2.0)
define('SQUID_LOCALBASE', '/usr/pbi/squid-' . php_uname("m"));
else
define('SQUID_LOCALBASE','/usr/local');
define('SQUID_CONFBASE', SQUID_LOCALBASE .'/etc/squid');
define('SQUID_CONFFILE', SQUID_CONFBASE . '/squid.conf');
define('SQUID_BASE', '/var/squid/');
define('SQUID_ACLDIR', '/var/squid/acl');
define('SQUID_PASSWD', '/var/etc/squid.passwd');
define('SQUID_LIB','/var/squid/lib');
define('SQUID_SSL_DB','/var/squid/lib/ssl_db');
$valid_acls = array();
$uname=posix_uname();
if ($uname['machine']=='amd64')
ini_set('memory_limit', '250M');
function sq_text_area_decode($text){
return preg_replace('/\r\n/', "\n",base64_decode($text));
}
function squid_get_real_interface_address($iface) {
global $config;
$iface = convert_friendly_interface_to_real_interface_name($iface);
$line = trim(shell_exec("ifconfig $iface | grep inet | grep -v inet6"));
list($dummy, $ip, $dummy2, $netmask) = explode(" ", $line);
return array($ip, long2ip(hexdec($netmask)));
}
function squid_chown_recursive($dir, $user, $group) {
chown($dir, $user);
chgrp($dir, $group);
$handle = opendir($dir) ;
while (($item = readdir($handle)) !== false) {
if (($item != ".") && ($item != "..")) {
$path = "$dir/$item";
// Recurse unless it's the cache dir, that is slow and rarely necessary.
if (is_dir($path) && (basename($dir) != "cache"))
squid_chown_recursive($path, $user, $group);
elseif (is_file($path)) {
chown($path, $user);
chgrp($path, $group);
}
}
}
}
/* setup cache */
function squid_dash_z() {
global $config;
//Do nothing if there is no cache config
if (!is_array($config['installedpackages']['squidcache']['config']))
return;
$settings = $config['installedpackages']['squidcache']['config'][0];
// If the cache system is null, there is no need to initialize the (irrelevant) cache dir.
if ($settings['harddisk_cache_system'] == "null")
return;
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
if(!is_dir($cachedir.'/')) {
log_error("Creating Squid cache dir $cachedir");
make_dirs($cachedir);
// Double check permissions here, should be safe to recurse cache dir if it's small here.
mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
}
if(!is_dir($cachedir.'/00/')) {
log_error("Creating squid cache subdirs in $cachedir");
mwexec(SQUID_LOCALBASE. "/sbin/squid -k shutdown -f " . SQUID_CONFFILE);
sleep(5);
mwexec(SQUID_LOCALBASE. "/sbin/squid -k kill -f " . SQUID_CONFFILE);
// Double check permissions here, should be safe to recurse cache dir if it's small here.
mwexec("/usr/sbin/chown -R proxy:proxy $cachedir");
mwexec(SQUID_LOCALBASE. "/sbin/squid -z -f " . SQUID_CONFFILE);
}
if(file_exists("/var/squid/cache/swap.state")) {
chown("/var/squid/cache/swap.state", "proxy");
chgrp("/var/squid/cache/swap.state", "proxy");
exec("chmod a+rw /var/squid/cache/swap.state");
}
}
function squid_is_valid_acl($acl) {
global $valid_acls;
if(!is_array($valid_acls))
return;
return in_array($acl, $valid_acls);
}
function squid_install_command() {
global $config;
global $g;
update_status("Checking if there is configuration to migrate... One moment please...");
/* migrate existing csv config fields */
if (is_array($config['installedpackages']['squidauth']['config']))
$settingsauth = $config['installedpackages']['squidauth']['config'][0];
if (is_array($config['installedpackages']['squidcache']['config']))
$settingscache = $config['installedpackages']['squidcache']['config'][0];
if (is_array($config['installedpackages']['squidnac']['config']))
$settingsnac = $config['installedpackages']['squidnac']['config'][0];
if (is_array($config['installedpackages']['squid']['config']))
$settingsgen = $config['installedpackages']['squid']['config'][0];
if (file_exists("/usr/local/pkg/check_ip.php"))
rename("/usr/local/pkg/check_ip.php",SQUID_LOCALBASE . "/libexec/squid/check_ip.php");
/* Set storage system */
if ($g['platform'] == "nanobsd") {
$config['installedpackages']['squidcache']['config'][0]['harddisk_cache_system'] = 'null';
}
/* migrate auth settings */
if (!empty($settingsauth['no_auth_hosts'])) {
if(strstr($settingsauth['no_auth_hosts'], ",")) {
$settingsauth['no_auth_hosts'] = base64_encode(implode("\n", explode(",", $settingsauth['no_auth_hosts'])));
$config['installedpackages']['squidauth']['config'][0]['no_auth_hosts'] = $settingsauth['no_auth_hosts'];
}
}
/* migrate cache settings */
if (!empty($settingscache['donotcache'])) {
if(strstr($settingscache['donotcache'], ",")) {
$settingscache['donotcache'] = base64_encode(implode("\n", explode(",", $settingscache['donotcache'])));
$config['installedpackages']['squidcache']['config'][0]['donotcache'] = $settingscache['donotcache'];
}
}
/* migrate nac settings */
if(! empty($settingsnac['allowed_subnets'])) {
if(strstr($settingsnac['allowed_subnets'], ",")) {
$settingsnac['allowed_subnets'] = base64_encode(implode("\n", explode(",", $settingsnac['allowed_subnets'])));
$config['installedpackages']['squidnac']['config'][0]['allowed_subnets'] = $settingsnac['allowed_subnets'];
}
}
if(! empty($settingsnac['banned_hosts'])) {
if(strstr($settingsnac['banned_hosts'], ",")) {
$settingsnac['banned_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_hosts'])));
$config['installedpackages']['squidnac']['config'][0]['banned_hosts'] = $settingsnac['banned_hosts'];
}
}
if(! empty($settingsnac['banned_macs'])) {
if(strstr($settingsnac['banned_macs'], ",")) {
$settingsnac['banned_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['banned_macs'])));
$config['installedpackages']['squidnac']['config'][0]['banned_macs'] = $settingsnac['banned_macs'];
}
}
if(! empty($settingsnac['unrestricted_hosts'])) {
if(strstr($settingsnac['unrestricted_hosts'], ",")) {
$settingsnac['unrestricted_hosts'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_hosts'])));
$config['installedpackages']['squidnac']['config'][0]['unrestricted_hosts'] = $settingsnac['unrestricted_hosts'];
}
}
if(! empty($settingsnac['unrestricted_macs'])) {
if(strstr($settingsnac['unrestricted_macs'], ",")) {
$settingsnac['unrestricted_macs'] = base64_encode(implode("\n", explode(",", $settingsnac['unrestricted_macs'])));
$config['installedpackages']['squidnac']['config'][0]['unrestricted_macs'] = $settingsnac['unrestricted_macs'];
}
}
if(! empty($settingsnac['whitelist'])) {
if(strstr($settingsnac['whitelist'], ",")) {
$settingsnac['whitelist'] = base64_encode(implode("\n", explode(",", $settingsnac['whitelist'])));
$config['installedpackages']['squidnac']['config'][0]['whitelist'] = $settingsnac['whitelist'];
}
}
if(! empty($settingsnac['blacklist'])) {
if(strstr($settingsnac['blacklist'], ",")) {
$settingsnac['blacklist'] = base64_encode(implode("\n", explode(",", $settingsnac['blacklist'])));
$config['installedpackages']['squidnac']['config'][0]['blacklist'] = $settingsnac['blacklist'];
}
}
if(! empty($settingsnac['block_user_agent'])) {
if(strstr($settingsnac['block_user_agent'], ",")) {
$settingsnac['block_user_agent'] = base64_encode(implode("\n", explode(",", $settingsnac['block_user_agent'])));
$config['installedpackages']['squidnac']['config'][0]['block_user_agent'] = $settingsnac['block_user_agent'];
}
}
if(! empty($settingsnac['block_reply_mime_type'])) {
if(strstr($settingsnac['block_reply_mime_type'], ",")) {
$settingsnac['block_reply_mime_type'] = base64_encode(implode("\n", explode(",", $settingsnac['block_reply_mime_type'])));
$config['installedpackages']['squidnac']['config'][0]['block_reply_mime_type'] = $settingsnac['block_reply_mime_type'];
}
}
/*Migrate reverse settings*/
if (is_array($config['installedpackages']['squidreverse'])){
$old_reverse_settings=$config['installedpackages']['squidreverse']['config'][0];
//Settings
if (!is_array($config['installedpackages']['squidreversegeneral'])){
$config['installedpackages']['squidreversegeneral']['config'][0]=$old_reverse_settings;
unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_cache_peer']);
unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_uri']);
unset ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_acl']);
}
//PEERS
if (!is_array($config['installedpackages']['squidreversepeer'])){
foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_cache_peer'])) as $cache_peers)
foreach (explode(";",$cache_peers) as $cache_peer)
$config['installedpackages']['squidreversepeer']['config'][]=array('description'=>'migrated',
'enable'=> 'on',
'name'=> $cache_peer[0],
'port'=> $cache_peer[1],
'protocol' => $cache_peer[2]);
}
//MAPPINGS
if (!is_array($config['installedpackages']['squidreverseuri'])){
foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_acl'])) as $acls){
foreach (explode(";",$acls) as $acl)
array_push(${'peer_'.$acl[0]},$acl[1]);
}
foreach (explode("\n",sq_text_area_decode($old_reverse_settings['reverse_uri'])) as $uris)
foreach (explode(";",$uris) as $uri){
$peer_list=(is_array(${'peer_'.$uri[0]})?implode(",",${'peer_'.$uri[0]}):"");
$config['installedpackages']['squidreverseuri']['config'][]=array('description'=>'migrated',
'enable'=> 'on',
'name'=> $uri[0],
'uri'=> $uri[1],
'vhost' => $uri[2],
'peers'=>$peer_list);
}
}
}
update_status("Writing configuration... One moment please...");
write_config();
/* create cache */
update_status("Creating squid cache pools... One moment please...");
squid_dash_z();
/* make sure pinger is executable */
if(file_exists(SQUID_LOCALBASE. "/libexec/squid/pinger"))
exec("/bin/chmod a+x ". SQUID_LOCALBASE. "/libexec/squid/pinger");
if(file_exists("/usr/local/etc/rc.d/squid"))
exec("/bin/rm /usr/local/etc/rc.d/squid");
squid_write_rcfile();
if(file_exists("/usr/local/pkg/swapstate_check.php"))
exec("/bin/chmod a+x /usr/local/pkg/swapstate_check.php");
write_rcfile(array(
"file" => "sqp_monitor.sh",
"start" => "/usr/local/pkg/sqpmon.sh &",
"stop" => "ps awux | grep \"sqpmon\" | grep -v \"grep\" | grep -v \"php\" | awk '{ print $2 }' | xargs kill"));
foreach (array( SQUID_CONFBASE,
SQUID_ACLDIR,
SQUID_BASE,
SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
make_dirs($dir);
squid_chown_recursive($dir, 'proxy', 'proxy');
}
/* kill any running proxy alarm scripts */
update_status("Checking for running processes... One moment please...");
log_error("Stopping any running proxy monitors");
mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
sleep(1);
if (!file_exists(SQUID_CONFBASE . '/mime.conf') && file_exists(SQUID_CONFBASE . '/mime.conf.default'))
copy(SQUID_CONFBASE . '/mime.conf.default', SQUID_CONFBASE . '/mime.conf');
update_status("Checking cache... One moment please...");
squid_dash_z();
if (!is_service_running('squid')) {
update_status("Starting... One moment please...");
log_error("Starting Squid");
mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -f " . SQUID_CONFFILE);
} else {
update_status("Reloading Squid for configuration sync... One moment please...");
log_error("Reloading Squid for configuration sync");
mwexec_bg(SQUID_LOCALBASE. "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
}
/* restart proxy alarm scripts */
log_error("Starting a proxy monitor script");
mwexec_bg("/usr/local/etc/rc.d/sqp_monitor.sh start");
update_status("Reconfiguring filter... One moment please...");
filter_configure();
}
function squid_deinstall_command() {
global $config, $g;
$plswait_txt = "This operation may take quite some time, please be patient. Do not press stop or attempt to navigate away from this page during this process.";
squid_install_cron(false);
if (is_array($config['installedpackages']['squidcache']))
$settings = $config['installedpackages']['squidcache']['config'][0];
else
$settings = array();
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
update_status("Removing swap.state ... One moment please...");
update_output_window("$plswait_txt");
mwexec('rm -rf $cachedir/swap.state');
mwexec('rm -rf $logdir');
update_status("Finishing package cleanup.");
mwexec("/usr/local/etc/rc.d/sqp_monitor.sh stop");
mwexec('rm -f /usr/local/etc/rc.d/sqp_monitor.sh');
mwexec("ps awux | grep \"squid\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
mwexec("ps awux | grep \"dnsserver\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
mwexec("ps awux | grep \"unlinkd\" | grep -v \"grep\" | awk '{ print $2 }' | xargs kill");
update_status("Reloading filter...");
filter_configure();
}
function squid_before_form_general($pkg) {
$values = get_dir(SQUID_CONFBASE . '/errors/');
// Get rid of '..' and '.' and ...
array_shift($values);
array_shift($values);
array_shift($values);
array_shift($values);
$name = array();
foreach ($values as $value)
$names[] = implode(" ", explode("_", $value));
$i = 0;
foreach ($pkg['fields']['field'] as $field) {
if ($field['fieldname'] == 'error_language')
break;
$i++;
}
$field = &$pkg['fields']['field'][$i];
for ($i = 0; $i < count($values) - 1; $i++)
$field['options']['option'][] = array('name' => $names[$i], 'value' => $values[$i]);
}
function squid_validate_general($post, $input_errors) {
global $config;
if (is_array($config['installedpackages']['squid']))
$settings = $config['installedpackages']['squid']['config'][0];
else
$settings = array();
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$port = $post['proxy_port'] ? $post['proxy_port'] : $port;
$icp_port = trim($post['icp_port']);
if (!empty($icp_port) && !is_port($icp_port))
$input_errors[] = 'You must enter a valid port number in the \'ICP port\' field';
if (substr($post['log_dir'], -1, 1) == '/')
$input_errors[] = 'You may not end log location with an / mark';
if ($post['log_dir']{0} != '/')
$input_errors[] = 'You must start log location with a / mark';
if (strlen($post['log_dir']) <= 3)
$input_errors[] = "That is not a valid log location dir";
$log_rotate = trim($post['log_rotate']);
if (!empty($log_rotate) && (!is_numeric($log_rotate) or ($log_rotate < 1)))
$input_errors[] = 'You must enter a valid number of days in the \'Log rotate\' field';
$webgui_port = $config['system']['webgui']['port'];
if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "http")) {
$webgui_port = 80;
}
if(($config['system']['webgui']['port'] == "") && ($config['system']['webgui']['protocol'] == "https")) {
$webgui_port = 443;
}
if (($post['transparent_proxy'] != 'on') && ($port == $webgui_port)) {
$input_errors[] = "You can not run squid on the same port as the webgui";
}
if (($post['ssl_proxy'] == 'on') && ( $post['dca'] == '')) {
$input_errors[] = "SSL interception cannot be enabled without a CA.";
}
foreach (array('defined_ip_proxy_off') as $hosts) {
foreach (explode(";", $post[$hosts]) as $host) {
$host = trim($host);
if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
$input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
}
}
foreach (array('defined_ip_proxy_off_dest') as $hosts) {
foreach (explode(";", $post[$hosts]) as $host) {
$host = trim($host);
if (!empty($host) && !is_ipaddr($host) && !is_alias($host) && !is_hostname($host) && !is_subnet($host))
$input_errors[] = "The entry '$host' is not a valid IP address, hostname, or alias";
}
}
if(!empty($post['dns_nameservers'])) {
$altdns = explode(";", ($post['dns_nameservers']));
foreach ($altdns as $dnssrv) {
if (!is_ipaddr($dnssrv))
$input_errors[] = 'You must enter a valid IP address in the \'Alternate DNS servers\' field';
break;
}}
}
function squid_validate_upstream($post, $input_errors) {
if ($post['enabled'] == 'on') {
$addr = trim($post['proxyaddr']);
if (empty($addr))
$input_errors[] = 'The field \'Hostname\' is required';
else {
if (!is_ipaddr($addr) && !is_domain($addr))
$input_errors[] = 'You must enter a valid IP address or host name in the \'Proxy hostname\' field';
}
foreach (array('proxyport' => 'TCP port', 'icpport' => 'ICP port') as $field => $name) {
$port = trim($post[$field]);
if (empty($port))
$input_errors[] = "The field '$name' is required";
else {
if (!is_port($port))
$input_errors[] = "The field '$name' must contain a valid port number, between 0 and 65535";
}
}
}
}
function squid_validate_cache($post, $input_errors) {
$num_fields = array( 'harddisk_cache_size' => 'Hard disk cache size',
'memory_cache_size' => 'Memory cache size',
'maximum_object_size' => 'Maximum object size',
);
foreach ($num_fields as $field => $name) {
$value = trim($post[$field]);
if (!is_numeric($value) || ($value < 0))
$input_errors[] = "You must enter a valid value for '$field'";
}
$value = trim($post['minimum_object_size']);
if (!is_numeric($value) || ($value < 0))
$input_errors[] = 'You must enter a valid value for \'Minimum object size\'';
if (!empty($post['cache_swap_low'])) {
$value = trim($post['cache_swap_low']);
if (!is_numeric($value) || ($value > 100))
$input_errors[] = 'You must enter a valid value for \'Low-water-mark\'';
}
if (!empty($post['cache_swap_high'])) {
$value = trim($post['cache_swap_high']);
if (!is_numeric($value) || ($value > 100))
$input_errors[] = 'You must enter a valid value for \'High-water-mark\'';
}
if ($post['donotcache'] != "") {
foreach (split("\n", $post['donotcache']) as $host) {
$host = trim($host);
if (!is_ipaddr($host) && !is_domain($host))
$input_errors[] = "The host '$host' is not a valid IP or host name";
}
}
squid_dash_z();
