コード例 #1
0
function iptables_rules()
{
    $squid = new squidbee();
    $unix = new unix();
    $sock = new sockets();
    $SquidBinIpaddr = trim($sock->GET_INFO("SquidBinIpaddr"));
    if ($SquidBinIpaddr == null) {
        $SquidBinIpaddr = "0.0.0.0";
    }
    $UseTProxyMode = intval($sock->GET_INFO("UseTProxyMode"));
    $EnableArticaHotSpot = $sock->GET_INFO("EnableArticaHotSpot");
    $ssl_port = $squid->get_ssl_port();
    if (!is_numeric($squid->listen_port)) {
        $squid->listen_port = 3128;
    }
    $listen_ssl_port = $squid->listen_port + 1;
    $SSL_BUMP = $squid->SSL_BUMP;
    $iptables = $unix->find_program("iptables");
    $GLOBALS["IPTABLESBIN"] = $iptables;
    $sysctl = $unix->find_program("sysctl");
    $ips = $unix->ifconfig_interfaces_list();
    $KernelSendRedirects = $sock->GET_INFO("KernelSendRedirects");
    if (!is_numeric($KernelSendRedirects)) {
        $KernelSendRedirects = 1;
    }
    if (!is_numeric($EnableArticaHotSpot)) {
        $EnableArticaHotSpot = 0;
    }
    $EnableNatProxy = intval($sock->GET_INFO("EnableNatProxy"));
    $NatProxyServer = $sock->GET_INFO("NatProxyServer");
    $NatProxyPort = intval($sock->GET_INFO("NatProxyPort"));
    echo "Starting......: " . date("H:i:s") . " Squid iptables Rules: UseTProxyMode.....:{$UseTProxyMode}\n";
    if ($UseTProxyMode == 1) {
        disable_transparent();
        iptables_wccp_delete_all();
        $php = $unix->LOCATE_PHP5_BIN();
        echo "Starting......: " . date("H:i:s") . " Squid running Tproxy Mode\n";
        system("{$php} /usr/share/artica-postfix/exec.squid.tproxy.php");
        echo "Starting......: " . date("H:i:s") . " Squid running TProxy script...\n";
        shell_exec("/etc/init.d/tproxy start");
        return;
    }
    $php = $unix->LOCATE_PHP5_BIN();
    $GLOBALS["echobin"] = $unix->find_program("echo");
    $MARKLOG = "-m comment --comment \"ArticaSquidTransparent\"";
    $sh = array();
    $sh[] = script_startfile();
    build_progress("Creating rules...", 35);
    $sh[] = "{$GLOBALS["echobin"]} \"Patching kernel\"";
    $sh[] = "{$sysctl} -w net.ipv4.ip_forward=1 2>&1";
    $sh[] = "{$sysctl} -w net.ipv4.conf.default.send_redirects={$KernelSendRedirects} 2>&1";
    $sh[] = "{$sysctl} -w net.ipv4.conf.all.send_redirects={$KernelSendRedirects} 2>&1";
    if (is_file("/proc/sys/net/ipv4/conf/eth0/send_redirects")) {
        $sh[] = "{$sysctl} -w net.ipv4.conf.eth0.send_redirects={$KernelSendRedirects} 2>&1";
    }
    $sh[] = "{$php} /usr/share/artica-postfix/exec.squid.transparent.delete.php || true";
    $sh[] = ebtables_rules();
    $sh[] = "{$GLOBALS["echobin"]} \"Enable rules\"";
    $sh[] = "{$iptables} -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT {$MARKLOG}  || true";
    if (!$GLOBALS["EBTABLES"]) {
        $sh[] = "{$GLOBALS["echobin"]} \"Add internetT dictionary\"";
        $sh[] = "{$iptables} -t mangle -N internetT {$MARKLOG}  || true";
        $sh[] = "{$GLOBALS["echobin"]} \"Add internsslT dictionary\"";
        $sh[] = "{$iptables} -t mangle -N internsslT {$MARKLOG}  || true";
        $sh[] = "{$GLOBALS["echobin"]} \"Add mangle MARK 97 for internsslT\"";
