#!/bin/bash
# Copyright (C) 2023 Pädagogisches Landesinstitut Rheinland-Pfalz
# Copyright (C) 2023 Mike Gabriel
# Copyright (C) 2023 Daniel Teichmann
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

# postinst script for debian-edu-router-plugin.content-filter
#
# see: dh_installdeb(1)
#
# Outline of this part of the file:
#   1. read the plugin's debconf answers (networks, ports, parent proxy,
#      SSL-bumping CA subject, auto-refresh switches) into shell variables;
#   2. helpers that render uif firewall rules, Apache2 sites/confs, Squid and
#      e2guardian snippets and the SSL-MitM CA OpenSSL config from templates
#      under /usr/share/debian-edu-router/templates/;
#   3. backup/restore helpers used when a restarted service rejects the
#      freshly generated configuration.
#
# Review notes (defender's reading; nothing in these notes changes behaviour):
#   * Debconf answers (CA subject fields, parent proxy, DNS servers) are
#     spliced into sed expressions with '/' as delimiter and no escaping, so
#     an answer containing '/', '&' or a newline breaks the substitution or
#     alters the generated file. The values arrive via debconf (administrator
#     or preseed), so this is a robustness concern more than remote exposure.
#   * Network membership tests are `echo "${list[@]}" | grep -q "${name}"`,
#     i.e. substring matches on a space-joined list. A network name that is a
#     substring of another could be classified wrongly (marked NOTE(review)
#     at each site); using exact-word matching would make this deterministic.
#   * Many expansions are unquoted and template loops parse `ls` output. The
#     paths involved are fixed package paths, so this is style/robustness
#     rather than an injection vector, but ShellCheck would flag all of them.
#   * The pre-regeneration backup (create_config_backup) only covers the
#     ??_d-e-r-p.c-f_* snippets in /etc/squid/conf.d/<plugin>/ and
#     /etc/uif/uif.conf.d/; files written below into /etc/squid/conf.d/,
#     /etc/debian-edu-router/squid-snippets.d/ and
#     /etc/debian-edu-router/e2guardian.d/ are not rolled back.

set -e

# Debconf client library; without it nothing below can run.
. /usr/share/debconf/confmodule || exit 255

if [ -e /etc/debian-edu/router.conf ]; then
  source /etc/debian-edu/router.conf
fi

PRODUCTNAME="${PRODUCTNAME:-"Debian Edu Router"}"
PRODUCTNAME_PLUGIN_SUFFIX="${PRODUCTNAME_PLUGIN_SUFFIX:-"Plugin"}"
PRODUCTNAME_PLUGIN="${PRODUCTNAME_PLUGIN:-"${PRODUCTNAME} ${PRODUCTNAME_PLUGIN_SUFFIX}: Content filter"}"
# Package version for @PRODUCTVERSION@ in templates; "UNKNOWN" if dpkg-query fails.
PRODUCTVERSION=$(dpkg-query --show --showformat='${Version}' "${DPKG_MAINTSCRIPT_PACKAGE}" 2>/dev/null || echo "UNKNOWN")

db_title "${PRODUCTNAME_PLUGIN}"

common_file="/usr/share/debian-edu-router/debian-edu-router.common"
# Load common functions, variables and stuff.
# (notice_log/debug_log/error_log/warning_log, manage_unit and
# get_internal_networks_v4 are used below but not defined in this file;
# presumably they come from the common file.)
if [ -s "$common_file" ]; then
  source "$common_file"
else
  # NOTE(review): "$common_file" sits outside the double quotes (word-splits),
  # and exiting 0 lets dpkg record the package as configured although none of
  # the configuration below was generated.
  echo "Could not load common file at "$common_file"."
  exit 0;
fi

db_version 2.0
db_capb backup escape

# prepare debconf
export DC_PRIO_HIGH="high"

# summary of how this script can be called:
#        * `configure' <most-recently-configured-version>
#        * `abort-upgrade' <new version>
#        * `abort-remove' `in-favour' <package> <new-version>
#        * `abort-remove'
#        * `abort-deconfigure' `in-favour' <failed-install-package> <version>
#          `removing' <conflicting-package> <version>
#
# for details, see https://www.debian.org/doc/debian-policy/ or
# the debian-policy package

# Prepares services to use proxy authentication.
# TODO: Make this a debconf question.
# TODO: State of debconf question should enable/disable connector plugins.
#       Or plugins should override this question, and reconfigure d-e-r-p.c-f (via dpkg-trigger?).
# TODO: Do not generate Proxy*User.* filterlist files, if disabled.
# Only emptiness matters: every check below is [[ -n "${AUTHENTICATION_ENABLED}" ]].
AUTHENTICATION_ENABLED="yes"

# Scratch directories: CONFIG_BACKUP_DIR receives copies of the current squid/uif
# snippets before regeneration (create_config_backup); DEBUG_CONFIG_DIR receives
# rejected snippets when D_E_R_DEBUG is set (restore_config_backup).
# NOTE(review): no trap removes either directory in this part of the file, so
# copies of the proxy/firewall configuration remain under the mktemp location
# after the script ends (create_config_backup does chmod the backup dir 0700).
CONFIG_BACKUP_DIR="$(mktemp -d --suffix -debian-edu-router-plugin.content-filter_CONFIG_BACKUP)"
DEBUG_CONFIG_DIR="$(mktemp -d --suffix -debian-edu-router-plugin.content-filter_DEBUG_CONFIG)"

# --- Read the plugin's debconf answers ---------------------------------------
# db_get leaves the answer in $RET. Calls without "|| true" presumably abort the
# script under set -e when the question is unknown; the others tolerate that.
db_get debian-edu-router-plugin.content-filter/content-filter-enabled
content_filter_enabled="${RET}"

db_get debian-edu-router-plugin.content-filter/dns-alias
dns_alias="${RET}"

db_get debian-edu-router-plugin.content-filter/dns-servers || true
contentfilter_dns_servers="${RET}"

# Comma-separated network-name lists become bash arrays: drop the commas and let
# word splitting do the rest (assumes names contain no whitespace or glob chars).
db_get debian-edu-router-plugin.content-filter/service-httpproxy-networks-enabled
service_httpproxy_networks_enabled=( $(echo ${RET} | tr -d ',') )

db_get debian-edu-router-config/service-firewall-networks-allow-internet
unblocked_networks=( $(echo ${RET} | tr -d ',') )

# Squid's explicit proxy port; the two transparent (intercept) ports are derived
# from it: +1 for plain HTTP, +2 for TLS.
db_get debian-edu-router-plugin.content-filter/proxy-port-exposed-to-clients
http_proxy_port=${RET}
http_transparent_proxy_port=$(($http_proxy_port + 1))
https_transparent_proxy_port=$(($http_proxy_port + 2))

db_get debian-edu-router-plugin.content-filter/service-httpproxy-transparent-mode-enabled || true
transparent_proxy_mode_enabled="${RET}"

db_get debian-edu-router-plugin.content-filter/apache2-http-port
http_apache2_port="${RET}"
if [[ -n "${http_apache2_port}" ]] && [[ "${http_apache2_port}" != "80" ]]; then
  notice_log "Serving HTTP website (Apache2) at custom port '${http_apache2_port}'."
else
  notice_log "Serving HTTP website (Apache2) at default port '${http_apache2_port}'."
fi

# An empty HTTPS port means "do not serve HTTPS" (the site is a2dissite'd later).
db_get debian-edu-router-plugin.content-filter/apache2-https-port
https_apache2_port="${RET}"
if [[ -n "${https_apache2_port}" ]]; then
  if [[ "${https_apache2_port}" != "443" ]]; then
    notice_log "Serving HTTPS website (Apache2) at custom port '${https_apache2_port}'."
  else
    notice_log "Serving HTTPS website (Apache2) at default port '${https_apache2_port}'."
  fi
else
  notice_log "Do not serve HTTPS website (Apache2)."
fi

# Parent proxy answer is "host[:port]". Without a ':' cut yields the host for
# both fields, which is how the "no port given" case is detected below.
db_get debian-edu-router-plugin.content-filter/parent-proxy
parent_proxy_hostname="$(echo "${RET}" | cut -d ":" -f1)"
parent_proxy_port="$(echo "${RET}" | cut -d ":" -f2)"
if [ -n "${parent_proxy_hostname}" ] && [ "${parent_proxy_hostname}" = "${parent_proxy_port}" ]; then
  # no ':' in RET string, assuming hard-coded default port
  parent_proxy_port=3128
fi

db_get debian-edu-router-plugin.content-filter/service-httpproxy-enable-sslbumping
service_httpproxy_enable_sslbumping=${RET}

db_get debian-edu-router-plugin.content-filter/service-httpproxy-networks-with-sslbumping
service_httpproxy_networks_with_sslbumping=( $(echo ${RET} | tr -d ',') )

db_get debian-edu-router-plugin.content-filter/service-contentfilter-networks-enabled
service_contentfilter_networks_enabled=( $(echo ${RET} | tr -d ',') )

# Subject fields of the SSL-MitM (bumping) CA; substituted into the OpenSSL
# config template by create_sslmitm_ca (unescaped, see review notes on top).
db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-org || true
ca_org="${RET}"

db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-ou || true
ca_ou="${RET}"

db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-province || true
ca_province="${RET}"

db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-city || true
ca_city="${RET}"

db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-country || true
ca_country="${RET}"

db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-cn || true
ca_cn="${RET}"

db_get debian-edu-router-plugin.content-filter/service-httpproxy-sslbumping-ca-email || true
ca_email="${RET}"

db_get debian-edu-router-plugin.content-filter/service-contentfilter-autorefresh-blacklist || true
autorefresh_blacklist="${RET}"

db_get debian-edu-router-plugin.content-filter/service-contentfilter-autoregenerate-ips || true
autoregenerate_ips="${RET}"

#######################################
# Copies the currently installed d-e-r Squid and uif snippets into
# CONFIG_BACKUP_DIR so that restore_config_backup can put them back.
# Globals:  CONFIG_BACKUP_DIR (read)
# Outputs:  none; cp errors (e.g. first install, nothing to back up) are ignored.
#######################################
function create_config_backup() {
  chmod -R 0700 "${CONFIG_BACKUP_DIR}"

  # Creating a backup of old d-e-r config files.
  mkdir -p \
    ${CONFIG_BACKUP_DIR}/etc/squid/conf.d/debian-edu-router-plugin.content-filter
  cp /etc/squid/conf.d/debian-edu-router-plugin.content-filter/??_d-e-r-p.c-f_*.conf \
    ${CONFIG_BACKUP_DIR}/etc/squid/conf.d/debian-edu-router-plugin.content-filter &> /dev/null || true

  mkdir -p ${CONFIG_BACKUP_DIR}/etc/uif/uif.conf.d/
  cp /etc/uif/uif.conf.d/??_d-e-r-p.c-f_* ${CONFIG_BACKUP_DIR}/etc/uif/uif.conf.d/ &> /dev/null || true
}