}
function squid_validate_nac($post, $input_errors) {
$allowed_subnets = explode("\n", $post['allowed_subnets']);
foreach ($allowed_subnets as $subnet) {
$subnet = trim($subnet);
if (!empty($subnet) && !is_subnet($subnet))
$input_errors[] = "The subnet '$subnet' is not a valid CIDR range";
}
foreach (array( 'unrestricted_hosts', 'banned_hosts') as $hosts) {
if (preg_match_all("@([0-9.]+)(/[0-9.]+|)@",$_POST[$hosts],$matches)){
for ($x=0;$x < count($matches[1]);$x++){
if ($matches[2][$x] == ""){
if (!is_ipaddr($matches[1][$x]))
$input_errors[] = "'{$matches[1][$x]}' is not a valid IP address";
}
else{
if (!is_subnet($matches[0][$x]))
$input_errors[] = "The subnet '{$matches[0][$x]}' is not a valid CIDR range";
}
}
}
}
foreach (array('unrestricted_macs', 'banned_macs') as $macs) {
foreach (explode("\n", $post[$macs]) as $mac) {
$mac = trim($mac);
if (!empty($mac) && !is_macaddr($mac))
$input_errors[] = "The mac '$mac' is not a valid MAC address";
}
}
foreach (explode(",", $post['timelist']) as $time) {
$time = trim($time);
if (!empty($time) && !squid_is_timerange($time))
$input_errors[] = "The time range '$time' is not a valid time range";
}
if(!empty($post['ext_cachemanager'])) {
$extmgr = explode(";", ($post['ext_cachemanager']));
foreach ($extmgr as $mgr) {
if (!is_ipaddr($mgr))
$input_errors[] = 'You must enter a valid IP address in the \'External Cache Manager\' field';
}}
}
function squid_validate_traffic($post, $input_errors) {
$num_fields = array( 'max_download_size' => 'Maximum download size',
'max_upload_size' => 'Maximum upload size',
'perhost_throttling' => 'Per-host bandwidth throttling',
'overall_throttling' => 'Overall bandwidth throttling',
);
foreach ($num_fields as $field => $name) {
$value = trim($post[$field]);
if (!is_numeric($value) || ($value < 0))
$input_errors[] = "The field '$name' must contain a positive number";
}
if (!empty($post['quick_abort_min'])) {
$value = trim($post['quick_abort_min']);
if (!is_numeric($value))
$input_errors[] = "The field 'Finish when remaining KB' must contain a positive number";
}
if (!empty($post['quick_abort_max'])) {
$value = trim($post['quick_abort_max']);
if (!is_numeric($value))
$input_errors[] = "The field 'Abort when remaining KB' must contain a positive number";
}
if (!empty($post['quick_abort_pct'])) {
$value = trim($post['quick_abort_pct']);
if (!is_numeric($value) || ($value > 100))
$input_errors[] = "The field 'Finish when remaining %' must contain a percentage";
}
}
function squid_validate_reverse($post, $input_errors) {
if(!empty($post['reverse_ip'])) {
$reverse_ip = explode(";", ($post['reverse_ip']));
foreach ($reverse_ip as $reip) {
if (!is_ipaddr($reip))
$input_errors[] = 'You must enter a valid IP address in the \'User-defined reverse-proxy IPs\' field';
break;
}}
$fqdn = trim($post['reverse_external_fqdn']);
if (!empty($fqdn) && !is_domain($fqdn))
$input_errors[] = 'The field \'external FQDN\' must contain a valid domain name';
$port = trim($post['reverse_http_port']);
if (!empty($port) && !is_port($port))
$input_errors[] = 'The field \'reverse HTTP port\' must contain a valid port number';
$port = trim($post['reverse_https_port']);
if (!empty($port) && !is_port($port))
$input_errors[] = 'The field \'reverse HTTPS port\' must contain a valid port number';
if ($post['reverse_ssl_cert'] == 'none')
$input_errors[] = 'A valid certificate for the external interface must be selected';
if (($post['reverse_https'] != 'on') && ($post['reverse_owa'] == 'on')) {
$input_errors[] = "You have to enable reverse HTTPS before enabling OWA support.";
}
/*
if (!is_cert($post['reverse_int_ca']))
$input_errors[] = 'A valid certificate for the external interface must be selected';
*/
$rowa = trim($post['reverse_owa_ip']);
if (!empty($rowa) && !is_ipaddr($rowa))
$input_errors[] = 'The field \'OWA frontend IP address\' must contain a valid IP address';
$contents = $post['reverse_cache_peer'];
if(!empty($contents)) {
$defs = explode("\r\n", ($contents));
foreach ($defs as $def) {
$cfg = explode(";",($def));
if (!is_ipaddr($cfg[1]))
$input_errors[] = "please choose a valid IP in the cache peer configuration.";
if (!is_port($cfg[2]))
$input_errors[] = "please choose a valid port in the cache peer configuration.";
if (($cfg[3] != 'HTTPS') && ($cfg[3] != 'HTTP'))
$input_errors[] = "please choose HTTP or HTTPS in the cache peer configuration.";
}}
}
function squid_validate_auth($post, $input_errors) {
$num_fields = array( array('auth_processes', 'Authentication processes', 1),
array('auth_ttl', 'Authentication TTL', 0),
);
foreach ($num_fields as $field) {
$value = trim($post[$field[0]]);
if (!empty($value) && (!is_numeric($value) || ($value < $field[2])))
$input_errors[] = "The field '{$field[1]}' must contain a valid number greater than {$field[2]}";
}
$auth_method = $post['auth_method'];
if (($auth_method != 'none') && ($auth_method != 'local') && ($auth_method != 'cp')) {
$server = trim($post['auth_server']);
if (empty($server))
$input_errors[] = 'The field \'Authentication server\' is required';
else if (!is_ipaddr($server) && !is_domain($server))
$input_errors[] = 'The field \'Authentication server\' must contain a valid IP address or domain name';
$port = trim($post['auth_server_port']);
if (!empty($port) && !is_port($port))
$input_errors[] = 'The field \'Authentication server port\' must contain a valid port number';
switch ($auth_method) {
case 'ldap':
$user = trim($post['ldap_user']);
if (empty($user))
$input_errors[] = 'The field \'LDAP server user DN\' is required';
else if (!$user)
$input_errors[] = 'The field \'LDAP server user DN\' must be a valid domain name';
break;
case 'radius':
$secret = trim($post['radius_secret']);
if (empty($secret))
$input_errors[] = 'The field \'RADIUS secret\' is required';
break;
case 'msnt':
foreach (explode(",", trim($post['msnt_secondary'])) as $server) {
if (!empty($server) && !is_ipaddr($server) && !is_domain($server))
$input_errors[] = "The host '$server' is not a valid IP address or domain name";
}
break;
}
$no_auth = explode("\n", $post['no_auth_hosts']);
foreach ($no_auth as $host) {
$host = trim($host);
if (!empty($host) && !is_subnet($host))
$input_errors[] = "The host '$host' is not a valid CIDR range";
}
}
}
function squid_install_cron($should_install) {
global $config, $g;
if($g['booting']==true)
return;
$rotate_is_installed = false;
$swapstate_is_installed = false;
if(!$config['cron']['item'])
return;
if (is_array($config['installedpackages']['squidcache']))
$settings = $config['installedpackages']['squidcache']['config'][0];
else
$settings = array();
$x=0;
$rotate_job_id=-1;
$swapstate_job_id=-1;
foreach($config['cron']['item'] as $item) {
if(strstr($item['task_name'], "squid_rotate_logs")) {
$rotate_job_id = $x;
} elseif(strstr($item['task_name'], "squid_check_swapstate")) {
$swapstate_job_id = $x;
}
$x++;
}
$need_write = false;
switch($should_install) {
case true:
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
if($rotate_job_id < 0) {
$cron_item = array();
$cron_item['task_name'] = "squid_rotate_logs";
$cron_item['minute'] = "0";
$cron_item['hour'] = "0";
$cron_item['mday'] = "*";
$cron_item['month'] = "*";
$cron_item['wday'] = "*";
$cron_item['who'] = "root";
$cron_item['command'] = "/bin/rm {$cachedir}/swap.state; ". SQUID_LOCALBASE."/sbin/squid -k rotate -f " . SQUID_CONFFILE;
/* Add this cron_item as a new entry at the end of the item array. */
$config['cron']['item'][] = $cron_item;
$need_write = true;
}
if($swapstate_job_id < 0) {
$cron_item = array();
$cron_item['task_name'] = "squid_check_swapstate";
$cron_item['minute'] = "*/15";
$cron_item['hour'] = "*";
$cron_item['mday'] = "*";
$cron_item['month'] = "*";
$cron_item['wday'] = "*";
$cron_item['who'] = "root";
$cron_item['command'] = "/usr/local/pkg/swapstate_check.php";
/* Add this cron_item as a new entry at the end of the item array. */
$config['cron']['item'][] = $cron_item;
$need_write = true;
}
if ($need_write) {
parse_config(true);
write_config("Adding Squid Cron Jobs");
}
break;
case false:
if($rotate_job_id >= 0) {
unset($config['cron']['item'][$rotate_job_id]);
$need_write = true;
}
if($swapstate_job_id >= 0) {
unset($config['cron']['item'][$swapstate_job_id]);
$need_write = true;
}
if ($need_write) {
parse_config(true);
write_config("Removing Squid Cron Jobs");
}
break;
}
configure_cron();
}
function squid_check_ca_hashes(){
global $config,$g;
#check certificates
$cert_count=0;
if (is_dir(SQUID_LOCALBASE. '/share/certs'))
if ($handle = opendir(SQUID_LOCALBASE.'/share/certs')) {
