From e4863b3053aab5436079d756eb5b07cdd35cf79a Mon Sep 17 00:00:00 2001
From: Martin Fuchs
Date: Tue, 27 Sep 2011 21:09:42 +0200
Subject: not to mess up anything: revert changes to packages and start over in an own repo
---
 config/squid3-reverse/squid.inc | 1403 --------------------------------------
 1 file changed, 1403 deletions(-)
 delete mode 100644 config/squid3-reverse/squid.inc
(limited to 'config/squid3-reverse/squid.inc')
diff --git a/config/squid3-reverse/squid.inc b/config/squid3-reverse/squid.inc
deleted file mode 100644
index c1b5b419..00000000
--- a/config/squid3-reverse/squid.inc
+++ /dev/null 
@@ -1,1403 +0,0 @@ -/dev/null -killall pinger 2>/dev/null - -EOD; - $rc['restart'] = << $names[$i], 'value' => $values[$i]); -} - -function squid_validate_general($post, $input_errors) { - global $config; - $settings = $config['installedpackages']['squid']['config'][0]; - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $port = $post['proxy_port'] ? $post['proxy_port'] : $port; - - $icp_port = trim($post['icp_port']); - if (!empty($icp_port) && !is_port($icp_port)) - $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; - - if (substr($post['log_dir'], -1, 1) == '/') - $input_errors[] = 'You may not end log location with an / mark'; - - if ($post['log_dir']{0} != '/') - $input_errors[] = 'You must start log location with a / mark'; - if (strlen($post['log_dir']) <= 3) - $input_errors[] = "That is not a valid log location dir"; - - $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) - $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; - - $webgui_port = $config['system']['webgui']['port']; - if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { - $webgui_port = 80; - } - if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { - $webgui_port = 443; - } - - if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { - $input_errors[] = "You can not run squid on the same port as the webgui"; - } - - foreach (array('defined_ip_proxy_off') as $hosts) { - foreach (explode(";", $post[$hosts]) as $host) { - $host = trim($host); - if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host)) - $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; - } - } - foreach (array('defined_ip_proxy_off_dest') as $hosts) { - foreach (explode(";", $post[$hosts]) as $host) { - $host = 
trim($host); - if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host)) - $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; - } - } - - if(!empty($post['dns_nameservers'])) { - $altdns = explode(";", ($post['dns_nameservers'])); - foreach ($altdns as $dnssrv) { - if (!is_ipaddr($dnssrv)) - $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; - }} -} - -function squid_validate_upstream($post, $input_errors) { - if ($post['proxy_forwarding'] == 'on') { - $addr = trim($post['proxy_addr']); - if (empty($addr)) - $input_errors[] = 'The field \'Hostname\' is required'; - else { - if (!is_ipaddr($addr) && !is_domain($addr)) - $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; - } - - foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { - $port = trim($post[$field]); - if (empty($port)) - $input_errors[] = "The field '$name' is required"; - else { - if (!is_port($port)) - $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; - } - } - } -} - -function squid_validate_cache($post, $input_errors) { - $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', - 'memory_cache_size' => 'Memory cache size', - 'maximum_object_size' => 'Maximum object size', - ); - foreach ($num_fields as $field => $name) { - $value = trim($post[$field]); - if (!is_numeric($value) || ($value < 0)) - $input_errors[] = "You must enter a valid value for '$field'"; - } - - $value = trim($post['minimum_object_size']); - if (!is_numeric($value) || ($value < 0)) - $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; - - if (!empty($post['cache_swap_low'])) { - $value = trim($post['cache_swap_low']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; - } - - if 
