lucaspalomodevelop/core
1
0
Fork 0
mirror of https://github.com/lucaspalomodevelop/core.git synced 2026-03-16 17:44:41 +00:00
Code Issues Packages Projects Releases Wiki Activity

(proxy) move acl part to separate file and add option for custom templates, closes https://github.com/opnsense/core/issues/802

Browse Source
This commit is contained in:
Ad Schellevis 2016-07-04 18:36:35 +02:00
parent 4d1a8eca37
commit 6b88fe1f72
2 changed files with 159 additions and 152 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf Normal file
View File

@ -0,0 +1,156 @@
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow unrestricted
adaptation_access request_mod allow unrestricted
{% endif %}
http_access allow unrestricted
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow whiteList
adaptation_access request_mod allow whiteList
{% endif %}
http_access allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blackList
adaptation_access request_mod deny blackList
{% endif %}
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockuseragents
adaptation_access request_mod deny blockuseragents
{% endif %}
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny bannedHosts
adaptation_access request_mod deny bannedHosts
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
{% endif %}
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
{% endif %}
http_access deny to_localhost
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow local_auth
adaptation_access request_mod allow local_auth
{% endif %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny all
adaptation_access request_mod deny all
{% endif %}
http_access deny all

155
src/opnsense/service/templates/OPNsense/Proxy/squid.conf
View File

@ -261,161 +261,12 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
# ACL - Local Authorized Users - local_auth
acl local_auth proxy_auth REQUIRED
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
# ALLOW UNRESTRICTED
# ACL list (Allow) unrestricted
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow unrestricted
adaptation_access request_mod allow unrestricted
{% endif %}
http_access allow unrestricted
{% endif %}
{% include "OPNsense/Proxy/squid.user.pre_auth.conf" ignore missing with context %}
{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
{% include "OPNsense/Proxy/squid.acl.conf" ignore missing with context %}
# ACL list (Allow) whitelist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow whiteList
adaptation_access request_mod allow whiteList
{% endif %}
http_access allow whiteList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
#
# ACL list (Deny) blacklist
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blackList
adaptation_access request_mod deny blackList
{% endif %}
http_access deny blackList
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
{% endif %}
http_access deny remoteblacklist_{{blacklist.filename}}
{% endfor %}
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
# ACL list (Deny) blockuseragent
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockuseragents
adaptation_access request_mod deny blockuseragents
{% endif %}
http_access deny blockuseragents
{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
# ACL list (Deny) blockmimetypes
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
{% endif %}
# Deny requests to certain unsafe ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
# Deny CONNECT to other than secure SSL ports
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% endif %}
http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny bannedHosts
adaptation_access request_mod deny bannedHosts
{% endif %}
http_access deny bannedHosts
{% endif %}
# Only allow cachemgr access from localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost manager
adaptation_access request_mod allow localhost manager
adaptation_access response_mod deny manager
adaptation_access request_mod deny manager
{% endif %}
http_access allow localhost manager
http_access deny manager
# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny to_localhost
adaptation_access request_mod deny to_localhost
{% endif %}
http_access deny to_localhost
#
# Access Permission configuration:
#
# Deny request from unauthorized clients
{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow local_auth
adaptation_access request_mod allow local_auth
{% endif %}
http_access allow local_auth
{% endif %}
#
# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localnet
adaptation_access request_mod allow localnet
{% endif %}
http_access allow localnet
# ACL - localhost
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow localhost
adaptation_access request_mod allow localhost
{% endif %}
http_access allow localhost
{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
# ACL list (Allow) subnets
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod allow subnets
adaptation_access request_mod allow subnets
{% endif %}
http_access allow subnets
{% endif %}
# Deny all other access to this proxy
{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
adaptation_access response_mod deny all
adaptation_access request_mod deny all
{% endif %}
http_access deny all
{% include "OPNsense/Proxy/squid.user.post_auth.conf" ignore missing with context %}
{% if helpers.exists('OPNsense.proxy.general.cache.local') %}
cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB