From 3583714f6c009e7f2cd4214883da669335194d5a Mon Sep 17 00:00:00 2001 From: jim-p Date: Tue, 12 Oct 2010 14:32:34 -0400 Subject: Allow user to input destination bypasses for squid, which work like the source bypasses. Also allow users to enter IPs, hostnames, or aliases into these fields. Version bump for squid. --- config/squid/squid.inc | 38 +++++++++++++++++++++++++++++++++----- config/squid/squid.xml | 12 ++++++++++-- 2 files changed, 43 insertions(+), 7 deletions(-) (limited to 'config/squid') diff --git a/config/squid/squid.inc b/config/squid/squid.inc index fded1f8b..238fd37c 100644 --- a/config/squid/squid.inc +++ b/config/squid/squid.inc @@ -344,13 +344,23 @@ function squid_validate_general($post, $input_errors) { if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) { $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy."; - } + } + if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off_dest'])) { + $input_errors[] = "You can not bypass traffic to specific IPs without using the transparent proxy."; + } foreach (array('defined_ip_proxy_off') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); - if (!empty($host) && !is_ipaddr($host)) - $input_errors[] = "The entry '$host' is not a valid IP address"; + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; + } + } + foreach (array('defined_ip_proxy_off_dest') as $hosts) { + foreach (explode(";", $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host)) + $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; } } @@ -1330,14 +1340,32 @@ function squid_generate_rules($type) { foreach ($defined_ip_proxy_off as $ip_proxy_off) { if(!empty($ip_proxy_off)) { $ip_proxy_off = trim($ip_proxy_off); + if (is_alias($ip_proxy_off)) + $ip_proxy_off = '$'.$ip_proxy_off; $exempt_ip .= ", $ip_proxy_off"; } } $exempt_ip = substr($exempt_ip,2); foreach ($ifaces as $iface) { $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; - } - } + } + } + if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { + $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); + $exempt_dest = ""; + foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { + if(!empty($ip_proxy_off_dest)) { + $ip_proxy_off_dest = trim($ip_proxy_off_dest); + if (is_alias($ip_proxy_off_dest)) + $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; + $exempt_dest .= ", $ip_proxy_off_dest"; + } + } + $exempt_dest = substr($exempt_dest,2); + foreach ($ifaces as $iface) { + $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n"; + } + } foreach ($ifaces as $iface) { $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n"; } diff --git a/config/squid/squid.xml b/config/squid/squid.xml index 91019bed..1f251eea 100644 --- a/config/squid/squid.xml +++ b/config/squid/squid.xml @@ -177,10 +177,17 @@ Bypass proxy for these source IPs defined_ip_proxy_off - Do not forward traffic from these <b>source</b> IPs through the proxy server but directly through the firewall. Separate by semi-colons (;). + Do not forward traffic from these <b>source</b> IPs, hostnames, or aliases through the proxy server but directly through the firewall. Separate by semi-colons (;). input 80 - + + + Bypass proxy for these destination IPs + defined_ip_proxy_off_dest + Do not proxy traffic going to these <b>destination</b> IPs, hostnames, or aliases, but let it pass directly through the firewall. Separate by semi-colons (;). + input + 80 + Enabled logging log_enabled @@ -332,3 +339,4 @@ squid_generate_rules + \ No newline at end of file -- cgit v1.2.3