var pars = 'getupdatestatus=yes'; + var myAjax = new Ajax.Request( + url, + { + method: 'get', + parameters: pars, + onComplete: activitycallback_bind + }); + } + function activitycallback_bind(transport) { + $('bind').innerHTML = transport.responseText; + setTimeout('getstatus_postfix()', 5000); + } + getstatus_bind(); +</script> diff --git a/config/bind/bind.xml b/config/bind/bind.xml new file mode 100644 index 00000000..76fdf523 --- /dev/null +++ b/config/bind/bind.xml @@ -0,0 +1,316 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bind</name> + <version>1.0</version> + <title>Bind: Domain Named Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext>Modify Bind settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=bind.xml</url> + </menu> + <service> + <name>named</name> + <rcfile>named.sh</rcfile> + <executable>named</executable> + <description>Domain Name Service</description> + </service> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + <active/> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + + </tabs> + <!-- Installation --> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_views.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_zones.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_acls.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/pkg_bind.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/widgets/widgets/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/bind/bind.widget.php</item> + </additional_files_needed> + <fields> + <field> + <type>listtopic</type> + <name>Daemon Settings</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Enable Bind</fielddescr> + <fieldname>enable_bind</fieldname> + <description><![CDATA[Enable DNS Bind on Server<br> + Disable Dns forwarder service on selected interfaces before enabling bind.]]></description> + <type>checkbox</type> + <required/> + </field> + <field> + <fielddescr>Listen-on</fielddescr> + <fieldname>listenon</fieldname> + <description><![CDATA[Enable Named to listen on.]]></description> + <type>interfaces_selection</type> + <showlistenall/> + <showvirtualips/> + <multiple/> + </field> + <field> + <fielddescr>Enable Notify</fielddescr> + <fieldname>bind_notify</fieldname> + <description>Notify slave server after any update on master.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Hide Version</fielddescr> + <fieldname>bind_hide_version</fieldname> + <description>Hide the version of BIND, this prevents discover the version of our servers, use any exploit that exploits a vulnerability in Bind.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Limit Memory use</fielddescr> + <fieldname>bind_ram_limit</fieldname> + <description>Limits RAM use for DNS server, recommend 256M</description> + <type>input</type> + <size>10</size> + <default_value>256M</default_value> + </field> + <field> + <type>listtopic</type> + <name>Logging options</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Enable logging</fielddescr> + <fieldname>bind_logging</fieldname> + <description><![CDATA[Enable Bind logs on status-> system logs -> resolver menu.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Loggin serverity</fielddescr> + <fieldname>log_severity</fieldname> + <description><![CDATA[Select logging levels for selected categories.<BR> + use CTRL+click to select/unselect.<br> + The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace.]]></description> + <type>select</type> + <options> + <option><name>Critital</name><value>critical</value></option> + <option><name>Error</name><value>error</value></option> + <option><name>Warning</name><value>warning</value></option> + <option><name>Notice</name><value>Notice</value></option> + <option><name>info</name><value>info</value></option> + <option><name>Debug level 1</name><value>debug 1</value></option> + <option><name>Debug level 3</name><value>debug 3</value></option> + <option><name>Debug level 5</name><value>debug 5</value></option> + <option><name>Dynamic</name><value>dynamic</value></option> + </options> + </field> + <field> + <fielddescr>Loggin options</fielddescr> + <fieldname>log_options</fieldname> + <description><![CDATA[Select categories to log.<BR> + use CTRL+click to select/unselect.]]></description> + <type>select</type> + <options> + <option><name>Default-if this is the only category selected, it will log all categories except queries</name><value>default</value></option> + <option><name>General-Anything that is not classified as any other item in this list defaults to this category</name><value>general</value></option> + <option><name>Database-The value 'dynamic' means assume the global level defined by either the command line parameter -d or by running rndc trace</name><value>database</value></option> + <option><name>Security-Approval and denial of requests</name><value>security</value></option> + <option><name>Config-Configuration file parsing and processing</name><value>config</value></option> + <option><name>Resolver-Name resolution including recursive lookups</name><value>resolver</value></option> + <option><name>Xfer-in-Details of zone transfers the server is receiving.</name><value>xfer-in</value></option> + <option><name>Xfer-out-Details of zone transfers the server is sending.</name><value>xfer-out</value></option> + <option><name>Notify-Logs all NOTIFY operations.</name><value>notify</value></option> + <option><name>Client-Processing of client requests</name><value>client</value></option> + <option><name>Unmatched-No matching view clause or unrecognized class value.</name><value>unmatched</value></option> + <option><name>Queries-Logs all query transactions</name><value>queries</value></option> + <option><name>Network-Logs all network operations</name><value>network</value></option> + <option><name>Update-Logging of all dynamic update (DDNS) transactions</name><value>update</value></option> + <option><name>Dispatch-Dispatching of incoming packets to the server modules</name><value>dispatch</value></option> + <option><name>DNSSEC-DNSSEC and TSIG protocol processing</name><value>dnssec</value></option> + <option><name>lame-servers-Mis-configuration in the delegation of domains discovered by BIND</name><value>lame-servers</value></option> + </options> + <multiple/> + <size>18</size> + </field> + <field> + <type>listtopic</type> + <name>Response Rate Limit</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Rate limit</fielddescr> + <fieldname>rate_enabled</fieldname> + <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-01000/189/A-Quick-Introduction-to-Response-Rate-Limiting.html?utm_source=isc&utm_medium=website&utm_term=rrl-kb&utm_content=kbarticle&utm_campaign=bind994_release_091913'> + Limit/rate response queries</a> to prevent DOS attack.]]></description> + <type>checkbox</type> + <enablefields>rate_limit,log_only</enablefields> + </field> + <field> + <fielddescr>Limit Action</fielddescr> + <fieldname>log_only</fieldname> + <description>Select what to do when a query reaches a limit.</description> + <type>select</type> + <options> + <option><name>Deny query</name><value>no</value></option> + <option><name>Log only</name><value>yes</value></option> + </options> + </field> + <field> + <fielddescr>limit</fielddescr> + <fieldname>rate_limit</fieldname> + <description>Set rate limit. Default to 15.</description> + <type>input</type> + <size>10</size> + </field> + + <field> + <type>listtopic</type> + <name>Forwarder Config</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Forwarder</fielddescr> + <fieldname>bind_forwarder</fieldname> + <description>Forwardes enable DNS Bind on Server.</description> + <type>checkbox</type> + <enablefields>bind_forwarder_ips</enablefields> + </field> + <field> + <fielddescr>Forwarder IPs</fielddescr> + <fieldname>bind_forwarder_ips</fieldname> + <description>Enter IPs to forward. Separate by semi-colons (;). [Applies only to Forwarder mode]</description> + <type>input</type> + <size>80</size> + </field> + <field> + <type>listtopic</type> + <name>custom Options</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>bind_custom_options</fieldname> + <description><![CDATA[You can put your own custom options here, one per line.<br> + They'll be added to the configuration. They need to be named.conf native options.]]> + </description> + <type>textarea</type> + <cols>65</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_after_head_command> + </custom_php_after_head_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_add_php_command> + </custom_add_php_command> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> + <custom_php_install_command> + bind_write_rcfile(); + </custom_php_install_command> + <custom_php_deinstall_command> + </custom_php_deinstall_command> + <filter_rules_needed></filter_rules_needed> +</packagegui> diff --git a/config/bind/bind_acls.xml b/config/bind/bind_acls.xml new file mode 100644 index 00000000..b8d10158 --- /dev/null +++ b/config/bind/bind_acls.xml @@ -0,0 +1,138 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_acls.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindacls</name> + <version>0.1.0</version> + <title>Bind: ACLs Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + <active/> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindacls']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>ACL</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <!-- fields gets invoked when the user adds or edits a item. the following items + will be parsed and rendered for the user as a gui with input, and selectboxes. --> + <fields> + <field> + <fielddescr>ACL Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter name ACL.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this ACL.</description> + <type>input</type> + </field> + <field> + <fielddescr>Enter IP or range bloc network.</fielddescr> + <description>Leave blank to allow All</description> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Value</fielddescr> + <fieldname>value</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <type>input</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_sync.xml b/config/bind/bind_sync.xml new file mode 100644 index 00000000..d2f9c95b --- /dev/null +++ b/config/bind/bind_sync.xml @@ -0,0 +1,143 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_sync.xml + part of the Bind package for pfSense + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindsync</name> + <version>1.0</version> + <title>Bind: XMLRPC Sync</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Automatically sync bind configuration changes</fielddescr> + <fieldname>synconchanges</fieldname> + <description>Select a sync method for bind.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>25</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>250 seconds</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + </options> + </field> + <field> + <fielddescr>Zone Master IP</fielddescr> + <fieldname>masterip</fieldname> + <description><![CDATA[Set master zone ip you want to use to sync backup server zones with master.<br> + <b>All master zones will be configured as backup on slave servers.<b>]]></description> + <type>input</type> + <size>20</size> + <required/> + </field> + <field> + <fielddescr>Remote Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <description><![CDATA[<b>Do not forget to:</b><br> + Create firewall rules to allow zone transfer between master and slave servers.<br> + Create a acls with these slave servers.<br> + Include created acl on allow-transfer option on zone config.]]></description> + <rowhelper> + <rowhelperfield> + <fielddescr>IP Address</fielddescr> + <fieldname>ipaddress</fieldname> + <description>IP Address of remote server</description> + <type>input</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Password</fielddescr> + <fieldname>password</fieldname> + <description>Password for remote server.</description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_php_validation_command> + </custom_php_validation_command> + <custom_php_resync_config_command> + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_views.xml b/config/bind/bind_views.xml new file mode 100644 index 00000000..a6c42552 --- /dev/null +++ b/config/bind/bind_views.xml @@ -0,0 +1,162 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_zone.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindviews</name> + <version>0.1.0</version> + <title>Bind: Views Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + <active/> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml</url> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindviews']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>View</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>View Name</fielddescr> + <fieldname>name</fieldname> + <description>Enter the name of the View.</description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter a description of the View.</description> + <type>input</type> + </field> + <field> + <fielddescr>Recursion</fielddescr> + <fieldname>recursion</fieldname> + <description>A recursive query occurs when your DNS server is queried for a domain that it currently knows nothing about, in which case it will try to resolve the given host by performing further queries (eg by starting at the root servers and working out, or by simply passing the request to yet another DNS server).</description> + <type>select</type> + <options> + <option><name>No</name><value>no</value></option> + <option><name>Yes</name><value>yes</value></option> + </options> + </field> + <field> + <fielddescr>Match-clients</fielddescr> + <fieldname>match-clients</fieldname> + <description>If either or both of match-clients are missing they default to any (all hosts match). The match-clients statement defines the address_match_list for the source IP address of the incoming messages.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-recursion</fielddescr> + <fieldname>allow-recursion</fieldname> + <description>For example, if you have one DNS server serving your local network, you may want all of your local computers to use your DNS server.</description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <type>listtopic</type> + <name>Custom Views </name> + <fieldname>temp</fieldname> + </field> + <field> + <fielddescr>Custom Options</fielddescr> + <fieldname>bind_custom_options</fieldname> + <description>You can put your own custom options here, separated by semi-colons (;).</description> + <type>textarea</type> + <cols>65</cols> + <rows>8</rows> + <encoding>base64</encoding> + </field> + </fields> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_delete_php_command> + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/bind_zones.xml b/config/bind/bind_zones.xml new file mode 100644 index 00000000..be4da9cf --- /dev/null +++ b/config/bind/bind_zones.xml @@ -0,0 +1,445 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* + bind_zone.xml + part of pfSense (http://www.pfSense.com) + part of the Bind package for pfSense + Copyright (C) 2013 Juliano Oliveira/Adriano Brancher + All rights reserved. + + Based on m0n0wall (http://m0n0.ch/wall) + Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Describe your package here</description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>bindzone</name> + <version>none</version> + <title>Bind: Zones Settings</title> + <include_file>/usr/local/pkg/bind.inc</include_file> + <menu> + <name>Bind Server</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <configfile>bind.xml</configfile> + </menu> + <tabs> + <tab> + <text>Settings</text> + <url>/pkg_edit.php?xml=bind.xml</url> + </tab> + <tab> + <text>ACLs</text> + <url>/pkg.php?xml=bind_acls.xml</url> + </tab> + <tab> + <text>Views</text> + <url>/pkg.php?xml=bind_views.xml</url> + </tab> + <tab> + <text>Zones</text> + <url>/pkg.php?xml=bind_zones.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Sync</text> + <url>/pkg_edit.php?xml=bind_sync.xml</url> + </tab> + </tabs> + <configpath>['installedpackages']['bindzone']['config']</configpath> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>status</fielddescr> + <fieldname>disabled</fieldname> + <listmodeon>Disabled</listmodeon> + <listmodeoff>Enabled</listmodeoff> + </columnitem> + <columnitem> + <fielddescr>Zone Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Zone Type</fielddescr> + <fieldname>type</fieldname> + </columnitem> + <columnitem> + <fielddescr>View Name</fielddescr> + <fieldname>view</fieldname> + </columnitem> + <columnitem> + <fielddescr>Serial</fielddescr> + <fieldname>serial</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + <movable>on</movable> + </adddeleteeditpagefields> + <fields> + <field> + <type>listtopic</type> + <name>Domain Zone Configuration</name> + <fieldname>temp01</fieldname> + </field> + <field> + <fielddescr>Disable this zone</fielddescr> + <fieldname>disabled</fieldname> + <description><![CDATA[Do not Include this zone on bind config files.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Zone Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[Enter the name for zone (ex:mydomain.com)<br> + For reverse zones, include zone ip in reverse order or following your provider instructions.(Ex: 1.168.192)<br> + IN-ADDR.ARPA will be automaticaly included on conf files when reveser zone option is checked.]]></description> + <type>input</type> + <required/> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this zone.</description> + <type>input</type> + <size>70</size> + </field> + <field> + <fielddescr>Zone Type</fielddescr> + <fieldname>type</fieldname> + <description><![CDATA[Select zone type.]]></description> + <type>select</type> + <options> + <option><name>Master</name><value>master</value><enablefields>description</enablefields></option> + <option><name>Slave</name><value>slave</value><enablefields>ttl</enablefields></option> + <option><name>Forward</name><value>forward</value><enablefields>forward</enablefields></option> + <option><name>Redirect</name><value>redirect</value><enablefields>redirect</enablefields></option> + </options> + <onchange>on_type_zone_changed()</onchange> + <required/> + </field> + <field> + <fielddescr>View</fielddescr> + <fieldname>view</fieldname> + <description><![CDATA[Select the View that this area will belong.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindviews']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + </field> + <field> + <fielddescr>Reverse Zone</fielddescr> + <fieldname>reverso</fieldname> + <description>Enable if this is a reverse zone.</description> + <type>checkbox</type> + </field> + <field> + <fielddescr>custom Option</fielddescr> + <fieldname>custom</fieldname> + <description>You can put your own custom options here.</description> + <type>textarea</type> + <cols>75</cols> + <rows>5</rows> + <encoding>base64</encoding> + </field> + <field> + <type>listtopic</type> + <name>DNSSEC</name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Inline Signing</fielddescr> + <fieldname>dnssec</fieldname> + <enablefields>backupkeys</enablefields> + <description><![CDATA[<a target=_new href='https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html'>Enable inline DNSSEC Signing</a> afor this zones.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>backup keys</fielddescr> + <fieldname>backupkeys</fieldname> + <description><![CDATA[Enable this option to include all DNSSEC key files on XML.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>DS set</fielddescr> + <fieldname>dsset</fieldname> + <description><![CDATA[Digest fingerprint of the Key Signing KeyResulting for this zone.<br> + Upload this ds set to your domain root server.]]></description> + <type>textarea</type> + <cols>75</cols> + <rows>3</rows> + <encoding>base64</encoding> + </field> + <field> + <type>listtopic</type> + <name>Slave Zone Configuration </name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Master Zone IP</fielddescr> + <fieldname>slaveip</fieldname> + <description>If zone is slave, enter the IP address of the master DNS zone.</description> + <type>input</type> + </field> + <field> + <type>listtopic</type> + <name>Forward Zone Configuration </name> + <fieldname>temp04</fieldname> + </field> + <field> + <fielddescr>Forwarders</fielddescr> + <fieldname>forwarders</fieldname> + <description>Enter forwarders IPs for this domain. Separate by semi-colons (;).</description> + <type>input</type> + <size>70</size> + </field> + + <field> + <type>listtopic</type> + <name>Master Zone Configuration </name> + <fieldname>temp03</fieldname> + </field> + <field> + <fielddescr>TLL</fielddescr> + <fieldname>tll</fieldname> + <description>Default expiration time of all resource records without their own TTL value</description> + <type>input</type> + </field> + <field> + <fielddescr>Name Server</fielddescr> + <fieldname>nameserver</fieldname> + <description>Enter nameserver for this zone</description> + <type>input</type> + </field> + <field> + <fielddescr>Base Domain ip</fielddescr> + <fieldname>ipns</fieldname> + <description>Enter ip address for base domain lookup. Ex: nslookup mydomain.com</description> + <type>input</type> + </field> + <field> + <fielddescr>Mail Admin Zone</fielddescr> + <fieldname>mail</fieldname> + <description>Enter mail admin zone.</description> + <type>input</type> + </field> + <field> + <fielddescr>Serial</fielddescr> + <fieldname>serial</fieldname> + <description>Parsed value for the slave to update the DNS Zone</description> + <type>input</type> + </field> + <field> + <fielddescr>Refresh</fielddescr> + <fieldname>refresh</fieldname> + <description>Slave refresh (1 day)</description> + <type>input</type> + <default_value>1d</default_value> + </field> + <field> + <fielddescr>Retry</fielddescr> + <fieldname>retry</fieldname> + <description>Slave retry time in case of a problem (2 hours)</description> + <type>input</type> + <default_value>2h</default_value> + </field> + <field> + <fielddescr>Expire</fielddescr> + <fieldname>expire</fieldname> + <description>Slave expiration time (4 weeks)</description> + <type>input</type> + <default_value>4w</default_value> + </field> + <field> + <fielddescr>Minimum</fielddescr> + <fieldname>minimum</fieldname> + <description>Maximum caching time in case of failed lookups (1 hour)</description> + <type>input</type> + <default_value>1h</default_value> + </field> + <field> + <fielddescr>Allow-update</fielddescr> + <fieldname>allowupdate</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to send updates to this zone.<br> + Allow-update defines a match list eg IP address(es) that are allowed to submit dynamic updates for 'master' zones ie it enables Dynamic DNS (DDNS).]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-query</fielddescr> + <fieldname>allowquery</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to query this zone.<br> + Allow-query defines an match list of IP address(es) which are allowed to issue queries to the server.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <fielddescr>Allow-transfer</fielddescr> + <fieldname>allowtransfer</fieldname> + <description><![CDATA[Select(CTRL+click) who are allowed to copy this zone.<br> + Allow-transfer defines a match list eg IP address(es) that are allowed to transfer (copy) the zone information from the server (master or slave for the zone). While on its face this may seem an excessively friendly default, DNS data is essentially public (that's why its there) and the bad guys can get all of it anyway. However if the thought of anyone being able to transfer your precious zone file is repugnant, or (and this is far more significant) you are concerned about possible DoS attack initiated by XFER requests, then use the following policy.]]></description> + <type>select_source</type> + <source><![CDATA[$config['installedpackages']['bindacls']['config']]]></source> + <source_name>name</source_name> + <source_value>name</source_value> + <multiple/> + <size>03</size> + </field> + <field> + <type>listtopic</type> + <name>Zone Domain records</name> + <fieldname>temp02</fieldname> + </field> + <field> + <fielddescr>Enter Domain records.</fielddescr> + <description><![CDATA[<b>"Record"</b> is the name or last octec of ip. Sample: www or pop<br> + <b>"Type"</b> is the type of the record Sample: A CNAME MX NS<br> + <b>"Priority"</b> in used only in mx records to define its priority<br> + <b>"Alias or IP address"</b> is the destination host or ip address.<br><br> + You can order elements on this list with drag and drop between columns.]]></description> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Record</fielddescr> + <fieldname>hostname</fieldname> + <description>Enter the Host Name (ex: www)</description> + <type>input</type> + <size>10</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Type</fielddescr> + <fieldname>hosttype</fieldname> + <description>Select Type Host</description> + <type>select</type> + <options> + <option><name>A</name><value>A</value></option> + <option><name>AAAA</name><value>AAAA</value></option> + <option><name>DNAME</name><value>DNAME</value></option> + <option><name>MX</name><value>MX</value></option> + <option><name>CNAME</name><value>CNAME</value></option> + <option><name>NS</name><value>NS</value></option> + <option><name>LOC</name><value>LOC</value></option> + <option><name>SRV</name><value>SRV</value></option> + <option><name>PTR</name><value>PTR</value></option> + <option><name>TXT</name><value>TXT</value></option> + <option><name>SPF</name><value>SPF</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Priority</fielddescr> + <fieldname>hostvalue</fieldname> + <description>MX 10 or 20</description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Alias or IP address</fielddescr> + <fieldname>hostdst</fieldname> + <description>Enter the IP address or CNAME destination for Domain (ex: 10.31.11.1 or mail.example.com)</description> + <type>input</type> + <size>35</size> + </rowhelperfield> + <movable>on</movable> + </rowhelper> + </field> + <field> + <fieldname>regdhcpstatic</fieldname> + <fielddescr>Register DHCP static mappings</fielddescr> + <description>If this option is set, then DHCP static mappings will be registered in DNS, so that their name can be resolved.</description> + <type>checkbox</type> + </field> + <field> + <type>listtopic</type> + <name>Custom Zone Domain records</name> + <fieldname>temp02</fieldname> + </field> + <field> + <fielddescr></fielddescr> + <fieldname>customzonerecords</fieldname> + <description><![CDATA[Paste any custom zone records to include on this zone.<br> + This can be used for a fast migration setup.]]></description> + <type>textarea</type> + <cols>84</cols> + <rows>10</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + <field> + <type>listtopic</type> + <name>Resulting Zone config file</name> + </field> + <field> + <fielddescr></fielddescr> + <fieldname>resultconfig</fieldname> + <description>Resulting bind config file for this zone.</description> + <type>textarea</type> + <cols>84</cols> + <rows>15</rows> + <encoding>base64</encoding> + <dontdisplayname/> + <usecolspan2/> + </field> + </fields> + <custom_php_after_form_command> + bind_print_javascript_type_zone2(); + </custom_php_after_form_command> + <custom_php_after_head_command> + bind_print_javascript_type_zone(); + </custom_php_after_head_command> + <custom_php_command_before_form> + </custom_php_command_before_form> + <custom_php_validation_command> + if ($_POST['type']=="master") + $_POST['serial']=(date("U")+ 1000000000); + bind_zone_validate($_POST, &$input_errors); + </custom_php_validation_command> + <custom_delete_php_command> + bind_sync(); + </custom_delete_php_command> + <custom_php_resync_config_command> + bind_sync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/bind/pkg_bind.inc b/config/bind/pkg_bind.inc new file mode 100644 index 00000000..3ed3351d --- /dev/null +++ b/config/bind/pkg_bind.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['bind'] = array(); +$shortcuts['bind']['main'] = "pkg_edit.php?xml=bind.xml"; +$shortcuts['bind']['log'] = "diag_logs_resolver.php"; +$shortcuts['bind']['status'] = "status_services.php"; +$shortcuts['bind']['service'] = "named"; + +?> diff --git a/config/blinkled/blinkled.xml b/config/blinkled/blinkled.xml index b23c4dfc..d1141dbd 100644 --- a/config/blinkled/blinkled.xml +++ b/config/blinkled/blinkled.xml @@ -20,6 +20,7 @@ <name>blinkled</name> <rcfile>blinkled.sh</rcfile> <executable>blinkled</executable> + <description>Blinks LEDs to indicate network activity</description> </service> <fields> <field> diff --git a/config/blinkled8/blinkled.inc b/config/blinkled8/blinkled.inc index d50cc022..f466da94 100644 --- a/config/blinkled8/blinkled.inc +++ b/config/blinkled8/blinkled.inc @@ -1,10 +1,36 @@ <?php require_once("functions.inc"); +function blinkled_rcfile() { + global $config; + $blinkled_config = $config['installedpackages']['blinkled']['config'][0]; + $stop = <<<EOD +if [ `/bin/pgrep blinkled | /usr/bin/wc -l` != 0 ]; then + /usr/bin/killall -9 blinkled + while [ `/bin/pgrep blinkled | /usr/bin/wc -l` != 0 ]; do + sleep 1 + done + fi +EOD; + + $start = "{$stop}\n"; + if (($blinkled_config['enable_led2']) && ($blinkled_config['iface_led2'])) + $start .= "\t" . blinkled_launch(convert_friendly_interface_to_real_interface_name($blinkled_config['iface_led2']), 2, true) . "\n"; + if (($blinkled_config['enable_led3']) && ($blinkled_config['iface_led3'])) + $start .= "\t" . blinkled_launch(convert_friendly_interface_to_real_interface_name($blinkled_config['iface_led3']), 3, true) . "\n"; + + conf_mount_rw(); + write_rcfile(array( + 'file' => 'blinkled.sh', + 'start' => $start, + 'stop' => $stop) + ); + conf_mount_ro(); +} + function blinkled_running () { return ((int)exec('pgrep blinkled | wc -l') > 0); } - function sync_package_blinkled() { global $config; $blinkled_config = $config['installedpackages']['blinkled']['config'][0]; @@ -16,10 +42,15 @@ function sync_package_blinkled() { if(!blinkled_running()) { blinkled_start(); } + blinkled_rcfile(); } -function blinkled_launch($int, $led) { - mwexec("/usr/local/bin/blinkled -i " . escapeshellarg($int) . " -l /dev/led/led" . escapeshellarg($led)); +function blinkled_launch($int, $led, $return = false) { + $cmd = "/usr/local/bin/blinkled -i " . escapeshellarg($int) . " -l " . escapeshellarg("/dev/led/led{$led}"); + if ($return) + return $cmd; + else + mwexec($cmd); } function blinkled_start() { diff --git a/config/blinkled8/blinkled.xml b/config/blinkled8/blinkled.xml index 310d3810..5fb5ff7c 100644 --- a/config/blinkled8/blinkled.xml +++ b/config/blinkled8/blinkled.xml @@ -2,7 +2,7 @@ <packagegui> <title>Interfaces: Assign LEDs</title> <name>blinkled</name> - <version>20090710</version> + <version>0.4</version> <savetext>Save</savetext> <include_file>/usr/local/pkg/blinkled.inc</include_file> <menu> @@ -25,6 +25,7 @@ <name>blinkled</name> <rcfile>blinkled.sh</rcfile> <executable>blinkled</executable> + <description>Blinks LEDs to indicate network activity</description> </service> <fields> <field> diff --git a/config/cron/cron.inc b/config/cron/cron.inc index 88388b3c..2fe9cf57 100644 --- a/config/cron/cron.inc +++ b/config/cron/cron.inc @@ -81,8 +81,8 @@ function cron_install_command() write_rcfile(array( "file" => "cron.sh", - "start" => "/usr/sbin/cron -s &", - "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid;" + "start" => "[ `/bin/pgrep -f 'cron -s' | wc -l` -eq 0 ] && /usr/sbin/cron -s &", + "stop" => "[ -f \"/var/run/cron.pid\" ] && kill -9 `cat /var/run/cron.pid`; rm -f /var/run/cron.pid; /bin/pkill -f 'cron -s'" ) ); diff --git a/config/cron/cron.xml b/config/cron/cron.xml index 4110090f..71e524b3 100644 --- a/config/cron/cron.xml +++ b/config/cron/cron.xml @@ -55,7 +55,7 @@ <name>cron</name> <rcfile>cron.sh</rcfile> <executable>cron</executable> - <description>The cron utility is used to manage commands on a schedule.</description> + <description>Scheduled commands daemon</description> </service> <tabs> <tab> diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index 7f8f2cca..ad6e6482 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -185,6 +185,7 @@ function sync_package_dansguardian($via_rpc="no",$install_process=false) { $icapscan=(preg_match('/icapscan/',$dansguardian_config['content_scanners'])?"on":"off"); $contentscannertimeout=($dansguardian_config['contentscannertimeout']?$dansguardian_config['contentscannertimeout']:"60"); $contentscanexceptions=($dansguardian_config['contentscanexceptions']?"on":"off"); + $icapurl=($dansguardian_config['icapurl']?$dansguardian_config['icapurl']:"icap://icapserver:1344/avscan"); $recheckreplacedurls=(preg_match('/recheckreplacedurls/',$dansguardian_config['misc_options'])?"on":"off"); $forwardedfor=(preg_match('/forwardedfor/',$dansguardian_config['misc_options'])?"on":"off"); $recheckreplacedurls=(preg_match('/icapscan/',$dansguardian_config['misc_options'])?"on":"off"); @@ -975,6 +976,7 @@ EOF; $filterip=($filterip==""?"filterip = ":$filterip); $filterports=($filterports==""?"filterports = $filterport":$filterports); include("/usr/local/pkg/dansguardian.conf.template"); + include("/usr/local/pkg/icapscan.conf.template"); #check cron_tab $new_cron=array(); @@ -1112,6 +1114,7 @@ EOF; #create config files file_put_contents($dansguardian_dir."/dansguardian.conf", $dg, LOCK_EX); + file_put_contents($dansguardian_dir."/contentscanners/icapscan.conf", $icapconf, LOCK_EX); #check virus_scanner options $libexec_dir= DANSGUARDIAN_DIR."/libexec/dansguardian/"; diff --git a/config/dansguardian/dansguardian.xml b/config/dansguardian/dansguardian.xml index 34d4156c..e0cb58fd 100644 --- a/config/dansguardian/dansguardian.xml +++ b/config/dansguardian/dansguardian.xml @@ -184,6 +184,11 @@ <chmod>0755</chmod> </additional_files_needed> <additional_files_needed> + <item>http://www.pfsense.org/packages/config/dansguardian/icapscan.conf.template</item> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + </additional_files_needed> + <additional_files_needed> <item>http://www.pfsense.org/packages/config/dansguardian/dansguardian_rc.template</item> <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> diff --git a/config/dansguardian/dansguardian_config.xml b/config/dansguardian/dansguardian_config.xml index 35b0bf5b..342b52d7 100644 --- a/config/dansguardian/dansguardian_config.xml +++ b/config/dansguardian/dansguardian_config.xml @@ -274,7 +274,7 @@ </field> <field> <fielddescr>ICAP URL</fielddescr> - <fieldname>contentscannertimeout</fieldname> + <fieldname>icapurl</fieldname> <type>input</type> <size>40</size> <description><![CDATA[Enter ICAP URL in <strong>icap://icapserver:1344/avscan</strong> format<br> diff --git a/config/dansguardian/dansguardian_ips_header.template b/config/dansguardian/dansguardian_ips_header.template index 48eb3e68..be4f28de 100644 --- a/config/dansguardian/dansguardian_ips_header.template +++ b/config/dansguardian/dansguardian_ips_header.template @@ -63,8 +63,8 @@ <url>/pkg_edit.php?xml=dansguardian_blacklist.xml&id=0</url> </tab> <tab> - <text>Access Lists</text> - <url>/pkg_edit.php?xml=dansguardian_site_acl.xml&id=0</url> + <text>ACLs</text> + <url>/pkg.php?xml=dansguardian_site_acl.xml</url> </tab> <tab> <text>LDAP</text> @@ -111,4 +111,4 @@ <rows>12</rows> <encoding>base64</encoding> </field> -
\ No newline at end of file + diff --git a/config/dansguardian/icapscan.conf.template b/config/dansguardian/icapscan.conf.template new file mode 100755 index 00000000..b4289dc1 --- /dev/null +++ b/config/dansguardian/icapscan.conf.template @@ -0,0 +1,16 @@ +<?php + $icapconf=<<<EOF +plugname = 'icapscan' + +# ICAP URL +# Use hostname rather than IP address +# Always specify the port +# +icapurl = '{$icapurl}' + +exceptionvirusmimetypelist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusmimetypelist' +exceptionvirusextensionlist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusextensionlist' +exceptionvirussitelist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirussitelist' +exceptionvirusurllist = '/usr/pbi/dansguardian-amd64/etc/dansguardian/lists/contentscanners/exceptionvirusurllist' +EOF; +?> diff --git a/config/darkstat/darkstat.xml b/config/darkstat/darkstat.xml index c90b33cd..3263012b 100644 --- a/config/darkstat/darkstat.xml +++ b/config/darkstat/darkstat.xml @@ -58,6 +58,7 @@ <name>darkstat</name> <rcfile>darkstat.sh</rcfile> <executable>darkstat</executable> + <description>Darkstat bandwidth monitoring daemon</description> </service> <tabs> <tab> diff --git a/config/freeradius2/freeradius.inc b/config/freeradius2/freeradius.inc index bf48dd06..a18872fc 100644 --- a/config/freeradius2/freeradius.inc +++ b/config/freeradius2/freeradius.inc @@ -2971,6 +2971,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap1 $varmodulesldapserver = ($arrmodulesldap['varmodulesldapserver']?$arrmodulesldap['varmodulesldapserver']:'ldap.your.domain'); + $varmodulesldapserverport = ($arrmodulesldap['varmodulesldapserverport']?$arrmodulesldap['varmodulesldapserverport']:'389'); $varmodulesldapidentity = ($arrmodulesldap['varmodulesldapidentity']?$arrmodulesldap['varmodulesldapidentity']:'cn=admin,o=My Org,c=UA'); $varmodulesldappassword = ($arrmodulesldap['varmodulesldappassword']?$arrmodulesldap['varmodulesldappassword']:'mypass'); $varmodulesldapbasedn = ($arrmodulesldap['varmodulesldapbasedn']?$arrmodulesldap['varmodulesldapbasedn']:'o=My Org,c=UA'); @@ -2983,6 +2984,7 @@ function freeradius_modulesldap_resync() { // Variables for General Configuration ldap2 $varmodulesldap2server = ($arrmodulesldap['varmodulesldap2server']?$arrmodulesldap['varmodulesldap2server']:'ldap.your.domain'); + $varmodulesldap2serverport = ($arrmodulesldap['varmodulesldap2serverport']?$arrmodulesldap['varmodulesldap2serverport']:'389'); $varmodulesldap2identity = ($arrmodulesldap['varmodulesldap2identity']?$arrmodulesldap['varmodulesldap2identity']:'cn=admin,o=My Org,c=UA'); $varmodulesldap2password = ($arrmodulesldap['varmodulesldap2password']?$arrmodulesldap['varmodulesldap2password']:'mypass'); $varmodulesldap2basedn = ($arrmodulesldap['varmodulesldap2basedn']?$arrmodulesldap['varmodulesldap2basedn']:'o=My Org,c=UA'); @@ -3237,6 +3239,7 @@ ldap { # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldapserver" + port = "$varmodulesldapserverport" identity = "$varmodulesldapidentity" password = $varmodulesldappassword basedn = "$varmodulesldapbasedn" @@ -3290,7 +3293,7 @@ ldap { # Certificate Verification requirements. Can be: # "never" (don't even bother trying) - # "allow" (try, but don't fail if the cerificate + # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # @@ -3396,6 +3399,7 @@ ldap ldap2{ # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "$varmodulesldap2server" + port = "$varmodulesldap2serverport" identity = "$varmodulesldap2identity" password = $varmodulesldap2password basedn = "$varmodulesldap2basedn" @@ -3449,7 +3453,7 @@ ldap ldap2{ # Certificate Verification requirements. Can be: # "never" (don't even bother trying) - # "allow" (try, but don't fail if the cerificate + # "allow" (try, but don't fail if the certificate # can't be verified) # "demand" (fail if the certificate doesn't verify.) # diff --git a/config/freeradius2/freeradiusmodulesldap.xml b/config/freeradius2/freeradiusmodulesldap.xml index c7b5e79d..5abe85cb 100644 --- a/config/freeradius2/freeradiusmodulesldap.xml +++ b/config/freeradius2/freeradiusmodulesldap.xml @@ -127,6 +127,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldapserverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldapidentity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> @@ -377,7 +385,7 @@ <description><![CDATA[Choose how the certs should be checked:<br><br> <b>never: </b>don't even bother trying<br> - <b>allow: </b>try but don't fail if the cerificate can't be verified<br> + <b>allow: </b>try but don't fail if the certificate can't be verified<br> <b>demand: </b>fail if the certificate doesn't verify]]></description> <type>select</type> <default_value>never</default_value> @@ -438,6 +446,14 @@ <default_value>ldap.your.domain</default_value> </field> <field> + <fielddescr>Port</fielddescr> + <fieldname>varmodulesldap2serverport</fieldname> + <description><![CDATA[No description. (Default: 389 )]]></description> + <type>input</type> + <size>80</size> + <default_value>389</default_value> + </field> + <field> <fielddescr>Identity</fielddescr> <fieldname>varmodulesldap2identity</fieldname> <description><![CDATA[No description. (Default: cn=admin,o=My Org,c=UA )]]></description> diff --git a/config/git/git.xml b/config/git/git.xml new file mode 100644 index 00000000..6c5254ae --- /dev/null +++ b/config/git/git.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 + All rights reserved. +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>git</description> + <requirements>None</requirements> + <faq></faq> + <name>git</name> + <version>0.0</version> + <title>git</title> +</packagegui>
\ No newline at end of file diff --git a/config/gwled/gwled.xml b/config/gwled/gwled.xml index f1d065a2..35df41ee 100644 --- a/config/gwled/gwled.xml +++ b/config/gwled/gwled.xml @@ -25,6 +25,7 @@ <name>gwled</name> <rcfile>gwled.sh</rcfile> <executable>gwled</executable> + <description>Gateway LED Indicator Daemon</description> </service> <fields> <field> diff --git a/config/haproxy-devel/haproxy.inc b/config/haproxy-devel/haproxy.inc index f8434327..912f1fb3 100644 --- a/config/haproxy-devel/haproxy.inc +++ b/config/haproxy-devel/haproxy.inc @@ -31,9 +31,7 @@ require_once("functions.inc"); require_once("pkg-utils.inc"); require_once("notices.inc"); - -global $haproxy_sni_ssloffloading; -$haproxy_sni_ssloffloading=true;// can only be used with recent 1.5-dev17 builds. +require_once("haproxy_xmlrpcsyncclient.inc"); $d_haproxyconfdirty_path = $g['varrun_path'] . "/haproxy.conf.dirty"; @@ -62,10 +60,9 @@ $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', 'mode' => '', 'syntax' => 'src %1$s'); $a_acltypes[] = array('name' => 'backendservercount', 'descr' => 'Minimum count usable servers', 'mode' => '', 'syntax' => 'nbsrv(%2$s) ge %1$d', 'parameters' => 'value,backendname'); -if ($haproxy_sni_ssloffloading) { - $a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', - 'mode' => 'https', 'syntax' => 'req_ssl_sni -i %1$s', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); -} +// 'ssl_sni_matches' was added in HAProxy1.5dev17 +$a_acltypes[] = array('name' => 'ssl_sni_matches', 'descr' => 'Server Name Indication TLS extension matches', + 'mode' => 'https', 'syntax' => 'req_ssl_sni -i %1$s', 'advancedoptions' => "tcp-request inspect-delay 5s\n\ttcp-request content accept if { req_ssl_hello_type 1 }"); $a_checktypes['none'] = array('name' => 'none', 'syntax' => '', 'descr' => 'No health checks will be performed.'); @@ -73,7 +70,7 @@ $a_checktypes['Basic'] = array('name' => 'Basic', 'syntax' => '', 'descr' => 'Basic socket connection check'); $a_checktypes['HTTP'] = array('name' => 'HTTP', 'syntax' => 'httpchk', 'descr' => 'HTTP protocol to check on the servers health, can also be used for HTTPS servers(requirs checking the SSL box for the servers).', 'parameters' => "uri,method,version"); -/* 'Agent' was added in HAProxy1.5dev18 */ +// 'Agent' was added in HAProxy1.5dev18 $a_checktypes['Agent'] = array('name' => 'Agent', 'syntax' => 'lb-agent-chk', 'usedifferenport' => 'yes', 'descr' => 'Use a TCP connection to read an ASCII string of the form 100%,75%,drain,down (others in haproxy manual)'); $a_checktypes['LDAP'] = array('name' => 'LDAP', 'syntax' => 'ldap-check', @@ -99,6 +96,15 @@ $a_httpcheck_method['PUT'] = array('name' => 'PUT', 'syntax' => 'PUT'); $a_httpcheck_method['DELETE'] = array('name' => 'DELETE', 'syntax' => 'DELETE'); $a_httpcheck_method['TRACE'] = array('name' => 'TRACE', 'syntax' => 'TRACE'); +$a_closetypes['none'] = array('name' => 'none', 'syntax' => '', + 'descr' => 'No close headers will be changed.'); +$a_closetypes['httpclose'] = array('name' => 'httpclose', 'syntax' => 'httpclose', + 'descr' => 'The "httpclose" option removes any "Connection" header both ways, and adds a "Connection: close" header in each direction. This makes it easier to disable HTTP keep-alive than the previous 4-rules block.'); +$a_closetypes['http-server-close'] = array('name' => 'http-server-close', 'syntax' => 'http-server-close', + 'descr' => 'By default, when a client communicates with a server, HAProxy will only analyze, log, and process the first request of each connection. Setting "option http-server-close" enables HTTP connection-close mode on the server side while keeping the ability to support HTTP keep-alive and pipelining on the client side. This provides the lowest latency on the client side (slow network) and the fastest session reuse on the server side to save server resources.'); +$a_closetypes['forceclose'] = array('name' => 'forceclose', 'syntax' => 'forceclose', + 'descr' => 'Some HTTP servers do not necessarily close the connections when they receive the "Connection: close" set by "option httpclose", and if the client does not close either, then the connection remains open till the timeout expires. This causes high number of simultaneous connections on the servers and shows high global session times in the logs. Note that this option also enables the parsing of the full request and response, which means we can close the connection to the server very quickly, releasing some resources earlier than with httpclose.'); + function haproxy_custom_php_deinstall_command() { exec("cd /var/db/pkg && pkg_delete `ls | grep haproxy`"); exec("rm /usr/local/pkg/haproxy.inc"); @@ -197,6 +203,7 @@ EOD; fclose($fd); exec("/etc/rc.d/devd restart"); + $writeconfigupdate = false; /* Do XML upgrade from haproxy 0.31 to haproxy-dev */ if (is_array($config['installedpackages']['haproxy']['ha_servers'])) { /* We have an old config */ @@ -240,7 +247,7 @@ EOD; $a_pools[] = $pool; } unset($config['installedpackages']['haproxy']['ha_servers']); - write_config(); + $writeconfigupdate = true; } /* XML update to: pkg v1.3 and 'pool' changed to 'backend_serverpool' because 'pool' was added to listtags() in xmlparse.inc */ @@ -252,7 +259,7 @@ EOD; $frontend['backend_serverpool'] = $backend_serverpool; unset($frontend['pool']); } - write_config(); + $writeconfigupdate = true; } //also move setting for existing 2.0 installations as only the new variable is used if (isset($config['installedpackages']['haproxy']['ha_backends']['item'][0]['pool'])) @@ -263,9 +270,21 @@ EOD; $frontend['backend_serverpool'] = $backend_serverpool; unset($frontend['pool']); } - write_config(); + $writeconfigupdate = true; } - + // update config to "haproxy-devel 1.5-dev19 pkg v0.5" + $a_backends = &$config['installedpackages']['haproxy']['ha_backends']['item']; + if(is_array($a_backends)) { + foreach ($a_backends as &$bind) { + if($bind['httpclose'] && $bind['httpclose'] == "yes" ) { + $bind['httpclose'] = "httpclose"; + $writeconfigupdate = true; + } + } + } + if ($writeconfigupdate) + write_config("haproxy, update xml config version"); + conf_mount_ro(); exec("/usr/local/etc/rc.d/haproxy.sh start"); @@ -299,7 +318,7 @@ function haproxy_install_cron($should_install) { $cron_item['command'] = "/usr/local/etc/rc.d/haproxy.sh check"; $config['cron']['item'][] = $cron_item; parse_config(true); - write_config(); + write_config("haproxy, install cron CARP job"); configure_cron(); } break; @@ -308,7 +327,7 @@ function haproxy_install_cron($should_install) { if($x > 0) { unset($config['cron']['item'][$x]); parse_config(true); - write_config(); + write_config("haproxy, remove cron CARP job"); } configure_cron(); } @@ -318,34 +337,6 @@ function haproxy_install_cron($should_install) { function haproxy_find_acl($name) { global $a_acltypes; - - /* XXX why is this broken from xmlsync? */ - if (!$a_acltypes) { - $a_acltypes = array(); - $a_acltypes[] = array('name' => 'host_starts_with', 'descr' => 'Host starts with', - 'mode' => 'http', 'syntax' => 'hdr_beg(host) -i'); - $a_acltypes[] = array('name' => 'host_ends_with', 'descr' => 'Host ends with', - 'mode' =>'http', 'syntax' => 'hdr_end(host) -i'); - $a_acltypes[] = array('name' => 'host_matches', 'descr' => 'Host matches', - 'mode' =>'http', 'syntax' => 'hdr(host) -i'); - $a_acltypes[] = array('name' => 'host_regex', 'descr' => 'Host regex', - 'mode' =>'http', 'syntax' => 'hdr_reg(host) -i'); - $a_acltypes[] = array('name' => 'host_contains', 'descr' => 'Host contains', - 'mode' => 'http', 'syntax' => 'hdr_dir(host) -i'); - $a_acltypes[] = array('name' => 'path_starts_with', 'descr' => 'Path starts with', - 'mode' => 'http', 'syntax' => 'path_beg -i'); - $a_acltypes[] = array('name' => 'path_ends_with', 'descr' => 'Path ends with', - 'mode' => 'http', 'syntax' => 'path_end -i'); - $a_acltypes[] = array('name' => 'path_matches', 'descr' => 'Path matches', - 'mode' => 'http', 'syntax' => 'path -i'); - $a_acltypes[] = array('name' => 'path_regex', 'descr' => 'Path regex', - 'mode' => 'http', 'syntax' => 'path_reg -i'); - $a_acltypes[] = array('name' => 'path_contains', 'descr' => 'Path contains', - 'mode' => 'http', 'syntax' => 'path_dir -i'); - $a_acltypes[] = array('name' => 'source_ip', 'descr' => 'Source IP', - 'mode' => '', 'syntax' => 'src'); - } - if($a_acltypes) { foreach ($a_acltypes as $acl) { if ($acl['name'] == $name) @@ -610,31 +601,28 @@ function haproxy_writeconf($configfile) { $bname = get_frontend_ipport($backend); - if ($backend['extaddr']=='localhost') - $backend['extaddr'] = "127.0.0.1"; - if (!is_array($a_bind[$bname])) { $a_bind[$bname] = array(); $a_bind[$bname]['config'] = array(); - // Settings which are constant for a merged frontend - $a_bind[$bname]['name'] = $backend['name']; - $a_bind[$bname]['extaddr'] = $backend['extaddr']; - $a_bind[$bname]['port'] = $backend['port']; + // Settings which are used only from the primary frontend + $primaryfrontend = get_primaryfrontend($backend); + $a_bind[$bname]['name'] = $primaryfrontend['name']; + $a_bind[$bname]['extaddr'] = $primaryfrontend['extaddr']; + $a_bind[$bname]['port'] = $primaryfrontend['port']; + $a_bind[$bname]['type'] = $primaryfrontend['type']; + $a_bind[$bname]['forwardfor'] = $primaryfrontend['forwardfor']; + $a_bind[$bname]['httpclose'] = $primaryfrontend['httpclose']; + $a_bind[$bname]['max_connections'] = $primaryfrontend['max_connections']; + $a_bind[$bname]['client_timeout'] = $primaryfrontend['client_timeout']; + $a_bind[$bname]['advanced'] = $primaryfrontend['advanced']; + $a_bind[$bname]['ssloffload'] = $primaryfrontend['ssloffload']; + $a_bind[$bname]['advanced_bind'] = $primaryfrontend['advanced_bind']; } $b = &$a_bind[$bname]; - // Overwrite ? - if ($backend['secondary'] != 'yes') { - if (isset($b['type'])) + if (($backend['secondary'] != 'yes') && ($backend['name'] != $b['name'])) { + // only 1 frontend can be the primary for a set of frontends that share 1 address:port. $input_errors[] = "Multiple primary frondends for $bname"; - $b['type'] = $backend['type']; - $b['forwardfor'] = $backend['forwardfor']; - $b['httpclose'] = $backend['httpclose']; - $b['max_connections'] = $backend['max_connections']; - $b['client_timeout'] = $backend['client_timeout']; - $b['advanced'] = $backend['advanced']; - $b['ssloffload'] = $backend['ssloffload']; - $b['advanced_bind'] = $backend['advanced_bind']; } if ($ssl_crt != "") { @@ -706,8 +694,8 @@ function haproxy_writeconf($configfile) { if ($backend_type == 'http') { - if($bind['httpclose']) - fwrite ($fd, "\toption\t\t\thttpclose\n"); + if($bind['httpclose'] && $bind['httpclose'] != "none" ) + fwrite ($fd, "\toption\t\t\t{$bind['httpclose']}\n"); if($bind['forwardfor']) { fwrite ($fd, "\toption\t\t\tforwardfor\n"); @@ -742,7 +730,7 @@ function haproxy_writeconf($configfile) { $poolname .= "_" . $bconfig['svrport']; // Write this out once, and must be before any backend config text - if ($default_backend = "" || $bconfig['secondary'] != 'yes') { + if ($default_backend == "" || $bconfig['secondary'] != 'yes') { $default_backend = $poolname; } @@ -808,29 +796,18 @@ function haproxy_writeconf($configfile) { } fwrite ($fd, "\n"); - // Sync HAProxy configuration (if enabled) - if(isset($config['installedpackages']['haproxy']['enablesync'])) { - if($config['installedpackages']['haproxy']['synchost1']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost1'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost2']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost2'], - $config['installedpackages']['haproxy']['syncpassword']); - } - if($config['installedpackages']['haproxy']['synchost3']) { - haproxy_do_xmlrpc_sync($config['installedpackages']['haproxy']['synchost3'], - $config['installedpackages']['haproxy']['syncpassword']); - } - } - - // create config file + // close config file fclose($fd); if ($input_errors) { require_once("guiconfig.inc"); print_input_errors($input_errors); + } else { + // Only sync to xmlrpc backup machine if no errors are found in config + if(isset($config['installedpackages']['haproxy']['enablesync'])) { + haproxy_do_xmlrpc_sync(); + } } if (isset($a_global['carpdev'])) @@ -996,117 +973,46 @@ function killprocesses($processname, $pidfile, $signal = "KILL") { exec("kill -$signal `pgrep -x $processname | grep -w -f $pidfile`"); } -function haproxy_do_xmlrpc_sync($sync_to_ip, $password) { - global $config, $g; - - if(!$password) - return; - - if(!$sync_to_ip) - return; +function haproxy_sync_xmlrpc_settings() { + global $config; + // preserve 'old' sync settings, that should not be overwritten by xmlrpc-sync. + $enable = isset($config['installedpackages']['haproxy']['enablesync']); - // Do not allow syncing to self. - $donotsync = false; - $lanip = find_interface_ip($config['interfaces']['lan']['if']); - if($lanip == $sync_to_ip) - $donotsync = true; - $wanip = find_interface_ip($config['interfaces']['wan']['if']); - if($wanip == $sync_to_ip) - $donotsync = true; - for ($j = 1; isset($config['interfaces']['opt' . $j]); $j++) { - $optip = find_interface_ip($config['interfaces']['opt' . $j]['if']); - if($optip == $sync_to_ip) - $donotsync = true; - } - if($donotsync) { - log_error("Disallowing sync loop for HAProxy sync."); - return; - } + $config['installedpackages']['haproxy'] = $config['installedpackages']['haproxysyncpkg']; + unset($config['installedpackages']['haproxysyncpkg']); + + // restore 'old' settings. + $config['installedpackages']['haproxy']['enablesync'] = $enable ? true : false; + + write_config("haproxy, xmlrpc config synced"); // Write new 'merged' configuration +} - $xmlrpc_sync_neighbor = $sync_to_ip; - if($config['system']['webgui']['protocol'] != "") { - $synchronizetoip = $config['system']['webgui']['protocol']; - $synchronizetoip .= "://"; - } - $port = $config['system']['webgui']['port']; - /* if port is empty lets rely on the protocol selection */ - if($port == "") { - if($config['system']['webgui']['protocol'] == "http") - $port = "80"; - else - $port = "443"; - } - $synchronizetoip .= $sync_to_ip; +function haproxy_do_xmlrpc_sync() { + $syncinfo = array(); + $syncinfo['sync_logname'] = "HAProxy"; + $syncinfo['data'] = haproxy_xmlrpc_sync_prepare_config(); + $syncinfo['sync_include'] = "/usr/local/pkg/haproxy.inc"; + $syncinfo['sync_done_execute'] = "haproxy_xmlrpc_sync_configure"; + xmlrpc_sync_execute($syncinfo); +} +function haproxy_xmlrpc_sync_prepare_config() { /* xml will hold the sections to sync */ + global $config; $xml = array(); - $xml['haproxy'] = $config['installedpackages']['haproxy']; - - // Prevent sync loops - unset($xml['synchost1']); - unset($xml['synchost2']); - unset($xml['synchost3']); - unset($xml['syncpassword']); - - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($xml) - ); - - /* set a few variables needed for sync code borrowed from filter.inc */ - $url = $synchronizetoip; - log_error("Beginning HAProxy XMLRPC sync to {$url}:{$port}."); - $method = 'pfsense.merge_installedpackages_section_xmlrpc'; - $msg = new XML_RPC_Message($method, $params); - $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - if($g['debug']) - $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); - if(!$resp) { - $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port}."; - log_error($error); - file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); - } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, "250"); - $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); - } else { - log_error("HAProxy XMLRPC sync successfully completed with {$url}:{$port}."); - } + $xml['haproxysyncpkg'] = $config['installedpackages']['haproxy']; + return $xml; +} - /* tell haproxy to reload our settings on the destionation sync host. */ - $method = 'pfsense.exec_php'; - $execcmd = "require_once('/usr/local/pkg/haproxy.inc');\n"; - $execcmd .= "haproxy_configure();\n"; +function haproxy_xmlrpc_sync_configure() { + // this function is called by xmlrpc after config has been synced. - /* assemble xmlrpc payload */ - $params = array( - XML_RPC_encode($password), - XML_RPC_encode($execcmd) - ); - - log_error("HAProxy XMLRPC reload data {$url}:{$port}."); - $msg = new XML_RPC_Message($method, $params); - $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); - if(!$resp) { - $error = "A communications error occurred while attempting HAProxy XMLRPC sync with {$url}:{$port} (exec_php)."; - log_error($error); - file_notice("sync_settings", $error, "HAProxy Settings Reload", ""); - } elseif($resp->faultCode()) { - $cli->setDebug(1); - $resp = $cli->send($msg, "250"); - $error = "An error code was received while attempting HAProxy XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); - log_error($error); - file_notice("sync_settings", $error, "HAProxy Settings Sync", ""); - } else { - log_error("HAProxy XMLRPC reload data success with {$url}:{$port} (exec_php)."); + haproxy_sync_xmlrpc_settings(); + haproxy_configure(); // Configure HAProxy config files to use the new configuration. + + // sync 2nd and further nodes in the chain if applicable. + if(isset($config['installedpackages']['haproxy']['enablesync'])) { + haproxy_do_xmlrpc_sync(); } } @@ -1123,20 +1029,27 @@ function get_frontend_id($name) { return null; } -function get_frontend_ipport($fontend) { +function get_primaryfrontend($frontend) { global $config; $a_backend = &$config['installedpackages']['haproxy']['ha_backends']['item']; - if ($fontend['secondary'] == 'yes') - $mainfontend = $a_backend[get_frontend_id($fontend['primary_frontend'])]; + if ($frontend['secondary'] == 'yes') + $mainfrontend = $a_backend[get_frontend_id($frontend['primary_frontend'])]; else - $mainfontend = $fontend; - if($mainfontend['extaddr'] == "any") + $mainfrontend = $frontend; + return $mainfrontend; +} + +function get_frontend_ipport($frontend) { + $mainfrontend = get_primaryfrontend($frontend); + if($mainfrontend['extaddr'] == "any") $result = "0.0.0.0"; - elseif($mainfontend['extaddr']) - $result = $mainfontend['extaddr']; + elseif ($mainfrontend['extaddr'] == "localhost") + $result = "127.0.0.1"; + elseif($mainfrontend['extaddr']) + $result = $mainfrontend['extaddr']; else $result = get_current_wan_address('wan'); - return $result . ":" . $mainfontend['port']; + return $result . ":" . $mainfrontend['port']; } function haproxy_check_config() { diff --git a/config/haproxy-devel/haproxy.xml b/config/haproxy-devel/haproxy.xml index 4511bde4..bfd7f437 100644 --- a/config/haproxy-devel/haproxy.xml +++ b/config/haproxy-devel/haproxy.xml @@ -95,6 +95,11 @@ <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_socketinfo.inc</item> </additional_files_needed> <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>077</chmod> + <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc</item> + </additional_files_needed> + <additional_files_needed> <prefix>/usr/local/www/widgets/widgets/</prefix> <chmod>077</chmod> <item>http://www.pfsense.com/packages/config/haproxy-devel/haproxy.widget.php</item> diff --git a/config/haproxy-devel/haproxy_global.php b/config/haproxy-devel/haproxy_global.php index dbc55847..ff8d1280 100755 --- a/config/haproxy-devel/haproxy_global.php +++ b/config/haproxy-devel/haproxy_global.php @@ -59,26 +59,26 @@ if ($_POST) { if ($_POST['maxconn'] && (!is_numeric($_POST['maxconn']))) $input_errors[] = "The maximum number of connections should be numeric."; - if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) + /*if($_POST['synchost1'] && !is_ipaddr($_POST['synchost1'])) $input_errors[] = "Synchost1 needs to be an IPAddress."; if($_POST['synchost2'] && !is_ipaddr($_POST['synchost2'])) $input_errors[] = "Synchost2 needs to be an IPAddress."; if($_POST['synchost3'] && !is_ipaddr($_POST['synchost3'])) - $input_errors[] = "Synchost3 needs to be an IPAddress."; + $input_errors[] = "Synchost3 needs to be an IPAddress.";*/ if (!$input_errors) { $config['installedpackages']['haproxy']['enable'] = $_POST['enable'] ? true : false; $config['installedpackages']['haproxy']['terminate_on_reload'] = $_POST['terminate_on_reload'] ? true : false; $config['installedpackages']['haproxy']['maxconn'] = $_POST['maxconn'] ? $_POST['maxconn'] : false; $config['installedpackages']['haproxy']['enablesync'] = $_POST['enablesync'] ? true : false; - $config['installedpackages']['haproxy']['synchost1'] = $_POST['synchost1'] ? $_POST['synchost1'] : false; - $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false; - $config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost3'] ? $_POST['synchost3'] : false; + //$config['installedpackages']['haproxy']['synchost1'] = $_POST['synchost1'] ? $_POST['synchost1'] : false; + //$config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost2'] ? $_POST['synchost2'] : false; + //$config['installedpackages']['haproxy']['synchost2'] = $_POST['synchost3'] ? $_POST['synchost3'] : false; $config['installedpackages']['haproxy']['remotesyslog'] = $_POST['remotesyslog'] ? $_POST['remotesyslog'] : false; $config['installedpackages']['haproxy']['logfacility'] = $_POST['logfacility'] ? $_POST['logfacility'] : false; $config['installedpackages']['haproxy']['loglevel'] = $_POST['loglevel'] ? $_POST['loglevel'] : false; $config['installedpackages']['haproxy']['carpdev'] = $_POST['carpdev'] ? $_POST['carpdev'] : false; - $config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false; + //$config['installedpackages']['haproxy']['syncpassword'] = $_POST['syncpassword'] ? $_POST['syncpassword'] : false; $config['installedpackages']['haproxy']['advanced'] = $_POST['advanced'] ? base64_encode($_POST['advanced']) : false; $config['installedpackages']['haproxy']['nbproc'] = $_POST['nbproc'] ? $_POST['nbproc'] : false; touch($d_haproxyconfdirty_path); @@ -91,10 +91,10 @@ $pconfig['enable'] = isset($config['installedpackages']['haproxy']['enable']); $pconfig['terminate_on_reload'] = isset($config['installedpackages']['haproxy']['terminate_on_reload']); $pconfig['maxconn'] = $config['installedpackages']['haproxy']['maxconn']; $pconfig['enablesync'] = isset($config['installedpackages']['haproxy']['enablesync']); -$pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword']; -$pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1']; -$pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2']; -$pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3']; +//$pconfig['syncpassword'] = $config['installedpackages']['haproxy']['syncpassword']; +//$pconfig['synchost1'] = $config['installedpackages']['haproxy']['synchost1']; +//$pconfig['synchost2'] = $config['installedpackages']['haproxy']['synchost2']; +//$pconfig['synchost3'] = $config['installedpackages']['haproxy']['synchost3']; $pconfig['remotesyslog'] = $config['installedpackages']['haproxy']['remotesyslog']; $pconfig['logfacility'] = $config['installedpackages']['haproxy']['logfacility']; $pconfig['loglevel'] = $config['installedpackages']['haproxy']['loglevel']; @@ -337,12 +337,15 @@ function enable_change(enable_change) { <td colspan="2" valign="top" class="listtopic">Configuration synchronization</td> </tr> <tr> - <td width="22%" valign="top" class="vncell"> </td> + <td width="22%" valign="top" class="vncell">HAProxy Sync</td> <td width="78%" class="vtable"> <input name="enablesync" type="checkbox" value="yes" <?php if ($pconfig['enablesync']) echo "checked"; ?>> - <strong>Sync HAProxy configuration to backup CARP members via XMLRPC.</strong> + <strong>Sync HAProxy configuration to backup CARP members via XMLRPC.</strong><br/> + Note: remember to also turn on HAProxy Sync on the backup nodes.<br/> + The synchronisation host and password are those configured in pfSense main <a href="/system_hasync.php">"System: High Availability Sync"</a> settings. </td> </tr> +<!-- <tr> <td width="22%" valign="top" class="vncell">Synchronization password</td> <td width="78%" class="vtable"> @@ -375,6 +378,7 @@ function enable_change(enable_change) { <strong>Synchronize settings to this hosts IP address.</strong> </td> </tr> +--> <tr> <td> diff --git a/config/haproxy-devel/haproxy_listeners.php b/config/haproxy-devel/haproxy_listeners.php index 7b6e3d58..6d9c9dc1 100644 --- a/config/haproxy-devel/haproxy_listeners.php +++ b/config/haproxy-devel/haproxy_listeners.php @@ -166,9 +166,9 @@ include("head.inc"); $isadvset = ""; if ($frontend['advanced_bind']) $isadvset .= "Advanced bind: {$frontend['advanced_bind']}\r\n"; - if ($frontend['advanced']) $isadvset .= "advanced settings used\r\n"; + if ($frontend['advanced']) $isadvset .= "Advanced pass thru setting used\r\n"; if ($isadvset) - echo "<img src=\"$img_adv\" title=\"" . gettext("advanced settings set") . ": {$isadvset}\" border=\"0\">"; + echo "<img src=\"$img_adv\" title=\"" . gettext("Advanced settings set") . ": {$isadvset}\" border=\"0\">"; ?> </td> diff --git a/config/haproxy-devel/haproxy_listeners_edit.php b/config/haproxy-devel/haproxy_listeners_edit.php index 8f9c2484..d37444c0 100644 --- a/config/haproxy-devel/haproxy_listeners_edit.php +++ b/config/haproxy-devel/haproxy_listeners_edit.php @@ -229,6 +229,15 @@ if ($_POST) { if($backend['name'] != "") $changedesc .= " modified '{$backend['name']}' pool:"; + + // update references to this primary frontend + if ($backend['name'] != $_POST['name']) { + foreach($a_backend as &$frontend) { + if ($frontend['primary_frontend'] == $backend['name']) { + $frontend['primary_frontend'] = $_POST['name']; + } + } + } foreach($simplefields as $stat) update_if_changed($stat, $backend[$stat], $_POST[$stat]); @@ -454,6 +463,12 @@ include("head.inc"); setCSSdisplay(".haproxy_secondary", secondary.checked); type_change(type); + + http_close = d.getElementById("httpclose").value; + http_close_description = d.getElementById("http_close_description"); + http_close_description.innerHTML=closetypes[http_close]["descr"]; + http_close_description.setAttribute('style','padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt; height:30px'); + http_close_description.setAttribute('style','padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt; height:'+http_close_description.scrollHeight+'px'); } function type_change(type) { @@ -689,11 +704,10 @@ include("head.inc"); <tr align="left" class="haproxy_mode_http"> <td width="22%" valign="top" class="vncell">Use 'httpclose' option</td> <td width="78%" class="vtable" colspan="2"> - <input id="httpclose" name="httpclose" type="checkbox" value="yes" <?php if ($pconfig['httpclose']=='yes') echo "checked"; ?>> - <br/> - The 'httpclose' option removes any 'Connection' header both ways, and - adds a 'Connection: close' header in each direction. This makes it easier to - disable HTTP keep-alive than the previous 4-rules block. + <? + echo_html_select("httpclose",$a_closetypes,$pconfig['httpclose']?$pconfig['httpclose']:"none","","updatevisibility();"); + ?><br/> + <textarea readonly="yes" cols="70" rows="3" id="http_close_description" name="http_close_description" style="padding:5px; border:1px dashed #990000; background-color: #ffffff; color: #000000; font-size: 8pt;"></textarea> </td> </tr> <tr align="left"> @@ -716,10 +730,6 @@ include("head.inc"); <td> </td> </tr> </table> -<? - global $haproxy_sni_ssloffloading; - if ($haproxy_sni_ssloffloading): -?> <table class="haproxy_mode_http" width="100%" border="0" cellpadding="6" cellspacing="0"> <tr> <td colspan="2" valign="top" class="listtopic">SSL Offloading</td> @@ -762,9 +772,6 @@ include("head.inc"); <td> </td> </tr> </table> -<? - endif; -?> <table width="100%" border="0" cellpadding="6" cellspacing="0"> <tr align="left"> <td width="22%" valign="top"> </td> @@ -788,6 +795,8 @@ include("head.inc"); <script type="text/javascript"> <? phparray_to_javascriptarray($primaryfrontends,"primaryfrontends",Array('/*','/*/name','/*/ref','/*/ref/type','/*/ref/ssloffload')); + phparray_to_javascriptarray($a_closetypes,"closetypes",Array('/*','/*/name','/*/descr')); + ?> </script> diff --git a/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc b/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc new file mode 100644 index 00000000..781b7544 --- /dev/null +++ b/config/haproxy-devel/haproxy_xmlrpcsyncclient.inc @@ -0,0 +1,148 @@ +<?php +/* + haproxy_xmlrpcsyncclient.inc + Copyright (C) 2009 Scott Ullrich <sullrich@pfsense.com> + Copyright (C) 2008 Remco Hoef + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +/* include all configuration functions */ +require_once("functions.inc"); +require_once("pkg-utils.inc"); +require_once("notices.inc"); + +function xmlrpc_sync_execute($syncinfo) { + // name that is logged if something fails during syncing + $sync_logname = $syncinfo['sync_logname']; + // configuration data to sync + $xml = $syncinfo['data']; + // include file in which the "function sync_done_execute(){xxx}" must be pressent + $sync_include = $syncinfo['sync_include']; + // executes to apply the changed configuration on the target system + $sync_function = $syncinfo['sync_done_execute']; + + global $config, $g; + //if(!$password) + $password = $config['hasync']['password']; + if(!$password) + return; + + //if(!$sync_to_ip) + $sync_to_ip = $config['hasync']['synchronizetoip']; + if(!$sync_to_ip) + return; + + // Do not allow syncing to self. + $donotsync = false; + $localips = get_configured_ip_addresses(); + if (in_array($sync_to_ip, $localips , true)) + $donotsync = true; + + if($donotsync) { + log_error("Disallowing sync loop for {$sync_logname} sync."); + return; + } + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + //$xml = prepare_xmlrpc_sync_config(); + + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning {$sync_logname} XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting {$sync_logname} XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "{$sync_logname} Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting {$sync_logname} XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "{$sync_logname} Settings Sync", ""); + } else { + log_error("{$sync_logname} XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell package to reload our settings on the destination sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('{$sync_include}');\n"; + $execcmd .= "{$sync_function}();\n"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("{$sync_logname} XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting {$sync_logname} XMLRPC sync with {$url}:{$port} (exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "{$sync_logname} Settings Reload", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting {$sync_logname} XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "{$sync_logname} Settings Sync", ""); + } else { + log_error("{$sync_logname} XMLRPC reload data success with {$url}:{$port} (exec_php)."); + } +} + +?> diff --git a/config/haproxy/haproxy.inc b/config/haproxy/haproxy.inc index 332cc8f7..aa8d5a3e 100644 --- a/config/haproxy/haproxy.inc +++ b/config/haproxy/haproxy.inc @@ -534,7 +534,7 @@ function haproxy_writeconf() { fwrite ($fd, "\tmaxconn\t\t\t" . $bind['max_connections'] . "\n"); if($bind['client_timeout']) - fwrite ($fd, "\tclitimeout\t\t" . $bind['client_timeout'] . "\n"); + fwrite ($fd, "\ttimeout client\t\t" . $bind['client_timeout'] . "\n"); // Combine the rest of the listener configs @@ -637,6 +637,11 @@ function haproxy_is_running() { return $running; } +function haproxy_check_config() { + exec("/usr/local/sbin/haproxy -c -f /var/etc/haproxy.cfg 2>&1", $output); + return implode("\n", $output); +} + function haproxy_check_run($reload) { global $config, $g; diff --git a/config/haproxy/haproxy.xml b/config/haproxy/haproxy.xml index 0c897dc7..227d1b27 100644 --- a/config/haproxy/haproxy.xml +++ b/config/haproxy/haproxy.xml @@ -42,7 +42,7 @@ <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>haproxy</name> - <version>1.0</version> + <version>1.2.4</version> <title>HAProxy</title> <aftersaveredirect>/pkg_edit.php?xml=haproxy_pools.php</aftersaveredirect> <include_file>/usr/local/pkg/haproxy.inc</include_file> diff --git a/config/haproxy/haproxy_global.php b/config/haproxy/haproxy_global.php index c09b202f..aa046544 100755 --- a/config/haproxy/haproxy_global.php +++ b/config/haproxy/haproxy_global.php @@ -89,6 +89,12 @@ if ($_POST) { touch($d_haproxyconfdirty_path); write_config(); } + + if ($_POST['Submit'] == "Save and Check Config") { + $check_output = haproxy_check_config(); + if (empty($check_output)) + $check_output = "No output."; + } } } @@ -159,6 +165,14 @@ function enable_change(enable_change) { <td> <div id="mainarea"> <table class="tabcont" width="100%" border="0" cellpadding="6" cellspacing="0"> + <?php if ($_POST['Submit'] == "Save and Check Config"): ?> + <tr><td colspan="2" valign="top" class="vncell"> +Configuration check output: +<pre> +<?= $check_output; ?> +</pre> + </td></tr> + <?php endif; ?> <tr> <td colspan="2" valign="top" class="listtopic">General settings</td> </tr> @@ -386,6 +400,7 @@ function enable_change(enable_change) { <td width="22%" valign="top"> </td> <td width="78%"> <input name="Submit" type="submit" class="formbtn" value="Save" onClick="enable_change(true)"> + <input name="Submit" type="submit" class="formbtn" value="Save and Check Config" onClick="enable_change(true)"> </td> </td> </tr> diff --git a/config/havp/havp.inc b/config/havp/havp.inc index 36c053c9..29a109ba 100644 --- a/config/havp/havp.inc +++ b/config/havp/havp.inc @@ -79,7 +79,7 @@ define('HVDEF_PID_FILE', '/var/run/havp.pid'); define('HVDEF_WORK_DIR', '/usr/local/etc/havp'); $pfSversion = str_replace("\s", "", file_get_contents("/etc/version")); -if(preg_match("/^2.0/",$pfSversion)) +if(preg_match("/^2./",$pfSversion)) define('HVDEF_LOG_DIR', '/var/log/havp'); else define('HVDEF_LOG_DIR', '/var/log'); @@ -413,6 +413,10 @@ function havp_check_system() havp_set_file_access(HVDEF_TEMPLATES, HVDEF_USER, ''); havp_set_file_access(HVDEF_TEMPLATES_EX, HVDEF_USER, ''); + # havp log dir + if (!file_exists(HVDEF_LOG_DIR)) + mwexec("mkdir -p " . HVDEF_LOG_DIR); + havp_set_file_access(HVDEF_LOG_DIR, HVDEF_USER, ''); # log files exists ? if (!file_exists(HVDEF_HAVP_ACCESSLOG)) file_put_contents(HVDEF_HAVP_ACCESSLOG, ''); if (!file_exists(HVDEF_HAVP_ERRORLOG)) file_put_contents(HVDEF_HAVP_ERRORLOG, ''); @@ -427,12 +431,16 @@ function havp_check_system() if (!file_exists(HVDEF_FRESHCLAM_CONF)) file_put_contents(HVDEF_FRESHCLAM_CONF, ''); havp_set_file_access(HVDEF_FRESHCLAM_CONF, HVDEF_AVUSER, '0664'); + # clam log dir + if (!file_exists(HVDEF_AVLOG_DIR)) + mwexec("mkdir -p " . HVDEF_AVLOG_DIR); + havp_set_file_access(HVDEF_AVLOG_DIR, HVDEF_USER, ''); # log files exists ? if (!file_exists(HVDEF_CLAM_LOG)) file_put_contents(HVDEF_CLAM_LOG, ''); if (!file_exists(HVDEF_FRESHCLAM_LOG)) file_put_contents(HVDEF_FRESHCLAM_LOG, ''); # log dir permissions - if (!file_exists(HVDEF_AVLOG_DIR)) - mwexec("mkdir -p " . HVDEF_AVLOG_DIR); + # if (!file_exists(HVDEF_AVLOG_DIR)) + # mwexec("mkdir -p " . HVDEF_AVLOG_DIR); havp_set_file_access(HVDEF_AVLOG_DIR, HVDEF_USER, '0777'); # =-= ClamAV =-= diff --git a/config/iftop/iftop.xml b/config/iftop/iftop.xml new file mode 100644 index 00000000..64afbc79 --- /dev/null +++ b/config/iftop/iftop.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 + All rights reserved. +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>iftop</description> + <requirements>None</requirements> + <faq></faq> + <name>iftop</name> + <version>0.0</version> + <title>iftop</title> +</packagegui>
