From a0cb9388ff0e76467e2ec973103efac6a62a2712 Mon Sep 17 00:00:00 2001
From: Scott Ullrich
Date: Wed, 5 Oct 2005 14:11:33 +0000
Subject: Squid updates from Michael Capp
---
 packages/squid_auth.inc | 203 +++++++++++++++++++++++++++++++++++++++---------
 packages/squid_ng.inc | 45 ++++++++++-
 packages/squid_ng.xml | 37 ++++-----
 3 files changed, 224 insertions(+), 61 deletions(-)
(limited to 'packages')
diff --git a/packages/squid_auth.inc b/packages/squid_auth.inc
index 7b29ce00..ae431f22 100644
--- a/packages/squid_auth.inc
+++ b/packages/squid_auth.inc
@@ -41,35 +41,15 @@ function global_eval_auth_options(){
 switch ($auth_method) {
 case "none":
- $filecontents = file('/usr/local/pkg/squid_auth.xml');
-
- $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); foreach($filecontents as $line) { if (stristr($line, "/pkg.php?xml=squid_extauth.xml&id=0")) { fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); } else { fwrite($fout, $line); } }
-
+ dynamic_auth_content("pkg_edit");
 dynamic_no_auth();
 break;
 case "local_auth":
- dynamic_auth_content();
+ dynamic_auth_content("pkg");
 dynamic_local_auth();
 break;
 case "ldap_bind":
- $filecontents = file('/usr/local/pkg/squid_auth.xml');
-
- $fout = fopen("/usr/local/pkg/squid_auth.xml","w"); foreach($filecontents as $line) { if (stristr($line, "/pkg.php?xml=squid_extauth.xml&id=0")) { fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n"); } else { fwrite($fout, $line); } }
-
+ dynamic_auth_content("pkg_edit");
 dynamic_ldap_auth();
 break;
 case "domain_auth":
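Review bot: The mode handed to `dynamic_auth_content("pkg_edit")` in the `none` and `ldap_bind` cases is a free-form string, and the helper added later in this diff only tests `$pkgvar == "pkg"`, so any other value — including a misspelling — silently selects the pkg_edit rewrite and a mistake is indistinguishable from the intended call. Either have the helper reject anything but the two known values, or state the contract at the call site, e.g. `// only "pkg" switches the links to pkg.php; any other value restores pkg_edit.php`. The switch continues past the end of this hunk (`case "domain_auth":` and below), so whether the remaining cases were moved to the new helper cannot be seen here.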
@@ -134,7 +114,7 @@ function dynamic_no_auth() {
 fwrite($fout, '' . "\n");
 fwrite($fout, "\n");
 fwrite($fout, " squidextnoauth\n");
- fwrite($fout, " Services: Squid Advanced Proxy -> Extended Authentication Settings\n");
+ fwrite($fout, " Services: Proxy Server -> Extended Authentication Settings\n");
 fwrite($fout, " installedpackages->package->squidextnoauth->configuration->settings\n");
 fwrite($fout, "\n");
 fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n");
@@ -211,7 +191,7 @@ function dynamic_local_auth() {
 fwrite($fout, "\n");
 fwrite($fout, "\n");
 fwrite($fout, " squidextlocalauth\n");
- fwrite($fout, " Services: Squid Advanced Proxy -> Extended Authentication Settings\n");
+ fwrite($fout, " Services: Proxy Server -> Extended Authentication Settings\n");
 fwrite($fout, " 2.5.10_4\n");
 fwrite($fout, " installedpackages->package->squidextlocalauth->configuration->settings\n");
 fwrite($fout, "\n");
@@ -328,21 +308,172 @@ function dynamic_local_auth() {
 config_unlock();
 } /* end function dynamic_local_auth */
+function dynamic_ldap_auth() {
+ conf_mount_rw();
+ config_lock();
+
+ global $config;
+
+ $pkgfile = "/usr/local/pkg/squid_extauth.xml";
+
+ $fout = fopen($pkgfile, "w");
+
+ fwrite($fout, '' . "\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " squidextldapauth\n");
+ fwrite($fout, " Services: Proxy Server -> Extended Auth Settings\n");
+ fwrite($fout, " 2.5.11\n");
+ fwrite($fout, " installedpackages->package->squidextldapauth->configuration->settings\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " General Settings\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_ng.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Upstream Proxy\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_upstream.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Cache Mgmt\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_cache.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Network Access Control\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_nac.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Traffic Mgmt\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_traffic.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Auth Settings\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_auth.xml&id=0\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Extended Auth Settings\n");
+ fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n");
+ fwrite($fout, " \n");
+
fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Base DN\n");
+ fwrite($fout, " ldap_basedn\n");
+ fwrite($fout, " This is the base where the LDAP search starts. All subsequent organizational units (OUs)will be included. Example: "ou=users,o=company" will search for users in and under the specified company.\n");
+ fwrite($fout, " input\n");
+ fwrite($fout, " 50\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " LDAP Server\n");
+ fwrite($fout, " ldap_server\n");
+ fwrite($fout, " This is the LDAP server that the bind will be attempted against.\n");
+ fwrite($fout, " input\n");
+ fwrite($fout, " 20\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " LDAP Type\n");
+ fwrite($fout, " ldap_type\n");
+ fwrite($fout, " This specifies the supported LDAP types.\n");
+ fwrite($fout, " select\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " LDAP Port\n");
+ fwrite($fout, " ldap_port\n");
+ fwrite($fout, ' This is the port that LDAP bind will attempt on. The default is "389".' . "\n");
+ fwrite($fout, " input\n");
+ fwrite($fout, " 5\n");
+ fwrite($fout, " \n");
+ fwrite($fout, "\n");
+ fwrite($fout, " \n");
+ fwrite($fout, " Bind DN Username\n");
+ fwrite($fout, " bind_dn_username\n");
+ fwrite($fout, ' If "anonymous bind" is not supported, please specify the bind username that can access the Base DN hierarchy.' . 
"\n"); + fwrite($fout, " input\n"); + fwrite($fout, " 30\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, " Bind DN Password\n"); + fwrite($fout, " bind_dn_password\n"); + fwrite($fout, " This is the associated password with the Bind DN Username previously specified.\n"); + fwrite($fout, " password\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, " \n"); + fwrite($fout, ' require_once("/usr/local/pkg/squid_ng.inc");' . "\n"); + fwrite($fout, "\n"); + fwrite($fout, " if ($password == $confirm_password) {\n"); + fwrite($fout, ' mwexec("/usr/bin/htpasswd -b /usr/local/etc/squid/advanced/ncsa/passwd "' . $username . " " . $password . "\n"); + fwrite($fout, " }\n"); + fwrite($fout, "\n"); + fwrite($fout, " global_write_squid_config();\n"); + fwrite($fout, ' mwexec("/usr/local/sbin/squid -k reconfigure");' . "\n"); + fwrite($fout, " \n"); + fwrite($fout, "\n"); + fwrite($fout, "\n"); +} + /* dynamically re-writes all squid xml files to handle adddeletecolumnitems properly */ -function dynamic_auth_content() { +function dynamic_auth_content($pkgvar) { - if ($handle = opendir('/usr/local/pkg')) { - while (($file = readdir($handle)) != false) { - if (stristr($file, "squid_") && stristr($file, ".xml")) { + if ($pkgvar == "pkg") { + if ($handle = opendir('/usr/local/pkg')) { + while (($file = readdir($handle)) != false) { + if (stristr($file, "squid_") && stristr($file, ".xml")) { + + $filecontents = file("/usr/local/pkg/" . $file); + + $fout = fopen("/usr/local/pkg/" . 
$file,"w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "/pkg_edit.php?xml=squid_extauth.xml&id=0")) {
+ fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n");
+ } else {
+ fwrite($fout, $line);
+ }
+ }
+ }
+ }
+ }
+ } else {
+ if ($handle = opendir('/usr/local/pkg')) {
+ while (($file = readdir($handle)) != false) {
+ if (stristr($file, "squid_") && stristr($file, ".xml")) {
- $filecontents = file("/usr/local/pkg/" . $file);
+ $filecontents = file("/usr/local/pkg/" . $file);
- $fout = fopen("/usr/local/pkg/" . $file,"w");
- foreach($filecontents as $line) {
- if (stristr($line, "/pkg_edit.php?xml=squid_extauth.xml&id=0")) {
- fwrite($fout, " /pkg.php?xml=squid_extauth.xml&id=0\n");
- } else {
- fwrite($fout, $line);
+ $fout = fopen("/usr/local/pkg/" . $file,"w");
+ foreach($filecontents as $line) {
+ if (stristr($line, "/pkg.php?xml=squid_extauth.xml&id=0")) {
+ fwrite($fout, " /pkg_edit.php?xml=squid_extauth.xml&id=0\n");
+ } else {
+ fwrite($fout, $line);
+ }
 }
 }
 }
diff --git a/packages/squid_ng.inc b/packages/squid_ng.inc
index 6a92718b..da3e2a6f 100644
--- a/packages/squid_ng.inc
+++ b/packages/squid_ng.inc
@@ -88,7 +88,7 @@ function global_write_squid_config() {
 $throttle_cd_images = $config['installedpackages']['squidtraffic']['config'][0]['throttle_cd_images'];
 $throttle_multimedia = $config['installedpackages']['squidtraffic']['config'][0]['throttle_multimedia'];
- /* TODO: squid_auth.xml values (placeholder for now) */
+ /* squid_auth.xml values */
 $auth_method = $config['installedpackages']['squidauth']['config'][0]['auth_method'];
 $auth_processes = $config['installedpackages']['squidauth']['config'][0]['auth_processes'];
 $auth_cache_ttl = $config['installedpackages']['squidauth']['config'][0]['auth_cache_ttl'];
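Review bot: The PHP tail that `dynamic_ldap_auth()` writes into the generated page still carries the local-auth htpasswd block: `fwrite($fout, ' mwexec("/usr/bin/htpasswd -b /usr/local/etc/squid/advanced/ncsa/passwd "' . $username . " " . $password . "\n");` interpolates `$username` and `$password` at generation time, where neither is defined in this function, so the emitted statement is `mwexec("... passwd "` with no closing quote, parenthesis or semicolon — a parse error in the generated squid_extauth.xml the first time that page is saved — and an LDAP-bind page has no local user to add in the first place. Drop the `if ($password == $confirm_password) {` … `}` lines and keep only `global_write_squid_config();` and the reconfigure; if a shell command built from form fields is ever reintroduced, each value must pass through escapeshellarg(), since those fields are attacker-controlled text. Separately, the function calls `conf_mount_rw(); config_lock();` and `$fout = fopen($pkgfile, "w");` but never `fclose($fout);` or `config_unlock();` — unlike `dynamic_local_auth()`, whose `config_unlock();` tail is the context at the top of this hunk — so the config lock stays held after the first LDAP save. The rewritten `dynamic_auth_content()` at the bottom likewise opens every squid_*.xml with `fopen(..., "w")` and never closes the handle; its closing braces run past the end of the hunk.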
@@ -100,6 +100,14 @@ function global_write_squid_config() {
 $min_pass_length = $config['installedpackages']['squidauth']['config'][0]['min_pass_length'];
 $bypass_extended = $config['installedpackages']['squidauth']['config'][0]['bypass_extended'];
+ /* squid_extauth.xml (ldap) values */
+ $ldap_basedn = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_basedn'];
+ $ldap_server = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_server'];
+ $ldap_type = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_type'];
+ $ldap_port = $config['installedpackages']['squidextldapauth']['config'][0]['ldap_port'];
+ $bind_dn_username = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_username'];
+ $bind_dn_password = $config['installedpackages']['squidextldapauth']['config'][0]['bind_dn_password'];
+
 /* static variable assignments for directory mapping */
 $acldir = "/usr/local/etc/squid/advanced/acls";
 $ncsadir = "/usr/local/etc/squid/advanced/ncsa";
@@ -244,7 +252,26 @@ function global_write_squid_config() {
 break;
 case "radius_auth";
 break;
- case "ldap_auth";
+ case "ldap_bind";
+ /* fwrite($fout, 'auth_param basic program /usr/local/libexec/squid_ldap_auth -b "' . $ldap_basedn . '" -D "' . $bind_dn_username . '" -w "' . $bind_dn_password . '" -f "(&(objectClass=person)(cn=%s))" -u -cn -P "' . $ldap_server . ":" . $ldap_port . "\n"); */
+ fwrite($fout, "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth");
+ fwrite($fout, ' -b "' . $ldap_basedn . '"');
+ fwrite($fout, ' -D "' . $bind_dn_username . '"');
+ fwrite($fout, " -w " . $bind_dn_password);
+ fwrite($fout, ' -f "(&(objectClass=person)(cn=%s))"');
+ fwrite($fout, " -u cn -P " . $ldap_server . ":" . $ldap_port . "\n");
+
+ if (!isset($auth_processes) or ($auth_processes == "")) $auth_processes = "5";
+ fwrite($fout, "auth_param basic children " . $auth_processes . "\n");
+
+ if (!isset($auth_realm_prompt) or ($auth_realm_prompt == "")) $auth_realm_prompt = "pfSense Advanced Proxy";
+ fwrite($fout, "auth_param basic realm " . $auth_realm_prompt . "\n");
+
+ if (!isset($auth_cache_ttl) or ($auth_cache_ttl == "")) $auth_cache_ttl = "60";
+ fwrite($fout, "auth_param basic credentialsttl " . $auth_cache_ttl . " minutes\n");
+ fwrite($fout, "\n");
+ fwrite($fout, "acl for_inetusers proxy_auth REQUIRED\n");
+ fwrite($fout, "\n");
 break;
 case "windows_auth";
 break;
@@ -339,7 +366,12 @@ function global_write_squid_config() {
 fclose($aclout);
 fwrite($fout, 'acl pf_networks src "/usr/local/etc/squid/advanced/acls/src_subnets.acl"' . "\n");
+ } else {
+ $aclout = fopen($acldir . "/src_subnets.acl","w");
+ fwrite($aclout, $lansa . "/" . $lansn . "\n");
+ fclose($aclout);
 }
+
 /* define ip addresses that have 'unrestricted' access */
 if (isset($unrestricted_ip_addr) && ($unrestricted_ip_addr !== "")) {
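Review bot: The bind password goes into squid.conf unquoted on the helper command line, `fwrite($fout, " -w " . $bind_dn_password);`, so a password containing whitespace or a double quote breaks the `auth_param basic program` line, and whatever survives is typically visible to every local user through `ps` for as long as the helper processes run. Prefer a secret file readable only by the account the helpers run under and reference it instead: `$bindpwfile = $ncsadir . "/ldap_bindpw"; file_put_contents($bindpwfile, $bind_dn_password . "\n"); chmod($bindpwfile, 0600);` followed by `fwrite($fout, " -W " . $bindpwfile);` — this assumes the bundled squid_ldap_auth accepts `-W secretfile`, which should be verified against the installed helper. `$ldap_basedn` and `$bind_dn_username` are likewise interpolated inside double quotes with no escaping, and `$ldap_type`, read in the previous hunk, is never consulted in this case, so the "LDAP Type" select currently has no effect on the generated line. The commented-out `/* fwrite(...) */` variant above the live one is dead text and should be removed; the surrounding switch and function continue outside the hunk.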
@@ -410,9 +442,14 @@ function global_write_squid_config() {
 fwrite($fout, "\n");
 fwrite($fout, "#access to squid; local machine; no restrictions\n");
- fwrite($fout, "http_access allow localnet\n");
+ if (isset($auth_method) && ($auth_method == "none")) fwrite($fout, "http_access allow localnet\n");
+ fwrite($fout, "http_access allow localhost\n");
 fwrite($fout, "\n");
+
+ fwrite($fout, "#GUI admin to allow local connections\n");
+ if ($config['system']['webgui']['protocol'] == "http") fwrite($fout, "http_access allow pf_ips pf_networks pf_admin_port\n");
+ if ($config['system']['webgui']['protocol'] == "https") fwrite($fout, "http_access allow CONNECT pf_ips pf_networks pf_admin_port\n");
 fwrite($fout, "#Deny non web services\n");
 fwrite($fout, "http_access deny !Safe_ports\n");
@@ -420,7 +457,7 @@ function global_write_squid_config() {
 fwrite($fout, "\n");
 fwrite($fout, "#Set custom configured ACLs\n");
- if (isset($auth_method) and ($auth_method != "no_auth")) {
+ if (isset($auth_method) && ($auth_method != "none")) {
 fwrite($fout, "http_access allow pf_networks for_inetusers within_timeframe\n");
 }
diff --git a/packages/squid_ng.xml b/packages/squid_ng.xml
index b47b5416..06a86634 100644
--- a/packages/squid_ng.xml
+++ b/packages/squid_ng.xml
@@ -22,12 +22,6 @@
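Review bot: When the auth page has never been saved, `$auth_method` is null, so `isset($auth_method) && ($auth_method == "none")` suppresses `http_access allow localnet`, and the `!= "none"` guard in the second hunk suppresses the `for_inetusers` rule as well; only `allow localhost` and the GUI-port rules are emitted, and whether any LAN client is then admitted depends on rules outside this hunk. Normalising once before either check, `if (empty($auth_method)) $auth_method = "none";`, makes the unconfigured case behave like an explicit "none" instead of a lockout. The GUI rules also emit nothing when `$config['system']['webgui']['protocol']` is neither `http` nor `https`; if that is intended it deserves a comment such as `// unknown webgui protocol: no proxy path to the GUI is opened`. The function body continues on both sides of the hunk.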
Status
squid_log.xml --> - - - /usr/local/pkg/ - 0755 - http://www.pfsense.com/packages/config/squid.xml - /usr/local/pkg/ @@ -35,13 +29,13 @@ http://www.pfsense.com/packages/config/squid_cache.xml - + /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_nac.xml - + /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_ng.inc @@ -64,12 +58,6 @@ 0755 http://www.pfsense.com/packages/config/squid_auth.xml - - - /usr/local/pkg/ - 0755 - http://www.pfsense.com/packages/config/squid_auth.inc - /usr/local/pkg/ 
@@ -361,33 +349,35 @@
 if (!file_exists("/var/squid/logs")) {
 mwexec("mkdir -p /var/squid/logs");
- mwexec("chown squid:squid /var/squid/logs");
 }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
+
 if (!file_exists("/var/squid/cache")) {
 mwexec("mkdir -p /var/squid/cache");
- mwexec("chown squid:squid /var/squid/cache");
 }
+ mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
+
 if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
 mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
 }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
 if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
 mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/ncsa");
 }
-
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
+
 if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
 mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/ntlm");
 }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
 if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
 mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
- mwexec("chown squid:squid /usr/local/etc/squid/advanced/radius");
 }
+ mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
 update_output_window("Initializing Cache... This may take a moment...");
 mwexec("/usr/local/sbin/squid -z");
@@ -398,10 +388,15 @@
+ update_output_window("Stopping proxy service...");
+ mwexec("/usr/local/sbin/squid -k shutdown");
+
+ update_output_window("Recursively removing directories hierarchies...");
 mwexec("rm -rf /usr/local/squid");
 mwexec("rm -rf /var/squid/cache");
 mwexec("rm -rf /usr/local/etc/squid");
+ update_output_window("Removing configuration files...");
 unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
 unlink_if_exists("/usr/local/etc/squid");
 unlink_if_exists("/usr/local/libexec/squid");
-- cgit v1.2.3
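Review bot: `mwexec("/usr/local/sbin/squid -k shutdown");` only signals the daemon and returns at once; Squid keeps serving until its shutdown_lifetime (30 s by default) elapses, so the `rm -rf` lines that follow run while the process is still alive and still holding its config and cache directories. Wait for it to exit before removing anything, e.g. directly after the shutdown call `for ($i = 0; $i < 60 && mwexec("/usr/local/sbin/squid -k check") == 0; $i++) sleep(1);` — this relies on mwexec() returning the command's exit status and on `-k check` failing once no instance is running, both of which should be confirmed for this pfSense version. It is also worth a one-line comment that `rm -rf /usr/local/etc/squid` is what disposes of the ncsa `passwd` file and any other credentials kept under `advanced/`, e.g. `// also removes the ncsa passwd file and other secrets under advanced/`, since today that cleanup is only implied by the path. The deinstall block continues outside the hunk.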