From 39f4ee8a301be1328d5aafa5c029c24546cdb73f Mon Sep 17 00:00:00 2001
From: Marcello Coutinho
Date: Thu, 16 May 2013 14:44:35 -0300
Subject: squid3-dev - include more options to ssl_crt, new custom_refresh_patter on cache tab, fix auth plugins names
---
 config/squid3/33/squid.inc | 107 +++++++++++++++++++++++++++------------
 config/squid3/33/squid.xml | 14 +++-
 config/squid3/33/squid_cache.xml | 11 +++-
 3 files changed, 94 insertions(+), 38 deletions(-)
(limited to 'config/squid3')
diff --git a/config/squid3/33/squid.inc b/config/squid3/33/squid.inc
index 94c85a7e..4ca1672f 100755
--- a/config/squid3/33/squid.inc
+++ b/config/squid3/33/squid.inc
@@ -777,6 +777,41 @@ function squid_install_cron($should_install) {
 configure_cron();
 }
+function squid_check_ca_hashes(){
+ global $config,$g;
+
+ #check certificates
+ $cert_count=0;
+ if (is_dir(SQUID_LOCALBASE. '/share/certs'))
+ if ($handle = opendir(SQUID_LOCALBASE.'/usr/local/share/certs')) {
+ while (false !== ($file = readdir($handle)))
+ if (preg_match ("/\d+.0/",$file))
+ $cert_count++;
+ }
+ closedir($handle);
+ if ($cert_count < 10){
+ conf_mount_rw();
+ #create ca-root hashes from ca-root-nss package
+ log_error("Creating root certificate bundle hashes from the Mozilla Project");
+ $cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
+ $cert=0;
+ foreach ($cas as $ca){
+ if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
+ $cert=1;
+ if ($cert == 1)
+ $crt.=$ca;
+ if (preg_match("/-END CERTIFICATE-/",$ca)){
+ file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
+ $cert_hash=array();
+ exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
+ file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
+ $crt="";
+ $cert=0;
+ }
+ }
+ }
+}
+
 function squid_resync_general() {
 global $g, $config, $valid_acls;
@@ -785,10 +820,10 @@ function squid_resync_general() {
 else
 $settings=array();
 $conf = "# This file is automatically generated by pfSense\n";
- $conf .= "# Do not edit manually !\n";
+ $conf .= "# Do not edit manually !\n\n";
 #Check ssl interception
- $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
 if (($settings['ssl_proxy'] == 'on')) {
+ squid_check_ca_hashes();
 $srv_cert = lookup_cert($settings["dcert"]);
 if ($srv_cert != false) {
 if(base64_decode($srv_cert['prv'])) {
@@ -803,15 +838,19 @@ function squid_resync_general() {
 squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
 $crt_pk=SQUID_CONFBASE."/serverkey.pem";
 file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
-
- $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size={$sslcrtd_children}MB cert={$crt_pk}\n";
- $interception_checks="";
+ $sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
+ $ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk}\n";
+ $interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
+ $interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
+ $interception_checks .= 'sslproxy_capath '.SQUID_LOCALBASE.'/share/certs'."\n";
 if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
 $interception_checks.="sslproxy_cert_error allow all\n";
 if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
 $interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
- if ($settings["interception_adapt"] != "")
- $interception_checks.="sslproxy_cert_adapt {$settings["interception_adapt"]}\n";
+ if ($settings["interception_adapt"] != ""){
+ foreach (explode(",",$settings["interception_adapt"]) as $adapt)
+ $interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
+ }
 }
 }
 }
@@ -887,7 +926,7 @@ function squid_resync_general() {
 $logdir_cache = $logdir . '/cache.log';
 $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
- $conf .= <<
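Review bot: The new `foreach (explode(",",$settings["interception_adapt"]) as $adapt)` loop emits a bare `sslproxy_cert_adapt  all` line whenever the stored list has a trailing comma or a blank element, which Squid will most likely reject at startup; trim and drop empties first, e.g. `foreach (array_filter(array_map('trim', explode(",", $settings["interception_adapt"])), 'strlen') as $adapt)`. In the same hunk `($sslcrtd_children*2)` multiplies the raw config value, so a non-numeric entry yields `dynamic_cert_mem_cache_size=0MB`; `intval()` it where `$sslcrtd_children` is assigned (and note `'0'` is already falsy there, so it silently becomes 5). The `sslproxy_capath` line makes the directory populated by `squid_check_ca_hashes()` the trust-anchor set for intercepted connections, while the `sslproxy_flags DONT_VERIFY_PEER` option a few lines below switches that verification off again; a comment such as `# sslproxy_capath is rebuilt by squid_check_ca_hashes(); DONT_VERIFY_PEER below bypasses it entirely` would help whoever toggles those checkboxes. `squid_resync_general()` continues outside this hunk.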