\ No newline at end of file diff --git a/config/iperf.xml b/config/iperf.xml index e5de8b85..2fe49699 100644 --- a/config/iperf.xml +++ b/config/iperf.xml @@ -59,6 +59,7 @@ <service> <name>iperf</name> <executable>iperf</executable> + <description>iperf network performance testing daemon/client</description> </service> <tabs> <tab> diff --git a/config/ipmitool/ipmitool.xml b/config/ipmitool/ipmitool.xml new file mode 100644 index 00000000..a42baa36 --- /dev/null +++ b/config/ipmitool/ipmitool.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 + All rights reserved. +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>ipmitool</description> + <requirements>None</requirements> + <faq></faq> + <name>ipmitool</name> + <version>0.0</version> + <title>ipmitool</title> +</packagegui>
\ No newline at end of file diff --git a/config/lcdproc-dev/lcdproc.inc b/config/lcdproc-dev/lcdproc.inc index 1436c07d..8b3ce28f 100644 --- a/config/lcdproc-dev/lcdproc.inc +++ b/config/lcdproc-dev/lcdproc.inc @@ -81,6 +81,7 @@ case "lpt1": case "ugen0.2": case "ugen1.2": + case "ugen1.3"; case "ugen2.2": continue; break; @@ -177,6 +178,9 @@ case "ugen1.2": $realport = "/dev/ugen1.2"; break; + case "ugen1.3": + $realport = "/dev/ugen1.3"; + break; case "ugen2.2": $realport = "/dev/ugen2.2"; break; @@ -303,9 +307,11 @@ case "hd44780": $config_text .= "[{$lcdproc_config['driver']}]\n"; $config_text .= "driverpath=/usr/local/lib/lcdproc/\n"; - $config_text .= "ConnectionType=lcd2usb\n"; + $config_text .= "ConnectionType={$lcdproc_config['connection_type']}\n"; + $config_text .= "Device={$realport}\n"; + $config_text .= "Port=0x378\n"; $config_text .= "Speed=0\n"; - $config_text .= "Keypad=no\n"; + $config_text .= "Keypad=yes\n"; $config_text .= set_lcd_value("contrast", 1000, 850); $config_text .= set_lcd_value("brightness", 1000, 800); $config_text .= set_lcd_value("offbrightness", 1000, 0); @@ -315,6 +321,16 @@ $config_text .= "DelayMult=1\n"; $config_text .= "DelayBus=true\n"; $config_text .= "Size={$lcdproc_config['size']}\n"; + if ($lcdproc_config[connection_type] == "winamp") + { + $config_text .= "KeyDirect_1=Enter\n"; + $config_text .= "KeyDirect_2=Up\n"; + $config_text .= "KeyDirect_3=Down\n"; + $config_text .= "KeyDirect_4=Escape\n"; + } + else + { + } break; case "icp_a106": $config_text .= "[{$lcdproc_config['driver']}]\n"; @@ -531,4 +547,4 @@ EOD; } return $returnvalue; } -?>
\ No newline at end of file +?> diff --git a/config/lcdproc-dev/lcdproc.xml b/config/lcdproc-dev/lcdproc.xml index 3db83ccd..bca9b4c8 100644 --- a/config/lcdproc-dev/lcdproc.xml +++ b/config/lcdproc-dev/lcdproc.xml @@ -1,8 +1,8 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> - <title>Services: LCDproc 0.5.5 pkg v. 0.9.4</title> + <title>Services: LCDproc 0.5.6 pkg v. 0.9.7</title> <name>lcdproc</name> - <version>0.5.5 pkg v. 0.9.4</version> + <version>0.5.6 pkg v. 0.9.7</version> <savetext>Save</savetext> <include_file>/usr/local/pkg/lcdproc.inc</include_file> <tabs> @@ -101,8 +101,12 @@ <name>USB Com port 2 alternate (/dev/ugen1.2)</name> </option> <option> + <value>ugen1.3</value> + <name>USB Com port 3 alternate (/dev/ugen1.3)</name> + </option> + <option> <value>ugen2.2</value> - <name>USB Com port 3 alternate (/dev/ugen2.2)</name> + <name>USB Com port 4 alternate (/dev/ugen2.2)</name> </option> </options> <default_value>ucom1</default_value> @@ -302,6 +306,87 @@ <default_value>pyramid</default_value> </field> <field> + <fieldname>connection_type</fieldname> + <fielddescr>Connection Type</fielddescr> + <description>Set connection type for the HD44780 driver</description> + <type>select</type> + <options> + <option> + <value>4bit</value> + <name>4bit wiring to parallel port</name> + </option> + <option> + <value>8bit</value> + <name>8bit wiring to parallel port(lcdtime)</name> + </option> + <option> + <value>winamp</value> + <name>8bit wiring winamp style to parallel port</name> + </option> + <option> + <value>serialLpt</value> + <name>Serial LPT wiring</name> + </option> + <option> + <value>picanlcd</value> + <name>PIC-an-LCD serial device</name> + </option> + <option> + <value>lcdserializer</value> + <name>LCD serializer</name> + </option> + <option> + <value>los-panel</value> + <name>LCD on serial panel device</name> + </option> + <option> + <value>vdr-lcd</value> + <name>VDR LCD serial device</name> + </option> + <option> + <value>vdr-wakeup</value> + <name>VDR-Wakeup module</name> + </option> + <option> + <value>pertelian</value> + <name>Pertelian X2040 LCD</name> + </option> + <option> + <value>bwctusb</value> + <name>BWCT USB device</name> + </option> + <option> + <value>lcd2usb</value> + <name>Till Harbaum's LCD2USB</name> + </option> + <option> + <value>usbtiny</value> + <name>Dick Streefland's USBtiny</name> + </option> + <option> + <value>lis2</value> + <name>LIS2 from VLSystem</name> + </option> + <option> + <value>mplay</value> + <name>MPlay Blast from VLSystem</name> + </option> + <option> + <value>ftdi</value> + <name>LCD connected to FTDI 2232D USB chip</name> + </option> + <option> + <value>usblcd</value> + <name>USBLCD adapter from Adams IT Services</name> + </option> + <option> + <value>i2c</value> + <name>LCD driven by PCF8574/PCA9554 connected via i2c</name> + </option> + </options> + <default_value>lcd2usb</default_value> + </field> + <field> <fieldname>refresh_frequency</fieldname> <fielddescr>Refresh frequency</fielddescr> <description>Set the refresh frequency of the information on the LCD Panel</description> diff --git a/config/lightsquid/lightsquid.xml b/config/lightsquid/lightsquid.xml index b8ce2bc8..53d074c5 100644 --- a/config/lightsquid/lightsquid.xml +++ b/config/lightsquid/lightsquid.xml @@ -186,7 +186,7 @@ <input type="submit" name="Submit" value="Refresh full"> <br> Press button for start background refresh (this take some time). <br> <span style="color: rgb(153, 51, 0);"> Note after installation: - <br> On the first - enable log in squid package with "/var/squid/log" path. + <br> On the first - enable log in squid package with "/var/squid/logs" path. <br> On the second - press Refresh button for create lightsquid reports, else you will have error diagnostic page.</span> </description> <type>select</type> diff --git a/config/lightsquid/sqstat.class.php b/config/lightsquid/sqstat.class.php index 228aecfe..03695a47 100644 --- a/config/lightsquid/sqstat.class.php +++ b/config/lightsquid/sqstat.class.php @@ -179,7 +179,8 @@ class squidstat{ } fclose($this->fp); - if ($raw[0]!="HTTP/1.0 200 OK") { $this->errorMsg(1, "Cannot get data. Server answered: $raw[0]"); + if (!preg_match("/^HTTP.* 200 OK$/", $raw[0])) { + $this->errorMsg(1, "Cannot get data. Server answered: $raw[0]"); return false; } diff --git a/config/mailreport/mail_reports.inc b/config/mailreport/mail_reports.inc index 85b67ddf..cf8c837c 100644 --- a/config/mailreport/mail_reports.inc +++ b/config/mailreport/mail_reports.inc @@ -229,8 +229,6 @@ function mail_report_send($headertext, $cmdtext, $logtext, $attachments) { if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; - } else { - echo "<strong>Message sent to {$address}!</strong>\n"; } } diff --git a/config/mailreport/mail_reports_generate.php b/config/mailreport/mail_reports_generate.php index a784c596..c31909c9 100644 --- a/config/mailreport/mail_reports_generate.php +++ b/config/mailreport/mail_reports_generate.php @@ -53,9 +53,21 @@ if (!$config['mailreports']['schedule'][$id]) exit; $thisreport = $config['mailreports']['schedule'][$id]; -$cmds = $thisreport['cmd']['row']; -$logs = $thisreport['log']['row']; -$graphs = $thisreport['row']; + +if (is_array($thisreport['cmd']) && is_array($thisreport['cmd']['row'])) + $cmds = $thisreport['cmd']['row']; +else + $cmds = array(); + +if (is_array($thisreport['log']) && is_array($thisreport['log']['row'])) + $logs = $thisreport['log']['row']; +else + $logs = array(); + +if (is_array($thisreport['row'])) + $graphs = $thisreport['row']; +else + $graphs = array(); // If there is nothing to do, bail! if ((!is_array($cmds) || !(count($cmds) > 0)) diff --git a/config/mailreport/mailreport.xml b/config/mailreport/mailreport.xml index d27d3a28..5a759984 100644 --- a/config/mailreport/mailreport.xml +++ b/config/mailreport/mailreport.xml @@ -37,7 +37,7 @@ ]]> </copyright> <name>mailreport</name> - <version>2.0.4</version> + <version>2.0.6</version> <title>Status: Mail Reports</title> <additional_files_needed> <prefix>/usr/local/bin/</prefix> diff --git a/config/mailscanner/mailscanner.conf.template b/config/mailscanner/mailscanner.conf.template index 06090be3..c801c5d6 100644 --- a/config/mailscanner/mailscanner.conf.template +++ b/config/mailscanner/mailscanner.conf.template @@ -3,17 +3,17 @@ $mc=<<<EOF {$info} # Configuration directory containing this file -%etc-dir% = /usr/local/etc/MailScanner +%etc-dir% = {$mlb}/etc/MailScanner # Set the directory containing all the reports in the required language -%report-dir% = /usr/local/share/MailScanner/reports/{$report_language} +%report-dir% = {$mlb}/share/MailScanner/reports/{$report_language} # Rulesets directory containing your ".rules" files -%rules-dir% = /usr/local/etc/MailScanner/rules +%rules-dir% = {$mlb}/etc/MailScanner/rules # Configuration directory containing files related to MCP # (Message Content Protection) -%mcp-dir% = /usr/local/etc/MailScanner/mcp +%mcp-dir% = {$mlb}/etc/MailScanner/mcp # # System settings @@ -417,7 +417,7 @@ Log SpamAssassin Rule Actions = {$log_sa_rule_action} SpamAssassin Temporary Dir = /var/spool/MailScanner/incoming/SpamAssassin-Temp SpamAssassin User State Dir = SpamAssassin Install Prefix = -SpamAssassin Site Rules Dir = /usr/local/etc/mail/spamassassin +SpamAssassin Site Rules Dir = {$mlb}/etc/mail/spamassassin SpamAssassin Local Rules Dir = SpamAssassin Local State Dir = # /var/lib/spamassassin SpamAssassin Default Rules Dir = @@ -469,7 +469,7 @@ Sender MCP Report = %report-dir%/sender.mcp.report.txt Use Default Rules With Multiple Recipients = {$default_rule_multiple} Read IP Address From Received Header = {$read_ipaddress} Spam Score Number Format = {$spam_score_format} -MailScanner Version Number = 4.83.5 +MailScanner Version Number = {$mailscanner_version} SpamAssassin Cache Timings = {$cache_timings} Debug = {$debug} Debug SpamAssassin = {$debug_spam} @@ -480,12 +480,12 @@ Deliver In Background = {$deliver_background} Delivery Method = {$mailscanner['deliver_method']} Split Exim Spool = {$split_exim_spool} Lockfile Dir = /var/spool/MailScanner/incoming/Locks -Custom Functions Dir = /usr/local/lib/MailScanner/MailScanner/CustomFunctions +Custom Functions Dir = {$mlb}/lib/MailScanner/MailScanner/CustomFunctions Lock Type = Syslog Socket Type = Automatic Syntax Check = {$syntax_check} Minimum Code Status = {$mailscanner['minimum_code']} -include /usr/local/etc/MailScanner/conf.d/* +include {$mlb}/etc/MailScanner/conf.d/* diff --git a/config/mailscanner/mailscanner.inc b/config/mailscanner/mailscanner.inc index 1ba0a4ca..0b638166 100644 --- a/config/mailscanner/mailscanner.inc +++ b/config/mailscanner/mailscanner.inc @@ -27,7 +27,7 @@ POSSIBILITY OF SUCH DAMAGE. */ - +$shortcut_section = "mailscanner"; require_once("util.inc"); require("globals.inc"); #require("guiconfig.inc"); @@ -101,6 +101,7 @@ function sync_package_mailscanner($via_rpc=false) { $config['installedpackages']['mscontent']['config'][0]=array('checks'=>'DangerousContentScanning,UseStricterPhishingNet,HighlightPhishingFraud', 'iframe_tags'=>'disarm', 'form_tags'=>'disarm', + 'script_tags'=>'disarm', 'web_bugs'=>'disarm', 'codebase_tags'=>'disarm'); $load_samples++; @@ -116,7 +117,7 @@ function sync_package_mailscanner($via_rpc=false) { $report=$config['installedpackages']['msreport']['config'][0]; if (!is_array($config['installedpackages']['msantispam'])){ $config['installedpackages']['msantispam']['config'][0]=array( 'rblfeatures'=>'spam_checks', - 'safeatures'=>'use_sa,sa_auto_whitelist,check_sa_if_on_spam_list,spam_score,cache_spamassassin_results,use_pyzor,use_razor,use_dcc,use_bayes,use_auto_learn_bayes', + 'safeatures'=>'use_sa,sa_auto_whitelist,check_sa_if_on_spam_list,spam_score,cache_spamassassin_results,use_razor,use_dcc,use_bayes,use_auto_learn_bayes', 'sa_score'=>'6', 'spam_actions'=>'deliver', 'hi_score'=>'20', @@ -259,6 +260,7 @@ function sync_package_mailscanner($via_rpc=false) { /* Language Strings = %report-dir%/languages.conf */ + #check files $mailscanner_dir=MAILSCANNER_LOCALBASE ."/etc/MailScanner"; @@ -309,7 +311,8 @@ Language Strings = %report-dir%/languages.conf $load_samples++; } - $report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); + //$report_dir=MAILSCANNER_LOCALBASE."/share/MailScanner/reports/".strtolower($report['language']); + $report_dir="/usr/local/share/MailScanner/reports/".strtolower($report['language']); #CHECK REPORT FILES $report_files= array('deletedbadcontent' => 'deleted.content.message.txt', 'deletedbadfilename' => 'deleted.filename.message.txt', @@ -377,8 +380,18 @@ Phishing Safe Sites File = %etc-dir%/phishing.safe.sites.conf Phishing Bad Sites File = %etc-dir%/phishing.bad.sites.conf Country Sub-Domains List = %etc-dir%/country.domains.conf */ - + #get mailscanner version + $msc_bin=MAILSCANNER_LOCALBASE. "/sbin/mailscanner"; + if (file_exists($msc_bin)){ + $msc_bin_file=file_get_contents($msc_bin); + if (preg_match("/MailScannerVersion = '(\S+)'/",$msc_bin_file,$msv_matches)) + $mailscanner_version=$msv_matches[1]; + else + $mailscanner_version='4.83.5'; + } #create MailScanner.conf + $mlb=MAILSCANNER_LOCALBASE; + include("mailscanner.conf.template"); #write files conf_mount_rw(); @@ -404,76 +417,77 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #update spam.assassin.prefs.conf $sa_temp=ms_text_area_decode($config['installedpackages']['msantispam']['config'][0]['sa_pref_file']); - $pattern[0]='/#ifplugin/'; - $pattern[1]='/#pyzor_path/'; - $pattern[2]='/usr.bin.pyzor/'; - $pattern[3]='/#dcc_path/'; - $pattern[4]='/#endif/'; - $replacement[0]="ifplugin"; - $replacement[1]="pyzor_path"; - $replacement[2]="usr/local/bin/pyzor"; - $replacement[3]="dcc_path"; - $replacement[4]="endif"; + $pattern[]='/#ifplugin/'; + $pattern[]='/#dcc_path/'; + $pattern[]='/#endif/'; + + $replacement[]="ifplugin"; + $replacement[]="dcc_path"; + $replacement[]="endif"; if (preg_match('/use_razor/',$antispam['safeatures'])){ - $pattern[5]='/\nuse_razor2\s+0/'; - $replacement[5]="\n".'# use_razor2 0'; + $pattern[]='/\nuse_razor2\s+0/'; + $replacement[]="\n".'# use_razor2 0'; } else{ - $pattern[5]='/\n#\s+use_razor2\s+0/'; - $replacement[5]="\n".'use_razor2 0'; + $pattern[]='/\n#\s+use_razor2\s+0/'; + $replacement[]="\n".'use_razor2 0'; } if (preg_match('/use_dcc/',$antispam['safeatures'])){ - $pattern[6]='/\nuse_dcc\s+0/'; - $replacement[6]="\n".'# use_dcc 0'; + $pattern[]='/\nuse_dcc\s+0/'; + $replacement[]="\n".'# use_dcc 0'; } else{ - $pattern[6]='/\n#\s+use_dcc\s+0/'; - $replacement[6]="\n".'use_dcc 0'; + $pattern[]='/\n#\s+use_dcc\s+0/'; + $replacement[]="\n".'use_dcc 0'; } if (preg_match('/use_pyzor/',$antispam['safeatures'])){ - $pattern[7]='/\nuse_pyzor\s+0/'; - $replacement[7]="\n".'# use_pyzor 0'; + $pattern[]='/#pyzor_path/'; + $pattern[]='/usr.bin.pyzor/'; + $pattern[]='/\nuse_pyzor\s+0/'; + $replacement[]="pyzor_path"; + $replacement[]="usr/local/bin/pyzor"; + $replacement[]="\n".'# use_pyzor 0'; } else{ - $pattern[7]='/\n#\s+use_pyzor\s+0/'; - $replacement[7]="\n".'# use_pyzor 0'; + $pattern[]='/\n#\s+use_pyzor\s+0/'; + $replacement[]="\n".'# use_pyzor 0'; } if (preg_match('/use_auto_learn_bayes/',$antispam['safeatures'])){ - $pattern[8]='/\nbayes_auto_learn\s+0/'; - $replacement[8]="\n".'# bayes_auto_learn 0'; + $pattern[]='/\nbayes_auto_learn\s+0/'; + $replacement[]="\n".'# bayes_auto_learn 0'; } else{ - $pattern[8]='/\n#\s+bayes_auto_learn\s+0/'; - $replacement[8]="\n".'bayes_auto_learn 0'; + $pattern[]='/\n#\s+bayes_auto_learn\s+0/'; + $replacement[]="\n".'bayes_auto_learn 0'; } if (preg_match('/use_bayes/',$antispam['safeatures'])){ - $pattern[9]='/\nuse_bayes\s+0/'; - $replacement[9]="\n".'# use_bayes 0'; + $pattern[]='/\nuse_bayes\s+0/'; + $replacement[]="\n".'# use_bayes 0'; } else{ - $pattern[9]='/\n#\s+use_bayes\s+0/'; - $replacement[9]="\n".'use_bayes 0'; + $pattern[]='/\n#\s+use_bayes\s+0/'; + $replacement[]="\n".'use_bayes 0'; } if (preg_match('/sa_auto_whitelist/',$antispam['safeatures'])){ - $pattern[10]='/\nuse_auto_whitelist\s+0/'; - $replacement[10]="\n".'# use_auto_whitelist 0'; + $pattern[]='/\nuse_auto_whitelist\s+0/'; + $replacement[]="\n".'# use_auto_whitelist 0'; } else{ - $pattern[10]='/\n#\s*use_auto_whitelist 0/'; - $replacement[10]="\n".'use_auto_whitelist 0'; + $pattern[]='/\n#\s*use_auto_whitelist 0/'; + $replacement[]="\n".'use_auto_whitelist 0'; } if ($antispam['rblchecks']){ - $pattern[11]='/\nskip_rbl_checks\s+1/'; - $replacement[11]="\n".'# skip_rbl_checks 1'; + $pattern[]='/\nskip_rbl_checks\s+1/'; + $replacement[]="\n".'# skip_rbl_checks 1'; } else{ - $pattern[11]='/\n#\s+skip_rbl_checks\s+\d/'; - $replacement[11]="\n".'skip_rbl_checks 1'; + $pattern[]='/\n#\s+skip_rbl_checks\s+\d/'; + $replacement[]="\n".'skip_rbl_checks 1'; } - $pattern[12]='/bayes_ignore_header ([a-zA-Z0-9_.-]+)MailScanner/'; - $replacement[12]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"pfsense")."-MailScanner"; - $pattern[13]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/'; - $replacement[13]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"pfsense")."-MailScanner-From"; + $pattern[]='/bayes_ignore_header ([a-zA-Z0-9_.-]+)MailScanner/'; + $replacement[]="bayes_ignore_header ".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner"; + $pattern[]='/envelope_sender_header X([a-zA-Z0-9_.-]+)MailScanner-From/'; + $replacement[]="envelope_sender_header X-".($mailscanner['orgname']!=""?$mailscanner['orgname']:"Pfsense")."-MailScanner-From"; $sa_temp=preg_replace($pattern,$replacement,$sa_temp); @@ -525,34 +539,24 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf unlink_if_exists($libexec_dir.'clamav-wrapper'); } else{ - if (file_exists('/var/run/clamav/')) - chown('/var/run/clamav/', 'postfix'); - if (file_exists('/var/log/clamav/')) - chown('/var/log/clamav/', 'postfix'); - if (file_exists('/var/db/clamav/')) - chown('/var/db/clamav/', 'postfix'); - if (file_exists('/var/db/clamav/bytecode.cld')) - chown('/var/db/clamav/bytecode.cld', 'postfix'); - if (file_exists('/var/db/clamav/daily.cld')) - chown('/var/db/clamav/daily.cld', 'postfix'); - if (file_exists('/var/db/clamav/main.cvd')) - chown('/var/db/clamav/main.cvd', 'postfix'); - if (file_exists('/var/db/clamav/mirrors.dat')) - chown('/var/db/clamav/mirrors.dat', 'postfix'); - if (file_exists('/var/log/clamav/clamd.log')) - chown('/var/log/clamav/clamd.log', 'postfix'); - if (file_exists('/var/log/clamav/freshclam.log')) - chown('/var/log/clamav/freshclam.log', 'postfix'); - + $av_dirs=array('run','log','db'); + foreach ($av_dirs as $av_dir){ + if (!is_dir("/var/$av_dir/clamav")) + mkdir("/var/$av_dir/clamav",0774,true); + chown("/var/$av_dir/clamav", 'postfix'); + chgrp("/var/$av_dir/clamav", 'wheel'); + } + $av_files=array('/var/db/clamav/daily.cld','/var/db/clamav/main.cvd','/var/db/clamav/mirrors.dat', + '/var/log/clamav/clamd.log','/var/log/clamav/freshclam.log','/var/db/clamav/bytecode.cld'); + foreach ($av_files as $av_file){ + if (file_exists($av_file)) + chown($av_file, 'postfix'); + } copy($libexec_dir.'clamav-autoupdate.sample',$libexec_dir.'clamav-autoupdate'); chmod ($libexec_dir.'clamav-autoupdate',0755); copy($libexec_dir.'clamav-wrapper.sample',$libexec_dir.'clamav-wrapper'); chmod ($libexec_dir.'clamav-autoupdate',0755); - if (!file_exists('/var/db/clamav/main.cvd')){ - log_error('No clamav database found, running freshclam in background.'); - mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam'); - } - + #clamav-wrapper file $cconf=$libexec_dir."clamav-wrapper"; if (file_exists($cconf)){ @@ -565,7 +569,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #freshclam conf file $cconf=MAILSCANNER_LOCALBASE. "/etc/freshclam.conf"; - if (file_exists($conf)){ + if (file_exists($cconf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/DatabaseOwner clamav/',$cconf_file)){ $cconf_file=preg_replace("/DatabaseOwner clamav/","DatabaseOwner postfix",$cconf_file); @@ -575,7 +579,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf #clamd conf file $cconf=MAILSCANNER_LOCALBASE. "/etc/clamd.conf"; - if (file_exists($conf)){ + if (file_exists($cconf)){ $cconf_file=file_get_contents($cconf); if (preg_match('/User clamav/',$cconf_file)){ $cconf_file=preg_replace("/User clamav/","User postfix",$cconf_file); @@ -616,6 +620,13 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } } + + #check clamav database + if (!file_exists('/var/db/clamav/main.cvd')){ + log_error('No clamav database found, running freshclam in background.'); + mwexec_bg(MAILSCANNER_LOCALBASE. '/bin/freshclam --config-file='.MAILSCANNER_LOCALBASE.'/etc/freshclam.conf --user=root'); + } + } } else{ @@ -660,7 +671,7 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf } } } - + $script=MAILSCANNER_LOCALBASE. '/etc/rc.d/mailscanner'; #fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/mailscanner @@ -670,20 +681,35 @@ Country Sub-Domains List = %etc-dir%/country.domains.conf exec('find '.MAILSCANNER_LOCALBASE. '/lib/perl5/site_perl -name Df.pm',$find_out); $perl_bin="perl"; foreach($find_out as $perl_dir){ - if (preg_match ('@usr/local/lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)) + if (preg_match ('@/usr\S+lib/perl5/site_perl/([.0-9]+)/mach/Filesys/Df.pm@',$perl_dir,$perl_match)) $perl_bin.=$perl_match[1]; } $cconf_file=file_get_contents($cconf); - $pattern2[0]='@#!/usr.*bin/perl.*I@'; + $pattern2[0]='@#!/usr\S+bin/perl.*I@'; $pattern2[1]='/\smy .current = config MIME::ToolUtils/'; $replacement2[0]='#!'.MAILSCANNER_LOCALBASE. "/bin/{$perl_bin} -U -I"; $replacement2[1]=' #my $current = config MIME::ToolUtils'; - if (preg_match('@#!/usr.*bin/perl.*I@',$cconf_file)){ + if (preg_match('@#!/usr\S+bin/perl.*I@',$cconf_file)){ $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file); file_put_contents($cconf, $cconf_file, LOCK_EX); } } + + #check spam assassin rules + $saupdate="/usr/local/bin/sa-update"; + if (file_exists($saupdate)){ + $rules_found=0; + if (file_exists("/var/db/spamassassin")){ + foreach (glob("/var/db/spamassassin/*",GLOB_ONLYDIR) as $dirname) + $rules_found++; + } + if ($rules_found==0){ + log_error("Mailscanner- No spamassassin rules found, forcing sa-update."); + mwexec($saupdate); + } + } + if (file_exists($script)){ $script_file=file_get_contents($script); if (preg_match('/NO/',$script_file)){ diff --git a/config/mailscanner/mailscanner.xml b/config/mailscanner/mailscanner.xml index 0e644196..05798a1e 100644 --- a/config/mailscanner/mailscanner.xml +++ b/config/mailscanner/mailscanner.xml @@ -9,7 +9,7 @@ /* mailscanner.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -54,7 +54,7 @@ <service> <name>mailscanner</name> <rcfile>mailscanner</rcfile> - <executable>perl5.12.4</executable> + <executable>perl5.14.2</executable> <description>MailScanner</description> </service> <additional_files_needed> @@ -112,6 +112,11 @@ <prefix>/usr/local/pkg/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/mailscanner/pkg_mailscanner.inc</item> + </additional_files_needed> <tabs> <tab> <text>General</text> @@ -228,7 +233,7 @@ <fielddescr>Logging</fielddescr> <fieldname>syslog</fieldname> <description> - <![CDATA[Select virus scanner tests to enable. Mailscanner default options are in ( ).]]> + <![CDATA[Select logging options to enable. Mailscanner default options are in ( ).]]> </description> <type>select</type> <options> diff --git a/config/mailscanner/mailscanner_antispam.xml b/config/mailscanner/mailscanner_antispam.xml index 652935f5..7f989765 100644 --- a/config/mailscanner/mailscanner_antispam.xml +++ b/config/mailscanner/mailscanner_antispam.xml @@ -9,7 +9,7 @@ /* mailscanner_antispam.xml part of the mailscanner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -346,62 +346,93 @@ <size>5</size> </field> <field> - <name>Antispam Files</name> + <name>spam.assassin.prefs.conf</name> <type>listtopic</type> </field> <field> <fielddescr>spam.assassin.prefs.conf</fielddescr> <fieldname>sa_pref_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>spam.lists.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>spam.lists.conf</fielddescr> <fieldname>rbl_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.lists.conf. Leave Blank to load sample file.<br> <strong>Use this list only when not using postscreen RBL checks(postfix-forwareder package).</strong>]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>bounce.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>bounce.rules</fielddescr> <fieldname>bounce</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>max.message.size.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>max.message.size.rules</fielddescr> <fieldname>max_message_size</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>spam.whitelist.rules</name> + <type>listtopic</type> + </field> + <field> <fielddescr>spam.whitelist.rules</fielddescr> <fieldname>spam_whitelist</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - + <field> + <name>mcp.spam.assassin.prefs.conf</name> + <type>listtopic</type> + </field> <field> <fielddescr>mcp.spam.assassin.prefs.conf</fielddescr> <fieldname>mcp_pref_file</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit mcp.spam.assassin.prefs.conf. Leave Blank to load sample file.]]></description> <type>textarea</type> - <cols>80</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_antivirus.xml b/config/mailscanner/mailscanner_antivirus.xml index 4a3bfe6c..590a61f6 100644 --- a/config/mailscanner/mailscanner_antivirus.xml +++ b/config/mailscanner/mailscanner_antivirus.xml @@ -9,7 +9,7 @@ /* mailscanner_antivirus.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -159,11 +159,17 @@ <size>30</size> </field> <field> + <name>Custom antivirus options</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Custom antivirus options</fielddescr> <fieldname>custom</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Paste your custom mailscanner antivirus settings here.]]></description> <type>textarea</type> - <cols>60</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_attachments.xml b/config/mailscanner/mailscanner_attachments.xml index 1b031466..e89fbd46 100644 --- a/config/mailscanner/mailscanner_attachments.xml +++ b/config/mailscanner/mailscanner_attachments.xml @@ -9,7 +9,7 @@ /* mailscanner_attachments.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -174,24 +174,32 @@ <size>5</size> </field> <field> - <name>Fileset rules</name> + <name>filename.rules.conf</name> <type>listtopic</type> </field> <field> <fielddescr>filename.rules.conf</fielddescr> <fieldname>filename_rules</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit archives.filename.rules.conf file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>85</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>filetypes.rules.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>filetypes.rules.conf</fielddescr> <fieldname>filetype_rules</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit archives.filetype.rules.conf file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>85</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_content.xml b/config/mailscanner/mailscanner_content.xml index ca79b07f..07342dce 100644 --- a/config/mailscanner/mailscanner_content.xml +++ b/config/mailscanner/mailscanner_content.xml @@ -9,7 +9,7 @@ /* mailscanner_contents.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -114,13 +114,13 @@ <multiple/> </field> <field> - <fielddescr>Allow IFrame Tags</fielddescr> + <fielddescr>IFrame Tags</fielddescr> <fieldname>iframe_tags</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'IFrame' tags in email messages?<br> This is not a good idea as it allows various Microsoft Outlook security vulnerabilities to remain unprotected, but if you have a load of mailing lists sending them, @@ -128,39 +128,39 @@ </description> </field> <field> - <fielddescr>Allow Form Tags</fielddescr> + <fielddescr>Form Tags</fielddescr> <fieldname>form_tags</fieldname> <type>select</type> <options> <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Form' tags in email messages?<br> This is a bad idea as these are used as scams to pursuade people to part with credit card information and other personal data.]]> </description> </field> <field> - <fielddescr>Allow Script Tags</fielddescr> + <fielddescr>Script Tags</fielddescr> <fieldname>script_tags</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Script' tags in email messages?<br> This is a bad idea as these are used to exploit vulnerabilities in email applications and web browsers.]]> </description> </field> <field> - <fielddescr>Allow web bugs</fielddescr> + <fielddescr>Web bugs</fielddescr> <fieldname>web_bugs</fieldname> <type>select</type> <options> - <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>Disarm</name><value>disarm</value></option> + <option><name>Allow</name><value>yes</value></option> + <option><name>Deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow 'Img' tags with very small images in email messages?<br> This is a bad idea as these are used as 'web bugs' to find out if a message has been read.<br> @@ -168,13 +168,13 @@ </description> </field> <field> - <fielddescr>Allow Object Codebase Tags</fielddescr> + <fielddescr>Object Codebase Tags</fielddescr> <fieldname>codebase_tags</fieldname> <type>select</type> <options> <option><name>disarm</name><value>disarm</value></option> - <option><name>yes</name><value>yes</value></option> - <option><name>no</name><value>no</value></option> + <option><name>allow</name><value>yes</value></option> + <option><name>deny</name><value>no</value></option> </options> <description><![CDATA[Do you want to allow <strong>'Object Codebase=...' or 'Object Data=...'</strong> tags in email messages?<br> This is a bad idea as it leaves you unprotected against various Microsoft-specific security vulnerabilities.<br> @@ -182,33 +182,47 @@ </description> </field> <field> - <name>Phishing files</name> + <name>phishing.safe.sites.conf</name> <type>listtopic</type> </field> <field> <fielddescr>phishing.safe.sites.conf</fielddescr> <fieldname>phishing_safe</fieldname> - <description><![CDATA[edit phishing.safe.sites.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[phishing.safe.sites.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>phishing.bad.sites.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>phishing.bad.sites.conf</fielddescr> <fieldname>phishing_bad</fieldname> - <description><![CDATA[edit phishing.bad.sites.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[phishing.bad.sites.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> <field> + <name>country.domains.conf</name> + <type>listtopic</type> + </field> + <field> <fielddescr>country.domains.conf</fielddescr> <fieldname>country_domains</fieldname> - <description><![CDATA[edit country.domains.conf file here.<br>If you leave this field blank, it will load sample file.]]></description> + <dontdisplayname/> + <usecolspan2/> + <description><![CDATA[country.domains.conf config file.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> - <cols>70</cols> + <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/mailscanner/mailscanner_report.xml b/config/mailscanner/mailscanner_report.xml index 60e7385c..e12ed341 100644 --- a/config/mailscanner/mailscanner_report.xml +++ b/config/mailscanner/mailscanner_report.xml @@ -9,7 +9,7 @@ /* mailscanner_report.xml part of the mailscaner package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -90,6 +90,31 @@ <type>listtopic</type> </field> <field> + <fielddescr>Language</fielddescr> + <fieldname>language</fieldname> + <description> + <![CDATA[Select report language.]]> + </description> + <type>select</type> + <options> + <option><name>EN (Default)</name><value>en</value></option> + <option><name>CA</name><value>ca</value></option> + <option><name>CY+EN</name><value>cy+en</value></option> + <option><name>CZ</name><value>cz</value></option> + <option><name>DE</name><value>de</value></option> + <option><name>DK</name><value>dk</value></option> + <option><name>ES</name><value>es</value></option> + <option><name>FR</name><value>fr</value></option> + <option><name>HU</name><value>hu</value></option> + <option><name>IT</name><value>it</value></option> + <option><name>NL</name><value>nl</value></option> + <option><name>PT_BR</name><value>pt_br</value></option> + <option><name>RO</name><value>ro</value></option> + <option><name>SE</name><value>se</value></option> + <option><name>SK</name><value>sk</value></option> + </options> + </field> + <field> <fielddescr>Reports</fielddescr> <fieldname>features</fieldname> <description> @@ -177,46 +202,29 @@ <size>20</size> </field> <field> - <name>Message Reports</name> + <name>Deleted Bad Content</name> <type>listtopic</type> </field> <field> - <fielddescr>Language</fielddescr> - <fieldname>language</fieldname> - <description> - <![CDATA[Select report language.]]> - </description> - <type>select</type> - <options> - <option><name>EN (Default)</name><value>en</value></option> - <option><name>CA</name><value>ca</value></option> - <option><name>CY+EN</name><value>cy+en</value></option> - <option><name>CZ</name><value>cz</value></option> - <option><name>DE</name><value>de</value></option> - <option><name>DK</name><value>dk</value></option> - <option><name>ES</name><value>es</value></option> - <option><name>FR</name><value>fr</value></option> - <option><name>HU</name><value>hu</value></option> - <option><name>IT</name><value>it</value></option> - <option><name>NL</name><value>nl</value></option> - <option><name>PT_BR</name><value>pt_br</value></option> - <option><name>RO</name><value>ro</value></option> - <option><name>SE</name><value>se</value></option> - <option><name>SK</name><value>sk</value></option> - </options> - </field> - <field> <fielddescr>Deleted Bad Content</fielddescr> <fieldname>deletedbadcontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Deleted Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Bad Filename</fielddescr> <fieldname>deletedbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.filename.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -224,8 +232,14 @@ <encoding>base64</encoding> </field> <field> + <name>Deleted Virus</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Virus</fielddescr> <fieldname>deletedvirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.virus.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -233,35 +247,59 @@ <encoding>base64</encoding> </field> <field> + <name>Deleted Size</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Deleted Size</fielddescr> <fieldname>deletedsize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit deleted.size.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Bad Content</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Bad Content</fielddescr> <fieldname>storedbadcontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Bad Filename</fielddescr> <fieldname>storedbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.filename.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - <field> + <field> + <name>Stored Virus</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Virus</fielddescr> <fieldname>storedvirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.virus.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -269,8 +307,14 @@ <encoding>base64</encoding> </field> <field> + <name>Disinfected Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Disinfected Report</fielddescr> <fieldname>disinfected</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit stored.size.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -278,8 +322,14 @@ <encoding>base64</encoding> </field> <field> + <name>Stored Size</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Stored Size</fielddescr> <fieldname>storedsize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit disinfected.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -287,8 +337,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender content</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender content</fielddescr> <fieldname>sendercontent</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.content.message.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -296,8 +352,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Error</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Error</fielddescr> <fieldname>sendererror</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.error.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -305,8 +367,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Bad Filename</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Bad Filename</fielddescr> <fieldname>senderbadfilename</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.filename.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -314,8 +382,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Virus Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Virus Report</fielddescr> <fieldname>sendervirus</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.virus.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -323,8 +397,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Size Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Size Report</fielddescr> <fieldname>sendersize</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.size.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -332,8 +412,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam report</fielddescr> <fieldname>senderspam</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -341,8 +427,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender SPam RBL report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender SPam RBL report</fielddescr> <fieldname>senderrbl</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.rbl.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -350,8 +442,14 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam SA report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam SA report</fielddescr> <fieldname>sendersa</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.spam.sa.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -359,18 +457,29 @@ <encoding>base64</encoding> </field> <field> + <name>Sender Spam MCP report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Sender Spam MCP report</fielddescr> <fieldname>sendermcp</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit sender.mcp.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - + <field> + <name>Recipients Spam report</name> + <type>listtopic</type> + </field> <field> <fielddescr>Recipients Spam report</fielddescr> <fieldname>recipientspam</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit recipient.spam.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -378,8 +487,14 @@ <encoding>base64</encoding> </field> <field> + <name>Recipients MCP report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Recipients MCP report</fielddescr> <fieldname>recipientmcp</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit recipient.mcp.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> @@ -387,16 +502,20 @@ <encoding>base64</encoding> </field> <field> + <name>Rejection Report</name> + <type>listtopic</type> + </field> + <field> <fielddescr>Rejection Report</fielddescr> <fieldname>rejection</fieldname> + <dontdisplayname/> + <usecolspan2/> <description><![CDATA[Edit rejection.report.txt file here.<br>Leave this field blank to load sample file.]]></description> <type>textarea</type> <cols>90</cols> <rows>15</rows> <encoding>base64</encoding> </field> - - </fields> <custom_php_install_command> mailscanner_php_install_command(); diff --git a/config/mailscanner/pkg_mailscanner.inc b/config/mailscanner/pkg_mailscanner.inc new file mode 100755 index 00000000..cbd83cf5 --- /dev/null +++ b/config/mailscanner/pkg_mailscanner.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['mailscanner'] = array(); +$shortcuts['mailscanner']['main'] = "pkg_edit.php?xml=mailscanner.xml"; +$shortcuts['mailscanner']['log'] = "diag_logs.php"; +$shortcuts['mailscanner']['status'] = "status_services.php"; +$shortcuts['mailscanner']['service'] = "mailscanner"; + +?> diff --git a/config/nrpe2/nrpe2.inc b/config/nrpe2/nrpe2.inc index cd3fa013..25964b16 100644 --- a/config/nrpe2/nrpe2.inc +++ b/config/nrpe2/nrpe2.inc @@ -159,8 +159,12 @@ function nrpe2_custom_php_write_config() { conf_mount_rw(); $cmds = array(); foreach ($config['installedpackages']['nrpe2']['config'][0]['row'] as $cmd) { + $sudo_bin = "/usr/local/bin/sudo"; + $sudo = (isset($cmd['sudo']) && is_executable($sudo_bin)) ? "{$sudo_bin} " : ""; + $wcmd = !empty($cmd['warning']) ? "-w {$cmd['warning']}" : ""; + $ccmd = !empty($cmd['critical']) ? "-c {$cmd['critical']}" : ""; if (is_executable("{$nagios_check_path}/{$cmd['command']}")) - $cmds[] = "command[{$cmd['name']}]={$nagios_check_path}/{$cmd['command']} -w {$cmd['warning']} -c {$cmd['critical']} {$cmd['extra']}\n"; + $cmds[] = "command[{$cmd['name']}]={$sudo}{$nagios_check_path}/{$cmd['command']} {$wcmd} {$ccmd} {$cmd['extra']}\n"; } $commands = implode($cmds); diff --git a/config/nrpe2/nrpe2.xml b/config/nrpe2/nrpe2.xml index e013b47c..5b84b97f 100644 --- a/config/nrpe2/nrpe2.xml +++ b/config/nrpe2/nrpe2.xml @@ -3,7 +3,7 @@ <description>Nagios NRPEv2</description> <requirements>Describe your package requirements here</requirements> <name>nrpe2</name> - <version>2.11</version> + <version>2.2</version> <title>NRPEv2</title> <aftersaveredirect>/pkg_edit.php?xml=nrpe2.xml&id=0</aftersaveredirect> <include_file>/usr/local/pkg/nrpe2.inc</include_file> diff --git a/config/ntop/ntop.xml b/config/ntop/ntop.xml index 3b50c847..b635ef1f 100644 --- a/config/ntop/ntop.xml +++ b/config/ntop/ntop.xml @@ -64,6 +64,7 @@ <name>ntop</name> <rcfile>ntop.sh</rcfile> <executable>ntop</executable> + <description>NTOP bandwidth monitoring/graphing</description> </service> <tabs> <tab> diff --git a/config/ntop2/ntop.xml b/config/ntop2/ntop.xml index 898df4d7..4db9e9c8 100644 --- a/config/ntop2/ntop.xml +++ b/config/ntop2/ntop.xml @@ -60,6 +60,7 @@ <name>ntop</name> <rcfile>ntop.sh</rcfile> <executable>ntop</executable> + <description>NTOP bandwidth monitoring/graphing</description> </service> <tabs> <tab> diff --git a/config/nut/nut.inc b/config/nut/nut.inc index 0c1235dd..46c5741e 100644 --- a/config/nut/nut.inc +++ b/config/nut/nut.inc @@ -272,7 +272,7 @@ EOD; $upsd_users = "[monuser]\n"; $upsd_users .= "password = {$password}\n"; $upsd_users .= "upsmon master\n"; - if($allowaddr && $allowuser) { + if($allowuser && $allowpass) { $upsd_users .= "\n[$allowuser]\n"; $upsd_users .= "password = $allowpass\n"; $upsd_users .= "upsmon master\n"; @@ -356,7 +356,6 @@ EOD; $snmpcommunity = nut_config('snmpcommunity'); $snmpfreq = nut_config('snmpfreq'); $snmpdisabletransfer = (nut_config('snmpdisabletransfer') == 'on'); - $allowaddr = nut_config('allowaddr'); $allowuser = nut_config('allowuser'); $allowpass = nut_config('allowpass'); @@ -389,7 +388,7 @@ EOD; $upsd_users = "[monuser]\n"; $upsd_users .= "password = {$password}\n"; $upsd_users .= "upsmon master\n"; - if($allowaddr && $allowuser) { + if($allowuser && $allowpass) { $upsd_users .= "\n[$allowuser]\n"; $upsd_users .= "password = $allowpass\n"; $upsd_users .= "upsmon master\n"; diff --git a/config/nut/nut.xml b/config/nut/nut.xml index 75a5c246..fcfbdfe6 100644 --- a/config/nut/nut.xml +++ b/config/nut/nut.xml @@ -61,6 +61,7 @@ <name>nut</name> <rcfile>nut.sh</rcfile> <executable>upsmon</executable> + <description>UPS monitoring daemon</description> </service> <tabs> <tab> @@ -298,6 +299,10 @@ <value>upscode204</value> </option> <option> + <name>Generic USB UPS (Blazer)</name> + <value>blazer_usb01</value> + </option> + <option> <name>Inform GUARD Line Interactive</name> <value>powercom00</value> </option> @@ -599,6 +604,10 @@ <name>pw</name> <value>pw</value> </option> + <option> + <name>cyberpower</name> + <value>cyberpower</value> + </option> </options> </field> <field> @@ -648,4 +657,4 @@ <custom_php_deinstall_command> deinstall_package_nut(); </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/openbgpd/openbgpd.xml b/config/openbgpd/openbgpd.xml index 58107d48..73bda244 100644 --- a/config/openbgpd/openbgpd.xml +++ b/config/openbgpd/openbgpd.xml @@ -49,6 +49,7 @@ <name>bgpd</name> <rcfile>bgpd.sh</rcfile> <executable>bgpd</executable> + <description>OpenBSD BGP Daemon</description> </service> <additional_files_needed> <prefix>/usr/local/www/</prefix> diff --git a/config/openospfd/openospfd.xml b/config/openospfd/openospfd.xml index 278a91a0..ab948e7a 100644 --- a/config/openospfd/openospfd.xml +++ b/config/openospfd/openospfd.xml @@ -45,6 +45,7 @@ <name>OpenOSPFd</name> <rcfile>ospfd.sh</rcfile> <executable>ospfd</executable> + <description>OpenBSD OSPF Daemon</description> </service> <fields> <field> diff --git a/config/openvpn-client-export/openvpn-client-export.inc b/config/openvpn-client-export/openvpn-client-export.inc index ac006d20..e6351686 100755 --- a/config/openvpn-client-export/openvpn-client-export.inc +++ b/config/openvpn-client-export/openvpn-client-export.inc @@ -33,6 +33,10 @@ require_once("globals.inc"); require_once("openvpn.inc"); +require_once("filter.inc"); +require_once("shaper.inc"); +require_once("util.inc"); +require_once("pfsense-utils.inc"); function openvpn_client_export_install() { conf_mount_rw(); @@ -156,7 +160,7 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { } elseif (($settings['mode'] == "server_tls") || (($settings['mode'] == "server_tls_user") && ($settings['authmode'] != "Local Database"))) { $cert = $config['cert'][$crtid]; if (!$cert) - $input_errors[] = "Could not find client certifficate."; + $input_errors[] = "Could not find client certificate."; } else $nokeys = true; @@ -166,8 +170,9 @@ function openvpn_client_export_validate_config($srvid, $usrid, $crtid) { return array($settings, $server_cert, $server_ca, $servercn, $user, $cert, $nokeys); } -function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { +function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys = false, $proxy, $expformat = "baseconf", $outpass = "", $skiptls=false, $doslines=false, $openvpnmanager, $advancedoptions = "") { global $config, $input_errors, $g; + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); $nl = ($doslines) ? "\r\n" : "\n"; $conf = ""; @@ -180,27 +185,10 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // determine basic variables - if ($useaddr == "serveraddr") { - $interface = $settings['interface']; - if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { - $server_host = $settings['ipaddr']; - } else { - if (!$interface || ($interface == "any")) - $interface = "wan"; - $server_host = get_interface_ip($interface); - } - } else if ($useaddr == "serverhostname" || empty($useaddr)) { - $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; - $server_host .= "{$config['system']['domain']}"; - } else - $server_host = $useaddr; - + $remotes = openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl); $server_port = $settings['local_port']; - $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); - if (($expformat == "inlineios") && ($proto == "tcp-client")) - $proto = "tcp"; - $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $devmode = empty($settings['dev_mode']) ? "tun" : $settings['dev_mode']; @@ -215,14 +203,29 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese // if ((($expformat != "inlinedroid") && ($expformat != "inlineios")) && ($proto == "tcp")) // $conf .= "proto tcp-client{$nl}"; $conf .= "cipher {$cipher}{$nl}"; + $conf .= "auth {$digest}{$nl}"; $conf .= "tls-client{$nl}"; $conf .= "client{$nl}"; if (($expformat != "inlinedroid") && ($expformat != "inlineios")) $conf .= "resolv-retry infinite{$nl}"; - $conf .= "remote {$server_host} {$server_port} {$proto}{$nl}"; - if (!empty($servercn) && ($expformat != "inlineios")) { - $qw = ($quoteservercn) ? "\"" : ""; - $conf .= "tls-remote {$qw}{$servercn}{$qw}{$nl}"; + $conf .= "$remotes{$nl}"; + /* This line can cause problems with auth-only setups and also with Yealink/Snom phones + since they are stuck on an older OpenVPN version that does not support this feature. */ + if (!empty($servercn) && !$nokeys) { + switch ($verifyservercn) { + case "none": + break; + case "tls-remote": + $conf .= "tls-remote {$servercn}{$nl}"; + break; + case "tls-remote-quote": + $conf .= "tls-remote \"{$servercn}\"{$nl}"; + break; + default: + if ((substr($expformat, 0, 7) != "yealink") && ($expformat != "snom")) { + $conf .= "verify-x509-name \"{$servercn}\" name{$nl}"; + } + } } if (!empty($proxy)) { @@ -309,18 +312,28 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } // add optional settings - if ($settings['compression']) - $conf .= "comp-lzo{$nl}"; + if (!empty($settings['compression'])) { + if ($pfs_version > 2.1) + $conf .= "comp-lzo {$settings['compression']}{$nl}"; + else + $conf .= "comp-lzo{$nl}"; + } + if ($settings['passtos']) $conf .= "passtos{$nl}"; if ($openvpnmanager) { + if (!empty($settings['client_mgmt_port'])) { + $client_mgmt_port = $settings['client_mgmt_port']; + } else { + $client_mgmt_port = 166; + } $conf .= $nl; $conf .= "# dont terminate service process on wrong password, ask again{$nl}"; $conf .= "auth-retry interact{$nl}"; $conf .= "# open management channel{$nl}"; - $conf .= "management 127.0.0.1 166{$nl}"; + $conf .= "management 127.0.0.1 {$client_mgmt_port}{$nl}"; $conf .= "# wait for management to explicitly start connection{$nl}"; $conf .= "management-hold{$nl}"; $conf .= "# query management channel for user/pass{$nl}"; @@ -458,7 +471,7 @@ function openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quotese } } -function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { +function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions, $openvpn_version = "2.1") { global $config, $g, $input_errors; $uname_p = trim(exec("uname -p")); @@ -470,7 +483,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $client_install_exe = "openvpn-install-2.3-x86_64.exe"; break; default: - $client_install_exe = "openvpn-install-2.2.exe"; + $client_install_exe = "openvpn-install-2.3-i686.exe"; } $ovpndir = "/usr/local/share/openvpn"; @@ -498,6 +511,8 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot exec("cp -r {$workdir}/template/* {$tempdir}"); // and put the required installer exe in place exec("/bin/cp {$tempdir}/{$client_install_exe} {$tempdir}/openvpn-install.exe"); + if (stristr($openvpn_version, "x64")) + rename("{$tempdir}/openvpn-postinstall64.exe", "{$tempdir}/openvpn-postinstall.exe"); // write configuration file $prefix = openvpn_client_export_prefix($srvid, $usrid, $crtid); @@ -508,7 +523,7 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot $pwdfle .= "{$proxy['password']}\r\n"; file_put_contents("{$confdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, "", "baseconf", false, true, $openvpnmanager, $advancedoptions); if (!$conf) { $input_errors[] = "Could not create a config to export."; return false; @@ -543,8 +558,6 @@ function openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quot if ($openvpnmanager) $files .= "openvpnmanager "; - unlink("openvpn-postinstall.exe"); - rename("openvpnmanager/openvpn-postinstall.exe","openvpn-postinstall.exe"); $files .= "openvpn-install.exe "; $files .= "openvpn-postinstall.exe "; if ($usetoken) @@ -575,7 +588,7 @@ RunProgram="openvpn-postinstall.exe" return $outfile; } -function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { +function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $outpass, $proxy, $openvpnmanager, $advancedoptions) { global $config, $g; $uname_p = trim(exec("uname -p")); @@ -610,14 +623,14 @@ function viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $usead file_put_contents("{$tempdir}/{$proxy['passwdfile']}", $pwdfle); } - $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); + $conf = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, true, $proxy, "baseconf", "", true, $openvpnmanager, $advancedoptions); if (!$conf) return false; // We need to nuke the ca line from the above config if it exists. $conf = explode("\n", $conf); for ($i=0; $i < count($conf); $i++) { - if (substr($conf[$i], 0, 3) == "ca ") + if ((substr($conf[$i], 0, 3) == "ca ") || (substr($conf[$i], 0, 7) == "pkcs12 ")) unset($conf[$i]); } $conf = implode("\n", $conf); @@ -726,6 +739,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp-client"); $cipher = $settings['crypto']; + $digest = !empty($settings['digest']) ? $settings['digest'] : "SHA1"; // add basic settings $conf = "dev tun\n"; @@ -736,6 +750,7 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco $conf .= "persist-key\n"; $conf .= "proto {$proto}\n"; $conf .= "cipher {$cipher}\n"; + $conf .= "auth {$digest}\n"; $conf .= "pull\n"; $conf .= "resolv-retry infinite\n"; $conf .= "remote {$server_host} {$server_port}\n"; @@ -806,4 +821,111 @@ function openvpn_client_export_sharedkey_config($srvid, $useaddr, $proxy, $zipco return $conf; } +function openvpn_client_export_build_remote_lines($settings, $useaddr, $interface, $expformat, $nl) { + global $config; + $remotes = array(); + if (($useaddr == "serveraddr") || ($useaddr == "servermagic") || ($useaddr == "servermagichost")) { + $interface = $settings['interface']; + if (!empty($settings['ipaddr']) && is_ipaddr($settings['ipaddr'])) { + $server_host = $settings['ipaddr']; + } else { + if (!$interface || ($interface == "any")) + $interface = "wan"; + $server_host = get_interface_ip($interface); + } + } else if ($useaddr == "serverhostname" || empty($useaddr)) { + $server_host = empty($config['system']['hostname']) ? "" : "{$config['system']['hostname']}."; + $server_host .= "{$config['system']['domain']}"; + } else + $server_host = $useaddr; + + $proto = (strtoupper($settings['protocol']) == 'UDP' ? 'udp' : "tcp"); + if (($expformat == "inlineios") && ($proto == "tcp-client")) + $proto = "tcp"; + + if (($useaddr == "servermagic") || ($useaddr == "servermagichost")) { + $destinations = openvpn_client_export_find_port_forwards($server_host, $settings['local_port'], $proto, true, ($useaddr == "servermagichost")); + foreach ($destinations as $dest) { + $remotes[] = "remote {$dest['host']} {$dest['port']} {$dest['proto']}"; + } + } else { + $remotes[] = "remote {$server_host} {$settings['local_port']} {$proto}"; + } + + return implode($nl, $remotes); +} + +function openvpn_client_export_find_port_forwards($targetip, $targetport, $targetproto, $skipprivate, $findhostname=false) { + global $config, $FilterIflist; + if (empty($FilterIflist)) + filter_generate_optcfg_array(); + $destinations = array(); + + foreach ($config['nat']['rule'] as $natent) { + $dest = array(); + if (!isset($natent['disabled']) + && ($natent['target'] == $targetip) + && ($natent['local-port'] == $targetport) + && ($natent['protocol'] == $targetproto)) { + $dest['proto'] = $natent['protocol']; + + // Could be multiple ports... But we can only use one. + $dports = is_port($natent['destination']['port']) ? array($natent['destination']['port']) : filter_expand_alias_array($natent['destination']['port']); + $dest['port'] = $dports[0]; + + // Could be network or address ... + $natif = (!$natent['interface']) ? "wan" : $natent['interface']; + + if (!isset($FilterIflist[$natif])) + continue; // Skip if there is no interface + + $dstaddr = trim(filter_generate_address($natent, 'destination', true)); + if(!$dstaddr) + $dstaddr = $FilterIflist[$natif]['ip']; + + $dstaddr_port = explode(" ", $dstaddr); + + if(empty($dstaddr_port[0]) || strtolower(trim($dstaddr_port[0])) == "port") + continue; // Skip port forward if no destination address found + + + if (!is_ipaddr($dstaddr_port[0])) + continue; // We can only work with single IPs, not subnets! + + + if ($skipprivate && is_private_ip($dstaddr_port[0])) + continue; // Skipping a private IP destination! + + $dest['host'] = $dstaddr_port[0]; + + if ($findhostname) { + $hostname = openvpn_client_export_find_hostname($natif); + if (!empty($hostname)) + $dest['host'] = $hostname; + } + + $destinations[] = $dest; + } + } + + return $destinations; +} + +function openvpn_client_export_find_hostname($interface) { + global $config; + $hostname = ""; + if (is_array($config['dyndnses']['dyndns'])) { + foreach ($config['dyndnses']['dyndns'] as $ddns) { + if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) + return $ddns['host']; + } + } + if (is_array($config['dnsupdates']['dnsupdate'])) { + foreach ($config['dnsupdates']['dnsupdate'] as $ddns) { + if (($ddns['interface'] == $interface) && isset($ddns['enable']) && !empty($ddns['host']) && !is_numeric($ddns['host']) && is_hostname($ddns['host'])) + return $ddns['host']; + } + } + +} ?> diff --git a/config/openvpn-client-export/openvpn-client-export.xml b/config/openvpn-client-export/openvpn-client-export.xml index f90ac2cf..4c0518b2 100755 --- a/config/openvpn-client-export/openvpn-client-export.xml +++ b/config/openvpn-client-export/openvpn-client-export.xml @@ -1,7 +1,7 @@ <?xml version="1.0" encoding="utf-8" ?> <packagegui> <name>OpenVPN Client Export</name> - <version>1.0.11</version> + <version>1.2.2</version> <title>OpenVPN Client Export</title> <include_file>/usr/local/pkg/openvpn-client-export.inc</include_file> <backup_file></backup_file> diff --git a/config/openvpn-client-export/source/openvpn-postinstall64.nsi b/config/openvpn-client-export/source/openvpn-postinstall64.nsi new file mode 100644 index 00000000..b962ddff --- /dev/null +++ b/config/openvpn-client-export/source/openvpn-postinstall64.nsi @@ -0,0 +1,215 @@ +;-------------------------------- +; OpenVPN NSIS Post-Installer +;-------------------------------- + +;-------------------------------- +;Include Modern UI + +Var /GLOBAL mui.FinishPage.Run +!define MUI_FINISHPAGE_RUN_VARIABLES + + !include "MUI2.nsh" + !include "FileFunc.nsh" + !include "LogicLib.nsh" + +;-------------------------------- +; General +;-------------------------------- + + Name "OpenVPN Configuration" + OutFile "openvpn-postinstall64.exe" + SetCompressor /SOLID lzma + + ShowInstDetails show + + !include "dotnet2.nsh" + !include "x64.nsh" +;-------------------------------- +;Include Settings +;-------------------------------- + + !define MUI_ICON "openvpn-postinstall.ico" + !define MUI_ABORTWARNING + +;-------------------------------- +;Pages +;-------------------------------- + +!define WELCOME_TITLE 'Welcome to OpenVPN installer.' + +!define WELCOME_TEXT "This wizard will guide you through the installation of the OpenVPN client and configuration.$\r$\n$\r$\n\ +This wil automaticaly install the configuration files needed for your connection. \ +And if needed install the required DotNet2 framework." + !define MUI_WELCOMEPAGE_TITLE '${WELCOME_TITLE}' + ;!define MUI_WELCOMEPAGE_TITLE_3LINES + !define MUI_WELCOMEPAGE_TEXT '${WELCOME_TEXT}' + !insertmacro MUI_PAGE_WELCOME + + !insertmacro MUI_PAGE_INSTFILES + + + !define MUI_FINISHPAGE_RUN "C:\User\test.lnk" + !define MUI_FINISHPAGE_RUN_TEXT "Start OpenVPNManager." + !define MUI_FINISHPAGE_RUN_FUNCTION "LaunchLink" + !define MUI_PAGE_CUSTOMFUNCTION_SHOW finish_show + !insertmacro MUI_PAGE_FINISH + + !insertmacro Locate + !insertmacro GetParameters + !insertmacro GetOptions + +;-------------------------------- +;Languages +;-------------------------------- + + !insertmacro MUI_LANGUAGE "English" + +;-------------------------------- +;Functions +;-------------------------------- + +Function .onInit + Var /GLOBAL BINPATH + Var /GLOBAL CONFPATH + Var /GLOBAL OpenVPNManager + + ; If we are running on a 64-bit OS with a 64-bit payload then we must operate in the 64-bit registry + ; This should not be done if the payload is a 32-bit OpenVPN even on a 64-bit OS. + ${If} ${RunningX64} + SetRegView 64 + ${EndIf} + IfFileExists ".\OpenVPNManager" InstallOpenVPNManager1 DontInstallOpenVPNManager1 + InstallOpenVPNManager1: + strcpy $OpenVPNManager true + !insertmacro CheckForDotNET2 + Goto OpenVPNManagerDone1 + DontInstallOpenVPNManager1: + strcpy $OpenVPNManager false + OpenVPNManagerDone1: +FunctionEnd + +Function CopyConfFile + CopyFiles $R9 $CONFPATH\$R7 + Push $0 +FunctionEnd + +Function ImportConfFile + ExecWait "rundll32.exe cryptext.dll,CryptExtAddPFX $R9" + Push $0 +FunctionEnd + +Function CopyOpenVPNManager + DetailPrint "Installing OpenVPNManager..." + DetailPrint "Installing in: $BINPATH\OpenVPNManager\" + CreateDirectory "$BINPATH\OpenVPNManager" + CreateDirectory "$BINPATH\OpenVPNManager\config" + CopyFiles ".\OpenVPNManager\*.*" "$BINPATH\OpenVPNManager" + CreateShortcut "$desktop\OpenVPNManager.lnk" "$BINPATH\OpenVPNManager\OpenVPNManager.exe" + Push $0 +FunctionEnd + +Function finish_show + ${If} $OpenVPNManager != "true" + ;If OpenVPNManager is not installed then dont give the option to run it. (hide and uncheck the checkbox) + ShowWindow $mui.FinishPage.Run 0 + ${NSD_Uncheck} $mui.FinishPage.Run + ${EndIf} +FunctionEnd + +Function LaunchLink + ExecShell "" "$desktop\OpenVPNManager.lnk" +FunctionEnd +;-------------------------------- +;Installer Sections +;-------------------------------- + +Section "Import Configuration" SectionImport + ${If} $OpenVPNManager == "true" + ; OpenVPNManager needs dotnet2 + !insertmacro InstallDotNet2 + ${Endif} + + ClearErrors + ReadRegStr $BINPATH HKLM "Software\OpenVPN" "" + IfErrors OpenVPNInstall OpenVPNAlreadyInstalled + OpenVPNInstall: + DetailPrint "Pausing installation while OpenVPN installer runs." + ExecWait '".\openvpn-install.exe"' $1 + ${if} $OpenVPNManager == "true" + SetShellVarContext all + Delete "$desktop\OpenVPN GUI.lnk" + SetShellVarContext current + ${Endif} + Pop $0 + OpenVPNAlreadyInstalled: + + ClearErrors + ReadRegStr $BINPATH HKLM "Software\OpenVPN" "" + IfErrors OpenVPNnotFound OpenVPNok + OpenVPNnotFound: + Abort "OpenVPN installation not found, installation aborted." + OpenVPNok: + DetailPrint "Completed OpenVPN installation." + + ${If} $OpenVPNManager == "true" + strcpy $OpenVPNManager true + StrCpy $CONFPATH "$BINPATH\OpenVPNManager\config" + call "CopyOpenVPNManager" + ${Else} + strcpy $OpenVPNManager false + ClearErrors + ReadRegStr $CONFPATH HKLM "Software\OpenVPN" "config_dir" + IfErrors configNotFound configFound + configNotFound: + ReadRegStr $CONFPATH HKLM "Software\OpenVPN" "" + StrCpy $CONFPATH "$CONFPATH\config" + configFound: + + ${Endif} + + DetailPrint "Installing configuration files ..." + ${Locate} ".\config" "/L=F /M=*.ovpn" "CopyConfFile" + + DetailPrint "Installing certificate and key files ..." + ${Locate} ".\config" "/L=F /M=*.crt" "CopyConfFile" + ${Locate} ".\config" "/L=F /M=*.key" "CopyConfFile" + + ${If} $OpenVPNManager == "true" + DetailPrint "Registering OpenVPNManager service..." + ExecWait '"$BINPATH\OpenVPNManager\OpenVPNManager.exe" /install' + DetailPrint "Starting OpenVPNManager service..." + SimpleSC::StartService "OpenVPNManager" "" 30 + Pop $0 + ${Else} + ;DetailPrint "Starting OpenVPN Service..." + ;SimpleSC::StartService "OpenVPNService" "" 30 + ;Pop $0 + ${Endif} + + ${GetParameters} $R0 + ${GetOptions} $R0 "/Import" $R1 + IfErrors p12_copy p12_import + p12_copy: + ${Locate} ".\config" "/L=F /M=*.p12" "CopyConfFile" + Goto p12_done + p12_import: + ${Locate} ".\config" "/L=F /M=*.p12" "ImportConfFile" + Goto p12_done + p12_done: + +SectionEnd +;-------------------------------- +;Descriptions +;-------------------------------- + + ;Language strings + LangString DESC_SectionImport ${LANG_ENGLISH} "Import OpenVPN Configurations and Key Files." + + ;Assign language strings to sections + !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN + !insertmacro MUI_DESCRIPTION_TEXT ${SectionImport} $(DESC_SectionImport) + !insertmacro MUI_FUNCTION_DESCRIPTION_END + +;-------------------------------- +; END +;-------------------------------- diff --git a/config/openvpn-client-export/vpn_openvpn_export.php b/config/openvpn-client-export/vpn_openvpn_export.php index c2a54432..44744832 100755 --- a/config/openvpn-client-export/vpn_openvpn_export.php +++ b/config/openvpn-client-export/vpn_openvpn_export.php @@ -138,7 +138,7 @@ if (!empty($act)) { $advancedoptions = $_GET['advancedoptions']; $openvpnmanager = $_GET['openvpnmanager']; - $quoteservercn = $_GET['quoteservercn']; + $verifyservercn = $_GET['verifyservercn']; $usetoken = $_GET['usetoken']; if ($usetoken && (substr($act, 0, 10) == "confinline")) $input_errors[] = "You cannot use Microsoft Certificate Storage with an Inline configuration."; @@ -213,17 +213,17 @@ if (!empty($act)) { $exp_name = urlencode($exp_name."-config.ovpn"); $expformat = "baseconf"; } - $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); + $exp_path = openvpn_client_export_config($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $nokeys, $proxy, $expformat, $password, false, false, $openvpnmanager, $advancedoptions); } if($act == "visc") { $exp_name = urlencode($exp_name."-Viscosity.visc.zip"); - $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); + $exp_path = viscosity_openvpn_client_config_exporter($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions); } if(substr($act, 0, 4) == "inst") { $exp_name = urlencode($exp_name."-install.exe"); - $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $quoteservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); + $exp_path = openvpn_client_export_installer($srvid, $usrid, $crtid, $useaddr, $verifyservercn, $usetoken, $password, $proxy, $openvpnmanager, $advancedoptions, substr($act, 5)); } if (!