From 641e4466dba13d72dc46cf65fcb444580dea913a Mon Sep 17 00:00:00 2001 From: marcelloc Date: Thu, 12 Jan 2012 23:59:56 -0200 Subject: dansguardian - more updates, almost done --- config/dansguardian/dansguardian.inc | 1253 +++++++++++++++++++++++++++ config/dansguardian/dansguardian.xml | 8 +- config/dansguardian/dansguardian_config.xml | 4 +- config/dansguardian/dansguardian_limits.xml | 2 +- config/dansguardian/dansguardian_log.xml | 4 +- 5 files changed, 1262 insertions(+), 9 deletions(-) create mode 100755 config/dansguardian/dansguardian.inc (limited to 'config/dansguardian') diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc new file mode 100755 index 00000000..bbee18a3 --- /dev/null +++ b/config/dansguardian/dansguardian.inc @@ -0,0 +1,1253 @@ + 'deleted.content.message.txt', + 'deletedbadfilename' => 'deleted.filename.message.txt', + 'deletedvirus' =>'deleted.virus.message.txt', + 'deletedsize' => 'deleted.size.message.txt', + 'storedbadcontent' => 'stored.content.message.txt', + 'storedbadfilename' => 'stored.filename.message.txt', + 'storedvirus' => 'stored.virus.message.txt', + 'storedsize' => 'stored.size.message.txt', + 'disinfected' => 'disinfected.report.txt', + 'sendercontent' => 'sender.content.report.txt', + 'sendererror' => 'sender.error.report.txt', + 'senderbadfilename' => 'sender.filename.report.txt', + 'sendervirus' => 'sender.virus.report.txt', + 'sendersize' => 'sender.size.report.txt', + 'senderrbl' => 'sender.spam.rbl.report.txt', + 'sendersa' => 'sender.spam.sa.report.txt', + 'sendermcp' => 'sender.mcp.report.txt', + 'senderspam'=>'sender.spam.report.txt', + 'recipientmcp'=>'recipient.mcp.report.txt', + 'recipientspam'=>'recipient.spam.report.txt', + 'rejection' =>'rejection.report.txt'); + + foreach ($report_files as $key_r => $file_r){ + if ($report[$key_r] == ""){ + #$input_errors[]= $key; + $config['installedpackages']['msreport']['config'][0][$key_r]=base64_encode(file_get_contents($report_dir.'/'.$file_r.'.sample')); + file_put_contents($report_dir.'/'.$file_r,dg_text_area_decode($config['installedpackages']['msreport']['config'][0][$key_r]),LOCK_EX); + $load_samples++; + } + #print $key_r ."X $file_r X". base64_encode(file_get_contents($report_dir.'/'.$file_r.'.sample')) ."
"; + + if ($alert['sig']){ + if($alert['sig_html'] == ""){ + $config['installedpackages']['msalerts']['config'][0]['sig_html']=base64_encode(file_get_contents($report_dir.'/inline.sig.html')); + $load_samples++; + } + if($alert['sig_txt'] == ""){ + $config['installedpackages']['msalerts']['config'][0]['sig_txt']=base64_encode(file_get_contents($report_dir.'/inline.sig.txt')); + $load_samples++; + } + } + + if ($alert['warning']){ + if($alert['warning_html'] == ""){ + $config['installedpackages']['msalerts']['config'][0]['warning_html']=base64_encode(file_get_contents($report_dir.'/inline.warning.html')); + $load_samples++; + } + if($alert['warning_txt'] == ""){ + $config['installedpackages']['msalerts']['config'][0]['warning_txt']=base64_encode(file_get_contents($report_dir.'/inline.warning.txt')); + $load_samples++; + } + } + + + } + #exit; + if($load_samples > 0) + write_config(); + + +#create dansguardian.conf + $dg=<< 0 +# Once every 3 minutes, the current number of IPs in the cache, and the most +# that have been in the cache since the daemon was started, are written to this +# file. IPs persist in the cache for 7 days. +#statlocation = '/var/log/stats' + + +# Network Settings +# +# the IP that DansGuardian listens on. If left blank DansGuardian will +# listen on all IPs. That would include all NICs, loopback, modem, etc. +# Normally you would have your firewall protecting this, but if you want +# you can limit it to a certain IP. To bind to multiple interfaces, +# specify each IP on an individual filterip line. +# You can have the same IP twice so long as it has a different port. +filterip = {$filterip} + +# the ports that DansGuardian listens to. Specify one line per filterip +# line. You can specify different authentication mechanisms per port but +# only if the mechanisms can co-exist (e.g. basic/proxy auth can't) +filterports = 8080 +#filterports = 8081 +{$filterports} + +# the ip of the proxy (default is the loopback - i.e. this server) +proxyip = 127.0.0.1 + +# the port DansGuardian connects to proxy on +proxyport = 3128 + +# Whether to retrieve the original destination IP in transparent proxy +# setups and check it against the domain pulled from the HTTP headers. +# +# Be aware that when visiting sites which use a certain type of round-robin +# DNS for load balancing, DG may mark requests as invalid unless DG gets +# exactly the same answers to its DNS requests as clients. The chances of +# this happening can be increased if all clients and servers on the same LAN +# make use of a local, caching DNS server instead of using upstream DNS +# directly. +# +# See http://www.kb.cert.org/vuls/id/435052 +# on (default) | off +#!! Not compiled !! originalip = on + +# accessdeniedaddress is the address of your web server to which the cgi +# dansguardian reporting script was copied. Only used in reporting levels 1 and 2. +# +# This webserver must be either: +# 1. Non-proxied. Either a machine on the local network, or listed as an exception +# in your browser's proxy configuration. +# 2. Added to the exceptionsitelist. Option 1 is preferable; this option is +# only for users using both transparent proxying and a non-local