###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
-#
-# (c) 2004-2009 marco.s - http://www.advproxy.net
-#
-# This code is distributed under the terms of the GPL
-#
-# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $
-#
use strict;
use Apache::Htpasswd;
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
-my @squidversion = `/usr/sbin/squid -v`;
+require "${General::swroot}/ids-functions.pl";
+
+my @squidversion = &General::system_output("/usr/sbin/squid", "-v");
my $http_port='81';
my $https_port='444';
my %color = ();
my %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
my %proxysettings=();
my %netsettings=();
unless (-d "$identdir") { mkdir("$identdir"); }
unless (-d "$credir") { mkdir("$credir"); }
-unless (-e $cre_groups) { system("touch $cre_groups"); }
-unless (-e $cre_svhosts) { system("touch $cre_svhosts"); }
-
-unless (-e $userdb) { system("touch $userdb"); }
-unless (-e $stdgrp) { system("touch $stdgrp"); }
-unless (-e $extgrp) { system("touch $extgrp"); }
-unless (-e $disgrp) { system("touch $disgrp"); }
-
-unless (-e $acl_src_subnets) { system("touch $acl_src_subnets"); }
-unless (-e $acl_src_banned_ip) { system("touch $acl_src_banned_ip"); }
-unless (-e $acl_src_banned_mac) { system("touch $acl_src_banned_mac"); }
-unless (-e $acl_src_unrestricted_ip) { system("touch $acl_src_unrestricted_ip"); }
-unless (-e $acl_src_unrestricted_mac) { system("touch $acl_src_unrestricted_mac"); }
-unless (-e $acl_src_noaccess_ip) { system("touch $acl_src_noaccess_ip"); }
-unless (-e $acl_src_noaccess_mac) { system("touch $acl_src_noaccess_mac"); }
-unless (-e $acl_dst_noauth) { system("touch $acl_dst_noauth"); }
-unless (-e $acl_dst_noauth_dom) { system("touch $acl_dst_noauth_dom"); }
-unless (-e $acl_dst_noauth_net) { system("touch $acl_dst_noauth_net"); }
-unless (-e $acl_dst_noauth_url) { system("touch $acl_dst_noauth_url"); }
-unless (-e $acl_dst_nocache) { system("touch $acl_dst_nocache"); }
-unless (-e $acl_dst_nocache_dom) { system("touch $acl_dst_nocache_dom"); }
-unless (-e $acl_dst_nocache_net) { system("touch $acl_dst_nocache_net"); }
-unless (-e $acl_dst_nocache_url) { system("touch $acl_dst_nocache_url"); }
-unless (-e $acl_dst_throttle) { system("touch $acl_dst_throttle"); }
-unless (-e $acl_ports_safe) { system("touch $acl_ports_safe"); }
-unless (-e $acl_ports_ssl) { system("touch $acl_ports_ssl"); }
-unless (-e $acl_include) { system("touch $acl_include"); }
-
-unless (-e $mimetypes) { system("touch $mimetypes"); }
+unless (-e $cre_groups) { &General::system("touch", "$cre_groups"); }
+unless (-e $cre_svhosts) { &General::system("touch $cre_svhosts"); }
+
+unless (-e $userdb) { &General::system("touch", "$userdb"); }
+unless (-e $stdgrp) { &General::system("touch", "$stdgrp"); }
+unless (-e $extgrp) { &General::system("touch", "$extgrp"); }
+unless (-e $disgrp) { &General::system("touch", "$disgrp"); }
+
+unless (-e $acl_src_subnets) { &General::system("touch", "$acl_src_subnets"); }
+unless (-e $acl_src_banned_ip) { &General::system("touch", "$acl_src_banned_ip"); }
+unless (-e $acl_src_banned_mac) { &General::system("touch", "$acl_src_banned_mac"); }
+unless (-e $acl_src_unrestricted_ip) { &General::system("touch", "$acl_src_unrestricted_ip"); }
+unless (-e $acl_src_unrestricted_mac) { &General::system("touch", "$acl_src_unrestricted_mac"); }
+unless (-e $acl_src_noaccess_ip) { &General::system("touch", "$acl_src_noaccess_ip"); }
+unless (-e $acl_src_noaccess_mac) { &General::system("touch", "$acl_src_noaccess_mac"); }
+unless (-e $acl_dst_noauth) { &General::system("touch", "$acl_dst_noauth"); }
+unless (-e $acl_dst_noauth_dom) { &General::system("touch", "$acl_dst_noauth_dom"); }
+unless (-e $acl_dst_noauth_net) { &General::system("touch", "$acl_dst_noauth_net"); }
+unless (-e $acl_dst_noauth_url) { &General::system("touch", "$acl_dst_noauth_url"); }
+unless (-e $acl_dst_nocache) { &General::system("touch", "$acl_dst_nocache"); }
+unless (-e $acl_dst_nocache_dom) { &General::system("touch", "$acl_dst_nocache_dom"); }
+unless (-e $acl_dst_nocache_net) { &General::system("touch", "$acl_dst_nocache_net"); }
+unless (-e $acl_dst_nocache_url) { &General::system("touch", "$acl_dst_nocache_url"); }
+unless (-e $acl_dst_throttle) { &General::system("touch", "$acl_dst_throttle"); }
+unless (-e $acl_ports_safe) { &General::system("touch", "$acl_ports_safe"); }
+unless (-e $acl_ports_ssl) { &General::system("touch", "$acl_ports_ssl"); }
+unless (-e $acl_include) { &General::system("touch", "$acl_include"); }
+
+unless (-e $mimetypes) { &General::system("touch", "$mimetypes"); }
my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
$proxysettings{'AUTH_REALM'} = '';
$proxysettings{'AUTH_MAX_USERIP'} = '';
$proxysettings{'AUTH_CACHE_TTL'} = '60';
+$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
$proxysettings{'AUTH_CHILDREN'} = '5';
$proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
$proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
$errormessage = $Lang::tr{'advproxy errmsg mem cache size'};
goto ERROR;
}
- my @free = `/usr/bin/free`;
