<?xml version="1.0" encoding="utf-8" ?> <!DOCTYPE packagegui SYSTEM "../schema/packages.dtd"> <?xml-stylesheet type="text/xsl" href="../xsl/package.xsl"?> <packagegui> <copyright> <![CDATA[ /* $Id$ */ /* ========================================================================== */ /* squid_upstream.xml part of pfSense (http://www.pfSense.com) Copyright (C) 2007 to whom it may belong Copyright (C) 2012-2014 Marcello Coutinho All rights reserved. Based on m0n0wall (http://m0n0.ch/wall) Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>. All rights reserved. */ /* ========================================================================== */ /* Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code MUST retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ /* ========================================================================== */ ]]> </copyright> <description>Describe your package here</description> <requirements>Describe your package requirements here</requirements> <faq>Currently there are no FAQ items provided.</faq> <name>squidremote</name> <version>none</version> <title>Proxy server: Remote proxy settings</title> <include_file>/usr/local/pkg/squid.inc</include_file> <tabs> <tab> <text>General</text> <url>/pkg_edit.php?xml=squid.xml&id=0</url> </tab> <tab> <text>Remote Cache</text> <url>/pkg.php?xml=squid_upstream.xml</url> <active/> </tab> <tab> <text>Local Cache</text> <url>/pkg_edit.php?xml=squid_cache.xml&id=0</url> </tab> <tab> <text>Antivirus</text> <url>/pkg_edit.php?xml=squid_antivirus.xml&id=0</url> </tab> <tab> <text>ACLs</text> <url>/pkg_edit.php?xml=squid_nac.xml&id=0</url> </tab> <tab> <text>Traffic Mgmt</text> <url>/pkg_edit.php?xml=squid_traffic.xml&id=0</url> </tab> <tab> <text>Authentication</text> <url>/pkg_edit.php?xml=squid_auth.xml&id=0</url> </tab> <tab> <text>Users</text> <url>/pkg.php?xml=squid_users.xml</url> </tab> <tab> <text>Real time</text> <url>/squid_monitor.php</url> </tab> <tab> <text>Sync</text> <url>/pkg_edit.php?xml=squid_sync.xml</url> </tab> </tabs> <adddeleteeditpagefields> <columnitem> <fielddescr>Status</fielddescr> <fieldname>enable</fieldname> </columnitem> <columnitem> <fielddescr>name</fielddescr> <fieldname>proxyaddr</fieldname> </columnitem> <columnitem> <fielddescr>Port</fielddescr> <fieldname>proxyport</fieldname> </columnitem> <columnitem> <fielddescr>ICP</fielddescr> <fieldname>icpport</fieldname> </columnitem> <columnitem> <fielddescr>Peer type</fielddescr> <fieldname>hierarchy</fieldname> </columnitem> <columnitem> <fielddescr>Method</fielddescr> <fieldname>peermethod</fieldname> </columnitem> </adddeleteeditpagefields> <fields> <field> <name>General Settings</name> <type>listtopic</type> </field> <field> <fielddescr>Enable</fielddescr> <fieldname>enable</fieldname> <description>This option enables the proxy server to forward requests to an upstream/neighbor server.</description> <type>checkbox</type> <required/> </field> <field> <fielddescr>Hostname</fielddescr> <fieldname>proxyaddr</fieldname> <description>Enter here the IP address or host name of the upstream proxy.</description> <type>input</type> <size>35</size> <required/> </field> <field> <fielddescr>Name</fielddescr> <fieldname>proxyname</fieldname> <description>Unique name for the peer.Required if you have multiple peers on the same host but different ports.</description> <type>input</type> <size>35</size> <required/> </field> <field> <fielddescr>TCP port</fielddescr> <fieldname>proxyport</fieldname> <description>Enter the port to use to connect to the upstream proxy.</description> <type>input</type> <size>5</size> <default_value>3128</default_value> <required/> </field> <field> <fielddescr>Timeout</fielddescr> <fieldname>connecttimeout</fieldname> <description>A peer-specific connect timeout. Also see the peer_connect_timeout directive.</description> <type>input</type> <size>5</size> </field> <field> <fielddescr>Fail Limit</fielddescr> <fieldname>connectfailLimit</fieldname> <description>How many times connecting to a peer must fail before it is marked as down. Default is 10.</description> <type>input</type> <size>5</size> <default_value>10</default_value> </field> <field> <fielddescr>Max</fielddescr> <fieldname>maxconn</fieldname> <description>Limit the amount of connections Squid may open to this peer.</description> <type>input</type> <size>5</size> </field> <field> <fielddescr>Allow Miss</fielddescr> <fieldname>allowmiss</fieldname> <description><![CDATA[<strong>allow-miss</strong> - Disable Squid's use of only-if-cached when forwarding requests to siblings. This is primarily useful when icp_hit_stale is used by the sibling.<br><br> <strong>no-tproxy</strong> - Do not use the client-spoof TPROXY support when forwarding requests to this peer. Use normal address selection instead.<br><br> <strong>proxy-only</strong> - Objects fetched from the peer will not be stored locally.]]