From 24de87f8d94b43fc05aaaffe48f5f927e81ed9f8 Mon Sep 17 00:00:00 2001 From: Fernando Lemos Date: Fri, 2 Jun 2006 12:45:40 +0000 Subject: The Squid package... Countless changes. You might need some stuff from HEAD to make this work properly (you need make_dirs from HEAD to at least install it). This might not work out of the box. In fact, it should not work out of the box in RELENG_1. Please be patient. --- packages/squid.inc | 770 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 770 insertions(+) create mode 100644 packages/squid.inc (limited to 'packages/squid.inc') diff --git a/packages/squid.inc b/packages/squid.inc new file mode 100644 index 00000000..af0d7bda --- /dev/null +++ b/packages/squid.inc @@ -0,0 +1,770 @@ +/dev/null +sleep 1 +killall squid 2>/dev/null + +EOD; + $rc['restart'] = << $names[$i], 'value' => $values[$i]); +} + +function squid_validate_general($post, $input_errors) { + $icp_port = trim($post['icp_port']); + if (!empty($icp_port) && !is_port($icp_port)) + $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; +} + +function squid_validate_upstream($post, $input_errors) { + if ($post['proxy_forwarding'] == 'on') { + $addr = trim($post['proxy_addr']); + if (empty($addr)) + $input_errors[] = 'The field \'Hostname\' is required'; + else { + if (!is_ipaddr($addr) && !is_domain($addr)) + $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; + } + + foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { + $port = trim($post[$field]); + if (empty($port)) + $input_errors[] = "The field '$name' is required"; + else { + if (!is_port($port)) + $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; + } + } + } +} + +function squid_validate_cache($post, $input_errors) { + $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', + 'memory_cache_size' => 'Memory cache size', + 'maximum_object_size' => 'Maximum object size', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 1)) + $input_errors[] = "You must enter a valid value for '$field'"; + } + + $value = trim($post['minimum_object_size']); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; + + foreach (explode(',', $post['donotcache']) as $host) { + $host = trim($host); + if (!is_ipaddr($host) && !is_domain($host)) + $input_errors[] = "$host is not a valid IP or host name"; + } +} + +function squid_validate_nac($post, $input_errors) { + $allowed_subnets = explode(',', trim($post['allowed_subnets'])); + foreach ($allowed_subnets as $subnet) { + $subnet = trim($subnet); + if (!is_subnet($subnet)) + $input_errors[] = "'$subnet' is not a valid CIDR range"; + } + + foreach (array( 'unrestricted_hosts', + 'banned_hosts', + 'whitelist', + 'blacklist', + ) as $hosts) { + foreach (explode(',', $post[$hosts]) as $host) { + $host = trim($host); + if (!empty($host) && !is_ipaddr($host)) + $input_errors[] = "'$host' is not a valid IP address"; + } + } + + foreach (array('unrestricted_macs', 'banned_macs') as $macs) { + foreach (explode(',', $post[$macs]) as $mac) { + $mac = trim($mac); + if (!empty($mac) && !is_macaddr($mac)) + $input_errors[] = "'$mac' is not a valid MAC address"; + } + } + + foreach (explode(',', $post['timelist']) as $time) { + $time = trim($time); + if (!empty($time) && !squid_is_timerange($time)) + $input_errors[] = "'$time' is not a valid time range"; + } +} + +function squid_validate_traffic($post, $input_errors) { + $num_fields = array( 'max_download_size' => 'Maximum download size', + 'max_upload_size' => 'Maximum upload size', + 'perhost_throttling' => 'Per-host bandwidth throttling', + 'overall_throttling' => 'Overall bandwidth throttling', + ); + foreach ($num_fields as $field => $name) { + $value = trim($post[$field]); + if (!is_numeric($value) || ($value < 0)) + $input_errors[] = "The field '$name' must contain a positive number"; + } +} + +function squid_validate_auth($post, $input_errors) { + $num_fields = array( array('auth_processes', 'Authentication processes', 1), + array('auth_ttl', 'Authentication TTL', 0), + ); + foreach ($num_fields as $field) { + $value = trim($post[$field[0]]); + if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) + $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; + } + + $auth_method = $post['auth_method']; + if (($auth_method != 'none') && ($auth_method != 'local')) { + $server = trim($post['auth_server']); + if (empty($server)) + $input_errors[] = 'The field \'Authentication server\' is required'; + else if (!is_ipaddr($server) && !is_domain($server)) + $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; + + $port = trim($post['auth_server_port']); + if (!empty($port) && !is_port($port)) + $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; + + switch ($auth_method) { + case 'ldap': + $user = trim($post['ldap_user']); + if (empty($user)) + $input_errors[] = 'The field \'LDAP server user DN\' is required'; + else if (!is_domain($user)) + $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; + break; + case 'radius': + $secret = trim($post['radius_secret']); + if (empty($secret)) + $input_errors[] = 'The field \'RADIUS secret\' is required'; + break; + case 'msnt': + foreach (explode(trim($post['msnt_secondary'])) as $server) { + if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) + $input_errors[] = "'$server' isn't a valid IP address or domain name"; + } + break; + } + + $no_auth = explode(',', trim($post['no_auth_hosts'])); + foreach ($no_auth as $host) { + $host = trim($host); + if (!empty($host) && !is_subnet($host)) + $input_errors[] = "'$host' isn't a valid CIDR range"; + } + } +} + +function squid_resync_general() { + global $g, $config, $valid_acls; + + $settings = $config['installedpackages']['squid']['config'][0]; + $conf = ''; + + if ($settings['transparent_proxy'] == 'on') { + $conf .