$names[$i], 'value' => $values[$i]); } function squid_validate_general($post, $input_errors) { global $config; $settings = $config['installedpackages']['squid']['config'][0]; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $port = $post['proxy_port'] ? $post['proxy_port'] : $port; $icp_port = trim($post['icp_port']); if (!empty($icp_port) && !is_port($icp_port)) $input_errors[] = 'You must enter a valid port number in the \'ICP port\' field'; if (substr($post['log_dir'], -1, 1) == '/') $input_errors[] = 'You may not end log location with an / mark'; if ($post['log_dir']{0} != '/') $input_errors[] = 'You must start log location with a / mark'; if (strlen($post['log_dir']) <= 3) $input_errors[] = "That is not a valid log location dir"; $log_rotate = trim($post['log_rotate']); if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1))) $input_errors[] = 'You must enter a valid number of days \'Log rotate\' field'; $webgui_port = $config['system']['webgui']['port']; if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) { $webgui_port = 80; } if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) { $webgui_port = 443; } if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) { $input_errors[] = "You can not run squid on the same port as the webgui"; } foreach (array('defined_ip_proxy_off') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; } } foreach (array('defined_ip_proxy_off_dest') as $hosts) { foreach (explode(";", $post[$hosts]) as $host) { $host = trim($host); if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host)) $input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias"; } } if(!empty($post['dns_nameservers'])) { $altdns = explode(";", ($post['dns_nameservers'])); foreach ($altdns as $dnssrv) { if (!is_ipaddr($dnssrv)) $input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field'; }} } function squid_validate_upstream($post, $input_errors) { if ($post['proxy_forwarding'] == 'on') { $addr = trim($post['proxy_addr']); if (empty($addr)) $input_errors[] = 'The field \'Hostname\' is required'; else { if (!is_ipaddr($addr) && !is_domain($addr)) $input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field'; } foreach (array('proxy_port' => 'TCP port', 'icp_port' => 'ICP port') as $field => $name) { $port = trim($post[$field]); if (empty($port)) $input_errors[] = "The field '$name' is required"; else { if (!is_port($port)) $input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535"; } } } } function squid_validate_cache($post, $input_errors) { $num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size', 'memory_cache_size' => 'Memory cache size', 'maximum_object_size' => 'Maximum object size', ); foreach ($num_fields as $field => $name) { $value = trim($post[$field]); if (!is_numeric($value) || ($value < 0)) $input_errors[] = "You must enter a valid value for '$field'"; } $value = trim($post['minimum_object_size']); if (!is_numeric($value) || ($value < 0)) $input_errors[] = 'You must enter a valid value for \'Minimum object size\''; if (!empty($post['cache_swap_low'])) { $value = trim($post['cache_swap_low']); if (!is_numeric($value) || ($value > 100)) $input_errors[] = 'You must enter a valid value for \'Low-water-mark\''; } if (!empty($post['cache_swap_high'])) { $value = trim($post['cache_swap_high']); if (!is_numeric($value) || ($value > 100)) $input_errors[] = 'You must enter a valid value for \'High-water-mark\''; } if ($post['donotcache'] != "") { foreach (split("\n", $post['donotcache']) as $host) { $host = trim($host); if (!is_ipaddr($host) && !is_domain($host)) $input_errors[] = "The host '$host' is not a valid IP or host name"; } } squid_dash_z(); } function squid_validate_nac($post, $input_errors) { $allowed_subnets = explode("\n", $post['allowed_subnets']); foreach ($allowed_subnets as $subnet) { $subnet = trim($subnet); if (!empty($subnet) && !is_subnet($subnet)) $input_errors[] = "The subnet '$subnet' is not a valid CIDR range"; } foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) { foreach (explode("\n", $post[$hosts]) as $host) { $host = trim($host); if (!empty($host) && !is_ipaddr($host)) $input_errors[] = "The host '$host' is not a valid IP address"; } } foreach (array('unrestricted_macs', 'banned_macs') as $macs) { foreach (explode("\n", $post[$macs]) as $mac) { $mac = trim($mac); if (!empty($mac) && !is_macaddr($mac)) $input_errors[] = "The mac '$mac' is not a valid MAC address"; } } foreach (explode(",", $post['timelist']) as $time) { $time = trim($time); if (!empty($time) && !squid_is_timerange($time)) $input_errors[] = "The time range '$time' is not a valid time range"; } if(!empty($post['ext_cachemanager'])) { $extmgr = explode(";", ($post['ext_cachemanager'])); foreach ($extmgr as $mgr) { if (!is_ipaddr($mgr)) $input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field'; }} } function squid_validate_traffic($post, $input_errors) { $num_fields = array( 'max_download_size' => 'Maximum download size', 'max_upload_size' => 'Maximum upload size', 'perhost_throttling' => 'Per-host bandwidth throttling', 'overall_throttling' => 'Overall bandwidth throttling', ); foreach ($num_fields as $field => $name) { $value = trim($post[$field]); if (!is_numeric($value) || ($value < 0)) $input_errors[] = "The field '$name' must contain a positive number"; } if (!empty($post['quick_abort_min'])) { $value = trim($post['quick_abort_min']); if (!is_numeric($value)) $input_errors[] = "The field 'Finish when remaining KB' must contain a positive number"; } if (!empty($post['quick_abort_max'])) { $value = trim($post['quick_abort_max']); if (!is_numeric($value)) $input_errors[] = "The field 'Abort when remaining KB' must contain a positive number"; } if (!empty($post['quick_abort_pct'])) { $value = trim($post['quick_abort_pct']); if (!is_numeric($value) || ($value > 100)) $input_errors[] = "The field 'Finish when remaining %' must contain a percentaged value"; } } function squid_validate_reverse($post, $input_errors) { $fqdn = trim($post['reverse_external_fqdn']); if (!empty($fqdn) && !is_domain($fqdn)) $input_errors[] = 'The field \'external FQDN\' must contain a valid domain name'; $port = trim($post['reverse_http_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number'; $port = trim($post['reverse_https_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number'; if ($post['reverse_ssl_cert'] == 'none') $input_errors[] = 'A valid certificate for the external interface must be selected'; if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) { $input_errors[] = "You have to enable reverse HTTPS before enabling OWA support."; } /* if (!is_cert($post['reverse_int_ca'])) $input_errors[] = 'A valid certificate for the external interface must be selected'; */ $rowa = trim($post['reverse_owa_ip']); if (!empty($rowa) && !is_ipaddr($rowa)) $input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address'; $contents = $post['reverse_cache_peer']; if(!empty($contents)) { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (!is_ipaddr($cfg[1])) $input_errors[] = "please choose a valid IP in the cache peer configuration."; if (!is_port($cfg[2])) $input_errors[] = "please choose a valid port in the cache peer configuration."; if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP')) $input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration."; }} } function squid_validate_auth($post, $input_errors) { $num_fields = array( array('auth_processes', 'Authentication processes', 1), array('auth_ttl', 'Authentication TTL', 0), ); foreach ($num_fields as $field) { $value = trim($post[$field[0]]); if (!empty($value) && (!is_numeric($value) || ($value < $field[2]))) $input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}"; } $auth_method = $post['auth_method']; if (($auth_method != 'none') && ($auth_method != 'local')) { $server = trim($post['auth_server']); if (empty($server)) $input_errors[] = 'The field \'Authentication server\' is required'; else if (!is_ipaddr($server) && !is_domain($server)) $input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name'; $port = trim($post['auth_server_port']); if (!empty($port) && !is_port($port)) $input_errors[] = 'The field \'Authentication server port\' must contain a valid port number'; switch ($auth_method) { case 'ldap': $user = trim($post['ldap_user']); if (empty($user)) $input_errors[] = 'The field \'LDAP server user DN\' is required'; else if (!