From 39f4ee8a301be1328d5aafa5c029c24546cdb73f Mon Sep 17 00:00:00 2001
From: Marcello Coutinho <marcellocoutinho@gmail.com>
Date: Thu, 16 May 2013 14:44:35 -0300
Subject: squid3-dev - include more options to ssl_crt, new
 custom_refresh_patter on cache tab, fix auth plugins names

---
 config/squid3/33/squid.inc       | 107 +++++++++++++++++++++++++++------------
 config/squid3/33/squid.xml       |  14 +++--
 config/squid3/33/squid_cache.xml |  11 +++-
 3 files changed, 94 insertions(+), 38 deletions(-)

(limited to 'config/squid3')

diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 94c85a7e..4ca1672f 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -777,6 +777,41 @@ function squid_install_cron($should_install) {
 	configure_cron();
 }
 
+function squid_check_ca_hashes(){
+	global $config,$g;
+	
+	#check certificates
+	$cert_count=0;
+	if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+		if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) {
+    		while (false !== ($file = readdir($handle)))
+        		if (preg_match ("/\d+.0/",$file))
+            		$cert_count++;
+        	}
+    closedir($handle);
+	if ($cert_count < 10){
+		conf_mount_rw();
+		#create ca-root hashes from ca-root-nss package
+		log_error("Creating root certificate bundle hashes from the Mozilla Project");
+		$cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+		$cert=0;
+		foreach ($cas as $ca){
+	    	if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+				$cert=1;
+			if ($cert == 1)
+				$crt.=$ca;
+			if (preg_match("/-END CERTIFICATE-/",$ca)){
+				file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+				$cert_hash=array();
+				exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+				file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+				$crt="";
+				$cert=0;
+				}
+			}
+		}
+}
+
 function squid_resync_general() {
 	global $g, $config, $valid_acls;
 
@@ -785,10 +820,10 @@ function squid_resync_general() {
 	else
 		$settings=array();
 	$conf = "# This file is automatically generated by pfSense\n";
-	$conf .= "# Do not edit manually !\n";
+	$conf .= "# Do not edit manually !\n\n";
 	#Check ssl interception
-	$sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
 	if (($settings['ssl_proxy'] == 'on')) {
+		squid_check_ca_hashes();
 		$srv_cert = lookup_cert($settings["dcert"]);
 		if ($srv_cert != false) {
 			if(base64_decode($srv_cert['prv'])) {
@@ -803,15 +838,19 @@ function squid_resync_general() {
 				squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
 				$crt_pk=SQUID_CONFBASE."/serverkey.pem";
 				file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
-						
-				$ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n";
-				$interception_checks="";
+				$sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+				$ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n";
+				$interception_checks  = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+				$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+				$interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n";
 				if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
 					$interception_checks.="sslproxy_cert_error allow all\n";
 				if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
 					$interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
-				if ($settings["interception_adapt"] != "")
-					$interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n";
+				if ($settings["interception_adapt"] != ""){
+					foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+						$interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+					}
 			}
 		}
 	}
@@ -887,7 +926,7 @@ function squid_resync_general() {
 	$logdir_cache = $logdir . '/cache.log';
 	$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
 
-	$conf .= <<<EOD
+	$conf .= <<< EOD
 icp_port {$icp_port}
 dns_v4_first {$dns_v4_first}
 pid_filename {$pidfile}
@@ -900,7 +939,6 @@ cache_mgr {$email}
 access_log {$logdir_access}
 cache_log {$logdir_cache}
 cache_store_log none
-sslcrtd_children {$sslcrtd_children}
 {$interception_checks}
 
 EOD;
@@ -912,7 +950,7 @@ $rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
 $conf .= "logfile_rotate {$rotate}\n";
 squid_install_cron(true);
 
-	$conf .= <<<EOD
+	$conf .= <<< EOD
 shutdown_lifetime 3 seconds
 
 EOD;
@@ -987,7 +1025,7 @@ if(empty($settings['cache_dynamic_content'])){
 }
 else{
 	if(preg_match('/youtube/',$settings['refresh_patterns'])){
-		$conf.=<<<EOC
+		$conf.=<<< EOC
 # Break HTTP standard for flash videos. Keep them in cache even if asked not to.
 refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
 
