ChangeLog
HEAD
+ Fix configuration for external AD
+ Do not listen on internal interfaces
4.0
+ Remove ads on deprecated features
+ Set version to 4.0
+ Added dynamic group authorization
+ Do not lowercase user names if kerberos is used
+ Fix exception accessing the access rules model when samba not provisioned
+ Fixed populateGroups() in AccessRules when upgrading from 3.4
+ Fixed wrong old-style try-catch
3.5.1
+ Remove categorized domains temporary files
3.5
+ Fixed generated rules for blanket domain deny
+ Adapted to samba4 instead of OpenLDAP
+ Set version to 3.5
+ Speed up external AD connection using persistence
+ Allow dansguardian user to read categories lists files
3.4
+ Give support to multiple addresses for a domain in Transparent
Proxy Exemptions
+ Save modules configurations after initialSetup
+ Added all subdomains in cache exemptions
+ Deny cache explicitly from cache exemption domains
+ Give support to optional ABORTED flag in denied requests when
the HTTP client aborts the request
+ Adapt configuration for squid 3.3.8
+ Use service instead of deprecated invoke-rc.d for init.d scripts
+ Set version to 3.4
+ Forced 644 permission on Dansguardian files to avoid zombie processes
+ Remove canonical_dn call for compatibility with MS LDAP servers in
external AD mode
+ Synchronise AD groups every 30 min if using external AD and any
filter profile includes an AD group
+ Manage errors when AD fails to fulfill our requests in external
AD mode
+ Give support to groups with more than 1500 members and more than
1000 groups in external AD mode
+ Fixed regression in authenticationMode method
+ Added validation of the domains added to the transparent proxy
exceptions
3.3
+ Switch from Error to TryCatch for exception handling
+ Delete migration code from old versions
+ Update strings to new offering
+ Make external AD auth available for offer 2013
+ Added http_allow to internal squid stub so proxy event does not need
an explicit rule
+ Added missing EBox::Exceptions uses
+ Fix group based filter access rules in external AD mode, retrieving
members of nested groups
+ Correctly escape DNs and search filters of external ACL helper script
+ Explicitly specify to listen on all IPv4 interfaces
+ Add new config key auth_ad_negative_acl_ttl to configure negative ACL
cache time in external AD mode
+ Transparent proxy redirection for openvpn servers' clients
+ Moved EBox::SquidFirewall to EBox::Squid::Firewall
+ Avoid error in access rules model when using external AD and
module has not been configured
+ Improve squid group membership helper script
+ Fixed squid basic authentication to support multi-OU
+ Set version to 3.3
3.2
+ Set version to 3.2
3.1.7
+ Include domains with final slash as filtered when required
+ Ignore 407 requests when auth is required in log helper
3.1.6
+ Override daemons when migrating from 3.0
+ Disable load_url_list by default to reduce CPU and memory usage
3.1.5
+ Use DATETIME type in date column for consolidation tables
+ Summarised report has breadcrumbs now
3.1.4
+ Fixed regression on Delay Pools table triggered by changes in updatedRowNotify
3.1.3
+ Mark logs as changed when an access rule is added, updated or deleted
+ Fix duplicated entries generated by the LogHelper
+ Prerouting rules have no iaccept chain, use ACCEPT target
+ Adapted to updatedRowNotify call with no changes in values
+ Added menu icon
+ Fix parse of the dansguardian log in the LogHelper
+ Make LogHelper extract data from internal and external log files
+ Adapt firewall rules to new accept chains
+ Show correct group names in the Access Rules menu when using Users Group
+ Handle domains that are actually IP addresses in the LogHelper
+ Set transparent HTTP proxy firewall rules unless the module is
temporarily stopped
+ Added support for multiple Organizational Units
+ Updated to use the new security group concept
+ Adapted squid to new user module interface for external AD authorization
3.1.2
+ Use external squid log file to retrieve HTTP proxy requests
+ Added Auth and Cache Exceptions for non-transparent mode
which allow bypassing Squid + Dansguardian auth
+ Added CUPS and ftp to SSL_ports
+ Avoid warning in AccessRules validateTypedRow
3.1.1
+ Squid time ACLs have independent ids, this fixes several issues
with combinations of time, dates and long acls
+ Do not repeat Squid ACL declarations
+ Changed HTTP keytab permission in order to avoid krb5_kt_add_entry errors
3.1
+ Removed 3.0.X migration code
+ Implemented _daemonsToDisable()
+ Added Pre-Depends on mysql-server to avoid problems with upgrades
+ Depend on zentyal-core 3.1
3.0.9
+ Change the kerberos service from squid to http. Zarafa and Squid must
share the service principal.
+ Disable DC reverse DNS lookup for msktutil commands
+ Explicitly set the DC for msktutil command when updating the keytab
3.0.8
+ Regenerate Kerberos keytab on LDAP reprovision
3.0.7
+ Fixed bug which returned the list of users of a profile inside
another list
+ Authenticate against external AD for Enterprise editions
3.0.6
+ Avoid requesting authorization again when 'deny unknown domain'
option is set in filter profile
+ Access rules for the same source can have different time
periods if they don't overlap
3.0.5
+ Reload dansguardian configuration in log rotation instead of
restarting the full module
+ Overwrite squid3 logrotate file to take care of the squid-external daemon
3.0.4
+ Fixed SNMP acl
+ Removed redundant cache_log line from squid-external configuration
+ Fixed bug which did not include users from __USERS__ group in
dansguardian filter group file
3.0.3
+ Fixed error triggered when creating a delay pool without an object
+ Make sure in categorized lists model that list archives are not
backed up
+ Migrate old directories with blank names and their associated
configuration values
+ Better escape of whitespace in ACL names
+ Replace blanks for categorized lists directories to workaround
squid bug.
+ Fixed bug which allowed bad long names for ACL for 'all' object
+ Set visible_hostname to host '(instance)FQDN'. The standard value
'localhost' causes access denied under certain circumstances
+ Ignore access rules for empty objects
+ Ignore access rules for empty groups
+ Mark module as changed if addition/removal of users modify ACLs
3.0.2
+ Fix escaping in categorised list uploading. This is a regression
from 3.0.1 release.
+ Force all connections to pass through squid-external or deny access
+ Allow access to the proxy for clients which are not in local networks
+ Don't allow setting kerberos and transparent proxy at the same time
3.0.1
+ Changed ownership of categorized list files to ebox to allow download
+ Removed no-configured files when saving changes after restoring
a backup
+ Added configuration key to load regexes url lists from
categorized lists or not
+ Adapted domains files to squid object to be able to use
dstdomain ACLs with them
+ Added explicit error when a squid configuration file is invalid
when debug is enabled
+ Limited object ACLs to ten addresses per line
+ When creating user ACLs put only ten users per line to avoid
reaching maximum configuration file line length
+ Use lowercase user names in configuration file, otherwise
authorization fails
+ Use of reserved character in generated ACL names to avoid name clashes
+ Protection for ACL from profiles with too long names
+ Added validation of categorized list structure
+ Changed paths for categorized lists files so they are all under
/var/lib/zentyal/files/squid
+ Worked around the removal of archive files until the framework
takes care again of them
+ Fixed categories list removal of extracted files
+ Moved a lot of the filter functionality to squid. In DG remains:
filter by text analysis, antivirus and block ip
+ Adapted to improvement of EBox::Module::Service::isRunning method
+ Moved most of the filter functionality to squid. In DG remains:
filter by text content analysis, antivirus and IP block
+ Fix kerberos authentication when filter profile applied. As dansguardian
does not support kerberos auth, now there are two squid instances, one
on the front of dansguardian to perform the authentication and one in
the back to cache contents
+ Added memory cache of seen list directories to DomainFilterCategories
+ Categories from bigblacklist are now accepted
3.0
+ Customized "Access Denied" page theme
+ Added 'All users' option for Access Rules with group source
+ Using again squid ACLs when DG is active
+ Fixed issues in timed regeneration of DG files
+ Do not allow mix of IP and basic authorization in DG
+ Fixed directory to store archive files
+ Reviewed registration strings
2.3.12
+ Squid is restarted if groups in use change their members
+ Adapted LdapUserImplementation to new users API
+ Added kerberos realm to auth acls on squid.conf to fix SSO
+ Added -i option to squid_kerb_auth to ease debugging
+ Archive list can now have spaces in the name
+ ListArchive type now accepts spaces in the file name
+ Move report code to remoteservices
+ Perform the domain processing in log helper, very valuable for
querying and reporting
+ Fixed auth rules in squid.conf to not allow all authorized users
+ Kerberos auth is optional and disabled by default
2.3.11
+ Removed duplicated Domain Filter Settings model in tabs
+ Better order and names in Filter Profile models
+ Better order for menu items
2.3.10
+ Added users as enabledepend
+ Add rule to allow web browsing by default on initial setup
+ Categorized lists now work
2.3.9
+ Summarized report works again
+ Added modeldepends to yaml schema
+ Fixed cache-peer authorization parameters when using a global proxy.
Due to this change squid.conf is no longer readable by all
+ Avoid multiple calls to store row in DelayPools::_setUndefinedValues()
2.3.8
+ Fixed group-based authorization
+ Fixed wrongly set time period acls in squid configuration in some cases
+ Fixed 'any' rules in dansguardian configuration
2.3.7
+ Unify FirewallHelper, removed no longer needed SquidOnlyFirewall
+ Support for different filter profiles depending on the time period
+ Update dansguardian conf templates to 2.10 version
+ Use new clone and check all options in tables
+ Added HTTPS proxy support if squid is compiled with SSL support
+ New Transparent Exemptions model to skip proxying of some websites
+ Rearranged components on filter profile configuration
+ New Categorized Lists model to upload the lists archives
+ Download sizes for Bandwidth Throttling now use MB instead of KB
+ Users and Antivirus enable dependencies are now optional
+ Default policy if no other allow or filter rules are present is deny
+ There is no need to manually specify global authorize or filter policy
+ New AccessRules model instead of objects and groups policy tables
+ Simplified Bandwidth Throttling using a single table
+ Removed useless HTTP proxy status widget
+ Using EBox::Object::Members class to generate iptables rules
+ Removed greylist feature that was confusing
2.3.6
+ Added enabled control to domains files lists
+ Remove duplicated models for default profile and custom filter profiles
+ Remove "apply on all" and "use defaults" models
+ Adapted to new Model management framework
+ Use new _keys() which takes cache into account instead of _redis_call()
+ Adapted TimePeriod type to the changes in the types framework
+ Kerberized authentication
+ Implement new EBox::NetworkObserver::regenGatewaysFailover()
2.3.5
+ Create tables with MyISAM engine by default
2.3.4
+ Use new tableBody.mas in TrafficDetails.pm
+ Fixed regression which broke the apply all button for MIME and extensions
2.3.3
+ Packaging fixes for precise
2.3.2
+ Updated Standard-Versions to 3.9.2
2.3.1
+ Adapted messages in the UI for new editions
+ Uniformize config boolean values (from true/false to yes/no)
+ Now you can use the default profile in a custom profile for file
extensions
2.3
+ Adapted to new MySQL logs backend
+ Ignore localnets with undefined DHCP address when writing conf
+ Adapted to squid3 new paths and daemon and squid.conf syntax
+ Replaced autotools with zbuildtools
+ Fixed regression on filter selection depending on the objects
policy. Now it works again
+ Fixed regression which broke filter policies in objects when a
non-filter global policy was selected
+ Fixed use of not-defined yet ACL when using parent peer
2.2.1
+ Fixed deprecated syntax for some iptables rules
+ Fixed parameter for unlimited value in delay pools
+ Fixed order of refresh patterns
+ Properly set never_direct option when setting a parent peer
2.1.11
+ Improved bandwidth throttling texts
+ Set proper message type in General Settings model
2.1.10
+ Remove dansguardian startup link to avoid start when disabled
2.1.9
+ Fixed encoding in blocked page template
+ Reviewed some subscription strings
2.1.8
+ Differentiate ads from notes
+ Removed /zentyal prefix from URLs
+ Added configuration key to omit domain categorized files from backup
+ Avoid duplicated restart during postinst
+ Give support for setting a new adblocking redirector
+ Give support for adding postmatch patterns in Ad-blocking
2.1.7
+ HTTPS works both for banned domains and block blanket options
+ Added guard against missing rows in antivirusNeeded method
+ Order top domains by visits instead of traffic bytes in
reporting
2.1.6
+ Include missing dansguardian.logrotate file
2.1.5
+ No longer use custom upstart scripts and custom logrotate conf
2.1.4
+ Humanize units in Delay Pools (from Bytes to KB)
+ Use the new "Add new..." option in the object selectors
+ Added global ad-blocking option
+ Use quote column option for periodic and report log consolidation
+ Guard against generating empty localeboxnet ACL
2.1.3
+ Dansguardian is only started when a global filter policy is chosen