></description> <type>select</type> <default_value>allow-miss</default_value> <options> <option><name>Allow Miss</name><value>allow-miss</value></option> <option><name>No Tproxy</name><value>no-tproxy</value></option> <option><name>Proxy Only</name><value>proxy-only</value></option> </options> <multiple/> <size>4</size> </field> <field> <name>Peer settings</name> <type>listtopic</type> </field> <field> <fielddescr>Hierarchy</fielddescr> <fieldname>hierarchy</fieldname> <description>Specify remote caches hierarchy.</description> <type>select</type> <default_value>parent</default_value> <options> <option><name>parent</name><value>parent</value></option> <option><name>sibling</name><value>sibling</value></option> <option><name>multicast</name><value>multicast</value></option> </options> </field> <field> <fielddescr>Select method</fielddescr> <fieldname>peermethod</fieldname> <description><![CDATA[The default peer selection method is ICP, with the first responding peer being used as source. These options can be used for better load balancing.<br><br> <strong>default</strong> - This is a parent cache which can be used as a "last-resort" if a peer cannot be located by any of the peer-selection methods.<br> If specified more than once, only the first is used.<br><br> <strong>round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion in the absence of any ICP queries.<br>weight=N can be used to add bias.<br><br> <strong>weighted-round-robin</strong> - Load-Balance parents which should be used in a round-robin fashion with the frequency of each parent being based on the round trip time.<br> Closer parents are used more often. Usually used for background-ping parents. weight=N can be used to add bias.<br><br> <strong>carp</strong> - Load-Balance parents which should be used as a CARP array. The requests will be distributed among the parents based on the CARP load balancing hash function based on their weight.<br><br> <strong>userhash</strong> - Load-balance parents based on the client proxy_auth or ident username.<br><br> <strong>sourcehash</strong> - Load-balance parents based on the client source IP.<br><br> <strong>multicast-siblings</strong> - To be used only for cache peers of type "multicast".<br> ALL members of this multicast group have "sibling" relationship with it, not "parent". This is to a multicast group when the requested object would be fetched only from a "parent" cache, anyway.<br> It's useful, e.g., when configuring a pool of redundant Squid proxies, being members of the same multicast group.]]></description> <type>select</type> <default_value>round-robin</default_value> <options> <option><name>round-robin</name><value>round-robin</value></option> <option><name>default</name><value>default</value></option> <option><name>weighted-round-robin</name><value>weighted-round-robin</value></option> <option><name>carp</name><value>carp</value></option> <option><name>userhash</name><value>userhash</value></option> <option><name>sourcehash</name><value>sourcehash</value></option> <option><name>multicast-sibling</name><value>multicast-sibling</value></option> </options> </field> <field> <fielddescr>weight</fielddescr> <fieldname>weight</fieldname> <description>Use to affect the selection of a peer during any weighted peer-selection mechanisms. The weight must be an integer; default is 1,larger weights are favored more.</description> <type>input</type> <size>5</size> <default>1</default> </field> <field> <fielddescr>basetime</fielddescr> <fieldname>basetime</fieldname> <description><![CDATA[Specify a base amount to be subtracted from round trip times of parents.<br> It is subtracted before division by weight in calculating which parent to fectch from. If the rtt is less than the base time the rtt is set to a minimal value.]]></description> <type>input</type> <size>5</size> <default>1</default> </field> <field> <fielddescr>ttl</fielddescr> <fieldname>ttl</fieldname> <description><![CDATA[Specify a TTL to use when sending multicast ICP queries to this address<br> Only useful when sending to a multicast group. Because we don't accept ICP replies from random hosts, you must configure other group members as peers with the 'multicast-responder' option.]]></description> <type>input</type> <size>5</size> <default>1</default> </field> <field> <fielddescr>no-delay</fielddescr> <fieldname>nodelay</fieldname> <description><![CDATA[To prevent access to this neighbor from influencing the delay pools.]]></description> <type>checkbox</type> </field> <field> <name>ICP settings</name> <type>listtopic</type> </field> <field> <fielddescr>ICP port</fielddescr> <fieldname>icpport</fieldname> <description>Enter the port to connect to the upstream proxy for the ICP protocol. Use port number 7 to disable ICP communication between the proxies.</description> <type>input</type> <size>5</size> <default_value>7</default_value> </field> <field> <fielddescr>ICP Options</fielddescr> <fieldname>icpoptions</fieldname> <description><![CDATA[You MUST also set icp_port and icp_access explicitly when using these options.