Diffstat (limited to 'config')
-rwxr-xr-x | config/squid3/34/squid_reverse.inc | 145 |
1 files changed, 82 insertions, 63 deletions
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc
index f583ee12..2b57e99f 100755
--- a/config/squid3/34/squid_reverse.inc
+++ b/config/squid3/34/squid_reverse.inc
@@ -1,10 +1,11 @@
 <?php
-/* $Id$ */
 /*
 squid_reverse.inc
+ part of pfSense (https://www.pfSense.org/)
 Copyright (C) 2012 Martin Fuchs
 Copyright (C) 2012-2014 Marcello Coutinho
 Copyright (C) 2013 Gekkenhuis
+ Copyright (C) 2015 ESF, LLC
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
@@ -28,19 +29,25 @@
 ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGE.
 */
+require_once('certs.inc');
+require_once('squid.inc');
 function squid_resync_reverse() {
- global $config;
+ global $config, $settings, $reverse_peers, $reverse_maps, $reverse_redir, $casnr;
- //CONFIG FILE
- if (is_array($config['installedpackages']['squidreversegeneral']))
+ // config file
+ if (is_array($config['installedpackages']['squidreversegeneral'])) {
 $settings = $config['installedpackages']['squidreversegeneral']['config'][0];
- if (is_array($config['installedpackages']['squidreversepeer']))
- $reverse_peers=$config['installedpackages']['squidreversepeer']['config'];
- if (is_array($config['installedpackages']['squidreverseuri']))
- $reverse_maps=$config['installedpackages']['squidreverseuri']['config'];
- if (is_array($config['installedpackages']['squidreverseredir']))
- $reverse_redir=$config['installedpackages']['squidreverseredir']['config'];
+ }
+ if (is_array($config['installedpackages']['squidreversepeer'])) {
+ $reverse_peers = $config['installedpackages']['squidreversepeer']['config'];
+ }
+ if (is_array($config['installedpackages']['squidreverseuri'])) {
+ $reverse_maps = $config['installedpackages']['squidreverseuri']['config'];
+ }
+ if (is_array($config['installedpackages']['squidreverseredir'])) {
+ $reverse_redir = $config['installedpackages']['squidreverseredir']['config'];
+ }
 $conf = "# Reverse Proxy settings\n";
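Review bot: The new `global $config, $settings, $reverse_peers, $reverse_maps, $reverse_redir, $casnr;` line promotes the function's working variables to process-wide globals, so when a config section such as `squidreversepeer` is absent, the later `is_array($reverse_peers)` check sees whatever an earlier call or include left in that global rather than an unset local. If only `$casnr` needs to be shared with another function, keep the rest local, or at least reset them before the lookups with `$reverse_peers = $reverse_maps = $reverse_redir = array();`. The function body continues past the end of the hunk.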
@@ -48,39 +55,42 @@ function squid_resync_reverse() {
 $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
 if ($svr_cert != false) {
 if (base64_decode($svr_cert['crt'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",sq_text_area_decode($svr_cert['crt']));
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", sq_text_area_decode($svr_cert['crt']));
 $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
 }
 if (base64_decode($svr_cert['prv'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",sq_text_area_decode($svr_cert['prv']));
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", sq_text_area_decode($svr_cert['prv']));
 $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
 }
 }
 }
- if (!empty($settings['reverse_int_ca']))
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
+ if (!empty($settings['reverse_int_ca'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX);
+ }
 $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
 $real_ifaces = array();
 // set HTTP port and defsite
- $http_port=(empty($settings['reverse_http_port'])?"80":$settings['reverse_http_port']);
- $http_defsite=(empty($settings['reverse_http_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_http_defsite']);
+ $http_port = (empty($settings['reverse_http_port']) ? "80" : $settings['reverse_http_port']);
+ $http_defsite = (empty($settings['reverse_http_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_http_defsite']);
 // set HTTPS port and defsite
- $https_port=(empty($settings['reverse_https_port'])?"443":$settings['reverse_https_port']);
- $https_defsite=(empty($settings['reverse_https_defsite'])?$settings['reverse_external_fqdn']:$settings['reverse_https_defsite']);
+ $https_port = (empty($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']);
+ $https_defsite = (empty($settings['reverse_https_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_https_defsite']);
 foreach (explode(",", $ifaces) as $i => $iface) {
 $real_ifaces[] = squid_get_real_interface_address($iface);
 if ($real_ifaces[$i][0]) {
 //HTTP
- if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ if ((!empty($settings['reverse_http'])) || ($settings['reverse_owa_autodiscover'] == 'on')) {
 $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ }
 //HTTPS
- if (!empty($settings['reverse_https']))
+ if (!empty($settings['reverse_https'])) {
 $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
 }
 }
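Review bot: `file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", sq_text_area_decode($svr_cert['prv']))` writes the private key with whatever mode the process umask yields and ignores the return value; follow it with `chmod(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", 0600);` and treat a false return as a resync failure. Further down, the `https_port ... cert={$reverse_crt} key={$reverse_key}` line is emitted whenever `reverse_https` is set, even if neither `$reverse_crt` nor `$reverse_key` was assigned in this hunk, which yields a squid directive with empty paths; guard it with `if (!empty($settings['reverse_https']) && !empty($reverse_crt) && !empty($reverse_key)) {`. The `reverse_int_ca` append also sits after the three closing braces, so it appears to run even when `$svr_cert` was false and no certificate was written; confirm that is intended. squid_resync_reverse() starts before and continues after this hunk.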
@@ -88,15 +98,17 @@ function squid_resync_reverse() {
 $reverse_ip = explode(";", ($settings['reverse_ip']));
 foreach ($reverse_ip as $reip) {
 //HTTP
- if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ if ((!empty($settings['reverse_http'])) || ($settings['reverse_owa_autodiscover'] == 'on')) {
 $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ }
 //HTTPS
- if (!empty($settings['reverse_https']))
+ if (!empty($settings['reverse_https'])) {
 $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
 }
 }
- //PEERS
+ // peers
 if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) {
 if (!empty($settings['reverse_owa_ip'])) {
 $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
@@ -109,33 +121,34 @@ function squid_resync_reverse() {
 }
 }
- $active_peers=array();
+ $active_peers = array();
 if (is_array($reverse_peers)) {
 foreach ($reverse_peers as $rp) {
- if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !="") {
- $conf_peer = "#{$rp['description']}\n";
- $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
- if ($rp['protocol'] == 'HTTPS')
- $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
- $conf_peer .= "name=rvp_{$rp['name']}\n\n";
-
- // add peer only if reverse proxy is enabled for http
- if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on") {
- $conf .= $conf_peer;
- array_push($active_peers,$rp['name']);
- }
- // add peer only if if reverse proxy is enabled for https
- if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on") {
- if (!in_array($rp['name'],$active_peers)) {
+ if ($rp['enable'] == "on" && $rp['name'] != "" && $rp['ip'] != "" && $rp['port'] != "") {
+ $conf_peer = "#{$rp['description']}\n";
+ $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin ";
+ if ($rp['protocol'] == 'HTTPS') {
+ $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
+ }
+ $conf_peer .= "name=rvp_{$rp['name']}\n\n";
+
+ // add peer only if reverse proxy is enabled for http
+ if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] == "on") {
 $conf .= $conf_peer;
- array_push($active_peers,$rp['name']);
+ array_push($active_peers, $rp['name']);
+ }
+ // add peer only if if reverse proxy is enabled for https
+ if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] == "on") {
+ if (!in_array($rp['name'], $active_peers)) {
+ $conf .= $conf_peer;
+ array_push($active_peers, $rp['name']);
 }
 }
 }
 }
 }
- //REDIRECTS
+ // redirects
 if (is_array($reverse_redir)) {
 foreach ($reverse_redir as $rdr) {
 if ($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
@@ -167,25 +180,30 @@ function squid_resync_reverse() {
 }
 }
- //ACLS and MAPPINGS
+ // ACLs and mappings
 //create an empty owa_dirs to populate based on user selected options
- $owa_dirs=array();
- if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on") {
+ $owa_dirs = array();
+ if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] == "on") {
 if (!empty($settings['reverse_owa_ip'])) {
- array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB');
- if ($settings['reverse_owa_activesync'])
- array_push($owa_dirs,'Microsoft-Server-ActiveSync');
- if ($settings['reverse_owa_rpchttp'])
- array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
- if ($settings['reverse_owa_mapihttp'])
- array_push($owa_dirs,'mapi');
- if ($settings['reverse_owa_webservice'])
- array_push($owa_dirs,'EWS');
+ array_push($owa_dirs, 'owa', 'exchange', 'public', 'exchweb', 'ecp', 'OAB');
+ if ($settings['reverse_owa_activesync']) {
+ array_push($owa_dirs, 'Microsoft-Server-ActiveSync');
+ }
+ if ($settings['reverse_owa_rpchttp']) {
+ array_push($owa_dirs, 'rpc/rpcproxy.dll', 'rpcwithcert/rpcproxy.dll');
+ }
+ if ($settings['reverse_owa_mapihttp']) {
+ array_push($owa_dirs, 'mapi');
+ }
+ if ($settings['reverse_owa_webservice']) {
+ array_push($owa_dirs, 'EWS');
+ }
 }
 if (is_array($owa_dirs)) {
- foreach ($owa_dirs as $owa_dir)
+ foreach ($owa_dirs as $owa_dir) {
 $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+ }
 }
 if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) {
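Review bot: The rebuilt `cache_peer` line still hard-codes `ssl sslflags=DONT_VERIFY_PEER front-end-https=auto` for every HTTPS peer, so the proxy accepts any certificate the origin presents; verification should be the default, with DONT_VERIFY_PEER exposed as an explicit per-peer opt-out. `$rp['description']`, `$rp['name']`, `$rp['ip']` and `$rp['port']` are also interpolated straight into squid.conf, so a line break in the description field would end the `#` comment and start a new directive; strip them, e.g. `$conf_peer = "#" . str_replace(array("\r", "\n"), ' ', $rp['description']) . "\n";`, and validate the address and port before use. These values come from the package configuration loaded earlier in the function, so only someone who can edit that configuration can supply them. The enclosing foreach and the function continue outside the hunk.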
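Review bot: `$conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";` interpolates the FQDN and the directory names into a regex without escaping, so each `.` matches any character and the ACL is looser than the literal hostname suggests (`rpc/rpcproxy.dll` has the same issue). Escape the metacharacters before interpolation, e.g. `$owa_fqdn = str_replace('.', '\\.', $settings['reverse_external_fqdn']);` above the loop and use `{$owa_fqdn}` in the pattern. The `if (is_array($owa_dirs))` guard is always true now that `$owa_dirs = array();` precedes it and can be dropped. The enclosing function continues outside the hunk.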
@@ -199,31 +217,31 @@ function squid_resync_reverse() {
 //$conf .= "ssl_unclean_shutdown on";
 if (is_array($reverse_maps)) {
 foreach ($reverse_maps as $rm) {
- if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!="" && is_array($rm['row'])) {
+ if ($rm['enable'] == "on" && $rm['name'] != "" && $rm['peers'] != "" && is_array($rm['row'])) {
 foreach ($rm['row'] as $uri) {
- $url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] );
+ $url_regex = ($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] );
 //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n";
 $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n";
 if ($rm['name'] != $last_rm_name) {
 $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n";
 $http_access_conf .= "http_access allow rvm_{$rm['name']}\n";
- foreach (explode(',',$rm['peers']) as $map_peer) {
- if (in_array($map_peer,$active_peers)) {
+ foreach (explode(',', $rm['peers']) as $map_peer) {
+ if (in_array($map_peer, $active_peers)) {
 $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n";
 $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n";
 }
 }
- $last_rm_name=$rm['name'];
+ $last_rm_name = $rm['name'];
 }
 }
 }
 }
 }
- //ACCESS
- if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
+ // access
+ if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] == "on") {
- for ($cascnt=1;$cascnt<$casnr+1;$cascnt++) {
+ for ($cascnt = 1; $cascnt < $casnr + 1; $cascnt++) {
 $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n";
 $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n";
 $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n";
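Review bot: `if ($rm['name'] != $last_rm_name) {` reads `$last_rm_name` on the first iteration before the hunk assigns it (`$last_rm_name = $rm['name'];` comes later in the loop), which is an undefined-variable notice unless it is initialised above the hunk; add `$last_rm_name = '';` before the `foreach ($reverse_maps as $rm)` loop. The reformatted `for ($cascnt = 1; $cascnt < $casnr + 1; $cascnt++)` reads more naturally as `for ($cascnt = 1; $cascnt <= $casnr; $cascnt++)`, and since `$casnr` is only made a global by this commit and is presumably set by the OWA peer block, an unset value silently skips the loop; consider `(int) $casnr` with an explicit check. The block continues past the hunk.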
@@ -236,8 +254,9 @@ function squid_resync_reverse() {
 $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n";
- if (!empty($settings['deny_info_tcp_reset']))
+ if (!empty($settings['deny_info_tcp_reset'])) {
 $conf .= "deny_info TCP_RESET allsrc\n";
+ }
 return $conf;
 }