@@ -998,7 +1036,7 @@ cache allow youtube
 EOC;
 	}
 	if(preg_match('/windows/',$settings['refresh_patterns'])){
-		$conf.=<<<EOC
+		$conf.=<<< EOC
 
 # Windows Update refresh_pattern
 range_offset_limit -1
@@ -1010,7 +1048,7 @@ EOC;
 		}
 
 if(preg_match('/symantec/',$settings['refresh_patterns'])){
-		$conf.=<<<EOC
+		$conf.=<<< EOC
 
 # Symantec refresh_pattern
 range_offset_limit -1
@@ -1020,7 +1058,7 @@ refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 re
 EOC;
 		}
 if(preg_match('/avast/',$settings['refresh_patterns'])){
-		$conf.=<<<EOC
+		$conf.=<<< EOC
 
 # Avast refresh_pattern
 range_offset_limit -1
@@ -1029,7 +1067,7 @@ refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-i
 EOC;
 		}
 if(preg_match('/avira/',$settings['refresh_patterns'])){
-		$conf.=<<<EOC
+		$conf.=<<< EOC
 
 # Avira refresh_pattern
 range_offset_limit -1
@@ -1037,18 +1075,21 @@ refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43
 
 EOC;
 	}
-	$refresh_conf=<<<EOC
+	$refresh_conf=<<< EOC
 	
 # Add any of your own refresh_pattern entries above these.
 refresh_pattern ^ftp:    1440  20%  10080
 refresh_pattern ^gopher:  1440  0%  1440
 refresh_pattern -i (/cgi-bin/|\?) 0  0%  0
 refresh_pattern .    0  20%  4320
+
 EOC;
-  
 }
-	
-	$conf .= <<<EOD
+
+	If ($settings['custom_refresh_patterns'] !="")
+		$conf .= sq_text_area_decode($settings['custom_refresh_patterns']);
+		
+	$conf .= <<< EOD
 cache_mem $memory_cache_size MB
 maximum_object_size_in_memory {$max_objsize_in_mem} KB
 memory_replacement_policy {$memory_policy}
@@ -1067,11 +1108,12 @@ EOD;
 	if (!empty($donotcache)) {
 		file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
 		$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
-		$conf .= 'cache deny donotcache';
+		$conf .= "cache deny donotcache\n";
 	}
 	elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
      unlink(SQUID_ACLDIR . '/donotcache.acl');
     }
+    $conf .= "cache allow all\n";
 	return $conf.$refresh_conf;
 }
 
@@ -1133,7 +1175,7 @@ function squid_resync_nac() {
 	$addtl_sslports = $settings['addtl_sslports'];
 	$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
 	$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
-	$conf = <<<EOD
+	$conf = <<< EOD
 
 # Setup some default acls
 # From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
@@ -1152,7 +1194,6 @@ acl connect method CONNECT
 acl HTTP proto HTTP
 acl HTTPS proto HTTPS
 
-
 EOD;
 
 	$allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
@@ -1187,7 +1228,7 @@ EOD;
     }
 	}
 
-	$conf .= <<<EOD
+	$conf .= <<< EOD
 http_access allow manager localhost
 
 EOD;
@@ -1204,7 +1245,7 @@ EOD;
 			}
 		}
 	
-  $conf .= <<<EOD
+  $conf .= <<< EOD
   
 http_access deny manager
 http_access allow purge localhost
@@ -1262,7 +1303,7 @@ function squid_resync_antivirus(){
 			$clwarn="clwarn.cgi.pt_BR";	
 		copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
 		
