/dev/null sleep 1 killall squid 2>/dev/null EOD; $rc['restart'] = << $names[$i], 'value' => $values[$i]); } function squid_validate_general($post, $input_errors) { $icp_port = trim($post['icp_port']); if (!empty($icp_port) && !is_port($icp_port)) $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; $children = $post['redirect_children']; if (!empty($children) && !is_numeric($children)) $input_errors[] = 'You must enter a valid number for the \'Redirect children\' field'; } function squid_validate_upstream($post, $input_errors) { if ($post['proxy_forwarding'] == 'on') { $addr = trim($post['proxy_addr']); if (empty($addr)) $input_errors[] = 'The field \'Hostname\' is required'; else { if (!is_ipaddr($addr) && !is_domain($addr)) $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; } foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { $port = trim($post[$field]); if (empty($port)) $input_errors[] = "The field '$name' is required"; else { if (!is_port($port)) $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; } } } } function squid_validate_cache($post, $input_errors) { $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', 'memory_cache_size' => 'Memory cache size', 'maximum_object_size' => 'Maximum object size', ); foreach ($num_fields as $field => $name) { $value = trim($post[$field]); if (!is_numeric($value) || ($value < 1)) $input_errors[] = "You must enter a valid value for '$field'"; } $value = trim($post['minimum_object_size']); if (!is_numeric($value) || ($value < 0)) $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; foreach (explode(',', $post['donotcache']) as $host) { $host = trim($host); if (!is_ipaddr($host) && !is_domain($host)) $input_errors[] = "$host is not a valid IP or host name"; } } function squid_validate_nac($post, $input_errors) { $allowed_subnets = explode(',', trim($post['allowed_subnets'])); foreach ($allowed_subnets as $subnet) { $subnet = trim($subnet); if (!empty($subnet) && !is_subnet($subnet)) $input_errors[] = "'$subnet' is not a valid CIDR range"; } foreach (array( 'unrestricted_hosts', 'banned_hosts', 'whitelist', 'blacklist', ) as $hosts) { foreach (explode(',', $post[$hosts]) as $host) { $host = trim($host); if (!empty($host) && !is_ipaddr($host)) $input_errors[] = "'$host' is not a valid IP address"; } } foreach (array('unrestricted_macs', 'banned_macs') as $macs) { foreach (explode(',', $post[$macs]) as $mac) { $mac = trim($mac); if (!empty($mac) && !is_macaddr($mac)) $input_errors[] = "'$mac' is not a valid MAC address"; } } foreach (explode(',', $post['timelist']) as $time) { $time = trim($time); if (!empty($time) && !squid_is_timerange($time)) $input_errors[] = "'$time' is not a valid time range"; } } function squid_validate_traffic($post, $input_errors) { $num_fields = array( 'max_download_size' => 'Maximum download size', 'max_upload_size' => 'Maximum upload size', 'perhost_capping' => 'Per-host bandwidth capping', 'overall_capping' => 'Overall bandwidth capping', 'perhost_throttling' => 'Per-host bandwidth throttling', 'overall_throttling' => 'Overall bandwidth throttling', 'initial_bucket_level' => 'Initial bucket level', ); foreach ($num_fields as $field => $name) { $value = trim($post[$field]); if (!is_numeric($value) || ($value < 0)) $input_errors[] = "The field '$name' must contain a positive number"; } } function squid_validate_auth($post, $input_errors) { $num_fields = array( array('auth_processes', 'Authentication processes', 1), array('auth_ttl', 'Authentication TTL', 0), ); foreach ($num_fields as $field) { $value = trim($post[$field[0]]); if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; } $auth_method = $post['auth_method']; if (($auth_method != 'none') && ($auth_method != 'local')) { $server = trim($post['auth_server']); if (empty($server)) $input_errors[] = 'The field \'Authentication server\' is required'; else if (!is_ipaddr($server) && !is_domain($server)) $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; $port = trim($post['auth_server_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; switch ($auth_method) { case 'ldap': $required = array( 'ldap_basedn' => 'LDAP base DN', 'ldap_filter' => 'LDAP filter', ); foreach ($required as $field => $descr) { $value = trim($post[$field]); if (empty($value)) $input_errors[] = "The field '$descr' is required"; } $user = trim($post['ldap_user']); $password = trim($post['ldap_password']); if (!empty($password) && empty($user)) $input_errors[] = 'You must specify an username if you specify a password'; break; case 'radius': $secret = trim($post['radius_secret']); if (empty($secret)) $input_errors[] = 'The field \'RADIUS secret\' is required'; break; case 'msnt': $bdc = $post['msnt_bdc']; if (!empty($bdc) && !is_ipaddr($bdc) && !is_domain($bdc)) $input_errors[] = "'$bdc' isn't a valid IP address or domain name"; $domain = $post['msnt_domain']; if (empty($domain) || !is_domain($domain)) $input_errors[] = 'You must enter a valid domain name in the \'NT domain\' field'; break; } $no_auth = explode(',', trim($post['no_auth_hosts'])); foreach ($no_auth as $host) { $host = trim($host); if (!empty($host) && !is_subnet($host)) $input_errors[] = "'$host' isn't a valid CIDR range"; } } } function squid_resync_general() { global $g, $config, $valid_acls; $settings = $config['installedpackages']['squid']['config'][0]; $conf = ''; if ($settings['transparent_proxy'] == 'on') { $conf .