= << $iface) { + $real_ifaces[] = squid_get_real_interface_address($iface); + $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; + } + + $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); + + $pidfile = "{$g['varrun_path']}/squid.pid"; + $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); + $errordir = SQUID_CONFBASE . '/errors/' . $language; + $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); + $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); + + $logdir_cache = SQUID_LOGDIR . '/cache.log'; + $logdir_access = ($settings['log_enabled'] == 'on' ? SQUID_LOGDIR . '/access.log' : '/dev/null'); + + $conf .= << 'src', + 'unrestricted_macs' => 'arp', + 'banned_hosts' => 'src', + 'banned_macs' => 'arp', + 'whitelist' => 'url_regex -i', + 'blacklist' => 'url_regex -i', + ); + foreach ($options as $option => $directive) { + $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option])))); + if (!empty($contents)) { + file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); + $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; + $valid_acls[] = $option; + } + } + + $conf .= << $binaries, + 'throttle_cdimages' => $cdimages, + 'throttle_multimedia' => $multimedia) as $field => $set) { + if ($settings[$field] == 'on') + $exts = array_merge($exts, explode(',', $set)); + } + + foreach (explode(',', $settings['throttle_others']) as $ext) { + if (!empty($ext)) $exts[] = $ext; + } + + $contents = ''; + foreach ($exts as $ext) + $contents .= "\.$ext\$\n"; + file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); + + $conf .= 'acl throttle_exts url_regex -i "' . SQUID_ACLDIR . '/throttle_exts.acl"'; + $conf .= "delay_access 1 allow throttle_exts\n"; + $conf .= "delay_access 1 deny all\n"; + } + else + $conf .= "delay_access 1 allow all\n"; + + return $conf; +} + +function squid_resync_auth() { + global $config, $valid_acls; + + $settings = $config['installedpackages']['squidauth']['config'][0]; + $conf = ''; + + // Deny the banned guys before allowing the good guys + $banned = array( 'banned_hosts', + 'banned_macs', + ); + $banned = array_filter($banned, 'squid_is_valid_acl'); + foreach ($banned as $acl) + $conf .= "http_access deny $acl\n"; + + // Whitelist and blacklist also take precendence + if (squid_is_valid_acl('whitelist')) + $conf .= "http_access allow whitelist\n"; + if (squid_is_valid_acl('blacklist')) + $conf .= "http_access deny blacklist\n"; + + $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); + + // Allow the remaining ACLs if no authentication is set + if ($auth_method == 'none') { + $allowed = array('localnet', 'allowed_subnets', 'unrestricted_hosts', 'unrestricted_macs'); + $allowed = array_filter($allowed, 'squid_is_valid_acl'); + foreach ($allowed as $acl) + $conf .= "http_access allow $acl\n"; + } + + else { + $noauth = implode(' ', array_map('trim', explode(',', $settings['no_auth_hosts']))); + if (!empty($noauth)) { + $conf .= "acl noauth src $noauth\n"; + $valid_acls[] = 'noauth'; + } + + // Set up the external authentication programs + $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); + $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); + $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); + switch ($auth_method) { + case 'local': + $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; + break; + case 'ldap': + $port = (isset($settings['auth_port']) ? ":{$settings['auth_port']}" : ''); + $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"(&(objectClass=person)(cn=%s))\" -u cn -P {$settings['auth_server']}$port\n"; + break; + case 'radius': + $port = (isset($settings['auth_port']) ? "-p {$settings['auth_server_port']}" : ''); + $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; + break; + case 'msnt': + $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; + break; + } + $conf .= << + + + +EOD; + } + else { + $javascript = << + + + +EOD; + } + + print($javascript); +} + +function squid_print_javascript_auth2() { + print("\n"); +} + +function squid_generate_rules($type) { + global $config; + + $squid_conf = $config['installedpackages']['squid']['config'][0]; + if (!is_service_running('squid') || ($squid_conf['transparent_proxy'] != 'on')) return; + + $port = $squid_conf['proxy_port']; + $ifaces = explode(',', $squid_conf['active_interface']); + $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); + + if ($type == 'nat') { + foreach ($ifaces as $iface) + $rules .= "rdr on $iface inet proto tcp to !($iface) port 80 -> ($iface) port $port\n"; + } + + else { + foreach ($ifaces as $iface) + $rules .= "pass quick on $iface inet proto tcp to !($iface) port 80 flags S/SA keep state\n"; + } + + return $rules; +} +?> -- cgit v1.2.3