From 596f04c575f215f26d46293af75e21ab2cae2885 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 00:40:29 +0200 Subject: Do not loop when trying to chown inaccessible directory and log some debug info Some whacky issue with screwed filesystem/permissions reported at https://forum.pfsense.org/index.php?topic=100167.msg559007#msg559007 - cannot get any meaningful info from the guy there. --- config/squid3/34/squid.inc | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 654aeb3c..ae367d3a 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -91,18 +91,22 @@ function squid_chown_recursive($dir, $user, $group) { chown($dir, $user); chgrp($dir, $group); - $handle = opendir($dir) ; - while (($item = readdir($handle)) !== false) { - if (!empty($item) && ($item != ".") && ($item != "..")) { - $path = "{$dir}/{$item}"; - // Recurse unless it's the cache dir, that is slow and rarely necessary. - if (is_dir($path) && (basename($dir) != "cache")) { - squid_chown_recursive($path, $user, $group); - } elseif (is_file($path)) { - chown($path, $user); - chgrp($path, $group); + $handle = opendir($dir); + if ($handle) { + while (($item = readdir($handle)) !== false) { + if (!empty($item) && ($item != ".") && ($item != "..")) { + $path = "{$dir}/{$item}"; + // Recurse unless it's the cache dir, that is slow and rarely necessary. + if (is_dir($path) && (basename($dir) != "cache")) { + squid_chown_recursive($path, $user, $group); + } elseif (is_file($path)) { + chown($path, $user); + chgrp($path, $group); + } } } + } else { + log_error(gettext("Squid squid_chown_recursive call failed; permissions not set for directory: {$dir}")); } } -- cgit v1.2.3 From a2d91f5d0abf8b5c74cd5dd079ca6de79b50f2f3 Mon Sep 17 00:00:00 2001 
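Review bot: The directory handle opened at `$handle = opendir($dir);` is never released, so every recursion level leaks a descriptor until the request ends; add `closedir($handle);` right after the `while` loop inside the `if ($handle)` branch. The new error branch interpolates `{$dir}` inside the gettext() argument, which makes the lookup key differ per directory and can never match a catalog entry; use `log_error(sprintf(gettext("Squid squid_chown_recursive call failed; permissions not set for directory: %s"), $dir));` instead. Two pre-existing points on the new side: `!empty($item)` skips an entry literally named `0`, and `is_dir()`/`chown()` follow symlinks, so a link placed inside the tree redirects the ownership change outside it — an `is_link($path)` skip (or lchown()) keeps the walk confined to `$dir`. The function's signature is visible only in the hunk header; nothing before it is shown.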
From: doktornotor Date: Sat, 3 Oct 2015 01:36:56 +0200 Subject: Sanitize input fields size --- config/squid3/34/squid_auth.xml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml index e2bae945..58a0bf12 100755 --- a/config/squid3/34/squid_auth.xml +++ b/config/squid3/34/squid_auth.xml @@ -127,7 +127,7 @@ ]]> input - 60 + 5 Authentication Prompt @@ -135,6 +135,7 @@ This string will be displayed at the top of the authentication request window. input Please enter your credentials to access the proxy + 60 Authentication Processes -- cgit v1.2.3 From e860d82ac79bdffcd4952f795986b7c149e0545a Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 01:40:44 +0200 Subject: Sanitize input fields size --- config/squid3/34/squid_users.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/squid3/34/squid_users.xml b/config/squid3/34/squid_users.xml index f67db48e..c47395b9 100755 --- a/config/squid3/34/squid_users.xml +++ b/config/squid3/34/squid_users.xml @@ -111,6 +111,7 @@ Enter the username here. input + 20 Password @@ -118,12 +119,14 @@ Enter the password here. password + 20 Description description You may enter a description here for your reference (not parsed). input + 60 -- cgit v1.2.3 From 65e269dfe539f6474e6172863b63c00bb6bd0de3 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 01:43:07 +0200 Subject: Sanitize input fields size --- config/squid3/34/squid_traffic.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/config/squid3/34/squid_traffic.xml b/config/squid3/34/squid_traffic.xml index ac86770f..bd01bbb7 100755 --- a/config/squid3/34/squid_traffic.xml +++ b/config/squid3/34/squid_traffic.xml @@ -217,6 +217,7 @@ quick_abort_max If the transfer has more than x KB remaining, it will abort the retrieval. input + 10 0 -- cgit v1.2.3 From ca31a45195da84f6226007e31c28d334d3722683 Mon Sep 17 00:00:00 2001 
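Review bot: Assuming the added `size` elements are the HTML input width (the XML tags are stripped in this rendering), they change presentation only: nothing in these hunks caps the length the server accepts, so the "Sanitize input fields size" commit subject overstates what changes. If a length limit is wanted for these fields it belongs in the PHP validation (`squid_validate_auth()` and friends), e.g. a `strlen()` check that appends to `$input_errors`. The same applies to the squid_users.xml and squid_traffic.xml hunks that share this line.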
From: doktornotor Date: Sat, 3 Oct 2015 08:57:15 +0200 Subject: Remove no-op and unintended "required" tag from offline mode --- config/squid3/34/squid_cache.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/config/squid3/34/squid_cache.xml b/config/squid3/34/squid_cache.xml index 2045005c..20f62376 100755 --- a/config/squid3/34/squid_cache.xml +++ b/config/squid3/34/squid_cache.xml @@ -168,7 +168,6 @@ ]]> checkbox - External Cache Managers -- cgit v1.2.3 From 4ccc7282f3f3cd1db0a5fc153c03baf824828e6f Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 09:25:12 +0200 Subject: Move javascript helpers to a separate file squid.inc is already huge enough as it is, without bloating it even more. --- config/squid3/34/squid.inc | 200 +-------------------------------------------- 1 file changed, 4 insertions(+), 196 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index ae367d3a..a40dd551 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -41,6 +41,10 @@ require_once('service-utils.inc'); if (!function_exists("filter_configure")) { require_once("filter.inc"); } +/* Squid reverse proxy */ +require_once('/usr/local/pkg/squid_reverse.inc'); +/* Squid javascript helpers */ +require_once('/usr/local/pkg/squid_js.inc'); $shortcut_section = "squid"; @@ -1850,9 +1854,6 @@ function squid_get_server_certs() { return $cert_arr; } -// squid reverse -include('/usr/local/pkg/squid_reverse.inc'); - function squid_resync_auth() { global $config, $valid_acls; $write_config = 0; 
@@ -2318,199 +2319,6 @@ function squid_restart_antivirus() { } } -function squid_print_javascript_auth() { - global $config; - $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); - - // No authentication for transparent proxy - if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { - $javascript = <<< EOD - - -EOD; - } else { - $javascript = <<< EOD - - -EOD; - } - - print($javascript); -} - -function squid_print_javascript_auth2() { - print("\n"); -} - -function squid_print_antivirus_advanced_config() { - $javascript = <<< EOD - - -EOD; - print($javascript); - -} - -function squid_print_antivirus_advanced_config2() { - print('\n'); -} - function squid_generate_rules($type) { global $config, $pfs_version; -- cgit v1.2.3 From 09b9fa1d1482560584ba141c368b6af322cfe14c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 09:42:02 +0200 Subject: Move javascript helpers to a separate file squid.inc is already huge enough as it is, without bloating it even more. --- config/squid3/34/squid_js.inc | 240 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 240 insertions(+) create mode 100644 config/squid3/34/squid_js.inc diff --git a/config/squid3/34/squid_js.inc b/config/squid3/34/squid_js.inc new file mode 100644 index 00000000..9ff5a78a --- /dev/null +++ b/config/squid3/34/squid_js.inc @@ -0,0 +1,240 @@ + +// + + +EOD; + + } else { + + $javascript = <<< EOD + + +EOD; + + } + print($javascript); +} + +function squid_print_javascript_auth2() { + print("\n"); +} + +function squid_print_antivirus_advanced_config() { + + $javascript = <<< EOD + + +EOD; + print($javascript); + +} + +function squid_print_antivirus_advanced_config2() { + print('\n'); +} + +?> -- cgit v1.2.3 From b40de06469bb908689066c3c6f65c62e49663410 Mon Sep 17 00:00:00 2001 
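Review bot: `print('\n');` in the new `squid_print_antivirus_advanced_config2()` is single-quoted, so it emits a literal backslash followed by `n` rather than a newline; its sibling `squid_print_javascript_auth2()` uses `print("\n");`, which is the intended form — change it to `print("\n");`. The heredoc bodies and the opening PHP tag are stripped in this rendering, so the JavaScript content itself cannot be reviewed here. The file ends with a `?>` closing tag; for a PHP-only include it is safer to omit it so stray trailing whitespace cannot be sent to the client before headers are set.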
From: doktornotor Date: Sat, 3 Oct 2015 09:45:11 +0200 Subject: Move javascript helpers to a separate file --- config/squid3/34/squid.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 0f86bf84..e3c83cfd 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -123,6 +123,10 @@ /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid.inc + + /usr/local/pkg/ + https://packages.pfsense.org/packages/config/squid3/34/squid_js.inc + /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc -- cgit v1.2.3 From 11ad58450e3229f0fc8551517802caa8134f43b3 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 10:05:57 +0200 Subject: Move squid_validate_reverse() to squid_reverse.inc where it belongs --- config/squid3/34/squid.inc | 69 ---------------------------------------------- 1 file changed, 69 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index a40dd551..ab47e3a0 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -848,75 +848,6 @@ function squid_validate_traffic($post, &$input_errors) { } } -function squid_validate_reverse($post, &$input_errors) { - global $config; - - if (!empty($post['reverse_ip'])) { - $reverse_ip = explode(";", ($post['reverse_ip'])); - foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) { - $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid."; - } - } - } - - $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) { - $input_errors[] = "'External FQDN' field must contain a valid domain name."; - } - - $port = trim($post['reverse_http_port']); - preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); - if (!empty($port) && !is_port($port)) { - $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; - } - if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; - } - $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) { - $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; - } - if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; - } - if ($post['reverse_ssl_cert'] == 'none') { - $input_errors[] = 'A valid certificate for the external interface must be selected'; - } - - if (($post['reverse_https'] != 'on') && 
($post['reverse_owa'] == 'on')) { - $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; - } - - if (!empty($post['reverse_owa_ip'])) { - $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); - foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) { - $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. '$reowaip' is invalid."; - } - } - } - - $contents = $post['reverse_cache_peer']; - if (!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";", ($def)); - if (!is_ipaddr($cfg[1])) { - $input_errors[] = "Please choose a valid IP in the cache peer configuration."; - } - if (!is_port($cfg[2])) { - $input_errors[] = "Please choose a valid port in the cache peer configuration."; - } - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) { - $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration."; - } - } - } -} - function squid_validate_auth($post, &$input_errors) { $num_fields = array( array('auth_processes', 'Authentication processes', 1), -- cgit v1.2.3 From 1adc1d85625457a0e0ce6fa532665e03cdb9e089 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 10:07:24 +0200 Subject: Move squid_validate_reverse() to squid_reverse.inc where it belongs --- config/squid3/34/squid_reverse.inc | 69 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index 32c3fa65..aa46e06d 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc 
@@ -262,4 +262,73 @@ function squid_resync_reverse() { return $conf; } +function squid_validate_reverse($post, &$input_errors) { + global $config; + + if (!empty($post['reverse_ip'])) { + $reverse_ip = explode(";", ($post['reverse_ip'])); + foreach ($reverse_ip as $reip) { + if (!is_ipaddr(trim($reip))) { + $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid."; + } + } + } + + $fqdn = trim($post['reverse_external_fqdn']); + if (!empty($fqdn) && !is_domain($fqdn)) { + $input_errors[] = "'External FQDN' field must contain a valid domain name."; + } + + $port = trim($post['reverse_http_port']); + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; + } + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { + $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; + } + $port = trim($post['reverse_https_port']); + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; + } + if (!empty($port) && is_port($port) && $port <= $portrange[1]) { + $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; + } + if ($post['reverse_ssl_cert'] == 'none') { + $input_errors[] = 'A valid certificate for the external interface must be selected'; + } + + if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 
'on')) { + $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + } + + if (!empty($post['reverse_owa_ip'])) { + $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); + foreach ($reverse_owa_ip as $reowaip) { + if (!is_ipaddr(trim($reowaip))) { + $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. '$reowaip' is invalid."; + } + } + } + + $contents = $post['reverse_cache_peer']; + if (!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";", ($def)); + if (!is_ipaddr($cfg[1])) { + $input_errors[] = "Please choose a valid IP in the cache peer configuration."; + } + if (!is_port($cfg[2])) { + $input_errors[] = "Please choose a valid port in the cache peer configuration."; + } + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) { + $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration."; + } + } + } +} + ?> -- cgit v1.2.3 From 4287e7d8d41fc449103977256fa822f3a0547e7e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 10:16:40 +0200 Subject: Move antivirus integration features to a separate file --- config/squid3/34/squid.inc | 391 +-------------------------------------------- 1 file changed, 2 insertions(+), 389 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index ab47e3a0..04f1615e 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -45,6 +45,8 @@ if (!function_exists("filter_configure")) { require_once('/usr/local/pkg/squid_reverse.inc'); /* Squid javascript helpers */ require_once('/usr/local/pkg/squid_js.inc'); +/* Squid antivirus intergration features helpers */ +require_once('/usr/local/pkg/squid_antivirus.inc'); $shortcut_section = "squid"; 
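Review bot: The result of `preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange)` is never checked, so when the sysctl output is empty `$portrange[1]` is undefined and both `$port <= $portrange[1]` tests (HTTP and HTTPS branches) compare against null and pass without reporting anything; keep the match result and report it, e.g. `if (!preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange)) { $input_errors[] = "Could not read net.inet.ip.portrange.reservedhigh sysctl value."; }`. The cache-peer loop indexes `$cfg[1]`..`$cfg[3]` without checking that `explode(";", $def)` produced four fields, so a short line raises undefined-index notices before the error is recorded — a `if (count($cfg) < 4) { $input_errors[] = "Incomplete cache peer definition."; continue; }` guard at the top of the loop would reject it cleanly. The moved body is byte-identical to the block removed on the preceding line, so both issues predate this commit.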
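Review bot: The added comment `/* Squid antivirus intergration features helpers */` misspells integration; make it `/* Squid antivirus integration features helpers */`. Nothing else to raise in this hunk; the `require_once` line mirrors the squid_reverse.inc and squid_js.inc lines directly above it.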
@@ -114,24 +116,6 @@ function squid_chown_recursive($dir, $user, $group) { } } -function squid_check_clamav_user($user) { - if (SQUID_BASE == '/usr/local') { - return; - } - - $_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return); - $user_arg = ($sq_ex_return == 0 ? "mod" : "add"); - $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return); - if ($sq_ex_return != 0) { - log_error("Squid - Could not change clamav user settings. " . serialize($sq_ex_output)); - } -} - -function squid_update_clamav() { - log_error("Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); - mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); -} - /* setup cache */ function squid_dash_z($cache_action = 'none') { global $config; 
@@ -562,43 +546,6 @@ function squid_deinstall_command() { update_output_window("Squid3 has been uninstalled."); } -function squid_validate_antivirus($post, &$input_errors) { - global $config; - - /* Manual ClamAV database update */ - if ($post['submit'] == 'Update AV') { - squid_update_clamav(); - return; - } - - if ($post['enable'] != "on") { - return; - } - - if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) { - $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})"; - $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host."; - } - if ($post['c-icap_conf']) { - if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) { - $input_errors[] = "c-icap Squidclamav service definition is not present."; - $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; - } - if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) { - $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; - } - } - - if ($post['clamav_dbservers']) { - foreach (explode(";", $post['clamav_dbservers']) as $dbserver) { - $dbserver = trim($dbserver); - if (!empty($dbserver) && !is_ipaddr($dbserver) && !is_hostname($dbserver)) { - $input_errors[] = "'Optional ClamAV Database Update Servers' entry '$dbserver' is not a valid IP address or hostname."; - } - } - } -} - function squid_validate_general($post, &$input_errors) { global $config; 
@@ -939,32 +886,6 @@ function squid_install_cron($should_install) { } } -function squid_install_freshclam_cron($should_install) { - global $config; - - if (platform_booting()) { - return; - } - - if (is_array($config['installedpackages']['squidantivirus'])) { - $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; - } else { - $antivirus_config = array(); - } - - $freshclam_cmd = (SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); - if (($should_install) && (squid_enabled())) { - if ($antivirus_config['clamav_update'] != "0") { - $minutes = ($antivirus_config['clamav_update'] * 60); - install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav"); - } else { - install_cron_job("{$freshclam_cmd}", false); - } - } else { - install_cron_job("{$freshclam_cmd}", false); - } -} - function squid_check_ca_hashes() { global $config, $g; 
@@ -1492,193 +1413,6 @@ EOD; return $conf; } -function squid_resync_antivirus() { - global $config; - - if (is_array($config['installedpackages']['squidantivirus'])) { - $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; - } else { - $antivirus_config = array(); - } - - if (squid_enabled() && ($antivirus_config['enable'] == "on")) { - switch ($antivirus_config['client_info']) { - case "both": - default: - $icap_send_client_ip = "on"; - $icap_send_client_username = "on"; - break; - case "ip": - $icap_send_client_ip = "on"; - $icap_send_client_username = "off"; - break; - case "username": - $icap_send_client_ip = "off"; - $icap_send_client_username = "on"; - break; - case "none": - $icap_send_client_ip = "off"; - $icap_send_client_username = "off"; - break; - } - - $conf = <<< EOF -icap_enable on -icap_send_client_ip {$icap_send_client_ip} -icap_send_client_username {$icap_send_client_username} -icap_client_username_encode off -icap_client_username_header X-Authenticated-User -icap_preview_enable on -icap_preview_size 1024 - -icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off -adaptation_access service_avi_req allow all -icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on -adaptation_access service_avi_resp allow all - -EOF; - - // check clamav user - squid_check_clamav_user('clamav'); - // patch sample files to pfsense dirs - // squidclamav.conf - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.default"); - $clamav_m[0] = "@/var/run/clamav/clamd.ctl@"; - $clamav_m[1] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; - $clamav_r[0] = "/var/run/clamav/clamd.sock"; - $clamav_r[1] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; - if ($antivirus_config['clamav_safebrowsing'] == "on") { - $clamav_m[2] = "@safebrowsing\s0@"; - $clamav_r[2] = "safebrowsing 1"; - } else { - $clamav_m[2] = "@safebrowsing\s1@"; - $clamav_r[2] = "safebrowsing 0"; - } - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); - } - // c-icap.conf - // make a backup of default c-icap.conf.sample first - // unlike with other config files, the file distributed in package is called c-icap.conf.sample, not c-icap.conf.default - if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); - } - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); - if (!preg_match("/squid_clamav/", $sample_file)) { - $sample_file .= "\nService squid_clamav squidclamav.so\n"; - } - $cicap_m[0] = "@Manager:Apassword\S+@"; - $cicap_r[0] = ""; - // XXX: Bug #4615 - if (is_array($config['installedpackages']['squid'])) { - $squidsettings = $config['installedpackages']['squid']['config'][0]; - } else { - $squidsettings = array(); - } - $logdir = ($squidsettings['log_dir'] ? 
$squidsettings['log_dir'] : '/var/squid/logs'); - $cicap_m[1] = "@DebugLevel\s1@"; - $cicap_r[1] = "DebugLevel 0"; - $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; - $cicap_r[2] = "AccessLog $logdir/c-icap-access.log"; - $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; - $cicap_r[3] = "ServerLog $logdir/c-icap-server.log"; - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); - } - // freshclam.conf - // make a backup of default freshclam.conf.sample first - if (!file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { - copy(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", SQUID_LOCALBASE . "/etc/freshclam.conf.default"); - } - if (file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.default"); - $freshclam_m[0] = "@#Example@"; - $freshclam_r[0] = ""; - $clamav_mirrors = ""; - if ($antivirus_config['clamav_dbregion'] != "") { - $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; - } - if ($antivirus_config['clamav_dbservers'] != "") { - foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { - $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; - } - } - if ($clamav_mirrors != "") { - $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; - $freshclam_r[1] = "{$clamav_mirrors}"; - } - if ($antivirus_config['clamav_safebrowsing'] == "on") { - $freshclam_m[2] = "@#SafeBrowsing yes@"; - $freshclam_r[2] = "SafeBrowsing yes"; - } else { - if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file))) { - $freshclam_m[2] = "@SafeBrowsing yes@"; - $freshclam_r[2] = "#SafeBrowsing yes"; - } - } - file_put_contents(SQUID_LOCALBASE . 
"/etc/freshclam.conf.sample", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); - } - // freshclam cronjob - squid_install_freshclam_cron(true); - - // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) - $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); - foreach ($ln_icap as $ln) { - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { - symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); - } - } - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { - symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); - } - - $loadsample = 0; - if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample"))); - $loadsample++; - } - if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample"))); - $loadsample++; - } - if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample"))); - $loadsample++; - } - if ($antivirus_config['freshclam_conf'] == "" && file_exists(SQUID_LOCALBASE . 
"/etc/freshclam.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample"))); - $loadsample++; - } - if ($loadsample > 0) { - write_config(); - $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; - } - // check dirs - $dirs = array( - "/var/run/c-icap" => "clamav", - "/var/log/c-icap" => "clamav", - "/var/log/clamav" => "clamav", - "/var/run/clamav" => "clamav", - "/var/db/clamav" => "clamav" - ); - foreach ($dirs as $dir_path => $dir_user) { - safe_mkdir($dir_path, 0755); - squid_chown_recursive($dir_path, $dir_user, "wheel"); - } - - // write advanced clamav/icap config files - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf", base64_decode($antivirus_config['freshclam_conf']), LOCK_EX); - } - // this will (re)start or stop/disable services as needed - // depending on whether Squid proxy and/or antivirus features are enabled - squid_restart_antivirus(); - - return $conf; -} - function squid_resync_traffic() { global $config, $valid_acls; 
@@ -2177,79 +1911,6 @@ function squid_restart_services() { } } -function squid_restart_antivirus() { - global $config; - if (is_array($config['installedpackages']['squidantivirus'])) { - $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; - } else { - $antivirus_config = array(); - } - - // reconfigure and (re)start service as needed if enabled, otherwise stop them - // do not (re)start antivirus services on boot - if (platform_booting()) { - return; - } - - if (squid_enabled() && ($antivirus_config['enable'] == "on")) { - // Check clamav database - if (count(glob("/var/db/clamav/*d")) == 0) { - log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); - mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); - } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) { - log_error("Squid - Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); - mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); - } elseif ($antivirus_config['clamav_safebrowsing'] != "on" && is_file("/var/db/clamav/safebrowsing.cvd")) { - log_error("Squid - Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions."); - mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd"); - } - - // start/reload clamav - $clamd_rcfile = "/usr/local/etc/rc.d/clamd.sh"; - if (!file_exists($clamd_rcfile)) { - squid_write_clamd_rcfile(); - } - if (is_process_running("clamd")) { - log_error("Reloading ClamAV..."); - $reload_cmd = SQUID_BASE . 
"/bin/clamdscan --reload"; - mwexec_bg("{$reload_cmd}"); - } else { - log_error("Starting ClamAV..."); - mwexec_bg("{$clamd_rcfile} start"); - } - - // check c-icap rcfile - $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap.sh"; - if (!file_exists($c_icap_rcfile)) { - squid_write_cicap_rcfile(); - } - if (is_process_running("c-icap")) { - mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); - } else { - mwexec_bg("{$c_icap_rcfile} start"); - } - } else { - // stop AV services and disable all C-ICAP/AV features - log_error("Squid antivirus features disabled."); - if (is_process_running("clamd")) { - log_error("Stopping and disabling ClamAV..."); - mwexec("/usr/bin/killall clamd"); - } - unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); - - // freshclam cronjob - log_error("Removing freshclam cronjob..."); - squid_install_freshclam_cron(false); - - // check c-icap rcfile - if (is_process_running("c-icap")) { - log_error("Stopping and disabling C-ICAP..."); - mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); - } - unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); - } -} - function squid_generate_rules($type) { global $config, $pfs_version; 
@@ -2477,54 +2138,6 @@ EOD; conf_mount_ro(); } -function squid_write_cicap_rcfile() { - $c_icap_rcfile = "c-icap.sh"; - $cicap_libdir = SQUID_LOCALBASE . "/lib"; - $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap"; - $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; - $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; - $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; - conf_mount_rw(); - write_rcfile(array( - "file" => "{$c_icap_rcfile}", - "start" => "{$cicap_start_cmd}", - "stop" => "{$cicap_stop_cmd}" - ) - ); - conf_mount_ro(); -} - -function squid_write_clamd_rcfile() { - $squid_base = SQUID_BASE; - $rc = array(); - $rc['file'] = 'clamd.sh'; - $rc['start'] = <<< EOD - -if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ];then - echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" - exit 1 -fi - -{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf" - -EOD; - - $rc['stop'] = <<< EOD - -/usr/bin/killall clamd 2>/dev/null -# Just to be sure... -sleep 5 -if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then - /usr/bin/killall -9 clamd 2>/dev/null -fi - -EOD; - - conf_mount_rw(); - write_rcfile($rc); - conf_mount_ro(); -} - /* Uses XMLRPC to synchronize the changes to a remote node */ function squid_sync_on_changes() { global $config, $g; -- cgit v1.2.3 From 5580005718bcc0c5ee53bbd7271016f190e47f6b Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 10:34:15 +0200 Subject: Move antivirus integration features to a separate file --- config/squid3/34/squid_antivirus.inc | 433 +++++++++++++++++++++++++++++++++++ 1 file changed, 433 insertions(+) create mode 100644 config/squid3/34/squid_antivirus.inc diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc new file mode 100644 index 00000000..ac78ad44 --- /dev/null +++ b/config/squid3/34/squid_antivirus.inc 
@@ -0,0 +1,433 @@ +/dev/null +# Just to be sure... +sleep 5 +if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then + /usr/bin/killall -9 clamd 2>/dev/null +fi + +EOD; + + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); +} + +/* Create /usr/local/etc/rc.d/c-icap.sh rcfile */ +function squid_write_cicap_rcfile() { + $c_icap_rcfile = "c-icap.sh"; + $cicap_libdir = SQUID_LOCALBASE . "/lib"; + $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap"; + $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; + $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; + conf_mount_rw(); + write_rcfile(array( + "file" => "{$c_icap_rcfile}", + "start" => "{$cicap_start_cmd}", + "stop" => "{$cicap_stop_cmd}" + ) + ); + conf_mount_ro(); +} + +/* ClamAV antivirus definitions updates via cron */ +function squid_install_freshclam_cron($should_install) { + global $config; + + if (platform_booting()) { + return; + } + + if (is_array($config['installedpackages']['squidantivirus'])) { + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } else { + $antivirus_config = array(); + } + + $freshclam_cmd = (SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); + if (($should_install) && (squid_enabled())) { + if ($antivirus_config['clamav_update'] != "0") { + $minutes = ($antivirus_config['clamav_update'] * 60); + install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav"); + } else { + install_cron_job("{$freshclam_cmd}", false); + } + } else { + install_cron_job("{$freshclam_cmd}", false); + } +} + +/* Manually update ClamAV virus definitions (via the GUI button) */ +function squid_update_clamav() { + log_error("Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); + mwexec_bg(SQUID_BASE . 
"/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); +} + +/* Antivirus features configuration */ +function squid_resync_antivirus() { + global $config; + + if (is_array($config['installedpackages']['squidantivirus'])) { + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } else { + $antivirus_config = array(); + } + + if (squid_enabled() && ($antivirus_config['enable'] == "on")) { + switch ($antivirus_config['client_info']) { + case "both": + default: + $icap_send_client_ip = "on"; + $icap_send_client_username = "on"; + break; + case "ip": + $icap_send_client_ip = "on"; + $icap_send_client_username = "off"; + break; + case "username": + $icap_send_client_ip = "off"; + $icap_send_client_username = "on"; + break; + case "none": + $icap_send_client_ip = "off"; + $icap_send_client_username = "off"; + break; + } + + $conf = <<< EOF +icap_enable on +icap_send_client_ip {$icap_send_client_ip} +icap_send_client_username {$icap_send_client_username} +icap_client_username_encode off +icap_client_username_header X-Authenticated-User +icap_preview_enable on +icap_preview_size 1024 + +icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off +adaptation_access service_avi_req allow all +icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on +adaptation_access service_avi_resp allow all + +EOF; + + // check clamav user + squid_check_clamav_user('clamav'); + // patch sample files to pfsense dirs + // squidclamav.conf + if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.default"); + $clamav_m[0] = "@/var/run/clamav/clamd.ctl@"; + $clamav_m[1] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; + $clamav_r[0] = "/var/run/clamav/clamd.sock"; + $clamav_r[1] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; + if ($antivirus_config['clamav_safebrowsing'] == "on") { + $clamav_m[2] = "@safebrowsing\s0@"; + $clamav_r[2] = "safebrowsing 1"; + } else { + $clamav_m[2] = "@safebrowsing\s1@"; + $clamav_r[2] = "safebrowsing 0"; + } + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); + } + // c-icap.conf + // make a backup of default c-icap.conf.sample first + // unlike with other config files, the file distributed in package is called c-icap.conf.sample, not c-icap.conf.default + if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { + copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); + } + if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; + } + $cicap_m[0] = "@Manager:Apassword\S+@"; + $cicap_r[0] = ""; + // XXX: Bug #4615 + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $logdir = ($squidsettings['log_dir'] ? 
$squidsettings['log_dir'] : '/var/squid/logs'); + $cicap_m[1] = "@DebugLevel\s1@"; + $cicap_r[1] = "DebugLevel 0"; + $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; + $cicap_r[2] = "AccessLog $logdir/c-icap-access.log"; + $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; + $cicap_r[3] = "ServerLog $logdir/c-icap-server.log"; + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); + } + // freshclam.conf + // make a backup of default freshclam.conf.sample first + if (!file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { + copy(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", SQUID_LOCALBASE . "/etc/freshclam.conf.default"); + } + if (file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.default"); + $freshclam_m[0] = "@#Example@"; + $freshclam_r[0] = ""; + $clamav_mirrors = ""; + if ($antivirus_config['clamav_dbregion'] != "") { + $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; + } + if ($antivirus_config['clamav_dbservers'] != "") { + foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { + $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; + } + } + if ($clamav_mirrors != "") { + $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; + $freshclam_r[1] = "{$clamav_mirrors}"; + } + if ($antivirus_config['clamav_safebrowsing'] == "on") { + $freshclam_m[2] = "@#SafeBrowsing yes@"; + $freshclam_r[2] = "SafeBrowsing yes"; + } else { + if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file))) { + $freshclam_m[2] = "@SafeBrowsing yes@"; + $freshclam_r[2] = "#SafeBrowsing yes"; + } + } + file_put_contents(SQUID_LOCALBASE . 
"/etc/freshclam.conf.sample", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + } + // freshclam cronjob + squid_install_freshclam_cron(true); + + // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); + foreach ($ln_icap as $ln) { + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { + symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); + } + } + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { + symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); + } + + $loadsample = 0; + if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample"))); + $loadsample++; + } + if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample"))); + $loadsample++; + } + if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample"))); + $loadsample++; + } + if ($antivirus_config['freshclam_conf'] == "" && file_exists(SQUID_LOCALBASE . 
"/etc/freshclam.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample"))); + $loadsample++; + } + if ($loadsample > 0) { + write_config(); + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } + // check dirs + $dirs = array( + "/var/run/c-icap" => "clamav", + "/var/log/c-icap" => "clamav", + "/var/log/clamav" => "clamav", + "/var/run/clamav" => "clamav", + "/var/db/clamav" => "clamav" + ); + foreach ($dirs as $dir_path => $dir_user) { + safe_mkdir($dir_path, 0755); + squid_chown_recursive($dir_path, $dir_user, "wheel"); + } + + // write advanced clamav/icap config files + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . 
"/etc/freshclam.conf", base64_decode($antivirus_config['freshclam_conf']), LOCK_EX); + } + // this will (re)start or stop/disable services as needed + // depending on whether Squid proxy and/or antivirus features are enabled + squid_restart_antivirus(); + + return $conf; +} + +/* Antivirus services handling */ +function squid_restart_antivirus() { + global $config; + if (is_array($config['installedpackages']['squidantivirus'])) { + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } else { + $antivirus_config = array(); + } + + // reconfigure and (re)start service as needed if enabled, otherwise stop them + // do not (re)start antivirus services on boot + if (platform_booting()) { + return; + } + + if (squid_enabled() && ($antivirus_config['enable'] == "on")) { + // Check clamav database + if (count(glob("/var/db/clamav/*d")) == 0) { + log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); + mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); + } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) { + log_error("Squid - Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); + mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); + } elseif ($antivirus_config['clamav_safebrowsing'] != "on" && is_file("/var/db/clamav/safebrowsing.cvd")) { + log_error("Squid - Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions."); + mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd"); + } + + // start/reload clamav + $clamd_rcfile = "/usr/local/etc/rc.d/clamd.sh"; + if (!file_exists($clamd_rcfile)) { + squid_write_clamd_rcfile(); + } + if (is_process_running("clamd")) { + log_error("Reloading ClamAV..."); + $reload_cmd = SQUID_BASE . 
"/bin/clamdscan --reload"; + mwexec_bg("{$reload_cmd}"); + } else { + log_error("Starting ClamAV..."); + mwexec_bg("{$clamd_rcfile} start"); + } + + // check c-icap rcfile + $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap.sh"; + if (!file_exists($c_icap_rcfile)) { + squid_write_cicap_rcfile(); + } + if (is_process_running("c-icap")) { + mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); + } else { + mwexec_bg("{$c_icap_rcfile} start"); + } + } else { + // stop AV services and disable all C-ICAP/AV features + log_error("Squid antivirus features disabled."); + if (is_process_running("clamd")) { + log_error("Stopping and disabling ClamAV..."); + mwexec("/usr/bin/killall clamd"); + } + unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); + + // freshclam cronjob + log_error("Removing freshclam cronjob..."); + squid_install_freshclam_cron(false); + + // check c-icap rcfile + if (is_process_running("c-icap")) { + log_error("Stopping and disabling C-ICAP..."); + mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + } + unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); + } +} + +/* Input validation */ +function squid_validate_antivirus($post, &$input_errors) { + global $config; + + /* Manual ClamAV database update */ + if ($post['submit'] == 'Update AV') { + squid_update_clamav(); + return; + } + + if ($post['enable'] != "on") { + return; + } + + if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) { + $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})"; + $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host."; + } + if ($post['c-icap_conf']) { + if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) { + $input_errors[] = "c-icap Squidclamav service definition is not present."; + $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; + } 
+ if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) { + $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; + } + } + + if ($post['clamav_dbservers']) { + foreach (explode(";", $post['clamav_dbservers']) as $dbserver) { + $dbserver = trim($dbserver); + if (!empty($dbserver) && !is_ipaddr($dbserver) && !is_hostname($dbserver)) { + $input_errors[] = "'Optional ClamAV Database Update Servers' entry '$dbserver' is not a valid IP address or hostname."; + } + } + } +} + +?> -- cgit v1.2.3 From f77a2bdc55d38d78a93dce63762cccb3de838d75 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 10:35:46 +0200 Subject: Move antivirus integration features to a separate file --- config/squid3/34/squid.xml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index e3c83cfd..fb749600 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -123,6 +123,10 @@ /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid.inc + + /usr/local/pkg/ + https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.inc + /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_js.inc -- cgit v1.2.3 From f31a1d242a7204eaaebcacc561be1b79e61775fb Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 10:46:02 +0200 Subject: Bump squid3 package version --- config/squid3/34/squid.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index fb749600..ae388e3c 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -42,7 +42,7 @@ ]]> squid - 0.3.8 + 0.3.8.1 Proxy Server: General Settings /usr/local/pkg/squid.inc -- cgit v1.2.3 From 1be0ef14cef328dca10beeb20654ad47ecaf5dba Mon Sep 17 00:00:00 2001 
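Review bot: In squid_resync_antivirus the SafeBrowsing fallback passes the already-read config text as a file path, `if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file)))`, so file_get_contents() fails with a warning on every resync and the branch always comments out the directive; `$sample_file` already holds the contents of freshclam.conf.default, so the line should read `if (!preg_match("@#SafeBrowsing yes@", $sample_file)) {`. In squid_install_freshclam_cron the update interval is written as a step in the minute field, `install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav");` with `$minutes` a multiple of 60, which most cron implementations reduce to minute 0 of every hour rather than every N hours, and `clamav_update` is not checked in squid_validate_antivirus before it is interpolated. squid_validate_antivirus validates only `clamav_dbservers`, while `clamav_dbregion` goes straight into the generated `DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net` line, so unless the XML restricts it to a fixed select list it deserves the same is_hostname()-style check to keep stray newlines out of freshclam.conf. The hunk as rendered begins mid-heredoc at `+/dev/null`, so the file header and the start of squid_write_clamd_rcfile are not visible here.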
From: doktornotor Date: Sat, 3 Oct 2015 10:46:46 +0200 Subject: Bump squid3 package version --- pkg_config.10.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.10.xml b/pkg_config.10.xml index c21d0c34..efbdaf2a 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -1052,7 +1052,7 @@ https://forum.pfsense.org/index.php/topic,48347.0.html http://www.squid-cache.org/ Network - 0.3.8 + 0.3.8.1 beta 2.2 marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org -- cgit v1.2.3 From de72c719d9c45b44c7fb8341a8b7e64682c47d7f Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 14:49:13 +0200 Subject: Reoder functions into logical sections and add descriptions to them --- config/squid3/34/squid.inc | 473 +++++++++++++++++++++++++-------------------- 1 file changed, 266 insertions(+), 207 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 04f1615e..1179889c 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -77,10 +77,16 @@ if ($uname['machine'] == 'amd64') { ini_set('memory_limit', '250M'); } +/* + * Utility functions + */ + +/* Handle base64 encoding and linebreaks in textarea configuration fields */ function sq_text_area_decode($text) { return preg_replace('/\r\n/', "\n", base64_decode($text)); } +/* Get interface IP and netmask for Squid interfaces */ function squid_get_real_interface_address($iface) { if (!function_exists("get_interface_ip")) { require_once("interfaces.inc"); 
@@ -89,6 +95,18 @@ function squid_get_real_interface_address($iface) { return array(get_interface_ip($iface), gen_subnet_mask(get_interface_subnet($iface))); } +/* Check whether ACL is valid */ +function squid_is_valid_acl($acl) { + global $valid_acls; + + if (!is_array($valid_acls)) { + return; + } + + return in_array($acl, $valid_acls); +} + +/* Recursively change ownership of directories */ function squid_chown_recursive($dir, $user, $group) { if (empty($dir) || ($dir == '/') || ($dir == '/usr/local') || !is_dir($dir)) { log_error(gettext("Squid attempted to chown an invalid directory: {$dir}")); 
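Review bot: squid_is_valid_acl returns null when `$valid_acls` has not been populated yet but false when the ACL is absent, so callers cannot tell "not initialised" from "invalid", and `in_array($acl, $valid_acls)` is a loose comparison. Returning `false` explicitly in the guard and passing the strict flag, `return in_array($acl, $valid_acls, true);`, makes the function match the contract the new comment describes. The moved body is otherwise identical to the copy deleted further down in this commit.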
@@ -116,7 +134,87 @@ function squid_chown_recursive($dir, $user, $group) { } } -/* setup cache */ +/* Check whether Squid is enabled */ +function squid_enabled() { + global $config, $proxy_enabled; + $proxy_enabled = false; + + if (is_array($config['installedpackages']['squid']['config'])) { + // check whether Squid is enabled ... + if ($config['installedpackages']['squid']['config'][0]['enable_squid'] == "on") { + // ... and has at least one interface configured ... + if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { + $proxy_enabled = true; + } else { + // ... or has at least one reverse interface configured + if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { + $proxy_enabled = true; + } + } + } + } + } + return $proxy_enabled; +} + +/* Get list of certificates for SSL proxy */ +function squid_get_server_certs() { + global $config; + $cert_arr = array(); + $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); + foreach ($config['cert'] as $cert) { + $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); + } + return $cert_arr; +} + +/* Handle root CA certificates bundle */ +function squid_check_ca_hashes() { + global $config, $g; + + // check certificates + $cert_count = 0; + if (is_dir(SQUID_LOCALBASE . '/share/certs')) { + if ($handle = opendir(SQUID_LOCALBASE . '/share/certs')) { + while (false !== ($file = readdir($handle))) { + if (preg_match ("/\d+.0/", $file)) { + $cert_count++; + } + } + closedir($handle); + } + } + if ($cert_count < 10) { + conf_mount_rw(); + // create ca-root hashes from ca-root-nss package + log_error("Creating root certificate bundle hashes from the Mozilla Project"); + $cas = file(SQUID_LOCALBASE . 
'/share/certs/ca-root-nss.crt'); + $cert = 0; + foreach ($cas as $ca) { + if (preg_match("/--BEGIN CERTIFICATE--/", $ca)) { + $cert = 1; + } + if ($cert == 1) { + $crt .= $ca; + } + if (preg_match("/-END CERTIFICATE-/", $ca)) { + file_put_contents("/tmp/cert.pem", $crt, LOCK_EX); + $cert_hash = array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash); + file_put_contents(SQUID_LOCALBASE . "/share/certs/" . $cert_hash[0] . ".0", $crt, LOCK_EX); + $crt = ""; + $cert = 0; + } + } + } +} + +/* + * Squid cache setup + */ + + /* Create Squid disk cache directories */ function squid_dash_z($cache_action = 'none') { global $config; @@ -177,6 +275,7 @@ function squid_dash_z($cache_action = 'none') { } } +/* Helper function for squid_dash_z() */ function squid_create_cachedir() { global $config; if (is_array($config['installedpackages']['squidcache'])) { 
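Review bot: squid_check_ca_hashes calls `conf_mount_rw();` when fewer than ten hash files are found but never calls conf_mount_ro() afterwards, so the config filesystem is left writable once the bundle has been regenerated; the function ends right after the foreach, and the deleted copy in the -856 hunk of this commit shows the same omission. The intermediate certificate is written to the fixed path `/tmp/cert.pem` and the output of `exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash)` is used unchecked as the file name, so if openssl fails `$cert_hash[0]` is unset and the certificate is written to `…/share/certs/.0`; a tempnam()-generated path plus a guard such as `if (empty($cert_hash[0])) { continue; }` before the file_put_contents() would be safer. `$crt` is also never initialised before `$crt .= $ca;`, and `file()` returning false when ca-root-nss.crt is missing is not checked before the foreach.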
@@ -207,16 +306,148 @@ function squid_create_cachedir() { } } -function squid_is_valid_acl($acl) { - global $valid_acls; - if (!is_array($valid_acls)) { +/* + * rc scripts, services and cronjobs + */ + +/* Handle cronjob install/uninstall */ +function squid_install_cron($should_install) { + global $config; + + if (platform_booting()) { return; } - return in_array($acl, $valid_acls); + parse_config(true); + if (is_array($config['installedpackages']['squidcache'])) { + $settings = $config['installedpackages']['squidcache']['config'][0]; + } else { + $settings = array(); + } + + $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_cmd .= SQUID_BASE . "/sbin/squid -k rotate -f " . SQUID_CONFFILE; + install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root"); + + $swapstate_cmd = "/usr/local/pkg/swapstate_check.php clean; "; + if (($should_install) && (squid_enabled())) { + if ($settings['clear_cache'] == 'on' ) { + install_cron_job("{$swapstate_cmd}", true, "*/360"); + } else { + install_cron_job("{$swapstate_cmd}", false); + } + } else { + install_cron_job("{$swapstate_cmd}", false); + } +} + +/* Create /usr/local/etc/rc.d/squid.sh rc script */ +function squid_write_rcfile() { + /* Declare a variable for the SQUID_CONFFILE constant. */ + /* Then the variable can be referenced easily in the heredoc text that generates the rc file. */ + $squid_conffile_var = SQUID_CONFFILE; + $squid_base = SQUID_BASE; + $rc = array(); + $rc['file'] = 'squid.sh'; + $rc['start'] = <<< EOD +#/sbin/sysctl net.inet.ip.portrange.reservedhigh=0 +if [ -z "`/bin/ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then + {$squid_base}/sbin/squid -f {$squid_conffile_var} +fi + +EOD; + + $rc['stop'] = <<< EOD +{$squid_base}/sbin/squid -k shutdown -f {$squid_conffile_var} +# Just to be sure... 
+sleep 5 +if [ -n "`/bin/ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then + {$squid_base}/sbin/squid -k kill -f {$squid_conffile_var} +fi + +if [ -x /usr/bin/ipcs ]; then +# http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-22.html#ss22.8 +/usr/bin/ipcs | /usr/bin/grep '^[mq]' | /usr/bin/awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh +fi + +/usr/bin/killall -9 squid 2>/dev/null +/usr/bin/killall pinger 2>/dev/null + +EOD; + + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); +} + +/* Start sqp_monitor.sh watchdog script */ +function squid_start_monitor() { + if (squid_enabled()) { + if (!exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { + log_error("Starting a proxy monitor script"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); + } + sleep(1); + } else { + log_error("Squid is disabled. Not starting a proxy monitor script"); + } +} + +/* Stop sqp_monitor.sh watchdog script */ +function squid_stop_monitor() { + /* kill any running proxy alarm scripts */ + if (exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { + log_error("Stopping any running proxy monitors"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + } + sleep(1); +} + +/* Start and/or stop services according to Squid configuration */ +function squid_restart_services() { + global $config; + + // do not (re)start squid services on boot + if (platform_booting()) { + return; + } + + if (squid_enabled()) { + /* kill any running proxy alarm scripts */ + squid_stop_monitor(); + + if (!is_service_running('squid')) { + log_error("Starting Squid"); + mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); + } else { + log_error("Reloading Squid for configuration sync"); + mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + } + // sleep for a couple seconds to give squid a chance to fire up fully. 
+ for ($i = 0; $i < 10; $i++) { + if (!is_service_running('squid')) { + sleep(1); + } + } + /* restart proxy alarm scripts */ + squid_start_monitor(); + + } else { + /* Squid is disabled - kill any running proxy alarm scripts and stop Squid services */ + squid_stop_monitor(); + if (is_service_running('squid')) { + log_error("Stopping Squid"); + stop_service("squid"); + } + } } + +/* + * Squid package install/uninstall + */ + function squid_install_command() { global $config, $g; @@ -334,7 +565,7 @@ function squid_install_command() { if (!is_array($config['installedpackages']['squidreverseuri'])) { foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { foreach (explode(";", $acls) as $acl) { - array_push(${'peer_'.$acl[0]},$acl[1]); + array_push(${'peer_'.$acl[0]}, $acl[1]); } } foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { @@ -546,6 +777,11 @@ function squid_deinstall_command() { update_output_window("Squid3 has been uninstalled."); } +/* + * Squid input validation + */ + +/* Proxy Server: General Settings input validation */ function squid_validate_general($post, &$input_errors) { global $config; @@ -626,6 +862,7 @@ function squid_validate_general($post, &$input_errors) { } } +/* Proxy Server: Remote Proxy Settings input validation */ function squid_validate_upstream($post, &$input_errors) { if ($post['enabled'] != 'on') { return; @@ -652,6 +889,7 @@ function squid_validate_upstream($post, &$input_errors) { } } +/* Proxy Server: Cache Management input validation */ function squid_validate_cache($post, &$input_errors) { $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', @@ -707,6 +945,7 @@ function squid_validate_cache($post, &$input_errors) { } } +/* Proxy Server: Access Control input validation */ function squid_validate_nac($post, &$input_errors) { $allowed_subnets = explode("\n", $post['allowed_subnets']); foreach ($allowed_subnets as $subnet) { 
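Review bot: The stop script generated by squid_write_rcfile removes every SysV shared-memory segment and message queue on the host, `/usr/bin/ipcs | /usr/bin/grep '^[mq]' | /usr/bin/awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh`, not only Squid's, so stopping the proxy can break any other service that uses SysV IPC; filtering the ipcs output by owner would limit the side effect. In squid_install_cron the swapstate cleanup is scheduled as `install_cron_job("{$swapstate_cmd}", true, "*/360");`, a step of 360 in the minute field, which most cron implementations reduce to minute 0 of every hour rather than every six hours — scheduling on the hour field, `install_cron_job("{$swapstate_cmd}", true, "0", "*/6");`, expresses the intent directly. These are moved functions, so both points concern the pre-existing logic rather than the reorder itself.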
@@ -758,6 +997,7 @@ function squid_validate_nac($post, &$input_errors) { } } +/* Proxy server: Traffic Management input validation */ function squid_validate_traffic($post, &$input_errors) { $num_fields = array( 'max_download_size' => 'Maximum download size', @@ -795,6 +1035,7 @@ function squid_validate_traffic($post, &$input_errors) { } } +/* Proxy Server: Authentication input validation */ function squid_validate_auth($post, &$input_errors) { $num_fields = array( array('auth_processes', 'Authentication processes', 1), 
@@ -856,76 +1097,7 @@ function squid_validate_auth($post, &$input_errors) { } } -function squid_install_cron($should_install) { - global $config; - - if (platform_booting()) { - return; - } - - parse_config(true); - if (is_array($config['installedpackages']['squidcache'])) { - $settings = $config['installedpackages']['squidcache']['config'][0]; - } else { - $settings = array(); - } - - $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); - $cron_cmd .= SQUID_BASE . "/sbin/squid -k rotate -f " . SQUID_CONFFILE; - install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root"); - - $swapstate_cmd = "/usr/local/pkg/swapstate_check.php clean; "; - if (($should_install) && (squid_enabled())) { - if ($settings['clear_cache'] == 'on' ) { - install_cron_job("{$swapstate_cmd}", true, "*/360"); - } else { - install_cron_job("{$swapstate_cmd}", false); - } - } else { - install_cron_job("{$swapstate_cmd}", false); - } -} - -function squid_check_ca_hashes() { - global $config, $g; - - // check certificates - $cert_count = 0; - if (is_dir(SQUID_LOCALBASE . '/share/certs')) { - if ($handle = opendir(SQUID_LOCALBASE . '/share/certs')) { - while (false !== ($file = readdir($handle))) { - if (preg_match ("/\d+.0/",$file)) { - $cert_count++; - } - } - closedir($handle); - } - } - if ($cert_count < 10) { - conf_mount_rw(); - // create ca-root hashes from ca-root-nss package - log_error("Creating root certificate bundle hashes from the Mozilla Project"); - $cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt'); - $cert = 0; - foreach ($cas as $ca) { - if (preg_match("/--BEGIN CERTIFICATE--/", $ca)) { - $cert = 1; - } - if ($cert == 1) { - $crt .= $ca; - } - if (preg_match("/-END CERTIFICATE-/", $ca)) { - file_put_contents("/tmp/cert.pem", $crt, LOCK_EX); - $cert_hash = array(); - exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash); - file_put_contents(SQUID_LOCALBASE . "/share/certs/" . 
$cert_hash[0] . ".0", $crt, LOCK_EX); - $crt = ""; - $cert = 0; - } - } - } -} - +/* Proxy Server: General Settings configuration handler */ function squid_resync_general() { global $g, $config, $valid_acls; @@ -1016,7 +1188,7 @@ function squid_resync_general() { $iface_ip = squid_get_real_interface_address($iface); if ($iface_ip[0]) { $real_ifaces[] = $iface_ip; - if (in_array($iface,$ssl_ifaces)) { + if (in_array($iface, $ssl_ifaces)) { $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; } else { $conf .= "http_port {$iface_ip[0]}:{$port}\n"; @@ -1138,6 +1310,7 @@ EOD; return $conf; } +/* Proxy Server: Cache Management configuration handler */ function squid_resync_cache() { global $config, $g; @@ -1276,6 +1449,7 @@ EOD; return $conf.$refresh_conf; } +/* Proxy Server: Remote Proxy Settings configuration handler */ function squid_resync_upstream() { global $config; @@ -1317,6 +1491,7 @@ function squid_resync_upstream() { return $conf; } +/* Proxy Server: Access Control configuration handler */ function squid_resync_nac() { global $config, $valid_acls; @@ -1413,6 +1588,7 @@ EOD; return $conf; } +/* Proxy server: Traffic Management configuration handler */ function squid_resync_traffic() { global $config, $valid_acls; @@ -1509,16 +1685,7 @@ EOD; return $conf; } -function squid_get_server_certs() { - global $config; - $cert_arr = array(); - $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); - foreach ($config['cert'] as $cert) { - $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); - } - return $cert_arr; -} - +/* Proxy Server: Authentication configuration handler */ function squid_resync_auth() { global $config, $valid_acls; $write_config = 0; @@ -1741,6 +1908,7 @@ EOD; return $conf; } +/* Proxy server: Local users configuration handler */ function squid_resync_users() { global $config; 
@@ -1756,6 +1924,7 @@ function squid_resync_users() { chmod(SQUID_PASSWD, 0600); } +/* Proxy server: NT Domain configuration handler */ function squid_resync_msnt() { global $config; @@ -1773,6 +1942,7 @@ function squid_resync_msnt() { chmod(SQUID_CONFBASE . "/msntauth.conf", 0600); } +/* Wrapper function to sync whole Squid configuration */ function squid_resync($via_rpc = "no") { global $config; 
@@ -1829,87 +1999,9 @@ function squid_resync($via_rpc = "no") { conf_mount_ro(); } -function squid_stop_monitor() { - /* kill any running proxy alarm scripts */ - if (exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { - log_error("Stopping any running proxy monitors"); - mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); - } - sleep(1); -} - -function squid_start_monitor() { - if (squid_enabled()) { - if (!exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { - log_error("Starting a proxy monitor script"); - mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); - } - sleep(1); - } else { - log_error("Squid is disabled. Not starting a proxy monitor script"); - } -} - -function squid_enabled() { - global $config, $proxy_enabled; - $proxy_enabled = false; - - if (is_array($config['installedpackages']['squid']['config'])) { - // check whether Squid is enabled ... - if ($config['installedpackages']['squid']['config'][0]['enable_squid'] == "on") { - // ... and has at least one interface configured ... - if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { - $proxy_enabled = true; - } else { - // ... or has at least one reverse interface configured - if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { - $proxy_enabled = true; - } - } - } - } - } - return $proxy_enabled; -} - -function squid_restart_services() { - global $config; - // reconfigure and (re)start service as needed if enabled, otherwise stop them - // do not (re)start squid services on boot - if (platform_booting()) { - return; - } - - if (squid_enabled()) { - /* kill any running proxy alarm scripts */ - squid_stop_monitor(); - - if (!is_service_running('squid')) { - log_error("Starting Squid"); - mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); - } else { - log_error("Reloading Squid for configuration sync"); - mwexec(SQUID_BASE . 
"/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); - } - // sleep for a couple seconds to give squid a chance to fire up fully. - for ($i = 0; $i < 10; $i++) { - if (!is_service_running('squid')) { - sleep(1); - } - } - /* restart proxy alarm scripts */ - squid_start_monitor(); - - } else { - /* Squid is disabled - kill any running proxy alarm scripts and stop Squid services */ - squid_stop_monitor(); - if (is_service_running('squid')) { - log_error("Stopping Squid"); - stop_service("squid"); - } - } -} +/* + * Squid firewall rules configuration + */ function squid_generate_rules($type) { global $config, $pfs_version; 
@@ -2100,45 +2192,11 @@ function squid_generate_rules($type) { return $rules; } -function squid_write_rcfile() { - /* Declare a variable for the SQUID_CONFFILE constant. */ - /* Then the variable can be referenced easily in the heredoc text that generates the rc file. */ - $squid_conffile_var = SQUID_CONFFILE; - $squid_base = SQUID_BASE; - $rc = array(); - $rc['file'] = 'squid.sh'; - $rc['start'] = <<< EOD -#/sbin/sysctl net.inet.ip.portrange.reservedhigh=0 -if [ -z "`/bin/ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then - {$squid_base}/sbin/squid -f {$squid_conffile_var} -fi - -EOD; - - $rc['stop'] = <<< EOD -{$squid_base}/sbin/squid -k shutdown -f {$squid_conffile_var} -# Just to be sure... -sleep 5 -if [ -n "`/bin/ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then - {$squid_base}/sbin/squid -k kill -f {$squid_conffile_var} -fi - -if [ -x /usr/bin/ipcs ]; then -# http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-22.html#ss22.8 -/usr/bin/ipcs | /usr/bin/grep '^[mq]' | /usr/bin/awk '{printf "ipcrm -%s %s\\n", $1, $2}' | /bin/sh -fi - -/usr/bin/killall -9 squid 2>/dev/null -/usr/bin/killall pinger 2>/dev/null - -EOD; - - conf_mount_rw(); - write_rcfile($rc); - conf_mount_ro(); -} +/* + * Squid XMLRPC sync + */ -/* Uses XMLRPC to synchronize the changes to a remote node */ +/* XMLRPC sync configuration */ function squid_sync_on_changes() { global $config, $g; if (is_array($config['installedpackages']['squidsync']['config'])) { @@ -2187,7 +2245,8 @@ function squid_sync_on_changes() { } } } -/* Do the actual XMLRPC sync */ + +/* Perform the actual XMLRPC sync */ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; -- cgit v1.2.3 From 1170a846da8c550807b4882b5fe8642d5a756f37 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 3 Oct 2015 14:55:12 +0200 Subject: Add description to functions --- config/squid3/34/squid_reverse.inc | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index aa46e06d..d69d6a01 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -33,6 +33,7 @@ require_once('certs.inc'); /* This file is currently only being included in squid.inc and not used separately */ // require_once('squid.inc'); +/* Reverse Proxy Server configuration handler */ function squid_resync_reverse() { global $config; @@ -262,6 +263,7 @@ function squid_resync_reverse() { return $conf; } +/* Reverse Proxy Server input validation */ function squid_validate_reverse($post, &$input_errors) { global $config; -- cgit v1.2.3 From b94a3e2a0886fcff4c8e60b21629c41f27d2f1f5 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 5 Oct 2015 00:22:21 +0200 Subject: Fix newline --- config/squid3/34/squid_js.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid_js.inc b/config/squid3/34/squid_js.inc index 9ff5a78a..3ab28f15 100644 --- a/config/squid3/34/squid_js.inc +++ b/config/squid3/34/squid_js.inc @@ -234,7 +234,7 @@ EOD; } function squid_print_antivirus_advanced_config2() { - print('\n'); + print("\n"); } ?> -- cgit v1.2.3 From 091a673be366bd9baf4f35872e8445ef7a569431 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 05:05:28 +0200 Subject: Update squid_js.inc for new squid_antivirus.xml --- config/squid3/34/squid_js.inc | 57 ++++++++++++++++++++++++++++++++++--------- 1 file changed, 45 insertions(+), 12 deletions(-) diff --git a/config/squid3/34/squid_js.inc b/config/squid3/34/squid_js.inc index 3ab28f15..781b6710 100644 --- a/config/squid3/34/squid_js.inc +++ b/config/squid3/34/squid_js.inc 
@@ -26,10 +26,16 @@ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* Squid javascript helpers for GUI fields status manipulation */ +/* + * Squid javascript helpers for GUI fields status manipulation + */ require_once('globals.inc'); require_once('config.inc'); +/* + * Enable/disable and blank out various parts of the Authentication tab + * depending on selected 'Authentication Method' value + */ function squid_print_javascript_auth() { global $config; if (is_array($config['installedpackages']['squid'])) { @@ -190,12 +196,16 @@ EOD; print($javascript); } +/* onchange toggle helper for squid_print_javascript_auth() function */ function squid_print_javascript_auth2() { print("\n"); } +/* + * Enable/disable and blank out various parts of the Antivirus tab + * depending on selected 'Enable Manual Configuration' value + */ function squid_print_antivirus_advanced_config() { - $javascript = <<< EOD \n"); } -- cgit v1.2.3 From b52dc8a8896e6b268611959f5c79dcfb85c0ec84 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 05:12:33 +0200 Subject: squid.inc - more cleanups and small bugfixes - Completely split antivirus install/uninstall to squid_antivirus.inc - Move the config migration cruft to separate squid_upgrade_config() function - Some cachedr creation fixes --- config/squid3/34/squid.inc | 351 +++++++++++++++++++++------------------------ 1 file changed, 165 insertions(+), 186 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 1179889c..bb1e46ec 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -218,7 +218,13 @@ function squid_check_ca_hashes() {
 function squid_dash_z($cache_action = 'none') {
 global $config;
 
- // We need cache created on package install
+ // We need cache configured after initial package install
+ if (!is_array($config['installedpackages']['squidcache']['config'])) {
+ log_error("Squid - 'Local Cache' not configured, disk cache will be disabled.");
+ log_error("Squid - Please, configure and save 'Local Cache' settings before enabling Squid proxy.");
+ return;
+ }
+
 if (is_array($config['installedpackages']['squidcache'])) {
 $cachesettings = $config['installedpackages']['squidcache']['config'][0];
 } else {
@@ -294,9 +300,9 @@ function squid_create_cachedir() {
 
 if (!is_dir($cachedir . '/00')) {
 log_error("Creating Squid cache subdirs in $cachedir");
+ mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE);
 // Double check permissions here, should be safe to recurse cache dir if it's small here.
 squid_chown_recursive($cachedir, SQUID_UID, SQUID_GID);
- mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE);
 }
 
 if (file_exists("/var/squid/cache/swap.state")) {
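Review bot: Once the new early return has established that `$config['installedpackages']['squidcache']['config']` is an array, the `is_array($config['installedpackages']['squidcache'])` test that follows it can no longer be false, so its `else` branch is dead code; collapse the pair to `$cachesettings = $config['installedpackages']['squidcache']['config'][0];`. The two log_error() strings are repeated verbatim in the squid_resync_cache() hunk further down this diff, so a small shared helper would keep them in one place. squid_dash_z()'s body continues outside the hunk.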
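Review bot: The exit status of `squid -z` is discarded, so when cache creation fails the code silently goes on to chown whatever exists; capture it, e.g. `if (mwexec(SQUID_BASE . "/sbin/squid -z -f " . SQUID_CONFFILE) != 0) { log_error("Squid - cache dir creation in {$cachedir} failed"); }`. The comment kept above the squid_chown_recursive() call expects a full recursion into the tree `squid -z` just created; it is worth confirming that helper really descends into a directory whose basename is `cache`, because with the new ordering any subdirectory it skips keeps whatever ownership `squid -z` gave it. squid_create_cachedir() starts and ends outside the hunk.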
@@ -453,139 +459,17 @@ function squid_install_command() { update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); update_output_window("Checking if there is configuration to migrate... One moment please..."); - /* migrate existing csv config fields */ - if (is_array($config['installedpackages']['squidauth']['config'])) { - $settingsauth = $config['installedpackages']['squidauth']['config'][0]; - } - if (is_array($config['installedpackages']['squidcache']['config'])) { - $settingscache = $config['installedpackages']['squidcache']['config'][0]; - } - if (is_array($config['installedpackages']['squidnac']['config'])) { - $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - } - if (is_array($config['installedpackages']['squid']['config'])) { - $settingsgen = $config['installedpackages']['squid']['config'][0]; - } - if (SQUID_BASE != '/usr/local' && file_exists('/usr/local/bin/check_ip.php') && !file_exists(SQUID_BASE . '/bin/check_ip.php')) { - symlink("/usr/local/bin/check_ip.php", SQUID_BASE . 
"/bin/check_ip.php"); + /* Set storage system for nanobsd */ + if (!is_array($config['installedpackages']['squidcache'])) { + $config['installedpackages']['squidcache'] = array(); } - - /* Set storage system */ if ($g['platform'] == "nanobsd") { $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null'; } - /* migrate auth settings */ - if (!empty($settingsauth['no_auth_hosts']) && strstr($settingsauth['no_auth_hosts'], ",")) { - $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); - $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; - } - - /* migrate cache settings */ - if (!empty($settingscache['donotcache']) && strstr($settingscache['donotcache'], ",")) { - $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); - $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; - } - - /* migrate nac settings */ - if (!empty($settingsnac['allowed_subnets']) && strstr($settingsnac['allowed_subnets'], ",")) { - $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); - $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; - } - - if (!empty($settingsnac['banned_hosts']) && strstr($settingsnac['banned_hosts'], ",")) { - $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); - $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; - } - - if (!empty($settingsnac['banned_macs']) && strstr($settingsnac['banned_macs'], ",")) { - $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); - $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; - } - - if 
(!empty($settingsnac['unrestricted_hosts']) && strstr($settingsnac['unrestricted_hosts'], ",")) { - $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); - $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; - } - - if (!empty($settingsnac['unrestricted_macs']) && strstr($settingsnac['unrestricted_macs'], ",")) { - $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); - $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; - } - - if (!empty($settingsnac['whitelist']) && strstr($settingsnac['whitelist'], ",")) { - $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); - $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; - } - - if (!empty($settingsnac['blacklist']) && strstr($settingsnac['blacklist'], ",")) { - $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); - $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; - } - - if (!empty($settingsnac['block_user_agent']) && strstr($settingsnac['block_user_agent'], ",")) { - $settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); - $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; - } - - if (!empty($settingsnac['block_reply_mime_type']) && strstr($settingsnac['block_reply_mime_type'], ",")) { - $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); - $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; - } - - /* migrate reverse settings */ - if 
(is_array($config['installedpackages']['squidreverse'])) { - $old_reverse_settings = $config['installedpackages']['squidreverse']['config'][0]; - - // settings - if (!is_array($config['installedpackages']['squidreversegeneral'])) { - $config['installedpackages']['squidreversegeneral']['config'][0] = $old_reverse_settings; - unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); - unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); - unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); - } - - // peers - if (!is_array($config['installedpackages']['squidreversepeer'])) { - foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { - foreach (explode(";", $cache_peers) as $cache_peer) { - $config['installedpackages']['squidreversepeer']['config'][] = array( - 'description' => 'migrated', - 'enable' => 'on', - 'name' => $cache_peer[0], - 'port' => $cache_peer[1], - 'protocol' => $cache_peer[2] - ); - } - } - } - - // mappings - if (!is_array($config['installedpackages']['squidreverseuri'])) { - foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { - foreach (explode(";", $acls) as $acl) { - array_push(${'peer_'.$acl[0]}, $acl[1]); - } - } - foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { - foreach (explode(";", $uris) as $uri) { - $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . $uri[0]}) : ""); - $config['installedpackages']['squidreverseuri']['config'][] = array( - 'description' => 'migrated', - 'enable' => 'on', - 'name' => $uri[0], - 'uri' => $uri[1], - 'vhost' => $uri[2], - 'peers' => $peer_list - ); - } - } - } - } - - update_output_window("Writing configuration... 
One moment please..."); - write_config(); + // migrate configuration from old versions + squid_upgrade_config(); /* make sure pinger is executable and suid root */ // XXX: Bug #5114 @@ -593,14 +477,14 @@ function squid_install_command() { chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID); } + // another PBI hack + if (SQUID_BASE != '/usr/local' && file_exists('/usr/local/bin/check_ip.php') && !file_exists(SQUID_BASE . '/bin/check_ip.php')) { + symlink("/usr/local/bin/check_ip.php", SQUID_BASE . "/bin/check_ip.php"); + } + // create squid rcfile squid_write_rcfile(); - // XXX: Is it really necessary? mode is set to 0755 in squid.xml - if (file_exists("/usr/local/pkg/swapstate_check.php")) { - @chmod("/usr/local/pkg/swapstate_check.php", 0755); - } - // create squid monitor rcfile write_rcfile(array( "file" => "sqp_monitor.sh", @@ -608,18 +492,8 @@ function squid_install_command() { "stop" => "/bin/ps awux | /usr/bin/grep \"sqpmon\" | /usr/bin/grep -v \"grep\" | /usr/bin/grep -v \"php\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill") ); - // create c-icap rcfile - squid_write_cicap_rcfile(); - - // make a backup of default c-icap config file on install; also see squid_resync_antivirus() function below - if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { - copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); - } - } - - // create clamd rcfile - squid_write_clamd_rcfile(); + // antivirus intergration + squid_antivirus_install_command(); foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) { safe_mkdir($dir, 0755); 
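Review bot: The copy of c-icap.conf.sample to c-icap.conf.default that the removed lines made on first install has no visible replacement, and the removed comment tied that .default copy to squid_resync_antivirus(); squid_antivirus_install_command() later in this diff writes rc scripts, symlinks and directories, so confirm squid_antivirus_install_config_files() takes over that step, otherwise the reset-to-defaults path loses its source file. Also `// antivirus intergration` should read `// antivirus integration`.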
@@ -630,11 +504,8 @@ function squid_install_command() { copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf'); } - // remove unwanted PBI rcfiles + // remove unwanted PBI rc script unlink_if_exists("/usr/local/etc/rc.d/squid"); - unlink_if_exists("/usr/local/etc/rc.d/c-icap"); - unlink_if_exists("/usr/local/etc/rc.d/clamav-clamd"); - unlink_if_exists("/usr/local/etc/rc.d/clamav-freshclam"); } @@ -643,24 +514,16 @@ function squid_deinstall_command() { /* remove cronjobs */ squid_install_cron(false); - squid_install_freshclam_cron(false); /* kill all running services */ update_output_window("Stopping and removing services..."); mwexec('/usr/local/etc/rc.d/sqp_monitor.sh stop'); - if (is_process_running("c-icap")) { - mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); - } - mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); - mwexec("/bin/ps awux | /usr/bin/grep '[f]reshclam' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); mwexec("/bin/ps awux | /usr/bin/grep '[s]quid' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); mwexec("/bin/ps awux | /usr/bin/grep '[d]nsserver' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); mwexec("/bin/ps awux | /usr/bin/grep '[u]nlinkd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + /* delete rc scripts */ unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh'); - unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); - unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); - unlink_if_exists('/usr/local/etc/rc.d/clamd.sh'); /* clean up created directories if 'Keep Settings/Data' is disabled */ if (is_array($config['installedpackages']['squidcache'])) { 
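Review bot: `unlink_if_exists('/usr/local/etc/rc.d/squid.sh')` is dropped from squid_deinstall_command() here although squid.sh is still written by squid_write_rcfile() on install, and the only place on this page where it is deleted again is squid_antivirus_deinstall_command(), which makes removal of Squid's own rc script depend on the antivirus cleanup running. Keep it next to the sqp_monitor.sh line under the new `/* delete rc scripts */` comment: `unlink_if_exists('/usr/local/etc/rc.d/squid.sh');`. squid_deinstall_command() starts and ends outside the hunk.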
@@ -694,8 +557,8 @@ function squid_deinstall_command() { log_error("Will NOT delete Squid log dir '{$logdir}' since it is not located under /var/squid. Delete manually if required."); } } - - $dirs = array("/var/run/c-icap", "/var/log/c-icap", "/var/log/clamav", "/var/run/clamav", "/var/db/clamav", "/var/run/squid", "/var/squid"); + update_output_window("Removing remaining Squid directories ... One moment please..."); + $dirs = array("/var/run/squid", "/var/squid"); foreach ($dirs as $dir) { if (is_dir("{$dir}")) { mwexec("/bin/rm -rf {$dir}"); @@ -703,30 +566,8 @@ function squid_deinstall_command() { } } - /* clean up created PBI symlinks */ - update_output_window("Finishing package cleanup."); - if (SQUID_LOCALBASE != '/usr/local') { - $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); - foreach ($ln_icap as $ln) { - if (is_link("/usr/local/{$ln}")) { - unlink("/usr/local/{$ln}"); - } - } - if (is_link("/usr/local/lib/libicapapi.so.3")) { - unlink("/usr/local/lib/libicapapi.so.3"); - } - } - - /* check if clamav/c_icap is enabled in rc.conf.local */ - if (file_exists("/etc/rc.conf.local")) { - update_output_window("Removing antivirus services from /etc/rc.conf.local..."); - $sample_file = file_get_contents("/etc/rc.conf.local"); - $rcconf_local_m[0] = "@c_icap_enable(.*)\n@"; - $rcconf_local_m[1] = "@clamav_clamd_enable(.*)\n@"; - $rcconf_local_r[0] = ""; - $rcconf_local_r[1] = ""; - file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); - } + // remove antivirus integration features + squid_antivirus_deinstall_command(); update_output_window("Reloading filter..."); filter_configure(); 
@@ -777,6 +618,136 @@ function squid_deinstall_command() { update_output_window("Squid3 has been uninstalled."); } +/* Migrate configuration from god knows which Squid package versions */ +/* None of these ever existed with Squid 3.4 package and this cruft should be most likely just removed */ +function squid_upgrade_config() { + /* migrate existing csv config fields */ + if (is_array($config['installedpackages']['squidauth']['config'])) { + $settingsauth = $config['installedpackages']['squidauth']['config'][0]; + } + if (is_array($config['installedpackages']['squidcache']['config'])) { + $settingscache = $config['installedpackages']['squidcache']['config'][0]; + } + if (is_array($config['installedpackages']['squidnac']['config'])) { + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + } + if (is_array($config['installedpackages']['squid']['config'])) { + $settingsgen = $config['installedpackages']['squid']['config'][0]; + } + + /* migrate auth settings */ + if (!empty($settingsauth['no_auth_hosts']) && strstr($settingsauth['no_auth_hosts'], ",")) { + $settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts']))); + $config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts']; + } + + /* migrate cache settings */ + if (!empty($settingscache['donotcache']) && strstr($settingscache['donotcache'], ",")) { + $settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache']))); + $config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache']; + } + + /* migrate nac settings */ + if (!empty($settingsnac['allowed_subnets']) && strstr($settingsnac['allowed_subnets'], ",")) { + $settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets']))); + $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets']; 
+ } + + if (!empty($settingsnac['banned_hosts']) && strstr($settingsnac['banned_hosts'], ",")) { + $settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts']; + } + + if (!empty($settingsnac['banned_macs']) && strstr($settingsnac['banned_macs'], ",")) { + $settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs']))); + $config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs']; + } + + if (!empty($settingsnac['unrestricted_hosts']) && strstr($settingsnac['unrestricted_hosts'], ",")) { + $settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts']; + } + + if (!empty($settingsnac['unrestricted_macs']) && strstr($settingsnac['unrestricted_macs'], ",")) { + $settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs']))); + $config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs']; + } + + if (!empty($settingsnac['whitelist']) && strstr($settingsnac['whitelist'], ",")) { + $settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist']))); + $config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist']; + } + + if (!empty($settingsnac['blacklist']) && strstr($settingsnac['blacklist'], ",")) { + $settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist']))); + $config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist']; + } + + if (!empty($settingsnac['block_user_agent']) && strstr($settingsnac['block_user_agent'], ",")) { + 
$settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent']))); + $config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent']; + } + + if (!empty($settingsnac['block_reply_mime_type']) && strstr($settingsnac['block_reply_mime_type'], ",")) { + $settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type']))); + $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; + } + + /* migrate reverse settings */ + if (is_array($config['installedpackages']['squidreverse'])) { + $old_reverse_settings = $config['installedpackages']['squidreverse']['config'][0]; + + // settings + if (!is_array($config['installedpackages']['squidreversegeneral'])) { + $config['installedpackages']['squidreversegeneral']['config'][0] = $old_reverse_settings; + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); + } + + // peers + if (!is_array($config['installedpackages']['squidreversepeer'])) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { + foreach (explode(";", $cache_peers) as $cache_peer) { + $config['installedpackages']['squidreversepeer']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $cache_peer[0], + 'port' => $cache_peer[1], + 'protocol' => $cache_peer[2] + ); + } + } + } + + // mappings + if (!is_array($config['installedpackages']['squidreverseuri'])) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { + foreach (explode(";", $acls) as $acl) { + array_push(${'peer_'.$acl[0]}, $acl[1]); + } + } + foreach 
(explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { + foreach (explode(";", $uris) as $uri) { + $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . $uri[0]}) : ""); + $config['installedpackages']['squidreverseuri']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $uri[0], + 'uri' => $uri[1], + 'vhost' => $uri[2], + 'peers' => $peer_list + ); + } + } + } + } + + update_output_window("Writing configuration... One moment please..."); + write_config(); +} + + /* * Squid input validation */ @@ -791,6 +762,11 @@ function squid_validate_general($post, &$input_errors) { $settings = array(); } + // force users to configure cache + if (!is_array($config['installedpackages']['squidcache']['config'])) { + $input_errors[] = 'Please, configure and save \'Local Cache\' settings first.'; + } + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; @@ -1333,8 +1309,11 @@ function squid_resync_cache() { $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); $conf = ''; if (!isset($settings['harddisk_cache_system'])) { - if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) { + if ($g['platform'] == "nanobsd") { $disk_cache_system = 'null'; + } elseif (!is_array($config['installedpackages']['squidcache']['config'])) { + log_error("Squid - 'Local Cache' not configured, disk cache will be disabled."); + log_error("Squid - Please, configure and save 'Local Cache' settings before enabling Squid proxy."); } else { $disk_cache_system = 'ufs'; } -- cgit v1.2.3 From 0b7b038ad2a82751872d3c9c2df9412bcc7c7419 Mon Sep 17 00:00:00 2001 
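Review bot: squid_upgrade_config() never declares `global $config;`, so inside the function `$config` is an undefined local: every `is_array($config[...])` test is false, all migration blocks are skipped, the writes go to a throwaway local array, and write_config() then persists the untouched global configuration. The moved code previously ran inside squid_install_command(), which uses `$g` and so presumably had its globals declared; add `global $config;` as the first statement of the new function. As far as this page shows, squid_antivirus_deinstall_command() in the squid_antivirus.inc hunk at the end has the same omission, reading `$config['installedpackages']['squid']` without a global declaration. `$settingsgen` is assigned and never used and can go.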
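Review bot: The new check reads `$config`, but squid_validate_general()'s opening, including any `global` line, is outside the hunk; confirm `$config` is declared global there, otherwise `is_array()` on an undefined local is always false and the error fires on every save. The message repeats the wording logged from squid_dash_z() and squid_resync_cache() in this same diff, so a shared constant or helper would keep the three in sync.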
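Review bot: In the new `elseif (!is_array($config['installedpackages']['squidcache']['config']))` branch `$disk_cache_system` is never assigned, whereas the replaced condition set it to `'null'` for exactly that case; whatever consumes `$disk_cache_system` after the hunk now sees an undefined variable instead of a disabled disk cache. Add `$disk_cache_system = 'null';` after the two log_error() calls in that branch. squid_resync_cache() starts and ends outside the hunk.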
From: doktornotor Date: Tue, 6 Oct 2015 05:17:58 +0200 Subject: Major rework of antivirus features logic - Users can either maintain raw config files now, or use the GUI options, but not both at the same time. - Added extensive descriptions regarding the config files / config.xml configuration handling - Install/deinstall of AV-related stuff moved here from squid.inc --- config/squid3/34/squid_antivirus.inc | 718 ++++++++++++++++++++++++++--------- 1 file changed, 540 insertions(+), 178 deletions(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index ac78ad44..7a82464a 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -32,8 +32,11 @@ require_once('config.inc'); /* This file is currently only being included in squid.inc and not used separately */ // require_once('squid.inc'); +/* + * Utility functions + */ -/* Only needed for PBI/pfSense <2.3 */ +/* clamav user account hadling (only needed for PBI/pfSense <2.3) */ function squid_check_clamav_user($user) { if (SQUID_BASE == '/usr/local') { return; 
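Review bot: Typo in the added comment: `/* clamav user account hadling (only needed for PBI/pfSense <2.3) */` should read `handling`. squid_check_clamav_user()'s body continues outside the hunk.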
@@ -47,57 +50,7 @@ function squid_check_clamav_user($user) { } } -/* Create /usr/local/etc/rc.d/clamd.sh rcfile */ -function squid_write_clamd_rcfile() { - $squid_base = SQUID_BASE; - $rc = array(); - $rc['file'] = 'clamd.sh'; - $rc['start'] = <<< EOD - -if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ];then - echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" - exit 1 -fi - -{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf" - -EOD; - - $rc['stop'] = <<< EOD - -/usr/bin/killall clamd 2>/dev/null -# Just to be sure... -sleep 5 -if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then - /usr/bin/killall -9 clamd 2>/dev/null -fi - -EOD; - - conf_mount_rw(); - write_rcfile($rc); - conf_mount_ro(); -} - -/* Create /usr/local/etc/rc.d/c-icap.sh rcfile */ -function squid_write_cicap_rcfile() { - $c_icap_rcfile = "c-icap.sh"; - $cicap_libdir = SQUID_LOCALBASE . "/lib"; - $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap"; - $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; - $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; - $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; - conf_mount_rw(); - write_rcfile(array( - "file" => "{$c_icap_rcfile}", - "start" => "{$cicap_start_cmd}", - "stop" => "{$cicap_stop_cmd}" - ) - ); - conf_mount_ro(); -} - -/* ClamAV antivirus definitions updates via cron */ +/* Antivirus definitions updates via cron */ function squid_install_freshclam_cron($should_install) { global $config; 
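Review bot: squid_write_clamd_rcfile() and squid_write_cicap_rcfile() are deleted here, yet squid_antivirus_install_command() added later in this same diff still calls both; unless they are re-added in a part of the file not shown on this page, package install stops with an undefined-function error. Either keep the definitions or point the install function at their replacements.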
@@ -124,13 +77,139 @@ function squid_install_freshclam_cron($should_install) { } } -/* Manually update ClamAV virus definitions (via the GUI button) */ +/* Manually update ClamAV virus definitions via the GUI button */ function squid_update_clamav() { log_error("Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); } -/* Antivirus features configuration */ +/* + * Squid package install/uninstall + */ + +/* Run on Squid package install */ +function squid_antivirus_install_command() { + // antivirus rc scripts + squid_write_cicap_rcfile(); + squid_write_clamd_rcfile(); + + // antivirus config files + squid_antivirus_install_config_files(); + + // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); + foreach ($ln_icap as $ln) { + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { + symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); + } + } + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { + symlink(SQUID_LOCALBASE . 
"/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); + } + + // check dirs + $dirs = array( + "/var/run/c-icap" => "clamav", + "/var/log/c-icap" => "clamav", + "/var/log/clamav" => "clamav", + "/var/run/clamav" => "clamav", + "/var/db/clamav" => "clamav" + ); + foreach ($dirs as $dir_path => $dir_user) { + safe_mkdir($dir_path, 0755); + squid_chown_recursive($dir_path, $dir_user, "wheel"); + } + + // remove unwanted PBI rc scripts + unlink_if_exists("/usr/local/etc/rc.d/c-icap"); + unlink_if_exists("/usr/local/etc/rc.d/clamav-clamd"); + unlink_if_exists("/usr/local/etc/rc.d/clamav-freshclam"); +} + +/* Run on Squid package uninstall */ +function squid_antivirus_deinstall_command() { + /* kill all running services */ + if (is_process_running("c-icap")) { + mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + } + mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep '[f]reshclam' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + + /* remove cronjobs */ + squid_install_freshclam_cron(false); + + /* delete rc scripts */ + unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); + unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); + unlink_if_exists('/usr/local/etc/rc.d/clamd.sh'); + + /* clean up created PBI symlinks */ + update_output_window("Finishing package cleanup."); + if (SQUID_LOCALBASE != '/usr/local') { + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); + foreach ($ln_icap as $ln) { + if (is_link("/usr/local/{$ln}")) { + unlink("/usr/local/{$ln}"); + } + } + if (is_link("/usr/local/lib/libicapapi.so.3")) { + unlink("/usr/local/lib/libicapapi.so.3"); + } + } + + /* clean up created directories if 'Keep Settings/Data' is disabled */ + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = 
$config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $keep = ($squidsettings['keep_squid_data'] ? true : false); + + if (!$keep) { + update_output_window("Removing antivirus definitions and logs ... One moment please..."); + $dirs = array("/var/run/c-icap", "/var/log/c-icap", "/var/log/clamav", "/var/run/clamav", "/var/db/clamav"); + foreach ($dirs as $dir) { + if (is_dir("{$dir}")) { + mwexec("/bin/rm -rf {$dir}"); + } + } + } + + /* check if clamav/c_icap is enabled in rc.conf.local */ + // XXX: This hasn't been used since 0.3.7; to be removed in future + if (file_exists("/etc/rc.conf.local")) { + update_output_window("Removing antivirus services from /etc/rc.conf.local..."); + $sample_file = file_get_contents("/etc/rc.conf.local"); + $rcconf_local_m[0] = "@c_icap_enable(.*)\n@"; + $rcconf_local_m[1] = "@clamav_clamd_enable(.*)\n@"; + $rcconf_local_r[0] = ""; + $rcconf_local_r[1] = ""; + file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); + } +} + +/* + * Antivirus features configuration + * + * .conf is the actual configuration file used for services. + * .conf.pfsense is a template file patched for pfSense; should be never altered beyond initial install. + * .conf.{sample,default} are templates distributed directly with PBI/package; + * If .conf.default does not exist, a backup copy is made from another distributed files before patching it for pfSense. + * + * Configuration via the GUI options: + * .conf is always (re)generated from the .conf.pfsense on package resync, + * with additional patches depending on the GUI configuration options configured by user. + * Directly editing files via 'Advanced Features' is disabled in the GUI. + * + * Manual Configuration + * When the user enables 'Manual Configuration' for the first time, the config.xml settings are + * serialized from .conf.pfsense template patched for pfSense. 
After this initial configuration, + * .conf is always (re)generated from config.xml as long as 'Manual Configuration' is enabled in settings. + * In this case, any additional configuration made in the Antivirus GUI outside of 'Advanced Features' + * is unset on saving settings; after that, those options are disabled in the GUI and have no effect any more. + */ + +/* Proxy Server: Antivirus configuration handler */ function squid_resync_antivirus() { global $config; @@ -140,6 +219,7 @@ function squid_resync_antivirus() { $antivirus_config = array(); } + // squid.conf antivirus integration if (squid_enabled() && ($antivirus_config['enable'] == "on")) { switch ($antivirus_config['client_info']) { case "both": 
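Review bot: squid_antivirus_deinstall_command() reads `$config['installedpackages']['squid']` without declaring `global $config;`, so inside the function `$config` is undefined, `$keep` is always false, and the `/bin/rm -rf` loop removes /var/db/clamav and the c-icap/clamav log and run directories even when 'Keep Settings/Data' is enabled. Add `global $config;` as the first statement of the function, as squid_install_freshclam_cron() in the same file does. The identical lookup in squid_resync_antivirus() is preceded by the global declaration, so only the deinstall path is affected as far as the visible lines show.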
@@ -179,146 +259,412 @@ EOF; // check clamav user squid_check_clamav_user('clamav'); - // patch sample files to pfsense dirs - // squidclamav.conf - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default"); - $clamav_m[0] = "@/var/run/clamav/clamd.ctl@"; - $clamav_m[1] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; - $clamav_r[0] = "/var/run/clamav/clamd.sock"; - $clamav_r[1] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; - if ($antivirus_config['clamav_safebrowsing'] == "on") { - $clamav_m[2] = "@safebrowsing\s0@"; - $clamav_r[2] = "safebrowsing 1"; - } else { - $clamav_m[2] = "@safebrowsing\s1@"; - $clamav_r[2] = "safebrowsing 0"; + + if ($antivirus_config['enable_advanced'] == "enabled") { + // User is managing raw configuration, so we unset the configuration options set via GUI + squid_antivirus_toggle_raw_config(true); + // Generate the raw configuration if missing + $rawopts = array("raw_squidclamav_conf", "raw_cicap_conf", "raw_cicap_magic", "raw_freshclam_conf", "raw_clamd_conf"); + foreach ($rawopts as $rawopt) { + if ($antivirus_config[$rawopt] == "") { + squid_antivirus_get_raw_config(); + } } - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); - } - // c-icap.conf - // make a backup of default c-icap.conf.sample first - // unlike with other config files, the file distributed in package is called c-icap.conf.sample, not c-icap.conf.default - if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); - } - if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . 
"/etc/c-icap/c-icap.conf.default"); - if (!preg_match("/squid_clamav/", $sample_file)) { - $sample_file .= "\nService squid_clamav squidclamav.so\n"; + // Create configuration files + squid_antivirus_put_raw_config($config['installedpackages']['squidantivirus']['config'][0]); + } else { + // unset raw configuration options + squid_antivirus_toggle_raw_config(false); + + // patch sample files to pfsense dirs + // squidclamav.conf + $cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf"; + if (file_exists("{$cf}.pfsense")) { + $sample_file = file_get_contents("{$cf}.pfsense"); + if ($antivirus_config['clamav_safebrowsing'] == "on") { + $squidclamav_m[0] = "@safebrowsing\s0@"; + $squidclamav_r[0] = "safebrowsing 1"; + } + if ($antivirus_config['clamav_url'] != "") { + $squidclamav_m[1] = "@redirect http@"; + $squidclamav_r[1] = "{$antivirus_config['clamav_url']}"; + } + file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - template not found; could not generate {$cf} file!"); } - $cicap_m[0] = "@Manager:Apassword\S+@"; - $cicap_r[0] = ""; - // XXX: Bug #4615 - if (is_array($config['installedpackages']['squid'])) { - $squidsettings = $config['installedpackages']['squid']['config'][0]; + + // c-icap.conf + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + if (file_exists("{$cf}.pfsense")) { + $sample_file = file_get_contents("{$cf}.pfsense"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; + } + // XXX: Bug #4615 + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + $logdir = ($squidsettings['log_dir'] ? 
$squidsettings['log_dir'] : '/var/squid/logs'); + $cicap_m[0] = "@DebugLevel\s1@"; + $cicap_r[0] = "DebugLevel 0"; + $cicap_m[1] = "@AccessLog /var/squid/logs/c-icap-access.log@"; + $cicap_r[1] = "AccessLog {$logdir}/c-icap-access.log"; + $cicap_m[2] = "@ServerLog /var/squid/logs/c-icap-server.log@"; + $cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log"; + file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); } else { - $squidsettings = array(); + log_error("Squid - template not found; could not generate {$cf} file!"); } - $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs'); - $cicap_m[1] = "@DebugLevel\s1@"; - $cicap_r[1] = "DebugLevel 0"; - $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; - $cicap_r[2] = "AccessLog $logdir/c-icap-access.log"; - $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; - $cicap_r[3] = "ServerLog $logdir/c-icap-server.log"; - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); - } - // freshclam.conf - // make a backup of default freshclam.conf.sample first - if (!file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { - copy(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", SQUID_LOCALBASE . "/etc/freshclam.conf.default"); - } - if (file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) { - $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.default"); - $freshclam_m[0] = "@#Example@"; - $freshclam_r[0] = ""; - $clamav_mirrors = ""; - if ($antivirus_config['clamav_dbregion'] != "") { - $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; + + // c-icap.magic + // just make a copy of pfSense template, nothing configurable via GUI options here + $cf = SQUID_LOCALBASE . 
"/etc/c-icap/c-icap.magic"; + if (file_exists("{$cf}.pfsense")) { + copy("{$cf}.pfsense", "{$cf}"); + } else { + log_error("Squid - template not found; could not generate {$cf} file!"); } - if ($antivirus_config['clamav_dbservers'] != "") { - foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { - $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; + + // freshclam.conf + $cf = SQUID_LOCALBASE . "/etc/freshclam.conf"; + if (file_exists("{$cf}.pfsense")) { + $sample_file = file_get_contents("{$cf}.pfsense"); + $clamav_mirrors = ""; + if ($antivirus_config['clamav_dbregion'] != "") { + $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; } + if ($antivirus_config['clamav_dbservers'] != "") { + foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) { + $clamav_mirrors .= "DatabaseMirror {$dbserver}\n"; + } + } + if ($clamav_mirrors != "") { + $freshclam_m[0] = "@#DatabaseMirror db.XY.clamav.net@"; + $freshclam_r[0] = "{$clamav_mirrors}"; + } + if ($antivirus_config['clamav_safebrowsing'] == "on") { + $freshclam_m[1] = "@#SafeBrowsing yes@"; + $freshclam_r[1] = "SafeBrowsing yes"; + } + file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - template not found; could not generate {$cf} file!"); } - if ($clamav_mirrors != "") { - $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; - $freshclam_r[1] = "{$clamav_mirrors}"; - } - if ($antivirus_config['clamav_safebrowsing'] == "on") { - $freshclam_m[2] = "@#SafeBrowsing yes@"; - $freshclam_r[2] = "SafeBrowsing yes"; + + // clamd.conf + // just make a copy of pfSense template, nothing configurable via GUI options here + $cf = SQUID_LOCALBASE . 
"/etc/clamd.conf"; + if (file_exists("{$cf}.pfsense")) { + copy("{$cf}.pfsense", "{$cf}"); } else { - if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file))) { - $freshclam_m[2] = "@SafeBrowsing yes@"; - $freshclam_r[2] = "#SafeBrowsing yes"; - } + log_error("Squid - template not found; could not generate {$cf} file!"); } - file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + unset($cf); } + // freshclam cronjob squid_install_freshclam_cron(true); - // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) - $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); - foreach ($ln_icap as $ln) { - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { - symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); - } - } - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { - symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); - } + } + // this will (re)start or stop/disable services as needed + // depending on whether Squid proxy and/or antivirus features are enabled + squid_restart_antivirus(); - $loadsample = 0; - if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.sample"))); - $loadsample++; + return $conf; +} + +/* Patch paths and settings in configuration files template for pfSense-specific values on install */ +function squid_antivirus_install_config_files() { + global $config; + if (is_array($config['installedpackages']['squid'])) { + $squidsettings = $config['installedpackages']['squid']['config'][0]; + } else { + $squidsettings = array(); + } + // squidclamav.conf + // there is no squidclamav.conf.sample packaged, use squidclamav.conf if really needed + $cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + $squidclamav_m[0] = "@# SquidClamav default configuration file@"; + $squidclamav_r[0] = "#This file was automatically generated by pfSense"; + $squidclamav_m[1] = "@/var/run/clamav/clamd.ctl@"; + $squidclamav_r[1] = "/var/run/clamav/clamd.sock"; + $squidclamav_m[2] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; + $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; + file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + + // c-icap.conf + // there is no c-icap.conf.sample packaged, use c-icap.conf if really needed + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; } - if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . 
"/etc/c-icap/c-icap.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample"))); - $loadsample++; + $cicap_m[0] = "@# This file contains the default settings for c-icap@"; + $cicap_r[0] = "#This file was automatically generated by pfSense"; + $cicap_m[1] = "@DebugLevel\s1@"; + $cicap_r[1] = "DebugLevel 0"; + $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; + $cicap_r[2] = "AccessLog /var/squid/logs/c-icap-access.log"; + $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; + $cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log"; + file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + + // c-icap.magic + // just make a backup and pfSense template copies of default c-icap.magic, we are not patching anything here + $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}.sample", "{$cf}.default"); + } + if (!file_exists("{$cf}.pfsense")) { + copy("{$cf}.sample", "{$cf}.pfsense"); + } + + // clamd.conf + // make a backup of default clamd.conf.sample first + $cf = SQUID_LOCALBASE . 
"/etc/clamd.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}.sample", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + $clamd_m[0] = "@## Example config file for the Clam AV daemon@"; + $clamd_r[0] = "#This file was automatically generated by pfSense"; + $clamd_m[1] = "@# Comment or remove the line below.@"; + $clamd_r[1] = ""; + $clamd_m[2] = "@#Example@"; + $clamd_r[2] = ""; + file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + + // freshclam.conf + // make a backup of default freshclam.conf.sample first + $cf = SQUID_LOCALBASE . "/etc/freshclam.conf"; + if (!file_exists("{$cf}.default")) { + copy("{$cf}.sample", "{$cf}.default"); + } + if (file_exists("{$cf}.default")) { + $sample_file = file_get_contents("{$cf}.default"); + $freshclam_m[0] = "@## Example config file for freshclam@"; + $freshclam_r[0] = "#This file was automatically generated by pfSense"; + $freshclam_m[1] = "@# Comment or remove the line below.@"; + $freshclam_r[1] = ""; + $freshclam_m[2] = "@#Example@"; + $freshclam_r[2] = ""; + file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + } else { + log_error("Squid - could not patch {$cf} template file!"); + } + unset($cf); +} + +/* Get the raw pfSense template files for manual configuration and serialize them to config.xml */ +function squid_antivirus_get_raw_config() { + global $config; + $loaded = false; + $rawfiles = array("squidclamav.conf", "c-icap.conf", "c-icap.magic", "freshclam.conf", "clamd.conf"); + + foreach ($rawfiles as $rawfile) { + switch ($rawfile) { + case 'squidclamav.conf': + $confdir = "/c-icap"; + $confopt = "raw_squidclamav_conf"; + break; + case 'c-icap.conf': + $confdir = "/c-icap"; + $confopt = "raw_cicap_conf"; + break; + case 'c-icap.magic': + $confdir = "/c-icap"; + $confopt = 
"raw_cicap_magic"; + break; + case 'freshclam.conf': + $confdir = ""; + $confopt = "raw_freshclam_conf"; + break; + case 'clamd.conf': + $confdir = ""; + $confopt = "raw_clamd_conf"; + break; + default: + $confdir = ""; + $confopt = ""; + break; } - if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample"))); - $loadsample++; + // get the config from the files if not set (yet) in config.xml + if ($confopt) { + $conffile = SQUID_LOCALBASE . "/etc" . "{$confdir}" . "/{$rawfile}.pfsense"; + if (file_exists($conffile)) { + if ($config['installedpackages']['squidantivirus']['config'][0][$confopt] == "") { + $config['installedpackages']['squidantivirus']['config'][0][$confopt] = base64_encode(str_replace("\r", "", file_get_contents("{$conffile}"))); + log_error("Squid - Successfully loaded {$conffile} configuration file"); + $loaded = true; + } + // Just a fallback attempt if people do things in weird order on a completely fresh install perhaps; should not be ever needed + } else { + squid_antivirus_install_config_files(); + if (file_exists($conffile)) { + $config['installedpackages']['squidantivirus']['config'][0][$confopt] = base64_encode(str_replace("\r", "", file_get_contents("{$conffile}"))); + log_error("Squid - Successfully loaded {$conffile} configuration file"); + $loaded = true; + } else { + log_error("Squid - '{$conffile}' template does not exist; could not load advanced {$rawfile} configuration!"); + } + } } - if ($antivirus_config['freshclam_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . 
"/etc/freshclam.conf.sample"))); - $loadsample++; + } + if ($loaded) { + write_config("Squid - Loaded raw configuration files", false); + log_error("Squid - Successfully loaded raw configuration files"); + } +} + +/* Toggle the raw config state */ +function squid_antivirus_toggle_raw_config($state) { + global $config; + if ($state) { + // manual configuration enabled + $opts = array("clamav_url", "clamav_safebrowsing", "clamav_update", "clamav_dbregion", "clamav_dbservers"); + foreach ($opts as $opt) { + if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { + unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); + log_error("Squid - Loaded {$opt} raw configuration file..."); + } } - if ($loadsample > 0) { - write_config(); - $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + log_error("Squid - Loading raw configuration files..."); + squid_antivirus_get_raw_config(); + } else { + // manual configuration disabled + $opts = array("raw_squidclamav_conf", "raw_cicap_conf", "raw_cicap_magic", "raw_freshclam_conf", "raw_clamd_conf"); + foreach ($opts as $opt) { + if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { + unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); + log_error("Squid - Unloaded {$opt} raw configuration file..."); + } } - // check dirs - $dirs = array( - "/var/run/c-icap" => "clamav", - "/var/log/c-icap" => "clamav", - "/var/log/clamav" => "clamav", - "/var/run/clamav" => "clamav", - "/var/db/clamav" => "clamav" - ); - foreach ($dirs as $dir_path => $dir_user) { - safe_mkdir($dir_path, 0755); - squid_chown_recursive($dir_path, $dir_user, "wheel"); + $config['installedpackages']['squidantivirus']['config'][0]['enable_advanced'] = "disabled"; + } +} + +/* Write the raw config files to disk from config.xml configuration */ +function squid_antivirus_put_raw_config($rawfiles) { + if (is_array($rawfiles)) { + foreach ($rawfiles as 
$rawfile => $rawconfig) { + switch ($rawfile) { + case 'raw_squidclamav_conf': + $confdir = "/c-icap"; + $conffile = "/squidclamav.conf"; + break; + case 'raw_cicap_conf': + $confdir = "/c-icap"; + $conffile = "/c-icap.conf"; + break; + case 'raw_cicap_magic': + $confdir = "/c-icap"; + $conffile = "/c-icap.magic"; + break; + case 'raw_freshclam_conf': + $confdir = ""; + $conffile = "freshclam.conf"; + break; + case 'raw_clamd_conf': + $confdir = ""; + $conffile = "clamd.conf"; + break; + default: + $confdir = ""; + $conffile = ""; + break; + } + if ($conffile && $rawconfig) { + squid_antivirus_write_conffile($confdir, $conffile, $rawconfig); + } } + } +} - // write advanced clamav/icap config files - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); - file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf", base64_decode($antivirus_config['freshclam_conf']), LOCK_EX); +/* Helper function for squid_antivirus_put_raw_config() */ +function squid_antivirus_write_conffile($dir, $file, $text) { + if ($file && $text) { + file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", base64_decode(preg_replace('/\r\n/', '\n', $text), LOCK_EX)); + log_error("Squid - Saved {$file} configuration file."); } - // this will (re)start or stop/disable services as needed - // depending on whether Squid proxy and/or antivirus features are enabled - squid_restart_antivirus(); +} - return $conf; +/* + * rc scripts and services + */ + +/* Create clamd.sh rc script */ +function squid_write_clamd_rcfile() { + $squid_base = SQUID_BASE; + $rc = array(); + $rc['file'] = 'clamd.sh'; + $rc['start'] = <<< EOD + +if [ ! -f /var/db/clamav/main.cvd -a ! 
-f /var/db/clamav/main.cld ]; then + echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" + exit 1 +fi + +{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf" + +EOD; + + $rc['stop'] = <<< EOD + +/usr/bin/killall clamd 2>/dev/null +# Just to be sure... +sleep 5 +if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then + /usr/bin/killall -9 clamd 2>/dev/null +fi + +EOD; + + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); } -/* Antivirus services handling */ +/* Create c-icap.sh rc script */ +function squid_write_cicap_rcfile() { + $c_icap_rcfile = "c-icap.sh"; + $cicap_libdir = SQUID_LOCALBASE . "/lib"; + $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap"; + $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"; + $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; + $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; + conf_mount_rw(); + write_rcfile(array( + "file" => "{$c_icap_rcfile}", + "start" => "{$cicap_start_cmd}", + "stop" => "{$cicap_stop_cmd}" + ) + ); + conf_mount_ro(); +} + +/* (Re)start antivirus services if AV features are enabled; otherwise stop and disable them */ function squid_restart_antivirus() { global $config; if (is_array($config['installedpackages']['squidantivirus'])) { 
@@ -392,32 +738,42 @@ function squid_restart_antivirus() { } } -/* Input validation */ +/* + * Input validation + */ + +/* Proxy server: Antivirus input validation */ +/* Also handles manual AV updates and switching 'Manual Configuration' on/off */ function squid_validate_antivirus($post, &$input_errors) { global $config; + if (is_array($config['installedpackages']['squidantivirus'])) { + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } else { + $antivirus_config = array(); + } /* Manual ClamAV database update */ - if ($post['submit'] == 'Update AV') { + if ($post['update_av'] == 'Update AV') { squid_update_clamav(); return; } - if ($post['enable'] != "on") { + /* Load the raw config files if manual configuration is enabled */ + if ($post['load_advanced'] == 'Load Advanced') { + $config['installedpackages']['squidantivirus']['config'][0]['enable_advanced'] = "enabled"; + squid_antivirus_toggle_raw_config(true); return; } - if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) { + if ($post['raw_squidclamav_conf'] && preg_match("/(\S+proxy.domain\S+)/", $post['raw_squidclamav_conf'], $a_match)) { $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})"; $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host."; } - if ($post['c-icap_conf']) { - if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) { + if ($post['raw_cicap_conf']) { + if (!preg_match("/squid_clamav/", $post['raw_cicap_conf'])) { $input_errors[] = "c-icap Squidclamav service definition is not present."; $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; } - if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) { - $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; - } } if 
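Review bot: In the GUI branch of squid_resync_antivirus(), `$squidclamav_m`/`$squidclamav_r` are assigned only when Safe Browsing or a redirect URL is set, and `$freshclam_m`/`$freshclam_r` only when mirrors or Safe Browsing are set; with the default settings none of them exists, so `preg_replace()` receives a null pattern, which as far as I can tell raises an empty-regex warning and returns null, and `file_put_contents()` then writes an empty squidclamav.conf / freshclam.conf. Initialise each pair before the conditionals, `$squidclamav_m = array(); $squidclamav_r = array();` and `$freshclam_m = array(); $freshclam_r = array();`, so an empty pattern list leaves the template untouched. Separately, the redirect substitution `@redirect http@` → `{$antivirus_config['clamav_url']}` replaces only the literal `redirect http` prefix of the template line, leaving the rest of the default pfSense URL appended to the user's URL; match the whole directive instead, `$squidclamav_m[1] = "@^redirect\s.*$@m"; $squidclamav_r[1] = "redirect {$antivirus_config['clamav_url']}";`. Because the URL is used as a preg_replace replacement string, `$n` and `\n` sequences in it would be interpreted as backreferences, so escape `\` and `$` in the value (or substitute the matched line with str_replace) before writing. squid_resync_antivirus() starts outside this hunk.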
($post['clamav_dbservers']) { @@ -428,6 +784,12 @@ function squid_validate_antivirus($post, &$input_errors) { } } } + + if ($post['clamav_url']) { + if (!filter_var($post['clamav_url'], FILTER_VALIDATE_URL)) { + $input_errors[] = "'Redirect URL' is not a valid URL."; + } + } } ?> -- cgit v1.2.3 From 3fdfc319f7136be9cbd337c185a110ec620a99e4 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 05:23:49 +0200 Subject: Major rework of antivirus features logic Users can either maintain raw config files manually now, or use the GUI options, but not both at the same time. There are some JS hacks in squid_js.inc.php to toggle various GUI options and features depending on whether raw config is being used or now, None of the previous configuration junk is migrated since it was just badly broken. --- config/squid3/34/squid_antivirus.xml | 116 +++++++++++++++++++++++++---------- 1 file changed, 83 insertions(+), 33 deletions(-) diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 94c788a0..e7d046f0 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml @@ -42,7 +42,7 @@ ]]> squidantivirus - 0.3.8 + 0.3.9 Proxy server: Antivirus /usr/local/pkg/squid.inc @@ -88,6 +88,7 @@ /pkg_edit.php?xml=squid_sync.xml + enabled ClamAV Anti-Virus Integration Using C-ICAP @@ -99,15 +100,33 @@ Enable Squid antivirus check using ClamAV. checkbox - - Client Forward Options - client_info + Redirect URL + clamav_url + Leave empty to use the default Squid/pfSense WebGUI URL.
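Review bot: `$antivirus_config` is built at the top of squid_validate_antivirus() but is not referenced anywhere in the visible hunks, so the lookup is dead code and should be dropped or put to use. Also, the 'Load Advanced' branch flips `enable_advanced` and calls squid_antivirus_toggle_raw_config(true) from inside the validation hook and then returns before any posted field is validated; whether the switch is persisted depends on the caller writing config afterwards, which is not visible here. The function continues in the next hunk.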
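Review bot: The new `clamav_url` check accepts any scheme FILTER_VALIDATE_URL allows, while the value is written verbatim into the squidclamav.conf `redirect` directive that users are sent to on a detection; restricting it to http/https keeps non-web URLs out of the generated config, e.g. `if (!filter_var($post['clamav_url'], FILTER_VALIDATE_URL) || !preg_match('@^https?://@i', $post['clamav_url'])) {`. FILTER_VALIDATE_URL does reject embedded whitespace and newlines, so line injection into the config file is already prevented as far as I can tell.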
+ Example: http://proxy.example.com/blocked.html ]]>
- select - both - - - - - - + input + 60 +
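Review bot: This hunk drops the `client_info` ('Client Forward Options') select, but squid_resync_antivirus() in squid_antivirus.inc still switches on `$antivirus_config['client_info']` (visible as context in that file's hunk in the preceding commit), so behaviour now depends on a value that can no longer be set from the GUI and that lingers in config.xml on existing installs. Either keep the select, or have the upgrade hook unset `client_info` along with the other removed keys and make the switch's default branch explicit. The XML tags in this hunk appear to have been stripped by rendering, so the exact field layout is inferred.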
Google Safe Browsing @@ -156,7 +171,7 @@ Select the desired frequency here.

- + Click the button to update AV databases now.
Note: This will take a while. Check /var/log/clamav/freshclam.log for progress information. ]]> @@ -215,64 +230,99 @@ input 60 - 5 -
- - Advanced Options - listtopic squidclamav.conf - squidclamav - squidclamav.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + raw_squidclamav_conf + squidclamav.conf file. Edit only if you know what are you doing. textarea base64 85 15 + c-icap.conf - c-icap_conf - c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + raw_cicap_conf + c-icap.conf file. Edit only if you know what are you doing. textarea base64 85 15 + c-icap.magic - c-icap_magic - c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + raw_cicap_magic + c-icap.conf file. Edit only if you know what are you doing. textarea base64 85 15 + freshclam.conf - freshclam_conf - freshclam.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + raw_freshclam_conf + freshclam.conf file. Edit only if you know what are you doing. + textarea + base64 + 85 + 15 + + + + clamd.conf + raw_clamd_conf + clamd.conf file. Edit only if you know what are you doing. textarea base64 85 15 +
- squid_validate_antivirus($_POST, $input_errors); + -- cgit v1.2.3 From a4d06b9550c7bd35d72c54a5095f97f3b609fd5c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 05:24:43 +0200 Subject: Bump version and nuke useless cruft --- config/squid3/34/squid.xml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index ae388e3c..ccaca843 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -42,7 +42,7 @@ ]]> squid - 0.3.8.1 + 0.3.9 Proxy Server: General Settings /usr/local/pkg/squid.inc @@ -751,13 +751,7 @@ squid_resync(); - squid_deinstall_command(); -- cgit v1.2.3 From 2053fcee561086ec79bb3a45e1ffba964e4b62da Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 06:21:45 +0200 Subject: Fix CRLF --- config/squid3/34/squid_antivirus.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 7a82464a..8bf717e5 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -605,7 +605,7 @@ function squid_antivirus_put_raw_config($rawfiles) { /* Helper function for squid_antivirus_put_raw_config() */ function squid_antivirus_write_conffile($dir, $file, $text) { if ($file && $text) { - file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", base64_decode(preg_replace('/\r\n/', '\n', $text), LOCK_EX)); + file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX); log_error("Squid - Saved {$file} configuration file."); } } -- cgit v1.2.3 From ec56ea65a4933ff30afb249e116e8a5d54f85cd5 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 06:26:36 +0200 Subject: Bump squid3 package version --- pkg_config.10.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
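Review bot: The corrected `file_put_contents()` call in squid_antivirus_write_conffile() still ignores its return value, so `"Saved {$file} configuration file."` is logged even when the write fails (read-only filesystem, bad path, permissions), which hides the very failure an operator would need to see. Capture the result and log the failure instead: `$written = file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX);` then `if ($written === false) { log_error("Squid - Could not save {$file} configuration file!"); return; }` before the existing success log. `str_replace("\r\n", "\n", ...)` would do the same normalisation without PCRE's null-on-error return. The same applies to the later hunk on this function in the log-prefix commit further down (`@@ -606,7 +609,7 @@`).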
diff --git a/pkg_config.10.xml b/pkg_config.10.xml index efbdaf2a..72150b17 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -1052,7 +1052,7 @@ https://forum.pfsense.org/index.php/topic,48347.0.html http://www.squid-cache.org/ Network - 0.3.8.1 + 0.3.9 beta 2.2 marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org -- cgit v1.2.3 From 36da794e0717db9d34483253ec7f7c9031816373 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 06:49:18 +0200 Subject: unset broken antivirus settings on upgrade --- config/squid3/34/squid.inc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index bb1e46ec..1c4194b9 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -742,6 +742,14 @@ function squid_upgrade_config() { } } } + + /* unset broken antivirus settings */ + if (is_array($config['installedpackages']['squidantivirus'])) { + unset($config['installedpackages']['squidantivirus']['config'][0]['squidclamav']); + unset($config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']); + unset($config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']); + unset($config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf']); + } update_output_window("Writing configuration... One moment please..."); write_config(); -- cgit v1.2.3 From 70ba77d3d0c13a9cb3bcf57a3439153dbe0b5bf0 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 11:23:16 +0200 Subject: Clean up and prefix log messages. --- config/squid3/34/squid.inc | 64 +++++++++++++++++++++++----------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 1c4194b9..15854317 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -109,7 +109,7 @@ function squid_is_valid_acl($acl) { /* Recursively change ownership of directories */ function squid_chown_recursive($dir, $user, $group) { if (empty($dir) || ($dir == '/') || ($dir == '/usr/local') || !is_dir($dir)) { - log_error(gettext("Squid attempted to chown an invalid directory: {$dir}")); + log_error(gettext("[squid] Attempted to chown an invalid directory: '{$dir}'")); return; } @@ -130,7 +130,7 @@ function squid_chown_recursive($dir, $user, $group) { } } } else { - log_error(gettext("Squid squid_chown_recursive call failed; permissions not set for directory: {$dir}")); + log_error(gettext("[squid] squid_chown_recursive() call failed; permissions not set for directory: '{$dir}'")); } } @@ -188,7 +188,7 @@ function squid_check_ca_hashes() { if ($cert_count < 10) { conf_mount_rw(); // create ca-root hashes from ca-root-nss package - log_error("Creating root certificate bundle hashes from the Mozilla Project"); + log_error("[squid] Creating root certificate bundle hashes from the Mozilla Project..."); $cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt'); $cert = 0; foreach ($cas as $ca) { @@ -220,8 +220,8 @@ function squid_dash_z($cache_action = 'none') { // We need cache configured after initial package install if (!is_array($config['installedpackages']['squidcache']['config'])) { - log_error("Squid - 'Local Cache' not configured, disk cache will be disabled."); - log_error("Squid - Please, configure and save 'Local Cache' settings before enabling Squid proxy."); + log_error("[squid] 'Local Cache' not configured, disk cache will be disabled."); + log_error("[squid] Please, configure and save 'Local Cache' settings before enabling Squid proxy."); return; } 
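Review bot: Both `gettext()` calls rewritten in the first two hunks here (`@@ -109` and `@@ -130` in squid_chown_recursive()) interpolate `{$dir}` before gettext sees the string, so the lookup key contains the runtime path and can never match a catalog entry; the translation is dead code. Either pass a fixed format string and substitute afterwards, `log_error(sprintf(gettext("[squid] Attempted to chown an invalid directory: '%s'"), $dir));` and `log_error(sprintf(gettext("[squid] squid_chown_recursive() call failed; permissions not set for directory: '%s'"), $dir));`, or drop `gettext()` to match the plain `log_error("[squid] ...")` style used by every other hunk in this commit.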
@@ -243,7 +243,7 @@ function squid_dash_z($cache_action = 'none') { if ($cachesettings['harddisk_cache_system'] == "null") { if (is_dir($cachedir)) { if (substr($cachedir, 0, 11) === "/var/squid/") { - log_error("Deleting Squid cache dir {$cachedir} since 'Hard Disk Cache System' is set to null."); + log_error("[squid] Deleting cache dir '{$cachedir}' since 'Hard Disk Cache System' is set to null..."); // cannot nuke disk cache while Squid is running squid_stop_monitor(); if (is_service_running('squid')) { @@ -253,8 +253,8 @@ function squid_dash_z($cache_action = 'none') { mwexec_bg("/bin/rm -rf {$cachedir}.old"); squid_restart_services(); } else { - log_error("'Hard Disk Cache System' is set to null."); - log_error("Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); + log_error("[squid] 'Hard Disk Cache System' is set to null."); + log_error("[squid] Will NOT delete cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); } } return; @@ -273,7 +273,7 @@ function squid_dash_z($cache_action = 'none') { @rename($cachedir, "{$cachedir}.old"); mwexec_bg("/bin/rm -rf {$cachedir}.old"); } else { - log_error("Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); + log_error("[squid] Will NOT delete cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); } } squid_create_cachedir(); 
@@ -292,14 +292,14 @@ function squid_create_cachedir() { $cachedir = ($cachesettings['harddisk_cache_location'] ? $cachesettings['harddisk_cache_location'] : '/var/squid/cache'); if (!is_dir($cachedir)) { - log_error("Creating Squid cache dir {$cachedir}"); + log_error("[squid] Creating cache dir '{$cachedir}' ..."); safe_mkdir($cachedir, 0755); @chown($cachedir, SQUID_UID); @chgrp($cachedir, SQUID_GID); } if (!is_dir($cachedir . '/00')) { - log_error("Creating Squid cache subdirs in $cachedir"); + log_error("[squid] Creating Squid cache subdirs in {$cachedir} ..."); mwexec(SQUID_BASE. "/sbin/squid -z -f " . SQUID_CONFFILE); // Double check permissions here, should be safe to recurse cache dir if it's small here. squid_chown_recursive($cachedir, SQUID_UID, SQUID_GID); @@ -391,12 +391,12 @@ EOD; function squid_start_monitor() { if (squid_enabled()) { if (!exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { - log_error("Starting a proxy monitor script"); + log_error("[squid] Starting a proxy monitor script"); mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); } sleep(1); } else { - log_error("Squid is disabled. Not starting a proxy monitor script"); + log_error("[squid] Squid is disabled. Not starting a proxy monitor script"); } } @@ -404,7 +404,7 @@ function squid_start_monitor() { function squid_stop_monitor() { /* kill any running proxy alarm scripts */ if (exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { - log_error("Stopping any running proxy monitors"); + log_error("[squid] Stopping any running proxy monitors"); mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); } sleep(1); 
@@ -424,10 +424,10 @@ function squid_restart_services() { squid_stop_monitor(); if (!is_service_running('squid')) { - log_error("Starting Squid"); + log_error("[squid] Starting service..."); mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); } else { - log_error("Reloading Squid for configuration sync"); + log_error("[squid] Reloading for configuration sync..."); mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } // sleep for a couple seconds to give squid a chance to fire up fully. @@ -443,7 +443,7 @@ function squid_restart_services() { /* Squid is disabled - kill any running proxy alarm scripts and stop Squid services */ squid_stop_monitor(); if (is_service_running('squid')) { - log_error("Stopping Squid"); + log_error("[squid] Stopping service..."); stop_service("squid"); } } @@ -547,14 +547,14 @@ function squid_deinstall_command() { if (substr($cachedir, 0, 11) === "/var/squid/") { mwexec_bg("/bin/rm -rf {$cachedir}"); } else { - log_error("Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); + log_error("[squid] Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); } } if (is_dir("{$logdir}")) { if (substr($logdir, 0, 11) === "/var/squid/") { mwexec("/bin/rm -rf {$logdir}"); } else { - log_error("Will NOT delete Squid log dir '{$logdir}' since it is not located under /var/squid. Delete manually if required."); + log_error("[squid] Will NOT delete Squid log dir '{$logdir}' since it is not located under /var/squid. Delete manually if required."); } } update_output_window("Removing remaining Squid directories ... One moment please..."); 
@@ -574,7 +574,7 @@ function squid_deinstall_command() { /* Remove package settings from config if 'Keep Settings/Data' is disabled */ if (!$keep) { - log_error("Removing all Squid settings since 'Keep Settings/Data' is disabled..."); + log_error("[squid] Removing all Squid settings since 'Keep Settings/Data' is disabled..."); if (is_array($config['installedpackages']['squid'])) { unset($config['installedpackages']['squid']); } @@ -1203,7 +1203,7 @@ function squid_resync_general() { $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); if (!is_dir($logdir)) { - log_error("Creating Squid log dir $logdir"); + log_error("[squid] Creating Squid log dir '{$logdir}' ..."); safe_mkdir($logdir, 0755); squid_chown_recursive($logdir, SQUID_UID, SQUID_GID); } @@ -1320,8 +1320,8 @@ function squid_resync_cache() { if ($g['platform'] == "nanobsd") { $disk_cache_system = 'null'; } elseif (!is_array($config['installedpackages']['squidcache']['config'])) { - log_error("Squid - 'Local Cache' not configured, disk cache will be disabled."); - log_error("Squid - Please, configure and save 'Local Cache' settings before enabling Squid proxy."); + log_error("[squid] 'Local Cache' not configured, disk cache will be disabled."); + log_error("[squid] Please, configure and save 'Local Cache' settings before enabling Squid proxy."); } else { $disk_cache_system = 'ufs'; } @@ -1942,7 +1942,7 @@ function squid_resync($via_rpc = "no") { } } - log_error("[Squid] - Squid_resync function call pr:" . is_process_running('squid') . " bp:" . isset($boot_process) . " rpc:" . $via_rpc); + log_error("[squid] - squid_resync function call pr:" . is_process_running('squid') . " bp:" . isset($boot_process) . " rpc:" . $via_rpc); if (is_process_running('squid') && isset($boot_process) && $via_rpc == "no") { return; 
@@ -2024,7 +2024,7 @@ function squid_generate_rules($type) { // do not install any firewall rules if Squid is disabled if (!squid_enabled()) { - log_error("Squid is installed but disabled. Not installing \"{$type}\" rules."); + log_error("[squid] Installed but disabled. Not installing '{$type}' rules."); return; } @@ -2034,7 +2034,7 @@ function squid_generate_rules($type) { } if (!is_service_running('squid')) { - log_error("Squid is installed but not started. Not installing \"{$type}\" rules."); + log_error("[squid] Installed but not started. Not installing '{$type}' rules."); return; } // Read assigned interfaces @@ -2278,7 +2278,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { /* Set a few variables needed for sync */ $url = $synchronizetoip; - log_error("[squid] Beginning Squid XMLRPC sync to {$url}:{$port}."); + log_error("[squid] Beginning XMLRPC sync to {$url}:{$port}."); $method = 'pfsense.merge_installedpackages_section_xmlrpc'; $msg = new XML_RPC_Message($method, $params); $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); 
@@ -2289,13 +2289,13 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { /* Send our XMLRPC message and timeout after defined sync timeout value*/ $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communication error occurred while attempting Squid XMLRPC sync with {$url}:{$port}."; + $error = "[squid] Communication error occurred while attempting XMLRPC sync with {$url}:{$port}."; log_error($error); file_notice("sync_settings", $error, "Squid Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); - $error = "An error code was received while attempting Squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "[squid] An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Squid Settings Sync", ""); } else { 
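Review bot: In squid_do_xmlrpc_sync() the `$error` strings now carry the `[squid]` log prefix but are also passed to `file_notice("sync_settings", $error, "Squid Settings Sync", "")`, so the GUI notice repeats the prefix inside a notice already titled "Squid Settings Sync"; the same applies to the `@@ -2318` hunk on the next line. Keep the prefix at the log call only, e.g. `$error = "Communication error occurred while attempting XMLRPC sync with {$url}:{$port}.";` followed by `log_error("[squid] {$error}");`, leaving the `file_notice()` call unchanged.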
@@ -2318,17 +2318,17 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $cli->setCredentials($username, $password); $resp = $cli->send($msg, $synctimeout); if (!$resp) { - $error = "A communication error occurred while attempting Squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + $error = "[squid] Communication error occurred while attempting XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; log_error($error); file_notice("sync_settings", $error, "Squid Settings Sync", ""); } elseif ($resp->faultCode()) { $cli->setDebug(1); $resp = $cli->send($msg, $synctimeout); - $error = "[Squid] An error code was received while attempting Squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + $error = "[squid] An error code was received while attempting XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); log_error($error); file_notice("sync_settings", $error, "Squid Settings Sync", ""); } else { - log_error("Squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + log_error("[squid] XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); } } -- cgit v1.2.3 From e0382acb903bde6b7b0f271f55554583970a9e95 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Tue, 6 Oct 2015 11:37:26 +0200 Subject: Clean up and prefix log messages. --- config/squid3/34/squid_antivirus.inc | 58 +++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 28 deletions(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 8bf717e5..e047db93 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc 
@@ -46,7 +46,7 @@ function squid_check_clamav_user($user) { $user_arg = ($sq_ex_return == 0 ? "mod" : "add"); $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return); if ($sq_ex_return != 0) { - log_error("Squid - Could not change clamav user settings. " . serialize($sq_ex_output)); + log_error("[squid] Could not change clamav user settings. " . serialize($sq_ex_output)); } } @@ -67,19 +67,22 @@ function squid_install_freshclam_cron($should_install) { $freshclam_cmd = (SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); if (($should_install) && (squid_enabled())) { if ($antivirus_config['clamav_update'] != "0") { + log_error("[squid] Adding freshclam cronjob."); $minutes = ($antivirus_config['clamav_update'] * 60); install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav"); } else { + log_error("[squid] Removing freshclam cronjob."); install_cron_job("{$freshclam_cmd}", false); } } else { + log_error("[squid] Removing freshclam cronjob."); install_cron_job("{$freshclam_cmd}", false); } } /* Manually update ClamAV virus definitions via the GUI button */ function squid_update_clamav() { - log_error("Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); + log_error("[squid] Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); } @@ -291,7 +294,7 @@ EOF; } file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); } else { - log_error("Squid - template not found; could not generate {$cf} file!"); + log_error("[squid] Template not found; could not generate '{$cf}' file!"); } // c-icap.conf 
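Review bot: In the `@@ -67,19 +67,22 @@` hunk of squid_install_freshclam_cron() both `else` branches now emit the identical `"[squid] Removing freshclam cronjob."` line and the identical `install_cron_job("{$freshclam_cmd}", false);` call, so the decision is better computed once and the branches collapsed, as below. The function's signature and the `$antivirus_config` assignment it reads are outside the hunk. Separately, the unchanged `"*/{$minutes}"` step with `$minutes` being hours multiplied by 60 lands in cron's 0–59 minute field, which looks like it cannot express intervals of an hour or more — worth confirming how install_cron_job() handles it.

```php
    $freshclam_cmd = (SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf");
    // Install only when requested, Squid is enabled and an update interval is configured
    $install = $should_install && squid_enabled() && ($antivirus_config['clamav_update'] != "0");
    if ($install) {
        log_error("[squid] Adding freshclam cronjob.");
        $minutes = ($antivirus_config['clamav_update'] * 60);
        install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav");
    } else {
        log_error("[squid] Removing freshclam cronjob.");
        install_cron_job("{$freshclam_cmd}", false);
    }
    // … unchanged: squid_update_clamav() …
```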
@@ -316,7 +319,7 @@ EOF; $cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log"; file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); } else { - log_error("Squid - template not found; could not generate {$cf} file!"); + log_error("[squid] Template not found; could not generate '{$cf}' file!"); } // c-icap.magic @@ -325,7 +328,7 @@ EOF; if (file_exists("{$cf}.pfsense")) { copy("{$cf}.pfsense", "{$cf}"); } else { - log_error("Squid - template not found; could not generate {$cf} file!"); + log_error("[squid] Template not found; could not generate '{$cf}' file!"); } // freshclam.conf @@ -351,7 +354,7 @@ EOF; } file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); } else { - log_error("Squid - template not found; could not generate {$cf} file!"); + log_error("[squid] Template not found; could not generate '{$cf}' file!"); } // clamd.conf @@ -360,7 +363,7 @@ EOF; if (file_exists("{$cf}.pfsense")) { copy("{$cf}.pfsense", "{$cf}"); } else { - log_error("Squid - template not found; could not generate {$cf} file!"); + log_error("[squid] Template not found; could not generate '{$cf}' file!"); } unset($cf); } @@ -400,7 +403,7 @@ function squid_antivirus_install_config_files() { $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); } else { - log_error("Squid - could not patch {$cf} template file!"); + log_error("[squid] Could not patch '{$cf}' template file!"); } // c-icap.conf 
@@ -424,7 +427,7 @@ function squid_antivirus_install_config_files() { $cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log"; file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); } else { - log_error("Squid - could not patch {$cf} template file!"); + log_error("[squid] Could not patch '{$cf}' template file!"); } // c-icap.magic @@ -453,7 +456,7 @@ function squid_antivirus_install_config_files() { $clamd_r[2] = ""; file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX); } else { - log_error("Squid - could not patch {$cf} template file!"); + log_error("[squid] Could not patch '{$cf}' template file!"); } // freshclam.conf @@ -472,7 +475,7 @@ function squid_antivirus_install_config_files() { $freshclam_r[2] = ""; file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); } else { - log_error("Squid - could not patch {$cf} template file!"); + log_error("[squid] - could not patch '{$cf}' template file!"); } unset($cf); } @@ -516,7 +519,7 @@ function squid_antivirus_get_raw_config() { if (file_exists($conffile)) { if ($config['installedpackages']['squidantivirus']['config'][0][$confopt] == "") { $config['installedpackages']['squidantivirus']['config'][0][$confopt] = base64_encode(str_replace("\r", "", file_get_contents("{$conffile}"))); - log_error("Squid - Successfully loaded {$conffile} configuration file"); + log_error("[squid] Successfully loaded '{$conffile}' configuration file"); $loaded = true; } // Just a fallback attempt if people do things in weird order on a completely fresh install perhaps; should not be ever needed 
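Review bot: The rewritten message in the `@@ -472,7 +475,7 @@` hunk of squid_antivirus_install_config_files() reads `"[squid] - could not patch ..."` while the three sibling branches in this same commit use `"[squid] Could not patch '{$cf}' template file!"`; the stray dash and lower-case make filtering the log by message inconsistent. Use the same form: `log_error("[squid] Could not patch '{$cf}' template file!");`.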
@@ -524,17 +527,17 @@ function squid_antivirus_get_raw_config() { squid_antivirus_install_config_files(); if (file_exists($conffile)) { $config['installedpackages']['squidantivirus']['config'][0][$confopt] = base64_encode(str_replace("\r", "", file_get_contents("{$conffile}"))); - log_error("Squid - Successfully loaded {$conffile} configuration file"); + log_error("[squid] Successfully loaded '{$conffile}' configuration file"); $loaded = true; } else { - log_error("Squid - '{$conffile}' template does not exist; could not load advanced {$rawfile} configuration!"); + log_error("[squid] '{$conffile}' template does not exist; could not load advanced {$rawfile} configuration!"); } } } } if ($loaded) { write_config("Squid - Loaded raw configuration files", false); - log_error("Squid - Successfully loaded raw configuration files"); + log_error("[squid] Successfully loaded raw configuration files"); } } @@ -547,10 +550,10 @@ function squid_antivirus_toggle_raw_config($state) { foreach ($opts as $opt) { if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); - log_error("Squid - Loaded {$opt} raw configuration file..."); + log_error("[squid] Loaded '{$opt}' raw configuration file..."); } } - log_error("Squid - Loading raw configuration files..."); + log_error("[squid] Loading raw configuration files..."); squid_antivirus_get_raw_config(); } else { // manual configuration disabled @@ -558,7 +561,7 @@ function squid_antivirus_toggle_raw_config($state) { foreach ($opts as $opt) { if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); - log_error("Squid - Unloaded {$opt} raw configuration file..."); + log_error("[squid] Unloaded '{$opt}' raw configuration."); } } $config['installedpackages']['squidantivirus']['config'][0]['enable_advanced'] = "disabled"; 
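Review bot: In squid_antivirus_toggle_raw_config() (the `@@ -547,10 +550,10 @@` hunk) the message `"[squid] Loaded '{$opt}' raw configuration file..."` is emitted immediately after `unset()` clears the stored option and before `squid_antivirus_get_raw_config()` is called, so it reports a load that has not happened yet; the analogous branch in the `@@ -558` hunk correctly says `Unloaded`. A message describing what the line actually did, e.g. `log_error("[squid] Cleared stored '{$opt}' raw configuration; reloading from file...");`, keeps the log truthful when the subsequent load fails (that path logs its own template-missing error).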
@@ -606,7 +609,7 @@ function squid_antivirus_put_raw_config($rawfiles) { function squid_antivirus_write_conffile($dir, $file, $text) { if ($file && $text) { file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX); - log_error("Squid - Saved {$file} configuration file."); + log_error("[squid] Saved '{$file}' configuration file."); } } @@ -682,13 +685,13 @@ function squid_restart_antivirus() { if (squid_enabled() && ($antivirus_config['enable'] == "on")) { // Check clamav database if (count(glob("/var/db/clamav/*d")) == 0) { - log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); + log_error("[squid] Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) { - log_error("Squid - Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); + log_error("[squid] Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); } elseif ($antivirus_config['clamav_safebrowsing'] != "on" && is_file("/var/db/clamav/safebrowsing.cvd")) { - log_error("Squid - Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions."); + log_error("[squid] Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions."); mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd"); } 
@@ -698,11 +701,11 @@ function squid_restart_antivirus() { squid_write_clamd_rcfile(); } if (is_process_running("clamd")) { - log_error("Reloading ClamAV..."); + log_error("[squid] Reloading ClamAV..."); $reload_cmd = SQUID_BASE . "/bin/clamdscan --reload"; mwexec_bg("{$reload_cmd}"); } else { - log_error("Starting ClamAV..."); + log_error("[squid] Starting ClamAV..."); mwexec_bg("{$clamd_rcfile} start"); } @@ -718,20 +721,19 @@ function squid_restart_antivirus() { } } else { // stop AV services and disable all C-ICAP/AV features - log_error("Squid antivirus features disabled."); + log_error("[squid] Antivirus features disabled."); if (is_process_running("clamd")) { - log_error("Stopping and disabling ClamAV..."); + log_error("[squid] Stopping and disabling ClamAV..."); mwexec("/usr/bin/killall clamd"); } unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); // freshclam cronjob - log_error("Removing freshclam cronjob..."); squid_install_freshclam_cron(false); // check c-icap rcfile if (is_process_running("c-icap")) { - log_error("Stopping and disabling C-ICAP..."); + log_error("[squid] Stopping and disabling C-ICAP..."); mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); } unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); -- cgit v1.2.3