(!empty($post['cache_swap_high'])) { - $value = trim($post['cache_swap_high']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; - } - - if ($post['donotcache'] != "") { - foreach (split("\n", $post['donotcache']) as $host) { - $host = trim($host); - if (!is_ipaddr($host) && !is_domain($host)) - $input_errors[] = "The host '$host' is not a valid IP or host name"; - } - } - - squid_dash_z(); - -} - -function squid_validate_nac($post, $input_errors) { - $allowed_subnets = explode("\n", $post['allowed_subnets']); - foreach ($allowed_subnets as $subnet) { - $subnet = trim($subnet); - if (!empty($subnet) && !is_subnet($subnet)) - $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; - } - - foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { - foreach (explode("\n", $post[$hosts]) as $host) { - $host = trim($host); - if (!empty($host) && !is_ipaddr($host)) - $input_errors[] = "The host '$host' is not a valid IP address"; - } - } - - foreach (array('unrestricted_macs', 'banned_macs') as $macs) { - foreach (explode("\n", $post[$macs]) as $mac) { - $mac = trim($mac); - if (!empty($mac) && !is_macaddr($mac)) - $input_errors[] = "The mac '$mac' is not a valid MAC address"; - } - } - - foreach (explode(",", $post['timelist']) as $time) { - $time = trim($time); - if (!empty($time) && !squid_is_timerange($time)) - $input_errors[] = "The time range '$time' is not a valid time range"; - } - - if(!empty($post['ext_cachemanager'])) { - $extmgr = explode(";", ($post['ext_cachemanager'])); - foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; - }} -} - -function squid_validate_traffic($post, $input_errors) { - $num_fields = array( 'max_download_size' => 'Maximum download size', - 'max_upload_size' => 'Maximum upload size', - 'perhost_throttling' => 'Per-host bandwidth throttling', - 
'overall_throttling' => 'Overall bandwidth throttling', - ); - foreach ($num_fields as $field => $name) { - $value = trim($post[$field]); - if (!is_numeric($value) || ($value < 0)) - $input_errors[] = "The field '$name' must contain a positive number"; - } - - if (!empty($post['quick_abort_min'])) { - $value = trim($post['quick_abort_min']); - if (!is_numeric($value)) - $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; - } - - if (!empty($post['quick_abort_max'])) { - $value = trim($post['quick_abort_max']); - if (!is_numeric($value)) - $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; - } - - if (!empty($post['quick_abort_pct'])) { - $value = trim($post['quick_abort_pct']); - if (!is_numeric($value) || ($value > 100)) - $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; - } - -} - -function squid_validate_auth($post, $input_errors) { - $num_fields = array( array('auth_processes', 'Authentication processes', 1), - array('auth_ttl', 'Authentication TTL', 0), - ); - foreach ($num_fields as $field) { - $value = trim($post[$field[0]]); - if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) - $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; - } - - $auth_method = $post['auth_method']; - if (($auth_method != 'none') && ($auth_method != 'local')) { - $server = trim($post['auth_server']); - if (empty($server)) - $input_errors[] = 'The field \'Authentication server\' is required'; - else if (!is_ipaddr($server) && !is_domain($server)) - $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; - - $port = trim($post['auth_server_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; - - switch ($auth_method) { - case 'ldap': - $user = trim($post['ldap_user']); - 
if (empty($user)) - $input_errors[] = 'The field \'LDAP server user DN\' is required'; - else if (!$user) - $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; - break; - case 'radius': - $secret = trim($post['radius_secret']); - if (empty($secret)) - $input_errors[] = 'The field \'RADIUS secret\' is required'; - break; - case 'msnt': - foreach (explode(",", trim($post['msnt_secondary'])) as $server) { - if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) - $input_errors[] = "The host '$server' is not a valid IP address or domain name"; - } - break; - } - - $no_auth = explode("\n", $post['no_auth_hosts']); - foreach ($no_auth as $host) { - $host = trim($host); - if (!empty($host) && !is_subnet($host)) - $input_errors[] = "The host '$host' is not a valid CIDR range"; - } - } -} - -function squid_install_cron($should_install) { - global $config, $g; - if($g['booting']==true) - return; - $is_installed = false; - if(!