]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blobdiff - html/cgi-bin/proxy.cgi
projects / people / pmueller / ipfire-2.x.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
suricata: Change midstream policy to "pass-flow"
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / proxy.cgi
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index 4c20fbf6be96360b4361e29af130d261bf3ca185..c8e3576dfe2b2226b8e5e59a6159f336668dcb0d 100644 (file)
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2013  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2021  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -18,16 +18,10 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
 ###############################################################################
-#
-# (c) 2004-2009 marco.s - http://www.advproxy.net
-#
-# This code is distributed under the terms of the GPL
-#
-# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $
-#
 
 use strict;
 use Apache::Htpasswd;
+use Scalar::Util qw(looks_like_number);
 
 # enable only the following on debugging purpose
 #use warnings;
@@ -37,14 +31,16 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";
 
-my @squidversion = `/usr/sbin/squid -v`;
+require "${General::swroot}/ids-functions.pl";
+
+my @squidversion = &General::system_output("/usr/sbin/squid", "-v");
 my $http_port='81';
 my $https_port='444';
 
 my %color = ();
 my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
 
 my %proxysettings=();
 my %netsettings=();
@@ -56,17 +52,11 @@ my %mainsettings=();
 my %checked=();
 my %selected=();
 
-my @throttle_limits=(64,128,256,384,512,768,1024,1280,1536,1792,2048,2560,3072,3584,4096,5120,6144,7168,8192,10240,12288,16384,20480);
-my $throttle_binary="7z|arj|bin|bz2|cab|exe|gz|lzh|rar|sea|tar|tgz|xz|zip";
-my $throttle_dskimg="b5t|bin|bwt|ccd|cdi|cue|gho|img|iso|mds|nrg|pqi|vmdk";
-my $throttle_mmedia="aiff?|asf|avi|divx|mov|mp3|mpe?g|ogg|qt|ra?m|ts|vob";
+my @throttle_limits=(64,128,256,512,1024,1536,2048,3072,4096,5120,6144,7168,8192,10240,16384,20480,51200,102400);
 
 my $def_ports_safe="80 # http\n21 # ftp\n443 # https\n563 # snews\n70 # gopher\n210 # wais\n1025-65535 # unregistered ports\n280 # http-mgmt\n488 # gss-http\n591 # filemaker\n777 # multiling http\n800 # Squids port (for icons)\n";
 my $def_ports_ssl="443 # https\n563 # snews\n";
 
-my @useragent=();
-my @useragentlist=();
-
 my $hintcolour='#FFFFCC';
 my $ncsa_buttontext='';
 my $language='';
@@ -98,7 +88,6 @@ my $stdgrp = "$ncsadir/standard.grp";
 my $extgrp = "$ncsadir/extended.grp";
 my $disgrp = "$ncsadir/disabled.grp";
 
-my $browserdb = "${General::swroot}/proxy/advanced/useragents";
 my $mimetypes = "${General::swroot}/proxy/advanced/mimetypes";
 my $throttled_urls = "${General::swroot}/proxy/advanced/throttle";
 
@@ -108,7 +97,7 @@ my $cre_svhosts = "${General::swroot}/proxy/advanced/cre/supervisors";
 
 my $identhosts = "$identdir/hosts";
 
-my $authdir  = "/usr/lib/squid/";
+my $authdir  = "/usr/lib/squid";
 my $errordir = "/usr/lib/squid/errors";
 
 my $acl_src_subnets = "$acldir/src_subnets.acl";
@@ -131,6 +120,9 @@ my $acl_ports_safe = "$acldir/ports_safe.acl";
 my $acl_ports_ssl  = "$acldir/ports_ssl.acl";
 my $acl_include = "$acldir/include.acl";
 
+my $acl_dst_noproxy_url = "$acldir/dst_noproxy_url.acl";
+my $acl_dst_noproxy_ip = "$acldir/dst_noproxy_ip.acl";
+
 my $updaccelversion  = 'n/a';
 my $urlfilterversion = 'n/a';
 
@@ -140,47 +132,46 @@ unless (-d "$raddir")   { mkdir("$raddir"); }
 unless (-d "$identdir") { mkdir("$identdir"); }
 unless (-d "$credir")   { mkdir("$credir"); }
 
