From 65667436518ec021da136848e63d87170acfcacc Mon Sep 17 00:00:00 2001
From: liveaverage
Date: Wed, 9 Oct 2013 13:44:44 -0400
Subject: [PATCH] Added support for using SquidGuard Redirect URL if using SG backend
---
 openufp.c | 55 ++++++++++++++++++++++++++++++++++++++++++----------
 openufp.h | 4 +++-
 squidguard.c | 25 ++++++++++++++++++++----
 squidguard.h | 4 ++--
 4 files changed, 71 insertions(+), 17 deletions(-)
diff --git a/openufp.c b/openufp.c
index ec4833c..5481db2 100644
--- a/openufp.c
+++ b/openufp.c
@@ -24,7 +24,7 @@ void usage() {
 printf("OPTIONS:\n");
 printf(" -l PORT on which port openufp will listen for incoming requests\n");
 printf(" -r URL when url is denied the client will be redirected to this url; n2h2 only\n");
- printf(" -u utilize User Identity info from capable Cisco products. Must use with -w as frontend\n");
+ printf(" -u utilize User Identity info from capable Cisco products. Must use with -w as frontend\n");
 printf(" -c SECS cache expire time in seconds; default 3600; 0 disables caching\n");
 printf(" -C URL remove specified URL from cache\n");
 printf(" -d LEVEL debug level 1-3\n\n");
@@ -54,6 +54,7 @@ int main(int argc, char**argv) {
 struct sockaddr_in openufp_addr;
 int local_port = 0;
 char *redirect_url = NULL;
+ char sg_redirect[URL_SIZE];
 int cache_exp_secs = 3600;
 int debug = 0;
 int frontend = 0;
@@ -64,6 +65,9 @@ int main(int argc, char**argv) {
 int squidguard = 0;
 int usrid = 0;
 int c;
+ char *https = "https://";
+// bool isIp;
+
 while ((c = getopt(argc, argv, "l:r:c:C:d:nwp:f:gu")) != -1) {
 char *p;
 char hash[10];
@@ -230,7 +234,7 @@ int main(int argc, char**argv) {
 request = n2h2_validate(n2h2_request, msgsize);
 } else {
 websns_request = (struct websns_req *)msg;
-
+ //secret debug
 if(debug > 3) {
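Review bot: `char sg_redirect[URL_SIZE];` in the -54 hunk is never initialized, yet the deny path in the -286 hunk hands it to n2h2_deny()/websns_deny() whenever `squidguard` is set, including when `denied` was produced by the cache check and neither squidguard_backend() call ran, so the client can be redirected to uninitialized stack bytes or to the redirect captured for an earlier request. Declare it as `char sg_redirect[URL_SIZE] = "";` and, if main() serves several requests in one process (the request loop is outside this hunk), reset it with `sg_redirect[0] = '\0';` before each lookup so a stale redirect cannot leak between clients. The deny branch can then fall back to redirect_url when sg_redirect is empty.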
@@ -264,8 +268,26 @@ int main(int argc, char**argv) {
 // URL request
 if (request.type == N2H2_REQ || request.type == WEBSNS_REQ) {
- if (debug > 0)
- syslog(LOG_INFO, "received url request: %s", request.url);
+ if (debug > 0) {
+ syslog(LOG_INFO, "received url request - Original URL: %s", request.url);
+ }
+
+ // Handle HTTPS for N2H2 only since IP is provided in URI:
+ if (strstr(https, request.url) != NULL && request.type == N2H2_REQ) {
+ //char substr[URL_SIZE];
+ //substr = strndup(request.url+8, URL_SIZE);
+ //isIp = isValidIpAddress(substr);
+
+ if (debug > 0) {
+ syslog(LOG_INFO, "received HTTPS url request");
+ //if (isIp) {
+ // syslog(LOG_INFO, "received HTTPS url request. Substring passed IP validation");
+ //}
+ }
+
+ //request.url = strndup(substr, strlen(substr));
+ //free(substr);
+ }
 // check if cached
 get_hash(request.url, hash);
@@ -286,22 +308,35 @@ int main(int argc, char**argv) {
 // parse url to squidguard
 if (!cached && !denied && squidguard) {
 // check whether srcip or srcip+usrid will be used:
+
 if (usrid == 1) {
- denied = squidguard_backend_uid(sg_fd, request.srcip, request.usr, request.url, debug);
+ denied = squidguard_backend_uid(sg_fd, request.srcip, request.usr, request.url, sg_redirect, debug);
 } else {
- denied = squidguard_backend(sg_fd, request.srcip, request.url, debug);
+ denied = squidguard_backend(sg_fd, request.srcip, request.url, sg_redirect, debug);
 }
 }
 if (denied) {
- if (frontend == N2H2) {
- n2h2_deny(cli_fd, n2h2_request, redirect_url);
- } else {
- websns_deny(cli_fd, websns_request, redirect_url);
+ if (frontend == N2H2 && squidguard)
+ {
+ n2h2_deny(cli_fd, n2h2_request, sg_redirect);
 }
+ else if (frontend == WEBSNS && squidguard)
+ {
+ websns_deny(cli_fd, websns_request, sg_redirect);
+ }
+ else if (frontend == N2H2)
+ {
+ n2h2_deny(cli_fd, n2h2_request, redirect_url);
+ }
+ else
+ {
+ websns_deny(cli_fd, websns_request, redirect_url);
+ }
+
 if (debug > 0) {
 if (usrid == 1)
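Review bot: `strstr(https, request.url)` in the -264 hunk has its arguments reversed: it searches the literal "https://" for the whole request URL, so the HTTPS branch is entered only when request.url is a substring of "https://" (an empty URL, for instance) and never for a real https request. The intended prefix test is `if (request.type == N2H2_REQ && strncmp(request.url, https, strlen(https)) == 0) {`. The branch body then only writes a log line and carries eight commented-out statements (strndup/isValidIpAddress), plus `// bool isIp;` in the -64 hunk; either finish that code or drop it, since as committed the branch has no effect on the request. The enclosing main() continues outside the hunk.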
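Review bot: The four-way chain in the -286 hunk's `if (denied)` block repeats each deny call twice and, whenever `squidguard` is set, ignores the `-r` redirect_url entirely, even though a denial produced by the cache check (the backend calls are guarded by `!cached && !denied`) leaves sg_redirect unwritten by anything in this hunk. Choosing the URL once and keeping the original two-way frontend dispatch is shorter and supplies the fallback; this assumes sg_redirect holds an empty string when no SquidGuard redirect was captured, which requires it to be initialized at its declaration in the -54 hunk. The enclosing main() and the `if (debug > 0)` block continue outside the hunk.
```c
        if (denied) {
            /* prefer the redirect SquidGuard returned, else the -r URL (may be NULL) */
            char *deny_url = (squidguard && sg_redirect[0] != '\0') ? sg_redirect : redirect_url;
            if (frontend == N2H2) {
                n2h2_deny(cli_fd, n2h2_request, deny_url);
            } else {
                websns_deny(cli_fd, websns_request, deny_url);
            }
            // … unchanged: debug logging …
```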
diff --git a/openufp.h b/openufp.h
index deedcb9..a96fd8b 100644
--- a/openufp.h
+++ b/openufp.h
@@ -9,8 +9,10 @@
 #include
 #include
 #include
+#include
+#include
-#define VERSION "1.07"
+#define VERSION "1.08"
 #define URL_SIZE 65535
 #define REQ_SIZE 65535
diff --git a/squidguard.c b/squidguard.c
index 5da3cb2..04f8ae7 100644
--- a/squidguard.c
+++ b/squidguard.c
@@ -67,7 +67,7 @@ int squidguard_closefd(FILE *sg_fd[2]) {
 return 0;
 }
-int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], int debug) {
+int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], char *sg_redirect, int debug) {
 char redirect_url[URL_SIZE];
 if (debug > 2)
@@ -79,6 +79,7 @@ int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], int d
 syslog(LOG_WARNING, "squidguard: could not open fd for input.");
 return 0;
 }
+
 fprintf(sg_fd[1], "%s %s/ - - GET\n", url, srcip);
 fflush(sg_fd[1]);
@@ -90,8 +91,13 @@ int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], int d
 if (debug > 1)
 syslog(LOG_INFO, "squidguard: redirect_url (%s).", redirect_url);
 if (strlen(redirect_url) > 1) {
+ char *parse;
+ parse = strtok (redirect_url, " ");
+ strcpy(sg_redirect, parse);
+
 if (debug > 0)
- syslog(LOG_INFO, "squidguard: url blocked.");
+ syslog(LOG_INFO, "squidguard: url blocked. parsed_red: %s -- sg_redirectURL: %s", parse, sg_redirect );
+
 return 1;
 }
 if (debug > 0)
@@ -101,7 +107,7 @@ int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], int d
 return 0;
 }
-int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], int debug) {
+int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], char *sg_redirect, int debug) {
 char redirect_url[URL_SIZE];
 if (debug > 2)
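Review bot: `strcpy(sg_redirect, parse)` in the -90 hunk dereferences NULL when the reply line consists only of spaces (strtok() then finds no token and `strlen(redirect_url) > 1` still holds), and because the delimiter set is just " " a reply with nothing after the URL keeps the trailing newline left by the fgets() read (visible in the -133 hunk, presumably the same here), which is then copied into sg_redirect and sent to the client in the deny reply. Guard the NULL case, add "\n" to the delimiters, and bound the copy explicitly instead of relying on the caller's buffer being as large as redirect_url; the identical lines in the -133 hunk of squidguard_backend_uid() need the same treatment. strtok() also keeps static state, so if this code can run concurrently with any other strtok() user (not visible here) strtok_r() is the safer choice. squidguard_backend() continues outside the hunk.
```c
    if (strlen(redirect_url) > 1) {
        /* SquidGuard echoes the rewritten URL first; drop the rest of the line and the newline */
        char *parse = strtok(redirect_url, " \n");
        if (parse == NULL) {
            if (debug > 0)
                syslog(LOG_WARNING, "squidguard: url blocked, but reply carried no redirect url.");
            sg_redirect[0] = '\0';
            return 1;
        }
        snprintf(sg_redirect, URL_SIZE, "%s", parse);
        if (debug > 0)
            syslog(LOG_INFO, "squidguard: url blocked. parsed_red: %s -- sg_redirectURL: %s", parse, sg_redirect );

        return 1;
    }
```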
@@ -133,8 +139,13 @@ int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE]
 }
 while (fgets(redirect_url, URL_SIZE, sg_fd[0]) != NULL) {
 if (strlen(redirect_url) > 2) {
+ char *parse;
+ parse = strtok (redirect_url, " ");
+ strcpy(sg_redirect, parse);
+
 if (debug > 0)
- syslog(LOG_INFO, "squidguard: url blocked.");
+ syslog(LOG_INFO, "squidguard: url blocked. parsed_red: %s -- sg_redirectURL: %s", parse, sg_redirect );
+
 return 1;
 }
 if (debug > 0)
@@ -144,3 +155,9 @@ int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE]
 return 0;
 }
+bool isValidIpAddress(char *ipAddress)
+{
+ struct sockaddr_in sa;
+ int result = inet_pton(AF_INET, ipAddress, &(sa.sin_addr));
+ return result != 0;
+}
diff --git a/squidguard.h b/squidguard.h
index 7b1f099..fd3c34d 100644
--- a/squidguard.h
+++ b/squidguard.h
@@ -8,5 +8,5 @@ extern int squidguard_getfd(FILE *sg_fd[2]);
 extern int squidguard_closefd(FILE *sg_fd[2]);
-extern int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], int debug);
-extern int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], int debug);
+extern int squidguard_backend(FILE *sg_fd[2], char srcip[15], char url[URL_SIZE], char *sg_redirect, int debug);
+extern int squidguard_backend_uid(FILE *sg_fd[2], char srcip[15], char srcusr[URL_SIZE], char url[URL_SIZE], char *sg_redirect, int debug);
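Review bot: `return result != 0;` in the new isValidIpAddress() (-144 hunk) reports the string as a valid address when inet_pton() fails with -1 (unsupported address family), since only a return of 1 means the text parsed; write `return result == 1;` and take `const char *ipAddress`, as the function never writes through the pointer. No prototype for it is added in the squidguard.h hunk, so its only (currently commented-out) caller in openufp.c would depend on an implicit declaration; add `extern bool isValidIpAddress(const char *ipAddress);` to the header. The two includes added in the openufp.h hunk have their names stripped on this page, so I cannot confirm that stdbool.h and arpa/inet.h, which `bool` and inet_pton() require, are among them.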
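Review bot: The new `char *sg_redirect` parameter on both prototypes in the squidguard.h hunk carries no length, while the implementations copy up to URL_SIZE-1 bytes into it with strcpy(), so the size requirement exists only by convention and the callee cannot bound the write itself. Document the contract on the declarations, e.g. `/* sg_redirect: caller-owned buffer of at least URL_SIZE bytes; on return 1 it receives the NUL-terminated redirect URL SquidGuard supplied, on return 0 it is left untouched */`, or add a `size_t sg_redirect_len` parameter so the copy can be bounded in the callee.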