initial commit of file from CVS for e-smith-proxy on Wed 12 Jul 09:06:18 BST 2023

2023-07-12 09:06:18 +01:00
parent 1041715762
commit a376640216
68 changed files with 1794 additions and 2 deletions
--- a/root/etc/e-smith/templates/etc/crontab/squid
+++ b/root/etc/e-smith/templates/etc/crontab/squid
@@ -0,0 +1,20 @@
+{
+    return "# squid is disabled\n" unless $squid{status} eq 'enabled';
+
+    my $freq = $squid{Rotate} || 'daily';
+    my $min = int(rand(60));
+    my $hour = int(rand(5));
+    my $dow = substr(localtime,0,3);
+    
+    if ($freq eq 'hourly') {
+	return "$min * * * * root squid -k rotate\n";
+    } elsif ($freq eq 'weekly') {
+	return "$min $hour * * $dow root squid -k rotate\n";
+    } elsif ($freq eq 'monthly') {
+	return "$min $hour 15 * * root squid -k rotate\n";
+    } elsif ($freq eq 'disabled') {
+	 return "# squid rotate disabled\n";
+    } else {
+	return "$min $hour * * * root squid -k rotate\n"
+    }
+}
--- a/root/etc/e-smith/templates/etc/dhcpd.conf/11wpad
+++ b/root/etc/e-smith/templates/etc/dhcpd.conf/11wpad
@@ -0,0 +1,2 @@
+option wpad-url code 252 = text;
+
--- a/root/etc/e-smith/templates/etc/dhcpd.conf/26wpad
+++ b/root/etc/e-smith/templates/etc/dhcpd.conf/26wpad
@@ -0,0 +1,15 @@
+{
+        my $transproxy = $squid{Transparent} || "yes";
+        my $status = $squid{status} || "disabled";
+        if ($transproxy eq "yes" && $status eq "enabled")
+
+        {
+
+        $OUT .= "    option wpad-url            \"http://wpad.$DomainName/wpad.dat\";";
+}
+ else
+        {
+        $OUT .= '# wpad-url disabled';
+    }
+}
+
--- a/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/96ProxyConf
+++ b/root/etc/e-smith/templates/etc/httpd/conf/httpd.conf/96ProxyConf
@@ -0,0 +1,9 @@
+{
+    foreach my $file (qw(wpad.dat proxy.pac))
+    {
+	$OUT .= "Alias /$file /etc/httpd/conf/proxy/proxy.pac\n";
+	$OUT .= "<Location /$file>\n";
+	$OUT .= "    Require ip $localAccess\n";
+	$OUT .= "</Location>\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/05directLocalhostname
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/05directLocalhostname
@@ -0,0 +1,2 @@
+    if (isPlainHostName(host))
+        return "DIRECT";
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalNetwork
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalNetwork
@@ -0,0 +1,2 @@
+    if (isInNet(host, "{ $LocalIP }", "{ $LocalNetmask }"))
+        return "DIRECT";
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalhost
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/10directLocalhost
@@ -0,0 +1,2 @@
+    if (isInNet(host, "127.0.0.1", "255.255.255.255"))
+        return "DIRECT";
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/90proxyDefault
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/90proxyDefault
@@ -0,0 +1,9 @@
+{    
+    my $enabled = $squid{status} || 'disabled';
+    my $port = $squid{TransparentPort} || 3128;
+    my $target = ($enabled eq 'enabled') ?
+	"PROXY proxy.$DomainName:$port" :
+	"DIRECT";
+
+    $OUT = '	return "' . $target . '";';
+}
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/99endFunction
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/99endFunction
@@ -0,0 +1 @@
+\}
--- a/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/template-begin
+++ b/root/etc/e-smith/templates/etc/httpd/conf/proxy/proxy.pac/template-begin
@@ -0,0 +1,2 @@
+function FindProxyForURL(url, host)
+\{
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/35transproxy
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/35transproxy
@@ -0,0 +1,38 @@
+{
+    $OUT = '';
+
+    # Create new chain to manage TransProxy stuff
+    # Note: We send all traffic destined to port 80, regardless of
+    # where it's from, since the filter table will worry about source.