server +# to host this script. +# +# Individual filter groups can override this setting in their own configuration. +# +accessdeniedaddress = 'http://YOURSERVER.YOURDOMAIN/cgi-bin/dansguardian.pl' + +# Non standard delimiter (only used with accessdeniedaddress) +# To help preserve the full banned URL, including parameters, the variables +# passed into the access denied CGI are separated using non-standard +# delimiters. This can be useful to ensure correct operation of the filter +# bypass modes. Parameters are split using "::" in place of "&", and "==" in +# place of "=". +# Default is enabled, but to go back to the standard mode, disable it. +nonstandarddelimiter = {$nonstandarddelimiter} + + + +# Banned image replacement +# Images that are banned due to domain/url/etc reasons including those +# in the adverts blacklists can be replaced by an image. This will, +# for example, hide images from advert sites and remove broken image +# icons from banned domains. +# on (default) | off +usecustombannedimage = {$usecustombannedimage} +custombannedimagefile = '/usr/local/share/dansguardian/transparent1x1.gif' + + +#Banned flash replacement +usecustombannedflash = {$usecustombannedflash} +custombannedflashfile = '/usr/local/share/dansguardian/blockedflash.swf' + + + +# Filter groups options +# filtergroups sets the number of filter groups. A filter group is a set of content +# filtering options you can apply to a group of users. The value must be 1 or more. +# DansGuardian will automatically look for dansguardianfN.conf where N is the filter +# group. To assign users to groups use the filtergroupslist option. All users default +# to filter group 1. You must have some sort of authentication to be able to map users +# to a group. The more filter groups the more copies of the lists will be in RAM so +# use as few as possible. +filtergroups = 1 +filtergroupslist = '/usr/local/etc/dansguardian/lists/filtergroupslist' + + + +# Authentication files location +bannediplist = '/usr/local/etc/dansguardian/lists/bannediplist' +exceptioniplist = '/usr/local/etc/dansguardian/lists/exceptioniplist' + +# Per-Room blocking definition directory +# A directory containing text files containing the room's name followed by IPs or ranges +# Think of it as bannediplist on crack +perroomblockingdirectory = '/usr/local/etc/dansguardian/lists/bannedrooms/' + +# Show weighted phrases found +# If enabled then the phrases found that made up the total which excedes +# the naughtyness limit will be logged and, if the reporting level is +# high enough, reported. on | off +showweightedfound = {$showweightedfound} + +# Weighted phrase mode +# There are 3 possible modes of operation: +# 0 = off = do not use the weighted phrase feature. +# 1 = on, normal = normal weighted phrase operation. +# 2 = on, singular = each weighted phrase found only counts once on a page. +# +# IMPORTANT: Note that setting this to "0" turns off all features which +# extract phrases from page content, including banned & exception +# phrases (not just weighted), search term filtering, and scanning for +# links to banned URLs. +# +weightedphrasemode = {$weightedphrasemode} + + + +# Positive (clean) result caching for URLs +# Caches good pages so they don't need to be scanned again. +# It also works with AV plugins. +# 0 = off (recommended for ISPs with users with disimilar browsing) +# 1000 = recommended for most users +# 5000 = suggested max upper limit +# If you're using an AV plugin then use at least 5000. +urlcachenumber = {$urlcachenumber} +# +# Age before they are stale and should be ignored in seconds +# 0 = never +# 900 = recommended = 15 mins +urlcacheage ={$urlcacheage} + + + +# Cache for content (AV) scan results as 'clean' +# By default, to save CPU, files scanned and found to be +# clean are inserted into the clean cache and NOT scanned +# again for a while. If you don't like this then choose +# to disable it. +# on = cache results; do not re-scan +# off = do not cache; always re-scan +# (on|off) default = on. +scancleancache = {$scancleancache} + + + +# Smart, Raw and Meta/Title phrase content filtering options +# Smart is where the multiple spaces and HTML are removed before phrase filtering +# Raw is where the raw HTML including meta tags are phrase filtered +# Meta/Title is where only meta and title tags are phrase filtered (v. quick) +# CPU usage can be effectively halved by using setting 0 or 1 compared to 2 +# 0 = raw only +# 1 = smart only +# 2 = both of the above (default) +# 3 = meta/title +phrasefiltermode = {$phrasefiltermode} + +# Lower casing options +# When a document is scanned the uppercase letters are converted to lower case +# in order to compare them with the phrases. However this can break Big5 and +# other 16-bit texts. If needed preserve the case. As of version 2.7.0 accented +# characters are supported. +# 0 = force lower case (default) +# 1 = do not change case +# 2 = scan first in lower case, then in original case +preservecase = {$preservecase} + +# Note: +# If phrasefiltermode and preserve case are both 2, this equates to 4 phrase +# filtering passes. If you have a large enough userbase for this to be a +# worry, and need to filter pages in exotic character encodings, it may be +# better to run two instances on separate servers: one with preservecase 1 +# (and possibly forcequicksearch 1) and non ASCII/UTF-8 phrase lists, and one +# with preservecase 0 