initial commit of file from CVS for e-smith-proxy on Wed 12 Jul 09:06:18 BST 2023

2023-07-12 09:06:18 +01:00
parent 1041715762
commit a376640216
68 changed files with 1794 additions and 2 deletions
--- a/root/etc/e-smith/db/configuration/defaults/squid/EnforceSafePorts
+++ b/root/etc/e-smith/db/configuration/defaults/squid/EnforceSafePorts
@@ -0,0 +1 @@
+no
--- a/root/etc/e-smith/db/configuration/defaults/squid/SafePorts
+++ b/root/etc/e-smith/db/configuration/defaults/squid/SafePorts
@@ -0,0 +1 @@
+21,70,80,81,119,210,443,563,980,1024-65535
--- a/root/etc/e-smith/db/configuration/defaults/squid/TCPPort
+++ b/root/etc/e-smith/db/configuration/defaults/squid/TCPPort
@@ -0,0 +1 @@
+3128
--- a/root/etc/e-smith/db/configuration/defaults/squid/TCPProxyPort
+++ b/root/etc/e-smith/db/configuration/defaults/squid/TCPProxyPort
@@ -0,0 +1 @@
+80:3128
--- a/root/etc/e-smith/db/configuration/defaults/squid/TransparentPort
+++ b/root/etc/e-smith/db/configuration/defaults/squid/TransparentPort
@@ -0,0 +1 @@
+3128
--- a/root/etc/e-smith/db/configuration/defaults/squid/access
+++ b/root/etc/e-smith/db/configuration/defaults/squid/access
@@ -0,0 +1 @@
+private
--- a/root/etc/e-smith/db/configuration/defaults/squid/status
+++ b/root/etc/e-smith/db/configuration/defaults/squid/status
@@ -0,0 +1 @@
+enabled
--- a/root/etc/e-smith/db/configuration/defaults/squid/type
+++ b/root/etc/e-smith/db/configuration/defaults/squid/type
@@ -0,0 +1 @@
+service
--- a/root/etc/e-smith/events/bootstrap-console-save/.gitignore
+++ b/root/etc/e-smith/events/bootstrap-console-save/.gitignore
--- a/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/proxy
+++ b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/proxy
@@ -0,0 +1,76 @@
+<!-- vim: ft=xml ts=4 sw=4 et ai:
+-->
+<lexicon lang="en-us">
+    <entry>
+        <base>Proxy settings</base>
+        <trans>Proxy settings</trans>
+    </entry>
+    <entry>
+        <base>FIRST_PAGE_DESCRIPTION</base>
+        <trans>
+            This page allows configuration of the server's 
+            proxy settings.
+
+            The server includes a transparent proxy and cache for 
+            HTTP traffic. This is enabled by default, but not enforced 
+            if the server is in &quot;serveronly&quot; mode. 
+
+            If this server is acting as an e-mail server, connections 
+            from local network clients to external SMTP servers 
+            will default to being redirected to the local e-mail server.
+        </trans>
+    </entry>
+    <entry>
+        <base>HTTP_PROXY_STATUS_DESCRIPTION</base>
+        <trans>
+            The server's HTTP proxy works to reduce overall uplink usage by
+            caching recently-visited pages. It is transparent to web browsers
+            using this server as their gateway. Enable or disable this proxy
+            with the following toggle.
+        </trans>
+    </entry>
+    <entry>
+        <base>HTTP_PROXY_STATUS_LABEL</base>
+        <trans>HTTP proxy status</trans>
+    </entry>
+    <entry>
+        <base>SMTP_PROXY_STATUS_DESCRIPTION</base>
+        <trans>
+            The server's transparent SMTP proxy works to reduce virus traffic 
+            from infected client hosts by forcing all outgoing SMTP traffic 
+            through this server if set to "enabled". 
+
+            If you wish to use an alternate SMTP server, and this server is 
+            your gateway to it, set this proxy to "disabled". Setting the 
+            proxy to "blocked" prevents all SMTP traffic to other servers, 
+            this is the default. The proxy only intercepts/blocks normal smtp 
+            (port 25) traffic.
