<?xml version="1.0" encoding="utf-8" ?>
<packagegui>
	<!-- Package identity and GUI entry point for the Squid proxy package. -->
	<name>squid</name>
	<title>Services: Proxy Server</title>
	<category>Security</category>
	<version>2.5.10_4</version>
	<!-- Presumably the config.xml node where the values of the fields below are stored; verify against the package framework. -->
	<configpath>installedpackages->package->squidng->configuration->settings</configpath>
	
	<!-- NOTE(review): this redirect and the menu URL below load squid_ng.xml, while the General Settings tab links to squid.xml. Confirm both names resolve to this file; neither is listed under additional_files_needed. -->
	<aftersaveredirect>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</aftersaveredirect>
	
	<!-- Menu entry shown in the Services section of the web GUI. -->
	<menu>
		<name>Squid</name>
		<tooltiptext>Modify settings for Proxy Server</tooltiptext>
		<section>Services</section>
		<url>/pkg_edit.php?xml=squid_ng.xml&amp;id=0</url>
	</menu>
		
	<!-- TODO: Add xml to parse proxy logs into readable format
	<menu>
		<name>Proxy Log</name>
		<section>Status</section>
		<configfile>squid_log.xml</configfile>
	</menu> -->
			
	<!--
	  Support files placed under /usr/local/pkg/ for this package.
	  NOTE(review): every item is fetched over plain http:// and nothing in this file pins a
	  checksum or signature. squid_ng.inc is later loaded with require_once by
	  custom_add_php_command_late, so a download altered in transit would run as PHP on the
	  firewall. Confirm the package installer verifies integrity, or fetch over an
	  authenticated channel.
	  NOTE(review): these are XML and PHP include files read by the GUI; mode 0755 sets an
	  execute bit they presumably do not need. TODO confirm 0644 is sufficient.
	-->
	<additional_files_needed>
		<prefix>/usr/local/pkg/</prefix>
		<chmod>0755</chmod>
		<item>http://www.pfsense.com/packages/config/squid_cache.xml</item>
	</additional_files_needed>
	
    <additional_files_needed>
	    <prefix>/usr/local/pkg/</prefix>
	    <chmod>0755</chmod>
	    <item>http://www.pfsense.com/packages/config/squid_nac.xml</item>
	</additional_files_needed>
    	
    <!-- PHP include that custom_add_php_command_late loads with require_once. -->
    <additional_files_needed>
	    <prefix>/usr/local/pkg/</prefix>
	    <chmod>0755</chmod>
	    <item>http://www.pfsense.com/packages/config/squid_ng.inc</item>
	</additional_files_needed>
    
   	<additional_files_needed>
	    <prefix>/usr/local/pkg/</prefix>
	    <chmod>0755</chmod>
	    <item>http://www.pfsense.com/packages/config/squid_traffic.xml</item>
	</additional_files_needed>
	
	<additional_files_needed>
	    <prefix>/usr/local/pkg/</prefix>
	    <chmod>0755</chmod>
	    <item>http://www.pfsense.com/packages/config/squid_upstream.xml</item>
	</additional_files_needed>

	<additional_files_needed>
		<prefix>/usr/local/pkg/</prefix>
		<chmod>0755</chmod>
		<item>http://www.pfsense.com/packages/config/squid_auth.xml</item>
	</additional_files_needed>
	
	<additional_files_needed>
		<prefix>/usr/local/pkg/</prefix>
		<chmod>0755</chmod>
		<item>http://www.pfsense.com/packages/config/squid_extauth.xml</item>
	</additional_files_needed>
	
	<!--
	  Tab bar for the package pages. Each tab opens pkg_edit.php with the name of a package
	  XML file; all but the first are files listed under additional_files_needed.
	  NOTE(review): the General Settings tab points at squid.xml, whereas the menu entry and
	  aftersaveredirect use squid_ng.xml. Confirm which name this file is installed under.
	-->
	<tabs>
		<tab>
			<text>General Settings</text>
			<url>/pkg_edit.php?xml=squid.xml&amp;id=0</url>
			<!-- Marks this tab as the one shown as selected on this page. -->
			<active/>
		</tab>
		
		<tab>
			<text>Upstream Proxy</text>
			<url>/pkg_edit.php?xml=squid_upstream.xml&amp;id=0</url>
		</tab>
		
		<tab>
			<text>Cache Mgmt</text>
			<url>/pkg_edit.php?xml=squid_cache.xml&amp;id=0</url>
		</tab>
			
		<tab>
			<text>Network Access Control</text>
			<url>/pkg_edit.php?xml=squid_nac.xml&amp;id=0</url>
		</tab>
			
		<tab>
			<text>Traffic Mgmt</text>
			<url>/pkg_edit.php?xml=squid_traffic.xml&amp;id=0</url>
		</tab>
			
		<tab>
			<text>Auth Settings</text>
			<url>/pkg_edit.php?xml=squid_auth.xml&amp;id=0</url>
		</tab>
		
		<tab>
			<text>Extended Auth Settings</text>
			<url>/pkg_edit.php?xml=squid_extauth.xml&amp;id=0</url>
		</tab>
	</tabs>
	
	<!--
	  Form fields of the General Settings page. This file declares no validation for them;
	  the values are presumably consumed by squid_ng.inc (not shown here) when squid.conf is
	  regenerated after a save.
	-->
	<fields>	
		<field>
			<fielddescr>Proxy Listening Interface</fielddescr>
			<fieldname>active_interface</fieldname>
			<description>This defines the active listening interface to which the proxy server will listen for its requests.</description>
			<type>interfaces_selection</type>
		</field>
		
		<field>
			<fielddescr>Transparent Proxy</fielddescr>
			<fieldname>transparent_proxy</fieldname>
			<description>If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.</description>
			<type>checkbox</type>
		</field>
		
		<!-- NOTE(review): the description points to Services -> Proxy Log, but the only Proxy Log menu in this file is commented out and sits under Status. -->
		<field>
			<fielddescr>Log Enabled</fielddescr>
			<fieldname>log_enabled</fieldname>
			<description>This enables the Web Proxy logging feature.  All clients requests will be written to a log file viewable under Services -> Proxy Log.</description>
			<type>checkbox</type>
		</field>
		
		<field>
			<fielddescr>URL Filtering Enabled</fielddescr>
			<fieldname>urlfilter_enable</fieldname>
			<description>This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options.  This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering</description>
			<type>checkbox</type>
		</field>
		
		<!-- NOTE(review): complete URLs can carry session tokens or credentials in the query string; with this enabled the access log should be treated as sensitive data. -->
		<field>
			<fielddescr>Log Query Terms</fielddescr>
			<fieldname>log_query_terms</fieldname>
			<description>This will log the complete URL rather than the part of the URL containing dynamic queries.</description>
			<type>checkbox</type>
		</field>
		
		<field>
			<fielddescr>Log User Agents</fielddescr>
			<fieldname>log_user_agents</fieldname>
			<description>This will enable the useragent string to be written to a separate log.  The results are not shown in the GUI and should only be used for debugging purposes.</description>
			<type>checkbox</type>
		</field>
		
		<!--
		  Free-text inputs follow (ports, hostname, e-mail address).
		  NOTE(review): confirm squid_ng.inc validates them before writing squid.conf: ports
		  numeric and in range, no whitespace or line breaks in any value. Otherwise a crafted
		  value could add extra directives to the generated configuration.
		-->
		<field>
			<combinefieldsend>true</combinefieldsend>
			<fielddescr>Proxy Port</fielddescr>
			<fieldname>proxy_port</fieldname>
			<description>This is the port the Proxy Server will listen for client requests on.  The default is 3128.</description>
			<size>4</size>
			<type>input</type>
		</field>
		
		<field>
			<fielddescr>ICP Port</fielddescr>
			<fieldname>icp_port</fieldname>
			<description>This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches.  The default value is 0, which means this function is disabled.</description>
			<size>4</size>
			<type>input</type>
		</field>
		
		<field>
			<fielddescr>Visible Hostname</fielddescr>
			<fieldname>visible_hostname</fieldname>
			<description>This URL is displayed on the Proxy Server error messages.</description>
			<size>35</size>
			<type>input</type>
		</field>
		
		<field>
			<fielddescr>Cache Administrator E-Mail</fielddescr>
			<fieldname>cache_admin_email</fieldname>
			<description>This E-Mail address is displayed on the Proxy Server error messages.</description>
			<size>35</size>
			<type>input</type>
		</field>
		
		<!-- Fixed list of choices. The install-time default config uses /usr/local/etc/squid/errors/English; presumably each value selects a sibling directory. TODO confirm in squid_ng.inc. -->
		<field>
			<fielddescr>Error Messages Language</fielddescr>
			<fieldname>error_language</fieldname>
			<description>Select the language in which the Proxy Server shall display error messages to users.</description>
			<type>select</type>
			<options>
				<option><name>Bulgarian</name><value>Bulgarian</value></option>
				<option><name>Catalan</name><value>Catalan</value></option>
				<option><name>Czech</name><value>Czech</value></option>
				<option><name>Danish</name><value>Danish</value></option>
				<option><name>Dutch</name><value>Dutch</value></option>
				<option><name>English</name><value>English</value></option>
				<option><name>Estonian</name><value>Estonian</value></option>
				<option><name>Finnish</name><value>Finnish</value></option>
				<option><name>French</name><value>French</value></option>
				<option><name>German</name><value>German</value></option>
				<option><name>Hebrew</name><value>Hebrew</value></option>
				<option><name>Hungarian</name><value>Hungarian</value></option>
				<option><name>Italian</name><value>Italian</value></option>
				<option><name>Japanese</name><value>Japanese</value></option>
				<option><name>Korean</name><value>Korean</value></option>
				<option><name>Lithuanian</name><value>Lithuanian</value></option>
				<option><name>Polish</name><value>Polish</value></option>
				<option><name>Portuguese</name><value>Portuguese</value></option>
				<option><name>Romanian</name><value>Romanian</value></option>
				<option><name>Russian-1251</name><value>Russian-1251</value></option>
				<option><name>Russian-koi8-r</name><value>Russian-koi8-r</value></option>
				<option><name>Serbian</name><value>Serbian</value></option>
				<option><name>Simplify Chinese</name><value>Simplify Chinese</value></option>
				<option><name>Slovak</name><value>Slovak</value></option>
				<option><name>Spanish</name><value>Spanish</value></option>
				<option><name>Swedish</name><value>Swedish</value></option>
				<option><name>Traditional Chinese</name><value>Traditional Chinese</value></option>
				<option><name>Turkish</name><value>Turkish</value></option>
			</options>
		</field>
				
	</fields>
	
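	<!-- Writes the fixed install-time squid.conf; the GUI options are not read here. -->
	<custom_php_global_functions>
		/*
		 * Write the install-time default /usr/local/etc/squid/squid.conf.
		 *
		 * The only dynamic values are the LAN network and mask, taken from
		 * $config['interfaces']['lan']. Everything else is a fixed baseline:
		 * transparent proxying, no local logging, access for the LAN and
		 * localhost only.
		 *
		 * Returns true when the file was written, false when it could not
		 * be opened (the existing file is then left untouched).
		 */
		function write_static_squid_config() {
			global $config;

			$lancfg = $config['interfaces']['lan'];
			$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
			$lansn = $lancfg['subnet'];

			$lines = array(
				"#",
				"# This file was automatically generated by the pfSense package manager.",
				"# This default policy enables transparent proxy with no local disk logging.",
				"#",
				"shutdown_lifetime 5 seconds",
				"icp_port 0",
				"",
				"acl QUERY urlpath_regex cgi-bin \?",
				"no_cache deny QUERY",
				"",
				"pid_filename /var/run/squid.pid",
				"",
				"cache_mem 8 MB",
				"cache_dir diskd /var/squid/cache 500 16 256",
				"",
				"error_directory /usr/local/etc/squid/errors/English",
				"",
				"memory_replacement_policy heap GDSF",
				"cache_replacement_policy heap GDSF",
				"",
				"cache_access_log /dev/null",
				"cache_log /dev/null",
				"cache_store_log none",
				"",
				"log_mime_hdrs off",
				"emulate_httpd_log on",
				"forwarded_for off",
				"",
				"acl within_timeframe time MTWHFAS 00:00-24:00",
				"",
				/*
				 * "all" must match every source address. It used to be defined
				 * as the LAN subnet, so the final "http_access deny all" only
				 * matched LAN clients. A request from any other source then
				 * matched no http_access rule, and Squid falls back to the
				 * opposite of the last rule (deny), i.e. allow. The proxy was
				 * therefore open to non-LAN sources on safe ports.
				 */
				"acl all src 0.0.0.0/0.0.0.0",
				"acl localnet src " . $lansa . "/" . $lansn,
				"acl localhost src 127.0.0.1/255.255.255.255",
				"acl SSL_ports port 443 563 873 # https, snews, rsync",
				"acl Safe_ports port 80 # http",
				"acl Safe_ports port 21 # ftp",
				"acl Safe_ports port 443 563 873 # https, snews, rsync",
				"acl Safe_ports port 70 # gopher",
				"acl Safe_ports port 210 # wais",
				"acl Safe_ports port 1025-65535 # unregistered ports",
				"acl Safe_ports port 280 # http-mgmt",
				"acl Safe_ports port 488 # gss-http",
				"acl Safe_ports port 591 # filemaker",
				"acl Safe_ports port 777 # multiling http",
				"acl Safe_ports port 800 # Squids port (for icons)",
				"",
				"acl CONNECT method CONNECT",
				"",
				/*
				 * NOTE(review): the allow rules come before the Safe_ports and
				 * CONNECT denies, so those port restrictions never apply to LAN
				 * or localhost clients. Left as the original author ordered it;
				 * confirm that is intended.
				 */
				"#access to squid; local machine; no restrictions",
				"http_access allow localnet",
				"http_access allow localhost",
				"",
				"#Deny non web services",
				"http_access deny !Safe_ports",
				"http_access deny CONNECT !SSL_ports",
				"",
				"#Set custom configured ACLs",
				"http_access deny all",
				"visible_hostname pfSense",
				"",
				"cache_effective_user squid",
				"cache_effective_group squid",
				"",
				"maximum_object_size 4096 KB",
				"minimum_object_size 0 KB",
				"",
				"request_body_max_size 0 KB",
				"reply_body_max_size 0 allow all",
				"",
				"httpd_accel_host virtual",
				"httpd_accel_port 80",
				"httpd_accel_with_proxy on",
				"httpd_accel_uses_host_header on"
			);

			$fout = fopen("/usr/local/etc/squid/squid.conf", "w");
			if (!$fout) {
				/* Nothing to write to; do not call fwrite() on a failed handle. */
				return false;
			}
			fwrite($fout, implode("\n", $lines) . "\n");
			fclose($fout);
			return true;
		}
	</custom_php_global_functions>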
	
	<!--
	  Presumably run by the package framework after the form is saved. It loads
	  squid_ng.inc, calls global_write_squid_config() (not defined in this file, presumably
	  in squid_ng.inc) and then asks the running squid to re-read its configuration.
	  Order matters: the include must come before the call, and the config must be written
	  before the reconfigure.
	-->
	<custom_add_php_command_late>	
		require_once("/usr/local/pkg/squid_ng.inc");

		global_write_squid_config();
		mwexec("/usr/local/sbin/squid -k reconfigure");
	</custom_add_php_command_late>
	
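	<custom_php_install_command>
		/*
		 * Install hook: write the baseline squid.conf, create the rc.d start
		 * script and the working directories, give the squid group access to
		 * /dev/pf, initialise the cache and start the proxy.
		 */
		write_static_squid_config();

		touch("/tmp/custom_php_install_command");

		update_output_window("Creating Proxy Server initialization scripts...");
		$fout = fopen("/usr/local/etc/rc.d/squid.sh","w");
		if ($fout) {
			fwrite($fout, "#!/bin/sh\n");
			fwrite($fout, "#: /usr/local/etc/rc.d/squid.sh\n\n");
			fwrite($fout, "touch /tmp/ro_root_mount\n");
			fwrite($fout, "/usr/local/sbin/squid -D\n");
			fwrite($fout, "touch /tmp/filter_dirty\n");
			fclose($fout);
			mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
		} else {
			update_output_window("Could not write /usr/local/etc/rc.d/squid.sh");
		}

		/* create the directory hierarchies if they don't exist and hand them to squid */
		update_output_window("Creating required directory hierarchies...");

		$squid_dirs = array(
			"/var/squid/logs",
			"/var/squid/cache",
			"/usr/local/etc/squid/advanced/acls",
			"/usr/local/etc/squid/advanced/ncsa",
			"/usr/local/etc/squid/advanced/ntlm",
			"/usr/local/etc/squid/advanced/radius"
		);
		foreach ($squid_dirs as $squid_dir) {
			if (!file_exists($squid_dir)) {
				mwexec("mkdir -p " . $squid_dir);
			}
			mwexec("/usr/sbin/chown squid:squid " . $squid_dir);
		}

		/*
		 * EmanuelG: give the squid group access to /dev/pf. Without it squid
		 * reports: parseHttpRequest: PF open failed: (13) Permission denied
		 *
		 * NOTE(review): g+rw also lets any process in the squid group change
		 * packet filter rules and state. Confirm this squid build needs write
		 * access; if read access is enough, drop the w.
		 */
		mwexec("chgrp squid /dev/pf");
		mwexec("chmod g+rw /dev/pf");

		/*
		 * Make the ownership persistent in /etc/devfs.conf. The three writes
		 * used to lack line breaks, so both directives ended up on the comment
		 * line and were ignored. Each now gets its own line, and the entry is
		 * only appended when no active "own pf root:squid" line exists, so
		 * reinstalling does not pile up duplicates.
		 *
		 * NOTE(review): 0640 is the mode the original author wrote, but it is
		 * narrower than the g+rw applied above. Confirm which one squid needs
		 * and make the two agree.
		 */
		$devfs_path = "/etc/devfs.conf";
		$devfs_current = file_exists($devfs_path) ? file_get_contents($devfs_path) : "";
		if (!preg_match('/^own\s+pf\s+root:squid\s*$/m', $devfs_current)) {
			$devfs_file = fopen($devfs_path, "a");
			if ($devfs_file) {
				fwrite($devfs_file, "\n# Allow squid to query the packet filter by making it group-accessible.\n");
				fwrite($devfs_file, "own pf root:squid\n");
				fwrite($devfs_file, "perm pf 0640\n");
				fclose($devfs_file);
			} else {
				update_output_window("Could not update /etc/devfs.conf");
			}
		}

		update_output_window("Initializing Cache... This may take a moment...");
		mwexec("/usr/local/sbin/squid -z");

		write_static_squid_config();

		update_output_window("Starting Proxy Server...");
		mwexec("/usr/local/etc/rc.d/squid.sh");
		filter_configure();
	</custom_php_install_command>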

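	<custom_php_deinstall_command>
		/*
		 * Deinstall hook: stop squid, remove its cache and configuration
		 * trees and the rc.d script, then reload the filter.
		 *
		 * NOTE(review): the group and mode change on /dev/pf and the lines
		 * appended to /etc/devfs.conf by the install hook are not reverted
		 * here.
		 */
		update_output_window("Stopping proxy service...");

		/*
		 * Ask squid to shut down and wait for its pid file to go away, for
		 * at most 30 attempts one second apart. The previous "do while"
		 * line did not parse, and its "or ($i == 30)" test would have kept
		 * looping rather than stopping at the limit.
		 */
		$attempts = 0;
		while (file_exists("/var/run/squid.pid") and 30 > $attempts) {
			mwexec("/usr/local/sbin/squid -k shutdown");
			sleep(1);
			$attempts++;
		}

		/* brute force any remaining squid processes out (was misspelled mwxec, an undefined function) */
		mwexec("/usr/bin/killall squid");

		update_output_window("Recursively removing directories hierarchies...");
		update_output_window("If existant, log files in /var/squid/logs will remain...");
		mwexec("rm -rf /usr/local/squid");
		mwexec("rm -rf /var/squid/cache");
		mwexec("rm -rf /usr/local/etc/squid");

		update_output_window("Removing configuration files...");
		unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
		/* /usr/local/etc/squid was already removed by rm -rf above; kept for parity with the original. */
		unlink_if_exists("/usr/local/etc/squid");
		unlink_if_exists("/usr/local/libexec/squid");

		filter_configure();
	</custom_php_deinstall_command>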
	
	<!-- Service control: start runs the rc.d script that custom_php_install_command writes; stop asks squid to shut down via its own -k shutdown. -->
	<start_command>/usr/local/etc/rc.d/squid.sh</start_command>
	
	<process_kill_command>/usr/local/sbin/squid -k shutdown</process_kill_command>
	
</packagegui>