        $sh[] = "{$iptables} -t mangle -A internsslT -j MARK --set-mark 97 {$MARKLOG}  || true";
        $sh[] = "{$GLOBALS["echobin"]} \"Add mangle MARK 96 for internetT\"";
        $sh[] = "{$iptables} -t mangle -A internetT -j MARK --set-mark 96 {$MARKLOG}  || true";
    }
    $sh[] = "{$iptables} -t nat -A OUTPUT --match owner --uid-owner squid -p tcp -j ACCEPT {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -A OUTPUT --match owner --uid-owner squid -p tcp -j ACCEPT {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -I POSTROUTING -p tcp --dport 80 -j MASQUERADE {$MARKLOG}";
    $sh[] = "{$iptables} -t nat -I POSTROUTING -p tcp --dport 443 -j MASQUERADE {$MARKLOG}";
    $sql = "SELECT *  FROM transparent_networks WHERE `enabled`=1 ORDER BY zOrder";
    $q = new mysql_squid_builder();
    $results = $q->QUERY_SQL($sql);
    while ($ligne = mysql_fetch_assoc($results)) {
        $transparent = $ligne["transparent"];
        $block = $ligne["block"];
        if ($ligne["destination_port"] == 0) {
            $ligne["destination_port"] = 80;
            if ($ligne["ssl"] == 1) {
                $ligne["destination_port"] == 443;
            }
        }
        if ($ligne["destination_port"] == 443) {
            $ligne["ssl"] = 1;
        }
        if ($ligne["destination_port"] == 80) {
            $ligne["ssl"] = 0;
        }
        if ($block == 1) {
            $sh[] = pattern_to_www($ligne);
            continue;
        }
        if ($transparent == 0) {
            $sh[] = pattern_to_direct($ligne);
            continue;
        }
        $sh[] = pattern_to_proxy($ligne, $squid->listen_port, $ssl_port);
    }
    if ($EnableNatProxy == 1) {
        $sh[] = "{$iptables} -t nat -I PREROUTING -s {$NatProxyServer}/32 -p tcp -m tcp --dport 80 {$MARKLOG} -j RETURN";
        $sh[] = "{$iptables} -t nat -I PREROUTING -s {$NatProxyServer}/32 -p tcp -m tcp --dport 443 {$MARKLOG} -j RETURN";
    }
    $sh[] = ChildsProxys();
    $sh[] = script_endfile();
    build_progress("Writing script...", 45);
    @file_put_contents("/etc/init.d/tproxy", @implode("\n", $sh));
    build_progress("Installing script...", 48);
    script_install();
}
コード例 #2
0
ファイル: exec.squid27.php プロジェクト: brucewu16899/1.6.x
function build()
{
    $sock = new sockets();
    $unix = new unix();
    $ini = new Bs_IniHandler();
    $IPADDRSSL = array();
    $IPADDRSSL2 = array();
    $ArticaSquidParameters = $sock->GET_INFO('ArticaSquidParameters');
    $visible_hostname = $ini->_params["NETWORK"]["visible_hostname"];
    if ($visible_hostname == null) {
        $visible_hostname = $unix->hostname_g();
    }
    $SquidBinIpaddr = $sock->GET_INFO("SquidBinIpaddr");
    $AllowAllNetworksInSquid = $sock->GET_INFO("AllowAllNetworksInSquid");
    if (!is_numeric($AllowAllNetworksInSquid)) {
        $AllowAllNetworksInSquid = 1;
    }
    $ini->loadString($ArticaSquidParameters);
    NETWORK_ALL_INTERFACES();
    $LISTEN_PORT = intval($ini->_params["NETWORK"]["LISTEN_PORT"]);
    $ICP_PORT = intval(trim($ini->_params["NETWORK"]["ICP_PORT"]));
    $certificate_center = $ini->_params["NETWORK"]["certificate_center"];
