###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
-#
-# (c) 2004-2009 marco.s - http://www.advproxy.net
-#
-# This code is distributed under the terms of the GPL
-#
-# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $
-#
use strict;
use Apache::Htpasswd;
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
+require "${General::swroot}/ids-functions.pl";
+
my @squidversion = `/usr/sbin/squid -v`;
my $http_port='81';
my $https_port='444';
$proxysettings{'AUTH_REALM'} = '';
$proxysettings{'AUTH_MAX_USERIP'} = '';
$proxysettings{'AUTH_CACHE_TTL'} = '60';
+$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
$proxysettings{'AUTH_CHILDREN'} = '5';
$proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
$proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
}
}
}
+ if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
+ ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+ {
+ $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+ goto ERROR;
+ }
if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
{
$errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
goto ERROR;
}
- if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
- ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/))
{
- $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+ $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'};
goto ERROR;
}
- if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))
+ if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0'))
{
$errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'};
goto ERROR;
if ($proxysettings{'VALID'} eq 'yes')
{
+ # Determine if suricata may needs to be restarted.
+ my $suricata_proxy_ports_changed;
+
+ # Check if the IDS is running
+ if(&IDS::ids_is_running()) {
+ my %oldproxysettings;
+
+ # Read-in current proxy settings and store them as oldsettings hash.
+ &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+ # Check if the proxy port has been changed.
+ unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+ # Port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+
+ # Check if the transparent port has been changed.
+ unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+ # Transparent port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+ }
+
&write_acls;
delete $proxysettings{'SRC_SUBNETS'};
delete $proxysettings{'SRC_UNRESTRICTED_MAC'};
delete $proxysettings{'DST_NOCACHE'};
delete $proxysettings{'DST_NOAUTH'};
+ delete $proxysettings{'DST_NOPROXY_IP'};
+ delete $proxysettings{'DST_NOPROXY_URL'};
delete $proxysettings{'PORTS_SAFE'};
delete $proxysettings{'PORTS_SSL'};
delete $proxysettings{'MIME_TYPES'};
if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+
+ # Check if the suricata_proxy_ports_changed flag has been set.
+ if ($suricata_proxy_ports_changed) {
+ # Re-generate HTTP ports file.
+ &IDS::generate_http_ports_file();
+
+ # Restart suricata.
+ &IDS::call_suricatactrl("restart");
+ }
}
}
;
}
+# ===================================================================
+# WPAD settings
+# ===================================================================
+
+print <<END
+<table width='100%'>
+<tr>
+ <td colspan='4'><b>$Lang::tr{'advproxy wpad title'}</b></td>
+</tr>
+<tr>
+ <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
+</tr>
+<tr>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad label dst_noproxy_ip'}:</td>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad label dst_noproxy_url'}:</td>
+</tr>
+<tr>
+ <td colspan='2'><textarea name='DST_NOPROXY_IP' cols='32' rows='3' wrap='off'>
+END
+;
+
+ print $proxysettings{'DST_NOPROXY_IP'};
+
+print <<END
+</textarea></td>
+
+ <td colspan='2'><textarea name='DST_NOPROXY_URL' cols='32' rows='3' wrap='off'>
+END
+;
+
+ print $proxysettings{'DST_NOPROXY_URL'};
+
+print <<END
+</textarea></td>
+</tr>
+<tr>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad example dst_noproxy_ip'}</td>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad example dst_noproxy_url'}</td>
+</tr>
+<tr>
+ <td colspan="4"> </td>
+</tr>
+<tr>
+ <td colspan="4">$Lang::tr{'advproxy wpad view pac'}: <a href="http://$ENV{SERVER_ADDR}:81/wpad.dat" target="_blank">http://$ENV{SERVER_ADDR}:81/wpad.dat</a></td>
+</tr>
+<tr>
+ <td colspan="4"> </td>
+</tr>
+<tr>
+ <td colspan="4">$Lang::tr{'advproxy wpad notice'}</td>
+</tr>
+</table>
+
+<hr size='1'>
+
+END
+;
+
# -------------------------------------------------------------------
print <<END
<td class='base'>$Lang::tr{'advproxy AUTH limit of IP addresses'}:</td>
<td><input type='text' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
</tr>
+<tr>
+ <td class='base'>$Lang::tr{'advproxy AUTH user IP cache TTL'}:</td>
