webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-27 11:13:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata

Browse Source
This commit is contained in:
Stefan Schantl
2019-01-21 13:04:13 +01:00
parent b749416ad7 f6326e4f77
commit c1a3401235
116 changed files with 2471 additions and 1649 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
html/cgi-bin/dnsforward.cgi
View File

@@ -220,7 +220,7 @@ print <<END
</tr>
<tr>
<td width='20%' class='base'>$Lang::tr{'dnsforward forward_server'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
<td width='20%' class='base'>$Lang::tr{'dnsforward forward_servers'}:&nbsp;<img src='/blob.gif' alt='*' /></td>
<td><input type='text' name='FORWARD_SERVERS' value='$cgiparams{'FORWARD_SERVERS'}' size='24' /></td>
</tr>
</table>

1
html/cgi-bin/ids.cgi
View File

@@ -225,7 +225,6 @@ if (-e $IDS::storederrorfile) {
unlink($IDS::storederrorfile);
}
## Grab all available snort rules and store them in the idsrules hash.
#
# Open snort rules directory and do a directory listing.

2
html/cgi-bin/logs.cgi/log.dat
View File

@@ -79,7 +79,7 @@ my %sections = (
my %trsections = (
'auth' => "$Lang::tr{'loginlogout'}",
'wio' => 'Who Is Online?',
'captive' => $Lang::tr{'captive'},
'captive' => $Lang::tr{'Captive'},
'clamav' => 'ClamAV',
'collectd' => 'Collectd',
'cron' => 'Cron',

9
html/cgi-bin/ovpnmain.cgi
View File

@@ -174,7 +174,12 @@ sub cleanssldatabase
print FILE "";
close FILE;
}
if (open(FILE, ">${General::swroot}/ovpn/certs/index.txt.attr")) {
print FILE "";
close FILE;
}
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
unlink ("${General::swroot}/ovpn/certs/01.pem");
}
@@ -189,7 +194,11 @@ sub newcleanssldatabase
if (! -s ">${General::swroot}/ovpn/certs/index.txt") {
system ("touch ${General::swroot}/ovpn/certs/index.txt");
}
if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") {
system ("touch ${General::swroot}/ovpn/certs/index.txt.attr");
}
unlink ("${General::swroot}/ovpn/certs/index.txt.old");
unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old");
unlink ("${General::swroot}/ovpn/certs/serial.old");
}

433
html/cgi-bin/proxy.cgi
View File

@@ -56,17 +56,11 @@ my %mainsettings=();
my %checked=();
my %selected=();
my @throttle_limits=(64,128,256,384,512,768,1024,1280,1536,1792,2048,2560,3072,3584,4096,5120,6144,7168,8192,10240,12288,16384,20480);
my $throttle_binary="7z|arj|bin|bz2|cab|exe|gz|lzh|rar|sea|tar|tgz|xz|zip";
my $throttle_dskimg="b5t|bin|bwt|ccd|cdi|cue|gho|img|iso|mds|nrg|pqi|vmdk";
my $throttle_mmedia="aiff?|asf|avi|divx|mov|mp3|mpe?g|ogg|qt|ra?m|ts|vob";
my @throttle_limits=(64,128,256,512,1024,1536,2048,3072,4096,5120,6144,7168,8192,10240,16384,20480,51200,102400);
my $def_ports_safe="80 # http\n21 # ftp\n443 # https\n563 # snews\n70 # gopher\n210 # wais\n1025-65535 # unregistered ports\n280 # http-mgmt\n488 # gss-http\n591 # filemaker\n777 # multiling http\n800 # Squids port (for icons)\n";
my $def_ports_ssl="443 # https\n563 # snews\n";
my @useragent=();
my @useragentlist=();
my $hintcolour='#FFFFCC';
my $ncsa_buttontext='';
my $language='';
@@ -89,7 +83,6 @@ my $errormessage='';
my $acldir = "${General::swroot}/proxy/advanced/acls";
my $ncsadir = "${General::swroot}/proxy/advanced/ncsa";
my $ntlmdir = "${General::swroot}/proxy/advanced/ntlm";
my $raddir = "${General::swroot}/proxy/advanced/radius";
my $identdir = "${General::swroot}/proxy/advanced/ident";
my $credir = "${General::swroot}/proxy/advanced/cre";
@@ -99,7 +92,6 @@ my $stdgrp = "$ncsadir/standard.grp";
my $extgrp = "$ncsadir/extended.grp";
my $disgrp = "$ncsadir/disabled.grp";
my $browserdb = "${General::swroot}/proxy/advanced/useragents";
my $mimetypes = "${General::swroot}/proxy/advanced/mimetypes";
my $throttled_urls = "${General::swroot}/proxy/advanced/throttle";
@@ -137,7 +129,6 @@ my $urlfilterversion = 'n/a';
unless (-d "$acldir") { mkdir("$acldir"); }
unless (-d "$ncsadir") { mkdir("$ncsadir"); }
