From 42ac21d898e0d2f87b149b6d49d9a91c95f2450e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 27 Nov 2015 22:05:50 +0100 Subject: Add client cert auth option, fix input validations, improve descriptions --- config/squid3/34/squid_reverse_general.xml | 84 ++++++++++++++++++++++-------- 1 file changed, 62 insertions(+), 22 deletions(-) diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml index 90babcd0..def3b55c 100755 --- a/config/squid3/34/squid_reverse_general.xml +++ b/config/squid3/34/squid_reverse_general.xml @@ -42,7 +42,7 @@ ]]> squidreversegeneral - 0.3.8 + 0.4.5 Reverse Proxy Server: General /usr/local/pkg/squid.inc @@ -78,16 +78,18 @@ listtopic - Reverse Proxy Interface + Reverse Proxy Interface(s) reverse_interface - Use CTRL + click to select multiple interfaces. + The interface(s) the reverse-proxy server will bind to (usually WAN).
+ Use CTRL + click to select multiple interfaces.

+ Important:
+ To use Squid as a reverse proxy ONLY: After saving configuration here, you must tick the 'Enable Squid Proxy' checkbox under Services - Squid Proxy Server - General and click Save there.
+ To disable the reverse proxy ONLY (without disabling Squid completely): Unselect all 'Reverse Proxy Interface(s)', uncheck both 'Enable HTTP Reverse Proxy' and 'Enable HTTPS Reverse Proxy' below and click Save. ]]>
interfaces_selection - wan
@@ -97,7 +99,8 @@ - Note: Separate entries by semi-colons (;) + Note: Separate entries by semi-colons (;)

+ Important: Any entry here must be a valid, locally configured IP address. ]]>
input @@ -108,7 +111,6 @@ reverse_external_fqdn The external fully qualified domain name of the WAN IP address. input - 70 @@ -123,17 +125,16 @@ listtopic - Enable HTTP Reverse Mode + Enable HTTP Reverse Proxy reverse_http - Note: You must add a proper firewall rule with destination 'WAN Address'. + Important: You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address. ]]> checkbox reverse_http_port,reverse_http_defsite - off @@ -141,7 +142,7 @@ reverse_http_port + This is the port the HTTP reverse proxy will listen on.
Default: 80 ]]>
@@ -159,7 +160,7 @@ ]]> input - 60 + 70
Squid Reverse HTTPS Settings @@ -171,12 +172,11 @@ - Note: You must add a proper firewall rule with destination 'WAN Address'. + Important: You must add a proper firewall rule with destination matching the 'Reverse Proxy Interface(s)' address. ]]> checkbox - reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain - + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_check_clientca,reverse_owa off @@ -184,7 +184,7 @@ reverse_https_port + This is the port the HTTPS reverse proxy will listen on.
Default: 443 ]]>
@@ -198,20 +198,22 @@ - Note: Leave empty to use 'External FQDN' value specified above. + Note: Leave empty to use 'External FQDN' value specified in 'Squid Reverse Proxy General Settings'. ]]> input - 60 + 70
Reverse SSL Certificate reverse_ssl_cert Choose the SSL Server Certificate here. select_source - $config['cert'] + descr refid + none + none Intermediate CA Certificate (If Needed) @@ -233,6 +235,43 @@ checkbox on + + Check Client Certificate + reverse_check_clientca + If checked, clients need a client certificate to authenticate. + checkbox + off + + + Client Certificate CA + reverse_ssl_clientca + Choose the CA used to issue client authentication certificates. + select_source + + descr + refid + none + none + + + Client Certificate Revocation List + reverse_ssl_clientcrl + + + Note: This must match the 'Client Certificate CA' selected above!
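Review bot: The 'Reverse SSL Certificate' selector gains two added lines whose value is `none` (the element names are lost in this rendering; they look like a disable value and a default), so a fresh configuration now appears to start with no server certificate selected. Nothing visible in this file stops 'Enable HTTPS Reverse Proxy' from being saved in that state, so the check has to live in squid.inc, which this commit does not change. HTTPS enabled with `reverse_ssl_cert` set to none should be a validation error rather than a listener that fails to start or comes up without the intended certificate. I would also state the requirement in the field description, e.g. `Choose the SSL Server Certificate here. Required when 'Enable HTTPS Reverse Proxy' is checked.`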

+ Important: After updating the CRL in System - Cert Manager - Certificate Revocation, remember to press the 'Refresh CRL' button below.
+ Otherwise, the updated CRL will not have any effect on Squid reverse proxy users!

+ + ]]> +
+ select_source + + descr + refid + none + none +
OWA Reverse Proxy General Settings listtopic @@ -245,12 +284,12 @@ reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover - CAS-Array / OWA Frontend IP Address + CAS-Array / OWA Frontend IP Address(es) reverse_owa_ip - Note: Separate entries by semi-colons (;) + Note: Separate entries by semi-colons (;) ]]> input @@ -305,7 +344,8 @@ -- cgit v1.2.3
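Review bot: The new 'Client Certificate CA' and 'Client Certificate Revocation List' selectors in the `@@ -233,6 +235,43 @@` hunk both accept `none`, so as far as this form shows 'Check Client Certificate' can be ticked with no CA chosen. Whether that fails closed depends on the validation in squid.inc, which this commit does not change; it should reject `reverse_check_clientca` enabled with `reverse_ssl_clientca` set to none, and reject a CRL not issued by the selected CA rather than relying on the 'must match' note in the description. The CRL text also makes revocation depend on someone pressing 'Refresh CRL' by hand, so a revoked client certificate would presumably keep working until then; regenerating the CRL file on every package resync would close that window. The two new selectors are also absent from the HTTPS enable list in the `@@ -171,12 +172,11 @@` hunk, which adds only `reverse_check_clientca`; consider ending that list with `reverse_check_clientca,reverse_ssl_clientca,reverse_ssl_clientcrl,reverse_owa`.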