+ my @free = &General::system_output("/usr/bin/free");
$free[1] =~ m/(\d+)/;
$cachemem = int $1 / 2048;
if ($proxysettings{'CACHE_MEM'} > $cachemem) {
}
}
}
+ if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
+ ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+ {
+ $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+ goto ERROR;
+ }
if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
{
$errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
goto ERROR;
}
- if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
- ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/))
{
- $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+ $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'};
goto ERROR;
}
- if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))
+ if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0'))
{
$errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'};
goto ERROR;
if ($proxysettings{'VALID'} eq 'yes')
{
+ # Determine if suricata may needs to be restarted.
+ my $suricata_proxy_ports_changed;
+
+ # Check if the IDS is running
+ if(&IDS::ids_is_running()) {
+ my %oldproxysettings;
+
+ # Read-in current proxy settings and store them as oldsettings hash.
+ &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+ # Check if the proxy port has been changed.
+ unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+ # Port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+
+ # Check if the transparent port has been changed.
+ unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+ # Transparent port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+ }
+
&write_acls;
delete $proxysettings{'SRC_SUBNETS'};
if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;}
- system ('/usr/local/bin/squidctrl', 'disable');
+ &General::system ('/usr/local/bin/squidctrl', 'disable');
unlink "${General::swroot}/proxy/enable";
unlink "${General::swroot}/proxy/transparent";
unlink "${General::swroot}/proxy/enable_blue";
unlink "${General::swroot}/proxy/transparent_blue";
if ($proxysettings{'ENABLE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/enable");
- system ('/usr/local/bin/squidctrl', 'enable'); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable");
+ &General::system('/usr/local/bin/squidctrl', 'enable'); }
if ($proxysettings{'TRANSPARENT'} eq 'on' && $proxysettings{'ENABLE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
if ($proxysettings{'ENABLE_BLUE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
- system ('/usr/local/bin/squidctrl', 'enable'); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
+ &General::system('/usr/local/bin/squidctrl', 'enable'); }
if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on' && $proxysettings{'ENABLE_BLUE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
- if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
- if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+ if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { &General::system('/usr/local/bin/squidctrl', 'restart'); }
+ if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { &General::system('/usr/local/bin/squidctrl', 'reconfigure'); }
+
+ # Check if the suricata_proxy_ports_changed flag has been set.
+ if ($suricata_proxy_ports_changed) {
+ # Re-generate HTTP ports file.
+ &IDS::generate_http_ports_file();
+
+ # Restart suricata.
+ &IDS::call_suricatactrl("restart");
+ }
}
}
if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy clear cache'})
{
- system('/usr/local/bin/squidctrl flush >/dev/null 2>&1');
+ &General::system('/usr/local/bin/squidctrl', 'flush');
}
if (!$errormessage)
<td class='base'>$Lang::tr{'advproxy AUTH limit of IP addresses'}:</td>
<td><input type='text' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
</tr>
+<tr>
+ <td class='base'>$Lang::tr{'advproxy AUTH user IP cache TTL'}:</td>
+ <td><input type='text' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
+</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy AUTH always required'}:</td>
<td><input type='checkbox' name='AUTH_ALWAYS_REQUIRED' $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} /></td>
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_ALWAYS_REQUIRED' value='$proxysettings{'AUTH_ALWAYS_REQUIRED'}'></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
<td><input type='hidden' name='DST_NOAUTH' value='$proxysettings{'DST_NOAUTH'}'></td>
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
END
; }
)
{
chomp $temp[1];
- print FILE " ||\n (isInNet(myIpAddress(), \"$temp[0]\", \"$temp[1]\"))";
+ my $tempmask = &Network::convert_prefix2netmask($temp[1]);
+ print FILE " ||\n (isInNet(myIpAddress(), \"$temp[0]\", \"$tempmask\"))";
}
}
}
print FILE "\n";
- # If we use authentication, users must always authenticate
- unless ($proxysettings{"AUTH_METHOD"} eq "") {
- print FILE "authenticate_ip_ttl 0\n\n";
- }
-
if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident')))
{
if ($proxysettings{'AUTH_METHOD'} eq 'ncsa')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ldap')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
print FILE "\n";