Merge pull request #305 from doktornotor/patch-1
rbgarga committed Feb 22, 2017
2 parents 031da77 + c8d2946 commit 1bb1b4e
Showing 6 changed files with 77 additions and 62 deletions.
3 changes: 1 addition & 2 deletions www/pfSense-pkg-squid/Makefile
@@ -1,8 +1,7 @@
# $FreeBSD$

PORTNAME= pfSense-pkg-squid
PORTVERSION= 0.4.35
PORTREVISION= 3
PORTVERSION= 0.4.36
CATEGORIES= www
MASTER_SITES= # empty
DISTFILES= # empty
93 changes: 53 additions & 40 deletions www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
Expand Up @@ -2034,7 +2034,7 @@ function squid_generate_rules($type) {

$squid_conf = $config['installedpackages']['squid']['config'][0];

// do not install any firewall rules if Squid is disabled or used as reverse proxy only
// Do not install any firewall rules if Squid is disabled or used as reverse proxy only
if (!squid_enabled()) {
log_error("[squid] Installed but disabled. Not installing '{$type}' rules.");
return;
Expand All @@ -2043,61 +2043,61 @@ function squid_generate_rules($type) {
return;
}

// normal squid rule check
if (($squid_conf['transparent_proxy'] != 'on') || ($squid_conf['allow_interface'] != 'on')) {
return;
}

// Do not install any firewall rules if Squid is not running
if (!is_service_running('squid')) {
log_error("[squid] Installed but not started. Not installing '{$type}' rules.");
return;
}
// Read assigned interfaces

// Proxy Interface(s)
$proxy_ifaces = explode(",", $squid_conf['active_interface']);
$proxy_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $proxy_ifaces);
// Transparent Proxy Interface(s)
if ($squid_conf['transparent_proxy'] == "on") {
$transparent_ifaces = explode(",", $squid_conf['transparent_active_interface']);
$transparent_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $transparent_ifaces);
} else {
$transparent_ifaces = array();
}
// SSL Intercept Interface(s)
if ($squid_conf['ssl_proxy'] == "on") {
$ssl_ifaces = explode(",", $squid_conf['ssl_active_interface']);
$ssl_ifaces = array_map('convert_friendly_interface_to_real_interface_name', $ssl_ifaces);
} else {
$ssl_ifaces = array();
}

// Define proxy ports
$port = ($squid_conf['proxy_port'] ? $squid_conf['proxy_port'] : 3128);
$ssl_port = ($squid_conf['ssl_proxy_port'] ? $squid_conf['ssl_proxy_port'] : 3129);
$pf_rule_ports = "{{$port},{$ssl_port}}";

$fw_aliases = filter_generate_aliases();
if (strstr($fw_aliases, "pptp =")) {
$PPTP_ALIAS = "\$pptp";
} else {
$PPTP_ALIAS = "\$PPTP";
}
if (strstr($fw_aliases, "PPPoE =")) {
$PPPOE_ALIAS = "\$PPPoE";
} else {
$PPPOE_ALIAS = "\$pppoe";
}
// Define NAT ports - 80 and 443 if SSL filtering is enabled
$pf_nat_ports = ($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");

// define ports based on transparent options and ssl filtering
$pf_rule_port = ($squid_conf['ssl_proxy'] == "on" ? "{80,443}" : "80");
/*
* When transparent proxy is enabled and we are doing NAT, use rdr pass to pass traffic
* For PPPoE server, the $pppoe below is a pf macro, not a PHP variable, needs to be escaped.
*/
switch($type) {
case 'nat':
// No NAT rules if transparent proxy is not enabled
if ($squid_conf['transparent_proxy'] != 'on') {
break;
}
$rules .= "\n# Setup Squid proxy redirect\n";
/* Bypass Proxy for Private Address Destination - RFC1918 */
if ($squid_conf['private_subnet_proxy_off'] == 'on') {
foreach ($transparent_ifaces as $iface) {
$pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443}" : "80");
$rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_transparent_rule_port}\n";
}
/* Handle PPPOE case */
if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_rule_port}\n";
$rules .= "no rdr on \$pppoe proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port {$pf_nat_ports}\n";
}
}
/* Bypass Proxy for These Source IPs */
if (!empty($squid_conf['defined_ip_proxy_off'])) {
$defined_ip_proxy_off = explode(";", $squid_conf['defined_ip_proxy_off']);
$exempt_ip = "";
Expand All @@ -2117,9 +2117,10 @@ function squid_generate_rules($type) {
}
/* Handle PPPOE case */
if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "no rdr on $PPPOE_ALIAS proto tcp from { $exempt_ip } to any port {$pf_rule_port}\n";
$rules .= "no rdr on \$pppoe proto tcp from { $exempt_ip } to any port {$pf_nat_ports}\n";
}
}
/* Bypass Proxy for These Destination IPs */
if (!empty($squid_conf['defined_ip_proxy_off_dest'])) {
$defined_ip_proxy_off_dest = explode(";", $squid_conf['defined_ip_proxy_off_dest']);
$exempt_dest = "";
Expand All @@ -2139,33 +2140,46 @@ function squid_generate_rules($type) {
}
/* Handle PPPOE case */
if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "no rdr on $PPPOE_ALIAS proto tcp from any to { $exempt_dest } port {$pf_rule_port}\n";
$rules .= "no rdr on \$pppoe proto tcp from any to { $exempt_dest } port {$pf_nat_ports}\n";
}
}
/* Transparent Proxy Interface(s) */
foreach ($transparent_ifaces as $t_iface) {
$pf_transparent_rule_port = (in_array($t_iface, $ssl_ifaces) ? "{80,443}" : "80");
$rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
$rules .= "rdr pass on $t_iface proto tcp from any to !($t_iface) port 80 -> 127.0.0.1 port {$port}\n";
if (in_array($t_iface, $ssl_ifaces)) {
$rules .= "rdr on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
$rules .= "rdr pass on $t_iface proto tcp from any to !($t_iface) port 443 -> 127.0.0.1 port {$ssl_port}\n";
}
}
/* Handle PPPOE case */
/*
* Transparent Proxy Interface(s) - handle the PPPOE case
* For PPPoE server, mpd uses a group of different _local_ interfaces
* The rules below are needed so that the clients can be transparently proxied
*/
if (($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) || (function_exists("is_pppoe_server_enabled") && is_pppoe_server_enabled())) {
$rules .= "rdr on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$pf_rule_port} -> 127.0.0.1 port {$port}\n";
$rules .= "rdr pass on \$pppoe proto tcp from any to !127.0.0.1 port 80 -> 127.0.0.1 port {$port}\n";
if ($squid_conf['ssl_proxy'] == "on") {
$rules .= "rdr pass on \$pppoe proto tcp from any to !127.0.0.1 port 443 -> 127.0.0.1 port {$ssl_port}\n";
}
}
$rules .= "\n";
break;
case 'filter':
case 'rule':
foreach ($transparent_ifaces as $iface) {
$pf_transparent_rule_port = (in_array($iface, $ssl_ifaces) ? "{80,443,{$port},{$ssl_port}}" : "{80,{$port}}");
$rules .= "# Setup squid pass rules for proxy\n";
$rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$pf_transparent_rule_port} flags S/SA keep state\n";
// $rules .= "pass in quick on $iface proto tcp from any to !($iface) port {$port} flags S/SA keep state\n";
$rules .= "\n";
}
if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
$rules .= "pass in quick on $PPPOE_ALIAS proto tcp from any to !127.0.0.1 port {$port} flags S/SA keep state\n";
/*
* Non-Transparent Proxy Interface(s)
* Pass traffic to proxy ports on the proxy interface(s) when 'Allow Users on Interface' is enabled
* XXX: Consider ACLs > Allowed Subnets
*/
if ($squid_conf['allow_interface'] == 'on') {
foreach ($proxy_ifaces as $iface) {
$rules .= "# Setup squid pass rules for proxy\n";
$rules .= "pass in quick on $iface proto tcp from any to ($iface) port {$pf_rule_ports} flags S/SA keep state\n";
$rules .= "\n";
}
/* Handle PPPOE case */
if ($config['pppoe']['mode'] == "server" && $config['pppoe']['localip']) {
$rules .= "pass in quick on \$pppoe proto tcp from any to {$config['pppoe']['localip']} port {$pf_rule_ports} flags S/SA keep state\n";
}
}
break;
default:
Expand Down Expand Up @@ -2265,7 +2279,7 @@ function squid_sync_on_changes() {
}
}

if(!function_exists('pf_version')) {
if (!function_exists('pf_version')) {
function pf_version() {
return substr(trim(file_get_contents("/etc/version")), 0, 3);
}
Expand Down Expand Up @@ -2294,6 +2308,7 @@ function squid_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $passwor
$xml['squidauth'] = $config['installedpackages']['squidauth'];
$xml['squidusers'] = $config['installedpackages']['squidusers'];

/* Commands to reload Squid settings on the destination sync host. */
$execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
$execcmd .= "squid_resync('yes');";

Expand Down Expand Up @@ -2349,8 +2364,6 @@ function squid_do_xmlrpc_sync($sync_to_ip, $port, $protocol, $username, $passwor

/* Tell Squid to reload our settings on the destination sync host. */
$method = 'pfsense.exec_php';
$execcmd = "require_once('/usr/local/pkg/squid.inc');\n";
$execcmd .= "squid_resync('yes');";
/* Assemble XMLRPC payload */
$params = array(XML_RPC_encode($password), XML_RPC_encode($execcmd));

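Review bot: `$pf_rule_ports` is built as `"{{$port},{$ssl_port}}"` unconditionally, so the new non-transparent pass rules in the filter case (`pass in quick on $iface proto tcp from any to ($iface) port {$pf_rule_ports} ...` and the `\$pppoe` variant) open the SSL-intercept port on every proxy interface even when `ssl_proxy` is off, whereas `$pf_nat_ports` a few lines later is already made conditional on that setting. Mirroring it keeps the opened ports to what is configured: `$pf_rule_ports = ($squid_conf['ssl_proxy'] == "on" ? "{{$port},{$ssl_port}}" : "{$port}");`. The hard-coded `\$pppoe` macro replaces the `filter_generate_aliases()` probe that chose between `$PPPoE` and `$pppoe`; if the lowercase macro is now guaranteed on all supported versions, a short comment stating that assumption next to the new "pf macro, not a PHP variable" remark would keep the next reader from re-adding the probe. The nat case also enables the PPPoE rules when `is_pppoe_server_enabled()` is true, while the filter case keys only on `$config['pppoe']['mode']`/`localip`, so the two branches can disagree for the same configuration; squid_generate_rules's body extends beyond both ends of the hunk.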
12 changes: 6 additions & 6 deletions www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.xml
Expand Up @@ -106,7 +106,7 @@
<fieldname>enable_advanced</fieldname>
<description>
<![CDATA[
<strong><span class="text-danger">Warning: Only enable this if you know what are you doing.</span></strong>
<strong><span class="text-danger">Warning: Only enable this if you know what you are doing.</span></strong>
<div class="infoblock blockopen">
When enabled, the options below no longer have any effect.
You must edit the configuration files directly in the 'Advanced Features'.<br/>
Expand Down Expand Up @@ -232,7 +232,7 @@
<description>
<![CDATA[
squidclamav.conf file.
<span class="text-danger">Edit only if you know what are you doing.</span>
<span class="text-danger">Edit only if you know what you are doing.</span>
]]>
</description>
<type>textarea</type>
Expand All @@ -247,7 +247,7 @@
<description>
<![CDATA[
c-icap.conf file.
<span class="text-danger">Edit only if you know what are you doing.</span>
<span class="text-danger">Edit only if you know what you are doing.</span>
]]>
</description>
<type>textarea</type>
Expand All @@ -262,7 +262,7 @@
<description>
<![CDATA[
c-icap.conf file.
<span class="text-danger">Edit only if you know what are you doing.</span>
<span class="text-danger">Edit only if you know what you are doing.</span>
]]>
</description>
<type>textarea</type>
Expand All @@ -277,7 +277,7 @@
<description>
<![CDATA[
freshclam.conf file.
<span class="text-danger">Edit only if you know what are you doing.</span>
<span class="text-danger">Edit only if you know what you are doing.</span>
]]>
</description>
<type>textarea</type>
Expand All @@ -292,7 +292,7 @@
<description>
<![CDATA[
clamd.conf file.
<span class="text-danger">Edit only if you know what are you doing.</span>
<span class="text-danger">Edit only if you know what you are doing.</span>
]]>
</description>
<type>textarea</type>
5 changes: 3 additions & 2 deletions www/pfSense-pkg-squid/files/usr/local/pkg/squid_nac.xml
Expand Up @@ -84,8 +84,9 @@
<![CDATA[
Enter subnets that are allowed to use the proxy in CIDR format.
All the other subnets won't be able to use the proxy.<br/>
<span class="text-info">Put each entry on a separate line.
<strong>The proxy interface subnet is allowed by default.</strong></span>
<span class="text-info">Put each entry on a separate line.<br/>
<strong>When 'Allow Users on Interface' is checked on 'General' tab, there is no need to add the 'Proxy Interface(s)' subnet(s) to this list.</strong>
</span>
]]>
</description>
<type>textarea</type>
13 changes: 7 additions & 6 deletions www/pfSense-pkg-squid/files/usr/local/pkg/squid_reverse_sync.xml
Expand Up @@ -101,13 +101,11 @@
<rowhelperfield>
<fielddescr>Enable</fielddescr>
<fieldname>syncdestinenable</fieldname>
<description><![CDATA[Enable this host as a replication target]]></description>
<type>checkbox</type>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Protocol</fielddescr>
<fieldname>syncprotocol</fieldname>
<description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
<type>select</type>
<default_value>HTTP</default_value>
<options>
Expand All @@ -119,23 +117,26 @@
<rowhelperfield>
<fielddescr>IP Address/Hostname</fielddescr>
<fieldname>ipaddress</fieldname>
<description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
<required/>
<width>2</width>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
<fieldname>syncport</fieldname>
<description><![CDATA[Choose the sync port of the destination host.]]></description>
<type>input</type>
<width>1</width>
<required/>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Admin Password</fielddescr>
<fielddescr>Username</fielddescr>
<fieldname>username</fieldname>
<type>input</type>
<width>2</width>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Password</fielddescr>
<fieldname>password</fieldname>
<description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<width>2</width>
<required/>
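Review bot: The new `username` rowhelperfield in squid_reverse_sync.xml has no `<required/>`, while the adjacent `password` field keeps one, so a sync target can be saved with an empty username and the problem would only surface when `squid_do_xmlrpc_sync()` tries to authenticate with it; if the destination expects a username, add `<required/>` after the field's `<width>2</width>`. The same field definition is added to squid_sync.xml in the following section. Whether the sync code substitutes a default user when the field is empty is not visible here, so confirm against the caller before making it mandatory.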
13 changes: 7 additions & 6 deletions www/pfSense-pkg-squid/files/usr/local/pkg/squid_sync.xml
Expand Up @@ -117,13 +117,11 @@
<rowhelperfield>
<fielddescr>Enable</fielddescr>
<fieldname>syncdestinenable</fieldname>
<description><![CDATA[Enable this host as a replication target]]></description>
<type>checkbox</type>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Protocol</fielddescr>
<fieldname>syncprotocol</fieldname>
<description><![CDATA[Choose the protocol used to sync with the destination host (HTTP or HTTPS).]]></description>
<type>select</type>
<default_value>HTTP</default_value>
<options>
Expand All @@ -135,23 +133,26 @@
<rowhelperfield>
<fielddescr>IP Address/Hostname</fielddescr>
<fieldname>ipaddress</fieldname>
<description><![CDATA[IP address or hostname of the destination host.]]></description>
<type>input</type>
<required/>
<width>2</width>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Port</fielddescr>
<fieldname>syncport</fieldname>
<description><![CDATA[Choose the sync port of the destination host.]]></description>
<type>input</type>
<width>1</width>
<required/>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Admin Password</fielddescr>
<fielddescr>Username</fielddescr>
<fieldname>username</fieldname>
<type>input</type>
<width>2</width>
</rowhelperfield>
<rowhelperfield>
<fielddescr>Password</fielddescr>
<fieldname>password</fieldname>
<description><![CDATA[Password of the user "admin" on the destination host.]]></description>
<type>password</type>
<width>2</width>
<required/>
