aboutsummaryrefslogtreecommitdiffstats
path: root/packages/squid
diff options
context:
space:
mode:
Diffstat (limited to 'packages/squid')
-rw-r--r--packages/squid/proxy_monitor.sh69
-rw-r--r--packages/squid/squid.inc926
-rw-r--r--packages/squid/squid.xml187
-rw-r--r--packages/squid/squid_auth.inc446
-rw-r--r--packages/squid/squid_auth.xml159
-rw-r--r--packages/squid/squid_cache.xml150
-rw-r--r--packages/squid/squid_extauth.xml62
-rw-r--r--packages/squid/squid_nac.xml101
-rw-r--r--packages/squid/squid_ng.inc1067
-rw-r--r--packages/squid/squid_ng.xml222
-rw-r--r--packages/squid/squid_traffic.xml110
-rw-r--r--packages/squid/squid_upstream.xml87
-rw-r--r--packages/squid/squid_users.xml74
13 files changed, 3660 insertions, 0 deletions
diff --git a/packages/squid/proxy_monitor.sh b/packages/squid/proxy_monitor.sh
new file mode 100644
index 00000000..d0035d1a
--- /dev/null
+++ b/packages/squid/proxy_monitor.sh
@@ -0,0 +1,69 @@
+#!/bin/sh
+# $Id$ */
+#
+# proxy_monitor.sh
+# Copyright (C) 2006 Scott Ullrich
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+set -e
+
+LOOP_SLEEP=300
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
+# Squid monitor 1.0
+while [ /bin/true ]; do
+ if [ ! -f /var/run/squid_alarm ]; then
+ NUM_PROCS=`ps awux | grep "squid -D" | grep -v "grep" | wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # squid is down
+ echo "Squid has exited. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm
+ /usr/local/etc/rc.d/squid.sh start
+ sleep 3
+ echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure_sync
+ touch /var/run/squid_alarm
+ fi
+ fi
+ NUM_PROCS=`ps awux | grep "squid -D" | grep -v "grep" | wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/squid_alarm ]; then
+ echo "Squid has resumed. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure_sync
+ rm /var/run/squid_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
+done
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
new file mode 100644
index 00000000..5bd9fb1d
--- /dev/null
+++ b/packages/squid/squid.inc
@@ -0,0 +1,926 @@
+<?php
+/* $Id$ */
+/*
+ squid.inc
+ Copyright (C) 2006 Scott Ullrich
+ Copyright (C) 2006 Fernando Lemos
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+*/
+
+require_once('globals.inc');
+require_once('config.inc');
+require_once('util.inc');
+require_once('pfsense-utils.inc');
+require_once('pkg-utils.inc');
+require_once('filter.inc');
+require_once('service-utils.inc');
+
+define('SQUID_CONFBASE', '/usr/local/etc/squid');
+define('SQUID_ACLDIR', '/var/squid/acl');
+define('SQUID_PASSWD', '/var/etc/squid.passwd');
+
+$valid_acls = array();
+
+
+function squid_get_real_interface_address($iface) {
+ global $config;
+
+ $iface = convert_friendly_interface_to_real_interface_name($iface);
+ $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
+ list($dummy, $ip, $dummy2, $netmask) = explode(' ', $line);
+
+ return array($ip, long2ip(hexdec($netmask)));
+}
+
+function squid_chown_recursive($dir, $user, $group) {
+ chown($dir, $user);
+ chgrp($dir, $group);
+ $handle = opendir($dir) ;
+ while (($item = readdir($handle)) !== false) {
+ if (($item != ".") && ($item != "..")) {
+ $path = "$dir/$item";
+ if (is_dir($path))
+ squid_chown_recursive($path, $user, $group);
+ else {
+ chown($path, $user);
+ chgrp($path, $group);
+ }
+ }
+ }
+}
+
+/* setup cache */
+function squid_dash_z() {
+ global $config;
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+
+ if(!is_dir($cachedir.'/')) {
+ log_error("Creating Squid cache dir $cachedir");
+ make_dirs($cachedir);
+ squid_chown_recursive($cachedir, 'proxy', 'proxy');
+ }
+
+ if(!is_dir($cachedir.'/00/')) {
+ log_error("Creating squid cache subdirs in $cachedir");
+ mwexec("/usr/local/sbin/squid -z");
+ }
+
+}
+
+function squid_is_valid_acl($acl) {
+ global $valid_acls;
+ if(!is_array($valid_acls))
+ return;
+ return in_array($acl, $valid_acls);
+}
+
+function squid_install_command() {
+ global $config;
+
+ /* create cache */
+ squid_dash_z();
+ /* make sure pinger is executable */
+ exec("/bin/chmod a+x /usr/local/libexec/squid/pinger");
+ exec("/bin/rm /usr/local/etc/rc.d/squid");
+ $rc = array();
+ $rc['file'] = 'squid.sh';
+ $rc['start'] = '/usr/local/sbin/squid -D';
+ $rc['stop'] = <<<EOD
+/usr/local/sbin/squid -k shutdown
+# Just to be sure...
+sleep 5
+killall -9 squid 2>/dev/null
+killall pinger 2>/dev/null
+
+EOD;
+ $rc['restart'] = <<<EOD
+if [ -z "`pgrep squid`" ]; then
+ /usr/local/sbin/squid -D
+ else
+ /usr/local/sbin/squid -k reconfigure
+ fi
+
+EOD;
+ write_rcfile($rc);
+
+ foreach (array( SQUID_CONFBASE,
+ SQUID_ACLDIR,
+ ) as $dir) {
+ make_dirs($dir);
+ squid_chown_recursive($dir, 'proxy', 'proxy');
+ }
+
+ /* kill any running proxy alarm scripts */
+ log_error("Stopping any running proxy monitors");
+ mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill");
+ sleep(1);
+ /* restart proxy alarm scripts */
+ log_error("Starting a proxy monitor script");
+ mwexec_bg("/usr/local/etc/rc.d/proxy_monitor.sh");
+
+ if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default'))
+ copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf');
+
+ squid_dash_z();
+
+ if (!is_service_running('squid')) {
+ log_error("Starting Squid");
+ mwexec_bg("/usr/local/sbin/squid -D");
+ } else {
+ log_error("Reloading Squid for configuration sync");
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ }
+
+ filter_configure();
+
+}
+
+function squid_deinstall_command() {
+ global $config;
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/log');
+
+ mwexec('rm -rf $cachedir');
+ mwexec('rm -rf $logdir');
+ mwexec('rm -f /usr/local/etc/rc.d/proxy_monitor.sh');
+ mwexec("ps awux | grep \"proxy_monitor\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
+ filter_configure();
+}
+
+function squid_before_form_general($pkg) {
+ $values = get_dir(SQUID_CONFBASE . '/errors/');
+ // Get rid of '..' and '.'
+ array_shift($values);
+ array_shift($values);
+ $name = array();
+ foreach ($values as $value)
+ $names[] = implode(' ', explode('_', $value));
+
+ $i = 0;
+ foreach ($pkg['fields']['field'] as $field) {
+ if ($field['fieldname'] == 'error_language')
+ break;
+ $i++;
+ }
+ $field = &$pkg['fields']['field'][$i];
+
+ for ($i = 0; $i < count($values) - 1; $i++)
+ $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
+}
+
+function squid_validate_general($post, $input_errors) {
+ global $config;
+ $icp_port = trim($post['icp_port']);
+ if (!empty($icp_port) && !is_port($icp_port))
+ $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field';
+
+ if (substr($post['log_dir'], -1, 1) == '/')
+ $input_errors[] = 'You may not end log location with an / mark';
+
+ if ($post['log_dir']{0} != '/')
+ $input_errors[] = 'You must start log location with a / mark';
+ if (strlen($post['log_dir']) <= 3)
+ $input_errors[] = "That is not a valid log location dir";
+
+ if (($post['transparent_proxy'] == 'on')) {
+ $port = 80;
+ } else {
+ $port = trim($post['proxy_port']);
+ }
+
+ $webgui_port = $config['system']['webgui']['port'];
+ if($config['system']['webgui']['port'] == "") {
+ $webgui_port = 80;
+ }
+
+ if ($port == $webgui_port) {
+ $input_errors[] = "You can not run squid on the same port as the webgui";
+ }
+}
+
+function squid_validate_upstream($post, $input_errors) {
+ if ($post['proxy_forwarding'] == 'on') {
+ $addr = trim($post['proxy_addr']);
+ if (empty($addr))
+ $input_errors[] = 'The field \'Hostname\' is required';
+ else {
+ if (!is_ipaddr($addr) && !is_domain($addr))
+ $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
+ }
+
+ foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) {
+ $port = trim($post[$field]);
+ if (empty($port))
+ $input_errors[] = "The field '$name' is required";
+ else {
+ if (!is_port($port))
+ $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
+ }
+ }
+ }
+}
+
+function squid_validate_cache($post, $input_errors) {
+ $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size',
+ 'memory_cache_size' => 'Memory cache size',
+ 'maximum_object_size' => 'Maximum object size',
+ );
+ foreach ($num_fields as $field => $name) {
+ $value = trim($post[$field]);
+ if (!is_numeric($value) || ($value < 1))
+ $input_errors[] = "You must enter a valid value for '$field'";
+ }
+
+ $value = trim($post['minimum_object_size']);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
+
+ if ($post['donotcache'] != "") {
+ foreach (explode(',', $post['donotcache']) as $host) {
+ $host = trim($host);
+ if (!is_ipaddr($host) && !is_domain($host))
+ $input_errors[] = "The host '$host' is not a valid IP or host name";
+ }
+ }
+
+}
+
+function squid_validate_nac($post, $input_errors) {
+ $allowed_subnets = explode(',', trim($post['allowed_subnets']));
+ foreach ($allowed_subnets as $subnet) {
+ $subnet = trim($subnet);