$exp_path) { @@ -304,9 +304,9 @@ function download_begin(act, i, j) { advancedoptions = document.getElementById("advancedoptions").value; - var quoteservercn = 0; - if (document.getElementById("quoteservercn").checked) - quoteservercn = 1; + var verifyservercn; + verifyservercn = document.getElementById("verifyservercn").value; + var usetoken = 0; if (document.getElementById("usetoken").checked) usetoken = 1; @@ -380,7 +380,7 @@ function download_begin(act, i, j) { dlurl += "&crtid=" + escape(certs[j][0]); } dlurl += "&useaddr=" + escape(useaddr); - dlurl += ""eservercn=" + escape(quoteservercn); + dlurl += "&verifyservercn=" + escape(verifyservercn); dlurl += "&openvpnmanager=" + escape(openvpnmanager); dlurl += "&usetoken=" + escape(usetoken); if (usepass) @@ -434,11 +434,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ", -1)'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ", -1)'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ", -1)'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ", -1)'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ", -1)'>Viscosity Bundle<\/a>"; @@ -471,11 +469,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\", -1," + j + ")'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\", -1," + j + ")'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\", -1," + j + ")'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\", -1," + j + ")'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\", -1," + j + ")'>Viscosity Bundle<\/a>"; @@ -515,11 +511,9 @@ function server_changed() { cell2.innerHTML += "<a href='javascript:download_begin(\"confinline\"," + i + ")'>Others<\/a>"; cell2.innerHTML += "<br\/>- Windows Installers:<br\/>"; cell2.innerHTML += " "; - cell2.innerHTML += "<a href='javascript:download_begin(\"inst\"," + i + ")'>2.2<\/a>"; - cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x86\"," + i + ")'>2.3-x86<\/a>"; -// cell2.innerHTML += " "; -// cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; + cell2.innerHTML += " "; + cell2.innerHTML += "<a href='javascript:download_begin(\"inst-2.3-x64\"," + i + ")'>2.3-x64<\/a>"; cell2.innerHTML += "<br\/>- Mac OSX:<br\/>"; cell2.innerHTML += " "; cell2.innerHTML += "<a href='javascript:download_begin(\"visc\"," + i + ")'>Viscosity Bundle<\/a>"; @@ -597,6 +591,8 @@ function useproxy_changed(obj) { <td> <select name="useaddr" id="useaddr" class="formselect" onchange="useaddr_changed(this)"> <option value="serveraddr" >Interface IP Address</option> + <option value="servermagic" >Automagic Multi-WAN IPs (port forward targets)</option> + <option value="servermagichost" >Automagic Multi-WAN DDNS Hostnames (port forward targets)</option> <option value="serverhostname" >Installation hostname</option> <?php if (is_array($config['dyndnses']['dyndns'])): ?> <?php foreach ($config['dyndnses']['dyndns'] as $ddns): ?> @@ -623,16 +619,22 @@ function useproxy_changed(obj) { </td> </tr> <tr> - <td width="22%" valign="top" class="vncell">Quote Server CN</td> + <td width="22%" valign="top" class="vncell">Verify Server CN</td> <td width="78%" class="vtable"> - <table border="0" cellpadding="2" cellspacing="0" summary="quote server cn"> + <table border="0" cellpadding="2" cellspacing="0" summary="verify server cn"> <tr> <td> - <input name="quoteservercn" id="quoteservercn" type="checkbox" value="yes" /> - </td> - <td> + <select name="verifyservercn" id="verifyservercn" class="formselect"> + <option value="auto">Automatic - Use verify-x509-name (OpenVPN 2.3+) where possible</option> + <option value="tls-remote">Use tls-remote (Deprecated, use only on old clients <= OpenVPN 2.2.x)</option> + <option value="tls-remote-quote">Use tls-remote and quote the server CN</option> + <option value="none">Do not verify the server CN</option> + </select> + <br/> <span class="vexpl"> - Enclose the server CN in quotes. Can help if your server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed. + Optionally verify the server certificate Common Name (CN) when the client connects. Current clients, including the most recent versions of Windows, Viscosity, Tunnelblick, OpenVPN on iOS and Android and so on should all work at the default automatic setting. + <br/><br/>Only use tls-remote if you must use an older client that you cannot control. The option has been deprecated by OpenVPN and will be removed in the next major version. + <br/><br/>With tls-remote the server CN may optionally be enclosed in quotes. This can help if the server CN contains spaces and certain clients cannot parse the server CN. Some clients have problems parsing the CN with quotes. Use only as needed. </span> </td> </tr> @@ -804,6 +806,7 @@ function useproxy_changed(obj) { This will change the generated .ovpn configuration to allow for usage of the management interface. And include the OpenVPNManager program in the "Windows Installers". With this OpenVPN can be used also by non-administrator users. This is also useful for Windows Vista/7/8 systems where elevated permissions are needed to add routes to the system. + <br/><br/>NOTE: This is not currently compatible with the 64-bit OpenVPN installer. It will work with the 32-bit installer on a 64-bit system. </span> </td> </tr> diff --git a/config/postfix/pkg_postfix.inc b/config/postfix/pkg_postfix.inc new file mode 100755 index 00000000..18da1c11 --- /dev/null +++ b/config/postfix/pkg_postfix.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['postfix'] = array(); +$shortcuts['postfix']['main'] = "pkg_edit.php?xml=postfix.xml"; +$shortcuts['postfix']['log'] = "diag_logs_resolver.php"; +$shortcuts['postfix']['status'] = "status_services.php"; +$shortcuts['postfix']['service'] = "postfix"; + +?> diff --git a/config/postfix/postfix.inc b/config/postfix/postfix.inc index 193ec6c7..cf7cd786 100755 --- a/config/postfix/postfix.inc +++ b/config/postfix/postfix.inc @@ -29,6 +29,7 @@ POSSIBILITY OF SUCH DAMAGE. */ +$shortcut_section = "postfix"; require_once("util.inc"); require_once("functions.inc"); require_once("pkg-utils.inc"); diff --git a/config/postfix/postfix.xml b/config/postfix/postfix.xml index 25f7a81d..c3b3664f 100644 --- a/config/postfix/postfix.xml +++ b/config/postfix/postfix.xml @@ -145,6 +145,11 @@ <prefix>/usr/local/bin/</prefix> <chmod>0755</chmod> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/postfix/pkg_postfix.inc</item> + </additional_files_needed> <tabs> <tab> <text>General</text> diff --git a/config/postfix/postfix_acl.xml b/config/postfix/postfix_acl.xml index 4eeda7a4..d704c189 100644 --- a/config/postfix/postfix_acl.xml +++ b/config/postfix/postfix_acl.xml @@ -110,7 +110,7 @@ See http://www.postfix.org/header_checks.5.html for more help]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -124,7 +124,7 @@ See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions for more help]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -142,7 +142,7 @@ <strong>Note: a result of "OK" in this field is not allowed/wanted for safety reasons(it may accept forged senders as it will not do other spam checks). Instead, use DUNNO in order to exclude specific hosts from blacklists.</strong>]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -154,7 +154,7 @@ /^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|drv|em(ai)?l|ex[_e]|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> @@ -166,7 +166,7 @@ ~^[[:alnum:]+/]{60,}$~ OK]]> </description> <type>textarea</type> - <cols>83</cols> + <cols>80</cols> <rows>15</rows> <encoding>base64</encoding> </field> diff --git a/config/postfix/postfix_recipients.xml b/config/postfix/postfix_recipients.xml index 97e39fb2..2b07bae8 100644 --- a/config/postfix/postfix_recipients.xml +++ b/config/postfix/postfix_recipients.xml @@ -9,7 +9,7 @@ /* postfix_recipients.xml part of the Postfix package for pfSense - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -119,33 +119,38 @@ Before using LDAP fetch you must install p5-perl-ldap package(hint: <strong>/usr/sbin/pkg_add -r p5-perl-ldap</strong>)]]></description> </field> <field> - <fielddescr><![CDATA[<strong>HINTS</strong><br>Hostname:<br>dc1.mysite.com<br><br>Domain:<br>dc=mysite,dc=com<br><br>Username:<br>cn=antispam,cn=Users<br>]]></fielddescr> <fieldname>none</fieldname> <type>rowhelper</type> + <dontdisplayname/> + <usecolspan2/> + <movable>on</movable> <rowhelper> <rowhelperfield> <fielddescr>Hostname</fielddescr> + <description><![CDATA[<strong>Hostname Hint:</strong><br>dc1.mysite.com]]></description> <fieldname>dc</fieldname> <type>input</type> - <size>20</size> + <size>23</size> </rowhelperfield> <rowhelperfield> <fielddescr>Domain</fielddescr> + <description><![CDATA[<strong>Domain Hint:</strong><br>dc=mysite,dc=com]]></description> <fieldname>cn</fieldname> <type>input</type> - <size>22</size> + <size>25</size> </rowhelperfield> <rowhelperfield> <fielddescr>Username</fielddescr> + <description><![CDATA[<strong>Username Hint:</strong><br>Username:cn=antispam,cn=Users]]></description> <fieldname>username</fieldname> <type>input</type> - <size>20</size> + <size>24</size> </rowhelperfield> <rowhelperfield> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> <type>password</type> - <size>10</size> + <size>12</size> </rowhelperfield> </rowhelper> </field> diff --git a/config/quagga_ospfd/quagga_ospfd.inc b/config/quagga_ospfd/quagga_ospfd.inc index aabd27a8..782baf0f 100644 --- a/config/quagga_ospfd/quagga_ospfd.inc +++ b/config/quagga_ospfd/quagga_ospfd.inc @@ -73,6 +73,8 @@ function quagga_ospfd_install_conf() { // Since we need to embed this in a string, copy to a var. Can't embed constnats. $quagga_config_base = PKG_QUAGGA_CONFIG_BASE; + $noaccept = ""; + if ($config['installedpackages']['quaggaospfd']['rawconfig'] && $config['installedpackages']['quaggaospfd']['rawconfig']['item']) { // if there is a raw config specifyed in tthe config.xml use that instead of the assisted config $conffile = implode("\n",$config['installedpackages']['quaggaospfd']['rawconfig']['item']); @@ -132,6 +134,9 @@ function quagga_ospfd_install_conf() { if ($interface_subnet == 32) $interface_subnet = 30; $subnet = gen_subnet($interface_ip, $interface_subnet); + if (!empty($conf['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$subnet}/{$interface_subnet}\n"; + } if (!empty($conf['interfacearea'])) { $interface_networks[] = array( "subnet" => "{$subnet}/{$interface_subnet}", "area" => $conf['interfacearea']); } @@ -151,6 +156,9 @@ function quagga_ospfd_install_conf() { foreach ($ospfd_conf['row'] as $redistr) { if (empty($redistr['routevalue'])) continue; + if (isset($redistr['acceptfilter'])) { + $noaccept .= "ip prefix-list ACCEPTFILTER deny {$redistr['routevalue']}\n"; + } if (isset($redistr['redistribute'])) { $noredist .= " access-list dnr-list deny {$redistr['routevalue']}\n"; } else { @@ -239,6 +247,13 @@ function quagga_ospfd_install_conf() { $zebraconffile .= "password {$ospfd_conf['password']}\n"; if ($ospfd_conf['logging']) $zebraconffile .= "log syslog\n"; + if (!empty($noaccept)) { + $zebraconffile .= $noaccept; + $zebraconffile .= "ip prefix-list ACCEPTFILTER permit any\n"; + $zebraconffile .= "route-map ACCEPTFILTER permit 10\n"; + $zebraconffile .= "match ip address prefix-list ACCEPTFILTER\n"; + $zebraconffile .= "ip protocol ospf route-map ACCEPTFILTER\n"; + } $fd = fopen("{$quagga_config_base}/zebra.conf", "w"); fwrite($fd, $zebraconffile); fclose($fd); diff --git a/config/quagga_ospfd/quagga_ospfd.xml b/config/quagga_ospfd/quagga_ospfd.xml index a03f9e3c..c975961b 100644 --- a/config/quagga_ospfd/quagga_ospfd.xml +++ b/config/quagga_ospfd/quagga_ospfd.xml @@ -1,6 +1,6 @@ <packagegui> <name>quagga_ospfd</name> - <version>0.5.4</version> + <version>0.6.1</version> <title>Services: Quagga OSPFd</title> <include_file>/usr/local/pkg/quagga_ospfd.inc</include_file> <aftersaveredirect>pkg_edit.php?xml=quagga_ospfd.xml&id=0</aftersaveredirect> @@ -50,11 +50,13 @@ <name>Quagga OSPFd</name> <rcfile>quagga.sh</rcfile> <executable>ospfd</executable> + <description>OSPF routing daemon</description> </service> <service> <name>Quagga Zebra</name> <rcfile>quagga.sh</rcfile> <executable>zebra</executable> + <description>Quagga core/abstraction daemon</description> </service> <fields> <field> @@ -163,6 +165,13 @@ <size>20</size> </rowhelperfield> <rowhelperfield> + <fielddescr>Disable <br/>Acceptance</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Accept Filter</description> + <type>checkbox</type> + <size>20</size> + </rowhelperfield> + <rowhelperfield> <fielddescr>Subnet to Route</fielddescr> <fieldname>routevalue</fieldname> <type>input</type> diff --git a/config/quagga_ospfd/quagga_ospfd_interfaces.xml b/config/quagga_ospfd/quagga_ospfd_interfaces.xml index 21bc877f..beb6f2b0 100644 --- a/config/quagga_ospfd/quagga_ospfd_interfaces.xml +++ b/config/quagga_ospfd/quagga_ospfd_interfaces.xml @@ -87,6 +87,12 @@ <type>checkbox</type> </field> <field> + <fielddescr>Accept Filter</fielddescr> + <fieldname>acceptfilter</fieldname> + <description>Do not add routes for this interface subnet from OSPF into the routing table. (Suggested for Multi-WAN environments).</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Enable MD5 password for this Quagga OSPFd interface (default no)</fielddescr> <fieldname>md5password</fieldname> <description>Enables the use of an MD5 password to on this instance</description> diff --git a/config/sarg/sarg.inc b/config/sarg/sarg.inc index 32cca7ed..1a4db315 100644 --- a/config/sarg/sarg.inc +++ b/config/sarg/sarg.inc @@ -4,7 +4,7 @@ sarg.inc part of pfSense (http://www.pfSense.com) Copyright (C) 2007 Joao Henrique F. Freitas - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -33,12 +33,26 @@ /* ========================================================================== */ $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0){ + + // Function to get squidGuard directory + // each squidGuard version has a different directory + function getsqGuardDir() { + foreach (glob("/usr/pbi/*",GLOB_ONLYDIR) as $dirname) { + if (preg_match("/squidguard-/i", $dirname)) { + return trim($dirname); + break; + } + } + } + define('SARG_DIR', '/usr/pbi/sarg-' . php_uname("m")); + define('SQGARD_DIR', getsqGuardDir()); define('SQUID_DIR', '/usr/pbi/squid-' . php_uname("m")); define('DANSG_DIR', '/usr/pbi/dansguardian-' . php_uname("m")); } else{ define('SARG_DIR', '/usr/local'); + define('SQGARD_DIR', '/usr/local'); define('SQUID_DIR', '/usr/local'); define('DANSG_DIR', '/usr/local'); } @@ -50,7 +64,7 @@ if ($uname['machine']=='amd64') // STATIC VARS $sarg_proxy=array( 'squid_rc'=> SQUID_DIR . '/etc/rc.d/squid.sh', 'squid_config'=> '/var/squid/logs/access.log', - 'squidguard_config'=> SARG_DIR . '/etc/squidGuard/squidGuard.conf', + 'squidguard_config'=> SQGARD_DIR . '/etc/squidGuard/squidGuard.conf', 'squidguard_block_log'=>'/var/squidGuard/log/block.log', 'dansguardian_config'=> DANSG_DIR . '/etc/dansguardian/dansguardian.conf', 'dansguardian_log'=>'/var/log/dansguardian/access.log'); @@ -140,7 +154,7 @@ EOF; } #create a new file to speedup find search file_put_contents("/root/sarg_run_{$id}.sh",$gzip_script,LOCK_EX); - mwexec($cmd. " ".$args); + mwexec("export LC_ALL=C && " .$cmd. " ".$args); #check if there is a script to run after file save if (is_array($config['installedpackages']['sarg'])) switch ($config['installedpackages']['sarg']['config'][0]['proxy_server']){ @@ -246,7 +260,7 @@ function sync_package_sarg() { $anonymous_output_files=(preg_match('/anonymous_output_files/',$sarg['report_options'])?"yes":"no"); $resolve_ip=(preg_match('/resolve_ip/',$sarg['report_options'])?"yes":"no"); $user_ip=(preg_match('/user_ip/',$sarg['report_options'])?"yes":"no"); - $sort_order=(preg_match('/user_sort_field_order/',$sarg['report_options'])?"REVERSE":"NORMAL"); + $sort_order=(preg_match('/user_sort_field_order/',$sarg['report_options'])?"reverse":"normal"); $remove_temp_files=(preg_match('/remove_temp_files/',$sarg['report_options'])?"yes":"no"); $main_index=(preg_match('/main_index/',$sarg['report_options'])?"yes":"no"); $index_tree=(preg_match('/index_tree/',$sarg['report_options'])?"file":"date"); @@ -258,7 +272,9 @@ function sync_package_sarg() { $bytes_in_sites_users_report=(preg_match('/bytes_in_sites_users_report/',$sarg['report_options'])?"yes":"no"); $date_time_by=(preg_match('/date_time_by_bytes/',$sarg['report_options'])?"bytes":""); $date_time_by.=(preg_match('/date_time_by_elap/',$sarg['report_options'])?" elap":""); - $date_format=(empty($sarg['report_date_format'])?"u":$sarg['report_date_format']); + if(empty($date_time_by)) + $date_time_by="bytes"; + $date_format=(preg_match("/\w/",$sarg['report_date_format'])?$sarg['report_date_format']:"u"); $report_type=preg_replace('/,/',' ',$sarg['report_type']); $report_charset=(empty($sarg['report_charset'])?"UTF-8":$sarg['report_charset']); $exclude_string=(empty($sarg['exclude_string'])?"":'exclude_string "'.$sarg['exclude_string'].'"'); @@ -289,6 +305,7 @@ function sync_package_sarg() { file_put_contents( SARG_DIR . '/etc/sarg/usertab.conf', sarg_text_area_decode($sarguser['usertab']),LOCK_EX); } if($sarguser['ldap_enable']){ + $usertab="ldap"; $LDAPHost=(empty($sarguser['ldap_host'])?"":"LDAPHost ".$sarguser['ldap_host']); $LDAPort=(empty($sarguser['ldap_port'])?"":"LDAPPort ".$sarguser['ldap_port']); $LDAPBindDN=(empty($sarguser['ldap_bind_dn'])?"":"LDAPBindDN ".$sarguser['ldap_bind_dn']); diff --git a/config/sarg/sarg.xml b/config/sarg/sarg.xml index bb345379..cc11cad4 100644 --- a/config/sarg/sarg.xml +++ b/config/sarg/sarg.xml @@ -9,7 +9,7 @@ /* sarg.xml part of the sarg for pfSense - Copyright (C) 2012 Marcello Coutinho + Copyright (C) 2012-2013 Marcello Coutinho All rights reserved. */ diff --git a/config/sarg/sarg_frame.php b/config/sarg/sarg_frame.php index 4d3421ab..21638247 100755 --- a/config/sarg/sarg_frame.php +++ b/config/sarg/sarg_frame.php @@ -68,9 +68,11 @@ if ($report != "" ) #look for graph files inside reports. if (preg_match_all('/img src="([a-zA-Z0-9._-]+).png/',$report,$images)){ + conf_mount_rw(); for ($x=0;$x<count($images[1]);$x++){ copy("{$dir}/{$prefix}/{$images[1][$x]}.png","/usr/local/www/sarg-images/temp/{$images[1][$x]}.{$rand}.png"); } + conf_mount_ro(); } print preg_replace($pattern,$replace,$report); } diff --git a/config/sarg/sarg_reports.php b/config/sarg/sarg_reports.php index b1792312..b156a4d7 100755 --- a/config/sarg/sarg_reports.php +++ b/config/sarg/sarg_reports.php @@ -61,7 +61,9 @@ require("guiconfig.inc"); $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=sarg_sync.xml&id=0"); $tab_array[] = array(gettext("Help"), false, "/pkg_edit.php?xml=sarg_about.php"); display_top_tabs($tab_array); + conf_mount_rw(); exec('rm -f /usr/local/www/sarg-images/temp/*'); + conf_mount_ro(); ?> </td></tr> <tr> diff --git a/config/sarg/sarg_schedule.xml b/config/sarg/sarg_schedule.xml index 0c452335..9e1ad709 100644 --- a/config/sarg/sarg_schedule.xml +++ b/config/sarg/sarg_schedule.xml @@ -141,8 +141,11 @@ <fielddescr>Sarg args</fielddescr> <fieldname>args</fieldname> <description><![CDATA[Enter sarg extra args to run on this schedule.<br> - To force sarg to create a report only from current day, use:<br> - <strong>-d `date +%d/%m/%Y`-`date +%d/%m/%Y`</strong>]]></description> + To force sarg to create a report only for specific days, use:<br> + <b>TODAY:</b> -d `date +%d/%m/%Y`<br> + <b>YESTERDAY:</b> -d `date -v-1d +%d/%m/%Y`<br> + <b>WEEKAGO:</b> -d `date -v-1w +%d/%m/%Y`- `date -v-1d +%d/%m/%Y`<br> + <b>MONTHAGO:</b> -d `date -v-1m +01/%m/%Y`-`date -v-1m +31/%m/%Y`]]></description> <type>input</type> <size>50</size> </field> diff --git a/config/servicewatchdog/services_servicewatchdog.php b/config/servicewatchdog/services_servicewatchdog.php new file mode 100644 index 00000000..920fd1bb --- /dev/null +++ b/config/servicewatchdog/services_servicewatchdog.php @@ -0,0 +1,211 @@ +<?php +/* + services_servicewatchdog.php + Copyright (C) 2013 Jim Pingle + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: system +*/ + +##|+PRIV +##|*IDENT=page-services-servicewatchdog +##|*NAME=Services: Service Watchdog +##|*DESCR=Allow access to the 'Services: Service Watchdog' page. +##|*MATCH=services_servicewatchdog.php* +##|-PRIV + +require("guiconfig.inc"); +require_once("functions.inc"); +require_once("service-utils.inc"); +require_once("servicewatchdog.inc"); + +if (!is_array($config['installedpackages']['servicewatchdog']['item'])) + $config['installedpackages']['servicewatchdog']['item'] = array(); + +$a_pwservices = &$config['installedpackages']['servicewatchdog']['item']; + +/* if a custom message has been passed along, lets process it */ +if ($_GET['savemsg']) + $savemsg = $_GET['savemsg']; + +if ($_GET['act'] == "del") { + if ($a_pwservices[$_GET['id']]) { + unset($a_pwservices[$_GET['id']]); + servicewatchdog_cron_job(); + write_config(); + header("Location: services_servicewatchdog.php"); + exit; + } +} + +if (isset($_POST['del_x'])) { + /* delete selected services */ + if (is_array($_POST['pwservices']) && count($_POST['pwservices'])) { + foreach ($_POST['pwservices'] as $servicei) { + unset($a_pwservices[$servicei]); + } + servicewatchdog_cron_job(); + write_config(); + header("Location: services_servicewatchdog.php"); + exit; + } +} else { + /* yuck - IE won't send value attributes for image buttons, while Mozilla does - so we use .x/.y to find move button clicks instead... */ + unset($movebtn); + foreach ($_POST as $pn => $pd) { + if (preg_match("/move_(\d+)_x/", $pn, $matches)) { + $movebtn = $matches[1]; + break; + } + } + /* move selected services before this service */ + if (isset($movebtn) && is_array($_POST['pwservices']) && count($_POST['pwservices'])) { + $a_pwservices_new = array(); + + /* copy all services < $movebtn and not selected */ + for ($i = 0; $i < $movebtn; $i++) { + if (!in_array($i, $_POST['pwservices'])) + $a_pwservices_new[] = $a_pwservices[$i]; + } + + /* copy all selected services */ + for ($i = 0; $i < count($a_pwservices); $i++) { + if ($i == $movebtn) + continue; + if (in_array($i, $_POST['pwservices'])) + $a_pwservices_new[] = $a_pwservices[$i]; + } + + /* copy $movebtn service */ + if ($movebtn < count($a_pwservices)) + $a_pwservices_new[] = $a_pwservices[$movebtn]; + + /* copy all services > $movebtn and not selected */ + for ($i = $movebtn+1; $i < count($a_pwservices); $i++) { + if (!in_array($i, $_POST['pwservices'])) + $a_pwservices_new[] = $a_pwservices[$i]; + } + $a_pwservices = $a_pwservices_new; + servicewatchdog_cron_job(); + write_config(); + header("Location: services_servicewatchdog.php"); + return; + } +} + +$closehead = false; +$pgtitle = array(gettext("Services"),gettext("Service Watchdog")); +include("head.inc"); + +?> +<script type="text/javascript" src="/javascript/domTT/domLib.js"></script> +<script type="text/javascript" src="/javascript/domTT/domTT.js"></script> +<script type="text/javascript" src="/javascript/domTT/behaviour.js"></script> +<script type="text/javascript" src="/javascript/domTT/fadomatic.js"></script> + +<link type="text/css" rel="stylesheet" href="/javascript/chosen/chosen.css" /> +</head> +<body link="#000000" vlink="#000000" alink="#000000"> +<?php include("fbegin.inc"); ?> +<form action="services_servicewatchdog.php" method="post" name="iform"> +<script type="text/javascript" language="javascript" src="/javascript/row_toggle.js"></script> +<?php if ($savemsg) print_info_box($savemsg); ?> +<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="services to monitor"> +<tr><td><div id="mainarea"> +<table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0" summary="main area"> +<tr><td colspan="8" align="center"> +<?php echo gettext("This page allows you to select services to be monitored so that they may be automatically restarted if they crash or are stopped."); ?> +<br/><br/> +</td></tr> +<tr id="frheader"> +<td width="5%" class="list"> </td> +<td width="30%" class="listhdrr"><?=gettext("Service Name");?></td> +<td width="60%" class="listhdrr"><?=gettext("Description");?></td> +<td width="5%" class="list"> +<table border="0" cellspacing="0" cellpadding="1" summary="buttons"> + <tr><td width="17"> + <?php if (count($a_pwservices) == 0): ?> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete selected services");?>" border="0" alt="delete" /> + <?php else: ?> + <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected services"); ?>" onclick="return confirm('<?=gettext("Do you really want to delete the selected services?");?>')" /> + <?php endif; ?> + </td> + <td><a href="services_servicewatchdog_add.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?=gettext("add new service"); ?>" alt="add" /></a></td> + </tr> +</table> +</td> +</tr> + +<?php +$nservices = $i = 0; +foreach ($a_pwservices as $thisservice): +?> + <tr valign="top" id="fr<?=$nservices;?>"> + <td class="listt"><input type="checkbox" id="frc<?=$nservices;?>" name="pwservices[]" value="<?=$i;?>" onClick="fr_bgcolor('<?=$nservices;?>')" style="margin: 0; padding: 0; width: 15px; height: 15px;" /></td> + <td class="listlr" onclick="fr_toggle(<?=$nservices;?>)" id="frd<?=$nservices;?>" ondblclick="document.location='services_servicewatchdog_add.php?id=<?=$nservices;?>';"> + <?=$thisservice['name'];?> + </td> + <td class="listr" onclick="fr_toggle(<?=$nservices;?>)" id="frd<?=$nservices;?>" ondblclick="document.location='services_servicewatchdog_add.php?id=<?=$nservices;?>';"> + <?=$thisservice['description'];?> + </td> + <td valign="middle" class="list" nowrap> + <table border="0" cellspacing="0" cellpadding="1" summary="add"> + <tr> + <td><input onmouseover="fr_insline(<?=$nservices;?>, true)" onmouseout="fr_insline(<?=$nservices;?>, false)" name="move_<?=$i;?>" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" title="<?=gettext("move selected services before this service");?>" height="17" type="image" width="17" border="0" /></td> + <td align="center" valign="middle"><a href="services_servicewatchdog.php?act=del&id=<?=$i;?>" onclick="return confirm('<?=gettext("Do you really want to delete this service?");?>')"><img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" border="0" title="<?=gettext("delete service");?>" alt="delete" /></a></td> + </tr> + </table> + </td></tr> +<?php $i++; $nservices++; endforeach; ?> + <tr> + <td class="list" colspan="3"></td> + <td class="list" valign="middle" nowrap> + <table border="0" cellspacing="0" cellpadding="1" summary="add"> + <tr> + <td><?php if ($nservices == 0): ?><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_left_d.gif" width="17" height="17" title="<?=gettext("move selected services to end"); ?>" border="0" alt="move" /><?php else: ?><input name="move_<?=$i;?>" type="image" src="/themes/<?= $g['theme']; ?>/images/icons/icon_left.gif" width="17" height="17" title="<?=gettext("move selected services to end");?>" border="0" alt="move" /><?php endif; ?></td> + </tr> + <tr> + <td width="17"> + <?php if (count($a_pwservices) == 0): ?> + <img src="./themes/<?= $g['theme']; ?>/images/icons/icon_x_d.gif" width="17" height="17" title="<?=gettext("delete selected services");?>" border="0" alt="delete" /> + <?php else: ?> + <input name="del" type="image" src="./themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" width="17" height="17" title="<?=gettext("delete selected services"); ?>" onclick="return confirm('<?=gettext("Do you really want to delete the selected services?");?>')" /> + <?php endif; ?> + </td> + <td><a href="services_servicewatchdog_add.php"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_plus.gif" width="17" height="17" border="0" title="<?=gettext("add new service"); ?>" alt="add" /></a></td> + </tr> + </table> + </td> + </tr> + <tr><td></td><td colspan="3"> + <?php echo gettext("Click to select a service and use the arrows to re-order them in the list. Higher services are checked first."); ?> + </td><td></td></tr> + </table> +</div></td></tr> +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/servicewatchdog/services_servicewatchdog_add.php b/config/servicewatchdog/services_servicewatchdog_add.php new file mode 100644 index 00000000..11e5e284 --- /dev/null +++ b/config/servicewatchdog/services_servicewatchdog_add.php @@ -0,0 +1,117 @@ +<?php +/* + services_servicewatchdog_add.php + Copyright (C) 2013 Jim Pingle + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +/* + pfSense_MODULE: system +*/ + +##|+PRIV +##|*IDENT=page-services-servicewatchdog-add +##|*NAME=Services: Add Service Watchdog Services +##|*DESCR=Allow access to the 'Add Service Watchdog Services' page. +##|*MATCH=services_servicewatchdog.php-add* +##|-PRIV + +require("guiconfig.inc"); +require_once("service-utils.inc"); +require_once("servicewatchdog.inc"); + +if (!is_array($config['installedpackages']['servicewatchdog']['item'])) { + $config['installedpackages']['servicewatchdog']['item'] = array(); +} +$a_pwservices = &$config['installedpackages']['servicewatchdog']['item']; +// Pre-load "cron" into this array to blacklist it from being offered as a choice. +$a_pwservice_names = array("cron"); +foreach ($a_pwservices as $svc) { + $a_pwservice_names[] = $svc['name']; +} +$system_services = get_services(); + +unset($input_errors); + +if ($_POST) { + if (!is_numeric($_POST['svcid'])) + + + if (!isset($system_services[$_POST['svcid']])) { + $input_errors[] = gettext("The supplied service appears to be invalid."); + } + + if (!$input_errors) { + $a_pwservices[] = $system_services[$_POST['svcid']]; + servicewatchdog_cron_job(); + write_config(); + + header("Location: services_servicewatchdog.php"); + return; + } +} + +$closehead = false; +$pgtitle = array(gettext("Services"),gettext("servicewatchdog"), gettext("Add")); +include("head.inc"); + +?> +<link type="text/css" rel="stylesheet" href="/pfCenter/javascript/chosen/chosen.css" /> +<script src="/pfCenter/javascript/chosen/chosen.proto.js" type="text/javascript"></script> +</head> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> + +<?php include("fbegin.inc"); ?> +<?php if ($input_errors) print_input_errors($input_errors); ?> +<form action="services_servicewatchdog_add.php" method="post" name="iform" id="iform"> +<table width="100%" border="0" cellpadding="6" cellspacing="0" summary="add monitored service"> +<tr> + <td colspan="2" valign="top" class="listtopic"><?=gettext("Add Service Entry"); ?></td> +</tr> +<tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Service to Add:"); ?></td> + <td width="78%" class="vtable"> + <select name="svcid" class="formselect" id="svcid"> +<?php $i=0; + foreach ($system_services as $svc): ?> + <?php if (!servicewatchdog_is_service_watched($svc)): ?> + <?php $svc['description'] = empty($svc['description']) ? get_pkg_descr($svc['name']) : $svc['description']; ?> + <option value="<?= $i ?>"><?=$svc['name'];?>: <?= strlen($svc['description']) > 50 ? substr($svc['description'], 0, 50) . "..." : $svc['description'];?></option> + <?php endif; + $i++; ?> +<?php endforeach; ?> + </select> + </td> +</tr> +<tr> + <td width="22%" valign="top"> </td> + <td width="78%"> + <input name="Submit" type="submit" class="formbtn" value="<?=gettext("Add"); ?>" /> <input type="button" class="formbtn" value="<?=gettext("Cancel"); ?>" onclick="history.back()" /> + </td> +</tr> +</table> +</form> +<?php include("fend.inc"); ?> +</body> +</html> diff --git a/config/servicewatchdog/servicewatchdog.inc b/config/servicewatchdog/servicewatchdog.inc new file mode 100644 index 00000000..1bdb1ce9 --- /dev/null +++ b/config/servicewatchdog/servicewatchdog.inc @@ -0,0 +1,83 @@ +<?php +require_once("config.inc"); +require_once("services.inc"); +require_once("service-utils.inc"); +require_once("util.inc"); + +function servicewatchdog_service_matches($svc1, $svc2) { + /* If the arrays are equal, it must be the same service. */ + if ($svc1 == $svc2) + return true; + /* If the names are different, they must not be the same. */ + if ($svc1['name'] != $svc2['name']) + return false; + switch ($svc1['name']) { + case "openvpn": + if (($svc1['mode'] == $svc2['mode']) && ($svc1['vpnid'] == $svc2['vpnid'])) + return true; + else + return false; + break; + case "captiveportal": + if ($svc1['zone'] == $svc2['zone']) + return true; + else + return false; + break; + default: + /* Other services must be the same if the name matches. */ + return true; + } +} + +function servicewatchdog_is_service_watched($svc) { + global $config; + if (!is_array($config['installedpackages']['servicewatchdog']['item'])) { + $config['installedpackages']['servicewatchdog']['item'] = array(); + } + $a_pwservices = &$config['installedpackages']['servicewatchdog']['item']; + $blacklisted_services = array("cron"); + + if (empty($svc['name']) || in_array($svc['name'], $blacklisted_services)) + return true; + + foreach ($a_pwservices as $a_svc) { + if (servicewatchdog_service_matches($svc, $a_svc)) + return true; + } + return false; +} + +function servicewatchdog_cron_job() { + global $config; + if (!is_array($config['installedpackages']['servicewatchdog']['item'])) { + $config['installedpackages']['servicewatchdog']['item'] = array(); + } + $a_pwservices = &$config['installedpackages']['servicewatchdog']['item']; + + if (count($a_pwservices) > 0) { + // Add the cron job if it doesn't exist. + install_cron_job("/usr/local/pkg/servicewatchdog_cron.php", true, "*/1"); + } else { + // Remove the cron job + install_cron_job("/usr/local/pkg/servicewatchdog_cron.php", false, "*/1"); + } +} + +function servicewatchdog_check_services() { + global $config; + if (!is_array($config['installedpackages']['servicewatchdog']['item'])) { + $config['installedpackages']['servicewatchdog']['item'] = array(); + } + $a_pwservices = &$config['installedpackages']['servicewatchdog']['item']; + + foreach ($a_pwservices as $svc) { + if (!get_service_status($svc)) { + $descr = strlen($svc['description']) > 50 ? substr($svc['description'], 0, 50) . "..." : $svc['description']; + log_error("Service Watchdog detected service {$svc['name']} stopped. Restarting {$svc['name']} ({$descr})"); + service_control_start($svc['name'], $svc); + } + } +} + +?>
\ No newline at end of file diff --git a/config/servicewatchdog/servicewatchdog.xml b/config/servicewatchdog/servicewatchdog.xml new file mode 100644 index 00000000..5e1ce309 --- /dev/null +++ b/config/servicewatchdog/servicewatchdog.xml @@ -0,0 +1,72 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + servicewatchdog.xml + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 Jim Pingle + All rights reserved. +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>Service Watchdog</description> + <requirements>None</requirements> + <faq>Monitors for stopped services and restarts them.</faq> + <name>Service Watchdog</name> + <version>1.4</version> + <title>Services: Service Watchdog</title> + <include_file>/usr/local/pkg/servicewatchdog.inc</include_file> + <menu> + <name>Service Watchdog</name> + <tooltiptext></tooltiptext> + <section>Services</section> + <url>/services_servicewatchdog.php</url> + </menu> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>644</chmod> + <item>http://www.pfsense.com/packages/config/servicewatchdog/services_servicewatchdog.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>644</chmod> + <item>http://www.pfsense.com/packages/config/servicewatchdog/services_servicewatchdog_add.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>755</chmod> + <item>http://www.pfsense.com/packages/config/servicewatchdog/servicewatchdog_cron.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>644</chmod> + <item>http://www.pfsense.com/packages/config/servicewatchdog/servicewatchdog.inc</item> + </additional_files_needed> +</packagegui>
\ No newline at end of file diff --git a/config/servicewatchdog/servicewatchdog_cron.php b/config/servicewatchdog/servicewatchdog_cron.php new file mode 100644 index 00000000..004afd97 --- /dev/null +++ b/config/servicewatchdog/servicewatchdog_cron.php @@ -0,0 +1,13 @@ +#!/usr/local/bin/php -f +<?php +require_once("globals.inc"); +require_once("servicewatchdog.inc"); + +global $g; + +/* Do nothing at bootup. */ +if ($g['booting'] || file_exists("{$g['varrun_path']}/booting")) + return; + +servicewatchdog_check_services(); +?>
\ No newline at end of file diff --git a/config/siproxd.inc b/config/siproxd.inc index 13254a42..a34f5b34 100644 --- a/config/siproxd.inc +++ b/config/siproxd.inc @@ -70,8 +70,8 @@ function siproxd_generate_rules($type) { } /* proxy is turned off in package settings */ - if($siproxd_conf['rtpenable'] == "0") { - log_error("WARNING: siproxd RTP proxy has not been enabled. Not installing rules."); + if($siproxd_conf['sipenable'] == "0") { + log_error("WARNING: siproxd proxy has not been enabled. Not installing rules."); return "\n"; } @@ -95,7 +95,9 @@ function siproxd_generate_rules($type) { if($iface <> "") { $rules .= "# allow SIP signaling and RTP traffic\n"; $rules .= "pass in on {$iface} proto udp from any to any port = {$port}\n"; - $rules .= "pass in on {$iface} proto udp from any to any port {$rtplower}:{$rtpupper}\n"; + if($siproxd_conf['rtpenable'] == "1") { + $rules .= "pass in on {$iface} proto udp from any to any port {$rtplower}:{$rtpupper}\n"; + } } } break; @@ -125,7 +127,7 @@ function sync_package_siproxd() { fwrite($fout, "# package management system.\n\n"); /* proxy is turned off in package settings */ - if($siproxd_conf['rtpenable'] == "0") { + if($siproxd_conf['sipenable'] == "0") { fclose($fout); return; } diff --git a/config/siproxd.xml b/config/siproxd.xml index 1176a423..1e16a9ea 100644 --- a/config/siproxd.xml +++ b/config/siproxd.xml @@ -84,6 +84,12 @@ </additional_files_needed> <fields> <field> + <fielddescr>Enable siproxd</fielddescr> + <fieldname>sipenable</fieldname> + <description>Enable or disable siproxd</description> + <type>checkbox</type> + </field> + <field> <fielddescr>Inbound interface</fielddescr> <fieldname>if_inbound</fieldname> <description>Select the inbound interface.</description> @@ -335,4 +341,4 @@ <custom_php_validation_command> validate_form_siproxd($_POST, &$input_errors); </custom_php_validation_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/sm.php b/config/sm.php new file mode 100644 index 00000000..2e1cc4a0 --- /dev/null +++ b/config/sm.php @@ -0,0 +1,42 @@ +#!/usr/local/bin/php -q +<?php +require_once("config.inc"); +require_once("globals.inc"); +require_once("notices.inc"); + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if (($pf_version < 2.1)) { + $error = "Sending e-mail on this version of pfSense is not supported. Please use pfSense 2.1 or later"; + log_error($error); + echo "{$error}\n"; + return; +} + +$options = getopt("s::"); + +$message = ""; + +if($options['s'] <> "") { + $subject = $options['s']; +} + + +$in = file("php://stdin"); +foreach($in as $line){ + $line = trim($line); + if ( (substr($line, 0, 6) == "From: ") + || (substr($line, 0, 6) == "Date: ") + || (substr($line, 0, 4) == "To: ")) + continue; + if (empty($subject) && (substr($line, 0, 9) == "Subject: ")) { + $subject = substr($line, 9); + continue; + } + $message .= "$line\n"; +} + +if (!empty($subject)) + send_smtp_message($message, $subject); +else + send_smtp_message($message); +?>
\ No newline at end of file diff --git a/config/snort-dev/snort.xml b/config/snort-dev/snort.xml index 4f687c9c..8f64a5e3 100644 --- a/config/snort-dev/snort.xml +++ b/config/snort-dev/snort.xml @@ -59,8 +59,7 @@ <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology - worldwide.</description> + <description>Snort IDS/IPS Daemon</description> </service> <tabs> </tabs> diff --git a/config/snort/snort.inc b/config/snort/snort.inc index f1f5ad9b..98b80d66 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -47,7 +47,7 @@ global $rebuild_rules; /* package version */ $snort_version = "2.9.4.6"; -$pfSense_snort_version = "2.5.9"; +$pfSense_snort_version = "2.6.1"; $snort_package_version = "Snort {$snort_version} pkg v. {$pfSense_snort_version}"; // Define SNORTDIR and SNORTLIBDIR constants according to FreeBSD version (PBI support or no PBI) @@ -67,12 +67,9 @@ else { /* Define some useful constants for Snort */ define("SNORTLOGDIR", "/var/log/snort"); -define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); -define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); -define("ET_VERSION", "2.9.0"); define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); -define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); define("FLOWBITS_FILENAME", "flowbit-required.rules"); define("ENFORCING_RULES_FILENAME", "snort.rules"); define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); @@ -83,6 +80,64 @@ $rebuild_rules = false; if (!is_array($config['installedpackages']['snortglobal'])) $config['installedpackages']['snortglobal'] = array(); +function snort_is_single_addr_alias($alias) { + /***************************************************/ + /* This function evaluates the passed Alias to */ + /* determine if it represents a single IP address, */ + /* or a network in CIDR form, and returns TRUE if */ + /* the condition is met, and FALSE if not. */ + /* */ + /* On Entry: $alias ==> Alias to be evaluated */ + /* Returns: TRUE if Alias represents a single */ + /* IP address or network, and FALSE */ + /* if not. */ + /***************************************************/ + + /* If spaces in expanded Alias, it's not a single entity */ + if (strpos(trim(filter_expand_alias($alias)), " ") !== false) + return false; + else + return true; +} + +function snort_expand_port_range($ports) { + /**************************************************/ + /* This function examines the passed ports string */ + /* and expands any embedded port ranges into the */ + /* individual ports separated by commas. A port */ + /* range is indicated by a colon in the string. */ + /* */ + /* On Entry: $ports ==> string to be evaluated */ + /* with commas separating */ + /* the port values. */ + /* Returns: string with any encountered port */ + /* ranges expanded. */ + /**************************************************/ + + $value = ""; + + // Split the incoming string on the commas + $tmp = explode(",", $ports); + + // Look for any included port range and expand it + foreach ($tmp as $val) { + if (is_portrange($val)) { + $start = strtok($val, ":"); + $end = strtok(":"); + if ($end !== false) { + $val = $start . ","; + for ($i = intval($start) + 1; $i < intval($end); $i++) + $val .= strval($i) . ","; + $val .= $end; + } + } + $value .= $val . ","; + } + + // Remove any trailing comma in return value + return trim($value, ","); +} + function snort_get_blocked_ips() { $blocked_ips = ""; exec('/sbin/pfctl -t snort2c -T show', $blocked_ips); @@ -164,8 +219,13 @@ function snort_load_suppress_sigs($snortcfg, $track_by=false) { if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+)\s*$/i', $line, $matches)) { $genid = $matches[1]; $sigid = $matches[2]; - if (!empty($genid) && !empty($sigid)) + if (!empty($genid) && !empty($sigid)) { + if (!is_array($suppress[$genid])) + $suppress[$genid] = array(); + if (!is_array($suppress[$genid][$sigid])) + $suppress[$genid][$sigid] = array(); $suppress[$genid][$sigid] = "suppress"; + } } /* Get "track by IP" entries if requested */ @@ -176,8 +236,17 @@ function snort_load_suppress_sigs($snortcfg, $track_by=false) { $sigid = $matches[2]; $whichip = trim($matches[3]); $ip = $matches[4]; - if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) + if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) { + if (!is_array($suppress[$genid])) + $suppress[$genid] = array(); + if (!is_array($suppress[$genid][$sigid])) + $suppress[$genid][$sigid] = array(); + if (!is_array($suppress[$genid][$sigid][$whichip])) + $suppress[$genid][$sigid][$whichip] = array(); + if (!is_array($suppress[$genid][$sigid][$whichip][$ip])) + $suppress[$genid][$sigid][$whichip][$ip] = array(); $suppress[$genid][$sigid][$whichip][$ip] = "suppress"; + } } /* See if entry suppresses only by SRC or DST IPv6 address */ if (preg_match('/\s*suppress\s*gen_id\b\s*(\d+),\s*sig_id\b\s*(\d+),\s*track\s*(by_src|by_dst),\s*ip\s*([0-9a-f\.:]+)\s*$/i', $line, $matches)) { @@ -185,8 +254,17 @@ function snort_load_suppress_sigs($snortcfg, $track_by=false) { $sigid = $matches[2]; $whichip = trim($matches[3]); $ip = trim($matches[4]); - if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) + if (!empty($genid) && !empty($sigid) && !empty($whichip) && !empty($ip)) { + if (!is_array($suppress[$genid])) + $suppress[$genid] = array(); + if (!is_array($suppress[$genid][$sigid])) + $suppress[$genid][$sigid] = array(); + if (!is_array($suppress[$genid][$sigid][$whichip])) + $suppress[$genid][$sigid][$whichip] = array(); + if (!is_array($suppress[$genid][$sigid][$whichip][$ip])) + $suppress[$genid][$sigid][$whichip][$ip] = array(); $suppress[$genid][$sigid][$whichip][$ip] = "suppress"; + } } } } @@ -1769,24 +1847,33 @@ function snort_modify_sids(&$rule_map, $snortcfg) { unset($enablesid, $disablesid); } -/* Start of main config files */ -/* open snort.sh for writing" */ function snort_create_rc() { + + /*********************************************************/ + /* This function builds the /usr/local/etc/rc.d/snort.sh */ + /* shell script for starting and stopping Snort. The */ + /* script is rebuilt on each package sync operation and */ + /* after any changes to snort.conf saved in the GUI. */ + /*********************************************************/ + global $config, $g; $snortdir = SNORTDIR; $rcdir = RCFILEPREFIX; + // If no interfaces are configured for Snort, exit if (!is_array($config['installedpackages']['snortglobal']['rule'])) return; - - $snortconf =& $config['installedpackages']['snortglobal']['rule']; - /* do not start config build if rules is empty */ + $snortconf = $config['installedpackages']['snortglobal']['rule']; if (empty($snortconf)) return; + // At least one interface is configured, so OK $start_snort_iface_start = array(); $start_snort_iface_stop = array(); + + // Loop thru each configured interface and build + // the shell script. foreach ($snortconf as $value) { $snort_uuid = $value['uuid']; $if_real = snort_get_real_interface($value['interface']); @@ -1794,7 +1881,7 @@ function snort_create_rc() { $start_barnyard = <<<EOE if [ ! -f {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid ]; then - pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' > {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` + pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/barnyard2_{$if_real}{$snort_uuid}.pid` fi @@ -1835,9 +1922,9 @@ EOE; /bin/rm /var/run/barnyard2_{$if_real}{$snort_uuid}.pid fi else - pid=`/bin/pgrep -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q'` + pid=`/bin/pgrep -f "barnyard2 -r {$snort_uuid} "` if [ ! -z \$pid ]; then - /bin/pkill -xf '/usr/local/bin/barnyard2 -r {$snort_uuid} -f snort_{$snort_uuid}_{$if_real}.u2 --pid-path {$g['varrun_path']} --nolock-pidfile -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/barnyard2.conf -d /var/log/snort/snort_{$if_real}{$snort_uuid} -D -q' + /bin/pkill -f "barnyard2 -r {$snort_uuid} " time=0 timeout=30 while kill -0 \$pid 2>/dev/null; do sleep 1 @@ -1860,10 +1947,11 @@ EOE; ###### For Each Iface # Start snort and barnyard2 if [ ! -f {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid ]; then - pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` + pid=`/bin/pgrep -f "snort -R {$snort_uuid} "` else pid=`/bin/pgrep -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid` fi + if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort SOFT RESTART for {$value['descr']}({$snort_uuid}_{$if_real})..." /bin/pkill -HUP \$pid @@ -1895,10 +1983,10 @@ EOE; /bin/rm /var/run/snort_{$if_real}{$snort_uuid}.pid fi else - pid=`/bin/pgrep -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}'` + pid=`/bin/pgrep -f "snort -R {$snort_uuid} "` if [ ! -z \$pid ]; then /usr/bin/logger -p daemon.info -i -t SnortStartup "Snort STOP for {$value['descr']}({$snort_uuid}_{$if_real})..." - /bin/pkill -xf '/usr/local/bin/snort -R {$snort_uuid} -D -q -l /var/log/snort/snort_{$if_real}{$snort_uuid} --pid-path {$g['varrun_path']} --nolock-pidfile -G {$snort_uuid} -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -i {$if_real}' + /bin/pkill -f "snort -R {$snort_uuid} " time=0 timeout=30 while kill -0 \$pid 2>/dev/null; do sleep 1 @@ -1925,7 +2013,7 @@ EOE; # This file was automatically generated # by the pfSense service handler. # Code added to protect from double starts on pfSense bootup -######## Begining of Main snort.sh +######## Start of main snort.sh rc_start() { {$rc_start} @@ -2236,6 +2324,10 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { log_error('[Snort] Enabling any flowbit-required rules for: ' . snort_get_friendly_interface($snortcfg['interface']) . '...'); $fbits = snort_resolve_flowbits($all_rules, $enabled_rules); + /* Check for and disable any flowbit-required rules the user has */ + /* manually forced to a disabled state. */ + snort_modify_sids($fbits, $snortcfg); + /* Check for and disable any flowbit-required rules dependent upon */ /* disabled preprocessors if this option is enabled for the interface. */ if ($snortcfg['preproc_auto_rule_disable'] == "on") { @@ -2548,14 +2640,15 @@ function snort_generate_conf($snortcfg) { $ssh_port = "22"; $snort_ports = array( "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", - "http_ports" => "80,901,3128,8080,9000", "oracle_ports" => "1521", "mssql_ports" => "1433", - "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", + "oracle_ports" => "1024:", "mssql_ports" => "1433", + "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", - "sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", + "sip_ports" => "5060,5061, 5600", "auth_ports" => "113", "finger_ports" => "79", "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", - "ssl_ports" => "443,465,563,636,989,990,992,993,994,995", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", @@ -2568,7 +2661,7 @@ function snort_generate_conf($snortcfg) { $portvardef = ""; foreach ($snort_ports as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) - $snort_ports[$alias] = filter_expand_alias($snortcfg["def_{$alias}"]); + $snort_ports[$alias] = trim(filter_expand_alias($snortcfg["def_{$alias}"])); $snort_ports[$alias] = preg_replace('/\s+/', ',', trim($snort_ports[$alias])); $portvardef .= "portvar " . strtoupper($alias) . " [" . $snort_ports[$alias] . "]\n"; } @@ -2616,7 +2709,7 @@ EOD; $http_inspect_server_opts .= " \\\n\tlog_hostname"; } - $http_ports = str_replace(",", " ", $snort_ports['http_ports']); + $http_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['http_ports'])); /* def http_inspect */ $http_inspect = <<<EOD @@ -2633,19 +2726,23 @@ preprocessor http_inspect_server: server default profile {$http_server_profile} EOD; /* def ftp_preprocessor */ + $telnet_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['telnet_ports'])); + $ftp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ftp_ports'])); $ftp_preprocessor = <<<EOD -# ftp preprocessor # +# ftp_telnet preprocessor # preprocessor ftp_telnet: global \ inspection_type stateless preprocessor ftp_telnet_protocol: telnet \ - normalize \ - ayt_attack_thresh 200 + normalize ports { {$telnet_ports} } \ + ayt_attack_thresh 20 \ + detect_anomalies -preprocessor ftp_telnet_protocol: \ - ftp server default \ +preprocessor ftp_telnet_protocol: ftp server default \ def_max_param_len 100 \ - ports { 21 } \ + ports { $ftp_ports } \ + telnet_cmds yes \ + ignore_telnet_erase_cmds yes \ ftp_cmds { USER PASS ACCT CWD SDUP SMNT QUIT REIN PORT PASV TYPE STRU MODE } \ ftp_cmds { RETR STOR STOU APPE ALLO REST RNFR RNTO ABOR DELE RMD MKD PWD } \ ftp_cmds { LIST NLST SITE SYST STAT HELP NOOP } \ @@ -2676,12 +2773,14 @@ preprocessor ftp_telnet_protocol: \ preprocessor ftp_telnet_protocol: ftp client default \ max_resp_len 256 \ bounce yes \ + ignore_telnet_erase_cmds yes \ telnet_cmds yes EOD; - $pop_ports = str_replace(",", " ", $snort_ports['pop3_ports']); + $pop_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['pop3_ports'])); $pop_preproc = <<<EOD +# POP preprocessor # preprocessor pop: \ ports { {$pop_ports} } \ memcap 1310700 \ @@ -2691,8 +2790,9 @@ preprocessor pop: \ EOD; - $imap_ports = str_replace(",", " ", $snort_ports['imap_ports']); + $imap_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['imap_ports'])); $imap_preproc = <<<EOD +# IMAP preprocessor # preprocessor imap: \ ports { {$imap_ports} } \ memcap 1310700 \ @@ -2702,7 +2802,7 @@ preprocessor imap: \ EOD; - $smtp_ports = str_replace(",", " ", $snort_ports['mail_ports']); + $smtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['mail_ports'])); /* def smtp_preprocessor */ $smtp_preprocessor = <<<EOD # SMTP preprocessor # @@ -2711,10 +2811,12 @@ preprocessor SMTP: \ inspection_type stateful \ normalize cmds \ ignore_tls_data \ - valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN PIPELINING \ -CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ - normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET SEND SAML SOML AUTH TURN ETRN \ -PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + valid_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP RSET \ + SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK TIME \ + TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ + normalize_cmds { MAIL RCPT HELP HELO ETRN EHLO EXPN VRFY ATRN SIZE BDAT DEBUG EMAL ESAM ESND ESOM EVFY IDENT NOOP \ + RSET SEND SAML SOML AUTH TURN ETRN PIPELINING CHUNKING DATA DSN RSET QUIT ONEX QUEU STARTTLS TICK \ + TIME TURNME VERB X-EXPS X-LINK2STATE XADR XAUTH XCIR XEXCH50 XGEN XLICENSE XQUEU XSTA XTRN XUSR } \ max_header_line_len 1000 \ max_response_line_len 512 \ alt_max_command_line_len 260 { MAIL } \ @@ -2752,12 +2854,12 @@ EOD; $sf_pscan_sense_level = $snortcfg['pscan_sense_level']; $sf_pscan_ignore_scanners = "\$HOME_NET"; if (!empty($snortcfg['pscan_ignore_scanners']) && is_alias($snortcfg['pscan_ignore_scanners'])) { - $sf_pscan_ignore_scanners = filter_expand_alias($snortcfg['pscan_ignore_scanners']); + $sf_pscan_ignore_scanners = trim(filter_expand_alias($snortcfg['pscan_ignore_scanners'])); $sf_pscan_ignore_scanners = preg_replace('/\s+/', ',', trim($sf_pscan_ignore_scanners)); } $sf_portscan = <<<EOD -# sf Portscan # +# sf Portscan preprocessor # preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ proto { {$sf_pscan_protocol} } \ memcap { {$sf_pscan_memcap} } \ @@ -2766,21 +2868,34 @@ preprocessor sfportscan: scan_type { {$sf_pscan_type} } \ EOD; - $sun_rpc_ports = str_replace(",", " ", $snort_ports['sun_rpc_ports']); + /* def ssh_preproc */ + $ssh_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssh_ports'])); + $ssh_preproc = <<<EOD +# SSH preprocessor # +preprocessor ssh: server_ports { {$ssh_ports} } \ + autodetect \ + max_client_bytes 19600 \ + max_encrypted_packets 20 \ + max_server_version_len 100 \ + enable_respoverflow enable_ssh1crc32 \ + enable_srvoverflow enable_protomismatch + +EOD; + /* def other_preprocs */ + $sun_rpc_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sun_rpc_ports'])); $other_preprocs = <<<EOD - # Other preprocs # preprocessor rpc_decode: {$sun_rpc_ports} no_alert_multiple_requests no_alert_large_fragments no_alert_incomplete -# Back Orifice +# Back Orifice preprocessor # preprocessor bo EOD; /* def dce_rpc_2 */ $dce_rpc_2 = <<<EOD -# DCE/RPC 2 # +# DCE/RPC 2 # preprocessor dcerpc2: memcap 102400, events [co] preprocessor dcerpc2_server: default, policy WinXP, \ detect [smb [{$snort_ports['smb_ports']}], tcp 135, udp 135, rpc-over-http-server 593], \ @@ -2789,17 +2904,45 @@ preprocessor dcerpc2_server: default, policy WinXP, \ EOD; - $sip_ports = str_replace(",", " ", $snort_ports['sip_ports']); + $sip_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['sip_ports'])); $sip_preproc = <<<EOD -# SIP preprocessor -preprocessor sip: ports { {$sip_ports} }, max_call_id_len 300, \ - max_from_len 100, max_to_len 200, max_via_len 1000, \ - max_requestName_len 50, max_uri_len 100, ignore_call_channel,\ - max_content_len 1000 +# SIP preprocessor # +preprocessor sip: max_sessions 40000, \ + ports { {$sip_ports} }, \ + methods { invite \ + cancel \ + ack \ + bye \ + register \ + options \ + refer \ + subscribe \ + update \ + join \ + info \ + message \ + notify \ + benotify \ + do \ + qauth \ + sprack \ + publish \ + service \ + unsubscribe \ + prack }, \ + max_call_id_len 80, \ + max_from_len 256, \ + max_to_len 256, \ + max_via_len 1024, \ + max_requestName_len 50, \ + max_uri_len 512, \ + ignore_call_channel, \ + max_content_len 2048, \ + max_contact_len 512 EOD; - $dns_ports = str_replace(",", " ", $snort_ports['dns_ports']); + $dns_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['dns_ports'])); /* def dns_preprocessor */ $dns_preprocessor = <<<EOD # DNS preprocessor # @@ -2810,7 +2953,7 @@ preprocessor dns: \ EOD; /* def dnp3_preprocessor */ - $dnp3_ports = str_replace(",", " ", $snort_ports['DNP3_PORTS']); + $dnp3_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['DNP3_PORTS'])); $dnp3_preproc = <<<EOD # DNP3 preprocessor # preprocessor dnp3: \ @@ -2821,7 +2964,7 @@ preprocessor dnp3: \ EOD; /* def modbus_preprocessor */ - $modbus_ports = str_replace(",", " ", $snort_ports['MODBUS_PORTS']); + $modbus_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['MODBUS_PORTS'])); $modbus_preproc = <<<EOD # Modbus preprocessor # preprocessor modbus: \ @@ -2830,17 +2973,20 @@ preprocessor modbus: \ EOD; /* def gtp_preprocessor */ - $gtp_ports = str_replace(",", " ", $snort_ports['GTP_PORTS']); + $gtp_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['GTP_PORTS'])); $gtp_preproc = <<<EOD # GTP preprocessor # preprocessor gtp: ports { {$gtp_ports} } EOD; - $def_ssl_ports_ignore = str_replace(",", " ", $snort_ports['ssl_ports']); + /* def ssl_preprocessor */ + $ssl_ports = str_replace(",", " ", snort_expand_port_range($snort_ports['ssl_ports'])); $ssl_preproc = <<<EOD -# Ignore SSL and Encryption # -preprocessor ssl: ports { {$def_ssl_ports_ignore} }, trustservers, noinspect_encrypted +# SSL preprocessor # +preprocessor ssl: \ + ports { {$ssl_ports} }, \ + trustservers, noinspect_encrypted EOD; @@ -2872,8 +3018,8 @@ EOD; $vardef = ""; foreach ($snort_servers as $alias => $avalue) { if (!empty($snortcfg["def_{$alias}"]) && is_alias($snortcfg["def_{$alias}"])) { - $avalue = filter_expand_alias($snortcfg["def_{$alias}"]); - $avalue = str_replace(" ", ",", trim($avalue)); + $avalue = trim(filter_expand_alias($snortcfg["def_{$alias}"])); + $avalue = preg_replace('/\s+/', ',', trim($avalue)); } $vardef .= "var " . strtoupper($alias) . " [{$avalue}]\n"; } @@ -2885,7 +3031,7 @@ EOD; "ssl_preproc" => "ssl_preproc", "dnp3_preproc" => "dnp3_preproc", "modbus_preproc" => "modbus_preproc" ); $snort_preproc = array ( - "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", + "perform_stat", "http_inspect", "other_preprocs", "ftp_preprocessor", "smtp_preprocessor", "ssl_preproc", "sip_preproc", "gtp_preproc", "ssh_preproc", "sf_portscan", "dce_rpc_2", "dns_preprocessor", "sensitive_data", "pop_preproc", "imap_preproc", "dnp3_preproc", "modbus_preproc" ); $default_disabled_preprocs = array( @@ -3071,7 +3217,7 @@ EOD; # snort configuration file # generated automatically by the pfSense subsystems do not modify manually -# Define Local Network # +# Define Local Network # var HOME_NET [{$home_net}] var EXTERNAL_NET [{$external_net}] @@ -3079,16 +3225,16 @@ var EXTERNAL_NET [{$external_net}] var RULE_PATH {$snortcfgdir}/rules var PREPROC_RULE_PATH {$snortcfgdir}/preproc_rules -# Define Servers # +# Define Servers # {$vardef} -# Define Server Ports # +# Define Server Ports # {$portvardef} # Configure quiet startup mode # config quiet -# Configure the snort decoder # +# Configure the snort decoder # config checksum_mode: {$cksumcheck} config disable_decode_alerts config disable_tcpopt_experimental_alerts @@ -3098,14 +3244,14 @@ config disable_tcpopt_alerts config disable_ipopt_alerts config disable_decode_drops -# Enable the GTP decoder # +# Enable the GTP decoder # config enable_gtp # Configure PCRE match limitations config pcre_match_limit: 3500 config pcre_match_limit_recursion: 1500 -# Configure the detection engine # +# Configure the detection engine # config detection: {$cfg_detect_settings} config event_queue: max_queue 8 log 5 order_events content_length @@ -3134,7 +3280,7 @@ preprocessor frag3_global: {$frag3_memcap}, {$frag3_max_frags}{$frag3_disabled} preprocessor frag3_engine: {$frag3_policy} detect_anomalies {$frag3_timeout} {$frag3_overlap_limit} {$frag3_min_frag_len} preprocessor stream5_global:{$stream5_reassembly} track_tcp {$stream5_track_tcp}, track_udp {$stream5_track_udp}, track_icmp {$stream5_track_icmp}, max_tcp 262144, max_udp 131072, max_active_responses 2, min_response_seconds 5{$stream5_mem_cap} -preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}$stream5_dont_store_lg_pkts +preprocessor stream5_tcp: {$stream5_policy}, {$stream5_overlap_limit}, {$stream5_tcp_timeout}, ports both all{$stream5_max_queued_bytes_type}{$stream5_max_queued_segs_type}{$stream5_require_3whs}{$stream5_no_reassemble_async}{$stream5_dont_store_lg_pkts} preprocessor stream5_udp: {$stream5_udp_timeout} preprocessor stream5_icmp: {$stream5_icmp_timeout} diff --git a/config/snort/snort.xml b/config/snort/snort.xml index ed731f74..49bec61c 100755 --- a/config/snort/snort.xml +++ b/config/snort/snort.xml @@ -47,7 +47,7 @@ <faq>Currently there are no FAQ items provided.</faq> <name>Snort</name> <version>2.9.4.6</version> - <title>Services:2.9.4.6 pkg v. 2.5.9</title> + <title>Services:2.9.4.6 pkg v. 2.6.1</title> <include_file>/usr/local/pkg/snort/snort.inc</include_file> <menu> <name>Snort</name> @@ -59,7 +59,7 @@ <name>snort</name> <rcfile>snort.sh</rcfile> <executable>snort</executable> - <description>Snort is the most widely deployed IDS/IPS technology worldwide.</description> + <description>Snort IDS/IPS Daemon</description> </service> <tabs> </tabs> diff --git a/config/snort/snort_alerts.php b/config/snort/snort_alerts.php index c296f81b..728de751 100755 --- a/config/snort/snort_alerts.php +++ b/config/snort/snort_alerts.php @@ -90,8 +90,8 @@ function snort_add_supplist_entry($suppress) { /* If no Suppress List is set for the interface, then create one with the interface name */ if (empty($a_instance[$instanceid]['suppresslistname']) || $a_instance[$instanceid]['suppresslistname'] == 'default') { $s_list = array(); - $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); + $s_list['name'] = $a_instance[$instanceid]['interface'] . "suppress" . "_" . $s_list['uuid']; $s_list['descr'] = "Auto-generated list for Alert suppression"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; @@ -108,6 +108,10 @@ function snort_add_supplist_entry($suppress) { $alist['suppresspassthru'] = base64_encode($tmplist); $a_suppress[$a_id] = $alist; } + else { + $alist['suppresspassthru'] = base64_encode($suppress); + $a_suppress[$a_id] = $alist; + } } } } @@ -167,7 +171,7 @@ if ($_POST['todelete'] || $_GET['todelete']) { $ip = $_GET['todelete']; if (is_ipaddr($ip)) { exec("/sbin/pfctl -t snort2c -T delete {$ip}"); - $savemsg = "Host IP address {$ip} has been removed from the Blocked Table."; + $savemsg = gettext("Host IP address {$ip} has been removed from the Blocked Table."); } } @@ -179,7 +183,7 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to the Suppress List."); else $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); } @@ -204,7 +208,7 @@ if (($_GET['act'] == "addsuppress_srcip" || $_GET['act'] == "addsuppress_dstip") /* Add the new entry to the Suppress List */ if (snort_add_supplist_entry($suppress)) - $savemsg = "An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."; + $savemsg = gettext("An entry for 'suppress gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}, track {$method}, ip {$_GET['ip']}' has been added to the Suppress List."); else /* We did not find the defined list, so notify the user with an error */ $input_errors[] = gettext("Suppress List '{$a_instance[$instanceid]['suppresslistname']}' is defined for this interface, but it could not be found!"); @@ -217,8 +221,7 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($fd) fclose($fd); conf_mount_ro(); - /* XXX: This is needed is snort is run as snort user */ - //mwexec('/usr/sbin/chown snort:snort /var/log/snort/*', true); + /* XXX: This is needed if snort is run as snort user */ mwexec('/bin/chmod 660 /var/log/snort/*', true); if (file_exists("{$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid")) mwexec("/bin/pkill -HUP -F {$g['varrun_path']}/snort_{$if_real}{$snort_uuid}.pid -a"); @@ -229,23 +232,28 @@ if ($_GET['action'] == "clear" || $_POST['delete']) { if ($_POST['download']) { $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_logs_{$save_date}_{$if_real}.tar.gz"; - exec("/usr/bin/tar cfz /tmp/{$file_name} /var/log/snort/snort_{$if_real}{$snort_uuid}"); + exec("cd /var/log/snort/snort_{$if_real}{$snort_uuid} && /usr/bin/tar -czf /tmp/{$file_name} *"); if (file_exists("/tmp/{$file_name}")) { - $file = "/tmp/snort_logs_{$save_date}.tar.gz"; - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); - header("Content-length: ".filesize($file)); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); + header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); - readfile("$file"); + ob_end_clean(); //important or other post will fail + readfile("/tmp/{$file_name}"); + + // Clean up the temp file @unlink("/tmp/{$file_name}"); } - - header("Location: /snort/snort_alerts.php?instance={$instanceid}"); - exit; + else + $savemsg = gettext("An error occurred while creating archive"); } /* Load up an array with the current Suppression List GID,SID values */ @@ -263,7 +271,7 @@ include_once("fbegin.inc"); /* refresh every 60 secs */ if ($pconfig['arefresh'] == 'on') - echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php\" />\n"; + echo "<meta http-equiv=\"refresh\" content=\"60;url=/snort/snort_alerts.php?instance={$instanceid}\" />\n"; ?> <?php if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} @@ -300,7 +308,7 @@ if ($pconfig['arefresh'] == 'on') <tr> <td width="22%" class="vncell"><?php echo gettext('Instance to inspect'); ?></td> <td width="78%" class="vtable"> - <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').submit()"> + <select name="instance" id="instance" class="formselect" onChange="document.getElementById('formalert').method='get';document.getElementById('formalert').submit()"> <?php foreach ($a_instance as $id => $instance) { $selected = ""; @@ -396,19 +404,26 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_src = $fields[6]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_src = str_replace(":", ":​", $alert_ip_src); + /* Add Reverse DNS lookup icon */ + $alert_ip_src .= "<br/><a href='/diag_dns.php?host={$fields[6]}&instance={$instanceid}'>"; + $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; + $alert_ip_src .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; + /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { - $alert_ip_src .= "<br/><a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[6])) . "'>"; + $alert_ip_src .= " <a href='?instance={$instanceid}&act=addsuppress_srcip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[6])) . "'>"; $alert_ip_src .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; - $alert_ip_src .= "title='" . gettext("Add this gen_id:sig_id track by_src IP to Suppress List") . "'></a>"; + $alert_ip_src .= "title='" . gettext("Add this alert to the Suppress List and track by_src IP") . "'></a>"; } elseif (isset($supplist[$fields[1]][$fields[2]]['by_src'][$fields[6]])) { - $alert_ip_src .= "<br/><img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; - $alert_ip_src .= "title='" . gettext("This gen_id:sig_id track by_src IP already in Suppress List") . "'/>"; + $alert_ip_src .= " <img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $alert_ip_src .= "title='" . gettext("This alert track by_src IP is already in the Suppress List") . "'/>"; } + /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[6]])) { - $alert_ip_src .= " <a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> - <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>"; + $alert_ip_src .= " "; + $alert_ip_src .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[6])) . "'> + <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; } /* IP SRC Port */ $alert_src_p = $fields[7]; @@ -416,19 +431,26 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { $alert_ip_dst = $fields[8]; /* Add zero-width space as soft-break opportunity after each colon if we have an IPv6 address */ $alert_ip_dst = str_replace(":", ":​", $alert_ip_dst); + /* Add Reverse DNS lookup icon */ + $alert_ip_dst .= "<br/><a href='/diag_dns.php?host={$fields[8]}&instance={$instanceid}'>"; + $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' "; + $alert_ip_dst .= "title='" . gettext("Resolve host via reverse DNS lookup") . "'></a>"; + /* Add icons for auto-adding to Suppress List if appropriate */ if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2]) && !isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) { - $alert_ip_dst .= "<br/><a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[8])) . "'>"; + $alert_ip_dst .= " <a href='?instance={$instanceid}&act=addsuppress_dstip&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}&ip=" . trim(urlencode($fields[8])) . "'>"; $alert_ip_dst .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; - $alert_ip_dst .= "title='" . gettext("Add this gen_id:sig_id track by_dst IP to Suppress List") . "'></a>"; + $alert_ip_dst .= "title='" . gettext("Add this alert to the Suppress List and track by_dst IP") . "'></a>"; } elseif (isset($supplist[$fields[1]][$fields[2]]['by_dst'][$fields[8]])) { - $alert_ip_dst .= "<br/><img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; - $alert_ip_dst .= "title='" . gettext("This gen_id:sig_id track by_dst IP already in Suppress List") . "'/>"; + $alert_ip_dst .= " <img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; + $alert_ip_dst .= "title='" . gettext("This alert track by_dst IP is already in the Suppress List") . "'/>"; } + /* Add icon for auto-removing from Blocked Table if required */ if (isset($tmpblocked[$fields[8]])) { - $alert_ip_dst .= " <a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> - <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"/></a>"; + $alert_ip_dst .= " "; + $alert_ip_dst .= "<a href='?instance={$id}&todelete=" . trim(urlencode($fields[8])) . "'> + <img title=\"" . gettext("Remove host from Blocked Table") . "\" border=\"0\" width='12' height='12' name='todelete' id='todelete' alt=\"Remove from Blocked Hosts\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a>"; } /* IP DST Port */ $alert_dst_p = $fields[9]; @@ -437,11 +459,11 @@ if (file_exists("/var/log/snort/snort_{$if_real}{$snort_uuid}/alert")) { if (!snort_is_alert_globally_suppressed($supplist, $fields[1], $fields[2])) { $sidsupplink = "<a href='?instance={$instanceid}&act=addsuppress&sidid={$fields[2]}&gen_id={$fields[1]}&descr={$alert_descr_url}'>"; $sidsupplink .