unless (-d "$ntlmdir") { mkdir("$ntlmdir"); }
unless (-d "$raddir") { mkdir("$raddir"); }
unless (-d "$identdir") { mkdir("$identdir"); }
unless (-d "$credir") { mkdir("$credir"); }
@@ -170,15 +161,10 @@ unless (-e $acl_ports_safe) { system("touch $acl_ports_safe"); }
unless (-e $acl_ports_ssl) { system("touch $acl_ports_ssl"); }
unless (-e $acl_include) { system("touch $acl_include"); }
unless (-e $browserdb) { system("touch $browserdb"); }
unless (-e $mimetypes) { system("touch $mimetypes"); }
my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
open FILE, $browserdb;
@useragentlist = sort { reverse(substr(reverse(substr($a,index($a,',')+1)),index(reverse(substr($a,index($a,','))),',')+1)) cmp reverse(substr(reverse(substr($b,index($b,',')+1)),index(reverse(substr($b,index($b,','))),',')+1))} grep !/(^$)|(^\s*#)/,<FILE>;
close(FILE);
&General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
&General::readhash("${General::swroot}/main/settings", \%mainsettings);
@@ -217,8 +203,8 @@ $proxysettings{'CACHEMGR'} = 'off';
$proxysettings{'LOGQUERY'} = 'off';
$proxysettings{'LOGUSERAGENT'} = 'off';
$proxysettings{'FILEDESCRIPTORS'} = '16384';
$proxysettings{'CACHE_MEM'} = '2';
$proxysettings{'CACHE_SIZE'} = '50';
$proxysettings{'CACHE_MEM'} = '128';
$proxysettings{'CACHE_SIZE'} = '0';
$proxysettings{'MAX_SIZE'} = '4096';
$proxysettings{'MIN_SIZE'} = '0';
$proxysettings{'MEM_POLICY'} = 'LRU';
@@ -241,18 +227,13 @@ $proxysettings{'THROTTLING_GREEN_TOTAL'} = 'unlimited';
$proxysettings{'THROTTLING_GREEN_HOST'} = 'unlimited';
$proxysettings{'THROTTLING_BLUE_TOTAL'} = 'unlimited';
$proxysettings{'THROTTLING_BLUE_HOST'} = 'unlimited';
$proxysettings{'THROTTLE_BINARY'} = 'off';
$proxysettings{'THROTTLE_DSKIMG'} = 'off';
$proxysettings{'THROTTLE_MMEDIA'} = 'off';
$proxysettings{'ENABLE_MIME_FILTER'} = 'off';
$proxysettings{'ENABLE_BROWSER_CHECK'} = 'off';
$proxysettings{'FAKE_USERAGENT'} = '';
$proxysettings{'FAKE_REFERER'} = '';
$proxysettings{'AUTH_METHOD'} = 'none';
$proxysettings{'AUTH_REALM'} = '';
$proxysettings{'AUTH_MAX_USERIP'} = '';
$proxysettings{'AUTH_CACHE_TTL'} = '60';
$proxysettings{'AUTH_IPCACHE_TTL'} = '0';
$proxysettings{'AUTH_CHILDREN'} = '5';
$proxysettings{'NCSA_MIN_PASS_LEN'} = '6';
$proxysettings{'NCSA_BYPASS_REDIR'} = 'off';
@@ -287,7 +268,6 @@ $proxysettings{'IDENT_USER_ACL'} = 'positive';
$proxysettings{'ENABLE_FILTER'} = 'off';
$proxysettings{'ENABLE_UPDXLRATOR'} = 'off';
$proxysettings{'ENABLE_CLAMAV'} = 'off';
$proxysettings{'CHILDREN'} = '10';
$ncsa_buttontext = $Lang::tr{'advproxy NCSA create user'};
@@ -436,27 +416,6 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
{
$errormessage = $Lang::tr{'invalid maximum incoming size'};
goto ERROR;
}
if (!($proxysettings{'CHILDREN'} =~ /^\d+$/) || ($proxysettings{'CHILDREN'} < 1))
{
$errormessage = $Lang::tr{'advproxy invalid num of children'};
goto ERROR;
}
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on')
{
$browser_regexp = '';
foreach (@useragentlist)
{
chomp;
@useragent = split(/,/);
if ($proxysettings{'UA_'.$useragent[0]} eq 'on') { $browser_regexp .= "$useragent[2]|"; }
}
chop($browser_regexp);
if (!$browser_regexp)
{
$errormessage = $Lang::tr{'advproxy errmsg no browser'};
goto ERROR;
}
}
if (!($proxysettings{'AUTH_METHOD'} eq 'none'))
{
@@ -480,23 +439,18 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
}
}
}
if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
{
$errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
goto ERROR;
}
if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) &&
((!($proxysettings{'AUTH_MAX_USERIP'} =~ /^\d+/)) || ($proxysettings{'AUTH_MAX_USERIP'} < 1) || ($proxysettings{'AUTH_MAX_USERIP'} > 255)))
{
$errormessage = $Lang::tr{'advproxy errmsg max userip'};
goto ERROR;
}
if (!($proxysettings{'AUTH_CACHE_TTL'} =~ /^\d+/))
{
$errormessage = $Lang::tr{'advproxy errmsg auth cache ttl'};
goto ERROR;
}
if (!($proxysettings{'AUTH_IPCACHE_TTL'} =~ /^\d+/))
{