while (false !== ($file = readdir($handle)))
if (preg_match ("/\d+.0/",$file))
$cert_count++;
}
closedir($handle);
if ($cert_count < 10){
conf_mount_rw();
#create ca-root hashes from ca-root-nss package
log_error("Creating root certificate bundle hashes from the Mozilla Project");
$cas=file(SQUID_LOCALBASE.'/share/certs/ca-root-nss.crt');
$cert=0;
foreach ($cas as $ca){
if (preg_match("/--BEGIN CERTIFICATE--/",$ca))
$cert=1;
if ($cert == 1)
$crt.=$ca;
if (preg_match("/-END CERTIFICATE-/",$ca)){
file_put_contents("/tmp/cert.pem",$crt, LOCK_EX);
$cert_hash=array();
exec("/usr/bin/openssl x509 -hash -noout -in /tmp/cert.pem",$cert_hash);
file_put_contents(SQUID_LOCALBASE."/share/certs/".$cert_hash[0].".0",$crt,LOCK_EX);
$crt="";
$cert=0;
}
}
}
}
function squid_resync_general() {
global $g, $config, $valid_acls;
if (is_array($config['installedpackages']['squid']))
$settings = $config['installedpackages']['squid']['config'][0];
else
$settings=array();
$conf = "# This file is automatically generated by pfSense\n";
$conf .= "# Do not edit manually !\n\n";
#Check ssl interception
if (($settings['ssl_proxy'] == 'on')) {
squid_check_ca_hashes();
$srv_cert = lookup_ca($settings["dca"]);
if ($srv_cert != false) {
if(base64_decode($srv_cert['prv'])) {
#check if ssl_db was initilized by squid
if (! file_exists("/var/squid/lib/ssl_db/serial")){
if (is_dir("/var/squid/lib/ssl_db")){
mwexec("/bin/rm -rf /var/squid/lib/ssl_db");
}
mwexec(SQUID_LOCALBASE."/libexec/squid/ssl_crtd -c -s /var/squid/lib/ssl_db/");
}
#force squid user permission on /var/squid/lib/ssl_db/
squid_chown_recursive("/var/squid/lib/ssl_db/", 'proxy', 'proxy');
# cert, key, version, cipher,options, clientca, cafile, capath, crlfile, dhparams,sslflags, and sslcontext
$crt_pk=SQUID_CONFBASE."/serverkey.pem";
$crt_capath=SQUID_LOCALBASE."/share/certs/";
file_put_contents($crt_pk,base64_decode($srv_cert['prv']).base64_decode($srv_cert['crt']));
$sslcrtd_children= ($settings['sslcrtd_children'] ? $settings['sslcrtd_children'] : 5);
$ssl_interception.="ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=".($sslcrtd_children*2)."MB cert={$crt_pk} capath={$crt_capath}\n";
$interception_checks = "sslcrtd_program ".SQUID_LOCALBASE."/libexec/squid/ssl_crtd -s /var/squid/lib/ssl_db -M 4MB -b 2048\n";
$interception_checks .= "sslcrtd_children {$sslcrtd_children}\n";
$interception_checks .= "sslproxy_capath {$crt_capath}\n";
if (preg_match("/sslproxy_cert_error/",$settings["interception_checks"]))
$interception_checks.="sslproxy_cert_error allow all\n";
if (preg_match("/sslproxy_flags/",$settings["interception_checks"]))
$interception_checks.="sslproxy_flags DONT_VERIFY_PEER\n";
if ($settings["interception_adapt"] != ""){
foreach (explode(",",$settings["interception_adapt"]) as $adapt)
$interception_checks.="sslproxy_cert_adapt {$adapt} all\n";
}
}
}
}
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
#Read assigned interfaces
$real_ifaces = array();
if($settings['active_interface'])
$proxy_ifaces = explode(",", $settings['active_interface']);
else
$proxy_ifaces=array("lan");
if ($settings['transparent_proxy']=="on"){
$transparent_ifaces = explode(",", $settings['transparent_active_interface']);
foreach ($transparent_ifaces as $t_iface){
$t_iface_ip = squid_get_real_interface_address($t_iface);
if($t_iface_ip[0])
$real_ifaces[]=$t_iface_ip;
}
}
else{
$transparent_ifaces=array();
}
if ($settings['ssl_proxy']=="on"){
$ssl_ifaces = explode(",", $settings['ssl_active_interface']);
foreach ($ssl_ifaces as $s_iface){
$s_iface_ip = squid_get_real_interface_address($s_iface);
if($s_iface_ip[0])
$real_ifaces[]=$s_iface_ip;
}
}
else{
$ssl_ifaces=array();
}
#check all proxy interfaces selected
foreach ($proxy_ifaces as $iface) {
$iface_ip = squid_get_real_interface_address($iface);
if($iface_ip[0]) {
$real_ifaces[]=$iface_ip;
if (in_array($iface,$ssl_ifaces))
$conf .= "http_port {$iface_ip[0]}:{$port} {$ssl_interception}\n";
else
$conf .= "http_port {$iface_ip[0]}:{$port}\n";
}
}
if (($settings['transparent_proxy'] == 'on')) {
if ($settings['ssl_proxy'] == "on" && count($ssl_ifaces)>0){
$conf .= "http_port 127.0.0.1:{$port} intercept {$ssl_interception}\n";
$conf .= "https_port 127.0.0.1:{$ssl_port} intercept {$ssl_interception}\n";
}
else{
$conf .= "http_port 127.0.0.1:{$port} intercept\n";
}
}
$icp_port = ($settings['icp_port'] ? $settings['icp_port'] : 7);
$dns_v4_first= ($settings['dns_v4_first'] == "on" ? "on" : "off" );
$pidfile = "{$g['varrun_path']}/squid.pid";
$language = ($settings['error_language'] ? $settings['error_language'] : 'en');
$icondir = SQUID_CONFBASE . '/icons';
$hostname = ($settings['visible_hostname'] ? $settings['visible_hostname'] : 'localhost');
$email = ($settings['admin_email'] ? $settings['admin_email'] : 'admin@localhost');
$logdir = ($settings['log_dir'] ? $settings['log_dir'] : '/var/squid/logs');
if (! is_dir($logdir)){
make_dirs($logdir);
squid_chown_recursive($logdir, 'proxy', 'proxy');
}
$logdir_cache = $logdir . '/cache.log';
$logdir_access = ($settings['log_enabled'] == 'on' ? $logdir . '/access.log' : '/dev/null');
$conf .= <<< EOD
icp_port {$icp_port}
dns_v4_first {$dns_v4_first}
pid_filename {$pidfile}
cache_effective_user proxy
cache_effective_group proxy
error_default_language {$language}
icon_directory {$icondir}
visible_hostname {$hostname}
cache_mgr {$email}
access_log {$logdir_access}
cache_log {$logdir_cache}
cache_store_log none
{$interception_checks}
EOD;
// Per squid docs, setting logfile_rotate to 0 is safe and causes a simple close/reopen.
// Rotating also ensures that swap.state is rewritten, so is useful even if the logs
// are not being rotated.
$rotate = empty($settings['log_rotate']) ? 0 : $settings['log_rotate'];
$conf .= "logfile_rotate {$rotate}\n";
squid_install_cron(true);
$conf .= <<< EOD
shutdown_lifetime 3 seconds
EOD;
if ($settings['allow_interface'] == 'on') {
$src = '';
foreach ($real_ifaces as $iface) {
list($ip, $mask) = $iface;
$ip = long2ip(ip2long($ip) & ip2long($mask));
$mask = 32-log((ip2long($mask) ^ ip2long('255.255.255.255'))+1,2);
if (!preg_match("@$ip/$mask@",$src))
$src .= " $ip/$mask";
}
$conf .= "# Allow local network(s) on interface(s)\n";
$conf .= "acl localnet src $src\n";
$valid_acls[] = 'localnet';
}
if ($settings['disable_xforward']) $conf .= "forwarded_for off\n";
if ($settings['disable_via']) $conf .= "via off\n";
if ($settings['disable_squidversion']) $conf .= "httpd_suppress_version_string on\n";
if (!empty($settings['uri_whitespace'])) $conf .= "uri_whitespace {$settings['uri_whitespace']}\n";
else $conf .= "uri_whitespace strip\n"; //only used for first run
if(!empty($settings['dns_nameservers'])) {
$altdns = explode(";", ($settings['dns_nameservers']));
$conf .= "dns_nameservers ";
foreach ($altdns as $dnssrv) {
$conf .= $dnssrv." ";
}
// $conf .= "\n"; //Kill blank line after DNS-Servers
}
return $conf;
}
function squid_resync_cache() {
global $config, $g;
if (is_array($config['installedpackages']['squidcache']))
$settings = $config['installedpackages']['squidcache']['config'][0];
else
$settings = array();
//apply cache settings
$cachedir =($settings['harddisk_cache_location'] ? $settings['harddisk_cache_location'] : '/var/squid/cache');
$disk_cache_size = ($settings['harddisk_cache_size'] ? $settings['harddisk_cache_size'] : 100);
$level1 = ($settings['level1_subdirs'] ? $settings['level1_subdirs'] : 16);
$memory_cache_size = ($settings['memory_cache_size'] ? $settings['memory_cache_size'] : 8);
$max_objsize = ($settings['maximum_object_size'] ? $settings['maximum_object_size']." KB" : "10 KB");
$min_objsize = ($settings['minimum_object_size'] ? $settings['minimum_object_size'] : 0);
$max_objsize_in_mem = ($settings['maximum_objsize_in_mem'] ? $settings['maximum_objsize_in_mem'] : 32);
$cache_policy = ($settings['cache_replacement_policy'] ? $settings['cache_replacement_policy'] : 'heap LFUDA');
$memory_policy = ($settings['memory_replacement_policy'] ? $settings['memory_replacement_policy'] : 'heap GDSF');
$offline_mode = ($settings['enable_offline'] == 'on' ? 'on' : 'off');
$conf = '';
if (!isset($settings['harddisk_cache_system'])) {
if ($g['platform'] == "nanobsd" || !is_array ($config['installedpackages']['squidcache']['config']))
$disk_cache_system = 'null';
else
$disk_cache_system = 'ufs';
}
else{
$disk_cache_system = $settings['harddisk_cache_system'];
}
#'null' storage type dropped. In-memory cache is always present. Remove all cache_dir options to prevent on-disk caching.