-unless (-e $cre_groups)  { system("touch $cre_groups"); }
-unless (-e $cre_svhosts) { system("touch $cre_svhosts"); }
-
-unless (-e $userdb) { system("touch $userdb"); }
-unless (-e $stdgrp) { system("touch $stdgrp"); }
-unless (-e $extgrp) { system("touch $extgrp"); }
-unless (-e $disgrp) { system("touch $disgrp"); }
-
-unless (-e $acl_src_subnets)    { system("touch $acl_src_subnets"); }
-unless (-e $acl_src_banned_ip)  { system("touch $acl_src_banned_ip"); }
-unless (-e $acl_src_banned_mac) { system("touch $acl_src_banned_mac"); }
-unless (-e $acl_src_unrestricted_ip)  { system("touch $acl_src_unrestricted_ip"); }
-unless (-e $acl_src_unrestricted_mac) { system("touch $acl_src_unrestricted_mac"); }
-unless (-e $acl_src_noaccess_ip)  { system("touch $acl_src_noaccess_ip"); }
-unless (-e $acl_src_noaccess_mac) { system("touch $acl_src_noaccess_mac"); }
-unless (-e $acl_dst_noauth)     { system("touch $acl_dst_noauth"); }
-unless (-e $acl_dst_noauth_dom) { system("touch $acl_dst_noauth_dom"); }
-unless (-e $acl_dst_noauth_net) { system("touch $acl_dst_noauth_net"); }
-unless (-e $acl_dst_noauth_url) { system("touch $acl_dst_noauth_url"); }
-unless (-e $acl_dst_nocache)     { system("touch $acl_dst_nocache"); }
-unless (-e $acl_dst_nocache_dom) { system("touch $acl_dst_nocache_dom"); }
-unless (-e $acl_dst_nocache_net) { system("touch $acl_dst_nocache_net"); }
-unless (-e $acl_dst_nocache_url) { system("touch $acl_dst_nocache_url"); }
-unless (-e $acl_dst_throttle)  { system("touch $acl_dst_throttle"); }
-unless (-e $acl_ports_safe) { system("touch $acl_ports_safe"); }
-unless (-e $acl_ports_ssl)  { system("touch $acl_ports_ssl"); }
-unless (-e $acl_include) { system("touch $acl_include"); }
-
-unless (-e $browserdb) { system("touch $browserdb"); }
-unless (-e $mimetypes) { system("touch $mimetypes"); }
+unless (-e $cre_groups)  { &General::system("touch", "$cre_groups"); }
+unless (-e $cre_svhosts) { &General::system("touch $cre_svhosts"); }
+
+unless (-e $userdb) { &General::system("touch", "$userdb"); }
+unless (-e $stdgrp) { &General::system("touch", "$stdgrp"); }
+unless (-e $extgrp) { &General::system("touch", "$extgrp"); }
+unless (-e $disgrp) { &General::system("touch", "$disgrp"); }
+
+unless (-e $acl_src_subnets)    { &General::system("touch", "$acl_src_subnets"); }
+unless (-e $acl_src_banned_ip)  { &General::system("touch", "$acl_src_banned_ip"); }
+unless (-e $acl_src_banned_mac) { &General::system("touch", "$acl_src_banned_mac"); }
+unless (-e $acl_src_unrestricted_ip)  { &General::system("touch", "$acl_src_unrestricted_ip"); }
+unless (-e $acl_src_unrestricted_mac) { &General::system("touch", "$acl_src_unrestricted_mac"); }
+unless (-e $acl_src_noaccess_ip)  { &General::system("touch", "$acl_src_noaccess_ip"); }
+unless (-e $acl_src_noaccess_mac) { &General::system("touch", "$acl_src_noaccess_mac"); }
+unless (-e $acl_dst_noauth)     { &General::system("touch", "$acl_dst_noauth"); }
+unless (-e $acl_dst_noauth_dom) { &General::system("touch", "$acl_dst_noauth_dom"); }
+unless (-e $acl_dst_noauth_net) { &General::system("touch", "$acl_dst_noauth_net"); }
+unless (-e $acl_dst_noauth_url) { &General::system("touch", "$acl_dst_noauth_url"); }
+unless (-e $acl_dst_nocache)     { &General::system("touch", "$acl_dst_nocache"); }
+unless (-e $acl_dst_nocache_dom) { &General::system("touch", "$acl_dst_nocache_dom"); }
+unless (-e $acl_dst_nocache_net) { &General::system("touch", "$acl_dst_nocache_net"); }
+unless (-e $acl_dst_nocache_url) { &General::system("touch", "$acl_dst_nocache_url"); }
+unless (-e $acl_dst_throttle)  { &General::system("touch", "$acl_dst_throttle"); }
+unless (-e $acl_ports_safe) { &General::system("touch", "$acl_ports_safe"); }
+unless (-e $acl_ports_ssl)  { &General::system("touch", "$acl_ports_ssl"); }
+unless (-e $acl_include) { &General::system("touch", "$acl_include"); }
+
+unless (-e $mimetypes) { &General::system("touch", "$mimetypes"); }
 
 my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
 
-open FILE, $browserdb;
-@useragentlist = sort { reverse(substr(reverse(substr($a,index($a,',')+1)),index(reverse(substr($a,index($a,','))),',')+1)) cmp reverse(substr(reverse(substr($b,index($b,',')+1)),index(reverse(substr($b,index($b,','))),',')+1))} grep !/(^$)|(^\s*#)/,<FILE>;
-close(FILE);
-
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 
-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}");
+my $green_cidr = "";
+if (&Header::green_used() && $netsettings{'GREEN_DEV'}) {
+       $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}");
+}
+
 my $blue_cidr = "";
 if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
        $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}");
@@ -200,9 +191,8 @@ $proxysettings{'TRANSPARENT_PORT'} = '3128';
 $proxysettings{'VISIBLE_HOSTNAME'} = '';
 $proxysettings{'ADMIN_MAIL_ADDRESS'} = '';
 $proxysettings{'ADMIN_PASSWORD'} = '';
-$proxysettings{'ERR_LANGUAGE'} = 'German';
+$proxysettings{'ERR_LANGUAGE'} = 'en';
 $proxysettings{'ERR_DESIGN'} = 'ipfire';
-$proxysettings{'SUPPRESS_VERSION'} = 'off';
 $proxysettings{'FORWARD_VIA'} = 'off';
 $proxysettings{'FORWARD_IPADDRESS'} = 'off';
 $proxysettings{'FORWARD_USERNAME'} = 'off';
@@ -215,8 +205,8 @@ $proxysettings{'CACHEMGR'} = 'off';
 $proxysettings{'LOGQUERY'} = 'off';
 $proxysettings{'LOGUSERAGENT'} = 'off';
 $proxysettings{'FILEDESCRIPTORS'} = '16384';
-$proxysettings{'CACHE_MEM'} = '2';
-$proxysettings{'CACHE_SIZE'} = '50';
+$proxysettings{'CACHE_MEM'} = '128';
+$proxysettings{'CACHE_SIZE'} = '0';
 $proxysettings{'MAX_SIZE'} = '4096';
 $proxysettings{'MIN_SIZE'} = '0';
 $proxysettings{'MEM_POLICY'} = 'LRU';
@@ -239,17 +229,15 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited';
 $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';
 $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';
 $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';
-$proxysettings{'THROTTLE_BINARY'} = 'off';
-$proxysettings{'THROTTLE_DSKIMG'} = 'off';
-$proxysettings{'THROTTLE_MMEDIA'} = 'off';
+$proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off';
+$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5';
+$proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off';
 $proxysettings{'ENABLE_MIME_FILTER'} = 'off';
-$proxysettings{'ENABLE_BROWSER_CHECK'} = 'off';
-$proxysettings{'FAKE_USERAGENT'} = '';
-$proxysettings{'FAKE_REFERER'} = '';
 $proxysettings{'AUTH_METHOD'} = 'none';
 $proxysettings{'AUTH_REALM'} = '';
 $proxysettings{'AUTH_MAX_USERIP'} = '';
 $proxysettings{'AUTH_CACHE_TTL'} = '60';
+$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
 $proxysettings{'AUTH_CHILDREN'} = '5';
 $proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
 $proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
@@ -402,7 +390,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
                $errormessage = $Lang::tr{'advproxy errmsg mem cache size'};
                goto ERROR;
        }
-       my @free = `/usr/bin/free`;
+       my @free = &General::system_output("/usr/bin/free");
        $free[1] =~ m/(\d+)/;
        $cachemem = int $1 / 2048;
        if ($proxysettings{'CACHE_MEM'} > $cachemem) {
@@ -433,19 +421,18 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
                $errormessage = $Lang::tr{'invalid maximum incoming size'};
                goto ERROR;
        }
-       if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on')
+       if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on'))
        {
-               $browser_regexp = '';
-               foreach (@useragentlist)
-               {
-                       chomp;
-                       @useragent = split(/,/);
-                       if ($proxysettings{'UA_'.$useragent[0]} eq 'on') { $browser_regexp .= "$useragent[2]|"; }
+               if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) {
+                       $errormessage = $Lang::tr{'advproxy fastflux no threshold given'};
+                       goto ERROR;
                }
-               chop($browser_regexp);
-               if (!$browser_regexp)
-               {
-                       $errormessage = $Lang::tr{'advproxy errmsg no browser'};
+               if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) {
+                       $errormessage = $Lang::tr{'advproxy fastflux threshold invalid'};
+                       goto ERROR;
+               }
+               if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) {
+                       $errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'};
                        goto ERROR;
                }
        }
@@ -471,18 +458,23 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
                                }
                        }
                }
+               if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
+                       ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+               {
+                       $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+                       goto ERROR;
+               }
                if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
                {
                        $errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
                        goto ERROR;
                }
-               if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
-                       ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+               if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/))
                {
-                       $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+                       $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'};
                        goto ERROR;
                }
-               if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))
+               if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0'))
                {
                        $errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'};
                        goto ERROR;
@@ -579,6 +571,29 @@ ERROR:
 
