X-Git-Url: http://git.ipfire.org/?p=people%2Fpmueller%2Fipfire-2.x.git;a=blobdiff_plain;f=html%2Fcgi-bin%2Fproxy.cgi;h=a387d3e75f8b7042dc4c6bd195608995b7802557;hp=d7827c486958f1e191c633d9affd61a4c5550b50;hb=20c2b559121a4cc220f68b0ef8846adbe739cb00;hpb=9fb25b1c17181bf7d73ac5daa9585d8fd8974604 diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi index d7827c4869..a387d3e75f 100644 --- a/html/cgi-bin/proxy.cgi +++ b/html/cgi-bin/proxy.cgi @@ -1,17 +1,36 @@ #!/usr/bin/perl +############################################################################### +# # +# IPFire.org - A linux based firewall # +# Copyright (C) 2009 Michael Tremer & Christian Schmidt # +# # +# This program is free software: you can redistribute it and/or modify # +# it under the terms of the GNU General Public License as published by # +# the Free Software Foundation, either version 3 of the License, or # +# (at your option) any later version. # +# # +# This program is distributed in the hope that it will be useful, # +# but WITHOUT ANY WARRANTY; without even the implied warranty of # +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # +# GNU General Public License for more details. # +# # +# You should have received a copy of the GNU General Public License # +# along with this program. If not, see . # +# # +############################################################################### # -# (c) 2004-2007 marco.s - http://www.advproxy.net +# (c) 2004-2009 marco.s - http://www.advproxy.net # # This code is distributed under the terms of the GPL # -# $Id: advproxy.cgi,v 2.1.0 2007/03/06 00:00:00 marco.s Exp $ +# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $ # use strict; # enable only the following on debugging purpose -use warnings; -use CGI::Carp 'fatalsToBrowser'; +#use warnings; +#use CGI::Carp 'fatalsToBrowser'; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; 
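Review bot: Commenting out `use warnings;` throws away diagnostics this hunk does not need to lose: the import that actually matters is `CGI::Carp 'fatalsToBrowser'`, which echoes die() text (including server-side paths) into the HTTP response, so silencing that one is right, whereas warnings only go to the web server's error log and would have caught the `@useragent[0]` slice mistakes fixed later in this same commit. Keep `use warnings;` active and leave only the CGI::Carp line commented, with a reason next to it, e.g. `# fatalsToBrowser reports server paths to the client - enable only while debugging`.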
@@ -21,6 +40,11 @@ my @squidversion = `/usr/sbin/squid -v`; my $http_port='81'; my $https_port='444'; +my %color = (); +my %mainsettings = (); +&General::readhash("${General::swroot}/main/settings", \%mainsettings); +&General::readhash("/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color); + my %proxysettings=(); my %netsettings=(); my %filtersettings=(); @@ -85,7 +109,7 @@ my $cre_svhosts = "${General::swroot}/proxy/advanced/cre/supervisors"; my $identhosts = "$identdir/hosts"; -my $authdir = "/usr/lib/squid/auth"; +my $authdir = "/usr/lib/squid/"; my $errordir = "/usr/lib/squid/errors"; my $acl_src_subnets = "$acldir/src_subnets.acl"; @@ -95,8 +119,14 @@ my $acl_src_unrestricted_ip = "$acldir/src_unrestricted_ip.acl"; my $acl_src_unrestricted_mac = "$acldir/src_unrestricted_mac.acl"; my $acl_src_noaccess_ip = "$acldir/src_noaccess_ip.acl"; my $acl_src_noaccess_mac = "$acldir/src_noaccess_mac.acl"; -my $acl_dst_nocache = "$acldir/dst_nocache.acl"; my $acl_dst_noauth = "$acldir/dst_noauth.acl"; +my $acl_dst_noauth_dom = "$acldir/dst_noauth_dom.acl"; +my $acl_dst_noauth_net = "$acldir/dst_noauth_net.acl"; +my $acl_dst_noauth_url = "$acldir/dst_noauth_url.acl"; +my $acl_dst_nocache = "$acldir/dst_nocache.acl"; +my $acl_dst_nocache_dom = "$acldir/dst_nocache_dom.acl"; +my $acl_dst_nocache_net = "$acldir/dst_nocache_net.acl"; +my $acl_dst_nocache_url = "$acldir/dst_nocache_url.acl"; my $acl_dst_throttle = "$acldir/dst_throttle.acl"; my $acl_ports_safe = "$acldir/ports_safe.acl"; my $acl_ports_ssl = "$acldir/ports_ssl.acl"; 
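Review bot: The `&General::readhash("${General::swroot}/main/settings", \%mainsettings);` added in hunk 21 duplicates the identical call that still runs in the unchanged context of hunk 144, so main/settings is now parsed twice per request. Keep the early read (the theme colour file depends on `$mainsettings{'THEME'}`) and drop the later one, so the dependency is visible in one place. In hunk 85 `$authdir` now ends in a slash; if it is later joined as `"$authdir/..."` (not visible here) the result contains `//`, harmless but worth normalising to `"/usr/lib/squid"`.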
@@ -127,8 +157,14 @@ unless (-e $acl_src_unrestricted_ip) { system("touch $acl_src_unrestricted_ip")
 unless (-e $acl_src_unrestricted_mac) { system("touch $acl_src_unrestricted_mac"); }
 unless (-e $acl_src_noaccess_ip) { system("touch $acl_src_noaccess_ip"); }
 unless (-e $acl_src_noaccess_mac) { system("touch $acl_src_noaccess_mac"); }
-unless (-e $acl_dst_nocache) { system("touch $acl_dst_nocache"); }
-unless (-e $acl_dst_noauth) { system("touch $acl_dst_noauth"); }
+unless (-e $acl_dst_noauth) { system("touch $acl_dst_noauth"); }
+unless (-e $acl_dst_noauth_dom) { system("touch $acl_dst_noauth_dom"); }
+unless (-e $acl_dst_noauth_net) { system("touch $acl_dst_noauth_net"); }
+unless (-e $acl_dst_noauth_url) { system("touch $acl_dst_noauth_url"); }
+unless (-e $acl_dst_nocache) { system("touch $acl_dst_nocache"); }
+unless (-e $acl_dst_nocache_dom) { system("touch $acl_dst_nocache_dom"); }
+unless (-e $acl_dst_nocache_net) { system("touch $acl_dst_nocache_net"); }
+unless (-e $acl_dst_nocache_url) { system("touch $acl_dst_nocache_url"); }
 unless (-e $acl_dst_throttle) { system("touch $acl_dst_throttle"); }
 unless (-e $acl_ports_safe) { system("touch $acl_ports_safe"); }
 unless (-e $acl_ports_ssl) { system("touch $acl_ports_ssl"); }
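Review bot: The eight new `unless (-e ...) { system("touch ..."); }` lines copy the existing pattern of spawning a shell per ACL file and ignoring the return value, so a failed touch goes unnoticed. The paths are fixed strings built from `$acldir`, so there is no injection here, but the same effect is available in-process and checked: `open(my $fh, '>>', $acl_dst_noauth_dom) or die "$acl_dst_noauth_dom: $!"; close($fh);`, ideally as one loop over a list of all the ACL paths so new files are added in one place instead of two.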
@@ -144,14 +180,10 @@ close(FILE); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); &General::readhash("${General::swroot}/main/settings", \%mainsettings); -$filtersettings{'CHILDREN'} = '5'; -if (-e "${General::swroot}/urlfilter/settings") { - &General::readhash("${General::swroot}/urlfilter/settings", \%filtersettings); -} - -$xlratorsettings{'CHILDREN'} = '5'; -if (-e "${General::swroot}/updatexlrator/settings") { - &General::readhash("${General::swroot}/updatexlrator/settings", \%xlratorsettings); +my $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}"); +my $blue_cidr = "# Blue not defined"; +if ($netsettings{'BLUE_DEV'}) { + $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}"); } &Header::showhttpheaders(); @@ -166,8 +198,9 @@ $proxysettings{'TRANSPARENT_BLUE'} = 'off'; $proxysettings{'PROXY_PORT'} = '800'; $proxysettings{'VISIBLE_HOSTNAME'} = ''; $proxysettings{'ADMIN_MAIL_ADDRESS'} = ''; -$proxysettings{'ERR_LANGUAGE'} = 'English'; -$proxysettings{'ERR_DESIGN'} = 'IPCop'; +$proxysettings{'ADMIN_PASSWORD'} = ''; +$proxysettings{'ERR_LANGUAGE'} = 'German'; +$proxysettings{'ERR_DESIGN'} = 'ipfire'; $proxysettings{'SUPPRESS_VERSION'} = 'off'; $proxysettings{'FORWARD_VIA'} = 'off'; $proxysettings{'FORWARD_IPADDRESS'} = 'off'; @@ -177,8 +210,10 @@ $proxysettings{'UPSTREAM_PROXY'} = ''; $proxysettings{'UPSTREAM_USER'} = ''; $proxysettings{'UPSTREAM_PASSWORD'} = ''; $proxysettings{'LOGGING'} = 'off'; +$proxysettings{'CACHEMGR'} = 'off'; $proxysettings{'LOGQUERY'} = 'off'; $proxysettings{'LOGUSERAGENT'} = 'off'; +$proxysettings{'FILEDESCRIPTORS'} = '4096'; $proxysettings{'CACHE_MEM'} = '2'; $proxysettings{'CACHE_SIZE'} = '50'; $proxysettings{'MAX_SIZE'} = '4096'; 
@@ -245,6 +280,8 @@ $proxysettings{'IDENT_ENABLE_ACL'} = 'off'; $proxysettings{'IDENT_USER_ACL'} = 'positive'; $proxysettings{'ENABLE_FILTER'} = 'off'; $proxysettings{'ENABLE_UPDXLRATOR'} = 'off'; +$proxysettings{'ENABLE_CLAMAV'} = 'off'; +$proxysettings{'CHILDREN'} = '10'; $ncsa_buttontext = $Lang::tr{'advproxy NCSA create user'}; @@ -303,15 +340,15 @@ if ($proxysettings{'ACTION'} eq $Lang::tr{'edit'}) $proxysettings{'NCSA_PASS_CONFIRM'} = $proxysettings{'NCSA_PASS'}; } -if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'})) -{ - if ($proxysettings{'ENABLE'} !~ /^(on|off)$/ || - $proxysettings{'TRANSPARENT'} !~ /^(on|off)$/ || - $proxysettings{'ENABLE_BLUE'} !~ /^(on|off)$/ || +if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) || ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'})) +{ + if ($proxysettings{'ENABLE'} !~ /^(on|off)$/ || + $proxysettings{'TRANSPARENT'} !~ /^(on|off)$/ || + $proxysettings{'ENABLE_BLUE'} !~ /^(on|off)$/ || $proxysettings{'TRANSPARENT_BLUE'} !~ /^(on|off)$/ ) { $errormessage = $Lang::tr{'invalid input'}; goto ERROR; - } + } if (!(&General::validport($proxysettings{'PROXY_PORT'}))) { $errormessage = $Lang::tr{'advproxy errmsg invalid proxy port'}; 
@@ -320,7 +357,16 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} if (!($proxysettings{'CACHE_SIZE'} =~ /^\d+/) || ($proxysettings{'CACHE_SIZE'} < 10)) { - $errormessage = $Lang::tr{'advproxy errmsg hdd cache size'}; + if (!($proxysettings{'CACHE_SIZE'} eq '0')) + { + $errormessage = $Lang::tr{'advproxy errmsg hdd cache size'}; + goto ERROR; + } + } + if (!($proxysettings{'FILEDESCRIPTORS'} =~ /^\d+/) || + ($proxysettings{'FILEDESCRIPTORS'} < 1) || ($proxysettings{'FILEDESCRIPTORS'} > 16384)) + { + $errormessage = $Lang::tr{'proxy errmsg filedescriptors'}; goto ERROR; } if (!($proxysettings{'CACHE_MEM'} =~ /^\d+/) || @@ -328,7 +374,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} { $errormessage = $Lang::tr{'advproxy errmsg mem cache size'}; goto ERROR; - } + } my @free = `/usr/bin/free`; $free[1] =~ m/(\d+)/; $cachemem = int $1 / 2048; @@ -359,6 +405,11 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} { $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; + } + if (!($proxysettings{'CHILDREN'} =~ /^\d+$/) || ($proxysettings{'CHILDREN'} < 1)) + { + $errormessage = $Lang::tr{'advproxy invalid num of children'}; + goto ERROR; } if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { @@ -367,7 +418,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} { chomp; @useragent = split(/,/); - if ($proxysettings{'UA_'.@useragent[0]} eq 'on') { $browser_regexp .= "@useragent[2]|"; } + if ($proxysettings{'UA_'.$useragent[0]} eq 'on') { $browser_regexp .= "$useragent[2]|"; } } chop($browser_regexp); if (!$browser_regexp) 
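Review bot: The new FILEDESCRIPTORS check in hunk 320 uses `/^\d+/`, which is anchored only at the start, so a value such as `4096x` passes the regex, is compared numerically with a warning, and is later written verbatim as `max_filedescriptors` by hunk 3633. The CHILDREN check added in hunk 359 already uses `/^\d+$/`; make the two consistent: `if (!($proxysettings{'FILEDESCRIPTORS'} =~ /^\d+$/) ||`. The existing CACHE_SIZE and CACHE_MEM checks share the unanchored pattern but predate this change. The enclosing save handler starts and ends outside these hunks.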
@@ -398,8 +449,8 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} } } } - if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && - ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) + if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && + ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) { $errormessage = $Lang::tr{'advproxy errmsg max userip'}; goto ERROR; @@ -489,6 +540,10 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} $errormessage = $Lang::tr{'advproxy errmsg invalid bdc'}; goto ERROR; } + + $proxysettings{'NTLM_DOMAIN'} = lc($proxysettings{'NTLM_DOMAIN'}); + $proxysettings{'NTLM_PDC'} = lc($proxysettings{'NTLM_PDC'}); + $proxysettings{'NTLM_BDC'} = lc($proxysettings{'NTLM_BDC'}); } if ($proxysettings{'AUTH_METHOD'} eq 'radius') { 
@@ -574,34 +629,44 @@ ERROR: if (-e "${General::swroot}/proxy/settings") { &General::readhash("${General::swroot}/proxy/settings", \%stdproxysettings); } $stdproxysettings{'PROXY_PORT'} = $proxysettings{'PROXY_PORT'}; + $stdproxysettings{'UPSTREAM_PROXY'} = $proxysettings{'UPSTREAM_PROXY'}; + $stdproxysettings{'UPSTREAM_USER'} = $proxysettings{'UPSTREAM_USER'}; + $stdproxysettings{'UPSTREAM_PASSWORD'} = $proxysettings{'UPSTREAM_PASSWORD'}; $stdproxysettings{'ENABLE_FILTER'} = $proxysettings{'ENABLE_FILTER'}; $stdproxysettings{'ENABLE_UPDXLRATOR'} = $proxysettings{'ENABLE_UPDXLRATOR'}; + $stdproxysettings{'ENABLE_CLAMAV'} = $proxysettings{'ENABLE_CLAMAV'}; &General::writehash("${General::swroot}/proxy/settings", \%stdproxysettings); &writeconfig; &writepacfile; + if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;} + + system ('/usr/local/bin/squidctrl', 'disable'); unlink "${General::swroot}/proxy/enable"; unlink "${General::swroot}/proxy/transparent"; unlink "${General::swroot}/proxy/enable_blue"; unlink "${General::swroot}/proxy/transparent_blue"; if ($proxysettings{'ENABLE'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/proxy/enable"); } - if ($proxysettings{'TRANSPARENT'} eq 'on') { + system ('/usr/bin/touch', "${General::swroot}/proxy/enable"); + system ('/usr/local/bin/squidctrl', 'enable'); } + if ($proxysettings{'TRANSPARENT'} eq 'on' && $proxysettings{'ENABLE'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/proxy/transparent"); } if ($proxysettings{'ENABLE_BLUE'} eq 'on') { - system ('/usr/bin/touch', "${General::swroot}/proxy/enable_blue"); } - if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on') { + system ('/usr/bin/touch', "${General::swroot}/proxy/enable_blue"); + system ('/usr/local/bin/squidctrl', 'enable'); } + if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on' && $proxysettings{'ENABLE_BLUE'} eq 'on') { system ('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); } - if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy 
save and restart'}) { system('/usr/local/bin/restartsquid'); } - } + if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); } + if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); } + } } if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy clear cache'}) { - system('/usr/local/bin/restartsquid','-f'); + system('/usr/local/bin/squidctrl flush >/dev/null 2>&1'); } if (!$errormessage) @@ -657,6 +722,9 @@ $checked{'OFFLINE_MODE'}{$proxysettings{'OFFLINE_MODE'}} = "checked='checked'"; $checked{'LOGGING'}{'off'} = ''; $checked{'LOGGING'}{'on'} = ''; $checked{'LOGGING'}{$proxysettings{'LOGGING'}} = "checked='checked'"; +$checked{'CACHEMGR'}{'off'} = ''; +$checked{'CACHEMGR'}{'on'} = ''; +$checked{'CACHEMGR'}{$proxysettings{'CACHEMGR'}} = "checked='checked'"; $checked{'LOGQUERY'}{'off'} = ''; $checked{'LOGQUERY'}{'on'} = ''; $checked{'LOGQUERY'}{$proxysettings{'LOGQUERY'}} = "checked='checked'"; @@ -739,9 +807,9 @@ $checked{'ENABLE_BROWSER_CHECK'}{$proxysettings{'ENABLE_BROWSER_CHECK'}} = "chec foreach (@useragentlist) { @useragent = split(/,/); - $checked{'UA_'.@useragent[0]}{'off'} = ''; - $checked{'UA_'.@useragent[0]}{'on'} = ''; - $checked{'UA_'.@useragent[0]}{$proxysettings{'UA_'.@useragent[0]}} = "checked='checked'"; + $checked{'UA_'.$useragent[0]}{'off'} = ''; + $checked{'UA_'.$useragent[0]}{'on'} = ''; + $checked{'UA_'.$useragent[0]}{$proxysettings{'UA_'.$useragent[0]}} = "checked='checked'"; } $checked{'AUTH_METHOD'}{'none'} = ''; 
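Review bot: `if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;}` in hunk 574 only ever creates cachemgr.conf; when the admin turns CACHEMGR off, a previously written file is left in place, unlike the enable/transparent marker files which are unlinked unconditionally before being recreated. If that file is what grants cache-manager access (not visible from this hunk), add `else { unlink "${General::swroot}/proxy/cachemgr.conf"; }` so the on-disk state follows the setting. The new `squidctrl restart`/`reconfigure`/`flush` calls use single-string `system()` only for the `>/dev/null 2>&1` redirection; the arguments are constants so this is safe, but the list form used two lines above for `squidctrl enable` would keep the style uniform. UPSTREAM_PASSWORD is now also copied into `proxy/settings`; that second file should carry the same permissions as the advanced settings file, which this hunk cannot show.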
@@ -808,6 +876,10 @@ $checked{'ENABLE_UPDXLRATOR'}{'off'} = ''; $checked{'ENABLE_UPDXLRATOR'}{'on'} = ''; $checked{'ENABLE_UPDXLRATOR'}{$proxysettings{'ENABLE_UPDXLRATOR'}} = "checked='checked'"; +$checked{'ENABLE_CLAMAV'}{'off'} = ''; +$checked{'ENABLE_CLAMAV'}{'on'} = ''; +$checked{'ENABLE_CLAMAV'}{$proxysettings{'ENABLE_CLAMAV'}} = "checked='checked'"; + &Header::openpage($Lang::tr{'advproxy advanced web proxy configuration'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); @@ -864,8 +936,7 @@ if ($netsettings{'BLUE_DEV'}) { print " "; } print <$Lang::tr{'advproxy admin mail'}: * - +   END @@ -897,7 +968,7 @@ print < $Lang::tr{'advproxy error design'}: @@ -910,6 +981,37 @@ print <
+ + +END +; +my $count = `arp -a | wc -l`; +if ( $count < 1 ){$count = 1;} +if ( -e "/usr/bin/squidclamav" ) { + print ""; +} else { + print ""; +} +print ""; +print ""; +print < +
+
$Lang::tr{'advproxy redirector children'}
$Lang::tr{'processes'}".$Lang::tr{'advproxy squidclamav'}."
"; + if ( ! -e "/var/run/clamav/clamd.pid" ){ + print "clamav not running

"; + $proxysettings{'ENABLE_CLAMAV'} = 'off'; + } + else { + print $Lang::tr{'advproxy enabled'}."
"; + print "+ ".int(( $count**(1/3)) * 8);} + print "
".$Lang::tr{'advproxy url filter'}."
"; +print $Lang::tr{'advproxy enabled'}."
"; +print "+ ".int(($count**(1/3)) * 6); +print "
".$Lang::tr{'advproxy update accelerator'}."
"; +print $Lang::tr{'advproxy enabled'}."
"; +print "+ ".int(($count**(1/3)) * 5); +print "
@@ -961,6 +1063,18 @@ print < + + + + + + + + + + + + @@ -1044,7 +1158,7 @@ print <$Lang::tr{'advproxy destination ports'} - + @@ -1079,16 +1193,16 @@ print <$Lang::tr{'advproxy allowed subnets'}: - - - - -
$Lang::tr{'advproxy upstream proxy'}
$Lang::tr{'advproxy cache management'}
$Lang::tr{'proxy cachemgr'}:$Lang::tr{'advproxy admin mail'}: *
$Lang::tr{'proxy filedescriptors'}:$Lang::tr{'proxy admin password'}: *
$Lang::tr{'advproxy standard ports'}:
- -
END ; +} +print "
"; + } else { print < @@ -1240,7 +1361,7 @@ END # ------------------------------------------------------------------- -print < @@ -1429,17 +1550,17 @@ print <     - +
- - - - - + +END +; +if ( $proxysettings{'ENABLE_MIME_FILTER'} eq 'on' ){ +print < @@ -1457,18 +1578,21 @@ print <  +END +; +} +print < +
$Lang::tr{'advproxy MIME filter'}
$Lang::tr{'advproxy enabled'}:$Lang::tr{'advproxy MIME filter'} $Lang::tr{'advproxy enabled'}:
$Lang::tr{'advproxy MIME block types'}: *   
- - - - - - - + +END +; +if ( $proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on' ){ +print < \n"; } if (($n+$i) < @useragentlist) { @useragent = split(/,/,@useragentlist[$n+$i]); - print "\n"; + print "\n"; } if ($i eq 3) { print "<\/tr>\n"; } } } - +} print <
@@ -1503,14 +1627,10 @@ print <
- - - - - +
$Lang::tr{'advproxy web browser'}
$Lang::tr{'advproxy UA enable filter'}:  $Lang::tr{'advproxy web browser'} $Lang::tr{'advproxy UA enable filter'}:
END @@ -1487,13 +1611,13 @@ for ($n=0; $n<=@useragentlist; $n = $n + $i) { if ($i eq 0) { print "
@useragent[1]:<\/td>\n"; - print "$useragent[1]:<\/td>\n"; + print "
$Lang::tr{'advproxy fake useragent'}: *
$Lang::tr{'advproxy fake referer'}: *
@@ -1519,32 +1639,6 @@ END ; print < - - $Lang::tr{'advproxy url filter'} - - - $Lang::tr{'advproxy enabled'}: - -   -   - - -
- - - - - - - - - - - -
$Lang::tr{'advproxy update accelerator'}
$Lang::tr{'advproxy enabled'}:  
-
- @@ -1697,9 +1791,9 @@ print < + @@ -2163,7 +2258,7 @@ if (-e $disgrp) # If the password file contains entries, print entries and action icons -if (! -z "$userdb") { +if ( ! -z "$userdb" ) { print < @@ -2181,9 +2276,9 @@ END if($proxysettings{'ACTION'} eq $Lang::tr{'edit'} && $proxysettings{'ID'} eq $line) { print "\n"; } elsif ($id % 2) { - print "\n"; } + print "\n"; } else { - print "\n"; } + print "\n"; } print <$temp[0] @@ -2416,10 +2511,11 @@ sub check_acls undef $proxysettings{'DST_NOCACHE'}; foreach (@temp) { - s/^\s+//g; s/\s+$//g; + s/^\s+//g; + unless (/^#/) { s/\s+//g; } if ($_) { - unless (/^\./) { $_ = '.'.$_; } + if (/^\./) { $_ = '*'.$_; } $proxysettings{'DST_NOCACHE'} .= $_."\n"; } } @@ -2488,10 +2584,11 @@ sub check_acls undef $proxysettings{'DST_NOAUTH'}; foreach (@temp) { - s/^\s+//g; s/\s+$//g; + s/^\s+//g; + unless (/^#/) { s/\s+//g; } if ($_) { - unless (/^\./) { $_ = '.'.$_; } + if (/^\./) { $_ = '*'.$_; } $proxysettings{'DST_NOAUTH'} .= $_."\n"; } } @@ -2601,10 +2698,10 @@ sub write_acls flock(FILE, 2); if (!$proxysettings{'SRC_SUBNETS'}) { - print FILE "$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}\n"; + print FILE "$green_cidr\n"; if ($netsettings{'BLUE_DEV'}) { - print FILE "$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}\n"; + print FILE "$blue_cidr\n"; } } else { print FILE $proxysettings{'SRC_SUBNETS'}; } close(FILE); 
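Review bot: In hunk 2416, `unless (/^#/) { s/\s+//g; }` removes every whitespace run inside a non-comment entry, where the old `s/\s+$//g` removed only trailing whitespace, so an entry typed with an inner space is silently concatenated into one token instead of being rejected; hunk 2488 makes the identical change for DST_NOAUTH. Either keep `s/\s+$//g` and let the caller report invalid input when `/\s/` still matches, or add a comment stating that inner whitespace is intentionally collapsed so the next reader does not take it for a bug. `sub check_acls` starts and ends outside both hunks.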
@@ -2629,16 +2726,104 @@ sub write_acls print FILE $proxysettings{'SRC_UNRESTRICTED_MAC'}; close(FILE); + open(FILE, ">$acl_dst_noauth"); + flock(FILE, 2); + print FILE $proxysettings{'DST_NOAUTH'}; + close(FILE); + + open(FILE, ">$acl_dst_noauth_net"); + close(FILE); + open(FILE, ">$acl_dst_noauth_dom"); + close(FILE); + open(FILE, ">$acl_dst_noauth_url"); + close(FILE); + + @temp = split(/\n/,$proxysettings{'DST_NOAUTH'}); + foreach(@temp) + { + unless (/^#/) + { + if (/^\*\.\w/) + { + s/^\*//; + open(FILE, ">>$acl_dst_noauth_dom"); + flock(FILE, 2); + print FILE "$_\n"; + close(FILE); + } + elsif (&General::validipormask($_)) + { + open(FILE, ">>$acl_dst_noauth_net"); + flock(FILE, 2); + print FILE "$_\n"; + close(FILE); + } + elsif (/\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?-\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?/) + { + open(FILE, ">>$acl_dst_noauth_net"); + flock(FILE, 2); + print FILE "$_\n"; + close(FILE); + } + else + { + open(FILE, ">>$acl_dst_noauth_url"); + flock(FILE, 2); + if (/^[fh]tt?ps?:\/\//) { print FILE "$_\n"; } else { print FILE "^[fh]tt?ps?://$_\n"; } + close(FILE); + } + } + } + open(FILE, ">$acl_dst_nocache"); flock(FILE, 2); print FILE $proxysettings{'DST_NOCACHE'}; close(FILE); - open(FILE, ">$acl_dst_noauth"); - flock(FILE, 2); - print FILE $proxysettings{'DST_NOAUTH'}; + open(FILE, ">$acl_dst_nocache_net"); + close(FILE); + open(FILE, ">$acl_dst_nocache_dom"); + close(FILE); + open(FILE, ">$acl_dst_nocache_url"); close(FILE); + @temp = split(/\n/,$proxysettings{'DST_NOCACHE'}); + foreach(@temp) + { + unless (/^#/) + { + if (/^\*\.\w/) + { + s/^\*//; + open(FILE, ">>$acl_dst_nocache_dom"); + flock(FILE, 2); + print FILE "$_\n"; + close(FILE); + } + elsif (&General::validipormask($_)) + { + open(FILE, ">>$acl_dst_nocache_net"); + flock(FILE, 2); + print FILE "$_\n"; + close(FILE); + } + elsif (/\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?-\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?/) + { + open(FILE, ">>$acl_dst_nocache_net"); + flock(FILE, 2); + print 
FILE "$_\n"; + close(FILE); + } + else + { + open(FILE, ">>$acl_dst_nocache_url"); + flock(FILE, 2); + if (/^[fh]tt?ps?:\/\//) { print FILE "$_\n"; } else { print FILE "^[fh]tt?ps?://$_\n"; } + close(FILE); + } + } + } + open(FILE, ">$acl_ports_safe"); flock(FILE, 2); if (!$proxysettings{'PORTS_SAFE'}) { print FILE $def_ports_safe; } else { print FILE $proxysettings{'PORTS_SAFE'}; } @@ -2730,7 +2915,7 @@ sub write_acls sub writepacfile { - open(FILE, ">/home/httpd/html/proxy.pac"); + open(FILE, ">/srv/web/ipfire/html/proxy.pac"); flock(FILE, 2); print FILE "function FindProxyForURL(url, host)\n"; print FILE "{\n"; @@ -2742,8 +2927,8 @@ if ( (dnsDomainIs(host, ".$mainsettings{'DOMAINNAME'}")) || (isInNet(host, "10.0.0.0", "255.0.0.0")) || (isInNet(host, "172.16.0.0", "255.240.0.0")) || - (isInNet(host, "169.254.0.0", "255.255.0.0")) || - (isInNet(host, "192.168.0.0", "255.255.0.0")) + (isInNet(host, "192.168.0.0", "255.255.0.0")) || + (isInNet(host, "169.254.0.0", "255.255.0.0")) ) return "DIRECT"; 
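Review bot: In the `else` branch of both new classification loops in hunk 2629, an entry that is neither `*.domain`, an IP/mask nor an IP range is written into the `url_regex -i` ACL as `^[fh]tt?ps?://$_` without escaping, so its dots and any other metacharacters act as regex operators and the pattern has no end anchor; for the noauth list this means the authentication exemption applies to every URL whose start matches the entry, including longer hostnames that merely begin with it. If these entries are meant literally, escape them with `\Q$_\E` and say so in a comment; if they are meant as regexes, document that in the UI instead. The two loops are otherwise identical copies (noauth and nocache) that reopen the target file for every entry, so a helper that opens the three files once removes the duplication, as sketched below. `sub write_acls` begins before and ends after this hunk.
```perl
# Split one destination list (DST_NOAUTH or DST_NOCACHE) into its
# domain / network / url ACL files, opening each target file once.
sub write_dst_acls
{
	my ($list, $dom_file, $net_file, $url_file) = @_;
	open(my $dom, '>', $dom_file) or die "open $dom_file: $!";
	open(my $net, '>', $net_file) or die "open $net_file: $!";
	open(my $url, '>', $url_file) or die "open $url_file: $!";
	flock($_, 2) for ($dom, $net, $url);
	foreach my $entry (split(/\n/, $list))
	{
		next if $entry =~ /^#/;
		if ($entry =~ /^\*\.\w/)
		{
			$entry =~ s/^\*//;
			print {$dom} "$entry\n";
		}
		elsif (&General::validipormask($entry)
			|| $entry =~ /\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?-\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?/)
		{
			print {$net} "$entry\n";
		}
		elsif ($entry =~ m{^[fh]tt?ps?://})
		{
			print {$url} "$entry\n";
		}
		else
		{
			# literal host or host/path: escape it so '.' is not "any character"
			print {$url} "^[fh]tt?ps?://\Q$entry\E\n";
		}
	}
	close($_) for ($dom, $net, $url);
	return;
}

# … in write_acls, replacing the two copied loops …
write_dst_acls($proxysettings{'DST_NOAUTH'},  $acl_dst_noauth_dom,  $acl_dst_noauth_net,  $acl_dst_noauth_url);
write_dst_acls($proxysettings{'DST_NOCACHE'}, $acl_dst_nocache_dom, $acl_dst_nocache_net, $acl_dst_nocache_url);
```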
@@ -2753,9 +2938,34 @@ END ; if ($proxysettings{'ENABLE'} eq 'on') { + print FILE "if (\n"; + print FILE " (isInNet(myIpAddress(), \"$netsettings{'GREEN_NETADDRESS'}\", \"$netsettings{'GREEN_NETMASK'}\"))"; + + undef @templist; + if (-e "$acl_src_subnets") { + open(SUBNETS,"$acl_src_subnets"); + @templist = ; + close(SUBNETS); + } + + foreach (@templist) + { + @temp = split(/\//); + if ( + ($temp[0] ne $netsettings{'GREEN_NETADDRESS'}) && ($temp[1] ne $netsettings{'GREEN_NETMASK'}) && + ($temp[0] ne $netsettings{'BLUE_NETADDRESS'}) && ($temp[1] ne $netsettings{'BLUE_NETMASK'}) + ) + { + chomp $temp[1]; + print FILE " ||\n (isInNet(myIpAddress(), \"$temp[0]\", \"$temp[1]\"))"; + } + } + + print FILE "\n"; + print FILE < 0) + { + print FILE "\n"; -acl QUERY urlpath_regex cgi-bin \\? -cache deny QUERY -END - ; - if (!-z $acl_dst_nocache) { - print FILE "acl no_cache_domains dstdomain \"$acl_dst_nocache\"\n"; - print FILE "cache deny no_cache_domains\n"; + if (!-z $acl_dst_nocache_dom) { + print FILE "acl no_cache_domains dstdomain \"$acl_dst_nocache_dom\"\n"; + print FILE "cache deny no_cache_domains\n"; + } + if (!-z $acl_dst_nocache_net) { + print FILE "acl no_cache_ipaddr dst \"$acl_dst_nocache_net\"\n"; + print FILE "cache deny no_cache_ipaddr\n"; + } + if (!-z $acl_dst_nocache_url) { + print FILE "acl no_cache_hosts url_regex -i \"$acl_dst_nocache_url\"\n"; + print FILE "cache deny no_cache_hosts\n"; + } } print FILE <) { $_ =~ s/__GREEN_IP__/$netsettings{'GREEN_ADDRESS'}/; - $_ =~ s/__GREEN_NET__/$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}/; + $_ =~ s/__GREEN_NET__/$green_cidr/; $_ =~ s/__BLUE_IP__/$blue_ip/; $_ =~ s/__BLUE_NET__/$blue_net/; $_ =~ s/__PROXY_PORT__/$proxysettings{'PROXY_PORT'}/; print FILE $_; } - print FILE "#End of custom includes\n"; + print FILE "\n#End of custom includes\n"; close (ACL); } if ((!-z $extgrp) && ($proxysettings{'AUTH_METHOD'} eq 'ncsa') && ($proxysettings{'NCSA_BYPASS_REDIR'} eq 'on')) { print FILE 
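Review bot: The subnet filter in the new PAC loop of hunk 2753 compares `$temp[1]` before `chomp $temp[1]`, so the netmask still carries its newline and `$temp[1] ne $netsettings{'GREEN_NETMASK'}` is always true; the `&&` between the address and mask tests is also wrong on its own, because "differs from green" is address-or-mask, and once chomp is moved up it would drop every extra subnet that shares green's netmask. Chomp first, then express the exclusion as equality of the pair: `next if ($temp[0] eq $netsettings{'GREEN_NETADDRESS'} && $temp[1] eq $netsettings{'GREEN_NETMASK'});` and the same for blue, guarded by `$netsettings{'BLUE_DEV'}` so the undefined blue values do not warn. If the subnets file can hold comment lines, they would reach the PAC as `isInNet(myIpAddress(), "# ...", ...)`; skip them with `next if /^#/;`. The rest of `writepacfile` continues outside the hunk.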
"\nredirector_access deny for_extended_users\n"; } @@ -3202,8 +3429,8 @@ END http_access allow localhost #GUI admin if local machine connects -http_access allow IPCop_ips IPCop_networks IPCop_http -http_access allow CONNECT IPCop_ips IPCop_networks IPCop_https +http_access allow IPFire_ips IPFire_networks IPFire_http +http_access allow CONNECT IPFire_ips IPFire_networks IPFire_https #Deny not web services http_access deny !Safe_ports @@ -3283,14 +3510,14 @@ if ($delaypools) { print FILE "\n"; } - print FILE "delay_access 1 deny IPCop_ips\n"; - if (!-z $acl_src_unrestricted_ip) { print FILE "delay_access 1 deny IPCop_unrestricted_ips\n"; } - if (!-z $acl_src_unrestricted_mac) { print FILE "delay_access 1 deny IPCop_unrestricted_mac\n"; } + print FILE "delay_access 1 deny IPFire_ips\n"; + if (!-z $acl_src_unrestricted_ip) { print FILE "delay_access 1 deny IPFire_unrestricted_ips\n"; } + if (!-z $acl_src_unrestricted_mac) { print FILE "delay_access 1 deny IPFire_unrestricted_mac\n"; } if (($proxysettings{'AUTH_METHOD'} eq 'ncsa') && (!-z $extgrp)) { print FILE "delay_access 1 deny for_extended_users\n"; } if ($netsettings{'BLUE_DEV'}) { - print FILE "delay_access 1 allow IPCop_green_network"; + print FILE "delay_access 1 allow IPFire_green_network"; if (!-z $acl_dst_throttle) { print FILE " for_throttled_urls"; } print FILE "\n"; print FILE "delay_access 1 deny all\n"; 
@@ -3302,57 +3529,84 @@ if ($delaypools) { if ($netsettings{'BLUE_DEV'}) { - print FILE "delay_access 2 deny IPCop_ips\n"; - if (!-z $acl_src_unrestricted_ip) { print FILE "delay_access 2 deny IPCop_unrestricted_ips\n"; } - if (!-z $acl_src_unrestricted_mac) { print FILE "delay_access 2 deny IPCop_unrestricted_mac\n"; } + print FILE "delay_access 2 deny IPFire_ips\n"; + if (!-z $acl_src_unrestricted_ip) { print FILE "delay_access 2 deny IPFire_unrestricted_ips\n"; } + if (!-z $acl_src_unrestricted_mac) { print FILE "delay_access 2 deny IPFire_unrestricted_mac\n"; } if (($proxysettings{'AUTH_METHOD'} eq 'ncsa') && (!-z $extgrp)) { print FILE "delay_access 2 deny for_extended_users\n"; } - print FILE "delay_access 2 allow IPCop_blue_network"; + print FILE "delay_access 2 allow IPFire_blue_network"; if (!-z $acl_dst_throttle) { print FILE " for_throttled_urls"; } print FILE "\n"; print FILE "delay_access 2 deny all\n"; } - print FILE "delay_initial_bucket_level 100\n"; + print FILE "delay_initial_bucket_level 100\n"; print FILE "\n"; } if ($proxysettings{'NO_PROXY_LOCAL'} eq 'on') { print FILE "#Prevent internal proxy access to Green\n"; - print FILE "http_access deny IPCop_green_servers !IPCop_green_network\n\n"; + print FILE "http_access deny IPFire_green_servers !IPFire_green_network\n\n"; } if ($proxysettings{'NO_PROXY_LOCAL_BLUE'} eq 'on') { print FILE "#Prevent internal proxy access from Blue\n"; - print FILE "http_access allow IPCop_blue_network IPCop_blue_servers\n"; - print FILE "http_access deny IPCop_blue_network IPCop_servers\n\n"; + print FILE "http_access allow IPFire_blue_network IPFire_blue_servers\n"; + print FILE "http_access deny IPFire_blue_network IPFire_servers\n\n"; } print FILE < 0) + { + print FILE < 0) { - if (!-z $acl_src_unrestricted_ip) { print FILE "reply_body_max_size 0 allow IPCop_unrestricted_ips\n"; } - if (!-z $acl_src_unrestricted_mac) { print FILE "reply_body_max_size 0 allow IPCop_unrestricted_mac\n"; } + if (!-z 
$acl_src_unrestricted_ip) { print FILE "reply_body_max_size 0 deny IPFire_unrestricted_ips\n"; } + if (!-z $acl_src_unrestricted_mac) { print FILE "reply_body_max_size 0 deny IPFire_unrestricted_mac\n"; } if ($proxysettings{'AUTH_METHOD'} eq 'ncsa') { - if (!-z $extgrp) { print FILE "reply_body_max_size 0 allow for_extended_users\n"; } + if (!-z $extgrp) { print FILE "reply_body_max_size 0 deny for_extended_users\n"; } } } - print FILE "reply_body_max_size $replybodymaxsize allow all\n\n"; + + if ( $replybodymaxsize != '0' ) + { + print FILE "reply_body_max_size $replybodymaxsize deny all\n\n"; + } print FILE "visible_hostname"; if ($proxysettings{'VISIBLE_HOSTNAME'} eq '') @@ -3633,7 +3902,11 @@ END print FILE " $proxysettings{'VISIBLE_HOSTNAME'}\n\n"; } - if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n\n"; } + if (!($proxysettings{'ADMIN_MAIL_ADDRESS'} eq '')) { print FILE "cache_mgr $proxysettings{'ADMIN_MAIL_ADDRESS'}\n"; } + if (!($proxysettings{'ADMIN_PASSWORD'} eq '')) { print FILE "cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all\n"; } + print FILE "\n"; + + print FILE "max_filedescriptors $proxysettings{'FILEDESCRIPTORS'}\n\n"; # Write the parent proxy info, if needed. if ($remotehost ne '') 
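Review bot: `cachemgr_passwd $proxysettings{'ADMIN_PASSWORD'} all` in hunk 3633 interpolates the form value unvalidated, while the other new fields (FILEDESCRIPTORS, CHILDREN) are checked in the save path; a password containing whitespace changes the directive's argument list and a newline would start a new squid.conf line. Add a check beside the other validations, e.g. `if ($proxysettings{'ADMIN_PASSWORD'} =~ /\s/) { $errormessage = $Lang::tr{'<lang key for invalid cachemgr password>'}; goto ERROR; }` with a real language key. The password is emitted into squid.conf in clear text, which is how squid reads it, so the generated file's permissions are what protect it; nothing in this hunk shows them. The enclosing sub, presumably writeconfig, begins and ends outside this hunk.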
@@ -3651,38 +3924,13 @@ END } elsif ($proxysettings{'FORWARD_USERNAME'} eq 'on') { print FILE " login=*:password"; } - print FILE "\nnever_direct allow all\n\n"; + print FILE "\nalways_direct allow IPFire_ips\n"; + print FILE "never_direct allow all\n\n"; } - if (($proxysettings{'ENABLE_FILTER'} eq 'on') && ($proxysettings{'ENABLE_UPDXLRATOR'} eq 'on')) + if (($proxysettings{'ENABLE_FILTER'} eq 'on') || ($proxysettings{'ENABLE_UPDXLRATOR'} eq 'on') || ($proxysettings{'ENABLE_CLAMAV'} eq 'on')) { print FILE "url_rewrite_program /usr/sbin/redirect_wrapper\n"; - if ($filtersettings{'CHILDREN'} > $xlratorsettings{'CHILDREN'}) - { - print FILE "url_rewrite_children $filtersettings{'CHILDREN'}\n\n"; - } else { - print FILE "url_rewrite_children $xlratorsettings{'CHILDREN'}\n\n"; - } - } else - { - - if ($proxysettings{'ENABLE_FILTER'} eq 'on') - { - print FILE <>$stdgrp"); @@ -3756,3 +4004,15 @@ sub deluser } # ------------------------------------------------------------------- + +sub writecachemgr +{ + open(FILE, ">${General::swroot}/proxy/cachemgr.conf"); + flock(FILE, 2); + print FILE "$netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}\n"; + print FILE "localhost"; + close(FILE); + return; +} + +# -------------------------------------------------------------------
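Review bot: `writecachemgr` in hunk 3756 opens `${General::swroot}/proxy/cachemgr.conf` without checking the result, so if the open fails the flock and print hit an unopened handle and the file is silently not written; use `open(my $fh, '>', "${General::swroot}/proxy/cachemgr.conf") or return;` (or die, whichever the caller expects) before locking, and print through `$fh`. The second entry is printed as `"localhost"` without a trailing newline, unlike the first line; `print FILE "localhost\n";` keeps the file uniform for line-oriented readers. A one-line header such as `# Hosts cachemgr.cgi may manage: green address:proxy port and localhost` would also explain the file's purpose, which the sub name alone does not.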
$Lang::tr{'advproxy AUTH method'}   $Lang::tr{'advproxy NCSA username'}