#######################################
# Rollback after a service rejected the freshly generated configuration:
# keeps (debug mode) or deletes the new snippets, re-installs the copies
# taken by create_config_backup, restarts the services and exits 1, i.e.
# the postinst fails.
# Arguments: $1 - name of the service whose restart failed (log text only)
# Globals:   CONFIG_BACKUP_DIR, DEBUG_CONFIG_DIR, D_E_R_DEBUG (read);
#            ${cyan}/${green} are used in a log line but not defined here.
# Returns:   never returns; always exit 1
#######################################
function restore_config_backup() {
  error_log "New configuration for '$1' failed while restarting the service."
  error_log "Restoring configuration backup now..."

  if [ -n "${D_E_R_DEBUG}" ]; then
    config_files=(
      "/etc/squid/conf.d/debian-edu-router-plugin.content-filter"
      "/etc/uif/uif.conf.d"
    )
    for conf_file in "${config_files[@]}"; do
      mkdir -p "${DEBUG_CONFIG_DIR}/$conf_file"
      # Move new and broken conf files into tmp folder.
      mv -v "$conf_file"/??_d-e-r-p.c-f_* "${DEBUG_CONFIG_DIR}$conf_file" || true
    done
    debug_log "Generated config files are now located at: '${cyan}${DEBUG_CONFIG_DIR}${green}'."
  else
    # Delete new and broken d-e-r config files.
    rm -fv /etc/squid/conf.d/debian-edu-router-plugin.content-filter/??_d-e-r-p.c-f_*.conf || true
    rm -fv /etc/uif/uif.conf.d//??_d-e-r-p.c-f_* || true
    debug_log "Generated config files were purged from the system."
  fi

  # Copying old and hopefully working d-e-r config files.
  cp -fv ${CONFIG_BACKUP_DIR}/etc/squid/conf.d/debian-edu-router-plugin.content-filter/* /etc/squid/conf.d/debian-edu-router-plugin.content-filter || true
  cp -fv ${CONFIG_BACKUP_DIR}/etc/uif/uif.conf.d/* /etc/uif/uif.conf.d/ || true
  debug_log "Old config files are installed again."

  # Hopefully everything should be alright now.
  # A failure here is only logged; the firewall/proxy state the units are left
  # in is whatever manage_unit leaves behind.
  manage_unit restart e2guardian_d-e-r || error_log "Something is terribly broken since the old config files for 'e2guardian_d-e-r' don't work either!"
  manage_unit restart squid_d-e-r.target || error_log "Something is terribly broken since the old config files for 'squid_d-e-r.target' don't work either!"
  manage_unit restart uif || error_log "Something is terribly broken since the old config files for 'uif' don't work either!"

  exit 1
}

#######################################
# Writes the uif firewall snippets for Squid (01_d-e-r-p.c-f_Squid) and
# Apache2 (02_d-e-r-p.c-f_Apache2): service definitions for the proxy and
# web ports, "in+" rules per enabled network, and (transparent mode only)
# "nat+" redirects of http/https into the intercept ports.
# Globals:   service_httpproxy_networks_enabled, unblocked_networks,
#            http_proxy_port, http_transparent_proxy_port,
#            https_transparent_proxy_port, transparent_proxy_mode_enabled,
#            http_apache2_port, https_apache2_port, PRODUCTNAME_PLUGIN (read);
#            uif_cfg_file, _p, _p_t, _p_t_ssl, _i_n_name (written, not local)
# Returns:   0; returns early with no files when no network is enabled.
#######################################
function process_firewall_answers() {
  # When running in production mode, make sure all (not-to-be-configured)
  # uif configurations files are removed from /etc/uif/uif.conf.d/
  rm -f /etc/uif/uif.conf.d/??_d-e-r-p.c-f_*

  # Only generate firewall conf files, if we actually have networks which
  # should be content filtered.
  # NOTE(review): "${arr[@]}" inside [[ -z ]] relies on bash joining the
  # elements; "${arr[*]}" or (( ${#arr[@]} == 0 )) states that explicitly.
  if [[ -z "${service_httpproxy_networks_enabled[@]}" ]]; then
    return 0;
  fi

  #
  # Squid (Firewall rules)
  #
  uif_cfg_file="/etc/uif/uif.conf.d/01_d-e-r-p.c-f_Squid"
  _p=${http_proxy_port}
  _p_t=${http_transparent_proxy_port}
  _p_t_ssl=${https_transparent_proxy_port}

  echo "###" 1> "${uif_cfg_file}"
  echo "### $PRODUCTNAME_PLUGIN - Firewall" >> "${uif_cfg_file}"
  echo "###" >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"
  echo "### Managed by debian-edu-router-plugin.content-filter." >> "${uif_cfg_file}"
  echo "### Don't modify this file." >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"

  if [ "$transparent_proxy_mode_enabled" != "true" ]; then
    echo "# NOTE: Transparent proxy mode has been disabled. To change that, configure " >> "${uif_cfg_file}"
    echo "# the content filter via the login menu or execute dpkg-reconfigure " >> "${uif_cfg_file}"
    echo "# debian-edu-router-plugin.content-filter." >> "${uif_cfg_file}"
    echo >> "${uif_cfg_file}"
  fi

  echo "service {" >> "${uif_cfg_file}"
  echo " squid_d-e-r tcp(/${_p})" >> "${uif_cfg_file}"
  if [ "$transparent_proxy_mode_enabled" = "true" ]; then
    echo " squid_transp_d-e-r tcp(/${_p_t})" >> "${uif_cfg_file}"
    echo " squid_transp_ssl_d-e-r tcp(/${_p_t_ssl})" >> "${uif_cfg_file}"
  fi
  echo "}" >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"

  echo "filter {" >> "${uif_cfg_file}"
  for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do
    echo " # Allow Squid to receive incoming requests on network '${_i_n_name}'." >> "${uif_cfg_file}"
    echo " in+ p=squid_d-e-r i=iface_${_i_n_name}" >> "${uif_cfg_file}"
    if [ "$transparent_proxy_mode_enabled" = "true" ]; then
      echo " in+ p=squid_transp_d-e-r i=iface_${_i_n_name}" >> "${uif_cfg_file}"
      echo " in+ p=squid_transp_ssl_d-e-r i=iface_${_i_n_name}" >> "${uif_cfg_file}"
    fi
    echo >> "${uif_cfg_file}"
  done

  echo " # Allow Squid to receive incoming requests from local machine." >> "${uif_cfg_file}"
  echo " in+ p=squid_d-e-r i=loop" >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"

  # setup firewall rules for transparent proxying
  for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do
    # NOTE(review): substring match against the space-joined list; a network
    # whose name is contained in another network's name would be treated as
    # "direct internet access" and get no redirect into the intercept ports.
    if echo "${unblocked_networks[@]}" | grep -q "${_i_n_name}"; then
      # Networks with direct internet access are not redirected; clients there are
      # presumably only filtered when they use the explicit proxy port.
      echo " # Network ${_i_n_name} has direct internet access, no need to map ports." >> "${uif_cfg_file}"
      echo >> "${uif_cfg_file}"
      continue;
    fi
    if [ "$transparent_proxy_mode_enabled" = "true" ]; then
      echo " # Map connections which come from ${_i_n_name} network on http(s) ports" >> "${uif_cfg_file}"
      echo " # to internal squid_transp(_ssl)_d-e-r ports." >> "${uif_cfg_file}"
      echo " nat+ s=net_${_i_n_name} p=http P=squid_transp_d-e-r D=self_${_i_n_name}" >> "${uif_cfg_file}"
      echo " nat+ s=net_${_i_n_name} p=https P=squid_transp_ssl_d-e-r D=self_${_i_n_name}" >> "${uif_cfg_file}"
      echo >> "${uif_cfg_file}"
    fi
  done
  echo "}" >> "${uif_cfg_file}"

  #
  # Apache2 (Firewall rules)
  #
  uif_cfg_file="/etc/uif/uif.conf.d/02_d-e-r-p.c-f_Apache2"

  echo "###" 1> "${uif_cfg_file}"
  echo "### $PRODUCTNAME_PLUGIN - Firewall" >> "${uif_cfg_file}"
  echo "###" >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"
  echo "### Managed by debian-edu-router-plugin.content-filter." >> "${uif_cfg_file}"
  echo "### Don't modify this file." >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"

  echo "service {" >> "${uif_cfg_file}"
  echo " apache2_http tcp(/${http_apache2_port})" >> "${uif_cfg_file}"
  if [[ -n "${https_apache2_port}" ]]; then
    echo " apache2_https tcp(/${https_apache2_port})" >> "${uif_cfg_file}"
  fi
  echo "}" >> "${uif_cfg_file}"
  echo >> "${uif_cfg_file}"

  echo "filter {" >> "${uif_cfg_file}"
  for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do
    echo " # Make CA certificate download URL reachable from clients" >> "${uif_cfg_file}"
    echo " in+ p=apache2_http i=iface_${_i_n_name},loop" >> "${uif_cfg_file}"
    if [[ -n "${https_apache2_port}" ]]; then
      echo " in+ p=apache2_https i=iface_${_i_n_name},loop" >> "${uif_cfg_file}"
    fi
  done
  echo "}" >> "${uif_cfg_file}"
}

#######################################
# Renders the *.in documentation templates into
# /usr/share/doc/debian-edu-router-plugin.content-filter/, replacing
# @PRODUCTNAME@ with PRODUCTNAME_PLUGIN.
# Globals:  PRODUCTNAME_PLUGIN (read); docs_templates_dir, docs_tpl, docs (written)
# Notes:    ${NULL} is an (expected-empty) terminator for the sed argument list
#           so every "-e" line can end in a backslash.
#######################################
function copy_docs_from_templates() {
  docs_templates_dir="/usr/share/debian-edu-router/templates/doc/d-e-r-p.c.f/"
  # NOTE(review): iterating over `ls` output; a glob (for f in "${dir}"/*.in)
  # would handle unusual names and the no-match case explicitly.
  for docs_tpl in $(ls ${docs_templates_dir}/*.in); do
    docs="/usr/share/doc/debian-edu-router-plugin.content-filter/$(basename ${docs_tpl/.in/})"
    cp "${docs_tpl}" "${docs}"
    sed -i "${docs}" -e "s|@PRODUCTNAME@|${PRODUCTNAME_PLUGIN}|" \
      ${NULL}
  done
}

# Returns $logo_data_uri
#######################################
# Picks the alphabetically last "??_*" file in /usr/share/debian-edu-router/logos/
# and exposes it as a base64 data: URI in the global logo_data_uri. Falls back
# to Squid's built-in icon URL (served via dns_alias:http_proxy_port) when no
# logo file exists.
# Globals:  dns_alias, http_proxy_port (read); logo_data_uri (written)
#######################################
function get_logo_data_uri() {
  local LOGO_FILES="/usr/share/debian-edu-router/logos/"
  local logo_file
  local logo_mimetype

  # Select file from /usr/share/debian-edu-router/logos/ (alphanum) sorted.
  # Must start with a number to order by (??_*).
  # This file will be used as the error page logo.
  logo_file="$(find "${LOGO_FILES}" -maxdepth 1 -name "??_*" -type f | sort | tail -n1)"

  if ! [ -s "$logo_file" ]; then
    warning_log "No logo file found in ${LOGO_FILES}, using default Squid image."
    logo_data_uri="http://${dns_alias}:${http_proxy_port}/squid-internal-static/icons/SN.png"
    return
  fi

  logo_mimetype=$(file -bN --mime-type "${logo_file}")
  # The consumer substitutes this into a sed expression delimited by '|', which
  # is why base64's '/' and '+' characters are harmless there.
  logo_data_uri=$(echo "data:${logo_mimetype};base64,$(base64 -w 0 ${logo_file})")

  debug_log "Found logo file at: ${logo_file}, which translates to data URI: '$(echo ${logo_data_uri} | head -c50)...'."
}

