From 9229bea29bd67b14c089c0946ec43631adde9c42 Mon Sep 17 00:00:00 2001 From: Martin Fuchs Date: Mon, 19 Mar 2012 22:32:16 +0100 Subject: bump squid to 3.1.19 --- config/squid-reverse/squid.inc | 130 ++++++++++++++++++++++----------- config/squid-reverse/squid.xml | 2 +- config/squid-reverse/squid_reverse.xml | 42 +++++++---- 3 files changed, 119 insertions(+), 55 deletions(-) (limited to 'config') diff --git a/config/squid-reverse/squid.inc b/config/squid-reverse/squid.inc index 0358ce7c..979549f2 100644 --- a/config/squid-reverse/squid.inc +++ b/config/squid-reverse/squid.inc @@ -209,7 +209,6 @@ function squid_install_command() { if(file_exists("/usr/local/etc/rc.d/squid")) exec("/bin/rm /usr/local/etc/rc.d/squid"); squid_write_rcfile(); - exec("chmod a+rx /usr/local/libexec/squid/dnsserver"); if(file_exists("/usr/local/pkg/swapstate_check.php")) exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php"); @@ -272,10 +271,11 @@ function squid_deinstall_command() { } function squid_before_form_general($pkg) { - $values = get_dir(SQUID_CONFBASE . '/errors/'); - // Get rid of '..' and '.' - array_shift($values); - array_shift($values); + $values_raw = get_dir(SQUID_CONFBASE . '/errors/'); + // Get rid of '..' and '.' and ... + $values = array_diff ($values_raw, array('.','..','COPYRIGHT','TRANSLATORS')); + sort($values); + $name = array(); foreach ($values as $value) $names[] = implode(" ", explode("_", $value)); @@ -347,6 +347,7 @@ function squid_validate_general($post, $input_errors) { foreach ($altdns as $dnssrv) { if (!is_ipaddr($dnssrv)) $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; + break; }} } @@ -482,20 +483,28 @@ function squid_validate_traffic($post, $input_errors) { function squid_validate_reverse($post, $input_errors) { - $fqdn = trim($post['reverse_external_fqdn']); - if (!empty($fqdn) && !is_domain($fqdn)) - $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; + if(!empty($post['reverse_ip'])) { + $reverse_ip = explode(";", ($post['reverse_ip'])); + foreach ($reverse_ip as $reip) { + if (!is_ipaddr($reip)) + $input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field'; + break; + }} + + $fqdn = trim($post['reverse_external_fqdn']); + if (!empty($fqdn) && !is_domain($fqdn)) + $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; - $port = trim($post['reverse_http_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; + $port = trim($post['reverse_http_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; - $port = trim($post['reverse_https_port']); - if (!empty($port) && !is_port($port)) - $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; + $port = trim($post['reverse_https_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; - if ($post['reverse_ssl_cert'] == 'none') - $input_errors[] = 'A valid certificate for the external interface must be selected'; + if ($post['reverse_ssl_cert'] == 'none') + $input_errors[] = 'A valid certificate for the external interface must be selected'; if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; @@ -506,9 +515,9 @@ function squid_validate_reverse($post, $input_errors) { $input_errors[] = 'A valid certificate for the external interface must be selected'; */ - $rowa = trim($post['reverse_owa_ip']); - if (!empty($rowa) && !is_ipaddr($rowa)) - $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; + $rowa = trim($post['reverse_owa_ip']); + if (!empty($rowa) && !is_ipaddr($rowa)) + $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; $contents = $post['reverse_cache_peer']; @@ -672,7 +681,7 @@ function squid_resync_general() { } } if (($settings['transparent_proxy'] == 'on')) { - $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " transparent\n"; + $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " intercept\n"; } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); @@ -702,6 +711,8 @@ access_log $logdir_access cache_log $logdir_cache cache_store_log none +sslcrtd_children 0 + EOD; // Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen. @@ -721,6 +732,7 @@ EOD; foreach ($real_ifaces as $iface) { list($ip, $mask) = $iface; $ip = long2ip(ip2long($ip) & ip2long($mask)); + $mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2); $src .= " $ip/$mask"; } $conf .= "# Allow local network(s) on interface(s)\n"; @@ -851,8 +863,8 @@ function squid_resync_nac() { $conf = <<>>>>>> upstream/master if($cfg[3] == 'HTTPS') - $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; - $conf .= "name={$cfg[0]}\n"; + $conf .= "ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; + $conf .= "name={$cfg[0]}\n"; }}} //ACLs @@ -1074,14 +1109,27 @@ function squid_resync_reverse() { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/owa.*$\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchange.*$\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/public.*$\n"; - $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchwebexchweb.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchweb.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/ecp.