        if ($proxysettings{'VALID'} eq 'yes')
        {
+               # Determine if suricata may needs to be restarted.
+               my $suricata_proxy_ports_changed;
+
+               # Check if the IDS is running
+               if(&IDS::ids_is_running()) {
+                       my %oldproxysettings;
+
+                       # Read-in current proxy settings and store them as oldsettings hash.
+                       &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+                       # Check if the proxy port has been changed.
+                       unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+                               # Port has changed, suricata needs to be adjusted.
+                               $suricata_proxy_ports_changed = 1;
+                       }
+
+                       # Check if the transparent port has been changed.
+                       unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+                               # Transparent port has changed, suricata needs to be adjusted.
+                               $suricata_proxy_ports_changed = 1;
+                       }
+               }
+
                &write_acls;
 
                delete $proxysettings{'SRC_SUBNETS'};
@@ -588,6 +603,8 @@ ERROR:
                delete $proxysettings{'SRC_UNRESTRICTED_MAC'};
                delete $proxysettings{'DST_NOCACHE'};
                delete $proxysettings{'DST_NOAUTH'};
+               delete $proxysettings{'DST_NOPROXY_IP'};
+               delete $proxysettings{'DST_NOPROXY_URL'};
                delete $proxysettings{'PORTS_SAFE'};
                delete $proxysettings{'PORTS_SSL'};
                delete $proxysettings{'MIME_TYPES'};
@@ -635,31 +652,40 @@ ERROR:
 
                if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;}
 
-               system ('/usr/local/bin/squidctrl', 'disable');
+               &General::system ('/usr/local/bin/squidctrl', 'disable');
                unlink "${General::swroot}/proxy/enable";
                unlink "${General::swroot}/proxy/transparent";
                unlink "${General::swroot}/proxy/enable_blue";
                unlink "${General::swroot}/proxy/transparent_blue";
 
                if ($proxysettings{'ENABLE'} eq 'on') {
-                       system ('/usr/bin/touch', "${General::swroot}/proxy/enable");
-                       system ('/usr/local/bin/squidctrl', 'enable'); }
+                       &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable");
+                       &General::system('/usr/local/bin/squidctrl', 'enable'); }
                if ($proxysettings{'TRANSPARENT'} eq 'on' && $proxysettings{'ENABLE'} eq 'on') {
-                       system ('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
+                       &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
                if ($proxysettings{'ENABLE_BLUE'} eq 'on') {
-                       system ('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
-                       system ('/usr/local/bin/squidctrl', 'enable'); }
+                       &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
+                       &General::system('/usr/local/bin/squidctrl', 'enable'); }
                if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on' && $proxysettings{'ENABLE_BLUE'} eq 'on') {
-                       system ('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
+                       &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
+
+               if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { &General::system('/usr/local/bin/squidctrl', 'restart'); }
+               if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { &General::system('/usr/local/bin/squidctrl', 'reconfigure'); }
+
+               # Check if the suricata_proxy_ports_changed flag has been set.
+               if ($suricata_proxy_ports_changed) {
+                       # Re-generate HTTP ports file.
+                       &IDS::generate_http_ports_file();
 
-               if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
-               if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+                       # Restart suricata.
+                       &IDS::call_suricatactrl("restart");
+               }
   }
 }
 
 if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy clear cache'})
 {
-       system('/usr/local/bin/squidctrl flush >/dev/null 2>&1');
+       &General::system('/usr/local/bin/squidctrl', 'flush');
 }
 
 if (!$errormessage)
@@ -698,10 +724,6 @@ $checked{'TRANSPARENT_BLUE'}{'off'} = '';
 $checked{'TRANSPARENT_BLUE'}{'on'} = '';
 $checked{'TRANSPARENT_BLUE'}{$proxysettings{'TRANSPARENT_BLUE'}} = "checked='checked'";
 
-$checked{'SUPPRESS_VERSION'}{'off'} = '';
-$checked{'SUPPRESS_VERSION'}{'on'} = '';
-$checked{'SUPPRESS_VERSION'}{$proxysettings{'SUPPRESS_VERSION'}} = "checked='checked'";
-
 $checked{'FORWARD_IPADDRESS'}{'off'} = '';
 $checked{'FORWARD_IPADDRESS'}{'on'} = '';
 $checked{'FORWARD_IPADDRESS'}{$proxysettings{'FORWARD_IPADDRESS'}} = "checked='checked'";
@@ -793,31 +815,18 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "s
 $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'";
 $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'";
 