<br> The defaults will prevent peer traffic using ICP<br><br> <strong>no-query</strong> - Disable ICP queries to this neighbor.<br><br> <strong>multicast-responder</strong> -Indicates the named peer is a member of a multicast group.<br> ICP queries will not be sent directly to the peer, but ICP replies will be accepted from it.<br><br> <strong>closest-only</strong> - Indicates that, for ICP_OP_MISS replies, we'll only forward CLOSEST_PARENT_MISSes and never FIRST_PARENT_MISSes.<br><br> <strong>background-ping</strong> - To only send ICP queries to this neighbor infrequently.<br> This is used to keep the neighbor round trip time updated and is usually used in conjunction with weighted-round-robin.]]></description> <type>select</type> <default_value>no-query</default_value> <options> <option><name>no-query</name><value>no-query</value></option> <option><name>multicast-responder</name><value>multicast-responder</value></option> <option><name>closest-only</name><value>closest-only</value></option> <option><name>background-ping</name><value>background-ping</value></option> </options> </field> <field> <name>Auth settings</name> <type>listtopic</type> </field> <field> <fielddescr>Username</fielddescr> <fieldname>username</fieldname> <description>If the upstream proxy requires a username, specify it here.</description> <type>input</type> </field> <field> <fielddescr>Password</fielddescr> <fieldname>password</fieldname> <description>If the upstream proxy requires a password, specify it here.</description> <type>password</type> </field> <field> <fielddescr>Authentication options</fielddescr> <fieldname>authoption</fieldname> <description><![CDATA[<br><strong>login=user:password</strong> - If this is a personal/workgroup proxy and your parent requires proxy authentication.<br><br> <strong>login=PASSTHRU</strong> - Send login details received from client to this peer. Authentication is not required by Squid for this to work.<br> This will pass any form of authentication but only Basic auth will work through a proxy unless the connection-auth options are also used.<br><br> <strong>login=PASS</strong> - Send login details received from client to this peer.Authentication is not required by this option.<br> To combine this with proxy_auth both proxies must share the same user database as HTTP only allows for a single login (one for proxy, one for origin server).<br> Also be warned this will expose your users proxy password to the peer. USE WITH CAUTION<br><br> <strong>login=*:password</strong> - Send the username to the upstream cache, but with a fixed password. This is meant to be used when the peer is in another administrative domain, but it is still needed to identify each user.<br><br> <strong>login=NEGOTIATE</strong> - If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> The first principal from the default keytab or defined by the environment variable KRB5_KTNAME will be used.<br> WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> <strong>login=NEGOTIATE:principal_name</strong>If this is a personal/workgroup proxy and your parent requires a secure proxy authentication.<br> The principal principal_name from the default keytab or defined by the environment variable KRB5_KTNAME will be used. WARNING: The connection may transmit requests from multiple clients. Negotiate often assumes end-to-end authentication and a single-client. Which is not strictly true here.<br><br> <strong>connection-auth=on</strong> - Tell Squid that this peer does support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> Default is auto to automatically determine the status of the peer.<br><br> <strong>connection-auth=off</strong> - Tell Squid that this peer does not support Microsoft connection oriented authentication, and any such challenges received from there should be ignored.<br> Default is auto to automatically determine the status of the peer.]]></description> <type>select</type> <default_value>login=*:password</default_value> <options> <option><name>login=*:password</name><value>login=*:password</value></option> <option><name>login=user:password</name><value>login=user:password</value></option> <option><name>login=PASSTHRU</name><value>login=PASSTHRU</value></option> <option><name>login=PASS</name><value>login=PASS</value></option> <option><name>login=NEGOTIATE</name><value>login=NEGOTIATE</value></option> <option><name>login=NEGOTIATE:principal_name</name><value>login=NEGOTIATE:principal_name</value></option> <option><name>connection-auth=on</name><value>connection-auth=on</value></option> <option><name>connection-auth=off</name><value>connection-auth=off</value></option> </options> </field> </fields> <custom_php_validation_command> squid_validate_upstream($_POST, $input_errors); </custom_php_validation_command> <custom_php_resync_config_command> squid_resync(); </custom_php_resync_config_command> </packagegui>