#######################################
# Renders the Apache2 site and conf templates, enables them, and disables the
# distribution default sites. The HTTPS site is disabled entirely when
# https_apache2_port is empty. Which certificate lines are active in the
# templates depends on whether the SSL-MitM CA key/cert pair exists.
# Globals:  PRODUCTNAME, PRODUCTVERSION, http_apache2_port, https_apache2_port (read)
# Notes:    NOTE(review): the toggle keys on the MitM CA *key* existing; if the
#           site template points Apache at those same files, the CA private key
#           would be loaded by the web server process — confirm against the
#           template before relying on this for the HTTPS download site.
#######################################
function create_apache2_stuff_from_templates() {
  local sites_available_dir="/etc/apache2/sites-available/"
  local conf_available_dir="/etc/apache2/conf-available/"
  mkdir -p "${sites_available_dir}"
  mkdir -p "${conf_available_dir}"

  # "#" comments the corresponding template line out, "" keeps it active.
  local _selfsigned_cert="#"
  local _snakeoil_cert=""
  if [[ -s "/etc/debian-edu-router/ssl/private/d-e-r_sslmitm-ca.key" ]] && \
     [[ -s "/etc/debian-edu-router/ssl/certs/d-e-r_sslmitm-ca.crt" ]]; then
    _selfsigned_cert=""
    _snakeoil_cert="#"
  fi

  local sites_templates_dir="/usr/share/debian-edu-router/templates/apache2/sites-available/"
  for sites_conf_tpl in $(ls ${sites_templates_dir}/*.in); do
    # `local x=$(...)` hides the command's exit status from set -e.
    local sites_name="$(basename ${sites_conf_tpl/.in/})"
    local sites_conf="${sites_available_dir}/${sites_name}"

    # Make sure HTTPS site gets disabled, if ${https_apache2_port} is empty.
    if [[ "${sites_name,,}" =~ "https" ]]; then
      if [[ -z "${https_apache2_port}" ]]; then
        debug_log "Disable serving of Apache2 HTTPS default D-E-R site."
        a2dissite "${sites_name}" 2>/dev/null 1>/dev/null || true
        continue
      fi
    fi

    mkdir -p "$(dirname $sites_conf)"
    cp "${sites_conf_tpl}" "${sites_conf}"
    sed -i "${sites_conf}" -e "s|@PRODUCTNAME@|${PRODUCTNAME}|" \
      -e "s/@PRODUCTVERSION@/${PRODUCTVERSION}/" \
      -e "s/@APACHE2_HTTP_PORT@/${http_apache2_port}/" \
      -e "s/@APACHE2_HTTPS_PORT@/${https_apache2_port}/" \
      -e "s/@APACHE2_SELFSIGNED_CERT@/${_selfsigned_cert}/" \
      -e "s/@APACHE2_SNAKEOIL_CERT@/${_snakeoil_cert}/" \
      ${NULL}
    a2ensite "${sites_name}" 1>/dev/null
  done

  # Enable the Apache2 config that we ship for obtaining the SSL-MitM CA certificate files.
  # Extra "Listen" directives are only needed for non-default ports.
  local _apache2_listen_http_port=""
  if [[ -n "${http_apache2_port}" ]] && [[ "${http_apache2_port}" != "80" ]]; then
    _apache2_listen_http_port="Listen ${http_apache2_port}"
  fi
  local _apache2_listen_https_port=""
  if [[ -n "${https_apache2_port}" ]]; then
    a2enmod ssl 1>/dev/null
    if [[ "${https_apache2_port}" != "443" ]]; then
      _apache2_listen_https_port="Listen ${https_apache2_port}"
    fi
  fi

  local conf_templates_dir="/usr/share/debian-edu-router/templates/apache2/conf-available/"
  for conf_tpl in $(ls ${conf_templates_dir}/*.in); do
    local conf_name="$(basename ${conf_tpl/.in/})"
    local conf="${conf_available_dir}/${conf_name}"
    mkdir -p "$(dirname $conf)"
    cp "${conf_tpl}" "${conf}"
    sed -i "${conf}" -e "s|@PRODUCTNAME@|${PRODUCTNAME}|" \
      -e "s/@PRODUCTVERSION@/${PRODUCTVERSION}/" \
      -e "s/@APACHE2_LISTEN_HTTP_PORT@/${_apache2_listen_http_port}/" \
      -e "s/@APACHE2_LISTEN_HTTPS_PORT@/${_apache2_listen_https_port}/" \
      ${NULL}
    a2enconf "${conf_name}" 1>/dev/null
  done

  a2dissite "000-default" 1>/dev/null
  a2dissite "default-ssl" 1>/dev/null
}

#######################################
# Renders the static error-page assets (templates/static/*.in) into
# /usr/share/debian-edu-router/content-filter/static/, filling in the
# product name and the logo data URI from get_logo_data_uri.
# Globals:  PRODUCTNAME_PLUGIN (read); logo_data_uri, static_templates_dir,
#           static_tpl, static (written)
#######################################
function create_static_files_from_templates() {
  get_logo_data_uri # Stores return value in $logo_data_uri

  static_templates_dir="/usr/share/debian-edu-router/templates/static/"
  for static_tpl in $(ls ${static_templates_dir}/*.in); do
    static="/usr/share/debian-edu-router/content-filter/static/$(basename ${static_tpl/.in/})"
    mkdir -p "$(dirname $static)"
    cp "${static_tpl}" "${static}"
    sed -i "${static}" -e "s|@PRODUCTNAME@|${PRODUCTNAME_PLUGIN}|" \
      -e "s|@LOGO_DATA_URI@|${logo_data_uri}|" \
      ${NULL}
  done
}

#######################################
# Renders the e2guardian templates into /etc/debian-edu-router/e2guardian.d/.
# With D_E_R_DEBUG set, @DEBUGLEVEL@ becomes "debuglevel = 'ALL'" (verbose
# e2guardian logging); otherwise the placeholder is removed.
# Globals:  D_E_R_DEBUG, PRODUCTNAME_PLUGIN (read); debuglevel,
#           config_templates_dir, conf_tpl, conf (written, not local)
#######################################
function create_e2guardian_config_from_templates() {
  if [ -n "$D_E_R_DEBUG" ]; then
    debuglevel="debuglevel = 'ALL'"
  else
    debuglevel=""
  fi

  config_templates_dir="/usr/share/debian-edu-router/templates/e2guardian/"
  for conf_tpl in $(ls ${config_templates_dir}/*.in); do
    conf="/etc/debian-edu-router/e2guardian.d/$(basename ${conf_tpl/.in/})"
    cp "${conf_tpl}" "${conf}"
    sed -i "${conf}" -e "s|@PRODUCTNAME@|${PRODUCTNAME_PLUGIN}|" \
      -e "s|@DEBUGLEVEL@|${debuglevel}|" \
      ${NULL}
  done
}

#######################################
# Appends an "include" of the per-network SSL-bump snippet to the given Squid
# config file and writes that snippet
# (10_SSL-bumping_d-e-r-p.c-f_<network>.conf). Three outcomes:
#   - bumping enabled globally and for this network: splice localhost, the
#     Keepcert lists and Allow/Trusted-mode clients, bump everything else;
#   - bumping disabled but transparent mode on: splice all;
#   - otherwise: snippet contains only a comment.
# Arguments: $1 - network name; $2 - Squid config file to append the include to
# Globals:   service_httpproxy_enable_sslbumping,
#            service_httpproxy_networks_with_sslbumping,
#            transparent_proxy_mode_enabled (read);
#            _i_n_name, squid_cfg_file, old_squid_cfg_file (written, not local)
# NOTE(review): squid_cfg_file is restored to $2 only on the two returning
#            branches; on the fall-through path at the bottom it stays pointing
#            at the per-network snippet. Whether a caller keeps writing to
#            $squid_cfg_file afterwards is outside this chunk — confirm.
# NOTE(review): network membership is a substring grep (see top of file).
#######################################
function create_squid_config_sslbumping_rules() {
  _i_n_name="$1"
  squid_cfg_file="$2"

  echo "# Include SSL bumping settings" >> "${squid_cfg_file}"
  echo "include /etc/squid/conf.d/debian-edu-router-plugin.content-filter/$( )10_SSL-bumping_d-e-r-p.c-f_${_i_n_name}.conf" >> "${squid_cfg_file}"
  echo >> "${squid_cfg_file}"

  old_squid_cfg_file="$squid_cfg_file"
  squid_cfg_file="/etc/squid/conf.d/debian-edu-router-plugin.content-filter/10_SSL-bumping_d-e-r-p.c-f_${_i_n_name}.conf"

  echo "# --- SSL Bump ---" > "${squid_cfg_file}"
  echo >> "${squid_cfg_file}"

  if [ "${service_httpproxy_enable_sslbumping}" = "true" ] && \
     echo "${service_httpproxy_networks_with_sslbumping[@]}" | grep -q "${_i_n_name}"
  then
    echo "#acl step1 at_step SslBump1" >> "${squid_cfg_file}"
    echo "#acl step2 at_step SslBump2" >> "${squid_cfg_file}"
    echo "#acl step3 at_step SslBump3" >> "${squid_cfg_file}"
    echo >> "${squid_cfg_file}"
    echo "# Splice (TCP-Passthrough) sites, which should not be intercepted at all." >> "${squid_cfg_file}"
    echo "# Thats means that Squid does not need to sign the connection with its $( )own selfsigned CA certificate)." >> "${squid_cfg_file}"
    echo "ssl_bump splice localhost # Skip splicing for requests from localhost" >> "${squid_cfg_file}"
    echo "ssl_bump splice to_localhost # or to localhost directly (e.g. for $( )downloading the selfsigned CA certificate.)" >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyKeepcertSite" >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyKeepcertSiteIP" >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyKeepcertSiteIP_Generated transparent_mode" >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyKeepcertSiteRegex" >> "${squid_cfg_file}"
    echo >> "${squid_cfg_file}"
    echo "# [Allow Mode] Do not do SSL Bumping." >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyAllowClientIP" >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyAllowClient" >> "${squid_cfg_file}"
    echo "#ssl_bump splice ProxyAllowUser # Do not activate." >> "${squid_cfg_file}"
    echo >> "${squid_cfg_file}"
    echo "# [Trusted Mode] Do not do SSL Bumping." >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyTrustedClientIP" >> "${squid_cfg_file}"
    echo "ssl_bump splice ProxyTrustedClient" >> "${squid_cfg_file}"
    echo "#ssl_bump splice ProxyTrustedUser # Do not activate." >> "${squid_cfg_file}"
    echo >> "${squid_cfg_file}"
    echo "# Everything else must be bumped." >> "${squid_cfg_file}"
    echo "ssl_bump bump all" >> "${squid_cfg_file}"
    echo "# --- / SSL Bump ---" >> "${squid_cfg_file}"
    echo >> "${squid_cfg_file}"

    squid_cfg_file="$old_squid_cfg_file"
    return
  elif [ "${service_httpproxy_enable_sslbumping}" != "true" ]; then
    if [ "$transparent_proxy_mode_enabled" = "true" ]; then
      echo "# [T-P-M] Splice (TCP-Passthrough) all connections, if SSL-bumping is" >> "${squid_cfg_file}"
      echo "# disabled and T-P-M is enabled." >> "${squid_cfg_file}"
      echo "ssl_bump splice all" >> "${squid_cfg_file}"
      echo >> "${squid_cfg_file}"

      squid_cfg_file="$old_squid_cfg_file"
      return
    fi
  fi

  # Reached when bumping is disabled without transparent mode, or enabled
  # globally but not for this network.
  echo "# SSL-Bumping is disabled and no bumping rules are applied." >> "${squid_cfg_file}"
  echo >> "${squid_cfg_file}"
}