+ <td><input type='text' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
+</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy AUTH always required'}:</td>
<td><input type='checkbox' name='AUTH_ALWAYS_REQUIRED' $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} /></td>
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_ALWAYS_REQUIRED' value='$proxysettings{'AUTH_ALWAYS_REQUIRED'}'></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
<td><input type='hidden' name='DST_NOAUTH' value='$proxysettings{'DST_NOAUTH'}'></td>
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
END
; }
while (<FILE>) { $proxysettings{'DST_NOAUTH'} .= $_ };
close(FILE);
}
+ if (-e "$acl_dst_noproxy_ip") {
+ open(FILE,"$acl_dst_noproxy_ip");
+ delete $proxysettings{'DST_NOPROXY_IP'};
+ while (<FILE>) { $proxysettings{'DST_NOPROXY_IP'} .= $_ };
+ close(FILE);
+ }
+ if (-e "$acl_dst_noproxy_url") {
+ open(FILE,"$acl_dst_noproxy_url");
+ delete $proxysettings{'DST_NOPROXY_URL'};
+ while (<FILE>) { $proxysettings{'DST_NOPROXY_URL'} .= $_ };
+ close(FILE);
+ }
if (-e "$acl_ports_safe") {
open(FILE,"$acl_ports_safe");
delete $proxysettings{'PORTS_SAFE'};
}
}
+ @temp = split(/\n/,$proxysettings{'DST_NOPROXY_IP'});
+ undef $proxysettings{'DST_NOPROXY_IP'};
+ foreach (@temp)
+ {
+ s/^\s+//g; s/\s+$//g;
+ if ($_)
+ {
+ unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg wpad invalid ip or mask'}; }
+ $proxysettings{'DST_NOPROXY_IP'} .= $_."\n";
+ }
+ }
+
+ @temp = split(/\n/,$proxysettings{'DST_NOPROXY_URL'});
+ undef $proxysettings{'DST_NOPROXY_URL'};
+ foreach (@temp)
+ {
+ s/^\s+//g;
+ unless (/^#/) { s/\s+//g; }
+ if ($_)
+ {
+ if (/^\./) { $_ = '*'.$_; }
+ $proxysettings{'DST_NOPROXY_URL'} .= $_."\n";
+ }
+ }
+
if (($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') && ($proxysettings{'NTLM_USER_ACL'} eq 'positive'))
{
@temp = split(/\n/,$proxysettings{'NTLM_ALLOW_USERS'});
print FILE $proxysettings{'DST_NOAUTH'};
close(FILE);
+ open(FILE, ">$acl_dst_noproxy_ip");
+ flock(FILE, 2);
+ print FILE $proxysettings{'DST_NOPROXY_IP'};
+ close(FILE);
+
+ open(FILE, ">$acl_dst_noproxy_url");
+ flock(FILE, 2);
+ print FILE $proxysettings{'DST_NOPROXY_URL'};
+ close(FILE);
+
open(FILE, ">$acl_dst_noauth_net");
close(FILE);
open(FILE, ">$acl_dst_noauth_dom");
sub writepacfile
{
+ my %vpnconfig=();
+ my %ovpnconfig=();
+ &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfig);
open(FILE, ">/srv/web/ipfire/html/proxy.pac");
flock(FILE, 2);
print FILE "function FindProxyForURL(url, host)\n";
# Additional exceptions for URLs
# The file has to be created by the user and should contain one entry per line
# Line-Format: <URL incl. wildcards>
- # e.g. *ipfire.org*
+ # e.g. *.ipfire.org*
if (-s "$acl_dst_noproxy_url") {
undef @templist;
# Additional exceptions for Subnets
# The file has to be created by the user and should contain one entry per line
- # Line-Format: "<IP>", "<SUBNET MASK>"
- # e.g. "192.168.0.0", "255.255.255.0"
+ # Line-Format: <IP>/<SUBNET MASK>
+ # e.g. 192.168.0.0/255.255.255.0
if (-s "$acl_dst_noproxy_ip") {
undef @templist;
foreach (@templist)
{
- print FILE " (isInNet(host, $_)) ||\n";
+ @temp = split(/\//);
+ print FILE " (isInNet(host, \"$temp[0]\", \"$temp[1]\")) ||\n";
+ }
+ }
+
+ foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) {
+ if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') {
+ my @networks = split(/\|/, $vpnconfig{$key}[11]);
+ foreach my $network (@networks) {
+ my ($vpnip, $vpnsub) = split("/", $network);
+ $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;
+ print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+ }
+ }
+ }
+
+ foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) {
+ if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') {
+ my @networks = split(/\|/, $ovpnconfig{$key}[11]);
+ foreach my $network (@networks) {
+ my ($vpnip, $vpnsub) = split("/", $network);
+ print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+ }
}
}
}
print FILE "\n";
- # If we use authentication, users must always authenticate
- unless ($proxysettings{"AUTH_METHOD"} eq "") {
- print FILE "authenticate_ip_ttl 0\n\n";
- }
-
if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident')))
{
if ($proxysettings{'AUTH_METHOD'} eq 'ncsa')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ldap')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
print FILE "\n";
} else {
&deluser($str_user);
- my $htpasswd = new Apache::Htpasswd("$userdb");
+ my %htpasswd_options = (
+ passwdFile => "$userdb",
+ UseMD5 => 1,
+ );
+
+ my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
+
$htpasswd->htpasswd($str_user, $str_pass);
}