    $SSL_BUMP = intval($ini->_params["NETWORK"]["SSL_BUMP"]);
    $LogsWarninStop = intval($sock->GET_INFO("LogsWarninStop"));
    $ssl = false;
    if ($ICP_PORT == 0) {
        $ICP_PORT = 3130;
    }
    if ($LISTEN_PORT == 0) {
        $LISTEN_PORT = 3128;
    }
    $squid = new squidbee();
    $q = new mysql_squid_builder();
    $IPADDRS = array();
    if ($SquidBinIpaddr != null) {
        if (!isset($GLOBALS["NETWORK_ALL_INTERFACES"][$SquidBinIpaddr])) {
            $SquidBinIpaddr = null;
        } else {
            $IPADDRS[$SquidBinIpaddr] = $LISTEN_PORT;
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Listens {$SquidBinIpaddr}\n";
            }
        }
    }
    if ($SSL_BUMP == 1) {
        $ssl = true;
        $ssl_port = $squid->get_ssl_port();
    }
    if ($SquidBinIpaddr == null) {
        reset($GLOBALS["NETWORK_ALL_INTERFACES"]);
        while (list($ipaddr, $val) = each($GLOBALS["NETWORK_ALL_INTERFACES"])) {
            if ($GLOBALS["OUTPUT"]) {
                echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Listens {$ipaddr}:{$LISTEN_PORT}\n";
            }
            $IPADDRS[$ipaddr] = $LISTEN_PORT;
            $IPADDRSSL[$ipaddr] = $ssl_port;
        }
    }
    if ($GLOBALS["OUTPUT"]) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} visible hostname........: {$visible_hostname}\n";
    }
    if ($GLOBALS["OUTPUT"]) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} AllowAllNetworksInSquid.: {$AllowAllNetworksInSquid}\n";
    }
    if ($GLOBALS["OUTPUT"]) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} ICP Port................: {$ICP_PORT}\n";
    }
    if ($ssl) {
        if ($GLOBALS["OUTPUT"]) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} SSL Intercept...........: Yes - {$ssl_port}\n";
        }
        if ($GLOBALS["OUTPUT"]) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Certificate.............: {$certificate_center}\n";
        }
        $MAINSSL = $squid->SaveCertificate($certificate_center, false, false, false, true);
        $f[] = $MAINSSL[0];
        $certificate = $MAINSSL[1]["certificate"];
        $key = $MAINSSL[1]["key"];
        if ($GLOBALS["OUTPUT"]) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Certificate.............: {$certificate}\n";
        }
        if ($GLOBALS["OUTPUT"]) {
            echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} Key.....................: {$key}\n";
        }
    }
    $sql = "SELECT * FROM proxy_ports WHERE enabled=1 and transparent=1";
    $results = $q->QUERY_SQL($sql);
    $f[] = "# --------- proxy_ports enabled=1 and transparent=1 -> " . mysql_num_rows($results) . " ports";
    while ($ligne = mysql_fetch_assoc($results)) {
        $ipaddr = $ligne["ipaddr"];
        $xport = $ligne["port"];
        $transparent_text = null;
        if (!isset($GLOBALS["NETWORK_ALL_INTERFACES"][$ipaddr])) {
            $f[] = "# --------- table proxy_ports {$ipaddr}:{$xport} -> Hardware Error [" . __LINE__ . "]\n";
            $f[] = "# --------- http {$ipaddr} -> Hardware Error [" . __LINE__ . "]\n";
            continue;
        }
        if ($ssl) {
            $IPADDRSSL[$ipaddr] = $ssl_port;
