###############################################################################
# #
# IPFire.org - A linux based firewall #
-# Copyright (C) 2007-2013 IPFire Team <info@ipfire.org> #
+# Copyright (C) 2007-2021 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
-#
-# (c) 2004-2009 marco.s - http://www.advproxy.net
-#
-# This code is distributed under the terms of the GPL
-#
-# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $
-#
use strict;
use Apache::Htpasswd;
+use Scalar::Util qw(looks_like_number);
# enable only the following on debugging purpose
#use warnings;
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
-my @squidversion = `/usr/sbin/squid -v`;
+require "${General::swroot}/ids-functions.pl";
+
+my @squidversion = &General::system_output("/usr/sbin/squid", "-v");
my $http_port='81';
my $https_port='444';
my %color = ();
my %mainsettings = ();
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color);
+&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
my %proxysettings=();
my %netsettings=();
my $identhosts = "$identdir/hosts";
-my $authdir = "/usr/lib/squid/";
+my $authdir = "/usr/lib/squid";
my $errordir = "/usr/lib/squid/errors";
my $acl_src_subnets = "$acldir/src_subnets.acl";
my $acl_ports_ssl = "$acldir/ports_ssl.acl";
my $acl_include = "$acldir/include.acl";
+my $acl_dst_noproxy_url = "$acldir/dst_noproxy_url.acl";
+my $acl_dst_noproxy_ip = "$acldir/dst_noproxy_ip.acl";
+
my $updaccelversion = 'n/a';
my $urlfilterversion = 'n/a';
unless (-d "$identdir") { mkdir("$identdir"); }
unless (-d "$credir") { mkdir("$credir"); }
-unless (-e $cre_groups) { system("touch $cre_groups"); }
-unless (-e $cre_svhosts) { system("touch $cre_svhosts"); }
-
-unless (-e $userdb) { system("touch $userdb"); }
-unless (-e $stdgrp) { system("touch $stdgrp"); }
-unless (-e $extgrp) { system("touch $extgrp"); }
-unless (-e $disgrp) { system("touch $disgrp"); }
-
-unless (-e $acl_src_subnets) { system("touch $acl_src_subnets"); }
-unless (-e $acl_src_banned_ip) { system("touch $acl_src_banned_ip"); }
-unless (-e $acl_src_banned_mac) { system("touch $acl_src_banned_mac"); }
-unless (-e $acl_src_unrestricted_ip) { system("touch $acl_src_unrestricted_ip"); }
-unless (-e $acl_src_unrestricted_mac) { system("touch $acl_src_unrestricted_mac"); }
-unless (-e $acl_src_noaccess_ip) { system("touch $acl_src_noaccess_ip"); }
-unless (-e $acl_src_noaccess_mac) { system("touch $acl_src_noaccess_mac"); }
-unless (-e $acl_dst_noauth) { system("touch $acl_dst_noauth"); }
-unless (-e $acl_dst_noauth_dom) { system("touch $acl_dst_noauth_dom"); }
-unless (-e $acl_dst_noauth_net) { system("touch $acl_dst_noauth_net"); }
-unless (-e $acl_dst_noauth_url) { system("touch $acl_dst_noauth_url"); }
-unless (-e $acl_dst_nocache) { system("touch $acl_dst_nocache"); }
-unless (-e $acl_dst_nocache_dom) { system("touch $acl_dst_nocache_dom"); }
-unless (-e $acl_dst_nocache_net) { system("touch $acl_dst_nocache_net"); }
-unless (-e $acl_dst_nocache_url) { system("touch $acl_dst_nocache_url"); }
-unless (-e $acl_dst_throttle) { system("touch $acl_dst_throttle"); }
-unless (-e $acl_ports_safe) { system("touch $acl_ports_safe"); }
-unless (-e $acl_ports_ssl) { system("touch $acl_ports_ssl"); }
-unless (-e $acl_include) { system("touch $acl_include"); }
-
-unless (-e $mimetypes) { system("touch $mimetypes"); }
+unless (-e $cre_groups) { &General::system("touch", "$cre_groups"); }
+unless (-e $cre_svhosts) { &General::system("touch $cre_svhosts"); }
+
+unless (-e $userdb) { &General::system("touch", "$userdb"); }
+unless (-e $stdgrp) { &General::system("touch", "$stdgrp"); }
+unless (-e $extgrp) { &General::system("touch", "$extgrp"); }
+unless (-e $disgrp) { &General::system("touch", "$disgrp"); }
+
+unless (-e $acl_src_subnets) { &General::system("touch", "$acl_src_subnets"); }
+unless (-e $acl_src_banned_ip) { &General::system("touch", "$acl_src_banned_ip"); }
+unless (-e $acl_src_banned_mac) { &General::system("touch", "$acl_src_banned_mac"); }
+unless (-e $acl_src_unrestricted_ip) { &General::system("touch", "$acl_src_unrestricted_ip"); }
+unless (-e $acl_src_unrestricted_mac) { &General::system("touch", "$acl_src_unrestricted_mac"); }
+unless (-e $acl_src_noaccess_ip) { &General::system("touch", "$acl_src_noaccess_ip"); }
+unless (-e $acl_src_noaccess_mac) { &General::system("touch", "$acl_src_noaccess_mac"); }
