squidng
Security
2.5.10_4
Services: Squid Advanced Proxy
['installedpackages']['package']['squidng']['configuration']['settings']
/pkg_edit.php?xml=squid_ng.xml&id=0
package
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/www/squid-2.5.10_4.tbz
package
ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/www/squidGuard-1.2.0_1.tbz
configfile
http://www.pfsense.com/packages/config/squid_upstream.xml
configfile
http://www.pfsense.com/packages/config/squid_cache.xml
configfile
http://www.pfsense.com/packages/config/squid_nac.xml
configfile
http://www.pfsense.com/packages/config/squid_traffic.xml
General Settings
/pkg_edit.php?xml=squid_ng.xml&id=0
Upstream Proxy
/pkg_edit.php?xml=squid_upstream.xml&id=0
Cache Mgmt
/pkg_edit.php?xml=squid_cache.xml&id=0
Network Access Control
/pkg_edit.php?xml=squid_nac.xml&id=0
Traffic Mgmt
/pkg_edit.php?xml=squid_traffic.xml&id=0
Proxy Listening Interface
active_interface
This selects the interface on which the proxy server listens for client requests.
interfaces_selection
Transparent Proxy
transparent_proxy
If transparent mode is enabled, all requests to destination port 80 are redirected to the proxy server without any client-side configuration. Only plain HTTP on port 80 is intercepted; HTTPS and other ports are not.
checkbox
Log Enabled
log_enabled
This enables the Web Proxy logging feature. All client requests will be written to a log file viewable under Services -> Proxy Log.
checkbox
URL Filtering Enabled
urlfilter_enable
This enables URL filtering through squidGuard, which is run as the proxy's redirector and provides a range of URL filtering options. squidGuard itself is configured under Services -> Advanced Proxy Filtering.
checkbox
Log Query Terms
log_query_terms
This logs the complete URL, including the query string, instead of stripping everything after the '?'. Query strings frequently contain search terms, session tokens and other sensitive data, so enable this only if access to the proxy log is restricted accordingly.
checkbox
Log User Agents
log_user_agents
This writes each client's User-Agent string to a separate log file. The results are not shown in the GUI and should only be used for debugging purposes.
checkbox
true
Proxy Port
proxy_port
This is the port the Proxy Server will listen for client requests on. The default is 3128.
4
input
ICP Port
icp_port
This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.
4
input
Visible Hostname
visible_hostname
This hostname is shown in the proxy server's error messages.
35
input
Cache Administrator E-Mail
cache_admin_email
This e-mail address is shown in the proxy server's error messages.
35
input
Error Messages Language
error_language
Select the language in which the Proxy Server shall display error messages to users.
select
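function write_static_squid_config() {
	global $config;
	/*
	 * Write the built-in default ("static") Squid 2.5 configuration to
	 * /usr/local/etc/squid/squid.conf.new: transparent proxy on port 3128 on
	 * every interface, no disk logging, http_access limited to the LAN subnet.
	 * Nothing in this function installs the .new file as squid.conf.
	 */
	$lancfg   = $config['interfaces']['lan'];
	$lansn    = $lancfg['subnet'];
	$lansa    = gen_subnet($lancfg['ipaddr'], $lansn);
	$localnet = $lansa . "/" . $lansn;

	$fout = fopen("/usr/local/etc/squid/squid.conf.new", "w");
	if ($fout === false) {
		return;
	}

	$lines = array(
		"#",
		"# This file was automatically generated by the pfSense package manager",
		"# This default policy enables transparent proxy with no local disk logging",
		"#",
		"shutdown_lifetime 5 seconds",
		"icp_port 0",
		"",
		// Binds every interface; http_access below is what keeps it closed.
		"http_port 3128",
		"",
		"acl QUERY urlpath_regex cgi-bin \?",
		"no_cache deny QUERY",
		"",
		"pid_filename /var/run/squid.pid",
		"",
		"cache_mem 8 MB",
		"cache_dir aufs /usr/local/squid/cache 500 16 256",
		"",
		"error_directory /usr/local/squid/etc/errors/English",
		"",
		"memory_replacement_policy heap LRU",
		"cache_replacement_policy heap GSDF",
		"",
		"cache_access_log /dev/null",
		"cache_log /dev/null",
		"cache_store_log none",
		"",
		"log_mime_hdrs off",
		"emulate_httpd_log on",
		"forwarded_for off",
		"",
		"acl within_timeframe time MTWHFAS 00:00-24:00",
		"",
		// "all" must match every source. Squid treats a request that matches
		// no http_access line as the opposite of the LAST line; with "all"
		// defined as the LAN subnet (as it used to be), a request from any
		// other network matched nothing and was ALLOWED -- an open proxy on
		// every interface, since http_port is not bound to an address here.
		"acl all src 0.0.0.0/0.0.0.0",
		"acl localnet src " . $localnet,
		"acl localhost src 127.0.0.1/255.255.255.255",
		"acl SSL_ports port 443 563",
		"acl Safe_ports port 80 # http",
		"acl Safe_ports port 21 # ftp",
		"acl Safe_ports port 443 563 # https, snews",
		"acl Safe_ports port 70 # gopher",
		"acl Safe_ports port 210 # wais",
		"acl Safe_ports port 1025-65535 # unregistered ports",
		"acl Safe_ports port 280 # http-mgmt",
		"acl Safe_ports port 488 # gss-http",
		"acl Safe_ports port 591 # filemaker",
		"acl Safe_ports port 777 # multiling http",
		"acl Safe_ports port 800 # Squids port (for icons)",
		"",
		"acl CONNECT method CONNECT",
		"",
		"#access to squid; local machine; no restrictions",
		"http_access allow localnet",
		"http_access allow localhost",
		"",
		"#Deny non web services",
		"http_access deny !Safe_ports",
		// CONNECT is denied outright (SSL_ports is defined but never used), so
		// explicitly configured clients cannot reach HTTPS sites via this proxy.
		"http_access deny CONNECT",
		"",
		"#Set custom configured ACLs",
		"http_access deny all",
		"visible_hostname pfSense",
		"httpd_accel_host virtual",
		"httpd_accel_port 80",
		"httpd_accel_with_proxy on",
		"httpd_accel_uses_host_header on",
		"cache_effective_user squid",
		"cache_effective_group squid",
		"",
		"#Strip HTTP Header",
		"header_access X-Forwarded-For deny all",
		// NOTE(review): header_access expects a header name before the
		// action; this line has none and is unlikely to parse as intended.
		// Kept as-is pending confirmation of what was meant.
		"header_access deny all",
		"",
		"maximum_object_size 4096 KB",
		"minimum_object_size 0 KB",
		"",
		"request_body_max_size 0 KB",
		"reply_body_max_size 0 allow all",
		""
	);
	fwrite($fout, implode("\n", $lines) . "\n");
	fclose($fout);

	// NOTE(review): $domain is never assigned in this function (only $config is
	// imported), so this branch is dead as written. It looks like it was meant
	// to write a space-separated "do not cache" domain list from the package
	// settings; confirm the intended source before relying on dst_nocache.acl.
	if (isset($domain) && $domain != "") {
		$aclout = fopen("/usr/local/etc/squid/dst_nocache.acl", "w");
		if ($aclout !== false) {
			foreach (explode(" ", $domain) as $entry) {
				fwrite($aclout, $entry . "\n");
			}
			fclose($aclout);
		}
	}
}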
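function global_write_squid_config() {
	global $config;
	/*
	 * Render /usr/local/etc/squid/squid.conf.new from the package settings
	 * under $config['installedpackages'] (squidng, squidupstream, squidcache).
	 * Setting values are written into the Squid 2.5 config verbatim: they come
	 * from the pfSense admin GUI and are not validated here, so a value with
	 * an embedded newline would inject directives, and error_language is used
	 * as a path component.
	 *
	 * Nothing in this function installs the .new file as squid.conf or
	 * signals Squid; see sync_package_squid().
	 */
	$squidconfig = "/usr/local/etc/squid/squid.conf.new";

	$ng    = $config['installedpackages']['squidng']['config'][0];
	$up    = $config['installedpackages']['squidupstream']['config'][0];
	$cache = $config['installedpackages']['squidcache']['config'][0];
	// NOTE(review): the squidnac (allowed_subnets, unrestricted_ip_address)
	// and squidtraffic (size limits, throttling) settings exist in the GUI but
	// are not rendered by this function; the access policy below is still
	// "listening interface's subnet only".

	// General settings (squid_ng.xml)
	$active_interface  = $ng['active_interface'];
	$transparent_proxy = $ng['transparent_proxy'];
	$log_enabled       = $ng['log_enabled'];
	$urlfilter_enable  = $ng['urlfilter_enable'];
	$log_query_terms   = $ng['log_query_terms'];
	$log_user_agents   = $ng['log_user_agents'];
	$proxy_port        = $ng['proxy_port'];
	$icp_port          = $ng['icp_port'];
	$visible_hostname  = $ng['visible_hostname'];
	$cache_admin_email = $ng['cache_admin_email'];
	$error_language    = $ng['error_language'];

	// Upstream proxy (squid_upstream.xml)
	$proxy_forwarding     = $up['proxy_forwarding'];
	$client_ip_forwarding = $up['client_ip_forwarding'];
	$user_forwarding      = $up['user_forwarding'];
	$upstream_proxy       = $up['upstream_proxy'];
	$upstream_proxy_port  = $up['upstream_proxy_port'];
	$upstream_username    = $up['upstream_username'];
	// NOTE(review): key is spelled "upstream_psasword" here; confirm the
	// field name in squid_upstream.xml before correcting it, otherwise the
	// password silently becomes empty.
	$upstream_password    = $up['upstream_psasword'];

	// Cache management (squid_cache.xml)
	$memory_cache_size   = $cache['memory_cache_size'];
	$harddisk_cache_size = $cache['harddisk_cache_size'];
	$minimum_object_size = $cache['minimum_object_size'];
	$maximum_object_size = $cache['maximum_object_size'];
	$level_subdirs       = $cache['level_subdirs'];
	$memory_replacement  = $cache['memory_replacement'];
	$cache_replacement   = $cache['cache_replacement'];
	$enable_offline      = $cache['enable_offline'];

	// Defaults for blank fields. They follow the GUI descriptions: proxy port
	// 3128, ICP disabled (port 0). The proxy_port and icp_port fields used to
	// be read but never applied (hard-coded 3128 / 3130).
	if ($proxy_port == "") $proxy_port = "3128";
	if ($icp_port == "") $icp_port = "0";
	if ($memory_cache_size == "") $memory_cache_size = "8";
	if ($harddisk_cache_size == "") $harddisk_cache_size = "500";
	if ($level_subdirs == "") $level_subdirs = "16";
	if ($error_language == "") $error_language = "English";
	if ($memory_replacement == "") $memory_replacement = "heap GSDF";
	if ($cache_replacement == "") $cache_replacement = "heap GSDF";
	if ($maximum_object_size == "") $maximum_object_size = "4096";
	if ($minimum_object_size == "") $minimum_object_size = "0";

	// Bind only to the selected interface's address rather than 0.0.0.0.
	$int = convert_friendly_interface_to_real_interface_name($active_interface);
	$listen_ip = find_interface_ip($int);

	// Subnet of the listening interface: the only client population that
	// http_access lets through.
	$lancfg   = $config['interfaces'][strtolower($active_interface)];
	$lansn    = $lancfg['subnet'];
	$lansa    = gen_subnet($lancfg['ipaddr'], $lansn);
	$localnet = $lansa . "/" . $lansn;

	$fout = fopen($squidconfig, "w");
	if ($fout === false) {
		return;
	}

	fwrite($fout, "shutdown_lifetime 5 seconds\n");
	fwrite($fout, "\n");
	fwrite($fout, "icp_port " . $icp_port . "\n");
	fwrite($fout, "http_port " . $listen_ip . ":" . $proxy_port . "\n");
	fwrite($fout, "\n");
	fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
	// Was "non_cache", which is not a Squid directive.
	fwrite($fout, "no_cache deny QUERY\n");
	fwrite($fout, "\n");
	fwrite($fout, "cache_effective_user squid\n");
	fwrite($fout, "cache_effective_group squid\n");
	fwrite($fout, "\n");
	fwrite($fout, "pid_filename /var/run/squid.pid\n");
	fwrite($fout, "\n");
	fwrite($fout, "cache_mem " . $memory_cache_size . " MB\n");
	// Was "cache_dirs", which is not a Squid directive.
	fwrite($fout, "cache_dir aufs /usr/local/squid/cache " . $harddisk_cache_size . " " . $level_subdirs . " 256\n");
	fwrite($fout, "\n");
	fwrite($fout, "error_directory /usr/local/squid/etc/errors/" . $error_language . "\n");
	fwrite($fout, "\n");
	// Was testing $offline_mode, which is never assigned; the GUI setting is
	// enable_offline.
	if ($enable_offline == "on") {
		fwrite($fout, "offline_mode on\n");
		fwrite($fout, "\n");
	}
	fwrite($fout, "memory_replacement_policy " . $memory_replacement . "\n");
	fwrite($fout, "cache_replacement_policy " . $cache_replacement . "\n");
	fwrite($fout, "\n");

	// Logging
	if ($log_enabled == "on") {
		fwrite($fout, "cache_access_log /var/log/squid/access.log\n");
		fwrite($fout, "cache_log /var/log/squid/cache.log\n");
	} else {
		fwrite($fout, "cache_access_log /dev/null\n");
		fwrite($fout, "cache_log /dev/null\n");
	}
	fwrite($fout, "cache_store_log none\n");
	// Query strings often carry session tokens and search terms; they are
	// stripped from the log unless explicitly requested.
	if ($log_query_terms == "on") {
		fwrite($fout, "strip_query_terms off\n");
	} else {
		fwrite($fout, "strip_query_terms on\n");
	}
	if ($log_user_agents == "on") {
		fwrite($fout, "useragent_log /var/log/squid/useragent.log\n");
	}
	fwrite($fout, "\n");
	fwrite($fout, "log_mime_hdrs off\n");
	fwrite($fout, "emulate_httpd_log on\n");
	// Client addresses are only forwarded upstream when both flags are set.
	if ($client_ip_forwarding == "on" && $user_forwarding == "on") {
		fwrite($fout, "forwarded_for on\n");
	} else {
		fwrite($fout, "forwarded_for off\n");
	}
	fwrite($fout, "\n");
	fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
	fwrite($fout, "\n");

	// Access control. "all" must match every source: Squid treats a request
	// that matches no http_access line as the opposite of the LAST line, so
	// with "all" defined as the local subnet (as it used to be) a request from
	// any other network matched nothing and was ALLOWED -- an open proxy.
	fwrite($fout, "acl all src 0.0.0.0/0.0.0.0\n");
	fwrite($fout, "acl localnet src " . $localnet . "\n");
	fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
	fwrite($fout, "acl SSL_ports port 443 563\n");
	fwrite($fout, "acl Safe_ports port 80 # http\n");
	fwrite($fout, "acl Safe_ports port 21 # ftp\n");
	fwrite($fout, "acl Safe_ports port 443 563 # https, snews\n");
	fwrite($fout, "acl Safe_ports port 70 # gopher\n");
	fwrite($fout, "acl Safe_ports port 210 # wais\n");
	fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
	fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
	fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
	fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
	fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
	fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
	fwrite($fout, "\n");
	fwrite($fout, "acl CONNECT method CONNECT\n");
	fwrite($fout, "\n");
	fwrite($fout, "#access to squid; local machine; no restrictions\n");
	fwrite($fout, "http_access allow localnet\n");
	fwrite($fout, "http_access allow localhost\n");
	fwrite($fout, "\n");
	fwrite($fout, "#Deny non web services\n");
	fwrite($fout, "http_access deny !Safe_ports\n");
	// CONNECT is denied outright (SSL_ports is defined but never used), so
	// explicitly configured clients cannot reach HTTPS sites via this proxy.
	fwrite($fout, "http_access deny CONNECT\n");
	fwrite($fout, "\n");
	fwrite($fout, "#Set custom configured ACLs\n");
	fwrite($fout, "http_access deny all\n");
	fwrite($fout, "\n");
	fwrite($fout, "#Strip HTTP Header\n");
	fwrite($fout, "header_access X-Forwarded-For deny all\n");
	// NOTE(review): header_access expects a header name before the action;
	// this line has none and is unlikely to parse as intended. Kept as-is
	// pending confirmation of what was meant.
	fwrite($fout, "header_access deny all\n");
	fwrite($fout, "\n");

	if ($urlfilter_enable == "on") {
		// The newlines were missing here, which glued both directives and
		// the following visible_hostname line together.
		fwrite($fout, "redirect_program /usr/sbin/squidGuard\n");
		fwrite($fout, "redirect_children 5\n");
	}
	// Loose comparison on purpose: an unset field is NULL, and "NULL !== ''"
	// used to emit a bare "visible_hostname" / "cache_mgr" directive.
	if ($visible_hostname != "") {
		fwrite($fout, "visible_hostname " . $visible_hostname . "\n");
	}
	if ($cache_admin_email != "") {
		fwrite($fout, "cache_mgr " . $cache_admin_email . "\n");
	}
	fwrite($fout, "maximum_object_size " . $maximum_object_size . " KB\n");
	fwrite($fout, "minimum_object_size " . $minimum_object_size . " KB\n");
	fwrite($fout, "\n");

	if ($proxy_forwarding == "on") {
		// The previous cache_peer line lacked the spaces around "parent",
		// appended "3130" directly to the port number and used the undefined
		// constants upstream_username/upstream_password instead of the
		// variables, so it could never have produced a valid peer.
		$peer = "cache_peer " . $upstream_proxy . " parent " . $upstream_proxy_port . " 3130";
		if ($upstream_username != "") {
			// The credentials land in squid.conf in clear text; make sure the
			// generated file is not world-readable.
			$peer .= " login=" . $upstream_username . ":" . $upstream_password;
		}
		$peer .= " default no-query";
		fwrite($fout, $peer . "\n");
		fwrite($fout, "never_direct allow all\n");
	}

	if ($transparent_proxy == "on") {
		// Squid 2.5 interception (httpd_accel_*). Only port 80 is
		// intercepted; HTTPS is not.
		fwrite($fout, "httpd_accel_host virtual\n");
		fwrite($fout, "httpd_accel_port 80\n");
		fwrite($fout, "httpd_accel_with_proxy on\n");
		fwrite($fout, "httpd_accel_uses_host_header on\n");
		fwrite($fout, "\n");
	}
	fclose($fout);
}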
/*
 * Resync hook: ask the running Squid to re-read its configuration, then
 * return the root filesystem to read-only and release the config lock.
 * NOTE(review): the matching conf_mount_rw()/config_lock() calls, and the
 * step that installs squid.conf.new as squid.conf, are not visible here;
 * "-k reconfigure" also does nothing useful if Squid is not running.
 */
function sync_package_squid () {
	$squid_bin = "/usr/local/sbin/squid";
	mwexec($squid_bin . " -k reconfigure");
	conf_mount_ro();
	config_unlock();
}
// Resync hook body: regenerate squid.conf.new from the current package settings.
global_write_squid_config();
/*
 * Install hook: tell the running Squid to re-read its configuration and
 * release the root-filesystem write mount and the config lock.
 * NOTE(review): this definition also appears in the resync hook above; that
 * only works if the two hooks are evaluated in separate PHP scopes (the XML
 * element boundaries are not visible here), since PHP cannot redeclare a
 * function.
 */
function sync_package_squid() {
	$reconfigure = "/usr/local/sbin/squid -k reconfigure";
	mwexec($reconfigure);
	conf_mount_ro();
	config_unlock();
}
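// Install hook: generate the configuration, write the rc script, initialise
// the cache directories and start Squid.
global_write_squid_config();
sync_package_squid();
// NOTE(review): both write_* functions target /usr/local/etc/squid/squid.conf.new,
// so the static config overwrites the settings-derived one here; confirm that
// this ordering is intended.
write_static_squid_config();

// rc script that starts Squid at boot. The previous version had a missing
// closing quote on the "# PACKAGE" line and a missing comma on the "# Alert"
// line, both of which are PHP parse errors.
$rc_script = "/usr/local/etc/rc.d/squid.sh";
$fout = fopen($rc_script, "w");
if ($fout !== false) {
	fwrite($fout, "#!/bin/sh\n");
	fwrite($fout, "# PACKAGE: Squid\n");
	fwrite($fout, "# EXECUTABLE: squid\n\n");
	fwrite($fout, "# Alert system that we need the / mount rw\n");
	fwrite($fout, "touch /tmp/rw_root_mount\n\n");
	fwrite($fout, "/usr/local/sbin/squid -D\n\n");
	fwrite($fout, "touch /tmp/filter_dirty\n\n");
	fclose($fout);
}
// chmod() takes the mode as a number, so it must be written in octal: the
// previous decimal 755 is 01363 (-wxrw--wt), not rwxr-xr-x.
chmod($rc_script, 0755);

update_output_window("Configuring Squid... This may take a moment...");
mwexec("/usr/local/sbin/squid -z");
update_output_window("Starting Squid...");
mwexec_bg($rc_script);
filter_configure();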
// Deinstall hook: remove the cache tree, then the remaining package files,
// then rebuild the firewall rules so any proxy-related rules disappear.
rmdir_recursive("/usr/local/squid");
// NOTE(review): /usr/local/etc/squid and /usr/local/libexec/squid are
// directories; unlink() cannot remove a directory, so if unlink_if_exists()
// wraps unlink() those two entries are left behind.
$leftovers = array(
	"/var/mail/squid",
	"/usr/local/etc/rc.d/squid",
	"/usr/local/etc/squid/squid.conf",
	"/usr/local/etc/squid",
	"/usr/local/libexec/squid"
);
foreach ($leftovers as $path) {
	unlink_if_exists($path);
}
filter_configure();
squid