+    $OUT .= "    /sbin/iptables --table nat --new-chain TransProxy\n";
+    $OUT .= "    /sbin/iptables --table nat --append PREROUTING\\\n";
+    $OUT .= "\t-p tcp --dport 80 -j TransProxy\n";
+
+    # Accept any accesses to the local IPs directly
+
+    $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
+    $OUT .= "\t--destination 127.0.0.1 --jump ACCEPT\n";
+    $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
+    $OUT .= "\t--destination $LocalIP --jump ACCEPT\n";
+
+    if (defined $ExternalIP) {
+        # Accept any accesses to the ExternalIP directly
+        $OUT .= "    /sbin/iptables --table nat --append TransProxy \\\n";
+        $OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
+    }
+
+    my $transproxy = $squid{Transparent} || "yes";
+    my $status = $squid{status} || "disabled";
+    if ($transproxy eq "yes" && $status eq "enabled") {
+        ##my $proxyport = $squid{TransparentPort} || "3128";
+        my $proxyport = $squid{InterceptPort} || "8080";
+
+        # Otherwise, divert port 80 traffic through our proxy
+        $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
+        $OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
+    } else {
+        # Or just let it go unhindered
+        $OUT .= "    /sbin/iptables --table nat --append TransProxy\\\n";
+        $OUT .= "\t--jump ACCEPT\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustTransProxy
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustTransProxy
@@ -0,0 +1,32 @@
+{
+    # Update any rules which may have changed, meaning
+    # - $ExternalIP
+    # - enabled/disabled
+    # - Transproxy port (unlikely)
+    my $rule = 3;
+    if (defined $ExternalIP)
+    {
+	# Accept any accesses to the ExternalIP directly
+	$OUT .= "    /sbin/iptables --table nat \\\n";
+	$OUT .= "\t--replace TransProxy $rule\\\n";
+	$OUT .= "\t--destination \$OUTERNET --jump ACCEPT\n";
+	$rule++;
+    }
+    my $transproxy = $squid{Transparent} || "yes";
+    my $status = $squid{status} || "disabled";
+    if ($transproxy eq "yes" && $status eq "enabled")
+    {
+	##my $proxyport = $squid{TransparentPort} || "3128";
+	my $proxyport = $squid{InterceptPort} || "8080";
+
+	# Otherwise, divert port 80 traffic through our proxy
+	$OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
+	$OUT .= "\t-p TCP -j DNAT --to $LocalIP:$proxyport\n";
+    }
+    else
+    {
+	# Or just let it go unhindered
+	$OUT .= "    /sbin/iptables --table nat --replace TransProxy $rule\\\n";
+	$OUT .= "\t--jump ACCEPT\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/rsyslog.conf/46squid
+++ b/root/etc/e-smith/templates/etc/rsyslog.conf/46squid
@@ -0,0 +1,2 @@
+if $programname == 'squid' then                 /var/log/squid/squid.log
+& stop
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/10HTTPPort
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/10HTTPPort
@@ -0,0 +1,13 @@
+{
+    my $transproxy = $squid{Transparent} || "yes";
+
+    if ($transproxy eq 'yes') {
+        $OUT .= "http_port $LocalIP:" . ($squid{TCPPort} || '3128') . "\n";
+        $OUT .= "http_port 127.0.0.1:" . ($squid{TCPPort} || '3128') . "\n";
+        $OUT .= "http_port $LocalIP:" . ($squid{InterceptPort} || '8080') . " intercept\n";
+        $OUT .= "http_port 127.0.0.1:" . ($squid{InterceptPort} || '8080') . " intercept\n";
+    } else {
+	$OUT .= "http_port $LocalIP:" . ($squid{TCPPort} || '3128') . "\n";
+	$OUT .= "http_port 127.0.0.1:" . ($squid{TCPPort} || '3128') . "\n";
+    }
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/10ICPAddresses
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/10ICPAddresses
@@ -0,0 +1,4 @@
+{
+    $OUT .= "udp_incoming_address $LocalIP\n";
+    $OUT .= "udp_outgoing_address 0.0.0.0";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/10ParentCache
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/10ParentCache
@@ -0,0 +1,10 @@
+{
+    $OUT = "";
+
+    if (defined $SquidParent && $SquidParent)
+    {
+	$OUT .= "cache_peer $SquidParent parent ";
+	$OUT .= $SquidParentPort || "3128";
+	$OUT .= " 7 no-query default";
+    }
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL10localhost
@@ -0,0 +1,24 @@
+{
+    use esmith::NetworksDB;
+    use Net::IPv4Addr;
+
+    my $ndb = esmith::NetworksDB->open_ro();
+
+    my $localAccess = '';
+    foreach ($ndb->local_access_spec()){
+        # If there's a / in the network string
+        # then convert to CIDR notation
+        if (m!/!) {
+            my ($ip,$bits) = Net::IPv4Addr::ipv4_parse($_);
+            $localAccess .= "$ip/$bits ";
+        }
+        else {
+            $localAccess .= "$_ ";
+        }
+    }
+
+    $OUT .= "acl localsrc src $localAccess\n";
+    $OUT .= "acl localdst dst $localAccess\n";
+    $OUT .= "acl selfdst dst 127.0.0.1 $LocalIP\n";
+    $OUT .= "acl selfport port " . ($squid{TCPPort} || '3128');
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15SSL_ports
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15SSL_ports
@@ -0,0 +1,6 @@
+
+{
+    my @ports = split(",", ($squid{SSLPorts} || "") );
+
+    return "acl SSL_ports port 443 563 @ports";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15Safe_ports
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL15Safe_ports
@@ -0,0 +1,5 @@
+{
+    my @ports = split(",", ($squid{SafePorts} || "80") );
+
+    return "acl Safe_ports port @ports";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL20CONNECT
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL20CONNECT
@@ -0,0 +1 @@
+acl CONNECT method CONNECT
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL30webdav
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20ACL30webdav
@@ -0,0 +1 @@
+acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK 