#######################################
# Writes one logrotate config per enabled proxy network
# (/etc/logrotate.d/squid_d-e-r_<network>) from the shipped template.
# Globals:  service_httpproxy_networks_enabled, PRODUCTNAME (read)
# NOTE(review): the rm -f pattern is inside double quotes, so the '*' is not
#           expanded and the command only removes a file literally named
#           "squid_d-e-r_*"; stale per-network configs for networks that were
#           removed later are therefore left in place. Moving the glob outside
#           the quotes ("${LOGROTATE_PATH}"/squid_d-e-r_*) would fix that.
#######################################
function create_logrotate_configs() {
  local LOGROTATE_PATH="/etc/logrotate.d"
  rm -f "${LOGROTATE_PATH}/squid_d-e-r_*"

  for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do
    local logrotate_config_file="${LOGROTATE_PATH}/squid_d-e-r_${_i_n_name}"
    cp /usr/share/debian-edu-router/templates/logrotate/squid_d-e-r.in "${logrotate_config_file}"
    sed -i "${logrotate_config_file}" -e "s|@PRODUCTNAME@|${PRODUCTNAME}|" \
      -e "s|@NETWORK_NAME@|${_i_n_name}|" \
      ${NULL}
  done
}

#######################################
# For a network listed in service_contentfilter_networks_enabled, appends an
# include to the given Squid config and writes the ICAP snippet
# (20_ICAP-e2guardian_d-e-r-p.c-f_<network>.conf) that hands requests and
# responses to e2guardian on 127.0.0.1:1344. ICAP is applied to clients in the
# Blacklist-mode groups only; Allow/Trusted/Whitelist-mode clients (and
# ProxyAllowSite destinations) are denied adaptation, i.e. bypass the deep
# filter. bypass=0 makes Squid fail closed when e2guardian is unavailable.
# Arguments: $1 - network name; $2 - Squid config file to append the include to
# Globals:   service_contentfilter_networks_enabled, AUTHENTICATION_ENABLED (read);
#            _i_n_name, squid_cfg_file, old_squid_cfg_file, is_optional, port
#            (written, not local)
# NOTE(review): network membership is a substring grep (see top of file).
#######################################
function create_squid_config_icap() {
  _i_n_name="$1"
  squid_cfg_file="$2"

  if echo "${service_contentfilter_networks_enabled[@]}" | grep -q "${_i_n_name}"; then
    # Enable ICAP connecting to e2guardian for this network.
    notice_log "Enabling deep introspection content filter for network '$_i_n_name' (via e2guardian)."

    # If e2guardian is not available (stopped? crashed?)
    # If '1': Just act like nothing happened and ignore this error.
    #         This means that potential harmful website will be visitable. (Squid ACLs still apply!)
    # If '0': Block access, show ERR_ICAP_FAILURE error message to the user.
    is_optional="0"
    port="1344"

    echo "# Include ICAP integration with e2guardian" >> "${squid_cfg_file}"
    echo "include /etc/squid/conf.d/debian-edu-router-plugin.content-filter/20_ICAP-e2guardian_d-e-r-p.c-f_${_i_n_name}.conf" >> "${squid_cfg_file}"
    echo >> "${squid_cfg_file}"

    old_squid_cfg_file="$squid_cfg_file"
    squid_cfg_file="/etc/squid/conf.d/debian-edu-router-plugin.content-filter/20_ICAP-e2guardian_d-e-r-p.c-f_${_i_n_name}.conf"

    debug_log "Enabling ICAP (port $port) network '$_i_n_name' (Optional=$is_optional)."

    echo "# --- ICAP ---" 1> "${squid_cfg_file}"
    echo "# Enabling deep introspection content filter for network '$_i_n_name' (via e2guardian)" >> "${squid_cfg_file}"
    echo "icap_enable on" >> "${squid_cfg_file}"
    echo "" >> "${squid_cfg_file}"
    echo "# Suspend service usage after 10 failures in 5 seconds:" >> "${squid_cfg_file}"
    echo "icap_service_failure_limit 10" >> "${squid_cfg_file}"
    echo "icap_persistent_connections on" >> "${squid_cfg_file}"
    echo "" >> "${squid_cfg_file}"
    echo "adaptation_send_client_ip on" >> "${squid_cfg_file}"
    echo "adaptation_masterx_shared_names X-ICAP-E2G" >> "${squid_cfg_file}"
    echo "" >> "${squid_cfg_file}"

    # Request-side adaptation.
    echo "icap_service service_req reqmod_precache bypass=$is_optional icap://127.0.0.1:$port/request" >> "${squid_cfg_file}"
    echo "adaptation_access service_req deny ProxyAllowSite" >> "${squid_cfg_file}"
    if [[ -n "${AUTHENTICATION_ENABLED}" ]]; then
      echo -n "adaptation_access service_req deny " >> "${squid_cfg_file}"
      echo "!ProxyBlacklistClient !ProxyBlacklistClientIP !ProxyBlacklistUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_req deny ProxyTrustedUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_req deny ProxyAllowUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_req deny ProxyWhitelistUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_req allow ProxyBlacklistUser" >> "${squid_cfg_file}"
    else
      echo "adaptation_access service_req deny !ProxyBlacklistClient !ProxyBlacklistClientIP" >> "${squid_cfg_file}"
    fi
    echo "adaptation_access service_req allow ProxyBlacklistClient" >> "${squid_cfg_file}"
    echo "adaptation_access service_req allow ProxyBlacklistClientIP" >> "${squid_cfg_file}"
    echo "" >> "${squid_cfg_file}"

    # Response-side adaptation.
    # NOTE(review): the three "allow" lines below still say service_req (looks
    # like a copy of the block above), so service_resp ends with only deny
    # rules and receives no explicit allow for the Blacklist groups. Whether
    # Squid's implicit default covers this is not verifiable here — confirm
    # the intended rule set, and change them to service_resp if so.
    echo "icap_service service_resp respmod_precache bypass=$is_optional icap://127.0.0.1:$port/response" >> "${squid_cfg_file}"
    echo "adaptation_access service_resp deny ProxyAllowSite" >> "${squid_cfg_file}"
    if [[ -n "${AUTHENTICATION_ENABLED}" ]]; then
      echo -n "adaptation_access service_resp deny " >> "${squid_cfg_file}"
      echo "!ProxyBlacklistClient !ProxyBlacklistClientIP !ProxyBlacklistUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_resp deny ProxyTrustedUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_resp deny ProxyAllowUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_resp deny ProxyWhitelistUser" >> "${squid_cfg_file}"
      echo "adaptation_access service_req allow ProxyBlacklistUser" >> "${squid_cfg_file}"
    else
      echo "adaptation_access service_resp deny !ProxyBlacklistClient !ProxyBlacklistClientIP" >> "${squid_cfg_file}"
    fi
    echo "adaptation_access service_req allow ProxyBlacklistClient" >> "${squid_cfg_file}"
    echo "adaptation_access service_req allow ProxyBlacklistClientIP" >> "${squid_cfg_file}"
    echo "" >> "${squid_cfg_file}"

    echo "icap_log stdio:/var/log/debian-edu-router/squid/icap_$_i_n_name.log" >> "${squid_cfg_file}"
    echo "#--- / ICAP ---" >> "${squid_cfg_file}"
    echo "" >> "${squid_cfg_file}"

    squid_cfg_file="$old_squid_cfg_file"
  fi
}

#######################################
# Writes the Squid snippet that restricts proxy use to the router's own
# internal networks: "der_nets" src ACLs for every network returned by
# get_internal_networks_v4, "http_access deny !der_nets", plus allow rules
# for requests addressed to the router itself (by IP and by dns_alias).
# Globals:  PRODUCTNAME, PRODUCTNAME_PLUGIN, dns_alias (read);
#           internal_networks (declared here, presumably filled by
#           get_internal_networks_v4), squid_cfg_file, _i_n_name (written)
# NOTE(review): "${internal_networks[$name]%/*}" strips the prefix length; the
#           thisHostIP ACL only matches the router if the map values are
#           "<router address>/<prefix>" rather than network addresses — confirm
#           against get_internal_networks_v4.
#######################################
function create_squid_config_lockout_unknown_nets() {
  squid_cfg_file="/etc/debian-edu-router/squid-snippets.d/20_squid_acls-lockout_unknown_nets_d-e-r.conf"

  # Collect all internal addresses/networks
  declare -A internal_networks
  # Don't convert network name to lowercase
  get_internal_networks_v4 "false"

  echo "# ${PRODUCTNAME_PLUGIN}" 1> "${squid_cfg_file}"
  echo "# DO NOT MODIFY THIS FILE. CHANGES WILL GET DELETED EVENTUALLY." >> "${squid_cfg_file}"
  echo >> "${squid_cfg_file}"

  for _i_n_name in "${!internal_networks[@]}"; do
    echo "# Allow incoming requests from network: ${_i_n_name}." >> "${squid_cfg_file}"
    echo "acl der_nets src ${internal_networks[$_i_n_name]}" >> "${squid_cfg_file}"
  done
  echo >> "${squid_cfg_file}"

  echo "# Only allow proxying from withing ${PRODUCTNAME} defined networks." >> "${squid_cfg_file}"
  echo "http_access deny !der_nets" >> "${squid_cfg_file}"
  echo >> "${squid_cfg_file}"

  for _i_n_name in "${!internal_networks[@]}"; do
    echo "# Also allow incoming requests to this machine on ${_i_n_name}." >> "${squid_cfg_file}"
    echo "acl thisHostIP dst ${internal_networks[$_i_n_name]%/*}" >> "${squid_cfg_file}"
  done
  echo "# Also allow incoming requests to this machine via hostname." >> "${squid_cfg_file}"
  echo "acl thisHostHostname dstdomain ${dns_alias}" >> "${squid_cfg_file}"
  echo >> "${squid_cfg_file}"

  echo "# Allow every request to the webcache itself." >> "${squid_cfg_file}"
  echo "http_access allow thisHostIP" >> "${squid_cfg_file}"
  echo "http_access allow thisHostHostname" >> "${squid_cfg_file}"
}

