From 093d135da031d8c951189a089f1425b55b6b427d Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 21:31:29 +0200 Subject: start squid-reverse [squid2] --- config/squid-reverse/squid.inc | 1436 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 1436 insertions(+) create mode 100644 config/squid-reverse/squid.inc (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc new file mode 100644 index 00000000..8dd2cc8e --- /dev/null +++ b/config/squid-reverse/squid.inc 
@@ -0,0 +1,1436 @@ + $names[$i], 'value' => $values[$i]); +} + +function squid_validate_general($post, $input_errors) { + global $config; + $settings = $config['installedpackages']['squid']['config'][0]; + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $port = $post['proxy_port'] ? $post['proxy_port'] : $port; + + $icp_port = trim($post['icp_port']); + if (!empty($icp_port) && !is_port($icp_port)) + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + + if (substr($post['log_dir'], -1, 1) == '/') + $input_errors[] = 'You may not end log location with an / mark'; + + if ($post['log_dir']{0} != '/') + $input_errors[] = 'You must start log location with a / mark'; + if (strlen($post['log_dir']) <= 3) + $input_errors[] = "That is not a valid log location dir"; + + $log_rotate = trim($post['log_rotate']); + if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; + + $webgui_port = $config['system']['webgui']['port']; + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { + $webgui_port = 80; + } + if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { + $webgui_port = 443; + } + + if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { + $input_errors[] = "You can not run squid on the same port as the webgui"; + } + + foreach (array('defined_ip_proxy_off') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + foreach (array('defined_ip_proxy_off_dest') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && 
!is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + + if(!empty($post['dns_nameservers'])) { + $altdns = explode(";", ($post['dns_nameservers'])); + foreach ($altdns as $dnssrv) { + if (!is_ipaddr($dnssrv)) + $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + }} +} + +function squid_validate_upstream($post, $input_errors) { + if ($post['proxy_forwarding'] == 'on') { + $addr = trim($post['proxy_addr']); + if (empty($addr)) + $input_errors[] = 'The field \'Hostname\' is required'; + else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) + $input_errors[] = "The field '$name' is required"; + else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + } + } + } +} + +function squid_validate_cache($post, $input_errors) { + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "You must enter a valid value for '$field'"; + } + + $value = trim($post['minimum_object_size']); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + + if (!empty($post['cache_swap_low'])) { + $value = trim($post['cache_swap_low']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + } + + if 
(!empty($post['cache_swap_high'])) { + $value = trim($post['cache_swap_high']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + } + + if ($post['donotcache'] != "") { + foreach (split("\n", $post['donotcache']) as $host) { + $host = trim($host); + if (!is_ipaddr($host) && !is_domain($host)) + $input_errors[] = "The host '$host' is not a valid IP or host name"; + } + } + + squid_dash_z(); + +} + +function squid_validate_nac($post, $input_errors) { + $allowed_subnets = explode("\n", $post['allowed_subnets']); + foreach ($allowed_subnets as $subnet) { + $subnet = trim($subnet); + if (!empty($subnet) && !is_subnet($subnet)) + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + } + + foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { + foreach (explode("\n", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host)) + $input_errors[] = "The host '$host' is not a valid IP address"; + } + } + + foreach (array('unrestricted_macs', 'banned_macs') as $macs) { + foreach (explode("\n", $post[$macs]) as $mac) { + $mac = trim($mac); + if (!empty($mac) && !is_macaddr($mac)) + $input_errors[] = "The mac '$mac' is not a valid MAC address"; + } + } + + foreach (explode(",", $post['timelist']) as $time) { + $time = trim($time); + if (!empty($time) && !squid_is_timerange($time)) + $input_errors[] = "The time range '$time' is not a valid time range"; + } + + if(!empty($post['ext_cachemanager'])) { + $extmgr = explode(";", ($post['ext_cachemanager'])); + foreach ($extmgr as $mgr) { + if (!is_ipaddr($mgr)) + $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + }} +} + +function squid_validate_traffic($post, $input_errors) { + $num_fields = array( 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 
'overall_throttling' => 'Overall bandwidth throttling', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "The field '$name' must contain a positive number"; + } + + if (!empty($post['quick_abort_min'])) { + $value = trim($post['quick_abort_min']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_max'])) { + $value = trim($post['quick_abort_max']); + if (!is_numeric($value)) + $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + } + + if (!empty($post['quick_abort_pct'])) { + $value = trim($post['quick_abort_pct']); + if (!is_numeric($value) || ($value > 100)) + $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; + } + +} + +function squid_validate_auth($post, $input_errors) { + $num_fields = array( array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), + ); + foreach ($num_fields as $field) { + $value = trim($post[$field[0]]); + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) + $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + } + + $auth_method = $post['auth_method']; + if (($auth_method != 'none') && ($auth_method != 'local')) { + $server = trim($post['auth_server']); + if (empty($server)) + $input_errors[] = 'The field \'Authentication server\' is required'; + else if (!is_ipaddr($server) && !is_domain($server)) + $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + + $port = trim($post['auth_server_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + + switch ($auth_method) { + case 'ldap': + $user = trim($post['ldap_user']); + 
if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!$user) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + break; + } + + $no_auth = explode("\n", $post['no_auth_hosts']); + foreach ($no_auth as $host) { + $host = trim($host); + if (!empty($host) && !is_subnet($host)) + $input_errors[] = "The host '$host' is not a valid CIDR range"; + } + } +} + +function squid_install_cron($should_install) { + global $config, $g; + if($g['booting']==true) + return; + $is_installed = false; + if(!$config['cron']['item']) + return; + $x=0; + foreach($config['cron']['item'] as $item) { + if(strstr($item['task_name'], "squid_rotate_logs")) { + $is_installed = true; + break; + } + $x++; + } + switch($should_install) { + case true: + if(!$is_installed) { + $cron_item = array(); + $cron_item['task_name'] = "squid_rotate_logs"; + $cron_item['minute'] = "0"; + $cron_item['hour'] = "0"; + $cron_item['mday'] = "*"; + $cron_item['month'] = "*"; + $cron_item['wday'] = "*"; + $cron_item['who'] = "root"; + $cron_item['command'] = "/usr/local/sbin/squid -k rotate"; + $config['cron']['item'][] = $cron_item; + parse_config(true); + write_config("Squid Log Rotation"); + configure_cron(); + } + break; + case false: + if($is_installed == true) { + if($x > 0) { + unset($config['cron']['item'][$x]); + parse_config(true); + write_config(); + } + configure_cron(); + } + break; + } +} + +function squid_resync_general() { + global $g, $config, $valid_acls; + + $settings = $config['installedpackages']['squid']['config'][0]; + 
$conf = "# This file is automatically generated by pfSense\n"; + $conf = "# Do not edit manually !\n"; + + $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); + $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); + $real_ifaces = array(); + foreach (explode(",", $ifaces) as $i => $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + if($real_ifaces[$i][0]) { + $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; + } + } + if (($settings['transparent_proxy'] == 'on')) { + $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " transparent\n"; + } + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); + + $pidfile = "{$g['varrun_path']}/squid.pid"; + $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); + $errordir = SQUID_CONFBASE . '/errors/' . $language; + $icondir = SQUID_CONFBASE . '/icons'; + $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); + $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); + + $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); + + $logdir_cache = $logdir . '/cache.log'; + $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); + + $conf .= << 'src', + 'banned_hosts' => 'src', + 'whitelist' => 'dstdom_regex -i', + 'blacklist' => 'dstdom_regex -i', + ); + foreach ($options as $option => $directive) { + $contents = base64_decode($settings[$option]); + if (!empty($contents)) { + file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); + $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; + $valid_acls[] = $option; + } + elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + unlink(SQUID_ACLDIR . 
"/$option.acl"); + } + } + + $conf .= << $binaries, + 'throttle_cdimages' => $cdimages, + 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') + $exts = array_merge($exts, explode(",", $set)); + } + + foreach (explode(",", $settings['throttle_others']) as $ext) { + if (!empty($ext)) $exts[] = $ext; + } + + $contents = ''; + foreach ($exts as $ext) + $contents .= "\.$ext\$\n"; + file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); + + $conf .= "# Throttle extensions matched in the url\n"; + $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; + $conf .= "delay_access 1 allow throttle_exts\n"; + $conf .= "delay_access 1 deny all\n"; + } + else + $conf .= "delay_access 1 allow all\n"; + + return $conf; +} + +function squid_resync_auth() { + global $config, $valid_acls; + + $settings = $config['installedpackages']['squidauth']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; + $settingsconfig = $config['installedpackages']['squid']['config'][0]; + $conf = ''; + + // Custom Options + if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { + $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); + $conf .= "# Custom options\n"; + foreach ($custopts as $custopt) { + $conf .= $custopt."\n"; + } + } + + // Deny the banned guys before allowing the good guys + if(! empty($settingsnac['banned_hosts'])) { + if (squid_is_valid_acl('banned_hosts')) { + $conf .= "# These hosts are banned\n"; + $conf .= "http_access deny banned_hosts\n"; + } + } + if(! empty($settingsnac['banned_macs'])) { + if (squid_is_valid_acl('banned_macs')) { + $conf .= "# These macs are banned\n"; + $conf .= "http_access deny banned_macs\n"; + } + } + + // Unrestricted hosts take precendence over blacklist + if(! 
empty($settingsnac['unrestricted_hosts'])) { + if (squid_is_valid_acl('unrestricted_hosts')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_hosts\n"; + } + } + if(! empty($settingsnac['unrestricted_macs'])) { + if (squid_is_valid_acl('unrestricted_macs')) { + $conf .= "# These hosts do not have any restrictions\n"; + $conf .= "http_access allow unrestricted_macs\n"; + } + } + + // Whitelist and blacklist also take precendence over other allow rules + if(! empty($settingsnac['whitelist'])) { + if (squid_is_valid_acl('whitelist')) { + $conf .= "# Always allow access to whitelist domains\n"; + $conf .= "http_access allow whitelist\n"; + } + } + if(! empty($settingsnac['blacklist'])) { + if (squid_is_valid_acl('blacklist')) { + $conf .= "# Block access to blacklist domains\n"; + $conf .= "http_access deny blacklist\n"; + } + } + + $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); + $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + // Allow the remaining ACLs if no authentication is set + if ($auth_method == 'none') { + $conf .="# Setup allowed acls\n"; + $allowed = array('allowed_subnets'); + if ($settingsconfig['allow_interface'] == 'on') { + $conf .= "# Allow local network(s) on interface(s)\n"; + $allowed[] = "localnet"; + } + $allowed = array_filter($allowed, 'squid_is_valid_acl'); + foreach ($allowed as $acl) + $conf .= "http_access allow $acl\n"; + } + else { + $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); + if (!empty($noauth)) { + $conf .= "acl noauth src $noauth\n"; + $valid_acls[] = 'noauth'; + } + + // Set up the external authentication programs + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); + $prompt = ($settings['auth_prompt'] ? 
$settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); + switch ($auth_method) { + case 'local': + $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'msnt': + $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; + squid_resync_msnt(); + break; + } + $conf .= << + + + +EOD; + } + else { + $javascript = << + + + +EOD; + } + + print($javascript); +} + +function squid_print_javascript_auth2() { + print("\n"); +} + +function squid_generate_rules($type) { + global $config; + + $squid_conf = $config['installedpackages']['squid']['config'][0]; + + if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { + return; + } + + if (!is_service_running('squid')) { + log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); + return; + } + + $ifaces = explode(",", $squid_conf['active_interface']); + $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); + $port = ($squid_conf['proxy_port'] ? 
$squid_conf['proxy_port'] : 3128); + + $fw_aliases = filter_generate_aliases(); + if(strstr($fw_aliases, "pptp =")) + $PPTP_ALIAS = "\$pptp"; + else + $PPTP_ALIAS = "\$PPTP"; + if(strstr($fw_aliases, "PPPoE =")) + $PPPOE_ALIAS = "\$PPPoE"; + else + $PPPOE_ALIAS = "\$pppoe"; + + switch($type) { + case 'nat': + $rules .= "\n# Setup Squid proxy redirect\n"; + if ($squid_conf['private_subnet_proxy_off'] == 'on') { + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off'])) { + $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); + $exempt_ip = ""; + foreach ($defined_ip_proxy_off as $ip_proxy_off) { + if(!empty($ip_proxy_off)) { + $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; + $exempt_ip .= ", $ip_proxy_off"; + } + } + $exempt_ip = substr($exempt_ip,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules 
.= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port 80\n"; + } + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if(!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port 80\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port 80\n"; + } + } + foreach ($ifaces as $iface) { + $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; + } + /* Handle PPPOE case */ + if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { + $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; + } + /* Handle PPTP case */ + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . 
"\n"; + } + $rules .= "\n"; + break; + case 'filter': + case 'rule': + foreach ($ifaces as $iface) { + $rules .= "# Setup squid pass rules for proxy\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; + $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n"; + $rules .= "\n"; + }; + if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { + $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { + $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; + } + break; + default: + break; + } + + return $rules; +} + +function squid_write_rcfile() { + $rc = array(); + $rc['file'] = 'squid.sh'; + $rc['start'] = <</dev/null +killall pinger 2>/dev/null + +EOD; + $rc['restart'] = << -- cgit v1.2.3 From ff3490f72ab7ac9cfb30fd0e415cbcb69a4b6cd5 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 27 Sep 2011 22:12:22 +0200 Subject: cerver certs --- config/squid-reverse/squid.inc | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 8dd2cc8e..2784dd25 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -117,6 +117,16 @@ function squid_is_valid_acl($acl) { return in_array($acl, $valid_acls); } +function squid_get_server_certs() { + global $config; + $cert_arr = array(); + $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); + foreach ($config['cert'] as $cert) { + $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); + } + return $cert_arr; +} + function squid_install_command() { global $config; global $g; -- cgit v1.2.3 From 3a9cd05d2d1aa5f49ede2ab93ab796ca099402bd Mon Sep 17 00:00:00 2001 
From: Martin Fuchs
Date: Tue, 27 Sep 2011 22:27:57 +0200
Subject: basics for squid_resync_reverse
---
 config/squid-reverse/squid.inc | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'config/squid-reverse/squid.inc')
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
index 2784dd25..ffd17569 100644
--- a/config/squid-reverse/squid.inc
+++ b/config/squid-reverse/squid.inc
@@ -936,6 +936,16 @@ EOD;
 return $conf;
 }
+function squid_resync_reverse() {
+ global $config, $valid_acls;
+ if(!is_array($valid_acls))
+ return;
+ $settings = $config['installedpackages']['squidreverse']['config'][0];
+ $conf = '';
+
+ return $conf;
+}
+
 function squid_resync_auth() {
 global $config, $valid_acls;
@@ -1109,6 +1119,7 @@ function squid_resync() {
 $conf .= squid_resync_upstream() . "\n";
 $conf .= squid_resync_nac() . "\n";
 $conf .= squid_resync_traffic() . "\n";
+ $conf .= squid_resync_reverse() . "\n";
 $conf .= squid_resync_auth();
 squid_resync_users();
 squid_write_rcfile();
-- cgit v1.2.3
From 2b6a30287a6ec1c2ac1f2e59edf8afbff565f80f Mon Sep 17 00:00:00 2001
From: Martin Fuchs
Date: Tue, 27 Sep 2011 22:31:42 +0200
Subject: basics for squid_validate_reverse
---
 config/squid-reverse/squid.inc | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'config/squid-reverse/squid.inc')
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
index ffd17569..d0dad31d 100644
--- a/config/squid-reverse/squid.inc
+++ b/config/squid-reverse/squid.inc
@@ -485,6 +485,10 @@ function squid_validate_traffic($post, $input_errors) {
 if (!is_numeric($value) || ($value > 100))
 $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value";
 }
+}
+
+function squid_validate_reverse($post, $input_errors) {
+
 }
@@ -943,6 +947,8 @@ function squid_resync_reverse() {
 $settings = $config['installedpackages']['squidreverse']['config'][0];
 $conf = '';
+
+
 return $conf;
 }
-- cgit v1.2.3
From e1d40c40e30883031d3565d305c09b91781d15aa Mon Sep 17 00:00:00 2001
From: Martin Fuchs
Date: Tue, 27 Sep 2011 23:03:51 +0200
Subject: few options beginning to work
---
 config/squid-reverse/squid.inc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'config/squid-reverse/squid.inc')
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
index d0dad31d..cbd18b68 100644
--- a/config/squid-reverse/squid.inc
+++ b/config/squid-reverse/squid.inc
@@ -489,6 +489,7 @@ function squid_validate_traffic($post, $input_errors) {
 function squid_validate_reverse($post, $input_errors) {
+// CONF
 }
@@ -595,7 +596,7 @@ function squid_resync_general() {
 $settings = $config['installedpackages']['squid']['config'][0];
 $conf = "# This file is automatically generated by pfSense\n";
- $conf = "# Do not edit manually !\n";
+ $conf .= "# Do not edit manually !\n";
 $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
 $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan');
@@ -946,9 +947,12 @@ function squid_resync_reverse() {
 return;
 $settings = $config['installedpackages']['squidreverse']['config'][0];
 $conf = '';
-
-
-
+
+// CONF
+ $conf .= "# Reverse Proxy settings\n";
+ if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n";
+ if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n";
+
 return $conf;
 }
-- cgit v1.2.3
From ae1cfe7f86d39dd291a3af92f57f911bb64341b9 Mon Sep 17 00:00:00 2001
From: Martin Fuchs
Date: Thu, 29 Sep 2011 13:42:34 +0200
Subject: proxy http port definition working
---
 config/squid-reverse/squid.inc | 50 ++++++++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 12 deletions(-)
(limited to 'config/squid-reverse/squid.inc')
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
index cbd18b68..32f7d387 100644
--- a/config/squid-reverse/squid.inc
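Review bot: `$conf .= "extension_methods {$settings['extension_methods']}\n";` copies the stored field into squid.conf verbatim while squid_validate_reverse, touched in the same commit (`@@ -489,6 +489,7 @@`), still contains only `// CONF`, so a value with an embedded newline or extra tokens would be emitted unchanged and could alter the generated configuration. The directive takes a whitespace-separated list of HTTP method names, so validation can be strict, e.g. `if (!empty($post['extension_methods']) && !preg_match('/^[A-Za-z]+(\s+[A-Za-z]+)*$/', trim($post['extension_methods']))) $input_errors[] = 'Extension methods must be a space-separated list of method names';`. `deny_info TCP_RESET all` is a fixed string and needs no check.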
+++ b/config/squid-reverse/squid.inc
@@ -117,16 +117,6 @@ function squid_is_valid_acl($acl) {
 return in_array($acl, $valid_acls);
 }
-function squid_get_server_certs() {
- global $config;
- $cert_arr = array();
- $cert_arr[] = array('refid' => 'none', 'descr' => 'none');
- foreach ($config['cert'] as $cert) {
- $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
- }
- return $cert_arr;
-}
-
 function squid_install_command() {
 global $config;
 global $g;
@@ -489,7 +479,16 @@ function squid_validate_traffic($post, $input_errors) {
 function squid_validate_reverse($post, $input_errors) {
-// CONF
+ $port = trim($post['reverse_http_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number';
+
+ $port = trim($post['reverse_https_port']);
+ if (!empty($port) && !is_port($port))
+ $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number';
+
+ if ($post['reverse_ssl_cert'] == 'none')
+ $input_errors[] = 'A valid certificate for the external interface must be selected';
 }
@@ -941,6 +940,16 @@ EOD;
 return $conf;
 }
+function squid_get_server_certs() {
+ global $config;
+ $cert_arr = array();
+ $cert_arr[] = array('refid' => 'none', 'descr' => 'none');
+ foreach ($config['cert'] as $cert) {
+ $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
+ }
+ return $cert_arr;
+}
+
 function squid_resync_reverse() {
 global $config, $valid_acls;
 if(!is_array($valid_acls))
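Review bot: `if ($post['reverse_ssl_cert'] == 'none')` rejects the form whenever no certificate is selected, even when the HTTPS listener is not enabled, so a plain-HTTP reverse proxy cannot be saved; tie it to the HTTPS toggle, `if (!empty($post['reverse_https']) && $post['reverse_ssl_cert'] == 'none')` (the field name `reverse_https` is taken from the resync code in `@@ -948,8 +957,25 @@`, so confirm it matches the form). `reverse_external_fqdn`, `reverse_http_defsite` and `reverse_https_defsite` are interpolated into `defaultsite=` by that same hunk but receive no check here; an `is_domain()`/`is_ipaddr()` test in the style of squid_validate_upstream would keep a malformed value out of squid.conf. The two port checks are fine as written.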
@@ -948,8 +957,25 @@ function squid_resync_reverse() {
 $settings = $config['installedpackages']['squidreverse']['config'][0];
 $conf = '';
-// CONF
 $conf .= "# Reverse Proxy settings\n";
+ $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
+ $real_ifaces = array();
+ foreach (explode(",", $ifaces) as $i => $iface) {
+ $real_ifaces[] = squid_get_real_interface_address($iface);
+ if($real_ifaces[$i][0]) {
+ //HTTP
+ if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n";
+ if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n";
+ if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n";
+ if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n";
+ //HTTPS
+ if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']}\n";
+ if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']} vhost\n";
+ if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n";
+ if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n";
+ }
+ }
+
 if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n";
 if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n";
-- cgit v1.2.3
From 468c21369d8f8357916204fc584651f01bd14659 Mon Sep 17 00:00:00 2001
From: Martin Fuchs
Date: Thu, 29 Sep 2011 14:53:45 +0200
Subject: proxy https definition and cert writeout working
---
 config/squid-reverse/squid.inc | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
(limited to 'config/squid-reverse/squid.inc')
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
index 32f7d387..8cd05136 100644
--- a/config/squid-reverse/squid.inc
+++ b/config/squid-reverse/squid.inc
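Review bot: The eight `if (...) $conf .= "# http_port ..."` lines differ only in which port default and which `defaultsite=` source they pick, so each scheme can be one emit after computing the two values once; the rewrite for the HTTP group is below and the HTTPS group follows the same shape. Note also that every emitted line starts with `# `, so squid reads them as comments and no listener is configured — presumably intentional while the feature is being built, but worth a `// TODO: drop the '# ' prefix once the listener lines are verified` until it is. Among the HTTPS variants the first (`:443 ... defaultsite={$settings['reverse_external_fqdn']}\n`) omits `vhost` while the other three include it, which looks like an oversight; those lines are rewritten in commit 468c213, whose hunk is cut off on this page, so I cannot tell whether it survived. The enclosing function continues outside this hunk.
```php
if($real_ifaces[$i][0]) {
	//HTTP
	if (!empty($settings['reverse_http'])) {
		$http_port = (empty($settings['reverse_http_port']) ? 80 : $settings['reverse_http_port']);
		$http_defsite = (empty($settings['reverse_http_defsite']) ? $settings['reverse_external_fqdn'] : $settings['reverse_http_defsite']);
		$conf .= "# http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n";
	}
	// … unchanged: HTTPS lines …
}
```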
@@ -958,6 +958,21 @@ function squid_resync_reverse() {
 $conf = '';
 $conf .= "# Reverse Proxy settings\n";
+
+ if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") {
+ $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
+ if ($svr_cert != false) {
+ if(base64_decode($svr_cert['crt'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",
+ base64_decode($svr_cert['crt']));
+ $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
+ }
+ if(base64_decode($svr_cert['prv'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",
+ base64_decode($svr_cert['prv']));
+ $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
+ }}}
+
 $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
 $real_ifaces = array();
 foreach (explode(",", $ifaces) as $i => $iface) {
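Review bot: The private key written by `file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", ...)` is created with the process umask, so it may end up readable by other local users; add `chmod(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key", 0600);` directly after the write. `base64_decode($svr_cert['prv'])` (and `['crt']`) is evaluated twice per branch; decode once into a local and test that. The `}}}` closer on one line hides three levels of nesting that the rest of the file closes one brace per line. squid_resync_reverse continues outside the hunk.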
@@ -969,10 +984,10 @@ function squid_resync_reverse() { if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert=/usr/local/etc/squid/XXX.crt key=/usr/local/etc/squid/XXX.key defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# 
https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } -- cgit v1.2.3 From fc94eabf28e3776296703521e0fa3d0176fe9de0 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Thu, 29 Sep 2011 20:59:13 +0200 Subject: remove #, let the game begin... --- config/squid-reverse/squid.inc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 8cd05136..925d1691 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
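Review bot: The https_port lines now interpolate `$reverse_crt` and `$reverse_key`, but both stay undefined when `reverse_ssl_cert` is `none` or the decode in the certificate block failed, producing `cert= key=` in squid.conf and a listener squid cannot start. Guard the HTTPS branch with `if (!empty($settings['reverse_https']) && !empty($reverse_crt) && !empty($reverse_key)) {` so an unusable listener is never written. squid_resync_reverse continues outside the hunk.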
@@ -979,15 +979,15 @@ function squid_resync_reverse() { $real_ifaces[] = squid_get_real_interface_address($iface); if($real_ifaces[$i][0]) { //HTTP - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; - if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "# http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; + if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; + if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && 
(!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; //HTTPS - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; - if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; - if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "# https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; + if (!empty($settings['reverse_https']) && 
empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; + if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } -- cgit v1.2.3 From 696863f625b7c55a387bb8411563c1d831203127 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 12:07:13 +0200 Subject: owa witard working --- config/squid-reverse/squid.inc | 58 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 925d1691..3794c47e 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -310,6 +310,7 @@ function squid_validate_general($post, $input_errors) { $log_rotate = trim($post['log_rotate']); if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) + $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; $webgui_port = $config['system']['webgui']['port']; @@ -479,6 +480,10 @@ function squid_validate_traffic($post, $input_errors) { function squid_validate_reverse($post, $input_errors) { + $fqdn = trim($post['reverse_external_fqdn']); + if (!empty($fqdn) && !is_domain($fqdn)) + $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + $port = trim($post['reverse_http_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; 
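Review bot: In the `@@ -479,6 +480,10 @@` hunk `reverse_external_fqdn` is validated only when non-empty, yet squid_resync_reverse uses it as `defaultsite=` whenever no per-scheme defsite is set, so an empty field saves cleanly and yields `defaultsite=` in squid.conf. Require it when a listener is enabled: `if (empty($fqdn) && (($post['reverse_http'] == 'on') || ($post['reverse_https'] == 'on'))) $input_errors[] = 'The field \'external FQDN\' is required when reverse HTTP or HTTPS is enabled';`. squid_validate_reverse continues outside the hunk.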
@@ -490,6 +495,14 @@ function squid_validate_reverse($post, $input_errors) {
 if ($post['reverse_ssl_cert'] == 'none')
 $input_errors[] = 'A valid certificate for the external interface must be selected';
+ if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
+ $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
+ }
+
+ $rowa = trim($post['reverse_owa_ip']);
+ if (!empty($rowa) && !is_ipaddr($rowa))
+ $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address';
+
 }
 function squid_validate_auth($post, $input_errors) {
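Review bot: `reverse_owa_ip` is checked only when present, but the generator emits the OWA peer and ACLs only when both `reverse_owa == 'on'` and the IP is non-empty, so enabling OWA with a blank address saves without error and silently produces nothing. Add `if (($post['reverse_owa'] == 'on') && empty($rowa)) $input_errors[] = 'An OWA frontend IP address is required when OWA support is enabled';` after the format check. The start of squid_validate_reverse is outside the hunk.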
@@ -990,8 +1003,51 @@ function squid_resync_reverse() { if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } + //PEERS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=OWA_HOST_pfs\n"; + + //ACLs + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/owa.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchange.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/public.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchwebexchweb.*$\n"; + } + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_activesync'] == 'on')) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/Microsoft-Server-ActiveSync.*$\n"; + } + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_rpchttp'] == 'on')) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpc/rpcproxy.dll.*$\n"; + $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; + } + + //ACCESS + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { + $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; + $conf .= "cache_peer_access OWA_HOST_pfs deny all\n"; + $conf .= "never_direct allow OWA_URI_pfs\n"; + $conf .= 
"http_access allow OWA_URI_pfs\n"; + } + + /* + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/owa.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchange.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/public.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchweb.*$; + + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/Microsoft-Server-ActiveSync.*$; + acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/rpc/rpcproxy.dll.*$; + + cache_peer_access CYGNUS_SSL allow OWA; + cache_peer_access CYGNUS_SSL deny all; + + never_direct allow OWA; + + http_access allow OWA; + + #miss_access allow OWA; + */ - if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n"; if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; return $conf; -- cgit v1.2.3 From c828ba8054534c082d5cf226dc987ed451a457c6 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 12:09:59 +0200 Subject: cleanup --- config/squid-reverse/squid.inc | 18 ------------------ 1 file changed, 18 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 3794c47e..1c68045f 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
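Review bot: The fourth OWA ACL matches `/exchwebexchweb.*$`, which looks like a doubled `/exchweb`; the commented reference block in the same hunk uses `/exchweb.*$`. The hunk also removes the `if (!empty($settings['extension_methods'])) $conf .= "extension_methods {$settings['extension_methods']}\n";` line, so a user-configured extension_methods value is no longer written at all. The `cache_peer ... ssl sslflags=DONT_VERIFY_PEER` line turns off certificate verification toward the OWA backend; that trade-off deserves a comment such as `// backend certificate is not verified (DONT_VERIFY_PEER) - internal OWA hosts usually carry private-CA certs` and, ideally, a checkbox rather than a hard-coded flag. squid_resync_reverse continues outside the hunk.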
@@ -1029,25 +1029,7 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } - /* - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/owa.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchange.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/public.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/exchweb.*$; - - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/Microsoft-Server-ActiveSync.*$; - acl OWA url_regex -i ^https://xg1.fuchs-kiel.de/rpc/rpcproxy.dll.*$; - - cache_peer_access CYGNUS_SSL allow OWA; - cache_peer_access CYGNUS_SSL deny all; - - never_direct allow OWA; - - http_access allow OWA; - #miss_access allow OWA; - */ - if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; return $conf; -- cgit v1.2.3 From fccac1d03c0ae59a36845eb9b30a9ad45f7f7738 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 13:50:20 +0200 Subject: peers work --- config/squid-reverse/squid.inc | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 1c68045f..55e2facd 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -1005,6 +1005,17 @@ function squid_resync_reverse() { } //PEERS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=OWA_HOST_pfs\n"; + + $contents = base64_decode($settings['reverse_cache_peer']); + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; + if($cfg[3] == 'HTTPS') + $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; + }} //ACLs if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { @@ -1028,10 +1039,23 @@ function squid_resync_reverse() { $conf .= "never_direct allow OWA_URI_pfs\n"; $conf .= "http_access allow OWA_URI_pfs\n"; } - + +/* + $contents = base64_decode($settings['reverse_cache_peer']); + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + $conf .= "# cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; + if($cfg[3] == 'HTTPS') + $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; + }} +*/ + + $conf .= "\n"; if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; - return $conf; } -- cgit v1.2.3 From c635d9e80797e99c78db01f2023ad6607dd2c65b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 14:32:49 +0200 Subject: a little sorting and some errorchecks and enhanced logics missing... --- config/squid-reverse/squid.inc | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) (limited to 'config/squid-reverse/squid.inc') 
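Review bot: The generated `cache_peer` line interpolates `$cfg[1]` and `$cfg[2]` straight from the decoded textarea with no format check at this commit (the checks for them only appear in the later `@@ -499,24 +499,29 @@` hunk), and `$cfg[3] == 'HTTPS'` is read even when a line has fewer than four fields. Splitting on `"\r\n"` also treats a textarea saved with bare `\n` as a single line; `preg_split('/\r?\n/', $contents)` handles both. The commented copy of the same block added by this commit's second hunk is dead code. squid_resync_reverse continues outside the hunk.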
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 55e2facd..e3704ab6 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1032,6 +1032,20 @@ function squid_resync_reverse() { $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; } + + $contents = base64_decode($settings['revrse_uri']); + if(!empty($contents)) { +$conf .= "# -= TESTING AREA =-\n"; + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; +// if($cfg[3] == 'HTTPS') +// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; +// $conf .= "name={$cfg[0]}\n"; + }} + + //ACCESS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; @@ -1040,18 +1054,19 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } -/* - $contents = base64_decode($settings['reverse_cache_peer']); + + $contents = base64_decode($settings['reverse_acl']); if(!empty($contents)) { +$conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); - $conf .= "# cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; - if($cfg[3] == 'HTTPS') - $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; + $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; + $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; + $conf .= "# never direct allow {$cfg[1]}\n"; + $conf .= "# http_access allow {$cfg[1]}\n"; }} -*/ + $conf .= "\n"; -- cgit v1.2.3 From ce2735901deac81ac11f675224dd01c531b1a3df Mon Sep 17 00:00:00 2001 
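Review bot: The first hunk reads `$settings['revrse_uri']`, which does not follow the `reverse_*` spelling of every other key in this function; if the form field is stored as `reverse_uri` this block never emits anything, so please confirm the key against the package XML. The `# -= TESTING AREA =-` marker and the column-0 `$conf .=` lines in both hunks should not ship in a generated config. squid_resync_reverse continues outside the hunk.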
From: Martin Fuchs Date: Fri, 30 Sep 2011 14:44:50 +0200 Subject: fix acl generation bug --- config/squid-reverse/squid.inc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index e3704ab6..03b60f30 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1034,15 +1034,16 @@ function squid_resync_reverse() { $contents = base64_decode($settings['revrse_uri']); - if(!empty($contents)) { + if(!empty($contents)) { $conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { - $cfg = explode(";",($def)); - $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; -// if($cfg[3] == 'HTTPS') -// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; -// $conf .= "name={$cfg[0]}\n"; + if (($cfg[0]) != '' && ($cfg[1]) != '') + $cfg = explode(";",($def)); + $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; +// if($cfg[3] == 'HTTPS') +// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; +// $conf .= "name={$cfg[0]}\n"; }} -- cgit v1.2.3 From 8d2bcb1c7668ce8533f87289795646e47b90cb4b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 14:58:45 +0200 Subject: add some checks --- config/squid-reverse/squid.inc | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 03b60f30..7e6acd3a 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
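Review bot: The added guard `if (($cfg[0]) != '' && ($cfg[1]) != '')` runs before `$cfg = explode(";",($def));`, so it tests the previous iteration's `$cfg` (undefined on the first pass), and being brace-less it guards only the explode while the `$conf .=` line always executes. Swap the two lines and brace the body: `$cfg = explode(";", $def); if ($cfg[0] != '' && $cfg[1] != '') { ... }`. squid_resync_reverse continues outside the hunk.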
@@ -1011,11 +1011,12 @@ function squid_resync_reverse() { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); - $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; - if($cfg[3] == 'HTTPS') - $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; - }} + if (($cfg[0]) != '' && ($cfg[1]) != '' && ($cfg[2]) != ''){ + $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; + if($cfg[3] == 'HTTPS') + $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; + }}} //ACLs if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { @@ -1032,19 +1033,18 @@ function squid_resync_reverse() { $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; } - $contents = base64_decode($settings['revrse_uri']); if(!empty($contents)) { $conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { - if (($cfg[0]) != '' && ($cfg[1]) != '') - $cfg = explode(";",($def)); + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; // if($cfg[3] == 'HTTPS') // $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; // $conf .= "name={$cfg[0]}\n"; - }} + }}} //ACCESS 
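Review bot: In the first hunk `$cfg[3] == 'HTTPS'` is still evaluated unconditionally, so a three-field line raises an undefined-offset notice; use `if (isset($cfg[3]) && $cfg[3] == 'HTTPS')`. The peer name `$cfg[0]` goes into `name=` without any check on its shape; restricting it to a single token in squid_validate_reverse, e.g. `preg_match('/^[A-Za-z0-9_.-]+$/', $cfg[0])`, keeps whitespace and line breaks out of the directive. The `}}}` closers hide the nesting; one closing brace per line matches the rest of the file. Both hunks' enclosing function continues outside the hunk.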
@@ -1062,11 +1062,12 @@ $conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); - $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; - $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; - $conf .= "# never direct allow {$cfg[1]}\n"; - $conf .= "# http_access allow {$cfg[1]}\n"; - }} + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; + $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; + $conf .= "# never direct allow {$cfg[1]}\n"; + $conf .= "# http_access allow {$cfg[1]}\n"; + }}} $conf .= "\n"; -- cgit v1.2.3 From 20eed5536e0e961e9a6b157b60b950e1491dee58 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 15:23:05 +0200 Subject: multi-fqdn for vhost --- config/squid-reverse/squid.inc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 7e6acd3a..5877ab58 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1040,8 +1040,11 @@ $conf .= "# -= TESTING AREA =-\n"; foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']} {$cfg[1]}.*$\n"; -// if($cfg[3] == 'HTTPS') + if($cfg[2] != '') + $conf .= "# acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; + if($cfg[2] == '') + $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; +// if($cfg[2] == 'HTTPS') // $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; // $conf .= "name={$cfg[0]}\n"; }}} -- cgit v1.2.3 From bf995ed3b06f77503ebddfdd841e70656e7356d2 Mon Sep 17 00:00:00 2001 
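Review bot: In the `@@ -1040,8 +1040,11 @@` hunk `$cfg[2]` is read without `isset`, so a two-field line raises a notice, and the `!= ''` / `== ''` pair is really an `if`/`else`. The host in these `url_regex` ACLs is also not anchored, unlike the OWA ACLs that begin with `^https://`; without `^` the pattern matches anywhere in the URL, so consider `acl {$cfg[0]} url_regex -i ^https?://{$cfg[2]}/{$cfg[1]}.*$`. squid_resync_reverse continues outside the hunk.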
From: Martin Fuchs Date: Fri, 30 Sep 2011 15:26:22 +0200 Subject: remove # - let the game gbegin --- config/squid-reverse/squid.inc | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 5877ab58..43ce8bcd 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -1035,18 +1035,14 @@ function squid_resync_reverse() { $contents = base64_decode($settings['revrse_uri']); if(!empty($contents)) { -$conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ if($cfg[2] != '') - $conf .= "# acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; + $conf .= "acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; if($cfg[2] == '') - $conf .= "# acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; -// if($cfg[2] == 'HTTPS') -// $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; -// $conf .= "name={$cfg[0]}\n"; + $conf .= "acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; }}} -- cgit v1.2.3 From f2148bae9112023991f085e790f0361d61e047b1 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Fri, 30 Sep 2011 21:34:02 +0200 Subject: add intermediate CA --- config/squid-reverse/squid.inc | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 43ce8bcd..044cf10b 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
@@ -985,6 +985,11 @@ function squid_resync_reverse() {
 base64_decode($svr_cert['prv']));
 $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
 }}}
+
+ if (!empty($settings['reverse_int_ca'])) {
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n",FILE_APPEND | LOCK_EX);
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
+ }
 $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
 $real_ifaces = array();
-- cgit v1.2.3
From 2aae3aff464282d34087b390e89c3163b06badb8 Mon Sep 17 00:00:00 2001
From: Martin Fuchs
Date: Fri, 30 Sep 2011 22:47:12 +0200
Subject: acls working
---
 config/squid-reverse/squid.inc | 41 +++++++++++++++++++++++++++++++++--------
 1 file changed, 33 insertions(+), 8 deletions(-)
(limited to 'config/squid-reverse/squid.inc')
diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc
index 044cf10b..aa8cf691 100644
--- a/config/squid-reverse/squid.inc
+++ b/config/squid-reverse/squid.inc
@@ -503,6 +503,21 @@ function squid_validate_reverse($post, $input_errors) {
 if (!empty($rowa) && !is_ipaddr($rowa))
 $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address';
+/*
+ $contents = base64_decode($post['reverse_cache_peer']);
+ if(!empty($contents)) {
+ $defs = explode("\r\n", ($contents));
+ foreach ($defs as $def) {
+ $cfg = explode(";",($def));
+ if (!is_ipaddr($cfg[1]))
+ $input_errors[] = "please choose a valid IP in the cache peer configuration.";
+ if (!is_port($cfg[2]))
+ $input_errors[] = "please choose a valid port in the cache peer configuration.";
+ if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
+ $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
+ }}
+*/
+
 }
 function squid_validate_auth($post, $input_errors) {
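Review bot: The intermediate CA is appended to `{$settings["reverse_ssl_cert"]}.crt` regardless of whether the server-certificate block above actually wrote that file, so with `reverse_ssl_cert` set to `none` this creates a `none.crt` holding only the CA chain. Guard it with `if (!empty($reverse_crt) && !empty($settings['reverse_int_ca']))` and append to `$reverse_crt` instead of rebuilding the path. Nothing checks that the decoded blob is a certificate before it lands in the file squid will load. squid_resync_reverse continues outside the hunk.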
@@ -1059,20 +1074,30 @@ function squid_resync_reverse() { $conf .= "http_access allow OWA_URI_pfs\n"; } - $contents = base64_decode($settings['reverse_acl']); if(!empty($contents)) { -$conf .= "# -= TESTING AREA =-\n"; $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "# cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; - $conf .= "# cache_peer_access {$cfg[0]} deny all\n"; - $conf .= "# never direct allow {$cfg[1]}\n"; - $conf .= "# http_access allow {$cfg[1]}\n"; - }}} - + $conf .= "cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; + }} + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "cache_peer_access {$cfg[0]} deny all\n"; + }} + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "never direct allow {$cfg[1]}\n"; + }} + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (($cfg[0]) != '' && ($cfg[1]) != ''){ + $conf .= "http_access allow {$cfg[1]}\n"; + }} + } $conf .= "\n"; -- cgit v1.2.3 From 42b72a5b9995b92c6d6b5e8217484f3d8cd4559b Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Tue, 4 Oct 2011 15:52:50 +0200 Subject: add checks and cleanup inc --- config/squid-reverse/squid.inc | 44 +++++++++++++++++++++--------------------- 1 file changed, 22 insertions(+), 22 deletions(-) (limited to 'config/squid-reverse/squid.inc') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index aa8cf691..01a5edc6 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc 
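Review bot: The now-live line `$conf .= "never direct allow {$cfg[1]}\n";` spells the directive with a space; squid's directive is `never_direct`, so the generated config will be rejected at parse time. Change it to `$conf .= "never_direct allow {$cfg[1]}\n";`. The four loops re-split every line four times to get the directives grouped; collecting the four strings in one pass over `$defs` and concatenating them afterwards reads cleaner and keeps the guard in one place. squid_resync_reverse continues outside the hunk.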
@@ -499,24 +499,29 @@ function squid_validate_reverse($post, $input_errors) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; } +/* + if (!is_cert($post['reverse_int_ca'])) + $input_errors[] = 'A valid certificate for the external interface must be selected'; +*/ + $rowa = trim($post['reverse_owa_ip']); if (!empty($rowa) && !is_ipaddr($rowa)) $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; -/* - $contents = base64_decode($post['reverse_cache_peer']); - if(!empty($contents)) { - $defs = explode("\r\n", ($contents)); - foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (!is_ipaddr($cfg[1])) - $input_errors[] = "please choose a valid IP in the cache peer configuration."; - if (!is_port($cfg[2])) - $input_errors[] = "please choose a valid port in the cache peer configuration."; - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) - $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; - }} -*/ + + $contents = $post['reverse_cache_peer']; + if(!empty($contents)) { + $defs = explode("\r\n", ($contents)); + foreach ($defs as $def) { + $cfg = explode(";",($def)); + if (!is_ipaddr($cfg[1])) + $input_errors[] = "please choose a valid IP in the cache peer configuration."; + if (!is_port($cfg[2])) + $input_errors[] = "please choose a valid port in the cache peer configuration."; + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) + $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + }} + } 
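Review bot: A trailing newline in the textarea yields an empty `$def`, which then fails all three checks and blocks saving with three misleading errors; skip blank lines with `if (trim($def) == '') continue;` at the top of the loop. The peer name `$cfg[0]` is still not validated even though it becomes a squid `name=` token. The `is_cert` block is commented-out code that should either be enabled or dropped. The start of squid_validate_reverse is outside the hunk.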
@@ -991,20 +996,15 @@ function squid_resync_reverse() {
 $svr_cert = lookup_cert($settings["reverse_ssl_cert"]);
 if ($svr_cert != false) {
 if(base64_decode($svr_cert['crt'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",
- base64_decode($svr_cert['crt']));
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($svr_cert['crt']));
 $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt";
 }
 if(base64_decode($svr_cert['prv'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",
- base64_decode($svr_cert['prv']));
+ file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",base64_decode($svr_cert['prv']));
 $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key";
 }}}
- if (!empty($settings['reverse_int_ca'])) {
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n",FILE_APPEND | LOCK_EX);
- file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
- }
+ if (!empty($settings['reverse_int_ca'])) file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX);
 $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan');
 $real_ifaces = array();
-- cgit v1.2.3