]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blobdiff - html/cgi-bin/proxy.cgi
projects / people / pmueller / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
proxy.cgi: Use new system methods
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / proxy.cgi
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 91e4fcee83203640b7a437269a1a875f19484b92..aaf04594cf6603661975111d71c89da0415e995c 100644 (file)
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2013  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -18,13 +18,6 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
 ###############################################################################
-#
-# (c) 2004-2009 marco.s - http://www.advproxy.net
-#
-# This code is distributed under the terms of the GPL
-#
-# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $
-#
 
 use strict;
 use Apache::Htpasswd;
@@ -37,14 +30,16 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 
-my @squidversion = `/usr/sbin/squid -v`;
+require "${General::swroot}/ids-functions.pl";
+
+my @squidversion = &General::system_output("/usr/sbin/squid", "-v");
 my $http_port='81';
 my $https_port='444';
 
 my %color = ();
 my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
 
 my %proxysettings=();
 my %netsettings=();
@@ -237,6 +232,7 @@ $proxysettings{'AUTH_METHOD'} = 'none';
 $proxysettings{'AUTH_REALM'} = '';
 $proxysettings{'AUTH_MAX_USERIP'} = '';
 $proxysettings{'AUTH_CACHE_TTL'} = '60';
+$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
 $proxysettings{'AUTH_CHILDREN'} = '5';
 $proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
 $proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
@@ -389,7 +385,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
                $errormessage = $Lang::tr{'advproxy errmsg mem cache size'};
                goto ERROR;
        }
-       my @free = `/usr/bin/free`;
+       my @free = &General::system_output("/usr/bin/free");
        $free[1] =~ m/(\d+)/;
        $cachemem = int $1 / 2048;
        if ($proxysettings{'CACHE_MEM'} > $cachemem) {
@@ -442,18 +438,23 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
                                }
                        }
                }
+               if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
+                       ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+               {
+                       $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+                       goto ERROR;
+               }
                if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
                {
                        $errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
                        goto ERROR;
                }
-               if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
-                       ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+               if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/))
                {
-                       $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+                       $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'};
                        goto ERROR;
                }
-               if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))
+               if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0'))
                {
                        $errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'};
                        goto ERROR;
@@ -550,6 +551,29 @@ ERROR:
 
        if ($proxysettings{'VALID'} eq 'yes')
        {
+               # Determine if suricata may needs to be restarted.
+               my $suricata_proxy_ports_changed;
+
+               # Check if the IDS is running
+               if(&IDS::ids_is_running()) {
+                       my %oldproxysettings;
+
+                       # Read-in current proxy settings and store them as oldsettings hash.
+                       &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+                       # Check if the proxy port has been changed.
+                       unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+                               # Port has changed, suricata needs to be adjusted.
+                               $suricata_proxy_ports_changed = 1;
+                       }
+
+                       # Check if the transparent port has been changed.
+                       unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+                               # Transparent port has changed, suricata needs to be adjusted.
+                               $suricata_proxy_ports_changed = 1;
+                       }
+               }
+
                &write_acls;
 
                delete $proxysettings{'SRC_SUBNETS'};
@@ -627,6 +651,15 @@ ERROR:
 
                if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
                if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+
+               # Check if the suricata_proxy_ports_changed flag has been set.
+               if ($suricata_proxy_ports_changed) {
+                       # Re-generate HTTP ports file.
+                       &IDS::generate_http_ports_file();
+
+                       # Restart suricata.
+                       &IDS::call_suricatactrl("restart");
+               }
   }
 }
 