$errormessage = $Lang::tr{'advproxy errmsg auth ipcache ttl'};
goto ERROR;
}
if ((!($proxysettings{'AUTH_MAX_USERIP'} eq '')) && ($proxysettings{'AUTH_IPCACHE_TTL'} eq '0'))
if (!($proxysettings{'AUTH_MAX_USERIP'} eq ''))
{
$errormessage = $Lang::tr{'advproxy errmsg auth ipcache may not be null'};
goto ERROR;
@@ -552,33 +506,6 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
}
}
}
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm')
{
if ($proxysettings{'NTLM_DOMAIN'} eq '')
{
$errormessage = $Lang::tr{'advproxy errmsg ntlm domain'};
goto ERROR;
}
if ($proxysettings{'NTLM_PDC'} eq '')
{
$errormessage = $Lang::tr{'advproxy errmsg ntlm pdc'};
goto ERROR;
}
if (!&General::validhostname($proxysettings{'NTLM_PDC'}))
{
$errormessage = $Lang::tr{'advproxy errmsg invalid pdc'};
goto ERROR;
}
if ((!($proxysettings{'NTLM_BDC'} eq '')) && (!&General::validhostname($proxysettings{'NTLM_BDC'})))
{
$errormessage = $Lang::tr{'advproxy errmsg invalid bdc'};
goto ERROR;
}
$proxysettings{'NTLM_DOMAIN'} = lc($proxysettings{'NTLM_DOMAIN'});
$proxysettings{'NTLM_PDC'} = lc($proxysettings{'NTLM_PDC'});
$proxysettings{'NTLM_BDC'} = lc($proxysettings{'NTLM_BDC'});
}
if ($proxysettings{'AUTH_METHOD'} eq 'radius')
{
if (!&General::validip($proxysettings{'RADIUS_SERVER'}))
@@ -834,36 +761,14 @@ $selected{'THROTTLING_GREEN_HOST'}{$proxysettings{'THROTTLING_GREEN_HOST'}} = "s
$selected{'THROTTLING_BLUE_TOTAL'}{$proxysettings{'THROTTLING_BLUE_TOTAL'}} = "selected='selected'";
$selected{'THROTTLING_BLUE_HOST'}{$proxysettings{'THROTTLING_BLUE_HOST'}} = "selected='selected'";
$checked{'THROTTLE_BINARY'}{'off'} = '';
$checked{'THROTTLE_BINARY'}{'on'} = '';
$checked{'THROTTLE_BINARY'}{$proxysettings{'THROTTLE_BINARY'}} = "checked='checked'";
$checked{'THROTTLE_DSKIMG'}{'off'} = '';
$checked{'THROTTLE_DSKIMG'}{'on'} = '';
$checked{'THROTTLE_DSKIMG'}{$proxysettings{'THROTTLE_DSKIMG'}} = "checked='checked'";
$checked{'THROTTLE_MMEDIA'}{'off'} = '';
$checked{'THROTTLE_MMEDIA'}{'on'} = '';
$checked{'THROTTLE_MMEDIA'}{$proxysettings{'THROTTLE_MMEDIA'}} = "checked='checked'";
$checked{'ENABLE_MIME_FILTER'}{'off'} = '';
$checked{'ENABLE_MIME_FILTER'}{'on'} = '';
$checked{'ENABLE_MIME_FILTER'}{$proxysettings{'ENABLE_MIME_FILTER'}} = "checked='checked'";
$checked{'ENABLE_BROWSER_CHECK'}{'off'} = '';
$checked{'ENABLE_BROWSER_CHECK'}{'on'} = '';
$checked{'ENABLE_BROWSER_CHECK'}{$proxysettings{'ENABLE_BROWSER_CHECK'}} = "checked='checked'";
foreach (@useragentlist) {
@useragent = split(/,/);
$checked{'UA_'.$useragent[0]}{'off'} = '';
$checked{'UA_'.$useragent[0]}{'on'} = '';
$checked{'UA_'.$useragent[0]}{$proxysettings{'UA_'.$useragent[0]}} = "checked='checked'";
}
$checked{'AUTH_METHOD'}{'none'} = '';
$checked{'AUTH_METHOD'}{'ncsa'} = '';
$checked{'AUTH_METHOD'}{'ident'} = '';
$checked{'AUTH_METHOD'}{'ldap'} = '';
$checked{'AUTH_METHOD'}{'ntlm'} = '';
$checked{'AUTH_METHOD'}{'ntlm-auth'} = '';
$checked{'AUTH_METHOD'}{'radius'} = '';
$checked{'AUTH_METHOD'}{$proxysettings{'AUTH_METHOD'}} = "checked='checked'";
@@ -1034,12 +939,8 @@ print <<END
</table>
<hr size='1'>
<table width='100%'>
<tr><td class='base' colspan='4'><b>$Lang::tr{'advproxy redirector children'}</b></td></tr>
<tr><td class='base' >$Lang::tr{'processes'}:&nbsp;<img src='/blob.gif' alt='*' /><input type='text' name='CHILDREN' value='$proxysettings{'CHILDREN'}' size='5' /></td>
END
;
my $count = `ip n| wc -l`;
if ( $count < 1 ){$count = 1;}
if ( -e "/usr/bin/squidclamav" ) {
print "<td class='base'><b>".$Lang::tr{'advproxy squidclamav'}."</b><br />";
if ( ! -e "/var/run/clamav/clamd.pid" ){
@@ -1048,18 +949,16 @@ if ( -e "/usr/bin/squidclamav" ) {
}
else {
print $Lang::tr{'advproxy enabled'}."<input type='checkbox' name='ENABLE_CLAMAV' ".$checked{'ENABLE_CLAMAV'}{'on'}." /><br />";
print "+ ".int(( $count**(1/3)) * 8);}
}
print "</td>";
} else {
print "<td></td>";
}
print "<td class='base'><a href='/cgi-bin/urlfilter.cgi'><b>".$Lang::tr{'advproxy url filter'}."</a></b><br />";
