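/**
 * Generate one Dante (sockd) configuration per enabled SOCKS listener.
 *
 * Every row of `proxy_ports` with SOCKS=1 AND enabled=1 becomes
 * /etc/dante/conf.d/config.<ID>, followed by create_init(<ID>). When no row
 * is enabled, remove_init_parent() is called instead and nothing is written.
 *
 * Side effects: creates /home/squid/dante and /var/run/dante (owner/group
 * squid), writes the config files and, when $GLOBALS["OUTPUT"] is truthy,
 * echoes progress lines. Returns nothing; a failed SQL query returns early.
 *
 * SECURITY NOTE(review): the rules written below (`client pass` and
 * `socks pass` from 0.0.0.0/0 to 0.0.0.0/0, clientmethod/socksmethod "none")
 * make each listener an unauthenticated open SOCKS relay for anyone who can
 * reach its address. This is the original behaviour and is kept unchanged;
 * it has to be fenced by the firewall or by binding to an internal NIC only.
 */
function build_services() {
    $q = new mysql_squid_builder();
    $unix = new unix();
    if (!isset($GLOBALS["NETWORK_ALL_INTERFACES"])) {
        $GLOBALS["NETWORK_ALL_INTERFACES"] = $unix->NETWORK_ALL_INTERFACES();
    }
    if (!isset($GLOBALS["NETWORK_ALL_NICS"])) {
        // The original fills both globals from the same call; kept verbatim.
        $GLOBALS["NETWORK_ALL_NICS"] = $unix->NETWORK_ALL_INTERFACES();
    }

    // Runtime directories for sockd; best-effort, as in the original.
    @mkdir("/home/squid/dante", 0755, true);
    @mkdir("/var/run/dante", 0755, true);
    @chown("/home/squid/dante", "squid");
    @chgrp("/home/squid/dante", "squid");
    @chgrp("/var/run/dante", "squid");

    $sql = "SELECT * FROM proxy_ports WHERE SOCKS=1 AND enabled=1";
    $results = $q->QUERY_SQL($sql);
    if (!$q->ok) {
        return;
    }

    $count = mysql_num_rows($results);
    if ($GLOBALS["OUTPUT"]) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: Starting {$count} service(s)\n";
    }
    if ($count == 0) {
        remove_init_parent();
        return;
    }

    @mkdir("/etc/dante/conf.d", 0755, true);

    while ($ligne = mysql_fetch_assoc($results)) {
        // Reset per row. The original never reset $ipaddr, so a row with an
        // empty `nic` inherited the address resolved for the previous row and
        // was bound to the wrong interface instead of 0.0.0.0.
        $ipaddr = null;
        // ID is the table's numeric key; intval keeps it safe for use in the
        // config filename (no separators or traversal from the DB value).
        $ID = intval($ligne["ID"]);
        $rawPort = $ligne["port"];
        $port = intval($rawPort);
        $eth = isset($ligne["nic"]) ? trim($ligne["nic"]) : "";
        $outgoing_addr = isset($ligne["outgoing_addr"]) ? trim($ligne["outgoing_addr"]) : "";

        // A listener outside 1-65535 cannot be bound; skip it rather than emit
        // an unusable sockd.conf and an init script for it.
        if ($port < 1 || $port > 65535) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: rule {$ID}: invalid port \"{$rawPort}\", skipped\n";
            }
            continue;
        }
        // `external:` is copied verbatim into sockd.conf. Dante needs a value
        // there, and a space or newline in the field would let one DB value
        // inject further directives, so accept only a single address /
        // hostname / interface-name token.
        if ($outgoing_addr === "" || !preg_match('/^[A-Za-z0-9._:@%\-]+$/', $outgoing_addr)) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: rule {$ID}: invalid outgoing address \"{$outgoing_addr}\", skipped\n";
            }
            continue;
        }

        // Resolve the listen address from the selected NIC; unknown or empty
        // NIC means listen on all addresses.
        if ($eth !== "" && isset($GLOBALS["NETWORK_ALL_NICS"][$eth]["IPADDR"])) {
            $ipaddr = $GLOBALS["NETWORK_ALL_NICS"][$eth]["IPADDR"];
        }
        if ($ipaddr == null) {
            $ipaddr = "0.0.0.0";
        }

        if ($GLOBALS["OUTPUT"]) {
            echo "Starting......: " . date("H:i:s") .
                " [INIT]: Starting Listen {$ipaddr} port = {$port} and forward to {$outgoing_addr}\n";
        }

        $f = array();
        $f[] = "logoutput: /var/log/squid/sockd.log";
        $f[] = "internal: {$ipaddr} port = {$port}";
        $f[] = "external: {$outgoing_addr}";
        $f[] = "user.notprivileged: squid";
        $f[] = "debug: 1";
        // No client or SOCKS authentication: see the security note above.
        $f[] = "clientmethod: none";
        $f[] = "socksmethod: none";
        $f[] = "client pass {\n\t\t\tfrom: 0.0.0.0/0 port 1-65535 to: 0.0.0.0/0\n\t\t\t\n\t\t}";
        $f[] = "socks pass {";
        $f[] = "from: 0.0.0.0/0 to: 0.0.0.0/0";
        $f[] = " protocol: tcp udp";
        $f[] = "}";
        $f[] = "";

        $target = "/etc/dante/conf.d/config.{$ID}";
        // The original swallowed write failures and still created the init
        // script for a config that does not exist; report and skip instead.
        if (@file_put_contents($target, implode("\n", $f)) === false) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: rule {$ID}: unable to write {$target}, skipped\n";
            }
            continue;
        }
        create_init($ID);
    }
}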
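/**
 * Generate one frox (FTP proxy) configuration per enabled SOCKS-flagged port.
 *
 * Every row of `proxy_ports` with SOCKS=1 AND enabled=1 becomes
 * /etc/frox/conf.d/config.<ID>, followed by create_init(<ID>). When no row
 * is enabled, remove_init_parent() is called instead and nothing is written.
 *
 * Side effects: creates the runtime directories, writes the config files and,
 * when $GLOBALS["OUTPUT"] is truthy, echoes a line for every skipped rule.
 * Returns nothing; a failed SQL query returns early.
 *
 * Fixes over the original:
 *  - the first six lines written were Dante `sockd.conf` directives
 *    (logoutput:, internal:, external:, ...) pasted into a frox config,
 *    including `external: ` with an empty value; they are not frox syntax
 *    and are dropped;
 *  - $ipaddr was never reset between rows, so a row without a NIC inherited
 *    the previous row's address;
 *  - the directories the config references (/home/squid/frox,
 *    /var/run/frox) were never created — only the dante ones were;
 *  - an empty WANPROXY_PORT produced `HTTPProxy 127.0.0.1:`; caching is now
 *    left out for such a rule (per frox's own docs, no CacheModule line means
 *    no caching).
 *
 * SECURITY NOTE(review): the generated `ACL Allow * - *` (frox's own sample
 * calls this the "don't believe in security" rule) together with
 * `Listen 0.0.0.0` lets any source proxy FTP to any destination once the
 * listener is reachable. That is the original behaviour and is kept; restrict
 * it via the firewall, a NIC binding, or tighter ACL lines if the proxy is
 * exposed beyond the intended LAN.
 */
function build_services() {
    $q = new mysql_squid_builder();
    $unix = new unix();
    if (!isset($GLOBALS["NETWORK_ALL_INTERFACES"])) {
        $GLOBALS["NETWORK_ALL_INTERFACES"] = $unix->NETWORK_ALL_INTERFACES();
    }
    if (!isset($GLOBALS["NETWORK_ALL_NICS"])) {
        // The original fills both globals from the same call; kept verbatim.
        $GLOBALS["NETWORK_ALL_NICS"] = $unix->NETWORK_ALL_INTERFACES();
    }

    // Directories referenced by the generated config (WorkingDir, PidFile) plus
    // the dante ones the original created, kept in case something relies on
    // them. Best-effort, as in the original.
    $runtimeDirs = array("/home/squid/frox", "/var/run/frox", "/home/squid/dante", "/var/run/dante");
    foreach ($runtimeDirs as $dir) {
        @mkdir($dir, 0755, true);
        @chown($dir, "squid");
        @chgrp($dir, "squid");
    }

    $sql = "SELECT * FROM proxy_ports WHERE SOCKS=1 AND enabled=1";
    $results = $q->QUERY_SQL($sql);
    if (!$q->ok) {
        return;
    }
    if (mysql_num_rows($results) == 0) {
        remove_init_parent();
        return;
    }

    @mkdir("/etc/frox/conf.d", 0755, true);

    while ($ligne = mysql_fetch_assoc($results)) {
        // Reset per row (the original leaked $ipaddr across iterations).
        $ipaddr = null;
        $BindToDevice = null;
        // ID is the table's numeric key; intval keeps it safe for the filename.
        $ID = intval($ligne["ID"]);
        $rawPort = $ligne["port"];
        $port = intval($rawPort);
        $eth = isset($ligne["nic"]) ? trim($ligne["nic"]) : "";
        $WANPROXY_PORT = isset($ligne["WANPROXY_PORT"]) ? intval($ligne["WANPROXY_PORT"]) : 0;

        // frox's `Port` must be a bindable port; skip the rule otherwise.
        if ($port < 1 || $port > 65535) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: rule {$ID}: invalid port \"{$rawPort}\", skipped\n";
            }
            continue;
        }
        // The NIC name is written verbatim as `BindToDevice`; reject anything
        // that is not a single interface-name token so a stray space or
        // newline in the DB cannot turn into extra config directives.
        if ($eth !== "" && !preg_match('/^[A-Za-z0-9._:@%\-]+$/', $eth)) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: rule {$ID}: invalid interface name \"{$eth}\", skipped\n";
            }
            continue;
        }
        if ($eth !== "") {
            $BindToDevice = $eth;
            if (isset($GLOBALS["NETWORK_ALL_NICS"][$eth]["IPADDR"])) {
                $ipaddr = $GLOBALS["NETWORK_ALL_NICS"][$eth]["IPADDR"];
            }
        }
        if ($ipaddr == null) {
            $ipaddr = "0.0.0.0";
        }

        $f = array();
        $f[] = "";
        $f[] = "# Send SIGHUP after editing and it will be reread. This will fail";
        $f[] = "# completely if we are chrooted and the config file isn't within the";
        $f[] = "# dir we are chrooted to, or if we have dropped priveleges and no";
        $f[] = "# longer have permission to read it! We may also no longer have";
        $f[] = "# permission to bind to device.";
        $f[] = "";
        $f[] = "# Address to listen on - default is 0.0.0.0";
        $f[] = "#";
        $f[] = "# Listen firewall.localnet";
        $f[] = "Listen {$ipaddr}";
        $f[] = "";
        $f[] = "# Port to listen on. Must be supplied.";
        $f[] = "#";
        $f[] = "Port {$port}";
        $f[] = "";
        $f[] = "# If specified then bind to this device";
        $f[] = "#";
        if ($BindToDevice != null) {
            $f[] = "BindToDevice {$BindToDevice}";
        }
        $f[] = "";
        $f[] = "# Specify ranges for local ports to use for outgoing connections and";
        $f[] = "# for sending out in PORT commands. By default these are all between";
        $f[] = "# 40000 and 50000, but you might want to split them up if you have";
        $f[] = "# complicated firewalling rules.";
        $f[] = "#";
        $f[] = "# ControlPorts 40000-40999";
        $f[] = "# PassivePorts 41000-41999";
        $f[] = "# ActivePorts 42000-42999";
        $f[] = "";
        $f[] = "# Number of seconds of no activity before closing session";
        $f[] = "# Defaults to 3600";
        $f[] = "#";
        $f[] = "Timeout 1800";
        $f[] = "";
        $f[] = "#Maximum number of processes to fork.";
        $f[] = "#";
        $f[] = "# MaxForks 0 # For debugging -- only one connection may be served.";
        $f[] = "MaxForks 10";
        $f[] = "";
        $f[] = "# User and group to drop priveliges to. Default is not to drop.";
        $f[] = "#";
        $f[] = "User squid";
        $f[] = "Group squid";
        $f[] = "";
        $f[] = "# Directory to chroot to. Default is not to chroot. Filenames for";
        $f[] = "# other options should be within this directory, but specified";
        $f[] = "# relative to /.";
        $f[] = "#";
        $f[] = "# Chroot /usr/local/lib/frox";
        $f[] = "";
        $f[] = "# Block PORT commands asking data to be sent to ports<1024 and";
        $f[] = "# prevent incoming control stream connections from port 20 to ";
        $f[] = "# help depend against ftp bounce attacks. Defaults to on.";
        $f[] = "#";
        $f[] = "BounceDefend yes";
        $f[] = "";
        $f[] = "# If true then only accept data connections from the hosts the control";
        $f[] = "# connections are to. Breaks the rfc, and defaults to off.";
        $f[] = "#";
        $f[] = "#SameAddress on";
        $f[] = "";
        $f[] = "# Try to transparently proxy the data connections as well. Not";
        $f[] = "# necessary for most clients, and does increase security risks. Read";
        $f[] = "# README.transdata for details. Defaults to off.";
        $f[] = "#";
        $f[] = "# TransparentData yes";
        $f[] = "";
        $f[] = "# File to log to. Default is stderr";
        $f[] = "#";
        $f[] = "# LogFile /dev/null";
        $f[] = "LogFile /var/log/squid/ftp.access.log";
        $f[] = "WorkingDir /home/squid/frox";
        $f[] = "";
        $f[] = "# File to store PID in. Default is not to. If this file is not within";
        $f[] = "# the Chroot directory then it cannot be deleted on exit, but will";
        $f[] = "# otherwise work fine.";
        $f[] = "#";
        $f[] = "PidFile /var/run/frox/frox-ftp-{$ID}.pid";
        $f[] = "";
        $f[] = "# Caching options. There should be at most one CacheModule line, and";
        $f[] = "# Cache lines to give the options for that caching module. CacheModule";
        $f[] = "# is HTTP (rewrites ftp requests as HTTP and sends them to a HTTP";
        $f[] = "# proxy like squid), or local (cache files locally). The relevant";
        $f[] = "# module needs to have been compiled in at compile time. See";
        $f[] = "# FAQ for details. If there are no CacheModule lines then no";
        $f[] = "# caching will be done.";
        $f[] = "#";
        $f[] = "# CacheModule local";
        $f[] = "# Cache Dir /usr/local/lib/frox/cache/";
        $f[] = "# Cache CacheSize 400";
        $f[] = "#";
        // Without a usable upstream port the original emitted
        // `HTTPProxy 127.0.0.1:`; leave caching out instead.
        if ($WANPROXY_PORT > 0 && $WANPROXY_PORT <= 65535) {
            $f[] = "CacheModule HTTP";
            $f[] = "HTTPProxy 127.0.0.1:{$WANPROXY_PORT}";
            $f[] = "MinCacheSize 65536";
        } else {
            $f[] = "# HTTP caching disabled: no valid WANPROXY_PORT configured for this rule";
        }
        $f[] = "";
        $f[] = "# Active --> Passive conversion. If set then all outgoing connections";
        $f[] = "# from the proxy will be passive FTP, regardless of the type of the";
        $f[] = "# connection coming in. This makes firewalling a lot easier. Defaults";
        $f[] = "# to no.";
        $f[] = "#";
        $f[] = "APConv yes";
        $f[] = "";
        $f[] = "# Allow non-transparent proxying support. The user can connect";
        $f[] = "# directly to frox, and give his username as user@host:port or";
        $f[] = "# user@host. Defaults to no";
        $f[] = "#";
        $f[] = "# DoNTP yes";
        $f[] = "";
        $f[] = "#########################";
        $f[] = "# Access control lists. #";
        $f[] = "#########################";
        $f[] = "# The format is: \"ACL Allow|Deny SRC - DST [PORTS]\"";
        $f[] = "";
        $f[] = "# SRC and DST may be in the form x.x.x.x, x.x.x.x/yy, x.x.x.x/y.y.y.y,";
        $f[] = "# a dns name, or * to match everything.";
        $f[] = "#";
        $f[] = "# PORTS is a list of ports. If specified then the rule will only match";
        $f[] = "# if the destination port of the connection is in this list. This is";
        $f[] = "# likely only relevant if you are allowing non-transparent proxying of";
        $f[] = "# ftp connections (ie. DoNTP is enabled above). Specifying * is equivalent ";
        $f[] = "# to not specifying anything - all ports will be matched";
        $f[] = "#";
        $f[] = "# Any connection that matches no rules will be denied. Since there are";
        $f[] = "# no rules by default you'll need to add something to let any";
        $f[] = "# connections happen at all (look at the last example if you are";
        $f[] = "# feeling lazy/not bothered by security).";
        $f[] = "#";
        $f[] = "# # Examples:";
        $f[] = "# # Allow local network to ftp to port 21 only, and block host ftp.evil";
        $f[] = "# ACL Deny * - ftp.evil ";
        $f[] = "# ACL Allow 192.168.0.0/255.255.0.0 - * 21";
        $f[] = "#";
        $f[] = "# # Allow local network to ftp anywhere except certain dodgy ports. Network ";
        $f[] = "# # admin's machine can ftp anywhere.";
        $f[] = "# ACL Allow admin.localnet - *";
        $f[] = "# ACL Deny * - * 1-20,22-1024,6000-6007,7100";
        $f[] = "# ACL Allow 192.168.0.0/16 - * *";
        $f[] = "#";
        $f[] = "# # You don't really believe in this security stuff, and just want";
        $f[] = "# # everything to work. ";
        // Wide-open ACL: see the security note in the function header.
        $f[] = "ACL Allow * - *";
        $f[] = "";
        $f[] = "";

        $target = "/etc/frox/conf.d/config.{$ID}";
        // The original ignored write failures and still created the init
        // script for a config that does not exist; report and skip instead.
        if (@file_put_contents($target, implode("\n", $f)) === false) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: rule {$ID}: unable to write {$target}, skipped\n";
            }
            continue;
        }
        create_init($ID);
    }
}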