-$checked{'THROTTLE_BINARY'}{'off'} = '';
-$checked{'THROTTLE_BINARY'}{'on'} = '';
-$checked{'THROTTLE_BINARY'}{$proxysettings{'THROTTLE_BINARY'}} = "checked='checked'";
-$checked{'THROTTLE_DSKIMG'}{'off'} = '';
-$checked{'THROTTLE_DSKIMG'}{'on'} = '';
-$checked{'THROTTLE_DSKIMG'}{$proxysettings{'THROTTLE_DSKIMG'}} = "checked='checked'";
-$checked{'THROTTLE_MMEDIA'}{'off'} = '';
-$checked{'THROTTLE_MMEDIA'}{'on'} = '';
-$checked{'THROTTLE_MMEDIA'}{$proxysettings{'THROTTLE_MMEDIA'}} = "checked='checked'";
+$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = '';
+$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = '';
+$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'";
+
+$checked{'ASNBL_SELECANN_DETECTION'}{'off'} = '';
+$checked{'ASNBL_SELECANN_DETECTION'}{'on'} = '';
+$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'";
 
 $checked{'ENABLE_MIME_FILTER'}{'off'} = '';
 $checked{'ENABLE_MIME_FILTER'}{'on'} = '';
 $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'";
 
-$checked{'ENABLE_BROWSER_CHECK'}{'off'} = '';
-$checked{'ENABLE_BROWSER_CHECK'}{'on'} = '';
-$checked{'ENABLE_BROWSER_CHECK'}{$proxysettings{'ENABLE_BROWSER_CHECK'}} = "checked='checked'";
-
-foreach (@useragentlist) {
-       @useragent = split(/,/);
-       $checked{'UA_'.$useragent[0]}{'off'} = '';
-       $checked{'UA_'.$useragent[0]}{'on'} = '';
-       $checked{'UA_'.$useragent[0]}{$proxysettings{'UA_'.$useragent[0]}} = "checked='checked'";
-}
-
 $checked{'AUTH_METHOD'}{'none'} = '';
 $checked{'AUTH_METHOD'}{'ncsa'} = '';
 $checked{'AUTH_METHOD'}{'ident'} = '';
@@ -975,20 +984,14 @@ print <<END
        </td>
 </tr>
 <tr>
-       <td class='base'>$Lang::tr{'advproxy suppress version'}:</td>
-       <td><input type='checkbox' name='SUPPRESS_VERSION' $checked{'SUPPRESS_VERSION'}{'on'} /></td>
+       <td>&nbsp;</td>
+       <td>&nbsp;</td>
        <td class='base'>$Lang::tr{'advproxy error design'}:</td>
        <td class='base'><select name='ERR_DESIGN'>
                <option value='ipfire' $selected{'ERR_DESIGN'}{'ipfire'}>IPFire</option>
                <option value='squid' $selected{'ERR_DESIGN'}{'squid'}>$Lang::tr{'advproxy standard'}</option>
        </select></td>
 </tr>
-<tr>
-       <td class='base'>$Lang::tr{'advproxy squid version'}:</td>
-       <td class='base'>&nbsp;[<font color='$Header::colourred'> $squidversion[0] </font>]</td>
-       <td>&nbsp;</td>
-       <td>&nbsp;</td>
-</tr>
 </table>
 <hr size='1'>
 <table width='100%'>
@@ -1208,9 +1211,11 @@ END
 
 if (!$proxysettings{'SRC_SUBNETS'})
 {
-       print "$green_cidr\n";
-       if ($netsettings{'BLUE_DEV'})
-       {
+       if (&Header::green_used()) {
+               print "$green_cidr\n";
+       }
+
+       if (&Header::blue_used()) {
                print "$blue_cidr\n";
        }
 } else { print $proxysettings{'SRC_SUBNETS'}; }
@@ -1368,6 +1373,61 @@ END
 ;
 }
 
+# ===================================================================
+#  WPAD settings
+# ===================================================================
+
+print <<END
+<table width='100%'>
+<tr>
+       <td colspan='4'><b>$Lang::tr{'advproxy wpad title'}</b></td>
+</tr>
+<tr>
+       <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
+</tr>
+<tr>
+       <td colspan='2' class='base'>$Lang::tr{'advproxy wpad label dst_noproxy_ip'}:</td>
+       <td colspan='2' class='base'>$Lang::tr{'advproxy wpad label dst_noproxy_url'}:</td>
+</tr>
+<tr>
+       <td colspan='2'><textarea name='DST_NOPROXY_IP' cols='32' rows='3' wrap='off'>
+END
+;
+
+       print $proxysettings{'DST_NOPROXY_IP'};
+
+print <<END
+</textarea></td>
+
+       <td colspan='2'><textarea name='DST_NOPROXY_URL' cols='32' rows='3' wrap='off'>
+END
+;
+
+       print $proxysettings{'DST_NOPROXY_URL'};
+
+print <<END
+</textarea></td>
+</tr>
+<tr>
+       <td colspan='2' class='base'>$Lang::tr{'advproxy wpad example dst_noproxy_ip'}</td>
+       <td colspan='2' class='base'>$Lang::tr{'advproxy wpad example dst_noproxy_url'}</td>
+</tr>
+<tr>
+       <td colspan="4">&nbsp;</td>
+</tr>
+<tr>
+       <td colspan="4">$Lang::tr{'advproxy wpad view pac'}: <a href="http://$ENV{SERVER_ADDR}:81/wpad.dat" target="_blank">http://$ENV{SERVER_ADDR}:81/wpad.dat</a></td>
+</tr>
+<tr>
+       <td colspan="4">&nbsp;</td>
+</tr>
+</table>
+
+<hr size='1'>
+
+END
+;
+
 # -------------------------------------------------------------------
 
 print <<END
@@ -1483,7 +1543,15 @@ END
 ;
 
 foreach (@throttle_limits) {
-       print "\t<option value='$_' $selected{'THROTTLING_GREEN_TOTAL'}{$_}>$_ kbit/s</option>\n";
+       my $val = $_;
+       my $unit = "kbit/s";
+
+       if ($val >= 1024) {
+               $unit = "Mbit/s";
+               $val /= 1024;
+       }
+
+       print "\t<option value='$_' $selected{'THROTTLING_GREEN_TOTAL'}{$_}>$val $unit</option>\n";
 }
 
