From c9763d43223dc19543156376cde14242a52714a5 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 27 Nov 2015 22:03:20 +0100 Subject: Add client cert auth option, multiple fixes - Fix input validations - Fix no-op "Ignore Internal Certificate Validation" option - Make sure that 'User Defined Reverse Proxy IPs' are locally configured - Code style and cosmetics --- config/squid3/34/squid_reverse.inc | 186 ++++++++++++++++++++++++++++--------- 1 file changed, 140 insertions(+), 46 deletions(-) diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index b302c8b1..15217a33 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -30,6 +30,7 @@ POSSIBILITY OF SUCH DAMAGE. */ require_once('certs.inc'); +require_once("pfsense-utils.inc"); require_once('util.inc'); /* This file is currently only being included in squid.inc and not used separately */ // require_once('squid.inc'); 
@@ -41,48 +42,85 @@ function squid_resync_reverse() { // config file if (is_array($config['installedpackages']['squidreversegeneral'])) { $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + } else { + $settings = array(); } if (is_array($config['installedpackages']['squidreversepeer'])) { $reverse_peers = $config['installedpackages']['squidreversepeer']['config']; + } else { + $reverse_peers = array(); } if (is_array($config['installedpackages']['squidreverseuri'])) { $reverse_maps = $config['installedpackages']['squidreverseuri']['config']; + } else { + $reverse_maps = array(); } if (is_array($config['installedpackages']['squidreverseredir'])) { $reverse_redir = $config['installedpackages']['squidreverseredir']['config']; + } else { + $reverse_redir = array(); } $conf = "# Reverse Proxy settings\n"; - if (isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { - $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); + if (isset($settings['reverse_ssl_cert']) && $settings['reverse_ssl_cert'] != "none") { + $svr_cert = lookup_cert($settings['reverse_ssl_cert']); if ($svr_cert != false) { if (base64_decode($svr_cert['crt'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", sq_text_area_decode($svr_cert['crt'])); - $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt", sq_text_area_decode($svr_cert['crt'])); + $reverse_crt = SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt"; } if (base64_decode($svr_cert['prv'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", sq_text_area_decode($svr_cert['prv'])); - $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.key", sq_text_area_decode($svr_cert['prv'])); + $reverse_key = SQUID_CONFBASE . 
"/{$settings['reverse_ssl_cert']}.key"; } } } if (!empty($settings['reverse_int_ca'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX); + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_cert']}.crt", "\n" . sq_text_area_decode($settings['reverse_int_ca']), FILE_APPEND | LOCK_EX); + } + + if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on") { + if (isset($settings['reverse_ssl_clientca']) && $settings['reverse_ssl_clientca'] != 'none') { + $clientca_cert = lookup_ca($settings['reverse_ssl_clientca']); + $clientca_opts = ''; + if ($clientca_cert != false) { + if (base64_decode($clientca_cert['crt'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", sq_text_area_decode($clientca_cert['prv'])); + $clientca_opts = "clientca=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt"; + } + if (base64_decode($clientca_cert['prv'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", "\n" . sq_text_area_decode($clientca_cert['crt']), FILE_APPEND | LOCK_EX); + } + } + } + if (isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') { + $crl = lookup_crl($settings['reverse_ssl_clientcrl']); + crl_update($crl); + if ($crl != false) { + if (base64_decode($crl['text'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text'])); + $clientca_opts .= " crlfile=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl sslflags=VERIFY_CRL"; + } + } + } } $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); // set HTTP port and defsite - $http_port = (empty($settings['reverse_http_port']) ? "80" : $settings['reverse_http_port']); + $http_port = (!is_port($settings['reverse_http_port']) ? 
"80" : $settings['reverse_http_port']); $http_defsite = (empty($settings['reverse_http_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_http_defsite']); // set HTTPS port and defsite - $https_port = (empty($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']); + $https_port = (!is_port($settings['reverse_https_port']) ? "443" : $settings['reverse_https_port']); $https_defsite = (empty($settings['reverse_https_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_https_defsite']); + // Ignore Internal Certificate Validation + $sslflags = ($settings['reverse_ignore_ssl_valid'] == "on" ? "sslflags=DONT_VERIFY_PEER" : ""); + foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if ($real_ifaces[$i][0]) { @@ -92,7 +130,7 @@ function squid_resync_reverse() { } //HTTPS if (!empty($settings['reverse_https'])) { - $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} {$clientca_opts} defaultsite={$https_defsite} vhost\n"; } } } 
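Review bot: The new client-CA block writes the wrong field — `file_put_contents(... .crt, sq_text_area_decode($clientca_cert['prv']))` puts the CA's private key into the file later passed as `clientca=`, and only appends the actual certificate in the second branch when a private key exists, so an imported CA with no `prv` yields an empty `clientca=` file and an internal CA leaks its key into the Squid config directory. Squid only needs the CA certificate to verify client certificates; write `crt` and drop the `prv` branch entirely. `$clientca_opts` is also only initialised inside the `reverse_check_clientca == "on"` branch yet is interpolated unconditionally on the `https_port` line below, so initialise it before the `if`. squid_resync_reverse() starts before this hunk.
```php
$clientca_opts = '';
if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on") {
    if (isset($settings['reverse_ssl_clientca']) && $settings['reverse_ssl_clientca'] != 'none') {
        $clientca_cert = lookup_ca($settings['reverse_ssl_clientca']);
        // Squid only needs the CA *certificate* to verify client certs; the CA private key must never be written here
        if ($clientca_cert != false && base64_decode($clientca_cert['crt'])) {
            file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt", sq_text_area_decode($clientca_cert['crt']));
            $clientca_opts = "clientca=" . SQUID_CONFBASE . "/{$settings['reverse_ssl_clientca']}.crt";
        }
    }
    // … unchanged: CRL handling …
}
```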
@@ -112,13 +150,13 @@ function squid_resync_reverse() { } // peers - if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { + if ($settings['reverse_owa'] == 'on') { if (!empty($settings['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip'])); $casnr = 0; foreach ($reverse_owa_ip as $reowaip) { $casnr++; - $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n"; + $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl {$sslflags} front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n"; $conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n"; } } @@ -131,7 +169,7 @@ function squid_resync_reverse() { $conf_peer = "#{$rp['description']}\n"; $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin "; if ($rp['protocol'] == 'HTTPS') { - $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf_peer .= "ssl {$sslflags} front-end-https=auto "; } $conf_peer .= "name=rvp_{$rp['name']}\n\n"; @@ -259,7 +297,7 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } - $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; + $conf .= $cache_peer_allow_conf . $cache_peer_deny_conf . $cache_peer_never_direct_conf . $http_access_conf . "\n"; if (!empty($settings['deny_info_tcp_reset'])) { $conf .= "deny_info TCP_RESET allsrc\n"; 
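Review bot: Making `sslflags=DONT_VERIFY_PEER` conditional is the right fix, but when the option is unchecked the generated `cache_peer ... ssl` line carries no `sslcafile=`/`sslcapath=` or `ssldomain=`, so as far as I can tell Squid can only verify backends whose certificate chains to a CA in OpenSSL's default store and whose name matches the configured peer IP — typical internal OWA/CAS backends will fail the handshake with no way to supply their CA here. A comment above the `$sslflags` assignment should say so, e.g. `// Without DONT_VERIFY_PEER, Squid validates the backend certificate against the system CA store only; no sslcafile= is generated yet`, and a follow-up could expose a backend CA field. Also `$settings['reverse_ignore_ssl_valid'] == "on"` reads an index that may be unset; `!empty(...)` is safer. squid_resync_reverse() continues outside this hunk.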
@@ -268,6 +306,27 @@ function squid_resync_reverse() { return $conf; } +/* Refresh Client Certificate Revocation List */ +function squid_refresh_crl() { + global $config; + + if (is_array($config['installedpackages']['squidreversegeneral'])) { + $settings = $config['installedpackages']['squidreversegeneral']['config'][0]; + } else { + $settings = array(); + } + + if (isset($settings['reverse_check_clientca']) && $settings['reverse_check_clientca'] == "on" && isset($settings['reverse_ssl_clientcrl']) && $settings['reverse_ssl_clientcrl'] != 'none') { + $crl = lookup_crl($settings['reverse_ssl_clientcrl']); + crl_update($crl); + if ($crl != false) { + if (base64_decode($crl['text'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings['reverse_ssl_clientcrl']}.crl", sq_text_area_decode($crl['text'])); + } + } + } +} + /* Migrate reverse proxy configuration from old Squid package versions */ function squid_reverse_upgrade_config() { global $config; 
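Review bot: `crl_update($crl)` is called before the `$crl != false` check, so a stale or unselected CRL ref hands `false` to crl_update(); move the call inside the guard, `if ($crl != false) { crl_update($crl); if (base64_decode($crl['text'])) { ... } }`, and apply the same order to the duplicate block in squid_resync_reverse(). Writing the new `.crl` file alone presumably does not affect the running daemon until it re-reads its configuration, so the function (or its caller) should trigger a reconfigure or the docstring should state that it only refreshes the file on disk. A header comment such as `/* Regenerate the client CRL file used by https_port crlfile=; Squid must reconfigure before it takes effect */` would make that explicit.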
@@ -325,51 +384,84 @@ function squid_reverse_upgrade_config() { function squid_validate_reverse($post, &$input_errors) { global $config; + /* Manually refresh client CRL */ + if ($post['refresh_crl'] == 'Refresh CRL') { + log_error("[squid] Client Certificate Revocation List refresh forced via GUI. Refreshing now..."); + squid_refresh_crl(); + } + + if ($post['reverse_http'] == 'on' || $post['reverse_https'] == 'on') { + if ($post['reverse_interface'] == '') { + $input_errors[] = "You must select at least one interface under 'Reverse Proxy Interface(s)' to enable HTTP Reverse Proxy."; + } + $fqdn = trim($post['reverse_external_fqdn']); + if (empty($fqdn) || !is_domain($fqdn)) { + $input_errors[] = "'External FQDN' field must contain a valid domain name."; + } + unset($fqdn); + } + if (!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) { - $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid."; + if (!is_ipaddr_configured(trim($reip))) { + $input_errors[] = "You must enter a valid, locally configured IP address in the 'User Defined Reverse Proxy IPs' field. 
'$reip' is invalid."; } } + unset($reverse_ip); } - $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) { - $input_errors[] = "'External FQDN' field must contain a valid domain name."; + if ($post['reverse_http'] == 'on') { + $port = trim($post['reverse_http_port']); + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!is_port($port)) { + $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; + } + if (is_port($port) && $port <= $portrange[1]) { + $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon."; + } + unset($port, $portrange); } - $port = trim($post['reverse_http_port']); - preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); - if (!empty($port) && !is_port($port)) { - $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; - } - if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; - } - $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) { - $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; - } - if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl 
value to 0 in system tunable options and restart Squid daemon."; - } - if ($post['reverse_ssl_cert'] == 'none') { - $input_errors[] = 'A valid certificate for the external interface must be selected'; - } + if ($post['reverse_https'] == 'on') { + $port = trim($post['reverse_https_port']); + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!is_port($port)) { + $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; + } + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { + $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in System: Advanced: System Tunables and restart Squid daemon."; + } + unset($port, $portrange); + + if ($post['reverse_ssl_cert'] == 'none') { + $input_errors[] = "A valid certificate for the external interface must be selected when 'HTTPS Reverse Proxy' is enabled."; + } - if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { - $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + if ($post['reverse_check_clientca'] == 'on') { + if ($post['reverse_ssl_clientca'] == 'none') { + $input_errors[] = "A valid 'Client Certificate CA' must be selected when 'Check Client Certificate' is enabled"; + } + } } - if (!empty($post['reverse_owa_ip'])) { - $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); - foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) { - $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. 
'$reowaip' is invalid."; + if ($post['reverse_owa'] == 'on') { + if ($post['reverse_https'] != 'on') { + $input_errors[] = "You have to enable HTTPS Reverse Proxy to enable OWA support."; + } + + if (!empty($post['reverse_owa_ip'])) { + $reowaips = explode(";", ($post['reverse_owa_ip'])); + foreach ($reowaips as $reowaip) { + if (!is_ipaddr(trim($reowaip))) { + $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA Frontend IP Address(es)' field. '$reowaip' is invalid."; + } } + unset($reowaips); + } else { + $input_errors[] = "You must enter at least one valid IP address in the 'CAS-Array / OWA Frontend IP Address(es)' field."; } } @@ -388,7 +480,9 @@ function squid_validate_reverse($post, &$input_errors) { $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration."; } } + unset($cfg, $defs); } + unset($contents); } ?> -- cgit v1.2.3 From 42ac21d898e0d2f87b149b6d49d9a91c95f2450e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 27 Nov 2015 22:05:50 +0100 Subject: Add client cert auth option, fix input validations, improve descriptions --- config/squid3/34/squid_reverse_general.xml | 84 ++++++++++++++++++++++-------- 1 file changed, 62 insertions(+), 22 deletions(-) diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml index 90babcd0..def3b55c 100755 --- a/config/squid3/34/squid_reverse_general.xml +++ b/config/squid3/34/squid_reverse_general.xml @@ -42,7 +42,7 @@ ]]> squidreversegeneral - 0.3.8 + 0.4.5 Reverse Proxy Server: General /usr/local/pkg/squid.inc @@ -78,16 +78,18 @@ listtopic - Reverse Proxy Interface + Reverse Proxy Interface(s) reverse_interface - Use CTRL + click to select multiple interfaces. + The interface(s) the reverse-proxy server will bind to (usually WAN).
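Review bot: Validation never checks that the selected 'Client Certificate Revocation List' was issued by the selected 'Client Certificate CA', even though the new GUI text says the two must match; a CRL from another CA silently produces a `crlfile=` that revokes nothing. Add the check next to the `reverse_ssl_clientca == 'none'` test (pfSense CRL records presumably carry the issuing CA under `caref` — confirm against certs.inc). The HTTPS branch also keeps a redundant `!empty($port) &&` that the HTTP branch dropped; make them identical. squid_validate_reverse() continues outside this hunk.
```php
if ($post['reverse_check_clientca'] == 'on') {
    if ($post['reverse_ssl_clientca'] == 'none') {
        $input_errors[] = "A valid 'Client Certificate CA' must be selected when 'Check Client Certificate' is enabled";
    } elseif (!empty($post['reverse_ssl_clientcrl']) && $post['reverse_ssl_clientcrl'] != 'none') {
        // A CRL is only meaningful if it was issued by the selected client CA
        $crl = lookup_crl($post['reverse_ssl_clientcrl']);
        if ($crl === false || $crl['caref'] != $post['reverse_ssl_clientca']) {
            $input_errors[] = "The selected 'Client Certificate Revocation List' does not belong to the selected 'Client Certificate CA'.";
        }
        unset($crl);
    }
}
```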
+ Use CTRL + click to select multiple interfaces.

+ Important:
+ To use Squid as a reverse proxy ONLY: After saving configuration here, you must tick the 'Enable Squid Proxy' checkbox under Services - Squid Proxy Server - General and click Save there.
+ To disable the reverse proxy ONLY (without disabling Squid completely): Unselect all 'Reverse Proxy Interface(s)', uncheck both 'Enable HTTP Reverse Proxy' and 'Enable HTTPS Reverse Proxy' below and click Save. ]]>
interfaces_selection - wan
@@ -97,7 +99,8 @@ - Note: Separate entries by semi-colons (;) + Note: Separate entries by semi-colons (;)

+ Important: Any entry here must be a valid, locally configured IP address. ]]>
input @@ -108,7 +111,6 @@ reverse_external_fqdn The external fully qualified domain name of the WAN IP address. input - 70 @@ -123,17 +125,16 @@ listtopic - Enable HTTP Reverse Mode + Enable HTTP Reverse Proxy reverse_http - Note: You must add a proper firewall rule with destination 'WAN Address'. + Important: You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address. ]]> checkbox reverse_http_port,reverse_http_defsite - off @@ -141,7 +142,7 @@ reverse_http_port + This is the port the HTTP reverse proxy will listen on.
Default: 80 ]]>
@@ -159,7 +160,7 @@ ]]> input - 60 + 70
Squid Reverse HTTPS Settings @@ -171,12 +172,11 @@ - Note: You must add a proper firewall rule with destination 'WAN Address'. + Important: You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address. ]]> checkbox - reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain - + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_check_clientca,reverse_owa off @@ -184,7 +184,7 @@ reverse_https_port + This is the port the HTTPS reverse proxy will listen on.
Default: 443 ]]>
@@ -198,20 +198,22 @@ - Note: Leave empty to use 'External FQDN' value specified above. + Note: Leave empty to use 'External FQDN' value specified in 'Squid Reverse Proxy General Settings'. ]]> input - 60 + 70
Reverse SSL Certificate reverse_ssl_cert Choose the SSL Server Certificate here. select_source - $config['cert'] + descr refid + none + none Intermediate CA Certificate (If Needed) @@ -233,6 +235,43 @@ checkbox on + + Check Client Certificate + reverse_check_clientca + If checked, clients need a client certificate to authenticate. + checkbox + off + + + Client Certificate CA + reverse_ssl_clientca + Choose the CA used to issue client authentication certificates. + select_source + + descr + refid + none + none + + + Client Certificate Revocation List + reverse_ssl_clientcrl + + + Note: This must match the 'Client Certificate CA' selected above!

+ Important: After updating the CRL in System - Cert Manager - Certificate Revocation, remember to press the 'Refresh CRL' button below.
+ Otherwise, the updated CRL will not have any effect on Squid reverse proxy users!

+ + ]]> +
+ select_source + + descr + refid + none + none +
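Review bot: The context line `checkbox on` just above the new 'Check Client Certificate' field appears to be the default for 'Ignore Internal Certificate Validation', which means that now that the option actually works, upstream TLS verification stays disabled unless the admin opts in; the field description should state that plainly, e.g. `Important: When checked (default), certificates presented by backend servers are NOT verified.` The 'Check Client Certificate' description "clients need a client certificate to authenticate" should also note that revocation only takes effect after the CRL is refreshed and Squid reloads its configuration, rather than leaving that to the CRL field's note alone.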
OWA Reverse Proxy General Settings listtopic @@ -245,12 +284,12 @@ reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover - CAS-Array / OWA Frontend IP Address + CAS-Array / OWA Frontend IP Address(es) reverse_owa_ip - Note: Separate entries by semi-colons (;) + Note: Separate entries by semi-colons (;) ]]> input @@ -305,7 +344,8 @@ -- cgit v1.2.3 From a21e09c9215a40d3de738ba7f3fa87209eb949e8 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 27 Nov 2015 23:06:49 +0100 Subject: Fix input validations, improve descriptions --- config/squid3/34/squid.xml | 74 ++++++++++++++++++++++++++-------------------- 1 file changed, 42 insertions(+), 32 deletions(-) diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 28326d7f..903ae694 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -42,7 +42,7 @@ ]]> squid - 0.4.0 + 0.4.5 Proxy Server: General Settings /usr/local/pkg/squid.inc @@ -254,7 +254,7 @@ - Note: If unchecked, all Squid services will be disabled and stopped.
+ Note: If unchecked, ALL Squid services will be disabled and stopped. ]]>
checkbox @@ -277,21 +277,24 @@ - Note: Use CTRL + click to select multiple interfaces. + Note: Use CTRL + click to select multiple interfaces. ]]> interfaces_selection - lan Proxy Port proxy_port - This is the port the proxy server will listen on. + + + (Default: 3128) + ]]> + input 5 - 3128 @@ -386,11 +389,10 @@ - Note: Use CTRL + click to select multiple interfaces. + Note: Use CTRL + click to select multiple interfaces. ]]> interfaces_selection - lan @@ -410,7 +412,7 @@ source IPs, CIDR nets, hostnames, or aliases through the proxy server but let it pass directly through the firewall. - (Applies only to transparent mode.)

+ (Applies only to transparent mode.)
Note: Separate entries by semi-colons (;) ]]>
@@ -422,8 +424,8 @@ defined_ip_proxy_off_dest destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall.
- (Applies only to transparent mode.)

+ Do not proxy traffic going to these destination IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. + (Applies only to transparent mode.)
Note: Separate entries by semi-colons (;) ]]>
@@ -435,7 +437,7 @@ listtopic - HTTPS/SSL interception + HTTPS/SSL Interception ssl_proxy Enable SSL filtering. checkbox @@ -447,18 +449,22 @@ - Note: Use CTRL + click to select multiple interfaces. + Note: Use CTRL + click to select multiple interfaces. ]]> interfaces_selection - lan SSL Proxy port ssl_proxy_port - This is the port the proxy server will listen on to intercept SSL while using transparent proxy. + + + (Default: 3129) + ]]> + input 5 3129 @@ -514,7 +520,7 @@ - Hint: Set the subject CN - see fake certificate properties documentation for details. + Hint: Set the subject CN - see fake certificate properties documentation for details. ]]> select @@ -564,6 +570,25 @@ input 5 + + Log Pages Denied by SquidGuard + log_sqd + + + Note: This option will only work if you include the code below in your sgerror.php file.
+ This forces the client browser to send a second request to Squid with the denied string in URL.

+ $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");
+ $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';

+ Hint: You MUST remove extra spaces in the above iframe HTML tags. + ]]> +
+ checkbox +
+ + Headers Handling, Language and Other Customizations + listtopic + Visible Hostname visible_hostname @@ -662,21 +687,6 @@ If not set, Squid will include a Via header in requests and replies as required by RFC2616. checkbox - - Log Pages Denied by SquidGuard - log_sqd - - - Note: This option will only work if you include the code below in your sgerror.php file.
- This forces the client browser to send a second request to Squid with the denied string in URL.

- $sge_prefix = (preg_match("/\?/", $cl['u']) ? "&" : "?");
- $str[] = '< iframe > src="'. $cl['u'] . $sge_prefix . 'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';

- Hint: You MUST remove extra spaces in the above iframe HTML tags. - ]]> -
- checkbox -
URI Whitespace Characters Handling uri_whitespace @@ -710,7 +720,7 @@ custom_options textarea -- cgit v1.2.3 From 39ff3c94637f2d38e6b1a68104a194ee2402df30 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 10:45:39 +0100 Subject: Add a function to check whether Squid reverse proxy is enabled To be used in squid.inc's squid_enabled() --- config/squid3/34/squid_reverse.inc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index 15217a33..559c9d5b 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -327,6 +327,25 @@ function squid_refresh_crl() { } } +/* Check whether Squid reverse proxy is enabled */ +function squid_reverse_enabled() { + global $config, $reverse_proxy_enabled; + $reverse_proxy_enabled = false; + + if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { + // check whether HTTP or HTTPS reverse proxy is enabled ... + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_http'] == "on" || + $config['installedpackages']['squidreversegeneral']['config'][0]['reverse_https'] == "on") { + // ... and has at least one reverse interface configured + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { + $reverse_proxy_enabled = true; + } + } + } + + return $reverse_proxy_enabled; +} + /* Migrate reverse proxy configuration from old Squid package versions */ function squid_reverse_upgrade_config() { global $config; -- cgit v1.2.3 From 574df7719c4ce38555128110c64b146b93832b61 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 19:16:42 +0100 Subject: Hide loopback from interface selection in places where it makes no sense Also, make it possible to deselect CA from SSL/MITM. --- config/squid3/34/squid.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
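Review bot: squid_reverse_enabled() declares `global $reverse_proxy_enabled` and writes it as a side effect although the function already returns the value and nothing in this hunk reads the global; keep it a plain local, `$reverse_proxy_enabled = false;` with only `global $config;`. The repeated `$config['installedpackages']['squidreversegeneral']['config'][0]` lookups would read better hoisted into one `$settings` variable, matching the pattern used in squid_refresh_crl() above. A one-line header such as `/* True when HTTP or HTTPS reverse proxy is enabled and at least one reverse interface is selected */` would document the contract.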
diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 903ae694..2fd1e287 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -381,7 +381,7 @@ ]]> checkbox - transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest + transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest,ssl_proxy Transparent Proxy Interface(s) @@ -394,6 +394,7 @@ interfaces_selection lan + loopback @@ -454,6 +455,7 @@ interfaces_selection lan + loopback @@ -483,6 +485,8 @@ descr refid + none + none SSL Certificate Deamon Children -- cgit v1.2.3 From 7503dd1b4eaaffbd203652835e171ae5e810b3e5 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 21:08:42 +0100 Subject: Add lots of input validations to sanitize configuration, plus other fixes - Allow reverse proxy to be used without running normal Squid proxy - Force users to select at least one proxy or reverse proxy interface when enabling Squid (unless reverse proxy is enabled) - Only allow to configure transparent proxy on interfaces where Squid is actually running (never had any effect otherwise anyway) - Only allow to configure HTTPS/SSL Interception on interfaces where transparent proxy is enabled (never had any effect otherwise anyway) - Do not add loopback interface twice when transparent proxy is enabled and loopback is selected in Proxy Interface(s) - Avoid adding empty localnet ACL - Fix HTTPS proxy default port - Some code style fixes and cleanups --- config/squid3/34/squid.inc | 159 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 121 insertions(+), 38 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index aab4d134..763fe34c 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -66,7 +66,7 @@ define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid'); define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf'); define('SQUID_ACLDIR', '/var/squid/acl'); define('SQUID_PASSWD', '/var/etc/squid.passwd'); -define('SQUID_SSL_DB','/var/squid/lib/ssl_db'); +define('SQUID_SSL_DB', '/var/squid/lib/ssl_db'); $valid_acls = array(); @@ -148,15 +148,11 @@ function squid_enabled() { // check whether Squid is enabled ... if ($config['installedpackages']['squid']['config'][0]['enable_squid'] == "on") { // ... and has at least one interface configured ... - if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { + if (!empty($config['installedpackages']['squid']['config'][0]['active_interface'])) { + $proxy_enabled = true; + // ... or whether Squid reverse proxy is enabled + } elseif (squid_reverse_enabled()) { $proxy_enabled = true; - } else { - // ... or has at least one reverse interface configured - if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { - $proxy_enabled = true; - } - } } } } 
@@ -724,16 +720,27 @@ function squid_validate_general($post, &$input_errors) { // force users to configure cache if (!is_array($config['installedpackages']['squidcache']['config'])) { - $input_errors[] = 'Please, configure and save \'Local Cache\' settings first.'; + $input_errors[] = "Please, configure and save 'Local Cache' settings first."; } - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $port = $post['proxy_port'] ? $post['proxy_port'] : $port; + // force users to select at least one proxy or reverse proxy interface when enabling Squid + if ($post['enable_squid'] == "on") { + // if reverse proxy is configured, perhaps the user wants to use the reverse proxy features only + if (!squid_reverse_enabled()) { + if (empty($post['active_interface'])) { + $input_errors[] = "You must select at least one interface under 'Proxy Interface(s)' to enable Squid proxy."; + $input_errors[] = "If you intend to use Squid as reverse proxy ONLY, then visit Services: Squid Proxy Server: General, configure and save the reverse proxy settings first."; + } + } else { + log_error("[squid] Enabled as reverse proxy ONLY. If this is not what you intended, visit Services: Squid Proxy Server: General and configure proxy interfaces."); + } + } $icp_port = trim($post['icp_port']); if (!empty($icp_port) && !is_port($icp_port)) { - $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field.'; + $input_errors[] = "You must enter a valid port number in the 'ICP port' field."; } + unset($icp_port); if (substr($post['log_dir'], -1, 1) == '/') { $input_errors[] = 'Log location must not end with a / character.'; 
@@ -748,26 +755,66 @@ function squid_validate_general($post, &$input_errors) { } $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) { $input_errors[] = "You must enter a valid number of days in the 'Log rotate' field."; } + unset($log_rotate); + // check that the proxy port does not clash with WebGUI + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? $post['proxy_port'] : $port; $webgui_port = $config['system']['webgui']['port']; - if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { $webgui_port = 80; } if (($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { $webgui_port = 443; } - if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { $input_errors[] = "You can not run Squid on the same port as the pfSense WebGUI"; } + unset($port, $webgui_port); + + if ($post['transparent_proxy'] == 'on') { + if (empty($post['transparent_active_interface'])) { + $input_errors[] = "You must select at least one interface under 'Transparent Proxy Interface(s)' when 'Transparent HTTP Proxy' is enabled."; + } else { + // allow transparent proxy only on interfaces where Squid is actually running to keep configuration sane + $a_ifaces = $post['active_interface'] ?: array(); + $t_ifaces = $post['transparent_active_interface']; + foreach ($t_ifaces as $t_iface) { + if (!in_array($t_iface, $a_ifaces)) { + $err_iface = convert_friendly_interface_to_friendly_descr($t_iface); + $input_errors[] = "'Transparent Proxy Interface(s)' may only contain interfaces also selected in 'Proxy Interface(s)' above. 
'{$err_iface}' is not valid."; + unset($err_iface); + } + } + unset($a_ifaces, $t_iface, $t_ifaces); + } + } - if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) { - $input_errors[] = "SSL interception cannot be enabled without a CA."; + if ($post['ssl_proxy'] == 'on') { + if ($post['transparent_proxy'] != 'on') { + $input_errors[] = "SSL interception cannot be enabled without enabling 'Transparent HTTP Proxy'."; + } + if ($post['dca'] == 'none') { + $input_errors[] = "SSL interception cannot be enabled without a CA."; + } + if (empty($post['ssl_active_interface'])) { + $input_errors[] = "You must select at least one interface under 'SSL Intercept Interface(s)' when 'HTTPS/SSL Interception' is enabled."; + } else { + // allow HTTPS/SSL Interception only on interfaces where transparent proxy is enabled + $t_ifaces = $post['transparent_active_interface'] ?: array(); + $s_ifaces = $post['ssl_active_interface']; + foreach ($s_ifaces as $s_iface) { + if (!in_array($s_iface, $t_ifaces)) { + $err_iface = convert_friendly_interface_to_friendly_descr($s_iface); + $input_errors[] = "'SSL Intercept Interface(s)' may only contain interfaces also selected in 'Transparent Proxy Interface(s)' above. '{$err_iface}' is not valid."; + unset($err_iface); + } + } + unset($t_ifaces, $s_ifaces, $s_iface); + } } foreach (array('defined_ip_proxy_off') as $hosts) { @@ -778,6 +825,8 @@ function squid_validate_general($post, &$input_errors) { } } } + unset($host, $hosts); + foreach (array('defined_ip_proxy_off_dest') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); @@ -786,6 +835,7 @@ function squid_validate_general($post, &$input_errors) { } } } + unset($host, $hosts); if (!empty($post['dns_nameservers'])) { $altdns = explode(";", ($post['dns_nameservers'])); @@ -796,6 +846,7 @@ function squid_validate_general($post, &$input_errors) { } } } + unset($altdns, $dnssrv); } /* Proxy Server: Remote Proxy Settings input validation */ 
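Review bot: The SSL interception CA check was changed from `$post['dca'] == ''` to `$post['dca'] == 'none'`, so a submission that posts an empty `dca` (no CA option rendered, or an older form) now passes validation and SSL interception is enabled without a CA; use `if (empty($post['dca']) || $post['dca'] == 'none')`. The `in_array($t_iface, $a_ifaces)` and `in_array($s_iface, $t_ifaces)` calls should pass `true` as the third argument since interface names are strings compared loosely otherwise. squid_validate_general() starts and ends outside this hunk.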
@@ -823,6 +874,7 @@ function squid_validate_upstream($post, &$input_errors) { } } } + unset($port); } /* Proxy Server: Cache Management input validation */ @@ -846,17 +898,20 @@ function squid_validate_cache($post, &$input_errors) { $input_errors[] = "You must enter a valid value for '$field'."; } } + unset($num_fields); $value = trim($post['minimum_object_size']); if (!is_numericint($value)) { $input_errors[] = "You must enter a valid value for 'Minimum object size'."; } + unset($value); if (!empty($post['cache_swap_low'])) { $value = trim($post['cache_swap_low']); if (!is_numericint($value) || ($value > 100)) { $input_errors[] = "You must enter a valid value for 'Low-water-mark'."; } + unset($value); } if (!empty($post['cache_swap_high'])) { @@ -864,6 +919,7 @@ function squid_validate_cache($post, &$input_errors) { if (!is_numericint($value) || ($value > 100)) { $input_errors[] = "You must enter a valid value for 'High-water-mark'."; } + unset($value); } if ($post['donotcache'] != "") { @@ -873,6 +929,7 @@ function squid_validate_cache($post, &$input_errors) { $input_errors[] = "The host '$host' is not a valid IP or hostname."; } } + unset($host); } if (substr($post['harddisk_cache_location'], -1, 1) == '/') { @@ -897,6 +954,7 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "'Allowed Subnets' must be a valid CIDR range or 'all'. The subnet '$subnet' is not valid."; } } + unset($allowed_subnets); foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) { if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $_POST[$hosts], $matches)) { @@ -921,6 +979,7 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "'$mac' is not a valid MAC address."; } } + unset($mac); } foreach (explode(",", $post['timelist']) as $time) { 
@@ -929,6 +988,7 @@ function squid_validate_nac($post, &$input_errors) { $input_errors[] = "The time range '$time' is not a valid time range."; } } + unset($time); if (!empty($post['ext_cachemanager'])) { $extmgr = explode(";", ($post['ext_cachemanager'])); @@ -938,6 +998,7 @@ function squid_validate_nac($post, &$input_errors) { } } } + unset($extmgr); } /* Proxy server: Traffic Management input validation */ @@ -955,6 +1016,7 @@ function squid_validate_traffic($post, &$input_errors) { $input_errors[] = "The '$name' field must contain a positive integer."; } } + unset($num_fields); if (!empty($post['quick_abort_min'])) { $value = trim($post['quick_abort_min']); @@ -982,6 +1044,7 @@ function squid_validate_traffic($post, &$input_errors) { if ($post['throttle_binaries'] == "" && $post['throttle_cdimages'] == "" && $post['throttle_multimedia'] == "" && $others == "") { $input_errors[] = "'Throttle Only Specific Extensions' enabled but no extensions specified. Select some options under 'Squid Transfer Extension Settings' or disable this option."; } + unset($others); } } @@ -999,6 +1062,7 @@ function squid_validate_auth($post, &$input_errors) { $input_errors[] = "The '{$field[1]}' field must contain a valid number greater than {$field[2]}"; } } + unset($num_fields); $auth_method = $post['auth_method']; if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { @@ -1046,6 +1110,7 @@ function squid_validate_auth($post, &$input_errors) { } } } + unset($auth_method, $port, $server, $secret, $user); } /* Proxy Server: General Settings configuration handler */ @@ -1108,7 +1173,7 @@ function squid_resync_general() { } } $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); + $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3129); // Read assigned interfaces $real_ifaces = array(); 
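Review bot: The fallback `3129` in the @@ -1108 hunk is a bare literal that is repeated in squid_resync_nac (@@ -1411) and squid_generate_rules (@@ -1984), alongside `3128`, which also appears in squid_validate_general (@@ -748); the fact this commit had to correct `3127` in several places shows the risk of the duplication. Define the defaults once next to the other package constants, e.g. `define('SQUID_DEFAULT_PORT', 3128); define('SQUID_DEFAULT_SSL_PORT', 3129);`, and reference them in each fallback so the UI, validation and config generation cannot drift again. squid_resync_general's body begins and ends outside this hunk.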
@@ -1116,7 +1181,7 @@ function squid_resync_general() { if ($settings['active_interface']) { $proxy_ifaces = explode(",", $settings['active_interface']); } else { - $proxy_ifaces = array("lan"); + $proxy_ifaces = array(); } if ($settings['transparent_proxy'] == "on") { @@ -1136,7 +1201,7 @@ function squid_resync_general() { foreach ($ssl_ifaces as $s_iface) { $s_iface_ip = squid_get_real_interface_address($s_iface); if ($s_iface_ip[0]) { - $real_ifaces[]=$s_iface_ip; + $real_ifaces[] = $s_iface_ip; } } } else { @@ -1147,11 +1212,16 @@ function squid_resync_general() { foreach ($proxy_ifaces as $iface) { $iface_ip = squid_get_real_interface_address($iface); if ($iface_ip[0]) { - $real_ifaces[] = $iface_ip; - if (in_array($iface, $ssl_ifaces)) { - $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; + // do not add loopback twice when transparent proxy is enabled + if ($iface_ip[0] == "127.0.0.1" && $settings['transparent_proxy'] == "on") { + continue; } else { - $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + $real_ifaces[] = $iface_ip; + if (in_array($iface, $ssl_ifaces)) { + $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; + } else { + $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + } } } } @@ -1165,7 +1235,7 @@ function squid_resync_general() { } } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); - $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off" ); + $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off"); $piddir = "{$g['varrun_path']}/squid"; $pidfile = "{$piddir}/squid.pid"; if (!is_dir($piddir)) { @@ -1237,9 +1307,11 @@ EOD; } } } - $conf .= "# Allow local network(s) on interface(s)\n"; - $conf .= "acl localnet src $src\n"; - $valid_acls[] = 'localnet'; + if (!empty($src)) { + $conf .= "# Allow local network(s) on interface(s)\n"; + $conf .= "acl localnet src $src\n"; + $valid_acls[] = 'localnet'; + } } if ($settings['xforward_mode']) { 
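Review bot: In the @@ -1147 hunk the `else` after `continue` is redundant and adds a nesting level to the whole http_port block; drop the `else` and dedent its body. The skip also hard-codes `"127.0.0.1"` and, judging by the comment, presumes that the transparent-proxy branch above the hunk has already emitted the loopback http_port line; a comment naming that dependency, e.g. `// the transparent_proxy branch above already emitted the 127.0.0.1 http_port line`, would make the coupling visible to the next editor. squid_resync_general's body begins and ends outside this hunk.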
@@ -1411,25 +1483,33 @@ function squid_resync_upstream() { function squid_resync_nac() { global $config, $valid_acls; - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); if (is_array($config['installedpackages']['squidnac'])) { $settings = $config['installedpackages']['squidnac']['config'][0]; } else { $settings = array(); } + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $webgui_port = $config['system']['webgui']['port']; $addtl_ports = $settings['addtl_ports']; $addtl_sslports = $settings['addtl_sslports']; - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); + // do not add (default) proxy ports when using Squid as reverse proxy only + if (!empty($squidsettings['active_interface'])) { + $port = $squidsettings['proxy_port'] ? $squidsettings['proxy_port'] : 3128; + $ssl_port = $squidsettings['ssl_proxy_port'] ? $squidsettings['ssl_proxy_port'] : 3129; + } $conf = <<< EOD # Setup some default acls # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. # acl localhost src 127.0.0.1/32 acl allsrc src all -acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports -acl sslports port 443 563 $webgui_port $addtl_sslports +acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 {$webgui_port} {$port} {$ssl_port} 1025-65535 {$addtl_ports} +acl sslports port 443 563 {$webgui_port} {$addtl_sslports} # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. #acl manager proto cache_object 
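Review bot: `$port` and `$ssl_port` are only assigned inside `if (!empty($squidsettings['active_interface']))`, yet the heredoc below interpolates `{$port}` and `{$ssl_port}` unconditionally, so in reverse-proxy-only mode both are undefined variables (PHP notices in the log and empty substitutions in `acl safeports`). Initialise them explicitly before the condition, `$port = ''; $ssl_port = '';`, so the intent of the "reverse proxy only" comment is carried by the code rather than by an undefined-variable fallback. Note also that `$webgui_port` is copied raw from config here, whereas squid_validate_general (@@ -748) substitutes 80/443 when the configured port is empty; an empty value here leaves the WebGUI port out of both `safeports` and `sslports`, so the same fallback is worth applying before the heredoc. squid_resync_nac's body continues past the end of the hunk.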
@@ -1731,9 +1811,9 @@ function squid_resync_auth() { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; } - $conf .= "# Setup allowed acls\n"; + $conf .= "# Setup allowed ACLs\n"; $allowed = array('allowed_subnets'); - if ($settingsconfig['allow_interface'] == 'on') { + if ($settingsconfig['allow_interface'] == 'on' && !empty($settingsconfig['active_interface'])) { $conf .= "# Allow local network(s) on interface(s)\n"; $allowed[] = "localnet"; } @@ -1952,10 +2032,13 @@ function squid_generate_rules($type) { file_put_contents($cp_file, $new_cp_inc, LOCK_EX); } - // do not install any firewall rules if Squid is disabled + // do not install any firewall rules if Squid is disabled or used as reverse proxy only if (!squid_enabled()) { log_error("[squid] Installed but disabled. Not installing '{$type}' rules."); return; + } elseif (empty($squid_conf['active_interface'])) { + log_error("[squid] Configured as reverse proxy only. Not installing '{$type}' rules."); + return; } // normal squid rule check @@ -1984,7 +2067,7 @@ function squid_generate_rules($type) { } $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); - $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127); + $ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3129); $fw_aliases = filter_generate_aliases(); if (strstr($fw_aliases, "pptp =")) { -- cgit v1.2.3 From e358b07541eda0355abb82c72fd466b8d8d516e7 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 21:09:56 +0100 Subject: Bump squid3 package version --- pkg_config.10.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.10.xml b/pkg_config.10.xml index e7c29115..7e39e5e1 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml 
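Review bot: In the @@ -1952 hunk the `elseif` follows a branch that ends in `return`, so it should be a separate `if` with its own `return`; as written two unrelated exit conditions read as one decision. The log text could also state what "reverse proxy only" was inferred from, e.g. `log_error("[squid] No 'Proxy Interface(s)' configured (reverse proxy only). Not installing '{$type}' rules.");`, since an operator who simply forgot to select an interface will otherwise look for a reverse-proxy setting that does not exist. squid_generate_rules' body begins and ends outside this hunk.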
@@ -1089,7 +1089,7 @@ https://forum.pfsense.org/index.php?topic=100167.0 http://www.squid-cache.org/ Services - 0.4.4 + 0.4.5 BETA 2.2 marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org -- cgit v1.2.3 From 76781ee5a131f6f765c0ded64f93ac936f442c01 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 21:25:20 +0100 Subject: Use consistent checks for empty values --- config/squid3/34/squid_reverse.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index 559c9d5b..74aab0a1 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -337,7 +337,7 @@ function squid_reverse_enabled() { if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_http'] == "on" || $config['installedpackages']['squidreversegeneral']['config'][0]['reverse_https'] == "on") { // ... and has at least one reverse interface configured - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { + if (!empty($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'])) { $reverse_proxy_enabled = true; } } @@ -410,7 +410,7 @@ function squid_validate_reverse($post, &$input_errors) { } if ($post['reverse_http'] == 'on' || $post['reverse_https'] == 'on') { - if ($post['reverse_interface'] == '') { + if (empty($post['reverse_interface'])) { $input_errors[] = "You must select at least one interface under 'Reverse Proxy Interface(s)' to enable HTTP Reverse Proxy."; } $fqdn = trim($post['reverse_external_fqdn']); -- cgit v1.2.3 From 0cb82b54b7427254fe8c53be9ce74a0a58b6fa7c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 22:14:16 +0100 Subject: Re-enable SSL/MITM junk even without transparent proxy --- config/squid3/34/squid.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 2fd1e287..82fe44b8 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -381,7 +381,7 @@ ]]> checkbox - transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest,ssl_proxy + transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest Transparent Proxy Interface(s) -- cgit v1.2.3 From 257dc468c1cd5fb045cec6002476747dc3fc8334 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 22:19:06 +0100 Subject: Re-enable SSL/MITM junk even without transparent proxy --- config/squid3/34/squid.inc | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 763fe34c..f5ed51ca 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -794,9 +794,6 @@ function squid_validate_general($post, &$input_errors) { } if ($post['ssl_proxy'] == 'on') { - if ($post['transparent_proxy'] != 'on') { - $input_errors[] = "SSL interception cannot be enabled without enabling 'Transparent HTTP Proxy'."; - } if ($post['dca'] == 'none') { $input_errors[] = "SSL interception cannot be enabled without a CA."; } 
@@ -804,16 +801,16 @@ function squid_validate_general($post, &$input_errors) { $input_errors[] = "You must select at least one interface under 'SSL Intercept Interface(s)' when 'HTTPS/SSL Interception' is enabled."; } else { // allow HTTPS/SSL Interception only on interfaces where transparent proxy is enabled - $t_ifaces = $post['transparent_active_interface'] ?: array(); + $a_ifaces = $post['active_interface'] ?: array(); $s_ifaces = $post['ssl_active_interface']; foreach ($s_ifaces as $s_iface) { - if (!in_array($s_iface, $t_ifaces)) { + if (!in_array($s_iface, $a_ifaces)) { $err_iface = convert_friendly_interface_to_friendly_descr($s_iface); - $input_errors[] = "'SSL Intercept Interface(s)' may only contain interfaces also selected in 'Transparent Proxy Interface(s)' above. '{$err_iface}' is not valid."; + $input_errors[] = "'SSL Intercept Interface(s)' may only contain interfaces also selected in 'Proxy Interface(s)' above. '{$err_iface}' is not valid."; unset($err_iface); } } - unset($t_ifaces, $s_ifaces, $s_iface); + unset($a_ifaces, $s_ifaces, $s_iface); } } -- cgit v1.2.3 From 4efb357cb8079f20bac7612e7656ae2c7cf213e8 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 28 Nov 2015 22:24:08 +0100 Subject: Comment fix --- config/squid3/34/squid.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index f5ed51ca..952d50d8 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -800,7 +800,7 @@ function squid_validate_general($post, &$input_errors) { if (empty($post['ssl_active_interface'])) { $input_errors[] = "You must select at least one interface under 'SSL Intercept Interface(s)' when 'HTTPS/SSL Interception' is enabled."; } else { - // allow HTTPS/SSL Interception only on interfaces where transparent proxy is enabled + // allow HTTPS/SSL Interception only on interfaces where Squid is actually running to keep configuration sane $a_ifaces = $post['active_interface'] ?: array(); $s_ifaces = $post['ssl_active_interface']; foreach ($s_ifaces as $s_iface) { -- cgit v1.2.3 From 90ae6c829adce44d7dccfe7c2acefa5ab5eec265 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 19:01:51 +0100 Subject: Switch ClamAV mirrors order to prefer manually configured mirrors --- config/squid3/34/squid_antivirus.inc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 82768f4b..e22ae039 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -392,14 +392,14 @@ EOF; $freshclam_m[0] = "@#This file was automatically generated by pfSense@"; $freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration"; $clamav_mirrors = ""; - if ($antivirus_config['clamav_dbregion'] != "") { - $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; - } if ($antivirus_config['clamav_dbservers'] != "") { foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; } } + if ($antivirus_config['clamav_dbregion'] != "") { + $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; + } if ($clamav_mirrors != "") { $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; $freshclam_r[1] = "{$clamav_mirrors}"; -- cgit v1.2.3 
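Review bot: In the squid_antivirus.inc @@ -392 hunk each `$dbserver` from `explode(";", $antivirus_config['clamav_dbservers'])` is written into the freshclam configuration verbatim, so a trailing `;` or surrounding whitespace in the setting produces a `DatabaseMirror ` line with an empty or padded host, unless the antivirus input validation already rejects such values (not visible here). Trimming and skipping empty entries at this point is cheap: `$dbserver = trim($dbserver); if ($dbserver === '') { continue; }` before the append. The enclosing function begins and ends outside the hunk.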
From 6da11458664f120004bb9e7367ee6cf5b3dc4be7 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 19:38:22 +0100 Subject: Remove unwanted required tag from enable checkbox --- config/squid3/34/squid_upstream.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml index 14e23216..46f2dfae 100755 --- a/config/squid3/34/squid_upstream.xml +++ b/config/squid3/34/squid_upstream.xml @@ -42,7 +42,7 @@ ]]> squidremote - 0.3.5 + 0.4.5 Proxy Server: Remote Proxy Settings /usr/local/pkg/squid.inc @@ -124,7 +124,6 @@ enable This option enables the proxy server to forward requests to an upstream/neighbor server. checkbox - Hostname -- cgit v1.2.3 From c87c394e3ecd6be1d0ba1eedda950fd9a0ec6a28 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 19:39:54 +0100 Subject: Remove useless required tag --- config/squid3/34/squid_auth.xml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml index 58a0bf12..2c36fcf3 100755 --- a/config/squid3/34/squid_auth.xml +++ b/config/squid3/34/squid_auth.xml @@ -42,7 +42,7 @@ ]]> squidauth - 0.3.5 + 0.4.5 Proxy Server: Authentication /usr/local/pkg/squid.inc @@ -98,7 +98,6 @@ auth_method Select an authentication method. This will allow users to be authenticated by local or external services. select - none -- cgit v1.2.3 From c43b47179d5b8eef38c77a539031e60d9e9b0c7c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 19:45:22 +0100 Subject: Add bunch of required tags to fields --- config/squid3/34/squid_reverse_peer.xml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/config/squid3/34/squid_reverse_peer.xml b/config/squid3/34/squid_reverse_peer.xml index fabc5b92..f5ab7544 100755 --- a/config/squid3/34/squid_reverse_peer.xml +++ b/config/squid3/34/squid_reverse_peer.xml 
@@ -42,7 +42,7 @@ ]]> squidreversepeer - 0.3.5 + 0.4.5 Reverse Proxy Server: Peers /usr/local/pkg/squid.inc @@ -119,7 +119,8 @@ ]]> input - 20 + 30 + Peer IP @@ -131,7 +132,8 @@ ]]> input - 20 + 30 + Peer Port @@ -143,7 +145,8 @@ ]]> input - 20 + 5 + Peer Protocol -- cgit v1.2.3 From 1feda696d8502b5c0ec4293e7b481e977794e16b Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 19:52:55 +0100 Subject: Add bunch of required tags to fields --- config/squid3/34/squid_reverse_uri.xml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_reverse_uri.xml b/config/squid3/34/squid_reverse_uri.xml index 9a493a15..18b5e0e6 100755 --- a/config/squid3/34/squid_reverse_uri.xml +++ b/config/squid3/34/squid_reverse_uri.xml @@ -42,7 +42,7 @@ ]]> squidreverseuri - 0.3.7 + 0.4.5 Reverse Proxy Server: Mappings /usr/local/pkg/squid.inc @@ -112,6 +112,7 @@ input 20 + Group Description @@ -134,7 +135,7 @@ name name - 05 + 5 @@ -154,6 +155,7 @@ uri input 70 + -- cgit v1.2.3 From 7e6a085edb783dec23eafb01ed1e56213d3ce75c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 20:00:57 +0100 Subject: Add bunch of required tags to fields --- config/squid3/34/squid_reverse_redir.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/squid3/34/squid_reverse_redir.xml b/config/squid3/34/squid_reverse_redir.xml index cf5fdb45..3be74353 100755 --- a/config/squid3/34/squid_reverse_redir.xml +++ b/config/squid3/34/squid_reverse_redir.xml @@ -42,7 +42,7 @@ ]]> squidreverseredir - 0.3.7 + 0.4.5 Reverse Proxy Server: Redirects /usr/local/pkg/squid.inc @@ -112,6 +112,7 @@ input 20 + Redirect Description @@ -136,6 +137,7 @@ + @@ -154,6 +156,7 @@ uri input 60 + @@ -168,6 +171,7 @@ input 60 + URL to Redirect To @@ -175,6 +179,7 @@ Enter the URL to redirect to here. input 60 + -- cgit v1.2.3 From 0406d6355aa19f5d28d8ee5dc4a19398a0c22cdf Mon Sep 17 00:00:00 2001 
From: doktornotor Date: Sun, 29 Nov 2015 20:04:27 +0100 Subject: Fix up bunch of required tags for various fields --- config/squid3/34/squid_reverse_sync.xml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml index 1091fce8..ee4b7f84 100755 --- a/config/squid3/34/squid_reverse_sync.xml +++ b/config/squid3/34/squid_reverse_sync.xml @@ -42,7 +42,7 @@ ]]> squidsync - 0.4.2 + 0.4.5 Reverse Proxy Server: XMLRPC Sync /usr/local/pkg/squid.inc @@ -88,7 +88,6 @@ ]]> select - disabled @@ -101,7 +100,6 @@ synctimeout XMLRPC timeout in seconds. select - 250 @@ -139,6 +137,7 @@ input 40 + Port @@ -146,6 +145,7 @@ input 3 + Admin Password @@ -153,6 +153,7 @@ password 20 + -- cgit v1.2.3 From 0ba2a29b68eddd9b8ffa616d1375117c3761100e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 29 Nov 2015 20:06:02 +0100 Subject: Fix up bunch of required tags for various fields --- config/squid3/34/squid_sync.xml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml index a7670ff5..b8b62460 100755 --- a/config/squid3/34/squid_sync.xml +++ b/config/squid3/34/squid_sync.xml @@ -42,7 +42,7 @@ ]]> squidsync - 0.4.2 + 0.4.5 Proxy Server: XMLRPC Sync /usr/local/pkg/squid.inc @@ -104,7 +104,6 @@ ]]> select - disabled @@ -117,7 +116,6 @@ synctimeout XMLRPC timeout in seconds. select - 250 @@ -155,6 +153,7 @@ input 40 + Port @@ -162,6 +161,7 @@ input 3 + Admin Password @@ -169,6 +169,7 @@ password 20 + -- cgit v1.2.3