$config['cron']['item']) - return; - $x=0; - foreach($config['cron']['item'] as $item) { - if(strstr($item['task_name'], "squid_rotate_logs")) { - $is_installed = true; - break; - } - $x++; - } - switch($should_install) { - case true: - if(!$is_installed) { - $cron_item = array(); - $cron_item['task_name'] = "squid_rotate_logs"; - $cron_item['minute'] = "0"; - $cron_item['hour'] = "0"; - $cron_item['mday'] = "*"; - $cron_item['month'] = "*"; - $cron_item['wday'] = "*"; - $cron_item['who'] = "root"; - $cron_item['command'] = "/usr/local/sbin/squid -k rotate"; - $config['cron']['item'][] = $cron_item; - parse_config(true); - write_config("Squid Log Rotation"); - configure_cron(); - } - break; - case false: - if($is_installed == true) { - if($x > 0) { - unset($config['cron']['item'][$x]); - parse_config(true); - write_config(); - } - configure_cron(); - } - break; - } -} - -function squid_resync_general() { - global $g, $config, $valid_acls; - - $settings = $config['installedpackages']['squid']['config'][0]; - 
$conf = "# This file is automatically generated by pfSense\n"; - $conf = "# Do not edit manually !\n"; - - $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); - $real_ifaces = array(); - foreach (explode(",", $ifaces) as $i => $iface) { - $real_ifaces[] = squid_get_real_interface_address($iface); - if($real_ifaces[$i][0]) { - $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; - } - } - if (($settings['transparent_proxy'] == 'on')) { - $conf .= "http_port 127.0.0.1:80 intercept\n"; - } - $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); - - $pidfile = "{$g['varrun_path']}/squid.pid"; - $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); - $errordir = SQUID_CONFBASE . '/errors/' . $language; - $icondir = SQUID_CONFBASE . '/icons'; - $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); - $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); - - $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); - - $logdir_cache = $logdir . '/cache.log'; - $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); - - $conf .= << 'src', - 'banned_hosts' => 'src', - 'whitelist' => 'dstdom_regex -i', - 'blacklist' => 'dstdom_regex -i', - ); - foreach ($options as $option => $directive) { - $contents = base64_decode($settings[$option]); - if (!empty($contents)) { - file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); - $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; - $valid_acls[] = $option; - } - elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { - unlink(SQUID_ACLDIR . 
"/$option.acl"); - } - } - - $conf .= << $binaries, - 'throttle_cdimages' => $cdimages, - 'throttle_multimedia' => $multimedia) as $field => $set) { - if ($settings[$field] == 'on') - $exts = array_merge($exts, explode(",", $set)); - } - - foreach (explode(",", $settings['throttle_others']) as $ext) { - if (!empty($ext)) $exts[] = $ext; - } - - $contents = ''; - foreach ($exts as $ext) - $contents .= "\.$ext\$\n"; - file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); - - $conf .= "# Throttle extensions matched in the url\n"; - $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; - $conf .= "delay_access 1 allow throttle_exts\n"; - $conf .= "delay_access 1 deny all\n"; - } - else - $conf .= "delay_access 1 allow all\n"; - - return $conf; -} - -function squid_resync_auth() { - global $config, $valid_acls; - - $settings = $config['installedpackages']['squidauth']['config'][0]; - $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - $settingsconfig = $config['installedpackages']['squid']['config'][0]; - $conf = ''; - - // Deny the banned guys before allowing the good guys - if(! empty($settingsnac['banned_hosts'])) { - if (squid_is_valid_acl('banned_hosts')) { - $conf .= "# These hosts are banned\n"; - $conf .= "http_access deny banned_hosts\n"; - } - } - if(! empty($settingsnac['banned_macs'])) { - if (squid_is_valid_acl('banned_macs')) { - $conf .= "# These macs are banned\n"; - $conf .= "http_access deny banned_macs\n"; - } - } - - // Unrestricted hosts take precendence over blacklist - if(! empty($settingsnac['unrestricted_hosts'])) { - if (squid_is_valid_acl('unrestricted_hosts')) { - $conf .= "# These hosts do not have any restrictions\n"; - $conf .= "http_access allow unrestricted_hosts\n"; - } - } - if(! 
