squid Services: Proxy Server Security 2.5.10_4 installedpackages->package->squidng->configuration->settings /pkg_edit.php?xml=squid_ng.xml&id=0 Squid Modify settings for Proxy Server
Services
/pkg_edit.php?xml=squid_ng.xml&id=0
squid squid.sh /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_cache.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_nac.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_ng.inc /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_traffic.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_upstream.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_auth.xml /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_auth.inc /usr/local/pkg/ 0755 http://www.pfsense.com/packages/config/squid_extauth.xml General Settings /pkg_edit.php?xml=squid.xml&id=0 Upstream Proxy /pkg_edit.php?xml=squid_upstream.xml&id=0 Cache Mgmt /pkg_edit.php?xml=squid_cache.xml&id=0 Network Access Control /pkg_edit.php?xml=squid_nac.xml&id=0 Traffic Mgmt /pkg_edit.php?xml=squid_traffic.xml&id=0 Auth Settings /pkg_edit.php?xml=squid_auth.xml&id=0 Extended Auth Settings /pkg_edit.php?xml=squid_extauth.xml&id=0 Proxy Listening Interface active_interface This defines the active listening interface on which the proxy server will listen for its requests. interfaces_selection Transparent Proxy transparent_proxy If transparent mode is enabled, all requests for destination port 80 will be forwarded to the proxy server without any additional configuration necessary. checkbox Log Enabled log_enabled This enables the Web Proxy logging feature. All client requests will be written to a log file viewable under Services -> Proxy Log. checkbox URL Filtering Enabled urlfilter_enable This enables the advanced functionality in conjunction with squidGuard to provide an array of URL filtering options. This squidGuard functionality can be additionally configured from Services -> Advanced Proxy Filtering. checkbox Log Query Terms log_query_terms This will log the complete URL rather than the part of the URL containing dynamic queries.
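checkbox Log User Agents log_user_agents This will enable the useragent string to be written to a separate log. The results are not shown in the GUI and should only be used for debugging purposes. checkbox true Proxy Port proxy_port This is the port the Proxy Server will listen for client requests on. The default is 3128. 4 input ICP Port icp_port This is the port the Proxy Server will send and receive ICP queries to and from neighbor caches. The default value is 0, which means this function is disabled. 4 input Visible Hostname visible_hostname This URL is displayed on the Proxy Server error messages. 35 input Cache Administrator E-Mail cache_admin_email This E-Mail address is displayed on the Proxy Server error messages. 35 input Error Messages Language error_language Select the language in which the Proxy Server shall display error messages to users. select
/*
 * NOTE(review): the PHP below lived in several separate pfSense package hooks
 * before the XML markup was stripped: a global-function block, what looks like
 * the resync hook (require_once ... "squid -k reconfigure"), the install hook
 * (from the touch("/tmp/custom_php_install_command") marker through
 * start_service()) and the deinstall hook (stop_service() onward). The section
 * boundaries marked here are inferred from those markers and the
 * update_output_window() messages; confirm against the original squid_ng.xml
 * before moving any statement across a boundary.
 */

/* ---- global functions ---- */

/**
 * Render the initial static squid.conf used for transparent proxying.
 *
 * Pure function: it only builds text, so the generated access policy can be
 * reviewed without touching the filesystem. write_static_squid_config() does
 * the I/O.
 *
 * @param string $lansa LAN network address, as returned by gen_subnet()
 * @param string $lansn LAN prefix length from the interface config
 * @return string complete squid.conf contents, newline-terminated
 */
function squid_ng_static_config_text($lansa, $lansn) {
    $localnet = $lansa . "/" . $lansn;
    $lines = array(
        "#",
        "# This file was automatically generated by the pfSense package manager.",
        "# This default policy enables transparent proxy with no local disk logging.",
        "#",
        "shutdown_lifetime 5 seconds",
        "icp_port 0",
        "",
        "acl QUERY urlpath_regex cgi-bin \?",
        "no_cache deny QUERY",
        "",
        "pid_filename /var/run/squid.pid",
        "",
        "cache_mem 8 MB",
        "cache_dir diskd /var/squid/cache 500 16 256",
        "",
        "error_directory /usr/local/etc/squid/errors/English",
        "",
        "memory_replacement_policy heap GDSF",
        "cache_replacement_policy heap GDSF",
        "",
        "cache_access_log /dev/null",
        "cache_log /dev/null",
        "cache_store_log none",
        "",
        "log_mime_hdrs off",
        "emulate_httpd_log on",
        "forwarded_for off",
        "",
        "acl within_timeframe time MTWHFAS 00:00-24:00",
        "",
        /* "all" must match every source. Squid applies the opposite of the
         * last http_access line to requests that match no rule at all, so
         * defining "all" as the LAN subnet (as the original did) left the
         * final "deny all" unable to match off-LAN clients, which were then
         * allowed by default: an open proxy on any reachable listener. */
        "acl all src 0.0.0.0/0.0.0.0",
        "acl localnet src " . $localnet,
        "acl localhost src 127.0.0.1/255.255.255.255",
        "acl SSL_ports port 443 563 873 # https, snews, rsync",
        "acl Safe_ports port 80 # http",
        "acl Safe_ports port 21 # ftp",
        "acl Safe_ports port 443 563 873 # https, snews, rsync",
        "acl Safe_ports port 70 # gopher",
        "acl Safe_ports port 210 # wais",
        "acl Safe_ports port 1025-65535 # unregistered ports",
        "acl Safe_ports port 280 # http-mgmt",
        "acl Safe_ports port 488 # gss-http",
        "acl Safe_ports port 591 # filemaker",
        "acl Safe_ports port 777 # multiling http",
        "acl Safe_ports port 800 # Squids port (for icons)",
        "",
        "acl CONNECT method CONNECT",
        "",
        /* LAN and loopback are allowed before the port checks below, so the
         * Safe_ports / CONNECT restrictions only bite for non-LAN sources.
         * Kept as in the original policy. */
        "#access to squid; local machine; no restrictions",
        "http_access allow localnet",
        "http_access allow localhost",
        "",
        "#Deny non web services",
        "http_access deny !Safe_ports",
        "http_access deny CONNECT !SSL_ports",
        "",
        "#Set custom configured ACLs",
        "http_access deny all",
        "visible_hostname pfSense",
        "",
        "cache_effective_user squid",
        "cache_effective_group squid",
        "",
        "maximum_object_size 4096 KB",
        "minimum_object_size 0 KB",
        "",
        "request_body_max_size 0 KB",
        "reply_body_max_size 0 allow all",
        "",
        "httpd_accel_host virtual",
        "httpd_accel_port 80",
        "httpd_accel_with_proxy on",
        "httpd_accel_uses_host_header on",
    );
    return implode("\n", $lines) . "\n";
}

/**
 * Write the static transparent-proxy squid.conf for the LAN subnet.
 *
 * Reads the LAN address and mask from the global $config, renders the policy
 * with squid_ng_static_config_text() and writes it to
 * /usr/local/etc/squid/squid.conf.
 *
 * @return bool true on success, false if the config file could not be opened
 *              or written; callers that ignore the result behave as before
 */
function write_static_squid_config() {
    global $config;
    /* marker file written by the original implementation; kept unchanged */
    touch("/tmp/write_static_squid_config");
    $lancfg = $config['interfaces']['lan'];
    $lansa = gen_subnet($lancfg['ipaddr'], $lancfg['subnet']);
    $lansn = $lancfg['subnet'];
    $fout = fopen("/usr/local/etc/squid/squid.conf", "w");
    if ($fout === false) {
        /* the original fwrite()s would each warn and leave an empty/absent
         * config behind; report the failure instead */
        return false;
    }
    $written = fwrite($fout, squid_ng_static_config_text($lansa, $lansn));
    fclose($fout);
    return $written !== false;
}

/* ---- presumably the resync hook ---- */
require_once("/usr/local/pkg/squid_ng.inc");
global_write_squid_config();
mwexec("/usr/local/sbin/squid -k reconfigure");

/* ---- install hook ---- */
/* write initial static config for transparent proxy */
write_static_squid_config();
touch("/tmp/custom_php_install_command");
/* make sure this all exists, see:
 * http://forum.pfsense.org/index.php?topic=23.msg2391#msg2391 */
update_output_window("Setting up Squid environment...");
/* Directories squid must own. "mkdir -p" is idempotent, so one pass replaces
 * the original's duplicated mkdir/chown run plus its later
 * "create if missing" repeat. */
$squid_dirs = array(
    "/var/squid",
    "/var/squid/logs",
    "/var/squid/cache",
    "/usr/local/etc/squid/advanced",
    "/usr/local/etc/squid/advanced/acls",
    "/usr/local/etc/squid/advanced/ncsa",
    "/usr/local/etc/squid/advanced/ntlm",
    "/usr/local/etc/squid/advanced/radius",
);
foreach ($squid_dirs as $squid_dir) {
    mwexec("mkdir -p " . $squid_dir);
    mwexec("/usr/sbin/chown squid:squid " . $squid_dir);
}
/* ACL files referenced by the advanced configuration; created empty so squid
 * can start before any rules exist. */
$squid_acl_files = array(
    "/usr/local/etc/squid/advanced/acls/src_subnets.acl",
    "/usr/local/etc/squid/advanced/acls/src_unrestricted_ip.acl",
);
foreach ($squid_acl_files as $squid_acl_file) {
    mwexec("touch " . $squid_acl_file);
    mwexec("/usr/sbin/chown squid:squid " . $squid_acl_file);
}
mwexec("cp /usr/local/etc/squid/mime.conf.default /usr/local/etc/squid/mime.conf");
update_output_window("Creating Proxy Server initialization scripts...");
$start = <<<EOD
touch /tmp/ro_root_mount
/usr/local/sbin/squid -D
touch /tmp/filter_dirty
EOD;
$stop = "/usr/local/sbin/squid -k shutdown";
write_rcfile(array(
    "file" => "squid.sh",
    "start" => $start,
    "stop" => $stop,
));
mwexec("chmod 755 /usr/local/etc/rc.d/squid.sh");
/* EmanuelG: update pf group ownership settings to enhance squid performance and correct issue relating */
/* to error message: parseHttpRequest: PF open failed: (13) Permission denied */
mwexec("chgrp squid /dev/pf");
mwexec("chmod g+rw /dev/pf");
/* NOTE(review): the chmod above grants the squid group read+write on /dev/pf,
 * but the devfs.conf rule persisted below only restores 0640 (group read)
 * after a reboot. Write access to /dev/pf permits changing firewall state, so
 * confirm which mode this squid build actually needs and make the two agree. */
$devfs_conf = "/etc/devfs.conf";
/* Each directive must be on its own line. The original omitted the newlines,
 * so the three writes collapsed onto the "#" comment line and the own/perm
 * rules were never applied. */
$devfs_rules = "\n# Allow squid to query the packet filter bymaking is group-accessable. \n"
    . "own pf root:squid\n"
    . "perm pf 0640\n";
$devfs_existing = file_exists($devfs_conf) ? (string) file_get_contents($devfs_conf) : "";
/* re-running the installer must not stack duplicate rules */
if (strpos($devfs_existing, "own pf root:squid") === false) {
    $devfs_file = fopen($devfs_conf, "a");
    if ($devfs_file !== false) {
        fwrite($devfs_file, $devfs_rules);
        fclose($devfs_file);
    }
}
update_output_window("Initializing Cache... This may take a moment...");
mwexec("/usr/local/sbin/squid -z");
update_output_window("Starting Proxy Server...");
start_service("squid");

/* ---- deinstall hook ---- */
update_output_window("Stopping proxy service...");
stop_service("squid");
sleep(1);
/* brute force any remaining squid processes out */
mwexec("/usr/bin/killall squid");
mwexec("/usr/bin/killall pinger");
update_output_window("Recursively removing directories hierarchies...");
update_output_window("If existant, log files in /var/squid/logs will remain...");
mwexec("rm -rf /usr/local/squid");
mwexec("rm -rf /var/squid/cache");
mwexec("rm -rf /usr/local/etc/squid");
update_output_window("Removing configuration files...");
unlink_if_exists("/usr/local/etc/rc.d/squid.sh");
unlink_if_exists("/usr/local/etc/squid");
unlink_if_exists("/usr/local/libexec/squid");
filter_configure();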