+        </trans>
+    </entry>
+    <entry>
+        <base>SMTP_PROXY_STATUS_LABEL</base>
+        <trans>SMTP proxy status</trans>
+    </entry>
+    <entry>
+        <base>ERR_PROXY_UPDATE_FAILED</base>
+        <trans>
+            ERROR: The proxy-update event returned an error.
+        </trans>
+    </entry>
+    <entry>
+        <base>ERR_NO_SQUID_REC</base>
+        <trans>
+            ERROR: There is no squid record in the configuration database.
+        </trans>
+    </entry>
+    <entry>
+        <base>SUCCESS</base>
+        <trans>
+            The new proxy settings were applied successfully.
+        </trans>
+    </entry>
+    <entry>
+        <base>BLOCKED</base>
+        <trans>Blocked</trans>
+    </entry>
+</lexicon>
--- a/root/etc/e-smith/templates.metadata/etc/squid/squid.conf
+++ b/root/etc/e-smith/templates.metadata/etc/squid/squid.conf
@@ -0,0 +1,3 @@
+PERMS=0640
+UID="root"
+GID="squid"
--- a/root/etc/e-smith/templates/etc/crontab/squid
+++ b/root/etc/e-smith/templates/etc/crontab/squid
@@ -0,0 +1,20 @@
+{
+    return "# squid is disabled\n" unless $squid{status} eq 'enabled';
+
+    my $freq = $squid{Rotate} || 'daily';
+    my $min = int(rand(60));
+    my $hour = int(rand(5));
+    my $dow = substr(localtime,0,3);
+    
+    if ($freq eq 'hourly') {
+	return "$min * * * * root squid -k rotate\n";
+    } elsif ($freq eq 'weekly') {
+	return "$min $hour * * $dow root squid -k rotate\n";
+    } elsif ($freq eq 'monthly') {
+	return "$min $hour 15 * * root squid -k rotate\n";
+    } elsif ($freq eq 'disabled') {
+	 return "# squid rotate disabled\n";
+    } else {
+	return "$min $hour * * * root squid -k rotate\n"
+    }
+}
--- a/root/etc/e-smith/templates/etc/dhcpd.conf/11wpad
+++ b/root/etc/e-smith/templates/etc/dhcpd.conf/11wpad
@@ -0,0 +1,2 @@
+option wpad-url code 252 = text;
+
--- a/root/etc/e-smith/templates/etc/dhcpd.conf/26wpad
+++ b/root/etc/e-smith/templates/etc/dhcpd.conf/26wpad
@@ -0,0 +1,15 @@
+{
+        my $transproxy = $squid{Transparent} || "yes";
+        my $status = $squid{status} || "disabled";
+        if ($transproxy eq "yes" && $status eq "enabled")
+
+        {
+
+        $OUT .= "    option wpad-url            \"http://wpad.$DomainName/wpad.dat\";";
+}
+ else
+        {
+        $OUT .= '# wpad-url disabled';
+    }
+}
+
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/96ProxyConf
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/96ProxyConf
@@ -0,0 +1,9 @@
+{
+    foreach my $file (qw(wpad.dat proxy.pac))
+    {
+	$OUT .= "Alias /$file /etc/httpd/conf/proxy/proxy.pac\n";
+	$OUT .= "<Location /$file>\n";
+	$OUT .= "    Require ip $localAccess\n";
+	$OUT .= "</Location>\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/05directLocalhostname
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/05directLocalhostname
@@ -0,0 +1,2 @@
+    if (isPlainHostName(host))
+        return "DIRECT";
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalNetwork
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalNetwork
@@ -0,0 +1,2 @@
+    if (isInNet(host, "{ $LocalIP }", "{ $LocalNetmask }"))
+        return "DIRECT";
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalhost
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalhost
@@ -0,0 +1,2 @@
+    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
+        return "DIRECT";
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/90proxyDefault
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/90proxyDefault
@@ -0,0 +1,9 @@
+{    
+    my $enabled = $squid{status} || 'disabled';
+    my $port = $squid{TransparentPort} || 3128;
+    my $target = ($enabled eq 'enabled') ?
