From 536d61533e58b95935c9682820ad8b5a2545ede4 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 15:46:49 +0200 Subject: squid3 - code style fixes --- config/squid3/34/check_ip.php | 68 +++++++++++++++++++++++-------------------- 1 file changed, 36 insertions(+), 32 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/check_ip.php b/config/squid3/34/check_ip.php index 5865037b..68deb02c 100644 --- a/config/squid3/34/check_ip.php +++ b/config/squid3/34/check_ip.php @@ -1,9 +1,10 @@ #!/usr/local/bin/php -q $row){ - $cp_db[$rownum]=implode(",",$row); +$files = scandir($g['vardb_path']); +foreach ($files as $file) { + if (preg_match("/captive.*db/", $file)) { + $result = squid_cp_read_db("{$g['vardb_path']}/{$file}"); + foreach ($result as $rownum => $row) { + $cp_db[$rownum] = implode(",", $row); } } } - $usuario=""; - //1419045939,1419045939,2000,2000,192.168.10.11,192.168.10.11,08:00:27:5c:e1:ee,08:00:27:5c:e1:ee,marcello,marcello,605a1f46e2d64556,605a1f46e2d64556,,,,,,,,,,,first,first - if (is_array($cp_db)){ - foreach ($cp_db as $cpl){ - $fields=explode(",",$cpl); - if ($fields[4] != "" && $fields[4]==$line) - $usuario=$fields[8]; - } - } - if ($usuario !="") - $resposta="OK user={$usuario}"; - else - $resposta="ERR"; - fwrite (STDOUT, "{$resposta}\n"); - unset($cp_db); + $usuario = ""; + //1419045939,1419045939,2000,2000,192.168.10.11,192.168.10.11,08:00:27:5c:e1:ee,08:00:27:5c:e1:ee,marcello,marcello,605a1f46e2d64556,605a1f46e2d64556,,,,,,,,,,,first,first + if (is_array($cp_db)) { + foreach ($cp_db as $cpl) { + $fields = explode(",", $cpl); + if ($fields[4] != "" && $fields[4] == $line) { + $usuario = $fields[8]; + } + } + } + if ($usuario != "") { + $resposta = "OK user={$usuario}"; + } else { + $resposta = "ERR"; + } + fwrite(STDOUT, "{$resposta}\n"); + unset($cp_db); } /* read captive portal DB into array */ 
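Review bot: In the captive-portal load loop, `$cp_db[$rownum] = implode(",", $row);` keys every row by its per-file row number, so when more than one file matches `/captive.*db/` the rows of a later database overwrite those of an earlier one and some logged-in clients would get `ERR`. Appending instead, `$cp_db[] = implode(",", $row);`, keeps the rows of every matching file. Separately, `$usuario` is written into `"OK user={$usuario}"` exactly as stored; if a portal username can contain whitespace the reply would carry extra tokens, so encoding it (for example `rawurlencode($usuario)`) is worth considering once the value format the helper protocol expects is confirmed. The hunk is partly garbled on this page and the surrounding read loop starts outside what is visible.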
@@ -75,8 +79,9 @@ function squid_cp_read_db($file) { if ($DB) { $response = $DB->query("SELECT * FROM captiveportal"); if ($response != FALSE) { - while ($row = $response->fetchArray()) + while ($row = $response->fetchArray()) { $cpdb[] = $row; + } } $DB->close(); } @@ -85,4 +90,3 @@ function squid_cp_read_db($file) { } ?> - -- cgit v1.2.3 From 14b08ca6206352556a62efe10326a1f7b5cd3f49 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 15:51:19 +0200 Subject: squid3 - code style fixes --- config/squid3/34/pkg_squid.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/pkg_squid.inc b/config/squid3/34/pkg_squid.inc index 47b64e2d..8439fa5f 100644 --- a/config/squid3/34/pkg_squid.inc +++ b/config/squid3/34/pkg_squid.inc @@ -8,4 +8,4 @@ $shortcuts['squid']['log'] = "squid_monitor.php"; $shortcuts['squid']['status'] = "status_services.php"; $shortcuts['squid']['service'] = "squid"; -?> \ No newline at end of file +?> -- cgit v1.2.3 From e1737f4747d8fb25df6d7c977421de792999fbf3 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 16:11:21 +0200 Subject: squid3 - code style fixes --- config/squid3/34/sqpmon.sh | 62 ++++++++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 30 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/sqpmon.sh b/config/squid3/34/sqpmon.sh index 244b3b61..48854565 100644 --- a/config/squid3/34/sqpmon.sh +++ b/config/squid3/34/sqpmon.sh @@ -1,8 +1,10 @@ #!/bin/sh # $Id$ */ # -# sqpmon.sh -# Copyright (C) 2006 Scott Ullrich +# sqpmon.sh +# part of pfSense (https://www.pfSense.org/) +# Copyright (C) 2006 Scott Ullrich +# Copyright (C) 2015 ESF, LLC # All rights reserved. # # Redistribution and use in source and binary forms, with or without 
@@ -27,8 +29,8 @@ # POSSIBILITY OF SUCH DAMAGE. # -if [ `pgrep -f "sqpmon.sh"|wc -l` -ge 1 ]; then - exit 0 +if [ `/bin/pgrep -f "sqpmon.sh" | /usr/bin/wc -l` -ge 1 ]; then + exit 0 fi set -e @@ -36,7 +38,7 @@ set -e LOOP_SLEEP=55 if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm + /bin/rm -f /var/run/squid_alarm fi # Sleep 5 seconds on startup not to mangle with existing boot scripts. 
@@ -44,32 +46,32 @@ sleep 5 # Squid monitor 1.2 while [ /bin/true ]; do - if [ ! -f /var/run/squid_alarm ]; then - NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -lt 1 ]; then - # squid is down - echo "Squid has exited. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - echo "Attempting restart..." | logger -p daemon.info -i -t Squid_Alarm - /usr/local/etc/rc.d/squid.sh start - sleep 3 - echo "Reconfiguring filter..." | logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - touch /var/run/squid_alarm - fi - fi - NUM_PROCS=`ps auxw | grep "[s]quid -f"|awk '{print $2}'| wc -l | awk '{ print $1 }'` - if [ $NUM_PROCS -gt 0 ]; then - if [ -f /var/run/squid_alarm ]; then - echo "Squid has resumed. Reconfiguring filter." | \ - logger -p daemon.info -i -t Squid_Alarm - /etc/rc.filter_configure - rm /var/run/squid_alarm - fi - fi - sleep $LOOP_SLEEP + if [ ! -f /var/run/squid_alarm ]; then + NUM_PROCS=`/bin/ps auxw | /usr/bin/grep "[s]quid -f" | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/awk '{ print $1 }'` + if [ $NUM_PROCS -lt 1 ]; then + # squid is down + echo "Squid has exited. Reconfiguring filter." | \ + /usr/bin/logger -p daemon.info -i -t Squid_Alarm + echo "Attempting restart..." | /usr/bin/logger -p daemon.info -i -t Squid_Alarm + /usr/local/etc/rc.d/squid.sh start + sleep 3 + echo "Reconfiguring filter..." | /usr/bin/logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + touch /var/run/squid_alarm + fi + fi + NUM_PROCS=`/bin/ps auxw | /usr/bin/grep "[s]quid -f" | /usr/bin/awk '{print $2}' | /usr/bin/wc -l | /usr/bin/awk '{ print $1 }'` + if [ $NUM_PROCS -gt 0 ]; then + if [ -f /var/run/squid_alarm ]; then + echo "Squid has resumed. Reconfiguring filter." 
| \ + /usr/bin/logger -p daemon.info -i -t Squid_Alarm + /etc/rc.filter_configure + /bin/rm -f /var/run/squid_alarm + fi + fi + sleep $LOOP_SLEEP done if [ -f /var/run/squid_alarm ]; then - rm /var/run/squid_alarm + /bin/rm -f /var/run/squid_alarm fi -- cgit v1.2.3 From 8fa0b4aeda51405a8fe8cdba42c5390afbaedfed Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 16:41:44 +0200 Subject: squid3 - code style fixes --- config/squid3/34/swapstate_check.php | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/swapstate_check.php b/config/squid3/34/swapstate_check.php index 7a7ccd27..ea9600f3 100644 --- a/config/squid3/34/swapstate_check.php +++ b/config/squid3/34/swapstate_check.php @@ -2,7 +2,9 @@ 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024)) || $argv[1]=="clean") { + // or the drive is 90% full and swap.state is larger than 1GB, + // kill it and initiate a rotate to write a fresh copy. + if (($swapstate_pct > 75) || (($diskusedpct > 90) && ($swapstate_size > 1024*1024*1024)) || $argv[1] == "clean") { squid_dash_z('clean'); log_error(gettext(sprintf("Squid cache and/or swap.state exceeded size limits. Removing and rotating. File was %d bytes, %d%% of total disk space.", $swapstate_size, $swapstate_pct))); } -- cgit v1.2.3 From 5a98d24dbbe5f9eb99e88826acd598d20879075b Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 16:43:14 +0200 Subject: squid3 - code style fixes --- config/squid3/34/check_ip.php | 2 -- 1 file changed, 2 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/check_ip.php b/config/squid3/34/check_ip.php index 68deb02c..2fb43339 100644 --- a/config/squid3/34/check_ip.php +++ b/config/squid3/34/check_ip.php @@ -49,7 +49,6 @@ foreach ($files as $file) { $result = squid_cp_read_db("{$g['vardb_path']}/{$file}"); foreach ($result as $rownum => $row) { $cp_db[$rownum] = implode(",", $row); - } } } 
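Review bot: With `set -e` in force (visible in the `@@ -36,7 +38,7 @@` hunk), a non-zero exit from `/usr/local/etc/rc.d/squid.sh start` or `/etc/rc.filter_configure` inside the loop terminates the monitor itself, so one failed restart would leave Squid unsupervised with no log entry. Guarding those calls, e.g. `/usr/local/etc/rc.d/squid.sh start || echo "Squid restart failed" | /usr/bin/logger -p daemon.err -i -t Squid_Alarm`, keeps the loop alive and records the failure. As a style point, the change makes `ps`, `grep`, `awk`, `wc`, `logger` and `rm` absolute but leaves `touch` and `sleep` to be resolved through `PATH`.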
@@ -85,7 +84,6 @@ function squid_cp_read_db($file) { } $DB->close(); } - return $cpdb; } -- cgit v1.2.3 From 9580d88776e38f60ed308c9740a41cf728246d46 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 17:26:15 +0200 Subject: squid3 - code style fixes, fix missing includes, declare global vars --- config/squid3/34/squid_reverse.inc | 145 +++++++++++++++++++++---------------- 1 file changed, 82 insertions(+), 63 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid_reverse.inc b/config/squid3/34/squid_reverse.inc index f583ee12..2b57e99f 100755 --- a/config/squid3/34/squid_reverse.inc +++ b/config/squid3/34/squid_reverse.inc @@ -1,10 +1,11 @@ $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if ($real_ifaces[$i][0]) { //HTTP - if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on')) + if ((!empty($settings['reverse_http'])) || ($settings['reverse_owa_autodiscover'] == 'on')) { $conf .= "http_port {$real_ifaces[$i][0]}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + } //HTTPS - if (!empty($settings['reverse_https'])) + if (!empty($settings['reverse_https'])) { $conf .= "https_port {$real_ifaces[$i][0]}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } } } 
@@ -88,15 +98,17 @@ function squid_resync_reverse() { $reverse_ip = explode(";", ($settings['reverse_ip'])); foreach ($reverse_ip as $reip) { //HTTP - if (!empty($settings['reverse_http']) OR ($settings['reverse_owa_autodiscover'] == 'on')) + if ((!empty($settings['reverse_http'])) || ($settings['reverse_owa_autodiscover'] == 'on')) { $conf .= "http_port {$reip}:{$http_port} accel defaultsite={$http_defsite} vhost\n"; + } //HTTPS - if (!empty($settings['reverse_https'])) + if (!empty($settings['reverse_https'])) { $conf .= "https_port {$reip}:{$https_port} accel cert={$reverse_crt} key={$reverse_key} defaultsite={$https_defsite} vhost\n"; + } } } - //PEERS + // peers if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { if (!empty($settings['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($settings['reverse_owa_ip'])); 
@@ -109,33 +121,34 @@ function squid_resync_reverse() { } } - $active_peers=array(); + $active_peers = array(); if (is_array($reverse_peers)) { foreach ($reverse_peers as $rp) { - if ($rp['enable'] =="on" && $rp['name'] !="" && $rp['ip'] !="" && $rp['port'] !="") { - $conf_peer = "#{$rp['description']}\n"; - $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin "; - if ($rp['protocol'] == 'HTTPS') - $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf_peer .= "name=rvp_{$rp['name']}\n\n"; - - // add peer only if reverse proxy is enabled for http - if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] =="on") { - $conf .= $conf_peer; - array_push($active_peers,$rp['name']); - } - // add peer only if if reverse proxy is enabled for https - if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] =="on") { - if (!in_array($rp['name'],$active_peers)) { + if ($rp['enable'] == "on" && $rp['name'] != "" && $rp['ip'] != "" && $rp['port'] != "") { + $conf_peer = "#{$rp['description']}\n"; + $conf_peer .= "cache_peer {$rp['ip']} parent {$rp['port']} 0 proxy-only no-query no-digest originserver login=PASSTHRU connection-auth=on round-robin "; + if ($rp['protocol'] == 'HTTPS') { + $conf_peer .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + } + $conf_peer .= "name=rvp_{$rp['name']}\n\n"; + + // add peer only if reverse proxy is enabled for http + if ($rp['protocol'] == 'HTTP' && $settings['reverse_http'] == "on") { $conf .= $conf_peer; - array_push($active_peers,$rp['name']); + array_push($active_peers, $rp['name']); + } + // add peer only if if reverse proxy is enabled for https + if ($rp['protocol'] == 'HTTPS' && $settings['reverse_https'] == "on") { + if (!in_array($rp['name'], $active_peers)) { + $conf .= $conf_peer; + array_push($active_peers, $rp['name']); } } } } } - //REDIRECTS + // redirects if (is_array($reverse_redir)) { foreach 
($reverse_redir as $rdr) { if ($rdr['enable'] == "on" && $rdr['name'] != "" && $rdr['pathregex'] != "" && $rdr['redirurl'] != "") { @@ -167,25 +180,30 @@ function squid_resync_reverse() { } } - //ACLS and MAPPINGS + // ACLs and mappings //create an empty owa_dirs to populate based on user selected options - $owa_dirs=array(); - if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] =="on") { + $owa_dirs = array(); + if (($settings['reverse_owa'] == 'on') && $settings['reverse_https'] == "on") { if (!empty($settings['reverse_owa_ip'])) { - array_push($owa_dirs,'owa','exchange','public','exchweb','ecp','OAB'); - if ($settings['reverse_owa_activesync']) - array_push($owa_dirs,'Microsoft-Server-ActiveSync'); - if ($settings['reverse_owa_rpchttp']) - array_push($owa_dirs,'rpc/rpcproxy.dll','rpcwithcert/rpcproxy.dll'); - if ($settings['reverse_owa_mapihttp']) - array_push($owa_dirs,'mapi'); - if ($settings['reverse_owa_webservice']) - array_push($owa_dirs,'EWS'); + array_push($owa_dirs, 'owa', 'exchange', 'public', 'exchweb', 'ecp', 'OAB'); + if ($settings['reverse_owa_activesync']) { + array_push($owa_dirs, 'Microsoft-Server-ActiveSync'); + } + if ($settings['reverse_owa_rpchttp']) { + array_push($owa_dirs, 'rpc/rpcproxy.dll', 'rpcwithcert/rpcproxy.dll'); + } + if ($settings['reverse_owa_mapihttp']) { + array_push($owa_dirs, 'mapi'); + } + if ($settings['reverse_owa_webservice']) { + array_push($owa_dirs, 'EWS'); + } } if (is_array($owa_dirs)) { - foreach ($owa_dirs as $owa_dir) + foreach ($owa_dirs as $owa_dir) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$\n"; + } } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) { 
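Review bot: Every HTTPS peer is written with `ssl sslflags=DONT_VERIFY_PEER`, so the reverse proxy never validates the certificate of the origin server it forwards to; the backend leg is encrypted but not authenticated. If that is intentional for self-signed internal servers, it deserves a comment at the `if ($rp['protocol'] == 'HTTPS')` branch such as `// backend certificate is deliberately not verified; peers must sit on a trusted network segment`. Also, `$rp['description']`, `$rp['ip']`, `$rp['port']` and `$rp['name']` are interpolated into the configuration text as-is; unless the form handler already rejects line breaks and spaces, a check here would stop a stray newline in a description from becoming a configuration directive. `squid_resync_reverse()` begins and ends outside this hunk.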
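Review bot: The OWA ACL pattern `^https://{$settings['reverse_external_fqdn']}/$owa_dir.*$` inserts the host name and paths such as `rpc/rpcproxy.dll` into a `url_regex` unescaped, so each `.` matches any character and the ACL accepts more URLs than the ones intended. Escaping the dots before building the line, e.g. `$fqdn_re = str_replace('.', '\.', $settings['reverse_external_fqdn']);` and the same for `$owa_dir`, keeps the match literal. The same applies in the `@@ -199,31 +217,31 @@` hunk, where `$url_regex` falls back to the bare FQDN with no anchors at all. The enclosing function starts and ends outside these hunks.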
@@ -199,31 +217,31 @@ function squid_resync_reverse() { //$conf .= "ssl_unclean_shutdown on"; if (is_array($reverse_maps)) { foreach ($reverse_maps as $rm) { - if ($rm['enable'] == "on" && $rm['name']!="" && $rm['peers']!="" && is_array($rm['row'])) { + if ($rm['enable'] == "on" && $rm['name'] != "" && $rm['peers'] != "" && is_array($rm['row'])) { foreach ($rm['row'] as $uri) { - $url_regex=($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] ); + $url_regex = ($uri['uri'] == '' ? $settings['reverse_external_fqdn'] : $uri['uri'] ); //$conf .= "acl rvm_{$rm['name']} url_regex -i {$uri['uri']}{$url_regex}.*$\n"; $conf .= "acl rvm_{$rm['name']} url_regex -i {$url_regex}\n"; if ($rm['name'] != $last_rm_name) { $cache_peer_never_direct_conf .= "never_direct allow rvm_{$rm['name']}\n"; $http_access_conf .= "http_access allow rvm_{$rm['name']}\n"; - foreach (explode(',',$rm['peers']) as $map_peer) { - if (in_array($map_peer,$active_peers)) { + foreach (explode(',', $rm['peers']) as $map_peer) { + if (in_array($map_peer, $active_peers)) { $cache_peer_allow_conf .= "cache_peer_access rvp_{$map_peer} allow rvm_{$rm['name']}\n"; $cache_peer_deny_conf .= "cache_peer_access rvp_{$map_peer} deny allsrc\n"; } } - $last_rm_name=$rm['name']; + $last_rm_name = $rm['name']; } } } } } - //ACCESS - if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] =="on") { + // access + if ($settings['reverse_owa'] == 'on' && !empty($settings['reverse_owa_ip']) && $settings['reverse_https'] == "on") { - for ($cascnt=1;$cascnt<$casnr+1;$cascnt++) { + for ($cascnt = 1; $cascnt < $casnr + 1; $cascnt++) { $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs allow OWA_URI_pfs\n"; $conf .= "cache_peer_access OWA_HOST_80_{$cascnt}_pfs allow OWA_URI_pfs\n"; $conf .= "cache_peer_access OWA_HOST_443_{$cascnt}_pfs deny allsrc\n"; 
@@ -236,8 +254,9 @@ function squid_resync_reverse() { $conf .= $cache_peer_allow_conf.$cache_peer_deny_conf.$cache_peer_never_direct_conf.$http_access_conf."\n"; - if (!empty($settings['deny_info_tcp_reset'])) + if (!empty($settings['deny_info_tcp_reset'])) { $conf .= "deny_info TCP_RESET allsrc\n"; + } return $conf; } -- cgit v1.2.3 From 389a4a9d79419ddb0439f8c6b23aab68f3159788 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 18:05:25 +0200 Subject: squid3 - code style fixes, declare global vars, XHTML fixes --- config/squid3/34/squid_monitor_data.php | 277 +++++++++++++++----------------- 1 file changed, 134 insertions(+), 143 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid_monitor_data.php b/config/squid3/34/squid_monitor_data.php index 9010f0a2..c2c3264d 100755 --- a/config/squid3/34/squid_monitor_data.php +++ b/config/squid3/34/squid_monitor_data.php 
@@ -1,23 +1,21 @@ + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -29,174 +27,167 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ -# ------------------------------------------------------------------------------ -# Defines -# ------------------------------------------------------------------------------ +*/ require_once("guiconfig.inc"); -# ------------------------------------------------------------------------------ -# Requests -# ------------------------------------------------------------------------------ +/* Requests */ if ($_POST) { - # Actions - $filter = preg_replace('/(@|!|>|<)/',"",htmlspecialchars($_POST['strfilter'])); + global $filter, $program; + // Actions + $filter = preg_replace('/(@|!|>|<)/', "", htmlspecialchars($_POST['strfilter'])); $program = strtolower($_POST['program']); - switch ($program) { - case 'squid': + switch ($program) { + case 'squid': // Define log file - $log='/var/squid/logs/access.log'; - //show table headers - show_tds(array("Date","IP","Status","Address","User","Destination")); - //fetch lines - $logarr=fetch_log($log); + $log = '/var/squid/logs/access.log'; + // Show table headers + show_tds(array("Date", "IP", "Status", "Address", "User", "Destination")); + // Fetch lines + $logarr = fetch_log($log); // Print lines - foreach ($logarr as $logent) { - // Split line by space delimiter - $logline = preg_split("/\s+/", $logent); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); - // Apply date format to first line - //$logline[0] = date("d.m.Y H:i:s",$logline[0]); + // Apply date format to first line + //$logline[0] = date("d.m.Y H:i:s",$logline[0]); - // Word wrap the URL - $logline[7] = htmlentities($logline[7]); - $logline[7] = html_autowrap($logline[7]); + // Word wrap the URL + $logline[7] = 
htmlentities($logline[7]); + $logline[7] = html_autowrap($logline[7]); - // Remove /(slash) in destination row - $logline_dest = preg_split("/\//", $logline[9]); + // Remove /(slash) in destination row + $logline_dest = preg_split("/\//", $logline[9]); - // Apply filter and color + // Apply filter and color // Need validate special chars - if ($filter != "") - $logline = preg_replace("@($filter)@i","$1",$logline); + if ($filter != "") { + $logline = preg_replace("@($filter)@i","$1", $logline); + } + echo "\n"; - echo "{$logline[0]} {$logline[1]}\n"; + echo "{$logline[0]} {$logline[1]}\n"; echo "{$logline[3]}\n"; echo "{$logline[4]}\n"; - echo "{$logline[7]}\n"; + echo "{$logline[7]}\n"; echo "{$logline[8]}\n"; echo "{$logline_dest[1]}\n"; echo "\n"; - } + } break; case 'sguard'; - $log='/var/squidGuard/log/block.log'; - //show table headers - show_tds(array("Date-Time","ACL","Address","Host","User")); - //fetch lines - $logarr=fetch_log($log); - foreach ($logarr as $logent) { - // Split line by space delimiter - $logline = preg_split("/\s+/", $logent); - - // Apply time format - $logline[0] = date("d.m.Y", strtotime($logline[0])); - - // Word wrap the URL - $logline[4] = htmlentities($logline[4]); - $logline[4] = html_autowrap($logline[4]); - - - // Apply filter color - // Need validate special chars - if ($filter != "") - $logline = preg_replace("@($filter)@i","$1",$logline); - - - echo "\n"; - echo "{$logline[0]} {$logline[1]}\n"; - echo "{$logline[3]}\n"; - echo "{$logline[4]}\n"; - echo "{$logline[5]}\n"; - echo "{$logline[6]}\n"; - echo "\n"; - } + $log = '/var/squidGuard/log/block.log'; + // Show table headers + show_tds(array("Date-Time", "ACL", "Address", "Host", "User")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\s+/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y", strtotime($logline[0])); + + // Word wrap the URL + $logline[4] = 
htmlentities($logline[4]); + $logline[4] = html_autowrap($logline[4]); + + // Apply filter color + // Need validate special chars + if ($filter != "") { + $logline = preg_replace("@($filter)@i", "$1", $logline); + } + + echo "\n"; + echo "{$logline[0]} {$logline[1]}\n"; + echo "{$logline[3]}\n"; + echo "{$logline[4]}\n"; + echo "{$logline[5]}\n"; + echo "{$logline[6]}\n"; + echo "\n"; + } break; case 'clamav'; - // Define log file - $log='/var/log/c-icap/virus.log'; - //show table headers - show_tds(array("Date-Time","Message","Virus","URL","Host","User")); - //fetch lines - $logarr=fetch_log($log); - foreach ($logarr as $logent) { - // Split line by space delimiter - $logline = preg_split("/\|/", $logent); - - // Apply time format - $logline[0] = date("d.m.Y H:i:s", strtotime($logline[0])); - - // Word wrap the URL - $logline[3] = htmlentities($logline[3]); - $logline[3] = html_autowrap($logline[3]); - - echo "\n"; - echo "{$logline[0]}\n"; - echo "{$logline[1]}\n"; - echo "{$logline[2]}\n"; - echo "{$logline[3]}\n"; - echo "{$logline[4]}\n"; - echo "{$logline[5]}\n"; - echo "\n"; - } - break; - } + // Define log file + $log = '/var/log/c-icap/virus.log'; + // Show table headers + show_tds(array("Date-Time", "Message", "Virus", "URL", "Host", "User")); + // Fetch lines + $logarr = fetch_log($log); + foreach ($logarr as $logent) { + // Split line by space delimiter + $logline = preg_split("/\|/", $logent); + + // Apply time format + $logline[0] = date("d.m.Y H:i:s", strtotime($logline[0])); + + // Word wrap the URL + $logline[3] = htmlentities($logline[3]); + $logline[3] = html_autowrap($logline[3]); + + echo "\n"; + echo "{$logline[0]}\n"; + echo "{$logline[1]}\n"; + echo "{$logline[2]}\n"; + echo "{$logline[3]}\n"; + echo "{$logline[4]}\n"; + echo "{$logline[5]}\n"; + echo "\n"; + } + break; + } } -# ------------------------------------------------------------------------------ -# Functions -# 
------------------------------------------------------------------------------ - -// From SquidGuard Package -function html_autowrap($cont) -{ - # split strings - $p = 0; +/* Functions */ +function html_autowrap($cont) { + // split strings + $p = 0; $pstep = 25; - $str = $cont; + $str = $cont; $cont = ''; - for ( $p = 0; $p < strlen($str); $p += $pstep ) { - $s = substr( $str, $p, $pstep ); - if ( !$s ) break; - $cont .= $s . ""; + for ($p = 0; $p < strlen($str); $p += $pstep) { + $s = substr($str, $p, $pstep); + if (!$s) { + break; + } + $cont .= $s . ""; } return $cont; } - // Show Squid Logs -function fetch_log($log){ - global $filter,$program; - // Get Data from form post - $lines = $_POST['maxlines']; - if (preg_match("/!/",htmlspecialchars($_POST['strfilter']))) - $grep_arg="-iv"; - else - $grep_arg="-i"; - - //Check program to execute or no the parser - if($program == "squid") - $parser = "| php -q squid_log_parser.php"; - else +function fetch_log($log) { + global $filter, $program; + // Get data from form post + $lines = $_POST['maxlines']; + if (preg_match("/!/", htmlspecialchars($_POST['strfilter']))) { + $grep_arg = "-iv"; + } else { + $grep_arg = "-i"; + } + + // Check program to execute or no the parser + if ($program == "squid") { + $parser = "| /usr/local/bin/php -q squid_log_parser.php"; + } else { $parser = ""; + } - // Get logs based in filter expression - if($filter != "") { - exec("tail -2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). " | tail -r -n {$lines} {$parser} " , $logarr); - } - else { - exec("tail -r -n {$lines} {$log} {$parser}", $logarr); - } - // return logs - return $logarr; + // Get logs based in filter expression + if ($filter != "") { + exec("/usr/bin/tail -n 2000 {$log} | /usr/bin/grep {$grep_arg} " . escapeshellarg($filter). 
" | /usr/bin/tail -r -n {$lines} {$parser} ", $logarr); + } else { + exec("/usr/bin/tail -r -n {$lines} {$log} {$parser}", $logarr); + } + // Return logs + return $logarr; }; -function show_tds($tds){ +function show_tds($tds) { echo "\n"; foreach ($tds as $td){ - echo "".gettext($td)."\n"; - } + echo "" . gettext($td) . "\n"; + } echo "\n"; } -- cgit v1.2.3 From 0e3ce40841d6a55e2272df9daa54c0e27f060b16 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 18:28:02 +0200 Subject: squid3 - code style and XHTML fixes --- config/squid3/34/squid_monitor.php | 175 ++++++++++++++++--------------------- 1 file changed, 77 insertions(+), 98 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid_monitor.php b/config/squid3/34/squid_monitor.php index 60a366fc..ba87f998 100755 --- a/config/squid3/34/squid_monitor.php +++ b/config/squid3/34/squid_monitor.php 
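Review bot: In `fetch_log()`, `$lines = $_POST['maxlines'];` is interpolated into both `exec()` command strings without validation or `escapeshellarg()`, unlike `$filter`, so a request parameter reaches the shell verbatim. Coercing it to a bounded integer closes that: `$lines = (int) $_POST['maxlines'];` followed by `if ($lines < 1 || $lines > 2000) { $lines = 50; }` (the fallback value is only a suggestion). Two smaller points in the same hunk: `preg_replace("@($filter)@i", ...)` uses the filter as a pattern, so `preg_quote($filter, '@')` would stop regex metacharacters from breaking the highlight, and only the URL column goes through `htmlentities()` while the other log fields are echoed as read from the log. The parser is still invoked by the relative name `squid_log_parser.php`, which depends on the working directory.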
@@ -1,23 +1,21 @@ + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY @@ -29,19 +27,13 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - +*/ require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/pkg-utils.inc"); require_once("/etc/inc/globals.inc"); require_once("guiconfig.inc"); -$pfSversion = str_replace("\n", "", file_get_contents("/etc/version")); -if(strstr($pfSversion, "1.2")) - $one_two = true; - $pgtitle = "Status: Proxy Monitor"; $shortcut_section = "squid"; include("head.inc"); @@ -51,44 +43,40 @@ include("head.inc"); - - -

- - - -
- - +
+ + - - - -
-
-
-
- - + + + +
+
+ + + - -
Max lines: @@ -123,95 +110,87 @@ include("head.inc");
- +
String filter: - +
-
-
- ! to invert the sense of matching, to select non-matching lines.");?> +
+
+ ! to invert the sense of matching, to select non-matching lines.");?>
- - - - - - - +
+
+ + + + + + - - -
- + -
-
- - - - - - + +
+
+ + + + + - - -
- + -
-
- - - - - + +
+
+ + + + - - -
- + -
-
-
+
+
-
+
- -- cgit v1.2.3 From 60d98f07d36a483530dab7de5f33aa777276f378 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 18:32:24 +0200 Subject: squid3 - code style fixes --- config/squid3/34/squid_log_parser.php | 44 ++++++++++++++++------------------- 1 file changed, 20 insertions(+), 24 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid_log_parser.php b/config/squid3/34/squid_log_parser.php index 8d0cbc20..c55db021 100755 --- a/config/squid3/34/squid_log_parser.php +++ b/config/squid3/34/squid_log_parser.php @@ -1,24 +1,22 @@ #!/usr/local/bin/php -q + Copyright (C) 2015 ESF, LLC All rights reserved. - */ -/* ========================================================================== */ -/* + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. - 2. Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in the - documentation and/or other materials provided with the distribution. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 
@@ -30,28 +28,26 @@ CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ -/* ========================================================================== */ - -# ------------------------------------------------------------------------------ -# Simple Squid Log parser to rewrite line with date/time human readable -# Usage: cat /var/squid/log/access.log | parser_squid_log.php -# ------------------------------------------------------------------------------ +*/ +/* +* Simple Squid Log parser to rewrite line with date/time human readable +* Usage: cat /var/squid/log/access.log | parser_squid_log.php +*/ $logline = fopen("php://stdin", "r"); -while(!feof($logline)) { +while (!feof($logline)) { $line = fgets($logline); $line = rtrim($line); if ($line != "") { $fields = explode(' ', $line); // Apply date format - $fields[0] = date("d.m.Y H:i:s",$fields[0]); - foreach($fields as $field) { - // Write the Squid log line with date/time human readable - echo "{$field} "; + $fields[0] = date("d.m.Y H:i:s", $fields[0]); + foreach ($fields as $field) { + // Write the Squid log line with human readable date/time + echo "{$field} "; } echo "\n"; } } fclose($logline); -?> \ No newline at end of file +?> -- cgit v1.2.3 From 458d92c27ad0aaee40763689a0f644c848ebe465 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 18:59:59 +0200 Subject: Remove unused squid_ident.php --- config/squid3/34/squid_ident.php | 148 --------------------------------------- 1 file changed, 148 deletions(-) delete mode 100644 config/squid3/34/squid_ident.php (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid_ident.php b/config/squid3/34/squid_ident.php deleted file mode 100644 index ad13beb6..00000000 --- a/config/squid3/34/squid_ident.php +++ /dev/null 
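Review bot: The rewritten header comment still reads `Usage: cat /var/squid/log/access.log | parser_squid_log.php`, but the file is `squid_log_parser.php` and squid_monitor_data.php reads `/var/squid/logs/access.log`. I would change the line to `* Usage: cat /var/squid/logs/access.log | squid_log_parser.php`. It may also be worth a one-line comment above `date("d.m.Y H:i:s", $fields[0])` saying that the first field is expected to be the Squid epoch timestamp, since a malformed line is passed to `date()` unchecked.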
@@ -1,148 +0,0 @@ -#!/usr/bin/php -#http://blog.dataforce.org.uk/2010/03/Ident-Server -/.ident - * If this is present, it will be read. - * It should be a file with a format like so: - * - * - * ::: - * - * The first line that matches is used, any bit can be a * and it will always match, - * so "* user" is valid. In future more sophisticated matches will be permitted - * (eg 127.*) but for now its either all or nothing. - * - * Its worth noting that is the host that requests the ident, so if this - * is likely to be different than the host that was connected to, then "STRICT_HOST" will - * need to be set to false. - * - * At the moment is ignored, in future versions this might be changed, so - * it is still required. - * - * Lines with a ':' in them are assumed to be of the second format, and must contain - * all 4 sections or they will be ignored. - * - * Lines starting with a # are ignored. - * - * There are some special values that can be used as idents: - * ! = Send an error instead. - * * = Send the default ident. - * ? = Send a random ident (In future a 3rd parameter will specify the format, - * # for a number, @ for a letter, ? for either, but this is not implemented yet) - * - * In future there will also be support for /home/user/.ident.d/ directories, where - * every file will be read for the ident response untill one matches. - * This will allow multiple processes to create files rather than needing to - * lock and edit .ident - */ - - // Allow spoofing idents. - define('ALLOW_SPOOF', true); - - // Requesting host must be the same as the host that was connected to. - define('STRICT_HOST', true); - - // Error to send when '!' is used as an ident. - define('HIDE_ERROR', 'UNKNOWN-ERROR'); - - openlog('simpleIdent', LOG_PID | LOG_ODELAY, LOG_DAEMON); - - $result = 'ERROR : UNKNOWN-ERROR' . "\n"; - - $host = $_SERVER['REMOTE_HOST']; - - syslog(LOG_INFO, 'Connection from: '.$host); - - // Red in the line from the socket. 
- $fh = @fopen('php://stdin', 'r'); - if ($fh) { - $input = @fgets($fh); - $line = trim($input); - if ($input !== FALSE && !empty($line)) { - $result = trim($input) . ' : ' . $result; - // Get the data from it. - $bits = explode(',', $line); - $source = trim($bits[0]); - $dest = isset($bits[1]) ? trim($bits[1]) : ''; - - // Check if it is valid - if (preg_match('/^[0-9]+$/', $source) && preg_match('/^[0-9]+$/', $dest)) { - // Now actually look for this! - $match = STRICT_HOST ? ":$source .*$host:$dest " : ":$source.*:$dest"; - - $output = `netstat -napW 2>&1 | grep '$match' | awk '{print \$7}'`; - - $bits = explode('/', $output); - $pid = $bits[0]; - - if (preg_match('/^[0-9]+$/', $pid)) { - $user = `ps -o ruser=SOME-REALLY-WIDE-USERNAMES-ARE-PERMITTED-HERE $pid | tail -n 1`; - - $senduser = trim($user); - - // Look for special ident file: /home/user/.ident this is an ini-format file. - $file = '/home/'.trim($user).'/.ident'; - - if (file_exists($file)) { - $config = file($file, FILE_SKIP_EMPTY_LINES | FILE_IGNORE_NEW_LINES | FILE_TEXT); - foreach ($config as $line) { - // Ignore comments. - $line = trim($line); - if (substr($line, 1) == '#') { continue; } - - // Make sure line is valid. 
- $bits = explode(' ', $line); - if (count($bits) == 1) { continue; } - - // Check type of line - if (strpos($bits[0], ':') !== FALSE) { - // LocalHost:LocalPort:RemoteHost:RemotePort - $match = explode(':', $bits[0]); - if (count($match) != 4) { continue; } - - if (($match[1] == '*' || $match[1] == $source) && - ($match[2] == '*' || $match[2] == $host) && - ($match[3] == '*' || $match[3] == $dest)) { - syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line); - $senduser = $bits[1]; - break; - } - } else if ($bits[0] == '*' || $bits[0] == $pid) { - syslog(LOG_INFO, 'Spoof for '.$senduser.': '.$line); - $senduser = $bits[1]; - } - } - - if ($senduser == "*") { - $senduser = trim(user); - } else if ($senduser == "?") { - $senduser = 'user'.rand(1000,9999); - } - } - - if ($senduser != "!") { - $result = $source . ', ' . $dest . ' : USERID : UNIX : ' . trim($senduser); - } else { - $result = $source . ', ' . $dest . ' : ERROR : ' . HIDE_ERROR; - } - } - } - } - } - - echo $result; - syslog(LOG_INFO, 'Result: '.$result); - closelog(); - exit(0); -?> -- cgit v1.2.3 From f25d84fc6ab5ddd9a4746ccdc02c50decb8de68d Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 19:13:29 +0200 Subject: squid3 - code style fixes --- config/squid3/34/squid_clwarn.php | 80 +++++++++++++++++++-------------------- 1 file changed, 38 insertions(+), 42 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid_clwarn.php b/config/squid3/34/squid_clwarn.php index 8de016f3..5ddf8171 100644 --- a/config/squid3/34/squid_clwarn.php +++ b/config/squid3/34/squid_clwarn.php @@ -1,22 +1,20 @@ -
+

-
+

- The requested URL
+ The requested URL
: -

+

-

+

Origin: / -

-


- Powered by SquidClamAv . -
+

+


+ Powered by SquidClamav . +

+
-- cgit v1.2.3 From b05e3ce0e475e7196f3f4289ee28ad08fff80578 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 24 Sep 2015 23:49:06 +0200 Subject: squid3 - code style fixes --- config/squid3/34/squid.inc | 1460 ++++++++++++++++++++++++-------------------- 1 file changed, 785 insertions(+), 675 deletions(-) (limited to 'config/squid3/34') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 665c0d7c..4905f96c 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -1,12 +1,13 @@ 'migrated', 'enable' => 'on', @@ -275,16 +287,16 @@ function squid_install_command() { } } - //MAPPINGS + // mappings if (!is_array($config['installedpackages']['squidreverseuri'])) { - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { - foreach (explode(";",$acls) as $acl) { + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls) { + foreach (explode(";", $acls) as $acl) { array_push(${'peer_'.$acl[0]},$acl[1]); } } - foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { - foreach (explode(";",$uris) as $uri) { - $peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):""); + foreach (explode("\n", sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris) { + foreach (explode(";", $uris) as $uri) { + $peer_list = (is_array(${'peer_' . $uri[0]}) ? implode(",", ${'peer_' . $uri[0]}) : ""); $config['installedpackages']['squidreverseuri']['config'][] = array( 'description' => 'migrated', 'enable' => 'on', @@ -299,7 +311,6 @@ function squid_install_command() { } update_status("Writing configuration... One moment please..."); - write_config(); /* create cache */ 
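Review bot: In the mappings migration of squid_install_command, `$acl` and `$uri` are the string pieces returned by `explode(";", ...)`, so `$acl[0]` and `$acl[1]` are single characters of each piece rather than the first and second field, which looks unintended. The same lines build variable names from stored configuration text with `${'peer_' . $acl[0]}`, and `array_push()` is called on a variable that may not exist yet. Splitting once and collecting into a keyed array avoids both: `$acl = explode(";", $acls);` then `$peers[$acl[0]][] = $acl[1];`, with the lookup becoming `isset($peers[$uri[0]]) ? implode(",", $peers[$uri[0]]) : ""`. The function starts and ends outside this hunk, so any earlier use of the `peer_*` variables needs checking before the change.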
@@ -308,29 +319,25 @@ function squid_install_command() { /* make sure pinger is executable and suid root */ // XXX: Bug #5114 - if (file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger")) - chgrp(SQUID_LOCALBASE. "/libexec/squid/pinger", SQUID_GID); - - // XXX: Is it really necessary? - if (file_exists("/usr/local/etc/rc.d/squid")) - unlink_if_exists("/usr/local/etc/rc.d/squid"); + if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) { + chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID); + } squid_write_rcfile(); // XXX: Is it really necessary? mode is set to 0755 in squid.xml - if (file_exists("/usr/local/pkg/swapstate_check.php")) + if (file_exists("/usr/local/pkg/swapstate_check.php")) { @chmod("/usr/local/pkg/swapstate_check.php", 0755); + } write_rcfile(array( "file" => "sqp_monitor.sh", "start" => "/usr/local/pkg/sqpmon.sh &", - "stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill") + "stop" => "/bin/ps awux | /usr/bin/grep \"sqpmon\" | /usr/bin/grep -v \"grep\" | /usr/bin/grep -v \"php\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill") ); - foreach (array( SQUID_CONFBASE, - SQUID_ACLDIR, - SQUID_SSL_DB ) as $dir) { - @mkdir($dir, 0755, true); + foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) { + safe_mkdir($dir, 0755); squid_chown_recursive($dir, SQUID_UID, SQUID_GID); } 
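Review bot: The `stop` command given to write_rcfile() kills every PID whose `ps awux` line contains the substring "sqpmon", as root, so any other process that merely has that text on its command line is killed too. The absolute paths added here remove the PATH dependency but do not narrow the match. Having sqpmon.sh write a pidfile and stopping with `/bin/pkill -F <pidfile written by sqpmon.sh>` targets only the monitor. The same concern applies to the three `ps | grep | xargs kill` calls in the squid_deinstall_command hunk, where `grep "squid"` also matches any process with squidclamav in its command line.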
@@ -367,25 +374,26 @@ function squid_install_command() { function squid_deinstall_command() { global $config, $g; - $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; + $plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."; squid_install_cron(false); - if (is_array($config['installedpackages']['squidcache'])) + if (is_array($config['installedpackages']['squidcache'])) { $settings = $config['installedpackages']['squidcache']['config'][0]; - else + } else { $settings = array(); + } $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); update_status("Removing cache ... One moment please..."); update_output_window("$plswait_txt"); // XXX: Is it ok to remove cache and logs? 
It's going to happen every time package is updated - mwexec_bg("rm -rf {$cachedir}"); - mwexec("rm -rf {$logdir}"); + mwexec_bg("/bin/rm -rf {$cachedir}"); + mwexec("/bin/rm -rf {$logdir}"); update_status("Finishing package cleanup."); mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop"); unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh'); - mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); - mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); - mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep \"squid\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep \"dnsserver\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/bin/ps awux | /usr/bin/grep \"unlinkd\" | /usr/bin/grep -v \"grep\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); update_status("Reloading filter..."); filter_configure(); } 
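Review bot: `mwexec_bg("/bin/rm -rf {$cachedir}")` and `mwexec("/bin/rm -rf {$logdir}")` in squid_deinstall_command interpolate configuration values into a root shell command without quoting. A value containing a space or a shell metacharacter is split or interpreted by the shell, so the recursive delete can reach paths other than the configured directory. Quote each argument, `mwexec("/bin/rm -rf " . escapeshellarg($logdir));` and `mwexec_bg("/bin/rm -rf " . escapeshellarg($cachedir));`. It is also worth refusing to delete when the value is empty or does not look like an absolute path under the expected Squid directories.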
@@ -408,38 +416,42 @@ function squid_before_form_general(&$pkg) { array_shift($values); $name = array(); - foreach ($values as $value) + foreach ($values as $value) { $names[] = implode(" ", explode("_", $value)); + } $i = 0; foreach ($pkg['fields']['field'] as $field) { - if ($field['fieldname'] == 'error_language') + if ($field['fieldname'] == 'error_language') { break; + } $i++; } $field = &$pkg['fields']['field'][$i]; - for ($i = 0; $i < count($values) - 1; $i++) + for ($i = 0; $i < count($values) - 1; $i++) { $field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]); + } } function squid_validate_antivirus($post, &$input_errors) { global $config; - if ($post['enable'] != "on") + if ($post['enable'] != "on") { return; + } - if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/",$post['squidclamav'],$a_match)) { - $input_errors[] ="Squidclamav warns redirect points to sample config domain ({$a_match[1]})"; - $input_errors[] ="Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host. 
"; + if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) { + $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})"; + $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host."; } if ($post['c-icap_conf']) { - if (!preg_match("/squid_clamav/",$post['c-icap_conf'])) { - $input_errors[] ="c-icap Squidclamav service definition is no present."; - $input_errors[] ="Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; + if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) { + $input_errors[] = "c-icap Squidclamav service definition is not present."; + $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working."; } - if (preg_match("/(Manager:Apassword\S+)/",$post['c-icap_conf'],$c_match)) { - $input_errors[] ="Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; + if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) { + $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field."; } } } 
@@ -447,31 +459,37 @@ function squid_validate_antivirus($post, &$input_errors) { function squid_validate_general($post, &$input_errors) { global $config; - if (is_array($config['installedpackages']['squid'])) + if (is_array($config['installedpackages']['squid'])) { $settings = $config['installedpackages']['squid']['config'][0]; - else + } else { $settings = array(); + } $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; $icp_port = trim($post['icp_port']); - if (!empty($icp_port) && !is_port($icp_port)) - $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; + if (!empty($icp_port) && !is_port($icp_port)) { + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field.'; + } - if (substr($post['log_dir'], -1, 1) == '/') - $input_errors[] = 'You may not end log location with an / mark'; + if (substr($post['log_dir'], -1, 1) == '/') { + $input_errors[] = 'Log location must not end with a / character.'; + } - if ($post['log_dir']{0} != '/') - $input_errors[] = 'You must start log location with a / mark'; + if ($post['log_dir']{0} != '/') { + $input_errors[] = 'Log location must start with a / character.'; + } - if (strlen($post['log_dir']) <= 3) - $input_errors[] = "That is not a valid log location dir"; + if (strlen($post['log_dir']) <= 3) { + $input_errors[] = "Configured log location directory is not valid."; + } $log_rotate = trim($post['log_rotate']); - if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) - $input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field'; + if (!empty($log_rotate) && (!is_numericint($log_rotate) or ($log_rotate < 1))) { + $input_errors[] = "You must enter a valid number of days in the 'Log rotate' field."; + } $webgui_port = $config['system']['webgui']['port']; 
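Review bot: The `log_dir` checks in squid_validate_general test only the first character, the last character and the length, so a value with whitespace, shell metacharacters or `..` segments is accepted. The squid_deinstall_command hunk in this patch passes a `log_dir` setting to `/bin/rm -rf`, which makes the permitted character set matter. Add an allow-list check such as `if (!preg_match('@^/[A-Za-z0-9._/-]+$@', $post['log_dir']) || strpos($post['log_dir'], '..') !== false) {` with its own error message. `$post['log_dir']{0}` also raises a notice on an empty value; `substr($post['log_dir'], 0, 1)` does not. The function continues past the end of this hunk.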
@@ -483,7 +501,7 @@ function squid_validate_general($post, &$input_errors) { } if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { - $input_errors[] = "You can not run squid on the same port as the webgui"; + $input_errors[] = "You can not run Squid on the same port as the pfSense WebGUI"; } if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) { @@ -493,15 +511,17 @@ function squid_validate_general($post, &$input_errors) { foreach (array('defined_ip_proxy_off') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); - if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) - $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) { + $input_errors[] = "'Bypass proxy for these source IPs' entry '$host' is not a valid IP address, hostname, or alias."; + } } } foreach (array('defined_ip_proxy_off_dest') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); - if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) - $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) { + $input_errors[] = "'Bypass proxy for these destination IPs' entry '$host' is not a valid IP address, hostname, or alias."; + } } } @@ -509,7 +529,7 @@ function squid_validate_general($post, &$input_errors) { $altdns = explode(";", ($post['dns_nameservers'])); foreach ($altdns as $dnssrv) { if (!is_ipaddr($dnssrv)) { - $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + $input_errors[] = "You must enter a valid IP address in the 'Alternate DNS servers' field."; break; } } 
@@ -517,24 +537,27 @@ function squid_validate_general($post, &$input_errors) { } function squid_validate_upstream($post, &$input_errors) { - if ($post['enabled'] != 'on') + if ($post['enabled'] != 'on') { return; + } $addr = trim($post['proxyaddr']); if (empty($addr)) { - $input_errors[] = 'The field \'Hostname\' is required'; + $input_errors[] = "The 'Proxy hostname' field is required"; } else { - if (!is_ipaddr($addr) && !is_domain($addr)) - $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + if (!is_ipaddr($addr) && !is_domain($addr)) { + $input_errors[] = "You must enter a valid IP address or host name in the 'Proxy hostname' field."; + } } foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { $port = trim($post[$field]); if (empty($port)) { - $input_errors[] = "The field '$name' is required"; + $input_errors[] = "The '$name' field is required."; } else { - if (!is_port($port)) - $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + if (!is_port($port)) { + $input_errors[] = "The '$name' field must contain a valid port number (1-65535)."; + } } } } 
@@ -548,31 +571,36 @@ function squid_validate_cache($post, &$input_errors) { foreach ($num_fields as $field => $name) { $value = trim($post[$field]); - if (!is_numericint($value)) - $input_errors[] = "You must enter a valid value for '$field'"; + if (!is_numericint($value)) { + $input_errors[] = "You must enter a valid value for '$field'."; + } } $value = trim($post['minimum_object_size']); - if (!is_numericint($value)) - $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + if (!is_numericint($value)) { + $input_errors[] = "You must enter a valid value for 'Minimum object size'."; + } if (!empty($post['cache_swap_low'])) { $value = trim($post['cache_swap_low']); - if (!is_numericint($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; + if (!is_numericint($value) || ($value > 100)) { + $input_errors[] = "You must enter a valid value for 'Low-water-mark'."; + } } if (!empty($post['cache_swap_high'])) { $value = trim($post['cache_swap_high']); - if (!is_numericint($value) || ($value > 100)) - $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; + if (!is_numericint($value) || ($value > 100)) { + $input_errors[] = "You must enter a valid value for 'High-water-mark'."; + } } if ($post['donotcache'] != "") { foreach (split("\n", $post['donotcache']) as $host) { $host = trim($host); - if (!is_ipaddr($host) && !is_domain($host)) - $input_errors[] = "The host '$host' is not a valid IP or host name"; + if (!is_ipaddr($host) && !is_domain($host)) { + $input_errors[] = "The host '$host' is not a valid IP or hostname."; + } } } 
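Review bot: The first error message in squid_validate_cache interpolates `$field`, the internal form key, although the loop also provides the readable label in `$name`. The other validators in this patch print the label, so `"You must enter a valid value for '$name'."` would be consistent. `split("\n", $post['donotcache'])` uses the regex-based split(), deprecated since PHP 5.3; `explode("\n", $post['donotcache'])` does the same job here. The function begins before this hunk.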
@@ -583,19 +611,22 @@ function squid_validate_nac($post, &$input_errors) { $allowed_subnets = explode("\n", $post['allowed_subnets']); foreach ($allowed_subnets as $subnet) { $subnet = trim($subnet); - if (!empty($subnet) && !is_subnet($subnet)) - $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; + if (!empty($subnet) && !is_subnet($subnet)) { + $input_errors[] = "The subnet '$subnet' is not a valid CIDR range."; + } } foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) { - if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)) { - for ($x=0; $x < count($matches[1]); $x++) { + if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@", $_POST[$hosts], $matches)) { + for ($x = 0; $x < count($matches[1]); $x++) { if ($matches[2][$x] == "") { - if (!is_ipaddr($matches[1][$x])) - $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address"; + if (!is_ipaddr($matches[1][$x])) { + $input_errors[] = "'{$matches[1][$x]}' is not a valid IP address."; + } } else { - if (!is_subnet($matches[0][$x])) - $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range"; + if (!is_subnet($matches[0][$x])) { + $input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range."; + } } } } 
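Review bot: The `unrestricted_hosts` / `banned_hosts` check in squid_validate_nac validates only the substrings that `preg_match_all("@([0-9.]+)(/[0-9.]+|)@", ...)` extracts, so any other text in those fields is never examined and passes. It also reads `$_POST[$hosts]` instead of the `$post` argument the rest of the function uses. If these fields are later written into Squid ACL files (not visible here), unvalidated text ends up in the generated configuration. Validating entry by entry, as the `allowed_subnets` loop above does, rejects everything that is not an address or CIDR range. The sketch below assumes one entry per line, which should be confirmed against the form definition.

```php
foreach (array('unrestricted_hosts', 'banned_hosts') as $hosts) {
	// assumes newline-separated entries, like allowed_subnets
	foreach (explode("\n", $post[$hosts]) as $host) {
		$host = trim($host);
		if ($host !== '' && !is_ipaddr($host) && !is_subnet($host)) {
			$input_errors[] = "'$host' is not a valid IP address or CIDR range.";
		}
	}
}
```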
@@ -604,22 +635,25 @@ function squid_validate_nac($post, &$input_errors) { foreach (array('unrestricted_macs', 'banned_macs') as $macs) { foreach (explode("\n", $post[$macs]) as $mac) { $mac = trim($mac); - if (!empty($mac) && !is_macaddr($mac)) - $input_errors[] = "The mac '$mac' is not a valid MAC address"; + if (!empty($mac) && !is_macaddr($mac)) { + $input_errors[] = "'$mac' is not a valid MAC address."; + } } } foreach (explode(",", $post['timelist']) as $time) { $time = trim($time); - if (!empty($time) && !squid_is_timerange($time)) - $input_errors[] = "The time range '$time' is not a valid time range"; + if (!empty($time) && !squid_is_timerange($time)) { + $input_errors[] = "The time range '$time' is not a valid time range."; + } } if (!empty($post['ext_cachemanager'])) { $extmgr = explode(";", ($post['ext_cachemanager'])); foreach ($extmgr as $mgr) { - if (!is_ipaddr($mgr)) - $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; + if (!is_ipaddr($mgr)) { + $input_errors[] = "You must enter a valid IP address in the 'External Cache Manager' field'."; + } } } } 
@@ -634,26 +668,30 @@ function squid_validate_traffic($post, &$input_errors) { foreach ($num_fields as $field => $name) { $value = trim($post[$field]); - if (!is_numericint($value)) - $input_errors[] = "The field '$name' must contain a positive number"; + if (!is_numericint($value)) { + $input_errors[] = "The '$name' field must contain a positive integer."; + } } if (!empty($post['quick_abort_min'])) { $value = trim($post['quick_abort_min']); - if (!is_numericint($value)) - $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; + if (!is_numericint($value)) { + $input_errors[] = "'Finish when remaining KB' must contain a positive integer."; + } } if (!empty($post['quick_abort_max'])) { $value = trim($post['quick_abort_max']); - if (!is_numericint($value)) - $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; + if (!is_numericint($value)) { + $input_errors[] = "'Abort when remaining KB' must contain a positive integer."; + } } if (!empty($post['quick_abort_pct'])) { $value = trim($post['quick_abort_pct']); - if (!is_numericint($value) || ($value > 100)) - $input_errors[] = "The field 'Finish when remaining %' must contain a percentage"; + if (!is_numericint($value) || ($value > 100)) { + $input_errors[] = "'Finish when remaining %' must contain valid percentage (1-100)."; + } } } 
@@ -663,33 +701,37 @@ function squid_validate_reverse($post, &$input_errors) { if (!empty($post['reverse_ip'])) { $reverse_ip = explode(";", ($post['reverse_ip'])); foreach ($reverse_ip as $reip) { - if (!is_ipaddr(trim($reip))) - $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'.' -> \''.$reip.'\' is invalid.'; + if (!is_ipaddr(trim($reip))) { + $input_errors[] = "You must enter a valid IP address in the 'User-defined reverse-proxy IPs' field. '$reip' is invalid."; + } } } $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) - $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + if (!empty($fqdn) && !is_domain($fqdn)) { + $input_errors[] = "'External FQDN' field must contain a valid domain name."; + } $port = trim($post['reverse_http_port']); - // XXX: Where is $portrange being defined ??? - preg_match("/(\d+)/",`sysctl net.inet.ip.portrange.reservedhigh`,$portrange); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; + preg_match("/(\d+)/", shell_exec("/sbin/sysctl net.inet.ip.portrange.reservedhigh"), $portrange); + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Reverse HTTP port' must contain a valid port number."; + } if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "The field 'reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; + $input_errors[] = "'Reverse HTTP port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart 
Squid daemon."; } $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Reverse HTTPS port' must contain a valid port number."; + } if (!empty($port) && is_port($port) && $port <= $portrange[1]) { - $input_errors[] = "The field 'reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; - $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 on system tunable options and restart squid daemon."; + $input_errors[] = "'Reverse HTTPS port' must contain a port number higher than net.inet.ip.portrange.reservedhigh sysctl value({$portrange[1]})."; + $input_errors[] = "To listen on low ports, change portrange.reservedhigh sysctl value to 0 in system tunable options and restart Squid daemon."; } - if ($post['reverse_ssl_cert'] == 'none') + if ($post['reverse_ssl_cert'] == 'none') { $input_errors[] = 'A valid certificate for the external interface must be selected'; + } if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; @@ -698,8 +740,9 @@ function squid_validate_reverse($post, &$input_errors) { if (!empty($post['reverse_owa_ip'])) { $reverse_owa_ip = explode(";", ($post['reverse_owa_ip'])); foreach ($reverse_owa_ip as $reowaip) { - if (!is_ipaddr(trim($reowaip))) - $input_errors[] = 'You must enter a valid IP address in the \'CAS-Array / OWA frontend IP address\' field'.' -> \''.$reowaip.'\' is invalid.'; + if (!is_ipaddr(trim($reowaip))) { + $input_errors[] = "You must enter a valid IP address in the 'CAS-Array / OWA frontend IP address' field. '$reowaip' is invalid."; + } } } 
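Review bot: `$portrange` in squid_validate_reverse is filled from `shell_exec()` output without checking that the command ran or that the pattern matched. If either fails, `$portrange[1]` is unset and `$port <= $portrange[1]` compares against null, so the reserved-port check for both the HTTP and HTTPS port is skipped with no message. Read the bare value and test it: `$reserved = trim(shell_exec("/sbin/sysctl -n net.inet.ip.portrange.reservedhigh"));` then `if (!is_numericint($reserved)) { $input_errors[] = "Could not read net.inet.ip.portrange.reservedhigh."; }`, and compare against `$reserved`. The function starts before this hunk and continues in the following ones.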
@@ -707,13 +750,16 @@ function squid_validate_reverse($post, &$input_errors) { if (!empty($contents)) { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { - $cfg = explode(";",($def)); - if (!is_ipaddr($cfg[1])) - $input_errors[] = "please choose a valid IP in the cache peer configuration."; - if (!is_port($cfg[2])) - $input_errors[] = "please choose a valid port in the cache peer configuration."; - if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) - $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; + $cfg = explode(";", ($def)); + if (!is_ipaddr($cfg[1])) { + $input_errors[] = "Please choose a valid IP in the cache peer configuration."; + } + if (!is_port($cfg[2])) { + $input_errors[] = "Please choose a valid port in the cache peer configuration."; + } + if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) { + $input_errors[] = "Please choose HTTP or HTTPS in the cache peer configuration."; + } } } } 
@@ -726,48 +772,55 @@ function squid_validate_auth($post, &$input_errors) { foreach ($num_fields as $field) { $value = trim($post[$field[0]]); - if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) - $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) { + $input_errors[] = "The '{$field[1]}' field must contain a valid number greater than {$field[2]}"; + } } $auth_method = $post['auth_method']; if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) { $server = trim($post['auth_server']); - if (empty($server)) - $input_errors[] = 'The field \'Authentication server\' is required'; - else if (!is_ipaddr($server) && !is_domain($server)) - $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + if (empty($server)) { + $input_errors[] = "'Authentication server' is required."; + } elseif (!is_ipaddr($server) && !is_domain($server)) { + $input_errors[] = "'Authentication server' must contain a valid IP address or domain name."; + } $port = trim($post['auth_server_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + if (!empty($port) && !is_port($port)) { + $input_errors[] = "'Authentication server port' must contain a valid port number."; + } switch ($auth_method) { - case 'ldap': - $user = trim($post['ldap_user']); - if (empty($user)) - $input_errors[] = 'The field \'LDAP server user DN\' is required'; - else if (!$user) - $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; - break; - case 'radius': - $secret = trim($post['radius_secret']); - if (empty($secret)) - $input_errors[] = 'The field \'RADIUS secret\' is required'; - break; - case 'msnt': - foreach (explode(",", trim($post['msnt_secondary'])) as $server) { - if (!empty($server) && 
!is_ipaddr($server) && !is_domain($server)) - $input_errors[] = "The host '$server' is not a valid IP address or domain name"; - } - break; + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) { + $input_errors[] = "'LDAP server user DN' is required."; + } elseif (!$user) { + $input_errors[] = "'LDAP server user DN' must be a valid DN."; + } + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) { + $input_errors[] = "'RADIUS secret' is required."; + } + break; + case 'msnt': + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) { + $input_errors[] = "The host '$server' is not a valid IP address or domain name"; + } + } + break; } $no_auth = explode("\n", $post['no_auth_hosts']); foreach ($no_auth as $host) { $host = trim($host); - if (!empty($host) && !is_subnet($host)) + if (!empty($host) && !is_subnet($host)) { $input_errors[] = "The host '$host' is not a valid CIDR range"; + } } } } @@ -786,7 +839,7 @@ function squid_install_cron($should_install) { $settings = array(); } - $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); + $cron_cmd = ($settings['clear_cache'] == 'on' ? "/usr/local/pkg/swapstate_check.php clean; " : ""); $cron_cmd .= SQUID_BASE . "/sbin/squid -k rotate -f " . SQUID_CONFFILE; install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root"); 
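Review bot: In the `ldap` case of squid_validate_auth, `elseif (!$user)` can never be true, because it is reached only when `empty($user)` is false. The "must be a valid DN" message is therefore dead code and the bind DN is accepted without any format check. Replace the condition with a real test, for instance `} elseif (strpos($user, '=') === false || preg_match('/[\r\n]/', $user)) {`, which rejects values with no attribute=value pair or with embedded line breaks. Embedded line breaks matter if the value is later written into the generated Squid configuration, which is not visible in this hunk.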
@@ -803,15 +856,16 @@ function squid_install_cron($should_install) { } function squid_check_ca_hashes() { - global $config,$g; + global $config, $g; // check certificates $cert_count = 0; - if (is_dir(SQUID_LOCALBASE. '/share/certs')) { - if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) { + if (is_dir(SQUID_LOCALBASE . '/share/certs')) { + if ($handle = opendir(SQUID_LOCALBASE . '/share/certs')) { while (false !== ($file = readdir($handle))) { - if (preg_match ("/\d+.0/",$file)) + if (preg_match ("/\d+.0/",$file)) { $cert_count++; + } } closedir($handle); } @@ -820,20 +874,22 @@ function squid_check_ca_hashes() { conf_mount_rw(); // create ca-root hashes from ca-root-nss package log_error("Creating root certificate bundle hashes from the Mozilla Project"); - $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt'); - $cert=0; + $cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt'); + $cert = 0; foreach ($cas as $ca) { - if (preg_match("/--BEGIN CERTIFICATE--/",$ca)) - $cert=1; - if ($cert == 1) - $crt.=$ca; - if (preg_match("/-END CERTIFICATE-/",$ca)) { - file_put_contents("/tmp/cert.pem",$crt, LOCK_EX); - $cert_hash=array(); - exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash); - file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX); - $crt=""; - $cert=0; + if (preg_match("/--BEGIN CERTIFICATE--/", $ca)) { + $cert = 1; + } + if ($cert == 1) { + $crt .= $ca; + } + if (preg_match("/-END CERTIFICATE-/", $ca)) { + file_put_contents("/tmp/cert.pem", $crt, LOCK_EX); + $cert_hash = array(); + exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem", $cert_hash); + file_put_contents(SQUID_LOCALBASE . "/share/certs/" . $cert_hash[0] . ".0", $crt, LOCK_EX); + $crt = ""; + $cert = 0; } } } 
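Review bot: squid_check_ca_hashes writes each certificate to the fixed path `/tmp/cert.pem` and then stores it in the CA directory under a name taken from `$cert_hash[0]`, without checking that openssl succeeded. A fixed name in a world-writable directory can be pre-created or symlinked by another local account, and a failed `openssl x509 -hash` leaves `$cert_hash[0]` unset so the data is written as `.0`. Use `$tmp = tempnam("/tmp", "squid_ca_");`, pass it as `"-in " . escapeshellarg($tmp)` with a third `$rc` argument to `exec()`, write only when `$rc == 0 && !empty($cert_hash[0])`, and `unlink($tmp)` afterwards. `$crt` is also appended to before its first assignment; initialise it to `""` next to `$cert = 0`. The function spans this hunk and the previous one.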
@@ -842,10 +898,11 @@ function squid_check_ca_hashes() { function squid_resync_general() { global $g, $config, $valid_acls; - if (is_array($config['installedpackages']['squid'])) + if (is_array($config['installedpackages']['squid'])) { $settings = $config['installedpackages']['squid']['config'][0]; - else - $settings=array(); + } else { + $settings = array(); + } $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n\n"; 
@@ -855,31 +912,34 @@ function squid_resync_general() { $srv_cert = lookup_ca($settings["dca"]); if ($srv_cert != false) { if (base64_decode($srv_cert['prv'])) { - // check if ssl_db was initilized by squid + // check if ssl_db was initilized by Squid if (!file_exists(SQUID_SSL_DB . "/serial")) { if (is_dir(SQUID_SSL_DB)) { mwexec("/bin/rm -rf " . SQUID_SSL_DB); } - mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB); + mwexec(SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -c -s " . SQUID_SSL_DB); } // force squid user permission on /var/squid/lib/ssl_db/ squid_chown_recursive(SQUID_SSL_DB, SQUID_UID, SQUID_GID); - // cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext - $crt_pk=SQUID_CONFBASE."/serverkey.pem"; - $crt_capath=SQUID_LOCALBASE."/share/certs/"; - file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt'])); - $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); - $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n"; - $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . " -M 4MB -b 2048\n"; + // cert, key, version, cipher, options, clientca, cafile, capath, crlfile, dhparams, sslflags, sslcontext + $crt_pk = SQUID_CONFBASE . "/serverkey.pem"; + $crt_capath = SQUID_LOCALBASE . "/share/certs/"; + file_put_contents($crt_pk, base64_decode($srv_cert['prv']) . base64_decode($srv_cert['crt'])); + $sslcrtd_children = ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5); + $ssl_interception .= "ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=" . ($sslcrtd_children*2) . "MB cert={$crt_pk} capath={$crt_capath}\n"; + $interception_checks = "sslcrtd_program " . SQUID_LOCALBASE . "/libexec/squid/ssl_crtd -s " . SQUID_SSL_DB . 
" -M 4MB -b 2048\n"; $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n"; $interception_checks .= "sslproxy_capath {$crt_capath}\n"; - if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"])) - $interception_checks.="sslproxy_cert_error allow all\n"; - if (preg_match("/sslproxy_flags/",$settings["interception_checks"])) - $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n"; + if (preg_match("/sslproxy_cert_error/", $settings["interception_checks"])) { + $interception_checks .= "sslproxy_cert_error allow all\n"; + } + if (preg_match("/sslproxy_flags/", $settings["interception_checks"])) { + $interception_checks .= "sslproxy_flags DONT_VERIFY_PEER\n"; + } if ($settings["interception_adapt"] != "") { - foreach (explode(",",$settings["interception_adapt"]) as $adapt) - $interception_checks.="sslproxy_cert_adapt {$adapt} all\n"; + foreach (explode(",", $settings["interception_adapt"]) as $adapt) { + $interception_checks .= "sslproxy_cert_adapt {$adapt} all\n"; + } } } } 
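Review bot: `file_put_contents($crt_pk, ...)` writes the CA private key and certificate to `serverkey.pem` with whatever mode the process umask yields, and no `chmod` or ownership change for that file is visible in this hunk. This key signs every certificate generated for SSL interception, so the file should be created restricted before the key material is written, e.g. `touch($crt_pk); chmod($crt_pk, 0600);`, with the owner set to the Squid user if Squid reads it after dropping privileges. The same block emits `sslproxy_cert_error allow all` and `sslproxy_flags DONT_VERIFY_PEER` when selected; a comment such as `// disables upstream certificate validation for intercepted connections` would make that trade-off explicit. The code sits inside squid_resync_general(), which starts and ends outside the hunk.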
@@ -890,47 +950,51 @@ function squid_resync_general() { // Read assigned interfaces $real_ifaces = array(); - if ($settings['active_interface']) + if ($settings['active_interface']) { $proxy_ifaces = explode(",", $settings['active_interface']); - else - $proxy_ifaces=array("lan"); + } else { + $proxy_ifaces = array("lan"); + } - if ($settings['transparent_proxy']=="on") { + if ($settings['transparent_proxy'] == "on") { $transparent_ifaces = explode(",", $settings['transparent_active_interface']); foreach ($transparent_ifaces as $t_iface) { $t_iface_ip = squid_get_real_interface_address($t_iface); - if ($t_iface_ip[0]) - $real_ifaces[]=$t_iface_ip; + if ($t_iface_ip[0]) { + $real_ifaces[] = $t_iface_ip; + } } } else { - $transparent_ifaces=array(); + $transparent_ifaces = array(); } - if ($settings['ssl_proxy']=="on") { + if ($settings['ssl_proxy'] == "on") { $ssl_ifaces = explode(",", $settings['ssl_active_interface']); foreach ($ssl_ifaces as $s_iface) { $s_iface_ip = squid_get_real_interface_address($s_iface); - if ($s_iface_ip[0]) + if ($s_iface_ip[0]) { $real_ifaces[]=$s_iface_ip; + } } } else { - $ssl_ifaces=array(); + $ssl_ifaces = array(); } // check all proxy interfaces selected foreach ($proxy_ifaces as $iface) { $iface_ip = squid_get_real_interface_address($iface); if ($iface_ip[0]) { - $real_ifaces[]=$iface_ip; - if (in_array($iface,$ssl_ifaces)) + $real_ifaces[] = $iface_ip; + if (in_array($iface,$ssl_ifaces)) { $conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n"; - else + } else { $conf .= "http_port {$iface_ip[0]}:{$port}\n"; + } } } if (($settings['transparent_proxy'] == 'on')) { - if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0) { + if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces) > 0) { $conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n"; $conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n"; } else { 
@@ -938,11 +1002,11 @@ function squid_resync_general() { } } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); - $dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" ); - $piddir="{$g['varrun_path']}/squid"; + $dns_v4_first = ($settings['dns_v4_first'] == "on" ? "on" : "off" ); + $piddir = "{$g['varrun_path']}/squid"; $pidfile = "{$piddir}/squid.pid"; if (!is_dir($piddir)) { - @mkdir($piddir, 0755, true); + safe_mkdir($piddir, 0755); squid_chown_recursive($piddir, SQUID_UID, 'wheel'); } $language = ($settings['error_language'] ? $settings['error_language'] : 'en'); @@ -952,13 +1016,13 @@ function squid_resync_general() { $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); if (!is_dir($logdir)) { - @mkdir($logdir, 0755, true); + safe_mkdir($logdir, 0755); squid_chown_recursive($logdir, SQUID_UID, SQUID_GID); } $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); - $pinger_helper = ($settings['disable_pinger']) =='on' ? 'off' : 'on'; - $pinger_program=SQUID_LOCALBASE."/libexec/squid/pinger"; + $pinger_helper = ($settings['disable_pinger']) == 'on' ? 'off' : 'on'; + $pinger_program = SQUID_LOCALBASE . "/libexec/squid/pinger"; $squid_uid = SQUID_UID; $squid_gid = SQUID_GID; 
@@ -1000,35 +1064,42 @@ EOD; list($ip, $mask) = $iface; $ip = long2ip(ip2long($ip) & ip2long($mask)); $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); - if (!preg_match("@$ip/$mask@",$src)) + if (!preg_match("@$ip/$mask@", $src)) { $src .= " $ip/$mask"; + } } $conf .= "# Allow local network(s) on interface(s)\n"; $conf .= "acl localnet src $src\n"; $valid_acls[] = 'localnet'; } - if ($settings['xforward_mode']) + if ($settings['xforward_mode']) { $conf .= "forwarded_for {$settings['xforward_mode']}\n"; - else - $conf .= "forwarded_for on\n"; //only used for first run + } else { + // only used for first run + $conf .= "forwarded_for on\n"; + } - if ($settings['disable_via']) + if ($settings['disable_via']) { $conf .= "via off\n"; + } - if ($settings['disable_squidversion']) + if ($settings['disable_squidversion']) { $conf .= "httpd_suppress_version_string on\n"; + } - if (!empty($settings['uri_whitespace'])) + if (!empty($settings['uri_whitespace'])) { $conf .= "uri_whitespace {$settings['uri_whitespace']}\n"; - else - $conf .= "uri_whitespace strip\n"; //only used for first run + } else { + // only used for first run + $conf .= "uri_whitespace strip\n"; + } if (!empty($settings['dns_nameservers'])) { $altdns = explode(";", ($settings['dns_nameservers'])); $conf .= "dns_nameservers "; foreach ($altdns as $dnssrv) { - $conf .= $dnssrv." "; + $conf .= $dnssrv . " "; } } 
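Review bot: The duplicate check `preg_match("@$ip/$mask@", $src)` treats the network as an unanchored regular expression, so the dots match any character and `10.1.1.0/24` counts as present when `$src` already holds `110.1.1.0/24`; that subnet would then be left out of the `localnet` ACL. Comparing whole tokens avoids this: `if (!in_array("$ip/$mask", explode(" ", trim($src)))) {`. The enclosing function begins before this hunk, so how `$src` is initialised is not visible here.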
@@ -1038,17 +1109,18 @@ EOD; function squid_resync_cache() { global $config, $g; - if (is_array($config['installedpackages']['squidcache'])) + if (is_array($config['installedpackages']['squidcache'])) { $settings = $config['installedpackages']['squidcache']['config'][0]; - else + } else { $settings = array(); + } - //apply cache settings - $cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); + // apply cache settings + $cachedir = ($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache'); $disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100); $level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16); $memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8); - $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB"); + $max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size'] . " KB" : "10 KB"); $min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0); $max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32); $cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA'); 
@@ -1066,15 +1138,15 @@ function squid_resync_cache() { } // 'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching. if ($disk_cache_system != "null") { - $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; + $disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256"; } - //check dynamic content + // check dynamic content if (empty($settings['cache_dynamic_content'])) { - $conf.='acl dynamic urlpath_regex cgi-bin \?'."\n"; - $conf.="cache deny dynamic\n"; - } else if (preg_match('/youtube/',$settings['refresh_patterns'])) { + $conf .= 'acl dynamic urlpath_regex cgi-bin \?' . "\n"; + $conf .= "cache deny dynamic\n"; + } elseif (preg_match('/youtube/', $settings['refresh_patterns'])) { // Broken (Bug #3847) and not working (http://wiki.squid-cache.org/ConfigExamples/DynamicContent/YouTube#Discussion) -/* $conf.=<<< EOC +/* $conf .= <<< EOC # Break HTTP standard for flash videos. Keep them in cache even if asked not to. refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private @@ -1085,8 +1157,8 @@ cache allow youtube EOC; */ } - if (preg_match('/windows/',$settings['refresh_patterns'])) { - $conf.=<<< EOC + if (preg_match('/windows/', $settings['refresh_patterns'])) { + $conf .= <<< EOC # Windows Update refresh_pattern range_offset_limit -1 @@ -1097,8 +1169,8 @@ refresh_pattern -i windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 EOC; } - if (preg_match('/symantec/',$settings['refresh_patterns'])) { - $conf.=<<< EOC + if (preg_match('/symantec/', $settings['refresh_patterns'])) { + $conf .= <<< EOC # Symantec refresh_pattern range_offset_limit -1 
@@ -1107,8 +1179,8 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re EOC; } - if (preg_match('/avast/',$settings['refresh_patterns'])) { - $conf.=<<< EOC + if (preg_match('/avast/', $settings['refresh_patterns'])) { + $conf .= <<< EOC # Avast refresh_pattern range_offset_limit -1 @@ -1116,7 +1188,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i EOC; } - if (preg_match('/avira/',$settings['refresh_patterns'])) { + if (preg_match('/avira/', $settings['refresh_patterns'])) { $conf.=<<< EOC # Avira refresh_pattern @@ -1125,7 +1197,7 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43 EOC; } - $refresh_conf=<<< EOC + $refresh_conf = <<< EOC # Add any of your own refresh_pattern entries above these. refresh_pattern ^ftp: 1440 20% 10080 
@@ -1135,32 +1207,36 @@ refresh_pattern . 0 20% 4320 EOC; - if ($settings['custom_refresh_patterns'] !="") - $conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n"; + if ($settings['custom_refresh_patterns'] != "") { + $conf .= sq_text_area_decode($settings['custom_refresh_patterns']) . "\n"; + } $conf .= <<< EOD -cache_mem $memory_cache_size MB +cache_mem {$memory_cache_size} MB maximum_object_size_in_memory {$max_objsize_in_mem} KB memory_replacement_policy {$memory_policy} cache_replacement_policy {$cache_policy} minimum_object_size {$min_objsize} KB maximum_object_size {$max_objsize} -$disk_cache_opts +{$disk_cache_opts} offline_mode {$offline_mode} EOD; - if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; - if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + if (!empty($settings['cache_swap_low'])) { + $conf .= "cache_swap_low {$settings['cache_swap_low']}\n"; + } + if (!empty($settings['cache_swap_high'])) { + $conf .= "cache_swap_high {$settings['cache_swap_high']}\n"; + } $donotcache = sq_text_area_decode($settings['donotcache']); if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; $conf .= "cache deny donotcache\n"; - } - elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { + } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } $conf .= "cache allow all\n"; 
@@ -1171,17 +1247,19 @@ EOD; function squid_resync_upstream() { global $config; - if (!is_array($config['installedpackages']['squidremote']['config'])) + if (!is_array($config['installedpackages']['squidremote']['config'])) { $config['installedpackages']['squidremote']['config'] = array(); + } $conf = "\n#Remote proxies\n"; foreach ($config['installedpackages']['squidremote']['config'] as $settings) { if ($settings['enable'] == 'on') { $conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} "; - if ($settings['icpport'] == '7') + if ($settings['icpport'] == '7') { $conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} "; - else + } else { $conf .= "{$settings['icpport']} "; + } // auth settings if (!empty($settings['username']) && !empty($settings['password'])) { $conf .= " login={$settings['username']}:{$settings['password']}"; @@ -1189,14 +1267,18 @@ function squid_resync_upstream() { $conf .= "{$settings['authoption']} "; } // other options settings - if (!empty($settings['weight'])) + if (!empty($settings['weight'])) { $conf .= "weight={$settings['weight']} "; - if (!empty($settings['basetime'])) + } + if (!empty($settings['basetime'])) { $conf .= "basetime={$settings['basetime']} "; - if (!empty($settings['ttl'])) + } + if (!empty($settings['ttl'])) { $conf .= "ttl={$settings['ttl']} "; - if (!empty($settings['nodelay'])) + } + if (!empty($settings['nodelay'])) { $conf .= "no-delay"; + } } $conf .= "\n"; } @@ -1208,7 +1290,8 @@ function squid_resync_redirector() { // XXX: What port provide squirm binary? It's not present $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); - if ($httpav_enabled) { + $redirector = "/usr/local/bin/squirm"; + if (($httpav_enabled) && is_executable($redirector)) { $conf = "url_rewrite_program /usr/local/bin/squirm\n"; } else { $conf = "# No redirector configured\n"; 
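Review bot: In squid_resync_upstream() the `cache_peer` line is assembled from raw config fields, including `login={$settings['username']}:{$settings['password']}`, and no check is visible here that the values contain no whitespace or newlines. A newline in any of these fields would end the `cache_peer` line and begin a new directive in squid.conf, and the upstream password ends up in clear text in that file. Validation may exist in the form handler outside this diff; at minimum the assumption should be documented above the loop, e.g. `// values are written verbatim into squid.conf; they must be validated on save (no whitespace or newlines)`. The generated config should also be readable only by root and the Squid user.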
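Review bot: In squid_resync_redirector() the new `$redirector` variable is used only for the `is_executable()` test, while the emitted directive still hard-codes the path, so the two can drift apart. Use the variable in both places: `$conf = "url_rewrite_program {$redirector}\n";`. The added `is_executable()` condition is a behaviour change in a commit titled as code style fixes and would be easier to audit if the commit message mentioned it.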
@@ -1220,10 +1303,11 @@ function squid_resync_nac() { global $config, $valid_acls; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); - if (is_array($config['installedpackages']['squidnac'])) + if (is_array($config['installedpackages']['squidnac'])) { $settings = $config['installedpackages']['squidnac']['config'][0]; - else + } else { $settings = array(); + } $webgui_port = $config['system']['webgui']['port']; $addtl_ports = $settings['addtl_ports']; $addtl_sslports = $settings['addtl_sslports']; @@ -1250,7 +1334,7 @@ acl HTTPS proto HTTPS EOD; - $allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets'])); + $allowed_subnets = preg_replace("/\s+/"," ", sq_text_area_decode($settings['allowed_subnets'])); if (!empty($allowed_subnets)) { $conf .= "acl allowed_subnets src $allowed_subnets\n"; $valid_acls[] = 'allowed_subnets'; @@ -1271,8 +1355,7 @@ EOD; file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; $valid_acls[] = $option; - } - elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { + } elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { unlink(SQUID_ACLDIR . "/$option.acl"); } } 
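Review bot: In squid_resync_nac() `$port` is computed from `$settings['proxy_port']` before `$settings` is assigned on the following lines, so the lookup reads an undefined variable and `$port` is always 3128. If `$port` feeds the port ACLs further down (outside this hunk), a non-default proxy port would be missing from them. The assignment should move below the `$settings` block and read from the section that actually stores `proxy_port`; assuming that is the general Squid settings, something like `$port = ($config['installedpackages']['squid']['config'][0]['proxy_port'] ? $config['installedpackages']['squid']['config'][0]['proxy_port'] : 3128);`. This needs confirming against the rest of the function.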
@@ -1320,28 +1403,26 @@ function squid_resync_antivirus() { else $antivirus_config = array(); - if ($antivirus_config['enable']=="on") { + if ($antivirus_config['enable'] == "on") { switch ($antivirus_config['client_info']) { - case "both": - default: - $icap_send_client_ip="on"; - $icap_send_client_username="on"; - break; - case "IP": - $icap_send_client_ip="on"; - $icap_send_client_username="off"; - break; - case "username": - $icap_send_client_ip="off"; - $icap_send_client_username="on"; - break; - case "none": - $icap_send_client_ip="off"; - $icap_send_client_username="off"; - break; + case "both": + default: + $icap_send_client_ip = "on"; + $icap_send_client_username = "on"; + break; + case "ip": + $icap_send_client_ip = "on"; + $icap_send_client_username = "off"; + break; + case "username": + $icap_send_client_ip = "off"; + $icap_send_client_username = "on"; + break; + case "none": + $icap_send_client_ip = "off"; + $icap_send_client_username = "off"; + break; } - if (is_array($config['installedpackages']['squid'])) - $squid_config=$config['installedpackages']['squid']['config'][0]; $conf = <<< EOF icap_enable on 
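Review bot: The switch label changes from `"IP"` to `"ip"`, and because `default:` shares the first branch, a stored `client_info` value of `IP` no longer matches and now falls into the `both` branch, turning `icap_send_client_username` on. Unless the form's option value and existing configurations are migrated in the same commit (not visible here), installations set to send only the client IP would start sending usernames to the ICAP service. Matching case-insensitively keeps old configs working: `switch (strtolower($antivirus_config['client_info'])) {`. The removed `$squid_config` assignment is likewise a functional change in a style commit. The function body continues outside the hunk.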
@@ -1360,66 +1441,72 @@ adaptation_access service_avi_resp allow all EOF; // check if icap is enabled on rc.conf.local + // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way if (file_exists("/etc/rc.conf.local")) { - $rc_old_file=file("/etc/rc.conf.local"); + $rc_old_file = file("/etc/rc.conf.local"); foreach ($rc_old_file as $rc_line) { - if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)) { - $rc_file.=$matches[1].'="YES"'."\n"; - ${$matches[1]}="ok"; + if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/", $rc_line, $matches)) { + $rc_file .= $matches[1] . '="YES"' . "\n"; + ${$matches[1]} = "ok"; + } else { + $rc_file .= $rc_line; } - else - $rc_file.=$rc_line; } } - if (!isset($c_icap_enable)) - $rc_file.='c_icap_enable="YES"'."\n"; - if (!isset($clamav_clamd_enable)) - $rc_file.='clamav_clamd_enable="YES"'."\n"; - file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX); + if (!isset($c_icap_enable)) { + $rc_file .= 'c_icap_enable="YES"' . "\n"; + } + if (!isset($clamav_clamd_enable)) { + $rc_file .= 'clamav_clamd_enable="YES"' . "\n"; + } + file_put_contents("/etc/rc.conf.local", $rc_file, LOCK_EX); squid_check_clamav_user('clamav'); // patch sample files to pfsense dirs // squidclamav.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")) { - $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default"); - $clamav_m[0]="@/var/run/clamav/clamd.ctl@"; - $clamav_m[1]="@cgi-bin/clwarn.cgi@"; - $clamav_r[0]="/var/run/clamav/clamd.sock"; - $clamav_r[1]="squid_clwarn.php"; - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX); + if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) { + if (file_exists(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default"); + $clamav_m[0] = "@/var/run/clamav/clamd.ctl@"; + $clamav_m[1] = "@cgi-bin/clwarn.cgi@"; + $clamav_r[0] = "/var/run/clamav/clamd.sock"; + $clamav_r[1] = "squid_clwarn.php"; + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); } } // c-icap.conf - if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { - if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")) { - $sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default"); - if (!preg_match("/squid_clamav/",$sample_file)) - $sample_file.="\nService squid_clamav squidclamav.so\n"; - $cicap_m[0]="@Manager:Apassword\S+@"; - $cicap_r[0]=""; - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",preg_replace($cicap_m,$cicap_r,$sample_file),LOCK_EX); + if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { + if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) { + $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default"); + if (!preg_match("/squid_clamav/", $sample_file)) { + $sample_file .= "\nService squid_clamav squidclamav.so\n"; + } + $cicap_m[0] = "@Manager:Apassword\S+@"; + $cicap_r[0] = ""; + file_put_contents(SQUID_LOCALBASE . 
"/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX); } } - //check squidclamav files until pbis are gone(https://redmine.pfsense.org/issues/4197) - $ln_icap= array('bin/c-icap','bin/c-icap-client','c-icap-config','c-icap-libicapapi-config','c-icap-stretch','lib/c_icap','share/c_icap','etc/c-icap'); + // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197) + $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); foreach ($ln_icap as $ln) { - if (!file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE."/{$ln}")) - symlink(SQUID_LOCALBASE."/{$ln}","/usr/local/{$ln}"); + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) { + symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}"); + } + } + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) { + symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3"); } - if (!file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5")) - symlink(SQUID_LOCALBASE."/lib/libicapapi.so.3.0.5","/usr/local/lib/libicapapi.so.3"); - $loadsample=0; - if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))); + $loadsample = 0; + if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . 
"/etc/c-icap/squidclamav.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))); + if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample"))); $loadsample++; } - if ($antivirus_config['c-icap_magic'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample")) { - $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(str_replace( "\r", "",file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.sample"))); + if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) { + $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample"))); $loadsample++; } if ($loadsample > 0) { 
@@ -1435,24 +1522,25 @@ EOF; "/var/db/clamav" => "clamav" ); foreach ($dirs as $dir_path => $dir_user) { - if (!is_dir($dir_path)) - @mkdir($dir_path, 0755, true); + safe_mkdir($dir_path, 0755); squid_chown_recursive($dir_path, $dir_user, "wheel"); } // Check clamav database - if (count(glob("/var/db/clamav/*d"))==0) { - log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam on background."); - mwexec_bg(SQUID_BASE."/bin/freshclam"); + if (count(glob("/var/db/clamav/*d")) == 0) { + log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); + mwexec_bg(SQUID_BASE . "/bin/freshclam"); } $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); - foreach ($rcd_files as $rcd_file) - if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}")) - symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}"); + foreach ($rcd_files as $rcd_file) { + if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/etc/rc.d/{$rcd_file}")) { + symlink(SQUID_LOCALBASE . "/etc/rc.d/{$rcd_file}", "/usr/local/etc/rc.d/{$rcd_file}"); + } + } // write advanced icap config files - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX); - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX); - file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); + file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); // check antivirus daemons // check icap 
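Review bot: `scandir(SQUID_LOCALBASE."/etc/rc.d")` returns `false` when the directory is missing or unreadable, and the `foreach` that follows then runs on a non-array. Guard the result, e.g. `$rcd_files = scandir(SQUID_LOCALBASE . "/etc/rc.d") ?: array();`. The `symlink()` return value is also ignored, so a failed link only surfaces later when the rc.d script is started. The block lies inside squid_resync_antivirus(), which starts and ends outside this hunk.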
@@ -1460,38 +1548,39 @@ EOF; mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); } else { // check c-icap user on startup file - $c_icap_rcfile="/usr/local/etc/rc.d/c-icap"; + $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap"; if (file_exists($c_icap_rcfile)) { - $sample_file=file_get_contents($c_icap_rcfile); - $cicapm[0]="@c_icap_user=.*}@"; - $cicapr[0]='c_icap_user="clamav"}'; - $cicapm[1]="@/usr/local@"; - $cicapr[1]=SQUID_LOCALBASE; - file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX); + $sample_file = file_get_contents($c_icap_rcfile); + $cicapm[0] = "@c_icap_user=.*}@"; + $cicapr[0] = 'c_icap_user="clamav"}'; + $cicapm[1] = "@/usr/local@"; + $cicapr[1] = SQUID_LOCALBASE; + file_put_contents($c_icap_rcfile, preg_replace($cicapm, $cicapr, $sample_file), LOCK_EX); } mwexec_bg("/usr/local/etc/rc.d/c-icap start"); } // check clamav/freshclam - $rc_files=array("clamav-freshclam","clamav-clamd"); - $clamm[0]="@/usr/local/(bin|sbin)@"; - $clamm[1]="@/local/(bin|sbin)@"; - $clamm[2]="@/usr/local/etc@"; - $clamm[3]="@enable:=NO@"; - $clamr[0]=SQUID_BASE."/bin"; - $clamr[1]="/bin"; - $clamr[2]=SQUID_LOCALBASE."/etc"; - $clamr[3]="enable:=YES"; + $rc_files = array("clamav-freshclam", "clamav-clamd"); + $clamm[0] = "@/usr/local/(bin|sbin)@"; + $clamm[1] = "@/local/(bin|sbin)@"; + $clamm[2] = "@/usr/local/etc@"; + $clamm[3] = "@enable:=NO@"; + $clamr[0] = SQUID_BASE . "/bin"; + $clamr[1] = "/bin"; + $clamr[2] = SQUID_LOCALBASE . 
"/etc"; + $clamr[3] = "enable:=YES"; foreach ($rc_files as $rc_file) { - $clamav_rcfile="/usr/local/etc/rc.d/{$rc_file}"; + $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; if (file_exists($clamav_rcfile)) { - $sample_file=file_get_contents($clamav_rcfile); - file_put_contents($clamav_rcfile,preg_replace($clamm,$clamr,$sample_file),LOCK_EX); + $sample_file = file_get_contents($clamav_rcfile); + file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); } } - if (is_process_running("clamd")) + if (is_process_running("clamd")) { mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); - else + } else { mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); + } } return $conf; } 
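Review bot: The rc.d scripts are rewritten in place with `file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX);` (and the same pattern for `$c_icap_rcfile`) without checking either intermediate result. If `file_get_contents()` returns `false` or `preg_replace()` returns `null`, the startup script is truncated and is then still passed to `mwexec_bg()`. Check before writing: `$patched = preg_replace($clamm, $clamr, $sample_file);` followed by `if (is_string($patched) && $patched !== '') { file_put_contents($clamav_rcfile, $patched, LOCK_EX); }`. The function starts outside this hunk.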
@@ -1499,40 +1588,48 @@ EOF; function squid_resync_traffic() { global $config, $valid_acls; - if (!is_array($valid_acls)) + if (!is_array($valid_acls)) { return; - if (is_array($config['installedpackages']['squidtraffic'])) + } + if (is_array($config['installedpackages']['squidtraffic'])) { $settings = $config['installedpackages']['squidtraffic']['config'][0]; - else + } else { $settings = array(); + } $conf = ''; - if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") + if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0") { $conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n"; - if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") + } + if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0") { $conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n"; - if (!empty($settings['quick_abort_pct'])) + } + if (!empty($settings['quick_abort_pct'])) { $conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n"; + } $up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0); $down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0); $conf .= "request_body_max_size $up_limit KB\n"; - if ($down_limit != 0) + if ($down_limit != 0) { $conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n"; + } // Only apply throttling past 10MB // XXX: Should this really be hardcoded? $threshold = 10 * 1024 * 1024; $overall = $settings['overall_throttling']; - if (!isset($overall) || ($overall == 0)) + if (!isset($overall) || ($overall == 0)) { $overall = -1; - else + } else { $overall *= 1024; + } $perhost = $settings['perhost_throttling']; - if (!isset($perhost) || ($perhost == 0)) + if (!isset($perhost) || ($perhost == 0)) { $perhost = -1; - else + } else { $perhost *= 1024; + } $conf .= <<< EOD delay_pools 1 delay_class 1 2 
@@ -1555,21 +1652,22 @@ EOD; $binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com'; $cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi'; $multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m'; - foreach (array( 'throttle_binaries' => $binaries, - 'throttle_cdimages' => $cdimages, - 'throttle_multimedia' => $multimedia) as $field => $set) { - if ($settings[$field] == 'on') + foreach (array('throttle_binaries' => $binaries, 'throttle_cdimages' => $cdimages, 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') { $exts = array_merge($exts, explode(",", $set)); + } } foreach (explode(",", $settings['throttle_others']) as $ext) { - if (!empty($ext)) + if (!empty($ext)) { $exts[] = $ext; + } } $contents = ''; - foreach ($exts as $ext) + foreach ($exts as $ext) { $contents .= "\.$ext\$\n"; + } file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); $conf .= "# Throttle extensions matched in the url\n"; 
@@ -1598,24 +1696,27 @@ include('/usr/local/pkg/squid_reverse.inc'); function squid_resync_auth() { global $config, $valid_acls; - $write_config=0; + $write_config = 0; if (!is_array($config['installedpackages']['squidauth']['config'])) { - $config['installedpackages']['squidauth']['config'][]=array('auth_method'=> "none"); + $config['installedpackages']['squidauth']['config'][] = array('auth_method'=> "none"); $write_config++; } $settings = $config['installedpackages']['squidauth']['config'][0]; - if (is_array($config['installedpackages']['squidnac']['config'])) + if (is_array($config['installedpackages']['squidnac']['config'])) { $settingsnac = $config['installedpackages']['squidnac']['config'][0]; - else + } else { $settingsnac = array(); + } - if (is_array($config['installedpackages']['squid']['config'])) + if (is_array($config['installedpackages']['squid']['config'])) { $settingsconfig = $config['installedpackages']['squid']['config'][0]; - else + } else { $settingsconfig = array(); + } - if ($write_config > 0) + if ($write_config > 0) { write_config(); + } $conf = ''; 
@@ -1627,17 +1728,17 @@ function squid_resync_auth() { // Package integration if (!empty($settingsconfig['custom_options'])) { - $co_preg[0]='/;/'; - $co_rep[0]="\n"; - $co_preg[1]="/redirect_program/"; - $co_rep[1]="url_rewrite_program"; - $co_preg[2]="/redirector_bypass/"; - $co_rep[2]="url_rewrite_bypass"; - $conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n"; + $co_preg[0] = '/;/'; + $co_rep[0] = "\n"; + $co_preg[1] = "/redirect_program/"; + $co_rep[1] = "url_rewrite_program"; + $co_preg[2] = "/redirector_bypass/"; + $co_rep[2] = "url_rewrite_bypass"; + $conf .= "# Package Integration\n" . preg_replace($co_preg, $co_rep, $settingsconfig['custom_options']) . "\n\n"; } // Custom User Options before authentication acls - $conf .= "# Custom options before auth\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n"; + $conf .= "# Custom options before auth\n" . sq_text_area_decode($settingsconfig['custom_options_squid3']) . "\n\n"; // Deny the banned guys before allowing the good guys if (!empty($settingsnac['banned_hosts'])) { @@ -1655,7 +1756,7 @@ function squid_resync_auth() { // Unrestricted hosts take precedence over blacklist if (!empty($settingsnac['unrestricted_hosts'])) { - if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") { + if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth'] != "on") { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } 
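Review bot: The "Package integration" block emits `$settingsconfig['custom_options']` into squid.conf after only turning `;` into newlines and renaming two directives, and nothing in the code records that this value is trusted. Anything able to set that config key can therefore add arbitrary Squid directives, including helper programs. I would document the trust assumption above the `if`: `// NOTE: custom_options is emitted into squid.conf verbatim (";" becomes a newline); it must only ever be set by trusted package code`. As a style point, `$co_preg` and `$co_rep` are filled index by index without being initialised; `$co_preg = array('/;/', '/redirect_program/', '/redirector_bypass/');` with a matching `$co_rep` array reads more clearly. squid_resync_auth() starts and ends outside this hunk.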
@@ -1694,39 +1795,43 @@ function squid_resync_auth() { } // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) + if ($settingsconfig['log_sqd']) { $conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n"; + } $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); if ($transparent_proxy) { - if (preg_match ("/(none|cp)/",$settings['auth_method'])) - $auth_method=$settings['auth_method']; - else - $auth_method="none"; + if (preg_match ("/(none|cp)/", $settings['auth_method'])) { + $auth_method = $settings['auth_method']; + } else { + $auth_method = "none"; + } } else { - $auth_method=$settings['auth_method']; + $auth_method = $settings['auth_method']; } // Allow the remaining ACLs if no authentication is set if ($auth_method == 'none' || $auth_method == 'cp') { // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny sglog\n"; + if ($settingsconfig['log_sqd']) { + $conf .= "http_access deny sglog\n"; + } } - if ($auth_method == 'none' ) { + if ($auth_method == 'none') { // SSL interception acl options part 2 without authentication if ($settingsconfig['ssl_proxy'] == "on") { $conf .= "always_direct allow all\n"; $conf .= "ssl_bump server-first all\n"; } - $conf .="# Setup allowed acls\n"; + $conf .= "# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { $conf .= "# Allow local network(s) on interface(s)\n"; $allowed[] = "localnet"; } $allowed = array_filter($allowed, 'squid_is_valid_acl'); - foreach ($allowed as $acl) + foreach ($allowed as $acl) { $conf .= "http_access allow $acl\n"; + } } else { $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { 
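Review bot: `preg_match ("/(none|cp)/", $settings['auth_method'])` is unanchored, so in transparent mode any `auth_method` value that merely contains `none` or `cp` passes the test and is copied into `$auth_method` unchanged. Such a value then matches neither `== 'none'` nor `== 'cp'` and falls into the authenticated `else` branch, which this check is meant to prevent for a transparent proxy. An exact comparison states the intent and cannot be satisfied by a substring: `if (in_array($settings['auth_method'], array('none', 'cp'), true)) {`. squid_resync_auth() begins and ends outside this hunk.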
@@ -1739,26 +1844,26 @@ function squid_resync_auth() { $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { - case 'local': - $conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; - break; - case 'ldap': - $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); - $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); - $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; - break; - case 'radius': - $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; - break; - case 'cp': - $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_BASE . "/bin/check_ip.php\n"; - $conf .= "acl password external check_cp\n"; - break; - case 'msnt': - $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; - squid_resync_msnt(); - break; + case 'local': + $conf .= 'auth_param basic program ' . SQUID_LOCALBASE . '/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program " . SQUID_LOCALBASE . 
"/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'cp': + $conf .= "external_acl_type check_cp children-startup={$processes} ttl={$auth_ttl} %SRC " . SQUID_BASE . "/bin/check_ip.php\n"; + $conf .= "acl password external check_cp\n"; + break; + case 'msnt': + $conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n"; + squid_resync_msnt(); + break; } if ($auth_method != 'cp') { $conf .= <<< EOD @@ -1770,7 +1875,7 @@ acl password proxy_auth REQUIRED EOD; } // Custom User Options after authentication definition - $conf .= "# Custom options after auth\n".sq_text_area_decode($settingsconfig['custom_options2_squid3'])."\n\n"; + $conf .= "# Custom options after auth\n" . sq_text_area_decode($settingsconfig['custom_options2_squid3']) . "\n\n"; // SSL interception acl options part 2 if ($settingsconfig['ssl_proxy'] == "on") { 
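Review bot: In the `switch ($auth_method)` hunk the `ldap` and `radius` cases put the bind password and the RADIUS shared secret straight onto the helper command line (`-w {$settings['ldap_pass']}`, `-w {$settings['radius_secret']}`), so both secrets sit in squid.conf and in the argument list of every running helper process. The other interpolated settings (`ldap_basedomain`, `ldap_user`, `ldap_userattribute`, `auth_server`) are also unquoted, so a space or line break in any of them changes the helper's arguments or adds a directive line. For LDAP the helper can read the bind password from a file with `-W`, and basic_radius_auth can take its server and secret from a config file with `-f`; a sketch for the LDAP case follows, with a placeholder file name. The `switch` sits inside squid_resync_auth(), which starts and ends outside this hunk.

```php
case 'ldap':
	$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
	$password = '';
	if (isset($settings['ldap_pass'])) {
		// Placeholder file name: keeps the bind password out of squid.conf and the helper's argv.
		$secretfile = SQUID_CONFBASE . '/ldap_bind_secret';
		// Create the file owner-only from the start instead of tightening it afterwards.
		$oldmask = umask(0077);
		file_put_contents($secretfile, $settings['ldap_pass']);
		umask($oldmask);
		chown($secretfile, SQUID_UID);
		$password = "-W {$secretfile}";
	}
	// … unchanged: $conf .= "auth_param basic program … basic_ldap_auth … $password …" and break …
```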
@@ -1790,16 +1895,19 @@ EOD; $passwordless = array_filter($passwordless, 'squid_is_valid_acl'); // Allow the ACLs that don't need to authenticate - foreach ($passwordless as $acl) + foreach ($passwordless as $acl) { $conf .= "http_access allow $acl\n"; + } // Include squidguard denied acl log in squid - if ($settingsconfig['log_sqd']) - $conf .="http_access deny password sglog\n"; + if ($settingsconfig['log_sqd']) { + $conf .= "http_access deny password sglog\n"; + } // Allow the other ACLs as long as they authenticate - foreach ($password as $acl) + foreach ($password as $acl) { $conf .= "http_access allow password $acl\n"; + } } $conf .= "# Default block all to be sure\n"; @@ -1814,8 +1922,9 @@ function squid_resync_users() { $users = $config['installedpackages']['squidusers']['config']; $contents = ''; if (is_array($users)) { - foreach ($users as $user) + foreach ($users as $user) { $contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n"; + } } file_put_contents(SQUID_PASSWD, $contents); chown(SQUID_PASSWD, SQUID_UID); 
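Review bot: In squid_resync_users() the salt passed to `crypt()` is `base64_encode($user['password'])`, i.e. derived from the password itself. Because that salt does not start with a `$` scheme prefix, crypt() falls back to traditional DES, which uses only the first two salt characters, stores them in clear at the front of the hash, and considers only the first eight characters of the password; those two characters are the first two base64 characters of the password, and identical passwords always produce identical hashes. I would generate a random salt per user and select a stronger scheme, for example `$salt = '$6$' . bin2hex(openssl_random_pseudo_bytes(8));` and then `crypt($user['password'], $salt)`, after confirming that basic_ncsa_auth and the platform's crypt(3) accept that format. `$user['username']` is also written without rejecting `:` or line breaks, which would corrupt the passwd file layout. The function continues past the end of the hunk.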
@@ -1825,20 +1934,21 @@ function squid_resync_users() { function squid_resync_msnt() { global $config; - if (is_array($config['installedpackages']['squidauth'])) + if (is_array($config['installedpackages']['squidauth'])) { $settings = $config['installedpackages']['squidauth']['config'][0]; - else + } else { $settings = array(); + } $pdcserver = $settings['auth_server']; - $bdcserver = str_replace(',',' ',$settings['msnt_secondary']); + $bdcserver = str_replace(',', ' ', $settings['msnt_secondary']); $ntdomain = $settings['auth_ntdomain']; - file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}"); - chown(SQUID_CONFBASE."/msntauth.conf", SQUID_UID); - chmod(SQUID_CONFBASE."/msntauth.conf", 0600); + file_put_contents(SQUID_CONFBASE . "/msntauth.conf", "server {$pdcserver} {$bdcserver} {$ntdomain}"); + chown(SQUID_CONFBASE . "/msntauth.conf", SQUID_UID); + chmod(SQUID_CONFBASE . "/msntauth.conf", 0600); } -function squid_resync($via_rpc="no") { +function squid_resync($via_rpc = "no") { global $config; // detect boot process 
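Review bot: squid_resync_msnt() tests `is_array($config['installedpackages']['squidauth'])` but then reads `['squidauth']['config'][0]`, whereas squid_resync_auth() earlier in this diff tests the `['config']` level before indexing it. Making the guard match avoids reading an undefined offset when the parent array exists without a `config` entry: `if (is_array($config['installedpackages']['squidauth']['config'])) {`. With the empty fallback array the function still writes a `server` line with three empty fields to msntauth.conf, and the return values of `file_put_contents()`, `chown()` and `chmod()` are not checked, so a failed write goes unnoticed.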
@@ -1846,20 +1956,19 @@ function squid_resync($via_rpc="no") { if (!platform_booting()) { unset($boot_process); } else { - $boot_process="on"; + $boot_process = "on"; } } - log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc); + log_error("[Squid] - Squid_resync function call pr:" . is_process_running('squid') . " bp:" . isset($boot_process) . " rpc:" . $via_rpc); - if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no") + if (is_process_running('squid') && isset($boot_process) && $via_rpc == "no") { return; + } conf_mount_rw(); - foreach (array( SQUID_CONFBASE, - SQUID_ACLDIR, - SQUID_SSL_DB ) as $dir) { - @mkdir($dir, 0755, true); + foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) { + safe_mkdir($dir, 0755); squid_chown_recursive($dir, SQUID_UID, SQUID_GID); } $conf = squid_resync_general() . "\n"; 
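Review bot: In the `foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir)` loop the result of `safe_mkdir($dir, 0755)` is ignored and `squid_chown_recursive()` runs regardless, so a directory that could not be created is only discovered later when Squid fails to start. I would handle the failure explicitly, e.g. `if (!is_dir($dir) && !safe_mkdir($dir, 0755)) { log_error("[Squid] - Could not create {$dir}"); continue; }`. Replacing `@mkdir($dir, 0755, true)` with `safe_mkdir()` is also a functional change inside a commit titled as code style fixes; whether `safe_mkdir()` still creates missing parent directories is not visible on this page and should be confirmed. The same applies to the log directory call in the -1869 hunk, which additionally changes `$via_rpc="yes"` to `$via_rpc == "yes"` and thereby alters when `squid_sync_on_changes()` runs, so the commit message should mention both. Mode 0755 is applied to `SQUID_SSL_DB` as well; if that directory holds generated certificates and keys, a tighter mode would be appropriate.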
@@ -1869,38 +1978,41 @@ function squid_resync($via_rpc="no") { $conf .= squid_resync_nac() . "\n"; $conf .= squid_resync_traffic() . "\n"; $conf .= squid_resync_reverse() . "\n"; - $conf .= squid_resync_auth()."\n"; + $conf .= squid_resync_auth() . "\n"; $conf .= squid_resync_antivirus(); squid_resync_users(); squid_write_rcfile(); - if (!isset($boot_process) || $via_rpc="yes") + if (!isset($boot_process) || $via_rpc == "yes") { squid_sync_on_changes(); + } // write config file file_put_contents(SQUID_CONFFILE, $conf); /* make sure pinger is executable and suid root */ // XXX: Bug #5114 - if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) - chgrp(SQUID_LOCALBASE. "/libexec/squid/pinger", SQUID_GID); + if (file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger")) { + chgrp(SQUID_LOCALBASE . "/libexec/squid/pinger", SQUID_GID); + } - $log_dir=""; - // check if squid is enabled + $log_dir = ""; + // check if Squid is enabled if (is_array($config['installedpackages']['squid']['config'])) { - if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "") - $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/'; - } - // check if squidreverse is enabled - else if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") - $log_dir="/var/squid/logs/"; + if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { + $log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'] . 
'/'; + } + } elseif (is_array($config['installedpackages']['squidreversegeneral']['config'])) { + // check if squidreverse is enabled + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { + $log_dir = "/var/squid/logs/"; + } } // do not start squid if there is no log dir if ($log_dir != "") { if (!is_dir($log_dir)) { - log_error("Creating squid log dir $log_dir"); - @mkdir($log_dir, 0755, true); + log_error("Creating Squid log dir $log_dir"); + safe_mkdir($log_dir, 0755); squid_chown_recursive($log_dir, SQUID_UID, SQUID_GID); } @@ -1909,15 +2021,16 @@ function squid_resync($via_rpc="no") { if (!is_service_running('squid')) { log_error("Starting Squid"); mwexec(SQUID_BASE . "/sbin/squid -f " . SQUID_CONFFILE); - } else if (!isset($boot_process)) { + } elseif (!isset($boot_process)) { log_error("Reloading Squid for configuration sync"); mwexec(SQUID_BASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE); } // Sleep for a couple seconds to give squid a chance to fire up fully. - for ($i=0; $i < 10; $i++) { - if (!is_service_running('squid')) + for ($i = 0; $i < 10; $i++) { + if (!is_service_running('squid')) { sleep(1); + } } filter_configure(); } @@ -1931,7 +2044,7 @@ function squid_print_javascript_auth() { // No authentication for transparent proxy if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) { $javascript = <<< EOD -