diff options
Diffstat (limited to 'packages')
-rw-r--r-- | packages/squid_auth.inc | 160 | ||||
-rw-r--r-- | packages/squid_ng.inc | 684 | ||||
-rw-r--r-- | packages/squid_ng.xml | 33 |
3 files changed, 496 insertions, 381 deletions
diff --git a/packages/squid_auth.inc b/packages/squid_auth.inc index ae431f22..e5eb2d2a 100644 --- a/packages/squid_auth.inc +++ b/packages/squid_auth.inc @@ -31,21 +31,21 @@ */ -function global_eval_auth_options(){ +function global_eval_auth_options() +{ + global $config; conf_mount_rw(); config_lock(); - global $config; - - $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; - - switch ($auth_method) { + switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) { case "none": dynamic_auth_content("pkg_edit"); dynamic_no_auth(); break; case "local_auth": dynamic_auth_content("pkg"); + /* create empty passwd file to prevent stat error with squid reload */ + touch ("/usr/local/etc/squid/advanced/ncsa/passwd"); dynamic_local_auth(); break; case "ldap_bind": @@ -54,62 +54,31 @@ function global_eval_auth_options(){ break; case "domain_auth": $filecontents = file('/usr/local/pkg/squid_auth.xml'); - - $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); - } - } - + dynamic_auth_content("pkg_edit"); dynamic_domain_auth(); break; case "radius_auth": $filecontents = file('/usr/local/pkg/squid_auth.xml'); - - $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); - } - } - + dynamic_auth_content("pkg_edit"); dynamic_radius_auth(); break; default: $filecontents = file('/usr/local/pkg/squid_auth.xml'); - - $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); - } - } - + dynamic_auth_content("pkg_edit"); dynamic_no_auth(); break; } - conf_mount_ro(); config_unlock(); + conf_mount_ro(); } /* end function global_eval_auth_options */ function dynamic_no_auth() { - conf_mount_rw(); - config_lock(); - global $config; - - $pkgfile = "/usr/local/pkg/squid_extauth.xml"; - - $fout = fopen($pkgfile, "w"); + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n"); fwrite($fout, "<packagegui>\n"); @@ -175,23 +144,22 @@ function dynamic_no_auth() { fwrite($fout, "</packagegui>\n"); fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); } function dynamic_local_auth() { - conf_mount_rw(); - config_lock(); - global $config; + conf_mount_rw(); - $pkgfile = "/usr/local/pkg/squid_extauth.xml"; - - $fout = fopen($pkgfile, "w"); + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n"); fwrite($fout, "\n"); fwrite($fout, "<packagegui>\n"); fwrite($fout, " <name>squidextlocalauth</name>\n"); - fwrite($fout, " <title>Services: Proxy Server -> Extended Authentication Settings</title>\n"); + fwrite($fout, " <title>Services: Proxy Server -> Extended Auth Settings</title>\n"); fwrite($fout, " <version>2.5.10_4</version>\n"); fwrite($fout, " <configpath>installedpackages->package->squidextlocalauth->configuration->settings</configpath>\n"); fwrite($fout, "\n"); @@ -293,9 +261,7 @@ function dynamic_local_auth() { fwrite($fout, " <custom_add_php_command_late>\n"); fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n"); fwrite($fout, "\n"); - fwrite($fout, ' if ($password == $confirm_password) { ' . "\n"); - fwrite($fout, " mod_htpasswd();\n"); - fwrite($fout, " }\n"); + fwrite($fout, " mod_htpasswd();\n"); fwrite($fout, " global_write_squid_config();\n"); fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n"); fwrite($fout, " </custom_add_php_command_late>\n"); @@ -304,19 +270,15 @@ function dynamic_local_auth() { fclose($fout); + /* mount filesystem read-only */ conf_mount_ro(); - config_unlock(); -} /* end function dynamic_local_auth */ +} function dynamic_ldap_auth() { - conf_mount_rw(); - config_lock(); - global $config; + conf_mount_rw(); - $pkgfile = "/usr/local/pkg/squid_extauth.xml"; - - $fout = fopen($pkgfile, "w"); + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); fwrite($fout, '<?xml version="1.0" encoding="utf-8" ?>' . "\n"); fwrite($fout, "\n"); @@ -374,7 +336,7 @@ function dynamic_ldap_auth() { fwrite($fout, " <field>\n"); fwrite($fout, " <fielddescr>Base DN</fielddescr>\n"); fwrite($fout, " <fieldname>ldap_basedn</fieldname>\n"); - fwrite($fout, " <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: "ou=users,o=company" will search for users in and under the specified company.</description>\n"); + fwrite($fout, ' <description>This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: "ou=users,o=company" will search for users in and under the specified company.