+unless (-e $acl_dst_noauth) { &General::system("touch", "$acl_dst_noauth"); }
+unless (-e $acl_dst_noauth_dom) { &General::system("touch", "$acl_dst_noauth_dom"); }
+unless (-e $acl_dst_noauth_net) { &General::system("touch", "$acl_dst_noauth_net"); }
+unless (-e $acl_dst_noauth_url) { &General::system("touch", "$acl_dst_noauth_url"); }
+unless (-e $acl_dst_nocache) { &General::system("touch", "$acl_dst_nocache"); }
+unless (-e $acl_dst_nocache_dom) { &General::system("touch", "$acl_dst_nocache_dom"); }
+unless (-e $acl_dst_nocache_net) { &General::system("touch", "$acl_dst_nocache_net"); }
+unless (-e $acl_dst_nocache_url) { &General::system("touch", "$acl_dst_nocache_url"); }
+unless (-e $acl_dst_throttle) { &General::system("touch", "$acl_dst_throttle"); }
+unless (-e $acl_ports_safe) { &General::system("touch", "$acl_ports_safe"); }
+unless (-e $acl_ports_ssl) { &General::system("touch", "$acl_ports_ssl"); }
+unless (-e $acl_include) { &General::system("touch", "$acl_include"); }
+
+unless (-e $mimetypes) { &General::system("touch", "$mimetypes"); }
my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}");
+my $green_cidr = "";
+if (&Header::green_used() && $netsettings{'GREEN_DEV'}) {
+ $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}");
+}
+
my $blue_cidr = "";
if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) {
$blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}");
$proxysettings{'ADMIN_PASSWORD'} = '';
$proxysettings{'ERR_LANGUAGE'} = 'en';
$proxysettings{'ERR_DESIGN'} = 'ipfire';
-$proxysettings{'SUPPRESS_VERSION'} = 'off';
$proxysettings{'FORWARD_VIA'} = 'off';
$proxysettings{'FORWARD_IPADDRESS'} = 'off';
$proxysettings{'FORWARD_USERNAME'} = 'off';
$proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';
$proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';
$proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';
+$proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off';
+$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5';
+$proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off';
$proxysettings{'ENABLE_MIME_FILTER'} = 'off';
-$proxysettings{'FAKE_USERAGENT'} = '';
-$proxysettings{'FAKE_REFERER'} = '';
$proxysettings{'AUTH_METHOD'} = 'none';
$proxysettings{'AUTH_REALM'} = '';
$proxysettings{'AUTH_MAX_USERIP'} = '';
$proxysettings{'AUTH_CACHE_TTL'} = '60';
+$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
$proxysettings{'AUTH_CHILDREN'} = '5';
$proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
$proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
$errormessage = $Lang::tr{'advproxy errmsg mem cache size'};
goto ERROR;
}
- my @free = `/usr/bin/free`;
+ my @free = &General::system_output("/usr/bin/free");
$free[1] =~ m/(\d+)/;
$cachemem = int $1 / 2048;
if ($proxysettings{'CACHE_MEM'} > $cachemem) {
$errormessage = $Lang::tr{'invalid maximum incoming size'};
goto ERROR;
}
+ if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on'))
+ {
+ if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) {
+ $errormessage = $Lang::tr{'advproxy fastflux no threshold given'};
+ goto ERROR;
+ }
+ if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) {
+ $errormessage = $Lang::tr{'advproxy fastflux threshold invalid'};
+ goto ERROR;
+ }
+ if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) {
+ $errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'};
+ goto ERROR;
+ }
+ }
if (!($proxysettings{'AUTH_METHOD'} eq 'none'))
{
unless (($proxysettings{'AUTH_METHOD'} eq 'ident') &&
}
}
}
+ if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
+ ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+ {
+ $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+ goto ERROR;
+ }
if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
{
$errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
goto ERROR;
}
- if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
- ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/))
{
- $errormessage = $Lang::tr{'advproxy errmsg max userip'};
+ $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'};
goto ERROR;
}
- if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))
+ if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0'))
{
$errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'};
goto ERROR;
if ($proxysettings{'VALID'} eq 'yes')
{
+ # Determine if suricata may needs to be restarted.