= "<img src='../themes/{$g['theme']}/images/icons/icon_plus.gif' width='12' height='12' border='0' "; - $sidsupplink .= "title='" . gettext("Add this gen_id:sig_id to Suppress List") . "'></a>"; + $sidsupplink .= "title='" . gettext("Add this alert to the Suppress List") . "'></a>"; } else { $sidsupplink = "<img src='../themes/{$g['theme']}/images/icons/icon_plus_d.gif' width='12' height='12' border='0' "; - $sidsupplink .= "title='" . gettext("This gen_id:sig_id already in Suppress List") . "'/>"; + $sidsupplink .= "title='" . gettext("This alert is already in the Suppress List") . "'/>"; } $alert_class = $fields[11]; diff --git a/config/snort/snort_blocked.php b/config/snort/snort_blocked.php index 56edfbc5..983e8905 100644 --- a/config/snort/snort_blocked.php +++ b/config/snort/snort_blocked.php @@ -67,7 +67,6 @@ if ($_POST['download']) exec('/sbin/pfctl -t snort2c -T show', $blocked_ips_array_save); /* build the list */ if (is_array($blocked_ips_array_save) && count($blocked_ips_array_save) > 0) { - ob_start(); //important or other posts will fail $save_date = exec('/bin/date "+%Y-%m-%d-%H-%M-%S"'); $file_name = "snort_blocked_{$save_date}.tar.gz"; exec('/bin/mkdir -p /tmp/snort_blocked'); @@ -79,24 +78,32 @@ if ($_POST['download']) file_put_contents("/tmp/snort_blocked/snort_block.pf", "{$fileline}\n", FILE_APPEND); } - exec("/usr/bin/tar cf /tmp/{$file_name} /tmp/snort_blocked"); + // Create a tar gzip archive of blocked host IP addresses + exec("/usr/bin/tar -czf /tmp/{$file_name} -C/tmp/snort_blocked snort_block.pf"); + // If we successfully created the archive, send it to the browser. if(file_exists("/tmp/{$file_name}")) { - header("Expires: Mon, 26 Jul 1997 05:00:00 GMT\n"); - header("Pragma: private"); // needed for IE - header("Cache-Control: private, must-revalidate"); // needed for IE - header('Content-type: application/force-download'); - header('Content-Transfer-Encoding: Binary'); + ob_start(); //important or other posts will fail + if (isset($_SERVER['HTTPS'])) { + header('Pragma: '); + header('Cache-Control: '); + } else { + header("Pragma: private"); + header("Cache-Control: private, must-revalidate"); + } + header("Content-Type: application/octet-stream"); header("Content-length: " . filesize("/tmp/{$file_name}")); header("Content-disposition: attachment; filename = {$file_name}"); + ob_end_clean(); //important or other post will fail readfile("/tmp/{$file_name}"); - ob_end_clean(); //importanr or other post will fail + + // Clean up the temp files and directory @unlink("/tmp/{$file_name}"); exec("/bin/rm -fr /tmp/snort_blocked"); } else - $savemsg = "An error occurred while createing archive"; + $savemsg = gettext("An error occurred while creating archive"); } else - $savemsg = "No content on snort block list"; + $savemsg = gettext("No content on snort block list"); } if ($_POST['save']) @@ -257,7 +264,9 @@ if ($pconfig['brefresh'] == 'on') /* use one echo to do the magic*/ echo "<tr> <td align=\"center\" valign=\"middle\" class=\"listr\">{$counter}</td> - <td valign=\"middle\" class=\"listr\">{$tmp_ip}</td> + <td valign=\"middle\" class=\"listr\">{$tmp_ip} <a href='/diag_dns.php?host={$blocked_ip}'> + <img src='../themes/{$g['theme']}/images/icons/icon_log.gif' width='11' height='11' border='0' + title='" . gettext("Resolve host via reverse DNS lookup") . "'></a></td> <td valign=\"middle\" class=\"listr\">{$blocked_desc}</td> <td align=\"center\" valign=\"middle\" class=\"listr\"><a href='snort_blocked.php?todelete=" . trim(urlencode($blocked_ip)) . "'> <img title=\"" . gettext("Delete host from Blocked Table") . "\" border=\"0\" name='todelete' id='todelete' alt=\"Delete host from Blocked Table\" src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"></a></td> diff --git a/config/snort/snort_check_for_rule_updates.php b/config/snort/snort_check_for_rule_updates.php index c40d6ff4..e7263330 100755 --- a/config/snort/snort_check_for_rule_updates.php +++ b/config/snort/snort_check_for_rule_updates.php @@ -35,27 +35,25 @@ require_once "/usr/local/pkg/snort/snort.inc"; global $g, $pkg_interface, $snort_gui_include, $rebuild_rules; - -if (!defined("VRT_DNLD_FILENAME")) - define("VRT_DNLD_FILENAME", "snortrules-snapshot-2946.tar.gz"); if (!defined("VRT_DNLD_URL")) define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/"); if (!defined("ET_VERSION")) define("ET_VERSION", "2.9.0"); +if (!defined("ET_BASE_DNLD_URL")) + define("ET_BASE_DNLD_URL", "http://rules.emergingthreats.net/"); +if (!defined("ETPRO_BASE_DNLD_URL")) + define("ETPRO_BASE_DNLD_URL", "https://rules.emergingthreatspro.com/"); if (!defined("ET_DNLD_FILENAME")) define("ET_DNLD_FILENAME", "emerging.rules.tar.gz"); +if (!defined("ETPRO_DNLD_FILENAME")) + define("ETPRO_DNLD_FILENAME", "etpro.rules.tar.gz"); if (!defined("GPLV2_DNLD_FILENAME")) define("GPLV2_DNLD_FILENAME", "community-rules.tar.gz"); if (!defined("GPLV2_DNLD_URL")) define("GPLV2_DNLD_URL", "https://s3.amazonaws.com/snort-org/www/rules/community/"); -if (!defined("FLOWBITS_FILENAME")) - define("FLOWBITS_FILENAME", "flowbit-required.rules"); -if (!defined("ENFORCING_RULES_FILENAME")) - define("ENFORCING_RULES_FILENAME", "snort.rules"); if (!defined("RULES_UPD_LOGFILE")) define("RULES_UPD_LOGFILE", SNORTLOGDIR . "/snort_rules_update.log"); - $snortdir = SNORTDIR; $snortlibdir = SNORTLIBDIR; $snortlogdir = SNORTLOGDIR; @@ -70,8 +68,10 @@ else /* define checks */ $oinkid = $config['installedpackages']['snortglobal']['oinkmastercode']; +$etproid = $config['installedpackages']['snortglobal']['etpro_code']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; $vrt_enabled = $config['installedpackages']['snortglobal']['snortdownload']; $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; @@ -79,15 +79,39 @@ $et_enabled = $config['installedpackages']['snortglobal']['emergingthreats']; /* Working directory for downloaded rules tarballs */ $tmpfname = "{$snortdir}/tmp/snort_rules_up"; -/* Snort VRT rules filenames and URL */ -$snort_filename = VRT_DNLD_FILENAME; -$snort_filename_md5 = VRT_DNLD_FILENAME . ".md5"; +/* Grab the Snort binary version programmatically and use it to construct */ +/* the proper Snort VRT rules tarball and md5 filenames. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +// Save the version with decimal delimiters for use in extracting the rules +$snort_version = $snortver[0]; +// Create a collapsed version string for use in the tarball filename +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_filename = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +$snort_filename_md5 = "{$snort_filename}.md5"; $snort_rule_url = VRT_DNLD_URL; -/* Emerging Threats rules filenames and URL */ -$emergingthreats_filename = ET_DNLD_FILENAME; -$emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; -$emerging_threats_version = ET_VERSION; +/* Set up Emerging Threats rules filenames and URL */ +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $emergingthreats_filename_md5 = ETPRO_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ETPRO_BASE_DNLD_URL; + $emergingthreats_url .= "{$etproid}/snort-" . ET_VERSION . "/"; + $emergingthreats = "on"; + $et_name = "Emerging Threats Pro"; + $et_md5_remove = ET_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $emergingthreats_filename_md5 = ET_DNLD_FILENAME . ".md5"; + $emergingthreats_url = ET_BASE_DNLD_URL; + // If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules + $emergingthreats_url .= $vrt_enabled == "on" ? "open-nogpl/" : "open/"; + $emergingthreats_url .= "snort-" . ET_VERSION . "/"; + $et_name = "Emerging Threats Open"; + $et_md5_remove = ETPRO_DNLD_FILENAME . ".md5"; + @unlink("{$snortdir}/{$et_md5_remove}"); +} /* Snort GPLv2 Community Rules filenames and URL */ $snort_community_rules_filename = GPLV2_DNLD_FILENAME; @@ -106,7 +130,13 @@ function snort_download_file_url($url, $file_out) { /* It provides logging of returned CURL errors. */ /************************************************/ - global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded; + global $g, $config, $pkg_interface, $last_curl_error, $fout, $ch, $file_size, $downloaded, $first_progress_update; + + // Initialize required variables for pfSense "read_body()" function + $file_size = 1; + $downloaded = 1; + $first_progress_update = TRUE; + /* Array of message strings for HTTP Response Codes */ $http_resp_msg = array( 200 => "OK", 202 => "Accepted", 204 => "No Content", 205 => "Reset Content", @@ -141,6 +171,18 @@ function snort_download_file_url($url, $file_out) { curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_TIMEOUT, 0); + + // Use the system proxy server setttings if configured + if (!empty($config['system']['proxyurl'])) { + curl_setopt($ch, CURLOPT_PROXY, $config['system']['proxyurl']); + if (!empty($config['system']['proxyport'])) + curl_setopt($ch, CURLOPT_PROXYPORT, $config['system']['proxyport']); + if (!empty($config['system']['proxyuser']) && !empty($config['system']['proxypass'])) { + @curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_ANY | CURLAUTH_ANYSAFE); + curl_setopt($ch, CURLOPT_PROXYUSERPWD, "{$config['system']['proxyuser']}:{$config['system']['proxypass']}"); + } + } + $counter = 0; $rc = true; /* Try up to 4 times to download the file before giving up */ @@ -200,26 +242,26 @@ $last_curl_error = ""; /* download md5 sig from snort.org */ if ($snortdownload == 'on') { if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort VRT md5 file...")); - error_log(gettext("\tDownloading Snort VRT md5 file...\n"), 3, $snort_rules_upd_log); + update_status(gettext("Downloading Snort VRT md5 file {$snort_filename_md5}...")); + error_log(gettext("\tDownloading Snort VRT md5 file '{$snort_filename_md5}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename_md5}/{$oinkid}/", "{$tmpfname}/{$snort_filename_md5}"); if ($rc === true) { if ($pkg_interface <> "console") - update_status(gettext("Done downloading snort.org md5.")); + update_status(gettext("Done downloading {$snort_filename_md5}.")); error_log("\tChecking Snort VRT md5 file...\n", 3, $snort_rules_upd_log); } else { error_log(gettext("\tSnort VRT md5 download failed.\n"), 3, $snort_rules_upd_log); if ($rc == 403) { $snort_err_msg = gettext("Too many attempts or Oinkcode not authorized for this Snort version.\n"); - $snort_err_msg .= gettext("\tFree Registered User accounts may download Snort VRT Rules once every 15 minutes.\n"); - $snort_err_msg .= gettext("\tPaid Subscriber accounts have no download limits.\n"); + $snort_err_msg .= gettext("\tFree Registered Users may download VRT Rules once every 15 minutes.\n"); + $snort_err_msg .= gettext("\tPaid Subscribers have no download limits.\n"); } else $snort_err_msg = gettext("Server returned error code '{$rc}'."); if ($pkg_interface <> "console") { update_status(gettext("Snort VRT md5 error ... Server returned error code {$rc} ...")); - update_output_window(gettext("Snort VRT rules will not be updated.\n{$snort_err_msg}")); + update_output_window(gettext("Snort VRT rules will not be updated.\n\t{$snort_err_msg}")); } log_error(gettext("[Snort] Snort VRT md5 download failed...")); log_error(gettext("[Snort] Server returned error code '{$rc}'...")); @@ -249,13 +291,15 @@ if ($snortdownload == 'on') { /* download snortrules file */ if ($snortdownload == 'on') { if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort VRT rules posted. Downloading...")); + update_status(gettext("There is a new set of Snort VRT rules posted. Downloading {$snort_filename}...")); log_error(gettext("[Snort] There is a new set of Snort VRT rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort VRT rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tThere is a new set of Snort VRT rules posted.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloading file '{$snort_filename}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$snort_rule_url}{$snort_filename}/{$oinkid}/", "{$tmpfname}/{$snort_filename}"); if ($rc === true) { if ($pkg_interface <> "console") update_status(gettext("Done downloading Snort VRT rules file.")); + log_error("[Snort] Snort VRT rules file update downloaded successfully"); error_log(gettext("\tDone downloading rules file.\n"),3, $snort_rules_upd_log); if (trim(file_get_contents("{$tmpfname}/{$snort_filename_md5}")) != trim(md5_file("{$tmpfname}/{$snort_filename}"))){ if ($pkg_interface <> "console") @@ -285,8 +329,8 @@ if ($snortdownload == 'on') { /* download md5 sig from Snort GPLv2 Community Rules */ if ($snortcommunityrules == 'on') { if ($pkg_interface <> "console") - update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file...")); - error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file...\n"), 3, $snort_rules_upd_log); + update_status(gettext("Downloading Snort GPLv2 Community Rules md5 file {$snort_community_rules_filename_md5}...")); + error_log(gettext("\tDownloading Snort GPLv2 Community Rules md5 file '{$snort_community_rules_filename_md5}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename_md5}", "{$tmpfname}/{$snort_community_rules_filename_md5}"); if ($rc === true) { if ($pkg_interface <> "console") @@ -320,9 +364,10 @@ if ($snortcommunityrules == 'on') { /* download Snort GPLv2 Community rules file */ if ($snortcommunityrules == "on") { if ($pkg_interface <> "console") - update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); + update_status(gettext("There is a new set of Snort GPLv2 Community Rules posted. Downloading {$snort_community_rules_filename} ...")); log_error(gettext("[Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted. Downloading...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tThere is a new set of Snort GPLv2 Community Rules posted.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloading file '{$snort_community_rules_filename}'...\n"), 3, $snort_rules_upd_log); $rc = snort_download_file_url("{$snort_community_rules_url}{$snort_community_rules_filename}", "{$tmpfname}/{$snort_community_rules_filename}"); /* Test for a valid rules file download. Turn off Snort Community update if download failed. */ @@ -397,38 +442,34 @@ if ($snortcommunityrules == 'on') { /* download md5 sig from emergingthreats.net */ if ($emergingthreats == 'on') { if ($pkg_interface <> "console") - update_status(gettext("Downloading EmergingThreats md5 file...")); - error_log(gettext("\tDownloading EmergingThreats md5 file...\n"), 3, $snort_rules_upd_log); - /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ - if ($vrt_enabled == "on") - $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); - else - $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); + update_status(gettext("Downloading {$et_name} md5 file...")); + error_log(gettext("\tDownloading {$et_name} md5 file '{$emergingthreats_filename_md5}'...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename_md5}", "{$tmpfname}/{$emergingthreats_filename_md5}"); if ($rc === true) { if ($pkg_interface <> "console") - update_status(gettext("Done downloading EmergingThreats md5")); - error_log(gettext("\tChecking EmergingThreats md5.\n"), 3, $snort_rules_upd_log); + update_status(gettext("Done downloading {$et_name} md5 file {$emergingthreats_filename_md5}")); + error_log(gettext("\tChecking {$et_name} md5.\n"), 3, $snort_rules_upd_log); if (file_exists("{$snortdir}/{$emergingthreats_filename_md5}") && $emergingthreats == "on") { /* Check if were up to date emergingthreats.net */ $emerg_md5_check_new = file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"); $emerg_md5_check_old = file_get_contents("{$snortdir}/{$emergingthreats_filename_md5}"); if ($emerg_md5_check_new == $emerg_md5_check_old) { if ($pkg_interface <> "console") - update_status(gettext("Emerging Threats rules are up to date...")); - log_error(gettext("[Snort] Emerging Threat rules are up to date...")); - error_log(gettext("\tEmerging Threats rules are up to date.\n"), 3, $snort_rules_upd_log); + update_status(gettext("{$et_name} rules are up to date...")); + log_error(gettext("[Snort] {$et_name} rules are up to date...")); + error_log(gettext("\t{$et_name} rules are up to date.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } } else { if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats md5 file download failed. EmergingThreats rules will not be updated.")); - log_error(gettext("[Snort] EmergingThreats md5 file download failed. Server returned error code '{$rc}'.")); - error_log(gettext("\tEmergingThreats md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); + update_output_window(gettext("{$et_name} md5 file download failed. {$et_name} rules will not be updated.")); + log_error(gettext("[Snort] {$et_name} md5 file download failed. Server returned error code '{$rc}'.")); + error_log(gettext("\t{$et_name} md5 file download failed. Server returned error code '{$rc}'.\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); - error_log(gettext("\tEmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } } @@ -436,43 +477,39 @@ if ($emergingthreats == 'on') { /* download emergingthreats rules file */ if ($emergingthreats == "on") { if ($pkg_interface <> "console") - update_status(gettext("There is a new set of EmergingThreats rules posted. Downloading...")); - log_error(gettext("[Snort] There is a new set of EmergingThreats rules posted. Downloading...")); - error_log(gettext("\tThere is a new set of EmergingThreats rules posted. Downloading...\n"), 3, $snort_rules_upd_log); - - /* If using Sourcefire VRT rules with ET, then we should use the open-nogpl ET rules. */ - if ($vrt_enabled == "on") - $rc = snort_download_file_url("http://rules.emergingthreats.net/open-nogpl/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); - else - $rc = snort_download_file_url("http://rules.emergingthreats.net/open/snort-{$emerging_threats_version}/{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); + update_status(gettext("There is a new set of {$et_name} rules posted. Downloading {$emergingthreats_filename}...")); + log_error(gettext("[Snort] There is a new set of {$et_name} rules posted. Downloading...")); + error_log(gettext("\tThere is a new set of {$et_name} rules posted.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tDownloading file '{$emergingthreats_filename}'...\n"), 3, $snort_rules_upd_log); + $rc = snort_download_file_url("{$emergingthreats_url}{$emergingthreats_filename}", "{$tmpfname}/{$emergingthreats_filename}"); /* Test for a valid rules file download. Turn off ET update if download failed. */ if ($rc === true) { if (trim(file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}")) != trim(md5_file("{$tmpfname}/{$emergingthreats_filename}"))){ if ($pkg_interface <> "console") - update_output_window(gettext("EmergingThreats rules file MD5 checksum failed...")); - log_error(gettext("[Snort] EmergingThreats rules file download failed. Bad MD5 checksum...")); + update_output_window(gettext("{$et_name} rules file MD5 checksum failed...")); + log_error(gettext("[Snort] {$et_name} rules file download failed. Bad MD5 checksum...")); log_error(gettext("[Snort] Failed File MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}"))); log_error(gettext("[Snort] Expected File MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}"))); - error_log(gettext("\tEmergingThreats rules file download failed. EmergingThreats rules will not be updated.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\t{$et_name} rules file download failed. {$et_name} rules will not be updated.\n"), 3, $snort_rules_upd_log); error_log(gettext("\tDownloaded ET file MD5: " . md5_file("{$tmpfname}/{$emergingthreats_filename}") . "\n"), 3, $snort_rules_upd_log); error_log(gettext("\tExpected ET file MD5: " . file_get_contents("{$tmpfname}/{$emergingthreats_filename_md5}") . "\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; } else { if ($pkg_interface <> "console") - update_status(gettext('Done downloading EmergingThreats rules file.')); - log_error("[Snort] EmergingThreats rules file update downloaded successfully"); - error_log(gettext("\tDone downloading EmergingThreats rules file.\n"), 3, $snort_rules_upd_log); + update_status(gettext('Done downloading {$et_name} rules file.')); + log_error("[Snort] {$et_name} rules file update downloaded successfully"); + error_log(gettext("\tDone downloading {$et_name} rules file.\n"), 3, $snort_rules_upd_log); } } else { if ($pkg_interface <> "console") { - update_status(gettext("The server returned error code {$rc} ... skipping EmergingThreats update...")); - update_output_window(gettext("EmergingThreats rules file download failed...")); + update_status(gettext("The server returned error code {$rc} ... skipping {$et_name} update...")); + update_output_window(gettext("{$et_name} rules file download failed...")); } - log_error(gettext("[Snort] EmergingThreats rules file download failed. Server returned error '{$rc}'...")); - error_log(gettext("\tEmergingThreats rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); + log_error(gettext("[Snort] {$et_name} rules file download failed. Server returned error '{$rc}'...")); + error_log(gettext("\t{$et_name} rules file download failed. Server returned error '{$rc}'...\n"), 3, $snort_rules_upd_log); if ($pkg_interface == "console") error_log(gettext("\tThe error text is '{$last_curl_error}'\n"), 3, $snort_rules_upd_log); $emergingthreats = 'off'; @@ -484,22 +521,34 @@ if ($emergingthreats == 'on') { safe_mkdir("{$snortdir}/tmp/emerging"); if (file_exists("{$tmpfname}/{$emergingthreats_filename}")) { if ($pkg_interface <> "console") { - update_status(gettext("Extracting EmergingThreats.org rules...")); - update_output_window(gettext("Installing EmergingThreats rules...")); + update_status(gettext("Extracting {$et_name} rules...")); + update_output_window(gettext("Installing {$et_name} rules...")); } - error_log(gettext("\tExtracting and installing EmergingThreats.org rules...\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tExtracting and installing {$et_name} rules...\n"), 3, $snort_rules_upd_log); exec("/usr/bin/tar xzf {$tmpfname}/{$emergingthreats_filename} -C {$snortdir}/tmp/emerging rules/"); + /* Remove the old Emerging Threats rules files */ + array_map('unlink', glob("{$snortdir}/rules/emerging-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*.rules")); + array_map('unlink', glob("{$snortdir}/rules/emerging-*ips.txt")); + array_map('unlink', glob("{$snortdir}/rules/etpro-*ips.txt")); + $files = glob("{$snortdir}/tmp/emerging/rules/*.rules"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/{$newfile}"); } /* IP lists for Emerging Threats rules */ $files = glob("{$snortdir}/tmp/emerging/rules/*ips.txt"); foreach ($files as $file) { $newfile = basename($file); - @copy($file, "{$snortdir}/rules/{$newfile}"); + if ($etpro == "on") + @copy($file, "{$snortdir}/rules/etpro-{$newfile}"); + else + @copy($file, "{$snortdir}/rules/emerging-{$newfile}"); } /* base etc files for Emerging Threats rules */ foreach (array("classification.config", "reference.config", "gen-msg.map", "unicode.map") as $file) { @@ -514,10 +563,10 @@ if ($emergingthreats == 'on') { @copy("{$tmpfname}/{$emergingthreats_filename_md5}", "{$snortdir}/{$emergingthreats_filename_md5}"); } if ($pkg_interface <> "console") { - update_status(gettext("Extraction of EmergingThreats.org rules completed...")); - update_output_window(gettext("Installation of EmergingThreats rules completed...")); + update_status(gettext("Extraction of {$et_name} rules completed...")); + update_output_window(gettext("Installation of {$et_name} rules completed...")); } - error_log(gettext("\tInstallation of EmergingThreats.org rules completed.\n"), 3, $snort_rules_upd_log); + error_log(gettext("\tInstallation of {$et_name} rules completed.\n"), 3, $snort_rules_upd_log); exec("rm -r {$snortdir}/tmp/emerging"); } } @@ -531,6 +580,9 @@ if ($snortdownload == 'on') { if (substr(php_uname("r"), 0, 1) == '9') $freebsd_version_so = 'FreeBSD-9-0'; + /* Remove the old Snort rules files */ + array_map('unlink', glob("{$snortdir}/rules/snort_*.rules")); + if ($pkg_interface <> "console") { update_status(gettext("Extracting Snort VRT rules...")); update_output_window(gettext("Installing Sourcefire VRT rules...")); @@ -562,10 +614,10 @@ if ($snortdownload == 'on') { $nosorules = false; if ($snort_arch == 'i386'){ exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/* {$snortlibdir}/dynamicrules/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/i386/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); } elseif ($snort_arch == 'amd64') { exec("/usr/bin/tar xzf {$tmpfname}/{$snort_filename} -C {$snortdir}/tmp so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/"); - exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/* {$snortlibdir}/dynamicrules/"); + exec("/bin/cp {$snortdir}/tmp/so_rules/precompiled/{$freebsd_version_so}/x86-64/{$snort_version}/*.so {$snortlibdir}/dynamicrules/"); } else $nosorules = true; exec("rm -r {$snortdir}/tmp/so_rules"); diff --git a/config/snort/snort_define_servers.php b/config/snort/snort_define_servers.php index 371bbecd..ca549820 100755 --- a/config/snort/snort_define_servers.php +++ b/config/snort/snort_define_servers.php @@ -48,17 +48,17 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) { } $a_nat = &$config['installedpackages']['snortglobal']['rule']; -/* NOTE: KEEP IN SYNC WITH SNORT.INC since global do not work quite well with package */ +/* NOTE: KEEP IN SYNC WITH SNORT.INC since globals do not work well with package */ /* define servers and ports snortdefservers */ $snort_servers = array ( -"dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", -"www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", -"snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", -"pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", -"sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", -"dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", -"enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", -"aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" + "dns_servers" => "\$HOME_NET", "smtp_servers" => "\$HOME_NET", "http_servers" => "\$HOME_NET", + "www_servers" => "\$HOME_NET", "sql_servers" => "\$HOME_NET", "telnet_servers" => "\$HOME_NET", + "snmp_servers" => "\$HOME_NET", "ftp_servers" => "\$HOME_NET", "ssh_servers" => "\$HOME_NET", + "pop_servers" => "\$HOME_NET", "imap_servers" => "\$HOME_NET", "sip_proxy_ip" => "\$HOME_NET", + "sip_servers" => "\$HOME_NET", "rpc_servers" => "\$HOME_NET", "dnp3_server" => "\$HOME_NET", + "dnp3_client" => "\$HOME_NET", "modbus_server" => "\$HOME_NET", "modbus_client" => "\$HOME_NET", + "enip_server" => "\$HOME_NET", "enip_client" => "\$HOME_NET", + "aim_servers" => "64.12.24.0/23,64.12.28.0/23,64.12.161.0/24,64.12.163.0/24,64.12.200.0/24,205.188.3.0/24,205.188.5.0/24,205.188.7.0/24,205.188.9.0/24,205.188.153.0/24,205.188.179.0/24,205.188.248.0/24" ); /* if user has defined a custom ssh port, use it */ @@ -67,21 +67,23 @@ if(is_array($config['system']['ssh']) && isset($config['system']['ssh']['port']) else $ssh_port = "22"; $snort_ports = array( -"dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,143,465,691", -"http_ports" => "80", "oracle_ports" => "1521", "mssql_ports" => "1433", -"telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21", -"ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", -"imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", -"sip_ports" => "5060,5061", "auth_ports" => "113", "finger_ports" => "79", -"irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", -"nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", -"ssl_ports" => "443,465,563,636,989,990,992,993,994,995", "GTP_PORTS" => "2123,2152,3386", -"file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", -"sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", -"DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", -"DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", -"DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", -"DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502" + "dns_ports" => "53", "smtp_ports" => "25", "mail_ports" => "25,465,587,691", + "http_ports" => "36,80,81,82,83,84,85,86,87,88,89,90,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3443,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8500,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,10000,11371,34443,34444,41080,50000,50002,55555", + "oracle_ports" => "1024:", "mssql_ports" => "1433", + "telnet_ports" => "23","snmp_ports" => "161", "ftp_ports" => "21,2100,3535", + "ssh_ports" => $ssh_port, "pop2_ports" => "109", "pop3_ports" => "110", + "imap_ports" => "143", "sip_proxy_ports" => "5060:5090,16384:32768", + "sip_ports" => "5060,5061,5600", "auth_ports" => "113", "finger_ports" => "79", + "irc_ports" => "6665,6666,6667,6668,6669,7000", "smb_ports" => "139,445", + "nntp_ports" => "119", "rlogin_ports" => "513", "rsh_ports" => "514", + "ssl_ports" => "443,465,563,636,989,992,993,994,995,7801,7802,7900,7901,7902,7903,7904,7905,7906,7907,7908,7909,7910,7911,7912,7913,7914,7915,7916,7917,7918,7919,7920", + "file_data_ports" => "\$HTTP_PORTS,110,143", "shellcode_ports" => "!80", + "sun_rpc_ports" => "111,32770,32771,32772,32773,32774,32775,32776,32777,32778,32779", + "DCERPC_NCACN_IP_TCP" => "139,445", "DCERPC_NCADG_IP_UDP" => "138,1024:", + "DCERPC_NCACN_IP_LONG" => "135,139,445,593,1024:", "DCERPC_NCACN_UDP_LONG" => "135,1024:", + "DCERPC_NCACN_UDP_SHORT" => "135,593,1024:", "DCERPC_NCACN_TCP" => "2103,2105,2107", + "DCERPC_BRIGHTSTORE" => "6503,6504", "DNP3_PORTS" => "20000", "MODBUS_PORTS" => "502", + "GTP_PORTS" => "2123,2152,3386" ); $pconfig = $a_nat[$id]; @@ -201,15 +203,18 @@ if ($savemsg) $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> <td width="78%" class="vtable"> <input name="def_<?=$key;?>" size="40" type="text" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/><?php echo gettext("Leave " . "blank for default value."); ?></span> </td> @@ -220,17 +225,21 @@ if ($savemsg) </tr> <?php foreach ($snort_ports as $key => $server): - $server = substr($server, 0, 20); + if (strlen($server) > 40) + $server = substr($server, 0, 40) . "..."; $label = strtoupper($key); $value = ""; - if (!empty($pconfig["def_{$key}"])) + $title = ""; + if (!empty($pconfig["def_{$key}"])) { $value = htmlspecialchars($pconfig["def_{$key}"]); + $title = trim(filter_expand_alias($pconfig["def_{$key}"])); + } ?> <tr> <td width='22%' valign='top' class='vncell'><?php echo gettext("Define"); ?> <?=$label;?></td> <td width="78%" class="vtable"> - <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" - value="<?=$value;?>"> <br/> + <input name="def_<?=$key;?>" type="text" size="40" autocomplete="off" class="formfldalias" id="def_<?=$key;?>" + value="<?=$value;?>" title="<?=$title;?>"> <br/> <span class="vexpl"><?php echo gettext("Default value:"); ?> "<?=$server;?>" <br/> <?php echo gettext("Leave " . "blank for default value."); ?></span> </td> @@ -259,6 +268,9 @@ if ($savemsg) if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + // Skip any Aliases that resolve to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_download_updates.php b/config/snort/snort_download_updates.php index 1f87fbbc..09ab646a 100755 --- a/config/snort/snort_download_updates.php +++ b/config/snort/snort_download_updates.php @@ -40,8 +40,14 @@ require_once("/usr/local/pkg/snort/snort.inc"); $snortdir = SNORTDIR; $snort_rules_upd_log = RULES_UPD_LOGFILE; $log = $snort_rules_upd_log; -$snort_rules_file = VRT_DNLD_FILENAME; -$emergingthreats_filename = ET_DNLD_FILENAME; + +/* Grab the Snort binary version programmatically and */ +/* use it to construct the proper Snort VRT rules */ +/* tarball filename. */ +exec("/usr/local/bin/snort -V 2>&1 |/usr/bin/grep Version | /usr/bin/cut -c20-26", $snortver); +$snortver[0] = str_replace(".", "", $snortver[0]); +$snort_rules_file = "snortrules-snapshot-{$snortver[0]}.tar.gz"; +//$snort_rules_file = VRT_DNLD_FILENAME; $snort_community_rules_filename = GPLV2_DNLD_FILENAME; /* load only javascript that is needed */ @@ -49,8 +55,18 @@ $snort_load_jquery = 'yes'; $snort_load_jquery_colorbox = 'yes'; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingthreats = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunityrules = $config['installedpackages']['snortglobal']['snortcommunityrules']; +if ($etpro == "on") { + $emergingthreats_filename = ETPRO_DNLD_FILENAME; + $et_name = "EMERGING THREATS PRO RULES"; +} +else { + $emergingthreats_filename = ET_DNLD_FILENAME; + $et_name = "EMERGING THREATS RULES"; +} + /* quick md5s chk */ $snort_org_sig_chk_local = 'N/A'; if (file_exists("{$snortdir}/{$snort_rules_file}.md5")) @@ -138,9 +154,9 @@ h += 96; <p style="text-align: left; margin-left: 225px;"> <font color="#777777" size="2.5px"> <b><?php echo gettext("INSTALLED RULESET SIGNATURES"); ?></b></font><br/><br/> - <font color="#FF850A" size="1px"><b>SNORT.ORG --></b></font> + <font color="#FF850A" size="1px"><b>SNORT VRT RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_org_sig_chk_local; ?></font><br/> - <font color="#FF850A" size="1px"><b>EMERGINGTHREATS.NET --></b></font> + <font color="#FF850A" size="1px"><b><?=$et_name;?> --></b></font> <font size="1px" color="#000000"> <? echo $emergingt_net_sig_chk_local; ?></font><br/> <font color="#FF850A" size="1px"><b>SNORT GPLv2 COMMUNITY RULES --></b></font> <font size="1px" color="#000000"> <? echo $snort_community_sig_chk_local; ?></font><br/> @@ -160,7 +176,7 @@ h += 96; <?php - if ($snortdownload != 'on' && $emergingthreats != 'on') { + if ($snortdownload != 'on' && $emergingthreats != 'on' && $etpro != 'on') { echo ' <button disabled="disabled"><span class="download">' . gettext("Update Rules") . '</span></button><br/> <p style="text-align:left; margin-left:150px;"> diff --git a/config/snort/snort_interfaces_global.php b/config/snort/snort_interfaces_global.php index d28ec2b4..089255b6 100644 --- a/config/snort/snort_interfaces_global.php +++ b/config/snort/snort_interfaces_global.php @@ -44,7 +44,9 @@ $snortdir = SNORTDIR; /* make things short */ $pconfig['snortdownload'] = $config['installedpackages']['snortglobal']['snortdownload']; $pconfig['oinkmastercode'] = $config['installedpackages']['snortglobal']['oinkmastercode']; +$pconfig['etpro_code'] = $config['installedpackages']['snortglobal']['etpro_code']; $pconfig['emergingthreats'] = $config['installedpackages']['snortglobal']['emergingthreats']; +$pconfig['emergingthreats_pro'] = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $pconfig['rm_blocked'] = $config['installedpackages']['snortglobal']['rm_blocked']; $pconfig['snortloglimit'] = $config['installedpackages']['snortglobal']['snortloglimit']; $pconfig['snortloglimitsize'] = $config['installedpackages']['snortglobal']['snortloglimitsize']; @@ -63,14 +65,22 @@ if ($_POST['rule_update_starttime']) { $input_errors[] = "Invalid Rule Update Start Time! Please supply a value in 24-hour format as 'HH:MM'."; } +if ($_POST['snortdownload'] == "on" && empty($_POST['oinkmastercode'])) + $input_errors[] = "You must supply an Oinkmaster code in the box provided in order to enable Snort VRT rules!"; + +if ($_POST['emergingthreats_pro'] == "on" && empty($_POST['etpro_code'])) + $input_errors[] = "You must supply a subscription code in the box provided in order to enable Emerging Threats Pro rules!"; + /* if no errors move foward */ if (!$input_errors) { if ($_POST["Submit"]) { - $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload']; + $config['installedpackages']['snortglobal']['snortdownload'] = $_POST['snortdownload'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['oinkmastercode'] = $_POST['oinkmastercode']; $config['installedpackages']['snortglobal']['snortcommunityrules'] = $_POST['snortcommunityrules'] ? 'on' : 'off'; $config['installedpackages']['snortglobal']['emergingthreats'] = $_POST['emergingthreats'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['emergingthreats_pro'] = $_POST['emergingthreats_pro'] ? 'on' : 'off'; + $config['installedpackages']['snortglobal']['etpro_code'] = $_POST['etpro_code']; $config['installedpackages']['snortglobal']['rm_blocked'] = $_POST['rm_blocked']; if ($_POST['snortloglimitsize']) { @@ -160,19 +170,14 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="off" onclick="enable_snort_vrt('off')" - <?php if($pconfig['snortdownload']=='off' || $pconfig['snortdownload']=='') echo 'checked'; ?> > </td> - <td><span class="vexpl"><?php printf(gettext("Do %sNOT%s Install"), '<strong>', '</strong>'); ?></span></td> - </tr> - <tr> - <td><input name="snortdownload" type="radio" id="snortdownload" value="on" onclick="enable_snort_vrt('on')" + <td><input name="snortdownload" type="checkbox" id="snortdownload" value="on" onclick="enable_snort_vrt();" <?php if($pconfig['snortdownload']=='on') echo 'checked'; ?>></td> - <td><span class="vexpl"><?php echo gettext("Install Basic Rules or Premium rules"); ?></span></td> + <td><span class="vexpl"><?php echo gettext("Snort VRT free Registered User or paid Subscriber rules"); ?></span></td> <tr> <td> </td> - <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a Basic Rule Account"); ?> </a><br> + <td><a href="https://www.snort.org/signup" target="_blank"><?php echo gettext("Sign Up for a free Registered User Rule Account"); ?> </a><br> <a href="http://www.snort.org/vrt/buy-a-subscription" target="_blank"> - <?php echo gettext("Sign Up for Sourcefire VRT Certified Premium Rules. This Is Highly Recommended"); ?></a></td> + <?php echo gettext("Sign Up for paid Sourcefire VRT Certified Subscriber Rules"); ?></a></td> </tr> <tr> <td colspan="2"> </td> @@ -180,17 +185,17 @@ if ($input_errors) </table> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Oinkmaster Configuration"); ?></span></b></td> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("Snort VRT Oinkmaster Configuration"); ?></span></b></td> </tr> <tr> - <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code"); ?></strong></span></td> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> <td><input name="oinkmastercode" type="text" class="formfld" id="oinkmastercode" size="52" value="<?=htmlspecialchars($pconfig['oinkmastercode']);?>" <?php if($pconfig['snortdownload']<>'on') echo 'disabled'; ?>><br> <?php echo gettext("Obtain a snort.org Oinkmaster code and paste it here."); ?></td> </tr> - </table> + </table> </tr> <tr> <td width="22%" valign="top" class="vncell"><?php printf(gettext("Install %sSnort Community%s " . @@ -198,7 +203,7 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="yes" + <td valign="top" width="8%"><input name="snortcommunityrules" type="checkbox" value="on" <?php if ($config['installedpackages']['snortglobal']['snortcommunityrules']=="on") echo "checked"; ?> ></td> <td><span class="vexpl"><?php echo gettext("The Snort Community Ruleset is a GPLv2 VRT certified ruleset that is distributed free of charge " . "without any VRT License restrictions. This ruleset is updated daily and is a subset of the subscriber ruleset."); ?> @@ -212,11 +217,41 @@ if ($input_errors) <td width="78%" class="vtable"> <table width="100%" border="0" cellpadding="2" cellspacing="0"> <tr> - <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="yes" - <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>> - <td><span class="vexpl"><?php echo gettext("Emerging Threats is an open source community that produces fast " . - "moving and diverse Snort Rules."); ?></span></td> + <td valign="top" width="8%"><input name="emergingthreats" type="checkbox" value="on" onclick="enable_et_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETOpen is an open source set of Snort rules whose coverage " . + "is more limited than ETPro."); ?></span></td> + </tr> + <tr> + <td valign="top" width="8%"><input name="emergingthreats_pro" type="checkbox" value="on" onclick="enable_etpro_rules();" + <?php if ($config['installedpackages']['snortglobal']['emergingthreats_pro']=="on") echo "checked"; ?>></td> + <td><span class="vexpl"><?php echo gettext("ETPro for Snort offers daily updates and extensive coverage of current malware threats."); ?></span></td> </tr> + <tr> + <td> </td> + <td><a href="http://www.emergingthreats.net/solutions/etpro-ruleset/" target="_blank"><?php echo gettext("Sign Up for an ETPro Account"); ?> </a></td> + </tr> + <tr> + <td> </td> + <td class="vexpl"><?php echo "<span class='red'><strong>" . gettext("Note:") . "</strong></span>" . " " . + gettext("The ETPro rules contain all of the ETOpen rules, so the ETOpen rules are not required and are disabled when the ETPro rules are selected."); ?></td> + </tr> + <tr> + <td colspan="2"> </td> + </tr> + </table> + <table width="100%" border="0" cellpadding="2" cellspacing="0"> + <tr> + <td colspan="2" valign="top"><b><span class="vexpl"><?php echo gettext("ETPro Subscription Configuration"); ?></span></b></td> + </tr> + <tr> + <td valign="top"><span class="vexpl"><strong><?php echo gettext("Code:"); ?></strong></span></td> + <td><input name="etpro_code" type="text" + class="formfld" id="etpro_code" size="52" + value="<?=htmlspecialchars($pconfig['etpro_code']);?>" + <?php if($pconfig['emergingthreats_pro']<>'on') echo 'disabled'; ?>><br> + <?php echo gettext("Obtain an ETPro subscription code and paste it here."); ?></td> + </tr> </table> </td> </tr> @@ -330,13 +365,28 @@ if ($input_errors) <script language="JavaScript"> <!-- -function enable_snort_vrt(btn) { - if (btn == 'off') { - document.iform.oinkmastercode.disabled = "true"; +function enable_snort_vrt() { + var endis = !(document.iform.snortdownload.checked); + document.iform.oinkmastercode.disabled = endis; + document.iform.etpro_code.disabled = endis; +} + +function enable_et_rules() { + var endis = document.iform.emergingthreats.checked; + if (endis) { + document.iform.emergingthreats_pro.checked = !(endis); + document.iform.etpro_code.disabled = "true"; } - if (btn == 'on') { - document.iform.oinkmastercode.disabled = ""; - } +} + +function enable_etpro_rules() { + var endis = document.iform.emergingthreats_pro.checked; + if (endis) { + document.iform.emergingthreats.checked = !(endis); + document.iform.etpro_code.disabled = ""; + } + else + document.iform.etpro_code.disabled = "true"; } function enable_change_rules_upd() { diff --git a/config/snort/snort_interfaces_suppress.php b/config/snort/snort_interfaces_suppress.php index 780a6e92..7eed6dd3 100644 --- a/config/snort/snort_interfaces_suppress.php +++ b/config/snort/snort_interfaces_suppress.php @@ -37,6 +37,8 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); +if (!is_array($config['installedpackages']['snortglobal']['rule'])) + $config['installedpackages']['snortglobal']['rule'] = array(); if (!is_array($config['installedpackages']['snortglobal']['suppress'])) $config['installedpackages']['snortglobal']['suppress'] = array(); if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) @@ -44,14 +46,41 @@ if (!is_array($config['installedpackages']['snortglobal']['suppress']['item'])) $a_suppress = &$config['installedpackages']['snortglobal']['suppress']['item']; $id_gen = count($config['installedpackages']['snortglobal']['suppress']['item']); + +function snort_suppresslist_used($supplist) { + + /****************************************************************/ + /* This function tests if the passed Suppress List is currently */ + /* assigned to an interface. It returns TRUE if the list is */ + /* in use. */ + /* */ + /* Returns: TRUE if list is in use, else FALSE */ + /****************************************************************/ + + global $config; + + $snortconf = $config['installedpackages']['snortglobal']['rule']; + if (empty($snortconf)) + return false; + foreach ($snortconf as $value) { + if ($value['suppresslistname'] == $supplist) + return true; + } + return false; +} + if ($_GET['act'] == "del") { if ($a_suppress[$_GET['id']]) { /* make sure rule is not being referenced by any nat or filter rules */ - - unset($a_suppress[$_GET['id']]); - write_config(); - header("Location: /snort/snort_interfaces_suppress.php"); - exit; + if (snort_suppresslist_used($a_suppress[$_GET['id']]['name'])) { + $input_errors[] = gettext("ERROR -- Suppress List is currently assigned to an interface and cannot be removed!"); + } + else { + unset($a_suppress[$_GET['id']]); + write_config(); + header("Location: /snort/snort_interfaces_suppress.php"); + exit; + } } } @@ -65,6 +94,10 @@ include_once("head.inc"); <?php include_once("fbegin.inc"); if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} +if ($input_errors) { + print_input_errors($input_errors); +} + ?> <form action="/snort/snort_interfaces_suppress.php" method="post"><?php if ($savemsg) print_info_box($savemsg); ?> @@ -107,12 +140,12 @@ if($pfsense_stable == 'yes'){echo '<p class="pgtitle">' . $pgtitle . '</p>';} <td valign="middle"><a href="snort_interfaces_suppress_edit.php?id=<?=$i;?>"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_e.gif" - width="17" height="17" border="0" title="<?php echo gettext("edit whitelist"); ?>"></a></td> + width="17" height="17" border="0" title="<?php echo gettext("edit Suppress List"); ?>"></a></td> <td><a href="/snort/snort_interfaces_suppress.php?act=del&id=<?=$i;?>" - onclick="return confirm('<?php echo gettext("Do you really want to delete this whitelist? All elements that still use it will become invalid (e.g. snort rules will fall back to the default whitelist)!"); ?>')"><img + onclick="return confirm('<?php echo gettext("Do you really want to delete this Suppress List?"); ?>')"><img src="/themes/<?= $g['theme']; ?>/images/icons/icon_x.gif" - width="17" height="17" border="0" title="<?php echo gettext("delete whitelist"); ?>"></a></td> + width="17" height="17" border="0" title="<?php echo gettext("delete Suppress List"); ?>"></a></td> </tr> </table> </td> diff --git a/config/snort/snort_interfaces_whitelist_edit.php b/config/snort/snort_interfaces_whitelist_edit.php index fc157375..671fa4e5 100644 --- a/config/snort/snort_interfaces_whitelist_edit.php +++ b/config/snort/snort_interfaces_whitelist_edit.php @@ -261,7 +261,7 @@ if ($savemsg) <div id="addressnetworkport"><?php echo gettext("Alias Name:"); ?></div> </td> <td width="78%" class="vtable"> - <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" /> + <input autocomplete="off" name="address" type="text" class="formfldalias" id="address" size="30" value="<?=htmlspecialchars($pconfig['address']);?>" title="<?=trim(filter_expand_alias($pconfig['address']));?>"/> </td> </tr> <tr> @@ -287,6 +287,9 @@ if ($savemsg) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] != "host" && $alias_name['type'] != "network") continue; + // Skip any Alias that resolves to an empty string + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; diff --git a/config/snort/snort_preprocessors.php b/config/snort/snort_preprocessors.php index 3f88efaa..95d5a10e 100755 --- a/config/snort/snort_preprocessors.php +++ b/config/snort/snort_preprocessors.php @@ -109,6 +109,7 @@ if (isset($id) && $a_nat[$id]) { $pconfig['dnp3_preproc'] = $a_nat[$id]['dnp3_preproc']; $pconfig['modbus_preproc'] = $a_nat[$id]['modbus_preproc']; $pconfig['gtp_preproc'] = $a_nat[$id]['gtp_preproc']; + $pconfig['ssh_preproc'] = $a_nat[$id]['ssh_preproc']; $pconfig['preproc_auto_rule_disable'] = $a_nat[$id]['preproc_auto_rule_disable']; $pconfig['protect_preproc_rules'] = $a_nat[$id]['protect_preproc_rules']; $pconfig['frag3_detection'] = $a_nat[$id]['frag3_detection']; @@ -153,6 +154,8 @@ if (isset($id) && $a_nat[$id]) { $pconfig['sip_preproc'] = 'on'; if (empty($pconfig['other_preprocs'])) $pconfig['other_preprocs'] = 'on'; + if (empty($pconfig['ssh_preproc'])) + $pconfig['ssh_preproc'] = 'on'; if (empty($pconfig['http_inspect_memcap'])) $pconfig['http_inspect_memcap'] = "150994944"; if (empty($pconfig['frag3_overlap_limit'])) @@ -258,6 +261,7 @@ if ($_POST['ResetAll']) { $pconfig['dnp3_preproc'] = "off"; $pconfig['modbus_preproc'] = "off"; $pconfig['gtp_preproc'] = "off"; + $pconfig['ssh_preproc'] = "on"; $pconfig['preproc_auto_rule_disable'] = "off"; $pconfig['protect_preproc_rules'] = "off"; $pconfig['frag3_detection'] = "on"; @@ -334,6 +338,7 @@ elseif ($_POST['Submit']) { $natent['sip_preproc'] = $_POST['sip_preproc'] ? 'on' : 'off'; $natent['modbus_preproc'] = $_POST['modbus_preproc'] ? 'on' : 'off'; $natent['gtp_preproc'] = $_POST['gtp_preproc'] ? 'on' : 'off'; + $natent['ssh_preproc'] = $_POST['ssh_preproc'] ? 'on' : 'off'; $natent['preproc_auto_rule_disable'] = $_POST['preproc_auto_rule_disable'] ? 'on' : 'off'; $natent['protect_preproc_rules'] = $_POST['protect_preproc_rules'] ? 'on' : 'off'; $natent['frag3_detection'] = $_POST['frag3_detection'] ? 'on' : 'off'; @@ -1156,8 +1161,8 @@ include_once("head.inc"); <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Ignore Scanners"); ?></td> <td width="78%" class="vtable"> - <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" - value="<?=$pconfig['pscan_ignore_scanners'];?>"> <?php echo gettext("Leave blank for default. ") . + <input name="pscan_ignore_scanners" type="text" size="40" autocomplete="off" class="formfldalias" id="pscan_ignore_scanners" + value="<?=$pconfig['pscan_ignore_scanners'];?>" title="<?=trim(filter_expand_alias($pconfig['pscan_ignore_scanners']));?>"> <?php echo gettext("Leave blank for default. ") . gettext("Default value is ") . "<strong>" . gettext("\$HOME_NET") . "</strong>"; ?>.<br/> <?php echo gettext("Ignores the specified entity as a source of scan alerts. Entity must be a defined alias."); ?><br/> </td> @@ -1221,6 +1226,12 @@ include_once("head.inc"); <?php echo gettext("The GTP preprocessor decodes GPRS Tunneling Protocol traffic and detects intrusion attempts."); ?></td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable SSH Detection"); ?></td> + <td width="78%" class="vtable"><input name="ssh_preproc" type="checkbox" value="on" + <?php if ($pconfig['ssh_preproc']=="on") echo "checked"; ?>> + <?php echo gettext("The SSH preprocessor detects various Secure Shell exploit attempts."); ?></td> + </tr> + <tr> <td width="22%" valign="top" class="vncell"><?php echo gettext("Enable DNS Detection"); ?></td> <td width="78%" class="vtable"><input name="dns_preprocessor" type="checkbox" value="on" <?php if ($pconfig['dns_preprocessor']=="on") echo "checked"; ?>> @@ -1304,6 +1315,8 @@ include_once("head.inc"); if(isset($config['aliases']['alias']) && is_array($config['aliases']['alias'])) foreach($config['aliases']['alias'] as $alias_name) { if ($alias_name['type'] == "host" || $alias_name['type'] == "network") { + if (trim(filter_expand_alias($alias_name['name'])) == "") + continue; if($addrisfirst == 1) $aliasesaddr .= ","; $aliasesaddr .= "'" . $alias_name['name'] . "'"; $addrisfirst = 1; @@ -1445,6 +1458,21 @@ function enable_change_all() { document.iform.stream5_icmp_timeout.disabled=endis; } +function wopen(url, name, w, h) +{ +// Fudge factors for window decoration space. +// In my tests these work well on all platforms & browsers. + w += 32; + h += 96; + var win = window.open(url, + name, + 'width=' + w + ', height=' + h + ', ' + + 'location=no, menubar=no, ' + + 'status=no, toolbar=no, scrollbars=yes, resizable=yes'); + win.resizeTo(w, h); + win.focus(); +} + // Set initial state of form controls enable_change_all(); diff --git a/config/snort/snort_rules.php b/config/snort/snort_rules.php index 7853b955..c9852597 100755 --- a/config/snort/snort_rules.php +++ b/config/snort/snort_rules.php @@ -33,7 +33,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $g, $flowbit_rules_file, $rebuild_rules; +global $g, $rebuild_rules; $snortdir = SNORTDIR; $rules_map = array(); @@ -106,6 +106,7 @@ function add_title_attribute($tag, $title) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; $categories = explode("||", $pconfig['rulesets']); @@ -117,7 +118,7 @@ else if ($_POST['openruleset']) else $currentruleset = $categories[0]; -if (empty($categories[0]) && ($currentruleset != "custom.rules")) { +if (empty($categories[0]) && ($currentruleset != "custom.rules") && ($currentruleset != "Auto-Flowbit Rules")) { if (!empty($a_rule[$id]['ips_policy'])) $currentruleset = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); else @@ -133,6 +134,9 @@ $ruledir = "{$snortdir}/rules"; $rulefile = "{$ruledir}/{$currentruleset}"; if ($currentruleset != 'custom.rules') { // Read the current rules file into our rules map array. + // If it is the auto-flowbits file, set the full path. + if ($currentruleset == "Auto-Flowbit Rules") + $rulefile = "{$snortcfgdir}/rules/" . FLOWBITS_FILENAME; // Test for the special case of an IPS Policy file. if (substr($currentruleset, 0, 10) == "IPS Policy") $rules_map = snort_load_vrt_policy($a_rule[$id]['ips_policy']); @@ -193,8 +197,6 @@ if ($_GET['act'] == "toggle" && $_GET['ids'] && !empty($rules_map)) { write_config(); $_GET['openruleset'] = $currentruleset; -// header("Location: /snort/snort_rules.php?id={$id}&openruleset={$currentruleset}"); -// exit; $anchor = "rule_{$sid}"; } @@ -334,7 +336,7 @@ if ($_POST['customrules']) { $rebuild_rules = false; $output = ""; $retcode = ""; - exec("snort -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf -T 2>&1", $output, $retcode); + exec("/usr/local/bin/snort -T -c {$snortdir}/snort_{$snort_uuid}_{$if_real}/snort.conf 2>&1", $output, $retcode); if (intval($retcode) != 0) { $error = ""; $start = count($output); @@ -436,6 +438,8 @@ if ($savemsg) { $files = explode("||", $pconfig['rulesets']); if ($a_rule[$id]['ips_policy_enable'] == 'on') $files[] = "IPS Policy - " . ucfirst($a_rule[$id]['ips_policy']); + if ($a_rule[$id]['autoflowbitrules'] == 'on') + $files[] = "Auto-Flowbit Rules"; natcasesort($files); foreach ($files as $value) { if ($snortdownload != 'on' && substr($value, 0, 6) == "snort_") @@ -511,12 +515,23 @@ if ($savemsg) { </tr> <tr> <td class="vexpl" valign="middle"><?php echo "<a href='?id={$id}&openruleset={$currentruleset}&act=enable_all'> - <img src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\" width=\"15\" height=\"15\" - onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_x.gif\"' - onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_x_mo.gif\"' border='0' + <img src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\" width=\"15\" height=\"15\" + onmouseout='this.src=\"../themes/{$g['theme']}/images/icons/icon_plus.gif\"' + onmouseover='this.src=\"../themes/{$g['theme']}/images/icons/icon_plus_mo.gif\"' border='0' title='" . gettext("Click to enable all rules in the selected category") . "'></a>"?> <?php echo gettext("Enable all rules in the current Category"); ?></td> </tr> + <?php if ($currentruleset == 'Auto-Flowbit Rules'): ?> + <tr> + <td colspan="3"> </td> + </tr> + <tr> + <td colspan="3" class="vexpl" align="center"><?php echo "<span class=\"red\"><b>" . gettext("WARNING: ") . "</b></span>" . + gettext("You should not disable flowbit rules! Add Suppress List entries for them instead by ") . + "<a href='snort_rules_flowbits.php?id={$id}' title=\"" . gettext("Add Suppress List entry for Flowbit Rule") . "\">" . + gettext("clicking here") . ".</a>";?></td> + </tr> + <?php endif;?> </table> </td> </tr> @@ -559,28 +574,37 @@ if ($savemsg) { <tbody> <?php - $counter = 0; + $counter = $enable_cnt = $disable_cnt = 0; foreach ($rules_map as $k1 => $rulem) { foreach ($rulem as $k2 => $v) { $sid = snort_get_sid($v['rule']); $gid = snort_get_gid($v['rule']); + if (isset($disablesid[$sid])) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_reject_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by user. Click to toggle to enabled state"); } elseif (($v['disabled'] == 1) && (!isset($enablesid[$sid]))) { $textss = "<span class=\"gray\">"; $textse = "</span>"; $iconb = "icon_block_d.gif"; + $disable_cnt++; + $title = gettext("Disabled by default. Click to toggle to enabled state"); } elseif (isset($enablesid[$sid])) { $textss = $textse = ""; $iconb = "icon_reject.gif"; + $enable_cnt++; + $title = gettext("Enabled by user. Click to toggle to disabled state"); } else { $textss = $textse = ""; $iconb = "icon_block.gif"; + $enable_cnt++; + $title = gettext("Enabled by default. Click to toggle to disabled state"); } // Pick off the first section of the rule (prior to the start of the MSG field), @@ -607,7 +631,7 @@ if ($savemsg) { <a id=\"rule_{$sid}\" href='?id={$id}&openruleset={$currentruleset}&act=toggle&ids={$sid}'> <img src=\"../themes/{$g['theme']}/images/icons/{$iconb}\" width=\"11\" height=\"11\" border=\"0\" - title='" . gettext("Click to toggle enabled/disabled state") . "'></a> + title='{$title}'></a> $textse </td> <td class=\"listlr\" align=\"center\"> @@ -634,8 +658,8 @@ if ($savemsg) { ?> <td align="right" valign="middle" nowrap class="listt"> <a href="javascript: void(0)" - onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"><img - src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" + onclick="wopen('snort_rules_edit.php?id=<?=$id;?>&openruleset=<?=$currentruleset;?>&ids=<?=$sid;?>&gid=<?=$gid;?>','FileViewer',800,600)"> + <img src="../themes/<?= $g['theme']; ?>/images/icons/icon_right.gif" title="<?php echo gettext("Click to view the entire rule text"); ?>" width="17" height="17" border="0"></a> </td> </tr> @@ -653,7 +677,12 @@ if ($savemsg) { <td> <table width="100%" border="0" cellspacing="0" cellpadding="1"> <tr> - <td class="vexpl" colspan="2" height="30" valign="middle"><?php echo gettext("Rule Count: {$counter}"); ?></td> + <td width="16"></td> + <td class="vexpl" height="35" valign="top"> + <strong><?php echo gettext("--- Category Rules Summary ---") . "</strong><br/>" . + gettext("Total Rules: {$counter}") . " " . + gettext("Enabled: {$enable_cnt}") . " " . + gettext("Disabled: {$disable_cnt}"); ?></td> </tr> <tr> <td width="16"><img src="../themes/<?= $g['theme']; ?>/images/icons/icon_block.gif" diff --git a/config/snort/snort_rules_edit.php b/config/snort/snort_rules_edit.php index a1f45c07..c0087464 100755 --- a/config/snort/snort_rules_edit.php +++ b/config/snort/snort_rules_edit.php @@ -37,7 +37,7 @@ require_once("guiconfig.inc"); require_once("/usr/local/pkg/snort/snort.inc"); -global $flowbit_rules_file; +$flowbit_rules_file = FLOWBITS_FILENAME; $snortdir = SNORTDIR; if (!is_array($config['installedpackages']['snortglobal']['rule'])) { @@ -60,10 +60,17 @@ if (isset($id) && $a_rule[$id]) { /* convert fake interfaces to real */ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_rule[$id]['uuid']; +$snortcfgdir = "{$snortdir}/snort_{$snort_uuid}_{$if_real}"; $file = $_GET['openruleset']; $contents = ''; $wrap_flag = "off"; +// Correct displayed file title if necessary +if ($file == "Auto-Flowbit Rules") + $displayfile = FLOWBITS_FILENAME; +else + $displayfile = $file; + // Read the contents of the argument passed to us. // It may be an IPS policy string, an individual SID, // a standard rules file, or a complete file name. @@ -87,13 +94,18 @@ if (substr($file, 0, 10) == "IPS Policy") { } // Is it a SID to load the rule text from? elseif (isset($_GET['ids'])) { - $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); + // If flowbit rule, point to interface-specific file + if ($file == "Auto-Flowbit Rules") + $rules_map = snort_load_rules_map("{$snortcfgdir}/rules/" . FLOWBITS_FILENAME); + else + $rules_map = snort_load_rules_map("{$snortdir}/rules/{$file}"); $contents = $rules_map[$_GET['gid']][trim($_GET['ids'])]['rule']; $wrap_flag = "soft"; } + // Is it our special flowbit rules file? -elseif ($file == $flowbit_rules_file) - $contents = file_get_contents("{$snortdir}/snort_{$snort_uuid}_{$if_real}/rules/{$flowbit_rules_file}"); +elseif ($file == "Auto-Flowbit Rules") + $contents = file_get_contents("{$snortcfgdir}/rules/{$flowbit_rules_file}"); // Is it a rules file in the ../rules/ directory? elseif (file_exists("{$snortdir}/rules/{$file}")) $contents = file_get_contents("{$snortdir}/rules/{$file}"); @@ -101,10 +113,8 @@ elseif (file_exists("{$snortdir}/rules/{$file}")) elseif (file_exists($file)) $contents = file_get_contents($file); // It is not something we can display, so exit. -else { - header("Location: /snort/snort_rules.php?id={$id}&openruleset={$file}"); - exit; -} +else + $input_errors[] = gettext("Unable to open file: {$displayfile}"); $pgtitle = array(gettext("Snort"), gettext("File Viewer")); ?> @@ -128,7 +138,7 @@ $pgtitle = array(gettext("Snort"), gettext("File Viewer")); <input type="button" class="formbtn" value="Return" onclick="window.close()"> </td> <td align="right"> - <b><?php echo gettext("Rules File: ") . '</b> ' . $file; ?> + <b><?php echo gettext("Rules File: ") . '</b> ' . $displayfile; ?> </td> </tr> <tr> diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php index 7a653af8..92330ebf 100644 --- a/config/snort/snort_rules_flowbits.php +++ b/config/snort/snort_rules_flowbits.php @@ -50,6 +50,21 @@ if (!is_array($config['installedpackages']['snortglobal']['rule'])) { } $a_nat = &$config['installedpackages']['snortglobal']['rule']; +// Set who called us so we can return to the correct page with +// the RETURN button. We will just trust this User-Agent supplied +// string for now. +session_start(); +if(!isset($_SESSION['org_referer'])) + $_SESSION['org_referer'] = $_SERVER['HTTP_REFERER']; +$referrer = $_SESSION['org_referer']; + +if ($_POST['cancel']) { + unset($_SESSION['org_referer']); + session_write_close(); + header("Location: {$referrer}"); + exit; +} + $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -88,14 +103,15 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ if (empty($a_nat[$id]['suppresslistname']) || $a_nat[$id]['suppresslistname'] == 'default') { $s_list = array(); - $s_list['name'] = $a_nat[$id]['interface'] . "suppress"; $s_list['uuid'] = uniqid(); - $s_list['descr'] = "Auto-generated list for alert suppression"; + $s_list['name'] = $a_nat[$id]['interface'] . "suppress" . "_" . $s_list['uuid']; + $s_list['descr'] = "Auto-generated list for Alert suppression"; $s_list['suppresspassthru'] = base64_encode($suppress); $a_suppress[] = $s_list; $a_nat[$id]['suppresslistname'] = $s_list['name']; $found_list = true; } else { + /* If we get here, a Suppress List is defined for the interface so see if we can find it */ foreach ($a_suppress as $a_id => $alist) { if ($alist['name'] == $a_nat[$id]['suppresslistname']) { $found_list = true; @@ -105,6 +121,10 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ $alist['suppresspassthru'] = base64_encode($tmplist); $a_suppress[$a_id] = $alist; } + else { + $alist['suppresspassthru'] = base64_encode($suppress); + $a_suppress[$a_id] = $alist; + } } } } @@ -112,7 +132,8 @@ if ($_GET['act'] == "addsuppress" && is_numeric($_GET['sidid']) && is_numeric($_ write_config(); $rebuild_rules = false; sync_snort_package_config(); - $savemsg = gettext("Wrote suppress rule for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' to the '{$a_nat[$id]['suppresslistname']}' Suppression List."); + snort_reload_config($a_nat[$id]); + $savemsg = gettext("An entry to suppress the Alert for 'gen_id {$_GET['gen_id']}, sig_id {$_GET['sidid']}' has been added to Suppress List '{$a_nat[$id]['suppresslistname']}'."); } else { /* We did not find the defined list, so notify the user with an error */ @@ -179,8 +200,9 @@ if ($savemsg) <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus.gif" width='12' height='12' border='0'/></td> <td><span class="vexpl"><?php echo gettext("Alert is Not Suppressed"); ?></span></td> - <td rowspan="3" align="right"><input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php - echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/></td> + <td rowspan="3" align="right"><input id="cancel" name="cancel" type="submit" class="formbtn" <?php + echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> + <input name="id" type="hidden" value="<?=$id;?>" /></td> </tr> <tr> <td width="17px"><img src="../themes/<?=$g['theme']?>/images/icons/icon_plus_d.gif" width='12' height='12' border='0'/></td> @@ -272,7 +294,7 @@ if ($savemsg) <?php if ($count > 20): ?> <tr> <td align="center" valign="middle"> - <input id="cancelbutton" name="cancelbutton" type="button" class="formbtn" onclick="parent.location='snort_rulesets.php?id=<?=$id;?>'" <?php + <input id="cancel" name="cancel" type="submit" class="formbtn" <?php echo "value=\"" . gettext("Return") . "\" title=\"" . gettext("Return to previous page") . "\""; ?>/> <input name="id" type="hidden" value="<?=$id;?>" /> </td> diff --git a/config/snort/snort_rulesets.php b/config/snort/snort_rulesets.php index 7ec0edbd..3c613f84 100755 --- a/config/snort/snort_rulesets.php +++ b/config/snort/snort_rulesets.php @@ -63,6 +63,7 @@ $if_real = snort_get_real_interface($pconfig['interface']); $snort_uuid = $a_nat[$id]['uuid']; $snortdownload = $config['installedpackages']['snortglobal']['snortdownload']; $emergingdownload = $config['installedpackages']['snortglobal']['emergingthreats']; +$etpro = $config['installedpackages']['snortglobal']['emergingthreats_pro']; $snortcommunitydownload = $config['installedpackages']['snortglobal']['snortcommunityrules']; $no_emerging_files = false; @@ -70,10 +71,13 @@ $no_snort_files = false; $no_community_files = false; /* Test rule categories currently downloaded to $SNORTDIR/rules and set appropriate flags */ -$test = glob("{$snortdir}/rules/emerging-*.rules"); +if (($etpro == 'off' || empty($etpro)) && $emergingdownload == 'on') + $test = glob("{$snortdir}/rules/emerging-*.rules"); +elseif ($etpro == 'on' && ($emergingdownload == 'off' || empty($emergingdownload))) + $test = glob("{$snortdir}/rules/etpro-*.rules"); if (empty($test)) $no_emerging_files = true; -$test = glob("{$snortdir}/rules/snort_*.rules"); +$test = glob("{$snortdir}/rules/snort*.rules"); if (empty($test)) $no_snort_files = true; if (!file_exists("{$snortdir}/rules/GPLv2_community.rules")) @@ -184,10 +188,16 @@ if ($_POST['selectall']) { } if ($emergingdownload == 'on') { - $files = glob("{$snortdir}/rules/emerging*.rules"); + $files = glob("{$snortdir}/rules/emerging-*.rules"); foreach ($files as $file) $rulesets[] = basename($file); } + elseif ($etpro == 'on') { + $files = glob("{$snortdir}/rules/etpro-*.rules"); + foreach ($files as $file) + $rulesets[] = basename($file); + } + if ($snortcommunitydownload == 'on') { $files = glob("{$snortdir}/rules/*_community.rules"); foreach ($files as $file) @@ -421,7 +431,10 @@ if ($savemsg) { <tr id="frheader"> <?php if ($emergingdownload == 'on' && !$no_emerging_files): ?> <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> - <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: Emerging Threats');?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Open Rules');?></td> + <?php elseif ($etpro == 'on' && !$no_emerging_files): ?> + <td width="5%" class="listhdrr" align="center"><?php echo gettext("Enabled"); ?></td> + <td width="25%" class="listhdrr"><?php echo gettext('Ruleset: ET Pro Rules');?></td> <?php else: ?> <td colspan="2" align="center" width="30%" class="listhdrr"><?php echo gettext("Emerging Threats rules not {$msg_emerging}"); ?></td> <?php endif; ?> @@ -446,7 +459,9 @@ if ($savemsg) { $filename = basename($filename); if (substr($filename, -5) != "rules") continue; - if (strstr($filename, "emerging") && $emergingdownload == 'on') + if (strstr($filename, "emerging-") && $emergingdownload == 'on') + $emergingrules[] = $filename; + else if (strstr($filename, "etpro-") && $etpro == 'on') $emergingrules[] = $filename; else if (strstr($filename, "snort") && $snortdownload == 'on') { if (strstr($filename, ".so.rules")) diff --git a/config/softflowd/softflowd.xml b/config/softflowd/softflowd.xml new file mode 100644 index 00000000..149631b8 --- /dev/null +++ b/config/softflowd/softflowd.xml @@ -0,0 +1,137 @@ +<packagegui> + <name>softflowd</name> + <version>0.9.8</version> + <title>softflowd: Settings</title> + <aftersaveredirect>pkg_edit.php?xml=softflowd.xml&id=0</aftersaveredirect> + <menu> + <name>softflowd</name> + <tooltiptext>Modify softflowd settings.</tooltiptext> + <section>Services</section> + <configfile>softflowd.xml</configfile> + <url>/pkg_edit.php?xml=softflowd.xml&id=0</url> + </menu> + <service> + <name>softflowd</name> + <rcfile>softflowd.sh</rcfile> + <executable>softflowd</executable> + <description>Netflow export daemon</description> + </service> + <configpath>installedpackages->package->$packagename->configuration->settings</configpath> + <fields> + <field> + <fielddescr>Interface</fielddescr> + <fieldname>interface</fieldname> + <type>interfaces_selection</type> + <description>Pick an interface from which to collect netflow data. A separate instance of softflowd will be launched for each interface.</description> + <multiple/> + </field> + <field> + <fielddescr>Host</fielddescr> + <fieldname>host</fieldname> + <description>Specify the host to which datagrams will be sent.</description> + <type>input</type> + </field> + <field> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + <description>Enter the port to which datagrams will be sent.</description> + <type>input</type> + </field> + <field> + <fielddescr>Max Flows</fielddescr> + <fieldname>maxflows</fieldname> + <description>Specify the maximum number of flows to concurrently track before older flows are expired. Default: 8192.</description> + <type>input</type> + </field> + <field> + <fielddescr>Netflow version</fielddescr> + <fieldname>version</fieldname> + <description>Select the desired version of the NetFlow protocol.</description> + <type>select</type> + <options> + <option> + <name>9</name> + <value>9</value> + </option> + <option> + <name>5</name> + <value>5</value> + </option> + <option> + <name>1</name> + <value>1</value> + </option> + </options> + </field> + </fields> + <custom_php_global_functions> + <![CDATA[ + function sync_package_softflowd() { + conf_mount_rw(); + config_lock(); + global $config; + $cf = $config['installedpackages']['softflowd']['config'][0]; + $interface_list = explode(",", $cf['interface']); + if (!empty($cf['host']) && !empty($interface_list)) { + $cf['host'] = is_ipaddrv6($cf['host']) ? "[{$cf['host']}]" : $cf['host']; + $start = "/usr/bin/killall -9 softflowd"; + foreach ($interface_list as $interface_friendly) { + if (empty($interface_friendly)) + continue; + $interface = get_real_interface($interface_friendly); + if (empty($interface)) + continue; + $start .= "\n\t/usr/local/sbin/softflowd "; + $start .= " -i {$interface}"; + $start .= " -n {$cf['host']}:{$cf['port']}"; + if (is_numeric($cf['maxflows'])) + $start .= " -m {$cf['maxflows']}"; + if ($cf['version'] != "") + $start .= " -v {$cf['version']}"; + $start .= " -p /var/run/softflowd.{$interface}.pid"; + $start .= " -c /var/run/softflowd.{$interface}.ctl"; + } + write_rcfile(array( + "file" => "softflowd.sh", + "start" => $start, + "stop" => "/usr/bin/killall -9 softflowd" + ) + ); + restart_service("softflowd"); + } + conf_mount_ro(); + config_unlock(); + } + + function validate_form_softflowd($post, $input_errors) { + if (($post['host'] == "") || !is_ipaddr($post['host'])) + $input_errors[] = 'You must specify a valid ip address in the \'Host\' field'; + if (($post['port'] == "") || !is_port($post['port'])) + $input_errors[] = 'You must specify a valid port number in the \'Port\' field'; + } + + function cleanup_config_softflowd() { + global $a_pkg; + $pffconf = array(); + if (is_array($a_pkg)) { + foreach($a_pkg as $cf) { + if ($cf['host'] != "") { + $pffconf = $cf; + } + } + } + $a_pkg = array(); + $a_pkg[0] = $pffconf; + } + ]]> + </custom_php_global_functions> + <custom_php_resync_config_command> + sync_package_softflowd(); + </custom_php_resync_config_command> + <custom_php_validation_command> + validate_form_softflowd($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_command_before_form> + cleanup_config_softflowd(); + </custom_php_command_before_form> +</packagegui> diff --git a/config/spamd/spamd.xml b/config/spamd/spamd.xml index 83221d3d..76d39af9 100644 --- a/config/spamd/spamd.xml +++ b/config/spamd/spamd.xml @@ -56,6 +56,7 @@ <name>spamd</name> <rcfile>spamd.sh</rcfile> <executable>spamd</executable> + <description>SPAMD Greylisting Daemon</description> </service> <tabs> <tab> diff --git a/config/squid/squid.inc b/config/squid/squid.inc index 34186407..e136d9f8 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -447,12 +447,13 @@ function squid_validate_nac($post, $input_errors) { $input_errors[] = "The time range '$time' is not a valid time range"; } - if(!empty($post['ext_cachemanager'])) { - $extmgr = explode(";", ($post['ext_cachemanager'])); - foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; - }} + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!empty($mgr) && !is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + } + } } function squid_validate_traffic($post, $input_errors) { diff --git a/config/squid3/31/squid_reverse.xml b/config/squid3/31/squid_reverse.xml index ce09f8e7..7c25c371 100644 --- a/config/squid3/31/squid_reverse.xml +++ b/config/squid3/31/squid_reverse.xml @@ -48,7 +48,7 @@ <name>squidreverse</name> <version>none</version> <title>Proxy server: Reverse Proxy</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> @@ -354,4 +354,4 @@ <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squid3/33/check_ip.php b/config/squid3/33/check_ip.php new file mode 100644 index 00000000..6c65ff3f --- /dev/null +++ b/config/squid3/33/check_ip.php @@ -0,0 +1,85 @@ +#!/usr/local/bin/php -q +<?php +/* $Id$ */ +/* + check_ip.php + Copyright (C) 2013 Marcello Coutinho + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +error_reporting(0); +// stdin loop +if (! defined(STDIN)) { + define("STDIN", fopen("php://stdin", "r")); +} +if (! defined(STDOUT)){ + define("STDOUT", fopen('php://stdout', 'w')); + } +while( !feof(STDIN)){ + $line = trim(fgets(STDIN)); + // %SRC + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +unset($cp_db); +if ($pf_version > 2.0){ + $dir="/var/db"; + $files=scandir($dir); + foreach ($files as $file){ + if (preg_match("/captive.*db/",$file)){ + $dbhandle = sqlite_open("$dir/$file", 0666, $error); + if ($dbhandle){ + $query = "select * from captiveportal"; + $result = sqlite_query($dbhandle, $query); + if ($result){ + $row = sqlite_fetch_array($result, SQLITE_ASSOC); + $cp_db[]=implode(",",$row); + sqlite_close($dbhandle); + } + } + } + } + } +else{ + $filename="/var/db/captiveportal.db"; + if (file_exists($filename)) + $cp_db=file($filename); +} + + $usuario=""; + // 1376630450,2,172.16.3.65,00:50:56:9c:00:c7,admin,e1779ea20d0a11c7,,,, + if (is_array($cp_db)){ + foreach ($cp_db as $cpl){ + $fields=explode(",",$cpl); + if ($fields[2] != "" && $fields[2]==$line) + $usuario=$fields[4]; + } + } + if ($usuario !="") + $resposta="OK user={$usuario}"; + else + $resposta="ERR"; + fwrite (STDOUT, "{$resposta}\n"); + unset($cp_db); +} +?> + diff --git a/config/squid3/33/pkg_squid.inc b/config/squid3/33/pkg_squid.inc new file mode 100644 index 00000000..47b64e2d --- /dev/null +++ b/config/squid3/33/pkg_squid.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['squid'] = array(); +$shortcuts['squid']['main'] = "pkg_edit.php?xml=squid.xml"; +$shortcuts['squid']['log'] = "squid_monitor.php"; +$shortcuts['squid']['status'] = "status_services.php"; +$shortcuts['squid']['service'] = "squid"; + +?>