empty($settingsnac['unrestricted_macs'])) { - if (squid_is_valid_acl('unrestricted_macs')) { - $conf .= "# These hosts do not have any restrictions\n"; - $conf .= "http_access allow unrestricted_macs\n"; - } - } - - // Whitelist and blacklist also take precendence over other allow rules - if(! empty($settingsnac['whitelist'])) { - if (squid_is_valid_acl('whitelist')) { - $conf .= "# Always allow access to whitelist domains\n"; - $conf .= "http_access allow whitelist\n"; - } - } - if(! empty($settingsnac['blacklist'])) { - if (squid_is_valid_acl('blacklist')) { - $conf .= "# Block access to blacklist domains\n"; - $conf .= "http_access deny blacklist\n"; - } - } - - $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); - $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); - // Allow the remaining ACLs if no authentication is set - if ($auth_method == 'none') { - $conf .="# Setup allowed acls\n"; - $allowed = array('allowed_subnets'); - if ($settingsconfig['allow_interface'] == 'on') { - $conf .= "# Allow local network(s) on interface(s)\n"; - $allowed[] = "localnet"; - } - $allowed = array_filter($allowed, 'squid_is_valid_acl'); - foreach ($allowed as $acl) - $conf .= "http_access allow $acl\n"; - } - else { - $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); - if (!empty($noauth)) { - $conf .= "acl noauth src $noauth\n"; - $valid_acls[] = 'noauth'; - } - - // Set up the external authentication programs - $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); - $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); - $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); - switch ($auth_method) { - case 'local': - $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . 
"\n"; - break; - case 'ldap': - $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); - $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; - break; - case 'radius': - $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; - break; - case 'msnt': - $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; - squid_resync_msnt(); - break; - } - $conf .= << - - - -EOD; - } - else { - $javascript = << - - - -EOD; - } - - print($javascript); -} - -function squid_print_javascript_auth2() { - print("\n"); -} - -function squid_generate_rules($type) { - global $config; - - $squid_conf = $config['installedpackages']['squid']['config'][0]; - - if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { - return; - } - - if (!is_service_running('squid')) { - log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); - return; - } - - $ifaces = explode(",", $squid_conf['active_interface']); - $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); - $port = ($squid_conf['proxy_port'] ? 
$squid_conf['proxy_port'] : 3128); - - $fw_aliases = filter_generate_aliases(); - if(strstr($fw_aliases, "pptp =")) - $PPTP_ALIAS = "\$pptp"; - else - $PPTP_ALIAS = "\$PPTP"; - if(strstr($fw_aliases, "PPPoE =")) - $PPPOE_ALIAS = "\$PPPoE"; - else - $PPPOE_ALIAS = "\$pppoe"; - - switch($type) { - case 'nat': - $rules .= "\n# Setup Squid proxy redirect\n"; - if ($squid_conf['private_subnet_proxy_off'] == 'on') { - foreach ($ifaces as $iface) { - $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; - } - } - if (!empty($squid_conf['defined_ip_proxy_off'])) { - $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); - $exempt_ip = ""; - foreach ($defined_ip_proxy_off as $ip_proxy_off) { - if(!empty($ip_proxy_off)) { - $ip_proxy_off = trim($ip_proxy_off); - if (is_alias($ip_proxy_off)) - $ip_proxy_off = '$'.$ip_proxy_off; - $exempt_ip .= ", $ip_proxy_off"; - } - } - $exempt_ip = substr($exempt_ip,2); - foreach ($ifaces as $iface) { - $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; - } - } - if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { - $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); - $exempt_dest = ""; - foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { - if(!empty($ip_proxy_off_dest)) { - $ip_proxy_off_dest = trim($ip_proxy_off_dest); - if (is_alias($ip_proxy_off_dest)) - $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; - $exempt_dest .= ", $ip_proxy_off_dest"; - } - } - $exempt_dest = substr($exempt_dest,2); - foreach ($ifaces as $iface) { - $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n"; - } - } - foreach ($ifaces as $iface) { - $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n"; - } - /* Handle PPPOE case */ - if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { - $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to 
!127.0.0.1 port 80 -> 127.0.0.1 port 80\n"; - } - /* Handle PPTP case */ - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port 80\n"; - } - $rules .= "\n"; - break; - case 'filter': - case 'rule': - foreach ($ifaces as $iface) { - $rules .= "# Setup squid pass rules for proxy\n"; - $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; - $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n"; - $rules .= "\n"; - }; - if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { - $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; - } - if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { - $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; - } - break; - default: - break; - } - - return $rules; -} - -?> -- cgit v1.2.3