+ if (!empty($subnet) && !is_subnet($subnet))
+ $input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
+ }
+
+ foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
+ foreach (explode(',', $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host))
+ $input_errors[] = "The host '$host' is not a valid IP address";
+ }
+ }
+
+ foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
+ foreach (explode(',', $post[$macs]) as $mac) {
+ $mac = trim($mac);
+ if (!empty($mac) && !is_macaddr($mac))
+ $input_errors[] = "The mac '$mac' is not a valid MAC address";
+ }
+ }
+
+ foreach (explode(',', $post['timelist']) as $time) {
+ $time = trim($time);
+ if (!empty($time) && !squid_is_timerange($time))
+ $input_errors[] = "The time range '$time' is not a valid time range";
+ }
+}
+
+function squid_validate_traffic($post, $input_errors) {
+ $num_fields = array( 'max_download_size' => 'Maximum download size',
+ 'max_upload_size' => 'Maximum upload size',
+ 'perhost_throttling' => 'Per-host bandwidth throttling',
+ 'overall_throttling' => 'Overall bandwidth throttling',
+ );
+ foreach ($num_fields as $field => $name) {
+ $value = trim($post[$field]);
+ if (!is_numeric($value) || ($value < 0))
+ $input_errors[] = "The field '$name' must contain a positive number";
+ }
+}
+
+function squid_validate_auth($post, $input_errors) {
+ $num_fields = array( array('auth_processes', 'Authentication processes', 1),
+ array('auth_ttl', 'Authentication TTL', 0),
+ );
+ foreach ($num_fields as $field) {
+ $value = trim($post[$field[0]]);
+ if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
+ $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}";
+ }
+
+ $auth_method = $post['auth_method'];
+ if (($auth_method != 'none') && ($auth_method != 'local')) {
+ $server = trim($post['auth_server']);
+ if (empty($server))
+ $input_errors[] = 'The field \'Authentication server\' is required';
+ else if (!is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name';
+
+ $port = trim($post['auth_server_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
+
+ switch ($auth_method) {
+ case 'ldap':
+ $user = trim($post['ldap_user']);
+ if (empty($user))
+ $input_errors[] = 'The field \'LDAP server user DN\' is required';
+ else if (!$user)
+ $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
+ break;
+ case 'radius':
+ $secret = trim($post['radius_secret']);
+ if (empty($secret))
+ $input_errors[] = 'The field \'RADIUS secret\' is required';
+ break;
+ case 'msnt':
+ foreach (explode(trim($post['msnt_secondary'])) as $server) {
+ if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
+ $input_errors[] = "The host '$server' is not a valid IP address or domain name";
+ }
+ break;
+ }
+
+ $no_auth = explode(',', trim($post['no_auth_hosts']));
+ foreach ($no_auth as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_subnet($host))
+ $input_errors[] = "The host '$host' is not a valid CIDR range";
+ }
+ }
+}
+
+function squid_resync_general() {
+ global $g, $config, $valid_acls;
+
+ $settings = $config['installedpackages']['squid']['config'][0];
+ $conf = '';
+
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
+ $real_ifaces = array();
+ foreach (explode(',', $ifaces) as $i => $iface) {
+ $real_ifaces[] = squid_get_real_interface_address($iface);
+ if($real_ifaces[$i][0])
+ $conf .= "http_port {$real_ifaces[$i][0]}";
+ if (($settings['transparent_proxy'] == 'on')) {
+ $conf .= ":80 transparent\n";
+ } else {
+ $conf .= ":$port\n";
+ }
+ }
+
+ $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0);
+
+ $pidfile = "{$g['varrun_path']}/squid.pid";
+ $language = ($settings['error_language'] ? $settings['error_language'] : 'English');
+ $errordir = SQUID_CONFBASE . '/errors/' . $language;
+ $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost');
+ $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost');
+
+ $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/log');
+
+ $logdir_cache = $logdir . '/cache.log';
+ $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
+
+ $conf .= <<<EOD
+icp_port $icp_port
+
+pid_filename $pidfile
+cache_effective_user proxy
+cache_effective_group proxy
+error_directory $errordir
+visible_hostname $hostname
+cache_mgr $email
+
+cache_access_log $logdir_access
+cache_log $logdir_cache
+cache_store_log none
+shutdown_lifetime 3 seconds
+
+EOD;
+
+ if ($settings['allow_interface'] == 'on') {
+ $src = '';
+ foreach ($real_ifaces as $iface) {
+ list($ip, $mask) = $iface;
+ $ip = long2ip(ip2long($ip) & ip2long($mask));
+ $src .= " $ip/$mask";
+ }
+ $conf .= "acl localnet src $src\n";
+ $valid_acls[] = 'localnet';
+ $conf .= <<<EOD
+acl get method GET
+http_access allow get
+acl post method POST
+http_access allow post
+
+EOD;
+
+ }
+
+ return $conf;
+}
+
+function squid_resync_cache() {
+ global $config;
+
+ $settings = $config['installedpackages']['squidcache']['config'][0];
+
+ $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
+ $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
+ $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16);
+ $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8);
+ $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] : 10);
+ $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0);
+ $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA');
+ $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF');
+ $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off');
+
+ $conf = <<<EOD
+cache_dir diskd $cachedir $disk_cache_size $level1 256
+cache_mem $memory_cache_size MB
+maximum_object_size $max_objsize KB
+minimum_object_size $min_objsize KB
+cache_replacement_policy $cache_policy
+memory_replacement_policy $memory_policy
+offline_mode $offline_mode
+
+EOD;
+
+ $donotcache = trim(implode("\n", array_map('trim', explode(',', $settings['donotcache']))));
+ if (!empty($donotcache)) {
+ file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
+ $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
+ $conf .= 'no_cache deny donotcache';
+ }
+
+ return $conf;
+}
+
+function squid_resync_upstream() {
+ global $config;
+ $settings = $config['installedpackages']['squidupstream']['config'][0];
+
+ $conf = '';
+ if ($settings['proxy_forwarding'] == 'on') {
+ $conf .= "cache_peer {$settings['proxy_addr']} parent {$settings['proxy_port']} {$settings['icp_port']} ";
+
+ if (!empty($settings['username']))
+ $conf .= " login={$settings['username']}";
+ if (!empty($settings['password']))
+ $conf .= ":{$settings['password']}";
+ }
+
+ return $conf;
+}
+
+function squid_resync_redirector() {
+ global $config;
+
+ $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
+ if ($httpav_enabled)
+ return ('redirect_program /usr/local/bin/squirm');
+ return '# No redirector configured';
+}
+
+function squid_resync_nac() {
+ global $config, $valid_acls;
+
+ $settings = $config['installedpackages']['squidnac']['config'][0];
+ $webgui_port = $config['system']['webgui']['port'];
+
+ $conf = <<<EOD
+acl all src 0.0.0.0/0
+acl localhost src 127.0.0.1
+acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port 1025-65535
+acl sslports port 443 563 $webgui_port
+acl manager proto cache_object
+acl purge method PURGE
+acl connect method CONNECT
+acl dynamic urlpath_regex cgi-bin \?
+
+EOD;
+
+ $allowed = implode(' ', array_map('trim', explode(',', $settings['allowed_subnets'])));
+ if (!empty($allowed)) {
+ $conf .= "acl allowed_subnets src $allowed\n";
+ $valid_acls[] = 'allowed_subnets';
+ }
+
+ $options = array( 'unrestricted_hosts' => 'src',
+ 'unrestricted_macs' => 'arp',
+ 'banned_hosts' => 'src',
+ 'banned_macs' => 'arp',
+ 'whitelist' => 'url_regex -i',
+ 'blacklist' => 'url_regex -i',
+ );
+ foreach ($options as $option => $directive) {
+ $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option]))));
+ if (!empty($contents)) {
+ file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
+ $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
+ $valid_acls[] = $option;
+ }
+ }
+
+ $conf .= <<<EOD
+no_cache deny dynamic
+http_access allow manager localhost
+http_access deny manager
+http_access allow purge localhost
+http_access deny purge
+http_access deny !safeports
+http_access deny CONNECT !sslports
+
+http_access allow localhost
+
+EOD;
+
+ return $conf;
+}
+
+function squid_resync_traffic() {
+ global $config, $valid_acls;
+ if(!is_array($valid_acls))
+ return;
+ $settings = $config['installedpackages']['squidtraffic']['config'][0];
+ $conf = '';
+
+ $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0);
+ $down_limit = ($settings['max_download_size'] ? $settings['max_download_suze'] : 0);
+ $conf .= "request_body_max_size $up_limit KB\n";
+ $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " allow all\n";
+
+ // Only apply throttling past 10MB
+ // XXX: Should this really be hardcoded?