print $Lang::tr{'advproxy enabled'}."<input type='checkbox' name='ENABLE_FILTER' ".$checked{'ENABLE_FILTER'}{'on'}." /><br />";
print "+ ".int(($count**(1/3)) * 6);
print "</td>";
print "<td class='base'><a href='/cgi-bin/updatexlrator.cgi'><b>".$Lang::tr{'advproxy update accelerator'}."</a></b><br />";
print $Lang::tr{'advproxy enabled'}."<input type='checkbox' name='ENABLE_UPDXLRATOR' ".$checked{'ENABLE_UPDXLRATOR'}{'on'}." /><br />";
print "+ ".int(($count**(1/3)) * 5);
print "</td></tr>";
print <<END
</table>
@@ -1531,7 +1430,15 @@ END
;
foreach (@throttle_limits) {
print "\t<option value='$_' $selected{'THROTTLING_GREEN_TOTAL'}{$_}>$_ kbit/s</option>\n";
my $val = $_;
my $unit = "kbit/s";
if ($val >= 1024) {
$unit = "Mbit/s";
$val /= 1024;
}
print "\t<option value='$_' $selected{'THROTTLING_GREEN_TOTAL'}{$_}>$val $unit</option>\n";
}
print <<END
@@ -1594,21 +1501,6 @@ END
print <<END
</table>
<table width='100%'>
<tr>
<td colspan='4'><i>$Lang::tr{'advproxy content based throttling'}:</i></td>
</tr>
<tr>
<td width='15%' class='base'>$Lang::tr{'advproxy throttle binary'}:</td>
<td width='10%'><input type='checkbox' name='THROTTLE_BINARY' $checked{'THROTTLE_BINARY'}{'on'} /></td>
<td width='15%' class='base'>$Lang::tr{'advproxy throttle dskimg'}:</td>
<td width='10%'><input type='checkbox' name='THROTTLE_DSKIMG' $checked{'THROTTLE_DSKIMG'}{'on'} /></td>
<td width='15%' class='base'>$Lang::tr{'advproxy throttle mmedia'}:</td>
<td width='10%'><input type='checkbox' name='THROTTLE_MMEDIA' $checked{'THROTTLE_MMEDIA'}{'on'} /></td>
<td width='15%'>&nbsp;</td>
<td width='10%'>&nbsp;</td>
</tr>
</table>
<hr size='1'>
<table width='100%'>
<tr>
@@ -1642,42 +1534,7 @@ print <<END
</table>
<hr size='1'>
<table width='100%'>
<tr>
<td colspan='4'><b>$Lang::tr{'advproxy web browser'}</b> $Lang::tr{'advproxy UA enable filter'}:<input type='checkbox' name='ENABLE_BROWSER_CHECK' $checked{'ENABLE_BROWSER_CHECK'}{'on'} /></td>
</tr>
END
;
if ( $proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on' ){
print <<END
<tr>
<td colspan='4'><i>
END
;
if (@useragentlist) { print "$Lang::tr{'advproxy allowed web browsers'}:"; } else { print "$Lang::tr{'advproxy no clients defined'}"; }
print <<END
</i></td>
</tr>
</table>
<table width='100%'>
END
;
for ($n=0; $n<=@useragentlist; $n = $n + $i) {
for ($i=0; $i<=3; $i++) {
if ($i eq 0) { print "<tr>\n"; }
if (($n+$i) < @useragentlist) {
@useragent = split(/,/,@useragentlist[$n+$i]);
print "<td width='15%'>$useragent[1]:<\/td>\n";
print "<td width='10%'><input type='checkbox' name='UA_$useragent[0]' $checked{'UA_'.$useragent[0]}{'on'} /></td>\n";
}
if ($i eq 3) { print "<\/tr>\n"; }
}
}
}
print <<END
</table>
<hr size='1'>
<table width='100%'>
<tr>
<td><b>$Lang::tr{'advproxy privacy'}</b></td>
@@ -1711,7 +1568,6 @@ print <<END;
<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ncsa' $checked{'AUTH_METHOD'}{'ncsa'} />$Lang::tr{'advproxy AUTH method ncsa'}</td>
<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ident' $checked{'AUTH_METHOD'}{'ident'} />$Lang::tr{'advproxy AUTH method ident'}</td>
<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ldap' $checked{'AUTH_METHOD'}{'ldap'} />$Lang::tr{'advproxy AUTH method ldap'}</td>
<td width='$auth_column_width%' class='base'><input type='radio' name='AUTH_METHOD' value='ntlm' $checked{'AUTH_METHOD'}{'ntlm'} />$Lang::tr{'advproxy AUTH method ntlm'}</td>
END
if ($HAVE_NTLM_AUTH) {
@@ -1789,10 +1645,6 @@ print <<END
<td class='base'>$Lang::tr{'advproxy AUTH limit of IP addresses'}:</td>
<td><input type='text' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy AUTH user IP cache TTL'}:</td>
<td><input type='text' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy AUTH always required'}:</td>
<td><input type='checkbox' name='AUTH_ALWAYS_REQUIRED' $checked{'AUTH_ALWAYS_REQUIRED'}{'on'} /></td>
@@ -1926,80 +1778,6 @@ if ($proxysettings{'AUTH_METHOD'} eq 'ident') { print <<END
END
; }
