#!/usr/bin/perl ############################################################################### # # # IPFire.org - A linux based firewall # # Copyright (C) 2007-2021 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # # the Free Software Foundation, either version 3 of the License, or # # (at your option) any later version. # # # # This program is distributed in the hope that it will be useful, # # but WITHOUT ANY WARRANTY; without even the implied warranty of # # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # # GNU General Public License for more details. # # # # You should have received a copy of the GNU General Public License # # along with this program. If not, see . # # # ############################################################################### use strict; use Apache::Htpasswd; use Scalar::Util qw(looks_like_number); # enable only the following on debugging purpose #use warnings; #use CGI::Carp 'fatalsToBrowser'; require '/var/ipfire/general-functions.pl'; require "${General::swroot}/lang.pl"; require "${General::swroot}/header.pl"; require "${General::swroot}/ids-functions.pl"; my @squidversion = &General::system_output("/usr/sbin/squid", "-v"); my $http_port='81'; my $https_port='444'; my %color = (); my %mainsettings = (); &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); my %proxysettings=(); my %netsettings=(); my %filtersettings=(); my %xlratorsettings=(); my %stdproxysettings=(); my %mainsettings=(); my %checked=(); my %selected=(); my @throttle_limits=(64,128,256,512,1024,1536,2048,3072,4096,5120,6144,7168,8192,10240,16384,20480,51200,102400); my $def_ports_safe="80 # http\n21 # ftp\n443 # https\n563 # snews\n70 # gopher\n210 # wais\n1025-65535 # unregistered ports\n280 # http-mgmt\n488 # gss-http\n591 # filemaker\n777 # multiling http\n800 # Squids port (for icons)\n"; my $def_ports_ssl="443 # https\n563 # snews\n"; my $hintcolour='#FFFFCC'; my $ncsa_buttontext=''; my $language=''; my $i=0; my $n=0; my $id=0; my $line=''; my $user=''; my @userlist=(); my @grouplist=(); my @temp=(); my @templist=(); my $cachemem=0; my $proxy1=''; my $proxy2=''; my $browser_regexp=''; my $needhup = 0; my $errormessage=''; my $acldir = "${General::swroot}/proxy/advanced/acls"; my $ncsadir = "${General::swroot}/proxy/advanced/ncsa"; my $raddir = "${General::swroot}/proxy/advanced/radius"; my $identdir = "${General::swroot}/proxy/advanced/ident"; my $credir = "${General::swroot}/proxy/advanced/cre"; my $userdb = "$ncsadir/passwd"; my $stdgrp = "$ncsadir/standard.grp"; my $extgrp = "$ncsadir/extended.grp"; my $disgrp = "$ncsadir/disabled.grp"; my $mimetypes = "${General::swroot}/proxy/advanced/mimetypes"; my $throttled_urls = "${General::swroot}/proxy/advanced/throttle"; my $cre_enabled = "${General::swroot}/proxy/advanced/cre/enable"; my $cre_groups = "${General::swroot}/proxy/advanced/cre/classrooms"; my $cre_svhosts = "${General::swroot}/proxy/advanced/cre/supervisors"; my $identhosts = "$identdir/hosts"; my $authdir = "/usr/lib/squid"; my $errordir = "/usr/lib/squid/errors"; my $acl_src_subnets = "$acldir/src_subnets.acl"; my $acl_src_banned_ip = "$acldir/src_banned_ip.acl"; my $acl_src_banned_mac = "$acldir/src_banned_mac.acl"; my $acl_src_unrestricted_ip = "$acldir/src_unrestricted_ip.acl"; my $acl_src_unrestricted_mac = "$acldir/src_unrestricted_mac.acl"; my $acl_src_noaccess_ip = "$acldir/src_noaccess_ip.acl"; my $acl_src_noaccess_mac = "$acldir/src_noaccess_mac.acl"; my $acl_dst_noauth = "$acldir/dst_noauth.acl"; my $acl_dst_noauth_dom = "$acldir/dst_noauth_dom.acl"; my $acl_dst_noauth_net = "$acldir/dst_noauth_net.acl"; my $acl_dst_noauth_url = "$acldir/dst_noauth_url.acl"; my $acl_dst_nocache = "$acldir/dst_nocache.acl"; my $acl_dst_nocache_dom = "$acldir/dst_nocache_dom.acl"; my $acl_dst_nocache_net = "$acldir/dst_nocache_net.acl"; my $acl_dst_nocache_url = "$acldir/dst_nocache_url.acl"; my $acl_dst_throttle = "$acldir/dst_throttle.acl"; my $acl_ports_safe = "$acldir/ports_safe.acl"; my $acl_ports_ssl = "$acldir/ports_ssl.acl"; my $acl_include = "$acldir/include.acl"; my $acl_dst_noproxy_url = "$acldir/dst_noproxy_url.acl"; my $acl_dst_noproxy_ip = "$acldir/dst_noproxy_ip.acl"; my $updaccelversion = 'n/a'; my $urlfilterversion = 'n/a'; unless (-d "$acldir") { mkdir("$acldir"); } unless (-d "$ncsadir") { mkdir("$ncsadir"); } unless (-d "$raddir") { mkdir("$raddir"); } unless (-d "$identdir") { mkdir("$identdir"); } unless (-d "$credir") { mkdir("$credir"); } unless (-e $cre_groups) { &General::system("touch", "$cre_groups"); } unless (-e $cre_svhosts) { &General::system("touch $cre_svhosts"); } unless (-e $userdb) { &General::system("touch", "$userdb"); } unless (-e $stdgrp) { &General::system("touch", "$stdgrp"); } unless (-e $extgrp) { &General::system("touch", "$extgrp"); } unless (-e $disgrp) { &General::system("touch", "$disgrp"); } unless (-e $acl_src_subnets) { &General::system("touch", "$acl_src_subnets"); } unless (-e $acl_src_banned_ip) { &General::system("touch", "$acl_src_banned_ip"); } unless (-e $acl_src_banned_mac) { &General::system("touch", "$acl_src_banned_mac"); } unless (-e $acl_src_unrestricted_ip) { &General::system("touch", "$acl_src_unrestricted_ip"); } unless (-e $acl_src_unrestricted_mac) { &General::system("touch", "$acl_src_unrestricted_mac"); } unless (-e $acl_src_noaccess_ip) { &General::system("touch", "$acl_src_noaccess_ip"); } unless (-e $acl_src_noaccess_mac) { &General::system("touch", "$acl_src_noaccess_mac"); } unless (-e $acl_dst_noauth) { &General::system("touch", "$acl_dst_noauth"); } unless (-e $acl_dst_noauth_dom) { &General::system("touch", "$acl_dst_noauth_dom"); } unless (-e $acl_dst_noauth_net) { &General::system("touch", "$acl_dst_noauth_net"); } unless (-e $acl_dst_noauth_url) { &General::system("touch", "$acl_dst_noauth_url"); } unless (-e $acl_dst_nocache) { &General::system("touch", "$acl_dst_nocache"); } unless (-e $acl_dst_nocache_dom) { &General::system("touch", "$acl_dst_nocache_dom"); } unless (-e $acl_dst_nocache_net) { &General::system("touch", "$acl_dst_nocache_net"); } unless (-e $acl_dst_nocache_url) { &General::system("touch", "$acl_dst_nocache_url"); } unless (-e $acl_dst_throttle) { &General::system("touch", "$acl_dst_throttle"); } unless (-e $acl_ports_safe) { &General::system("touch", "$acl_ports_safe"); } unless (-e $acl_ports_ssl) { &General::system("touch", "$acl_ports_ssl"); } unless (-e $acl_include) { &General::system("touch", "$acl_include"); } unless (-e $mimetypes) { &General::system("touch", "$mimetypes"); } my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth"); &General::readhash("${General::swroot}/ethernet/settings", \%netsettings); &General::readhash("${General::swroot}/main/settings", \%mainsettings); my $green_cidr = ""; if (&Header::green_used() && $netsettings{'GREEN_DEV'}) { $green_cidr = &General::ipcidr("$netsettings{'GREEN_NETADDRESS'}\/$netsettings{'GREEN_NETMASK'}"); } my $blue_cidr = ""; if (&Header::blue_used() && $netsettings{'BLUE_DEV'}) { $blue_cidr = &General::ipcidr("$netsettings{'BLUE_NETADDRESS'}\/$netsettings{'BLUE_NETMASK'}"); } &Header::showhttpheaders(); $proxysettings{'ACTION'} = ''; $proxysettings{'VALID'} = ''; $proxysettings{'ENABLE'} = 'off'; $proxysettings{'ENABLE_BLUE'} = 'off'; $proxysettings{'TRANSPARENT'} = 'off'; $proxysettings{'TRANSPARENT_BLUE'} = 'off'; $proxysettings{'PROXY_PORT'} = '800'; $proxysettings{'TRANSPARENT_PORT'} = '3128'; $proxysettings{'VISIBLE_HOSTNAME'} = ''; $proxysettings{'ADMIN_MAIL_ADDRESS'} = ''; $proxysettings{'ADMIN_PASSWORD'} = ''; $proxysettings{'ERR_LANGUAGE'} = 'en'; $proxysettings{'ERR_DESIGN'} = 'ipfire'; $proxysettings{'FORWARD_VIA'} = 'off'; $proxysettings{'FORWARD_IPADDRESS'} = 'off'; $proxysettings{'FORWARD_USERNAME'} = 'off'; $proxysettings{'NO_CONNECTION_AUTH'} = 'off'; $proxysettings{'UPSTREAM_PROXY'} = ''; $proxysettings{'UPSTREAM_USER'} = ''; $proxysettings{'UPSTREAM_PASSWORD'} = ''; $proxysettings{'LOGGING'} = 'off'; $proxysettings{'CACHEMGR'} = 'off'; $proxysettings{'LOGQUERY'} = 'off'; $proxysettings{'LOGUSERAGENT'} = 'off'; $proxysettings{'FILEDESCRIPTORS'} = '16384'; $proxysettings{'CACHE_MEM'} = '128'; $proxysettings{'CACHE_SIZE'} = '0'; $proxysettings{'MAX_SIZE'} = '4096'; $proxysettings{'MIN_SIZE'} = '0'; $proxysettings{'MEM_POLICY'} = 'LRU'; $proxysettings{'CACHE_POLICY'} = 'LRU'; $proxysettings{'L1_DIRS'} = '16'; $proxysettings{'OFFLINE_MODE'} = 'off'; $proxysettings{'CACHE_DIGESTS'} = 'off'; $proxysettings{'CLASSROOM_EXT'} = 'off'; $proxysettings{'SUPERVISOR_PASSWORD'} = ''; $proxysettings{'NO_PROXY_LOCAL'} = 