+ $threshold = 10 * 1024 * 1024;
+ $overall = $settings['overall_throttling'];
+ if (!isset($overall) || ($overall == 0))
+ $overall = -1;
+ else
+ $overall *= 1024;
+ $perhost = $settings['perhost_throttling'];
+ if (!isset($perhost) || ($perhost == 0))
+ $perhost = -1;
+ else
+ $perhost *= 1024;
+ $conf .= <<<EOD
+delay_pools 1
+delay_class 1 2
+delay_parameters 1 $overall/$overall $perhost/$perhost
+delay_initial_bucket_level 100
+
+EOD;
+
+ foreach (array('unrestricted_hosts', 'unrestricted_macs') as $item) {
+ if (in_array($item, $valid_acls))
+ $conf .= "delay_access 1 deny $item\n";
+ }
+
+ if ($settings['throttle_specific'] == 'on') {
+ $exts = array();
+ $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,exe,com';
+ $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi';
+ $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,mpe?g,qt,ra?m';
+ foreach (array( 'throttle_binaries' => $binaries,
+ 'throttle_cdimages' => $cdimages,
+ 'throttle_multimedia' => $multimedia) as $field => $set) {
+ if ($settings[$field] == 'on')
+ $exts = array_merge($exts, explode(',', $set));
+ }
+
+ foreach (explode(',', $settings['throttle_others']) as $ext) {
+ if (!empty($ext)) $exts[] = $ext;
+ }
+
+ $contents = '';
+ foreach ($exts as $ext)
+ $contents .= "\.$ext\$\n";
+ file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
+
+ $conf .= 'acl throttle_exts url_regex -i "' . SQUID_ACLDIR . '/throttle_exts.acl"';
+ $conf .= "delay_access 1 allow throttle_exts\n";
+ $conf .= "delay_access 1 deny all\n";
+ }
+ else
+ $conf .= "delay_access 1 allow all\n";
+
+ return $conf;
+}
+
+function squid_resync_auth() {
+ global $config, $valid_acls;
+
+ $settings = $config['installedpackages']['squidauth']['config'][0];
+ $conf = '';
+
+ // Deny the banned guys before allowing the good guys
+ $banned = array( 'banned_hosts',
+ 'banned_macs',
+ );
+ $banned = array_filter($banned, 'squid_is_valid_acl');
+ foreach ($banned as $acl)
+ $conf .= "http_access deny $acl\n";
+
+ // Unrestricted hosts take precendence over blacklist
+ if (squid_is_valid_acl('unrestricted_hosts'))
+ $conf .= "http_access allow unrestricted_hosts\n";
+ if (squid_is_valid_acl('unrestricted_macs'))
+ $conf .= "http_access allow unrestricted_macs\n";
+ // Whitelist and blacklist also take precendence
+ if (squid_is_valid_acl('whitelist'))
+ $conf .= "http_access allow whitelist\n";
+ if (squid_is_valid_acl('blacklist'))
+ $conf .= "http_access deny blacklist\n";
+
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+ $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none');
+
+ // Allow the remaining ACLs if no authentication is set
+ if ($auth_method == 'none') {
+ if ($settings['allow_interface'] == 'on') {
+ $allowed = array('localnet', 'allowed_subnets');
+ $allowed = array_filter($allowed, 'squid_is_valid_acl');
+ foreach ($allowed as $acl)
+ $conf .= "http_access allow $acl\n";
+ }
+ }
+ else {
+ $noauth = implode(' ', array_map('trim', explode(',', $settings['no_auth_hosts'])));
+ if (!empty($noauth)) {
+ $conf .= "acl noauth src $noauth\n";
+ $valid_acls[] = 'noauth';
+ }
+
+ // Set up the external authentication programs
+ $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60);
+ $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
+ $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
+ switch ($auth_method) {
+ case 'local':
+ $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n";
+ break;
+ case 'ldap':
+ $port = (isset($settings['auth_port']) ? ":{$settings['auth_port']}" : '');
+ $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
+ $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"(&(objectClass=person)(cn=%s))\" -u cn -P {$settings['auth_server']}$port\n";
+ break;
+ case 'radius':
+ $port = (isset($settings['auth_port']) ? "-p {$settings['auth_server_port']}" : '');
+ $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+ break;
+ case 'msnt':
+ $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n";
+ break;
+ }
+ $conf .= <<<EOD
+auth_param basic children $processes
+auth_param basic realm $prompt
+auth_param basic credentialsttl $auth_ttl minutes
+acl password proxy_auth REQUIRED
+
+EOD;
+
+ // Onto the ACLs
+ $password = array('localnet', 'allowed_subnets');
+ $passwordless = array('unrestricted_hosts', 'unrestricted_macs');
+ if ($settings['unrestricted_auth'] == 'on') {
+ // Even the unrestricted hosts should authenticate
+ $password = array_merge($password, $passwordless);
+ $passwordless = array();
+ }
+ $passwordless[] = 'noauth';
+ $password = array_filter($password, 'squid_is_valid_acl');
+ $passwordless = array_filter($passwordless, 'squid_is_valid_acl');
+
+ // Allow the ACLs that don't need to authenticate
+ foreach ($passwordless as $acl)
+ $conf .= "http_access allow $acl\n";
+
+ // Allow the other ACLs as long as they authenticate
+ foreach ($password as $acl)
+ $conf .= "http_access allow password $acl\n";
+ }
+
+
+ $conf .= "http_access deny all\n";
+
+ return $conf;
+}
+
+function squid_resync_users() {
+ global $config;
+
+ $users = $config['installedpackages']['squidusers']['config'];
+ $contents = '';
+ if (is_array($users)) {
+ foreach ($users as $user)
+ $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";
+ }
+ file_put_contents(SQUID_PASSWD, $contents);
+ chown(SQUID_PASSWD, 'proxy');
+ chmod(SQUID_PASSWD, 0600);
+}
+
+function squid_resync() {
+ global $config;
+ $conf = squid_resync_general() . "\n";
+ $conf .= squid_resync_cache() . "\n";
+ $conf .= squid_resync_redirector() . "\n";
+ $conf .= squid_resync_upstream() . "\n";
+ $conf .= squid_resync_nac() . "\n";
+ $conf .= squid_resync_traffic() . "\n";
+ $conf .= squid_resync_auth();
+ squid_resync_users();
+
+ /* make sure pinger is executable */
+ exec("chmod a+x /usr/local/libexec/squid/pinger");
+
+ file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf);
+
+ $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/';
+
+ if(!is_dir($log_dir)) {
+ log_error("Creating squid log dir $log_dir");
+ make_dirs($log_dir);
+ squid_chown_recursive($log_dir, 'proxy', 'proxy');
+ }
+
+ squid_dash_z();
+
+ if (!is_service_running('squid')) {
+ log_error("Starting Squid");
+ mwexec_bg("/usr/local/sbin/squid -D");
+ } else {
+ log_error("Reloading Squid for configuration sync");
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ }
+
+ filter_configure();
+}
+
+function squid_print_javascript_auth() {
+ global $config;
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+
+ // No authentication for transparent proxy
+ if ($transparent_proxy) {
+ $javascript = <<<EOD
+<script language="JavaScript">
+<!--
+function on_auth_method_changed() {
+ document.iform.auth_method.disabled = 1;
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_password.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 1;
+ document.iform.auth_ttl.disabled = 1;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+}
+-->
+</script>
+
+EOD;
+ }
+ else {
+ $javascript = <<<EOD
+<script language="JavaScript">
+<!--
+function on_auth_method_changed() {
+ var field = document.iform.auth_method;
+ var auth_method = field.options[field.selectedIndex].value;
+
+ if (auth_method == 'none') {
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_password.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ document.iform.auth_prompt.disabled = 1;
+ document.iform.auth_processes.disabled = 1;
+ document.iform.auth_ttl.disabled = 1;
+ document.iform.unrestricted_auth.disabled = 1;
+ document.iform.no_auth_hosts.disabled = 1;
+ }
+ else {
+ document.iform.auth_prompt.disabled = 0;
+ document.iform.auth_processes.disabled = 0;
+ document.iform.auth_ttl.disabled = 0;
+ document.iform.unrestricted_auth.disabled = 0;
+ document.iform.no_auth_hosts.disabled = 0;
+ }
+
+ switch (auth_method) {
+ case 'local':
+ document.iform.auth_server.disabled = 1;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_password.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ break;
+ case 'ldap':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 0;
+ document.iform.ldap_password.disabled = 0;
+ document.iform.ldap_basedomain.disabled = 0;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 1;
+ break;
+ case 'radius':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 0;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_password.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 0;
+ document.iform.msnt_secondary.disabled = 1;
+ break;
+ case 'msnt':
+ document.iform.auth_server.disabled = 0;
+ document.iform.auth_server_port.disabled = 1;
+ document.iform.ldap_user.disabled = 1;
+ document.iform.ldap_password.disabled = 1;
+ document.iform.ldap_basedomain.disabled = 1;
+ document.iform.radius_secret.disabled = 1;
+ document.iform.msnt_secondary.disabled = 0;
+ break;
+ }
+}
+-->
+</script>
+
+EOD;
+ }
+
+ print($javascript);
+}
+
+function squid_print_javascript_auth2() {
+ print("<script language=\"JavaScript\">on_auth_method_changed()</script>\n");
+}
+
+function squid_generate_rules($type) {
+ global $config;
+
+ $squid_conf = $config['installedpackages']['squid']['config'][0];
+ if (!is_service_running('squid')) {
+ log_error("SQUID is installed but not started. Not installing redirect rules.");
+ return;
+ }
+
+ if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
+ return;
+ }
+
+ $ifaces = explode(',', $squid_conf['active_interface']);
+ $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces);
+
+ switch($type) {
+ case 'nat':
+ foreach ($ifaces as $iface)
+ $rules .= "# Setup Squid transparent proxy redirect\n";
+ $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> ($iface) port 80\n";
+ $rules .= "\n";
+ break;
+ case 'filter':
+ foreach ($ifaces as $iface)
+ $rules .= "# Setup squid pass rules for transparent proxy\n";
+ $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n";
+ $rules .= "\n";
+ break;
+ default:
+ break;
+ }
+
+ return $rules;
+}
+?>
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
new file mode 100644
index 00000000..13398b3d
--- /dev/null
+++ b/packages/squid/squid.xml
@@ -0,0 +1,187 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <name>squid</name>
+ <version>2.5.14_2-p7</version>
+
+ <include_file>/usr/local/pkg/squid.inc</include_file>
+ <!-- Installation -->
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_cache.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_nac.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_ng.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_traffic.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_upstream.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_auth.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/squid_users.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <item>http://www.pfsense.org/packages/config/proxy_monitor.sh</item>
+ <prefix>/usr/local/etc/rc.d/</prefix>
+ <chmod>0755</chmod>
+ </additional_files_needed>
+ <menu>
+ <name>Proxy server</name>
+ <tooltiptext>Modify the proxy server's settings</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </menu>
+ <service>
+ <name>squid</name>
+ <description>Proxy server Service</description>
+ <rcfile>squid.sh</rcfile>
+ <executable>squid</executable>
+ </service>
+
+ <!-- Interface -->
+ <title>Proxy server: General settings</title>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fieldname>active_interface</fieldname>
+ <fielddescr>Proxy interface</fielddescr>
+ <description>The interface(s) the proxy server will bind to.</description>
+ <default_value>lan</default_value>
+ <required/>
+ <type>interfaces_selection</type>
+ <multiple/>
+ </field>
+ <field>
+ <fieldname>allow_interface</fieldname>
+ <fielddescr>Allow users on interface</fielddescr>
+ <description>If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut.</description>
+ <default_value>on</default_value>
+ <required/>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>transparent_proxy</fieldname>
+ <fielddescr>Transparent proxy</fielddescr>
+ <description>If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
+ <required/>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>log_enabled</fieldname>
+ <fielddescr>Enabled logging</fielddescr>
+ <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
+ <enablefields>log_query_terms,log_user_agents</enablefields>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>log_dir</fieldname>
+ <fielddescr>Log store directory</fielddescr>
+ <description>The directory where the log will be stored (note: do not end with a / mark)</description>
+ <type>input</type>
+ <size>60</size>
+ <default_value>/var/squid/log</default_value>
+ </field>
+ <field>
+ <fieldname>proxy_port</fieldname>
+ <fielddescr>Proxy port</fielddescr>
+ <description>This is the port the proxy server will listen on.</description>
+ <required/>
+ <type>input</type>
+ <size>5</size>
+ <default_value>3128</default_value>
+ </field>
+ <field>
+ <fieldname>icp_port</fieldname>
+ <fielddescr>ICP port</fielddescr>
+ <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP.</description>
+ <type>input</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fieldname>visible_hostname</fieldname>
+ <fielddescr>Visible hostname</fielddescr>
+ <description>This is the URL to be displayed in proxy server error messages.</description>