and ASCII/UTF-8 lists. + + + +# Hex decoding options +# When a document is scanned it can optionally convert %XX to chars. +# If you find documents are getting past the phrase filtering due to encoding +# then enable. However this can break Big5 and other 16-bit texts. +# off = disabled (default) +# on = enabled +hexdecodecontent = {$hexdecodecontent} + + + +# Force Quick Search rather than DFA search algorithm +# The current DFA implementation is not totally 16-bit character compatible +# but is used by default as it handles large phrase lists much faster. +# If you wish to use a large number of 16-bit character phrases then +# enable this option. +# off (default) | on (Big5 compatible) +forcequicksearch = {$forcequicksearch} + + + +# Reverse lookups for banned site and URLs. +# If set to on, DansGuardian will look up the forward DNS for an IP URL +# address and search for both in the banned site and URL lists. This would +# prevent a user from simply entering the IP for a banned address. +# It will reduce searching speed somewhat so unless you have a local caching +# DNS server, leave it off and use the Blanket IP Block option in the +# bannedsitelist file instead. +reverseaddresslookups = {$reverseaddresslookups} + + + +# Reverse lookups for banned and exception IP lists. +# If set to on, DansGuardian will look up the forward DNS for the IP +# of the connecting computer. This means you can put in hostnames in +# the exceptioniplist and bannediplist. +# If a client computer is matched against an IP given in the lists, then the +# IP will be recorded in any log entries; if forward DNS is successful and a +# match occurs against a hostname, the hostname will be logged instead. +# It will reduce searching speed somewhat so unless you have a local DNS server, +# leave it off. +reverseclientiplookups = {$reverseclientiplookups} + + +# Perform reverse lookups on client IPs for successful requests. +# If set to on, DansGuardian will look up the forward DNS for the IP +# of the connecting computer, and log host names (where available) rather than +# IPs against requests. +# This is not dependent on reverseclientiplookups being enabled; however, if it +# is, enabling this option does not incur any additional forward DNS requests. +logclienthostnames = {$logclienthostnames} + + +# Build bannedsitelist and bannedurllist cache files. +# This will compare the date stamp of the list file with the date stamp of +# the cache file and will recreate as needed. +# If a .processed file exists for an item (e.g. domain/URL) list, then that +# will be used instead, if it is up to date (i.e. newer than the unprocessed +# list file). +# This can increase process start speed on slow computers. +# Fast computers do not need this option. +# on | off, default = on +createlistcachefiles = {$createlistcachefiles} + + +# Prefer cached list files +# If enabled, DansGuardian will always prefer to load ".processed" versions of +# list files, regardless of their time stamps relative to the original +# unprocessed lists. This is not generally useful unless you have a specific +# list update process which results in - for example - up-to-date, pre-sorted +# ".processed" list files with dummy unprocessed files. +# on | off, default = off +prefercachedlists = {$prefercachedlists} + + + +# POST protection (web upload and forms) +# does not block forms without any file upload, i.e. this is just for +# blocking or limiting uploads +# measured in kibibytes after MIME encoding and header bumph +# use 0 for a complete block +# use higher (e.g. 512 = 512Kbytes) for limiting +# use -1 for no blocking +#maxuploadsize = 512 +#maxuploadsize = 0 +maxuploadsize = {$maxuploadsize} + + + +# Max content filter size +# Sometimes web servers label binary files as text which can be very +# large which causes a huge drain on memory and cpu resources. +# To counter this, you can limit the size of the document to be +# filtered and get it to just pass it straight through. +# This setting also applies to content regular expression modification. +# The value must not be higher than maxcontentramcachescansize +# The size is in Kibibytes - eg 2048 = 2Mb +# use 0 to set it to maxcontentramcachescansize +maxcontentfiltersize = {$maxcontentfiltersize} + + + +# Max content ram cache scan size +# This is only used if you use a content scanner plugin such as AV +# This is the max size of file that DG will download and cache +# in RAM. After this limit is reached it will cache to disk +# This value must be less than or equal to maxcontentfilecachescansize. +# The size is in Kibibytes - eg 10240 = 10Mb +# use 0 to set it to maxcontentfilecachescansize +# This option may be ignored by the configured download manager. +maxcontentramcachescansize = {$maxcontentramcachescansize} + + + +# Max content file cache scan size +# This is only used if you use a content scanner plugin such as AV +# This is the max size file that DG will download +# so that it can be scanned or virus checked. +# This value must be greater or equal to maxcontentramcachescansize. +# The size is in Kibibytes - eg 10240 = 10Mb +maxcontentfilecachescansize = {$maxcontentfilecachescansize} + + + +# File cache dir +# Where DG will download files to be scanned if too large for the +# RAM cache. +filecachedir = '/tmp' + + + +# Delete file cache after user completes download +# When a file gets save to temp it stays there until it is