Squid - Allow "all" ACL in Do Not Cache, add some hints to GUI, remove useless remount code

www/pfSense-pkg-squid/files/usr/local/pkg/squid.inc

@@ -170,7 +170,6 @@ function squid_check_ca_hashes() {
 		}
 	}
 	if ($cert_count < 10) {
-		conf_mount_rw();
 		// create ca-root hashes from ca-root-nss package
 		log_error("[squid] Creating root certificate bundle hashes from the Mozilla Project...");
 		$cas = file(SQUID_LOCALBASE . '/share/certs/ca-root-nss.crt');
@@ -361,9 +360,7 @@ fi
 
 EOD;
 
-	conf_mount_rw();
 	write_rcfile($rc);
-	conf_mount_ro();
 }
 
 /* Start sqp_monitor.sh watchdog script */
@@ -946,7 +943,8 @@ function squid_validate_cache($post, &$input_errors) {
 			if (strpos($host, '.') === 0) {
 				$host = substr($host, 1);
 			}
-			if (!is_ipaddr($host) && !is_domain($host)) {
+			// Allow "all" ACL as special case to disable any cache access
+			if (!is_ipaddr($host) && !is_domain($host) && $host != "all") {
 				$input_errors[] = "The host '$host' is not a valid IP or hostname.";
 			}
 		}
@@ -1467,13 +1465,20 @@ EOD;
 
 	$donotcache = sq_text_area_decode($settings['donotcache']);
 	if (!empty($donotcache)) {
-		file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
-		$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
-		$conf .= "cache deny donotcache\n";
+		// Allow "all" ACL as special case to disable any cache access
+		if ($donotcache == "all") {
+			$conf .= "cache deny all\n";
+		} else {
+			file_put_contents(SQUID_ACLDIR . '/donotcache.acl', $donotcache);
+			$conf .= 'acl donotcache dstdomain "' . SQUID_ACLDIR . "/donotcache.acl\"\n";
+			$conf .= "cache deny donotcache\n";
+		}
 	} elseif (file_exists(SQUID_ACLDIR . '/donotcache.acl')) {
 		unlink(SQUID_ACLDIR . '/donotcache.acl');
 	}
-	$conf .= "cache allow all\n";
+	if ($donotcache != "all") {
+		$conf .= "cache allow all\n";
+	}
 
 	return $conf.$refresh_conf;
 }
@@ -2010,8 +2015,6 @@ function squid_resync($via_rpc = "no") {
 		return;
 	}
 
-	conf_mount_rw();
-
 	// Fix user/group entry permissions
 	squid_fixup_user();
 
@@ -2049,7 +2052,6 @@ function squid_resync($via_rpc = "no") {
 	// restart Squid if enabled and reconfigure filter
 	squid_restart_services();
 	filter_configure();
-	conf_mount_ro();
 }
 
 /*
@@ -2426,4 +2428,4 @@ function squid_list_ssl_ca() {
 		}
 	}
 	return $prvca_list;
-}
+}

www/pfSense-pkg-squid/files/usr/local/pkg/squid_antivirus.inc

@@ -690,10 +690,8 @@ fi
 
 EOD;
 
-	conf_mount_rw();
 	log_error("[squid] Creating 'clamd.sh' rc script.");
 	write_rcfile($rc);
-	conf_mount_ro();
 }
 
 /* Create c-icap.sh rc script */
@@ -713,15 +711,14 @@ fi
 sleep 5
 /bin/rm -f {$cicap_pipe}
 EOF;
-	conf_mount_rw();
+
 	log_error("[squid] Creating '{$c_icap_rcfile}' rc script.");
 	write_rcfile(array(
 		"file" => "{$c_icap_rcfile}",
 		"start" => "{$cicap_start_cmd}",
 		"stop" => "{$cicap_stop_cmd}"
 		)
 	);
-	conf_mount_ro();
 }
 
 /* (Re)start antivirus services if AV features are enabled */

www/pfSense-pkg-squid/files/usr/local/pkg/squid_cache.xml

@@ -142,7 +142,9 @@
 			<description>
 				<![CDATA[
 				Enter domain(s) and/or IP address(es) that should never be cached.
-				<span class="text-info">Put each entry on a separate line.</span>
+				<span class="text-info">Put each entry on a separate line.</span><br/>
+    				Hint: To deny any access to cached objects, use <code>all</code>.
+				To match subdomains, prefix a domain with <code>.</code>
 				]]>
 			</description>
 			<type>textarea</type>