diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index 897f9c05a..6b7d8ac9d 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
@@ -3,46 +3,44 @@ # Do not edit this file manually. # -{# wrap http_port ssl bump configuration for reuse #} -{% macro sslbump_httpsconfig(network, tags='') -%} - {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} -https_port {{network}}:{{OPNsense.proxy.forward.sslbumpport|default('3129')}} {{tags}} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on - {% endif %} +{# wrap listener configuration for reuse #} +{% macro listener_config(network, port='3129', tags='', protocol='') -%} +{% if protocol == 'ssl' %} +{% set listener_type = 'https_port' %} +{% else %} +{% set listener_type = 'http_port' %} +{% endif %} +{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} +{% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %} +{% endif %} +{{listener_type}} {{network}}:{{port}} {{tags}} {{sslparams}} {%- endmacro %} {% if helpers.exists('OPNsense.proxy.forward.transparentMode') and OPNsense.proxy.forward.transparentMode == '1' %} -# transparent mode, listen on localhost -http_port 127.0.0.1:{{ OPNsense.proxy.forward.port }} intercept -{{ sslbump_httpsconfig('127.0.0.1', 'intercept') }} -http_port [::1]:{{ OPNsense.proxy.forward.port }} intercept -{{ sslbump_httpsconfig('[::1]', 'intercept') }} +# Setup transparent mode listeners on loopback interfaces +{{ listener_config('127.0.0.1', OPNsense.proxy.forward.port, 'intercept') }} +{{ listener_config('127.0.0.1', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }} +{{ listener_config('[::1]', OPNsense.proxy.forward.port, 'intercept') }} +{{ listener_config('[::1]', OPNsense.proxy.forward.sslbumpport, 'intercept', 'ssl') }} {% endif %} -# Setup listen configuration +# Setup regular listeners configuration {% if helpers.exists('OPNsense.proxy.forward.interfaces') %} -{% for interface in 
OPNsense.proxy.forward.interfaces.split(",") %} -{% for intf_key,intf_item in interfaces.iteritems() %} -{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %} -{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} -http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on -{% else %} -http_port {{intf_item.ipaddr}}:{{ OPNsense.proxy.forward.port }} -{% endif %} -{% endif %} -{% endfor %} +{% for interface in OPNsense.proxy.forward.interfaces.split(",") %} +{% for intf_key,intf_item in interfaces.iteritems() %} +{% if intf_key == interface and intf_item.ipaddr != 'dhcp' %} +{{ listener_config(intf_item.ipaddr, OPNsense.proxy.forward.port) }} +{% endif %} +{% endfor %} {# virtual ip's #} -{% if helpers.exists('virtualip') %} -{% for intf_key,intf_item in virtualip.iteritems() %} -{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %} -{% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %} -http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on -{% else %} -http_port {{intf_item.subnet}}:{{ OPNsense.proxy.forward.port }} -{% endif %} -{% endif %} -{% endfor %} -{% endif %} -{% endfor %} +{% if helpers.exists('virtualip') %} +{% for intf_key,intf_item in virtualip.iteritems() %} +{% if intf_item.interface == interface and intf_item.mode == 'ipalias' %} +{{ listener_config(intf_item.subnet, OPNsense.proxy.forward.port) }} +{% endif %} +{% endfor %} +{% endif %} +{% endfor %} {% endif %} {% if helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
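Review bot: The two `listener_config(..., 'intercept', 'ssl')` calls in the transparent-mode branch have lost the sslbump guard that the removed `sslbump_httpsconfig` macro carried, so with SSL bump disabled the template now emits `https_port 127.0.0.1:… intercept` (and its `[::1]` twin) with no `cert=`/`ssl-bump` options, which Squid rejects at startup as far as I know (an https_port needs a certificate), so the whole proxy stays down instead of the bump listener simply being skipped. Those calls also pass `OPNsense.proxy.forward.sslbumpport` explicitly, which bypasses the macro's `port='3129'` default that the old `|default('3129')` filter provided, so an unset port renders as `https_port 127.0.0.1: intercept`. A third, smaller point: `sslparams` is only assigned on the enabled path, so the final `{{sslparams}}` relies on an undefined name rendering as an empty string, which breaks under a strict-undefined environment. Moving the sslbump check into the macro as below keeps every call site in this hunk unchanged while restoring the old behaviour; the `else` branch and the `default(..., true)` cover the other two points.
```jinja
{% macro listener_config(network, port='3129', tags='', protocol='') -%}
{% set sslbump_enabled = helpers.exists('OPNsense.proxy.forward.sslbump') and OPNsense.proxy.forward.sslbump == '1' %}
{# an ssl listener is only meaningful when bumping is on; emit nothing otherwise #}
{% if protocol != 'ssl' or sslbump_enabled %}
{% if protocol == 'ssl' %}
{% set listener_type = 'https_port' %}
{% else %}
{% set listener_type = 'http_port' %}
{% endif %}
{% if sslbump_enabled %}
{% set sslparams = 'ssl-bump cert=/var/squid/ssl/ca.pem dynamic_cert_mem_cache_size=10MB generate-host-certificates=on' %}
{% else %}
{% set sslparams = '' %}
{% endif %}
{{listener_type}} {{network}}:{{port|default('3129', true)}} {{tags}} {{sslparams}}
{% endif %}
{%- endmacro %}
{# … unchanged: transparent-mode and regular listener call sites … #}
```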