 print <<END
@@ -1546,21 +1614,6 @@ END
 
 print <<END
 </table>
-<table width='100%'>
-<tr>
-       <td colspan='4'><i>$Lang::tr{'advproxy content based throttling'}:</i></td>
-</tr>
-<tr>
-       <td width='15%' class='base'>$Lang::tr{'advproxy throttle binary'}:</td>
-       <td width='10%'><input type='checkbox' name='THROTTLE_BINARY' $checked{'THROTTLE_BINARY'}{'on'} /></td>
-       <td width='15%' class='base'>$Lang::tr{'advproxy throttle dskimg'}:</td>
-       <td width='10%'><input type='checkbox' name='THROTTLE_DSKIMG' $checked{'THROTTLE_DSKIMG'}{'on'} /></td>
-       <td width='15%' class='base'>$Lang::tr{'advproxy throttle mmedia'}:</td>
-       <td width='10%'><input type='checkbox' name='THROTTLE_MMEDIA' $checked{'THROTTLE_MMEDIA'}{'on'} /></td>
-       <td width='15%'>&nbsp;</td>
-       <td width='10%'>&nbsp;</td>
-</tr>
-</table>
 <hr size='1'>
 <table width='100%'>
 <tr>
@@ -1594,55 +1647,23 @@ print <<END
 </table>
 
 <hr size='1'>
-<table width='100%'>
-<tr>
-       <td colspan='4'><b>$Lang::tr{'advproxy web browser'}</b> $Lang::tr{'advproxy UA enable filter'}:<input type='checkbox' name='ENABLE_BROWSER_CHECK' $checked{'ENABLE_BROWSER_CHECK'}{'on'} /></td>
-</tr>
-END
-;
-if ( $proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on' ){
-print <<END
-<tr>
-       <td colspan='4'><i>
-END
-;
-if (@useragentlist) { print "$Lang::tr{'advproxy allowed web browsers'}:"; } else { print "$Lang::tr{'advproxy no clients defined'}"; }
-print <<END
-</i></td>
-</tr>
-</table>
-<table width='100%'>
-END
-;
 
-for ($n=0; $n<=@useragentlist; $n = $n + $i) {
-       for ($i=0; $i<=3; $i++) {
-               if ($i eq 0) { print "<tr>\n"; }
-               if (($n+$i) < @useragentlist) {
-                       @useragent = split(/,/,@useragentlist[$n+$i]);
-                       print "<td width='15%'>$useragent[1]:<\/td>\n";
-                       print "<td width='10%'><input type='checkbox' name='UA_$useragent[0]' $checked{'UA_'.$useragent[0]}{'on'} /></td>\n";
-               }
-               if ($i eq 3) { print "<\/tr>\n"; }
-       }
-}
-}
-print <<END
-</table>
-<hr size='1'>
 <table width='100%'>
 <tr>
-       <td><b>$Lang::tr{'advproxy privacy'}</b></td>
+       <td><b>$Lang::tr{'advproxy asbased anomaly detection'}</b></td>
 </tr>
 <tr>
-       <td class='base'>$Lang::tr{'advproxy fake useragent'}:</td>
-       <td class='base'>$Lang::tr{'advproxy fake referer'}:</td>
+       <td class='base'>$Lang::tr{'advproxy fastflux detection'}:</td>
+       <td><input type='checkbox' name='ASNBL_FASTFLUX_DETECTION' $checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} /></td>
+       <td class='base'>$Lang::tr{'advproxy fastflux detection threshold'}:</td>
+       <td><input type='text' name='ASNBL_FASTFLUX_THRESHOLD' value='$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}' size=2 /></td>
 </tr>
 <tr>
-       <td><input type='text' name='FAKE_USERAGENT' value='$proxysettings{'FAKE_USERAGENT'}' size='40%' /></td>
-       <td><input type='text' name='FAKE_REFERER' value='$proxysettings{'FAKE_REFERER'}' size='40%' /></td>
+       <td class='base'>$Lang::tr{'advproxy selectively announcements detection'}:</td>
+       <td colspan='3'><input type='checkbox' name='ASNBL_SELECANN_DETECTION' $checked{'ASNBL_SELECANN_DETECTION'}{'on'} /></td>
 </tr>
 </table>
+
 <hr size='1'>
 END
 ;
@@ -1740,6 +1761,10 @@ print <<END
        <td class='base'>$Lang::tr{'advproxy AUTH limit of IP addresses'}:</td>
        <td><input type='text' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
 </tr>
+<tr>
+       <td class='base'>$Lang::tr{'advproxy AUTH user IP cache TTL'}:</td>
+       <td><input type='text' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
+</tr>
 <tr>
        <td class='base'>$Lang::tr{'advproxy AUTH always required'}:</td>
        <td><input type='checkbox' name='AUTH_ALWAYS_REQUIRED' $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} /></td>
@@ -1810,8 +1835,11 @@ print <<END
 END
 ;
 if (!$proxysettings{'IDENT_HOSTS'}) {
-       print "$green_cidr\n";
-       if ($netsettings{'BLUE_DEV'}) {
+       if (&Header::green_used()) {
+               print "$green_cidr\n";
+       }
+
+       if (&Header::blue_used()) {
                print "$blue_cidr\n";
        }
 } else {
@@ -2036,6 +2064,7 @@ print <<END
 <td><input type='hidden' name='AUTH_CHILDREN'        value='$proxysettings{'AUTH_CHILDREN'}'></td>
 <td><input type='hidden' name='AUTH_CACHE_TTL'       value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_MAX_USERIP'      value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL'     value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_ALWAYS_REQUIRED' value='$proxysettings{'AUTH_ALWAYS_REQUIRED'}'></td>
 <td><input type='hidden' name='AUTH_REALM'           value='$proxysettings{'AUTH_REALM'}'></td>
 <td><input type='hidden' name='DST_NOAUTH'           value='$proxysettings{'DST_NOAUTH'}'></td>
@@ -2047,6 +2076,7 @@ print <<END
 <td><input type='hidden' name='AUTH_CHILDREN'        value='$proxysettings{'AUTH_CHILDREN'}'></td>
 <td><input type='hidden' name='AUTH_CACHE_TTL'       value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_MAX_USERIP'      value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL'     value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
 <td><input type='hidden' name='AUTH_REALM'           value='$proxysettings{'AUTH_REALM'}'></td>
 END
 ; }
@@ -2353,6 +2383,18 @@ sub read_acls
                while (<FILE>) { $proxysettings{'DST_NOAUTH'} .= $_ };
                close(FILE);
        }
+       if (-e "$acl_dst_noproxy_ip") {
+               open(FILE,"$acl_dst_noproxy_ip");
+               delete $proxysettings{'DST_NOPROXY_IP'};
+               while (<FILE>) { $proxysettings{'DST_NOPROXY_IP'} .= $_ };
+               close(FILE);
+       }
+       if (-e "$acl_dst_noproxy_url") {
+               open(FILE,"$acl_dst_noproxy_url");
+               delete $proxysettings{'DST_NOPROXY_URL'};
+               while (<FILE>) { $proxysettings{'DST_NOPROXY_URL'} .= $_ };
+               close(FILE);
+       }
        if (-e "$acl_ports_safe") {
                open(FILE,"$acl_ports_safe");
                delete $proxysettings{'PORTS_SAFE'};
@@ -2461,6 +2503,7 @@ sub check_acls
                if ($_)
                {
                        if (/^\./) { $_ = '*'.$_; }
+                       unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }
                        $proxysettings{'DST_NOCACHE'} .= $_."\n";
                }
        }
@@ -2472,7 +2515,7 @@ sub check_acls
                s/^\s+//g; s/\s+$//g;
                if ($_)
                {
-                       unless (&General::validipandmask($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'}; }
+                       unless (&Network::check_subnet($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'} . ": $_"; }
                        $proxysettings{'SRC_SUBNETS'} .= $_."\n";
                }
        }
@@ -2538,6 +2581,32 @@ sub check_acls
                }
        }
 
