From bae0cf87550ce6d985efa98cad532eebdcf58c98 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 21 Oct 2017 10:49:47 +0200 Subject: [PATCH 1/4] Remove useless conf_mount_{ro,rw} calls --- www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc index 1ddc80901d07..745ec6ff88ed 100644 --- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc +++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc @@ -170,7 +170,6 @@ function squid_check_ca_hashes() { } } if ($cert_count < 10) { - conf_mount_rw(); // create ca-root hashes from ca-root-nss package log_error("[squid] Creating root certificate bundle hashes from the Mozilla Project..."); $cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt'); @@ -361,9 +360,7 @@ fi EOD; - conf_mount_rw(); write_rcfile($rc); - conf_mount_ro(); } /* Start sqp_monitor.sh watchdog script */ @@ -2010,8 +2007,6 @@ function squid_resync($via_rpc = "no") { return; } - conf_mount_rw(); - // Fix user/group entry permissions squid_fixup_user(); @@ -2049,7 +2044,6 @@ function squid_resync($via_rpc = "no") { // restart Squid if enabled and reconfigure filter squid_restart_services(); filter_configure(); - conf_mount_ro(); } /* @@ -2426,4 +2420,4 @@ function squid_list_ssl_ca() { } } return $prvca_list; -} \ No newline at end of file +} From 21f974f67a8cd30616794b17049224e30bee0282 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 21 Oct 2017 10:51:39 +0200 Subject: [PATCH 2/4] Remove useless conf_mount_{ro,rw} calls --- .../files/usr/local/pkg/squid_antivirus.inc | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc index 29013be3327e..0570adbfdc0c 100644 --- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc 
+++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc @@ -690,10 +690,8 @@ fi EOD; - conf_mount_rw(); log_error("[squid] Creating 'clamd.sh' rc script."); write_rcfile($rc); - conf_mount_ro(); } /* Create c-icap.sh rc script */ @@ -713,7 +711,7 @@ fi sleep 5 /bin/rm -f {$cicap_pipe} EOF; - conf_mount_rw(); + log_error("[squid] Creating '{$c_icap_rcfile}' rc script."); write_rcfile(array( "file" => "{$c_icap_rcfile}", @@ -721,7 +719,6 @@ EOF; "stop" => "{$cicap_stop_cmd}" ) ); - conf_mount_ro(); } /* (Re)start antivirus services if AV features are enabled */ From 7d87607063b106399686cb42e5df8ee76e093737 Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 21 Oct 2017 11:06:05 +0200 Subject: [PATCH 3/4] Allow "all" ACL in Do Not Cache as special case to disable any cache access --- .../files/usr/local/pkg/squid.inc | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc index 745ec6ff88ed..607204cd38ff 100644 --- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc +++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc @@ -943,7 +943,8 @@ function squid_validate_cache($post, &$input_errors) { if (strpos($host, '.') === 0) { $host = substr($host, 1); } - if (!is_ipaddr($host) && !is_domain($host)) { + // Allow "all" ACL as special case to disable any cache access + if (!is_ipaddr($host) && !is_domain($host) && $host != "all") { $input_errors[] = "The host '$host' is not a valid IP or hostname."; } } 
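Review bot: The per-line exception `$host != "all"` in squid_validate_cache accepts `all` as one entry among several (and, because of the leading-dot strip a few lines above, `.all` as well), whereas the generator in the next hunk of this patch only special-cases a textarea whose entire decoded content is `all`; a mixed list therefore passes validation and a literal `all` is written into donotcache.acl as an ordinary dstdomain entry instead of disabling the cache. Reject the keyword unless it is the sole entry, e.g. `if ($host == "all" && count($entries) != 1) { $input_errors[] = "The 'all' keyword must be the only Do Not Cache entry."; }`, substituting whatever variable the surrounding loop iterates, since it is declared outside the hunk. The comparison is case-sensitive, which matches the lowercase built-in Squid ACL name the generator emits; a short comment such as `// "all" is Squid's built-in match-everything ACL; only the exact lowercase keyword is accepted` would make that intent explicit. squid_validate_cache begins before this hunk.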
@@ -1464,13 +1465,20 @@ EOD; $donotcache = sq_text_area_decode($settings['donotcache']); if (!empty($donotcache)) { - file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); - $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; - $conf .= "cache deny donotcache\n"; + // Allow "all" ACL as special case to disable any cache access + if ($donotcache == "all") { + $conf .= "cache deny all\n"; + } else { + file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache); + $conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n"; + $conf .= "cache deny donotcache\n"; + } } elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); } - $conf .= "cache allow all\n"; + if ($donotcache != "all") { + $conf .= "cache allow all\n"; + } return $conf.$refresh_conf; } From 73fcbbd180a4e04752cff397f4a0cfddc78a506f Mon Sep 17 00:00:00 2001 From: doktornotor Date: Sat, 21 Oct 2017 11:15:16 +0200 Subject: [PATCH 4/4] Allow "all" ACL in Do Not Cache as special case to disable any cache access Also add a hint about subdomains matching. --- www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml index 45873330b248..509c0f5cd0b4 100644 --- a/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml +++ b/www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml @@ -142,7 +142,9 @@ Put each entry on a separate line. + Put each entry on a separate line.
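Review bot: When `$donotcache` equals `all`, a donotcache.acl left over from an earlier domain list is never removed, because the `unlink()` sits in the `elseif` branch that only runs for an empty setting; squid.conf no longer references the file in that case, so Squid ignores it, but stale ACL content lingers in SQUID_ACLDIR. Move the cleanup into the new branch: `if ($donotcache == "all") {` / `    if (file_exists(SQUID_ACLDIR . '/donotcache.acl')) { unlink(SQUID_ACLDIR . '/donotcache.acl'); }` / `    $conf .= "cache deny all\n";`. Since `sq_text_area_decode()` is not visible here, it is unverified whether it strips the trailing newline a textarea submits; if it does not, `all` followed by a newline would take the dstdomain path rather than the special case, so comparing a trimmed value (`trim($donotcache) === "all"`) in both places would be safer than the loose `==`/`!=` used twice in this hunk. The enclosing function begins before this hunk.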
+ Hint: To deny any access to cached objects, use all.
+ To match subdomains, prefix a domain with .
 ]]>
textarea