        }
        $IPADDRS[$ipaddr] = $xport;
    }
    $transparent = " transparent";
    while (list($ipaddr, $xport) = each($IPADDRSSL)) {
        $IPADDRSSL2["{$ipaddr}:{$xport}"] = true;
    }
    while (list($ipaddr, $xport) = each($IPADDRS)) {
        $IPADDRS2["{$ipaddr}:{$xport}"] = true;
    }
    while (list($ipaddr, $none) = each($IPADDRS2)) {
        $f[] = "http_port {$ipaddr}{$transparent}";
    }
    if ($ssl) {
        $f[] = "# --------- https -> " . count($IPADDRSSL2) . " addresses";
        while (list($ipaddr, $none) = each($IPADDRSSL2)) {
            $f[] = "https_port {$ipaddr} transparent cert={$certificate} key={$key}";
        }
    }
    if ($AllowAllNetworksInSquid == 1) {
        $f[] = "acl localnet src all";
    }
    if ($AllowAllNetworksInSquid == 0) {
        $k = array();
        $NetworkScannerMasks = $sock->GET_INFO('NetworkScannerMasks');
        $tbl = explode("\n", $NetworkScannerMasks);
        if (is_array($tbl)) {
            while (list($num, $cidr) = each($tbl)) {
                if (trim($cidr) == null) {
                    continue;
                }
                $k[$cidr] = $cidr;
            }
        }
        if (count($this->network_array) > 0) {
            while (list($num, $val) = each($this->network_array)) {
                if ($val == null) {
                    continue;
                }
                $k[$val] = $val;
            }
        }
        if (count($k == 0)) {
            $f[] = "acl localnet src all";
        }
        if (count($k > 0)) {
            while (list($m, $l) = each($k)) {
                $s[] = $l;
            }
            $f[] = "acl localnet src " . implode(" ", $s);
        }
    }
    if ($ssl) {
    }
    $f[] = "acl all src all";
    $f[] = "acl manager proto cache_object";
    $f[] = "acl localhost src 127.0.0.1/32";
    $f[] = "acl to_localhost dst 127.0.0.0/8 0.0.0.0/32";
    $f[] = "acl SSL_ports port \"/etc/squid3/acls/SSLPorts\"";
    $f[] = "acl Safe_ports port 80\t\t# http";
    $f[] = "acl Safe_ports port 21\t\t# ftp";
    $f[] = "acl Safe_ports port 443\t\t# https";
    $f[] = "acl Safe_ports port 70\t\t# gopher";
    $f[] = "acl Safe_ports port 210\t\t# wais";
    $f[] = "acl Safe_ports port 1025-65535\t# unregistered ports";
    $f[] = "acl Safe_ports port 280\t\t# http-mgmt";
    $f[] = "acl Safe_ports port 488\t\t# gss-http";
    $f[] = "acl Safe_ports port 591\t\t# filemaker";
    $f[] = "acl Safe_ports port 777\t\t# multiling http";
    $f[] = "acl CONNECT method CONNECT";
    $f[] = "";
    $f[] = "";
    if ($sock->EnableUfdbGuard() == 1) {
        $f[] = ufdbguard27();
        $EnableUfdbGuardArtica = $sock->EnableUfdbGuardArtica();
        if (!is_file("/etc/squid3/acls/office365-nets.acl")) {
            @touch("/etc/squid3/acls/office365-nets.acl");
        }
        if (!is_file("/etc/squid3/acls/office365-domains.acl")) {
            @touch("/etc/squid3/acls/office365-domains.acl");
        }
        if (!is_file("/etc/squid3/acls/skype-nets.acl")) {
            @touch("/etc/squid3/acls/skype-nets.acl");
        }
        if (!is_file("/etc/squid3/acls/dropbox-nets.acl")) {