deleted. +# You can choose to have the file deleted when the user makes a sucessful +# download. This will mean if they click on the link to download from +# the temp store a second time it will give a 404 error. +# You should configure something to delete old files in temp to stop it filling up. +# on|off (defaults to on) +deletedownloadedtempfiles = {$deletedownloadedtempfiles} + + + +# Initial Trickle delay +# This is the number of seconds a browser connection is left waiting +# before first being sent *something* to keep it alive. The +# *something* depends on the download manager chosen. +# Do not choose a value too low or normal web pages will be affected. +# A value between 20 and 110 would be sensible +# This may be ignored by the configured download manager. +initialtrickledelay = {$initialtrickledelay} + + + +# Trickle delay +# This is the number of seconds a browser connection is left waiting +# before being sent more *something* to keep it alive. The +# *something* depends on the download manager chosen. +# This may be ignored by the configured download manager. +trickledelay = {$trickledelay} + + + +# Download Managers +# These handle downloads of files to be filtered and scanned. +# They differ in the method they deal with large downloads. +# Files usually need to be downloaded 100% before they can be +# filtered and scanned before being sent on to the browser. +# Normally the browser can just wait, but with content scanning, +# for example to AV, the browser may timeout or the user may get +# confused so the download manager has to do some sort of +# 'keep alive'. +# +# There are various methods possible but not all are included. +# The author does not have the time to write them all so I have +# included a plugin systam. Also, not all methods work with all +# browsers and clients. Specifically some fancy methods don't +# work with software that downloads updates. To solve this, +# each plugin can support a regular expression for matching +# the client's user-agent string, and lists of the mime types +# and extensions it should manage. +# +# Note that these are the matching methods provided by the base plugin +# code, and individual plugins may override or add to them. +# See the individual plugin conf files for supported options. +# +# The plugins are matched in the order you specify and the last +# one is forced to match as the default, regardless of user agent +# and other matching mechanisms. +# +downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/fancy.conf' +##!! Not compiled !! downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/trickle.conf' +downloadmanager = '/usr/local/etc/dansguardian/downloadmanagers/default.conf' + + + +# Content Scanners (Also known as AV scanners) +# These are plugins that scan the content of all files your browser fetches +# for example to AV scan. The options are limitless. Eventually all of +# DansGuardian will be plugin based. You can have more than one content +# scanner. The plugins are run in the order you specify. +# This is one of the few places you can have multiple options of the same name. +# +# Some of the scanner(s) require 3rd party software and libraries eg clamav. +# See the individual plugin conf file for more options (if any). +# +#contentscanner = '/usr/local/etc/dansguardian/contentscanners/clamdscan.conf' +#!! Not compiled !! contentscanner = '/usr/local/etc/dansguardian/contentscanners/avastdscan.conf' +#!! Not compiled !! contentscanner = '/usr/local/etc/dansguardian/contentscanners/kavdscan.conf' +#contentscanner = '/usr/local/etc/dansguardian/contentscanners/icapscan.conf' +#!! Not compiled !! contentscanner = '/usr/local/etc/dansguardian/contentscanners/commandlinescan.conf' + + + +# Content scanner timeout +# Some of the content scanners support using a timeout value to stop +# processing (eg AV scanning) the file if it takes too long. +# If supported this will be used. +# The default of 60 seconds is probably reasonable. +contentscannertimeout = {$contentscannertimeout} + + + +# Content scan exceptions +# If 'on' exception sites, urls, users etc will be scanned +# This is probably not desirable behavour as exceptions are +# supposed to be trusted and will increase load. +# Correct use of grey lists are a better idea. +# (on|off) default = off +contentscanexceptions = {$contentscanexceptions} + + + +# Auth plugins +# These replace the usernameidmethod* options in previous versions. They +# handle the extraction of client usernames from various sources, such as +# Proxy-Authorisation headers and ident servers, enabling requests to be +# handled according to the settings of the user's filter group. +# Multiple plugins can be specified, and will be used per port in the order +# filterports are listed. +# +# If you do not use multiple filter groups, you need not specify this option. +# +#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-basic.conf' +#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-digest.conf' +#authplugin = '/usr/local/etc/dansguardian/authplugins/proxy-ntlm.conf' +#authplugin = '/usr/local/etc/dansguardian/authplugins/ident.conf' +#authplugin = '/usr/local/etc/dansguardian/authplugins/ip.conf' + + + +# Re-check replaced URLs +# As a matter of course, URLs undergo regular expression search/replace (urlregexplist) +# *after* checking the exception site/URL/regexpURL lists, but *before* checking against +# the banned site/URL