\ No newline at end of file diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc index 1da86847..c55160bc 100755 --- a/config/squid3/33/squid.inc +++ b/config/squid3/33/squid.inc @@ -40,7 +40,8 @@ require_once('service-utils.inc'); if(!function_exists("filter_configure")) require_once("filter.inc"); - + +$shortcut_section = "squid"; $pf_version=substr(trim(file_get_contents("/etc/version")),0,3); if ($pf_version > 2.0) define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); @@ -155,7 +156,9 @@ function squid_install_command() { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; if (is_array($config['installedpackages']['squid']['config'])) $settingsgen = $config['installedpackages']['squid']['config'][0]; - + + if (file_exists("/usr/local/pkg/check_ip.php")) + rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php"); /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; @@ -659,7 +662,7 @@ function squid_validate_auth($post, $input_errors) { } $auth_method = $post['auth_method']; - if (($auth_method != 'none') && ($auth_method != 'local')) { + if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { $server = trim($post['auth_server']); if (empty($server)) $input_errors[] = 'The field \'Authentication server\' is required'; @@ -1633,13 +1636,22 @@ function squid_resync_auth() { $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + if ($transparent_proxy){ + if (preg_match ("/(none|cp)/",$settings['auth_method'])) + $auth_method=$settings['auth_method']; + else + $auth_method="none"; + } + else{ + $auth_method=$settings['auth_method']; + } // Allow the remaining ACLs if no authentication is set - if ($auth_method == 'none') { + if ($auth_method == 'none' || $auth_method == 'cp') { // Include squidguard denied acl log in squid if ($settingsconfig['log_sqd']) $conf .="http_access deny sglog\n"; - + } + if ($auth_method == 'none' ) { $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { @@ -1658,7 +1670,7 @@ function squid_resync_auth() { } // Set up the external authentication programs - $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5); $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { @@ -1674,11 +1686,17 @@ function squid_resync_auth() { $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; + case 'cp': + $conf .= "external_acl_type check_filter children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n"; + $conf .= "acl dgfilter external check_filter\n"; + $conf .= "http_access allow dgfilter\n"; + break; case 'msnt': $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; squid_resync_msnt(); break; } + if ($auth_method != 'cp'){ $conf .= <<< EOD auth_param basic children $processes auth_param basic realm $prompt @@ -1686,7 +1704,7 @@ auth_param basic credentialsttl $auth_ttl minutes acl password proxy_auth REQUIRED EOD; - + } // Onto the ACLs $password = array('localnet', 'allowed_subnets'); $passwordless = array('unrestricted_hosts'); @@ -1703,13 +1721,15 @@ EOD; foreach ($passwordless as $acl) $conf .= "http_access allow $acl\n"; - // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + if ($auth_method != 'cp'){ + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; - // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) - $conf .= "http_access allow password $acl\n"; + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + } } $conf .= "# Default block all to be sure\n"; @@ -1844,7 +1864,7 @@ function squid_print_javascript_auth() { $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); // No authentication for transparent proxy - if ($transparent_proxy) { + if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $javascript = <<< EOD <script language="JavaScript"> <!-- @@ -1959,6 +1979,24 @@ function on_auth_method_changed() { document.iform.radius_secret.disabled = 1; document.iform.msnt_secondary.disabled = 0; break; + case 'cp': + document.iform.auth_server.disabled = 1; + document.iform.auth_server_port.disabled = 1; + document.iform.auth_ntdomain.disabled = 1; + document.iform.ldap_user.disabled = 1; + document.iform.ldap_version.disabled = 1; + document.iform.ldap_userattribute.disabled = 1; + document.iform.ldap_filter.disabled = 1; + document.iform.ldap_pass.disabled = 1; + document.iform.ldap_basedomain.disabled = 1; + document.iform.radius_secret.disabled = 1; + document.iform.msnt_secondary.disabled = 1; + document.iform.auth_prompt.disabled = 1; + document.iform.auth_processes.disabled = 0; + document.iform.auth_ttl.disabled = 0; + document.iform.unrestricted_auth.disabled = 1; + document.iform.no_auth_hosts.disabled = 1; + break; } } --> @@ -1975,43 +2013,51 @@ function squid_print_javascript_auth2() { } function squid_generate_rules($type) { - global $config; + global $config,$pf_version; $squid_conf = $config['installedpackages']['squid']['config'][0]; - //check captive portal option $cp_file='/etc/inc/captiveportal.inc'; $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version")); $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $cp_inc = file($cp_file); - $new_cp_inc=""; - $found_rule=0; - foreach ($cp_inc as $line){ - $new_line=$line; - //remove applied squid patch - if (preg_match('/} set 1 skipto 65314/',$line)){ - $found_rule++; - $new_line =""; + $cp_inc = file($cp_file); + $new_cp_inc=""; + $found_rule=0; + foreach ($cp_inc as $line){ + $new_line=$line; + //remove applied squid patch + if (preg_match('/skipto 65314 ip/',$line)){ + $found_rule++; + $new_line =""; + } + + if (substr($pfsense_version,0,3) > 2.0){ + if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + } + } + else{ + //add squid patch option based on current config + if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; + $new_line .= $line; + } + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; + } + } + $new_cp_inc .= $new_line; } - //add squid patch option based on current config - if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n"; - $new_line .= $line; + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); } - if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ - $found_rule++; - $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; - $new_line .= $line; + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); } - $new_cp_inc .= $new_line; - } - if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { - copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); - } - if($found_rule > 0){ - file_put_contents($cp_file,$new_cp_inc, LOCK_EX); - } - //normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml index d64aabb9..a8bc0530 100644 --- a/config/squid3/33/squid.xml +++ b/config/squid3/33/squid.xml @@ -238,7 +238,16 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/squid3/33/squid_log_parser.php</item> </additional_files_needed> - + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/pkg_squid.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squid3/33/check_ip.php</item> + </additional_files_needed> <fields> <field> <name>Squid General Settings</name> diff --git a/config/squid3/33/squid_auth.xml b/config/squid3/33/squid_auth.xml index 111085a8..e71a7e8d 100755 --- a/config/squid3/33/squid_auth.xml +++ b/config/squid3/33/squid_auth.xml @@ -110,6 +110,7 @@ <option><name>Local</name><value>local</value></option> <option><name>LDAP</name><value>ldap</value></option> <option><name>RADIUS</name><value>radius</value></option> + <option><name>Captive Portal</name><value>cp</value></option> <option><name>NT domain</name><value>msnt</value></option> </options> <onchange>on_auth_method_changed()</onchange> @@ -140,16 +141,16 @@ <fieldname>auth_processes</fieldname> <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description> <type>input</type> - <size>60</size> + <size>5</size> <default_value>5</default_value> </field> <field> <fielddescr>Authentication TTL</fielddescr> <fieldname>auth_ttl</fieldname> - <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description> + <description>This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5.</description> <type>input</type> - <size>60</size> - <default_value>60</default_value> + <size>5</size> + <default_value>5</default_value> </field> <field> <fielddescr>Requiere authentication for unrestricted hosts</fielddescr> @@ -193,7 +194,7 @@ <fieldname>ldap_pass</fieldname> <description>Enter here the password to use to connect to the LDAP server.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> <field> <fielddescr>LDAP base domain</fielddescr> @@ -207,7 +208,7 @@ <fieldname>ldap_userattribute</fieldname> <description>Enter LDAP username DN attibute.</description> <type>input</type> - <size>60</size> + <size>20</size> <default_value>uid</default_value> </field> <field> @@ -215,7 +216,7 @@ <fieldname>ldap_filter</fieldname> <description>Enter LDAP search filter.</description> <type>input</type> - <size>60</size> + <size>40</size> <default_value>(&(objectClass=person)(uid=%s))</default_value> </field> <field> @@ -245,7 +246,7 @@ <fieldname>radius_secret</fieldname> <description>The RADIUS secret for RADIUS authentication.</description> <type>password</type> - <size>60</size> + <size>20</size> </field> </fields> <custom_php_validation_command> @@ -262,7 +263,7 @@ </custom_php_before_form_command> <custom_php_after_head_command> $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); - if($transparent_proxy) + if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; squid_print_javascript_auth(); </custom_php_after_head_command> diff --git a/config/squid3/33/squid_monitor.php b/config/squid3/33/squid_monitor.php index 3a7b1d01..272cc9c4 100755 --- a/config/squid3/33/squid_monitor.php +++ b/config/squid3/33/squid_monitor.php @@ -43,6 +43,7 @@ if(strstr($pfSversion, "1.2")) $one_two = true; $pgtitle = "Status: Proxy Monitor"; +$shortcut_section = "squid"; include("head.inc"); ?> diff --git a/config/squid3/33/squid_reverse.xml b/config/squid3/33/squid_reverse.xml index ce09f8e7..7c25c371 100755 --- a/config/squid3/33/squid_reverse.xml +++ b/config/squid3/33/squid_reverse.xml @@ -48,7 +48,7 @@ <name>squidreverse</name> <version>none</version> <title>Proxy server: Reverse Proxy</title> - <include_file>squid.inc</include_file> + <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> @@ -354,4 +354,4 @@ <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/squidGuard-devel/sgerror.php b/config/squidGuard-devel/sgerror.php new file mode 100644 index 00000000..e1e49385 --- /dev/null +++ b/config/squidGuard-devel/sgerror.php @@ -0,0 +1,292 @@ +<?php +include "globals.inc"; +include "config.inc"; +$page_info = <<<EOD +# ---------------------------------------------------------------------------------------------------------------------- +# SquidGuard error page generator +# (C)2006-2007 Serg Dvoriancev +# ---------------------------------------------------------------------------------------------------------------------- +# This programm processed redirection to specified URL or generated error page for standart HTTP error code. +# Redirection supported http and https protocols. +# ---------------------------------------------------------------------------------------------------------------------- +# Format: +# sgerror.php?url=[http://myurl]or[https://myurl]or[error_code[space_code]output-message][incoming SquidGuard variables] +# Incoming SquidGuard variables: +# a=client_address +# n=client_name +# i=client_user +# s=client_group +# t=target_group +# u=client_url +# Example: +# sgerror.php?url=http://myurl.com&a=..&n=..&i=..&s=..&t=..&u=.. +# sgerror.php?url=https://myurl.com&a=..&n=..&i=..&s=..&t=..&u=.. +# sgerror.php?url=404%20output-message&a=..&n=..&i=..&s=..&t=..&u=.. +# ---------------------------------------------------------------------------------------------------------------------- +# Tags: +# myurl and output messages can include Tags +# [a] - client address +# [n] - client name +# [i] - client user +# [s] - client group +# [t] - target group +# [u] - client url +# Example: +# sgerror.php?url=401 Unauthorized access to URL [u] for client [n] +# sgerror.php?url=http://my_error_page.php?cladr=%5Ba%5D&clname=%5Bn%5D // %5b=[ %d=] +# ---------------------------------------------------------------------------------------------------------------------- +# Special Tags: +# blank - get blank page +# blank_img - get one-pixel transparent image (for replace banners and etc.) +# Example: +# sgerror.php?url=blank +# sgerror.php?url=blank_img +# ---------------------------------------------------------------------------------------------------------------------- +EOD; + +define('ACTION_URL', 'url'); +define('ACTION_RES', 'res'); +define('ACTION_MSG', 'msg'); + +define('TAG_BLANK', 'blank'); +define('TAG_BLANK_IMG', 'blank_img'); + +# ---------------------------------------------------------------------------------------------------------------------- +# ?url=EMPTY_IMG +# Use this options for replace baners/ads to transparent picture. Thisbetter for viewing. +# ---------------------------------------------------------------------------------------------------------------------- +# NULL GIF file +# HEX: 47 49 46 38 39 61 - - - +# SYM: G I F 8 9 a 01 00 | 01 00 80 00 00 FF FF FF | 00 00 00 2C 00 00 00 00 | 01 00 01 00 00 02 02 44 | 01 00 3B +# ---------------------------------------------------------------------------------------------------------------------- +define(GIF_BODY, "GIF89a\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B"); + +$url = ''; +$msg = ''; +$cl = Array(); // squidGuard variables: %a %n %i %s %t %u +$err_code = array(); + +$err_code[301] = "301 Moved Permanently"; +$err_code[302] = "302 Found"; +$err_code[303] = "303 See Other"; +$err_code[305] = "305 Use Proxy"; + +$err_code[400] = "400 Bad Request"; +$err_code[401] = "401 Unauthorized"; +$err_code[402] = "402 Payment Required"; +$err_code[403] = "403 Forbidden"; +$err_code[404] = "404 Not Found"; +$err_code[405] = "405 Method Not Allowed"; +$err_code[406] = "406 Not Acceptable"; +$err_code[407] = "407 Proxy Authentication Required"; +$err_code[408] = "408 Request Time-out"; +$err_code[409] = "409 Conflict"; +$err_code[410] = "410 Gone"; +$err_code[411] = "411 Length Required"; +$err_code[412] = "412 Precondition Failed"; +$err_code[413] = "413 Request Entity Too Large"; +$err_code[414] = "414 Request-URI Too Large"; +$err_code[415] = "415 Unsupported Media Type"; +$err_code[416] = "416 Requested range not satisfiable"; +$err_code[417] = "417 Expectation Failed"; + +$err_code[500] = "500 Internal Server Error"; +$err_code[501] = "501 Not Implemented"; +$err_code[502] = "502 Bad Gateway"; +$err_code[503] = "503 Service Unavailable"; +$err_code[504] = "504 Gateway Time-out"; +$err_code[505] = "505 HTTP Version not supported"; + +# ---------------------------------------------------------------------------------------------------------------------- +# check arg's +# ---------------------------------------------------------------------------------------------------------------------- + +if (count($_POST)) { + $url = trim($_POST['url']); + $msg = $_POST['msg']; + $cl['a'] = $_POST['a']; + $cl['n'] = $_POST['n']; + $cl['i'] = $_POST['i']; + $cl['s'] = $_POST['s']; + $cl['t'] = $_POST['t']; + $cl['u'] = $_POST['u']; +} +elseif (count($_GET)) { + $url = trim($_GET['url']); + $msg = $_GET['msg']; + $cl['a'] = $_GET['a']; + $cl['n'] = $_GET['n']; + $cl['i'] = $_GET['i']; + $cl['s'] = $_GET['s']; + $cl['t'] = $_GET['t']; + $cl['u'] = $_GET['u']; +} +else { + # Show 'About page' + echo get_page(get_about()); + exit(); +} + +# ---------------------------------------------------------------------------------------------------------------------- +# url's +# ---------------------------------------------------------------------------------------------------------------------- +if ($url) { + $err_id = 0; + + // check error code + foreach ($err_code as $key => $val) { + if (strpos(strtolower($url), strval($key)) === 0) { + $err_id = $key; + break; + } + } + + # blank page + if ($url === TAG_BLANK) { + echo get_page(''); + } + # blank image + elseif ($url === TAG_BLANK_IMG) { + $msg = trim($msg); + if(strpos($msg, "maxlen_") !== false) { + $maxlen = intval(trim(str_replace("maxlen_", "", $url))); + filter_by_image_size($cl['u'], $maxlen); + exit(); + } + else { + # -------------------------------------------------------------- + # return blank image + # -------------------------------------------------------------- + header("Content-Type: image/gif;"); // charset=windows-1251"); + echo GIF_BODY; + } + } + # error code + elseif ($err_id !== 0) { + $er_msg = strstr($_GET['url'], ' '); + echo get_error_page($err_id, $er_msg); + } + # redirect url + elseif ((strpos(strtolower($url), "http://") === 0) or (strpos(strtolower($url), "https://") === 0)) { + # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + # redirect to specified url + # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + header("HTTP/1.0"); + header("Location: $url", '', 302); + } + // error arguments + else { + echo get_page("sgerror: error arguments $url"); + } +} +else { + echo get_page($_SERVER['QUERY_STRING']); //$url . implode(" ", $_GET)); +# echo get_error_page(500); +} + +# ~~~~~~~~~~ +# Exit +# ~~~~~~~~~~ +exit(); + +# ---------------------------------------------------------------------------------------------------------------------- +# functions +# ---------------------------------------------------------------------------------------------------------------------- +function get_page($body) { + $str = Array(); + $str[] = '<html>'; + $str[] = "<body>\n$body\n</body>"; + $str[] = '</html>'; + return implode("\n", $str); +} + +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +# IE displayed self-page, if them size > 1024 +# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +function get_error_page($er_code_id, $err_msg='') { + global $err_code; + global $cl; + global $g; + global $config; + $str = Array(); + + header("HTTP/1.1 " . $err_code[$er_code_id]); + + $str[] = '<html>'; + $str[] = '<body>'; + if ($config['installedpackages']['squidguarddefault']['config'][0]['deniedmessage']) { + $str[] = "<h3>{$config['installedpackages']['squidguarddefault']['config'][0]['deniedmessage']}: {$err_code[$er_code_id]}</h3>"; + } else { + $str[] = "<h3>Request denied by {$g['product_name']} proxy: {$err_code[$er_code_id]}</h3>"; + } + if ($err_msg) $str[] = "<b> Reason: </b> $err_msg"; + $str[] = '<hr size="1" noshade>'; + if ($cl['a']) $str[] = "<b> Client address: </b> {$cl['a']} <br>"; + if ($cl['n']) $str[] = "<b> Client name: </b> {$cl['n']} <br>"; + if ($cl['i']) $str[] = "<b> Client user: </b> {$cl['i']} <br>"; + if ($cl['s']) $str[] = "<b> Client group: </b> {$cl['s']} <br>"; + if ($cl['t']) $str[] = "<b> Target group: </b> {$cl['t']} <br>"; + if ($cl['u']) $str[] = "<b> URL: </b> {$cl['u']} <br>"; + $str[] = '<hr size="1" noshade>'; + $str[] = "</body>"; + $str[] = "</html>"; + + return implode("\n", $str); +} + +function get_about() { + global $err_code; + global $page_info; + $str = Array(); + + // about info + $s = str_replace("\n", "<br>", $page_info); + $str[] = $s; + $str[] = "<br>"; + + $str[] = '<table>'; + $str[] = ' <b>HTTP error codes (ERROR_CODE):</th></tr>'; + foreach($err_code as $val) { + $str []= "<tr><td>$val"; + } + $str[] = '</table>'; + + return implode("\n", $str); +} + +function filter_by_image_size($url, $val_size) { + + # load url header + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $url); + curl_setopt($ch, CURLOPT_HEADER, 1); + curl_setopt($ch, CURLOPT_NOBODY, 1); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + $hd = curl_exec($ch); + curl_close($ch); + + $size = 0; + $SKEY = "content-length:"; + $s_tmp = strtolower($hd); + $s_tmp = str_replace("\n", " ", $s_tmp); # replace all "\n" + if (strpos($s_tmp, $SKEY) !== false) { + $s_tmp = trim(substr($s_tmp, strpos($s_tmp, $SKEY) + strlen($SKEY))); + $s_tmp = trim(substr($s_tmp, 0, strpos($s_tmp, " "))); + if (is_numeric($s_tmp)) + $size = intval($s_tmp); + else $size = 0; + } + + # === check url type and content size === + # redirect to specified url + if (($size !== 0) && ($size < $val_size)) { + header("HTTP/1.0"); + header("Location: $url", '', 302); + } + # return blank image + else { + header("Content-Type: image/gif;"); + echo GIF_BODY; + } +} +?>
\ No newline at end of file diff --git a/config/squidGuard-devel/squidguard.inc b/config/squidGuard-devel/squidguard.inc new file mode 100644 index 00000000..d58dfb79 --- /dev/null +++ b/config/squidGuard-devel/squidguard.inc @@ -0,0 +1,1651 @@ +<?php +# ------------------------------------------------------------------------------ +/* squidguard.inc + + Copyright (C) 2006-2011 Serg Dvoriancev + Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> + Copyright (C) 2013 Marcello Coutinho + + part of pfSense (www.pfSense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +# ------------------------------------------------------------------------------ + +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('filter.inc'); +require_once('service-utils.inc'); +require_once('squidguard_configurator.inc'); + +# ------------------------------------------------------------------------------ +# fields +define('F_NAME', 'name'); +define('F_DEST', 'dest'); +define('F_SOURCE', 'source'); +define('F_DESTINATION', 'dest'); +define('F_REWRITE', 'rewrite'); +define('F_REDIRECT', 'redirect'); +define('F_TIME', 'time'); +define('F_OVERDESTINATION', 'overdestination'); +define('F_OVERREWRITE', 'overrewrite'); +define('F_OVERREDIRECT', 'overredirect'); +define('F_TARGETURL', 'targeturl'); +define('F_REPLACETO', 'replaceto'); +define('F_TIMETYPE', 'timetype'); +define('F_TIMEDAYS', 'timedays'); +define('F_DATERANGE', 'daterange'); +define('F_TIMERANGE', 'sg_timerange'); +define('F_IPLIST', 'iplist'); +define('F_DESCRIPTION', 'description'); +define('F_EXPRESSIONS', 'expressions'); +define('F_DOMAINS', 'domains'); +define('F_URLS', 'urls'); +define('F_DISABLED', 'disabled'); +define('F_SQUIDGUARDENABLE', 'squidguard_enable'); +define('F_BLACKLIST', 'blacklist'); + +# prefixes +define('PREF_UPTIME', 'uptime_'); +define('PREF_UPTIME_DENY', 'uptimedeny_'); +define('PREF_OVERTIME', 'overtime_'); +define('PREF_OVERTIME_DENY', 'overtimedeny_'); +# modules +define('MODULE_GENERAL', 'squidguardgeneral'); +define('MODULE_DEFAULT', 'squidguarddefault'); +define('MODULE_ACL', 'squidguardacl'); +define('MODULE_DESTINATION', 'squidguarddest'); +define('MODULE_REWRITE', 'squidguardrewrite'); +define('MODULE_SOURCE', 'squidguardsrc'); +define('MODULE_TIME', 'squidguardtime'); +define('MODULE_LOG', 'squidguardlog'); +# blacklist +define('BLACKLIST_DEFAULT_URL', 'http://squidguard.mesd.k12.or.us/blacklists.tgz'); # 5Mb +define('BLACKLIST_DEFAULT_URL1', 'http://www.shallalist.de/Downloads/shallalist.tar.gz'); # ~7Mb +define('BLACKLIST_TMP_FILE', '/var/tmp/blacklists.tar.gz'); +define('BLACKLIST_BTN_URL', 'Upload Url'); +define('BLACKLIST_BTN_DEFAULT', 'Restore default'); +define('BLACKLIST_LOGFILE', 'blacklist.log'); +# +define('APPLY_BTN', 'Apply'); +define('SAFESEARCH', 'safesearch'); + +# ============================================================================== +# Initialization +# ============================================================================== +# use global variable $squidguard_config, defined in squidguard_configurator.inc +sg_init(convert_pfxml_to_sgxml()); + +# ============================================================================== +# Validations +# ============================================================================== +function squidguard_validate($post, $input_errors) +{ + $submit = isset($_GET['submit']) ? $_GET['submit'] : $_POST['submit']; + + # check config if 'Apply' + if ($submit === APPLY_BTN) sg_check_config_data(&$input_errors); +} + +# ------------------------------------------------------------------------------ +# validate default +# ------------------------------------------------------------------------------ +function squidguard_validate_default($post, $input_errors) +{ + squidguard_validate_acl($post, &$input_errors); +} + +# ------------------------------------------------------------------------------ +# validate acl +# ------------------------------------------------------------------------------ +function squidguard_validate_acl($post, $input_errors) +{ + $pass_up = array(); + $deny_up = array(); + $pass_up_val = ''; + $pass_over = array(); + $deny_over = array(); + $pass_over_val = ''; + $id = get_item_id(); + + # check name ('source') + $name = trim($post[F_NAME]); + if(!empty($name)) { + # validate name format + check_name_format($name, &$input_errors); + + # check unique name + if (!sg_check_unique_name(F_ACLS, $name)) + $input_errors[] = "Name '$name' already exists."; + + # check reserved + if (!sg_check_reserved_name($name)) + $input_errors[] = "Name '$name' is reserved."; + + # check source + $sgx = array(); + $sgx[F_NAME] = $post[F_NAME]; + $sgx[F_SOURCE] = $post[F_SOURCE]; + sg_check_src($sgx, &$input_errors); + } + + # store destinations to 'dest' value + foreach ($post as $key => $val) { + if (substr_count($key, PREF_UPTIME) != 0) { + $name = str_replace(PREF_UPTIME, '', $key); + if ($name) { + switch($val) { + case "allow": $pass_up_val .= " $name"; break; + case "white": $pass_up_val .= " ^$name"; break; + case "deny" : $pass_up_val .= " !$name"; break; + } + } + } + elseif (substr_count($key, PREF_OVERTIME) != 0) { + $name = str_replace(PREF_OVERTIME, '', $key); + if ($name) { + switch($val) { + case "allow": $pass_over_val .= " $name"; break; + case "white": $pass_over_val .= " ^$name"; break; + case "deny" : $pass_over_val .= " !$name"; break; + } + } + } + } + + # !ATTENTION! on pfSense XML config must be must(shell) be '!all' instead of 'none' - it is a must for correct work GUI + + # if not exists key 'all', then add 'none' - default 'deny all' + if ((substr_count($pass_up_val, 'all') == 0)) { + $pass_up_val .= ' !all'; + } + + if (!empty($pass_over_val) && (substr_count($pass_over_val, 'all') == 0)) { + $pass_over_val .= ' !all'; + } + + if (empty($pass_over_val)) + $post[F_DEST] = "$pass_up_val"; + else $post[F_DEST] = "$pass_up_val [$pass_over_val]"; + + # check redirect + $errmsg = ''; + if (!sg_check_redirect($post[F_RMOD], $post[F_REDIRECT], &$errmsg)) { + $input_errors[] = "Redirect info error. $errmsg"; + } +} + +# ------------------------------------------------------------------------------ +# validate times +# Format: +# date: <date(or range)><time (or range)> -- days not parsed (reset to *) +# weekly: <day or *><time or range> -- dates not parsed (reset to '') +# ------------------------------------------------------------------------------ +function squidguard_validate_times($post, $input_errors) +{ + $id = get_item_id(); + + # check name + $name = trim($post[F_NAME]); + if(!empty($name)) { + check_name_format($name, &$input_errors); + + # check unique name + if (!sg_check_unique_name(F_TIMES, $name)) + $input_errors[] = "Name '$name' already exists"; + + # check reserved + if (!sg_check_reserved_name($name)) + $input_errors[] = "Name '$name' is reserved."; + } + + # --- check format --- + $sgx = array(); + $sgx[F_NAME] = $post[F_NAME]; + $sgx[F_DESCRIPTION] = $post[F_DESCRIPTION]; + # fields of $post have 'fnameX' format + for ($i=0; isset($post[F_TIMETYPE."$i"]); $i++) { + # correct and update + if (strtolower($post[F_TIMETYPE."$i"]) === "date") { + $post[F_TIMEDAYS."$i"] = '*'; + # date cant be empty + if (trim($post[F_DATERANGE."$i"]) == '') $post[F_DATERANGE."$i"] = "*.*.*"; + } + else $post[F_DATERANGE."$i"] = ''; + + if (trim($post[F_TIMERANGE."$i"]) == '') $post[F_TIMERANGE."$i"] = "00:00-23:59"; + + # $post->xml + $sgx_row = array(); + $sgx_row[F_TIMETYPE] = $post[F_TIMETYPE."$i"]; + $sgx_row[F_TIMEDAYS] = $post[F_TIMEDAYS."$i"]; + $sgx_row[F_DATERANGE] = $post[F_DATERANGE."$i"]; + $sgx_row[F_TIMERANGE] = $post[F_TIMERANGE."$i"]; + $sgx[F_ITEM][] = $sgx_row; + } + # + sg_check_time($sgx, &$input_errors); + +} + +# ------------------------------------------------------------------------------ +# validate destinations +# ------------------------------------------------------------------------------ +function squidguard_validate_destination($post, $input_errors) { + # check name + $name = trim($post[F_NAME]); + if(!empty($name)) { + check_name_format($name, &$input_errors); + + # check unique name + if (!sg_check_unique_name(F_DESTINATIONS, $name)) + $input_errors[] = "Name '$name' already exists"; + + # check reserved + if (!sg_check_reserved_name($name)) + $input_errors[] = "Name '$name' is reserved."; + } + + # --- check format --- + $sgx = array(); + $sgx[F_NAME] = $post[F_NAME]; + $sgx[F_URLS] = $post[F_URLS]; + $sgx[F_DOMAINS] = $post[F_DOMAINS]; + $sgx[F_EXPRESSIONS] = $post[F_EXPRESSIONS]; + $sgx[F_RMOD] = $post[F_RMOD]; + $sgx[F_REDIRECT] = $post[F_REDIRECT]; + # + sg_check_dest($sgx, &$input_errors); +} + +# ------------------------------------------------------------------------------ +# validate rewrites +# ------------------------------------------------------------------------------ +function squidguard_validate_rewrite($post, $input_errors) { + # check name + $name = trim($post[F_NAME]); + if(!empty($name)) { + # check name format <char><symbols without space> - Ab123 + check_name_format($name, &$input_errors); + + # check unique name + if (!sg_check_unique_name(F_REWRITES, $name)) + $input_errors[] = "Name '$name' already exists"; + + # check reserved + if (!sg_check_reserved_name($name)) + $input_errors[] = "Name '$name' is reserved."; + } +} + +# ----------------------------------------------------------------------------- +# squidguard_resync +# ----------------------------------------------------------------------------- +function squidguard_resync() { + $upload_file = ''; + $submit = isset($_REQUEST['submit']) ? $_REQUEST['submit'] : ''; + $url = isset($_REQUEST[F_BLACKLISTURL]) ? $_REQUEST[F_BLACKLISTURL] : ''; + $proxy = isset($_REQUEST['blacklist_proxy'])? $_REQUEST['blacklist_proxy'] : ''; + + sg_init(convert_pfxml_to_sgxml()); + + # blacklist upload + if ($submit == BLACKLIST_BTN_URL) { + if ($url) + sg_reconfigure_blacklist($url, $proxy); + } + + # blacklist restore last (if exists) +# if ($submit == BLACKLIST_BTN_DEFAULT) { +# restore_arc_blacklist(); +# } + + # apply changes + //if ($submit == APPLY_BTN) { +# write_config('Update squidGuard options.'); # store, if not 'Save' button + + + sg_reconfigure(); + //} + + squidguard_cron_install(); + + //Sync only with apply button to avoid multiples reloads on backup server while editing master config + if ($submit == APPLY_BTN) + squidguard_sync_on_changes(); +} + +# ----------------------------------------------------------------------------- +# squidguard_resync_acl +# ----------------------------------------------------------------------------- + +function squidguard_resync_acl() { + global $config; # !!! ORDER !!! + + $conf = $config['installedpackages'][MODULE_ACL]['config']; + $id = isset($_POST['id']) ? $_POST['id'] : $_GET['id']; + + # --- sources part --- + # move current id by order + if (($id !== '') and is_array($conf)) { + $src_new = array(); + + foreach ($conf as $key => $src) { + $order = $src[F_ORDER]; + # n_key: no_move=$key+$order or move=$order+$key + $n_key = is_numeric($order) ? sprintf("%04d%04d", $order, $key) : sprintf("%04d%04d", $key, 9999); + unset($src[F_ORDER]); # ! must be unset for display correct default position in 'select'! + $src_new[$n_key] = $src; + } + # sort by key + ksort($src_new); + reset($src_new); + + $src_new = array_values($src_new); # make keys '0, 1, 2, ...' + + # renew config + unset ($config['installedpackages'][MODULE_ACL]['config']); + $config['installedpackages'][MODULE_ACL]['config'] = $src_new; + write_config('Update squidguardacl config'); + + # renew global $squidguard_config + sg_init(convert_pfxml_to_sgxml()); + } +} + +# ----------------------------------------------------------------------------- +# squidguard_resync_dest +# ----------------------------------------------------------------------------- + +function squidguard_resync_dest() { + global $config; # !!! ORDER !!! + + $conf = $config['installedpackages'][MODULE_DESTINATION]['config']; + $id = isset($_POST['id']) ? $_POST['id'] : $_GET['id']; + + # --- sources part --- + # move current id by order + if (($id !== '') and is_array($conf)) { + $src_new = array(); + + foreach ($conf as $key => $src) { + $order = $src[F_ORDER]; + # n_key: no_move=$key+$order or move=$order+$key + $n_key = is_numeric($order) ? sprintf("%04d%04d", $order, $key) : sprintf("%04d%04d", $key, 9999); + unset($src[F_ORDER]); # ! must be unset for display correct default position in 'select'! + $src_new[$n_key] = $src; + } + # sort by key + ksort($src_new); + reset($src_new); + + $src_new = array_values($src_new); # make keys '0, 1, 2, ...' + + # renew config + unset ($config['installedpackages'][MODULE_DESTINATION]['config']); + $config['installedpackages'][MODULE_DESTINATION]['config'] = $src_new; + write_config('Update squidguarddest config'); + + # renew global $squidguard_config + sg_init(convert_pfxml_to_sgxml()); + } +} + +# ============================================================================= +# common functions +# ============================================================================= + +# ----------------------------------------------------------------------------- +# get_pkgconf/sgconf_items_list +# ----------------------------------------------------------------------------- +function get_pkgconf_items_list($pkg_gui_name, $fieldname) { + global $config; + $res = ''; + + $conf = $config['installedpackages'][$pkg_gui_name]['config']; + if (is_array($conf)) + foreach($conf as $cf) $res[] = $cf[$fieldname]; + + return $res; +} + +function get_sgconf_items_list($data_group, $fieldname) { + global $squidguard_config; + $res = ''; + + $conf = $squidguard_config[$data_group]['item']; + if (is_array($conf)) + foreach($conf as $cf) $res[] = $cf[$fieldname]; + + return $res; +} + +# ============================================================================== +# Before form +# ============================================================================== +# squidguard_before_form +# ------------------------------------------------------------------------------ +function squidguard_before_form($pkg) { + $i=0; + + foreach($pkg['fields']['field'] as $field) { + # blacklist controls + switch ($field['fieldname']) { +# case F_BLACKLISTURL: +# $fld = &$pkg['fields']['field'][$i]; +# $fld['description'] .= make_grid_blacklist(); # insert to description custom controls +# break; + # Apply button + case 'squidguard_enable': + $fld = &$pkg['fields']['field'][$i]; + $fld['description'] .= make_grid_general_items(); # insert to description custom controls + break; + } + $i++; + } +} + +# ----------------------------------------------------------------------------- +# squidguard_before_form_acl +# ----------------------------------------------------------------------------- +function squidguard_before_form_acl($pkg, $is_acl=true) { + global $g; + global $squidguard_config; + + $current_id = ''; + $sources = ''; + $source_items = ''; + $destinations = ''; + $dest_items = ''; + $rewrites = ''; + $rewr_names = ''; + $times = ''; + $time_names = ''; + $acls_up = ''; + $acls_over = ''; + + $current_id = isset($_POST['id']) ? $_POST['id'] : $_GET['id']; + $current_id = ($current_id) ? $current_id : 0; + + # sources + $source_items = get_sgconf_items_list(F_SOURCES, 'name'); + # generate sources list TODO: exclude used names from list, source name used in ACL unique + $i=0; + foreach($pkg['fields']['field'] as $field) { + if ($field['fieldname'] == 'source') { + $fld = &$pkg['fields']['field'][$i]; + if (is_array($source_items)) { + foreach($source_items as $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nm); + } + } + # order + if (is_array($source_items) && $field['fieldname'] == 'order') { + $fld = &$pkg['fields']['field'][$i]; + foreach($source_items as $nmkey => $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey); + $fld['options']['option'][] = array('name'=>'--- Last ---', 'value'=>'9999'); + $fld['options']['option'][] = array('name'=>'-----', 'value'=>''); # ! this is must be last ! + } + $i++; + } + + # destinations + # acls pass ---> prepare data for destinations; dest format 'uptime_dests_list [overtime_dests_list]' + $acl_dest = ''; + $acl_overdest = ''; + + # acl & default + if ($pkg['name'] !== MODULE_DEFAULT) { + $acl_dest = $squidguard_config[F_ACLS]['item'][$current_id][F_DESTINATIONNAME]; + $acl_overdest = $squidguard_config[F_ACLS]['item'][$current_id][F_OVERDESTINATIONNAME]; + } + else $acl_dest = $squidguard_config[F_DEFAULT][F_DESTINATIONNAME]; + + # acl dest ontime + if ($acl_dest) { + # 'none' > to '!all' + $acl_dest = str_replace('none', '!all', $acl_dest); + + $pss = explode(' ', $acl_dest); + foreach($pss as $val) { + $name = $val; + $name = str_replace('!', '', $name); + $name = str_replace('^', '', $name); + if (!empty($val)) { + switch($val[0]) { + case '!': $acls_up[$name] = 'deny'; break; + case '^': $acls_up[$name] = 'white'; break; + default : $acls_up[$name] = 'allow'; break; + } + } + } + } + + # acl dest overtime + if ($acl_overdest) { + # 'none' > to '!all' + $acl_overdest = str_replace('none', '!all', $acl_overdest); + + $pss = explode(' ', $acl_overdest); + foreach($pss as $val) { + $name = $val; + $name = str_replace('!', '', $name); + $name = str_replace('^', '', $name); + if (!empty($val)) { + switch($val[0]) { + case '!': $acls_over[$name] = 'deny'; break; + case '^': $acls_over[$name] = 'white'; break; + default : $acls_over[$name] = 'allow'; break; + } + } + } + } + + # --- Destinations --- + # User destinations + if ($squidguard_config[F_DESTINATIONS]) { + foreach($squidguard_config[F_DESTINATIONS]['item'] as $dst) { + $dest_items[] = array ('name'=>$dst[F_NAME], + 'upt_value'=>$acls_up[$dst[F_NAME]], + 'ovt_value'=>$acls_over[$dst[F_NAME]], + 'description'=>$dst[F_DESCRIPTION]); + } + } + + # Blacklist + if ($squidguard_config[F_BLACKLISTENABLED] === 'on') { + $blk_entries = sg_entries_blacklist(); + if (!empty($blk_entries)) { + foreach($blk_entries as $dst) { + $dest_items[] = array ('name'=>$dst, + 'upt_value'=>$acls_up[$dst], + 'ovt_value'=>$acls_over[$dst], + 'description'=>''); + } + } + } + + # Default all + $dest_items[] = array('name'=>FLT_DEFAULT_ALL, + 'upt_value'=>$acls_up[FLT_DEFAULT_ALL], + 'ovt_value'=>$acls_over[FLT_DEFAULT_ALL], + 'description'=>'Default access'); + + $i=0; + foreach($pkg['fields']['field'] as $field) { + if (($field['fieldname'] === 'dest')/* || ($field['fieldname'] == 'overdest')*/) { + $fld = &$pkg['fields']['field'][$i]; + $fld['description'] .= make_grid_controls('', $dest_items, $is_acl); # insert to description custom controls + } + $i++; + } + + # rewrites + $rewr_names = get_sgconf_items_list(F_REWRITES, 'name'); + $i=0; + foreach($pkg['fields']['field'] as $field) { + if (($field['fieldname'] == 'rewrite') || ($field['fieldname'] == 'overrewrite')) { + $fld = &$pkg['fields']['field'][$i]; + $fld['options']['option'][] = array('name'=>'none (rewrite not defined)', 'value'=>''); + if (is_array($rewr_names)) { + foreach($rewr_names as $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nm); + } + } + $i++; + } + + # - set times field - + $time_names = get_sgconf_items_list(F_TIMES, 'name'); + $i=0; + foreach($pkg['fields']['field'] as $field) { + if ($field['fieldname'] === 'time') { + $fld = &$pkg['fields']['field'][$i]; + $fld['options']['option'][] = array('name'=>'none (time not defined)', 'value'=>''); + if (is_array($time_names)) { + foreach($time_names as $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nm); + } + break; + } + $i++; + } +} + +# ----------------------------------------------------------------------------- +# squidguard_before_form_dest +# ----------------------------------------------------------------------------- +function squidguard_before_form_dest($pkg) { + global $g, $squidguard_config; + $destination_items = get_sgconf_items_list(F_DESTINATIONS, 'name'); +//var_dump($squidguard_config); + $i=0; + foreach($pkg['fields']['field'] as $field) { + # order + if ($field['fieldname'] == 'order') { + $fld = &$pkg['fields']['field'][$i]; + if (is_array($destination_items)) + foreach($destination_items as $nmkey => $nm) + $fld['options']['option'][] = array('name'=>$nm, 'value'=>$nmkey); + $fld['options']['option'][] = array('name'=>'--- Last ---', 'value'=>'9999'); + $fld['options']['option'][] = array('name'=>'-----', 'value'=>''); # ! this is must be last ! + } + $i++; + } +} + +# ----------------------------------------------------------------------------- +# make_grid_general_items +# ----------------------------------------------------------------------------- +function make_grid_general_items($id = '') +{ + global $squidguard_config; + + $bg_color = "bgcolor='#dddddd'"; + $res = ''; + $res .= "<table width='100%'>"; + + if ($id === '') { + # Apply + $res .= "<tr $bg_color><td><big>For saving configuration YOU need click button 'Save' on bottom of page</big></td></tr> + <tr><td><big>After changing configuration squidGuard you must <b><span style='color: #800000;'>apply all changes</span></b></big></td></tr> + <tr><td><input name='submit' type='submit' value='Apply'></td></tr>"; + + # service state + $sgstate = "<span style='color: #800000;'>STOPPED</span>"; + if (is_service_running("squidGuard")) + $sgstate = "<span style='color: #008000;'>STARTED</span>"; + + if (is_blacklist_update_started()) + $sgstate .= "<br><span style='color: #800000;'>Wait: began updating the blacklist. New data will be available after some time.<br>After the upgrade, it is necessary to check the configuration.</span>"; + $res .= "<tr $bg_color><td><big>SquidGuard service state: <b>$sgstate</b></big></td></tr>"; + } + + $res .= "</table>"; + return $res; +} + +# ----------------------------------------------------------------------------- +# make_grid_blacklist +# ----------------------------------------------------------------------------- +function make_grid_blacklist() { + $res = ''; + # button 'Upload URL' and button 'Restore last blacklist' + $res = "<hr><input name='submit' value='" . BLACKLIST_BTN_URL . "' type='submit'>"; + $res .= " <input name='submit' value='" . BLACKLIST_BTN_DEFAULT . "' type='submit'>"; + return $res; +} + +# ----------------------------------------------------------------------------- +# make_grid_controls +# ----------------------------------------------------------------------------- +function make_grid_controls($type, $items, $enable_overtime = true) { + global $g; + + $res = ''; + $tbl = ''; + $color = ''; + $color2 = ''; + $x = 0; + + foreach($items as $item) { + if ($x === 0) { + $color = ''; + $color2 = 'style="background-color: #dddddd;"'; + $x = 1; + } + else { + $color = 'style="background-color: #dddddd;"'; + $color2 = ''; + $x = 0; + } + + $name = trim($item['name']); + $upt_val = $item['upt_value']; + $ovt_val = $item['ovt_value']; + $description = $item['description']; + + if (!$name) continue; # skip empty + + $sel = "selected=\"selected\""; + $upt_A = $upt_B = $upt_C = $upt_D = ''; + switch($upt_val) { + case "allow": $upt_B = $sel; break; + case "white": $upt_C = $sel; break; + case "deny" : $upt_D = $sel; break; + default: $upt_A = $sel; break; + } + + $ovt_A = $ovt_B = $ovt_C= $ovt_D = ''; + switch($ovt_val) { + case "allow": $ovt_B = $sel; break; + case "white": $ovt_C = $sel; break; + case "deny" : $ovt_D = $sel; break; + default: $ovt_A = $sel; break; + } + unset($sel); + + $tbl .= "<tr>"; + # uptime table + $tnm = PREF_UPTIME . $name; + $tbl .= "<td $color></td>"; + $tbl .= "<td $color>$description [$name]</td>"; + $tbl .= "<td $color>access</td>"; + $tbl .= "<td $color><select id=$tnm name=\"$tnm\">"; + if ($name !== "all"/*substr_count($name, "all") === 0*/) { + $tbl .= "<option value=none name=\"----\" $upt_A>----</option>"; + $tbl .= "<option value=white name=\"white\" $upt_C>whitelist</option>"; + $tbl .= "<option value=deny name=\"deny\" $upt_D>deny </option>"; + $tbl .= "<option value=allow name=\"allow\" $upt_B>allow</option>"; + } + else { + $tbl .= "<option value=allow name=\"allow\" $upt_B>allow</option>"; + $tbl .= "<option value=deny name=\"deny\" $upt_D>deny </option>"; + } + $tbl .= "</td>"; + + # overtime table + if ($enable_overtime) { + $tnm = PREF_OVERTIME . $name; + $tbl .= "<td $color></td>"; + $tbl .= "<td $color>$description [$name]</td>"; + $tbl .= "<td $color>access</td>"; + $tbl .= "<td $color><select id=$tnm name=\"$tnm\">"; + if ($name !== "all"/*substr_count($name, "all") === 0*/) { + $tbl .= "<option value=none name=\"----\" $ovt_A>----</option>"; + $tbl .= "<option value=white name=\"white\" $ovt_C>whitelist</option>"; + $tbl .= "<option value=deny name=\"deny\" $ovt_D>deny </option>"; + $tbl .= "<option value=allow name=\"allow\" $ovt_B>allow</option>"; + } + else { + $tbl .= "<option value=allow name=\"allow\" $ovt_B>allow</option>"; + $tbl .= "<option value=deny name=\"deny\" $ovt_D>deny </option>"; + } + $tbl .= "</td>"; + } + $tbl .= "</tr>"; + } + + # header + if (!empty($tbl)) { + $color = 'style="background-color: #dddddd;"'; + $thdr = ''; + $hdr1up = "<big>Target Categories</big>"; + $hdr1ov = "<big>Target Categories for off-time</big>"; + $hds3 = "ACCESS: 'whitelist' - always pass; 'deny' - block; 'allow' - pass, if not blocked."; + if ($enable_overtime) { + $thdr .= "<tr><td colspan='8' align=left>$hds3</td></tr>"; + $thdr .= "<tr $color><th colspan='4' align=middle>$hdr1up</th><th colspan='4' align=middle>$hdr1ov</th></tr>"; + $thdr .= "<tr $color><td colspan='4' align=middle></td><td colspan='4' align=middle>If <b>'Time'</b> not defined, this is column will be ignored.</td></tr>"; + # formatting + $thdr .= "<tr><td/><td width='35%'/><td/><td/><td/><td width='35%'/><td/><td/></tr>"; + } + else { + $thdr .= "<tr><td colspan='4' align=left>$hds3<hr></tr>"; + $thdr .= "<tr $color><th colspan='4' align=middle>$hdr1up</th></tr>"; + # formatting + $thdr .= "<tr><td width='5%'/><td/><td width='5%'/><td width='10%'/></tr>"; + } + + $res .= "<table cellspacing='0' width='100%'> $thdr $tbl </table>"; + + $rstyle = ""; + $ha = "<div class='listtopic'>" . + "<span onClick='document.getElementById(\"destrules\").style.display = \"block\";' style=\"cursor: pointer;\">" . + "<font size='-12'><big>Target Rules List (click here)</big> " . + "<img src='/themes/{$g['theme']}/images/icons/icon_pass.gif' title='Show rules'> " . + "</span>" . + "<span style=\"cursor: pointer;\">" . + "<img src='/themes/{$g['theme']}/images/icons/icon_block.gif' title='Hide rules' onClick='document.getElementById(\"destrules\").style.display = \"none\";'>" . + "</span>" . + "</div>"; + $res = "<hr>$ha<div id=\"destrules\" style='DISPLAY: none'>$res</div>"; + + } + return $res; +} + +# ----------------------------------------------------------------------------- +# check unique name +# ----------------------------------------------------------------------------- +function sg_check_unique_name($module_id, $name, $log='') { + $res = true; + $id = (isset($_GET['id'])) ? $_GET['id'] : $_POST['id']; + + $name_list = get_sgconf_items_list($module_id, 'name'); + $name_val = (is_array($name_list)) ? array_count_values($name_list) : array(); + $count_names = $name_val[$name]; + + # if count names = 1, then check if add new record with this name(not valid) / or this is a self record(valid) + # else if count names > 1 - not valid + if ($count_names === 1) { + $nm_key = array_search($name, $name_list); + # if this new record + if ($id >= count($name_list)) { $res = false; } + # if not self record + elseif ($nm_key && (intval($id) !== intval($nm_key))) { $res = false; } + } + elseif($count_names > 1) $res = false; # bad - not unique + + return $res; +} + +# ----------------------------------------------------------------------------- +# check unique name +# ----------------------------------------------------------------------------- +function sg_check_reserved_name($name, $log='') +{ + $res = true; + $reserved = array("acl", "all", "allow", "dbhome", "default", "dest", "in-addr", "log", "logdir", "none", "pass", "rew", "src", "url", "user"); + + if (in_array(strtolower(trim($name)), $reserved)) { + $res = false; + } + + return $res; +} +# ------------------------------------------------------------------------------ +# Install & deinstall +# ------------------------------------------------------------------------------ + +function squidguard_install_command() { + if (!is_service_running("squidGuard")) { + sg_init(convert_pfxml_to_sgxml()); + sg_check_system(); + + # generate squidGuard blacklist entries file (check with squidGuard PORT) +# conf_mount_rw(); + $blklist_file = SQUIDGUARD_BLK_FILELISTPATH; + + + if (!file_exists($blklist_file)) { + # if blacklist not exists, then copy default db from samples +# $entries = array("ads", "aggressive", "audio-video", "drugs", "gambling", "hacking", "mail", "porn", "proxy", "violence", "warez"); +# file_put_contents($blklist_file, implode("\n", $entries)); + } + set_file_access(SQUIDGUARD_WORKDIR, OWNER_NAME, 0755); + set_file_access(SQUIDGUARD_DBHOME, OWNER_NAME, 0755); +# conf_mount_ro(); + + sg_reconfigure(); + } +} + +function squidguard_deinstall_command() { + # remove entries from squid config + squid_reconfigure('remove redirector options'); + + # Note: When you reinstall should remain Database + + # remove package and his depends + #mwexec("pkg_delete squidGuard-1.2.0_1"); + #mwexec("rm -rf " . SQUIDGUARD_WORKDIR); + # i known't, really need delete blacklist base? + #mwexec("rm -rf " . SQUIDGUARD_DBHOME); + #mwexec("/bin/rm -f " . SQUIDGUARD_CONFBASE . "/squidGuard*"); +} + +# ------------------------------------------------------------------------------ +# SquidGuard print JavaSrcript +# ------------------------------------------------------------------------------ +function squidGuard_print_javascript() { + $javascript = ''; + + $xml = ($_GET["xml"] !== '') ? $_GET["xml"] : $_POST["xml"]; + + # squidguard_default.xml + if ($xml === "squidguard_default.xml") { + $javascript .= "\n<script language='JavaScript'>"; + $javascript .= "\n<!--"; + $javascript .= "\n document.iform.dest.disabled=1;"; + $javascript .= "\n//-->"; + $javascript .= "\n</script>"; + } # if + + # squidguard_acl.xml + if ($xml === "squidguard_acl.xml") { + $javascript .= "\n<script language='JavaScript'>"; + $javascript .= "\n<!--"; + $javascript .= "\n document.iform.dest.disabled=1;"; + $javascript .= "\n//-->"; + $javascript .= "\n</script>"; + + } # if + + if ($xml === "squidguard_time.xml") { + $javascript .= "\n<script language='JavaScript'>"; + $javascript .= "\n<!--"; + $javascript .= "\n function on_updatecontrols() {"; + $javascript .= "\n for (var i=0; i<99; i++) {"; + $javascript .= "\n var elm = document.iform.elements['timetype' + i];"; + $javascript .= "\n if (elm) {"; + $javascript .= "\n document.iform.elements['timetype' + i].onclick = on_updatecontrols;"; + $javascript .= "\n if (document.iform.elements['timetype' + i].value == 'weekly') {"; + $javascript .= "\n document.iform.elements['timedays' + i].disabled = 0;"; + $javascript .= "\n document.iform.elements['daterange' + i].disabled = 1;"; + $javascript .= "\n }"; + $javascript .= "\n else {"; + $javascript .= "\n document.iform.elements['timedays' + i].disabled = 1;"; + $javascript .= "\n document.iform.elements['daterange' + i].disabled = 0;"; + $javascript .= "\n }"; + $javascript .= "\n }"; + $javascript .= "\n }"; + $javascript .= "\n }"; + $javascript .= "\n on_updatecontrols();"; + $javascript .= "\n "; + $javascript .= "\n//-->"; + $javascript .= "\n</script>"; + } + + print($javascript); +} + +# ============================================================================== +# Converter +# ============================================================================== +# convert_pfxml_to_sgxml +# ----------------------------------------------------------------- +function convert_pfxml_to_sgxml() { + + capability_update_source(); + + global $config; + conf_mount_rw(); + $sgxml = array(); + $pfxml = $config['installedpackages'][MODULE_GENERAL]['config'][0]; + + $sgxml[F_LOGDIR] = SQUIDGUARD_LOGDIR; + $sgxml[F_DBHOME] = SQUIDGUARD_DBHOME; + $sgxml[F_LDAPENABLE] = $pfxml['ldap_enable']; + $sgxml[F_LDAPBINDDN] = $pfxml['ldapbinddn']; + $sgxml[F_LDAPBINDPASS] = $pfxml['ldapbindpass']; + $sgxml[F_LDAPVERSION] = $pfxml['ldapversion']; + $sgxml[F_STRIPNTDOMAIN] = $pfxml['stripntdomain']; + $sgxml[F_STRIPREALM] = $pfxml['striprealm']; + $sgxml[F_BINPATH] = SQUIDGUARD_BINPATH; + $sgxml[F_WORKDIR] = SQUIDGUARD_WORKDIR; + $sgxml[F_SGCONF_XML] = SQUIDGUARD_WORKDIR . SQUIDGUARD_CONFXML; + $sgxml[F_ENABLED] = $pfxml[F_SQUIDGUARDENABLE]; + $sgxml[F_BLACKLISTENABLED] = $pfxml[F_BLACKLIST]; + $sgxml[F_BLACKLISTURL] = $pfxml[F_BLACKLISTURL]; + $sgxml[F_SOURCES] = convert_pfxml_to_sgxml_source($config); + $sgxml[F_DESTINATIONS] = convert_pfxml_to_sgxml_destination($config); + $sgxml[F_REWRITES] = convert_pfxml_to_sgxml_rewrite($config); + $sgxml[F_TIMES] = convert_pfxml_to_sgxml_time($config); + $sgxml[F_ACLS] = convert_pfxml_to_sgxml_acl($config); + $sgxml[F_DEFAULT] = convert_pfxml_to_sgxml_default($config); + + # log + $sgxml[F_ENABLELOG] = $pfxml['enable_log'] == 'on' ? 'on' : 'off'; + $sgxml[F_ENABLEGUILOG] = $pfxml['enable_guilog'] == 'on' ? 'on' : 'off'; + $sgxml[F_LOGROTATION] = $pfxml['log_rotation'] == 'on' ? 'on' : 'off'; + + #Clean adversiting + $sgxml[F_ADV_BLANKIMG] = $pfxml['adv_blankimg'] == 'on' ? 'on' : 'off'; + + + # other + $lanip = $config['interfaces']['lan']['ipaddr']; + $sgxml[F_CURRENT_LAN_IP] = $lanip; + + # transparent + $squidxml = $config['installedpackages']['squid']['config'][0]; + if($squidxml['transparent_proxy'] == 'on') { + $guiport = $config['system']['webgui']['port']; + $guiprotocol = $config['system']['webgui']['protocol']; + + $sgxml[F_SQUID_TRANSPARENT_MODE] = 'on'; + $sgxml[F_CURRENT_GUI_PORT] = $guiport; + $sgxml[F_CURRENT_GUI_PROTO] = $guiprotocol; + } else { + unset($sgxml[F_SQUID_TRANSPARENT_MODE]); + unset($sgxml[F_CURRENT_GUI_PORT]); + unset($sgxml[F_CURRENT_GUI_PROTO]); + } + + # store cfg cache + $cfg_xml = dump_xml_config($sgxml, F_SQUIDGUARD); + file_put_contents($sgxml[F_SGCONF_XML], $cfg_xml); + conf_mount_ro(); + + return $sgxml; +} + +# ----------------------------------------------------------------- +# convert_pfxml_to_sgxml_source +# sgxml_source: [name][ip][desc][log] +# ----------------------------------------------------------------- +# Changes 04-01-2008 : +# Source fields moved to ACL page. Source page - will remove +# But in XML internal config nothing to change +# ----------------------------------------------------------------- +# Changes 21-07-2008 : +# Source IP and domain move to one field, added 'username'. +function convert_pfxml_to_sgxml_source($pfconfig) { + $sgxml = array(); + $pfxml = $pfconfig['installedpackages'][MODULE_ACL]['config']; + if (is_array($pfxml)) { + foreach($pfxml as $pfx) { + $sgx = array(); + $sgx[F_NAME] = $pfx['name']; + $sgx[F_SOURCE] = $pfx[F_SOURCE]; + $sgx[F_LOG] = $pfx[F_ENABLELOG]; + $sgx[F_DESCRIPTION] = $pfx['description']; + $sgxml[F_ITEM][] = $sgx; + } + } + return $sgxml; +} + +# ----------------------------------------------------------------- +# convert_pfxml_to_sgxml_destination +# sgxml_destination: [name][domains][expr][urls][redir][desc][log] +# ----------------------------------------------------------------- +function convert_pfxml_to_sgxml_destination($pfconfig) { + $sgxml = array(); + $pfxml = $pfconfig['installedpackages'][MODULE_DESTINATION]['config']; + if (is_array($pfxml)) { + foreach($pfxml as $pfx) { + $sgx = array(); + $sgx[F_NAME] = $pfx['name']; + $sgx[F_URLS] = $pfx['urls']; + $sgx[F_DOMAINS] = $pfx[F_DOMAINS]; + $sgx[F_EXPRESSIONS] = $pfx['expressions']; + $sgx[F_RMOD] = isset($pfx[F_RMOD]) ? $pfx[F_RMOD] : RMOD_NONE; + $sgx[F_REDIRECT] = $pfx[F_REDIRECT]; + $sgx[F_DESCRIPTION] = $pfx['description']; + $sgx[F_LOG] = $pfx[F_ENABLELOG]; + $sgxml[F_ITEM][] = $sgx; + } + } + return $sgxml; +} + +# ----------------------------------------------------------------- +# convert_pfxml_to_sgxml_rewrite +# sgxml_rewrite: [name][desc][log][items(array): [targeturl][replaceto]] +# ----------------------------------------------------------------- +function convert_pfxml_to_sgxml_rewrite($pfconfig) { + $sgxml = array(); + + $pfxml = $pfconfig['installedpackages'][MODULE_REWRITE]['config']; + if (is_array($pfxml)) { + foreach($pfxml as $pfx) { + $sgx = array(); + $sgx[F_NAME] = $pfx['name']; + $sgx[F_DESCRIPTION] = $pfx['description']; + $sgx[F_LOG] = $pfx[F_ENABLELOG]; + + if (is_array($pfx['row'])) { + foreach($pfx['row'] as $pfx_row) { + $sgx_row = array(); + $sgx_row[F_TARGETURL] = $pfx_row['targeturl']; + $sgx_row[F_REPLACETO] = $pfx_row['replaceto']; + + $mode = ''; + if (strpos($pfx_row[F_MODE], 'nocase') !== false) $mode .= 'i'; + if (strpos($pfx_row[F_MODE], 'redirect') !== false) $mode .= 'r'; + $sgx_row[F_MODE] = $mode; # ! sys options only - not for GUI ! + + $sgx[F_ITEM][] = $sgx_row; + } + } + + $sgxml[F_ITEM][] = $sgx; + } + } + + # additional: google safeserach + $sgxml[F_ITEM][] = squidguard_adt_rewrite_safesrch(); + + return $sgxml; +} + +# ----------------------------------------------------------------- +# convert_pfxml_to_sgxml_time +# sgxml_time: [name][desc][items(array): [timetype][timedays][daterange][timerange]] +# ----------------------------------------------------------------- +function convert_pfxml_to_sgxml_time($pfconfig) { + $sgxml = array(); + + $pfxml = $pfconfig['installedpackages'][MODULE_TIME]['config']; + if (is_array($pfxml)) { + foreach($pfxml as $pfx) { + $sgx = array(); + $sgx[F_NAME] = $pfx[F_NAME]; + $sgx[F_DESCRIPTION] = $pfx[F_DESCRIPTION]; + + if (is_array($pfx['row'])) { + foreach($pfx['row'] as $pfx_row) { + $sgx_row = array(); + $sgx_row[F_TIMETYPE] = $pfx_row[F_TIMETYPE]; + $sgx_row[F_TIMEDAYS] = $pfx_row[F_TIMEDAYS]; + $sgx_row[F_DATERANGE] = $pfx_row[F_DATERANGE]; + $sgx_row[F_TIMERANGE] = $pfx_row[F_TIMERANGE]; + $sgx[F_ITEM][] = $sgx_row; + } + } + + $sgxml[F_ITEM][] = $sgx; + } + } + + return $sgxml; +} + +# ----------------------------------------------------------------- +# convert_pfxml_to_sgxml_acl +# sgxml_acl: [name][desc][disabled][timename][destname][redirect][rewritename][over_redirect][over_rewritename] +# ----------------------------------------------------------------- +function convert_pfxml_to_sgxml_acl($pfconfig) { + $sgxml = array(); + + $pfxml = $pfconfig['installedpackages'][MODULE_ACL]['config']; + if (is_array($pfxml)) { + foreach($pfxml as $pfx) { + $sgx = array(); + $sgx[F_NAME] = $pfx[F_NAME]; # [04-01-2008] new ver + $sgx[F_DESCRIPTION] = $pfx[F_DESCRIPTION]; + $sgx[F_DISABLED] = $pfx[F_DISABLED]; + $sgx[F_TIMENAME] = $pfx[F_TIME]; + $sgx[F_REDIRECT] = $pfx[F_REDIRECT]; + $sgx[F_RMOD] = isset($pfx[F_RMOD]) ? $pfx[F_RMOD] : RMOD_NONE; + $sgx[F_REWRITENAME] = $pfx[F_REWRITE]; + $sgx[F_LOG] = $pfx[F_ENABLELOG]; + $sgx[F_NOTALLOWINGIP] = $pfx[F_NOTALLOWINGIP]; + $sgx[F_ORDER] = $pfx[F_ORDER]; + + # for overtime + $sgx[F_OVERREDIRECT] = $pfx[F_REDIRECT]; # disabled ->- $pfx[F_OVERREDIRECT]; + $sgx[F_OVERREWRITENAME] = $pfx[F_OVERREWRITE]; + + # destinations + if (strpos($pfx['dest'], '[') === false) { + $sgx[F_DESTINATIONNAME] = trim($pfx['dest']); + $sgx[F_OVERDESTINATIONNAME] = ''; + } + else { + $sgx[F_DESTINATIONNAME] = trim( substr($pfx['dest'], 0, strpos($pfx['dest'], '[')) ); + $sgx[F_OVERDESTINATIONNAME] = trim( strstr($pfx['dest'], '[') ); + $sgx[F_OVERDESTINATIONNAME] = trim( str_replace(']', '', $sgx[F_OVERDESTINATIONNAME]) ); + $sgx[F_OVERDESTINATIONNAME] = trim( str_replace('[', '', $sgx[F_OVERDESTINATIONNAME]) ); + } + + # !ATTENTION! '!all' must be convert to 'none' + $sgx[F_DESTINATIONNAME] = str_replace("!all", "none", $sgx[F_DESTINATIONNAME]); + $sgx[F_OVERDESTINATIONNAME] = str_replace("!all", "none", $sgx[F_OVERDESTINATIONNAME]); + + # if empty - adding 'none' + if (!$sgx[F_DESTINATIONNAME]) $sgx[F_DESTINATIONNAME] = "none"; + if (!$sgx[F_OVERDESTINATIONNAME]) $sgx[F_OVERDESTINATIONNAME] = "none"; + + # safesearch + if ($pfx[SAFESEARCH] === 'on') { + # assign safesearch rewrite + $sgx[F_REWRITENAME] = SAFESEARCH; + $sgx[F_OVERREWRITENAME] = SAFESEARCH; + } + + $sgxml[F_ITEM][] = $sgx; + } + } + return $sgxml; +} + +# ----------------------------------------------------------------- +# convert_pfxml_to_sgxml_default +# sgxml_acl: [name][desc][disabled][timename][destname][redirect][rewritename][over_redirect][over_rewritename] +# ----------------------------------------------------------------- +function convert_pfxml_to_sgxml_default($pfconfig) { + $pfxml = $pfconfig['installedpackages'][MODULE_DEFAULT]['config']; + + $pfx = $pfxml[0]; + $sgx = array(); + $sgx[F_NAME] = 'default'; + $sgx[F_DESCRIPTION] = ''; + $sgx[F_DISABLED] = ''; + $sgx[F_TIMENAME] = $pfx[F_TIME]; + $sgx[F_RMOD] = isset($pfx[F_RMOD]) ? $pfx[F_RMOD] : RMOD_INT_ERRORPAGE; + $sgx[F_REDIRECT] = $pfx[F_REDIRECT]; + $sgx[F_REWRITENAME] = $pfx[F_REWRITE]; + $sgx[F_LOG] = $pfx[F_ENABLELOG]; + $sgx[F_NOTALLOWINGIP] = $pfx[F_NOTALLOWINGIP]; + + # destinations + if (strpos($pfx['dest'], '[') === false) + $sgx[F_DESTINATIONNAME] = trim($pfx['dest']); + else $sgx[F_DESTINATIONNAME] = trim( substr($pfx['dest'], 0, strpos($pfx['dest'], '[')) ); + + # !ATTENTION! '!all' must be convert to 'none' + $sgx[F_DESTINATIONNAME] = str_replace("!all", "none", $sgx[F_DESTINATIONNAME]); + + # if empty - adding 'none' + if (!$sgx[F_DESTINATIONNAME]) $sgx[F_DESTINATIONNAME] = "none"; + + # safesearch + if ($pfx[SAFESEARCH] === 'on') { + # assign safesearch rewrite + $sgx[F_REWRITENAME] = SAFESEARCH; + } + + return $sgx; +} + +# ================================================================= +# Capability +# ================================================================= +# convert old ver. squidguard config. +function capability_update_source() { + # ! use global var $config ONLY ! + global $config; + $conf_changed = false; + + if (isset($config['installedpackages'][MODULE_ACL]['config'])) { + $tconf = &$config['installedpackages'][MODULE_ACL]['config']; + foreach($tconf as $key => $cfg) { + if (isset($cfg['iplist'])) { + $tconf[$key][F_SOURCE] .= " " . $cfg['iplist']; + unset($tconf[$key]['iplist']); + $conf_changed = true; + } + if (isset($cfg[F_DOMAINS])) { + $tconf[$key][F_SOURCE] .= " " . $cfg[F_DOMAINS]; + unset($tconf[$key][F_DOMAINS]); + $conf_changed = true; + } + } + + if ($conf_changed) write_config('Convert old ver. squidguard config.'); + } +} +# ------------------------------------------------------------------ +# get_item_id - get item 'id' from get/post +# ------------------------------------------------------------------ +function get_item_id() +{ + return isset($_GET['id']) ? $_GET['id'] : $_POST['id']; +} + +# ================================================================== +# additional +# ================================================================== +# safesearch rewrite +function squidguard_adt_rewrite_safesrch() +{ + $res = array(); + + # safesearch + $res[F_NAME] = SAFESEARCH; + $res[F_DESCRIPTION] = "Google, Yandex safesearch"; + $res[F_LOG] = 'on'; + squidguard_adt_safesrch_add(&$res[F_ITEM]); + + return $res; +} + +function squidguard_adt_safesrch_add($rewrite_item) +{ + if (!is_array($rewrite_item)) $rewrite_item = array(); + + # Google + $rewrite_item[] = array(F_TARGETURL => '(google\..*/search?.*q=.*)', F_REPLACETO => '\1\&safe=active', F_MODE => 'i'); + $rewrite_item[] = array(F_TARGETURL => '(google\..*/images.*q=.*)', F_REPLACETO => '\1\&safe=active', F_MODE => 'i'); + $rewrite_item[] = array(F_TARGETURL => '(google\..*/groups.*q=.*)', F_REPLACETO => '\1\&safe=active', F_MODE => 'i'); + $rewrite_item[] = array(F_TARGETURL => '(google\..*/news.*q=.*)', F_REPLACETO => '\1\&safe=active', F_MODE => 'i'); + + # Yandex + $rewrite_item[] = array(F_TARGETURL => '(yandex\..*/yandsearch?.*text=.*)', F_REPLACETO => '\1\&fyandex=1', F_MODE => 'i'); + + # Yahoo + $rewrite_item[] = array(F_TARGETURL => '(search\.yahoo\..*/search.*p=.*)', F_REPLACETO => '\1\&vm=r&v=1', F_MODE => 'i'); + + # MSN Live search, Bing + $rewrite_item[] = array(F_TARGETURL => '(search\.live\..*/.*q=.*)', F_REPLACETO => '\1\&adlt=strict', F_MODE => 'i'); + $rewrite_item[] = array(F_TARGETURL => '(search\.msn\..*/.*q=.*)', F_REPLACETO => '\1\&adlt=strict', F_MODE => 'i'); + $rewrite_item[] = array(F_TARGETURL => '(\.bing\..*/.*q=.*)', F_REPLACETO => '\1\&adlt=strict', F_MODE => 'i'); + + return $rewrite_item; +} + +# log dump +function squidguard_logdump($filename, $lnoffset, $lncount, $reverse) +{ + define('LOGSHOW_BUFSIZE', '262144'); + $cnt = ''; + + if (file_exists($filename)) { + $fh = fopen($filename, "r"); + if ($fh) { + $fsize = filesize($filename); + + # take LOGSHOW_BUFSIZE bytes from end + if ($fsize > LOGSHOW_BUFSIZE) + fseek($fh, -LOGSHOW_BUFSIZE, SEEK_END); + $cnt = fread($fh, LOGSHOW_BUFSIZE); + + fclose($fh); + } + } + + $cnt = explode( "\n", $cnt ); + + # delete broken first element + array_shift($cnt); + + # offset must be >= 0 and can't be > count($cnt) + $lnoffset = $lnoffset >= 0 ? $lnoffset : 0; + $lnoffset = ($lnoffset + $lncount) < count($cnt) ? $lnoffset : 0; + + $pos = ($lncount + $lnoffset); + + # take elements from end of array + $cnt = array_slice($cnt, -$pos, $lncount); + + # reverse array order + if ($reverse) $cnt = array_reverse( $cnt ); + + return $cnt; +} + +# dump SG log +function squidguard_filterdump($lnoffset, $lncount, $reverse) +{ + $res = array(); + $cont = squidguard_logdump(SQUIDGUARD_LOGDIR . '/squidGuard.log', &$lnoffset, $lncount, $reverse); + + foreach($cont as $cn) { + $cn = explode(" ", trim($cn), 4); + $res[] = array( "{$cn[0]} {$cn[1]}", $cn[3] ); + } + + return $res; +} + +# dump SG Gui log +function squidguard_guidump($lnoffset, $lncount, $reverse) +{ + $res = array(); + $cont = squidguard_logdump(SQUIDGUARD_LOGDIR . SQUIDGUARD_CONFLOGFILE, &$lnoffset, $lncount, $reverse); + + foreach($cont as $cn) { + $cn = explode(" ", trim($cn), 4); + $res[] = array( "{$cn[0]} {$cn[1]}", $cn[3] ); + } + + return $res; +} + +# dump SG blocked +function squidguard_blockdump($lnoffset, $lncount, $reverse) +{ + $res = array(); + $cont = squidguard_logdump(SQUIDGUARD_LOGDIR . '/' . SQUIDGUARD_LOGFILE, &$lnoffset, $lncount, $reverse); + + foreach($cont as $cn) { + $cn = explode(" ", trim($cn), 9); + $res[] = array( "{$cn[0]} {$cn[1]}", $cn[5], $cn[4], "{$cn[3]} {$cn[6]} {$cn[7]} {$cn[8]}"); + } + + return $res; +} + +# get squid config list +function squidguard_squid_conflist( ) +{ + $fname = SQUID_CONFIGFILE; + $res = ""; + + if (file_exists( $fname )) + $res = file_get_contents( $fname ); + else $res = "File '$fname' not found."; + + return $res; +} + +# get squidguard config list +function squidguard_conflist( ) +{ + $fname = SQUIDGUARD_CONFBASE . SQUIDGUARD_CONFIGFILE; + $res = ""; + + if (file_exists( $fname )) + $res = file_get_contents( $fname ); + else $res = "File '$fname' not found."; + + return $res; +} + +# get blacklist list +function squidguard_blacklist_list() +{ + $res = ""; + $fname = SQUIDGUARD_BLK_FILELISTPATH; + + $res .