From 37681fd565cebf04d2feee3c5a37bb93fcbf1ba0 Mon Sep 17 00:00:00 2001 From: Marcello Coutinho Date: Fri, 20 Apr 2012 02:12:12 -0300 Subject: squid3 - version 2.0.4 with bug fixes and remote peer improvements --- config/squid-reverse/squid.inc | 86 +++++---- config/squid-reverse/squid.xml | 7 +- config/squid-reverse/squid_auth.xml | 8 +- config/squid-reverse/squid_cache.xml | 8 +- config/squid-reverse/squid_nac.xml | 8 +- config/squid-reverse/squid_reverse.inc | 2 +- config/squid-reverse/squid_reverse_general.xml | 6 +- config/squid-reverse/squid_reverse_peer.xml | 6 +- config/squid-reverse/squid_reverse_sync.xml | 6 +- config/squid-reverse/squid_reverse_uri.xml | 6 +- config/squid-reverse/squid_sync.xml | 6 +- config/squid-reverse/squid_traffic.xml | 8 +- config/squid-reverse/squid_upstream.xml | 242 +++++++++++++++++++++++-- config/squid-reverse/squid_users.xml | 8 +- 14 files changed, 314 insertions(+), 93 deletions(-) (limited to 'config') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 3828476e..847d6a35 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -411,8 +411,8 @@ function squid_validate_general($post, $input_errors) { } function squid_validate_upstream($post, $input_errors) { - if ($post['proxy_forwarding'] == 'on') { - $addr = trim($post['proxy_addr']); + if ($post['enabled'] == 'on') { + $addr = trim($post['proxyaddr']); if (empty($addr)) $input_errors[] = 'The field \'Hostname\' is required'; else { @@ -420,7 +420,7 @@ function squid_validate_upstream($post, $input_errors) { $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; } - foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) { $port = trim($post[$field]); if (empty($port)) $input_errors[] = "The field '$name' is required"; 
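Review bot: The renamed guard in squid_validate_upstream tests `$post['enabled']`, but the checkbox this commit adds to squid_upstream.xml appears to be named `enable` (the tag names are stripped on this page, so this is inferred from the field list). If so, the condition is never true and the hostname and port checks beneath it are skipped for every submitted peer. In that case the guard should read `if ($post['enable'] == 'on') {`. These are the only checks visible here for `proxyaddr`, `proxyport` and `icpport`, so without them unvalidated values could reach the generated squid configuration. The function body continues past the end of this hunk.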
@@ -865,42 +865,45 @@ EOC; } if(preg_match('/windows/',$settings['refresh_patterns'])){ $conf.=<< - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 diff --git a/config/squid-reverse/squid_auth.xml b/config/squid-reverse/squid_auth.xml index e04dbfba..43cbe7ea 100644 --- a/config/squid-reverse/squid_auth.xml +++ b/config/squid-reverse/squid_auth.xml @@ -48,18 +48,18 @@ squidauth none Proxy server: Authentication - squid.inc + /usr/local/pkg/squid.inc General /pkg_edit.php?xml=squid.xml&id=0 - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 diff --git a/config/squid-reverse/squid_cache.xml b/config/squid-reverse/squid_cache.xml index 01ea7da6..4144a7bc 100644 --- a/config/squid-reverse/squid_cache.xml +++ b/config/squid-reverse/squid_cache.xml @@ -48,18 +48,18 @@ squidcache none Proxy server: Cache management - squid.inc + /usr/local/pkg/squid.inc General /pkg_edit.php?xml=squid.xml&id=0 - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 diff --git a/config/squid-reverse/squid_nac.xml b/config/squid-reverse/squid_nac.xml index cb986f2b..c951b6f3 100644 --- a/config/squid-reverse/squid_nac.xml +++ b/config/squid-reverse/squid_nac.xml @@ -48,18 +48,18 @@ squidnac none Proxy server: Access control - squid.inc + /usr/local/pkg/squid.inc General /pkg_edit.php?xml=squid.xml&id=0 - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 diff --git a/config/squid-reverse/squid_reverse.inc b/config/squid-reverse/squid_reverse.inc index 7c0025ba..b208b7b1 100644 --- a/config/squid-reverse/squid_reverse.inc 
+++ b/config/squid-reverse/squid_reverse.inc @@ -58,7 +58,7 @@ function squid_resync_reverse() { } if (!empty($settings['reverse_int_ca'])) - file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decodedecode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); + file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . sq_text_area_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); diff --git a/config/squid-reverse/squid_reverse_general.xml b/config/squid-reverse/squid_reverse_general.xml index 00c8d4a5..ff74b9d5 100644 --- a/config/squid-reverse/squid_reverse_general.xml +++ b/config/squid-reverse/squid_reverse_general.xml @@ -57,15 +57,15 @@ Web Servers - /pkg.php?xml=squid_reverse_peer.xml&id=0 + /pkg.php?xml=squid_reverse_peer.xml Mappings - /pkg.php?xml=squid_reverse_uri.xml&id=0 + /pkg.php?xml=squid_reverse_uri.xml Sync - /pkg_edit.php?xml=squid_reverse_sync.xml + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 diff --git a/config/squid-reverse/squid_reverse_peer.xml b/config/squid-reverse/squid_reverse_peer.xml index e32e1973..fb853eb3 100644 --- a/config/squid-reverse/squid_reverse_peer.xml +++ b/config/squid-reverse/squid_reverse_peer.xml @@ -56,16 +56,16 @@ Web Servers - /pkg.php?xml=squid_reverse_peer.xml&id=0 + /pkg.php?xml=squid_reverse_peer.xml Mappings - /pkg.php?xml=squid_reverse_uri.xml&id=0 + /pkg.php?xml=squid_reverse_uri.xml Sync - /pkg_edit.php?xml=squid_reverse_sync.xml + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 diff --git a/config/squid-reverse/squid_reverse_sync.xml b/config/squid-reverse/squid_reverse_sync.xml index 9395f6d7..d666d4e8 100755 --- a/config/squid-reverse/squid_reverse_sync.xml +++ b/config/squid-reverse/squid_reverse_sync.xml 
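Review bot: The corrected `file_put_contents()` call in squid_resync_reverse still ignores its return value, so a failed append of the intermediate CA leaves an incomplete chain in the `.crt` file with nothing logged. I would test the result, `if (file_put_contents(...) === false)`, and report the failure before squid is reloaded. Because the write uses `FILE_APPEND`, confirm that the base certificate file is rewritten earlier in the function on every resync; otherwise the CA block would be appended again each time. The file name is built from `$settings["reverse_ssl_cert"]`, so it is worth confirming that this is always a certificate reference id and never free text. The function starts and ends outside this hunk.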
@@ -52,15 +52,15 @@ Web Servers - /pkg.php?xml=squid_reverse_peer.xml&id=0 + /pkg.php?xml=squid_reverse_peer.xml Mappings - /pkg.php?xml=squid_reverse_uri.xml&id=0 + /pkg.php?xml=squid_reverse_uri.xml Sync - /pkg_edit.php?xml=squid_reverse_sync.xml + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 diff --git a/config/squid-reverse/squid_reverse_uri.xml b/config/squid-reverse/squid_reverse_uri.xml index 57ce5832..a7a5a6d6 100644 --- a/config/squid-reverse/squid_reverse_uri.xml +++ b/config/squid-reverse/squid_reverse_uri.xml @@ -56,16 +56,16 @@ Web Servers - /pkg.php?xml=squid_reverse_peer.xml&id=0 + /pkg.php?xml=squid_reverse_peer.xml Mappings - /pkg.php?xml=squid_reverse_uri.xml&id=0 + /pkg.php?xml=squid_reverse_uri.xml Sync - /pkg_edit.php?xml=squid_reverse_sync.xml + /pkg_edit.php?xml=squid_reverse_sync.xml&id=0 diff --git a/config/squid-reverse/squid_sync.xml b/config/squid-reverse/squid_sync.xml index 5af26a7a..c581d2c5 100755 --- a/config/squid-reverse/squid_sync.xml +++ b/config/squid-reverse/squid_sync.xml @@ -51,11 +51,11 @@ /pkg_edit.php?xml=squid.xml&id=0 - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 diff --git a/config/squid-reverse/squid_traffic.xml b/config/squid-reverse/squid_traffic.xml index 40e8eb97..b1799cce 100644 --- a/config/squid-reverse/squid_traffic.xml +++ b/config/squid-reverse/squid_traffic.xml @@ -48,18 +48,18 @@ squidtraffic none Proxy server: Traffic management - squid.inc + /usr/local/pkg/squid.inc General /pkg_edit.php?xml=squid.xml&id=0 - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 diff --git a/config/squid-reverse/squid_upstream.xml b/config/squid-reverse/squid_upstream.xml index d3c10771..126a0710 100644 --- a/config/squid-reverse/squid_upstream.xml +++ b/config/squid-reverse/squid_upstream.xml 
@@ -7,9 +7,10 @@ /* $Id$ */ /* ========================================================================== */ /* - authng.xml + squid_upstream.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong + Copyright (C) 2012 Marcello Coutinho All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) @@ -45,22 +46,22 @@ Describe your package here Describe your package requirements here Currently there are no FAQ items provided. - squidupstream + squidremote none - Proxy server: Upstream proxy settings - squid.inc + Proxy server: Remote proxy settings + /usr/local/pkg/squid.inc General /pkg_edit.php?xml=squid.xml&id=0 - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 
@@ -84,41 +85,219 @@ /pkg_edit.php?xml=squid_sync.xml + + + Status + enable + + + name + proxyaddr + + + Port + proxyport + + + ICP + icpport + + + Peer type + hierarchy + + + Method + peermethod + + + - Upstream proxy settings + General Settings listtopic - Enable forwarding - proxy_forwarding - This option enables the proxy server to forward requests to an upstream server. + Enable + enable + This option enables the proxy server to forward requests to an upstream/neighbor server. checkbox - proxy_addr,proxy_port,icp_port,username,password Hostname - proxy_addr + proxyaddr Enter here the IP address or host name of the upstream proxy. input + 35 + + + + Name + proxyname + Unique name for the peer.Required if you have multiple peers on the same host but different ports. + input + 35 + TCP port - proxy_port + proxyport Enter the port to use to connect to the upstream proxy. input 5 3128 + + + + Timeout + connecttimeout + A peer-specific connect timeout. Also see the peer_connect_timeout directive. + input + 5 + + + Fail Limit + connectfailLimit + How many times connecting to a peer must fail before it is marked as down. Default is 10. + input + 5 + 10 + + + Max + maxconn + Limit the amount of connections Squid may open to this peer. + input + 5 + + + Allow Miss + allowmiss + allow-miss - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.

+ no-tproxy - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.

+ proxy-only - Objects fetched from the peer will not be stored locally.]]>
+ select + allow-miss + + + + + + + 4 +
+ + Peer settings + listtopic + + + Hierarchy + hierarchy + Specify remote caches hierarchy. + select + parent + + + + + + + + Select method + peermethod +
+ default - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.
+ If specified more than once, only the first is used.

+ round-robin - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.
weight=N can be used to add bias.

+ weighted-round-robin - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.
+ Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.

+ carp - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.

+ userhash - Load-balance parents based on the client proxy_auth or ident username.

+ sourcehash - Load-balance parents based on the client source IP.

+ multicast-siblings - To be used only for cache peers of type "multicast".
+ ALL members of this multicast group have "sibling" relationship with it, not "parent". This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.
+ It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]>
+ select + round-robin + + + + + + + + + +
+ + weight + weight + Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more. + input + 5 + 1 + + + basetime + basetime + + It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]> + input + 5 + 1 + + + ttl + ttl + + Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]> + input + 5 + 1 + + + no-delay + nodelay + + checkbox + + + ICP settings + listtopic ICP port - icp_port + icpport Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies. input 5 7 + + ICP Options + icpoptions + + The defaults will prevent peer traffic using ICP

+ no-query - Disable ICP queries to this neighbor.

+ multicast-responder -Indicates the named peer is a member of a multicast group.
+ ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.

+ closest-only - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.

+ background-ping - To only send ICP queries to this neighbor infrequently.
+ This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]>
+ select + no-query + + + + + + +
+ + Auth settings + listtopic + Username username @@ -131,6 +310,39 @@ If the upstream proxy requires a password, specify it here. password + + Authentication options + authoption + login=user:password - If this is a personal/workgroup proxy and your parent requires proxy authentication.
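Review bot: The fields added in this hunk (`proxyname`, `connecttimeout`, `connectfailLimit`, `maxconn`, `weight`, `basetime`, `ttl`) have no matching checks in squid_validate_upstream, which in this commit only examines `proxyaddr`, `proxyport` and `icpport`. If these values are written into a cache_peer line, as their descriptions suggest, whitespace or a line break in any of them would change how squid parses that line. The numeric fields should be restricted to digits, for example `if ($post[$f] !== '' && !ctype_digit(trim($post[$f]))) $input_errors[] = "The field '$f' must be a number";`, and `proxyname` to a single token without whitespace. The same gap applies to `username` and `password` in the following hunk.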

+ login=PASSTHRU - Send login details received from client to this peer. Authentication is not required by Squid for this to work.
+ This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.

+ login=PASS - Send login details received from client to this peer.Authentication is not required by this option.
+ To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).
+ Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION

+ login=*:password - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.

+ login=NEGOTIATE - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
+ The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.
+ WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.

+ login=NEGOTIATE:principal_nameIf this is a personal/workgroup proxy and your parent requires a secure proxy authentication.
+ The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. + WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.

+ connection-auth=on - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
+ Default is auto to automatically determine the status of the peer.

+ connection-auth=off - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.
+ Default is auto to automatically determine the status of the peer.]]>
+ select + login=*:password + + + + + + + + + + +
squid_validate_upstream($_POST, &$input_errors); diff --git a/config/squid-reverse/squid_users.xml b/config/squid-reverse/squid_users.xml index d51a5f87..295ce4fa 100644 --- a/config/squid-reverse/squid_users.xml +++ b/config/squid-reverse/squid_users.xml @@ -48,7 +48,7 @@ squidusers none Proxy server: Local users - squid.inc + /usr/local/pkg/squid.inc A proxy server user has been deleted. A proxy server user has been created/modified. @@ -57,11 +57,11 @@ /pkg_edit.php?xml=squid.xml&id=0
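Review bot: The new `authoption` select appears to default to `login=*:password`, which forwards each client's username to the peer even if the administrator never visits this setting. A default that sends no credentials, with the `login=` modes as explicit opt-ins, would disclose less; whether an empty option already exists cannot be seen here because the option tags are stripped. The `connection-auth=on` description also repeats the "should be ignored" clause from the `off` entry, so the two read almost identically. I would reword the `on` entry to `connection-auth=on - Tell Squid that this peer does support Microsoft connection oriented authentication.`.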
- Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 + Remote Cache + /pkg.php?xml=squid_upstream.xml - Cache + Local Cache /pkg_edit.php?xml=squid_cache.xml&id=0 -- cgit v1.2.3