+ Applied keyGenerator option to report queries
2.1.2
+ Removed workarounds on component's parent/child relationship
+ Adapted logrotate configuration to new PID file
2.1.1
+ Added guard against empty fileList_path keys
+ Added missing Microsoft updates server in squid.conf.mas
+ Zentyal squid daemon uses a different pidfile now
+ Fixed bug that could delete the default profile file list
+ Avoid call to set_string with undefined value
+ Added missing dependency on network module
2.1
+ Use new standard enable-module script
+ Improved order of tabs in filter profiles
+ Custom filter profiles are also populated with default extensions
and MIME types
+ Delete all migrations and use initial-setup
+ Replace /etc/ebox/80squid.conf with /etc/zentyal/squid.conf
+ Disable default arbitrary regexes in bannedregexpurllist.mas
2.0.3
+ Bugfix: when having different filter profiles with domain lists,
the lists files are no longer deleted on the second restart
2.0.2
+ Filter profiles names with spaces are forbidden to avoid errors
+ Avoid problems with some languages on disk usage graph
2.0.1
+ Added commercial message
+ Set DNS servers in Squid configuration
1.5.13
+ Rebranded access denied page
1.5.12
+ Add SNMP server from Squid when required
1.5.11
+ More global proxy configuration and domain configuration improvements
+ Zentyal rebrand
+ Running squid daemons are killed when starting ebox proxy if pidfile
exists
1.5.10
+ Fixed dansguardian/squid crash when logrotate was daily executed
1.5.9
+ Fixed profile mime types migrations
1.5.8
+ Added upstart script for squid to avoid first start problems
1.5.7
+ Fixed problems with ACL names
1.5.6
+ Fixed problem with whitespaces in users/groups/objects in squid
configuration file
1.5.5
+ Revert range_offset_limit option to default value because it was causing
troubles with streaming sites.
1.5.4
+ Added bridged mode support in firewall helper
1.5.3
+ Bugfix: Delay pools ordering works on UI
1.5.2
+ Bugfix: use default squid init script instead of old missing ebox.squid
1.5.1
+ Maximum file descriptor option is now set in /etc/default/squid
+ Bugfix: Log exception hits in dansguardian so whitelisted
domains are now logged properly
+ Bugfix: Get virtual interfaces as well to set firewall rules
+ Bugfix: Make some checks in delay pools to avoid
misconfiguration, do not write the disabled rules and set the
proper labels and more detailed explanation
+ New bandwidth throttling support with delay pools
+ Bugfix: trim URL string as DB stores it as a varchar(1024) (Log)
+ Disabled ban URL regexes
+ Added filter profile per object
+ Bugfix, breadcrumbs triggered old problem with parent method in
DomainFilterCategories model, so we enable again the old
workaround to avoid this error
+ Add new information about saved bandwidth to the reports
+ Fixed bug in filter profile by object with network addresses
+ Customized Dansguardian blocked page template
+ Exclude localnetworks from bandwidth throttling
+ Added flash MIME types to default MIME types
+ Squid default cache_mem set to 128 MB
+ New option to configure maximum_object_size which defaults to 300 MB
+ Add refresh_pattern options for Microsoft Windows, Debian and Ubuntu
updates
+ Removed dead code in dumpConfig/restoreConfig methods
+ In configuration report mode the module no longer includes
the domain lists archives
1.3.14
+ Bugfix: in restartService we assure that all files are in place
before restarting the daemons
+ Changed labels in cache exemptions form 'domain' to 'domain name
address' to make clearer the actual working of the feature
+ Better help messages for time period parameters
+ Added custom script to delay downtime while log rotation is done
+ Only unzip domain categories archives when they have changed,
this speeds up the module startup
+ You can establish the same policies for URLs as for full domains
1.3.13
+ Switching antivirus from clamavscan to clamdscan
+ Better MIME type check, removed false negatives with some subtypes
1.3.12
+ Bug fix: Added migration to rename access table to squid_access.
