-rw-r--r--Makefile2
-rw-r--r--config.mk1
-rw-r--r--dansguardian-general-html.lsp3
-rw-r--r--squid-authentication-html.lsp3
-rw-r--r--squid-basic-html.lsp2
-rw-r--r--squid-controller.lua43
-rw-r--r--squid-dep-html.lsp16
-rw-r--r--squid-digest-html.lsp29
-rw-r--r--squid-model.lua92
-rw-r--r--squid-ntlm-html.lsp58
-rw-r--r--squid-saccess-html.lsp43
-rw-r--r--squid.conf.template111
12 files changed, 392 insertions, 11 deletions
diff --git a/Makefile b/Makefile
index dea7623..7fba0d0 100644
--- a/Makefile
+++ b/Makefile
@@ -10,6 +10,7 @@ APP_DIST=squid-controller.lua \
squid-digest-html.lsp \
squid-ntlm-html.lsp \
squid-saccess-html.lsp \
+ squid-dep-html.lsp \
squid.menu \
dansguardian-controller.lua \
dansguardian-model.lua \
@@ -38,6 +39,7 @@ dist: $(tarball)
install:
mkdir -p "$(install_dir)"
cp -a $(APP_DIST) "$(install_dir)"
+ cp -a squid.conf.template "$(squid-cfg-dir)"
$(tarball): $(DISTFILES)
rm -rf $(P)
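Review bot: The new `cp -a squid.conf.template "$(squid-cfg-dir)"` has no matching `mkdir -p` the way the line above does for install_dir, so the install fails on a box where /etc/squid does not exist yet; add `mkdir -p "$(squid-cfg-dir)"` before it. config.mk fixes squid-cfg-dir at the absolute /etc/squid rather than deriving it from a prefix like the other paths, so a staged or packaged install writes straight into the live system directory — if the build honours DESTDIR elsewhere, this line should too. The `install` rule continues outside the hunk.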
diff --git a/config.mk b/config.mk
index 45f4d21..b859a2b 100644
--- a/config.mk
+++ b/config.mk
@@ -8,3 +8,4 @@ cgibindir=${acfdir}/cgi-bin
appdir=${acfdir}/app
acflibdir=${acfdir}/lib
sessionsdir=${localstatedir}/lib/acf/sessions
+squid-cfg-dir=/etc/squid
diff --git a/dansguardian-general-html.lsp b/dansguardian-general-html.lsp
index 0d286ac..2dc3dcd 100644
--- a/dansguardian-general-html.lsp
+++ b/dansguardian-general-html.lsp
@@ -51,7 +51,6 @@ until you restart the service.
<form action="" method="POST">
<h2>Configuration</h2>
<pre style="color: #ff2020;"><? io.write( service.cfgerr ) ?></pre><br>
-<h2>Listener service</h2>
<p>
These parameters define the interface and port that Dansguardian uses to accept connections.
</p>
@@ -77,7 +76,7 @@ The author recommends 50 for "young children", 100 for "older children" and 160
<dt>accessdeniedaddress</dt><dd><input class="text" type="text" name="accessdeniedaddress" value="<? io.write( config.accessdeniedaddress.value ) ?>" style="width:350px"></dd>
<dt>naughtynesslimit</dt><dd><input class="text" type="text" name="naughtynesslimit" value="<? io.write( config.naughtynesslimit.value ) ?>" style="width:100px"></dd>
-<h3>Save Changes</h3>
+<h2>Save Changes</h2>
<dt>Save the above changes?</dt><dd><input class="submit" type="submit" name="cmd" value="save" style="width:100px"></dd>
</form>
diff --git a/squid-authentication-html.lsp b/squid-authentication-html.lsp
index 6f5cbd5..feef6c5 100644
--- a/squid-authentication-html.lsp
+++ b/squid-authentication-html.lsp
@@ -107,8 +107,5 @@ Choose the desired authentication mechanisms and their order.
</select>
</td></tr>
</table><br>
-
-<h3>Save Changes</h3>
-<dt>Save Authentication Scheme</dt><dd><input class="submit" type="submit" name="cmd" value="save"></dd>
</form>
diff --git a/squid-basic-html.lsp b/squid-basic-html.lsp
index 2a10624..f4676dd 100644
--- a/squid-basic-html.lsp
+++ b/squid-basic-html.lsp
@@ -88,6 +88,6 @@ servers run on other ports as well. These fields list all ports and port ranges
<dt>Safe_ports</dt><dd><input class="text" type="text" name="safeports" value="<? io.write( config.safeports.value ) ?>" style="width:400px;"></dd>
<dt>SSL_ports</dt><dd><input class="text" type="text" name="sslports" value="<? io.write( config.sslports.value ) ?>" style="width:400px;"></dd>
-<H3>Save changes</h3>
+<h2>Save changes</h2>
<DT>Save above changes</DT><DD><input class="submit" type="submit" name="cmd" value="save"></DD>
</form>
diff --git a/squid-controller.lua b/squid-controller.lua
index 03c6f7b..cb23c07 100644
--- a/squid-controller.lua
+++ b/squid-controller.lua
@@ -29,6 +29,26 @@ mvc.post_exec = function( self )
return pvt.parent_on_exec()
end
+dep = function( self )
+
+ if self.model.dependancy_ok() then
+ self.conf.type = "redir"
+ self.conf.action = "basic"
+ error(self.conf)
+ end
+
+ if self.clientdata.cmd then
+ if self.clientdata.cmd == "create file" then
+ self.model.create_cfg_from_template()
+ self.conf.type = "redir"
+ self.conf.action = "basic"
+ error(self.conf)
+ end
+ end
+
+ return
+end
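Review bot: The `create file` branch replaces the current squid.conf with the template, and because this action is only reachable when a config exists that lacks the tags, that file is usually a hand-written one; renaming it first, e.g. `os.rename( self.model.squidconf, self.model.squidconf .. ".orig" )` before `self.model.create_cfg_from_template()`, keeps it recoverable (squidconf is assigned at module level in the model, so it should be reachable this way — confirm). If the template file is missing, create_cfg_from_template raises on a nil handle and nothing here catches it, so the user gets a stack trace instead of the dep page; wrapping the call in pcall and rendering its message would be friendlier. A comment above the function stating that it is the fallback page shown until the tagged config exists would also help, since the redirect dance with `basic` is not obvious from the code.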
+
basic = function( self )
local option = { script = ENV["SCRIPT_NAME"],
@@ -38,6 +58,12 @@ basic = function( self )
extra = ""
}
+ if not self.model.dependancy_ok() then
+ self.conf.type = "redir"
+ self.conf.action = "dep"
+ error(self.conf)
+ end
+
local service = { message="", status="", error="" }
if self.clientdata.srvcmd then
local srvcmd = self.clientdata.srvcmd
@@ -89,13 +115,20 @@ authentication = function( self )
end
if self.clientdata.inout then
+ local newauth = ""
if self.clientdata.inout == " << " then
- local newauth = self.clientdata.authmethod
- if #self.clientdata.tmpempty > 0 then
- newauth = newauth .. self.clientdata.tmpempty
+ if self.clientdata.tmpempty then
+ newauth = self.clientdata.authmethod .. self.clientdata.tmpempty
+ end
+ elseif self.clientdata.inout == " >> " then
+ local tmpauth = self.clientdata.authmethod
+ local lap = 1
+ while lap <= #tmpauth do
+ if string.sub( tmpauth, lap, lap ) ~= self.clientdata.tmpauth then
+ newauth = newauth .. string.sub( tmpauth, lap, lap )
+ end
+ lap = lap + 1
end
- else
-
end
self.model.upd_authmethod(newauth)
end
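Review bot: In the new ` >> ` branch `self.clientdata.authmethod` is used without a guard, so a POST lacking that field makes `#tmpauth` raise on a nil value; `local tmpauth = self.clientdata.authmethod or ""` covers it, and the ` << ` branch has the same problem with the concatenation. `tmpempty` comes straight from the client and is appended as-is, so the stored method string can end up with duplicate or arbitrary characters; restricting it to the scheme letters upd_authmethod understands (D and N in this patch), e.g. `if self.clientdata.tmpempty and string.match( self.clientdata.tmpempty, "^[DN]$" ) and not string.find( self.clientdata.authmethod or "", self.clientdata.tmpempty, 1, true ) then`, keeps the written config predictable. The enclosing `authentication` function starts before this hunk and continues after it.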
diff --git a/squid-dep-html.lsp b/squid-dep-html.lsp
new file mode 100644
index 0000000..8cd2bcb
--- /dev/null
+++ b/squid-dep-html.lsp
@@ -0,0 +1,16 @@
+<?
+?>
+<h1>Web Proxy Configuration</h1>
+<h2>Dependancy Check - Failed!</h2>
+<p>
+squid-acf needs some tags inside the squid.conf file to be able to properly distinguish between
+what it is supposed to touch and what not.
+</p>
+<p>These tags have not been found in your config file.</p>
+<p>
+If you press the button below a template config file will be created which holds all the tags. You can
+then modify this config file as you like, just leave the tags where they are.
+</p>
+<form action="" method="POST">
+<dt>Action</dt><dd><input class="submit" type="submit" name="cmd" value="create file"></dd>
+</form>
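Review bot: The page tells the user a template config will be created but not that the existing /etc/squid/squid.conf is replaced in the process (the model opens it for writing with `wb+`), which is exactly the case this page is shown for; add a line such as `Warning: your current squid.conf will be overwritten. Back it up first if you want to keep any of it.` above the button. `Dependancy` in the heading is a misspelling of `Dependency`, and the empty `<? ?>` block at the top can go.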
diff --git a/squid-digest-html.lsp b/squid-digest-html.lsp
new file mode 100644
index 0000000..2f13432
--- /dev/null
+++ b/squid-digest-html.lsp
@@ -0,0 +1,29 @@
+<?
+ local form = ...
+ local data = form.option
+ local service = form.service
+
+ local srv1fill = ""
+ local srv2fill = "disabled"
+ if service.status == "running" then
+ srv1fill = "disabled"
+ srv2fill = ""
+ end
+
+?>
+<h1>Web Proxy Configuration</h1>
+<p>
+<dt>
+ This panel allows you to edit the list of usernames allowed to access the internet through the squid web proxy.
+ This list is active only for digest authentication. If you are using NTLM authentication, all domain users are
+ allowed to use the web proxy.
+</dt>
+</p>
+
+<h2>User List</h2>
+<form action="" method="POST">
+<textarea name="userlist" style="width:100%;"><? io.write( service.config ) ?></textarea>
+
+<h3>Save Changes</h3>
+<dt>Save the contents of the box above</dt><dd><input class="submit" type="submit" name="cmd" value="save"></dd>
+</form>
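Review bot: `io.write( service.config )` puts the user list into the textarea without HTML-escaping, so an entry containing `</textarea>` or `<` breaks out of the control and lands in the page as markup; wrap it as `io.write( (string.gsub( service.config, "[<>&]", { ["<"]="&lt;", [">"]="&gt;", ["&"]="&amp;" } )) )` or the framework's escape helper if one exists. If this is the file handed to digest_pw_auth (`/etc/squid/users.list` in the template), it carries password material and not only usernames, so the description above the box understates what is displayed and who can read it — worth saying so, and worth confirming against the controller. `data`, `srv1fill` and `srv2fill` are computed but never used on this page.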
diff --git a/squid-model.lua b/squid-model.lua
index 7e7fed7..0a080a2 100644
--- a/squid-model.lua
+++ b/squid-model.lua
@@ -5,6 +5,7 @@ module (..., package.seeall)
require "format"
squidconf = "/etc/squid/squid.conf"
+squidtempl = "/etc/squid/squid.conf.template"
--- the tokenizer functions - must be dislocated into a library later
tokenizer = {}
@@ -768,3 +769,94 @@ update_basic_config = function( config )
return error
end
+upd_authmethod = function( method )
+
+ local tmpfilename = os.tmpname()
+ local tmpfile = io.open( tmpfilename, "w+" )
+ local cfgfile = io.open( squidconf, "r" )
+ local error = ""
+ local line = ""
+ local done = false
+
+ config_preblock_copy( cfgfile, tmpfile, "### ACF-SQUID-TAG-0004" )
+
+ while not done do
+ line = cfgfile:read( "*l" )
+ if string.sub( line, 1, 7 ) == "### ACF" then
+ done = true
+ tmpfile:write( line .. "\n" )
+ else
+ if string.sub( line, 1, 17 ) == "auth_param digest" then
+ if string.find( method, "D" ) ~= nil then
+ tmpfile:write( line .. "\n" )
+ else
+ tmpfile:write( "#" .. line .. "\n" )
+ end
+ elseif string.sub( line, 1, 18 ) == "#auth_param digest" then
+ if string.find( method, "D" ) ~= nil then
+ tmpfile:write( string.sub( line, 2 ) .. "\n" )
+ else
+ tmpfile:write( line .. "\n" )
+ end
+ elseif string.sub( line, 1, 15 ) == "auth_param ntlm" then
+ if string.find( method, "N" ) ~= nil then
+ tmpfile:write( line .. "\n" )
+ else
+ tmpfile:write( "#" .. line .. "\n" )
+ end
+ elseif string.sub( line, 1, 16 ) == "#auth_param ntlm" then
+ if string.find( method, "N" ) ~= nil then
+ tmpfile:write( string.sub( line, 2 ) .. "\n" )
+ else
+ tmpfile:write( line .. "\n" )
+ end
+ else
+ tmpfile:write( line .. "\n" )
+ end
+ end
+ end
+
+ config_postblock_copy( cfgfile, tmpfile )
+
+ tmpfile:close()
+ cfgfile:close()
+ os.rename( tmpfilename, squidconf )
+
+ return error
+end
+
+dependancy_ok = function()
+
+ local retval = false
+ local cfgfile = io.open( squidconf )
+ local line = ""
+
+ if cfgfile ~= nil then
+ line = cfgfile:read( "*l" )
+ if string.sub( line, 1, 19 ) == "### ACF-SQUID-MAGIC" then
+ retval = true
+ end
+ end
+
+ return retval
+end
+
+create_cfg_from_template = function()
+
+ local from = io.open( squidtempl )
+ local to = io.open( squidconf, "wb+" )
+ local line = ""
+
+ while line ~= nil do
+ line = from:read( "*l" )
+ if line ~= nil then
+ to:write( line .. "\n" )
+ end
+ end
+
+ from:close()
+ to:close()
+
+ return
+end
+
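Review bot: `os.rename( tmpfilename, squidconf )` in upd_authmethod discards its result; the temp file comes from os.tmpname() and so lives in the system temp directory, and a rename into /etc/squid fails with a cross-device error when /tmp is a separate filesystem, leaving squid.conf untouched while the caller reports success and the temp file stays behind — when it does succeed, squid.conf takes on the temp file's mode and owner instead of the original's. Creating the temp file next to the target and checking the result avoids both: `local tmpfilename = squidconf .. ".acf-tmp"` and `local ok, err = os.rename( tmpfilename, squidconf )` followed by `if not ok then error = err end`. The loop's `cfgfile:read( "*l" )` returns nil at EOF, so a config missing the closing `### ACF` line raises inside string.sub instead of being reported, and dependancy_ok has the same problem on an empty file and also never closes cfgfile. None of the io.open calls in the three functions are checked, and the local named `error` shadows the builtin, which makes the body easy to misread.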
diff --git a/squid-ntlm-html.lsp b/squid-ntlm-html.lsp
new file mode 100644
index 0000000..ed11492
--- /dev/null
+++ b/squid-ntlm-html.lsp
@@ -0,0 +1,58 @@
+<?
+ local form = ...
+ local data = form.option
+ local service = form.service
+ local config = form.service.config
+
+ local srv1fill = ""
+ local srv2fill = "disabled"
+ if service.status == "running" then
+ srv1fill = "disabled"
+ srv2fill = ""
+ end
+
+ local ifthen = function( variable, value, result )
+ if variable == value then
+ io.write( result )
+ end
+ end
+
+?>
+<h1>Web Proxy - NTLM Authentication</h1>
+<p>
+Winbindd is a service that allows squid to authenticate against a Windows Domain Controller.
+Before authentication is possible, this machine must join the Windows domain and the winbindd
+service must be (re)started. It is only necessary to join the domain once.
+</p>
+
+<h2>Status</h2>
+<form action="" method="POST">
+<dt>winbindd is: <? io.write( service.status ) ?></dt>
+<dd><input class="submit" type="submit" name="srvcmd" value="start" <? io.write( srv1fill ) ?> style="width:100px">
+<input class="submit" type="submit" name="srvcmd" value="stop" <? io.write( srv2fill ) ?> style="width:100px">
+<input class="submit" type="submit" name="srvcmd" value="restart" <? io.write( srv2fill ) ?> style="width:100px"></dd>
+</form>
+
+<p>
+<pre style="color: #ff2020;"><? io.write( service.message ) ?></pre>
+</p>
+
+<p>
+This process runs as a service. When you make and save changes, the configuration
+files for the service are changed. However, the changes will not be <i>applied</i>
+until you restart the service.
+</p>
+
+<form action="" method="POST">
+<h2>Configuration</h2>
+
+<table>
+ <dt>Name</dt><dd>Value</dd>
+</table>
+
+<h3>Action</h3>
+<dt>What to do?</dt>
+<dd><input class="submit" type="submit" name="cmd" value="join domain">
+<input class="submit" type="submit" name="cmd" value="save"></dd>
+</form>
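Review bot: The `ifthen` helper and the `data` and `config` locals at the top are never used, and the Configuration `<table>` holds only a `<dt>`/`<dd>` header with nothing to save, so the page is effectively a stub offering `join domain` and `save`; a comment such as `<!-- TODO: NTLM settings (workgroup, domain controller) not yet implemented -->` inside the table would make that explicit and keep the dead helper from being copied forward. Joining a domain normally requires a privileged domain account and this form collects no credentials, so whatever the controller does for `cmd=join domain` (not shown here) should not depend on a password kept on the box — worth confirming.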
+
diff --git a/squid-saccess-html.lsp b/squid-saccess-html.lsp
new file mode 100644
index 0000000..322be02
--- /dev/null
+++ b/squid-saccess-html.lsp
@@ -0,0 +1,43 @@
+<?
+ local form = ...
+ local data = form.option
+ local service = form.service
+
+ local srv1fill = ""
+ local srv2fill = "disabled"
+ if service.status == "running" then
+ srv1fill = "disabled"
+ srv2fill = ""
+ end
+
+?>
+<h1>Web Proxy - Special Access</h1>
+<p>
+<dt>
+ The squid web proxy server is normally configured to require authenticated access. In some cases, such
+ as anti-virus update programs, the process cannot authenticate itself to the proxy server. For these
+ <i>special</i> cases, it is possible to have squid allow anonymous access to the Internet.<br><br>
+ You may choose to specify the special cases by specific ip address, browser identification or destination
+ domain.
+</dt>
+</p>
+
+<form action="" method="POST">
+<h2>Special IP Addresses</h2>
+<p>
+<textarea name="s_ip" style="width:100%;"><? io.write( service.config.s_ip ) ?></textarea>
+</p>
+
+<h2>Browser Identification</h2>
+<p>
+<textarea name="s_browser" style="width:100%;"><? io.write( service.config.s_browser ) ?></textarea>
+</p>
+
+<h2>Special Domains</h2>
+<p>
+<textarea name="s_domain" style="width:100%;"><? io.write( service.config.s_domain ) ?></textarea>
+</p>
+
+<h3>Save Changes</h3>
+<dt>Save changes of the above boxes</dt><dd><input class="submit" type="submit" name="cmd" value="save"></dd>
+</form>
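Review bot: The three textareas write `service.config.s_ip`, `s_browser` and `s_domain` into the page without HTML-escaping, so a list entry containing `</textarea>` or `<` breaks the form or injects markup; wrap each as `(string.gsub( service.config.s_ip, "[<>&]", { ["<"]="&lt;", [">"]="&gt;", ["&"]="&amp;" } ))` or use the framework's escape helper if it has one. The intro should also state that the browser match is on the client-supplied User-Agent header, which any client can set, so an entry grants anonymous access to anyone who knows the string rather than to a particular program; e.g. add `Note that browser identification relies on the User-Agent header sent by the client and can be freely forged.` `srv1fill` and `srv2fill` are computed but unused here.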
diff --git a/squid.conf.template b/squid.conf.template
new file mode 100644
index 0000000..1b55448
--- /dev/null
+++ b/squid.conf.template
@@ -0,0 +1,111 @@
+### ACF-SQUID-MAGIC ### DO NOT REMOVE THIS LINE
+
+cache_effective_user squid
+cache_effective_group squid
+
+### ACF-SQUID-TAG-0001 ### DO NOT REMOVE THIS LINE
+http_port 192.168.1.1:8080
+http_port 127.0.0.1:3128
+visible_hostname services
+cache_mem 8 MB
+### ACF-SQUID-GAT-0001 ### DO NOT REMOVE THIS LINE
+
+hierarchy_stoplist cgi-bin \?
+
+### ACF-SQUID-TAG-0002 ### DO NOT REMOVE THIS LINE
+# Examples:
+# :cache_dir diskd /var/cache/squid 900 16 256
+# :cache_dir null
+cache_dir diskd /var/cache/squid 900 16 256
+#cache_dir null
+### ACF-SQUID-GAT-0002 ### DO NOT REMOVE THIS LINE
+
+### ACF-SQUID-TAG-0003 ### DO NOT REMOVE THIS LINE
+cache_access_log /var/log/squid/cache_access.log
+cache_log /var/log/squid/cache.log
+cache_store_log none
+### ACF-SQUID-GAT-0003 ### DO NOT REMOVE THIS LINE
+
+pid_filename /var/run/squid.pid
+
+debug_options 29,9
+debug_options 28,9
+debug_options 84,9
+
+# Web auditors want to see the full uri, even with the query terms
+strip_query_terms off
+
+### ACF-SQUID-TAG-0004 ### DO NOT REMOVE THIS LINE
+auth_param digest program /usr/libexec/squid/digest_pw_auth /etc/squid/users.list
+auth_param digest children 5
+auth_param digest realm Squid proxy-caching web server
+auth_param digest nonce_garbage_interval 5 minutes
+auth_param digest nonce_max_duration 30 minutes
+auth_param digest nonce_max_count 50
+#auth_param ntlm program /usr/libexec/squid/wb_ntlmauth
+#auth_param ntlm children 30
+#auth_param ntlm max_challenge_reuses 3
+#auth_param ntlm max_challenge_lifetime 2 minutes
+### ACF-SQUID-GAT-0004 ### DO NOT REMOVE THIS LINE
+
+authenticate_cache_garbage_interval 1 hour
+authenticate_ttl 1 hour
+
+refresh_pattern ^ftp: 1440 20% 10080
+refresh_pattern ^gopher: 1440 0% 1440
+refresh_pattern . 0 20% 4320
+
+### ACF-SQUID-TAG-0008 ### DO NOT REMOVE THIS LINE
+acl QUERY urlpath_regex cgi-bin \?
+acl all src 0.0.0.0/0.0.0.0
+acl manager proto cache_object
+acl localhost src 127.0.0.1/255.255.255.255
+acl to_localhost dst 127.0.0.0/8
+# Special access acls
+acl AnonBrowsers browser "/etc/squid/anonbrowserlist"
+acl AnonIPAddrs src "/etc/squid/anoniplist"
+acl AnonDomain url_regex "/etc/squid/anondomainlist"
+acl CONNECT method CONNECT
+### ACF-SQUID-GAT-0008 ### DO NOT REMOVE THIS LINE
+
+### ACF-SQUID-TAG-0005 ### DO NOT REMOVE THIS LINE
+acl SSL_ports port 443 563 8004 9000
+acl Safe_ports port 21 70 80 81 210 280 443 563 499 591 777 1025-65535
+acl ContentFilter urlpath_regex -i \.html$ \.htm$ \.php$ \.asp$ \.jsp$ \? ^http:\/\/[^\/]*\.[a-z]*$ /$
+### ACF-SQUID-GAT-0005 ### DO NOT REMOVE THIS LINE
+
+### ACF-SQUID-TAG-0006 ### DO NOT REMOVE THIS LINE
+acl userlist proxy_auth REQUIRED
+### ACF-SQUID-GAT-0006 ### DO NOT REMOVE THIS LINE
+
+# This is for the "second pass" squid
+no_cache deny localhost
+always_direct allow CONNECT
+http_access allow localhost
+
+# These force us to use an upstream proxy - like DansGuardian
+# except if its not an html looking uri - like, say isos, mp3s, etc.
+# DG chews up *way* too many resources for large downloads
+### ACF-SQUID-TAG-0007 ### DO NOT REMOVE THIS LINE
+never_direct allow !localhost
+always_direct allow !ContentFilter
+cache_peer 127.0.0.1 parent 8081 0 no-query no-digest no-netdb-exchange login=*: default
+### ACF-SQUID-GAT-0007 ### DO NOT REMOVE THIS LINE
+
+### ACF-SQUID-TAG-0009 ### DO NOT REMOVE THIS LINE
+http_access allow manager localhost
+http_access deny manager
+http_access deny !Safe_ports
+http_access deny CONNECT !SSL_ports
+http_access allow AnonIPAddrs
+http_access allow AnonDomain
+http_access allow AnonBrowsers
+http_access allow userlist
+http_access deny all
+### ACF-SQUID-GAT-0009 ### DO NOT REMOVE THIS LINE
+
+http_reply_access allow all
+icp_access allow all
+
+no_cache deny QUERY
+
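Review bot: `acl AnonDomain url_regex "/etc/squid/anondomainlist"` combined with `http_access allow AnonDomain` placed ahead of `allow userlist` means an unanchored entry in that list (e.g. `update.vendor.com`) matches anywhere in the URL, including the path or query of an unrelated site, and so becomes an unauthenticated bypass; `acl AnonDomain dstdomain "/etc/squid/anondomainlist"` matches the destination host only and is the safer default, otherwise the entries need anchoring. The `AnonBrowsers` rule matches the client-supplied User-Agent header, which is trivially forged, so a comment should mark it as a convenience rather than a control. `debug_options 29,9`, `28,9` and `84,9` set the authentication, ACL and helper sections to maximum verbosity, at which cache.log can include the helper exchanges and therefore credentials; a comment saying this is for troubleshooting only, or dropping to level 1, is advisable for a shipped template. `strip_query_terms off` is explained by its comment but likewise puts session tokens into the access log, which the log file's permissions need to reflect.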