            @touch("/etc/squid3/acls/dropbox-nets.acl");
        }
        $f[] = "acl squidclient proto cache_object";
        $f[] = "acl MgRDest dst 127.0.0.1";
        $f[] = "acl MgRPort dst 127.0.0.1";
        $f[] = "acl MyTestPort src 127.0.0.1";
        $f[] = "acl MyLocalIpsDest dst 127.0.0.1";
        $f[] = "acl ToArticaWWW dstdomain .artica.fr .articatech.net .articatech.com";
        if ($EnableUfdbGuardArtica == 0) {
            $f[] = "acl UrlRewriteDenyList dstdomain \"/etc/squid3/url_rewrite_program.deny.db\"";
        }
        $f[] = "acl ArticaMetaWhiteDoms dstdomain \"/etc/squid3/artica-meta/whitelist-domains.db\"";
        $f[] = "acl ArticaMetaWhiteIPs dst \"/etc/squid3/artica-meta/whitelist-nets.db\"";
        $f[] = "acl BrowsersNoWebF browser -i \"/etc/squid3/acls/Browsers-nofilter.acl\"";
        $f[] = "acl whitelisted_mac_computers arp \"/etc/squid3/whitelisted-computers-by-mac.acl\"";
        $f[] = "acl office365_ips dst \"/etc/squid3/acls/office365-nets.acl\"";
        $f[] = "acl office365_www dstdomain \"/etc/squid3/acls/office365-domains.acl\"";
        $f[] = "acl skype_www dstdomain  .live.com  .skypeassets.com";
        $f[] = "acl skype_ips dst \"/etc/squid3/acls/skype-nets.acl\"";
        $f[] = "acl dropbox_ips dst \"/etc/squid3/acls/dropbox-nets.acl\"";
        $f[] = "acl dropbox_www dstdomain  .dropbox.com";
        $f[] = @file_get_contents("/etc/squid3/url_rewrite_access.conf");
    }
    $f[] = "http_access allow manager localhost";
    $f[] = "http_access deny manager";
    $f[] = "http_access deny !Safe_ports";
    $f[] = "http_access deny CONNECT !SSL_ports";
    $f[] = "http_access allow localnet";
    $f[] = "http_access deny all";
    $f[] = "icp_access allow localnet";
    $f[] = "icp_access deny all";
    $f[] = "cache_peer 127.0.0.1\tparent\t{$LISTEN_PORT}\t3130\tdefault";
    $f[] = "never_direct allow all";
    $f[] = "cache_mem 64 MB";
    $f[] = "maximum_object_size_in_memory 256 KB";
    $f[] = "memory_replacement_policy lru";
    $LOGFORMAT[] = "%>a";
    $LOGFORMAT[] = "%[ui";
    $LOGFORMAT[] = "%[un";
    $LOGFORMAT[] = "[%tl]";
    $LOGFORMAT[] = "\"%rm %ru HTTP/%rv\"";
    $LOGFORMAT[] = "%Hs";
    $LOGFORMAT[] = "%<st";
    $LOGFORMAT[] = "%Ss:";
    $LOGFORMAT[] = "%Sh";
    $LOGFORMAT[] = "UserAgent:\"%{User-Agent}>h\"";
    $LOGFORMAT[] = "Forwarded:\"%{X-Forwarded-For}>h\"";
    $f[] = "logformat common MAC:00:00:00:00:00:00 " . @implode(" ", $LOGFORMAT);
    $f[] = "access_log none";
    $f[] = "cache_store_log none";
    if ($LogsWarninStop == 0) {
        $f[] = "logfile_rotate 10";
    }
    if ($LogsWarninStop == 1) {
        $f[] = "logfile_rotate 0";
    }
    $f[] = "# emulate_httpd_log off";
    $f[] = "log_ip_on_direct on";
    $f[] = "mime_table /etc/squid27/mime.conf";
    $f[] = "# log_mime_hdrs off";
    $f[] = "pid_filename /var/run/squid/squid-nat.pid";
    $f[] = "debug_options ALL,1";
    $f[] = "log_fqdn on";
    $f[] = "client_netmask 255.255.255.255";
    $f[] = "strip_query_terms off";
    $f[] = "buffered_logs on";
    $f[] = "netdb_filename /var/log/squid/netdb_nat.state";
    if ($LogsWarninStop == 0) {