</description>' . "\n"); fwrite($fout, " <type>input</type>\n"); fwrite($fout, " <size>50</size>\n"); fwrite($fout, " </field>\n"); @@ -428,57 +390,59 @@ function dynamic_ldap_auth() { fwrite($fout, " <custom_add_php_command_late>\n"); fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n"); fwrite($fout, "\n"); - fwrite($fout, " if ($password == $confirm_password) {\n"); - fwrite($fout, ' mwexec("/usr/bin/htpasswd -b /usr/local/etc/squid/advanced/ncsa/passwd "' . $username . " " . $password . "\n"); - fwrite($fout, " }\n"); + fwrite($fout, " mod_htpasswd();\n"); fwrite($fout, "\n"); fwrite($fout, " global_write_squid_config();\n"); fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n"); fwrite($fout, " </custom_add_php_command_late>\n"); fwrite($fout, "\n"); fwrite($fout, "</packagegui>\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); } /* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ function dynamic_auth_content($pkgvar) { - - if ($pkgvar == "pkg") { - if ($handle = opendir('/usr/local/pkg')) { - while (($file = readdir($handle)) != false) { - if (stristr($file, "squid_") && stristr($file, ".xml")) { - - $filecontents = file("/usr/local/pkg/" . $file); - - $fout = fopen("/usr/local/pkg/" . $file,"w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); + + switch ($pkgvar) { + case "pkg": + if ($handle = opendir('/usr/local/pkg')) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file, "w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } } } } - } - } - } else { + } + break; + + case "pkg_edit": if ($handle = opendir('/usr/local/pkg')) { - while (($file = readdir($handle)) != false) { - if (stristr($file, "squid_") && stristr($file, ".xml")) { - - $filecontents = file("/usr/local/pkg/" . $file); - - $fout = fopen("/usr/local/pkg/" . $file,"w"); - foreach($filecontents as $line) { - if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { - fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); - } else { - fwrite($fout, $line); + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "<url>/pkg.php?xml=squid_extauth.xml&id=0</url>")) { + fwrite($fout, " <url>/pkg_edit.php?xml=squid_extauth.xml&id=0</url>\n"); + } else { + fwrite($fout, $line); + } } } } } - } + break; } -} /* end function dynamic_auth_content */ - -?>
\ No newline at end of file + +} /* end function dynamic_auth_content */
\ No newline at end of file diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc index 8c32ccf5..47a19635 100644 --- a/packages/squid_ng.inc +++ b/packages/squid_ng.inc @@ -31,12 +31,12 @@ */ -function global_write_squid_config() { +function global_write_squid_config() +{ + global $config; conf_mount_rw(); config_lock(); - - global $config; - + /* define squid configuration file in variable for replace function */ $squidconfig = "/usr/local/etc/squid/squid.conf"; @@ -109,217 +109,295 @@ function global_write_squid_config() { $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username']; $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password']; + /* squid_extauth.xml (radius) values */ + $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server']; + $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port']; + $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier']; + $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret']; + /* static variable assignments for directory mapping */ $acldir = "/usr/local/etc/squid/advanced/acls"; $ncsadir = "/usr/local/etc/squid/advanced/ncsa"; $ntlmdir = "/usr/local/etc/squid/advanced/ntlm"; $radiusdir = "/usr/local/etc/squid/advanced/radius"; - - $fout = fopen($squidconfig,"w"); - - /* option: shutdown_lifetime */ - fwrite($fout, "shutdown_lifetime 5 seconds\n"); - fwrite($fout, "\n"); + + $fout = fopen($squidconfig, "w"); + + $config_array = array('shutdown_lifetime 5 seconds' . "\n\n"); - /* option: icp_port */ - if($icp_port == "") $icp_port="3130"; - fwrite($fout, "icp_port " . $icp_port . "\n"); + if (!isset($icp_port) or ($icp_port == "")) { + $icp_port = "3130"; + } + $config_array[] = 'icp_port ' . $icp_port . "\n"; + unset($icp_port); - /* option: proxy_port */ - if($proxy_port == "") $proxy_port="3128"; + if(!isset($proxy_port) or ($proxy_port == "")) { + $proxy_port = "3128"; + } + if (isset($transparent_proxy) && ($transparent_proxy != "on")) { $int = convert_friendly_interface_to_real_interface_name($active_interface); $listen_ip = find_interface_ip($int); - fwrite($fout, "http_port " . $listen_ip . ":" . $proxy_port . "\n"); - fwrite($fout, "\n"); - - fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); - fwrite($fout, "no_cache deny QUERY\n"); + $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n"; + $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n"; + $config_array[] = 'no_cache deny QUERY' . "\n\n"; } + unset($proxy_port); + + if (isset($domain) && ($domain !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/dst_nocache.acl","w"); - /* option: acl no cache domains */ - if (isset($domain) && $domain !