= "<table class='tabcont' width='100%' border='0' cellpadding='0' cellspacing='0'>\n"; + $res .= "<tr><td class='listtopic'>Name</td><td class='listtopic'>Domains</td><td class='listtopic'>Urls</td><td class='listtopic'>Expressions</td></tr>\n"; + if (file_exists($fname)) { + $cont = explode("\n", file_get_contents($fname)); + foreach($cont as $cn) { + $ph = "/var/db/squidGuard/$cn"; + + if (file_exists($ph)) { + $dm = " "; + $ur = " "; + $ex = " "; + + if (file_exists("$ph/domains")) $dm = "domains"; + if (file_exists("$ph/urls")) $ur = "urls"; + if (file_exists("$ph/expressions")) $ex = "expressions"; + + $res .= "<tr><td class='listlr'>$cn</td><td class='listr'>$dm</td><td class='listr'>$ur</td><td class='listr'>$ex</td></tr>"; + } + } + } + $res .= "</table>"; + + return $res; +} + +// ##### The following part is based on the code of pfblocker ##### + +/* Uses XMLRPC to synchronize the changes to a remote node */ +function squidguard_sync_on_changes() { + global $config, $g; + if (is_array($config['installedpackages']['squidguardsync'])){ + $synconchanges = $config['installedpackages']['squidguardsync']['config'][0]['varsyncenablexmlrpc']; + $varsynctimeout = $config['installedpackages']['squidguardsync']['config'][0]['varsynctimeout']; + } + else + { + return; + } + + // if checkbox is NOT checked do nothing + switch ($synconchanges){ + case "manual": + if (is_array($config['installedpackages']['squidguardsync']['config'][0]['row'])){ + $rs=$config['installedpackages']['squidguardsync']['config'][0]['row']; + } + else{ + log_error("[Squidguard] xmlrpc sync is enabled but there is no hosts to push on Squidguard config."); + return; + } + break; + case "auto": + if (is_array($config['installedpackages']['carpsettings']) && is_array($config['installedpackages']['carpsettings']['config'])){ + $system_carp=$config['installedpackages']['carpsettings']['config'][0]; + $rs[0]['varsyncdestinenable']="on"; + $rs[0]['varsyncprotocol']=($config['system']['webgui']['protocol']!=""?$config['system']['webgui']['protocol']:"https"); + $rs[0]['varsyncipaddress']=$system_carp['synchronizetoip']; + $rs[0]['varsyncpassword']=$system_carp['password']; + $rs[0]['varsyncport']=($config['system']['webgui']['port']!=""?$config['system']['webgui']['port']:"443"); + if (! is_ipaddr($system_carp['synchronizetoip'])){ + log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + } + else{ + log_error("[Squidguard] xmlrpc sync is enabled but there is no system backup hosts to push squid config."); + return; + } + break; + default: + return; + break; + } + if (is_array($rs)){ + log_error("[SquidGuard] xmlrpc sync is starting with timeout {$varsynctimeout} seconds."); + foreach($rs as $sh){ + if($sh['varsyncdestinenable']){ + $varsyncprotocol = $sh['varsyncprotocol']; + $sync_to_ip = $sh['varsyncipaddress']; + $password = $sh['varsyncpassword']; + $varsyncport = $sh['varsyncport']; + if($password && $sync_to_ip) + squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout); + else + log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} has incomplete credentials. No XMLRPC Sync done!"); + } + else { + log_error("SquidGuard: XMLRPC Sync with {$sh['varsyncipaddress']} is disabled"); + } + } + log_error("[SquidGuard] xmlrpc sync is ending."); + } +} + +/* Do the actual XMLRPC sync */ +function squidguard_do_xmlrpc_sync($sync_to_ip, $password, $varsyncport, $varsyncprotocol,$varsynctimeout) { + global $config, $g; + + if($varsynctimeout == '' || $varsynctimeout == 0) + $varsynctimeout = 150; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + if(!$varsyncport) + return; + + if(!$varsyncprotocol) + return; + + // Check and choose correct protocol type, port number and IP address + $synchronizetoip .= "$varsyncprotocol" . '://'; + $port = "$varsyncport"; + + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $xml['squidguardgeneral'] = $config['installedpackages']['squidguardgeneral']; + $xml['squidguardacl'] = $config['installedpackages']['squidguardacl']; + $xml['squidguarddefault'] = $config['installedpackages']['squidguarddefault']; + $xml['squidguarddest'] = $config['installedpackages']['squidguarddest']; + $xml['squidguardrewrite'] = $config['installedpackages']['squidguardrewrite']; + $xml['squidguardtime'] = $config['installedpackages']['squidguardtime']; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("SquidGuard: Beginning squidguard XMLRPC sync with {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after $varsynctimeout seconds */ + $resp = $cli->send($msg, $varsynctimeout); + if(!$resp) { + $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port}."; + log_error("SquidGuard: $error"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $varsynctimeout); + $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error("SquidGuard: $error"); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("SquidGuard: XMLRPC has synced data successfully with {$url}:{$port}."); + } + + /* tell squidguard to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/squidguard.inc');\n"; + // pfblocker just needed one fuction to reload after XMLRPC. squidguard needs more so we point to a fuction below which contains all fuctions + $execcmd .= "squidguard_all_after_XMLRPC_resync();"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("SquidGuard XMLRPC is reloading data on {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, $varsynctimeout); + if(!$resp) { + $error = "A communications error occurred while squidguard was attempting XMLRPC sync with {$url}:{$port} (exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $varsynctimeout); + $error = "An error code was received while squidguard XMLRPC was attempting to sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squidguard Settings Sync", ""); + } else { + log_error("SquidGuard: XMLRPC has reloaded data successfully on {$url}:{$port} (exec_php)."); + } + +} + +// ##### The part above is based on the code of pfblocker ##### + +// This function restarts all other needed functions after XMLRPC so that the content of .XML + .INC will be written in the files +// Adding more functions will increase the time to sync +function squidguard_all_after_XMLRPC_resync() { + + squidguard_resync_acl(); + squidguard_resync_dest(); + squidguard_resync(); + + log_error("SquidGuard: Finished XMLRPC process. It should be OK. For more information look at the host which started sync."); +} + +?> diff --git a/config/squidGuard-devel/squidguard.xml b/config/squidGuard-devel/squidguard.xml new file mode 100644 index 00000000..e9ce78fd --- /dev/null +++ b/config/squidGuard-devel/squidguard.xml @@ -0,0 +1,260 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <description>[<![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguardgeneral</name> + <version>1.5_1</version> + <title>Proxy filter SquidGuard: General settings</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <!-- Installation --> + <menu> + <name>Proxy filter</name> + <tooltiptext>Modify the proxy server's filter settings</tooltiptext> + <section>Services</section> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </menu> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> + </tabs> + <service> + <name>squidGuard</name> + <description><![CDATA[Proxy server filter Service]]></description> + <executable>squidGuard</executable> + </service> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_configurator.inc</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_acl.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_default.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_dest.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_rewr.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_time.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/pkg/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_sync.xml</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/squidGuard/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_log.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/squidGuard/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/squidguard_blacklist.php</item> + </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/squidGuard-devel/sgerror.php</item> + </additional_files_needed> + <fields> + <field> + <fielddescr>Enable</fielddescr> + <fieldname>squidguard_enable</fieldname> + <description><![CDATA[Check this option to enable squidGuard]]></description> + <type>checkbox</type> + </field> + <field> + <name>LDAP Options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable LDAP Filter</fielddescr> + <fieldname>ldap_enable</fieldname> + <description><![CDATA[Enable options for setup ldap connection to create filters with ldap search]]></description> + <type>checkbox</type> + <enablefields>ldapbinddn,ldapbindpass,stripntdomain,striprealm,ldapversion</enablefields> + </field> + <field> + <fielddescr>LDAP DN</fielddescr> + <fieldname>ldapbinddn</fieldname> + <description><![CDATA[Configure your LDAP DN (ex: cn=Administrator,cn=Users,dc=domain)]]></description> + <type>input</type> + <size>60</size> + </field> + <field> + <fielddescr>LDAP DN Password</fielddescr> + <fieldname>ldapbindpass</fieldname> + <description><![CDATA[LDAP DN Users password]]></description> + <type>password</type> + </field> + <field> + <fielddescr>Strip NT domain name</fielddescr> + <fieldname>stripntdomain</fieldname> + <description><![CDATA[Strip NT domain name component from user names (/ or \ separated).]]></description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>Strip Kerberos Realm</fielddescr> + <fieldname>striprealm</fieldname> + <description><![CDATA[Strip Kerberos Realm component from user names (@ separated).]]></description> + <type>checkbox</type> + <default_value>on</default_value> + </field> + <field> + <fielddescr>LDAP Version</fielddescr> + <fieldname>ldapversion</fieldname> + <type>select</type> + <default_value>3</default_value> + <options> + <option> + <name>Version 2</name> + <value>2</value> + </option> + <option> + <name>Version 3</name> + <value>3</value> + </option> + </options> + </field> + <field> + <name>Logging options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable GUI log</fielddescr> + <fieldname>enable_guilog</fieldname> + <description><![CDATA[Check this option to log the access to the Proxy Filter GUI.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable log</fielddescr> + <fieldname>enable_log</fieldname> + <description><![CDATA[Check this option to log the proxy filter settings like blocked websites in Common ACL, Group ACL and Target Categories. This option is usually used to check the filter settings.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Enable log rotation</fielddescr> + <fieldname>log_rotation</fieldname> + <description><![CDATA[Check this option to rotate the logs every day. This is recommended if you enable any kind of logging to limit file size and do not run out of disk space.]]></description> + <type>checkbox</type> + </field> + <field> + <name>Miscellaneous</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Clean Advertising</fielddescr> + <fieldname>adv_blankimg</fieldname> + <description><![CDATA[Check this option to display a blank gif image instead of the default block page. With this option the user gets a cleaner webpage.]]></description> + <type>checkbox</type> + </field> + <field> + <name>Blacklist options</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Blacklist</fielddescr> + <fieldname>blacklist</fieldname> + <description><![CDATA[Check this option to enable blacklist]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Blacklist proxy</fielddescr> + <fieldname>blacklist_proxy</fieldname> + <description><![CDATA[<br> + Blacklist upload proxy - enter here, or leave blank.<br> + Format: host:[port login:pass] . Default proxy port 1080.<br> + Example: '192.168.0.1:8080 user:pass' + ]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Blacklist URL</fielddescr> + <fieldname>blacklist_url</fieldname> + <description><![CDATA[Enter the path to the blacklist (blacklist.tar.gz) here. You can use FTP, HTTP or LOCAL URL blacklist archive or leave blank. The LOCAL path could be your pfsense (/tmp/blacklist.tar.gz).]]></description> + <type>input</type> + <size>100</size> + </field> + </fields> + <custom_add_php_command/> + <custom_php_validation_command> + squidguard_validate(&$_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_command_before_form> + squidguard_before_form(&$pkg); + </custom_php_command_before_form> + <custom_php_after_form_command> + squidGuard_print_javascript(); + </custom_php_after_form_command> + <custom_php_resync_config_command> + squidguard_resync(); + </custom_php_resync_config_command> + <custom_php_install_command> + squidguard_install_command(); + squidguard_resync(); + </custom_php_install_command> + <custom_php_deinstall_command> + squidguard_deinstall_command(); + </custom_php_deinstall_command> +</packagegui> diff --git a/config/squidGuard-devel/squidguard_acl.xml b/config/squidGuard-devel/squidguard_acl.xml new file mode 100644 index 00000000..cd3e8016 --- /dev/null +++ b/config/squidGuard-devel/squidguard_acl.xml @@ -0,0 +1,245 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguardacl</name> + <version>none</version> + <title>Proxy filter SquidGuard: Groups Access Control List (ACL)</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <delete_string>A proxy server user has been deleted.</delete_string> + <addedit_string>A proxy server user has been created/modified.</addedit_string> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + <active/> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Disabled</fielddescr> + <fieldname>disabled</fieldname> + </columnitem> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Time</fielddescr> + <fieldname>time</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Disabled</fielddescr> + <fieldname>disabled</fieldname> + <description><![CDATA[Check this to disable this ACL rule.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> + <type>input</type> + <required/> + <size>100</size> + </field> + <field> + <fielddescr>Order</fielddescr> + <fieldname>order</fieldname> + <description><![CDATA[ + Select the new position for this ACL item. ACLs are evaluated on a first-match source basis.<br> + <b>Note:</b><br> + Search for a suitable ACL by field 'source' will occur before the first match. If you want to define an exception for some sources (IP) from the IP range, put them on first of the list.<br> + <b>Example:</b><br> + ACL with single (or short range) source ip 10.0.0.15 must be placed before ACL with more large ip range 10.0.0.0/24.<br> + ]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Client (source)</fielddescr> + <fieldname>source</fieldname> + <description><![CDATA[ + Enter client's IP address or domain or "username" here. To separate them use space.<br> + <b>Example:</b><br> + <b>IP:</b> 192.168.0.1 - <b>Subnet:</b> 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - <b>IP-Range:</b> 192.168.1.1-192.168.1.10<br> + <b>Domain:</b> foo.bar matches foo.bar or *.foo.bar<br> + <b>Username:</b> 'user1' <br> + <b>Ldap search (Ldap filter must be enabled in General Settings):</b> <br> + ldapusersearch "ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))"<br> + <i>Attention: these line don't have break line, all on one line and use double quotes ("") in ldap expression</i> + ]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>3</rows> + <required/> + </field> + <field> + <fielddescr>Time</fielddescr> + <fieldname>time</fieldname> + <description><![CDATA[Select the time in which 'Target Rules' will operate or leave 'none' for rules without time restriction. If this option is set then in off-time the second ruleset will operate.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Target Rules</fielddescr> + <fieldname>dest</fieldname> + <description><![CDATA[]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Do not allow IP-Addresses in URL</fielddescr> + <fieldname>notallowingip</fieldname> + <description><![CDATA[To make sure that people do not bypass the URL filter by simply using the IP-Addresses instead of the FQDN you can check this option. This option has no effect on the whitelist.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Redirect mode</fielddescr> + <fieldname>redirect_mode</fieldname> + <description> + Select redirect mode here. + <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. +<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> + <br> Options: + <A title="To 'url' will added special client information;" > + <span style="background-color: #dddddd;" >ext url err page</span></A> , + <A title="Client view 'url' content without any notification about;" > + <span style="background-color: #dddddd;" > ext url redirect</span></A> , + <A title="Client will moved to specified url with displaying url in addres bar;" > + <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , + <A title="Client will moved to specified url with showing progress(only!) in status bar;" > + <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> + </u> + </description> + <type>select</type> + <value>rmod_none</value> + <options> + <option><name>none</name> <value>rmod_none</value></option> + <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> + <option><name>int blank page </name> <value>rmod_int_bpg</value></option> +<!-- <option><name>int blank image</name> <value>rmod_int_bim</value></option> --> +<!-- <option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option> --> + <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> + <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> + <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> + <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> + </options> + </field> + <field> + <fielddescr>Redirect</fielddescr> + <fieldname>redirect</fieldname> + <description><![CDATA[Enter the external redirection URL, error message or size (bytes) here.]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> +<!-- not need now + <field> + <fielddescr>Redirect for off-time</fielddescr> + <fieldname>overredirect</fieldname> + <description><![CDATA[ + Enter external redirection URL, error message or size (bytes) here. + ]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> +--> + <field> + <fielddescr>Use SafeSearch engine</fielddescr> + <fieldname>safesearch</fieldname> + <description><![CDATA[ + To protect your children from adult content you can use the protected mode of search engines.<br> + At the moment it is supported by Google, Yandex, Yahoo, MSN, Live Search and Bing. Make sure that the search engines can be accessed. It is recommended to prohibit access to others.<br> + <b>Note:</b> This option overrides 'Rewrite' setting. + ]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Rewrite</fielddescr> + <fieldname>rewrite</fieldname> + <description><![CDATA[Enter the rewrite condition name for this rule or leave it blank.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Rewrite for off-time</fielddescr> + <fieldname>overrewrite</fieldname> + <description><![CDATA[Enter the rewrite condition name for this rule or leave it blank.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[You may enter any description here for your reference.]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + <type>checkbox</type> + </field> + </fields> + <custom_php_validation_command> + squidguard_validate_acl(&$_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_command_before_form> + squidguard_before_form_acl(&$pkg); + </custom_php_command_before_form> + <custom_php_after_form_command> + squidGuard_print_javascript(); + </custom_php_after_form_command> + <custom_php_resync_config_command> + squidguard_resync_acl(); + </custom_php_resync_config_command> + <custom_delete_php_command> + squidguard_resync_acl(); + </custom_delete_php_command> + <custom_add_php_command> + </custom_add_php_command> + <custom_add_php_command_late> + </custom_add_php_command_late> +</packagegui> diff --git a/config/squidGuard-devel/squidguard_blacklist.php b/config/squidGuard-devel/squidguard_blacklist.php new file mode 100644 index 00000000..98e0aecd --- /dev/null +++ b/config/squidGuard-devel/squidguard_blacklist.php @@ -0,0 +1,329 @@ +<?php +/* $Id$ */ +/* + squidguard_blacklist.php + 2006-2011 Serg Dvoriancev + + part of pfSense (www.pfSense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +require_once("guiconfig.inc"); +require_once("notices.inc"); +if (file_exists("/usr/local/pkg/squidguard.inc")) { + require_once("/usr/local/pkg/squidguard.inc"); +} + +# ------------------------------------------------------------------------------ +# defines +# ------------------------------------------------------------------------------ +define("SGCURL_STATUS", "/tmp/squidguard_download.log"); +define("SGUPD_STATFILE", "/tmp/squidguard_download.stat"); +define("SGBAR_SIZE", "450"); +define("DEBUG_AJAX", "false"); +# ------------------------------------------------------------------------------ +# Requests +# ------------------------------------------------------------------------------ +if ($_REQUEST['getactivity']) +{ + header("Content-type: text/javascript"); + echo squidguard_blacklist_AJAX_response( $_REQUEST ); + exit; +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + +function squidguard_blacklist_AJAX_response( $request ) +{ + $res = ''; + $sz = 0; + $pcaption = ' '; + + # Actions + if ($request['blacklist_download_start']) squidguard_blacklist_update_start( $request['blacklist_url'] ); # update start + elseif ($request['blacklist_download_cancel']) squidguard_blacklist_update_cancel(); # update cancel + elseif ($request['blacklist_restore_default']) squidguard_blacklist_restore_arcdb(); # restore default db + elseif ($request['blacklist_clear_log']) squidguard_blacklist_update_clearlog(); # clear log + + # Activity + # Rebuild progress /check SG rebuild process/ + if (is_squidGuardProcess_rebuild_started()) { + $pcaption = 'Blacklist DB rebuild progress'; + $sz = squidguar_blacklist_rebuild_progress(); + } + elseif (squidguard_blacklist_update_IsStarted()) { + $pcaption = 'Blacklist download progress'; + $sz = squidguard_blacklist_update_progress(); + } + + # progress status + $szleft = $sz * SGBAR_SIZE / 100; + $szright = SGBAR_SIZE - $szleft; + + if ($sz < 0) { + # nothing to show + $sz = 0; + $pcaption = ''; + } + $res .= "el('progress_caption').innerHTML = '{$pcaption}';"; + $res .= "el('widtha').width = {$szleft};"; + $res .= "el('widthb').width = {$szright};"; + $res .= "el('progress_text').innerHTML = '{$sz} %';"; + + $status = ''; + if (file_exists(SGUPD_STATFILE)) { + $status = file_get_contents(SGUPD_STATFILE); + if ($sz && $sz != 100) $status .= "Completed {$sz} %"; + } + if ($status) { + $status = str_replace("\n", "\\r\\n", trim($status)); + $res .= "el('update_state').innerHTML = '{$status}';"; + $res .= "el('update_state_cls').style.display='';"; + $res .= "el('update_state_row').style.display='';"; + } else { + $res .= "el('update_state').innerHTML = '';"; + $res .= "el('update_state_cls').style.display='none';"; + $res .= "el('update_state_row').style.display='none';"; + } + + return $res; +} + +function squidguard_blacklist_update_progress() +{ + $p = -1; + + if (file_exists(SGCURL_STATUS)) { + $cn = file_get_contents(SGCURL_STATUS); + if ($cn) { + $cn = explode("\r", $cn); + $cn = array_pop($cn); + $cn = explode(" ", trim($cn)); + $p = intval( $cn[0] ); + } + } + + return $p; +} + +function squidguar_blacklist_rebuild_progress() +{ + $arcdb = "/tmp/squidGuard/arcdb"; + $blfiles = "{$arcdb}/blacklist.files"; + + if (file_exists($arcdb) && file_exists($blfiles)) { + $dirlist = explode("\n", file_get_contents($blfiles)); + for ($i = 0; $i < count($dirlist); $i++) { + if ( !file_exists("$arcdb/{$dirlist[$i]}/domains.db") && + !file_exists("$arcdb/{$dirlist[$i]}/urls.db") ) + { + return intval( $i * 100 / count($dirlist) ); + } + } + } + + return 0; +} + +function is_squidGuardProcess_rebuild_started() +{ + # memo: 'ps -auxw' used 132 columns; 'ps -auxww' used 264 columns + # if cmd more then 132 need use 'ww..' key + return exec("ps -auxwwww | grep 'squidGuard -c .* -C all' | grep -v grep | awk '{print $2}' | wc -l | awk '{ print $1 }'"); +} + +# ------------------------------------------------------------------------------ +# HTML Page +# ------------------------------------------------------------------------------ + +$pgtitle = "Proxy filter SquidGuard: Blacklist page"; +$selfpath = "./squidguard_blacklist.php"; +$blacklist_url = ''; + +# get squidGuard config +if (function_exists(sg_init)) { + sg_init(convert_pfxml_to_sgxml()); + $blacklist_url = $squidguard_config[F_BLACKLISTURL]; +} + +include("head.inc"); + +echo "\t<script type=\"text/javascript\" src=\"/javascript/scriptaculous/prototype.js\"></script>\n"; + +?> + +<!-- Ajax Script --> +<script type="text/javascript"> + +function el(id) { + return document.getElementById(id); +} + +function getactivity(action) { + var url = "./squidguard_blacklist.php"; + var pars = 'getactivity=yes'; + + if (action == 'download') pars = pars + '&blacklist_download_start=yes&blacklist_url=' + encodeURIComponent(el('blacklist_url').value); + if (action == 'cancel') pars = pars + '&blacklist_download_cancel=yes'; + if (action == 'restore_default') pars = pars + '&blacklist_restore_default=yes'; + if (action == 'clear_log') pars = pars + '&blacklist_clear_log=yes'; + + var myAjax = new Ajax.Request( url, + { + method: 'get', + parameters: pars, + onComplete: activitycallback + }); +} + +function activitycallback(transport) { + +<?php if (DEBUG_AJAX == "true") echo "el('debug_textarea').innerHTML = transport.responseText;"; ?> + + if (200 == transport.status) { + result = transport.responseText; + } + + // refresh 3 sec + setTimeout('getactivity()', 3100); + //alert(transport.responseText); +} + +window.setTimeout('getactivity()', 150); + +</script> + +<!-- HTML --> + +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<form action="./squidguard_blacklist.php" method="post"> + +<?php include("fbegin.inc"); ?> + +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<!-- Tabs --> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("General settings"), false, "/pkg_edit.php?xml=squidguard.xml&id=0"); + $tab_array[] = array(gettext("Common ACL"), false, "/pkg_edit.php?xml=squidguard_default.xml&id=0"); + $tab_array[] = array(gettext("Groups ACL"), false, "/pkg.php?xml=squidguard_acl.xml"); + $tab_array[] = array(gettext("Target categories"),false, "/pkg.php?xml=squidguard_dest.xml"); + $tab_array[] = array(gettext("Times"), false, "/pkg.php?xml=squidguard_time.xml"); + $tab_array[] = array(gettext("Rewrites"), false, "/pkg.php?xml=squidguard_rewr.xml"); + $tab_array[] = array(gettext("Blacklist"), true, "/squidGuard/squidguard_blacklist.php"); + $tab_array[] = array(gettext("Log"), false, "/squidGuard/squidguard_log.php"); + $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=squidguard_sync.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + <table class="tabcont" width="100%"> + <tr> + <td class="vncell" width="22%">Blacklist Update</td> + <td class="vtable"> + <big id='progress_caption' name='progress_caption'> </big><br> +<?php + echo "<nobr>"; + echo "<img src='/themes/".$g['theme']."/images/misc/bar_left.gif' height='10' width='5' border='0' align='absmiddle'>"; + echo "<img src='/themes/".$g['theme']."/images/misc/bar_blue.gif' height='10' name='widtha' id='widtha' width='" . 0 . "' border='0' align='absmiddle'>"; + echo "<img src='/themes/".$g['theme']."/images/misc/bar_gray.gif' height='10' name='widthb' id='widthb' width='" . SGBAR_SIZE . "' border='0' align='absmiddle'>"; + echo "<img src='/themes/".$g['theme']."/images/misc/bar_right.gif' height='10' width='5' border='0' align='absmiddle'> "; + echo " <u id='progress_text' name='progress_text'>0 %</u>"; + echo "</nobr>"; + echo "<br><br>"; +?> + <nobr> + <input class="formfld unknown" size="70" id="blacklist_url" name="blacklist_url" value= '<?php echo "$blacklist_url"; ?>' >   + <!--input size='70' id='blacklist_download_start' name='blacklist_download_start' value='Download' type='button' onclick="getactivity('download');">  + <input size='70' id='blacklist_download_cancel' name='blacklist_download_cancel' value='Cancel' type='button' onclick="getactivity('cancel');"--> + </nobr><br> + <input size='70' id='blacklist_download_start' name='blacklist_download_start' value='Download' type='button' onclick="getactivity('download');"> + <input size='70' id='blacklist_download_cancel' name='blacklist_download_cancel' value='Cancel' type='button' onclick="getactivity('cancel');"> + + <input size='70' id='blacklist_restore_default' name='blacklist_restore_default' value='Restore default' type='button' onclick="getactivity('restore_default');"> + <br><br> + Enter FTP or HTTP path to the blacklist archive here. + <br><br> + </td> + </tr> + <tr id='update_state_cls' name='update_state_cls' style='display:none;'> + <td> </td> + <td> + <span style="cursor: pointer;"> + <img src=<?php echo "'/themes/{$g['theme']}/images/icons/icon_block.gif'" ?> onClick="getactivity('clear_log');" title='Clear Log and Close'> + </span> + <big><b>Blacklist update Log</b></big> + </td> + </tr> + <tr id='update_state_row' name='update_state_row' style='display:none;'> + <td> </td> + <td> + <textarea rows='15' cols='55' name='update_state' id='update_state' wrap='hard' readonly> </textarea> + </td> + </tr> +<?php +# debug +if (DEBUG_AJAX !== "false") { +echo <<<EOD + <tr id='debug_row' name='debug_row'> + <td> </td> + <td> + <textarea rows='15' cols='55' name='debug_textarea' id='debug_textarea' wrap='hard' readonly> </textarea> + </td> + </tr> +EOD; +} +?> + </table> + </td> + </tr> + <tr> + <td> +<?php +#blacklist table +#echo squidguard_blacklist_list(); +?> + </td> + </tr> + </table> + </div> + </td> + </tr> +</table> + +<?php include("fend.inc"); ?> + +</form> +</body> +</html> + diff --git a/config/squidGuard-devel/squidguard_configurator.inc b/config/squidGuard-devel/squidguard_configurator.inc new file mode 100644 index 00000000..3cf7bc61 --- /dev/null +++ b/config/squidGuard-devel/squidguard_configurator.inc @@ -0,0 +1,2532 @@ +<?php +# ------------------------------------------------------------------------------ +/* squidguard_configurator.inc + 2006-2011 Serg Dvoriancev + 2013 (squidGuard 1.5 beta) Luiz G. Costa <gugabsd@mundounix.com.br> + + part of pfSense (www.pfSense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +# ------------------------------------------------------------------------------ +# SquidGuard Configurator +# email: dv_serg@mail.ru +# ------------------------------------------------------------------------------ +# squidGuard inline options: +# squidGuard -C all - update database +# squidGuard -c <configfile> - create squidGuard with specified config file +# ------------------------------------------------------------------------------ +# Notes: +# for work squidGuard need present ALL destinations; +# if dest not present in config - then this item will ignored in operations +# (in rebuild DB for example) +# ------------------------------------------------------------------------------ +# Directories: +# work path - $workdir +# log path - $workdir + $logdir +# ------------------------------------------------------------------------------ + +require_once('globals.inc'); +require_once('config.inc'); +require_once('util.inc'); +require_once('pfsense-utils.inc'); +require_once('pkg-utils.inc'); +require_once('filter.inc'); +require_once('service-utils.inc'); + +# squid package must exists by default system path (for v.2.0/2.1) +# todo: move include string to the squid-function call string position +if (file_exists('/usr/local/pkg/squid.inc')) { + require_once('/usr/local/pkg/squid.inc'); +} + +# ------------------------------------------------------------------------------ +# Allow additional execution time 0 = no limit +# ------------------------------------------------------------------------------ +ini_set('max_execution_time', '3600'); +ini_set('max_input_time', '3600'); +ini_set('memory_limit', '100M'); + +# ------------------------------------------------------------------------------ +# ToDo ! Must use all settings via $squidguard_config ! +# Sdelat rewrite dlya smeny skachivaniya + +# ------------------------------------------------------------------------------ +# files header +# ------------------------------------------------------------------------------ +define('FILES_DB_HEADER', ' +# ------------------------------------------------------------------------------ +# File created by squidGuard package GUI +# (C)2006-2010 Serg Dvoriancev +# ------------------------------------------------------------------------------ +'); + +define('CONFIG_SG_HEADER', " +# ============================================================ +# SquidGuard configuration file +# This file generated automaticly with SquidGuard configurator +# (C)2006 Serg Dvoriancev +# email: dv_serg@mail.ru +# ============================================================ +"); + +# ------------------------------------------------------------------------------ +# squid config options +# ------------------------------------------------------------------------------ +define('REDIRECTOR_OPTIONS_REM', '# squidGuard options'); +define('REDIRECTOR_PROGRAM_OPT', 'redirect_program'); +define('REDIRECT_BYPASS_OPT', 'redirector_bypass'); +define('REDIRECT_CHILDREN_OPT', 'url_rewrite_children'); +define('REDIRECTOR_PROCESS_COUNT', '5'); # redirector processes count will started + +# ------------------------------------------------------------------------------ +# squidguard config options +# ------------------------------------------------------------------------------ +# define default redirection url (redirector get this url for all blocked url's) +# * !ATTENTION! this url must be exists; IF url not exist, redirector will't block +# (returned to squid some url, what blocked) +# ------------------------------------------------------------------------------ +define('REDIRECT_BASE_URL', '/sgerror.php'); +define('REDIRECT_URL_ARGS', '&a=%a&n=%n&i=%i&s=%s&t=%t&u=%u'); + +# ------------------------------------------------------------------------------ +# squidguard system constants +# ------------------------------------------------------------------------------ + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) { + if (file_exists('/usr/pbi/squidguard-squid3-' . php_uname("m"))) + define('SQUIDGUARD_LOCALBASE', '/usr/pbi/squidguard-squid3-' . php_uname("m")); + else + define('SQUIDGUARD_LOCALBASE', '/usr/pbi/squidguard-devel-' . php_uname("m")); +} else + define('SQUIDGUARD_LOCALBASE','/usr/local'); + +if (!defined('SQUID_LOCALBASE') && ($pf_version > 2.0)) + define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m")); +elseif (!defined('SQUID_LOCALBASE')) + define('SQUID_LOCALBASE','/usr/local'); + +define('SQUID_CONFIGFILE', SQUID_LOCALBASE . '/etc/squid/squid.conf'); +define('TMP_DIR', '/var/tmp'); +# +define('SQUIDGUARD_CONFIGFILE', '/squidGuard.conf'); +define('SQUIDGUARD_CONFLOGFILE', '/sg_configurator.log'); +define('SQUIDGUARD_LOGFILE', 'block.log'); +define('SQUIDGUARD_GUILOGFILE', 'squidGuard.log'); +define('SQUIDGUARD_CONFBASE', SQUID_LOCALBASE . '/etc/squid'); +define('SQUIDGUARD_WORKDIR', SQUIDGUARD_LOCALBASE . '/etc/squidGuard'); +define('SQUIDGUARD_BINPATH', SQUIDGUARD_LOCALBASE . '/bin'); +define('SQUIDGUARD_TMP', '/tmp/squidGuard'); # SG temp +define('SQUIDGUARD_VAR', '/var/squidGuard'); # SG variables +define('SQUIDGUARD_STATE', '/squidGuard.state'); +define('SQUIDGUARD_REBUILD', '/squidGuard.rebuild'); +define('SQUIDGUARD_CONFXML', '/squidguard_conf.xml'); +define('SQUIDGUARD_DBHOME', '/var/db/squidGuard'); +define('SQUIDGUARD_DBHOME_BLK', SQUIDGUARD_DBHOME); +define('SQUIDGUARD_DBSAMPLE', '/var/db/squidGuard.sample'); +define('SQUIDGUARD_LOGDIR', '/var/squidGuard/log'); +define('SQUIDGUARD_WEBGUI_LOG', '/squidguard_gui.log'); +define('SQUIDGUARD_WEBGUI_HISTORY_LOG', '/squidguard_gui_history.log'); +# +define('SQUIDGUARD_SCR_LOGROTATE', SQUIDGUARD_LOCALBASE . '/etc/rc.d/squidGuard_logrotate'); # Logrotate script +# +# DB home catalog contains 'Blacklist' and 'User' sub-catalogs +define('SQUIDGUARD_DB_BLACKLIST', '/bl'); +define('SQUIDGUARD_DB_USER', '/usr'); +define('SQUIDGUARD_BL_UNPACK', '/unpack'); +define('SQUIDGUARD_BL_DB', '/db'); +# +# DB/Blacklist defines + +#> +define('SQUIDGUARD_BLK_ENTRIES', '/blacklist.files'); +#< + +define('SQUIDGUARD_BLK_FILELIST', '/blacklist.files'); +define('SQUIDGUARD_BLK_FILELISTPATH', SQUIDGUARD_WORKDIR . SQUIDGUARD_BLK_FILELIST); +define('BLACKLIST_ARCHIVE', '/blacklists.tar'); +define('SCR_NAME_BLKUPDATE', '/tmp/squidGuard_blacklist_update.sh'); +define('DB_REBUILD_SH', '/tmp/squidGuard_db_rebuild.sh'); +define('DB_REBUILD_CONF', '/tmp/squidGuard_db_rebuild.conf'); +define('DB_REBUILD_BLK_CONF', '/squidGuard_blk_rebuild.conf'); +define('BLK_TEMP', '/tmp/sg_blk'); +define('SG_BLK_ARC', '/arcdb'); # blk db archive +define('SG_INFO_FILE', '/var/squidGuard/sg_db_upd.inf'); + +define('SG_UPDATE_TARFILE', '/tmp/squidguard_blacklist.tar'); +define('SG_UPDATE_TMPFILE', '/tmp/squidguard_download.tmp'); +define('SG_UPDATE_LOGFILE', '/tmp/squidguard_download.log'); +define('SG_UPDATE_STATFILE', '/tmp/squidguard_download.stat'); + +# ============================================================================== +# CONSTANTS +# ============================================================================== +# redirect mode +define('RMOD_NONE', 'rmod_none'); +define('RMOD_INT_ERRORPAGE', 'rmod_int'); +define('RMOD_INT_BLANKPAGE', 'rmod_int_bpg'); +define('RMOD_INT_BLANKIMG', 'rmod_int_bim'); +define('RMOD_INT_SIZELIMIT', 'rmod_int_szl'); +define('RMOD_EXT_ERR', 'rmod_ext_err'); +define('RMOD_EXT_RDR', 'rmod_ext_rdr'); +define('RMOD_EXT_MOVED', 'rmod_ext_mov'); +define('RMOD_EXT_FOUND', 'rmod_ext_fnd'); +# Log level: 0-error, 1-warning; 2-info +define('SQUIDGUARD_INFO', 2); +define('SQUIDGUARD_WARNING', 1); +define('SQUIDGUARD_ERROR', 0); +# +define('ACL_WARNING_ABSENSE_PASS', "!WARNING! Absence PASS 'all' or 'none' added as 'none'"); + +# ============================================================================== +# OPTIONS +# ============================================================================== +# Log +define('SQUIDGUARD_GUILOG_LEVEL', SQUIDGUARD_INFO); # log level +define('SQUIDGUARD_GUILOG_MAXCOUNT', 500); # log max lines +define('SQUIDGUARD_GUILOG_ENABLE', true); # on/off gui log - option override GUI settings +define('SQUIDGUARD_LOG_ENABLE', true); # on/off SG log - option override GUI settings + +# +define('FLT_DEFAULT_ALL', 'all'); +define('FLT_NOTALLOWIP', '!in-addr'); + +# owner user name (squid system user - need for define rights access) +define('OWNER_NAME', 'proxy'); + +# Debug +define('DEBUG_ON', 'true'); + +# ============================================================================== +# black list +# ============================================================================== +# known black list standard names +# ------------------------------------------------------------------------------ +define('FLT_AD', 'ads'); +define('FLT_AGGRESSIVE', 'aggressive'); +define('FLT_AUDIOVIDEO', 'audio-video'); +define('FLT_DRUGGS', 'druggs'); +define('FLT_GAMBLING', 'gambling'); +define('FLT_HACKING', 'hacking'); +define('FLT_MAIL', 'mail'); +define('FLT_PORN', 'porn'); +define('FLT_PROXY', 'proxy'); +define('FLT_VIOLENCE', 'viol'); +define('FLT_WAREZ', 'warez'); + +# ============================================================================== +# SquidGuard Configurator +# ============================================================================== + +# ------------------------------------------------------------------------------ +# squidguard system fields +# ------------------------------------------------------------------------------ +define('F_SQUIDGUARD', 'squidGuard'); +define('F_LOGDIR', 'logdir'); +define('F_DBHOME', 'dbhome'); +define('F_WORKDIR', 'workdir'); +define('F_LDAPENABLE', 'ldap_enable'); +define('F_LDAPBINDDN', 'ldapbinddn'); +define('F_LDAPBINDPASS', 'ldapbindpass'); +define('F_LDAPVERSION', 'ldapversion'); +define('F_STRIPNTDOMAIN', 'stripntdomain'); +define('F_STRIPREALM', 'striprealm'); +define('F_BINPATH', 'binpath'); +define('F_PROCCESSCOUNT', 'process_count'); +define('F_SQUIDCONFIGFILE', 'squid_configfile'); +define('F_ENABLED', 'enabled'); +define('F_SGCONF_XML', 'sgxml_file'); + +# other fields +define('F_ITEM', 'item'); +define('F_TIMES', 'times'); +define('F_SOURCES', 'sources'); +define('F_DESTINATIONS', 'destinations'); +define('F_REWRITES', 'rewrites'); +define('F_ACLS', 'acls'); +define('F_DEFAULT', 'default'); +define('F_NAME', 'name'); +define('F_DESCRIPTION', 'description'); +define('F_IP', 'ip'); +define('F_URLS', 'urls'); +define('F_DOMAINS', 'domains'); +define('F_EXPRESSIONS', 'expressions'); +define('F_REDIRECT', 'redirect'); +define('F_TARGETURL', 'targeturl'); +define('F_REPLACETO', 'replaceto'); +define('F_LOG', 'log'); +define('F_ITEM', 'item'); +define('F_DISABLED', 'disabled'); +define('F_TIMENAME', 'timename'); +define('F_DESTINATIONNAME', 'destname'); +define('F_REDIRECT', 'redirect'); +define('F_REWRITE', 'rewrite'); +define('F_MODE', 'mode'); +define('F_REWRITENAME', 'rewritename'); +define('F_OVERDESTINATIONNAME', 'overdestname'); +define('F_OVERREDIRECT', 'overredirect'); +define('F_OVERREWRITE', 'overrewrite'); +define('F_OVERREWRITENAME', 'overrewritename'); +define('F_TIMETYPE', 'timetype'); +define('F_TIMEDAYS', 'timedays'); +define('F_DATRANGE', 'daterange'); +define('F_TIMERANGE', 'sg_timerange'); +define('F_RMOD', 'redirect_mode'); # [redirect_mode] = rmod_int <base- use sgerror.php>; rmod_301; rmod_302; +define('F_NOTALLOWINGIP', 'notallowingip'); # not allowing ip in URL +define('F_USERNAME', 'username'); +define('F_ORDER', 'order'); + +# log +define('F_ENABLELOG', 'enablelog'); +define('F_ENABLEGUILOG', 'enableguilog'); +define('F_LOGROTATION', 'logrotation'); + +#Clean adversiting +define('F_ADV_BLANKIMG', 'adv_blankimg'); + +# transparent mode +define('F_SQUID_TRANSPARENT_MODE', 'squid_transparent_mode'); +define('F_CURRENT_LAN_IP', 'current_lan_ip'); +define('F_CURRENT_GUI_PORT', 'current_gui_port'); +define('F_CURRENT_GUI_PROTO', 'current_gui_protocol'); + +# blacklist +define('F_BLACKLISTENABLED', 'blacklist_enabled'); +define('F_BLACKLISTURL', 'blacklist_url'); + +# ============================================================================== +# Globals +# ============================================================================== +$squidguard_config = array(); # squidGuard config array + +# call default init +sg_init(); + +# ------------------------------------------------------------------------------ +# sg_init - initialize config array +# ------------------------------------------------------------------------------ +function sg_init($init = '') +{ + global $squidguard_config; + + $squidguard_config = array(); + if(empty($init) or !is_array($init) ) { + # default init (for generate minimal config) + $squidguard_config[F_LOGDIR] = SQUIDGUARD_LOGDIR; + $squidguard_config[F_DBHOME] = SQUIDGUARD_DBHOME; + $squidguard_config[F_WORKDIR] = SQUIDGUARD_WORKDIR; + $squidguard_config[F_BINPATH] = SQUIDGUARD_BINPATH; + $squidguard_config[F_SQUIDCONFIGFILE] = SQUID_CONFIGFILE; + $squidguard_config[F_PROCCESSCOUNT] = REDIRECTOR_PROCESS_COUNT; + + } else { + # copy config from $init + foreach($init as $key => $in) + $squidguard_config[$key] = $in; + } + + return $squidguard_config; +} + +# ------------------------------------------------------------------------------ +# sg_loadconfig_xml +# ------------------------------------------------------------------------------ +function sg_load_configxml($filename) +{ + global $squidguard_config; + + sg_init(); + if (file_exists($filename)) { + $xmlconf = file_get_contents($filename); + + if (!empty($xmlconf)) { + $squidguard_config = $xmlconf[F_SQUIDGUARD]; + sg_addlog("sg_load_configxml", "Success update from '$filename'.", SQUIDGUARD_INFO); + } else + sg_addlog("sg_load_configxml", "File '$filename' is empty.", SQUIDGUARD_ERROR); + } else + sg_addlog("sg_load_configxml", "File '$filename' does not exists.", SQUIDGUARD_ERROR); +} + +# ------------------------------------------------------------------------------ +# sg_saveconfig_xml +# ------------------------------------------------------------------------------ +function sg_save_configxml($filename) +{ + global $squidguard_config; + conf_mount_rw(); + file_put_contents($filename, dump_xml_config($squidguard_config, F_SQUIDGUARD)); + conf_mount_ro(); +} + +# ------------------------------------------------------------------------------ +# sg_reconfigure - squidguard reconfiguration +# ------------------------------------------------------------------------------ +function sg_reconfigure() +{ + global $squidguard_config; + $conf_file = SQUIDGUARD_LOGDIR . SQUIDGUARD_CONFIGFILE; + + # 1. check system + sg_check_system(); + + # 2. reconfigure user db + sg_reconfigure_user_db(); + + # 3. generate squidGuard config + $conf = sg_create_config(); + if ($conf) { + conf_mount_rw(); + if ($squidguard_config[F_WORKDIR]) + $conf_file = $squidguard_config[F_WORKDIR] . SQUIDGUARD_CONFIGFILE; + file_put_contents($conf_file, $conf); + file_put_contents(SQUID_LOCALBASE . '/etc/squid' . SQUIDGUARD_CONFIGFILE, $conf); # << squidGuard want config '/usr/local/etc/squid' by default + set_file_access($squidguard_config[F_WORKDIR], OWNER_NAME, 0755); + conf_mount_ro(); + sg_addlog("sg_reconfigure", "Save squidGuard config to '$conf_file'.", SQUIDGUARD_INFO); + } else + sg_addlog("sg_reconfigure", "Can't create squidGuard config.", SQUIDGUARD_ERROR); + + # 4. reconfigure squid + squid_reconfigure(); +} + +# ------------------------------------------------------------------------------ +# squid_reconfigure +# Insert in '/usr/local/squid/etc/squid.conf' options: +# redirector_bypass off +# redirect_program /usr/local/squidGuard/bin/squidGuard -c /path_to_config_file +# url_rewrite_children 5 +# ------------------------------------------------------------------------------ + +function squid_reconfigure($remove_only = '') +{ + global $config; + global $squidguard_config; + $conf = ''; + $cust_opt = $config['installedpackages']['squid']['config'][0]['custom_options']; + # remove old options + if (!empty($cust_opt)) { + $conf = explode(";", $cust_opt); + foreach ($conf as $key => $c_opt) { + $t_opt = ltrim($c_opt); + if ((strpos($t_opt, REDIRECTOR_PROGRAM_OPT) === 0) or + (strpos($t_opt, REDIRECT_BYPASS_OPT) === 0) or + (strpos($t_opt, REDIRECT_CHILDREN_OPT) === 0)) + unset($conf[$key]); + } + sg_addlog("squid_reconfigure", "Remove old redirector options from Squid config.", SQUIDGUARD_INFO); + } + + # add new options - if squidGuard enabled + if (empty($remove_only) && ($squidguard_config[F_ENABLED] === 'on')) { + $redirector_path = $squidguard_config[F_BINPATH] . '/squidGuard'; + $redirector_conf = $squidguard_config[F_WORKDIR] . SQUIDGUARD_CONFIGFILE; + + $conf[] = REDIRECTOR_PROGRAM_OPT . " $redirector_path -c $redirector_conf"; + $conf[] = REDIRECT_BYPASS_OPT . " off"; + $conf[] = REDIRECT_CHILDREN_OPT . " " . REDIRECTOR_PROCESS_COUNT; + + sg_addlog("squid_reconfigure", "Add new redirector options to Squid config.", SQUIDGUARD_INFO); + } + + # update config + if (is_array($conf)) $conf = implode(";", $conf); + + /* Only update squid options if we have something to do, otherwise this can interfere with squid's default options in a new install. */ + if ($conf != $cust_opt) { + $config['installedpackages']['squid']['config'][0]['custom_options'] = $conf; + write_config('Update redirector options to squid config.'); + } + + # resync squid package, if installed + if (function_exists('squid_resync')) { + squid_resync(); + } +} + +# ------------------------------------------------------------------------------ +# sg_check_system - check squidguard catalog's and access right's +# ------------------------------------------------------------------------------ +function sg_check_system() +{ + global $squidguard_config; + conf_mount_rw(); + + # check work_dir & create if not exists + $work_dir = $squidguard_config[F_WORKDIR]; + if (!empty($work_dir)) { + # check dir's + if (!file_exists($work_dir)) { + mwexec("mkdir -p $work_dir"); + set_file_access($work_dir, OWNER_NAME, 0755); + sg_addlog("sg_check_system", "Create work dir '$work_dir'.", SQUIDGUARD_WARNING); + } + } + + # check log_dir & create if not exists + $log_dir = $squidguard_config[F_LOGDIR]; + if (!empty($log_dir)) { + if (!file_exists($log_dir)) { + mwexec("mkdir -p $log_dir"); + sg_addlog("sg_check_system", "Create log dir '$log_dir'.", SQUIDGUARD_WARNING); + } + # set access right - need start any time; + # (SG possible start from console and log file will have only root access) + set_file_access($log_dir, OWNER_NAME, 0755); + } + + # check db dir + $db_dir = $squidguard_config[F_DBHOME]; + if (!empty($db_dir)) { + if (!file_exists($db_dir)) { + mwexec("mkdir -p $db_dir"); + sg_addlog("sg_check_system", "Create db dir '$db_dir'.", SQUIDGUARD_WARNING); + } + # set access right + set_file_access($db_dir, OWNER_NAME, 0755); + } + conf_mount_ro(); + + # logrotate + if (file_exists(SQUIDGUARD_SCR_LOGROTATE)) unlink(SQUIDGUARD_SCR_LOGROTATE); + if ($squidguard_config[F_LOGROTATION] == 'on') { + file_put_contents(SQUIDGUARD_SCR_LOGROTATE, sg_script_logrotate()); + set_file_access (SQUIDGUARD_SCR_LOGROTATE, OWNER_NAME, 0755); + } +} +# ============================================================================== +# squidGuard DB +# ============================================================================== +# sg_reconfigure_user_db - reconfigure(update) db user entries +# ------------------------------------------------------------------------------ +function sg_reconfigure_user_db() +{ + global $squidguard_config; + conf_mount_rw(); + $dbhome = $squidguard_config[F_DBHOME]; + + sg_addlog("sg_reconfigure_user_db", "Begin with '$dbhome'", SQUIDGUARD_INFO); + + # create user DB catalog, if not extsts + if (!file_exists($dbhome)) { + if (!mkdir($dbhome, 0755)) { + sg_addlog("sg_reconfigure_user_db", "Can't create user DB directory '$dbhome'.", SQUIDGUARD_ERROR); + return; + } + set_file_access($dbhome, OWNER_NAME, 0755); + sg_addlog("sg_reconfigure_user_db", "Create user DB directory '$dbhome'.", SQUIDGUARD_INFO); + } + + # update destinations to db + $dests = $squidguard_config[F_DESTINATIONS]; + if(!empty($dests)){ + $dst_names = Array(); + $dst_list = Array(); + + sg_addlog("sg_reconfigure_user_db", "Add user entries", SQUIDGUARD_INFO); + foreach($dests[F_ITEM] as $dst) { + $path = "$dbhome/" . $dst[F_NAME]; + $dst_names[] = $path; + $dst_list["usr_{$dst[F_NAME]}"] = $dst[F_NAME]; + + # 1. check destination catalog and create them, if need + if (!file_exists($path)) { + if (!mkdir ($path, 0755)) { + sg_addlog("sg_reconfigure_user_db", "Can't create dir '$path'.", SQUIDGUARD_ERROR); + return; + } + sg_addlog("sg_reconfigure_user_db", "Create dir '$path'.", SQUIDGUARD_INFO); + } + + # 2. build domains file + $domains = $dst[F_DOMAINS]; + if (!empty($domains)) { + $content = trim(str_replace(" ", "\n", $domains)); + file_put_contents($path . '/domains', $content); + sg_addlog("sg_reconfigure_user_db", "Add {$dst[F_NAME]} domains '$domains';", SQUIDGUARD_INFO); + } + unset($domains); + + # 3. build urls file + $urls = $dst[F_URLS]; + if (!empty($urls)) { + $content = trim(str_replace(" ", "\n", $urls)); + file_put_contents($path . '/urls', $content); + sg_addlog("sg_reconfigure_user_db", "Add {$dst[F_NAME]} urls '$content';", SQUIDGUARD_INFO); + } + unset($urls); + + # 4. build expression file + $expr = $dst[F_EXPRESSIONS]; + if (!empty($expr)) { + $content = trim(str_replace("|", " ", $expr)); # delete first and last unnecessary '|' symbol + $content = str_replace(" ", "|", $content); + file_put_contents($path . '/expressions', $content); + sg_addlog("sg_reconfigure_user_db", "Add {$dst[F_NAME]} expressions '$content';", SQUIDGUARD_INFO); + } + unset($expr); + } + + # 5. recursive set files access + set_file_access($dbhome, OWNER_NAME, 0755); + + # 6. rebuild user db ('/var/db/squidGuard') + squidguard_rebuild_db("_usrdb", $dbhome, $dst_list); + } else + sg_addlog("sg_reconfigure_user_db", "User destinations list empty.", SQUIDGUARD_WARNING); + + # 7. remove unused db entries + sg_remove_unused_db_entries(); + conf_mount_ro(); +} + +# ------------------------------------------------------------------------------ +# sg_remove_unused_db_entries +# ------------------------------------------------------------------------------ +function sg_remove_unused_db_entries() +{ + global $squidguard_config; + conf_mount_rw(); + $db_entries = array(); + $file_list = ''; + $dbhome = $squidguard_config[F_DBHOME]; + $workdir = $squidguard_config[F_WORKDIR]; + + # black list entries + # * worked only with 'blacklist entries list file - else may be deleted black list entry + if (file_exists(SQUIDGUARD_BLK_FILELISTPATH)) { + $file_for_del = array(); + + # load blk entries + $db_entries = explode("\n", file_get_contents(SQUIDGUARD_BLK_FILELISTPATH)); + + # $db_entries + add user entries + $dests = $squidguard_config[F_DESTINATIONS]; + if (!empty($dests)) { + foreach($dests[F_ITEM] as $dst) + $db_entries[] = $dst[F_NAME]; + } + + # diff between file list and entries list + $file_list = scan_dir($dbhome); + if (is_array($file_list) and is_array($db_entries)) { + $file_for_del = array_diff($file_list, $db_entries); + } + + # delete + if (is_array($file_for_del) and !empty($file_for_del)) { + foreach($file_for_del as $fd) { + $file_fd = "$dbhome/$fd"; + if (!empty($fd) && ($fd != ".") && ($fd != "..")) { + if (file_exists($file_fd)) { + mwexec("rm -R $file_fd"); + sg_addlog("sg_remove_unused_db_entries", "Removed file '$file_fd'.", SQUIDGUARD_INFO); + } else + sg_addlog("sg_remove_unused_db_entries", "File'$file_fd' not found.", SQUIDGUARD_ERROR); + } + } + } + } + conf_mount_ro(); +} +# ------------------------------------------------------------------------------ +# sg_rebuild_db Rebuild squidGuard DB from list items +# ------------------------------------------------------------------------------ +# $shtag - rebuild SH script TAG +# $rdb_dbhome - DB directory (default: '/var/db/squidGuard') +# $rdb_itemslist - items list as ['dest_key']='dest_DB_path' +# dest_DB_path - path without '$rdb_dbhome' +# example: ['ads_ban']='ads/banners' -> '/var/db/squidGuard/ads/banners' +# ------------------------------------------------------------------------------ +/* +function sg_rebuild_db($shtag, $rdb_dbhome, $rdb_itemslist) +{ + global $squidguard_config; + conf_mount_rw(); + $conf = ''; + $conf_path = ''; + $logdir = $squidguard_config[F_LOGDIR]; + $dbhome = $squidguard_config[F_DBHOME]; + + # current dbhome dir + if (!empty($rdb_dbhome)) $dbhome = $rdb_dbhome; + sg_addlog("sg_rebuild_db", "Begin with path '$dbhome'.", SQUIDGUARD_INFO); + + # define - where config will placed + $conf_path = "/tmp/squidGuard_rebuild.conf" . $shtag; + + # make rebuild config; include all found dest items + $conf = sg_create_simple_config($dbhome, $rdb_itemslist); + file_put_contents($conf_path, $conf); + set_file_access($conf_path, OWNER_NAME, 0750); + sg_addlog("sg_rebuild_db", "Create temporary config '$conf_path'.", SQUIDGUARD_INFO); + + # *** SH script *** + $sh_scr = Array(); + $sh_scr[] = "#!/bin/sh"; + $sh_scr[] = "cd $dbhome"; + $sh_scr[] = $squidguard_config[F_BINPATH] . "/squidGuard -c $conf_path -C all"; + $sh_scr[] = "wait"; # wait while SG rebuild DB + + # set DB owner and right access + $sh_scr[] = "chown -R -v " . OWNER_NAME . " $dbhome"; + + # restart squid for changes to take effects + $sh_scr[] = SQUID_LOCALBASE . "/sbin/squid -k reconfigure"; + + # store & exec sh + $sh_scr = implode("\n", $sh_scr); + $shfile = DB_REBUILD_SH . $shtag; + file_put_contents($shfile, $sh_scr); + set_file_access($shfile, OWNER_NAME, 0750); + # ! not background exec ! + mwexec($shfile); + sg_addlog("sg_rebuild_db", "Started SH script '$shfile'.", SQUIDGUARD_INFO); + conf_mount_ro(); +} +*/ +# ------------------------------------------------------------------------------ +# squidguard_rebuild_db Rebuild squidGuard DB from list items +# ------------------------------------------------------------------------------ +# $tag - rebuild task TAG +# $rdb_dbhome - DB directory (default: '/var/db/squidGuard') +# $rdb_itemslist - items list as ['dest_key']='dest_DB_path' +# dest_DB_path - path without '$rdb_dbhome' +# example: ['ads_ban']='ads/banners' -> '/var/db/squidGuard/ads/banners' +# ------------------------------------------------------------------------------ +function squidguard_rebuild_db($tag, $rdb_dbhome, $rdb_itemslist) +{ + global $squidguard_config; + + $dbhome = $rdb_dbhome; + $logdir = $squidguard_config[F_LOGDIR]; + $workdir = $squidguard_config[F_WORKDIR]; + $conf_path = "{$workdir}/squidGuard_{$tag}rebuild.conf"; + + sg_addlog("squidguard_rebuild_db", "Begin with path '$dbhome'.", SQUIDGUARD_INFO); + + # make rebuild config; include all found dest items + $dbitems = array(); + if ($rdb_itemslist) { + # items list as ['dest_key']='dest_DB_path' + foreach ($rdb_itemslist as $it) { + $dbitems[str_replace('/', '_', $it)] = $it; # replace path to name + } + } + file_put_contents($conf_path, sg_create_simple_config($dbhome, $dbitems)); + set_file_access($conf_path, OWNER_NAME, 0750); + sg_addlog("squidguard_rebuild_db", "Create rebuild config '$conf_path'.", SQUIDGUARD_INFO); + + # rebuild blacklist db + mwexec_bg("/usr/bin/nice -n20 " . SQUIDGUARD_BINPATH . "/squidGuard -c $conf_path -C all"); + # wait + while (exec("ps -auxwwww | grep 'squidGuard -c .* -C all' | grep -v grep | awk '{print $2}' | wc -l | awk '{ print $1 }'") > 0) { + sleep (10); + } + set_file_access($dbhome, OWNER_NAME, 0755); + sg_addlog("squidguard_rebuild_db", "Start rebuild DB.", SQUIDGUARD_INFO); +} + +# ============================================================================== +# Log +# ------------------------------------------------------------------------------ +# sg_addlog +# ------------------------------------------------------------------------------ +function sg_addlog($module, $log, $level = 0) +{ + global $squidguard_config; + + # log disabled + if ( SQUIDGUARD_GUILOG_ENABLE === false || $squidguard_config[F_ENABLEGUILOG] != 'on' ) return; + + # log level + if ($level > SQUIDGUARD_GUILOG_LEVEL) return; + + if ($module) $module = "[$module]"; + + $leveltext = ""; + switch($level) { + case SQUIDGUARD_INFO: $leveltext = ""; break; + case SQUIDGUARD_WARNING: $leveltext = "Warning"; break; + default: $leveltext = "Error"; break; + } + + $logfile = ''; + $logfile = SQUIDGUARD_LOGDIR . SQUIDGUARD_CONFLOGFILE; + $log_content = array(); + + setlocale(LC_TIME, ''); + $dt = date("d.m.Y H:i:s"); + + # define logfile + if (!empty($squidguard_config)) { + if (file_exists($squidguard_config[F_LOGDIR])) + $logfile = $squidguard_config[F_LOGDIR] . SQUIDGUARD_CONFLOGFILE; + } else + $log_content[] = "$dt : " . "[sg_addlog] Error: squidguard_config is empty"; + + $tmplog = ''; + if (file_exists($logfile)) + $tmplog = file_get_contents($logfile); + $log_content = explode("\n", $tmplog); + unset($tmplog); + + # shrink to MAXCOUNT log entries + $log_content[] = "$dt : $module $leveltext $log"; + if (count($log_content) > SQUIDGUARD_GUILOG_MAXCOUNT) + array_splice($log_content, 0, SQUIDGUARD_GUILOG_MAXCOUNT - count($log_content)); + + file_put_contents($logfile, implode("\n", $log_content)); +} +# ------------------------------------------------------------------------------ +# sg_getlog +# ------------------------------------------------------------------------------ +function sg_getlog($last_entries_count) +{ + global $squidguard_config; + $log_content = ''; + $logfile = SQUIDGUARD_LOGDIR . SQUIDGUARD_CONFLOGFILE; + + # define logfile + if (!empty($squidguard_config) && file_exists($squidguard_config[F_LOGDIR])) + $logfile = $squidguard_config[F_LOGDIR] . SQUIDGUARD_CONFLOGFILE; + + # get log last 100 entries + if (file_exists($logfile)) { + $log_content = explode("\n", file_get_contents($logfile)); + if (count($log_content) > $last_entries_count) + array_splice($log_content, 0, $last_entries_count - count($log_content)); + + # insert log file name on top + $log_content[0] = $logfile; + $log_content = implode("\n", $log_content); + } + + return $log_content; +} + +# ============================================================================== +# make config +# ============================================================================== +# sg_create_config +# ------------------------------------------------------------------------------ + +function sg_create_config() +{ + global $squidguard_config; + $sgconf = array(); + $sg_tag = new TSgTag; + $error_res = ''; + $temp_str = ''; + + if(!is_array($squidguard_config) || empty($squidguard_config)) { + sg_addlog("sg_create_config", "Bad squidGuard config data.", SQUIDGUARD_ERROR); + return sg_create_simple_config('', '', "Error! Check squidGuard configuration data." . " (sg_create_config: [1])."); + } + + # check configuration data + if (!sg_check_config_data(&$error_res)) { + sg_addlog("sg_create_config", "Bad config data. It's all error_res: $error_res", SQUIDGUARD_ERROR); + sg_addlog("sg_create_config", "Terminated.", SQUIDGUARD_ERROR); + return sg_create_simple_config('', '', "Error! Check squidGuard configuration data." . " (sg_create_config: [2])."); + } + + # --- Header --- + $sgconf[] = CONFIG_SG_HEADER; + $sgconf[] = "logdir {$squidguard_config[F_LOGDIR]}"; + $sgconf[] = "dbhome {$squidguard_config[F_DBHOME]}"; + if ( $squidguard_config[F_LDAPENABLE] == 'on' ) { + $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}"; + $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}"; + $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}"; + if ( $squidguard_config[F_STRIPNTDOMAIN] ) + $sgconf[] = "stripntdomain true"; + if ( $squidguard_config[F_STRIPREALM] ) + $sgconf[] = "striprealm true"; + } + + # --- Times --- + if ($squidguard_config[F_TIMES]) { + $temp_str = ''; + foreach($squidguard_config[F_TIMES][F_ITEM] as $tm) { + $sg_tag->clear(); + $sg_tag->set("time", $tm[F_NAME], "", $tm[F_DESCRIPTION]); + + foreach($tm[F_ITEM] as $itm) { + $dts = ($itm[F_TIMETYPE] === "weekly") ? $itm[F_TIMEDAYS] : $itm[F_DATERANGE]; + $sg_tag->items[] = "{$itm[F_TIMETYPE]} $dts {$itm[F_TIMERANGE]}"; + } + $sgconf[] = ""; + $sgconf[] = $sg_tag->tag_text(); + + # log + $temp_str .= " {$tm[F_NAME]}"; + } + # log + $temp_str = !empty($temp_str) ? $temp_str : "Nothing."; + sg_addlog("sg_create_config", "Add times: $temp_str", SQUIDGUARD_INFO); + } + + # --- Sources --- + if ($squidguard_config[F_SOURCES]) { + $temp_str = ''; + foreach($squidguard_config[F_SOURCES][F_ITEM] as $src) { + $sg_tag->clear(); + $sg_tag->set("src", $src[F_NAME], "", $src[F_DESCRIPTION]); + + # separate IP, domains, usernames + if (strpos(trim($src[F_SOURCE]), 'ldapusersearch') === false) { + $tsrc = explode(" ", trim($src[F_SOURCE])); + foreach($tsrc as $sr) { + $sr = trim($sr); + if (empty($sr)) continue; + if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr"; + elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr"; + elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr); + } + } else { + $sg_tag->items[] = trim($src[F_SOURCE]); + } + + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + if ($src[F_LOG]) $sg_tag->items[] = "log " . SQUIDGUARD_LOGFILE; + } + + $sgconf[] = ""; + $sgconf[] = $sg_tag->tag_text(); + + # log + $temp_str .= " " . $src[F_NAME]; + } + # log + $temp_str = !empty($temp_str) ? $temp_str : "Nothing."; + sg_addlog("sg_create_config", "Add sources: $temp_str", SQUIDGUARD_INFO); + } + + # --- Blacklist --- + # Note! Blacklist must be added to config permanently. It's need for rebuild DB now + + $db_entries = sg_entries_blacklist(); + if (($squidguard_config[F_BLACKLISTENABLED] === 'on') and $db_entries) { + $log_entr_added = ''; + $log_entr_ignored = ''; + sg_addlog("sg_create_config", "Add blacklist entries", SQUIDGUARD_INFO); + foreach($db_entries as $key => $ent) { + $ent_state = array(); + $file_dms = "{$squidguard_config[F_DBHOME]}/$ent/domains"; + $file_urls = "{$squidguard_config[F_DBHOME]}/$ent/urls"; + $file_expr = "{$squidguard_config[F_DBHOME]}/$ent/expressions"; + + # check blacklist acl state + if (file_exists($file_dms)) { + $ent_state['exists'] = 'on'; + $ent_state[F_DOMAINS] = 'on'; + } + if (file_exists($file_urls)) { + $ent_state['exists'] = 'on'; + $ent_state[F_URLS] = 'on'; + } + if (file_exists($file_expr)) { + $ent_state['exists'] = 'on'; + $ent_state[F_EXPRESSIONS] = 'on'; + } + + # create config if blacklist item exists + if ($ent_state['exists']) { + $sg_tag->clear(); + $sg_tag->set("dest", $ent, "", ""); + + if ($ent_state[F_DOMAINS]) $sg_tag->items[] = "domainlist $ent/domains"; + if ($ent_state[F_EXPRESSIONS]) $sg_tag->items[] = "expressionlist $ent/expressions"; + if ($ent_state[F_URLS]) $sg_tag->items[] = "urllist $ent/urls"; + + # Check if $ent contains adv or ads, and F_ADV_BLANKIMG is on then add a custom redirect + $adv_pos = strpos($ent,'_adv'); + $ads_pos = strpos($ent, '_ads'); + if ( ($ads_pos > 0 || $adv_pos > 0) && $squidguard_config[F_ADV_BLANKIMG] == 'on') + $sg_tag->items[] = "redirect " . sg_redirector_base_url($dst[F_REDIRECT], RMOD_INT_BLANKIMG); + + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + $sg_tag->items[] = "log ". SQUIDGUARD_LOGFILE; + } + + $sgconf[] = ""; + $sgconf[] = $sg_tag->tag_text(); + + # log + $log_entr_added .= " $ent;"; + } else { + $sgconf[] = "\t# Config ERROR: Destination '$ent' not found in DB"; + $log_entr_ignored .= " $ent;"; + } + } + + # log 'added' and 'ignored' + if (!empty($log_entr_added)) sg_addlog("sg_create_config", "Added: $log_entr_added .", SQUIDGUARD_INFO); + if (!empty($log_entr_ignored)) sg_addlog("sg_create_config", "Ignored: $log_entr_ignored .", SQUIDGUARD_WARNING); + } + + # --- Destinations --- + if ($squidguard_config[F_DESTINATIONS]) { + $temp_str = ''; + foreach($squidguard_config[F_DESTINATIONS][F_ITEM] as $dst) { + $dstname = $dst[F_NAME]; + $sg_tag->clear(); + $sg_tag->set("dest", $dst[F_NAME], "", $dst[F_DESCRIPTION]); + + if ($dst[F_DOMAINS]) + $sg_tag->items[] = "domainlist $dstname/domains"; + if ($dst[F_EXPRESSIONS]) + $sg_tag->items[] = "expressionlist $dstname/expressions"; + if ($dst[F_URLS]) + $sg_tag->items[] = "urllist $dstname/urls"; + if ($dst[F_RMOD] != RMOD_NONE) + $sg_tag->items[] = "redirect " . sg_redirector_base_url($dst[F_REDIRECT], $dst[F_RMOD]); + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + if ($dst[F_LOG]) + $sg_tag->items[] = "log " . SQUIDGUARD_LOGFILE; + } + + $sgconf[] = ""; + $sgconf[] = $sg_tag->tag_text(); + + # log + $temp_str .= " $dstname;"; + } + # log + $temp_str = !empty($temp_str) ? $temp_str : "Nothing."; + sg_addlog("sg_create_config", "Add destinations: $temp_str", SQUIDGUARD_INFO); + } + + # --- Rewrites --- + if ($squidguard_config[F_REWRITES]) { + $temp_str = ''; + $log_entr_added = ''; + $log_entr_err = ''; + foreach($squidguard_config[F_REWRITES][F_ITEM] as $rew) { + $sg_tag->clear(); + $sg_tag->set("rew", $rew[F_NAME], "", ""); + + if (is_array($rew[F_ITEM])) { + foreach ($rew[F_ITEM] as $rw) + $sg_tag->items[] = "s@{$rw[F_TARGETURL]}@{$rw[F_REPLACETO]}@{$rw[F_MODE]}"; + + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + if ($rew[F_LOG]) + $sg_tag->items[] = "log " . SQUIDGUARD_LOGFILE; + } + + $sgconf[] = ""; + $sgconf[] = $sg_tag->tag_text(); + # log + $log_entr_added .= " {$rew[F_NAME]};"; + } + else { + $sgconf[] = ""; + $sgconf[] = "# Rewrite {$rew[F_NAME]} error."; + # log + $log_entr_err .= " {$rew[F_NAME]};"; + } + } + + # log + if (!empty($log_entr_added)) sg_addlog("sg_create_config", "Add rewrites: $log_entr_added", SQUIDGUARD_INFO); + if (!empty($log_entr_err)) sg_addlog("sg_create_config", "Add rewrites error $log_entr_err", SQUIDGUARD_ERROR); + } + + # ---------------------------------------- + $entry_blacklist = sg_entries_blacklist(); + + # --- ACL --- + $sg_tag->clear(); + $sg_tag->set("acl", "", "", ""); + if ($squidguard_config[F_ACLS]) { + $temp_str = ''; + $log_entr_added = ''; + foreach($squidguard_config[F_ACLS][F_ITEM] as $acl) { + if (!$acl[F_DISABLED]) { + $sg_acltag = new TSgTag; + $sg_acltag->set($acl[F_NAME], "", $acl[F_TIMENAME], $acl[F_DESCRIPTION]); + + # delete blacklist entries from 'pass' if blacklist disabled + if ($squidguard_config[F_BLACKLISTENABLED] !== 'on') { + acl_remove_blacklist_items(&$acl[F_DESTINATIONNAME]); + acl_remove_blacklist_items(&$acl[F_OVERDESTINATIONNAME]); + } + + # not allowing IP in URL + if ($acl[F_NOTALLOWINGIP]) { + $acl[F_DESTINATIONNAME] = "!in-addr {$acl[F_DESTINATIONNAME]}"; + $acl[F_OVERDESTINATIONNAME] = "!in-addr {$acl[F_OVERDESTINATIONNAME]}"; + } + + # re-order acl pass (<white><!in-addr><deny><allow><all|none>) + $acl[F_DESTINATIONNAME] = sg_aclpass_reorder($acl[F_DESTINATIONNAME]); + $acl[F_OVERDESTINATIONNAME] = sg_aclpass_reorder($acl[F_OVERDESTINATIONNAME]); + + # ontime + $sg_acltag->items[] = "pass {$acl[F_DESTINATIONNAME]}"; + if ($acl[F_RMOD] != RMOD_NONE) + $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_REDIRECT], $acl[F_RMOD]); + if ($acl[F_REWRITENAME]) + $sg_acltag->items[] = "rewrite {$acl[F_REWRITENAME]}"; + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + if ($acl[F_LOG]) + $sg_acltag->items[] = "log " . SQUIDGUARD_LOGFILE; + } + + # overtime + if ($acl[F_TIMENAME]) { + $sg_acltag->items[] = "} else {"; + $sg_acltag->items[] = "pass {$acl[F_OVERDESTINATIONNAME]}"; + if ($acl[F_REDIRECMODE] !