lists, allowing certain requests that would be matched against the +# latter in their original state to effectively be converted into grey requests. +# With this option enabled, the exception site/URL/regexpURL lists are also re-checked +# after replacement, making it possible for URL replacement to trigger exceptions based +# on them. +# Defaults to off. +recheckreplacedurls = {$recheckreplacedurls} + + + +# Misc settings + +# if on it adds an X-Forwarded-For: to the HTTP request +# header. This may help solve some problem sites that need to know the +# source ip. on | off +forwardedfor = {$forwardedfor} + + +# if on it uses the X-Forwarded-For: to determine the client +# IP. This is for when you have squid between the clients and DansGuardian. +# Warning - headers are easily spoofed. on | off +usexforwardedfor = {usexforwardedfor} + + +# if on it logs some debug info regarding fork()ing and accept()ing which +# can usually be ignored. These are logged by syslog. It is safe to leave +# it on or off +logconnectionhandlingerrors = {$logconnectionhandlingerrors} + + + +# Fork pool options + +# If on, this causes DG to write to the log file whenever child processes are +# created or destroyed (other than by crashes). This information can help in +# understanding and tuning the following parameters, but is not generally +# useful in production. +logchildprocesshandling = {$logchildprocesshandling} + +# sets the maximum number of processes to spawn to handle the incoming +# connections. Max value usually 250 depending on OS. +# On large sites you might want to try 180. +maxchildren = {$maxchildren} + + +# sets the minimum number of processes to spawn to handle the incoming connections. +# On large sites you might want to try 32. +minchildren = {$minchildren} + + +# sets the minimum number of processes to be kept ready to handle connections. +# On large sites you might want to try 8. +minsparechildren = {$minsparechildren} + + +# sets the minimum number of processes to spawn when it runs out +# On large sites you might want to try 10. +preforkchildren = {$preforkchildren} + + +# sets the maximum number of processes to have doing nothing. +# When this many are spare it will cull some of them. +# On large sites you might want to try 64. +maxsparechildren = {$maxsparechildren} + + +# sets the maximum age of a child process before it croaks it. +# This is the number of connections they handle before exiting. +# On large sites you might want to try 10000. +maxagechildren = {$maxagechildren} + + +# Sets the maximum number client IP addresses allowed to connect at once. +# Use this to set a hard limit on the number of users allowed to concurrently +# browse the web. Set to 0 for no limit, and to disable the IP cache process. +maxips = {$maxips} + + + +# Process options +# (Change these only if you really know what you are doing). +# These options allow you to run multiple instances of DansGuardian on a single machine. +# Remember to edit the log file path above also if that is your intention. + +# IPC filename +# +# Defines IPC server directory and filename used to communicate with the log process. +ipcfilename = '/tmp/.dguardianipc' + +# URL list IPC filename +# +# Defines URL list IPC server directory and filename used to communicate with the URL +# cache process. +urlipcfilename = '/tmp/.dguardianurlipc' + +# IP list IPC filename +# +# Defines IP list IPC server directory and filename, for communicating with the client +# IP cache process. +ipipcfilename = '/tmp/.dguardianipipc' + +# PID filename +# +# Defines process id directory and filename. +#pidfilename = '/var/run/dansguardian.pid' + +# Disable daemoning +# If enabled the process will not fork into the background. +# It is not usually advantageous to do this. +# on|off (defaults to off) +nodaemon = {$nodaemon} + +# Disable logging process +# on|off (defaults to off) +nologger = {$nologger} + +# Enable logging of "ADs" category blocks +# on|off (defaults to off) +logadblocks = {$logadblocks} + +# Enable logging of client User-Agent +# Some browsers will cause a *lot* of extra information on each line! +# on|off (defaults to off) +loguseragent = {$loguseragent} + +# Daemon runas user and group +# This is the user that DansGuardian runs as. Normally the user/group nobody. +# Uncomment to use. Defaults to the user set at compile time. +# Temp files created during virus scanning are given owner and group read +# permissions; to use content scanners based on external processes, such as +# clamdscan, the two processes must run with either the same group or user ID. +#daemonuser = 'nobody' +#daemongroup = 'nobody' + +# Soft restart +# When on this disables the forced killing off all processes in the process group. +# This is not to be confused with the -g run time option - they are not related. +# on|off (defaults to off) +softrestart = {softrestart} + +# Mail program +# Path (sendmail-compatible) email program, with options. +# Not used if usesmtp is disabled (filtergroup specific). +#!! Not compiled !!mailer = '/usr/sbin/sendmail -t' + +#SSL certificate checking path +#Path to CA certificates used to validate the certificates of https sites. +#sslcertificatepath = '/etc/ssl/certs/' + +#SSL man in the middle +#CA certificate path +#Path to the CA certificate to use as a signing certificate for +#generated certificates. +#cacertificatepath = '/home/stephen/dginstall/ca.pem' + +#CA private key