'off'; $proxysettings{'NO_PROXY_LOCAL_BLUE'} = 'off'; $proxysettings{'TIME_ACCESS_MODE'} = 'allow'; $proxysettings{'TIME_FROM_HOUR'} = '00'; $proxysettings{'TIME_FROM_MINUTE'} = '00'; $proxysettings{'TIME_TO_HOUR'} = '24'; $proxysettings{'TIME_TO_MINUTE'} = '00'; $proxysettings{'MAX_OUTGOING_SIZE'} = '0'; $proxysettings{'MAX_INCOMING_SIZE'} = '0'; $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited'; $proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited'; $proxysettings{'ASNBL_FASTFLUX_DETECTION'} = 'off'; $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} = '5'; $proxysettings{'ASNBL_SELECANN_DETECTION'} = 'off'; $proxysettings{'ENABLE_MIME_FILTER'} = 'off'; $proxysettings{'AUTH_METHOD'} = 'none'; $proxysettings{'AUTH_REALM'} = ''; $proxysettings{'AUTH_MAX_USERIP'} = ''; $proxysettings{'AUTH_CACHE_TTL'} = '60'; $proxysettings{'AUTH_IPCACHE_TTL'} = '0'; $proxysettings{'AUTH_CHILDREN'} = '5'; $proxysettings{'NCSA_MIN_PASS_LEN'} = '6'; $proxysettings{'NCSA_BYPASS_REDIR'} = 'off'; $proxysettings{'NCSA_USERNAME'} = ''; $proxysettings{'NCSA_GROUP'} = ''; $proxysettings{'NCSA_PASS'} = ''; $proxysettings{'NCSA_PASS_CONFIRM'} = ''; $proxysettings{'LDAP_BASEDN'} = ''; $proxysettings{'LDAP_TYPE'} = 'ADS'; $proxysettings{'LDAP_SERVER'} = ''; $proxysettings{'LDAP_PORT'} = '389'; $proxysettings{'LDAP_BINDDN_USER'} = ''; $proxysettings{'LDAP_BINDDN_PASS'} = ''; $proxysettings{'LDAP_GROUP'} = ''; $proxysettings{'NTLM_AUTH_GROUP'} = ''; $proxysettings{'NTLM_AUTH_BASIC'} = 'off'; $proxysettings{'NTLM_DOMAIN'} = ''; $proxysettings{'NTLM_PDC'} = ''; $proxysettings{'NTLM_BDC'} = ''; $proxysettings{'NTLM_ENABLE_ACL'} = 'off'; $proxysettings{'NTLM_USER_ACL'} = 'positive'; $proxysettings{'RADIUS_SERVER'} = ''; $proxysettings{'RADIUS_PORT'} = '1812'; $proxysettings{'RADIUS_IDENTIFIER'} = ''; $proxysettings{'RADIUS_SECRET'} = ''; $proxysettings{'RADIUS_ENABLE_ACL'} = 'off'; $proxysettings{'RADIUS_USER_ACL'} = 'positive'; $proxysettings{'IDENT_REQUIRED'} = 'off'; $proxysettings{'IDENT_TIMEOUT'} = '10'; $proxysettings{'IDENT_ENABLE_ACL'} = 'off'; $proxysettings{'IDENT_USER_ACL'} = 'positive'; $proxysettings{'ENABLE_FILTER'} = 'off'; $proxysettings{'ENABLE_UPDXLRATOR'} = 'off'; $proxysettings{'ENABLE_CLAMAV'} = 'off'; $ncsa_buttontext = $Lang::tr{'advproxy NCSA create user'}; &Header::getcgihash(\%proxysettings); if ($proxysettings{'THROTTLING_GREEN_TOTAL'} eq 0) {$proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited';} if ($proxysettings{'THROTTLING_GREEN_HOST'} eq 0) {$proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';} if ($proxysettings{'THROTTLING_BLUE_TOTAL'} eq 0) {$proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';} if ($proxysettings{'THROTTLING_BLUE_HOST'} eq 0) {$proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';} if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy NCSA user management'}) { $proxysettings{'NCSA_EDIT_MODE'} = 'yes'; } if ($proxysettings{'ACTION'} eq $Lang::tr{'add'}) { $proxysettings{'NCSA_EDIT_MODE'} = 'yes'; if (length($proxysettings{'NCSA_PASS'}) < $proxysettings{'NCSA_MIN_PASS_LEN'}) { $errormessage = $Lang::tr{'advproxy errmsg password length 1'}.$proxysettings{'NCSA_MIN_PASS_LEN'}.$Lang::tr{'advproxy errmsg password length 2'}; } if (!($proxysettings{'NCSA_PASS'} eq $proxysettings{'NCSA_PASS_CONFIRM'})) { $errormessage = $Lang::tr{'advproxy errmsg passwords different'}; } if ($proxysettings{'NCSA_USERNAME'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg no username'}; } if (!$errormessage) { $proxysettings{'NCSA_USERNAME'} =~ tr/A-Z/a-z/; &adduser($proxysettings{'NCSA_USERNAME'}, $proxysettings{'NCSA_PASS'}, $proxysettings{'NCSA_GROUP'}); } $proxysettings{'NCSA_USERNAME'} = ''; $proxysettings{'NCSA_GROUP'} = ''; $proxysettings{'NCSA_PASS'} = ''; $proxysettings{'NCSA_PASS_CONFIRM'} = ''; } if ($proxysettings{'ACTION'} eq $Lang::tr{'remove'}) { $proxysettings{'NCSA_EDIT_MODE'} = 'yes'; &deluser($proxysettings{'ID'}); } $checked{'ENABLE_UPDXLRATOR'}{'off'} = ''; $checked{'ENABLE_UPDXLRATOR'}{'on'} = ''; $checked{'ENABLE_UPDXLRATOR'}{$proxysettings{'ENABLE_UPDXLRATOR'}} = "checked='checked'"; if ($proxysettings{'ACTION'} eq $Lang::tr{'edit'}) { $proxysettings{'NCSA_EDIT_MODE'} = 'yes'; $ncsa_buttontext = $Lang::tr{'advproxy NCSA update user'}; @temp = split(/:/,$proxysettings{'ID'}); $proxysettings{'NCSA_USERNAME'} = $temp[0]; $proxysettings{'NCSA_GROUP'} = $temp[1]; $proxysettings{'NCSA_PASS'} = "lEaVeAlOnE"; $proxysettings{'NCSA_PASS_CONFIRM'} = $proxysettings{'NCSA_PASS'}; } if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) || ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'})) { if ($proxysettings{'ENABLE'} !~ /^(on|off)$/ || $proxysettings{'TRANSPARENT'} !~ /^(on|off)$/ || $proxysettings{'ENABLE_BLUE'} !~ /^(on|off)$/ || $proxysettings{'TRANSPARENT_BLUE'} !~ /^(on|off)$/ ) { $errormessage = $Lang::tr{'invalid input'}; goto ERROR; } if($proxysettings{'CACHE_MEM'} > $proxysettings{'CACHE_SIZE'} && $proxysettings{'CACHE_SIZE'} > 0){ $errormessage = $Lang::tr{'advproxy errmsg cache'}." ".$proxysettings{'CACHE_MEM'}." > ".$proxysettings{'CACHE_SIZE'}; goto ERROR; } if (!(&General::validport($proxysettings{'PROXY_PORT'}))) { $errormessage = $Lang::tr{'advproxy errmsg invalid proxy port'}; goto ERROR; } if (!(&General::validport($proxysettings{'TRANSPARENT_PORT'}))) { $errormessage = $Lang::tr{'advproxy errmsg invalid proxy port'}; goto ERROR; } if ($proxysettings{'PROXY_PORT'} eq $proxysettings{'TRANSPARENT_PORT'}) { $errormessage = $Lang::tr{'advproxy errmsg proxy ports equal'}; goto ERROR; } if (!($proxysettings{'UPSTREAM_PROXY'} eq '')) { my @temp = split(/:/,$proxysettings{'UPSTREAM_PROXY'}); if (!(&General::validip($temp[0]))) { if (!(&General::validdomainname($temp[0]))) { $errormessage = $Lang::tr{'advproxy errmsg invalid upstream proxy'}; goto ERROR; } } } if (!($proxysettings{'CACHE_SIZE'} =~ /^\d+/) || ($proxysettings{'CACHE_SIZE'} < 10)) { if (!($proxysettings{'CACHE_SIZE'} eq '0')) { $errormessage = $Lang::tr{'advproxy errmsg hdd cache size'}; goto ERROR; } } if (!($proxysettings{'FILEDESCRIPTORS'} =~ /^\d+/) || ($proxysettings{'FILEDESCRIPTORS'} < 1) || ($proxysettings{'FILEDESCRIPTORS'} > 1048576)) { $errormessage = $Lang::tr{'proxy errmsg filedescriptors'}; goto ERROR; } if (!($proxysettings{'CACHE_MEM'} =~ /^\d+/)) { $errormessage = $Lang::tr{'advproxy errmsg mem cache size'}; goto ERROR; } my @free = &General::system_output("/usr/bin/free"); $free[1] =~ m/(\d+)/; $cachemem = int $1 / 2048; if ($proxysettings{'CACHE_MEM'} > $cachemem) { $proxysettings{'CACHE_MEM'} = $cachemem; } if (!($proxysettings{'MAX_SIZE'} =~ /^\d+/)) { $errormessage = $Lang::tr{'invalid maximum object size'}; goto ERROR; } if (!($proxysettings{'MIN_SIZE'} =~ /^\d+/)) { $errormessage = $Lang::tr{'invalid minimum object size'}; goto ERROR; } if (!($proxysettings{'MAX_OUTGOING_SIZE'} =~ /^\d+/)) { $errormessage = $Lang::tr{'invalid maximum outgoing size'}; goto ERROR; } if (!($proxysettings{'TIME_TO_HOUR'}.$proxysettings{'TIME_TO_MINUTE'} gt $proxysettings{'TIME_FROM_HOUR'}.$proxysettings{'TIME_FROM_MINUTE'})) { $errormessage = $Lang::tr{'advproxy errmsg time restriction'}; goto ERROR; } if (!($proxysettings{'MAX_INCOMING_SIZE'} =~ /^\d+/)) { $errormessage = $Lang::tr{'invalid maximum incoming size'}; goto ERROR; } if (($proxysettings{'ASNBL_FASTFLUX_DETECTION'} eq 'on') || ($proxysettings{'ASNBL_SELECANN_DETECTION'} eq 'on')) { if (-z $proxysettings{'ASNBL_FASTFLUX_THRESHOLD'}) { $errormessage = $Lang::tr{'advproxy fastflux no threshold given'}; goto ERROR; } if (! looks_like_number($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'})) { $errormessage = $Lang::tr{'advproxy fastflux threshold invalid'}; goto ERROR; } if (($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} < 2) || ($proxysettings{'ASNBL_FASTFLUX_THRESHOLD'} > 10)) { $errormessage = $Lang::tr{'advproxy fastflux threshold out of bounds'}; goto ERROR; } } if (!