From 633a702b9ff9e427ccdb5a9017066c56454ed90d Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 10:27:12 +0200 Subject: Fix "Finish transfer if less than x KB remaining" validation --- config/squid3/34/squid.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 07d1da26..a2b6dc56 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -953,7 +953,7 @@ function squid_validate_traffic($post, &$input_errors) { if (!empty($post['quick_abort_min'])) { $value = trim($post['quick_abort_min']); - if ((!is_numericint($value)) && ($value !== -1)) { + if ((!is_numericint($value)) && ($value != "-1")) { $input_errors[] = "'Finish when remaining KB' must contain a positive integer or '-1'."; } } -- cgit v1.2.3 From b78cdd190df597857c61a85ee2e3f03c2ad4b16f Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 10:47:29 +0200 Subject: Some package install/deinstall tweaks - Nuke one more state broken cronjob people happen to have on their systems from previous versions - Kill the right processes on uninstall --- config/squid3/34/squid.inc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index a2b6dc56..cde74ebc 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -502,8 +502,9 @@ function squid_install_command() { // remove unwanted PBI rc script unlink_if_exists("/usr/local/etc/rc.d/squid"); - // remove broken cronjob possibly left over after 'Clear Cache on Log Rotate' misfeature + // remove broken cronjobs possibly left over after 'Clear Cache on Log Rotate' misfeature install_cron_job("/usr/local/pkg/swapstate_check.php clean;", false); + install_cron_job("/bin/rm /var/squid/cache/swap.state;", false); } 
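Review bot: The new test `($value != "-1")` in the quick_abort_min check is a loose comparison of two numeric strings, so PHP compares them as numbers and inputs such as `-1.0` or `-1e0` also pass, although the error text promises a positive integer or '-1'. `$value` is the trimmed POST string, so a strict string comparison states the intent exactly: `if ((!is_numericint($value)) && ($value !== "-1")) {`. squid_validate_traffic() starts and ends outside this hunk, so how the accepted value is later written to the Squid configuration is not visible here.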
@@ -516,12 +517,14 @@ function squid_deinstall_command() { /* kill all running services */ update_output_window("Stopping and removing services..."); mwexec('/usr/local/etc/rc.d/sqp_monitor.sh stop'); - mwexec("/bin/ps awux | /usr/bin/grep '[s]quid' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/egrep -i '[s]quid -f|\([s]quid\)' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep '[d]iskd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); mwexec("/bin/ps awux | /usr/bin/grep '[d]nsserver' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); mwexec("/bin/ps awux | /usr/bin/grep '[u]nlinkd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); /* delete rc scripts */ unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh'); + unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); /* clean up created directories if 'Keep Settings/Data' is disabled */ if (is_array($config['installedpackages']['squidcache'])) { -- cgit v1.2.3 From bf982fd21fd14e961249f23264b22bf165b3d2ae Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 10:50:07 +0200 Subject: Don't truncate the hostname if none exists in 'External FQDN' --- config/squid3/34/squid_reverse.inc | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index 9693b21f..f19652b4 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc 
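Review bot: The kill pipelines in squid_deinstall_command() pick PIDs by grepping the whole `ps awux` line, so the added `'[d]iskd'` and the case-insensitive `'[s]quid -f|\([s]quid\)'` match on any column, including the arguments of processes that are not Squid helpers. Matching on the process name is narrower, e.g. `mwexec("/usr/bin/killall diskd");`, the form squid_antivirus.inc already uses for clamd. The same substring selection recurs with `kill -9` for `'[c]-icap'` in squid_stop_antivirus() later in this series, where a false match is killed without a chance to clean up. A short comment above the egrep line naming the process titles the two alternatives are meant to catch would also help; the function body continues outside the hunk.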
@@ -209,7 +209,11 @@ function squid_resync_reverse() { } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) { - $reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.'); + if (substr_count($settings['reverse_external_fqdn'], ".") > 1) { + $reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.'); + } else { + $reverse_external_domain = $settings['reverse_external_fqdn']; + } $conf .= "acl OWA_URI_pfs url_regex -i ^http://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^http://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n"; -- cgit v1.2.3 From 935ceb15cde794e23b0d590a282c0fa4dae53f35 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 10:52:43 +0200 Subject: Account for incremental AV defs updates. The defs get unpacked to *.cld if updated incrementally. Fix whitespace while here. --- config/squid3/34/squid_antivirus_status.widget.php | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/config/squid3/34/squid_antivirus_status.widget.php b/config/squid3/34/squid_antivirus_status.widget.php index 41c8c2fd..377b51f2 100644 --- a/config/squid3/34/squid_antivirus_status.widget.php +++ b/config/squid3/34/squid_antivirus_status.widget.php @@ -44,8 +44,8 @@ global $clamd_path, $cicap_cfg_path, $img; $clamd_path = SQUID_BASE . "/bin/clamd"; $cicap_cfg_path = SQUID_LOCALBASE . "/bin/c-icap-config"; $img = array(); -$img['up'] = ""; -$img['down'] = ""; +$img['up'] = ""; +$img['down'] = ""; function squid_avdb_info($filename) { $stl = "style='padding-top: 0px; padding-bottom: 0px; padding-left: 4px; padding-right: 4px; border-left: 1px solid #999999;'"; 
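Review bot: In the new else branch `$reverse_external_domain` is set to the bare FQDN, but the ACL lines below build the host as `autodiscover{$reverse_external_domain}` and rely on the value starting with a dot; for `example.com` the pattern becomes `autodiscoverexample.com` and the autodiscover ACL never matches. The branch should keep the separator: `$reverse_external_domain = '.' . $settings['reverse_external_fqdn'];`. Separately, the FQDN is interpolated into the `url_regex` patterns unescaped, so each `.` matches any character and the ACL accepts more hostnames than intended; escaping the dots before building `$conf`, e.g. `str_replace('.', '\.', $settings['reverse_external_fqdn'])`, would tighten it, assuming the field is not already normalised elsewhere. squid_resync_reverse() starts and ends outside this hunk.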
@@ -71,10 +71,10 @@ function squid_avdb_info($filename) { function squid_antivirus_bases_info() { $db = ''; $db .= ''; - $db .= squid_avdb_info("daily.cvd"); - $db .= squid_avdb_info("bytecode.cvd"); - $db .= squid_avdb_info("main.cvd"); - $db .= squid_avdb_info("safebrowsing.cvd"); + $avdbs = array("daily.cvd", "daily.cld", "bytecode.cvd", "bytecode.cld", "main.cvd", "main.cld", "safebrowing.cvd", "safebrowing.cld"); + foreach ($avdbs as $avdb) { + $db .= squid_avdb_info($avdb); + } $db .= '
DatabaseDateVersionBuilder
'; return $db; } -- cgit v1.2.3 From 1f3ef70e4a16ef5c8c6bf1a2a885b56c840dd4f7 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 13:26:20 +0200 Subject: Add more logs to the 'Real Time' tab --- config/squid3/34/squid_monitor.php | 99 +++++++++++++++++++++++++++++++++++--- 1 file changed, 91 insertions(+), 8 deletions(-) diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php index 80e15a64..b08372f1 100755 --- a/config/squid3/34/squid_monitor.php +++ b/config/squid3/34/squid_monitor.php @@ -130,13 +130,13 @@ include("head.inc"); - + + +
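Review bot: The new `$avdbs` list in squid_antivirus_bases_info() spells its last two entries `safebrowing.cvd` and `safebrowing.cld`, while the removed line passed `safebrowsing.cvd`, so the Safe Browsing database no longer appears in the widget. Correct both names: `"safebrowsing.cvd", "safebrowsing.cld"`. What squid_avdb_info() returns for a file that does not exist is outside this hunk; if it emits a row anyway, listing both `.cvd` and `.cld` for every database doubles the table, so it is worth confirming that missing files are skipped.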
- + + +
+
@@ -159,7 +176,6 @@ include("head.inc"); @@ -167,18 +183,85 @@ include("head.inc");
- + + + + + +
+ + + + + + + +
+
+ + + + + +
+ + + + + + + +
+
+ + + + + +
+ + + + + + + +
+
+ + + + + +
+ + + + + + + +
+
+ \n"; @@ -75,6 +72,30 @@ if ($_POST) { echo "\n"; } break; + case 'squid_cache'; + // Define log file + $log = '/var/squid/logs/cache.log'; + // Show table headers + show_tds(array("Date-Time", "Message")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by delimiter + $logline = preg_split("@\|@", $logent); + + // Replace some build host nonsense and apply time format + $logline[0] = date("d.m.Y H:i:s", strtotime(str_replace("kid1", "", $logline[0]))); + + // Word wrap the message + $logline[1] = htmlentities($logline[1]); + $logline[1] = html_autowrap($logline[1]); + + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } + break; case 'sguard'; $log = '/var/squidGuard/log/block.log'; // Show table headers @@ -107,7 +128,7 @@ if ($_POST) { echo "\n"; } break; - case 'clamav'; + case 'cicap_virus'; // Define log file $log = '/var/log/c-icap/virus.log'; // Show table headers @@ -115,7 +136,7 @@ if ($_POST) { // Fetch lines $logarr = fetch_log($log); foreach ($logarr as $logent) { - // Split line by space delimiter + // Split line by delimiter $logline = preg_split("/\|/", $logent); // Apply time format 
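Review bot: In the new `squid_cache` case, `preg_split("@\|@", $logent)` has no limit and only `$logline[1]` is printed, so a cache.log message that itself contains `|` is cut at the second delimiter, and a line with no `|` leaves `$logline[1]` undefined while `strtotime()` is fed the whole line. Splitting once and skipping malformed lines avoids both: `$logline = explode('|', $logent, 2);` followed by `if (count($logline) < 2) { continue; }`. The `cicap_access` and `cicap_server` cases added in the next hunk of this file split on `,` the same way and need the same treatment (limit 2 and 3 respectively). A log viewer that silently drops part of a message hides exactly the detail an operator is looking for.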
@@ -135,7 +156,91 @@ if ($_POST) { echo "\n"; } break; - } + case 'cicap_access'; + // Define log file + $log = '/var/log/c-icap/access.log'; + // Show table headers + show_tds(array("Date-Time", "Message")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by delimiter + $logline = preg_split("/,/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y H:i:s", strtotime($logline[0])); + + // Word wrap the message + $logline[1] = htmlentities($logline[1]); + $logline[1] = html_autowrap($logline[1]); + + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } + break; + case 'cicap_server'; + // Define log file + $log = '/var/log/c-icap/server.log'; + // Show table headers + show_tds(array("Date-Time", "Message")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by delimiter + $logline = preg_split("/,/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y H:i:s", strtotime($logline[0])); + + // Word wrap the message + $logline[2] = htmlentities($logline[2]); + $logline[2] = html_autowrap($logline[2]); + + echo "\n"; + echo "\n"; + echo "\n"; + echo "\n"; + } + break; + case 'freshclam'; + // Define log file + $log = '/var/log/clamav/freshclam.log'; + // Show table headers + show_tds(array("Message")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + $logline = preg_split("/\n/", $logent); + // Word wrap the message + $logline[0] = htmlentities($logline[0]); + $logline[0] = html_autowrap($logline[0]); + + echo "\n"; + echo "\n"; + echo "\n"; + } + break; + case 'clamd'; + // Define log file + $log = '/var/log/clamav/clamd.log'; + // Show table headers + show_tds(array("Message")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + $logline = preg_split("/\n/", $logent); + // Word wrap the message + $logline[0] = htmlentities($logline[0]); + $logline[0] = html_autowrap($logline[0]); + + echo "\n"; 
+ echo "\n"; + echo "\n"; + } + break; + } } /* Functions */ -- cgit v1.2.3 From b65d0c259ba92a4f6f99633dace1bbdadc581679 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 14:34:35 +0200 Subject: Fix XHTML validation --- config/squid3/34/squid_monitor.php | 55 ++++++++++++++++++++++++-------------- 1 file changed, 35 insertions(+), 20 deletions(-) diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php index b08372f1..4bc65b15 100755 --- a/config/squid3/34/squid_monitor.php +++ b/config/squid3/34/squid_monitor.php @@ -93,7 +93,7 @@ include("head.inc");
- + - +
-- cgit v1.2.3 From 43954854e64ff6a976d2387c38e76cc0e184a6a8 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 13:28:06 +0200 Subject: Add more logs to the 'Real Time' tab and fix a typo in tag --- config/squid3/34/squid_monitor_data.php | 119 ++++++++++++++++++++++++++++++-- 1 file changed, 112 insertions(+), 7 deletions(-) diff --git a/config/squid3/34/squid_monitor_data.php b/config/squid3/34/squid_monitor_data.php index c2c3264d..747699cd 100755 --- a/config/squid3/34/squid_monitor_data.php +++ b/config/squid3/34/squid_monitor_data.php @@ -49,9 +49,6 @@ if ($_POST) { // Split line by space delimiter $logline = preg_split("/\s+/", $logent); - // Apply date format to first line - //$logline[0] = date("d.m.Y H:i:s",$logline[0]); - // Word wrap the URL $logline[7] = htmlentities($logline[7]); $logline[7] = html_autowrap($logline[7]); @@ -62,7 +59,7 @@ if ($_POST) { // Apply filter and color // Need validate special chars if ($filter != "") { - $logline = preg_replace("@($filter)@i","$1", $logline); + $logline = preg_replace("@($filter)@i","$1", $logline); } echo "
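Review bot: The `preg_replace("@($filter)@i", ...)` line this hunk re-adds still places `$filter` into the pattern unquoted, which the context comment `// Need validate special chars` already acknowledges. The code sits under `if ($_POST)`, so `$filter` presumably comes from the request; a value containing `@` or an unbalanced parenthesis then ends or breaks the pattern, and the submitted text rather than the code decides where the pattern stops and which modifiers apply. Use `preg_quote($filter, '@')` in place of `$filter` when building the pattern, leaving the replacement argument as it is. The page extraction cuts this hunk, so the replacement string and the echo that follows are not fully visible here.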
{$logline[0]}{$logline[1]}
{$logline[0]}{$logline[1]}
{$logline[0]}{$logline[2]}
{$logline[0]}
{$logline[0]}
-
+ @@ -135,14 +135,15 @@ include("head.inc"); @@ -153,13 +154,15 @@ include("head.inc"); @@ -171,13 +174,15 @@ include("head.inc"); @@ -188,13 +193,15 @@ include("head.inc"); @@ -205,13 +212,15 @@ include("head.inc"); @@ -222,13 +231,15 @@ include("head.inc"); @@ -239,13 +250,15 @@ include("head.inc"); @@ -256,13 +269,15 @@ include("head.inc"); -- cgit v1.2.3 From 0b788eefbb4eca975ec507bab0cff519e4f72b1c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 14:35:37 +0200 Subject: Nuke unwanted div tag --- config/squid3/34/squid_monitor.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php index 4bc65b15..f178bacc 100755 --- a/config/squid3/34/squid_monitor.php +++ b/config/squid3/34/squid_monitor.php @@ -274,9 +274,9 @@ include("head.inc");
- + - + +
+
- + - + +
+
- + - + +
+
- + - + +
+
- + - + +
+
- + - + +
+
- + - + +
+
- + - + - + +
-
+
-- cgit v1.2.3 From 33fa9cc2a00c128dbd6578521336b2bf48d2ee8d Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 14:58:22 +0200 Subject: Fix input size tags --- config/squid3/34/squid_antivirus.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 44820257..8e089ddd 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml @@ -42,7 +42,7 @@ ]]> squidantivirus - 0.4.0 + 0.4.1 Proxy server: Antivirus /usr/local/pkg/squid.inc @@ -148,7 +148,7 @@ ]]> input - 60 + 60 @@ -229,7 +229,7 @@ ]]> input - 60 + 60 squidclamav.conf -- cgit v1.2.3 From bfba2284a7436d2ab844b455c6aeaca49b73a5de Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 15:33:26 +0200 Subject: Put in more logging, move AV service stop to a separate function, deinstall cleanup --- config/squid3/34/squid_antivirus.inc | 85 ++++++++++++++++++++++-------------- 1 file changed, 52 insertions(+), 33 deletions(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 9a678fa9..0619549e 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -42,9 +42,11 @@ function squid_check_clamav_user() { return; } else { if (!exec("/usr/sbin/pw usershow clamav")) { + log_error("[squid] Adding clamav user."); mwexec("/usr/sbin/pw useradd clamav -G wheel -u 9595 -s /sbin/nologin"); } if (!exec("/usr/sbin/pw groupshow wheel | /usr/bin/grep clamav")) { + log_error("[squid] Adding clamav user to wheel group."); mwexec("/usr/sbin/pw usermod clamav -G wheel"); } } 
@@ -147,21 +149,10 @@ function squid_antivirus_install_command() { /* Run on Squid package uninstall */ function squid_antivirus_deinstall_command() { global $config, $keep; - /* kill all running services */ - if (is_process_running("c-icap")) { - mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); - } - mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + /* Stop all running services, remove rc scripts and cronjobs */ + squid_stop_antivirus(); mwexec("/bin/ps awux | /usr/bin/grep '[f]reshclam' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); - /* remove cronjobs */ - squid_install_freshclam_cron(false); - - /* delete rc scripts */ - unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); - unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); - unlink_if_exists('/usr/local/etc/rc.d/clamd.sh'); - /* clean up created PBI symlinks */ update_output_window("Finishing package cleanup."); if (SQUID_LOCALBASE != '/usr/local') { @@ -656,11 +647,11 @@ function squid_antivirus_put_raw_config($rawfiles) { break; case 'raw_freshclam_conf': $confdir = ""; - $conffile = "freshclam.conf"; + $conffile = "/freshclam.conf"; break; case 'raw_clamd_conf': $confdir = ""; - $conffile = "clamd.conf"; + $conffile = "/clamd.conf"; break; default: $confdir = ""; 
@@ -677,10 +668,11 @@ function squid_antivirus_put_raw_config($rawfiles) { /* Helper function for squid_antivirus_put_raw_config() */ function squid_antivirus_write_conffile($dir, $file, $text) { if ($file && $text) { - if (!file_put_contents(SQUID_LOCALBASE . "/etc" . "{$dir}" . "/{$file}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) { - log_error("[squid] Could not save '{$file}' configuration file."); + $cfgfile = SQUID_LOCALBASE . "/etc" . "{$dir}" . "{$file}"; + if (!file_put_contents("{$cfgfile}", preg_replace("/\r\n/", "\n", base64_decode($text)), LOCK_EX)) { + log_error("[squid] Could not save '{$cfgfile}' configuration file."); } else { - log_error("[squid] Saved '{$file}' configuration file."); + log_error("[squid] Saved '{$cfgfile}' configuration file."); } } } @@ -697,7 +689,7 @@ function squid_write_clamd_rcfile() { $rc['start'] = <<< EOD if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ]; then - echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" + echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first!" exit 1 fi @@ -717,6 +709,7 @@ fi EOD; conf_mount_rw(); + log_error("[squid] Creating 'clamd.sh' rc script."); write_rcfile($rc); conf_mount_ro(); } @@ -730,6 +723,7 @@ function squid_write_cicap_rcfile() { $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}"; $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'; conf_mount_rw(); + log_error("[squid] Creating '{$c_icap_rcfile}' rc script."); write_rcfile(array( "file" => "{$c_icap_rcfile}", "start" => "{$cicap_start_cmd}", @@ -739,7 +733,7 @@ function squid_write_cicap_rcfile() { conf_mount_ro(); } -/* (Re)start antivirus services if AV features are enabled; otherwise stop and disable them */ +/* (Re)start antivirus services if AV features are enabled */ function squid_restart_antivirus() { global $config; if (is_array($config['installedpackages']['squidantivirus'])) { 
@@ -751,6 +745,7 @@ function squid_restart_antivirus() { // reconfigure and (re)start service as needed if enabled, otherwise stop them // do not (re)start antivirus services on boot if (platform_booting()) { + log_error("[squid] Skipping antivirus services (re)start on boot."); return; } @@ -758,7 +753,7 @@ function squid_restart_antivirus() { // Check clamav database if (count(glob("/var/db/clamav/*d")) == 0) { log_error("[squid] Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); - log_error("[squid] Do NOT attempt to start ClamAV service until AV definitions are downloaded. Check /var/log/clamav/freshclam.log for progress information."); + log_error("[squid] Do NOT attempt to start ClamAV service until AV definitions are downloaded."); squid_update_clamav(); } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) { log_error("[squid] Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); 
@@ -789,31 +784,55 @@ function squid_restart_antivirus() { squid_write_cicap_rcfile(); } if (is_process_running("c-icap")) { + log_error("[squid] Reloading C-ICAP..."); mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); } else { + log_error("[squid] Starting C-ICAP..."); mwexec_bg("{$c_icap_rcfile} start"); } } else { // stop AV services and disable all C-ICAP/AV features log_error("[squid] Antivirus features disabled."); - if (is_process_running("clamd")) { - log_error("[squid] Stopping and disabling ClamAV..."); - mwexec("/usr/bin/killall clamd"); - } - unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); - - // freshclam cronjob - squid_install_freshclam_cron(false); + squid_stop_antivirus(); + } +} - // check c-icap rcfile +/* Stop AV services and disable all C-ICAP/AV features */ +function squid_stop_antivirus() { + // Stop C-ICAP + if (is_process_running("c-icap")) { + log_error("[squid] Stopping and disabling C-ICAP..."); + mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + sleep(5); if (is_process_running("c-icap")) { - log_error("[squid] Stopping and disabling C-ICAP..."); - mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); + log_error("[squid] C-ICAP still running, forcibly killing c-icap process(es)."); + mwexec("/bin/ps awux | /usr/bin/grep '[c]-icap' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill -9"); + } + } + unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); + + // Stop ClamAV + if (is_process_running("clamd")) { + log_error("[squid] Stopping and disabling ClamAV..."); + mwexec("/usr/bin/killall clamd"); + // sleep for a couple of seconds to give clamd a chance to perform clean exit + for ($i = 0; $i < 10; $i++) { + if (is_process_running('clamd')) { + sleep(1); + } } - unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); } + if (is_process_running("clamd")) { + log_error("[squid] ClamAV still running, forcibly killing clamd process(es)."); + mwexec("/usr/bin/killall -9 clamd"); + } + 
unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); + + // Remove freshclam cronjob + squid_install_freshclam_cron(false); } + /* * Input validation */ -- cgit v1.2.3 From 45aded2d2c8e6c947d40706525abf930baa40c34 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 15:52:03 +0200 Subject: Don't default 'Throttle Only Specific Extensions' to on Avoids creating empty ACL when users don't specify anything else here. --- config/squid3/34/squid_traffic.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/config/squid3/34/squid_traffic.xml b/config/squid3/34/squid_traffic.xml index bd01bbb7..9364ef56 100755 --- a/config/squid3/34/squid_traffic.xml +++ b/config/squid3/34/squid_traffic.xml @@ -160,7 +160,6 @@ Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled. checkbox throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others - on Throttle Binary Files -- cgit v1.2.3 From a7f8506c32dae34ad0fd39e7989eb0c8ba25370b Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 16:11:44 +0200 Subject: Put validation to 'Throttle Only Specific Extensions' to avoid an empty ACL --- config/squid3/34/squid.inc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index cde74ebc..d8598141 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
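Review bot: squid_stop_antivirus() always blocks for `sleep(5)` after writing `stop` to the C-ICAP control file, even when c-icap exits at once, while the clamd branch below it polls `is_process_running()` once per second. Using the same polling form keeps the two branches consistent and shortens GUI saves and uninstalls: `for ($i = 0; $i < 5 && is_process_running("c-icap"); $i++) { sleep(1); }`. The forced-kill fallback for c-icap selects PIDs by grepping `ps` output rather than by process name as the clamd fallback does; `mwexec("/usr/bin/killall -9 c-icap");` would match the clamd branch, provided the process name is exactly `c-icap`.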
@@ -974,6 +974,14 @@ function squid_validate_traffic($post, &$input_errors) { $input_errors[] = "'Finish when remaining %' must contain valid percentage (1-100)."; } } + + if ($post['throttle_specific'] == "on") { + $others = trim($post['throttle_others']); + if ($post['throttle_binaries'] == "" && $post['throttle_cdimages'] == "" && $post['throttle_multimedia'] == "" && $others == "") { + $input_errors[] = "'Throttle Only Specific Extensions' enabled but no extensions specified. Select some options under 'Squid Transfer Extension Settings' or disable this option."; + } + } + } /* Proxy Server: Authentication input validation */ -- cgit v1.2.3 From 851ea5731648682e796658cfe80c805999697f23 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 16:22:36 +0200 Subject: Fix linebreaks here Reported by dsefcik @ https://forum.pfsense.org/index.php?topic=100825.0 --- config/squid3/34/squid.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index d8598141..f9fe2c02 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -1777,7 +1777,7 @@ function squid_resync_auth() { $conf .= "http_access allow $acl\n"; } } else { - $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + $noauth = implode(' ', explode("\n", sq_text_area_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { $conf .= "acl noauth src $noauth\n"; $valid_acls[] = 'noauth'; -- cgit v1.2.3 From dfbdb090f15eb0818e0021e2127afa0e6a5b143e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 20:19:22 +0200 Subject: Unlink throttle_exts.acl if 'Throttle Only Specific Extensions' is disabled --- config/squid3/34/squid.inc | 1 + 1 file changed, 1 insertion(+) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index f9fe2c02..3161a2a5 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -1631,6 +1631,7 @@ EOD; $conf .= "delay_access 1 allow throttle_exts\n"; $conf .= "delay_access 1 deny allsrc\n"; } else { + unlink_if_exists(SQUID_ACLDIR . '/throttle_exts.acl'); $conf .= "delay_access 1 allow allsrc\n"; } -- cgit v1.2.3 From fd10cef996f12b543d79aed2919651c7f7f1e8c4 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 20:51:49 +0200 Subject: Unset reverse proxy mappings if 'Keep Settings/Data' is disabled Reported by stanthewizard @ https://forum.pfsense.org/index.php?topic=100783.0 --- config/squid3/34/squid.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 3161a2a5..21d269a3 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -603,6 +603,9 @@ function squid_deinstall_command() { if (is_array($config['installedpackages']['squidreverseredir'])) { unset($config['installedpackages']['squidreverseredir']); } + if (is_array($config['installedpackages']['squidreverseuri'])) { + unset($config['installedpackages']['squidreverseuri']); + } if (is_array($config['installedpackages']['squidsync'])) { unset($config['installedpackages']['squidsync']); } -- cgit v1.2.3 From 4978d111b52ca1e7f324a557d7f299c5a5c79e40 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 21:50:28 +0200 Subject: Only try to remove old cachedir if it was actually configured, instead of unset --- config/squid3/34/squid_cache.xml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/config/squid3/34/squid_cache.xml b/config/squid3/34/squid_cache.xml index 47471df9..b4f1aedf 100755 --- a/config/squid3/34/squid_cache.xml +++ b/config/squid3/34/squid_cache.xml @@ -42,8 +42,8 @@ ]]> squidcache - 0.4.0 - Proxy Server: Cache management + 0.4.1 + Proxy Server: Cache Management /usr/local/pkg/squid.inc 
@@ -410,7 +410,9 @@ // do not leave orphaned cachedirs if harddisk_cache_location changed if ($_POST['harddisk_cache_location'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_location']) { $oldcachedir = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_location']; - $cachedir_changed = true; + if ($oldcachedir != "") { + $cachedir_changed = true; + } } ]]> -- cgit v1.2.3 From 64ca4e60a636b08466fbfc089b027af005cb036c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 21:58:24 +0200 Subject: Point users to 'Real Time' tab for freshclam logs. --- config/squid3/34/squid_antivirus.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 8e089ddd..495ef342 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml @@ -43,7 +43,7 @@ squidantivirus 0.4.1 - Proxy server: Antivirus + Proxy Server: Antivirus /usr/local/pkg/squid.inc @@ -173,7 +173,7 @@ Select the desired frequency here.

Click the button to update AV databases now.
- Note: This will take a while. Check /var/log/clamav/freshclam.log for progress information. + Note: This will take a while. Check freshclam log on the 'Real Time' tab for progress information. ]]> select -- cgit v1.2.3 From 8cee679649f8d364bec2fede8f39f51bc29bebd1 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 22:00:42 +0200 Subject: Point users to 'Real Time' tab for freshclam logs. --- config/squid3/34/squid_antivirus.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid3/34/squid_antivirus.inc b/config/squid3/34/squid_antivirus.inc index 0619549e..6e5823b7 100644 --- a/config/squid3/34/squid_antivirus.inc +++ b/config/squid3/34/squid_antivirus.inc @@ -100,7 +100,7 @@ function squid_install_freshclam_cron($should_install) { /* Manually update ClamAV virus definitions via the GUI button */ function squid_update_clamav() { squid_check_antivirus_dirs(); - log_error("[squid] Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information."); + log_error("[squid] Updating ClamAV definitions now... This will take a while. Check freshclam log on the 'Real Time' tab for progress information."); mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); } -- cgit v1.2.3 From b0384360be4ba55a09665aabcfaa3efd414484bc Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 22:04:03 +0200 Subject: Use consistent case in title and bump version --- config/squid3/34/squid_traffic.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_traffic.xml b/config/squid3/34/squid_traffic.xml index 9364ef56..810fa62d 100755 --- a/config/squid3/34/squid_traffic.xml +++ b/config/squid3/34/squid_traffic.xml @@ -42,8 +42,8 @@ ]]> squidtraffic - 0.3.5 - Proxy server: Traffic Management + 0.4.1 + Proxy Server: Traffic Management /usr/local/pkg/squid.inc -- cgit v1.2.3 
From 178956f538454b1054b46c6cade96a13a7c7072e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 22:05:49 +0200 Subject: Use consistent case in title and bump version --- config/squid3/34/squid_users.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_users.xml b/config/squid3/34/squid_users.xml index c47395b9..fb791b9e 100755 --- a/config/squid3/34/squid_users.xml +++ b/config/squid3/34/squid_users.xml @@ -42,8 +42,8 @@ ]]> squidusers - 0.3.5 - Proxy server: Local users + 0.4.1 + Proxy Server: Local Users /usr/local/pkg/squid.inc A proxy server user has been deleted. A proxy server user has been created/modified. -- cgit v1.2.3 From 936820a8d402f28db171495d7bab2ec12adf7e37 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 22:07:17 +0200 Subject: Use consistent case in title and bump version --- config/squid3/34/squid_sync.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml index 60e1190c..2f86b7c6 100755 --- a/config/squid3/34/squid_sync.xml +++ b/config/squid3/34/squid_sync.xml @@ -42,8 +42,8 @@ ]]> squidsync - 0.3.7 - Proxy server: XMLRPC Sync + 0.4.1 + Proxy Server: XMLRPC Sync /usr/local/pkg/squid.inc -- cgit v1.2.3 From 5e67138a537b9d6355b90f91df7364b289e25a37 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 22:11:47 +0200 Subject: Use consistent case in tabs name and bump version --- config/squid3/34/squid_reverse_sync.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml index eb52540f..139c73c3 100755 --- a/config/squid3/34/squid_reverse_sync.xml +++ b/config/squid3/34/squid_reverse_sync.xml @@ -42,7 +42,7 @@ ]]> squidsync - 0.3.7 + 0.4.1 Reverse Proxy Server: XMLRPC Sync /usr/local/pkg/squid.inc 
@@ -63,7 +63,7 @@ /pkg.php?xml=squid_reverse_redir.xml - Real time + Real Time /squid_monitor.php?menu=reverse -- cgit v1.2.3 From bd2c369be01a5c5dca9f76c1c34b33ef381225da Mon Sep 17 00:00:00 2001 From: doktornotor Date: Wed, 14 Oct 2015 22:17:09 +0200 Subject: Use consistent case in tabs name --- config/squid3/34/squid_monitor.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php index f178bacc..840d9a60 100755 --- a/config/squid3/34/squid_monitor.php +++ b/config/squid3/34/squid_monitor.php @@ -74,7 +74,7 @@ include("head.inc"); $tab_array[] = array(gettext("Web Servers"), false, "/pkg.php?xml=squid_reverse_peer.xml"); $tab_array[] = array(gettext("Mappings"), false, "/pkg.php?xml=squid_reverse_uri.xml"); $tab_array[] = array(gettext("Redirects"), false, "/pkg.php?xml=squid_reverse_redir.xml"); - $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php?menu=reverse"); + $tab_array[] = array(gettext("Real Time"), true, "/squid_monitor.php?menu=reverse"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_reverse_sync.xml"); } else { $tab_array[] = array(gettext("General"), false, "/pkg_edit.php?xml=squid.xml&id=0"); @@ -85,7 +85,7 @@ include("head.inc"); $tab_array[] = array(gettext("Traffic Mgmt"), false, "/pkg_edit.php?xml=squid_traffic.xml&id=0"); $tab_array[] = array(gettext("Authentication"), false, "/pkg_edit.php?xml=squid_auth.xml&id=0"); $tab_array[] = array(gettext("Users"), false, "/pkg.php?xml=squid_users.xml"); - $tab_array[] = array(gettext("Real time"), true, "/squid_monitor.php"); + $tab_array[] = array(gettext("Real Time"), true, "/squid_monitor.php"); $tab_array[] = array(gettext("Sync"), false, "/pkg_edit.php?xml=squid_sync.xml"); } display_top_tabs($tab_array); -- cgit v1.2.3 From 54b7b9dc0afd16198fd859fa4422ea38e982a74e Mon Sep 17 00:00:00 2001 
From: doktornotor Date: Wed, 14 Oct 2015 23:58:25 +0200 Subject: Improve description. --- config/squid3/34/squid_nac.xml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/config/squid3/34/squid_nac.xml b/config/squid3/34/squid_nac.xml index 4a81ac91..d621231f 100755 --- a/config/squid3/34/squid_nac.xml +++ b/config/squid3/34/squid_nac.xml @@ -42,7 +42,7 @@ ]]> squidnac - 0.3.5 + 0.4.1 Proxy Server: Access Control /usr/local/pkg/squid.inc @@ -98,9 +98,10 @@ allowed_subnets - The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24).

- Note: The proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy. + Enter subnets that are allowed to use the proxy.
+ The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24).
+ The proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy.
+ Note: Put each entry on a separate line. ]]>
textarea -- cgit v1.2.3 From 509120a29dba7761c6fcd0b63eb34ab8db3e904f Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 15 Oct 2015 03:28:43 +0200 Subject: Don't downgrade client SSL/TLS connections with SSL MITM junk (Bug #4453) --- config/squid3/34/squid.inc | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 21d269a3..3dafded6 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
@@ -1079,12 +1079,21 @@ function squid_resync_general() { // cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, sslcontext $crt_pk = SQUID_CONFBASE . "/serverkey.pem"; $crt_capath = SQUID_LOCALBASE . "/share/certs/"; + /* XXX: Bug #4453 + * http://wiki.squid-cache.org/ConfigExamples/Intercept/SslBumpExplicit#Modern_DH.2Fciphers_usage + */ + //$sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"; + $sslproxy_cipher = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"; + $sslproxy_dhparams = "/etc/dh-parameters.2048"; + $sslproxy_options = "NO_SSLv2,NO_SSLv3,SINGLE_DH_USE"; file_put_contents($crt_pk, base64_decode($srv_cert['prv']) . base64_decode($srv_cert['crt'])); $sslcrtd_children = ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); - $ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath}\n"; + $ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath} cipher={$sslproxy_cipher} dhparams={$sslproxy_dhparams} options={$sslproxy_options}\n"; $interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . 
" -M 4MB -b 2048\n"; $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; $interception_checks .= "sslproxy_capath {$crt_capath}\n"; + $interception_checks .= "sslproxy_options {$sslproxy_options}\n"; + $interception_checks .= "sslproxy_cipher {$sslproxy_cipher}\n"; if (preg_match("/sslproxy_cert_error/", $settings["interception_checks"])) { $interception_checks .= "sslproxy_cert_error allow all\n"; } -- cgit v1.2.3 From f327b39571d6f45531d14da59c155964372e7c71 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 15 Oct 2015 11:04:50 +0200 Subject: Bump squid3 package version --- pkg_config.10.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 7dac43b3..2ed6336d 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml @@ -1052,7 +1052,7 @@ https://forum.pfsense.org/index.php/topic,48347.0.html http://www.squid-cache.org/ Network - 0.4.0 + 0.4.1 beta 2.2 marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org -- cgit v1.2.3
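Review bot: `$sslproxy_dhparams` is hard-coded to `/etc/dh-parameters.2048` and written into the `ssl-bump` port line with no check that the file exists, so on a system without it the `EDH+aRSA` suites presumably cannot be offered and Squid may warn or refuse the port. A guard such as `if (!file_exists($sslproxy_dhparams)) { log_error("[squid] DH parameters file {$sslproxy_dhparams} not found."); }` before the line is built, with `dhparams=` appended only when the file is present, would make that failure visible. In the cipher string, `EECDH+aRSA+RC4` is cancelled by the later `!RC4`, and the added `HIGH` also admits suites without forward secrecy (plain RSA key exchange in OpenSSL's cipher syntax); a comment stating that `HIGH` is a deliberate compatibility fallback, together with removing the commented-out previous string, would keep the intent clear. `SINGLE_DH_USE` is a server-side option, so it likely has no effect in `sslproxy_options`, which governs Squid's outgoing connections. `squid_resync_general()` begins and ends outside this hunk.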