+	"PROXY proxy.$DomainName:$port" :
+	"DIRECT";
+
+    $OUT = '	return "' . $target . '";';
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/99endFunction
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/99endFunction
@@ -0,0 +1 @@
+\}
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/template-begin
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/template-begin
@@ -0,0 +1,2 @@
+function FindProxyForURL(url, host)
+\{
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/35transproxy
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/35transproxy
@@ -0,0 +1,38 @@
+{
+    $OUT = '';
+
+    # Create new chain to manage TransProxy stuff
+    # Note: We send all traffic destined to port 80, regardless of
+    # where it's from, since the filter table will worry about source.
+    $OUT .= "    /sbin/iptables --table nat --new-chain TransProxy\n";
+    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
+    $OUT .= "\t-p tcp --dport 80 -j TransProxy\n";
+
+    # Accept any accesses to the local IPs directly
+
+    $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
+    $OUT .= "\t--destination 127.0.0.1 --jump ACCEPT\n";
+    $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
+    $OUT .= "\t--destination $LocalIP --jump ACCEPT\n";
+
+    if (defined $ExternalIP) {
+        # Accept any accesses to the ExternalIP directly
+        $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
+        $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
+    }
+
+    my $transproxy = $squid{Transparent} || "yes";
+    my $status = $squid{status} || "disabled";
+    if ($transproxy eq "yes" && $status eq "enabled") {
+        ##my $proxyport = $squid{TransparentPort} || "3128";
+        my $proxyport = $squid{InterceptPort} || "8080";
+
+        # Otherwise, divert port 80 traffic through our proxy
+        $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
+        $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
+    } else {
+        # Or just let it go unhindered
+        $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
+        $OUT .= "\t--jump ACCEPT\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustTransProxy
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustTransProxy
@@ -0,0 +1,32 @@
+{
+    # Update any rules which may have changed, meaning
+    # - $ExternalIP
+    # - enabled/disabled
+    # - Transproxy port (unlikely)
+    my $rule = 3;
+    if (defined $ExternalIP)
+    {
+	# Accept any accesses to the ExternalIP directly
+	$OUT .= "    /sbin/iptables --table nat \\\n";
+	$OUT .= "\t--replace TransProxy $rule\\\n";
+	$OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
+	$rule++;
+    }
+    my $transproxy = $squid{Transparent} || "yes";
+    my $status = $squid{status} || "disabled";
+    if ($transproxy eq "yes" && $status eq "enabled")
+    {
+	##my $proxyport = $squid{TransparentPort} || "3128";
+	my $proxyport = $squid{InterceptPort} || "8080";
+
+	# Otherwise, divert port 80 traffic through our proxy
+	$OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
+	$OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
+    }
+    else
+    {
+	# Or just let it go unhindered
+	$OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
+	$OUT .= "\t--jump ACCEPT\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/rsyslog.conf/46squid
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/46squid
@@ -0,0 +1,2 @@
+if $programname == 'squid' then                 /var/log/squid/squid.log
+& stop
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/10HTTPPort
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/10HTTPPort
@@ -0,0 +1,13 @@
+{
+    my $transproxy = $squid{Transparent} || "yes";
+
+    if ($transproxy eq 'yes') {
+        $OUT .= "http_port $LocalIP:" . ($squid{TCPPort} || '3128') . "\n";
+        $OUT .= "http_port 127.0.0.1:" . ($squid{TCPPort} || '3128') . "\n";
+        $OUT .= "http_port $LocalIP:" . ($squid{InterceptPort} || '8080') . " intercept\n";
+        $OUT .= "http_port 127.0.0.1:" . ($squid{InterceptPort} || '8080') . " intercept\n";
+    } else {
+	$OUT .= "http_port $LocalIP:" . ($squid{TCPPort} || '3128') . "\n";
+	$OUT .= "http_port 127.0.0.1:" . ($squid{TCPPort} || '3128') . "\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/10ICPAddresses
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/10ICPAddresses
@@ -0,0 +1,4 @@
+{
+    $OUT .= "udp_incoming_address $LocalIP\n";
+    $OUT .= "udp_outgoing_address 0.0.0.0";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/10ParentCache
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/10ParentCache
@@ -0,0 +1,10 @@
+{
+    $OUT = "";
+
+    if (defined $SquidParent && $SquidParent)
+    {
+	$OUT .= "cache_peer $SquidParent parent ";
+	$OUT .= $SquidParentPort || "3128";
+	$OUT .= " 7 no-query default";
+    }