+ <default_value>localhost</default_value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>admin_email</fieldname>
+ <fielddescr>Administrator email</fielddescr>
+ <description>This is the email address displayed in error messages to the users.</description>
+ <default_value>admin@localhost</default_value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>Language</fielddescr>
+ <fieldname>error_language</fieldname>
+ <description>Select the language in which the proxy server will display error messages to users.</description>
+ <default_value>English</default_value>
+ <type>select</type>
+ </field>
+ </fields>
+ <custom_add_php_command>
+ squid_resync();
+ </custom_add_php_command>
+ <custom_php_command_before_form>
+ squid_before_form_general(&amp;$pkg);
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_general($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid");
+ </custom_php_resync_config_command>
+ <custom_php_install_command>
+ update_status("Checking Squid cache... One moment please...");
+ update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.");
+ squid_install_command();
+ squid_resync();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid");
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ squid_deinstall_command();
+ exec("/bin/rm -f /usr/local/etc/rc.d/squid*");
+ </custom_php_deinstall_command>
+</packagegui>
diff --git a/packages/squid/squid_auth.inc b/packages/squid/squid_auth.inc
new file mode 100644
index 00000000..7c99a01b
--- /dev/null
+++ b/packages/squid/squid_auth.inc
@@ -0,0 +1,446 @@
+<?php
+/* $Id$ */
+
+/*
+ squid_auth.inc
+ part of pfSense (www.pfSense.com)
+
+ Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+function global_eval_auth_options()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) {
+ case "none":
+ dynamic_auth_content("pkg_edit");
+ dynamic_no_auth();
+ break;
+ case "local_auth":
+ dynamic_auth_content("pkg");
+ /* create empty passwd file to prevent stat error with squid reload */
+ touch ("/usr/local/etc/squid/advanced/ncsa/passwd");
+ dynamic_local_auth();
+ break;
+ case "ldap_bind":
+ dynamic_auth_content("pkg_edit");
+ dynamic_ldap_auth();
+ break;
+ case "domain_auth":
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_domain_auth();
+ break;
+ case "radius_auth":
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_radius_auth();
+ break;
+ default:
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_no_auth();
+ break;
+ }
+
+ config_unlock();
+ conf_mount_ro();
+
+} /* end function global_eval_auth_options */
+
+function dynamic_no_auth() {
+ global $config;
+ conf_mount_rw();
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+ fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
+ fwrite($fout, "<packagegui>\n");
+ fwrite($fout, " <name>squidextnoauth</name>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n");
+ fwrite($fout, " <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tabs>\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>General Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Upstream Proxy</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Cache Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Network Access Control</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Traffic Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Extended Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ fwrite($fout, " <active/>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </tabs>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <fields>\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>No Authentication Defined</fielddescr>\n");
+ fwrite($fout, " <fieldname>no_auth</fieldname>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, " </fields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <custom_add_php_command_late>\n");
+ fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");");
+ fwrite($fout, "\n");
+ fwrite($fout, " global_write_squid_config();\n");
+ fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
+ fwrite($fout, " </custom_add_php_command_late>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "</packagegui>\n");
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
+}
+
+function dynamic_local_auth() {
+ global $config;
+ conf_mount_rw();
+
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+
+ fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "<packagegui>\n");
+ fwrite($fout, " <name>squidextlocalauth</name>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
+ fwrite($fout, " <version>2.5.10_4</version>\n");
+ fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <files></files>\n");
+ fwrite($fout, " <menu></menu>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <aftersaveredirect>/pkg.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tabs>\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>General Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Upstream Proxy</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Cache Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Network Access Control</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Traffic Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Extended Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ fwrite($fout, " <active/>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </tabs>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <adddeleteeditpagefields>\n");
+ fwrite($fout, " <columnitem>\n");
+ fwrite($fout, " <fielddescr>Username</fielddescr>\n");
+ fwrite($fout, " <fieldname>username</fieldname>\n");
+ fwrite($fout, " </columnitem>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <columnitem>\n");
+ fwrite($fout, " <fielddescr>Description</fielddescr>\n");
+ fwrite($fout, " <fieldname>description</fieldname>\n");
+ fwrite($fout, " </columnitem>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <columnitem>\n");
+ fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
+ fwrite($fout, " <fieldname>group</fieldname>\n");
+ fwrite($fout, " </columnitem>\n");
+ fwrite($fout, " </adddeleteeditpagefields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <fields>\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Username</fielddescr>\n");
+ fwrite($fout, " <fieldname>username</fieldname>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>15</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Password</fielddescr>\n");
+ fwrite($fout, " <fieldname>password</fieldname>\n");
+ fwrite($fout, " <type>password</type>\n");
+ fwrite($fout, " <size>8</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Description (Optional)</fielddescr>\n");
+ fwrite($fout, " <fieldname>description</fieldname>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>30</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Restriction Group</fielddescr>\n");
+ fwrite($fout, " <fieldname>group</fieldname>\n");
+ fwrite($fout, " <type>select</type>\n");
+ fwrite($fout, " <options>\n");
+ fwrite($fout, " <option><name>Standard</name><value>Standard</value></option>\n");
+ fwrite($fout, " <option><name>Extended</name><value>Extended</value></option>\n");
+ fwrite($fout, " </options>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </fields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <custom_add_php_command_late>\n");
+ fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " mod_htpasswd();\n");
+ fwrite($fout, " global_write_squid_config();\n");
+ fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
+ fwrite($fout, " </custom_add_php_command_late>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "</packagegui>\n");
+
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
+}
+
+function dynamic_ldap_auth() {
+ global $config;
+ conf_mount_rw();
+
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+
+ fwrite($fout, "<?xml version=\"1.0\" encoding=\"utf-8\" ?>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "<packagegui>\n");
+ fwrite($fout, " <name>squidextldapauth</name>\n");
+ fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n");
+ fwrite($fout, " <version>2.5.11</version>\n");
+ fwrite($fout, " <configpath>installedpackages->package->squidextldapauth->configuration->settings</configpath>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <files></files>\n");
+ fwrite($fout, " <menu></menu>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tabs>\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>General Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Upstream Proxy</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Cache Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Network Access Control</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Traffic Mgmt</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <tab>\n");
+ fwrite($fout, " <text>Extended Auth Settings</text>\n");
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ fwrite($fout, " <active/>\n");
+ fwrite($fout, " </tab>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </tabs>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <fields>\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Base DN</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n");
+ fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: \"ou=users,o=company\" will search for users in and under the specified company.</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>50</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>LDAP Server</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_server</fieldname>\n");
+ fwrite($fout, " <description>This is the LDAP server that the bind will be attempted against.</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>20</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>LDAP Type</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_type</fieldname>\n");
+ fwrite($fout, " <description>This specifies the supported LDAP types.</description>\n");
+ fwrite($fout, " <type>select</type>\n");
+ fwrite($fout, " <options>\n");
+ fwrite($fout, " <option><name>Active Directory</name><value>active_directory</value></option>\n");
+ fwrite($fout, " <option><name>Novell eDirectory</name><value>novell_edirectory</value></option>\n");
+ fwrite($fout, " <option><name>LDAP v2</name><value>ldap_v2</value></option>\n");
+ fwrite($fout, " <option><name>LDAP v3</name><value>ldap_v3</value></option>\n");
+ fwrite($fout, " </options>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>LDAP Port</fielddescr>\n");
+ fwrite($fout, " <fieldname>ldap_port</fieldname>\n");
+ fwrite($fout, " <description>This is the port that LDAP bind will attempt on. The default is \"389\".</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>5</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Bind DN Username</fielddescr>\n");
+ fwrite($fout, " <fieldname>bind_dn_username</fieldname>\n");
+ fwrite($fout, " <description>If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.</description>\n");
+ fwrite($fout, " <type>input</type>\n");
+ fwrite($fout, " <size>30</size>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <field>\n");
+ fwrite($fout, " <fielddescr>Bind DN Password</fielddescr>\n");
+ fwrite($fout, " <fieldname>bind_dn_password</fieldname>\n");
+ fwrite($fout, " <description>This is the associated password with the Bind DN Username previously specified.</description>\n");
+ fwrite($fout, " <type>password</type>\n");
+ fwrite($fout, " </field>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " </fields>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " <custom_add_php_command_late>\n");
+ fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " mod_htpasswd();\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " global_write_squid_config();\n");
+ fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n");
+ fwrite($fout, " </custom_add_php_command_late>\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "</packagegui>\n");
+
+ fclose($fout);
+
+ /* mount filesystem read-only */
+ conf_mount_ro();
+}
+
+/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */
+function dynamic_auth_content($pkgvar) {
+
+ switch ($pkgvar) {
+ case "pkg":
+ if ($handle = opendir("/usr/local/pkg")) {
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
+ $filecontents = file("/usr/local/pkg/" . $file);
+ $fout = fopen("/usr/local/pkg/" . $file, "w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+ fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ } else {
+ fwrite($fout, $line);
+ }
+ }
+ }
+ }
+ }
+ break;
+
+ case "pkg_edit":
+ if ($handle = opendir("/usr/local/pkg")) {
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
+ $filecontents = file("/usr/local/pkg/" . $file);
+ $fout = fopen("/usr/local/pkg/" . $file,"w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&amp;id=0</url>")) {
+ fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>\n");
+ } else {
+ fwrite($fout, $line);
+ }
+ }
+ }
+ }
+ }
+ break;
+ }
+
+} /* end function dynamic_auth_content */
+?> \ No newline at end of file
diff --git a/packages/squid/squid_auth.xml b/packages/squid/squid_auth.xml
new file mode 100644
index 00000000..9367231d
--- /dev/null
+++ b/packages/squid/squid_auth.xml
@@ -0,0 +1,159 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <include_file>squid.inc</include_file>
+ <name>squidauth</name>
