IDS: Dynamically generate and import the HTTP ports.

With this commit suricata reads the HTTP port declarations from a newly introduced external file (/var/ipfire/suricata/suricata-http-ports.yaml). This file dynamically will be generated. HTTP ports always are the default port "80" and "81" for update Accelerator and HTTP access to the WUI. In case the Web-proxy is used, the configured proxy port and/or Transparent Proxy port also will be declared as a HTTP port and written to that file. In case one of the proxy ports will be changed, the HTTP port file will be re-generated and suricate restarted if launched. Also if an old backup with snort will be restored the convert script handles the generation of the HTTP ports file. Finally the suricata-generate-http-ports-file as a tiny script which simply generates the http ports file and needs to be launched during the installation of a core update. (The script will no be required anymore, so it could be deleted afterwards.) Fixes #12308. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2026-04-26 10:52:57 +02:00 · 2020-04-03 16:25:01 +02:00
parent 6084e66e70
commit e698090e7f
6 changed files with 154 additions and 7 deletions
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2013  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2020  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -37,6 +37,8 @@ require '/var/ipfire/general-functions.pl';
 require "${General::swroot}/lang.pl";
 require "${General::swroot}/header.pl";

+require "${General::swroot}/ids-functions.pl";
+
 my @squidversion = `/usr/sbin/squid -v`;
 my $http_port='81';
 my $https_port='444';
@@ -550,6 +552,29 @@ ERROR:

 	if ($proxysettings{'VALID'} eq 'yes')
 	{
+		# Determine if suricata may needs to be restarted.
+		my $suricata_proxy_ports_changed;
+
+		# Check if the IDS is running
+		if(&IDS::ids_is_running()) {
+			my %oldproxysettings;
+
+			# Read-in current proxy settings and store them as oldsettings hash.
+			&General::readhash("${General::swroot}/proxy/advanced/settings", \%oldproxysettings);
+
+			# Check if the proxy port has been changed.
+			unless ($proxysettings{'PROXY_PORT'} eq $oldproxysettings{'PROXY_PORT'}) {
+				# Port has changed, suricata needs to be adjusted.
+				$suricata_proxy_ports_changed = 1;
+			}
+
+			# Check if the transparent port has been changed.
+			unless ($proxysettings{'TRANSPARENT_PORT'} eq $oldproxysettings{'TRANSPARENT_PORT'}) {
+				# Transparent port has changed, suricata needs to be adjusted.
+				$suricata_proxy_ports_changed = 1;
+			}
+		}
+
 		&write_acls;

 		delete $proxysettings{'SRC_SUBNETS'};
@@ -627,6 +652,15 @@ ERROR:

 		if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
 		if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+
+		# Check if the suricata_proxy_ports_changed flag has been set.
+		if ($suricata_proxy_ports_changed) {
+			# Re-generate HTTP ports file.
+			&IDS::generate_http_ports_file();
+
+			# Restart suricata.
+			&IDS::call_suricatactrl("restart");
+		}
  }
 }