From 7c6bdcb88f5d0a57fdc9c0b2025260b556005655 Mon Sep 17 00:00:00 2001
From: alainabbas
Date: Wed, 12 Nov 2014 16:36:28 +0100
Subject: Update squid_reverse.inc
Adding the Certificate peer authentication in the reverse proxy and the revocation list
---
 config/squid3/33/squid_reverse.inc | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/config/squid3/33/squid_reverse.inc b/config/squid3/33/squid_reverse.inc
index 1332f220..152d3d12 100755
--- a/config/squid3/33/squid_reverse.inc
+++ b/config/squid3/33/squid_reverse.inc
@@ -58,8 +58,27 @@ function squid_resync_reverse() {
 $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
 }
 }
+ }
+ //Add Ca certificate for Client Validation
+ if (isset($settings["reverse_check_clientca"]) && $settings["reverse_check_clientca"] == "on") {
+ $clientca_cert=lookup_ca($settings["reverse_ssl_clientca"]);
+ $clientca_prm='';
+ if ( $clientca_cert != false){
+ if(base64_decode($clientca_cert['crt'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientca"]}.crt",sq_text_area_decode($clientca_cert['crt']));
+ $clientca_prm = "clientca=" . SQUID_CONFBASE . "/{$settings["reverse_ssl_clientca"]}.crt ";
+ }
+ }
+ $crl=lookup_crl($settings["reverse_ssl_clientcrl"]);
+ crl_update($crl);
+ if ( $crl != false){
+ if(base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl",base64_decode($crl['text']));
+ $clientca_prm .= "crlfile=" . SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl sslflags=VERIFY_CRL ";
+ }
+ }
 }
-
+
 if (!empty($settings['reverse_int_ca']))
 file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
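Review bot: `$clientca_prm` is only ever assigned inside the `reverse_check_clientca == "on"` branch added here, but the `https_port` line in the @@ -82 hunk concatenates `.$clientca_prm.` unconditionally, so whenever client-certificate validation is switched off the HTTPS port directive is built from an undefined variable (an E_NOTICE on every resync, and it silently relies on PHP coercing it to an empty string). Initialise it before the guard instead: `$clientca_prm = '';` immediately above `if (isset($settings["reverse_check_clientca"]) ...`, and drop the copy inside the branch. `crl_update($crl);` is also called before `$crl != false` is checked, so a CRL reference that lookup_crl() cannot resolve is handed straight to crl_update(); moving the call inside the `if ( $crl != false){` block avoids that. Note that when no CRL resolves the port is still emitted with `clientca=` but without `crlfile=`/`sslflags=VERIFY_CRL`, which presumably means revoked client certificates are still accepted — a one-line comment stating that this is the intended fallback (or a logged warning at that point) would make the behaviour explicit to whoever configures it. squid_resync_reverse() begins and ends outside this hunk.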
@@ -82,7 +101,7 @@ function squid_resync_reverse() {
 $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
 //HTTPS
 if (!empty($settings['reverse_https']))
- $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} ".$clientca_prm."key={$reverse_key} defaultsite={$https_defsite} vhost\n";
 }
 }
@@ -242,4 +261,17 @@ function squid_resync_reverse() {
 return $conf;
 }
+function squid_refresh_crl()
+{
+ global $config;
+ if (isset($settings["reverse_check_clientca"]) && $settings["reverse_check_clientca"] == "on") {
+ $crl=lookup_crl($settings["reverse_ssl_clientcrl"]);
+ crl_update($crl);
+ if ( $crl != false){
+ if(base64_decode($crl['text'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_clientcrl"]}.crl",base64_decode($crl['text']));
+ }
+ }
+ }
+}
 ?>
-- 
cgit v1.2.3
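Review bot: squid_refresh_crl() never defines `$settings` — it declares `global $config;` but then tests `$settings["reverse_check_clientca"]`, which is undefined in this function's scope, so `isset()` is always false and the function is a no-op; the CRL file on disk is never refreshed by it. It needs to derive `$settings` from `$config` the same way squid_resync_reverse() does at its top (that initialisation sits outside these hunks), and `global $config` is otherwise unused. The body is a copy of the CRL part of the @@ -58 hunk, including the `crl_update($crl);` call made before `$crl != false` is checked; pulling that into one helper both call sites use would keep the two from drifting. Rewriting the file alone presumably does not make a running Squid reload the CRL, so whichever caller invokes this (not visible here) should trigger a reconfigure afterwards.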