+ my $suricata_proxy_ports_changed;
+
+ # Check if the IDS is running
+ if(&IDS::ids_is_running()) {
+ my %oldproxysettings;
+
+ # Read-in current proxy settings and store them as oldsettings hash.
+ &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+ # Check if the proxy port has been changed.
+ unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+ # Port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+
+ # Check if the transparent port has been changed.
+ unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+ # Transparent port has changed, suricata needs to be adjusted.
+ $suricata_proxy_ports_changed = 1;
+ }
+ }
+
&write_acls;
delete $proxysettings{'SRC_SUBNETS'};
delete $proxysettings{'SRC_UNRESTRICTED_MAC'};
delete $proxysettings{'DST_NOCACHE'};
delete $proxysettings{'DST_NOAUTH'};
+ delete $proxysettings{'DST_NOPROXY_IP'};
+ delete $proxysettings{'DST_NOPROXY_URL'};
delete $proxysettings{'PORTS_SAFE'};
delete $proxysettings{'PORTS_SSL'};
delete $proxysettings{'MIME_TYPES'};
if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;}
- system ('/usr/local/bin/squidctrl', 'disable');
+ &General::system ('/usr/local/bin/squidctrl', 'disable');
unlink "${General::swroot}/proxy/enable";
unlink "${General::swroot}/proxy/transparent";
unlink "${General::swroot}/proxy/enable_blue";
unlink "${General::swroot}/proxy/transparent_blue";
if ($proxysettings{'ENABLE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/enable");
- system ('/usr/local/bin/squidctrl', 'enable'); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable");
+ &General::system('/usr/local/bin/squidctrl', 'enable'); }
if ($proxysettings{'TRANSPARENT'} eq 'on' && $proxysettings{'ENABLE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
if ($proxysettings{'ENABLE_BLUE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
- system ('/usr/local/bin/squidctrl', 'enable'); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
+ &General::system('/usr/local/bin/squidctrl', 'enable'); }
if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on' && $proxysettings{'ENABLE_BLUE'} eq 'on') {
- system ('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
+ &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
+
+ if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { &General::system('/usr/local/bin/squidctrl', 'restart'); }
+ if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { &General::system('/usr/local/bin/squidctrl', 'reconfigure'); }
+
+ # Check if the suricata_proxy_ports_changed flag has been set.
+ if ($suricata_proxy_ports_changed) {
+ # Re-generate HTTP ports file.
+ &IDS::generate_http_ports_file();
- if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
- if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+ # Restart suricata.
