From 64544441536552b858797a172148e058f3239115 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 15:52:35 +0200 Subject: Squid3 - multiple antivirus fixes - Stop moving C-ICAP logs, it completely breaks things for users in bizarre ways - Ditch the recursive chown madness on ClamAV/C-ICAP dirs. The C-ICAP socket/pid/logs are supposed to be owned by root:wheel, not clamav:wheel, this just should not be done. - Fix the broken squid_check_clamav_user() function and user handling in general; stop re-adding clamav user to wheel group over and over again. Also, clean up the wheel group on uninstall. - Put extensive error checking and debugging info to configuration files handling so that it's possible to debug things easily in future. --- config/squid3/34/squid_antivirus.inc | 154 +++++++++++++++++++++++------------ 1 file changed, 104 insertions(+), 50 deletions(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 03b9e129..c6f128f1 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -37,16 +37,16 @@ require_once('config.inc'); */ /* clamav user account hadling (only needed for PBI/pfSense <2.3) */ -function squid_check_clamav_user($user) { +function squid_check_clamav_user() { if (SQUID_BASE == '/usr/local') { return; - } - - $_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return); - $user_arg = ($sq_ex_return == 0 ? "mod" : "add"); - $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return); - if ($sq_ex_return != 0) { - log_error("[squid] Could not change clamav user settings. " . serialize($sq_ex_output)); + } else { + if (!exec("/usr/sbin/pw usershow clamav")) { + mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin"); + } + if (!exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) { + mwexec("/usr/sbin/pw usermod clamav -G wheel"); + } } } 
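Review bot: In `squid_check_clamav_user()` the new checks test the string returned by `exec()` (the last line of output) rather than the command's exit status, and the results of both `mwexec()` calls are discarded, so a failed `pw useradd` is no longer logged the way the removed `log_error()` branch did. The `grep clamav` test is a substring match, so any wheel member whose name merely contains `clamav` satisfies it. I would keep the exit-status form, e.g. `exec("/usr/sbin/pw usershow clamav", $out, $rc); if ($rc != 0) { ... }`, and log when `mwexec()` returns non-zero. A short comment stating why the scanner account needs `wheel` membership would let the next reader judge whether that privilege is still required.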
@@ -61,7 +61,8 @@ function squid_check_antivirus_dirs() { ); foreach ($dirs as $dir_path => $dir_user) { safe_mkdir($dir_path, 0755); - squid_chown_recursive($dir_path, $dir_user, "wheel"); + chown($dir_path, $dir_user); + chgrp($dir_path, "wheel"); } } @@ -125,7 +126,16 @@ function squid_antivirus_install_command() { symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); } - // check dirs + // remove dirs with possibly broken file permissions after previous versions + $dirs = array("/var/run/c-icap", "/var/log/c-icap"); + foreach ($dirs as $dir) { + if (is_dir("{$dir}")) { + mwexec("/bin/rm -rf {$dir}"); + } + } + + // create required dirs and set up clamav user if needed + squid_check_clamav_user(); squid_check_antivirus_dirs(); // remove unwanted PBI rc scripts @@ -136,6 +146,7 @@ function squid_antivirus_install_command() { /* Run on Squid package uninstall */ function squid_antivirus_deinstall_command() { + global $config, $keep; /* kill all running services */ if (is_process_running("c-icap")) { mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); @@ -183,6 +194,21 @@ function squid_antivirus_deinstall_command() { } } + /* clean up user/groups if needed */ + if (SQUID_BASE == '/usr/local') { + return; + } else { + if (exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) { + mwexec("/usr/sbin/pw groupmod wheel -d clamav"); + } + if (exec("/usr/sbin/pw usershow clamav")) { + mwexec("/usr/sbin/pw userdel clamav"); + } + if (exec("/usr/sbin/pw groupshow clamav")) { + mwexec("/usr/sbin/pw groupdel clamav"); + } + } + /* check if clamav/c_icap is enabled in rc.conf.local */ // XXX: This hasn't been used since 0.3.7; to be removed in future if (file_exists("/etc/rc.conf.local")) { 
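Review bot: The install-time cleanup in `squid_antivirus_install_command()` deletes `/var/log/c-icap` wholesale whenever it exists, which also discards any C-ICAP logs already stored there (the widget added later in this series reads `/var/log/c-icap/virus.log` for its detection count). If the aim is only to repair ownership left by earlier versions, resetting owner and mode on the directories would keep that history. If removal is intended, a `log_error()` line recording it and a comment saying the logs are dropped on purpose would make that explicit. The function starts and ends outside the hunk, so how often this path runs on upgrade is not visible here.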
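Review bot: The `return;` in the new user/group cleanup of `squid_antivirus_deinstall_command()` leaves the whole function when `SQUID_BASE == '/usr/local'`, so the `/etc/rc.conf.local` cleanup that follows in the context lines is skipped on those systems. Wrapping the cleanup in `if (SQUID_BASE != '/usr/local') { ... }` with no early return keeps the rest of the uninstall running. The three `exec()` results are again tested as output strings rather than exit codes, and `$keep`, declared global in the previous hunk, is not used in any visible line. The function continues past the end of the hunk.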
@@ -219,7 +245,7 @@ function squid_antivirus_deinstall_command() { /* Proxy Server: Antivirus configuration handler */ function squid_resync_antivirus() { - global $config; + global $config, $antivirus_config; if (is_array($config['installedpackages']['squidantivirus'])) { $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; @@ -266,7 +292,7 @@ adaptation_access service_avi_resp allow all EOF; // check clamav user and dirs - squid_check_clamav_user('clamav'); + squid_check_clamav_user(); squid_check_antivirus_dirs(); if ($antivirus_config['enable_advanced'] == "enabled") { @@ -290,15 +316,20 @@ EOF; $cf = SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf"; if (file_exists("{$cf}.pfsense")) { $sample_file = file_get_contents("{$cf}.pfsense"); + $squidclamav_m[0] = "@#This file was automatically generated by pfSense@"; + $squidclamav_r[0] = "#This file was automatically generated by pfSense WebGUI configuration"; if ($antivirus_config['clamav_safebrowsing'] == "on") { - $squidclamav_m[0] = "@safebrowsing\s0@"; - $squidclamav_r[0] = "safebrowsing 1"; + $squidclamav_m[1] = "@safebrowsing\s0@"; + $squidclamav_r[1] = "safebrowsing 1"; } if ($antivirus_config['clamav_url'] != "") { - $squidclamav_m[1] = "@redirect http@"; - $squidclamav_r[1] = "{$antivirus_config['clamav_url']}"; + $squidclamav_m[2] = "@redirect http@"; + $squidclamav_r[2] = "{$antivirus_config['clamav_url']}"; + } + /* Trying to overwrite squidclamav.conf via file_put_contents() may fail when Squid is running */ + if (!file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save generated {$cf} file!"); } - file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); } else { log_error("[squid] Template not found; could not generate '{$cf}' file!"); } 
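Review bot: In the squidclamav.conf hunk the new `if (!file_put_contents(..., preg_replace(...), LOCK_EX))` check only reports a problem after the target has already been opened and truncated, and `preg_replace()` returns `null` on a pattern error, which would be written out as an empty scanner configuration. Checking the generated text before writing keeps the previous file in place on failure: `$out = preg_replace($squidclamav_m, $squidclamav_r, $sample_file);` followed by `if ($out === null || file_put_contents($cf, $out, LOCK_EX) === false) { log_error(...); }`. The same pattern is repeated in the c-icap.conf, freshclam.conf and clamd.conf hunks, in the four `squid_antivirus_install_config_files()` hunks and in `squid_antivirus_write_conffile()`. The enclosing function starts and ends outside the hunk.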
@@ -310,20 +341,17 @@ EOF; if (!preg_match("/squid_clamav/", $sample_file)) { $sample_file .= "\nService squid_clamav squidclamav.so\n"; } - // XXX: Bug #4615 - if (is_array($config['installedpackages']['squid'])) { - $squidsettings = $config['installedpackages']['squid']['config'][0]; - } else { - $squidsettings = array(); + /* XXX: Bug #4615 + * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways, + * such as Error: [No Error] or 500 response codes. + */ + $cicap_m[0] = "@#This file was automatically generated by pfSense@"; + $cicap_r[0] = "#This file was automatically generated by pfSense WebGUI configuration"; + $cicap_m[1] = "@DebugLevel\s1@"; + $cicap_r[1] = "DebugLevel 0"; + if (!file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save generated {$cf} file!"); } - $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs'); - $cicap_m[0] = "@DebugLevel\s1@"; - $cicap_r[0] = "DebugLevel 0"; - $cicap_m[1] = "@AccessLog /var/squid/logs/c-icap-access.log@"; - $cicap_r[1] = "AccessLog {$logdir}/c-icap-access.log"; - $cicap_m[2] = "@ServerLog /var/squid/logs/c-icap-server.log@"; - $cicap_r[2] = "ServerLog {$logdir}/c-icap-server.log"; - file_put_contents("{$cf}", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); } else { log_error("[squid] Template not found; could not generate '{$cf}' file!"); } 
@@ -332,15 +360,19 @@ EOF; // just make a copy of pfSense template, nothing configurable via GUI options here $cf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic"; if (file_exists("{$cf}.pfsense")) { - copy("{$cf}.pfsense", "{$cf}"); + if (!copy("{$cf}.pfsense", "{$cf}")) { + log_error("[squid] Could not save {$cf} file!"); + } } else { - log_error("[squid] Template not found; could not generate '{$cf}' file!"); + log_error("[squid] Template not found; could not save '{$cf}' file!"); } // freshclam.conf $cf = SQUID_LOCALBASE . "/etc/freshclam.conf"; if (file_exists("{$cf}.pfsense")) { $sample_file = file_get_contents("{$cf}.pfsense"); + $freshclam_m[0] = "@#This file was automatically generated by pfSense@"; + $freshclam_r[0] = "#This file was automatically generated by pfSense WebGUI configuration"; $clamav_mirrors = ""; if ($antivirus_config['clamav_dbregion'] != "") { $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n"; 
@@ -351,23 +383,29 @@ EOF; } } if ($clamav_mirrors != "") { - $freshclam_m[0] = "@#DatabaseMirror db.XY.clamav.net@"; - $freshclam_r[0] = "{$clamav_mirrors}"; + $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@"; + $freshclam_r[1] = "{$clamav_mirrors}"; } if ($antivirus_config['clamav_safebrowsing'] == "on") { - $freshclam_m[1] = "@#SafeBrowsing yes@"; - $freshclam_r[1] = "SafeBrowsing yes"; + $freshclam_m[2] = "@#SafeBrowsing yes@"; + $freshclam_r[2] = "SafeBrowsing yes"; + } + if (!file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save generated {$cf} file!"); } - file_put_contents("{$cf}", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); } else { log_error("[squid] Template not found; could not generate '{$cf}' file!"); } // clamd.conf - // just make a copy of pfSense template, nothing configurable via GUI options here $cf = SQUID_LOCALBASE . "/etc/clamd.conf"; if (file_exists("{$cf}.pfsense")) { - copy("{$cf}.pfsense", "{$cf}"); + $sample_file = file_get_contents("{$cf}.pfsense"); + $clamd_m[0] = "@#This file was automatically generated by pfSense@"; + $clamd_r[0] = "#This file was automatically generated by pfSense WebGUI configuration"; + if (!file_put_contents("{$cf}", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save generated {$cf} file!"); + } } else { log_error("[squid] Template not found; could not generate '{$cf}' file!"); } 
@@ -406,8 +444,15 @@ function squid_antivirus_install_config_files() { $squidclamav_m[1] = "@/var/run/clamav/clamd.ctl@"; $squidclamav_r[1] = "/var/run/clamav/clamd.sock"; $squidclamav_m[2] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@"; - $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; - file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX); + $port = $config['system']['webgui']['port']; + if ($port == "") { + $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php"; + } else { + $squidclamav_r[2] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}:{$port}/squid_clwarn.php"; + } + if (!file_put_contents("{$cf}.pfsense", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save patched '{$cf}.pfsense' template file!"); + } } else { log_error("[squid] Could not patch '{$cf}' template file!"); } 
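Review bot: The two branches that assign `$squidclamav_r[2]` differ only by `:{$port}`, so the long redirect URL template is now duplicated and the copies can drift apart. Building the optional part once reads more clearly: `$port_part = ($port != "" ? ":{$port}" : "");` and then a single assignment ending in `{$config['system']['domain']}{$port_part}/squid_clwarn.php`. A comment noting that this URL points proxy clients at the webGUI host and port would also help, since it means the warning page is only reachable where that interface is reachable. The function starts and ends outside the hunk.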
@@ -425,13 +470,15 @@ function squid_antivirus_install_config_files() { } $cicap_m[0] = "@# This file contains the default settings for c-icap@"; $cicap_r[0] = "#This file was automatically generated by pfSense"; + /* XXX: Bug #4615 + * Do NOT move the C-ICAP log anywhere, ever! It breaks C-ICAP in completely inexplicable ways, + * such as Error: [No Error] or 500 response codes. + */ $cicap_m[1] = "@DebugLevel\s1@"; $cicap_r[1] = "DebugLevel 0"; - $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@"; - $cicap_r[2] = "AccessLog /var/squid/logs/c-icap-access.log"; - $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@"; - $cicap_r[3] = "ServerLog /var/squid/logs/c-icap-server.log"; - file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); + if (!file_put_contents("{$cf}.pfsense", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save patched '{$cf}.pfsense' template file!"); + } } else { log_error("[squid] Could not patch '{$cf}' template file!"); } @@ -460,7 +507,9 @@ function squid_antivirus_install_config_files() { $clamd_r[1] = ""; $clamd_m[2] = "@#Example@"; $clamd_r[2] = ""; - file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX); + if (!file_put_contents("{$cf}.pfsense", preg_replace($clamd_m, $clamd_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save patched '{$cf}.pfsense' template file!"); + } } else { log_error("[squid] Could not patch '{$cf}' template file!"); } 
@@ -479,7 +528,9 @@ function squid_antivirus_install_config_files() { $freshclam_r[1] = ""; $freshclam_m[2] = "@#Example@"; $freshclam_r[2] = ""; - file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); + if (!file_put_contents("{$cf}.pfsense", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX)) { + log_error("[squid] Could not save patched '{$cf}.pfsense' template file!"); + } } else { log_error("[squid] - could not patch '{$cf}' template file!"); } @@ -614,8 +665,11 @@ function squid_antivirus_put_raw_config($rawfiles) { /* Helper function for squid_antivirus_put_raw_config() */ function squid_antivirus_write_conffile($dir, $file, $text) { if ($file && $text) { - file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX); - log_error("[squid] Saved '{$file}' configuration file."); + if (!file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) { + log_error("[squid] Could not save '{$file}' configuration file."); + } else { + log_error("[squid] Saved '{$file}' configuration file."); + } } } -- cgit v1.2.3 From 4350fa2eeac5ebf945292a3760917a13af813371 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 15:54:40 +0200 Subject: Add a button to manually clear disk cache from the GUI --- config/squid3/34/squid_cache.xml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/config/squid3/34/squid_cache.xml b/config/squid3/34/squid_cache.xml index ef477bb4..47471df9 100755 --- a/config/squid3/34/squid_cache.xml +++ b/config/squid3/34/squid_cache.xml @@ -42,7 +42,7 @@ ]]> squidcache - 0.3.9.2 + 0.4.0 Proxy Server: Cache management /usr/local/pkg/squid.inc @@ -216,6 +216,19 @@ + + Clear Disk Cache NOW + + + The script will only clear the disk cache on the following conditions:
+ - if the swap.state file is taking up more than 75% of disk space;
+ - or the drive is 90% full and swap.state is larger than 1GB.

+ If you wish to clear cache immediately, press the button. + ]]> +
+ info +
Level 1 Directories level1_subdirs -- cgit v1.2.3 From 6d301cca472737f59d7bd05af34685c5d716aba9 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 15:57:46 +0200 Subject: Re-add swapstate_check.php cronjob, add manually clear disk cache feature - The swapstate_check.php cronjob, is here purely to prevent Squid from filling disk completely on misconfigured boxes; the script will only clear the disk cache on the following conditions:either if the swap.state file is taking up more than 75% of disk space, or the drive is 90% full and swap.state is larger than 1GB. - Added a button to manually clear disk cache from the GUI --- config/squid3/34/squid.inc | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index cbb24a04..e28cf56e 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -324,10 +324,22 @@ function squid_install_cron($should_install) { } $cron_cmd = SQUID_BASE . "/sbin/squid -k rotate -f " . SQUID_CONFFILE; + /* + * This is here to prevent Squid from filling disk completely on misconfigured boxes. + * When 'Hard Disk Cache System' is set to null, the script silently returns, no need to check here. + * Otherwise, swapstate_check.php will only clear the disk cache on the following conditions: + * - if the swap.state file is taking up more than 75% of disk space, + * - or the drive is 90% full and swap.state is larger than 1GB. + */ + $swapstate_cmd = "/usr/local/pkg/swapstate_check.php"; if (($should_install) && (squid_enabled())) { + log_error("[squid] Adding cronjobs ..."); install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root"); + install_cron_job("{$swapstate_cmd}", $should_install, "15", "0", "*", "*", "*", "root"); } else { + log_error("[squid] Removing cronjobs ..."); install_cron_job("{$cron_cmd}", false); + install_cron_job("{$swapstate_cmd}", false); } } 
@@ -861,6 +873,13 @@ function squid_validate_upstream($post, &$input_errors) { /* Proxy Server: Cache Management input validation */ function squid_validate_cache($post, &$input_errors) { + /* Manually clear hard disk cache */ + if ($post['clear_cache'] == 'Clear Disk Cache NOW') { + log_error("[squid] Clear disk cache forced via GUI. Clearing cache now..."); + squid_dash_z("clean"); + return; + } + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', 'memory_cache_size' => 'Memory cache size', -- cgit v1.2.3 From 5fac54533a6b259aa62ce107b7aef677097a85df Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 15:58:57 +0200 Subject: Add Squid3 antivirus widget --- config/squid3/34/squid.xml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index ccaca843..f0289e6e 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -42,7 +42,7 @@ ]]> squid - 0.3.9 + 0.4.0 Proxy Server: General Settings /usr/local/pkg/squid.inc @@ -127,6 +127,10 @@ /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.inc + + /usr/local/www/widgets/include + https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus_status.inc + /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_js.inc @@ -199,6 +203,10 @@ + + /usr/local/www/widgets/widgets + https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus_status.widget.php + /usr/local/www/ https://packages.pfsense.org/packages/config/squid3/34/squid_clwarn.php -- cgit v1.2.3 From 88fd464b6cc951c0e4339e169dc40c13ddfa3480 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 15:59:50 +0200 Subject: Add Squid3 antivirus widget --- config/squid3/34/squid_antivirus_status.widget.php | 176 +++++++++++++++++++++ 1 file changed, 176 insertions(+) create mode 100644 config/squid3/34/squid_antivirus_status.widget.php 
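Review bot: The `return;` after `squid_dash_z("clean")` in `squid_validate_cache()` skips every field check below it for that request, so if the caller saves the posted form whenever `$input_errors` is empty, pressing the button could persist cache settings that were never validated; the caller is not visible here, so this needs confirming. A validation hook is also an unexpected place for a destructive action, so I would run the clear only after the checks have passed, or at least drop the early return. The button test would be stricter as `$post['clear_cache'] === 'Clear Disk Cache NOW'`. The function body continues outside the hunk.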
diff --git a/config/squid3/34/squid_antivirus_status.widget.php b/config/squid3/34/squid_antivirus_status.widget.php new file mode 100644 index 00000000..8d96a3a1 --- /dev/null +++ b/config/squid3/34/squid_antivirus_status.widget.php 
@@ -0,0 +1,176 @@ + + Copyright (C) 2015 ESF, LLC + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. +*/ +require_once("guiconfig.inc"); +require_once("pfsense-utils.inc"); +require_once("functions.inc"); +require_once("pkg-utils.inc"); +if (file_exists("/usr/local/pkg/squid.inc")) { + require_once("/usr/local/pkg/squid.inc"); +} else { + echo "No squid.inc found. You must have Squid3 package installed to use this widget."; +} + +define('PATH_CLAMDB', '/var/db/clamav'); +define('PATH_SQUID', SQUID_BASE . '/bin/squid'); +define('PATH_AVLOG', '/var/log/c-icap/virus.log'); +global $clamd_path, $cicap_cfg_path, $img; +$clamd_path = SQUID_BASE . "/bin/clamd"; +$cicap_cfg_path = SQUID_LOCALBASE . 
"/bin/c-icap-config"; +$img = array(); +$img['up'] = ""; +$img['down'] = ""; + +function squid_avdb_info($filename) { + $stl = "style='padding-top: 0px; padding-bottom: 0px; padding-left: 4px; padding-right: 4px; border-left: 1px solid #999999;'"; + $r = ''; + $path = PATH_CLAMDB . "/{$filename}"; + if (file_exists($path)) { + $handle = ''; + if ($handle = fopen($path, "r")) { + $s = fread($handle, 1024); + $s = explode(':', $s); + # datetime + $dt = explode(" ", $s[1]); + $s[1] = strftime("%Y.%m.%d", strtotime("{$dt[0]} {$dt[1]} {$dt[2]}")); + if ($s[0] == 'ClamAV-VDB') { + $r .= "{$filename}{$s[1]}{$s[2]}{$s[7]}"; + } + fclose($handle); + } + return $r; + } +} + +function squid_antivirus_bases_info() { + $db = ''; + $db .= ''; + $db .= squid_avdb_info("daily.cvd"); + $db .= squid_avdb_info("bytecode.cvd"); + $db .= squid_avdb_info("main.cvd"); + $db .= squid_avdb_info("safebrowsing.cvd"); + $db .= '
DatabaseDateVersionBuilder
'; + return $db; +} + +function squid_clamav_version() { + global $clamd_path, $cicap_cfg_path, $img; + if (is_executable($clamd_path)) { + $s = (is_service_running("clamd") ? $img['up'] : $img['down']); + $version = preg_split("@/@", shell_exec("{$clamd_path} -V")); + $s .= "  {$version[0]}"; + } else { + $s .= "  ClamAV: N/A"; + } + if (is_executable($cicap_cfg_path)) { + $s .= "  "; + $s .= (is_service_running("c-icap") ? $img['up'] : $img['down']); + $s .= "  C-ICAP " . shell_exec("{$cicap_cfg_path} --version"); + } else { + $s .= "  C-ICAP: N/A"; + } + if (file_exists("/usr/local/www/squid_clwarn.php")) { + preg_match("@(VERSION.*).(\d{1}).(\d{2})@", file_get_contents("/usr/local/www/squid_clwarn.php"), $squidclamav_version); + $s .= "+  SquidClamav " . str_replace("'", "", strstr($squidclamav_version[0], "'")); + } else { + $s .= "+  SquidClamav: N/A"; + } + return $s; +} + +function squid_avupdate_status() { + global $clamd_path; + $s = "N/A"; + if (is_executable($clamd_path)) { + $lastupd = preg_split("@/@", shell_exec("{$clamd_path} -V")); + $s = $lastupd[2]; + } + return $s; +} + +function squid_antivirus_statistics() { + $s = "Unknown (no log exists)"; + if (file_exists(PATH_AVLOG)) { + $log = file_get_contents(PATH_AVLOG); + $count = substr_count(strtolower($log), "virus found"); + $s = "Found {$count} virus(es) total."; + } + return $s; +} + +?> + + + + + + + + + + + + + + + + + + + + + + + + +
Squid Version + +
Antivirus Scanner + +
Antivirus Bases + +
Last Update + +
Statistics + +
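Review bot: `squid_avdb_info()` interpolates `$s[1]`, `$s[2]` and `$s[7]` from the `.cvd` header straight into the widget output; those fields come from database files fetched from external mirrors, so each should go through `htmlspecialchars()` first (the markup is stripped on this page, so the exact output context is inferred). The header is also indexed without checking that `explode(':', $s)` produced enough fields. Separately, `squid_antivirus_statistics()` loads all of `virus.log` with `file_get_contents()` and copies it again through `strtolower()` on every dashboard render, which grows with the log; reading it line by line and counting with `stripos()` bounds the memory used. In `squid_clamav_version()` the first `else` branch appends to `$s` before it is initialised, which `$s = '';` at the top of the function fixes.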
-- cgit v1.2.3 From 6c2395f273a49fb8ab536099824f59f412426114 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 16:00:18 +0200 Subject: Add Squid3 antivirus widget --- config/squid3/34/squid_antivirus_status.inc | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 config/squid3/34/squid_antivirus_status.inc diff --git a/config/squid3/34/squid_antivirus_status.inc b/config/squid3/34/squid_antivirus_status.inc new file mode 100644 index 00000000..c384df73 --- /dev/null +++ b/config/squid3/34/squid_antivirus_status.inc @@ -0,0 +1,7 @@ + -- cgit v1.2.3 From 2652266b891da18d000ee266088c9a70c60ef8e1 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 16:06:13 +0200 Subject: Bump squid3 package version --- pkg_config.10.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 0263b71d..8bd6434a 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -1052,7 +1052,7 @@ https://forum.pfsense.org/index.php/topic,48347.0.html http://www.squid-cache.org/ Network - 0.3.9.2 + 0.4.0 beta 2.2 marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org -- cgit v1.2.3 From d52543244d35e8dff7c487dfce1cada44d60e5d3 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 19:51:00 +0200 Subject: Custom redirect URL handling --- config/squid3/34/squid_antivirus.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index c6f128f1..5c3b6b3f 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc 
@@ -323,8 +323,8 @@ EOF; $squidclamav_r[1] = "safebrowsing 1"; } if ($antivirus_config['clamav_url'] != "") { - $squidclamav_m[2] = "@redirect http@"; - $squidclamav_r[2] = "{$antivirus_config['clamav_url']}"; + $squidclamav_m[2] = "@(redirect http.*)@"; + $squidclamav_r[2] = "redirect {$antivirus_config['clamav_url']}"; } /* Trying to overwrite squidclamav.conf via file_put_contents() may fail when Squid is running */ if (!file_put_contents("{$cf}", preg_replace($squidclamav_m, $squidclamav_r, $sample_file), LOCK_EX)) { -- cgit v1.2.3 From 3efdd574a6b657eb6b59e80f0db4e5838fb668ab Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 23:48:57 +0200 Subject: Move antivirus config migration to squid_antivirus.inc --- config/squid3/34/squid.inc | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index e28cf56e..cd502658 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -619,6 +619,7 @@ function squid_deinstall_command() { /* Migrate configuration from god knows which Squid package versions */ /* None of these ever existed with Squid 3.4 package and this cruft should be most likely just removed */ function squid_upgrade_config() { + global $config; /* migrate existing csv config fields */ if (is_array($config['installedpackages']['squidauth']['config'])) { $settingsauth = $config['installedpackages']['squidauth']['config'][0]; 
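Review bot: `$antivirus_config['clamav_url']` is placed in the `preg_replace()` replacement string as-is in the squidclamav.conf hunk, so a value containing a line break would add extra lines to the generated `squidclamav.conf`, and `$1` or `\1` style sequences in it are interpreted as backreferences. Unless the GUI validation (not visible here) already restricts the field to a single-line URL, I would check it before use, e.g. `if (filter_var($antivirus_config['clamav_url'], FILTER_VALIDATE_URL) === false) { log_error(...); }`, and escape `\` and `$` before building the replacement. The enclosing function starts and ends outside the hunk.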
@@ -742,12 +743,7 @@ function squid_upgrade_config() { } /* unset broken antivirus settings */ - if (is_array($config['installedpackages']['squidantivirus'])) { - unset($config['installedpackages']['squidantivirus']['config'][0]['squidclamav']); - unset($config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']); - unset($config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']); - unset($config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf']); - } + squid_antivirus_upgrade_config(); update_output_window("Writing configuration... One moment please..."); write_config(); -- cgit v1.2.3 From d3554bcd81cc824f3f328e950082dd8da9d0a996 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sun, 11 Oct 2015 23:50:12 +0200 Subject: Move antivirus config migration to squid_antivirus.inc --- config/squid3/34/squid_antivirus.inc | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 5c3b6b3f..7af50399 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -222,6 +222,18 @@ function squid_antivirus_deinstall_command() { } } +/* Migrate configuration from old Squid package versions */ +function squid_antivirus_upgrade_config() { + global $config; + /* unset broken antivirus settings */ + if (is_array($config['installedpackages']['squidantivirus'])) { + unset($config['installedpackages']['squidantivirus']['config'][0]['squidclamav']); + unset($config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']); + unset($config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']); + unset($config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf']); + } +} + /* * Antivirus features configuration * -- cgit v1.2.3 From f76829a211478295f6c94072742a32f8561ce263 Mon Sep 17 00:00:00 2001 
From: doktornotor Date: Mon, 12 Oct 2015 00:00:18 +0200 Subject: Move reverse proxy config migration to squid_reverse.inc --- config/squid3/34/squid.inc | 51 ++-------------------------------------------- 1 file changed, 2 insertions(+), 49 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index cd502658..07d1da26 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -692,55 +692,8 @@ function squid_upgrade_config() { $config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type']; } - /* migrate reverse settings */ - if (is_array($config['installedpackages']['squidreverse'])) { - $old_reverse_settings = $config['installedpackages']['squidreverse']['config'][0]; - - // settings - if (!is_array($config['installedpackages']['squidreversegeneral'])) { - $config['installedpackages']['squidreversegeneral']['config'][0] = $old_reverse_settings; - unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); - unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); - unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); - } - - // peers - if (!is_array($config['installedpackages']['squidreversepeer'])) { - foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { - foreach (explode(";", $cache_peers) as $cache_peer) { - $config['installedpackages']['squidreversepeer']['config'][] = array( - 'description' => 'migrated', - 'enable' => 'on', - 'name' => $cache_peer[0], - 'port' => $cache_peer[1], - 'protocol' => $cache_peer[2] - ); - } - } - } - - // mappings - if (!is_array($config['installedpackages']['squidreverseuri'])) { - foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { - foreach (explode(";", $acls) as $acl) { - array_push(${'peer_'.$acl[0]}, $acl[1]); - } - } - foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { - foreach (explode(";", $uris) as $uri) { - $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . 
$uri[0]}) : ""); - $config['installedpackages']['squidreverseuri']['config'][] = array( - 'description' => 'migrated', - 'enable' => 'on', - 'name' => $uri[0], - 'uri' => $uri[1], - 'vhost' => $uri[2], - 'peers' => $peer_list - ); - } - } - } - } + /* migrate reverse proxy settings */ + squid_reverse_upgrade_config(); /* unset broken antivirus settings */ squid_antivirus_upgrade_config(); -- cgit v1.2.3 From f0445789ce9fe90918b22626eea90339916d66e6 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 12 Oct 2015 00:01:44 +0200 Subject: Move reverse proxy config migration to squid_reverse.inc --- config/squid3/34/squid_reverse.inc | 53 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index d69d6a01..9693b21f 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc 
@@ -263,6 +263,59 @@ function squid_resync_reverse() { return $conf; } +/* Migrate reverse proxy configuration from old Squid package versions */ +function squid_reverse_upgrade_config() { + global $config; + if (is_array($config['installedpackages']['squidreverse'])) { + $old_reverse_settings = $config['installedpackages']['squidreverse']['config'][0]; + + // settings + if (!is_array($config['installedpackages']['squidreversegeneral'])) { + $config['installedpackages']['squidreversegeneral']['config'][0] = $old_reverse_settings; + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']); + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']); + unset($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']); + } + + // peers + if (!is_array($config['installedpackages']['squidreversepeer'])) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) { + foreach (explode(";", $cache_peers) as $cache_peer) { + $config['installedpackages']['squidreversepeer']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $cache_peer[0], + 'port' => $cache_peer[1], + 'protocol' => $cache_peer[2] + ); + } + } + } + + // mappings + if (!is_array($config['installedpackages']['squidreverseuri'])) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { + foreach (explode(";", $acls) as $acl) { + array_push(${'peer_'.$acl[0]}, $acl[1]); + } + } + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { + foreach (explode(";", $uris) as $uri) { + $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . 
$uri[0]}) : ""); + $config['installedpackages']['squidreverseuri']['config'][] = array( + 'description' => 'migrated', + 'enable' => 'on', + 'name' => $uri[0], + 'uri' => $uri[1], + 'vhost' => $uri[2], + 'peers' => $peer_list + ); + } + } + } + } +} + /* Reverse Proxy Server input validation */ function squid_validate_reverse($post, &$input_errors) { global $config; -- cgit v1.2.3 From 50e54d02daafa2defc398a5ba58f68fe4f9c8261 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 12 Oct 2015 00:37:38 +0200 Subject: Fix non-breaking space entity --- config/squid3/34/squid_antivirus_status.widget.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid_antivirus_status.widget.php b/config/squid3/34/squid_antivirus_status.widget.php index 8d96a3a1..41c8c2fd 100644 --- a/config/squid3/34/squid_antivirus_status.widget.php +++ b/config/squid3/34/squid_antivirus_status.widget.php @@ -140,7 +140,7 @@ function squid_antivirus_statistics() { preg_match("@(\d{1}).(\d{1}).(\d{2})@", shell_exec("{$squid_path} -v"), $squid_version); $version = $squid_version[0]; } - $version .= "  (pkg v{$config['installedpackages']['package'][get_pkg_id("squid3")]['version']})"; + $version .= "  (pkg v{$config['installedpackages']['package'][get_pkg_id("squid3")]['version']})"; } else { pkg_exec("query '%v' squid", $version, $err); } -- cgit v1.2.3 From 2619487aa21f3abde6b93d75b76f0e10602b306b Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 12 Oct 2015 10:43:01 +0200 Subject: Leave the AV cron-based updates accessible even with manual configuration --- config/squid3/34/squid_antivirus.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 8bcb1652..44820257 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml @@ -42,7 +42,7 @@ ]]> squidantivirus - 0.3.9.2 + 0.4.0 Proxy server: Antivirus /usr/local/pkg/squid.inc 
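Review bot: In the added `squid_reverse_upgrade_config()` in squid_reverse.inc, the inner `foreach (explode(";", $cache_peers) as $cache_peer)` iterates over the individual fields. `$cache_peer[0]`, `[1]` and `[2]` are therefore the first three characters of one field, not name, port and protocol (assuming each line of the old setting is one `;`-separated record); the `reverse_acl` and `reverse_uri` loops have the same shape. The mappings block also builds variable names from stored configuration with `${'peer_' . $acl[0]}` and calls `array_push()` on a variable that was never initialised, which a keyed array avoids. The code is moved unchanged from squid_upgrade_config(), so the move is a good place to fix it; blank lines in the old text areas should also be skipped so they do not produce empty 'migrated' entries. A sketch of the changed lines follows.

```php
// … unchanged: squidreversegeneral migration …

// peers
foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers) {
	// one record per line: split it once instead of looping over its fields
	$cache_peer = explode(";", trim($cache_peers));
	if (count($cache_peer) < 3) {
		continue;
	}
	// … unchanged: append the 'migrated' squidreversepeer entry …
}

// mappings
$peers = array();
foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) {
	$acl = explode(";", trim($acls));
	if (count($acl) >= 2) {
		// keyed array instead of variable variables named from config data
		$peers[$acl[0]][] = $acl[1];
	}
}
foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) {
	$uri = explode(";", trim($uris));
	if (count($uri) < 3) {
		continue;
	}
	$peer_list = (isset($peers[$uri[0]]) ? implode(",", $peers[$uri[0]]) : "");
	// … unchanged: append the 'migrated' squidreverseuri entry …
}
```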
@@ -289,7 +289,7 @@ Date: Mon, 12 Oct 2015 10:45:32 +0200 Subject: Leave the AV cron-based updates accessible even with manual configuration --- config/squid3/34/squid_antivirus.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 7af50399..ce8c618d 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -615,7 +615,7 @@ function squid_antivirus_toggle_raw_config($state) { global $config; if ($state) { // manual configuration enabled - $opts = array("clamav_url", "clamav_safebrowsing", "clamav_update", "clamav_dbregion", "clamav_dbservers"); + $opts = array("clamav_url", "clamav_safebrowsing", "clamav_dbregion", "clamav_dbservers"); foreach ($opts as $opt) { if (isset($config['installedpackages']['squidantivirus']['config'][0][$opt])) { unset($config['installedpackages']['squidantivirus']['config'][0][$opt]); -- cgit v1.2.3 From 5a1d66e56c464ed5438b20f3c9b48935cef99c15 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Mon, 12 Oct 2015 10:48:28 +0200 Subject: Leave the AV cron-based updates accessible even with manual configuration --- config/squid3/34/squid_js.inc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/config/squid3/34/squid_js.inc b/config/squid3/34/squid_js.inc index 781b6710..e1eb2e4e 100644 --- a/config/squid3/34/squid_js.inc +++ b/config/squid3/34/squid_js.inc @@ -236,8 +236,7 @@ function on_antivirus_advanced_config_changed() { document.iform['clamav_url'].disabled = 1; document.iform['clamav_safebrowsing'].disabled = 1; document.getElementById('clamav_safebrowsing').checked = 0; - document.iform['clamav_update'].disabled = 1; - document.getElementById("clamav_update").value = ''; + document.iform['clamav_update'].disabled = 0; document.iform['clamav_dbregion'].disabled = 1; document.getElementById("clamav_dbregion").value = ''; document.iform['clamav_dbservers'].disabled = 1; -- cgit v1.2.3 
From 728cff6789e918203f45b5c85e2b823f00f1b3bf Mon Sep 17 00:00:00 2001
From: doktornotor
Date: Mon, 12 Oct 2015 14:03:55 +0200
Subject: Futile attempt to make a fool-proof log message explaining that AV doesn't run without defs
---
 config/squid3/34/squid_antivirus.inc | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc
index ce8c618d..9a678fa9 100644
--- a/config/squid3/34/squid_antivirus.inc
+++ b/config/squid3/34/squid_antivirus.inc
@@ -758,9 +758,11 @@ function squid_restart_antivirus() {
 // Check clamav database
 if (count(glob("/var/db/clamav/*d")) == 0) {
 log_error("[squid] Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background.");
+ log_error("[squid] Do NOT attempt to start ClamAV service until AV definitions are downloaded. Check /var/log/clamav/freshclam.log for progress information.");
 squid_update_clamav();
 } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) {
 log_error("[squid] Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background.");
+ log_error("[squid] ClamAV will be automatically notified about the new definitions when finished. No manual action necessary.");
 squid_update_clamav();
 } elseif ($antivirus_config['clamav_safebrowsing'] != "on" && is_file("/var/db/clamav/safebrowsing.cvd")) {
 log_error("[squid] Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions.");
--
cgit v1.2.3
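Review bot: The condition guarding the new "Do NOT attempt to start ClamAV service" message, `count(glob("/var/db/clamav/*d")) == 0`, does not test what the log text describes. The pattern `*d` matches any entry whose name ends in `d`, not only `*.cvd` and `*.cld`, and `glob()` returns `false` on error, which PHP versions before 8 count as 1. In either case this branch is skipped and the warning is never logged although no definitions are present. I would tighten the check to `$defs = glob("/var/db/clamav/*.c[vl]d");` followed by `if (empty($defs)) {`. squid_restart_antivirus() starts and ends outside this hunk.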