+ <title>Proxy server: Authentication</title>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fielddescr>Authentication method</fielddescr>
+ <fieldname>auth_method</fieldname>
+ <description>Select an authentication method. This will allow users to be authenticated by local or external services.</description>
+ <default_value>none</default_value>
+ <required/>
+ <type>select</type>
+ <options>
+ <option><name>None</name><value>none</value></option>
+ <option><name>Local</name><value>local</value></option>
+ <option><name>LDAP</name><value>ldap</value></option>
+ <option><name>RADIUS</name><value>radius</value></option>
+ <option><name>NT domain</name><value>msnt</value></option>
+ </options>
+ <onchange>on_auth_method_changed()</onchange>
+ </field>
+ <field>
+ <fieldname>auth_server</fieldname>
+ <fielddescr>Authentication server</fielddescr>
+ <description>Enter here the IP or hostname of the server that will perform the authentication.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>auth_server_port</fieldname>
+ <fielddescr>Authentication server port</fielddescr>
+ <description>Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>ldap_user</fieldname>
+ <fielddescr>LDAP server user DN</fielddescr>
+ <description>Enter here the user DN to use to connect to the LDAP server.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>ldap_password</fieldname>
+ <fielddescr>LDAP password</fielddescr>
+ <description>Enter here the password to use to connect to the LDAP server.</description>
+ <type>password</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>ldap_basedomain</fieldname>
+ <fielddescr>LDAP base domain</fielddescr>
+ <description>For LDAP authentication, enter here the base domain in the LDAP server.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>radius_secret</fieldname>
+ <fielddescr>RADIUS secret</fielddescr>
+ <description>The RADIUS secret for RADIUS authentication.</description>
+ <type>password</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>msnt_secondary</fieldname>
+ <fielddescr>Secondary NT servers</fielddescr>
+ <description>Comma-separated list of secondary servers to be used for NT domain authentication.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>auth_prompt</fieldname>
+ <fielddescr>Authentication prompt</fielddescr>
+ <description>This string will be displayed at the top of the authentication request window.</description>
+ <default_value>Please enter your credentials to access the proxy</default_value>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>auth_processes</fieldname>
+ <fielddescr>Authentication processes</fielddescr>
+ <description>The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly.</description>
+ <default_value>5</default_value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>auth_ttl</fieldname>
+ <fielddescr>Authentication TTL</fielddescr>
+ <description>This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.</description>
+ <default_value>60</default_value>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fieldname>unrestricted_auth</fieldname>
+ <fielddescr>Requiere authentication for unrestricted hosts</fielddescr>
+ <description>If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>no_auth_hosts</fieldname>
+ <fielddescr>Subnets that don't need authentication</fielddescr>
+ <description>A comma-separated list of subnets (in CIDR range, e.g.: 10.5.0.0/16, 192.168.1.50/32) whose hosts won't be asked for authentication to access the proxy.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ </fields>
+ <custom_php_after_head_command>
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+ if($transparent_proxy)
+ $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled";
+ squid_print_javascript_auth();
+ </custom_php_after_head_command>
+ <custom_php_validation_command>
+ squid_validate_auth($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_before_form_command>
+ squid_print_javascript_auth2();
+ </custom_php_before_form_command>
+ <custom_php_after_form_command>
+ squid_print_javascript_auth2();
+ </custom_php_after_form_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
diff --git a/packages/squid/squid_cache.xml b/packages/squid/squid_cache.xml
new file mode 100644
index 00000000..ee5db606
--- /dev/null
+++ b/packages/squid/squid_cache.xml
@@ -0,0 +1,150 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <include_file>squid.inc</include_file>
+ <name>squidcache</name>
+ <title>Proxy server: Cache management</title>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fielddescr>Hard disk cache size</fielddescr>
+ <fieldname>harddisk_cache_size</fieldname>
+ <description>This is the amount of disk space (in megabytes) to use for cached objects.</description>
+ <required/>
+ <default_value>100</default_value>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Hard disk cache location</fielddescr>
+ <fieldname>harddisk_cache_location</fieldname>
+ <description>This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while</description>
+ <required/>
+ <default_value>/var/squid/cache</default_value>
+ <size>60</size>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Memory cache size</fielddescr>
+ <fieldname>memory_cache_size</fieldname>
+ <description>This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB.</description>
+ <required/>
+ <default_value>8</default_value>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Minimum object size</fielddescr>
+ <fieldname>minimum_object_size</fieldname>
+ <description>Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum.</description>
+ <required/>
+ <default_value>0</default_value>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Maximum object size</fielddescr>
+ <fieldname>maximum_object_size</fieldname>
+ <description>Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value.</description>
+ <required/>
+ <default_value>4</default_value>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Level 1 subdirectories</fielddescr>
+ <fieldname>level1_subdirs</fieldname>
+ <description>Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions.</description>
+ <default_value>16</default_value>
+ <type>select</type>
+ <options>
+ <option><name>4</name><value>4</value></option>
+ <option><name>8</name><value>8</value></option>
+ <option><name>16</name><value>16</value></option>
+ <option><name>32</name><value>32</value></option>
+ <option><name>64</name><value>64</value></option>
+ <option><name>128</name><value>128</value></option>
+ <option><name>256</name><value>256</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Memory replacement policy</fielddescr>
+ <fieldname>memory_replacement</fieldname>
+ <description>The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. &lt;p&gt; &lt;b&gt; LRU: Last Recently Used Policy &lt;/b&gt; - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. &lt;p&gt; &lt;b&gt; Heap GDSF: Greedy-Dual Size Frequency &lt;/b&gt; - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. &lt;p&gt; &lt;b&gt; Heap LFUDA: Least Frequently Used with Dynamic Aging &lt;/b&gt; - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. &lt;p&gt; &lt;b&gt; Heap LRU: Last Recently Used &lt;/b&gt; - Works like LRU, but uses a heap instead. &lt;p&gt; Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximuze the potential byte hit rate improvement of LFUDA.</description>
+ <default_value>heap GDSF</default_value>
+ <type>select</type>
+ <options>
+ <option><name>LRU</name><value>lru</value></option>
+ <option><name>Heap LFUDA</name><value>heap LFUDA</value></option>
+ <option><name>Heap GDSF</name><value>heap GDSF</value></option>
+ <option><name>Heap LRU</name><value>heap LRU</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Cache replacement policy</fielddescr>
+ <fieldname>cache_replacement</fieldname>
+ <description>The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail.</description>
+ <default_value>heap LFUDA</default_value>
+ <type>select</type>
+ <options>
+ <option><name>LRU</name><value>lru</value></option>
+ <option><name>Heap LFUDA</name><value>heap LFUDA</value></option>
+ <option><name>Heap GDSF</name><value>heap GDSF</value></option>
+ <option><name>Heap LRU</name><value>heap LRU</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Do not cache</fielddescr>
+ <fieldname>donotcache</fieldname>
+ <description>The specified domains or IP addresses (separated by commas) will never be cached.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fielddescr>Enable offline mode</fielddescr>
+ <fieldname>enable_offline</fieldname>
+ <description>Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted).</description>
+ <required/>
+ <type>checkbox</type>
+ </field>
+ </fields>
+ <custom_php_command_before_form>
+ if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
+ $needs_dash_z = true;
+ }
+ </custom_php_command_before_form>
+ <custom_php_validation_command>
+ squid_validate_cache($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ if($needs_dash_z)
+ squid_dash_z();
+ </custom_php_resync_config_command>
+</packagegui>
diff --git a/packages/squid/squid_extauth.xml b/packages/squid/squid_extauth.xml
new file mode 100644
index 00000000..3af66111
--- /dev/null
+++ b/packages/squid/squid_extauth.xml
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<packagegui>
+ <name>squidextnoauth</name>
+ <title>Services: Proxy Server -> Extended Authentication Settings</title>
+ <configpath>installedpackages->package->squidextnoauth->configuration->settings</configpath>
+
+ <aftersaveredirect>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</aftersaveredirect>
+
+ <tabs>
+ <tab>
+ <text>General Settings</text>
+ <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Upstream Proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Cache Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Network Access Control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Auth Settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+
+ <tab>
+ <text>Extended Auth Settings</text>
+ <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
+ <active/>
+ </tab>
+
+ </tabs>
+
+ <fields>
+ <field>
+ <fielddescr>No Authentication Defined</fielddescr>
+ <fieldname>no_auth</fieldname>
+ </field>
+ </fields>
+
+ <custom_add_php_command_late>
+ require_once("/usr/local/pkg/squid_ng.inc");
+
+ global_write_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ </custom_add_php_command_late>
+
+</packagegui>
diff --git a/packages/squid/squid_nac.xml b/packages/squid/squid_nac.xml
new file mode 100644
index 00000000..b7bbf8c9
--- /dev/null
+++ b/packages/squid/squid_nac.xml
@@ -0,0 +1,101 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <include_file>squid.inc</include_file>
+ <name>squidnac</name>
+ <title>Proxy server: Access control</title>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fieldname>allowed_subnets</fieldname>
+ <fielddescr>Allowed subnets</fielddescr>
+ <description>Those are the subnets (separated by commas) that are allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fieldname>unrestricted_hosts</fieldname>
+ <fielddescr>Unrestricted IPs</fielddescr>
+ <description>The IP addresses specified here (separated by commas) won't be filtered out by the other access control directives set in this page.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fieldname>unrestricted_macs</fieldname>
+ <fielddescr>Unrestricted MAC Addresses</fielddescr>
+ <description>The MAC addresses specified here (separated by commas) won't be filtered out by the other access control directives set in this page.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fieldname>banned_hosts</fieldname>
+ <fielddescr>Banned host addresses</fielddescr>
+ <description>The IP addresses specified here (separated by commas) won't be allowed to use the proxy.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fieldname>banned_macs</fieldname>
+ <fielddescr>Banned MAC addresses</fielddescr>
+ <description>The MAC addresses specified here (separated by commas) won't be allowed to use the proxy.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fieldname>whitelist</fieldname>
+ <fielddescr>Whitelist</fielddescr>
+ <description>Those are the sites (separated by commas) that will be accessable to the users that are allowed to use the proxy.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ <field>
+ <fieldname>blacklist</fieldname>
+ <fielddescr>Blacklist</fielddescr>
+ <description>Those are the sites (separated by commas) that will be blocked to the users that are allowed to use the proxy.</description>
+ <type>textarea</type>
+ <rows>5</rows>
+ <cols>50</cols>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_nac($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
diff --git a/packages/squid/squid_ng.inc b/packages/squid/squid_ng.inc
new file mode 100644
index 00000000..dc18e349
--- /dev/null
+++ b/packages/squid/squid_ng.inc
@@ -0,0 +1,1067 @@
+<?php
+/* $Id$ */
+
+/*
+ squid_ng.inc
+ part of pfSense (www.pfSense.com)
+
+ Copyright (C) 2005 Michael Capp <michael.capp@gmail.com>
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+function global_write_squid_config()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ /* define squid configuration file in variable for replace function */
+ $squidconfig = "/usr/local/etc/squid/squid.conf";
+
+ /* squid.xml values */
