squid Security 2.5.10_4 installedpackages->package->squidng->configuration->settings /pkg_edit.php?xml=squid_ng.xml&id=0 Squid Modify settings for Proxy Server

Services

/pkg_edit.php?xml=squid_ng.xml&id=0 squid squid.sh /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_cache.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_nac.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_ng.inc /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_traffic.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_upstream.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_auth.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_auth.inc /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_extauth.xml General Settings /pkg_edit.php?xml=squid.xml&id=0 Upstream Proxy /pkg_edit.php?xml=squid_upstream.xml&id=0 Cache Mgmt /pkg_edit.php?xml=squid_cache.xml&id=0 Network Access Control /pkg_edit.php?xml=squid_nac.xml&id=0 Traffic Mgmt /pkg_edit.php?xml=squid_traffic.xml&id=0 Auth Settings /pkg_edit.php?xml=squid_auth.xml&id=0 Extended Auth Settings /pkg_edit.php?xml=squid_extauth.xml&id=0 Proxy Listening Interface active_interface This defines the active listening interface to which the proxy server will listen for its requests. interfaces_selection Transparent Proxy transparent_proxy If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary. checkbox Log Enabled log_enabled This enables the Web Proxy logging feature. All clients requests will be written to a log file viewable under Services -> Proxy Log. checkbox URL Filtering Enabled urlfilter_enable This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering checkbox Log Query Terms log_query_terms This will log the complete URL rather than the part of the URL containing dynamic queries. checkbox Log User Agents log_user_agents This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes. checkbox true Proxy Port proxy_port This is the port the Proxy Server will listen for client requests on. The default is 3128. 4 input ICP Port icp_port This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled. 4 input Visible Hostname visible_hostname This URL is displayed on the Proxy Server error messages. 35 input Cache Administrator E-Mail cache_admin_email This E-Mail address is displayed on the Proxy Server error messages. 35 input Error Messages Language error_language Select the language in which the Proxy Server shall display error messages to users. select BulgarianBulgarian CatalanCatalan CzechCzech DanishDanish DutchDutch EnglishEnglish EstonianEstonian FinnishFinnish FrenchFrench GermanGerman HebrewHebrew HungarianHungarian ItalianItalian JapaneseJapanese KoreanKorean LithuanianLithuanian PolishPolish PortuguesePortuguese RomanianRomanian Russian-1251Russian-1251 Russian-koi8-rRussian-koi8-r SerbianSerbian Simplify ChineseSimplify Chinese SlovakSlovak SpanishSpanish SwedishSwedish Traditional ChineseTraditional Chinese TurkishTurkish function write_static_squid_config() { touch("/tmp/write_static_squid_config"); global $config; $lancfg = $config['interfaces']['lan']; $lanif = $lancfg['if']; $lanip = $lancfg['ipaddr']; $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']); $lansn = $lancfg['subnet']; $fout = fopen("/usr/local/etc/squid/squid.conf","w"); fwrite($fout, "#\n"); fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n"); fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n"); fwrite($fout, "#\n"); fwrite($fout, "shutdown_lifetime 5 seconds\n"); fwrite($fout, "icp_port 0\n"); fwrite($fout, "\n"); fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n"); fwrite($fout, "no_cache deny QUERY\n"); fwrite($fout, "\n"); fwrite($fout, "pid_filename /var/run/squid.pid\n"); fwrite($fout, "\n"); fwrite($fout, "cache_mem 8 MB\n"); fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n"); fwrite($fout, "\n"); fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n"); fwrite($fout, "\n"); fwrite($fout, "memory_replacement_policy heap GDSF\n"); fwrite($fout, "cache_replacement_policy heap GDSF\n"); fwrite($fout, "\n"); fwrite($fout, "cache_access_log /dev/null\n"); fwrite($fout, "cache_log /dev/null\n"); fwrite($fout, "cache_store_log none\n"); fwrite($fout, "\n"); fwrite($fout, "log_mime_hdrs off\n"); fwrite($fout, "emulate_httpd_log on\n"); fwrite($fout, "forwarded_for off\n"); fwrite($fout, "\n"); fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n"); fwrite($fout, "\n"); fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n"); fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n"); fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n"); fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n"); fwrite($fout, "acl Safe_ports port 80 # http\n"); fwrite($fout, "acl Safe_ports port 21 # ftp\n"); fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n"); fwrite($fout, "acl Safe_ports port 70 # gopher\n"); fwrite($fout, "acl Safe_ports port 210 # wais\n"); fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n"); fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n"); fwrite($fout, "acl Safe_ports port 488 # gss-http\n"); fwrite($fout, "acl Safe_ports