Diffstat (limited to 'packages/squid/squid.inc')
-rw-r--r-- | packages/squid/squid.inc | 53 |
1 files changed, 29 insertions, 24 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc index a3c2b5d8..5a716747 100644 --- a/packages/squid/squid.inc +++ b/packages/squid/squid.inc @@ -369,7 +369,8 @@ function squid_resync_general() { global $g, $config, $valid_acls; $settings = $config['installedpackages']['squid']['config'][0]; - $conf = ''; + $conf = "# This file is automatically generated by pfSense\n"; + $conf = "# Do not edit manually!\n"; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); @@ -407,7 +408,7 @@ error_directory $errordir visible_hostname $hostname cache_mgr $email -cache_access_log $logdir_access +access_log $logdir_access cache_log $logdir_cache cache_store_log none shutdown_lifetime 3 seconds @@ -421,16 +422,9 @@ EOD; $ip = long2ip(ip2long($ip) & ip2long($mask)); $src .= " $ip/$mask"; } + $conf .= "Allow local network(s) on interface(s)\n"; $conf .= "acl localnet src $src\n"; $valid_acls[] = 'localnet'; - $conf .= <<<EOD -acl get method GET -http_access allow get -acl post method POST -http_access allow post - -EOD; - } return $conf; @@ -493,9 +487,12 @@ function squid_resync_redirector() { global $config; $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); - if ($httpav_enabled) - return ('redirect_program /usr/local/bin/squirm'); - return '# No redirector configured'; + if ($httpav_enabled) { + $conf = "redirect_program /usr/local/bin/squirm\n"; + } else { + $conf = "# No redirector configured\n"; + } + return $conf; } function squid_resync_nac() { @@ -505,6 +502,8 @@ function squid_resync_nac() { $webgui_port = $config['system']['webgui']['port']; $conf = <<<EOD + +# Setup some default acls acl all src 0.0.0.0/0 acl localhost src 127.0.0.1 acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port 1025-65535 
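Review bot: The second of the two new header assignments in squid_resync_general() uses `=` rather than `.=`, so it overwrites the first and the generated file begins with only `# Do not edit manually!`; the "automatically generated by pfSense" line never reaches squid.conf. The fix is the one character: `$conf .= "# Do not edit manually!\n";`. The rest of squid_resync_general() continues outside the hunk.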
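Review bot: The new line `$conf .= "Allow local network(s) on interface(s)\n";` in the -421,16 hunk is missing the `#` prefix, so the text is written into squid.conf as a directive rather than a comment, exactly where the `acl localnet` line is emitted. Squid reports that as an unrecognized directive; depending on the version it either logs and skips it or refuses the configuration at startup, and either way the package ships an invalid config line whenever local-network access is enabled. It should read `$conf .= "# Allow local network(s) on interface(s)\n";`. The conditional block this sits in begins outside the hunk; only its closing brace is visible.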
@@ -523,11 +522,9 @@ EOD; } $options = array( 'unrestricted_hosts' => 'src', - 'unrestricted_macs' => 'arp', 'banned_hosts' => 'src', - 'banned_macs' => 'arp', - 'whitelist' => 'url_regex -i', - 'blacklist' => 'url_regex -i', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', ); foreach ($options as $option => $directive) { $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option])))); @@ -539,7 +536,7 @@ EOD; } $conf .= <<<EOD -no_cache deny dynamic +cache deny dynamic http_access allow manager localhost http_access deny manager http_access allow purge localhost @@ -547,6 +544,7 @@ http_access deny purge http_access deny !safeports http_access deny CONNECT !sslports +# Always allow localhost connections http_access allow localhost EOD; @@ -587,7 +585,7 @@ delay_initial_bucket_level 100 EOD; - foreach (array('unrestricted_hosts', 'unrestricted_macs') as $item) { + foreach (array('unrestricted_hosts') as $item) { if (in_array($item, $valid_acls)) $conf .= "delay_access 1 deny $item\n"; } @@ -613,7 +611,8 @@ EOD; $contents .= "\.$ext\$\n"; file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); - $conf .= "acl throttle_exts url_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; + $conf .= "# Throttle extensions matched in the url\n"; + $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; $conf .= "delay_access 1 allow throttle_exts\n"; $conf .= "delay_access 1 deny all\n"; } @@ -631,7 +630,6 @@ function squid_resync_auth() { // Deny the banned guys before allowing the good guys $banned = array( 'banned_hosts', - 'banned_macs', ); $banned = array_filter($banned, 'squid_is_valid_acl'); foreach ($banned as $acl) 
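Review bot: Changing `whitelist`/`blacklist` from `url_regex -i` to `dstdom_regex -i` silently alters what existing entries match: patterns users wrote against the full URL (`^http://`, path components) will no longer match a bare destination host name, so an existing blacklist can stop blocking after this upgrade without any warning. `dstdom_regex` is also unanchored, so an entry such as `example\.com` matches `example.com.attacker.net`, and because whitelist hits are allowed ahead of the authentication rules and the final `http_access deny all` later in this file, an over-broad whitelist entry becomes a proxy bypass. Dropping `banned_macs`/`unrestricted_macs` from the options table likewise removes MAC-based bans that existing configurations may rely on, with no migration. At minimum the semantics should be documented next to the option table, e.g. `// whitelist/blacklist are dstdom_regex: matched against the destination host only, unanchored — entries should use ^ and $`, and ideally existing entries validated or migrated on upgrade. The loop that writes these ACL files continues past the hunk.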
@@ -639,15 +637,22 @@ function squid_resync_auth() { // Unrestricted hosts take precendence over blacklist if (squid_is_valid_acl('unrestricted_hosts')) + $conf .= "# These hosts do not have any ACL\n"; $conf .= "http_access allow unrestricted_hosts\n"; - if (squid_is_valid_acl('unrestricted_macs')) - $conf .= "http_access allow unrestricted_macs\n"; + // Whitelist and blacklist also take precendence if (squid_is_valid_acl('whitelist')) + $conf .= "# Always allow access to whitelist domains\n"; $conf .= "http_access allow whitelist\n"; if (squid_is_valid_acl('blacklist')) + $conf .= "# Block access to blacklist domains\n"; $conf .= "http_access deny blacklist\n"; + // Allow locanet if it is enabled and defined + if (squid_is_valid_acl('localnet')) + $conf .= "# Allow local network(s) on interface(s)\n"; + $conf .= "http_access allow localnet\n"; + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); @@ -717,7 +722,7 @@ EOD; $conf .= "http_access allow password $acl\n"; } - + $conf .= "# Default block all to be sure\n"; $conf .= "http_access deny all\n"; return $conf; |
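Review bot: Each comment line added after a brace-less `if (squid_is_valid_acl(...))` becomes the only statement the condition guards, so `http_access allow unrestricted_hosts`, `http_access allow whitelist`, `http_access deny blacklist` and the new `http_access allow localnet` are now emitted unconditionally. When the corresponding ACL was not defined, squid.conf references an unknown ACL name, which squid treats as a fatal configuration error, and the `localnet` allow is written even when local-network access is disabled, contrary to the "if it is enabled and defined" comment. Wrapping each condition and its two statements in braces restores the intended behaviour (below). squid_resync_auth() starts and ends outside this hunk.
```php
if (squid_is_valid_acl('unrestricted_hosts')) {
    $conf .= "# These hosts do not have any ACL\n";
    $conf .= "http_access allow unrestricted_hosts\n";
}
// Whitelist and blacklist also take precedence
if (squid_is_valid_acl('whitelist')) {
    $conf .= "# Always allow access to whitelist domains\n";
    $conf .= "http_access allow whitelist\n";
}
if (squid_is_valid_acl('blacklist')) {
    $conf .= "# Block access to blacklist domains\n";
    $conf .= "http_access deny blacklist\n";
}
// Allow localnet only if it is enabled and defined
if (squid_is_valid_acl('localnet')) {
    $conf .= "# Allow local network(s) on interface(s)\n";
    $conf .= "http_access allow localnet\n";
}
// … unchanged: transparent_proxy / auth_method setup …
```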