$user) $input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name'; break; case 'radius': $secret = trim($post['radius_secret']); if (empty($secret)) $input_errors[] = 'The field \'RADIUS secret\' is required'; break; case 'msnt': foreach (explode(",", trim($post['msnt_secondary'])) as $server) { if (!empty($server) && !is_ipaddr($server) && !is_domain($server)) $input_errors[] = "The host '$server' is not a valid IP address or domain name"; } break; } $no_auth = explode("\n", $post['no_auth_hosts']); foreach ($no_auth as $host) { $host = trim($host); if (!empty($host) && !is_subnet($host)) $input_errors[] = "The host '$host' is not a valid CIDR range"; } } } function squid_install_cron($should_install) { global $config, $g; if($g['booting']==true) return; $is_installed = false; if(!$config['cron']['item']) return; $x=0; foreach($config['cron']['item'] as $item) { if(strstr($item['task_name'], "squid_rotate_logs")) { $is_installed = true; break; } $x++; } switch($should_install) { case true: if(!$is_installed) { $cron_item = array(); $cron_item['task_name'] = "squid_rotate_logs"; $cron_item['minute'] = "0"; $cron_item['hour'] = "0"; $cron_item['mday'] = "*"; $cron_item['month'] = "*"; $cron_item['wday'] = "*"; $cron_item['who'] = "root"; $cron_item['command'] = "/usr/local/sbin/squid -k rotate"; $config['cron']['item'][] = $cron_item; parse_config(true); write_config("Squid Log Rotation"); configure_cron(); } break; case false: if($is_installed == true) { if($x > 0) { unset($config['cron']['item'][$x]); parse_config(true); write_config(); } configure_cron(); } break; } } function squid_resync_general() { global $g, $config, $valid_acls; $settings = $config['installedpackages']['squid']['config'][0]; $conf = "# This file is automatically generated by pfSense\n"; $conf .= "# Do not edit manually !\n"; $port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128); $ifaces = ($settings['active_interface'] ? $settings['active_interface'] : 'lan'); $real_ifaces = array(); foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if($real_ifaces[$i][0]) { $conf .= "http_port {$real_ifaces[$i][0]}:$port\n"; } } if (($settings['transparent_proxy'] == 'on')) { $conf .= "http_port 127.0.0.1:" . $settings['proxy_port'] . " transparent\n"; } $icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 0); $pidfile = "{$g['varrun_path']}/squid.pid"; $language = ($settings['error_language'] ? $settings['error_language'] : 'English'); $errordir = SQUID_CONFBASE . '/errors/' . $language; $icondir = SQUID_CONFBASE . '/icons'; $hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost'); $email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost'); $logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs'); $logdir_cache = $logdir . '/cache.log'; $logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null'); $conf .= << 'src', 'banned_hosts' => 'src', 'whitelist' => 'dstdom_regex -i', 'blacklist' => 'dstdom_regex -i', ); foreach ($options as $option => $directive) { $contents = base64_decode($settings[$option]); if (!empty($contents)) { file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents); $conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n"; $valid_acls[] = $option; } elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) { unlink(SQUID_ACLDIR . "/$option.acl"); } } $conf .= << $binaries, 'throttle_cdimages' => $cdimages, 'throttle_multimedia' => $multimedia) as $field => $set) { if ($settings[$field] == 'on') $exts = array_merge($exts, explode(",", $set)); } foreach (explode(",", $settings['throttle_others']) as $ext) { if (!empty($ext)) $exts[] = $ext; } $contents = ''; foreach ($exts as $ext) $contents .= "\.$ext\$\n"; file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents); $conf .= "# Throttle extensions matched in the url\n"; $conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n"; $conf .= "delay_access 1 allow throttle_exts\n"; $conf .= "delay_access 1 deny all\n"; } else $conf .= "delay_access 1 allow all\n"; return $conf; } function squid_get_server_certs() { global $config; $cert_arr = array(); $cert_arr[] = array('refid' => 'none', 'descr' => 'none'); foreach ($config['cert'] as $cert) { $cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']); } return $cert_arr; } function squid_resync_reverse() { global $config, $valid_acls; if(!is_array($valid_acls)) return; $settings = $config['installedpackages']['squidreverse']['config'][0]; $conf = ''; $conf .