if ($disk_cache_system != "null") {
$disk_cache_opts = "cache_dir {$disk_cache_system} {$cachedir} {$disk_cache_size} {$level1} 256";
}
//check dynamic content
if(empty($settings['cache_dynamic_content'])){
$conf.='acl dynamic urlpath_regex cgi-bin \?'."\n";
$conf.="cache deny dynamic\n";
}
else{
if(preg_match('/youtube/',$settings['refresh_patterns'])){
$conf.=<<< EOC
# Break HTTP standard for flash videos. Keep them in cache even if asked not to.
refresh_pattern -i \.flv$ 10080 90% 999999 ignore-no-cache override-expire ignore-private
# Let the clients favorite video site through with full caching
acl youtube dstdomain .youtube.com
cache allow youtube
EOC;
}
if(preg_match('/windows/',$settings['refresh_patterns'])){
$conf.=<<< EOC
# Windows Update refresh_pattern
range_offset_limit -1
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i my.windowsupdate.website.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
EOC;
}
if(preg_match('/symantec/',$settings['refresh_patterns'])){
$conf.=<<< EOC
# Symantec refresh_pattern
range_offset_limit -1
refresh_pattern liveupdate.symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
refresh_pattern symantecliveupdate.com/.*\.(cab|exe|dll|msi) 10080 100% 43200 reload-into-ims
EOC;
}
if(preg_match('/avast/',$settings['refresh_patterns'])){
$conf.=<<< EOC
# Avast refresh_pattern
range_offset_limit -1
refresh_pattern avast.com/.*\.(vpu|cab|stamp|exe) 10080 100% 43200 reload-into-ims
EOC;
}
if(preg_match('/avira/',$settings['refresh_patterns'])){
$conf.=<<< EOC
# Avira refresh_pattern
range_offset_limit -1
refresh_pattern personal.avira-update.com/.*\.(cab|exe|dll|msi|gz) 10080 100% 43200 reload-into-ims
EOC;
}
$refresh_conf=<<< EOC
# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
EOC;
}
If ($settings['custom_refresh_patterns'] !="")
$conf .= sq_text_area_decode($settings['custom_refresh_patterns'])."\n";
$conf .= <<< EOD
cache_mem $memory_cache_size MB
maximum_object_size_in_memory {$max_objsize_in_mem} KB
memory_replacement_policy {$memory_policy}
cache_replacement_policy {$cache_policy}
$disk_cache_opts
minimum_object_size {$min_objsize} KB
maximum_object_size {$max_objsize}
offline_mode {$offline_mode}
EOD;
if (!empty($settings['cache_swap_low'])) $conf .= "cache_swap_low {$settings['cache_swap_low']}\n";
if (!empty($settings['cache_swap_high'])) $conf .= "cache_swap_high {$settings['cache_swap_high']}\n";
$donotcache = sq_text_area_decode($settings['donotcache']);
if (!empty($donotcache)) {
file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
$conf .= "cache deny donotcache\n";
}
elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
unlink(SQUID_ACLDIR . '/donotcache.acl');
}
$conf .= "cache allow all\n";
return $conf.$refresh_conf;
}
function squid_resync_upstream() {
global $config;
$conf = "\n#Remote proxies\n";
if (is_array($config['installedpackages']['squidremote']['config']))
foreach ($config['installedpackages']['squidremote']['config'] as $settings){
if ($settings['enable'] == 'on') {
$conf .= "cache_peer {$settings['proxyaddr']} {$settings['hierarchy']} {$settings['proxyport']} ";
if ($settings['icpport'] == '7')
$conf .= "{$settings['icpport']} {$settings['icpoptions']} {$settings['peermethod']} {$settings['allowmiss']} ";
else
$conf .= "{$settings['icpport']} ";
#auth settings
if (!empty($settings['username']) && !empty($settings['password'])){
$conf .= " login={$settings['username']}:{$settings['password']}";
}
else{
$conf .= "{$settings['authoption']} ";
}
#other options settings
if (!empty($settings['weight']))
$conf .= "weight={$settings['weight']} ";
if (!empty($settings['basetime']))
$conf .= "basetime={$settings['basetime']} ";
if (!empty($settings['ttl']))
$conf .= "ttl={$settings['ttl']} ";
if (!empty($settings['nodelay']))
$conf .= "no-delay";
}
$conf .= "\n";
}
return $conf;
}
function squid_resync_redirector() {
global $config;
$httpav_enabled = ($config['installedpackages']['clamav']['config'][0]['scan_http'] == 'on');
if ($httpav_enabled) {
$conf = "url_rewrite_program /usr/local/bin/squirm\n";
} else {
$conf = "# No redirector configured\n";
}
return $conf;
}
function squid_resync_nac() {
global $config, $valid_acls;
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
if (is_array($config['installedpackages']['squidnac']))
$settings = $config['installedpackages']['squidnac']['config'][0];
else
$settings = array();
$webgui_port = $config['system']['webgui']['port'];
$addtl_ports = $settings['addtl_ports'];
$addtl_sslports = $settings['addtl_sslports'];
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$ssl_port = ($settings['ssl_proxy_port'] ? $settings['ssl_proxy_port'] : 3127);
$conf = <<< EOD
# Setup some default acls
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
# acl localhost src 127.0.0.1/32
acl allsrc src all
acl safeports port 21 70 80 210 280 443 488 563 591 631 777 901 $webgui_port $port $ssl_port 1025-65535 $addtl_ports
acl sslports port 443 563 $webgui_port $addtl_sslports
# From 3.2 further configuration cleanups have been done to make things easier and safer. The manager, localhost, and to_localhost ACL definitions are now built-in.
#acl manager proto cache_object
acl purge method PURGE
acl connect method CONNECT
# Define protocols used for redirects
acl HTTP proto HTTP
acl HTTPS proto HTTPS
EOD;
$allowed_subnets = preg_replace("/\s+/"," ",sq_text_area_decode($settings['allowed_subnets']));
#$allowed = "";
#foreach ($allowed_subnets as $subnet) {
# if(!empty($subnet)) {
# $subnet = trim($subnet);
# $allowed .= "$subnet ";
# }
#}
if (!empty($allowed_subnets)) {
$conf .= "acl allowed_subnets src $allowed_subnets\n";
$valid_acls[] = 'allowed_subnets';
}
$options = array( 'unrestricted_hosts' => 'src',
'banned_hosts' => 'src',
'whitelist' => 'dstdom_regex -i',
'blacklist' => 'dstdom_regex -i',
'block_user_agent' => 'browser -i',
'block_reply_mime_type' => 'rep_mime_type -i',
);
foreach ($options as $option => $directive) {
$contents = sq_text_area_decode($settings[$option]);
if (!empty($contents)) {
file_put_contents(SQUID_ACLDIR . "/$option.acl", $contents);
$conf .= "acl $option $directive \"" . SQUID_ACLDIR . "/$option.acl\"\n";
$valid_acls[] = $option;
}
elseif (file_exists(SQUID_ACLDIR . "/$option.acl")) {
unlink(SQUID_ACLDIR . "/$option.acl");
}
}
$conf .= <<< EOD
http_access allow manager localhost
EOD;
if (is_array($config['installedpackages']['squidcache'])){
$settings_ch = $config['installedpackages']['squidcache']['config'][0];
if(!empty($settings_ch['ext_cachemanager'])) {
$extmgr = explode(";", ($settings_ch['ext_cachemanager']));
$conf .= "\n# Allow external cache managers\n";
foreach ($extmgr as $mgr) {
$conf .= "acl ext_manager src {$mgr}\n";
}
$conf .= "http_access allow manager ext_manager\n";