($proxysettings{'AUTH_METHOD'} eq 'none')) { unless (($proxysettings{'AUTH_METHOD'} eq 'ident') && ($proxysettings{'IDENT_REQUIRED'} eq 'off') && ($proxysettings{'IDENT_ENABLE_ACL'} eq 'off')) { if ($netsettings{'BLUE_DEV'}) { if ((($proxysettings{'ENABLE'} eq 'off') || ($proxysettings{'TRANSPARENT'} eq 'on')) && (($proxysettings{'ENABLE_BLUE'} eq 'off') || ($proxysettings{'TRANSPARENT_BLUE'} eq 'on'))) { $errormessage = $Lang::tr{'advproxy errmsg non-transparent proxy required'}; goto ERROR; } } else { if (($proxysettings{'ENABLE'} eq 'off') || ($proxysettings{'TRANSPARENT'} eq 'on')) { $errormessage = $Lang::tr{'advproxy errmsg non-transparent proxy required'}; goto ERROR; } } } if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255))) { $errormessage = $Lang::tr{'advproxy errmsg max userip'}; goto ERROR; } if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/)) { $errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'}; goto ERROR; } if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/)) { $errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'}; goto ERROR; } if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { $errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'}; goto ERROR; } if ((!($proxysettings{'AUTH_CHILDREN'} =~ /^\d+/)) || ($proxysettings{'AUTH_CHILDREN'} < 1) || ($proxysettings{'AUTH_CHILDREN'} > 255)) { $errormessage = $Lang::tr{'advproxy errmsg auth children'}; goto ERROR; } } if ($proxysettings{'AUTH_METHOD'} eq 'ncsa') { if ((!($proxysettings{'NCSA_MIN_PASS_LEN'} =~ /^\d+/)) || ($proxysettings{'NCSA_MIN_PASS_LEN'} < 1) || ($proxysettings{'NCSA_MIN_PASS_LEN'} > 255)) { $errormessage = $Lang::tr{'advproxy errmsg password length'}; goto ERROR; } } if ($proxysettings{'AUTH_METHOD'} eq 'ident') { if ((!($proxysettings{'IDENT_TIMEOUT'} =~ /^\d+/)) || ($proxysettings{'IDENT_TIMEOUT'} < 1)) { $errormessage = $Lang::tr{'advproxy errmsg ident timeout'}; goto ERROR; } } if ($proxysettings{'AUTH_METHOD'} eq 'ldap') { if ($proxysettings{'LDAP_BASEDN'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg ldap base dn'}; goto ERROR; } if (!&General::validip($proxysettings{'LDAP_SERVER'})) { if (!&General::validdomainname($proxysettings{'LDAP_SERVER'})) { $errormessage = $Lang::tr{'advproxy errmsg ldap server'}; goto ERROR; } } if (!&General::validport($proxysettings{'LDAP_PORT'})) { $errormessage = $Lang::tr{'advproxy errmsg ldap port'}; goto ERROR; } if (($proxysettings{'LDAP_TYPE'} eq 'ADS') || ($proxysettings{'LDAP_TYPE'} eq 'NDS')) { if (($proxysettings{'LDAP_BINDDN_USER'} eq '') || ($proxysettings{'LDAP_BINDDN_PASS'} eq '')) { $errormessage = $Lang::tr{'advproxy errmsg ldap bind dn'}; goto ERROR; } } } if ($proxysettings{'AUTH_METHOD'} eq 'radius') { if (!&General::validip($proxysettings{'RADIUS_SERVER'})) { $errormessage = $Lang::tr{'advproxy errmsg radius server'}; goto ERROR; } if (!&General::validport($proxysettings{'RADIUS_PORT'})) { $errormessage = $Lang::tr{'advproxy errmsg radius port'}; goto ERROR; } if ($proxysettings{'RADIUS_SECRET'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg radius secret'}; goto ERROR; } } # Quick parent proxy error checking of username and password info. If username password don't both exist give an error. $proxy1 = 'YES'; $proxy2 = 'YES'; if (($proxysettings{'UPSTREAM_USER'} eq '')) {$proxy1 = '';} if (($proxysettings{'UPSTREAM_PASSWORD'} eq '')) {$proxy2 = '';} if ($proxysettings{'UPSTREAM_USER'} eq 'PASS') {$proxy1=$proxy2='PASS'; $proxysettings{'UPSTREAM_PASSWORD'} = '';} if (($proxy1 ne $proxy2)) { $errormessage = $Lang::tr{'advproxy errmsg invalid upstream proxy username or password setting'}; goto ERROR; } ERROR: &check_acls; if ($errormessage) { $proxysettings{'VALID'} = 'no'; } else { $proxysettings{'VALID'} = 'yes'; } if ($proxysettings{'VALID'} eq 'yes') { # Determine if suricata may needs to be restarted. my $suricata_proxy_ports_changed; # Check if the IDS is running if(&IDS::ids_is_running()) { my %oldproxysettings; # Read-in current proxy settings and store them as oldsettings hash. &General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings); # Check if the proxy port has been changed. unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) { # Port has changed, suricata needs to be adjusted. $suricata_proxy_ports_changed = 1; } # Check if the transparent port has been changed. unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) { # Transparent port has changed, suricata needs to be adjusted. $suricata_proxy_ports_changed = 1; } } &write_acls; delete $proxysettings{'SRC_SUBNETS'}; delete $proxysettings{'SRC_BANNED_IP'}; delete $proxysettings{'SRC_BANNED_MAC'}; delete $proxysettings{'SRC_UNRESTRICTED_IP'}; delete $proxysettings{'SRC_UNRESTRICTED_MAC'}; delete $proxysettings{'DST_NOCACHE'}; delete $proxysettings{'DST_NOAUTH'}; delete $proxysettings{'DST_NOPROXY_IP'}; delete $proxysettings{'DST_NOPROXY_URL'}; delete $proxysettings{'PORTS_SAFE'}; delete $proxysettings{'PORTS_SSL'}; delete $proxysettings{'MIME_TYPES'}; delete $proxysettings{'NTLM_ALLOW_USERS'}; delete $proxysettings{'NTLM_DENY_USERS'}; delete $proxysettings{'RADIUS_ALLOW_USERS'}; delete $proxysettings{'RADIUS_DENY_USERS'}; delete $proxysettings{'IDENT_HOSTS'}; delete $proxysettings{'IDENT_ALLOW_USERS'}; delete $proxysettings{'IDENT_DENY_USERS'}; delete $proxysettings{'CRE_GROUPS'}; delete $proxysettings{'CRE_SVHOSTS'}; delete $proxysettings{'NCSA_USERNAME'}; delete $proxysettings{'NCSA_GROUP'}; delete $proxysettings{'NCSA_PASS'}; delete $proxysettings{'NCSA_PASS_CONFIRM'}; $proxysettings{'TIME_MON'} = 'off' unless exists $proxysettings{'TIME_MON'}; $proxysettings{'TIME_TUE'} = 'off' unless exists $proxysettings{'TIME_TUE'}; $proxysettings{'TIME_WED'} = 'off' unless exists $proxysettings{'TIME_WED'}; $proxysettings{'TIME_THU'} = 'off' unless exists $proxysettings{'TIME_THU'}; $proxysettings{'TIME_FRI'} = 'off' unless exists $proxysettings{'TIME_FRI'}; $proxysettings{'TIME_SAT'} = 'off' unless exists $proxysettings{'TIME_SAT'}; $proxysettings{'TIME_SUN'} = 'off' unless exists $proxysettings{'TIME_SUN'}; $proxysettings{'AUTH_ALWAYS_REQUIRED'} = 'off' unless exists $proxysettings{'AUTH_ALWAYS_REQUIRED'}; $proxysettings{'NTLM_ENABLE_INT_AUTH'} = 'off' unless exists $proxysettings{'NTLM_ENABLE_INT_AUTH'}; &General::writehash("${General::swroot}/proxy/advanced/settings", \%proxysettings); if (-e "${General::swroot}/proxy/settings") { &General::readhash("${General::swroot}/proxy/settings", \%stdproxysettings); } $stdproxysettings{'PROXY_PORT'} = $proxysettings{'PROXY_PORT'}; $stdproxysettings{'UPSTREAM_PROXY'} = $proxysettings{'UPSTREAM_PROXY'}; $stdproxysettings{'UPSTREAM_USER'} = $proxysettings{'UPSTREAM_USER'}; $stdproxysettings{'UPSTREAM_PASSWORD'} = $proxysettings{'UPSTREAM_PASSWORD'}; $stdproxysettings{'ENABLE_FILTER'} = $proxysettings{'ENABLE_FILTER'}; $stdproxysettings{'ENABLE_UPDXLRATOR'} = $proxysettings{'ENABLE_UPDXLRATOR'}; $stdproxysettings{'ENABLE_CLAMAV'} = $proxysettings{'ENABLE_CLAMAV'}; &General::writehash("${General::swroot}/proxy/settings", \%stdproxysettings); &writeconfig; &writepacfile; if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;} &General::system ('/usr/local/bin/squidctrl', 'disable'); unlink "${General::swroot}/proxy/enable"; unlink "${General::swroot}/proxy/transparent"; unlink "${General::swroot}/proxy/enable_blue"; unlink "${General::swroot}/proxy/transparent_blue"; if ($proxysettings{'ENABLE'} eq 'on') { &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable"); &General::system('/usr/local/bin/squidctrl', 'enable'); } if ($proxysettings{'TRANSPARENT'} eq 'on' && $proxysettings{'ENABLE'} eq 'on') { &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent"); } if ($proxysettings{'ENABLE_BLUE'} eq 'on') { &General::system('/usr/bin/touch', "${General::swroot}/proxy/enable_blue"); &General::system('/usr/local/bin/squidctrl', 'enable'); } if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on' && $proxysettings{'ENABLE_BLUE'} eq 'on') { &General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); } if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { &General::system('/usr/local/bin/squidctrl', 'restart'); } if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { &General::system('/usr/local/bin/squidctrl', 'reconfigure'); } # Check if the suricata_proxy_ports_changed flag has been set. if ($suricata_proxy_ports_changed) { # Re-generate HTTP ports file. &IDS::generate_http_ports_file(); # Restart suricata. &IDS::call_suricatactrl("restart"); } } } if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy clear cache'}) { &General::system('/usr/local/bin/squidctrl', 'flush'); } if (!