# ===================================================================
# NTLM auth settings
# ===================================================================
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm') {
print <<END
<hr size='1'>
<table width='100%'>
<tr>
<td colspan='6'><b>$Lang::tr{'advproxy NTLM domain settings'}</b></td>
</tr>
<tr>
<td class='base'>$Lang::tr{'advproxy NTLM domain'}:</td>
<td><input type='text' name='NTLM_DOMAIN' value='$proxysettings{'NTLM_DOMAIN'}' size='15' /></td>
<td class='base'>$Lang::tr{'advproxy NTLM PDC hostname'}:</td>
<td><input type='text' name='NTLM_PDC' value='$proxysettings{'NTLM_PDC'}' size='14' /></td>
<td class='base'>$Lang::tr{'advproxy NTLM BDC hostname'}:</td>
<td><input type='text' name='NTLM_BDC' value='$proxysettings{'NTLM_BDC'}' size='14' /></td>
</tr>
</table>
<hr size ='1'>
<table width='100%'>
<tr>
<td colspan='3'><b>$Lang::tr{'advproxy NTLM auth mode'}</b></td>
</tr>
<tr>
<td width='25%' class='base' width='25%'>$Lang::tr{'advproxy NTLM use integrated auth'}:</td>
<td width='20%'><input type='checkbox' name='NTLM_ENABLE_INT_AUTH' $checked{'NTLM_ENABLE_INT_AUTH'}{'on'} /></td>
<td>&nbsp;</td>
</tr>
</table>
<hr size ='1'>
<table width='100%'>
<tr>
<td colspan='4'><b>$Lang::tr{'advproxy NTLM user based access restrictions'}</b></td>
</tr>
<tr>
<td width='25%' class='base'>$Lang::tr{'advproxy enabled'}:</td>
<td width='20%'><input type='checkbox' name='NTLM_ENABLE_ACL' $checked{'NTLM_ENABLE_ACL'}{'on'} /></td>
<td width='25%'>&nbsp;</td>
<td width='30%'>&nbsp;</td>
</tr>
<tr>
<td colspan='2'><input type='radio' name='NTLM_USER_ACL' value='positive' $checked{'NTLM_USER_ACL'}{'positive'} />
$Lang::tr{'advproxy NTLM use positive access list'}:</td>
<td colspan='2'><input type='radio' name='NTLM_USER_ACL' value='negative' $checked{'NTLM_USER_ACL'}{'negative'} />
$Lang::tr{'advproxy NTLM use negative access list'}:</td>
</tr>
<tr>
<td colspan='2'>$Lang::tr{'advproxy NTLM authorized users'}</td>
<td colspan='2'>$Lang::tr{'advproxy NTLM unauthorized users'}</td>
</tr>
<tr>
<td colspan='2'><textarea name='NTLM_ALLOW_USERS' cols='32' rows='6' wrap='off'>
END
; }
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm') { print $proxysettings{'NTLM_ALLOW_USERS'}; }
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm') { print <<END
</textarea></td>
<td colspan='2'><textarea name='NTLM_DENY_USERS' cols='32' rows='6' wrap='off'>
END
; }
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm') { print $proxysettings{'NTLM_DENY_USERS'}; }
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm') { print <<END
</textarea></td>
</tr>
</table>
END
; }
# ===================================================================
# NTLM-AUTH settings
# ===================================================================
@@ -2163,7 +1941,6 @@ print <<END
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_ALWAYS_REQUIRED' value='$proxysettings{'AUTH_ALWAYS_REQUIRED'}'></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
<td><input type='hidden' name='DST_NOAUTH' value='$proxysettings{'DST_NOAUTH'}'></td>
@@ -2175,7 +1952,6 @@ print <<END
<td><input type='hidden' name='AUTH_CHILDREN' value='$proxysettings{'AUTH_CHILDREN'}'></td>
<td><input type='hidden' name='AUTH_CACHE_TTL' value='$proxysettings{'AUTH_CACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_MAX_USERIP' value='$proxysettings{'AUTH_MAX_USERIP'}' size='5' /></td>
<td><input type='hidden' name='AUTH_IPCACHE_TTL' value='$proxysettings{'AUTH_IPCACHE_TTL'}' size='5' /></td>
<td><input type='hidden' name='AUTH_REALM' value='$proxysettings{'AUTH_REALM'}'></td>
END
; }
@@ -2211,19 +1987,6 @@ print <<END
END
; }
if (!($proxysettings{'AUTH_METHOD'} eq 'ntlm')) {
print <<END
<td><input type='hidden' name='NTLM_DOMAIN' value='$proxysettings{'NTLM_DOMAIN'}'></td>
<td><input type='hidden' name='NTLM_PDC' value='$proxysettings{'NTLM_PDC'}'></td>