+       @temp = split(/\n/,$proxysettings{'DST_NOPROXY_IP'});
+       undef $proxysettings{'DST_NOPROXY_IP'};
+       foreach (@temp)
+       {
+                       s/^\s+//g; s/\s+$//g;
+                       if ($_)
+                       {
+                                       unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg wpad invalid ip or mask'}; }
+                                       $proxysettings{'DST_NOPROXY_IP'} .= $_."\n";
+                       }
+       }
+
+       @temp = split(/\n/,$proxysettings{'DST_NOPROXY_URL'});
+       undef $proxysettings{'DST_NOPROXY_URL'};
+       foreach (@temp)
+       {
+                       s/^\s+//g;
+                       unless (/^#/) { s/\s+//g; }
+                       if ($_)
+                       {
+                                       if (/^\./) { $_ = '*'.$_; }
+                                       unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }
+                                       $proxysettings{'DST_NOPROXY_URL'} .= $_."\n";
+                       }
+       }
+
        if (($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') && ($proxysettings{'NTLM_USER_ACL'} eq 'positive'))
        {
                @temp = split(/\n/,$proxysettings{'NTLM_ALLOW_USERS'});
@@ -2643,9 +2712,11 @@ sub write_acls
        flock(FILE, 2);
        if (!$proxysettings{'SRC_SUBNETS'})
        {
-               print FILE "$green_cidr\n";
-               if ($netsettings{'BLUE_DEV'})
-               {
+               if (&Header::green_used()) {
+                       print FILE "$green_cidr\n";
+               }
+
+               if (&Header::blue_used()) {
                        print FILE "$blue_cidr\n";
                }
        } else { print FILE $proxysettings{'SRC_SUBNETS'}; }
@@ -2676,6 +2747,16 @@ sub write_acls
        print FILE $proxysettings{'DST_NOAUTH'};
        close(FILE);
 
+       open(FILE, ">$acl_dst_noproxy_ip");
+       flock(FILE, 2);
+       print FILE $proxysettings{'DST_NOPROXY_IP'};
+       close(FILE);
+
+       open(FILE, ">$acl_dst_noproxy_url");
+       flock(FILE, 2);
+       print FILE $proxysettings{'DST_NOPROXY_URL'};
+       close(FILE);
+
        open(FILE, ">$acl_dst_noauth_net");
        close(FILE);
        open(FILE, ">$acl_dst_noauth_dom");
@@ -2779,23 +2860,6 @@ sub write_acls
        if (!$proxysettings{'PORTS_SSL'}) { print FILE $def_ports_ssl; } else { print FILE $proxysettings{'PORTS_SSL'}; }
        close(FILE);
 
-       open(FILE, ">$acl_dst_throttle");
-       flock(FILE, 2);
-       if ($proxysettings{'THROTTLE_BINARY'} eq 'on')
-       {
-               @temp = split(/\|/,$throttle_binary);
-               foreach (@temp) { print FILE "\\.$_\$\n"; }
-       }
-       if ($proxysettings{'THROTTLE_DSKIMG'} eq 'on')
-       {
-               @temp = split(/\|/,$throttle_dskimg);
-               foreach (@temp) { print FILE "\\.$_\$\n"; }
-       }
-       if ($proxysettings{'THROTTLE_MMEDIA'} eq 'on')
-       {
-               @temp = split(/\|/,$throttle_mmedia);
-               foreach (@temp) { print FILE "\\.$_\$\n"; }
-       }
        if (-s $throttled_urls)
        {
                open(URLFILE, $throttled_urls);
@@ -2850,6 +2914,10 @@ sub write_acls
 
 sub writepacfile
 {
+       my %vpnconfig=();
+       my %ovpnconfig=();
+       &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+       &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfig);
        open(FILE, ">/srv/web/ipfire/html/proxy.pac");
        flock(FILE, 2);
        print FILE "function FindProxyForURL(url, host)\n";
@@ -2875,6 +2943,67 @@ END
                print FILE "     (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\", \"$netsettings{'ORANGE_NETMASK'}\")) ||\n";
        }
 
