X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fproxy.cgi;h=3139e51729091548bc3f1040b1e6bf980131d339;hp=9abcb9181f67981bf72fee7f2db4a7a90ae2231d;hb=ea72700a3b5f53680b218e9261593806bdc5f7d4;hpb=935c2f233b730a010b241029f559e837d93a7ea7
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 9abcb9181f..3139e51729 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -27,6 +27,7 @@ # use strict;
+use Apache::Htpasswd;
 # enable only the following on debugging purpose #use warnings;
@@ -88,7 +89,6 @@ my $errormessage='';
 my $acldir = "${General::swroot}/proxy/advanced/acls";
 my $ncsadir = "${General::swroot}/proxy/advanced/ncsa";
-my $ntlmdir = "${General::swroot}/proxy/advanced/ntlm";
 my $raddir = "${General::swroot}/proxy/advanced/radius";
 my $identdir = "${General::swroot}/proxy/advanced/ident";
 my $credir = "${General::swroot}/proxy/advanced/cre";
@@ -136,7 +136,6 @@ my $urlfilterversion = 'n/a';
 unless (-d "$acldir") { mkdir("$acldir"); }
 unless (-d "$ncsadir") { mkdir("$ncsadir"); }
-unless (-d "$ntlmdir") { mkdir("$ntlmdir"); }
 unless (-d "$raddir") { mkdir("$raddir"); }
 unless (-d "$identdir") { mkdir("$identdir"); }
 unless (-d "$credir") { mkdir("$credir"); }
@@ -267,6 +266,7 @@ $proxysettings{'LDAP_BINDDN_USER'} = '';
 $proxysettings{'LDAP_BINDDN_PASS'} = '';
 $proxysettings{'LDAP_GROUP'} = '';
 $proxysettings{'NTLM_AUTH_GROUP'} = '';
+$proxysettings{'NTLM_AUTH_BASIC'} = 'off';
 $proxysettings{'NTLM_DOMAIN'} = '';
 $proxysettings{'NTLM_PDC'} = '';
 $proxysettings{'NTLM_BDC'} = '';
@@ -285,7 +285,6 @@ $proxysettings{'IDENT_USER_ACL'} = 'positive';
 $proxysettings{'ENABLE_FILTER'} = 'off';
 $proxysettings{'ENABLE_UPDXLRATOR'} = 'off';
 $proxysettings{'ENABLE_CLAMAV'} = 'off';
-$proxysettings{'CHILDREN'} = '10';
 $ncsa_buttontext = $Lang::tr{'advproxy NCSA create user'};
@@ -357,7 +356,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'advproxy errmsg cache'}." ".$proxysettings{'CACHE_MEM'}." > ".$proxysettings{'CACHE_SIZE'}; goto ERROR; } - + if (!(&General::validport($proxysettings{'PROXY_PORT'}))) { $errormessage = $Lang::tr{'advproxy errmsg invalid proxy port'}; @@ -399,8 +398,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'proxy errmsg filedescriptors'}; goto ERROR; } - if (!($proxysettings{'CACHE_MEM'} =~ /^\d+/) || - ($proxysettings{'CACHE_MEM'} < 1)) + if (!($proxysettings{'CACHE_MEM'} =~ /^\d+/)) { $errormessage = $Lang::tr{'advproxy errmsg mem cache size'}; goto ERROR; @@ -435,11 +433,6 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} { $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; - } - if (!($proxysettings{'CHILDREN'} =~ /^\d+$/) || ($proxysettings{'CHILDREN'} < 1)) - { - $errormessage = $Lang::tr{'advproxy invalid num of children'}; - goto ERROR; } if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { 
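Review bot: The check left in the `@@ -399,8 +398,7 @@` hunk, `if (!($proxysettings{'CACHE_MEM'} =~ /^\d+/))`, is anchored only at the start, so a value such as `64abc` passes validation and later reaches the generated squid.conf through `int($proxysettings{'CACHE_MEM'} * 1024 * 0.02)`, where Perl's numeric coercion silently drops the suffix. The CHILDREN check removed in the following hunk used `/^\d+$/`; the same anchoring here, `if (!($proxysettings{'CACHE_MEM'} =~ /^\d+$/))`, rejects trailing junk before anything is written to the configuration. Dropping the `< 1` clause appears consistent with the new branch that emits `cache deny all` when CACHE_MEM is 0, so that part needs no change. The enclosing save handler starts and ends outside this hunk.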
@@ -551,33 +544,6 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} } } } - if ($proxysettings{'AUTH_METHOD'} eq 'ntlm') - { - if ($proxysettings{'NTLM_DOMAIN'} eq '') - { - $errormessage = $Lang::tr{'advproxy errmsg ntlm domain'}; - goto ERROR; - } - if ($proxysettings{'NTLM_PDC'} eq '') - { - $errormessage = $Lang::tr{'advproxy errmsg ntlm pdc'}; - goto ERROR; - } - if (!&General::validhostname($proxysettings{'NTLM_PDC'})) - { - $errormessage = $Lang::tr{'advproxy errmsg invalid pdc'}; - goto ERROR; - } - if ((!($proxysettings{'NTLM_BDC'} eq '')) && (!&General::validhostname($proxysettings{'NTLM_BDC'}))) - { - $errormessage = $Lang::tr{'advproxy errmsg invalid bdc'}; - goto ERROR; - } - - $proxysettings{'NTLM_DOMAIN'} = lc($proxysettings{'NTLM_DOMAIN'}); - $proxysettings{'NTLM_PDC'} = lc($proxysettings{'NTLM_PDC'}); - $proxysettings{'NTLM_BDC'} = lc($proxysettings{'NTLM_BDC'}); - } if ($proxysettings{'AUTH_METHOD'} eq 'radius') { if (!&General::validip($proxysettings{'RADIUS_SERVER'})) @@ -693,7 +659,7 @@ ERROR: system ('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); } if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); } - if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); } + if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); } } } @@ -862,7 +828,6 @@ $checked{'AUTH_METHOD'}{'none'} = ''; $checked{'AUTH_METHOD'}{'ncsa'} = ''; $checked{'AUTH_METHOD'}{'ident'} = ''; $checked{'AUTH_METHOD'}{'ldap'} = ''; -$checked{'AUTH_METHOD'}{'ntlm'} = ''; $checked{'AUTH_METHOD'}{'ntlm-auth'} = ''; $checked{'AUTH_METHOD'}{'radius'} = ''; $checked{'AUTH_METHOD'}{$proxysettings{'AUTH_METHOD'}} = "checked='checked'"; 
@@ -895,6 +860,10 @@ $checked{'NTLM_USER_ACL'}{'positive'} = ''; $checked{'NTLM_USER_ACL'}{'negative'} = ''; $checked{'NTLM_USER_ACL'}{$proxysettings{'NTLM_USER_ACL'}} = "checked='checked'"; +$checked{'NTLM_AUTH_BASIC'}{'on'} = ''; +$checked{'NTLM_AUTH_BASIC'}{'off'} = ''; +$checked{'NTLM_AUTH_BASIC'}{$proxysettings{'NTLM_AUTH_BASIC'}} = "checked='checked'"; + $checked{'RADIUS_ENABLE_ACL'}{'off'} = ''; $checked{'RADIUS_ENABLE_ACL'}{'on'} = ''; $checked{'RADIUS_ENABLE_ACL'}{$proxysettings{'RADIUS_ENABLE_ACL'}} = "checked='checked'"; @@ -964,13 +933,13 @@ print < $Lang::tr{'advproxy enabled on'} Green: - $Lang::tr{'advproxy proxy port'}: + $Lang::tr{'advproxy proxy port'}: * $Lang::tr{'advproxy transparent on'} Green: - $Lang::tr{'advproxy proxy port transparent'}: + $Lang::tr{'advproxy proxy port transparent'}: * @@ -983,7 +952,7 @@ if ($netsettings{'BLUE_DEV'}) { print " "; } print <$Lang::tr{'advproxy visible hostname'}: * + $Lang::tr{'advproxy visible hostname'}: @@ -1029,12 +998,8 @@ print <
- - END ; -my $count = `ip n| wc -l`; -if ( $count < 1 ){$count = 1;} if ( -e "/usr/bin/squidclamav" ) { print ""; } else { print ""; } -print ""; -print ""; print < @@ -1066,19 +1029,19 @@ print < - + - + - + @@ -1112,30 +1075,30 @@ print <$Lang::tr{'advproxy cache management'} - + - + - + - + - + - + - + - + @@ -1153,7 +1116,7 @@ print < - + @@ -1213,8 +1176,8 @@ print < - - + + - - -
$Lang::tr{'advproxy redirector children'}
$Lang::tr{'processes'}".$Lang::tr{'advproxy squidclamav'}."
"; if ( ! -e "/var/run/clamav/clamd.pid" ){ @@ -1043,18 +1008,16 @@ if ( -e "/usr/bin/squidclamav" ) { } else { print $Lang::tr{'advproxy enabled'}."
"; - print "+ ".int(( $count**(1/3)) * 8);} +} print "
".$Lang::tr{'advproxy url filter'}."
"; +print "
".$Lang::tr{'advproxy url filter'}."
"; print $Lang::tr{'advproxy enabled'}."
"; -print "+ ".int(($count**(1/3)) * 6); print "
".$Lang::tr{'advproxy update accelerator'}."
"; +print "
".$Lang::tr{'advproxy update accelerator'}."
"; print $Lang::tr{'advproxy enabled'}."
"; -print "+ ".int(($count**(1/3)) * 5); print "
$Lang::tr{'advproxy via forwarding'}: $Lang::tr{'advproxy upstream proxy host:port'} *$Lang::tr{'advproxy upstream proxy host:port'}:
$Lang::tr{'advproxy client IP forwarding'}: $Lang::tr{'advproxy upstream username'}: *$Lang::tr{'advproxy upstream username'}:
$Lang::tr{'advproxy username forwarding'}: $Lang::tr{'advproxy upstream password'}: *$Lang::tr{'advproxy upstream password'}:
$Lang::tr{'proxy cachemgr'}:$Lang::tr{'proxy cachemgr'}: $Lang::tr{'advproxy admin mail'}: *$Lang::tr{'advproxy admin mail'}:
$Lang::tr{'proxy filedescriptors'}:$Lang::tr{'proxy filedescriptors'}: * $Lang::tr{'proxy admin password'}: *$Lang::tr{'proxy admin password'}:
$Lang::tr{'advproxy ram cache size'}:$Lang::tr{'advproxy ram cache size'}: * $Lang::tr{'advproxy hdd cache size'}:$Lang::tr{'advproxy hdd cache size'}: *
$Lang::tr{'advproxy min size'}:$Lang::tr{'advproxy min size'}: * $Lang::tr{'advproxy max size'}:$Lang::tr{'advproxy max size'}: *
$Lang::tr{'advproxy no cache sites'}: *$Lang::tr{'advproxy no cache sites'}:
$Lang::tr{'advproxy standard ports'}:$Lang::tr{'advproxy ssl ports'}:$Lang::tr{'advproxy standard ports'}: *$Lang::tr{'advproxy ssl ports'}: *
-END -; } - # =================================================================== # NTLM-AUTH settings # =================================================================== @@ -2002,12 +1890,20 @@ END if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') { print < + + + + +
$Lang::tr{'advproxy basic authentication'}: 
+ +
+ - + @@ -2063,7 +1959,7 @@ print <$Lang::tr{'advproxy LDAP group access control'} - + @@ -2090,7 +1986,7 @@ print < - + @@ -2198,19 +2094,6 @@ print < - - - - - - - -END -; } - if (!($proxysettings{'AUTH_METHOD'} eq 'radius')) { print < @@ -2246,9 +2129,7 @@ print <
$Lang::tr{'advproxy group access control'}
$Lang::tr{'advproxy group required'}: *$Lang::tr{'advproxy group required'}:    
$Lang::tr{'advproxy LDAP group required'}: *$Lang::tr{'advproxy LDAP group required'}:    
$Lang::tr{'advproxy RADIUS identifier'}: *$Lang::tr{'advproxy RADIUS identifier'}: $Lang::tr{'advproxy RADIUS secret'}:
- +
*  - $Lang::tr{'this field may be blank'} - * $Lang::tr{'required field'}  
@@ -2502,18 +2383,6 @@ sub read_acls while () { $proxysettings{'MIME_TYPES'} .= $_ }; close(FILE); } - if (-e "$ntlmdir/msntauth.allowusers") { - open(FILE,"$ntlmdir/msntauth.allowusers"); - delete $proxysettings{'NTLM_ALLOW_USERS'}; - while () { $proxysettings{'NTLM_ALLOW_USERS'} .= $_ }; - close(FILE); - } - if (-e "$ntlmdir/msntauth.denyusers") { - open(FILE,"$ntlmdir/msntauth.denyusers"); - delete $proxysettings{'NTLM_DENY_USERS'}; - while () { $proxysettings{'NTLM_DENY_USERS'} .= $_ }; - close(FILE); - } if (-e "$raddir/radauth.allowusers") { open(FILE,"$raddir/radauth.allowusers"); delete $proxysettings{'RADIUS_ALLOW_USERS'}; @@ -2953,16 +2822,6 @@ sub write_acls print FILE $proxysettings{'MIME_TYPES'}; close(FILE); - open(FILE, ">$ntlmdir/msntauth.allowusers"); - flock(FILE, 2); - print FILE $proxysettings{'NTLM_ALLOW_USERS'}; - close(FILE); - - open(FILE, ">$ntlmdir/msntauth.denyusers"); - flock(FILE, 2); - print FILE $proxysettings{'NTLM_DENY_USERS'}; - close(FILE); - open(FILE, ">$raddir/radauth.allowusers"); flock(FILE, 2); print FILE $proxysettings{'RADIUS_ALLOW_USERS'}; @@ -3065,8 +2924,6 @@ END print FILE "\n"; print FILE < 0) + if (($proxysettings{'CACHE_SIZE'} > 0) || ($proxysettings{'CACHE_MEM'} > 0)) { print FILE "\n"; @@ -3194,7 +3051,7 @@ END if ($proxysettings{'OFFLINE_MODE'} eq 'on') { print FILE "offline_mode on\n\n"; } if ($proxysettings{'CACHE_DIGESTS'} eq 'on') { print FILE "digest_generation on\n\n"; } else { print FILE "digest_generation off\n\n"; } - + if ((!($proxysettings{'MEM_POLICY'} eq 'LRU')) || (!($proxysettings{'CACHE_POLICY'} eq 'LRU'))) { if (!($proxysettings{'MEM_POLICY'} eq 'LRU')) 
@@ -3208,6 +3065,48 @@ END print FILE "\n"; } + open (PORTS,"$acl_ports_ssl"); + my @ssl_ports = ; + close PORTS; + + if (@ssl_ports) { + foreach (@ssl_ports) { + print FILE "acl SSL_ports port $_"; + } + } + + open (PORTS,"$acl_ports_safe"); + my @safe_ports = ; + close PORTS; + + if (@safe_ports) { + foreach (@safe_ports) { + print FILE "acl Safe_ports port $_"; + } + } + + print FILE < 0) { print FILE < 0) { + # always 2% of CACHE_MEM defined as max object size + print FILE "maximum_object_size_in_memory " . int($proxysettings{'CACHE_MEM'} * 1024 * 0.02) . " KB\n\n"; + } else { + print FILE "cache deny all\n\n"; + } } print FILE <$ntlmdir/msntauth.conf"); - flock(MSNTCONF,2); - print MSNTCONF "server $proxysettings{'NTLM_PDC'}"; - if ($proxysettings{'NTLM_BDC'} eq '') { print MSNTCONF " $proxysettings{'NTLM_PDC'}"; } else { print MSNTCONF " $proxysettings{'NTLM_BDC'}"; } - print MSNTCONF " $proxysettings{'NTLM_DOMAIN'}\n"; - if ($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') - { - if ($proxysettings{'NTLM_USER_ACL'} eq 'positive') - { - print MSNTCONF "allowusers $ntlmdir/msntauth.allowusers\n"; - } else { - print MSNTCONF "denyusers $ntlmdir/msntauth.denyusers\n"; - } - } - close(MSNTCONF); - } - } - if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') { print FILE "auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp"; 
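Review bot: The relocated port-ACL block still opens its input with an unchecked two-argument bareword handle, `open (PORTS,"$acl_ports_ssl");`, so when either file cannot be read `@ssl_ports` is simply empty and no `acl SSL_ports port` line is written; if the http_access rules later in the writer (outside this hunk) reference that ACL, squid then rejects the whole generated configuration with no hint in the CGI. Use the three-argument form with a lexical handle and fail loudly, `open(my $ports, '<', $acl_ports_ssl) or die "open $acl_ports_ssl: $!";`, and the same for `$acl_ports_safe`. The `print FILE "acl SSL_ports port $_";` lines also depend on every line of the file carrying its newline; `chomp` the array and print `"acl SSL_ports port $_\n"` so a file without a trailing newline cannot run into the next directive. The `if (@ssl_ports)` and `if (@safe_ports)` guards are redundant, since `foreach` over an empty list already does nothing. The enclosing configuration writer starts and ends outside this hunk.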
@@ -3372,11 +3243,26 @@ END my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'}; $ntlm_auth_group =~ s/\\/\+/; - print FILE " --require-membership-of=\"$ntlm_auth_group\""; + print FILE " --require-membership-of=$ntlm_auth_group"; } print FILE "\n"; - print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n"; + print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n\n"; + + # BASIC authentication + if ($proxysettings{'NTLM_AUTH_BASIC'} eq "on") { + print FILE "auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic"; + if ($proxysettings{'NTLM_AUTH_GROUP'}) { + my $ntlm_auth_group = $proxysettings{'NTLM_AUTH_GROUP'}; + $ntlm_auth_group =~ s/\\/\+/; + + print FILE " --require-membership-of=$ntlm_auth_group"; + } + print FILE "\n"; + print FILE "auth_param basic children 10\n"; + print FILE "auth_param basic realm IPFire Web Proxy Server\n"; + print FILE "auth_param basic credentialsttl 2 hours\n\n"; + } } if ($proxysettings{'AUTH_METHOD'} eq 'radius') @@ -3392,17 +3278,6 @@ END print FILE "\n"; print FILE "acl for_inetusers proxy_auth REQUIRED\n"; - if (($proxysettings{'AUTH_METHOD'} eq 'ntlm') && ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on') && ($proxysettings{'NTLM_ENABLE_ACL'} eq 'on')) - { - if ((!-z "$ntlmdir/msntauth.allowusers") && ($proxysettings{'NTLM_USER_ACL'} eq 'positive')) - { - print FILE "acl for_acl_users proxy_auth \"$ntlmdir/msntauth.allowusers\"\n"; - } - if ((!-z "$ntlmdir/msntauth.denyusers") && ($proxysettings{'NTLM_USER_ACL'} eq 'negative')) - { - print FILE "acl for_acl_users proxy_auth \"$ntlmdir/msntauth.denyusers\"\n"; - } - } if (($proxysettings{'AUTH_METHOD'} eq 'radius') && ($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on')) { if ((!-z "$raddir/radauth.allowusers") && ($proxysettings{'RADIUS_USER_ACL'} eq 'positive')) 
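Review bot: Dropping the quotes in `print FILE " --require-membership-of=$ntlm_auth_group";` means a group name containing whitespace, a common shape for directory group names, is presumably split into several helper arguments by squid's config parser, so the membership restriction would silently apply to a truncated name; unless the quoting itself broke ntlm_auth, keep it, or validate `NTLM_AUTH_GROUP` at save time against an anchored character class (not visible in this diff) so that whitespace and newlines can never reach the auth_param line. The rewrite `$ntlm_auth_group =~ s/\\/\+/;` is now duplicated verbatim in the new basic branch; compute the option string once above both `print FILE` calls and reuse it, and add a comment that without `/g` only the first backslash is replaced, which looks intended for `DOMAIN\group` but is worth stating. The basic helper hard-codes `auth_param basic children 10` and `credentialsttl 2 hours` while the NTLM line uses `$proxysettings{'AUTH_CHILDREN'}`; reusing the same setting keeps the two helpers consistent. The comment `# BASIC authentication` would carry more information as `# Basic fallback for clients without NTLM support; credentials arrive base64-encoded, so this is only as safe as the client-to-proxy link`. The enclosing configuration writer starts and ends outside this hunk.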
@@ -3474,48 +3349,6 @@ END print FILE "acl blocked_mimetypes rep_mime_type \"$mimetypes\"\n\n"; } -open (PORTS,"$acl_ports_ssl"); -my @ssl_ports = ; -close PORTS; - -if (@ssl_ports) { - foreach (@ssl_ports) { - print FILE "acl SSL_ports port $_"; - } -} - -open (PORTS,"$acl_ports_safe"); -my @safe_ports = ; -close PORTS; - -if (@safe_ports) { - foreach (@safe_ports) { - print FILE "acl Safe_ports port $_"; - } -} - - print FILE <htpasswd($str_user, $str_pass); } if ($str_group eq 'standard') { open(FILE, ">>$stdgrp");