squid
Services: Proxy Server
Security
2.5.10_4
installedpackages->package->squidng->configuration->settings
/pkg_edit.php?xml=squid_ng.xml&id=0
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_cache.xml
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_nac.xml
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_ng.inc
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_traffic.xml
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_upstream.xml
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_auth.xml
/usr/local/pkg/
0755
- http://www.pfsense.com/packages/config/squid_extauth.xml
General Settings
/pkg_edit.php?xml=squid.xml&id=0
Upstream Proxy
/pkg_edit.php?xml=squid_upstream.xml&id=0
Cache Mgmt
/pkg_edit.php?xml=squid_cache.xml&id=0
Network Access Control
/pkg_edit.php?xml=squid_nac.xml&id=0
Traffic Mgmt
/pkg_edit.php?xml=squid_traffic.xml&id=0
Auth Settings
/pkg_edit.php?xml=squid_auth.xml&id=0
Extended Auth Settings
/pkg_edit.php?xml=squid_extauth.xml&id=0
Proxy Listening Interface
active_interface
This defines the active listening interface to which the proxy server will listen for its requests.
interfaces_selection
Transparent Proxy
transparent_proxy
If transparent mode is enabled; all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary.
checkbox
Log Enabled
log_enabled
This enables the Web Proxy logging feature. All clients requests will be written to a log file viewable under Services -> Proxy Log.
checkbox
URL Filtering Enabled
urlfilter_enable
This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering
checkbox
Log Query Terms
log_query_terms
This will log the complete URL rather than the part of the URL containing dynamic queries.
checkbox
Log User Agents
log_user_agents
This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes.
checkbox
true
Proxy Port
proxy_port
This is the port the Proxy Server will listen for client requests on. The default is 3128.
4
input
ICP Port
icp_port
This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled.
4
input
Visible Hostname
visible_hostname
This URL is displayed on the Proxy Server error messages.
35
input
Cache Administrator E-Mail
cache_admin_email
This E-Mail address is displayed on the Proxy Server error messages.
35
input
Error Messages Language
error_language
Select the language in which the Proxy Server shall display error messages to users.
select
function write_static_squid_config() {
global $config;
$lancfg = $config['interfaces']['lan'];
$lanif = $lancfg['if'];
$lanip = $lancfg['ipaddr'];
$lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
$lansn = $lancfg['subnet'];
$fout = fopen("/usr/local/etc/squid/squid.conf","w");
fwrite($fout, "#\n");
fwrite($fout, "# This file was automatically generated by the pfSense package manager.\n");
fwrite($fout, "# This default policy enables transparent proxy with no local disk logging.\n");
fwrite($fout, "#\n");
fwrite($fout, "shutdown_lifetime 5 seconds\n");
fwrite($fout, "icp_port 0\n");
fwrite($fout, "\n");
fwrite($fout, "acl QUERY urlpath_regex cgi-bin \?\n");
fwrite($fout, "no_cache deny QUERY\n");
fwrite($fout, "\n");
fwrite($fout, "pid_filename /var/run/squid.pid\n");
fwrite($fout, "\n");
fwrite($fout, "cache_mem 8 MB\n");
fwrite($fout, "cache_dir diskd /var/squid/cache 500 16 256\n");
fwrite($fout, "\n");
fwrite($fout, "error_directory /usr/local/etc/squid/errors/English\n");
fwrite($fout, "\n");
fwrite($fout, "memory_replacement_policy heap GDSF\n");
fwrite($fout, "cache_replacement_policy heap GDSF\n");
fwrite($fout, "\n");
fwrite($fout, "cache_access_log /dev/null\n");
fwrite($fout, "cache_log /dev/null\n");
fwrite($fout, "cache_store_log none\n");
fwrite($fout, "\n");
fwrite($fout, "log_mime_hdrs off\n");
fwrite($fout, "emulate_httpd_log on\n");
fwrite($fout, "forwarded_for off\n");
fwrite($fout, "\n");
fwrite($fout, "acl within_timeframe time MTWHFAS 00:00-24:00\n");
fwrite($fout, "\n");
fwrite($fout, "acl all src " . $lansa . "/" . $lansn . "\n");
fwrite($fout, "acl localnet src " . $lansa . "/" . $lansn . "\n");
fwrite($fout, "acl localhost src 127.0.0.1/255.255.255.255\n");
fwrite($fout, "acl SSL_ports port 443 563 873 # https, snews, rsync\n");
fwrite($fout, "acl Safe_ports port 80 # http\n");
fwrite($fout, "acl Safe_ports port 21 # ftp\n");
fwrite($fout, "acl Safe_ports port 443 563 873 # https, snews, rsync\n");
fwrite($fout, "acl Safe_ports port 70 # gopher\n");
fwrite($fout, "acl Safe_ports port 210 # wais\n");
fwrite($fout, "acl Safe_ports port 1025-65535 # unregistered ports\n");
fwrite($fout, "acl Safe_ports port 280 # http-mgmt\n");
fwrite($fout, "acl Safe_ports port 488 # gss-http\n");
fwrite($fout, "acl Safe_ports port 591 # filemaker\n");
fwrite($fout, "acl Safe_ports port 777 # multiling http\n");
fwrite($fout, "acl Safe_ports port 800 # Squids port (for icons)\n");
fwrite($fout, "\n");
fwrite($fout, "acl CONNECT method CONNECT\n");
fwrite($fout, "\n");
fwrite($fout, "#access to squid; local machine; no restrictions\n");