*$\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/OAB.*$\n"; } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_activesync'] == 'on')) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/Microsoft-Server-ActiveSync.*$\n"; } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_rpchttp'] == 'on')) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpc/rpcproxy.dll.*$\n"; - $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpcwithcert/rpcproxy.dll.*$\n"; + } + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_webservice'] == 'on')) { + $conf .= "ignore_expect_100 on\n"; + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/EWS.*$\n"; + } + + if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_autodiscover'] == 'on')) { + $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/autodiscover.*$\n"; + +// $conf .= "ssl_unclean_shutdown on"; + } $contents = base64_decode($settings['revrse_uri']); @@ -1100,7 +1148,7 @@ function squid_resync_reverse() { //ACCESS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; - $conf .= "cache_peer_access OWA_HOST_pfs deny all\n"; + $conf .= "cache_peer_access OWA_HOST_pfs deny allsrc\n"; $conf .= "never_direct allow OWA_URI_pfs\n"; $conf .= "http_access allow OWA_URI_pfs\n"; } @@ -1116,12 +1164,12 @@ function squid_resync_reverse() { foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "cache_peer_access {$cfg[0]} deny all\n"; + $conf .= "cache_peer_access {$cfg[0]} deny allsrc\n"; }} foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ - $conf .= "never direct allow {$cfg[1]}\n"; + $conf .= "never_direct allow {$cfg[1]}\n"; }} foreach ($defs as $def) { $cfg = explode(";",($def)); @@ -1132,7 +1180,7 @@ function squid_resync_reverse() { $conf .= "\n"; - if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; + if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET allsrc\n"; return $conf; } @@ -1268,7 +1316,7 @@ EOD; } $conf .= "# Default block all to be sure\n"; - $conf .= "http_access deny all\n"; + $conf .= "http_access deny allsrc\n"; return $conf; } @@ -1339,7 +1387,7 @@ function squid_resync() { if (!is_service_running('squid')) { log_error("Starting Squid"); - mwexec("/usr/local/sbin/squid -D"); + mwexec("/usr/local/sbin/squid"); } else { log_error("Reloading Squid for configuration sync"); mwexec("/usr/local/sbin/squid -k reconfigure"); diff --git a/config/squid-reverse/squid.xml b/config/squid-reverse/squid.xml index 5cb5ea4a..fdeaacb9 100644 --- a/config/squid-reverse/squid.xml +++ b/config/squid-reverse/squid.xml @@ -46,7 +46,7 @@ Describe your package requirements here Currently there are no FAQ items provided. squid - 2.7.STABLE9 + 3.1.STABLE19 Proxy server: General settings /usr/local/pkg/squid.inc diff --git a/config/squid-reverse/squid_reverse.xml b/config/squid-reverse/squid_reverse.xml index d921254f..e3f57b13 100644 --- a/config/squid-reverse/squid_reverse.xml +++ b/config/squid-reverse/squid_reverse.xml @@ -99,6 +99,13 @@ wan + + User-defined reverse-proxy IPs + reverse_ip + Squid will additionally bind to this user-defined IPs for reverse-proxy operation. Useful for virtual IPs such as CARP. Separate by semi-colons (;). + input + 80 + external FQDN reverse_external_fqdn @@ -131,15 +138,15 @@ input 60 - + Enable HTTPS reverse proxy reverse_https - If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access. + If this field is checked, the proxy-server will act in HTTPS reverse mode. <br>(You have to add a rule with destination "WAN-address") checkbox reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_ignore_ssl_valid,reverse_ssl_chain off - + reverse HTTPS port reverse_https_port @@ -164,7 +171,7 @@ descr refid - + intermediate CA certificate (if needed) reverse_int_ca Paste a signed certificate in X.509 PEM format here. @@ -187,35 +194,44 @@ checkbox on - + Enable OWA reverse proxy reverse_owa - If this field is checked, squid will act as an accelerator/SSL offload for Outlook Web Access. + If this field is checked, squid will act as an accelerator/ SSL offloader for Outlook Web App. checkbox - reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp - + reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_webservice,reverse_owa_autodiscover + OWA frontend IP address reverse_owa_ip This is the internal IP Address of the OWA frontend server. input 15 - localhost Enable ActiveSync reverse_owa_activesync - If this field is checked, ActiveSync support will be enabled. + If this field is checked, ActiveSync will be enabled. checkbox Enable Outlook Anywhere reverse_owa_rpchttp - If this field is checked, RPC over HTTP support will be enabled. + If this field is checked, RPC over HTTP will be enabled. + checkbox + + + Enable Exchange WebServices + reverse_owa_webservice + If this field is checked, Exchange WebServices will be enabled. + checkbox + + + Enable AutoDiscover + reverse_owa_autodiscover + If this field is checked, AutoDiscover will be enabled. checkbox - extension_methods - <b>peer definitions</b> <br>publishing hosts reverse_cache_peer -- cgit v1.2.3