+ Add breadcrumbs
1.3.11
+ Added report support
1.3.6
+ Bug fix: Disable cache in Group Policy base to be able to fetch new groups in
"Group" select
+ Bug fix: no more duplicated log for the same URL
+ UI improvement: precondition in objects and user policies
1.3.5
+ tableInfo returns an array of hash refs
+ Bugfix: group policies are deleted when the group is deleted
+ Bugfix: added notification when antivirus is enabled to assure
that we have a correct configuration
1.1.30
+ Added to Traffic details report _noAggregateFileds and fixed bug
with defaultController
+ Bugfix: HTTPS traffic tunneled correctly
1.1.20
+ Disable PICs ratings by default
+ logs are searchable by user
1.1.10
+ Change default dansguardian conf to make it work with dansguardian 2.9.9.7
1.0
+ new release
0.12.100
+ New release
+ Added user based authorization
+ Added filter profiles
+ Added group policies
+ Added time period option to policies
+ Added per-object group policies
+ Added antivirus support
+ Added dansguardian's custom logrotate file
+ Added cache exceptions
+ Added cache size
+ Disabled exception and banned phrases to avoid uncontrolled
content filter results
0.12.99
+ Add support for reporting
+ User support
+ Exemption for cache option added
+ Adapted to objects with overlapping addresses
0.12
+ Use the new EBox::Model::Row api
+ Add field help to models
+ Fix titles within tabs
+ Set deny as default policy
0.11.101
+ New release
0.11.100
+ Use the new syntax to enable transparent proxy
+ Do not launch dansguardian with setsid. It was necessary with runit,
but not with upstart any more.
+ do not remove rc scripts, stop on pre-start
0.11.99
+ Set proper language to show denied access page by dansguardian
using eBox locale (Currently manually maintained)
0.11.1
+ Bugfix. MIME and extension filter allow attribute is NOT
optional but they have a default value
0.11
+ New release
0.10.99
+ Use new model/view framework. UI uses Ajax
+ Attempt to simplify content filter interface
0.10
+ New release
0.9.100
+ New release
0.9.99
+ New release
0.9.3
+ New release
0.9.2
+ Add nasty workaround to try to stop and create swap directories for
squid
0.9.1
+ New release
0.9
+ Added Polish translation
+ Added German Translation
0.8.99
+ New release
0.8.1
+ force creation of swap directories in postinst
0.8
+ New release
0.7.99
+ Add Mime Type Filter Support
+ Add custom filter support for file extensions and Mime Type
+ Merge Portuguese translation thanks to JC Junior
+ Add some explanatory notes
+ Fix some small bugs
+ Fix a bug which made dansguardian crash at start
+ Dansguardian does not start when it shouldn't
0.7.1
+ Add support to configure banned extension list in dansguardian
+ GUI consistency
+ Use of ebox-sudoers-friendly
0.7
+ First public release
0.6
+ move to client
+ API documented using naturaldocs
+ Update install
+ Update debian scripts
0.5.2
+ Fix some packaging issues
0.5.1
+ Convert module to new menu system
0.5
+ No changes
0.4
+ debian package
+ Added content filter based on dansguardian
+ Rework to support dansguardian
+ Added French translation
+ Added Catalan translation
0.3
+ Supports i18n
+ Supports banned domains
+ API name consistency
+ Use Mason for templates
+ added tips to GUI
+ Fixed bugs to be IE compliant
+ Several bugfixes
0.2
+ All modules are now based on gconf.
+ Removed dependencies on xml-simple, xerces and xpath
+ New MAC address field in Object members.
+ Several bugfixes.
0.1
+ Initial release