From 4287e7d8d41fc449103977256fa822f3a0547e7e Mon Sep 17 00:00:00 2001
From: doktornotor
Date: Sat, 3 Oct 2015 10:16:40 +0200
Subject: Move antivirus integration features to a separate file

---
 config/squid3/34/squid.inc | 391 +--------------------------------------------
 1 file changed, 2 insertions(+), 389 deletions(-)

(limited to 'config/squid3')

diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc
index ab47e3a0..04f1615e 100755
--- a/config/squid3/34/squid.inc
+++ b/config/squid3/34/squid.inc
@@ -45,6 +45,8 @@ if (!function_exists("filter_configure")) {
 require_once('/usr/local/pkg/squid_reverse.inc');
 /* Squid javascript helpers */
 require_once('/usr/local/pkg/squid_js.inc');
+/* Squid antivirus intergration features helpers */
+require_once('/usr/local/pkg/squid_antivirus.inc');
 $shortcut_section = "squid";
@@ -114,24 +116,6 @@ function squid_chown_recursive($dir, $user, $group) {
 }
 }
-function squid_check_clamav_user($user) {
- if (SQUID_BASE == '/usr/local') {
- return;
- }
-
- $_gc = exec("/usr/sbin/pw usershow {$user}", $sq_ex_output, $sq_ex_return);
- $user_arg = ($sq_ex_return == 0 ? "mod" : "add");
- $_gc = exec("/usr/sbin/pw user{$user_arg} {$user} -G wheel -u 9595 -s /sbin/nologin", $sq_ex_output, $sq_ex_return);
- if ($sq_ex_return != 0) {
- log_error("Squid - Could not change clamav user settings. " . serialize($sq_ex_output));
- }
-}
-
-function squid_update_clamav() {
- log_error("Updating ClamAV definitions now... This will take a while. Check /var/log/clamav/freshclam.log for progress information.");
- mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf");
-}
-
 /* setup cache */
 function squid_dash_z($cache_action = 'none') {
 global $config;
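Review bot: The added `require_once('/usr/local/pkg/squid_antivirus.inc');` in the first hunk depends on a file that is not part of this diff (the diffstat lists squid.inc alone), so unless squid_antivirus.inc is committed alongside, every include of squid.inc will stop with a fatal error at load time. The functions removed further down, such as squid_resync_antivirus() and squid_restart_antivirus(), presumably still have callers in the remaining parts of this file, so the new include must define all of them with the same signatures. The comment on the added line also has a typo; it should read `/* Squid antivirus integration features helpers */`.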
@@ -562,43 +546,6 @@ function squid_deinstall_command() {
 update_output_window("Squid3 has been uninstalled.");
 }
-function squid_validate_antivirus($post, &$input_errors) {
- global $config;
-
- /* Manual ClamAV database update */
- if ($post['submit'] == 'Update AV') {
- squid_update_clamav();
- return;
- }
-
- if ($post['enable'] != "on") {
- return;
- }
-
- if ($post['squidclamav'] && preg_match("/(\S+proxy.domain\S+)/", $post['squidclamav'], $a_match)) {
- $input_errors[] = "SquidClamav warnings redirect points to sample config domain ({$a_match[1]})";
- $input_errors[] = "Change redirect info on 'squidclamav.conf' field to pfSense GUI or an external host.";
- }
- if ($post['c-icap_conf']) {
- if (!preg_match("/squid_clamav/", $post['c-icap_conf'])) {
- $input_errors[] = "c-icap Squidclamav service definition is not present.";
- $input_errors[] = "Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.";
- }
- if (preg_match("/(Manager:Apassword\S+)/", $post['c-icap_conf'], $c_match)) {
- $input_errors[] = "Remove ldap configuration'{$c_match[1]}' from 'c-icap.conf' field.";
- }
- }
-
- if ($post['clamav_dbservers']) {
- foreach (explode(";", $post['clamav_dbservers']) as $dbserver) {
- $dbserver = trim($dbserver);
- if (!empty($dbserver) && !is_ipaddr($dbserver) && !is_hostname($dbserver)) {
- $input_errors[] = "'Optional ClamAV Database Update Servers' entry '$dbserver' is not a valid IP address or hostname.";
- }
- }
- }
-}
-
 function squid_validate_general($post, &$input_errors) {
 global $config;
@@ -939,32 +886,6 @@ function squid_install_cron($should_install) {
 }
 }
-function squid_install_freshclam_cron($should_install) {
- global $config;
-
- if (platform_booting()) {
- return;
- }
-
- if (is_array($config['installedpackages']['squidantivirus'])) {
- $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
- } else {
- $antivirus_config = array();
- }
-
- $freshclam_cmd = (SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf");
- if (($should_install) && (squid_enabled())) {
- if ($antivirus_config['clamav_update'] != "0") {
- $minutes = ($antivirus_config['clamav_update'] * 60);
- install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav");
- } else {
- install_cron_job("{$freshclam_cmd}", false);
- }
- } else {
- install_cron_job("{$freshclam_cmd}", false);
- }
-}
-
 function squid_check_ca_hashes() {
 global $config, $g;
@@ -1492,193 +1413,6 @@ EOD;
 return $conf;
 }
-function squid_resync_antivirus() {
- global $config;
-
- if (is_array($config['installedpackages']['squidantivirus'])) {
- $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
- } else {
- $antivirus_config = array();
- }
-
- if (squid_enabled() && ($antivirus_config['enable'] == "on")) {
- switch ($antivirus_config['client_info']) {
- case "both":
- default:
- $icap_send_client_ip = "on";
- $icap_send_client_username = "on";
- break;
- case "ip":
- $icap_send_client_ip = "on";
- $icap_send_client_username = "off";
- break;
- case "username":
- $icap_send_client_ip = "off";
- $icap_send_client_username = "on";
- break;
- case "none":
- $icap_send_client_ip = "off";
- $icap_send_client_username = "off";
- break;
- }
-
- $conf = <<< EOF
-icap_enable on
-icap_send_client_ip {$icap_send_client_ip}
-icap_send_client_username {$icap_send_client_username}
-icap_client_username_encode off
-icap_client_username_header X-Authenticated-User
-icap_preview_enable on
-icap_preview_size 1024
-
-icap_service service_avi_req reqmod_precache icap://[::1]:1344/squid_clamav bypass=off
-adaptation_access service_avi_req allow all
-icap_service service_avi_resp respmod_precache icap://[::1]:1344/squid_clamav bypass=on
-adaptation_access service_avi_resp allow all
-
-EOF;
-
- // check clamav user
- squid_check_clamav_user('clamav');
- // patch sample files to pfsense dirs
- // squidclamav.conf
- if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default")) {
- $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.default");
- $clamav_m[0] = "@/var/run/clamav/clamd.ctl@";
- $clamav_m[1] = "@http\://proxy.domain.dom/cgi-bin/clwarn.cgi@";
- $clamav_r[0] = "/var/run/clamav/clamd.sock";
- $clamav_r[1] = "{$config['system']['webgui']['protocol']}://{$config['system']['hostname']}.{$config['system']['domain']}/squid_clwarn.php";
- if ($antivirus_config['clamav_safebrowsing'] == "on") {
- $clamav_m[2] = "@safebrowsing\s0@";
- $clamav_r[2] = "safebrowsing 1";
- } else {
- $clamav_m[2] = "@safebrowsing\s1@";
- $clamav_r[2] = "safebrowsing 0";
- }
- file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX);
- }
- // c-icap.conf
- // make a backup of default c-icap.conf.sample first
- // unlike with other config files, the file distributed in package is called c-icap.conf.sample, not c-icap.conf.default
- if (!file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) {
- copy(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default");
- }
- if (file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default")) {
- $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.default");
- if (!preg_match("/squid_clamav/", $sample_file)) {
- $sample_file .= "\nService squid_clamav squidclamav.so\n";
- }
- $cicap_m[0] = "@Manager:Apassword\S+@";
- $cicap_r[0] = "";
- // XXX: Bug #4615
- if (is_array($config['installedpackages']['squid'])) {
- $squidsettings = $config['installedpackages']['squid']['config'][0];
- } else {
- $squidsettings = array();
- }
- $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs');
- $cicap_m[1] = "@DebugLevel\s1@";
- $cicap_r[1] = "DebugLevel 0";
- $cicap_m[2] = "@AccessLog /var/log/c-icap/access.log@";
- $cicap_r[2] = "AccessLog $logdir/c-icap-access.log";
- $cicap_m[3] = "@ServerLog /var/log/c-icap/server.log@";
- $cicap_r[3] = "ServerLog $logdir/c-icap-server.log";
- file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample", preg_replace($cicap_m, $cicap_r, $sample_file), LOCK_EX);
- }
- // freshclam.conf
- // make a backup of default freshclam.conf.sample first
- if (!file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) {
- copy(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", SQUID_LOCALBASE . "/etc/freshclam.conf.default");
- }
- if (file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.default")) {
- $sample_file = file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.default");
- $freshclam_m[0] = "@#Example@";
- $freshclam_r[0] = "";
- $clamav_mirrors = "";
- if ($antivirus_config['clamav_dbregion'] != "") {
- $clamav_mirrors .= "DatabaseMirror db.{$antivirus_config['clamav_dbregion']}.clamav.net\n";
- }
- if ($antivirus_config['clamav_dbservers'] != "") {
- foreach (explode(";", $antivirus_config['clamav_dbservers']) as $dbserver) {
- $clamav_mirrors .= "DatabaseMirror {$dbserver}\n";
- }
- }
- if ($clamav_mirrors != "") {
- $freshclam_m[1] = "@#DatabaseMirror db.XY.clamav.net@";
- $freshclam_r[1] = "{$clamav_mirrors}";
- }
- if ($antivirus_config['clamav_safebrowsing'] == "on") {
- $freshclam_m[2] = "@#SafeBrowsing yes@";
- $freshclam_r[2] = "SafeBrowsing yes";
- } else {
- if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file))) {
- $freshclam_m[2] = "@SafeBrowsing yes@";
- $freshclam_r[2] = "#SafeBrowsing yes";
- }
- }
- file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX);
- }
- // freshclam cronjob
- squid_install_freshclam_cron(true);
-
- // check squidclamav files until PBIs are gone (https://redmine.pfsense.org/issues/4197)
- $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap');
- foreach ($ln_icap as $ln) {
- if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/{$ln}") && file_exists(SQUID_LOCALBASE . "/{$ln}")) {
- symlink(SQUID_LOCALBASE . "/{$ln}", "/usr/local/{$ln}");
- }
- }
- if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/lib/libicapapi.so.3") && file_exists(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5")) {
- symlink(SQUID_LOCALBASE . "/lib/libicapapi.so.3.0.5", "/usr/local/lib/libicapapi.so.3");
- }
-
- $loadsample = 0;
- if ($antivirus_config['squidclamav'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['squidclamav'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample")));
- $loadsample++;
- }
- if ($antivirus_config['c-icap_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf.sample")));
- $loadsample++;
- }
- if ($antivirus_config['c-icap_magic'] == "" && file_exists(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic.sample")));
- $loadsample++;
- }
- if ($antivirus_config['freshclam_conf'] == "" && file_exists(SQUID_LOCALBASE . "/etc/freshclam.conf.sample")) {
- $config['installedpackages']['squidantivirus']['config'][0]['freshclam_conf'] = base64_encode(str_replace("\r", "", file_get_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample")));
- $loadsample++;
- }
- if ($loadsample > 0) {
- write_config();
- $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
- }
- // check dirs
- $dirs = array(
- "/var/run/c-icap" => "clamav",
- "/var/log/c-icap" => "clamav",
- "/var/log/clamav" => "clamav",
- "/var/run/clamav" => "clamav",
- "/var/db/clamav" => "clamav"
- );
- foreach ($dirs as $dir_path => $dir_user) {
- safe_mkdir($dir_path, 0755);
- squid_chown_recursive($dir_path, $dir_user, "wheel");
- }
-
- // write advanced clamav/icap config files
- file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX);
- file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX);
- file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX);
- file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf", base64_decode($antivirus_config['freshclam_conf']), LOCK_EX);
- }
- // this will (re)start or stop/disable services as needed
- // depending on whether Squid proxy and/or antivirus features are enabled
- squid_restart_antivirus();
-
- return $conf;
-}
-
 function squid_resync_traffic() {
 global $config, $valid_acls;
@@ -2177,79 +1911,6 @@ function squid_restart_services() {
 }
 }
-function squid_restart_antivirus() {
- global $config;
- if (is_array($config['installedpackages']['squidantivirus'])) {
- $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
- } else {
- $antivirus_config = array();
- }
-
- // reconfigure and (re)start service as needed if enabled, otherwise stop them
- // do not (re)start antivirus services on boot
- if (platform_booting()) {
- return;
- }
-
- if (squid_enabled() && ($antivirus_config['enable'] == "on")) {
- // Check clamav database
- if (count(glob("/var/db/clamav/*d")) == 0) {
- log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background.");
- mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf");
- } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) {
- log_error("Squid - Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background.");
- mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf");
- } elseif ($antivirus_config['clamav_safebrowsing'] != "on" && is_file("/var/db/clamav/safebrowsing.cvd")) {
- log_error("Squid - Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions.");
- mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd");
- }
-
- // start/reload clamav
- $clamd_rcfile = "/usr/local/etc/rc.d/clamd.sh";
- if (!file_exists($clamd_rcfile)) {
- squid_write_clamd_rcfile();
- }
- if (is_process_running("clamd")) {
- log_error("Reloading ClamAV...");
- $reload_cmd = SQUID_BASE . "/bin/clamdscan --reload";
- mwexec_bg("{$reload_cmd}");
- } else {
- log_error("Starting ClamAV...");
- mwexec_bg("{$clamd_rcfile} start");
- }
-
- // check c-icap rcfile
- $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap.sh";
- if (!file_exists($c_icap_rcfile)) {
- squid_write_cicap_rcfile();
- }
- if (is_process_running("c-icap")) {
- mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
- } else {
- mwexec_bg("{$c_icap_rcfile} start");
- }
- } else {
- // stop AV services and disable all C-ICAP/AV features
- log_error("Squid antivirus features disabled.");
- if (is_process_running("clamd")) {
- log_error("Stopping and disabling ClamAV...");
- mwexec("/usr/bin/killall clamd");
- }
- unlink_if_exists("/usr/local/etc/rc.d/clamd.sh");
-
- // freshclam cronjob
- log_error("Removing freshclam cronjob...");
- squid_install_freshclam_cron(false);
-
- // check c-icap rcfile
- if (is_process_running("c-icap")) {
- log_error("Stopping and disabling C-ICAP...");
- mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl');
- }
- unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh");
- }
-}
-
 function squid_generate_rules($type) {
 global $config, $pfs_version;
@@ -2477,54 +2138,6 @@ EOD;
 conf_mount_ro();
 }
-function squid_write_cicap_rcfile() {
- $c_icap_rcfile = "c-icap.sh";
- $cicap_libdir = SQUID_LOCALBASE . "/lib";
- $cicap_bin = SQUID_LOCALBASE . "/bin/c-icap";
- $cicap_conf = SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf";
- $cicap_start_cmd = "LD_LIBRARY_PATH={$cicap_libdir} {$cicap_bin} -f {$cicap_conf}";
- $cicap_stop_cmd = '/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl';
- conf_mount_rw();
- write_rcfile(array(
- "file" => "{$c_icap_rcfile}",
- "start" => "{$cicap_start_cmd}",
- "stop" => "{$cicap_stop_cmd}"
- )
- );
- conf_mount_ro();
-}
-
-function squid_write_clamd_rcfile() {
- $squid_base = SQUID_BASE;
- $rc = array();
- $rc['file'] = 'clamd.sh';
- $rc['start'] = <<< EOD
-
-if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ];then
- echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first"
- exit 1
-fi
-
-{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf"
-
-EOD;
-
- $rc['stop'] = <<< EOD
-
-/usr/bin/killall clamd 2>/dev/null
-# Just to be sure...
-sleep 5
-if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then
- /usr/bin/killall -9 clamd 2>/dev/null
-fi
-
-EOD;
-
- conf_mount_rw();
- write_rcfile($rc);
- conf_mount_ro();
-}
-
 /* Uses XMLRPC to synchronize the changes to a remote node */
 function squid_sync_on_changes() {
 global $config, $g;
-- 
cgit v1.2.3