path +#path to the private key that matches the public key in the CA certificate. +#caprivatekeypath = '/home/stephen/dginstall/ca.key' + +#Cert private key path +#The public / private key pair used by all generated certificates +#certprivatekeypath = '/home/stephen/dginstall/cert.key' + +#Generated cert path +#The location where generated certificates will be saved for future use. +#(must be writable by the dg user) +#generatedcertpath = '/home/stephen/dginstall/generatedcerts/' + +#Generated link path = '' +#The location where symlinks to certificates will be created. +#(must be writable by the dg user) +#generatedlinkpath = '/home/stephen/dginstall/generatedlinks/' + +EOF; + #write files + conf_mount_rw(); + + $mlang=strtolower($report['language']); + $mfiles[]="/usr/local/etc/dansguardian/virus.scanners.conf"; + $mfiles[]="/usr/local/share/dansguardian/reports/{$mlang}/inline.spam.warning.txt"; + $mfiles[]="/usr/local/share/dansguardian/reports/{$mlang}/languages.conf"; + + foreach ($mfiles as $mfile) + if (! file_exists ($mfile)) + copy($mfile.".sample",$mfile); + + + write_config(); + + file_put_contents($dansguardian_dir."/dansguardian.conf", $mc, LOCK_EX); + file_put_contents($dansguardian_dir."/filename.rules.conf",dg_text_area_decode($config['installedpackages']['msattachments']['config'][0]['filename_rules']),LOCK_EX); + file_put_contents($dansguardian_dir."/filetype.rules.conf",dg_text_area_decode($config['installedpackages']['msattachments']['config'][0]['filetype_rules']),LOCK_EX); + file_put_contents($dansguardian_dir."/archives.filename.rules.conf",dg_text_area_decode($config['installedpackages']['msattachments']['config'][0]['filename_rules']),LOCK_EX); + file_put_contents($dansguardian_dir."/archives.filetype.rules.conf",dg_text_area_decode($config['installedpackages']['msattachments']['config'][0]['filetype_rules']),LOCK_EX); + file_put_contents($dansguardian_dir."/phishing.safe.sites.conf",dg_text_area_decode($config['installedpackages']['mscontent']['config'][0]['phishing_safe']),LOCK_EX); + file_put_contents($dansguardian_dir."/phishing.bad.sites.conf",dg_text_area_decode($config['installedpackages']['mscontent']['config'][0]['phishing_bad']),LOCK_EX); + file_put_contents($dansguardian_dir."/country.domains.conf",dg_text_area_decode($config['installedpackages']['mscontent']['config'][0]['country_domains']),LOCK_EX); + file_put_contents($dansguardian_dir.'/spam.assassin.prefs.conf',$sa_temp,LOCK_EX); + file_put_contents($dansguardian_dir.'/spam.lists.conf',dg_text_area_decode($config['installedpackages']['msantispam']['config'][0]['rbl_file']),LOCK_EX); + file_put_contents($dansguardian_dir.'/mcp/mcp.spam.assassin.prefs.conf',dg_text_area_decode($config['installedpackages']['msantispam']['config'][0]['mcp_pref_file']),LOCK_EX); + file_put_contents($dansguardian_dir.'/rules/bounce.rules',dg_text_area_decode($config['installedpackages']['msantispam']['config'][0]['bounce']),LOCK_EX); + file_put_contents($dansguardian_dir.'/rules/max.message.size.rules',dg_text_area_decode($config['installedpackages']['msantispam']['config'][0]['max_message_size']),LOCK_EX); + file_put_contents($dansguardian_dir.'/rules/spam.whitelist.rules',dg_text_area_decode($config['installedpackages']['msantispam']['config'][0]['spam_whitelist']),LOCK_EX); + + foreach ($report_files as $key_r => $file_r) + file_put_contents($report_dir.'/'.$file_r,dg_text_area_decode($config['installedpackages']['msreport']['config'][0][$key_r]),LOCK_EX); + + if ($alert['sig']){ + $sig_html=dg_text_area_decode($config['installedpackages']['msalerts']['config'][0]['sig_html']); + $sig_txt=dg_text_area_decode($config['installedpackages']['msalerts']['config'][0]['sig_txt']);} + else{ + $sig_html=""; + $sig_txt="";} + file_put_contents($report_dir.'/inline.sig.txt',$sig_txt,LOCK_EX); + file_put_contents($report_dir.'/inline.sig.html',$sig_html,LOCK_EX); + + if ($alert['warning']){ + $warning_html=dg_text_area_decode($config['installedpackages']['msalerts']['config'][0]['warning_html']); + $warning_txt=dg_text_area_decode($config['installedpackages']['msalerts']['config'][0]['warning_txt']);} + else{ + $warning_html=""; + $warning_txt="";} + file_put_contents($report_dir.'/inline.warning.txt',$warning_txt,LOCK_EX); + file_put_contents($report_dir.'/inline.warning.html',$warning_html,LOCK_EX); + + #check virus_scanner options + $libexec_dir="/usr/local/libexec/dansguardian/"; + if ($virus_scanning == "yes"){ + if ($antivirus['virus_scanner'] =="none"){ + unlink_if_exists($libexec_dir.'clamav-autoupdate'); + unlink_if_exists($libexec_dir.'clamav-wrapper'); + } + else{ + if (file_exists('/var/run/clamav/')) + chown('/var/run/clamav/', 'dansguardian'); + if (file_exists('/var/log/clamav/')) + chown('/var/log/clamav/', 'dansguardian'); + if (file_exists('/var/db/clamav/')) + chown('/var/db/clamav/', 'dansguardian'); + if (file_exists('/var/db/clamav/bytecode.cld')) + chown('/var/db/clamav/bytecode.cld', 'dansguardian'); + if (file_exists('/var/db/clamav/daily.cld')) + chown('/var/db/clamav/daily.cld', 'dansguardian'); + if (file_exists('/var/db/clamav/main.cvd')) + chown('/var/db/clamav/main.cvd', 'dansguardian'); + if (file_exists('/var/db/clamav/mirrors.dat')) + chown('/var/db/clamav/mirrors.dat', 'dansguardian'); + if (file_exists('/var/log/clamav/clamd.log')) + chown('/var/log/clamav/clamd.log', 'dansguardian'); + if (file_exists('/var/log/clamav/freshclam.log')) + chown('/var/log/clamav/freshclam.log', 