$errormessage) { if (-e "${General::swroot}/proxy/advanced/settings") { &General::readhash("${General::swroot}/proxy/advanced/settings", \%proxysettings); } elsif (-e "${General::swroot}/proxy/settings") { &General::readhash("${General::swroot}/proxy/settings", \%proxysettings); } &read_acls; } # ------------------------------------------------------------------ # Hook to regenerate the configuration files, if cgi got called from command line. if ($ENV{"REMOTE_ADDR"} eq "") { writeconfig(); exit(0); } # ------------------------------------------------------------------- $checked{'ENABLE'}{'off'} = ''; $checked{'ENABLE'}{'on'} = ''; $checked{'ENABLE'}{$proxysettings{'ENABLE'}} = "checked='checked'"; $checked{'TRANSPARENT'}{'off'} = ''; $checked{'TRANSPARENT'}{'on'} = ''; $checked{'TRANSPARENT'}{$proxysettings{'TRANSPARENT'}} = "checked='checked'"; $checked{'ENABLE_BLUE'}{'off'} = ''; $checked{'ENABLE_BLUE'}{'on'} = ''; $checked{'ENABLE_BLUE'}{$proxysettings{'ENABLE_BLUE'}} = "checked='checked'"; $checked{'TRANSPARENT_BLUE'}{'off'} = ''; $checked{'TRANSPARENT_BLUE'}{'on'} = ''; $checked{'TRANSPARENT_BLUE'}{$proxysettings{'TRANSPARENT_BLUE'}} = "checked='checked'"; $checked{'FORWARD_IPADDRESS'}{'off'} = ''; $checked{'FORWARD_IPADDRESS'}{'on'} = ''; $checked{'FORWARD_IPADDRESS'}{$proxysettings{'FORWARD_IPADDRESS'}} = "checked='checked'"; $checked{'FORWARD_USERNAME'}{'off'} = ''; $checked{'FORWARD_USERNAME'}{'on'} = ''; $checked{'FORWARD_USERNAME'}{$proxysettings{'FORWARD_USERNAME'}} = "checked='checked'"; $checked{'FORWARD_VIA'}{'off'} = ''; $checked{'FORWARD_VIA'}{'on'} = ''; $checked{'FORWARD_VIA'}{$proxysettings{'FORWARD_VIA'}} = "checked='checked'"; $checked{'NO_CONNECTION_AUTH'}{'off'} = ''; $checked{'NO_CONNECTION_AUTH'}{'on'} = ''; $checked{'NO_CONNECTION_AUTH'}{$proxysettings{'NO_CONNECTION_AUTH'}} = "checked='checked'"; $selected{'MEM_POLICY'}{$proxysettings{'MEM_POLICY'}} = "selected='selected'"; $selected{'CACHE_POLICY'}{$proxysettings{'CACHE_POLICY'}} = "selected='selected'"; $selected{'L1_DIRS'}{$proxysettings{'L1_DIRS'}} = "selected='selected'"; $checked{'OFFLINE_MODE'}{'off'} = ''; $checked{'OFFLINE_MODE'}{'on'} = ''; $checked{'OFFLINE_MODE'}{$proxysettings{'OFFLINE_MODE'}} = "checked='checked'"; $checked{'CACHE_DIGESTS'}{'off'} = ''; $checked{'CACHE_DIGESTS'}{'on'} = ''; $checked{'CACHE_DIGESTS'}{$proxysettings{'CACHE_DIGESTS'}} = "checked='checked'"; $checked{'LOGGING'}{'off'} = ''; $checked{'LOGGING'}{'on'} = ''; $checked{'LOGGING'}{$proxysettings{'LOGGING'}} = "checked='checked'"; $checked{'CACHEMGR'}{'off'} = ''; $checked{'CACHEMGR'}{'on'} = ''; $checked{'CACHEMGR'}{$proxysettings{'CACHEMGR'}} = "checked='checked'"; $checked{'LOGQUERY'}{'off'} = ''; $checked{'LOGQUERY'}{'on'} = ''; $checked{'LOGQUERY'}{$proxysettings{'LOGQUERY'}} = "checked='checked'"; $checked{'LOGUSERAGENT'}{'off'} = ''; $checked{'LOGUSERAGENT'}{'on'} = ''; $checked{'LOGUSERAGENT'}{$proxysettings{'LOGUSERAGENT'}} = "checked='checked'"; $selected{'ERR_LANGUAGE'}{$proxysettings{'ERR_LANGUAGE'}} = "selected='selected'"; $selected{'ERR_DESIGN'}{$proxysettings{'ERR_DESIGN'}} = "selected='selected'"; $checked{'NO_PROXY_LOCAL'}{'off'} = ''; $checked{'NO_PROXY_LOCAL'}{'on'} = ''; $checked{'NO_PROXY_LOCAL'}{$proxysettings{'NO_PROXY_LOCAL'}} = "checked='checked'"; $checked{'NO_PROXY_LOCAL_BLUE'}{'off'} = ''; $checked{'NO_PROXY_LOCAL_BLUE'}{'on'} = ''; $checked{'NO_PROXY_LOCAL_BLUE'}{$proxysettings{'NO_PROXY_LOCAL_BLUE'}} = "checked='checked'"; $checked{'CLASSROOM_EXT'}{'off'} = ''; $checked{'CLASSROOM_EXT'}{'on'} = ''; $checked{'CLASSROOM_EXT'}{$proxysettings{'CLASSROOM_EXT'}} = "checked='checked'"; $selected{'TIME_ACCESS_MODE'}{$proxysettings{'TIME_ACCESS_MODE'}} = "selected='selected'"; $selected{'TIME_FROM_HOUR'}{$proxysettings{'TIME_FROM_HOUR'}} = "selected='selected'"; $selected{'TIME_FROM_MINUTE'}{$proxysettings{'TIME_FROM_MINUTE'}} = "selected='selected'"; $selected{'TIME_TO_HOUR'}{$proxysettings{'TIME_TO_HOUR'}} = "selected='selected'"; $selected{'TIME_TO_MINUTE'}{$proxysettings{'TIME_TO_MINUTE'}} = "selected='selected'"; $proxysettings{'TIME_MON'} = 'on' unless exists $proxysettings{'TIME_MON'}; $proxysettings{'TIME_TUE'} = 'on' unless exists $proxysettings{'TIME_TUE'}; $proxysettings{'TIME_WED'} = 'on' unless exists $proxysettings{'TIME_WED'}; $proxysettings{'TIME_THU'} = 'on' unless exists $proxysettings{'TIME_THU'}; $proxysettings{'TIME_FRI'} = 'on' unless exists $proxysettings{'TIME_FRI'}; $proxysettings{'TIME_SAT'} = 'on' unless exists $proxysettings{'TIME_SAT'}; $proxysettings{'TIME_SUN'} = 'on' unless exists $proxysettings{'TIME_SUN'}; $checked{'TIME_MON'}{'off'} = ''; $checked{'TIME_MON'}{'on'} = ''; $checked{'TIME_MON'}{$proxysettings{'TIME_MON'}} = "checked='checked'"; $checked{'TIME_TUE'}{'off'} = ''; $checked{'TIME_TUE'}{'on'} = ''; $checked{'TIME_TUE'}{$proxysettings{'TIME_TUE'}} = "checked='checked'"; $checked{'TIME_WED'}{'off'} = ''; $checked{'TIME_WED'}{'on'} = ''; $checked{'TIME_WED'}{$proxysettings{'TIME_WED'}} = "checked='checked'"; $checked{'TIME_THU'}{'off'} = ''; $checked{'TIME_THU'}{'on'} = ''; $checked{'TIME_THU'}{$proxysettings{'TIME_THU'}} = "checked='checked'"; $checked{'TIME_FRI'}{'off'} = ''; $checked{'TIME_FRI'}{'on'} = ''; $checked{'TIME_FRI'}{$proxysettings{'TIME_FRI'}} = "checked='checked'"; $checked{'TIME_SAT'}{'off'} = ''; $checked{'TIME_SAT'}{'on'} = ''; $checked{'TIME_SAT'}{$proxysettings{'TIME_SAT'}} = "checked='checked'"; $checked{'TIME_SUN'}{'off'} = ''; $checked{'TIME_SUN'}{'on'} = ''; $checked{'TIME_SUN'}{$proxysettings{'TIME_SUN'}} = "checked='checked'"; $selected{'THROTTLING_GREEN_TOTAL'}{$proxysettings{'THROTTLING_GREEN_TOTAL'}} = "selected='selected'"; $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "selected='selected'"; $selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'"; $selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'"; $checked{'ASNBL_FASTFLUX_DETECTION'}{'off'} = ''; $checked{'ASNBL_FASTFLUX_DETECTION'}{'on'} = ''; $checked{'ASNBL_FASTFLUX_DETECTION'}{$proxysettings{'ASNBL_FASTFLUX_DETECTION'}} = "checked='checked'"; $checked{'ASNBL_SELECANN_DETECTION'}{'off'} = ''; $checked{'ASNBL_SELECANN_DETECTION'}{'on'} = ''; $checked{'ASNBL_SELECANN_DETECTION'}{$proxysettings{'ASNBL_SELECANN_DETECTION'}} = "checked='checked'"; $checked{'ENABLE_MIME_FILTER'}{'off'} = ''; $checked{'ENABLE_MIME_FILTER'}{'on'} = ''; $checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'"; $checked{'AUTH_METHOD'}{'none'} = ''; $checked{'AUTH_METHOD'}{'ncsa'} = ''; $checked{'AUTH_METHOD'}{'ident'} = ''; $checked{'AUTH_METHOD'}{'ldap'} = ''; $checked{'AUTH_METHOD'}{'ntlm-auth'} = ''; $checked{'AUTH_METHOD'}{'radius'} = ''; $checked{'AUTH_METHOD'}{$proxysettings{'AUTH_METHOD'}} = "checked='checked'"; $proxysettings{'AUTH_ALWAYS_REQUIRED'} = 'on' unless exists $proxysettings{'AUTH_ALWAYS_REQUIRED'}; $checked{'AUTH_ALWAYS_REQUIRED'}{'off'} = ''; $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} = ''; $checked{'AUTH_ALWAYS_REQUIRED'}{$proxysettings{'AUTH_ALWAYS_REQUIRED'}} = "checked='checked'"; $checked{'NCSA_BYPASS_REDIR'}{'off'} = ''; $checked{'NCSA_BYPASS_REDIR'}{'on'} = ''; $checked{'NCSA_BYPASS_REDIR'}{$proxysettings{'NCSA_BYPASS_REDIR'}} = "checked='checked'"; $selected{'NCSA_GROUP'}{$proxysettings{'NCSA_GROUP'}} = "selected='selected'"; $selected{'LDAP_TYPE'}{$proxysettings{'LDAP_TYPE'}} = "selected='selected'"; $proxysettings{'NTLM_ENABLE_INT_AUTH'} = 'on' unless exists $proxysettings{'NTLM_ENABLE_INT_AUTH'}; $checked{'NTLM_ENABLE_INT_AUTH'}{'off'} = ''; $checked{'NTLM_ENABLE_INT_AUTH'}{'on'} = ''; $checked{'NTLM_ENABLE_INT_AUTH'}{$proxysettings{'NTLM_ENABLE_INT_AUTH'}} = "checked='checked'"; $checked{'NTLM_ENABLE_ACL'}{'off'} = ''; $checked{'NTLM_ENABLE_ACL'}{'on'} = ''; $checked{'NTLM_ENABLE_ACL'}{$proxysettings{'NTLM_ENABLE_ACL'}} = "checked='checked'"; $checked{'NTLM_USER_ACL'}{'positive'} = ''; $checked{'NTLM_USER_ACL'}{'negative'} = ''; $checked{'NTLM_USER_ACL'}{$proxysettings{'NTLM_USER_ACL'}} = "checked='checked'"; $checked{'NTLM_AUTH_BASIC'}{'on'} = ''; $checked{'NTLM_AUTH_BASIC'}{'off'} = ''; $checked{'NTLM_AUTH_BASIC'}{$proxysettings{'NTLM_AUTH_BASIC'}} = "checked='checked'"; $checked{'RADIUS_ENABLE_ACL'}{'off'} = ''; $checked{'RADIUS_ENABLE_ACL'}{'on'} = ''; $checked{'RADIUS_ENABLE_ACL'}{$proxysettings{'RADIUS_ENABLE_ACL'}} = "checked='checked'"; $checked{'RADIUS_USER_ACL'}{'positive'} = ''; $checked{'RADIUS_USER_ACL'}{'negative'} = ''; $checked{'RADIUS_USER_ACL'}{$proxysettings{'RADIUS_USER_ACL'}} = "checked='checked'"; $checked{'IDENT_REQUIRED'}{'off'} = ''; $checked{'IDENT_REQUIRED'}{'on'} = ''; $checked{'IDENT_REQUIRED'}{$proxysettings{'IDENT_REQUIRED'}} = "checked='checked'"; $checked{'IDENT_ENABLE_ACL'}{'off'} = ''; $checked{'IDENT_ENABLE_ACL'}{'on'} = ''; $checked{'IDENT_ENABLE_ACL'}{$proxysettings{'IDENT_ENABLE_ACL'}} = "checked='checked'"; $checked{'IDENT_USER_ACL'}{'positive'} = ''; $checked{'IDENT_USER_ACL'}{'negative'} = ''; $checked{'IDENT_USER_ACL'}{$proxysettings{'IDENT_USER_ACL'}} = "checked='checked'"; $checked{'ENABLE_FILTER'}{'off'} = ''; $checked{'ENABLE_FILTER'}{'on'} = ''; $checked{'ENABLE_FILTER'}{$proxysettings{'ENABLE_FILTER'}} = "checked='checked'"; $checked{'ENABLE_UPDXLRATOR'}{'off'} = ''; $checked{'ENABLE_UPDXLRATOR'}{'on'} = ''; $checked{'ENABLE_UPDXLRATOR'}{$proxysettings{'ENABLE_UPDXLRATOR'}} = "checked='checked'"; $checked{'ENABLE_CLAMAV'}{'off'} = ''; $checked{'ENABLE_CLAMAV'}{'on'} = ''; $checked{'ENABLE_CLAMAV'}{$proxysettings{'ENABLE_CLAMAV'}} = "checked='checked'"; &Header::openpage($Lang::tr{'advproxy advanced web proxy configuration'}, 1, ''); &Header::openbigbox('100%', 'left', '', $errormessage); if ($errormessage) { &Header::openbox('100%', 'left', $Lang::tr{'error messages'}); print "$errormessage \n"; &Header::closebox(); } if ($squidversion[0] =~ /^Squid\sCache:\sVersion\s/i) { $squidversion[0] =~ s/^Squid\sCache:\sVersion//i; $squidversion[0] =~ s/^\s+//g; $squidversion[0] =~ s/\s+$//g; } else { $squidversion[0] = $Lang::tr{'advproxy unknown'}; } # =================================================================== # Main settings # =================================================================== unless ($proxysettings{'NCSA_EDIT_MODE'} eq 'yes') { print "
