From c8539d3211d79c628b59bdcc3eb363cc00e93707 Mon Sep 17 00:00:00 2001 
From: Marcello Coutinho Date: Thu, 20 Nov 2014 16:09:48 -0200 Subject: squid3.4 - first package files --- config/squid3/34/check_ip.php | 86 + config/squid3/34/pkg_squid.inc | 11 + config/squid3/34/sqpmon.sh | 75 + config/squid3/34/squid.inc | 2463 ++++++++++++++++++++++++++++ config/squid3/34/squid.xml | 582 +++++++ config/squid3/34/squid_antivirus.xml | 158 ++ config/squid3/34/squid_auth.inc | 446 +++++ config/squid3/34/squid_auth.xml | 270 +++ config/squid3/34/squid_cache.xml | 322 ++++ config/squid3/34/squid_cpauth.php | 24 + config/squid3/34/squid_extauth.xml | 106 ++ config/squid3/34/squid_ident.php | 148 ++ config/squid3/34/squid_log_parser.php | 57 + config/squid3/34/squid_monitor.php | 200 +++ config/squid3/34/squid_monitor_data.php | 175 ++ config/squid3/34/squid_nac.xml | 191 +++ config/squid3/34/squid_ng.inc | 1070 ++++++++++++ config/squid3/34/squid_ng.xml | 267 +++ config/squid3/34/squid_reverse.inc | 245 +++ config/squid3/34/squid_reverse.xml | 365 +++++ config/squid3/34/squid_reverse_general.xml | 257 +++ config/squid3/34/squid_reverse_peer.xml | 167 ++ config/squid3/34/squid_reverse_redir.xml | 182 ++ config/squid3/34/squid_reverse_sync.xml | 135 ++ config/squid3/34/squid_reverse_uri.xml | 159 ++ config/squid3/34/squid_sync.xml | 151 ++ config/squid3/34/squid_traffic.xml | 208 +++ config/squid3/34/squid_upstream.xml | 361 ++++ config/squid3/34/squid_users.xml | 137 ++ config/squid3/34/swapstate_check.php | 65 + pkg_config.10.xml | 8 +- 31 files changed, 9087 insertions(+), 4 deletions(-) create mode 100644 config/squid3/34/check_ip.php create mode 100644 config/squid3/34/pkg_squid.inc create mode 100644 config/squid3/34/sqpmon.sh create mode 100755 config/squid3/34/squid.inc create mode 100644 config/squid3/34/squid.xml create mode 100755 config/squid3/34/squid_antivirus.xml create mode 100644 config/squid3/34/squid_auth.inc create mode 100755 config/squid3/34/squid_auth.xml create mode 100755 config/squid3/34/squid_cache.xml create mode 100644 
config/squid3/34/squid_cpauth.php create mode 100644 config/squid3/34/squid_extauth.xml create mode 100644 config/squid3/34/squid_ident.php create mode 100755 config/squid3/34/squid_log_parser.php create mode 100755 config/squid3/34/squid_monitor.php create mode 100755 config/squid3/34/squid_monitor_data.php create mode 100755 config/squid3/34/squid_nac.xml create mode 100755 config/squid3/34/squid_ng.inc create mode 100755 config/squid3/34/squid_ng.xml create mode 100755 config/squid3/34/squid_reverse.inc create mode 100755 config/squid3/34/squid_reverse.xml create mode 100755 config/squid3/34/squid_reverse_general.xml create mode 100755 config/squid3/34/squid_reverse_peer.xml create mode 100755 config/squid3/34/squid_reverse_redir.xml create mode 100755 config/squid3/34/squid_reverse_sync.xml create mode 100755 config/squid3/34/squid_reverse_uri.xml create mode 100755 config/squid3/34/squid_sync.xml create mode 100755 config/squid3/34/squid_traffic.xml create mode 100755 config/squid3/34/squid_upstream.xml create mode 100755 config/squid3/34/squid_users.xml create mode 100644 config/squid3/34/swapstate_check.php diff --git a/config/squid3/34/check_ip.php b/config/squid3/34/check_ip.php new file mode 100644 index 00000000..a3f07204 --- /dev/null +++ b/config/squid3/34/check_ip.php 
@@ -0,0 +1,86 @@
+#!/usr/local/bin/php -q
+ 2.0){
+ $dir="/var/db";
+ $files=scandir($dir);
+ foreach ($files as $file){
+ if (preg_match("/captive.*db/",$file)){
+ $dbhandle = sqlite_open("$dir/$file", 0666, $error);
+ if ($dbhandle){
+ $query = "select * from captiveportal";
+ $result = sqlite_array_query($dbhandle, $query, SQLITE_ASSOC);
+ if ($result){
+ foreach ($result as $rownum => $row){
+ $cp_db[$rownum]=implode(",",$row);
+ }
+ sqlite_close($dbhandle);
+ }
+ }
+ }
+ }
+ }
+else{
+ $filename="/var/db/captiveportal.db";
+ if (file_exists($filename))
+ $cp_db=file($filename);
+}
+
+ $usuario="";
+ // 1376630450,2,172.16.3.65,00:50:56:9c:00:c7,admin,e1779ea20d0a11c7,,,,
+ if (is_array($cp_db)){
+ foreach ($cp_db as $cpl){
+ $fields=explode(",",$cpl);
+ if ($fields[2] != "" && $fields[2]==$line)
+ $usuario=$fields[4];
+ }
+ }
+ if ($usuario !="")
+ $resposta="OK user={$usuario}";
+ else
+ $resposta="ERR";
+ fwrite (STDOUT, "{$resposta}\n");
+ unset($cp_db);
+}
+?>
+
diff --git a/config/squid3/34/pkg_squid.inc b/config/squid3/34/pkg_squid.inc
new file mode 100644
index 00000000..47b64e2d
--- /dev/null
+++ b/config/squid3/34/pkg_squid.inc
@@ -0,0 +1,11 @@
+ 
\ No newline at end of file
diff --git a/config/squid3/34/sqpmon.sh b/config/squid3/34/sqpmon.sh
new file mode 100644
index 00000000..244b3b61
--- /dev/null
+++ b/config/squid3/34/sqpmon.sh
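Review bot: `sqlite_close($dbhandle);` sits inside the `if ($result){ … }` block, so whenever `sqlite_array_query` returns false the handle opened by `sqlite_open("$dir/$file", 0666, $error)` a few lines earlier is never closed; move `sqlite_close($dbhandle);` to just after that block, still under `if ($dbhandle){`, so every database that was opened is closed on both paths. The user lookup also keys on positions `$fields[2]` (IP) and `$fields[4]` (user) of a `select * from captiveportal` row flattened with `implode(",",$row)`, which agrees with the sample row in the comment but will silently answer `OK user=` with the wrong field if the table's column order ever differs from the flat-file layout, so selecting the two columns by name would remove that dependency. The opening of this file — including how `$line` is read from STDIN — is missing from this rendering (the text between the `<?php` tag and the `2.0){` residue appears to have been swallowed), so whether the input is trimmed before the `$fields[2]==$line` comparison cannot be checked here.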
@@ -0,0 +1,75 @@
+#!/bin/sh
+# $Id$ */
+#
+# sqpmon.sh
+# Copyright (C) 2006 Scott Ullrich
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then
+ exit 0
+fi
+
+set -e
+
+LOOP_SLEEP=55
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
+# Sleep 5 seconds on startup not to mangle with existing boot scripts.
+sleep 5
+
+# Squid monitor 1.2
+while [ /bin/true ]; do
+ if [ ! -f /var/run/squid_alarm ]; then
+ NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # squid is down
+ echo "Squid has exited. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ echo "Attempting restart..." 
| logger -p daemon.info -i -t Squid_Alarm
+ /usr/local/etc/rc.d/squid.sh start
+ sleep 3
+ echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure
+ touch /var/run/squid_alarm
+ fi
+ fi
+ NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/squid_alarm ]; then
+ echo "Squid has resumed. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure
+ rm /var/run/squid_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
+done
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
new file mode 100755
index 00000000..87232c2b
--- /dev/null
+++ b/config/squid3/34/squid.inc
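Review bot: The single-instance guard at the top of the script (`pgrep -f "sqpmon.sh"|wc -l` tested with `-ge 1`) also matches the running script's own `/bin/sh …/sqpmon.sh` command line, so as far as I can tell the count is never below 1 and the monitor exits before reaching the loop; exclude the current shell, e.g. `if [ $(pgrep -f "sqpmon.sh" | grep -vc "^$$\$") -ge 1 ]; then`, or switch to a pidfile. With `set -e` in effect, a non-zero exit from `/usr/local/etc/rc.d/squid.sh start` — plausible precisely when squid is failing — kills the monitor instead of letting it retry on the next iteration, so either drop `set -e` or write `/usr/local/etc/rc.d/squid.sh start || true`. `while [ /bin/true ]; do` is a non-empty-string test rather than an invocation of true; `while true; do` states the intent.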
@@ -0,0 +1,2463 @@ +'migrated', + 'enable'=> 'on', + 'name'=> $cache_peer[0], + 'port'=> $cache_peer[1], + 'protocol' => $cache_peer[2]); + } + + //MAPPINGS + if (!is_array($config['installedpackages']['squidreverseuri'])){ + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){ + foreach (explode(";",$acls) as $acl) + array_push(${'peer_'.$acl[0]},$acl[1]); + } + foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) + foreach (explode(";",$uris) as $uri){ + $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); + $config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated', + 'enable'=> 'on', + 'name'=> $uri[0], + 'uri'=> $uri[1], + 'vhost' => $uri[2], + 'peers'=>$peer_list); + } + } + } + + update_status("Writing configuration... One moment please..."); + + write_config(); + + /* create cache */ + update_status("Creating squid cache pools... One moment please..."); + squid_dash_z(); + /* make sure pinger is executable */ + if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) + exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger"); + if(file_exists("/usr/local/etc/rc.d/squid")) + exec("/bin/rm /usr/local/etc/rc.d/squid"); + squid_write_rcfile(); + if(file_exists("/usr/local/pkg/swapstate_check.php")) + exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php"); + write_rcfile(array( + "file" => "sqp_monitor.sh", + "start" => "/usr/local/pkg/sqpmon.sh &", + "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill")); + + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { + make_dirs($dir); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + + /* kill any running proxy alarm scripts */ + update_status("Checking for running processes... 
One moment please..."); + log_error("Stopping any running proxy monitors"); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + sleep(1); + + if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default')) + copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf'); + + update_status("Checking cache... One moment please..."); + squid_dash_z(); + + if (!is_service_running('squid')) { + update_status("Starting... One moment please..."); + log_error("Starting Squid"); + mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -f " . SQUID_CONFFILE); + } else { + update_status("Reloading Squid for configuration sync... One moment please..."); + log_error("Reloading Squid for configuration sync"); + mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + } + + /* restart proxy alarm scripts */ + log_error("Starting a proxy monitor script"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); + + update_status("Reconfiguring filter... One moment please..."); + filter_configure(); +} + +function squid_deinstall_command() { + global $config, $g; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; + squid_install_cron(false); + if (is_array($config['installedpackages']['squidcache'])) + $settings = $config['installedpackages']['squidcache']['config'][0]; + else + $settings = array(); + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); + update_status("Removing cache ... 
One moment please..."); + update_output_window("$plswait_txt"); + mwexec_bg('rm -rf $cachedir'); + mwexec('rm -rf $logdir'); + update_status("Finishing package cleanup."); + mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); + mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh'); + mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + update_status("Reloading filter..."); + filter_configure(); +} + +function squid_before_form_general(&$pkg) { + $values = get_dir(SQUID_CONFBASE . '/errors/'); + // Get rid of '..' and '.' and ... + array_shift($values); + array_shift($values); + array_shift($values); + array_shift($values); + + $name = array(); + foreach ($values as $value) + $names[] = implode(" ", explode("_", $value)); + + $i = 0; + foreach ($pkg['fields']['field'] as $field) { + if ($field['fieldname'] == 'error_language') + break; + $i++; + } + $field = &$pkg['fields']['field'][$i]; + + for ($i = 0; $i < count($values) - 1; $i++) + $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); +} + +function squid_validate_general($post, &$input_errors) { + global $config; + if (is_array($config['installedpackages']['squid'])) + $settings = $config['installedpackages']['squid']['config'][0]; + else + $settings = array(); + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? 
$post['proxy_port'] : $port; + + $icp_port = trim($post['icp_port']); + if (!empty($icp_port) && !is_port($icp_port)) + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + + if (substr($post['log_dir'], -1, 1) == '/') + $input_errors[] = 'You may not end log location with an / mark'; + + if ($post['log_dir']{0} != '/') + $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) + $input_errors[] = "That is not a valid log location dir"; + + $log_rotate = trim($post['log_rotate']); + if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + + $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field'; + + $webgui_port = $config['system']['webgui']['port']; + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + $webgui_port = 80; + } + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + $webgui_port = 443; + } + + if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { + $input_errors[] = "You can not run squid on the same port as the webgui"; + } + + if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) { + $input_errors[] = "SSL interception cannot be enabled without a CA."; + } + + foreach (array('defined_ip_proxy_off') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + foreach (array('defined_ip_proxy_off_dest') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or 
alias"; + } + } + + if(!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + break; + }} +} + +function squid_validate_upstream($post, &$input_errors) { + if ($post['enabled'] == 'on') { + $addr = trim($post['proxyaddr']); + if (empty($addr)) + $input_errors[] = 'The field \'Hostname\' is required'; + else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) + $input_errors[] = "The field '$name' is required"; + else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + } + } + } +} + +function squid_validate_cache($post, &$input_errors) { + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "You must enter a valid value for '$field'"; + } + + $value = trim($post['minimum_object_size']); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + } + + if (!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for 
\'High-water-mark\''; + } + + if ($post['donotcache'] != "") { + foreach (split("\n", $post['donotcache']) as $host) { + $host = trim($host); + if (!is_ipaddr($host) && !is_domain($host)) + $input_errors[] = "The host '$host' is not a valid IP or host name"; + } + } + + squid_dash_z(); + +} + +function squid_validate_nac($post, &$input_errors) { + $allowed_subnets = explode("\n", $post['allowed_subnets']); + foreach ($allowed_subnets as $subnet) { + $subnet = trim($subnet); + if (!empty($subnet) && !is_subnet($subnet)) + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + } + + foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { + + if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){ + for ($x=0;$x < count($matches[1]);$x++){ + if ($matches[2][$x] == ""){ + if (!is_ipaddr($matches[1][$x])) + $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address"; + } + else{ + if (!is_subnet($matches[0][$x])) + $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range"; + } + } + } + } + + foreach (array('unrestricted_macs', 'banned_macs') as $macs) { + foreach (explode("\n", $post[$macs]) as $mac) { + $mac = trim($mac); + if (!empty($mac) && !is_macaddr($mac)) + $input_errors[] = "The mac '$mac' is not a valid MAC address"; + } + } + + foreach (explode(",", $post['timelist']) as $time) { + $time = trim($time); + if (!empty($time) && !squid_is_timerange($time)) + $input_errors[] = "The time range '$time' is not a valid time range"; + } + + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + }} +} + +function squid_validate_traffic($post, &$input_errors) { + $num_fields = array( 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host 
bandwidth throttling', + 'overall_throttling' => 'Overall bandwidth throttling', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "The field '$name' must contain a positive number"; + } + + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; + } +} + +function squid_validate_reverse($post, &$input_errors) { + + if(!empty($post['reverse_ip'])) { + $reverse_ip = explode(";", ($post['reverse_ip'])); + foreach ($reverse_ip as $reip) { + if (!is_ipaddr(trim($reip))) + $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' 
-> \''.$reip.'\' is invalid.'; + }} + + $fqdn = trim($post['reverse_external_fqdn']); + if (!empty($fqdn) && !is_domain($fqdn)) + $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + + $port = trim($post['reverse_http_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; + + $port = trim($post['reverse_https_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; + + if ($post['reverse_ssl_cert'] == 'none') + $input_errors[] = 'A valid certificate for the external interface must be selected'; + + if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { + $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + } + + if(!empty($post['reverse_owa_ip'])) { + $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); + foreach ($reverse_owa_ip as $reowaip) { + if (!is_ipaddr(trim($reowaip))) + $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' 
-> \''.$reowaip.'\' is invalid.'; + }} + + $contents = $post['reverse_cache_peer']; + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (!is_ipaddr($cfg[1])) + $input_errors[] = "please choose a valid IP in the cache peer configuration."; + if (!is_port($cfg[2])) + $input_errors[] = "please choose a valid port in the cache peer configuration."; + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) + $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + }} + + +} + +function squid_validate_auth($post, &$input_errors) { + $num_fields = array( array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), + ); + foreach ($num_fields as $field) { + $value = trim($post[$field[0]]); + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) + $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + } + + $auth_method = $post['auth_method']; + if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { + $server = trim($post['auth_server']); + if (empty($server)) + $input_errors[] = 'The field \'Authentication server\' is required'; + else if (!is_ipaddr($server) && !is_domain($server)) + $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + + $port = trim($post['auth_server_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + + switch ($auth_method) { + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The 
field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; + } + + $no_auth = explode("\n", $post['no_auth_hosts']); + foreach ($no_auth as $host) { + $host = trim($host); + if (!empty($host) && !is_subnet($host)) + $input_errors[] = "The host '$host' is not a valid CIDR range"; + } + } +} + +function squid_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $rotate_is_installed = false; + $swapstate_is_installed = false; + + if(!$config['cron']['item']) + return; + + if (is_array($config['installedpackages']['squidcache'])) + $settings = $config['installedpackages']['squidcache']['config'][0]; + else + $settings = array(); + + $x=0; + $rotate_job_id=-1; + $swapstate_job_id=-1; + $cron_cmd=($settings['clear_cache']=='on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_cmd .= SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE; + $need_write = false; + foreach($config['cron']['item'] as $item) { + if(strstr($item['task_name'], "squid_rotate_logs")) { + $rotate_job_id = $x; + if ($item['command'] != $cron_cmd){ + $config['cron']['item'][$x]['command']=$cron_cmd; + $need_write = true; + } + } elseif(strstr($item['task_name'], "squid_check_swapstate")) { + $swapstate_job_id = $x; + } + $x++; + } + switch($should_install) { + case true: + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + if($rotate_job_id < 0) { + $cron_item['command']=($settings['clear_cache']=='on' ? 
"/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_item = array(); + $cron_item['task_name'] = "squid_rotate_logs"; + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] .= $cron_cmd; + /* Add this cron_item as a new entry at the end of the item array. */ + $config['cron']['item'][] = $cron_item; + $need_write = true; + } + if($swapstate_job_id < 0) { + $cron_item = array(); + $cron_item['task_name'] = "squid_check_swapstate"; + $cron_item['minute'] = "*/15"; + $cron_item['hour'] = "*"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/pkg/swapstate_check.php"; + /* Add this cron_item as a new entry at the end of the item array. */ + $config['cron']['item'][] = $cron_item; + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Adding Squid Cron Jobs"); + } + break; + case false: + if($rotate_job_id >= 0) { + unset($config['cron']['item'][$rotate_job_id]); + $need_write = true; + } + if($swapstate_job_id >= 0) { + unset($config['cron']['item'][$swapstate_job_id]); + $need_write = true; + } + if ($need_write) { + parse_config(true); + write_config("Removing Squid Cron Jobs"); + } + break; + } + configure_cron(); +} + +function squid_check_ca_hashes(){ + global $config,$g; + + #check certificates + $cert_count=0; + if (is_dir(SQUID_LOCALBASE. 
'/share/certs')) + if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) { + while (false !== ($file = readdir($handle))) + if (preg_match ("/\d+.0/",$file)) + $cert_count++; + } + closedir($handle); + if ($cert_count < 10){ + conf_mount_rw(); + #create ca-root hashes from ca-root-nss package + log_error("Creating root certificate bundle hashes from the Mozilla Project"); + $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); + $cert=0; + foreach ($cas as $ca){ + if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) + $cert=1; + if ($cert == 1) + $crt.=$ca; + if (preg_match("/-END CERTIFICATE-/",$ca)){ + file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); + $cert_hash=array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); + file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); + $crt=""; + $cert=0; + } + } + } +} + +function squid_resync_general() { + global $g, $config, $valid_acls; + + if (is_array($config['installedpackages']['squid'])) + $settings = $config['installedpackages']['squid']['config'][0]; + else + $settings=array(); + $conf = "# This file is automatically generated by pfSense\n"; + $conf .= "# Do not edit manually !\n\n"; + #Check ssl interception + if (($settings['ssl_proxy'] == 'on')) { + squid_check_ca_hashes(); + $srv_cert = lookup_ca($settings["dca"]); + if ($srv_cert != false) { + if(base64_decode($srv_cert['prv'])) { + #check if ssl_db was initilized by squid + if (! 
file_exists("/var/squid/lib/ssl_db/serial")){ + if (is_dir("/var/squid/lib/ssl_db")){ + mwexec("/bin/rm -rf /var/squid/lib/ssl_db"); + } + mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/"); + } + #force squid user permission on /var/squid/lib/ssl_db/ + squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy'); + # cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext + $crt_pk=SQUID_CONFBASE."/serverkey.pem"; + $crt_capath=SQUID_LOCALBASE."/share/certs/"; + file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); + $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); + $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; + $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n"; + $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; + $interception_checks .= "sslproxy_capath {$crt_capath}\n"; + if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) + $interception_checks.="sslproxy_cert_error allow all\n"; + if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) + $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; + if ($settings["interception_adapt"] != ""){ + foreach (explode(",",$settings["interception_adapt"]) as $adapt) + $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; + } + } + } + } + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $ssl_port = ($settings['ssl_proxy_port'] ? 
$settings['ssl_proxy_port'] : 3127); + +#Read assigned interfaces + $real_ifaces = array(); + + if($settings['active_interface']) + $proxy_ifaces = explode(",", $settings['active_interface']); + else + $proxy_ifaces=array("lan"); + + if ($settings['transparent_proxy']=="on"){ + $transparent_ifaces = explode(",", $settings['transparent_active_interface']); + foreach ($transparent_ifaces as $t_iface){ + $t_iface_ip = squid_get_real_interface_address($t_iface); + if($t_iface_ip[0]) + $real_ifaces[]=$t_iface_ip; + } + } + else{ + $transparent_ifaces=array(); + } + + if ($settings['ssl_proxy']=="on"){ + $ssl_ifaces = explode(",", $settings['ssl_active_interface']); + foreach ($ssl_ifaces as $s_iface){ + $s_iface_ip = squid_get_real_interface_address($s_iface); + if($s_iface_ip[0]) + $real_ifaces[]=$s_iface_ip; + } + } + else{ + $ssl_ifaces=array(); + } + + #check all proxy interfaces selected + foreach ($proxy_ifaces as $iface) { + $iface_ip = squid_get_real_interface_address($iface); + if($iface_ip[0]) { + $real_ifaces[]=$iface_ip; + if (in_array($iface,$ssl_ifaces)) + $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; + else + $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + } + } + + if (($settings['transparent_proxy'] == 'on')) { + if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){ + $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n"; + $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n"; + } + else{ + $conf .= "http_port 127.0.0.1:{$port} intercept\n"; + } + } + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); + $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); + $pidfile = "{$g['varrun_path']}/squid.pid"; + $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); + $icondir = SQUID_CONFBASE . '/icons'; + $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); + $email = ($settings['admin_email'] ? 
$settings['admin_email'] : 'admin@localhost'); + + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); + if (! is_dir($logdir)){ + make_dirs($logdir); + squid_chown_recursive($logdir, 'proxy', 'proxy'); + } + $logdir_cache = $logdir . '/cache.log'; + $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); + $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on'; + $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger"; + + $conf .= <<< EOD +icp_port {$icp_port} +dns_v4_first {$dns_v4_first} +pid_filename {$pidfile} +cache_effective_user proxy +cache_effective_group proxy +error_default_language {$language} +icon_directory {$icondir} +visible_hostname {$hostname} +cache_mgr {$email} +access_log {$logdir_access} +cache_log {$logdir_cache} +cache_store_log none +netdb_filename {$logdir}/netdb.state +pinger_enable {$pinger_helper} +pinger_program {$pinger_program} +{$interception_checks} + +EOD; + +// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen. +$rotate = empty($settings['log_rotate']) ? 
0 : $settings['log_rotate']; +$conf .= "logfile_rotate {$rotate}\n"; +$conf .= "debug_options rotate={$rotate}\n"; +squid_install_cron(true); + + $conf .= <<< EOD +shutdown_lifetime 3 seconds + +EOD; + + if ($settings['allow_interface'] == 'on') { + $src = ''; + foreach ($real_ifaces as $iface) { + list($ip, $mask) = $iface; + $ip = long2ip(ip2long($ip) & ip2long($mask)); + $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); + if (!preg_match("@$ip/$mask@",$src)) + $src .= " $ip/$mask"; + } + $conf .= "# Allow local network(s) on interface(s)\n"; + $conf .= "acl localnet src $src\n"; + $valid_acls[] = 'localnet'; + } + if ($settings['disable_xforward']) $conf .= "forwarded_for off\n"; + if ($settings['disable_via']) $conf .= "via off\n"; + if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n"; + if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; + else $conf .= "uri_whitespace strip\n"; //only used for first run + + if(!empty($settings['dns_nameservers'])) { + $altdns = explode(";", ($settings['dns_nameservers'])); + $conf .= "dns_nameservers "; + foreach ($altdns as $dnssrv) { + $conf .= $dnssrv." "; + } +// $conf .= "\n"; //Kill blank line after DNS-Servers + } + + return $conf; +} + + +function squid_resync_cache() { + global $config, $g; + if (is_array($config['installedpackages']['squidcache'])) + $settings = $config['installedpackages']['squidcache']['config'][0]; + else + $settings = array(); + //apply cache settings + $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); + $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16); + $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); + $max_objsize = ($settings['maximum_object_size'] ? 
$settings['maximum_object_size']." KB" : "10 KB"); + $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); + $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32); + $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); + $memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF'); + $offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off'); + $conf = ''; + if (!isset($settings['harddisk_cache_system'])) { + if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config'])) + $disk_cache_system = 'null'; + else + $disk_cache_system = 'ufs'; + } + else{ + $disk_cache_system = $settings['harddisk_cache_system']; + } + #'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. + if ($disk_cache_system != "null") { + $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; + } +//check dynamic content +if(empty($settings['cache_dynamic_content'])){ + $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; + $conf.="cache deny dynamic\n"; +} +else{ + if(preg_match('/youtube/',$settings['refresh_patterns'])){ + $conf.=<<< EOC +# Break HTTP standard for flash videos. Keep them in cache even if asked not to. 
+refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private + +# Let the clients favorite video site through with full caching +acl youtube dstdomain .youtube.com +cache allow youtube + +EOC; + } + if(preg_match('/windows/',$settings['refresh_patterns'])){ + $conf.=<<< EOC + +# Windows Update refresh_pattern +range_offset_limit -1 +refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims +refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims +refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims + +EOC; + } + +if(preg_match('/symantec/',$settings['refresh_patterns'])){ + $conf.=<<< EOC + +# Symantec refresh_pattern +range_offset_limit -1 +refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims +refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims + +EOC; + } +if(preg_match('/avast/',$settings['refresh_patterns'])){ + $conf.=<<< EOC + +# Avast refresh_pattern +range_offset_limit -1 +refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims + +EOC; + } +if(preg_match('/avira/',$settings['refresh_patterns'])){ + $conf.=<<< EOC + +# Avira refresh_pattern +range_offset_limit -1 +refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims + +EOC; + } + $refresh_conf=<<< EOC + +# Add any of your own refresh_pattern entries above these. +refresh_pattern ^ftp: 1440 20% 10080 +refresh_pattern ^gopher: 1440 0% 1440 +refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 +refresh_pattern . 
0 20% 4320 + +EOC; +} + + If ($settings['custom_refresh_patterns'] !="") + $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; + + $conf .= <<< EOD + +cache_mem $memory_cache_size MB +maximum_object_size_in_memory {$max_objsize_in_mem} KB +memory_replacement_policy {$memory_policy} +cache_replacement_policy {$cache_policy} +$disk_cache_opts +minimum_object_size {$min_objsize} KB +maximum_object_size {$max_objsize} +offline_mode {$offline_mode} + +EOD; + + if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; + if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + + $donotcache = sq_text_area_decode($settings['donotcache']); + if (!empty($donotcache)) { + file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); + $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; + $conf .= "cache deny donotcache\n"; + } + elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { + unlink(SQUID_ACLDIR . 
'/donotcache.acl'); + } + $conf .= "cache allow all\n"; + return $conf.$refresh_conf; +} + +function squid_resync_upstream() { + global $config; + $conf = "\n#Remote proxies\n"; + if (is_array($config['installedpackages']['squidremote']['config'])) + foreach ($config['installedpackages']['squidremote']['config'] as $settings){ + if ($settings['enable'] == 'on') { + $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} "; + if ($settings['icpport'] == '7') + $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; + else + $conf .= "{$settings['icpport']} "; + #auth settings + if (!empty($settings['username']) && !empty($settings['password'])){ + $conf .= " login={$settings['username']}:{$settings['password']}"; + } + else{ + $conf .= "{$settings['authoption']} "; + } + #other options settings + if (!empty($settings['weight'])) + $conf .= "weight={$settings['weight']} "; + if (!empty($settings['basetime'])) + $conf .= "basetime={$settings['basetime']} "; + if (!empty($settings['ttl'])) + $conf .= "ttl={$settings['ttl']} "; + if (!empty($settings['nodelay'])) + $conf .= "no-delay"; + } + $conf .= "\n"; + } + return $conf; +} + +function squid_resync_redirector() { + global $config; + + $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); + if ($httpav_enabled) { + $conf = "url_rewrite_program /usr/local/bin/squirm\n"; + } else { + $conf = "# No redirector configured\n"; + } + return $conf; +} + +function squid_resync_nac() { + global $config, $valid_acls; + + $port = ($settings['proxy_port'] ? 
$settings['proxy_port'] : 3128); + if (is_array($config['installedpackages']['squidnac'])) + $settings = $config['installedpackages']['squidnac']['config'][0]; + else + $settings = array(); + $webgui_port = $config['system']['webgui']['port']; + $addtl_ports = $settings['addtl_ports']; + $addtl_sslports = $settings['addtl_sslports']; + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127); + $conf = <<< EOD + +# Setup some default acls +# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. +# acl localhost src 127.0.0.1/32 +acl allsrc src all +acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports +acl sslports port 443 563 $webgui_port $addtl_sslports + +# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in. 
+#acl manager proto cache_object + +acl purge method PURGE +acl connect method CONNECT + +# Define protocols used for redirects +acl HTTP proto HTTP +acl HTTPS proto HTTPS + +EOD; + + $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); + #$allowed = ""; + #foreach ($allowed_subnets as $subnet) { + # if(!empty($subnet)) { + # $subnet = trim($subnet); + # $allowed .= "$subnet "; + # } + #} + if (!empty($allowed_subnets)) { + $conf .= "acl allowed_subnets src $allowed_subnets\n"; + $valid_acls[] = 'allowed_subnets'; + } + + $options = array( 'unrestricted_hosts' => 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + 'block_user_agent' => 'browser -i', + 'block_reply_mime_type' => 'rep_mime_type -i', + ); + foreach ($options as $option => $directive) { + $contents = sq_text_area_decode($settings[$option]); + if (!empty($contents)) { + file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); + $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; + $valid_acls[] = $option; + } + elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + unlink(SQUID_ACLDIR . 
"/$option.acl"); + } + } + + $conf .= <<< EOD +http_access allow manager localhost + +EOD; + + if (is_array($config['installedpackages']['squidcache'])){ + $settings_ch = $config['installedpackages']['squidcache']['config'][0]; + if(!empty($settings_ch['ext_cachemanager'])) { + $extmgr = explode(";", ($settings_ch['ext_cachemanager'])); + $conf .= "\n# Allow external cache managers\n"; + foreach ($extmgr as $mgr) { + $conf .= "acl ext_manager src {$mgr}\n"; + } + $conf .= "http_access allow manager ext_manager\n"; + } + } + + $conf .= <<< EOD + +http_access deny manager +http_access allow purge localhost +http_access deny purge +http_access deny !safeports +http_access deny CONNECT !sslports + +# Always allow localhost connections +# From 3.2 further configuration cleanups have been done to make things easier and safer. +# The manager, localhost, and to_localhost ACL definitions are now built-in. +# http_access allow localhost + +EOD; + + return $conf; +} + +function squid_resync_antivirus(){ + global $config; + + if (is_array($config['installedpackages']['squidantivirus'])) + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + else + $antivirus_config = array(); + + if ($antivirus_config['enable']=="on"){ + switch ($antivirus_config['client_info']){ + case "both": + $icap_send_client_ip="on"; + $icap_send_client_username="on"; + break; + case "IP": + $icap_send_client_ip="on"; + $icap_send_client_username="off"; + break; + case "username": + $icap_send_client_ip="off"; + $icap_send_client_username="on"; + break; + case "none": + $icap_send_client_ip="off"; + $icap_send_client_username="off"; + break; + } + if (is_array($config['installedpackages']['squid'])) + $squid_config=$config['installedpackages']['squid']['config'][0]; + $clwarn="clwarn.cgi.en_EN"; + if (preg_match("/de/i",$squid_config['error_language'])) + $clwarn="clwarn.cgi.de_DE"; + if (preg_match("/ru/i",$squid_config['error_language'])) + $clwarn="clwarn.cgi.ru_RU"; + if 
(preg_match("/fr/i",$squid_config['error_language'])) + $clwarn="clwarn.cgi.fr_FR"; + if (preg_match("/pt_br/i",$squid_config['error_language'])) + $clwarn="clwarn.cgi.pt_BR"; + $clwarn_file="/usr/local/www/clwarn.cgi"; + copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}",$clwarn_file); + + #fix perl path on clwarn.cgi + $clwarn_file_new=file_get_contents($clwarn_file); + $c_pattern[]="@/usr/\S+/perl@"; + $c_replacement[]=SQUID_LOCALBASE."/bin/perl"; + /*$c_pattern[]="@redirect \S+/clwarn.cgi@"; + $gui_proto=$config['system']['webgui']['protocol']; + $gui_port=$config['system']['webgui']['port']; + if($gui_port == "") { + $gui_port($gui_proto == "http"?"80":"443"); + } + $c_replacement[]=SQUID_LOCALBASE."redirect {$gui_proto}://127.0.0.1:{$gui_port}/clwarn.cgi"; + */ + $clwarn_file_new=preg_replace($c_pattern, $c_replacement,$clwarn_file_new); + file_put_contents($clwarn_file, $clwarn_file_new,LOCK_EX); + + #fix clwarn.cgi file permission + chmod($clwarn_file,0755); + + $conf = <<< EOF +icap_enable on +icap_send_client_ip {$icap_send_client_ip} +icap_send_client_username {$icap_send_client_username} +icap_client_username_encode off +icap_client_username_header X-Authenticated-User +icap_preview_enable on +icap_preview_size 1024 + +icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav +icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav + +adaptation_access service_req allow all +adaptation_access service_resp allow all + +EOF; + #check if icap is enabled on rc.conf.local + if (file_exists("/etc/rc.conf.local")){ + $rc_old_file=file("/etc/rc.conf.local"); + foreach ($rc_old_file as $rc_line){ + if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){ + $rc_file.=$matches[1].'="YES"'."\n"; + ${$matches[1]}="ok"; + } + else + $rc_file.=$rc_line; + } + } + if (!isset($c_icap_enable)) + $rc_file.='c_icap_enable="YES"'."\n"; + if (!isset($clamav_clamd_enable)) + 
$rc_file.='clamav_clamd_enable="YES"'."\n"; + file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX); + squid_check_clamav_user('clamav'); + #patch sample files to pfsense dirs + #squidclamav.conf + if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) + if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){ + $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default"); + $clamav_m[0]="@/var/run/clamav/clamd.ctl@"; + $clamav_r[0]="/var/run/clamav/clamd.sock"; + file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX); + } + #c-icap.conf + if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) + if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){ + $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default"); + if (! preg_match ("/squidclamav/")) + $sample_file.="\nService squidclamav squidclamav.so\n"; + + file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",$sample_file,LOCK_EX); + } + $loadsample=0; + if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){ + $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")); + $loadsample++; + } + if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){ + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")); + $loadsample++; + } + if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")){ + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")); + 
$loadsample++; + } + if($loadsample > 0){ + write_config(); + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } + #check dirs + $dirs=array("/var/run/c-icap" => "clamav", + "/var/log/c-icap" => "clamav", + "/var/log/clamav" => "clamav", + "/var/run/clamav" => "clamav", + "/var/db/clamav" => "clamav"); + foreach ($dirs as $dir_path => $dir_user){ + if (!is_dir($dir_path)) + make_dirs($dir_path); + squid_chown_recursive($dir_path, $dir_user, "wheel"); + } + #Check clamav database + if (count(glob("/var/db/clamav/*d"))==0){ + log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background."); + mwexec_bg(SQUID_LOCALBASE."/bin/freshclam"); + } + #check startup scripts on pfsense > 2.1 + if (preg_match("/usr.pbi/",SQUID_LOCALBASE)){ + $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); + foreach($rcd_files as $rcd_file) + if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) + symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); + } + + #write advanced icap config files + file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX); + file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX); + file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX); + + #check antivirus daemons + #check icap + if (is_process_running("c-icap")){ + mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); + } + else{ + #check c-icap user on startup file + $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; + if (file_exists($c_icap_rcfile)){ + $sample_file=file_get_contents($c_icap_rcfile); + $cicapm[0]="@c_icap_user=.*}@"; + $cicapr[0]='c_icap_user="clamav"}'; + file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX); + } + mwexec_bg("/usr/local/etc/rc.d/c-icap start"); + } + 
#check clamav + if (is_process_running("clamd")) + mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); + else + mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); + } +return $conf; +} + +function squid_resync_traffic() { + global $config, $valid_acls; + + if(!is_array($valid_acls)) + return; + if (is_array($config['installedpackages']['squidtraffic'])) + $settings = $config['installedpackages']['squidtraffic']['config'][0]; + else + $settings = array(); + + $conf = ''; + if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") + $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; + if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") + $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; + if (!empty($settings['quick_abort_pct'])) + $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; + + $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0); + $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0); + $conf .= "request_body_max_size $up_limit KB\n"; + if ($down_limit != 0) + $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n"; + + + // Only apply throttling past 10MB + // XXX: Should this really be hardcoded? + $threshold = 10 * 1024 * 1024; + $overall = $settings['overall_throttling']; + if (!isset($overall) || ($overall == 0)) + $overall = -1; + else + $overall *= 1024; + $perhost = $settings['perhost_throttling']; + if (!isset($perhost) || ($perhost == 0)) + $perhost = -1; + else + $perhost *= 1024; + $conf .= <<< EOD +delay_pools 1 +delay_class 1 2 +delay_parameters 1 $overall/$overall $perhost/$perhost +delay_initial_bucket_level 100 + +EOD; + + if(! 
empty($settings['unrestricted_hosts'])) { + foreach (array('unrestricted_hosts') as $item) { + if (in_array($item, $valid_acls)) + $conf .= "# Do not throttle unrestricted hosts\n"; + $conf .= "delay_access 1 deny $item\n"; + } + } + + if ($settings['throttle_specific'] == 'on') { + $exts = array(); + $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com'; + $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi'; + $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m'; + foreach (array( 'throttle_binaries' => $binaries, + 'throttle_cdimages' => $cdimages, + 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') + $exts = array_merge($exts, explode(",", $set)); + } + + foreach (explode(",", $settings['throttle_others']) as $ext) { + if (!empty($ext)) $exts[] = $ext; + } + + $contents = ''; + foreach ($exts as $ext) + $contents .= "\.$ext\$\n"; + file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); + + $conf .= "# Throttle extensions matched in the url\n"; + $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . 
"/throttle_exts.acl\"\n"; + $conf .= "delay_access 1 allow throttle_exts\n"; + $conf .= "delay_access 1 deny allsrc\n"; + } + else + $conf .= "delay_access 1 allow allsrc\n"; + + return $conf; +} + +function squid_get_server_certs() { + global $config; + $cert_arr = array(); + $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); + foreach ($config['cert'] as $cert) { + $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); + } + return $cert_arr; +} + +#squid reverse +include('/usr/local/pkg/squid_reverse.inc'); + +function squid_resync_auth() { + global $config, $valid_acls; + $write_config=0; + if (!is_array($config['installedpackages']['squidauth']['config'])){ + $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none"); + $write_config++; + } + $settings = $config['installedpackages']['squidauth']['config'][0]; + if (is_array($config['installedpackages']['squidnac']['config'])) + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + else + $settingsnac = array(); + + if (is_array($config['installedpackages']['squid']['config'])) + $settingsconfig = $config['installedpackages']['squid']['config'][0]; + else + $settingsconfig = array(); + + if ($write_config > 0) + write_config(); + + $conf = ''; + + // SSL interception acl options part 1 + if ($settingsconfig['ssl_proxy'] == "on" && ! 
empty($settingsnac['whitelist'])){ + $conf .= "always_direct allow whitelist\n"; + $conf .= "ssl_bump none whitelist\n"; + } + + // Package integration + if(!empty($settingsconfig['custom_options'])){ + $co_preg[0]='/;/'; + $co_rep[0]="\n"; + $co_preg[1]="/redirect_program/"; + $co_rep[1]="url_rewrite_program"; + $co_preg[2]="/redirector_bypass/"; + $co_rep[2]="url_rewrite_bypass"; + $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n"; + } + + // Custom User Options before authentication acls + $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n"; + + // Deny the banned guys before allowing the good guys + if(! empty($settingsnac['banned_hosts'])) { + if (squid_is_valid_acl('banned_hosts')) { + $conf .= "# These hosts are banned\n"; + $conf .= "http_access deny banned_hosts\n"; + } + } + if(! empty($settingsnac['banned_macs'])) { + if (squid_is_valid_acl('banned_macs')) { + $conf .= "# These macs are banned\n"; + $conf .= "http_access deny banned_macs\n"; + } + } + + // Unrestricted hosts take precedence over blacklist + if(! empty($settingsnac['unrestricted_hosts'])) { + if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_hosts\n"; + } + } + if(! empty($settingsnac['unrestricted_macs'])) { + if (squid_is_valid_acl('unrestricted_macs')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_macs\n"; + } + } + + // Whitelist and blacklist also take precedence over other allow rules + if(! empty($settingsnac['whitelist'])) { + if (squid_is_valid_acl('whitelist')) { + $conf .= "# Always allow access to whitelist domains\n"; + $conf .= "http_access allow whitelist\n"; + } + } + if(! 
empty($settingsnac['blacklist'])) { + if (squid_is_valid_acl('blacklist')) { + $conf .= "# Block access to blacklist domains\n"; + $conf .= "http_access deny blacklist\n"; + } + } + if(! empty($settingsnac['block_user_agent'])) { + if (squid_is_valid_acl('block_user_agent')) { + $conf .= "# Block access with user agents and browsers\n"; + $conf .= "http_access deny block_user_agent\n"; + } + } + if(! empty($settingsnac['block_reply_mime_type'])) { + if (squid_is_valid_acl('block_reply_mime_type')) { + $conf .= "# Block access with mime type in the reply\n"; + $conf .= "http_reply_access deny block_reply_mime_type\n"; + } + } + + // SSL interception acl options part 2 + /*if ($settingsconfig['ssl_proxy'] == "on"){ + $conf .= "always_direct allow all\n"; + $conf .= "ssl_bump server-first all\n"; + }*/ + + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; + + $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); + if ($transparent_proxy){ + if (preg_match ("/(none|cp)/",$settings['auth_method'])) + $auth_method=$settings['auth_method']; + else + $auth_method="none"; + } + else{ + $auth_method=$settings['auth_method']; + } + // Allow the remaining ACLs if no authentication is set + if ($auth_method == 'none' || $auth_method == 'cp') { + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny sglog\n"; + } + if ($auth_method == 'none' ) { + $conf .="# Setup allowed acls\n"; + $allowed = array('allowed_subnets'); + if ($settingsconfig['allow_interface'] == 'on') { + $conf .= "# Allow local network(s) on interface(s)\n"; + $allowed[] = "localnet"; + } + $allowed = array_filter($allowed, 'squid_is_valid_acl'); + foreach ($allowed as $acl) + $conf .= "http_access allow $acl\n"; + } + else { + $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + if (!empty($noauth)) { + $conf .= "acl noauth src 
$noauth\n"; + $valid_acls[] = 'noauth'; + } + + // Set up the external authentication programs + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5); + $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); + $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); + switch ($auth_method) { + case 'local': + $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'cp': + $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n"; + $conf .= "acl password external check_cp\n"; + break; + case 'msnt': + $conf .= "auth_param basic program ". SQUID_LOCALBASE . 
"/libexec/squid/basic_msnt_auth\n"; + squid_resync_msnt(); + break; + } + if ($auth_method != 'cp'){ + $conf .= <<< EOD +auth_param basic children $processes +auth_param basic realm $prompt +auth_param basic credentialsttl $auth_ttl minutes +acl password proxy_auth REQUIRED + +EOD; + } + // Custom User Options after authentication definition + $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n"; + + // SSL interception acl options part 2 + if ($settingsconfig['ssl_proxy'] == "on"){ + $conf .= "always_direct allow all\n"; + $conf .= "ssl_bump server-first all\n"; + } + // Onto the ACLs + $password = array('localnet', 'allowed_subnets'); + $passwordless = array('unrestricted_hosts'); + if ($settings['unrestricted_auth'] == 'on') { + // Even the unrestricted hosts should authenticate + $password = array_merge($password, $passwordless); + $passwordless = array(); + } + $passwordless[] = 'noauth'; + $password = array_filter($password, 'squid_is_valid_acl'); + $passwordless = array_filter($passwordless, 'squid_is_valid_acl'); + + // Allow the ACLs that don't need to authenticate + foreach ($passwordless as $acl) + $conf .= "http_access allow $acl\n"; + + //if ($auth_method != 'cp'){ + // Include squidguard denied acl log in squid + if ($settingsconfig['log_sqd']) + $conf .="http_access deny password sglog\n"; + + // Allow the other ACLs as long as they authenticate + foreach ($password as $acl) + $conf .= "http_access allow password $acl\n"; + // } + } + + $conf .= "# Default block all to be sure\n"; + $conf .= "http_access deny allsrc\n"; + + return $conf; +} + +function squid_resync_users() { + global $config; + + $users = $config['installedpackages']['squidusers']['config']; + $contents = ''; + if (is_array($users)) { + foreach ($users as $user) + $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . 
"\n"; + } + file_put_contents(SQUID_PASSWD, $contents); + chown(SQUID_PASSWD, 'proxy'); + chmod(SQUID_PASSWD, 0600); +} + +function squid_resync_msnt() { + global $config; + + if (is_array($config['installedpackages']['squidauth'])) + $settings = $config['installedpackages']['squidauth']['config'][0]; + else + $settings = array(); + $pdcserver = $settings['auth_server']; + $bdcserver = str_replace(',',' ',$settings['msnt_secondary']); + $ntdomain = $settings['auth_ntdomain']; + + file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}"); + chown(SQUID_CONFBASE."/msntauth.conf", 'proxy'); + chmod(SQUID_CONFBASE."/msntauth.conf", 0600); +} + +function squid_resync($via_rpc="no") { + global $config; + + # detect boot process + if (is_array($_POST)){ + if (preg_match("/\w+/",$_POST['__csrf_magic'])) + unset($boot_process); + else + $boot_process="on"; + } + + log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc); + + if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no") + return; + + conf_mount_rw(); + foreach (array( SQUID_CONFBASE, + SQUID_ACLDIR, + SQUID_BASE, + SQUID_LIB, + SQUID_SSL_DB ) as $dir) { + make_dirs($dir); + chown($dir, 'proxy'); + chgrp($dir, 'proxy'); + squid_chown_recursive($dir, 'proxy', 'proxy'); + } + $conf = squid_resync_general() . "\n"; + $conf .= squid_resync_cache() . "\n"; + $conf .= squid_resync_redirector() . "\n"; + $conf .= squid_resync_upstream() . "\n"; + $conf .= squid_resync_nac() . "\n"; + $conf .= squid_resync_traffic() . "\n"; + $conf .= squid_resync_reverse() . "\n"; + $conf .= squid_resync_auth()."\n"; + $conf .= squid_resync_antivirus(); + squid_resync_users(); + squid_write_rcfile(); + + if(!isset($boot_process) || $via_rpc="yes") + squid_sync_on_changes(); + + #write config file + file_put_contents(SQUID_CONFBASE . 
'/squid.conf', $conf); + + /* make sure pinger is executable */ + if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) + exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger"); + + $log_dir=""; + #check if squid is enabled + if (is_array($config['installedpackages']['squid']['config'])){ + if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; + } + #check if squidreverse is enabled + else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){ + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") + $log_dir="/var/squid/logs/"; + } + #do not start squid if there is no log dir + if ($log_dir != ""){ + if(!is_dir($log_dir)) { + log_error("Creating squid log dir $log_dir"); + make_dirs($log_dir); + squid_chown_recursive($log_dir, 'proxy', 'proxy'); + } + + squid_dash_z(); + + if (!is_service_running('squid')) { + log_error("Starting Squid"); + mwexec(SQUID_LOCALBASE . "/sbin/squid -f " . SQUID_CONFFILE); + } + else { + if (!isset($boot_process)){ + log_error("Reloading Squid for configuration sync"); + mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); + } + } + + // Sleep for a couple seconds to give squid a chance to fire up fully. 
+ for ($i=0; $i < 10; $i++) {
+ if (!is_service_running('squid'))
+ sleep(1);
+ }
+ filter_configure();
+ }
+ conf_mount_ro();
+}
+
+function squid_print_javascript_auth() {
+ global $config;
+ $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
+
+ // No authentication for transparent proxy
+ if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) {
+ $javascript = <<< EOD
+
+
+EOD;
+ }
+ else {
+ $javascript = <<< EOD
+
+
+EOD;
+ }
+
+ print($javascript);
+}
+
+function squid_print_javascript_auth2() {
+ print("\n");
+}
+
+function squid_generate_rules($type) {
+ global $config;
+ $squid_conf = $config['installedpackages']['squid']['config'][0];
+ //check captive portal option
+ $cp_file='/etc/inc/captiveportal.inc';
+ $pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
+ $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
+ $cp_inc = file($cp_file);
+ $new_cp_inc="";
+ $found_rule=0;
+ foreach ($cp_inc as $line){
+ $new_line=$line;
+ //remove applied squid patch
+ if (preg_match('/skipto 65314 ip/',$line)){
+ $found_rule++;
+ $new_line ="";
+ }
+
+ if (substr($pfsense_version,0,3) > 2.0){
+ if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
+ $new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
+ }
+ }
+ else{
+ //add squid patch option based on current config
+ if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){
+ $found_rule++;
+ $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' 
in\n";'."\n"; + $new_line .= $line; + } + if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){ + $found_rule++; + $new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n"; + $new_line .= $line; + } + } + $new_cp_inc .= $new_line; + } + if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) { + copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup'); + } + if($found_rule > 0){ + file_put_contents($cp_file,$new_cp_inc, LOCK_EX); + } + //normal squid rule check + if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { + return; + } + + if (!is_service_running('squid')) { + log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); + return; + } + #Read assigned interfaces + $proxy_ifaces = explode(",", $squid_conf['active_interface']); + $proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces); + if ($squid_conf['transparent_proxy']=="on"){ + $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']); + $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces); + } + else{ + $transparent_ifaces=array(); + } + if ($squid_conf['ssl_proxy'] == "on"){ + $ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']); + $ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces); + } + else{ + $ssl_ifaces=array(); + } + + $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); + $ssl_port = ($squid_conf['ssl_proxy_port'] ? 
$squid_conf['ssl_proxy_port'] : 3127);
+
+ $fw_aliases = filter_generate_aliases();
+ if(strstr($fw_aliases, "pptp ="))
+ $PPTP_ALIAS = "\$pptp";
+ else
+ $PPTP_ALIAS = "\$PPTP";
+ if(strstr($fw_aliases, "PPPoE ="))
+ $PPPOE_ALIAS = "\$PPPoE";
+ else
+ $PPPOE_ALIAS = "\$pppoe";
+
+ #define ports based on transparent options and ssl filtering
+ $pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
+ switch($type) {
+ case 'nat':
+ $rules .= "\n# Setup Squid proxy redirect\n";
+ if ($squid_conf['private_subnet_proxy_off'] == 'on') {
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
+ $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
+ }
+ /* Handle PPPOE case */
+ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
+ $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
+ /* Handle PPTP case */
+ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
+ $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
+ }
+ }
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if(!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ if (is_alias($ip_proxy_off))
+ $ip_proxy_off = '$'.$ip_proxy_off;
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($transparent_ifaces as $iface) {
+ $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if(!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80"); + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n"; + } + } + foreach ($transparent_ifaces as $t_iface) { + $pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? 
"{80,443}" : "80"); + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n"; + if (in_array($t_iface,$ssl_ifaces)) + $rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($transparent_ifaces as $iface) { + $pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}"); + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n"; + #$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n"; + $rules .= "\n"; + }; + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n"; + } + break; + default: + break; + } + + return $rules; +} + +function squid_write_rcfile() { + /* Declare a variable for the SQUID_CONFFILE constant. */ + /* Then the variable can be referenced easily in the Heredoc text that generates the rc file. 
*/ + $squid_conffile_var = SQUID_CONFFILE; + $squid_local_base = SQUID_LOCALBASE; + $rc = array(); + $rc['file'] = 'squid.sh'; + $rc['start'] = <</dev/null +killall pinger 2>/dev/null + +EOD; + $rc['restart'] = <<setCredentials($username, $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after defined sync timeout value*/ + $resp = $cli->send($msg, $synctimeout); + if(!$resp) { + $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, $synctimeout); + $error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "squid Settings Sync", ""); + } else { + log_error("[Squid] XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell squid to reload our settings on the destination sync host. 
*/
+ $method = 'pfsense.exec_php';
+ $execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
+ $execcmd .= "squid_resync('yes');";
+ /* assemble xmlrpc payload */
+ $params = array(
+ XML_RPC_encode($password),
+ XML_RPC_encode($execcmd)
+ );
+
+ log_error("[Squid] XMLRPC reload data {$url}:{$port}.");
+ $msg = new XML_RPC_Message($method, $params);
+ $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
+ $cli->setCredentials($username, $password);
+ $resp = $cli->send($msg, $synctimeout);
+ if(!$resp) {
+ $error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } elseif($resp->faultCode()) {
+ $cli->setDebug(1);
+ $resp = $cli->send($msg, $synctimeout);
+ $error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
+ log_error($error);
+ file_notice("sync_settings", $error, "squid Settings Sync", "");
+ } else {
+ log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
+ }
+
+}
+?>
diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml
new file mode 100644
index 00000000..970f093e
--- /dev/null
+++ b/config/squid3/34/squid.xml
@@ -0,0 +1,582 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squid + 3.4.9 + Proxy server: General settings + /usr/local/pkg/squid.inc + + Proxy server + Modify the proxy server's settings +
Services
+ /pkg_edit.php?xml=squid.xml&id=0 +
+ + Reverse Proxy + Modify the proxy reverse server's settings +
Services
+ /pkg_edit.php?xml=squid_reverse_general.xml&id=0 +
+ + squid + squid.sh + squid + Proxy server Service + + + clamd + clamav-clamd + clamd + Clamav Antivirus + + + c-icap + c-icap + c-icap + Icap inteface for squid and clamav integration + + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid.inc + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_peer.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_uri.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_sync.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_sync.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_cache.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_nac.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_ng.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_ng.inc + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_traffic.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_upstream.xml + + + /usr/local/pkg/ + 0755 + 
https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.inc + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_auth.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_users.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_antivirus.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/sqpmon.sh + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/swapstate_check.php + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_redir.xml + + + /usr/local/www/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_monitor.php + + + /usr/local/www/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_monitor_data.php + + + /usr/local/www/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/squid_log_parser.php + + + /usr/local/www/shortcuts/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/pkg_squid.inc + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid3/34/check_ip.php + + + + Squid General Settings + listtopic + + + Proxy interface(s) + active_interface + The interface(s) the proxy server will bind to. + interfaces_selection + + lan + + + + Proxy port + proxy_port + This is the port the proxy server will listen on. + input + 5 + + 3128 + + + ICP port + icp_port + This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP. 
+ input + 5 + + + + Allow users on interface + allow_interface + If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut. + checkbox + + on + + + Patch captive portal + patch_cp + + NOTE: You may need to reapply captive portal config after changing this option.]]> + checkbox + + + Resolv dns v4 first + dns_v4_first + + checkbox + + + Disable ICMP + disable_pinger + + checkbox + + + Use alternate DNS-servers for the proxy-server + dns_nameservers + If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;). + input + 70 + + + Transparent Proxy Settings + listtopic + + + Transparent HTTP proxy + transparent_proxy + + NOTE: Transparent mode will filter ssl(port 443) if enable men-in-the-middle options below.
+ To filter both http and https protocol without intercepting ssl connections, enable WPAD/PAC options on your dns/dhcp.]]>
+ checkbox + transparent_active_interface,private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest + +
+ + Transparent Proxy interface(s) + transparent_active_interface + The interface(s) the proxy server will transparent intercept requests. + interfaces_selection + + lan + + + + Bypass proxy for Private Address destination + private_subnet_proxy_off + Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall. + checkbox + + + Bypass proxy for these source IPs + defined_ip_proxy_off + Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode] + input + 70 + + + Bypass proxy for these destination IPs + defined_ip_proxy_off_dest + Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode] + input + 70 + + + SSL man in the middle Filtering + listtopic + + + HTTPS/SSL interception + ssl_proxy + + checkbox + ssl_active_interface,dcert,sslcrtd_children,ssl_proxy_port,interception_checks + + + SSL Intercept interface(s) + ssl_active_interface + The interface(s) the proxy server will intercept ssl requests. + interfaces_selection + + lan + + + + SSL Proxy port + ssl_proxy_port + This is the port the proxy server will listen on to intercept ssl while using transparent proxy. + input + 5 + 3129 + + + CA + dca + + To create a CA on pfsense, go to system -> Cert Manager
+ Install the CA crt as an trusted ca on each computer you want to filter ssl to avoid ssl error on each connection.]]>
+ select_source + + descr + refid +
+ + sslcrtd children + sslcrtd_children + + if Squid is used in busy environments this may need to be increased, as well as the number of 'sslcrtd_children']]> + input + 2 + 5 + + + Remote Cert checks + interception_checks + Defaul is to do not select any of these options.]]> + select + + + + + + 3 + + + Certificate adapt + interception_adapt + Hint: Set subject CN
wiki doc with reference]]>
+ select + + + + + + + 3 +
+ + Logging Settings + listtopic + + + Enabled logging + log_enabled + This will enable the access log. Don't switch this on if you don't have much disk space left. + checkbox + log_query_terms,log_user_agents + + + Log store directory + log_dir + The directory where the log will be stored (note: do not end with a / mark) + input + 60 + + /var/squid/logs + + + Log rotate + log_rotate + Defines how many days of logfiles will be kept. Rotation is disabled if left empty. + input + 5 + + + Visible hostname + visible_hostname + This is the URL to be displayed in proxy server error messages. + input + 60 + localhost + + + Administrator email + admin_email + This is the email address displayed in error messages to the users. + input + 60 + admin@localhost + + + Language + error_language + Select the language in which the proxy server will display error messages to users. + select + en + + + Disable X-Forward + disable_xforward + If not set, Squid will include your system's IP address or name in the HTTP requests it forwards. + checkbox + + + Disable VIA + disable_via + If not set, Squid will include a Via header in requests and replies as required by RFC2616. + checkbox + + + Log denied pages by squidguard + log_sqd + + Note: This option only will work if you include this code on your sgerror.php file to force client browser send a second request to squid with denied string on url.

+ $sge_prefix=(preg_match("/\?/",$cl['u'])?"&":"?");
+ $str[] = '< iframe > src="'.$cl['u'].$sge_prefix.'sgr=ACCESSDENIED" width="1" height="1" > < /iframe >';

+ removing extra space on iframe html code.]]>
+ checkbox +
+ + What to do with requests that have whitespace characters in the URI + uri_whitespace + <b> strip:</b> The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. <p> <b> deny:</b> The request is denied. The user receives an "Invalid Request" message.<p> <b> allow:</b> The request is allowed and the URI is not changed. The whitespace characters remain in the URI.<p> <b> encode:</b> The request is allowed and the whitespace characters are encoded according to RFC1738.<p> <b> chop:</b> The request is allowed and the URI is chopped at the first whitespace. + select + strip + + + + + + + + + + Suppress Squid Version + disable_squidversion + If set, suppress Squid version string info in HTTP headers and HTML error pages. + checkbox + + + Custom Settings + listtopic + + + Integrations + custom_options + + textarea + 78 + 5 + + + Custom ACLS (Before_Auth) + custom_options_squid3 + + They need to be squid.conf native options, otherwise squid will NOT work.]]> + textarea + base64 + 78 + 10 + + + Custom ACLS (After_Auth) + custom_options2_squid3 + + They need to be squid.conf native options, otherwise squid will NOT work.]]> + textarea + base64 + 78 + 10 + +
+ + squid_before_form_general($pkg); + + + squid_resync(); + + + squid_validate_general($_POST, $input_errors); + + + squid_resync(); + unlink_if_exists("/usr/local/etc/rc.d/squid"); + + + update_status("Checking Squid cache... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + squid_install_command(); + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + + + squid_deinstall_command(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); + + squid_generate_rules +
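Review bot: The `SSL Proxy port` field defaults to 3129 here, but `squid_generate_rules` in squid.inc (same commit) falls back to `3127` when `ssl_proxy_port` is empty, so a box whose general form was never saved would get a port-443 rdr to a port squid is not listening on; align the fallback with this default, `$ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3129);`. The package description and requirements still carry the template placeholders (`Describe your package here`, `Describe your package requirements here`); a one-line description of the squid 3.4 package belongs there. The `Remote Cert checks` help text reads `Defaul is to do not select any of these options`; `Default is to select none of these options` says the same thing clearly.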
diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml new file mode 100755 index 00000000..2afb1ff1 --- /dev/null +++ b/config/squid3/34/squid_antivirus.xml 
@@ -0,0 +1,158 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidantivirus + none + Proxy server: Antivirus + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Clamav anti-virus integration using c-icap + listtopic + + + Enable + enable + Enable squid antivirus check using clamav. + max_check_size,Timeout,MaxKeepAliveRequests,KeepAliveTimeout,StartServers,MaxServers + checkbox + + + Client forward options + client_info + + select + strip + + + + + + + + + Advanced options + listtopic + + + squidclamav.conf + squidclamav + squidclamav.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + textarea + base64 + 75 + 15 + + + c-icap.conf + c-icap_conf + c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + textarea + base64 + 75 + 15 + + + c-icap.magic + c-icap_magic + c-icap.conf file. Leave empty to load sample file. Edit only if you know what are you doing. + textarea + base64 + 75 + 15 + + + + + + squid_resync(); + + diff --git a/config/squid3/34/squid_auth.inc b/config/squid3/34/squid_auth.inc new file mode 100644 index 00000000..cc511607 --- /dev/null +++ b/config/squid3/34/squid_auth.inc 
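Review bot: The help text for the `c-icap_magic` textarea says `c-icap.conf file. Leave empty to load sample file.`, copied from the field above it; it should read `c-icap.magic file. Leave empty to load sample file.`. The field list attached to the `enable` checkbox (`max_check_size,Timeout,MaxKeepAliveRequests,KeepAliveTimeout,StartServers,MaxServers`) appears to be its enablefields list, yet none of those names is defined anywhere in this form, so the toggle has no effect; either add those fields or list the ones that exist (`squidclamav,c-icap_conf,c-icap_magic`). The `Client forward options` select has no help text, so a user cannot tell what `strip` does to the client information forwarded to c-icap before choosing it.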
@@ -0,0 +1,446 @@ + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+
+*/
+
+function global_eval_auth_options()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) {
+ case "none":
+ dynamic_auth_content("pkg_edit");
+ dynamic_no_auth();
+ break;
+ case "local_auth":
+ dynamic_auth_content("pkg");
+ /* create empty passwd file to prevent stat error with squid reload */
+ touch ("/usr/local/etc/squid/advanced/ncsa/passwd");
+ dynamic_local_auth();
+ break;
+ case "ldap_bind":
+ dynamic_auth_content("pkg_edit");
+ dynamic_ldap_auth();
+ break;
+ case "domain_auth":
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_domain_auth();
+ break;
+ case "radius_auth":
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_radius_auth();
+ break;
+ default:
+ $filecontents = file("/usr/local/pkg/squid_auth.xml");
+ dynamic_auth_content("pkg_edit");
+ dynamic_no_auth();
+ break;
+ }
+
+ config_unlock();
+ conf_mount_ro();
+
+} /* end function global_eval_auth_options */
+
+function dynamic_no_auth() {
+ global $config;
+ conf_mount_rw();
+ $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w");
+ fwrite($fout, "\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " squidextnoauth\n");
+ fwrite($fout, " Services: Proxy Server -> Extended Authentication Settings\n");
+ fwrite($fout, " installedpackages->package->squidextnoauth->configuration->settings\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " General Settings\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Upstream Proxy\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " 
Cache Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Network Access Control\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Traffic Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Extended Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " No Authentication Defined\n"); + fwrite($fout, " no_auth\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_local_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, " squidextlocalauth\n"); + fwrite($fout, " Services: Proxy Server -> Extended Auth Settings\n"); + fwrite($fout, " 2.5.10_4\n"); + fwrite($fout, " installedpackages->package->squidextlocalauth->configuration->settings\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + 
fwrite($fout, "\n"); + fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " General Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Upstream Proxy\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Cache Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Network Access Control\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Traffic Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Extended Auth Settings\n"); + fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " Username\n"); + fwrite($fout, " username\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Description\n"); + fwrite($fout, " description\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Restriction Group\n"); + fwrite($fout, " group\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " Username\n"); + fwrite($fout, " username\n"); + fwrite($fout, " 
input\n"); + fwrite($fout, " 15\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Password\n"); + fwrite($fout, " password\n"); + fwrite($fout, " password\n"); + fwrite($fout, " 8\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Description (Optional)\n"); + fwrite($fout, " description\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 30\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Restriction Group\n"); + fwrite($fout, " group\n"); + fwrite($fout, " select\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_ldap_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, " squidextldapauth\n"); + fwrite($fout, " Services: Proxy Server -> Extended Auth Settings\n"); + fwrite($fout, " 2.5.11\n"); + fwrite($fout, " installedpackages->package->squidextldapauth->configuration->settings\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " General Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n"); + 
fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Upstream Proxy\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Cache Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Network Access Control\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Traffic Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Extended Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " Base DN\n"); + fwrite($fout, " ldap_basedn\n"); + fwrite($fout, " This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. 
Example: \"ou=users,o=company\" will search for users in and under the specified company.\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 50\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " LDAP Server\n"); + fwrite($fout, " ldap_server\n"); + fwrite($fout, " This is the LDAP server that the bind will be attempted against.\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 20\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " LDAP Type\n"); + fwrite($fout, " ldap_type\n"); + fwrite($fout, " This specifies the supported LDAP types.\n"); + fwrite($fout, " select\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " LDAP Port\n"); + fwrite($fout, " ldap_port\n"); + fwrite($fout, " This is the port that LDAP bind will attempt on. 
The default is \"389\".\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 5\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Bind DN Username\n"); + fwrite($fout, " bind_dn_username\n"); + fwrite($fout, " If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 30\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Bind DN Password\n"); + fwrite($fout, " bind_dn_password\n"); + fwrite($fout, " This is the associated password with the Bind DN Username previously specified.\n"); + fwrite($fout, " password\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ +function dynamic_auth_content($pkgvar) { + + switch ($pkgvar) { + case "pkg": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . 
$file, "w"); + foreach($filecontents as $line) { + if (stristr($line, "/pkg_edit.php?xml=squid_extauth.xml&id=0")) { + fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + + case "pkg_edit": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "/pkg.php?xml=squid_extauth.xml&id=0")) { + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + } + +} /* end function dynamic_auth_content */ +?> \ No newline at end of file diff --git a/config/squid3/34/squid_auth.xml b/config/squid3/34/squid_auth.xml new file mode 100755 index 00000000..7f54b156 --- /dev/null +++ b/config/squid3/34/squid_auth.xml 
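Review bot: `dynamic_auth_content()` rewrites every squid_*.xml under /usr/local/pkg but never releases what it opens: `$fout` from `fopen(..., "w")` is left open in both `case` loops, `$handle` from `opendir()` never reaches `closedir()`, and the `fopen()` result is not checked before `fwrite()`, so each iteration should end with `fclose($fout);` and each loop with `closedir($handle);`. The loop condition `while (($file = readdir($handle)) != false)` is a loose comparison, so a directory entry named "0" ends the scan early; it should be `while (($file = readdir($handle)) !== false)`. Each package file is also truncated in place right after being read, so a failure mid-write leaves a half-written definition that the package system will later parse (these files carry PHP in their custom_php_* elements); writing to a temporary file and renaming it over the original would make the rewrite atomic. In `global_eval_auth_options()` the `$filecontents = file("/usr/local/pkg/squid_auth.xml")` assignments in the `domain_auth`, `radius_auth` and `default` branches are never read and can be dropped, and `dynamic_domain_auth()`/`dynamic_radius_auth()` are called but not defined in this file, so presumably they live elsewhere — worth confirming, since the `default` branch otherwise fails on any unknown method.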
@@ -0,0 +1,270 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidauth + none + Proxy server: Authentication + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Squid Authentication General Settings + listtopic + + + Authentication method + auth_method + Select an authentication method. This will allow users to be authenticated by local or external services. + select + + none + + + + + + + + + on_auth_method_changed() + + + Authentication server + auth_server + Enter here the IP or hostname of the server that will perform the authentication. + input + 60 + + + Authentication server port + auth_server_port + Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port. + input + 60 + + + Authentication prompt + auth_prompt + This string will be displayed at the top of the authentication request window. + input + Please enter your credentials to access the proxy + + + Authentication processes + auth_processes + The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly. + input + 5 + 5 + + + Authentication TTL + auth_ttl + This specifies for how long (in seconds) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again.Default value is 5. 
+ input + 5 + 5 + + + Requiere authentication for unrestricted hosts + unrestricted_auth + If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy. + checkbox + + + Subnets that don't need authentication + no_auth_hosts + Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy. + textarea + 50 + 5 + base64 + + + Squid Authentication Ldap Settings + listtopic + + + LDAP version + ldap_version + Enter LDAP protocol version (2 or 3). + select + 2 + + + + + + + LDAP server user DN + ldap_user + Enter here the user DN to use to connect to the LDAP server. + input + 60 + + + LDAP password + ldap_pass + Enter here the password to use to connect to the LDAP server. + password + 20 + + + LDAP base domain + ldap_basedomain + For LDAP authentication, enter here the base domain in the LDAP server. + input + 60 + + + LDAP username DN attribute + ldap_userattribute + Enter LDAP username DN attibute. + input + 20 + uid + + + LDAP search filter + ldap_filter + Enter LDAP search filter. + input + 40 + (&(objectClass=person)(uid=%s)) + + + Squid Authentication NT Domain Settings + listtopic + + + NT domain + auth_ntdomain + Enter here the NT domain. + input + 60 + + + Secondary NT servers + msnt_secondary + Comma-separated list of secondary servers to be used for NT domain authentication. + input + 60 + + + Squid Authentication Radius Settings + listtopic + + + RADIUS secret + radius_secret + The RADIUS secret for RADIUS authentication. 
+ password + 20 + + + + squid_validate_auth($_POST, $input_errors); + + + squid_print_javascript_auth2(); + + + squid_resync(); + + + squid_print_javascript_auth2(); + + + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + if($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) + $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; + squid_print_javascript_auth(); + + diff --git a/config/squid3/34/squid_cache.xml b/config/squid3/34/squid_cache.xml new file mode 100755 index 00000000..f9204d46 --- /dev/null +++ b/config/squid3/34/squid_cache.xml 
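Review bot: The transparent-proxy check near the end of this hunk, `preg_match("/(local|ldap|radius|msnt|ntlm)/", ...['auth_method'])`, does not obviously cover the NT-domain method: the companion squid_auth.inc in this commit switches on the value `domain_auth`, which matches none of those alternatives, so selecting domain authentication together with transparent mode may pass without the error (the option values of the `auth_method` select are not visible here, so this needs confirming against them). That check also reads the stored `$config[...]['auth_method']` rather than the submitted value, so it reflects the previously saved method; if this element is the pre-form hook that may be intended, otherwise it should look at `$_POST['auth_method']`. Two typos in the form text: `Requiere authentication for unrestricted hosts` → `Require authentication for unrestricted hosts`, and `Enter LDAP username DN attibute.` → `Enter LDAP username DN attribute.`.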
@@ -0,0 +1,322 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form MUST reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidcache + none + Proxy server: Cache management + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Squid Cache General Settings + listtopic + + + Cache replacement policy + cache_replacement_policy + The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail. + select + heap LFUDA + + + + + + + + + Low-water-mark in % + cache_swap_low + Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark. + input + 5 + 90 + + + High-water-mark in % + cache_swap_high + As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive. + input + 5 + 95 + + + Do not cache + donotcache + Enter each domain or IP address on a new line that should never be cached. + textarea + 50 + 5 + base64 + + + Enable offline mode + enable_offline + Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted). + checkbox + + + + External Cache-Managers + ext_cachemanager + Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;). 
+ input + 60 + + + Squid Hard disk cacheSettings + listtopic + + + Hard disk cache size + harddisk_cache_size + This is the amount of disk space (in megabytes) to use for cached objects. + input + + 10 + 100 + + + Hard disk cache system + harddisk_cache_system +
ufs is the old well-known Squid storage format that has always been there. +

aufs uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) +

diskd uses a separate process to avoid blocking the main Squid process on disk-I/O.
To use ipcs and ipcrm on squid, Download livefs.iso from ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/8.3/ mount it and copy /usr/bin/ipcs and /usr/bin/ipcrm to your system and set them as executables. +

null Does not use any storage. Ideal for Embedded/NanoBSD.]]>
+ select + ufs + + + + + + +
+ + Clear cache on log rotate + clear_cache + + This action will be executed automatically if the swap.state file is taking up more than 75% disk space,or the drive is 90%]]> + checkbox + + + Level 1 subdirectories + level1_subdirs + Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions. + select + 16 + + + + + + + + + + + + Hard disk cache location + harddisk_cache_location + This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while + input + 60 + + /var/squid/cache + + + Minimum object size + minimum_object_size + Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum. + input + + 10 + 0 + + + Maximum object size + maximum_object_size + Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value. + input + + 10 + 4 + + + Squid Memory Cache Settings + listtopic + + + Memory cache size + memory_cache_size + This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB. + input + 10 + + 8 + + + Maximum object size in RAM + maximum_objsize_in_mem + Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32. + input + 10 + + 32 + + + Memory replacement policy + memory_replacement_policy + The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. 
<p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. <p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA. + select + heap GDSF + + + + + + + + + Dynamic and Update Content + listtopic + + + Cache Dynamic Content + cache_dynamic_content + enable caching of dynamic content.
+ ]]>
+ checkbox + 10 +
+ + Refresh Patterns + refresh_patterns + Youtube and windowsupdate
+
Notes:
+ Squid wiki suggests 'Finish transfer if less than x KB remaining' on 'traffic mgmt' squid tab to -1 but you can apply your own values to control cache.

+ set Maximum download size on 'traffic mgmt' squid tab to a value that fits patterns your are applying.
Microsoft may need 200Mb and youtube 4GB.]]>
+ select + none + + + + + + + + + 06 +
+ + Custom refresh_patterns + custom_refresh_patterns + Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled. + textarea + 67 + 5 + base64 + +
+ + if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { + $needs_dash_z = true; + } + + + squid_validate_cache($_POST, $input_errors); + + + squid_resync(); + if($needs_dash_z) + squid_dash_z(); + +
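Review bot: The `harddisk_cache_system` description instructs the admin to download livefs.iso from an FTP mirror for a specific FreeBSD release, mount it and copy `ipcs`/`ipcrm` into the system as executables; that is unauthenticated, unverified binary retrieval onto the firewall and does not belong in a help text, so either drop that sentence or point at the package that ships the tools. The before-form logic only sets `$needs_dash_z` when `harddisk_cache_size` differs from the stored value, while the `harddisk_cache_location` description itself says a changed location requires a new cache and a changed `harddisk_cache_system` presumably does too; unless `squid_resync()` handles that elsewhere, the comparison should also cover those two fields. `$needs_dash_z` is never initialised, so the resync `if($needs_dash_z)` reads an undefined variable whenever the size is unchanged; add `$needs_dash_z = false;` before the comparison. Minor wording: `Squid Hard disk cacheSettings` → `Squid Hard disk cache Settings`, and `patterns your are applying` → `patterns you are applying`.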
diff --git a/config/squid3/34/squid_cpauth.php b/config/squid3/34/squid_cpauth.php new file mode 100644 index 00000000..98be9946 --- /dev/null +++ b/config/squid3/34/squid_cpauth.php @@ -0,0 +1,24 @@ +#!/usr/local/bin/php -q + \ No newline at end of file diff --git a/config/squid3/34/squid_extauth.xml b/config/squid3/34/squid_extauth.xml new file mode 100644 index 00000000..41d9f633 --- /dev/null +++ b/config/squid3/34/squid_extauth.xml 
@@ -0,0 +1,106 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidextnoauth + none + Services: Proxy Server -> Extended Authentication Settings + /pkg_edit.php?xml=squid_extauth.xml&id=0 + + + General + /pkg_edit.php?xml=squid_ng.xml&id=0 + + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + + Auth + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + + Extended Auth + /pkg_edit.php?xml=squid_extauth.xml&id=0 + + + + + installedpackages->package->squidextnoauth->configuration->settings + + + No Authentication Defined + no_auth + text + + + + + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + + + diff --git a/config/squid3/34/squid_ident.php b/config/squid3/34/squid_ident.php new file mode 100644 index 00000000..ad13beb6 --- /dev/null +++ b/config/squid3/34/squid_ident.php 
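Review bot: This static squid_extauth.xml carries the tab set of the older package layout (`/pkg_edit.php?xml=squid_ng.xml&id=0` as "General", plus "Upstream Proxy", "Cache Mgmt", "Access Control") and its resync command includes `/usr/local/pkg/squid_ng.inc`, while every other package file in this commit links its tabs to squid.xml, squid_upstream.xml and squid_cache.xml with the "Remote Cache"/"Local Cache" labels and includes `/usr/local/pkg/squid.inc`; it looks like a stale carry-over that should be aligned with the new tab set or documented as intentionally different. Note also that `dynamic_no_auth()` in squid_auth.inc regenerates this same file at runtime, so whatever is committed here only survives until the first authentication change; a leading comment such as `<!-- regenerated by dynamic_*_auth() in squid_auth.inc; manual edits are overwritten -->` would keep the next maintainer from editing it by hand.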
@@ -0,0 +1,148 @@
+#!/usr/bin/php
+#http://blog.dataforce.org.uk/2010/03/Ident-Server
+/.ident
+ * If this is present, it will be read.
+ * It should be a file with a format like so:
+
+
+ * :::
+
+ * The first line that matches is used, any bit can be a * and it will always match,
+ * so "* user" is valid. In future more sophisticated matches will be permitted
+ * (eg 127.*) but for now its either all or nothing.
+ *
+ * Its worth noting that is the host that requests the ident, so if this
+ * is likely to be different than the host that was connected to, then "STRICT_HOST" will
+ * need to be set to false.
+ *
+ * At the moment is ignored, in future versions this might be changed, so
+ * it is still required.
+ *
+ * Lines with a ':' in them are assumed to be of the second format, and must contain
+ * all 4 sections or they will be ignored.
+ *
+ * Lines starting with a # are ignored.
+ *
+ * There are some special values that can be used as idents:
+ * ! = Send an error instead.
+ * * = Send the default ident.
+ * ? = Send a random ident (In future a 3rd parameter will specify the format,
+ * # for a number, @ for a letter, ? for either, but this is not implemented yet)
+ *
+ * In future there will also be support for /home/user/.ident.d/ directories, where
+ * every file will be read for the ident response untill one matches.
+ * This will allow multiple processes to create files rather than needing to
+ * lock and edit .ident
+ */
+
+ // Allow spoofing idents.
+ define('ALLOW_SPOOF', true);
+
+ // Requesting host must be the same as the host that was connected to.
+ define('STRICT_HOST', true);
+
+ // Error to send when '!' is used as an ident.
+ define('HIDE_ERROR', 'UNKNOWN-ERROR');
+
+ openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON);
+
+ $result = 'ERROR : UNKNOWN-ERROR' . "\n";
+
+ $host = $_SERVER['REMOTE_HOST'];
+
+ syslog(LOG_INFO, 'Connection from: '.$host);
+
+ // Red in the line from the socket.
+ $fh = @fopen('php://stdin', 'r');
+ if ($fh) {
+ $input = @fgets($fh);
+ $line = trim($input);
+ if ($input !== FALSE && !empty($line)) {
+ $result = trim($input) . ' : ' . $result;
+ // Get the data from it.
+ $bits = explode(',', $line);
+ $source = trim($bits[0]);
+ $dest = isset($bits[1]) ? trim($bits[1]) : '';
+
+ // Check if it is valid
+ if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) {
+ // Now actually look for this!
+ $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest";
+
+ $output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`;
+
+ $bits = explode('/', $output);
+ $pid = $bits[0];
+
+ if (preg_match('/^[0-9]+$/', $pid)) {
+ $user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`;
+
+ $senduser = trim($user);
+
+ // Look for special ident file: /home/user/.ident this is an ini-format file.
+ $file = '/home/'.trim($user).'/.ident';
+
+ if (file_exists($file)) {
+ $config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT);
+ foreach ($config as $line) {
+ // Ignore comments.
+ $line = trim($line);
+ if (substr($line, 1) == '#') { continue; }
+
+ // Make sure line is valid.
+ $bits = explode(' ', $line);
+ if (count($bits) == 1) { continue; }
+
+ // Check type of line
+ if (strpos($bits[0], ':') !== FALSE) {
+ // LocalHost:LocalPort:RemoteHost:RemotePort
+ $match = explode(':', $bits[0]);
+ if (count($match) != 4) { continue; }
+
+ if (($match[1] == '*' || $match[1] == $source) &&
+ ($match[2] == '*' || $match[2] == $host) &&
+ ($match[3] == '*' || $match[3] == $dest)) {
+ syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
+ $senduser = $bits[1];
+ break;
+ }
+ } else if ($bits[0] == '*' || $bits[0] == $pid) {
+ syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line);
+ $senduser = $bits[1];
+ }
+ }
+
+ if ($senduser == "*") {
+ $senduser = trim(user);
+ } else if ($senduser == "?") {
+ $senduser = 'user'.rand(1000,9999);
+ }
+ }
+
+ if ($senduser != "!") {
+ $result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser);
+ } else {
+ $result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR;
+ }
+ }
+ }
+ }
+ }
+
+ echo $result;
+ syslog(LOG_INFO, 'Result: '.$result);
+ closelog();
+ exit(0);
+?>
diff --git a/config/squid3/34/squid_log_parser.php b/config/squid3/34/squid_log_parser.php
new file mode 100755
index 00000000..8d0cbc20
--- /dev/null
+++ b/config/squid3/34/squid_log_parser.php
@@ -0,0 +1,57 @@
+#!/usr/local/bin/php -q
+
\ No newline at end of file
diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php
new file mode 100755
index 00000000..84bf08e9
--- /dev/null
+++ b/config/squid3/34/squid_monitor.php
@@ -0,0 +1,200 @@
+
+
+
+
+
+
+
+
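Review bot: `$host` is read from `$_SERVER['REMOTE_HOST']` and interpolated unvalidated into the grep pattern of the backtick `netstat ... | grep '$match'` command, while only `$source` and `$dest` are checked against `/^[0-9]+$/`; whatever the inetd-style launcher puts in that variable, it should be constrained before it reaches the shell, e.g. `if (!preg_match('/^[A-Za-z0-9.:_-]+$/', $host)) { $host = ''; }` right after it is read, or `$match` should be passed through `escapeshellarg()`. Two smaller defects sit in the `.ident` loop: `substr($line, 1) == '#'` compares everything after the first character, so the "ignore comments" filter never matches a `#`-prefixed line and should be `substr($line, 0, 1) == '#'`; and `$senduser = trim(user);` references the bare constant `user` instead of `$user`. `ALLOW_SPOOF` is defined at the top but never consulted before the `.ident` override replaces the real username, so the constant currently documents a switch that does not exist.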

+ + + + + + + +
+ + + + + +
+ +
+
+
+ + + + + + + + + + + +
Max lines: + +
+ + + +
String filter: + +
+ +
+
+ ! to invert the sense of matching, to select non-matching lines.");?> +
+
+
+ + + + + + + + +
+ + + + + + + +
+
+ + + + + + + + +
+ + + + + + + +
+
+
+ +
+
+ + + + + + diff --git a/config/squid3/34/squid_monitor_data.php b/config/squid3/34/squid_monitor_data.php new file mode 100755 index 00000000..6223330e --- /dev/null +++ b/config/squid3/34/squid_monitor_data.php 
@@ -0,0 +1,175 @@
+|<)/',"",htmlspecialchars($_POST['strfilter']));
+ $program = strtolower($_POST['program']);
+ switch ($program) {
+ case 'squid':
+ // Define log file
+ $log='/var/squid/logs/access.log';
+ //show table headers
+ show_tds(array("Date","IP","Status","Address","User","Destination"));
+ //fetch lines
+ $logarr=fetch_log($log);
+ // Print lines
+ foreach ($logarr as $logent) {
+ // Split line by space delimiter
+ $logline = preg_split("/\s+/", $logent);
+
+ // Apply date format to first line
+ //$logline[0] = date("d.m.Y H:i:s",$logline[0]);
+
+ // Word wrap the URL
+ $logline[7] = htmlentities($logline[7]);
+ $logline[7] = html_autowrap($logline[7]);
+
+ // Remove /(slash) in destination row
+ $logline_dest = preg_split("/\//", $logline[9]);
+
+ // Apply filter and color
+ // Need validate special chars
+ if ($filter != "")
+ $logline = preg_replace("@($filter)@i","$1",$logline);
+ echo "\n";
+ echo "{$logline[0]} {$logline[1]}\n";
+ echo "{$logline[3]}\n";
+ echo "{$logline[4]}\n";
+ echo "{$logline[7]}\n";
+ echo "{$logline[8]}\n";
+ echo "{$logline_dest[1]}\n";
+ echo "\n";
+ }
+ break;
+ case 'sguard';
+ $log='/var/squidGuard/log/block.log';
+ //show table headers
+ show_tds(array("Date-Time","ACL","Address","Host","User"));
+ //fetch lines
+ $logarr=fetch_log($log);
+ foreach ($logarr as $logent) {
+ // Split line by space delimiter
+ $logline = preg_split("/\s+/", $logent);
+
+ // Apply time format
+ $logline[0] = date("d.m.Y", strtotime($logline[0]));
+
+ // Word wrap the URL
+ $logline[4] = htmlentities($logline[4]);
+ $logline[4] = html_autowrap($logline[4]);
+
+
+ // Apply filter color
+ // Need validate special chars
+ if ($filter != "")
+ $logline = preg_replace("@($filter)@i","$1",$logline);
+
+
+ echo "\n";
+ echo "{$logline[0]} {$logline[1]}\n";
+ echo "{$logline[3]}\n";
+ echo "{$logline[4]}\n";
+ echo "{$logline[5]}\n";
+ echo "{$logline[6]}\n";
+ echo "\n";
+ }
+ break;
+ }
+}
+
+# 
------------------------------------------------------------------------------
+# Functions
+# ------------------------------------------------------------------------------
+
+// From SquidGuard Package
+function html_autowrap($cont)
+{
+ # split strings
+ $p = 0;
+ $pstep = 25;
+ $str = $cont;
+ $cont = '';
+ for ( $p = 0; $p < strlen($str); $p += $pstep ) {
+ $s = substr( $str, $p, $pstep );
+ if ( !$s ) break;
+ $cont .= $s . "";
+ }
+ return $cont;
+}
+
+
+// Show Squid Logs
+function fetch_log($log){
+ global $filter,$program;
+ // Get Data from form post
+ $lines = $_POST['maxlines'];
+ if (preg_match("/!/",htmlspecialchars($_POST['strfilter'])))
+ $grep_arg="-iv";
+ else
+ $grep_arg="-i";
+
+ //Check program to execute or no the parser
+ if($program == "squid")
+ $parser = "| php -q squid_log_parser.php";
+ else
+ $parser = "";
+
+ // Get logs based in filter expression
+ if($filter != "") {
+ exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines} {$parser} " , $logarr);
+ }
+ else {
+ exec("tail -r -n {$lines} {$log} {$parser}", $logarr);
+ }
+ // return logs
+ return $logarr;
+};
+
+function show_tds($tds){
+ echo "\n";
+ foreach ($tds as $td){
+ echo "".gettext($td)."\n";
+ }
+ echo "\n";
+}
+
+?>
diff --git a/config/squid3/34/squid_nac.xml b/config/squid3/34/squid_nac.xml
new file mode 100755
index 00000000..70fe162f
--- /dev/null
+++ b/config/squid3/34/squid_nac.xml
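Review bot: In `fetch_log`, `$lines` is taken straight from `$_POST['maxlines']` and interpolated into both `exec()` command strings as `tail -r -n {$lines}`, whereas `$filter` on the same line is wrapped in `escapeshellarg()`; it should be coerced to an integer before use, e.g. `$lines = intval($_POST['maxlines']); if ($lines <= 0) { $lines = 50; }` with whatever default the form actually uses. Separately, the two `preg_replace("@($filter)@i", "$1", $logline)` calls in the top-level `switch` use the POSTed filter as a regular expression: `htmlspecialchars()` and the `(>|<)` strip leave PCRE metacharacters and the `@` delimiter intact, so a filter containing `(`, `[` or `@` breaks the pattern (PHP warning, `null` result, blank rows) — using `preg_quote($filter, '@')` inside the pattern fixes that without changing the grep path. The opening `$filter = ...` statement is partly lost in this rendering, so the exact sanitisation applied before `htmlspecialchars()` could not be confirmed.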
@@ -0,0 +1,191 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidnac + none + Proxy server: Access control + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Squid Access Control Lists + listtopic + + + Allowed subnets + allowed_subnets + Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy. + textarea + 50 + 5 + base64 + + + Unrestricted IPs + unrestricted_hosts + Enter unrestricted IP address / network(in CIDR format) on a new line that is not to be filtered out by the other access control directives set in this page. + textarea + 50 + 5 + base64 + + + Banned host addresses + banned_hosts + Enter each IP address / network(in CIDR format) on a new line that is not to be allowed to use the proxy. + textarea + 50 + 5 + base64 + + + Whitelist + whitelist + Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions. + textarea + 50 + 5 + base64 + + + Blacklist + blacklist + Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. + textarea + 50 + 5 + base64 + + + Block user agents + block_user_agent + Enter each user agent on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. 
+ textarea + 50 + 5 + base64 + + + Block MIME types (reply only) + block_reply_mime_type + Enter each MIME type on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. Useful to block javascript (application/x-javascript). + textarea + 50 + 5 + base64 + + + Squid Allowed ports + listtopic + + + acl safeports + addtl_ports + This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535 + input + 60 + + + + acl sslports + addtl_sslports + This is a space-separated list of ports to allow SSL "CONNECT" in addition to the already defined list: 443 563 + input + 60 + + + + + squid_validate_nac($_POST, $input_errors); + + + squid_resync(); + + diff --git a/config/squid3/34/squid_ng.inc b/config/squid3/34/squid_ng.inc new file mode 100755 index 00000000..bac4d4f0 --- /dev/null +++ b/config/squid3/34/squid_ng.inc 
@@ -0,0 +1,1070 @@ + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ +*/ + +if(!function_exists("filter_configure")) + require_once("filter.inc"); + +function global_write_squid_config() +{ + global $config; + conf_mount_rw(); + config_lock(); + + /* define squid configuration file in variable for replace function */ + $squidconfig = "/usr/local/etc/squid/squid.conf"; + + /* squid.xml values */ + $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface']; + $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy']; + $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled']; + $urlfilter_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable']; + $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled']; + $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms']; + $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents']; + $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port']; + $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname']; + $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email']; + $error_language = $config['installedpackages']['squid']['config'][0]['error_language']; + $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled']; + + /* squid_upstream.xml values */ + $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding']; + $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding']; + $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding']; + $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy']; + $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port']; + 
$upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username']; + $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword']; + + /* squid_cache.xml values */ + $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size']; + $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']; + $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size']; + $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size']; + $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs']; + $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement']; + $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement']; + $domain = $config['installedpackages']['squidcache']['config'][0]['domain']; + $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline']; + + /* squid_nac.xml values */ + $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets']; + $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address']; + $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses']; + $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses']; + $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses']; + $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts']; + + /* squid_traffic.xml values */ + $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size']; + $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size']; 
+ $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall']; + $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host']; + $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files']; + $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images']; + $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia']; + + /* squid_auth.xml values */ + $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method']; + $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes']; + $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl']; + $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr']; + $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl']; + $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth']; + $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt']; + $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth']; + $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length']; + $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended']; + + /* squid_extauth.xml (ldap) values */ + $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn']; + $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server']; + $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type']; + $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port']; + $bind_dn_username = 
$config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username']; + $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password']; + + /* squid_extauth.xml (radius) values */ + $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server']; + $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port']; + $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier']; + $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret']; + + /* static variable assignments for directory mapping */ + $acldir = "/usr/local/etc/squid/advanced/acls"; + $ncsadir = "/usr/local/etc/squid/advanced/ncsa"; + $ntlmdir = "/usr/local/etc/squid/advanced/ntlm"; + $radiusdir = "/usr/local/etc/squid/advanced/radius"; + + $fout = fopen($squidconfig, "w"); + + $config_array = array('shutdown_lifetime 5 seconds' . "\n\n"); + + if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) { + mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi"); + mwexec("chmod a+rx /usr/local/www/cachemgr.cgi"); + } else { + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + } + unset($cachemgr_enabled); + + if (!isset($icp_port) or ($icp_port == "")) { + $icp_port = "3130"; + } + $config_array[] = 'icp_port ' . $icp_port . "\n"; + unset($icp_port); + + if(!isset($proxy_port) or ($proxy_port == "")) { + $proxy_port = "3128"; + } + + if (isset($transparent_proxy) && ($transparent_proxy != "on")) { + $int = convert_friendly_interface_to_real_interface_name($active_interface); + $listen_ip = find_interface_ip($int); + + $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n"; + $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n"; + $config_array[] = 'no_cache deny QUERY' . "\n\n"; + } + $config_array[] = 'http_port 127.0.0.1:' . $proxy_port . 
"\n\n"; + unset($proxy_port); + + if (isset($domain) && ($domain !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/dst_nocache.acl","w"); + + $domain_array = split("; ",$domain); + foreach ($domain_array as $no_cache_domain) { + fwrite($aclout, $no_cache_domain . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n"; + $config_array[] = 'no_cache deny no_cache_domains' . "\n\n"; + } + unset($no_cache_domain); + unset($domain_array); + unset($domain); + + $config_array[] = 'cache_effective_user squid' . "\n"; + $config_array[] = 'cache_effective_group squid' . "\n\n"; + $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n"; + + if (!isset($memory_cache_size) or ($memory_cache_size == "")) { + $memory_cache_size = "8"; + } + $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n"; + unset($memory_cache_size); + + if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) { + $harddisk_cache_size = "500"; + } + + if (!isset($level_subdirs) or ($level_subdirs == "")) { + $level_subdirs = "16"; + } + + $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n"; + unset($harddisk_cache_size); + unset($level_subdirs); + + if (!isset($error_language) or ($error_language == "")) { + $error_language = "English"; + } + $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n"; + unset($error_language); + + if (isset($offline_mode) && ($offline_mode == "on")) { + $config_array[] = 'offline_mode on' . "\n\n"; + } else { + $config_array[] = 'offline_mode off' . "\n\n"; + } + + if (!isset($memory_replacement) or ($memory_replacement == "")) { + $memory_replacement = "heap GDSF"; + } + $config_array[] = 'memory_replacement_policy ' . $memory_replacement . 
"\n"; + unset($memory_replacement); + + if (!isset($cache_replacement) or ($cache_replacement == "")) { + $cache_replacement="heap GDSF"; + } + $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n"; + unset($cache_replacement); + + if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) { + $config_array[] = 'cache_access_log none' . "\n"; + } else { + $config_array[] = 'cache_access_log /var/log/access.log' . "\n"; + } + $config_array[] = 'cache_log /var/log/cache.log' . "\n"; + $config_array[] = 'cache_store_log none' . "\n"; + unset($accesslog_disabled); + unset($log_enabled); + + if (isset($log_query_terms) && ($log_query_terms == "on")) { + $config_array[] = 'strip_query_terms off' . "\n"; + } else { + $config_array[] = 'strip_query_terms on' . "\n"; + } + unset($log_query_terms); + + $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n"; + unset($log_user_agents); + + $config_array[] = 'log_mime_hdrs off' . "\n"; + $config_array[] = 'emulate_httpd_log on' . "\n"; + + switch ($user_forwarding) { + case "on": + $config_array[] = 'forwarded_for on' . "\n\n"; + break; + case "off": + $config_array[] = 'forwarded_for off' . "\n\n"; + break; + default: + $config_array[] = 'forwarded_for off' . "\n\n"; + break; + } + unset($user_forwarding); + + switch ($auth_method) { + case "none": + break; + case "local_auth": + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . 
"\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "radius_auth"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n"; + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "ldap_bind"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"; + $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth'; + $config_array[] = ' -b "' . $ldap_basedn . '"'; + $config_array[] = ' -D "' . $bind_dn_username . '"'; + $config_array[] = " -w " . $bind_dn_password; + $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"'; + $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port . 
"\n"; + + if (!isset($auth_processes) or ($auth_processes == "")) { + $auth_processes = "5"; + } + $config_array[] = 'auth_param basic children ' . $auth_processes . "\n"; + + if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) { + $auth_realm_prompt = "pfSense Advanced Proxy"; + } + $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n"; + + if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) { + $auth_cache_ttl = "60"; + } + $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n"; + $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n"; + + unset($auth_realm_prompt); + unset($auth_processes); + unset($auth_cache_ttl); + + break; + case "windows_auth"; + break; + } + + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w"); + fwrite($throttle_out, $binary_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl"); + } + unset($throttle_binary_files); + unset($throttle_out); + unset($binary_out); + + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w"); + fwrite($throttle_out, $cd_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_cd.acl")) { + unlink($acldir . 
"/dst_throttle_cd.acl"); + } + } + unset($throttle_cd_images); + unset($throttle_out); + unset($cd_out); + + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n"; + + $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w"); + fwrite($throttle_out, $multimedia_out); + fclose($throttle_out); + $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n"; + } else { + if (file_exists($acldir . "/dst_throttle_multimedia.acl")) { + unlink($acldir . "/dst_throttle_multimedia.acl"); + } + } + unset($throttle_multimedia); + unset($multimedia_out); + unset($throttle_out); + + $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n"; + + /* obtain interface subnet and address for Squid rules */ + $lactive_interface = strtolower($active_interface); + + $lancfg = $config['interfaces'][$lactive_interface]; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n"; + $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n"; + $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n"; + $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 80 # http' . "\n"; + $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n"; + $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n"; + $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n"; + $config_array[] = 'acl Safe_ports port 210 # wais' . "\n"; + $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n"; + $config_array[] = 'acl Safe_ports port 280 # http-mgmt' . 
"\n"; + $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n"; + $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n"; + $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n"; + $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n"; + + /* allow access through proxy for custom admin port */ + $custom_port = $config['system']['webgui']['port']; + if (isset($custom_port) && ($custom_port !== "")) { + $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n"; + unset($custom_port); + } else { + $admin_protocol = $config['system']['webgui']['protocol']; + switch ($admin_protocol) { + case "http"; + $config_array[] = 'acl pf_admin_port port 80' ."\n"; + break; + case "https"; + $config_array[] = 'acl pf_admin_port port 443' . "\n"; + break; + default; + $config_array[] = 'acl pf_admin_port port 80' . "\n"; + break; + } + unset($admin_protocol); + } + + /* define override hosts as specified in squid_nac.xml */ + if (isset($override_hosts) && ($override_hosts !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_override_hosts.acl", "w"); + + $override_hosts_array = split("; ", $override_hosts); + foreach ($override_hosts_array as $ind_override_host) { + fwrite($aclout, $ind_override_host . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n"; + } + /* clear variables */ + unset($override_hosts_array); + unset($ind_override_host); + unset($override_hosts); + + /* define subnets allowed to utilize proxy service */ + if (isset($allowed_subnets) && ($allowed_subnets !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + mwexec("touch {$acldir}/src_subnets.acl"); + } + + $aclout = fopen($acldir . 
"/src_subnets.acl","w"); + + $allowed_subnets_array = split("; ",$allowed_subnets); + foreach ($allowed_subnets_array as $ind_allowed_subnets) { + fwrite($aclout, $ind_allowed_subnets . "\n"); + } + + fclose($aclout); + } else { + + $aclout = fopen($acldir . "/src_subnets.acl","w"); + fwrite($aclout, $lansa . "/" . $lansn . "\n"); + fclose($aclout); + } + + $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n"; + + unset($allowed_subnets_array); + unset($ind_allowed_subnets); + unset($allowed_subnets); + + /* define ip addresses that have 'unrestricted' access */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w"); + + $unrestricted_ip_array = split("; ",$unrestricted_ip_addr); + foreach ($unrestricted_ip_array as $ind_unrestricted_ip) { + fwrite($aclout, $ind_unrestricted_ip . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n"; + } + unset($unrestricted_ip_array); + unset($unrestricted_ip_addr); + unset($ind_unrestricted_ip); + + /* define mac addresses that have 'unrestricted' access */ + if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w"); + + $unrestricted_mac_array = split("; ",$unrestricted_mac_addr); + foreach ($unrestricted_mac_array as $ind_unrestricted_mac) { + fwrite($aclout, $ind_unrestricted_mac . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' . 
"\n"; + } + unset($unrestricted_mac_array); + unset($unrestricted_mac_addr); + unset($ind_unrestricted_mac); + + /* define ip addresses that are banned from using the proxy service */ + if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_banned_ip.acl","w"); + + $banned_ip_array = split("; ",$banned_ip_addr); + foreach ($banned_ip_array as $ind_banned_ip) { + fwrite($aclout, $ind_banned_ip . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n"; + } + unset($banned_ip_array); + unset($banned_ip_addr); + unset($ind_banned_ip); + + /* define mac addresses that are banned from using the proxy service */ + if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) { + if (!file_exists($acldir)) { + mwexec("/bin/mkdir -p " . $acldir); + } + + $aclout = fopen($acldir . "/src_banned_mac.acl","w"); + + $banned_mac_array = split("; ",$banned_mac_addr); + foreach ($banned_mac_array as $ind_banned_mac) { + fwrite($aclout, $ind_banned_mac . "\n"); + } + + fclose($aclout); + + $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n"; + } + unset($banned_mac_array); + unset($banned_mac_addr); + unset($ind_banned_mac); + + $config_array[] = 'acl pf_ips dst ' . $lanip . "\n"; + $config_array[] = 'acl CONNECT method CONNECT' . "\n\n"; + + if (isset($auth_method) && ($auth_method == "none")) { + $config_array[] = 'http_access allow localnet' . "\n"; + } + $config_array[] = 'http_access allow localhost' . "\n"; + + if (isset($override_hosts) && ($override_hosts !== "")) { + $config_array[] = 'http_access allow override_hosts' . "\n"; + } + $config_array[] = "\n"; + + switch ($config['system']['webgui']['protocol']) { + case "http": + $config_array[] = 'http_access allow pf_ips' . "\n"; + $config_array[] = 'http_access allow pf_admin_port' . 
"\n"; + $config_array[] = 'http_access deny !pf_networks' . "\n\n"; + break; + case "https": + $config_array[] = 'http_access allow CONNECT pf_ips' . "\n"; + $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n"; + $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n"; + break; + } + + $config_array[] = 'http_access deny !Safe_ports' . "\n"; + $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n"; + + if (isset($auth_method) && ($auth_method != "none")) { + $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n"; + } + + $config_array[] = 'http_access deny all' . "\n\n"; + + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + + if ($dl_overall == "unlimited") { + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n"; + } else { + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . 
"\n\n"; + } + + if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + + if ($dl_per_host == "unlimited") { + $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n"; + } else { + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n"; + } + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if ($throttle_cd_images == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if ($throttle_multimedia == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n"; + } + + if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) { + /* if no bandwidth restrictions are specified, then these parameters are not necessary */ + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) . 
"\n"; + } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) { + $config_array[] = 'delay_pools 1' . "\n"; + $config_array[] = 'delay_class 1 3' . "\n"; + $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n"; + } + } + + if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") { + + /* if no unrestricted ip addresses are defined; this line is ignored */ + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n"; + + /* this will define bandwidth delay restrictions for specified throttles */ + if ($throttle_binary_files == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n"; + } + if ($throttle_cd_images == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n"; + } + if ($throttle_multimedia == "on") { + $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n"; + } else { + $config_array[] = 'delay_access 1 allow all' . "\n"; + } + $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n"; + } + } + + $config_array[] = 'header_access X-Forwarded-For deny all' . "\n"; + $config_array[] = 'header_access Via deny all' . "\n\n"; + + /* TODO: acl customization for snmp support */ + /* fwrite($fout, "\n"); */ + + if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) { + $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n"; + $config_array[] = 'redirect_children 5' . "\n\n"; + } + + if (isset($max_upload_size) && ($max_upload_size != "")) { + $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n"; + } + + if (isset($max_download_size) && ($max_download_size != "")) { + if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' . 
"\n"; + /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */ + $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n"; + } + + /* set default value for maximum_object_size */ + if (!isset($maximum_object_size) or ($maximum_object_size == "")) { + $maximum_object_size = "4096"; + } + + /* set default value for minimum_object_size */ + if (!isset($minimum_object_size) or ($minimum_object_size == "")) { + $minimum_object_size = "0"; + } + $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n"; + $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n"; + + if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) { + $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n"; + $config_array[] = 'never_direct allow all' . "\n"; + } + unset($proxy_forwarding); + + + /* define default ruleset for transparent proxy operation */ + if (isset($transparent_proxy) && ($transparent_proxy == "on")) { + $config_array[] = 'httpd_accel_host virtual' . "\n"; + $config_array[] = 'httpd_accel_port 80' . "\n"; + $config_array[] = 'httpd_accel_with_proxy on' . "\n"; + $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n"; + } + unset($transparent_proxy); + + + /* define visible hostname */ + if (isset($visible_hostname) && ($visible_hostname !== "")) { + $config_array[] = 'visible_hostname ' . $visible_hostname . "\n"; + } + unset($visible_hostname); + + /* define cache administrators email address within error messages */ + if (isset($cache_admin_email) && ($cache_admin_email !== "")) { + $config_array[] = 'cache_mgr ' . $cache_admin_email . 
"\n\n"; + } + unset($cache_admin_email); + + /* write configuration file */ + foreach ($config_array as $config_item) + { + fwrite($fout, trim($config_item)); + + if (stristr($config_item, "\n")) + { + for ($i = 1; $i < count(explode("\n", $config_item)); $i++) + { + fwrite($fout, "\n"); + } + } + + } + fclose($fout); + + conf_mount_ro(); + config_unlock(); + + touch($squidconfig); +} /* end function write_squid_config */ + +function squid3_custom_php_install_command() { + /* write initial static config for transparent proxy */ + write_static_squid_config(); + + touch("/tmp/squid3_custom_php_install_command"); + + /* make sure this all exists, see: + * https://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 + */ + update_output_window("Setting up Squid environment..."); + mwexec("mkdir -p /var/squid"); + mwexec("chown squid:squid /var/squid"); + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + mwexec("mkdir -p /var/squid/cache"); + mwexec("chown squid:squid /var/squid/cache"); + mwexec("mkdir -p /usr/local/etc/squid/advanced"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced"); + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); + + + /* set a few extra items noted by regan */ + update_output_window("Creating logs and setting user information..."); + $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w"); + fwrite($fdsquid, "#/bin/sh\n"); + fwrite($fdsquid, "# \n"); + fwrite($fdsquid, "# This file was created by the pfSense package system\n"); + 
fwrite($fdsquid, "# Sets up squid option on each bootup that are not persistent\n");
+ fwrite($fdsquid, "# \n\n");
+ fwrite($fdsquid, "chown squid:wheel /dev/pf\n");
+ fwrite($fdsquid, "chmod ug+rw /dev/pf\n");
+ fwrite($fdsquid, "touch /var/log/useragent.log\n");
+ fwrite($fdsquid, "touch /var/log/access.log\n");
+ fwrite($fdsquid, "touch /var/log/cache.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n");
+ fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n");
+ fwrite($fdsquid, "\n");
+ fclose($fdsquid);
+ mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh");
+ mwexec("/usr/local/etc/rc.d/aSquid.sh");
+
+ update_output_window("Creating Proxy Server initialization scripts...");
+ $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty";
+ $stop = "/usr/local/sbin/squid -k shutdown";
+ write_rcfile(array(
+ "file" => "squid.sh",
+ "start" => $start,
+ "stop" => $stop
+ )
+ );
+
+ mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
+
+ /* create log directory hierarchies if they don't exist */
+ update_output_window("Creating required directory hierarchies...");
+
+ if (!file_exists("/var/squid/logs")) {
+ mwexec("mkdir -p /var/squid/logs");
+ }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
+
+
+ if (!file_exists("/var/squid/cache")) {
+ mwexec("mkdir -p /var/squid/cache");
+ }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
+ mwexec("mkdir -p
/usr/local/etc/squid/advanced/ntlm");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
+
+ if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
+ mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
+ }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
+
+ $devfs_file = fopen("/etc/devfs.conf", "a");
+ fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. ");
+ fwrite($devfs_file, "own pf root:squid");
+ fwrite($devfs_file, "perm pf 0640");
+ fclose($devfs_file);
+
+ update_output_window("Initializing Cache... This may take a moment...");
+ mwexec("/usr/local/sbin/squid -z");
+
+ update_output_window("Starting Proxy Server...");
+ start_service("squid");
+}
+
+function squid3_custom_php_deinstall_command() {
+ update_output_window("Stopping proxy service...");
+ stop_service("squid");
+ sleep(1);
+ /* brute force any remaining squid processes out */
+ mwexec("/usr/bin/killall squid");
+ mwexec("/usr/bin/killall pinger");
+ update_output_window("Recursively removing directories hierarchies.
If existant, log files in /var/squid/logs will remain...");
+ mwexec("rm -rf /var/squid/cache");
+ update_output_window("Removing configuration files...");
+ unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
+ unlink_if_exists("/usr/local/libexec/squid");
+ unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh");
+ mwexec("rm -f /usr/local/etc/rc.d/squid*");
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ filter_configure();
+}
+
+function write_static_squid_config() {
+ touch("/tmp/write_static_squid_config");
+ global $config;
+ $lancfg = $config['interfaces']['lan'];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $fout = fopen("/usr/local/etc/squid/squid.conf","w");
+ fwrite($fout, "#\n");
+ fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
+ fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
+ fwrite($fout, "#\n");
+
+ /* set # of dns children */
+ fwrite($fout, "dns_children 15\n");
+
+ fwrite($fout, "shutdown_lifetime 5 seconds\n");
+ fwrite($fout, "icp_port 0\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
+ fwrite($fout, "no_cache deny QUERY\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "pid_filename /var/run/squid.pid\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_mem 24 MB\n");
+ fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "memory_replacement_policy heap GDSF\n");
+ fwrite($fout, "cache_replacement_policy heap GDSF\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_access_log none\n");
+ fwrite($fout, "cache_log none\n");
+ fwrite($fout, "cache_store_log none\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "log_mime_hdrs off\n");
+ fwrite($fout, "emulate_httpd_log on\n");
+ fwrite($fout, "forwarded_for off\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
+ fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
+ fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
+ fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
+ fwrite($fout, "acl Safe_ports port 80 # http\n");
+ fwrite($fout, "acl Safe_ports port 21 # ftp\n");
+ fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
+ fwrite($fout, "acl Safe_ports port 70 # gopher\n");
+ fwrite($fout, "acl Safe_ports port 210 # wais\n");
+ fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
+ fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
+ fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
+ fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
+ fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
+ fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "acl CONNECT method CONNECT\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#access to squid; local machine; no restrictions\n");
+ fwrite($fout, "http_access allow localnet\n");
+ fwrite($fout, "http_access allow localhost\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#Deny non web services\n");
+ fwrite($fout, "http_access deny !Safe_ports\n");
+ fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "#Set custom configured ACLs\n");
+ fwrite($fout, "http_access deny all\n");
+ fwrite($fout, "visible_hostname pfSense\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "cache_effective_user squid\n");
+ fwrite($fout, "cache_effective_group squid\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout, "maximum_object_size 4096 KB\n");
+ fwrite($fout, "minimum_object_size 0 KB\n");
+ fwrite($fout, "\n");
+
+ fwrite($fout,
"request_body_max_size 0 KB\n"); + fwrite($fout, "reply_body_max_size 0 allow all\n"); + fwrite($fout, "\n"); + + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + + fclose($fout); +} + +function mod_htpasswd() { + global $config; + conf_mount_rw(); + config_lock(); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + + $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); + + if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { + foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { + $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); + fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); + } + } + + fclose($passfile); + + conf_mount_ro(); + config_unlock(); +} + +function generate_htpasswd($username, $password) { + $all = explode( " ", + "a b c d e f g h i j k l m n o p q r s t u v w x y z " + . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " + . "0 1 2 3 4 5 6 7 8 9"); + + for ($i = 0; $i < 9; $i++) { + srand((double)microtime()*1000000); + $randy = rand(0,61); + $seed .= $all[$randy]; + } + + $crypt = crypt($password, "$1$$seed"); + return $crypt; +} + +?> diff --git a/config/squid3/34/squid_ng.xml b/config/squid3/34/squid_ng.xml new file mode 100755 index 00000000..b96b4eb2 --- /dev/null +++ b/config/squid3/34/squid_ng.xml 
@@ -0,0 +1,267 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squid + 2.5.12_4 + Services: Proxy Server + Security + /pkg_edit.php?xml=squid_ng.xml&id=0 + /usr/local/pkg/squid_ng.inc + + Squid + Modify settings for Proxy Server +
Services
+ /pkg_edit.php?xml=squid_ng.xml&id=0 +
+ + Squid stats + Show Squid statistics +
Services
+ /cachemgr.cgi +
+ + squid + squid.sh + + + + General Settings + /pkg_edit.php?xml=squid.xml&id=0 + + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Network Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Auth + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Extended Auth + /pkg_edit.php?xml=squid_extauth.xml&id=0 + + + installedpackages->package->squidng->configuration->settings + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_cache.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_nac.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_ng.inc + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_traffic.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_upstream.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_auth.xml + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_auth.inc + + + /usr/local/pkg/ + 0755 + https://packages.pfsense.org/packages/config/squid/squid_extauth.xml + + + + Proxy Listening Interface + active_interface + This defines the active listening interface to which the proxy server will listen for its requests. + interfaces_selection + + + Transparent Proxy + transparent_proxy + If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary. + checkbox + + + URL Filtering Enabled + urlfilter_enable + This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. 
This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering + checkbox + + + Disable Access Log + accesslog_disabled + Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable. + checkbox + + + Log Query Terms + log_query_terms + This will log the complete URL rather than the part of the URL containing dynamic queries. + checkbox + + + Log User Agents + log_user_agents + This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes. + checkbox + + + Proxy Port + proxy_port + This is the port the Proxy Server will listen for client requests on. The default is 3128. + input + 4 + true + + + ICP Port + icp_port + This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled. + input + 4 + + + Visible Hostname + visible_hostname + This URL is displayed on the Proxy Server error messages. + input + 35 + + + Cache Administrator E-Mail + cache_admin_email + This E-Mail address is displayed on the Proxy Server error messages. + input + 35 + + + Error Messages Language + error_language + Select the language in which the Proxy Server shall display error messages to users. + select + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Enable cachemgr + cachemgr_enabled + Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. <b>Note:</b> This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid. 
+ checkbox + + + + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + + + squid3_custom_php_install_command(); + write_static_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + + + squid3_custom_php_deinstall_command(); + stop_service("squid"); + +
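Review bot: The additional-files entries (the `/usr/local/pkg/` / `0755` / URL triples) fetch squid_cache.xml, squid_nac.xml, squid_ng.inc, squid_traffic.xml, squid_upstream.xml, squid_auth.xml, squid_auth.inc and squid_extauth.xml from `https://packages.pfsense.org/packages/config/squid/...`, the older squid package tree, while this commit adds the 3.4 versions under `config/squid3/34/`; if the installer pulls these URLs, a fresh install would run the old package's code next to the new files. Each item should point at the new tree, e.g. `https://packages.pfsense.org/packages/config/squid3/34/squid_ng.inc`, and the `2.5.12_4` version string appears to be carried over from the old package as well. Separately, the cachemgr help text reads "it only required for shutting down Squid"; suggest `it is only required for shutting down Squid`, keeping the preceding sentence that the stats page is not secured by pfSense, since that is the caveat an administrator enabling it needs to see.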
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc
new file mode 100755
index 00000000..3f216296
--- /dev/null
+++ b/config/squid3/34/squid_reverse.inc
@@ -0,0 +1,245 @@
+ $iface) {
+ $real_ifaces[] = squid_get_real_interface_address($iface);
+ if($real_ifaces[$i][0]) {
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
+ }
+
+ if(!empty($settings['reverse_ip'])) {
+ $reverse_ip = explode(";", ($settings['reverse_ip']));
+ foreach ($reverse_ip as $reip) {
+ //HTTP
+ if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on'))
+ $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']))
+ $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n";
+ }
+ }
+
+ //PEERS
+ if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])))
+
+ if(!empty($settings['reverse_owa_ip'])) {
+ $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip']));
+ $casnr = 0;
+ foreach ($reverse_owa_ip as $reowaip) {
+ $casnr++;
+ $conf .= "cache_peer {$reowaip} parent 443 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on ssl sslflags=DONT_VERIFY_PEER front-end-https=on name=OWA_HOST_443_{$casnr}_pfs\n";
+ $conf .= "cache_peer {$reowaip} parent 80 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on name=OWA_HOST_80_{$casnr}_pfs\n";
+ }
+ }
+
+ $active_peers=array();
+ if (is_array($reverse_peers))
+ foreach ($reverse_peers as $rp){
+ if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !=""){
+ $conf_peer = "#{$rp['description']}\n";
+ $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest 
originserver login=PASSTHRU connection-auth=on round-robin ";
+ if($rp['protocol'] == 'HTTPS')
+ $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto ";
+ $conf_peer .= "name=rvp_{$rp['name']}\n\n";
+
+ // add peer only if reverse proxy is enabled for http
+ if($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on"){
+ $conf .= $conf_peer;
+ array_push($active_peers,$rp['name']);
+ }
+ // add peer only if if reverse proxy is enabled for https
+ if($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on"){
+ if (!in_array($rp['name'],$active_peers)){
+ $conf .= $conf_peer;
+ array_push($active_peers,$rp['name']);
+ }
+ }
+ }
+ }
+
+ //REDIRECTS
+ if (is_array($reverse_redir)) {
+ foreach ($reverse_redir as $rdr) {
+ if($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") {
+ $conf_rdr = "# Redirect: {$rdr['description']}\n";
+
+ if (is_array($rdr['row'])) {
+ foreach ($rdr['row'] as $uri) {
+ $conf_rdr .= "acl rdr_dst_{$rdr['name']} dstdomain {$uri['uri']}\n";
+ }
+ }
+
+ $conf_rdr .= "acl rdr_path_{$rdr['name']} urlpath_regex {$rdr['pathregex']}\n";
+ $conf_rdr .= "deny_info {$rdr['redirurl']} rdr_path_{$rdr['name']}\n";
+
+ foreach (explode(',', $rdr['protocol']) as $rdr_protocol) {
+ if($rdr_protocol == "HTTP") {
+ $conf_rdr .= "http_access deny HTTP rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
+ }
+
+ if($rdr_protocol == "HTTPS") {
+ $conf_rdr .= "http_access deny HTTPS rdr_dst_{$rdr['name']} rdr_path_{$rdr['name']}\n";
+ }
+ }
+
+ $conf_rdr .= "\n";
+ }
+
+ $conf .= $conf_rdr;
+ }
+ }
+
+ //ACLS and MAPPINGS
+
+ //create an empty owa_dirs to populate based on user selected options
+ $owa_dirs=array();
+ if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on"){
+ if(!empty($settings['reverse_owa_ip'])){
+ array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB');
+ if($settings['reverse_owa_activesync'])
+ 
array_push($owa_dirs,'Microsoft-Server-ActiveSync');
+ if($settings['reverse_owa_rpchttp'])
+ array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll');
+ if($settings['reverse_owa_mapihttp'])
+ array_push($owa_dirs,'mapi');
+ if($settings['reverse_owa_webservice']){
+ array_push($owa_dirs,'EWS');
+ }
+ }
+ if (is_array($owa_dirs))
+ foreach ($owa_dirs as $owa_dir)
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n";
+
+ if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) {
+ $reverse_external_domain = strstr($settings['reverse_external_fqdn'], '.');
+ $conf .= "acl OWA_URI_pfs url_regex -i ^http://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n";
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/AutoDiscover/AutoDiscover.xml\n";
+ $conf .= "acl OWA_URI_pfs url_regex -i ^http://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
+ $conf .= "acl OWA_URI_pfs url_regex -i ^https://autodiscover{$reverse_external_domain}/AutoDiscover/AutoDiscover.xml\n";
+ }
+ }
+ //$conf .= "ssl_unclean_shutdown on";
+ if (is_array($reverse_maps))
+ foreach ($reverse_maps as $rm){
+ if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!=""){
+ if (is_array($rm['row']))
+ foreach ($rm['row'] as $uri){
+ $url_regex=($uri['uri'] == '' ? 
$settings['reverse_external_fqdn'] : $uri['uri'] );
+ //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n";
+ $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n";
+ if($rm['name'] != $last_rm_name){
+ $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n";
+ $http_access_conf .= "http_access allow rvm_{$rm['name']}\n";
+ foreach (explode(',',$rm['peers']) as $map_peer)
+ if (in_array($map_peer,$active_peers)){
+ $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n";
+ $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n";
+ }
+ $last_rm_name=$rm['name'];
+ }
+ }
+ }
+ }
+
+ //ACCESS
+ if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") {
+
+ for($cascnt=1;$cascnt<$casnr+1;$cascnt++)
+ {
+ $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n";
+ $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n";
+ $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n";
+ $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs deny allsrc\n";
+ }
+
+ $conf .= "never_direct allow OWA_URI_pfs\n";
+ $conf .= "http_access allow OWA_URI_pfs\n";
+ }
+
+ $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n";
+
+ if (!empty($settings['deny_info_tcp_reset']))
+ $conf .= "deny_info TCP_RESET allsrc\n";
+
+ return $conf;
+}
+?>
diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.xml
new file mode 100755
index 00000000..40fb0ec1
--- /dev/null
+++ b/config/squid3/34/squid_reverse.xml
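Review bot: `$conf .= $conf_rdr;` in the REDIRECTS loop is placed after the closing brace of `if($rdr['enable'] == "on" && ...)` rather than inside it, so a disabled or incomplete redirect entry re-appends the previous entry's block (duplicate acl/deny_info/http_access lines) or, on the first iteration, reads an undefined `$conf_rdr`; move that line inside the `if` block or reset `$conf_rdr = '';` at the top of each iteration. Every HTTPS `cache_peer` emitted here (the `OWA_HOST_443_*` peers and the `rvp_*` peers with protocol HTTPS) hard-codes `sslflags=DONT_VERIFY_PEER`, so the origin certificate is never verified and the `reverse_ignore_ssl_valid` checkbox the forms expose has no effect; emit the flag only when that setting is on, e.g. `$sslflags = !empty($settings['reverse_ignore_ssl_valid']) ? ' sslflags=DONT_VERIFY_PEER' : '';` and append `{$sslflags}` after `ssl` on each of those lines. The operator-supplied values interpolated into directives (`reverse_ip`, `reverse_owa_ip`, `$rp['ip']`, `$rp['port']`, `$rdr['pathregex']`, `$rdr['redirurl']`, `$uri['uri']`) reach squid.conf verbatim, so unless `squid_validate_reverse()` (not in this hunk) rejects whitespace and newlines in them a single field can inject arbitrary directives. The function this code belongs to, and the `foreach` whose body begins at the first visible line, start before the text visible in this hunk.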
@@ -0,0 +1,365 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidreverse + none + Proxy server: Reverse Proxy + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Squid Reverse proxy General Settings + listtopic + + + Reverse Proxy interface + reverse_interface + The interface(s) the reverse-proxy server will bind to. + interfaces_selection + + wan + + + + User-defined reverse-proxy IPs + reverse_ip + Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;). + input + 70 + + + external FQDN + reverse_external_fqdn + The external full-qualified-domain-name of the WAN address. + input + + 70 + + + Reset TCP connections if request is unauthorized + deny_info_tcp_reset + If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized. + checkbox + on + + + Squid Reverse HTTP Settings + listtopic + + + Enable HTTP reverse mode + reverse_http + If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address") + checkbox + reverse_http_port,reverse_http_defsite + + off + + + reverse HTTP port + reverse_http_port + This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80) + input + 5 + 80 + + + reverse HTTP default site + reverse_http_defsite + This is the HTTP reverse default site. 
(leave empty to use the external fqdn) + input + 60 + + + Squid Reverse HTTPS Settings + listtopic + + + Enable HTTPS reverse proxy + reverse_https + If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address") + checkbox + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain + + off + + + reverse HTTPS port + reverse_https_port + This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443) + input + 5 + 443 + + + reverse HTTPS default site + reverse_https_defsite + This is the HTTPS reverse default site. (leave empty to use the external fqdn) + input + 60 + + + reverse SSL certificate + reverse_ssl_cert + Choose the SSL Server Certificate here. + select_source + + descr + refid + + + intermediate CA certificate (if needed) + reverse_int_ca + Paste a signed certificate in X.509 PEM format here. + textarea + 50 + 5 + base64 + + + Ignore internal Certificate validation + reverse_ignore_ssl_valid + If this field is checked, internal certificate validation will be ignored. + checkbox + on + + + Enable OWA reverse proxy + reverse_owa + If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App. + checkbox + reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover + + + CAS-Array / OWA frontend IP address + reverse_owa_ip + These are the internal IPs of the CAS-Array (OWA frontend servers). Separate by semi-colons (;). + input + 70 + + + Enable ActiveSync + reverse_owa_activesync + If this field is checked, ActiveSync will be enabled. + checkbox + + + Enable Outlook Anywhere + reverse_owa_rpchttp + If this field is checked, RPC over HTTP will be enabled. 
+ checkbox + + + Enable MAPI HTTP + reverse_owa_mapihttp + + This feature is only available with at least Exchange 2013 SP1]]> + checkbox + + + Enable Exchange WebServices + reverse_owa_webservice + + There are potential DoS side effects to its use, please avoid unless you must.]]> + checkbox + + + Enable AutoDiscover + reverse_owa_autodiscover + + You also should set up the autodiscover DNS-record to point to you WAN-IP.]]> + checkbox + + + Squid Reverse Mappings + listtopic + + + <b>peer definitions</b> <br>publishing hosts + reverse_cache_peer + + syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS]
+ example: HOST1;192.168.0.1;80;HTTP
+ WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING]]>
+ textarea + 60 + 10 + base64 +
+ + <b>URI definitions</b> <br>published URIs + reverse_uri + + syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn])
+ (a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://)
+ example: URI1;public;server.pfsense.org.
+ WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING]]>
+ textarea + 60 + 10 + base64 +
+ + <b>ACL definitions</b> <br>published URIs + reverse_acl + + syntax: [peer alias];[uri group alias]
example: HOST1;URI1
+ WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING]]>
+ textarea + 60 + 10 + base64 +
+ + + +
+ + squid_before_form_general($pkg); + + + squid_validate_reverse($_POST, $input_errors); + + + squid_resync(); + +
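Review bot: This form duplicates every `reverse_*` field of squid_reverse_general.xml (the next hunk) and adds the three legacy free-form textareas (`reverse_cache_peer`, `reverse_uri`, `reverse_acl`) whose help text warns that a syntax slip `WILL RESULT IN SQUID NOT STARTING`, but the generator in squid_reverse.inc reads only the structured `$reverse_peers`, `$reverse_maps` and `$reverse_redir` lists, so those textareas appear to be dead input. If they are really unused, drop this file (or at least its `Reverse` menu entry) so two pages do not write the same settings; if they are still parsed somewhere not shown, document that here instead of the `Describe your package here` placeholder. The HTTPS `enablefields` list also names `reverse_ssl_chain`, which no field in this form defines.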
diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml new file mode 100755 index 00000000..3317ae18 --- /dev/null +++ b/config/squid3/34/squid_reverse_general.xml 
@@ -0,0 +1,257 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidreversegeneral + none + Reverse Proxy server: General + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid_reverse_general.xml&id=0 + + + + Web Servers + /pkg.php?xml=squid_reverse_peer.xml + + + Mappings + /pkg.php?xml=squid_reverse_uri.xml + + + Redirects + /pkg.php?xml=squid_reverse_redir.xml + + + Real time + /squid_monitor.php?menu=reverse + + + Sync + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 + + + + + Squid Reverse proxy General Settings + listtopic + + + Reverse Proxy interface + reverse_interface + The interface(s) the reverse-proxy server will bind to. + interfaces_selection + + wan + + + + User-defined reverse-proxy IPs + reverse_ip + Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;). + input + 70 + + + external FQDN + reverse_external_fqdn + The external full-qualified-domain-name of the WAN address. + input + + 70 + + + Reset TCP connections if request is unauthorized + deny_info_tcp_reset + If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized. + checkbox + on + + + Squid Reverse HTTP Settings + listtopic + + + Enable HTTP reverse mode + reverse_http + If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address") + checkbox + reverse_http_port,reverse_http_defsite + + off + + + reverse HTTP port + reverse_http_port + This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80) + input + 5 + 80 + + + reverse HTTP default site + reverse_http_defsite + This is the HTTP reverse default site. (leave empty to use the external fqdn) + input + 60 + + + Squid Reverse HTTPS Settings + listtopic + + + Enable HTTPS reverse proxy + reverse_https + If this field is checked, the proxy-server will act in HTTPS reverse mode. 
<br>(You have to add a rule with destination "WAN-address") + checkbox + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain + + off + + + reverse HTTPS port + reverse_https_port + This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443) + input + 5 + 443 + + + reverse HTTPS default site + reverse_https_defsite + This is the HTTPS reverse default site. (leave empty to use the external fqdn) + input + 60 + + + reverse SSL certificate + reverse_ssl_cert + Choose the SSL Server Certificate here. + select_source + + descr + refid + + + intermediate CA certificate (if needed) + reverse_int_ca + Paste a signed certificate in X.509 PEM format here. + textarea + 50 + 5 + base64 + + + Ignore internal Certificate validation + reverse_ignore_ssl_valid + If this field is checked, internal certificate validation will be ignored. + checkbox + on + + + OWA Reverse proxy General Settings + listtopic + + + Enable OWA reverse proxy + reverse_owa + If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App. + checkbox + reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover + + + CAS-Array / OWA frontend IP address + reverse_owa_ip + These are the internal IPs of the CAS-Array (OWA frontend servers). Separate by semi-colons (;). + input + 70 + + + Enable ActiveSync + reverse_owa_activesync + If this field is checked, ActiveSync will be enabled. + checkbox + + + Enable Outlook Anywhere + reverse_owa_rpchttp + If this field is checked, RPC over HTTP will be enabled. 
+ checkbox + + + Enable MAPI HTTP + reverse_owa_mapihttp + + This feature is only available with at least Exchange 2013 SP1]]> + checkbox + + + Enable Exchange WebServices + reverse_owa_webservice + + There are potential DoS side effects to its use, please avoid unless you must.]]> + checkbox + + + Enable AutoDiscover + reverse_owa_autodiscover + + You also should set up the autodiscover DNS-record to point to you WAN-IP.]]> + checkbox + + + + squid_before_form_general($pkg); + + + squid_validate_reverse($_POST, $input_errors); + + + squid_resync(); + + diff --git a/config/squid3/34/squid_reverse_peer.xml b/config/squid3/34/squid_reverse_peer.xml new file mode 100755 index 00000000..eabc72ff --- /dev/null +++ b/config/squid3/34/squid_reverse_peer.xml 
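Review bot: `Ignore internal Certificate validation` (`reverse_ignore_ssl_valid`) defaults to `on` and its description does not say what is being given up, while squid_reverse.inc in this same commit emits `sslflags=DONT_VERIFY_PEER` on every HTTPS `cache_peer` regardless of the setting, so the backend's TLS certificate is never checked and the checkbox is currently a no-op. Default it to off, have the generator honour it, and reword the description to `If checked, Squid will not verify the TLS certificate presented by the internal web servers / CAS array, so the proxy-to-origin leg can be intercepted; leave unchecked unless the origin uses a self-signed or otherwise untrusted certificate.` The HTTPS `enablefields` list names `reverse_ssl_chain`, which no field in this form defines, and the `description`/`requirements` elements still carry the `Describe your package here` placeholders.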
@@ -0,0 +1,167 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidreversepeer + none + Reverse Proxy server: Peers + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid_reverse_general.xml&id=0 + + + Web Servers + /pkg.php?xml=squid_reverse_peer.xml + + + + Mappings + /pkg.php?xml=squid_reverse_uri.xml + + + Redirects + /pkg.php?xml=squid_reverse_redir.xml + + + Real time + /squid_monitor.php?menu=reverse + + + Sync + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 + + + + + Status + enable + + + Alias + name + + + Ip address + ip + + + Port + port + + + Protocol + Protocol + + + Description + description + + + + + Squid Reverse Peer Mappings + listtopic + + + Enable this peer + enable + If this field is checked, then this peer will be available for reverse config. + checkbox + + + Peer Alias + name + + example: HOST1]]> + input + 20 + + + Peer IP + ip + + example: 192.168.0.1]]> + input + 20 + + + Peer Port + port + + example: 80]]> + input + 20 + + + Peer Protocol + protocol + + select + + + + + + + Peer Description + description + + input + 60 + + + + squid_before_form_general($pkg); + + + squid_validate_reverse($_POST, $input_errors); + + + squid_resync(); + + diff --git a/config/squid3/34/squid_reverse_redir.xml b/config/squid3/34/squid_reverse_redir.xml new file mode 100755 index 00000000..de25f56a --- /dev/null +++ b/config/squid3/34/squid_reverse_redir.xml 
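Review bot: The list-view column for the peer protocol uses `Protocol` (capital P) as its fieldname while the form field is `protocol`; config keys are case-sensitive, so the Web Servers list will render an empty Protocol column — change that columnitem's fieldname to `protocol`. This page does route through `squid_validate_reverse($_POST, $input_errors)`, and since squid_reverse.inc splices `ip` and `port` directly into a `cache_peer` line it is worth confirming that helper restricts `ip` to an IP address or hostname and `port` to a number for this form as well, because a stray space would inject extra cache_peer options. The `name` value becomes part of the `rvp_NAME` peer identifier referenced by `cache_peer_access`, so it should be limited to `[A-Za-z0-9_-]` too.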
@@ -0,0 +1,182 @@ + + + + + + . + All rights reserved. + */ +/* ============================================================================ */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ============================================================================ */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidreverseredir + none + Reverse Proxy server: Redirects + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid_reverse_general.xml&id=0 + + + Web Servers + /pkg.php?xml=squid_reverse_peer.xml + + + Mappings + /pkg.php?xml=squid_reverse_uri.xml + + + Redirects + /pkg.php?xml=squid_reverse_redir.xml + + + + Real time + /squid_monitor.php?menu=reverse + + + Sync + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 + + + + + Status + enable + + + Redirect Name + name + + + Redirect to + redirurl + + + Description + description + + + + + Squid Redirect Mappings + listtopic + + + Enable this redirect + enable + + checkbox + + + Redirect name + name + + example: REDIR1]]> + input + 20 + + + Redirect Description + description + + input + 60 + + + Redirect Protocol + protocol + + Use CTRL + click to select multiple]]> + select + + 03 + + + + + + + Blocked domains + none + Domains to redirect for + rowhelper + + + Domains to match


+ Samples: mydomain.com sub.mydomain.com www.mydomain.com

+ Do not enter http:// or https:// here! only the hostname is required.]]> + uri + input + 60 + + + + + Path regex + pathregex +
]]> + Enter ^/$ to match the domain only.
+ input + 60 +
+ + URL to redirect to + redirurl + + input + 60 + + + + + + + + + squid_resync(); + + \ No newline at end of file diff --git a/config/squid3/34/squid_reverse_sync.xml b/config/squid3/34/squid_reverse_sync.xml new file mode 100755 index 00000000..0dc816cb --- /dev/null +++ b/config/squid3/34/squid_reverse_sync.xml @@ -0,0 +1,135 @@ + + + + + + + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squidsync + 1.0 + Reverse Proxy server: XMLRPC Sync + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid_reverse_general.xml&id=0 + + + Web Servers + /pkg.php?xml=squid_reverse_peer.xml + + + Mappings + /pkg.php?xml=squid_reverse_uri.xml + + + Redirects + /pkg.php?xml=squid_reverse_redir.xml + + + Real time + /squid_monitor.php?menu=reverse + + + Sync + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 + + + + + + XMLRPC Sync + listtopic + + + Automatically sync squid configuration changes + synconchanges + Select a sync method for squid. + select + + auto + + + + + + + + Sync timeout + synctimeout + Select sync max wait time + select + + 250 + + + + + + + + + + Remote Server + none + rowhelper + + + IP Address + ipaddress + IP Address of remote server + input + 20 + + + Password + password + Password for remote server. + password + 20 + + + + + + + + squid_resync(); + + diff --git a/config/squid3/34/squid_reverse_uri.xml b/config/squid3/34/squid_reverse_uri.xml new file mode 100755 index 00000000..9a6f183f --- /dev/null +++ b/config/squid3/34/squid_reverse_uri.xml 
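Review bot: This form ships only a `squid_resync()` resync hook and no `custom_php_validation_command`, yet squid_reverse.inc writes `pathregex`, `redirurl` and each row's `uri` verbatim into `acl ... urlpath_regex`, `deny_info` and `acl ... dstdomain` lines, so a value containing whitespace or a newline corrupts squid.conf or injects extra directives, and a malformed regex stops Squid from starting. Add a `custom_php_validation_command` that calls `squid_validate_reverse($_POST, $input_errors);` like the peer and general forms, and have it require `redirurl` to be an absolute `http(s)://` URL without whitespace, `pathregex` to compile, and each domain row to be a bare hostname. Because a `deny_info` whose target is a URL makes Squid answer with an HTTP redirect, the `redirurl` help text should say that matching clients are sent a 302 to this address.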
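Review bot: This file and squid_sync.xml (the hunk that follows squid_reverse_uri.xml) both declare the package name `squidsync`, and pfSense package forms normally keep their settings under that name, so the reverse-proxy Sync page and the forward-proxy Sync page would presumably read and write the same `synconchanges`, `synctimeout` and remote-server rows; if that sharing is not intended, give this form its own name such as `squidreversesync`. The remote-server `password` field should state that it is the remote admin password and, if it is stored in the configuration as entered (worth confirming), say so, so the operator knows what is being persisted.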
@@ -0,0 +1,159 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidreverseuri + none + Reverse Proxy server: Mappings + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid_reverse_general.xml&id=0 + + + Web Servers + /pkg.php?xml=squid_reverse_peer.xml + + + Mappings + /pkg.php?xml=squid_reverse_uri.xml + + + + Redirects + /pkg.php?xml=squid_reverse_redir.xml + + + Real time + /squid_monitor.php?menu=reverse + + + Sync + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 + + + + + Status + enable + + + Group Name + name + + + Peers + peers + + + Description + description + + + + + Squid Reverse Peer Mappings + listtopic + + + Enable this URI + enable + + checkbox + + + Group name + name + + example: URI1]]> + input + 20 + + + Group Description + description + + input + 60 + + + Peers + peers + + Use CTRL + click to select.]]> + select_source + + name + name + + 05 + + + + none + + rowhelper + + + Url regex to match


+ Samples: .mydomain.com .mydomain.com/test
+ www.mydomain.com http://www.mydomain.com/ ^http://www.mydomain.com/.*$]]> + uri + input + 70 + + + + + + + + + + squid_resync(); + + \ No newline at end of file diff --git a/config/squid3/34/squid_sync.xml b/config/squid3/34/squid_sync.xml new file mode 100755 index 00000000..7e632eab --- /dev/null +++ b/config/squid3/34/squid_sync.xml @@ -0,0 +1,151 @@ + + + + + + + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squidsync + 1.0 + Proxy server: XMLRPC Sync + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + + XMLRPC Sync + listtopic + + + Automatically sync squid configuration changes + synconchanges + Select a sync method for squid. + select + + auto + + + + + + + + Sync timeout + synctimeout + Select sync max wait time + select + + 250 + + + + + + + + + + Remote Server + none + rowhelper + + + IP Address + ipaddress + IP Address of remote server + input + 20 + + + Password + password + Password for remote server. + password + 20 + + + + + + + + squid_resync(); + + diff --git a/config/squid3/34/squid_traffic.xml b/config/squid3/34/squid_traffic.xml new file mode 100755 index 00000000..3439d598 --- /dev/null +++ b/config/squid3/34/squid_traffic.xml 
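Review bot: The `uri` rows are emitted by squid_reverse.inc as `acl rvm_NAME url_regex -i VALUE` and then used for `http_access allow` and `cache_peer_access allow`, but the samples shown here (`.mydomain.com`, `www.mydomain.com`) are unanchored with unescaped dots, so any request whose full URL merely contains that text — including one with an attacker-chosen Host header or a matching query string — is accepted and forwarded to the mapped peers. Lead with the anchored example and say why: `Patterns are unanchored regular expressions matched against the full URL; anchor them and escape dots, e.g. ^https?://www\.mydomain\.com/ — otherwise any URL containing the text will be proxied to the selected peers.` As with the redirects form there is no `custom_php_validation_command` here; a `squid_validate_reverse($_POST, $input_errors);` hook should at least reject whitespace in `uri` and verify the regex compiles, since the value is written into squid.conf verbatim.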
@@ -0,0 +1,208 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidtraffic + none + Proxy server: Traffic management + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Squid Traffic Managment Settings + listtopic + + + Maximum download size + max_download_size + Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable. + input + 10 + + 0 + + + Maximum upload size + max_upload_size + Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable. + input + 10 + + 0 + + + Overall bandwidth throttling + overall_throttling + This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling. + input + 10 + + 0 + + + Per-host throttling + perhost_throttling + This value specifies the download throttling per host. Set to 0 to disable this. + input + 10 + + 0 + + + Squid Transfer Extension Settings + listtopic + + + Throttle only specific extensions + throttle_specific + Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled. + checkbox + throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others + on + + + Throttle binary files + throttle_binaries + Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables. 
+ checkbox + + + Throttle CD images + throttle_cdimages + Check this to apply bandwidth throttle to CD image files. + checkbox + + + Throttle multimedia files + throttle_multimedia + Check this to apply bandwidth throttle to multimedia files, such as movies or songs. + checkbox + + + Throttle other extensions + throttle_others + Comma-separated list of extensions to apply bandwidth throttle to. + input + 60 + + + Squid Transfer Quick Abort Settings + listtopic + + + Finish transfer if less than x KB remaining + quick_abort_min + If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately. + input + 10 + 0 + + + Abort transfer if more than x KB remaining + quick_abort_max + If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately. + input + 0 + + + Finish transfer if more than x % finished + quick_abort_pct + If more than x % of the transfer has completed, it will finish the retrieval. + input + 10 + 0 + + + + squid_validate_traffic($_POST, $input_errors); + + + squid_resync(); + + diff --git a/config/squid3/34/squid_upstream.xml b/config/squid3/34/squid_upstream.xml new file mode 100755 index 00000000..b8696750 --- /dev/null +++ b/config/squid3/34/squid_upstream.xml 
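Review bot: In the squid_traffic.xml hunk the `quick_abort_max` field appears to carry only `0` after `input`, while its siblings `quick_abort_min` and `quick_abort_pct` carry a size of `10` followed by a default of `0`; if the collapsed hunk is read correctly, the size element is missing and `0` is being taken as the width rather than the default, which is worth checking against the other two. The `throttle_others` description, `Comma-separated list of extensions to apply bandwidth throttle to.`, should also state what an entry may contain (for instance `letters and digits only, no leading dot`), since these values are presumably folded into Squid ACL patterns by the resync code outside this hunk and `squid_validate_traffic()` is not visible here to confirm that it checks them. Finally the list topic reads `Squid Traffic Managment Settings`; `Management` is the intended spelling.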
@@ -0,0 +1,361 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code MUST retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidremote + none + Proxy server: Remote proxy settings + /usr/local/pkg/squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Status + enable + + + name + proxyaddr + + + Port + proxyport + + + ICP + icpport + + + Peer type + hierarchy + + + Method + peermethod + + + + + + General Settings + listtopic + + + Enable + enable + This option enables the proxy server to forward requests to an upstream/neighbor server. + checkbox + + + + Hostname + proxyaddr + Enter here the IP address or host name of the upstream proxy. + input + 35 + + + + Name + proxyname + Unique name for the peer.Required if you have multiple peers on the same host but different ports. + input + 35 + + + + TCP port + proxyport + Enter the port to use to connect to the upstream proxy. + input + 5 + 3128 + + + + Timeout + connecttimeout + A peer-specific connect timeout. Also see the peer_connect_timeout directive. + input + 5 + + + Fail Limit + connectfailLimit + How many times connecting to a peer must fail before it is marked as down. Default is 10. + input + 5 + 10 + + + Max + maxconn + Limit the amount of connections Squid may open to this peer. + input + 5 + + + Allow Miss + allowmiss + allow-miss - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.

+ no-tproxy - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.

+ proxy-only - Objects fetched from the peer will not be stored locally.]]>
+ select + allow-miss + + + + + + + 4 +
+ + Peer settings + listtopic + + + Hierarchy + hierarchy + Specify remote caches hierarchy. + select + parent + + + + + + + + Select method + peermethod +
+ default - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.
+ If specified more than once, only the first is used.

+ round-robin - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.
weight=N can be used to add bias.

+ weighted-round-robin - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.
+ Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.

+ carp - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.

+ userhash - Load-balance parents based on the client proxy_auth or ident username.

+ sourcehash - Load-balance parents based on the client source IP.

+ multicast-siblings - To be used only for cache peers of type "multicast".
+ ALL members of this multicast group have "sibling" relationship with it, not "parent". This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.
+ It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]>
+ select + round-robin + + + + + + + + + +
+ + weight + weight + Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more. + input + 5 + 1 + + + basetime + basetime + + It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]> + input + 5 + 1 + + + ttl + ttl + + Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]> + input + 5 + 1 + + + no-delay + nodelay + + checkbox + + + ICP settings + listtopic + + + ICP port + icpport + Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies. + input + 5 + 7 + + + ICP Options + icpoptions + + The defaults will prevent peer traffic using ICP

+ no-query - Disable ICP queries to this neighbor.

+ multicast-responder -Indicates the named peer is a member of a multicast group.
+ ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.

+ closest-only - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.

+ background-ping - To only send ICP queries to this neighbor infrequently.
+ This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]>
+ select + no-query + + + + + + +
+ + Auth settings + listtopic + + + Username + username + If the upstream proxy requires a username, specify it here. + input + + + Password + password + If the upstream proxy requires a password, specify it here. + password + + + Authentication options + authoption + login=user:password - If this is a personal/workgroup proxy and your parent requires proxy authentication.

+ login=PASSTHRU - Send login details received from client to this peer. Authentication is not required by Squid for this to work.
+ This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.

+ login=PASS - Send login details received from client to this peer.Authentication is not required by this option.
+ To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).
+ Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION

+ login=*:password - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.

+ login=NEGOTIATE - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
+ The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.
+ WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.

+ login=NEGOTIATE:principal_nameIf this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
+ The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. + WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.

+ connection-auth=on - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
+ Default is auto to automatically determine the status of the peer.

+ connection-auth=off - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
+ Default is auto to automatically determine the status of the peer.]]>
+ select + login=*:password + + + + + + + + + + +
+
+ + squid_validate_upstream($_POST, $input_errors); + + + squid_resync(); + +
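Review bot: The `nodelay` checkbox in the squid_upstream.xml hunk has no description at all, unlike every other field on the page; a line such as `no-delay - Exclude requests to this peer from delay-pool bandwidth accounting.` would tell the administrator what the Squid cache_peer option does. The `connectfailLimit` fieldname is the only mixed-case name on the page (its neighbours are `connecttimeout`, `maxconn`, `allowmiss`); because the fieldname becomes the configuration key read by squid.inc, renaming it to `connectfaillimit` has to be done together with that reader, which is outside this hunk, but it should at least be documented as deliberate if kept. Two typos in the help text are worth fixing while the file is new: `fectch` in the basetime description, and `login=NEGOTIATE:principal_nameIf`, where a separator between the option and its explanation was lost. The `login=PASS` entry already warns that the user's proxy password is forwarded to the peer; that warning is appropriate and should be kept when the text is tidied.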
diff --git a/config/squid3/34/squid_users.xml b/config/squid3/34/squid_users.xml new file mode 100755 index 00000000..835cf07b --- /dev/null +++ b/config/squid3/34/squid_users.xml 
@@ -0,0 +1,137 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squidusers + none + Proxy server: Local users + /usr/local/pkg/squid.inc + A proxy server user has been deleted. + A proxy server user has been created/modified. 
+ + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Remote Cache + /pkg.php?xml=squid_upstream.xml + + + Local Cache + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Antivirus + /pkg_edit.php?xml=squid_antivirus.xml&id=0 + + + ACLs + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Authentication + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Users + /pkg.php?xml=squid_users.xml + + + + Real time + /squid_monitor.php + + + Sync + /pkg_edit.php?xml=squid_sync.xml + + + + + Username + username + + + Description + description + + + + + Squid Local Users + listtopic + + + Username + username + Enter the username here. + input + + + + Password + password + Enter the password here. + password + + + + Description + description + You may enter a description here for your reference (not parsed). + input + + + + squid_resync_users(); + + diff --git a/config/squid3/34/swapstate_check.php b/config/squid3/34/swapstate_check.php new file mode 100644 index 00000000..b9f51ec1 --- /dev/null +++ b/config/squid3/34/swapstate_check.php @@ -0,0 +1,65 @@ +#!/usr/local/bin/php -q + 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024)) || $argv[1]=="clean") { + squid_dash_z('clean'); + log_error(gettext(sprintf("Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); + } +} +?> diff --git a/pkg_config.10.xml b/pkg_config.10.xml index 1f6bc263..c2841ed3 100644 --- a/pkg_config.10.xml +++ b/pkg_config.10.xml 
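Review bot: The squid_users.xml hunk defines `username`, `password` and `description` with `squid_resync_users();` as the only hook and no validation command, so an empty password or a username containing `:` or whitespace is stored and passed straight to the resync step. If, as the Authentication and Users pages suggest, these entries are written to a colon-delimited password file consumed by a basic-auth helper (the writer is outside this hunk, so this is inferred), such a username would corrupt the file or merge two records; a `custom_php_validation_command` that rejects usernames matching `/[:\s]/`, rejects an empty `password`, and refuses duplicate usernames would close that at the form. The `description` help text already says the field is not parsed; the same note for `username` (which characters are accepted) would make the contract explicit.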
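Review bot: The clean-up condition in swapstate_check.php ends with `$argv[1]=="clean"`, which both compares loosely and reads an index that is not set when the script runs without arguments (the cron case), so every scheduled run raises an undefined-offset notice before the size checks decide anything; `(isset($argv[1]) && $argv[1] === 'clean')` as the last operand avoids both. On the next line the call is `gettext(sprintf("…", $swapstate_size, $swapstate_pct))`, which looks up the already-formatted string in the message catalog and therefore can never match; it should be `log_error(sprintf(gettext("Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space."), $swapstate_size, $swapstate_pct));`. The first operands of the condition and the lines that compute `$diskusedpct`, `$swapstate_size` and `$swapstate_pct` are not recoverable from the collapsed hunk, so whether the 1 GiB literal `1024*1024*1024` is documented anywhere cannot be checked; a named constant with a short comment would help the next reader either way.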
@@ -924,20 +924,20 @@ https://forum.pfsense.org/index.php/topic,48347.0.html http://www.squid-cache.org/ Network - 3.1.20 pkg 2.1.2 + 3.4.9 pkg 0.1 beta 2.2 marcellocoutinho@gmail.com fernando@netfilter.com.br seth.mos@dds.nl mfuchs77@googlemail.com jimp@pfsense.org www/libwww - www/squid31 + www/squid3 www/squid_radius_auth c-icap_UNSET_FORCE=IPV6;squid_UNSET_FORCE=AUTH_SMB AUTH_SQL DNS_HELPER FS_COSS ESI SNMP ECAP STACKTRACES STRICT_HTTP TP_IPF TP_IPFW VIA_DB DEBUG DOCS EXAMPLES;squid_SET_FORCE=ARP_ACL AUTH_KERB AUTH_LDAP AUTH_NIS AUTH_SASL CACHE_DIGESTS DELAY_POOLS FOLLOW_XFF TP_PF MSSL_CRTD WCCP WCCPV2 FS_AUFS HTCP ICAP ICMP IDENT IPV6 KQUEUE LARGEFILE SSL SSL_CRTD - https://packages.pfsense.org/packages/config/squid3/31/squid.xml + https://packages.pfsense.org/packages/config/squid3/34/squid.xml squid.xml - squid-3.1.22_1-##ARCH##.pbi + squid-3.4.9-##ARCH##.pbi squid3-dev -- cgit v1.2.3