= << $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if (!empty($real_ifaces[$i][0])) $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; } $icp_port = $settings['icp_port'] ? $settings['icp_port'] : 0; $pidfile = "{$g['varrun_path']}/squid.pid"; $language = $settings['error_language'] ? $settings['error_language'] : 'English'; $errordir = SQUID_CONFBASE . '/errors/' . $language; $hostname = $settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'; $email = $settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'; $logdir_cache = SQUID_LOGDIR . '/cache.log'; $logdir_access = $settings['log_enabled'] == 'on' ? SQUID_LOGDIR . '/access.log' : '/dev/null'; $conf .= << 'src', 'unrestricted_macs' => 'arp', 'banned_hosts' => 'src', 'banned_macs' => 'arp', 'whitelist' => 'url_regex -i', 'blacklist' => 'url_regex -i', ); foreach ($options as $option => $directive) { $contents = trim(implode("\n", array_map('trim', explode(',', $settings[$option])))); if (!empty($contents)) { file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; $valid_acls[] = $option; } } $conf .= << $binaries, 'throttle_cdimages' => $cdimages, 'throttle_multimedia' => $multimedia) as $field => $set) { if ($settings[$field] == 'on') $exts = array_merge($exts, explode(',', $set)); } foreach (explode(',', $settings['throttle_others']) as $ext) { if (!empty($ext)) $exts[] = $ext; } $contents = ''; foreach ($exts as $ext) $contents .= "\.$ext\$\n"; file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); if (!empty($contents)) { // avoid crashing Squid $conf .= 'acl throttle_exts url_regex -i "' . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; $conf .= "delay_access 1 allow throttle_exts\n"; $conf .= "delay_access 1 deny all\n"; } } else $conf .= "delay_access 1 allow all\n"; return $conf; } function squid_resync_auth() { global $config, $valid_acls; $settings = $config['installedpackages']['squidauth']['config'][0]; $conf = ''; // Deny the banned guys before allowing the good guys $banned = array( 'banned_hosts', 'banned_macs', ); $banned = array_filter($banned, 'squid_is_valid_acl'); foreach ($banned as $acl) $conf .= "http_access deny $acl\n"; // Whitelist and blacklist also take precendence if (squid_is_valid_acl('whitelist')) $conf .= "http_access allow whitelist\n"; if (squid_is_valid_acl('blacklist')) $conf .= "http_access deny blacklist\n"; $transparent_proxy = $config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on'; $auth_method = ($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'; // Allow the remaining ACLs if no authentication is set if ($auth_method == 'none') { $allowed = array('localnet', 'allowed_subnets', 'unrestricted_hosts', 'unrestricted_macs'); $allowed = array_filter($allowed, 'squid_is_valid_acl'); foreach ($allowed as $acl) $conf .= "http_access allow $acl\n"; } else { $noauth = implode(' ', array_map('trim', explode(',', $settings['no_auth_hosts']))); if (!empty($noauth)) { $conf .= "acl noauth src $noauth\n"; $valid_acls[] = 'noauth'; } // Set up the external authentication programs $auth_ttl = $settings['auth_ttl'] ? $settings['auth_ttl'] : 60; $processes = $settings['auth_processes'] ? $settings['auth_processes'] : 5; $prompt = $settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'; switch ($auth_method) { case 'local': $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; break; case 'ldap': $port = isset($settings['auth_port']) ? ":{$settings['auth_port']}" : ''; $user = isset($settings['ldap_user']) ? "-D {$settings['ldap_user']}" : ''; $password = isset($settings['ldap_password']) ? "-w '{$settings['ldap_password']}'" : ''; $filter = isset($settings['ldap_filter']) ? "-f '{$settings['ldap_filter']}'" : ''; $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -b {$settings['ldap_basedn']} $user $password $filter {$settings['auth_server']}$port\n"; break; case 'radius': $port = isset($settings['auth_port']) ? "-p {$settings['auth_server_port']}" : ''; $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'msnt': $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; $bdc = trim($settings['msnt_bdc']); if (empty($bdc)) $bdc = $settings['auth_server']; $msntauth_conf = "server {$settings['auth_server']} $bdc {$settings['msnt_domain']}\n"; file_put_contents(MSNTAUTH_CONF, $msntauth_conf); break; } $conf .= << EOD; } else { $javascript = << EOD; } print($javascript); } function squid_print_javascript_auth2() { print("\n"); } function squid_generate_rules($type) { global $config; $squid_conf = $config['installedpackages']['squid']['config'][0]; if (!is_service_running('squid') || ($squid_conf['transparent_proxy'] != 'on')) { log_error('Squid is installed but not started. Not installing redirect rules.'); return; } $port = isset($squid_conf['proxy_port']) ? $squid_conf['proxy_port'] : 3128; $ifaces = explode(',', $squid_conf['active_interface']); $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); switch($type) { case 'nat': foreach ($ifaces as $iface) $rules .= "rdr on $iface inet proto tcp from any to !($iface) port 80 -> ($iface) port $port\n"; break; case 'filter': foreach ($ifaces as $iface) $rules .= "pass quick on $iface inet proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; break; } return $rules; } ?>