diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
index 1ddc80901d07..607204cd38ff 100644
--- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
+++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc
@@ -170,7 +170,6 @@ function squid_check_ca_hashes() {
}
}
if ($cert_count < 10) {
- conf_mount_rw();
// create ca-root hashes from ca-root-nss package
log_error("[squid] Creating root certificate bundle hashes from the Mozilla Project...");
$cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt');
@@ -361,9 +360,7 @@ fi
EOD;
- conf_mount_rw();
write_rcfile($rc);
- conf_mount_ro();
}
/* Start sqp_monitor.sh watchdog script */
@@ -946,7 +943,8 @@ function squid_validate_cache($post, &$input_errors) {
if (strpos($host, '.') === 0) {
$host = substr($host, 1);
}
- if (!is_ipaddr($host) && !is_domain($host)) {
+ // Allow "all" ACL as special case to disable any cache access
+ if (!is_ipaddr($host) && !is_domain($host) && $host != "all") {
$input_errors[] = "The host '$host' is not a valid IP or hostname.";
}
}
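Review bot: The new `$host != "all"` exemption is evaluated per entry and after the leading dot has been stripped, so `.all` and an `all` line mixed in with real domains both pass validation, while the generator hunk further down (`if ($donotcache == "all")`) only disables caching when the whole field is exactly `all`. In those cases `all` would be written into donotcache.acl as an ordinary dstdomain entry and `cache allow all` is still emitted, so an administrator who believes caching is off gets neither an error nor the intended effect. Consider accepting the keyword only when it is the sole entry, testing it on the raw entry before the dot is removed, and comparing strictly with `$host !== "all"`. The body of squid_validate_cache, including the loop over the entries, lies outside this hunk, so the variable holding the full list is not visible here.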
@@ -1467,13 +1465,20 @@ EOD;
$donotcache = sq_text_area_decode($settings['donotcache']);
if (!empty($donotcache)) {
- file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
- $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
- $conf .= "cache deny donotcache\n";
+ // Allow "all" ACL as special case to disable any cache access
+ if ($donotcache == "all") {
+ $conf .= "cache deny all\n";
+ } else {
+ file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
+ $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
+ $conf .= "cache deny donotcache\n";
+ }
} elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
unlink(SQUID_ACLDIR . '/donotcache.acl');
}
- $conf .= "cache allow all\n";
+ if ($donotcache != "all") {
+ $conf .= "cache allow all\n";
+ }
return $conf.$refresh_conf;
}
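Review bot: `$donotcache == "all"` compares the entire decoded textarea loosely, so surrounding whitespace or a trailing newline would fall through to the else branch and write `all` into the ACL file instead of emitting `cache deny all`. Whether sq_text_area_decode can leave such whitespace is not visible here and should be confirmed. Computing the decision once, `$cache_deny_all = (trim($donotcache) === "all");`, and using that flag for both the `cache deny all` branch and the later `cache allow all` guard would keep the two conditions from drifting apart. When the `all` branch is taken, a donotcache.acl written by an earlier configuration also stays on disk, because the `elseif` cleanup is only reached for an empty field; removing it in that branch keeps the ACL directory consistent with the generated config. The enclosing function starts above this hunk.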
@@ -2010,8 +2015,6 @@ function squid_resync($via_rpc = "no") {
return;
}
- conf_mount_rw();
-
// Fix user/group entry permissions
squid_fixup_user();
@@ -2049,7 +2052,6 @@ function squid_resync($via_rpc = "no") {
// restart Squid if enabled and reconfigure filter
squid_restart_services();
filter_configure();
- conf_mount_ro();
}
/*
@@ -2426,4 +2428,4 @@ function squid_list_ssl_ca() {
}
}
return $prvca_list;
-}
\ No newline at end of file
+}
diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc
index 29013be3327e..0570adbfdc0c 100644
--- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc
+++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc
@@ -690,10 +690,8 @@ fi
EOD;
- conf_mount_rw();
log_error("[squid] Creating 'clamd.sh' rc script.");
write_rcfile($rc);
- conf_mount_ro();
}
/* Create c-icap.sh rc script */
@@ -713,7 +711,7 @@ fi
sleep 5
/bin/rm -f {$cicap_pipe}
EOF;
- conf_mount_rw();
+
log_error("[squid] Creating '{$c_icap_rcfile}' rc script.");
write_rcfile(array(
"file" => "{$c_icap_rcfile}",
@@ -721,7 +719,6 @@ EOF;
"stop" => "{$cicap_stop_cmd}"
)
);
- conf_mount_ro();
}
/* (Re)start antivirus services if AV features are enabled */
diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml
index 45873330b248..509c0f5cd0b4 100644
--- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml
+++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml
@@ -142,7 +142,9 @@
Put each entry on a separate line.
+ Put each entry on a separate line.
+ Hint: To deny any access to cached objects, use all
.
+ To match subdomains, prefix a domain with .
]]>
textarea