+ &IDS::call_suricatactrl("restart");
+ }
}
}
if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy clear cache'})
{
- system('/usr/local/bin/squidctrl flush >/dev/null 2>&1');
+ &General::system('/usr/local/bin/squidctrl', 'flush');
}
if (!$errormessage)
$checked{'TRANSPARENT_BLUE'}{'on'} = '';
$checked{'TRANSPARENT_BLUE'}{$proxysettings{'TRANSPARENT_BLUE'}} = "checked='checked'";
-$checked{'SUPPRESS_VERSION'}{'off'} = '';
-$checked{'SUPPRESS_VERSION'}{'on'} = '';
-$checked{'SUPPRESS_VERSION'}{$proxysettings{'SUPPRESS_VERSION'}} = "checked='checked'";
-
$checked{'FORWARD_IPADDRESS'}{'off'} = '';
$checked{'FORWARD_IPADDRESS'}{'on'} = '';
$checked{'FORWARD_IPADDRESS'}{$proxysettings{'FORWARD_IPADDRESS'}} = "checked='checked'";
$selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'";
$selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'";
+$checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = '';
+$checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = '';
+$checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'";
+
+$checked{'ASNBL_SELECANN_DETECTION'}{'off'} = '';
+$checked{'ASNBL_SELECANN_DETECTION'}{'on'} = '';
+$checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'";
+
$checked{'ENABLE_MIME_FILTER'}{'off'} = '';
$checked{'ENABLE_MIME_FILTER'}{'on'} = '';
$checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'";
</td>
</tr>
<tr>
- <td class='base'>$Lang::tr{'advproxy suppress version'}:</td>
- <td><input type='checkbox' name='SUPPRESS_VERSION' $checked{'SUPPRESS_VERSION'}{'on'} /></td>
+ <td> </td>
+ <td> </td>
<td class='base'>$Lang::tr{'advproxy error design'}:</td>
<td class='base'><select name='ERR_DESIGN'>
<option value='ipfire' $selected{'ERR_DESIGN'}{'ipfire'}>IPFire</option>
<option value='squid' $selected{'ERR_DESIGN'}{'squid'}>$Lang::tr{'advproxy standard'}</option>
</select></td>
</tr>
-<tr>
- <td class='base'>$Lang::tr{'advproxy squid version'}:</td>
- <td class='base'> [<font color='$Header::colourred'> $squidversion[0] </font>]</td>
- <td> </td>
- <td> </td>
-</tr>
</table>
<hr size='1'>
<table width='100%'>
if (!$proxysettings{'SRC_SUBNETS'})
{
- print "$green_cidr\n";
- if ($netsettings{'BLUE_DEV'})
- {
+ if (&Header::green_used()) {
+ print "$green_cidr\n";
+ }
+
+ if (&Header::blue_used()) {
print "$blue_cidr\n";
}
} else { print $proxysettings{'SRC_SUBNETS'}; }
;
}
+# ===================================================================
+# WPAD settings
+# ===================================================================
+
+print <<END
+<table width='100%'>
+<tr>
+ <td colspan='4'><b>$Lang::tr{'advproxy wpad title'}</b></td>
+</tr>
+<tr>
+ <td width='25%'></td> <td width='20%'> </td><td width='25%'> </td><td width='30%'></td>
+</tr>
+<tr>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad label dst_noproxy_ip'}:</td>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad label dst_noproxy_url'}:</td>
+</tr>
+<tr>
+ <td colspan='2'><textarea name='DST_NOPROXY_IP' cols='32' rows='3' wrap='off'>
+END
+;
+
+ print $proxysettings{'DST_NOPROXY_IP'};
+
+print <<END
+</textarea></td>
+
+ <td colspan='2'><textarea name='DST_NOPROXY_URL' cols='32' rows='3' wrap='off'>
+END
+;
+
+ print $proxysettings{'DST_NOPROXY_URL'};
+
+print <<END
+</textarea></td>
+</tr>
+<tr>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad example dst_noproxy_ip'}</td>
+ <td colspan='2' class='base'>$Lang::tr{'advproxy wpad example dst_noproxy_url'}</td>
+</tr>
+<tr>
+ <td colspan="4"> </td>
+</tr>
+<tr>
+ <td colspan="4">$Lang::tr{'advproxy wpad view pac'}: <a href="http://$ENV{SERVER_ADDR}:81/wpad.dat" target="_blank">http://$ENV{SERVER_ADDR}:81/wpad.dat</a></td>