        $f[] = "cache_log /var/log/squid/cache-nat.log";
    }
    if ($LogsWarninStop == 1) {
        $f[] = "cache_log /dev/null";
    }
    $f[] = "#url_rewrite_program";
    $f[] = "# url_rewrite_children 5";
    $f[] = "# url_rewrite_concurrency 0";
    $f[] = "# url_rewrite_host_header on";
    $f[] = "refresh_pattern .\t\t0\t20%\t4320";
    $f[] = "cache_effective_user squid";
    $f[] = "cache_effective_group squid";
    $f[] = "httpd_suppress_version_string on";
    $f[] = "visible_hostname {$visible_hostname}";
    $f[] = "cache_dir null /tmp";
    $f[] = "# icon_directory /usr/share/squid27/icons";
    $f[] = "# error_directory /usr/share/squid27/errors/English";
    $f[] = "forwarded_for on";
    $f[] = "client_db on";
    $f[] = "";
    CheckFilesAndSecurity();
    @file_put_contents("/etc/squid27/squid.conf", @implode("\n", $f));
    if ($GLOBALS["OUTPUT"]) {
        echo "Starting......: " . date("H:i:s") . " [INIT]: {$GLOBALS["SERVICE_NAME"]} /etc/squid27/squid.conf done\n";
    }
}
コード例 #3
0
function ucarp_notify($nic = null, $SQUIDIP = null, $trois = null, $quatre = null, $cinq = null)
{
    if ($nic == null) {
        VirtualsIPSyslog("[Failover] No nic, no IP...");
        return;
    }
    $unix = new unix();
    $LOCATE_SQUID_BIN = $unix->LOCATE_SQUID_BIN();
    if (!is_file($LOCATE_SQUID_BIN)) {
        return;
    }
    $nohup = $unix->find_program("nohup");
    include_once dirname(__FILE__) . "/ressources/class.squid.inc";
    $sock = new sockets();
    $hasProxyTransparent = $sock->GET_INFO("hasProxyTransparent");
    if (!is_numeric($hasProxyTransparent)) {
        $hasProxyTransparent = 0;
    }
    VirtualsIPSyslog("[Failover] state UP detected {$nic}:{$SQUIDIP} Proxy Transparent mode: {$hasProxyTransparent}");
    if (is_file("/usr/share/ucarp/Master")) {
        VirtualsIPSyslog("[Failover] UP mode Master... nothing to do...");
        return;
    }
    $MAIN = unserialize(base64_decode($sock->GET_INFO("HASettings")));
    if ($MAIN["SLAVE"] != null) {
        VirtualsIPSyslog("[Failover] UP mode Master... nothing to do...");
        return;
    }
    if ($hasProxyTransparent == 0) {
        return;
    }
    $squid = new squidbee();
    $ssl_port = $squid->get_ssl_port();
    if (!is_numeric($squid->listen_port)) {
        $squid->listen_port = 3128;
    }
    $listen_ssl_port = $squid->listen_port + 1;
    $SSL_BUMP = $squid->SSL_BUMP;
    $iptables = $unix->find_program("iptables");
    $MARKLOG = "-m comment --comment \"SquidFailOverTransparent\"";
    $SQUIDPORT = $squid->listen_port;
    VirtualsIPSyslog("[Failover] UP Redirect connections from {$SQUIDIP}:80/443 to port {$SQUIDPORT}/{$ssl_port} - if ssl enabled -");
    ucarp_notify_removeiptables();
    shell_exec("{$iptables} -t nat -A PREROUTING -s {$SQUIDIP} -p tcp --dport 80 -j ACCEPT {$MARKLOG}");
    if ($SSL_BUMP == 1) {
        shell_exec("{$iptables} -t nat -A PREROUTING -s {$SQUIDIP} -p tcp --dport 443 -j ACCEPT {$MARKLOG}");
    }
    shell_exec("{$iptables} -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port {$SQUIDPORT} {$MARKLOG}");
    if ($SSL_BUMP == 1) {