port 591 # filemaker\n"); fwrite($fout, "acl Safe_ports port 777 # multiling http\n"); fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n"); fwrite($fout, "\n"); fwrite($fout, "acl CONNECT method CONNECT\n"); fwrite($fout, "\n"); fwrite($fout, "#access to squid; local machine; no restrictions\n"); fwrite($fout, "http_access allow localnet\n"); fwrite($fout, "http_access allow localhost\n"); fwrite($fout, "\n"); fwrite($fout, "#Deny non web services\n"); fwrite($fout, "http_access deny !Safe_ports\n"); fwrite($fout, "http_access deny CONNECT !SSL_ports\n"); fwrite($fout, "\n"); fwrite($fout, "#Set custom configured ACLs\n"); fwrite($fout, "http_access deny all\n"); fwrite($fout, "visible_hostname pfSense\n"); fwrite($fout, "\n"); fwrite($fout, "cache_effective_user squid\n"); fwrite($fout, "cache_effective_group squid\n"); fwrite($fout, "\n"); fwrite($fout, "maximum_object_size 4096 KB\n"); fwrite($fout, "minimum_object_size 0 KB\n"); fwrite($fout, "\n"); fwrite($fout, "request_body_max_size 0 KB\n"); fwrite($fout, "reply_body_max_size 0 allow all\n"); fwrite($fout, "\n"); fwrite($fout, "httpd_accel_host virtual\n"); fwrite($fout, "httpd_accel_port 80\n"); fwrite($fout, "httpd_accel_with_proxy on\n"); fwrite($fout, "httpd_accel_uses_host_header on\n"); fclose($fout); } require_once("/usr/local/pkg/squid_ng.inc"); global_write_squid_config(); mwexec("/usr/local/sbin/squid -k reconfigure"); /* write initial static config for transparent proxy */ write_static_squid_config(); touch("/tmp/custom_php_install_command"); /* make sure this all exists, see: * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 */ update_output_window("Setting up Squid environment..."); mwexec("mkdir -p /var/squid"); mwexec("chown squid:squid /var/squid"); mwexec("mkdir -p /var/squid/logs"); mwexec("chown squid:squid /var/squid/logs"); mwexec("mkdir -p /var/squid/cache"); mwexec("chown squid:squid /var/squid/cache"); mwexec("mkdir -p /usr/local/etc/squid/advanced"); mwexec("chown squid:squid /usr/local/etc/squid/advanced"); mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls"); mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl"); mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl"); mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl"); mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf"); update_output_window("Creating Proxy Server initialization scripts..."); $start = <<<EOD touch /tmp/ro_root_mount /usr/local/sbin/squid -D touch /tmp/filter_dirty EOD; $stop = "/usr/local/sbin/squid -k shutdown"; write_rcfile(array( "file" => "squid.sh", "start" => $start, "stop" => $stop ) ); mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh"); /* create log directory hierarchies if they don't exist */ update_output_window("Creating required directory hierarchies..."); if (!file_exists("/var/squid/logs")) { mwexec("mkdir -p /var/squid/logs"); } mwexec("/usr/sbin/chown squid:squid /var/squid/logs"); if (!file_exists("/var/squid/cache")) { mwexec("mkdir -p /var/squid/cache"); } mwexec("/usr/sbin/chown squid:squid /var/squid/cache"); if (!file_exists("/usr/local/etc/squid/advanced/acls")) { mwexec("mkdir -p /usr/local/etc/squid/advanced/acls"); } mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls"); if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) { mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa"); } mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa"); if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) { mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm"); } mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm"); if (!file_exists("/usr/local/etc/squid/advanced/radius")) { mwexec("mkdir -p /usr/local/etc/squid/advanced/radius"); } mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius"); /* EmanuelG: update pf group ownership settings to enhance squid performance and correct issue relating */ /* to error message: parseHttpRequest: PF open failed: (13) Permission denied */ mwexec("chgrp squid /dev/pf"); mwexec("chmod g+rw /dev/pf"); $devfs_file = fopen("/etc/devfs.conf", "a"); fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable. "); fwrite($devfs_file, "own pf root:squid"); fwrite($devfs_file, "perm pf 0640"); fclose($devfs_file); update_output_window("Initializing Cache... This may take a moment..."); mwexec("/usr/local/sbin/squid -z"); update_output_window("Starting Proxy Server..."); start_service("squid"); update_output_window("Stopping proxy service..."); stop_service("squid"); sleep(1); /* brute force any remaining squid processes out */ mwexec("/usr/bin/killall squid"); mwexec("/usr/bin/killall pinger"); update_output_window("Recursively removing directories hierarchies..."); update_output_window("If existant, log files in /var/squid/logs will remain..."); mwexec("rm -rf /usr/local/squid"); mwexec("rm -rf /var/squid/cache"); mwexec("rm -rf /usr/local/etc/squid"); update_output_window("Removing configuration files..."); unlink_if_exists("/usr/local/etc/rc.d/squid.sh"); unlink_if_exists("/usr/local/etc/squid"); unlink_if_exists("/usr/local/libexec/squid"); filter_configure();