== "") { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); - $aclout = fopen($acldir . "/dst_nocache.acl","w"); - - $domain_array = split(";",$domain); - foreach ($domain_array as $no_cache_domain) { + $domain_array = split("; ",$domain); + foreach ($domain_array as $no_cache_domain) { fwrite($aclout, $no_cache_domain . "\n"); } - + fclose($aclout); - fwrite($fout, 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"); - fwrite($fout, "no_cache deny no_cache_domains\n"); + $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"; + $config_array[] = 'no_cache deny no_cache_domains' . "\n\n"; + } + unset($no_cache_domain); + unset($domain_array); + unset($domain); + + $config_array[] = 'cache_effective_user squid' . "\n"; + $config_array[] = 'cache_effective_group squid' . "\n\n"; + $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n"; + + if (!isset($memory_cache_size) or ($memory_cache_size == "")) { + $memory_cache_size = "8"; + } + $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n"; + unset($memory_cache_size); + + if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) { + $harddisk_cache_size = "500"; + } + + if (!isset($level_subdirs) or ($level_subdirs == "")) { + $level_subdirs = "16"; } + + $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n"; + unset($harddisk_cache_size); + unset($level_subdirs); + + if (!isset($error_language) or ($error_language == "")) { + $error_language = "English"; + } + $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n"; + unset($error_language); - fwrite($fout, "\n"); - - fwrite($fout, "cache_effective_user squid\n"); - fwrite($fout, "cache_effective_group squid\n"); - fwrite($fout, "\n"); - - fwrite($fout, "pid_filename /var/run/squid.pid\n"); - fwrite($fout, "\n"); - - if ($memory_cache_size == "") $memory_cache_size="8"; - fwrite($fout, "cache_mem " . $memory_cache_size . " MB\n"); - if ($harddisk_cache_size == "") $harddisk_cache_size="500"; - if ($level_subdirs == "") $level_subdirs="16"; - fwrite($fout, "cache_dir diskd /var/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n"); - fwrite($fout, "\n"); - - if ($error_language == "") $error_language="English"; - fwrite($fout, "error_directory /usr/local/etc/squid/errors/" . $error_language . "\n"); - fwrite($fout, "\n"); - - if (isset($offline_mode) and ($offline_mode == "on")) { - fwrite($fout, "offline_mode on\n"); - fwrite($fout, "\n"); + if (isset($offline_mode) && ($offline_mode == "on")) { + $config_array[] = 'offline_mode on' . "\n\n"; } else { - fwrite($fout, "offline_mode off\n"); - fwrite($fout, "\n"); + $config_array[] = 'offline_mode off' . "\n\n"; } - if (!isset($cache_replacement) or ($memory_replacement == "")) $memory_replacement="heap GDSF"; - fwrite($fout, "memory_replacement_policy " . $memory_replacement . "\n"); - if (!isset($cache_replacement) or ($cache_replacement == "")) $cache_replacement="heap GDSF"; - fwrite($fout, "cache_replacement_policy " . $cache_replacement . "\n"); - fwrite($fout, "\n"); + if (!isset($memory_replacement) or ($memory_replacement == "")) { + $memory_replacement = "heap GDSF"; + } + $config_array[] = 'memory_replacement_policy ' . $memory_replacement . "\n"; + unset($memory_replacement); + + if (!isset($cache_replacement) or ($cache_replacement == "")) { + $cache_replacement="heap GDSF"; + } + $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n"; + unset($cache_replacement); - if ($log_enabled == "on" ) { + if (isset($log_enabled) && ($log_enabled == "on" )) { if (!file_exists("/var/squid/logs")) { mwexec("mkdir -p /var/squid/logs"); mwexec("chown squid:squid /var/squid/logs"); } - fwrite($fout, "cache_access_log /var/squid/logs/access.log\n"); - fwrite($fout, "cache_log /var/squid/logs/cache.log\n"); - fwrite($fout, "cache_store_log none\n"); + $config_array[] = 'cache_access_log /var/squid/logs/access.log' . "\n"; + $config_array[] = 'cache_log /var/squid/logs/cache.log' . "\n"; + $config_array[] = 'cache_store_log none' . "\n"; } else { - fwrite($fout, "cache_access_log /dev/null\n"); - fwrite($fout, "cache_log /dev/null\n"); - fwrite($fout, "cache_store_log none\n"); + $config_array[] = 'cache_access_log /dev/null' . "\n"; + $config_array[] = 'cache_log /dev/null' . "\n"; + $config_array[] = 'cache_store_log none' . "\n"; } + unset($log_enabled); - if ($log_query_terms == "on") { - fwrite($fout, "strip_query_terms off\n"); + if (isset($log_query_terms) && ($log_query_terms == "on")) { + $config_array[] = 'strip_query_terms off' . "\n"; } else { - fwrite($fout, "strip_query_terms on\n"); + $config_array[] = 'strip_query_terms on' . "\n"; } + unset($log_query_terms); - if ($log_user_agents == "on") { + if (isset($log_user_agents) && ($log_user_agents == "on")) { if (!file_exists("/var/squid/logs")) mwexec("mkdir -p /var/squid/logs"); - fwrite($fout, "useragent_log /var/squid/logs/useragent.log\n"); + $config_array[] = 'useragent_log /var/squid/logs/useragent.log' . "\n\n"; } - fwrite($fout, "\n"); + unset($log_user_agents); - fwrite($fout, "log_mime_hdrs off\n"); - fwrite($fout, "emulate_httpd_log on\n"); + $config_array[] = 'log_mime_hdrs off' . "\n"; + $config_array[] = 'emulate_httpd_log on' . "\n"; switch ($user_forwarding) { case "on": - fwrite($fout, "forwarded_for on\n"); + $config_array[] = 'forwarded_for on' . "\n\n"; break; case "off": - fwrite($fout, "forwarded_for off\n"); + $config_array[] = 'forwarded_for off' . "\n\n"; break; default: - fwrite($fout, "forwarded_for off\n"); + $config_array[] = 'forwarded_for off' . "\n\n"; break; } - fwrite($fout, "\n"); + unset($user_forwarding); - if ($no_auth == "on") { - fwrite($fout, "\n"); - } - switch ($auth_method) { case "none": break; case "local_auth": - fwrite($fout, "auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd\n"); - if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5"; - fwrite($fout, "auth_param basic children " . $auth_processes . "\n"); - - if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy"; - fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n"); - - if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60"; - fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n"); - fwrite($fout, "\n"); - fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n"); - fwrite($fout, "\n"); + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + break; case "radius_auth"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + break; case "ldap_bind"; - /* fwrite($fout, 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"); */ - fwrite($fout, "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth"); - fwrite($fout, ' -b "' . $ldap_basedn . '"'); - fwrite($fout, ' -D "' . $bind_dn_username . '"'); - fwrite($fout, " -w " . $bind_dn_password); - fwrite($fout, ' -f "(&(objectClass=person)(cn=%s))"'); - fwrite($fout, " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n"); - - if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5"; - fwrite($fout, "auth_param basic children " . $auth_processes . "\n"); - - if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy"; - fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n"); - - if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60"; - fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n"); - fwrite($fout, "\n"); - fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n"); - fwrite($fout, "\n"); + $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth'; + $config_array[] = ' -b "' . $ldap_basedn . '"'; + $config_array[] = ' -D "' . $bind_dn_username . '"'; + $config_array[] = " -w " . $bind_dn_password; + $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"'; + $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n"; + + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + break; case "windows_auth"; break; - default: - break; } - if (isset($throttle_binary_files) && $throttle_binary_files == "on") { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); - $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; - $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); - fwrite($throttle_out, $binary_out); - fclose($throttle_out); - fwrite($fout, 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"); - } else { - if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); + $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); + fwrite($throttle_out, $binary_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); } + unset($throttle_binary_files); + unset($throttle_out); + unset($binary_out); - if (isset($throttle_cd_images) && $throttle_cd_images == "on") { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w"); fwrite($throttle_out, $cd_out); fclose($throttle_out); - fwrite($fout, 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"); + $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"; } else { - if (file_exists($acldir . "/dst_throttle_cd.acl")) unlink($acldir . "/dst_throttle_cd.acl"); + if (file_exists($acldir . "/dst_throttle_cd.acl")) { + unlink($acldir . "/dst_throttle_cd.acl"); + } } + unset($throttle_cd_images); + unset($throttle_out); + unset($cd_out); - if (isset($throttle_multimedia) && $throttle_multimedia == "on") { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w"); fwrite($throttle_out, $multimedia_out); fclose($throttle_out); - fwrite($fout, 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n"); + $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n"; } else { - if (file_exists($acldir . "/dst_throttle_multimedia.acl")) unlink($acldir . "/dst_throttle_multimedia.acl"); + if (file_exists($acldir . "/dst_throttle_multimedia.acl")) { + unlink($acldir . "/dst_throttle_multimedia.acl"); + } } + unset($throttle_multimedia); + unset($multimedia_out); + unset($throttle_out); - fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); - fwrite($fout, "\n"); + $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n"; /* obtain interface subnet and address for Squid rules */ $lactive_interface = strtolower($active_interface); @@ -330,45 +408,48 @@ function global_write_squid_config() { $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; - fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n"); - fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); - fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); - fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); - fwrite($fout, "acl Safe_ports port 80 # http\n"); - fwrite($fout, "acl Safe_ports port 21 # ftp\n"); - fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); - fwrite($fout, "acl Safe_ports port 70 # gopher\n"); - fwrite($fout, "acl Safe_ports port 210 # wais\n"); - fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); - fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); - fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); - fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); - fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); - fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); - fwrite($fout, "\n"); + $config_array[] = 'acl all src ' . $lansa . '/' . $lansn . "\n"; + $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n"; + $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n"; + $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 80 # http' . "\n"; + $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n"; + $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n"; + $config_array[] = 'acl Safe_ports port 210 # wais' . "\n"; + $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n"; + $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . "\n"; + $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n"; + $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n"; + $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n"; + $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n"; /* allow access through proxy for custom admin port */ $custom_port = $config['system']['webgui']['port']; if (isset($custom_port) && ($custom_port !== "")) { - fwrite($fout, "acl pf_admin_port port " . $custom_port . "\n"); + $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n"; + unset($custom_port); } else { $admin_protocol = $config['system']['webgui']['protocol']; switch ($admin_protocol) { case "http"; - fwrite($fout, "acl pf_admin_port port 80\n"); + $config_array[] = 'acl pf_admin_port port 80' ."\n"; break; case "https"; - fwrite($fout, "acl pf_admin_port port 443\n"); + $config_array[] = 'acl pf_admin_port port 443' . "\n"; break; default; - fwrite($fout, "acl pf_admin_port port 80\n"); + $config_array[] = 'acl pf_admin_port port 80' . "\n"; break; } + unset($admin_protocol); } /* define override hosts as specified in squid_nac.xml */ if (isset($override_hosts) && ($override_hosts !== "")) { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $aclout = fopen($acldir . "/src_override_hosts.acl", "w"); @@ -379,280 +460,327 @@ function global_write_squid_config() { fclose($aclout); - fwrite($fout, 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n"); + $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n"; } + /* clear variables */ + unset($override_hosts_array); + unset($ind_override_host); + unset($override_hosts); /* define subnets allowed to utilize proxy service */ if (isset($allowed_subnets) && ($allowed_subnets !== "")) { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $aclout = fopen($acldir . "/src_subnets.acl","w"); - $allowed_subnets_array = split(";",$allowed_subnets); + $allowed_subnets_array = split("; ",$allowed_subnets); foreach ($allowed_subnets_array as $ind_allowed_subnets) { fwrite($aclout, $ind_allowed_subnets . "\n"); } - fclose($aclout); - - fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"); + fclose($aclout); } else { + $aclout = fopen($acldir . "/src_subnets.acl","w"); fwrite($aclout, $lansa . "/" . $lansn . "\n"); fclose($aclout); } - + + $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"; + + unset($allowed_subnets_array); + unset($ind_allowed_subnets); + unset($allowed_subnets); /* define ip addresses that have 'unrestricted' access */ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w"); - $unrestricted_ip_array = split(";",$unrestricted_ip_addr); + $unrestricted_ip_array = split("; ",$unrestricted_ip_addr); foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { fwrite($aclout, $ind_unrestricted_ip . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"); + $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"; } + unset($unrestricted_ip_array); + unset($unrestricted_ip_addr); + unset($ind_unrestricted_ip); /* define mac addresses that have 'unrestricted' access */ if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w"); - $unrestricted_mac_array = split(";",$unrestricted_mac_addr); + $unrestricted_mac_array = split("; ",$unrestricted_mac_addr); foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { fwrite($aclout, $ind_unrestricted_mac . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n"); + $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . "\n"; } + unset($unrestricted_mac_array); + unset($unrestricted_mac_addr); + unset($ind_unrestricted_mac); /* define ip addresses that are banned from using the proxy service */ if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } $aclout = fopen($acldir . "/src_banned_ip.acl","w"); - $banned_ip_array = split(";",$banned_ip_addr); + $banned_ip_array = split("; ",$banned_ip_addr); foreach ($banned_ip_array as $ind_banned_ip) { fwrite($aclout, $ind_banned_ip . "\n"); } fclose($aclout); - fwrite($fout, 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"); + $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; } + unset($banned_ip_addr); + unset($banned_ip_addr); + unset($ind_banned_ip); /* define mac addresses that are banned from using the proxy service */ if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) { - if (!file_exists($acldir)) mwexec("/bin/mkdir -p " . $acldir); + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } - $aclout = fopen($acldir . "/src_banned_mac.acl","w"); + $aclout = fopen($acldir . "/src_banned_mac.acl","w"); - $banned_mac_array = split(";",$banned_mac_addr); - foreach ($banned_mac_array as $ind_banned_mac) { - fwrite($aclout, $ind_banned_mac . "\n"); - } + $banned_mac_array = split("; ",$banned_mac_addr); + foreach ($banned_mac_array as $ind_banned_mac) { + fwrite($aclout, $ind_banned_mac . "\n"); + } fclose($aclout); - fwrite($fout, 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"); + $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"; } + unset($banned_mac_array); + unset($banned_mac_addr); + unset($ind_banned_mac); - fwrite($fout, "acl pf_ips dst " . $lanip . "\n"); - fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"); - fwrite($fout, "acl CONNECT method CONNECT\n"); - fwrite($fout, "\n"); + $config_array[] = 'acl pf_ips dst ' . $lanip . "\n"; + $config_array[] = 'acl CONNECT method CONNECT' . "\n\n"; - fwrite($fout, "#access to squid; local machine; no restrictions\n"); - if (isset($auth_method) && ($auth_method == "none")) fwrite($fout, "http_access allow localnet\n"); - fwrite($fout, "http_access allow localhost\n"); + if (isset($auth_method) && ($auth_method == "none")) { + $config_array[] = 'http_access allow localnet' . "\n"; + } + $config_array[] = 'http_access allow localhost' . "\n"; - if (isset($override_hosts) && ($override_hosts !== "")) fwrite($fout, "http_access allow override_hosts\n"); - fwrite($fout, "\n"); + if (isset($override_hosts) && ($override_hosts !== "")) { + $config_array[] = 'http_access allow override_hosts' . "\n"; + } + $config_array[] = "\n"; - fwrite($fout, "#GUI admin to allow local connections\n"); - if ($config['system']['webgui']['protocol'] == "http") fwrite($fout, "http_access allow pf_ips pf_networks pf_admin_port\n"); - if ($config['system']['webgui']['protocol'] == "https") fwrite($fout, "http_access allow CONNECT pf_ips pf_networks pf_admin_port\n"); + switch ($config['system']['webgui']['protocol']) { + case "http": + $config_array[] = 'http_access allow pf_ips' . "\n"; + $config_array[] = 'http_access allow pf_admin_port' . "\n"; + $config_array[] = 'http_access deny !pf_networks' . "\n\n"; + break; + case "https": + $config_array[] = 'http_access allow CONNECT pf_ips' . "\n"; + $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n"; + $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n"; + break; + } - fwrite($fout, "#Deny non web services\n"); - fwrite($fout, "http_access deny !Safe_ports\n"); - fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); - fwrite($fout, "\n"); + $config_array[] = 'http_access deny !Safe_ports' . "\n"; + $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n"; - fwrite($fout, "#Set custom configured ACLs\n"); if (isset($auth_method) && ($auth_method != "none")) { - fwrite($fout, "http_access allow pf_networks for_inetusers within_timeframe\n"); + $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n"; } - fwrite($fout, "http_access deny all\n"); - fwrite($fout, "\n"); + $config_array[] = 'http_access deny all' . "\n\n"; if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) { - fwrite($fout, "#Set throttle and bandwidth restrictions\n"); - - fwrite($fout, "delay_pools 1\n"); - fwrite($fout, "delay_class 1 3\n"); + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; if ($dl_overall == "unlimited") { - fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . "\n"); + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n"; } else { - fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . " -1/-1 -1/-1\n"); + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; } /* if no unrestricted ip addresses are defined; this line is ignored */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; - fwrite($fout, "#delay_access 1 deny for_extended_users\n"); - /* this will define bandwidth delay restrictions for specified throttles */ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { - fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; } if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { - fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; } if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { - fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; } else { - fwrite($fout, "delay_access 1 allow all\n"); + $config_array[] = 'delay_access 1 allow all' . "\n"; } - fwrite($fout, "delay_initial_bucket_level 100%\n\n"); + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; } if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) { - fwrite($fout, "#Set throttle and bandwidth restrictions\n"); - - fwrite($fout, "delay_pools 1\n"); - fwrite($fout, "delay_class 1 3\n"); + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; if ($dl_per_host == "unlimited") { - fwrite($fout, "delay_parameters 1 " . ($dl_per_host * 125) . "/" . ($dl_per_host * 250) . "-1/-1 -1/-1\n"); + $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n"; } else { - fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_per_host * 250) . "\n"); + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n"; } /* if no unrestricted ip addresses are defined; this line is ignored */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; - fwrite($fout, "#delay_access 1 deny for_extended_users\n"); - /* this will define bandwidth delay restrictions