From 5fbe459e2ba938aa7a0235bf118adf1bad8592e7 Mon Sep 17 00:00:00 2001 From: Seth Mos Date: Wed, 17 Jan 2007 09:49:51 +0000 Subject: Bump version to p12 ********* NOTE: the format for the white,black,nac,donotcache,banned and unrestricted fields has changed! ********* * fields now use newlines instead of csv so it is easier to import white and blacklists. * fix acl creation and ordering. --- packages/squid/squid.inc | 75 +++++++++++++++++++++++++----------------- packages/squid/squid.xml | 3 +- packages/squid/squid_auth.xml | 3 +- packages/squid/squid_cache.xml | 3 +- packages/squid/squid_nac.xml | 15 ++++++--- 5 files changed, 60 insertions(+), 39 deletions(-) (limited to 'packages/squid') diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc index 5b9b9156..1fb343ab 100644 --- a/packages/squid/squid.inc +++ b/packages/squid/squid.inc @@ -47,7 +47,7 @@ function squid_get_real_interface_address($iface) { $iface = convert_friendly_interface_to_real_interface_name($iface); $line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6")); - list($dummy, $ip, $dummy2, $netmask) = explode(' ', $line); + list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line); return array($ip, long2ip(hexdec($netmask))); } @@ -182,7 +182,7 @@ function squid_before_form_general($pkg) { array_shift($values); $name = array(); foreach ($values as $value) - $names[] = implode(' ', explode('_', $value)); + $names[] = implode(" ", explode("_", $value)); $i = 0; foreach ($pkg['fields']['field'] as $field) { @@ -258,7 +258,7 @@ function squid_validate_cache($post, $input_errors) { $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; if ($post['donotcache'] != "") { - foreach (explode(',', $post['donotcache']) as $host) { + foreach (split("\n", $post['donotcache']) as $host) { $host = trim($host); if (!is_ipaddr($host) && !is_domain($host)) $input_errors[] = "The host '$host' is not a valid IP or host name"; 
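Review bot: In squid_validate_cache the new `foreach (split("\n", $post['donotcache']) as $host) {` is the only place in this commit that uses `split()`, the POSIX-regex function, while every other hunk switches to `explode("\n", ...)`; `foreach (explode("\n", $post['donotcache']) as $host) {` keeps the file consistent and avoids regex semantics for a plain newline separator. The loop body also lacks the `!empty($host)` guard that squid_validate_nac has, so a trailing newline or blank line in the textarea is trimmed to '' and then reported as `The host '' is not a valid IP or host name`; `if (!empty($host) && !is_ipaddr($host) && !is_domain($host))` matches the other validators. The rest of squid_validate_cache lies outside this hunk.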
@@ -270,7 +270,7 @@ function squid_validate_cache($post, $input_errors) { } function squid_validate_nac($post, $input_errors) { - $allowed_subnets = explode(',', trim($post['allowed_subnets'])); + $allowed_subnets = explode("\n", $post['allowed_subnets']); foreach ($allowed_subnets as $subnet) { $subnet = trim($subnet); if (!empty($subnet) && !is_subnet($subnet)) @@ -278,7 +278,7 @@ function squid_validate_nac($post, $input_errors) { } foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { - foreach (explode(',', $post[$hosts]) as $host) { + foreach (explode("\n", $post[$hosts]) as $host) { $host = trim($host); if (!empty($host) && !is_ipaddr($host)) $input_errors[] = "The host '$host' is not a valid IP address"; @@ -286,14 +286,14 @@ function squid_validate_nac($post, $input_errors) { } foreach (array('unrestricted_macs', 'banned_macs') as $macs) { - foreach (explode(',', $post[$macs]) as $mac) { + foreach (explode("\n", $post[$macs]) as $mac) { $mac = trim($mac); if (!empty($mac) && !is_macaddr($mac)) $input_errors[] = "The mac '$mac' is not a valid MAC address"; } } - foreach (explode(',', $post['timelist']) as $time) { + foreach (explode(",", $post['timelist']) as $time) { $time = trim($time); if (!empty($time) && !squid_is_timerange($time)) $input_errors[] = "The time range '$time' is not a valid time range"; 
@@ -349,14 +349,14 @@ function squid_validate_auth($post, $input_errors) { $input_errors[] = 'The field \'RADIUS secret\' is required'; break; case 'msnt': - foreach (explode(',', trim($post['msnt_secondary'])) as $server) { + foreach (explode(",", trim($post['msnt_secondary'])) as $server) { if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) $input_errors[] = "The host '$server' is not a valid IP address or domain name"; } break; } - $no_auth = explode(',', trim($post['no_auth_hosts'])); + $no_auth = explode("\n", $post['no_auth_hosts']); foreach ($no_auth as $host) { $host = trim($host); if (!empty($host) && !is_subnet($host)) @@ -375,14 +375,14 @@ function squid_resync_general() { $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); $real_ifaces = array(); - foreach (explode(',', $ifaces) as $i => $iface) { + foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if($real_ifaces[$i][0]) { if (($settings['transparent_proxy'] == 'on')) { $conf .= "http_port 127.0.0.1:80 transparent\n"; } } else { - foreach (explode(',', $ifaces) as $i => $iface) { + foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if($real_ifaces[$i][0]) { $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; @@ -461,7 +461,7 @@ offline_mode $offline_mode EOD; - $donotcache = trim(implode("\n", array_map('trim', explode(',', $settings['donotcache'])))); + $donotcache = base64_decode($settings['donotcache']); if (!empty($donotcache)) { file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; 
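Review bot: `$donotcache = base64_decode($settings['donotcache']);` writes the decoded textarea straight to donotcache.acl, dropping the per-entry trim the removed line performed, so a `\r` left by CRLF submissions and blank lines now reach the ACL file; `$donotcache = implode("\n", array_filter(array_map('trim', explode("\n", base64_decode($settings['donotcache'])))));` keeps the old normalisation. There is also no upgrade path: a config saved by p11 holds plain comma-separated text in this field, and non-strict base64_decode of that text likely yields meaningless bytes rather than an error, so the previous list is silently lost at the first resync; the same applies to the allowed_subnets and whitelist/blacklist hunks in the next section and to no_auth_hosts in squid_resync_auth. At minimum the commit message's NOTE should be mirrored in a comment next to this line so the behaviour on old configs is discoverable. squid_resync_general continues outside the hunk.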
@@ -520,7 +520,14 @@ acl dynamic urlpath_regex cgi-bin \? EOD; - $allowed = implode(' ', array_map('trim', explode(',', $settings['allowed_subnets']))); + $allowed_subnets = explode("\n", base64_decode($settings['allowed_subnets'])); + $allowed = ""; + foreach ($allowed_subnets as $subnet) { + if(!empty($subnet)) { + $subnet = trim($subnet); + $allowed .= "$subnet "; + } + } if (!empty($allowed)) { $conf .= "acl allowed_subnets src $allowed\n"; $valid_acls[] = 'allowed_subnets'; @@ -532,7 +539,7 @@ EOD; 'blacklist' => 'dstdom_regex -i', ); foreach ($options as $option => $directive) { - $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option])))); + $contents = base64_decode($settings[$option]); if (!empty($contents)) { file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; @@ -607,10 +614,10 @@ EOD; 'throttle_cdimages' => $cdimages, 'throttle_multimedia' => $multimedia) as $field => $set) { if ($settings[$field] == 'on') - $exts = array_merge($exts, explode(',', $set)); + $exts = array_merge($exts, explode(",", $set)); } - foreach (explode(',', $settings['throttle_others']) as $ext) { + foreach (explode(",", $settings['throttle_others']) as $ext) { if (!empty($ext)) $exts[] = $ext; } 
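Review bot: In the allowed_subnets loop `if(!empty($subnet))` is evaluated before `trim()`, so a CRLF blank line (`"\r"`) passes the test, is trimmed to '' and appends a bare space to `$allowed`; swapping the two lines to `$subnet = trim($subnet); if ($subnet !== '') {` removes that case and the trailing-space artefact. In the whitelist/blacklist hunk below, `$contents = base64_decode($settings[$option]);` is written to the .acl file untrimmed, and blacklist is consumed as `dstdom_regex -i`, so whether a trailing `\r` on each pattern is ignored or becomes part of the regex now depends on squid's file tokenizer rather than on this code; since a non-matching pattern fails open for the one ACL meant to block, I would trim each decoded line and drop empties before file_put_contents, as the removed line did. squid_resync_general continues outside both hunks.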
@@ -634,60 +641,66 @@ function squid_resync_auth() { global $config, $valid_acls; $settings = $config['installedpackages']['squidauth']['config'][0]; + $settingsnac = $config['installedpackages']['squidnac']['config'][0]; $settingsconfig = $config['installedpackages']['squid']['config'][0]; $conf = ''; // Deny the banned guys before allowing the good guys - $banned = array('banned_hosts'); - $banned = array_filter($banned, 'squid_is_valid_acl'); - foreach ($banned as $acl) { - if(! empty($settings[$banned])) { - $conf .= "http_access deny $acl\n"; + if(! empty($settingsnac['banned_hosts'])) { + if (squid_is_valid_acl('banned_hosts')) { + $conf .= "# These hosts are banned\n"; + $conf .= "http_access deny banned_hosts\n"; + } + } + if(! empty($settingsnac['banned_macs'])) { + if (squid_is_valid_acl('banned_macs')) { + $conf .= "# These macs are banned\n"; + $conf .= "http_access deny banned_macs\n"; } } // Unrestricted hosts take precendence over blacklist - if(! empty($settings['unrestricted_hosts'])) { + if(! empty($settingsnac['unrestricted_hosts'])) { if (squid_is_valid_acl('unrestricted_hosts')) { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } } - if(! empty($settings['unrestricted_macs'])) { + if(! empty($settingsnac['unrestricted_macs'])) { if (squid_is_valid_acl('unrestricted_macs')) { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_macs\n"; } } - // Whitelist and blacklist also take precendence - if(! empty($settings['whitelist'])) { + // Whitelist and blacklist also take precendence over other allow rules + if(! empty($settingsnac['whitelist'])) { if (squid_is_valid_acl('whitelist')) { $conf .= "# Always allow access to whitelist domains\n"; $conf .= "http_access allow whitelist\n"; } } - if(! empty($settings['blacklist'])) { + if(! 
empty($settingsnac['blacklist'])) { if (squid_is_valid_acl('blacklist')) { $conf .= "# Block access to blacklist domains\n"; $conf .= "http_access deny blacklist\n"; } } - $transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'); + $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); // Allow the remaining ACLs if no authentication is set if ($auth_method == 'none') { if ($settingsconfig['allow_interface'] == 'on') { + $conf .= "# Allow local network(s) on interface(s)\n"; $allowed = array('localnet', 'allowed_subnets'); $allowed = array_filter($allowed, 'squid_is_valid_acl'); foreach ($allowed as $acl) - $conf .= "# Allow local network(s) on interface(s)\n"; $conf .= "http_access allow $acl\n"; } } else { - $noauth = implode(' ', array_map('trim', explode(',', $settings['no_auth_hosts']))); + $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { $conf .= "acl noauth src $noauth\n"; $valid_acls[] = 'noauth'; @@ -724,7 +737,7 @@ EOD; // Onto the ACLs $password = array('localnet', 'allowed_subnets'); - $passwordless = array('unrestricted_hosts', 'unrestricted_macs'); + $passwordless = array('unrestricted_hosts'); if ($settings['unrestricted_auth'] == 'on') { // Even the unrestricted hosts should authenticate $password = array_merge($password, $passwordless); @@ -924,7 +937,7 @@ function squid_generate_rules($type) { return; } - $ifaces = explode(',', $squid_conf['active_interface']); + $ifaces = explode(",", $squid_conf['active_interface']); $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml index a1c46fee..5ebbfd10 100644 --- a/packages/squid/squid.xml +++ b/packages/squid/squid.xml 
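Review bot: The `@@ -724` hunk removes `unrestricted_macs` from `$passwordless`, so when `unrestricted_auth` is on the MAC-based list is no longer merged into `$password`; the commit message covers ACL ordering but not this change, and what `$password`/`$passwordless` feed into lies outside the hunk, so if it is deliberate it deserves a comment such as `// unrestricted_macs is allowed before the auth rules and cannot be forced to authenticate`. In the squid_resync_auth hunk, `$noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));` drops the per-element trim of the removed line, so `\r` fragments and empty tokens end up on the `acl noauth src` line; `implode(' ', array_filter(array_map('trim', explode("\n", base64_decode($settings['no_auth_hosts'])))))` restores it. Both hunks belong to squid_resync_auth, whose body continues beyond them.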
@@ -1,7 +1,7 @@ squid - 2.6.5_1-p11 + 2.6.5_1-p12 /usr/local/pkg/squid.inc @@ -115,6 +115,7 @@ log_dir Log store directory The directory where the log will be stored (note: do not end with a / mark) + input 60 /var/squid/log diff --git a/packages/squid/squid_auth.xml b/packages/squid/squid_auth.xml index 9367231d..2f20d755 100644 --- a/packages/squid/squid_auth.xml +++ b/packages/squid/squid_auth.xml @@ -132,8 +132,9 @@ no_auth_hosts Subnets that don't need authentication - A comma-separated list of subnets (in CIDR range, e.g.: 10.5.0.0/16, 192.168.1.50/32) whose hosts won't be asked for authentication to access the proxy. + Enter each subnet or IP address on a new line (in CIDR format, e.g.: 10.5.0.0/16, 192.168.1.50/32) that should not be asked for authentication to access the proxy. textarea + base64 5 50 diff --git a/packages/squid/squid_cache.xml b/packages/squid/squid_cache.xml index ee5db606..b13409f6 100644 --- a/packages/squid/squid_cache.xml +++ b/packages/squid/squid_cache.xml @@ -121,8 +121,9 @@ Do not cache donotcache - The specified domains or IP addresses (separated by commas) will never be cached. + Enter each domain or IP address on a new line that should never be cached. textarea + base64 5 50 diff --git a/packages/squid/squid_nac.xml b/packages/squid/squid_nac.xml index 9b6268ee..0d5128b8 100644 --- a/packages/squid/squid_nac.xml +++ b/packages/squid/squid_nac.xml 
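Review bot: The new no_auth_hosts description asks for one subnet per line but its example `10.5.0.0/16, 192.168.1.50/32` is still comma-separated; a user pasting it as shown gets a single line that `is_subnet` rejects in squid_validate_auth. Rewording it to `(in CIDR format, e.g.: 10.5.0.0/16 or 192.168.1.50/32)` avoids that, and the same wording pattern would suit the squid_nac.xml descriptions.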
@@ -38,40 +38,45 @@ allowed_subnets Allowed subnets - Those are the subnets (separated by commas) that are allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy. + Enter each subnet on a new line that is allowed to use the proxy. The subnets must be expressed as CIDR ranges (e.g.: 192.168.1.0/24). Note that the proxy interface subnet is already an allowed subnet. All the other subnets won't be able to use the proxy. textarea + base64 5 50 unrestricted_hosts Unrestricted IPs - The IP addresses specified here (separated by commas) won't be filtered out by the other access control directives set in this page. + Enter each unrestricted IP address on a new line that is not to be filtered out by the other access control directives set in this page. textarea + base64 5 50 banned_hosts Banned host addresses - The IP addresses specified here (separated by commas) won't be allowed to use the proxy. + Enter each IP address on a new line that is not to be allowed to use the proxy. textarea + base64 5 50 whitelist Whitelist - Those are the destination domains (separated by commas) that will be accessable to the users that are allowed to use the proxy. + Enter each destination domain on a new line that will be accessable to the users that are allowed to use the proxy. textarea + base64 5 50 blacklist Blacklist - Those are the destination domains (separated by commas) that will be blocked to the users that are allowed to use the proxy. + Enter each destination domain on a new line that will be blocked to the users that are allowed to use the proxy. textarea + base64 5 50 -- cgit v1.2.3