fwrite($fout, "http_access allow localnet\n");
fwrite($fout, "http_access allow localhost\n");
fwrite($fout, "\n");
fwrite($fout, "#Deny non web services\n");
fwrite($fout, "http_access deny !Safe_ports\n");
fwrite($fout, "http_access deny CONNECT !SSL_ports\n");
fwrite($fout, "\n");
fwrite($fout, "#Set custom configured ACLs\n");
fwrite($fout, "http_access deny all\n");
fwrite($fout, "visible_hostname pfSense\n");
fwrite($fout, "\n");
fwrite($fout, "cache_effective_user squid\n");
fwrite($fout, "cache_effective_group squid\n");
fwrite($fout, "\n");
fwrite($fout, "maximum_object_size 4096 KB\n");
fwrite($fout, "minimum_object_size 0 KB\n");
fwrite($fout, "\n");
fwrite($fout, "request_body_max_size 0 KB\n");
fwrite($fout, "reply_body_max_size 0 allow all\n");
fwrite($fout, "\n");
fwrite($fout, "httpd_accel_host virtual\n");
fwrite($fout, "httpd_accel_port 80\n");
fwrite($fout, "httpd_accel_with_proxy on\n");
fwrite($fout, "httpd_accel_uses_host_header on\n");
fclose($fout);
}
require_once("/usr/local/pkg/squid_ng.inc");
global_write_squid_config();
mwexec("/usr/local/sbin/squid -k reconfigure");
write_static_squid_config();
touch("/tmp/custom_php_install_command");
/* make sure this all exists, see:
* http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391
*/
update_output_window("Setting up Squid environment...");
mwexec("mkdir -p /var/squid");
mwexec("chown squid:squid /var/squid");
mwexec("mkdir -p /var/squid/logs");
mwexec("chown squid:squid /var/squid/logs");
mwexec("mkdir -p /var/squid/cache");
mwexec("chown squid:squid /var/squid/cache");
mwexec("mkdir -p /usr/local/etc/squid/advanced");
mwexec("chown squid:squid /usr/local/etc/squid/advanced");
mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls");
mwexec("touch /usr/local/etc/squid/advanced/acls/src_subnets.acl");
mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_subnets.acl");
mwexec("touch /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
mwexec("chown squid:squid /usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl");
update_output_window("Creating Proxy Server initialization scripts...");
$fout = fopen("/usr/local/etc/rc.d/squid.sh","w");
fwrite($fout, "#!/bin/sh\n");
fwrite($fout, "#: /usr/local/etc/rc.d/squid.sh\n\n");
fwrite($fout, "touch /tmp/ro_root_mount\n");
fwrite($fout, "/usr/local/sbin/squid -D\n");
fwrite($fout, "touch /tmp/filter_dirty\n");
fclose($fout);
mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
update_output_window("Creating required directory hierarchies...");
if (!file_exists("/var/squid/logs")) {
mwexec("mkdir -p /var/squid/logs");
}
mwexec("/usr/sbin/chown squid:squid /var/squid/logs");
if (!file_exists("/var/squid/cache")) {
mwexec("mkdir -p /var/squid/cache");
}
mwexec("/usr/sbin/chown squid:squid /var/squid/cache");
if (!file_exists("/usr/local/etc/squid/advanced/acls")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/acls");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/acls");
if (!file_exists("/usr/local/etc/squid/advanced/ncsa")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/ncsa");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ncsa");
if (!file_exists("/usr/local/etc/squid/advanced/ntlm")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/ntlm");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/ntlm");
if (!file_exists("/usr/local/etc/squid/advanced/radius")) {
mwexec("mkdir -p /usr/local/etc/squid/advanced/radius");
}
mwexec("/usr/sbin/chown squid:squid /usr/local/etc/squid/advanced/radius");
/* EmanuelG: update pf group ownership settings to enhance squid performance and correct issue relating */
/* to error message: parseHttpRequest: PF open failed: (13) Permission denied */
mwexec("chgrp squid /dev/pf");
mwexec("chmod g+rw /dev/pf");
$devfs_file = fopen("/etc/devfs.conf", "a");
fwrite($devfs_file, "\n# Allow squid to query the packet filter bymaking is group-accessable.
fwrite($devfs_file, "own pf root:squid");
fwrite($devfs_file, "perm pf 0640");
fclose($devfs_file);
update_output_window("Initializing Cache... This may take a moment...");
mwexec("/usr/local/sbin/squid -z");
update_output_window("Starting Proxy Server...");
mwexec("/usr/local/etc/rc.d/squid.sh");
filter_configure();
update_output_window("Stopping proxy service...");
do while ((file_exists("/var/run/squid.pid") or ($i == 30)) {
mwexec("/usr/local/sbin/squid -k shutdown");
$i++;
}
/* brute force any remaining squid processes out */
mwxec("/usr/bin/killall squid");
update_output_window("Recursively removing directories hierarchies...");
update_output_window("If existant, log files in /var/squid/logs will remain...");
mwexec("rm -rf /usr/local/squid");
mwexec("rm -rf /var/squid/cache");
mwexec("rm -rf /usr/local/etc/squid");
update_output_window("Removing configuration files...");
unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
unlink_if_exists("/usr/local/etc/squid");
unlink_if_exists("/usr/local/libexec/squid");
filter_configure();
/usr/local/etc/rc.d/squid.sh
/usr/local/sbin/squid -k shutdown