+ $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
+ $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
+ $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
+ $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
+ $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
+ $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
+ $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
+ $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port'];
+ $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname'];
+ $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
+ $error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
+ $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
+
+ /* squid_upstream.xml values */
+ $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
+ $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
+ $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
+ $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
+ $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
+ $upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
+ $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
+
+ /* squid_cache.xml values */
+ $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
+ $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
+ $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
+ $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
+ $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
+ $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
+ $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
+ $domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
+ $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
+
+ /* squid_nac.xml values */
+ $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
+ $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
+ $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses'];
+ $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
+ $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
+ $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
+
+ /* squid_traffic.xml values */
+ $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
+ $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
+ $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
+ $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
+ $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
+ $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
+ $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
+
+ /* squid_auth.xml values */
+ $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
+ $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
+ $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
+ $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr'];
+ $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl'];
+ $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth'];
+ $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt'];
+ $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
+ $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
+ $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
+
+ /* squid_extauth.xml (ldap) values */
+ $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
+ $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
+ $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
+ $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
+ $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
+ $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+
+ /* squid_extauth.xml (radius) values */
+ $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
+ $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
+ $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
+ $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
+
+ /* static variable assignments for directory mapping */
+ $acldir = "/usr/local/etc/squid/advanced/acls";
+ $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
+ $ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
+ $radiusdir = "/usr/local/etc/squid/advanced/radius";
+
+ $fout = fopen($squidconfig, "w");
+
+ $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
+
+ if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
+ mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi");
+ mwexec("chmod a+rx /usr/local/www/cachemgr.cgi");
+ } else {
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ }
+ unset($cachemgr_enabled);
+
+ if (!isset($icp_port) or ($icp_port == "")) {
+ $icp_port = "3130";
+ }
+ $config_array[] = 'icp_port ' . $icp_port . "\n";
+ unset($icp_port);
+
+ if(!isset($proxy_port) or ($proxy_port == "")) {
+ $proxy_port = "3128";
+ }
+
+ if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
+ $int = convert_friendly_interface_to_real_interface_name($active_interface);
+ $listen_ip = find_interface_ip($int);
+
+ $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
+ $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
+ $config_array[] = 'no_cache deny QUERY' . "\n\n";
+ }
+ $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . "\n\n";
+ unset($proxy_port);
+
+ if (isset($domain) && ($domain !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/dst_nocache.acl","w");
+
+ $domain_array = split("; ",$domain);
+ foreach ($domain_array as $no_cache_domain) {
+ fwrite($aclout, $no_cache_domain . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
+ $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
+ }
+ unset($no_cache_domain);
+ unset($domain_array);
+ unset($domain);
+
+ $config_array[] = 'cache_effective_user squid' . "\n";
+ $config_array[] = 'cache_effective_group squid' . "\n\n";
+ $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
+
+ if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
+ $memory_cache_size = "8";
+ }
+ $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
+ unset($memory_cache_size);
+
+ if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
+ $harddisk_cache_size = "500";
+ }
+
+ if (!isset($level_subdirs) or ($level_subdirs == "")) {
+ $level_subdirs = "16";
+ }
+
+ $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
+ unset($harddisk_cache_size);
+ unset($level_subdirs);
+
+ if (!isset($error_language) or ($error_language == "")) {
+ $error_language = "English";
+ }
+ $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
+ unset($error_language);
+
+ if (isset($offline_mode) && ($offline_mode == "on")) {
+ $config_array[] = 'offline_mode on' . "\n\n";
+ } else {
+ $config_array[] = 'offline_mode off' . "\n\n";
+ }
+
+ if (!isset($memory_replacement) or ($memory_replacement == "")) {
+ $memory_replacement = "heap GDSF";
+ }
+ $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n";
+ unset($memory_replacement);
+
+ if (!isset($cache_replacement) or ($cache_replacement == "")) {
+ $cache_replacement="heap GDSF";
+ }
+ $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
+ unset($cache_replacement);
+
+ if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) {
+ $config_array[] = 'cache_access_log none' . "\n";
+ } else {
+ $config_array[] = 'cache_access_log /var/log/access.log' . "\n";
+ }
+ $config_array[] = 'cache_log /var/log/cache.log' . "\n";
+ $config_array[] = 'cache_store_log none' . "\n";
+ unset($accesslog_disabled);
+ unset($log_enabled);
+
+ if (isset($log_query_terms) && ($log_query_terms == "on")) {
+ $config_array[] = 'strip_query_terms off' . "\n";
+ } else {
+ $config_array[] = 'strip_query_terms on' . "\n";
+ }
+ unset($log_query_terms);
+
+ $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
+ unset($log_user_agents);
+
+ $config_array[] = 'log_mime_hdrs off' . "\n";
+ $config_array[] = 'emulate_httpd_log on' . "\n";
+
+ switch ($user_forwarding) {
+ case "on":
+ $config_array[] = 'forwarded_for on' . "\n\n";
+ break;
+ case "off":
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ default:
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ }
+ unset($user_forwarding);
+
+ switch ($auth_method) {
+ case "none":
+ break;
+ case "local_auth":
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "radius_auth";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "ldap_bind";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
+ $config_array[] = ' -b "' . $ldap_basedn . '"';
+ $config_array[] = ' -D "' . $bind_dn_username . '"';
+ $config_array[] = " -w " . $bind_dn_password;
+ $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
+ $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n";
+
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "windows_auth";
+ break;
+ }
+
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
+ fwrite($throttle_out, $binary_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
+ }
+ unset($throttle_binary_files);
+ unset($throttle_out);
+ unset($binary_out);
+
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
+ fwrite($throttle_out, $cd_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_cd.acl")) {
+ unlink($acldir . "/dst_throttle_cd.acl");
+ }
+ }
+ unset($throttle_cd_images);
+ unset($throttle_out);
+ unset($cd_out);
+
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
+ fwrite($throttle_out, $multimedia_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
+ unlink($acldir . "/dst_throttle_multimedia.acl");
+ }
+ }
+ unset($throttle_multimedia);
+ unset($multimedia_out);
+ unset($throttle_out);
+
+ $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
+
+ /* obtain interface subnet and address for Squid rules */
+ $lactive_interface = strtolower($active_interface);
+
+ $lancfg = $config['interfaces'][$lactive_interface];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
+ $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
+ $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
+ $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
+ $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
+ $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
+ $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
+ $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
+ $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n";
+ $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
+ $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
+ $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
+ $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
+
+ /* allow access through proxy for custom admin port */
+ $custom_port = $config['system']['webgui']['port'];
+ if (isset($custom_port) && ($custom_port !== "")) {
+ $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
+ unset($custom_port);
+ } else {
+ $admin_protocol = $config['system']['webgui']['protocol'];
+ switch ($admin_protocol) {
+ case "http";
+ $config_array[] = 'acl pf_admin_port port 80' ."\n";
+ break;
+ case "https";
+ $config_array[] = 'acl pf_admin_port port 443' . "\n";
+ break;
+ default;
+ $config_array[] = 'acl pf_admin_port port 80' . "\n";
+ break;
+ }
+ unset($admin_protocol);
+ }
+
+ /* define override hosts as specified in squid_nac.xml */
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_override_hosts.acl", "w");
+
+ $override_hosts_array = split("; ", $override_hosts);
+ foreach ($override_hosts_array as $ind_override_host) {
+ fwrite($aclout, $ind_override_host . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
+ }
+ /* clear variables */
+ unset($override_hosts_array);
+ unset($ind_override_host);
+ unset($override_hosts);
+
+ /* define subnets allowed to utilize proxy service */
+ if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ mwexec("touch {$acldir}/src_subnets.acl");
+ }
+
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+
+ $allowed_subnets_array = split("; ",$allowed_subnets);
+ foreach ($allowed_subnets_array as $ind_allowed_subnets) {
+ fwrite($aclout, $ind_allowed_subnets . "\n");
+ }
+
+ fclose($aclout);
+ } else {
+
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+ fwrite($aclout, $lansa . "/" . $lansn . "\n");
+ fclose($aclout);
+ }
+
+ $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
+
+ unset($allowed_subnets_array);
+ unset($ind_allowed_subnets);
+ unset($allowed_subnets);
+
+ /* define ip addresses that have 'unrestricted' access */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
+
+ $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
+ foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
+ fwrite($aclout, $ind_unrestricted_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
+ }
+ unset($unrestricted_ip_array);
+ unset($unrestricted_ip_addr);
+ unset($ind_unrestricted_ip);
+
+ /* define mac addresses that have 'unrestricted' access */
+ if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
+
+ $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
+ foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
+ fwrite($aclout, $ind_unrestricted_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n";
+ }
+ unset($unrestricted_mac_array);
+ unset($unrestricted_mac_addr);
+ unset($ind_unrestricted_mac);
+
+ /* define ip addresses that are banned from using the proxy service */
+ if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_ip.acl","w");
+
+ $banned_ip_array = split("; ",$banned_ip_addr);
+ foreach ($banned_ip_array as $ind_banned_ip) {
+ fwrite($aclout, $ind_banned_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
+ }
+ unset($banned_ip_addr);