}
}
$conf .= <<< EOD
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !safeports
http_access deny CONNECT !sslports
# Always allow localhost connections
# From 3.2 further configuration cleanups have been done to make things easier and safer.
# The manager, localhost, and to_localhost ACL definitions are now built-in.
# http_access allow localhost
EOD;
return $conf;
}
function squid_resync_antivirus(){
global $config;
if (is_array($config['installedpackages']['squidantivirus']))
$antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
else
$antivirus_config = array();
if ($antivirus_config['enable']=="on"){
switch ($antivirus_config['client_info']){
case "both":
$icap_send_client_ip="on";
$icap_send_client_username="on";
break;
case "IP":
$icap_send_client_ip="on";
$icap_send_client_username="off";
break;
case "username":
$icap_send_client_ip="off";
$icap_send_client_username="on";
break;
case "none":
$icap_send_client_ip="off";
$icap_send_client_username="off";
break;
}
if (is_array($config['installedpackages']['squid']))
$squid_config=$config['installedpackages']['squid']['config'][0];
$clwarn="clwarn.cgi.en_EN";
if (preg_match("/de/i",$squid_config['error_language']))
$clwarn="clwarn.cgi.de_DE";
if (preg_match("/ru/i",$squid_config['error_language']))
$clwarn="clwarn.cgi.ru_RU";
if (preg_match("/fr/i",$squid_config['error_language']))
$clwarn="clwarn.cgi.fr_FR";
if (preg_match("/pt_br/i",$squid_config['error_language']))
$clwarn="clwarn.cgi.pt_BR";
copy(SQUID_LOCALBASE."/libexec/squidclamav/{$clwarn}","/usr/local/www/clwarn.cgi");
$conf = <<< EOF
icap_enable on
icap_send_client_ip {$icap_send_client_ip}
icap_send_client_username {$icap_send_client_username}
icap_client_username_encode off
icap_client_username_header X-Authenticated-User
icap_preview_enable on
icap_preview_size 1024
icap_service service_req reqmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
icap_service service_resp respmod_precache bypass=0 icap://127.0.0.1:1344/squidclamav
adaptation_access service_req allow all
adaptation_access service_resp allow all
EOF;
#check if icap is enabled on rc.conf.local
if (file_exists("/etc/rc.conf.local")){
$rc_old_file=file("/etc/rc.conf.local");
foreach ($rc_old_file as $rc_line){
if (preg_match("/^(c_icap_enable|clamav_clamd_enable)/",$rc_line,$matches)){
$rc_file.=$matches[1].'="YES"'."\n";
${$matches[1]}="ok";
}
else
$rc_file.=$rc_line;
}
}
if (!isset($c_icap_enable))
$rc_file.='c_icap_enable="YES"'."\n";
if (!isset($clamav_clamd_enable))
$rc_file.='clamav_clamd_enable="YES"'."\n";
file_put_contents("/etc/rc.conf.local",$rc_file,LOCK_EX);
#patch sample files to pfsense dirs
#squidclamav.conf
if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"))
if (file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default")){
$sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.default");
$clamav_m[0]="@/var/run/clamav/clamd.ctl@";
$clamav_r[0]="/var/run/clamav/clamd.sock";
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample",preg_replace($clamav_m,$clamav_r,$sample_file),LOCK_EX);
}
#c-icap.conf
if (!file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"))
if (file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default")){
$sample_file=file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.default");
if (! preg_match ("/squidclamav/"))
$sample_file.="\nService squidclamav squidclamav.so\n";
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample",$sample_file,LOCK_EX);
}
$loadsample=0;
if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample")){
$config['installedpackages']['squidantivirus']['config'][0]['squidclamav']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf.sample"));
$loadsample++;
}
if ($antivirus_config['c-icap_conf'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample")){
$config['installedpackages']['squidantivirus']['config'][0]['c-icap_conf']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf.sample"));
$loadsample++;
}
if ($antivirus_config['squidclamav'] =="" && file_exists(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default")){
$config['installedpackages']['squidantivirus']['config'][0]['c-icap_magic']=base64_encode(file_get_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic.default"));
$loadsample++;
}
if($loadsample > 0){
write_config();
$antivirus_config = $config['installedpackages']['squidantivirus']['config'][0];
}
#check dirs
$dirs=array("/var/run/c-icap" => "clamav",
"/var/log/c-icap" => "clamav",
"/var/log/clamav" => "clamav",
"/var/run/clamav" => "clamav",
"/var/db/clamav" => "clamav");
foreach ($dirs as $dir_path => $dir_user){
if (!is_dir($dir_path))
make_dirs($dir_path);
squid_chown_recursive($dir_path, $dir_user, $dir_user);
}
#check startup scripts on pfsense > 2.1
if (preg_match("/usr.pbi/",SQUID_LOCALBASE)){
$rcd_files = scandir(SQUID_LOCALBASE."/etc/rc.d");
foreach($rcd_files as $rcd_file)
if (!file_exists("/usr/local/etc/rc.d/{$rcd_file}"))
symlink (SQUID_LOCALBASE."/etc/rc.d/{$rcd_file}","/usr/local/etc/rc.d/{$rcd_file}");
}
#write advanced icap config files
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/squidclamav.conf",base64_decode($antivirus_config['squidclamav']),LOCK_EX);
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.conf",base64_decode($antivirus_config['c-icap_conf']),LOCK_EX);
file_put_contents(SQUID_LOCALBASE."/etc/c-icap/c-icap.magic",base64_decode($antivirus_config['c-icap_magic']),LOCK_EX);
#check antivirus daemons
#check icap
if (is_process_running("c-icap")){
mwexec('/bin/echo -n "reconfigure" > /var/run/c-icap/c-icap.ctl');
}
else{
#check c-icap user on startup file
$c_icap_rcfile="/usr/local/etc/rc.d/c-icap";
if (file_exists($c_icap_rcfile)){
$sample_file=file_get_contents($c_icap_rcfile);
$cicapm[0]="@c_icap_user=.*}@";
$cicapr[0]='c_icap_user="clamav"}';
file_put_contents($c_icap_rcfile,preg_replace($cicapm,$cicapr,$sample_file),LOCK_EX);
}
mwexec("/usr/local/etc/rc.d/c-icap start");
}
#check clamav
if (is_process_running("clamd"))
mwexec_bg("/usr/local/etc/rc.d/clamav-clamd reload");
else
mwexec("/usr/local/etc/rc.d/clamav-clamd start");
}
return $conf;
}
function squid_resync_traffic() {
global $config, $valid_acls;
if(!is_array($valid_acls))
return;
if (is_array($config['installedpackages']['squidtraffic']))
$settings = $config['installedpackages']['squidtraffic']['config'][0];
else
$settings = array();
$conf = '';
if (!empty($settings['quick_abort_min']) || ($settings['quick_abort_min']) == "0")
$conf .= "quick_abort_min {$settings['quick_abort_min']} KB\n";
if (!empty($settings['quick_abort_max']) || ($settings['quick_abort_max']) == "0")
$conf .= "quick_abort_max {$settings['quick_abort_max']} KB\n";
if (!empty($settings['quick_abort_pct']))
$conf .= "quick_abort_pct {$settings['quick_abort_pct']}\n";
$up_limit = ($settings['max_upload_size'] ? $settings['max_upload_size'] : 0);
$down_limit = ($settings['max_download_size'] ? $settings['max_download_size'] : 0);
$conf .= "request_body_max_size $up_limit KB\n";
if ($down_limit != 0)
$conf .= 'reply_body_max_size ' . $down_limit . " KB allsrc \n";
// Only apply throttling past 10MB
// XXX: Should this really be hardcoded?
$threshold = 10 * 1024 * 1024;
$overall = $settings['overall_throttling'];
if (!isset($overall) || ($overall == 0))
$overall = -1;
else
$overall *= 1024;
$perhost = $settings['perhost_throttling'];
if (!isset($perhost) || ($perhost == 0))
$perhost = -1;
else
$perhost *= 1024;
$conf .= <<< EOD
delay_pools 1
delay_class 1 2
delay_parameters 1 $overall/$overall $perhost/$perhost
delay_initial_bucket_level 100
EOD;
if(! empty($settings['unrestricted_hosts'])) {
foreach (array('unrestricted_hosts') as $item) {
if (in_array($item, $valid_acls))
$conf .= "# Do not throttle unrestricted hosts\n";
$conf .= "delay_access 1 deny $item\n";
}
}
if ($settings['throttle_specific'] == 'on') {
$exts = array();
$binaries = 'bin,cab,sea,ar,arj,tar,tgz,gz,tbz,bz2,zip,7z,exe,com';
$cdimages = 'iso,bin,mds,nrg,gho,bwt,b5t,pqi';
$multimedia = 'aiff?,asf,avi,divx,mov,mp3,mp4,wmv,mpe?g,qt,ra?m';
foreach (array( 'throttle_binaries' => $binaries,
'throttle_cdimages' => $cdimages,
'throttle_multimedia' => $multimedia) as $field => $set) {
if ($settings[$field] == 'on')
$exts = array_merge($exts, explode(",", $set));
}
foreach (explode(",", $settings['throttle_others']) as $ext) {
if (!empty($ext)) $exts[] = $ext;
}
$contents = '';
foreach ($exts as $ext)
$contents .= "\.$ext\$\n";
file_put_contents(SQUID_ACLDIR . '/throttle_exts.acl', $contents);
$conf .= "# Throttle extensions matched in the url\n";
$conf .= "acl throttle_exts urlpath_regex -i \"" . SQUID_ACLDIR . "/throttle_exts.acl\"\n";
$conf .= "delay_access 1 allow throttle_exts\n";
$conf .= "delay_access 1 deny allsrc\n";
}
else
$conf .= "delay_access 1 allow allsrc\n";
return $conf;
}
function squid_get_server_certs() {
global $config;
$cert_arr = array();
$cert_arr[] = array('refid' => 'none', 'descr' => 'none');
foreach ($config['cert'] as $cert) {
$cert_arr[] = array('refid' => $cert['refid'], 'descr' => $cert['descr']);
}
return $cert_arr;
}
#squid reverse
include('/usr/local/pkg/squid_reverse.inc');
function squid_resync_auth() {
global $config, $valid_acls;
if (is_array($config['installedpackages']['squidauth']['config']))
$settings = $config['installedpackages']['squidauth']['config'][0];
else
$settings = array();
if (is_array($config['installedpackages']['squidnac']['config']))
$settingsnac = $config['installedpackages']['squidnac']['config'][0];
else
$settingsnac = array();
if (is_array($config['installedpackages']['squid']['config']))
$settingsconfig = $config['installedpackages']['squid']['config'][0];
else
$settingsconfig = array();
$conf = '';
// SSL interception acl options part 1