-		$conf = <<<EOF
+		$conf = <<< EOF
 icap_enable on
 icap_send_client_ip {$icap_send_client_ip}
 icap_send_client_username {$icap_send_client_username} 
@@ -1412,7 +1453,7 @@ function squid_resync_traffic() {
 		$perhost = -1;
 	else
 		$perhost *= 1024;
-	$conf .= <<<EOD
+	$conf .= <<< EOD
 delay_pools 1
 delay_class 1 2
 delay_parameters 1 $overall/$overall $perhost/$perhost
@@ -1608,23 +1649,23 @@ function squid_resync_auth() {
 		$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
 		switch ($auth_method) {
 			case 'local':
-				$conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n";
+				$conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/baisc_ncsa_auth ' . SQUID_PASSWD . "\n";
 				break;
 			case 'ldap':
 				$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
 				$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
-				$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
+				$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
 				break;
 			case 'radius':
 				$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
-				$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
+				$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
 				break;
 			case 'msnt':
-				$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/msnt_auth\n";
+				$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
 				squid_resync_msnt();
 				break;
 		}
-		$conf .= <<<EOD
+		$conf .= <<< EOD
 auth_param basic children $processes
 auth_param basic realm $prompt
 auth_param basic credentialsttl $auth_ttl minutes
@@ -1788,7 +1829,7 @@ function squid_print_javascript_auth() {
 
 	// No authentication for transparent proxy
 	if ($transparent_proxy) {
-		$javascript = <<<EOD
+		$javascript = <<< EOD
 <script language="JavaScript">
 <!--
 function on_auth_method_changed() {
@@ -1816,7 +1857,7 @@ function on_auth_method_changed() {
 EOD;
 	}
 	else {
-		$javascript = <<<EOD
+		$javascript = <<< EOD
 <script language="JavaScript">
 <!--
 function on_auth_method_changed() {
diff --git a/config/squid3/33/squid.xml b/config/squid3/33/squid.xml
index 25c1b212..dbaf0895 100644
--- a/config/squid3/33/squid.xml
+++ b/config/squid3/33/squid.xml
@@ -401,11 +401,17 @@
 		<size>3</size>
 		</field>
 		<field>
-			<fielddescr>sslcrtd adapt</fielddescr>
+			<fielddescr>Certificate adapt</fielddescr>
 			<fieldname>interception_adapt</fieldname>
-			<description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: setCommonName ssl::certDomainMismatch<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
-			<type>input</type>
-			<size>70</size>
+			<description><![CDATA[Pass original SSL server certificate information to the user. Allow the user to make an informed decision on whether to trust the server certificate.<br>Hint: Set subject CN<br><a target=_new href='http://wiki.squid-cache.org/Features/MimicSslServerCert'>wiki doc with reference</a>]]></description>
+			<type>select</type>
+			<options>
+					<option><name>Sets the "Not After" (setValidAfter).</name><value>setValidAfter</value></option>
+					<option><name>Sets the "Not Before" (setValidBefore).</name><value>setValidBefore</value></option>
+					<option><name>Sets CN property (setCommonName)</name><value>setCommonName</value></option>
+			</options>
+			<multiple/>
+			<size>3</size>
 		</field>
 		<field>
 			<name>Logging Settings</name>
diff --git a/config/squid3/33/squid_cache.xml b/config/squid3/33/squid_cache.xml
index 9d982dcb..26d6463c 100755
--- a/config/squid3/33/squid_cache.xml
+++ b/config/squid3/33/squid_cache.xml
@@ -284,7 +284,16 @@
 			</options>
 			<multiple/>
 			<size>06</size>
-		</field>		
+		</field>
+		<field>
+			<fielddescr>Custom refresh_patterns</fielddescr>
+			<fieldname>custom_refresh_patterns</fieldname>
+			<description>Enter custom refresh_patterns for better dynamic cache. This options will be included only if dynamic cache is enabled.</description>
+			<type>textarea</type>
+			<cols>67</cols>
+			<rows>5</rows>
+			<encoding>base64</encoding>
+		</field>
 	</fields>
 	<custom_php_command_before_form>
 		if($_POST['harddisk_cache_size'] != $config['installedpackages']['squidcache']['config'][0]['harddisk_cache_size']) {
-- 
cgit v1.2.3