== RMOD_NONE) + $sg_acltag->items[] = "redirect " . sg_redirector_base_url($acl[F_OVERREDIRECT], $acl[F_RMOD]); + if ($acl[F_OVERREWRITENAME]) + $sg_acltag->items[] = "rewrite {$acl[F_OVERREWRITENAME]}"; + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + if ($acl[F_LOG]) + $sg_acltag->items[] = "log " . SQUIDGUARD_LOGFILE; + } + } + $sg_tag->items[] = $sg_acltag; + } + $log_entr_added .= " {$acl[F_NAME]};"; + } + # log + $log_entr_added = !empty($log_entr_added) ? $log_entr_added : "Nothing."; + sg_addlog("sg_create_config", "Add ACL's: $log_entr_added", SQUIDGUARD_INFO); + } + + # --- Default --- + $sg_tag_def = new TSgTag; + $sg_tag_def->set("default", "", "", ""); + $def = $squidguard_config[F_DEFAULT]; + sg_addlog("sg_create_config", "Add Default", SQUIDGUARD_INFO); + if ($def) { + $temp_str = ''; + + # delete blacklist entries from 'pass' if blacklist disabled + if ($squidguard_config[F_BLACKLISTENABLED] !== 'on') + acl_remove_blacklist_items(&$def[F_DESTINATIONNAME]); + + # not allowing IP in URL + if ($def[F_NOTALLOWINGIP]) + $def[F_DESTINATIONNAME] = "!in-addr " . $def[F_DESTINATIONNAME]; + + # re-order acl pass (<allow><deny<all|none>) + $def[F_DESTINATIONNAME] = sg_aclpass_reorder($def[F_DESTINATIONNAME]); + + # ! 'Default' must use without times ! + $sg_tag_def->items[] = "pass {$def[F_DESTINATIONNAME]}"; + if ($def[F_RMOD] !== RMOD_NONE) + $sg_tag_def->items[] = "redirect " . sg_redirector_base_url($def[F_REDIRECT], $def[F_RMOD]); + if ($def[F_REWRITENAME]) + $sg_tag_def->items[] = "rewrite {$def[F_REWRITENAME]}"; + if ($squidguard_config[F_ENABLELOG] == 'on' ) { + if ($def[F_LOG]) + $sg_tag_def->items[] = "log " . SQUIDGUARD_LOGFILE; + } + } # <- if def + else { + $msg = "ACL 'default' is empty, will use default 'block all'"; + $sg_tag_def->items[] = "# $msg"; + $sg_tag_def->items[] = "pass none"; + $sg_tag_def->items[] = "redirect " . sg_redirector_base_url('', RMOD_INT_ERRORPAGE); + sg_addlog("sg_create_config", "$msg.", SQUIDGUARD_ERROR); + } + + # --- ACL end --- + $sg_tag->items[] = $sg_tag_def; # add 'default' ACL object + $sgconf[] = ""; + $sgconf[] = $sg_tag->tag_text(); + + # delete "\n" chars before each string - SG bug (first string of config must be not empty) + foreach ($sgconf as $key => $val) $sgconf[$key] = ltrim($sgconf[$key], "\n"); + return implode("\n", $sgconf); +} + +# ------------------------------------------------------------------------------ +# sg_create_simple_config +# Create config for DB rebuilding +# Default rule - block all +# Variables: +# $blk_dbhome - temporary DB home dir, may be different with DBHOME +# $blk_destlist - is array as [dst_name] = 'path', +# where path - catalog without dbhome path +# For example: dbhome is '/var/db/squidGuard/', +# path can be 'usr/ads' or 'bl/poxy' +# $redirect_to - redirector string +# ------------------------------------------------------------------------------ +function sg_create_simple_config($blk_dbhome, $blk_destlist, $redirect_to = "404") +{ + global $squidguard_config; + $sgconf = array(); + $logdir = $squidguard_config[F_LOGDIR]; + $dbhome = $blk_dbhome ? $blk_dbhome : $squidguard_config[F_DBHOME]; + + sg_addlog("sg_create_simple_config", "Begin with dbhome='$dbhome'.", SQUIDGUARD_INFO); + + # header + $sgconf[] = CONFIG_SG_HEADER; + + # init section + $sgconf[] = "logdir $logdir"; + $sgconf[] = "dbhome $dbhome"; + if ( $squidguard_config[F_LDAPENABLE] == 'on' ) { + $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}"; + $sgconf[] = "ldapbindpass \"{$squidguard_config[F_LDAPBINDPASS]}\""; + $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}"; + if ( $squidguard_config[F_STRIPNTDOMAIN] ) + $sgconf[] = "stripntdomain true"; + if ( $squidguard_config[F_STRIPREALM] ) + $sgconf[] = "striprealm true"; + } + + $sgconf[] = ""; + + # destination section + if (is_array($blk_destlist)) { + foreach($blk_destlist as $dst => $dpath) { + $tmp_s = array(); + + # check item elements + if (file_exists("$dbhome/$dpath/domains")) $tmp_s[] = "\t domainlist $dpath/domains"; + if (file_exists("$dbhome/$dpath/urls")) $tmp_s[] = "\t urllist $dpath/urls"; + if (file_exists("$dbhome/$dpath/expressions")) $tmp_s[] = "\t expressionlist $dpath/expressions"; + + # create only valid items + if (!empty($tmp_s)) { + $tmp_s = implode("\n", $tmp_s); + $sgconf[] = "dest $dst {\n $tmp_s \n}\n"; + sg_addlog("sg_create_simple_config", "Added item '$dst' = '$dbhome/$dpath'.", SQUIDGUARD_INFO); + } else + sg_addlog("sg_create_simple_config", "Ignored empty item '$dst' = '$dbhome/$dpath'.", SQUIDGUARD_WARNING); + } + } + + # acl section + $sgconf[] = "acl {\n\t default {\n\t\t pass all "; + $sgconf[] = "\t\t redirect " . sg_redirector_base_url($redirect_to, RMOD_INT_ERRORPAGE); # use sgerror only! + $sgconf[] = "\t } \n}"; + + # delete "\n" chars before each string - SG bug (first string of config must be not empty) + foreach ($sgconf as $key => $val) $sgconf[$key] = ltrim($sgconf[$key], "\n"); + + return implode("\n", $sgconf); +} + +# ------------------------------------------------------------------------------------------------- +# sg_redirector_base_url +# $url - url where redirect to +# $use_internal - ignore 'Redirect mode' option, use internal (for rebuild config, for example) +# +# ------------------------------------------------------------------------------------------------- +function sg_redirector_base_url($rdr_info, $redirect_mode) +{ + global $squidguard_config; + $rdr_path = ''; + + # gui port, ip & proto + $guiip = (!empty($squidguard_config[F_CURRENT_LAN_IP])) ? $squidguard_config[F_CURRENT_LAN_IP] : '127.0.0.1'; + $guiport = (!empty($squidguard_config[F_CURRENT_GUI_PORT])) ? $squidguard_config[F_CURRENT_GUI_PORT] : '80'; + $rdr_path = "http://$guiip:$guiport" . REDIRECT_BASE_URL; + + # check redirect + $errmsg = ''; + if (!sg_check_redirect($redirect_mode, $rdr_info, &$errmsg)) { + $redirect_mode = RMOD_INT_ERRORPAGE; + $rdr_info = "Bad redirect settings. $errmsg Check you configuration."; + sg_addlog("sg_redirector_base_url", "$errmsg", SQUIDGUARD_ERROR); + } + + switch($redirect_mode) { + case RMOD_EXT_ERR: $rdr_path = "$rdr_info" . REDIRECT_URL_ARGS; break; + case RMOD_EXT_RDR: $rdr_path = "$rdr_info"; break; + case RMOD_EXT_MOVED: $rdr_path = "301:$rdr_info"; break; + case RMOD_EXT_FOUND: $rdr_path = "302:$rdr_info"; break; + case RMOD_INT_BLANKPAGE: $rdr_path .= "?url=blank&msg=" . rawurlencode($rdr_info) . REDIRECT_URL_ARGS; break; + case RMOD_INT_BLANKIMG: $rdr_path .= "?url=blank_img&msg=" . rawurlencode($rdr_info) . REDIRECT_URL_ARGS; break; + case RMOD_INT_SIZELIMIT: $rdr_path .= "?url=maxlen_$rdr_info" . REDIRECT_URL_ARGS; break; + case RMOD_INT_ERRORPAGE: + default: $rdr_path .= "?url=" . rawurlencode("403 $rdr_info") . REDIRECT_URL_ARGS; break; + } + + sg_addlog("sg_redirector_base_url", "Select redirector base url ($rdr_path)", SQUIDGUARD_INFO); + return $rdr_path; +} + +# ------------------------------------------------------------------------------------------------- +# sg_aclpass_reorder +# ------------------------------------------------------------------------------------------------- +function sg_aclpass_reorder($pass) +{ + $ar_pass = explode(" ", $pass); + + # 'pass' order: <white> <!in_addr> <deny> <allow> <all|none> + if (is_array($ar_pass)) { + $pass_end = ''; + $pass_fst = array(); # whitelist - '^' prefix (will deleted) + $pass_sec = array(); # blacklist - '!' prefix + $pass_lst = array(); # allow + foreach ($ar_pass as $val) { + $tk = trim($val); + if ($tk === 'all' or $tk === 'none') + $pass_end = $val; + elseif (strpos($tk, "^") !== false) + # delete '^' prefix + $pass_fst[] = str_replace('^', '', $val); + elseif (strpos($tk, "!") !== false) + $pass_sec[] = $val; + else + $pass_lst[] = $val; + } + $ar_pass = array_merge($pass_fst, $pass_sec, $pass_lst); + $ar_pass[] = $pass_end; + } + return implode(" ", $ar_pass); +} + +# ------------------------------------------------------------ +# sg_check_config_data +# ------------------------------------------------------------ +function sg_check_config_data ($input_errors) +{ + global $squidguard_config; + $elog = array(); + $times = sg_list_itemsfield($squidguard_config[F_TIMES], F_NAME); + $sources = sg_list_itemsfield($squidguard_config[F_SOURCES], F_NAME); + $destinations = sg_list_itemsfield($squidguard_config[F_DESTINATIONS], F_NAME); + $rewrites = sg_list_itemsfield($squidguard_config[F_REWRITES], F_NAME); + $acls = array(); + + # --- Times --- + if ($squidguard_config[F_TIMES]) { + $key_tm = array_count_values($times); + foreach($squidguard_config[F_TIMES][F_ITEM] as $tm) { + # check name as unique and name format + $tm_name = $tm[F_NAME]; + $err_s = ''; + if (!check_name_format($tm_name, &$err_s)) + $elog[] = "(T1) TIME '$tm_name' error: >>> $err_s"; + + if ($key_tm[$tm_name] > 1) + $elog[] = "(T2) TIME '$tm_name' error: duplicate time name '$tm_name'"; + + # check time items format + sg_check_time($tm, &$elog); + } + } + + # --- Sources --- + if ($squidguard_config[F_SOURCES]) { + $key_src = array_count_values($sources); + foreach($squidguard_config[F_SOURCES][F_ITEM] as $src) { + # check name as unique and name format + $src_name = $src[F_NAME]; + $err_s = ''; + if (!check_name_format($src_name, &$err_s)) + $elog[] = "(A1) ACL '$src_name'error: $err_s"; + + if ($key_src[$src_name] > 1) + $elog[] = "(A2) ACL '$src_name' error: duplicate source name '$src_name'"; + + sg_check_src($src, $elog); + } + } + + # --- Destinations --- + if ($squidguard_config[F_DESTINATIONS]) { + $key_dst = array_count_values($destinations); + foreach($squidguard_config[F_DESTINATIONS][F_ITEM] as $dst) { + # check name as unique and name format + $dst_name = $dst[F_NAME]; + $err_s = ''; + if (!check_name_format($dst_name, &$err_s)) + $elog[] = "(D1) DEST '$dst_name' error: $err_s"; + + if ($key_dst[$dst_name] > 1) + $elog[] = "(D2) DEST '$dst_name' error: duplicate destination name '$dst_name'"; + # + sg_check_dest($dst, &$elog); + } + } + + # --- Blacklist --- + if ($squidguard_config[F_BLACKLISTENABLED]) { + $blk_entries_file = SQUIDGUARD_BLK_FILELISTPATH; + if (file_exists($blk_entries_file)) { + $blk_entr = explode("\n", file_get_contents($blk_entries_file)); + foreach($blk_entr as $entr) { + if ($entr) { + $destinations[] = $entr; + # check entry for exists + $dbfile = $squidguard_config[F_DBHOME] . "/$entr"; + if (!file_exists($dbfile)) + $elog[] = "(B1) BLACKLIST '$entr' error: file '$dbfile' not found"; + } + } + } + } + + # --- Rewrites --- + if ($squidguard_config[F_REWRITES]) { + $key_rw = array_count_values($rewrites); + foreach($squidguard_config[F_REWRITES][F_ITEM] as $rw) { + # check check name as unique and name format + $rw_name = $rw[F_NAME]; + $err_s = ''; + if (!check_name_format($rw_name, &$err_s)) + $elog[] = "(R1) REWRITE '$rw_name' error: $err_s"; + + if ($key_rw[$rw_name] > 1) + $elog[] = "(R2) REWRITE '$rw_name' error: duplicate rewrite name '$rw_name'"; + } + } + + $key_times = array_count_values($times); + $key_sources = array_count_values($sources); + $key_destinations = array_count_values($destinations); + $key_rewrites = array_count_values($rewrites); + + # --- ACLs --- + if ($squidguard_config[F_ACLS]) { + $acls = array(); + foreach($squidguard_config[F_ACLS][F_ITEM] as $acl) { + # skip disabled acl + if ($acls[F_DISABLED]) continue; + + $acl_name = $acl[F_NAME]; + + # check acl name for unique and exists (as source items) + if ($acl_name and !$key_sources[$acl_name]) + $elog[] = "(A1) ACL '$acl_name' error: acl name '$acl_name' not found"; + + $acls[] = $acl_name; + $key_acls = array_count_values($acls); + if ($key_acls[$acl_name] > 1) + $elog[] = "(A2) ACL '$acl_name' error: duplicate acl name '$acl_name'"; + + # check time + $time = $acl[F_TIMENAME]; + if ($time and !$key_times[$time]) # time name must exists + $elog[] = "(A3) ACL '$acl_name' error: time name '$time' not found"; + + # check destinations + if ($acl[F_DESTINATIONNAME]) { + $acldest = $acl[F_DESTINATIONNAME]; + $acldest = str_replace("!", "", $acldest); + $acldest = str_replace("^", "", $acldest); + $acldest = explode(" ", $acldest); + $key_acldest = array_count_values($acldest); + foreach($acldest as $adest) { + # check duplicates destinations in acl + if ($key_acldest[$adest] > 1) + $elog[] = "(A4) ACL '$acl_name' error: duplicate destination name '$adest'. Any destination must included once."; + # check destinations for exists + if ($adest and ($adest != 'all') and ($adest != 'none') and !$key_destinations[$adest]) + $elog[] = "(A5) ACL '$acl_name' error: destination name '$adest' not found"; + } + } else { + $elog[] = "(A6) ACL '$acl_name' error: ontime pass list is empty. Added 'none'."; + $acl[F_DESTINATIONNAME] = "none"; + } + + # check overtime destinations + if ($time) { + if ($acl[F_OVERDESTINATIONNAME]) { + $acloverdest = $acl[F_OVERDESTINATIONNAME]; + $acloverdest = str_replace("!", "", $acloverdest); + $acloverdest = str_replace("^", "", $acloverdest); + $acloverdest = explode(" ", $acloverdest); + $key_acloverdest = array_count_values($acloverdest); + foreach($acloverdest as $adest) { + # check duplicates destinations in acl + if ($key_acloverdest[$adest] > 1) + $elog[] = "(A7) ACL '$acl_name' error: duplicate overtime destination name '$adest'. Any destination must included once."; + # check destinations for exists + if ($adest and ($adest != 'all') and ($adest != 'none') and !$key_destinations[$adest]) + $elog[] = "(A8) ACL '$acl_name' error: overtime destination name '$adest' not found"; + } + } else { + $elog[] = "(A9) ACL '$acl_name' error: overtime pass list is empty. Added 'none'."; + $acl[F_OVERDESTINATIONNAME] = "none"; + } + } + + # check rewrite + $rew = $acl[F_REWRITENAME]; + if ($rew and !$key_rewrites[$rew]) + $elog[] = "(AA) ACL '$acl_name' error: rewrite name '$rew' not found"; + + # check overtime rewrite + $overrew = $acl[F_OVERREWRITENAME]; + if ($time and $overrew and !$key_rewrites[$overrew]) + $elog[] = "(AB) ACL '$acl_name' error: overtime rewrite name '$overrew' not found"; + + # check redirect + $redir = $acl[F_REDIRECT]; + $overredir = $acl[F_OVERREDIRECT]; + } + } + + # --- Default --- + if ($squidguard_config[F_ACLS]) { + $def = $squidguard_config[F_DEFAULT]; + + # check time + $time = $def[F_TIMENAME]; + if ($time and !$key_times[$time]) # time name must exists + $elog[] = "(DF1) ACL 'default' error: time name '$time' not found"; + + # check destinations + if ($def[F_DESTINATIONNAME]) { + $defdest = $def[F_DESTINATIONNAME]; + $defdest = str_replace("!", "", $defdest); + $defdest = str_replace("^", "", $defdest); + $defdest = explode(" ", $defdest); + $key_defdest = array_count_values($defdest); + foreach($defdest as $adest) { + # check duplicates destinations in acl + if ($key_defdest[$adest] > 1) + $elog[] = "(DF2) ACL 'default' error: duplicate destination name '$adest'. Any destination must included once."; + # check destinations for exists + if ($adest and ($adest != 'all') and ($adest != 'none') and !$key_destinations[$adest]) + $elog[] = "(DF3) ACL 'default' error: destination name '$adest' not found"; + } + } else { + $elog[] = "(DF4) ACL 'default' error: ontime pass list is empty. Added 'none'."; + $def[F_DESTINATIONNAME] = "none"; + } + + # check rewrite + $rew = $def[F_REWRITENAME]; + if ($rew and !$key_rewrites[$rew]) + $elog[] = "(DF5) ACL 'default' error: rewrite name '$rew' not found"; + + # check overtime rewrite + $overrew = $def[F_OVERREWRITENAME]; + if ($time and $overrew and !$key_rewrites[$overrew]) + $elog[] = "(DF6) ACL 'default' error: overtime rewrite name '$overrew' not found"; + + # check redirect + $redir = $def[F_REDIRECT]; + $overredir = $def[F_OVERREDIRECT]; + } + + # update log + if (!empty($elog)) { + $input_errors = (is_array($input_errors)) ? array_merge($input_errors, $elog) : implode("\n", $elog); + } + + return empty($elog); +} + +# ========================== UTILS ============================================= + +# ------------------------------------------------------------------------------ + + +# ============================================================================== +# self utils +# ============================================================================== +# Set file access +# ------------------------------------------------------------------------------ +function set_file_access($dir, $owner, $mod) +{ + $mod = sprintf("%o", $mod); + if (!file_exists($dir)) return; + # recursive change access + mwexec("chown -R -v $owner $dir"); + mwexec("chgrp -R -v $owner $dir"); + mwexec("chmod -R -v $mod $dir"); +} +# ------------------------------------------------------------------------------ +# scan_dir - build files listing for $dir +# ------------------------------------------------------------------------------ +function scan_dir($dir) +{ + $files = array(); + if (file_exists($dir)) { + $dh = opendir($dir); + while (false !== ($filename = readdir($dh))) { + # skip '.' and '..' names + if (($filename !== '.') and ($filename !== '..')) $files[] = $filename; + } + sort($files); + } + return $files; +} + +# ****************************************************************************** +# squidguard utils +# ****************************************************************************** +# sg_list_itemsfield - get items field list +# ------------------------------------------------------------------------------ +function sg_list_itemsfield($xml_items, $fld_name) +{ + $ls = array(); + if (is_array($xml_items[F_ITEM])) + foreach($xml_items[F_ITEM] as $it) { + $ls[] = $it[$fld_name]; + } + return $ls; +} + +# ------------------------------------------------------------------------------ +# is_url - check url an err_codes +# ------------------------------------------------------------------------------ +if(!function_exists("is_url")) { + function is_url($url) + { + if (empty($url)) return false; + if (preg_match("/^(http|https):\/\//i", $url)) return true; + if (strstr("blank", $url)) return true; + if (strstr("blank_img", $url)) return true; + if (preg_match("/^((30[1235]{1})|(40[0-9]{1})|(41[0-7]{1})|(50[0-5]{1}))/i", $url)) return true; # http error code 30x, 4xx, 50x. + return false; + } +} + +# url as 'domain/path': 'mydomain.com/index.php' +function is_dest_url($url) +{ + $fmt = "[a-zA-Z0-9_-]"; + + if (empty($url)) return false; + if (preg_match("/^(($fmt){1,}\.){1,}($fmt){2,}(\/(.[^\*][^ ])*)/i", $url)) return true; + return false; +} +# ------------------------------------------------------------------------------ +# is_masksubnet - check ip/mask +# ------------------------------------------------------------------------------ +function is_masksubnet($subnet) +{ + if (!is_string($subnet)) + return false; + + list($ip,$msk) = explode('/', $subnet); + if (!is_ipaddr($ip) || !is_ipaddr($msk)) + return false; + + return true; +} +# ------------------------------------------------------------------------------ +# is_iprange - check ip1-ip2 +# ------------------------------------------------------------------------------ +function is_iprange_sg($ip_range) { + if (!is_string($ip_range)) return false; + + list($ip1,$ip2) = explode('-', $ip_range); + if (!is_ipaddr($ip1) || !is_ipaddr($ip2)) return false; + + # ip2 < ip1 - wrong + if (ipcmp(ip2, ip1) === -1) return false; + + return true; +} +# ------------------------------------------------------------------------------ +# is_ipaddr_valid - validate IP, subnet, IP range +# ------------------------------------------------------------------------------ +function is_ipaddr_valid($val) +{ + return is_string($val) && (is_ipaddr($val) || is_masksubnet($val) || is_subnet($val) || is_iprange_sg($val)); +} + +# ------------------------------------------------------------------------------ +# is_domain_valid - check domain format +# ------------------------------------------------------------------------------ +function is_domain_valid($domain) +{ + $dm_fmt = "([a-z0-9\-]{1,})"; + $dm_fmt = "/^(($dm_fmt{1,}\.){1,}$dm_fmt{2,})+$/i"; # example: (my.)(super.)(domain.)com + return is_string($domain) && preg_match($dm_fmt, trim($domain)); +} + +# ------------------------------------------------------------------------------ +# is_username - check username +# ------------------------------------------------------------------------------ +function is_username($username) +{ + $unm_fmt = "/^\'[a-zA-Z_0-9\.\-]{1,}\'$/i"; + return is_string($username) && preg_match($unm_fmt, trim($username)); +} +# ------------------------------------------------------------------------------ +# check name +# ------------------------------------------------------------------------------ +function check_name_format ($name, $input_errors) +{ + $elog = array(); + $val = trim($name); + + if ((strlen($val) < 2) || (strlen($val) > 16)) + $elog[] = " Size of name '$val' must be between [2..16]."; + + # All symbols must be [a-zA-Z_0-9\-] First symbol = letter. + if (!preg_match("/^([a-zA-Z]{1})([a-zA-Z_0-9\-]+)$/i", $val)) + $elog[] = " Invalid name $name. Valid name symbols: ['a-Z', '_', '0-9', '-']. First symbol must be a letter."; + + # update log + if (!empty($elog)) { + $input_errors = (is_array($input_errors)) ? array_merge($input_errors, $elog) : implode("\n", $elog); + } + + return empty($elog); +} +# ****************************************************************************** +# squidguard check +# ****************************************************************************** +# check redirect +# ------------------------------------------------------------------------------ +function sg_check_redirect($rdr_mode, $rdr_info, $err_msg) +{ + $res = true; + switch($rdr_mode) { + case RMOD_EXT_ERR: case RMOD_EXT_RDR: case RMOD_EXT_MOVED: case RMOD_EXT_FOUND: + $res = is_url($rdr_info); + if (!$res) $err_msg = "Valid URL expected, but '$rdr_info' found."; + break; + case RMOD_INT_SIZELIMIT: + $res = is_numeric($rdr_path); + if (!$res) $err_msg = "Valid number value expected, but '$rdr_info' found."; + break; + case RMOD_INT_BLANKPAGE: case RMOD_INT_BLANKIMG: case RMOD_INT_ERRORPAGE: + default: + $res = true; break; + } + return $res; +} + +# ------------------------------------------------------------------------------ +# sg_check_time +# ------------------------------------------------------------------------------ +function sg_check_time($sgtime, $input_errors) +{ + $err = ''; + $days = array("*", "mon", "tue", "wed", "thu", "fri", "sat", "sun"); + $timetypes = array("weekly", "date"); + + if (is_array($sgtime[F_ITEM])) { + # check date and time + foreach ($sgtime[F_ITEM] as $item) { + if (!in_array(trim($item[F_TIMETYPE]), $timetypes)) + $err .= " Invalid type '{$item[F_TIMETYPE]}'."; + if (!in_array(trim($item[F_TIMEDAYS]), $days)) + $err .= " Invalid week day '{$item[F_TIMEDAYS]}'."; + if (trim($item[F_DATERANGE])) $err .= check_date(trim($item[F_DATERANGE])); + if (trim($item[F_TIMERANGE])) $err .= check_time(trim($item[F_TIMERANGE])); + } + } + + # errors update + if (!empty($err)) $input_errors[] = "TIME '{$sgtime[F_NAME]}': $err"; + return empty($err); +} + +# ------------------------------------------------------------------------------ +# sg_check_dest +# ------------------------------------------------------------------------------ +function sg_check_dest($sgx, $input_errors) +{ + $elog = array(); + $dm = explode(" ", $sgx[F_DOMAINS]); +# $ex = explode(" ", $sgx[F_EXPRESSIONS]); + $ur = explode(" ", $sgx[F_URLS]); + array_packitems(&$dm); + array_packitems(&$ur); + + # domain or ip + foreach ($dm as $d_it) { + if ($d_it && !is_domain_valid($d_it) && !is_ipaddr($d_it)) $elog[] = "Item '$d_it' is not a domain."; + } + + # url + foreach ($ur as $u_it) + if ($u_it && !is_dest_url($u_it)) $elog[] = "Item '$u_it' is not a url."; + + # check redirect + sg_check_redirect($sgx[F_RMOD], $sgx[F_REDIRECT], &$elog); + + # update log + if (!empty($elog)) { + $elog = "DEST '{$sgx[F_NAME]}': " . implode(" ", $elog); + if (is_array($input_errors)) + $input_errors[] = $elog; + else $input_errors = $elog; + } + return empty($elog); +} + +# ------------------------------------------------------------------------------ +# sg_check_src +# ------------------------------------------------------------------------------ +function sg_check_src($sgx, $input_errors) +{ + $elog = array(); + + # source may be as one ('source') field or as two ('ip' and 'domain') fields + $src = (isset($sgx[F_SOURCE])) ? $sgx[F_SOURCE] : $sgx[F_IP] . " " . $sgx[F_DOMAINS]; + if (strpos($sgx[F_SOURCE], 'ldapusersearch') === false) { + $src = explode(" ", $src); + foreach ($src as $s_item) { + if ($s_item) { + if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item) and (strpos($s_item, 'ldapusersearch') !== false)) + $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'."; + } + } + } + + # update log + if (!empty($elog)) { + $input_errors = (is_array($input_errors)) ? array_merge($input_errors, $elog) : implode("\n", $elog); + } + + return empty($elog); +} + +# ------------------------------------------------------------------------------ +# check rebuild blacklist +# ------------------------------------------------------------------------------ +function is_blacklist_update_started() +{ + return exec("ps auxw | grep \"[s]quidGuard_blk_rebuild\" | awk '{print $2}' | wc -l | awk '{ print $1 }'"); +} + +# ------------------------------------------------------------------------------ +# Strings +# ------------------------------------------------------------------------------ +# str_pack_spaces - replace two and more space to single +# ------------------------------------------------------------------------------ +function str_packspaces($str) +{ + while(strpos($str, ' ')) $str = str_replace(' ', ' ', $str); +} + +function array_packitems($arval) +{ + if (is_array($arval)) { + $arval = array_map("trim", $arval); # trim all items + $arval = array_diff($arval, array(' ', '')); # exclude ' ' abd '' elements + $arval = array_unique($arval); # unique items + $arval = array_values($arval); # pack array + } + return $arval; +} + +# ----------------------------------------------------------------------------- +# check date +# date or date range format: 'yyyy-mm-dd', 'yyyy-m-d', 'yyyy.mm.dd' 'yyyy.mm.dd-yyyy.mm.dd' +# date mask format: '*-mm-dd', 'yyyy-*-dd', 'yyyy.mm.*' (but not for range) +# ----------------------------------------------------------------------------- +function check_date($date) +{ + $err = ''; + $val = trim($date); + $dtfmt = "/^([0-9]{4})\.([0-9]{2})\.([0-9]{2})/i"; + + # check date range + if (preg_match("{$dtfmt}-{$dtfmt}$", $val)) { + $val = explode("-", str_replace(".", '', $val)); + if (intval($val[0]) >= intval($val[1])) + $err .= "Invalid date range, begin range must be less than the end. {$val[0]} - {$val[1]}"; + } + elseif (!preg_match("/^(([0-9]{4})|[*])\.(([0-9]{2})|[*])\.(([0-9]{2})|[*])$/i", $val)) { + $err .= "Bad date format."; + } + + if ($err) + $err = " Invalid date '$date'. + $err + You mast use date or date range format: 'yyyy.mm.dd' and 'yyyy.mm.dd-yyyy.mm.dd'. + Also possible use mask * (mean any). Example: '*-10-01', '1990-*-*'."; + return $err; +} + +# ----------------------------------------------------------------------------- +# check time +# ----------------------------------------------------------------------------- +function check_time($time) +{ + $err = ''; + $time = trim($time); + + if (empty($time)) return ''; + + # time range format: 'HH:MM-HH:MM' + if (!preg_match("/^([0-2][0-9])\:([0-5][0-9])-([0-2][0-9])\:([0-5][0-9])$/i", $time)) + $err = "Invalid time range '$time'. You must use 'HH:MM-HH:MM' time range format. "; + else { + $tms = str_replace("-", "\n", $time); + $tmsview = explode("\n", $tms); + $tms = str_replace(":", "", $tms); + $tms = explode("\n", $tms); + if ($tms[0] >= 2400) + $err .= "Invalid time range var1='{$tmsview[0]}' must be < '24:00'. "; + if ($tms[1] > 2400) + $err .= "Invalid time range var2='{$tmsview[1]}' must be <= '24:00'. "; + if ($tms[0] >= $tms[1]) + $err .= "Invalid time range var1='{$tmsview[0]}' must be < var2='{$tmsview[1]}'. "; + } + + return $err; +} + +# ----------------------------------------------------------------------------- +# acl_remove_blacklist_items +# ----------------------------------------------------------------------------- +function acl_remove_blacklist_items($items) +{ + # add !items and ^items + $db_entries = sg_entries_blacklist(); + if (!is_array($db_entries)) + return; + $tdb_entries = array(); + foreach ($db_entries as $ent) { + $tdb_entries[] = $ent; + $tdb_entries[] = "!$ent"; + $tdb_entries[] = "^$ent"; + } + $db_entries = $tdb_entries; + unset($tdb_entries); + + # delete blacklist entries from 'pass' if blacklist disabled + $items = explode(" ", $items); + $items = implode(" ", array_diff($items, $db_entries)); + return $items; +} + +# ----------------------------------------------------------------------------- +# sg_script_logrotate +# truncate SG logfile to $lines +# ----------------------------------------------------------------------------- +function sg_script_logrotate() +{ + + global $squidguard_config; + + $sglogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_LOGFILE; + $sgguilogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_GUILOGFILE; + $sgconflogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_CONFLOGFILE; + $res = +<<<EOD +#!/bin/sh +# +# This file generated automaticly with SquidGuard configurator +# Rotates the block logfile +tail -{$lines} {$sglogname} > {$sglogname}.0 +tail -{$lines} {$sglogname}.0 > {$sglogname} +rm -f {$sglogname}.0 +# Rotates the squidguard GUI logile +tail -{$lines} {$sgguilogname} > {$sgguilogname}.0 +tail -{$lines} {$sgguilogname}.0 > {$sgguilogname} +rm -f {$sgguilogname}.0 +# Rotates the squidguard conf logile +tail -{$lines} {$sgconflogname} > {$sgconflogname}.0 +tail -{$lines} {$sgconflogname}.0 > {$sgconflogname} +rm -f {$sgconflogname}.0 +EOD; + return $res; +} + +# ------------------------------------------------------------------------------ +# squidguard_setup_cron +# ------------------------------------------------------------------------------ +function squidguard_cron_install() +{ + global $squidguard_config; + + $on_off = $squidguard_config[F_LOGROTATION] == 'on'; + + $opt = ""; + if ($on_off) { + $opt = array("0", "0", "*", "*", "*", "root", "/usr/bin/nice -n20 " . SQUIDGUARD_SCR_LOGROTATE); + } + squidguard_setup_cron("squidGuard_logrotate", $opt, $on_off); +} + +# ------------------------------------------------------------------------------ +# squidguard_setup_cron +# ------------------------------------------------------------------------------ +# $options: [0]='minute', [1]='hour', [2]='mday', [3]='month', [4]='wday', [5]='who', [6]='command' +# ------------------------------------------------------------------------------ +function squidguard_setup_cron($task_key, $options, $on_off) +{ + global $config; + $cron_item = array(); + + # $on_off = TRUE/FALSE - install/deinstall cron task: + # prepare new cron item + if (is_array($options)) { + $cron_item['minute'] = $options[0]; + $cron_item['hour'] = $options[1]; + $cron_item['mday'] = $options[2]; + $cron_item['month'] = $options[3]; + $cron_item['wday'] = $options[4]; + $cron_item['who'] = ($options[5]) ? $options[5] : 'nobody'; + $cron_item['command'] = $options[6]; + } + + # unset old cron task with $task_key + if (!empty($task_key)) { + $flag_cron_upd = false; + # delete old cron task if exists + if (is_array($config['cron']['item'])) { + foreach($config['cron']['item'] as $key => $val) { + if (strpos($config['cron']['item'][$key]['command'], $task_key) !== false) { + unset($config['cron']['item'][$key]); + $flag_cron_upd = true; + break; + } + } + } + + # set new cron task + if (($on_off === true) and !empty($cron_item)) { + $config['cron']['item'][] = $cron_item; + $flag_cron_upd = true; + } + + # write config and configure cron only if cron task modified + if ($flag_cron_upd === true) { + write_config("Installed cron task '$task_key' for 'squidGuard' package"); + configure_cron(); + } + } + else { + # ! error $name ! + return; + } +} + +# ***************************************************************************** +# RAMDisk +# Temp ramdisk for quickly DB update +# ***************************************************************************** +function squidguard_ramdisk($enable) +{ + $ramsize = 300; + + # delete old squidguard ramdisk + if (file_exists("/dev/md15")) { + mwexec("umount -f " . SQUIDGUARD_TMP); + mwexec("sleep 1"); + mwexec("mdconfig -d -u 15"); + } + + if ($enable === true) { + # create temp ramdisk + # size 300Mb very nice for work with Archive < 30Mb + # this is size use physical RAM + Swap file + mwexec("/sbin/mdmfs -s {$ramsize}M md15 " . SQUIDGUARD_TMP); + mwexec("chmod 1777 " . SQUIDGUARD_TMP); + } +} + +# ****************************************************************************** +# Blacklist +# ****************************************************************************** + +# ------------------------------------------------------------------------------ +# squidguard_update_stat +# ------------------------------------------------------------------------------ +function squidguard_update_log($msg, $new="") +{ + $to = $new ? ">" : ">>"; # create new or save to exists file + mwexec("echo $msg $to " . SG_UPDATE_STATFILE); +} + +# ----------------------------------------------------------------------------- +# squidguard_blacklist_update_start() +# ----------------------------------------------------------------------------- +function squidguard_blacklist_update_start($url_filename) +{ + # 1. if started - calncel + if (squidguard_blacklist_update_IsStarted()) squidguard_blacklist_update_cancel(); + + # 2. delete old script + if (file_exists(SCR_NAME_BLKUPDATE)) unlink(SCR_NAME_BLKUPDATE); + + # 3. create new php script & set permissions + file_put_contents(SCR_NAME_BLKUPDATE, squidguard_script_blacklistupdate($url_filename, "")); + set_file_access (SCR_NAME_BLKUPDATE, OWNER_NAME, 0755); + + # 4. start script background + mwexec_bg(SCR_NAME_BLKUPDATE); +} + +# ----------------------------------------------------------------------------- +# squidguard_blacklist_update_cancel +# ----------------------------------------------------------------------------- +function squidguard_blacklist_update_cancel() +{ + # kill script and SG update process + mwexec("kill `ps auxwwww | grep '" . SCR_NAME_BLKUPDATE . "' | grep -v 'grep' | awk '{print $2}'`"); + mwexec("kill `ps auxwwww | grep 'squidGuard -c .* -C all' | grep -v 'grep' | awk '{print $2}'`"); + squidguard_ramdisk(false); + + squidguard_update_log("Blacklist update terminated by user.", ""); +} + +# ----------------------------------------------------------------------------- +# squidguard_blacklist_update_clearlog +# ----------------------------------------------------------------------------- +function squidguard_blacklist_update_clearlog() +{ + # zero file + file_put_contents(SG_UPDATE_STATFILE, ""); +} + +# ----------------------------------------------------------------------------- +# squidguard_blacklist_update_IsStarted() +# ----------------------------------------------------------------------------- +function squidguard_blacklist_update_IsStarted() +{ + return exec("ps auxwwww | grep '" . SCR_NAME_BLKUPDATE . "' | grep -v 'grep' | awk '{print $2}' | wc -l | awk '{ print $1 }'"); +} + +# ----------------------------------------------------------------------------- +# sg_reconfigure_blacklist($source_filename, $opt) +# $source_filename - file name or url +# $opt - option: +# '' or 'local' - update from local file +# 'url' - update from url +# ----------------------------------------------------------------------------- +function sg_reconfigure_blacklist($source_filename, $opt = '') +{ + global $squidguard_config; + $sf = trim($source_filename); + $sf_contents = ''; + + sg_addlog("sg_reconfigure_blacklist", "Begin blacklist update.", SQUIDGUARD_INFO); + squidguard_update_log("Begin blacklist update", "New"); + + # 1. check system + sg_check_system(); + + # 2. download + if ($sf[0] === "/") { # local file - example '/tmp/blacklists.tar' + sg_addlog("sg_reconfigure_blacklist", "Update from file '$sf'.", SQUIDGUARD_INFO); + squidguard_update_log("Copy archive from file '$sf'"); + if (file_exists($sf)) { + $sf_contents = file_get_contents($sf); + } else { + sg_addlog("sg_reconfigure_blacklist", "File '$sf' not found.", SQUIDGUARD_ERROR); + squidguard_update_log("File '$sf' not found."); + return; + } + } + # from url + else { + sg_addlog("sg_reconfigure_blacklist", "Download from url '$sf'.", SQUIDGUARD_INFO); + squidguard_update_log("Start download."); + $sf_contents = sg_uploadfile_from_url($sf, $opt); + } + + # 3. update + if (empty($sf_contents)) { + sg_addlog("sg_reconfigure_blacklist", "Bad content from '$sf'. Terminate.", SQUIDGUARD_ERROR); + squidguard_update_log("Bad content from '$sf'. Terminate."); + return; + } + + # save black list archive content to local file + file_put_contents(SG_UPDATE_TARFILE, $sf_contents); + + # update blacklist + sg_update_blacklist(SG_UPDATE_TARFILE); +} + +# ------------------------------------------------------------------------------ +# sg_update_blacklist - update blacklist from file +# How it's work: +# - unpack tar archive to temp dir +# - copy subdir's tree to one-level TempDB +# - rebuild TempDB +# - create Blacklist files listing and copy to values dir and TempDB dir +# - background rebuild temp DB via sh script (longer proccess) and copy to work DB +# ------------------------------------------------------------------------------ + +function sg_update_blacklist($from_file) +{ + global $squidguard_config; + $dbhome = SQUIDGUARD_DBHOME; + $workdir = SQUIDGUARD_WORKDIR; + $tmp_unpack_dir = SQUIDGUARD_TMP . SQUIDGUARD_BL_UNPACK; + $arc_db_dir = SQUIDGUARD_TMP . SG_BLK_ARC; + $conf_path = SQUIDGUARD_VAR . DB_REBUILD_BLK_CONF; + $blklist_file = SQUIDGUARD_BLK_FILELISTPATH; + + sg_addlog("sg_update_blacklist", "Begin with '$from_file'.", SQUIDGUARD_INFO); + + if (file_exists($from_file)) { + # check work and DB dir's + if (file_exists($squidguard_config[F_DBHOME])) $dbhome = $squidguard_config[F_DBHOME]; + if (file_exists($squidguard_config[F_WORKDIR])) $workdir = $squidguard_config[F_WORKDIR]; + + # delete old tmp dir's + if (file_exists($tmp_unpack_dir)) mwexec("rm -R $tmp_unpack_dir"); + if (file_exists($arc_db_dir)) mwexec("rm -R $arc_db_dir"); + squidguard_ramdisk(false); + + # create new tmp/arc dir's, use ramdisk for quick operations + squidguard_ramdisk(true); + mwexec("mkdir -p -m 0755 $tmp_unpack_dir"); + mwexec("mkdir -p -m 0755 $arc_db_dir"); + + # 1. unpack archive + squidguard_update_log("Unpack archive"); + mwexec("tar zxvf $from_file -C $tmp_unpack_dir"); + set_file_access($tmp_unpack_dir, OWNER_NAME, 0755); + sg_addlog("sg_update_blacklist", "Unpack uploaded file '$from_file' -> '$tmp_unpack_dir'.", SQUIDGUARD_INFO); + + # 2. copy blacklist to TempDB base & create entries list + squidguard_update_log("Scan blacklist categories."); + if (file_exists($tmp_unpack_dir)) { + $blk_items = array(); + $blk_list = array(); + + # scan blacklist items + scan_blacklist_cat($tmp_unpack_dir, "blk", & $blk_items); + + # move blacklist catalog structure to 'one level' (from tmp_DB to arch_DB) + foreach ($blk_items as $key => $val) { + $current_dbpath = "$arc_db_dir/$key"; + if (count($val)) { + # make blk_list for config file + $blk_list[$key] = $key; + + # delete '$current_dbpath' for correct moving + # need moving $val['path'] to $current_dbpath + # if $current_dbpath exists, then $val['path'] will created as subdir - !it's worng! + if (file_exists($current_dbpath)) + mwexec("rm -R $current_dbpath"); + mwexec("mv -f {$val['path']}/ $current_dbpath"); + sg_addlog("sg_update_blacklist", "Move {$val['path']}/ -> $current_dbpath.", SQUIDGUARD_INFO); + } + } + set_file_access($arc_db_dir, OWNER_NAME, 0755); + + # create entries list + if (count($blk_items)) { + # save to temp DB + $cont = implode("\n", array_keys($blk_items)); + + # temp blacklist files + $blklist_file = $arc_db_dir . SQUIDGUARD_BLK_FILELIST; + file_put_contents($blklist_file, $cont); + set_file_access ($blklist_file, OWNER_NAME, 0755); + + # system blacklist files + $blklist_file = SQUIDGUARD_BLK_FILELISTPATH; + file_put_contents($blklist_file, $cont); + set_file_access ($blklist_file, OWNER_NAME, 0755); + + sg_addlog("sg_update_blacklist", "Create DB entries list '$blklist_file'.", SQUIDGUARD_INFO); + squidguard_update_log("Found " . count($blk_items) . " items."); + } + + # rebuild db & save to work dir + squidguard_update_log("Start rebuild DB."); + squidguard_rebuild_db("blk_", $arc_db_dir, $blk_list); + + squidguard_update_log("Copy DB to workdir."); + $blklist_file = $arc_db_dir . SQUIDGUARD_BLK_FILELIST; + mwexec("cp -R -p $arc_db_dir/ $dbhome"); + mwexec("cp -f -p $blklist_file " . SQUIDGUARD_WORKDIR); + set_file_access($dbhome, OWNER_NAME, 0755); + + squidguard_update_log("Reconfigure Squid proxy."); + mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure"); + + squidguard_update_log("Blacklist update complete."); + + } + + # free ramdisk + squidguard_ramdisk(false); + } + else sg_addlog("sg_update_blacklist", "File $from_file not found.", SQUIDGUARD_ERROR); +} + +# ----------------------------------------------------------------------------- +# sg_entries_blacklist +# ----------------------------------------------------------------------------- +function sg_entries_blacklist() +{ + $contents = ''; + + $fl = SQUIDGUARD_BLK_FILELISTPATH; + if (file_exists($fl)) + $contents = explode("\n", file_get_contents($fl)); + + return $contents; +} +# ----------------------------------------------------------------------------- +# sg_blacklist_rebuild_db - rebuild current Blacklist DB (default: '/var/db/squidGuard') +# ----------------------------------------------------------------------------- +/* +function sg_blacklist_rebuild_db() +{ + global $squidguard_config; + $dst_list = array(); + $dbhome = $squidguard_config[F_DBHOME]; + $workdir = $squidguard_config[F_WORKDIR]; + + # current dbhome and work dir's + sg_addlog("sg_blacklist_rebuild_db", "Start with path '$dbhome'.", SQUIDGUARD_INFO); + + # make dest list + $blklist_file = SQUIDGUARD_BLK_FILELISTPATH; + if (file_exists($blklist_file)) { + $blklist = explode("\n", file_get_contents($blklist_file)); + if (is_array($blklist)) + foreach($blklist as $bl) { $dst_list[$bl] = $bl; } + } + + # rebuild user db ('/var/db/squidGuard') + squidguard_rebuild_db("_blkdb", $dbhome, $dst_list); +} +*/ +# ----------------------------------------------------------------------------- +# sg_uploadfile_from_url +# ----------------------------------------------------------------------------- +function sg_uploadfile_from_url($url_file, $proxy = '') +{ + $err = 0; + $download_tmpfile = SG_UPDATE_TMPFILE; #"/tmp/squidguard_download.tmp"; + $download_logfile = SG_UPDATE_LOGFILE; #"/tmp/squidguard_download.log"; + + conf_mount_rw(); + # open destination file + $s = "Download archive '$url_file'" . ( $proxy ? " via proxy'$proxy'" : "" ); + sg_addlog("sg_uploadfile_from_url", $s, SQUIDGUARD_INFO); + squidguard_update_log( $s ); + + # open temp and log files for curl + $ftmp = fopen($download_tmpfile, "w"); # download result file + $flog = fopen($download_logfile, "w"); # download log file + + $result = ''; + $ch = curl_init(); + curl_setopt($ch, CURLOPT_URL, $url_file); + curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); + curl_setopt($ch, CURLOPT_NOPROGRESS, 0); + curl_setopt($ch, CURLOPT_FILE, $ftmp); + curl_setopt($ch, CURLOPT_STDERR, $flog); + + if (!empty($proxy)) { + $ip = ''; + $login = ''; + $s = trim($proxy); + if (strpos($s, ' ')) { + $ip = substr($s, 0, strpos($s, ' ')); + $login = substr($s, strpos($s, ' ') + 1); + } else $ip = $s; + + if($ip != '') { + curl_setopt($ch, CURLOPT_PROXY, $ip); + if($login != '') + curl_setopt($ch, CURLOPT_PROXYUSERPWD, $login); + } + } +# $result=curl_exec ($ch); + curl_exec ($ch); + $err = curl_errno($ch); + if ($err) + squidguard_update_log( "Download error: " . curl_error($ch) ); + else squidguard_update_log( "Download complete" ); + curl_close ($ch); + + # close temp and log files + fclose($ftmp); + fclose($flog); + conf_mount_ro(); + + if (!$err && file_exists( $download_tmpfile )) + $result = file_get_contents( $download_tmpfile ); + return $result; +} + +# ------------------------------------------------------------------------------ +# squidguard_blacklist_restore_arcdb - copy arc blacklist to db +# ------------------------------------------------------------------------------ +function squidguard_blacklist_restore_arcdb() +{ + global $squidguard_config; + $dbhome = $squidguard_config[F_DBHOME] ? $squidguard_config[F_DBHOME] : SQUIDGUARD_DBHOME; + $blklist_file = SQUIDGUARD_BLK_FILELISTPATH; + $arc_db_dir = SQUIDGUARD_DBSAMPLE; + + squidguard_update_log("Restore default blacklist DB.", "new"); + if (file_exists($arc_db_dir)) { + conf_mount_rw(); + # copy arc blacklist to work DB with permissions + mwexec("cp -R -p $arc_db_dir/ $dbhome"); + set_file_access($dbhome, OWNER_NAME, 0755); + sg_addlog("squidguard_blacklist_restore_arcdb", "Restore blacklist archive from '$arc_db_dir'.", SQUIDGUARD_INFO); + + # generate blacklist files list + $blklist = ""; + $files = scan_dir("$arc_db_dir/"); + if ($files) $blklist = implode("\n", $files); + file_put_contents($blklist_file, $blklist); + set_file_access($blklist_file, OWNER_NAME, 0755); + + squidguard_rebuild_db("arc_", $dbhome, $files); + + squidguard_update_log("Reconfigure Squid proxy."); + mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure"); + + conf_mount_ro(); + squidguard_update_log("Restore success."); + } else { + sg_addlog("squidguard_blacklist_restore_arcdb", "File '$arc_db_dir' or '$blklist_file' not found.", SQUIDGUARD_ERROR); + squidguard_update_log("Restore error: File '$arc_db_dir' or '$blklist_file' not found."); + } +} + +# ------------------------------------------------------------------------------ +# scan_blacklist_cat - scan all dirs and subdirs tree and make blk enrties list +# $cur_dir - start directory +# $key_name - current key name +# ------------------------------------------------------------------------------ +# blk entry[key]: +# ["domains"] domains file path +# ["urls"] urls file path +# ["expressions"] expressions file path +# ------------------------------------------------------------------------------ +function scan_blacklist_cat($curdir, $key_name, $cat_array) +{ + + if (file_exists($curdir) and is_dir($curdir)) { + $blk_entry = array(); + $files = scan_dir($curdir); + + foreach($files as $fls) { + $fls_file = "$curdir/$fls"; + + if (($fls != ".") and ($fls != "..")) { + if (is_file($fls_file)) { + + # add files path + switch(strtolower($fls)) { + case "domains": + $blk_entry["domains"] = $fls_file; + $blk_entry["path"] = $curdir; + break; + case "urls": + $blk_entry["urls"] = $fls_file; + $blk_entry["path"] = $curdir; + break; + case "expressions": + $blk_entry["expressions"] = $fls_file; + $blk_entry["path"] = $curdir; + break; + } + } + elseif (is_dir($fls_file)) { + $fls_key = $key_name . "_" . $fls; + + # recursive call + scan_blacklist_cat($fls_file, $fls_key, & $cat_array); + } + } + } + + if (count($blk_entry)) + $cat_array[$key_name] = $blk_entry; + } +} + +# ============================================================================= +# Blacklist Scripts +# ============================================================================= + +# squidGuard blacklist update php script +function squidguard_script_blacklistupdate($fname, $opt) +{ + $sh[] = "#!/usr/local/bin/php -f"; + $sh[] = "<?php"; + $sh[] = " \$incl = \"/usr/local/pkg/squidguard_configurator.inc\";"; + $sh[] = " if (file_exists(\$incl)) {"; + $sh[] = " require_once(\$incl);"; + $sh[] = " sg_reconfigure_blacklist( \"{$fname}\", \"{$opt}\" );"; + $sh[] = " }"; + $sh[] = " exit;"; + $sh[] = "?>"; + return implode ("\n", $sh); +} + +# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ +# classes +# @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ + +class TSgTag +{ + var $tag; + var $name; + var $time; + var $items; + var $desc; + + function __construct() { + $this->clear(); + } + + function clear() { + $this->tag = ''; + $this->name = ''; + $this->time = ''; + $this->items = array(); + $this->desc = ''; + } + + function set($tag, $name, $time, $desc) { + $this->tag = $tag; + $this->name = $name; + $this->time = $time; + $this->desc = $desc; + } + + function tag_text($offset = 0) { + $str = array(); + $off = str_repeat("\t", $offset); + + $str[] = $off . "# {$this->desc}"; + if (empty($this->time)) + $str[] = $off . "{$this->tag} {$this->name} {"; + else $str[] = $off . "{$this->tag} {$this->name} within {$this->time} {"; + + # get items + foreach($this->items as $it) { + if (is_a($it, "TSgTag")) + $str[] = $off . $it->tag_text($offset + 1); # sub tag + else $str[] = $off . "\t{$it}"; # item + } + + $str[] = $off . "}"; + return implode("\n", $str); + } +} + +?> diff --git a/config/squidGuard-devel/squidguard_default.xml b/config/squidGuard-devel/squidguard_default.xml new file mode 100644 index 00000000..01380ea5 --- /dev/null +++ b/config/squidGuard-devel/squidguard_default.xml @@ -0,0 +1,149 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguarddefault</name> + <version>none</version> + <title>Proxy filter SquidGuard: Common Access Control List (ACL)</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + <active/> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> + </tabs> + <fields> + <field> + <fielddescr>Target Rules</fielddescr> + <fieldname>dest</fieldname> + <description><![CDATA[]]></description> + <type>input</type> + <size>100</size> + </field> + <field> + <fielddescr>Do not allow IP-Addresses in URL</fielddescr> + <fieldname>notallowingip</fieldname> + <description><![CDATA[To make sure that people do not bypass the URL filter by simply using the IP-Addresses instead of the FQDN you can check this option. This option has no effect on the whitelist.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Proxy Denied Error</fielddescr> + <fieldname>deniedmessage</fieldname> + <description><![CDATA[The first part of the error message displayed to clients when access was denied. Defaults to <b>"Request denied by $g['product_name'] proxy"</b>]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> + <field> + <fielddescr>Redirect mode</fielddescr> + <fieldname>redirect_mode</fieldname> + <description> + Select redirect mode here. + <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. +<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> + <br> Options: + <A title="To 'url' will added special client information;" > + <span style="background-color: #dddddd;" >ext url err page</span></A> , + <A title="Client view 'url' content without any notification about;" > + <span style="background-color: #dddddd;" > ext url redirect</span></A> , + <A title="Client will moved to specified url with displaying url in addres bar;" > + <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , + <A title="Client will moved to specified url with showing progress(only!) in status bar;" > + <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> + </u> + </description> + <type>select</type> + <value>rmod_none</value> + <options> + <!--option><name>none</name> <value>rmod_none</value></option--> + <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> + <option><name>int blank page </name> <value>rmod_int_bpg</value></option> + <!--option><name>int blank image</name> <value>rmod_int_bim</value></option--> + <!--option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option--> + <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> + <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> + <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> + <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> + </options> + </field> + <field> + <fielddescr>Redirect info</fielddescr> + <fieldname>redirect</fieldname> + <description><![CDATA[Enter external redirection URL, error message or size (bytes) here.]]></description> + <type>textarea</type> + <cols>65</cols> + <rows>2</rows> + </field> + <field> + <fielddescr>Use SafeSearch engine</fielddescr> + <fieldname>safesearch</fieldname> + <description><![CDATA[ + To protect your children from adult content you can use the protected mode of search engines.<br> + At the moment it is supported by Google, Yandex, Yahoo, MSN, Live Search and Bing. Make sure that the search engines can be accessed. It is recommended to prohibit access to others.<br> + <b>Note:</b> This option overrides 'Rewrite' setting. + ]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Rewrite</fielddescr> + <fieldname>rewrite</fieldname> + <description><![CDATA[Enter the rewrite condition name for this rule or leave it blank.]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + <type>checkbox</type> + </field> + </fields> + <custom_php_validation_command> + squidguard_validate_acl(&$_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_command_before_form> + squidguard_before_form_acl(&$pkg, false); + </custom_php_command_before_form> + <custom_php_after_form_command> + squidGuard_print_javascript(); + </custom_php_after_form_command> + <custom_add_php_command/> + <custom_php_resync_config_command> +// squidguard_resync(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squidGuard-devel/squidguard_dest.xml b/config/squidGuard-devel/squidguard_dest.xml new file mode 100644 index 00000000..3525098e --- /dev/null +++ b/config/squidGuard-devel/squidguard_dest.xml @@ -0,0 +1,189 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguarddest</name> + <version>none</version> + <title>Proxy filter SquidGuard: Target categories</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <delete_string>A proxy server user has been deleted.</delete_string> + <addedit_string>A proxy server user has been created/modified.</addedit_string> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + <active/> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Redirect</fielddescr> + <fieldname>redirect</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> + <type>input</type> + <size>100</size> + <required/> + </field> + <field> + <fielddescr>Order</fielddescr> + <fieldname>order</fieldname> + <description><![CDATA[ + Select the new position for this target category. Target categories are listed in this order on ALCs and are matched from the top down in sequence.<br> + ]]></description> + <type>select</type> + </field> + <field> + <fielddescr>Domain List</fielddescr> + <fieldname>domains</fieldname> + <description><![CDATA[ + Enter destination domains or IP-addresses here. To separate them use space.<br> + <b>Example:</b> mail.ru e-mail.ru yahoo.com 192.168.1.1 + ]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>10</rows> + </field> + <field> + <fielddescr>URL List</fielddescr> + <fieldname>urls</fieldname> + <description><![CDATA[ + Enter destination URLs here. To separate them use space.<br> + <b>Example:</b> host.com/xxx 12.10.220.125/alisa + ]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>10</rows> + </field> + <field> + <fielddescr>Regular Expression</fielddescr> + <fieldname>expressions</fieldname> + <description><![CDATA[ + Enter word fragments of the destination URL. To separate them use <b>|</b> . + <b>Example:</b> mail|casino|game|\.rsdf$ + ]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>10</rows> + </field> + <field> + <fielddescr>Redirect mode</fielddescr> + <fieldname>redirect_mode</fieldname> + <description> + Select redirect mode here. + <br> Note: if you use 'transparent proxy', then 'int' redirect mode will not accessible. +<!-- <br><b> int size limit :</b> if content size 0 or > 'size limit', then client moved to 'blank image' page; --> + <br> Options: + <A title="To 'url' will added special client information;" > + <span style="background-color: #dddddd;" >ext url err page</span></A> , + <A title="Client view 'url' content without any notification about;" > + <span style="background-color: #dddddd;" > ext url redirect</span></A> , + <A title="Client will moved to specified url with displaying url in addres bar;" > + <span style="background-color: #dddddd;" > ext url as 'move'</span></A> , + <A title="Client will moved to specified url with showing progress(only!) in status bar;" > + <span style="background-color: #dddddd;" > ext url as 'found'.</span></A> + </u> + </description> + <type>select</type> + <value>rmod_none</value> + <options> + <option><name>none</name> <value>rmod_none</value></option> + <option><name>int error page (enter error message)</name> <value>rmod_int</value></option> + <option><name>int blank page </name> <value>rmod_int_bpg</value></option> + <option><name>int blank image</name> <value>rmod_int_bim</value></option> +<!-- <option><name>int size limit (enter size in bytes)</name> <value>rmod_int_szl</value></option> --> + <option><name>ext url err page (enter URL)</name> <value>rmod_ext_err</value></option> + <option><name>ext url redirect (enter URL)</name> <value>rmod_ext_rdr</value></option> + <option><name>ext url move (enter URL)</name> <value>rmod_ext_mov</value></option> + <option><name>ext url found (enter URL)</name> <value>rmod_ext_fnd</value></option> + </options> + </field> + <field> + <fielddescr>Redirect</fielddescr> + <fieldname>redirect</fieldname> + <description><![CDATA[Enter the external redirection URL, error message or size (bytes) here.]]></description> + <type>textarea</type> + <cols>60</cols> + <rows>2</rows> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[You may enter any description here for your reference.]]></description> + <type>input</type> + <size>90</size> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <type>checkbox</type> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + </field> + </fields> + <custom_php_command_before_form> + squidguard_before_form_dest(&$pkg); + </custom_php_command_before_form> + <custom_php_validation_command> + squidguard_validate_destination($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> + squidguard_resync_dest(); + </custom_php_resync_config_command> + <custom_delete_php_command> + squidguard_resync_dest(); + </custom_delete_php_command> + <custom_php_after_form_command> + squidGuard_print_javascript(); + </custom_php_after_form_command> +</packagegui> diff --git a/config/squidGuard-devel/squidguard_log.php b/config/squidGuard-devel/squidguard_log.php new file mode 100644 index 00000000..8eba2311 --- /dev/null +++ b/config/squidGuard-devel/squidguard_log.php @@ -0,0 +1,327 @@ +<?php +/* $Id$ */ +/* + squidguard_log.php + 2006-2011 Serg Dvoriancev + + part of pfSense (www.pfSense.com) + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ + +$pgtitle = "Proxy filter SquidGuard: Log page"; + +require_once('guiconfig.inc'); +require_once('notices.inc'); +if (file_exists("/usr/local/pkg/squidguard.inc")) { + require_once("/usr/local/pkg/squidguard.inc"); +} + +# ------------------------------------------------------------------------------ +# defines +# ------------------------------------------------------------------------------ +$selfpath = "/squidGuard/squidguard_log.php"; + +# ------------------------------------------------------------------------------ +# Requests +# ------------------------------------------------------------------------------ +if ($_REQUEST['getactivity']) +{ + header("Content-type: text/javascript"); + echo squidguard_log_AJAX_response( $_REQUEST ); + exit; +} + +# ------------------------------------------------------------------------------ +# Functions +# ------------------------------------------------------------------------------ + +function squidguard_log_AJAX_response( $request ) +{ + $res = ''; + $offset = $request['offset'] ? $request['offset'] : 0; + $reverse = $request['reverse'] == 'yes'? true : false; + $pcaption = ' '; + + # Actions + switch($request['rep']) { + case 'filterconf': + if (function_exists("squidguard_conflist")) + $cont = squidguard_conflist( ); + else $cont = "Function 'squidguard_conflist' not found."; + $res = squidguard_prep_textareacont($cont); + break; + case 'proxyconf': + if (function_exists("squidguard_squid_conflist")) + $cont = squidguard_squid_conflist( ); + else $cont = "Function 'squidguard_squid_conflist' not found."; + $res = squidguard_prep_textareacont($cont); + break; + case 'guilog': + $res = squidguard_logrep(squidguard_guidump( &$offset, 50, true)); + break; + case 'filterlog': + $res = squidguard_logrep(squidguard_filterdump( &$offset, 50, true)); + break; + case "blocked": + default: + $res = squidguard_logrep(squidguard_blockdump( &$offset, 50, true)); + break; + } + + $res .= "el('offset').value = {$offset};"; + $res .= "el('showoffset').innerHTML = {$offset};"; + return $res; +} + +function squidguard_logrep( $dump ) +{ + $res = ''; + + if (!empty($dump)) { + if (is_array($dump)) { + $acount = count($dump[0]) ? count($dump[0]) : 1; + $res = "<table class=\'tabcont\' width=\'100%\' border=\'0\' cellpadding=\'0\' cellspacing=\'0\'>"; + $res .= "<tr><td class=\'listtopic\' colspan=\'$acount\' nowrap>Show top 50 entries. List from the line: " . + "<span style=\'cursor: pointer;\' onclick=\'report_down();\'><<</span>" . + " <span id='showoffset' >0</span> " . + "<span style=\'cursor: pointer;\' onclick=\'report_up();\'>>></span> " . + "</td></tr>"; + + foreach($dump as $dm) { + if (!$dm[0] || !$dm[1]) continue; + # datetime + $dm[0] = date("d.m.Y H:i:s", strtotime($dm[0])); + $res .= "<tr><td class=\'listlr\' nowrap>{$dm[0]}</td>"; + + # col 1 + $dm[1] = htmlentities($dm[1]); + $dm[1] = squidguard_html_autowrap($dm[1]); + $res .= "<td class=\'listr\'>{$dm[1]}</td>"; + + # for blocked rep + if (count($dm) > 2) { + $dm[2] = htmlentities($dm[2]); + $dm[2] = squidguard_html_autowrap($dm[2]); + $res .= "<td class=\'listr\' width=\'*\'>{$dm[2]}</td>"; + $res .= "<td class=\'listr\'>{$dm[3]}</td>"; + } + $res .= "</tr>"; + } + $res .= "</table>"; + } + else $res = "{$dump}"; + } else { + $res = "No data."; + } + + $res = "el(\"reportarea\").innerHTML = \"{$res}\";"; + return $res; +} + +function squidguard_prepfor_JS($cont) +{ + # replace for JS + $cont = str_replace("\n", "\\n", $cont); + $cont = str_replace("\r", "\\r", $cont); + $cont = str_replace("\t", "\\t", $cont); + $cont = str_replace("\"", "\'", $cont); + return $cont; +} + +function squidguard_prep_textareacont($cont) +{ + $cont = squidguard_prepfor_JS($cont); + return + "el('reportarea').innerHTML = \"<br><center><textarea rows=25 cols=70 id='pconf' name='pconf' wrap='hard' readonly></textarea></center>\";" . + "el('pconf').innerHTML = '$cont';"; +} + +function squidguard_html_autowrap($cont) +{ + # split strings + $p = 0; + $pstep = 25; + $str = $cont; + $cont = ''; + for ( $p = 0; $p < strlen($str); $p += $pstep ) { + $s = substr( $str, $p, $pstep ); + if ( !$s ) break; + $cont .= $s . "<wbr/>"; + } + + return $cont; +} + +# ------------------------------------------------------------------------------ +# HTML Page +# ------------------------------------------------------------------------------ + +include("head.inc"); +echo "\t<script type=\"text/javascript\" src=\"/javascript/scriptaculous/prototype.js\"></script>\n"; +?> + +<!-- Ajax Script --> +<script type="text/javascript"> + +function el(id) { + return document.getElementById(id); +} + +function getactivity(action) { + var url = "./squidguard_log.php"; + var pars = 'getactivity=yes'; + var act = action; + var offset = 0; + var reverse = 'yes'; + + if (action == 'report_up') { + act = el('reptype').value; + offset = parseInt(el('offset').value); + offset = offset + 50; + } else + if (action == 'report_down') { + act = el('reptype').value; + offset = parseInt(el('offset').value); + offset = offset - 50; + offset = offset >= 0 ? offset : 0; + } else { + el('reptype').value = action ? action : 'blocklog'; + el('offset').value = 0; + offset = 0; + } + + pars = pars + '&rep=' + act + '&reverse=' + reverse + '&offset=' + offset; + + var myAjax = new Ajax.Request( url, + { + method: 'get', + parameters: pars, + onComplete: activitycallback + }); +} + +function activitycallback(transport) { + + if (200 == transport.status) { + result = transport.responseText; + } else { + el('reportarea').innerHTML = 'Error! Returned code ' + transport.status + ' ' + transport.responseText; + } + sethdtab_selected(); +} + +function report_up() +{ + getactivity('report_up'); +} + +function report_down() +{ + getactivity('report_down'); +} + +function sethdtab_selected() +{ + var sel = "hd_" + el('reptype').value; + + el('hd_blocklog').style.fontWeight = (sel == 'hd_blocklog') ? 'bold' : ''; + el('hd_guilog').style.fontWeight = (sel == 'hd_guilog') ? 'bold' : ''; + el('hd_filterlog').style.fontWeight = (sel == 'hd_filterlog') ? 'bold' : ''; + el('hd_proxyconf').style.fontWeight = (sel == 'hd_proxyconf') ? 'bold' : ''; + el('hd_filterconf').style.fontWeight = (sel == 'hd_filterconf') ? 'bold' : ''; +} + +window.setTimeout('getactivity()', 150); + +</script> + +<!-- HTML --> +<body link="#0000CC" vlink="#0000CC" alink="#0000CC"> +<?php include("fbegin.inc"); ?> +<form action="sg_log.php" method="post"> +<input type="hidden" id="reptype" val=""> +<input type="hidden" id="offset" val="0"> +<table width="100%" border="0" cellpadding="0" cellspacing="0"> +<!-- Tabs --> + <tr> + <td> +<?php + $tab_array = array(); + $tab_array[] = array(gettext("General settings"), false, "/pkg_edit.php?xml=squidguard.xml&id=0"); + $tab_array[] = array(gettext("Common ACL"), false, "/pkg_edit.php?xml=squidguard_default.xml&id=0"); + $tab_array[] = array(gettext("Groups ACL"), false, "/pkg.php?xml=squidguard_acl.xml"); + $tab_array[] = array(gettext("Target categories"),false, "/pkg.php?xml=squidguard_dest.xml"); + $tab_array[] = array(gettext("Times"), false, "/pkg.php?xml=squidguard_time.xml"); + $tab_array[] = array(gettext("Rewrites"), false, "/pkg.php?xml=squidguard_rewr.xml"); + $tab_array[] = array(gettext("Blacklist"), false, "/squidGuard/squidguard_blacklist.php"); + $tab_array[] = array(gettext("Log"), true, "$selfpath"); + $tab_array[] = array(gettext("XMLRPC Sync"), false, "/pkg_edit.php?xml=squidguard_sync.xml&id=0"); + display_top_tabs($tab_array); +?> + </td> + </tr> + <tr> + <td> + <div id="mainarea"> + <table class="tabcont" width="100%" border="0" cellpadding="0" cellspacing="0"> + <tr> + <td> + +<?php + # Subtabs + $mode = $mode ? $mode : "blocked"; + $tab_array = array(); + $tab_array[] = array(gettext("Blocked"), ($mode == "blocked"), "blocklog"); + $tab_array[] = array(gettext("Filter GUI log"), ($mode == "fgui"), "guilog"); + $tab_array[] = array(gettext("Filter log"), ($mode == "flog"), "filterlog"); + $tab_array[] = array(gettext("Proxy config"), ($mode == "pconf"), "proxyconf"); + $tab_array[] = array(gettext("Filter config"), ($mode == "fconf"), "filterconf"); + + echo "<big>| "; + foreach ($tab_array as $ta) { + $id = "hd_{$ta[2]}"; + $bb = $ta[1] ? "font-weight: bold;" : ''; + echo "<span id='{$id}' style='cursor: pointer; {$bb}' onclick=\"getactivity('{$ta[2]}');\">{$ta[0]}</span> | "; + } + echo "</big>"; +?> + </td> + </tr> + <tr> + <td id="reportarea" name="reportarea"></td> + </tr> + </table> + </div> + </td> + </tr> +</table> +</form> + +<?php include("fend.inc"); ?> + +<!--script type="text/javascript"> + NiftyCheck(); + Rounded("div#mainarea","bl br","#FFF","#eeeeee","smooth"); +</script--> +</body> +</html> diff --git a/config/squidGuard-devel/squidguard_rewr.xml b/config/squidGuard-devel/squidguard_rewr.xml new file mode 100644 index 00000000..c21cb1c0 --- /dev/null +++ b/config/squidGuard-devel/squidguard_rewr.xml @@ -0,0 +1,144 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguardrewrite</name> + <version>none</version> + <title>Proxy filter SquidGuard: Rewrites</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + <active/> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> + <type>input</type> + <required/> + <size>100</size> + </field> + <field> + <fielddescr> + <b>Rewrite rule.</b><br> + Define how url will be replaced.</fielddescr> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Target URL or regular expression</fielddescr> + <fieldname>targeturl</fieldname> + <type>input</type> + <size>35</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Replace to URL</fielddescr> + <fieldname>replaceto</fieldname> + <type>input</type> + <size>35</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Opt.</fielddescr> + <fieldname>mode</fieldname> + <type>select</type> + <value>no</value> + <options> + <option> <name>---------</name> <value>no</value> </option> + <option> <name>no case </name> <value>nocase</value> </option> + <option> <name>redirect </name> <value>redirect</value> </option> + <option> <name>no case + redirect</name> <value>nocase_redirect</value> </option> + </options> + </rowhelperfield> +<!-- <rowhelperfield> + <fielddescr>Http 301</fielddescr> + <fieldname>http301</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Http 302</fielddescr> + <fieldname>http302</fieldname> + <type>checkbox</type> + </rowhelperfield> +--> + </rowhelper> + </field> + <field> + <fielddescr>Log</fielddescr> + <fieldname>enablelog</fieldname> + <description><![CDATA[Check this option to enable logging for this ACL.]]></description> + <type>checkbox</type> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[You may enter any description here for your reference.<br> + <b>Note:</b><br> + <b>Rewrite rule:</b> Define how the URL will be replaced.<br> + <b>Target URL or Regular Expression:</b> Contains destination URL or regular expression. This is the URL or RegEx the user wants to visit.<br> + <b>Replace to URL:</b> Contains the replacing URL. This is the URL the user will see instead the original one. + ]]></description> + <type>input</type> + <size>100</size> + </field> + </fields> + <custom_php_after_form_command> + squidGuard_print_javascript(); + </custom_php_after_form_command> + <custom_php_validation_command> + squidguard_validate_rewrite($_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> +// squidguard_resync_rewrite(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squidGuard-devel/squidguard_sync.xml b/config/squidGuard-devel/squidguard_sync.xml new file mode 100644 index 00000000..f0537faf --- /dev/null +++ b/config/squidGuard-devel/squidguard_sync.xml @@ -0,0 +1,171 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "./schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="./xsl/package.xsl"?> +<packagegui> + <copyright> +<![CDATA[ +/* $Id$ */ +/* ========================================================================== */ +/* +squidguardsync.xml +part of pfSense (http://www.pfSense.com) +Copyright (C) 2013 Alexander Wilke <nachtfalkeaw@web.de> +Copyright (C) 2013 Marcello Coutinho +based on pfblocker_sync.xml +All rights reserved. + +Based on m0n0wall (http://m0n0.ch/wall) +Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. +All rights reserved. +*/ +/* ========================================================================== */ +/* +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + +1. Redistributions of source code must retain the above copyright notice, +this list of conditions and the following disclaimer. + +2. Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in the +documentation and/or other materials provided with the distribution. + +THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, +INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY +AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +POSSIBILITY OF SUCH DAMAGE. +*/ +/* ========================================================================== */ +]]></copyright> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguardsync</name> + <version>1.3_1 pkg v.1.9</version> + <title>Proxy filter SquidGuard: XMLRPC Sync</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml&id=0</url> + <active/> + </tab> + </tabs> + <fields> + <field> + <name>SquidGuard XMLRPC Sync</name> + <type>listtopic</type> + </field> + <field> + <fielddescr>Enable Sync</fielddescr> + <fieldname>varsyncenablexmlrpc</fieldname> + <description><![CDATA[All changes will be synced immediately to the IPs listed below if this option is checked.<br> + <b>Important:</b> While using "Sync to hosts defined below", only sync from host A to B, A to C but <b>do not</B> enable XMLRPC sync <b>to</b> A. This will result in a loop!]]></description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>XMLRPC timeout</fielddescr> + <fieldname>varsynctimeout</fieldname> + <description><![CDATA[Timeout in seconds for the XMLRPC timeout. Default: 150]]></description> + <type>input</type> + <default_value>150</default_value> + <size>5</size> + </field> + + <field> + <fielddescr>Destination Server</fielddescr> + <fieldname>none</fieldname> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Enable</fielddescr> + <fieldname>varsyncdestinenable</fieldname> + <type>checkbox</type> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI Protocol</fielddescr> + <fieldname>varsyncprotocol</fieldname> + <description><![CDATA[Choose the protocol of the destination host. Probably <b>http</b> or <b>https</b>]]></description> + <type>select</type> + <default_value>HTTP</default_value> + <options> + <option><name>HTTP</name><value>http</value></option> + <option><name>HTTPS</name><value>https</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI IP-Address</fielddescr> + <fieldname>varsyncipaddress</fieldname> + <description><![CDATA[IP Address of the destination host.]]></description> + <type>input</type> + <size>15</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI Port</fielddescr> + <fieldname>varsyncport</fieldname> + <description><![CDATA[Choose the port of the destination host.]]></description> + <type>input</type> + <size>3</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>GUI Admin Password</fielddescr> + <fieldname>varsyncpassword</fieldname> + <description><![CDATA[Password of the user "admin" on the destination host.]]></description> + <type>password</type> + <size>20</size> + </rowhelperfield> + </rowhelper> + </field> + </fields> + <custom_delete_php_command> + squidguard_sync_on_changes(); + </custom_delete_php_command> + <custom_php_resync_config_command> + squidguard_sync_on_changes(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squidGuard-devel/squidguard_time.xml b/config/squidGuard-devel/squidguard_time.xml new file mode 100644 index 00000000..dfd589aa --- /dev/null +++ b/config/squidGuard-devel/squidguard_time.xml @@ -0,0 +1,144 @@ +<?xml version="1.0" encoding="utf-8"?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <description><![CDATA[Describe your package here]]></description> + <requirements>Describe your package requirements here</requirements> + <faq>Currently there are no FAQ items provided.</faq> + <name>squidguardtime</name> + <version>none</version> + <title>Proxy filter SquidGuard: Times</title> + <include_file>/usr/local/pkg/squidguard.inc</include_file> + <delete_string>A proxy server user has been deleted.</delete_string> + <addedit_string>A proxy server user has been created/modified.</addedit_string> + <tabs> + <tab> + <text>General settings</text> + <url>/pkg_edit.php?xml=squidguard.xml&id=0</url> + </tab> + <tab> + <text>Common ACL</text> + <url>/pkg_edit.php?xml=squidguard_default.xml&id=0</url> + </tab> + <tab> + <text>Groups ACL</text> + <url>/pkg.php?xml=squidguard_acl.xml</url> + </tab> + <tab> + <text>Target categories</text> + <url>/pkg.php?xml=squidguard_dest.xml</url> + </tab> + <tab> + <text>Times</text> + <url>/pkg.php?xml=squidguard_time.xml</url> + <active/> + </tab> + <tab> + <text>Rewrites</text> + <url>/pkg.php?xml=squidguard_rewr.xml</url> + </tab> + <tab> + <text>Blacklist</text> + <url>/squidGuard/squidguard_blacklist.php</url> + </tab> + <tab> + <text>Log</text> + <url>/squidGuard/squidguard_log.php</url> + </tab> + <tab> + <text>XMLRPC Sync</text> + <url>/pkg_edit.php?xml=squidguard_sync.xml</url> + </tab> + </tabs> + <adddeleteeditpagefields> + <columnitem> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> + </adddeleteeditpagefields> + <fields> + <field> + <fielddescr>Name</fielddescr> + <fieldname>name</fieldname> + <description><![CDATA[ + Enter a unique name of this rule here.<br> + The name must consist between 2 and 15 symbols [a-Z_0-9]. The first one must be a letter.<br> + ]]></description> + <type>input</type> + <required/> + <size>100</size> + </field> + <field> + <fielddescr>Values</fielddescr> + <type>rowhelper</type> + <rowhelper> + <rowhelperfield> + <fielddescr>Time type</fielddescr> + <fieldname>timetype</fieldname> + <description><![CDATA[]]></description> + <type>select</type> + <value>weekly</value> + <options> + <option><name>Weekly</name><value>weekly</value></option> + <option><name>Date</name><value>date</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Days</fielddescr> + <fieldname>timedays</fieldname> + <description><![CDATA[]]></description> + <type>select</type> + <value>*</value> + <options> + <option><name>all</name><value>*</value></option> + <option><name>mon</name><value>mon</value></option> + <option><name>tue</name><value>tue</value></option> + <option><name>wed</name><value>wed</value></option> + <option><name>thu</name><value>thu</value></option> + <option><name>fri</name><value>fri</value></option> + <option><name>sat</name><value>sat</value></option> + <option><name>sun</name><value>sun</value></option> + </options> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Date or Date range</fielddescr> + <fieldname>daterange</fieldname> + <type>input</type> + <size>40</size> + </rowhelperfield> + <rowhelperfield> + <fielddescr>Time range</fielddescr> + <fieldname>sg_timerange</fieldname> + <description><![CDATA[00:00-08:00]]></description> + <type>input</type> + <size>20</size> + <value>00:00-23:59</value> + </rowhelperfield> + </rowhelper> + </field> + <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description><![CDATA[You may enter any description here for your reference.<br> + <b>Note:</b><br> + <b>Example for Date or Date Range:</b> 2007.12.31 <b>or</b> 2007.11.31-2007.12.31 <b>or</b> *.12.31 <b>or</b> 2007.*.31<br> + <b>Example for Time Range:</b> 08:00-18:00 + ]]></description> + <type>input</type> + <size>80</size> + </field> + </fields> + <custom_php_after_form_command> + squidGuard_print_javascript(); + </custom_php_after_form_command> + <custom_php_validation_command> + squidguard_validate_times(&$_POST, &$input_errors); + </custom_php_validation_command> + <custom_php_resync_config_command> +// squidguard_resync_time(); + </custom_php_resync_config_command> +</packagegui> diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc index ab44ae8d..5dbfcc43 100644 --- a/config/squidGuard/squidguard_configurator.inc +++ b/config/squidGuard/squidguard_configurator.inc @@ -205,6 +205,7 @@ define('SQUIDGUARD_GUILOG_LEVEL', SQUIDGUARD_INFO); # log level define('SQUIDGUARD_GUILOG_MAXCOUNT', 500); # log max lines define('SQUIDGUARD_GUILOG_ENABLE', true); # on/off gui log - option override GUI settings define('SQUIDGUARD_LOG_ENABLE', true); # on/off SG log - option override GUI settings +define('SQUIDGUARD_LOGROTATE_MAXCOUNT', 1000); # logrotate max lines # define('FLT_DEFAULT_ALL', 'all'); @@ -1920,7 +1921,8 @@ function acl_remove_blacklist_items($items) # ----------------------------------------------------------------------------- function sg_script_logrotate() { - + $lines = SQUIDGUARD_LOGROTATE_MAXCOUNT; + global $squidguard_config; $sglogname = $squidguard_config[F_LOGDIR] . "/" . SQUIDGUARD_LOGFILE; diff --git a/config/sudo/sudo.inc b/config/sudo/sudo.inc index a65753a1..5ffa14c3 100644 --- a/config/sudo/sudo.inc +++ b/config/sudo/sudo.inc @@ -26,6 +26,7 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ +require_once("config.inc"); $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); switch ($pfs_version) { @@ -71,6 +72,7 @@ function sudo_install() { function sudo_write_config() { global $config; $sudoers = ""; + conf_mount_rw(); if (!is_array($config['installedpackages']['sudo']['config'][0]['row'])) { /* No config, wipe sudoers file and bail. */ unlink(SUDO_SUDOERS); @@ -104,6 +106,7 @@ function sudo_write_config() { log_error("Sudoers file invalid: {$result}"); unlink($tmpsudoers); } + conf_mount_ro(); } /* Get a list of users and groups in a format we can use to make proper sudoers entries. diff --git a/config/sudo/sudo.xml b/config/sudo/sudo.xml index 56163abf..defca988 100644 --- a/config/sudo/sudo.xml +++ b/config/sudo/sudo.xml @@ -3,7 +3,7 @@ <description>Sudo Command Control</description> <requirements>None</requirements> <name>sudo</name> - <version>0.1</version> + <version>0.2</version> <title>Sudo - Shell Command Privilege Delegation Utility</title> <include_file>/usr/local/pkg/sudo.inc</include_file> <menu> diff --git a/config/syslog-ng/syslog-ng.inc b/config/syslog-ng/syslog-ng.inc index 75d5bb4d..e1b4d35e 100644 --- a/config/syslog-ng/syslog-ng.inc +++ b/config/syslog-ng/syslog-ng.inc @@ -235,7 +235,7 @@ function syslogng_get_log_files($objects) { foreach($objects as $object) { if($object['objecttype'] == 'destination') { - preg_match("/file\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); + preg_match("/\bfile\b\(['\"]([^'\"]*)['\"]/", base64_decode($object['objectparameters']), $match); if($match) { $log_file = $match[1]; array_push($log_files, $log_file); @@ -433,4 +433,4 @@ EOD; conf_mount_rw(); write_rcfile($rc); } -?>