+</tr>
+<tr>
+ <td colspan="4"> </td>
+</tr>
+</table>
+
+<hr size='1'>
+
+END
+;
+
# -------------------------------------------------------------------
print <<END
<table width='100%'>
<tr>
- <td><b>$Lang::tr{'advproxy privacy'}</b></td>
+ <td><b>$Lang::tr{'advproxy asbased anomaly detection'}</b></td>
</tr>
<tr>
- <td class='base'>$Lang::tr{'advproxy fake useragent'}:</td>
- <td class='base'>$Lang::tr{'advproxy fake referer'}:</td>
+ <td class='base'>$Lang::tr{'advproxy fastflux detection'}:</td>
+ <td><input type='checkbox' name='ASNBL_FASTFLUX_DETECTION' $checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} /></td>
+ <td class='base'>$Lang::tr{'advproxy fastflux detection threshold'}:</td>
+ <td><input type='text' name='ASNBL_FASTFLUX_THRESHOLD' value='$proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}' size=2 /></td>
</tr>
<tr>
- <td><input type='text' name='FAKE_USERAGENT' value='$proxysettings{'FAKE_USERAGENT'}' size='40%' /></td>
- <td><input type='text' name='FAKE_REFERER' value='$proxysettings{'FAKE_REFERER'}' size='40%' /></td>
+ <td class='base'>$Lang::tr{'advproxy selectively announcements detection'}:</td>
+ <td colspan='3'><input type='checkbox' name='ASNBL_SELECANN_DETECTION' $checked{'ASNBL_SELECANN_DETECTION'}{'on'} /></td>
</tr>
</table>
+
<hr size='1'>
END
;
<td class='base'>$Lang::tr{'advproxy AUTH limit of IP addresses'}:</td>
<td><input type='text' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
</tr>
+<tr>
+ <td class='base'>$Lang::tr{'advproxy AUTH user IP cache TTL'}:</td>
+ <td><input type='text' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
+</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy AUTH always required'}:</td>
<td><input type='checkbox' name='AUTH_ALWAYS_REQUIRED' $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} /></td>
END
;
if (!$proxysettings{'IDENT_HOSTS'}) {
- print "$green_cidr\n";
- if ($netsettings{'BLUE_DEV'}) {
+ if (&Header::green_used()) {
+ print "$green_cidr\n";
+ }
+
+ if (&Header::blue_used()) {
print "$blue_cidr\n";
}
} else {
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_ALWAYS_REQUIRED' value='$proxysettings{'AUTH_ALWAYS_REQUIRED'}'></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
<td><input type='hidden' name='DST_NOAUTH' value='$proxysettings{'DST_NOAUTH'}'></td>
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
+<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
END
; }
while (<FILE>) { $proxysettings{'DST_NOAUTH'} .= $_ };
close(FILE);
}
+ if (-e "$acl_dst_noproxy_ip") {
+ open(FILE,"$acl_dst_noproxy_ip");
+ delete $proxysettings{'DST_NOPROXY_IP'};
+ while (<FILE>) { $proxysettings{'DST_NOPROXY_IP'} .= $_ };
+ close(FILE);
+ }
+ if (-e "$acl_dst_noproxy_url") {
+ open(FILE,"$acl_dst_noproxy_url");
+ delete $proxysettings{'DST_NOPROXY_URL'};
+ while (<FILE>) { $proxysettings{'DST_NOPROXY_URL'} .= $_ };
+ close(FILE);
+ }
if (-e "$acl_ports_safe") {
open(FILE,"$acl_ports_safe");
delete $proxysettings{'PORTS_SAFE'};
if ($_)
{
if (/^\./) { $_ = '*'.$_; }
+ unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }
$proxysettings{'DST_NOCACHE'} .= $_."\n";
}
}
s/^\s+//g; s/\s+$//g;
if ($_)
{
- unless (&General::validipandmask($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'}; }
+ unless (&Network::check_subnet($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'} . ": $_"; }
$proxysettings{'SRC_SUBNETS'} .= $_."\n";
}
}
}
}
+ @temp = split(/\n/,$proxysettings{'DST_NOPROXY_IP'});
+ undef $proxysettings{'DST_NOPROXY_IP'};
+ foreach (@temp)
+ {
+ s/^\s+//g; s/\s+$//g;