if ($settingsconfig['ssl_proxy'] == "on" && ! empty($settingsnac['whitelist'])){
$conf .= "always_direct allow whitelist\n";
$conf .= "ssl_bump none whitelist\n";
}
// Package integration
if(!empty($settingsconfig['custom_options'])){
$co_preg[0]='/;/';
$co_rep[0]="\n";
$co_preg[1]="/redirect_program/";
$co_rep[1]="url_rewrite_program";
$co_preg[2]="/redirector_bypass/";
$co_rep[2]="url_rewrite_bypass";
$conf.="# Package Integration\n".preg_replace($co_preg,$co_rep,$settingsconfig['custom_options'])."\n\n";
}
// Custom User Options
$conf .= "# Custom options\n".sq_text_area_decode($settingsconfig['custom_options_squid3'])."\n\n";
// Deny the banned guys before allowing the good guys
if(! empty($settingsnac['banned_hosts'])) {
if (squid_is_valid_acl('banned_hosts')) {
$conf .= "# These hosts are banned\n";
$conf .= "http_access deny banned_hosts\n";
}
}
if(! empty($settingsnac['banned_macs'])) {
if (squid_is_valid_acl('banned_macs')) {
$conf .= "# These macs are banned\n";
$conf .= "http_access deny banned_macs\n";
}
}
// Unrestricted hosts take precedence over blacklist
if(! empty($settingsnac['unrestricted_hosts'])) {
if (squid_is_valid_acl('unrestricted_hosts') && $settings['unrestricted_auth']!= "on") {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_hosts\n";
}
}
if(! empty($settingsnac['unrestricted_macs'])) {
if (squid_is_valid_acl('unrestricted_macs')) {
$conf .= "# These hosts do not have any restrictions\n";
$conf .= "http_access allow unrestricted_macs\n";
}
}
// Whitelist and blacklist also take precedence over other allow rules
if(! empty($settingsnac['whitelist'])) {
if (squid_is_valid_acl('whitelist')) {
$conf .= "# Always allow access to whitelist domains\n";
$conf .= "http_access allow whitelist\n";
}
}
if(! empty($settingsnac['blacklist'])) {
if (squid_is_valid_acl('blacklist')) {
$conf .= "# Block access to blacklist domains\n";
$conf .= "http_access deny blacklist\n";
}
}
if(! empty($settingsnac['block_user_agent'])) {
if (squid_is_valid_acl('block_user_agent')) {
$conf .= "# Block access with user agents and browsers\n";
$conf .= "http_access deny block_user_agent\n";
}
}
if(! empty($settingsnac['block_reply_mime_type'])) {
if (squid_is_valid_acl('block_reply_mime_type')) {
$conf .= "# Block access with mime type in the reply\n";
$conf .= "http_reply_access deny block_reply_mime_type\n";
}
}
// SSL interception acl options part 2
if ($settingsconfig['ssl_proxy'] == "on"){
$conf .= "always_direct allow all\n";
$conf .= "ssl_bump server-first all\n";
}
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
$conf .= "acl sglog url_regex -i sgr=ACCESSDENIED\n";
$transparent_proxy = ($settingsconfig['transparent_proxy'] == 'on');
if ($transparent_proxy){
if (preg_match ("/(none|cp)/",$settings['auth_method']))
$auth_method=$settings['auth_method'];
else
$auth_method="none";
}
else{
$auth_method=$settings['auth_method'];
}
// Allow the remaining ACLs if no authentication is set
if ($auth_method == 'none' || $auth_method == 'cp') {
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
$conf .="http_access deny sglog\n";
}
if ($auth_method == 'none' ) {
$conf .="# Setup allowed acls\n";
$allowed = array('allowed_subnets');
if ($settingsconfig['allow_interface'] == 'on') {
$conf .= "# Allow local network(s) on interface(s)\n";
$allowed[] = "localnet";
}
$allowed = array_filter($allowed, 'squid_is_valid_acl');
foreach ($allowed as $acl)
$conf .= "http_access allow $acl\n";
}
else {
$noauth = implode(' ', explode("\n", base64_decode($settings['no_auth_hosts'])));
if (!empty($noauth)) {
$conf .= "acl noauth src $noauth\n";
$valid_acls[] = 'noauth';
}
// Set up the external authentication programs
$auth_ttl = ($settings['auth_ttl'] ? $settings['auth_ttl'] : 5);
$processes = ($settings['auth_processes'] ? $settings['auth_processes'] : 5);
$prompt = ($settings['auth_prompt'] ? $settings['auth_prompt'] : 'Please enter your credentials to access the proxy');
switch ($auth_method) {
case 'local':
$conf .= 'auth_param basic program '.SQUID_LOCALBASE.'/libexec/squid/basic_ncsa_auth ' . SQUID_PASSWD . "\n";
break;
case 'ldap':
$port = (isset($settings['auth_server_port']) ? ":{$settings['auth_server_port']}" : '');
$password = (isset($settings['ldap_pass']) ? "-w {$settings['ldap_pass']}" : '');
$conf .= "auth_param basic program " . SQUID_LOCALBASE . "/libexec/squid/basic_ldap_auth -v {$settings['ldap_version']} -b {$settings['ldap_basedomain']} -D {$settings['ldap_user']} $password -f \"{$settings['ldap_filter']}\" -u {$settings['ldap_userattribute']} -P {$settings['auth_server']}$port\n";
break;
case 'radius':
$port = (isset($settings['auth_server_port']) ? "-p {$settings['auth_server_port']}" : '');
$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_radius_auth -w {$settings['radius_secret']} -h {$settings['auth_server']} $port\n";
break;
case 'cp':
$conf .= "external_acl_type check_filter children-startup={$processes} ttl={$auth_ttl} %SRC ". SQUID_LOCALBASE . "/libexec/squid/check_ip.php\n";
$conf .= "acl dgfilter external check_filter\n";
$conf .= "http_access allow dgfilter\n";
break;
case 'msnt':
$conf .= "auth_param basic program ". SQUID_LOCALBASE . "/libexec/squid/basic_msnt_auth\n";
squid_resync_msnt();
break;
}
if ($auth_method != 'cp'){
$conf .= <<< EOD
auth_param basic children $processes
auth_param basic realm $prompt
auth_param basic credentialsttl $auth_ttl minutes
acl password proxy_auth REQUIRED
EOD;
}
// Onto the ACLs
$password = array('localnet', 'allowed_subnets');
$passwordless = array('unrestricted_hosts');
if ($settings['unrestricted_auth'] == 'on') {
// Even the unrestricted hosts should authenticate
$password = array_merge($password, $passwordless);
$passwordless = array();
}
$passwordless[] = 'noauth';
$password = array_filter($password, 'squid_is_valid_acl');
$passwordless = array_filter($passwordless, 'squid_is_valid_acl');
// Allow the ACLs that don't need to authenticate
foreach ($passwordless as $acl)
$conf .= "http_access allow $acl\n";
if ($auth_method != 'cp'){
// Include squidguard denied acl log in squid
if ($settingsconfig['log_sqd'])
$conf .="http_access deny password sglog\n";
// Allow the other ACLs as long as they authenticate
foreach ($password as $acl)
$conf .= "http_access allow password $acl\n";
}
}
$conf .= "# Default block all to be sure\n";
$conf .= "http_access deny allsrc\n";
return $conf;
}
function squid_resync_users() {
global $config;
$users = $config['installedpackages']['squidusers']['config'];
$contents = '';
if (is_array($users)) {
foreach ($users as $user)
$contents .= $user['username'] . ':' . crypt($user['password'], base64_encode($user['password'])) . "\n";
}
file_put_contents(SQUID_PASSWD, $contents);
chown(SQUID_PASSWD, 'proxy');
chmod(SQUID_PASSWD, 0600);
}
function squid_resync_msnt() {
global $config;
if (is_array($config['installedpackages']['squidauth']))
$settings = $config['installedpackages']['squidauth']['config'][0];
else
$settings = array();
$pdcserver = $settings['auth_server'];
$bdcserver = str_replace(',',' ',$settings['msnt_secondary']);
$ntdomain = $settings['auth_ntdomain'];
file_put_contents(SQUID_CONFBASE."/msntauth.conf","server {$pdcserver} {$bdcserver} {$ntdomain}");
chown(SQUID_CONFBASE."/msntauth.conf", 'proxy');
chmod(SQUID_CONFBASE."/msntauth.conf", 0600);
}
function squid_resync($via_rpc="no") {
global $config;
# detect boot process
if (is_array($_POST)){
if (preg_match("/\w+/",$_POST['__csrf_magic']))
unset($boot_process);
else
$boot_process="on";
}
log_error("[Squid] - Squid_resync function call pr:".is_process_running('squid')." bp:".isset($boot_process)." rpc:".$via_rpc);
if (is_process_running('squid') && isset($boot_process) && $via_rpc=="no")
return;
conf_mount_rw();
foreach (array( SQUID_CONFBASE,
SQUID_ACLDIR,
SQUID_BASE,
SQUID_LIB,
SQUID_SSL_DB ) as $dir) {
make_dirs($dir);
chown($dir, 'proxy');
chgrp($dir, 'proxy');
squid_chown_recursive($dir, 'proxy', 'proxy');
}
$conf = squid_resync_general() . "\n";
$conf .= squid_resync_cache() . "\n";
$conf .= squid_resync_redirector() . "\n";
$conf .= squid_resync_upstream() . "\n";
$conf .= squid_resync_nac() . "\n";
$conf .= squid_resync_traffic() . "\n";
$conf .= squid_resync_reverse() . "\n";
$conf .= squid_resync_auth()."\n";
$conf .= squid_resync_antivirus();
squid_resync_users();
squid_write_rcfile();
if(!isset($boot_process) || $via_rpc="yes")
squid_sync_on_changes();
#write config file
file_put_contents(SQUID_CONFBASE . '/squid.conf', $conf);
/* make sure pinger is executable */
if(file_exists(SQUID_LOCALBASE . "/libexec/squid/pinger"))
exec("chmod a+x " . SQUID_LOCALBASE . "/libexec/squid/pinger");
$log_dir="";
#check if squid is enabled
if (is_array($config['installedpackages']['squid']['config'])){
if ($config['installedpackages']['squid']['config'][0]['active_interface']!= "")
$log_dir = $config['installedpackages']['squid']['config'][0]['log_dir'].'/';
}
#check if squidreverse is enabled
else if (is_array($config['installedpackages']['squidreversegeneral']['config'])){
if ($config['installedpackages']['squidreversegeneral']['config'][0]['reverse_interface'] != "")
$log_dir="/var/squid/logs/";
}
#do not start squid if there is no log dir
if ($log_dir != ""){
if(!is_dir($log_dir)) {
log_error("Creating squid log dir $log_dir");
make_dirs($log_dir);
squid_chown_recursive($log_dir, 'proxy', 'proxy');
}
squid_dash_z();
if (!is_service_running('squid')) {
log_error("Starting Squid");
mwexec(SQUID_LOCALBASE . "/sbin/squid -f " . SQUID_CONFFILE);
}
else {
if (!isset($boot_process)){
log_error("Reloading Squid for configuration sync");
mwexec(SQUID_LOCALBASE . "/sbin/squid -k reconfigure -f " . SQUID_CONFFILE);
}
}
// Sleep for a couple seconds to give squid a chance to fire up fully.