= "# Reverse Proxy settings\n"; if(isset($settings["reverse_ssl_cert"]) && $settings["reverse_ssl_cert"] != "none") { $svr_cert = lookup_cert($settings["reverse_ssl_cert"]); if ($svr_cert != false) { if(base64_decode($svr_cert['crt'])) { file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt",base64_decode($svr_cert['crt'])); $reverse_crt = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt"; } if(base64_decode($svr_cert['prv'])) { file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key",base64_decode($svr_cert['prv'])); $reverse_key = SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.key"; }}} if (!empty($settings['reverse_int_ca'])) file_put_contents(SQUID_CONFBASE . "/{$settings["reverse_ssl_cert"]}.crt","\n" . base64_decode($settings['reverse_int_ca']),FILE_APPEND | LOCK_EX); $ifaces = ($settings['reverse_interface'] ? $settings['reverse_interface'] : 'wan'); $real_ifaces = array(); foreach (explode(",", $ifaces) as $i => $iface) { $real_ifaces[] = squid_get_real_interface_address($iface); if($real_ifaces[$i][0]) { //HTTP if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && empty($settings['reverse_http_defsite'])) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_external_fqdn']} vhost\n"; if (!empty($settings['reverse_http']) && empty($settings['reverse_http_port']) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:80 accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; if (!empty($settings['reverse_http']) && (!empty($settings['reverse_http_port'])) && (!empty($settings['reverse_http_defsite']))) $conf .= "http_port {$real_ifaces[$i][0]}:{$settings['reverse_http_port']} accel defaultsite={$settings['reverse_http_defsite']} vhost\n"; //HTTPS if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']}\n"; if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && empty($settings['reverse_https_defsite'])) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_external_fqdn']} vhost\n"; if (!empty($settings['reverse_https']) && empty($settings['reverse_https_port']) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:443 cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; if (!empty($settings['reverse_https']) && (!empty($settings['reverse_https_port'])) && (!empty($settings['reverse_https_defsite']))) $conf .= "https_port {$real_ifaces[$i][0]}:{$settings['reverse_https_port']} cert={$reverse_crt} key={$reverse_key} defaultsite={$settings['reverse_https_defsite']} vhost\n"; } } //PEERS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) $conf .= "cache_peer {$settings['reverse_owa_ip']} parent 443 0 proxy-only no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto name=OWA_HOST_pfs\n"; $contents = base64_decode($settings['reverse_cache_peer']); if(!empty($contents)) { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != '' && ($cfg[2]) != ''){ $conf .= "cache_peer {$cfg[1]} parent {$cfg[2]} 0 proxy-only no-query originserver "; if($cfg[3] == 'HTTPS') $conf .= "login=PASS ssl sslflags=DONT_VERIFY_PEER front-end-https=auto "; $conf .= "name={$cfg[0]}\n"; }}} //ACLs if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/owa.*$\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchange.*$\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/public.*$\n"; $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/exchwebexchweb.*$\n"; } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_activesync'] == 'on')) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/Microsoft-Server-ActiveSync.*$\n"; } if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip'])) && ($settings['reverse_owa_rpchttp'] == 'on')) { $conf .= "acl OWA_URI_pfs url_regex -i ^https://{$settings['reverse_external_fqdn']}/rpc/rpcproxy.dll.*$\n"; $conf .= "extension_methods RPC_IN_DATA RPC_OUT_DATA\n"; } $contents = base64_decode($settings['revrse_uri']); if(!empty($contents)) { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ if($cfg[2] != '') $conf .= "acl {$cfg[0]} url_regex -i {$cfg[2]}/{$cfg[1]}.*$\n"; if($cfg[2] == '') $conf .= "acl {$cfg[0]} url_regex -i {$settings['reverse_external_fqdn']}/{$cfg[1]}.*$\n"; }}} //ACCESS if (($settings['reverse_owa'] == 'on') && (!empty($settings['reverse_owa_ip']))) { $conf .= "cache_peer_access OWA_HOST_pfs allow OWA_URI_pfs\n"; $conf .= "cache_peer_access OWA_HOST_pfs deny all\n"; $conf .= "never_direct allow OWA_URI_pfs\n"; $conf .= "http_access allow OWA_URI_pfs\n"; } $contents = base64_decode($settings['reverse_acl']); if(!empty($contents)) { $defs = explode("\r\n", ($contents)); foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ $conf .= "cache_peer_access {$cfg[0]} allow {$cfg[1]}\n"; }} foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ $conf .= "cache_peer_access {$cfg[0]} deny all\n"; }} foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ $conf .= "never direct allow {$cfg[1]}\n"; }} foreach ($defs as $def) { $cfg = explode(";",($def)); if (($cfg[0]) != '' && ($cfg[1]) != ''){ $conf .= "http_access allow {$cfg[1]}\n"; }} } $conf .= "\n"; if (!empty($settings['deny_info_tcp_reset'])) $conf .= "deny_info TCP_RESET all\n"; return $conf; } function squid_resync_auth() { global $config, $valid_acls; $settings = $config['installedpackages']['squidauth']['config'][0]; $settingsnac = $config['installedpackages']['squidnac']['config'][0]; $settingsconfig = $config['installedpackages']['squid']['config'][0]; $conf = ''; // Custom Options if(!empty($config['installedpackages']['squid']['config'][0]['custom_options'])) { $custopts = explode(";", ($config['installedpackages']['squid']['config'][0]['custom_options'])); $conf .= "# Custom options\n"; foreach ($custopts as $custopt) { $conf .= $custopt."\n"; } } // Deny the banned guys before allowing the good guys if(! empty($settingsnac['banned_hosts'])) { if (squid_is_valid_acl('banned_hosts')) { $conf .= "# These hosts are banned\n"; $conf .= "http_access deny banned_hosts\n"; } } if(! empty($settingsnac['banned_macs'])) { if (squid_is_valid_acl('banned_macs')) { $conf .= "# These macs are banned\n"; $conf .= "http_access deny banned_macs\n"; } } // Unrestricted hosts take precendence over blacklist if(! empty($settingsnac['unrestricted_hosts'])) { if (squid_is_valid_acl('unrestricted_hosts')) { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_hosts\n"; } } if(! empty($settingsnac['unrestricted_macs'])) { if (squid_is_valid_acl('unrestricted_macs')) { $conf .= "# These hosts do not have any restrictions\n"; $conf .= "http_access allow unrestricted_macs\n"; } } // Whitelist and blacklist also take precendence over other allow rules if(! empty($settingsnac['whitelist'])) { if (squid_is_valid_acl('whitelist')) { $conf .= "# Always allow access to whitelist domains\n"; $conf .= "http_access allow whitelist\n"; } } if(! empty($settingsnac['blacklist'])) { if (squid_is_valid_acl('blacklist')) { $conf .= "# Block access to blacklist domains\n"; $conf .= "http_access deny blacklist\n"; } } $transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on'); $auth_method = (($settings['auth_method'] && !$transparent_proxy) ? $settings['auth_method'] : 'none'); // Allow the remaining ACLs if no authentication is set if ($auth_method == 'none') { $conf .="# Setup allowed acls\n"; $allowed = array('allowed_subnets'); if ($settingsconfig['allow_interface'] == 'on') { $conf .= "# Allow local network(s) on interface(s)\n"; $allowed[] = "localnet"; } $allowed = array_filter($allowed, 'squid_is_valid_acl'); foreach ($allowed as $acl) $conf .= "http_access allow $acl\n"; } else { $noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts']))); if (!empty($noauth)) { $conf .= "acl noauth src $noauth\n"; $valid_acls[] = 'noauth'; } // Set up the external authentication programs $auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 60); $processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5); $prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy'); switch ($auth_method) { case 'local': $conf .= 'auth_param basic program /usr/local/libexec/squid/ncsa_auth ' . SQUID_PASSWD . "\n"; break; case 'ldap': $port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : ''); $password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : ''); $conf .= "auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n"; break; case 'radius': $port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : ''); $conf .