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost
@@ -0,0 +1,24 @@
+{
+    use esmith::NetworksDB;
+    use Net::IPv4Addr;
+
+    my $ndb = esmith::NetworksDB->open_ro();
+
+    my $localAccess = '';
+    foreach ($ndb->local_access_spec()){
+        # If there's a / in the network string
+        # then convert to CIDR notation
+        if (m!/!) {
+            my ($ip,$bits) = Net::IPv4Addr::ipv4_parse($_);
+            $localAccess .= "$ip/$bits ";
+        }
+        else {
+            $localAccess .= "$_ ";
+        }
+    }
+
+    $OUT .= "acl localsrc src $localAccess\n";
+    $OUT .= "acl localdst dst $localAccess\n";
+    $OUT .= "acl selfdst dst 127.0.0.1 $LocalIP\n";
+    $OUT .= "acl selfport port " . ($squid{TCPPort} || '3128');
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15SSL_ports
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15SSL_ports
@@ -0,0 +1,6 @@
+
+{
+    my @ports = split(",", ($squid{SSLPorts} || "") );
+
+    return "acl SSL_ports port 443 563 @ports";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15Safe_ports
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15Safe_ports
@@ -0,0 +1,5 @@
+{
+    my @ports = split(",", ($squid{SafePorts} || "80") );
+
+    return "acl Safe_ports port @ports";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL20CONNECT
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL20CONNECT
@@ -0,0 +1 @@
+acl CONNECT method CONNECT
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL30webdav
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL30webdav
@@ -0,0 +1 @@
+acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK 
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20PidFilename
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20PidFilename
@@ -0,0 +1,3 @@
+{
+    $OUT = "pid_filename /run/squid/squid.pid";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/24Logfile
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/24Logfile
@@ -0,0 +1 @@
+access_log /var/log/squid/access.log squid
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/25LogfileRotate
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/25LogfileRotate
@@ -0,0 +1 @@
+logfile_rotate 0
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/30append_domain
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/30append_domain
@@ -0,0 +1,3 @@
+append_domain {
+    $OUT = ".$DomainName";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/30cache_mgr
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/30cache_mgr
@@ -0,0 +1 @@
+cache_mgr { "admin\@$DomainName" }
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/30ftp_user
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/30ftp_user
@@ -0,0 +1 @@
+ftp_user { "nobody\@$DomainName" }
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access00manager
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access00manager
@@ -0,0 +1,2 @@
+http_access allow manager localsrc
+http_access deny manager
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access10notSafe_ports
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access10notSafe_ports
@@ -0,0 +1,5 @@
+{
+    return "" unless ( ($squid{EnforceSafePorts} || "no") eq "yes");
+    
+    return "http_access deny !Safe_ports";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access20denyCONNECTunlessSSL
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access20denyCONNECTunlessSSL
@@ -0,0 +1 @@
+http_access deny CONNECT !SSL_ports
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access40denySelf
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access40denySelf
@@ -0,0 +1 @@
+http_access deny selfdst selfport
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access75AllowLocal
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access75AllowLocal
@@ -0,0 +1 @@
+http_access allow localsrc
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access99denyall
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access99denyall
@@ -0,0 +1 @@
+http_access deny all
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/50icp_access50AllowAll
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/50icp_access50AllowAll
@@ -0,0 +1 @@
+icp_access allow all
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/60miss_access50AllowAll
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/60miss_access50AllowAll
@@ -0,0 +1 @@
+miss_access allow all
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/70StoreAvgObjectSize
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/70StoreAvgObjectSize
@@ -0,0 +1,11 @@
+{
+#  TAG: store_avg_object_size	(kbytes)
+#	Average object size, used to estimate number of objects your
+#	cache can hold.  See doc/Release-Notes-1.1.txt.  The default is
+#	13 KB.
+#
+# Note: At e-smith, some of our customers have had average object sizes
+# as low as 3.5 KB, so we set the limit to 3 KB to be safe.