+ if ($_)
+ {
+ unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg wpad invalid ip or mask'}; }
+ $proxysettings{'DST_NOPROXY_IP'} .= $_."\n";
+ }
+ }
+
+ @temp = split(/\n/,$proxysettings{'DST_NOPROXY_URL'});
+ undef $proxysettings{'DST_NOPROXY_URL'};
+ foreach (@temp)
+ {
+ s/^\s+//g;
+ unless (/^#/) { s/\s+//g; }
+ if ($_)
+ {
+ if (/^\./) { $_ = '*'.$_; }
+ unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); }
+ $proxysettings{'DST_NOPROXY_URL'} .= $_."\n";
+ }
+ }
+
if (($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') && ($proxysettings{'NTLM_USER_ACL'} eq 'positive'))
{
@temp = split(/\n/,$proxysettings{'NTLM_ALLOW_USERS'});
flock(FILE, 2);
if (!$proxysettings{'SRC_SUBNETS'})
{
- print FILE "$green_cidr\n";
- if ($netsettings{'BLUE_DEV'})
- {
+ if (&Header::green_used()) {
+ print FILE "$green_cidr\n";
+ }
+
+ if (&Header::blue_used()) {
print FILE "$blue_cidr\n";
}
} else { print FILE $proxysettings{'SRC_SUBNETS'}; }
print FILE $proxysettings{'DST_NOAUTH'};
close(FILE);
+ open(FILE, ">$acl_dst_noproxy_ip");
+ flock(FILE, 2);
+ print FILE $proxysettings{'DST_NOPROXY_IP'};
+ close(FILE);
+
+ open(FILE, ">$acl_dst_noproxy_url");
+ flock(FILE, 2);
+ print FILE $proxysettings{'DST_NOPROXY_URL'};
+ close(FILE);
+
open(FILE, ">$acl_dst_noauth_net");
close(FILE);
open(FILE, ">$acl_dst_noauth_dom");
sub writepacfile
{
+ my %vpnconfig=();
+ my %ovpnconfig=();
+ &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig);
+ &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfig);
open(FILE, ">/srv/web/ipfire/html/proxy.pac");
flock(FILE, 2);
print FILE "function FindProxyForURL(url, host)\n";
print FILE " (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\", \"$netsettings{'ORANGE_NETMASK'}\")) ||\n";
}
+ # Additional exceptions for URLs
+ # The file has to be created by the user and should contain one entry per line
+ # Line-Format: <URL incl. wildcards>
+ # e.g. *.ipfire.org*
+ if (-s "$acl_dst_noproxy_url") {
+ undef @templist;
+
+ open(NOPROXY,"$acl_dst_noproxy_url");
+ @templist = <NOPROXY>;
+ close(NOPROXY);
+ chomp (@templist);
+
+ foreach (@templist)
+ {
+ print FILE " (shExpMatch(url, \"$_\")) ||\n";
+ }
+ }
+
+ # Additional exceptions for Subnets
+ # The file has to be created by the user and should contain one entry per line
+ # Line-Format: <IP>/<SUBNET MASK>
+ # e.g. 192.168.0.0/255.255.255.0
+ if (-s "$acl_dst_noproxy_ip") {
+ undef @templist;
+
+ open(NOPROXY,"$acl_dst_noproxy_ip");
+ @templist = <NOPROXY>;
+ close(NOPROXY);
+ chomp (@templist);
+
+ foreach (@templist)
+ {
+ @temp = split(/\//);
+ print FILE " (isInNet(host, \"$temp[0]\", \"$temp[1]\")) ||\n";
+ }
+ }
+
+ foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) {
+ if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') {
+ my @networks = split(/\|/, $vpnconfig{$key}[11]);
+ foreach my $network (@networks) {
+ my ($vpnip, $vpnsub) = split("/", $network);
+ $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;
+ next if ($vpnip eq "0.0.0.0" || $vpnsub eq "0.0.0.0");
+ print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+ }
+ }
+ }
+
+ foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) {
+ if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') {
+ my @networks = split(/\|/, $ovpnconfig{$key}[11]);
+ foreach my $network (@networks) {
+ my ($vpnip, $vpnsub) = split("/", $network);
+ $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub;
+ next if ($vpnip eq "0.0.0.0" || $vpnsub eq "0.0.0.0");
+ print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n";
+ }
+ }
+ }
+
print FILE <<END
(isInNet(host, "169.254.0.0", "255.255.0.0"))