#######################################
# Renders the Squid config templates into /etc/squid/conf.d/ and the snippet
# templates into /etc/debian-edu-router/squid-snippets.d/. Snippets get the
# upstream pathway (direct, or cache_peer to the parent proxy with
# never_direct), the transparent ports, the content-filter DNS servers and
# the two authentication toggles ("#" comments a template line out).
# Globals:  parent_proxy_hostname, parent_proxy_port, contentfilter_dns_servers,
#           http_transparent_proxy_port, https_transparent_proxy_port,
#           AUTHENTICATION_ENABLED, PRODUCTNAME_PLUGIN (read); several
#           working variables (written, not local)
# NOTE(review): the config templates land in /etc/squid/conf.d/ directly, while
#           create_config_backup/restore_config_backup handle
#           /etc/squid/conf.d/debian-edu-router-plugin.content-filter/ — confirm
#           which directory the templates are meant for.
# NOTE(review): parent_proxy_hostname/-port and contentfilter_dns_servers come
#           from debconf and are used unescaped inside "s/.../.../" — a '/' or
#           '&' in an answer breaks or alters the substitution.
#######################################
function create_squid_config_from_templates() {
  config_templates_dir="/usr/share/debian-edu-router/templates/squid/conf.d/d-e-r-p.c-f/"
  snippets_templates_dir="/usr/share/debian-edu-router/templates/squid/snippets.d/d-e-r-p.c-f/"

  # CONFIGS
  for conf_tpl in $(ls ${config_templates_dir}/*.in); do
    conf="/etc/squid/conf.d/$(basename ${conf_tpl/.in/})"
    cp "${conf_tpl}" "${conf}"
    sed -i "${conf}" -e "s|@PRODUCTNAME@|${PRODUCTNAME_PLUGIN}|" \
      ${NULL}
  done

  # SNIPPETS
  # FIXME: Adjust this to direct vs. cache_peer upstream internet access pathway
  if [ "${parent_proxy_hostname}" != "" ]; then
    access_method_upstream="cache_peer_access extern"
    cache_peer_parent_proxy="cache_peer ${parent_proxy_hostname} parent ${parent_proxy_port} 0 no-query allow-miss no-netdb-exchange no-digest name=extern"
    never_direct="never_direct allow all"
  else
    access_method_upstream="http_access"
    cache_peer_parent_proxy="# no cache_peer parent required, direct internet access is available"
    never_direct=""
  fi

  disengage_user_authentication=""
  disengage_proxy_auth_required="#"
  if [[ -n "${AUTHENTICATION_ENABLED}" ]]; then
    disengage_user_authentication="#"
    disengage_proxy_auth_required=""
  fi

  for snippet_tpl in $(ls ${snippets_templates_dir}/*.in); do
    snippet="/etc/debian-edu-router/squid-snippets.d/$(basename ${snippet_tpl/.in/})"
    cp "${snippet_tpl}" "${snippet}"
    sed -i "${snippet}" -e "s|@PRODUCTNAME@|${PRODUCTNAME_PLUGIN}|" \
      -e "s/@HTTP_OR_CACHEPEER_ACCESS_UPSTREAM@/${access_method_upstream}/g" \
      -e "s/@CACHE_PEER_PARENT_PROXY@/${cache_peer_parent_proxy}/g" \
      -e "s/@NEVER_DIRECT@/${never_direct}/g" \
      -e "s/@DNS_SERVERS_CF@/${contentfilter_dns_servers}/" \
      -e "s/@SQUID_TRANSPARENT_SSL_PORT@/${https_transparent_proxy_port}/" \
      -e "s/@SQUID_TRANSPARENT_NON_SSL_PORT@/${http_transparent_proxy_port}/" \
      -e "s/@DISENGAGE_USER_AUTHENTICATION@/${disengage_user_authentication}/" \
      -e "s/@DISENGAGE_PROXY_AUTH_REQUIRED@/${disengage_proxy_auth_required}/" \
      ${NULL}
  done
}

#######################################
# Creates the SSL-MitM CA once: if the OpenSSL config has not been rendered
# yet, wipes the ssl_db directory, renders the config from the template with
# the debconf-supplied subject fields, and runs debian-edu-router_mk-sslmitm-ca.
# Globals:  ca_org, ca_ou, ca_province, ca_city, ca_country, ca_cn, ca_email (read);
#           sslcfg_template, sslcfg, RECREATE_DER_SSLMITM_CA (written)
# NOTE(review): deleting the .cnf re-triggers CA creation and removes ssl_db,
#           so clients that trust the previous CA certificate will stop
#           trusting bumped connections until they import the new one.
# NOTE(review): RECREATE_DER_SSLMITM_CA is assigned but not exported; if
#           debian-edu-router_mk-sslmitm-ca is an external program rather than
#           a function from the common file it will not see this value — confirm.
# NOTE(review): the CA subject fields are not escaped for sed (see top of file).
#######################################
function create_sslmitm_ca() {
  # Only run SSL-MitM PKI CA creation if the .cnf files hasn't been created, yet.
  # This also implies: removing the .cnf file will re-trigger the CA creation.
  if [ ! -s "/etc/debian-edu-router/ssl/openssl.d-e-r_sslmitm-ca.cnf" ]; then
    # Assure that the ssl_db directory becomes blank before (re-)creating
    # our SSL-MitM PKI.
    if [ -d "/var/lib/debian-edu-router/ssl_db/" ]; then
      rm -Rf "/var/lib/debian-edu-router/ssl_db/"
    fi

    sslcfg_template="/usr/share/debian-edu-router/templates/ssl/openssl.d-e-r_sslmitm-ca.cnf.in"
    sslcfg="/etc/debian-edu-router/ssl/openssl.d-e-r_sslmitm-ca.cnf"
    cat "${sslcfg_template}" | sed -e "s/@CA_ORG@/${ca_org}/g" \
      -e "s/@CA_OU@/${ca_ou}/g" \
      -e "s/@CA_PROVINCE@/${ca_province}/g" \
      -e "s/@CA_CITY@/${ca_city}/g" \
      -e "s/@CA_COUNTRY@/${ca_country}/g" \
      -e "s/@CA_CN@/${ca_cn}/g" \
      -e "s/@CA_EMAIL@/${ca_email}/g" \
      > "${sslcfg}"

    RECREATE_DER_SSLMITM_CA="true" debian-edu-router_mk-sslmitm-ca
  fi
}

# Makes a backup of filterlist file and places a warning into the original file,
# which explains that the filterlist file is disabled.
#######################################
# Arguments: $@ - filterlist file names (relative to
#                 /var/lib/debian-edu-router/filterlists.d/)
# Idempotent: a list whose first two lines already carry the DISABLED marker
#             is skipped, so the .backup copy is not overwritten on re-runs.
# Globals:   filterlist, filterlist_file, backup_file, doc_file (written)
# NOTE(review): $@ is unquoted, so names with whitespace would split; the
#           original content is re-added via echo "$(cat ...)", which drops
#           trailing blank lines.
#######################################
function backup_disabled_proxylists() {
  for filterlist in $@; do
    if ! cat "/var/lib/debian-edu-router/filterlists.d/${filterlist}" | head -n2 | grep "# This list is DISABLED at the moment." > /dev/null; then
      filterlist_file="/var/lib/debian-edu-router/filterlists.d/${filterlist}"
      backup_file="/var/lib/debian-edu-router/filterlists.d/${filterlist}.backup"
      doc_file="/usr/share/doc/debian-edu-router-plugin.content-filter/squid_ACLs_explained.md"

      mkdir -p "$(dirname $backup_file)" && {
        cp "/var/lib/debian-edu-router/filterlists.d/${filterlist}" "$backup_file"
        echo "# ===========================================================================" 1> $filterlist_file
        echo "# This list is DISABLED at the moment." >> $filterlist_file
        echo "# Please see the following documentation file at 'Overview of all site lists'" >> $filterlist_file
        echo "# for further information:" >> $filterlist_file
        echo "# $doc_file" >> $filterlist_file
        echo "#" >> $filterlist_file
        echo "# The original unmodified file may be found at:" >> $filterlist_file
        echo "# $backup_file" >> $filterlist_file
        echo "# ===========================================================================" >> $filterlist_file
        echo >> $filterlist_file
        echo "$(cat $backup_file)" >> $filterlist_file
      }
    fi
  done
}

#######################################
# Builds e2guardian's block page (debian-edu-router.html) for every language
# directory under /usr/share/e2guardian/languages from Squid's English
# ERR_ACCESS_DENIED template, mapping Squid's %-placeholders to e2guardian's
# -PLACEHOLDER- syntax and inlining the error-page CSS at the %l marker.
# Globals:  errorpage_css, languages_dir, custom_languages_file, languages,
#           language, language_squid (written, not local)
# NOTE(review): the cp is tolerated with "|| true", but the following sed -i
#           calls then operate on a missing file and would fail under set -e.
# NOTE(review): %h is replaced by the literal "Debian Edu Router" rather than
#           ${PRODUCTNAME}, unlike the other templates.
#######################################
function prepare_e2guardian_err_page_templates() {
  ### Just copy templates from Squid for now. ###
  # https://wiki.squid-cache.org/Features/CustomErrors
  # -URL- gives the URL the user was trying to get to
  # -REASONGIVEN- gives the nice reason (i.e. not quoting the banned phrase)
  # -REASONLOGGED- gives the reason that gets logged including full details
  # -USER- gives the username if known
  # -IP- gives the originating IP
  # -FILTERGROUP- gives the group name
  # -BYPASS- Allows an admin with with bypass access to bypass the block

  errorpage_css="/usr/share/debian-edu-router/content-filter/static/content-filter-errorpage.css"
  languages_dir="/usr/share/e2guardian/languages"
  custom_languages_file="debian-edu-router.html"

  languages=($(ls $languages_dir))
  for language in ${languages[@]}; do
    # FIXME: TODO: Map $language to $language_squid.
    language_squid="en"
    cp "/usr/share/squid-langpack/$language_squid/ERR_ACCESS_DENIED" "$languages_dir/$language/$custom_languages_file" || true
    sed -i 's|%U|-URL-|g' "$languages_dir/$language/$custom_languages_file"
    sed -i 's|%w|webmaster|g' "$languages_dir/$language/$custom_languages_file"
    sed -i 's|%W|mailto:webmaster|g' "$languages_dir/$language/$custom_languages_file"
    sed -i 's|%T ||g' "$languages_dir/$language/$custom_languages_file"
    sed -i 's|%h|Debian Edu Router|g' "$languages_dir/$language/$custom_languages_file"
    sed -i 's|%s|e2guardian|g' "$languages_dir/$language/$custom_languages_file"

    # FIXME: Support other languages.
    # Commented-out example that rewrote the page heading (the markup around the
    # pattern was not preserved in this copy of the file):
    #sed -i 's|Access Denied.|Access Denied because the content is seemingly unsafe.|g' "$languages_dir/$language/$custom_languages_file"

    # Replace '%l' with content of "$errorpage_css" in file "$languages_dir/$language/$custom_languages_file".
    sed -e '/%l/ {' -e "r $errorpage_css" -e 'd' -e '}' -i "$languages_dir/$language/$custom_languages_file"
  done
}