+       # Additional exceptions for URLs
+       # The file has to be created by the user and should contain one entry per line
+       # Line-Format: <URL incl. wildcards>
+       # e.g. *.ipfire.org*
+       if (-s "$acl_dst_noproxy_url") {
+               undef @templist;
+
+               open(NOPROXY,"$acl_dst_noproxy_url");
+               @templist = <NOPROXY>;
+               close(NOPROXY);
+               chomp (@templist);
+
+               foreach (@templist)
+               {
+                       print FILE "     (shExpMatch(url, \"$_\")) ||\n";
+               }
+       }
+
+       # Additional exceptions for Subnets
+       # The file has to be created by the user and should contain one entry per line
+       # Line-Format: <IP>/<SUBNET MASK>
+       # e.g. 192.168.0.0/255.255.255.0
+       if (-s "$acl_dst_noproxy_ip") {
+               undef @templist;
+
+               open(NOPROXY,"$acl_dst_noproxy_ip");
+               @templist = <NOPROXY>;
+               close(NOPROXY);
+               chomp (@templist);
+
+               foreach (@templist)
+               {
+                       @temp = split(/\//);
+                       print FILE "     (isInNet(host, \"$temp[0]\", \"$temp[1]\")) ||\n";
+               }
+       }
+
+       foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) {
+               if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') {
+                       my @networks = split(/\|/, $vpnconfig{$key}[11]);
+                       foreach my $network (@networks) {
+                               my ($vpnip, $vpnsub) = split("/", $network);
+                               $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;
+                               next if ($vpnip eq "0.0.0.0" || $vpnsub eq "0.0.0.0");
+                               print FILE "     (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+                       }
+               }
+       }
+
+       foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) {
+               if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') {
+                       my @networks = split(/\|/, $ovpnconfig{$key}[11]);
+                       foreach my $network (@networks) {
+                               my ($vpnip, $vpnsub) = split("/", $network);
+                               $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;
+                               next if ($vpnip eq "0.0.0.0" || $vpnsub eq "0.0.0.0");
+                               print FILE "     (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+                       }
+               }
+       }
+
        print FILE <<END
      (isInNet(host, "169.254.0.0", "255.255.0.0"))
    )
@@ -2905,7 +3034,8 @@ END
                                        )
                                {
                                        chomp $temp[1];
-                                       print FILE " ||\n     (isInNet(myIpAddress(), \"$temp[0]\", \"$temp[1]\"))";
+                                       my $tempmask = &Network::convert_prefix2netmask($temp[1]);
+                                       print FILE " ||\n     (isInNet(myIpAddress(), \"$temp[0]\", \"$tempmask\"))";
                                }
                        }
 
@@ -2976,6 +3106,7 @@ sub writeconfig
 
 shutdown_lifetime 5 seconds
 icp_port 0
+httpd_suppress_version_string on
 
 END
        ;
@@ -2985,11 +3116,15 @@ END
                print FILE "include /etc/squid/squid.conf.pre.local\n\n";
        }
 
-       print FILE "http_port $netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}";
+       if (&Header::green_used()) {
+               print FILE "http_port $netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}";
+       } else {
+               print FILE "http_port 0.0.0.0:$proxysettings{'PROXY_PORT'}";
+       }
        if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE " no-connection-auth" }
        print FILE "\n";
 
-       if ($proxysettings{'TRANSPARENT'} eq 'on') {
+       if (&Header::green_used() && $proxysettings{'TRANSPARENT'} eq 'on') {
                print FILE "http_port $netsettings{'GREEN_ADDRESS'}:$proxysettings{'TRANSPARENT_PORT'} intercept";
                if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE " no-connection-auth" }
                print FILE "\n";
@@ -3073,17 +3208,20 @@ END
                }
        }
 
-       print FILE <<END
-
+       print FILE <<END;
+acl IPFire_ips dst 127.0.0.1
 acl IPFire_http  port $http_port
 acl IPFire_https port $https_port
-acl IPFire_ips              dst $netsettings{'GREEN_ADDRESS'}
 acl IPFire_networks         src "$acl_src_subnets"
 acl IPFire_servers          dst "$acl_src_subnets"
+END
+       if (&Header::green_used()) {
+               print FILE <<END;
+acl IPFire_ips              dst $netsettings{'GREEN_ADDRESS'}
 acl IPFire_green_network    src $green_cidr
 acl IPFire_green_servers    dst $green_cidr
 END
-       ;
+       }
        if ($netsettings{'BLUE_DEV'}) { print FILE "acl IPFire_blue_network     src $blue_cidr\n"; }
        if ($netsettings{'BLUE_DEV'}) { print FILE "acl IPFire_blue_servers     dst $blue_cidr\n"; }
        if (!-z $acl_src_banned_ip) { print FILE "acl IPFire_banned_ips       src \"$acl_src_banned_ip\"\n"; }
@@ -3168,11 +3306,6 @@ END
        }
        print FILE "\n";
 
-       # If we use authentication, users must always authenticate
-       unless ($proxysettings{"AUTH_METHOD"} eq "") {
-               print FILE "authenticate_ip_ttl 0\n\n";
-       }
-
        if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident')))
        {
                if ($proxysettings{'AUTH_METHOD'} eq 'ncsa')
@@ -3181,6 +3314,7 @@ END
                        print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                        print FILE "auth_param basic realm $authrealm\n";
                        print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+                       if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
                }
 
                if ($proxysettings{'AUTH_METHOD'} eq 'ldap')
@@ -3225,6 +3359,7 @@ END
                        print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                        print FILE "auth_param basic realm $authrealm\n";
                        print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+                       if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
                }
 
                if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
@@ -3239,6 +3374,7 @@ END
                        print FILE "\n";
 
                        print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n\n";
+                       print FILE "auth_param ntlm credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n\n";
 
                        # BASIC authentication
                        if ($proxysettings{'NTLM_AUTH_BASIC'} eq "on") {
@@ -3252,7 +3388,7 @@ END
                                print FILE "\n";
                                print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                                print FILE "auth_param basic realm $authrealm\n";
-                               print FILE "auth_param basic credentialsttl 2 hours\n\n";
+                               print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n\n";
                        }
                }
 
@@ -3264,6 +3400,7 @@ END
                        print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
                        print FILE "auth_param basic realm $authrealm\n";
                        print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+                       if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
                }
 
                print FILE "\n";
@@ -3320,8 +3457,6 @@ END
 
        if (($delaypools) && (!-z $acl_dst_throttle)) { print FILE "acl for_throttled_urls url_regex -i \"$acl_dst_throttle\"\n\n"; }
 
-       if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE "acl with_allowed_useragents browser $browser_regexp\n\n"; }
-
        print FILE "acl within_timeframe time ";
        if ($proxysettings{'TIME_MON'} eq 'on') { print FILE "M"; }
        if ($proxysettings{'TIME_TUE'} eq 'on') { print FILE "T"; }
@@ -3427,6 +3562,59 @@ if (@ssl_ports) {
        print FILE "http_access deny  CONNECT !SSL_ports\n";
 }
 