\n"; &Header::openbox('100%', 'left', "$Lang::tr{'advproxy advanced web proxy'}"); print < $Lang::tr{'advproxy common settings'} $Lang::tr{'advproxy enabled on'} Green: $Lang::tr{'advproxy proxy port'}: * $Lang::tr{'advproxy transparent on'} Green: $Lang::tr{'advproxy proxy port transparent'}: * END ; if ($netsettings{'BLUE_DEV'}) { print "$Lang::tr{'advproxy enabled on'} Blue:"; print ""; } else { print " "; } print <$Lang::tr{'advproxy visible hostname'}: END ; if ($netsettings{'BLUE_DEV'}) { print "$Lang::tr{'advproxy transparent on'} Blue:"; print ""; } else { print " "; } print <$Lang::tr{'advproxy error language'}:
END ; if ( -e "/usr/bin/squidclamav" ) { print ""; } else { print ""; } print ""; print ""; print <
".$Lang::tr{'advproxy squidclamav'}."
"; if ( ! -e "/var/run/clamav/clamd.pid" ){ print "clamav not running

"; $proxysettings{'ENABLE_CLAMAV'} = 'off'; } else { print $Lang::tr{'advproxy enabled'}."
"; } print "		".$Lang::tr{'advproxy url filter'}."
"; print $Lang::tr{'advproxy enabled'}."
"; print "		".$Lang::tr{'advproxy update accelerator'}."
"; print $Lang::tr{'advproxy enabled'}."
"; print "
$Lang::tr{'advproxy upstream proxy'}
$Lang::tr{'advproxy via forwarding'}: $Lang::tr{'advproxy upstream proxy host:port'}:
$Lang::tr{'advproxy client IP forwarding'}: $Lang::tr{'advproxy upstream username'}:
$Lang::tr{'advproxy username forwarding'}: $Lang::tr{'advproxy upstream password'}:
$Lang::tr{'advproxy no connection auth'}:    
$Lang::tr{'advproxy log settings'}
$Lang::tr{'advproxy log enabled'}: $Lang::tr{'advproxy log query'}:
    $Lang::tr{'advproxy log useragent'}:
$Lang::tr{'advproxy cache management'}
$Lang::tr{'proxy cachemgr'}: $Lang::tr{'advproxy admin mail'}:
$Lang::tr{'proxy filedescriptors'}: * $Lang::tr{'proxy admin password'}:
$Lang::tr{'advproxy ram cache size'}: * $Lang::tr{'advproxy hdd cache size'}: *
$Lang::tr{'advproxy min size'}: * $Lang::tr{'advproxy max size'}: *
$Lang::tr{'advproxy number of L1 dirs'}:
$Lang::tr{'advproxy no cache sites'}:
$Lang::tr{'advproxy memory replacement policy'}:
$Lang::tr{'advproxy cache replacement policy'}:
 
$Lang::tr{'advproxy offline mode'}:
$Lang::tr{'advproxy cache-digest'}:
$Lang::tr{'advproxy destination ports'}
$Lang::tr{'advproxy standard ports'}: * $Lang::tr{'advproxy ssl ports'}: *
END ; $line = $Lang::tr{'advproxy no internal proxy on green'}; $line =~ s/Green/Green<\/font>/i; print "\n"; print < END ; if ($netsettings{'BLUE_DEV'}) { $line = $Lang::tr{'advproxy no internal proxy on blue'}; $line =~ s/Blue/Blue<\/font>/i; print "\n"; print "\n"; print < END ; } print <
$Lang::tr{'advproxy network based access'}
$Lang::tr{'advproxy allowed subnets'}: *
$line:
$line:
 
 
$Lang::tr{'advproxy unrestricted ip clients'}: $Lang::tr{'advproxy unrestricted mac clients'}:
$Lang::tr{'advproxy banned ip clients'}: $Lang::tr{'advproxy banned mac clients'}:
END ; # ------------------------------------------------------------------- # CRE GUI - optional # ------------------------------------------------------------------- if (-e $cre_enabled) { print < $Lang::tr{'advproxy classroom extensions'} $Lang::tr{'advproxy enabled'}: END ; if ($proxysettings{'CLASSROOM_EXT'} eq 'on'){ print <$Lang::tr{'advproxy supervisor password'}: $Lang::tr{'advproxy cre group definitions'}: $Lang::tr{'advproxy cre supervisors'}: END ; } print ""; if ($proxysettings{'CLASSROOM_EXT'} eq 'on'){ print < END ; } print "
"; } else { print < END ; } # =================================================================== # WPAD settings # =================================================================== print < $Lang::tr{'advproxy wpad title'} $Lang::tr{'advproxy wpad label dst_noproxy_ip'}: $Lang::tr{'advproxy wpad label dst_noproxy_url'}: $Lang::tr{'advproxy wpad example dst_noproxy_ip'} $Lang::tr{'advproxy wpad example dst_noproxy_url'}   $Lang::tr{'advproxy wpad view pac'}: http://$ENV{SERVER_ADDR}:81/wpad.dat  
END ; # ------------------------------------------------------------------- print < $Lang::tr{'advproxy time restrictions'}
$Lang::tr{'advproxy access'}   $Lang::tr{'advproxy monday'} $Lang::tr{'advproxy tuesday'} $Lang::tr{'advproxy wednesday'} $Lang::tr{'advproxy thursday'} $Lang::tr{'advproxy friday'} $Lang::tr{'advproxy saturday'} $Lang::tr{'advproxy sunday'}    $Lang::tr{'advproxy from'}   $Lang::tr{'advproxy to'}  
    : - :
$Lang::tr{'advproxy transfer limits'}
$Lang::tr{'advproxy max download size'}: * $Lang::tr{'advproxy max upload size'}: *
END ; if ($netsettings{'BLUE_DEV'}) { print < END ; } print <
$Lang::tr{'advproxy download throttling'}
$Lang::tr{'advproxy throttling total on'} Green: $Lang::tr{'advproxy throttling per host on'} Green:
$Lang::tr{'advproxy throttling total on'} Blue: $Lang::tr{'advproxy throttling per host on'} Blue:
END ; if ( $proxysettings{'ENABLE_MIME_FILTER'} eq 'on' ){ print < END ; } print <
$Lang::tr{'advproxy MIME filter'} $Lang::tr{'advproxy enabled'}:
$Lang::tr{'advproxy MIME block types'}:    
   
$Lang::tr{'advproxy asbased anomaly detection'}
$Lang::tr{'advproxy fastflux detection'}: $Lang::tr{'advproxy fastflux detection threshold'}:
$Lang::tr{'advproxy selectively announcements detection'}:
END ; my $auth_columns = 5; if ($HAVE_NTLM_AUTH) { $auth_columns++; } my $auth_column_width = 100 / $auth_columns; print < $Lang::tr{'advproxy AUTH method'} $Lang::tr{'advproxy AUTH method none'} $Lang::tr{'advproxy AUTH method ncsa'} $Lang::tr{'advproxy AUTH method ident'} $Lang::tr{'advproxy AUTH method ldap'} END if ($HAVE_NTLM_AUTH) { print <$Lang::tr{'advproxy AUTH method ntlm auth'} END } print <$Lang::tr{'advproxy AUTH method radius'} END ; if (!($proxysettings{'AUTH_METHOD'} eq 'none')) { if (!($proxysettings{'AUTH_METHOD'} eq 'ident')) { print <
$Lang::tr{'advproxy AUTH global settings'}
$Lang::tr{'advproxy AUTH number of auth processes'}:
$Lang::tr{'advproxy AUTH realm'}:
$Lang::tr{'advproxy AUTH no auth'}:
$Lang::tr{'advproxy AUTH auth cache TTL'}:
$Lang::tr{'advproxy AUTH limit of IP addresses'}:
$Lang::tr{'advproxy AUTH user IP cache TTL'}:
$Lang::tr{'advproxy AUTH always required'}:
 
END ; } # =================================================================== # NCSA auth settings # =================================================================== if ($proxysettings{'AUTH_METHOD'} eq 'ncsa') { print <
$Lang::tr{'advproxy NCSA auth'}
$Lang::tr{'advproxy NCSA min password length'}: $Lang::tr{'advproxy NCSA redirector bypass'} \'$Lang::tr{'advproxy NCSA grp extended'}\':

 		    
END ; } # =================================================================== # IDENTD auth settings # =================================================================== if ($proxysettings{'AUTH_METHOD'} eq 'ident') { print <
$Lang::tr{'advproxy IDENT identd settings'}
$Lang::tr{'advproxy IDENT required'}: $Lang::tr{'advproxy AUTH always required'}:
$Lang::tr{'advproxy IDENT timeout'}:    
$Lang::tr{'advproxy IDENT aware hosts'}: $Lang::tr{'advproxy AUTH no auth'}:
$Lang::tr{'advproxy IDENT user based access restrictions'}
$Lang::tr{'advproxy enabled'}:    
$Lang::tr{'advproxy IDENT use positive access list'}: $Lang::tr{'advproxy IDENT use negative access list'}:
$Lang::tr{'advproxy IDENT authorized users'} $Lang::tr{'advproxy IDENT unauthorized users'}