for specified throttles */ if ($throttle_binary_files == "on") { - fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; } if ($throttle_cd_images == "on") { - fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; } if ($throttle_multimedia == "on") { - fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n"; } else { - fwrite($fout, "delay_access 1 allow all\n"); + $config_array[] = 'delay_access 1 allow all' . "\n"; } - fwrite($fout, "delay_initial_bucket_level 100%\n\n"); - fwrite($fout, "\n"); + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n"; } if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) { /* if no bandwidth restrictions are specified, then these parameters are not necessary */ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { - fwrite($fout, "#Set throttle and bandwidth restrictions\n"); if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) { - fwrite($fout, "delay_pools 1\n"); - fwrite($fout, "delay_class 1 3\n"); - fwrite($fout, "delay_parameters 1 -1/-1 -1/-1 " . ($dl_per_host * 125) . "/" . ($dl_overall * 250) . "\n"); + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . "\n"; } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) { - fwrite($fout, "delay_pools 1\n"); - fwrite($fout, "delay_class 1 3\n"); - fwrite($fout, "delay_parameters 1 " . ($dl_overall * 125) . "/" . ($dl_overall * 250) . " -1/-1 -1/-1\n"); + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; } } if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { /* if no unrestricted ip addresses are defined; this line is ignored */ - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "delay_access 1 deny pf_unrestricted_ip\n"); - - fwrite($fout, "#delay_access 1 deny for_extended_users\n"); - + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + /* this will define bandwidth delay restrictions for specified throttles */ if ($throttle_binary_files == "on") { - fwrite($fout, "delay_access 1 allow all for_throttled_binary\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; } if ($throttle_cd_images == "on") { - fwrite($fout, "delay_access 1 allow all for_throttled_cd\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; } if ($throttle_multimedia == "on") { - fwrite($fout, "delay_access 1 allow all for_throttled_multimedia\n"); + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; } else { - fwrite($fout, "delay_access 1 allow all\n"); + $config_array[] = 'delay_access 1 allow all' . "\n"; } - fwrite($fout, "delay_initial_bucket_level 100%\n\n"); + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; } } - fwrite($fout, "#Strip HTTP Header\n"); - fwrite($fout, "header_access X-Forwarded-For deny all\n"); - fwrite($fout, "header_access Via deny all\n"); - fwrite($fout, "\n"); + $config_array[] = 'header_access X-Forwarded-For deny all' . "\n"; + $config_array[] = 'header_access Via deny all' . "\n\n"; /* TODO: acl customization for snmp support */ - fwrite($fout, "\n"); + /* fwrite($fout, "\n"); */ if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) { - fwrite($fout, "redirect_program /usr/sbin/squidGuard"); - fwrite($fout, "redirect_children 5"); - fwrite($fout, "\n"); + $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n"; + $config_array[] = 'redirect_children 5' . "\n\n"; } if (isset($max_upload_size) && ($max_upload_size != "")) { - fwrite($fout, "request_body_max_size " . $max_download_size . "KB\n"); + $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n"; } if (isset($max_download_size) && ($max_download_size != "")) { - if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) fwrite($fout, "reply_body_max_size 0 allow pf_unrestricted_ip\n"); - fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); - fwrite($fout, "reply_body_max_size " . $max_download_size * 1024 . " allow all\n"); - fwrite($fout, "\n"); + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . "\n"; + /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */ + $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n"; } - if ($maximum_object_size == "") $maximum_object_size="4096"; - if ($minimum_object_size == "") $minimum_object_size="0"; - fwrite($fout, "maximum_object_size " . $maximum_object_size . " KB\n"); - fwrite($fout, "minimum_object_size " . $minimum_object_size . " KB\n"); - fwrite($fout, "\n"); + /* set default value for maximum_object_size */ + if (!isset($maximum_object_size) or ($maximum_object_size == "")) { + $maximum_object_size = "4096"; + } + + /* set default value for minimum_object_size */ + if (!isset($minimum_object_size) or ($minimum_object_size == "")) { + $minimum_object_size = "0"; + } + $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n"; + $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n"; - if ($proxy_forwarding == "on") { - fwrite($fout, "cache_peer " . $upstream_proxy . "parent " . $upstream_proxy_port . "3130 login=" . upstream_username . ":" . upstream_password . " default no-query\n"); - fwrite($fout, "never_direct allow all\n"); + if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) { + $config_array[] = 'cache_peer ' . $upstream_proxy . 