From 0101b159ad8ebad4f335f33dfef91c6f1b2c90f6 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 13:40:10 +0200 Subject: Antivirus GUI behaviour sanitization - first part Use JS to toggle access to different parts of the GUI, depending on whether the users want to configure things by editing config files or via the GUI options. --- config/squid3/34/squid.inc | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index db5f1b0c..e286b37d 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -2413,6 +2413,48 @@ function squid_print_javascript_auth2() { print("\n"); } +function squid_print_antivirus_advanced_config() { + $javascript = <<< EOD + + +EOD; + print($javascript); + +} + +function squid_print_antivirus_advanced_config2() { + print('\n'); +} + function squid_generate_rules($type) { global $config, $pfs_version; -- cgit v1.2.3 From 3a44ec003327d054620bd151006e742864080940 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 13:43:02 +0200 Subject: Antivirus GUI behaviour sanitization - first part Add manual configuration toggle. When disabled, the 'Advanced Options" only show the AV/C-ICAP config file but do not allow editing, and vice versa. --- config/squid3/34/squid_antivirus.xml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'config') diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index a257891d..647ffe35 100755 --- a/config/squid3/34/squid_antivirus.xml +++ b/config/squid3/34/squid_antivirus.xml @@ -99,6 +99,24 @@ Enable Squid antivirus check using ClamAV. checkbox + + Enable Manual Configuration + enable_advanced + + + You must edit the configuration files directly in the 'Advanced Options'.
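Review bot: `squid_print_antivirus_advanced_config2()` prints `'\n'` in single quotes, which PHP emits as a literal backslash followed by `n` rather than a newline; the neighbouring `squid_print_javascript_auth2()` in the context lines uses `print("\n");`. Putting the trailing newline in double quotes keeps the stray characters out of the rendered page. The markup inside both new functions appears to have been lost in this rendering, so the rest of their bodies cannot be reviewed here. A one-line comment above each, such as `// Emits the JS that enables/disables the antivirus form fields`, would help the next reader.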
+ Warning: Only enable this if you know what are you doing. + ]]> +
+ select + + + + + disabled + on_antivirus_advanced_config_changed() +
Client Forward Options client_info @@ -238,6 +256,15 @@ 15 + + squid_print_antivirus_advanced_config(); + + + squid_print_antivirus_advanced_config2(); + + + squid_print_antivirus_advanced_config2(); + squid_validate_antivirus($_POST, $input_errors); -- cgit v1.2.3 From 330057b59ad547c3ed9b6c0c80f44808bd36e720 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 14:31:04 +0200 Subject: Mute rename() to stop spitting out useless junk in console... --- config/squid3/34/squid.inc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index e286b37d..692c489f 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -153,7 +153,7 @@ function squid_dash_z($cache_action = 'none') { if (is_service_running('squid')) { stop_service("squid"); } - rename($cachedir, "{$cachedir}.old"); + @rename($cachedir, "{$cachedir}.old"); mwexec_bg("/bin/rm -rf {$cachedir}.old"); squid_restart_services(); } else { @@ -174,7 +174,7 @@ function squid_dash_z($cache_action = 'none') { } if (is_dir($cachedir)) { if (substr($cachedir, 0, 11) === "/var/squid/") { - rename($cachedir, "{$cachedir}.old"); + @rename($cachedir, "{$cachedir}.old"); mwexec_bg("/bin/rm -rf {$cachedir}.old"); } else { log_error("Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); -- cgit v1.2.3 From ba452f535da31882d674940117a24f3ffdfdc543 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 14:55:54 +0200 Subject: Remove squid_resync_redirector() Deprecated dead cruft. See http://www.freshports.org/www/squirm --- config/squid3/34/squid.inc | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 692c489f..d4295a23 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
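Review bot: Prefixing `rename()` with `@` in both hunks of `squid_dash_z()` hides the failure but leaves it unhandled: the return value is ignored, so when the move fails the old cache directory stays in place while `mwexec_bg("/bin/rm -rf {$cachedir}.old")` still runs. Checking the result keeps the console quiet and still records the problem, e.g. `if (!@rename($cachedir, "{$cachedir}.old")) { log_error("Squid - could not move cache dir '{$cachedir}'"); }`. `$cachedir` is also interpolated into the shell command unquoted, so `"/bin/rm -rf " . escapeshellarg("{$cachedir}.old")` would be safer. The function body starts and ends outside both hunks.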
@@ -1399,20 +1399,6 @@ function squid_resync_upstream() { return $conf; } -function squid_resync_redirector() { - global $config; - - // XXX: What port provide squirm binary? It's not present - $httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on'); - $redirector = "/usr/local/bin/squirm"; - if (($httpav_enabled) && is_executable($redirector)) { - $conf = "url_rewrite_program /usr/local/bin/squirm\n"; - } else { - $conf = "# No redirector configured\n"; - } - return $conf; -} - function squid_resync_nac() { global $config, $valid_acls; @@ -2163,7 +2149,6 @@ function squid_resync($via_rpc = "no") { } $conf = squid_resync_general() . "\n"; $conf .= squid_resync_cache() . "\n"; - $conf .= squid_resync_redirector() . "\n"; $conf .= squid_resync_upstream() . "\n"; $conf .= squid_resync_nac() . "\n"; $conf .= squid_resync_traffic() . "\n"; -- cgit v1.2.3 From a653e571efe26445fc32688d7da194644cc70ac2 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 15:20:28 +0200 Subject: Code style and whitespace fixes --- config/squid3/34/squid.inc | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index d4295a23..37fe5ef6 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -383,7 +383,7 @@ function squid_install_command() { "start" => "/usr/local/pkg/sqpmon.sh &", "stop" => "/bin/ps awux | /usr/bin/grep \"sqpmon\" | /usr/bin/grep -v \"grep\" | /usr/bin/grep -v \"php\" | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill") ); - + // create c-icap rcfile squid_write_cicap_rcfile(); @@ -944,7 +944,7 @@ function squid_install_cron($should_install) { function squid_install_freshclam_cron($should_install) { global $config; - + if (platform_booting()) { return; } 
@@ -2405,7 +2405,7 @@ function squid_print_antivirus_advanced_config() { function on_antivirus_advanced_config_changed() { var field = document.iform.enable_advanced; var enable_advanced = field.options[field.selectedIndex].value; - + if (enable_advanced === 'disabled') { document.iform['client_info'].disabled = 0; document.iform['clamav_safebrowsing'].disabled = 0; @@ -2449,7 +2449,7 @@ function squid_generate_rules($type) { $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $cp_inc = file($cp_file); $new_cp_inc = ""; - $found_rule=0; + $found_rule = 0; foreach ($cp_inc as $line) { $new_line = $line; //remove applied squid patch @@ -2487,13 +2487,13 @@ function squid_generate_rules($type) { $transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']); $transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces); } else { - $transparent_ifaces=array(); + $transparent_ifaces = array(); } if ($squid_conf['ssl_proxy'] == "on") { $ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']); $ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces); } else { - $ssl_ifaces=array(); + $ssl_ifaces = array(); } $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); @@ -2741,15 +2741,7 @@ function squid_sync_on_changes() { function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { global $config, $g; - if (!$username) { - return; - } - - if (!$password) { - return; - } - - if (!$sync_to_ip) { + if (!$username || !$password || !$sync_to_ip) { return; } @@ -2757,7 +2749,6 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $synctimeout = 250; } - $xmlrpc_sync_neighbor = $sync_to_ip; if ($config['system']['webgui']['protocol'] != "") { $synchronizetoip = $config['system']['webgui']['protocol']; 
@@ -2766,10 +2757,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $username, $password, $synctimeout) { $port = $config['system']['webgui']['port']; /* If port is empty let's rely on the protocol selection */ if ($port == "") { - if ($config['system']['webgui']['protocol'] == "http") - $port = "80"; - else - $port = "443"; + $port = $config['system']['webgui']['protocol'] == "http" ? "80" : "443"; } $synchronizetoip .= $sync_to_ip; -- cgit v1.2.3 From e6e538462dbb20646948bd8e499e06ab49cf66bf Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 18:18:54 +0200 Subject: Implement keep data/settings features --- config/squid3/34/squid.inc | 99 ++++++++++++++++++++++++++++++++++------------ 1 file changed, 74 insertions(+), 25 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 37fe5ef6..d5fed4ce 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -406,14 +406,14 @@ function squid_install_command() { } function squid_deinstall_command() { - global $config, $g; + global $config, $g, $keep; /* remove cronjobs */ squid_install_cron(false); squid_install_freshclam_cron(false); - update_status("Stopping services..."); /* kill all running services */ + update_output_window("Stopping and removing services..."); mwexec('/usr/local/etc/rc.d/sqp_monitor.sh stop'); if (is_process_running("c-icap")) { mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); 
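Review bot: The rewritten fallback `$port = $config['system']['webgui']['protocol'] == "http" ? "80" : "443";` relies on operator precedence and reads more clearly as `$port = ($config['system']['webgui']['protocol'] == "http") ? "80" : "443";`. Beyond style, the context lines show that `squid_do_xmlrpc_sync()` builds the peer URL from this firewall's own web GUI protocol and port. If the `$username`/`$password` arguments are sent to that URL, as the function name suggests, an `http` setting would carry them in cleartext, and a peer listening on a different protocol or port would not be reached. A comment stating that assumption, or a per-target protocol and port setting, would be worth adding; the rest of the function lies outside the hunk.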
@@ -430,9 +430,7 @@ function squid_deinstall_command() { unlink_if_exists('/usr/local/etc/rc.d/clamav-clamd'); unlink_if_exists('/usr/local/etc/rc.d/clamav-freshclam'); - /* clean up created directories */ - update_status("Removing cache and logs ... One moment please..."); - update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + /* clean up created directories if 'Keep Settings/Data' is disabled */ if (is_array($config['installedpackages']['squidcache'])) { $cachesettings = $config['installedpackages']['squidcache']['config'][0]; } else { 
@@ -445,30 +443,36 @@ function squid_deinstall_command() { $squidsettings = array(); } $logdir = ($squidsettings['log_dir'] ? $squidsettings['log_dir'] : '/var/squid/logs'); - // XXX: Is it ok to remove cache and logs? It's going to happen every time package is updated - if (is_dir("{$cachedir}")) { - if (substr($cachedir, 0, 11) === "/var/squid/") { - mwexec_bg("/bin/rm -rf {$cachedir}"); - } else { - log_error("Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); + $keep = ($squidsettings['keep_squid_data'] ? true : false); + + if (!$keep) { + update_output_window("Removing cache and logs ... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + if (is_dir("{$cachedir}")) { + if (substr($cachedir, 0, 11) === "/var/squid/") { + mwexec_bg("/bin/rm -rf {$cachedir}"); + } else { + log_error("Will NOT delete Squid cache dir '{$cachedir}' since it is not located under /var/squid. Delete manually if required."); + } } - } - if (is_dir("{$logdir}")) { - if (substr($logdir, 0, 11) === "/var/squid/") { - mwexec("/bin/rm -rf {$logdir}"); - } else { - log_error("Will NOT delete Squid log dir '{$logdir}' since it is not located under /var/squid. Delete manually if required."); + if (is_dir("{$logdir}")) { + if (substr($logdir, 0, 11) === "/var/squid/") { + mwexec("/bin/rm -rf {$logdir}"); + } else { + log_error("Will NOT delete Squid log dir '{$logdir}' since it is not located under /var/squid. 
Delete manually if required."); + } } - } - $dirs = array("/var/run/c-icap", "/var/log/c-icap", "/var/log/clamav", "/var/run/clamav", "/var/db/clamav", "/var/run/squid", "/var/squid"); - foreach ($dirs as $dir) { - if (is_dir("{$dir}")) { - mwexec("/bin/rm -rf {$dir}"); + + $dirs = array("/var/run/c-icap", "/var/log/c-icap", "/var/log/clamav", "/var/run/clamav", "/var/db/clamav", "/var/run/squid", "/var/squid"); + foreach ($dirs as $dir) { + if (is_dir("{$dir}")) { + mwexec("/bin/rm -rf {$dir}"); + } } } /* clean up created PBI symlinks */ - update_status("Finishing package cleanup."); + update_output_window("Finishing package cleanup."); if (SQUID_LOCALBASE != '/usr/local') { $ln_icap = array('bin/c-icap', 'bin/c-icap-client', 'c-icap-config', 'c-icap-libicapapi-config', 'c-icap-stretch', 'lib/c_icap', 'share/c_icap', 'etc/c-icap'); foreach ($ln_icap as $ln) { @@ -483,7 +487,7 @@ function squid_deinstall_command() { /* check if clamav/c_icap is enabled in rc.conf.local */ if (file_exists("/etc/rc.conf.local")) { - update_status("Removing antivirus services from /etc/rc.conf.local..."); + update_output_window("Removing antivirus services from /etc/rc.conf.local..."); $sample_file = file_get_contents("/etc/rc.conf.local"); $rcconf_local_m[0] = "@c_icap_enable(.*)\n@"; $rcconf_local_m[1] = "@clamav_clamd_enable(.*)\n@"; 
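Review bot: The deletion block now wrapped in `if (!$keep)` still passes `$cachedir` and `$logdir` from the package configuration into `/bin/rm -rf` through a shell, guarded only by `substr(..., 0, 11) === "/var/squid/"`. A path that contains `..` components still satisfies that prefix test, and shell metacharacters in the value are not quoted. Resolving and quoting the path closes both gaps: `$real = realpath($cachedir);`, then the same prefix test on `$real`, then `mwexec_bg("/bin/rm -rf " . escapeshellarg($real));`. The `$logdir` branch needs the same treatment. `squid_deinstall_command()` begins and ends outside this hunk.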
@@ -492,8 +496,53 @@ function squid_deinstall_command() { file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); } - update_status("Reloading filter..."); + update_output_window("Reloading filter..."); filter_configure(); + + /* Remove package settings from config if 'Keep Settings/Data' is disabled */ + if (!$keep) { + log_error("Removing all Squid settings since 'Keep Settings/Data' is disabled..."); + if (is_array($config['installedpackages']['squid'])) { + unset($config['installedpackages']['squid']); + } + if (is_array($config['installedpackages']['squidantivirus'])) { + unset($config['installedpackages']['squidantivirus']); + } + if (is_array($config['installedpackages']['squidauth'])) { + unset($config['installedpackages']['squidauth']); + } + if (is_array($config['installedpackages']['squidcache'])) { + unset($config['installedpackages']['squidcache']); + } + if (is_array($config['installedpackages']['squidnac'])) { + unset($config['installedpackages']['squidnac']); + } + if (is_array($config['installedpackages']['squidreverse'])) { + unset($config['installedpackages']['squidreverse']); + } + if (is_array($config['installedpackages']['squidreversegeneral'])) { + unset($config['installedpackages']['squidreversegeneral']); + } + if (is_array($config['installedpackages']['squidreversepeer'])) { + unset($config['installedpackages']['squidreversepeer']); + } + if (is_array($config['installedpackages']['squidreverseredir'])) { + unset($config['installedpackages']['squidreverseredir']); + } + if (is_array($config['installedpackages']['squidsync'])) { + unset($config['installedpackages']['squidsync']); + } + if (is_array($config['installedpackages']['squidtraffic'])) { + unset($config['installedpackages']['squidtraffic']); + } + if (is_array($config['installedpackages']['squidremote'])) { + unset($config['installedpackages']['squidremote']); + } + if (is_array($config['installedpackages']['squidusers'])) { + 
unset($config['installedpackages']['squidusers']); + } + } + update_output_window("Squid3 has been uninstalled."); } function squid_validate_antivirus($post, &$input_errors) { -- cgit v1.2.3 From 0c05b01aedbe30bb17766d00e2cd221c5a208cff Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 18:22:22 +0200 Subject: Implement keep data/settings features --- config/squid3/34/squid.xml | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index dda924f8..1bc5fd3b 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -42,7 +42,7 @@ ]]> squid - 0.3.7 + 0.3.8 Proxy Server: General Settings /usr/local/pkg/squid.inc @@ -236,6 +236,18 @@ Squid General Settings listtopic + + Keep Settings/Data + keep_squid_data + + + Note: If disabled, all settings and data will be wiped on package uninstall/reinstall/upgrade. + ]]> + + checkbox + on + Proxy Interface(s) active_interface -- cgit v1.2.3 From 6fb1d579ee14eb39724b3c4650d5d4dba3e84220 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 18:30:12 +0200 Subject: Implement a generic setting to enable/disable Squid services Desperately needed, currently getting rid of configured and running Squid is impossible without uninstalling. --- config/squid3/34/squid.xml | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'config') diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 1bc5fd3b..0f99b8cb 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -236,6 +236,17 @@ Squid General Settings listtopic + + Enable Squid Proxy + enable_squid + + + Note: If unchecked, all Squid services will be disabled and stopped.
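Review bot: The settings wipe is gated on `$keep`, which an earlier hunk of this commit computes as `$squidsettings['keep_squid_data'] ? true : false`, so a configuration with no `keep_squid_data` key is treated as "do not keep". Installs whose General page was last saved before this option existed would presumably lose every `squid*` section, plus cache and logs, on their first upgrade, even though the new XML field appears to default to on. Treating an absent key as keep is the conservative choice, e.g. `$keep = !isset($squidsettings['keep_squid_data']) || $squidsettings['keep_squid_data'] == 'on';`; if the package framework drops the key for an unchecked box, a one-time migration at install time is the alternative. `$keep` also does not need to be added to the `global` list, and the thirteen `is_array()`/`unset()` pairs could be one `foreach` over the section names.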
+ ]]> +
+ checkbox +
Keep Settings/Data keep_squid_data -- cgit v1.2.3 From 781a2fa1be222ad4c4b2c32e293d4bd62ddf92b3 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 19:37:22 +0200 Subject: Fix the numdirs comparison here (int vs. string), make this more readable as well Cache is getting always recreated because of strict comparison. --- config/squid3/34/squid.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index d5fed4ce..fc957e34 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -166,7 +166,7 @@ function squid_dash_z($cache_action = 'none') { // Re-create the cachedir if clean is forced by cronjob/manually, // or if the cachedir changed, or level1_subdirs don't exist or the number of level1_subdirs changed - if ($cache_action == "clean" || ((!is_dir($cachedir)) || (!is_dir($cachedir . '/00'))) || ($numdirs !== $currentdirs)) { + if ($cache_action == "clean" || !is_dir($cachedir) || !is_dir($cachedir . '/00') || $numdirs != $currentdirs) { // cannot nuke disk cache while Squid is running squid_stop_monitor(); if (is_service_running('squid')) { -- cgit v1.2.3 From 281897d2d9cbcdccf5f10a77f2bd81bebc46e6f1 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 21:58:07 +0200 Subject: Implement a generic setting to enable/disable Squid services, bugfixes and cleanups - add squid_enabled() function to check whether Squid is enabled; if not, disable all services (proxy, clamav, c-icap, monitor script) and cronjobs - handle antivirus services in a separate function - make it possible to disable Google Safe Browsing via the antivirus GUI options --- config/squid3/34/squid.inc | 245 +++++++++++++++++++++++++++++---------------- 1 file changed, 158 insertions(+), 87 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index fc957e34..ed218409 100755 --- a/config/squid3/34/squid.inc 
+++ b/config/squid3/34/squid.inc @@ -980,7 +980,7 @@ function squid_install_cron($should_install) { install_cron_job("{$cron_cmd}", $should_install, "0", "0", "*", "*", "*", "root"); $swapstate_cmd = "/usr/local/pkg/swapstate_check.php clean; "; - if ($should_install) { + if (($should_install) && (squid_enabled())) { if ($settings['clear_cache'] == 'on' ) { install_cron_job("{$swapstate_cmd}", true, "*/360"); } else { @@ -1005,7 +1005,7 @@ function squid_install_freshclam_cron($should_install) { } $freshclam_cmd = (SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); - if ($should_install) { + if (($should_install) && (squid_enabled())) { if ($antivirus_config['clamav_update'] != "0") { $minutes = ($antivirus_config['clamav_update'] * 60); install_cron_job("{$freshclam_cmd}", true, "*/{$minutes}", "*", "*", "*", "*", "clamav"); @@ -1553,7 +1553,7 @@ function squid_resync_antivirus() { $antivirus_config = array(); } - if ($antivirus_config['enable'] == "on") { + if (squid_enabled() && ($antivirus_config['enable'] == "on")) { switch ($antivirus_config['client_info']) { case "both": default: @@ -1619,6 +1619,9 @@ EOF; if ($antivirus_config['clamav_safebrowsing'] == "on") { $clamav_m[2] = "@safebrowsing\s0@"; $clamav_r[2] = "safebrowsing 1"; + } else { + $clamav_m[2] = "@safebrowsing\s1@"; + $clamav_r[2] = "safebrowsing 0"; } file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf.sample", preg_replace($clamav_m, $clamav_r, $sample_file), LOCK_EX); } @@ -1675,6 +1678,11 @@ EOF; if ($antivirus_config['clamav_safebrowsing'] == "on") { $freshclam_m[2] = "@#SafeBrowsing yes@"; $freshclam_r[2] = "SafeBrowsing yes"; + } else { + if (!preg_match("@#SafeBrowsing yes@", file_get_contents($sample_file))) { + $freshclam_m[2] = "@SafeBrowsing yes@"; + $freshclam_r[2] = "#SafeBrowsing yes"; + } } file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf.sample", preg_replace($freshclam_m, $freshclam_r, $sample_file), LOCK_EX); } 
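Review bot: In the new `else` branch for freshclam, `file_get_contents($sample_file)` is called on a variable that, judging by the `preg_replace($freshclam_m, $freshclam_r, $sample_file)` call at the end of the hunk, already holds the file's contents rather than a path. The read would then fail and `preg_match()` would be given `false`, so the condition is always true and `SafeBrowsing yes` is rewritten even when the line is already commented, producing `##SafeBrowsing yes`. Matching the string directly and anchoring the pattern so only an active directive is hit avoids this: `if (preg_match("@^SafeBrowsing yes@m", $sample_file)) { $freshclam_m[2] = "@^SafeBrowsing yes@m"; $freshclam_r[2] = "#SafeBrowsing yes"; }`. The assignment of `$sample_file` is outside the hunk, so confirm it there.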
@@ -1738,74 +1746,10 @@ EOF; file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.magic", base64_decode($antivirus_config['c-icap_magic']), LOCK_EX); file_put_contents(SQUID_LOCALBASE . "/etc/freshclam.conf", base64_decode($antivirus_config['freshclam_conf']), LOCK_EX); - - // Check clamav database - if (count(glob("/var/db/clamav/*d")) == 0) { - log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); - mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); - } elseif (($antivirus_config['clamav_safebrowsing'] == "on") && (!is_file("/var/db/clamav/safebrowsing.cvd"))) { - log_error("Squid - Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); - mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); - } - - // check antivirus daemons - // check icap - $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap.sh"; - if (!file_exists($c_icap_rcfile)) { - squid_write_cicap_rcfile(); - } - if (is_process_running("c-icap")) { - mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); - } else { - mwexec_bg("{$c_icap_rcfile} start"); - } - // check clamav/freshclam - $rc_files = array("clamav-freshclam", "clamav-clamd"); - $clamm[0] = "@/usr/local/(bin|sbin)@"; - $clamm[1] = "@/local/(bin|sbin)@"; - $clamm[2] = "@/usr/local/etc@"; - $clamm[3] = "@enable:=NO@"; - $clamr[0] = SQUID_BASE . "/bin"; - $clamr[1] = "/bin"; - $clamr[2] = SQUID_LOCALBASE . 
"/etc"; - $clamr[3] = "enable:=YES"; - foreach ($rc_files as $rc_file) { - $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; - if (file_exists($clamav_rcfile)) { - $sample_file = file_get_contents($clamav_rcfile); - file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); - } - } - if (is_process_running("clamd")) { - mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); - } else { - mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); - } - } else { - // stop AV services and disable all C-ICAP/AV features - log_error("Squid antivirus features disabled."); - if (is_process_running("clamd")) { - log_error("Stopping ClamAV..."); - mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); - } - if (is_process_running("c-icap")) { - log_error("Stopping C-ICAP..."); - mwexec_bg("/usr/local/etc/rc.d/c-icap.sh stop"); - } - // freshclam cronjob - log_error("Removing freshclam cronjob..."); - squid_install_freshclam_cron(false); - - // check if clamav is enabled in rc.conf.local - // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way - if (file_exists("/etc/rc.conf.local")) { - log_error("Removing antivirus services from /etc/rc.conf.local..."); - $sample_file = file_get_contents("/etc/rc.conf.local"); - $rcconf_local_m[0] = "@clamav_clamd_enable(.*)\n@"; - $rcconf_local_r[0] = ""; - file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); - } } + // this will (re)start or stop/disable services as needed + // depending on whether Squid proxy and/or antivirus features are enabled + squid_restart_antivirus(); return $conf; } 
@@ -2239,11 +2183,38 @@ function squid_stop_monitor() { } function squid_start_monitor() { - if (!exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { - log_error("Starting a proxy monitor script"); - mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); + if (squid_enabled()) { + if (!exec("/bin/ps auxw | /usr/bin/grep '[s]qpmon'")) { + log_error("Starting a proxy monitor script"); + mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start"); + } + sleep(1); + } else { + log_error("Squid is disabled. Not starting a proxy monitor script"); } - sleep(1); +} + +function squid_enabled() { + global $config, $proxy_enabled; + $proxy_enabled = false; + + if (is_array($config['installedpackages']['squid']['config'])) { + // check whether Squid is enabled ... + if ($config['installedpackages']['squid']['config'][0]['enable_squid'] == "on") { + // ... and has at least one interface configured ... + if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { + $proxy_enabled = true; + } else { + // ... or has at least one reverse interface configured + if (is_array($config['installedpackages']['squidreversegeneral']['config'])) { + if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { + $proxy_enabled = true; + } + } + } + } + } + return $proxy_enabled; } function squid_restart_services() { 
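Review bot: `squid_enabled()` returns true only when `enable_squid` equals `"on"`, so a configuration written before this option existed is treated as disabled. After an upgrade that would presumably stop the proxy and, through the other `squid_enabled()` checks in this commit, the monitor script, cron jobs, firewall rules and ClamAV/C-ICAP scanning, without the admin having changed anything; as far as this rendering shows, the matching XML field has no default. A one-time migration that sets `enable_squid` to `on` for existing installs with an `active_interface`, or at least a prominent notice on upgrade, would avoid a silent loss of filtering. `$proxy_enabled` also does not need to be in the `global` list, since it is only assigned and returned here; `global $config;` with a local `$proxy_enabled = false;` is enough.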
@@ -2253,20 +2224,8 @@ function squid_restart_services() { if (platform_booting()) { return; } - $squid_enabled = false; - if (is_array($config['installedpackages']['squid']['config'])) { - // check if Squid is enabled - if ($config['installedpackages']['squid']['config'][0]['active_interface'] != "") { - $squid_enabled = true; - } - } elseif (is_array($config['installedpackages']['squidreversegeneral']['config'])) { - // check if squidreverse is enabled - if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "") { - $squid_enabled = true; - } - } - if ($squid_enabled) { + if (squid_enabled()) { /* kill any running proxy alarm scripts */ squid_stop_monitor(); 
@@ -2296,6 +2255,111 @@ function squid_restart_services() { } } +function squid_restart_antivirus() { + global $config; + if (is_array($config['installedpackages']['squidantivirus'])) { + $antivirus_config = $config['installedpackages']['squidantivirus']['config'][0]; + } else { + $antivirus_config = array(); + } + + // reconfigure and (re)start service as needed if enabled, otherwise stop them + // do not (re)start antivirus services on boot + if (platform_booting()) { + return; + } + + if (squid_enabled() && ($antivirus_config['enable'] == "on")) { + // Check clamav database + if (count(glob("/var/db/clamav/*d")) == 0) { + log_error("Squid - Missing /var/db/clamav/*.cvd or *.cld files. Running freshclam in background."); + mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); + } elseif ($antivirus_config['clamav_safebrowsing'] == "on" && !is_file("/var/db/clamav/safebrowsing.cvd")) { + log_error("Squid - Google Safe Browsing is enabled but missing safebrowsing.cvd definitions. Running freshclam in background."); + mwexec_bg(SQUID_BASE . "/bin/freshclam --config-file=" . SQUID_BASE . "/etc/freshclam.conf"); + } elseif ($antivirus_config['clamav_safebrowsing'] != "on" && is_file("/var/db/clamav/safebrowsing.cvd")) { + log_error("Squid - Google Safe Browsing is disabled. Removing safebrowsing.cvd definitions."); + mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd"); + } + + // check clamav/freshclam rcfiles + $rc_files = array("clamav-freshclam", "clamav-clamd"); + $clamm[0] = "@/usr/local/(bin|sbin)@"; + $clamm[1] = "@/local/(bin|sbin)@"; + $clamm[2] = "@/usr/local/etc@"; + $clamm[3] = "@enable:=NO@"; + $clamr[0] = SQUID_BASE . "/bin"; + $clamr[1] = "/bin"; + $clamr[2] = SQUID_LOCALBASE . 
"/etc"; + $clamr[3] = "enable:=YES"; + foreach ($rc_files as $rc_file) { + $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; + if (file_exists($clamav_rcfile)) { + $sample_file = file_get_contents($clamav_rcfile); + file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); + } + } + if (is_process_running("clamd")) { + log_error("Reloading ClamAV..."); + mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); + } else { + log_error("Starting ClamAV..."); + mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); + } + + // check c-icap rcfile + $c_icap_rcfile = "/usr/local/etc/rc.d/c-icap.sh"; + if (!file_exists($c_icap_rcfile)) { + squid_write_cicap_rcfile(); + } + if (is_process_running("c-icap")) { + mwexec_bg('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl'); + } else { + mwexec_bg("{$c_icap_rcfile} start"); + } + } else { + // stop AV services and disable all C-ICAP/AV features + log_error("Squid antivirus features disabled."); + if (is_process_running("clamd")) { + log_error("Stopping and disabling ClamAV..."); + mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + } + + // freshclam cronjob + log_error("Removing freshclam cronjob..."); + squid_install_freshclam_cron(false); + + // check clamav/freshclam rcfiles + $rc_files = array("clamav-freshclam", "clamav-clamd"); + $clamm[0] = "@enable:=YES@"; + $clamr[0] = "enable:=NO"; + foreach ($rc_files as $rc_file) { + $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; + if (file_exists($clamav_rcfile)) { + $sample_file = file_get_contents($clamav_rcfile); + file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); + } + } + + // check if clamav is enabled in rc.conf.local + // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way + if (file_exists("/etc/rc.conf.local")) { + log_error("Removing antivirus services from /etc/rc.conf.local..."); + $sample_file = 
file_get_contents("/etc/rc.conf.local"); + $rcconf_local_m[0] = "@clamav_clamd_enable(.*)\n@"; + $rcconf_local_r[0] = ""; + file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); + } + // check c-icap rcfile + if (is_process_running("c-icap")) { + log_error("Stopping and disabling C-ICAP..."); + mwexec_bg("/usr/local/etc/rc.d/c-icap.sh stop"); + } + unlink_if_exists("/usr/local/etc/rc.d/c-icap"); + unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); + } +} + function squid_print_javascript_auth() { global $config; $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); @@ -2520,6 +2584,13 @@ function squid_generate_rules($type) { if ($found_rule > 0) { file_put_contents($cp_file, $new_cp_inc, LOCK_EX); } + + // do not install any firewall rules if Squid is disabled + if (!squid_enabled()) { + log_error("Squid is installed but disabled. Not installing \"{$type}\" rules."); + return; + } + // normal squid rule check if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; -- cgit v1.2.3 From aa8c01713625a51fec2d8cc6d12d9a4c4f5ce94d Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 22:48:59 +0200 Subject: Remove useless buggy /etc/rc.conf.local crap Adding to the file was broken -- when run multiple times, it added a separate ="YES" line to the file. Moreover, the _enable variable is being patched to default to YES in individual rc scripts, so this junk is just not needed. Leaving the squid_deinstall_command() stuff in here for now, hopefully most users will get the "settings" removed and never added back. --- config/squid3/34/squid.inc | 27 +-------------------------- 1 file changed, 1 insertion(+), 26 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index ed218409..acc029c3 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
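Review bot: The disable branch of `squid_restart_antivirus()` stops ClamAV with `ps awux | grep '[c]lamd' | awk | xargs kill`, which signals every process whose command line contains `clamd`, not only the daemon. Calling `/usr/local/etc/rc.d/clamav-clamd stop` before the `enable:=YES` flag is patched back to `NO`, or `/usr/bin/killall clamd`, targets the daemon by name. In the enable branch, `mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd")` can be `unlink_if_exists("/var/db/clamav/safebrowsing.cvd");`, which the function already uses for the rc files and which avoids a shell. A short header comment saying that the function returns early while booting and otherwise starts or stops clamd, the freshclam cron job and c-icap would document the new entry point.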
@@ -1590,23 +1590,7 @@ adaptation_access service_avi_resp allow all EOF; - // check if clamav is enabled in rc.conf.local - // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way - if (file_exists("/etc/rc.conf.local")) { - $rc_old_file = file("/etc/rc.conf.local"); - foreach ($rc_old_file as $rc_line) { - if (preg_match("/^clamav_clamd_enable/", $rc_line, $matches)) { - $rc_file .= $matches[1] . '="YES"' . "\n"; - ${$matches[1]} = "ok"; - } else { - $rc_file .= $rc_line; - } - } - } - if (!isset($clamav_clamd_enable)) { - $rc_file .= 'clamav_clamd_enable="YES"' . "\n"; - } - file_put_contents("/etc/rc.conf.local", $rc_file, LOCK_EX); + // check clamav user squid_check_clamav_user('clamav'); // patch sample files to pfsense dirs // squidclamav.conf @@ -2341,15 +2325,6 @@ function squid_restart_antivirus() { } } - // check if clamav is enabled in rc.conf.local - // XXX: This whole thing sucks and should be redone to install/enable services in pfSense way - if (file_exists("/etc/rc.conf.local")) { - log_error("Removing antivirus services from /etc/rc.conf.local..."); - $sample_file = file_get_contents("/etc/rc.conf.local"); - $rcconf_local_m[0] = "@clamav_clamd_enable(.*)\n@"; - $rcconf_local_r[0] = ""; - file_put_contents("/etc/rc.conf.local", preg_replace($rcconf_local_m, $rcconf_local_r, $sample_file), LOCK_EX); - } // check c-icap rcfile if (is_process_running("c-icap")) { log_error("Stopping and disabling C-ICAP..."); -- cgit v1.2.3 From bc5d828943f491f0a37d449d50feb6e90c4bcece Mon Sep 17 00:00:00 2001 From: doktornotor Date: Thu, 1 Oct 2015 23:44:18 +0200 Subject: Do not use the c-icap rcfile to stop c-icap when AV is being disabled - the rcfile may not exist --- config/squid3/34/squid.inc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index acc029c3..c189d716 100755 --- a/config/squid3/34/squid.inc 
+++ b/config/squid3/34/squid.inc @@ -2328,7 +2328,7 @@ function squid_restart_antivirus() { // check c-icap rcfile if (is_process_running("c-icap")) { log_error("Stopping and disabling C-ICAP..."); - mwexec_bg("/usr/local/etc/rc.d/c-icap.sh stop"); + mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); } unlink_if_exists("/usr/local/etc/rc.d/c-icap"); unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); -- cgit v1.2.3 From 4faa71b099615038128a7f7a3611498c74021bfd Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 05:49:51 +0200 Subject: write_rcfile() does not handle custom restart command --- config/squid3/34/squid.inc | 7 ------- 1 file changed, 7 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index c189d716..5a71c627 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -2749,14 +2749,7 @@ fi /usr/bin/killall pinger 2>/dev/null EOD; - $rc['restart'] = <<< EOD -if [ -z "`ps auxw | /usr/bin/grep "[s]quid " | /usr/bin/awk '{print $2}'`" ]; then - {$squid_base}/sbin/squid -f {$squid_conffile_var} - else - {$squid_base}/sbin/squid -k reconfigure -f {$squid_conffile_var} - fi -EOD; conf_mount_rw(); write_rcfile($rc); // force delete the PBI initscript that keeps creeping back -- cgit v1.2.3 From 3b4a7b470986618cb653c2cfc75bd1d6117ae82d Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 06:50:43 +0200 Subject: Stop symlinking the damned PBI rcfiles over and over again --- config/squid3/34/squid.inc | 7 ------- 1 file changed, 7 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 5a71c627..56c8c853 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc 
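Review bot: The new `mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl')` in the disable branch of squid_restart_antivirus() runs in the foreground and discards its return value, so a failed or stuck write goes unnoticed before the rcfiles are unlinked. c-icap's control file is normally a named pipe, so the redirect would presumably block if nothing has it open for reading, and if the path is missing the shell creates a regular file there instead. The enable branch sends "reconfigure" to the same path through `mwexec_bg`. At minimum check the result, e.g. `if (mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl') != 0) { log_error("Could not signal C-ICAP to stop."); }`. The function body continues outside the hunk.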
@@ -1718,13 +1718,6 @@ EOF; squid_chown_recursive($dir_path, $dir_user, "wheel"); } - $rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d"); - foreach ($rcd_files as $rcd_file) { - if (SQUID_LOCALBASE != '/usr/local' && !file_exists("/usr/local/etc/rc.d/{$rcd_file}")) { - symlink(SQUID_LOCALBASE . "/etc/rc.d/{$rcd_file}", "/usr/local/etc/rc.d/{$rcd_file}"); - } - } - // write advanced clamav/icap config files file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/squidclamav.conf", base64_decode($antivirus_config['squidclamav']), LOCK_EX); file_put_contents(SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf", base64_decode($antivirus_config['c-icap_conf']), LOCK_EX); -- cgit v1.2.3 From bdcee17abb82e4e348eb0c22466f3b0968d8b76e Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 06:53:34 +0200 Subject: Not needed any more and the symlinking misfeature was fixed --- config/squid3/34/squid.inc | 4 ---- 1 file changed, 4 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 56c8c853..36ac5a01 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -2745,8 +2745,6 @@ EOD; conf_mount_rw(); write_rcfile($rc); - // force delete the PBI initscript that keeps creeping back - unlink_if_exists("/usr/local/etc/rc.d/squid"); conf_mount_ro(); } @@ -2764,8 +2762,6 @@ function squid_write_cicap_rcfile() { "stop" => "{$cicap_stop_cmd}" ) ); - // force delete the PBI initscript that keeps creeping back - unlink_if_exists("/usr/local/etc/rc.d/c-icap"); conf_mount_ro(); } -- cgit v1.2.3 From 12aa78af47e7baac7219444a41b22fa0822ac310 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 07:32:34 +0200 Subject: Get rid of remaining PBI rcfiles and handle clamav with write_rcfile --- config/squid3/34/squid.inc | 91 +++++++++++++++++++++++++++------------------- 1 file changed, 54 insertions(+), 37 deletions(-) (limited to 'config') 
diff --git a/config/squid3/34/squid.inc b/config/squid3/34/squid.inc index 36ac5a01..654aeb3c 100755 --- a/config/squid3/34/squid.inc +++ b/config/squid3/34/squid.inc @@ -228,7 +228,8 @@ function squid_is_valid_acl($acl) { function squid_install_command() { global $config, $g; - update_status("Checking if there is configuration to migrate... One moment please..."); + update_output_window("This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process."); + update_output_window("Checking if there is configuration to migrate... One moment please..."); /* migrate existing csv config fields */ if (is_array($config['installedpackages']['squidauth']['config'])) { $settingsauth = $config['installedpackages']['squidauth']['config'][0]; @@ -360,7 +361,7 @@ function squid_install_command() { } } - update_status("Writing configuration... One moment please..."); + update_output_window("Writing configuration... One moment please..."); write_config(); /* make sure pinger is executable and suid root */ @@ -394,6 +395,9 @@ function squid_install_command() { } } + // create clamd rcfile + squid_write_clamd_rcfile(); + foreach (array(SQUID_CONFBASE, SQUID_ACLDIR, SQUID_SSL_DB) as $dir) { safe_mkdir($dir, 0755); squid_chown_recursive($dir, SQUID_UID, SQUID_GID); @@ -403,6 +407,12 @@ function squid_install_command() { copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf'); } + // remove unwanted PBI rcfiles + unlink_if_exists("/usr/local/etc/rc.d/squid"); + unlink_if_exists("/usr/local/etc/rc.d/c-icap"); + unlink_if_exists("/usr/local/etc/rc.d/clamav-clamd"); + unlink_if_exists("/usr/local/etc/rc.d/clamav-freshclam"); + } function squid_deinstall_command() { 
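Review bot: `squid_write_clamd_rcfile()` is called unconditionally in the `@@ -394,6 +395,9 @@` hunk of squid_install_command(), so clamd.sh is written even when the antivirus feature is switched off. The disable branch of squid_restart_antivirus() in this same commit removes that file with `unlink_if_exists("/usr/local/etc/rc.d/clamd.sh")`, but whether that function runs after install is not visible here. If it does not, a start script for a disabled scanning daemon stays in rc.d. Either guard the call on the antivirus setting or document the intent, e.g. `// rcfile is written even with AV disabled; squid_restart_antivirus() removes it again`. squid_install_command() starts and ends outside the hunk.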
@@ -425,10 +435,9 @@ function squid_deinstall_command() { mwexec("/bin/ps awux | /usr/bin/grep '[u]nlinkd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); /* delete rc scripts */ unlink_if_exists('/usr/local/etc/rc.d/sqp_monitor.sh'); - unlink_if_exists('/usr/local/etc/rc.d/c-icap'); + unlink_if_exists('/usr/local/etc/rc.d/squid.sh'); unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); - unlink_if_exists('/usr/local/etc/rc.d/clamav-clamd'); - unlink_if_exists('/usr/local/etc/rc.d/clamav-freshclam'); + unlink_if_exists('/usr/local/etc/rc.d/clamd.sh'); /* clean up created directories if 'Keep Settings/Data' is disabled */ if (is_array($config['installedpackages']['squidcache'])) { @@ -2259,29 +2268,18 @@ function squid_restart_antivirus() { mwexec("/bin/rm -f /var/db/clamav/safebrowsing.cvd"); } - // check clamav/freshclam rcfiles - $rc_files = array("clamav-freshclam", "clamav-clamd"); - $clamm[0] = "@/usr/local/(bin|sbin)@"; - $clamm[1] = "@/local/(bin|sbin)@"; - $clamm[2] = "@/usr/local/etc@"; - $clamm[3] = "@enable:=NO@"; - $clamr[0] = SQUID_BASE . "/bin"; - $clamr[1] = "/bin"; - $clamr[2] = SQUID_LOCALBASE . "/etc"; - $clamr[3] = "enable:=YES"; - foreach ($rc_files as $rc_file) { - $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; - if (file_exists($clamav_rcfile)) { - $sample_file = file_get_contents($clamav_rcfile); - file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); - } + // start/reload clamav + $clamd_rcfile = "/usr/local/etc/rc.d/clamd.sh"; + if (!file_exists($clamd_rcfile)) { + squid_write_clamd_rcfile(); } if (is_process_running("clamd")) { log_error("Reloading ClamAV..."); - mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload"); + $reload_cmd = SQUID_BASE . "/bin/clamdscan --reload"; + mwexec_bg("{$reload_cmd}"); } else { log_error("Starting ClamAV..."); - mwexec_bg("/usr/local/etc/rc.d/clamav-clamd start"); + mwexec_bg("{$clamd_rcfile} start"); } // check c-icap rcfile 
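Review bot: In the `@@ -2259,29 +2268,18 @@` hunk the reload runs `clamdscan --reload` without `--config-file`, whereas the start script written by squid_write_clamd_rcfile() in this commit launches clamd with an explicit `--config-file=...clamd.conf`. If clamdscan's built-in default configuration path differs from that file, it presumably cannot locate the clamd socket. Because the command goes through `mwexec_bg`, the failure would be silent and clamd would keep scanning with its old signature database while the log says "Reloading ClamAV...". Passing the same file removes that dependency, e.g. `$reload_cmd = SQUID_BASE . "/bin/clamdscan --reload --config-file=" . escapeshellarg($clamd_conf);`, where `$clamd_conf` holds the path the rcfile uses. squid_restart_antivirus() extends beyond the hunk.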
@@ -2299,31 +2297,19 @@ function squid_restart_antivirus() { log_error("Squid antivirus features disabled."); if (is_process_running("clamd")) { log_error("Stopping and disabling ClamAV..."); - mwexec("/bin/ps awux | /usr/bin/grep '[c]lamd' | /usr/bin/awk '{ print $2 }' | /usr/bin/xargs kill"); + mwexec("/usr/bin/killall clamd"); } + unlink_if_exists("/usr/local/etc/rc.d/clamd.sh"); // freshclam cronjob log_error("Removing freshclam cronjob..."); squid_install_freshclam_cron(false); - // check clamav/freshclam rcfiles - $rc_files = array("clamav-freshclam", "clamav-clamd"); - $clamm[0] = "@enable:=YES@"; - $clamr[0] = "enable:=NO"; - foreach ($rc_files as $rc_file) { - $clamav_rcfile = "/usr/local/etc/rc.d/{$rc_file}"; - if (file_exists($clamav_rcfile)) { - $sample_file = file_get_contents($clamav_rcfile); - file_put_contents($clamav_rcfile, preg_replace($clamm, $clamr, $sample_file), LOCK_EX); - } - } - // check c-icap rcfile if (is_process_running("c-icap")) { log_error("Stopping and disabling C-ICAP..."); mwexec('/bin/echo -n "stop" > /var/run/c-icap/c-icap.ctl'); } - unlink_if_exists("/usr/local/etc/rc.d/c-icap"); unlink_if_exists("/usr/local/etc/rc.d/c-icap.sh"); } } 
@@ -2765,6 +2751,37 @@ function squid_write_cicap_rcfile() { conf_mount_ro(); } +function squid_write_clamd_rcfile() { + $squid_base = SQUID_BASE; + $rc = array(); + $rc['file'] = 'clamd.sh'; + $rc['start'] = <<< EOD + +if [ ! -f /var/db/clamav/main.cvd -a ! -f /var/db/clamav/main.cld ];then + echo "Missing /var/db/clamav/*.cvd or *.cld files. You must run freshclam first" + exit 1 +fi + +{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf" + +EOD; + + $rc['stop'] = <<< EOD + +/usr/bin/killall clamd 2>/dev/null +# Just to be sure... +sleep 5 +if [ -n "`/bin/ps auxw | /usr/bin/grep "[c]lamd" | /usr/bin/awk '{print $2}'`" ]; then + /usr/bin/killall -9 clamd 2>/dev/null +fi + +EOD; + + conf_mount_rw(); + write_rcfile($rc); + conf_mount_ro(); +} + /* Uses XMLRPC to synchronize the changes to a remote node */ function squid_sync_on_changes() { global $config, $g; -- cgit v1.2.3 From e92bccc810adee8a9e107a4d06bab7e2234bfac6 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 07:36:34 +0200 Subject: Get rid of remaining PBI rcfiles and handle clamav with write_rcfile --- config/squid3/34/squid.xml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 0f99b8cb..643a5eba 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -65,7 +65,7 @@ clamd - clamav-clamd + clamd.sh clamd ClamAV Antivirus @@ -748,10 +748,11 @@ -- cgit v1.2.3 From 80c6a788f5c553cef7dc236ea750f635d02c8463 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 07:39:43 +0200 Subject: Comment out the new logic for now, needs more work --- config/squid3/34/squid_antivirus.xml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/squid3/34/squid_antivirus.xml b/config/squid3/34/squid_antivirus.xml index 647ffe35..94c788a0 100755 --- a/config/squid3/34/squid_antivirus.xml 
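Review bot: The start command in squid_write_clamd_rcfile() derives both paths from SQUID_BASE, `{$squid_base}/bin/clamd --config-file="{$squid_base}/local/etc/clamd.conf"`, while other code in this file takes configuration paths from SQUID_LOCALBASE (`SQUID_LOCALBASE . "/etc/c-icap/c-icap.conf"`). The two only agree when SQUID_LOCALBASE equals SQUID_BASE . "/local", which is not visible here; on any other layout clamd is pointed at a missing or different clamd.conf. The script does not check clamd's exit status, so a failed start would go unreported and the scanner would simply be absent. Suggest `$clamd_conf = SQUID_LOCALBASE . "/etc/clamd.conf";` before the heredoc and `--config-file="{$clamd_conf}"` inside it.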
+++ b/config/squid3/34/squid_antivirus.xml @@ -42,7 +42,7 @@ ]]> squidantivirus - 0.3.7 + 0.3.8 Proxy server: Antivirus /usr/local/pkg/squid.inc @@ -99,6 +99,7 @@ Enable Squid antivirus check using ClamAV. checkbox + Client Forward Options client_info @@ -256,6 +258,7 @@ 15 + squid_validate_antivirus($_POST, $input_errors); -- cgit v1.2.3 From 4e762c641ad41602f3d8f868b1709e5f1c24e5bb Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 08:56:45 +0200 Subject: Remove unused squid_reverse.xml file --- config/squid3/34/squid.xml | 4 ---- 1 file changed, 4 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 643a5eba..51df8b95 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -153,10 +153,6 @@ /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_nac.xml - - /usr/local/pkg/ - https://packages.pfsense.org/packages/config/squid3/34/squid_reverse.xml - /usr/local/pkg/ https://packages.pfsense.org/packages/config/squid3/34/squid_reverse_general.xml -- cgit v1.2.3 From b7cfbd71b5b316b5a017d32bef8bf1fb4206d8d4 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 08:58:01 +0200 Subject: Remove unused squid_reverse.xml Some leftover from old versions; this is now moved to squid_reverse_general.xml --- config/squid3/34/squid_reverse.xml | 451 ------------------------------------- 1 file changed, 451 deletions(-) delete mode 100755 config/squid3/34/squid_reverse.xml (limited to 'config') diff --git a/config/squid3/34/squid_reverse.xml b/config/squid3/34/squid_reverse.xml deleted file mode 100755 index 3617debc..00000000 --- a/config/squid3/34/squid_reverse.xml +++ /dev/null 
@@ -1,451 +0,0 @@ - - - - - - - - squidreverse - 0.3.5 - Proxy Server: Reverse Proxy - /usr/local/pkg/squid.inc - - - General - /pkg_edit.php?xml=squid.xml&id=0 - - - Upstream - /pkg_edit.php?xml=squid_upstream.xml&id=0 - - - Cache - /pkg_edit.php?xml=squid_cache.xml&id=0 - - - ACLs - /pkg_edit.php?xml=squid_nac.xml&id=0 - - - Traffic Mgmt - /pkg_edit.php?xml=squid_traffic.xml&id=0 - - - Reverse - /pkg_edit.php?xml=squid_reverse.xml&id=0 - - - - Authentication - /pkg_edit.php?xml=squid_auth.xml&id=0 - - - Users - /pkg.php?xml=squid_users.xml - - - Real Time - /squid_monitor.php - - - Sync - /pkg_edit.php?xml=squid_sync.xml - - - - - Squid Reverse Proxy General Settings - listtopic - - - Reverse Proxy Interface - reverse_interface - - - Use CTRL + click to select multiple interfaces. - ]]> - - interfaces_selection - - wan - - - - User Defined Reverse Proxy IPs - reverse_ip - - - Note: Separate entries by semi-colons (;) - ]]> - - input - 70 - - - External FQDN - reverse_external_fqdn - The external fully qualified domain name of the WAN IP address. - input - - 70 - - - Reset TCP Connections on Unauthorized Requests - deny_info_tcp_reset - If checked, the reverse proxy will reset the TCP connection if the request is unauthorized. - checkbox - on - - - Squid Reverse HTTP Settings - listtopic - - - Enable HTTP Reverse Mode - reverse_http - - - Note: You must add a proper firewall rule with destination 'WAN Address'. - ]]> - - checkbox - reverse_http_port,reverse_http_defsite - - off - - - Reverse HTTP Port - reverse_http_port - - - Default: 80 - ]]> - - input - 5 - 80 - - - Reverse HTTP Default Site - reverse_http_defsite - - - Note: Leave empty to use 'External FQDN' value specified above. - ]]> - - input - 60 - - - Squid Reverse HTTPS Settings - listtopic - - - Enable HTTPS Reverse Proxy - reverse_https - - - Note: You must add a proper firewall rule with destination 'WAN Address'. 
- ]]> - - checkbox - reverse_https_port,reverse_https_defsite,reverse_ssl_cert,reverse_int_ca,reverse_ignore_ssl_valid,reverse_owa,reverse_owa_ip,reverse_owa_webservice,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_autodiscover,reverse_ssl_chain - - off - - - Reverse HTTPS Port - reverse_https_port - - - Default: 443 - ]]> - - input - 5 - 443 - - - Reverse HTTPS Default Site - reverse_https_defsite - - - Note: Leave empty to use 'External FQDN' value specified above. - ]]> - - input - 60 - - - Reverse SSL Certificate - reverse_ssl_cert - Choose the SSL Server Certificate here. - select_source - $config['cert'] - descr - refid - - - Intermediate CA Certificate (If Needed) - reverse_int_ca - - PEM format here. - ]]> - - textarea - 75 - 5 - base64 - - - Ignore Internal Certificate Validation - reverse_ignore_ssl_valid - If checked, internal certificate validation will be ignored. - checkbox - on - - - OWA Reverse Proxy General Settings - listtopic - - - Enable OWA Reverse Proxy - reverse_owa - If checked, Squid will act as an accelerator/SSL offloader for Outlook Web App. - checkbox - reverse_owa_ip,reverse_owa_activesync,reverse_owa_rpchttp,reverse_owa_mapihttp,reverse_owa_webservice,reverse_owa_autodiscover - - - CAS-Array / OWA Frontend IP Address - reverse_owa_ip - - - Note: Separate entries by semi-colons (;) - ]]> - - input - 70 - - - Enable ActiveSync - reverse_owa_activesync - If checked, ActiveSync will be enabled. - checkbox - - - Enable Outlook Anywhere - reverse_owa_rpchttp - If checked, RPC over HTTP will be enabled. - checkbox - - - Enable MAPI HTTP - reverse_owa_mapihttp - - - This feature is only available with at least Microsoft Exchange 2013 SP1 - ]]> - - checkbox - - - Enable Exchange WebServices - reverse_owa_webservice - - - There are potential DoS side effects to its use. Please avoid unless really required. 
- ]]> - - checkbox - - - Enable AutoDiscover - reverse_owa_autodiscover - - - You also should set up the autodiscover DNS record to point to you WAN IP. - ]]> - - checkbox - - - Squid Reverse Mappings - listtopic - - - - - Publishing Hosts - ]]> - - reverse_cache_peer - -
- Syntax: [peer alias];[internal ip address];[port];[HTTP/HTTPS]
- Example: HOST1;192.168.0.1;80;HTTP
- WARNING: Wrong syntax usage will result in Squid not starting! - ]]> -
- textarea - 60 - 10 - base64 -
- - - - Published URIs - ]]> - - reverse_uri - -
- Syntax: [group the uri belongs to];[URI to publish](;[vhost fqdn])
- Example: URI1;public;server.example.com

- Notes:
- - A group can contain multiple URIs
- - If [vhost fqdn] is ommited, 'External FQDN' is used
- - You also can specify http:// or https://

- WARNING: Wrong syntax usage will result in Squid not starting! - ]]> -
- textarea - 60 - 10 - base64 -
- - - - Published URIs - ]]> - - reverse_acl - - - Syntax: [peer alias];[uri group alias]
- Example: HOST1;URI1
- WARNING: Wrong syntax usage will result in Squid not starting! - ]]> -
- textarea - 60 - 10 - base64 -
- -
- - squid_validate_reverse($_POST, $input_errors); - - - squid_resync(); - -
-- cgit v1.2.3 From a3977a6e39e96edf493d96ba93e38b893e659e4c Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 09:13:00 +0200 Subject: Tell reverse proxy users to enable Squid if needed --- config/squid3/34/squid_reverse_general.xml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'config') diff --git a/config/squid3/34/squid_reverse_general.xml b/config/squid3/34/squid_reverse_general.xml index 19c504f1..90babcd0 100755 --- a/config/squid3/34/squid_reverse_general.xml +++ b/config/squid3/34/squid_reverse_general.xml @@ -42,7 +42,7 @@ ]]> squidreversegeneral - 0.3.5 + 0.3.8 Reverse Proxy Server: General /usr/local/pkg/squid.inc @@ -303,7 +303,12 @@ + squid_resync(); -- cgit v1.2.3 From 0e7826d4a5e0ca9d492c036d16510d777a3b99c9 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Fri, 2 Oct 2015 21:31:55 +0200 Subject: Do not disable log_dir field when access logging is disabled. --- config/squid3/34/squid.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'config') diff --git a/config/squid3/34/squid.xml b/config/squid3/34/squid.xml index 51df8b95..0f86bf84 100644 --- a/config/squid3/34/squid.xml +++ b/config/squid3/34/squid.xml @@ -515,23 +515,23 @@ listtopic - Enable Logging + Enable Access Logging log_enabled access log. Warning: Do not switch this on if you don't have much disk space left. ]]> checkbox - log_dir,log_rotate + log_rotate Log Store Directory log_dir + The directory where the logs will be stored. This is also used for logs other than the Access Log above.
Default: /var/squid/logs
Note: Do NOT include the trailing / when setting a custom location. ]]> -- cgit v1.2.3