From 6b88fe1f72accb4f45b3117aaa540e73720bb587 Mon Sep 17 00:00:00 2001 From: Ad Schellevis Date: Mon, 4 Jul 2016 18:36:35 +0200 Subject: [PATCH] (proxy) move acl part to separate file and add option for custom templates, closes https://github.com/opnsense/core/issues/802 --- .../templates/OPNsense/Proxy/squid.acl.conf | 156 ++++++++++++++++++ .../templates/OPNsense/Proxy/squid.conf | 155 +---------------- 2 files changed, 159 insertions(+), 152 deletions(-) create mode 100644 src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf new file mode 100644 index 000000000..3573e14a3 --- /dev/null +++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.acl.conf 
@@ -0,0 +1,156 @@
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
+
+# ALLOW UNRESTRICTED
+# ACL list (Allow) unrestricted
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow unrestricted
+adaptation_access request_mod allow unrestricted
+{% endif %}
+http_access allow unrestricted
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
+
+# ACL list (Allow) whitelist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow whiteList
+adaptation_access request_mod allow whiteList
+{% endif %}
+http_access allow whiteList
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
+
+#
+# ACL list (Deny) blacklist
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny blackList
+adaptation_access request_mod deny blackList
+{% endif %}
+http_access deny blackList
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
+{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
+# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
+adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
+{% endif %}
+http_access deny remoteblacklist_{{blacklist.filename}}
+{% endfor %}
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
+
+# ACL list (Deny) blockuseragent
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny blockuseragents
+adaptation_access request_mod deny blockuseragents
+{% endif %}
+http_access deny blockuseragents
+{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
+
+# ACL list (Deny) blockmimetypes
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+{% endif %}
+http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
+
+{% endif %}
+
+# Deny requests to certain unsafe ports
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
+
+http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+# Deny CONNECT to other than secure SSL ports
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+{% endif %}
+
+http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
+
+{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny bannedHosts
+adaptation_access request_mod deny bannedHosts
+{% endif %}
+http_access deny bannedHosts
+{% endif %}
+
+# Only allow cachemgr access from localhost
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow localhost manager
+adaptation_access request_mod allow localhost manager
+adaptation_access response_mod deny manager
+adaptation_access request_mod deny manager
+{% endif %}
+http_access allow localhost manager
+http_access deny manager
+
+# We strongly recommend the following be uncommented to protect innocent
+# web applications running on the proxy server who think the only
+# one who can access services on "localhost" is a local user
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny to_localhost
+adaptation_access request_mod deny to_localhost
+{% endif %}
+http_access deny to_localhost
+
+#
+# Access Permission configuration:
+#
+# Deny request from unauthorized clients
+{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow local_auth
+adaptation_access request_mod allow local_auth
+{% endif %}
+http_access allow local_auth
+{% endif %}
+
+#
+# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow localnet
+adaptation_access request_mod allow localnet
+{% endif %}
+http_access allow localnet
+
+# ACL - localhost
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow localhost
+adaptation_access request_mod allow localhost
+{% endif %}
+http_access allow localhost
+{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
+
+# ACL list (Allow) subnets
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod allow subnets
+adaptation_access request_mod allow subnets
+{% endif %}
+http_access allow subnets
+{% endif %}
+
+# Deny all other access to this proxy
+{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
+adaptation_access response_mod deny all
+adaptation_access request_mod deny all
+{% endif %}
+http_access deny all
diff --git a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
index aa769a368..2c501b79e 100644
--- a/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
+++ b/src/opnsense/service/templates/OPNsense/Proxy/squid.conf
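Review bot: The new squid.acl.conf has no header explaining that squid evaluates http_access first-match, and the file opens with `http_access allow unrestricted` (and `allow whiteList`) before the `deny manager`, `deny to_localhost`, `deny !Safe_ports` and `deny CONNECT !SSL_ports` rules, so a client matching the unrestricted ACL also reaches cachemgr and localhost-bound services on the proxy host; this ordering is carried over from squid.conf, but now that the file is a standalone include point it deserves a comment such as `# Rules are first-match: entries above the manager/to_localhost/Safe_ports denies (unrestricted, whiteList) bypass them`. The `remoteblacklist_{{blacklist.filename}}` lines interpolate the filename straight into three squid directives; that is safe only if the model restricts filename to a token without whitespace or newlines, which I cannot confirm from this hunk, so a note `# filename must be a single token; it becomes part of the squid directive` would document the assumption.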
@@ -261,161 +261,12 @@ auth_param basic children {{OPNsense.proxy.forward.authentication.children}}
 # ACL - Local Authorized Users - local_auth
 acl local_auth proxy_auth REQUIRED
 {% endif %}
-{% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}
-# ALLOW UNRESTRICTED
-# ACL list (Allow) unrestricted
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow unrestricted
-adaptation_access request_mod allow unrestricted
-{% endif %}
-http_access allow unrestricted
-{% endif %}
+{% include "OPNsense/Proxy/squid.user.pre_auth.conf" ignore missing with context %}
-{% if helpers.exists('OPNsense.proxy.forward.acl.whiteList') %}
+{% include "OPNsense/Proxy/squid.acl.conf" ignore missing with context %}
-# ACL list (Allow) whitelist
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow whiteList
-adaptation_access request_mod allow whiteList
-{% endif %}
-http_access allow whiteList
-{% endif %}
-
-{% if helpers.exists('OPNsense.proxy.forward.acl.blackList') %}
-
-#
-# ACL list (Deny) blacklist
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny blackList
-adaptation_access request_mod deny blackList
-{% endif %}
-http_access deny blackList
-{% endif %}
-
-{% if helpers.exists('OPNsense.proxy.forward.acl.remoteACLs.blacklists') %}
-{% for blacklist in helpers.toList('OPNsense.proxy.forward.acl.remoteACLs.blacklists.blacklist') if blacklist.enabled=='1' %}
-# ACL list (Deny) remoteblacklist_{{blacklist.filename}}
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny remoteblacklist_{{blacklist.filename}}
-adaptation_access request_mod deny remoteblacklist_{{blacklist.filename}}
-{% endif %}
-http_access deny remoteblacklist_{{blacklist.filename}}
-{% endfor %}
-{% endif %}
-
-{% if helpers.exists('OPNsense.proxy.forward.acl.browser') %}
-
-# ACL list (Deny) blockuseragent
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny blockuseragents
-adaptation_access request_mod deny blockuseragents
-{% endif %}
-http_access deny blockuseragents
-{% endif %}
-
-{% if helpers.exists('OPNsense.proxy.forward.acl.mimeType') %}
-
-# ACL list (Deny) blockmimetypes
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
-adaptation_access request_mod deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
-adaptation_access response_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
-adaptation_access request_mod deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
-{% endif %}
-http_reply_access deny blockmimetypes {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
-
-http_access deny blockmimetypes_requests {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted {% endif %}
-
-{% endif %}
-
-# Deny requests to certain unsafe ports
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-
-adaptation_access request_mod deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-{% endif %}
-
-http_access deny !Safe_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-
-# Deny CONNECT to other than secure SSL ports
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-
-adaptation_access request_mod deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-{% endif %}
-
-http_access deny CONNECT !SSL_ports {% if helpers.exists('OPNsense.proxy.forward.acl.unrestricted') %}!unrestricted{% endif %}
-
-{% if helpers.exists('OPNsense.proxy.forward.acl.bannedHosts') %}
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny bannedHosts
-adaptation_access request_mod deny bannedHosts
-{% endif %}
-http_access deny bannedHosts
-{% endif %}
-
-# Only allow cachemgr access from localhost
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow localhost manager
-adaptation_access request_mod allow localhost manager
-adaptation_access response_mod deny manager
-adaptation_access request_mod deny manager
-{% endif %}
-http_access allow localhost manager
-http_access deny manager
-
-# We strongly recommend the following be uncommented to protect innocent
-# web applications running on the proxy server who think the only
-# one who can access services on "localhost" is a local user
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny to_localhost
-adaptation_access request_mod deny to_localhost
-{% endif %}
-http_access deny to_localhost
-
-#
-# Access Permission configuration:
-#
-# Deny request from unauthorized clients
-{% if helpers.exists('OPNsense.proxy.forward.authentication.method') and OPNsense.proxy.forward.authentication.method != '' %}
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow local_auth
-adaptation_access request_mod allow local_auth
-{% endif %}
-http_access allow local_auth
-{% endif %}
-
-#
-# ACL - localnet - default these include ranges from selected interfaces (Allow local subnets)
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow localnet
-adaptation_access request_mod allow localnet
-{% endif %}
-http_access allow localnet
-
-# ACL - localhost
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow localhost
-adaptation_access request_mod allow localhost
-{% endif %}
-http_access allow localhost
-{% if helpers.exists('OPNsense.proxy.forward.acl.allowedSubnets') %}
-
-# ACL list (Allow) subnets
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod allow subnets
-adaptation_access request_mod allow subnets
-{% endif %}
-http_access allow subnets
-{% endif %}
-
-# Deny all other access to this proxy
-{% if helpers.exists('OPNsense.proxy.forward.icap.enable') and OPNsense.proxy.forward.icap.enable == '1' %}
-adaptation_access response_mod deny all
-adaptation_access request_mod deny all
-{% endif %}
-http_access deny all
+{% include "OPNsense/Proxy/squid.user.post_auth.conf" ignore missing with context %}
 {% if helpers.exists('OPNsense.proxy.general.cache.local') %}
 cache_mem {{ OPNsense.proxy.general.cache.local.cache_mem|default('256') }} MB
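Review bot: The new `{% include "OPNsense/Proxy/squid.user.pre_auth.conf" ... %}` is rendered ahead of every rule in squid.acl.conf, and squid's http_access/adaptation_access are first-match, so an `http_access allow` placed in that user-supplied file silently bypasses the `deny !Safe_ports`, `deny CONNECT !SSL_ports`, `deny manager` and `deny to_localhost` protections that the included file provides; nothing in the hunk or the commit message warns the operator of this. If that is the intended meaning of "pre_auth", add a comment above the include such as `# Rules in squid.user.pre_auth.conf are evaluated before every built-in deny rule in squid.acl.conf; an "http_access allow" here overrides the Safe_ports, CONNECT, manager and to_localhost denies`; otherwise consider rendering the pre_auth include after those denies. The `ignore missing` flag also means a misspelled user file is dropped without any rendering error, which is worth a short note next to it, e.g. `# missing user files are skipped silently`. The surrounding authentication block starts above this hunk.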