for ($i=0; $i < 10; $i++) {
if (!is_service_running('squid'))
sleep(1);
}
filter_configure();
}
conf_mount_ro();
}
function squid_print_javascript_auth() {
global $config;
$transparent_proxy = ($config['installedpackages']['squid']['config'][0]['transparent_proxy'] == 'on');
// No authentication for transparent proxy
if ($transparent_proxy and preg_match("/(local|ldap|radius|msnt|ntlm)/",$config['installedpackages']['squidauth']['config'][0]['auth_method'])) {
$javascript = <<< EOD
EOD;
}
else {
$javascript = <<< EOD
EOD;
}
print($javascript);
}
function squid_print_javascript_auth2() {
print("\n");
}
function squid_generate_rules($type) {
global $config,$pf_version;
$squid_conf = $config['installedpackages']['squid']['config'][0];
//check captive portal option
$cp_file='/etc/inc/captiveportal.inc';
$pfsense_version=preg_replace("/\s/","",file_get_contents("/etc/version"));
$port = ($settings['proxy_port'] ? $settings['proxy_port'] : 3128);
$cp_inc = file($cp_file);
$new_cp_inc="";
$found_rule=0;
foreach ($cp_inc as $line){
$new_line=$line;
//remove applied squid patch
if (preg_match('/skipto 65314 ip/',$line)){
$found_rule++;
$new_line ="";
}
if (substr($pfsense_version,0,3) > 2.0){
if (preg_match('/255.255.255.255/',$line) && $squid_conf['patch_cp']){
$found_rule++;
$new_line .= "\n\t".'$cprules .= "add {$rulenum} skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
$new_line .= "\t".'$cprules .= "add {$rulenum} skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
}
}
else{
//add squid patch option based on current config
if (preg_match('/set 1 pass ip from any to/',$line) && $squid_conf['patch_cp']){
$found_rule++;
$new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from any to {$ips} '.$port.' in\n";'."\n";
$new_line .= $line;
}
if (preg_match('/set 1 pass ip from {/',$line) && $squid_conf['patch_cp']){
$found_rule++;
$new_line = "\t".'$cprules .= "add {$rulenum} set 1 skipto 65314 ip from {$ips} '.$port.' to any out\n";'."\n";
$new_line .= $line;
}
}
$new_cp_inc .= $new_line;
}
if (!file_exists('/root/'.$pfsense_version.'.captiveportal.inc.backup')) {
copy ($cp_file,'/root/'.$pfsense_version.'.captiveportal.inc.backup');
}
if($found_rule > 0){
file_put_contents($cp_file,$new_cp_inc, LOCK_EX);
}
//normal squid rule check
if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
return;
}
if (!is_service_running('squid')) {
log_error("SQUID is installed but not started. Not installing \"{$type}\" rules.");
return;
}
#Read assigned interfaces
$proxy_ifaces = explode(",", $squid_conf['active_interface']);
$proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces);
if ($squid_conf['transparent_proxy']=="on"){
$transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']);
$transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces);
}
else{
$transparent_ifaces=array();
}
if ($squid_conf['ssl_proxy'] == "on"){
$ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']);
$ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces);
}
else{
$ssl_ifaces=array();
}
$port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128);
$ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3127);
$fw_aliases = filter_generate_aliases();
if(strstr($fw_aliases, "pptp ="))
$PPTP_ALIAS = "\$pptp";
else
$PPTP_ALIAS = "\$PPTP";
if(strstr($fw_aliases, "PPPoE ="))
$PPPOE_ALIAS = "\$PPPoE";
else
$PPPOE_ALIAS = "\$pppoe";
#define ports based on transparent options and ssl filtering
$pf_rule_port=($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
switch($type) {
case 'nat':
$rules .= "\n# Setup Squid proxy redirect\n";
if ($squid_conf['private_subnet_proxy_off'] == 'on') {
foreach ($transparent_ifaces as $iface) {
$pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
}
/* Handle PPPOE case */
if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
}
/* Handle PPTP case */
if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
$rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
}
}
if (!empty($squid_conf['defined_ip_proxy_off'])) {
$defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
$exempt_ip = "";
foreach ($defined_ip_proxy_off as $ip_proxy_off) {
if(!empty($ip_proxy_off)) {
$ip_proxy_off = trim($ip_proxy_off);
if (is_alias($ip_proxy_off))
$ip_proxy_off = '$'.$ip_proxy_off;
$exempt_ip .= ", $ip_proxy_off";
}
}
$exempt_ip = substr($exempt_ip,2);
foreach ($transparent_ifaces as $iface) {
$pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
$rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port {$pf_transparent_rule_port}\n";
}
/* Handle PPPOE case */
if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
}
/* Handle PPTP case */
if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
$rules .= "no rdr on $PPTP_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
}
}
if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
$defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
$exempt_dest = "";
foreach ($defined_ip_proxy_off_dest as $ip_proxy_off_dest) {
if(!empty($ip_proxy_off_dest)) {
$ip_proxy_off_dest = trim($ip_proxy_off_dest);
if (is_alias($ip_proxy_off_dest))
$ip_proxy_off_dest = '$'.$ip_proxy_off_dest;
$exempt_dest .= ", $ip_proxy_off_dest";
}
}
$exempt_dest = substr($exempt_dest,2);
foreach ($transparent_ifaces as $iface) {
$pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443}" : "80");
$rules .= "no rdr on $iface proto tcp from any to { $exempt_dest } port {$pf_transparent_rule_port}\n";
}
/* Handle PPPOE case */
if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
}
/* Handle PPTP case */
if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
$rules .= "no rdr on $PPTP_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
}
}
foreach ($transparent_ifaces as $t_iface) {
$pf_transparent_rule_port=(in_array($t_iface,$ssl_ifaces) ? "{80,443}" : "80");
$rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
if (in_array($t_iface,$ssl_ifaces))
$rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
}
/* Handle PPPOE case */
if(($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
}
/* Handle PPTP case */
if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
$rules .= "rdr on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
}
$rules .= "\n";
break;
case 'filter':
case 'rule':
foreach ($transparent_ifaces as $iface) {
$pf_transparent_rule_port=(in_array($iface,$ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
$rules .= "# Setup squid pass rules for proxy\n";
$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
#$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
$rules .= "\n";
};
if($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
$rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
}
if($config['pptpd']['mode'] == "server" && $config['pptpd']['localip']) {
$rules .= "pass in quick on $PPTP_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
}
break;
default:
break;
}
return $rules;
}
function squid_write_rcfile() {
/* Declare a variable for the SQUID_CONFFILE constant. */
/* Then the variable can be referenced easily in the Heredoc text that generates the rc file. */
$squid_conffile_var = SQUID_CONFFILE;
$squid_local_base = SQUID_LOCALBASE;
$rc = array();
$rc['file'] = 'squid.sh';
$rc['start'] = <</dev/null
killall pinger 2>/dev/null
EOD;
$rc['restart'] = <<setCredentials($username, $password);
if($g['debug'])
$cli->setDebug(1);
/* send our XMLRPC message and timeout after defined sync timeout value*/
$resp = $cli->send($msg, $synctimeout);
if(!$resp) {
$error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port}.";
log_error($error);
file_notice("sync_settings", $error, "squid Settings Sync", "");
} elseif($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
$error = "An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "squid Settings Sync", "");
} else {
log_error("[Squid] XMLRPC sync successfully completed with {$url}:{$port}.");
}
/* tell squid to reload our settings on the destination sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
$execcmd .= "squid_resync('yes');";
/* assemble xmlrpc payload */
$params = array(
XML_RPC_encode($password),
XML_RPC_encode($execcmd)
);
log_error("[Squid] XMLRPC reload data {$url}:{$port}.");
$msg = new XML_RPC_Message($method, $params);
$cli = new XML_RPC_Client('/xmlrpc.php', $url, $port);
$cli->setCredentials($username, $password);
$resp = $cli->send($msg, $synctimeout);
if(!$resp) {
$error = "A communications error occurred while attempting squid XMLRPC sync with {$url}:{$port} (pfsense.exec_php).";
log_error($error);
file_notice("sync_settings", $error, "squid Settings Sync", "");
} elseif($resp->faultCode()) {
$cli->setDebug(1);
$resp = $cli->send($msg, $synctimeout);
$error = "[Squid] An error code was received while attempting squid XMLRPC sync with {$url}:{$port} - Code " . $resp->faultCode() . ": " . $resp->faultString();
log_error($error);
file_notice("sync_settings", $error, "squid Settings Sync", "");
} else {
log_error("squid XMLRPC reload data success with {$url}:{$port} (pfsense.exec_php).");
}
}
?>