+ unset($banned_ip_addr);
+ unset($ind_banned_ip);
+
+ /* define mac addresses that are banned from using the proxy service */
+ if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_mac.acl","w");
+
+ $banned_mac_array = split("; ",$banned_mac_addr);
+ foreach ($banned_mac_array as $ind_banned_mac) {
+ fwrite($aclout, $ind_banned_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
+ }
+ unset($banned_mac_array);
+ unset($banned_mac_addr);
+ unset($ind_banned_mac);
+
+ $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
+ $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method == "none")) {
+ $config_array[] = 'http_access allow localnet' . "\n";
+ }
+ $config_array[] = 'http_access allow localhost' . "\n";
+
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ $config_array[] = 'http_access allow override_hosts' . "\n";
+ }
+ $config_array[] = "\n";
+
+ switch ($config['system']['webgui']['protocol']) {
+ case "http":
+ $config_array[] = 'http_access allow pf_ips' . "\n";
+ $config_array[] = 'http_access allow pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny !pf_networks' . "\n\n";
+ break;
+ case "https":
+ $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
+ $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
+ break;
+ }
+
+ $config_array[] = 'http_access deny !Safe_ports' . "\n";
+ $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method != "none")) {
+ $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
+ }
+
+ $config_array[] = 'http_access deny all' . "\n\n";
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_overall == "unlimited") {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
+ }
+
+ if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_per_host == "unlimited") {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
+ }
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
+ /* if no bandwidth restrictions are specified, then these parameters are not necessary */
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n";
+ } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+ }
+
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
+ }
+ }
+
+ $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
+ $config_array[] = 'header_access Via deny all' . "\n\n";
+
+ /* TODO: acl customization for snmp support */
+ /* fwrite($fout, "\n"); */
+
+ if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
+ $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
+ $config_array[] = 'redirect_children 5' . "\n\n";
+ }
+
+ if (isset($max_upload_size) && ($max_upload_size != "")) {
+ $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
+ }
+
+ if (isset($max_download_size) && ($max_download_size != "")) {
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n";
+ /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
+ $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
+ }
+
+ /* set default value for maximum_object_size */
+ if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
+ $maximum_object_size = "4096";
+ }
+
+ /* set default value for minimum_object_size */
+ if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
+ $minimum_object_size = "0";
+ }
+ $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
+ $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
+
+ if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
+ $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
+ $config_array[] = 'never_direct allow all' . "\n";
+ }
+ unset($proxy_forwarding);
+
+
+ /* define default ruleset for transparent proxy operation */
+ if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
+ $config_array[] = 'httpd_accel_host virtual' . "\n";
+ $config_array[] = 'httpd_accel_port 80' . "\n";
+ $config_array[] = 'httpd_accel_with_proxy on' . "\n";
+ $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
+ }
+ unset($transparent_proxy);
+
+
+ /* define visible hostname */
+ if (isset($visible_hostname) && ($visible_hostname !== "")) {
+ $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
+ }
+ unset($visible_hostname);
+
+ /* define cache administrators email address within error messages */
+ if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
+ $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n";
+ }
+ unset($cache_admin_email);
+
+ /* write configuration file */
+ foreach ($config_array as $config_item)
+ {
+ fwrite($fout, trim($config_item));
+
+ if (stristr($config_item, "\n"))
+ {
+ for ($i = 1; $i < count(explode("\n", $config_item)); $i++)
+ {
+ fwrite($fout, "\n");
+ }
+ }
+
+ }
+ fclose($fout);
+
+ conf_mount_ro();
+ config_unlock();
+
+ touch($squidconfig);
+} /* end function write_squid_config */
+
+function custom_php_install_command() {
+ /* write initial static config for transparent proxy */
+ write_static_squid_config();
+
+ touch("/tmp/custom_php_install_command");
+
+ /* make sure this all exists, see:
+ * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
+ */
+ update_output_window("Setting up Squid environment...");
+ mwexec("mkdir -p /var/squid");
+ mwexec("chown squid:squid /var/squid");
+ mwexec("mkdir -p /var/squid/logs");
+ mwexec("chown squid:squid /var/squid/logs");
+ mwexec("mkdir -p /var/squid/cache");
+ mwexec("chown squid:squid /var/squid/cache");
+ mwexec("mkdir -p /usr/local/etc/squid/advanced");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced");
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
+ mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl");
+ mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
+ mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
+ mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
+
+
+ /* set a few extra items noted by regan */
+ update_output_window("Creating logs and setting user information...");
+ $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w");
+ fwrite($fdsquid, "#/bin/sh\n");
+ fwrite($fdsquid, "# \n");
+ fwrite($fdsquid, "# This file was created by the pfSense package system\n");
+ fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n");
+ fwrite($fdsquid, "# \n\n");
+ fwrite($fdsquid, "chown squid:wheel /dev/pf\n");
+ fwrite($fdsquid, "chmod ug+rw /dev/pf\n");
+ fwrite($fdsquid, "touch /var/log/useragent.log\n");
+ fwrite($fdsquid, "touch /var/log/access.log\n");
+ fwrite($fdsquid, "touch /var/log/cache.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n");
+ fwrite($fdsquid, "\n");
+ fclose($fdsquid);
+ mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh");
+ mwexec("/usr/local/etc/rc.d/aSquid.sh");
+
+ update_output_window("Creating Proxy Server initialization scripts...");
+ $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty";
+ $stop = "/usr/local/sbin/squid -k shutdown";
+ write_rcfile(array(
+ "file" => "squid.sh",
+ "start" => $start,
+ "stop" => $stop
+ )
+ );
+
+ mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
+
+ /* create log directory hierarchies if they don't exist */
+ update_output_window("Creating required directory hierarchies...");
+
+ if (!file_exists("/var/squid/logs")) {
+ mwexec("mkdir -p /var/squid/logs");
+ }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
+
+
+ if (!file_exists("/var/squid/cache")) {
+ mwexec("mkdir -p /var/squid/cache");
+ }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
+
+ $devfs_file = fopen("/etc/devfs.conf", "a");
+ fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
+ fwrite($devfs_file, "own pf root:squid");
+ fwrite($devfs_file, "perm pf 0640");
+ fclose($devfs_file);
+
+ update_output_window("Initializing Cache... This may take a moment...");
+ mwexec("/usr/local/sbin/squid -z");
+
+ update_output_window("Starting Proxy Server...");
+ start_service("squid");
+}
+
+function custom_php_deinstall_command() {
+ update_output_window("Stopping proxy service...");
+ stop_service("squid");
+ sleep(1);
+ /* brute force any remaining squid processes out */
+ mwexec("/usr/bin/killall squid");
+ mwexec("/usr/bin/killall pinger");
+ update_output_window("Recursively removing directories hierarchies. If existant, log files in /var/squid/logs will remain...");
+ mwexec("rm -rf /var/squid/cache");
+ update_output_window("Removing configuration files...");
+ unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
+ unlink_if_exists("/usr/local/libexec/squid");
+ unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh");
+ mwexec("rm -f /usr/local/etc/rc.d/squid*");
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ filter_configure();
+}
+
+function write_static_squid_config() {
+ touch("/tmp/write_static_squid_config");
+ global $config;
+ $lancfg = $config['interfaces']['lan'];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $fout = fopen("/usr/local/etc/squid/squid.conf","w");
+ fwrite($fout, "#\n");
+ fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
+ fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
+ fwrite($fout, "#\n");
+
+ /* set # of dns children */
+ fwrite($fout, "dns_children 15\n");
+
+ fwrite($fout, "shutdown_lifetime 5 seconds\n");
+ fwrite($fout, "icp_port 0\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
+ fwrite($fout, "no_cache deny QUERY\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "pid_filename /var/run/squid.pid\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_mem 24 MB\n");
+ fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "memory_replacement_policy heap GDSF\n");
+ fwrite($fout, "cache_replacement_policy heap GDSF\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_access_log none\n");
+ fwrite($fout, "cache_log none\n");
+ fwrite($fout, "cache_store_log none\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "log_mime_hdrs off\n");
+ fwrite($fout, "emulate_httpd_log on\n");
+ fwrite($fout, "forwarded_for off\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
+ fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
+ fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
+ fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
+ fwrite($fout, "acl Safe_ports port 80 # http\n");
+ fwrite($fout, "acl Safe_ports port 21 # ftp\n");
+ fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
+ fwrite($fout, "acl Safe_ports port 70 # gopher\n");
+ fwrite($fout, "acl Safe_ports port 210 # wais\n");
+ fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
+ fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
+ fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
+ fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
+ fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
+ fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl CONNECT method CONNECT\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#access to squid; local machine; no restrictions\n");
+ fwrite($fout, "http_access allow localnet\n");
+ fwrite($fout, "http_access allow localhost\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#Deny non web services\n");
+ fwrite($fout, "http_access deny !Safe_ports\n");
+ fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#Set custom configured ACLs\n");
+ fwrite($fout, "http_access deny all\n");
+ fwrite($fout, "visible_hostname pfSense\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_effective_user squid\n");
+ fwrite($fout, "cache_effective_group squid\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "maximum_object_size 4096 KB\n");
+ fwrite($fout, "minimum_object_size 0 KB\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "request_body_max_size 0 KB\n");
+ fwrite($fout, "reply_body_max_size 0 allow all\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "httpd_accel_host virtual\n");
+ fwrite($fout, "httpd_accel_port 80\n");
+ fwrite($fout, "httpd_accel_with_proxy on\n");
+ fwrite($fout, "httpd_accel_uses_host_header on\n");
+
+ fclose($fout);
+}
+
+function mod_htpasswd() {
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
+
+ $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+");
+
+ if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") {
+ foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) {
+ $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']);
+ fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n");
+ }
+ }
+
+ fclose($passfile);
+
+ conf_mount_ro();
+ config_unlock();
+}
+
+function generate_htpasswd($username, $password) {
+ $all = explode( " ",
+ "a b c d e f g h i j k l m n o p q r s t u v w x y z "
+ . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z "
+ . "0 1 2 3 4 5 6 7 8 9");
+
+ for ($i = 0; $i < 9; $i++) {
+ srand((double)microtime()*1000000);
+ $randy = rand(0,61);
+ $seed .= $all[$randy];
+ }
+
+ $crypt = crypt($password, "$1$$seed");
+ return $crypt;
+}
+
+?>
diff --git a/packages/squid/squid_ng.xml b/packages/squid/squid_ng.xml
new file mode 100644
index 00000000..6d98f00f
--- /dev/null
+++ b/packages/squid/squid_ng.xml
@@ -0,0 +1,222 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<packagegui>
+ <name>squid</name>
+ <title>Services: Proxy Server</title>
+ <category>Security</category>
+ <version>2.5.12_4</version>
+ <include_file>/usr/local/pkg/squid_ng.inc</include_file>
+ <configpath>installedpackages->package->squidng->configuration->settings</configpath>
+ <aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</aftersaveredirect>
+ <menu>
+ <name>Squid</name>
+ <tooltiptext>Modify settings for Proxy Server</tooltiptext>
+ <section>Services</section>