)
)
{
chomp $temp[1];
- print FILE " ||\n (isInNet(myIpAddress(), \"$temp[0]\", \"$temp[1]\"))";
+ my $tempmask = &Network::convert_prefix2netmask($temp[1]);
+ print FILE " ||\n (isInNet(myIpAddress(), \"$temp[0]\", \"$tempmask\"))";
}
}
shutdown_lifetime 5 seconds
icp_port 0
+httpd_suppress_version_string on
END
;
print FILE "include /etc/squid/squid.conf.pre.local\n\n";
}
- print FILE "http_port $netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}";
+ if (&Header::green_used()) {
+ print FILE "http_port $netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}";
+ } else {
+ print FILE "http_port 0.0.0.0:$proxysettings{'PROXY_PORT'}";
+ }
if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE " no-connection-auth" }
print FILE "\n";
- if ($proxysettings{'TRANSPARENT'} eq 'on') {
+ if (&Header::green_used() && $proxysettings{'TRANSPARENT'} eq 'on') {
print FILE "http_port $netsettings{'GREEN_ADDRESS'}:$proxysettings{'TRANSPARENT_PORT'} intercept";
if ($proxysettings{'NO_CONNECTION_AUTH'} eq 'on') { print FILE " no-connection-auth" }
print FILE "\n";
}
}
- print FILE <<END
-
+ print FILE <<END;
+acl IPFire_ips dst 127.0.0.1
acl IPFire_http port $http_port
acl IPFire_https port $https_port
-acl IPFire_ips dst $netsettings{'GREEN_ADDRESS'}
acl IPFire_networks src "$acl_src_subnets"
acl IPFire_servers dst "$acl_src_subnets"
+END
+ if (&Header::green_used()) {
+ print FILE <<END;
+acl IPFire_ips dst $netsettings{'GREEN_ADDRESS'}
acl IPFire_green_network src $green_cidr
acl IPFire_green_servers dst $green_cidr
END
- ;
+ }
if ($netsettings{'BLUE_DEV'}) { print FILE "acl IPFire_blue_network src $blue_cidr\n"; }
if ($netsettings{'BLUE_DEV'}) { print FILE "acl IPFire_blue_servers dst $blue_cidr\n"; }
if (!-z $acl_src_banned_ip) { print FILE "acl IPFire_banned_ips src \"$acl_src_banned_ip\"\n"; }
}
print FILE "\n";
- # If we use authentication, users must always authenticate
- unless ($proxysettings{"AUTH_METHOD"} eq "") {
- print FILE "authenticate_ip_ttl 0\n\n";
- }
-
if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident')))
{
if ($proxysettings{'AUTH_METHOD'} eq 'ncsa')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ldap')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
+ if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
print FILE "\n";
print FILE "http_access deny CONNECT !SSL_ports\n";
}
+ if ((($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') && (!-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) {
+ print FILE "external_acl_type asnblhelper children-max=10 children-startup=2 ttl=86400 %DST /usr/bin/asnbl-helper.py ${General::swroot}/proxy/asnbl-helper.conf\n";
+ print FILE "acl asnbl external asnblhelper\n";
+
+ # Use the user-defined URL filter whitelist (if present and populated) for the ASNBL helper as well
+ # Necessary for destinations such as fedoraproject.org, but we do not want to maintain a dedicated
+ # or hardcoded list for such FQDNs.
+ if ((-e "${General::swroot}/urlfilter/blacklists/custom/allowed/domains") && (!-z "${General::swroot}/urlfilter/blacklists/custom/allowed/domains")) {
+ print FILE "acl asnbl_whitelisted_destinations dstdomain \"${General::swroot}/urlfilter/blacklists/custom/allowed/domains\"\n";
+ print FILE "http_access deny asnbl !asnbl_whitelisted_destinations\n\n";
+ } else {
+ print FILE "http_access deny asnbl\n\n";
+ }
+
+ # Write ASNBL helper configuration file...
+ open(ASNBLFILE, ">${General::swroot}/proxy/asnbl-helper.conf");
+ flock(ASNBLFILE, 2);
+
+ print ASNBLFILE<<END
+#
+# This file has been automatically generated. Manual changes will be overwritten.
