From 093d135da031d8c951189a089f1425b55b6b427d Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 21:31:29 +0200 Subject: start squid-reverse [squid2] --- config/squid-reverse/proxy_monitor.sh | 72 ++ config/squid-reverse/squid.inc | 1436 +++++++++++++++++++++++++++++++ config/squid-reverse/squid.xml | 351 ++++++++ config/squid-reverse/squid_auth.inc | 446 ++++++++++ config/squid-reverse/squid_auth.xml | 244 ++++++ config/squid-reverse/squid_cache.xml | 236 +++++ config/squid-reverse/squid_extauth.xml | 106 +++ config/squid-reverse/squid_nac.xml | 163 ++++ config/squid-reverse/squid_ng.inc | 1070 +++++++++++++++++++++++ config/squid-reverse/squid_ng.xml | 267 ++++++ config/squid-reverse/squid_reverse.xml | 231 +++++ config/squid-reverse/squid_traffic.xml | 181 ++++ config/squid-reverse/squid_upstream.xml | 137 +++ config/squid-reverse/squid_users.xml | 124 +++ pkg_config.8.xml | 18 + pkg_config.8.xml.amd64 | 18 + 16 files changed, 5100 insertions(+) create mode 100644 config/squid-reverse/proxy_monitor.sh create mode 100644 config/squid-reverse/squid.inc create mode 100644 config/squid-reverse/squid.xml create mode 100644 config/squid-reverse/squid_auth.inc create mode 100644 config/squid-reverse/squid_auth.xml create mode 100644 config/squid-reverse/squid_cache.xml create mode 100644 config/squid-reverse/squid_extauth.xml create mode 100644 config/squid-reverse/squid_nac.xml create mode 100644 config/squid-reverse/squid_ng.inc create mode 100644 config/squid-reverse/squid_ng.xml create mode 100644 config/squid-reverse/squid_reverse.xml create mode 100644 config/squid-reverse/squid_traffic.xml create mode 100644 config/squid-reverse/squid_upstream.xml create mode 100644 config/squid-reverse/squid_users.xml diff --git a/config/squid-reverse/proxy_monitor.sh b/config/squid-reverse/proxy_monitor.sh new file mode 100644 index 00000000..fab2ee54 --- /dev/null +++ b/config/squid-reverse/proxy_monitor.sh 
@@ -0,0 +1,72 @@
+#!/bin/sh
+# $Id$ */
+#
+# proxy_monitor.sh
+# Copyright (C) 2006 Scott Ullrich
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#
+# 1. Redistributions of source code must retain the above copyright notice,
+# this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+set -e
+
+LOOP_SLEEP=55
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
+# Sleep 5 seconds on startup not to mangle with existing boot scripts.
+sleep 5
+
+# Squid monitor 1.2
+while [ /bin/true ]; do
+ if [ ! -f /var/run/squid_alarm ]; then
+ NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -lt 1 ]; then
+ # squid is down
+ echo "Squid has exited. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm
+ /usr/local/etc/rc.d/squid.sh start
+ sleep 3
+ echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure_sync
+ touch /var/run/squid_alarm
+ fi
+ fi
+ NUM_PROCS=`ps auxw | grep "[s]quid -D"|awk '{print $2}'| wc -l | awk '{ print $1 }'`
+ if [ $NUM_PROCS -gt 0 ]; then
+ if [ -f /var/run/squid_alarm ]; then
+ echo "Squid has resumed. Reconfiguring filter." | \
+ logger -p daemon.info -i -t Squid_Alarm
+ /etc/rc.filter_configure_sync
+ rm /var/run/squid_alarm
+ fi
+ fi
+ sleep $LOOP_SLEEP
+done
+
+if [ -f /var/run/squid_alarm ]; then
+ rm /var/run/squid_alarm
+fi
+
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
new file mode 100644
index 00000000..8dd2cc8e
--- /dev/null
+++ b/config/squid-reverse/squid.inc
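Review bot: Under the `set -e` at the top of the script, a failing `/usr/local/etc/rc.d/squid.sh start` or `/etc/rc.filter_configure_sync` inside the loop terminates the monitor itself, so the watchdog dies exactly when squid fails to come back and nothing is logged; guard the restart, e.g. `/usr/local/etc/rc.d/squid.sh start || echo "Squid restart failed" | logger -p daemon.err -i -t Squid_Alarm`. The liveness check `ps auxw | grep "[s]quid -D"` counts any process whose argument list contains that substring rather than the squid daemon, so an unrelated process can mask an outage; squid.inc in this same commit writes a pidfile as `{$g['varrun_path']}/squid.pid`, and testing that pid with `kill -0` would likely be the more reliable check. `while [ /bin/true ]` is a non-empty-string test, not an invocation of /bin/true; `while true; do` says what is meant. The trailing `rm /var/run/squid_alarm` block after `done` is unreachable because the loop never exits.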
@@ -0,0 +1,1436 @@ + $names[$i], 'value' => $values[$i]); +} + +function squid_validate_general($post, $input_errors) { + global $config; + $settings = $config['installedpackages']['squid']['config'][0]; + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? $post['proxy_port'] : $port; + + $icp_port = trim($post['icp_port']); + if (!empty($icp_port) && !is_port($icp_port)) + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + + if (substr($post['log_dir'], -1, 1) == '/') + $input_errors[] = 'You may not end log location with an / mark'; + + if ($post['log_dir']{0} != '/') + $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) + $input_errors[] = "That is not a valid log location dir"; + + $log_rotate = trim($post['log_rotate']); + if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; + + $webgui_port = $config['system']['webgui']['port']; + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + $webgui_port = 80; + } + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + $webgui_port = 443; + } + + if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { + $input_errors[] = "You can not run squid on the same port as the webgui"; + } + + foreach (array('defined_ip_proxy_off') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + foreach (array('defined_ip_proxy_off_dest') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && 
!is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + + if(!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + }} +} + +function squid_validate_upstream($post, $input_errors) { + if ($post['proxy_forwarding'] == 'on') { + $addr = trim($post['proxy_addr']); + if (empty($addr)) + $input_errors[] = 'The field \'Hostname\' is required'; + else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) + $input_errors[] = "The field '$name' is required"; + else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + } + } + } +} + +function squid_validate_cache($post, $input_errors) { + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "You must enter a valid value for '$field'"; + } + + $value = trim($post['minimum_object_size']); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + } + + if 
(!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + } + + if ($post['donotcache'] != "") { + foreach (split("\n", $post['donotcache']) as $host) { + $host = trim($host); + if (!is_ipaddr($host) && !is_domain($host)) + $input_errors[] = "The host '$host' is not a valid IP or host name"; + } + } + + squid_dash_z(); + +} + +function squid_validate_nac($post, $input_errors) { + $allowed_subnets = explode("\n", $post['allowed_subnets']); + foreach ($allowed_subnets as $subnet) { + $subnet = trim($subnet); + if (!empty($subnet) && !is_subnet($subnet)) + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + } + + foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { + foreach (explode("\n", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host)) + $input_errors[] = "The host '$host' is not a valid IP address"; + } + } + + foreach (array('unrestricted_macs', 'banned_macs') as $macs) { + foreach (explode("\n", $post[$macs]) as $mac) { + $mac = trim($mac); + if (!empty($mac) && !is_macaddr($mac)) + $input_errors[] = "The mac '$mac' is not a valid MAC address"; + } + } + + foreach (explode(",", $post['timelist']) as $time) { + $time = trim($time); + if (!empty($time) && !squid_is_timerange($time)) + $input_errors[] = "The time range '$time' is not a valid time range"; + } + + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + }} +} + +function squid_validate_traffic($post, $input_errors) { + $num_fields = array( 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 
'overall_throttling' => 'Overall bandwidth throttling', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "The field '$name' must contain a positive number"; + } + + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; + } + +} + +function squid_validate_auth($post, $input_errors) { + $num_fields = array( array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), + ); + foreach ($num_fields as $field) { + $value = trim($post[$field[0]]); + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) + $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + } + + $auth_method = $post['auth_method']; + if (($auth_method != 'none') && ($auth_method != 'local')) { + $server = trim($post['auth_server']); + if (empty($server)) + $input_errors[] = 'The field \'Authentication server\' is required'; + else if (!is_ipaddr($server) && !is_domain($server)) + $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + + $port = trim($post['auth_server_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + + switch ($auth_method) { + case 'ldap': + $user = trim($post['ldap_user']); + 
if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; + } + + $no_auth = explode("\n", $post['no_auth_hosts']); + foreach ($no_auth as $host) { + $host = trim($host); + if (!empty($host) && !is_subnet($host)) + $input_errors[] = "The host '$host' is not a valid CIDR range"; + } + } +} + +function squid_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['task_name'], "squid_rotate_logs")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['task_name'] = "squid_rotate_logs"; + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/sbin/squid -k rotate"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config("Squid Log Rotation"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function squid_resync_general() { + global $g, $config, $valid_acls; + + $settings = $config['installedpackages']['squid']['config'][0]; + 
$conf = "# This file is automatically generated by pfSense\n"; + $conf = "# Do not edit manually !\n"; + + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); + $real_ifaces = array(); + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; + } + } + if (($settings['transparent_proxy'] == 'on')) { + $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " transparent\n"; + } + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); + + $pidfile = "{$g['varrun_path']}/squid.pid"; + $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); + $errordir = SQUID_CONFBASE . '/errors/' . $language; + $icondir = SQUID_CONFBASE . '/icons'; + $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); + $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); + + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); + + $logdir_cache = $logdir . '/cache.log'; + $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); + + $conf .= << 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + ); + foreach ($options as $option => $directive) { + $contents = base64_decode($settings[$option]); + if (!empty($contents)) { + file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); + $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; + $valid_acls[] = $option; + } + elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + unlink(SQUID_ACLDIR . 
"/$option.acl"); + } + } + + $conf .= << $binaries, + 'throttle_cdimages' => $cdimages, + 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') + $exts = array_merge($exts, explode(",", $set)); + } + + foreach (explode(",", $settings['throttle_others']) as $ext) { + if (!empty($ext)) $exts[] = $ext; + } + + $contents = ''; + foreach ($exts as $ext) + $contents .= "\.$ext\$\n"; + file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); + + $conf .= "# Throttle extensions matched in the url\n"; + $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; + $conf .= "delay_access 1 allow throttle_exts\n"; + $conf .= "delay_access 1 deny all\n"; + } + else + $conf .= "delay_access 1 allow all\n"; + + return $conf; +} + +function squid_resync_auth() { + global $config, $valid_acls; + + $settings = $config['installedpackages']['squidauth']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + $settingsconfig = $config['installedpackages']['squid']['config'][0]; + $conf = ''; + + // Custom Options + if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { + $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); + $conf .= "# Custom options\n"; + foreach ($custopts as $custopt) { + $conf .= $custopt."\n"; + } + } + + // Deny the banned guys before allowing the good guys + if(! empty($settingsnac['banned_hosts'])) { + if (squid_is_valid_acl('banned_hosts')) { + $conf .= "# These hosts are banned\n"; + $conf .= "http_access deny banned_hosts\n"; + } + } + if(! empty($settingsnac['banned_macs'])) { + if (squid_is_valid_acl('banned_macs')) { + $conf .= "# These macs are banned\n"; + $conf .= "http_access deny banned_macs\n"; + } + } + + // Unrestricted hosts take precendence over blacklist + if(! 
empty($settingsnac['unrestricted_hosts'])) { + if (squid_is_valid_acl('unrestricted_hosts')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_hosts\n"; + } + } + if(! empty($settingsnac['unrestricted_macs'])) { + if (squid_is_valid_acl('unrestricted_macs')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_macs\n"; + } + } + + // Whitelist and blacklist also take precendence over other allow rules + if(! empty($settingsnac['whitelist'])) { + if (squid_is_valid_acl('whitelist')) { + $conf .= "# Always allow access to whitelist domains\n"; + $conf .= "http_access allow whitelist\n"; + } + } + if(! empty($settingsnac['blacklist'])) { + if (squid_is_valid_acl('blacklist')) { + $conf .= "# Block access to blacklist domains\n"; + $conf .= "http_access deny blacklist\n"; + } + } + + $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); + $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + // Allow the remaining ACLs if no authentication is set + if ($auth_method == 'none') { + $conf .="# Setup allowed acls\n"; + $allowed = array('allowed_subnets'); + if ($settingsconfig['allow_interface'] == 'on') { + $conf .= "# Allow local network(s) on interface(s)\n"; + $allowed[] = "localnet"; + } + $allowed = array_filter($allowed, 'squid_is_valid_acl'); + foreach ($allowed as $acl) + $conf .= "http_access allow $acl\n"; + } + else { + $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + if (!empty($noauth)) { + $conf .= "acl noauth src $noauth\n"; + $valid_acls[] = 'noauth'; + } + + // Set up the external authentication programs + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); + $prompt = ($settings['auth_prompt'] ? 
$settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); + switch ($auth_method) { + case 'local': + $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'msnt': + $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; + squid_resync_msnt(); + break; + } + $conf .= << + + + +EOD; + } + else { + $javascript = << + + + +EOD; + } + + print($javascript); +} + +function squid_print_javascript_auth2() { + print("\n"); +} + +function squid_generate_rules($type) { + global $config; + + $squid_conf = $config['installedpackages']['squid']['config'][0]; + + if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { + return; + } + + if (!is_service_running('squid')) { + log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); + return; + } + + $ifaces = explode(",", $squid_conf['active_interface']); + $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); + $port = ($squid_conf['proxy_port'] ? 
$squid_conf['proxy_port'] : 3128); + + $fw_aliases = filter_generate_aliases(); + if(strstr($fw_aliases, "pptp =")) + $PPTP_ALIAS = "\$pptp"; + else + $PPTP_ALIAS = "\$PPTP"; + if(strstr($fw_aliases, "PPPoE =")) + $PPPOE_ALIAS = "\$PPPoE"; + else + $PPPOE_ALIAS = "\$pppoe"; + + switch($type) { + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if(!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; + $exempt_ip .= ", $ip_proxy_off"; + } + } + $exempt_ip = substr($exempt_ip,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules 
.= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if(!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port 80\n"; + } + } + foreach ($ifaces as $iface) { + $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . 
"\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($ifaces as $iface) { + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n"; + $rules .= "\n"; + }; + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + break; + default: + break; + } + + return $rules; +} + +function squid_write_rcfile() { + $rc = array(); + $rc['file'] = 'squid.sh'; + $rc['start'] = <</dev/null +killall pinger 2>/dev/null + +EOD; + $rc['restart'] = << diff --git a/config/squid-reverse/squid.xml b/config/squid-reverse/squid.xml new file mode 100644 index 00000000..1449a59c --- /dev/null +++ b/config/squid-reverse/squid.xml 
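Review bot: In squid_resync_auth the LDAP bind password and RADIUS secret are interpolated raw into the `auth_param basic program` line (`-w {$settings['ldap_pass']}` and `-w {$settings['radius_secret']}`), so a secret containing whitespace or quotes breaks the helper invocation, and because squid hands these tokens to the helper as arguments the secret is readable in process listings as well as in squid.conf; if the bundled helpers support a secret-file option (squid_ldap_auth's `-W secretfile`, for example) prefer that, and at minimum quote the value the way `-f \"{$settings['ldap_filter']}\"` already is. In squid_resync_general the second header line is written with `$conf = "# Do not edit manually !\n";`, which discards the first header line; it should be `.=`. In squid_generate_rules the three rdr lines use `$squid_conf['proxy_port']` directly while the pass rules use `$port` (which carries the 3128 fallback), so an empty port field yields `port ` with nothing after it in the nat rules; use `$port` there too, and initialise `$rules = '';` before the switch since it is only ever appended to. In squid_install_cron the removal branch only runs `unset($config['cron']['item'][$x])` when `$x > 0`, so a rotate job stored at index 0 can never be removed; the condition should test `$is_installed` alone. Note also that every squid_validate_* function takes `$input_errors` by value and relies on the caller's call-time `&$input_errors` (see squid.xml in this commit), which later PHP versions reject; declare the parameter as `&$input_errors` in the signatures instead.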
@@ -0,0 +1,351 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squid-reverse + 2.7.STABLE9 + Proxy server: General settings + /usr/local/pkg/squid.inc + + Proxy server + Modify the proxy server's settings +
Services
+ /pkg_edit.php?xml=squid.xml&id=0 +
+ + squid + squid.sh + squid + Proxy server Service + + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_cache.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_nac.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_ng.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_traffic.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_upstream.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_reverse.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_auth.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_users.xml + + + /usr/local/etc/rc.d/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/proxy_monitor.sh + + + /usr/local/pkg/ + 0755 + http://www.pfsense.org/packages/config/squid-reverse/squid_cache.xml + + + + Proxy interface + active_interface + The interface(s) the proxy server will bind to. 
+ interfaces_selection + + lan + + + + Allow users on interface + allow_interface + If this field is checked, the users connected to the interface selected in the 'Proxy interface' field will be allowed to use the proxy, i.e., there will be no need to add the interface's subnet to the list of allowed subnets. This is just a shortcut. + checkbox + + on + + + Transparent proxy + transparent_proxy + If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary. + checkbox + private_subnet_proxy_off,defined_ip_proxy_off,defined_ip_proxy_off_dest + + + + Bypass proxy for Private Address Space (RFC 1918) destination + private_subnet_proxy_off + Do not forward traffic to Private Address Space (RFC 1918) <b>destination</b> through the proxy server but directly through the firewall. + checkbox + + + Bypass proxy for these source IPs + defined_ip_proxy_off + Do not forward traffic from these <b>source</b> IPs, CIDR nets, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode] + input + 80 + + + Bypass proxy for these destination IPs + defined_ip_proxy_off_dest + Do not proxy traffic going to these <b>destination</b> IPs, CIDR nets, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). [Applies only to transparent mode] + input + 80 + + + Enabled logging + log_enabled + This will enable the access log. Don't switch this on if you don't have much disk space left. + checkbox + log_query_terms,log_user_agents + + + Log store directory + log_dir + The directory where the log will be stored (note: do not end with a / mark) + input + 60 + + /var/squid/logs + + + Log rotate + log_rotate + Defines how many days of logfiles will be kept. Rotation is disabled if left empty. 
+ input + 5 + + + Proxy port + proxy_port + This is the port the proxy server will listen on. + input + 5 + + 3128 + + + ICP port + icp_port + This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. Leave this blank if you don't want the proxy server to communicate with neighbor caches through ICP. + input + 5 + + + Visible hostname + visible_hostname + This is the URL to be displayed in proxy server error messages. + input + 60 + localhost + + + Administrator email + admin_email + This is the email address displayed in error messages to the users. + input + 60 + admin@localhost + + + Language + error_language + Select the language in which the proxy server will display error messages to users. + select + English + + + Disable X-Forward + disable_xforward + If not set, Squid will include your system's IP address or name in the HTTP requests it forwards. + checkbox + + + Disable VIA + disable_via + If not set, Squid will include a Via header in requests and replies as required by RFC2616. + checkbox + + + What to do with requests that have whitespace characters in the URI + uri_whitespace + <b> strip:</b> The whitespace characters are stripped out of the URL. This is the behavior recommended by RFC2396. <p> <b> deny:</b> The request is denied. The user receives an "Invalid Request" message.<p> <b> allow:</b> The request is allowed and the URI is not changed. The whitespace characters remain in the URI.<p> <b> encode:</b> The request is allowed and the whitespace characters are encoded according to RFC1738.<p> <b> chop:</b> The request is allowed and the URI is chopped at the first whitespace. + select + strip + + + + + + + + + + Use alternate DNS-servers for the proxy-server + dns_nameservers + If you want to use other DNS-servers than the DNS-forwarder, enter the IPs here, separated by semi-colons (;). 
+ input + 60 + + + Suppress Squid Version + disable_squidversion + If set, suppress Squid version string info in HTTP headers and HTML error pages. + checkbox + + + Custom Options + custom_options + You can put your own custom options here, separated by semi-colons (;). They'll be added to the configuration. They need to be squid.conf native options, otherwise squid will NOT work. + textarea + 65 + 5 + + + + squid_before_form_general(&$pkg); + + + squid_resync(); + + + squid_validate_general($_POST, &$input_errors); + + + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + + + update_status("Checking Squid cache... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + squid_install_command(); + squid_resync(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid"); + + + squid_deinstall_command(); + exec("/bin/rm -f /usr/local/etc/rc.d/squid*"); + + squid_generate_rules +
\ No newline at end of file diff --git a/config/squid-reverse/squid_auth.inc b/config/squid-reverse/squid_auth.inc new file mode 100644 index 00000000..7c99a01b --- /dev/null +++ b/config/squid-reverse/squid_auth.inc 
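Review bot: The additional-files list fetches executable package code (`squid.inc`, `proxy_monitor.sh` and the form XML files) from `http://www.pfsense.org/packages/config/squid-reverse/...` over plain HTTP with no integrity check, so the install step trusts whatever the network returns; if the package framework offers an https source or a checksum field, use it here, and the installed `.inc`/`.xml` files do not need mode `0755` (only `proxy_monitor.sh` is executed). The `squid_cache.xml` entry appears twice in that list (first and last item), so one copy should be dropped. The validation hook calls `squid_validate_general($_POST, &$input_errors)` with call-time pass-by-reference, which later PHP versions reject; the reference belongs in the function signature in squid.inc. The package description fields still hold the template placeholders `Describe your package here` and `Describe your package requirements here`; replace them with a one-line description of the reverse-proxy package.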
@@ -0,0 +1,446 @@ + + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. 
+ +*/ + +function global_eval_auth_options() +{ + global $config; + conf_mount_rw(); + config_lock(); + + switch ($config['installedpackages']['squidauth']['config'][0]['auth_method']) { + case "none": + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + case "local_auth": + dynamic_auth_content("pkg"); + /* create empty passwd file to prevent stat error with squid reload */ + touch ("/usr/local/etc/squid/advanced/ncsa/passwd"); + dynamic_local_auth(); + break; + case "ldap_bind": + dynamic_auth_content("pkg_edit"); + dynamic_ldap_auth(); + break; + case "domain_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_domain_auth(); + break; + case "radius_auth": + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_radius_auth(); + break; + default: + $filecontents = file("/usr/local/pkg/squid_auth.xml"); + dynamic_auth_content("pkg_edit"); + dynamic_no_auth(); + break; + } + + config_unlock(); + conf_mount_ro(); + +} /* end function global_eval_auth_options */ + +function dynamic_no_auth() { + global $config; + conf_mount_rw(); + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, " squidextnoauth\n"); + fwrite($fout, " Services: Proxy Server -> Extended Authentication Settings\n"); + fwrite($fout, " installedpackages->package->squidextnoauth->configuration->settings\n"); + fwrite($fout, "\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " General Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Upstream Proxy\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " 
Cache Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Network Access Control\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Traffic Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Extended Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " No Authentication Defined\n"); + fwrite($fout, " no_auth\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_local_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, " squidextlocalauth\n"); + fwrite($fout, " Services: Proxy Server -> Extended Auth Settings\n"); + fwrite($fout, " 2.5.10_4\n"); + fwrite($fout, " installedpackages->package->squidextlocalauth->configuration->settings\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + 
fwrite($fout, "\n"); + fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " General Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Upstream Proxy\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Cache Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Network Access Control\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Traffic Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Extended Auth Settings\n"); + fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " Username\n"); + fwrite($fout, " username\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Description\n"); + fwrite($fout, " description\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Restriction Group\n"); + fwrite($fout, " group\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " Username\n"); + fwrite($fout, " username\n"); + fwrite($fout, " 
input\n"); + fwrite($fout, " 15\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Password\n"); + fwrite($fout, " password\n"); + fwrite($fout, " password\n"); + fwrite($fout, " 8\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Description (Optional)\n"); + fwrite($fout, " description\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 30\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Restriction Group\n"); + fwrite($fout, " group\n"); + fwrite($fout, " select\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +function dynamic_ldap_auth() { + global $config; + conf_mount_rw(); + + $fout = fopen("/usr/local/pkg/squid_extauth.xml", "w"); + + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + fwrite($fout, " squidextldapauth\n"); + fwrite($fout, " Services: Proxy Server -> Extended Auth Settings\n"); + fwrite($fout, " 2.5.11\n"); + fwrite($fout, " installedpackages->package->squidextldapauth->configuration->settings\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " General Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n"); + 
fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Upstream Proxy\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Cache Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Network Access Control\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Traffic Mgmt\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Extended Auth Settings\n"); + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " Base DN\n"); + fwrite($fout, " ldap_basedn\n"); + fwrite($fout, " This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. 
Example: \"ou=users,o=company\" will search for users in and under the specified company.\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 50\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " LDAP Server\n"); + fwrite($fout, " ldap_server\n"); + fwrite($fout, " This is the LDAP server that the bind will be attempted against.\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 20\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " LDAP Type\n"); + fwrite($fout, " ldap_type\n"); + fwrite($fout, " This specifies the supported LDAP types.\n"); + fwrite($fout, " select\n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " LDAP Port\n"); + fwrite($fout, " ldap_port\n"); + fwrite($fout, " This is the port that LDAP bind will attempt on. 
The default is \"389\".\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 5\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Bind DN Username\n"); + fwrite($fout, " bind_dn_username\n"); + fwrite($fout, " If \"anonymous bind\" is not supported, please specify the bind username that can access the Base DN hierarchy.\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 30\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Bind DN Password\n"); + fwrite($fout, " bind_dn_password\n"); + fwrite($fout, " This is the associated password with the Bind DN Username previously specified.\n"); + fwrite($fout, " password\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " require_once(\"/usr/local/pkg/squid_ng.inc\");\n"); + fwrite($fout, "\n"); + fwrite($fout, " mod_htpasswd();\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, " mwexec(\"/usr/local/sbin/squid -k reconfigure\");\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); + + fclose($fout); + + /* mount filesystem read-only */ + conf_mount_ro(); +} + +/* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ +function dynamic_auth_content($pkgvar) { + + switch ($pkgvar) { + case "pkg": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . 
$file, "w"); + foreach($filecontents as $line) { + if (stristr($line, "/pkg_edit.php?xml=squid_extauth.xml&id=0")) { + fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + + case "pkg_edit": + if ($handle = opendir("/usr/local/pkg")) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + $filecontents = file("/usr/local/pkg/" . $file); + $fout = fopen("/usr/local/pkg/" . $file,"w"); + foreach($filecontents as $line) { + if (stristr($line, "/pkg.php?xml=squid_extauth.xml&id=0")) { + fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); + } else { + fwrite($fout, $line); + } + } + } + } + } + break; + } + +} /* end function dynamic_auth_content */ +?> \ No newline at end of file diff --git a/config/squid-reverse/squid_auth.xml b/config/squid-reverse/squid_auth.xml new file mode 100644 index 00000000..8d6e046e --- /dev/null +++ b/config/squid-reverse/squid_auth.xml 
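Review bot: In dynamic_auth_content() each squid_*.xml descriptor is opened with `fopen(..., "w")`, which truncates it, before the preceding `file()` result is checked, and neither `fclose($fout)` nor `closedir($handle)` is ever called, so an unreadable descriptor gets emptied and one write handle per file leaks until the request ends. The readdir() loop also uses the loose `!= false`, which ends the scan early on an entry named "0"; the documented idiom is `!== false`. The same three fixes apply to both the "pkg" and "pkg_edit" cases, shown once below for "pkg". Separately, global_eval_auth_options() creates the htpasswd file with `touch(...)` alone; since it will hold credential hashes, an explicit `chmod("/usr/local/etc/squid/advanced/ncsa/passwd", 0600);` after the touch would pin the mode — the effective mode under the GUI's umask is not visible here, so treat that as something to confirm.
```php
case "pkg":
    if ($handle = opendir("/usr/local/pkg")) {
        while (($file = readdir($handle)) !== false) {
            if (stristr($file, "squid_") && stristr($file, ".xml")) {
                $filecontents = file("/usr/local/pkg/" . $file);
                if ($filecontents === false) {
                    continue; /* unreadable: skip rather than truncate the descriptor */
                }
                $fout = fopen("/usr/local/pkg/" . $file, "w");
                if ($fout === false) {
                    continue;
                }
                foreach ($filecontents as $line) {
                    /* … unchanged: pkg_edit.php -> pkg.php link substitution … */
                }
                fclose($fout);
            }
        }
        closedir($handle);
    }
    break;
```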
@@ -0,0 +1,244 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidauth + none + Proxy server: Authentication + squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + Authentication method + auth_method + Select an authentication method. This will allow users to be authenticated by local or external services. + select + + none + + + + + + + + on_auth_method_changed() + + + LDAP version + ldap_version + Enter LDAP protocol version (2 or 3). + select + 2 + + + + + + + Authentication server + auth_server + Enter here the IP or hostname of the server that will perform the authentication. + input + 60 + + + Authentication server port + auth_server_port + Enter here the port to use to connect to the authentication server. Leave this field blank to use the authentication method's default port. + input + 60 + + + NT domain + auth_ntdomain + Enter here the NT domain. + input + 60 + + + LDAP server user DN + ldap_user + Enter here the user DN to use to connect to the LDAP server. + input + 60 + + + LDAP password + ldap_pass + Enter here the password to use to connect to the LDAP server. + password + 60 + + + LDAP base domain + ldap_basedomain + For LDAP authentication, enter here the base domain in the LDAP server. + input + 60 + + + LDAP username DN attribute + ldap_userattribute + Enter LDAP username DN attibute. + input + 60 + uid + + + LDAP search filter + ldap_filter + Enter LDAP search filter. + input + 60 + (&(objectClass=person)(uid=%s)) + + + RADIUS secret + radius_secret + The RADIUS secret for RADIUS authentication. 
+ password + 60 + + + Secondary NT servers + msnt_secondary + Comma-separated list of secondary servers to be used for NT domain authentication. + input + 60 + + + Authentication prompt + auth_prompt + This string will be displayed at the top of the authentication request window. + input + Please enter your credentials to access the proxy + + + Authentication processes + auth_processes + The number of authenticator processes to spawn. If many authentications are expected within a short timeframe, increase this number accordingly. + input + 60 + 5 + + + Authentication TTL + auth_ttl + This specifies for how long (in minutes) the proxy server assumes an externally validated username and password combination is valid (Time To Live). When the TTL expires, the user will be prompted for credentials again. + input + 60 + 60 + + + Requiere authentication for unrestricted hosts + unrestricted_auth + If this option is enabled, even users tagged as unrestricted through access control are required to authenticate to use the proxy. + checkbox + + + Subnets that don't need authentication + no_auth_hosts + Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy. + textarea + 50 + 5 + base64 + + + + squid_validate_auth($_POST, &$input_errors); + + + squid_print_javascript_auth2(); + + + squid_resync(); + + + squid_print_javascript_auth2(); + + + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + if($transparent_proxy) + $input_errors[] = "Authentication cannot be enabled while transparent proxy mode is enabled"; + squid_print_javascript_auth(); + + diff --git a/config/squid-reverse/squid_cache.xml b/config/squid-reverse/squid_cache.xml new file mode 100644 index 00000000..beafa5dd --- /dev/null +++ b/config/squid-reverse/squid_cache.xml 
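Review bot: `squid_validate_auth($_POST, &$input_errors)` uses call-time pass-by-reference, which PHP deprecates in 5.3 and rejects as a fatal error from 5.4, so this validation hook breaks on the next PHP upgrade; declare the parameter by-reference in the function definition in squid.inc and call `squid_validate_auth($_POST, $input_errors)`. The same pattern appears in squid_cache.xml (`squid_validate_cache`), squid_nac.xml (`squid_validate_nac`) and squid.xml (`squid_validate_general`). The transparent-proxy check at the end of the file adds its error whenever transparent mode is on without looking at the selected `auth_method`; with the tags stripped in this view I cannot tell which hook it runs in, but guarding it with the chosen method would make the intent clear. "Requiere authentication for unrestricted hosts" should read "Require authentication for unrestricted hosts".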
@@ -0,0 +1,236 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidcache + none + Proxy server: Cache management + squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + Hard disk cache size + harddisk_cache_size + This is the amount of disk space (in megabytes) to use for cached objects. + input + + 100 + + + Hard disk cache system + harddisk_cache_system + This specifies the kind of storage system to use. <p> <b> ufs </b> is the old well-known Squid storage format that has always been there. <p> <b> aufs </b> uses POSIX-threads to avoid blocking the main Squid process on disk-I/O. (Formerly known as async-io.) <p> <b> diskd </b> uses a separate process to avoid blocking the main Squid process on disk-I/O. <p> <b> null </b> Does not use any storage. Ideal for Embedded/NanoBSD. + select + ufs + + + + + + + + + Hard disk cache location + harddisk_cache_location + This is the directory where the cache will be stored. (note: do not end with a /). If you change this location, squid needs to make a new cache, this could take a while + input + 60 + + /var/squid/cache + + + Memory cache size + memory_cache_size + This is the amount of physical RAM (in megabytes) to be used for negative cache and in-transit objects. This value should not exceed more than 50% of the installed RAM. The minimum value is 1MB. + input + + 8 + + + Minimum object size + minimum_object_size + Objects smaller than the size specified (in kilobytes) will not be saved on disk. The default value is 0, meaning there is no minimum. 
+ input + + 0 + + + Maximum object size + maximum_object_size + Objects larger than the size specified (in kilobytes) will not be saved on disk. If you wish to increase speed more than you want to save bandwidth, this should be set to a low value. + input + + 4 + + + Maximum object size in RAM + maximum_objsize_in_mem + Objects smaller than the size specified (in kilobytes) will be saved in RAM. Default is 32. + input + + 32 + + + Level 1 subdirectories + level1_subdirs + Each level-1 directory contains 256 subdirectories, so a value of 256 level-1 directories will use a total of 65536 directories for the hard disk cache. This will significantly slow down the startup process of the proxy service, but can speed up the caching under certain conditions. + select + 16 + + + + + + + + + + + + Memory replacement policy + memory_replacement_policy + The memory replacement policy determines which objects are purged from memory when space is needed. The default policy for memory replacement is GDSF. <p> <b> LRU: Last Recently Used Policy </b> - The LRU policies keep recently referenced objects. i.e., it replaces the object that has not been accessed for the longest time. <p> <b> Heap GDSF: Greedy-Dual Size Frequency </b> - The Heap GDSF policy optimizes object-hit rate by keeping smaller, popular objects in cache. It achieves a lower byte hit rate than LFUDA though, since it evicts larger (possibly popular) objects. <p> <b> Heap LFUDA: Least Frequently Used with Dynamic Aging </b> - The Heap LFUDA policy keeps popular objects in cache regardless of their size and thus optimizes byte hit rate at the expense of hit rate since one large, popular object will prevent many smaller, slightly less popular objects from being cached. <p> <b> Heap LRU: Last Recently Used </b> - Works like LRU, but uses a heap instead. 
<p> Note: If using the LFUDA replacement policy, the value of Maximum Object Size should be increased above its default of 12KB to maximize the potential byte hit rate improvement of LFUDA. + select + heap GDSF + + + + + + + + + Cache replacement policy + cache_replacement_policy + The cache replacement policy decides which objects will remain in cache and which objects are replaced to create space for the new objects. The default policy for cache replacement is LFUDA. Please see the type descriptions specified in the memory replacement policy for additional detail. + select + heap LFUDA + + + + + + + + + Low-water-mark in % + cache_swap_low + Cache replacement begins when the swap usage is above the low-low-water mark and attempts to maintain utilisation near the low-water-mark. + input + 90 + + + High-water-mark in % + cache_swap_high + As swap utilisation gets close to the high-water-mark object eviction becomes more aggressive. + input + 95 + + + Do not cache + donotcache + Enter each domain or IP address on a new line that should never be cached. + textarea + 50 + 5 + base64 + + + Enable offline mode + enable_offline + Enable this option and the proxy server will never try to validate cached objects. The offline mode gives access to more cached information than the proposed feature would allow (stale cached versions, where the origin server should have been contacted). + checkbox + + + + + if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) { + $needs_dash_z = true; + } + + + squid_validate_cache($_POST, &$input_errors); + + + squid_resync(); + if($needs_dash_z) + squid_dash_z(); + + diff --git a/config/squid-reverse/squid_extauth.xml b/config/squid-reverse/squid_extauth.xml new file mode 100644 index 00000000..41d9f633 --- /dev/null +++ b/config/squid-reverse/squid_extauth.xml 
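Review bot: The before-save check compares only `harddisk_cache_size` when deciding to set `$needs_dash_z`, yet the `harddisk_cache_location` description itself says a changed location requires a new cache, and a change of `harddisk_cache_system` or `level1_subdirs` equally needs `squid -z` to lay out the new directory tree. Extend the condition to those fields, e.g. `foreach (array('harddisk_cache_size', 'harddisk_cache_location', 'harddisk_cache_system', 'level1_subdirs') as $f) if ($_POST[$f] != $config['installedpackages']['squidcache']['config'][0][$f]) $needs_dash_z = true;`. Whether `$needs_dash_z` is still in scope when the resync hook tests it depends on pkg_edit.php evaluating both hooks in one scope, which I cannot confirm from this hunk.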
@@ -0,0 +1,106 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidextnoauth + none + Services: Proxy Server -> Extended Authentication Settings + /pkg_edit.php?xml=squid_extauth.xml&id=0 + + + General + /pkg_edit.php?xml=squid_ng.xml&id=0 + + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + + Auth + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + + Extended Auth + /pkg_edit.php?xml=squid_extauth.xml&id=0 + + + + + installedpackages->package->squidextnoauth->configuration->settings + + + No Authentication Defined + no_auth + text + + + + + require_once("/usr/local/pkg/squid_ng.inc"); + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + + + diff --git a/config/squid-reverse/squid_nac.xml b/config/squid-reverse/squid_nac.xml new file mode 100644 index 00000000..7b333141 --- /dev/null +++ b/config/squid-reverse/squid_nac.xml 
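Review bot: This descriptor's tab bar and resync hook follow the older squid_ng code path — General links to `squid_ng.xml` and resync calls `global_write_squid_config()` from `squid_ng.inc` — while every other descriptor in this commit (squid_auth.xml, squid_cache.xml, squid_nac.xml) links General to `squid.xml`, offers Reverse Settings and Local Users tabs, and resyncs through `squid_resync()` from `squid.inc`. If both paths are live after install, two different generators write squid.conf and a save on this page could discard what the squid.inc generator produced; either switch this hook to `squid_resync();` or add a comment stating which generator is authoritative. Note also that `dynamic_no_auth()` in squid_auth.inc rewrites this file at runtime, so the committed copy is effectively a template and its header should say so.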
@@ -0,0 +1,163 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidnac + none + Proxy server: Access control + squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + Allowed subnets + allowed_subnets + Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy. + textarea + 50 + 5 + base64 + + + Unrestricted IPs + unrestricted_hosts + Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page. + textarea + 50 + 5 + base64 + + + Banned host addresses + banned_hosts + Enter each IP address on a new line that is not to be allowed to use the proxy. + textarea + 50 + 5 + base64 + + + Whitelist + whitelist + Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. You also can use regular expressions. + textarea + 50 + 5 + base64 + + + Blacklist + blacklist + Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. You also can use regular expressions. + textarea + 50 + 5 + base64 + + + External Cache-Managers + ext_cachemanager + Enter the IPs for the external Cache Managers to be allowed here, separated by semi-colons (;). 
+ input + 60 + + + acl safeports + addtl_ports + This is a space-separated list of "safe ports" in addition to the already defined list: 21 70 80 210 280 443 488 563 591 631 777 901 1025-65535 + input + 60 + + + + acl sslports + addtl_sslports + This is a space-separated list of ports to allow SSL "CONNECT" in addition to the already defined list: 443 563 + input + 60 + + + + + squid_validate_nac($_POST, &$input_errors); + + + squid_resync(); + + diff --git a/config/squid-reverse/squid_ng.inc b/config/squid-reverse/squid_ng.inc new file mode 100644 index 00000000..03f6d48c --- /dev/null +++ b/config/squid-reverse/squid_ng.inc 
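Review bot: The Whitelist and Blacklist descriptions say regular expressions are accepted but give no guidance on anchoring; if these lists become regex ACLs, an unanchored pattern such as `example.com` matches every destination that merely contains that string, which silently widens a whitelist. Suggest appending to both descriptions: "Regular expressions are unanchored unless you add ^ and $, so anchored patterns like ^example\.com$ are safer than bare domain names." Whether the entries are validated or escaped before they reach the squid ACL files is decided in `squid_validate_nac()` in squid.inc, outside this hunk. "accessable" in the Whitelist description should be "accessible".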
@@ -0,0 +1,1070 @@
+
+ All rights reserved.
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are met:
+
+ 1. Redistributions of source code must retain the above copyright notice,
+ this list of conditions and the following disclaimer.
+
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ POSSIBILITY OF SUCH DAMAGE.
+
+*/
+
+if(!function_exists("filter_configure"))
+ require_once("filter.inc");
+
+function global_write_squid_config()
+{
+ global $config;
+ conf_mount_rw();
+ config_lock();
+
+ /* define squid configuration file in variable for replace function */
+ $squidconfig = "/usr/local/etc/squid/squid.conf";
+
+ /* squid.xml values */
+ $active_interface = $config['installedpackages']['squid']['config'][0]['active_interface'];
+ $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'];
+ $log_enabled = $config['installedpackages']['squid']['config'][0]['log_enabled'];
+ $urlfier_enable = $config['installedpackages']['squid']['config'][0]['urlfilter_enable'];
+ $accesslog_disabled = $config['installedpackages']['squid']['config'][0]['accesslog_disabled'];
+ $log_query_terms = $config['installedpackages']['squid']['config'][0]['log_query_terms'];
+ $log_user_agents = $config['installedpackages']['squid']['config'][0]['log_user_agents'];
+ $proxy_port = $config['installedpackages']['squid']['config'][0]['proxy_port'];
+ $visible_hostname = $config['installedpackages']['squid']['config'][0]['visible_hostname'];
+ $cache_admin_email = $config['installedpackages']['squid']['config'][0]['cache_admin_email'];
+ $error_language = $config['installedpackages']['squid']['config'][0]['error_language'];
+ $cachemgr_enabled = $config['installedpackages']['squid']['config'][0]['cachemgr_enabled'];
+
+ /* squid_upstream.xml values */
+ $proxy_forwarding = $config['installedpackages']['squidupstream']['config'][0]['proxy_forwarding'];
+ $client_ip_forwarding = $config['installedpackages']['squidupstream']['config'][0]['client_ip_forwarding'];
+ $user_forwarding = $config['installedpackages']['squidupstream']['config'][0]['user_forwarding'];
+ $upstream_proxy = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy'];
+ $upstream_proxy_port = $config['installedpackages']['squidupstream']['config'][0]['upstream_proxy_port'];
+
$upstream_username = $config['installedpackages']['squidupstream']['config'][0]['upstream_username'];
+ $upstream_password = $config['installedpackages']['squidupstream']['config'][0]['upstream_psasword'];
+
+ /* squid_cache.xml values */
+ $memory_cache_size = $config['installedpackages']['squidcache']['config'][0]['memory_cache_size'];
+ $harddisk_cache_size = $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size'];
+ $minimum_object_size = $config['installedpackages']['squidcache']['config'][0]['minimum_object_size'];
+ $maximum_object_size = $config['installedpackages']['squidcache']['config'][0]['maximum_object_size'];
+ $level_subdirs = $config['installedpackages']['squidcache']['config'][0]['level_subdirs'];
+ $memory_replacement = $config['installedpackages']['squidcache']['config'][0]['memory_replacement'];
+ $cache_replacement = $config['installedpackages']['squidcache']['config'][0]['cache_replacement'];
+ $domain = $config['installedpackages']['squidcache']['config'][0]['domain'];
+ $enable_offline = $config['installedpackages']['squidcache']['config'][0]['enable_offline'];
+
+ /* squid_nac.xml values */
+ $allowed_subnets = $config['installedpackages']['squidnac']['config'][0]['allowed_subnets'];
+ $unrestricted_ip_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_ip_address'];
+ $unrestricted_mac_addr = $config['installedpackages']['squidnac']['config'][0]['unrestricted_mac_addresses'];
+ $banned_ip_addr = $config['installedpackages']['squidnac']['config'][0]['banned_ip_addresses'];
+ $banned_mac_addr = $config['installedpackages']['squidnac']['config'][0]['banned_mac_addresses'];
+ $override_hosts = $config['installedpackages']['squidnac']['config'][0]['override_hosts'];
+
+ /* squid_traffic.xml values */
+ $max_download_size = $config['installedpackages']['squidtraffic']['config'][0]['max_download_size'];
+ $max_upload_size = $config['installedpackages']['squidtraffic']['config'][0]['max_upload_size'];
+ $dl_overall = $config['installedpackages']['squidtraffic']['config'][0]['dl_overall'];
+ $dl_per_host = $config['installedpackages']['squidtraffic']['config'][0]['dl_per_host'];
+ $throttle_binary_files = $config['installedpackages']['squidtraffic']['config'][0]['throttle_binary_files'];
+ $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
+ $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
+
+ /* squid_auth.xml values */
+ $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
+ $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
+ $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
+ $limit_ip_addr = $config['installedpackages']['squidauth']['config'][0]['limit_ip_addr'];
+ $user_ip_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['user_ip_cache_ttl'];
+ $req_unrestricted_auth = $config['installedpackages']['squidauth']['config'][0]['req_unrestricted_auth'];
+ $auth_realm_prompt = $config['installedpackages']['squidauth']['config'][0]['auth_realm_prompt'];
+ $no_domain_auth = $config['installedpackages']['squidauth']['config'][0]['no_domain_auth'];
+ $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
+ $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
+
+ /* squid_extauth.xml (ldap) values */
+ $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
+ $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
+ $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
+ $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
+ $bind_dn_username =
$config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
+ $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+
+ /* squid_extauth.xml (radius) values */
+ $radius_server = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_server'];
+ $radius_port = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_port'];
+ $radius_identifier = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_identifier'];
+ $radius_secret = $config['installedpackages']['squidextradiusauth']['config'][0]['radius_secret'];
+
+ /* static variable assignments for directory mapping */
+ $acldir = "/usr/local/etc/squid/advanced/acls";
+ $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
+ $ntlmdir = "/usr/local/etc/squid/advanced/ntlm";
+ $radiusdir = "/usr/local/etc/squid/advanced/radius";
+
+ $fout = fopen($squidconfig, "w");
+
+ $config_array = array('shutdown_lifetime 5 seconds' . "\n\n");
+
+ if (isset($cachemgr_enabled) && ($cachemgr_enabled == "on")) {
+ mwexec("cp /usr/local/libexec/squid/cachemgr.cgi /usr/local/www/cachemgr.cgi");
+ mwexec("chmod a+rx /usr/local/www/cachemgr.cgi");
+ } else {
+ mwexec("rm -f /usr/local/www/cachemgr.cgi");
+ }
+ unset($cachemgr_enabled);
+
+ if (!isset($icp_port) or ($icp_port == "")) {
+ $icp_port = "3130";
+ }
+ $config_array[] = 'icp_port ' . $icp_port . "\n";
+ unset($icp_port);
+
+ if(!isset($proxy_port) or ($proxy_port == "")) {
+ $proxy_port = "3128";
+ }
+
+ if (isset($transparent_proxy) && ($transparent_proxy != "on")) {
+ $int = convert_friendly_interface_to_real_interface_name($active_interface);
+ $listen_ip = find_interface_ip($int);
+
+ $config_array[] = 'http_port ' . $listen_ip . ':' . $proxy_port . "\n\n";
+ $config_array[] = 'acl QUERY urlpath_regex cgi-bin \?' . "\n";
+ $config_array[] = 'no_cache deny QUERY' . "\n\n";
+ }
+ $config_array[] = 'http_port 127.0.0.1:' . $proxy_port .
"\n\n";
+ unset($proxy_port);
+
+ if (isset($domain) && ($domain !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/dst_nocache.acl","w");
+
+ $domain_array = split("; ",$domain);
+ foreach ($domain_array as $no_cache_domain) {
+ fwrite($aclout, $no_cache_domain . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl no_cache_domains dstdomain "' . $acldir . '/dst_nocache.acl"' . "\n";
+ $config_array[] = 'no_cache deny no_cache_domains' . "\n\n";
+ }
+ unset($no_cache_domain);
+ unset($domain_array);
+ unset($domain);
+
+ $config_array[] = 'cache_effective_user squid' . "\n";
+ $config_array[] = 'cache_effective_group squid' . "\n\n";
+ $config_array[] = 'pid_filename /var/run/squid.pid' . "\n\n";
+
+ if (!isset($memory_cache_size) or ($memory_cache_size == "")) {
+ $memory_cache_size = "8";
+ }
+ $config_array[] = 'cache_mem ' . $memory_cache_size . ' MB' . "\n";
+ unset($memory_cache_size);
+
+ if (!isset($harddisk_cache_size) or ($harddisk_cache_size == "")) {
+ $harddisk_cache_size = "500";
+ }
+
+ if (!isset($level_subdirs) or ($level_subdirs == "")) {
+ $level_subdirs = "16";
+ }
+
+ $config_array[] = 'cache_dir diskd /var/squid/cache ' . $harddisk_cache_size . ' ' . $level_subdirs . ' 256' . "\n\n";
+ unset($harddisk_cache_size);
+ unset($level_subdirs);
+
+ if (!isset($error_language) or ($error_language == "")) {
+ $error_language = "English";
+ }
+ $config_array[] = 'error_directory /usr/local/etc/squid/errors/' . $error_language . "\n\n";
+ unset($error_language);
+
+ if (isset($offline_mode) && ($offline_mode == "on")) {
+ $config_array[] = 'offline_mode on' . "\n\n";
+ } else {
+ $config_array[] = 'offline_mode off' . "\n\n";
+ }
+
+ if (!isset($memory_replacement) or ($memory_replacement == "")) {
+ $memory_replacement = "heap GDSF";
+ }
+ $config_array[] = 'memory_replacement_policy ' . $memory_replacement .
"\n";
+ unset($memory_replacement);
+
+ if (!isset($cache_replacement) or ($cache_replacement == "")) {
+ $cache_replacement="heap GDSF";
+ }
+ $config_array[] = 'cache_replacement_policy ' . $cache_replacement . "\n\n";
+ unset($cache_replacement);
+
+ if (isset($accesslog_disabled) && ($accesslog_disabled == "on")) {
+ $config_array[] = 'cache_access_log none' . "\n";
+ } else {
+ $config_array[] = 'cache_access_log /var/log/access.log' . "\n";
+ }
+ $config_array[] = 'cache_log /var/log/cache.log' . "\n";
+ $config_array[] = 'cache_store_log none' . "\n";
+ unset($accesslog_disabled);
+ unset($log_enabled);
+
+ if (isset($log_query_terms) && ($log_query_terms == "on")) {
+ $config_array[] = 'strip_query_terms off' . "\n";
+ } else {
+ $config_array[] = 'strip_query_terms on' . "\n";
+ }
+ unset($log_query_terms);
+
+ $config_array[] = 'useragent_log /var/log/useragent.log' . "\n\n";
+ unset($log_user_agents);
+
+ $config_array[] = 'log_mime_hdrs off' . "\n";
+ $config_array[] = 'emulate_httpd_log on' . "\n";
+
+ switch ($user_forwarding) {
+ case "on":
+ $config_array[] = 'forwarded_for on' . "\n\n";
+ break;
+ case "off":
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ default:
+ $config_array[] = 'forwarded_for off' . "\n\n";
+ break;
+ }
+ unset($user_forwarding);
+
+ switch ($auth_method) {
+ case "none":
+ break;
+ case "local_auth":
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/advanced/ncsa/passwd' . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt .
"\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "radius_auth";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_rad_auth -h ' . $radius_server . ' -p ' . $radius_port . ' -i ' . $radius_identifier . ' -w ' . $radius_secret . "\n";
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "ldap_bind";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n";
+ $config_array[] = 'auth_param basic program /usr/local/libexec/squid/squid_ldap_auth';
+ $config_array[] = ' -b "' . $ldap_basedn . '"';
+ $config_array[] = ' -D "' . $bind_dn_username . '"';
+ $config_array[] = " -w " . $bind_dn_password;
+ $config_array[] = ' -f "(&(objectClass=person)(cn=%s))"';
+ $config_array[] = " -u cn -P " . $ldap_server . ":" . $ldap_port .
"\n";
+
+ if (!isset($auth_processes) or ($auth_processes == "")) {
+ $auth_processes = "5";
+ }
+ $config_array[] = 'auth_param basic children ' . $auth_processes . "\n";
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) {
+ $auth_realm_prompt = "pfSense Advanced Proxy";
+ }
+ $config_array[] = 'auth_param basic realm ' . $auth_realm_prompt . "\n";
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) {
+ $auth_cache_ttl = "60";
+ }
+ $config_array[] = 'auth_param basic credentialsttl ' . $auth_cache_ttl . ' minutes' . "\n\n";
+ $config_array[] = 'acl for_inetusers proxy_auth REQUIRED' . "\n\n";
+
+ unset($auth_realm_prompt);
+ unset($auth_processes);
+ unset($auth_cache_ttl);
+
+ break;
+ case "windows_auth";
+ break;
+ }
+
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $binary_out = "\.bin$\n\.cab$\n\.gz$\n\.rar$\n\.sea$\n\.tar$\n\.tgz$\n\.zip$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_binary.acl", "w");
+ fwrite($throttle_out, $binary_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_binary url_regex -i "' . $acldir . '/dst_throttle_binary.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_binary.acl")) unlink($acldir . "/dst_throttle_binary.acl");
+ }
+ unset($throttle_binary_files);
+ unset($throttle_out);
+ unset($binary_out);
+
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $cd_out = "\.b5t$\n\.bin$\n\.bwt$\n\.cdi$\n\.cue$\n\.gho$\n\.img$\n\.iso$\n\.mds$\n\.nrg$\n\.pqi$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_cd.acl","w");
+ fwrite($throttle_out, $cd_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_cd url_regex -i "' . $acldir . '/dst_throttle_cd.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_cd.acl")) {
+ unlink($acldir .
"/dst_throttle_cd.acl");
+ }
+ }
+ unset($throttle_cd_images);
+ unset($throttle_out);
+ unset($cd_out);
+
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $multimedia_out = "\.aiff?$\n\.asf$\n\.avi$\n\.divx$\n\.mov$\n\.mp3$\n\.mpe?g$\n\.qt$\n\.ra?m$\n";
+
+ $throttle_out = fopen($acldir . "/dst_throttle_multimedia.acl","w");
+ fwrite($throttle_out, $multimedia_out);
+ fclose($throttle_out);
+ $config_array[] = 'acl for_throttled_multimedia url_regex -i "' . $acldir . '/dst_throttle_multimedia.acl"' . "\n";
+ } else {
+ if (file_exists($acldir . "/dst_throttle_multimedia.acl")) {
+ unlink($acldir . "/dst_throttle_multimedia.acl");
+ }
+ }
+ unset($throttle_multimedia);
+ unset($multimedia_out);
+ unset($throttle_out);
+
+ $config_array[] = 'acl within_timeframe time MTWHFAS 00:00-24:00' . "\n\n";
+
+ /* obtain interface subnet and address for Squid rules */
+ $lactive_interface = strtolower($active_interface);
+
+ $lancfg = $config['interfaces'][$lactive_interface];
+ $lanif = $lancfg['if'];
+ $lanip = $lancfg['ipaddr'];
+ $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
+ $lansn = $lancfg['subnet'];
+
+ $config_array[] = 'acl all src 0.0.0.0/0.0.0.0' . "\n";
+ $config_array[] = 'acl localnet src ' . $lansa . '/' . $lansn . "\n";
+ $config_array[] = 'acl localhost src 127.0.0.1/255.255.255.255' . "\n";
+ $config_array[] = 'acl SSL_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 80 # http' . "\n";
+ $config_array[] = 'acl Safe_ports port 21 # ftp' . "\n";
+ $config_array[] = 'acl Safe_ports port 443 563 873 # https, snews, rsync' . "\n";
+ $config_array[] = 'acl Safe_ports port 70 # gopher' . "\n";
+ $config_array[] = 'acl Safe_ports port 210 # wais' . "\n";
+ $config_array[] = 'acl Safe_ports port 1025-65535 # unregistered ports' . "\n";
+ $config_array[] = 'acl Safe_ports port 280 # http-mgmt' .
"\n";
+ $config_array[] = 'acl Safe_ports port 488 # gss-http' . "\n";
+ $config_array[] = 'acl Safe_ports port 591 # filemaker' . "\n";
+ $config_array[] = 'acl Safe_ports port 777 # multiling http' . "\n";
+ $config_array[] = 'acl Safe_ports port 800 # Squids port (for icons)' . "\n\n";
+
+ /* allow access through proxy for custom admin port */
+ $custom_port = $config['system']['webgui']['port'];
+ if (isset($custom_port) && ($custom_port !== "")) {
+ $config_array[] = 'acl pf_admin_port port ' . $custom_port . "\n";
+ unset($custom_port);
+ } else {
+ $admin_protocol = $config['system']['webgui']['protocol'];
+ switch ($admin_protocol) {
+ case "http";
+ $config_array[] = 'acl pf_admin_port port 80' ."\n";
+ break;
+ case "https";
+ $config_array[] = 'acl pf_admin_port port 443' . "\n";
+ break;
+ default;
+ $config_array[] = 'acl pf_admin_port port 80' . "\n";
+ break;
+ }
+ unset($admin_protocol);
+ }
+
+ /* define override hosts as specified in squid_nac.xml */
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_override_hosts.acl", "w");
+
+ $override_hosts_array = split("; ", $override_hosts);
+ foreach ($override_hosts_array as $ind_override_host) {
+ fwrite($aclout, $ind_override_host . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl override_hosts src "/usr/local/etc/squid/advanced/acls/src_override_hosts.acl"' . "\n";
+ }
+ /* clear variables */
+ unset($override_hosts_array);
+ unset($ind_override_host);
+ unset($override_hosts);
+
+ /* define subnets allowed to utilize proxy service */
+ if (isset($allowed_subnets) && ($allowed_subnets !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ mwexec("touch {$acldir}/src_subnets.acl");
+ }
+
+ $aclout = fopen($acldir .
"/src_subnets.acl","w");
+
+ $allowed_subnets_array = split("; ",$allowed_subnets);
+ foreach ($allowed_subnets_array as $ind_allowed_subnets) {
+ fwrite($aclout, $ind_allowed_subnets . "\n");
+ }
+
+ fclose($aclout);
+ } else {
+
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+ fwrite($aclout, $lansa . "/" . $lansn . "\n");
+ fclose($aclout);
+ }
+
+ $config_array[] = 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n";
+
+ unset($allowed_subnets_array);
+ unset($ind_allowed_subnets);
+ unset($allowed_subnets);
+
+ /* define ip addresses that have 'unrestricted' access */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_ip.acl","w");
+
+ $unrestricted_ip_array = split("; ",$unrestricted_ip_addr);
+ foreach ($unrestricted_ip_array as $ind_unrestricted_ip) {
+ fwrite($aclout, $ind_unrestricted_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_ip src "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"' . "\n";
+ }
+ unset($unrestricted_ip_array);
+ unset($unrestricted_ip_addr);
+ unset($ind_unrestricted_ip);
+
+ /* define mac addresses that have 'unrestricted' access */
+ if (isset($unrestricted_mac_addr) && ($unrestricted_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_unrestricted_mac.acl","w");
+
+ $unrestricted_mac_array = split("; ",$unrestricted_mac_addr);
+ foreach ($unrestricted_mac_array as $ind_unrestricted_mac) {
+ fwrite($aclout, $ind_unrestricted_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_unrestricted_mac src "/usr/local/etc/squid/advanced/acls/src_unrestricted_mac.acl"' .
"\n";
+ }
+ unset($unrestricted_mac_array);
+ unset($unrestricted_mac_addr);
+ unset($ind_unrestricted_mac);
+
+ /* define ip addresses that are banned from using the proxy service */
+ if (isset($banned_ip_addr) && ($banned_ip_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_ip.acl","w");
+
+ $banned_ip_array = split("; ",$banned_ip_addr);
+ foreach ($banned_ip_array as $ind_banned_ip) {
+ fwrite($aclout, $ind_banned_ip . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_ip src "/usr/local/etc/squid/advanced/acls/src_banned_ip.acl"' . "\n";
+ }
+ unset($banned_ip_addr);
+ unset($banned_ip_addr);
+ unset($ind_banned_ip);
+
+ /* define mac addresses that are banned from using the proxy service */
+ if (isset($banned_mac_addr) && ($banned_mac_addr !== "")) {
+ if (!file_exists($acldir)) {
+ mwexec("/bin/mkdir -p " . $acldir);
+ }
+
+ $aclout = fopen($acldir . "/src_banned_mac.acl","w");
+
+ $banned_mac_array = split("; ",$banned_mac_addr);
+ foreach ($banned_mac_array as $ind_banned_mac) {
+ fwrite($aclout, $ind_banned_mac . "\n");
+ }
+
+ fclose($aclout);
+
+ $config_array[] = 'acl pf_banned_mac src "/usr/local/etc/squid/advanced/acls/src_banned_mac.acl"' . "\n";
+ }
+ unset($banned_mac_array);
+ unset($banned_mac_addr);
+ unset($ind_banned_mac);
+
+ $config_array[] = 'acl pf_ips dst ' . $lanip . "\n";
+ $config_array[] = 'acl CONNECT method CONNECT' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method == "none")) {
+ $config_array[] = 'http_access allow localnet' . "\n";
+ }
+ $config_array[] = 'http_access allow localhost' . "\n";
+
+ if (isset($override_hosts) && ($override_hosts !== "")) {
+ $config_array[] = 'http_access allow override_hosts' . "\n";
+ }
+ $config_array[] = "\n";
+
+ switch ($config['system']['webgui']['protocol']) {
+ case "http":
+ $config_array[] = 'http_access allow pf_ips' . "\n";
+ $config_array[] = 'http_access allow pf_admin_port' .
"\n";
+ $config_array[] = 'http_access deny !pf_networks' . "\n\n";
+ break;
+ case "https":
+ $config_array[] = 'http_access allow CONNECT pf_ips' . "\n";
+ $config_array[] = 'http_access allow CONNECT pf_admin_port' . "\n";
+ $config_array[] = 'http_access deny CONNECT !pf_networks' . "\n\n";
+ break;
+ }
+
+ $config_array[] = 'http_access deny !Safe_ports' . "\n";
+ $config_array[] = 'http_access deny CONNECT !SSL_ports' . "\n\n";
+
+ if (isset($auth_method) && ($auth_method != "none")) {
+ $config_array[] = 'http_access allow pf_networks for_inetusers within_timeframe' . "\n";
+ }
+
+ $config_array[] = 'http_access deny all' . "\n\n";
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_overall == "unlimited") {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr == "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if (isset($throttle_binary_files) && ($throttle_binary_files == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if (isset($throttle_cd_images) && ($throttle_cd_images == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if (isset($throttle_multimedia) && ($throttle_multimedia == "on")) {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' .
"\n\n";
+ }
+
+ if (isset($dl_per_host) && ($dl_per_host !== "") and isset($dl_overall) && ($dl_overall == "")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+
+ if ($dl_per_host == "unlimited") {
+ $config_array[] = 'delay_parameters 1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . '-1/-1 -1/-1' . "\n";
+ } else {
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_per_host * 250) . "\n";
+ }
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' ."\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n\n";
+ }
+
+ if (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host !== "")) {
+ /* if no bandwidth restrictions are specified, then these parameters are not necessary */
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ if ((isset($dl_overall) && ($dl_overall == "unlimited")) and (isset($dl_per_host) && ($dl_per_host !== ""))) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 -1/-1 -1/-1 ' . ($dl_per_host * 125) . '/' . ($dl_overall * 250) .
"\n";
+ } elseif (isset($dl_overall) && ($dl_overall !== "") and isset($dl_per_host) && ($dl_per_host == "unlimited")) {
+ $config_array[] = 'delay_pools 1' . "\n";
+ $config_array[] = 'delay_class 1 3' . "\n";
+ $config_array[] = 'delay_parameters 1 ' . ($dl_overall * 125) . '/' . ($dl_overall * 250) . ' -1/-1 -1/-1' . "\n";
+ }
+ }
+
+ if ($dl_overall !== "unlimited" and $dl_per_host !== "unlimited") {
+
+ /* if no unrestricted ip addresses are defined; this line is ignored */
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'delay_access 1 deny pf_unrestricted_ip' . "\n";
+
+ /* this will define bandwidth delay restrictions for specified throttles */
+ if ($throttle_binary_files == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_binary' . "\n";
+ }
+ if ($throttle_cd_images == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_cd' . "\n";
+ }
+ if ($throttle_multimedia == "on") {
+ $config_array[] = 'delay_access 1 allow all for_throttled_multimedia' . "\n";
+ } else {
+ $config_array[] = 'delay_access 1 allow all' . "\n";
+ }
+ $config_array[] = 'delay_initial_bucket_level 100%' . "\n\n";
+ }
+ }
+
+ $config_array[] = 'header_access X-Forwarded-For deny all' . "\n";
+ $config_array[] = 'header_access Via deny all' . "\n\n";
+
+ /* TODO: acl customization for snmp support */
+ /* fwrite($fout, "\n"); */
+
+ if (isset($urlfilter_enable) && ($urlfilter_enable == "on")) {
+ $config_array[] = 'redirect_program /usr/sbin/squidGuard' . "\n";
+ $config_array[] = 'redirect_children 5' . "\n\n";
+ }
+
+ if (isset($max_upload_size) && ($max_upload_size != "")) {
+ $config_array[] = 'request_body_max_size ' . $max_download_size . 'KB' . "\n";
+ }
+
+ if (isset($max_download_size) && ($max_download_size != "")) {
+ if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) $config_array[] = 'reply_body_max_size 0 allow pf_unrestricted_ip' .
"\n";
+ /* fwrite($fout, "#reply_body_max_size 0 allow for_extended_users\n"); */
+ $config_array[] = 'reply_body_max_size ' . $max_download_size * 1024 . ' allow all' . "\n\n";
+ }
+
+ /* set default value for maximum_object_size */
+ if (!isset($maximum_object_size) or ($maximum_object_size == "")) {
+ $maximum_object_size = "4096";
+ }
+
+ /* set default value for minimum_object_size */
+ if (!isset($minimum_object_size) or ($minimum_object_size == "")) {
+ $minimum_object_size = "0";
+ }
+ $config_array[] = 'maximum_object_size ' . $maximum_object_size . ' KB' . "\n";
+ $config_array[] = 'minimum_object_size ' . $minimum_object_size . ' KB' . "\n\n";
+
+ if (isset($proxy_forwarding) && ($proxy_forwarding == "on")) {
+ $config_array[] = 'cache_peer ' . $upstream_proxy . ' parent ' . $upstream_proxy_port . ' 3130 login=' . upstream_username . ':' . upstream_password . ' default no-query' . "\n";
+ $config_array[] = 'never_direct allow all' . "\n";
+ }
+ unset($proxy_forwarding);
+
+
+ /* define default ruleset for transparent proxy operation */
+ if (isset($transparent_proxy) && ($transparent_proxy == "on")) {
+ $config_array[] = 'httpd_accel_host virtual' . "\n";
+ $config_array[] = 'httpd_accel_port 80' . "\n";
+ $config_array[] = 'httpd_accel_with_proxy on' . "\n";
+ $config_array[] = 'httpd_accel_uses_host_header on' . "\n\n";
+ }
+ unset($transparent_proxy);
+
+
+ /* define visible hostname */
+ if (isset($visible_hostname) && ($visible_hostname !== "")) {
+ $config_array[] = 'visible_hostname ' . $visible_hostname . "\n";
+ }
+ unset($visible_hostname);
+
+ /* define cache administrators email address within error messages */
+ if (isset($cache_admin_email) && ($cache_admin_email !== "")) {
+ $config_array[] = 'cache_mgr ' . $cache_admin_email .
"\n\n"; + } + unset($cache_admin_email); + + /* write configuration file */ + foreach ($config_array as $config_item) + { + fwrite($fout, trim($config_item)); + + if (stristr($config_item, "\n")) + { + for ($i = 1; $i < count(explode("\n", $config_item)); $i++) + { + fwrite($fout, "\n"); + } + } + + } + fclose($fout); + + conf_mount_ro(); + config_unlock(); + + touch($squidconfig); +} /* end function write_squid_config */ + +function custom_php_install_command() { + /* write initial static config for transparent proxy */ + write_static_squid_config(); + + touch("/tmp/custom_php_install_command"); + + /* make sure this all exists, see: + * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 + */ + update_output_window("Setting up Squid environment..."); + mwexec("mkdir -p /var/squid"); + mwexec("chown squid:squid /var/squid"); + mwexec("mkdir -p /var/squid/logs"); + mwexec("chown squid:squid /var/squid/logs"); + mwexec("mkdir -p /var/squid/cache"); + mwexec("chown squid:squid /var/squid/cache"); + mwexec("mkdir -p /usr/local/etc/squid/advanced"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced"); + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); + mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); + mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); + + + /* set a few extra items noted by regan */ + update_output_window("Creating logs and setting user information..."); + $fdsquid = fopen("/usr/local/etc/rc.d/aSquid.sh", "w"); + fwrite($fdsquid, "#/bin/sh\n"); + fwrite($fdsquid, "# \n"); + fwrite($fdsquid, "# This file was created by the pfSense package system\n"); + fwrite($fdsquid, 
"# Sets up squid option on each bootup that are not persistent\n"); + fwrite($fdsquid, "# \n\n"); + fwrite($fdsquid, "chown squid:wheel /dev/pf\n"); + fwrite($fdsquid, "chmod ug+rw /dev/pf\n"); + fwrite($fdsquid, "touch /var/log/useragent.log\n"); + fwrite($fdsquid, "touch /var/log/access.log\n"); + fwrite($fdsquid, "touch /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/cache.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/access.log\n"); + fwrite($fdsquid, "chown squid:wheel /var/log/useragent.log\n"); + fwrite($fdsquid, "\n"); + fclose($fdsquid); + mwexec("chmod a+rx /usr/local/etc/rc.d/aSquid.sh"); + mwexec("/usr/local/etc/rc.d/aSquid.sh"); + + update_output_window("Creating Proxy Server initialization scripts..."); + $start = "touch /tmp/ro_root_mount; /usr/local/sbin/squid -D; touch /tmp/filter_dirty"; + $stop = "/usr/local/sbin/squid -k shutdown"; + write_rcfile(array( + "file" => "squid.sh", + "start" => $start, + "stop" => $stop + ) + ); + + mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); + + /* create log directory hierarchies if they don't exist */ + update_output_window("Creating required directory hierarchies..."); + + if (!file_exists("/var/squid/logs")) { + mwexec("mkdir -p /var/squid/logs"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/logs"); + + + if (!file_exists("/var/squid/cache")) { + mwexec("mkdir -p /var/squid/cache"); + } + mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); + + if (!file_exists("/usr/local/etc/squid/advanced/acls")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls"); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa"); + + if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm"); + } + 
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm"); + + if (!file_exists("/usr/local/etc/squid/advanced/radius")) { + mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); + } + mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); + + $devfs_file = fopen("/etc/devfs.conf", "a"); + fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. "); + fwrite($devfs_file, "own pf root:squid"); + fwrite($devfs_file, "perm pf 0640"); + fclose($devfs_file); + + update_output_window("Initializing Cache... This may take a moment..."); + mwexec("/usr/local/sbin/squid -z"); + + update_output_window("Starting Proxy Server..."); + start_service("squid"); +} + +function custom_php_deinstall_command() { + update_output_window("Stopping proxy service..."); + stop_service("squid"); + sleep(1); + /* brute force any remaining squid processes out */ + mwexec("/usr/bin/killall squid"); + mwexec("/usr/bin/killall pinger"); + update_output_window("Recursively removing directories hierarchies. 
If existant, log files in /var/squid/logs will remain..."); + mwexec("rm -rf /var/squid/cache"); + update_output_window("Removing configuration files..."); + unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); + unlink_if_exists("/usr/local/libexec/squid"); + unlink_if_exists("/usr/local/etc/rc.d/aSquid.sh"); + mwexec("rm -f /usr/local/etc/rc.d/squid*"); + mwexec("rm -f /usr/local/www/cachemgr.cgi"); + filter_configure(); +} + +function write_static_squid_config() { + touch("/tmp/write_static_squid_config"); + global $config; + $lancfg = $config['interfaces']['lan']; + $lanif = $lancfg['if']; + $lanip = $lancfg['ipaddr']; + $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); + $lansn = $lancfg['subnet']; + + $fout = fopen("/usr/local/etc/squid/squid.conf","w"); + fwrite($fout, "#\n"); + fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); + fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); + fwrite($fout, "#\n"); + + /* set # of dns children */ + fwrite($fout, "dns_children 15\n"); + + fwrite($fout, "shutdown_lifetime 5 seconds\n"); + fwrite($fout, "icp_port 0\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); + fwrite($fout, "no_cache deny QUERY\n"); + fwrite($fout, "\n"); + + fwrite($fout, "pid_filename /var/run/squid.pid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_mem 24 MB\n"); + fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); + fwrite($fout, "\n"); + + fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); + fwrite($fout, "\n"); + + fwrite($fout, "memory_replacement_policy heap GDSF\n"); + fwrite($fout, "cache_replacement_policy heap GDSF\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_access_log none\n"); + fwrite($fout, "cache_log none\n"); + fwrite($fout, "cache_store_log none\n"); + fwrite($fout, "\n"); + + fwrite($fout, "log_mime_hdrs off\n"); + fwrite($fout, "emulate_httpd_log on\n"); 
+ fwrite($fout, "forwarded_for off\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n"); + fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); + fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); + fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 80 # http\n"); + fwrite($fout, "acl Safe_ports port 21 # ftp\n"); + fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); + fwrite($fout, "acl Safe_ports port 70 # gopher\n"); + fwrite($fout, "acl Safe_ports port 210 # wais\n"); + fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); + fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); + fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); + fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); + fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); + fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); + fwrite($fout, "\n"); + + fwrite($fout, "acl CONNECT method CONNECT\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#access to squid; local machine; no restrictions\n"); + fwrite($fout, "http_access allow localnet\n"); + fwrite($fout, "http_access allow localhost\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Deny non web services\n"); + fwrite($fout, "http_access deny !Safe_ports\n"); + fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); + fwrite($fout, "\n"); + + fwrite($fout, "#Set custom configured ACLs\n"); + fwrite($fout, "http_access deny all\n"); + fwrite($fout, "visible_hostname pfSense\n"); + fwrite($fout, "\n"); + + fwrite($fout, "cache_effective_user squid\n"); + fwrite($fout, "cache_effective_group squid\n"); + fwrite($fout, "\n"); + + fwrite($fout, "maximum_object_size 4096 KB\n"); + fwrite($fout, "minimum_object_size 0 KB\n"); + fwrite($fout, "\n"); + + fwrite($fout, 
"request_body_max_size 0 KB\n"); + fwrite($fout, "reply_body_max_size 0 allow all\n"); + fwrite($fout, "\n"); + + fwrite($fout, "httpd_accel_host virtual\n"); + fwrite($fout, "httpd_accel_port 80\n"); + fwrite($fout, "httpd_accel_with_proxy on\n"); + fwrite($fout, "httpd_accel_uses_host_header on\n"); + + fclose($fout); +} + +function mod_htpasswd() { + global $config; + conf_mount_rw(); + config_lock(); + + if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); + + $passfile = fopen("/usr/local/etc/squid/advanced/ncsa/passwd", "w+"); + + if (isset($config['installedpackages']['squidextlocalauth']['config']) && $config['installedpackages']['squidextlocalauth']['config'] != "") { + foreach($config['installedpackages']['squidextlocalauth']['config'] as $rowhelper) { + $encpass = generate_htpasswd($rowhelper['username'], $rowhelper['password']); + fwrite($passfile, $rowhelper['username'] . ":" . $encpass . "\n"); + } + } + + fclose($passfile); + + conf_mount_ro(); + config_unlock(); +} + +function generate_htpasswd($username, $password) { + $all = explode( " ", + "a b c d e f g h i j k l m n o p q r s t u v w x y z " + . "A B C D E F G H I J K L M N O P Q R S T U V W X Y Z " + . "0 1 2 3 4 5 6 7 8 9"); + + for ($i = 0; $i < 9; $i++) { + srand((double)microtime()*1000000); + $randy = rand(0,61); + $seed .= $all[$randy]; + } + + $crypt = crypt($password, "$1$$seed"); + return $crypt; +} + +?> diff --git a/config/squid-reverse/squid_ng.xml b/config/squid-reverse/squid_ng.xml new file mode 100644 index 00000000..5d956387 --- /dev/null +++ b/config/squid-reverse/squid_ng.xml 
@@ -0,0 +1,267 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squid + 2.5.12_4 + Services: Proxy Server + Security + /pkg_edit.php?xml=squid_ng.xml&id=0 + /usr/local/pkg/squid_ng.inc + + Squid + Modify settings for Proxy Server +
Services
+ /pkg_edit.php?xml=squid_ng.xml&id=0 +
+ + Squid stats + Show Squid statistics +
Services
+ /cachemgr.cgi +
+ + squid + squid.sh + + + + General Settings + /pkg_edit.php?xml=squid.xml&id=0 + + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Network Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Auth + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Extended Auth + /pkg_edit.php?xml=squid_extauth.xml&id=0 + + + installedpackages->package->squidng->configuration->settings + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_cache.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_nac.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_ng.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_traffic.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_upstream.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_auth.xml + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_auth.inc + + + /usr/local/pkg/ + 0755 + http://www.pfsense.com/packages/config/squid/squid_extauth.xml + + + + Proxy Listening Interface + active_interface + This defines the active listening interface to which the proxy server will listen for its requests. + interfaces_selection + + + Transparent Proxy + transparent_proxy + If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary. + checkbox + + + URL Filtering Enabled + urlfilter_enable + This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. 
This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering + checkbox + + + Disable Access Log + accesslog_disabled + Disable the access log entirely. By default, Squid keeps a log of all requests it processes in /var/log/access.log. This can grow to be fairly large. If you do not require this logging, check this box to disable. + checkbox + + + Log Query Terms + log_query_terms + This will log the complete URL rather than the part of the URL containing dynamic queries. + checkbox + + + Log User Agents + log_user_agents + This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes. + checkbox + + + Proxy Port + proxy_port + This is the port the Proxy Server will listen for client requests on. The default is 3128. + input + 4 + true + + + ICP Port + icp_port + This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled. + input + 4 + + + Visible Hostname + visible_hostname + This URL is displayed on the Proxy Server error messages. + input + 35 + + + Cache Administrator E-Mail + cache_admin_email + This E-Mail address is displayed on the Proxy Server error messages. + input + 35 + + + Error Messages Language + error_language + Select the language in which the Proxy Server shall display error messages to users. + select + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Enable cachemgr + cachemgr_enabled + Enable Squid's cachemgr.cgi to provide stats. Once enabled you can access this from the pfSense menus. <b>Note:</b> This page is not secured by pfSense, any user with access to the pfSense admin port can view the stats. The page prompts for a password but it only required for shutting down Squid. 
+ checkbox + + + + + global_write_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + + + custom_php_install_command(); + write_static_squid_config(); + mwexec("/usr/local/sbin/squid -k reconfigure"); + start_service("squid"); + + + custom_php_deinstall_command(); + stop_service("squid"); + +
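Review bot: The additional_files_needed entries in this hunk download from `http://www.pfsense.com/packages/config/squid/...`, the existing squid package's directory, while the pkg_config entries later in this series point the new package at `.../config/squid-reverse/`, so if squid_ng.xml is meant to ship with squid-reverse it will pull the other package's squid_cache.xml, squid_nac.xml, squid_ng.inc and the rest over plain HTTP. The install hook at the end of the hunk also re-runs `write_static_squid_config()` and `start_service("squid")` after `custom_php_install_command()`, whose body earlier in this patch already does both, so squid is configured and started twice on install. The cachemgr help text should read `it is only required for shutting down Squid`, and since that text itself documents that cachemgr.cgi is reachable by anyone who can reach the admin port, `cachemgr_enabled` staying default-off is the right choice and worth keeping.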
diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml new file mode 100644 index 00000000..c86410f5 --- /dev/null +++ b/config/squid-reverse/squid_reverse.xml 
@@ -0,0 +1,231 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidreverse + none + Proxy server: Reverse Proxy + squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Proxy + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + Reverse Proxy interface + reverse_interface + The interface(s) the reverse-proxy server will bind to. + interfaces_selection + + wan + + + + Enable HTTP reverse mode. + reverse_http + If this field is checked, the proxy-server will act in HTTP reverse mode. + checkbox + reverse_http_port,reverse_http_defsite + + off + + + reverse HTTP port + reverse_http_port + This is the port the HTTP reverse-proxy will listen on. + input + 5 + + 80 + + + reverse HTTP default site + reverse_http_defsite + This is the HTTP reverse default site. + input + 60 + + localhost + + + + Enable HTTPS reverse mode. + reverse_https + If this field is checked, the proxy-server will act in HTTPS reverse mode. + checkbox + reverse_https_port,reverse_ssl_cert,reverse_https_defsite,ignore_ssl_valid + + off + + + reverse HTTPS port + reverse_https_port + This is the port the HTTPS reverse-proxy will listen on. + input + 5 + + 443 + + + reverse HTTPS default site + reverse_https_defsite + This is the HTTPS reverse default site. + input + 60 + + localhost + + + + reverse SSL Certificate + reverse_ssl_cert + Choose the SSL Server Certificate here. + select_source + + descr + refid + + + + Ignore internal Certificate validation. + ignore_ssl_valid + If this field is checked, internal certificate validation will be ignored. 
+ checkbox + + on + + + extension methods + extension_methods + This field defines more extension methods for the proxy to use. + input + 60 + RPC_IN_DATA RPC_OUT_DATA + + + Reset TCP connections if request is unauthorized. + deny_info_tcp_reset + If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized. + checkbox + on + + + + published server peer IP + reverse_cache_peer + This is the internal published server peer IP. + input + 15 + + internalhost + + + + published server peer port + reverse_cache_peer_port + This is the internal published server peer port. + input + 5 + + 80 + + + + published URL + reverse_acl + This is the URL to publish. + input + 60 + + + + + + squid_before_form_general(&$pkg); + + + squid_validate_general($_POST, &$input_errors); + + + squid_resync_reverse(); + + \ No newline at end of file diff --git a/config/squid-reverse/squid_traffic.xml b/config/squid-reverse/squid_traffic.xml new file mode 100644 index 00000000..c56ca73f --- /dev/null +++ b/config/squid-reverse/squid_traffic.xml 
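Review bot: `ignore_ssl_valid` defaults to `on` (the `on` after its checkbox type at the start of this line), so a fresh reverse-proxy install skips certificate validation of the published internal server without the administrator choosing it; the default should be `off` so that disabling validation is an explicit opt-in, and the description should say what is accepted once it is on (presumably any certificate the peer presents). The form and validation hooks at the end of the hunk use call-time pass-by-reference, `squid_before_form_general(&$pkg)` and `squid_validate_general($_POST, &$input_errors)`, which PHP 5.3 warns about and PHP 5.4 rejects with a fatal error; drop the `&` at the call sites and declare those parameters by reference in the squid.inc definitions instead. The same call-time `&$input_errors` appears in the squid_traffic.xml and squid_upstream.xml hooks later in this patch.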
@@ -0,0 +1,181 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidtraffic + none + Proxy server: Traffic management + squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + Maximum download size + max_download_size + Limit the maximum total download size to the size specified here (in kilobytes). Set to 0 to disable. + input + + 0 + + + Maximum upload size + max_upload_size + Limit the maximum total upload size to the size specified here (in kilobytes). Set to 0 to disable. + input + + 0 + + + Overall bandwidth throttling + overall_throttling + This value specifies (in kilobytes per second) the bandwidth throttle for downloads. Users will gradually have their download speed increased according to this value. Set to 0 to disable bandwidth throttling. + input + + 0 + + + Per-host throttling + perhost_throttling + This value specifies the download throttling per host. Set to 0 to disable this. + input + + 0 + + + Throttle only specific extensions + throttle_specific + Leave this checked to be able to choose the extensions that throttling will be applied to. Otherwise, all files will be throttled. + checkbox + throttle_binaries,throttle_cdimages,throttle_multimedia,throttle_others + on + + + Throttle binary files + throttle_binaries + Check this to apply bandwidth throttle to binary files. This includes compressed archives and executables. + checkbox + + + Throttle CD images + throttle_cdimages + Check this to apply bandwidth throttle to CD image files. 
+ checkbox + + + Throttle multimedia files + throttle_multimedia + Check this to apply bandwidth throttle to multimedia files, such as movies or songs. + checkbox + + + Throttle other extensions + throttle_others + Comma-separated list of extensions to apply bandwidth throttle to. + input + 60 + + + Finish transfer if less than x KB remaining + quick_abort_min + If the transfer has less than x KB remaining, it will finish the retrieval. Set to 0 to abort the transfer immediately. + input + 0 + + + Abort transfer if more than x KB remaining + quick_abort_max + If the transfer has more than x KB remaining, it will abort the retrieval. Set to 0 to abort the transfer immediately. + input + 0 + + + Finish transfer if more than x % finished + quick_abort_pct + If more than x % of the transfer has completed, it will finish the retrieval. + input + 0 + + + + squid_validate_traffic($_POST, &$input_errors); + + + squid_resync(); + + diff --git a/config/squid-reverse/squid_upstream.xml b/config/squid-reverse/squid_upstream.xml new file mode 100644 index 00000000..3d4d1611 --- /dev/null +++ b/config/squid-reverse/squid_upstream.xml 
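Review bot: `throttle_others` is a free-form comma-separated extension list with no default and no validation visible here beyond the generic `squid_validate_traffic($_POST, &$input_errors)` call; if squid.inc interpolates each entry into a squid regex ACL (the usual way to throttle by extension, not visible in this hunk), `squid_validate_traffic` should reject regex metacharacters or the generator should escape each extension, otherwise a stray `.` or `|` silently widens what gets throttled. The description should also state the expected form, e.g. whether entries are given with or without the leading dot.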
@@ -0,0 +1,137 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. 
+ squidupstream + none + Proxy server: Upstream proxy settings + squid.inc + + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + Enable forwarding + proxy_forwarding + This option enables the proxy server to forward requests to an upstream server. + checkbox + proxy_addr,proxy_port,icp_port,username,password + + + + Hostname + proxy_addr + Enter here the IP address or host name of the upstream proxy. + input + + + TCP port + proxy_port + Enter the port to use to connect to the upstream proxy. + input + 5 + 3128 + + + ICP port + icp_port + Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies. + input + 5 + 7 + + + Username + username + If the upstream proxy requires a username, specify it here. + input + + + Password + password + If the upstream proxy requires a password, specify it here. + password + + + + squid_validate_upstream($_POST, &$input_errors); + + + squid_resync(); + + diff --git a/config/squid-reverse/squid_users.xml b/config/squid-reverse/squid_users.xml new file mode 100644 index 00000000..f2f8fe1c --- /dev/null +++ b/config/squid-reverse/squid_users.xml 
@@ -0,0 +1,124 @@ + + + + + + . + All rights reserved. + */ +/* ========================================================================== */ +/* + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, + OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + POSSIBILITY OF SUCH DAMAGE. + */ +/* ========================================================================== */ + ]]> + + Describe your package here + Describe your package requirements here + Currently there are no FAQ items provided. + squidusers + none + Proxy server: Local users + squid.inc + A proxy server user has been deleted. + A proxy server user has been created/modified. 
+ + + General + /pkg_edit.php?xml=squid.xml&id=0 + + + Upstream Proxy + /pkg_edit.php?xml=squid_upstream.xml&id=0 + + + Cache Mgmt + /pkg_edit.php?xml=squid_cache.xml&id=0 + + + Access Control + /pkg_edit.php?xml=squid_nac.xml&id=0 + + + Traffic Mgmt + /pkg_edit.php?xml=squid_traffic.xml&id=0 + + + Reverse Settings + /pkg_edit.php?xml=squid_reverse.xml&id=0 + + + Auth Settings + /pkg_edit.php?xml=squid_auth.xml&id=0 + + + Local Users + /pkg.php?xml=squid_users.xml + + + + + + Username + username + + + Description + description + + + + + Username + username + Enter the username here. + input + + + + Password + password + Enter the password here. + password + + + + Description + description + You may enter a description here for your reference (not parsed). + input + + + + squid_resync_users(); + + diff --git a/pkg_config.8.xml b/pkg_config.8.xml index b9765f0b..a8888d60 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml 
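Review bot: The Username and Password fields carry no required marker (squid_ng.xml in this patch marks its proxy_port field required, so the schema supports it) and this page defines no custom_php_validation_command, unlike the other pages in the series that each call a `squid_validate_*` helper, so an empty username, or one containing `:` or a newline, is passed straight to `squid_resync_users()`. Add a validation hook, e.g. `squid_validate_users($_POST, $input_errors)`, that requires both fields and restricts the username to characters that are safe in the htpasswd-style file the resync helper presumably writes; that helper lives in squid.inc and is outside this hunk.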
@@ -814,6 +814,24 @@ http://www.pfsense.org/packages/config/squid/squid.xml squid.xml + + squid-reverse + High performance web proxy cache with reverse proxy. + http://www.squid-cache.org/ + Network + 2.7.9_4.2 + Stable + 3.0 + fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com jimp@pfsense.org + http://files.pfsense.org/packages/8/All/ + squid-2.7.9_1.tbz + squid_radius_auth-1.10.tbz + libwww-5.4.0_4.tbz + + WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_CARP=true WITH_SQUID_SSL=true WITHOUT_SQUID_PINGER=true WITHOUT_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITH_SQUID_WCCP=true WITHOUT_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITHOUT_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITH_SQUID_AUFS=true WITH_SQUID_COSS=true WITH_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true + http://www.pfsense.org/packages/config/squid-reverse/squid.xml + squid.xml + squid3 EXPERIMENTAL! Not all directives are ported yet! High performance web proxy cache. diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index eb118b0c..3549a862 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 
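Review bot: The new squid-reverse entry declares `squid.xml` as its configuration file and fetches it from `.../config/squid-reverse/squid.xml`, while the existing squid entry in the context lines directly above also uses `squid.xml`; if the package system keys installed config files by that filename, installing both packages on one box would have one overwrite the other's, so either give the reverse package a distinct configuration filename or document that the two packages are mutually exclusive. The same entry is repeated, differing only in the base URL, in pkg_config.8.xml.amd64 in the next hunk. Both entries fetch code that the firewall then executes over plain `http://` with no checksum; if the package format supports a digest or an HTTPS config_file URL, use it here.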
@@ -51,6 +51,24 @@ http://www.pfsense.org/packages/config/squid/squid.xml squid.xml + + squid-reverse + High performance web proxy cache with reverse proxy. + http://www.squid-cache.org/ + Network + 2.7.9_4.2 + Stable + 3.0 + fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com jimp@pfsense.org + http://files.pfsense.org/packages/amd64/8/All/ + squid-2.7.9_1.tbz + squid_radius_auth-1.10.tbz + libwww-5.4.0_4.tbz + + WITH_SQUID_KERB_AUTH=true WITH_SQUID_LDAP_AUTH=true WITH_SQUID_NIS_AUTH=true WITH_SQUID_SASL_AUTH=true WITH_SQUID_DELAY_POOLS=true WITH_SQUID_SNMP=true WITH_SQUID_CARP=true WITH_SQUID_SSL=true WITHOUT_SQUID_PINGER=true WITHOUT_SQUID_DNS_HELPER=true WITH_SQUID_HTCP=true WITH_SQUID_VIA_DB=true WITH_SQUID_CACHE_DIGESTS=true WITH_SQUID_WCCP=true WITHOUT_SQUID_WCCPV2=true WITHOUT_SQUID_STRICT_HTTP=true WITH_SQUID_IDENT=true WITH_SQUID_REFERER_LOG=true WITHOUT_SQUID_USERAGENT_LOG=true WITH_SQUID_ARP_ACL=true WITH_SQUID_PF=true WITHOUT_SQUID_IPFILTER=true WITH_SQUID_FOLLOW_XFF=true WITH_SQUID_AUFS=true WITH_SQUID_COSS=true WITH_SQUID_KQUEUE=true WITH_SQUID_LARGEFILE=true WITHOUT_SQUID_STACKTRACES=true + http://www.pfsense.org/packages/config/squid-reverse/squid.xml + squid.xml + Varnish Varnish is a state-of-the-art, high-performance HTTP accelerator. It uses the advanced features in FreeBSD 6/7/8 to achieve its high performance. BACKUP your custom vcl data before upgrading from 0.8 -- cgit v1.2.3 From 1d9587352725e204d0599b4da4030c19de9ebde7 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 21:43:05 +0200 Subject: do not bread squid2-existing-config --- config/squid-reverse/squid.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid-reverse/squid.xml b/config/squid-reverse/squid.xml index 1449a59c..f33327e4 100644 --- a/config/squid-reverse/squid.xml +++ b/config/squid-reverse/squid.xml 
@@ -45,7 +45,7 @@ Describe your package here Describe your package requirements here Currently there are no FAQ items provided. - squid-reverse + squid 2.7.STABLE9 Proxy server: General settings /usr/local/pkg/squid.inc -- cgit v1.2.3 From e90d0b6ae4ad38c64c715536a2dff5f182a7b44a Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 22:00:53 +0200 Subject: make squid-reverse available for 2.x --- pkg_config.8.xml | 4 ++-- pkg_config.8.xml.amd64 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg_config.8.xml b/pkg_config.8.xml index a8888d60..483909cf 100644 --- a/pkg_config.8.xml +++ b/pkg_config.8.xml @@ -819,9 +819,9 @@ High performance web proxy cache with reverse proxy. http://www.squid-cache.org/ Network - 2.7.9_4.2 + 2.7.9_1 Stable - 3.0 + 2 fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com jimp@pfsense.org http://files.pfsense.org/packages/8/All/ squid-2.7.9_1.tbz diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64 index 3549a862..f3bd7beb 100644 --- a/pkg_config.8.xml.amd64 +++ b/pkg_config.8.xml.amd64 @@ -56,9 +56,9 @@ High performance web proxy cache with reverse proxy. http://www.squid-cache.org/ Network - 2.7.9_4.2 + 2.7.9_1 Stable - 3.0 + 2 fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com jimp@pfsense.org http://files.pfsense.org/packages/amd64/8/All/ squid-2.7.9_1.tbz -- cgit v1.2.3 From ff3490f72ab7ac9cfb30fd0e415cbcb69a4b6cd5 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 22:12:22 +0200 Subject: cerver certs --- config/squid-reverse/squid.inc | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 8dd2cc8e..2784dd25 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -117,6 +117,16 @@ function squid_is_valid_acl($acl) { return in_array($acl, $valid_acls); } +function squid_get_server_certs() { + global $config; + $cert_arr = array(); + $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); + foreach ($config['cert'] as $cert) { + $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); + } + return $cert_arr; +} + function squid_install_command() { global $config; global $g; -- cgit v1.2.3 From 3a9cd05d2d1aa5f49ede2ab93ab796ca099402bd Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 22:27:57 +0200 Subject: basics for squid_resync_reverse --- config/squid-reverse/squid.inc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 2784dd25..ffd17569 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -936,6 +936,16 @@ EOD; return $conf; } +function squid_resync_reverse() { + global $config, $valid_acls; + if(!is_array($valid_acls)) + return; + $settings = $config['installedpackages']['squidreverse']['config'][0]; + $conf = ''; + + return $conf; +} + function squid_resync_auth() { global $config, $valid_acls; @@ -1109,6 +1119,7 @@ function squid_resync() { $conf .= squid_resync_upstream() . "\n"; $conf .= squid_resync_nac() . "\n"; $conf .= squid_resync_traffic() . "\n"; + $conf .= squid_resync_reverse() . "\n"; $conf .= squid_resync_auth(); squid_resync_users(); squid_write_rcfile(); -- cgit v1.2.3 From 2b6a30287a6ec1c2ac1f2e59edf8afbff565f80f Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 22:31:42 +0200 Subject: basics for squid_validate_reverse --- config/squid-reverse/squid.inc | 6 ++++++ config/squid-reverse/squid_reverse.xml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index ffd17569..d0dad31d 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
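Review bot: `foreach ($config['cert'] as $cert)` in squid_get_server_certs() walks `$config['cert']` without checking it exists, so on a system with no certificates defined PHP raises an "Invalid argument supplied for foreach()" warning on every render of the certificate select. Guard the loop with `if (is_array($config['cert']))` (or iterate `(array)$config['cert']`) so the `'none'` entry is still returned on its own. The same function is re-added unchanged later in this series in the hunk at `@@ -941,6 +940,16 @@` and carries the same gap.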
@@ -485,6 +485,10 @@ function squid_validate_traffic($post, $input_errors) { if (!is_numeric($value) || ($value > 100)) $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; } +} + +function squid_validate_reverse($post, $input_errors) { + } @@ -943,6 +947,8 @@ function squid_resync_reverse() { $settings = $config['installedpackages']['squidreverse']['config'][0]; $conf = ''; + + return $conf; } diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index c86410f5..93e1c595 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -223,7 +223,7 @@ squid_before_form_general(&$pkg); - squid_validate_general($_POST, &$input_errors); + squid_validate_reverse($_POST, &$input_errors); squid_resync_reverse(); -- cgit v1.2.3 From e1d40c40e30883031d3565d305c09b91781d15aa Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 23:03:51 +0200 Subject: few options beginning to work --- config/squid-reverse/squid.inc | 12 ++++++++---- config/squid-reverse/squid_reverse.xml | 7 ------- 2 files changed, 8 insertions(+), 11 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index d0dad31d..cbd18b68 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -489,6 +489,7 @@ function squid_validate_traffic($post, $input_errors) { function squid_validate_reverse($post, $input_errors) { +// CONF } @@ -595,7 +596,7 @@ function squid_resync_general() { $settings = $config['installedpackages']['squid']['config'][0]; $conf = "# This file is automatically generated by pfSense\n"; - $conf = "# Do not edit manually !\n"; + $conf .= "# Do not edit manually !\n"; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); 
@@ -946,9 +947,12 @@ function squid_resync_reverse() { return; $settings = $config['installedpackages']['squidreverse']['config'][0]; $conf = ''; - - - + +// CONF + $conf .= "# Reverse Proxy settings\n"; + if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n"; + if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; + return $conf; } diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 93e1c595..240cd26e 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -114,7 +114,6 @@ This is the port the HTTP reverse-proxy will listen on. input 5 - 80 @@ -123,7 +122,6 @@ This is the HTTP reverse default site. input 60 - localhost @@ -142,7 +140,6 @@ This is the port the HTTPS reverse-proxy will listen on. input 5 - 443 @@ -151,7 +148,6 @@ This is the HTTPS reverse default site. input 60 - localhost @@ -195,7 +191,6 @@ This is the internal published server peer IP. input 15 - internalhost @@ -205,7 +200,6 @@ This is the internal published server peer port. input 5 - 80 @@ -215,7 +209,6 @@ This is the URL to publish. input 60 - -- cgit v1.2.3 From 188a9aee89dc9af8ac2cecd7fd26360570344efe Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 11:15:41 +0200 Subject: modify descriptions and add fqdn --- config/squid-reverse/squid_reverse.xml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 240cd26e..cf2af951 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -99,6 +99,14 @@ wan + + external FQDN + reverse_external_fqdn + The external full-qualified-domain-name of the WAN address. + input + + 80 + Enable HTTP reverse mode. reverse_http 
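Review bot: `$conf .= "extension_methods {$settings['extension_methods']}\n"` copies the form value into squid.conf verbatim while the companion squid_validate_reverse() in this commit is still an empty `// CONF` stub, so a value containing a newline becomes an extra squid.conf directive rather than a rejected input. Squid method names are plain tokens, so the validator should restrict the field to a tight character class before this runs, e.g. `if (!preg_match('/^[A-Za-z0-9_ ]*$/', $post['extension_methods'])) $input_errors[] = 'The field \'extension methods\' may only contain method names separated by spaces';`. None of the validator hunks visible later in this series add such a check.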
@@ -172,9 +180,9 @@ extension methods extension_methods - This field defines more extension methods for the proxy to use. + This field defines more extension methods for the proxy to use. (RPC_IN_DATA RPC_OUT_DATA for RPC over HTTP -> Outlook Anywhere) input - 60 + 80 RPC_IN_DATA RPC_OUT_DATA -- cgit v1.2.3 From 1b82519a84d11c23ce4e62d5e0934005977a01b7 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 12:16:16 +0200 Subject: sync all on save --- config/squid-reverse/squid_reverse.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index cf2af951..525f620f 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -227,6 +227,6 @@ squid_validate_reverse($_POST, &$input_errors); - squid_resync_reverse(); + squid_resync(); \ No newline at end of file -- cgit v1.2.3 From ae1cfe7f86d39dd291a3af92f57f911bb64341b9 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 13:42:34 +0200 Subject: proxy http port definition working --- config/squid-reverse/squid.inc | 50 ++++++++++++++++++++++++++-------- config/squid-reverse/squid_reverse.xml | 10 +++---- 2 files changed, 43 insertions(+), 17 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index cbd18b68..32f7d387 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -117,16 +117,6 @@ function squid_is_valid_acl($acl) { return in_array($acl, $valid_acls); } -function squid_get_server_certs() { - global $config; - $cert_arr = array(); - $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); - foreach ($config['cert'] as $cert) { - $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); - } - return $cert_arr; -} - function squid_install_command() { global $config; global $g; 
@@ -489,7 +479,16 @@ function squid_validate_traffic($post, $input_errors) { function squid_validate_reverse($post, $input_errors) { -// CONF + $port = trim($post['reverse_http_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; + + $port = trim($post['reverse_https_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; + + if ($post['reverse_ssl_cert'] == 'none') + $input_errors[] = 'A valid certificate for the external interface must be selected'; } @@ -941,6 +940,16 @@ EOD; return $conf; } +function squid_get_server_certs() { + global $config; + $cert_arr = array(); + $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); + foreach ($config['cert'] as $cert) { + $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); + } + return $cert_arr; +} + function squid_resync_reverse() { global $config, $valid_acls; if(!is_array($valid_acls)) 
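Review bot: The check `if ($post['reverse_ssl_cert'] == 'none')` in squid_validate_reverse() runs regardless of whether HTTPS reverse mode is enabled, so an HTTP-only reverse proxy can never be saved without selecting a server certificate it will not use. Make it conditional on the HTTPS checkbox: `if (($post['reverse_https'] == 'on') && ($post['reverse_ssl_cert'] == 'none'))`. The later OWA validation hunk in this series keeps this line as context and adds its own HTTPS-gated check directly beneath it, so the two would then read consistently.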
@@ -948,8 +957,25 @@ function squid_resync_reverse() { $settings = $config['installedpackages']['squidreverse']['config'][0]; $conf = ''; -// CONF $conf .= "# Reverse Proxy settings\n"; + $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); + $real_ifaces = array(); + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + //HTTP + if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; + if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; + //HTTPS + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']}\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} 
cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n"; + } + } + if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n"; if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 525f620f..4c520ff7 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -119,7 +119,7 @@ reverse HTTP port reverse_http_port - This is the port the HTTP reverse-proxy will listen on. + This is the port the HTTP reverse-proxy will listen on. (leave empty to use 80) input 5 80 @@ -127,7 +127,7 @@ reverse HTTP default site reverse_http_defsite - This is the HTTP reverse default site. + This is the HTTP reverse default site. (leave empty to use the external fqdn) input 60 localhost @@ -145,7 +145,7 @@ reverse HTTPS port reverse_https_port - This is the port the HTTPS reverse-proxy will listen on. + This is the port the HTTPS reverse-proxy will listen on. (leave empty to use 443) input 5 443 
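Review bot: The first `https_port` line (no port, no default site) omits the trailing `vhost` that the other three HTTPS lines and all four HTTP lines carry, so the listener's behaviour changes depending only on which optional fields were left blank. The eight near-identical conditionals make this sort of drift easy to miss; resolving the port and default site once per protocol and emitting one line each removes the duplication, as sketched below. The same missing `vhost` survives in the rewritten lines of the hunks at `@@ -969,10 +984,10 @@` and `@@ -979,15 +979,15 @@` later in the series. The enclosing foreach and function continue outside this hunk.
```php
if($real_ifaces[$i][0]) {
    //HTTP
    if (!empty($settings['reverse_http'])) {
        $http_port    = !empty($settings['reverse_http_port']) ? $settings['reverse_http_port'] : '80';
        $http_defsite = !empty($settings['reverse_http_defsite']) ? $settings['reverse_http_defsite'] : $settings['reverse_external_fqdn'];
        $conf .= "# http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
    }
    //HTTPS
    if (!empty($settings['reverse_https'])) {
        $https_port    = !empty($settings['reverse_https_port']) ? $settings['reverse_https_port'] : '443';
        $https_defsite = !empty($settings['reverse_https_defsite']) ? $settings['reverse_https_defsite'] : $settings['reverse_external_fqdn'];
        $conf .= "# https_port {$real_ifaces[$i][0]}:{$https_port} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$https_defsite} vhost\n";
    }
}
// … unchanged: end of foreach, extension_methods and deny_info lines …
```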
@@ -153,7 +153,7 @@ reverse HTTPS default site reverse_https_defsite - This is the HTTPS reverse default site. + This is the HTTPS reverse default site. (leave empty to use the external fqdn) input 60 localhost @@ -180,7 +180,7 @@ extension methods extension_methods - This field defines more extension methods for the proxy to use. (RPC_IN_DATA RPC_OUT_DATA for RPC over HTTP -> Outlook Anywhere) + This field defines additional extension methods for the proxy to use. (RPC_IN_DATA RPC_OUT_DATA for RPC over HTTP -> Outlook Anywhere) input 80 RPC_IN_DATA RPC_OUT_DATA -- cgit v1.2.3 From 468c21369d8f8357916204fc584651f01bd14659 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 14:53:45 +0200 Subject: proxy https definition and cert writeout working --- config/squid-reverse/squid.inc | 23 +++++++++++++++++++---- config/squid-reverse/squid_reverse.xml | 4 ++-- 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 32f7d387..8cd05136 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -958,6 +958,21 @@ function squid_resync_reverse() { $conf = ''; $conf .= "# Reverse Proxy settings\n"; + + if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { + $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); + if ($svr_cert != false) { + if(base64_decode($svr_cert['crt'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", + base64_decode($svr_cert['crt'])); + $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; + } + if(base64_decode($svr_cert['prv'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", + base64_decode($svr_cert['prv'])); + $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; + }}} + $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); foreach (explode(",", $ifaces) as $i => $iface) { 
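Review bot: The private key written by `file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", base64_decode($svr_cert['prv']))` is created with whatever mode the process umask yields (0644 under the usual 022), and nothing in this hunk tightens it, so the key is readable by every local account. Add `chmod(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", 0600);` immediately after that call; squid presumably opens the key while still privileged at startup, which is worth confirming for this build before deciding on the owner. Since `$settings["reverse_ssl_cert"]` becomes a path component, it would also be cheap for squid_validate_reverse() to confirm the posted value is one of the refids squid_get_server_certs() offers. The `}}}` on one line hides three nesting levels; closing one brace per line would make the structure readable.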
@@ -969,10 +984,10 @@ function squid_resync_reverse() { if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# 
https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 4c520ff7..62379c35 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -110,7 +110,7 @@ Enable HTTP reverse mode. reverse_http - If this field is checked, the proxy-server will act in HTTP reverse mode. + If this field is checked, the proxy-server will act in HTTP reverse mode. (You have to add a rule with destination "WAN-address") checkbox reverse_http_port,reverse_http_defsite @@ -136,7 +136,7 @@ Enable HTTPS reverse mode. reverse_https - If this field is checked, the proxy-server will act in HTTPS reverse mode. + If this field is checked, the proxy-server will act in HTTPS reverse mode. (You have to add a rule with destination "WAN-address") checkbox reverse_https_port,reverse_ssl_cert,reverse_https_defsite,ignore_ssl_valid -- cgit v1.2.3 
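Review bot: The four `https_port` lines interpolate `{$reverse_crt}` and `{$reverse_key}`, which are only assigned when the certificate lookup and both base64 decodes succeed in the block above this hunk; otherwise squid.conf receives `cert= key=` and squid fails to start with no hint in the UI. Gate the HTTPS branch on the files actually having been written, `if (!empty($settings['reverse_https']) && !empty($reverse_crt) && !empty($reverse_key)) {`, and report the unusable certificate from squid_validate_reverse() instead. The enclosing foreach and function continue outside this hunk.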
From fc94eabf28e3776296703521e0fa3d0176fe9de0 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 20:59:13 +0200 Subject: remove #, let the game begin... --- config/squid-reverse/squid.inc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 8cd05136..925d1691 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -979,15 +979,15 @@ function squid_resync_reverse() { $real_ifaces[] = squid_get_real_interface_address($iface); if($real_ifaces[$i][0]) { //HTTP - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; + if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; + if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && 
(!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_https']) && 
empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } -- cgit v1.2.3 From 0cef6a3d1fd29f80961f1776e09ef78da5148e69 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 23:52:30 +0200 Subject: rowhelper does not like me, so adding textboxes :-( --- config/squid-reverse/squid_reverse.xml | 120 ++++++++++++++++++++++++--------- 1 file changed, 88 insertions(+), 32 deletions(-) diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 62379c35..72fac2ba 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -110,7 +110,7 @@ Enable HTTP reverse mode. reverse_http - If this field is checked, the proxy-server will act in HTTP reverse mode. (You have to add a rule with destination "WAN-address") + If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address") checkbox reverse_http_port,reverse_http_defsite @@ -132,11 +132,10 @@ 60 localhost - Enable HTTPS reverse mode. reverse_https - If this field is checked, the proxy-server will act in HTTPS reverse mode. (You have to add a rule with destination "WAN-address") + If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address") checkbox reverse_https_port,reverse_ssl_cert,reverse_https_defsite,ignore_ssl_valid 
@@ -158,9 +157,8 @@ 60 localhost - - reverse SSL Certificate + reverse SSL certificate reverse_ssl_cert Choose the SSL Server Certificate here. select_source 
@@ -168,56 +166,114 @@ descr refid - - Ignore internal Certificate validation. - ignore_ssl_valid - If this field is checked, internal certificate validation will be ignored. + Reset TCP connections if request is unauthorized. + deny_info_tcp_reset + If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized. checkbox - on extension methods extension_methods - This field defines additional extension methods for the proxy to use. (RPC_IN_DATA RPC_OUT_DATA for RPC over HTTP -> Outlook Anywhere) + This field defines additional extension methods for the proxy to use. <br>(RPC_IN_DATA RPC_OUT_DATA for RPC over HTTP -> Outlook Anywhere) input 80 RPC_IN_DATA RPC_OUT_DATA - Reset TCP connections if request is unauthorized. - deny_info_tcp_reset - If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized. + Ignore internal Certificate validation. + reverse_ignore_ssl_valid + If this field is checked, internal certificate validation will be ignored. checkbox on - + - published server peer IP + <b>peer definitions</b> <br>publishing hosts reverse_cache_peer - This is the internal published server peer IP. - input - 15 - internalhost + Enter each peer definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[internal ip address]:[port];[HTTP / HTTPS] <br>example: HOST1;192.168.0.1:80;HTTP <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> + + textarea + 60 + 10 + base64 + + <b>URI definitions</b> <br>published URIs + revrse_uri + Enter each reverse acl definition on a new line. 
Directives have to be separated by a semicolon(;).<br>syntax: [group the uri belongs to];[URI to publish] (a group can contain multiple URIs) <br>example: URI1;public <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> + + textarea + 60 + 10 + base64 + + + <b>ACL definitions</b> <br>published URIs + reverse_acl + Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[uri group alias] <br>example: HOST1;URI1 <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> + + textarea + 60 + 10 + base64 + + -- cgit v1.2.3 From cd3200f70fe1e1c3af08df1d90ed8e546b88d039 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 11:00:47 +0200 Subject: add owa wizard --- config/squid-reverse/squid_reverse.xml | 63 ++++++++++++++++++++++++---------- 1 file changed, 45 insertions(+), 18 deletions(-) diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 72fac2ba..eb6a5c05 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -108,7 +108,7 @@ 80 - Enable HTTP reverse mode. + Enable HTTP reverse mode reverse_http If this field is checked, the proxy-server will act in HTTP reverse mode. <br>(You have to add a rule with destination "WAN-address") checkbox 
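Review bot: The new URI textarea's fieldname is spelled `revrse_uri`, unlike every other field in this form (`reverse_cache_peer`, `reverse_acl`, ...), and since the fieldname is presumably the key the value is stored under in config.xml, correcting it later will silently orphan saved settings. Rename it to `reverse_uri` now, before any installation writes it. The ACL block's heading `<b>ACL definitions</b> <br>published URIs` is a copy of the URI block's heading; something like `peer/URI mappings` would describe what it holds. As all three textareas are parsed into squid.conf, the "WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING" warnings would be better replaced by a per-line syntax check in squid_validate_reverse().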
@@ -130,17 +130,16 @@ This is the HTTP reverse default site. (leave empty to use the external fqdn) input 60 - localhost - - - Enable HTTPS reverse mode. + + + Enable HTTPS reverse proxy reverse_https - If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address") + If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access. checkbox - reverse_https_port,reverse_ssl_cert,reverse_https_defsite,ignore_ssl_valid + reverse_owa,reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid off - + reverse HTTPS port reverse_https_port @@ -155,7 +154,6 @@ This is the HTTPS reverse default site. (leave empty to use the external fqdn) input 60 - localhost reverse SSL certificate @@ -167,12 +165,47 @@ refid - Reset TCP connections if request is unauthorized. + Reset TCP connections if request is unauthorized deny_info_tcp_reset If this field is checked, the reverse-proxy will reset the TCP connection if the request is unauthorized. checkbox on + + Ignore internal Certificate validation + reverse_ignore_ssl_valid + If this field is checked, internal certificate validation will be ignored. + checkbox + on + + + Enable OWA reverse proxy + reverse_owa + If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access. + checkbox + reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp + + + OWA frontend IP address + reverse_owa_ip + This is the internal IP Address of the OWA frontend server. + input + 15 + localhost + + + Enable ActiveSync + reverse_owa_activesync + If this field is checked, ActiveSync support will be enabled. + checkbox + + + Enable Outlook Anywhere + reverse_owa_rpchttp + If this field is checked, RPC over HTTP support will be enabled. + checkbox + extension_methods + extension methods extension_methods 
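Review bot: The `reverse_https` checkbox description is changed to "If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access.", which is the text of the new `reverse_owa` checkbox further down; for the generic HTTPS toggle the previous wording "the proxy-server will act in HTTPS reverse mode" was the accurate one. Separately, the new `reverse_owa_ip` field is labelled as an IP address and sized 15, yet its default_value is `localhost`, which the `is_ipaddr()` check added in the following commit rejects; use an empty default or a literal address so the form's default does not fail its own validation.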
@@ -181,14 +214,8 @@ 80 RPC_IN_DATA RPC_OUT_DATA - - Ignore internal Certificate validation. - reverse_ignore_ssl_valid - If this field is checked, internal certificate validation will be ignored. - checkbox - on - - + + <b>peer definitions</b> <br>publishing hosts reverse_cache_peer -- cgit v1.2.3 From 696863f625b7c55a387bb8411563c1d831203127 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 12:07:13 +0200 Subject: owa witard working --- config/squid-reverse/squid.inc | 58 +++++++++++++++++++++++++++++++++- config/squid-reverse/squid_reverse.xml | 10 +----- 2 files changed, 58 insertions(+), 10 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 925d1691..3794c47e 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -310,6 +310,7 @@ function squid_validate_general($post, $input_errors) { $log_rotate = trim($post['log_rotate']); if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; $webgui_port = $config['system']['webgui']['port']; @@ -479,6 +480,10 @@ function squid_validate_traffic($post, $input_errors) { function squid_validate_reverse($post, $input_errors) { + $fqdn = trim($post['reverse_external_fqdn']); + if (!empty($fqdn) && !is_domain($fqdn)) + $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + $port = trim($post['reverse_http_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; 
@@ -490,6 +495,14 @@ function squid_validate_reverse($post, $input_errors) { if ($post['reverse_ssl_cert'] == 'none') $input_errors[] = 'A valid certificate for the external interface must be selected'; + if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { + $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; + } + + $rowa = trim($post['reverse_owa_ip']); + if (!empty($rowa) && !is_ipaddr($rowa)) + $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; + } function squid_validate_auth($post, $input_errors) { 
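Review bot: The new OWA checks do not require the external FQDN when `reverse_owa` is on, although the OWA ACLs generated in `squid_resync_reverse` interpolate `$settings['reverse_external_fqdn']` straight into `^https://…/owa.*$`; with an empty FQDN the pattern becomes `^https:///owa.*$` and OWA publishing silently never matches. Add, next to the HTTPS check, `if (($post['reverse_owa'] == 'on') && ($fqdn == '')) $input_errors[] = 'You must enter the external FQDN before enabling OWA support.';` reusing the `$fqdn` computed at the top of this function in the previous hunk. `$post['reverse_owa']` and `$post['reverse_https']` are read without `isset`, which raises notices when the checkboxes are unchecked; `!empty(...)` as `squid_resync_reverse` uses for `$settings['reverse_https']` avoids that. squid_validate_reverse starts outside the hunk.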
@@ -990,8 +1003,51 @@ function squid_resync_reverse() { if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } + //PEERS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=OWA_HOST_pfs\n"; + + //ACLs + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/owa.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchange.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/public.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchwebexchweb.*$\n"; + } + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_activesync'] == 'on')) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/Microsoft-Server-ActiveSync.*$\n"; + } + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_rpchttp'] == 'on')) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpc/rpcproxy.dll.*$\n"; + $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; + } + + //ACCESS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { + $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; + $conf .= "cache_peer_access OWA_HOST_pfs deny all\n"; + $conf .= "never_direct allow OWA_URI_pfs\n"; + $conf .= 
"http_access allow OWA_URI_pfs\n"; + } + + /* + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/owa.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchange.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/public.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchweb.*$; + + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/Microsoft-Server-ActiveSync.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/rpc/rpcproxy.dll.*$; + + cache_peer_access CYGNUS_SSL allow OWA; + cache_peer_access CYGNUS_SSL deny all; + + never_direct allow OWA; + + http_access allow OWA; + + #miss_access allow OWA; + */ - if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n"; if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; return $conf; diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index eb6a5c05..61aa4aae 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -136,7 +136,7 @@ reverse_https If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access. checkbox - reverse_owa,reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid off @@ -206,14 +206,6 @@ checkbox extension_methods - - extension methods - extension_methods - This field defines additional extension methods for the proxy to use. <br>(RPC_IN_DATA RPC_OUT_DATA for RPC over HTTP -> Outlook Anywhere) - input - 80 - RPC_IN_DATA RPC_OUT_DATA - -- cgit v1.2.3 From c828ba8054534c082d5cf226dc987ed451a457c6 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 12:09:59 +0200 Subject: cleanup --- config/squid-reverse/squid.inc | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 3794c47e..1c68045f 100644 
--- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1029,25 +1029,7 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } - /* - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/owa.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchange.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/public.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchweb.*$; - - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/Microsoft-Server-ActiveSync.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/rpc/rpcproxy.dll.*$; - - cache_peer_access CYGNUS_SSL allow OWA; - cache_peer_access CYGNUS_SSL deny all; - - never_direct allow OWA; - - http_access allow OWA; - #miss_access allow OWA; - */ - if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; return $conf; -- cgit v1.2.3 From fccac1d03c0ae59a36845eb9b30a9ad45f7f7738 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 13:50:20 +0200 Subject: peers work --- config/squid-reverse/squid.inc | 28 ++++++++++++++++++++++++++-- config/squid-reverse/squid_reverse.xml | 3 +-- 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 1c68045f..55e2facd 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -1005,6 +1005,17 @@ function squid_resync_reverse() { } //PEERS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=OWA_HOST_pfs\n"; + + $contents = base64_decode($settings['reverse_cache_peer']); + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; + if($cfg[3] == 'HTTPS') + $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; + }} //ACLs if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { @@ -1028,10 +1039,23 @@ function squid_resync_reverse() { $conf .= "never_direct allow OWA_URI_pfs\n"; $conf .= "http_access allow OWA_URI_pfs\n"; } - + +/* + $contents = base64_decode($settings['reverse_cache_peer']); + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + $conf .= "# cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; + if($cfg[3] == 'HTTPS') + $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; + }} +*/ + + $conf .= "\n"; if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; - return $conf; } diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 61aa4aae..8958fa64 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml 
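Review bot: The peer definitions from `reverse_cache_peer` are split and interpolated into `squid.conf` without any validation, so a line with fewer than four fields reads the undefined `$cfg[3]` (PHP notice) and an empty or malformed line emits `cache_peer  parent  0 …`, which stops squid from starting, as the field's own help text warns. The split on `"\r\n"` also treats LF-only input as a single definition. Use `$defs = preg_split('/\r?\n/', $contents);`, skip `trim($def) == ''`, and test `isset($cfg[3]) && $cfg[3] == 'HTTPS'`; the later "add checks" commit validates IP and port, but the alias in `$cfg[0]` still reaches `name=` unchecked, so restricting it to `[A-Za-z0-9_.-]` there keeps the config one directive per line. The commented duplicate of this block added in the `@@ -1028` hunk should be dropped rather than carried. squid_resync_reverse starts outside the hunk.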
@@ -206,12 +206,11 @@ checkbox extension_methods - <b>peer definitions</b> <br>publishing hosts reverse_cache_peer - Enter each peer definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[internal ip address]:[port];[HTTP / HTTPS] <br>example: HOST1;192.168.0.1:80;HTTP <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> + Enter each peer definition on a new line. Directives have to be separated by a semicolon(;). <br>syntax: [peer alias];[internal ip address];[port];[HTTP / HTTPS] <br>example: HOST1;192.168.0.1;80;HTTP <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> textarea 60 -- cgit v1.2.3 From c635d9e80797e99c78db01f2023ad6607dd2c65b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 14:32:49 +0200 Subject: a little sorting and some errorchecks and enhanced logics missing... --- config/squid-reverse/squid.inc | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 55e2facd..e3704ab6 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1032,6 +1032,20 @@ function squid_resync_reverse() { $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; } + + $contents = base64_decode($settings['revrse_uri']); + if(!empty($contents)) { +$conf .= "# -= TESTING AREA =-\n"; + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; +// if($cfg[3] == 'HTTPS') +// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; +// $conf .= "name={$cfg[0]}\n"; + }} + + //ACCESS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; 
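Review bot: The settings key is spelled `revrse_uri`; it matches the field name `revrse_uri` declared in squid_reverse.xml (visible in the later "multi-fqdn" hunk), so the lookup works, but fixing the spelling on one side only would silently disable URI publishing. Either rename both sides together or mark it: `// key deliberately matches the misspelled field name revrse_uri in squid_reverse.xml`. The emitted `# acl … url_regex -i {fqdn} {$cfg[1]}.*$` has a space between host and path, which squid would read as two separate patterns once the `#` is removed; the later "multi-fqdn" hunk joins them with `/`. squid_resync_reverse starts outside the hunk.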
@@ -1040,18 +1054,19 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } -/* - $contents = base64_decode($settings['reverse_cache_peer']); + + $contents = base64_decode($settings['reverse_acl']); if(!empty($contents)) { +$conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); - $conf .= "# cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; - if($cfg[3] == 'HTTPS') - $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; + $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; + $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; + $conf .= "# never direct allow {$cfg[1]}\n"; + $conf .= "# http_access allow {$cfg[1]}\n"; }} -*/ + $conf .= "\n"; -- cgit v1.2.3 From ce2735901deac81ac11f675224dd01c531b1a3df Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 14:44:50 +0200 Subject: fix acl generation bug --- config/squid-reverse/squid.inc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index e3704ab6..03b60f30 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -1034,15 +1034,16 @@ function squid_resync_reverse() { $contents = base64_decode($settings['revrse_uri']); - if(!empty($contents)) { + if(!empty($contents)) { $conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { - $cfg = explode(";",($def)); - $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; -// if($cfg[3] == 'HTTPS') -// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; -// $conf .= "name={$cfg[0]}\n"; + if (($cfg[0]) != '' && ($cfg[1]) != '') + $cfg = explode(";",($def)); + $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; +// if($cfg[3] == 'HTTPS') +// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; +// $conf .= "name={$cfg[0]}\n"; }} -- cgit v1.2.3 From 8d2bcb1c7668ce8533f87289795646e47b90cb4b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 14:58:45 +0200 Subject: add some checks --- config/squid-reverse/squid.inc | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 03b60f30..7e6acd3a 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
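Review bot: The brace-less `if (($cfg[0]) != '' && ($cfg[1]) != '')` is placed before `$cfg = explode(";", $def)`, so it tests the previous iteration's `$cfg` (undefined on the first pass) and guards only the `explode`; the `$conf .=` line still runs for every definition, including empty ones. The `explode` has to come first and the condition needs braces around the emitting statement, as the following "add some checks" commit does. squid_resync_reverse starts outside the hunk.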
@@ -1011,11 +1011,12 @@ function squid_resync_reverse() { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); - $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; - if($cfg[3] == 'HTTPS') - $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; - }} + if (($cfg[0]) != '' && ($cfg[1]) != '' && ($cfg[2]) != ''){ + $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; + if($cfg[3] == 'HTTPS') + $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; + }}} //ACLs if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { @@ -1032,19 +1033,18 @@ function squid_resync_reverse() { $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; } - $contents = base64_decode($settings['revrse_uri']); if(!empty($contents)) { $conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { - if (($cfg[0]) != '' && ($cfg[1]) != '') - $cfg = explode(";",($def)); + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; // if($cfg[3] == 'HTTPS') // $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; // $conf .= "name={$cfg[0]}\n"; - }} + }}} //ACCESS 
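Review bot: Style: the three nested blocks in both hunks are closed on one line as `}}}`, and the `if (($cfg[0]) != '' …){` line is indented differently from the `foreach` it sits in, which makes the nesting hard to verify by eye in a function that builds a security-relevant config. One closing brace per line, at the indent of its opening statement, would match the OWA blocks earlier in the function. The new check also reads `$cfg[2]` without `isset`, so a two-field line raises a notice before it is skipped. squid_resync_reverse starts outside the hunk.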
@@ -1062,11 +1062,12 @@ $conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); - $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; - $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; - $conf .= "# never direct allow {$cfg[1]}\n"; - $conf .= "# http_access allow {$cfg[1]}\n"; - }} + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; + $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; + $conf .= "# never direct allow {$cfg[1]}\n"; + $conf .= "# http_access allow {$cfg[1]}\n"; + }}} $conf .= "\n"; -- cgit v1.2.3 From 20eed5536e0e961e9a6b157b60b950e1491dee58 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 15:23:05 +0200 Subject: multi-fqdn for vhost --- config/squid-reverse/squid.inc | 7 +++++-- config/squid-reverse/squid_reverse.xml | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 7e6acd3a..5877ab58 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1040,8 +1040,11 @@ $conf .= "# -= TESTING AREA =-\n"; foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; -// if($cfg[3] == 'HTTPS') + if($cfg[2] != '') + $conf .= "# acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; + if($cfg[2] == '') + $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; +// if($cfg[2] == 'HTTPS') // $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; // $conf .= "name={$cfg[0]}\n"; }}} diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 8958fa64..8f7686f1 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml 
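Review bot: In the `@@ -1040` hunk the published-URI pattern `url_regex -i {$cfg[2]}/{$cfg[1]}.*$` is neither anchored with `^` nor escaped, unlike the OWA ACLs above (`^https://…`), and squid matches `url_regex` against the whole URL, so a request whose path or query merely contains `host/public` is routed to the peer through the `never_direct`/`http_access allow` lines keyed to this ACL, while a bare host without scheme would not match at the start of a real URL anyway. Rewrite the emitting block to normalise the vhost (default to the external FQDN, prepend `https?://` when no scheme is given, escape dots) and anchor the pattern; the same applies where these lines go live in the "remove #" hunk. `$cfg[2]` is read without `isset`, so two-field lines raise a notice. The `@@ -1062` hunk's commented `# never direct allow` is a typo for `never_direct`, raised again where it becomes live. squid_resync_reverse starts outside the hunk.
```php
$cfg = explode(";",($def));
if (($cfg[0]) != '' && ($cfg[1]) != '') {
    $vhost = (isset($cfg[2]) && $cfg[2] != '') ? $cfg[2] : $settings['reverse_external_fqdn'];
    // url_regex is matched against the whole URL: anchor it and
    // escape '.' so the host part matches only the configured name
    if (!preg_match('{^https?://}i', $vhost))
        $vhost = 'https?://' . $vhost;
    $vhost = str_replace('.', '\.', $vhost);
    $conf .= "acl {$cfg[0]} url_regex -i ^{$vhost}/{$cfg[1]}.*$\n";
}
// … unchanged: closing of foreach / if(!empty($contents)) …
```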
@@ -220,7 +220,7 @@ <b>URI definitions</b> <br>published URIs revrse_uri - Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;).<br>syntax: [group the uri belongs to];[URI to publish] (a group can contain multiple URIs) <br>example: URI1;public <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> + Enter each reverse acl definition on a new line. Directives have to be separated by a semicolon(;).<br>syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn]) <br>(a group can contain multiple URIs, without vhost fqdn the external fqdn is used, you also can specity http:// or https://) <br>example: URI1;public;server.pfsense.org. <br><i>WRONG SYNTAX USAGE WILL RESULT IN SQUID NOT STARTING</i> textarea 60 -- cgit v1.2.3 From bf995ed3b06f77503ebddfdd841e70656e7356d2 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 15:26:22 +0200 Subject: remove # - let the game gbegin --- config/squid-reverse/squid.inc | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 5877ab58..43ce8bcd 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -1035,18 +1035,14 @@ function squid_resync_reverse() { $contents = base64_decode($settings['revrse_uri']); if(!empty($contents)) { -$conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ if($cfg[2] != '') - $conf .= "# acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; + $conf .= "acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; if($cfg[2] == '') - $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; -// if($cfg[2] == 'HTTPS') -// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; -// $conf .= "name={$cfg[0]}\n"; + $conf .= "acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; }}} -- cgit v1.2.3 From f2148bae9112023991f085e790f0361d61e047b1 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 21:34:02 +0200 Subject: add intermediate CA --- config/squid-reverse/squid.inc | 5 +++++ config/squid-reverse/squid_reverse.xml | 11 ++++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 43ce8bcd..044cf10b 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -985,6 +985,11 @@ function squid_resync_reverse() { base64_decode($svr_cert['prv'])); $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; }}} + + if (!empty($settings['reverse_int_ca'])) { + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n",FILE_APPEND | LOCK_EX); + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); + } $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); 
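Review bot: In the `@@ -985` hunk the intermediate CA is appended to `<reverse_ssl_cert>.crt` on every resync regardless of whether the preceding `if ($svr_cert != false)` branch rewrote that file in this pass, so when the certificate lookup fails the pasted CA is appended to a stale file again and again, and when it succeeds the result relies on the earlier write having no `FILE_APPEND`. Guard on the path that branch sets: `if (!empty($reverse_crt) && !empty($settings['reverse_int_ca']))` and append to `$reverse_crt`. Nothing checks that `reverse_int_ca` decodes to a PEM certificate before it is written into the file squid loads, so a stray paste may leave squid unable to use the certificate at the next restart; the `is_cert` check left commented out in the later "add checks" commit is the place for that. The same append survives, reflowed onto one line, in the later "add checks and cleanup inc" hunk. squid_resync_reverse starts outside the hunk.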
diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index 8f7686f1..cafa3ec7 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -136,7 +136,7 @@ reverse_https If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access. checkbox - reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid + reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid,reverse_ssl_chain off @@ -164,6 +164,15 @@ descr refid + + intermediate CA certificate + reverse_int_ca + Paste a signed certificate in X.509 PEM format here. + textarea + 50 + 5 + base64 + Reset TCP connections if request is unauthorized deny_info_tcp_reset -- cgit v1.2.3 From 2aae3aff464282d34087b390e89c3163b06badb8 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 22:47:12 +0200 Subject: acls working --- config/squid-reverse/squid.inc | 41 +++++++++++++++++++++++++++------- config/squid-reverse/squid_reverse.xml | 2 +- 2 files changed, 34 insertions(+), 9 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 044cf10b..aa8cf691 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
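Review bot: The `reverse_https` enable list in the `@@ -136` hunk adds `reverse_ssl_chain`, but the field introduced in the `@@ -164` hunk is named `reverse_int_ca`, so the new textarea is not toggled with the HTTPS checkbox; change the list entry to `reverse_int_ca`. The field's description, `Paste a signed certificate in X.509 PEM format here.`, describes a server certificate rather than the intermediate CA its name implies; `Paste the intermediate CA certificate (X.509 PEM) that issued the selected server certificate, if one is needed.` tells the admin what belongs there.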
@@ -503,6 +503,21 @@ function squid_validate_reverse($post, $input_errors) { if (!empty($rowa) && !is_ipaddr($rowa)) $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; +/* + $contents = base64_decode($post['reverse_cache_peer']); + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (!is_ipaddr($cfg[1])) + $input_errors[] = "please choose a valid IP in the cache peer configuration."; + if (!is_port($cfg[2])) + $input_errors[] = "please choose a valid port in the cache peer configuration."; + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) + $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + }} +*/ + } function squid_validate_auth($post, $input_errors) { @@ -1059,20 +1074,30 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } - $contents = base64_decode($settings['reverse_acl']); if(!empty($contents)) { -$conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; - $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; - $conf .= "# never direct allow {$cfg[1]}\n"; - $conf .= "# http_access allow {$cfg[1]}\n"; - }}} - + $conf .= "cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; + }} + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "cache_peer_access {$cfg[0]} deny all\n"; + }} + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "never direct allow {$cfg[1]}\n"; + }} + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "http_access allow {$cfg[1]}\n"; + }} + } $conf .= "\n"; 
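Review bot: In the `@@ -1059` hunk the now-live line `$conf .= "never direct allow {$cfg[1]}\n";` is a typo for the `never_direct` directive that the OWA block earlier in the function uses; squid defines no `never` directive, so the user-defined ACLs are not forced to the peer. Change it to `$conf .= "never_direct allow {$cfg[1]}\n";` (the typo originates in the commented "a little sorting" hunk). The four `foreach` loops re-split the same `$defs` four times only to keep the directives grouped; a single loop appending to four buffers that are concatenated afterwards would be clearer. The `@@ -503` hunk's commented validation decodes `$post['reverse_cache_peer']` with `base64_decode`, but `$post` holds the raw form value; the later "add checks" commit drops the decode when it enables the block. squid_validate_reverse and squid_resync_reverse both start outside their hunks.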
diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index cafa3ec7..d921254f 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -165,7 +165,7 @@ refid - intermediate CA certificate + intermediate CA certificate (if needed) reverse_int_ca Paste a signed certificate in X.509 PEM format here. textarea -- cgit v1.2.3 From 42b72a5b9995b92c6d6b5e8217484f3d8cd4559b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 4 Oct 2011 15:52:50 +0200 Subject: add checks and cleanup inc --- config/squid-reverse/squid.inc | 44 +++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index aa8cf691..01a5edc6 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -499,24 +499,29 @@ function squid_validate_reverse($post, $input_errors) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; } +/* + if (!is_cert($post['reverse_int_ca'])) + $input_errors[] = 'A valid certificate for the external interface must be selected'; +*/ + $rowa = trim($post['reverse_owa_ip']); if (!empty($rowa) && !is_ipaddr($rowa)) $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; -/* - $contents = base64_decode($post['reverse_cache_peer']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (!is_ipaddr($cfg[1])) - $input_errors[] = "please choose a valid IP in the cache peer configuration."; - if (!is_port($cfg[2])) - $input_errors[] = "please choose a valid port in the cache peer configuration."; - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) - $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; - }} -*/ + + $contents = $post['reverse_cache_peer']; + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (!is_ipaddr($cfg[1])) + $input_errors[] = "please choose a valid IP in the cache peer configuration."; + if (!is_port($cfg[2])) + $input_errors[] = "please choose a valid port in the cache peer configuration."; + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) + $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + }} + } 
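Review bot: The validation rejects what `squid_resync_reverse` skips: resync ignores definitions with empty fields, but here every line, including a trailing blank one, is checked with `is_ipaddr($cfg[1])`, so a textarea ending in a newline can never be saved. Mirror the skip with `if (trim($def) == '') continue;` at the top of the loop, and split with `preg_split('/\r?\n/', $contents)` so LF-only input is handled. The alias `$cfg[0]` is still not validated although it is written unescaped into `name=` and `cache_peer_access` lines; `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $cfg[0])) $input_errors[] = "please choose an alphanumeric alias in the cache peer configuration.";` keeps a stray space from becoming extra squid tokens. The `is_cert` check for `reverse_int_ca` is left commented, so the intermediate CA still goes into the certificate file unverified. squid_validate_reverse starts outside the hunk.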
@@ -991,20 +996,15 @@ function squid_resync_reverse() { $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['crt'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt", - base64_decode($svr_cert['crt'])); + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($svr_cert['crt'])); $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; } if(base64_decode($svr_cert['prv'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", - base64_decode($svr_cert['prv'])); + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",base64_decode($svr_cert['prv'])); $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; }}} - if (!empty($settings['reverse_int_ca'])) { - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n",FILE_APPEND | LOCK_EX); - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); - } + if (!empty($settings['reverse_int_ca'])) file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); -- cgit v1.2.3