<td><input type='hidden' name='NTLM_BDC' value='$proxysettings{'NTLM_BDC'}'></td>
<td><input type='hidden' name='NTLM_ENABLE_INT_AUTH' value='$proxysettings{'NTLM_ENABLE_INT_AUTH'}'></td>
<td><input type='hidden' name='NTLM_ENABLE_ACL' value='$proxysettings{'NTLM_ENABLE_ACL'}'></td>
<td><input type='hidden' name='NTLM_USER_ACL' value='$proxysettings{'NTLM_USER_ACL'}'></td>
<td><input type='hidden' name='NTLM_ALLOW_USERS' value='$proxysettings{'NTLM_ALLOW_USERS'}'></td>
<td><input type='hidden' name='NTLM_DENY_USERS' value='$proxysettings{'NTLM_DENY_USERS'}'></td>
END
; }
if (!($proxysettings{'AUTH_METHOD'} eq 'radius')) {
print <<END
<td><input type='hidden' name='RADIUS_SERVER' value='$proxysettings{'RADIUS_SERVER'}'></td>
@@ -2513,18 +2276,6 @@ sub read_acls
while (<FILE>) { $proxysettings{'MIME_TYPES'} .= $_ };
close(FILE);
}
if (-e "$ntlmdir/msntauth.allowusers") {
open(FILE,"$ntlmdir/msntauth.allowusers");
delete $proxysettings{'NTLM_ALLOW_USERS'};
while (<FILE>) { $proxysettings{'NTLM_ALLOW_USERS'} .= $_ };
close(FILE);
}
if (-e "$ntlmdir/msntauth.denyusers") {
open(FILE,"$ntlmdir/msntauth.denyusers");
delete $proxysettings{'NTLM_DENY_USERS'};
while (<FILE>) { $proxysettings{'NTLM_DENY_USERS'} .= $_ };
close(FILE);
}
if (-e "$raddir/radauth.allowusers") {
open(FILE,"$raddir/radauth.allowusers");
delete $proxysettings{'RADIUS_ALLOW_USERS'};
@@ -2933,23 +2684,6 @@ sub write_acls
if (!$proxysettings{'PORTS_SSL'}) { print FILE $def_ports_ssl; } else { print FILE $proxysettings{'PORTS_SSL'}; }
close(FILE);
open(FILE, ">$acl_dst_throttle");
flock(FILE, 2);
if ($proxysettings{'THROTTLE_BINARY'} eq 'on')
{
@temp = split(/\|/,$throttle_binary);
foreach (@temp) { print FILE "\\.$_\$\n"; }
}
if ($proxysettings{'THROTTLE_DSKIMG'} eq 'on')
{
@temp = split(/\|/,$throttle_dskimg);
foreach (@temp) { print FILE "\\.$_\$\n"; }
}
if ($proxysettings{'THROTTLE_MMEDIA'} eq 'on')
{
@temp = split(/\|/,$throttle_mmedia);
foreach (@temp) { print FILE "\\.$_\$\n"; }
}
if (-s $throttled_urls)
{
open(URLFILE, $throttled_urls);
@@ -2964,16 +2698,6 @@ sub write_acls
print FILE $proxysettings{'MIME_TYPES'};
close(FILE);
open(FILE, ">$ntlmdir/msntauth.allowusers");
flock(FILE, 2);
print FILE $proxysettings{'NTLM_ALLOW_USERS'};
close(FILE);
open(FILE, ">$ntlmdir/msntauth.denyusers");
flock(FILE, 2);
print FILE $proxysettings{'NTLM_DENY_USERS'};
close(FILE);
open(FILE, ">$raddir/radauth.allowusers");
flock(FILE, 2);
print FILE $proxysettings{'RADIUS_ALLOW_USERS'};
@@ -3332,6 +3056,11 @@ END
}
print FILE "\n";
# If we use authentication, users must always authenticate
unless ($proxysettings{"AUTH_METHOD"} eq "") {
print FILE "authenticate_ip_ttl 0\n\n";
}
if ((!($proxysettings{'AUTH_METHOD'} eq 'none')) && (!($proxysettings{'AUTH_METHOD'} eq 'ident')))
{
if ($proxysettings{'AUTH_METHOD'} eq 'ncsa')
@@ -3340,7 +3069,6 @@ END
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ldap')
@@ -3385,40 +3113,6 @@ END
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm')
{
if ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on')
{
print FILE "auth_param ntlm program $authdir/ntlm_smb_lm_auth $proxysettings{'NTLM_DOMAIN'}/$proxysettings{'NTLM_PDC'}";
if ($proxysettings{'NTLM_BDC'} eq '') { print FILE "\n"; } else { print FILE " $proxysettings{'NTLM_DOMAIN'}/$proxysettings{'NTLM_BDC'}\n"; }
print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n";
if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
} else {
print FILE "auth_param basic program $authdir/basic_msnt_auth\n";
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
open(MSNTCONF, ">$ntlmdir/msntauth.conf");
flock(MSNTCONF,2);
print MSNTCONF "server $proxysettings{'NTLM_PDC'}";
if ($proxysettings{'NTLM_BDC'} eq '') { print MSNTCONF " $proxysettings{'NTLM_PDC'}"; } else { print MSNTCONF " $proxysettings{'NTLM_BDC'}"; }
print MSNTCONF " $proxysettings{'NTLM_DOMAIN'}\n";
if ($proxysettings{'NTLM_ENABLE_ACL'} eq 'on')
{
if ($proxysettings{'NTLM_USER_ACL'} eq 'positive')
{