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/20PidFilename
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/20PidFilename
@@ -0,0 +1,3 @@
+{
+    $OUT = "pid_filename /run/squid/squid.pid";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/24Logfile
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/24Logfile
@@ -0,0 +1 @@
+access_log /var/log/squid/access.log squid
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/25LogfileRotate
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/25LogfileRotate
@@ -0,0 +1 @@
+logfile_rotate 0
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/30append_domain
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/30append_domain
@@ -0,0 +1,3 @@
+append_domain {
+    $OUT = ".$DomainName";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/30cache_mgr
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/30cache_mgr
@@ -0,0 +1 @@
+cache_mgr { "admin\@$DomainName" }
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/30ftp_user
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/30ftp_user
@@ -0,0 +1 @@
+ftp_user { "nobody\@$DomainName" }
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access00manager
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access00manager
@@ -0,0 +1,2 @@
+http_access allow manager localsrc
+http_access deny manager
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access10notSafe_ports
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access10notSafe_ports
@@ -0,0 +1,5 @@
+{
+    return "" unless ( ($squid{EnforceSafePorts} || "no") eq "yes");
+    
+    return "http_access deny !Safe_ports";
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access20denyCONNECTunlessSSL
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access20denyCONNECTunlessSSL
@@ -0,0 +1 @@
+http_access deny CONNECT !SSL_ports
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access40denySelf
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access40denySelf
@@ -0,0 +1 @@
+http_access deny selfdst selfport
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access75AllowLocal
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access75AllowLocal
@@ -0,0 +1 @@
+http_access allow localsrc
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access99denyall
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/40http_access99denyall
@@ -0,0 +1 @@
+http_access deny all
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/50icp_access50AllowAll
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/50icp_access50AllowAll
@@ -0,0 +1 @@
+icp_access allow all
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/60miss_access50AllowAll
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/60miss_access50AllowAll
@@ -0,0 +1 @@
+miss_access allow all
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/70StoreAvgObjectSize
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/70StoreAvgObjectSize
@@ -0,0 +1,11 @@
+{
+#  TAG: store_avg_object_size	(kbytes)
+#	Average object size, used to estimate number of objects your
+#	cache can hold.  See doc/Release-Notes-1.1.txt.  The default is
+#	13 KB.
+#
+# Note: At e-smith, some of our customers have had average object sizes
+# as low as 3.5 KB, so we set the limit to 3 KB to be safe.
+# - JMorrison, January 5, 2000
+# }
+store_avg_object_size 3 KB
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct50webdav
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct50webdav
@@ -0,0 +1 @@
+always_direct allow webdav 
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct80default
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/80always_direct80default
@@ -0,0 +1,13 @@
+{
+    if (defined $SquidParent && $SquidParent)
+    {
+	$OUT .= "always_direct allow localdst\n";
+	$OUT .= "always_direct deny all\n";
+	$OUT .= "never_direct deny localdst\n";
+	$OUT .= "never_direct allow all";
+    }
+    else
+    {
+	$OUT .= "always_direct allow all";
+    }
+}
--- a/root/etc/e-smith/templates/etc/squid/squid.conf/96filedescriptor
+++ b/root/etc/e-smith/templates/etc/squid/squid.conf/96filedescriptor
@@ -0,0 +1 @@
+max_filedesc { ($squid{'MaxFileDesc'} || '4096') }
--- a/root/etc/e-smith/templates/etc/sysconfig/squid/10ALL_ORIG
+++ b/root/etc/e-smith/templates/etc/sysconfig/squid/10ALL_ORIG
@@ -0,0 +1,10 @@
+# default squid options
+SQUID_OPTS=""
+
+# Time to wait for Squid to shut down when asked. Should not be necessary
+# most of the time.
+SQUID_SHUTDOWN_TIMEOUT=100
+
+# default squid conf file
+SQUID_CONF="/etc/squid/squid.conf"
+
--- a/root/etc/e-smith/templates/etc/sysconfig/squid/20OPTS
+++ b/root/etc/e-smith/templates/etc/sysconfig/squid/20OPTS
@@ -0,0 +1,4 @@
+# specific squid options
+SQUID_OPTS="-s"
+
+
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/20unit
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/20unit
@@ -0,0 +1,4 @@
+
+[Unit]
+After=network-online.target
+
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/40service
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/40service
@@ -0,0 +1,12 @@
+[Service]
+{
+# Is there a Files limit in the configuration database
+$OUT .= "LimitNOFILE=";
+$OUT .= $squid{MaxFileDesc} || 4096;
+$OUT .= "\n";
+}
+PIDFile=/run/squid/squid.pid
+#   squid option -s  ---->> $SQUID_OPTS
+ExecStartPre=/sbin/e-smith/service-status squid
+User=root
+Group=root
--- a/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/80install
+++ b/root/etc/e-smith/templates/usr/lib/systemd/system/squid.service.d/50koozali.conf/80install
@@ -0,0 +1,2 @@
+[Install]
+WantedBy=sme-server.target
				`@@ -0,0 +1 @@`
				`acl webdav method PROPFIND TRACE PURGE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK`
				`@@ -0,0 +1 @@`
				`max_filedesc { ($squid{'MaxFileDesc'} \|\| '4096') }`