'parent ' . $upstream_proxy_port . '3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n"; + $config_array[] = 'never_direct allow all' . "\n"; } - - if ($transparent_proxy == "on") { - fwrite($fout, "httpd_accel_host virtual\n"); - fwrite($fout, "httpd_accel_port 80\n"); - fwrite($fout, "httpd_accel_with_proxy on\n"); - fwrite($fout, "httpd_accel_uses_host_header on\n"); - fwrite($fout, "\n"); + unset($proxy_forwarding); + + + /* define default ruleset for transparent proxy operation */ + if (isset($transparent_proxy) && ($transparent_proxy == "on")) { + $config_array[] = 'httpd_accel_host virtual' . "\n"; + $config_array[] = 'httpd_accel_port 80' . "\n"; + $config_array[] = 'httpd_accel_with_proxy on' . "\n"; + $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n"; } + unset($transparent_proxy); + + /* define visible hostname */ if (isset($visible_hostname) && ($visible_hostname !== "")) { - fwrite($fout, "visible_hostname " . $visible_hostname . "\n"); + $config_array[] = 'visible_hostname ' . $visible_hostname . "\n"; } + unset($visible_hostname); + /* define cache administrators email address within error messages */ if (isset($cache_admin_email) && ($cache_admin_email !== "")) { - fwrite($fout, "cache_mgr " . $cache_admin_email . "\n"); - fwrite($fout, "\n"); + $config_array[] = 'cache_mgr ' . $cache_admin_email . "\n\n"; } - + unset($cache_admin_email); + + /* write configuration file */ + foreach ($config_array as $config_item) + { + fwrite($fout, trim($config_item)); + + if (stristr($config_item, "\n")) + { + for ($i = 1; $i < count(explode("\n", $config_item)); $i++) + { + fwrite($fout, "\n"); + } + } + + } fclose($fout); conf_mount_ro(); @@ -662,15 +790,15 @@ function global_write_squid_config() { } /* end function write_squid_config */ function mod_htpasswd() { + global $config; conf_mount_rw(); config_lock(); - global $config; if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); - if($config['installedpackages']['squidextlocalauth']['config'] != "") { + if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); diff --git a/packages/squid_ng.xml b/packages/squid_ng.xml index 06a86634..ddb19bf8 100644 --- a/packages/squid_ng.xml +++ b/packages/squid_ng.xml @@ -271,9 +271,10 @@ fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n"); fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); fwrite($fout, "acl Safe_ports port 80 # http\n"); fwrite($fout, "acl Safe_ports port 21 # ftp\n"); - fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n"); + fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); fwrite($fout, "acl Safe_ports port 70 # gopher\n"); fwrite($fout, "acl Safe_ports port 210 # wais\n"); fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); @@ -294,7 +295,7 @@ fwrite($fout, "#Deny non web services\n"); fwrite($fout, "http_access deny !Safe_ports\n"); - fwrite($fout, "http_access deny CONNECT\n"); + fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); fwrite($fout, "\n"); fwrite($fout, "#Set custom configured ACLs\n"); @@ -333,10 +334,12 @@ <custom_php_install_command> write_static_squid_config(); <!-- write initial static config for transparent proxy --> + touch("/tmp/custom_php_install_command"> + update_output_window("Creating Proxy Server initialization scripts..."); $fout = fopen("/usr/local/etc/rc.d/squid.sh","w"); fwrite($fout, "#!/bin/sh\n"); - fwrite($fout, "#$pfSense: /usr/local/sbin/rc.d/squid.sh\n\n"); + fwrite($fout, "#: /usr/local/etc/rc.d/squid.sh\n\n"); fwrite($fout, "touch /tmp/ro_root_mount\n"); fwrite($fout, "/usr/local/sbin/squid -D\n"); fwrite($fout, "touch /tmp/filter_dirty\n"); @@ -358,7 +361,6 @@ } mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); - if (!file_exists("/usr/local/etc/squid/advanced/acls")) { mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); } @@ -379,6 +381,17 @@ } mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); + <-- EmanuelG: update pf group ownership settings to enhance squid performance and correct issue relating --> + <-- to error message: parseHttpRequest: PF open failed: (13) Permission denied --> + mwexec("chgrp squid /dev/pf"); + mwexec("chmod g+rw /dev/pf"); + + $devfs_file = fopen("/etc/devfs.conf", "a"); + fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. + fwrite($devfs_file, "own pf root:squid"); + fwrite($devfs_file, "perm pf 0640"); + fclose($devfs_file); + update_output_window("Initializing Cache... This may take a moment..."); mwexec("/usr/local/sbin/squid -z"); @@ -389,9 +402,19 @@ <custom_php_deinstall_command> update_output_window("Stopping proxy service..."); - mwexec("/usr/local/sbin/squid -k shutdown"); + + do while ((file_exists("/var/run/squid.pid") or ($i == 30)) { + mwexec("/usr/local/sbin/squid -k shutdown"); + $i++; + } + + if ($i == 30) { + $pid = shell_exec('nohup squid > /dev/null & echo $!'); + shell_exec('kill -9 ' . $pid . '/dev/null'); + } update_output_window("Recursively removing directories hierarchies..."); + update_output_window("If existant, log files in /var/squid/logs will remain..."); mwexec("rm -rf /usr/local/squid"); mwexec("rm -rf /var/squid/cache"); mwexec("rm -rf /usr/local/etc/squid"); |