#######################################
# Toggles the blacklist auto-refresh switch when FORCE_SWITCH_AUTOREFRESH_BLACKLISTS
# is set: currently "true" -> set the debconf answer to false and remove the
# marker file; otherwise -> set it to true and write the marker file (read by
# the login menu). Re-reads the answer into autorefresh_blacklist afterwards.
# Globals:  FORCE_SWITCH_AUTOREFRESH_BLACKLISTS (read);
#           autorefresh_blacklist, autorefresh_blacklist_then (written)
#######################################
function check_autorefresh_blacklists() {
  if [ -z "$FORCE_SWITCH_AUTOREFRESH_BLACKLISTS" ]; then
    return
  fi

  db_get debian-edu-router-plugin.content-filter/service-contentfilter-autorefresh-blacklist
  autorefresh_blacklist_then="${RET}"

  if [ "$autorefresh_blacklist" = "true" ]; then
    if [ "$autorefresh_blacklist_then" = "true" ]; then
      notice_log "Switching blacklists auto-refresh tasks off."
      db_set debian-edu-router-plugin.content-filter/service-contentfilter-autorefresh-blacklist false
    fi
    rm -f /var/lib/debian-edu-router/d-e-r-p.c-f/autorefresh_blacklists.enabled
  else
    if [ "$autorefresh_blacklist_then" = "false" ]; then
      notice_log "Switching blacklists auto-refresh tasks on."
      db_set debian-edu-router-plugin.content-filter/service-contentfilter-autorefresh-blacklist true
    fi
    echo "# This file indicates that the blacklists auto-refresh task is turned ON. (Used in loginmenu)" > \
      /var/lib/debian-edu-router/d-e-r-p.c-f/autorefresh_blacklists.enabled
  fi

  db_get debian-edu-router-plugin.content-filter/service-contentfilter-autorefresh-blacklist
  autorefresh_blacklist="${RET}"
}

#######################################
# Same toggle pattern as check_autorefresh_blacklists, for the e2guardian
# "auto-regenerate IPs" task, driven by FORCE_SWITCH_AUTOREGENERATE_IPS and
# the marker file autogenerate_IPs.enabled.
# Globals:  FORCE_SWITCH_AUTOREGENERATE_IPS (read);
#           autoregenerate_ips, autoregenerate_ips_then (written)
#######################################
function check_e2guardian_autoregenerate_ips() {
  if [ -z "$FORCE_SWITCH_AUTOREGENERATE_IPS" ]; then
    return
  fi

  db_get debian-edu-router-plugin.content-filter/service-contentfilter-autoregenerate-ips
  autoregenerate_ips_then="${RET}"

  if [ "$autoregenerate_ips" = "true" ]; then
    if [ "$autoregenerate_ips_then" = "true" ]; then
      notice_log "Switching auto-regenerating IPs task off."
      db_set debian-edu-router-plugin.content-filter/service-contentfilter-autoregenerate-ips false
    fi
    rm -f /var/lib/debian-edu-router/d-e-r-p.c-f/autogenerate_IPs.enabled
  else
    if [ "$autoregenerate_ips_then" = "false" ]; then
      notice_log "Switching auto-regenerating IPs task on."
      db_set debian-edu-router-plugin.content-filter/service-contentfilter-autoregenerate-ips true
    fi
    echo "# This file indicates that the auto-regenerating IPs task is turned ON. (Used in loginmenu)" > \
      /var/lib/debian-edu-router/d-e-r-p.c-f/autogenerate_IPs.enabled
  fi

  db_get debian-edu-router-plugin.content-filter/service-contentfilter-autoregenerate-ips
  autoregenerate_ips="${RET}"
}

#######################################
# Seeds /etc/debian-edu-router/e2guardian.d/lists from /etc/e2guardian/lists
# (copying only new/newer files), toggles whether ".crt" downloads are banned
# (allowed only in debug mode), and rewrites absolute list paths inside the
# copied lists to the new location.
# Globals:  D_E_R_DEBUG (read); LISTS_DIR, lines (written, not local)
#######################################
function prepare_e2guardian_lists() {
  LISTS_DIR="/etc/debian-edu-router/e2guardian.d/lists"
  mkdir -p "${LISTS_DIR}"

  # Copy e2guardian lists ONCE (or if newer) to $LISTS_DIR. Needed by e2guardian_d-e-r.
  lines="$(cp -Rvu /etc/e2guardian/lists/* "${LISTS_DIR}" | wc -l)"
  [ $lines -gt 0 ] && debug_log "Copied $lines new files from /etc/e2guardian/lists/* to '$LISTS_DIR'."

  if [[ -n "${D_E_R_DEBUG}" ]]; then
    # Debug mode only: the CA certificate must be downloadable through the filter.
    notice_log "Allowing downloads of .crt files via e2guardian (enabled because of debug-mode)."
    sed -i '/^#/!s/\.crt/# \.crt/' "${LISTS_DIR}/example.group/bannedextensionlist" || true
  else
    notice_log "Disabling downloads of .crt files via e2guardian (default behavior)."
    sed -i 's|#\s*\.crt|\.crt|g' "${LISTS_DIR}/example.group/bannedextensionlist" || true
  fi

  local old_list_path="/etc/e2guardian/lists/"
  local new_list_path="/etc/debian-edu-router/e2guardian.d/lists/"
  find "${LISTS_DIR}" -type f -exec sed -i "s|${old_list_path}|${new_list_path}|g" {} \; || {
    error_log "prepare_e2guardian_lists(): Failed to sed-replace list paths in e2guardian lists directory '${new_list_path}'."
  }
}