+       if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) {
+               print FILE "external_acl_type asnblhelper children-max=10 children-startup=2 ttl=86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/asnbl-helper.conf\n";
+               print FILE "acl asnbl external asnblhelper\n";
+
+               # Use the user-defined URL filter whitelist (if present and populated) for the ASNBL helper as well
+               # Necessary for destinations such as fedoraproject.org, but we do not want to maintain a dedicated
+               # or hardcoded list for such FQDNs.
+               if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains") && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) {
+                       print FILE "acl asnbl_whitelisted_destinations dstdomain \"${General::swroot}/urlfilter/blacklists/custom/allowed/domains\"\n";
+                       print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n";
+               } else {
+                       print FILE "http_access deny asnbl\n\n";
+               }
+
+               # Write ASNBL helper configuration file...
+               open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf");
+               flock(ASNBLFILE, 2);
+
+               print ASNBLFILE<<END
+#
+# This file has been automatically generated. Manual changes will be overwritten.
+#
+
+[GENERAL]
+LOGLEVEL = INFO
+ASNDB_PATH = /var/lib/location/database.db
+USE_REPLYMAP = no
+END
+;
+
+               print ASNBLFILE "AS_DIVERSITY_THRESHOLD = $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}\n";
+
+               if ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on') {
+                       print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = yes\n";
+               } else {
+                       print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = no\n";
+               }
+
+               if ($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') {
+                       print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = yes\n";
+               } else {
+                       print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = no\n";
+               }
+
+               print ASNBLFILE<<END
+TESTDATA = (10.0.0.1, 0) (127.0.0.1, 0) (fe80::1, 0)
+ACTIVE_ASNBLS =
+END
+;
+
+               close ASNBLFILE;
+    }
+
 if ($proxysettings{'AUTH_METHOD'} eq 'ident')
 {
 print FILE "#Set ident ACLs\n";
@@ -3505,9 +3693,11 @@ if ($delaypools) {
 
        if ($netsettings{'BLUE_DEV'})
        {
-               print FILE "delay_access 1 allow IPFire_green_network";
-               if (!-z $acl_dst_throttle) { print FILE " for_throttled_urls"; }
-               print FILE "\n";
+               if (&Header::green_used()) {
+                       print FILE "delay_access 1 allow IPFire_green_network";
+                       if (!-z $acl_dst_throttle) { print FILE " for_throttled_urls"; }
+                       print FILE "\n";
+               }
                print FILE "delay_access 1 deny  all\n";
        } else {
                print FILE "delay_access 1 allow all";
@@ -3531,7 +3721,7 @@ if ($delaypools) {
        print FILE "\n";
 }
 
-if ($proxysettings{'NO_PROXY_LOCAL'} eq 'on')
+if (&Header::green_used() && $proxysettings{'NO_PROXY_LOCAL'} eq 'on')
 {
        print FILE "#Prevent internal proxy access to Green except IPFire itself\n";
        print FILE "http_access deny IPFire_green_servers !IPFire_ips !IPFire_green_network\n\n";
@@ -3572,7 +3762,6 @@ END
                                print FILE " !within_timeframe";
                        } else {
                                print FILE " within_timeframe"; }
-                       if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
                        print FILE " to_ipaddr_without_auth\n";
                }
                if (!-z $acl_dst_noauth_dom)
@@ -3582,7 +3771,6 @@ END
                                print FILE " !within_timeframe";
                        } else {
                                print FILE " within_timeframe"; }
-                       if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
                        print FILE " to_domains_without_auth\n";
                }
                if (!-z $acl_dst_noauth_url)
@@ -3592,7 +3780,6 @@ END
                                print FILE " !within_timeframe";
                        } else {
                                print FILE " within_timeframe"; }
-                       if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
                        print FILE " to_hosts_without_auth\n";
                }
        }
@@ -3714,7 +3901,6 @@ END
                        print FILE " !within_timeframe";
                } else {
                        print FILE " within_timeframe"; }
-               if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
                print FILE " !on_ident_aware_hosts\n";
        }
 
@@ -3749,13 +3935,11 @@ END
                print FILE " !within_timeframe";
        } else {
                print FILE " within_timeframe"; }
-       if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
        print FILE "\n";
 
        print FILE "http_access deny  all\n\n";
 
-       if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') ||
-               (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
+       if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off'))
        {
                print FILE "#Strip HTTP Header\n";
 
@@ -3769,35 +3953,11 @@ END
                        print FILE "request_header_access Via deny all\n";
                        print FILE "reply_header_access Via deny all\n";
                }
-               if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
-               {
-                       print FILE "request_header_access User-Agent deny all\n";
-                       print FILE "reply_header_access User-Agent deny all\n";
-               }
-               if (!($proxysettings{'FAKE_REFERER'} eq ''))
-               {
-                       print FILE "request_header_access Referer deny all\n";
-                       print FILE "reply_header_access Referer deny all\n";
-               }
 
                print FILE "\n";
 
-               if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
-               {
-                       if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
-                       {
-                               print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n";
-                       }
-                       if (!($proxysettings{'FAKE_REFERER'} eq ''))
-                       {
-                               print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n";
-                       }
-                       print FILE "\n";
-               }
        }
 
-       if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" }
-
        if ((!-z $mimetypes) && ($proxysettings{'ENABLE_MIME_FILTER'} eq 'on')) {
                if (!-z $acl_src_unrestricted_ip)  { print FILE "http_reply_access allow IPFire_unrestricted_ips\n"; }
                if (!-z $acl_src_unrestricted_mac) { print FILE "http_reply_access allow IPFire_unrestricted_mac\n"; }
@@ -3891,7 +4051,13 @@ sub adduser
        } else {
                &deluser($str_user);
 
-               my $htpasswd = new Apache::Htpasswd("$userdb");
+               my %htpasswd_options = (
+                       passwdFile => "$userdb",
+                       UseMD5 => 1,
+               );
+
+               my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
+
                $htpasswd->htpasswd($str_user, $str_pass);
        }
 
@@ -3946,7 +4112,9 @@ sub writecachemgr
 {
        open(FILE, ">${General::swroot}/proxy/cachemgr.conf");
        flock(FILE, 2);
-       print FILE "$netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}\n";
+       if (&Header::green_used()) {
+               print FILE "$netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}\n";
+       }
        print FILE "localhost";
        close(FILE);
   return;
Peter's tree of IPFire 2.x