+# - JMorrison, January 5, 2000
+# }
+store_avg_object_size 3 KB
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct50webdav
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct50webdav
@@ -0,0 +1 @@
+always_direct allow webdav 
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct80default
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct80default
@@ -0,0 +1,13 @@
+{
+    if (defined $SquidParent && $SquidParent)
+    {
+	$OUT .= "always_direct allow localdst\n";
+	$OUT .= "always_direct deny all\n";
+	$OUT .= "never_direct deny localdst\n";
+	$OUT .= "never_direct allow all";
+    }
+    else
+    {
+	$OUT .= "always_direct allow all";
+    }
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/96filedescriptor
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/96filedescriptor
@@ -0,0 +1 @@
+max_filedesc { ($squid{'MaxFileDesc'} || '4096') }
--- a/root/etc/e-smith/templates/etc/sysconfig/squid/10ALL_ORIG
+++ b/root/etc/e-smith/templates/etc/sysconfig/squid/10ALL_ORIG
@@ -0,0 +1,10 @@
+# default squid options
+SQUID_OPTS=""
+
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=100
+
+# default squid conf file
+SQUID_CONF="/etc/squid/squid.conf"
+
--- a/root/etc/e-smith/templates/etc/sysconfig/squid/20OPTS
+++ b/root/etc/e-smith/templates/etc/sysconfig/squid/20OPTS
@@ -0,0 +1,4 @@
+# specific squid options
+SQUID_OPTS="-s"
+
+
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/20unit
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/20unit
@@ -0,0 +1,4 @@
+
+[Unit]
+After=network-online.target
+
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/40service
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/40service
@@ -0,0 +1,12 @@
+[Service]
+{
+# Is there a Files limit in the configuration database
+$OUT .= "LimitNOFILE=";
+$OUT .= $squid{MaxFileDesc} || 4096;
+$OUT .= "\n";
+}
+PIDFile=/run/squid/squid.pid
+#   squid option -s  ---->> $SQUID_OPTS
+ExecStartPre=/sbin/e-smith/service-status squid
+User=root
+Group=root
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/80install
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/80install
@@ -0,0 +1,2 @@
+[Install]
+WantedBy=sme-server.target
--- a/root/etc/e-smith/web/functions/proxy
+++ b/root/etc/e-smith/web/functions/proxy
@@ -0,0 +1,62 @@
+#!/usr/bin/perl -wT
+# vim: ts=4 sw=4 et ft=xml ai:
+
+#----------------------------------------------------------------------
+# heading     : Security
+# description : Proxy settings
+# navigation  : 5000 5500
+#----------------------------------------------------------------------
+#----------------------------------------------------------------------
+# copyright (C) 1999-2003 Mitel Networks Corporation
+#----------------------------------------------------------------------
+
+use strict;
+use CGI;
+use esmith::FormMagick::Panel::proxy;
+
+eval {
+    my $q = CGI->new();
+    my $f = esmith::FormMagick::Panel::proxy->new();
+
+    $f->display();
+};
+if ($@)
+{
+    print<<EOF;
+<html>
+<head><title>Fatal error caught</title></head>
+<body bgcolor=\"#ffffff\">
+<h3>Fatal error caught</h3>
+<pre>
+$@
+</pre>
+</body>
+</html>
+EOF
+}
+
+__DATA__
+<form title="Proxy settings" header="/etc/e-smith/web/common/head.tmpl"
+    footer="/etc/e-smith/web/common/foot.tmpl">
+
+    <page
+        name="First"
+        post-event="change_settings()"
+        pre-event="print_status_message()">
+
+        <description>FIRST_PAGE_DESCRIPTION</description>
+
+        <field
+            id="http_proxy_status"
+            value="get_http_proxy_status()"
+            type="select"
+            options="'enabled' => 'ENABLED','disabled' => 'DISABLED'">
+            <description>HTTP_PROXY_STATUS_DESCRIPTION</description>
+            <label>HTTP_PROXY_STATUS_LABEL</label>
+        </field>
+
+        <subroutine src="show_smtp_proxy_status()" />
+
+        <subroutine src="print_button('SAVE')" />
+    </page>
+</form>
				`@@ -0,0 +1 @@`
				`acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK`
				`@@ -0,0 +1 @@`
				`max_filedesc { ($squid{'MaxFileDesc'} \|\| '4096') }`