END ; } # =================================================================== # NTLM-AUTH settings # =================================================================== if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth') { print <
$Lang::tr{'advproxy basic authentication'}:  
$Lang::tr{'advproxy group access control'}
$Lang::tr{'advproxy group required'}:    
END } # =================================================================== # LDAP auth settings # =================================================================== if ($proxysettings{'AUTH_METHOD'} eq 'ldap') { print <
$Lang::tr{'advproxy LDAP common settings'}
$Lang::tr{'advproxy LDAP basedn'}: $Lang::tr{'advproxy LDAP type'}:
$Lang::tr{'advproxy LDAP server'}: $Lang::tr{'advproxy LDAP port'}:
$Lang::tr{'advproxy LDAP binddn settings'}
$Lang::tr{'advproxy LDAP binddn username'}: $Lang::tr{'advproxy LDAP binddn password'}:
$Lang::tr{'advproxy LDAP group access control'}
$Lang::tr{'advproxy LDAP group required'}:    
END ; } # =================================================================== # RADIUS auth settings # =================================================================== if ($proxysettings{'AUTH_METHOD'} eq 'radius') { print <
$Lang::tr{'advproxy RADIUS radius settings'}
$Lang::tr{'advproxy RADIUS server'}: $Lang::tr{'advproxy RADIUS port'}:
$Lang::tr{'advproxy RADIUS identifier'}: $Lang::tr{'advproxy RADIUS secret'}:
$Lang::tr{'advproxy RADIUS user based access restrictions'}
$Lang::tr{'advproxy enabled'}:    
$Lang::tr{'advproxy RADIUS use positive access list'}: $Lang::tr{'advproxy RADIUS use negative access list'}:
$Lang::tr{'advproxy RADIUS authorized users'} $Lang::tr{'advproxy RADIUS unauthorized users'}
END ; } # =================================================================== } print "\n"; if ($proxysettings{'AUTH_METHOD'} eq 'none') { print < END ; } if ($proxysettings{'AUTH_METHOD'} eq 'ident') { print < END ; } if (!($proxysettings{'AUTH_METHOD'} eq 'ncsa')) { print < END ; } if (!($proxysettings{'AUTH_METHOD'} eq 'ident')) { print < END ; } if (!($proxysettings{'AUTH_METHOD'} eq 'ldap')) { print < END ; } if (!($proxysettings{'AUTH_METHOD'} eq 'radius')) { print < END ; } print "
\n"; print < END ; print <    
* $Lang::tr{'required field'}  
END ; &Header::closebox(); } else { # =================================================================== # NCSA user management # =================================================================== &Header::openbox('100%', 'left', "$Lang::tr{'advproxy NCSA auth'}"); print <
$Lang::tr{'advproxy NCSA user management'}
$Lang::tr{'advproxy NCSA username'}: $Lang::tr{'advproxy NCSA group'}:
$Lang::tr{'advproxy NCSA password'}: $Lang::tr{'advproxy NCSA password confirm'}:

END ; if ($proxysettings{'ACTION'} eq $Lang::tr{'edit'}) { print "\n"; } print < 
   
$Lang::tr{'advproxy NCSA user accounts'}:
END ; if (-e $extgrp) { open(FILE, $extgrp); @grouplist = ; close(FILE); foreach $user (@grouplist) { chomp($user); push(@userlist,$user.":extended"); } } if (-e $stdgrp) { open(FILE, $stdgrp); @grouplist = ; close(FILE); foreach $user (@grouplist) { chomp($user); push(@userlist,$user.":standard"); } } if (-e $disgrp) { open(FILE, $disgrp); @grouplist = ; close(FILE); foreach $user (@grouplist) { chomp($user); push(@userlist,$user.":disabled"); } } @userlist = sort(@userlist); # If the password file contains entries, print entries and action icons if ( ! -z "$userdb" ) { print < END ; $id = 0; foreach $line (@userlist) { $id++; chomp($line); @temp = split(/:/,$line); if($proxysettings{'ACTION'} eq $Lang::tr{'edit'} && $proxysettings{'ID'} eq $line) { print "\n"; } elsif ($id % 2) { print "\n"; } else { print "\n"; } print <$temp[0] END ; } print <
$Lang::tr{'advproxy NCSA username'} $Lang::tr{'advproxy NCSA group membership'}  
END ; if ($temp[1] eq 'standard') { print $Lang::tr{'advproxy NCSA grp standard'}; } elsif ($temp[1] eq 'extended') { print $Lang::tr{'advproxy NCSA grp extended'}; } elsif ($temp[1] eq 'disabled') { print $Lang::tr{'advproxy NCSA grp disabled'}; } print <
END ; } else { print < END ; } print < END ; &Header::closebox(); } # =================================================================== &Header::closebigbox(); &Header::closepage(); # ------------------------------------------------------------------- sub read_acls { if (-e "$acl_src_subnets") { open(FILE,"$acl_src_subnets"); delete $proxysettings{'SRC_SUBNETS'}; while () { $proxysettings{'SRC_SUBNETS'} .= $_ }; close(FILE); } if (-e "$acl_src_banned_ip") { open(FILE,"$acl_src_banned_ip"); delete $proxysettings{'SRC_BANNED_IP'}; while () { $proxysettings{'SRC_BANNED_IP'} .= $_ }; close(FILE); } if (-e "$acl_src_banned_mac") { open(FILE,"$acl_src_banned_mac"); delete $proxysettings{'SRC_BANNED_MAC'}; while () { $proxysettings{'SRC_BANNED_MAC'} .= $_ }; close(FILE); } if (-e "$acl_src_unrestricted_ip") { open(FILE,"$acl_src_unrestricted_ip"); delete $proxysettings{'SRC_UNRESTRICTED_IP'}; while () { $proxysettings{'SRC_UNRESTRICTED_IP'} .= $_ }; close(FILE); } if (-e "$acl_src_unrestricted_mac") { open(FILE,"$acl_src_unrestricted_mac"); delete $proxysettings{'SRC_UNRESTRICTED_MAC'}; while () { $proxysettings{'SRC_UNRESTRICTED_MAC'} .= $_ }; close(FILE); } if (-e "$acl_dst_nocache") { open(FILE,"$acl_dst_nocache"); delete $proxysettings{'DST_NOCACHE'}; while () { $proxysettings{'DST_NOCACHE'} .= $_ }; close(FILE); } if (-e "$acl_dst_noauth") { open(FILE,"$acl_dst_noauth"); delete $proxysettings{'DST_NOAUTH'}; while () { $proxysettings{'DST_NOAUTH'} .= $_ }; close(FILE); } if (-e "$acl_dst_noproxy_ip") { open(FILE,"$acl_dst_noproxy_ip"); delete $proxysettings{'DST_NOPROXY_IP'}; while () { $proxysettings{'DST_NOPROXY_IP'} .= $_ }; close(FILE); } if (-e "$acl_dst_noproxy_url") { open(FILE,"$acl_dst_noproxy_url"); delete $proxysettings{'DST_NOPROXY_URL'}; while () { $proxysettings{'DST_NOPROXY_URL'} .= $_ }; close(FILE); } if (-e "$acl_ports_safe") { open(FILE,"$acl_ports_safe"); delete $proxysettings{'PORTS_SAFE'}; while () { $proxysettings{'PORTS_SAFE'} .= $_ }; close(FILE); } if (-e "$acl_ports_ssl") { open(FILE,"$acl_ports_ssl"); delete $proxysettings{'PORTS_SSL'}; while () { $proxysettings{'PORTS_SSL'} .= $_ }; close(FILE); } if (-e "$mimetypes") { open(FILE,"$mimetypes"); delete $proxysettings{'MIME_TYPES'}; while () { $proxysettings{'MIME_TYPES'} .= $_ }; close(FILE); } if (-e "$raddir/radauth.allowusers") { open(FILE,"$raddir/radauth.allowusers"); delete $proxysettings{'RADIUS_ALLOW_USERS'}; while () { $proxysettings{'RADIUS_ALLOW_USERS'} .= $_ }; close(FILE); } if (-e "$raddir/radauth.denyusers") { open(FILE,"$raddir/radauth.denyusers"); delete $proxysettings{'RADIUS_DENY_USERS'}; while () { $proxysettings{'RADIUS_DENY_USERS'} .= $_ }; close(FILE); } if (-e "$identdir/identauth.allowusers") { open(FILE,"$identdir/identauth.allowusers"); delete $proxysettings{'IDENT_ALLOW_USERS'}; while () { $proxysettings{'IDENT_ALLOW_USERS'} .= $_ }; close(FILE); } if (-e "$identdir/identauth.denyusers") { open(FILE,"$identdir/identauth.denyusers"); delete $proxysettings{'IDENT_DENY_USERS'}; while () { $proxysettings{'IDENT_DENY_USERS'} .= $_ }; close(FILE); } if (-e "$identhosts") { open(FILE,"$identhosts"); delete $proxysettings{'IDENT_HOSTS'}; while () { $proxysettings{'IDENT_HOSTS'} .= $_ }; close(FILE); } if (-e "$cre_groups") { open(FILE,"$cre_groups"); delete $proxysettings{'CRE_GROUPS'}; while () { $proxysettings{'CRE_GROUPS'} .= $_ }; close(FILE); } if (-e "$cre_svhosts") { open(FILE,"$cre_svhosts"); delete $proxysettings{'CRE_SVHOSTS'}; while () { $proxysettings{'CRE_SVHOSTS'} .= $_ }; close(FILE); } } # ------------------------------------------------------------------- sub check_acls { @temp = split(/\n/,$proxysettings{'PORTS_SAFE'}); undef $proxysettings{'PORTS_SAFE'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $line = $_; if (/^[^#]+\s+#\sSquids\sport/) { s/(^[^#]+)(\s+#\sSquids\sport)/$proxysettings{'PROXY_PORT'}\2/; $line=$_; } s/#.*//g; s/\s+//g; if (/.*-.*-.*/) { $errormessage = $Lang::tr{'advproxy errmsg invalid destination port'}; } @templist = split(/-/); foreach (@templist) { unless (&General::validport($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid destination port'}; } } $proxysettings{'PORTS_SAFE'} .= $line."\n"; } } @temp = split(/\n/,$proxysettings{'PORTS_SSL'}); undef $proxysettings{'PORTS_SSL'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $line = $_; s/#.*//g; s/\s+//g; if (/.*-.*-.