\ No newline at end of file +?> diff --git a/config/systempatches/system_patches_edit.php b/config/systempatches/system_patches_edit.php index 5b30c9c5..ffa2fe13 100644 --- a/config/systempatches/system_patches_edit.php +++ b/config/systempatches/system_patches_edit.php @@ -63,6 +63,10 @@ if (isset($id) && $a_patches[$id]) { $pconfig['ignorewhitespace'] = isset($a_patches[$id]['ignorewhitespace']); $pconfig['autoapply'] = isset($a_patches[$id]['autoapply']); $pconfig['uniqid'] = $a_patches[$id]['uniqid']; +} else { + $pconfig['pathstrip'] = 1; + $pconfig['basedir'] = "/"; + $pconfig['ignorewhitespace'] = true; } if (isset($_GET['dup'])) diff --git a/config/systempatches/systempatches.xml b/config/systempatches/systempatches.xml index f221588b..73974af0 100644 --- a/config/systempatches/systempatches.xml +++ b/config/systempatches/systempatches.xml @@ -40,7 +40,7 @@ <requirements>None</requirements> <faq>Applies patches supplied by the user to the firewall.</faq> <name>System Patches</name> - <version>0.10</version> + <version>1.0</version> <title>System: Patches</title> <include_file>/usr/local/pkg/patches.inc</include_file> <menu> diff --git a/config/tftp/tftp.xml b/config/tftp/tftp.xml index 720ac212..d6becc6d 100644 --- a/config/tftp/tftp.xml +++ b/config/tftp/tftp.xml @@ -55,7 +55,7 @@ <name>tftp</name> <rcfile>tftp.sh</rcfile> <executable>inetd</executable> - <description>Trivial File Transport Protocol is a very simple file transfer protocol. Often used with routers, voip phones and more.</description> + <description>TFTP daemon</description> </service> <tabs> <tab> diff --git a/config/tftp2/tftp.xml b/config/tftp2/tftp.xml index 6fc6a08d..64f81acf 100644 --- a/config/tftp2/tftp.xml +++ b/config/tftp2/tftp.xml @@ -54,7 +54,7 @@ <service> <name>tftp</name> <executable>inetd</executable> - <description>Trivial File Transport Protocol is a very simple file transfer protocol. Often used with routers, voip phones and more.</description> + <description>TFTP daemon</description> </service> <tabs> <tab> diff --git a/config/unbound/unbound.inc b/config/unbound/unbound.inc index e53168eb..6e55d577 100644 --- a/config/unbound/unbound.inc +++ b/config/unbound/unbound.inc @@ -1,6 +1,6 @@ <?php /* unbound.inc - (C)2010 Warren Baker (warren@decoy.co.za) + (C)2013 Warren Baker (warren@decoy.co.za) Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -118,7 +118,6 @@ function unbound_keys_setup() { function unbound_rc_setup() { global $config; - // Startup process and idea taken from TinyDNS package (author sullrich@gmail.com) $filename = "unbound.sh"; $start = "/usr/local/bin/php -q -d auto_prepend_file=config.inc <<ENDPHP @@ -198,7 +197,7 @@ function unbound_control($action) { case "start": //Start unbound - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { if(!is_service_running("unbound")) unbound_ctl_exec("start"); /* Link dnsmasq.pid to prevent dhcpleases logging error */ @@ -213,7 +212,7 @@ function unbound_control($action) { case "stop": //Stop unbound and unmount the file system - if($unbound_config['unbound_status'] == "on") { + if($unbound_config['enable'] == "on") { mwexec_bg("/usr/local/bin/unbound_monitor.sh stop"); unbound_ctl_exec("stop"); } @@ -240,7 +239,9 @@ function unbound_control($action) { break; case "anchor_update": //Update the Root Trust Anchor + conf_mount_rw(); mwexec(UNBOUND_BASE . "/sbin/unbound-anchor -a " . UNBOUND_BASE . "/etc/unbound/root-trust-anchor", true); + conf_mount_ro(); break; default: break; @@ -461,15 +462,14 @@ function unbound_resync_config() { private-address: 10.0.0.0/8 private-address: 172.16.0.0/12 private-address: 192.168.0.0/16 -private-address: 192.254.0.0/16 +private-address: 169.254.0.0/16 private-address: fd00::/8 private-address: fe80::/10 # Set private domains in case authorative name server returns a RFC1918 IP address EOF; - // Add private-domain options - $private_domains = unbound_add_domain_overrides(true); - + // Add private-domain options + $private_domains = unbound_add_domain_overrides(true); } //Setup optimization @@ -547,6 +547,7 @@ harden-dnssec-stripped: {$harden_dnssec_stripped} {$optimization['rrset_cache_size']} outgoing-range: 8192 {$optimization['so_rcvbuf']} +{$optimization['so_sndbuf']} # Interface IP(s) to bind to {$unbound_bind_interfaces} @@ -649,18 +650,21 @@ function unbound_optimization() { // Check that it is set to 4MB (by default the OS has it configured to 4MB) foreach ($config['sysctl']['item'] as $tunable) { if ($tunable['tunable'] == 'kern.ipc.maxsockbuf') { - $so = floor(($tunable['value']/1024/1024)-1); + if ($tunable['value'] == 'default') + $maxsockbuf = '4262144'; + else + $maxsockbuf = $tunable['value']; + $so = floor(($maxsockbuf/1024/1024)-1); // Check to ensure that the number is not a negative - if ($so > 0) + if ($so > 0) { $optimization['so_rcvbuf'] = "so-rcvbuf: {$so}m"; - else - unset($optimization['so_rcvbuf']); - + $optimization['so_sndbuf'] = "so-sndbuf: {$so}m"; + } else { + $optimization['so_rcvbuf'] = "#so-rcvbuf: 4m"; + $optimization['so_sndbuf'] = "#so-sndbuf: 4m"; + } } } - // Safety check in case kern.ipc.maxsockbuf is deleted. - if(!isset($optimization['so_rcvbuf'])) - $optimization['so_rcvbuf'] = "#so-rcvbuf: 4m"; return $optimization; } @@ -694,7 +698,7 @@ function fetch_root_hints() { function unbound_validate($post, $type=null) { global $config, $input_errors; - if($post['unbound_status'] == "on" && isset($config['dnsmasq']['enable'])) + if($post['enable'] == "on" && isset($config['dnsmasq']['enable'])) $input_errors[] = "The system dns-forwarder is still active. Disable it before enabling the Unbound service."; /* Validate the access lists */ @@ -741,7 +745,7 @@ function unbound_reconfigure() { $unbound_config = $config['installedpackages']['unbound']['config'][0]; - if ($unbound_config['unbound_status'] != "on") { + if ($unbound_config['enable'] != "on") { if(is_service_running("unbound")) unbound_control("termstop"); } else { @@ -820,30 +824,49 @@ function unbound_add_host_entries() { $unbound_entries .= "local-data: \"localhost.{$syscfg['domain']} AAAA ::1\"\n"; } + $added_item_v4 = array(); + $added_item_v6 = array(); if ($config['interfaces']['lan']) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip("lan"); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6("lan"); + if (is_ipaddrv6($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } } else { $sysiflist = get_configured_interface_list(); foreach ($sysiflist as $sysif) { if (!interface_has_gateway($sysif)) { + $current_host = $syscfg['hostname'].".".$syscfg['domain']; $cfgip = get_interface_ip($sysif); if (is_ipaddr($cfgip)) { - $unbound_entries .= "local-data-ptr: \"{$cfgip} {$syscfg['hostname']}.{$syscfg['domain']}\"\n"; - $unbound_entries .= "local-data: \"{$syscfg['hostname']}.{$syscfg['domain']} A {$cfgip}\"\n"; + $unbound_entries .= "local-data-ptr: \"{$cfgip} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} A {$cfgip}\"\n"; $unbound_entries .= "local-data: \"{$syscfg['hostname']} A {$cfgip}\"\n"; - break; + $added_item_v4[$current_host] = true; + } + $cfgip6 = get_interface_ipv6($sysif); + if (is_ipaddr($cfgip6)) { + $unbound_entries .= "local-data-ptr: \"{$cfgip6} {$current_host}\"\n"; + $unbound_entries .= "local-data: \"{$current_host} AAAA {$cfgip6}\"\n"; + $unbound_entries .= "local-data: \"{$syscfg['hostname']} AAAA {$cfgip6}\"\n"; + $added_item_v6[$current_host] = true; } + if (is_ipaddr($cfgip) || is_ipaddr($cfgip6)) + break; } } } - $added_item_v4 = array(); - $added_item_v6 = array(); // DNSMasq entries static host entries if (isset($dnsmasqcfg['hosts'])) { $hosts = $dnsmasqcfg['hosts']; @@ -852,7 +875,7 @@ function unbound_add_host_entries() { foreach ($hosts as $host) { $current_host = ($host['host'] != "") ? $host['host'].".".$host['domain'] : $host['domain']; if (function_exists("is_ipaddrv6") && is_ipaddrv6($host['ip'])) { - if (!$added_item_v6[$curent_host]) { + if (!$added_item_v6[$current_host]) { $host_entries .= "local-data-ptr: \"{$host['ip']} {$current_host}\"\n"; $host_entries .= "local-data: \"{$current_host} IN AAAA {$host['ip']}\"\n"; $added_item_v6[$current_host] = true; @@ -987,23 +1010,25 @@ function unbound_add_domain_overrides($pvt=false) { $result = array(); foreach($sorted_domains as $domain) { $domain_key = current($domain); - if(!isset($result[$domain_key])) { + if (!isset($result[$domain_key])) $result[$domain_key] = array(); - } $result[$domain_key][] = $domain['ip']; } $domain_entries = ""; foreach($result as $domain=>$ips) { - if($pvt == true) { - $domain_entries .= "private-domain: \"$domain\"\n"; - $domain_entries .= "domain-insecure: \"$domain\"\n"; + if ($pvt == true) { + if (strpos($domain, "in-addr.arpa") !== false) + $domain_entries .= "local-zone: \"$domain\" transparent\n"; + else + $domain_entries .= "private-domain: \"$domain\"\n"; + if (isset($config['installedpackages']['unbound']['config'][0]['dnssec_status'])) + $domain_entries .= "domain-insecure: \"$domain\"\n"; } else { $domain_entries .= "stub-zone:\n"; $domain_entries .= "\tname: \"$domain\"\n"; - foreach($ips as $ip) { + foreach($ips as $ip) $domain_entries .= "\tstub-addr: $ip\n"; - } $domain_entries .= "\tstub-prime: no\n"; } } diff --git a/config/unbound/unbound.xml b/config/unbound/unbound.xml index 10de1f97..20f3d250 100644 --- a/config/unbound/unbound.xml +++ b/config/unbound/unbound.xml @@ -80,6 +80,9 @@ <chmod>0755</chmod> <item>http://www.pfsense.org/packages/config/unbound/unbound_monitor.sh</item> </additional_files_needed> + <system_services> + <dns/> + </system_services> <tabs> <tab> <text>Unbound DNS Settings</text> @@ -106,7 +109,7 @@ <type>listtopic</type> </field> <field> - <fieldname>unbound_status</fieldname> + <fieldname>enable</fieldname> <fielddescr>Enable Unbound</fielddescr> <description>Enable the use of Unbound as your DNS forwarder.</description> <type>checkbox</type> diff --git a/config/urlsnarf/urlsnarf.xml b/config/urlsnarf/urlsnarf.xml new file mode 100644 index 00000000..c65d1a14 --- /dev/null +++ b/config/urlsnarf/urlsnarf.xml @@ -0,0 +1,44 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> +<?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> +<packagegui> + <copyright> + <![CDATA[ +/* ========================================================================== */ +/* + part of pfSense (http://www.pfSense.com) + Copyright (C) 2013 + All rights reserved. +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + </copyright> + <description>urlsnarf</description> + <requirements>None</requirements> + <faq></faq> + <name>urlsnarf</name> + <version>0.0</version> + <title>urlsnarf</title> +</packagegui>
\ No newline at end of file diff --git a/config/varnish3/pkg_varnish.inc b/config/varnish3/pkg_varnish.inc new file mode 100755 index 00000000..509f24e5 --- /dev/null +++ b/config/varnish3/pkg_varnish.inc @@ -0,0 +1,11 @@ +<?php + +global $shortcuts; + +$shortcuts['varnish'] = array(); +$shortcuts['varnish']['main'] = "pkg.php?xml=varnish_backends.xml"; +$shortcuts['varnish']['log'] = "diag_logs.php"; +$shortcuts['varnish']['status'] = "status_services.php"; +$shortcuts['varnish']['service'] = "varnish"; + +?>
\ No newline at end of file diff --git a/config/varnish3/varnish.inc b/config/varnish3/varnish.inc index 3449c68b..983804c9 100644 --- a/config/varnish3/varnish.inc +++ b/config/varnish3/varnish.inc @@ -4,7 +4,7 @@ varnish.inc part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho Copyright (C) 2012 Marcio Carlos Antao All rights reserved. */ @@ -32,6 +32,14 @@ POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ +$shortcut_section = "varnish"; + +$pf_version=substr(trim(file_get_contents("/etc/version")),0,3); +if ($pf_version > 2.0) + define('VARNISH_LOCALBASE', '/usr/pbi/varnish-' . php_uname("m")); +else + define('VARNISH_LOCALBASE','/usr/local'); + function varnish_settings_post_validate($post, $input_errors) { if( !is_numeric($post['storagesize'])) @@ -119,95 +127,90 @@ function varnish_start() { /* Build the URL mappings logic VCL config txt */ function varnish_get_url_mappings_txt() { global $g, $config, $urlmappings,$backends_in_use; - $catch_all= "unset"; + $catch_all = "unset"; $isfirst = true; - if($config['installedpackages']['varnishlbdirectors']['config'] != "") { + if ($config['installedpackages']['varnishlbdirectors']['config'] != "") { foreach($config['installedpackages']['varnishlbdirectors']['config'] as $url) { - #check options - $directo_grace_time=""; + // check options + $directo_grace_time = ""; if ($url['customapping']) - $directo_grace_time.=text_area_decode($url['customapping'])."\n\t\t"; - if($url['grace']) - $directo_grace_time.=($url['grace']=="0s"?"return(pass);":"set req.grace=".$url['grace'].";"); - $fieldtype = ($url['fieldtype']?$url['fieldtype']:"=="); - $director_prefix=($url['directorurl'] && $url['directorurl2']?"^http://":""); - #check url - if ( $url['directorurl'] || $url['directorurl2'] || $catch_all == "unset" ){ - if ( $url['directorurl']== "" && $url['directorurl2']== "" ){ - #director with no host or url, so director for catch all traffic not specified in config - $lasturlmappings = "\telse\t{\n\t\tset req.backend = ".$url['directorname'].";\n\t\t}\n"; + $directo_grace_time .= text_area_decode($url['customapping'])."\n\t\t"; + if ($url['grace']) + $directo_grace_time .= ($url['grace'] == "0s" ? "return(pass);" : "set req.grace={$url['grace']};"); + $fieldtype = ($url['fieldtype'] ? $url['fieldtype'] : "=="); + $director_prefix = ($url['directorurl'] && $url['directorurl2'] ? "^http://" : ""); + // check url + if ($url['directorurl'] || $url['directorurl2'] || $catch_all == "unset") { + if ($url['directorurl'] == "" && $url['directorurl2'] == "") { + // director with no host or url, so director for catch all traffic not specified in config + $lasturlmappings = "\telse\t{\n\t\tset req.backend = {$url['directorname']};\n\t\t}\n"; $catch_all = "set"; $isfirst = false; - } - else{ - if(!$isfirst) - $urlmappings .= "\telse "; - if(!$url['directorurl']) { - $urlmappings .= "if (req.url $fieldtype ".'"^'.$url['directorurl2'].'") {'."\n"; - } - else if (!$url['directorurl2']) { - $urlmappings .= "if (req.http.host $fieldtype ".'"'.$url['directorurl'].'") {'."\n"; - } - else { + } else { + if (!$isfirst) + $urlmappings .= "\telse "; + if (!$url['directorurl']) + $urlmappings .= "if (req.url $fieldtype ".'"^'.$url['directorurl2'].'") {'."\n"; + else if (!$url['directorurl2']) + $urlmappings .= "if (req.http.host $fieldtype ".'"'.$url['directorurl'].'") {'."\n"; + else $urlmappings .= "if (req.http.host $fieldtype ".'"'.$url['directorurl'].'"'." && req.url $fieldtype ".'"^'.$url['directorurl2'].'") {'."\n"; - } - $urlbackend = "\t\t\tset req.backend = ".$url['directorname'].";"; - #check rewrite options - if($url['rewritehost']) { - $urlmappings .= "\t\t\tset req.http.host = regsub(req.http.host, ".'"'.$url['directorurl'].'",'.'"'.$url['rewritehost'].'")'.";\n"; - } - if ($url['rewriteurl']) { - $urlmappings .= "\t\t\tset req.url = regsub(req.url, ".'"'.$url['directorurl2'].'",'.'"^'.$url['rewriteurl'].'")'.";\n"; - } - #check failover - if ($url['failover'] && $url['failover'] != $url['directorname']){ - $tabs=($url['grace']?"\n\t\t\t":""); - $urlfailover = "\t\t\tset req.backend = ".$url['failover'].";"; - $urlmappings .= "\t\tif (req.restarts == 0) {\n".$urlbackend.$tabs.$directo_grace_time.$tabs."}"; - $urlmappings .= "\n\t\telse\t{\n".$urlfailover.$tabs.$directo_grace_time.$tabs."}\n\t\t}\n"; - $isfirst = false; + $urlbackend = "\t\t\tset req.backend = ".$url['directorname'].";"; + // check rewrite options + if ($url['rewritehost']) + $urlmappings .= "\t\t\tset req.http.host = regsub(req.http.host, ".'"'.$url['directorurl'].'",'.'"'.$url['rewritehost'].'")'.";\n"; + if ($url['rewriteurl']) + $urlmappings .= "\t\t\tset req.url = regsub(req.url, ".'"'.$url['directorurl2'].'",'.'"^'.$url['rewriteurl'].'")'.";\n"; + // check failover + if ($url['failover'] && $url['failover'] != $url['directorname']) { + $tabs = ($url['grace'] ? "\n\t\t\t" : ""); + $urlfailover = "\t\t\tset req.backend = ".$url['failover'].";"; + $urlmappings .= "\t\tif (req.restarts == 0) {\n".$urlbackend.$tabs.$directo_grace_time.$tabs."}"; + $urlmappings .= "\n\t\telse\t{\n".$urlfailover.$tabs.$directo_grace_time.$tabs."}\n\t\t}\n"; + $isfirst = false; + } else { + $tabs = ($url['grace'] ? "\n\t\t" : ""); + $urlmappings .= $urlbackend.$tabs.$directo_grace_time."\n\t\t}\n"; + $isfirst = false; } - else{ - $tabs=($url['grace']?"\n\t\t":""); - $urlmappings .= $urlbackend.$tabs.$directo_grace_time."\n\t\t}\n"; - $isfirst = false; - } } } } } - if($config['installedpackages']['varnishbackends']['config']) + if ($config['installedpackages']['varnishbackends']['config']) { foreach($config['installedpackages']['varnishbackends']['config'] as $urlmapping) { - if($urlmapping['row']) + if (isset($urlmapping['row'])) { foreach($urlmapping['row'] as $url) { - $directo_grace_time=""; - if($url['grace']) - $directo_grace_time=($url['grace']=="0s"?"\n\t\t return(pass);":"\n\t\tset req.grace=".$url['grace'].";"); - $req=($url['maptype']?$url['maptype']:"http.host"); - $fieldtype=($url['fieldtype']?$url['fieldtype']:"=="); - if ($url['urlmapping'] != "" || $catch_all == 'unset'){ - if($url['urlmapping'] == ""){ + $directo_grace_time = ""; + if ($url['grace']) + $directo_grace_time = ($url['grace'] == "0s" ? "\n\t\t return(pass);" : "\n\t\tset req.grace={$url['grace']};"); + $req = ($url['maptype'] ? $url['maptype'] : "http.host"); + $fieldtype = ($url['fieldtype'] ? $url['fieldtype'] : "=="); + if ($url['urlmapping'] != "" || $catch_all == "unset") { + if ($url['urlmapping'] == "") { $catch_all = "set"; - $lasturlmappings = "\telse\t{\n\t\tset req.backend = ".$urlmapping['backendname']."BACKEND;\n\t\t}\n"; - } - else{ - if(!$isfirst) - $urlmappings .= "\telse "; + $lasturlmappings .= "set req.backend = {$urlmapping['backendname']}BACKEND;\n"; + } else { + if (!$isfirst) + $urlmappings .= "\telse "; $urlmappings .= <<<EOAU if (req.{$req} {$fieldtype} "{$url['urlmapping']}") { set req.backend = {$urlmapping['backendname']}BACKEND;{$directo_grace_time} } - + EOAU; - } - $backends_in_use[$urlmapping['backendname']].=($url['directorurl'] == ""?"catch_all ":"url_map "); $isfirst = false; - } + } + $backends_in_use[$urlmapping['backendname']] .= ($url['directorurl'] == "" ? "catch_all " : "url_map "); + } + } + } } + if ($urlmappings != "") + $lasturlmappings = "\telse {\n\t\t$lasturlmappings\t}\n"; + return $urlmappings.$lasturlmappings; } - - return $urlmappings.$lasturlmappings; } function create_varnish_rcd_file() { @@ -249,7 +252,6 @@ mkdir -p /var/varnish rm /var/varnish/storage.bin 2>/dev/null killall varnishd 2>/dev/null sleep 1 -sysctl kern.ipc.nmbclusters=65536 sysctl kern.ipc.somaxconn=16384 sysctl kern.maxfiles=131072 sysctl kern.maxfilesperproc=104856 @@ -284,56 +286,53 @@ EOF; function get_backend_config_txt() { global $config, $g, $backends_in_use; - $backends=""; - if($config['installedpackages']['varnishbackends']['config'] != "") { + $backends = ""; + if ($config['installedpackages']['varnishbackends']['config'] != "") { foreach($config['installedpackages']['varnishbackends']['config'] as $backend) { - if($backend['connect_timeout']) + if ($backend['connect_timeout']) $connect_timeout = $backend['connect_timeout'] . "s"; else $connect_timeout = "25s"; - if($backend['port']) + if ($backend['port']) $connect_port = $backend['port']; else $connect_port = "80"; - if($backend['first_byte_timeout']) + if ($backend['first_byte_timeout']) $first_byte_timeout = $backend['first_byte_timeout'] . "s"; else $first_byte_timeout = "300s"; - if($backend['probe_url']) + if ($backend['probe_url']) if (preg_match("@^(http)://([a-zA-Z0-9.-]*)/(.*)$@",$backend['probe_url'],$matches)){ - $probe_url=".request =\n"; - $probe_url.="\t\t\t".'"GET /'.$matches[3].' HTTP/1.1"'."\n"; + $probe_url = ".request =\n"; + $probe_url .= "\t\t\t".'"GET /'.$matches[3].' HTTP/1.1"'."\n"; $probe_url.="\t\t\t".'"Accept: text/*"'."\n"; $probe_url.="\t\t\t".'"User-Agent: Varnish"'."\n"; - $probe_url.="\t\t\t".'"Host: '.$matches[2].'"'."\n"; - $probe_url.="\t\t\t".'"Connection: Close";'; - } - else{ - $probe_url = '.url = "'.$backend['probe_url'].'";'; - } - else - $probe_url ='.url = "/";'; - if($backend['probe_interval']) + $probe_url .= "\t\t\t".'"Host: '.$matches[2].'"'."\n"; + $probe_url .= "\t\t\t".'"Connection: Close";'; + } else + $probe_url = '.url = "'.$backend['probe_url'].'";'; + else + $probe_url = '.url = "/";'; + if ($backend['probe_interval']) $probe_interval = $backend['probe_interval'] . "s"; - else + else $probe_interval = "1s"; - if($backend['probe_timeout']) + if ($backend['probe_timeout']) $probe_timeout = $backend['probe_timeout'] . "s"; - else + else $probe_timeout = "1s"; - if($backend['probe_window']) + if ($backend['probe_window']) $probe_window = $backend['probe_window']; - else + else $probe_window = "5"; - if($backend['probe_threshold']) + if ($backend['probe_threshold']) $probe_threshold = $backend['probe_threshold']; - else + else $probe_threshold = "5"; - - if ($backend['probe_disable']) { + if ($backend['probe_disable']) $probe = ""; - } else { + else { $probe = <<<EOFPROBE .probe = { {$probe_url} @@ -345,10 +344,10 @@ function get_backend_config_txt() { EOFPROBE; } - if (isset($probe_threshold)){ - #last parameter set ,so write conf if backend is in use - if ($backends_in_use[$backend['backendname']] != ""){ - $backends .= <<<EOFA + if (isset($probe_threshold)) { + // last parameter set ,so write conf if backend is in use + if ($backends_in_use[$backend['backendname']] != "") { + $backends .= <<<EOFA backend {$backend['backendname']}BACKEND { # used in {$backends_in_use[$backend['backendname']]} @@ -361,10 +360,8 @@ backend {$backend['backendname']}BACKEND { EOFA; - } - else { - $backends .= "\n".'# backend '.$backend['backendname']." not in use.\n"; - } + } else + $backends .= "\n# backend {$backend['backendname']} not in use.\n"; } } } @@ -404,19 +401,19 @@ EOFA; function sync_package_varnish() { global $config, $g; - if(is_array($config['installedpackages']['varnishcustomvcl']['config'])) { + if (is_array($config['installedpackages']['varnishcustomvcl']['config'])) { foreach($config['installedpackages']['varnishcustomvcl']['config'] as $vcl) { - if($vcl['vcl_recv_early']) + if ($vcl['vcl_recv_early']) $vcl_recv_early = text_area_decode($vcl['vcl_recv_early']); - if($vcl['vcl_recv_late']) + if ($vcl['vcl_recv_late']) $vcl_recv_late = text_area_decode($vcl['vcl_recv_late']); - if($vcl['vcl_fetch_early']) + if ($vcl['vcl_fetch_early']) $vcl_fetch_early = text_area_decode($vcl['vcl_fetch_early']); - if($vcl['vcl_fetch_late']) + if ($vcl['vcl_fetch_late']) $vcl_fetch_late = text_area_decode($vcl['vcl_fetch_late']); - if($vcl['vcl_pipe_early']) + if ($vcl['vcl_pipe_early']) $vcl_pipe_early = text_area_decode($vcl['vcl_pipe_early']); - if($vcl['vcl_pipe_late']) + if ($vcl['vcl_pipe_late']) $vcl_pipe_late = text_area_decode($vcl['vcl_pipe_late']); } } @@ -425,120 +422,109 @@ function sync_package_varnish() { #$plataform=posix_uname(); if (is_array($config['installedpackages']['varnishsettings']['config'])) foreach($config['installedpackages']['varnishsettings']['config'] as $vcl) { - if($vcl['streaming']){ + if ($vcl['streaming']) $vcl_fetch_stream="set beresp.do_stream = true;\n"; - } - if($vcl['fixgzip']){ + if ($vcl['fixgzip']) { $vcl_recv_set_basic.="\t#Fix gzip compression\n"; $vcl_recv_set_basic.="\t".'if (req.http.Accept-Encoding) {'."\n"; $vcl_recv_set_basic.="\t".'if (req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|gz|tgz|bz2|tbz|mp3|ogg)$") {'."\n\t\tunset req.http.Accept-Encoding;\n\t\t}\n"; $vcl_recv_set_basic.="\t".'else if (req.http.Accept-Encoding ~ "gzip") {'."\n\t\tset req.http.Accept-Encoding = ".'"gzip"'.";\n\t\t}\n"; $vcl_recv_set_basic.="\t".'else if (req.http.Accept-Encoding ~ "deflate") {'."\n\t\tset req.http.Accept-Encoding = ".'"deflate"'.";\n\t\t}\n"; $vcl_recv_set_basic.="\telse\t{\n\t\tunset req.http.Accept-Encoding;\n\t\t}\n\t}\n"; + } + $vcl_recv_set_basic.="\t#set client balance identity\n"; + switch ($vcl['clientbalance']){ + case 'url': + $vcl_recv_set_basic.="\t".'set client.identity = req.url;'."\n\n"; + break; + case 'ip': + $vcl_recv_set_basic.="\t".'set client.identity = client.ip;'."\n\n"; + break; + case 'agent': + $vcl_recv_set_basic.="\t".'set client.identity = req.http.user-agent;'."\n\n"; + break; } - #if($vcl['clientbalance'] && $plataform['machine'] == 'amd64'){ - $vcl_recv_set_basic.="\t#set client balance identity\n"; - switch ($vcl['clientbalance']){ - case 'url': - $vcl_recv_set_basic.="\t".'set client.identity = req.url;'."\n\n"; - break; - case 'ip': - $vcl_recv_set_basic.="\t".'set client.identity = client.ip;'."\n\n"; - break; - case 'agent': - $vcl_recv_set_basic.="\t".'set client.identity = req.http.user-agent;'."\n\n"; - break; - } - #} - if($vcl['grace'] ){ + if ($vcl['grace']) $vcl_grace_time="set beresp.grace = ".$vcl['grace'].";\n\t\t"; - } - if($vcl['saint'] ){ + if ($vcl['saint']) $vcl_saint_mode="set beresp.saintmode = ".$vcl['saint'].";\n\t\t"; - } - if($vcl['xforward']){ + if ($vcl['xforward']) { $vcl_recv_set_basic.="\t#set X-forward\n"; - switch ($vcl['xforward']){ + switch ($vcl['xforward']) { case 'set': - $vcl_recv_set_basic.="\t".'set req.http.X-Forwarded-For = client.ip;'."\n\n"; + $vcl_recv_set_basic .= "\tset req.http.X-Forwarded-For = client.ip;\n\n"; break; case 'append': - $vcl_recv_set_basic.="\t".'set req.http.X-Forwarded-For = req.http.X-Forwarded-For "," client.ip;'."\n\n"; + $vcl_recv_set_basic .= "\tset req.http.X-Forwarded-For = req.http.X-Forwarded-For + \",\" + client.ip;\n\n"; break; case 'create': - $vcl_recv_set_basic.="\t".'set req.http.X-Forwarded-Varnish = client.ip;'."\n\n"; + $vcl_recv_set_basic .= "\tset req.http.X-Forwarded-Varnish = client.ip;\n\n"; break; case 'unset': - $vcl_recv_set_basic.="\t".'unset req.http.X-Forwarded-For;'."\n\n"; + $vcl_recv_set_basic .= "\tunset req.http.X-Forwarded-For;\n\n"; break; - } } - if($vcl['postcache']){ - $vcl_recv_action_basic.="\t#Disable post cache\n"; - $vcl_recv_action_basic.="\t".'if (req.request == "POST") {'."\n\t\treturn(pass);\n\t\t}\n"; - } - - $vcl_fetch_session ="#Disable cache when backend is starting a session\n"; - $vcl_fetch_session.="\t".'if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(PHPSESSID|phpsessid)") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n"; - $vcl_fetch_session.="\t".'if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(JSESSION|jsession)") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n"; + } + if ($vcl['postcache']) { + $vcl_recv_action_basic .= "\t#Disable post cache\n"; + $vcl_recv_action_basic .= "\t".'if (req.request == "POST") {'."\n\t\treturn(pass);\n\t\t}\n"; + } + + $vcl_fetch_session = "#Disable cache when backend is starting a session\n"; + $vcl_fetch_session .= "\t".'if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(PHPSESSID|phpsessid)") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n"; + $vcl_fetch_session .= "\t".'if (beresp.http.Set-Cookie && beresp.http.Set-Cookie ~ "(JSESSION|jsession)") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n"; - if($vcl['sessioncache']== "never"){ - $vcl_recv_session ="\t#Disable session cache\n"; - $vcl_recv_session.="\t".'if (req.http.Cookie && req.http.Cookie ~ "(PHPSESSID|phpsessid)") {'."\n\t\treturn(pass);\n\t\t}\n"; - $vcl_recv_session.="\t".'if (req.http.Cookie && req.http.Cookie ~ "(JSESSION|jsession)") {'."\n\t\treturn(pass);\n\t\t}\n"; - $vcl_recv_session.="\t".'if (req.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {'."\n\t\treturn(pass);\n\t\t}\n"; - $vcl_fetch_session.="\t".'if (beresp.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n"; - $vcl_recv_static_prefix=($vcl['staticache']=="no"?"":"\n\t\tunset req.http.cookie;"); - } - else - { + if ($vcl['sessioncache'] == "never") { + $vcl_recv_session = "\t#Disable session cache\n"; + $vcl_recv_session .= "\t".'if (req.http.Cookie && req.http.Cookie ~ "(PHPSESSID|phpsessid)") {'."\n\t\treturn(pass);\n\t\t}\n"; + $vcl_recv_session .= "\t".'if (req.http.Cookie && req.http.Cookie ~ "(JSESSION|jsession)") {'."\n\t\treturn(pass);\n\t\t}\n"; + $vcl_recv_session .= "\t".'if (req.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {'."\n\t\treturn(pass);\n\t\t}\n"; + $vcl_fetch_session .= "\t".'if (beresp.http.X-Requested-With == "XMLHttpRequest" || req.url ~ "nocache") {'."\n\t\treturn(hit_for_pass);\n\t\t}\n"; + $vcl_recv_static_prefix = ($vcl['staticache'] == "no" ? "" : "\n\t\tunset req.http.cookie;"); + } else { $vcl_hash = "#Enable Per user session cache.\n"; - $vcl_hash.= "sub vcl_hash {\n\thash_data(req.http.cookie);\n}\n"; - } - #set static content var - $vcl_recv_static_sufix=($vcl['staticache']=='no'?"pass":"lookup"); - $vcl_recv_static ="\t#Enable static cache\n"; - $vcl_recv_static.="\t".'if (req.request=="GET" && req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {'.$vcl_recv_static_prefix."\n\t\treturn($vcl_recv_static_sufix);\n\t\t}\n"; - $vcl_recv_static.="\t".'if (req.request=="GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {'.$vcl_recv_static_prefix."\n\t\treturn($vcl_recv_static_sufix);\n\t\t}\n"; - $vcl_fetch_static ="#Enable static cache\n"; - $vcl_fetch_static.='if (req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {'."\n\tunset beresp.http.set-cookie;\n\t}\n"; - $vcl_fetch_static.='if (req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {'."\n\tunset beresp.http.set-cookie;\n\t}\n"; + $vcl_hash .= "sub vcl_hash {\n\thash_data(req.http.cookie);\n}\n"; + } + // set static content var + $vcl_recv_static_sufix = ($vcl['staticache'] == 'no' ? "pass" : "lookup"); + $vcl_recv_static = "\t#Enable static cache\n"; + $vcl_recv_static .= "\t".'if (req.request=="GET" && req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {'.$vcl_recv_static_prefix."\n\t\treturn($vcl_recv_static_sufix);\n\t\t}\n"; + $vcl_recv_static .= "\t".'if (req.request=="GET" && req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {'.$vcl_recv_static_prefix."\n\t\treturn($vcl_recv_static_sufix);\n\t\t}\n"; + $vcl_fetch_static = "#Enable static cache\n"; + $vcl_fetch_static .= 'if (req.url ~ "\.(css|js|txt|zip|pdf|rtf|flv|swf|html|htm)$") {'."\n\tunset beresp.http.set-cookie;\n\t}\n"; + $vcl_fetch_static .= 'if (req.url ~ "\.(gif|jpg|jpeg|bmp|png|ico|img|tga|wmf|mp3|ogg)$") {'."\n\tunset beresp.http.set-cookie;\n\t}\n"; - switch ($vcl['staticache']){ + switch ($vcl['staticache']) { case "all": - # cache all static content, unseting cookie when present - $vcl_recv_action_basic.=($vcl['sessioncache']=="never"?$vcl_recv_static.$vcl_recv_session:$vcl_recv_static); - $vcl_fetch_action=($vcl['sessioncache']=="never"?$vcl_fetch_static.$vcl_fetch_session:$vcl_fetch_static); + // cache all static content, unseting cookie when present + $vcl_recv_action_basic .= ($vcl['sessioncache'] == "never" ? $vcl_recv_static.$vcl_recv_session : $vcl_recv_static); + $vcl_fetch_action = ($vcl['sessioncache'] == "never" ? $vcl_fetch_static.$vcl_fetch_session : $vcl_fetch_static); break; case "yes": - # cache only object without cookie set - $vcl_recv_action_basic.=($vcl['sessioncache']=="never"?$vcl_recv_session.$vcl_recv_static:$vcl_recv_static); - $vcl_fetch_action=$vcl_fetch_session; + // cache only object without cookie set + $vcl_recv_action_basic .= ($vcl['sessioncache'] == "never" ? $vcl_recv_session.$vcl_recv_static : $vcl_recv_static); + $vcl_fetch_action = $vcl_fetch_session; break; default: - # no static cache at all - $vcl_recv_action_basic.=$vcl_recv_static.$vcl_recv_session; - $vcl_fetch_action=$vcl_fetch_session; + // no static cache at all + $vcl_recv_action_basic .= $vcl_recv_static.$vcl_recv_session; + $vcl_fetch_action = $vcl_fetch_session; } - if($vcl['rfc2616']){ - $vcl_recv_action_basic.="\t#Be rfc2616 compliant\n"; - $vcl_recv_action_basic.="\t".'if (req.request ~ "^(GET|HEAD|PUT|POST|TRACE|OPTIONS|DELETE)$") {'."\n\t\treturn(lookup);\n\t\t}\n\telse\t{\n\t\treturn(pipe);\n\t\t}\n"; - #$vcl_recv_action_basic.="\t".'if (req.request != "GET" && req.request != "HEAD" && req.request != "PUT" && reqa.request != "POST" &&'."\n"; - #$vcl_recv_action_basic.="\t".' req.request != "TRACE" && req.request != "OPTIONS" && req.request != "DELETE") {return(pipe);}'."\n\n"; - } - else { - $vcl_recv_action_basic.="\t".'if (req.request != "GET" && req.request != "HEAD") {return(pipe);}'."\n"; - } - if($vcl['restarts']){ - $vcl_restarts=$vcl['restarts']; - } - if($vcl['htmlerror']){ - $errorvcl=text_area_decode($vcl['htmlerror']); - } + if ($vcl['rfc2616']) { + $vcl_recv_action_basic .= "\t#Be rfc2616 compliant\n"; + $vcl_recv_action_basic .= "\t".'if (req.request ~ "^(GET|HEAD|PUT|POST|TRACE|OPTIONS|DELETE)$") {'."\n\t\treturn(lookup);\n\t\t}\n\telse\t{\n\t\treturn(pipe);\n\t\t}\n"; + //$vcl_recv_action_basic.="\t".'if (req.request != "GET" && req.request != "HEAD" && req.request != "PUT" && reqa.request != "POST" &&'."\n"; + //$vcl_recv_action_basic.="\t".' req.request != "TRACE" && req.request != "OPTIONS" && req.request != "DELETE") {return(pipe);}'."\n\n"; + } else + $vcl_recv_action_basic .= "\tif (req.request != \"GET\" && req.request != \"HEAD\") {return(pipe);}\n"; + if ($vcl['restarts']) + $vcl_restarts = $vcl['restarts']; + if ($vcl['htmlerror']) + $errorvcl = text_area_decode($vcl['htmlerror']); } - if(!$errorvcl) + if (!$errorvcl) $errorvcl = <<<EOF <html> <head> @@ -557,7 +543,7 @@ EOF; /* Grab configuration txt blocks */ /* Please keep this sequence to determine witch backends are in use */ -$backends_in_use=array(); +$backends_in_use = array(); $lb_config= get_lb_directors_config_txt(); $urlmappings = varnish_get_url_mappings_txt(); $backends = get_backend_config_txt() . $lb_config ; @@ -662,7 +648,15 @@ sub vcl_fini { } EOF; - + file_put_contents("/var/etc/default.vcl",$varnish_config_file,LOCK_EX); + $cc_file="/usr/local/bin/cc"; + foreach (glob(VARNISH_LOCALBASE."/bin/gcc*") as $bin_file) { + $gcc_file=$bin_file; + } + if (!file_exists($cc_file) && file_exists($gcc_file)){ + symlink($gcc_file,$cc_file); + } + $fd = fopen("/var/etc/default.vcl", "w"); fwrite($fd, $varnish_config_file); fclose($fd); @@ -673,29 +667,67 @@ EOF; /* Uses XMLRPC to synchronize the changes to a remote node */ function varnish_sync_on_changes() { global $config, $g; - log_error("[varnish] varnish_xmlrpc_sync.php is starting."); - $synconchanges = $config['installedpackages']['varnishsync']['config'][0]['synconchanges']; - if(!$synconchanges) - return; - foreach ($config['installedpackages']['varnishsync']['config'] as $rs ){ - foreach($rs['row'] as $sh){ - $sync_to_ip = $sh['ipaddress']; - $password = $sh['password']; - if($password && $sync_to_ip) - varnish_do_xmlrpc_sync($sync_to_ip, $password); + if (is_array($config['installedpackages']['varnishsync']['config'])){ + $varnish_sync=$config['installedpackages']['varnishsync']['config'][0]; + $synconchanges = $varnish_sync['synconchanges']; + $synctimeout = $varnish_sync['synctimeout']; + switch ($synconchanges){ + case "manual": + if (is_array($varnish_sync[row])){ + $rs=$varnish_sync[row]; + } + else{ + log_error("[varnish] xmlrpc sync is enabled but there is no hosts to push on varnish config."); + return; + } + break; + case "auto": + if (is_array($config['hasync'])){ + $hasync=$config['hasync'][0]; + $rs[0]['ipaddress']=$hasync['synchronizetoip']; + $rs[0]['username']=$hasync['username']; + $rs[0]['password']=$hasync['password']; + } + else{ + log_error("[varnish] xmlrpc sync is enabled but there is no system backup hosts to push varnish config."); + return; + } + break; + default: + return; + break; } - } - log_error("[varnish] varnish_xmlrpc_sync.php is ending."); + if (is_array($rs)){ + log_error("[varnish] xmlrpc sync is starting."); + foreach($rs as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + if($sh['username']) + $username = $sh['username']; + else + $username = 'admin'; + if($password && $sync_to_ip) + varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout); + } + log_error("[varnish] xmlrpc sync is ending."); + } + } } /* Do the actual XMLRPC sync */ -function varnish_do_xmlrpc_sync($sync_to_ip, $password) { +function varnish_do_xmlrpc_sync($sync_to_ip, $username, $password,$synctimeout) { global $config, $g; - + + if(!$username) + return; + if(!$password) return; if(!$sync_to_ip) return; + + if(!$synctimeout) + $synctimeout=25; $xmlrpc_sync_neighbor = $sync_to_ip; if($config['system']['webgui']['protocol'] != "") { @@ -731,18 +763,18 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $password) { $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); + $cli->setCredentials($username, $password); if($g['debug']) $cli->setDebug(1); - /* send our XMLRPC message and timeout after 250 seconds */ - $resp = $cli->send($msg, "250"); + /* send our XMLRPC message and timeout after $synctimeout seconds */ + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting varnish XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting varnish XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); @@ -763,15 +795,15 @@ function varnish_do_xmlrpc_sync($sync_to_ip, $password) { log_error("varnish XMLRPC reload data {$url}:{$port}."); $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); - $cli->setCredentials('admin', $password); - $resp = $cli->send($msg, "250"); + $cli->setCredentials($username, $password); + $resp = $cli->send($msg, $synctimeout); if(!$resp) { $error = "A communications error occurred while attempting varnish XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); } elseif($resp->faultCode()) { $cli->setDebug(1); - $resp = $cli->send($msg, "250"); + $resp = $cli->send($msg, $synctimeout); $error = "An error code was received while attempting varnish XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "varnish Settings Sync", ""); diff --git a/config/varnish3/varnish_backends.xml b/config/varnish3/varnish_backends.xml index e480a8d6..28e7caca 100644 --- a/config/varnish3/varnish_backends.xml +++ b/config/varnish3/varnish_backends.xml @@ -9,7 +9,7 @@ varnish_backends.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. /*/ /* ========================================================================== */ @@ -85,6 +85,11 @@ <chmod>0755</chmod> <item>http://www.pfsense.com/packages/config/varnish3/varnishstat.php</item> </additional_files_needed> + <additional_files_needed> + <prefix>/usr/local/www/shortcuts/</prefix> + <chmod>0755</chmod> + <item>http://www.pfsense.org/packages/config/varnish3/pkg_varnish.inc</item> + </additional_files_needed> <menu> <name>Varnish</name> <tooltiptext>Varnish</tooltiptext> @@ -129,14 +134,23 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>IPAddress</fielddescr> <fieldname>ipaddress</fieldname> </columnitem> <columnitem> + <fielddescr>Port</fielddescr> + <fieldname>port</fieldname> + </columnitem> + <columnitem> <fielddescr>Name</fielddescr> <fieldname>backendname</fieldname> - </columnitem> + </columnitem> + <columnitem> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + </columnitem> </adddeleteeditpagefields> <fields> <field> @@ -163,9 +177,17 @@ <fieldname>port</fieldname> <description>Enter the TCP/IP port of the webserver.</description> <type>input</type> + <size>6</size> <validate>^[0-9]+$</validate> </field> <field> + <fielddescr>Description</fielddescr> + <fieldname>description</fieldname> + <description>Enter the description for this Backend.</description> + <type>input</type> + <size>40</size> + </field> + <field> <fielddescr>PerformanceMetrics</fielddescr> <fieldname>PerformanceMetrics</fieldname> <type>listtopic</type> diff --git a/config/varnish3/varnish_custom_vcl.xml b/config/varnish3/varnish_custom_vcl.xml index 86a9cdca..c0bb0e80 100644 --- a/config/varnish3/varnish_custom_vcl.xml +++ b/config/varnish3/varnish_custom_vcl.xml @@ -9,6 +9,7 @@ varnish_settings.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> + Copyright (C) 2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -78,56 +79,92 @@ </tabs> <fields> <field> + <type>listtopic</type> + <name>vcl_recv_early</name> + </field> + <field> <fielddescr>vcl_recv_early</fielddescr> <fieldname>vcl_recv_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_recv</a>]]> code here. This code will be included at the beginning of the vcl_recv function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_recv_late</name> + </field> + <field> <fielddescr>vcl_recv_late</fielddescr> <fieldname>vcl_recv_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_recv</a>]]> code here. This code will be included at the end of the vcl_recv function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_fetch_early</name> + </field> + <field> <fielddescr>vcl_fetch_early</fielddescr> <fieldname>vcl_fetch_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_fetch</a>]]> code here. This code will be included at the beginning of the vcl_fetch function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_fetch_late</name> + </field> + <field> <fielddescr>vcl_fetch_late</fielddescr> <fieldname>vcl_fetch_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_fetch</a>]]> code here. This code will be included at the end of the vcl_fetch function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_pipe_early</name> + </field> + <field> <fielddescr>vcl_pipe_early</fielddescr> <fieldname>vcl_pipe_early</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_pipe</a>]]> code here. This code will be included at the beginning of the vcl_pipe function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> <field> + <type>listtopic</type> + <name>vcl_pipe_late</name> + </field> + <field> <fielddescr>vcl_pipe_late</fielddescr> <fieldname>vcl_pipe_late</fieldname> + <dontdisplayname/> + <usecolspan2/> <description>Paste your custom <![CDATA[<a target=_new href='http://varnish-cache.org/wiki/VCL'>vcl_pipe</a>]]> code here. This code will be included at the end of the vcl_pipe function.</description> <type>textarea</type> - <cols>50</cols> + <cols>90</cols> <rows>10</rows> <encoding>base64</encoding> </field> diff --git a/config/varnish3/varnish_lb_directors.xml b/config/varnish3/varnish_lb_directors.xml index 0912e267..b9d8cc24 100644 --- a/config/varnish3/varnish_lb_directors.xml +++ b/config/varnish3/varnish_lb_directors.xml @@ -9,7 +9,7 @@ varnish_lb_directors.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2010 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ @@ -99,6 +99,7 @@ </tab> </tabs> <adddeleteeditpagefields> + <movable>on</movable> <columnitem> <fielddescr>Director name</fielddescr> <fieldname>directorname</fieldname> diff --git a/config/varnish3/varnish_sync.xml b/config/varnish3/varnish_sync.xml index 02434389..fd387fdb 100644 --- a/config/varnish3/varnish_sync.xml +++ b/config/varnish3/varnish_sync.xml @@ -9,7 +9,7 @@ varnish_sync.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2008 Scott Ullrich <sullrich@gmail.com> - Copyright (C) 2011 Marcello Coutinho + Copyright (C) 2011-2013 Marcello Coutinho All rights reserved. */ /* ========================================================================== */ @@ -82,12 +82,34 @@ <type>listtopic</type> <fieldname>temp</fieldname> <name>Enable Varnish configuration sync</name> - </field> + </field> <field> <fielddescr>Automatically sync Varnish configuration changes</fielddescr> <fieldname>synconchanges</fieldname> - <description>pfSense will automatically sync changes to the hosts defined below.</description> - <type>checkbox</type> + <description>Select a sync method for bind.</description> + <type>select</type> + <required/> + <default_value>auto</default_value> + <options> + <option><name>Sync to configured system backup server</name><value>auto</value></option> + <option><name>Sync to host(s) defined below</name><value>manual</value></option> + <option><name>Do not sync this package configuration</name><value>disabled</value></option> + </options> + </field> + <field> + <fielddescr>Sync timeout</fielddescr> + <fieldname>synctimeout</fieldname> + <description>Select sync max wait time</description> + <type>select</type> + <required/> + <default_value>25</default_value> + <options> + <option><name>30 seconds(Default)</name><value>30</value></option> + <option><name>60 seconds</name><value>60</value></option> + <option><name>90 seconds</name><value>90</value></option> + <option><name>250 seconds</name><value>250</value></option> + <option><name>120 seconds</name><value>120</value></option> + </options> </field> <field> <fielddescr>Remote Server</fielddescr> @@ -111,8 +133,7 @@ </rowhelper> </field> </fields> - <custom_php_resync_config_command> - varnish_sync_on_changes(); + <custom_php_resync_config_command> </custom_php_resync_config_command> <custom_php_command_before_form> unset($_POST['temp']); diff --git a/config/widget-snort/snort_alerts.widget.php b/config/widget-snort/snort_alerts.widget.php index e488bc49..f4eaa140 100644 --- a/config/widget-snort/snort_alerts.widget.php +++ b/config/widget-snort/snort_alerts.widget.php @@ -25,6 +25,9 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +require_once("/usr/local/www/widgets/include/widget-snort.inc"); + global $config, $g; /* array sorting */ diff --git a/config/widget-snort/widget-snort.inc b/config/widget-snort/widget-snort.inc index 105dd1e7..b9cfbeac 100644 --- a/config/widget-snort/widget-snort.inc +++ b/config/widget-snort/widget-snort.inc @@ -1,5 +1,10 @@ <?php require_once("config.inc"); + +//set variable for custom title +$snort_alerts_title = "Snort Alerts"; +$snort_alerts_title_link = "snort/snort_alerts.php"; + function widget_snort_uninstall() { global $config; diff --git a/config/widget-snort/widget-snort.xml b/config/widget-snort/widget-snort.xml index b415bd12..29edcc3f 100644 --- a/config/widget-snort/widget-snort.xml +++ b/config/widget-snort/widget-snort.xml @@ -46,15 +46,9 @@ <requirements>Dashboard package and Snort</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>widget-snort</name> - <version>0.3.4</version> + <version>0.3.5</version> <title>Widget - Snort</title> <include_file>/usr/local/www/widgets/include/widget-snort.inc</include_file> - <menu> - </menu> - <service> - </service> - <tabs> - </tabs> <additional_files_needed> <prefix>/usr/local/www/widgets/javascript/</prefix> <chmod>0644</chmod> @@ -70,14 +64,6 @@ <chmod>0644</chmod> <item>http://www.pfsense.com/packages/config/widget-snort/widget-snort.inc</item> </additional_files_needed> - <fields> - </fields> - <custom_add_php_command> - </custom_add_php_command> - <custom_php_resync_config_command> - </custom_php_resync_config_command> - <custom_php_install_command> - </custom_php_install_command> <custom_php_deinstall_command> widget_snort_uninstall(); </custom_php_deinstall_command> diff --git a/config/zabbix-agent/zabbix-agent.xml b/config/zabbix-agent/zabbix-agent.xml index 5a862496..885a54e3 100644 --- a/config/zabbix-agent/zabbix-agent.xml +++ b/config/zabbix-agent/zabbix-agent.xml @@ -17,7 +17,7 @@ <name>zabbix_agentd</name> <rcfile>zabbix_agentd.sh</rcfile> <executable>zabbix_agentd</executable> - <description>Zabbix Agent runs on a host being monitored. The agent provides host's performance and availability information for Zabbix Server.</description> + <description>Zabbix Agent host monitor daemon</description> </service> <tabs> <tab> @@ -111,7 +111,7 @@ <rows>5</rows> <cols>50</cols> <required>false</required> - <description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l</description> + <description>User-defined parameter to monitor. There can be several user-defined parameters. Value has form, example: UserParameter=users,who|wc -l <br><a href="https://www.zabbix.com/documentation/1.8/manual/tutorials/extending_agent" target="_new">See zabbix documentation for more information<a></description> </field> </fields> <custom_php_install_command> @@ -260,4 +260,4 @@ exec("/bin/rm -r /var/run/zabbix/"); ]]> </custom_php_deinstall_command> -</packagegui>
\ No newline at end of file +</packagegui> diff --git a/config/zabbix-proxy/zabbix-proxy.xml b/config/zabbix-proxy/zabbix-proxy.xml index ff4011b0..19930b49 100644 --- a/config/zabbix-proxy/zabbix-proxy.xml +++ b/config/zabbix-proxy/zabbix-proxy.xml @@ -17,6 +17,7 @@ <name>zabbix-proxy</name> <rcfile>zabbix-proxy.sh</rcfile> <executable>zabbix_proxy</executable> + <description>Zabbix proxy collection daemon</description> </service> <tabs> <tab> diff --git a/config/zabbix2/zabbix2-agent.xml b/config/zabbix2/zabbix2-agent.xml index 41ba26fb..0169e11f 100644 --- a/config/zabbix2/zabbix2-agent.xml +++ b/config/zabbix2/zabbix2-agent.xml @@ -41,7 +41,7 @@ <name>zabbixagent</name> <title>Services: Zabbix-2 Agent</title> <category>Monitoring</category> - <version>0.7</version> + <version>0.7_1</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Agent has been created/modified.</addedit_string> <delete_string>Zabbix Agent has been deleted.</delete_string> @@ -61,7 +61,7 @@ <name>zabbix_agentd</name> <rcfile>zabbix2_agentd.sh</rcfile> <executable>zabbix_agentd</executable> - <description>Zabbix Agent runs on a host being monitored. The agent provides host's performance and availability information for Zabbix Server.</description> + <description>Zabbix Agent host monitor daemon</description> </service> <tabs> <tab> @@ -85,7 +85,6 @@ <fielddescr>Server</fielddescr> <fieldname>server</fieldname> <description>List of comma delimited IP addresses (or hostnames) of ZABBIX servers</description> - <value>127.0.0.1</value> <type>input</type> <size>60</size> </field> @@ -93,7 +92,6 @@ <fielddescr>Server Active</fielddescr> <fieldname>serveractive</fieldname> <description>List of comma delimited IP:port (or hostname:port) pairs of Zabbix servers for active checks</description> - <value></value> <type>input</type> <size>60</size> </field> @@ -101,30 +99,29 @@ <fielddescr>Hostname</fielddescr> <fieldname>hostname</fieldname> <description>Unique hostname. Required for active checks and must match hostname as configured on the Zabbix server (case sensitive).</description> - <value>localhost</value> <type>input</type> <size>60</size> </field> <field> <fielddescr>Listen IP</fielddescr> <fieldname>listenip</fieldname> - <value>0.0.0.0</value> + <default_value>0.0.0.0</default_value> <type>input</type> <size>60</size> - <description>Listen IP for connections from the server (generally 0.0.0.0 for all interfaces)</description> + <description>Listen IP for connections from the server (default 0.0.0.0 for all interfaces)</description> </field> <field> <fielddescr>Listen Port</fielddescr> <fieldname>listenport</fieldname> - <value>10050</value> + <default_value>10050</default_value> <type>input</type> <size>5</size> - <description>Listen port for connections from the server (generally 10050)</description> + <description>Listen port for connections from the server (default 10050)</description> </field> <field> <fielddescr>Refresh Active Checks</fielddescr> <fieldname>refreshactchecks</fieldname> - <value>120</value> + <default_value>120</default_value> <type>input</type> <size>5</size> <description>The agent will refresh list of active checks once per 120 (default) seconds.</description> @@ -132,15 +129,15 @@ <field> <fielddescr>Timeout</fielddescr> <fieldname>timeout</fieldname> - <value>3</value> + <default_value>3</default_value> <type>input</type> <size>5</size> - <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-255). The agent does not kill timeouted User Parameters processes!</description> + <description>Timeout (default 3). Do not spend more that Timeout seconds on getting requested value (1-30). The agent does not kill timeouted User Parameters processes!</description> </field> <field> <fielddescr>Buffer Send</fielddescr> <fieldname>buffersend</fieldname> - <value>5</value> + <default_value>5</default_value> <type>input</type> <size>5</size> <description>Buffer Send (default 5). Do not keep data longer than N seconds in buffer (1-3600).</description> @@ -148,7 +145,7 @@ <field> <fielddescr>Buffer Size</fielddescr> <fieldname>buffersize</fieldname> - <value>100</value> + <default_value>100</default_value> <type>input</type> <size>5</size> <description>Buffer Size (default 100). Maximum number of values in a memory buffer (2-65535). The agent will send all collected data to Zabbix server or proxy if the buffer is full.</description> @@ -156,7 +153,7 @@ <field> <fielddescr>Start Agents</fielddescr> <fieldname>startagents</fieldname> - <value>3</value> + <default_value>3</default_value> <type>input</type> <size>5</size> <description>Start Agents (default 3). Number of pre-forked instances of zabbix_agentd that process passive checks (0-100).If set to 0, disables passive checks and the agent will not listen on any TCP port.</description> @@ -165,7 +162,6 @@ <fielddescr>User Parameters</fielddescr> <fieldname>userparams</fieldname> <encoding>base64</encoding> - <value></value> <type>textarea</type> <rows>5</rows> <cols>50</cols> @@ -179,5 +175,5 @@ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command> <custom_add_php_command></custom_add_php_command> <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command> - <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command> + <custom_php_deinstall_command>php_deinstall_zabbix2_agent();</custom_php_deinstall_command> </packagegui> diff --git a/config/zabbix2/zabbix2-proxy.xml b/config/zabbix2/zabbix2-proxy.xml index 4441df99..c687c5ba 100644 --- a/config/zabbix2/zabbix2-proxy.xml +++ b/config/zabbix2/zabbix2-proxy.xml @@ -41,7 +41,7 @@ <name>zabbixproxy</name> <title>Services: Zabbix-2 Proxy</title> <category>Monitoring</category> - <version>0.7</version> + <version>0.7_1</version> <include_file>/usr/local/pkg/zabbix2.inc</include_file> <addedit_string>Zabbix Proxy has been created/modified.</addedit_string> <delete_string>Zabbix Proxy has been deleted.</delete_string> @@ -58,10 +58,10 @@ <url>/pkg_edit.php?xml=zabbix2-proxy.xml&id=0</url> </menu> <service> - <name>zabbix-proxy</name> + <name>zabbix_proxy</name> <rcfile>zabbix2_proxy.sh</rcfile> <executable>zabbix_proxy</executable> - <description>Zabbix proxy is a process which collects performance and availability data from one or more monitored devices and sends the information to a Zabbix server</description> + <description>Zabbix proxy collection daemon</description> </service> <tabs> <tab> @@ -137,5 +137,5 @@ <custom_php_validation_command>validate_input_zabbix2($_POST, &$input_errors);</custom_php_validation_command> <custom_add_php_command></custom_add_php_command> <custom_php_resync_config_command>sync_package_zabbix2();</custom_php_resync_config_command> - <custom_php_deinstall_command>php_deinstall_zabbix2();</custom_php_deinstall_command> + <custom_php_deinstall_command>php_deinstall_zabbix2_proxy();</custom_php_deinstall_command> </packagegui> diff --git a/config/zabbix2/zabbix2.inc b/config/zabbix2/zabbix2.inc index 730ef873..0a1c12be 100644 --- a/config/zabbix2/zabbix2.inc +++ b/config/zabbix2/zabbix2.inc @@ -42,38 +42,61 @@ function php_install_zabbix2(){ sync_package_zabbix2(); } -function php_deinstall_zabbix2(){ - global $config, $g; +function php_deinstall_zabbix2_agent(){ + global $config, $g; - conf_mount_rw(); - $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); - if ($pfs_version > 2.0){ - define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); - define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); - } else { - define('ZABBIX_AGENT_BASE', '/usr/local'); - define('ZABBIX_PROXY_BASE', '/usr/local'); - } - - exec("/usr/bin/killall zabbix_proxy"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); - unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); - - exec("/usr/bin/killall zabbix_agentd"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); - unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); - unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); - unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); - - if (is_dir("/var/log/zabbix2")) - exec("/bin/rm -r /var/log/zabbix2/"); - if (is_dir("/var/run/zabbix2")) - exec("/bin/rm -r /var/run/zabbix2/"); - if (is_dir("/var/db/zabbix2")) - exec("/bin/rm -r /var/db/zabbix2/"); - conf_mount_ro(); + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_AGENT_BASE', '/usr/pbi/zabbix2-agent-' . php_uname("m")); + } else { + define('ZABBIX_AGENT_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_agentd"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/rc.d/zabbix2_agentd.sh"); + unlink_if_exists(ZABBIX_AGENT_BASE . "/etc/zabbix2/zabbix_agentd.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix2_agentd.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_agentd.pid"); + + if (!is_array($config['installedpackages']['zabbixproxy'])){ + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + } + + conf_mount_ro(); +} + +function php_deinstall_zabbix2_proxy(){ + global $config, $g; + + conf_mount_rw(); + $pfs_version = substr(trim(file_get_contents("/etc/version")),0,3); + if ($pfs_version > 2.0){ + define('ZABBIX_PROXY_BASE', '/usr/pbi/zabbix2-proxy-' . php_uname("m")); + } else { + define('ZABBIX_PROXY_BASE', '/usr/local'); + } + + exec("/usr/bin/killall zabbix_proxy"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/rc.d/zabbix2_proxy.sh"); + unlink_if_exists(ZABBIX_PROXY_BASE . "/etc/zabbix2/zabbix_proxy.conf"); + unlink_if_exists("/var/log/zabbix2/zabbix_proxy.log"); + unlink_if_exists("/var/run/zabbix2/zabbix2_proxy.pid"); + + if (!is_array($config['installedpackages']['zabbixagent'])){ + if (is_dir("/var/log/zabbix2")) + exec("/bin/rm -r /var/log/zabbix2/"); + if (is_dir("/var/run/zabbix2")) + exec("/bin/rm -r /var/run/zabbix2/"); + } + + if (is_dir("/var/db/zabbix2")) + exec("/bin/rm -r /var/db/zabbix2/"); + + conf_mount_ro(); } function validate_input_zabbix2($post,&$input_errors){ @@ -95,14 +118,18 @@ function validate_input_zabbix2($post,&$input_errors){ if (!preg_match("/\w+/", $post['hostname'])) { $input_errors[]='Hostname field is required.'; } - - if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { - $input_errors[]='Listen IP is not a configured IP address.'; + + if ($post['listenip'] != '') { + if (!is_ipaddr_configured($post['listenip']) && !preg_match("/(127.0.0.1|0.0.0.0)/",$post['listenip'])) { + $input_errors[]='Listen IP is not a configured IP address.'; } + } - if (!preg_match("/^\d+$/", $post['listenport'])) { - $input_errors[]='Listen Port is not numeric.'; + if ($post['listenport'] != '') { + if (!preg_match("/^\d+$/", $post['listenport'])) { + $input_errors[]='Listen Port is not numeric.'; } + } if ($post['refreshactchecks'] != '') { if (!preg_match("/^\d+$/", $post['refreshactchecks'])) { @@ -111,11 +138,13 @@ function validate_input_zabbix2($post,&$input_errors){ $input_errors[]='You must enter a valid value for \'Refresh Active Checks\''; } } - - if (!is_numericint($post['timeout'])) { - $input_errors[]='Timeout is not numeric.'; - } elseif ( $post['timeout'] < 1 || $post['timeout'] > 255 ) { - $input_errors[]='You must enter a valid value for \'Timeout\''; + + if ($post['timeout'] != '') { + if (!is_numericint($post['timeout'])) { + $input_errors[]='Timeout is not numeric.'; + } elseif ( $post['timeout'] < 1 || $post['timeout'] > 30 ) { + $input_errors[]='You must enter a valid value for \'Timeout\''; + } } if ($post['buffersend'] != '') { @@ -191,19 +220,22 @@ EOF; $BufferSize=(preg_match("/(\d+)/",$zbagent_config['buffersize'],$matches)? $matches[1] : "100"); $StartAgents=(preg_match("/(\d+)/",$zbagent_config['startagents'],$matches)? $matches[1] :"3" ); $UserParams=base64_decode($zbagent_config['userparams']); - + $ListenIp=($zbagent_config['listenip'] != ''? $zbagent_config['listenip'] : "0.0.0.0"); + $ListenPort=($zbagent_config['listenport'] != ''? $zbagent_config['listenport'] : "10050"); + $TimeOut=($zbagent_config['timeout'] != ''? $zbagent_config['timeout'] : "3"); + $zbagent_conf_file = <<< EOF Server={$zbagent_config['server']} ServerActive={$zbagent_config['serveractive']} Hostname={$zbagent_config['hostname']} -ListenIP={$zbagent_config['listenip']} -ListenPort={$zbagent_config['listenport']} +ListenIP={$ListenIp} +ListenPort={$ListenPort} RefreshActiveChecks={$RefreshActChecks} DebugLevel=3 PidFile=/var/run/zabbix2/zabbix2_agentd.pid LogFile=/var/log/zabbix2/zabbix2_agentd.log LogFileSize=1 -Timeout={$zbagent_config['timeout']} +Timeout={$TimeOut} BufferSend={$BufferSend} BufferSize={$BufferSize} StartAgents={$StartAgents} |