'dansguardian'); + + copy($libexec_dir.'clamav-autoupdate.sample',$libexec_dir.'clamav-autoupdate'); + chmod ($libexec_dir.'clamav-autoupdate',0755); + copy($libexec_dir.'clamav-wrapper.sample',$libexec_dir.'clamav-wrapper'); + chmod ($libexec_dir.'clamav-autoupdate',0755); + if (!file_exists('/var/db/clamav/main.cvd')){ + log_error('No clamav database found, running freshclam in background.'); + mwexec_bg('/usr/local/bin/freshclam'); + } + #clamav-wrapper file + $cconf=$libexec_dir."clamav-wrapper"; + $cconf_file=file_get_contents($cconf); + if (preg_match('/"clamav"/',$cconf_file)){ + $cconf_file=preg_replace('/"clamav"/','"dansguardian"',$cconf_file); + file_put_contents($cconf, $cconf_file, LOCK_EX); + } + + #freshclam conf file + $cconf="/usr/local/etc/freshclam.conf"; + $cconf_file=file_get_contents($cconf); + if (preg_match('/DatabaseOwner clamav/',$cconf_file)){ + $cconf_file=preg_replace("/DatabaseOwner clamav/","DatabaseOwner dansguardian",$cconf_file); + file_put_contents($cconf, $cconf_file, LOCK_EX); + } + + #clamd conf file + $cconf="/usr/local/etc/clamd.conf"; + $cconf_file=file_get_contents($cconf); + if (preg_match('/User clamav/',$cconf_file)){ + $cconf_file=preg_replace("/User clamav/","User dansguardian",$cconf_file); + file_put_contents($cconf, $cconf_file, LOCK_EX); + } + #clamd script file + $script='/usr/local/etc/rc.d/clamav-clamd'; + $script_file=file($script); + foreach ($script_file as $script_line){ + if(preg_match("/command=/",$script_line)){ + $new_clamav_startup.= "/bin/mkdir /var/run/clamav\n"; + $new_clamav_startup.= "chown dansguardian /var/run/clamav\n"; + $new_clamav_startup.=$script_line; + } + elseif(!preg_match("/(mkdir|chown|sleep|dansguardian)/",$script_line)) { + $new_clamav_startup.=preg_replace("/NO/","YES",$script_line); + } + } + file_put_contents($script, $new_clamav_startup, LOCK_EX); + chmod ($script,0755); + mwexec("$script stop"); + mwexec_bg("$script start"); + } + } + else{ + unlink_if_exists($libexec_dir.'clamav-autoupdate'); + unlink_if_exists($libexec_dir.'clamav-wrapper'); + } + + #check dcc startup script + $script='/usr/local/etc/rc.d/dccifd'; + $script_file=file_get_contents($script); + if (preg_match('/NO/',$script_file)){ + $script_file=preg_replace("/NO/","YES",$script_file); + file_put_contents($script, $script_file, LOCK_EX); + chmod ($script,0755); + } + #check dcc config file + $script='/usr/local/dcc/dcc_conf'; + $script_file=file_get_contents($script); + if (preg_match('/DCCIFD_ENABLE=off/',$script_file)){ + $script_file=preg_replace("/DCCIFD_ENABLE=off/","DCCIFD_ENABLE=on",$script_file); + file_put_contents($script, $script_file, LOCK_EX); + } + mwexec("$script stop"); + mwexec_bg("$script start"); + + $script='/usr/local/etc/rc.d/dansguardian'; + + #fix MIME::ToolUtils deprecated function and usecure dependency calls in /usr/local/sbin/dansguardian + $cconf="/usr/local/sbin/dansguardian"; + $cconf_file=file_get_contents($cconf); + $pattern2[0]='/perl\W+I/'; + $pattern2[1]='/\smy .current = config MIME::ToolUtils/'; + $replacement2[0]='perl -U -I'; + $replacement2[1]=' #my $current = config MIME::ToolUtils'; + if (preg_match('/perl\W+I/',$cconf_file)){ + $cconf_file=preg_replace($pattern2,$replacement2,$cconf_file); + file_put_contents($cconf, $cconf_file, LOCK_EX); + #force old process stop + mwexec("$script stop"); + } + + $script_file=file_get_contents($script); + if (preg_match('/NO/',$script_file)){ + $script_file=preg_replace("/NO/","YES",$script_file); + file_put_contents($script, $script_file, LOCK_EX); + chmod ($script,0755); + } + if($config['installedpackages']['dansguardian']['config'][0]['enable']){ + log_error("Reload dansguardian"); + chmod ($script,0755); + mwexec("$script stop"); + sleep(2); + mwexec_bg("$script start"); + } + else{ + log_error("Stopping dansguardian if running"); + mwexec("$script stop"); + chmod ($script,0444); + } + conf_mount_ro(); + $synconchanges = $config['installedpackages']['dansguardiansync']['config'][0]['synconchanges']; + if(!$synconchanges && !$syncondbchanges) + return; + log_error("[dansguardian] dansguardian_xmlrpc_sync.php is starting."); + foreach ($config['installedpackages']['dansguardiansync']['config'] as $rs ){ + foreach($rs['row'] as $sh){ + $sync_to_ip = $sh['ipaddress']; + $password = $sh['password']; + $sync_type = $sh['sync_type']; + if($password && $sync_to_ip) + dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type); + } + } + log_error("[dansguardian] dansguardian_xmlrpc_sync.php is ending."); + +} + +function dansguardian_validate_input($post, &$input_errors) { + foreach ($post as $key => $value) { + if (empty($value)) + continue; + if (substr($key, 0, 6) == "domain" && is_numeric(substr($key, 6))) { + if (!is_domain($value)) + $input_errors[] = "{$value} is not a valid domain name."; + } else if (substr($key, 0, 12) == "mailserverip" && is_numeric(substr($key, 12))) { + if (empty($post['domain' . substr($key, 12)])) + $input_errors[] = "Domain for {$value} cannot be blank."; + if (!is_ipaddr($value) && !is_hostname($value)) + $input_errors[] = "{$value} is not a valid IP address or host name."; + } + } +} + +function dansguardian_php_install_command() { + sync_package_dansguardian(); +} + +function dansguardian_php_deinstall_command() { + mwexec("/usr/local/etc/rc.d/dansguardian.sh stop"); + sleep(1); + conf_mount_rw(); + unlink_if_exists("/usr/local/etc/rc.d/dansguardian.sh"); + conf_mount_ro(); +} + +function dansguardian_do_xmlrpc_sync($sync_to_ip, $password,$sync_type) { + global $config, $g; + + if(!