= "auth_param basic program /usr/local/libexec/squid/squid_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n"; break; case 'msnt': $conf .= "auth_param basic program /usr/local/libexec/squid/msnt_auth\n"; squid_resync_msnt(); break; } $conf .= << EOD; } else { $javascript = << EOD; } print($javascript); } function squid_print_javascript_auth2() { print("\n"); } function squid_generate_rules($type) { global $config; $squid_conf = $config['installedpackages']['squid']['config'][0]; if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) { return; } if (!is_service_running('squid')) { log_error("SQUID is installed but not started. Not installing \"{$type}\" rules."); return; } $ifaces = explode(",", $squid_conf['active_interface']); $ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ifaces); $port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128); $fw_aliases = filter_generate_aliases(); if(strstr($fw_aliases, "pptp =")) $PPTP_ALIAS = "\$pptp"; else $PPTP_ALIAS = "\$PPTP"; if(strstr($fw_aliases, "PPPoE =")) $PPPOE_ALIAS = "\$PPPoE"; else $PPPOE_ALIAS = "\$pppoe"; switch($type) { case 'nat': $rules .= "\n# Setup Squid proxy redirect\n"; if ($squid_conf['private_subnet_proxy_off'] == 'on') { foreach ($ifaces as $iface) { $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; } /* Handle PPPOE case */ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; } /* Handle PPTP case */ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n"; } } if (!empty($squid_conf['defined_ip_proxy_off'])) { $defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']); $exempt_ip = ""; foreach ($defined_ip_proxy_off as $ip_proxy_off) { if(!empty($ip_proxy_off)) { $ip_proxy_off = trim($ip_proxy_off); if (is_alias($ip_proxy_off)) $ip_proxy_off = '$'.$ip_proxy_off; $exempt_ip .= ", $ip_proxy_off"; } } $exempt_ip = substr($exempt_ip,2); foreach ($ifaces as $iface) { $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n"; } /* Handle PPPOE case */ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { $rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port 80\n"; } /* Handle PPTP case */ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { $rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port 80\n"; } } if (!empty($squid_conf['defined_ip_proxy_off_dest'])) { $defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']); $exempt_dest = ""; foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) { if(!empty($ip_proxy_off_dest)) { $ip_proxy_off_dest = trim($ip_proxy_off_dest); if (is_alias($ip_proxy_off_dest)) $ip_proxy_off_dest = '$'.$ip_proxy_off_dest; $exempt_dest .= ", $ip_proxy_off_dest"; } } $exempt_dest = substr($exempt_dest,2); foreach ($ifaces as $iface) { $rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port 80\n"; } /* Handle PPPOE case */ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { $rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port 80\n"; } /* Handle PPTP case */ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { $rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port 80\n"; } } foreach ($ifaces as $iface) { $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; } /* Handle PPPOE case */ if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) { $rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; } /* Handle PPTP case */ if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { $rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port " . $squid_conf['proxy_port'] . "\n"; } $rules .= "\n"; break; case 'filter': case 'rule': foreach ($ifaces as $iface) { $rules .= "# Setup squid pass rules for proxy\n"; $rules .= "pass in quick on $iface proto tcp from any to !($iface) port 80 flags S/SA keep state\n"; $rules .= "pass in quick on $iface proto tcp from any to !($iface) port $port flags S/SA keep state\n"; $rules .= "\n"; }; if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) { $rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; } if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) { $rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port $port flags S/SA keep state\n"; } break; default: break; } return $rules; } function squid_write_rcfile() { $rc = array(); $rc['file'] = 'squid.sh'; $rc['start'] = <</dev/null killall pinger 2>/dev/null EOD; $rc['restart'] = <<