        shell_exec("{$iptables} -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port {$ssl_port} {$MARKLOG}");
    }
    shell_exec("{$iptables} -t nat -A POSTROUTING -j MASQUERADE {$MARKLOG}");
    shell_exec("{$iptables} -t mangle -A PREROUTING -p tcp --dport {$SQUIDPORT} -j DROP {$MARKLOG}");
    if ($SSL_BUMP == 1) {
        shell_exec("{$iptables} -t mangle -A PREROUTING -p tcp --dport {$ssl_port} -j DROP {$MARKLOG}");
    }
    $cmd = "/etc/init.d/squid reload --script=" . basename(__FILE__);
    shell_exec("{$cmd} >/dev/null 2>&1");
    shell_exec("{$nohup} /etc/init.d/snmpd restart >/dev/null 2>&1 &");
}
コード例 #4
0
function script_tproxy()
{
    $unix = new unix();
    $ip = $unix->find_program("ip");
    $sock = new sockets();
    $squid = new squidbee();
    $SSL_BUMP = $squid->SSL_BUMP;
    $ssl_port = $squid->get_ssl_port();
    $php = $unix->LOCATE_PHP5_BIN();
    $SquidTProxyInterface = $sock->GET_INFO("SquidTProxyInterface");
    $MARKLOG = "-m comment --comment \"ArticaSquidTransparent\"";
    $echo = $unix->find_program("echo");
    $iptables = $unix->find_program("iptables");
    $modprobe = $unix->find_program("modprobe");
    $sh[] = "{$modprobe} xt_TPROXY || true";
    $sh[] = "{$modprobe} xt_socket || true";
    $sh[] = "{$modprobe} xt_mark || true";
    $sh[] = "{$modprobe} nf_nat || true";
    $sh[] = "{$modprobe} nf_conntrack_ipv4 || true";
    $sh[] = "{$modprobe} nf_conntrack || true";
    $sh[] = "{$modprobe} nf_defrag_ipv4 || true";
    $sh[] = "{$modprobe} ipt_REDIRECT || true";
    $sh[] = "{$modprobe} iptable_nat || true";
    $sh[] = "{$echo} \"Squid TProxy mode: Check routing table 'Proxy'\"";
    $sh[] = "{$php} " . __FILE__ . " --table-proxy || true";
    $sh[] = "{$ip} route del 127.0.0.1 dev lo  || true";
    $sh[] = "{$ip} route del local 127.0.0.0/24 dev lo  table local || true";
    $sh[] = "{$ip} route del local 127.0.0.0/8 del lo table local || true";
    $sh[] = "{$ip} -f inet rule add fwmark 1 lookup proxy || true";
    $sh[] = "{$ip} -f inet route add local default dev lo table proxy || true";
    $sh[] = "{$echo} 1 > /proc/sys/net/ipv4/ip_forward";
    $sh[] = "{$echo} 0 > /proc/sys/net/ipv4/conf/default/rp_filter";
    $sh[] = "{$echo} 0 > /proc/sys/net/ipv4/conf/all/rp_filter";
    $sh[] = "{$echo} 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter";
    $sh[] = "{$iptables} -t mangle -N DIVERT {$MARKLOG} || true";
    $sh[] = "{$iptables} -t mangle -A DIVERT -j MARK --set-mark 1 {$MARKLOG} || true";
    $sh[] = "{$iptables} -t mangle -A DIVERT -j ACCEPT {$MARKLOG} || true";
    $sh[] = "{$iptables}  -t mangle -A PREROUTING -p tcp -m socket -j DIVERT {$MARKLOG} || true";
    $sh[] = "{$echo} \"Squid TProxy mode: enabled in transparent mode in {$squid->listen_port} Port (SSL_BUMP={$SSL_BUMP}) SSL PORT:{$ssl_port}\"";
    $sh[] = "{$iptables}  -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port {$squid->listen_port} {$MARKLOG} || true";
    if ($SSL_BUMP == 1) {
        $sh[] = "{$iptables}  -t mangle -A PREROUTING -p tcp --dport 443 -j TPROXY --tproxy-mark 0x1/0x1 --on-port {$ssl_port} {$MARKLOG} || true";
    }
    return @implode("\n", $sh);
}