# NOTE: this function continues beyond the end of this chunk; only its opening
# lines are visible here and they are reproduced unchanged.
function restart_autorefresh_blacklists() {
  if [ "$autorefresh_blacklist" = "true" ]; then
    if [ -d /run/systemd/system ]; then # Checks if systemd is available.
      notice_log "Enabling systemd service for auto-refreshing blacklists."
manage_unit enable squid_d-e-r_refresh-blacklists.service manage_unit enablenow squid_d-e-r_refresh-blacklists.timer rm -fv /etc/cron.d/d-e-r-p.c-f_refresh-blacklists || true else notice_log "Enabling auto-refreshing blacklists cron job (for now)." cp -v /usr/share/debian-edu-router/templates/cron.d/d-e-r-p.c-f_refresh-blacklists /etc/cron.d/ fi else warning_log "Blacklists auto-refreshing is disabled!" notice_log "To update blacklists manually execute '/usr/sbin/debian-edu-router_refresh-blacklists'." notice_log "or just open the loginmenu and press 'r' in the ${PRODUCTNAME_PLUGIN} submenu." manage_unit disablenow squid_d-e-r_refresh-blacklists.service manage_unit disablenow squid_d-e-r_refresh-blacklists.timer rm -f /etc/cron.d/d-e-r-p.c-f_refresh-blacklists || true fi } function restart_autoregenerate_ips() { if [ "$autoregenerate_ips" = "true" ]; then if [ -d /run/systemd/system ]; then # Checks if systemd is available. notice_log "Enabling systemd service for auto-regenerating Proxy*Site.* IPs." manage_unit enable squid_d-e-r_refresh-generated-ips.service manage_unit enablenow squid_d-e-r_refresh-generated-ips.timer rm -fv /etc/cron.d/d-e-r-p.c-f_refresh-generated-ips || true else notice_log "Enabling auto-refreshing blacklists cron job (for now)." notice_log "Enabling auto-regenerating Proxy*Site.* IPs cron job (for now)." cp -v /usr/share/debian-edu-router/templates/cron.d/d-e-r-p.c-f_refresh-generated-ips /etc/cron.d/ fi else warning_log "Auto-regeneration of Proxy*Site.* IPs is disabled! To regenerate them manually" warning_log "execute '/usr/sbin/debian-edu-router_refresh-generated-ips'." manage_unit disablenow squid_d-e-r_refresh-generated-ips.service manage_unit disablenow squid_d-e-r_refresh-generated-ips.timer rm -f /etc/cron.d/d-e-r-p.c-f_refresh-generated-ips || true fi } function process_services_answers() { # Only generate conf files, if we actually have networks which # should be content filtered. 
if [[ -z "${service_httpproxy_networks_enabled[@]}" ]]; then return 0; fi ### E2GUARDIAN prepare_e2guardian_err_page_templates prepare_e2guardian_lists # Make sure e2guardian can write into log files. logdir="/var/log/debian-edu-router/e2guardian" mkdir -p "${logdir}" || true chown "e2guardian:e2guardian" "$logdir" || true chmod u=rwx "${logdir}" || true chown "e2guardian:e2guardian" "${logdir}/"* 2>/dev/null || true chmod u=rw "${logdir}/"* 2>/dev/null || true # SQUID # When running in production mode, make sure all (not-to-be-configured) # squid configurations files are removed from # /etc/squid/conf.d/debian-edu-router-plugin.content-filter/ rm -f /etc/squid/conf.d/debian-edu-router-plugin.content-filter/??_d-e-r-p.c-f_*.conf # Calculate an optimal cache size per squid instance. cache_dir_base="/var/spool/squid/" mount_point="$(stat -c %m ${cache_dir_base})" fs_size_mbyte="$(( $(df ${mount_point} | grep -E ".*\s+${mount_point}\$" | awk '{ print $2 }') / 1024 ))" # Grant 60% of the underlying filesystem for proxy caching cache_size_mbyte="$((${fs_size_mbyte} * 6/10))" number_of_instances="${#service_httpproxy_networks_enabled[@]}" cache_size_per_instance_mbyte="$((${cache_size_mbyte} / ${number_of_instances}))" for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do _address_netmask_v4="${internal_networks[${_i_n_name}]}" _address_v4="$(echo ${_address_netmask_v4} | cut -d "/" -f1)" _netmask_v4_short="$(echo ${_address_netmask_v4} | cut -d "/" -f2)" _netmask_v4="$(netmask_v4_converter ${_netmask_v4_short})" _network_v4="$(network_v4_calculator ${_address_v4} ${_netmask_v4})" cache_dir="${cache_dir_base}/d-e-r_${_i_n_name}_Network" squid_cfg_file="/etc/squid/conf.d/debian-edu-router-plugin.content-filter/00_d-e-r-p.c-f_${_i_n_name}.conf" echo "###" 1> "${squid_cfg_file}" echo "### $PRODUCTNAME_PLUGIN - Squid" >> "${squid_cfg_file}" echo "###" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" echo "### Managed by debian-edu-router-plugin.content-filter." 
>> "${squid_cfg_file}" echo "### For internal network: '${_i_n_name}'." >> "${squid_cfg_file}" echo "### Don't modify this file." >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" echo "pid_filename /run/squid_d-e-r-p.c-f_${_i_n_name}.pid" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" echo "# Include the main squid config file." >> "${squid_cfg_file}" echo "# Note: It includes /etc/squid/conf.d/* but the configuration" >> "${squid_cfg_file}" echo "# there could be overwritten by this file." >> "${squid_cfg_file}" echo "include /etc/squid/squid-base_d-e-r.conf" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" ssldb_dir="/var/lib/debian-edu-router/ssl_db/" if [ ! -d "${ssldb_dir}/${_i_n_name}" ]; then mkdir -p "${ssldb_dir}" /usr/lib/squid/security_file_certgen -c -s "${ssldb_dir}${_i_n_name}" -M 4MB chown proxy:proxy "${ssldb_dir}${_i_n_name}" chown proxy:proxy "${ssldb_dir}${_i_n_name}/certs" chown proxy:proxy "${ssldb_dir}${_i_n_name}/index.txt" chown proxy:proxy "${ssldb_dir}${_i_n_name}/size" chmod o-rwx "${ssldb_dir}${_i_n_name}" fi echo "sslcrtd_program /usr/lib/squid/security_file_certgen \\" >> "${squid_cfg_file}" echo " -s ${ssldb_dir}${_i_n_name} \\" >> "${squid_cfg_file}" echo " -M 4MB" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" if [ "${service_httpproxy_enable_sslbumping}" = "true" ] && echo "${service_httpproxy_networks_with_sslbumping[@]}" | grep -q "${_i_n_name}"; then create_sslmitm_ca echo "# bump SSL connections (normal proxy mode)" >> "${squid_cfg_file}" echo "http_port ${_address_v4}:${http_proxy_port} ssl-bump \\" >> "${squid_cfg_file}" echo " generate-host-certificates=on \\" >> "${squid_cfg_file}" echo " dynamic_cert_mem_cache_size=4MB \\" >> "${squid_cfg_file}" echo " cert=/etc/debian-edu-router/ssl/certs/d-e-r_sslmitm-ca.crt \\" >> "${squid_cfg_file}" echo " key=/etc/debian-edu-router/ssl/private/d-e-r_sslmitm-ca.key" >> "${squid_cfg_file}" if [ "$transparent_proxy_mode_enabled" = "true" ]; then echo "# intercept & no SSL 
(transparent proxy mode (allows NAT))" >> "${squid_cfg_file}" echo "http_port ${_address_v4}:${http_transparent_proxy_port} intercept" >> "${squid_cfg_file}" echo "# intercept & bump SSL connections (transparent proxy mode (allows NAT))" >> "${squid_cfg_file}" echo "https_port ${_address_v4}:${https_transparent_proxy_port} intercept ssl-bump \\" >> "${squid_cfg_file}" echo " generate-host-certificates=on \\" >> "${squid_cfg_file}" echo " dynamic_cert_mem_cache_size=4MB \\" >> "${squid_cfg_file}" echo " cert=/etc/debian-edu-router/ssl/certs/d-e-r_sslmitm-ca.crt \\" >> "${squid_cfg_file}" echo " key=/etc/debian-edu-router/ssl/private/d-e-r_sslmitm-ca.key" >> "${squid_cfg_file}" fi else echo "# HTTP and HTTPS connections (normal proxy mode)" >> "${squid_cfg_file}" echo "http_port ${_address_v4}:${http_proxy_port}" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" while [ "$transparent_proxy_mode_enabled" = "true" ]; do echo "http_port ${_address_v4}:${http_transparent_proxy_port} intercept" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" if ! [[ -s "/etc/ssl/certs/ssl-cert-snakeoil.pem" ]] || ! [[ -s "/etc/ssl/private/ssl-cert-snakeoil.key" ]]; then warning_log "Could not activate ssl-bumpless transparent proxy mode for Squid." warning_log "Could not find snakeoil SSL certificates at '/etc/ssl/{certs, private}/ssl-cert-snakeoil.{pem, key}'." warning_log "Please make sure the package 'ssl-cert' is installed and configured successfully." break fi echo "# HTTPS connections (transparent proxy mode (allows NAT)), but do not actually" >> "${squid_cfg_file}" echo "# ssl-bump connections. We'll splice all connections (TCP passthrough)." 
>> "${squid_cfg_file}" echo "https_port ${_address_v4}:${https_transparent_proxy_port} intercept ssl-bump \\" >> "${squid_cfg_file}" echo " generate-host-certificates=on \\" >> "${squid_cfg_file}" echo " dynamic_cert_mem_cache_size=4MB \\" >> "${squid_cfg_file}" echo " cert=/etc/ssl/certs/ssl-cert-snakeoil.pem \\" >> "${squid_cfg_file}" echo " key=/etc/ssl/private/ssl-cert-snakeoil.key" >> "${squid_cfg_file}" break done fi echo >> "${squid_cfg_file}" echo "acl ${_i_n_name}_Network src ${_network_v4}/${_netmask_v4_short}" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" echo "include /etc/debian-edu-router/squid-snippets.d/*.conf" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" if [[ -n "${D_E_R_DEBUG}" ]]; then echo "debug_options ALL,1 33,2 28,9" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" fi # Creating own files for these. create_squid_config_sslbumping_rules "${_i_n_name}" "${squid_cfg_file}" create_squid_config_icap "${_i_n_name}" "${squid_cfg_file}" echo "access_log daemon:/var/log/debian-edu-router/squid/access_${_i_n_name}.log squid" >> "${squid_cfg_file}" echo "cache_log stdio:/var/log/debian-edu-router/squid/cache_${_i_n_name}.log" >> "${squid_cfg_file}" echo "coredump_dir ${cache_dir}/" >> "${squid_cfg_file}" echo "cache_dir ufs ${cache_dir}/ ${cache_size_per_instance_mbyte} 16 256" >> "${squid_cfg_file}" echo "unique_hostname ${dns_alias}_${_i_n_name}" >> "${squid_cfg_file}" echo "visible_hostname ${dns_alias}" >> "${squid_cfg_file}" # echo "cache_dir ${_address}:3128" >> "${squid_cfg_file}" echo >> "${squid_cfg_file}" # Populate cache directory if not already existent. if [ ! -e "${cache_dir}" ]; then mkdir -p "${cache_dir}" chown proxy:proxy "${cache_dir}" # Create missing swap directories and other missing cache_dir structures, then exit. squid --foreground -z -f "${squid_cfg_file}" 2>/dev/null fi done # Prepare file-based fallback authentication scheme for Squid. 
LOCAL_USERS_PASSWD_FILE="/etc/debian-edu-router/squid.d/local-users.passwd" if ! [ -s "$LOCAL_USERS_PASSWD_FILE" ]; then cp /usr/share/debian-edu-router/templates/squid/local-users.passwd "${LOCAL_USERS_PASSWD_FILE}" fi chown root:proxy "${LOCAL_USERS_PASSWD_FILE}" chmod 640 "${LOCAL_USERS_PASSWD_FILE}" } function prepare_squid_filterlists() { # Prepare empty .local filter lists for being maintained by site admins. for filterlist in ProxyTrustedClient.local \ ProxyTrustedClientIP.local \ ProxyTrustedUser.local \ ProxyAllowClientIP.local \ ProxyAllowClient.local \ ProxyAllowSite.local \ ProxyAllowSiteRegex.local \ ProxyAllowSiteIP.local \ ProxyAllowURL.local \ ProxyAllowUser.local \ ProxyKeepcertSite.local \ ProxyKeepcertSiteRegex.local \ ProxyKeepcertSiteIP.local \ ProxyDenyClientIP.local \ ProxyDenyClient.local \ ProxyDenySite.local \ ProxyDenySiteRegex.local \ ProxyDenySiteIP.local \ ProxyDenyURL.local \ ProxyDenyUser.local \ ProxyBlacklistClientIP.local \ ProxyBlacklistClient.local \ ProxyBlacklistURL.local \ ProxyBlacklistSite.local \ ProxyBlacklistSiteRegex.local \ ProxyBlacklistSiteIP.local \ ProxyBlacklistUser.local \ ProxyNoauthClient.local \ ProxyWhitelistClientIP.local \ ProxyWhitelistClient.local \ ProxyWhitelistURL.local \ ProxyWhitelistSite.local \ ProxyWhitelistSiteRegex.local \ ProxyWhitelistSiteIP.local \ ProxyWhitelistUser.local; do if [ ! -e "/var/lib/debian-edu-router/filterlists.d/${filterlist}" ]; then cp /usr/share/debian-edu-router/templates/ProxyHeader.local "/var/lib/debian-edu-router/filterlists.d/${filterlist}" # Add headers with tips and tricks for .local only. 
if [[ "${filterlist}" = "Proxy"*"Site.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxysites >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true elif [[ "${filterlist}" = "Proxy"*"SiteRegex.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxysitesregex >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true elif [[ "${filterlist}" = "Proxy"*"SiteIP.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxysitesip >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true elif [[ "${filterlist}" = "Proxy"*"URL.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxysitesurl >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true elif [[ "${filterlist}" = "Proxy"*"Client.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxyclients >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true elif [[ "${filterlist}" = "Proxy"*"ClientIP.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxyclientsip >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true elif [[ "${filterlist}" = "Proxy"*"User.local" ]]; then cat /usr/share/debian-edu-router/templates/ProxyHeader.proxyusers >> "/var/lib/debian-edu-router/filterlists.d/${filterlist}" || true fi fi done # Prepare empty .org filter lists for being maintained by organisations. for filterlist in ProxyTrustedClient.org \ ProxyTrustedClientIP.org \ ProxyAllowSite.org \ ProxyAllowSiteIP.org \ ProxyAllowSiteRegex.org \ ProxyKeepcertSite.org \ ProxyKeepcertSiteRegex.org \ ProxyKeepcertSiteIP.org \ ProxyAllowURL.org \ ProxyDenySite.org \ ProxyDenySiteIP.org \ ProxyDenySiteRegex.org \ ProxyDenyURL.org \ ProxyBlacklistURL.org \ ProxyBlacklistSite.org \ ProxyBlacklistSiteRegex.org \ ProxyBlacklistSiteIP.org \ ProxyWhitelistURL.org \ ProxyWhitelistSite.org \ ProxyWhitelistSiteRegex.org \ ProxyWhitelistSiteIP.org; do if [ ! 
