Diffstat (limited to 'packages/squid/squid.inc')
-rw-r--r--packages/squid/squid.inc53
1 files changed, 29 insertions, 24 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index a3c2b5d8..5a716747 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -369,7 +369,8 @@ function squid_resync_general() {
global $g, $config, $valid_acls;
$settings = $config['installedpackages']['squid']['config'][0];
- $conf = '';
+ $conf = "# This file is automatically generated by pfSense\n";
+ $conf = "# Do not edit manually!\n";
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
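Review bot: The second header line assigns `$conf` instead of appending to it, so the `# This file is automatically generated by pfSense` line added one line earlier is thrown away and the generated squid.conf opens with only `# Do not edit manually!`. Change it to `$conf .= "# Do not edit manually!\n";` so both banner lines survive. The rest of squid_resync_general's body lies outside the hunk.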
@@ -407,7 +408,7 @@ error_directory $errordir
visible_hostname $hostname
cache_mgr $email
-cache_access_log $logdir_access
+access_log $logdir_access
cache_log $logdir_cache
cache_store_log none
shutdown_lifetime 3 seconds
@@ -421,16 +422,9 @@ EOD;
$ip = long2ip(ip2long($ip) & ip2long($mask));
$src .= " $ip/$mask";
}
+ $conf .= "Allow local network(s) on interface(s)\n";
$conf .= "acl localnet src $src\n";
$valid_acls[] = 'localnet';
- $conf .= <<<EOD
-acl get method GET
-http_access allow get
-acl post method POST
-http_access allow post
-
-EOD;
-
}
return $conf;
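Review bot: The new line `$conf .= "Allow local network(s) on interface(s)\n";` is missing its leading `#`, so the text is written into squid.conf as a bare line rather than a comment, and squid will not parse it as a valid directive — most likely it refuses the whole config at startup. It should read `$conf .= "# Allow local network(s) on interface(s)\n";`. The `if` block that builds the localnet ACL starts before this hunk, so the condition under which this line is emitted is not visible here.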
@@ -493,9 +487,12 @@ function squid_resync_redirector() {
global $config;
$httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
- if ($httpav_enabled)
- return ('redirect_program /usr/local/bin/squirm');
- return '# No redirector configured';
+ if ($httpav_enabled) {
+ $conf = "redirect_program /usr/local/bin/squirm\n";
+ } else {
+ $conf = "# No redirector configured\n";
+ }
+ return $conf;
}
function squid_resync_nac() {
@@ -505,6 +502,8 @@ function squid_resync_nac() {
$webgui_port = $config['system']['webgui']['port'];
$conf = <<<EOD
+
+# Setup some default acls
acl all src 0.0.0.0/0
acl localhost src 127.0.0.1
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port 1025-65535
@@ -523,11 +522,9 @@ EOD;
}
$options = array( 'unrestricted_hosts' => 'src',
- 'unrestricted_macs' => 'arp',
'banned_hosts' => 'src',
- 'banned_macs' => 'arp',
- 'whitelist' => 'url_regex -i',
- 'blacklist' => 'url_regex -i',
+ 'whitelist' => 'dstdom_regex -i',
+ 'blacklist' => 'dstdom_regex -i',
);
foreach ($options as $option => $directive) {
$contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option]))));
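Review bot: Switching `whitelist` and `blacklist` from `url_regex -i` to `dstdom_regex -i` changes what the user's patterns are matched against — the destination host only instead of the full URL — so any existing entries written against a path or scheme (for example `example\.com/ads`) silently stop matching, and a blacklist that used to block will now let those requests through. Since the entries are user-supplied unanchored regexes, an entry such as `bank.com` also matches `bank.com.attacker.net` under either directive; this commit is a good place to either anchor the generated patterns or document the expected form. At minimum the change in semantics deserves a comment above the `$options` array, e.g. `// whitelist/blacklist are matched against the destination domain only (dstdom_regex), not the full URL`.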
@@ -539,7 +536,7 @@ EOD;
}
$conf .= <<<EOD
-no_cache deny dynamic
+cache deny dynamic
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
@@ -547,6 +544,7 @@ http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
+# Always allow localhost connections
http_access allow localhost
EOD;
@@ -587,7 +585,7 @@ delay_initial_bucket_level 100
EOD;
- foreach (array('unrestricted_hosts', 'unrestricted_macs') as $item) {
+ foreach (array('unrestricted_hosts') as $item) {
if (in_array($item, $valid_acls))
$conf .= "delay_access 1 deny $item\n";
}
@@ -613,7 +611,8 @@ EOD;
$contents .= "\.$ext\$\n";
file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
- $conf .= "acl throttle_exts url_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
+ $conf .= "# Throttle extensions matched in the url\n";
+ $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
$conf .= "delay_access 1 allow throttle_exts\n";
$conf .= "delay_access 1 deny all\n";
}
@@ -631,7 +630,6 @@ function squid_resync_auth() {
// Deny the banned guys before allowing the good guys
$banned = array( 'banned_hosts',
- 'banned_macs',
);
$banned = array_filter($banned, 'squid_is_valid_acl');
foreach ($banned as $acl)
@@ -639,15 +637,22 @@ function squid_resync_auth() {
// Unrestricted hosts take precendence over blacklist
if (squid_is_valid_acl('unrestricted_hosts'))
+ $conf .= "# These hosts do not have any ACL\n";
$conf .= "http_access allow unrestricted_hosts\n";
- if (squid_is_valid_acl('unrestricted_macs'))
- $conf .= "http_access allow unrestricted_macs\n";
+
// Whitelist and blacklist also take precendence
if (squid_is_valid_acl('whitelist'))
+ $conf .= "# Always allow access to whitelist domains\n";
$conf .= "http_access allow whitelist\n";
if (squid_is_valid_acl('blacklist'))
+ $conf .= "# Block access to blacklist domains\n";
$conf .= "http_access deny blacklist\n";
+ // Allow locanet if it is enabled and defined
+ if (squid_is_valid_acl('localnet'))
+ $conf .= "# Allow local network(s) on interface(s)\n";
+ $conf .= "http_access allow localnet\n";
+
$transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
$auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
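Review bot: Each of the four `if (squid_is_valid_acl(...))` statements added or touched here has no braces, so only the newly inserted comment line is conditional and the following `http_access allow unrestricted_hosts`, `http_access allow whitelist`, `http_access deny blacklist` and `http_access allow localnet` directives are emitted unconditionally; when the corresponding ACL was not defined, squid rejects the config for referencing an unknown ACL and the proxy does not come up. Wrapping each pair in braces restores the intended behaviour. Note also that `http_access allow localnet` is placed ahead of the auth handling that follows, so if localnet is defined it admits every local client without authentication — worth confirming that this is intended for non-transparent setups. squid_resync_auth begins and ends outside this hunk.
```php
// … unchanged: banned_hosts deny loop …
// Unrestricted hosts take precendence over blacklist
if (squid_is_valid_acl('unrestricted_hosts')) {
	$conf .= "# These hosts do not have any ACL\n";
	$conf .= "http_access allow unrestricted_hosts\n";
}
// Whitelist and blacklist also take precendence
if (squid_is_valid_acl('whitelist')) {
	$conf .= "# Always allow access to whitelist domains\n";
	$conf .= "http_access allow whitelist\n";
}
if (squid_is_valid_acl('blacklist')) {
	$conf .= "# Block access to blacklist domains\n";
	$conf .= "http_access deny blacklist\n";
}
// Allow localnet if it is enabled and defined
if (squid_is_valid_acl('localnet')) {
	$conf .= "# Allow local network(s) on interface(s)\n";
	$conf .= "http_access allow localnet\n";
}
// … unchanged: transparent_proxy / auth_method handling …
```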
@@ -717,7 +722,7 @@ EOD;
$conf .= "http_access allow password $acl\n";
}
-
+ $conf .= "# Default block all to be sure\n";
$conf .= "http_access deny all\n";
return $conf;