$password) + return; + + if(!$sync_to_ip) + return; + + $xmlrpc_sync_neighbor = $sync_to_ip; + if($config['system']['webgui']['protocol'] != "") { + $synchronizetoip = $config['system']['webgui']['protocol']; + $synchronizetoip .= "://"; + } + $port = $config['system']['webgui']['port']; + /* if port is empty lets rely on the protocol selection */ + if($port == "") { + if($config['system']['webgui']['protocol'] == "http") + $port = "80"; + else + $port = "443"; + } + $synchronizetoip .= $sync_to_ip; + + /* xml will hold the sections to sync */ + $xml = array(); + $sync_xml=$config['installedpackages']['dansguardiansync']['config'][0]['synconchanges']; + if ($sync_xml){ + log_error("Include dansguardian config"); + $xml['dansguardian'] = $config['installedpackages']['dansguardian']; + $xml['msreport'] = $config['installedpackages']['msreport']; + $xml['mscontent'] = $config['installedpackages']['mscontent']; + $xml['msantivirus'] = $config['installedpackages']['msantivirus']; + $xml['msantispam'] = $config['installedpackages']['msantispam']; + $xml['msalerts'] = $config['installedpackages']['msalerts']; + } + if (count($xml) > 0){ + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($xml) + ); + + /* set a few variables needed for sync code borrowed from filter.inc */ + $url = $synchronizetoip; + log_error("Beginning dansguardian XMLRPC sync to {$url}:{$port}."); + $method = 'pfsense.merge_installedpackages_section_xmlrpc'; + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + if($g['debug']) + $cli->setDebug(1); + /* send our XMLRPC message and timeout after 250 seconds */ + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting dansguardian XMLRPC sync with {$url}:{$port}."; + log_error($error); + file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting dansguardian XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); + } else { + log_error("dansguardian XMLRPC sync successfully completed with {$url}:{$port}."); + } + + /* tell dansguardian to reload our settings on the destionation sync host. */ + $method = 'pfsense.exec_php'; + $execcmd = "require_once('/usr/local/pkg/dansguardian.inc');\n"; + $execcmd .= "sync_package_dansguardian();"; + + /* assemble xmlrpc payload */ + $params = array( + XML_RPC_encode($password), + XML_RPC_encode($execcmd) + ); + + log_error("dansguardian XMLRPC reload data {$url}:{$port}."); + $msg = new XML_RPC_Message($method, $params); + $cli = new XML_RPC_Client('/xmlrpc.php', $url, $port); + $cli->setCredentials('admin', $password); + $resp = $cli->send($msg, "250"); + if(!$resp) { + $error = "A communications error occurred while attempting dansguardian XMLRPC sync with {$url}:{$port} (pfsense.exec_php)."; + log_error($error); + file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); + } elseif($resp->faultCode()) { + $cli->setDebug(1); + $resp = $cli->send($msg, "250"); + $error = "An error code was received while attempting dansguardian XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString(); + log_error($error); + file_notice("sync_settings", $error, "dansguardian Settings Sync", ""); + } else { + log_error("dansguardian XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php)."); + } + } +} + +?> diff --git a/config/dansguardian/dansguardian.xml b/config/dansguardian/dansguardian.xml index f81be0e3..c8b630d1 100644 --- a/config/dansguardian/dansguardian.xml +++ b/config/dansguardian/dansguardian.xml @@ -7,7 +7,7 @@ /* $Id$ */ /* ========================================================================== */ /* - pfblocker.xml + dansguardian.xml part of the dansguardian for pfSense Copyright (C) 2012 Marcello Coutinho @@ -49,7 +49,7 @@ dansguardian Configure dansguardian -
Firewall
+
Services
pkg_edit.php?xml=dansguardian.xml @@ -125,7 +125,7 @@ Enable dansguardian - enable_cb + enable_dg checkbox @@ -168,7 +168,7 @@ Min/Max Spare Children - minsparechildren + sparechildren input 10 4/32
diff --git a/config/dansguardian/dansguardian_config.xml b/config/dansguardian/dansguardian_config.xml index 41e3c335..d3ed5277 100644 --- a/config/dansguardian/dansguardian_config.xml +++ b/config/dansguardian/dansguardian_config.xml @@ -104,7 +104,7 @@ Scan Options - report_options + scan_options select @@ -171,7 +171,7 @@ select - + diff --git a/config/dansguardian/dansguardian_limits.xml b/config/dansguardian/dansguardian_limits.xml index ecc3c020..2a1be7d6 100644 --- a/config/dansguardian/dansguardian_limits.xml +++ b/config/dansguardian/dansguardian_limits.xml @@ -7,7 +7,7 @@ /* $Id$ */ /* ========================================================================== */ /* - dansguardian_config.xml + dansguardian_limits.xml part of the dansguardian for pfSense Copyright (C) 2012 Marcello Coutinho diff --git a/config/dansguardian/dansguardian_log.xml b/config/dansguardian/dansguardian_log.xml index 885aebf8..386fe159 100644 --- a/config/dansguardian/dansguardian_log.xml +++ b/config/dansguardian/dansguardian_log.xml @@ -42,7 +42,7 @@ Describe your package here Describe your package requirements here Currently there are no FAQ items provided. - dansguardianlimits + dansguardianlog 1.0 Services: Dansguardian /usr/local/pkg/dansguardian.inc @@ -150,7 +150,7 @@ Logging Options - report_options + logging_options select -- cgit v1.2.3