@@ -1708,6 +1741,10 @@ print <<END
        <td class='base'>$Lang::tr{'advproxy AUTH limit of IP addresses'}:</td>
        <td><input type='text' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
 </tr>
+<tr>
+       <td class='base'>$Lang::tr{'advproxy AUTH user IP cache TTL'}:</td>
+       <td><input type='text' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
+</tr>
 <tr>
        <td class='base'>$Lang::tr{'advproxy AUTH always required'}:</td>
        <td><input type='checkbox' name='AUTH_ALWAYS_REQUIRED' $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} /></td>
@@ -2004,6 +2041,7 @@ print <<END
 <td><input type='hidden' name='AUTH_CHILDREN'        value='$proxysettings{'AUTH_CHILDREN'}'></td>
 <td><input type='hidden' name='AUTH_CACHE_TTL'       value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_MAX_USERIP'      value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL'     value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_ALWAYS_REQUIRED' value='$proxysettings{'AUTH_ALWAYS_REQUIRED'}'></td>
 <td><input type='hidden' name='AUTH_REALM'           value='$proxysettings{'AUTH_REALM'}'></td>
 <td><input type='hidden' name='DST_NOAUTH'           value='$proxysettings{'DST_NOAUTH'}'></td>
@@ -2015,6 +2053,7 @@ print <<END
 <td><input type='hidden' name='AUTH_CHILDREN'        value='$proxysettings{'AUTH_CHILDREN'}'></td>
 <td><input type='hidden' name='AUTH_CACHE_TTL'       value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_MAX_USERIP'      value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL'     value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_REALM'           value='$proxysettings{'AUTH_REALM'}'></td>
 END
 ; }
@@ -2848,6 +2887,10 @@ sub write_acls
 
 sub writepacfile
 {
+       my %vpnconfig=();
+       my %ovpnconfig=();
+       &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+       &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfig);
        open(FILE, ">/srv/web/ipfire/html/proxy.pac");
        flock(FILE, 2);
        print FILE "function FindProxyForURL(url, host)\n";
@@ -2910,6 +2953,27 @@ END
                }
        }
 
+       foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) {
+               if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') {
+                       my @networks = split(/\|/, $vpnconfig{$key}[11]);
+                       foreach my $network (@networks) {
+                               my ($vpnip, $vpnsub) = split("/", $network);
+                               $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;
+                               print FILE "     (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+                       }
+               }
+       }
+
+       foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) {
+               if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') {
+                       my @networks = split(/\|/, $ovpnconfig{$key}[11]);
+                       foreach my $network (@networks) {
+                               my ($vpnip, $vpnsub) = split("/", $network);
+                               print FILE "     (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+                       }
+               }
+       }
+
        print FILE <<END
      (isInNet(host, "169.254.0.0", "255.255.0.0"))
    )
@@ -2940,7 +3004,8 @@ END
                                        )
                                {
                                        chomp $temp[1];
-                                       print FILE " ||\n     (isInNet(myIpAddress(), \"$temp[0]\", \"$temp[1]\"))";
+                                       my $tempmask = &Network::convert_prefix2netmask($temp[1]);
+                                       print FILE " ||\n     (isInNet(myIpAddress(), \"$temp[0]\", \"$tempmask\"))";
                                }
                        }
 
@@ -3203,11 +3268,6 @@ END
        }
        print FILE "\n";
 
-       # If we use authentication, users must always authenticate
-       unless ($proxysettings{"AUTH_METHOD"} eq "") {
-               print FILE "authenticate_ip_ttl 0\n\n";
-       }
-
        if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident')))
        {
                if ($proxysettings{'AUTH_METHOD'} eq 'ncsa')
@@ -3216,6 +3276,7 @@ END
                        print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                        print FILE "auth_param basic realm $authrealm\n";
                        print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+                       if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
                }
 
                if ($proxysettings{'AUTH_METHOD'} eq 'ldap')
@@ -3260,6 +3321,7 @@ END
                        print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                        print FILE "auth_param basic realm $authrealm\n";
                        print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+                       if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
                }
 
                if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
@@ -3300,6 +3362,7 @@ END
                        print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                        print FILE "auth_param basic realm $authrealm\n";
                        print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+                       if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
                }
 
                print FILE "\n";
@@ -3920,7 +3983,13 @@ sub adduser
        } else {
                &deluser($str_user);
 
-               my $htpasswd = new Apache::Htpasswd("$userdb");
+               my %htpasswd_options = (
+                       passwdFile => "$userdb",
+                       UseMD5 => 1,
+               );
+
+               my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
+
                $htpasswd->htpasswd($str_user, $str_pass);
        }
 
Peter's tree of IPFire 2.x