print MSNTCONF "allowusers $ntlmdir/msntauth.allowusers\n";
} else {
print MSNTCONF "denyusers $ntlmdir/msntauth.denyusers\n";
}
}
close(MSNTCONF);
}
}
if ($proxysettings{'AUTH_METHOD'} eq 'ntlm-auth')
@@ -3433,6 +3127,7 @@ END
print FILE "\n";
print FILE "auth_param ntlm children $proxysettings{'AUTH_CHILDREN'}\n\n";
print FILE "auth_param ntlm credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n\n";
# BASIC authentication
if ($proxysettings{'NTLM_AUTH_BASIC'} eq "on") {
@@ -3444,9 +3139,9 @@ END
print FILE " --require-membership-of=$ntlm_auth_group";
}
print FILE "\n";
print FILE "auth_param basic children 10\n";
print FILE "auth_param basic realm IPFire Web Proxy Server\n";
print FILE "auth_param basic credentialsttl 2 hours\n\n";
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n\n";
}
}
@@ -3458,22 +3153,10 @@ END
print FILE "auth_param basic children $proxysettings{'AUTH_CHILDREN'}\n";
print FILE "auth_param basic realm $authrealm\n";
print FILE "auth_param basic credentialsttl $proxysettings{'AUTH_CACHE_TTL'} minutes\n";
if (!($proxysettings{'AUTH_IPCACHE_TTL'} eq '0')) { print FILE "\nauthenticate_ip_ttl $proxysettings{'AUTH_IPCACHE_TTL'} minutes\n"; }
}
print FILE "\n";
print FILE "acl for_inetusers proxy_auth REQUIRED\n";
if (($proxysettings{'AUTH_METHOD'} eq 'ntlm') && ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on') && ($proxysettings{'NTLM_ENABLE_ACL'} eq 'on'))
{
if ((!-z "$ntlmdir/msntauth.allowusers") && ($proxysettings{'NTLM_USER_ACL'} eq 'positive'))
{
print FILE "acl for_acl_users proxy_auth \"$ntlmdir/msntauth.allowusers\"\n";
}
if ((!-z "$ntlmdir/msntauth.denyusers") && ($proxysettings{'NTLM_USER_ACL'} eq 'negative'))
{
print FILE "acl for_acl_users proxy_auth \"$ntlmdir/msntauth.denyusers\"\n";
}
}
if (($proxysettings{'AUTH_METHOD'} eq 'radius') && ($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on'))
{
if ((!-z "$raddir/radauth.allowusers") && ($proxysettings{'RADIUS_USER_ACL'} eq 'positive'))
@@ -3526,8 +3209,6 @@ END
if (($delaypools) && (!-z $acl_dst_throttle)) { print FILE "acl for_throttled_urls url_regex -i \"$acl_dst_throttle\"\n\n"; }
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE "acl with_allowed_useragents browser $browser_regexp\n\n"; }
print FILE "acl within_timeframe time ";
if ($proxysettings{'TIME_MON'} eq 'on') { print FILE "M"; }
if ($proxysettings{'TIME_TUE'} eq 'on') { print FILE "T"; }
@@ -3778,7 +3459,6 @@ END
print FILE " !within_timeframe";
} else {
print FILE " within_timeframe"; }
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
print FILE " to_ipaddr_without_auth\n";
}
if (!-z $acl_dst_noauth_dom)
@@ -3788,7 +3468,6 @@ END
print FILE " !within_timeframe";
} else {
print FILE " within_timeframe"; }
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
print FILE " to_domains_without_auth\n";
}
if (!-z $acl_dst_noauth_url)
@@ -3798,7 +3477,6 @@ END
print FILE " !within_timeframe";
} else {
print FILE " within_timeframe"; }
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
print FILE " to_hosts_without_auth\n";
}
}
@@ -3832,24 +3510,10 @@ END
{
if (!-z $disgrp) { print FILE " !for_disabled_users"; } else { print FILE " for_inetusers"; }
}
if (($proxysettings{'AUTH_METHOD'} eq 'ldap') || (($proxysettings{'AUTH_METHOD'} eq 'ntlm') && ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'off')) || ($proxysettings{'AUTH_METHOD'} eq 'radius'))
if (($proxysettings{'AUTH_METHOD'} eq 'ldap') || ($proxysettings{'AUTH_METHOD'} eq 'radius'))
{
print FILE " for_inetusers";
}
if (($proxysettings{'AUTH_METHOD'} eq 'ntlm') && ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on'))
{
if ($proxysettings{'NTLM_ENABLE_ACL'} eq 'on')
{
if (($proxysettings{'NTLM_USER_ACL'} eq 'positive') && (!-z "$ntlmdir/msntauth.allowusers"))
{
print FILE " for_acl_users";
}
if (($proxysettings{'NTLM_USER_ACL'} eq 'negative') && (!-z "$ntlmdir/msntauth.denyusers"))
{
print FILE " !for_acl_users";
}
} else { print FILE " for_inetusers"; }
