71 files changed, 8612 insertions, 0 deletions
diff --git a/client_wizard/scripts/do_it_client.sh b/client_wizard/scripts/do_it_client.sh
new file mode 100755
index 00000000..4a2ec587
--- /dev/null
+++ b/client_wizard/scripts/do_it_client.sh
@@ -0,0 +1,80 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +echo_debug "in $0" + +wiz_ip_net=`get_var wiz_ip_net` +wiz_ip_server=`get_var wiz_ip_server` +wiz_domain_name=`get_var wiz_domain_name` +s_trunc=${wiz_ip_net%.*} +ds=${wiz_ip_server##*.} +sc_trunc=${wiz_client_ip%.*} +dc=${wiz_client_ip##*.} + +wiz_client_name=${wiz_client_name%%.*} + +# change serial number +# $1 : file +up_serial(){ +TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1 +cat $1 > ${TMPFILE} +serial_nbm=$(date "+%Y%m%d00") +serial_f=`sed -ne "s/^\([[:space:]]*\)\([0-9]*\)\([[:space:]]*;[[:space:]]*Serial.*$\)/\2/p" ${TMPFILE}` +serial_f=$((${serial_f}+1)) +if [ ${serial_f} -le ${serial_nbm} ]; then + serial_f=${serial_nbm} +fi + +cat ${TMPFILE}\ +|sed -e "s/^\([[:space:]]*\)\([0-9]*\)\([[:space:]]*;[[:space:]]*Serial.*$\)/\1${serial_f}\3/"\ +> $1 +rm -f ${TMPFILE} +} + + + +file="/var/named/${wiz_domain_name}.db" + +bck_file ${file} + +echo "${wiz_client_name} IN A ${wiz_client_ip} ; $(date)" >> ${file} + +up_serial ${file} + + + 
+file="/var/named/${s_trunc}.rev"
+
+bck_file ${file}
+
+echo "${dc} IN PTR ${wiz_client_name}. ; $(date)" >> ${file}
+
+up_serial ${file}
+
+
+/etc/rc.d/init.d/named restart
+
+# all seems to be ok
+exit 10
diff --git a/client_wizard/scripts/test_client.sh b/client_wizard/scripts/test_client.sh
new file mode 100755
index 00000000..6a73e96d
--- /dev/null
+++ b/client_wizard/scripts/test_client.sh
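Review bot: `wiz_client_name` and `wiz_client_ip` are appended verbatim to the zone files by the two `echo ... >> ${file}` lines, and nothing in this script confirms they are a bare hostname label and a dotted quad, so a value containing whitespace, `;` or a newline becomes extra record text in the zone. As far as this hunk and test_client.sh show, the only checks are non-emptiness and the last-octet range, so add a charset check before the first `bck_file`, e.g. `case "${wiz_client_name}" in ''|*[!A-Za-z0-9-]*) echo_debug "bad client name"; exit 1;; esac`. `up_serial` also feeds whatever `sed` printed into `$((${serial_f}+1))`; if the zone has no `; Serial` line or more than one, the operand is empty or multi-line, so guard it with `[ -n "${serial_f}" ] || exit 1` right after the `sed` assignment.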
@@ -0,0 +1,93 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +echo_debug "in $0" + +wiz_ip_net=`get_var wiz_ip_net` +wiz_ip_server=`get_var wiz_ip_server` +wiz_domain_name=`get_var wiz_domain_name` +s_trunc=${wiz_ip_net%.*} +ds=${wiz_ip_server##*.} +sc_trunc=${wiz_client_ip%.*} +dc=${wiz_client_ip##*.} + +wiz_client_name=${wiz_client_name%%.*} + +if [ -z "${wiz_client_name}" ]; then + echo_debug "incorrect name" + exit 1 +fi + +if [ -z "${wiz_client_ip}" ]; then + echo_debug "incorrect address" + exit 1 +fi + +if [ -z "${sc_trunc}" ]; then + echo_debug "incorrect address" + exit 1 +fi +if [ -z "${dc}" ]; then + echo_debug "incorrect address" + exit 1 +fi + +if [ "${s_trunc}" != "${sc_trunc}" ]; then + echo_debug "range not in network" + exit 1 +fi + +if [ "${dc}" = "${ds}" -o ${dc} -le 0 -o ${dc} -gt 255 ]; then + echo_debug "bad ip" + exit 1 +fi + + +file="/var/named/${wiz_domain_name}.db" +t=`grep -E "^${wiz_client_name}[[:space:]]*IN" ${file}` +if [ -n "$t" ]; then + echo_debug "${wiz_client_name} got in 
${file}" + exit 2 +fi +t=`grep -E "^[^;]*A[[:space:]]*${wiz_client_ip}" ${file}` +if [ -n "$t" ]; then + echo_debug "${wiz_client_ip} got in ${file}" + exit 2 +fi + +file="/var/named/${s_trunc}.rev" +t=`grep -E "^${dc}[[:space:]]*IN" ${file}` +if [ -n "$t" ]; then + echo_debug "${dc} got in ${file}" + exit 2 +fi +t=`grep -E "^[^;]*PTR[[:space:]]*${wiz_client_name}" ${file}` +if [ -n "$t" ]; then + echo_debug "${wiz_client_name} got in ${file}" + exit 2 +fi + +# all seems to be ok +exit 10 diff --git a/common/scripts/check.sh b/common/scripts/check.sh new file mode 100755 index 00000000..1a96052e --- /dev/null +++ b/common/scripts/check.sh 
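Review bot: The range test `${dc} -le 0 -o ${dc} -gt 255` runs before anything confirms `${dc}` is an integer; for a last octet such as `abc`, `[` reports an integer-expression error, the `if` is simply false, and the script continues to `exit 10` as if the address were valid. Add a digits-only check ahead of that line, `case "${dc}" in ''|*[!0-9]*) echo_debug "bad ip"; exit 1;; esac`, and do the same for `${d1}`, `${d2}` and `${ds}` in dhcp_wizard/scripts/check_range.sh, which compares them with `-gt`/`-lt` in the same way. The `grep -E "^${wiz_client_name}[[:space:]]*IN"` and `"^[^;]*A[[:space:]]*${wiz_client_ip}"` lines interpolate the user's values as regular expressions: `.` in the address matches any character, and a name containing `(` or `*` makes `grep` fail, leaving `$t` empty so the duplicate check passes silently. Restrict the name to `[A-Za-z0-9-]` before it reaches `grep`, and escape the address's dots first, e.g. `ip_re=$(printf '%s' "${wiz_client_ip}" | sed 's/\./\\./g')`.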
@@ -0,0 +1,64 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard configuration +# +# $1, $2, ... : root wiz_ip_net wiz_... +# +# exit 0 if all is ok, else exit nb , where nb is the arg number that fails + +typeset -i cpt +cpt=0 + +for test in $@ ; do + + cpt=$cpt+1 + + case "$test" in + + root) + if [ ! -z "${_WIZ_DO_AS_ROOT}" ]; then + echo_debug "Emulating Root login , no problem" + else + if [ `id|sed 's/^uid=\([0-9]*\)[^0-9]*.*$/\1/'` -ne 0 ]; then + echo_debug "need to be root, exit $cpt" + exit $cpt + fi + fi + ;; + *) + ret=`get_var ${test}` + if [ -z "$ret" ]; then + echo_debug "no value for $test , exit $cpt" + exit $cpt + fi + ;; + esac + +done + +# all seems to be ok +exit 0 + diff --git a/common/scripts/check_root.sh b/common/scripts/check_root.sh new file mode 100755 index 00000000..98ae2839 --- /dev/null +++ b/common/scripts/check_root.sh 
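Review bot: `for test in $@` word-splits and globs the arguments a second time, so an argument containing spaces or `*` is re-split or expanded before the `case`; write it `for test in "$@"`. The root check runs `id` and parses it with `sed`; `if [ "$(id -u)" -ne 0 ]` gives the numeric uid directly and does not depend on the `uid=NNN(` output format — the same parse appears in common/scripts/check_root.sh. `_WIZ_DO_AS_ROOT` is taken from the environment and skips the uid check whenever it is non-empty; if that is only a test hook, say so next to it, e.g. `# _WIZ_DO_AS_ROOT: test hook that bypasses the uid check; never set it in normal use`.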
@@ -0,0 +1,51 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard basic network configuration +# +# are we root ? + +if [ ! -z "${_WIZ_DO_AS_ROOT}" ]; then + echo_debug "Emulating Root login" + exit 10 +fi + +if [ `id|sed 's/^uid=\([0-9]*\)[^0-9]*.*$/\1/'` -ne 0 ]; then + echo_debug "need to be root" + exit 1 +fi + +file=/etc/sysconfig/system +if [ ! -f ${file} ]; then + echo_debug "no ${file} ... not Mandrake system" + exit 1 +fi + + + + +# all seems to be ok +exit 10 + diff --git a/common/scripts/functions.sh b/common/scripts/functions.sh new file mode 100755 index 00000000..deca8a0a --- /dev/null +++ b/common/scripts/functions.sh 
@@ -0,0 +1,534 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000,2001 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# include for a few functions used in various scripts +# +# - this should be loaded at the beginning of every wizard - +# (wiz load it for you) + + +#[ "${wiz_loaded_function}" = "yes" ] && return 0 + + +# assume not multi line values +#(sed -e :a -e '/\\$/N; s/\\\n//; ta') +#debug function +# $1 : message +echo_debug () { +([ -n "${DEBUG_VAL}" ] && echo $1 >> ${DEBUG_VAL})||: +} + + +# back up the specified file +bck_file(){ +# $1 file +fic=$1 +if [ -f ${fic} ]; then + j=3 + for i in 2 1 ; do + [ -f ${fic}.mdk_orig.$i ] && mv -f ${fic}.mdk_orig.$i ${fic}.mdk_orig.$j + j=$i + done + cp -f ${fic} ${fic}.mdk_orig.1 +fi +} + + +rm_val(){ + grep -v -E "^[[:space:]]*$1[[:space:]]*=" +} + + +# retrive a value from config file +get_val(){ +# $1 : config file +# $2 : variable +if [ ! 
-f "${1}" -o -z "$2" ]; then + return 1 +fi +sed -n "s£^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$£\1£p" $1 2>/dev/null\ +|sed 's£^\"\(.*\)\"$£\1£' +} + +# retrive a value from config file, other version without "=" +get_val2(){ +# $1 : config file +# $2 : variable +if [ ! -f "${1}" -o -z "$2" ]; then + return 1 +fi +sed -n "s£^[[:space:]]*$2[[:space:]]\+\(.*\)[[:space:]]*$£\1£p" $1 2>/dev/null\ +|sed 's£^\"\(.*\)\"$£\1£' +} + + + +comment_val(){ +sed "s/^[[:space:]]*$1[[:space:]]*=.*$/#&/" +} + + +mod_val(){ +sed -e '\£^[[:space:]]*'"$1"'[[:space:]]*=.*$£{ +i \ +# removed by mdk_serv script on '"$(date)"' +s££#&£ +a \ +'"$1=\"$2\""' +} +' +} + +mod_val2(){ +# same as chg_val, but without "=" symbol neither "" +sed -e '\£^[[:space:]]*'"$1"'[[:space:]]\+.*$£{ +i \ +# removed by mdk_serv script on '"$(date)"' +s££#&£ +a \ +'"$1 $2"' +} +' +} + + +chg_val(){ +# $1 : config file +# $2 : variable +# $3 : new value +# $4 : "s" : silent mode + +[ -f "$1" ] || exit 1 + +#if [ -n "`grep -E \"^\[\[:space:\]\]*$2\[\[:space:\]\]*=\" \"$1\"`" ]; then + +t=`grep -c -E "^[[:space:]]*$2[[:space:]]*=" $1` + +if [ $t -ge 1 ]; then + TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1 + cat "$1" > ${TMPFILE} + (cat ${TMPFILE}|mod_val "$2" "$3" > "$1") && rm -f ${TMPFILE} +else + if [ "$4" = "s" ]; then + echo -e "\ +$2=\"$3\"\n\ +" >> "$1" + else + echo -e "\ +# added by mdk_serv script on $(date)\n\ +$2=\"$3\"\n\ +" >> "$1" + fi +fi +} + +chg_val2(){ +# same as chg_val, but without "=" symbol neither "" + +# $1 : config file +# $2 : variable +# $3 : new value +# $4 : "s" : silent mode + +[ -f "$1" ] || exit 1 + +t=`grep -c -E "^[[:space:]]*$2[[:space:]]+" $1` +if [ $t -ge 1 ]; then + TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1 + cat "$1" > ${TMPFILE} + (cat ${TMPFILE}|mod_val2 "$2" "$3" > "$1") && rm -f ${TMPFILE} +else + if [ "$4" = "s" ]; then + echo -e "\ +$2 $3\n\ +" >> "$1" + else + echo -e "\ +# added by mdk_serv script on $(date)\n\ +$2 $3\n\ +" >> "$1" + fi +fi +} + 
+ +# get_var $1 : function to retrieve stored value of wiz_variables +# - if $2 is provided, returns $2 (ok, it's a hack) +# - if the stored value is empty, returns the current one (in memory) +# - this function may return a null string if value is really not found - +get_var(){ +# $1 : name of the variable +# $2 : forcing value + +[ -z "$1" ] && return 1 + +if [ -n "$2" ]; then + echo "$2" + return 0 +fi + +file=/etc/sysconfig/mdk_serv + +case "$1" in + wiz_host_name) + t=`get_val ${file} wiz_host_name` + if [ -z "$t" ]; then + echo ${wiz_host_name} + else + echo "$t" + fi + ;; + wiz_domain_name) + t=`get_val ${file} wiz_domain_name` + if [ -z "$t" ]; then + echo ${wiz_domain_name} + else + echo "$t" + fi + ;; + wiz_device) + t=`get_val ${file} wiz_device` + if [ -z "$t" ]; then + echo ${wiz_device} + else + echo "$t" + fi + ;; + wiz_ext_dns1) + t=`get_val ${file} wiz_ext_dns1` + if [ -z "$t" ]; then + echo ${wiz_ext_dns1} + else + echo "$t" + fi + ;; + wiz_ext_dns2) + t=`get_val ${file} wiz_ext_dns2` + if [ -z "$t" ]; then + echo ${wiz_ext_dns2} + else + echo "$t" + fi + ;; + wiz_web_internal) + t=`get_val ${file} wiz_web_internal` + if [ -z "$t" ]; then + echo ${wiz_web_internal} + else + echo "$t" + fi + ;; + wiz_web_external) + t=`get_val ${file} wiz_web_external` + if [ -z "$t" ]; then + echo ${wiz_web_external} + else + echo "$t" + fi + ;; + wiz_ftp_internal) + t=`get_val ${file} wiz_ftp_internal` + if [ -z "$t" ]; then + echo ${wiz_ftp_internal} + else + echo "$t" + fi + ;; + wiz_ftp_external) + t=`get_val ${file} wiz_ftp_external` + if [ -z "$t" ]; then + echo ${wiz_ftp_external} + else + echo "$t" + fi + ;; + wiz_news_freq) + t=`get_val ${file} wiz_news_freq` + if [ -z "$t" ]; then + echo ${wiz_news_freq} + else + echo "$t" + fi + ;; + wiz_news_server) + t=`get_val ${file} wiz_news_server` + if [ -z "$t" ]; then + echo ${wiz_news_server} + else + echo "$t" + fi + ;; + wiz_banner) + t=`get_val ${file} wiz_banner` + if [ -z "$t" ]; then + echo ${wiz_banner} 
+ else + echo "$t" + fi + ;; + wiz_workgroup) + t=`get_val ${file} wiz_workgroup` + if [ -z "$t" ]; then + echo ${wiz_workgroup} + else + echo "$t" + fi + ;; + wiz_do_printer_sharing) + t=`get_val ${file} wiz_do_printer_sharing` + if [ -z "$t" ]; then + echo ${wiz_do_printer_sharing} + else + echo "$t" + fi + ;; + wiz_do_file_sharing) + t=`get_val ${file} wiz_do_file_sharing` + if [ -z "$t" ]; then + echo ${wiz_do_file_sharing} + else + echo "$t" + fi + ;; + wiz_ip_net) + wdevice=`get_val ${file} wiz_device` + nfile="/etc/sysconfig/network-scripts/ifcfg-${wdevice}" + t=`get_val ${nfile} NETWORK` + if [ -z "$t" ]; then + echo ${wiz_ip_net} + else + echo "$t" + fi + ;; + wiz_ip_netmask) + wdevice=`get_val ${file} wiz_device` + nfile="/etc/sysconfig/network-scripts/ifcfg-${wdevice}" + t=`get_val ${nfile} NETMASK` + if [ -z "$t" ]; then + echo ${wiz_ip_netmask} + else + echo "$t" + fi + ;; + wiz_ip_server) + wdevice=`get_val ${file} wiz_device` + nfile="/etc/sysconfig/network-scripts/ifcfg-${wdevice}" + t=`get_val ${nfile} IPADDR` + if [ -z "$t" ]; then + echo ${wiz_ip_server} + else + echo "$t" + fi + ;; + wiz_ip_range1) + wdevice=`get_val ${file} wiz_device` + nfile="/etc/sysconfig/network-scripts/ifcfg-${wdevice}" + twnet=`get_val ${nfile} NETWORK` + nfile=/etc/dhcpd.conf + rnge= + if [ -f ${nfile} ]; then + rnge=`sed -n -e 's/^[[:space:]]*range[[:space:]]*\([1-9\.]*\)[[:space:]].*$/\1/p' ${nfile}` + fi + [ "${rnge%.*}" == "${twnet%.*}" ] || rnge="" + if [ -z "$rnge" ]; then + echo ${wiz_ip_range1} + else + echo "$rnge" + fi + ;; + wiz_ip_range2) + wdevice=`get_val ${file} wiz_device` + nfile="/etc/sysconfig/network-scripts/ifcfg-${wdevice}" + twnet=`get_val ${nfile} NETWORK` + nfile=/etc/dhcpd.conf + rnge= + if [ -f ${nfile} ]; then + rnge=`sed -n -e 's/^[[:space:]]*range[[:space:]]*[1-9\.]*[[:space:]]*\([1-9\.]*\)[^1-9\.].*$/\1/p' ${nfile}` + fi + [ "${rnge%.*}" == "${twnet%.*}" ] || rnge="" + if [ -z "$rnge" ]; then + echo ${wiz_ip_range2} + else + echo "$rnge" + 
fi + ;; + wiz_ext_device) + t=`get_val ${file} wiz_ext_device` + if [ -z "$t" ]; then + echo ${wiz_ext_device} + else + echo "$t" + fi + ;; + wiz_extn_device) + t=`get_val /etc/sysconfig/network GATEWAYDEV` + if [ -z "$t" ]; then + echo ${wiz_extn_device} + else + echo "$t" + fi + ;; + wiz_extn_gateway) + t=`get_val /etc/sysconfig/network GATEWAY` + if [ -z "$t" ]; then + echo ${wiz_extn_gateway} + else + echo "$t" + fi + ;; + wiz_firewall_level) + t=`get_val ${file} wiz_firewall_level` + if [ -z "$t" ]; then + echo ${wiz_firewall_level} + else + echo "$t" + fi + ;; + wiz_ext_mail_relay) + postconf -h relayhost + ;; + wiz_mail_masquerade) + nfile=/etc/postfix/canonical + wdname=`get_val ${file} wiz_domain_name` + t="" + if [ -f ${nfile} ]; then + t=`sed -n -e 's/^[[:space:]]*@'"${wdname}"'[[:space:]]*@\([^[:space:]]*\)[[:space:]]*$/\1/p' ${nfile}` + fi + if [ -z "$t" -o -z "wdname" ]; then + echo ${wiz_mail_masquerade} + else + echo "$t" + fi + ;; + wiz_timezone) + nfile=/etc/sysconfig/clock + t=`get_val ${nfile} ZONE` + if [ -z "$t" ]; then + echo ${wiz_timezone} + else + echo "$t" + fi + ;; + wiz_squid_port) + nfile=/etc/squid/squid.conf + t=`get_val2 ${nfile} http_port` + if [ -z "$t" ]; then + echo ${wiz_squid_port} + else + echo "$t" + fi + ;; + wiz_squid_mem) + nfile=/etc/squid/squid.conf + t=`get_val2 ${nfile} cache_mem` + if [ -z "$t" ]; then + echo ${wiz_squid_mem} + else + t1=`echo $t|awk '{print $1}'` + t2=`echo $t|awk '{print $2}'` + if [ "$t2" == "MB" ]; then + echo $t1 + else + echo ${wiz_squid_mem} + fi + fi + ;; + wiz_squid_disk) + nfile=/etc/squid/squid.conf + # nota : only one dir : wiz_squid_defdir + export wiz_squid_defdir=`get_var wiz_squid_defdir` + t=`sed -n "s£^[[:space:]]*cache_dir[[:space:]]\+[a-z]\+[[:space:]]\+$wiz_squid_defdir[[:space:]]\+\([0-9]\+\)[[:space:]]*.*$£\1£p" $nfile 2>/dev/null` + if [ -z "$t" ]; then + echo ${wiz_squid_disk} + else + echo $t + fi + ;; + wiz_squid_level) + t=`get_val ${file} wiz_squid_level` + if [ -z "$t" 
]; then + echo ${wiz_squid_level} + else + echo "$t" + fi + ;; + wiz_squid_defdir) + t=`get_val ${file} wiz_squid_defdir` + if [ -z "$t" ]; then + [ -z "${wiz_squid_defdir}" ] && wiz_squid_defdir="/var/spool/squid" + echo ${wiz_squid_defdir} + else + echo "$t" + fi + ;; + wiz_squid_mynetw) + nfile=/etc/squid/squid.conf + t=`get_val2 ${nfile} "acl mynetwork src"` + if [ -z "$t" ]; then + echo `get_var wiz_ip_net`"/"`get_var wiz_ip_netmask` + else + echo $t + fi + ;; + wiz_squid_cachepeer) + nfile=/etc/squid/squid.conf + t=`get_val2 ${nfile} "cache_peer"` + if [ -z "$t" ]; then + echo ${wiz_squid_cachepeer} + else + echo $t|awk '{print $1}' + fi + ;; + wiz_squid_peerport) + nfile=/etc/squid/squid.conf + t=`get_val2 ${nfile} "cache_peer"` + if [ -z "$t" ]; then + echo ${wiz_squid_peerport} + else + echo $t|awk '{print $3}' + fi + ;; + + *) + return 1 + ;; +esac +} + + + + +export -f echo_debug +export -f rm_val +export -f get_val +export -f get_val2 +export -f mod_val +export -f mod_val2 +export -f chg_val +export -f chg_val2 +export -f bck_file + +export -f get_var +#export wiz_loaded_function=yes diff --git a/dhcp_wizard/scripts/check_range.sh b/dhcp_wizard/scripts/check_range.sh new file mode 100755 index 00000000..4f5de970 --- /dev/null +++ b/dhcp_wizard/scripts/check_range.sh 
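Review bot: In `get_var`'s `wiz_mail_masquerade` branch the test `[ -z "$t" -o -z "wdname" ]` compares the literal string `wdname`, which is never empty, so the empty-domain fallback it is meant to provide never fires; it should read `[ -z "$t" -o -z "$wdname" ]`. `mod_val` and `mod_val2` splice their second argument straight into the `sed` program text on the `a \` line, and `chg_val`/`chg_val2` pass the caller's value through unchanged, so a value containing a newline, `£` or a trailing backslash rewrites the sed script rather than the config file; since these values come from wizard input, reject them at the top of `chg_val` and `chg_val2`, e.g. `case "$3" in *[£\\]*|*$'\n'*) return 1;; esac`. `bck_file` copies with `cp -f`, which does not keep the original's mode, so a backup of a root-only config can come out world-readable under the default umask; `cp -pf` keeps the mode.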
@@ -0,0 +1,83 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard basic network configuration +# +# assuming : +# - C class network, mask 255.255.255.0 +# +# echo on stdout range of ip for DHCP subnet (second part of range) + +echo_debug "in $0" + +r1_trunc=${wiz_ip_range1%.*} +r2_trunc=${wiz_ip_range2%.*} +d1=${wiz_ip_range1##*.} +d2=${wiz_ip_range2##*.} + +se=`get_var wiz_ip_server` + +s_trunc=${se%.*} +ds=${se##*.} + +if [ -z "${r1_trunc}" ]; then + echo_debug "incorrect address range 1" + exit 1 +fi + +if [ -z "${r2_trunc}" ]; then + echo_debug "incorrect address range 2" + exit 1 +fi + +if [ "${s_trunc}" != "${r1_trunc}" -o "${s_trunc}" != "${r2_trunc}" ]; then + echo_debug "range not in network" + exit 1 +fi + +if [ -z "${d1}" -o -z "${d2}" ]; then + echo_debug "bad range" + exit 1 +fi + +if [ ${d1} -gt 254 -o ${d1} -lt 1 -o ${d2} -gt 254 -o ${d2} -lt 1 ]; then + echo_debug "bad range" + exit 1 +fi + +if [ ${d1} -gt ${d2} ]; then + echo_debug "bad range " + exit 1 +fi + +if [ ${ds} -ge 
${d1} -a ${ds} -le ${d2} ]; then + echo_debug "server in range" + exit 1 +fi + + +# should be ok +exit 10 + diff --git a/dhcp_wizard/scripts/compute_range1.sh b/dhcp_wizard/scripts/compute_range1.sh new file mode 100755 index 00000000..8e1f89fb --- /dev/null +++ b/dhcp_wizard/scripts/compute_range1.sh @@ -0,0 +1,51 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard basic network configuration +# +# assuming : +# - C class network, mask 255.255.255.0 +# +# echo on stdout range of ip for DHCP subnet (first part of range) + +#truncating addresses + +se=`get_var wiz_ip_server` + +s_trunc=${se%.*} +d=${se##*.} + +if [ $d -le 64 ]; then + r=65 +elif [ $d -le 128 ]; then + r=129 +else + r=1 +fi + +echo "${s_trunc}.$r" + +exit 0 + diff --git a/dhcp_wizard/scripts/compute_range2.sh b/dhcp_wizard/scripts/compute_range2.sh new file mode 100755 index 00000000..3055a6e2 --- /dev/null +++ b/dhcp_wizard/scripts/compute_range2.sh 
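Review bot: `d` comes from `get_var wiz_ip_server` and is compared with `[ $d -le 64 ]` without checking that it is set; when `get_var` prints nothing, both tests fail with an integer-expression error, the `else` branch sets `r=1`, and the script prints `.1` with exit status 0, so the caller receives a broken range and no failure. Guard the values right after the assignments, `[ -n "${s_trunc}" ] && [ -n "$d" ] || exit 1`. The same applies to dhcp_wizard/scripts/compute_range2.sh, which computes `d` and `r` the same way.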
@@ -0,0 +1,51 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard basic network configuration +# +# assuming : +# - C class network, mask 255.255.255.0 +# +# echo on stdout range of ip for DHCP subnet (second part of range) + +#truncating addresses +se=`get_var wiz_ip_server` + +s_trunc=${se%.*} +d=${se##*.} + +if [ $d -le 128 ]; then + r=254 +elif [ $d -gt 192 ]; then + r=192 +else + r=128 +fi + + +echo "${s_trunc}.$r" + +exit 0 + diff --git a/dhcp_wizard/scripts/dhcpd.conf.default b/dhcp_wizard/scripts/dhcpd.conf.default new file mode 100644 index 00000000..c2135639 --- /dev/null +++ b/dhcp_wizard/scripts/dhcpd.conf.default 
@@ -0,0 +1,27 @@
+# default file for dhcpd
+# replace __ip__ by the IP adress of the server (same server for
+# all services in this config file)
+
+server-identifier __hname__;
+default-lease-time 36000;
+max-lease-time 144000;
+ddns-update-style ad-hoc;
+
+
+subnet __net__ netmask __mask__{
+ range __rng1__ __rng2__;
+ option domain-name "__dname__";
+ option domain-name-servers __ip__;
+ option nis-servers __ip__;
+ option lpr-servers __ip__;
+ option netbios-name-servers __ip__;
+ option routers __ip__;
+ option subnet-mask __mask__;
+ option time-servers __ip__;
+ ddns-updates on;
+ ddns-domainname "__dname__";
+ ddns-rev-domainname "in-addr.arpa";
+
+}
+
+
diff --git a/dhcp_wizard/scripts/dhcpd.patch b/dhcp_wizard/scripts/dhcpd.patch
new file mode 100644
index 00000000..45d84c4b
--- /dev/null
+++ b/dhcp_wizard/scripts/dhcpd.patch
@@ -0,0 +1,13 @@
+--- dhcpd.o Wed Mar 22 18:39:19 2000
++++ dhcpd Wed Mar 22 18:40:17 2000
+@@ -25,8 +25,9 @@
+ # # Note that this work around assumes only using eth0!!!
+ # echo -n "Adding local broadcast host route: "
+ # /sbin/route add -host 255.255.255.255 dev eth0
++ [ -f /etc/sysconfig/dhcpd ] && . /etc/sysconfig/dhcpd
+ echo -n "Starting dhcpd: "
+- daemon /usr/sbin/dhcpd
++ daemon /usr/sbin/dhcpd ${INTERFACES}
+ echo
+ touch /var/lock/subsys/dhcpd
+ ;;
diff --git a/dhcp_wizard/scripts/do_it_dhcp.sh b/dhcp_wizard/scripts/do_it_dhcp.sh
new file mode 100755
index 00000000..5141b8c0
--- /dev/null
+++ b/dhcp_wizard/scripts/do_it_dhcp.sh
@@ -0,0 +1,124 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard network configuration +# +# install default dhcpd configuration for dhcp server +# assuming all dependencies are ok + +echo_debug "in $0" + +cfg_file=/etc/sysconfig/mdk_serv +# loading var +wiz_device=`get_var wiz_device` +echo_debug "wiz_device=$wiz_device" +wiz_host_name=`get_var wiz_host_name` +echo_debug "wiz_host_name=$wiz_host_name" +wiz_ip_net=`get_var wiz_ip_net` +echo_debug "wiz_ip_net=$wiz_ip_net" +wiz_ip_netmask=`get_var wiz_ip_netmask` +echo_debug "wiz_ip_netmask=$wiz_ip_netmask" +wiz_domain_name=`get_var wiz_domain_name` +echo_debug "wiz_domain_name=$wiz_domain_name" +wiz_ip_server=`get_var wiz_ip_server` +echo_debug "=wiz_ip_server=$wiz_ip_server" + +echo_debug "wiz_ip_range1 is $wiz_ip_range1" +echo_debug "wiz_ip_range2 is $wiz_ip_range2" +chg_val ${cfg_file} wiz_ip_range1 "${wiz_ip_range1}" s +chg_val ${cfg_file} wiz_ip_range2 "${wiz_ip_range2}" s + +# patch to rewrite when got new file about dhcp with 
INTERFACES value +# currently, I put the device to configure as dhcp server +# in /etc/sysconfig/dhcpd + +# ok, the new init.d/dhcp is not as wanted, still need a patch + +#[ -f /etc/sysconfig/dhcpd ] && cp -f /etc/sysconfig/dhcpd /var/tmp/wiz_bck/orig/dhcpd +bck_file /etc/sysconfig/dhcpd +echo "INTERFACES=${wiz_device}" > /etc/sysconfig/dhcpd + +# ok, the new init.d/dhcp is not as wanted, still need a patch +# now patching /etc/rc.d/init.d/dhcpd if needed + +if [ -z "`grep INTERFACES /etc/rc.d/init.d/dhcpd`" ]; then + echo_debug "now patching etc/rc.d/init.d/dhcpd" + bck_file /etc/rc.d/init.d/dhcpd + cat /etc/rc.d/init.d/dhcpd.mdk_orig.1 \ +|sed -e '/daemon \/usr\/sbin\/dhcpd/{ +i \ + if [ -f /etc/sysconfig/dhcpd ]; then\ + . /etc/sysconfig/dhcpd\ + DEV=$INTERFACES\ + fi + }' > /etc/rc.d/init.d/dhcpd + +#old version patch /etc/rc.d/init.d/dhcpd < ${CWD}/scripts/dhcpd.patch + +fi + + +# dhcpd.conf + +bck_file /etc/dhcpd.conf + +echo_debug "now putting dhcpd config file" + +cat ${CWD}/scripts/dhcpd.conf.default \ +|sed "s|__hname__|${wiz_host_name}|g" \ +|sed "s|__net__|${wiz_ip_net}|g" \ +|sed "s|__ip__|${wiz_ip_server}|g" \ +|sed "s|__mask__|${wiz_ip_netmask}|g" \ +|sed "s|__rng1__|${wiz_ip_range1}|g" \ +|sed "s|__rng2__|${wiz_ip_range2}|g" \ +|sed "s|__dname__|${wiz_domain_name}|g" \ +> /etc/dhcpd.conf + +touch /var/dhcpd/dhcpd.leases + + +# modifying webmin config + +echo_debug "modifying webmin config" + +file="/etc/webmin/dhcpd/config" +if [ -f ${file} ]; then + chg_val ${file} lease_file "/var/dhcpd/dhcpd.leases" + chg_val ${file} interfaces "${wiz_device}" +fi + + +# this part of script to be played at the very end + +echo_debug "restarting services" + +/etc/rc.d/init.d/dhcpd restart + + +# all is ok +exit 10 + + + diff --git a/dns_wizard/scripts/127.0.0.rev.default b/dns_wizard/scripts/127.0.0.rev.default new file mode 100644 index 00000000..97bf97bb --- /dev/null +++ b/dns_wizard/scripts/127.0.0.rev.default 
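Review bot: `echo "INTERFACES=${wiz_device}" > /etc/sysconfig/dhcpd` writes the wizard's device name into a file that the patched init script then reads with `. /etc/sysconfig/dhcpd` as root, so the value has to be a plain interface name before it is written; add `case "${wiz_device}" in ''|*[!A-Za-z0-9_.:-]*) echo_debug "bad device"; exit 1;; esac` before the `bck_file /etc/sysconfig/dhcpd` line. The `sed "s|__hname__|${wiz_host_name}|g"` chain has the same shape: a `|`, `&` or backslash in any substituted value changes the sed expression rather than the output, so those values need the same kind of check. `touch /var/dhcpd/dhcpd.leases` is unchecked while `/etc/rc.d/init.d/dhcpd restart` runs regardless; `touch /var/dhcpd/dhcpd.leases || exit 1` stops the wizard before restarting a daemon whose lease file could not be created. The fragment inserted into the init script sets `DEV=$INTERFACES`, but nothing in this hunk shows the `daemon` line using `DEV`, so it is worth confirming the target init script actually reads it.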
@@ -0,0 +1,17 @@
+; default file for 127.0.0.rev (to be used by bind8)
+;
+; setting a local DNS server for a local Class C network
+; with an external DNS referee for non locally resolved address
+;
+; Don't forget to upgrade the Serial number after a change
+;
+@ IN SOA localhost. root.localhost. (
+ 1999070401 ; Serial
+ 28800 ; Refresh
+ 14400 ; Retry
+ 3600000 ; Expire
+ 86400 ) ; Minimum
+ IN NS 127.0.0.1
+ IN NS __hname__.
+
+ 1 IN PTR localhost.
diff --git a/dns_wizard/scripts/check_ext_dns.sh b/dns_wizard/scripts/check_ext_dns.sh
new file mode 100755
index 00000000..e62c55b7
--- /dev/null
+++ b/dns_wizard/scripts/check_ext_dns.sh
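Review bot: `IN NS 127.0.0.1` puts an IP address where NS data must be a domain name; without a trailing dot BIND reads it relative to the zone origin (presumably 0.0.127.in-addr.arpa), so the record names a host that does not exist instead of the local resolver. Replace it with `IN NS localhost.`, which matches the primary already named in the SOA, or drop it since the following `IN NS __hname__.` line already names the server. Whether the installing script bumps the 1999070401 serial, as the file's own comment asks, is not visible in this hunk and is worth checking.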
@@ -0,0 +1,82 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard external dns configuration +# +# checking if the provided network address is correct + +# ip is tested as ip=a.b.c.d + +if [ -n "${wiz_ext_dns1}" ]; then + +a=${wiz_ext_dns1%%.*} +b=`echo ${wiz_ext_dns1}|sed -n -e 's/^[0-9]\{1,3\}\.\([0-9]\{1,3\}\)\..*$/\1/p'` +c=`echo ${wiz_ext_dns1}|sed -n -e 's/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.\([0-9]\{1,3\}\)\..*$/\1/p'` +d=${wiz_ext_dns1##*.} + +echo_debug "ip1 -$a-$b-$c-$d-" + +if [ -z "$a" -o -z "$b" -o -z "$c" -o -z "$d" ]; then + echo_debug "incomplete ip" + exit 1 +fi + +if [ $a -gt 255 -o $b -gt 255 -o $c -gt 255 -o $d -gt 255 ]; then + echo_debug "not a network ip" + exit 1 +fi + +fi + + +if [ -n "${wiz_ext_dns2}" ]; then + +a=${wiz_ext_dns2%%.*} +b=`echo ${wiz_ext_dns2}|sed -n -e 's/^[0-9]\{1,3\}\.\([0-9]\{1,3\}\)\..*$/\1/p'` +c=`echo ${wiz_ext_dns2}|sed -n -e 's/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.\([0-9]\{1,3\}\)\..*$/\1/p'` +d=${wiz_ext_dns2##*.} + +echo_debug "ip2 -$a-$b-$c-$d-" + +if [ -z 
"$a" -o -z "$b" -o -z "$c" -o -z "$d" ]; then + echo_debug "incomplete ip" + exit 1 +fi + +if [ $a -gt 255 -o $b -gt 255 -o $c -gt 255 -o $d -gt 255 ]; then + echo_debug "not a network ip" + exit 1 +fi + +fi + +if [ -z "${wiz_ext_dns1}" -a -z "${wiz_ext_dns2}" ]; then + echo_debug "warning, no DNS address" + exit 2 +fi + + +# all seems to be ok +exit 10 diff --git a/dns_wizard/scripts/do_it_dns.sh b/dns_wizard/scripts/do_it_dns.sh new file mode 100755 index 00000000..84807609 --- /dev/null +++ b/dns_wizard/scripts/do_it_dns.sh 
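Review bot: The octet range tests (`[ $a -gt 255 -o $b -gt 255 -o $c -gt 255 -o $d -gt 255 ]`) run on fragments that were never confirmed to be numeric: `${wiz_ext_dns1##*.}` keeps whatever follows the last dot, so a value like `10.0.0.x` makes `[` fail with an error instead of rejecting, the `if` evaluates false, and the script falls through to `exit 10`; `10.0.0.1.5` passes outright because only the first and last fields are examined by the `-z` tests. Put an anchored shape check before the arithmetic, e.g. `echo "${wiz_ext_dns1}" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo_debug "not an ip"; exit 1; }`, and quote `"$a"` etc. in the numeric tests. This is the only gate on the value, which do_it_dns.sh later substitutes verbatim into the `forwarders` block of named.conf. The dns1 and dns2 blocks differ only in the variable name; a `check_ip` function called twice would keep the two in step.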
@@ -0,0 +1,177 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard dns configuration +# +# install default dns configuration for server +# assuming all dependencies are ok + +wiz_ip_net=`get_var wiz_ip_net` +wiz_ip_server=`get_var wiz_ip_server` +wiz_domain_name=`get_var wiz_domain_name` +wiz_host_name=`get_var wiz_host_name` +s_trunc=${wiz_ip_net%.*} +ds=${wiz_ip_server##*.} +host=${wiz_host_name%%.*} + + +# change serial number +# $1 : file +up_serial(){ +TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1 +cat $1 > ${TMPFILE} +serial_nbm=$(date "+%Y%m%d00") +serial_f=`sed -ne "s/^\([[:space:]]*\)\([0-9]*\)\([[:space:]]*;[[:space:]]*Serial.*$\)/\2/p" ${TMPFILE}` +serial_f=$((${serial_f}+1)) +if [ ${serial_f} -le ${serial_nbm} ]; then + serial_f=${serial_nbm} +fi + +cat ${TMPFILE}\ +|sed -e "s/^\([[:space:]]*\)\([0-9]*\)\([[:space:]]*;[[:space:]]*Serial.*$\)/\1${serial_f}\3/"\ +> $1 +rm -f ${TMPFILE} +} + + + + + + + +# host.conf +bck_file /etc/host.conf +cat ${CWD}/scripts/host.conf.default > 
/etc/host.conf + +# named.conf +file=/etc/named.conf +bck_file ${file} + +echo_debug "now putting ${file} configuration" + +reversenet=`echo ${wiz_ip_net}|sed -e 's/^\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)\.[0-9]*$/\3\.\2\.\1/'` +echo_debug "reversenet : ${reversenet}" + +cat ${CWD}/scripts/named.conf.default > /var/tmp/named.conf.default + +if [ -z "${wiz_ext_dns1}" ]; then + TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1 + cat /var/tmp/named.conf.default > ${TMPFILE} + cat ${TMPFILE}|sed -e "s/^.*__ISPNS1__.*$/\/\/&/" >/var/tmp/named.conf.default + rm -f ${TMPFILE} +fi +if [ -z "${wiz_ext_dns2}" ]; then + TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1 + cat /var/tmp/named.conf.default > ${TMPFILE} + cat ${TMPFILE}|sed -e "s/^.*__ISPNS2__.*$/\/\/&/" >/var/tmp/named.conf.default + rm -f ${TMPFILE} +fi + +cat /var/tmp/named.conf.default \ +|sed "s|__ISPNS1__|${wiz_ext_dns1}|g" \ +|sed "s|__ISPNS2__|${wiz_ext_dns2}|g" \ +|sed "s|__dname__|${wiz_domain_name}|g" \ +|sed "s|__revnet__|${reversenet}|g" \ +|sed "s|__net__|${s_trunc}|g" \ +> ${file} + +# Bug fix for bind 9: +touch /etc/rndc.key + +# root.hints +file=/var/named/root.hints +bck_file ${file} + +cat ${CWD}/scripts/root.hints.default > ${file} + +# 127.0.0.rev +file=/var/named/127.0.0.rev +bck_file ${file} + +cat ${CWD}/scripts/127.0.0.rev.default \ +|sed "s|__hname__|${wiz_host_name}|g" \ +> ${file} + +up_serial ${file} + +# ipnet.rev + +file=/var/named/${s_trunc}.rev +echo_debug "config about ${file}" +bck_file ${file} + +cat ${CWD}/scripts/ipnet.rev.default > /var/tmp/ipnet.rev.default + +cat /var/tmp/ipnet.rev.default \ +|sed "s|__dname__|${wiz_domain_name}|g" \ +|sed "s|__hname__|${wiz_host_name}|g" \ +|sed "s|__revnet__|${reversenet}|g" \ +|sed "s|__nb__|${ds}|g" \ +> ${file} + +up_serial ${file} + +# domain.db +file=/var/named/${wiz_domain_name}.db +bck_file ${file} +echo_debug "config ${file}" + +cat ${CWD}/scripts/domain.db.default > /var/tmp/domain.db.default + +cat /var/tmp/domain.db.default \ +|sed 
"s|__dname__|${wiz_domain_name}|g" \ +|sed "s|__hname__|${wiz_host_name}|g" \ +|sed "s|__ip__|${wiz_ip_server}|g" \ +|sed "s|__host__|${host}|g" \ +> ${file} + +up_serial ${file} + +# resolv.conf +file=/etc/resolv.conf +bck_file ${file} +echo_debug "config ${file}" + +echo -e "\ +domain ${wiz_domain_name}\n\ +nameserver ${wiz_ip_server}\n\ +" > ${file} + + + + +# restarting bind +/sbin/chkconfig --level 235 named on +/etc/rc.d/init.d/named restart + + +file=/etc/sysconfig/mdk_serv +wiz_caching_dns="1" +chg_val ${file} wiz_caching_dns ${wiz_caching_dns} s +# all is ok +exit 10 + + + diff --git a/dns_wizard/scripts/domain.db.default b/dns_wizard/scripts/domain.db.default new file mode 100644 index 00000000..3624df67 --- /dev/null +++ b/dns_wizard/scripts/domain.db.default @@ -0,0 +1,31 @@ +$ORIGIN . +$TTL 86400 ; 1 day +__dname__ IN SOA __dname__. root.__dname__. ( + 20000101 ; Serial number + 3600 ; 1 hour refresh + 300 ; 5 minutes retry + 172800 ; 2 days expiry + 43200 ) ; 12 hours minimum + +; List the name servers in use. Unresolved (entries in other zones) +; will go to our ISP's name server isp.domain.name.com + IN NS __hname__. + + + IN MX 10 __hname__. + +$ORIGIN __dname__. +$TTL 86400 ; 1 day + +__host__ IN A __ip__ + +localhost IN A 127.0.0.1 + + ; Alias (canonical) names +ftp IN CNAME __hname__. +www IN CNAME __hname__. +mail IN CNAME __hname__. + + ; List of machine names & addresses +;box2 IN A 192.168.0.2 ; comment +;box3 IN A 192.168.0.3 ; comment diff --git a/dns_wizard/scripts/host.conf.default b/dns_wizard/scripts/host.conf.default new file mode 100644 index 00000000..1a8c1e15 --- /dev/null +++ b/dns_wizard/scripts/host.conf.default @@ -0,0 +1,2 @@ +order hosts,bind +multi on diff --git a/dns_wizard/scripts/ipnet.rev.default b/dns_wizard/scripts/ipnet.rev.default new file mode 100644 index 00000000..6d93cba0 --- /dev/null +++ b/dns_wizard/scripts/ipnet.rev.default 
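Review bot: The templates are staged through fixed names in a world-writable directory (`/var/tmp/named.conf.default`, `/var/tmp/ipnet.rev.default`, `/var/tmp/domain.db.default`) and then read back into `/etc/named.conf` and the zone files; with the script running as root, a pre-existing file or symlink at those paths can redirect the write or feed content into the generated configuration. The script already uses `mktemp /tmp/temp.XXXXXX` for `TMPFILE`, so either stage through such a name or drop the staging file altogether: collect the optional comment-out expressions in variables (`ns1_off="s/^.*__ISPNS1__.*$/\/\/&/"` only when `wiz_ext_dns1` is empty, likewise `ns2_off`) and run one pipeline `cat ${CWD}/scripts/named.conf.default | sed -e "${ns1_off}" -e "${ns2_off}" | sed ... > ${file}`; the same single-pipeline form fits the ipnet.rev and domain.db sections, which currently copy to /var/tmp for no reason. `${wiz_domain_name}` and `${s_trunc}` also form file names under `/var/named` without any check in this script; I could not find the validation step for them in this chunk, so it is worth confirming that one exists upstream of this script.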
@@ -0,0 +1,30 @@ +$ORIGIN . +$TTL 86400 ; 1 day +; default file for 192.168.0.rev (to be used by bind8) +; +; setting a local DNS server for a local Class C network +; with an external DNS referee for non locally resolved address +; +; replace the __xxx__ values by the real ones +; +; Don't forget to upgrade the Serial number after a change +; +__revnet__.in-addr.arpa IN SOA __dname__. root.__dname__. ( + 1999070401 ; Serial + 28800 ; Refresh + 14400 ; Retry + 3600000 ; Expire + 86400 ) ; Minimum + IN NS __hname__. + +$ORIGIN __revnet__.in-addr.arpa. +$TTL 3600 ; 1 hour + +__nb__ IN PTR __hname__. + + +;1 IN PTR box1. +;2 IN PTR box2. + +; 254 IN PTR box254. + diff --git a/dns_wizard/scripts/named.conf.default b/dns_wizard/scripts/named.conf.default new file mode 100644 index 00000000..4c2dd2c5 --- /dev/null +++ b/dns_wizard/scripts/named.conf.default @@ -0,0 +1,54 @@ +options { + // DNS tables are located in the /var/named directory + directory "/var/named"; + pid-file "/var/run/named/named.pid"; + + // Forward any unresolved requests to our ISP's name server + forwarders { + __ISPNS1__; + __ISPNS2__; + }; + /* + * If there is a firewall between you and nameservers you want + * to talk to, you might need to uncomment the query-source + * directive below. Previous versions of BIND always asked + * questions using port 53, but BIND 8.1 uses an unprivileged + * port by default. + */ + // query-source address * port 53; + }; + + + zone "." { + type hint; + file "root.hints"; + }; + // All our DNS information is stored in /var/named/domain.name.db + + zone "__dname__" { + type master; + file "__dname__.db"; + // some security + allow-transfer { 127.0.0.1; }; + }; + + + + zone "0.0.127.in-addr.arpa" { + notify no; + type master; + file "127.0.0.rev"; + allow-transfer { 127.0.0.1; }; + }; + + + zone "__revnet__.in-addr.arpa" { + notify no; + type master; + file "__net__.rev"; + allow-transfer { 127.0.0.1; }; + }; + + + + 
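Review bot: named.conf.default restricts zone transfers per zone (`allow-transfer { 127.0.0.1; };`) but never restricts recursion, so once `forwarders` are filled in this server answers recursive lookups for any client that can reach port 53, not only the local network it is being set up for. The firewall built by do_it_firew.sh in this commit opens `domain` only on internal interfaces and only at level 2 (levels 0/1 open everything), so the resolver should carry its own limit: add `allow-recursion { 127.0.0.1; __net__.0/24; };` inside `options` — the `__net__` placeholder is replaced with the first three octets by do_it_dns.sh, which yields the right /24 form — as far as I can tell `allow-recursion` is available in the BIND 8.2/9 releases this targets. The same `__net__` value could also feed an `allow-query` on the private zones if lookups of the internal zone from outside are not wanted.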
diff --git a/dns_wizard/scripts/root.hints.default b/dns_wizard/scripts/root.hints.default new file mode 100644 index 00000000..a97a5e89 --- /dev/null +++ b/dns_wizard/scripts/root.hints.default @@ -0,0 +1,44 @@ + +; <<>> DiG 8.2 <<>> +;; res options: init recurs defnam dnsrch +;; got answer: +;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 +;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 +;; QUERY SECTION: +;; ., type = NS, class = IN + +;; ANSWER SECTION: +. 2d11h37m30s IN NS I.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS E.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS D.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS A.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS H.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS C.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS G.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS F.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS B.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS J.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS K.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS L.ROOT-SERVERS.NET. +. 2d11h37m30s IN NS M.ROOT-SERVERS.NET. + +;; ADDITIONAL SECTION: +I.ROOT-SERVERS.NET. 3d11h37m30s IN A 192.36.148.17 +E.ROOT-SERVERS.NET. 3d11h37m30s IN A 192.203.230.10 +D.ROOT-SERVERS.NET. 3d11h37m30s IN A 128.8.10.90 +A.ROOT-SERVERS.NET. 3d11h37m30s IN A 198.41.0.4 +H.ROOT-SERVERS.NET. 3d11h37m30s IN A 128.63.2.53 +C.ROOT-SERVERS.NET. 3d11h37m30s IN A 192.33.4.12 +G.ROOT-SERVERS.NET. 3d11h37m30s IN A 192.112.36.4 +F.ROOT-SERVERS.NET. 3d11h37m30s IN A 192.5.5.241 +B.ROOT-SERVERS.NET. 3d11h37m30s IN A 128.9.0.107 +J.ROOT-SERVERS.NET. 3d11h37m30s IN A 198.41.0.10 +K.ROOT-SERVERS.NET. 3d11h37m30s IN A 193.0.14.129 +L.ROOT-SERVERS.NET. 3d11h37m30s IN A 198.32.64.12 +M.ROOT-SERVERS.NET. 3d11h37m30s IN A 202.12.27.33 + +;; Total query time: 7 msec +;; FROM: keima.mandrakesoft.com to SERVER: default -- 192.168.1.11 +;; WHEN: Fri Mar 24 21:01:57 2000 +;; MSG SIZE sent: 17 rcvd: 436 + 
diff --git a/firewall_wizard/scripts/bastille-firewall.cfg.default b/firewall_wizard/scripts/bastille-firewall.cfg.default
new file mode 100644
index 00000000..746c61de
--- /dev/null
+++ b/firewall_wizard/scripts/bastille-firewall.cfg.default
@@ -0,0 +1,288 @@ +# +# /etc/bastille-firewall.cfg +# +# Configuration fiel for both 2.2/ipchains and 2.4/netfilter scripts +# +# version 0.99-beta1 +# Copyright (C) 1999-2001 Peter Watkins +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# +# Thanks to David Ranch, Brad A, Don G, and others for their suggestions + +# the configuration values should be whitespace-delimited lists of +# appropriate values, e.g. +# TCP_PUBLIC_SERVICES="80 smtp ssh" +# lists Web (port 80), SMTP mail, and Secure Shell ports +# +# This script is suitable for workstations or simple NAT firewalls; +# you may want to add more "output" restrictions for serious servers + +# 0) DNS servers. You must list your DNS servers here so that +# the firewall will allow them to service your lookup requests +# +# List of DNS servers/networks to allow "domain" responses from +# This _could_ be nameservers as a list of <ip-address>/32 entries +#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32" +# If you are running a caching nameserver, you'll need to allow from +# "0.0.0.0/0" so named can query any arbitrary nameserver +# (To enable a caching nameserver, you will also probably need to +# add "domain" to the TCP and UDP public service lists.) 
+#DNS_SERVERS="0.0.0.0/0" +# +# To have the DNS servers parsed from /etc/resolv.conf at runtime, +# as normal workstations will want, make this variable empty +#DNS_SERVERS="" +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +DNS_SERVERS="" + + +# 1) define your interfaces +# Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP +# interface +# +# list internal/trusted interfaces +# traffic from these interfaces will be allowed +# through the firewall, no restrictions +#TRUSTED_IFACES="lo" # MINIMAL/SAFEST +# +# list external/untrusted interfaces +#PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST +# +# list internal/partially-trusted interfaces +# e.g. if this acts as a NAT/IP Masq server and you +# don't want clients on those interfaces having +# full network access to services running on this +# server (as the TRUSTED_IFACES allows) +#INTERNAL_IFACES="" # SAFEST +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +TRUSTED_IFACES="lo" # MINIMAL/SAFEST +PUBLIC_IFACES="eth+ ppp+" # SAFEST +INTERNAL_IFACES="" # SAFEST + + +# 2) services for which we want to log access attempts to syslog +# Note this only audits connection attempts from public interfaces +# +# Also see item 12, LOG_FAILURES +# +#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh" +# anyone probing for BackOrifice? +#UDP_AUDIT_SERVICES="31337" +# how about ICMP? 
+#ICMP_AUDIT_TYPES="" +#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert +# +# To enable auditing, you must have syslog configured to log "kern" +# messages of "info" level; typically you'd do this with a line in +# syslog.conf like +# kern.info /var/log/messages +# though the Bastille port monitor will normally want these messages +# logged to a named pipe instead, and the Bastille script normally +# configures syslog for "kern.*" which catches these messages +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +TCP_AUDIT_SERVICES="" +UDP_AUDIT_SERVICES="" +ICMP_AUDIT_TYPES="" + + +# 3) services we allow connections to +# +# FTP note: +# To allow your machine to service "passive" FTP clients, +# you will need to make allowances for the passive data +# ports; Bastille users should read README.FTP for more +# information +# +# "public" interfaces: +# TCP services that "public" hosts should be allowed to connect to +#TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST +# +# UDP services that "public" hosts should be allowed to connect to +#UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST +# +# "internal" interfaces: +# (NB: you will need to repeat the "public" services if you want +# to allow "internal" hosts to reach those services, too.) 
+# TCP services that internal clients can connect to +#TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST +# +# UDP services that internal clients can connect to +#UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +#TCP_PUBLIC_SERVICES="109 53 143 80 20 21 22 110 443 25" # MINIMAL/SAFEST +TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST +UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST +TCP_INTERNAL_SERVICES="www ssh" # MINIMAL/SAFEST +UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST + +# 4) FTP is a firewall nightmare; if you allow "normal" FTP connections, +# you must be careful to block any TCP services that are listening +# on high ports; it's safer to require your FTP clients to use +# "passive" mode. +# +# Note this will also force clients on machines +# that use this one for NAT/IP Masquerading to use passive mode +# for connections that go through this server (e.g. from the +# internal network to public Internet machines +# +# For more information about FTP, see the Bastille README.FTP doc +# +#FORCE_PASV_FTP="N" +#FORCE_PASV_FTP="Y" # SAFEST +# +FORCE_PASV_FTP="N" # SAFEST + + +# 5) Services to explicitly block. See FTP note above +# Note that ranges of ports are specified with colons, and you +# can specify an open range by using only one number, e.g. +# 1024: means ports >= 1024 and :6000 means ports <= 6000 +# +# TCP services on high ports that should be blocked if not forcing passive FTP +# This should include X (6000:6010) and anything else revealed by 'netstat -an' +# (this does not matter unless you're not forcing "passive" FTP) +#TCP_BLOCKED_SERVICES="6000:6020" +# +# UDP services to block: this should be UDP services on high ports. +# Your only vulnerability from public interfaces are the DNS and +# NTP servers/networks (those with 0.0.0.0 for DNS servers should +# obviously be very careful here!) 
+#UDP_BLOCKED_SERVICES="2049" +# +# types of ICMP packets to allow +#ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST +# the following allows you to ping/traceroute outbound +#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded" +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +TCP_BLOCKED_SERVICES="6000:6020" +UDP_BLOCKED_SERVICES="2049" +ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded" + + +# 6) Source Address Verification helps prevent "IP Spoofing" attacks +# +ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST + + +# 7) IP Masquerading / NAT. List your internal/masq'ed networks here +# +# Also see item 4, FORCE_PASV_FTP, as that setting affects +# clients using IP Masquerading through this machine +# +# Set this variable if you're using IP Masq / NAT for a local network +#IP_MASQ_NETWORK="" # DISABLE/SAFEST +#IP_MASQ_NETWORK="10.0.0.0/8" # example +#IP_MASQ_NETWORK="192.168.0.0/16" # example +# +# Have lots of masq hosts? uncomment the following six lines +# and list the hosts/networks in /etc/firewall-masqhosts +# the script assumes any address without a "/" netmask afterwards +# is an individual address (netmask /255.255.255.255): +#if [ -f /etc/firewall-masqhosts ]; then +# echo "Reading list of masq hosts from /etc/firewall-masqhosts" +# # Read the file, but use 'awk' to strip comments +# # Note the sed bracket phrase includes a space and tab char +# IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'` +#fi +# +# Masq modules +# NB: The script will prepend "ip_masq_" to each module name +#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?) 
+#IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +IP_MASQ_NETWORK="192.168.4.0/24" # DISABLE/SAFEST +IP_MASQ_MODULES="" # RECOMMENDED + + +# 8) How to react to disallowed packets +# whether to "REJECT" or "DENY" disallowed packets; if you're running any +# public services, you probably ought to use "REJECT"; if in serious stealth +# mode, choose "DENY" so simple probes don't know if there's anything out there +# NOTE: disallowed ICMP packets are discarded with "DENY", as +# it would not make sense to "reject" the packet if you're +# trying to disallow ping/traceroute +# +REJECT_METHOD="DENY" + + +# 9) DHCP +# In case your server needs to get a DHCP address from some other +# machine (e.g. cable modem) +#DHCP_IFACES="eth0" # example, to allow you to query on eth0 +#DHCP_IFACES="" # DISABLED +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +DHCP_IFACES="" # DISABLED + + +# 10) more UDP fun. List IP addresses or network space of NTP servers +# +#NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST +#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST + + +# 11) more ICMP. 
Control the outbound ICMP to make yourself invisible to +# traceroute probes +# +#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" +# +# Please make sure variable assignments are on single lines; do NOT +# use the "\" continuation character (so Bastille can change the +# values if it is run more than once) +ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded" + + +# 12) Logging +# With this enabled, ipchains will log all blocked packets. +# ** this could generate huge logs ** +# This is primarily intended for the port mointoring system; +# also note that you probably do not want to "AUDIT" any services +# that you are not allowing, as doing so would mean duplicate +# logging +LOG_FAILURES="N" # do not log blocked packets + +# 13) Block fragmented packets +# There's no good reason to allow these +#ALLOW_FRAGMENTS="N" # safest +ALLOW_FRAGMENTS="Y" # old behavior + +# 14) Prevent SMB broadcasts from leaking out NAT setup +# Windows machines will poll teh net with SMB broadcasts, +# basically advertising their existence. Most folks agree +# that this traffic should be dropped +#DROP_SMB_NAT_BCAST="N" # allow them (are you sure?) +DROP_SMB_NAT_BCAST="Y" # drop those packets + diff --git a/firewall_wizard/scripts/check_ext_device.sh b/firewall_wizard/scripts/check_ext_device.sh new file mode 100755 index 00000000..c1fc0092 --- /dev/null +++ b/firewall_wizard/scripts/check_ext_device.sh @@ -0,0 +1,15 @@ +#!/bin/bash +# script for wizard firewall configuration +# +# checking if the provided value is correct : +# strip the @, need at least a dot + + +dtmp=`echo ${wiz_ext_device} |sed -e 's/^\(\w*\).*$/\1/'` +if [ -z "${dtmp}" ] ;then + echo_debug "wiz_ext_device is empty, should not." + exit 1 +fi + +# all seems to be ok +exit 10 diff --git a/firewall_wizard/scripts/compute_ext_device.sh b/firewall_wizard/scripts/compute_ext_device.sh new file mode 100755 index 00000000..718517c6 --- /dev/null 
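Review bot: Several trailing comments no longer describe the value next to them: `FORCE_PASV_FTP="N" # SAFEST` contradicts the option list two lines above where `"Y"` is the one marked SAFEST, `ALLOW_FRAGMENTS="Y" # old behavior` sits under a comment saying there is no good reason to allow fragments, and `IP_MASQ_NETWORK="192.168.4.0/24" # DISABLE/SAFEST` hard-codes a network while labelled as disabled. Since do_it_firew.sh in this commit overwrites IP_MASQ_NETWORK, the TCP/UDP_*_SERVICES lists and DNS_SERVERS with `chg_val`, the wizard default should be `IP_MASQ_NETWORK=""` and the comments should state the wizard's reason for the chosen values, e.g. `FORCE_PASV_FTP="N" # wizard: active FTP allowed, high ports blocked via TCP_BLOCKED_SERVICES` and `ALLOW_FRAGMENTS="Y" # wizard: kept for compatibility, see item 13`. `TCP_INTERNAL_SERVICES="www ssh"` is likewise replaced at every firewall level, so a comment that it is only a placeholder would stop someone tightening it and expecting an effect. The `Configuration fiel` typo in the header is cosmetic.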
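Review bot: The check in check_ext_device.sh accepts any non-empty value: `dtmp` keeps only the leading `\w*` run and is then discarded, so whatever follows the first word is ignored by the test but stays in `wiz_ext_device`, which do_it_firew.sh writes into the Bastille config through `chg_val ... PUBLIC_IFACES`. Validate the whole value instead, e.g. `case "${wiz_ext_device}" in ''|*[!A-Za-z0-9_.:+-]*) echo_debug "invalid wiz_ext_device"; exit 1;; esac` (the `+` is needed because the Bastille config accepts `ppp+`-style wildcards). The header comment `strip the @, need at least a dot` describes a different check and should say what this script actually verifies.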
+++ b/firewall_wizard/scripts/compute_ext_device.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+# script for wizard firewall configuration
+#
+# return on stdout the default value for network device
+
+
+device=
+file=/etc/sysconfig/network
+
+[ -f ${file} ] && device=`get_val ${file} GATEWAYDEV`
+
+[ -z "${device}" ] && device="ppp0"
+
+echo_debug "proposed ext device : ${device}"
+
+echo ${device}
+
+exit 0
+
diff --git a/firewall_wizard/scripts/compute_level_name.sh b/firewall_wizard/scripts/compute_level_name.sh
new file mode 100755
index 00000000..578b06f7
--- /dev/null
+++ b/firewall_wizard/scripts/compute_level_name.sh
@@ -0,0 +1,147 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + + +# firewall protection level +# +#- level 0 : no protection +# +#- level 1 : light filtering, usual services opened +# +#- level 2 : only 'internet' services +# +#- level 3 : strong protection : only out mail & http +# + +[ -z "${wiz_firewall_level}" ] && wiz_firewall_level=0 +[ ${wiz_firewall_level} -le 0 ] && wiz_firewall_level=0 +[ ${wiz_firewall_level} -ge 3 ] && wiz_firewall_level=3 + +[ -z "$LANG" ] && LANG=en + +case "$LANG" in + + fr) + case "${wiz_firewall_level}" in + + 0) txt="Aucun - Pas de protection" + ;; + 1) txt="Faible - Léger filtrage, services standards ouverts" + ;; + 2) txt="Intermédiaire - Web, ftp et ssh accessibles de l'extérieur" + ;; + 3) txt="Fort - Invisible de l'extérieur, usage interne limité au web" + ;; + *) txt="Aucun niveau selectionné ???" 
+ ;; + esac + ;; + + it) + case "${wiz_firewall_level}" in + + 0) txt="None - No protection" + ;; + 1) txt="Low - Light filtering, standard services available" + ;; + 2) txt="Medium - web, ftp and ssh shown to outside" + ;; + 3) txt="Strong - no outside visibility, users limited to web" + ;; + *) txt="No Level protection selected ???" + ;; + esac + ;; + + es) + case "${wiz_firewall_level}" in + + 0) txt="None - No protection" + ;; + 1) txt="Low - Light filtering, standard services available" + ;; + 2) txt="Medium - web, ftp and ssh shown to outside" + ;; + 3) txt="Strong - no outside visibility, users limited to web" + ;; + *) txt="No Level protection selected ???" + ;; + esac + ;; + + de) + case "${wiz_firewall_level}" in + + 0) txt="None - No protection" + ;; + 1) txt="Low - Light filtering, standard services available" + ;; + 2) txt="Medium - web, ftp and ssh shown to outside" + ;; + 3) txt="Strong - no outside visibility, users limited to web" + ;; + *) txt="No Level protection selected ???" + ;; + esac + ;; + + es) + case "${wiz_firewall_level}" in + + 0) txt="None - No protection" + ;; + 1) txt="Low - Light filtering, standard services available" + ;; + 2) txt="Medium - web, ftp and ssh shown to outside" + ;; + 3) txt="Strong - no outside visibility, users limited to web" + ;; + *) txt="No Level protection selected ???" + ;; + esac + ;; + + *) + case "${wiz_firewall_level}" in + + 0) txt="None - No protection" + ;; + 1) txt="Low - Light filtering, standard services available" + ;; + 2) txt="Medium - web, ftp and ssh shown to outside" + ;; + 3) txt="Strong - no outside visibility, users limited to web" + ;; + *) txt="No Level protection selected ???" + ;; + esac + ;; +esac + +echo_debug "firewall level : ${txt}" + +echo $txt + +exit 0 diff --git a/firewall_wizard/scripts/do_it_firew.sh b/firewall_wizard/scripts/do_it_firew.sh new file mode 100755 index 00000000..89defad7 --- /dev/null +++ b/firewall_wizard/scripts/do_it_firew.sh 
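Review bot: The `case "$LANG"` has two `es)` arms — the second is unreachable — and the `it`, `de` and `es` arms carry the same English strings as the default arm, so only `fr` is actually localized. `fr)` also matches the bare value only; if LANG carries the usual territory suffix (`fr_FR`, `fr_FR.ISO-8859-1`) the script falls through to English, so the pattern should be `fr|fr_*)` (and the same form for the other languages once they are translated). Until translations exist the duplicated arms could be removed, leaving `fr|fr_*)` and `*)`. `echo $txt` should be `echo "$txt"`, and the `-le 0`/`-ge 3` clamps error out rather than clamp when `wiz_firewall_level` is not numeric.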
@@ -0,0 +1,230 @@ +#!/bin/bash +# +# firewall This script sets up firewall rules. +# +# description: Sets up or removes firewall rules. +# +# Firewall rules for a firewall between a private internal network and the +# Internet. +# +# hacked to fit with wizard, protection level and initscripts. +# +# initial copyright : +# Copyright (C) 2000 Roaring Penguin Software Inc. This software may +# be distributed under the terms of the GNU General Public License, version +# 2 or any later version. + +# firewall protection level +# +#- level 0 : no protection +# open all TCP/UDP PORT on / and through the server/firewall +# DROP unroutable network +# +#- level 1 : light filtering, usual services opened +# open all TCP/UDP PORT on / and through the server/firewall +# DROP unroutable network +# NAT Activated on external interface +# +#- level 2 : only 'internet' services +# open only configured services on this server/firewall +# DROP unroutable network +# NAT Activated on external interface +# +#- level 3 : strong protection : only out mail & http +# DROP unroutable network +# block all ports except ssh +# + +# this should be launched by a wizard screen ? 
+${CWD}/scripts/store_fwall.sh + +typeset -i firewall_level +wiz_firewall_level=`get_var wiz_firewall_level` +[ -z "${wiz_firewall_level}" ] && wiz_firewall_level=0 +[ ${wiz_firewall_level} -le 0 ] && wiz_firewall_level=0 +[ ${wiz_firewall_level} -ge 3 ] && wiz_firewall_level=3 +echo_debug "# firewall level : ${wiz_firewall_level}" + +firewall_cfg=/etc/Bastille/bastille-firewall.cfg +bastille_firewall=/etc/init.d/bastille-firewall +bastille_ipchains=/sbin/bastille-ipchains +bastille_netfilter=/sbin/bastille-netfilter +file=/etc/sysconfig/mdk_serv + +# check requires files +[ -f $firewall_cfg ] || { + echo_debug "no Bastille config file" + cp -a ./scripts/bastille-firewall.cfg.default $firewall_cfg + } +for f in $bastille_firewall $bastille_ipchains $bastille_netfilter; do + [ -f $f ] || { + echo_debug "no $f file" + cp /usr/share/Bastille/$(basename $f) $f + chmod +x $f +} +done + +TCP_PUBLIC_SERVICES="" +UDP_PUBLIC_SERVICES="" +TCP_INTERNAL_SERVICES="" +UDP_INTERNAL_SERVICES="" + +# Wildcard address +ANY=0.0.0.0/0 + +# Interface to Internet +EXTIF=`get_var wiz_ext_device` +if [ -z "${EXTIF}" ]; then + EXTIF=ppp0 +fi + +INTERNAL_IFACES=`get_var wiz_device` +if [ -z "${INTERNAL_IFACES}" ]; then + echo_debug "# no internal network, exiting" + exit 1 +fi +if [ "x$INTERNAL_IFACES" = "x$EXTIF" ]; then + echo_debug "# external network device : ${EXTIF}" + chg_val ${firewall_cfg} PUBLIC_IFACES "" + + echo_debug "# internal network device : ${INTERNAL_IFACES}" + chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES} + +else + echo_debug "# external network device : ${EXTIF}" + chg_val ${firewall_cfg} PUBLIC_IFACES ${EXTIF} + + echo_debug "# internal network device : ${INTERNAL_IFACES}" + chg_val ${firewall_cfg} INTERNAL_IFACES ${INTERNAL_IFACES} +fi + +# Internal network address. For stand-alone machines, delete this and +# all the "forward" rules. 
+INTERNAL=`get_var wiz_ip_net`/24 +if [ "${INTERNAL}" = "/24" ]; then + echo_debug "# no internal network, exiting" + exit 1 +fi + +# DNS Caching Name Server activated or not +wiz_caching_dns=`get_val ${file} wiz_caching_dns` +if [ ${wiz_caching_dns} -eq 1 ]; then + echo_debug "# DNS caching dns server : ${wiz_caching_dns}" + chg_val ${firewall_cfg} DNS_SERVERS ${ANY} s + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES domain " +else + echo_debug "# No DNS caching dns server : ${wiz_caching_dns}" + chg_val ${firewall_cfg} DNS_SERVERS "" s +fi +# news +echo_debug "# if exist, activate news server queries" +wiz_news_server=`get_val ${file} wiz_news_server` +if [ ! -z "${wiz_news_server}" ]; then + chg_val ${firewall_cfg} NTP_SERVERS ${wiz_news_server} s + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES nntp " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES nntp " +else + chg_val ${firewall_cfg} NTP_SERVERS "" s +fi + +echo_debug "# check ftp server" +wiz_ftp_internal=`get_val ${file} wiz_ftp_internal` +wiz_ftp_external=`get_val ${file} wiz_ftp_external` + +if [ ${wiz_ftp_external} -eq 1 ]; then + TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES ftp ftp-data " + UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES ftp ftp-data " + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data " +elif [ ${wiz_ftp_internal} -eq 1 ]; then + TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES " + UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES " + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ftp ftp-data " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ftp ftp-data " +fi + +echo_debug "# check http server" +wiz_web_internal=`get_val ${file} wiz_web_internal` +wiz_web_external=`get_val ${file} wiz_web_external` + +if [ ${wiz_web_external} -eq 1 ]; then + TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES http https " + UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES http https " + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https " + 
UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https " +elif [ ${wiz_web_internal} -eq 1 ]; then + TCP_PUBLIC_SERVICES="$TCP_PUBLIC_SERVICES " + UDP_PUBLIC_SERVICES="$UDP_PUBLIC_SERVICES " + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES http https " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES http https " +fi + +echo_debug "# check Samba server" +wiz_workgroup=`get_val ${file} wiz_workgroup` + +if [ ! -z ${wiz_workgroup} ]; then + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES netbios-ns netbios-dgm netbios-ssn " +fi + +echo_debug "# check Mail server" +wiz_mail_server=`get_val ${file} wiz_mail_server` +if [ ! -z ${wiz_mail_server} ]; then + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES smtp pop3 pop3s pop2 imap imap3 imap4-ssl imaps " +fi +echo_debug "# check DHCP server" +wiz_ip_range1=`get_val ${file} wiz_ip_range1` +if [ ! -z ${wiz_ip_range1} -a ! -z ${wiz_ip_range2} ]; then + TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES bootps bootpc " + UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES bootps bootpc " +fi +# open ssh +TCP_PUBLIC_SERVICES="$TCP_INTERNAL_SERVICES ssh " +UDP_PUBLIC_SERVICES="$UDP_INTERNAL_SERVICES ssh " +TCP_INTERNAL_SERVICES="$TCP_INTERNAL_SERVICES ssh " +UDP_INTERNAL_SERVICES="$UDP_INTERNAL_SERVICES ssh " + + +# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS. +#. 
/etc/rc.d/init.d/functions + +# level 0 et 3 +if [ ${wiz_firewall_level} -eq 0 -o ${wiz_firewall_level} -eq 3 ]; then + echo_debug "# Direct routing (without NAT)" + chg_val ${firewall_cfg} IP_MASQ_NETWORK "" s +else + echo_debug "# NAT internal network : ${INTERNAL}" + chg_val ${firewall_cfg} IP_MASQ_NETWORK ${INTERNAL} +fi + +# level 0 ou 1 +if [ ${wiz_firewall_level} -le 1 ]; then + echo_debug "# open all TCP/UDP PORT on/and through the server/firewall" + chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES ":" s + chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES ":" s + chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES ":" s + chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES ":" s +fi + + +if [ ${wiz_firewall_level} -eq 2 ]; then + chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES "$TCP_PUBLIC_SERVICES" s + chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES "$UDP_PUBLIC_SERVICES" s + chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "$TCP_INTERNAL_SERVICES" s + chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "$UDP_INTERNAL_SERVICES" s +fi + +if [ ${wiz_firewall_level} -eq 3 ]; then + chg_val ${firewall_cfg} TCP_PUBLIC_SERVICES " " s + chg_val ${firewall_cfg} UDP_PUBLIC_SERVICES " " s + chg_val ${firewall_cfg} TCP_INTERNAL_SERVICES "ssh" s + chg_val ${firewall_cfg} UDP_INTERNAL_SERVICES "ssh" s +fi + +echo_debug "# launch bastille-firewall script" + +chkconfig --level 345 bastille-firewall on +service bastille-firewall start + +exit 0 diff --git a/firewall_wizard/scripts/firew.sh b/firewall_wizard/scripts/firew.sh new file mode 100755 index 00000000..c7f1b10b --- /dev/null +++ b/firewall_wizard/scripts/firew.sh 
@@ -0,0 +1,140 @@ +#!/bin/sh +# +# firewall This script sets up firewall rules. +# +# chkconfig: 2345 09 91 +# description: Sets up or removes firewall rules. +# +# Firewall rules for a firewall between a private internal network and the +# Internet. +# +# Copyright (C) 2000 Roaring Penguin Software Inc. This software may +# be distributed under the terms of the GNU General Public License, version +# 2 or any later version. + +# Interface to Internet +EXTIF=ppp0 + +# Internal network address. For stand-alone machines, delete this and +# all the "forward" rules. +INTERNAL=192.168.2.0/24 + +# Wildcard address +ANY=0.0.0.0/0 + +# Source function library. THIS WORKS ONLY ON RED HAT-LIKE SYSTEMS. + +. /etc/rc.d/init.d/functions + +### For details, see the man page ipchains(1) and +### /usr/share/doc/HOWTO/IPCHAINS-HOWTO -- David. + +case "$1" in + start) + echo -n "Setting up firewall rules" + + # Turn on forwarding to silence warnings... + echo 1 > /proc/sys/net/ipv4/ip_forward + + # Set default policies; clear all rules + ipchains -P input ACCEPT + ipchains -P output ACCEPT + ipchains -P forward DENY + + ipchains -F forward + ipchains -F input + ipchains -F output + + ### Spoof protection: Drop obviously suspect packets ### + + # Drop packets claiming to be from unroutable addresses + ipchains -A input -l -s 10.0.0.0/8 -i $EXTIF -j DENY + ipchains -A input -l -s 172.16.0.0/12 -i $EXTIF -j DENY + ipchains -A input -l -s 192.168.0.0/16 -i $EXTIF -j DENY + + # Drop packets wanting to go to unroutable addresses + ipchains -A input -l -d 10.0.0.0/8 -i $EXTIF -j DENY + ipchains -A input -l -d 172.16.0.0/12 -i $EXTIF -j DENY + ipchains -A input -l -d 192.168.0.0/16 -i $EXTIF -j DENY + + ### External access to services on this machine ### + + # Reject identd packets without logging + ipchains -A input -i $EXTIF -p tcp -d $ANY 113 -j REJECT + + # Allow access to sendmail -- log connection attempts + #ipchains -A input -l -i $EXTIF -p tcp -d $ANY 25 -y -j ACCEPT + #ipchains -A 
input -i $EXTIF -p tcp -d $ANY 25 -j ACCEPT + + # Allow access to ssh -- we run ssh on port 23 because of + # a stupid client firewall at one place we work. + #ipchains -A input -l -i $EXTIF -p tcp -d $ANY 23 -y -j ACCEPT + #ipchains -A input -i $EXTIF -p tcp -d $ANY 23 -j ACCEPT + + # Deny all other TCP connection attempts on the external interface + ipchains -A input -l -i $EXTIF -p tcp -y -j DENY + + # Deny TCP and UDP packets to privileged ports + ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY + ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY + + ### FORWARD rules only apply if you have an internal LAN gatewaying + ### through this computer. + # Allow DNS queries + ipchains -A forward -s $INTERNAL 1024: -d $ANY 53 -p udp -j MASQ + + # Allow internal users to browse web (http and https) + ipchains -A forward -s $INTERNAL 1024: -d $ANY 80 -p tcp -b -j MASQ + ipchains -A forward -s $INTERNAL 1024: -d $ANY 443 -p tcp -b -j MASQ + + # Allow internal users to read news + ipchains -A forward -s $INTERNAL 1024: -d $ANY 119 -p tcp -b -j MASQ + + # Allow internal users to access POP and IMAP services on mail server + ipchains -A forward -s $INTERNAL 1024: -d $ANY 25 -p tcp -b -j MASQ + ipchains -A forward -s $INTERNAL 1024: -d $ANY 110 -p tcp -b -j MASQ + ipchains -A forward -s $INTERNAL 1024: -d $ANY 143 -p tcp -b -j MASQ + + # Allow internal users to access external FTP servers + ipchains -A forward -s $INTERNAL 1024: -d $ANY 21 -p tcp -b -j MASQ + + # Allow internal users to access external Telnet and SSH servers + ipchains -A forward -s $INTERNAL 1024: -d $ANY 22 -p tcp -b -j MASQ + ipchains -A forward -s $INTERNAL 1024: -d $ANY 23 -p tcp -b -j MASQ + + # Allow unprivileged ports --> unprivileged ports for passive FTP + ipchains -A forward -s $INTERNAL 1024: -d $ANY 1024: -p tcp -b -j MASQ + + # A catch-all rule for logging purposes + ipchains -A forward -s $ANY -d $ANY -l -j DENY + + # Turn on forwarding + echo 1 > 
/proc/sys/net/ipv4/ip_forward + + echo_success + echo "" + ;; + + stop) + echo -n "Shutting down firewall rules" + # Turn off forwarding + echo 0 > /proc/sys/net/ipv4/ip_forward + + # Set default policies; clear all rules + ipchains -P input ACCEPT + ipchains -P output ACCEPT + ipchains -P forward DENY + + ipchains -F forward + ipchains -F input + ipchains -F output + echo_success + echo "" + ;; + + *) + echo "Usage: firewall {start|stop}" + exit 1 +esac + +exit 0 diff --git a/firewall_wizard/scripts/liste_ext_device.sh b/firewall_wizard/scripts/liste_ext_device.sh new file mode 100755 index 00000000..042590f0 --- /dev/null +++ b/firewall_wizard/scripts/liste_ext_device.sh @@ -0,0 +1,29 @@ +#!/bin/bash +# script for wizard firewall configuration +# +# return on stdout the list of allowed devices for external network interface + +# this script should be improved + +pdevice=`. ./common/scripts/functions.sh; ./firewall_wizard/scripts/compute_ext_device.sh` + +liste="ppp0\nppp0\nppp1\nppp1\nisdn0\nisdn0\nisdn1\nisdn1\n" + +liste=$liste"`ifconfig -a | awk ' /^eth/ { print $1"\n"$1, $4,":",$5 } '`\n" + +#for i in 0 1 2 3 ;do +# liste=${liste}"eth$i\nethernet adapter \ +# `ifconfig -a | grep eth$i| sed -n -e '1{s/.*HWaddr \(.*\)$/\1/p;}'`\n" + +# liste=${liste}"eth$i\neth$i \ +# `dmesg | grep eth$i| sed -n -e '1{s/^[^:]*: *\(.*\)$/\1/p;}'`\n" +#done + +test=`echo "${liste}" | grep ${pdevice}` + +[ -z "${test}" ] && liste="${pdevice}\n"${liste} + +echo -ne "${liste}" + +exit 0 + diff --git a/firewall_wizard/scripts/store_fwall.sh b/firewall_wizard/scripts/store_fwall.sh new file mode 100755 index 00000000..80f6b109 --- /dev/null +++ b/firewall_wizard/scripts/store_fwall.sh 
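Review bot: `test=$(echo "${liste}" | grep ${pdevice})` passes the computed device name unquoted and as an unanchored regex, so an empty result from compute_ext_device.sh makes grep fail on usage (and the empty name is then prepended to the list), while a name such as `eth1` also matches an `eth10` entry. A fixed-string whole-line match is what the intent calls for: `test=$(echo -e "${liste}" | grep -xF -- "${pdevice}")`. The `-e` matters because `liste` holds literal `\n` sequences until the final `echo -ne`, so without it grep compares against one long line. This is a wizard helper run as root; keeping the comparison literal also avoids surprises if the device string ever contains regex metacharacters.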
@@ -0,0 +1,16 @@
+#!/bin/bash
+# script for wizard firewall configuration
+#
+# store the value of device and security level in /etc/sysconfig/mdk_serv
+
+file=/etc/sysconfig/mdk_serv
+
+# store the external device value
+dtmp=`echo ${wiz_ext_device} |sed -e 's/^\(\w*\).*$/\1/'`
+chg_val ${file} wiz_ext_device ${dtmp}
+
+# store the security level
+chg_val ${file} wiz_firewall_level ${wiz_firewall_level}
+
+exit 0
+
diff --git a/ftp_wizard/scripts/do_it_ftp.sh b/ftp_wizard/scripts/do_it_ftp.sh
new file mode 100755
index 00000000..2f73aeb6
--- /dev/null
+++ b/ftp_wizard/scripts/do_it_ftp.sh
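Review bot: Both `chg_val` calls pass their value unquoted, so when `wiz_ext_device` or `wiz_firewall_level` is empty the value argument vanishes and chg_val receives only the key; the `sed 's/^\(\w*\).*$/\1/'` appears meant to keep the first word but also truncates at `:` or `-`, which device aliases may contain. Quote the values, `chg_val ${file} wiz_ext_device "${dtmp}"` and `chg_val ${file} wiz_firewall_level "${wiz_firewall_level}"`, and consider `[ -n "${dtmp}" ] || exit 1` so an empty device is never written to /etc/sysconfig/mdk_serv. The level is stored unclamped even though the reader in do_it_fwall.sh clamps it to 0–3; applying the same clamp before storing keeps the file self-consistent.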
@@ -0,0 +1,127 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard anonymous configuration +# +# modify default ftp configuration +# assuming all dependencies are ok +# +# WARNING : just using /etc/ftphosts for ftp configuration, assuming +# other files are close to standard configuration + + +open_inet_ftp(){ +if [ -z "`grep -E '^[[:space:]]*ftp[[:space:]]' /etc/inetd.conf`" ]; then + echo_debug "opening ftp in inetd.conf" + bck_file /etc/inetd.conf + cat /etc/inetd.conf.mdk_orig.1 \ +|sed -e '/[[:space:]]*#[[:space:]]*\(ftp[[:space:]].*\)$/{ +i \ +# opened by mdk_serv script on '"$(date)"' +s//\1/ +} +' >/etc/inetd.conf + +fi +} + + + +# wiz_ftp_external and wiz_ftp_internal are provided by the running wizard +# now, save them +file=/etc/sysconfig/mdk_serv + +echo_debug "internal : ${wiz_ftp_internal}" +echo_debug "external : ${wiz_ftp_external}" + +# security +[ "${wiz_ftp_external}" = "1" -o "${wiz_ftp_external}" = "0" ] || wiz_ftp_external=0 +[ "${wiz_ftp_internal}" = "1" -o 
"${wiz_ftp_internal}" = "0" ] || wiz_ftp_internal=0 + +[ "${wiz_ftp_external}" = "1" ] && wiz_ftp_internal=1 + +# store the wiz_ftp_external and wiz_ftp_internal value +chg_val ${file} wiz_ftp_external ${wiz_ftp_external} s +chg_val ${file} wiz_ftp_internal ${wiz_ftp_internal} s + + +# saving /etc/ftphosts configuration file +config="/etc/ftphosts" +if [ ! -f ${config} ]; then + echo_debug "no ftp configuration file found ! warning." +else + bck_file ${config} +fi + + +if [ "${wiz_ftp_external}" = "1" ]; then + +echo -e "\ +# host access file\n\ +# Everything after a '#' is treated as comment,\n\ +# empty lines are ignored\n\ +# acces allowed without host restriction done\n\ +# by script $(date)\ +"> ${config} + + open_inet_ftp + +elif [ "${wiz_ftp_internal}" = "1" ]; then + +ip=`get_var wiz_ip_net` +echo -e "\ +# host access file\n\ +# Everything after a '#' is treated as comment,\n\ +# empty lines are ignored\n\ +# anonymous acces allowed for local network, done\n\ +# by script $(date)\n\ +allow * ${ip%.*}.*\ +"> ${config} + + open_inet_ftp + +else +echo -e "\ +# host access file\n\ +# Everything after a '#' is treated as comment,\n\ +# empty lines are ignored\n\ +# anonymous acces denied, done\n\ +# by script $(date)\n\ +deny * *\ +"> ${config} + +fi + + +echo_debug "restarting services" + +service xinetd restart + + +# all is ok +exit 10 + + + diff --git a/ftp_wizard/scripts/proftpd.conf.default b/ftp_wizard/scripts/proftpd.conf.default new file mode 100644 index 00000000..1325e599 --- /dev/null +++ b/ftp_wizard/scripts/proftpd.conf.default 
@@ -0,0 +1,45 @@ +# This is a basic ProFTPD configuration file (rename it to +# 'proftpd.conf' for actual use. It establishes a single server +# and a single anonymous login. It assumes that you have a user/group +# "nobody" and "ftp" for normal operation and anon. + +ServerName "ProFTPD Default Installation" +ServerType standalone +DefaultServer on + +# Allow FTP resuming. +# Remember to set to off if you have an incoming ftp for upload. +AllowStoreRestart on + +# Port 21 is the standard FTP port. +Port 21 +# Umask 022 is a good standard umask to prevent new dirs and files +# from being group and world writable. +Umask 022 + +# To prevent DoS attacks, set the maximum number of child processes +# to 30. If you need to allow more than 30 concurrent connections +# at once, simply increase this value. Note that this ONLY works +# in standalone mode, in inetd mode you should use an inetd server +# that allows you to limit maximum number of processes per service +# (such as xinetd) +MaxInstances 30 + +# Set the user and group that the server normally runs at. +User nobody +Group nogroup + +# Normally, we want files to be overwriteable. +<Directory /*> + AllowOverwrite on +</Directory> + +# Needed for NIS. +PersistentPasswd off + +# Default root can be used to put users in a chroot environment. +# As an example if you have a user foo and you want to put foo in /home/foo +# chroot environment you would do this: +# +# DefaultRoot /home/foo foo + diff --git a/news_wizard/scripts/check_news_server.sh b/news_wizard/scripts/check_news_server.sh new file mode 100755 index 00000000..f1eee021 --- /dev/null +++ b/news_wizard/scripts/check_news_server.sh 
@@ -0,0 +1,48 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard leafnode configuration +# +# checking if the provided server is correct : +# strip the @ and illegal characters + + +if [ -z "${wiz_news_server}" ] ;then + echo_debug "wiz_news_server is empty, should not." + exit 1 +fi + + +test=`echo ${wiz_news_server##*@} |sed -e 's/[^0-9a-zA-Z-\.]//g'` + +if [ -z "${test}" ] ;then + echo_debug "wiz_news_server is empty, should not." + exit 1 +fi + + +# all seems to be ok +exit 10 + diff --git a/news_wizard/scripts/check_valid_hours.sh b/news_wizard/scripts/check_valid_hours.sh new file mode 100755 index 00000000..ea30c0bd --- /dev/null +++ b/news_wizard/scripts/check_valid_hours.sh 
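Review bot: The bracket expression `[^0-9a-zA-Z-\.]` places a `-` right after the `A-Z` range, which POSIX bracket syntax does not define as a literal hyphen (it may be read as a range), and the `\` is itself literal inside brackets, so the allowed set is not what the comment "strip the @ and illegal characters" describes. Put the hyphen last and drop the backslash: `test=$(echo "${wiz_news_server##*@}" | sed -e 's/[^0-9a-zA-Z.-]//g')`; quoting the variable also stops the shell from glob-expanding a value containing `*` or `?` before sed sees it. The identical expression is repeated in do_it_news.sh, so both should change together or call one helper. The second `echo_debug` message reuses "is empty, should not", but what it actually detects is that no valid hostname characters remained — worth saying so.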
@@ -0,0 +1,49 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard leafnode configuration +# +# checking if the provided hours are correct : +# from 1 to 24 + + +if [ -z "${wiz_news_freq}" ] ;then + echo_debug "wiz_news_freq is empty, should not." + exit 1 +fi + +typeset -i test + +test=`echo ${wiz_news_freq} |sed -e 's/[^0-9]//g'` + +if [ -z "${test}" ] ;then + echo_debug "wiz_news_freq is empty, should not." + exit 1 +fi + + +# all seems to be ok +exit 10 + diff --git a/news_wizard/scripts/config.default b/news_wizard/scripts/config.default new file mode 100644 index 00000000..c1c98a3d --- /dev/null +++ b/news_wizard/scripts/config.default 
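Review bot: The header says the value must be "from 1 to 24", but the script only strips non-digits and checks that something remains, so `0`, `99` or `2400` all pass and only the later clamping in do_it_news.sh rescues them. Check the range here, where the user gets feedback: after the emptiness test add `if [ "${test}" -lt 1 -o "${test}" -gt 24 ]; then echo_debug "wiz_news_freq out of range : ${test}"; exit 1; fi`. Note that with `typeset -i test`, an input with no digits at all assigns `test=0` rather than an empty string, so the existing `-z` check never fires for that case — the range check above covers it. Quoting `"${wiz_news_freq}"` in the echo also prevents glob expansion of odd input.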
@@ -0,0 +1,116 @@ +## This is the NNTP server leafnode fetches its news from. +## You need read and post access to it. Mandatory. +server = __server__ + +## Unread discussion threads will be deleted after this many days if +## you don't define special expire times. Mandatory. +expire = 14 + +## +## All the following parameters are optional +## + +## I have free access to my news server. If you don't have, comment out +## the following two lines and change them accordingly. +# username = gulbrandsen +# password = secret + +## Standard news servers run on port 119. If your newsserver doesn't, comment +## out the following line and change it accordingly. +# port = 8000 + +## This is another news server which stores some groups that are not +## available on the first one. You can define username, password and port +## for each server separately. +# server = sex.and.warez.com +# username = xenu +# password = secret + +## This is a news server which does not understand the +## "LIST NEWSGROUP news.group" command. For this reason, we don't try to +## download newsgroups descriptions when getting new newsgroups. This is +## achieved by putting "nodesc = 1" somewhere behind the server +## line. +# server = broken.upstream.server +# nodesc = 1 + +## Here we have another news server which has a very slow connection. For +## that reason, we wait a full minute before we give up trying to connect. +## The default is 10 seconds. +# server = really.slow.snail +# timeout = 60 + +## Non-standard expire times (glob(7) wildcard constructs possible) +# groupexpire comp.os.linux.* = 5 # groups too big to hold articles 20 days +# groupexpire any.local.newsgroup = 100 # very interesting, hold articles longer + +## Never fetch more than this many articles from one group in one run. +## Be careful with this; setting it much below 1000 is probably a bad +## idea. +maxfetch = 2000 + +## Fetch only a few articles when we subscribe a new newsgroup. The +## default is to fetch all articles. 
+initialfetch = 1000 + +## If you want to use leafnode like an offline newsreader (e.g. Forte +## Agent) you can download headers and bodies separately if you set +## delaybody to 1. In this case, fetch will only download the headers +## and only when you select an article, it will download the body. +## This can save a huge amount of bandwith if only few articles are really +## read from groups with lots of postings. +## This feature works not very well with Netscape, though (which is not +## a fault of Leafnode). +# delaybody = 0 + +## To avoid spam, you can select the maximum number of crosspostings +## that are allowed in incoming postings. Setting this below 5 is +## probably a bad idea. The default is unlimited crossposting. +maxcrosspost = 8 + +## If you suffer from repeatedly receiving old postings (this happens +## sometimes when an upstream server goes into hiccup mode) you can +## refuse to receive them with the parameter "maxage" which tells the +## maximum allowed age of an article in days. The default maxage is 10 +## days. +maxage = 7 + +## maxlines will make fetch reject postings that are longer than a certain +## amount of lines. +maxlines = 500 + +## minlines will make fetch reject postings that are shorter than a certain +## amount of lines. +minlines = 2 + +## maxbytes will make fetch reject postings that are larger +maxbytes = 50000 + +## timeout_short determines how many days fetch gets a newsgroup which +## has been accidentally opened. The default is two days. +timeout_short = 2 + +## timeout_long determines how many days fetch will wait before not getting +## an unread newsgroup any more. The default is seven days. +timeout_long = 7 + +## timeout_active determines how many days fetch will wait before re-reading +## the whole active file. The default is 90 days. +# timeout_active = 365 + +## If you want to have your newsreader score/kill on Xref: lines, you might +## want to uncomment this. 
+# create_all_links = 1 + +## If you want to filter out certain regular expressions in the header, +## create a "filterfile" (how this is done is explained in the README) +## and set +# filterfile = /path/to/your/filterfile + +## If your newsreader does not supply a Message-ID for your postings +## Leafnode will supply one, using the hostname of the machine it is +## running on. If this hostname is not suitable, this parameter can be +## used to override it. Do not use a fantasy name, it may interfere with +## the propagation of your messages. Most modern newsreaders do provide +## a Message-ID. +# hostname = host.domain.country diff --git a/news_wizard/scripts/do_it_news.sh b/news_wizard/scripts/do_it_news.sh new file mode 100755 index 00000000..a67d0d99 --- /dev/null +++ b/news_wizard/scripts/do_it_news.sh 
@@ -0,0 +1,86 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard leafnode configuration +# +# put the default leafnode configuration +# assuming all dependencies are ok + + +# wiz_news_server and wiz_news_freq are provided by the running wizard + +# security +typeset -i freq +freq=`echo ${wiz_news_freq} |sed -e 's/[^0-9]//g'` + +if [ $freq -le 0 ]; then + freq=1 +fi +if [ $freq -ge 24 ]; then + freq=24 +fi + + +server=`echo ${wiz_news_server##*@} |sed -e 's/[^0-9a-zA-Z-\.]//g'` + +# store the wiz_news_server and wiz_news_freq value +file=/etc/sysconfig/mdk_serv +chg_val ${file} wiz_news_freq ${freq} s +chg_val ${file} wiz_news_server ${server} s + + +# leafnode configuration file +config="/etc/leafnode/config" +if [ ! -f ${config} ]; then + echo_debug "no leafnode configuration file found ! exiting." 
+ exit 1 +fi + +bck_file ${config} + +cat ${CWD}/scripts/config.default \ +| sed -e 's/__server__/'"${server}"'/' > ${config} + +echo_debug "config file done, putting crontab for news" + +if [ -f /var/spool/cron/news ]; then + cp -f /var/spool/cron/news /etc/leafnode/crontab +fi + +bck_file /etc/leafnode/crontab + +cat ${CWD}/scripts/news.cron \ +| sed -e 's/__freq__/'"${freq}"'/' > /etc/leafnode/crontab + + +echo_debug "installing news crontab" +crontab -u news /etc/leafnode/crontab + + +# all is ok +exit 10 + + + diff --git a/news_wizard/scripts/news.cron b/news_wizard/scripts/news.cron new file mode 100644 index 00000000..5785bfb2 --- /dev/null +++ b/news_wizard/scripts/news.cron @@ -0,0 +1,10 @@ +### leafnode crontab +SHELL=/bin/bash +PATH=/bin:/sbin:/usr/bin:/usr/sbin +MAILTO=root@localhost + + +35 4 * * * /usr/sbin/texpire + +5 */__freq__ * * * /usr/sbin/fetchnews -v 2>&1 + diff --git a/nfs_wizard/scripts/do_it_nfs.sh b/nfs_wizard/scripts/do_it_nfs.sh new file mode 100755 index 00000000..917d838d --- /dev/null +++ b/nfs_wizard/scripts/do_it_nfs.sh 
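Review bot: `crontab -u news /etc/leafnode/crontab` replaces the news user's entire crontab with the two generated entries; the preceding `cp -f /var/spool/cron/news /etc/leafnode/crontab` plus `bck_file` keeps a copy, but nothing merges pre-existing jobs back, so this is a silent overwrite that deserves a comment, e.g. `# NOTE: replaces any existing crontab of user news; the previous one is kept by bck_file`. The `__server__` substitution splices `server` straight into a sed replacement, which is only safe because of the character filter a few lines above — a note there (`# server was reduced to [0-9a-zA-Z.-] above, so safe to use in the sed replacement`) records that dependency so the filter is not loosened later. That filter is duplicated from check_news_server.sh; a shared helper would keep the two in step.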
@@ -0,0 +1,52 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Philippe Vivien, Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard nfs configuration
+#
+# modify default nfs configuration
+# assuming all dependencies are ok
+#
+# WARNING : just using /etc/exports for nfs configuration, assuming
+# other files are close to standard configuration
+
+nfs_file="/etc/exports"
+
+echo "${wiz_nfs_dir} ${wiz_ip_net} ${wiz_ip_netmask}"
+echo "wiz_ip_net:${wiz_ip_net}" >t.log
+echo "wiz_ip_netmask:${wiz_ip_netmask}" >>t.log
+
+echo "dir:${wiz_nfs_dir}" >>t.log
+echo "clt:${wiz_ip_net}/${wiz_ip_netmask}" >>t.log
+
+echo "export :\n">>t.log
+echo "${wiz_nfs_dir} ${wiz_ip_net}/${wiz_ip_netmask}(rw,no_root_squash)" >> t.log
+echo "${wiz_nfs_dir} ${wiz_ip_net}/${wiz_ip_netmask}(rw,no_root_squash)" > ${nfs_file}
+
+/usr/sbin/exportfs -a
+
+# all is ok
+exit 10
+
+
+
diff --git a/postfix_wizard/scripts/check_masquerade.sh b/postfix_wizard/scripts/check_masquerade.sh
new file mode 100755
index 00000000..ad0559c6
--- /dev/null
+++ b/postfix_wizard/scripts/check_masquerade.sh
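Review bot: The `>t.log`/`>>t.log` lines write the export directory and network to a relative path in whatever directory the wizard runs from; they read as leftover tracing and should be removed or routed through `echo_debug` like the other do_it_*.sh scripts. `> ${nfs_file}` then replaces /etc/exports wholesale without the `bck_file` call every sibling script makes, so existing exports are lost — call `bck_file ${nfs_file}` first and append with `>>`, or state in a comment that clobbering is intended. The options `rw,no_root_squash` disable root squashing for the whole network, so root on any client host acts as root on the exported tree; if that is deliberate it needs an explicit comment, otherwise drop `no_root_squash` and keep the default `root_squash`. `echo "export :\n"` without `-e` prints a literal `\n` under bash.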
@@ -0,0 +1,53 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard postfix configuration +# +# checking if the provided domain value is correct : +# strip the @, need at least a dot + +if [ -z "${wiz_mail_masquerade}" ] ;then + echo_debug "wiz_mail_masquerade is empty, should not." + exit 1 +fi + +test=`echo ${wiz_mail_masquerade} |sed -e '/@/{s/^[^@]*@\([^@]*\)$/\1/;}' |grep "\."` +echo_debug "test of masquerading domain : ${test}" + +if [ -z "${test}" ] ;then + echo_debug "domain empty, should not." + exit 1 +fi +if `echo ${test}| grep -q ' '` ;then + echo_debug "bad domain : $test" + exit 1 +fi + +# all seems to be ok +exit 10 + + + + diff --git a/postfix_wizard/scripts/check_relay.sh b/postfix_wizard/scripts/check_relay.sh new file mode 100755 index 00000000..c7a2368f --- /dev/null +++ b/postfix_wizard/scripts/check_relay.sh 
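Review bot: The line `if `echo ${test}| grep -q ' '` ;then` executes the command substitution's output (which is empty, grep -q prints nothing) as the command; bash falls back to the substitution's exit status, so it works by accident rather than by design — write it as `if echo "${test}" | grep -q ' '; then`. The unquoted `echo ${wiz_mail_masquerade}` and `echo ${test}` also let the shell glob-expand input containing `*` or `?` and collapse runs of whitespace before the space check sees them; quote both. check_relay.sh uses the same unquoted echo/sed pipeline and needs the same quoting.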
@@ -0,0 +1,50 @@ +#!/bin/bash +# +# Wizard +# +# Copyright (C) 2000 Mandrakesoft. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License +# as published by the Free Software Foundation; either version 2 +# of the License, or (at your option) any later version. +# See file LICENSE for further informations on licensing terms. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# +# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi +# icons: Helene Durosini <ln@mandrakesoft.com> +# <corporate@mandrakesoft.com> http://www.mandrakesoft.com + +# script for wizard postfix configuration +# +# checking if the provided hostname of relay value is correct +# +# at least a dot, strip @ + + +if [ -z "${wiz_ext_mail_relay}" ]; then + echo_debug "wiz_ext_mail_relay is empty, should not." + exit 1 +fi + +# (no need to skip white space), stripping @, need dot + +test=`echo ${wiz_ext_mail_relay} |sed -e '/@/{s/^[^@]*@\([^@]*\)$/\1/;}'|grep "\."` +echo_debug "test of relay domain : ${test}" + +if [ -z "${test}" ] ;then + echo_debug "relay empty, should not." + exit 1 +fi + +# all seems to be ok +exit 10 + diff --git a/postfix_wizard/scripts/compute_mail_relay.sh b/postfix_wizard/scripts/compute_mail_relay.sh new file mode 100755 index 00000000..b2fc35e6 --- /dev/null +++ b/postfix_wizard/scripts/compute_mail_relay.sh 
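Review bot: Unlike check_masquerade.sh, this script accepts a relay value containing spaces, yet compute_mail_relay.sh truncates the value at the first space with `s! .*$!!`, so if both see the same raw input, `foo host.example.com` passes validation here (it contains a dot) and is then reduced to `foo`, which has none. Either reject embedded whitespace here — `if echo "${test}" | grep -q ' '; then echo_debug "bad relay : ${test}"; exit 1; fi` — or validate the computed value the wizard actually stores. The comment `# (no need to skip white space), stripping @, need dot` contradicts that behaviour and should be corrected alongside.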
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard postfix configuration
+#
+# echo on stdout the correct value of wiz_ext_mail_relay
+# (strip @)
+
+
+#stripping @, need dot
+
+test=`echo ${wiz_ext_mail_relay} |sed -e '/@/{s/^[^@]*@\([^@]*\)$/\1/;}' -e 's! .*$!!'`
+echo_debug "relay domain : ${test}"
+
+echo ${test}
+
+# all seems to be ok
+exit 0
+
diff --git a/postfix_wizard/scripts/compute_masquerade.sh b/postfix_wizard/scripts/compute_masquerade.sh
new file mode 100755
index 00000000..a6f37111
--- /dev/null
+++ b/postfix_wizard/scripts/compute_masquerade.sh
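Review bot: `sed -e 's! .*$!!'` silently truncates the relay at the first space, so a mistyped value is quietly shortened rather than rejected, and the result is echoed unquoted (`echo ${test}`), which lets glob characters expand against the current directory before the wizard stores the value. Quote both ends: `test=$(echo "${wiz_ext_mail_relay}" | sed -e '/@/{s/^[^@]*@\([^@]*\)$/\1/;}' -e 's! .*$!!')` and `echo "${test}"`. compute_masquerade.sh is the same pipeline with `wiz_mail_masquerade` substituted and needs the identical quoting; since check_masquerade.sh and check_relay.sh repeat the `@`-stripping sed as well, one helper in common/scripts/functions.sh taking the raw value would stop the four copies drifting apart.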
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard postfix configuration
+#
+# echo on stdout the correct value of wiz_mail_masquerade
+# (strip @)
+
+
+#stripping @
+
+test=`echo ${wiz_mail_masquerade} |sed -e '/@/{s/^[^@]*@\([^@]*\)$/\1/;}' -e 's! .*$!!'`
+echo_debug "masquerade domain : ${test}"
+
+echo ${test}
+
+# all seems to be ok
+exit 0
+
diff --git a/postfix_wizard/scripts/postfix_do_it.sh b/postfix_wizard/scripts/postfix_do_it.sh
new file mode 100755
index 00000000..1fbaffd9
--- /dev/null
+++ b/postfix_wizard/scripts/postfix_do_it.sh
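Review bot: `echo ${test}` and `echo ${wiz_mail_masquerade}` are unquoted, so a value containing a glob character is expanded against the current directory before it is printed; quote both as `"${...}"`. The returned value is later embedded unescaped in a grep pattern and appended to /etc/postfix/canonical, so trimming at the first space with `s! .*$!!` is weaker than rejecting anything outside a hostname alphabet — `case "${test}" in ''|*[!A-Za-z0-9.-]*) exit 1;; esac` before the `echo` would do that (if the wizard honours a non-zero status here — confirm). This script is otherwise a copy of compute_mail_relay.sh with the variable name changed; a shared helper taking the variable name would keep the two from drifting apart.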
@@ -0,0 +1,103 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard network configuration
+#
+# install default postfix configuration for server
+# assuming all dependencies are ok
+
+
+echo_debug "now applying configuration for postfix"
+
+[ -d /etc/postfix ] || exit 1
+
+# first loading values
+. /etc/sysconfig/network
+
+# loading values from /etc/sysconfig/mdk_serv
+# wiz_host_name and wiz_domain_name
+wiz_host_name=`get_var wiz_host_name`
+wiz_domain_name=`get_var wiz_domain_name`
+
+wiz_device=`get_var wiz_device`
+
+
+file="/etc/sysconfig/network-scripts/ifcfg-${wiz_device}"
+echo_debug "device config : ${file}"
+[ -f ${file} ] || exit 1
+. ${file}
+
+# store the wiz_mail variable
+cfg_file=/etc/sysconfig/mdk_serv
+echo_debug "wiz_mail_masquerade ${wiz_mail_masquerade}"
+chg_val ${cfg_file} wiz_ext_mail_relay "${wiz_ext_mail_relay}" s
+chg_val ${cfg_file} wiz_mail_masquerade "${wiz_mail_masquerade}" s
+
+bck_file /etc/postfix/aliases
+bck_file /etc/postfix/canonical
+bck_file /etc/postfix/main.cf
+bck_file /etc/postfix/master.cf
+bck_file /etc/postfix/virtual
+
+# now configuring
+
+postconf -e "myhostname = ${wiz_host_name}"
+postconf -e 'myorigin = $mydomain'
+postconf -e 'inet_interfaces = all'
+postconf -e 'mydestination = $myhostname, localhost.$mydomain, $mydomain'
+
+if [ -n "${wiz_ext_mail_relay}" ]; then
+ postconf -e "relayhost = ${wiz_ext_mail_relay}"
+fi
+
+postconf -e 'masquerade_domains = $mydomain'
+
+postconf -e 'alias_maps = hash:/etc/postfix/aliases'
+postconf -e 'alias_database = hash:/etc/postfix/aliases'
+
+postconf -e 'virtual_maps = hash:/etc/postfix/virtual'
+postconf -e 'canonical_maps = hash:/etc/postfix/canonical'
+
+if [ -n "${wiz_mail_masquerade}" ]; then
+ if [ ! `grep "@${wiz_domain_name} @${wiz_mail_masquerade}" /etc/postfix/canonical` ]; then
+ echo "@${wiz_domain_name} @${wiz_mail_masquerade}" >> /etc/postfix/canonical
+ fi
+fi
+
+echo_debug "rebuilding hash"
+
+postmap /etc/postfix/canonical
+postmap /etc/postfix/virtual
+postalias /etc/postfix/aliases
+
+postfix check
+
+echo_debug "end of postfix configuration, restarting"
+
+service postfix restart
+service xinetd restart
+
+# all is ok
+exit 10
diff --git a/postfix_wizard/scripts/testlabel.pl b/postfix_wizard/scripts/testlabel.pl
new file mode 100644
index 00000000..c61d3cb0
--- /dev/null
+++ b/postfix_wizard/scripts/testlabel.pl
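Review bot: `postconf -e 'inet_interfaces = all'` makes Postfix listen on every interface, but the hunk never sets `mynetworks`, so who may relay through this host is left to Postfix's default `mynetworks_style = subnet` (the default until Postfix 3.0), which trusts every subnet attached to any interface — on a server with an external interface that can amount to an open relay for the upstream subnet. The script already sources the ifcfg file in `${file}` yet uses none of its values; stating the trusted range explicitly, e.g. `postconf -e "mynetworks = 127.0.0.0/8, <internal network>/<prefix>"` with the network taken from those values or from the wizard's stored settings (which of them carry it is not visible here — confirm), makes the relay policy deliberate. `postfix check` is run but its status is discarded, so a broken main.cf is restarted anyway; `postfix check || exit 1` keeps the `bck_file` backups useful. The `[ ! $(grep ...) ]` test only works by accident of `test`'s argument handling (a two-word match makes `test` error out, no match leaves `[ ! ]` true); `if ! grep -q -F "@${wiz_domain_name} @${wiz_mail_masquerade}" /etc/postfix/canonical; then` is the intended form.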
@@ -0,0 +1,15 @@
+$toto = "tutu";
+$tata = "titi";
+
+$file = "/home/logarno/toto";
+open(CANONICAL, "< $file");
+while (<CANONICAL>) {
+ if (/\@$toto\s*\@$tata/){
+ goto NOUPDATE;
+ }
+}
+close(CANONICAL);
+open(CANONICAL, ">> $file");
+print CANONICAL "\n\@$toto \@$tata";
+ NOUPDATE:
+ close(CANONICAL);
diff --git a/proxy_wizard/scripts/dfh.sh b/proxy_wizard/scripts/dfh.sh
new file mode 100755
index 00000000..8ab8956a
--- /dev/null
+++ b/proxy_wizard/scripts/dfh.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000,2001 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# squid wizard
+
+r='/var/spool/squid'
+howmany(){
+ [ -n "$1" ] && {
+ [ -d "$1" ] && df -h "$1" || howmany ${1%/*}
+ } || {
+ howmany '/'
+ }
+}
+
+howmany $r|tail -1
diff --git a/proxy_wizard/scripts/do_it_squid.sh b/proxy_wizard/scripts/do_it_squid.sh
new file mode 100755
index 00000000..28b2de1f
--- /dev/null
+++ b/proxy_wizard/scripts/do_it_squid.sh
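Review bot: This reads as a developer scratch file (hard-coded `/home/logarno/toto`, `$toto`/`$tata` placeholders) rather than wizard code, and it carries the usual Perl footguns: no `use strict`/`use warnings`, a two-argument `open` on a bareword handle with no error check, `$toto`/`$tata` interpolated into the regex without `\Q...\E`, and a `goto` that skips the `close`/re-`open` pair so the label's `close` ends up closing whichever handle is current. If it is meant to stay as the prototype for the canonical-map update in postfix_do_it.sh, the rewrite below keeps the behaviour (append `@tutu @titi` unless a matching line exists; a missing file still counts as "absent") with checked three-argument opens and quoted interpolation.

```perl
use strict;
use warnings;

my $toto = "tutu";
my $tata = "titi";
my $file = "/home/logarno/toto";

# A missing file is treated as "entry absent", as the original did.
my $present = 0;
if (open my $in, '<', $file) {
    $present = grep { /\@\Q$toto\E\s*\@\Q$tata\E/ } <$in>;
    close $in;
}

unless ($present) {
    open my $out, '>>', $file or die "open $file: $!";
    print {$out} "\n\@$toto \@$tata";
    close $out or die "close $file: $!";
}
```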
@@ -0,0 +1,264 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000,2001 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# squid wizard
+#
+# This script sets up proxy params
+#
+
+
+#store wizard config values
+file=/etc/sysconfig/mdk_serv
+
+service squid stop
+
+chg_val ${file} wiz_squid_defdir ${wiz_squid_defdir}
+chg_val ${file} wiz_squid_level ${wiz_squid_level}
+
+
+
+# find squid config file
+export conf=/etc/squid/squid.conf
+
+[ -f ${conf} ] || {
+ [ -d "/etc/squid" ] || exit 1
+ cp -f ${CWD}/scripts/squid.conf.default ${conf}
+}
+
+# backup squid config file
+bck_file ${conf}
+
+
+
+
+
+echo_debug "squid port ${wiz_squid_port}"
+chg_val2 ${conf} http_port ${wiz_squid_port}
+
+
+
+echo_debug "squid mem ${wiz_squid_mem}"
+chg_val2 ${conf} cache_mem "${wiz_squid_mem} MB"
+
+
+
+echo_debug "squid disk ${wiz_squid_disk}"
+
+t=`grep -E "^[[:space:]]*cache_dir[[:space:]]+[a-z]+[[:space:]]+${wiz_squid_defdir}[[:space:]]+[0-9]+" ${conf}`
+
+if [ -n "$t" ]; then
+ tpe=`echo $t|awk '{print $2}'`
+ opt=`echo $t|awk '{print $5" "$6" "$7" "$8" "$9}'`
+
+ TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1
+ cat "${conf}" > ${TMPFILE}
+ (cat ${TMPFILE}\
+|sed -e '\£^[[:space:]]*cache_dir[[:space:]]\+'"${tpe}"'[[:space:]]\+'"${wiz_squid_defdir}"'[[:space:]]\+[0-9]\+.*$£{
+i \
+# removed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"cache_dir ${tpe} ${wiz_squid_defdir} ${wiz_squid_disk} ${opt}"'
+}
+' > "${conf}") && rm -f ${TMPFILE}
+
+else
+ echo -e "\
+# added by mdk_serv script on $(date)\n\
+cache_dir ufs ${wiz_squid_defdir} ${wiz_squid_disk} 16 256\n\
+" >> "${conf}"
+fi
+
+
+
+
+
+
+
+
+echo_debug "squid ACL ${wiz_squid_level} ${wiz_squid_mynetw}"
+
+# ACL first step, define an acl definition for "mynetwork", like :
+# acl mynetwork src 192.168.1.0/255.255.255.0
+
+t=`grep -E "^[[:space:]]*acl[[:space:]]+mynetwork[[:space:]]+src[[:space:]]+" ${conf}`
+
+TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1
+cat "${conf}" > ${TMPFILE}
+
+if [ -n "$t" ]; then
+ (cat ${TMPFILE}\
+|sed -e '\£^[[:space:]]*acl[[:space:]]\+mynetwork[[:space:]]\+src[[:space:]]\+.*$£{
+i \
+# removed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"acl mynetwork src ${wiz_squid_mynetw}"'
+}
+' > "${conf}") && rm -f ${TMPFILE}
+else
+ (cat ${TMPFILE}\
+|sed -e '\£^[[:space:]]*acl[[:space:]]\+all[[:space:]]\+src[[:space:]]\+.*$£{
+a \
+# added by mdk_serv script on '"$(date)"'
+a \
+'"acl mynetwork src ${wiz_squid_mynetw}"'
+}
+' > "${conf}") && rm -f ${TMPFILE}
+fi
+
+
+
+# ACL second step, insert the control rule from the chosen level
+
+TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1
+cat "${conf}" > ${TMPFILE}
+
+case ${wiz_squid_level} in
+ 1) # all
+ sed -e '\£^[[:space:]]*http_access[[:space:]]\+deny[[:space:]]\+all[[:space:]]*.*$£{
+i \
+# changed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"http_access allow all"'
+}' ${TMPFILE} > ${conf}
+
+ ;;
+
+ 2) # local network
+ sed -e '\£^[[:space:]]*http_access[[:space:]]\+allow[[:space:]]\+all[[:space:]]*.*$£{
+i \
+# changed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"http_access deny all"'
+}' ${TMPFILE} > ${conf}
+
+
+cat ${conf} > ${TMPFILE}
+ sed -e '\£^[[:space:]]*http_access[[:space:]]\+allow[[:space:]]\+localhost[[:space:]]*.*$£{
+i \
+# changed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"http_access allow mynetwork"'
+}' ${TMPFILE} > ${conf}
+
+ ;;
+
+ 3)
+ sed -e '\£^[[:space:]]*http_access[[:space:]]\+allow[[:space:]]\+all[[:space:]]*.*$£{
+i \
+# changed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"http_access deny all"'
+}' ${TMPFILE} > ${conf}
+
+cat ${conf} > ${TMPFILE}
+
+ sed -e '\£^[[:space:]]*http_access[[:space:]]\+allow[[:space:]]\+mynetwork[[:space:]]*.*$£{
+i \
+# changed by mdk_serv script on '"$(date)"'
+s££#&£
+a \
+'"http_access allow localhost"'
+}' ${TMPFILE} > ${conf}
+
+ ;;
+
+ *) # should not happen
+ exit 1
+ ;;
+esac
+
+rm -f ${TMPFILE}
+
+
+
+
+
+echo_debug "squid cache peer ${wiz_squid_menupeer} ${wiz_squid_cachepeer} ${wiz_squid_peerport}"
+
+
+t=`grep -E "^[[:space:]]*cache_peer[[:space:]]+" ${conf}`
+
+if [ "${wiz_squid_menupeer}" == "1" -a -n "$t" ];
+# if no peer value, we have to remove the possible cache_peer
+# in the config file
+then
+ TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1
+ cat "${conf}" > ${TMPFILE}
+ (cat ${TMPFILE}\
+ |sed -e '\£^[[:space:]]*cache_peer[[:space:]]\+.*$£{
+i \
+# removed by mdk_serv script on '"$(date)"'
+s££#&£
+}
+' > "${conf}") && rm -f ${TMPFILE}
+
+
+elif [ "${wiz_squid_menupeer}" == "2" -a -n "${wiz_squid_cachepeer}" -a -n "$t" ];
+# if the cachepeer value exist, we have to remove the old value of the cache
+# peer in the config file, then add the new one.
+# WARNING :
+# All this works very badly if more than one cache peer exist in the file
+then
+ TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1
+ cat "${conf}" > ${TMPFILE}
+ (cat ${TMPFILE}\
+ |sed -e '\£^[[:space:]]*cache_peer[[:space:]]\+.*$£{
+i \
+# removed by mdk_serv script on '"$(date)"'
+s££#&£
+}
+' > "${conf}") && rm -f ${TMPFILE}
+
+ echo -e \
+"# added by mdk_serv script on $(date)\n\
+cache_peer ${wiz_squid_cachepeer} parent ${wiz_squid_peerport} 3130" \
+ >> ${conf}
+
+
+elif [ "${wiz_squid_menupeer}" == "2" -a -n "${wiz_squid_cachepeer}" -a -z "$t" ];
+# Just need to add the new value to the config file
+then
+echo_debug "hop ${conf}"
+ echo -e \
+"# added by mdk_serv script on $(date)\n\
+cache_peer ${wiz_squid_cachepeer} parent ${wiz_squid_peerport} 3130" \
+ >> ${conf}
+fi
+
+
+#######
+
+/sbin/chkconfig --level 345 squid on
+
+service squid start
+
+exit 10
diff --git a/proxy_wizard/scripts/echolevel.sh b/proxy_wizard/scripts/echolevel.sh
new file mode 100755
index 00000000..45fb40c4
--- /dev/null
+++ b/proxy_wizard/scripts/echolevel.sh
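Review bot: Level 1 comments out `http_access deny all` and appends `http_access allow all` while `http_port` is set to a bare port on the `chg_val2 ${conf} http_port ${wiz_squid_port}` line (so Squid binds every address), which turns the host into an open proxy for anyone who can reach it; at the very least that branch should log it (`echo_debug "WARNING: level 1 makes squid an open proxy on all interfaces"`), and binding `http_port` to the internal address would contain it (that address is not read in this script, so it would have to come from the wizard's stored values). `${wiz_squid_mynetw}`, `${wiz_squid_cachepeer}` and `${wiz_squid_peerport}` are spliced unvalidated into the sed `a \` text and the `echo -e` lines, so a value containing a newline injects further sed commands or squid directives; each deserves an anchored check before use, e.g. `case "${wiz_squid_mynetw}" in ''|*[!0-9./]*) exit 1;; esac`. Every rewrite opens `> "${conf}"` before sed runs and only the `rm` is guarded by `&&`, so if sed fails (for instance if a UTF-8 locale rejects the multibyte `£` delimiter) squid.conf is left truncated and the script still reaches `service squid start`; writing sed's output to the temp file and moving it into place only on success avoids that.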
@@ -0,0 +1,31 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000,2001 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# squid wizard
+
+echo_debug $0 $1
+
+exit $1
diff --git a/proxy_wizard/scripts/printservices.sh b/proxy_wizard/scripts/printservices.sh
new file mode 100755
index 00000000..909fdc9f
--- /dev/null
+++ b/proxy_wizard/scripts/printservices.sh
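Review bot: `exit $1` with an empty or non-numeric argument makes bash complain (`exit: numeric argument required`) and terminate with a status unrelated to any level, which the caller presumably reads as the level; guard it with `case "$1" in ''|*[!0-9]*) exit 1;; esac` before the `exit`. The script's contract — return the level passed as `$1` as the exit status, with `echo_debug` supplied by whoever sources it — is only inferable from those two lines and deserves a header comment such as `# usage: sourced by the wizard; exits with the level given as $1`.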
@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000,2001 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# squid wizard
+
+echo_debug $0
+echo_debug "$wiz_squid_port"
+
+grep -E -s "[[:space:]]$wiz_squid_port/tcp" /etc/services
diff --git a/proxy_wizard/scripts/showlevel.sh b/proxy_wizard/scripts/showlevel.sh
new file mode 100755
index 00000000..fd6e29a2
--- /dev/null
+++ b/proxy_wizard/scripts/showlevel.sh
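Review bot: `$wiz_squid_port` is interpolated into the `grep -E` pattern without being checked as a number, so a value with regex metacharacters either errors out or matches something unrelated, and an empty value yields the pattern `[[:space:]]/tcp`, which matches nothing and so reports the port as free. Reject anything but digits first: `case "$wiz_squid_port" in ''|*[!0-9]*) exit 1;; esac` ahead of the `grep`. The script's purpose — print the /etc/services entry already assigned to the chosen TCP port, if any — is only visible from the grep itself and deserves a one-line header comment.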
@@ -0,0 +1,77 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000,2001 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# squid wizard
+
+echo_debug $0
+
+#
+# Squid access control level
+#
+# level 1 : all
+# level 2 : local network
+# level 3 : localhost
+
+param="$1"
+
+[ -z "${param}" ] && param=3
+[ ${param} -lt 1 ] && param=1
+[ ${param} -gt 3 ] && param=3
+
+[ -z "$LANG" ] && LANG=en
+
+case "$LANG" in
+
+ fr)
+ case "${param}" in
+
+ 1) txt="Tous, pas de restriction d'accès"
+ ;;
+ 2) txt="${wiz_squid_mynetw}"
+ ;;
+ 3) txt="Uniquement cette machine"
+ ;;
+ esac
+ ;;
+
+ *)
+ case "${param}" in
+ 1) txt="All, no access restriction"
+ ;;
+ 2) txt="${wiz_squid_mynetw}"
+ ;;
+ 3) txt="Local host only"
+ ;;
+ esac
+ ;;
+esac
+
+echo_debug "ACL : ${txt}"
+
+echo $txt
+
+exit 0
+
diff --git a/proxy_wizard/scripts/squid.conf.default b/proxy_wizard/scripts/squid.conf.default
new file mode 100644
index 00000000..cd765fec
--- /dev/null
+++ b/proxy_wizard/scripts/squid.conf.default
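Review bot: `case "$LANG" in fr)` only matches the bare value `fr`, while the locale is normally `fr_FR` or `fr_FR.UTF-8`, so the French texts are never selected on a French system; `fr*)` matches all of them. `[ ${param} -lt 1 ]` with a non-numeric `$1` makes `test` print an error and the `-gt` clamp fails the same way, so `param` can stay non-numeric, fall through both inner `case`s and leave `txt` unset; a digits-only guard before the range clamps, `case "${param}" in ''|*[!0-9]*) param=3;; esac`, avoids that. `echo $txt` should be `echo "$txt"` so the text is not word-split or glob-expanded on the way out.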
@@ -0,0 +1,2758 @@ + +# WELCOME TO SQUID 2 +# ------------------ +# +# This is the default Squid configuration file. You may wish +# to look at the Squid home page (http://www.squid-cache.org/) +# for the FAQ and other documentation. +# +# The default Squid config file shows what the defaults for +# various options happen to be. If you don't need to change the +# default, you shouldn't uncomment the line. Doing so may cause +# run-time problems. In some cases "none" refers to no default +# setting at all, while in other cases it refers to a valid +# option - the comments for that keyword indicate if this is the +# case. +# + + +# NETWORK OPTIONS +# ----------------------------------------------------------------------------- + +# TAG: http_port +# Usage: port +# hostname:port +# 1.2.3.4:port +# +# The socket addresses where Squid will listen for HTTP client +# requests. You may specify multiple socket addresses. +# There are three forms: port alone, hostname with port, and +# IP address with port. If you specify a hostname or IP +# address, then Squid binds the socket to that specific +# address. This replaces the old 'tcp_incoming_address' +# option. Most likely, you do not need to bind to a specific +# address, so you can use the port number alone. +# +# The default port number is 3128. +# +# If you are running Squid in accelerator mode, then you +# probably want to listen on port 80 also, or instead. +# +# The -a command line option will override the *first* port +# number listed here. That option will NOT override an IP +# address, however. +# +# You may specify multiple socket addresses on multiple lines. +# +#Default: +# http_port 3128 + +# TAG: icp_port +# The port number where Squid sends and receives ICP queries to +# and from neighbor caches. Default is 3130. To disable use +# "0". May be overridden with -u on the command line. 
+# +#Default: +# icp_port 3130 + +# TAG: htcp_port +# The port number where Squid sends and receives HTCP queries to +# and from neighbor caches. Default is 4827. To disable use +# "0". +# +# To enable this option, you must use --enable-htcp with the +# configure script. +# +#Default: +# htcp_port 4827 + +# TAG: mcast_groups +# This tag specifies a list of multicast groups which your server +# should join to receive multicasted ICP queries. +# +# NOTE! Be very careful what you put here! Be sure you +# understand the difference between an ICP _query_ and an ICP +# _reply_. This option is to be set only if you want to RECEIVE +# multicast queries. Do NOT set this option to SEND multicast +# ICP (use cache_peer for that). ICP replies are always sent via +# unicast, so this option does not affect whether or not you will +# receive replies from multicast group members. +# +# You must be very careful to NOT use a multicast address which +# is already in use by another group of caches. +# +# If you are unsure about multicast, please read the Multicast +# chapter in the Squid FAQ (http://www.squid-cache.org/FAQ/). +# +# Usage: mcast_groups 239.128.16.128 224.0.1.20 +# +# By default, Squid doesn't listen on any multicast groups. +# +#Default: +# none + +# TAG: tcp_outgoing_address +# TAG: udp_incoming_address +# TAG: udp_outgoing_address +# Usage: tcp_incoming_address 10.20.30.40 +# udp_outgoing_address fully.qualified.domain.name +# +# tcp_outgoing_address is used for connections made to remote +# servers and other caches. +# udp_incoming_address is used for the ICP socket receiving packets +# from other caches. +# udp_outgoing_address is used for ICP packets sent out to other +# caches. +# +# The default behavior is to not bind to any specific address. +# +# A *_incoming_address value of 0.0.0.0 indicates that Squid should +# listen on all available interfaces. 
+# +# If udp_outgoing_address is set to 255.255.255.255 (the default) +# then it will use the same socket as udp_incoming_address. Only +# change this if you want to have ICP queries sent using another +# address than where this Squid listens for ICP queries from other +# caches. +# +# NOTE, udp_incoming_address and udp_outgoing_address can not +# have the same value since they both use port 3130. +# +# NOTE, tcp_incoming_address has been removed. You can now +# specify IP addresses on the 'http_port' line. +# +#Default: +# tcp_outgoing_address 255.255.255.255 +# udp_incoming_address 0.0.0.0 +# udp_outgoing_address 255.255.255.255 + + +# OPTIONS WHICH AFFECT THE NEIGHBOR SELECTION ALGORITHM +# ----------------------------------------------------------------------------- + +# TAG: cache_peer +# To specify other caches in a hierarchy, use the format: +# +# cache_peer hostname type http_port icp_port +# +# For example, +# +# # proxy icp +# # hostname type port port options +# # -------------------- -------- ----- ----- ----------- +# cache_peer parent.foo.net parent 3128 3130 [proxy-only] +# cache_peer sib1.foo.net sibling 3128 3130 [proxy-only] +# cache_peer sib2.foo.net sibling 3128 3130 [proxy-only] +# +# type: either 'parent', 'sibling', or 'multicast'. +# +# proxy_port: The port number where the cache listens for proxy +# requests. +# +# icp_port: Used for querying neighbor caches about +# objects. To have a non-ICP neighbor +# specify '7' for the ICP port and make sure the +# neighbor machine has the UDP echo port +# enabled in its /etc/inetd.conf file. +# +# options: proxy-only +# weight=n +# ttl=n +# no-query +# default +# round-robin +# multicast-responder +# closest-only +# no-digest +# no-netdb-exchange +# no-delay +# login=user:password +# connect-timeout=nn +# digest-url=url +# allow-miss +# +# use 'proxy-only' to specify that objects fetched +# from this cache should not be saved locally. +# +# use 'weight=n' to specify a weighted parent. 
+# The weight must be an integer. The default weight +# is 1, larger weights are favored more. +# +# use 'ttl=n' to specify a IP multicast TTL to use +# when sending an ICP queries to this address. +# Only useful when sending to a multicast group. +# Because we don't accept ICP replies from random +# hosts, you must configure other group members as +# peers with the 'multicast-responder' option below. +# +# use 'no-query' to NOT send ICP queries to this +# neighbor. +# +# use 'default' if this is a parent cache which can +# be used as a "last-resort." You should probably +# only use 'default' in situations where you cannot +# use ICP with your parent cache(s). +# +# use 'round-robin' to define a set of parents which +# should be used in a round-robin fashion in the +# absence of any ICP queries. +# +# 'multicast-responder' indicates that the named peer +# is a member of a multicast group. ICP queries will +# not be sent directly to the peer, but ICP replies +# will be accepted from it. +# +# 'closest-only' indicates that, for ICP_OP_MISS +# replies, we'll only forward CLOSEST_PARENT_MISSes +# and never FIRST_PARENT_MISSes. +# +# use 'no-digest' to NOT request cache digests from +# this neighbor. +# +# 'no-netdb-exchange' disables requesting ICMP +# RTT database (NetDB) from the neighbor. +# +# use 'no-delay' to prevent access to this neighbor +# from influencing the delay pools. +# +# use 'login=user:password' if this is a personal/workgroup +# proxy and your parent requires proxy authentication. +# +# use 'connect-timeout=nn' to specify a peer +# specific connect timeout (also see the +# peer_connect_timeout directive) +# +# use 'digest-url=url' to tell Squid to fetch the cache +# digest (if digests are enabled) for this host from +# the specified URL rather than the Squid default +# location. +# +# use 'allow-miss' to disable Squid's use of only-if-cached +# when forwarding requests to siblings. 
This is primarily +# useful when icp_hit_stale is used by the sibling. To +# extensive use of this option may result in forwarding +# loops, and you should avoid having two-way peerings +# with this option. (for example to deny peer usage on +# requests from peer by denying cache_peer_access if the +# source is a peer) +# +# NOTE: non-ICP neighbors must be specified as 'parent'. +# +#Default: +# none + +# TAG: cache_peer_domain +# Use to limit the domains for which a neighbor cache will be +# queried. Usage: +# +# cache_peer_domain cache-host domain [domain ...] +# cache_peer_domain cache-host !domain +# +# For example, specifying +# +# cache_peer_domain parent.foo.net .edu +# +# has the effect such that UDP query packets are sent to +# 'bigserver' only when the requested object exists on a +# server in the .edu domain. Prefixing the domainname +# with '!' means that the cache will be queried for objects +# NOT in that domain. +# +# NOTE: * Any number of domains may be given for a cache-host, +# either on the same or separate lines. +# * When multiple domains are given for a particular +# cache-host, the first matched domain is applied. +# * Cache hosts with no domain restrictions are queried +# for all requests. +# * There are no defaults. +# * There is also a 'cache_peer_access' tag in the ACL +# section. +# +#Default: +# none + +# TAG: neighbor_type_domain +# usage: neighbor_type_domain parent|sibling domain domain ... +# +# Modifying the neighbor type for specific domains is now +# possible. You can treat some domains differently than the the +# default neighbor type specified on the 'cache_peer' line. +# Normally it should only be necessary to list domains which +# should be treated differently because the default neighbor type +# applies for hostnames which do not match domains listed here. 
+# +#EXAMPLE: +# cache_peer parent cache.foo.org 3128 3130 +# neighbor_type_domain cache.foo.org sibling .com .net +# neighbor_type_domain cache.foo.org sibling .au .de +# +#Default: +# none + +# TAG: icp_query_timeout (msec) +# Normally Squid will automatically determine an optimal ICP +# query timeout value based on the round-trip-time of recent ICP +# queries. If you want to override the value determined by +# Squid, set this 'icp_query_timeout' to a non-zero value. This +# value is specified in MILLISECONDS, so, to use a 2-second +# timeout (the old default), you would write: +# +# icp_query_timeout 2000 +# +#Default: +# icp_query_timeout 0 + +# TAG: maximum_icp_query_timeout (msec) +# Normally the ICP query timeout is determined dynamically. But +# sometimes it can lead to very large values (say 5 seconds). +# Use this option to put an upper limit on the dynamic timeout +# value. Do NOT use this option to always use a fixed (instead +# of a dynamic) timeout value. To set a fixed timeout see the +# 'icp_query_timeout' directive. +# +#Default: +# maximum_icp_query_timeout 2000 + +# TAG: mcast_icp_query_timeout (msec) +# For Multicast peers, Squid regularly sends out ICP "probes" to +# count how many other peers are listening on the given multicast +# address. This value specifies how long Squid should wait to +# count all the replies. The default is 2000 msec, or 2 +# seconds. +# +#Default: +# mcast_icp_query_timeout 2000 + +# TAG: dead_peer_timeout (seconds) +# This controls how long Squid waits to declare a peer cache +# as "dead." If there are no ICP replies received in this +# amount of time, Squid will declare the peer dead and not +# expect to receive any further ICP replies. However, it +# continues to send ICP queries, and will mark the peer as +# alive upon receipt of the first subsequent ICP reply. +# +# This timeout also affects when Squid expects to receive ICP +# replies from peers. 
If more than 'dead_peer' seconds have +# passed since the last ICP reply was received, Squid will not +# expect to receive an ICP reply on the next query. Thus, if +# your time between requests is greater than this timeout, you +# will see a lot of requests sent DIRECT to origin servers +# instead of to your parents. +# +#Default: +# dead_peer_timeout 10 seconds + +# TAG: hierarchy_stoplist +# A list of words which, if found in a URL, cause the object to +# be handled directly by this cache. In other words, use this +# to not query neighbor caches for certain objects. You may +# list this option multiple times. +# +#We recommend you to use at least the following line. +hierarchy_stoplist cgi-bin ? + +# TAG: no_cache +# A list of ACL elements which, if matched, cause the reply to +# immediately removed from the cache. In other words, use this +# to force certain objects to never be cached. +# +# You must use the word 'DENY' to indicate the ACL names which should +# NOT be cached. +# +#We recommend you to use the following two lines. +acl QUERY urlpath_regex cgi-bin \? +no_cache deny QUERY + + +# OPTIONS WHICH AFFECT THE CACHE SIZE +# ----------------------------------------------------------------------------- + +# TAG: cache_mem (bytes) +# NOTE: THIS PARAMETER DOES NOT SPECIFY THE MAXIMUM PROCESS +# SIZE. IT PLACES A LIMIT ON ONE ASPECT OF SQUID'S MEMORY +# USAGE. SQUID USES MEMORY FOR OTHER THINGS AS WELL. +# YOUR PROCESS WILL PROBABLY BECOME TWICE OR THREE TIMES +# BIGGER THAN THE VALUE YOU PUT HERE +# +# 'cache_mem' specifies the ideal amount of memory to be used +# for: +# * In-Transit objects +# * Hot Objects +# * Negative-Cached objects +# +# Data for these objects are stored in 4 KB blocks. This +# parameter specifies the ideal upper limit on the total size of +# 4 KB blocks allocated. In-Transit objects take the highest +# priority. +# +# In-transit objects have priority over the others. 
When +# additional space is needed for incoming data, negative-cached +# and hot objects will be released. In other words, the +# negative-cached and hot objects will fill up any unused space +# not needed for in-transit objects. +# +# If circumstances require, this limit will be exceeded. +# Specifically, if your incoming request rate requires more than +# 'cache_mem' of memory to hold in-transit objects, Squid will +# exceed this limit to satisfy the new requests. When the load +# decreases, blocks will be freed until the high-water mark is +# reached. Thereafter, blocks will be used to store hot +# objects. +# +#Default: +# cache_mem 8 MB + +# TAG: cache_swap_low (percent, 0-100) +# TAG: cache_swap_high (percent, 0-100) +# +# The low- and high-water marks for cache object replacement. +# Replacement begins when the swap (disk) usage is above the +# low-water mark and attempts to maintain utilization near the +# low-water mark. As swap utilization gets close to high-water +# mark object eviction becomes more aggressive. If utilization is +# close to the low-water mark less replacement is done each time. +# +# Defaults are 90% and 95%. If you have a large cache, 5% could be +# hundreds of MB. If this is the case you may wish to set these +# numbers closer together. +# +#Default: +# cache_swap_low 90 +# cache_swap_high 95 + +# TAG: maximum_object_size (bytes) +# Objects larger than this size will NOT be saved on disk. The +# value is specified in kilobytes, and the default is 4MB. If +# you wish to get a high BYTES hit ratio, you should probably +# increase this (one 32 MB object hit counts for 3200 10KB +# hits). If you wish to increase speed more than your want to +# save bandwidth you should leave this low. +# +# NOTE: if using the LFUDA replacement policy you should increase +# this value to maximize the byte hit rate improvement of LFUDA! +# See replacement_policy below for a discussion of this policy. 
+#
+#Default:
+# maximum_object_size 4096 KB
+
+# TAG: minimum_object_size (bytes)
+# Objects smaller than this size will NOT be saved on disk. The
+# value is specified in kilobytes, and the default is 0 KB, which
+# means there is no minimum.
+#
+#Default:
+# minimum_object_size 0 KB
+
+# TAG: maximum_object_size_in_memory (bytes)
+# Objects greater than this size will not be attempted to kept in
+# the memory cache. This should be set high enough to keep objects
+# accessed frequently in memory to improve performance whilst low
+# enough to keep larger objects from hoarding cache_mem .
+#
+#Default:
+# maximum_object_size_in_memory 8 KB
+
+# TAG: ipcache_size (number of entries)
+# TAG: ipcache_low (percent)
+# TAG: ipcache_high (percent)
+# The size, low-, and high-water marks for the IP cache.
+#
+#Default:
+# ipcache_size 1024
+# ipcache_low 90
+# ipcache_high 95
+
+# TAG: fqdncache_size (number of entries)
+# Maximum number of FQDN cache entries.
+#
+#Default:
+# fqdncache_size 1024
+
+# TAG: cache_replacement_policy
+# The cache replacement policy parameter determines which
+# objects are evicted (replaced) when disk space is needed.
+#
+# lru : Squid's original list based LRU policy
+# heap GDSF : Greedy-Dual Size Frequency
+# heap LFUDA: Least Frequently Used with Dynamic Aging
+# heap LRU : LRU policy implemented using a heap
+#
+# Applies to any cache_dir lines listed below this.
+#
+# The LRU policies keeps recently referenced objects.
+#
+# The heap GDSF policy optimizes object hit rate by keeping smaller
+# popular objects in cache so it has a better chance of getting a
+# hit. It achieves a lower byte hit rate than LFUDA though since
+# it evicts larger (possibly popular) objects.
+#
+# The heap LFUDA policy keeps popular objects in cache regardless of
+# their size and thus optimizes byte hit rate at the expense of
+# hit rate since one large, popular object will prevent many
+# smaller, slightly less popular objects from being cached.
+#
+# Both policies utilize a dynamic aging mechanism that prevents
+# cache pollution that can otherwise occur with frequency-based
+# replacement policies.
+#
+# NOTE: if using the LFUDA replacement policy you should increase
+# the value of maximum_object_size above its default of 4096 KB to
+# to maximize the potential byte hit rate improvement of LFUDA.
+#
+# For more information about the GDSF and LFUDA cache replacement
+# policies see http://www.hpl.hp.com/techreports/1999/HPL-1999-69.html
+# and http://fog.hpl.external.hp.com/techreports/98/HPL-98-173.html.
+#
+#Default:
+# cache_replacement_policy lru
+
+# TAG: memory_replacement_policy
+# The memory replacement policy parameter determines which
+# objects are purged from memory when memory space is needed.
+#
+# See cache_replacement_policy for details.
+#
+#Default:
+# memory_replacement_policy lru
+
+
+# LOGFILE PATHNAMES AND CACHE DIRECTORIES
+# -----------------------------------------------------------------------------
+
+# TAG: cache_dir
+# Usage:
+#
+# cache_dir Type Directory-Name Fs-specific-data [options]
+#
+# You can specify multiple cache_dir lines to spread the
+# cache among different disk partitions.
+#
+# Type specifies the kind of storage system to use. Most
+# everyone will want to use "ufs" as the type. If you are using
+# Async I/O (--enable async-io) on Linux or Solaris, then you may
+# want to try "aufs" as the type. Async IO support may be
+# buggy, however, so beware.
+#
+# 'Directory' is a top-level directory where cache swap
+# files will be stored. If you want to use an entire disk
+# for caching, then this can be the mount-point directory.
+# The directory must exist and be writable by the Squid
+# process. Squid will NOT create this directory for you.
+#
+# The ufs store type:
+#
+# "ufs" is the old well-known Squid storage format that has always
+# been there.
+#
+# cache_dir ufs Directory-Name Mbytes L1 L2 [options]
+#
+# 'Mbytes' is the amount of disk space (MB) to use under this
+# directory. The default is 100 MB. Change this to suit your
+# configuration.
+#
+# 'Level-1' is the number of first-level subdirectories which
+# will be created under the 'Directory'. The default is 16.
+#
+# 'Level-2' is the number of second-level subdirectories which
+# will be created under each first-level directory. The default
+# is 256.
+#
+# The aufs store type:
+#
+# "aufs" uses the same storage format as "ufs", utilizing
+# POSIX-threads to avoid blocking the main Squid process on
+# disk-I/O. This was formerly known in Squid as async-io.
+#
+# cache_dir aufs Directory-Name Mbytes L1 L2 [options]
+#
+# see argument descriptions under ufs above
+#
+# The diskd store type:
+#
+# "diskd" uses the same storage format as "ufs", utilizing a
+# separate process to avoid blocking the main Squid process on
+# disk-I/O.
+#
+# cache_dir diskd Directory-Name Mbytes L1 L2 [options] [Q1=n] [Q2=n]
+#
+# see argument descriptions under ufs above
+#
+# Q1 specifies the number of unacknowledged I/O requests when Squid
+# stops opening new files. If this many messages are in the queues,
+# Squid won't open new files. Default is 64
+#
+# Q2 specifies the number of unacknowledged messages when Squid
+# starts blocking. If this many messages are in the queues,
+# Squid blocks until it recevies some replies. Default is 72
+#
+# Common options:
+#
+# read-only, this cache_dir is read only.
+#
+# max-size=n, refers to the max object size this storedir supports.
+# It is used to initially choose the storedir to dump the object.
+# Note: To make optimal use of the max-size limits you should order
+# the cache_dir lines with the smallest max-size value first and the
+# ones with no max-size specification last.
+#
+#Default:
+# cache_dir ufs /var/spool/squid 100 16 256
+
+# TAG: cache_access_log
+# Logs the client request activity.
Contains an entry for
+# every HTTP and ICP queries received.
+#
+#Default:
+# cache_access_log /var/log/squid/access.log
+
+# TAG: cache_log
+# Cache logging file. This is where general information about
+# your cache's behavior goes. You can increase the amount of data
+# logged to this file with the "debug_options" tag below.
+#
+#Default:
+# cache_log /var/log/squid/cache.log
+
+# TAG: cache_store_log
+# Logs the activities of the storage manager. Shows which
+# objects are ejected from the cache, and which objects are
+# saved and for how long. To disable, enter "none". There are
+# not really utilities to analyze this data, so you can safely
+# disable it.
+#
+#Default:
+# cache_store_log /var/log/squid/store.log
+
+# TAG: cache_swap_log
+# Location for the cache "swap.log." This log file holds the
+# metadata of objects saved on disk. It is used to rebuild the
+# cache during startup. Normally this file resides in each
+# 'cache_dir' directory, but you may specify an alternate
+# pathname here. Note you must give a full filename, not just
+# a directory. Since this is the index for the whole object
+# list you CANNOT periodically rotate it!
+#
+# If %s can be used in the file name then it will be replaced with a
+# a representation of the cache_dir name where each / is replaced
+# with '.'. This is needed to allow adding/removing cache_dir
+# lines when cache_swap_log is being used.
+#
+# If have more than one 'cache_dir', and %s is not used in the name
+# then these swap logs will have names such as:
+#
+# cache_swap_log.00
+# cache_swap_log.01
+# cache_swap_log.02
+#
+# The numbered extension (which is added automatically)
+# corresponds to the order of the 'cache_dir' lines in this
+# configuration file. If you change the order of the 'cache_dir'
+# lines in this file, then these log files will NOT correspond to
+# the correct 'cache_dir' entry (unless you manually rename
+# them). We recommend that you do NOT use this option.
It is
+# better to keep these log files in each 'cache_dir' directory.
+#
+#Default:
+# none
+
+# TAG: emulate_httpd_log on|off
+# The Cache can emulate the log file format which many 'httpd'
+# programs use. To disable/enable this emulation, set
+# emulate_httpd_log to 'off' or 'on'. The default
+# is to use the native log format since it includes useful
+# information that Squid-specific log analyzers use.
+#
+#Default:
+# emulate_httpd_log off
+
+# TAG: log_ip_on_direct on|off
+# Log the destination IP address in the hierarchy log tag when going
+# direct. Earlier Squid versions logged the hostname here. If you
+# prefer the old way set this to off.
+#
+#Default:
+# log_ip_on_direct on
+
+# TAG: mime_table
+# Pathname to Squid's MIME table. You shouldn't need to change
+# this, but the default file contains examples and formatting
+# information if you do.
+#
+#Default:
+# mime_table /etc/squid/mime.conf
+
+# TAG: log_mime_hdrs on|off
+# The Cache can record both the request and the response MIME
+# headers for each HTTP transaction. The headers are encoded
+# safely and will appear as two bracketed fields at the end of
+# the access log (for either the native or httpd-emulated log
+# formats). To enable this logging set log_mime_hdrs to 'on'.
+#
+#Default:
+# log_mime_hdrs off
+
+# TAG: useragent_log
+# Squid will write the User-Agent field from HTTP requests
+# to the filename specified here. By default useragent_log
+# is disabled.
+#
+#Default:
+# none
+
+# TAG: referer_log
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-referer-log option
+#
+# Squid will write the Referer field from HTTP requests to the
+# filename specified here. By default referer_log is disabled.
+#
+#Default:
+# none
+
+# TAG: pid_filename
+# A filename to write the process-id to. To disable, enter "none".
+#
+#Default:
+# pid_filename /var/run/squid.pid
+
+# TAG: debug_options
+# Logging options are set as section,level where each source file
+# is assigned a unique section. Lower levels result in less
+# output, Full debugging (level 9) can result in a very large
+# log file, so be careful. The magic word "ALL" sets debugging
+# levels for all sections. We recommend normally running with
+# "ALL,1".
+#
+#Default:
+# debug_options ALL,1
+
+# TAG: log_fqdn on|off
+# Turn this on if you wish to log fully qualified domain names
+# in the access.log. To do this Squid does a DNS lookup of all
+# IP's connecting to it. This can (in some situations) increase
+# latency, which makes your cache seem slower for interactive
+# browsing.
+#
+#Default:
+# log_fqdn off
+
+# TAG: client_netmask
+# A netmask for client addresses in logfiles and cachemgr output.
+# Change this to protect the privacy of your cache clients.
+# A netmask of 255.255.255.0 will log all IP's in that range with
+# the last digit set to '0'.
+#
+#Default:
+# client_netmask 255.255.255.255
+
+
+# OPTIONS FOR EXTERNAL SUPPORT PROGRAMS
+# -----------------------------------------------------------------------------
+
+# TAG: ftp_user
+# If you want the anonymous login password to be more informative
+# (and enable the use of picky ftp servers), set this to something
+# reasonable for your domain, like wwwuser@somewhere.net
+#
+# The reason why this is domainless by default is that the
+# request can be made on the behalf of a user in any domain,
+# depending on how the cache is used.
+# Some ftp server also validate that the email address is valid
+# (for example perl.com).
+#
+#Default:
+# ftp_user Squid@
+
+# TAG: ftp_list_width
+# Sets the width of ftp listings. This should be set to fit in
+# the width of a standard browser. Setting this too small
+# can cut off long filenames when browsing ftp sites.
+#
+#Default:
+# ftp_list_width 32
+
+# TAG: ftp_passive
+# If your firewall does not allow Squid to use passive
+# connections, then turn off this option.
+#
+#Default:
+# ftp_passive on
+
+# TAG: cache_dns_program
+# Note: This option is only available if Squid is rebuilt with the
+# --disable-internal-dns option
+#
+# Specify the location of the executable for dnslookup process.
+#
+#Default:
+# cache_dns_program /usr/lib/squid/
+
+# TAG: dns_children
+# Note: This option is only available if Squid is rebuilt with the
+# --disable-internal-dns option
+#
+# The number of processes spawn to service DNS name lookups.
+# For heavily loaded caches on large servers, you should
+# probably increase this value to at least 10. The maximum
+# is 32. The default is 5.
+#
+# You must have at least one dnsserver process.
+#
+#Default:
+# dns_children 5
+
+# TAG: dns_retransmit_interval
+# Initial retransmit interval for DNS queries. The interval is
+# doubled each time all configured DNS servers have been tried.
+#
+#
+#Default:
+# dns_retransmit_interval 5 seconds
+
+# TAG: dns_timeout
+# DNS Query timeout. If no response is received to a DNS query
+# within this time then all DNS servers for the queried domain
+# is assumed to be unavailable.
+#
+#Default:
+# dns_timeout 5 minutes
+
+# TAG: dns_defnames on|off
+# Note: This option is only available if Squid is rebuilt with the
+# --disable-internal-dns option
+#
+# Normally the 'dnsserver' disables the RES_DEFNAMES resolver
+# option (see res_init(3)). This prevents caches in a hierarchy
+# from interpreting single-component hostnames locally. To allow
+# dnsserver to handle single-component names, enable this
+# option.
+#
+#Default:
+# dns_defnames off
+
+# TAG: dns_nameservers
+# Use this if you want to specify a list of DNS name servers
+# (IP addresses) to use instead of those given in your
+# /etc/resolv.conf file.
+#
+# Example: dns_nameservers 10.0.0.1 192.172.0.4
+#
+#Default:
+# none
+
+# TAG: diskd_program
+# Specify the location of the diskd executable.
+# Note that this is only useful if you have compiled in
+# diskd as one of the store io modules.
+#
+#Default:
+# diskd_program /usr/lib/squid/diskd
+
+# TAG: unlinkd_program
+# Specify the location of the executable for file deletion process.
+#
+#Default:
+# unlinkd_program /usr/lib/squid/unlinkd
+
+# TAG: pinger_program
+# Note: This option is only available if Squid is rebuilt with the
+# --enable-icmp option
+#
+# Specify the location of the executable for the pinger process.
+# This is only useful if you configured Squid (during compilation)
+# with the '--enable-icmp' option.
+#
+#Default:
+# pinger_program /usr/lib/squid/
+
+# TAG: redirect_program
+# Specify the location of the executable for the URL redirector.
+# Since they can perform almost any function there isn't one included.
+# See the Release-Notes for information on how to write one.
+# By default, a redirector is not used.
+#
+#Default:
+# none
+
+# TAG: redirect_children
+# The number of redirector processes to spawn. If you start
+# too few Squid will have to wait for them to process a backlog of
+# URLs, slowing it down. If you start too many they will use RAM
+# and other system resources.
+#
+#Default:
+# redirect_children 5
+
+# TAG: redirect_rewrites_host_header
+# By default Squid rewrites any Host: header in redirected
+# requests. If you are running a accelerator then this may
+# not be a wanted effect of a redirector.
+#
+#Default:
+# redirect_rewrites_host_header on
+
+# TAG: redirector_access
+# If defined, this access list specifies which requests are
+# sent to the redirector processes. By default all requests
+# are sent.
+#
+#Default:
+# none
+
+# TAG: authenticate_program
+# Specify the command for the external authenticator.
Such a
+# program reads a line containing "username password" and replies
+# "OK" or "ERR" in an endless loop. If you use an authenticator,
+# make sure you have 1 acl of type proxy_auth. By default, the
+# authenticator_program is not used.
+#
+# If you want to use the traditional proxy authentication,
+# jump over to the ../auth_modules/NCSA directory and
+# type:
+# % make
+# % make install
+#
+# Then, set this line to something like
+#
+# authenticate_program /usr/bin/ncsa_auth /usr/etc/passwd
+#
+#Default:
+# none
+
+# TAG: authenticate_children
+# The number of authenticator processes to spawn (default 5). If you
+# start too few Squid will have to wait for them to process a backlog
+# of usercode/password verifications, slowing it down. When password
+# verifications are done via a (slow) network you are likely to need
+# lots of authenticator processes.
+#
+#Default:
+# authenticate_children 5
+
+# TAG: authenticate_ttl
+# The time a checked username/password combination remains cached.
+# If a wrong password is given for a cached user, the user gets
+# removed from the username/password cache forcing a revalidation.
+#
+#Default:
+# authenticate_ttl 1 hour
+
+# TAG: authenticate_ip_ttl
+# With this option you control how long a proxy authentication
+# will be bound to a specific IP address. If a request using
+# the same user name is received during this time then access
+# will be denied and both users are required to reauthenticate
+# them selves. The idea behind this is to make it annoying
+# for people to share their password to their friends, but
+# yet allow a dialup user to reconnect on a different dialup
+# port.
+#
+# The default is 0 to disable the check. Recommended value
+# if you have dialup users are no more than 60 seconds to allow
+# the user to redial without hassle. If all your users are
+# stationary then higher values may be used.
+#
+# See also authenticate_ip_ttl_is_strict
+#
+#Default:
+# authenticate_ip_ttl 0 seconds
+
+# TAG: authenticate_ip_ttl_is_strict
+# This option makes authenticate_ip_ttl a bit stricted. With this
+# enabled authenticate_ip_ttl will deny all access from other IP
+# addresses until the TTL has expired, and the IP address "owning"
+# the userid will not be forced to reauthenticate.
+#
+#Default:
+# authenticate_ip_ttl_is_strict on
+
+
+# OPTIONS FOR TUNING THE CACHE
+# -----------------------------------------------------------------------------
+
+# TAG: wais_relay_host
+# TAG: wais_relay_port
+# Relay WAIS request to host (1st arg) at port (2 arg).
+#
+#Default:
+# wais_relay_port 0
+
+# TAG: request_header_max_size (KB)
+# This specifies the maximum size for HTTP headers in a request.
+# Request headers are usually relatively small (about 512 bytes).
+# Placing a limit on the request header size will catch certain
+# bugs (for example with persistent connections) and possibly
+# buffer-overflow or denial-of-service attacks.
+#
+#Default:
+# request_header_max_size 10 KB
+
+# TAG: request_body_max_size (KB)
+# This specifies the maximum size for an HTTP request body.
+# In other words, the maximum size of a PUT/POST request.
+# A user who attempts to send a request with a body larger
+# than this limit receives an "Invalid Request" error message.
+# If you set this parameter to a zero, there will be no limit
+# imposed.
+#
+#Default:
+# request_body_max_size 1 MB
+
+# TAG: reply_body_max_size (KB)
+# This option specifies the maximum size of a reply body. It
+# can be used to prevent users from downloading very large files,
+# such as MP3's and movies. The reply size is checked twice.
+# First when we get the reply headers, we check the
+# content-length value. If the content length value exists and
+# is larger than this parameter, the request is denied and the
+# user receives an error message that says "the request or reply
+# is too large."
If there is no content-length, and the reply
+# size exceeds this limit, the client's connection is just closed
+# and they will receive a partial reply.
+#
+# NOTE: downstream caches probably can not detect a partial reply
+# if there is no content-length header, so they will cache
+# partial responses and give them out as hits. You should NOT
+# use this option if you have downstream caches.
+#
+# If you set this parameter to zero (the default), there will be
+# no limit imposed.
+#
+#Default:
+# reply_body_max_size 0
+
+# TAG: refresh_pattern
+# usage: refresh_pattern [-i] regex min percent max [options]
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# 'Min' is the time (in minutes) an object without an explicit
+# expiry time should be considered fresh. The recommended
+# value is 0, any higher values may cause dynamic applications
+# to be erroneously cached unless the application designer
+# has taken the appropriate actions.
+#
+# 'Percent' is a percentage of the objects age (time since last
+# modification age) an object without explicit expiry time
+# will be considered fresh.
+#
+# 'Max' is an upper limit on how long objects without an explicit
+# expiry time will be considered fresh.
+#
+# options: overrsde-expire
+# override-lastmod
+# reload-into-ims
+# ignore-reload
+#
+# override-expire enforces min age even if the server
+# sent a Expires: header. Doing this VIOLATES the HTTP
+# standard. Enabling this feature could make you liable
+# for problems which it causes.
+#
+# override-lastmod enforces min age even on objects
+# that was modified recently.
+#
+# reload-into-ims changes client no-cache or ``reload''
+# to If-Modified-Since requests. Doing this VIOLATES the
+# HTTP standard. Enabling this feature could make you
+# liable for problems which it causes.
+#
+# ignore-reload ignores a client no-cache or ``reload''
+# header. Doing this VIOLATES the HTTP standard.
Enabling
+# this feature could make you liable for problems which
+# it causes.
+#
+# Please see the file doc/Release-Notes-1.1.txt for a full
+# description of Squid's refresh algorithm. Basically a
+# cached object is: (the order is changed from 1.1.X)
+#
+# FRESH if expires < now, else STALE
+# STALE if age > max
+# FRESH if lm-factor < percent, else STALE
+# FRESH if age < min
+# else STALE
+#
+# The refresh_pattern lines are checked in the order listed here.
+# The first entry which matches is used. If none of the entries
+# match, then the default will be used.
+#
+# Note, you must uncomment all the default lines if you want
+# to change one. The default setting is only active if none is
+# used.
+#
+#Default:
+# refresh_pattern ^ftp: 1440 20% 10080
+# refresh_pattern ^gopher: 1440 0% 1440
+# refresh_pattern . 0 20% 4320
+
+# TAG: reference_age
+# As a part of normal operation, Squid performs Least Recently
+# Used removal of cached objects. The LRU age for removal is
+# computed dynamically, based on the amount of disk space in
+# use. The dynamic value can be seen in the Cache Manager 'info'
+# output.
+#
+# The 'reference_age' parameter defines the maximum LRU age. For
+# example, setting reference_age to '1 week' will cause objects
+# to be removed if they have not been accessed for a week or
+# more. The default value is one year.
+#
+# Specify a number here, followed by units of time. For example:
+# 1 week
+# 3.5 days
+# 4 months
+# 2.2 hours
+#
+# NOTE: this parameter is not used when using the enhanced
+# replacement policies, GDSH or LFUDA.
+#
+#Default:
+# reference_age 1 year
+
+# TAG: quick_abort_min (KB)
+# TAG: quick_abort_max (KB)
+# TAG: quick_abort_pct (percent)
+# The cache can be configured to continue downloading aborted
+# requests. This may be undesirable on slow (e.g. SLIP) links
+# and/or very busy caches. Impatient users may tie up file
+# descriptors and bandwidth by repeatedly requesting and
+# immediately aborting downloads.
+#
+# When the user aborts a request, Squid will check the
+# quick_abort values to the amount of data transfered until
+# then.
+#
+# If the transfer has less than 'quick_abort_min' KB remaining,
+# it will finish the retrieval. Setting 'quick_abort_min' to -1
+# will disable the quick_abort feature.
+#
+# If the transfer has more than 'quick_abort_max' KB remaining,
+# it will abort the retrieval.
+#
+# If more than 'quick_abort_pct' of the transfer has completed,
+# it will finish the retrieval.
+#
+#Default:
+# quick_abort_min 16 KB
+# quick_abort_max 16 KB
+# quick_abort_pct 95
+
+# TAG: negative_ttl time-units
+# Time-to-Live (TTL) for failed requests. Certain types of
+# failures (such as "connection refused" and "404 Not Found") are
+# negatively-cached for a configurable amount of time. The
+# default is 5 minutes. Note that this is different from
+# negative caching of DNS lookups.
+#
+#Default:
+# negative_ttl 5 minutes
+
+# TAG: positive_dns_ttl time-units
+# Time-to-Live (TTL) for positive caching of successful DNS lookups.
+# Default is 6 hours (360 minutes). If you want to minimize the
+# use of Squid's ipcache, set this to 1, not 0.
+#
+#Default:
+# positive_dns_ttl 6 hours
+
+# TAG: negative_dns_ttl time-units
+# Time-to-Live (TTL) for negative caching of failed DNS lookups.
+#
+#Default:
+# negative_dns_ttl 5 minutes
+
+# TAG: range_offset_limit (bytes)
+# Sets a upper limit on how far into the the file a Range request
+# may be to cause Squid to prefetch the whole file. If beyond this
+# limit then Squid forwards the Range request as it is and the result
+# is NOT cached.
+#
+# This is to stop a far ahead range request (lets say start at 17MB)
+# from making Squid fetch the whole object up to that point before
+# sending anything to the client.
+#
+# A value of -1 causes Squid to always fetch the object from the
+# beginning so that it may cache the result.
(2.0 style)
+#
+# A value of 0 causes Squid to never fetch more than the
+# client requested. (default)
+#
+#Default:
+# range_offset_limit 0 KB
+
+
+# TIMEOUTS
+# -----------------------------------------------------------------------------
+
+# TAG: connect_timeout time-units
+# Some systems (notably Linux) can not be relied upon to properly
+# time out connect(2) requests. Therefore the Squid process
+# enforces its own timeout on server connections. This parameter
+# specifies how long to wait for the connect to complete. The
+# default is two minutes (120 seconds).
+#
+#Default:
+# connect_timeout 2 minutes
+
+# TAG: peer_connect_timeout time-units
+# This parameter specifies how long to wait for a pending TCP
+# connection to a peer cache. The default is 30 seconds. You
+# may also set different timeout values for individual neighbors
+# with the 'connect-timeout' option on a 'cache_peer' line.
+#
+#Default:
+# peer_connect_timeout 30 seconds
+
+# TAG: siteselect_timeout time-units
+# For URN to multiple URL's URL selection
+#
+#Default:
+# siteselect_timeout 4 seconds
+
+# TAG: read_timeout time-units
+# The read_timeout is applied on server-side connections. After
+# each successful read(), the timeout will be extended by this
+# amount. If no data is read again after this amount of time,
+# the request is aborted and logged with ERR_READ_TIMEOUT. The
+# default is 15 minutes.
+#
+#Default:
+# read_timeout 15 minutes
+
+# TAG: request_timeout
+# How long to wait for an HTTP request after connection
+# establishment. For persistent connections, wait this long
+# after the previous request completes.
+#
+#Default:
+# request_timeout 30 seconds
+
+# TAG: client_lifetime time-units
+# The maximum amount of time that a client (browser) is allowed to
+# remain connected to the cache process.
This protects the Cache
+# from having a lot of sockets (and hence file descriptors) tied up
+# in a CLOSE_WAIT state from remote clients that go away without
+# properly shutting down (either because of a network failure or
+# because of a poor client implementation). The default is one
+# day, 1440 minutes.
+#
+# NOTE: The default value is intended to be much larger than any
+# client would ever need to be connected to your cache. You
+# should probably change client_lifetime only as a last resort.
+# If you seem to have many client connections tying up
+# filedescriptors, we recommend first tuning the read_timeout,
+# request_timeout, pconn_timeout and quick_abort values.
+#
+#Default:
+# client_lifetime 1 day
+
+# TAG: half_closed_clients
+# Some clients may shutdown the sending side of their TCP
+# connections, while leaving their receiving sides open. Sometimes,
+# Squid can not tell the difference between a half-closed and a
+# fully-closed TCP connection. By default, half-closed client
+# connections are kept open until a read(2) or write(2) on the
+# socket returns an error. Change this option to 'off' and Squid
+# will immediately close client connections when read(2) returns
+# "no more data to read."
+#
+#Default:
+# half_closed_clients on
+
+# TAG: pconn_timeout
+# Timeout for idle persistent connections to servers and other
+# proxies.
+#
+#Default:
+# pconn_timeout 120 seconds
+
+# TAG: ident_timeout
+# Maximum time to wait for IDENT requests. If this is too high,
+# and you enabled 'ident_lookup', then you might be susceptible
+# to denial-of-service by having many ident requests going at
+# once.
+#
+# Only src type ACL checks are fully supported. A src_domain
+# ACL might work at times, but it will not always provide
+# the correct result.
+#
+# This option may be disabled by using --disable-ident with
+# the configure script.
+#
+#Default:
+# ident_timeout 10 seconds
+
+# TAG: shutdown_lifetime time-units
+# When SIGTERM or SIGHUP is received, the cache is put into
+# "shutdown pending" mode until all active sockets are closed.
+# This value is the lifetime to set for all open descriptors
+# during shutdown mode. Any active clients after this many
+# seconds will receive a 'timeout' message.
+#
+#Default:
+# shutdown_lifetime 30 seconds
+
+
+# ACCESS CONTROLS
+# -----------------------------------------------------------------------------
+
+# TAG: acl
+# Defining an Access List
+#
+# acl aclname acltype string1 ...
+# acl aclname acltype "file" ...
+#
+# when using "file", the file should contain one item per line
+#
+# acltype is one of src dst srcdomain dstdomain url_pattern
+# urlpath_pattern time port proto method browser user
+#
+# By default, regular expressions are CASE-SENSITIVE. To make
+# them case-insensitive, use the -i option.
+#
+# acl aclname src ip-address/netmask ... (clients IP address)
+# acl aclname src addr1-addr2/netmask ... (range of addresses)
+# acl aclname dst ip-address/netmask ... (URL host's IP address)
+# acl aclname myip ip-address/netmask ... (local socket IP address)
+#
+# acl aclname srcdomain .foo.com ... # reverse lookup, client IP
+# acl aclname dstdomain .foo.com ... # Destination server from URL
+# acl aclname srcdom_regex [-i] xxx ... # regex matching client name
+# acl aclname dstdom_regex [-i] xxx ... # regex matching server
+# # For dstdomain and dstdom_regex a reverse lookup is tried if a IP
+# # based URL is used. The name "none" is used if the reverse lookup
+# # fails.
+#
+# acl aclname time [day-abbrevs] [h1:m1-h2:m2]
+# day-abbrevs:
+# S - Sunday
+# M - Monday
+# T - Tuesday
+# W - Wednesday
+# H - Thursday
+# F - Friday
+# A - Saturday
+# h1:m1 must be less than h2:m2
+# acl aclname url_regex [-i] ^http:// ... # regex matching on whole URL
+# acl aclname urlpath_regex [-i] \.gif$ ...
# regex matching on URL path
+# acl aclname port 80 70 21 ...
+# acl aclname port 0-1024 ... # ranges allowed
+# acl aclname myport 3128 ... # (local socket TCP port)
+# acl aclname proto HTTP FTP ...
+# acl aclname method GET POST ...
+# acl aclname browser [-i] regexp
+# # pattern match on User-Agent header
+# acl aclname ident username ...
+# acl aclname ident_regex [-i] pattern ...
+# # string match on ident output.
+# # use REQUIRED to accept any non-null ident.
+# acl aclname src_as number ...
+# acl aclname dst_as number ...
+# # Except for access control, AS numbers can be used for
+# # routing of requests to specific caches. Here's an
+# # example for routing all requests for AS#1241 and only
+# # those to mycache.mydomain.net:
+# # acl asexample dst_as 1241
+# # cache_peer_access mycache.mydomain.net allow asexample
+# # cache_peer_access mycache_mydomain.net deny all
+#
+# acl aclname proxy_auth username ...
+# acl aclname proxy_auth_regex [-i] pattern ...
+# # list of valid usernames
+# # use REQUIRED to accept any valid username.
+# #
+# # NOTE: when a Proxy-Authentication header is sent but it is not
+# # needed during ACL checking the username is NOT logged
+# # in access.log.
+# #
+# # NOTE: proxy_auth requires a EXTERNAL authentication program
+# # to check username/password combinations (see
+# # authenticate_program).
+# #
+# # WARNING: proxy_auth can't be used in a transparent proxy. It
+# # collides with any authentication done by origin servers. It may
+# # seem like it works at first, but it doesn't.
+#
+# acl aclname snmp_community string ...
+# # A community string to limit access to your SNMP Agent
+# # Example:
+# #
+# # acl snmppublic snmp_community public
+#
+# acl aclname maxconn number
+# # This will be matched when the client's IP address has
+# # more than <number> HTTP connections established.
+#
+# acl req_mime_type mime-type1 ...
+# # regex match agains the mime type of the request generated
+# # by the client.
Can be used to detect file upload or some
+# # types HTTP tunelling requests.
+# # NOTE: This does NOT match the reply. You cannot use this
+# # to match the returned file type.
+#
+#Examples:
+#acl myexample dst_as 1241
+#acl password proxy_auth REQUIRED
+#acl fileupload req_mime_type -i ^multipart/form-data$
+#
+#Recommended minimum configuration:
+acl all src 0.0.0.0/0.0.0.0
+acl manager proto cache_object
+acl localhost src 127.0.0.1/255.255.255.255
+acl SSL_ports port 443 563
+acl Safe_ports port 80 # http
+acl Safe_ports port 21 # ftp
+acl Safe_ports port 443 563 # https, snews
+acl Safe_ports port 70 # gopher
+acl Safe_ports port 210 # wais
+acl Safe_ports port 1025-65535 # unregistered ports
+acl Safe_ports port 280 # http-mgmt
+acl Safe_ports port 488 # gss-http
+acl Safe_ports port 591 # filemaker
+acl Safe_ports port 777 # multiling http
+acl CONNECT method CONNECT
+
+# TAG: http_access
+# Allowing or Denying access based on defined access lists
+#
+# Access to the HTTP port:
+# http_access allow|deny [!]aclname ...
+#
+# NOTE on default values:
+#
+# If there are no "access" lines present, the default is to deny
+# the request.
+#
+# If none of the "access" lines cause a match, the default is the
+# opposite of the last line in the list. If the last line was
+# deny, then the default is allow. Conversely, if the last line
+# is allow, the default will be deny. For these reasons, it is a
+# good idea to have an "deny all" or "allow all" entry at the end
+# of your access lists to avoid potential confusion. 
+#
+#Default:
+# http_access deny all
+#
+#Recommended minimum configuration:
+#
+# Only allow cachemgr access from localhost
+http_access allow manager localhost
+http_access deny manager
+# Deny requests to unknown ports
+http_access deny !Safe_ports
+# Deny CONNECT to other than SSL ports
+http_access deny CONNECT !SSL_ports
+#
+# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
+#
+# And finally deny all other access to this proxy
+http_access allow localhost
+http_access deny all
+
+# TAG: icp_access
+# Allowing or Denying access to the ICP port based on defined
+# access lists
+#
+# icp_access allow|deny [!]aclname ...
+#
+# See http_access for details
+#
+#Default:
+# icp_access deny all
+#
+#Allow ICP queries from eveyone
+icp_access allow all
+
+# TAG: miss_access
+# Use to force your neighbors to use you as a sibling instead of
+# a parent. For example:
+#
+# acl localclients src 172.16.0.0/16
+# miss_access allow localclients
+# miss_access deny !localclients
+#
+# This means that only your local clients are allowed to fetch
+# MISSES and all other clients can only fetch HITS.
+#
+# By default, allow all clients who passed the http_access rules
+# to fetch MISSES from us.
+#
+#Default setting:
+# miss_access allow all
+
+# TAG: cache_peer_access
+# Similar to 'cache_peer_domain' but provides more flexibility by
+# using ACL elements.
+#
+# cache_peer_access cache-host allow|deny [!]aclname ...
+#
+# The syntax is identical to 'http_access' and the other lists of
+# ACL elements. See the comments for 'http_access' below, or
+# the Squid FAQ (http://www.squid-cache.org/FAQ/FAQ-10.html).
+#
+#Default:
+# none
+
+# TAG: proxy_auth_realm
+# Specifies the realm name which is to be reported to the client for
+# proxy authentication (part of the text the user will see when
+# prompted their username and password). 
+#
+#Default:
+# proxy_auth_realm Squid proxy-caching web server
+
+# TAG: ident_lookup_access
+# A list of ACL elements which, if matched, cause an ident
+# (RFC 931) lookup to be performed for this request. For
+# example, you might choose to always perform ident lookups
+# for your main multi-user Unix boxes, but not for your Macs
+# and PCs. By default, ident lookups are not performed for
+# any requests.
+#
+# To enable ident lookups for specific client addresses, you
+# can follow this example:
+#
+# acl ident_aware_hosts src 198.168.1.0/255.255.255.0
+# ident_lookup_access allow ident_aware_hosts
+# ident_lookup_access deny all
+#
+# This option may be disabled by using --disable-ident with
+# the configure script.
+#
+#Default:
+# ident_lookup_access deny all
+
+
+# ADMINISTRATIVE PARAMETERS
+# -----------------------------------------------------------------------------
+
+# TAG: cache_mgr
+# Email-address of local cache manager who will receive
+# mail if the cache dies. The default is "webmaster."
+#
+#Default:
+# cache_mgr root
+
+# TAG: cache_effective_user
+# TAG: cache_effective_group
+#
+# If the cache is run as root, it will change its effective/real
+# UID/GID to the UID/GID specified below. The default is to
+# change to UID to nobody and GID to nobody.
+#
+# If Squid is not started as root, the default is to keep the
+# current UID/GID. Note that if Squid is not started as root then
+# you cannot set http_port to a value lower than 1024.
+#
+#Default:
+# cache_effective_user nobody
+# cache_effective_group nobody
+
+# TAG: visible_hostname
+# If you want to present a special hostname in error messages, etc,
+# then define this. Otherwise, the return value of gethostname()
+# will be used. If you have multiple caches in a cluster and
+# get errors about IP-forwarding you must set them to have individual
+# names with this setting. 
+#
+#Default:
+# none
+
+# TAG: unique_hostname
+# If you want to have multiple machines with the same
+# 'visible_hostname' then you must give each machine a different
+# 'unique_hostname' so that forwarding loops can be detected.
+#
+#Default:
+# none
+
+# TAG: hostname_aliases
+# A list of other DNS names that your cache has.
+#
+#Default:
+# none
+
+
+# OPTIONS FOR THE CACHE REGISTRATION SERVICE
+# -----------------------------------------------------------------------------
+#
+# This section contains parameters for the (optional) cache
+# announcement service. This service is provided to help
+# cache administrators locate one another in order to join or
+# create cache hierarchies.
+#
+# An 'announcement' message is sent (via UDP) to the registration
+# service by Squid. By default, the announcement message is NOT
+# SENT unless you enable it with 'announce_period' below.
+#
+# The announcement message includes your hostname, plus the
+# following information from this configuration file:
+#
+# http_port
+# icp_port
+# cache_mgr
+#
+# All current information is processed regularly and made
+# available on the Web at http://www.ircache.net/Cache/Tracker/.
+
+# TAG: announce_period
+# This is how frequently to send cache announcements. The
+# default is `0' which disables sending the announcement
+# messages.
+#
+# To enable announcing your cache, just uncomment the line
+# below.
+#
+#Default:
+# announce_period 0
+#
+#To enable announcing your cache, just uncomment the line below.
+#announce_period 1 day
+
+# TAG: announce_host
+# TAG: announce_file
+# TAG: announce_port
+# announce_host and announce_port set the hostname and port
+# number where the registration message will be sent.
+#
+# Hostname will default to 'tracker.ircache.net' and port will
+# default default to 3131. If the 'filename' argument is given,
+# the contents of that file will be included in the announce
+# message. 
+#
+#Default:
+# announce_host tracker.ircache.net
+# announce_port 3131
+
+
+# HTTPD-ACCELERATOR OPTIONS
+# -----------------------------------------------------------------------------
+
+# TAG: httpd_accel_host
+# TAG: httpd_accel_port
+# If you want to run Squid as an httpd accelerator, define the
+# host name and port number where the real HTTP server is.
+#
+# If you want virtual host support then specify the hostname
+# as "virtual".
+#
+# If you want virtual port support then specify the port as "0".
+#
+# NOTE: enabling httpd_accel_host disables proxy-caching and
+# ICP. If you want these features enabled also, then set
+# the 'httpd_accel_with_proxy' option.
+#
+#Default:
+# httpd_accel_port 80
+
+# TAG: httpd_accel_single_host on|off
+# If you are running Squid as a accelerator and have a single backend
+# server then set this to on. This causes Squid to forward the request
+# to this server irregardles of what any redirectors or Host headers
+# says.
+#
+# Leave this at off if you have multiple backend servers, and use a
+# redirector (or host table or private DNS) to map the requests to the
+# appropriate backend servers. Note that the mapping needs to be a
+# 1-1 mapping between requested and backend (from redirector) domain
+# names or caching will fail, as cacing is performed using the
+# URL returned from the redirector.
+#
+# See also redirect_rewrites_host_header.
+#
+#Default:
+# httpd_accel_single_host off
+
+# TAG: httpd_accel_with_proxy on|off
+# If you want to use Squid as both a local httpd accelerator
+# and as a proxy, change this to 'on'. 
Note however that your
+# proxy users may have trouble to reach the accelerated domains
+# unless their browsers are configured not to use this proxy for
+# those domains (for example via the no_proxy browser configuration
+# setting)
+#
+#Default:
+# httpd_accel_with_proxy off
+
+# TAG: httpd_accel_uses_host_header on|off
+# HTTP/1.1 requests include a Host: header which is basically the
+# hostname from the URL. Squid can be an accelerator for
+# different HTTP servers by looking at this header. However,
+# Squid does NOT check the value of the Host header, so it opens
+# a big security hole. We recommend that this option remain
+# disabled unless you are sure of what you are doing.
+#
+# However, you will need to enable this option if you run Squid
+# as a transparent proxy. Otherwise, virtual servers which
+# require the Host: header will not be properly cached.
+#
+#Default:
+# httpd_accel_uses_host_header off
+
+
+# MISCELLANEOUS
+# -----------------------------------------------------------------------------
+
+# TAG: dns_testnames
+# The DNS tests exit as soon as the first site is successfully looked up
+#
+# This test can be disabled with the -D command line option.
+#
+#Default:
+# dns_testnames netscape.com internic.net nlanr.net microsoft.com
+
+# TAG: logfile_rotate
+# Specifies the number of logfile rotations to make when you
+# type 'squid -k rotate'. The default is 10, which will rotate
+# with extensions 0 through 9. Setting logfile_rotate to 0 will
+# disable the rotation, but the logfiles are still closed and
+# re-opened. This will enable you to rename the logfiles
+# yourself just before sending the rotate signal.
+#
+# Note, the 'squid -k rotate' command normally sends a USR1
+# signal to the running squid process. In certain situations
+# (e.g. on Linux with Async I/O), USR1 is used for other
+# purposes, so -k rotate uses another signal. It is best to get
+# in the habit of using 'squid -k rotate' instead of 'kill -USR1
+# <pid>'. 
+#
+#Default:
+# logfile_rotate 0
+
+# TAG: append_domain
+# Appends local domain name to hostnames without any dots in
+# them. append_domain must begin with a period.
+#
+#Example:
+# append_domain .yourdomain.com
+#
+#Default:
+# none
+
+# TAG: tcp_recv_bufsize (bytes)
+# Size of receive buffer to set for TCP sockets. Probably just
+# as easy to change your kernel's default. Set to zero to use
+# the default buffer size.
+#
+#Default:
+# tcp_recv_bufsize 0 bytes
+
+# TAG: err_html_text
+# HTML text to include in error messages. Make this a "mailto"
+# URL to your admin address, or maybe just a link to your
+# organizations Web page.
+#
+# To include this in your error messages, you must rewrite
+# the error template files (found in the "errors" directory).
+# Wherever you want the 'err_html_text' line to appear,
+# insert a %L tag in the error template file.
+#
+#Default:
+# none
+
+# TAG: deny_info
+# Usage: deny_info err_page_name acl
+# Example: deny_info ERR_CUSTOM_ACCESS_DENIED bad_guys
+#
+# This can be used to return a ERR_ page for requests which
+# do not pass the 'http_access' rules. A single ACL will cause
+# the http_access check to fail. If a 'deny_info' line exists
+# for that ACL then Squid returns a corresponding error page.
+#
+# You may use ERR_ pages that come with Squid or create your own pages
+# and put them into the configured errors/ directory.
+#
+#Default:
+# none
+
+# TAG: memory_pools on|off
+# If set, Squid will keep pools of allocated (but unused) memory
+# available for future use. If memory is a premium on your
+# system and you believe your malloc library outperforms Squid
+# routines, disable this.
+#
+#Default:
+# memory_pools on
+
+# TAG: memory_pools_limit (bytes)
+# Used only with memory_pools on:
+# memory_pools_limit 50 MB
+#
+# If set to a non-zero value, Squid will keep at most the specified
+# limit of allocated (but unused) memory in memory pools. 
All free()
+# requests that exceed this limit will be handled by your malloc
+# library. Squid does not pre-allocate any memory, just safe-keeps
+# objects that otherwise would be free()d. Thus, it is safe to set
+# memory_pools_limit to a reasonably high value even if your
+# configuration will use less memory.
+#
+# If not set (default) or set to zero, Squid will keep all memory it
+# can. That is, there will be no limit on the total amount of memory
+# used for safe-keeping.
+#
+# To disable memory allocation optimization, do not set
+# memory_pools_limit to 0. Set memory_pools to "off" instead.
+#
+# An overhead for maintaining memory pools is not taken into account
+# when the limit is checked. This overhead is close to four bytes per
+# object kept. However, pools may actually _save_ memory because of
+# reduced memory thrashing in your malloc library.
+#
+#Default:
+# none
+
+# TAG: forwarded_for on|off
+# If set, Squid will include your system's IP address or name
+# in the HTTP requests it forwards. By default it looks like
+# this:
+#
+# X-Forwarded-For: 192.1.2.3
+#
+# If you disable this, it will appear as
+#
+# X-Forwarded-For: unknown
+#
+#Default:
+# forwarded_for on
+
+# TAG: log_icp_queries on|off
+# If set, ICP queries are logged to access.log. You may wish
+# do disable this if your ICP load is VERY high to speed things
+# up or to simplify log analysis.
+#
+#Default:
+# log_icp_queries on
+
+# TAG: icp_hit_stale on|off
+# If you want to return ICP_HIT for stale cache objects, set this
+# option to 'on'. If you have sibling relationships with caches
+# in other administrative domains, this should be 'off'. If you only
+# have sibling relationships with caches under your control, then
+# it is probably okay to set this to 'on'.
+#
+#Default:
+# icp_hit_stale off
+
+# TAG: minimum_direct_hops
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many hops away. 
+#
+#Default:
+# minimum_direct_hops 4
+
+# TAG: minimum_direct_rtt
+# If using the ICMP pinging stuff, do direct fetches for sites
+# which are no more than this many rtt milliseconds away.
+#
+#Default:
+# minimum_direct_rtt 400
+
+# TAG: cachemgr_passwd
+# Specify passwords for cachemgr operations.
+#
+# Usage: cachemgr_passwd password action action ...
+#
+# Some valid actions are (see cache manager menu for a full list):
+# 5min
+# 60min
+# asndb
+# authenticator
+# cbdata
+# client_list
+# comm_incoming
+# config *
+# counters
+# delay
+# digest_stats
+# dns
+# events
+# filedescriptors
+# fqdncache
+# histograms
+# http_headers
+# info
+# io
+# ipcache
+# mem
+# menu
+# netdb
+# non_peers
+# objects
+# pconn
+# peer_select
+# redirector
+# refresh
+# server_list
+# shutdown *
+# store_digest
+# storedir
+# utilization
+# via_headers
+# vm_objects
+#
+# * Indicates actions which will not be performed without a
+# valid password, others can be performed if not listed here.
+#
+# To disable an action, set the password to "disable".
+# To allow performing an action without a password, set the
+# password to "none".
+#
+# Use the keyword "all" to set the same password for all actions.
+#
+#Example:
+# cachemgr_passwd secret shutdown
+# cachemgr_passwd lesssssssecret info stats/objects
+# cachemgr_passwd disable all
+#
+#Default:
+# none
+
+# TAG: store_avg_object_size (kbytes)
+# Average object size, used to estimate number of objects your
+# cache can hold. See doc/Release-Notes-1.1.txt. The default is
+# 13 KB.
+#
+#Default:
+# store_avg_object_size 13 KB
+
+# TAG: store_objects_per_bucket
+# Target number of objects per bucket in the store hash table.
+# Lowering this value increases the total number of buckets and
+# also the storage maintenance rate. The default is 50.
+#
+#Default:
+# store_objects_per_bucket 20
+
+# TAG: client_db on|off
+# If you want to disable collecting per-client statistics, then
+# turn off client_db here. 
+#
+#Default:
+# client_db on
+
+# TAG: netdb_low
+# TAG: netdb_high
+# The low and high water marks for the ICMP measurement
+# database. These are counts, not percents. The defaults are
+# 900 and 1000. When the high water mark is reached, database
+# entries will be deleted until the low mark is reached.
+#
+#Default:
+# netdb_low 900
+# netdb_high 1000
+
+# TAG: netdb_ping_period
+# The minimum period for measuring a site. There will be at
+# least this much delay between successive pings to the same
+# network. The default is five minutes.
+#
+#Default:
+# netdb_ping_period 5 minutes
+
+# TAG: query_icmp on|off
+# If you want to ask your peers to include ICMP data in their ICP
+# replies, enable this option.
+#
+# If your peer has configured Squid (during compilation) with
+# '--enable-icmp' then that peer will send ICMP pings to origin server
+# sites of the URLs it receives. If you enable this option then the
+# ICP replies from that peer will include the ICMP data (if available).
+# Then, when choosing a parent cache, Squid will choose the parent with
+# the minimal RTT to the origin server. When this happens, the
+# hierarchy field of the access.log will be
+# "CLOSEST_PARENT_MISS". This option is off by default.
+#
+#Default:
+# query_icmp off
+
+# TAG: test_reachability on|off
+# When this is 'on', ICP MISS replies will be ICP_MISS_NOFETCH
+# instead of ICP_MISS if the target host is NOT in the ICMP
+# database, or has a zero RTT.
+#
+#Default:
+# test_reachability off
+
+# TAG: buffered_logs on|off
+# Some log files (cache.log, useragent.log) are written with
+# stdio functions, and as such they can be buffered or
+# unbuffered. By default they will be unbuffered. Buffering them
+# can speed up the writing slightly (though you are unlikely to
+# need to worry).
+#
+#Default:
+# buffered_logs off
+
+# TAG: reload_into_ims on|off
+# When you enable this option, client no-cache or ``reload''
+# requests will be changed to If-Modified-Since requests. 
+# Doing this VIOLATES the HTTP standard. Enabling this
+# feature could make you liable for problems which it
+# causes.
+#
+# see also refresh_pattern for a more selective approach.
+#
+# This option may be disabled by using --disable-http-violations
+# with the configure script.
+#
+#Default:
+# reload_into_ims off
+
+# TAG: always_direct
+# Usage: always_direct allow|deny [!]aclname ...
+#
+# Here you can use ACL elements to specify requests which should
+# ALWAYS be forwarded directly to origin servers. For example,
+# to always directly forward requests for local servers use
+# something like:
+#
+# acl local-servers dstdomain my.domain.net
+# always_direct allow local-servers
+#
+# To always forward FTP requests directly, use
+#
+# acl FTP proto FTP
+# always_direct allow FTP
+#
+# NOTE: There is a similar, but opposite option named
+# 'never_direct'. You need to be aware that "always_direct deny
+# foo" is NOT the same thing as "never_direct allow foo". You
+# may need to use a deny rule to exclude a more-specific case of
+# some other rule. Example:
+#
+# acl local-external dstdomain external.foo.net
+# acl local-servers dstdomain foo.net
+# always_direct deny local-external
+# always_direct allow local-servers
+#
+# This option replaces some v1.1 options such as local_domain
+# and local_ip.
+#
+#Default:
+# none
+
+# TAG: never_direct
+# Usage: never_direct allow|deny [!]aclname ...
+#
+# never_direct is the opposite of always_direct. Please read
+# the description for always_direct if you have not already.
+#
+# With 'never_direct' you can use ACL elements to specify
+# requests which should NEVER be forwarded directly to origin
+# servers. 
For example, to force the use of a proxy for all
+# requests, except those in your local domain use something like:
+#
+# acl local-servers dstdomain foo.net
+# acl all src 0.0.0.0/0.0.0.0
+# never_direct deny local-servers
+# never_direct allow all
+#
+# or if squid is inside a firewall and there is local intranet
+# servers inside the firewall then use something like:
+#
+# acl local-intranet dstdomain foo.net
+# acl local-external dstdomain external.foo.net
+# always_direct deny local-external
+# always_direct allow local-intranet
+# never_direct allow all
+#
+# This option replaces some v1.1 options such as inside_firewall
+# and firewall_ip.
+#
+#Default:
+# none
+
+# TAG: anonymize_headers
+# Usage: anonymize_headers allow|deny header_name ...
+#
+# This option replaces the old 'http_anonymizer' option with
+# something that is much more configurable. You may now
+# specify exactly which headers are to be allowed, or which
+# are to be removed from outgoing requests.
+#
+# There are two methods of using this option. You may either
+# allow specific headers (thus denying all others), or you
+# may deny specific headers (thus allowing all others). 
+#
+# For example, to achieve the same behavior as the old
+# 'http_anonymizer standard' option, you should use:
+#
+# anonymize_headers deny From Referer Server
+# anonymize_headers deny User-Agent WWW-Authenticate Link
+#
+# Or, to reproduce the old 'http_anonymizer paranoid' feature
+# you should use:
+#
+# anonymize_headers allow Allow Authorization Cache-Control
+# anonymize_headers allow Content-Encoding Content-Length
+# anonymize_headers allow Content-Type Date Expires Host
+# anonymize_headers allow If-Modified-Since Last-Modified
+# anonymize_headers allow Location Pragma Accept
+# anonymize_headers allow Accept-Encoding Accept-Language
+# anonymize_headers allow Content-Language Mime-Version
+# anonymize_headers allow Retry-After Title Connection
+# anonymize_headers allow Proxy-Connection
+#
+# NOTE: You can not mix "allow" and "deny". All 'anonymize_headers'
+# lines must have the same second argument.
+#
+# By default, all headers are allowed (no anonymizing is
+# performed).
+#
+#Default:
+# none
+
+# TAG: fake_user_agent
+# If you filter the User-Agent header with 'anonymize_headers' it
+# may cause some Web servers to refuse your request. Use this to
+# fake one up. For example:
+#
+# fake_user_agent Nutscrape/1.0 (CP/M; 8-bit)
+# (credit to Paul Southworth pauls@etext.org for this one!)
+#
+#Default:
+# none
+
+# TAG: icon_directory
+# Where the icons are stored. These are normally kept in
+# /usr/lib/squid/icons
+#
+#Default:
+# icon_directory /usr/lib/squid/icons
+
+# TAG: error_directory
+# Directory where the error files are read from.
+# /usr/lib/squid/errors contains sets of error files
+# in different languages. The default error directory
+# is /etc/squid/errors, which is a link to one of these
+# error sets.
+#
+# If you wish to create your own versions of the error files,
+# either to customize them to suit your language or company,
+# copy the template English files to another
+# directory and point this tag at them. 
+#
+#error_directory /etc/squid/errors
+#
+#Default:
+# error_directory /etc/squid/errors
+
+# TAG: minimum_retry_timeout (seconds)
+# This specifies the minimum connect timeout, for when the
+# connect timeout is reduced to compensate for the availability
+# of multiple IP addresses.
+#
+# When a connection to a host is initiated, and that host has
+# several IP addresses, the default connection timeout is reduced
+# by dividing it by the number of addresses. So, a site with 15
+# addresses would then have a timeout of 8 seconds for each
+# address attempted. To avoid having the timeout reduced to the
+# point where even a working host would not have a chance to
+# respond, this setting is provided. The default, and the
+# minimum value, is five seconds, and the maximum value is sixty
+# seconds, or half of connect_timeout, whichever is greater and
+# less than connect_timeout.
+#
+#Default:
+# minimum_retry_timeout 5 seconds
+
+# TAG: maximum_single_addr_tries
+# This sets the maximum number of connection attempts for a
+# host that only has one address (for multiple-address hosts,
+# each address is tried once).
+#
+# The default value is three tries, the (not recommended)
+# maximum is 255 tries. A warning message will be generated
+# if it is set to a value greater than ten.
+#
+#Default:
+# maximum_single_addr_tries 3
+
+# TAG: snmp_port
+# Squid can now serve statistics and status information via SNMP.
+# By default it listens to port 3401 on the machine. If you don't
+# wish to use SNMP, set this to "0".
+#
+# NOTE: SNMP support requires use the --enable-snmp configure
+# command line option.
+#
+#Default:
+# snmp_port 3401
+
+# TAG: snmp_access
+# Allowing or denying access to the SNMP port.
+#
+# All access to the agent is denied by default.
+# usage:
+#
+# snmp_access allow|deny [!]aclname ... 
+#
+#Example:
+# snmp_access allow snmppublic localhost
+# snmp_access deny all
+#
+#Default:
+# snmp_access deny all
+
+# TAG: snmp_incoming_address
+# TAG: snmp_outgoing_address
+# Just like 'udp_incoming_address' above, but for the SNMP port.
+#
+# snmp_incoming_address is used for the SNMP socket receiving
+# messages from SNMP agents.
+# snmp_outgoing_address is used for SNMP packets returned to SNMP
+# agents.
+#
+# The default snmp_incoming_address (0.0.0.0) is to listen on all
+# available network interfaces.
+#
+# If snmp_outgoing_address is set to 255.255.255.255 (the default)
+# then it will use the same socket as snmp_incoming_address. Only
+# change this if you want to have SNMP replies sent using another
+# address than where this Squid listens for SNMP queries.
+#
+# NOTE, snmp_incoming_address and snmp_outgoing_address can not have
+# the same value since they both use port 3401.
+#
+#Default:
+# snmp_incoming_address 0.0.0.0
+# snmp_outgoing_address 255.255.255.255
+
+# TAG: as_whois_server
+# WHOIS server to query for AS numbers. NOTE: AS numbers are
+# queried only when Squid starts up, not for every request.
+#
+#Default:
+# as_whois_server whois.ra.net
+# as_whois_server whois.ra.net
+
+# TAG: wccp_router
+# Use this option to define your WCCP ``home'' router for
+# Squid. Setting the 'wccp_router' to 0.0.0.0 (the default)
+# disables WCCP.
+#
+#Default:
+# wccp_router 0.0.0.0
+
+# TAG: wccp_version
+# According to some users, Cisco IOS 11.2 only supports WCCP
+# version 3. If you're using that version of IOS, change
+# this value to 3.
+#
+#Default:
+# wccp_version 4
+
+# TAG: wccp_incoming_address
+# TAG: wccp_outgoing_address
+# wccp_incoming_address Use this option if you require WCCP
+# messages to be received on only one
+# interface. Do NOT use this option if
+# you're unsure how many interfaces you
+# have, or if you know you have only one
+# interface. 
+#
+# wccp_outgoing_address Use this option if you require WCCP
+# messages to be sent out on only one
+# interface. Do NOT use this option if
+# you're unsure how many interfaces you
+# have, or if you know you have only one
+# interface.
+#
+# The default behavior is to not bind to any specific address.
+#
+# NOTE, wccp_incoming_address and wccp_outgoing_address can not have
+# the same value since they both use port 2048.
+#
+#Default:
+# wccp_incoming_address 0.0.0.0
+# wccp_outgoing_address 255.255.255.255
+
+
+# DELAY POOL PARAMETERS (all require DELAY_POOLS compilation option)
+# -----------------------------------------------------------------------------
+
+# TAG: delay_pools
+# This represents the number of delay pools to be used. For example,
+# if you have one class 2 delay pool and one class 3 delays pool, you
+# have a total of 2 delay pools.
+#
+# To enable this option, you must use --enable-delay-pools with the
+# configure script.
+#
+#Default:
+# delay_pools 0
+
+# TAG: delay_class
+# This defines the class of each delay pool. There must be exactly one
+# delay_class line for each delay pool. For example, to define two
+# delay pools, one of class 2 and one of class 3, the settings above
+# and here would be:
+#
+#Example:
+# delay_pools 2 # 2 delay pools
+# delay_class 1 2 # pool 1 is a class 2 pool
+# delay_class 2 3 # pool 2 is a class 3 pool
+#
+# The delay pool classes are:
+#
+# class 1 Everything is limited by a single aggregate
+# bucket.
+#
+# class 2 Everything is limited by a single aggregate
+# bucket as well as an "individual" bucket chosen
+# from bits 25 through 32 of the IP address.
+#
+# class 3 Everything is limited by a single aggregate
+# bucket as well as a "network" bucket chosen
+# from bits 17 through 24 of the IP address and a
+# "individual" bucket chosen from bits 17 through
+# 32 of the IP address. 
+#
+# NOTE: If an IP address is a.b.c.d
+# -> bits 25 through 32 are "d"
+# -> bits 17 through 24 are "c"
+# -> bits 17 through 32 are "c * 256 + d"
+#
+#Default:
+# none
+
+# TAG: delay_access
+# This is used to determine which delay pool a request falls into.
+# The first matched delay pool is always used, i.e., if a request falls
+# into delay pool number one, no more delay are checked, otherwise the
+# rest are checked in order of their delay pool number until they have
+# all been checked. For example, if you want some_big_clients in delay
+# pool 1 and lotsa_little_clients in delay pool 2:
+#
+#Example:
+# delay_access 1 allow some_big_clients
+# delay_access 1 deny all
+# delay_access 2 allow lotsa_little_clients
+# delay_access 2 deny all
+#
+#Default:
+# none
+
+# TAG: delay_parameters
+# This defines the parameters for a delay pool. Each delay pool has
+# a number of "buckets" associated with it, as explained in the
+# description of delay_class. For a class 1 delay pool, the syntax is:
+#
+#delay_parameters pool aggregate
+#
+# For a class 2 delay pool:
+#
+#delay_parameters pool aggregate individual
+#
+# For a class 3 delay pool:
+#
+#delay_parameters pool aggregate network individual
+#
+# The variables here are:
+#
+# pool a pool number - ie, a number between 1 and the
+# number specified in delay_pools as used in
+# delay_class lines.
+#
+# aggregate the "delay parameters" for the aggregate bucket
+# (class 1, 2, 3).
+#
+# individual the "delay parameters" for the individual
+# buckets (class 2, 3).
+#
+# network the "delay parameters" for the network buckets
+# (class 3).
+#
+# A pair of delay parameters is written restore/maximum, where restore is
+# the number of bytes (not bits - modem and network speeds are usually
+# quoted in bits) per second placed into the bucket, and maximum is the
+# maximum number of bytes which can be in the bucket at any time. 
+#
+# For example, if delay pool number 1 is a class 2 delay pool as in the
+# above example, and is being used to strictly limit each host to 64kbps
+# (plus overheads), with no overall limit, the line is:
+#
+#delay_parameters 1 -1/-1 8000/8000
+#
+# Note that the figure -1 is used to represent "unlimited".
+#
+# And, if delay pool number 2 is a class 3 delay pool as in the above
+# example, and you want to limit it to a total of 256kbps (strict limit)
+# with each 8-bit network permitted 64kbps (strict limit) and each
+# individual host permitted 4800bps with a bucket maximum size of 64kb
+# to permit a decent web page to be downloaded at a decent speed
+# (if the network is not being limited due to overuse) but slow down
+# large downloads more significantly:
+#
+#delay_parameters 2 32000/32000 8000/8000 600/64000
+#
+# There must be one delay_parameters line for each delay pool.
+#
+#Default:
+# none
+
+# TAG: delay_initial_bucket_level (percent, 0-100)
+# The initial bucket percentage is used to determine how much is put
+# in each bucket when squid starts, is reconfigured, or first notices
+# a host accessing it (in class 2 and class 3, individual hosts and
+# networks only have buckets associated with them once they have been
+# "seen" by squid).
+#
+#Default:
+# delay_initial_bucket_level 50
+
+# TAG: incoming_icp_average
+# TAG: incoming_http_average
+# TAG: incoming_dns_average
+# TAG: min_icp_poll_cnt
+# TAG: min_dns_poll_cnt
+# TAG: min_http_poll_cnt
+# Heavy voodoo here. I can't even believe you are reading this.
+# Are you crazy? Don't even think about adjusting these unless
+# you understand the algorithms in comm_select.c first! 
+# +#Default: +# incoming_icp_average 6 +# incoming_http_average 4 +# incoming_dns_average 4 +# min_icp_poll_cnt 8 +# min_dns_poll_cnt 8 +# min_http_poll_cnt 8 + +# TAG: max_open_disk_fds +# To avoid having disk as the I/O bottleneck Squid can optionally +# bypass the on-disk cache if more than this amount of disk file +# descriptors are open. +# +# A value of 0 indicates no limit. +# +#Default: +# max_open_disk_fds 0 + +# TAG: offline_mode +# Enable this option and Squid will never try to validate cached +# objects. +# +#Default: +# offline_mode off + +# TAG: uri_whitespace +# What to do with requests that have whitespace characters in the +# URI. Options: +# +# strip: The whitespace characters are stripped out of the URL. +# This is the behavior recommended by RFC2616. +# deny: The request is denied. The user receives an "Invalid +# Request" message. +# allow: The request is allowed and the URI is not changed. The +# whitespace characters remain in the URI. Note the +# whitespace is passed to redirector processes if they +# are in use. +# encode: The request is allowed and the whitespace characters are +# encoded according to RFC1738. This could be considered +# a violation of the HTTP/1.1 +# RFC because proxies are not allowed to rewrite URI's. +# chop: The request is allowed and the URI is chopped at the +# first whitespace. This might also be considered a +# violation. +# +#Default: +# uri_whitespace strip + +# TAG: broken_posts +# A list of ACL elements which, if matched, causes Squid to send +# a extra CRLF pair after the body of a PUT/POST request. +# +# Some HTTP servers has broken implementations of PUT/POST, +# and rely on a extra CRLF pair sent by some WWW clients. +# +# Quote from RFC 2068 section 4.1 on this matter: +# +# Note: certain buggy HTTP/1.0 client implementations generate an +# extra CRLF's after a POST request. 
To restate what is explicitly +# forbidden by the BNF, an HTTP/1.1 client must not preface or follow +# a request with an extra CRLF. +# +#Example: +# acl buggy_server url_regex ^http://.... +# broken_posts allow buggy_server +# +#Default: +# none + +# TAG: mcast_miss_addr +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM option +# +# If you enable this option, every "cache miss" URL will +# be sent out on the specified multicast address. +# +# Do not enable this option unless you are are absolutely +# certain you understand what you are doing. +# +#Default: +# mcast_miss_addr 255.255.255.255 + +# TAG: mcast_miss_ttl +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_TTL option +# +# This is the time-to-live value for packets multicasted +# when multicasting off cache miss URLs is enabled. By +# default this is set to 'site scope', i.e. 16. +# +#Default: +# mcast_miss_ttl 16 + +# TAG: mcast_miss_port +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM option +# +# This is the port number to be used in conjunction with +# 'mcast_miss_addr'. +# +#Default: +# mcast_miss_port 3135 + +# TAG: mcast_miss_encode_key +# Note: This option is only available if Squid is rebuilt with the +# -DMULTICAST_MISS_STREAM option +# +# The URLs that are sent in the multicast miss stream are +# encrypted. This is the encryption key. +# +#Default: +# mcast_miss_encode_key XXXXXXXXXXXXXXXX + +# TAG: nonhierarchical_direct +# By default, Squid will send any non-hierarchical requests +# (matching hierarchy_stoplist or not cachable request type) direct +# to origin servers. +# +# If you set this to off, then Squid will prefer to send these +# requests to parents. +# +# Note that in most configurations, by turning this off you will only +# add latency to these request without any improvement in global hit +# ratio. 
+# +# If you are inside an firewall then see never_direct instead of +# this directive. +# +#Default: +# nonhierarchical_direct on + +# TAG: prefer_direct +# Normally Squid tries to use parents for most requests. If you by some +# reason like it to first try going direct and only use a parent if +# going direct fails then set this to off. +# +# By combining nonhierarchical_direct off and prefer_direct on you +# can set up Squid to use a parent as a backup path if going direct +# fails. +# +#Default: +# prefer_direct off + +# TAG: strip_query_terms +# By default, Squid strips query terms from requested URLs before +# logging. This protects your user's privacy. +# +#Default: +# strip_query_terms on + +# TAG: coredump_dir +# By default Squid leaves core files in the first cache_dir +# directory. If you set 'coredump_dir' to a directory +# that exists, Squid will chdir() to that directory at startup +# and coredump files will be left there. +# +#Default: +# none + +# TAG: redirector_bypass +# When this is 'on', a request will not go through the +# redirector if all redirectors are busy. If this is 'off' +# and the redirector queue grows too large, Squid will exit +# with a FATAL error and ask you to increase the number of +# redirectors. You should only enable this if the redirectors +# are not critical to your caching system. If you use +# redirectors for access control, and you enable this option, +# then users may have access to pages that they should not +# be allowed to request. +# +#Default: +# redirector_bypass off + +# TAG: ignore_unknown_nameservers +# By default Squid checks that DNS responses are received +# from the same IP addresses that they are sent to. If they +# don't match, Squid ignores the response and writes a warning +# message to cache.log. You can allow responses from unknown +# nameservers by setting this option to 'off'. 
+# +#Default: +# ignore_unknown_nameservers on + +# TAG: digest_generation +# Note: This option is only available if Squid is rebuilt with the +# --enable-cache-digests option +# +# This controls whether the server will generate a Cache Digest +# of its contents. By default, Cache Digest generation is +# enabled if Squid is compiled with USE_CACHE_DIGESTS defined. +# +#Default: +# digest_generation on + +# TAG: digest_bits_per_entry +# Note: This option is only available if Squid is rebuilt with the +# --enable-cache-digests option +# +# This is the number of bits of the server's Cache Digest which +# will be associated with the Digest entry for a given HTTP +# Method and URL (public key) combination. The default is 5. +# +#Default: +# digest_bits_per_entry 5 + +# TAG: digest_rebuild_period (seconds) +# Note: This option is only available if Squid is rebuilt with the +# --enable-cache-digests option +# +# This is the number of seconds between Cache Digest rebuilds. +# +#Default: +# digest_rebuild_period 1 hour + +# TAG: digest_rewrite_period (seconds) +# Note: This option is only available if Squid is rebuilt with the +# --enable-cache-digests option +# +# This is the number of seconds between Cache Digest writes to +# disk. +# +#Default: +# digest_rewrite_period 1 hour + +# TAG: digest_swapout_chunk_size (bytes) +# Note: This option is only available if Squid is rebuilt with the +# --enable-cache-digests option +# +# This is the number of bytes of the Cache Digest to write to +# disk at a time. It defaults to 4096 bytes (4KB), the Squid +# default swap page. +# +#Default: +# digest_swapout_chunk_size 4096 bytes + +# TAG: digest_rebuild_chunk_percentage (percent, 0-100) +# Note: This option is only available if Squid is rebuilt with the +# --enable-cache-digests option +# +# This is the percentage of the Cache Digest to be scanned at a +# time. By default it is set to 10% of the Cache Digest. 
+# +#Default: +# digest_rebuild_chunk_percentage 10 + +# TAG: chroot +# Use this to have Squid do a chroot() while initializing. This +# also causes Squid to fully drop root privileges after +# initializing. This means, for example, that if you use a HTTP +# port less than 1024 and try to reconfigure, you will get an +# error. +# +#Default: +# none + +# TAG: client_persistent_connections +# TAG: server_persistent_connections +# Persistent connection support for clients and servers. By +# default, Squid uses persistent connections (when allowed) +# with its clients and servers. You can use these options to +# disable persistent connections with clients and/or servers. +# +#Default: +# client_persistent_connections on +# server_persistent_connections on + +# TAG: pipeline_prefetch +# To boost the performance of pipelined requests to closer +# match that of a non-proxied environment Squid tries to fetch +# up to two requests in parallell from a pipeline. +# +#Default: +# pipeline_prefetch on + +# TAG: extension_methods +# Squid only knows about standardized HTTP request methods. +# You can add up to 20 additional "extension" methods here. +# +#Default: +# none + +# TAG: high_response_time_warning (msec) +# If the one-minute median response time exceeds this value, +# Squid prints a WARNING with debug level 0 to get the +# administrators attention. The value is in milliseconds. +# +#Default: +# high_response_time_warning 0 + +# TAG: high_page_fault_warning +# If the one-minute average page fault rate exceeds this +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. The value is in page faults +# per second. +# +#Default: +# high_page_fault_warning 0 + +# TAG: high_memory_warning +# If the memory usage (as determined by mallinfo) exceeds +# value, Squid prints a WARNING with debug level 0 to get +# the administrators attention. 
+# +#Default: +# high_memory_warning 0 + +# TAG: store_dir_select_algorithm +# Set this to 'round-robin' as an alternative. +# +#Default: +# store_dir_select_algorithm least-load + +# TAG: forward_log +# Note: This option is only available if Squid is rebuilt with the +# -DWIP_FWD_LOG option +# +# Logs the server-side requests. +# +# This is currently work in progress. +# +#Default: +# none + +# TAG: ie_refresh on|off +# Microsoft Internet Explorer up until version 5.5 Service +# Pack 1 has an issue with transparent proxies, wherein it +# is impossible to force a refresh. Turning this on provides +# a partial fix to the problem, by causing all IMS-REFRESH +# requests from older IE versions to check the origin server +# for fresh content. This reduces hit ratio by some amount +# (~10% in my experience), but allows users to actually get +# fresh content when they want it. Note that because Squid +# cannot tell if the user is using 5.5 or 5.5SP1, the behavior +# of 5.5 is unchanged from old versions of Squid (i.e. a +# forced refresh is impossible). Newer versions of IE will, +# hopefully, continue to have the new behavior and will be +# handled based on that assumption. This option defaults to +# the old Squid behavior, which is better for hit ratios but +# worse for clients using IE, if they need to be able to +# force fresh content. +# +#Default: +# ie_refresh off + diff --git a/proxy_wizard/scripts/testport.sh b/proxy_wizard/scripts/testport.sh new file mode 100755 index 00000000..e800dbd5 --- /dev/null +++ b/proxy_wizard/scripts/testport.sh 
@@ -0,0 +1,47 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000,2001 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# squid wizard
+
+echo_debug $0
+
+[ -r /etc/services ] || exit 0
+
+echo_debug $wiz_squid_port
+
+# we now that we got a positive integer (uint)
+
+[ $wiz_squid_port -eq 8080 ] && exit 0
+[ $wiz_squid_port -lt 1024 ] && exit 2
+[ $wiz_squid_port -ge 65536 ] && exit 2
+
+grep -qs "[[:space:]]$wiz_squid_port/tcp" /etc/services && {
+ echo_debug "err service"
+ exit 1
+}
+echo_debug "no pb"
+exit 0
+
diff --git a/samba_wizard/scripts/check_banner.sh b/samba_wizard/scripts/check_banner.sh
new file mode 100755
index 00000000..42aed456
--- /dev/null
+++ b/samba_wizard/scripts/check_banner.sh
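Review bot: The three numeric tests on `$wiz_squid_port` are unquoted and rely on the comment's claim that the value is already a positive integer; if the variable is empty or non-numeric every `[` call errors out, none of the `&& exit` branches fires, and the script falls through to `grep` and exits 0, so an invalid port passes the check. Reject non-digit input before the comparisons with `case "$wiz_squid_port" in ''|*[!0-9]*) exit 2 ;; esac` and quote the expansions, e.g. `[ "$wiz_squid_port" -lt 1024 ] && exit 2`. The comment should also read `# we know that we got a positive integer (uint)`.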
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard samba configuration
+#
+# checking if the provided server banner is correct :
+
+
+if [ -z "${wiz_banner}" ] ;then
+ echo_debug "wiz_banner is empty, should not."
+ exit 1
+fi
+
+
+# all seems to be ok
+exit 10
+
diff --git a/samba_wizard/scripts/check_services.sh b/samba_wizard/scripts/check_services.sh
new file mode 100755
index 00000000..802bc320
--- /dev/null
+++ b/samba_wizard/scripts/check_services.sh
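Review bot: The only validation is the non-empty test, yet `wiz_banner` is later passed to smbconfig.pl and written verbatim into smb.conf as the `server string` value, so a value containing a newline would splice extra configuration lines into the file. Reject control characters here, where the input is checked: `case "${wiz_banner}" in *[![:print:]]*) echo_debug "wiz_banner contains invalid characters"; exit 1 ;; esac`. The exit codes 10 and 1 look like the wizard's pass/fail convention rather than shell status codes; a comment such as `# exit 10 = check passed, exit 1 = check failed (wizard convention)` above them would help the next reader.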
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard samba configuration
+#
+# checking if the provided services are correct :
+
+
+if [ -z "${wiz_do_file_sharing}" ] ;then
+ echo_debug "wiz_do_file_sharing is empty, should not."
+ exit 1
+fi
+
+if [ -z "${wiz_do_printer_sharing}" ] ;then
+ echo_debug "wiz_do_file_sharing is empty, should not."
+ exit 1
+fi
+
+
+# all seems to be ok
+exit 10
+
diff --git a/samba_wizard/scripts/check_workgroup.sh b/samba_wizard/scripts/check_workgroup.sh
new file mode 100755
index 00000000..db70ec8b
--- /dev/null
+++ b/samba_wizard/scripts/check_workgroup.sh
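Review bot: The second check tests `wiz_do_printer_sharing` but its message says `wiz_do_file_sharing is empty, should not.`, a copy-paste slip that will mislead whoever reads the debug log; change it to `echo_debug "wiz_do_printer_sharing is empty, should not."`. Both checks only reject empty values, while do_it_samba.sh in this same diff compares the file-sharing flag against `"true"` and the printer flag against `"enabled"`; validating each variable here against the token the wizard actually emits (I cannot tell from the diff which of the two is right) would catch the mismatch at check time instead of silently leaving a share disabled.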
@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard samba configuration
+#
+# checking if the provided server workgroup is correct :
+
+
+if [ -z "${wiz_workgroup}" ] ;then
+ echo_debug "wiz_banner is empty, should not."
+ exit 1
+fi
+
+
+# all seems to be ok
+exit 10
diff --git a/samba_wizard/scripts/do_it_samba.sh b/samba_wizard/scripts/do_it_samba.sh
new file mode 100755
index 00000000..2f3fc0be
--- /dev/null
+++ b/samba_wizard/scripts/do_it_samba.sh
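Review bot: The failure message names the wrong variable: the test is on `wiz_workgroup` but the log line says `wiz_banner is empty, should not.`; change it to `echo_debug "wiz_workgroup is empty, should not."`. As with the banner, this value reaches smb.conf unescaped through smbconfig.pl's `--set-workgroup`, so a newline in it would inject further directives or a new section; restricting it to a safe character set at the check, `case "${wiz_workgroup}" in *[!0-9a-zA-Z._-]*) echo_debug "invalid characters in workgroup"; exit 1 ;; esac`, keeps the validation next to the input.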
@@ -0,0 +1,80 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+#
+# set up the config for samba
+# assuming all dependencies are ok
+
+file=/etc/sysconfig/mdk_serv
+
+# store the variables
+
+chg_val ${file} wiz_banner ${wiz_banner} s
+chg_val ${file} wiz_workgroup ${wiz_workgroup} s
+chg_val ${file} wiz_do_printer_sharing ${wiz_do_printer_sharing} s
+chg_val ${file} wiz_do_file_sharing ${wiz_do_file_sharing} s
+
+
+ip=`get_var wiz_ip_net`
+
+
+echo_debug "printer ${wiz_do_printer_sharing}"
+echo_debug "file share ${wiz_do_file_sharing}"
+echo_debug "banner ${wiz_banner}"
+echo_debug "workgr ${wiz_workgroup}"
+
+
+# samba configuration file
+config="/etc/samba/smb.conf"
+if [ ! -f ${config} ]; then
+ echo_debug "no smb.conf configuration file found ! exiting."
+ exit 2
+fi
+
+bck_file ${config}
+
+cat ${CWD}/scripts/smb.conf.default > ${config}
+
+${CWD}/scripts/smbconfig.pl --set-hosts-allow="${ip%.*}. 127." \
+--set-workgroup="${wiz_workgroup}" --set-banner="${wiz_banner}"
+
+if [ "${wiz_do_file_sharing}" == "true" ]; then
+ echo_debug "enabling file sharing"
+ ${CWD}/scripts/smbconfig.pl --remove-homes --enable-public --set-security-share
+fi
+
+if [ "${wiz_do_printer_sharing}" == "enabled" ]; then
+ echo_debug "enabling printer access"
+ ${CWD}/scripts/smbconfig.pl --enable-printer-access
+fi
+
+
+echo_debug "restarting service smb"
+# restarting service
+#/etc/rc.d/init.d/smb restart >/dev/null 2>&1
+
+
+# exiting ok
+exit 1
diff --git a/samba_wizard/scripts/smbconfig.pl b/samba_wizard/scripts/smbconfig.pl
new file mode 100755
index 00000000..bee6d7a8
--- /dev/null
+++ b/samba_wizard/scripts/smbconfig.pl
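Review bot: The four `chg_val` calls pass `${wiz_banner}` and the other values unquoted, so a banner containing spaces (the normal case for a server string) is split into several arguments and the trailing `s` type marker lands in the wrong position; quote them, `chg_val ${file} wiz_banner "${wiz_banner}" s`, and likewise for the other three. The two feature flags are compared against different tokens, `"true"` for file sharing and `"enabled"` for printer sharing, which suggests one of them is wrong; I cannot tell from the diff which value the wizard stores. A comment above `exit 1` stating that 1 is the wizard's success code would avoid the obvious misreading, and the commented-out `smb restart` should either be re-enabled or explained, since without it the rewritten smb.conf is not applied.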
@@ -0,0 +1,232 @@
+#!/usr/bin/perl -w
+#
+# smbconfig by Guillaume Cottenceau <gc@mandrakesoft.com>
+#
+# Copyright (c) 2000 by Mandrakesoft
+#
+# Permission to use, copy, modify, and distribute this software and its
+# documentation under the terms of the GNU General Public License is hereby
+# granted. No representations are made about the suitability of this software
+# for any purpose. It is provided "as is" without express or implied warranty.
+# See the GNU General Public License for more details.
+
+$program_name = "smbconfig";
+$version = "0.1.3";
+
+$debug_printings = 0;
+
+
+sub debug_print
+{
+ $debug_printings && print "[DEBUG] ".$_[0];
+}
+
+sub debug_print2
+{
+ $debug_printings && print $_[0];
+}
+
+
+sub fail
+{
+ die "Exiting on failure.\n";
+}
+
+
+sub fail_with_message
+{
+ print $_[0];
+ fail();
+}
+
+
+@options = ( [ "--debug", "\t\tadditional debug printings", \$debug_printings ] );
+
+@modes = ( [ "--help", "\t\tthis help screen", \&show_options ],
+ [ "--set-security-share", "setup security = share, very useful because we would need otherwise smbpasswd", \&set_security_share ],
+ [ "--set-hosts-allow=<..>", "setup which hosts are allowed to access; for example \"192.168.1. 127.\"", \&set_hosts_allow ],
+ [ "--set-workgroup=<name>", "setup workgroup name", \&set_workgroup ],
+ [ "--set-banner=<name>", "setup the \"server string\" banner of this smb server", \&set_banner ],
+ [ "--remove-homes", "\tremove the default [homes] share (which needs the security=user)", \&remove_homes ],
+ [ "--enable-public", "\tenable read-write share \"public\" at /home/local/samba-public", \&enable_corpo_public ],
+ [ "--enable-printer-access", "setup access to printers of this machine", \&set_printer_access ] );
+
+
+
+sub read_conf
+{
+ open(FH, "+< /etc/samba/smb.conf") or fail_with_message("Could not open /etc/samba/smb.conf\n");
+ @conf = <FH> or fail_with_message("Could not read /etc/samba/smb.conf\n");
+ debug_print("/etc/samba/smb.conf read, #lines=".$#conf."\n");
+}
+
+sub write_conf
+{
+ debug_print("Will write /etc/samba/smb.conf, #lines=".$#conf."\n");
+ seek(FH, 0, 0) or fail_with_message("Could not seek in /etc/samba/smb.conf\n");
+ print FH @conf or fail_with_message("Could not write /etc/samba/smb.conf\n");
+ truncate(FH, tell(FH)) or fail_with_message("Could not truncate /etc/samba/smb.conf\n");
+ close(FH) or fail_with_message("Could not close /etc/samba/smb.conf\n");
+}
+
+# set_parameter: section param value
+sub set_parameter
+{
+ my $section = $_[0]; my $param = $_[1]; my $value = $_[2];
+ debug_print("Attempt to find section \"$section\", parameter \"$param\", and setup to \"$value\"\n");
+ my $i = 0;
+ ($i++ && (lc($_) =~ /^\s*\[$section\]/) && last) foreach (@conf);
+ while (1)
+ {
+ ($i < $#conf) or ($conf[$i] = "$conf[$i]\n\n\t$param = $value") and last;
+ ($conf[$i] =~ /^\s*\[\S+\]/) && ($conf[$i] = "\t$param = $value\n\n$conf[$i]") && last;
+ ($conf[$i] =~ /^\s*$param\s*=/) && ($conf[$i] = "\t$param = $value\n") && last;
+ $i++;
+ }
+}
+
+sub enable_corpo_public
+{
+ system("mkdir -p /home/local/samba-public") && fail_with_message("Could not create public dir. Probably run as non-root..\n");
+ system("chown nobody /home/local/samba-public") && fail_with_message("Could not chown public dir to nobody. Requests admin help.\n");
+ my $i = 0;
+ ($i++ && (lc($_) =~ /^\s*\[public\]/) && fail_with_message("An active [public] section has been found in /etc/samba/smb.conf at line $i\n")) foreach (@conf);
+ push(@conf, ( "$banner"."[public]\n\tcomment = Public space with read-write access\n\tpath = /home/local/samba-public\n\tguest ok = yes\n\twriteable = yes\n" ));
+ $did_something = 1;
+}
+
+
+sub set_workgroup
+{
+ set_parameter("global", "workgroup", $_[0]);
+ $did_something = 1;
+}
+
+sub set_banner
+{
+ set_parameter("global", "server string", $_[0]);
+ $did_something = 1;
+}
+
+sub set_security_share
+{
+ set_parameter("global", "security", "share");
+ $did_something = 1;
+}
+
+sub set_hosts_allow
+{
+ set_parameter("global", "hosts allow", $_[0]);
+ $did_something = 1;
+}
+
+
+sub set_printer_access
+{
+ my $i = 0; my $found = 0;
+ # look for default section "printers"
+ ($i++ && (lc($_) =~ /^\s*\[printers\]/) && ($found = 1) && last) foreach (@conf);
+ ($found) && debug_print("Printer section found at line $i\n");
+ if ($found == 1)
+ {
+ $conf[$i-1] = ";".$conf[$i-1];
+ while ($i <= $#conf)
+ {
+ (($conf[$i] =~ /^\s*\[\S+\]/) && last) || ($conf[$i] = ";".$conf[$i]);
+ $i++;
+ }
+ debug_print("End of printer section at line $i\n");
+ }
+ push(@conf, ( "$banner"."[printers]\n\tcomment = All Printers\n\tpath = /var/spool/samba\n\tbrowseable = no\n\tguest ok = yes\n\twritable = no\n\tprintable = yes\n" ));
+ $did_something = 1;
+}
+
+sub remove_homes
+{
+ my $i = 0; my $found = 0;
+ # look for default section "printers"
+ ($i++ && (lc($_) =~ /^\s*\[homes\]/) && ($found = 1) && last) foreach (@conf);
+ ($found) && debug_print("[homes] section found at line $i\n");
+ if ($found == 1)
+ {
+ $conf[$i-1] = ";".$conf[$i-1];
+ while ($i <= $#conf)
+ {
+ (($conf[$i] =~ /^\s*\[\S+\]/) && last) || ($conf[$i] = ";".$conf[$i]);
+ $i++;
+ }
+ debug_print("End of [homes] section at line $i\n");
+ }
+ $did_something = 1;
+}
+
+
+sub show_options
+{
+ print "$program_name v$version helps auto-config of Samba.\n\n";
+
+ print "mode:\n";
+ print "\t".$_->[0]."\t\t".$_->[1]."\n" foreach (@modes);
+ print "options:\n";
+ print "\t".$_->[0]."\t\t".$_->[1]."\n" foreach (@options);
+ print "\n";
+ $did_something = 1;
+}
+
+
+sub arg_without_value
+{
+ $_[0] =~ /([^=]*)/;
+ return $1;
+}
+
+sub arg_value
+{
+ $_[0] =~ /([^=]*)=(.*)/;
+ return $2;
+}
+
+# Disable file buffering [to display strings on the tty even when no trailing \n is added]
+$| = 1;
+
+$date = `date`; chop $date;
+$host = `hostname`; chop $host;
+$banner = "\n### Autogenerated by $program_name at $date on host $host\n";
+
+$did_something = 0;
+
+
+foreach $arg (@ARGV)
+{
+ (($arg eq $_->[0]) && (${$_->[2]} = 1)) foreach (@options)
+}
+
+
+read_conf();
+
+foreach $arg (@ARGV)
+{
+ ((arg_without_value($arg) eq arg_without_value($_->[0])) && &{$_->[2]}(arg_value($arg))) foreach (@modes)
+}
+
+
+($did_something && write_conf()) || show_options();
+
+
+
+# Changelog
+#
+# 0.1.3
+# remove smb.conf end of file bug
+#
+# 0.1.2
+# added parameter support: hosts allow
+#
+# 0.1.1
+# added parameter support: server string
+# support multiple parameter sets at same time
+# added parameter support: security = share
+# added remove homes
+#
+# 0.1.0
+# first version with configure for printers, public, workgroup
diff --git a/server_wizard/scripts/check_config.sh b/server_wizard/scripts/check_config.sh
new file mode 100755
index 00000000..f44bd42c
--- /dev/null
+++ b/server_wizard/scripts/check_config.sh
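Review bot: `set_parameter` writes `$value` into smb.conf without any validation, and it is fed by the wizard-supplied `--set-banner`, `--set-workgroup` and `--set-hosts-allow` arguments; a value containing a newline becomes additional configuration lines (including a fresh `[section]`), and `$section` and `$param` are interpolated unescaped into the two match regexes. Refuse such values at the top of `set_parameter`, `($value =~ /[\r\n]/) and fail_with_message("Refusing value with line break for $param\n");`, and write the patterns with `\Q$section\E` and `\Q$param\E`. The script runs with only `-w` and no `use strict;`, which is why `$banner`, `@conf` and `$did_something` can be reached as undeclared globals from every sub. Separately, the `($i++ && ...) foreach (@conf)` idiom never examines `$conf[0]`, because the first `$i++` evaluates to 0 and short-circuits, so a section header on the very first line of smb.conf is missed.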
@@ -0,0 +1,50 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# checking if the provided domain value is correct :
+# strip the @, need at least a dot
+
+echo_debug "$(date) begin $0"
+
+fic=/etc/sysconfig/mdk_serv
+if [ ! -f "$fic" ] ;then
+ . /etc/sysconfig/network
+ echo_debug "${HOSTNAME}"
+ echo_debug "${DOMAINNAME}"
+ echo -e "\
+# mdk server basic info $(date)\n\
+mdk_serv_version=1.0\n\
+wiz_device=eth0\n\
+wiz_host_name=${HOSTNAME}\n\
+wiz_domain_name=${DOMAINNAME}\n\
+" > ${fic}
+
+fi
+ echo_debug "${wiz_device}"
+ echo_debug "${wiz_host_name}"
+ echo_debug "${wiz_domain_name}"
+exit 1
diff --git a/server_wizard/scripts/check_domain.sh b/server_wizard/scripts/check_domain.sh
new file mode 100755
index 00000000..4575b069
--- /dev/null
+++ b/server_wizard/scripts/check_domain.sh
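Review bot: The header comment (`checking if the provided domain value is correct : strip the @, need at least a dot`) is copied from check_domain.sh and does not describe this script, which creates `/etc/sysconfig/mdk_serv` from `/etc/sysconfig/network` when it is missing; replace it with `# create /etc/sysconfig/mdk_serv (wizard state file) from /etc/sysconfig/network when it does not exist yet`. The `echo -e` block interpolates `${HOSTNAME}` and `${DOMAINNAME}` straight into a `key=value` file that looks shell-sourced; how mdk_serv is read back is not visible here, but if it is ever sourced, values with shell metacharacters would be evaluated, so a guard such as `case "${HOSTNAME}${DOMAINNAME}" in *[!0-9a-zA-Z._-]*) exit 1 ;; esac` before the write is worth considering. The trailing `exit 1` appears to be the wizard's success code and should say so in a comment.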
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# checking if the provided domain value is correct :
+# strip the @, need at least a dot
+
+echo_debug "$(date) begin $0"
+
+if [ -z "${wiz_host_name}" ] ;then
+ echo_debug "wiz_host_name is empty, should not."
+ exit 1
+fi
+
+
+test=`echo ${wiz_host_name##*@} |sed -e 's/[^0-9a-zA-Z-\.]//g'|sed -n -e's/^[^.]*\.\(.*\)$/\1/p'|grep "\."`
+
+htest=`echo ${wiz_host_name##*@} |sed -e 's/[^0-9a-zA-Z-\.]//g'|sed -n -e's/^\([^.]*\)\..*$/\1/p'`
+
+echo_debug "test of host : ${htest}"
+
+if [ -z "${htest}" ] ;then
+ echo_debug "host empty, should not."
+ exit 1
+fi
+
+echo_debug "test of domain : ${test}"
+
+if [ -z "${test}" ] ;then
+ echo_debug "domain empty, should not."
+ exit 1
+fi
+
+# all seems to be ok
+exit 10
+
diff --git a/server_wizard/scripts/check_network.sh b/server_wizard/scripts/check_network.sh
new file mode 100755
index 00000000..6533dbb6
--- /dev/null
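Review bot: The sanitised values `test` and `htest` are only checked for emptiness, so the script never fails when ${wiz_host_name} contains characters the sed filter strips; a name such as `host;x.example.org` passes, and it is the raw, unfiltered ${wiz_host_name} that do_it_net.sh later writes into /etc/sysconfig/network and /etc/hosts and hands to `hostname`. Rejecting any input the filter had to alter closes that gap, e.g. `[ "${wiz_host_name##*@}" = "$(echo "${wiz_host_name##*@}" | sed -e 's/[^0-9a-zA-Z-\.]//g')" ] || exit 1` placed before the existing tests. Quoting `"${wiz_host_name##*@}"` in both echo commands also stops the shell from glob-expanding a value containing `*` or `?`.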
+++ b/server_wizard/scripts/check_network.sh
@@ -0,0 +1,55 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# assuming :
+# - C class network, mask 255.255.255.0
+#
+# checking if the provided network address is correct
+
+echo_debug "$(date) begin $0"
+# ip is tested as ip=a.b.c.d
+
+a=`echo ${wiz_ip_net}|sed -n -e 's/^\([0-9]\{1,3\}\)\..*$/\1/p'`
+b=`echo ${wiz_ip_net}|sed -n -e 's/^[0-9]\{1,3\}\.\([0-9]\{1,3\}\)\..*$/\1/p'`
+c=`echo ${wiz_ip_net}|sed -n -e 's/^[0-9]\{1,3\}\.[0-9]\{1,3\}\.\([0-9]\{1,3\}\)\..*$/\1/p'`
+d=`echo ${wiz_ip_net}|sed -n -e 's/^.*\.\([0-9]\{1,3\}\)$/\1/p'`
+
+echo_debug "ip -$a-$b-$c-$d-"
+
+if [ -z "$a" -o -z "$b" -o -z "$c" -o -z "$d" ]; then
+ echo_debug "incomplete ip"
+ exit 1
+fi
+
+if [ $a -gt 255 -o $b -gt 255 -o $c -gt 255 -o $d -ne 0 ]; then
+ echo_debug "not a network ip"
+ exit 1
+fi
+
+
+# all seems to be ok
+exit 10
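Review bot: The four independent sed extractions do not require the address to have exactly four octets: for `10.0.0.0.0` they yield a=10, b=0, c=0 (the third field) and d=0 (the last field), every test passes and the script reports success for a string that is not a dotted quad. A single anchored check of the whole value before the extractions, `echo "${wiz_ip_net}" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || { echo_debug "incomplete ip"; exit 1; }`, rejects such input and makes the later per-octet tests only about range. Each `echo ${wiz_ip_net}` is also unquoted, so a value containing `*` or `?` is glob-expanded before sed sees it; quoting it is cheap.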
diff --git a/server_wizard/scripts/check_server_ip.sh b/server_wizard/scripts/check_server_ip.sh
new file mode 100755
index 00000000..1b98fee0
--- /dev/null
+++ b/server_wizard/scripts/check_server_ip.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# assuming :
+# - C class network, mask 255.255.255.0
+#
+# checking if the provided server address is correct (belongs to network...)
+
+echo_debug "$(date) begin $0"
+#truncating addresses
+n_trunc=${wiz_ip_net%.*}
+s_trunc=${wiz_ip_server%.*}
+d=${wiz_ip_server##*.}
+
+
+echo_debug "_${wiz_ip_net}_ _${wiz_ip_server}_ ${s_trunc} $d"
+
+if [ -z "${s_trunc}" ]; then
+ echo_debug "incorrect address"
+ exit 1
+fi
+
+if [ "${s_trunc}" != "${n_trunc}" ]; then
+ echo_debug "server not in network"
+ exit 1
+fi
+
+if [ -z "$d" ]; then
+ echo_debug "not a server ip"
+ exit 1
+fi
+
+if [ $d -gt 254 -o $d -lt 1 ]; then
+ echo_debug "not a server ip"
+ exit 1
+fi
+
+
+# all seems to be ok
+exit 10
+
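Review bot: The range test `[ $d -gt 254 -o $d -lt 1 ]` is reached with `d` never validated as a number: it is simply the text after the last dot of ${wiz_ip_server}, so for a value like `192.168.1.1x` the `[` builtin reports "integer expression expected", returns a non-zero status, the `if` body is skipped, and the script falls through to `exit 10`, accepting the address. A digits-only check before that test, `case "$d" in ''|*[!0-9]*) echo_debug "not a server ip"; exit 1;; esac`, closes the gap (the preceding `-z "$d"` test then becomes redundant). Quoting `"$d"` in the numeric comparison also avoids a `[` syntax error when the value contains whitespace.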
diff --git a/server_wizard/scripts/compute_domain.sh b/server_wizard/scripts/compute_domain.sh
new file mode 100755
index 00000000..18bf2b76
--- /dev/null
+++ b/server_wizard/scripts/compute_domain.sh
@@ -0,0 +1,38 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# return on stdout the domain name (computed from hostname)
+
+echo_debug "$(date) begin $0"
+test=`echo ${wiz_host_name##*@}|sed -e 's/[^0-9a-zA-Z-\.]//g'|sed -n -e's/^[^.]*\.\(.*\)$/\1/p'`
+
+echo_debug "computed domain: ${test}"
+
+echo ${test}
+
+exit 0
+
diff --git a/server_wizard/scripts/compute_ipnet.sh b/server_wizard/scripts/compute_ipnet.sh
new file mode 100755
index 00000000..98387e58
--- /dev/null
+++ b/server_wizard/scripts/compute_ipnet.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# return on stdout the default value for server ip address
+
+echo_debug "$(date) begin $0"
+echo_debug "$wiz_device"
+
+nfile="/etc/sysconfig/network-scripts/ifcfg-${wiz_device}"
+t=`get_val ${nfile} NETWORK`
+if [ -z "$t" ]; then
+ echo ${wiz_ip_net}
+else
+ echo "$t"
+fi
+
+echo_debug "net adr : ${t}"
+
+exit 0
+
diff --git a/server_wizard/scripts/compute_server_ip.sh b/server_wizard/scripts/compute_server_ip.sh
new file mode 100755
index 00000000..c16c9a80
--- /dev/null
+++ b/server_wizard/scripts/compute_server_ip.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# return on stdout the default value for server ip address
+
+echo_debug "$(date) begin $0"
+
+adr="${wiz_ip_net%.*}.1"
+
+echo_debug "serv adr : ${adr}"
+
+echo ${adr}
+
+exit 0
+
diff --git a/server_wizard/scripts/do_it_last.sh b/server_wizard/scripts/do_it_last.sh
new file mode 100755
index 00000000..479be201
--- /dev/null
+++ b/server_wizard/scripts/do_it_last.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard network configuration
+#
+# restarting all services
+
+# putting a few infos in /etc/sysconfig/mdk_serv file
+
+echo_debug "$(date) begin $0"
+fic=/etc/sysconfig/mdk_serv
+
+bck_file ${fic}
+
+echo_debug "saving server basic info"
+
+echo -e "\
+# mdk server basic info $(date)\n\
+mdk_serv_version=1.0\n\
+wiz_device=${wiz_device}\n\
+wiz_host_name=${wiz_host_name}\n\
+wiz_domain_name=${wiz_domain_name}\n\
+" > ${fic}
+
+
+# all is ok
+exit 10
diff --git a/server_wizard/scripts/do_it_net.sh b/server_wizard/scripts/do_it_net.sh
new file mode 100755
index 00000000..839dda54
--- /dev/null
+++ b/server_wizard/scripts/do_it_net.sh
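Review bot: The header comment says `# restarting all services`, but nothing in this script restarts anything; the only work is backing up /etc/sysconfig/mdk_serv and rewriting it with five key=value lines, and the network restart lives in do_it_net.sh, which calls this script. Replace the line with `# save the wizard's network settings (device, host and domain name) to /etc/sysconfig/mdk_serv` so the comment matches the body. It is also worth a one-line comment before `echo -e` noting that the whole file is overwritten, since set_ip.sh updates the same file with chg_val and a reader may expect other keys to survive.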
@@ -0,0 +1,207 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard network configuration
+#
+# install default for network
+# change files :
+# /etc/sysconfig/network
+# /etc/sysconfig/network-cripts/ifcfg-ethx
+# /etc/hosts
+# /etc/HOSTNAME
+#
+
+echo_debug "$(date) begin $0"
+
+if [ ! -f /etc/sysconfig/network ]; then
+ [ -d /etc/sysconfig ] || exit 1
+ echo_debug "warning, no network file"
+ echo "# warning, this file was not create during install $(date)"\
+ > /etc/sysconfig/network
+fi
+
+bck_file /etc/sysconfig/network
+
+# first loading values
+. /etc/sysconfig/network
+
+# default value for netmask
+export wiz_ip_netmask=255.255.255.0
+
+# configuring /etc/sysconfig/network
+
+if [ "${FORWARD_IPV4}" = "false" ]; then
+ echo_debug "putting FORWARD_IPV4 to \"yes\""
+ chg_val /etc/sysconfig/network FORWARD_IPV4 yes
+fi
+
+if [ "${HOSTNAME}" != "${wiz_host_name}" ]; then
+ echo_debug "changing hostname from ${HOSTNAME} to ${wiz_host_name}"
+ chg_val /etc/sysconfig/network HOSTNAME ${wiz_host_name}
+fi
+
+if [ "${DOMAINNAME}" != "${wiz_domain_name}" ]; then
+ echo_debug "changing domain name from ${DOMAINNAME} to ${wiz_domain_name}"
+ chg_val /etc/sysconfig/network DOMAINNAME ${wiz_domain_name}
+fi
+
+if [ "${NETWORKING}" != "yes" ]; then
+ echo_debug "WARNING, NETWORKING was ${NETWORKING}"
+ chg_val /etc/sysconfig/network NETWORKING yes
+fi
+
+if [ "${GATEWAYDEV}" != "${wiz_extn_device}" ]; then
+ echo_debug "changing GATEWAYDEV name from ${GATEWAYDEV} to ${wiz_extn_device}"
+ chg_val /etc/sysconfig/network GATEWAYDEV ${wiz_extn_device}
+fi
+
+if [ "${GATEWAY}" != "${wiz_extn_gateway}" ]; then
+ echo_debug "changing GATEWAY name from ${GATEWAY} to ${wiz_extn_gateway}"
+ chg_val /etc/sysconfig/network GATEWAY ${wiz_extn_gateway}
+fi
+
+
+# now reloading
+echo_debug "reloading net params"
+. /etc/sysconfig/network
+
+# configuring /etc/sysconfig/network-scripts/.
+file="/etc/sysconfig/network-scripts/ifcfg-${wiz_device}"
+
+if [ -f ${file} ]; then
+ echo_debug "WARNING ${file} already exists, saved."
+ bck_file ${file}
+ oldip=`get_val ${file} IPADDR`
+else
+ oldip=""
+ touch ${file}
+fi
+
+
+echo_debug "starting chg_val sequence"
+
+chg_val ${file} DEVICE "${wiz_device}"
+chg_val ${file} BOOTPROTO none
+chg_val ${file} IPADDR "${wiz_ip_server}"
+# by default, just accept ../24 network :
+chg_val ${file} NETMASK "${wiz_ip_netmask}"
+chg_val ${file} NETWORK "${wiz_ip_net}"
+chg_val ${file} BROADCAST "${wiz_ip_net%.*}.255"
+chg_val ${file} ONBOOT yes
+chg_val ${file} IPXNETNUM_802_2 ""
+chg_val ${file} IPXPRIMARY_802_2 no
+chg_val ${file} IPXACTIVE_802_2 no
+chg_val ${file} IPXNETNUM_802_3 ""
+chg_val ${file} IPXPRIMARY_802_3 no
+chg_val ${file} IPXACTIVE_802_3 no
+chg_val ${file} IPXNETNUM_ETHERII ""
+chg_val ${file} IPXPRIMARY_ETHERII no
+chg_val ${file} IPXACTIVE_ETHERII no
+chg_val ${file} IPXNETNUM_SNAP ""
+chg_val ${file} IPXPRIMARY_SNAP no
+chg_val ${file} IPXACTIVE_SNAP no
+
+echo_debug "chg_val sequence ended"
+
+#loading new values
+. ${file}
+
+
+# now setup of /etc/hosts
+#
+# <warning> all this assumes that ip address of server is hard coded
+# in /etc/hosts, which may be wrong in some situations
+#
+
+
+
+# first, storing new hostname (/etc/sysconfig/network has been reloaded)
+bck_file /etc/HOSTNAME
+echo ${HOSTNAME} > /etc/HOSTNAME
+hostname ${HOSTNAME}
+echo_debug "done hostname"
+
+hostalias=`echo ${HOSTNAME} |sed -e 's|^\([^.]*\)\..*$|\1|'`
+
+# replacing . by \. for use in sed command
+chgipaddr=`echo ${IPADDR} |sed -e 's/\./\\./g'`
+
+TMPFILE=`mktemp /tmp/temp.XXXXXX` || exit 1
+TMPFIL2=`mktemp /tmp/temp.XXXXXX` || exit 1
+cat /etc/hosts > ${TMPFILE}
+bck_file /etc/hosts
+#cp -f /etc/hosts /var/tmp/wiz_bck/orig/
+
+cat ${TMPFILE}|sed -e '/^[[:space:]]*'"${chgipaddr}"'[[:space:]]\{1,\}.*$/{
+i \
+# removed by mdk_serv script on '"$(date)"'
+s//#&/
+a \
+'"${IPADDR} ${HOSTNAME} ${hostalias}"'
+}
+' > ${TMPFIL2}
+
+if [ -z "`grep -E "^[[:space:]]*${chipaddr}[[:space:]]+" ${TMPFIL2}`" ]; then
+ echo "${IPADDR} ${HOSTNAME} ${hostalias}" >> ${TMPFIL2}
+fi
+
+
+
+if [ -n "${oldip}" -a "${oldip}" != "${IPADDR}" ]; then
+ chgoldip=`echo ${oldip} |sed -e 's/\./\\./g'`
+ cat ${TMPFIL2}|sed -e '/^[[:space:]]*'"${chgoldip}"'[[:space:]]\{1,\}.*$/{
+i \
+# removed by mdk_serv script on '"$(date)"'
+s//#&/
+}
+' > /etc/hosts
+else
+ cat ${TMPFIL2} > /etc/hosts
+fi
+
+rm -f ${TMPFIL2}
+rm -f ${TMPFILE}
+
+echo_debug "done /etc/hosts"
+
+
+
+#
+# </warning> see above
+#
+
+# storing network values in /etc/sysconfig/mdk_serv
+echo_debug "storing network values"
+${CWD}/scripts/do_it_last.sh
+
+# restarting network
+echo_debug "restarting network"
+/etc/rc.d/init.d/network stop
+/etc/rc.d/init.d/network start
+echo_debug "done restarting network"
+
+# all is ok
+exit 10
+
diff --git a/server_wizard/scripts/liste_device.sh b/server_wizard/scripts/liste_device.sh
new file mode 100755
index 00000000..0f830728
--- /dev/null
+++ b/server_wizard/scripts/liste_device.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# return on stdout the list of allowed devices for network interfaces
+
+# this script should be improved (use of detect)
+
+liste=""
+
+liste=$liste"`ifconfig -a | awk ' /^eth/ { print $1"\n"$1, $4,":",$5 } '`\n"
+
+# display only configured device
+#for i in 0 1 2 3 ;do
+# liste=${liste}"eth$i\nethernet adapter \
+# `ifconfig -a | grep eth$i| sed -n -e '1{s/.*HWaddr \(.*\)$/\1/p;}'`\n"
+
+# liste=${liste}"eth$i\neth$i \
+# `dmesg | grep eth$i| sed -n -e '1{s/^[^:]*: *\(.*\)$/\1/p;}'`\n"
+#done
+
+echo -ne "${liste}"
+
+exit 0
+
diff --git a/server_wizard/scripts/set_ip.sh b/server_wizard/scripts/set_ip.sh
new file mode 100755
index 00000000..e5787e95
--- /dev/null
+++ b/server_wizard/scripts/set_ip.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard basic network configuration
+#
+# assuming :
+# - C class network, mask 255.255.255.0
+#
+# checking if the provided network address is correct
+
+# ip is tested as ip=a.b.c.d
+
+echo_debug "$(date) begin $0"
+echo_debug "$wiz_device"
+file=/etc/sysconfig/mdk_serv
+bck_file ${file}
+chg_val ${file} wiz_device ${wiz_device}
+exit 1
diff --git a/server_wizard/scripts/test.pl b/server_wizard/scripts/test.pl
new file mode 100644
index 00000000..f1c7c1da
--- /dev/null
+++ b/server_wizard/scripts/test.pl
@@ -0,0 +1,3 @@
+use Serverconf;
+
+Serverconf::do_it();
diff --git a/server_wizard/scripts/test.sh b/server_wizard/scripts/test.sh
new file mode 100755
index 00000000..dabc4f38
--- /dev/null
+++ b/server_wizard/scripts/test.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+#if [ -n "${oldip}" -a "${oldip}" != "${IPADDR}" ]; then
+if [ -f "/etc/motd" -a "${oldip}" != "${IPADDR}" ]; then
+echo "toto\n"
+fi
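Review bot: The header comment of set_ip.sh (`# assuming : - C class network ...`, `# checking if the provided network address is correct`, `# ip is tested as ip=a.b.c.d`) is copied from check_network.sh and describes none of what this script does, which is to back up /etc/sysconfig/mdk_serv and store wiz_device in it via chg_val. Replace those lines with `# store the selected network device (wiz_device) in /etc/sysconfig/mdk_serv`. The script also ends with `exit 1`, the code the sibling check_*.sh scripts use for failure while `exit 10` means success; if the wizard treats this step differently, a comment on that line saying what the exit code means here would prevent the next reader from "fixing" it.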
\ No newline at end of file
diff --git a/web_wizard/scripts/commonhttpd.conf b/web_wizard/scripts/commonhttpd.conf
new file mode 100644
index 00000000..7a746686
--- /dev/null
+++ b/web_wizard/scripts/commonhttpd.conf
@@ -0,0 +1,765 @@
+### Common server configuration
+#
+User apache
+Group apache
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed. This address appears on some server-generated pages, such
+# as error documents.
+#
+ServerAdmin root@localhost
+
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+# DO NOT MODIFY THIS ONE, USE httpd.conf and httpd-perl.conf
+#DocumentRoot /var/www/html
+
+
+#
+# Each directory to which Apache has access, can be configured with respect
+# to which services and features are allowed and/or disabled in that
+# directory (and its subdirectories).
+#
+# First, we configure the "default" to be a very restrictive set of
+# permissions.
+#
+# Also, for security, we disable indexes globally
+#
+#<Directory />
+# Options -Indexes FollowSymLinks
+# AllowOverride None
+#</Directory>
+
+#Restricted set of options
+<Directory />
+ Options -All -Multiviews
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+
+#
+# UserDir: The name of the directory which is appended onto a user's home
+# directory if a ~user request is received.
+#
+<IfModule mod_userdir.c>
+ UserDir public_html
+</IfModule>
+
+
+#
+# DirectoryIndex: Name of the file or files to use as a pre-written HTML
+# directory index. Separate multiple entries with spaces.
+#
+<IfModule mod_dir.c>
+ DirectoryIndex index.html index.php index.php3 index.shtml index.cgi index.pl index.htm Default.htm default.htm
+</IfModule>
+
+#
+# AccessFileName: The name of the file to look for in each directory
+# for access control information.
+#
+AccessFileName .htaccess
+
+#
+# The following lines prevent .htaccess files from being viewed by
+# Web clients. Since .htaccess files often contain authorization
+# information, access is disallowed for security reasons. Comment
+# these lines out if you want Web visitors to see the contents of
+# .htaccess files. If you change the AccessFileName directive above,
+# be sure to make the corresponding changes here.
+#
+# Also, folks tend to use names such as .htpasswd for password
+# files, so this will protect those as well.
+#
+<Files ~ "^\.ht">
+ Order allow,deny
+ Deny from all
+</Files>
+
+#
+# CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each
+# document that was negotiated on the basis of content. This asks proxy
+# servers not to cache the document. Uncommenting the following line disables
+# this behavior, and proxies will be allowed to cache the documents.
+#
+#CacheNegotiatedDocs
+
+#
+# UseCanonicalName: (new for 1.3) With this setting turned on, whenever
+# Apache needs to construct a self-referencing URL (a URL that refers back
+# to the server the response is coming from) it will use ServerName and
+# Port to form a "canonical" name. With this setting off, Apache will
+# use the hostname:port that the client supplied, when possible. This
+# also affects SERVER_NAME and SERVER_PORT in CGI scripts.
+#
+UseCanonicalName On
+
+#
+# TypesConfig describes where the mime.types file (or equivalent) is
+# to be found.
+#
+<IfModule mod_mime.c>
+ TypesConfig conf/apache-mime.types
+</IfModule>
+
+#
+# DefaultType is the default MIME type the server will use for a document
+# if it cannot otherwise determine one, such as from filename extensions.
+# If your server contains mostly text or HTML documents, "text/plain" is
+# a good value. If most of your content is binary, such as applications
+# or images, you may want to use "application/octet-stream" instead to
+# keep browsers from trying to display binary files as though they are
+# text.
+#
+DefaultType text/plain
+
+#
+# The mod_mime_magic module allows the server to use various hints from the
+# contents of the file itself to determine its type. The MIMEMagicFile
+# directive tells the module where the hint definitions are located.
+# mod_mime_magic is not part of the default server (you have to add
+# it yourself with a LoadModule [see the DSO paragraph in the 'Global
+# Environment' section], or recompile the server and include mod_mime_magic
+# as part of the configuration), so it's enclosed in an <IfModule> container.
+# This means that the MIMEMagicFile directive will only be processed if the
+# module is part of the server.
+#
+<IfModule mod_mime_magic.c>
+ MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# HostnameLookups: Log the names of clients or just their IP addresses
+# e.g., www.apache.org (on) or 204.62.129.132 (off).
+# The default is off because it'd be overall better for the net if people
+# had to knowingly turn this feature on, since enabling it means that
+# each client request will result in AT LEAST one lookup request to the
+# nameserver.
+#
+HostnameLookups Off
+
+# The following directives define some format nicknames for use with
+# a CustomLog directive (see below).
+#
+LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+LogFormat "%h %l %u %t \"%r\" %>s %b" common
+LogFormat "%{Referer}i -> %U" referer
+LogFormat "%{User-agent}i" agent
+LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
+LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
+
+#
+# The location and format of the access logfile (Common Logfile Format).
+#CustomLog logs/access_log common
+
+#
+# If you would like to have agent and referer logfiles, uncomment the
+# following directives.
+#
+#CustomLog logs/referer_log referer
+#CustomLog logs/agent_log agent
+
+#
+# If you prefer a single logfile with access, agent, and referer information
+# (Combined Logfile Format) you can use the following directive.
+#
+#CustomLog logs/access_log combined
+
+#
+# Optionally add a line containing the server version and virtual host
+# name to server-generated pages (error documents, FTP directory listings,
+# mod_status and mod_info output etc., but not CGI generated documents).
+# Set to "EMail" to also include a mailto: link to the ServerAdmin.
+# Set to one of: On | Off | EMail
+#
+ServerSignature On
+
+#
+# Aliases: Add here as many aliases as you need (with no limit). The format is
+# Alias fakename realname
+#
+<IfModule mod_alias.c>
+
+ #
+ # Note that if you include a trailing / on fakename then the server will
+ # require it to be present in the URL. So "/icons" isn't aliased in this
+ # example, only "/icons/"..
+ #
+ Alias /icons/ /var/www/icons/
+ Alias /doc /usr/share/doc
+
+
+ #
+ # ScriptAlias: This controls which directories contain server scripts.
+ # ScriptAliases are essentially the same as Aliases, except that
+ # documents in the realname directory are treated as applications and
+ # run by the server when requested rather than as documents sent to the client.
+ # The same rules about trailing "/" apply to ScriptAlias directives as to
+ # Alias.
+ #
+ ScriptAlias /cgi-bin/ /var/www/cgi-bin/
+ ScriptAlias /protected-cgi-bin/ /var/www/protected-cgi-bin/
+
+ <IfModule mod_perl.c>
+ #Provide two aliases to the same cgi-bin directory,
+ #to see the effects of the 2 different mod_perl modes
+ #for Apache::Registry Mode
+ Alias /perl/ /var/www/perl/
+ #for Apache::Perlrun Mode
+ Alias /cgi-perl/ /var/www/perl/
+ </IfModule>
+
+
+</IfModule>
+# End of aliases.
+
+#
+# Redirect allows you to tell clients about documents which used to exist in
+# your server's namespace, but do not anymore. This allows you to tell the
+# clients where to look for the relocated document.
+# Format: Redirect old-URI new-URL
+#
+
+#
+# Directives controlling the display of server-generated directory listings.
+#
+<IfModule mod_autoindex.c>
+
+ #
+ # FancyIndexing is whether you want fancy directory indexing or standard
+ #
+ IndexOptions FancyIndexing
+
+ #
+ # AddIcon* directives tell the server which icon to show for different
+ # files or filename extensions. These are only displayed for
+ # FancyIndexed directories.
+ #
+ AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
+
+ AddIconByType (TXT,/icons/text.gif) text/*
+ AddIconByType (IMG,/icons/image2.gif) image/*
+ AddIconByType (SND,/icons/sound2.gif) audio/*
+ AddIconByType (VID,/icons/movie.gif) video/*
+
+ AddIcon /icons/binary.gif .bin .exe
+ AddIcon /icons/binhex.gif .hqx
+ AddIcon /icons/tar.gif .tar
+ AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
+ AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip .bz2
+ AddIcon /icons/a.gif .ps .ai .eps
+ AddIcon /icons/layout.gif .html .shtml .htm .pdf
+ AddIcon /icons/text.gif .txt
+ AddIcon /icons/c.gif .c
+ AddIcon /icons/p.gif .pl .py .php .php3
+ AddIcon /icons/f.gif .for
+ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+ AddIcon /icons/bomb.gif core
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
+ AddIcon /icons/folder.gif ^^DIRECTORY^^
+ AddIcon /icons/blank.gif ^^BLANKICON^^
+
+ #
+ # DefaultIcon is which icon to show for files which do not have an icon
+ # explicitly set.
+ #
+ DefaultIcon /icons/unknown.gif
+
+ #
+ # AddDescription allows you to place a short description after a file in
+ # server-generated indexes. These are only displayed for FancyIndexed
+ # directories.
+ # Format: AddDescription "description" filename
+ #
+ #AddDescription "GZIP compressed document" .gz
+ #AddDescription "tar archive" .tar
+ #AddDescription "GZIP compressed tar archive" .tgz
+
+ #
+ # ReadmeName is the name of the README file the server will look for by
+ # default, and append to directory listings.
+ #
+ # HeaderName is the name of a file which should be prepended to
+ # directory indexes.
+ #
+ # If MultiViews are amongst the Options in effect, the server will
+ # first look for name.html and include it if found. If name.html
+ # doesn't exist, the server will then look for name.txt and include
+ # it as plaintext if found.
+ #
+ ReadmeName README
+ HeaderName HEADER
+
+ #
+ # IndexIgnore is a set of filenames which directory indexing should ignore
+ # and not include in the listing. Shell-style wildcarding is permitted.
+ #
+ IndexIgnore .??* *~ *# HEADER* RCS CVS *,v *,t
+
+</IfModule>
+# End of indexing directives.
+
+#
+# Document types.
+#
+<IfModule mod_mime.c>
+
+ #
+ # AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
+ # information on the fly. Note: Not all browsers support this.
+ # Despite the name similarity, the following Add* directives have nothing
+ # to do with the FancyIndexing customization directives above.
+ #
+ AddEncoding x-compress Z
+ AddEncoding x-gzip gz tgz
+
+ #
+ # AddLanguage allows you to specify the language of a document. You can
+ # then use content negotiation to give a browser a file in a language
+ # it can understand.
+ #
+ # Note 1: The suffix does not have to be the same as the language
+ # keyword --- those with documents in Polish (whose net-standard
+ # language code is pl) may wish to use "AddLanguage pl .po" to
+ # avoid the ambiguity with the common suffix for perl scripts.
+ # + # Note 2: The example entries below illustrate that in quite + # some cases the two character 'Language' abbreviation is not + # identical to the two character 'Country' code for its country, + # E.g. 'Danmark/dk' versus 'Danish/da'. + # + # Note 3: In the case of 'ltz' we violate the RFC by using a three char + # specifier. But there is 'work in progress' to fix this and get + # the reference data for rfc1766 cleaned up. + # + # Danish (da) - Dutch (nl) - English (en) - Estonian (ee) + # French (fr) - German (de) - Greek-Modern (el) + # Italian (it) - Korean (kr) - Norwegian (no) + # Portugese (pt) - Luxembourgeois* (ltz) + # Spanish (es) - Swedish (sv) - Catalan (ca) - Czech(cz) + # Polish (pl) - Brazilian Portuguese (pt-br) - Japanese (ja) + # Russian (ru) + # + AddLanguage da .dk + AddLanguage nl .nl + AddLanguage en .en + AddLanguage et .ee + AddLanguage fr .fr + AddLanguage de .de + AddLanguage el .el + AddLanguage he .he + AddCharset ISO-8859-8 .iso8859-8 + AddLanguage it .it + AddLanguage ja .ja + AddCharset ISO-2022-JP .jis + AddLanguage kr .kr + AddCharset ISO-2022-KR .iso-kr + AddLanguage no .no + AddLanguage pl .po + AddCharset ISO-8859-2 .iso-pl + AddLanguage pt .pt + AddLanguage pt-br .pt-br + AddLanguage ltz .lu + AddLanguage ca .ca + AddLanguage es .es + AddLanguage sv .se + AddLanguage cz .cz + AddLanguage ru .ru + AddLanguage zh-tw .tw + AddLanguage tw .tw + AddCharset Big5 .Big5 .big5 + AddCharset WINDOWS-1251 .cp-1251 + AddCharset CP866 .cp866 + AddCharset ISO-8859-5 .iso-ru + AddCharset KOI8-R .koi8-r + AddCharset UCS-2 .ucs2 + AddCharset UCS-4 .ucs4 + AddCharset UTF-8 .utf8 + + # LanguagePriority allows you to give precedence to some languages + # in case of a tie during content negotiation. + # + # Just list the languages in decreasing order of preference. We have + # more or less alphabetized them here. You probably want to change this. 
+ # + <IfModule mod_negotiation.c> + LanguagePriority en fr de es it da nl et el ja kr no pl pt pt-br ru ltz ca sv tw + </IfModule> + + # + # AddType allows you to tweak mime.types without actually editing it, or to + # make certain files to be certain types. + # + # For example, the PHP 3.x module (not part of the Apache distribution - see + # http://www.php.net) will typically use: + # + #AddType application/x-httpd-php3 .php3 + #AddType application/x-httpd-php3-source .phps + # + # And for PHP 4.x, use: + # + #AddType application/x-httpd-php .php + #AddType application/x-httpd-php-source .phps + + AddType application/x-tar .tgz + + # + # AddHandler allows you to map certain file extensions to "handlers", + # actions unrelated to filetype. These can be either built into the server + # or added with the Action command (see below) + # + # If you want to use server side includes, or CGI outside + # ScriptAliased directories, uncomment the following lines. + # + # To use CGI scripts: + # + AddHandler cgi-script .cgi + + # + # To use server-parsed HTML files + # + AddType text/html .shtml + AddHandler server-parsed .shtml + + # + # Uncomment the following line to enable Apache's send-asis HTTP file + # feature + # + #AddHandler send-as-is asis + + # + # If you wish to use server-parsed imagemap files, use + # + AddHandler imap-file map + + # + # To enable type maps, you might want to use + # + #AddHandler type-map var + +</IfModule> +# End of document types. + +# +# Action lets you define media types that will execute a script whenever +# a matching file is called. This eliminates the need for repeated URL +# pathnames for oft-used CGI file processors. +# Format: Action media/type /cgi-script/location +# Format: Action handler-name /cgi-script/location +# + +# +# MetaDir: specifies the name of the directory in which Apache can find +# meta information files. 
These files contain additional HTTP headers +# to include when sending the document +# +#MetaDir .web + +# +# MetaSuffix: specifies the file name suffix for the file containing the +# meta information. +# +#MetaSuffix .meta + +# +# Customizable error response (Apache style) +# these come in three flavors +# +# 1) plain text +#ErrorDocument 500 "The server made a boo boo. +# n.b. the single leading (") marks it as text, it does not get output +# +# 2) local redirects +#ErrorDocument 404 /missing.html +# to redirect to local URL /missing.html +#ErrorDocument 404 /cgi-bin/missing_handler.pl +# N.B.: You can redirect to a script or a document using server-side-includes. +# +# 3) external redirects +#ErrorDocument 402 http://some.other_server.com/subscription_info.html +# N.B.: Many of the environment variables associated with the original +# request will *not* be available to such a script. + +<Location /manual> +Options Multiviews +ErrorDocument 404 "The document you requested has not been installed on your system. Please install the apache-manual package. +</Location> + + +# +# Customize behaviour based on the browser +# +<IfModule mod_setenvif.c> + + # + # The following directives modify normal HTTP response behavior. + # The first directive disables keepalive for Netscape 2.x and browsers that + # spoof it. There are known problems with these browser implementations. + # The second directive is for Microsoft Internet Explorer 4.0b2 + # which has a broken HTTP/1.1 implementation and does not properly + # support keepalive when it is used on 301 or 302 (redirect) responses. + # + BrowserMatch "Mozilla/2" nokeepalive + BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 + + # + # The following directive disables HTTP/1.1 responses to browsers which + # are in violation of the HTTP/1.0 spec by not being able to grok a + # basic 1.1 response. 
+ # + BrowserMatch "RealPlayer 4\.0" force-response-1.0 + BrowserMatch "Java/1\.0" force-response-1.0 + BrowserMatch "JDK/1\.0" force-response-1.0 + +</IfModule> +# End of browser customization directives + +# +# Allow server status reports, with the URL of http://servername/server-status +# Change the ".your_domain.com" to match your domain to enable. +# +<IfModule mod_status.c> + <Location /server-status> + SetHandler server-status + Order deny,allow + Deny from all + allow from 127.0.0.1 + #Allow from .your_domain.com + </Location> +# +# ExtendedStatus controls whether Apache will generate "full" status +# information (ExtendedStatus On) or just basic information (ExtendedStatus +# Off) when the "server-status" handler is called. The default is Off. +# +#ExtendedStatus On +</IfModule> + +# +# Allow remote server configuration reports, with the URL of +# http://servername/server-info (requires that mod_info.c be loaded). +# Change the ".your_domain.com" to match your domain to enable. +# +<IfModule mod_info.c> + <Location /server-info> + SetHandler server-info + Order deny,allow + Deny from all + Allow from .your_domain.com + </Location> +</IfModule> + +<IfModule mod_perl.c> + <Location /perl-status> + SetHandler perl-script + PerlHandler Apache::Status + Order deny,allow + Deny from all + Allow from 127.0.0.1 + </Location> +</IfModule> + +# +# There have been reports of people trying to abuse an old bug from pre-1.1 +# days. This bug involved a CGI script distributed as a part of Apache. +# By uncommenting these lines you can redirect these attacks to a logging +# script on phf.apache.org. Or, you can record them yourself, using the script +# support/phf_abuse_log.cgi. +# +#<Location /cgi-bin/phf*> +# Deny from all +# ErrorDocument 403 http://phf.apache.org/phf_abuse_log.cgi +#</Location> + +# +# Proxy Server directives. 
Uncomment the following lines to +# enable the proxy server: +# +#<IfModule mod_proxy.c> +# ProxyRequests On + +# <Directory proxy:*> +# Order deny,allow +# Deny from all +# Allow from .your_domain.com +# </Directory> + + # + # Enable/disable the handling of HTTP/1.1 "Via:" headers. + # ("Full" adds the server version; "Block" removes all outgoing Via: headers) + # Set to one of: Off | On | Full | Block + # +# ProxyVia On + + # + # To enable the cache as well, edit and uncomment the following lines: + # (no cacheing without CacheRoot) + # +# CacheRoot /var/cache/httpd +# CacheSize 5 +# CacheGcInterval 4 +# CacheMaxExpire 24 +# CacheLastModifiedFactor 0.1 +# CacheDefaultExpire 1 +# NoCache a_domain.com another_domain.edu joes.garage_sale.com + +#</IfModule> +# End of proxy directives. + +<IfModule mod_dav.c> +# DavLockDB /var/lock/DAVLock +</IfModule> + +<IfModule mod_include.c> +# XBitHack on +</IfModule> + + +# +# This should be changed to whatever you set DocumentRoot to. +# +<Directory /var/www/html> + +# +# This may also be "None", "All", or any combination of "Indexes", +# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews". +# +# Note that "MultiViews" must be named *explicitly* --- "Options All" +# doesn't give it to you. +# + Options -Indexes FollowSymLinks MultiViews + +# +# This controls which options the .htaccess files in directories can +# override. Can also be "All", or any combination of "Options", "FileInfo", +# "AuthConfig", and "Limit" +# + AllowOverride All + +# +# Controls who can get stuff from this server. 
+# + Order allow,deny + Allow from all +</Directory> + +<Directory /var/www/perl> + AllowOverride All + Options -Indexes FollowSymLinks MultiViews ExecCGI + Order allow,deny + Allow from all +</Directory> + +<Directory /var/www/cgi-bin> + AllowOverride All + Options ExecCGI +</Directory> + +<Directory /var/www/protected-cgi-bin> + AllowOverride None + Options ExecCGI + Order deny,allow + Deny from all + Allow from 127.0.0.1 + #allow from .your_domain.com +</Directory> + +# +# Control access to UserDir directories. The following is an example +# for a site where these directories are restricted to read-only. +# +#<Directory /home/*/public_html> +# AllowOverride FileInfo AuthConfig Limit +# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec +# <Limit GET POST OPTIONS PROPFIND> +# Order allow,deny +# Allow from all +# </Limit> +# <LimitExcept GET POST OPTIONS PROPFIND> +# Order deny,allow +# Deny from all +# </LimitExcept> +#</Directory> + +# These settings are pretty flexible, and allow for Frontpage and XSSI +<Directory /home/*/public_html> + AllowOverride All + Options MultiViews -Indexes Includes FollowSymLinks + Order allow,deny + Allow from all +</Directory> + +<Directory /home/*/public_html/cgi-bin> + Options +ExecCGI -Includes -Indexes + SetHandler cgi-script +</Directory> + + +<IfModule mod_perl.c> + <Directory /home/*/public_html/perl> + SetHandler perl-script + PerlHandler Apache::PerlRun + Options -Indexes ExecCGI + PerlSendHeader On + </Directory> +</IfModule> + +<Directory /var/www/icons> + Options -Indexes MultiViews + AllowOverride None + Order allow,deny + Allow from all +</Directory> + +<Directory /usr/share/doc> + Options Indexes FollowSymLinks + Order deny,allow + Deny from all + Allow from 127.0.0.1 + #allow from .your_domain.com +</Directory> + +<Directory /var/www/html/addon-modules> + Options Indexes FollowSymLinks +</Directory> + +<Location /index.shtml> + Options +Includes +</Location> + +<IfModule mod_perl.c> + PerlModule 
 Apache::Registry
+
+ #set Apache::Registry Mode for /perl Alias
+ <Location /perl/*.pl>
+ SetHandler perl-script
+ PerlHandler Apache::Registry
+ Options -Indexes ExecCGI
+ PerlSendHeader On
+ </Location>
+
+ #set Apache::PerlRun Mode for /cgi-perl Alias
+ <Location /cgi-perl/*.pl>
+ SetHandler perl-script
+ PerlHandler Apache::PerlRun
+ Options -Indexes ExecCGI
+ PerlSendHeader On
+ </Location>
+</IfModule>
+
diff --git a/web_wizard/scripts/do_it_web.sh b/web_wizard/scripts/do_it_web.sh
new file mode 100755
index 00000000..b82d2c86
--- /dev/null
+++ b/web_wizard/scripts/do_it_web.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+#
+# Wizard
+#
+# Copyright (C) 2000 Mandrakesoft.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+# See file LICENSE for further informations on licensing terms.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+#
+# Authors: Jerome Dumonteil, Maurizio De Cecco, Enzo Maggi
+# icons: Helene Durosini <ln@mandrakesoft.com>
+# <corporate@mandrakesoft.com> http://www.mandrakesoft.com
+
+# script for wizard web configuration
+#
+# modify default apache configuration
+# assuming all dependencies are ok
+
+
+# wiz_web_external and wiz_web_internal are provided by the running wizard
+# now, save them
+file=/etc/sysconfig/mdk_serv
+
+# security
+[ "${wiz_web_external}" = "1" -o "${wiz_web_external}" = "0" ] || wiz_web_external="0"
+[ "${wiz_web_internal}" = "1" -o "${wiz_web_internal}" = "0" ] || wiz_web_internal="0"
+
+[ "${wiz_web_external}" = "1" ] && wiz_web_internal="1"
+
+# store the wiz_web_external and wiz_web_internal value
+chg_val ${file} wiz_web_external ${wiz_web_external} s
+chg_val ${file} wiz_web_internal ${wiz_web_internal} s
+
+
+# apache configuration file
+config="/etc/httpd/conf/commonhttpd.conf"
+if [ ! -f ${config} ]; then
+ echo_debug "no apache configuration file found ! exiting."
+ exit 1
+fi
+
+
+bck_file ${config}
+
+
+if [ "${wiz_web_external}" = "1" ]; then
+
+ cat ${config}.mdk_orig.1 \
+ |sed -e '/^[[:space:]]*<Directory \/home/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from all/;}
+/^[[:space:]]*<Directory \/var\/www/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from all/;} ' > ${config}
+
+elif [ "${wiz_web_internal}" = "1" ]; then
+
+ip=`get_var wiz_ip_net`
+
+ cat ${config}.mdk_orig.1 \
+|sed -e '/^[[:space:]]*<Directory \/home/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from '"${ip%\.*}"'./;}
+/^[[:space:]]*<Directory \/var\/www/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from '"${ip%\.*}"'./;} ' > ${config}
+
+else
+
+ cat ${config}.mdk_orig.1 \
+|sed -e '/^[[:space:]]*<Directory \/home/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from localhost/;}
+/^[[:space:]]*<Directory \/var\/www/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from localhost/;} ' > ${config}
+
+fi
+
+
+
+echo_debug "restarting services"
+
+/etc/rc.d/init.d/httpd restart
+
+
+
+# all is ok
+exit 10
+
+
+
diff --git a/web_wizard/scripts/mytest.pl b/web_wizard/scripts/mytest.pl
new file mode 100755
index 00000000..e13f3708
--- /dev/null
+++ b/web_wizard/scripts/mytest.pl
@@ -0,0 +1,28 @@
+#!/usr/bin/perl
+use strict;
+
+open(FH, $ARGV[0]);
+
+my $that;
+
+if ($ENV{wiz_web_external} eq "1") {
+ $that = "all";
+}
+elsif ($ENV{wiz_web_internal} eq "1") {
+ $that = $ip;
+}
+else {
+ $that = "localhost";
+}
+
+
+while(<FH>) {
+ if( m/^[[:space:]]*<Directory \/home/s...m/^[[:space:]]*<\/Directory>/s ) {
+ s/^[[:space:]]*Allow .*$/Allow from $that/s;
+ }
+ if( m /^[[:space:]]*<Directory \/var\/www/s...m/^[[:space:]]*<\/Directory>/s ) {
+ s/^[[:space:]]*Allow .*$/Allow from $that/s;
+ }
+ print $_;
+}
+
diff --git a/web_wizard/scripts/sedscript b/web_wizard/scripts/sedscript
new file mode 100644
index 00000000..e5acafb9
--- /dev/null
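Review bot: The `/^[[:space:]]*<Directory \/var\/www/` range address in all three sed scripts also matches `<Directory /var/www/protected-cgi-bin>` from the Apache config earlier in this commit, whose `Allow from 127.0.0.1` under `Deny from all` is the only thing keeping that directory local; with wiz_web_external=1 it is rewritten to `Allow from all`, and with wiz_web_internal=1 to the whole network prefix. Narrow the address so it cannot match that block, e.g. `'/^[[:space:]]*<Directory \/var\/www\/html>/,/^[[:space:]]*<\/Directory>/{` (and a second range for `/var/www/perl` if that block is meant to be rewritten too), or skip any block whose opening line contains `protected-cgi-bin`. The same range appears in mytest.pl, sedscript and test.sed in this commit. Separately, `ip` from `get_var wiz_ip_net` is spliced into the sed replacement text without the value check the two `wiz_web_*` flags get a few lines above; a value containing `/` or `&` would break or alter the expression, so it should be checked against a dotted-quad pattern before use.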
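Review bot: `$that = $ip;` in the `elsif` branch reads a variable that is never declared, so under `use strict` this script does not compile; it presumably should carry the same value the shell wizard obtains via `get_var wiz_ip_net`, e.g. `my $ip = $ENV{wiz_ip_net};` if that variable is exported to the environment — confirm the source. The `open(FH, $ARGV[0]);` line is a two-argument open on an unchecked argument: a filename beginning with `>` or ending in `|` changes the open mode, and a failed open is silently read as an empty file; use `open(my $fh, '<', $ARGV[0]) or die "open $ARGV[0]: $!";` and read from `$fh`. Adding `use warnings;` next to `use strict;` would also surface the `eq` comparisons against undefined `$ENV{...}` entries when the wizard variables are unset.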
+++ b/web_wizard/scripts/sedscript
@@ -0,0 +1,4 @@
+/^[[:space:]]*<Directory \/home/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from all/;}
+/^[[:space:]]*<Directory \/var\/www/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from all/;}
\ No newline at end of file
diff --git a/web_wizard/scripts/test.sed b/web_wizard/scripts/test.sed
new file mode 100644
index 00000000..6f03dc5c
--- /dev/null
+++ b/web_wizard/scripts/test.sed
@@ -0,0 +1,6 @@
+/^[[:space:]]*<Directory \/home/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from all/
+}
+/^[[:space:]]*<Directory \/var\/www/,/^[[:space:]]*<\/Directory>/{
+s/^[[:space:]]*Allow .*$/Allow from all/
+} |