+#
+
+[GENERAL]
+LOGLEVEL = INFO
+ASNDB_PATH = /var/lib/location/database.db
+USE_REPLYMAP = no
+END
+;
+
+ print ASNBLFILE "AS_DIVERSITY_THRESHOLD = $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}\n";
+
+ if ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on') {
+ print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = yes\n";
+ } else {
+ print ASNBLFILE "BLOCK_SUSPECTED_SELECTIVE_ANNOUNCEMENTS = no\n";
+ }
+
+ if ($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') {
+ print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = yes\n";
+ } else {
+ print ASNBLFILE "BLOCK_DIVERSITY_EXCEEDING_DESTINATIONS = no\n";
+ }
+
+ print ASNBLFILE<<END
+TESTDATA = (10.0.0.1, 0) (127.0.0.1, 0) (fe80::1, 0)
+ACTIVE_ASNBLS =
+END
+;
+
+ close ASNBLFILE;
+ }
+
if ($proxysettings{'AUTH_METHOD'} eq 'ident')
{
print FILE "#Set ident ACLs\n";
if ($netsettings{'BLUE_DEV'})
{
- print FILE "delay_access 1 allow IPFire_green_network";
- if (!-z $acl_dst_throttle) { print FILE " for_throttled_urls"; }
- print FILE "\n";
+ if (&Header::green_used()) {
+ print FILE "delay_access 1 allow IPFire_green_network";
+ if (!-z $acl_dst_throttle) { print FILE " for_throttled_urls"; }
+ print FILE "\n";
+ }
print FILE "delay_access 1 deny all\n";
} else {
print FILE "delay_access 1 allow all";
print FILE "\n";
}
-if ($proxysettings{'NO_PROXY_LOCAL'} eq 'on')
+if (&Header::green_used() && $proxysettings{'NO_PROXY_LOCAL'} eq 'on')
{
print FILE "#Prevent internal proxy access to Green except IPFire itself\n";
print FILE "http_access deny IPFire_green_servers !IPFire_ips !IPFire_green_network\n\n";
print FILE "http_access deny all\n\n";
- if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off') ||
- (!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
+ if (($proxysettings{'FORWARD_IPADDRESS'} eq 'off') || ($proxysettings{'FORWARD_VIA'} eq 'off'))
{
print FILE "#Strip HTTP Header\n";
print FILE "request_header_access Via deny all\n";
print FILE "reply_header_access Via deny all\n";
}
- if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
- {
- print FILE "request_header_access User-Agent deny all\n";
- print FILE "reply_header_access User-Agent deny all\n";
- }
- if (!($proxysettings{'FAKE_REFERER'} eq ''))
- {
- print FILE "request_header_access Referer deny all\n";
- print FILE "reply_header_access Referer deny all\n";
- }
print FILE "\n";
- if ((!($proxysettings{'FAKE_USERAGENT'} eq '')) || (!($proxysettings{'FAKE_REFERER'} eq '')))
- {
- if (!($proxysettings{'FAKE_USERAGENT'} eq ''))
- {
- print FILE "header_replace User-Agent $proxysettings{'FAKE_USERAGENT'}\n";
- }
- if (!($proxysettings{'FAKE_REFERER'} eq ''))
- {
- print FILE "header_replace Referer $proxysettings{'FAKE_REFERER'}\n";
- }
- print FILE "\n";
- }
}
- if ($proxysettings{'SUPPRESS_VERSION'} eq 'on') { print FILE "httpd_suppress_version_string on\n\n" }
-
if ((!-z $mimetypes) && ($proxysettings{'ENABLE_MIME_FILTER'} eq 'on')) {
if (!-z $acl_src_unrestricted_ip) { print FILE "http_reply_access allow IPFire_unrestricted_ips\n"; }
if (!-z $acl_src_unrestricted_mac) { print FILE "http_reply_access allow IPFire_unrestricted_mac\n"; }
} else {
&deluser($str_user);
- my $htpasswd = new Apache::Htpasswd("$userdb");
+ my %htpasswd_options = (
+ passwdFile => "$userdb",
+ UseMD5 => 1,
+ );
+
+ my $htpasswd = new Apache::Htpasswd(\%htpasswd_options);
+
$htpasswd->htpasswd($str_user, $str_pass);
}
{
open(FILE, ">${General::swroot}/proxy/cachemgr.conf");
flock(FILE, 2);
- print FILE "$netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}\n";
+ if (&Header::green_used()) {
+ print FILE "$netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}\n";
+ }
print FILE "localhost";
close(FILE);
return;
projects / people / pmueller / ipfire-2.x.git / blobdiff