*/) { $errormessage = $Lang::tr{'advproxy errmsg invalid destination port'}; } @templist = split(/-/); foreach (@templist) { unless (&General::validport($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid destination port'}; } } $proxysettings{'PORTS_SSL'} .= $line."\n"; } } @temp = split(/\n/,$proxysettings{'DST_NOCACHE'}); undef $proxysettings{'DST_NOCACHE'}; foreach (@temp) { s/^\s+//g; unless (/^#/) { s/\s+//g; } if ($_) { if (/^\./) { $_ = '*'.$_; } unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); } $proxysettings{'DST_NOCACHE'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'SRC_SUBNETS'}); undef $proxysettings{'SRC_SUBNETS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { unless (&Network::check_subnet($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'} . ": $_"; } $proxysettings{'SRC_SUBNETS'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'SRC_BANNED_IP'}); undef $proxysettings{'SRC_BANNED_IP'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'}; } $proxysettings{'SRC_BANNED_IP'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'SRC_BANNED_MAC'}); undef $proxysettings{'SRC_BANNED_MAC'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; s/-/:/g; if ($_) { unless (&General::validmac($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid mac'}; } $proxysettings{'SRC_BANNED_MAC'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'SRC_UNRESTRICTED_IP'}); undef $proxysettings{'SRC_UNRESTRICTED_IP'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'}; } $proxysettings{'SRC_UNRESTRICTED_IP'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'SRC_UNRESTRICTED_MAC'}); undef $proxysettings{'SRC_UNRESTRICTED_MAC'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; s/-/:/g; if ($_) { unless (&General::validmac($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid mac'}; } $proxysettings{'SRC_UNRESTRICTED_MAC'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'DST_NOAUTH'}); undef $proxysettings{'DST_NOAUTH'}; foreach (@temp) { s/^\s+//g; unless (/^#/) { s/\s+//g; } if ($_) { if (/^\./) { $_ = '*'.$_; } $proxysettings{'DST_NOAUTH'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'DST_NOPROXY_IP'}); undef $proxysettings{'DST_NOPROXY_IP'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg wpad invalid ip or mask'}; } $proxysettings{'DST_NOPROXY_IP'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'DST_NOPROXY_URL'}); undef $proxysettings{'DST_NOPROXY_URL'}; foreach (@temp) { s/^\s+//g; unless (/^#/) { s/\s+//g; } if ($_) { if (/^\./) { $_ = '*'.$_; } unless (&General::validwildcarddomainname($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid url'} . ": " . &Header::escape($_); } $proxysettings{'DST_NOPROXY_URL'} .= $_."\n"; } } if (($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') && ($proxysettings{'NTLM_USER_ACL'} eq 'positive')) { @temp = split(/\n/,$proxysettings{'NTLM_ALLOW_USERS'}); undef $proxysettings{'NTLM_ALLOW_USERS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $proxysettings{'NTLM_ALLOW_USERS'} .= $_."\n"; } } if ($proxysettings{'NTLM_ALLOW_USERS'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg acl cannot be empty'}; } } if (($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') && ($proxysettings{'NTLM_USER_ACL'} eq 'negative')) { @temp = split(/\n/,$proxysettings{'NTLM_DENY_USERS'}); undef $proxysettings{'NTLM_DENY_USERS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $proxysettings{'NTLM_DENY_USERS'} .= $_."\n"; } } if ($proxysettings{'NTLM_DENY_USERS'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg acl cannot be empty'}; } } if (($proxysettings{'IDENT_ENABLE_ACL'} eq 'on') && ($proxysettings{'IDENT_USER_ACL'} eq 'positive')) { @temp = split(/\n/,$proxysettings{'IDENT_ALLOW_USERS'}); undef $proxysettings{'IDENT_ALLOW_USERS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $proxysettings{'IDENT_ALLOW_USERS'} .= $_."\n"; } } if ($proxysettings{'IDENT_ALLOW_USERS'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg acl cannot be empty'}; } } if (($proxysettings{'IDENT_ENABLE_ACL'} eq 'on') && ($proxysettings{'IDENT_USER_ACL'} eq 'negative')) { @temp = split(/\n/,$proxysettings{'IDENT_DENY_USERS'}); undef $proxysettings{'IDENT_DENY_USERS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $proxysettings{'IDENT_DENY_USERS'} .= $_."\n"; } } if ($proxysettings{'IDENT_DENY_USERS'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg acl cannot be empty'}; } } if (($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on') && ($proxysettings{'RADIUS_USER_ACL'} eq 'positive')) { @temp = split(/\n/,$proxysettings{'RADIUS_ALLOW_USERS'}); undef $proxysettings{'RADIUS_ALLOW_USERS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $proxysettings{'RADIUS_ALLOW_USERS'} .= $_."\n"; } } if ($proxysettings{'RADIUS_ALLOW_USERS'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg acl cannot be empty'}; } } if (($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on') && ($proxysettings{'RADIUS_USER_ACL'} eq 'negative')) { @temp = split(/\n/,$proxysettings{'RADIUS_DENY_USERS'}); undef $proxysettings{'RADIUS_DENY_USERS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { $proxysettings{'RADIUS_DENY_USERS'} .= $_."\n"; } } if ($proxysettings{'RADIUS_DENY_USERS'} eq '') { $errormessage = $Lang::tr{'advproxy errmsg acl cannot be empty'}; } } @temp = split(/\n/,$proxysettings{'IDENT_HOSTS'}); undef $proxysettings{'IDENT_HOSTS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'}; } $proxysettings{'IDENT_HOSTS'} .= $_."\n"; } } @temp = split(/\n/,$proxysettings{'CRE_SVHOSTS'}); undef $proxysettings{'CRE_SVHOSTS'}; foreach (@temp) { s/^\s+//g; s/\s+$//g; if ($_) { unless (&General::validipormask($_)) { $errormessage = $Lang::tr{'advproxy errmsg invalid ip or mask'}; } $proxysettings{'CRE_SVHOSTS'} .= $_."\n"; } } } # ------------------------------------------------------------------- sub write_acls { open(FILE, ">$acl_src_subnets"); flock(FILE, 2); if (!$proxysettings{'SRC_SUBNETS'}) { if (&Header::green_used()) { print FILE "$green_cidr\n"; } if (&Header::blue_used()) { print FILE "$blue_cidr\n"; } } else { print FILE $proxysettings{'SRC_SUBNETS'}; } close(FILE); open(FILE, ">$acl_src_banned_ip"); flock(FILE, 2); print FILE $proxysettings{'SRC_BANNED_IP'}; close(FILE); open(FILE, ">$acl_src_banned_mac"); flock(FILE, 2); print FILE $proxysettings{'SRC_BANNED_MAC'}; close(FILE); open(FILE, ">$acl_src_unrestricted_ip"); flock(FILE, 2); print FILE $proxysettings{'SRC_UNRESTRICTED_IP'}; close(FILE); open(FILE, ">$acl_src_unrestricted_mac"); flock(FILE, 2); print FILE $proxysettings{'SRC_UNRESTRICTED_MAC'}; close(FILE); open(FILE, ">$acl_dst_noauth"); flock(FILE, 2); print FILE $proxysettings{'DST_NOAUTH'}; close(FILE); open(FILE, ">$acl_dst_noproxy_ip"); flock(FILE, 2); print FILE $proxysettings{'DST_NOPROXY_IP'}; close(FILE); open(FILE, ">$acl_dst_noproxy_url"); flock(FILE, 2); print FILE $proxysettings{'DST_NOPROXY_URL'}; close(FILE); open(FILE, ">$acl_dst_noauth_net"); close(FILE); open(FILE, ">$acl_dst_noauth_dom"); close(FILE); open(FILE, ">$acl_dst_noauth_url"); close(FILE); @temp = split(/\n/,$proxysettings{'DST_NOAUTH'}); foreach(@temp) { unless (/^#/) { if (/^\*\.\w/) { s/^\*//; open(FILE, ">>$acl_dst_noauth_dom"); flock(FILE, 2); print FILE "$_\n"; close(FILE); } elsif (&General::validipormask($_)) { open(FILE, ">>$acl_dst_noauth_net"); flock(FILE, 2); print FILE "$_\n"; close(FILE); } elsif (/\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?-\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?/) { open(FILE, ">>$acl_dst_noauth_net"); flock(FILE, 2); print FILE "$_\n"; close(FILE); } else { open(FILE, ">>$acl_dst_noauth_url"); flock(FILE, 2); if (/^[fh]tt?ps?:\/\//) { print FILE "$_\n"; } else { print FILE "^[fh]tt?ps?://$_\n"; } close(FILE); } } } open(FILE, ">$acl_dst_nocache"); flock(FILE, 2); print FILE $proxysettings{'DST_NOCACHE'}; close(FILE); open(FILE, ">$acl_dst_nocache_net"); close(FILE); open(FILE, ">$acl_dst_nocache_dom"); close(FILE); open(FILE, ">$acl_dst_nocache_url"); close(FILE); @temp = split(/\n/,$proxysettings{'DST_NOCACHE'}); foreach(@temp) { unless (/^#/) { if (/^\*\.\w/) { s/^\*//; open(FILE, ">>$acl_dst_nocache_dom"); flock(FILE, 2); print FILE "$_\n"; close(FILE); } elsif (&General::validipormask($_)) { open(FILE, ">>$acl_dst_nocache_net"); flock(FILE, 2); print FILE "$_\n"; close(FILE); } elsif (/\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?-\d\d?\d?\.\d\d?\d?\.\d\d?\d?\.\d\d?\d?