}
if (($proxysettings{'AUTH_METHOD'} eq 'radius') && ($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on'))
{
if ($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on')
@@ -3877,24 +3541,10 @@ END
{
if (!-z $disgrp) { print FILE " !for_disabled_users"; } else { print FILE " for_inetusers"; }
}
if (($proxysettings{'AUTH_METHOD'} eq 'ldap') || (($proxysettings{'AUTH_METHOD'} eq 'ntlm') && ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'off')) || ($proxysettings{'AUTH_METHOD'} eq 'radius'))
if (($proxysettings{'AUTH_METHOD'} eq 'ldap') || ($proxysettings{'AUTH_METHOD'} eq 'radius'))
{
print FILE " for_inetusers";
}
if (($proxysettings{'AUTH_METHOD'} eq 'ntlm') && ($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on'))
{
if ($proxysettings{'NTLM_ENABLE_ACL'} eq 'on')
{
if (($proxysettings{'NTLM_USER_ACL'} eq 'positive') && (!-z "$ntlmdir/msntauth.allowusers"))
{
print FILE " for_acl_users";
}
if (($proxysettings{'NTLM_USER_ACL'} eq 'negative') && (!-z "$ntlmdir/msntauth.denyusers"))
{
print FILE " !for_acl_users";
}
} else { print FILE " for_inetusers"; }
}
if (($proxysettings{'AUTH_METHOD'} eq 'radius') && ($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on'))
{
if ($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on')
@@ -3920,14 +3570,6 @@ END
}
if (
(
($proxysettings{'AUTH_METHOD'} eq 'ntlm') &&
($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on') &&
($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') &&
($proxysettings{'NTLM_USER_ACL'} eq 'negative') &&
(!-z "$ntlmdir/msntauth.denyusers")
)
||
(
($proxysettings{'AUTH_METHOD'} eq 'radius') &&
($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on') &&
@@ -3956,20 +3598,11 @@ END
print FILE " !within_timeframe";
} else {
print FILE " within_timeframe"; }
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
print FILE " !on_ident_aware_hosts\n";
}
print FILE "http_access allow IPFire_networks";
if (
(
($proxysettings{'AUTH_METHOD'} eq 'ntlm') &&
($proxysettings{'NTLM_ENABLE_INT_AUTH'} eq 'on') &&
($proxysettings{'NTLM_ENABLE_ACL'} eq 'on') &&
($proxysettings{'NTLM_USER_ACL'} eq 'positive') &&
(!-z "$ntlmdir/msntauth.allowusers")
)
||
(
($proxysettings{'AUTH_METHOD'} eq 'radius') &&
($proxysettings{'RADIUS_ENABLE_ACL'} eq 'on') &&
@@ -3999,7 +3632,6 @@ END
print FILE " !within_timeframe";
} else {
print FILE " within_timeframe"; }
if ($proxysettings{'ENABLE_BROWSER_CHECK'} eq 'on') { print FILE " with_allowed_useragents"; }
print FILE "\n";
print FILE "http_access deny all\n\n";
@@ -4095,7 +3727,10 @@ END
if (($proxysettings{'ENABLE_FILTER'} eq 'on') || ($proxysettings{'ENABLE_UPDXLRATOR'} eq 'on') || ($proxysettings{'ENABLE_CLAMAV'} eq 'on'))
{
print FILE "url_rewrite_program /usr/sbin/redirect_wrapper\n";
print FILE "url_rewrite_children $proxysettings{'CHILDREN'}\n\n";
print FILE "url_rewrite_children ", &General::number_cpu_cores();
print FILE " startup=", &General::number_cpu_cores();
print FILE " idle=", &General::number_cpu_cores();
print FILE " queue-size=", &General::number_cpu_cores() * 32, "\n\n";
}
# Include file with user defined settings.

9
html/cgi-bin/vpnmain.cgi
View File

@@ -149,7 +149,12 @@ sub cleanssldatabase {
print FILE "";
close FILE;
}
if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
print FILE "";
close FILE;
}
unlink ("${General::swroot}/certs/index.txt.old");
unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
unlink ("${General::swroot}/certs/01.pem");
}
@@ -162,7 +167,11 @@ sub newcleanssldatabase {
if (! -s ">${General::swroot}/certs/index.txt") {
system ("touch ${General::swroot}/certs/index.txt");
}
if (! -s ">${General::swroot}/certs/index.txt.attr") {
system ("touch ${General::swroot}/certs/index.txt.attr");
}
unlink ("${General::swroot}/certs/index.txt.old");
unlink ("${General::swroot}/certs/index.txt.attr.old");
unlink ("${General::swroot}/certs/serial.old");
# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete
}