+ <url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
+ </menu>
+ <menu>
+ <name>Squid stats</name>
+ <tooltiptext>Show Squid statistics</tooltiptext>
+ <section>Services</section>
+ <url>/cachemgr.cgi</url>
+ </menu>
+ <service>
+ <name>squid</name>
+ <rcfile>squid.sh</rcfile>
+ </service>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_cache.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_nac.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_ng.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_traffic.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_upstream.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_auth.xml</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_auth.inc</item>
+ </additional_files_needed>
+ <additional_files_needed>
+ <prefix>/usr/local/pkg/</prefix>
+ <chmod>0755</chmod>
+ <item>http://www.pfsense.com/packages/config/squid_extauth.xml</item>
+ </additional_files_needed>
+ <tabs>
+ <tab>
+ <text>General Settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Upstream Proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Network Access Control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic Mgmt</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth Settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Extended Auth Settings</text>
+ <url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fielddescr>Proxy Listening Interface</fielddescr>
+ <fieldname>active_interface</fieldname>
+ <description>This defines the active listening interface to which the proxy server will listen for its requests.</description>
+ <type>interfaces_selection</type>
+ </field>
+ <field>
+ <fielddescr>Transparent Proxy</fielddescr>
+ <fieldname>transparent_proxy</fieldname>
+ <description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>URL Filtering Enabled</fielddescr>
+ <fieldname>urlfilter_enable</fieldname>
+ <description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Disable Access Log</fielddescr>
+ <fieldname>accesslog_disabled</fieldname>
+ <description>Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log Query Terms</fielddescr>
+ <fieldname>log_query_terms</fieldname>
+ <description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fielddescr>Log User Agents</fielddescr>
+ <fieldname>log_user_agents</fieldname>
+ <description>This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <combinefieldsend>true</combinefieldsend>
+ <fielddescr>Proxy Port</fielddescr>
+ <fieldname>proxy_port</fieldname>
+ <description>This is the port the Proxy Server will listen for client requests on. The default is 3128.</description>
+ <size>4</size>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>ICP Port</fielddescr>
+ <fieldname>icp_port</fieldname>
+ <description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.</description>
+ <size>4</size>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Visible Hostname</fielddescr>
+ <fieldname>visible_hostname</fieldname>
+ <description>This URL is displayed on the Proxy Server error messages.</description>
+ <size>35</size>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Cache Administrator E-Mail</fielddescr>
+ <fieldname>cache_admin_email</fieldname>
+ <description>This E-Mail address is displayed on the Proxy Server error messages.</description>
+ <size>35</size>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Error Messages Language</fielddescr>
+ <fieldname>error_language</fieldname>
+ <description>Select the language in which the Proxy Server shall display error messages to users.</description>
+ <type>select</type>
+ <options>
+ <option><name>Bulgarian</name><value>Bulgarian</value></option>
+ <option><name>Catalan</name><value>Catalan</value></option>
+ <option><name>Czech</name><value>Czech</value></option>
+ <option><name>Danish</name><value>Danish</value></option>
+ <option><name>Dutch</name><value>Dutch</value></option>
+ <option><name>English</name><value>English</value></option>
+ <option><name>Estonian</name><value>Estonian</value></option>
+ <option><name>Finnish</name><value>Finnish</value></option>
+ <option><name>French</name><value>French</value></option>
+ <option><name>German</name><value>German</value></option>
+ <option><name>Hebrew</name><value>Hebrew</value></option>
+ <option><name>Hungarian</name><value>Hungarian</value></option>
+ <option><name>Italian</name><value>Italian</value></option>
+ <option><name>Japanese</name><value>Japanese</value></option>
+ <option><name>Korean</name><value>Korean</value></option>
+ <option><name>Lithuanian</name><value>Lithuanian</value></option>
+ <option><name>Polish</name><value>Polish</value></option>
+ <option><name>Portuguese</name><value>Portuguese</value></option>
+ <option><name>Romanian</name><value>Romanian</value></option>
+ <option><name>Russian-1251</name><value>Russian-1251</value></option>
+ <option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
+ <option><name>Serbian</name><value>Serbian</value></option>
+ <option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
+ <option><name>Slovak</name><value>Slovak</value></option>
+ <option><name>Spanish</name><value>Spanish</value></option>
+ <option><name>Swedish</name><value>Swedish</value></option>
+ <option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
+ <option><name>Turkish</name><value>Turkish</value></option>
+ </options>
+ </field>
+ <field>
+ <fielddescr>Enable cachemgr</fielddescr>
+ <fieldname>cachemgr_enabled</fieldname>
+ <description>Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. &lt;b&gt;Note:&lt;/b&gt; This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid.</description>
+ <type>checkbox</type>
+ </field>
+
+ </fields>
+ <custom_add_php_command_late>
+ global_write_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ start_service("squid");
+ </custom_add_php_command_late>
+ <custom_php_install_command>
+ custom_php_install_command();
+ write_static_squid_config();
+ mwexec("/usr/local/sbin/squid -k reconfigure");
+ start_service("squid");
+ </custom_php_install_command>
+ <custom_php_deinstall_command>
+ custom_php_deinstall_command();
+ stop_service("squid");
+ </custom_php_deinstall_command>
+</packagegui>
diff --git a/packages/squid/squid_traffic.xml b/packages/squid/squid_traffic.xml
new file mode 100644
index 00000000..4cc67e86
--- /dev/null
+++ b/packages/squid/squid_traffic.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <include_file>squid.inc</include_file>
+ <name>squidtraffic</name>
+ <title>Proxy server: Traffic management</title>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.xml</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fieldname>max_download_size</fieldname>
+ <fielddescr>Maximum download size</fielddescr>
+ <description>Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable.</description>
+ <default_value>0</default_value>
+ <required/>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>max_upload_size</fieldname>
+ <fielddescr>Maximum upload size</fielddescr>
+ <description>Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable.</description>
+ <default_value>0</default_value>
+ <required/>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>overall_throttling</fieldname>
+ <fielddescr>Overall bandwidth throttling</fielddescr>
+ <description>This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling.</description>
+ <default_value>0</default_value>
+ <required/>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>perhost_throttling</fieldname>
+ <fielddescr>Per-host throttling</fielddescr>
+ <description>This value specifies the download throttling per host. Set to 0 to disable this.</description>
+ <default_value>0</default_value>
+ <required/>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>throttle_specific</fieldname>
+ <fielddescr>Throttle only specific extensions</fielddescr>
+ <description>Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled.</description>
+ <default_value>on</default_value>
+ <type>checkbox</type>
+ <enablefields>throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others</enablefields>
+ </field>
+ <field>
+ <fieldname>throttle_binaries</fieldname>
+ <fielddescr>Throttle binary files</fielddescr>
+ <description>Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>throttle_cdimages</fieldname>
+ <fielddescr>Throttle CD images</fielddescr>
+ <description>Check this to apply bandwidth throttle to CD image files.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>throttle_multimedia</fieldname>
+ <fielddescr>Throttle multimedia files</fielddescr>
+ <description>Check this to apply bandwidth throttle to multimedia files, such as movies or songs.</description>
+ <type>checkbox</type>
+ </field>
+ <field>
+ <fieldname>throttle_others</fieldname>
+ <fielddescr>Throttle other extensions</fielddescr>
+ <description>Comma-separated list of extensions to apply bandwidth throttle to.</description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_traffic($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
diff --git a/packages/squid/squid_upstream.xml b/packages/squid/squid_upstream.xml
new file mode 100644
index 00000000..37ec80ff
--- /dev/null
+++ b/packages/squid/squid_upstream.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <include_file>squid.inc</include_file>
+ <name>squidupstream</name>
+ <title>Proxy server: Upstream proxy settings</title>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ <active/>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.in</url>
+ </tab>
+ </tabs>
+ <fields>
+ <field>
+ <fielddescr>Enable forwarding</fielddescr>
+ <fieldname>proxy_forwarding</fieldname>
+ <description>This option enables the proxy server to forward requests to an upstream server.</description>
+ <required/>
+ <type>checkbox</type>
+ <enablefields>proxy_addr,proxy_port,icp_port,username,password</enablefields>
+ </field>
+ <field>
+ <fielddescr>Hostname</fielddescr>
+ <fieldname>proxy_addr</fieldname>
+ <description>Enter here the IP address or host name of the upstream proxy.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>TCP port</fielddescr>
+ <fieldname>proxy_port</fieldname>
+ <description>Enter the port to use to connect to the upstream proxy.</description>
+ <default_value>3128</default_value>
+ <type>input</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr>ICP port</fielddescr>
+ <fieldname>icp_port</fieldname>
+ <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description>
+ <default_value>7</default_value>
+ <type>input</type>
+ <size>5</size>
+ </field>
+ <field>
+ <fielddescr>Username</fielddescr>
+ <fieldname>username</fieldname>
+ <description>If the upstream proxy requires a username, specify it here.</description>
+ <type>input</type>
+ </field>
+ <field>
+ <fielddescr>Password</fielddescr>
+ <fieldname>password</fieldname>
+ <description>If the upstream proxy requires a password, specify it here.</description>
+ <type>password</type>
+ </field>
+ </fields>
+ <custom_php_validation_command>
+ squid_validate_upstream($_POST, &amp;$input_errors);
+ </custom_php_validation_command>
+ <custom_php_resync_config_command>
+ squid_resync();
+ </custom_php_resync_config_command>
+</packagegui>
diff --git a/packages/squid/squid_users.xml b/packages/squid/squid_users.xml
new file mode 100644
index 00000000..4e70b7de
--- /dev/null
+++ b/packages/squid/squid_users.xml
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packagegui>
+ <include_file>squid.inc</include_file>
+ <name>squidusers</name>
+ <title>Proxy server: Local users</title>
+ <delete_string>A proxy server user has been deleted.</delete_string>
+ <addedit_string>A proxy server user has been created/modified.</addedit_string>
+ <tabs>
+ <tab>
+ <text>General settings</text>
+ <url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Upstream proxy</text>
+ <url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Cache management</text>
+ <url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Access control</text>
+ <url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Traffic management</text>
+ <url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Auth settings</text>
+ <url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
+ </tab>
+ <tab>
+ <text>Local users</text>
+ <url>/pkg.php?xml=squid_users.inc</url>
+ <active/>
+ </tab>
+ </tabs>
+ <adddeleteeditpagefields>
+ <columnitem>
+ <fieldname>username</fieldname>
+ <fielddescr>Username</fielddescr>
+ </columnitem>
+ <columnitem>
+ <fieldname>description</fieldname>
+ <fielddescr>Description</fielddescr>
+ </columnitem>
+ </adddeleteeditpagefields>
+ <fields>
+ <field>
+ <fieldname>username</fieldname>
+ <fielddescr>Username</fielddescr>
+ <description>Enter the username here.</description>
+ <required/>
+ <type>input</type>
+ </field>
+ <field>
+ <fieldname>password</fieldname>
+ <fielddescr>Password</fielddescr>
+ <description>Enter the password here.</description>
+ <required/>
+ <type>password</type>
+ </field>
+ <field>
+ <fieldname>description</fieldname>
+ <fielddescr>Description</fielddescr>
+ <description>You may enter a description here for your reference (not parsed).</description>
+ <type>input</type>
+ </field>
+ </fields>
+ <custom_php_resync_config_command>
+ squid_resync_users();
+ </custom_php_resync_config_command>
+</packagegui>