/) { open(FILE, ">>$acl_dst_nocache_net"); flock(FILE, 2); print FILE "$_\n"; close(FILE); } else { open(FILE, ">>$acl_dst_nocache_url"); flock(FILE, 2); if (/^[fh]tt?ps?:\/\//) { print FILE "$_\n"; } else { print FILE "^[fh]tt?ps?://$_\n"; } close(FILE); } } } open(FILE, ">$acl_ports_safe"); flock(FILE, 2); if (!$proxysettings{'PORTS_SAFE'}) { print FILE $def_ports_safe; } else { print FILE $proxysettings{'PORTS_SAFE'}; } close(FILE); open(FILE, ">$acl_ports_ssl"); flock(FILE, 2); if (!$proxysettings{'PORTS_SSL'}) { print FILE $def_ports_ssl; } else { print FILE $proxysettings{'PORTS_SSL'}; } close(FILE); if (-s $throttled_urls) { open(URLFILE, $throttled_urls); @temp = ; close(URLFILE); foreach (@temp) { print FILE; } } close(FILE); open(FILE, ">$mimetypes"); flock(FILE, 2); print FILE $proxysettings{'MIME_TYPES'}; close(FILE); open(FILE, ">$raddir/radauth.allowusers"); flock(FILE, 2); print FILE $proxysettings{'RADIUS_ALLOW_USERS'}; close(FILE); open(FILE, ">$raddir/radauth.denyusers"); flock(FILE, 2); print FILE $proxysettings{'RADIUS_DENY_USERS'}; close(FILE); open(FILE, ">$identdir/identauth.allowusers"); flock(FILE, 2); print FILE $proxysettings{'IDENT_ALLOW_USERS'}; close(FILE); open(FILE, ">$identdir/identauth.denyusers"); flock(FILE, 2); print FILE $proxysettings{'IDENT_DENY_USERS'}; close(FILE); open(FILE, ">$identhosts"); flock(FILE, 2); print FILE $proxysettings{'IDENT_HOSTS'}; close(FILE); open(FILE, ">$cre_groups"); flock(FILE, 2); print FILE $proxysettings{'CRE_GROUPS'}; close(FILE); open(FILE, ">$cre_svhosts"); flock(FILE, 2); print FILE $proxysettings{'CRE_SVHOSTS'}; close(FILE); } # ------------------------------------------------------------------- sub writepacfile { my %vpnconfig=(); my %ovpnconfig=(); &General::readhasharray("${General::swroot}/vpn/config", \%vpnconfig); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%ovpnconfig); open(FILE, ">/srv/web/ipfire/html/proxy.pac"); flock(FILE, 2); print FILE "function FindProxyForURL(url, host)\n"; print FILE "{\n"; if (($proxysettings{'ENABLE'} eq 'on') || ($proxysettings{'ENABLE_BLUE'} eq 'on')) { print FILE < # e.g. *.ipfire.org* if (-s "$acl_dst_noproxy_url") { undef @templist; open(NOPROXY,"$acl_dst_noproxy_url"); @templist = ; close(NOPROXY); chomp (@templist); foreach (@templist) { print FILE " (shExpMatch(url, \"$_\")) ||\n"; } } # Additional exceptions for Subnets # The file has to be created by the user and should contain one entry per line # Line-Format: / # e.g. 192.168.0.0/255.255.255.0 if (-s "$acl_dst_noproxy_ip") { undef @templist; open(NOPROXY,"$acl_dst_noproxy_ip"); @templist = ; close(NOPROXY); chomp (@templist); foreach (@templist) { @temp = split(/\//); print FILE " (isInNet(host, \"$temp[0]\", \"$temp[1]\")) ||\n"; } } foreach my $key (sort { uc($vpnconfig{$a}[1]) cmp uc($vpnconfig{$b}[1]) } keys %vpnconfig) { if ($vpnconfig{$key}[0] eq 'on' && $vpnconfig{$key}[3] ne 'host') { my @networks = split(/\|/, $vpnconfig{$key}[11]); foreach my $network (@networks) { my ($vpnip, $vpnsub) = split("/", $network); $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub; next if ($vpnip eq "0.0.0.0" || $vpnsub eq "0.0.0.0"); print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n"; } } } foreach my $key (sort { uc($ovpnconfig{$a}[1]) cmp uc($ovpnconfig{$b}[1]) } keys %ovpnconfig) { if ($ovpnconfig{$key}[0] eq 'on' && $ovpnconfig{$key}[3] ne 'host') { my @networks = split(/\|/, $ovpnconfig{$key}[11]); foreach my $network (@networks) { my ($vpnip, $vpnsub) = split("/", $network); $vpnsub = &Network::convert_prefix2netmask($vpnsub) || $vpnsub; next if ($vpnip eq "0.0.0.0" || $vpnsub eq "0.0.0.0"); print FILE " (isInNet(host, \"$vpnip\", \"$vpnsub\")) ||\n"; } } } print FILE <; close(SUBNETS); } foreach (@templist) { @temp = split(/\//); if ( ($temp[0] ne $netsettings{'GREEN_NETADDRESS'}) && ($temp[1] ne $netsettings{'GREEN_NETMASK'}) && ($temp[0] ne $netsettings{'BLUE_NETADDRESS'}) && ($temp[1] ne $netsettings{'BLUE_NETMASK'}) ) { chomp $temp[1]; my $tempmask = &Network::convert_prefix2netmask($temp[1]); print FILE " ||\n (isInNet(myIpAddress(), \"$temp[0]\", \"$tempmask\"))"; } } print FILE "\n"; print FILE <${General::swroot}/proxy/squid.conf"); flock(FILE, 2); print FILE < 0) || ($proxysettings{'CACHE_MEM'} > 0)) { print FILE "\n"; if (!-z $acl_dst_nocache_dom) { print FILE "acl no_cache_domains dstdomain \"$acl_dst_nocache_dom\"\n"; print FILE "cache deny no_cache_domains\n"; } if (!-z $acl_dst_nocache_net) { print FILE "acl no_cache_ipaddr dst \"$acl_dst_nocache_net\"\n"; print FILE "cache deny no_cache_ipaddr\n"; } if (!-z $acl_dst_nocache_url) { print FILE "acl no_cache_hosts url_regex -i \"$acl_dst_nocache_url\"\n"; print FILE "cache deny no_cache_hosts\n"; } } print FILE <; close PORTS; if (@ssl_ports) { foreach (@ssl_ports) { print FILE "acl SSL_ports port $_"; } } open (PORTS,"$acl_ports_safe"); my @safe_ports = ; close PORTS; if (@safe_ports) { foreach (@safe_ports) { print FILE "acl Safe_ports port $_"; } } print FILE < 0) { print FILE < 0) { # always 2% of CACHE_MEM defined as max object size print FILE "maximum_object_size_in_memory " . int($proxysettings{'CACHE_MEM'} * 1024 * 0.02) . " KB\n\n"; } else { print FILE "cache deny all\n\n"; } } print FILE < 0) { if (!-z $acl_src_unrestricted_ip) { print FILE "reply_body_max_size none IPFire_unrestricted_ips\n"; } if (!-z $acl_src_unrestricted_mac) { print FILE "reply_body_max_size none IPFire_unrestricted_mac\n"; } if ($proxysettings{'AUTH_METHOD'} eq 'ncsa') { if (!-z $extgrp) { print FILE "reply_body_max_size none for_extended_users\n"; } } } if ( $proxysettings{'MAX_INCOMING_SIZE'} != '0' ) { print FILE "reply_body_max_size $proxysettings{'MAX_INCOMING_SIZE'} KB all\n\n"; } if ($proxysettings{'LOGGING'} eq 'on') { print FILE <) { $_ =~ s/__GREEN_IP__/$netsettings{'GREEN_ADDRESS'}/; $_ =~ s/__GREEN_NET__/$green_cidr/; $_ =~ s/__BLUE_IP__/$blue_ip/; $_ =~ s/__BLUE_NET__/$blue_net/; $_ =~ s/__PROXY_PORT__/$proxysettings{'PROXY_PORT'}/; print FILE $_; } print FILE "\n#End of custom includes\n"; close (ACL); } if ((!-z $extgrp) && ($proxysettings{'AUTH_METHOD'} eq 'ncsa') && ($proxysettings{'NCSA_BYPASS_REDIR'} eq 'on')) { print FILE "\nredirector_access deny for_extended_users\n"; } # Check if squidclamav is enabled. if ($proxysettings{'ENABLE_CLAMAV'} eq 'on') { print FILE "\n#Settings for squidclamav:\n"; print FILE "http_port 127.0.0.1:$proxysettings{'PROXY_PORT'}\n"; print FILE "acl purge method PURGE\n"; print FILE "http_access deny to_localhost\n"; print FILE "http_access allow localhost\n"; print FILE "http_access allow purge localhost\n"; print FILE "http_access deny purge\n"; print FILE "url_rewrite_access deny localhost\n"; } print FILE <${General::swroot}/proxy/asnbl-helper.conf"); flock(ASNBLFILE, 2); print ASNBLFILE<; close(FILE); foreach $line (@groupmembers) { if ($line =~ /^$str_user:/i) { $str_pass = substr($line,index($line,":")); } } &deluser($str_user); open(FILE, ">>$userdb"); flock FILE,2; print FILE "$str_user$str_pass"; close(FILE); } else { &deluser($str_user); my %htpasswd_options = ( passwdFile => "$userdb", UseMD5 => 1, ); my $htpasswd = new Apache::Htpasswd(\%htpasswd_options); $htpasswd->htpasswd($str_user, $str_pass); } if ($str_group eq 'standard') { open(FILE, ">>$stdgrp"); } elsif ($str_group eq 'extended') { open(FILE, ">>$extgrp"); } elsif ($str_group eq 'disabled') { open(FILE, ">>$disgrp"); } flock FILE, 2; print FILE "$str_user\n"; close(FILE); return; } # ------------------------------------------------------------------- sub deluser { my ($str_user) = @_; my $groupfile=''; my @groupmembers=(); my @templist=(); foreach $groupfile ($stdgrp, $extgrp, $disgrp) { undef @templist; open(FILE, "$groupfile"); @groupmembers = ; close(FILE); foreach $line (@groupmembers) { if (!($line =~ /^$str_user$/i)) { push(@templist, $line); } } open(FILE, ">$groupfile"); flock FILE, 2; print FILE @templist; close(FILE); } undef @templist; open(FILE, "$userdb"); @groupmembers = ; close(FILE); foreach $line (@groupmembers) { if (!($line =~ /^$str_user:/i)) { push(@templist, $line); } } open(FILE, ">$userdb"); flock FILE, 2; print FILE @templist; close(FILE); return; } # ------------------------------------------------------------------- sub writecachemgr { open(FILE, ">${General::swroot}/proxy/cachemgr.conf"); flock(FILE, 2); if (&Header::green_used()) { print FILE "$netsettings{'GREEN_ADDRESS'}:$proxysettings{'PROXY_PORT'}\n"; } print FILE "localhost"; close(FILE); return; } # -------------------------------------------------------------------
  $Lang::tr{'legend'}:     $Lang::tr{ $Lang::tr{'edit'}     $Lang::tr{ $Lang::tr{'remove'}
$Lang::tr{'advproxy NCSA no accounts'}