-e "/var/lib/debian-edu-router/filterlists.d/${filterlist}" ]; then cp /usr/share/debian-edu-router/templates/ProxyHeader.org "/var/lib/debian-edu-router/filterlists.d/${filterlist}" fi done # ProxyAllowURL and ProxyWhitelistURL are disabled for now. # Please see /usr/share/doc/debian-edu-router-plugin.content-filter/squid_ACLs_explained.md # at 'Overview of all site lists'. backup_disabled_proxylists \ ProxyAllowURL.local \ ProxyWhitelistURL.local \ ProxyAllowURL.org \ ProxyWhitelistURL.org # TODO: Disable Proxy*SiteIP based on if transparent proxy mode is enabled? } function check_plugin_enabled() { if [ "$content_filter_enabled" = "false" ]; then if [ "${D_E_R_LOGINMENU}" = "true" ] && [ "$CONFIGURE_ONLY" != "ONOFF" ]; then error_log "$PRODUCTNAME_PLUGIN is turned off! Please re-enable it via 't', before retrying." exit 0 fi manage_unit disablenow squid_d-e-r.target manage_unit disablenow e2guardian_d-e-r.service manage_unit disablenow squid_d-e-r_acl_watcher.path # Force DISABLING auto-refreshing of blacklists. autorefresh_blacklist="true"; FORCE_SWITCH_AUTOREFRESH_BLACKLISTS="true" check_autorefresh_blacklists # Force DISABLING auto-regeneration of Proxy*Site.* IPs. autoregenerate_ips="true"; FORCE_SWITCH_AUTOREGENERATE_IPS="true" check_e2guardian_autoregenerate_ips rm -f /var/lib/debian-edu-router/d-e-r-p.c-f/enabled exit 0 notice_log "Deactivating ${PRODUCTNAME_PLUGIN}..." else echo "${PRODUCTNAME_PLUGIN} is enabled." > /var/lib/debian-edu-router/d-e-r-p.c-f/enabled fi } function main() { # This is needed because piuparts would break, if the symlinks at # /etc/debian-edu-router/filterlists.d/ are broken. # To avoid this, we need to create the filterlists regardless of, # if the plugin is enabled or not. prepare_squid_filterlists check_plugin_enabled # may never come back (exit 0)... 
if [ "${service_httpproxy_enable_sslbumping}" = "true" ]; then # check networks with content filter enabled and identify non-blocked networks choices=$(intersect_comma_separated_items \ "$(echo "${service_httpproxy_networks_enabled[@]}" | sed "s/ /, /g")" \ "$(echo "${unblocked_networks[@]}" | sed "s/ /, /g")" \ ) num_networks=$(echo "${choices}" | wc -w) if [[ $num_networks -gt 0 ]]; then if [[ "$1" == "configure" ]]; then db_subst debian-edu-router-plugin.content-filter/warning-networks-internet-allowed num_networks "${num_networks}" # TODO: This is not optimal. Network names are NOT translated! db_subst debian-edu-router-plugin.content-filter/warning-networks-internet-allowed list_networks "${choices}" db_input ${DC_PRIO_HIGH} debian-edu-router-plugin.content-filter/warning-networks-internet-allowed || true db_go elif [[ "$1" == "triggered" ]]; then warning_log "There are content-filtered internal networks that still allow clients to" warning_log "directly access the internet. The recommendation is to block clients on" warning_log "such networks from direct internet access." warning_log "To make this warning go away, either disable content-filtering for those" warning_log "networks or adjust the firewall settings and block their internet access." warning_log "Affected networks: ${choices}" fi fi fi # Apache2: Create 'wpad.dat' from template file 'wpad.dat.in'. www_dir="/etc/debian-edu-router/www" mkdir -p "$www_dir" cp /usr/share/debian-edu-router/templates/apache2/wpad.dat.in "$www_dir"/wpad.dat sed -i "$www_dir/wpad.dat" -e "s|@PRODUCTNAME@|${PRODUCTNAME}|" \ -e "s/@DNS_ALIAS@/${dns_alias}/" \ -e "s/@HTTP_PROXY_PORT@/${http_proxy_port}/" \ ${NULL} # Apache2: Create 'index.html' from template file 'index.html.in'. 
cp /usr/share/debian-edu-router/templates/apache2/index.html.in "$www_dir"/index.html sed -i "$www_dir/index.html" -e "s|@PRODUCTNAME@|${PRODUCTNAME}|" \ -e "s/@PRODUCTVERSION@/${PRODUCTVERSION}/" \ ${NULL} copy_docs_from_templates create_apache2_stuff_from_templates create_static_files_from_templates create_e2guardian_config_from_templates create_squid_config_from_templates create_squid_config_lockout_unknown_nets create_logrotate_configs # # Put trustworthy IP addresses and networks into ProxyTrustedClientIP. # db_get debian-edu-router-config/service-firewall-trustworthy-ips service_int_firewall_trustworthy_ips=( $(echo ${RET}) ) if [[ -n "${service_int_firewall_trustworthy_ips[@]}" ]]; then filterlist_path="/var/lib/debian-edu-router/filterlists.d/ProxyTrustedClientIP.generated" echo "$(cat /usr/share/debian-edu-router/templates/ProxyHeader.generated)" 1> "$filterlist_path" echo "# Automatically put all trustworthy IPs into ProxyTrustedClientIP." >> "$filterlist_path" echo "# To modify this file, please reconfigure $PRODUCTNAME, either via" >> "$filterlist_path" echo "# the loginmenu or '$ dpkg-reconfigure debian-edu-router-config'." >> "$filterlist_path" echo "" >> "$filterlist_path" for item in "${service_int_firewall_trustworthy_ips[@]}"; do if ! is_valid_ipconfig_v6 "$item" && ! is_address_v6 "$item" && \ ! is_valid_ipconfig_v4 "$item" && ! is_address_v4 "$item"; then warning_log "Malformed trustworthy IP entry: '$item', skipping it." continue fi echo "$item" >> $filterlist_path done fi parse_ip_versions # Collect all internal addresses/networks declare -A internal_networks # Don't convert network name to lowercase get_internal_networks_v4 "false" # Check if all networks specified are actually supported. debug_log "Internal networks found for content filter postinst: " for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do # »
-> _network="${internal_networks[${_i_n_name}]}" debug_log "$(printf " » %-18s-> ${_i_n_name}" "${_network}")" if ! is_supported "${_i_n_name}"; then warning_log "Internal network '${_i_n_name}' is not supported." warning_log "This could mean that you recently removed this network from" warning_log "the list of supported internal networks." warning_log "This network will be ignored from now on and won't be" warning_log "content-filtered anymore." service_httpproxy_networks_enabled=( $(filter_item "${_i_n_name}" "${service_httpproxy_networks_enabled[@]}") ) db_set debian-edu-router-plugin.content-filter/service-httpproxy-networks-enabled "${service_httpproxy_networks_enabled[@]}" fi done # Making sure temporary backup folder isn't accessible to others if [ -n "${CONFIG_BACKUP_DIR}" ]; then create_config_backup else error_log "\${CONFIG_BACKUP_DIR} is not initialized! Can't create backup!" exit 1 fi # process firewall settings and restart firewall process_firewall_answers if [ "${SKIP_SERVICE_RESTARTS_POSTINST}" != "1" ]; then ### uif manage_unit restart uif || restore_config_backup "uif" && \ debug_log "Firewall 'uif' reconfigured and restarted." fi # process service settings and restart related services process_services_answers check_autorefresh_blacklists check_e2guardian_autoregenerate_ips if [ "${SKIP_SERVICE_RESTARTS_POSTINST}" != "1" ]; then ### Squid notice_log "Fully disabling default service '${green}squid${blue}'." manage_unit disablenow "squid.service" manage_unit mask "squid.service" # Stop our Squid target manage_unit stop "squid_d-e-r.target" # Collect a list of services, which are setup (and running?) already. Finally stop them all. 
list_old_services=( $(systemctl list-dependencies --plain squid_d-e-r.target | tail -n +2 | awk '{ print $1 }' | tr '\n' ' ') ) for service in "${list_old_services[@]}"; do manage_unit disablenow "$service" done for _i_n_name in "${service_httpproxy_networks_enabled[@]}"; do service="squid_d-e-r@${_i_n_name}.service" # Enable service now, or restore config. if ! manage_unit enablenow "$service"; then # Only ignore error in debug mode. if [[ -n "$D_E_R_DEBUG" ]]; then debug_log "Ignoring error for this service now." continue fi # restore_config_backup "$service" && \ # debug_log "Service '$service' reconfigured and restarted." exit 1 fi # This delay is needed since Squid uses the default PID file # path for a few seconds at startup but after reading the config # file it switches to the new PID file. sleep 2s; done notice_log "Starting '${magenta}squid_d-e-r.target${blue}'. This could take a while..." manage_unit enablenow squid_d-e-r.target restart_autorefresh_blacklists # Restart Squid if filterlists were edited. manage_unit unmask squid_d-e-r_acl_watcher manage_unit enablenow squid_d-e-r_acl_watcher.path ### e2guardian notice_log "Fully disabling default service '${green}e2guardian${blue}'." manage_unit disablenow "e2guardian.service" manage_unit mask "e2guardian.service" restart_autoregenerate_ips notice_log "Restarting '${magenta}e2guardian_d-e-r.service${blue}'. This could take a while..." manage_unit enable "e2guardian_d-e-r.service" manage_unit restart "e2guardian_d-e-r.service" fi manage_unit restart "apache2.service" notice_log "Configuration of '$PRODUCTNAME_PLUGIN' finished." } configure_package="" if [[ "$1" == "triggered" ]]; then debug_log "Reconfiguring since trigger '$2' got activated. This" \ "probably means, the admin reconfigures d-e-r-c currently." 
configure_package="true" fi if [[ "$1" == "configure" ]] || [[ "$configure_package" == "true" ]]; then main else error_log "postinst called with unknown argument \`$1'" >&2 exit 1 fi # dh_installdeb will replace this with shell code automatically # generated by other debhelper scripts. # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'e2guardian_d-e-r.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'e2guardian_d-e-r.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'e2guardian_d-e-r.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'e2guardian_d-e-r.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'squid_d-e-r.target' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'squid_d-e-r.target'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'squid_d-e-r.target' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. 
deb-systemd-helper update-state 'squid_d-e-r.target' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'squid_d-e-r_acl_watcher.path' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_acl_watcher.path'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'squid_d-e-r_acl_watcher.path' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'squid_d-e-r_acl_watcher.path' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'squid_d-e-r_refresh-blacklists.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_refresh-blacklists.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'squid_d-e-r_refresh-blacklists.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. 
deb-systemd-helper update-state 'squid_d-e-r_refresh-blacklists.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'squid_d-e-r_refresh-blacklists.timer' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_refresh-blacklists.timer'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'squid_d-e-r_refresh-blacklists.timer' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'squid_d-e-r_refresh-blacklists.timer' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'squid_d-e-r_refresh-generated-ips.service' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_refresh-generated-ips.service'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'squid_d-e-r_refresh-generated-ips.service' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. 
deb-systemd-helper update-state 'squid_d-e-r_refresh-generated-ips.service' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then # The following line should be removed in trixie or trixie+1 deb-systemd-helper unmask 'squid_d-e-r_refresh-generated-ips.timer' >/dev/null || true # was-enabled defaults to true, so new installations run enable. if deb-systemd-helper --quiet was-enabled 'squid_d-e-r_refresh-generated-ips.timer'; then # Enables the unit on first installation, creates new # symlinks on upgrades if the unit file has changed. deb-systemd-helper enable 'squid_d-e-r_refresh-generated-ips.timer' >/dev/null || true else # Update the statefile to add new symlinks (if any), which need to be # cleaned up on purge. Also remove old symlinks. deb-systemd-helper update-state 'squid_d-e-r_refresh-generated-ips.timer' >/dev/null || true fi fi # End automatically added section # Automatically added by dh_installsystemd/13.24.2 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ -d /run/systemd/system ]; then systemctl --system daemon-reload >/dev/null || true if [ -n "$2" ]; then _dh_action=restart else _dh_action=start fi deb-systemd-invoke $_dh_action 'e2guardian_d-e-r.service' 'squid_d-e-r.target' 'squid_d-e-r_acl_watcher.path' 'squid_d-e-r_acl_watcher.service' 'squid_d-e-r_refresh-blacklists.service' 'squid_d-e-r_refresh-blacklists.timer' 'squid_d-e-r_refresh-generated-ips.service' 'squid_d-e-r_refresh-generated-ips.timer' >/dev/null || true fi fi # End automatically added section exit 0